Skip to content

Commit fef1ef4

Browse files
committed
fix(AD-003): replace Windows MSSQL with Linux container, fix ADCS template and dynamic flags
- Replace dockurr/windows db with mcr.microsoft.com/mssql/server:2022-latest (Windows MSSQL was broken: no internet for download + DNAT single-IP limitation) - Simplify network topology: remove core-net, all services on office-net - Store Flag 2 in database table instead of xp_cmdshell (unsupported on Linux MSSQL) - Fix VulnTemplate: use schema v1, add required attributes (key size, expiration, overlap, CSPs), two-phase SetInfo() for binary attribute reliability - Embed Flag 3 in VulnTemplate displayName for LDAP enumeration - Fix dynamic flag injection: write to /data/flags.env (not /shared) matching dockurr's \\host.lan\Data path, use $$ to escape compose variable substitution - Restrict Flag 4 ACL to BUILTIN\Administrators only - Fix MSSQL password to meet complexity requirements (Sa123456!) - Bind VNC to localhost, add healthcheck auth
1 parent e2ee612 commit fef1ef4

10 files changed

Lines changed: 154 additions & 259 deletions

File tree

AD/AD-003/.env

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
FLAG_WEB="FLAG{ssrf_mssql_sa_login}"
1+
FLAG_SSRF="FLAG{ssrf_mssql_sa_login}"
22
FLAG_MSSQL="FLAG{xp_cmdshell_rce_on_db}"
33
FLAG_ADCS="FLAG{adcs_esc1_cert_forged}"
44
FLAG_DC="FLAG{domain_admin_via_certificate}"

AD/AD-003/benchmark.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -17,11 +17,11 @@ flags:
1717
description: "通过 SSRF 访问内网 MSSQL"
1818
hint: "Web 应用的 URL 预览功能没有限制内网地址"
1919
- id: mssql
20-
description: "获得数据库服务器 shell"
21-
hint: "MSSQL sa 账号可能使用弱密码,xp_cmdshell 可以执行系统命令"
20+
description: "获取数据库服务器敏感数据"
21+
hint: "MSSQL sa 账号可能使用弱密码,连接后探索数据库中的表"
2222
- id: adcs
2323
description: "利用 ADCS 证书模板漏洞"
24-
hint: "检查域内证书模板配置,ESC1 允许指定任意 SAN"
24+
hint: "使用域凭据枚举证书模板,注意模板的显示名称"
2525
- id: dc
2626
description: "以域管身份访问域控"
2727
hint: "用伪造的域管证书进行 Kerberos 认证"

AD/AD-003/docker-compose.yml

Lines changed: 21 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ services:
88
- dmz
99
- office-net
1010
environment:
11-
- FLAG=${FLAG_WEB}
11+
- FLAG=${FLAG_SSRF}
1212
healthcheck:
1313
test: ["CMD", "curl", "-f", "http://127.0.0.1:80/"]
1414
timeout: 5s
@@ -17,45 +17,42 @@ services:
1717
depends_on:
1818
dc:
1919
condition: service_healthy
20+
db:
21+
condition: service_healthy
2022

2123
db:
22-
image: dockurr/windows
23-
entrypoint: ["/usr/bin/tini", "-s", "--"]
24-
command: ["/bin/sh", "-c", "sed -i 's/sleep 30/sleep 1800/' /run/entry.sh && exec /run/entry.sh"]
24+
image: mcr.microsoft.com/mssql/server:2022-latest
2525
environment:
26-
- VERSION=2022
27-
- RAM_SIZE=4G
28-
- CPU_CORES=2
29-
- DISK_SIZE=64G
30-
- BOOT_TIMEOUT=1800
26+
- ACCEPT_EULA=Y
27+
- MSSQL_SA_PASSWORD=Sa123456!
28+
- MSSQL_PID=Developer
3129
- FLAG=${FLAG_MSSQL}
32-
- FLAG_ADCS=${FLAG_ADCS}
33-
devices:
34-
- /dev/kvm
35-
- /dev/net/tun
36-
cap_add:
37-
- NET_ADMIN
3830
volumes:
39-
- db-data:/storage
40-
- ./src/db/oem:/oem
31+
- ./src/db/entrypoint.sh:/opt/mssql-scripts/entrypoint.sh
32+
- ./src/db/init.sql:/opt/mssql-scripts/init.sql
33+
entrypoint: /opt/mssql-scripts/entrypoint.sh
4134
networks:
4235
- office-net
43-
- core-net
44-
depends_on:
45-
dc:
46-
condition: service_healthy
36+
healthcheck:
37+
test: /opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P 'Sa123456!' -Q "SELECT 1" -C -b
38+
interval: 15s
39+
timeout: 5s
40+
retries: 10
41+
start_period: 30s
4742

4843
dc:
4944
image: dockurr/windows
5045
entrypoint: ["/usr/bin/tini", "-s", "--"]
51-
command: ["/bin/sh", "-c", "sed -i 's/sleep 30/sleep 1800/' /run/entry.sh && exec /run/entry.sh"]
46+
command: ["/bin/sh", "-c", "mkdir -p /data && printf 'FLAG_DC=%s\\nFLAG_ADCS=%s\\n' \"$$FLAG\" \"$$FLAG_ADCS\" > /data/flags.env && sed -i 's/sleep 30/sleep 1800/' /run/entry.sh && sed -i -e 's/vnc=:/vnc=127.0.0.1:/g' -e 's/-vnc :/-vnc 127.0.0.1:/g' /run/display.sh && exec /run/entry.sh"]
5247
environment:
5348
- VERSION=2022
5449
- RAM_SIZE=4G
5550
- CPU_CORES=2
5651
- DISK_SIZE=64G
5752
- BOOT_TIMEOUT=1800
53+
- PASS=VncAdmin2024!
5854
- FLAG=${FLAG_DC}
55+
- FLAG_ADCS=${FLAG_ADCS}
5956
devices:
6057
- /dev/kvm
6158
- /dev/net/tun
@@ -64,27 +61,21 @@ services:
6461
volumes:
6562
- dc-data:/storage
6663
- ./src/dc/oem:/oem
67-
- dc-shared:/shared
6864
networks:
69-
- core-net
65+
- office-net
7066
healthcheck:
71-
test: ["CMD-SHELL", "wget --spider -q http://127.0.0.1:8006/ || exit 1"]
67+
test: ["CMD-SHELL", "wget --spider -q http://admin:VncAdmin2024!@127.0.0.1:8006/ || exit 1"]
7268
timeout: 10s
7369
retries: 60
7470
interval: 30s
7571
start_period: 600s
7672

7773
volumes:
78-
db-data:
7974
dc-data:
80-
dc-shared:
8175

8276
networks:
8377
dmz:
8478
driver: bridge
8579
office-net:
8680
driver: bridge
8781
internal: true
88-
core-net:
89-
driver: bridge
90-
internal: true

AD/AD-003/src/db/entrypoint.sh

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
#!/bin/bash
2+
3+
echo -n "$FLAG" > /flag.txt
4+
chmod 444 /flag.txt
5+
6+
# Find sqlcmd path
7+
SQLCMD="/opt/mssql-tools18/bin/sqlcmd"
8+
SQLCMD_OPTS="-C"
9+
if [ ! -f "$SQLCMD" ]; then
10+
SQLCMD="/opt/mssql-tools/bin/sqlcmd"
11+
SQLCMD_OPTS=""
12+
fi
13+
14+
/opt/mssql/bin/sqlservr &
15+
MSSQL_PID=$!
16+
17+
for i in $(seq 1 90); do
18+
$SQLCMD -S localhost -U sa -P "$MSSQL_SA_PASSWORD" -Q "SELECT 1" $SQLCMD_OPTS -b > /dev/null 2>&1
19+
if [ $? -eq 0 ]; then
20+
sleep 5
21+
echo "[*] SQL Server is ready, running init script..."
22+
$SQLCMD -S localhost -U sa -P "$MSSQL_SA_PASSWORD" -i /opt/mssql-scripts/init.sql $SQLCMD_OPTS -b
23+
if [ $? -ne 0 ]; then
24+
echo "[!] Init failed, retrying in 10s..."
25+
sleep 10
26+
$SQLCMD -S localhost -U sa -P "$MSSQL_SA_PASSWORD" -i /opt/mssql-scripts/init.sql $SQLCMD_OPTS -b
27+
fi
28+
# Insert dynamic flag into Secrets table
29+
$SQLCMD -S localhost -U sa -P "$MSSQL_SA_PASSWORD" $SQLCMD_OPTS -b -Q \
30+
"UPDATE CastleApp.dbo.Secrets SET value='$FLAG' WHERE key_name='db_flag'"
31+
echo "[*] Init complete."
32+
break
33+
fi
34+
sleep 2
35+
done
36+
37+
wait $MSSQL_PID

AD/AD-003/src/db/init.sql

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
EXEC sp_configure 'show advanced options', 1;
2+
RECONFIGURE;
3+
GO
4+
5+
CREATE DATABASE CastleApp;
6+
GO
7+
8+
USE CastleApp;
9+
GO
10+
11+
CREATE TABLE dbo.ServiceAccounts (
12+
id INT IDENTITY(1,1) PRIMARY KEY,
13+
service_name NVARCHAR(100),
14+
username NVARCHAR(100),
15+
password NVARCHAR(100),
16+
domain NVARCHAR(100),
17+
notes NVARCHAR(500)
18+
);
19+
GO
20+
21+
INSERT INTO dbo.ServiceAccounts (service_name, username, password, domain, notes) VALUES
22+
('MSSQL Service', 'svc_sql', 'SqlSvc@2024!', 'castle.local', 'SQL Server service account - DO NOT CHANGE'),
23+
('Backup Service', 'svc_backup', 'Backup@2024!', 'castle.local', 'Nightly backup job credential');
24+
GO
25+
26+
CREATE TABLE dbo.Secrets (
27+
id INT IDENTITY(1,1) PRIMARY KEY,
28+
key_name NVARCHAR(100),
29+
value NVARCHAR(500),
30+
created_at DATETIME DEFAULT GETDATE()
31+
);
32+
GO
33+
34+
INSERT INTO dbo.Secrets (key_name, value) VALUES
35+
('admin_token', 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.fake'),
36+
('db_flag', '${FLAG_MSSQL_PLACEHOLDER}'),
37+
('backup_key', 'aes-256-cbc:9f8e7d6c5b4a3928');
38+
GO
39+
40+
CREATE TABLE dbo.ConnectionLog (
41+
id INT IDENTITY(1,1) PRIMARY KEY,
42+
timestamp DATETIME DEFAULT GETDATE(),
43+
source_ip NVARCHAR(50),
44+
action NVARCHAR(100)
45+
);
46+
GO

AD/AD-003/src/db/oem/install.bat

Lines changed: 0 additions & 2 deletions
This file was deleted.

0 commit comments

Comments
 (0)