
Ichunqiu Yunjing - Delegation Writeup

Author: Gcow Security Team
Published 2022-12-10 21:31:18

0x1 Info


0x2 Recon

  1. Target external IP 39.98.34.149
  2. Nmap results
  3. Focus on the HTTP service on port 80; directory brute-forcing (omitted) finds /admin
  4. Log in to the admin backend with a weak password (username: admin, password: 123456), go to the template page, edit header.html and add a PHP one-liner webshell
  5. Command execution

0x03 Entry point: 172.22.4.36

  1. Pop a reverse shell
  2. A quick look around: nothing special on the entry host
  3. Couldn't escalate to root (and didn't need to)
  4. Exploiting the stapbpf SUID binary failed; found diff with the SUID bit set
  5. flag01: `diff --line-format=%L /dev/null /home/flag/flag01.txt`
  6. flag01 contains a hint: the username `WIN19\Adrian`
  7. Scan port 445 through the proxy. Three hosts are found:
     172.22.4.19 fileserver.xiaorang.lab
     172.22.4.7 DC01.xiaorang.lab
     172.22.4.45 win19.xiaorang.lab
  8. Brute-force with the username from flag01 and rockyou.txt; a valid credential comes out (with a password-expired notice): `win19\Adrian babygirl1`
  9. Log in to win19 remotely with xfreerdp and change the password

0x04 Pwning WIN19 - 172.22.4.45

Preface: apart from the machine account, this host holds no domain credentials at all, so we need to escalate to SYSTEM to obtain the machine account.

  1. There is a hint on the desktop
  2. Note this entry: the current user Adrian has Full Control over this registry key
  3. Privilege escalation: generate a service payload with msfvenom and run sam.bat. The script modifies the registry and starts the service; the SAM, SECURITY and SYSTEM hives then appear on the desktop
  4. Administrator and machine-account credentials obtained:
     Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::
     $MACHINE.ACC:aad3b435b51404eeaad3b435b51404ee:917234367460f3f2817aa4439f97e636
  5. flag02
  6. Collect domain information using the machine account

0x05 DC takeover - 172.22.4.7

  1. Analysing the BloodHound data shows that WIN19 and DC01 are both configured for unconstrained delegation
  2. Log in to WIN19 as Administrator and deploy Rubeus
  3. Use DFSCoerce to force DC01 to authenticate back to win19 and capture DC01's TGT
  4. Decode the Base64 TGT and save it as DC01.kirbi
  5. DCSync to obtain the domain admin credentials
  6. psexec - flag04
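Unconstrained delegation is what the chain above rests on: when an account authenticates to a service on WIN19 or DC01, the KDC forwards a copy of that account's TGT, which the host keeps in memory. The following Python is an added defender-side audit, not code from the writeup: it decodes userAccountControl bits on constructed sample records modelled on the lab, flags non-DC accounts trusted for unconstrained delegation (domain controllers have it by default), lists privileged accounts that lack the NOT_DELEGATED protection, and builds the equivalent LDAP filter; all account names other than DC01$, WIN19$ and FILESERVER$ are assumptions.

```python
# Defender-side audit of Kerberos delegation settings, added as an example; it is not
# code from the writeup. RECORDS is a constructed sample mirroring the lab (WIN19 and
# DC01 both trusted for delegation); attribute names and UF_* bits are the real AD ones.
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition

RECORDS = [  # constructed sample, values made up
    {"sAMAccountName": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WIN19$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "FILESERVER$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "svc_web", "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.xiaorang.lab"]},
    {"sAMAccountName": "Administrator", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "da_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED},
]

def classify_delegation(rec):
    """Describe how one account is allowed to delegate."""
    uac = rec["userAccountControl"]
    if uac & UF_TRUSTED_FOR_DELEGATION:
        if uac & UF_SERVER_TRUST_ACCOUNT:
            return "unconstrained (domain controller, default)"
        return "unconstrained (non-DC, high risk)"
    if rec.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained with protocol transition"
        return "constrained"
    return "none"

def find_risky_unconstrained(records):
    """Non-DC accounts trusted for unconstrained delegation: every TGT forwarded to them is reusable."""
    return [r["sAMAccountName"] for r in records
            if r["userAccountControl"] & UF_TRUSTED_FOR_DELEGATION
            and not r["userAccountControl"] & UF_SERVER_TRUST_ACCOUNT]

def unprotected_privileged(records, privileged_names):
    """Privileged accounts that lack NOT_DELEGATED, so their TGTs can still be forwarded."""
    return [r["sAMAccountName"] for r in records
            if r["sAMAccountName"] in privileged_names
            and not r["userAccountControl"] & UF_NOT_DELEGATED]

def ldap_filter_risky_unconstrained():
    """Same check as an LDAP filter for a live DC (1.2.840.113556.1.4.803 = bitwise AND rule)."""
    return ("(&(userAccountControl:1.2.840.113556.1.4.803:=%d)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=%d)))"
            % (UF_TRUSTED_FOR_DELEGATION, UF_SERVER_TRUST_ACCOUNT))
```

Remediation for a hit from `find_risky_unconstrained` is to switch the host to constrained or resource-based delegation, and to set NOT_DELEGATED (or Protected Users membership) on the accounts `unprotected_privileged` lists.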

0x06 Fileserver takeover - 172.22.4.19

  1. psexec - flag03

0x07 Outro

  • Thanks to Alphabug for the hints (0x03 - 0x04); he had already finished the entry point, I just followed along
  • Thanks to Jiushi for the collaboration
  • Spoofing is already done and its walkthrough is written; it will be released around New Year once the 1000 reward arrives. Personally I find Spoofing more fun, and the challenge design is clever
  • Range address: https://yunjing.ichunqiu.com/ranking/summary?id=BzMFNFpvUDU It contains ranges that go from web to internal network to domain; overall very good
