{
"title": "A Supply-Chain Breakthrough Case",
"tags": [
"post",
"Penetration Testing"
],
"sources": [
"xlog"
],
"external_urls": [
"https://s4u2self.cc/yi-ge-gong-ying-lian-tu-po-an-li-md"
],
"date_published": "2023-04-07T09:12:24.899Z",
"content": "During a 护网 (HVV) operation, I collected the target organization's bid-and-tender records from 企查查 (Qichacha).<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470385-e558e43a-7208-4b5b-884a-fb1a7cba45a5.png#averageHue=%23fdfcfc&from=url&id=FUpby&originHeight=590&originWidth=801&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />A penetration test against the winning-bid contractor turned up a Confluence instance in its IP range running a vulnerable version, which I compromised straight away.<br /><br />The system was Windows Server 2008 R2, x64.<br />The 360 security suite was installed, and my privileges were nt authority\\network service.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470496-538e813b-917d-4ab3-b475-9d70794ed8d0.png#averageHue=%23000000&from=url&id=pSMSG&originHeight=481&originWidth=455&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />This account was tightly restricted. I tried to get past 360 but it was tough and I could not bypass it; it was also misbehaving at the time, and running an exe returned no output at all.<br />So I decided to escalate privileges and get onto 3389 first.<br />\n## 0x02\nWhile browsing directories I found ToDesk. Using the ToDesk replacement trick I obtained a plaintext password, but after connecting I found the administrator had logged off.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470597-a48c159c-39f1-4a2e-9685-9eabd35f78a3.png#averageHue=%238396a3&from=url&id=StYFb&originHeight=860&originWidth=1062&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />However, there was a guest user. After logging in as guest I tried to escalate with the 1388 exploit, but guest apparently lacks the base privileges needed to reach SYSTEM, so the exploit failed: IE never popped up.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470752-b7cce216-2ab4-44c7-bf06-07f577347068.png#averageHue=%23d2d0c7&from=url&id=cmyOO&originHeight=778&originWidth=922&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />bypassUAC also failed, as I could not find a whitelisted program; I suspect this was again down to the guest account.<br />Local privilege escalation from guest was basically a total bust.<br /><br />Eventually I found that sqlps existed on the machine. From the webshell I used sqlps to execute commands and got a session in CS as network service.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858470915-6f5ca5dc-92ea-4d68-b2f5-c7f2e0186a1c.png#averageHue=%23a4d6a7&from=url&id=fNkEb&originHeight=63&originWidth=1663&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />In CS the potato escalation succeeded, but this potato module has a pitfall: the resulting privilege is in a Schrödinger state.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471127-b2458484-ec15-4f3c-b635-26f844d95798.png#averageHue=%23aee2b4&from=url&id=KJFL5&originHeight=46&originWidth=1305&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />Here a problem came up: when I went to dump credentials it told me I was not an administrator, even though CS clearly showed the privilege as SYSTEM.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471270-3c79ca9a-42af-4efd-9a5e-d6e095afb9aa.png#averageHue=%230c0a08&from=url&id=XETYO&originHeight=212&originWidth=773&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />Looking at the CS session, it still held the original network service privilege.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471406-1e2676fa-461c-417b-a783-034c1c924e81.png#averageHue=%23060505&from=url&id=QM3l2&originHeight=259&originWidth=373&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />I then used process injection to inject a fresh session into a SYSTEM process.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471515-8188bf9e-d594-4e5b-805e-573fa6d715c4.png#averageHue=%23050404&from=url&id=qI8vj&originHeight=287&originWidth=368&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />Then I dumped the passwords with mimikatz.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471753-54ab502f-d814-4bad-946e-58ea428add8b.png#averageHue=%23050404&from=url&id=SYpDb&originHeight=489&originWidth=616&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />With the password in hand I skipped setting up a proxy and logged in as that user directly through ToDesk.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858471891-bf38be04-ae2f-4fa0-abd6-1ccd9b9ba303.png#averageHue=%23f6f6f5&from=url&id=RPTH7&originHeight=614&originWidth=901&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />I hereby declare myself the final winner; there are always more solutions than problems.<br /><br />\n## Internal Network\nThe internal network was straightforward. I collected information on the local host and found what I was looking for in the knowledge base.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858472015-ae554176-86b7-4094-8b92-d2bfe17b04da.png#averageHue=%23efede5&from=url&id=mtCDD&originHeight=611&originWidth=1174&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />At the same time, a project development progress document yielded a VPN account and password that connected directly into the target organization.<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858472109-5e665351-ca85-4e61-8d7b-49b96a241bb9.png#averageHue=%23b4c684&from=url&id=oDKDO&originHeight=412&originWidth=894&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br />Bastion host access<br />![](https://cdn.nlark.com/yuque/0/2023/png/21847644/1680858472212-6cb6dd00-ab91-4c01-a0fd-40ef705d9407.png#averageHue=%23d3dbd2&from=url&id=P8Dx4&originHeight=577&originWidth=1210&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=)<br /><br />Done. Nothing particularly remarkable.\n",
"attributes": [
{
"value": "yi-ge-gong-ying-lian-tu-po-an-li-md",
"trait_type": "xlog_slug"
}
]
}