Ichunqiu 云境 (Yunjing): Exchange Writeup
Posted: 2023-3-2 19:47
Author: 小离-xiaoli
0x00 Intro
- OSCP-style penetration test, without C2 frameworks or MSF-type tooling
- The box is not very difficult
0x01 Info
- Tag: JDBC, Exchange, NTLM, Coerce Authentication, DCSync
0x02 Recon
Target external IP
39.98.179.149
Nmap results
Go straight to port 8000; I had already hammered port 80 earlier and found nothing, so it gets skipped.
It is 华夏ERP (Huaxia ERP), which has plenty of known vulnerabilities. I was stuck on the entry point for a long time until I noticed JDBC; a quick Google search turned up this article by the big guy:
Fastjson高版本的奇技淫巧 (tricks for newer Fastjson versions) - Bmth (bmth666.cn). Build the payload from it.
Configure MySQL_Fake_Server
Unauthenticated access combined with MySQL Connector JDBC deserialization gives RCE directly.
After RCE, Flag01 is obtained directly.
0x03 Entry point: 172.22.3.12
An SMB scan of the internal hosts shows the Exchange keyword (EXC01); try accessing it.
172.22.3.9 is the Exchange server.
ProxyLogon takes it down outright, giving SYSTEM privileges.
flag02 (the subsequent credential collection is skipped here)
0x04 Entry point: 172.22.3.9
- Fast-forward 1: the Exchange machine account's hash has already been collected
- Fast-forward 2: a domain account credential has also been collected: Zhangtong
Through the steps above we already have the Exchange machine account's hash. In this domain the Exchange machine account has WriteDacl over the whole domain object, so we simply use dacledit.py to grant Zhangtong DCSync rights (you could just as well grant them to your own account).
DCSync, obtaining the hashes of the domain admin and of the user lumia.
Log into 172.22.3.2 to get flag04.
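Detection side of the DCSync step above, as an added example that is not part of the original writeup: it scans Security event 4662 records for the directory-replication extended rights and reports any account that is not a known domain controller. The event records, the field names used, and the DC allow-list (DC01$) are constructed assumptions.

```python
# Added example (not from the writeup): detector for DCSync-style replication
# by non-DC accounts, based on Windows Security event 4662.

# Extended-right GUIDs written to the Properties field of event 4662 when an
# account replicates directory changes, which is what DCSync relies on.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allow-list: only DC machine accounts are expected to replicate.
KNOWN_DC_ACCOUNTS = {"DC01$"}

# Constructed 4662 records carrying a few fields of the real event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Zhangtong", "AccessMask": "0x100",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "lumia", "AccessMask": "0x20",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(event):
    """Return the names of replication rights present in one 4662 record."""
    # 0x100 is the Control Access mask that accompanies extended rights.
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return []
    props = event.get("Properties", "").lower()  # GUID case varies in logs
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def dcsync_alerts(events, known_dcs):
    """List (account, rights) for replication performed by non-DC accounts."""
    alerts = []
    for event in events:
        rights = replication_rights_in(event)
        account = event.get("SubjectUserName", "")
        if rights and account not in known_dcs:
            alerts.append((account, rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_alerts(SAMPLE_EVENTS, KNOWN_DC_ACCOUNTS):
        print(f"ALERT: {account} exercised {', '.join(rights)}")
```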
0x05 Final: 172.22.3.26
In the Lumia user's folder on 172.22.3.26 there is a secret.zip.
Pass-the-hash straight into Exchange and export all of the mail and attachments in Lumia's mailbox.
item-0.eml hints that the password is a phone number.
Conveniently, the exported attachments include a CSV full of phone numbers.
Routine work: convert the archive to a pkzip-format hash and run it against that list, which recovers the password.
0x06 Outro
- For the Exchange post-exploitation part, the author's intent was for us to complete the DCSync privilege escalation with NTLM relay: after obtaining Exchange SYSTEM privileges, trigger a WebDAV callback and relay it to LDAP. I did not try that here; if you are interested, see my previous article, Spoofing.
- For logging into Exchange as the Lumia user, the author also intended for you to change Lumia's password, but I was lazy and just did pass-the-hash.