文章目录
- 环境搭建
- 1.设置所需网卡
- 2.更改win7设置
- 3.DC设置
- 4.web设置
- 开启docker服务
- 5.kali网段
- `渗透启动`
- 1.确认对方靶机的IP地址
- 2.端口探测
- 3.web探测
- `2001端口`
- `2002端口`
- Tomcat/8.5.19漏洞复现
- `2003端口`
- 4.docker逃逸
- 5.ssh密钥爆破
- `域渗透启动`
- 1.提权
- 2.隧道搭建
- 各项配置文件内容
- 步骤
- 测试隧道
- 3.内网主机探测
- 4.ms17-010
- 获取密码
- 开启远程桌面
- 更改administrator用户密码,激活账户
- 远程登陆
- `攻打域控`
- 1.ms14-068
- 2.mimkatz
- psexec64
- `meterpreter`
环境搭建
下载地址:红日四靶场
1.设置所需网卡
需要设置两个网卡:192.168.157.0(外网)/192.168.183.0(内网)
2.更改win7设置
先打开win7和DC靶机,web先不要打开;打开win7 ,密码
Dotest123,点击控制面板,搜索电源,更改节能设置,全改为从不
3.DC设置
进入DC,密码
Test2008,进入后需要更改密码
4.web设置
设置完成之后,打开web靶机,进入密码
ubuntu
开启docker服务
进入root,使用docker开启docker ps -a中的第一,二,三和最后一个。
ubuntu@ubuntu:~$ sudo -s
[sudo] password for ubuntu:
root@ubuntu:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ec814f6ee002 vulhub/phpmyadmin:4.8.1 "docker-php-entrypoi…" 4 years ago Exited (255) 11 minutes ago 0.0.0.0:2003->80/tcp cve-2018-12613_web_1
174745108fcb vulhub/struts2:2.3.30 "/usr/local/bin/mvn-…" 4 years ago Exited (255) 11 minutes ago 0.0.0.0:2001->8080/tcp s2-045_struts2_1
09dd4e5bfa91 cve-2017-12615_tomcat "catalina.sh run" 4 years ago Exited (255) 11 minutes ago 0.0.0.0:2002->8080/tcp cve-2017-12615_tomcat_1
bbbcc627166b 910e51b43315 "docker-php-entrypoi…" 4 years ago Exited (0) 4 years ago compassionate_euler
da81127935d7 910e51b43315 "docker-php-entrypoi…" 4 years ago Exited (0) 4 years ago blissful_benz
3dbc242a8b6c 910e51b43315 "docker-php-entrypoi…" 4 years ago Exited (0) 4 years ago elegant_perlman
abe05b39a6d6 910e51b43315 "docker-php-entrypoi…" 4 years ago Exited (0) 4 years ago wonderful_fermat
ad7866b3df9b mysql:5.5 "docker-entrypoint.s…" 4 years ago Exited (0) 4 years ago cve-2018-12613_mysql_1
root@ubuntu:~# docker start ec814f6ee002
ec814f6ee002
root@ubuntu:~# docker start 174745108fcb
174745108fcb
root@ubuntu:~# docker start 09dd4e5bfa91
09dd4e5bfa91
root@ubuntu:~# docker start ad7866b3df9b
ad7866b3df9b
5.kali网段
渗透启动
1.确认对方靶机的IP地址
arp
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.157.129
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.157.1 00:50:56:c0:00:02 VMware, Inc.
192.168.157.128 00:0c:29:13:4a:c1 VMware, Inc.
192.168.157.254 00:50:56:e3:f1:bc VMware, Inc.3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.005 seconds (127.68 hosts/sec). 3 responded
netdiscover
┌──(root㉿kali)-[~]
└─# netdiscover -s high -r 192.168.157.0/24Currently scanning: Finished! | Screen View: Unique Hosts 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180 _____________________________________________________________________________IP At MAC Address Count Len MAC Vendor / Hostname -----------------------------------------------------------------------------192.168.157.1 00:50:56:c0:00:02 1 60 VMware, Inc. 192.168.157.128 00:0c:29:13:4a:c1 1 60 VMware, Inc. 192.168.157.254 00:50:56:e3:f1:bc 1 60 VMware, Inc.
2.端口探测
nmap
┌──(root㉿kali)-[~]
└─# nmap -Pn 192.168.157.128
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-22 23:40 EST
Nmap scan report for 192.168.157.128
Host is up (0.0014s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
2001/tcp open dc
2002/tcp open globe
2003/tcp open finger
MAC Address: 00:0C:29:13:4A:C1 (VMware)Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds┌──(root㉿kali)-[~/kali/hr4]
└─# nmap -sV -O 192.168.157.128 -oA nmap_o
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-23 00:24 EST
Nmap scan report for 192.168.157.128
Host is up (0.00097s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
2001/tcp open http Jetty 9.2.11.v20150529
2002/tcp open http Apache Tomcat 8.5.19
2003/tcp open http Apache httpd 2.4.25 ((Debian))
MAC Address: 00:0C:29:13:4A:C1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.74 seconds3.web探测
发现三个端口是http服务,一个一个访问
2001端口
2001端口是Jetty ,Jetty是一个开源、基于标准、全功能实现的JAVA服务框架
目录扫描只扫出一个upload,并没有什么用
