When a low-privileged user lands on an unfamiliar Windows machine, the first step, whether the goal is privilege escalation or what comes after it, is to gather as much information as possible. Know the enemy and know yourself, and you need not fear the outcome.
Routine information gathering
systeminfo  Query system information
hostname  Host name
net user  View user accounts
netstat -ano|find "3389"  Find the PID of a service (here the one listening on port 3389)
wmic os get caption  Check the OS name
wmic qfe get Description,HotFixID,InstalledOn  Check installed patches
wmic product get name,version  List installed programs
wmic service list brief  Query local services
wmic process list brief  Query local processes
net share  View local shares
netsh firewall show config  View the firewall configuration
Common security software processes are as follows:
360sd.exe  360 Antivirus
360tray.exe  360 real-time protection
ZhuDongFangYu.exe  360 active defense
KSafeTray.exe  Kingsoft Guard
SafeDogUpdateCenter.exe  SafeDog
McShield.exe  McAfee
avguard.exe  Avira AntiVir
The information to collect is as follows:
The machine's operating system and its version
The patches installed on the machine
The services installed on the machine
The machine's firewall policy configuration
The protection software running on the machine
With enough information, privilege escalation can be attempted in a targeted way. Some of the options are listed below.
Kernel privilege escalation
This approach relies on the system version and patch information to exploit vulnerabilities in the system itself. See: https://github.com/SecWiki/wi...
For vulnerability detection, see: https://github.com/ianxtianxt...
You can also refer to: https://github.com/brianwrf/W...
msf has many built-in exploits:
Windows-Exploit-Suggester
Windows ClientCopyImage Win32k Exploit
Windows TrackPopupMenu Win32k NULL Pointer Dereference
Windows SYSTEM escalation via KiTrap0D
Windows Escalate Task Scheduler XML privilege escalation
MS16-016 mrxdav.sys WebDAV local privilege escalation
EPATHOBJ::pprFlattenRec local privilege escalation
MS13-053: NTUserMessageCall Win32k kernel pool overflow
MS16-032 Secondary Logon Handle privilege escalation
RottenPotato privilege escalation
The exploitation process is shown in the figure below:
Using the at command
On Windows 2000, Windows 2003 and Windows XP, the at command can be used to escalate to SYSTEM privileges.
at is a command-line tool for creating scheduled tasks, and its syntax is fairly simple. Scheduled tasks created with at run with SYSTEM privileges by default on Windows. The scheduled program can be a batch file or a binary, and the "/interactive" switch lets the task interact with the desktop:
Once a SYSTEM cmd is obtained, run taskmgr to open Task Manager, which now runs as SYSTEM; kill the explorer process and then create a new explorer process from Task Manager, which gives a SYSTEM desktop environment.
Alternatively, generate a Trojan file with msf and run it through an at command; when it connects back it will have SYSTEM privileges.
Using the sc command
Applies to Windows 7/8, 2003/2008 and 2012/2016
SC is a command-line program for communicating with the Service Control Manager and with services. It provides functionality similar to the "Services" item under "Administrative Tools" in the "Control Panel".
sc Create syscmd binPath= "cmd /K start" type= own type= interact
This command creates a new interactive cmd service named syscmd. Running the following command then yields a cmd environment with SYSTEM privileges:
sc start syscmd
Unattended installation lets programs be installed automatically without administrator attention. It is used to deploy programs in larger organizations with many employees and limited time. If the administrator does not clean up afterwards, an XML file called Unattend remains on the system. This XML file contains all the configuration used during installation, including the configuration of local users and of the administrator account.
Searching the whole system for Unattend files is a good approach; they are usually in one of the following folders:
C:\Windows\Panther
C:\Windows\Panther\Unattend
C:\Windows\System32
C:\Windows\System32\sysprep
Besides Unattend.xml, also look for the system's sysprep.xml and sysprep.inf files. These files contain the credentials used during deployment, which can help with privilege escalation.
C:\Users\user\Desktop> dir C:\*vnc.ini /s /b /c
# Or files whose names contain a keyword:
C:\Users\user\Desktop> dir C:\ /s /b /c | findstr /sr *password*
# Or search file contents for keywords such as "password":
C:\Users\user\Desktop> findstr /si password *.txt *.xml *.ini
# The registry can also be queried, for example for the string "password":
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
These files usually contain user names and passwords. The password is base64-encoded, and the decoded value ends with the string "Password", so to obtain the real password the trailing "Password" must be removed after decoding.
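The encoding rule above, written out as an audit helper that reports which accounts still have credentials left in an answer file. This is an added example, not code from the original post; the constructed sample file, the account names and the password in it are invented, and the example goes slightly beyond the text in that the suffix is the element name ("Password" for AutoLogon and LocalAccount entries, "AdministratorPassword" for the administrator entry) and the encoded string is UTF-16LE.

```python
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"

def decode_unattend_password(value, element):
    """Non-PlainText <Value> = base64(UTF-16LE(password + element name)), where
    element is "Password" (AutoLogon, LocalAccount) or "AdministratorPassword"."""
    raw = base64.b64decode(value)
    text = raw.decode("utf-16-le")
    if not text.endswith(element):
        raise ValueError("decoded value does not end with %r" % element)
    return text[:-len(element)]

def encode_unattend_password(password, element):
    """Inverse of the above; used here only to build the constructed sample."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")

def audit_unattend(xml_text):
    """(account, element, kind) for every credential left in an answer file; kind is
    plaintext/base64/malformed. Secrets are never returned: the goal is cleanup."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for tag in ("Password", "AdministratorPassword"):
        for el in root.iter("{%s}%s" % (NS, tag)):
            value = el.findtext("{%s}Value" % NS, default="")
            if not value:
                continue
            holder = parent[el]
            account = holder.findtext("{%s}Username" % NS) or holder.findtext("{%s}Name" % NS) or "Administrator"
            kind = "plaintext"
            if el.findtext("{%s}PlainText" % NS, default="true").lower() != "true":
                try:
                    decode_unattend_password(value, tag)
                    kind = "base64"
                except (ValueError, UnicodeDecodeError):
                    kind = "malformed"
            findings.append((account, tag, kind))
    return findings

# Constructed sample answer file, not taken from any real deployment.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
  <AutoLogon><Username>svc_deploy</Username>
   <Password><Value>%s</Value><PlainText>false</PlainText></Password></AutoLogon>
  <UserAccounts><AdministratorPassword><Value>%s</Value><PlainText>false</PlainText></AdministratorPassword></UserAccounts>
 </component></settings></unattend>""" % (
    encode_unattend_password("Winter2024!", "Password"), encode_unattend_password("Winter2024!", "AdministratorPassword"))
```

Running audit_unattend over the files found in the folders listed above tells an administrator which answer files still need to be deleted.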
When a Windows program starts it needs DLLs. If such a DLL does not exist, a malicious DLL placed in a location the application searches can be used to escalate privileges.
Usually, Windows applications have a predefined DLL search path, searched in the following order:
1. The directory from which the application was loaded
2. The 32-bit system directory (C:\Windows\System32)
3. The 16-bit system directory (C:\Windows\System)
4. The Windows directory (C:\Windows)
5. The current working directory (CWD)
6. The directories in the PATH environment variable (system first, then user)
The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ServiceName\Parameters shows which DLLs a service loads; alternatively, load the binary into IDA and search for LoadLibrary calls. Also be sure to check the DLLs called by the DLL itself!
Once a vulnerable DLL call has been found, check the file system for that DLL:
C:\> dir vulnerable.dll /s
Note that a DLL is not necessarily absent just because it cannot be found; it may simply be in a directory the current user account cannot view.
Finally, to perform the DLL hijack, the test DLL must be written somewhere in the directory hierarchy: the original .dll's own directory, the CWD, or a PATH directory.
PATH is an environment variable that defines where the command interpreter looks for executables when a command is issued. Modifying PATH and writing a .dll into a PATH directory allows DLL hijacking, since the process searches PATH for the .dll.
Windows services known to have DLL hijacking vulnerabilities include:
IKE and AuthIP IPsec Keying Modules (IKEEXT): wlbsctrl.dll
Windows Media Center Receiver Service (ehRecvr): ehETW.dll
Windows Media Center Scheduler Service (ehSched): ehETW.dll
Automatic Updates (wuauserv): ifsproxy.dll
Remote Desktop Help Session Manager (RDSessMgr): SalemHook.dll
Remote Access Connection Manager (RasMan): ipbootp.dll
Windows Management Instrumentation (winmgmt): wbemcore.dll
Audio Service (STacSV): SFFXComm.dll SFCOM.DLL
Intel Rapid Storage Technology (IAStorDataMgrSvc): DriverSim.dll
Juniper Unified Network Service (JuniperAccessService): dsLogService.dll
Encase Enterprise Agent: SDDisk.dll
Many tools and frameworks make privilege escalation easier:
Metasploit
Sherlock
windows-privesc-check
Windows-Exploit-Suggester
PowerUp (now part of PowerSploit)
Nishang
As shown below, PowerUp has found a potential DLL hijacking vulnerability. Usually, PowerUp's Write-HijackDll function is used to write the malicious DLL, and the application is then restarted. On startup it loads the malicious DLL and runs our code with higher privileges.
Unquoted service paths
When a system administrator configures a Windows service, they must specify the command to execute, or the path of the executable to run; the location of the binary is stored in the binPath property.
When a Windows service runs, one of two things happens. If an executable is given with its full path in quotes, the system interprets it literally and executes it. But if the service's binary path is not quoted, the operating system tries each space-separated prefix of the path and executes the first one it finds.
If binPath is set like this:
C:\Program Files\Unquoted Path Service\Common Files\service.exe
Windows will search in the following order:
1. C:\Program.exe
2. C:\Program Files\Unquoted.exe
3. C:\Program Files\Unquoted Path.exe
4. C:\Program Files\Unquoted Path Service\Common.exe
5. C:\Program Files\Unquoted Path Service\Common Files\service.exe
In other words, without quotes we can create a malicious binary named after one of the earlier file-system objects (the name containing a space), and it will run when the service tries to execute its binary. All that is needed is write access to a directory in the path.
This command finds such misconfigurations:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
PowerUp can also be used:
Similarly, if a low-privileged user has write access to the folder containing the binary, they can upload a malicious file and rename it to replace the legitimate one. If the user can modify the service configuration, binPath can be pointed directly at a malicious file.
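The prefix enumeration above, as an added example (not code from the original post) that turns an unquoted binPath into the list of files Windows would try and the directories an administrator must make sure are not writable by ordinary users. The first sample is the path from the text; the other two binPath values are constructed and show the quoted case and a binary followed by arguments, which the wmic one-liner above does not distinguish.

```python
import ntpath

def unquoted_candidates(binpath):
    """Files Windows tries, in order, for an unquoted binPath containing spaces.
    Returns [] when the path is quoted or the executable part has no space."""
    cmd = binpath.strip()
    if cmd.startswith('"'):
        return []
    end = cmd.lower().find(".exe")          # arguments may follow the executable
    exe = cmd if end < 0 else cmd[:end + 4]
    if " " not in exe:
        return []
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if not candidate.lower().endswith(".exe"):
            candidate += ".exe"             # no extension given: .exe is appended
        candidates.append(candidate)
    return candidates

def directories_to_check(binpath):
    """Directories that must not be writable by non-administrators, because each
    could hold one of the earlier candidates. The real binary's own path is excluded."""
    dirs = []
    for candidate in unquoted_candidates(binpath)[:-1]:
        d = ntpath.dirname(candidate)
        if d not in dirs:
            dirs.append(d)
    return dirs

# Constructed binPath values; the first is the example from the text above.
SAMPLES = [
    r"C:\Program Files\Unquoted Path Service\Common Files\service.exe",
    r'"C:\Program Files\Quoted Path Service\service.exe" -k netsvcs',
    r"C:\Program Files\Acme\agent.exe --log C:\Program Files\Acme\agent.log",
]

if __name__ == "__main__":
    for binpath in SAMPLES:
        print(binpath)
        for d in directories_to_check(binpath):
            # On a live host, review the ACL of each directory with: icacls "<dir>"
            print("   check write access on:", d)
```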