Programming knowledge cdmana.com

Summary of Windows privilege escalation

When a low-privileged user lands on an unfamiliar Windows machine, whether the goal is to escalate privileges or to do something afterwards, the first step is to collect as much information as possible. Know the enemy and know yourself, and you will never be defeated.

Routine information gathering

systeminfo  query system information
hostname  show the host name
net user  list user accounts
netstat -ano | find "3389"  find the PID of the service listening on port 3389
wmic os get caption  show the operating system name
wmic qfe get Description,HotFixID,InstalledOn  list installed patches
wmic product get name,version  list installed programs
wmic service list brief  list local services
wmic process list brief  list local processes
net share  list local shares
netsh firewall show config  show the firewall configuration

Common antivirus and endpoint-protection processes are as follows:

360sd.exe  360 Antivirus
360tray.exe  360 real-time protection
ZhuDongFangYu.exe  360 active defense
KSafeTray.exe  Kingsoft Guard
SafeDogUpdateCenter.exe  SafeDog
McShield.exe  McAfee
egui.exe  NOD32
AVP.exe  Kaspersky
avguard.exe  Avira AntiVir
bdagent.exe  BitDefender

The information to collect is as follows:

The operating system of the machine and its version
The patches installed on the machine
The services installed on the machine
The firewall policy configured on the machine
The protection software running on the machine

Privilege escalation methods

With enough information gathered, privilege escalation can be carried out in a targeted way. Some methods are listed below.

Kernel exploits

This approach relies on the system version and patch information to exploit vulnerabilities in the system itself; see the link: https://github.com/SecWiki/wi...
To check for vulnerabilities, see the link: https://github.com/ianxtianxt...
Another reference: https://github.com/brianwrf/W...
msf has many built-in exploits.

Windows-Exploit-Suggester
Windows ClientCopyImage Win32k exploit
Windows TrackPopupMenu Win32k NULL pointer dereference
Windows privilege escalation via KiTrap0D
Windows Escalate Task Scheduler XML privilege escalation
MS16-016 mrxdav.sys WebDAV local privilege escalation
EPATHOBJ::pprFlattenRec local privilege escalation
MS13-053: NTUserMessageCall Win32k kernel pool overflow
MS16-032 Secondary Logon Handle privilege escalation
RottenPotato privilege escalation

The exploitation flow is shown in the figure below:
[figure]

Using the at command

On Windows 2000, Windows 2003 and Windows XP, the at command can be used to escalate to SYSTEM privileges.
at is a command-line tool for creating scheduled tasks, and its syntax is fairly simple. Scheduled tasks created with at run with SYSTEM privileges by default on Windows. The scheduled task can be a batch file or a binary. The "/interactive" switch enables interactive (desktop) mode:
[figure]
After obtaining a SYSTEM cmd, run taskmgr to open Task Manager, which now runs as SYSTEM; kill the explorer process, then create a new explorer process from Task Manager to obtain a SYSTEM desktop environment.
[figure]
Alternatively, generate a payload file with msf and run it through the at command; the resulting session will have SYSTEM privileges.

Using the sc command

Applies to Windows 7/8, Server 2003/2008 and Server 2012/2016.
sc is a command-line program used to communicate with the Service Control Manager and with services. Its functionality is similar to the "Services" item under "Administrative Tools" in the "Control Panel".
sc create syscmd binPath= "cmd /K start" type= own type= interact

This command creates a new interactive cmd service named syscmd. Running the following command then gives a cmd environment with SYSTEM privileges:

sc start syscmd

Unattended installs

Unattended installation allows programs to be installed automatically without an administrator's attention. This approach is used in larger organisations with many employees and tight schedules to deploy programs. If the administrator does not clean up afterwards, an XML file named Unattend remains on the system. This XML file contains all the configuration used during installation, including configuration for local users and for the administrator account.
Searching the whole system for Unattend files is a good approach; they are usually in one of the following folders:

C:\Windows\Panther
C:\Windows\Panther\Unattend
C:\Windows\System32
C:\Windows\System32\sysprep

Besides Unattend.xml, also look for sysprep.xml and sysprep.inf on the system; these files contain the credentials used during deployment, which can help with privilege escalation.

C:\Users\user\Desktop> dir C:\*vnc.ini /s /b /c
# Or files with a keyword in their name:
C:\Users\user\Desktop> dir C:\ /s /b /c | findstr /sr *password*
# Or search file contents for keywords such as password:
C:\Users\user\Desktop> findstr /si password *.txt *.xml *.ini
# The registry can also be queried, for example for the string password:
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

These files usually contain user names and passwords. The password is base64-encoded with the string "Password" appended, so after decoding the base64 the trailing "Password" has to be removed to obtain the real password.
[figure]
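An added example, not part of the original post: a small Python audit that parses a constructed Unattend.xml fragment, reports every leftover credential, and undoes the encoding described above (base64 of the password with "Password" appended). It handles both the UTF-16LE form that the Windows image tooling writes and plain UTF-8; the file content, the account name "deploy" and all values are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample of a leftover answer file; not taken from any real system.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <UserAccounts>
    <AdministratorPassword>
      <Value>Summer2020!</Value>
      <PlainText>true</PlainText>
    </AdministratorPassword>
    <LocalAccounts>
      <LocalAccount>
        <Name>deploy</Name>
        <Password>
          <Value>UABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </Password>
      </LocalAccount>
    </LocalAccounts>
  </UserAccounts>
</unattend>"""

def _local(tag):  # drop the unattend XML namespace from a tag name
    return tag.split("}", 1)[-1]

def _child_text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), None)

def recover_password(value, plaintext):
    """Undo the obfuscation: base64 of the password with "Password" appended."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    # Image tooling encodes the UTF-16LE string; fall back to UTF-8 (assumption).
    text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
    return text[:-len("Password")] if text.endswith("Password") else text

def find_credentials(xml_text):
    # Returns (context, recovered value) for every credential left in the file.
    parent = {c: p for p in ET.fromstring(xml_text).iter() for c in p}
    found = []
    for el, par in parent.items():
        if _local(el.tag) not in ("Password", "AdministratorPassword"):
            continue
        value = _child_text(el, "Value")
        if value:  # a missing PlainText element is treated as encoded (assumption)
            plaintext = (_child_text(el, "PlainText") or "false").lower() == "true"
            context = _local(par.tag)
            if context == "LocalAccount":
                context += ":" + (_child_text(par, "Name") or "?")
            found.append((context, recover_password(value, plaintext)))
    return found
```

Any non-empty result means the answer file still carries deployment credentials and should be deleted or sanitised.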

DLL hijacking

Windows programs need DLLs when they start. If one of these DLLs does not exist, a malicious DLL placed in a location the application searches can be used to escalate privileges.
Usually, Windows applications have a predefined DLL search path, which is searched in the following order:

1. The directory the application was loaded from
2. The 32-bit system directory (C:\Windows\System32)
3. The 16-bit system directory (C:\Windows\System)
4. The Windows directory (C:\Windows)
5. The current working directory (CWD)
6. The directories in the PATH environment variable (system first, then user)

The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ServiceName\Parameters can be queried to see which DLLs a service loads, or the binary can be loaded into IDA and searched for LoadLibrary calls. Also be sure to check the DLL calls made by the DLLs themselves!
Once a vulnerable DLL call is found, check the file system for that DLL:

C:\> dir vulnerable.dll /s

Also note that a DLL that cannot be found does not necessarily not exist; it may simply be in a directory the current user account cannot view.
Finally, to carry out DLL hijacking, you need write access somewhere in the directory hierarchy: the directory of the original .dll itself, the CWD, or a PATH directory, in order to write the test DLL there.
PATH is an environment variable that defines where the command interpreter looks for executables when a command is issued. Modifying PATH and writing the .dll into a PATH directory allows DLL hijacking, because the process searches PATH for the .dll file.
Some Windows services known to have DLL hijacking vulnerabilities are:

IKE and AuthIP IPsec Keying Modules (IKEEXT): wlbsctrl.dll
Windows Media Center Receiver Service (ehRecvr): ehETW.dll
Windows Media Center Scheduler Service (ehSched): ehETW.dll
Automatic Updates (wuauserv): ifsproxy.dll
Remote Desktop Help Session Manager (RDSessMgr): SalemHook.dll
Remote Access Connection Manager (RasMan): ipbootp.dll
Windows Management Instrumentation (winmgmt): wbemcore.dll
Audio Service (STacSV): SFFXComm.dll SFCOM.DLL
Intel Rapid Storage Technology (IAStorDataMgrSvc): DriverSim.dll
Juniper Unified Network Service (JuniperAccessService): dsLogService.dll
EnCase Enterprise Agent: SDDisk.dll

Many tools and frameworks make privilege escalation easier:

Metasploit
Sherlock
windows-privesc-check
Windows-Exploit-Suggester
PowerUp, now part of PowerSploit
Nishang

Below, PowerUp finds a potential DLL hijacking vulnerability. Usually, PowerUp's Write-HijackDll function is used to write the malicious DLL, and the application is then restarted. When the application starts, it loads the malicious DLL and runs our code with higher privileges.
[figure]

Unquoted service paths

When a system administrator configures a Windows service, they must specify the command to execute, or the path to the executable to run; the location of the binary to run is stored in the binPath property.
When a Windows service runs, one of two things happens. If an executable is given with its full path in quotes, the system interprets it literally and executes it. However, if the binary path of the service is not quoted, the operating system executes the first instance it finds of the space-separated service path.
If binPath is set like this:
C:\Program Files\Unquoted Path Service\Common Files\service.exe
Windows will search in the following order:

1.  C:\Program.exe
2.  C:\Program Files\Unquoted.exe
3.  C:\Program Files\Unquoted Path.exe
4.  C:\Program Files\Unquoted Path Service\Common.exe
5.  C:\Program Files\Unquoted Path Service\Common Files\service.exe

In other words, without quotes, a malicious binary whose name matches the first file-system object name (including the space in its name) runs when the service tries to execute its binary. All that is needed is write access to a directory in the path.

A command that finds these misconfigurations:

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

PowerUp can also be used:
[figure]
Similarly, if a low-privileged user has write access to the folder containing the binary, they can upload a malicious file and rename it to replace the legitimate one. If the user can modify the service configuration, binPath can be changed directly to point at a malicious file.
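As an added audit example (not from the original post), the following Python reproduces the search order shown above for any unquoted binPath and applies the same filters as the wmic | findstr pipeline (automatic start, outside the Windows directory, not quoted) to constructed sample output of `wmic service get name,pathname,startmode /format:csv`, so an administrator can list the services whose paths need quoting. The host name, service names and paths are constructed.

```python
# Constructed sample output of: wmic service get name,pathname,startmode /format:csv
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST1,GoodSvc,"C:\Program Files\Good Vendor\svc.exe",Auto
HOST1,UnquotedSvc,C:\Program Files\Unquoted Path Service\Common Files\service.exe -k run,Auto
HOST1,NoSpaceSvc,C:\Tools\agent.exe,Auto
HOST1,ManualSvc,C:\Program Files\Some Vendor\maint.exe,Manual
HOST1,SysSvc,C:\Windows\System32\svchost.exe -k netsvcs,Auto
"""

def executable_part(pathname):
    """Cut arguments off a binPath: everything up to and including the first '.exe'."""
    idx = pathname.lower().find(".exe")
    return pathname if idx < 0 else pathname[:idx + 4]

def is_unquoted_with_spaces(pathname):
    """True when the executable path is not wrapped in quotes and contains a space."""
    p = pathname.strip()
    return not p.startswith('"') and " " in executable_part(p)

def candidate_paths(pathname):
    """Files Windows tries, in order, before reaching the intended executable."""
    exe = executable_part(pathname.strip())
    cands = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    cands.append(exe)
    return cands

def find_unquoted_services(wmic_csv, auto_only=True):
    """Same filters as the findstr pipeline: Auto start, outside the Windows dir, unquoted."""
    findings = []
    for line in wmic_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue
        _node, name, rest = line.split(",", 2)
        pathname, startmode = rest.rsplit(",", 1)
        if auto_only and startmode.lower() != "auto":
            continue
        if pathname.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(pathname):
            findings.append((name, candidate_paths(pathname)))
    return findings

if __name__ == "__main__":
    for name, cands in find_unquoted_services(SAMPLE_WMIC_CSV):
        print(name)
        for c in cands:
            print("   ", c)
```

Each listed candidate is a file name that must not be creatable by unprivileged users; the fix is to quote the path with sc config or to restrict write access on those directories.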

More can be found at the following links:
https://www.cnblogs.com/-mo-/...
https://bbs.pediy.com/thread-...
https://xz.aliyun.com/t/2519#...

Copyright notice
This article was written by [Chang'an rebellion]; please include a link to the original when reposting. Thank you.
