Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Delegation Writeup

0x1 Info

The shooting range address: https://yunjing.icunqiu.com/ranking/summary?id=BzMFNFpvUDU The shooting range environment from the web to the intranet to the domain is complete, and the idea of setting questions is very good. If you are interested, you can go and play.

0x2 Recon

Target external IP39.98.34.149Nmap results Follow the http service on port 80, directory blast (omitted) find /admin Use weak password to log in to the background, go to the template page, edit header.html, add php in a sentence

\Username : admin, Password: 123456

Command execution

0x03 Entry point: 172.22.4.36

shell

Quickly go through: The entry machine has no special things and cannot raise the permissions to root (not need to raise the permissions to root). Stapbpf suid failed to use

Find diff suid flag01diff --line-format=%L /dev/null /home/flag/flag01.txt flag01 There is a prompt for username WIN19\Adrian hanging agent scanning 445

Get the information of three machines 172.22.4.19 fileserver.xiaorang.lab

172.22.4.7 DC01.xiaorang.lab

172.22.4.45 win19.xiaorang.lab

Use Flag01 prompt username + rockyou.txt to explode, and create valid credentials (prompt password expires) win19\Adrian babygirl1xfreerdp Remote login to win19 and then change password

0x04 Pwing WIN19 - 172.22.4.45

Preface: The current machine has no domain credentials except the machine account, so you need to raise the authority to obtain the machine account at the system.

There are prompts on the desktop Follow this column. The current user Adrian has full control over the registry Elevated rights

msfvenom generates service horse, execute sam.bat

sam.bat

Modify the registry and enable the service, and then the desktop will get sam, security, system Get Administrator + Machine Account Credentials Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:

$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:917234367460f3f2817aa4439f97e636

flag02 Collection of domain information using machine account

0x05 DC takeover - 172.22.4.7

Analysis Bloodhound, and found that WIN19 + DC01 is both non-constrained delegation Login to enter WIN19 using Administrator, deploy rubeus Use DFSCoerce to force trigger back to win19 and get the TGT of DC01 Base64's tgt decoding is DC01.kirbi DCSync Get domain management credentials psexec - flag04

0x06 Fileserver takeover - 172.22.4.19

psexec - flag03

0x07 Outro

Thanks to Master Alphabug for the tip (0x03 -0x04), my brother has finished the entry point, I just followed in and thanked Master Jiu for his cooperation original link: https://www.freebuf.com/articles/web/352151.html