Note-51552-28

{
  "title": "一个供应链突破案例",
  "tags": [
    "post",
    "渗透测试"
  ],
  "sources": [
    "xlog"
  ],
  "external_urls": [
    "https://s4u2self.cc/yi-ge-gong-ying-lian-tu-po-an-li-md"
  ],
  "date_published": "2023-04-07T09:12:24.899Z",
  "content": "某护网行动，通过企查查收集到了该单位的招投标信息。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470385-e558e43a-7208-4b5b-884a-fb1a7cba45a5.png#averageHue=%23fdfcfc&from=url&id=FUpby&originHeight=590&originWidth=801&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />通过对该中标公司进行渗透测试，发现在其IP段里面存在一个Confluence，刚好有漏洞的版本，随即拿下。<br />‍<br />系统为2008R2，X64<br />发现有360全家桶，权限nt authority\\network service。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470496-538e813b-917d-4ab3-b475-9d70794ed8d0.png#averageHue=%23000000&from=url&id=pSMSG&originHeight=481&originWidth=455&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />这个权限限制的比较死，试了一下360有点铁，没绕过去，当时有点抽风，执行exe直接无回显了。<br />然后考虑提权上3389再说。<br />‍\n## 0x02\n翻目录的时候发现todesk，利用todesk替换获得明文密码，连上去后发现管理员注销了。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470597-a48c159c-39f1-4a2e-9685-9eabd35f78a3.png#averageHue=%238396a3&from=url&id=StYFb&originHeight=860&originWidth=1062&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />不过当时发现存在guest用户，登录后考虑去提权，想的是使用1388去提权，但是好像guest没有基础system的权限，利用失败了，IE没弹出来。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470752-b7cce216-2ab4-44c7-bf06-07f577347068.png#averageHue=%23d2d0c7&from=url&id=cmyOO&originHeight=778&originWidth=922&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />使用bypassUAC也失败了，找不到白名单的程序，猜测应该还是和guest有关。<br />用guest权限去本地提权基本上全拉砸。<br />‍<br />最终发现该机器存在sqlps，在webshell中使用sqlps执行命令以network service权限上线到CS中。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470915-6f5ca5dc-92ea-4d68-b2f5-c7f2e0186a1c.png#averageHue=%23a4d6a7&from=url&id=fNkEb&originHeight=63&originWidth=1663&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />在CS中用土豆提权成功，这个土豆模块此处有一个坑，权限处于薛定谔状态。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471127-b2458484-ec15-4f3c-b635-26f844d95798.png#averageHue=%23aee2b4&from=url&id=KJFL5&originHeight=46&originWidth=1305&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />此处出现了一个状况，就是去导密码的时候提示我不是管理员用户，CS明确了权限为system。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471270-3c79ca9a-42af-4efd-9a5e-d6e095afb9aa.png#averageHue=%230c0a08&from=url&id=XETYO&originHeight=212&originWidth=773&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />查看CS会话的时候发现还是原来的网络权限。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471406-1e2676fa-461c-417b-a783-034c1c924e81.png#averageHue=%23060505&from=url&id=QM3l2&originHeight=259&originWidth=373&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />后来使用进程注入重新注入了一个system的进程权限。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471515-8188bf9e-d594-4e5b-805e-573fa6d715c4.png#averageHue=%23050404&from=url&id=qI8vj&originHeight=287&originWidth=368&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />然后使用mimikatz导出密码。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471753-54ab502f-d814-4bad-946e-58ea428add8b.png#averageHue=%23050404&from=url&id=SYpDb&originHeight=489&originWidth=616&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />获得密码之后不做代理了，直接用todesk登录该用户。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471891-bf38be04-ae2f-4fa0-abd6-1ccd9b9ba303.png#averageHue=%23f6f6f5&from=url&id=RPTH7&originHeight=614&originWidth=901&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />我宣布，我才是最后的赢家，办法总比困难多。<br />‍<br />‍\n## 内网\n内网就简单了，收集了一下本机的信息，在知识库也翻到了想要的东西。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858472015-ae554176-86b7-4094-8b92-d2bfe17b04da.png#averageHue=%23efede5&from=url&id=mtCDD&originHeight=611&originWidth=1174&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />同时在项目开发进度文档中获得了直连该单位的VPN账号密码。<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858472109-5e665351-ca85-4e61-8d7b-49b96a241bb9.png#averageHue=%23b4c684&from=url&id=oDKDO&originHeight=412&originWidth=894&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />堡垒机权限<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858472212-6cb6dd00-ab91-4c01-a0fd-40ef705d9407.png#averageHue=%23d3dbd2&from=url&id=P8Dx4&originHeight=577&originWidth=1210&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />‍<br />结束，没啥特别的亮点。\n",
  "attributes": [
    {
      "value": "yi-ge-gong-ying-lian-tu-po-an-li-md",
      "trait_type": "xlog_slug"
    }
  ]
}