天使之眼 posted on 2021-11-27 17:24:00

Installing CS on a Linux cloud server, with a hands-on run (detailed)

<h3 id="0x00-引言">0X00 - Introduction</h3>
<hr>
<p>A newly purchased server needs a Java environment before Cobalt Strike 4.0 can run, and the firewall policy also has to be changed in the cloud console. The material online about installing CS is not very complete, so this is a very detailed tutorial on getting CS up, with a bonus hands-on run against the webbug lab.</p>
<p>Ladies👩‍🎓 and Gentlemen👨‍🎓! Are you ready?</p>
<h3 id="0x01-云服务器安装java环境">0X01 - Installing the Java environment on the cloud server</h3>
<hr>
<h5 id="一下载jdk8">1. Download JDK 8</h5>
<p>Create a download directory, and inside it a java1.8 directory to hold the downloaded JDK. You could also download straight into the home directory, but that gets messy, since the archive unpacks into a lot of files.</p>
<pre><code>mkdir download   # create the download directory
cd download
mkdir java1.8    # inside download, create java1.8 (the name is arbitrary)
</code></pre>
<p>After creating them the directory should look like this</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015094047704.png" alt="image-20211015094047704" loading="lazy"></p>
<p>In the <strong>java1.8</strong> directory, download and unpack the JDK by running the following commands in order</p>
<pre><code>cd java1.8
wget https://repo.huaweicloud.com/java/jdk/8u201-b09/jdk-8u201-linux-x64.tar.gz   # download the JDK archive
tar -zxvf jdk-8u201-linux-x64.tar.gz   # unpack it
mv jdk1.8.0_201 /usr/local/jdk1.8/    # move it into place
</code></pre>
<p>When done, the <strong>jdk1.8</strong> folder looks like this</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015094723915.png" alt="image-20211015094723915" loading="lazy"></p>
<h5 id="二配置环境变量">2. Configure the environment variables</h5>
<p>Open the profile file with vim, press i to enter insert mode, add the following lines, then save and quit</p>
<pre><code>vim /etc/profile   # open the profile file

export JAVA_HOME=/usr/local/jdk1.8
export PATH=$JAVA_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
</code></pre>
<p>Result when successful</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015095527929.png" alt="image-20211015095527929" loading="lazy"></p>
<h5 id="三更新配置">3. Reload the configuration</h5>
<pre><code>source /etc/profile   # reload the configuration
</code></pre>
<h5 id="四查看是否安装成功">4. Check that the installation succeeded</h5>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015095845741.png" alt="image-20211015095845741" loading="lazy"></p>
<p>The Java environment is now configured.</p>
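<p>The four steps above as one script, added here as an example rather than taken from the original post: it downloads the same 8u201 archive from the same mirror, optionally checks its SHA-256 (the post gives no hash, so <code>JDK_SHA256</code> is a placeholder to fill in from the vendor's download page), unpacks and moves it to /usr/local/jdk1.8, writes the three export lines to an /etc/profile.d drop-in instead of editing /etc/profile by hand, and finishes with <code>java -version</code> as the check. The drop-in path and the <code>install</code> argument are my own choices.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: the JDK 8 setup the post
# does by hand (download, unpack, move to /usr/local/jdk1.8, export the three
# variables, reload) as one re-runnable script. Assumptions: the same mirror
# URL and jdk-8u201 archive the post uses, a distro whose /etc/profile sources
# /etc/profile.d/*.sh, and root privileges when run with the `install` argument.
JDK_URL="https://repo.huaweicloud.com/java/jdk/8u201-b09/jdk-8u201-linux-x64.tar.gz"
JDK_DIR="/usr/local/jdk1.8"
PROFILE_DROPIN="/etc/profile.d/jdk8.sh"
# Expected SHA-256 of the archive, taken from the vendor's download page. The
# post publishes none, so this is a placeholder; the check is skipped when empty.
JDK_SHA256="${JDK_SHA256:-}"

# jdk_profile_lines JDK_DIR: the exact three export lines the post adds to
# /etc/profile, here written to a profile.d drop-in.
jdk_profile_lines() {
  printf 'export JAVA_HOME=%s\n' "$1"
  printf 'export PATH=$JAVA_HOME/bin:$PATH\n'
  printf 'export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar\n'
}

# verify_archive FILE EXPECTED: succeed if FILE's SHA-256 equals EXPECTED;
# an empty EXPECTED skips the check with a warning instead of failing.
verify_archive() {
  if [ -z "$2" ]; then
    echo "warning: JDK_SHA256 not set, archive not verified" >&2
    return 0
  fi
  actual=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
  [ "$actual" = "$2" ]
}

# install_jdk: the download / unpack / move steps from the post, via a temp dir.
install_jdk() {
  tmp=$(mktemp -d)
  wget -q -O "$tmp/jdk.tar.gz" "$JDK_URL"
  verify_archive "$tmp/jdk.tar.gz" "$JDK_SHA256" || {
    echo "checksum mismatch, not installing" >&2; rm -rf "$tmp"; return 1; }
  tar -xzf "$tmp/jdk.tar.gz" -C "$tmp"
  # the archive unpacks to jdk1.8.0_201; move it to the fixed path
  mv "$tmp"/jdk1.8.0_* "$JDK_DIR"
  rm -rf "$tmp"
  jdk_profile_lines "$JDK_DIR" > "$PROFILE_DROPIN"
  chmod 644 "$PROFILE_DROPIN"
}

# java_version_line JDK_DIR: first line of `java -version`, the post's
# "check that it worked" step in scriptable form.
java_version_line() {
  "$1/bin/java" -version 2>&1 | head -n 1
}

# Only touch the system when invoked as `sh jdk8.sh install`.
if [ "${1:-}" = "install" ]; then
  [ -d "$JDK_DIR" ] || install_jdk
  . "$PROFILE_DROPIN"
  java_version_line "$JDK_DIR"
fi
```

<p>Run as <code>JDK_SHA256=&lt;hash from the vendor page&gt; sh jdk8.sh install</code>; rerunning it is harmless because an existing /usr/local/jdk1.8 is left alone. Using a profile.d drop-in keeps the variables out of the shared /etc/profile, so removing the JDK later is a single file deletion.</p>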
<h3 id="0x02-linux云服务器安装cobaltstrike40">0X02 - Installing Cobalt Strike 4.0 on the Linux cloud server</h3>
<hr>
<h5 id="一上传cs">1. Upload CS</h5>
<p>Upload CS to the folder created earlier using Xftp</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015100431594.png" alt="image-20211015100431594" loading="lazy"></p>
<h5 id="二添加权限">2. Add permissions</h5>
<p>Enter the CS folder and make teamserver executable</p>
<pre><code>chmod +x teamserver   # add execute permission
</code></pre>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015100733716.png" alt="image-20211015100733716" loading="lazy"></p>
<h5 id="三启动">3. Start</h5>
<pre><code>./teamserver IP PASSWORD   # IP is the cloud server's IP; choose the password yourself
</code></pre>
<p>Started successfully</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015101728073.png" alt="image-20211015101728073" loading="lazy"></p>
<h3 id="0x03-本地端连接">0X03 - Connecting from the local client</h3>
<hr>
<p>The local CS client and the team server must be the same version</p>
<p>Host: the cloud server's IP</p>
<p>Port: the default is 50050</p>
<p>User: the default is neo</p>
<p>Password: the one you set yourself</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015102608066.png" alt="image-20211015102608066" loading="lazy"></p>
<p>Connected successfully</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015103314603.png" alt="image-20211015103314603" loading="lazy"></p>
<h3 id="0x04-出现的问题">0X04 - Problems encountered</h3>
<hr>
<p>After the install on the cloud server succeeded, the local client reported that the connection was refused</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/%E5%BE%AE%E4%BF%A1%E5%9B%BE%E7%89%87_20211015103602.png" alt="微信图片_20211015103602" loading="lazy"></p>
<p>It might be the port, so run nmap against it</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015104151494.png" alt="image-20211015104151494" loading="lazy"></p>
<p>The port shows as filtered</p>
<pre><code>Open: the port is open

Closed: the port is closed

Filtered: nmap cannot determine whether the port is open because its probes cannot reach it, usually because a firewall is in place on the network or the host. When nmap receives an ICMP host-unreachable message (for example type 3, code 13, communication administratively prohibited) or the target does not answer at all, it usually marks the port as filtered

Unfiltered: the state nmap assigns when it cannot determine whether the port is open. The difference from filtered is that an unfiltered port is reachable by nmap, but the replies do not tell nmap whether the port is open, whereas a filtered port could not be reached at all. A port is classified as unfiltered only during a TCP ACK scan when an RST comes back. A port is classified as filtered because the probe was blocked by a firewall device, a router rule or firewall software and never reached the port; this usually shows up as the scanning host receiving an ICMP error message

Open|filtered: nmap cannot tell whether the port is open or filtered. This state only appears in scan types where an open port does not answer the probe, such as UDP, IP protocol, TCP NULL, FIN and Xmas scans

Closed|filtered: nmap cannot tell whether the port is closed or filtered. This state only appears in the IP ID idle scan (I do not fully understand this type yet either; I will write it up some time later)
</code></pre>
<p>The cause could lie either in the host firewall or in the console security policy. Checking the cloud server's own firewall showed it in the dead (inactive) state, so the problem was the console security policy.</p>
<p>In the console, find the firewall settings and add a rule</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015105646993.png" alt="image-20211015105646993" loading="lazy"></p>
<p>Restart the server from the console, bring CS back up, and the connection succeeds</p>
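<p>The troubleshooting in this section as a small POSIX shell script, added as an example that is not part of the original post: it separates the three layers involved (is teamserver listening locally at all, is the host firewall active, is the port reachable from outside) and prints which one to look at next. The use of <code>ss</code>, <code>firewalld</code> and <code>nc</code>, the sample <code>ss</code> output and the verdict wording are my assumptions, not from the post.</p>

```shell
#!/bin/sh
# Added example (not from the original post): triage a "connection refused /
# port filtered" result for the team server port by separating the three
# layers the post touches: is teamserver listening at all, is the host
# firewall (firewalld) active, and is the port reachable from outside.
# Assumptions: iproute2 `ss`, systemd `firewalld` and `nc` exist where the
# live checks run; the sample data and verdict text are constructed here.

PORT="${PORT:-50050}"   # Cobalt Strike team server default port

# Constructed sample of `ss -Hltn` output (-H drops the header line), used so
# the functions can be exercised offline.
SAMPLE_SS='LISTEN 0 50 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 [::]:50050 [::]:*'

# is_listening PORT [SS_OUTPUT]: succeeds if some socket listens on PORT.
# With one argument it runs `ss` itself; the second argument lets a caller
# feed captured output instead. Column 4 is the local address; the port is
# the text after the last ':' (which also handles [::]:PORT).
is_listening() {
  out=${2:-$(ss -Hltn 2>/dev/null)}
  printf '%s\n' "$out" |
    awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) found = 1 }
                   END { exit found ? 0 : 1 }'
}

# host_firewall_state: "active" or "inactive" for firewalld (the post found
# it "dead", i.e. inactive, which is what pointed at the console policy).
host_firewall_state() {
  if systemctl is-active --quiet firewalld 2>/dev/null; then
    echo active
  else
    echo inactive
  fi
}

# remote_reachable HOST PORT: TCP connect test from the operator's machine,
# the scripted form of the nmap check in the post.
remote_reachable() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# verdict LISTENING FIREWALL: map the two local facts to the next action.
# LISTENING is yes/no, FIREWALL is active/inactive.
verdict() {
  case "$1:$2" in
    no:*)         echo "teamserver is not listening on $PORT: check the Java setup and the teamserver start" ;;
    yes:active)   echo "listening on $PORT but host firewall is active: allow $PORT/tcp in firewalld" ;;
    yes:inactive) echo "listening on $PORT and host firewall inactive: open $PORT/tcp in the cloud console security group" ;;
  esac
}

# diagnose: run the live local checks and print the verdict.
diagnose() {
  if is_listening "$PORT"; then l=yes; else l=no; fi
  verdict "$l" "$(host_firewall_state)"
}

# Only run the live checks when invoked as `sh triage.sh run` on the server.
if [ "${1:-}" = "run" ]; then
  diagnose
fi
```

<p>Run it on the server as <code>sh triage.sh run</code>; from the operator's machine, <code>remote_reachable SERVER_IP 50050</code> reproduces the nmap check. When the verdict points at the console security group, add the rule with the operator's own address as the source rather than 0.0.0.0/0: the team server port is protected by the shared password alone, so it should not be reachable from the whole internet.</p>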
<h3 id="0x05-webbug靶场实战">0x05 - Hands-on run against the webbug lab</h3>
<hr>
<h5 id="一搭建环境">1. Set up the environment</h5>
<p>Target: webbug 4.0</p>
<p>Attack machine: Windows Server 2016</p>
<p>Open webbug and log in from the attack machine; here we pretend we do not know the password</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015111813708.png" alt="image-20211015111813708" loading="lazy"></p>
<h5 id="二url尝试">2. Trying URLs</h5>
<p>After several attempts in the URL, the following turned up</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015134524841.png" alt="image-20211015134524841" loading="lazy"></p>
<h5 id="三发现thinkphp框架">3. ThinkPHP framework discovered</h5>
<p>The framework is ThinkPHP, and the ThinkPHP version number is also visible</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015135028520.png" alt="image-20211015135028520" loading="lazy"></p>
<h5 id="四thinkphp综合利用工具扫描">4. Scan with the ThinkPHP all-in-one exploitation tool</h5>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015135414022.png" alt="image-20211015135414022" loading="lazy"></p>
<h5 id="五漏洞利用">5. Exploitation</h5>
<p>Pick one vulnerability and exploit it; a successful result looks like this</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015135843295.png" alt="image-20211015135843295" loading="lazy"></p>
<h5 id="六上传木马getshell">6. Upload a webshell and get a shell</h5>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015140258802.png" alt="image-20211015140258802" loading="lazy"></p>
<h5 id="七冰蝎连接">7. Connect with 冰蝎 (Behinder)</h5>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015140512437.png" alt="image-20211015140512437" loading="lazy"></p>
<p>Double-click</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015140557113.png" alt="image-20211015140557113" loading="lazy"></p>
<p>Connected successfully</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015140700596.png" alt="image-20211015140700596" loading="lazy"></p>
<h5 id="八上线cs">8. Bring the host online in CS</h5>
<p>Add a listener</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015141506245.png" alt="image-20211015141506245" loading="lazy"></p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015141712082.png" alt="image-20211015141712082" loading="lazy"></p>
<p>Listener created</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015141759946.png" alt="image-20211015141759946" loading="lazy"></p>
<h5 id="九生成后门文件">9. Generate the backdoor file</h5>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015141909241.png" alt="image-20211015141909241" loading="lazy"></p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015142405030.png" alt="image-20211015142405030" loading="lazy"></p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015142549242.png" alt="image-20211015142549242" loading="lazy"></p>
<h5 id="十上传后门文件">10. Upload the backdoor file</h5>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015143003545.png" alt="image-20211015143003545" loading="lazy"></p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015143334548.png" alt="image-20211015143334548" loading="lazy"></p>
<h5 id="十一运行后门文件">11. Run the backdoor file</h5>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015143737436.png" alt="image-20211015143737436" loading="lazy"></p>
<h5 id="十二查看cs并操作">12. View and operate in CS</h5>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015143926781.png" alt="image-20211015143926781" loading="lazy"></p>
<p>Change the sleep (check-in) interval to 5 s; commands only execute once the beacon checks in, and the default of 60 s is too long to wait</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015144615583.png" alt="image-20211015144615583" loading="lazy"></p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015145023430.png" alt="image-20211015145023430" loading="lazy"></p>
<h5 id="十三提权">13. Privilege escalation</h5>
<p>At this point we have administrator privileges. Administrator is powerful, but there are still many things it cannot do, so elevate to SYSTEM and do whatever you like</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015151035060.png" alt="image-20211015151035060" loading="lazy"></p>
<p>Choose a listener</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015151126828.png" alt="image-20211015151126828" loading="lazy"></p>
<p>Success: now running as SYSTEM, truly free to do anything 😁</p>
<p><img src="https://images-1306307244.cos.ap-nanjing.myqcloud.com/img/image-20211015151301360.png" alt="image-20211015151301360" loading="lazy"></p>
<p><strong>CS has many more uses; I will write an introduction to them when I have time</strong></p>
Source: https://www.cnblogs.com/peace-and-romance/p/15612174.html