春秋云镜-【仿真场景】Delegation writeup

客官°小女子只卖身不卖艺 2024-03-26 18:57 47阅读 0赞

### 0x1 Info ###

![image][]  
靶场地址：https://yunjing.ichunqiu.com/ranking/summary?id=BzMFNFpvUDU 从web到内网再到域的靶场环境都全，且出题的思路很好，感兴趣的可以去玩玩

### 0x2 Recon ###

1.  Target external IP`39.98.34.149`
2.  Nmap results
    
    ![image][image 1]
3.  关注80端口的http服务，目录爆破(省略)找到 /admin
    
    ![image][image 2]
4.  使用弱口令登录进入后台，去到模板页面，编辑header.html，添加php一句话  
    \\
    
        用户名: admin, 密码：123456

![image][image 3]

1.  命令执行
    
    ![image][image 4]

### 0x03 入口点：172.22.4.36 ###

1.  弹shell
    
    ![image][image 5]
    
      
    快速过一下：
    
     *  入口机器没特别的东西
     *  没能提权到root权限(也不需要提权到root权限)
     *  stapbpf suid利用失败  
        找到diff suid
        
        ![image][image 6]
2.  flag01`diff --line-format=%L /dev/null /home/flag/flag01.txt`
    
    ![image][image 7]
3.  flag01 里面有提示用户名`WIN19\Adrian`
4.  挂代理扫 445
    
    ![image][image 8]
    
      
    获取到三个机器信息
    
    172.22.4.19 fileserver.xiaorang.lab  
    172.22.4.7 DC01.xiaorang.lab  
    172.22.4.45 win19.xiaorang.lab
5.  用 Flag01提示的用户名 + rockyou.txt 爆破，爆破出有效凭据 (提示密码过期)`win19\Adrian babygirl1`
6.  xfreerdp 远程登录上 win19 然后改密码
    
    ![image][image 9]
    
    ![image][image 10]

### 0x04 Pwing WIN19 - 172.22.4.45 ###

前言：当前机器除了机器账户外，完全没域凭据，需要提权到system获取机器账户

1.  桌面有提示
    
    ![image][image 11]
2.  关注这一栏，当前用户Adrian对该注册表有完全控制权限
    
    ![image][image 12]
    
    ![image][image 13]
3.  提权  
    msfvenom生成服务马，执行 sam.bat
    
    ![image][image 14]
    
      
    sam.bat
    
    ![image][image 15]
    
      
    修改注册表并且启用服务，然后桌面就会获取到 sam，security，system
    
    ![image][image 16]
4.  获取 Administrator + 机器账户 凭据
    
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::  
    $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:917234367460f3f2817aa4439f97e636![image][image 17]
5.  flag02
    
    ![image][image 18]
6.  使用机器账户收集域信息
    
    ![image][image 19]

### 0x05 DC takeover - 172.22.4.7 ###

1.  分析 Bloodhound，发现 WIN19 + DC01都是非约束委派
    
    ![image][image 20]
2.  使用Administrator登录进入 WIN19，部署rubeus
    
    ![image][image 21]
3.  使用DFSCoerce强制触发回连到win19并且获取到DC01的TGT
    
    ![image][image 22]
    
    ![image][image 23]
4.  Base64的tgt 解码存为 DC01.kirbi
    
    ![image][image 24]
5.  DCSync 获取域管凭据
    
    ![image][image 25]
6.  psexec - flag04
    
    ![image][image 26]

### 0x06 Fileserver takeover - 172.22.4.19 ###

1.  psexec - flag03
    
    ![image][image 27]

### 0x07 Outro ###

*  感谢Alphabug师傅的提示(0x03 - 0x04)，大哥已经把入口点都打完了，我只是跟着进来而已
 *  感谢九世师傅的合作

原文链接：https://www.freebuf.com/articles/web/352151.html

[image]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/19942ebbe2e545a394dfc5437b5da982.png
[image 1]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/0e71c38cc5914ca794932c4ac618c63c.png
[image 2]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/103136f4a9294757af00753077a3ff08.png
[image 3]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/641b8cc862164296a337b51066ff1ac6.png
[image 4]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/c65af59306fb416a9e94a8c2cefd6ccd.png
[image 5]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/e206c0e5f95a49728fd376f356846c0c.png
[image 6]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/1ca482536c7e4b8aa7ef4023a5a04668.png
[image 7]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/cf7a1a2d0d1345a890f589f6189240a3.png
[image 8]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/bd392ff8a03b4894a05d1186657893ee.png
[image 9]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/5da7ffd66c834223a68329fcda3a80f1.png
[image 10]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f095e20478bb4c2899553e9e30043556.png
[image 11]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/b1bd17ed0f7948a29597ee50f359b5a3.png
[image 12]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/a557873d04504500af7c79093fb30853.png
[image 13]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/df7b20ebc6174b5cbd9678c59e669496.png
[image 14]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/3de00429c6cb49158f58640463baae32.png
[image 15]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/e2953434e7eb47caafbcafb49f3e0ddc.png
[image 16]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/26397bd368844c4e978824d46d711197.png
[image 17]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/2182b88f97654580aedcf2d4aeba4bc6.png
[image 18]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/b34ba5a56ce0431b9991d719a25417d6.png
[image 19]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/7c2f66f4c2d24b789091e5d4257801f4.png
[image 20]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/29ecd909697a43919f5fbd53aa3d3f36.png
[image 21]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/49498382d1de4c7d8d42594ec83a6f40.png
[image 22]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/8b18618c28a944cd9d9845dbd2f7c7e2.png
[image 23]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/2c452137f11c42f08bb61744d12e1220.png
[image 24]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/fec4fad7141c44acbd28fd6fe5ccf492.png
[image 25]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/5ce51f0f05dc47d4aa537169a694d548.png
[image 26]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/9dac3c0e672542f5988a09fa24f99d72.png
[image 27]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/2e9f5fd556074b2c868f27a8c5bbf8a2.png