vulnhub靶机练习之Stapler 1

探测靶机

将ovf文件导入VirtualBox：

拓展知识：查看文件的校验码
查看ovf文件的hash值：certutil.exe -hashfile .\Stapler.ovf

kali机器和靶机都设置为桥接模式：

kali机器的IP为：192.168.1.20。

kali@kali:~$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:1f:30:76 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.20/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
       valid_lft 3558sec preferred_lft 3558sec
    inet6 240e:39a:186:e200:ec6d:db1d:6a19:e445/64 scope global temporary dynamic 
       valid_lft 259160sec preferred_lft 86206sec
    inet6 240e:39a:186:e200:a00:27ff:fe1f:3076/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 259160sec preferred_lft 172760sec
    inet6 fe80::a00:27ff:fe1f:3076/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

arp-scan扫描结果如下，根据靶机的MAC地址，确认靶机IP为：192.168.1.19。

kali@kali:~$ sudo arp-scan -l
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 08:00:27:1f:30:76, IPv4: 192.168.1.20
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1     44:a1:91:05:b1:e3       HUAWEI TECHNOLOGIES CO.,LTD
192.168.1.14    bc:a8:a6:ec:08:06       Intel Corporate
192.168.1.19    08:00:27:a5:22:5a       PCS Systemtechnik GmbH
192.168.1.6     60:14:66:b4:f8:f8       zte corporation
192.168.1.5     28:16:a8:64:e4:4e       Microsoft Corporation
192.168.1.11    78:0f:77:fd:01:b4       HangZhou Gubei Electronics Technology Co.,Ltd

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.160 seconds (118.52 hosts/sec). 6 responded

nmap扫描

nmap扫描结果如下：nmap -T4 -A -vvv -p- 192.168.1.19这条命令扫描出的结果更全面。我们发现靶机开放的端口很多，包括：21（ftp服务）、22（ssh服务）、53（dns服务）、80（http服务）、139（smb服务）、666（未知服务）、3306（mysql服务）、12380（http服务）。

kali@kali:~$ nmap -T4 -A -vvv -p- 192.168.1.19
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 07:57 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed                                                               
NSE: Starting runlevel 2 (of 3) scan.                                                               
Initiating NSE at 07:57                                                                             
Completed NSE at 07:57, 0.00s elapsed                                                               
NSE: Starting runlevel 3 (of 3) scan.                                                               
Initiating NSE at 07:57                                                                             
Completed NSE at 07:57, 0.00s elapsed                                                               
Initiating Ping Scan at 07:57                                                                       
Scanning 192.168.1.19 [2 ports]                                                                     
Completed Ping Scan at 07:57, 0.00s elapsed (1 total hosts)                                         
Initiating Parallel DNS resolution of 1 host. at 07:57
Completed Parallel DNS resolution of 1 host. at 07:57, 6.52s elapsed
DNS resolution of 1 IPs took 6.52s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 07:57
Scanning 192.168.1.19 [65535 ports]
Discovered open port 3306/tcp on 192.168.1.19
Discovered open port 21/tcp on 192.168.1.19
Discovered open port 22/tcp on 192.168.1.19
Discovered open port 139/tcp on 192.168.1.19
Discovered open port 53/tcp on 192.168.1.19
Discovered open port 80/tcp on 192.168.1.19
Connect Scan Timing: About 22.87% done; ETC: 08:00 (0:01:45 remaining)
Connect Scan Timing: About 41.39% done; ETC: 08:00 (0:01:26 remaining)
Discovered open port 12380/tcp on 192.168.1.19
Connect Scan Timing: About 60.60% done; ETC: 08:00 (0:00:59 remaining)
Discovered open port 666/tcp on 192.168.1.19
Completed Connect Scan at 08:00, 132.12s elapsed (65535 total ports)
Initiating Service scan at 08:00
Scanning 8 services on 192.168.1.19
Completed Service scan at 08:00, 11.19s elapsed (8 services on 1 host)
NSE: Script scanning 192.168.1.19.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:00
NSE: [ftp-bounce 192.168.1.19:21] PORT response: 500 Illegal PORT command.
NSE Timing: About 99.91% done; ETC: 08:00 (0:00:00 remaining)
Completed NSE at 08:00, 31.04s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:00
Completed NSE at 08:00, 0.04s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:00
Completed NSE at 08:00, 0.00s elapsed
Nmap scan report for 192.168.1.19
Host is up, received syn-ack (0.0018s latency).
Scanned at 2020-03-06 07:57:52 EST for 181s
Not shown: 65523 filtered ports
Reason: 65523 no-responses
PORT      STATE  SERVICE     REASON       VERSION
20/tcp    closed ftp-data    conn-refused
21/tcp    open   ftp         syn-ack      vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.1.20
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         syn-ack      OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/xrBbi5hixT2B19dQilbbrCaRllRyNhtJcOzE8x0BM1ow9I80RcU7DtajyqiXXEwHRavQdO+/cHZMyOiMFZG59OCuIouLRNoVO58C91gzDgDZ1fKH6BDg+FaSz+iYZbHg2lzaMPbRje6oqNamPR4QGISNUpxZeAsQTLIiPcRlb5agwurovTd3p0SXe0GknFhZwHHvAZWa2J6lHE2b9K5IsSsDzX2WHQ4vPb+1DzDHV0RTRVUGviFvUX1X5tVFvVZy0TTFc0minD75CYClxLrgc+wFLPcAmE2C030ER/Z+9umbhuhCnLkLN87hlzDSRDPwUjWr+sNA3+7vc/xuZul
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQB5n5kAZPIyHb9lVx1aU0fyOXMPUblpmB8DRjnP8tVIafLIWh54wmTFVd3nCMr1n5IRWiFeX1weTBDSjjz0IY=
|   256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9wvrF4tkFMApswOmWKpTymFjkaiIoie4QD0RWOYnny
53/tcp    open   domain      syn-ack      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        syn-ack      PHP cli server 5.5 or later
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
123/tcp   closed ntp         conn-refused
137/tcp   closed netbios-ns  conn-refused
138/tcp   closed netbios-dgm conn-refused
139/tcp   open   netbios-ssn syn-ack      Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   tcpwrapped  syn-ack
3306/tcp  open   mysql       syn-ack      MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 10
|   Capabilities flags: 63487
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, Support41Auth, ConnectWithDatabase, SupportsCompression, SupportsTransactions, LongPassword, ODBCClient, LongColumnFlag, Speaks41ProtocolOld, FoundRows, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: e~\x1C\x1EUPi .vp;2F0oI#IW
|_  Auth Plugin Name: mysql_native_password
12380/tcp open   http        syn-ack      Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 1s, median: 7h59m58s
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   RED<00>              Flags: <unique><active>
|   RED<03>              Flags: <unique><active>
|   RED<20>              Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 15772/tcp): CLEAN (Timeout)
|   Check 2 (port 4705/tcp): CLEAN (Timeout)
|   Check 3 (port 17120/udp): CLEAN (Failed to receive data)
|   Check 4 (port 35387/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2020-03-06T21:00:22+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-06T21:00:21
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:00
Completed NSE at 08:00, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:00
Completed NSE at 08:00, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:00
Completed NSE at 08:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 181.33 seconds

看看666端口

在浏览器输入url：http://192.168.1.19:666/
页面返回结果是以PK开头的一长串乱码，说明这是一个zip文件。

于是我们通过wget将这个zip文件下载到本地。

kali@kali:~$ wget http://192.168.1.19:666 -O 666.zip
--2020-03-06 08:13:03--  http://192.168.1.19:666/
Connecting to 192.168.1.19:666... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified
Saving to: ‘666.zip’

666.zip                      [ <=>                               ]  11.34K  --.-KB/s    in 0s      

2020-03-06 08:13:03 (46.3 MB/s) - ‘666.zip’ saved [11608]

解压这个zip文件，得到一张图片。

1
2
3

kali@kali:~$ unzip 666.zip 
Archive:  666.zip
  inflating: message2.jpg

打开图片看看：

查看这张图片的详情：

kali@kali:~$ strings message2.jpg 
JFIF
vPhotoshop 3.0
8BIM
1If you are reading this, you should get a cookie!
8BIM
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
        #3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
/<}m
>,xr?
u-o[
Sxw]
v;]>
|_m7
l~!|0
<Elu
I[[k:>
>5[^k
;o{o
>xgH
mCXi
PE<R"
umcV
g[Y@=
[\Y_
\Oku
'X|(
?=?i
//Do
1okb
,>,&
n<;oc
*?      xC
~ |y
6{M6

12380端口有什么

我们发现12380端口可以使用http和https打开。看了http的网页源码没发现什么有价值的内容。

于是，使用nikto扫描这个https端口，扫描结果如下：

kali@kali:~$ nikto -host https://192.168.1.19:12380/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.19
+ Target Hostname:    192.168.1.19
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2020-03-06 08:31:20 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.1.19' does not match certificate's names: Red.Initech
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2020-03-06 08:35:08 (GMT-5) (228 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

我们发现这几个路径：/admin112233/、/blogblog/、/phpmyadmin/。
访问url：https://192.168.1.19:12380/admin112233/ 这就是个整蛊游戏，不管它。

访问url：https://192.168.1.19:12380/blogblog/ 这是博客。

访问url：https://192.168.1.19:12380/phpmyadmin/ 这是php管理后台。

博客

我们使用wpscan爆破博客相关的url路径。

kali@kali:~$ wpscan --url https://192.168.1.19:12380/blogblog --disable-tls-checks
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: https://192.168.1.19:12380/blogblog/
[+] Started: Fri Mar  6 08:54:38 2020

Interesting Finding(s):

[+] https://192.168.1.19:12380/blogblog/
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] https://192.168.1.19:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://192.168.1.19:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: https://192.168.1.19:12380/blogblog/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: https://192.168.1.19:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] https://192.168.1.19:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://192.168.1.19:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://192.168.1.19:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
 | Location: https://192.168.1.19:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2019-12-08T00:00:00.000Z
 | Readme: https://192.168.1.19:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.4.4
 | Style URL: https://192.168.1.19:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.1.19:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=======================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Fri Mar  6 08:54:42 2020
[+] Requests Done: 66
[+] Cached Requests: 5
[+] Data Sent: 14.362 KB
[+] Data Received: 14.436 MB
[+] Memory used: 168.039 MB
[+] Elapsed time: 00:00:03

从爆破出来的url中，发现wordpress有一个存在漏洞的插件。https://192.168.1.19:12380/blogblog/wp-content/plugins/

待续

21端口ftp服务

用户名：anonymous，密码：Harry

enum4linux

kali@kali:~$ enum4linux -A 192.168.1.19

S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

最终获取到这些本地用户名。
待续